fmouhart/thesis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

proof-reading

Browse Source
This commit is contained in:
Fabrice Mouhartem 2018-04-13 18:52:15 +02:00
parent 9dd62d0c1d
commit 9d478c72fc
11 changed files with 180 additions and 155 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -8,6 +8,7 @@
*.ilg *.ilg
*.ind *.ind
*.latexmain *.latexmain
*.lot
*.lof *.lof
*.log *.log
*.out *.out

141
chap-GS-background.tex
View File

@ -14,10 +14,19 @@ Before describing those scheme, let us recall in this Chapter the definition of
Dynamic group signatures are a solution to allow a user to authenticate a message on behalf of a set of users it belongs to (the \textit{group}) that can be publicly verified while remaining anonymous inside its group. Dynamic group signatures are a solution to allow a user to authenticate a message on behalf of a set of users it belongs to (the \textit{group}) that can be publicly verified while remaining anonymous inside its group.
On the other hand, the user remains accountable for the signatures it provides as there exists an authority, the \textit{opening authority}, that can lift the anonymity of a given signature using its own secret key. On the other hand, the user remains accountable for the signatures it provides as there exists an authority, the \textit{opening authority}, that can lift the anonymity of a given signature using its own secret key.
In the dynamic setting, a group signature scheme has a second authority: the \textit{group manager}, that allows a user to enroll the group after an interaction with it. In the dynamic setting, a group signature scheme has a second authority: the \textit{group manager}, that allows a user to enroll the group after an interaction with it.
This primitive was introduced by Bellare, Micciancio and Warinschi~\cite{BMW03} in 2003 and was extended to dynamic groups by Bellare, Shi and Zhang ({BSZ}) in 2005~\cite{BSZ05}. These interactions are summarized in Figure~\ref{fig:gs-relations}.
The concept of group signatures was introduced by Chaum and van Heyst in 1991~\cite{CVH91}, but the works of Ateniese, Camenisch, Joye and Tsudik in 2001~\cite{ACJT00} were the first to provide scalable and secure group signatures.
In 2003, Bellare, Micciancio and Warinschi~\cite{BMW03} proposed a formal definition for \textit{static} group signatures, where the group is defined once and for all at the setup phase.
This model was extended to dynamic groups by Bellare, Shi and Zhang (BSZ) and Kiayias and Yung~(KY) in 2005~\cite{BSZ05,KY06}. Those two security models are slightly different, and we choose in this thesis to build our proofs in the~\cite{KY06} model as described in~\cref{sse:gs-definitions}.
The \cite{BMW03}~model summarize the security of a group signature scheme in two notions: \textit{anonymity} and \textit{traceability}. The \cite{BMW03}~model summarize the security of a group signature scheme in two notions: \textit{anonymity} and \textit{traceability}.
The former notions models the fact that without the opening authority's secret, even if everyone colludes, no one can trace back a user from a signature; the latter sum up the fact that even if everyone is corrupted (even the opening authority), it is impossible to forge a valid signature that does not open to a valid user. The former notions models the fact that without the opening authority's secret, even if everyone colludes, no one can trace back a user from a signature; the latter sum up the fact that even if everyone is corrupted (even the opening authority), it is impossible to forge a valid signature that does not open to a valid user.
In the dynamically growing group setting, the \textit{group private keys issuing} phase is replaced by an interactive \textit{join} protocol where a user that wants to join the group interacts with the group manager.
In this context, the two notions of the BMW model are kept, and a third one is added: the ``\textit{non-frameability}''.
This notion expresses the impossibility to frame a group of honest users in order to provide a signature that opens to one on them, \textit{even if the group manager and the opening authority are colluding}.
One application of this primitive can be to handle anonymous access control for public transportation systems. One application of this primitive can be to handle anonymous access control for public transportation systems.
In order to commute, a person should prove the possession of a valid subscription to the transportation service. In order to commute, a person should prove the possession of a valid subscription to the transportation service.
Thus, at registration to the service, the commuter joins the group of \emph{users with a valid subscription} and when it takes the transport, it is asked to sign the timestamp of its entry in the name of the group. Thus, at registration to the service, the commuter joins the group of \emph{users with a valid subscription} and when it takes the transport, it is asked to sign the timestamp of its entry in the name of the group.
@ -27,7 +36,7 @@ Then, the public transportation company is unable to learn anything from seeing
Other applications of group signatures can be advocated as authentication of low-range communications for intelligent cars or anonymous access control of a building. Other applications of group signatures can be advocated as authentication of low-range communications for intelligent cars or anonymous access control of a building.
As we can see, most applications necessitate the use of \textit{dynamically growing} groups in order to be meaningful. As we can see, most applications necessitate the use of \textit{dynamically growing} groups in order to be meaningful.
Bootle, Cerulli, Chaidos, Ghadafi and Groth~\cite{BCC+16} rise the problem of revocation and proposed a model that handle the issues that arose from the introduction of revocation called ``\textit{fully-dynamic}'' group signatures, but as the main difficulty is to allow users to dynamically enroll to the group --\,as revocation has been known to be implemented in a modular manner~\cite{LLNW14}\,-- we do not consider this approach. Bootle, Cerulli, Chaidos, Ghadafi and Groth~\cite{BCC+16} rise the problem of revocation and proposed a model that handle the issues that arose from the introduction of revocation called ``\textit{fully-dynamic}'' group signatures, but as the main difficulty is to allow users to dynamically enroll to the group --\,as revocation has been known to be implemented in a modular manner~\cite{LLNW14}\,-- this approach is not considered here, even if it is of interest~\cite{LNWX17}.
\section{Formal Definition and Correctness} \label{sse:gs-definitions} \section{Formal Definition and Correctness} \label{sse:gs-definitions}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Définition formelle et correction} \addcontentsline{tof}{section}{\protect\numberline{\thesection} Définition formelle et correction}
@ -43,7 +52,7 @@ This section recalls the syntax and the security definitions of dynamic group s
\input fig-gs-relations \input fig-gs-relations
\caption{Relations between the protagonists in a dynamic group signature \caption{Relations between the protagonists in a dynamic group signature
scheme} scheme}
\label{fig:relations} \label{fig:gs-relations}
\end{figure} \end{figure}
In the setting of \emph{dynamic groups}, the syntax of group signatures includes In the setting of \emph{dynamic groups}, the syntax of group signatures includes
@ -59,36 +68,22 @@ membership secret, $\scr_i$.
%\paragraph{Syntax.} %\paragraph{Syntax.}
We denote by $\Ngs \in \poly[\lambda]$ the maximal number of group members that the system will be able to handle. We denote by $\Ngs \in \poly[\lambda]$ the maximal number of group members that the system will be able to handle.
\begin{definition}[Dynamic Group Signature] \begin{definition}[Dynamic Group Signature]
A \emph{dynamic group signature} scheme consists of the following algorithms A \emph{dynamic group signature} scheme consists of the algorithms or protocols $(\Setup, \mathsf{Join}, \Sign, \Verify, \Open)$ described as follows.
or protocols.
\begin{description} \begin{description}
\item[\textsf{Setup}$(1^\lambda,1^{\Ngs})$:] given a security parameter $\lambda$ \item[\textsf{Setup}$(1^\lambda,1^{\Ngs})$:] given a security parameter $\lambda$ and a maximal number of group members $\Ngs \in \mathbb{N}$, this algorithm is run by a \textit{trusted party} to generate a group public key $\gspk$, the group manager's private key $\mathcal{S}_{\GM}$ and the opening authority's private key $\mathcal{S}_{\OA}$.
and a maximal number of group members $\Ngs \in \mathbb{N}$, this algorithm Each key is given to the appropriate authority while $\gspk$ is made public.
is run by a trusted party to generate a group public key $\mathcal{Y}$, The algorithm also initializes a public state $\mathsf{st}$ comprising a set data structure $\mathsf{st}_{\users}=\emptyset$ and a string data structure $\mathsf{st}_{\trans}= \epsilon$.\\
the group manager's private key $\mathcal{S}_{\GM}$ and the opening In the following, all algorithms have access to the public parameters $\gspk$.
authority's private key $\mathcal{S}_{\OA}$. Each key is given to the
appropriate authority while $\mathcal{Y}$ is made public. The algorithm
also initializes a public state $St$ comprising a set data structure
$St_{\users}=\emptyset$ and a string data structure $St_{\trans}=
\epsilon$.\\
In the following, all algorithms have access to the public parameters
$\gspk$.
% %
\item[\textsf{Join}:] is an \emph{interactive} protocol between the group manager \item[\textsf{Join}$^{\join_{\user}, \join_{\GM}}$:] is an \emph{interactive} protocol between the group manager GM and a user $\mathcal{U}_i$ where the latter becomes a group member.
GM and a user $\mathcal{U}_i$ where the latter becomes a group member. The protocol involves two interactive Turing machines $\join_{\user}$ and $\join_{\GM}$ that both take the group public key $\gspk$ as input.
The protocol involves two interactive Turing machines $\join_{\user}$ and The execution $\langle \join_{\user}(\lambda,\gspk),\join_{\GM}(\lambda,\mathsf{st},\gspk,\mathcal{S}_{\GM}) \rangle$, ends with user $\mathcal{U}_i$ obtaining a membership secret $\scr_{i}$, that no one else knows, and a membership certificate $\crt_{i }$.
$\join_{\GM}$ that both take $\mathcal{Y}$ as input. The execution If the protocol is successful, the group manager updates the public state $\mathsf{st}$ by updating the following state informations $\mathsf{st}_{\users}:=\mathsf{st}_{\users} \cup \{ i \}$ as well as $\mathsf{st}_{\trans}:=\mathsf{st}_{\trans} || ( i ,\transcript_i )$.
$\langle \join_{\user}(\lambda,\mathcal{Y}),\join_{\GM}(\lambda,St,\mathcal{Y},\mathcal{S}_{\GM}) \rangle$,
ends with user $\mathcal{U}_i$ obtaining a membership secret $\scr_{i }$,
that no one else knows, and a membership certificate $\crt_{i }$. If the
protocol is successful, the group manager updates the public state $St$ by
setting $St_{\users}:=St_{\users} \cup \{ i \}$ as well as
$St_{\trans}:=St_{\trans} || \langle i ,\transcript_i \rangle$.
% %
%\item[\textsf{Revoke}:] is a (possibly randomized) algorithm allowing the GM %\item[\textsf{Revoke}:] is a (possibly randomized) algorithm allowing the GM
%to generate an updated revocation list $RL_t$ for the new revocation period $t$. %to generate an updated revocation list $RL_t$ for the new revocation period $t$.
%It takes as input a public key $\mathcal{Y}$ and a set $\mathcal{R}_t \subset St_{\users}$ %It takes as input a public key $\gspk$ and a set $\mathcal{R}_t \subset \mathsf{st}_{\users}$
%that identifies the users to be revoked. %that identifies the users to be revoked.
%It outputs an updated revocation list $RL_t$ for period $t$. %It outputs an updated revocation list $RL_t$ for period $t$.
%% %%
@ -101,15 +96,15 @@ We denote by $\Ngs \in \poly[\lambda]$ the maximal number of group members that
% %
\item[\textsf{Verify($\sigma, M$)}:] given a signature $\sigma$, \item[\textsf{Verify($\sigma, M$)}:] given a signature $\sigma$,
%a revocation period $t $, the corresponding revocation list $RL_t$, %a revocation period $t $, the corresponding revocation list $RL_t$,
a message $M$ and a group public key $\mathcal{Y}$, this a message $M$ and a group public key $\gspk$, this
\emph{deterministic} algorithm returns either $0$ or $1$. \emph{deterministic} algorithm returns either $0$ or $1$.
% %
\item[\textsf{Open($\mathcal{S}_{\OA}, M, \sigma$)}:] takes as input a \item[\textsf{Open($\mathcal{S}_{\OA}, M, \sigma$)}:] takes as input a
message $M$, a valid signature $\sigma$ w.r.t. message $M$, a valid signature $\sigma$ w.r.t.
$\mathcal{Y}$ %for the indicated revocation period $t$ $\gspk$ %for the indicated revocation period $t$
, the opening authority's private key $\mathcal{S}_{\OA}$ and the public , the opening authority's private key $\mathcal{S}_{\OA}$ and the public
state $St$. state $\mathsf{st}$.
It outputs $i \in St_{\users} \cup \{ \bot \}$, which is the identity of It outputs $i \in \mathsf{st}_{\users} \cup \{ \bot \}$, which is the identity of
a group member or a symbol indicating an opening failure. a group member or a symbol indicating an opening failure.
% %
\end{description} \end{description}
@ -128,16 +123,16 @@ against them. And finally the \textit{anonymity} property is also formalized by
\paragraph{Correctness for Dynamic Group Signatures.} \paragraph{Correctness for Dynamic Group Signatures.}
Following the Kiayias-Yung terminology \cite{KY06}, we say that a public state Following the Kiayias-Yung terminology \cite{KY06}, we say that a public state
$St$ is \textit{valid} if it can be reached from $St=(\emptyset,\epsilon)$ by a $\mathsf{st}$ is \textit{valid} if it can be reached from $\mathsf{st}=(\emptyset,\epsilon)$ by a
Turing machine having oracle access to $\join_{\GM}$. Also, a state $St'$ is said Turing machine having oracle access to $\join_{\GM}$. Also, a state $\mathsf{st}'$ is said
to \textit{extend} another state $St$ if it is within reach from $St$. to \textit{extend} another state $\mathsf{st}$ if it is within reach from $\mathsf{st}$.
Moreover, as in \cite{KY06}, when we write Moreover, as in \cite{KY06}, when we write
$\crt_{i}\leftrightharpoons_{\mathcal{Y}} \scr_{i}$, it means that there exists $\crt_{i}\leftrightharpoons_{\gspk} \scr_{i}$, it means that there exists
coin tosses $\varpi$ for $\join_{\GM}$ and $\join_{user}$ such that, for some valid coin tosses $\varpi$ for $\join_{\GM}$ and $\join_{user}$ such that, for some valid
public state $St'$, the execution of the interactive protocol public state $\mathsf{st}'$, the execution of the interactive protocol
$[\join_{\user}(\lambda,\mathcal{Y}),\join_{\GM}(\lambda,St',\mathcal{Y},\mathcal{S}_{\GM})](\varpi)$ $\langle \join_{\user}(\lambda,\gspk),\join_{\GM}(\lambda,\mathsf{st}',\gspk,\mathcal{S}_{\GM}) \rangle_\varpi$
provides $\join_{\user}$ with $\langle i,\scr_{i },\crt_{i } \rangle$. provides $\join_{\user}$ with $(i,\scr_{i },\crt_{i })$.
\begin{definition}[Correctness] \begin{definition}[Correctness]
A dynamic group signature scheme is correct if the following conditions are A dynamic group signature scheme is correct if the following conditions are
@ -146,26 +141,26 @@ provides $\join_{\user}$ with $\langle i,\scr_{i },\crt_{i } \rangle$.
% %
\begin{enumerate}[(1)] \begin{enumerate}[(1)]
% %
\item In a valid state $St$, $|St_{users}|=|St_{trans}|$ always holds and \item In a valid state $\mathsf{st}$, $|\mathsf{st}_{users}|=|\mathsf{st}_{trans}|$ always holds and
two distinct entries of $St_{trans}$ always contain certificates with two distinct entries of $\mathsf{st}_{trans}$ always contain certificates with
distinct tag. distinct tag.
% %
\item If \item If
$[\join_{\user}(\lambda,\mathcal{Y}),\join_{\GM}(\lambda,St,\mathcal{Y},\mathcal{S}_{\GM})]$ $\langle \join_{\user}(\lambda,\gspk),\join_{\GM}(\lambda,\mathsf{st},\gspk,\mathcal{S}_{\GM}) \rangle$
is run by two honest parties following the protocol and is run by two honest parties following the protocol and
$\langle i, \crt_{i }, \scr_{i } \rangle$ is obtained by $\join_{\user}$, then $\langle i, \crt_{i }, \scr_{i } \rangle$ is obtained by $\join_{\user}$, then
we have $\crt_{i } \leftrightharpoons_{\mathcal{Y}} \scr_{i }$. we have $\crt_{i} \leftrightharpoons_{\gspk} \scr_{i }$.
% %
\item For each %revocation period $t$ and any \item For each %revocation period $t$ and any
$\langle i, \crt_{i }, \scr_{i } \rangle$ such that $\crt_{i } $(i, \crt_{i}, \scr_{i})$ such that $\crt_{i }
\leftrightharpoons_{\mathcal{Y}} \scr_{i }$, satisfying condition 2, we have \leftrightharpoons_{\gspk} \scr_{i }$, satisfying condition 2, we have
$ \mathsf{Verify}\big(\mathsf{Sign}(\mathcal{Y}, \crt_{i }, \scr_{i $ \mathsf{Verify}\big(\mathsf{Sign}(\gspk, \crt_{i }, \scr_{i
},M),M,\mathcal{Y}\big)=1$. },M),M,\gspk\big)=1$.
% %
\item For any outcome $\langle i, \crt_{i }, \scr_{i } \rangle$ of $[\join_{\user}(.,. ),\join_{\GM}(.,St,.,. )]$ for some valid \item For any outcome $(i, \crt_{i }, \scr_{i })$ of
$St$, $\langle\join_{\user}(.,. ),\join_{\GM}(.,\mathsf{st},.,. )\rangle$
if $\sigma =\mathsf{Sign}(\mathcal{Y},\crt_{i }, \scr_{i},M)$, then for some valid state information $\mathsf{st}$, if $\sigma =\mathsf{Sign}(\gspk,\crt_{i }, \scr_{i},M)$, then
$\mathsf{Open}(M,\sigma,\mathcal{S}_{\OA},\mathcal{Y},St')=i.$ $\mathsf{Open}(M,\sigma,\mathcal{S}_{\OA},\gspk,\mathsf{st}')=i.$
% %
\end{enumerate} \end{enumerate}
% %
@ -186,17 +181,17 @@ variables:
\item $\mathsf{state}_{\mathcal{I}}$: is a data structure representing the \item $\mathsf{state}_{\mathcal{I}}$: is a data structure representing the
state of the interface as the adversary invokes the various oracles state of the interface as the adversary invokes the various oracles
available in the attack games. It is initialized as available in the attack games. It is initialized as
$\mathsf{state}_{\mathcal{I}}=(St,\mathcal{Y},\mathcal{S}_{\GM}, $\mathsf{state}_{\mathcal{I}}=(\textsf{st},\gspk,\mathcal{S}_{\GM},
%\linebreak[4] %\linebreak[4]
\mathcal{S}_{\OA}) \leftarrow \mathsf{Setup}(1^\lambda,1^\Ngs)$. \mathcal{S}_{\OA}) \leftarrow \mathsf{Setup}(1^\lambda,1^\Ngs)$.
It includes the (initially empty) set $St_{users}$ of group members and a It includes the (initially empty) set $\textsf{st}_{users}$ of group members and a
dynamically growing database $St_{trans}$ storing the transcripts of dynamically growing database $\textsf{st}_{trans}$ storing the transcripts of
previously executed join protocols. previously executed join protocols.
%Finally, %Finally,
%$\mathsf{state}_{\mathcal{I}}$ includes a counter %$\mathsf{state}_{\mathcal{I}}$ includes a counter
%$t$ (which is initialized to $0$) indicating the number of user revocation %$t$ (which is initialized to $0$) indicating the number of user revocation
%queries so far. %queries so far.
\item $n=|St_{users}|<\Ngs$ denotes the current cardinality of the group. \item $n=|\textsf{st}_{users}|<\Ngs$ denotes the current cardinality of the group.
% %
\item $\mathsf{Sigs}$: is a database of signatures created by the signing \item $\mathsf{Sigs}$: is a database of signatures created by the signing
oracle. Each entry consists of a triple $(i,M,\sigma)$ indicating that oracle. Each entry consists of a triple $(i,M,\sigma)$ indicating that
@ -219,7 +214,7 @@ following oracles:
% %
\item $Q_{\mathsf{pub}}$, $Q_{\mathsf{key\GM}}$ and $Q_{\mathsf{key\OA}}$: when \item $Q_{\mathsf{pub}}$, $Q_{\mathsf{key\GM}}$ and $Q_{\mathsf{key\OA}}$: when
these oracles are invoked, the interface looks up $\mathsf{state}_{\interface}$ and these oracles are invoked, the interface looks up $\mathsf{state}_{\interface}$ and
returns the group public key $\mathcal{Y}$, the GM's private key returns the group public key $\gspk$, the GM's private key
$\mathcal{S}_{\GM}$ and the opening authority's private key $\mathcal{S}_{\GM}$ and the opening authority's private key
$\mathcal{S}_{\OA}$ respectively. $\mathcal{S}_{\OA}$ respectively.
% %
@ -227,16 +222,16 @@ following oracles:
in the group. On behalf of the GM, the interface runs $\join_{\GM}$ in in the group. On behalf of the GM, the interface runs $\join_{\GM}$ in
interaction with the $\join_{\user}$-executing adversary who plays the role of interaction with the $\join_{\user}$-executing adversary who plays the role of
the prospective user in the join protocol. If this protocol successfully the prospective user in the join protocol. If this protocol successfully
ends, the interface increments $n$, updates $St$ by inserting the new user ends, the interface increments $n$, updates $\mathsf{st}$ by inserting the new user
$n$ in both sets $St_{users}$ and $U^a$. It also sets $n$ in both sets $\mathsf{st}_{users}$ and $U^a$. It also sets
$St_{\trans}:=St_{\trans} || \langle n, \transcript_n \rangle$. $\mathsf{st}_{\trans}:=\mathsf{st}_{\trans} || \langle n, \transcript_n \rangle$.
% %
\item $Q_{\bjoin}$: allows the adversary, acting as a corrupted group manager, \item $Q_{\bjoin}$: allows the adversary, acting as a corrupted group manager,
to introduce new honest group members of its choice. The interface to introduce new honest group members of its choice. The interface
triggers an execution of $[\join_{\user},\join_{\GM}]$ and runs $\join_{\user}$ in triggers an execution of $[\join_{\user},\join_{\GM}]$ and runs $\join_{\user}$ in
interaction with the adversary who runs $\join_{\GM}$. If the protocol interaction with the adversary who runs $\join_{\GM}$. If the protocol
successfully completes, the interface increments $n$, adds user $n$ to successfully completes, the interface increments $n$, adds user $n$ to
$St_{users}$ and $U^b$ and sets $St_{\trans}:=St_{\trans} || \langle n, $\mathsf{st}_{users}$ and $U^b$ and sets $\mathsf{st}_{\trans}:=\mathsf{st}_{\trans} || \langle n,
\transcript_n \rangle$. It stores the membership certificate $\crt_{n }$ \transcript_n \rangle$. It stores the membership certificate $\crt_{n }$
and the membership secret $\scr_{n }$ in a \textit{private} part of and the membership secret $\scr_{n }$ in a \textit{private} part of
$\mathsf{state}_{\interface}$. $\mathsf{state}_{\interface}$.
@ -251,7 +246,7 @@ following oracles:
% %
\item $Q_{\mathsf{open}}$: when this oracle is invoked on input of a valid \item $Q_{\mathsf{open}}$: when this oracle is invoked on input of a valid
pair $(M,\sigma)$, pair $(M,\sigma)$,
the interface runs algorithm $\mathsf{Open}$ using the current state $St $. the interface runs algorithm $\mathsf{Open}$ using the current state $\mathsf{st} $.
When $S$ is a set of pairs of the form $(M,\sigma)$, When $S$ is a set of pairs of the form $(M,\sigma)$,
$Q_{\mathsf{open}}^{\neg S}$ denotes a restricted oracle that only applies $Q_{\mathsf{open}}^{\neg S}$ denotes a restricted oracle that only applies
the opening algorithm to pairs $(M,\sigma)$ which are not in $S$. the opening algorithm to pairs $(M,\sigma)$ which are not in $S$.
@ -262,8 +257,8 @@ following oracles:
the public/private keys and the private part of $\mathsf{state}_{\interface}$ where the public/private keys and the private part of $\mathsf{state}_{\interface}$ where
membership secrets are stored after $Q_{\bjoin}$-queries. By using membership secrets are stored after $Q_{\bjoin}$-queries. By using
$Q_{\mathsf{write}}$, the adversary can modify $\mathsf{state}_{\interface}$ at $Q_{\mathsf{write}}$, the adversary can modify $\mathsf{state}_{\interface}$ at
will as long as it does not remove or alter elements of $St_{users}$, will as long as it does not remove or alter elements of $\mathsf{st}_{users}$,
$St_{trans}$ or invalidate the public state $St$: for example, the adversary $\mathsf{st}_{trans}$ or invalidate the public state $\mathsf{st}$: for example, the adversary
is allowed to create dummy users as long as it does not re-use already is allowed to create dummy users as long as it does not re-use already
existing certificate tags. existing certificate tags.
@ -279,13 +274,13 @@ security properties are formalized as follows.
\begin{figure}[H] \begin{figure}[H]
\centering \centering
\procedure{Experiment $\Exp{\textrm{mis-id}}{\adv}(\lambda)$}{% \procedure{Experiment $\Exp{\textrm{mis-id}}{\adv}(\lambda)$}{%
\mathsf{state}_{\interface}=(St,\mathcal{Y},\mathcal{S}_{\GM},\mathcal{S}_{\OA}) \mathsf{state}_{\interface}=(\mathsf{st},\gspk,\mathcal{S}_{\GM},\mathcal{S}_{\OA})
\gets \mathsf{Setup}(1^\lambda,1^\Ngs)\\ \gets \mathsf{Setup}(1^\lambda,1^\Ngs)\\
(M^\star,\sigma^\star) \leftarrow \adv(Q_{\mathsf{pub}},Q_{\ajoin}, (M^\star,\sigma^\star) \leftarrow \adv(Q_{\mathsf{pub}},Q_{\ajoin},
Q_{\mathsf{read}},Q_{\mathsf{keyOA}})\\ Q_{\mathsf{read}},Q_{\mathsf{keyOA}})\\
\pcif \mathsf{Verify}(\sigma^\star,M^\star,\mathcal{Y})=0 \pcthen\\ \pcif \mathsf{Verify}(\sigma^\star,M^\star,\gspk)=0 \pcthen\\
\pcind \pcreturn{0}\\ \pcind \pcreturn{0}\\
i =\mathsf{Open}(M^\star,\sigma^\star,\mathcal{S}_{\OA}, \mathcal{Y},St')\\ i =\mathsf{Open}(M^\star,\sigma^\star,\mathcal{S}_{\OA}, \gspk,\mathsf{st}')\\
\pcif i \not\in U^a \pcthen \\ \pcif i \not\in U^a \pcthen \\
\pcind\pcreturn{1}\\ \pcind\pcreturn{1}\\
\pcelse\\ \pcelse\\
@ -320,16 +315,16 @@ adversarially-controlled user.
\begin{figure}[H] \begin{figure}[H]
\centering \centering
\procedure{Experiment $\Exp{\mathrm{fra}}{\adv}(\lambda)$}{% \procedure{Experiment $\Exp{\mathrm{fra}}{\adv}(\lambda)$}{%
\mathsf{state}_{\interface}=(St,\gspk,\mathcal{S}_{\GM},\mathcal{S}_{\OA}) \mathsf{state}_{\interface}=(\mathsf{st},\gspk,\mathcal{S}_{\GM},\mathcal{S}_{\OA})
\gets \mathsf{Setup}(1^\lambda,1^\Ngs)\\ \gets \mathsf{Setup}(1^\lambda,1^\Ngs)\\
(M^\star,\sigma^\star) (M^\star,\sigma^\star)
\gets \adv(Q_{\mathsf{pub}},Q_{\mathsf{key}\GM}, \gets \adv(Q_{\mathsf{pub}},Q_{\mathsf{key}\GM},
Q_{\mathsf{key}\OA}, Q_{\bjoin},%Q_{\mathsf{revoke}}, Q_{\mathsf{key}\OA}, Q_{\bjoin},%Q_{\mathsf{revoke}},
Q_{\mathsf{sig}}, Q_{\mathsf{read}}, Q_{\mathsf{write}}) \\ Q_{\mathsf{sig}}, Q_{\mathsf{read}}, Q_{\mathsf{write}}) \\
\pcif \mathsf{Verify}(\sigma^\star,M^\star,\mathcal{Y})=0 \pcthen\\ \pcif \mathsf{Verify}(\sigma^\star,M^\star,\gspk)=0 \pcthen\\
\pcind \pcreturn 0 \\ \pcind \pcreturn 0 \\
\pcif i=\mathsf{Open}(M^\star,\sigma^\star,\mathcal{S}_{\OA}, \pcif i=\mathsf{Open}(M^\star,\sigma^\star,\mathcal{S}_{\OA},
\mathcal{Y},St') \not \in U^b \pcthen\\ \gspk,\mathsf{st}') \not \in U^b \pcthen\\
\pcind \pcreturn 0\\ \pcind \pcreturn 0\\
\pcif \pcif
\bigwedge_{j \in U^b \textrm{ s.t. } j=i~} (j,M^\star,\ast) \bigwedge_{j \in U^b \textrm{ s.t. } j=i~} (j,M^\star,\ast)
@ -376,23 +371,23 @@ The adversary eventually aims at framing an honest group member.
\begin{figure}[H] \begin{figure}[H]
\centering \centering
\procedure{Experiment $\Exp{\textrm{anon}}{\adv,d}(\lambda)$}{ \procedure{Experiment $\Exp{\textrm{anon}}{\adv,d}(\lambda)$}{
\mathsf{state}_{\interface}=(St,\mathcal{Y},\mathcal{S}_{\GM},\mathcal{S}_{\OA}) \mathsf{state}_{\interface}=(\mathsf{st},\gspk,\mathcal{S}_{\GM},\mathcal{S}_{\OA})
\gets \mathsf{Setup}(1^\lambda, 1^\Ngs)\\ \gets \mathsf{Setup}(1^\lambda, 1^\Ngs)\\
\big(aux,M^\star,(\scr_{0}^\star,\crt_{0}^\star), \big(aux,M^\star,(\scr_{0}^\star,\crt_{0}^\star),
(\scr_{1}^\star,\crt_{1}^\star )\big) (\scr_{1}^\star,\crt_{1}^\star )\big)
\gets \adv(\mathsf{play};\, Q_{\mathsf{pub}},Q_{\mathsf{key\GM}}, \gets \adv(\mathsf{play};\, Q_{\mathsf{pub}},Q_{\mathsf{key\GM}},
%Q_{\mathsf{revoke}}, %Q_{\mathsf{revoke}},
Q_{\mathsf{open}},Q_{\mathsf{read}},Q_{\mathsf{write}})\\ Q_{\mathsf{open}},Q_{\mathsf{read}},Q_{\mathsf{write}})\\
%\If{\neg(\crt_{b}^\star \leftrightharpoons_{\mathcal{Y}} \scr_{b}^\star) for b\in\bit} %\If{\neg(\crt_{b}^\star \leftrightharpoons_{\gspk} \scr_{b}^\star) for b\in\bit}
%{\Return \bot\\} %{\Return \bot\\}
%\If{\crt_{0 }^\star = \crt_{1 }^\star }{\Return \bot\\} %\If{\crt_{0 }^\star = \crt_{1 }^\star }{\Return \bot\\}
\pcif \pcif
\neg((\crt_{0}^\star \leftrightharpoons_{\mathcal{Y}} \scr_{0}^\star) \neg((\crt_{0}^\star \leftrightharpoons_{\gspk} \scr_{0}^\star)
\wedge (\crt_{1}^\star \leftrightharpoons_{\mathcal{Y}} \scr_{1}^\star) \wedge (\crt_{1}^\star \leftrightharpoons_{\gspk} \scr_{1}^\star)
\wedge (\crt_{0}^\star \neq \crt_{1 }^\star)) \pcthen\\ \wedge (\crt_{0}^\star \neq \crt_{1 }^\star)) \pcthen\\
\pcind\pcreturn \bot\\ \pcind\pcreturn \bot\\
%Pick random d \gets \bit; %Pick random d \gets \bit;
\sigma^\star \leftarrow \mathsf{Sign}(\mathcal{Y},\crt_{d}^\star, \sigma^\star \leftarrow \mathsf{Sign}(\gspk,\crt_{d}^\star,
\scr_{d}^\star,M^\star)\\ \scr_{d}^\star,M^\star)\\
d'\leftarrow \adv(\mathsf{guess};\,\sigma^\star,aux,Q_{\mathsf{pub}}, d'\leftarrow \adv(\mathsf{guess};\,\sigma^\star,aux,Q_{\mathsf{pub}},
Q_{\mathsf{key\GM}},Q_{\mathsf{open}}^{\neg \{ (M^\star, \sigma^\star)\}}, Q_{\mathsf{key\GM}},Q_{\mathsf{open}}^{\neg \{ (M^\star, \sigma^\star)\}},

11
chap-ZK.tex
View File

@ -114,7 +114,7 @@ Commitment schemes~\cite{Blu81} are the digital equivalent of a safe. The goal i
These algorithms should verify correctness, hiding and binding properties, where $\Exp{\mathrm{hiding}}{\adv, b}$ and $\Exp{\mathrm{binding}}{\adv}$ are described in Figure~\ref{fig:hiding-binding-games}. These algorithms should verify correctness, hiding and binding properties, where $\Exp{\mathrm{hiding}}{\adv, b}$ and $\Exp{\mathrm{binding}}{\adv}$ are described in Figure~\ref{fig:hiding-binding-games}.
\begin{description} \begin{description}
\item[Correctness.] For any $\param \gets \Setup(1^\lambda)$, message $M$, commitment and opening $(\com, \open) \gets \Commit(\param, M)$, it holds that $\Open(\param, \open, M) = 1$. \item[Correctness.] For any public parameters $\param \gets \Setup(1^\lambda)$, message $M$, commitment and opening $(\com, \open) \gets \Commit(\param, M)$, it holds that $\Open(\param, \open, M) = 1$.
\item[Hiding.] For any \ppt{} adversary $\adv$ against the hiding experiment, we have that \item[Hiding.] For any \ppt{} adversary $\adv$ against the hiding experiment, we have that
\[ \hspace{-1cm} \[ \hspace{-1cm}
\advantage{\mathrm{hiding}}{\adv}(\lambda) = \left| \Pr\left[\Exp{\mathrm{hiding}}{\adv, 1}(\lambda) = 1\right] - \Pr\left[\Exp{\mathrm{hiding}}{\adv, 0}(\lambda) = 1\right] \right| \leq \negl[\lambda], \advantage{\mathrm{hiding}}{\adv}(\lambda) = \left| \Pr\left[\Exp{\mathrm{hiding}}{\adv, 1}(\lambda) = 1\right] - \Pr\left[\Exp{\mathrm{hiding}}{\adv, 0}(\lambda) = 1\right] \right| \leq \negl[\lambda],
@ -180,7 +180,7 @@ In the random oracle model, it is possible to transform a ZK proof into an NIZK
\begin{definition}[Fiat-Shamir Transform~{\cite{FS86}}] \begin{definition}[Fiat-Shamir Transform~{\cite{FS86}}]
\index{Zero Knowledge!Fiat-Shamir Transform} \index{Zero Knowledge!Fiat-Shamir Transform}
Let $(P, V)$ be a three-round zero-knowledge proof for relation $R = \{ (x, w) \}$ as in Figure~\ref{fig:sigma} and $\mathcal H$ be a cryptographic hash function. Let $(P, V)$ be a three-move ZK proof system for relation $R = \{ (x, w) \}$ as in Figure~\ref{fig:sigma} and $\mathcal H$ be a cryptographic hash function.
Let $\hat P$ be the following non-interactive prover that takes as inputs $x$ and $w$: Let $\hat P$ be the following non-interactive prover that takes as inputs $x$ and $w$:
\begin{enumerate} \begin{enumerate}
@ -233,13 +233,14 @@ For the sake of completeness, we can also mention $\NIZK$ in the standard model,
Schnorr's methodology to construct proofs is based on the $\Sigma$-protocol technique to design zero-knowledge proofs. Schnorr's methodology to construct proofs is based on the $\Sigma$-protocol technique to design zero-knowledge proofs.
It has been introduced in order to prove the knowledge of a discrete logarithm (which can bee seen at the relation $R_{\mathsf{dlog}} = \{ (h, a) \in \GG \times \ZZ_p \mid h = g^a \}$ with $\GG = \langle g \rangle$ be a cyclic group of prime order $p\geq 2$) and is described in Figure~\ref{fig:schnorr-dlog}. It has been introduced in order to prove the knowledge of a discrete logarithm (which can bee seen at the relation $R_{\mathsf{dlog}} = \{ (h, a) \in \GG \times \ZZ_p \mid h = g^a \}$ with $\GG = \langle g \rangle$ be a cyclic group of prime order $p\geq 2$) and is described in Figure~\ref{fig:schnorr-dlog}.
This methodology can be interpreted as follows. Given a commitment scheme $(\Setup, \Commit, \Verify)$, where the randomness $r$ used in $\Commit$ is made explicit, the first move of the prover $P$ consists in fixing the randomness used in the commitment scheme $r$ \emph{via} $\rho$, then the verifier asks the prover to commit to a challenge message $c$ using the randomness carried by $\rho$, and the prover sends the opening for this commitment $\open$. Finally, the verifier accepts if and only if $\Verify(\param, \com, \open, c) = 1$. An interpretation of this methodology is the following: given a commitment scheme $(\Setup, \Commit, \Verify)$, where the randomness $r$ used in $\Commit$ is made explicit, the first move of the prover $P$ consists in binding the randomness used in the commitment scheme $r$ using the transmitted value $\rho = g^r$, then the verifier asks the prover to commit to a challenge message $c$ using the randomness carried by $\rho$, and the prover sends the opening for this commitment $\open$.
Finally, the verifier accepts if and only if $\Verify(\param, \com, \open, c) = 1$.
In the protocol described in Figure~\ref{fig:schnorr-dlog}, the underlying commitment is the Pedersen commitment scheme~\cite{Ped91}. In the protocol described in Figure~\ref{fig:schnorr-dlog}, the underlying commitment is the Pedersen commitment scheme~\cite{Ped91}: a commitment of a message $M \in \Zp$ is $g^m \cdot h^r \in \GG$ and the opening is the randomness $r$ used to commit.
Given its effiency, Schnorr's protocol is used along with Fiat-Shamir heuristic in the pairing-based group signature described in~\cref{ch:sigmasig}. Given its effiency, Schnorr's protocol is used along with Fiat-Shamir heuristic in the pairing-based group signature described in~\cref{ch:sigmasig}.
This methodology has also been adapted in the ideal lattice-setting by Lyubashevsky~\cite{Lyu08, Lyu09} along with a technique called \textit{rejection sampling} in order to construct zero-knowledge proofs from ideal lattice assumptions and is described in Figure~\ref{fig:schnorr-lwe}. This methodology has also been adapted in the ideal lattice-setting by Lyubashevsky~\cite{Lyu08, Lyu09} along with a technique called \textit{rejection sampling} in order to construct ZK proofs from ideal lattice assumptions and is described in Figure~\ref{fig:schnorr-lwe}.
In this description $D_y$ and $D_c$ are the distributions from which $\mathbf{y}_1, \mathbf{y}_2$ and $\mathbf{c}$ have to be sampled respectively, and $G$ describes the set of \textit{good} responses $\mathbf{z}_1, \mathbf{z}_2$ in order not to leak informations about $\mathbf{s}_1, \mathbf{s}_2$. In this description $D_y$ and $D_c$ are the distributions from which $\mathbf{y}_1, \mathbf{y}_2$ and $\mathbf{c}$ have to be sampled respectively, and $G$ describes the set of \textit{good} responses $\mathbf{z}_1, \mathbf{z}_2$ in order not to leak informations about $\mathbf{s}_1, \mathbf{s}_2$.
The part under square braces is called the \textit{rejection} phase, and ensure that the transmitted $\mathbf{z}_1, \mathbf{z}_2$ will not leak any information about $\mathbf{s}_1, \mathbf{s}_2$ to V. The part under square braces is called the \textit{rejection} phase, and ensure that the transmitted $\mathbf{z}_1, \mathbf{z}_2$ will not leak any information about $\mathbf{s}_1, \mathbf{s}_2$ to V.
This part induced a noticeable error-rate where the prover aborts the proof. As the protocol is proven \textit{witness indistinguishable}~\cite{Lyu09}, one can run the protocol multiple times in parallel and hope that one of them will not abort~\cite{FS90}. This part induced a noticeable error-rate where the prover aborts the proof. As the protocol is proven \textit{witness indistinguishable}~\cite{Lyu09}, one can run the protocol multiple times in parallel and hope that one of them will not abort~\cite{FS90}.

8
chap-proofs.tex
View File

@ -93,8 +93,14 @@ That's why we'll now define the principle of polynomial time reduction.
In other words, a polynomial reduction from $A$ to $B$ is the description of a polynomial time algorithm (also called ``\emph{the reduction}''), that uses an algorithm for $B$ in a black-box manner to solve $A$. In other words, a polynomial reduction from $A$ to $B$ is the description of a polynomial time algorithm (also called ``\emph{the reduction}''), that uses an algorithm for $B$ in a black-box manner to solve $A$.
This is illustrated in Figure~\ref{fig:poly-reduction}. This is illustrated in Figure~\ref{fig:poly-reduction}.
To write down that a TM has black-box access to a TM $M_O$ that computes function $O$, we sometimes use the \textit{oracle} terminology.
\begin{definition}[Oracle machine] \index{Turing machine!Oracle machine}
A Turing Machine $M$ is said to have \textit{oracle access} to a function $O(\cdot)$ if it has access to the result of $O(x)$ for any input $x$ of its choice in constant time. We denote the output of $M$ on input $x$ with oracle $O$ by $M^O(x)$.
\end{definition}
We can notice that \textsf{P} and \textsf{PP} are both closed under polynomial-time reduction. We can notice that \textsf{P} and \textsf{PP} are both closed under polynomial-time reduction.
Namely, if a problem is easier than another problem in \textsf{P} (resp. \textsf{PP}), then this problem is also in \textsf{P} (resp. \textsf{PP}). Namely, if a problem is easier than another problem in \textsf{P} (resp. \textsf{PP}), then the former problem is also in \textsf{P} (resp. \textsf{PP}).
Until know, we mainly focus on the running time of the algorithms. Until know, we mainly focus on the running time of the algorithms.
In cryptology, it is also important to consider the success probability of algorithms: In cryptology, it is also important to consider the success probability of algorithms:

127
chap-sigmasig.tex
View File

@ -15,14 +15,14 @@ groups of prime order $p$ and we rely on the assumed security of the \SDL and \
\defSDL* \defSDL*
\subsection{Quasi-Adaptive NIZK Arguments for Linear Subspaces} \label{sse:sigmasig-qa-nizk} \subsection{Quasi-Adaptive $\NIZK$ Arguments for Linear Subspaces} \label{sse:sigmasig-qa-nizk}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Argument NIZK quasi-adaptatif pour un sous-espace linéaire} \addcontentsline{tof}{section}{\protect\numberline{\thesection} Argument $\NIZK$ quasi-adaptatif pour un sous-espace linéaire}
Quasi-Adaptive NIZK (QA-NIZK) proofs \cite{JR13} are NIZK proofs where the common reference string (CRS) Quasi-Adaptive $\NIZK$ (\QANIZK) proofs \cite{JR13} are $\NIZK$ proofs where the common reference string (CRS)
may depend on the language for which proofs have to be generated. may depend on the language for which proofs have to be generated.
Formal definitions are given in \cite{JR13,LPJY14,KW15}. %Appendix~\ref{QA-NIZK}. Formal definitions are given in \cite{JR13,LPJY14,KW15}.
This section recalls the QA-NIZK argument of \cite{KW15} for proving membership in the row space of a matrix. This section recalls the \QANIZK argument of \cite{KW15} for proving membership in the row space of a matrix.
In the description below, we assume that all In the description below, we assume that all
algorithms take as input the description of common public parameters $\mathsf{cp}$ consisting of asymmetric algorithms take as input the description of common public parameters $\mathsf{cp}$ consisting of asymmetric
bilinear groups $(\GG,\Gh,\GT,p)$ of prime order $p>2^\lambda$, where $\lambda$ is the security parameter. bilinear groups $(\GG,\Gh,\GT,p)$ of prime order $p>2^\lambda$, where $\lambda$ is the security parameter.
@ -58,16 +58,16 @@ We stress that $\mathsf{cp}$ is independent of the matrix $\mathbf{M} = (\vec{M}
$ 1_{\GT} = e(\pi,\hat{g_z}) \cdot \prod_{j=1}^n e(v_j,\hat{g}_j) . $ $ 1_{\GT} = e(\pi,\hat{g_z}) \cdot \prod_{j=1}^n e(v_j,\hat{g}_j) . $
\end{description} \end{description}
The proof of the soundness of this QA-NIZK argument system requires the matrix $\mathbf{M}$ to be witness-samplable. The proof of the soundness of this \QANIZK argument system requires the matrix $\mathbf{M}$ to be witness-samplable.
This means that the reduction has to know the discrete logarithms of the group elements of $\mathbf{M}$. This means that the reduction has to know the discrete logarithms of the group elements of $\mathbf{M}$.
This requirement is compatible with our security proofs. This requirement is compatible with our security proofs.
\section{A Randomizable Signature on Multi-Block Messages} \label{scal-sig} \section{A Randomizable Signature on Multi-Block Messages} \label{scal-sig}
In \cite{LPY15}, Libert \textit{et al.} described an F-unforgeable signature based on the SXDH assumption. We show that their scheme In \cite{LPY15}, Libert \textit{et al.} described an F-unforgeable signature based on the $\SXDH$ assumption. We show that their scheme
implies an efficient ordinary digital signature which makes it possible to efficiently sign multi-block messages in $\Zp^{\ell}$ while keeping the scheme implies an efficient ordinary digital signature which makes it possible to efficiently sign multi-block messages in $\Zp^{\ell}$ while keeping the scheme
compatible with efficient protocols. In order to keep the signature length independent of the number of blocks, we exploit the property that the underlying QA-NIZK argument \cite{KW15} has constant size, regardless of the dimensions of the considered linear subspace. compatible with efficient protocols. In order to keep the signature length independent of the number of blocks, we exploit the property that the underlying \QANIZK argument \cite{KW15} has constant size, regardless of the dimensions of the considered linear subspace.
Moreover, we show that their scheme remains unforgeable under the SXDH assumption. Moreover, we show that their scheme remains unforgeable under the $\SXDH$ assumption.
\begin{description} \begin{description}
\item[\textsf{Keygen}$(\lambda,\ell):$] Choose bilinear groups $\mathsf{cp}=(\GG,\Gh,\GT,p)$ \item[\textsf{Keygen}$(\lambda,\ell):$] Choose bilinear groups $\mathsf{cp}=(\GG,\Gh,\GT,p)$
@ -89,7 +89,7 @@ Moreover, we show that their scheme remains unforgeable under the SXDH assumptio
\end{array}\right) , \end{array}\right) ,
\end{equation} \end{equation}
where $\mathbf{1}_{{}_{\ell+1}}=(1_{\GG},\ldots,1_{\GG})\in\GG^{\ell+1}$. where $\mathbf{1}_{{}_{\ell+1}}=(1_{\GG},\ldots,1_{\GG})\in\GG^{\ell+1}$.
\item Run $\mathsf{Keygen}(\mathsf{cp},M)$ of the QA-NIZK argument of Section~\ref{sse:sigmasig-qa-nizk} \item Run $\mathsf{Keygen}(\mathsf{cp},M)$ of the \QANIZK argument of Section~\ref{sse:sigmasig-qa-nizk}
to get $\mathsf{crs}=(\{ z_i \}_{i=1}^{\ell+2},~ \hat{g}_z,~\{ \hat{g}_j \}_{j=1}^{2\ell+4} )$. to get $\mathsf{crs}=(\{ z_i \}_{i=1}^{\ell+2},~ \hat{g}_z,~\{ \hat{g}_j \}_{j=1}^{2\ell+4} )$.
\bigskip \bigskip
\item[] \item[]
@ -111,13 +111,13 @@ $\vec{m}\in \Zp^\ell$, choose $s \sample \Zp$ to compute
= g^\omega\cdot (v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot w)^{s}, & = g^\omega\cdot (v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot w)^{s}, &
\sigma_2 & = g^{s}, & \sigma_3 & = h^{s} . \sigma_2 & = g^{s}, & \sigma_3 & = h^{s} .
\end{align*} \end{align*}
Then, run $\mathsf{Prove}$ of the QA-NIZK argument to prove that Then, run $\mathsf{Prove}$ of the \QANIZK argument to prove that
the following vector of $\GG^{2\ell+4}$ the following vector of $\GG^{2\ell+4}$
\begin{align} \label{eq:vector} \begin{align} \label{eq:vector}
(\sigma_1,\sigma_2^{m_1},\ldots,\sigma_2^{m_\ell},\sigma_2, (\sigma_1,\sigma_2^{m_1},\ldots,\sigma_2^{m_\ell},\sigma_2,
\sigma_3^{m_1},\ldots,\sigma_3^{m_\ell},\sigma_3,\Omega) \sigma_3^{m_1},\ldots,\sigma_3^{m_\ell},\sigma_3,\Omega)
\end{align} \end{align}
is in the row space of $\mathbf{M}$. This QA-NIZK proof $\pi\in\GG$ consists of $\pi = z_1^\omega \cdot (z_2^{m_1}\cdots z_{\ell+1}^{m_\ell} \cdot is in the row space of $\mathbf{M}$. This \QANIZK proof $\pi\in\GG$ consists of $\pi = z_1^\omega \cdot (z_2^{m_1}\cdots z_{\ell+1}^{m_\ell} \cdot
z_{\ell+2})^{s}.$ z_{\ell+2})^{s}.$
Return the signature $\sigma=\big(\sigma_1,\sigma_2,\sigma_3, \pi \big)\in\GG^{4}$. Return the signature $\sigma=\big(\sigma_1,\sigma_2,\sigma_3, \pi \big)\in\GG^{4}$.
@ -138,7 +138,7 @@ The signature on $\ell$ scalars thus only consists of 4 elements in $\GG$
while the verification equation only involves a computation of 5 pairings. while the verification equation only involves a computation of 5 pairings.
\begin{theorem} \label{th:eu-cma-1} \begin{theorem} \label{th:eu-cma-1}
The above signature scheme is existentially unforgeable under chosen-message attacks (\textsf{eu-cma}) if the SXDH assumption holds in $(\GG, \Gh, \GT)$. The above signature scheme is existentially unforgeable under chosen-message attacks (\textsf{eu-cma}) if the $\SXDH$ assumption holds in $(\GG, \Gh, \GT)$.
\end{theorem} \end{theorem}
\begin{proof} \begin{proof}
@ -158,7 +158,7 @@ The above signature scheme is existentially unforgeable under chosen-message att
\end{aligned} \end{aligned}
\end{equation} \end{equation}
Since $(\sigma_1,\sigma_2^{m_1},\ldots,\sigma_2^{m_\ell},\sigma_2, \sigma_3^{m_1},\ldots,\sigma_3^{m_\ell},\sigma_3,\Omega)$ Since $(\sigma_1,\sigma_2^{m_1},\ldots,\sigma_2^{m_\ell},\sigma_2, \sigma_3^{m_1},\ldots,\sigma_3^{m_\ell},\sigma_3,\Omega)$
is in the row space of $\mathbf{M}$, the QA-NIZK proof $\pi$ has the same distribution as if it were computed as is in the row space of $\mathbf{M}$, the \QANIZK proof $\pi$ has the same distribution as if it were computed as
\begin{equation} \begin{equation}
\label{eq:rel-sim-A} \label{eq:rel-sim-A}
\begin{aligned} \begin{aligned}
@ -184,7 +184,7 @@ The above signature scheme is existentially unforgeable under chosen-message att
\end{gathered} \end{gathered}
\label{eq:rel-sig-B} \label{eq:rel-sig-B}
\end{equation*} \end{equation*}
The QA-NIZK proof $\pi$ is The \QANIZK proof $\pi$ is
computed as in \eqref{eq:rel-sim-A} by using $\mathsf{tk}=\{\chi_i \}_{i=1}^{2\ell+4}$. Note that Type B signatures can be generated without using $\omega \in \Zp$. computed as in \eqref{eq:rel-sim-A} by using $\mathsf{tk}=\{\chi_i \}_{i=1}^{2\ell+4}$. Note that Type B signatures can be generated without using $\omega \in \Zp$.
\end{description} \end{description}
\smallskip \smallskip
@ -205,9 +205,9 @@ The above signature scheme is existentially unforgeable under chosen-message att
and wins if $\Verify(\mathsf{pk}, \sigma^\star, M^\star) = 1$. and wins if $\Verify(\mathsf{pk}, \sigma^\star, M^\star) = 1$.
\item[Game 1:] We change the way $\bdv$ answers signing queries. \item[Game 1:] We change the way $\bdv$ answers signing queries.
The QA-NIZK proofs $\pi$ are then computed as simulated QA-NIZK proofs The \QANIZK proofs $\pi$ are then computed as simulated \QANIZK proofs
using $\mathsf{tk}$ using $\mathsf{tk}$
as in~\eqref{eq:rel-sim-A}. These QA-NIZK proofs are thus simulated as in~\eqref{eq:rel-sim-A}. These \QANIZK proofs are thus simulated
proofs for true statements, and then their distribution remains unchanged. proofs for true statements, and then their distribution remains unchanged.
We have $\Pr[S_1] = \Pr[S_1 \wedge E_1] + \Pr[S_1 \wedge We have $\Pr[S_1] = \Pr[S_1 \wedge E_1] + \Pr[S_1 \wedge
\neg E_1]$. \neg E_1]$.
@ -225,7 +225,7 @@ The above signature scheme is existentially unforgeable under chosen-message att
is smaller than $\advantage{\DDH}{\GG}(\lambda) + 1/p$. is smaller than $\advantage{\DDH}{\GG}(\lambda) + 1/p$.
\end{description} \end{description}
In Game $2.Q$, we know that if SXDH holds, $\adv$ can only output a type $\mathrm{A}'$ In Game $2.Q$, we know that if $\SXDH$ holds, $\adv$ can only output a type $\mathrm{A}'$
forgery even if it only obtains type B signatures during the game. forgery even if it only obtains type B signatures during the game.
Nevertheless, lemma~\ref{le:final-forgery} shows Nevertheless, lemma~\ref{le:final-forgery} shows
that a type $\mathrm{A}'$ forgery in Game that a type $\mathrm{A}'$ forgery in Game
@ -250,7 +250,7 @@ The above signature scheme is existentially unforgeable under chosen-message att
\begin{proof} \begin{proof}
Let $\adv$ be an attacker that does not Let $\adv$ be an attacker that does not
output a type $\mathrm{A}'$ forgery. We will build an attacker $\bdv$ against the soundness of the output a type $\mathrm{A}'$ forgery. We will build an attacker $\bdv$ against the soundness of the
Quasi-Adaptive NIZK (QA-NIZK) scheme, which security is implied from the double-pairing Quasi-Adaptive $\NIZK$ (\QANIZK) scheme, which security is implied from the double-pairing
problem that reduces from DDH as explained in~\cite{LPJY13}. problem that reduces from DDH as explained in~\cite{LPJY13}.
Let us define the vector $\ssigma \in \GG^{2\ell+4}$ as Let us define the vector $\ssigma \in \GG^{2\ell+4}$ as
\[ \[
@ -263,7 +263,7 @@ The above signature scheme is existentially unforgeable under chosen-message att
Our reduction $\bdv$ receives as input $\mathsf{cp}=(\GG,\Gh,\GT,p)$, a matrix ${\mathbf{M}}$ as in Our reduction $\bdv$ receives as input $\mathsf{cp}=(\GG,\Gh,\GT,p)$, a matrix ${\mathbf{M}}$ as in
(\ref{matrix-scal-sig}) and a common (\ref{matrix-scal-sig}) and a common
reference string $\mathsf{crs}$ (depending on the matrix) for an instance of the reference string $\mathsf{crs}$ (depending on the matrix) for an instance of the
QA-NIZK scheme allowing to prove that vectors of dimension $2\ell + 4$ are in the row space of ${\mathbf{M}}$. \QANIZK scheme allowing to prove that vectors of dimension $2\ell + 4$ are in the row space of ${\mathbf{M}}$.
The generation of the matrix ${\mathbf{M}}$ fixes $g$, $h$ and $\vec{v}=(v_1,\ldots,v_\ell,w)\in\GG^{\ell+1}$. The generation of the matrix ${\mathbf{M}}$ fixes $g$, $h$ and $\vec{v}=(v_1,\ldots,v_\ell,w)\in\GG^{\ell+1}$.
After that, $\bdv$ picks $\omega \sample Z_p$ and $\hat g \sample \Gh$, and set $\Omega = h^\omega$. After that, $\bdv$ picks $\omega \sample Z_p$ and $\hat g \sample \Gh$, and set $\Omega = h^\omega$.
Then, the reduction $\bdv$ sends to $\adv$ $\mathsf{cp}$ and the verification key: Then, the reduction $\bdv$ sends to $\adv$ $\mathsf{cp}$ and the verification key:
@ -305,7 +305,7 @@ If DDH holds in $\GG$, for each $k \in
Then, queries are answered depending on their index~$j$:\\ Then, queries are answered depending on their index~$j$:\\
\textbf{Case $\boldsymbol{j < k}$:} $\bdv$ computes a Type B signature, $\sigma = (\sigma_1, \sigma_2, \textbf{Case $\boldsymbol{j < k}$:} $\bdv$ computes a Type B signature, $\sigma = (\sigma_1, \sigma_2,
\sigma_3, \pi)$, using $\mathsf{tk}=\{ \chi_i \}_{i=1}^{2\ell + 4}$ with the QA-NIZK simulator \sigma_3, \pi)$, using $\mathsf{tk}=\{ \chi_i \}_{i=1}^{2\ell + 4}$ with the \QANIZK simulator
to computes $\pi$. to computes $\pi$.
\noindent\textbf{Case $\boldsymbol{j > k}$:} The last $Q - k - 1$ signing queries are computed as \noindent\textbf{Case $\boldsymbol{j > k}$:} The last $Q - k - 1$ signing queries are computed as
@ -317,7 +317,7 @@ If DDH holds in $\GG$, for each $k \in
depending on whether $\eta = g^{ab}$ or $\eta = g^{a(b+c)}$ for some $c \in_R \Zp$. Namely, $\bdv$ computes $\sigma_2 = g^b$, $\sigma_3 = \eta$, depending on whether $\eta = g^{ab}$ or $\eta = g^{a(b+c)}$ for some $c \in_R \Zp$. Namely, $\bdv$ computes $\sigma_2 = g^b$, $\sigma_3 = \eta$,
and and
$ \sigma_1 = g^\omega \sigma_2^{a_w + \sum_{i=1}^\ell a_{v_i} m_i} \sigma_3^{b_w + \sum_{i=1}^\ell b_{v_i} m_i}. $ $ \sigma_1 = g^\omega \sigma_2^{a_w + \sum_{i=1}^\ell a_{v_i} m_i} \sigma_3^{b_w + \sum_{i=1}^\ell b_{v_i} m_i}. $
Then $\bdv$ simulates QA-NIZK proofs $\pi$ as recalled in \eqref{eq:rel-sim-A}, and sends $\sigma = (\sigma_1, \sigma_2, \sigma_3, \pi)$ to $\adv$. Then $\bdv$ simulates \QANIZK proofs $\pi$ as recalled in \eqref{eq:rel-sim-A}, and sends $\sigma = (\sigma_1, \sigma_2, \sigma_3, \pi)$ to $\adv$.
\smallskip \smallskip
If $\eta = g^{ab}$, the $k$-th signature $\sigma$ is If $\eta = g^{ab}$, the $k$-th signature $\sigma$ is
@ -690,7 +690,7 @@ This concludes the proof. % TODO: ugly
\subsection{Signing a Committed Message} \subsection{Signing a Committed Message}
At a high level, the protocol involves a committer who wants to get a signature on ${\mathbf{m}}=(m_1,\ldots,m_\ell)$ and first computes a commitment of the form $c_v=v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot u^{r}$, where $u$ is the extra public parameter (with unknown discrete log). The signer gives back elements of the form $\tau_1=g^\omega c_v^s$, $\tau_2=g^s$, $\tau_3=h^s$ which is almost the desired signature. To get the component $\sigma_1$ of the right form relatively to $\tau_2,\tau_3$ the committer has to remove the factor $u^{rs}$ from $\tau_1$. Then, the signer also sends $\tau_0=u^s$ to enable removing $\tau_0^r$. At a high level, the protocol involves a committer who wants to get a signature on ${\mathbf{m}}=(m_1,\ldots,m_\ell)$ and first computes a commitment of the form $c_v=v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot u^{r}$, where $u$ is the extra public parameter (with unknown discrete log). The signer gives back elements of the form $\tau_1=g^\omega c_v^s$, $\tau_2=g^s$, $\tau_3=h^s$ which is almost the desired signature. To get the component $\sigma_1$ of the right form relatively to $\tau_2,\tau_3$ the committer has to remove the factor $u^{rs}$ from $\tau_1$. Then, the signer also sends $\tau_0=u^s$ to enable removing $\tau_0^r$.
In the protocol some randomizing steps are included as well as other additional components allowing the committer to extract $\pi$, the QA-NIZK part of the signature. In the security proof of the protocol we thus have to show that the additional value $\tau_0=u^s$ does not affect the unforgeability of the signature. \smallskip In the protocol some randomizing steps are included as well as other additional components allowing the committer to extract $\pi$, the \QANIZK part of the signature. In the security proof of the protocol we thus have to show that the additional value $\tau_0=u^s$ does not affect the unforgeability of the signature. \smallskip
\noindent \textbf{The protocol.} \noindent \textbf{The protocol.}
% %
@ -729,11 +729,11 @@ In comparison, the construction of \cite{CL02a} requires groups of larger hidde
\noindent \textbf{Security.} \noindent \textbf{Security.}
% %
We briefly sketch the proof of the above protocol in front of malicious entities since classical arguments can be applied. Assuming that the committer uses secure ZKPK and does not output $\bot$, a malicious signer which receives perfectly hiding commitments $c_v,c_z$ cannot tell apart an honest proof from a simulated proof. Consequently the signer learns nothing from ${\mathbf{m}}$ during the execution of the protocol. We briefly sketch the proof of the above protocol in front of malicious entities since classical arguments can be applied. Assuming that the committer uses secure ZKPK and does not output $\bot$, a malicious signer which receives perfectly hiding commitments $c_v,c_z$ cannot tell apart an honest proof from a simulated proof. Consequently the signer learns nothing from ${\mathbf{m}}$ during the execution of the protocol.
In the other case, we have to show that a corrupted committer remains unable to produce valid signature on a new vector ${\mathbf{m}^\star}$. First, since the generation of $u$ is not under the controlled of the committer but of the random oracle, $u$ can be made independent of rest of $\mathsf{pk}$. Then, we only need to show that the signature remains unforgeable when $\tau_0$ is given in the signature. Since ${\mathbf{m}}$ and $s$ can be extracted from the proof of knowledge the reduction can output a signature on ${\mathbf{m}}$. Moreover it is easy to see from the security proof (in \cref{sse:sigmasig-qa-nizk}) of the signature how this additional element can be simulated. Actually the only place in the reduction where $\tau_0$ could not be computed directly as $u^s$ for a known $s$ is when the challenger $\bdv$ has to embed an SXDH challenge in a simulated signature. Given ($g,h,g^b,h^{b+c}$), $\bdv$ can compute $u=g^{a_u}h^{b_u}$ from random $a_u,b_u\gets\ZZ_p$ and program the random oracle to output this element $u$ as the specification of the public-key would do. Then to simulate $\tau_0$ $\bdv$ simply has to compute $\tau_0=(g^b)^{a_u}(h^{b+c})^{b_v}=u^bh^{c\cdot b_v}$ which is $u^b$ or random. The rest of the reduction remains unchanged since the value $a_u,b_u$ are completely independent of those already described in the sketch of proof in \cref{sse:sigmasig-qa-nizk}. \smallskip In the other case, we have to show that a corrupted committer remains unable to produce valid signature on a new vector ${\mathbf{m}^\star}$. First, since the generation of $u$ is not under the controlled of the committer but of the random oracle, $u$ can be made independent of rest of $\mathsf{pk}$. Then, we only need to show that the signature remains unforgeable when $\tau_0$ is given in the signature. Since ${\mathbf{m}}$ and $s$ can be extracted from the proof of knowledge the reduction can output a signature on ${\mathbf{m}}$. Moreover it is easy to see from the security proof (in \cref{sse:sigmasig-qa-nizk}) of the signature how this additional element can be simulated. Actually the only place in the reduction where $\tau_0$ could not be computed directly as $u^s$ for a known $s$ is when the challenger $\bdv$ has to embed an $\SXDH$ challenge in a simulated signature. Given ($g,h,g^b,h^{b+c}$), $\bdv$ can compute $u=g^{a_u}h^{b_u}$ from random $a_u,b_u\gets\ZZ_p$ and program the random oracle to output this element $u$ as the specification of the public-key would do. Then to simulate $\tau_0$ $\bdv$ simply has to compute $\tau_0=(g^b)^{a_u}(h^{b+c})^{b_v}=u^bh^{c\cdot b_v}$ which is $u^b$ or random. The rest of the reduction remains unchanged since the value $a_u,b_u$ are completely independent of those already described in the sketch of proof in \cref{sse:sigmasig-qa-nizk}. \smallskip
\noindent \textbf{Remark.} \noindent \textbf{Remark.}
% %
Since a malicious signer may know the simulation trapdoor $\mathsf{tk}=\{\chi_i\}_{i=1}^{2\ell+4}$ of the underlying QA-NIZK argument, he could produce valid signature so that $\log_g \sigma_2\neq\log_h \sigma_3$. Then, if the committer later needs to proof knowledge of the received signature it then has to use the sigma protocol of Section~\ref{scal-sig} where both $\sigma_2$ and $\sigma_3$ only appear in committed form. Since a malicious signer may know the simulation trapdoor $\mathsf{tk}=\{\chi_i\}_{i=1}^{2\ell+4}$ of the underlying \QANIZK argument, he could produce valid signature so that $\log_g \sigma_2\neq\log_h \sigma_3$. Then, if the committer later needs to proof knowledge of the received signature it then has to use the sigma protocol of Section~\ref{scal-sig} where both $\sigma_2$ and $\sigma_3$ only appear in committed form.
@ -749,7 +749,7 @@ on a committed message $\ID \in \Zp$. Here, we use a deterministic commitment to
efficiency. When signing a message, each group member verifiably encrypts the components $(\sigma_1,\pi)$ of his membership certificate that depend on $\ID$ (and not $\sigma_2,\sigma_3$ which can be assumed to be honestly computed here, unlike in the previous section). efficiency. When signing a message, each group member verifiably encrypts the components $(\sigma_1,\pi)$ of his membership certificate that depend on $\ID$ (and not $\sigma_2,\sigma_3$ which can be assumed to be honestly computed here, unlike in the previous section).
For the sake of efficiency, we use a randomness re-using \cite{BBKS07} variant of the Cramer-Shoup encryption scheme \cite{CS98} whereby $\sigma_1$ and $\pi$ are both encrypted using For the sake of efficiency, we use a randomness re-using \cite{BBKS07} variant of the Cramer-Shoup encryption scheme \cite{CS98} whereby $\sigma_1$ and $\pi$ are both encrypted using
the same encryption exponent $\theta \in \Zp$. For public verifiability purposes, the validity of Cramer-Shoup ciphertexts is demonstrated using the same encryption exponent $\theta \in \Zp$. For public verifiability purposes, the validity of Cramer-Shoup ciphertexts is demonstrated using
$\Sigma$-protocols and the Fiat-Shamir heuristic \cite{FS86} (somewhat in the fashion of \cite{SG98}) rather than designated verifier NIZK proofs \cite{CS98}. \\ $\Sigma$-protocols and the Fiat-Shamir heuristic \cite{FS86} (somewhat in the fashion of \cite{SG98}) rather than designated verifier $\NIZK$ proofs \cite{CS98}. \\
\indent \indent
In the join protocol, the user proves knowledge of his membership secret $\ID \in \Zp$ in a zero-knowledge manner, which restricts the group manager to sequentially interact In the join protocol, the user proves knowledge of his membership secret $\ID \in \Zp$ in a zero-knowledge manner, which restricts the group manager to sequentially interact
with prospective users. However, this limitation can be removed using an extractable commitment as in \cite{DP06}. with prospective users. However, this limitation can be removed using an extractable commitment as in \cite{DP06}.
@ -779,15 +779,15 @@ with prospective users. However, this limitation can be removed using an extract
that will be modeled as a random oracle. that will be modeled as a random oracle.
\item Define \item Define
$\mathcal Y = \bigl\{ \pk_s, X_z, X_\sigma, X_\ID \bigr\} $ to be the group public key. $\gspk = \bigl\{ \pk_s, X_z, X_\sigma, X_\ID \bigr\} $ to be the group public key.
The group manager's private key is $\mathcal S_\GM = \omega = \sk_s$ whereas the opening authority's private key consists of The group manager's private key is $\mathcal{S}_\GM = \omega = \sk_s$ whereas the opening authority's private key consists of
$ \mathcal S_\mathrm{OA} = \bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$. $ \mathcal{S}_\mathrm{OA} = \bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$.
\end{enumerate} \vspace{-1mm} \end{enumerate} \vspace{-1mm}
% %
\begin{description} \begin{description}
\item[\textsf{Join}$^{(\GM, \U_i)}$:] The group manager $\GM$, and the \item[\textsf{Join}$^{(\GM, \U_i)}$:] The group manager $\GM$, and the
prospective user $\U_i$ run the following interactive protocol: prospective user $\U_i$ run the following interactive protocol:
%$[ \mathsf J_{\user}(\lambda, \mathcal Y), \mathsf J_\GM(\lambda, St, \mathcal Y, \mathcal S_{\GM}) ]$ %$[ \mathsf{J}_{\user}(\lambda, \gspk), \mathsf{J}_\GM(\lambda, St, \gspk, \mathcal{S}_{\GM}) ]$
\end{description} \vspace{-2mm} \end{description} \vspace{-2mm}
\begin{enumerate} \begin{enumerate}
\item $\U_i$ chooses ${\ID \sample \Zp}$ and sends the following to \item $\U_i$ chooses ${\ID \sample \Zp}$ and sends the following to
@ -813,13 +813,13 @@ with prospective users. However, this limitation can be removed using an extract
\item $\GM$ uses $V_\ID=v^{\ID}$ to sign $\ID$ using the scheme of \item $\GM$ uses $V_\ID=v^{\ID}$ to sign $\ID$ using the scheme of
section~\ref{scal-sig}: i.e., $\GM$ picks $s \sample \Zp$, and section~\ref{scal-sig}: i.e., $\GM$ picks $s \sample \Zp$, and
uses $\mathcal S_\GM = \omega$ to compute uses $\mathcal{S}_\GM = \omega$ to compute
$\sigma_1= g^\omega\cdot(V_\ID \cdot w)^s= g^\omega \cdot (v^\ID \cdot w)^s$ $\sigma_1= g^\omega\cdot(V_\ID \cdot w)^s= g^\omega \cdot (v^\ID \cdot w)^s$
and and
\begin{align*} \begin{align*}
\sigma_2 & = g^s, & \sigma_3 & = h^s. \sigma_2 & = g^s, & \sigma_3 & = h^s.
\end{align*} \end{align*}
Then $\GM$ uses $Z_{\ID}$ to generate the QA-NIZK proof $\pi\in \GG$ as Then $\GM$ uses $Z_{\ID}$ to generate the \QANIZK proof $\pi\in \GG$ as
\begin{align*} \begin{align*}
\pi &= z_1^\omega \cdot (Z_{\ID} \cdot z_3)^s \pi &= z_1^\omega \cdot (Z_{\ID} \cdot z_3)^s
= z_1^\omega \cdot (z_2^\ID \cdot z_3)^s = z_1^\omega \cdot (z_2^\ID \cdot z_3)^s
@ -836,7 +836,7 @@ with prospective users. However, this limitation can be removed using an extract
\end{enumerate} \end{enumerate}
% %
\begin{description} \begin{description}
\item[\textsf{Sign}$(\mathcal Y, \scr_i, \crt_i, M)$:] Given a message $M \in \bit^*$ and a secret $\scr_i = \ID$, the user $\U_i$ \item[\textsf{Sign}$(\gspk, \scr_i, \crt_i, M)$:] Given a message $M \in \bit^*$ and a secret $\scr_i = \ID$, the user $\U_i$
does the following: does the following:
\end{description} \vspace{-2mm} \end{description} \vspace{-2mm}
\begin{enumerate} \begin{enumerate}
@ -888,7 +888,7 @@ with prospective users. However, this limitation can be removed using an extract
\end{enumerate} \end{enumerate}
% %
\begin{description} \begin{description}
\item[\textsf{Verify}$(\mathcal Y, M, \Sigma)$:] \item[\textsf{Verify}$(\gspk, M, \Sigma)$:]
Parse the signature $\Sigma$ as in \eqref{gsig-sigma} and $C_{\mathsf{CS}}$ as Parse the signature $\Sigma$ as in \eqref{gsig-sigma} and $C_{\mathsf{CS}}$ as
$(C_1, C_2, C_z, C_\sigma, C_\ID)$. $(C_1, C_2, C_z, C_\sigma, C_\ID)$.
Then, output 1 if the the zero-knowledge proof verifies. Namely, Then, output 1 if the the zero-knowledge proof verifies. Namely,
@ -940,11 +940,11 @@ with prospective users. However, this limitation can be removed using an extract
\end{enumerate} \vspace{-1mm} \end{enumerate} \vspace{-1mm}
% %
\begin{description} \begin{description}
\item[\textsf{Open}$(\mathcal Y, \mathcal S_\OA, M, \Sigma)$:] Given a pair $(M,\Sigma)$ \item[\textsf{Open}$(\gspk, \mathcal{S}_\OA, M, \Sigma)$:] Given a message-signature pair $(M,\Sigma)$
and the $\mathsf{OA}$'s private key $S_\mathrm{OA} = \bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$: \vspace{-1mm} and the $\mathsf{OA}$'s private key $S_\mathrm{OA} = \bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$: \vspace{-1mm}
\end{description} \end{description}
\begin{enumerate} \begin{enumerate}
%\item Parse the signature $\Sigma$ as per~\eqref{gsig-sigma} and $\mathcal S_\OA$ as $ \bigl(x_z, y_z, x_r, y_r, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$. %\item Parse the signature $\Sigma$ as per~\eqref{gsig-sigma} and $\mathcal{S}_\OA$ as $ \bigl(x_z, y_z, x_r, y_r, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$.
\item Decrypt $C_{\mathsf{CS}}=(C_1, C_2, C_z, C_\sigma, C_\ID)$ by computing \item Decrypt $C_{\mathsf{CS}}=(C_1, C_2, C_z, C_\sigma, C_\ID)$ by computing
$\sigma_1 = C_\sigma \cdot C_1^{-x_\sigma} \cdot C_2^{-y_\sigma}$, $\sigma_1 = C_\sigma \cdot C_1^{-x_\sigma} \cdot C_2^{-y_\sigma}$,
$ \pi = C_z \cdot C_1^{-x_z} \cdot C_2^{-y_z}$ and $V_\ID =C_\ID \cdot C_1^{-x_\ID} C_2^{-y_\ID}$. $ \pi = C_z \cdot C_1^{-x_z} \cdot C_2^{-y_z}$ and $V_\ID =C_\ID \cdot C_1^{-x_\ID} C_2^{-y_\ID}$.
@ -985,18 +985,19 @@ This results in a modified opening algorithm which takes $O(N)$ in the worst-cas
\subsection{Security} \subsection{Security}
\begin{theorem} \label{gsig-anon} \begin{theorem} \label{gsig-anon}
If SXDH holds in $(\GG, \Gh, \GT)$, the scheme is CCA-anonymous in the random oracle model. %\vspace{-1mm} If $\SXDH$ holds in $(\GG, \Gh, \GT)$, the scheme is CCA-anonymous in the random oracle model. %\vspace{-1mm}
\end{theorem} \end{theorem}
\begin{proof} \begin{proof}
We use a sequence of games where, for each $i$, $W_i$ is the event that the adversary $\adv$ wins in Game $i$. We use a sequence of games where, for each $i$, $W_i$ is the event that the adversary $\adv$ wins in Game $i$.
\\ \\
At the first transition, we need to rely on the security of the computational soundness of the QA-NIZK argument of Section~\ref{QA-NIZK-scheme} which relies on the SXDH assumption, since $\tilde \sigma_2$ and At the first transition, we need to rely on the security of the computational soundness of the \QANIZK argument of Section~\ref{sse:sigmasig-qa-nizk} which relies on the $\SXDH$ assumption, since $\tilde \sigma_2$ and
$\tilde \sigma_3$ appear un-encrypted in each group signature. $\tilde \sigma_3$ appear un-encrypted in each group signature.
\vspace{-2mm} \vspace{-2mm}
\begin{description} \begin{description}
\item[Game 0:] This is the real CCA-anonymity game. In the challenge phase, the adversary outputs two valid membership certificates and membership secrets $(\crt_0^\star,\scr_0^\star),(\crt_1^\star,\scr_1^\star)$ and obtains a challenge signature which the challenger computes using $(\crt_d^\star,\scr_d^\star)$, where $d\sample \{0,1\}$. We define $W_0$ to be the event that \item[Game 0:] This is the real CCA-anonymity game.\\
In the challenge phase, the adversary outputs two valid membership certificates and membership secrets $(\crt_0^\star,\scr_0^\star),(\crt_1^\star,\scr_1^\star)$ and obtains a challenge signature which the challenger computes using $(\crt_d^\star,\scr_d^\star)$, where $d\sample \{0,1\}$. We define $W_0$ to be the event that
the adversary outputs $d'=d$. the adversary outputs $d'=d$.
\item[Game 1:] This game is as Game $0$, except that the challenger $\bdv$ aborts in the event, \item[Game 1:] This game is as Game $0$, except that the challenger $\bdv$ aborts in the event,
@ -1007,7 +1008,7 @@ $\tilde \sigma_3$ appear un-encrypted in each group signature.
This implies that the vector This implies that the vector
$(\sigma_1^\star, \sigma_2^{\star \ID}, \sigma_2^\star, \sigma_3^{\star \ID}, \sigma_3^\star, \Omega)$ $(\sigma_1^\star, \sigma_2^{\star \ID}, \sigma_2^\star, \sigma_3^{\star \ID}, \sigma_3^\star, \Omega)$
is outside the row space of the matrix $\mathbf{M}$ (\ref{matrix-scal-sig}), so that $F_1$ would contradict is outside the row space of the matrix $\mathbf{M}$ (\ref{matrix-scal-sig}), so that $F_1$ would contradict
the soundness of the QA-NIZK proof of \cite{KW15} the soundness of the \QANIZK proof of \cite{KW15}
(via the same arguments as in Theorem 9 of \cite{LPY15} since the matrix can be witness-samplable here) (via the same arguments as in Theorem 9 of \cite{LPY15} since the matrix can be witness-samplable here)
and thus the DDH assumption in $\Gh$. We have and thus the DDH assumption in $\Gh$. We have
$ [\Pr[W_1] - P[W_0] | \leq \advantage{\DDH}{\Gh}(\lambda).$ $ [\Pr[W_1] - P[W_0] | \leq \advantage{\DDH}{\Gh}(\lambda).$
@ -1027,7 +1028,7 @@ $\tilde \sigma_3$ appear un-encrypted in each group signature.
Thus $|\Pr[W_2] - \Pr[W_1] | \leq 1/p^3$ Thus $|\Pr[W_2] - \Pr[W_1] | \leq 1/p^3$
\item[Game 3:] We modify again the generation of the challenge signature $ \Sigma^\star $. Namely, the challenger computes \item[Game 3:] We modify again the generation of the challenge signature $ \Sigma^\star $. Namely, the challenger computes
$C_z, C_\sigma, C_\ID$ using $\mathcal S_\OA$ as follows $C_z, C_\sigma, C_\ID$ using $\mathcal{S}_\OA$ as follows
\begin{align*} \begin{align*}
C_z &= \tilde \pi \cdot C_1^{x_z} \cdot C_2^{y_z}, \\ C_z &= \tilde \pi \cdot C_1^{x_z} \cdot C_2^{y_z}, \\
C_\sigma &= \tilde \sigma \cdot C_1^{x_\sigma} \cdot C_2^{y_\sigma}, & C_\sigma &= \tilde \sigma \cdot C_1^{x_\sigma} \cdot C_2^{y_\sigma}, &
@ -1090,7 +1091,7 @@ It comes that $\Pr[W_5]=1/2$. \medskip
$\bdv$ faithfully generates the signature public key by faithfully running steps $1$, $2$, $3$ of the signature scheme $\bdv$ faithfully generates the signature public key by faithfully running steps $1$, $2$, $3$ of the signature scheme
of Section~\ref{scal-sig} and then calls for the signing oracle to obtain homomorphic signatures $\{ (z_j, r_j) \}_{j=1}^3$ of Section~\ref{scal-sig} and then calls for the signing oracle to obtain homomorphic signatures $\{ (z_j, r_j) \}_{j=1}^3$
on the rows of the matrix $\mathbf{M} \in \GG^{3 \times 6}$. It then conducts the remaining steps faithfully to obtain a on the rows of the matrix $\mathbf{M} \in \GG^{3 \times 6}$. It then conducts the remaining steps faithfully to obtain a
group public key $\mathcal Y$. Since $\bdv$ knows $\mathcal S_\OA$, it an perfectly simulate the opening oracle. If group public key $\gspk$. Since $\bdv$ knows $\mathcal{S}_\OA$, it an perfectly simulate the opening oracle. If
$F_1$ occurs -- which it does by hypothesis --, one of the two membership certificate $\crt_d^\star$ of the challenge $F_1$ occurs -- which it does by hypothesis --, one of the two membership certificate $\crt_d^\star$ of the challenge
phase must contain a signature $\sigma^\star$ such that $\log_g(\sigma_2^\star) \neq \log_h(\sigma^\star_3)$. At this phase must contain a signature $\sigma^\star$ such that $\log_g(\sigma_2^\star) \neq \log_h(\sigma^\star_3)$. At this
point, $\bdv$ can win the game against its challenger by outputting the vector $(\sigma_1^\star, \sigma^{\star \ID}_2, point, $\bdv$ can win the game against its challenger by outputting the vector $(\sigma_1^\star, \sigma^{\star \ID}_2,
@ -1162,7 +1163,7 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re
\begin{theorem} \begin{theorem}
In the ROM, the scheme is secure against In the ROM, the scheme is secure against
mis-identification attacks under the SXDH assumption in $(\GG,\Gh)$. mis-identification attacks under the $\SXDH$ assumption in $(\GG,\Gh)$.
\vspace{-1mm} \vspace{-1mm}
\end{theorem} \end{theorem}
% %
@ -1179,7 +1180,7 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re
scheme of section~\ref{scal-sig}. \medskip scheme of section~\ref{scal-sig}. \medskip
\\ \\
\noindent \textit{Keygen.} At the key generation, $\bdv$ invokes its own challenger for the chosen-message security game to obtain the \noindent \textit{Keygen.} At the key generation, $\bdv$ invokes its own challenger for the chosen-message security game to obtain the
public key $\pk_s$ for the signature scheme. $\pk_s$ is embedded in the group public key $\mathcal Y$. Except for $\mathcal S_\GM$, all keys public key $\pk_s$ for the signature scheme. $\pk_s$ is embedded in the group public key $\gspk$. Except for $\mathcal{S}_\GM$, all keys
are generated as in the normal are generated as in the normal
\textsf{Keygen} algorithm. \medskip \textsf{Keygen} algorithm. \medskip
\\ \\
@ -1192,19 +1193,20 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re
\medskip \medskip
\\ \\
\noindent At some point, the attacker $\adv$ produces a valid forgery \noindent At some point, the attacker $\adv$ produces a valid forgery
$(M^\star, \Sigma^\star = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star, \[ (M^\star, \Sigma^\star = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star,
\tilde \sigma_2^\star, \tilde \sigma_3^\star, c^\star, s_\ID^\star, s_\theta^\star))$ for \tilde \sigma_2^\star, \tilde \sigma_3^\star, c^\star, s_\ID^\star, s_\theta^\star))\] for
which the opening algorithm does not reveal a properly registered identity. With all but negligible probability, $\adv$ must have queried the random oracle value which the opening algorithm does not reveal a properly registered identity. With all but negligible probability, $\adv$ must have queried the random oracle value
$H(M^\star, C_{\mathsf{CS}}^\star,\tilde{\sigma}_2^\star,\tilde{\sigma}_3^\star, R_1^\star, R_2^\star, R_3^\star, R_4^\star)$ which would have been unpredictable otherwise. \medskip \[ H(M^\star, C_{\mathsf{CS}}^\star,\tilde{\sigma}_2^\star,\tilde{\sigma}_3^\star, R_1^\star, R_2^\star, R_3^\star, R_4^\star)\]
\\ which would have been unpredictable otherwise.
Thus, $\bdv$ replays the adversary $\adv$ with the \emph{same} input and random tape as in the first run. In the second run, the random oracle is also the same until the hash query Thus, $\bdv$ replays the adversary $\adv$ with the \emph{same} input and random tape as in the first run. In the second run, the random oracle is also the same until the hash query
$H(M^\star, C_{\mathsf{CS}}^\star,\tilde{\sigma}_2^\star,\tilde{\sigma}_3^\star, R_1^\star, R_2^\star, R_3^\star, R_4^\star)$. At this point, \[ H(M^\star, C_{\mathsf{CS}}^\star,\tilde{\sigma}_2^\star,\tilde{\sigma}_3^\star, R_1^\star, R_2^\star, R_3^\star, R_4^\star).\]
the forking occurs and $\bdv$ outputs fresh random oracle values. By the Forking Lemma of~\cite{BN06}, $\bdv$ obtains At this point, the forking occurs and $\bdv$ outputs fresh random oracle values. By the Forking Lemma of~\cite{BN06}, $\bdv$ obtains
two suitably related forgeries with non-negligible probability $\varepsilon \cdot (\varepsilon / q_H -1/p) $. Namely, $\bdv$ will obtain two matching transcripts two suitably related forgeries with non-negligible probability $\varepsilon \cdot (\varepsilon / q_H -1/p) $. Namely, $\bdv$ will obtain two matching transcripts
$(C_{\mathsf{CS}}^\star, \tilde \sigma_2^\star, \tilde \sigma_3^\star, c^\star, s_\ID^\star, s_\theta^\star)$, $(C_{\mathsf{CS}}^\star, \tilde \sigma_2^\star, \tilde \sigma_3^\star, c^\star, s_\ID^\star, s_\theta^\star)$,
$(C_{\mathsf{CS}}^\star, \tilde \sigma_2^\star, \tilde \sigma_3^\star, c^\dag, s_\ID^\dag, s_\theta^\dag )$ $(C_{\mathsf{CS}}^\star, \tilde \sigma_2^\star, \tilde \sigma_3^\star, c^\dag, s_\ID^\dag, s_\theta^\dag )$
of the $\Sigma$-protocol for the commitment message of the $\Sigma$-protocol for the commitment message
$\mathsf{com}=(C_{\mathsf{CS}}^\star,\tilde{\sigma}_2^\star,\tilde{\sigma}_3^\star, R_1^\star, R_2^\star, R_3^\star, R_4^\star)$. \[ \mathsf{com}=(C_{\mathsf{CS}}^\star,\tilde{\sigma}_2^\star,\tilde{\sigma}_3^\star, R_1^\star, R_2^\star, R_3^\star, R_4^\star).\]
From the responses From the responses
$s_\ID^\star$ and $s_\ID^\star$ and
$s_\ID^\dag$ (that necessarily involve the same identifier $\ID^\star$ which is uniquely determined by $C_{\mathsf{CS}}^\star = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star)$), $\bdv$ runs the knowledge extractor of to obtain $s_\ID^\dag$ (that necessarily involve the same identifier $\ID^\star$ which is uniquely determined by $C_{\mathsf{CS}}^\star = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star)$), $\bdv$ runs the knowledge extractor of to obtain
@ -1222,7 +1224,7 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re
%\end{align*} %\end{align*}
\medskip \medskip
\\ \\
Finally $\bdv$ uses $\mathcal S_\OA$ to extract $\tilde \sigma_1^\star, \tilde r^\star, \tilde z^\star$ and outputs Finally $\bdv$ uses $\mathcal{S}_\OA$ to extract $\tilde \sigma_1^\star, \tilde r^\star, \tilde z^\star$ and outputs
$\bigl(\ID^\star, \sigma^\star = (\tilde \sigma_1^\star,\tilde \sigma^\star_2,\tilde \sigma_3^\star, \tilde r^\star, \tilde z^\star)\bigr)$ as a forgery $\bigl(\ID^\star, \sigma^\star = (\tilde \sigma_1^\star,\tilde \sigma^\star_2,\tilde \sigma_3^\star, \tilde r^\star, \tilde z^\star)\bigr)$ as a forgery
for the signature scheme of Section~\ref{scal-sig}. for the signature scheme of Section~\ref{scal-sig}.
%\vspace{-1mm} %\vspace{-1mm}
@ -1235,10 +1237,10 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re
\end{theorem} \end{theorem}
\begin{proof} Let us assume that a PPT adversary $\adv$ can create, with advantage $\varepsilon$, a forgery $(M^\star,\sigma^\star)$ that opens to some honest user $i\in U^b$ who did not sign $M^\star$. We give a reduction $\bdv$ that uses $\adv$ to break SDL. \\ \begin{proof} Let us assume that a PPT adversary $\adv$ can create, with advantage $\varepsilon$, a forgery $(M^\star,\sigma^\star)$ that opens to some honest user $i\in U^b$ who did not sign $M^\star$. We give a reduction $\bdv$ that uses $\adv$ to break SDL. \\
\indent Algorithm $\bdv$ takes as input an SDL instance $(g,\hat{g},g^a,\hat{g}^a)$ and uses its interaction with the adversary $\adv$ to compute $a \in \Zp$. \indent Algorithm $\bdv$ takes as input an SDL instance $(g,\hat{g},g^a,\hat{g}^a)$ and uses its interaction with the adversary $\adv$ to compute $a \in \Zp$.
To generate the group public key $\mathcal{Y}$, $\bdv$ runs all the steps of the real setup algorithm $\textsf{Keygen}$ except step 1. To generate the group public key $\gspk$, $\bdv$ runs all the steps of the real setup algorithm $\textsf{Keygen}$ except step 1.
At step 1, $\bdv$ defines the generators $g,\hat{g}$ in $\pk_s$ to be those of its input and computes $h=g^{\alpha_h}$, $v=g^{\alpha_v}$, $w=g^{\alpha_w}$, $\hat{g}_z=\hat{g}^{\alpha_z}$ for randomly chosen scalars $\alpha_h,\alpha_v,\alpha_w,\alpha_z \sample \Zp$. At step 1, $\bdv$ defines the generators $g,\hat{g}$ in $\pk_s$ to be those of its input and computes $h=g^{\alpha_h}$, $v=g^{\alpha_v}$, $w=g^{\alpha_w}$, $\hat{g}_z=\hat{g}^{\alpha_z}$ for randomly chosen scalars $\alpha_h,\alpha_v,\alpha_w,\alpha_z \sample \Zp$.
In order to compute $\{z_j\}_{j=1}^3$ of $\mathsf{crs}$ contained in $\pk_s$, $\bdv$ chooses $\mathsf{tk}=\{\chi_j\}_{j=1}^6$ of step 4 of the key generation algorithm of the signature scheme of Section \ref{scal-sig} with $\ell=1$. (Note that when $\ell=1$, $n=6$ and that $\{z_j\}_{j=1}^3$ are QA-NIZK argument for the vectors $(g,1,1,1,1,h)$, $(v,g,1,h,1,1)$ and $(w,1,g,1,h,1)$. Moreover $\{\hat{g}_i=\hat{g}_z^{\chi_i}\}_{i=1}^6$ are the verifying key.) In order to compute $\{z_j\}_{j=1}^3$ of $\mathsf{crs}$ contained in $\pk_s$, $\bdv$ chooses $\mathsf{tk}=\{\chi_j\}_{j=1}^6$ of step 4 of the key generation algorithm of the signature scheme of Section \ref{scal-sig} with $\ell=1$. (Note that when $\ell=1$, $n=6$ and that $\{z_j\}_{j=1}^3$ are \QANIZK argument for the vectors $(g,1,1,1,1,h)$, $(v,g,1,h,1,1)$ and $(w,1,g,1,h,1)$. Moreover $\{\hat{g}_i=\hat{g}_z^{\chi_i}\}_{i=1}^6$ are the verifying key.)
As a result of this setup phase, $\bdv$ knows $\mathcal{S}_{\GM}=\sk_s=\omega$, $\mathcal{S}_{\OA}=\bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$ and even $\mathsf{tk}$. The adversary $\adv$ is run on input of the group public key $\mathcal{Y}:=(\pk_s,(X_z,X_\sigma,X_{\ID}),H)$, which has the same distribution as in the real attack game. \medskip As a result of this setup phase, $\bdv$ knows $\mathcal{S}_{\GM}=\sk_s=\omega$, $\mathcal{S}_{\OA}=\bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$ and even $\mathsf{tk}$. The adversary $\adv$ is run on input of the group public key $\gspk:=(\pk_s,(X_z,X_\sigma,X_{\ID}),H)$, which has the same distribution as in the real attack game. \medskip
\\ \\
Should $\adv$ decide to corrupt the group manager or the opening authority during the game, $\bdv$ is able to reveal $\mathcal{S}_{\GM}=\sk_s$ and $\mathcal{S}_{\OA}$ when requested. Should $\adv$ decide to corrupt the group manager or the opening authority during the game, $\bdv$ is able to reveal $\mathcal{S}_{\GM}=\sk_s$ and $\mathcal{S}_{\OA}$ when requested.
%At the outset of the game, $\bdv$ picks a random $j^\star \sample \{1,\ldots,q_b\}$ and interacts with $\adv$ as follows. %At the outset of the game, $\bdv$ picks a random $j^\star \sample \{1,\ldots,q_b\}$ and interacts with $\adv$ as follows.
@ -1257,9 +1259,9 @@ $ \vec{v}_i= (V_i,G_i,1,H_i,1,1)=(v,g,1,h,1,1)^{\ID_i}$ as
\[ \[
V_i =(g^a)^{\alpha_v\cdot\delta_i}, \quad G_i = (g^a)^{\delta_i}, \quad H_i =(g^a)^{\alpha_h\cdot\delta_i}, V_i =(g^a)^{\alpha_v\cdot\delta_i}, \quad G_i = (g^a)^{\delta_i}, \quad H_i =(g^a)^{\alpha_h\cdot\delta_i},
\] \]
and then computes $Z_i$ as a simulated QA-NIZK proof for $\vec{v}_i \in \GG^6$ using $\mathsf{tk}$. and then computes $Z_i$ as a simulated \QANIZK proof for $\vec{v}_i \in \GG^6$ using $\mathsf{tk}$.
A straightforward calculation A straightforward calculation
shows that $Z_i=z_2^{\ID_i}$ since the QA-NIZK argument of Section \ref{QA-NIZK-scheme} has a deterministic proving algorithm, so that shows that $Z_i=z_2^{\ID_i}$ since the \QANIZK argument of Section \ref{sse:sigmasig-qa-nizk} has a deterministic proving algorithm, so that
$(V_i,Z_i,\hat{G}_{2,i},\hat{G}_{4,i})$ successfully passes the test of step 2. $(V_i,Z_i,\hat{G}_{2,i},\hat{G}_{4,i})$ successfully passes the test of step 2.
As for the last two components, for each $j\in \{2,4\}$, $\bdv$ computes As for the last two components, for each $j\in \{2,4\}$, $\bdv$ computes
\begin{eqnarray*} \begin{eqnarray*}
@ -1271,7 +1273,7 @@ At step 3 of $\mathsf{Join}$, $\bdv$ simulates the interactive proof of knowledg
In the rest of the protocol, $\bdv$ proceeds like the actual run and obtains $ \crt_{i}=(i, V_i, \sigma_1, \sigma_2, \sigma_3, \pi)$. In the rest of the protocol, $\bdv$ proceeds like the actual run and obtains $ \crt_{i}=(i, V_i, \sigma_1, \sigma_2, \sigma_3, \pi)$.
Finally, $\bdv$ stores $(\crt_{i},Z_i,\delta_i,\hat{G}_{2,i},\hat{G}_{4,i})$. Finally, $\bdv$ stores $(\crt_{i},Z_i,\delta_i,\hat{G}_{2,i},\hat{G}_{4,i})$.
% \item[-] $Q_{\mathsf{pub}}$-queries: These can be answered as in the real game, by having the simulator return % \item[-] $Q_{\mathsf{pub}}$-queries: These can be answered as in the real game, by having the simulator return
%$\mathcal{Y}$. %$\gspk$.
\item[-] $Q_{\mathsf{sig}}$-queries: When $\adv$ requests user $i \in U^b$ to sign a message $M$, $\bdv$ is able to use \item[-] $Q_{\mathsf{sig}}$-queries: When $\adv$ requests user $i \in U^b$ to sign a message $M$, $\bdv$ is able to use
the membership certificate $ \crt_{i}=(i, V_i, \sigma_1, \sigma_2, \sigma_3, \pi)$ to compute the ciphertext $C_{\mathsf{CS}}$ at steps 1-2 of the signing algorithm. the membership certificate $ \crt_{i}=(i, V_i, \sigma_1, \sigma_2, \sigma_3, \pi)$ to compute the ciphertext $C_{\mathsf{CS}}$ at steps 1-2 of the signing algorithm.
While $\bdv$ does not know the witness $\ID_i=a\cdot\delta_i\in\Zp$ to generate a proof at step 3, $\bdv$ is able to simulate the While $\bdv$ does not know the witness $\ID_i=a\cdot\delta_i\in\Zp$ to generate a proof at step 3, $\bdv$ is able to simulate the
@ -1282,7 +1284,7 @@ More precisely, $\bdv$ re-randomizes the certificate $\crt_i$ by picking $r
\tilde \pi & = \pi \cdot (Z_i \cdot z_3)^r, & \tilde \sigma_3 & = \sigma_3 \cdot h^r. \tilde \pi & = \pi \cdot (Z_i \cdot z_3)^r, & \tilde \sigma_3 & = \sigma_3 \cdot h^r.
\end{align*} \end{align*}
Then $\bdv$ encrypts $\tilde \pi$, $\tilde \sigma_1$ and $V_i$ as in the real Then $\bdv$ encrypts $\tilde \pi$, $\tilde \sigma_1$ and $V_i$ as in the real
signing algorithm to get ${C}_{\mathsf{CS}}=(C_1, C_2, C_z, C_\sigma, C_\ID)$. Then, $\bdv$ signing algorithm to get the encryption ${C}_{\mathsf{CS}}=(C_1, C_2, C_z, C_\sigma, C_\ID)$. Then, $\bdv$
chooses $c, s_\ID, s_\theta\in\Zp$ and computes $R_1,R_2,R_3,R_4$ as in chooses $c, s_\ID, s_\theta\in\Zp$ and computes $R_1,R_2,R_3,R_4$ as in
(\ref{gsig-verif-1}) and (\ref{gsig-verif-2}) of $\mathsf{Verify}$. Finally, $\bdv$ (\ref{gsig-verif-1}) and (\ref{gsig-verif-2}) of $\mathsf{Verify}$. Finally, $\bdv$
programs $H$ to return $c$ on inputs $(M, C_{\mathsf{CS}},\tilde \sigma_2, \tilde \sigma_3, R_1, R_2, R_3, R_4)$. In the event that $H$ is already defined at that point, programs $H$ to return $c$ on inputs $(M, C_{\mathsf{CS}},\tilde \sigma_2, \tilde \sigma_3, R_1, R_2, R_3, R_4)$. In the event that $H$ is already defined at that point,
@ -1297,9 +1299,11 @@ $q_s$ is the number of signing queries.
\end{align*} \end{align*}
for some message $M^\star$, that opens to ${i^\star} \in U^b$ although user $i^\star$ did not sign $M^\star$. With high probability, $\adv$ must have queried the hash value for some message $M^\star$, that opens to ${i^\star} \in U^b$ although user $i^\star$ did not sign $M^\star$. With high probability, $\adv$ must have queried the hash value
$H(M^\star, C_{\mathsf{CS}}^\star, \tilde \sigma_2^\star,\tilde \sigma_3^\star,R_1^\star, R_2^\star, R_3^\star, R_4^\star)$, which would be unpredictable otherwise. $H(M^\star, C_{\mathsf{CS}}^\star, \tilde \sigma_2^\star,\tilde \sigma_3^\star,R_1^\star, R_2^\star, R_3^\star, R_4^\star)$, which would be unpredictable otherwise.
Hence, $\bdv$ can run $\adv$ a second time with the same input and random tape. At the moment when $\adv$ queries $H(M^\star, C_{\mathsf{CS}}^\star, \tilde \sigma_2^\star,\tilde \sigma_3^\star,R_1^\star, R_2^\star, R_3^\star, R_4^\star)$ in the second run, $\bdv$ starts responding with different random oracle values which depart from those of the initial run. Hence, $\bdv$ can run $\adv$ a second time with the same input and random tape.
At the moment when $\adv$ queries $H(M^\star, C_{\mathsf{CS}}^\star, \tilde \sigma_2^\star,\tilde \sigma_3^\star,R_1^\star, R_2^\star, R_3^\star, R_4^\star)$ in the second run, $\bdv$ starts responding with different random oracle values which depart from those of the initial run.
The Forking Lemma of \cite{BN06} ensures that, with non-negligible probability the second run will result in a forgery The Forking Lemma of \cite{BN06} ensures that, with non-negligible probability the second run will result in a forgery
$\Sigma^\dag = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star, \tilde \sigma_2^\dag, \tilde \sigma_3^\dag, c^\dag, s_\ID^\dag, s_\theta^\dag)$ on \[\Sigma^\dag = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star, \tilde \sigma_2^\dag, \tilde \sigma_3^\dag, c^\dag, s_\ID^\dag, s_\theta^\dag)\] on
the same message $M^\star$, the same message $M^\star$,
with distinct challenges with distinct challenges
$c^\dag\neq c^\star$. From the two responses $(s_\ID^\star, s_\theta^\star)$, $(s_\ID^\dagger, s_\theta^\dagger)$, $\bdv$ can extract witnesses $c^\dag\neq c^\star$. From the two responses $(s_\ID^\star, s_\theta^\star)$, $(s_\ID^\dagger, s_\theta^\dagger)$, $\bdv$ can extract witnesses
@ -1318,6 +1322,7 @@ We stress that the proofs can be easily adapted to the case where the opening a
\subsection{Comparison with Existing Schemes} \subsection{Comparison with Existing Schemes}
\begin{table*} \begin{table*}
\small
\centering \centering
\begin{tabular}{|c|c|c|c|c|c|c|} \begin{tabular}{|c|c|c|c|c|c|c|}
\hline \hline

1
macros.tex
View File

@ -16,6 +16,7 @@
\newcommand{\ZK}{\textsf{ZK}\xspace} \newcommand{\ZK}{\textsf{ZK}\xspace}
\newcommand{\ZKAoK}{\textsf{ZKAoK}\xspace} \newcommand{\ZKAoK}{\textsf{ZKAoK}\xspace}
\newcommand{\NIZK}{\textsf{NIZK}\xspace} \newcommand{\NIZK}{\textsf{NIZK}\xspace}
\newcommand{\QANIZK}{\textsf{QA-NIZK}\xspace}
\newcommand{\PKE}{\textsf{PKE}\xspace} \newcommand{\PKE}{\textsf{PKE}\xspace}
\newcommand{\OT}{\textsf{OT}\xspace} \newcommand{\OT}{\textsf{OT}\xspace}
%% Common %% Common

10
main.tex
View File

@ -2,6 +2,9 @@
\documentclass[a4paper, 11pt]{memoir} \documentclass[a4paper, 11pt]{memoir}
\semiisopage \semiisopage
%% Highlight overfull hbox
\overfullrule=1mm
\usepackage[utf8x]{inputenc} \usepackage[utf8x]{inputenc}
\usepackage[french,english]{babel} \usepackage[french,english]{babel}
%\usepackage[UKenglish]{babel} %\usepackage[UKenglish]{babel}
@ -123,12 +126,13 @@
\cleardoublepage \cleardoublepage
{\let\newpage\relax {\let\newpage\relax
\part{Group Signatures and Anonymous Credentials} \part{Group Signatures and Anonymous Credentials}
\label{pa:gs-ac}
\addcontentsline{tof}{part}{\protect\numberline{\thepart} Signatures de groupe et accréditations anonymes} \addcontentsline{tof}{part}{\protect\numberline{\thepart} Signatures de groupe et accréditations anonymes}
\label{pa:gs-ac}
} }
\chapter{Dynamic Group Signatures} \label{ch:gs-background} \chapter{Dynamic Group Signatures}
\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Signatures de groupe dynamique} \addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Signatures de groupe dynamique}
\label{ch:gs-background}
\input chap-GS-background \input chap-GS-background
@ -153,11 +157,13 @@
\chapter{Lattice-Based Group Encryption} \chapter{Lattice-Based Group Encryption}
\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Chiffrement de groupe à base de réseaux euclidiens} \addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Chiffrement de groupe à base de réseaux euclidiens}
\label{ch:ge-lwe}
\input chap-GE-LWE \input chap-GE-LWE
\chapter{Lattice-Based Oblivious Transfer with Access Control} \label{ch:ac-ot} \chapter{Lattice-Based Oblivious Transfer with Access Control} \label{ch:ac-ot}
\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Transfert inconscient adaptatif avec contrôle d'accès à base de réseaux euclidiens} \addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Transfert inconscient adaptatif avec contrôle d'accès à base de réseaux euclidiens}
\label{ch:ot-lwe}
\input chap-OT-LWE \input chap-OT-LWE

5
sec-pairings.tex
View File

@ -3,7 +3,7 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Pairing-based cryptography was introduced by Antoine Joux~\cite{Jou00} to generalize Diffie-Hellman key exchange to three users in one round. Pairing-based cryptography was introduced by Antoine Joux~\cite{Jou00} to generalize Diffie-Hellman key exchange to three users in one round.
Since then, many constructions have been proposed for cryptographic constructions, such as identity-based encryption~\cite{BF01,Wat05} or group signature~\cite{ACJT00,BBS04}. Since then, many constructions have been proposed for cryptographic constructions, such as identity-based encryption~\cite{BF01,Wat05} or group signature~\cite{BBS04}.
Multiple constructions and parameter sets coexist for pairings. Multiple constructions and parameter sets coexist for pairings.
Real-world implementation are based on elliptic curves~\cite{BN06, KSS08}, but recent advances in cryptanalysis makes it hard to evaluate the security level of pairing-based cryptography~\cite{KB16,MSS17,BD18}. Real-world implementation are based on elliptic curves~\cite{BN06, KSS08}, but recent advances in cryptanalysis makes it hard to evaluate the security level of pairing-based cryptography~\cite{KB16,MSS17,BD18}.
@ -50,5 +50,4 @@ In the aforementioned chapter, we also rely on the following assumption, which g
where $a \sample \ZZ_p^{}$, computing $a \in \ZZ_p^{}$. where $a \sample \ZZ_p^{}$, computing $a \in \ZZ_p^{}$.
\end{restatable} \end{restatable}
This assumption is still a static and non-interactive assumption. This assumption is also static and non-interactive.

2
sec-stern.tex
View File

@ -56,7 +56,7 @@ The details of this proof is given in \cref{sse:stern-abstraction}, but it can b
Ling, Nguyen, Stehlé and Wang~\cite{LNSW13} noticed that the \textsf{ZKAoK} of \cref{le:zk-ktx} straightforwardly works to prove knowledge of a vector in $\nbit^m$. Ling, Nguyen, Stehlé and Wang~\cite{LNSW13} noticed that the \textsf{ZKAoK} of \cref{le:zk-ktx} straightforwardly works to prove knowledge of a vector in $\nbit^m$.
A technique to relax the constraints on the \textsf{ZKAoK} of \cref{le:zk-ktx} is the so-called ``Decomposition-Extension'' technique~\cite{LNSW13}\cite{LSS14,ELL+15,LLNW16} as explained in the introduction of this Section (\ref{sse:stern}). %A method to relax the constraints on the \textsf{ZKAoK} of \cref{le:zk-ktx} is the so-called ``Decomposition-Extension'' technique~\cite{LNSW13,LSS14,ELL+15,LLNW16} as explained in the introduction of this Section (\cref{sse:stern}).
\index{Lattices!Inhomogeneous \SIS} \index{Lattices!Inhomogeneous \SIS}
To prove the knowledge of an \ISIS preimage, i.e. To prove the knowledge of an \ISIS preimage, i.e.

1
symbols.tex
View File

@ -26,6 +26,7 @@
$\ZK$ & Zero-Knowledge \\ $\ZK$ & Zero-Knowledge \\
$\ZKAoK$ & Zero-Knowledge Argument of Knowledge \\ $\ZKAoK$ & Zero-Knowledge Argument of Knowledge \\
$\NIZK$ & Non-Interactive Zero-Knowledge \\ $\NIZK$ & Non-Interactive Zero-Knowledge \\
$\QANIZK$ & Quasi-Adaptive Non-Interactive Zero-Knowledge \\
$\OT$ & Oblivious Transfer \\ $\OT$ & Oblivious Transfer \\
[1ex] \multicolumn{2}{l}{\scbf{Security Notions}} \\ [1ex] \multicolumn{2}{l}{\scbf{Security Notions}} \\
EU-CMA & Existentially Unforgeable under chosen-message attacks \\ EU-CMA & Existentially Unforgeable under chosen-message attacks \\

26
these.bib
View File

@ -1,3 +1,4 @@
% Encoding: UTF-8
@InCollection{BCKL08, @InCollection{BCKL08,
author = {Belenkiy, Mira and Chase, Melissa and Kohlweiss, Markulf and Lysyanskaya, Anna}, author = {Belenkiy, Mira and Chase, Melissa and Kohlweiss, Markulf and Lysyanskaya, Anna},
title = {{P}-signatures and Noninteractive Anonymous Credentials}, title = {{P}-signatures and Noninteractive Anonymous Credentials},
@ -1621,7 +1622,7 @@
} }
@InProceedings{CVH91, @InProceedings{CVH91,
author = {Chaum, David and Van Heyst, Eug{\`e}ne}, author = {Chaum, David and van Heyst, Eug{\`e}ne},
title = {Group signatures}, title = {Group signatures},
booktitle = {{Eurocrypt}}, booktitle = {{Eurocrypt}},
year = {1991}, year = {1991},
@ -2229,7 +2230,7 @@
@Article{KL11, @Article{KL11,
author = {Kidron, Dafna and Lindell, Yehuda}, author = {Kidron, Dafna and Lindell, Yehuda},
title = {Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs}, title = {Impossibility Results for Universal Composability in<EFBFBD>Public-Key Models and with Fixed Inputs},
journal = {Journal of Cryptology}, journal = {Journal of Cryptology},
year = {2011}, year = {2011},
volume = {24}, volume = {24},
@ -2509,14 +2510,14 @@
} }
@InProceedings{dPLNS17, @InProceedings{dPLNS17,
author = {del Pino, Rafaël and Lyubashevsky, Vadim and Neven, Gregory and Seiler, Gregory}, author = {del Pino, Rafa<EFBFBD>l and Lyubashevsky, Vadim and Neven, Gregory and Seiler, Gregory},
title = {{Practical Quantum-Safe Voting from Lattices}}, title = {{Practical Quantum-Safe Voting from Lattices}},
booktitle = {CCS}, booktitle = {CCS},
year = {2017}, year = {2017},
} }
@InProceedings{LLNW17, @InProceedings{LLNW17,
author = {Libert, Benoît and Ling, San and Nguyen, Khoa and Wang, Huaxiong}, author = {Libert, Beno<EFBFBD>t and Ling, San and Nguyen, Khoa and Wang, Huaxiong},
title = {{Zero-Knowledge Arguments for Lattice-Based PRFs and Applications to E-Cash}}, title = {{Zero-Knowledge Arguments for Lattice-Based PRFs and Applications to E-Cash}},
booktitle = {Asiacrypt}, booktitle = {Asiacrypt},
year = {2017}, year = {2017},
@ -2526,7 +2527,7 @@
} }
@InProceedings{Ajt96, @InProceedings{Ajt96,
author = {Ajtai, Miklós}, author = {Ajtai, Mikl<EFBFBD>s},
title = {{Generating Hard Instances of Lattice Problems}}, title = {{Generating Hard Instances of Lattice Problems}},
booktitle = {STOC}, booktitle = {STOC},
year = {1996}, year = {1996},
@ -2562,7 +2563,7 @@
} }
@InProceedings{LMN16, @InProceedings{LMN16,
author = {Libert, Benoît and Mouhartem, Fabrice and Nguyen, Khoa}, author = {Libert, Beno<EFBFBD>t and Mouhartem, Fabrice and Nguyen, Khoa},
title = {{A Lattice-Based Group Signature Scheme with Message-Dependent Opening}}, title = {{A Lattice-Based Group Signature Scheme with Message-Dependent Opening}},
booktitle = {ACNS}, booktitle = {ACNS},
year = {2016}, year = {2016},
@ -2591,7 +2592,7 @@
} }
@InProceedings{LPJY14, @InProceedings{LPJY14,
author = {Libert, Benoît and Peters, Thomas and Joye, Marc and Yung, Moti}, author = {Libert, Beno<EFBFBD>t and Peters, Thomas and Joye, Marc and Yung, Moti},
title = {{Non-malleability from Malleability: Simulation-Sound Quasi-Adaptive NIZK Proofs and CCA2-Secure Encryption from Homomorphic Signatures}}, title = {{Non-malleability from Malleability: Simulation-Sound Quasi-Adaptive NIZK Proofs and CCA2-Secure Encryption from Homomorphic Signatures}},
booktitle = {Eurocrypt}, booktitle = {Eurocrypt},
year = {2014}, year = {2014},
@ -2617,7 +2618,7 @@
} }
@InProceedings{LPJY13, @InProceedings{LPJY13,
author = {Libert, Benoît and Peters, Thomas and Joye, Marc and Yung, Moti}, author = {Libert, Beno<EFBFBD>t and Peters, Thomas and Joye, Marc and Yung, Moti},
title = {{Linearly Homomorphic Structure-Preserving Signatures and Their Applications}}, title = {{Linearly Homomorphic Structure-Preserving Signatures and Their Applications}},
booktitle = {Crypto}, booktitle = {Crypto},
year = {2013}, year = {2013},
@ -2716,4 +2717,13 @@
publisher = {Springer}, publisher = {Springer},
} }
@InProceedings{LNWX17,
author = {Ling, San and Nguyen, Khoa and Wang, Huaxiong and Xu, Yahong},
title = {{Lattice-Based Group Signatures: Achieving Full Dynamicity (and Deniability) with Ease}},
booktitle = {ACNS},
year = {2017},
series = {LNCS},
publisher = {Springer},
}
@Comment{jabref-meta: databaseType:bibtex;} @Comment{jabref-meta: databaseType:bibtex;}