proof-reading
This commit is contained in:
parent
9dd62d0c1d
commit
9d478c72fc
1
.gitignore
vendored
1
.gitignore
vendored
@ -8,6 +8,7 @@
|
|||||||
*.ilg
|
*.ilg
|
||||||
*.ind
|
*.ind
|
||||||
*.latexmain
|
*.latexmain
|
||||||
|
*.lot
|
||||||
*.lof
|
*.lof
|
||||||
*.log
|
*.log
|
||||||
*.out
|
*.out
|
||||||
|
@ -14,10 +14,19 @@ Before describing those scheme, let us recall in this Chapter the definition of
|
|||||||
Dynamic group signatures are a solution to allow a user to authenticate a message on behalf of a set of users it belongs to (the \textit{group}) that can be publicly verified while remaining anonymous inside its group.
|
Dynamic group signatures are a solution to allow a user to authenticate a message on behalf of a set of users it belongs to (the \textit{group}) that can be publicly verified while remaining anonymous inside its group.
|
||||||
On the other hand, the user remains accountable for the signatures it provides as there exists an authority, the \textit{opening authority}, that can lift the anonymity of a given signature using its own secret key.
|
On the other hand, the user remains accountable for the signatures it provides as there exists an authority, the \textit{opening authority}, that can lift the anonymity of a given signature using its own secret key.
|
||||||
In the dynamic setting, a group signature scheme has a second authority: the \textit{group manager}, that allows a user to enroll the group after an interaction with it.
|
In the dynamic setting, a group signature scheme has a second authority: the \textit{group manager}, that allows a user to enroll the group after an interaction with it.
|
||||||
This primitive was introduced by Bellare, Micciancio and Warinschi~\cite{BMW03} in 2003 and was extended to dynamic groups by Bellare, Shi and Zhang ({BSZ}) in 2005~\cite{BSZ05}.
|
These interactions are summarized in Figure~\ref{fig:gs-relations}.
|
||||||
|
|
||||||
|
The concept of group signatures was introduced by Chaum and van Heyst in 1991~\cite{CVH91}, but the works of Ateniese, Camenisch, Joye and Tsudik in 2001~\cite{ACJT00} were the first to provide scalable and secure group signatures.
|
||||||
|
In 2003, Bellare, Micciancio and Warinschi~\cite{BMW03} proposed a formal definition for \textit{static} group signatures, where the group is defined once and for all at the setup phase.
|
||||||
|
This model was extended to dynamic groups by Bellare, Shi and Zhang (BSZ) and Kiayias and Yung~(KY) in 2005~\cite{BSZ05,KY06}. Those two security models are slightly different, and we choose in this thesis to build our proofs in the~\cite{KY06} model as described in~\cref{sse:gs-definitions}.
|
||||||
|
|
||||||
The \cite{BMW03}~model summarize the security of a group signature scheme in two notions: \textit{anonymity} and \textit{traceability}.
|
The \cite{BMW03}~model summarize the security of a group signature scheme in two notions: \textit{anonymity} and \textit{traceability}.
|
||||||
The former notions models the fact that without the opening authority's secret, even if everyone colludes, no one can trace back a user from a signature; the latter sum up the fact that even if everyone is corrupted (even the opening authority), it is impossible to forge a valid signature that does not open to a valid user.
|
The former notions models the fact that without the opening authority's secret, even if everyone colludes, no one can trace back a user from a signature; the latter sum up the fact that even if everyone is corrupted (even the opening authority), it is impossible to forge a valid signature that does not open to a valid user.
|
||||||
|
|
||||||
|
In the dynamically growing group setting, the \textit{group private keys issuing} phase is replaced by an interactive \textit{join} protocol where a user that wants to join the group interacts with the group manager.
|
||||||
|
In this context, the two notions of the BMW model are kept, and a third one is added: the ``\textit{non-frameability}''.
|
||||||
|
This notion expresses the impossibility to frame a group of honest users in order to provide a signature that opens to one on them, \textit{even if the group manager and the opening authority are colluding}.
|
||||||
|
|
||||||
One application of this primitive can be to handle anonymous access control for public transportation systems.
|
One application of this primitive can be to handle anonymous access control for public transportation systems.
|
||||||
In order to commute, a person should prove the possession of a valid subscription to the transportation service.
|
In order to commute, a person should prove the possession of a valid subscription to the transportation service.
|
||||||
Thus, at registration to the service, the commuter joins the group of \emph{users with a valid subscription} and when it takes the transport, it is asked to sign the timestamp of its entry in the name of the group.
|
Thus, at registration to the service, the commuter joins the group of \emph{users with a valid subscription} and when it takes the transport, it is asked to sign the timestamp of its entry in the name of the group.
|
||||||
@ -27,7 +36,7 @@ Then, the public transportation company is unable to learn anything from seeing
|
|||||||
Other applications of group signatures can be advocated as authentication of low-range communications for intelligent cars or anonymous access control of a building.
|
Other applications of group signatures can be advocated as authentication of low-range communications for intelligent cars or anonymous access control of a building.
|
||||||
As we can see, most applications necessitate the use of \textit{dynamically growing} groups in order to be meaningful.
|
As we can see, most applications necessitate the use of \textit{dynamically growing} groups in order to be meaningful.
|
||||||
|
|
||||||
Bootle, Cerulli, Chaidos, Ghadafi and Groth~\cite{BCC+16} rise the problem of revocation and proposed a model that handle the issues that arose from the introduction of revocation called ``\textit{fully-dynamic}'' group signatures, but as the main difficulty is to allow users to dynamically enroll to the group --\,as revocation has been known to be implemented in a modular manner~\cite{LLNW14}\,-- we do not consider this approach.
|
Bootle, Cerulli, Chaidos, Ghadafi and Groth~\cite{BCC+16} rise the problem of revocation and proposed a model that handle the issues that arose from the introduction of revocation called ``\textit{fully-dynamic}'' group signatures, but as the main difficulty is to allow users to dynamically enroll to the group --\,as revocation has been known to be implemented in a modular manner~\cite{LLNW14}\,-- this approach is not considered here, even if it is of interest~\cite{LNWX17}.
|
||||||
|
|
||||||
\section{Formal Definition and Correctness} \label{sse:gs-definitions}
|
\section{Formal Definition and Correctness} \label{sse:gs-definitions}
|
||||||
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Définition formelle et correction}
|
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Définition formelle et correction}
|
||||||
@ -43,7 +52,7 @@ This section recalls the syntax and the security definitions of dynamic group s
|
|||||||
\input fig-gs-relations
|
\input fig-gs-relations
|
||||||
\caption{Relations between the protagonists in a dynamic group signature
|
\caption{Relations between the protagonists in a dynamic group signature
|
||||||
scheme}
|
scheme}
|
||||||
\label{fig:relations}
|
\label{fig:gs-relations}
|
||||||
\end{figure}
|
\end{figure}
|
||||||
|
|
||||||
In the setting of \emph{dynamic groups}, the syntax of group signatures includes
|
In the setting of \emph{dynamic groups}, the syntax of group signatures includes
|
||||||
@ -59,36 +68,22 @@ membership secret, $\scr_i$.
|
|||||||
%\paragraph{Syntax.}
|
%\paragraph{Syntax.}
|
||||||
We denote by $\Ngs \in \poly[\lambda]$ the maximal number of group members that the system will be able to handle.
|
We denote by $\Ngs \in \poly[\lambda]$ the maximal number of group members that the system will be able to handle.
|
||||||
\begin{definition}[Dynamic Group Signature]
|
\begin{definition}[Dynamic Group Signature]
|
||||||
A \emph{dynamic group signature} scheme consists of the following algorithms
|
A \emph{dynamic group signature} scheme consists of the algorithms or protocols $(\Setup, \mathsf{Join}, \Sign, \Verify, \Open)$ described as follows.
|
||||||
or protocols.
|
|
||||||
|
|
||||||
\begin{description}
|
\begin{description}
|
||||||
\item[\textsf{Setup}$(1^\lambda,1^{\Ngs})$:] given a security parameter $\lambda$
|
\item[\textsf{Setup}$(1^\lambda,1^{\Ngs})$:] given a security parameter $\lambda$ and a maximal number of group members $\Ngs \in \mathbb{N}$, this algorithm is run by a \textit{trusted party} to generate a group public key $\gspk$, the group manager's private key $\mathcal{S}_{\GM}$ and the opening authority's private key $\mathcal{S}_{\OA}$.
|
||||||
and a maximal number of group members $\Ngs \in \mathbb{N}$, this algorithm
|
Each key is given to the appropriate authority while $\gspk$ is made public.
|
||||||
is run by a trusted party to generate a group public key $\mathcal{Y}$,
|
The algorithm also initializes a public state $\mathsf{st}$ comprising a set data structure $\mathsf{st}_{\users}=\emptyset$ and a string data structure $\mathsf{st}_{\trans}= \epsilon$.\\
|
||||||
the group manager's private key $\mathcal{S}_{\GM}$ and the opening
|
In the following, all algorithms have access to the public parameters $\gspk$.
|
||||||
authority's private key $\mathcal{S}_{\OA}$. Each key is given to the
|
|
||||||
appropriate authority while $\mathcal{Y}$ is made public. The algorithm
|
|
||||||
also initializes a public state $St$ comprising a set data structure
|
|
||||||
$St_{\users}=\emptyset$ and a string data structure $St_{\trans}=
|
|
||||||
\epsilon$.\\
|
|
||||||
In the following, all algorithms have access to the public parameters
|
|
||||||
$\gspk$.
|
|
||||||
%
|
%
|
||||||
\item[\textsf{Join}:] is an \emph{interactive} protocol between the group manager
|
\item[\textsf{Join}$^{\join_{\user}, \join_{\GM}}$:] is an \emph{interactive} protocol between the group manager GM and a user $\mathcal{U}_i$ where the latter becomes a group member.
|
||||||
GM and a user $\mathcal{U}_i$ where the latter becomes a group member.
|
The protocol involves two interactive Turing machines $\join_{\user}$ and $\join_{\GM}$ that both take the group public key $\gspk$ as input.
|
||||||
The protocol involves two interactive Turing machines $\join_{\user}$ and
|
The execution $\langle \join_{\user}(\lambda,\gspk),\join_{\GM}(\lambda,\mathsf{st},\gspk,\mathcal{S}_{\GM}) \rangle$, ends with user $\mathcal{U}_i$ obtaining a membership secret $\scr_{i}$, that no one else knows, and a membership certificate $\crt_{i }$.
|
||||||
$\join_{\GM}$ that both take $\mathcal{Y}$ as input. The execution
|
If the protocol is successful, the group manager updates the public state $\mathsf{st}$ by updating the following state informations $\mathsf{st}_{\users}:=\mathsf{st}_{\users} \cup \{ i \}$ as well as $\mathsf{st}_{\trans}:=\mathsf{st}_{\trans} || ( i ,\transcript_i )$.
|
||||||
$\langle \join_{\user}(\lambda,\mathcal{Y}),\join_{\GM}(\lambda,St,\mathcal{Y},\mathcal{S}_{\GM}) \rangle$,
|
|
||||||
ends with user $\mathcal{U}_i$ obtaining a membership secret $\scr_{i }$,
|
|
||||||
that no one else knows, and a membership certificate $\crt_{i }$. If the
|
|
||||||
protocol is successful, the group manager updates the public state $St$ by
|
|
||||||
setting $St_{\users}:=St_{\users} \cup \{ i \}$ as well as
|
|
||||||
$St_{\trans}:=St_{\trans} || \langle i ,\transcript_i \rangle$.
|
|
||||||
%
|
%
|
||||||
%\item[\textsf{Revoke}:] is a (possibly randomized) algorithm allowing the GM
|
%\item[\textsf{Revoke}:] is a (possibly randomized) algorithm allowing the GM
|
||||||
%to generate an updated revocation list $RL_t$ for the new revocation period $t$.
|
%to generate an updated revocation list $RL_t$ for the new revocation period $t$.
|
||||||
%It takes as input a public key $\mathcal{Y}$ and a set $\mathcal{R}_t \subset St_{\users}$
|
%It takes as input a public key $\gspk$ and a set $\mathcal{R}_t \subset \mathsf{st}_{\users}$
|
||||||
%that identifies the users to be revoked.
|
%that identifies the users to be revoked.
|
||||||
%It outputs an updated revocation list $RL_t$ for period $t$.
|
%It outputs an updated revocation list $RL_t$ for period $t$.
|
||||||
%%
|
%%
|
||||||
@ -101,15 +96,15 @@ We denote by $\Ngs \in \poly[\lambda]$ the maximal number of group members that
|
|||||||
%
|
%
|
||||||
\item[\textsf{Verify($\sigma, M$)}:] given a signature $\sigma$,
|
\item[\textsf{Verify($\sigma, M$)}:] given a signature $\sigma$,
|
||||||
%a revocation period $t $, the corresponding revocation list $RL_t$,
|
%a revocation period $t $, the corresponding revocation list $RL_t$,
|
||||||
a message $M$ and a group public key $\mathcal{Y}$, this
|
a message $M$ and a group public key $\gspk$, this
|
||||||
\emph{deterministic} algorithm returns either $0$ or $1$.
|
\emph{deterministic} algorithm returns either $0$ or $1$.
|
||||||
%
|
%
|
||||||
\item[\textsf{Open($\mathcal{S}_{\OA}, M, \sigma$)}:] takes as input a
|
\item[\textsf{Open($\mathcal{S}_{\OA}, M, \sigma$)}:] takes as input a
|
||||||
message $M$, a valid signature $\sigma$ w.r.t.
|
message $M$, a valid signature $\sigma$ w.r.t.
|
||||||
$\mathcal{Y}$ %for the indicated revocation period $t$
|
$\gspk$ %for the indicated revocation period $t$
|
||||||
, the opening authority's private key $\mathcal{S}_{\OA}$ and the public
|
, the opening authority's private key $\mathcal{S}_{\OA}$ and the public
|
||||||
state $St$.
|
state $\mathsf{st}$.
|
||||||
It outputs $i \in St_{\users} \cup \{ \bot \}$, which is the identity of
|
It outputs $i \in \mathsf{st}_{\users} \cup \{ \bot \}$, which is the identity of
|
||||||
a group member or a symbol indicating an opening failure.
|
a group member or a symbol indicating an opening failure.
|
||||||
%
|
%
|
||||||
\end{description}
|
\end{description}
|
||||||
@ -128,16 +123,16 @@ against them. And finally the \textit{anonymity} property is also formalized by
|
|||||||
|
|
||||||
\paragraph{Correctness for Dynamic Group Signatures.}
|
\paragraph{Correctness for Dynamic Group Signatures.}
|
||||||
Following the Kiayias-Yung terminology \cite{KY06}, we say that a public state
|
Following the Kiayias-Yung terminology \cite{KY06}, we say that a public state
|
||||||
$St$ is \textit{valid} if it can be reached from $St=(\emptyset,\epsilon)$ by a
|
$\mathsf{st}$ is \textit{valid} if it can be reached from $\mathsf{st}=(\emptyset,\epsilon)$ by a
|
||||||
Turing machine having oracle access to $\join_{\GM}$. Also, a state $St'$ is said
|
Turing machine having oracle access to $\join_{\GM}$. Also, a state $\mathsf{st}'$ is said
|
||||||
to \textit{extend} another state $St$ if it is within reach from $St$.
|
to \textit{extend} another state $\mathsf{st}$ if it is within reach from $\mathsf{st}$.
|
||||||
|
|
||||||
Moreover, as in \cite{KY06}, when we write
|
Moreover, as in \cite{KY06}, when we write
|
||||||
$\crt_{i}\leftrightharpoons_{\mathcal{Y}} \scr_{i}$, it means that there exists
|
$\crt_{i}\leftrightharpoons_{\gspk} \scr_{i}$, it means that there exists
|
||||||
coin tosses $\varpi$ for $\join_{\GM}$ and $\join_{user}$ such that, for some valid
|
coin tosses $\varpi$ for $\join_{\GM}$ and $\join_{user}$ such that, for some valid
|
||||||
public state $St'$, the execution of the interactive protocol
|
public state $\mathsf{st}'$, the execution of the interactive protocol
|
||||||
$[\join_{\user}(\lambda,\mathcal{Y}),\join_{\GM}(\lambda,St',\mathcal{Y},\mathcal{S}_{\GM})](\varpi)$
|
$\langle \join_{\user}(\lambda,\gspk),\join_{\GM}(\lambda,\mathsf{st}',\gspk,\mathcal{S}_{\GM}) \rangle_\varpi$
|
||||||
provides $\join_{\user}$ with $\langle i,\scr_{i },\crt_{i } \rangle$.
|
provides $\join_{\user}$ with $(i,\scr_{i },\crt_{i })$.
|
||||||
|
|
||||||
\begin{definition}[Correctness]
|
\begin{definition}[Correctness]
|
||||||
A dynamic group signature scheme is correct if the following conditions are
|
A dynamic group signature scheme is correct if the following conditions are
|
||||||
@ -146,26 +141,26 @@ provides $\join_{\user}$ with $\langle i,\scr_{i },\crt_{i } \rangle$.
|
|||||||
%
|
%
|
||||||
\begin{enumerate}[(1)]
|
\begin{enumerate}[(1)]
|
||||||
%
|
%
|
||||||
\item In a valid state $St$, $|St_{users}|=|St_{trans}|$ always holds and
|
\item In a valid state $\mathsf{st}$, $|\mathsf{st}_{users}|=|\mathsf{st}_{trans}|$ always holds and
|
||||||
two distinct entries of $St_{trans}$ always contain certificates with
|
two distinct entries of $\mathsf{st}_{trans}$ always contain certificates with
|
||||||
distinct tag.
|
distinct tag.
|
||||||
%
|
%
|
||||||
\item If
|
\item If
|
||||||
$[\join_{\user}(\lambda,\mathcal{Y}),\join_{\GM}(\lambda,St,\mathcal{Y},\mathcal{S}_{\GM})]$
|
$\langle \join_{\user}(\lambda,\gspk),\join_{\GM}(\lambda,\mathsf{st},\gspk,\mathcal{S}_{\GM}) \rangle$
|
||||||
is run by two honest parties following the protocol and
|
is run by two honest parties following the protocol and
|
||||||
$\langle i, \crt_{i }, \scr_{i } \rangle$ is obtained by $\join_{\user}$, then
|
$\langle i, \crt_{i }, \scr_{i } \rangle$ is obtained by $\join_{\user}$, then
|
||||||
we have $\crt_{i } \leftrightharpoons_{\mathcal{Y}} \scr_{i }$.
|
we have $\crt_{i} \leftrightharpoons_{\gspk} \scr_{i }$.
|
||||||
%
|
%
|
||||||
\item For each %revocation period $t$ and any
|
\item For each %revocation period $t$ and any
|
||||||
$\langle i, \crt_{i }, \scr_{i } \rangle$ such that $\crt_{i }
|
$(i, \crt_{i}, \scr_{i})$ such that $\crt_{i }
|
||||||
\leftrightharpoons_{\mathcal{Y}} \scr_{i }$, satisfying condition 2, we have
|
\leftrightharpoons_{\gspk} \scr_{i }$, satisfying condition 2, we have
|
||||||
$ \mathsf{Verify}\big(\mathsf{Sign}(\mathcal{Y}, \crt_{i }, \scr_{i
|
$ \mathsf{Verify}\big(\mathsf{Sign}(\gspk, \crt_{i }, \scr_{i
|
||||||
},M),M,\mathcal{Y}\big)=1$.
|
},M),M,\gspk\big)=1$.
|
||||||
%
|
%
|
||||||
\item For any outcome $\langle i, \crt_{i }, \scr_{i } \rangle$ of $[\join_{\user}(.,. ),\join_{\GM}(.,St,.,. )]$ for some valid
|
\item For any outcome $(i, \crt_{i }, \scr_{i })$ of
|
||||||
$St$,
|
$\langle\join_{\user}(.,. ),\join_{\GM}(.,\mathsf{st},.,. )\rangle$
|
||||||
if $\sigma =\mathsf{Sign}(\mathcal{Y},\crt_{i }, \scr_{i},M)$, then
|
for some valid state information $\mathsf{st}$, if $\sigma =\mathsf{Sign}(\gspk,\crt_{i }, \scr_{i},M)$, then
|
||||||
$\mathsf{Open}(M,\sigma,\mathcal{S}_{\OA},\mathcal{Y},St')=i.$
|
$\mathsf{Open}(M,\sigma,\mathcal{S}_{\OA},\gspk,\mathsf{st}')=i.$
|
||||||
%
|
%
|
||||||
\end{enumerate}
|
\end{enumerate}
|
||||||
%
|
%
|
||||||
@ -186,17 +181,17 @@ variables:
|
|||||||
\item $\mathsf{state}_{\mathcal{I}}$: is a data structure representing the
|
\item $\mathsf{state}_{\mathcal{I}}$: is a data structure representing the
|
||||||
state of the interface as the adversary invokes the various oracles
|
state of the interface as the adversary invokes the various oracles
|
||||||
available in the attack games. It is initialized as
|
available in the attack games. It is initialized as
|
||||||
$\mathsf{state}_{\mathcal{I}}=(St,\mathcal{Y},\mathcal{S}_{\GM},
|
$\mathsf{state}_{\mathcal{I}}=(\textsf{st},\gspk,\mathcal{S}_{\GM},
|
||||||
%\linebreak[4]
|
%\linebreak[4]
|
||||||
\mathcal{S}_{\OA}) \leftarrow \mathsf{Setup}(1^\lambda,1^\Ngs)$.
|
\mathcal{S}_{\OA}) \leftarrow \mathsf{Setup}(1^\lambda,1^\Ngs)$.
|
||||||
It includes the (initially empty) set $St_{users}$ of group members and a
|
It includes the (initially empty) set $\textsf{st}_{users}$ of group members and a
|
||||||
dynamically growing database $St_{trans}$ storing the transcripts of
|
dynamically growing database $\textsf{st}_{trans}$ storing the transcripts of
|
||||||
previously executed join protocols.
|
previously executed join protocols.
|
||||||
%Finally,
|
%Finally,
|
||||||
%$\mathsf{state}_{\mathcal{I}}$ includes a counter
|
%$\mathsf{state}_{\mathcal{I}}$ includes a counter
|
||||||
%$t$ (which is initialized to $0$) indicating the number of user revocation
|
%$t$ (which is initialized to $0$) indicating the number of user revocation
|
||||||
%queries so far.
|
%queries so far.
|
||||||
\item $n=|St_{users}|<\Ngs$ denotes the current cardinality of the group.
|
\item $n=|\textsf{st}_{users}|<\Ngs$ denotes the current cardinality of the group.
|
||||||
%
|
%
|
||||||
\item $\mathsf{Sigs}$: is a database of signatures created by the signing
|
\item $\mathsf{Sigs}$: is a database of signatures created by the signing
|
||||||
oracle. Each entry consists of a triple $(i,M,\sigma)$ indicating that
|
oracle. Each entry consists of a triple $(i,M,\sigma)$ indicating that
|
||||||
@ -219,7 +214,7 @@ following oracles:
|
|||||||
%
|
%
|
||||||
\item $Q_{\mathsf{pub}}$, $Q_{\mathsf{key\GM}}$ and $Q_{\mathsf{key\OA}}$: when
|
\item $Q_{\mathsf{pub}}$, $Q_{\mathsf{key\GM}}$ and $Q_{\mathsf{key\OA}}$: when
|
||||||
these oracles are invoked, the interface looks up $\mathsf{state}_{\interface}$ and
|
these oracles are invoked, the interface looks up $\mathsf{state}_{\interface}$ and
|
||||||
returns the group public key $\mathcal{Y}$, the GM's private key
|
returns the group public key $\gspk$, the GM's private key
|
||||||
$\mathcal{S}_{\GM}$ and the opening authority's private key
|
$\mathcal{S}_{\GM}$ and the opening authority's private key
|
||||||
$\mathcal{S}_{\OA}$ respectively.
|
$\mathcal{S}_{\OA}$ respectively.
|
||||||
%
|
%
|
||||||
@ -227,16 +222,16 @@ following oracles:
|
|||||||
in the group. On behalf of the GM, the interface runs $\join_{\GM}$ in
|
in the group. On behalf of the GM, the interface runs $\join_{\GM}$ in
|
||||||
interaction with the $\join_{\user}$-executing adversary who plays the role of
|
interaction with the $\join_{\user}$-executing adversary who plays the role of
|
||||||
the prospective user in the join protocol. If this protocol successfully
|
the prospective user in the join protocol. If this protocol successfully
|
||||||
ends, the interface increments $n$, updates $St$ by inserting the new user
|
ends, the interface increments $n$, updates $\mathsf{st}$ by inserting the new user
|
||||||
$n$ in both sets $St_{users}$ and $U^a$. It also sets
|
$n$ in both sets $\mathsf{st}_{users}$ and $U^a$. It also sets
|
||||||
$St_{\trans}:=St_{\trans} || \langle n, \transcript_n \rangle$.
|
$\mathsf{st}_{\trans}:=\mathsf{st}_{\trans} || \langle n, \transcript_n \rangle$.
|
||||||
%
|
%
|
||||||
\item $Q_{\bjoin}$: allows the adversary, acting as a corrupted group manager,
|
\item $Q_{\bjoin}$: allows the adversary, acting as a corrupted group manager,
|
||||||
to introduce new honest group members of its choice. The interface
|
to introduce new honest group members of its choice. The interface
|
||||||
triggers an execution of $[\join_{\user},\join_{\GM}]$ and runs $\join_{\user}$ in
|
triggers an execution of $[\join_{\user},\join_{\GM}]$ and runs $\join_{\user}$ in
|
||||||
interaction with the adversary who runs $\join_{\GM}$. If the protocol
|
interaction with the adversary who runs $\join_{\GM}$. If the protocol
|
||||||
successfully completes, the interface increments $n$, adds user $n$ to
|
successfully completes, the interface increments $n$, adds user $n$ to
|
||||||
$St_{users}$ and $U^b$ and sets $St_{\trans}:=St_{\trans} || \langle n,
|
$\mathsf{st}_{users}$ and $U^b$ and sets $\mathsf{st}_{\trans}:=\mathsf{st}_{\trans} || \langle n,
|
||||||
\transcript_n \rangle$. It stores the membership certificate $\crt_{n }$
|
\transcript_n \rangle$. It stores the membership certificate $\crt_{n }$
|
||||||
and the membership secret $\scr_{n }$ in a \textit{private} part of
|
and the membership secret $\scr_{n }$ in a \textit{private} part of
|
||||||
$\mathsf{state}_{\interface}$.
|
$\mathsf{state}_{\interface}$.
|
||||||
@ -251,7 +246,7 @@ following oracles:
|
|||||||
%
|
%
|
||||||
\item $Q_{\mathsf{open}}$: when this oracle is invoked on input of a valid
|
\item $Q_{\mathsf{open}}$: when this oracle is invoked on input of a valid
|
||||||
pair $(M,\sigma)$,
|
pair $(M,\sigma)$,
|
||||||
the interface runs algorithm $\mathsf{Open}$ using the current state $St $.
|
the interface runs algorithm $\mathsf{Open}$ using the current state $\mathsf{st} $.
|
||||||
When $S$ is a set of pairs of the form $(M,\sigma)$,
|
When $S$ is a set of pairs of the form $(M,\sigma)$,
|
||||||
$Q_{\mathsf{open}}^{\neg S}$ denotes a restricted oracle that only applies
|
$Q_{\mathsf{open}}^{\neg S}$ denotes a restricted oracle that only applies
|
||||||
the opening algorithm to pairs $(M,\sigma)$ which are not in $S$.
|
the opening algorithm to pairs $(M,\sigma)$ which are not in $S$.
|
||||||
@ -262,8 +257,8 @@ following oracles:
|
|||||||
the public/private keys and the private part of $\mathsf{state}_{\interface}$ where
|
the public/private keys and the private part of $\mathsf{state}_{\interface}$ where
|
||||||
membership secrets are stored after $Q_{\bjoin}$-queries. By using
|
membership secrets are stored after $Q_{\bjoin}$-queries. By using
|
||||||
$Q_{\mathsf{write}}$, the adversary can modify $\mathsf{state}_{\interface}$ at
|
$Q_{\mathsf{write}}$, the adversary can modify $\mathsf{state}_{\interface}$ at
|
||||||
will as long as it does not remove or alter elements of $St_{users}$,
|
will as long as it does not remove or alter elements of $\mathsf{st}_{users}$,
|
||||||
$St_{trans}$ or invalidate the public state $St$: for example, the adversary
|
$\mathsf{st}_{trans}$ or invalidate the public state $\mathsf{st}$: for example, the adversary
|
||||||
is allowed to create dummy users as long as it does not re-use already
|
is allowed to create dummy users as long as it does not re-use already
|
||||||
existing certificate tags.
|
existing certificate tags.
|
||||||
|
|
||||||
@ -279,13 +274,13 @@ security properties are formalized as follows.
|
|||||||
\begin{figure}[H]
|
\begin{figure}[H]
|
||||||
\centering
|
\centering
|
||||||
\procedure{Experiment $\Exp{\textrm{mis-id}}{\adv}(\lambda)$}{%
|
\procedure{Experiment $\Exp{\textrm{mis-id}}{\adv}(\lambda)$}{%
|
||||||
\mathsf{state}_{\interface}=(St,\mathcal{Y},\mathcal{S}_{\GM},\mathcal{S}_{\OA})
|
\mathsf{state}_{\interface}=(\mathsf{st},\gspk,\mathcal{S}_{\GM},\mathcal{S}_{\OA})
|
||||||
\gets \mathsf{Setup}(1^\lambda,1^\Ngs)\\
|
\gets \mathsf{Setup}(1^\lambda,1^\Ngs)\\
|
||||||
(M^\star,\sigma^\star) \leftarrow \adv(Q_{\mathsf{pub}},Q_{\ajoin},
|
(M^\star,\sigma^\star) \leftarrow \adv(Q_{\mathsf{pub}},Q_{\ajoin},
|
||||||
Q_{\mathsf{read}},Q_{\mathsf{keyOA}})\\
|
Q_{\mathsf{read}},Q_{\mathsf{keyOA}})\\
|
||||||
\pcif \mathsf{Verify}(\sigma^\star,M^\star,\mathcal{Y})=0 \pcthen\\
|
\pcif \mathsf{Verify}(\sigma^\star,M^\star,\gspk)=0 \pcthen\\
|
||||||
\pcind \pcreturn{0}\\
|
\pcind \pcreturn{0}\\
|
||||||
i =\mathsf{Open}(M^\star,\sigma^\star,\mathcal{S}_{\OA}, \mathcal{Y},St')\\
|
i =\mathsf{Open}(M^\star,\sigma^\star,\mathcal{S}_{\OA}, \gspk,\mathsf{st}')\\
|
||||||
\pcif i \not\in U^a \pcthen \\
|
\pcif i \not\in U^a \pcthen \\
|
||||||
\pcind\pcreturn{1}\\
|
\pcind\pcreturn{1}\\
|
||||||
\pcelse\\
|
\pcelse\\
|
||||||
@ -320,16 +315,16 @@ adversarially-controlled user.
|
|||||||
\begin{figure}[H]
|
\begin{figure}[H]
|
||||||
\centering
|
\centering
|
||||||
\procedure{Experiment $\Exp{\mathrm{fra}}{\adv}(\lambda)$}{%
|
\procedure{Experiment $\Exp{\mathrm{fra}}{\adv}(\lambda)$}{%
|
||||||
\mathsf{state}_{\interface}=(St,\gspk,\mathcal{S}_{\GM},\mathcal{S}_{\OA})
|
\mathsf{state}_{\interface}=(\mathsf{st},\gspk,\mathcal{S}_{\GM},\mathcal{S}_{\OA})
|
||||||
\gets \mathsf{Setup}(1^\lambda,1^\Ngs)\\
|
\gets \mathsf{Setup}(1^\lambda,1^\Ngs)\\
|
||||||
(M^\star,\sigma^\star)
|
(M^\star,\sigma^\star)
|
||||||
\gets \adv(Q_{\mathsf{pub}},Q_{\mathsf{key}\GM},
|
\gets \adv(Q_{\mathsf{pub}},Q_{\mathsf{key}\GM},
|
||||||
Q_{\mathsf{key}\OA}, Q_{\bjoin},%Q_{\mathsf{revoke}},
|
Q_{\mathsf{key}\OA}, Q_{\bjoin},%Q_{\mathsf{revoke}},
|
||||||
Q_{\mathsf{sig}}, Q_{\mathsf{read}}, Q_{\mathsf{write}}) \\
|
Q_{\mathsf{sig}}, Q_{\mathsf{read}}, Q_{\mathsf{write}}) \\
|
||||||
\pcif \mathsf{Verify}(\sigma^\star,M^\star,\mathcal{Y})=0 \pcthen\\
|
\pcif \mathsf{Verify}(\sigma^\star,M^\star,\gspk)=0 \pcthen\\
|
||||||
\pcind \pcreturn 0 \\
|
\pcind \pcreturn 0 \\
|
||||||
\pcif i=\mathsf{Open}(M^\star,\sigma^\star,\mathcal{S}_{\OA},
|
\pcif i=\mathsf{Open}(M^\star,\sigma^\star,\mathcal{S}_{\OA},
|
||||||
\mathcal{Y},St') \not \in U^b \pcthen\\
|
\gspk,\mathsf{st}') \not \in U^b \pcthen\\
|
||||||
\pcind \pcreturn 0\\
|
\pcind \pcreturn 0\\
|
||||||
\pcif
|
\pcif
|
||||||
\bigwedge_{j \in U^b \textrm{ s.t. } j=i~} (j,M^\star,\ast)
|
\bigwedge_{j \in U^b \textrm{ s.t. } j=i~} (j,M^\star,\ast)
|
||||||
@ -376,23 +371,23 @@ The adversary eventually aims at framing an honest group member.
|
|||||||
\begin{figure}[H]
|
\begin{figure}[H]
|
||||||
\centering
|
\centering
|
||||||
\procedure{Experiment $\Exp{\textrm{anon}}{\adv,d}(\lambda)$}{
|
\procedure{Experiment $\Exp{\textrm{anon}}{\adv,d}(\lambda)$}{
|
||||||
\mathsf{state}_{\interface}=(St,\mathcal{Y},\mathcal{S}_{\GM},\mathcal{S}_{\OA})
|
\mathsf{state}_{\interface}=(\mathsf{st},\gspk,\mathcal{S}_{\GM},\mathcal{S}_{\OA})
|
||||||
\gets \mathsf{Setup}(1^\lambda, 1^\Ngs)\\
|
\gets \mathsf{Setup}(1^\lambda, 1^\Ngs)\\
|
||||||
\big(aux,M^\star,(\scr_{0}^\star,\crt_{0}^\star),
|
\big(aux,M^\star,(\scr_{0}^\star,\crt_{0}^\star),
|
||||||
(\scr_{1}^\star,\crt_{1}^\star )\big)
|
(\scr_{1}^\star,\crt_{1}^\star )\big)
|
||||||
\gets \adv(\mathsf{play};\, Q_{\mathsf{pub}},Q_{\mathsf{key\GM}},
|
\gets \adv(\mathsf{play};\, Q_{\mathsf{pub}},Q_{\mathsf{key\GM}},
|
||||||
%Q_{\mathsf{revoke}},
|
%Q_{\mathsf{revoke}},
|
||||||
Q_{\mathsf{open}},Q_{\mathsf{read}},Q_{\mathsf{write}})\\
|
Q_{\mathsf{open}},Q_{\mathsf{read}},Q_{\mathsf{write}})\\
|
||||||
%\If{\neg(\crt_{b}^\star \leftrightharpoons_{\mathcal{Y}} \scr_{b}^\star) for b\in\bit}
|
%\If{\neg(\crt_{b}^\star \leftrightharpoons_{\gspk} \scr_{b}^\star) for b\in\bit}
|
||||||
%{\Return \bot\\}
|
%{\Return \bot\\}
|
||||||
%\If{\crt_{0 }^\star = \crt_{1 }^\star }{\Return \bot\\}
|
%\If{\crt_{0 }^\star = \crt_{1 }^\star }{\Return \bot\\}
|
||||||
\pcif
|
\pcif
|
||||||
\neg((\crt_{0}^\star \leftrightharpoons_{\mathcal{Y}} \scr_{0}^\star)
|
\neg((\crt_{0}^\star \leftrightharpoons_{\gspk} \scr_{0}^\star)
|
||||||
\wedge (\crt_{1}^\star \leftrightharpoons_{\mathcal{Y}} \scr_{1}^\star)
|
\wedge (\crt_{1}^\star \leftrightharpoons_{\gspk} \scr_{1}^\star)
|
||||||
\wedge (\crt_{0}^\star \neq \crt_{1 }^\star)) \pcthen\\
|
\wedge (\crt_{0}^\star \neq \crt_{1 }^\star)) \pcthen\\
|
||||||
\pcind\pcreturn \bot\\
|
\pcind\pcreturn \bot\\
|
||||||
%Pick random d \gets \bit;
|
%Pick random d \gets \bit;
|
||||||
\sigma^\star \leftarrow \mathsf{Sign}(\mathcal{Y},\crt_{d}^\star,
|
\sigma^\star \leftarrow \mathsf{Sign}(\gspk,\crt_{d}^\star,
|
||||||
\scr_{d}^\star,M^\star)\\
|
\scr_{d}^\star,M^\star)\\
|
||||||
d'\leftarrow \adv(\mathsf{guess};\,\sigma^\star,aux,Q_{\mathsf{pub}},
|
d'\leftarrow \adv(\mathsf{guess};\,\sigma^\star,aux,Q_{\mathsf{pub}},
|
||||||
Q_{\mathsf{key\GM}},Q_{\mathsf{open}}^{\neg \{ (M^\star, \sigma^\star)\}},
|
Q_{\mathsf{key\GM}},Q_{\mathsf{open}}^{\neg \{ (M^\star, \sigma^\star)\}},
|
||||||
|
11
chap-ZK.tex
11
chap-ZK.tex
@ -114,7 +114,7 @@ Commitment schemes~\cite{Blu81} are the digital equivalent of a safe. The goal i
|
|||||||
|
|
||||||
These algorithms should verify correctness, hiding and binding properties, where $\Exp{\mathrm{hiding}}{\adv, b}$ and $\Exp{\mathrm{binding}}{\adv}$ are described in Figure~\ref{fig:hiding-binding-games}.
|
These algorithms should verify correctness, hiding and binding properties, where $\Exp{\mathrm{hiding}}{\adv, b}$ and $\Exp{\mathrm{binding}}{\adv}$ are described in Figure~\ref{fig:hiding-binding-games}.
|
||||||
\begin{description}
|
\begin{description}
|
||||||
\item[Correctness.] For any $\param \gets \Setup(1^\lambda)$, message $M$, commitment and opening $(\com, \open) \gets \Commit(\param, M)$, it holds that $\Open(\param, \open, M) = 1$.
|
\item[Correctness.] For any public parameters $\param \gets \Setup(1^\lambda)$, message $M$, commitment and opening $(\com, \open) \gets \Commit(\param, M)$, it holds that $\Open(\param, \open, M) = 1$.
|
||||||
\item[Hiding.] For any \ppt{} adversary $\adv$ against the hiding experiment, we have that
|
\item[Hiding.] For any \ppt{} adversary $\adv$ against the hiding experiment, we have that
|
||||||
\[ \hspace{-1cm}
|
\[ \hspace{-1cm}
|
||||||
\advantage{\mathrm{hiding}}{\adv}(\lambda) = \left| \Pr\left[\Exp{\mathrm{hiding}}{\adv, 1}(\lambda) = 1\right] - \Pr\left[\Exp{\mathrm{hiding}}{\adv, 0}(\lambda) = 1\right] \right| \leq \negl[\lambda],
|
\advantage{\mathrm{hiding}}{\adv}(\lambda) = \left| \Pr\left[\Exp{\mathrm{hiding}}{\adv, 1}(\lambda) = 1\right] - \Pr\left[\Exp{\mathrm{hiding}}{\adv, 0}(\lambda) = 1\right] \right| \leq \negl[\lambda],
|
||||||
@ -180,7 +180,7 @@ In the random oracle model, it is possible to transform a ZK proof into an NIZK
|
|||||||
|
|
||||||
\begin{definition}[Fiat-Shamir Transform~{\cite{FS86}}]
|
\begin{definition}[Fiat-Shamir Transform~{\cite{FS86}}]
|
||||||
\index{Zero Knowledge!Fiat-Shamir Transform}
|
\index{Zero Knowledge!Fiat-Shamir Transform}
|
||||||
Let $(P, V)$ be a three-round zero-knowledge proof for relation $R = \{ (x, w) \}$ as in Figure~\ref{fig:sigma} and $\mathcal H$ be a cryptographic hash function.
|
Let $(P, V)$ be a three-move ZK proof system for relation $R = \{ (x, w) \}$ as in Figure~\ref{fig:sigma} and $\mathcal H$ be a cryptographic hash function.
|
||||||
|
|
||||||
Let $\hat P$ be the following non-interactive prover that takes as inputs $x$ and $w$:
|
Let $\hat P$ be the following non-interactive prover that takes as inputs $x$ and $w$:
|
||||||
\begin{enumerate}
|
\begin{enumerate}
|
||||||
@ -233,13 +233,14 @@ For the sake of completeness, we can also mention $\NIZK$ in the standard model,
|
|||||||
Schnorr's methodology to construct proofs is based on the $\Sigma$-protocol technique to design zero-knowledge proofs.
|
Schnorr's methodology to construct proofs is based on the $\Sigma$-protocol technique to design zero-knowledge proofs.
|
||||||
It has been introduced in order to prove the knowledge of a discrete logarithm (which can bee seen at the relation $R_{\mathsf{dlog}} = \{ (h, a) \in \GG \times \ZZ_p \mid h = g^a \}$ with $\GG = \langle g \rangle$ be a cyclic group of prime order $p\geq 2$) and is described in Figure~\ref{fig:schnorr-dlog}.
|
It has been introduced in order to prove the knowledge of a discrete logarithm (which can bee seen at the relation $R_{\mathsf{dlog}} = \{ (h, a) \in \GG \times \ZZ_p \mid h = g^a \}$ with $\GG = \langle g \rangle$ be a cyclic group of prime order $p\geq 2$) and is described in Figure~\ref{fig:schnorr-dlog}.
|
||||||
|
|
||||||
This methodology can be interpreted as follows. Given a commitment scheme $(\Setup, \Commit, \Verify)$, where the randomness $r$ used in $\Commit$ is made explicit, the first move of the prover $P$ consists in fixing the randomness used in the commitment scheme $r$ \emph{via} $\rho$, then the verifier asks the prover to commit to a challenge message $c$ using the randomness carried by $\rho$, and the prover sends the opening for this commitment $\open$. Finally, the verifier accepts if and only if $\Verify(\param, \com, \open, c) = 1$.
|
An interpretation of this methodology is the following: given a commitment scheme $(\Setup, \Commit, \Verify)$, where the randomness $r$ used in $\Commit$ is made explicit, the first move of the prover $P$ consists in binding the randomness used in the commitment scheme $r$ using the transmitted value $\rho = g^r$, then the verifier asks the prover to commit to a challenge message $c$ using the randomness carried by $\rho$, and the prover sends the opening for this commitment $\open$.
|
||||||
|
Finally, the verifier accepts if and only if $\Verify(\param, \com, \open, c) = 1$.
|
||||||
|
|
||||||
In the protocol described in Figure~\ref{fig:schnorr-dlog}, the underlying commitment is the Pedersen commitment scheme~\cite{Ped91}.
|
In the protocol described in Figure~\ref{fig:schnorr-dlog}, the underlying commitment is the Pedersen commitment scheme~\cite{Ped91}: a commitment of a message $M \in \Zp$ is $g^m \cdot h^r \in \GG$ and the opening is the randomness $r$ used to commit.
|
||||||
|
|
||||||
Given its effiency, Schnorr's protocol is used along with Fiat-Shamir heuristic in the pairing-based group signature described in~\cref{ch:sigmasig}.
|
Given its effiency, Schnorr's protocol is used along with Fiat-Shamir heuristic in the pairing-based group signature described in~\cref{ch:sigmasig}.
|
||||||
|
|
||||||
This methodology has also been adapted in the ideal lattice-setting by Lyubashevsky~\cite{Lyu08, Lyu09} along with a technique called \textit{rejection sampling} in order to construct zero-knowledge proofs from ideal lattice assumptions and is described in Figure~\ref{fig:schnorr-lwe}.
|
This methodology has also been adapted in the ideal lattice-setting by Lyubashevsky~\cite{Lyu08, Lyu09} along with a technique called \textit{rejection sampling} in order to construct ZK proofs from ideal lattice assumptions and is described in Figure~\ref{fig:schnorr-lwe}.
|
||||||
In this description $D_y$ and $D_c$ are the distributions from which $\mathbf{y}_1, \mathbf{y}_2$ and $\mathbf{c}$ have to be sampled respectively, and $G$ describes the set of \textit{good} responses $\mathbf{z}_1, \mathbf{z}_2$ in order not to leak informations about $\mathbf{s}_1, \mathbf{s}_2$.
|
In this description $D_y$ and $D_c$ are the distributions from which $\mathbf{y}_1, \mathbf{y}_2$ and $\mathbf{c}$ have to be sampled respectively, and $G$ describes the set of \textit{good} responses $\mathbf{z}_1, \mathbf{z}_2$ in order not to leak informations about $\mathbf{s}_1, \mathbf{s}_2$.
|
||||||
The part under square braces is called the \textit{rejection} phase, and ensure that the transmitted $\mathbf{z}_1, \mathbf{z}_2$ will not leak any information about $\mathbf{s}_1, \mathbf{s}_2$ to V.
|
The part under square braces is called the \textit{rejection} phase, and ensure that the transmitted $\mathbf{z}_1, \mathbf{z}_2$ will not leak any information about $\mathbf{s}_1, \mathbf{s}_2$ to V.
|
||||||
This part induced a noticeable error-rate where the prover aborts the proof. As the protocol is proven \textit{witness indistinguishable}~\cite{Lyu09}, one can run the protocol multiple times in parallel and hope that one of them will not abort~\cite{FS90}.
|
This part induced a noticeable error-rate where the prover aborts the proof. As the protocol is proven \textit{witness indistinguishable}~\cite{Lyu09}, one can run the protocol multiple times in parallel and hope that one of them will not abort~\cite{FS90}.
|
||||||
|
@ -93,8 +93,14 @@ That's why we'll now define the principle of polynomial time reduction.
|
|||||||
In other words, a polynomial reduction from $A$ to $B$ is the description of a polynomial time algorithm (also called ``\emph{the reduction}''), that uses an algorithm for $B$ in a black-box manner to solve $A$.
|
In other words, a polynomial reduction from $A$ to $B$ is the description of a polynomial time algorithm (also called ``\emph{the reduction}''), that uses an algorithm for $B$ in a black-box manner to solve $A$.
|
||||||
This is illustrated in Figure~\ref{fig:poly-reduction}.
|
This is illustrated in Figure~\ref{fig:poly-reduction}.
|
||||||
|
|
||||||
|
To write down that a TM has black-box access to a TM $M_O$ that computes function $O$, we sometimes use the \textit{oracle} terminology.
|
||||||
|
|
||||||
|
\begin{definition}[Oracle machine] \index{Turing machine!Oracle machine}
|
||||||
|
A Turing Machine $M$ is said to have \textit{oracle access} to a function $O(\cdot)$ if it has access to the result of $O(x)$ for any input $x$ of its choice in constant time. We denote the output of $M$ on input $x$ with oracle $O$ by $M^O(x)$.
|
||||||
|
\end{definition}
|
||||||
|
|
||||||
We can notice that \textsf{P} and \textsf{PP} are both closed under polynomial-time reduction.
|
We can notice that \textsf{P} and \textsf{PP} are both closed under polynomial-time reduction.
|
||||||
Namely, if a problem is easier than another problem in \textsf{P} (resp. \textsf{PP}), then this problem is also in \textsf{P} (resp. \textsf{PP}).
|
Namely, if a problem is easier than another problem in \textsf{P} (resp. \textsf{PP}), then the former problem is also in \textsf{P} (resp. \textsf{PP}).
|
||||||
|
|
||||||
Until know, we mainly focus on the running time of the algorithms.
|
Until know, we mainly focus on the running time of the algorithms.
|
||||||
In cryptology, it is also important to consider the success probability of algorithms:
|
In cryptology, it is also important to consider the success probability of algorithms:
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
%--------------------------------------------------
|
%--------------------------------------------------
|
||||||
In this chapter, we aim at lifting the \textit{signature with efficient protocols} from~\cite{LPY15} into the random oracle model in order to get an efficient construction.
|
In this chapter, we aim at lifting the \textit{signature with efficient protocols} from~\cite{LPY15} into the random oracle model in order to get an efficient construction.
|
||||||
Signatures with efficient protocols in the Camenish and Lysyanskaya fashion~\cite{CL04} are digital signatures that comes with companion zero-knowledge proofs that allows a signature holder to prove
|
Signatures with efficient protocols in the Camenish and Lysyanskaya fashion~\cite{CL04} are digital signatures that comes with companion zero-knowledge proofs that allows a signature holder to prove
|
||||||
|
|
||||||
%--------------------------------------------------
|
%--------------------------------------------------
|
||||||
\section{Building blocks}
|
\section{Building blocks}
|
||||||
@ -15,14 +15,14 @@ groups of prime order $p$ and we rely on the assumed security of the \SDL and \
|
|||||||
|
|
||||||
\defSDL*
|
\defSDL*
|
||||||
|
|
||||||
\subsection{Quasi-Adaptive NIZK Arguments for Linear Subspaces} \label{sse:sigmasig-qa-nizk}
|
\subsection{Quasi-Adaptive $\NIZK$ Arguments for Linear Subspaces} \label{sse:sigmasig-qa-nizk}
|
||||||
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Argument NIZK quasi-adaptatif pour un sous-espace linéaire}
|
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Argument $\NIZK$ quasi-adaptatif pour un sous-espace linéaire}
|
||||||
|
|
||||||
Quasi-Adaptive NIZK (QA-NIZK) proofs \cite{JR13} are NIZK proofs where the common reference string (CRS)
|
Quasi-Adaptive $\NIZK$ (\QANIZK) proofs \cite{JR13} are $\NIZK$ proofs where the common reference string (CRS)
|
||||||
may depend on the language for which proofs have to be generated.
|
may depend on the language for which proofs have to be generated.
|
||||||
Formal definitions are given in \cite{JR13,LPJY14,KW15}. %Appendix~\ref{QA-NIZK}.
|
Formal definitions are given in \cite{JR13,LPJY14,KW15}.
|
||||||
|
|
||||||
This section recalls the QA-NIZK argument of \cite{KW15} for proving membership in the row space of a matrix.
|
This section recalls the \QANIZK argument of \cite{KW15} for proving membership in the row space of a matrix.
|
||||||
In the description below, we assume that all
|
In the description below, we assume that all
|
||||||
algorithms take as input the description of common public parameters $\mathsf{cp}$ consisting of asymmetric
|
algorithms take as input the description of common public parameters $\mathsf{cp}$ consisting of asymmetric
|
||||||
bilinear groups $(\GG,\Gh,\GT,p)$ of prime order $p>2^\lambda$, where $\lambda$ is the security parameter.
|
bilinear groups $(\GG,\Gh,\GT,p)$ of prime order $p>2^\lambda$, where $\lambda$ is the security parameter.
|
||||||
@ -58,16 +58,16 @@ We stress that $\mathsf{cp}$ is independent of the matrix $\mathbf{M} = (\vec{M}
|
|||||||
$ 1_{\GT} = e(\pi,\hat{g_z}) \cdot \prod_{j=1}^n e(v_j,\hat{g}_j) . $
|
$ 1_{\GT} = e(\pi,\hat{g_z}) \cdot \prod_{j=1}^n e(v_j,\hat{g}_j) . $
|
||||||
\end{description}
|
\end{description}
|
||||||
|
|
||||||
The proof of the soundness of this QA-NIZK argument system requires the matrix $\mathbf{M}$ to be witness-samplable.
|
The proof of the soundness of this \QANIZK argument system requires the matrix $\mathbf{M}$ to be witness-samplable.
|
||||||
This means that the reduction has to know the discrete logarithms of the group elements of $\mathbf{M}$.
|
This means that the reduction has to know the discrete logarithms of the group elements of $\mathbf{M}$.
|
||||||
This requirement is compatible with our security proofs.
|
This requirement is compatible with our security proofs.
|
||||||
|
|
||||||
\section{A Randomizable Signature on Multi-Block Messages} \label{scal-sig}
|
\section{A Randomizable Signature on Multi-Block Messages} \label{scal-sig}
|
||||||
|
|
||||||
In \cite{LPY15}, Libert \textit{et al.} described an F-unforgeable signature based on the SXDH assumption. We show that their scheme
|
In \cite{LPY15}, Libert \textit{et al.} described an F-unforgeable signature based on the $\SXDH$ assumption. We show that their scheme
|
||||||
implies an efficient ordinary digital signature which makes it possible to efficiently sign multi-block messages in $\Zp^{\ell}$ while keeping the scheme
|
implies an efficient ordinary digital signature which makes it possible to efficiently sign multi-block messages in $\Zp^{\ell}$ while keeping the scheme
|
||||||
compatible with efficient protocols. In order to keep the signature length independent of the number of blocks, we exploit the property that the underlying QA-NIZK argument \cite{KW15} has constant size, regardless of the dimensions of the considered linear subspace.
|
compatible with efficient protocols. In order to keep the signature length independent of the number of blocks, we exploit the property that the underlying \QANIZK argument \cite{KW15} has constant size, regardless of the dimensions of the considered linear subspace.
|
||||||
Moreover, we show that their scheme remains unforgeable under the SXDH assumption.
|
Moreover, we show that their scheme remains unforgeable under the $\SXDH$ assumption.
|
||||||
|
|
||||||
\begin{description}
|
\begin{description}
|
||||||
\item[\textsf{Keygen}$(\lambda,\ell):$] Choose bilinear groups $\mathsf{cp}=(\GG,\Gh,\GT,p)$
|
\item[\textsf{Keygen}$(\lambda,\ell):$] Choose bilinear groups $\mathsf{cp}=(\GG,\Gh,\GT,p)$
|
||||||
@ -89,7 +89,7 @@ Moreover, we show that their scheme remains unforgeable under the SXDH assumptio
|
|||||||
\end{array}\right) ,
|
\end{array}\right) ,
|
||||||
\end{equation}
|
\end{equation}
|
||||||
where $\mathbf{1}_{{}_{\ell+1}}=(1_{\GG},\ldots,1_{\GG})\in\GG^{\ell+1}$.
|
where $\mathbf{1}_{{}_{\ell+1}}=(1_{\GG},\ldots,1_{\GG})\in\GG^{\ell+1}$.
|
||||||
\item Run $\mathsf{Keygen}(\mathsf{cp},M)$ of the QA-NIZK argument of Section~\ref{sse:sigmasig-qa-nizk}
|
\item Run $\mathsf{Keygen}(\mathsf{cp},M)$ of the \QANIZK argument of Section~\ref{sse:sigmasig-qa-nizk}
|
||||||
to get $\mathsf{crs}=(\{ z_i \}_{i=1}^{\ell+2},~ \hat{g}_z,~\{ \hat{g}_j \}_{j=1}^{2\ell+4} )$.
|
to get $\mathsf{crs}=(\{ z_i \}_{i=1}^{\ell+2},~ \hat{g}_z,~\{ \hat{g}_j \}_{j=1}^{2\ell+4} )$.
|
||||||
\bigskip
|
\bigskip
|
||||||
\item[]
|
\item[]
|
||||||
@ -111,13 +111,13 @@ $\vec{m}\in \Zp^\ell$, choose $s \sample \Zp$ to compute
|
|||||||
= g^\omega\cdot (v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot w)^{s}, &
|
= g^\omega\cdot (v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot w)^{s}, &
|
||||||
\sigma_2 & = g^{s}, & \sigma_3 & = h^{s} .
|
\sigma_2 & = g^{s}, & \sigma_3 & = h^{s} .
|
||||||
\end{align*}
|
\end{align*}
|
||||||
Then, run $\mathsf{Prove}$ of the QA-NIZK argument to prove that
|
Then, run $\mathsf{Prove}$ of the \QANIZK argument to prove that
|
||||||
the following vector of $\GG^{2\ell+4}$
|
the following vector of $\GG^{2\ell+4}$
|
||||||
\begin{align} \label{eq:vector}
|
\begin{align} \label{eq:vector}
|
||||||
(\sigma_1,\sigma_2^{m_1},\ldots,\sigma_2^{m_\ell},\sigma_2,
|
(\sigma_1,\sigma_2^{m_1},\ldots,\sigma_2^{m_\ell},\sigma_2,
|
||||||
\sigma_3^{m_1},\ldots,\sigma_3^{m_\ell},\sigma_3,\Omega)
|
\sigma_3^{m_1},\ldots,\sigma_3^{m_\ell},\sigma_3,\Omega)
|
||||||
\end{align}
|
\end{align}
|
||||||
is in the row space of $\mathbf{M}$. This QA-NIZK proof $\pi\in\GG$ consists of $\pi = z_1^\omega \cdot (z_2^{m_1}\cdots z_{\ell+1}^{m_\ell} \cdot
|
is in the row space of $\mathbf{M}$. This \QANIZK proof $\pi\in\GG$ consists of $\pi = z_1^\omega \cdot (z_2^{m_1}\cdots z_{\ell+1}^{m_\ell} \cdot
|
||||||
z_{\ell+2})^{s}.$
|
z_{\ell+2})^{s}.$
|
||||||
|
|
||||||
Return the signature $\sigma=\big(\sigma_1,\sigma_2,\sigma_3, \pi \big)\in\GG^{4}$.
|
Return the signature $\sigma=\big(\sigma_1,\sigma_2,\sigma_3, \pi \big)\in\GG^{4}$.
|
||||||
@ -138,7 +138,7 @@ The signature on $\ell$ scalars thus only consists of 4 elements in $\GG$
|
|||||||
while the verification equation only involves a computation of 5 pairings.
|
while the verification equation only involves a computation of 5 pairings.
|
||||||
|
|
||||||
\begin{theorem} \label{th:eu-cma-1}
|
\begin{theorem} \label{th:eu-cma-1}
|
||||||
The above signature scheme is existentially unforgeable under chosen-message attacks (\textsf{eu-cma}) if the SXDH assumption holds in $(\GG, \Gh, \GT)$.
|
The above signature scheme is existentially unforgeable under chosen-message attacks (\textsf{eu-cma}) if the $\SXDH$ assumption holds in $(\GG, \Gh, \GT)$.
|
||||||
\end{theorem}
|
\end{theorem}
|
||||||
|
|
||||||
\begin{proof}
|
\begin{proof}
|
||||||
@ -158,7 +158,7 @@ The above signature scheme is existentially unforgeable under chosen-message att
|
|||||||
\end{aligned}
|
\end{aligned}
|
||||||
\end{equation}
|
\end{equation}
|
||||||
Since $(\sigma_1,\sigma_2^{m_1},\ldots,\sigma_2^{m_\ell},\sigma_2, \sigma_3^{m_1},\ldots,\sigma_3^{m_\ell},\sigma_3,\Omega)$
|
Since $(\sigma_1,\sigma_2^{m_1},\ldots,\sigma_2^{m_\ell},\sigma_2, \sigma_3^{m_1},\ldots,\sigma_3^{m_\ell},\sigma_3,\Omega)$
|
||||||
is in the row space of $\mathbf{M}$, the QA-NIZK proof $\pi$ has the same distribution as if it were computed as
|
is in the row space of $\mathbf{M}$, the \QANIZK proof $\pi$ has the same distribution as if it were computed as
|
||||||
\begin{equation}
|
\begin{equation}
|
||||||
\label{eq:rel-sim-A}
|
\label{eq:rel-sim-A}
|
||||||
\begin{aligned}
|
\begin{aligned}
|
||||||
@ -184,7 +184,7 @@ The above signature scheme is existentially unforgeable under chosen-message att
|
|||||||
\end{gathered}
|
\end{gathered}
|
||||||
\label{eq:rel-sig-B}
|
\label{eq:rel-sig-B}
|
||||||
\end{equation*}
|
\end{equation*}
|
||||||
The QA-NIZK proof $\pi$ is
|
The \QANIZK proof $\pi$ is
|
||||||
computed as in \eqref{eq:rel-sim-A} by using $\mathsf{tk}=\{\chi_i \}_{i=1}^{2\ell+4}$. Note that Type B signatures can be generated without using $\omega \in \Zp$.
|
computed as in \eqref{eq:rel-sim-A} by using $\mathsf{tk}=\{\chi_i \}_{i=1}^{2\ell+4}$. Note that Type B signatures can be generated without using $\omega \in \Zp$.
|
||||||
\end{description}
|
\end{description}
|
||||||
\smallskip
|
\smallskip
|
||||||
@ -205,9 +205,9 @@ The above signature scheme is existentially unforgeable under chosen-message att
|
|||||||
and wins if $\Verify(\mathsf{pk}, \sigma^\star, M^\star) = 1$.
|
and wins if $\Verify(\mathsf{pk}, \sigma^\star, M^\star) = 1$.
|
||||||
|
|
||||||
\item[Game 1:] We change the way $\bdv$ answers signing queries.
|
\item[Game 1:] We change the way $\bdv$ answers signing queries.
|
||||||
The QA-NIZK proofs $\pi$ are then computed as simulated QA-NIZK proofs
|
The \QANIZK proofs $\pi$ are then computed as simulated \QANIZK proofs
|
||||||
using $\mathsf{tk}$
|
using $\mathsf{tk}$
|
||||||
as in~\eqref{eq:rel-sim-A}. These QA-NIZK proofs are thus simulated
|
as in~\eqref{eq:rel-sim-A}. These \QANIZK proofs are thus simulated
|
||||||
proofs for true statements, and then their distribution remains unchanged.
|
proofs for true statements, and then their distribution remains unchanged.
|
||||||
We have $\Pr[S_1] = \Pr[S_1 \wedge E_1] + \Pr[S_1 \wedge
|
We have $\Pr[S_1] = \Pr[S_1 \wedge E_1] + \Pr[S_1 \wedge
|
||||||
\neg E_1]$.
|
\neg E_1]$.
|
||||||
@ -225,7 +225,7 @@ The above signature scheme is existentially unforgeable under chosen-message att
|
|||||||
is smaller than $\advantage{\DDH}{\GG}(\lambda) + 1/p$.
|
is smaller than $\advantage{\DDH}{\GG}(\lambda) + 1/p$.
|
||||||
\end{description}
|
\end{description}
|
||||||
|
|
||||||
In Game $2.Q$, we know that if SXDH holds, $\adv$ can only output a type $\mathrm{A}'$
|
In Game $2.Q$, we know that if $\SXDH$ holds, $\adv$ can only output a type $\mathrm{A}'$
|
||||||
forgery even if it only obtains type B signatures during the game.
|
forgery even if it only obtains type B signatures during the game.
|
||||||
Nevertheless, lemma~\ref{le:final-forgery} shows
|
Nevertheless, lemma~\ref{le:final-forgery} shows
|
||||||
that a type $\mathrm{A}'$ forgery in Game
|
that a type $\mathrm{A}'$ forgery in Game
|
||||||
@ -250,7 +250,7 @@ The above signature scheme is existentially unforgeable under chosen-message att
|
|||||||
\begin{proof}
|
\begin{proof}
|
||||||
Let $\adv$ be an attacker that does not
|
Let $\adv$ be an attacker that does not
|
||||||
output a type $\mathrm{A}'$ forgery. We will build an attacker $\bdv$ against the soundness of the
|
output a type $\mathrm{A}'$ forgery. We will build an attacker $\bdv$ against the soundness of the
|
||||||
Quasi-Adaptive NIZK (QA-NIZK) scheme, which security is implied from the double-pairing
|
Quasi-Adaptive $\NIZK$ (\QANIZK) scheme, which security is implied from the double-pairing
|
||||||
problem that reduces from DDH as explained in~\cite{LPJY13}.
|
problem that reduces from DDH as explained in~\cite{LPJY13}.
|
||||||
Let us define the vector $\ssigma \in \GG^{2\ell+4}$ as
|
Let us define the vector $\ssigma \in \GG^{2\ell+4}$ as
|
||||||
\[
|
\[
|
||||||
@ -263,7 +263,7 @@ The above signature scheme is existentially unforgeable under chosen-message att
|
|||||||
Our reduction $\bdv$ receives as input $\mathsf{cp}=(\GG,\Gh,\GT,p)$, a matrix ${\mathbf{M}}$ as in
|
Our reduction $\bdv$ receives as input $\mathsf{cp}=(\GG,\Gh,\GT,p)$, a matrix ${\mathbf{M}}$ as in
|
||||||
(\ref{matrix-scal-sig}) and a common
|
(\ref{matrix-scal-sig}) and a common
|
||||||
reference string $\mathsf{crs}$ (depending on the matrix) for an instance of the
|
reference string $\mathsf{crs}$ (depending on the matrix) for an instance of the
|
||||||
QA-NIZK scheme allowing to prove that vectors of dimension $2\ell + 4$ are in the row space of ${\mathbf{M}}$.
|
\QANIZK scheme allowing to prove that vectors of dimension $2\ell + 4$ are in the row space of ${\mathbf{M}}$.
|
||||||
The generation of the matrix ${\mathbf{M}}$ fixes $g$, $h$ and $\vec{v}=(v_1,\ldots,v_\ell,w)\in\GG^{\ell+1}$.
|
The generation of the matrix ${\mathbf{M}}$ fixes $g$, $h$ and $\vec{v}=(v_1,\ldots,v_\ell,w)\in\GG^{\ell+1}$.
|
||||||
After that, $\bdv$ picks $\omega \sample Z_p$ and $\hat g \sample \Gh$, and set $\Omega = h^\omega$.
|
After that, $\bdv$ picks $\omega \sample Z_p$ and $\hat g \sample \Gh$, and set $\Omega = h^\omega$.
|
||||||
Then, the reduction $\bdv$ sends to $\adv$ $\mathsf{cp}$ and the verification key:
|
Then, the reduction $\bdv$ sends to $\adv$ $\mathsf{cp}$ and the verification key:
|
||||||
@ -305,7 +305,7 @@ If DDH holds in $\GG$, for each $k \in
|
|||||||
|
|
||||||
Then, queries are answered depending on their index~$j$:\\
|
Then, queries are answered depending on their index~$j$:\\
|
||||||
\textbf{Case $\boldsymbol{j < k}$:} $\bdv$ computes a Type B signature, $\sigma = (\sigma_1, \sigma_2,
|
\textbf{Case $\boldsymbol{j < k}$:} $\bdv$ computes a Type B signature, $\sigma = (\sigma_1, \sigma_2,
|
||||||
\sigma_3, \pi)$, using $\mathsf{tk}=\{ \chi_i \}_{i=1}^{2\ell + 4}$ with the QA-NIZK simulator
|
\sigma_3, \pi)$, using $\mathsf{tk}=\{ \chi_i \}_{i=1}^{2\ell + 4}$ with the \QANIZK simulator
|
||||||
to computes $\pi$.
|
to computes $\pi$.
|
||||||
|
|
||||||
\noindent\textbf{Case $\boldsymbol{j > k}$:} The last $Q - k - 1$ signing queries are computed as
|
\noindent\textbf{Case $\boldsymbol{j > k}$:} The last $Q - k - 1$ signing queries are computed as
|
||||||
@ -317,7 +317,7 @@ If DDH holds in $\GG$, for each $k \in
|
|||||||
depending on whether $\eta = g^{ab}$ or $\eta = g^{a(b+c)}$ for some $c \in_R \Zp$. Namely, $\bdv$ computes $\sigma_2 = g^b$, $\sigma_3 = \eta$,
|
depending on whether $\eta = g^{ab}$ or $\eta = g^{a(b+c)}$ for some $c \in_R \Zp$. Namely, $\bdv$ computes $\sigma_2 = g^b$, $\sigma_3 = \eta$,
|
||||||
and
|
and
|
||||||
$ \sigma_1 = g^\omega \sigma_2^{a_w + \sum_{i=1}^\ell a_{v_i} m_i} \sigma_3^{b_w + \sum_{i=1}^\ell b_{v_i} m_i}. $
|
$ \sigma_1 = g^\omega \sigma_2^{a_w + \sum_{i=1}^\ell a_{v_i} m_i} \sigma_3^{b_w + \sum_{i=1}^\ell b_{v_i} m_i}. $
|
||||||
Then $\bdv$ simulates QA-NIZK proofs $\pi$ as recalled in \eqref{eq:rel-sim-A}, and sends $\sigma = (\sigma_1, \sigma_2, \sigma_3, \pi)$ to $\adv$.
|
Then $\bdv$ simulates \QANIZK proofs $\pi$ as recalled in \eqref{eq:rel-sim-A}, and sends $\sigma = (\sigma_1, \sigma_2, \sigma_3, \pi)$ to $\adv$.
|
||||||
\smallskip
|
\smallskip
|
||||||
|
|
||||||
If $\eta = g^{ab}$, the $k$-th signature $\sigma$ is
|
If $\eta = g^{ab}$, the $k$-th signature $\sigma$ is
|
||||||
@ -690,7 +690,7 @@ This concludes the proof. % TODO: ugly
|
|||||||
\subsection{Signing a Committed Message}
|
\subsection{Signing a Committed Message}
|
||||||
|
|
||||||
At a high level, the protocol involves a committer who wants to get a signature on ${\mathbf{m}}=(m_1,\ldots,m_\ell)$ and first computes a commitment of the form $c_v=v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot u^{r}$, where $u$ is the extra public parameter (with unknown discrete log). The signer gives back elements of the form $\tau_1=g^\omega c_v^s$, $\tau_2=g^s$, $\tau_3=h^s$ which is almost the desired signature. To get the component $\sigma_1$ of the right form relatively to $\tau_2,\tau_3$ the committer has to remove the factor $u^{rs}$ from $\tau_1$. Then, the signer also sends $\tau_0=u^s$ to enable removing $\tau_0^r$.
|
At a high level, the protocol involves a committer who wants to get a signature on ${\mathbf{m}}=(m_1,\ldots,m_\ell)$ and first computes a commitment of the form $c_v=v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot u^{r}$, where $u$ is the extra public parameter (with unknown discrete log). The signer gives back elements of the form $\tau_1=g^\omega c_v^s$, $\tau_2=g^s$, $\tau_3=h^s$ which is almost the desired signature. To get the component $\sigma_1$ of the right form relatively to $\tau_2,\tau_3$ the committer has to remove the factor $u^{rs}$ from $\tau_1$. Then, the signer also sends $\tau_0=u^s$ to enable removing $\tau_0^r$.
|
||||||
In the protocol some randomizing steps are included as well as other additional components allowing the committer to extract $\pi$, the QA-NIZK part of the signature. In the security proof of the protocol we thus have to show that the additional value $\tau_0=u^s$ does not affect the unforgeability of the signature. \smallskip
|
In the protocol some randomizing steps are included as well as other additional components allowing the committer to extract $\pi$, the \QANIZK part of the signature. In the security proof of the protocol we thus have to show that the additional value $\tau_0=u^s$ does not affect the unforgeability of the signature. \smallskip
|
||||||
|
|
||||||
\noindent \textbf{The protocol.}
|
\noindent \textbf{The protocol.}
|
||||||
%
|
%
|
||||||
@ -729,11 +729,11 @@ In comparison, the construction of \cite{CL02a} requires groups of larger hidde
|
|||||||
\noindent \textbf{Security.}
|
\noindent \textbf{Security.}
|
||||||
%
|
%
|
||||||
We briefly sketch the proof of the above protocol in front of malicious entities since classical arguments can be applied. Assuming that the committer uses secure ZKPK and does not output $\bot$, a malicious signer which receives perfectly hiding commitments $c_v,c_z$ cannot tell apart an honest proof from a simulated proof. Consequently the signer learns nothing from ${\mathbf{m}}$ during the execution of the protocol.
|
We briefly sketch the proof of the above protocol in front of malicious entities since classical arguments can be applied. Assuming that the committer uses secure ZKPK and does not output $\bot$, a malicious signer which receives perfectly hiding commitments $c_v,c_z$ cannot tell apart an honest proof from a simulated proof. Consequently the signer learns nothing from ${\mathbf{m}}$ during the execution of the protocol.
|
||||||
In the other case, we have to show that a corrupted committer remains unable to produce valid signature on a new vector ${\mathbf{m}^\star}$. First, since the generation of $u$ is not under the controlled of the committer but of the random oracle, $u$ can be made independent of rest of $\mathsf{pk}$. Then, we only need to show that the signature remains unforgeable when $\tau_0$ is given in the signature. Since ${\mathbf{m}}$ and $s$ can be extracted from the proof of knowledge the reduction can output a signature on ${\mathbf{m}}$. Moreover it is easy to see from the security proof (in \cref{sse:sigmasig-qa-nizk}) of the signature how this additional element can be simulated. Actually the only place in the reduction where $\tau_0$ could not be computed directly as $u^s$ for a known $s$ is when the challenger $\bdv$ has to embed an SXDH challenge in a simulated signature. Given ($g,h,g^b,h^{b+c}$), $\bdv$ can compute $u=g^{a_u}h^{b_u}$ from random $a_u,b_u\gets\ZZ_p$ and program the random oracle to output this element $u$ as the specification of the public-key would do. Then to simulate $\tau_0$ $\bdv$ simply has to compute $\tau_0=(g^b)^{a_u}(h^{b+c})^{b_v}=u^bh^{c\cdot b_v}$ which is $u^b$ or random. The rest of the reduction remains unchanged since the value $a_u,b_u$ are completely independent of those already described in the sketch of proof in \cref{sse:sigmasig-qa-nizk}. \smallskip
|
In the other case, we have to show that a corrupted committer remains unable to produce valid signature on a new vector ${\mathbf{m}^\star}$. First, since the generation of $u$ is not under the controlled of the committer but of the random oracle, $u$ can be made independent of rest of $\mathsf{pk}$. Then, we only need to show that the signature remains unforgeable when $\tau_0$ is given in the signature. Since ${\mathbf{m}}$ and $s$ can be extracted from the proof of knowledge the reduction can output a signature on ${\mathbf{m}}$. Moreover it is easy to see from the security proof (in \cref{sse:sigmasig-qa-nizk}) of the signature how this additional element can be simulated. Actually the only place in the reduction where $\tau_0$ could not be computed directly as $u^s$ for a known $s$ is when the challenger $\bdv$ has to embed an $\SXDH$ challenge in a simulated signature. Given ($g,h,g^b,h^{b+c}$), $\bdv$ can compute $u=g^{a_u}h^{b_u}$ from random $a_u,b_u\gets\ZZ_p$ and program the random oracle to output this element $u$ as the specification of the public-key would do. Then to simulate $\tau_0$ $\bdv$ simply has to compute $\tau_0=(g^b)^{a_u}(h^{b+c})^{b_v}=u^bh^{c\cdot b_v}$ which is $u^b$ or random. The rest of the reduction remains unchanged since the value $a_u,b_u$ are completely independent of those already described in the sketch of proof in \cref{sse:sigmasig-qa-nizk}. \smallskip
|
||||||
|
|
||||||
\noindent \textbf{Remark.}
|
\noindent \textbf{Remark.}
|
||||||
%
|
%
|
||||||
Since a malicious signer may know the simulation trapdoor $\mathsf{tk}=\{\chi_i\}_{i=1}^{2\ell+4}$ of the underlying QA-NIZK argument, he could produce valid signature so that $\log_g \sigma_2\neq\log_h \sigma_3$. Then, if the committer later needs to proof knowledge of the received signature it then has to use the sigma protocol of Section~\ref{scal-sig} where both $\sigma_2$ and $\sigma_3$ only appear in committed form.
|
Since a malicious signer may know the simulation trapdoor $\mathsf{tk}=\{\chi_i\}_{i=1}^{2\ell+4}$ of the underlying \QANIZK argument, he could produce valid signature so that $\log_g \sigma_2\neq\log_h \sigma_3$. Then, if the committer later needs to proof knowledge of the received signature it then has to use the sigma protocol of Section~\ref{scal-sig} where both $\sigma_2$ and $\sigma_3$ only appear in committed form.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@ -749,7 +749,7 @@ on a committed message $\ID \in \Zp$. Here, we use a deterministic commitment to
|
|||||||
efficiency. When signing a message, each group member verifiably encrypts the components $(\sigma_1,\pi)$ of his membership certificate that depend on $\ID$ (and not $\sigma_2,\sigma_3$ which can be assumed to be honestly computed here, unlike in the previous section).
|
efficiency. When signing a message, each group member verifiably encrypts the components $(\sigma_1,\pi)$ of his membership certificate that depend on $\ID$ (and not $\sigma_2,\sigma_3$ which can be assumed to be honestly computed here, unlike in the previous section).
|
||||||
For the sake of efficiency, we use a randomness re-using \cite{BBKS07} variant of the Cramer-Shoup encryption scheme \cite{CS98} whereby $\sigma_1$ and $\pi$ are both encrypted using
|
For the sake of efficiency, we use a randomness re-using \cite{BBKS07} variant of the Cramer-Shoup encryption scheme \cite{CS98} whereby $\sigma_1$ and $\pi$ are both encrypted using
|
||||||
the same encryption exponent $\theta \in \Zp$. For public verifiability purposes, the validity of Cramer-Shoup ciphertexts is demonstrated using
|
the same encryption exponent $\theta \in \Zp$. For public verifiability purposes, the validity of Cramer-Shoup ciphertexts is demonstrated using
|
||||||
$\Sigma$-protocols and the Fiat-Shamir heuristic \cite{FS86} (somewhat in the fashion of \cite{SG98}) rather than designated verifier NIZK proofs \cite{CS98}. \\
|
$\Sigma$-protocols and the Fiat-Shamir heuristic \cite{FS86} (somewhat in the fashion of \cite{SG98}) rather than designated verifier $\NIZK$ proofs \cite{CS98}. \\
|
||||||
\indent
|
\indent
|
||||||
In the join protocol, the user proves knowledge of his membership secret $\ID \in \Zp$ in a zero-knowledge manner, which restricts the group manager to sequentially interact
|
In the join protocol, the user proves knowledge of his membership secret $\ID \in \Zp$ in a zero-knowledge manner, which restricts the group manager to sequentially interact
|
||||||
with prospective users. However, this limitation can be removed using an extractable commitment as in \cite{DP06}.
|
with prospective users. However, this limitation can be removed using an extractable commitment as in \cite{DP06}.
|
||||||
@ -779,15 +779,15 @@ with prospective users. However, this limitation can be removed using an extract
|
|||||||
that will be modeled as a random oracle.
|
that will be modeled as a random oracle.
|
||||||
|
|
||||||
\item Define
|
\item Define
|
||||||
$\mathcal Y = \bigl\{ \pk_s, X_z, X_\sigma, X_\ID \bigr\} $ to be the group public key.
|
$\gspk = \bigl\{ \pk_s, X_z, X_\sigma, X_\ID \bigr\} $ to be the group public key.
|
||||||
The group manager's private key is $\mathcal S_\GM = \omega = \sk_s$ whereas the opening authority's private key consists of
|
The group manager's private key is $\mathcal{S}_\GM = \omega = \sk_s$ whereas the opening authority's private key consists of
|
||||||
$ \mathcal S_\mathrm{OA} = \bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$.
|
$ \mathcal{S}_\mathrm{OA} = \bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$.
|
||||||
\end{enumerate} \vspace{-1mm}
|
\end{enumerate} \vspace{-1mm}
|
||||||
%
|
%
|
||||||
\begin{description}
|
\begin{description}
|
||||||
\item[\textsf{Join}$^{(\GM, \U_i)}$:] The group manager $\GM$, and the
|
\item[\textsf{Join}$^{(\GM, \U_i)}$:] The group manager $\GM$, and the
|
||||||
prospective user $\U_i$ run the following interactive protocol:
|
prospective user $\U_i$ run the following interactive protocol:
|
||||||
%$[ \mathsf J_{\user}(\lambda, \mathcal Y), \mathsf J_\GM(\lambda, St, \mathcal Y, \mathcal S_{\GM}) ]$
|
%$[ \mathsf{J}_{\user}(\lambda, \gspk), \mathsf{J}_\GM(\lambda, St, \gspk, \mathcal{S}_{\GM}) ]$
|
||||||
\end{description} \vspace{-2mm}
|
\end{description} \vspace{-2mm}
|
||||||
\begin{enumerate}
|
\begin{enumerate}
|
||||||
\item $\U_i$ chooses ${\ID \sample \Zp}$ and sends the following to
|
\item $\U_i$ chooses ${\ID \sample \Zp}$ and sends the following to
|
||||||
@ -813,13 +813,13 @@ with prospective users. However, this limitation can be removed using an extract
|
|||||||
|
|
||||||
\item $\GM$ uses $V_\ID=v^{\ID}$ to sign $\ID$ using the scheme of
|
\item $\GM$ uses $V_\ID=v^{\ID}$ to sign $\ID$ using the scheme of
|
||||||
section~\ref{scal-sig}: i.e., $\GM$ picks $s \sample \Zp$, and
|
section~\ref{scal-sig}: i.e., $\GM$ picks $s \sample \Zp$, and
|
||||||
uses $\mathcal S_\GM = \omega$ to compute
|
uses $\mathcal{S}_\GM = \omega$ to compute
|
||||||
$\sigma_1= g^\omega\cdot(V_\ID \cdot w)^s= g^\omega \cdot (v^\ID \cdot w)^s$
|
$\sigma_1= g^\omega\cdot(V_\ID \cdot w)^s= g^\omega \cdot (v^\ID \cdot w)^s$
|
||||||
and
|
and
|
||||||
\begin{align*}
|
\begin{align*}
|
||||||
\sigma_2 & = g^s, & \sigma_3 & = h^s.
|
\sigma_2 & = g^s, & \sigma_3 & = h^s.
|
||||||
\end{align*}
|
\end{align*}
|
||||||
Then $\GM$ uses $Z_{\ID}$ to generate the QA-NIZK proof $\pi\in \GG$ as
|
Then $\GM$ uses $Z_{\ID}$ to generate the \QANIZK proof $\pi\in \GG$ as
|
||||||
\begin{align*}
|
\begin{align*}
|
||||||
\pi &= z_1^\omega \cdot (Z_{\ID} \cdot z_3)^s
|
\pi &= z_1^\omega \cdot (Z_{\ID} \cdot z_3)^s
|
||||||
= z_1^\omega \cdot (z_2^\ID \cdot z_3)^s
|
= z_1^\omega \cdot (z_2^\ID \cdot z_3)^s
|
||||||
@ -836,7 +836,7 @@ with prospective users. However, this limitation can be removed using an extract
|
|||||||
\end{enumerate}
|
\end{enumerate}
|
||||||
%
|
%
|
||||||
\begin{description}
|
\begin{description}
|
||||||
\item[\textsf{Sign}$(\mathcal Y, \scr_i, \crt_i, M)$:] Given a message $M \in \bit^*$ and a secret $\scr_i = \ID$, the user $\U_i$
|
\item[\textsf{Sign}$(\gspk, \scr_i, \crt_i, M)$:] Given a message $M \in \bit^*$ and a secret $\scr_i = \ID$, the user $\U_i$
|
||||||
does the following:
|
does the following:
|
||||||
\end{description} \vspace{-2mm}
|
\end{description} \vspace{-2mm}
|
||||||
\begin{enumerate}
|
\begin{enumerate}
|
||||||
@ -888,7 +888,7 @@ with prospective users. However, this limitation can be removed using an extract
|
|||||||
\end{enumerate}
|
\end{enumerate}
|
||||||
%
|
%
|
||||||
\begin{description}
|
\begin{description}
|
||||||
\item[\textsf{Verify}$(\mathcal Y, M, \Sigma)$:]
|
\item[\textsf{Verify}$(\gspk, M, \Sigma)$:]
|
||||||
Parse the signature $\Sigma$ as in \eqref{gsig-sigma} and $C_{\mathsf{CS}}$ as
|
Parse the signature $\Sigma$ as in \eqref{gsig-sigma} and $C_{\mathsf{CS}}$ as
|
||||||
$(C_1, C_2, C_z, C_\sigma, C_\ID)$.
|
$(C_1, C_2, C_z, C_\sigma, C_\ID)$.
|
||||||
Then, output 1 if the the zero-knowledge proof verifies. Namely,
|
Then, output 1 if the the zero-knowledge proof verifies. Namely,
|
||||||
@ -940,11 +940,11 @@ with prospective users. However, this limitation can be removed using an extract
|
|||||||
\end{enumerate} \vspace{-1mm}
|
\end{enumerate} \vspace{-1mm}
|
||||||
%
|
%
|
||||||
\begin{description}
|
\begin{description}
|
||||||
\item[\textsf{Open}$(\mathcal Y, \mathcal S_\OA, M, \Sigma)$:] Given a pair $(M,\Sigma)$
|
\item[\textsf{Open}$(\gspk, \mathcal{S}_\OA, M, \Sigma)$:] Given a message-signature pair $(M,\Sigma)$
|
||||||
and the $\mathsf{OA}$'s private key $S_\mathrm{OA} = \bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$: \vspace{-1mm}
|
and the $\mathsf{OA}$'s private key $S_\mathrm{OA} = \bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$: \vspace{-1mm}
|
||||||
\end{description}
|
\end{description}
|
||||||
\begin{enumerate}
|
\begin{enumerate}
|
||||||
%\item Parse the signature $\Sigma$ as per~\eqref{gsig-sigma} and $\mathcal S_\OA$ as $ \bigl(x_z, y_z, x_r, y_r, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$.
|
%\item Parse the signature $\Sigma$ as per~\eqref{gsig-sigma} and $\mathcal{S}_\OA$ as $ \bigl(x_z, y_z, x_r, y_r, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$.
|
||||||
\item Decrypt $C_{\mathsf{CS}}=(C_1, C_2, C_z, C_\sigma, C_\ID)$ by computing
|
\item Decrypt $C_{\mathsf{CS}}=(C_1, C_2, C_z, C_\sigma, C_\ID)$ by computing
|
||||||
$\sigma_1 = C_\sigma \cdot C_1^{-x_\sigma} \cdot C_2^{-y_\sigma}$,
|
$\sigma_1 = C_\sigma \cdot C_1^{-x_\sigma} \cdot C_2^{-y_\sigma}$,
|
||||||
$ \pi = C_z \cdot C_1^{-x_z} \cdot C_2^{-y_z}$ and $V_\ID =C_\ID \cdot C_1^{-x_\ID} C_2^{-y_\ID}$.
|
$ \pi = C_z \cdot C_1^{-x_z} \cdot C_2^{-y_z}$ and $V_\ID =C_\ID \cdot C_1^{-x_\ID} C_2^{-y_\ID}$.
|
||||||
@ -985,18 +985,19 @@ This results in a modified opening algorithm which takes $O(N)$ in the worst-cas
|
|||||||
\subsection{Security}
|
\subsection{Security}
|
||||||
|
|
||||||
\begin{theorem} \label{gsig-anon}
|
\begin{theorem} \label{gsig-anon}
|
||||||
If SXDH holds in $(\GG, \Gh, \GT)$, the scheme is CCA-anonymous in the random oracle model. %\vspace{-1mm}
|
If $\SXDH$ holds in $(\GG, \Gh, \GT)$, the scheme is CCA-anonymous in the random oracle model. %\vspace{-1mm}
|
||||||
\end{theorem}
|
\end{theorem}
|
||||||
|
|
||||||
\begin{proof}
|
\begin{proof}
|
||||||
We use a sequence of games where, for each $i$, $W_i$ is the event that the adversary $\adv$ wins in Game $i$.
|
We use a sequence of games where, for each $i$, $W_i$ is the event that the adversary $\adv$ wins in Game $i$.
|
||||||
\\
|
\\
|
||||||
At the first transition, we need to rely on the security of the computational soundness of the QA-NIZK argument of Section~\ref{QA-NIZK-scheme} which relies on the SXDH assumption, since $\tilde \sigma_2$ and
|
At the first transition, we need to rely on the security of the computational soundness of the \QANIZK argument of Section~\ref{sse:sigmasig-qa-nizk} which relies on the $\SXDH$ assumption, since $\tilde \sigma_2$ and
|
||||||
$\tilde \sigma_3$ appear un-encrypted in each group signature.
|
$\tilde \sigma_3$ appear un-encrypted in each group signature.
|
||||||
\vspace{-2mm}
|
\vspace{-2mm}
|
||||||
|
|
||||||
\begin{description}
|
\begin{description}
|
||||||
\item[Game 0:] This is the real CCA-anonymity game. In the challenge phase, the adversary outputs two valid membership certificates and membership secrets $(\crt_0^\star,\scr_0^\star),(\crt_1^\star,\scr_1^\star)$ and obtains a challenge signature which the challenger computes using $(\crt_d^\star,\scr_d^\star)$, where $d\sample \{0,1\}$. We define $W_0$ to be the event that
|
\item[Game 0:] This is the real CCA-anonymity game.\\
|
||||||
|
In the challenge phase, the adversary outputs two valid membership certificates and membership secrets $(\crt_0^\star,\scr_0^\star),(\crt_1^\star,\scr_1^\star)$ and obtains a challenge signature which the challenger computes using $(\crt_d^\star,\scr_d^\star)$, where $d\sample \{0,1\}$. We define $W_0$ to be the event that
|
||||||
the adversary outputs $d'=d$.
|
the adversary outputs $d'=d$.
|
||||||
|
|
||||||
\item[Game 1:] This game is as Game $0$, except that the challenger $\bdv$ aborts in the event,
|
\item[Game 1:] This game is as Game $0$, except that the challenger $\bdv$ aborts in the event,
|
||||||
@ -1007,7 +1008,7 @@ $\tilde \sigma_3$ appear un-encrypted in each group signature.
|
|||||||
This implies that the vector
|
This implies that the vector
|
||||||
$(\sigma_1^\star, \sigma_2^{\star \ID}, \sigma_2^\star, \sigma_3^{\star \ID}, \sigma_3^\star, \Omega)$
|
$(\sigma_1^\star, \sigma_2^{\star \ID}, \sigma_2^\star, \sigma_3^{\star \ID}, \sigma_3^\star, \Omega)$
|
||||||
is outside the row space of the matrix $\mathbf{M}$ (\ref{matrix-scal-sig}), so that $F_1$ would contradict
|
is outside the row space of the matrix $\mathbf{M}$ (\ref{matrix-scal-sig}), so that $F_1$ would contradict
|
||||||
the soundness of the QA-NIZK proof of \cite{KW15}
|
the soundness of the \QANIZK proof of \cite{KW15}
|
||||||
(via the same arguments as in Theorem 9 of \cite{LPY15} since the matrix can be witness-samplable here)
|
(via the same arguments as in Theorem 9 of \cite{LPY15} since the matrix can be witness-samplable here)
|
||||||
and thus the DDH assumption in $\Gh$. We have
|
and thus the DDH assumption in $\Gh$. We have
|
||||||
$ [\Pr[W_1] - P[W_0] | \leq \advantage{\DDH}{\Gh}(\lambda).$
|
$ [\Pr[W_1] - P[W_0] | \leq \advantage{\DDH}{\Gh}(\lambda).$
|
||||||
@ -1027,7 +1028,7 @@ $\tilde \sigma_3$ appear un-encrypted in each group signature.
|
|||||||
Thus $|\Pr[W_2] - \Pr[W_1] | \leq 1/p^3$
|
Thus $|\Pr[W_2] - \Pr[W_1] | \leq 1/p^3$
|
||||||
|
|
||||||
\item[Game 3:] We modify again the generation of the challenge signature $ \Sigma^\star $. Namely, the challenger computes
|
\item[Game 3:] We modify again the generation of the challenge signature $ \Sigma^\star $. Namely, the challenger computes
|
||||||
$C_z, C_\sigma, C_\ID$ using $\mathcal S_\OA$ as follows
|
$C_z, C_\sigma, C_\ID$ using $\mathcal{S}_\OA$ as follows
|
||||||
\begin{align*}
|
\begin{align*}
|
||||||
C_z &= \tilde \pi \cdot C_1^{x_z} \cdot C_2^{y_z}, \\
|
C_z &= \tilde \pi \cdot C_1^{x_z} \cdot C_2^{y_z}, \\
|
||||||
C_\sigma &= \tilde \sigma \cdot C_1^{x_\sigma} \cdot C_2^{y_\sigma}, &
|
C_\sigma &= \tilde \sigma \cdot C_1^{x_\sigma} \cdot C_2^{y_\sigma}, &
|
||||||
@ -1090,7 +1091,7 @@ It comes that $\Pr[W_5]=1/2$. \medskip
|
|||||||
$\bdv$ faithfully generates the signature public key by faithfully running steps $1$, $2$, $3$ of the signature scheme
|
$\bdv$ faithfully generates the signature public key by faithfully running steps $1$, $2$, $3$ of the signature scheme
|
||||||
of Section~\ref{scal-sig} and then calls for the signing oracle to obtain homomorphic signatures $\{ (z_j, r_j) \}_{j=1}^3$
|
of Section~\ref{scal-sig} and then calls for the signing oracle to obtain homomorphic signatures $\{ (z_j, r_j) \}_{j=1}^3$
|
||||||
on the rows of the matrix $\mathbf{M} \in \GG^{3 \times 6}$. It then conducts the remaining steps faithfully to obtain a
|
on the rows of the matrix $\mathbf{M} \in \GG^{3 \times 6}$. It then conducts the remaining steps faithfully to obtain a
|
||||||
group public key $\mathcal Y$. Since $\bdv$ knows $\mathcal S_\OA$, it an perfectly simulate the opening oracle. If
|
group public key $\gspk$. Since $\bdv$ knows $\mathcal{S}_\OA$, it an perfectly simulate the opening oracle. If
|
||||||
$F_1$ occurs -- which it does by hypothesis --, one of the two membership certificate $\crt_d^\star$ of the challenge
|
$F_1$ occurs -- which it does by hypothesis --, one of the two membership certificate $\crt_d^\star$ of the challenge
|
||||||
phase must contain a signature $\sigma^\star$ such that $\log_g(\sigma_2^\star) \neq \log_h(\sigma^\star_3)$. At this
|
phase must contain a signature $\sigma^\star$ such that $\log_g(\sigma_2^\star) \neq \log_h(\sigma^\star_3)$. At this
|
||||||
point, $\bdv$ can win the game against its challenger by outputting the vector $(\sigma_1^\star, \sigma^{\star \ID}_2,
|
point, $\bdv$ can win the game against its challenger by outputting the vector $(\sigma_1^\star, \sigma^{\star \ID}_2,
|
||||||
@ -1162,7 +1163,7 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re
|
|||||||
|
|
||||||
\begin{theorem}
|
\begin{theorem}
|
||||||
In the ROM, the scheme is secure against
|
In the ROM, the scheme is secure against
|
||||||
mis-identification attacks under the SXDH assumption in $(\GG,\Gh)$.
|
mis-identification attacks under the $\SXDH$ assumption in $(\GG,\Gh)$.
|
||||||
\vspace{-1mm}
|
\vspace{-1mm}
|
||||||
\end{theorem}
|
\end{theorem}
|
||||||
%
|
%
|
||||||
@ -1179,7 +1180,7 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re
|
|||||||
scheme of section~\ref{scal-sig}. \medskip
|
scheme of section~\ref{scal-sig}. \medskip
|
||||||
\\
|
\\
|
||||||
\noindent \textit{Keygen.} At the key generation, $\bdv$ invokes its own challenger for the chosen-message security game to obtain the
|
\noindent \textit{Keygen.} At the key generation, $\bdv$ invokes its own challenger for the chosen-message security game to obtain the
|
||||||
public key $\pk_s$ for the signature scheme. $\pk_s$ is embedded in the group public key $\mathcal Y$. Except for $\mathcal S_\GM$, all keys
|
public key $\pk_s$ for the signature scheme. $\pk_s$ is embedded in the group public key $\gspk$. Except for $\mathcal{S}_\GM$, all keys
|
||||||
are generated as in the normal
|
are generated as in the normal
|
||||||
\textsf{Keygen} algorithm. \medskip
|
\textsf{Keygen} algorithm. \medskip
|
||||||
\\
|
\\
|
||||||
@ -1192,19 +1193,20 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re
|
|||||||
\medskip
|
\medskip
|
||||||
\\
|
\\
|
||||||
\noindent At some point, the attacker $\adv$ produces a valid forgery
|
\noindent At some point, the attacker $\adv$ produces a valid forgery
|
||||||
$(M^\star, \Sigma^\star = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star,
|
\[ (M^\star, \Sigma^\star = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star,
|
||||||
\tilde \sigma_2^\star, \tilde \sigma_3^\star, c^\star, s_\ID^\star, s_\theta^\star))$ for
|
\tilde \sigma_2^\star, \tilde \sigma_3^\star, c^\star, s_\ID^\star, s_\theta^\star))\] for
|
||||||
which the opening algorithm does not reveal a properly registered identity. With all but negligible probability, $\adv$ must have queried the random oracle value
|
which the opening algorithm does not reveal a properly registered identity. With all but negligible probability, $\adv$ must have queried the random oracle value
|
||||||
$H(M^\star, C_{\mathsf{CS}}^\star,\tilde{\sigma}_2^\star,\tilde{\sigma}_3^\star, R_1^\star, R_2^\star, R_3^\star, R_4^\star)$ which would have been unpredictable otherwise. \medskip
|
\[ H(M^\star, C_{\mathsf{CS}}^\star,\tilde{\sigma}_2^\star,\tilde{\sigma}_3^\star, R_1^\star, R_2^\star, R_3^\star, R_4^\star)\]
|
||||||
\\
|
which would have been unpredictable otherwise.
|
||||||
|
|
||||||
Thus, $\bdv$ replays the adversary $\adv$ with the \emph{same} input and random tape as in the first run. In the second run, the random oracle is also the same until the hash query
|
Thus, $\bdv$ replays the adversary $\adv$ with the \emph{same} input and random tape as in the first run. In the second run, the random oracle is also the same until the hash query
|
||||||
$H(M^\star, C_{\mathsf{CS}}^\star,\tilde{\sigma}_2^\star,\tilde{\sigma}_3^\star, R_1^\star, R_2^\star, R_3^\star, R_4^\star)$. At this point,
|
\[ H(M^\star, C_{\mathsf{CS}}^\star,\tilde{\sigma}_2^\star,\tilde{\sigma}_3^\star, R_1^\star, R_2^\star, R_3^\star, R_4^\star).\]
|
||||||
the forking occurs and $\bdv$ outputs fresh random oracle values. By the Forking Lemma of~\cite{BN06}, $\bdv$ obtains
|
At this point, the forking occurs and $\bdv$ outputs fresh random oracle values. By the Forking Lemma of~\cite{BN06}, $\bdv$ obtains
|
||||||
two suitably related forgeries with non-negligible probability $\varepsilon \cdot (\varepsilon / q_H -1/p) $. Namely, $\bdv$ will obtain two matching transcripts
|
two suitably related forgeries with non-negligible probability $\varepsilon \cdot (\varepsilon / q_H -1/p) $. Namely, $\bdv$ will obtain two matching transcripts
|
||||||
$(C_{\mathsf{CS}}^\star, \tilde \sigma_2^\star, \tilde \sigma_3^\star, c^\star, s_\ID^\star, s_\theta^\star)$,
|
$(C_{\mathsf{CS}}^\star, \tilde \sigma_2^\star, \tilde \sigma_3^\star, c^\star, s_\ID^\star, s_\theta^\star)$,
|
||||||
$(C_{\mathsf{CS}}^\star, \tilde \sigma_2^\star, \tilde \sigma_3^\star, c^\dag, s_\ID^\dag, s_\theta^\dag )$
|
$(C_{\mathsf{CS}}^\star, \tilde \sigma_2^\star, \tilde \sigma_3^\star, c^\dag, s_\ID^\dag, s_\theta^\dag )$
|
||||||
of the $\Sigma$-protocol for the commitment message
|
of the $\Sigma$-protocol for the commitment message
|
||||||
$\mathsf{com}=(C_{\mathsf{CS}}^\star,\tilde{\sigma}_2^\star,\tilde{\sigma}_3^\star, R_1^\star, R_2^\star, R_3^\star, R_4^\star)$.
|
\[ \mathsf{com}=(C_{\mathsf{CS}}^\star,\tilde{\sigma}_2^\star,\tilde{\sigma}_3^\star, R_1^\star, R_2^\star, R_3^\star, R_4^\star).\]
|
||||||
From the responses
|
From the responses
|
||||||
$s_\ID^\star$ and
|
$s_\ID^\star$ and
|
||||||
$s_\ID^\dag$ (that necessarily involve the same identifier $\ID^\star$ which is uniquely determined by $C_{\mathsf{CS}}^\star = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star)$), $\bdv$ runs the knowledge extractor of to obtain
|
$s_\ID^\dag$ (that necessarily involve the same identifier $\ID^\star$ which is uniquely determined by $C_{\mathsf{CS}}^\star = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star)$), $\bdv$ runs the knowledge extractor of to obtain
|
||||||
@ -1222,7 +1224,7 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re
|
|||||||
%\end{align*}
|
%\end{align*}
|
||||||
\medskip
|
\medskip
|
||||||
\\
|
\\
|
||||||
Finally $\bdv$ uses $\mathcal S_\OA$ to extract $\tilde \sigma_1^\star, \tilde r^\star, \tilde z^\star$ and outputs
|
Finally $\bdv$ uses $\mathcal{S}_\OA$ to extract $\tilde \sigma_1^\star, \tilde r^\star, \tilde z^\star$ and outputs
|
||||||
$\bigl(\ID^\star, \sigma^\star = (\tilde \sigma_1^\star,\tilde \sigma^\star_2,\tilde \sigma_3^\star, \tilde r^\star, \tilde z^\star)\bigr)$ as a forgery
|
$\bigl(\ID^\star, \sigma^\star = (\tilde \sigma_1^\star,\tilde \sigma^\star_2,\tilde \sigma_3^\star, \tilde r^\star, \tilde z^\star)\bigr)$ as a forgery
|
||||||
for the signature scheme of Section~\ref{scal-sig}.
|
for the signature scheme of Section~\ref{scal-sig}.
|
||||||
%\vspace{-1mm}
|
%\vspace{-1mm}
|
||||||
@ -1235,10 +1237,10 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re
|
|||||||
\end{theorem}
|
\end{theorem}
|
||||||
\begin{proof} Let us assume that a PPT adversary $\adv$ can create, with advantage $\varepsilon$, a forgery $(M^\star,\sigma^\star)$ that opens to some honest user $i\in U^b$ who did not sign $M^\star$. We give a reduction $\bdv$ that uses $\adv$ to break SDL. \\
|
\begin{proof} Let us assume that a PPT adversary $\adv$ can create, with advantage $\varepsilon$, a forgery $(M^\star,\sigma^\star)$ that opens to some honest user $i\in U^b$ who did not sign $M^\star$. We give a reduction $\bdv$ that uses $\adv$ to break SDL. \\
|
||||||
\indent Algorithm $\bdv$ takes as input an SDL instance $(g,\hat{g},g^a,\hat{g}^a)$ and uses its interaction with the adversary $\adv$ to compute $a \in \Zp$.
|
\indent Algorithm $\bdv$ takes as input an SDL instance $(g,\hat{g},g^a,\hat{g}^a)$ and uses its interaction with the adversary $\adv$ to compute $a \in \Zp$.
|
||||||
To generate the group public key $\mathcal{Y}$, $\bdv$ runs all the steps of the real setup algorithm $\textsf{Keygen}$ except step 1.
|
To generate the group public key $\gspk$, $\bdv$ runs all the steps of the real setup algorithm $\textsf{Keygen}$ except step 1.
|
||||||
At step 1, $\bdv$ defines the generators $g,\hat{g}$ in $\pk_s$ to be those of its input and computes $h=g^{\alpha_h}$, $v=g^{\alpha_v}$, $w=g^{\alpha_w}$, $\hat{g}_z=\hat{g}^{\alpha_z}$ for randomly chosen scalars $\alpha_h,\alpha_v,\alpha_w,\alpha_z \sample \Zp$.
|
At step 1, $\bdv$ defines the generators $g,\hat{g}$ in $\pk_s$ to be those of its input and computes $h=g^{\alpha_h}$, $v=g^{\alpha_v}$, $w=g^{\alpha_w}$, $\hat{g}_z=\hat{g}^{\alpha_z}$ for randomly chosen scalars $\alpha_h,\alpha_v,\alpha_w,\alpha_z \sample \Zp$.
|
||||||
In order to compute $\{z_j\}_{j=1}^3$ of $\mathsf{crs}$ contained in $\pk_s$, $\bdv$ chooses $\mathsf{tk}=\{\chi_j\}_{j=1}^6$ of step 4 of the key generation algorithm of the signature scheme of Section \ref{scal-sig} with $\ell=1$. (Note that when $\ell=1$, $n=6$ and that $\{z_j\}_{j=1}^3$ are QA-NIZK argument for the vectors $(g,1,1,1,1,h)$, $(v,g,1,h,1,1)$ and $(w,1,g,1,h,1)$. Moreover $\{\hat{g}_i=\hat{g}_z^{\chi_i}\}_{i=1}^6$ are the verifying key.)
|
In order to compute $\{z_j\}_{j=1}^3$ of $\mathsf{crs}$ contained in $\pk_s$, $\bdv$ chooses $\mathsf{tk}=\{\chi_j\}_{j=1}^6$ of step 4 of the key generation algorithm of the signature scheme of Section \ref{scal-sig} with $\ell=1$. (Note that when $\ell=1$, $n=6$ and that $\{z_j\}_{j=1}^3$ are \QANIZK argument for the vectors $(g,1,1,1,1,h)$, $(v,g,1,h,1,1)$ and $(w,1,g,1,h,1)$. Moreover $\{\hat{g}_i=\hat{g}_z^{\chi_i}\}_{i=1}^6$ are the verifying key.)
|
||||||
As a result of this setup phase, $\bdv$ knows $\mathcal{S}_{\GM}=\sk_s=\omega$, $\mathcal{S}_{\OA}=\bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$ and even $\mathsf{tk}$. The adversary $\adv$ is run on input of the group public key $\mathcal{Y}:=(\pk_s,(X_z,X_\sigma,X_{\ID}),H)$, which has the same distribution as in the real attack game. \medskip
|
As a result of this setup phase, $\bdv$ knows $\mathcal{S}_{\GM}=\sk_s=\omega$, $\mathcal{S}_{\OA}=\bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$ and even $\mathsf{tk}$. The adversary $\adv$ is run on input of the group public key $\gspk:=(\pk_s,(X_z,X_\sigma,X_{\ID}),H)$, which has the same distribution as in the real attack game. \medskip
|
||||||
\\
|
\\
|
||||||
Should $\adv$ decide to corrupt the group manager or the opening authority during the game, $\bdv$ is able to reveal $\mathcal{S}_{\GM}=\sk_s$ and $\mathcal{S}_{\OA}$ when requested.
|
Should $\adv$ decide to corrupt the group manager or the opening authority during the game, $\bdv$ is able to reveal $\mathcal{S}_{\GM}=\sk_s$ and $\mathcal{S}_{\OA}$ when requested.
|
||||||
%At the outset of the game, $\bdv$ picks a random $j^\star \sample \{1,\ldots,q_b\}$ and interacts with $\adv$ as follows.
|
%At the outset of the game, $\bdv$ picks a random $j^\star \sample \{1,\ldots,q_b\}$ and interacts with $\adv$ as follows.
|
||||||
@ -1257,9 +1259,9 @@ $ \vec{v}_i= (V_i,G_i,1,H_i,1,1)=(v,g,1,h,1,1)^{\ID_i}$ as
|
|||||||
\[
|
\[
|
||||||
V_i =(g^a)^{\alpha_v\cdot\delta_i}, \quad G_i = (g^a)^{\delta_i}, \quad H_i =(g^a)^{\alpha_h\cdot\delta_i},
|
V_i =(g^a)^{\alpha_v\cdot\delta_i}, \quad G_i = (g^a)^{\delta_i}, \quad H_i =(g^a)^{\alpha_h\cdot\delta_i},
|
||||||
\]
|
\]
|
||||||
and then computes $Z_i$ as a simulated QA-NIZK proof for $\vec{v}_i \in \GG^6$ using $\mathsf{tk}$.
|
and then computes $Z_i$ as a simulated \QANIZK proof for $\vec{v}_i \in \GG^6$ using $\mathsf{tk}$.
|
||||||
A straightforward calculation
|
A straightforward calculation
|
||||||
shows that $Z_i=z_2^{\ID_i}$ since the QA-NIZK argument of Section \ref{QA-NIZK-scheme} has a deterministic proving algorithm, so that
|
shows that $Z_i=z_2^{\ID_i}$ since the \QANIZK argument of Section \ref{sse:sigmasig-qa-nizk} has a deterministic proving algorithm, so that
|
||||||
$(V_i,Z_i,\hat{G}_{2,i},\hat{G}_{4,i})$ successfully passes the test of step 2.
|
$(V_i,Z_i,\hat{G}_{2,i},\hat{G}_{4,i})$ successfully passes the test of step 2.
|
||||||
As for the last two components, for each $j\in \{2,4\}$, $\bdv$ computes
|
As for the last two components, for each $j\in \{2,4\}$, $\bdv$ computes
|
||||||
\begin{eqnarray*}
|
\begin{eqnarray*}
|
||||||
@ -1271,7 +1273,7 @@ At step 3 of $\mathsf{Join}$, $\bdv$ simulates the interactive proof of knowledg
|
|||||||
In the rest of the protocol, $\bdv$ proceeds like the actual run and obtains $ \crt_{i}=(i, V_i, \sigma_1, \sigma_2, \sigma_3, \pi)$.
|
In the rest of the protocol, $\bdv$ proceeds like the actual run and obtains $ \crt_{i}=(i, V_i, \sigma_1, \sigma_2, \sigma_3, \pi)$.
|
||||||
Finally, $\bdv$ stores $(\crt_{i},Z_i,\delta_i,\hat{G}_{2,i},\hat{G}_{4,i})$.
|
Finally, $\bdv$ stores $(\crt_{i},Z_i,\delta_i,\hat{G}_{2,i},\hat{G}_{4,i})$.
|
||||||
% \item[-] $Q_{\mathsf{pub}}$-queries: These can be answered as in the real game, by having the simulator return
|
% \item[-] $Q_{\mathsf{pub}}$-queries: These can be answered as in the real game, by having the simulator return
|
||||||
%$\mathcal{Y}$.
|
%$\gspk$.
|
||||||
\item[-] $Q_{\mathsf{sig}}$-queries: When $\adv$ requests user $i \in U^b$ to sign a message $M$, $\bdv$ is able to use
|
\item[-] $Q_{\mathsf{sig}}$-queries: When $\adv$ requests user $i \in U^b$ to sign a message $M$, $\bdv$ is able to use
|
||||||
the membership certificate $ \crt_{i}=(i, V_i, \sigma_1, \sigma_2, \sigma_3, \pi)$ to compute the ciphertext $C_{\mathsf{CS}}$ at steps 1-2 of the signing algorithm.
|
the membership certificate $ \crt_{i}=(i, V_i, \sigma_1, \sigma_2, \sigma_3, \pi)$ to compute the ciphertext $C_{\mathsf{CS}}$ at steps 1-2 of the signing algorithm.
|
||||||
While $\bdv$ does not know the witness $\ID_i=a\cdot\delta_i\in\Zp$ to generate a proof at step 3, $\bdv$ is able to simulate the
|
While $\bdv$ does not know the witness $\ID_i=a\cdot\delta_i\in\Zp$ to generate a proof at step 3, $\bdv$ is able to simulate the
|
||||||
@ -1282,7 +1284,7 @@ More precisely, $\bdv$ re-randomizes the certificate $\crt_i$ by picking $r
|
|||||||
\tilde \pi & = \pi \cdot (Z_i \cdot z_3)^r, & \tilde \sigma_3 & = \sigma_3 \cdot h^r.
|
\tilde \pi & = \pi \cdot (Z_i \cdot z_3)^r, & \tilde \sigma_3 & = \sigma_3 \cdot h^r.
|
||||||
\end{align*}
|
\end{align*}
|
||||||
Then $\bdv$ encrypts $\tilde \pi$, $\tilde \sigma_1$ and $V_i$ as in the real
|
Then $\bdv$ encrypts $\tilde \pi$, $\tilde \sigma_1$ and $V_i$ as in the real
|
||||||
signing algorithm to get ${C}_{\mathsf{CS}}=(C_1, C_2, C_z, C_\sigma, C_\ID)$. Then, $\bdv$
|
signing algorithm to get the encryption ${C}_{\mathsf{CS}}=(C_1, C_2, C_z, C_\sigma, C_\ID)$. Then, $\bdv$
|
||||||
chooses $c, s_\ID, s_\theta\in\Zp$ and computes $R_1,R_2,R_3,R_4$ as in
|
chooses $c, s_\ID, s_\theta\in\Zp$ and computes $R_1,R_2,R_3,R_4$ as in
|
||||||
(\ref{gsig-verif-1}) and (\ref{gsig-verif-2}) of $\mathsf{Verify}$. Finally, $\bdv$
|
(\ref{gsig-verif-1}) and (\ref{gsig-verif-2}) of $\mathsf{Verify}$. Finally, $\bdv$
|
||||||
programs $H$ to return $c$ on inputs $(M, C_{\mathsf{CS}},\tilde \sigma_2, \tilde \sigma_3, R_1, R_2, R_3, R_4)$. In the event that $H$ is already defined at that point,
|
programs $H$ to return $c$ on inputs $(M, C_{\mathsf{CS}},\tilde \sigma_2, \tilde \sigma_3, R_1, R_2, R_3, R_4)$. In the event that $H$ is already defined at that point,
|
||||||
@ -1297,9 +1299,11 @@ $q_s$ is the number of signing queries.
|
|||||||
\end{align*}
|
\end{align*}
|
||||||
for some message $M^\star$, that opens to ${i^\star} \in U^b$ although user $i^\star$ did not sign $M^\star$. With high probability, $\adv$ must have queried the hash value
|
for some message $M^\star$, that opens to ${i^\star} \in U^b$ although user $i^\star$ did not sign $M^\star$. With high probability, $\adv$ must have queried the hash value
|
||||||
$H(M^\star, C_{\mathsf{CS}}^\star, \tilde \sigma_2^\star,\tilde \sigma_3^\star,R_1^\star, R_2^\star, R_3^\star, R_4^\star)$, which would be unpredictable otherwise.
|
$H(M^\star, C_{\mathsf{CS}}^\star, \tilde \sigma_2^\star,\tilde \sigma_3^\star,R_1^\star, R_2^\star, R_3^\star, R_4^\star)$, which would be unpredictable otherwise.
|
||||||
Hence, $\bdv$ can run $\adv$ a second time with the same input and random tape. At the moment when $\adv$ queries $H(M^\star, C_{\mathsf{CS}}^\star, \tilde \sigma_2^\star,\tilde \sigma_3^\star,R_1^\star, R_2^\star, R_3^\star, R_4^\star)$ in the second run, $\bdv$ starts responding with different random oracle values which depart from those of the initial run.
|
Hence, $\bdv$ can run $\adv$ a second time with the same input and random tape.
|
||||||
|
|
||||||
|
At the moment when $\adv$ queries $H(M^\star, C_{\mathsf{CS}}^\star, \tilde \sigma_2^\star,\tilde \sigma_3^\star,R_1^\star, R_2^\star, R_3^\star, R_4^\star)$ in the second run, $\bdv$ starts responding with different random oracle values which depart from those of the initial run.
|
||||||
The Forking Lemma of \cite{BN06} ensures that, with non-negligible probability the second run will result in a forgery
|
The Forking Lemma of \cite{BN06} ensures that, with non-negligible probability the second run will result in a forgery
|
||||||
$\Sigma^\dag = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star, \tilde \sigma_2^\dag, \tilde \sigma_3^\dag, c^\dag, s_\ID^\dag, s_\theta^\dag)$ on
|
\[\Sigma^\dag = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star, \tilde \sigma_2^\dag, \tilde \sigma_3^\dag, c^\dag, s_\ID^\dag, s_\theta^\dag)\] on
|
||||||
the same message $M^\star$,
|
the same message $M^\star$,
|
||||||
with distinct challenges
|
with distinct challenges
|
||||||
$c^\dag\neq c^\star$. From the two responses $(s_\ID^\star, s_\theta^\star)$, $(s_\ID^\dagger, s_\theta^\dagger)$, $\bdv$ can extract witnesses
|
$c^\dag\neq c^\star$. From the two responses $(s_\ID^\star, s_\theta^\star)$, $(s_\ID^\dagger, s_\theta^\dagger)$, $\bdv$ can extract witnesses
|
||||||
@ -1318,6 +1322,7 @@ We stress that the proofs can be easily adapted to the case where the opening a
|
|||||||
\subsection{Comparison with Existing Schemes}
|
\subsection{Comparison with Existing Schemes}
|
||||||
|
|
||||||
\begin{table*}
|
\begin{table*}
|
||||||
|
\small
|
||||||
\centering
|
\centering
|
||||||
\begin{tabular}{|c|c|c|c|c|c|c|}
|
\begin{tabular}{|c|c|c|c|c|c|c|}
|
||||||
\hline
|
\hline
|
||||||
|
@ -16,6 +16,7 @@
|
|||||||
\newcommand{\ZK}{\textsf{ZK}\xspace}
|
\newcommand{\ZK}{\textsf{ZK}\xspace}
|
||||||
\newcommand{\ZKAoK}{\textsf{ZKAoK}\xspace}
|
\newcommand{\ZKAoK}{\textsf{ZKAoK}\xspace}
|
||||||
\newcommand{\NIZK}{\textsf{NIZK}\xspace}
|
\newcommand{\NIZK}{\textsf{NIZK}\xspace}
|
||||||
|
\newcommand{\QANIZK}{\textsf{QA-NIZK}\xspace}
|
||||||
\newcommand{\PKE}{\textsf{PKE}\xspace}
|
\newcommand{\PKE}{\textsf{PKE}\xspace}
|
||||||
\newcommand{\OT}{\textsf{OT}\xspace}
|
\newcommand{\OT}{\textsf{OT}\xspace}
|
||||||
%% Common
|
%% Common
|
||||||
|
10
main.tex
10
main.tex
@ -2,6 +2,9 @@
|
|||||||
\documentclass[a4paper, 11pt]{memoir}
|
\documentclass[a4paper, 11pt]{memoir}
|
||||||
\semiisopage
|
\semiisopage
|
||||||
|
|
||||||
|
%% Highlight overfull hbox
|
||||||
|
\overfullrule=1mm
|
||||||
|
|
||||||
\usepackage[utf8x]{inputenc}
|
\usepackage[utf8x]{inputenc}
|
||||||
\usepackage[french,english]{babel}
|
\usepackage[french,english]{babel}
|
||||||
%\usepackage[UKenglish]{babel}
|
%\usepackage[UKenglish]{babel}
|
||||||
@ -123,12 +126,13 @@
|
|||||||
\cleardoublepage
|
\cleardoublepage
|
||||||
{\let\newpage\relax
|
{\let\newpage\relax
|
||||||
\part{Group Signatures and Anonymous Credentials}
|
\part{Group Signatures and Anonymous Credentials}
|
||||||
\label{pa:gs-ac}
|
|
||||||
\addcontentsline{tof}{part}{\protect\numberline{\thepart} Signatures de groupe et accréditations anonymes}
|
\addcontentsline{tof}{part}{\protect\numberline{\thepart} Signatures de groupe et accréditations anonymes}
|
||||||
|
\label{pa:gs-ac}
|
||||||
}
|
}
|
||||||
|
|
||||||
\chapter{Dynamic Group Signatures} \label{ch:gs-background}
|
\chapter{Dynamic Group Signatures}
|
||||||
\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Signatures de groupe dynamique}
|
\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Signatures de groupe dynamique}
|
||||||
|
\label{ch:gs-background}
|
||||||
|
|
||||||
\input chap-GS-background
|
\input chap-GS-background
|
||||||
|
|
||||||
@ -153,11 +157,13 @@
|
|||||||
|
|
||||||
\chapter{Lattice-Based Group Encryption}
|
\chapter{Lattice-Based Group Encryption}
|
||||||
\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Chiffrement de groupe à base de réseaux euclidiens}
|
\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Chiffrement de groupe à base de réseaux euclidiens}
|
||||||
|
\label{ch:ge-lwe}
|
||||||
|
|
||||||
\input chap-GE-LWE
|
\input chap-GE-LWE
|
||||||
|
|
||||||
\chapter{Lattice-Based Oblivious Transfer with Access Control} \label{ch:ac-ot}
|
\chapter{Lattice-Based Oblivious Transfer with Access Control} \label{ch:ac-ot}
|
||||||
\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Transfert inconscient adaptatif avec contrôle d'accès à base de réseaux euclidiens}
|
\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Transfert inconscient adaptatif avec contrôle d'accès à base de réseaux euclidiens}
|
||||||
|
\label{ch:ot-lwe}
|
||||||
|
|
||||||
\input chap-OT-LWE
|
\input chap-OT-LWE
|
||||||
|
|
||||||
|
@ -3,7 +3,7 @@
|
|||||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
|
|
||||||
Pairing-based cryptography was introduced by Antoine Joux~\cite{Jou00} to generalize Diffie-Hellman key exchange to three users in one round.
|
Pairing-based cryptography was introduced by Antoine Joux~\cite{Jou00} to generalize Diffie-Hellman key exchange to three users in one round.
|
||||||
Since then, many constructions have been proposed for cryptographic constructions, such as identity-based encryption~\cite{BF01,Wat05} or group signature~\cite{ACJT00,BBS04}.
|
Since then, many constructions have been proposed for cryptographic constructions, such as identity-based encryption~\cite{BF01,Wat05} or group signature~\cite{BBS04}.
|
||||||
Multiple constructions and parameter sets coexist for pairings.
|
Multiple constructions and parameter sets coexist for pairings.
|
||||||
Real-world implementation are based on elliptic curves~\cite{BN06, KSS08}, but recent advances in cryptanalysis makes it hard to evaluate the security level of pairing-based cryptography~\cite{KB16,MSS17,BD18}.
|
Real-world implementation are based on elliptic curves~\cite{BN06, KSS08}, but recent advances in cryptanalysis makes it hard to evaluate the security level of pairing-based cryptography~\cite{KB16,MSS17,BD18}.
|
||||||
|
|
||||||
@ -50,5 +50,4 @@ In the aforementioned chapter, we also rely on the following assumption, which g
|
|||||||
where $a \sample \ZZ_p^{}$, computing $a \in \ZZ_p^{}$.
|
where $a \sample \ZZ_p^{}$, computing $a \in \ZZ_p^{}$.
|
||||||
\end{restatable}
|
\end{restatable}
|
||||||
|
|
||||||
This assumption is still a static and non-interactive assumption.
|
This assumption is also static and non-interactive.
|
||||||
|
|
||||||
|
@ -56,7 +56,7 @@ The details of this proof is given in \cref{sse:stern-abstraction}, but it can b
|
|||||||
|
|
||||||
Ling, Nguyen, Stehlé and Wang~\cite{LNSW13} noticed that the \textsf{ZKAoK} of \cref{le:zk-ktx} straightforwardly works to prove knowledge of a vector in $\nbit^m$.
|
Ling, Nguyen, Stehlé and Wang~\cite{LNSW13} noticed that the \textsf{ZKAoK} of \cref{le:zk-ktx} straightforwardly works to prove knowledge of a vector in $\nbit^m$.
|
||||||
|
|
||||||
A technique to relax the constraints on the \textsf{ZKAoK} of \cref{le:zk-ktx} is the so-called ``Decomposition-Extension'' technique~\cite{LNSW13}\cite{LSS14,ELL+15,LLNW16} as explained in the introduction of this Section (\ref{sse:stern}).
|
%A method to relax the constraints on the \textsf{ZKAoK} of \cref{le:zk-ktx} is the so-called ``Decomposition-Extension'' technique~\cite{LNSW13,LSS14,ELL+15,LLNW16} as explained in the introduction of this Section (\cref{sse:stern}).
|
||||||
|
|
||||||
\index{Lattices!Inhomogeneous \SIS}
|
\index{Lattices!Inhomogeneous \SIS}
|
||||||
To prove the knowledge of an \ISIS preimage, i.e.
|
To prove the knowledge of an \ISIS preimage, i.e.
|
||||||
|
@ -26,6 +26,7 @@
|
|||||||
$\ZK$ & Zero-Knowledge \\
|
$\ZK$ & Zero-Knowledge \\
|
||||||
$\ZKAoK$ & Zero-Knowledge Argument of Knowledge \\
|
$\ZKAoK$ & Zero-Knowledge Argument of Knowledge \\
|
||||||
$\NIZK$ & Non-Interactive Zero-Knowledge \\
|
$\NIZK$ & Non-Interactive Zero-Knowledge \\
|
||||||
|
$\QANIZK$ & Quasi-Adaptive Non-Interactive Zero-Knowledge \\
|
||||||
$\OT$ & Oblivious Transfer \\
|
$\OT$ & Oblivious Transfer \\
|
||||||
[1ex] \multicolumn{2}{l}{\scbf{Security Notions}} \\
|
[1ex] \multicolumn{2}{l}{\scbf{Security Notions}} \\
|
||||||
EU-CMA & Existentially Unforgeable under chosen-message attacks \\
|
EU-CMA & Existentially Unforgeable under chosen-message attacks \\
|
||||||
|
26
these.bib
26
these.bib
@ -1,3 +1,4 @@
|
|||||||
|
% Encoding: UTF-8
|
||||||
@InCollection{BCKL08,
|
@InCollection{BCKL08,
|
||||||
author = {Belenkiy, Mira and Chase, Melissa and Kohlweiss, Markulf and Lysyanskaya, Anna},
|
author = {Belenkiy, Mira and Chase, Melissa and Kohlweiss, Markulf and Lysyanskaya, Anna},
|
||||||
title = {{P}-signatures and Noninteractive Anonymous Credentials},
|
title = {{P}-signatures and Noninteractive Anonymous Credentials},
|
||||||
@ -1621,7 +1622,7 @@
|
|||||||
}
|
}
|
||||||
|
|
||||||
@InProceedings{CVH91,
|
@InProceedings{CVH91,
|
||||||
author = {Chaum, David and Van Heyst, Eug{\`e}ne},
|
author = {Chaum, David and van Heyst, Eug{\`e}ne},
|
||||||
title = {Group signatures},
|
title = {Group signatures},
|
||||||
booktitle = {{Eurocrypt}},
|
booktitle = {{Eurocrypt}},
|
||||||
year = {1991},
|
year = {1991},
|
||||||
@ -2229,7 +2230,7 @@
|
|||||||
|
|
||||||
@Article{KL11,
|
@Article{KL11,
|
||||||
author = {Kidron, Dafna and Lindell, Yehuda},
|
author = {Kidron, Dafna and Lindell, Yehuda},
|
||||||
title = {Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs},
|
title = {Impossibility Results for Universal Composability in<EFBFBD>Public-Key Models and with Fixed Inputs},
|
||||||
journal = {Journal of Cryptology},
|
journal = {Journal of Cryptology},
|
||||||
year = {2011},
|
year = {2011},
|
||||||
volume = {24},
|
volume = {24},
|
||||||
@ -2509,14 +2510,14 @@
|
|||||||
}
|
}
|
||||||
|
|
||||||
@InProceedings{dPLNS17,
|
@InProceedings{dPLNS17,
|
||||||
author = {del Pino, Rafaël and Lyubashevsky, Vadim and Neven, Gregory and Seiler, Gregory},
|
author = {del Pino, Rafa<EFBFBD>l and Lyubashevsky, Vadim and Neven, Gregory and Seiler, Gregory},
|
||||||
title = {{Practical Quantum-Safe Voting from Lattices}},
|
title = {{Practical Quantum-Safe Voting from Lattices}},
|
||||||
booktitle = {CCS},
|
booktitle = {CCS},
|
||||||
year = {2017},
|
year = {2017},
|
||||||
}
|
}
|
||||||
|
|
||||||
@InProceedings{LLNW17,
|
@InProceedings{LLNW17,
|
||||||
author = {Libert, Benoît and Ling, San and Nguyen, Khoa and Wang, Huaxiong},
|
author = {Libert, Beno<EFBFBD>t and Ling, San and Nguyen, Khoa and Wang, Huaxiong},
|
||||||
title = {{Zero-Knowledge Arguments for Lattice-Based PRFs and Applications to E-Cash}},
|
title = {{Zero-Knowledge Arguments for Lattice-Based PRFs and Applications to E-Cash}},
|
||||||
booktitle = {Asiacrypt},
|
booktitle = {Asiacrypt},
|
||||||
year = {2017},
|
year = {2017},
|
||||||
@ -2526,7 +2527,7 @@
|
|||||||
}
|
}
|
||||||
|
|
||||||
@InProceedings{Ajt96,
|
@InProceedings{Ajt96,
|
||||||
author = {Ajtai, Miklós},
|
author = {Ajtai, Mikl<EFBFBD>s},
|
||||||
title = {{Generating Hard Instances of Lattice Problems}},
|
title = {{Generating Hard Instances of Lattice Problems}},
|
||||||
booktitle = {STOC},
|
booktitle = {STOC},
|
||||||
year = {1996},
|
year = {1996},
|
||||||
@ -2562,7 +2563,7 @@
|
|||||||
}
|
}
|
||||||
|
|
||||||
@InProceedings{LMN16,
|
@InProceedings{LMN16,
|
||||||
author = {Libert, Benoît and Mouhartem, Fabrice and Nguyen, Khoa},
|
author = {Libert, Beno<EFBFBD>t and Mouhartem, Fabrice and Nguyen, Khoa},
|
||||||
title = {{A Lattice-Based Group Signature Scheme with Message-Dependent Opening}},
|
title = {{A Lattice-Based Group Signature Scheme with Message-Dependent Opening}},
|
||||||
booktitle = {ACNS},
|
booktitle = {ACNS},
|
||||||
year = {2016},
|
year = {2016},
|
||||||
@ -2591,7 +2592,7 @@
|
|||||||
}
|
}
|
||||||
|
|
||||||
@InProceedings{LPJY14,
|
@InProceedings{LPJY14,
|
||||||
author = {Libert, Benoît and Peters, Thomas and Joye, Marc and Yung, Moti},
|
author = {Libert, Beno<EFBFBD>t and Peters, Thomas and Joye, Marc and Yung, Moti},
|
||||||
title = {{Non-malleability from Malleability: Simulation-Sound Quasi-Adaptive NIZK Proofs and CCA2-Secure Encryption from Homomorphic Signatures}},
|
title = {{Non-malleability from Malleability: Simulation-Sound Quasi-Adaptive NIZK Proofs and CCA2-Secure Encryption from Homomorphic Signatures}},
|
||||||
booktitle = {Eurocrypt},
|
booktitle = {Eurocrypt},
|
||||||
year = {2014},
|
year = {2014},
|
||||||
@ -2617,7 +2618,7 @@
|
|||||||
}
|
}
|
||||||
|
|
||||||
@InProceedings{LPJY13,
|
@InProceedings{LPJY13,
|
||||||
author = {Libert, Benoît and Peters, Thomas and Joye, Marc and Yung, Moti},
|
author = {Libert, Beno<EFBFBD>t and Peters, Thomas and Joye, Marc and Yung, Moti},
|
||||||
title = {{Linearly Homomorphic Structure-Preserving Signatures and Their Applications}},
|
title = {{Linearly Homomorphic Structure-Preserving Signatures and Their Applications}},
|
||||||
booktitle = {Crypto},
|
booktitle = {Crypto},
|
||||||
year = {2013},
|
year = {2013},
|
||||||
@ -2716,4 +2717,13 @@
|
|||||||
publisher = {Springer},
|
publisher = {Springer},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@InProceedings{LNWX17,
|
||||||
|
author = {Ling, San and Nguyen, Khoa and Wang, Huaxiong and Xu, Yahong},
|
||||||
|
title = {{Lattice-Based Group Signatures: Achieving Full Dynamicity (and Deniability) with Ease}},
|
||||||
|
booktitle = {ACNS},
|
||||||
|
year = {2017},
|
||||||
|
series = {LNCS},
|
||||||
|
publisher = {Springer},
|
||||||
|
}
|
||||||
|
|
||||||
@Comment{jabref-meta: databaseType:bibtex;}
|
@Comment{jabref-meta: databaseType:bibtex;}
|
||||||
|
Loading…
Reference in New Issue
Block a user