From 9dd62d0c1d676822f7a16d1634eb2c04faae88ee Mon Sep 17 00:00:00 2001 From: Fabrice Mouhartem Date: Fri, 13 Apr 2018 15:50:34 +0200 Subject: [PATCH] Remove trailing spaces --- chap-sigmasig.tex | 772 +++++++++++++++++++++++----------------------- 1 file changed, 386 insertions(+), 386 deletions(-) diff --git a/chap-sigmasig.tex b/chap-sigmasig.tex index ad0d45d..8065c33 100644 --- a/chap-sigmasig.tex +++ b/chap-sigmasig.tex @@ -1,6 +1,6 @@ %-------------------------------------------------- In this chapter, we aim at lifting the \textit{signature with efficient protocols} from~\cite{LPY15} into the random oracle model in order to get an efficient construction. -Signatures with efficient protocols in the Camenish and Lysyanskaya fashion~\cite{CL04} are digital signatures that comes with companion zero-knowledge proofs that allows a signature holder to prove +Signatures with efficient protocols in the Camenish and Lysyanskaya fashion~\cite{CL04} are digital signatures that comes with companion zero-knowledge proofs that allows a signature holder to prove %-------------------------------------------------- \section{Building blocks} @@ -19,81 +19,81 @@ groups of prime order $p$ and we rely on the assumed security of the \SDL and \ \addcontentsline{tof}{section}{\protect\numberline{\thesection} Argument NIZK quasi-adaptatif pour un sous-espace linéaire} Quasi-Adaptive NIZK (QA-NIZK) proofs \cite{JR13} are NIZK proofs where the common reference string (CRS) -may depend on the language for which proofs have to be generated. -Formal definitions are given in \cite{JR13,LPJY14,KW15}. %Appendix~\ref{QA-NIZK}. +may depend on the language for which proofs have to be generated. +Formal definitions are given in \cite{JR13,LPJY14,KW15}. %Appendix~\ref{QA-NIZK}. -This section recalls the QA-NIZK argument of \cite{KW15} for proving membership in the row space of a matrix. -In the description below, we assume that all -algorithms take as input the description of common public parameters $\mathsf{cp}$ consisting of asymmetric +This section recalls the QA-NIZK argument of \cite{KW15} for proving membership in the row space of a matrix. +In the description below, we assume that all +algorithms take as input the description of common public parameters $\mathsf{cp}$ consisting of asymmetric bilinear groups $(\GG,\Gh,\GT,p)$ of prime order $p>2^\lambda$, where $\lambda$ is the security parameter. -In this setting the problem is to convince that $\boldsymbol{v}$ is a linear combination of the rows of a given +In this setting the problem is to convince that $\boldsymbol{v}$ is a linear combination of the rows of a given $\mathbf{M}\in\GG^{t\times n}$. Kiltz and Wee \cite{KW15} suggested the following construction which simplifies \cite{LPJY14} and remains secure under \SXDH. We stress that $\mathsf{cp}$ is independent of the matrix $\mathbf{M} = (\vec{M}_1\cdots\vec{M}_t)^T$. \begin{description} -\item[\boldmath$\mathsf{Keygen}(\mathsf{cp},\mathbf{M})$:] +\item[\boldmath$\mathsf{Keygen}(\mathsf{cp},\mathbf{M})$:] Given public parameters $\mathsf{cp}=(\GG,\Gh,\GT,p)$ and the matrix $\mathbf{M}=(M_{i,j})\in\GG^{t\times n}$. - Then, choose $\hat{g_z} \sample \Gh$. Pick $\mathsf{tk}=(\chi_1,\ldots,\chi_n) \sample \Zp^n$ - and compute $\hat{g}_j=\hat{g_z}^{\chi_j}$, for all $j=1$ to $n$. + Then, choose $\hat{g_z} \sample \Gh$. Pick $\mathsf{tk}=(\chi_1,\ldots,\chi_n) \sample \Zp^n$ + and compute $\hat{g}_j=\hat{g_z}^{\chi_j}$, for all $j=1$ to $n$. Then, for $i=1$ to $t$, compute $z_i=\prod_{j=1}^n M_{i,j}^{-\chi_j}$ and - output $\mathsf{crs}=\big(\{ z_i \}_{i=1}^t,~ \hat{g}_z,~\{ \hat{g}_j \}_{j=1}^n \big) - \in \GG^t\times\Gh^{n+1}$. + output $\mathsf{crs}=\big(\{ z_i \}_{i=1}^t,~ \hat{g}_z,~\{ \hat{g}_j \}_{j=1}^n \big) + \in \GG^t\times\Gh^{n+1}$. -\item[\boldmath$\mathsf{Prove}(\mathsf{crs}, {\boldsymbol{v}}, \{\omega_i\}_{i=1}^t)$:] - To prove that ${\boldsymbol{v}}=\vec{M}_1^{\omega_1}\cdots\vec{M}_t^{\omega_t}$, +\item[\boldmath$\mathsf{Prove}(\mathsf{crs}, {\boldsymbol{v}}, \{\omega_i\}_{i=1}^t)$:] + To prove that ${\boldsymbol{v}}=\vec{M}_1^{\omega_1}\cdots\vec{M}_t^{\omega_t}$, for some witness $\omega_1,\ldots,\omega_t \in \Zp$, - where $\vec{M}_i$ denotes the $i$-th row of $\mathbf{M}$, + where $\vec{M}_i$ denotes the $i$-th row of $\mathbf{M}$, parse $\mathsf{crs}$ as above and return $\pi=\prod_{i=1}^t z_{i}^{\omega_i}$. - -\item[\boldmath$\mathsf{Sim}(\mathsf{tk}, {\boldsymbol{v}})$:] - In order to simulate a proof for a vector ${\boldsymbol{v}} \in \GG^n$ using $\mathsf{tk}= \{ \chi_i \}_{i=1}^n $, + +\item[\boldmath$\mathsf{Sim}(\mathsf{tk}, {\boldsymbol{v}})$:] + In order to simulate a proof for a vector ${\boldsymbol{v}} \in \GG^n$ using $\mathsf{tk}= \{ \chi_i \}_{i=1}^n $, output $\pi = \prod_{j=1}^n v_j^{-\chi_j} $. -\item[\boldmath$\mathsf{Verify}(\mathsf{crs}, {\boldsymbol{v}}, \pi)$:] - Given $\pi \in \GG$ and ${\boldsymbol{v}}=(v_1,\dotsc,v_n)$, +\item[\boldmath$\mathsf{Verify}(\mathsf{crs}, {\boldsymbol{v}}, \pi)$:] + Given $\pi \in \GG$ and ${\boldsymbol{v}}=(v_1,\dotsc,v_n)$, return $1$ if and only if $(v_1,\dotsc,v_n)\neq (1_{\GG},\dotsc,1_{\GG})$ and $\pi$ satisfies - $ 1_{\GT} = e(\pi,\hat{g_z}) \cdot \prod_{j=1}^n e(v_j,\hat{g}_j) . $ + $ 1_{\GT} = e(\pi,\hat{g_z}) \cdot \prod_{j=1}^n e(v_j,\hat{g}_j) . $ \end{description} -The proof of the soundness of this QA-NIZK argument system requires the matrix $\mathbf{M}$ to be witness-samplable. +The proof of the soundness of this QA-NIZK argument system requires the matrix $\mathbf{M}$ to be witness-samplable. This means that the reduction has to know the discrete logarithms of the group elements of $\mathbf{M}$. This requirement is compatible with our security proofs. \section{A Randomizable Signature on Multi-Block Messages} \label{scal-sig} -In \cite{LPY15}, Libert \textit{et al.} described an F-unforgeable signature based on the SXDH assumption. We show that their scheme - implies an efficient ordinary digital signature which makes it possible to efficiently sign multi-block messages in $\Zp^{\ell}$ while keeping the scheme -compatible with efficient protocols. In order to keep the signature length independent of the number of blocks, we exploit the property that the underlying QA-NIZK argument \cite{KW15} has constant size, regardless of the dimensions of the considered linear subspace. -Moreover, we show that their scheme remains unforgeable under the SXDH assumption. +In \cite{LPY15}, Libert \textit{et al.} described an F-unforgeable signature based on the SXDH assumption. We show that their scheme + implies an efficient ordinary digital signature which makes it possible to efficiently sign multi-block messages in $\Zp^{\ell}$ while keeping the scheme +compatible with efficient protocols. In order to keep the signature length independent of the number of blocks, we exploit the property that the underlying QA-NIZK argument \cite{KW15} has constant size, regardless of the dimensions of the considered linear subspace. +Moreover, we show that their scheme remains unforgeable under the SXDH assumption. \begin{description} -\item[\textsf{Keygen}$(\lambda,\ell):$] Choose bilinear groups $\mathsf{cp}=(\GG,\Gh,\GT,p)$ - of prime order $p>2^{\lambda}$ with $g \sample \GG$, $\hat{g} \sample \Gh$. +\item[\textsf{Keygen}$(\lambda,\ell):$] Choose bilinear groups $\mathsf{cp}=(\GG,\Gh,\GT,p)$ + of prime order $p>2^{\lambda}$ with $g \sample \GG$, $\hat{g} \sample \Gh$. \end{description} \begin{enumerate} \item Choose $\omega,a \sample \Zp$, and set $h=g^a$, $\Omega=h^{\omega}$. -\item Choose $\vec{v}=(v_1,\ldots,v_\ell,w) \sample \GG^{\ell+1}$. -\item Define a matrix $\mathbf{{M}}=(M_{j,i})_{j,i} \in {\GG}^{ (\ell+2) \times (2\ell+4) }$ - \begin{equation}\label{matrix-scal-sig} - \mathbf{{M}} = %\big({M}_{i,j} \big)_{i,j} = - \setlength{\arraycolsep}{0.3em}\def\arraystretch{1.3} - \left(\begin{array}{c|c|c|c} - g & \mathbf{1}_{{}_{\ell+1}} & \mathbf{1}_{{}_{\ell+1}} & h \\ \hline - \vec{v}^\top & g^{\mathbf{I_{\ell+1}}} & h^{\mathbf{I_{\ell+1}}} - & \mathbf{1}_{{}_{\ell+1}}^\top +\item Choose $\vec{v}=(v_1,\ldots,v_\ell,w) \sample \GG^{\ell+1}$. +\item Define a matrix $\mathbf{{M}}=(M_{j,i})_{j,i} \in {\GG}^{ (\ell+2) \times (2\ell+4) }$ + \begin{equation}\label{matrix-scal-sig} + \mathbf{{M}} = %\big({M}_{i,j} \big)_{i,j} = + \setlength{\arraycolsep}{0.3em}\def\arraystretch{1.3} + \left(\begin{array}{c|c|c|c} + g & \mathbf{1}_{{}_{\ell+1}} & \mathbf{1}_{{}_{\ell+1}} & h \\ \hline + \vec{v}^\top & g^{\mathbf{I_{\ell+1}}} & h^{\mathbf{I_{\ell+1}}} + & \mathbf{1}_{{}_{\ell+1}}^\top \end{array}\right) , \end{equation} where $\mathbf{1}_{{}_{\ell+1}}=(1_{\GG},\ldots,1_{\GG})\in\GG^{\ell+1}$. -\item Run $\mathsf{Keygen}(\mathsf{cp},M)$ of the QA-NIZK argument of Section~\ref{sse:sigmasig-qa-nizk} - to get $\mathsf{crs}=(\{ z_i \}_{i=1}^{\ell+2},~ \hat{g}_z,~\{ \hat{g}_j \}_{j=1}^{2\ell+4} )$. +\item Run $\mathsf{Keygen}(\mathsf{cp},M)$ of the QA-NIZK argument of Section~\ref{sse:sigmasig-qa-nizk} + to get $\mathsf{crs}=(\{ z_i \}_{i=1}^{\ell+2},~ \hat{g}_z,~\{ \hat{g}_j \}_{j=1}^{2\ell+4} )$. \bigskip \item[] -The private key is $ \mathsf{sk}:=\omega $ and the public key is +The private key is $ \mathsf{sk}:=\omega $ and the public key is \begin{align*} \mathsf{pk}=\Bigl( \mathsf{cp},~g,~h,~\hat{g}, ~\vec{v}%=(v_1,\ldots,v_\ell,w) @@ -103,28 +103,28 @@ The private key is $ \mathsf{sk}:=\omega $ and the public key is \end{enumerate} \begin{description} -\item[\textsf{Sign}$(\mathsf{sk},\vec{m}=(m_1,\ldots,m_\ell)):$] given -the private key $\mathsf{sk}=\omega$ and a message -$\vec{m}\in \Zp^\ell$, choose $s \sample \Zp$ to compute +\item[\textsf{Sign}$(\mathsf{sk},\vec{m}=(m_1,\ldots,m_\ell)):$] given +the private key $\mathsf{sk}=\omega$ and a message +$\vec{m}\in \Zp^\ell$, choose $s \sample \Zp$ to compute \begin{align*} - \sigma_1 & - = g^\omega\cdot (v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot w)^{s}, & + \sigma_1 & + = g^\omega\cdot (v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot w)^{s}, & \sigma_2 & = g^{s}, & \sigma_3 & = h^{s} . \end{align*} -Then, run $\mathsf{Prove}$ of the QA-NIZK argument to prove that +Then, run $\mathsf{Prove}$ of the QA-NIZK argument to prove that the following vector of $\GG^{2\ell+4}$ \begin{align} \label{eq:vector} - (\sigma_1,\sigma_2^{m_1},\ldots,\sigma_2^{m_\ell},\sigma_2, - \sigma_3^{m_1},\ldots,\sigma_3^{m_\ell},\sigma_3,\Omega) + (\sigma_1,\sigma_2^{m_1},\ldots,\sigma_2^{m_\ell},\sigma_2, + \sigma_3^{m_1},\ldots,\sigma_3^{m_\ell},\sigma_3,\Omega) \end{align} -is in the row space of $\mathbf{M}$. This QA-NIZK proof $\pi\in\GG$ consists of $\pi = z_1^\omega \cdot (z_2^{m_1}\cdots z_{\ell+1}^{m_\ell} \cdot - z_{\ell+2})^{s}.$ +is in the row space of $\mathbf{M}$. This QA-NIZK proof $\pi\in\GG$ consists of $\pi = z_1^\omega \cdot (z_2^{m_1}\cdots z_{\ell+1}^{m_\ell} \cdot + z_{\ell+2})^{s}.$ Return the signature $\sigma=\big(\sigma_1,\sigma_2,\sigma_3, \pi \big)\in\GG^{4}$. -\item[\textsf{Verify}$(\mathsf{pk},\sigma,\vec{m}):$] - parse $\sigma$ as above and $\vec{m}$ as a tuple $(m_1,\ldots,m_\ell)$ in $\Zp^\ell$ and return $1$ - if and only if +\item[\textsf{Verify}$(\mathsf{pk},\sigma,\vec{m}):$] + parse $\sigma$ as above and $\vec{m}$ as a tuple $(m_1,\ldots,m_\ell)$ in $\Zp^\ell$ and return $1$ + if and only if \begin{align} \label{sig-ver-1} e(\Omega,\hat{g}_{2\ell+4})^{-1} = &~ e(\pi,\hat{g}_z) \cdot e(\sigma_1,\hat{g_1}) \\ \nonumber @@ -134,7 +134,7 @@ Return the signature $\sigma=\big(\sigma_1,\sigma_2,\sigma_3, \pi \big)\in\GG^{4 \end{description} -The signature on $\ell$ scalars thus only consists of 4 elements in $\GG$ +The signature on $\ell$ scalars thus only consists of 4 elements in $\GG$ while the verification equation only involves a computation of 5 pairings. \begin{theorem} \label{th:eu-cma-1} @@ -142,7 +142,7 @@ The above signature scheme is existentially unforgeable under chosen-message att \end{theorem} \begin{proof} - We will proceed as in~\cite{LPY15} to prove that the scheme of + We will proceed as in~\cite{LPY15} to prove that the scheme of section~\ref{scal-sig} is secure under chosen-message attacks. Namely we will consider a sequence of hybrid games involving two kinds of signatures. \vspace{-0.1 cm} @@ -152,19 +152,19 @@ The above signature scheme is existentially unforgeable under chosen-message att \begin{aligned} \sigma_1 &= g^\omega \cdot ( v_1^{m_1} \cdots v_\ell^{m_\ell} \cdot w)^s, & \sigma_2 &= g^s, \\ - \pi &= z_1^\omega \cdot (z_2^{m_1}\cdots z_{\ell+1}^{m_\ell} \cdot - z_{\ell+2})^{s} ,& + \pi &= z_1^\omega \cdot (z_2^{m_1}\cdots z_{\ell+1}^{m_\ell} \cdot + z_{\ell+2})^{s} ,& \sigma_3 &= h^s. \end{aligned} \end{equation} - Since $(\sigma_1,\sigma_2^{m_1},\ldots,\sigma_2^{m_\ell},\sigma_2, \sigma_3^{m_1},\ldots,\sigma_3^{m_\ell},\sigma_3,\Omega)$ - is in the row space of $\mathbf{M}$, the QA-NIZK proof $\pi$ has the same distribution as if it were computed as + Since $(\sigma_1,\sigma_2^{m_1},\ldots,\sigma_2^{m_\ell},\sigma_2, \sigma_3^{m_1},\ldots,\sigma_3^{m_\ell},\sigma_3,\Omega)$ + is in the row space of $\mathbf{M}$, the QA-NIZK proof $\pi$ has the same distribution as if it were computed as \begin{equation} \label{eq:rel-sim-A} \begin{aligned} - \pi &= \sigma_1^{-\chi_1} \cdot \left( \prod_{i=2}^{\ell+1} \sigma_2^{-\chi_i m_{i-1}} \right) \cdot \sigma_2^{-\chi_{\ell + 2}} \cdot \quad \\ \quad & + \pi &= \sigma_1^{-\chi_1} \cdot \left( \prod_{i=2}^{\ell+1} \sigma_2^{-\chi_i m_{i-1}} \right) \cdot \sigma_2^{-\chi_{\ell + 2}} \cdot \quad \\ \quad & \left( \prod_{i=\ell + 3}^{2 \ell + 2} \sigma_3^{-\chi_i m_{i - \ell - 2}} \right) \cdot - \sigma_3^{-\chi_{2\ell+3}} \cdot \Omega^{-\chi_{2 \ell + 4}} . + \sigma_3^{-\chi_{2\ell+3}} \cdot \Omega^{-\chi_{2 \ell + 4}} . \end{aligned} \end{equation} \end{description} \smallskip @@ -176,7 +176,7 @@ The above signature scheme is existentially unforgeable under chosen-message att \smallskip \begin{description} - \item[Type B signatures:] These use a random value $\omega' \in_R \Zp$ instead of the secret key $\omega$. We pick random $\omega', s, s_1 \sample \Zp$ and + \item[Type B signatures:] These use a random value $\omega' \in_R \Zp$ instead of the secret key $\omega$. We pick random $\omega', s, s_1 \sample \Zp$ and compute: \begin{equation*} \begin{gathered} @@ -189,8 +189,8 @@ The above signature scheme is existentially unforgeable under chosen-message att \end{description} \smallskip - - We consider a sequence of games. + + We consider a sequence of games. In Game $i$, $S_i$ denotes the event that $\adv$ produces a valid signature $\sigma^\star$ on $M^\star$ such that $(M^\star, \sigma^\star)$ was not queried before, and by $E_i$ the event that @@ -201,7 +201,7 @@ The above signature scheme is existentially unforgeable under chosen-message att a key pair $(\mathsf{sk}, \mathsf{pk})$ and sends $\mathsf{pk}$ to $\adv$. Then $\adv$ makes $Q$ signature queries: $\adv$ sends messages $M_i$ to $\bdv$, and $\bdv$ answers by sending $\sigma_i = \Sign(\mathsf{sk}, M_i)$ to $\adv$. Finally $\adv$ - sends a pair $(M^\star, \sigma^\star) \notin \{ (M_i, \sigma_i) \}_{i=1}^Q$ + sends a pair $(M^\star, \sigma^\star) \notin \{ (M_i, \sigma_i) \}_{i=1}^Q$ and wins if $\Verify(\mathsf{pk}, \sigma^\star, M^\star) = 1$. \item[Game 1:] We change the way $\bdv$ answers signing queries. @@ -210,8 +210,8 @@ The above signature scheme is existentially unforgeable under chosen-message att as in~\eqref{eq:rel-sim-A}. These QA-NIZK proofs are thus simulated proofs for true statements, and then their distribution remains unchanged. We have $\Pr[S_1] = \Pr[S_1 \wedge E_1] + \Pr[S_1 \wedge - \neg E_1]$. - Lemma~\ref{le:type-a-sig} states + \neg E_1]$. + Lemma~\ref{le:type-a-sig} states that the event $S_1 \wedge \neg E_1$ happens with all but negligible probability: $\Pr[S_1 \wedge \neg E_1] \leq \advantage{\DDH}{\Gh}(\lambda) - 1/p$. Thus our task is now @@ -222,24 +222,24 @@ The above signature scheme is existentially unforgeable under chosen-message att last $Q - k$ signature queries, the challenger answers a type $A$ signature. \cref{le:type-b-sig} ensures that \[\left| \Pr\Bigl[S_{2.k} \wedge E_{2.k}\Bigr] - \Pr\Bigl[S_{2.(k-1)} \wedge E_{2.(k-1)}\Bigr] \right|\] - is smaller than $\advantage{\DDH}{\GG}(\lambda) + 1/p$. + is smaller than $\advantage{\DDH}{\GG}(\lambda) + 1/p$. \end{description} In Game $2.Q$, we know that if SXDH holds, $\adv$ can only output a type $\mathrm{A}'$ forgery even if it only obtains type B signatures during the game. - Nevertheless, lemma~\ref{le:final-forgery} shows + Nevertheless, lemma~\ref{le:final-forgery} shows that a type $\mathrm{A}'$ forgery in Game $2.Q$ contradicts the DDH assumptions in $\GG$. Therefore we have - $\Pr[S_{2.Q} \wedge E_{2.Q}] \leq \advantage{\DDH}{\GG}(\lambda)$. Putting the above altogether, the probability $\Pr[S_0]$ is upper-bounded by + $\Pr[S_{2.Q} \wedge E_{2.Q}] \leq \advantage{\DDH}{\GG}(\lambda)$. Putting the above altogether, the probability $\Pr[S_0]$ is upper-bounded by \begin{multline*} \advantage{\DDH}{\Gh}(\lambda) + \frac{1}{p} + Q \left( \advantage{\DDH}{\GG}(\lambda) + \frac{1}{p} \right) + \advantage{\DDH}{\GG}(\lambda) \\ - < (Q + 2) \cdot \left( \advantage{\mathrm{SXDH}{\GG, \Gh}}(\lambda) + \frac{1}{p} \right). - \end{multline*} + < (Q + 2) \cdot \left( \advantage{\mathrm{SXDH}{\GG, \Gh}}(\lambda) + \frac{1}{p} \right). + \end{multline*} \end{proof} - + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{lemma} \label{le:type-a-sig} @@ -249,26 +249,26 @@ The above signature scheme is existentially unforgeable under chosen-message att \begin{proof} Let $\adv$ be an attacker that does not - output a type $\mathrm{A}'$ forgery. We will build an attacker $\bdv$ against the soundness of the + output a type $\mathrm{A}'$ forgery. We will build an attacker $\bdv$ against the soundness of the Quasi-Adaptive NIZK (QA-NIZK) scheme, which security is implied from the double-pairing problem that reduces from DDH as explained in~\cite{LPJY13}. - Let us define the vector $\ssigma \in \GG^{2\ell+4}$ as + Let us define the vector $\ssigma \in \GG^{2\ell+4}$ as \[ - \ssigma \triangleq (\sigma_1^\star, \sigma_2^{\star m_1}, \ldots, \sigma_2^{\star m_\ell}, \sigma_2^\star, \sigma_3^{\star m_1}, \ldots, \sigma_3^{\star m_\ell}, \sigma_3^\star, \Omega) + \ssigma \triangleq (\sigma_1^\star, \sigma_2^{\star m_1}, \ldots, \sigma_2^{\star m_\ell}, \sigma_2^\star, \sigma_3^{\star m_1}, \ldots, \sigma_3^{\star m_\ell}, \sigma_3^\star, \Omega) \in \GG^{2\ell + 4}. \] If $(M^\star, \sigma^\star)$ is not a type $\mathrm{A}'$ forgery, $\ssigma$ is then not in the row space of $\mathbf{M}$. - Our reduction $\bdv$ receives as input $\mathsf{cp}=(\GG,\Gh,\GT,p)$, a matrix ${\mathbf{M}}$ as in - (\ref{matrix-scal-sig}) and a common - reference string $\mathsf{crs}$ (depending on the matrix) for an instance of the - QA-NIZK scheme allowing to prove that vectors of dimension $2\ell + 4$ are in the row space of ${\mathbf{M}}$. + Our reduction $\bdv$ receives as input $\mathsf{cp}=(\GG,\Gh,\GT,p)$, a matrix ${\mathbf{M}}$ as in + (\ref{matrix-scal-sig}) and a common + reference string $\mathsf{crs}$ (depending on the matrix) for an instance of the + QA-NIZK scheme allowing to prove that vectors of dimension $2\ell + 4$ are in the row space of ${\mathbf{M}}$. The generation of the matrix ${\mathbf{M}}$ fixes $g$, $h$ and $\vec{v}=(v_1,\ldots,v_\ell,w)\in\GG^{\ell+1}$. After that, $\bdv$ picks $\omega \sample Z_p$ and $\hat g \sample \Gh$, and set $\Omega = h^\omega$. Then, the reduction $\bdv$ sends to $\adv$ $\mathsf{cp}$ and the verification key: \begin{align*} - \mathsf{pk} = \bigl( g,h,\hat g, \vec{v}, \omega,\mathsf{crs} \bigr). + \mathsf{pk} = \bigl( g,h,\hat g, \vec{v}, \omega,\mathsf{crs} \bigr). \end{align*} Since $\bdv$ knows the secret key $\omega \in \Zp$, it can answer all signing queries by honestly @@ -276,8 +276,8 @@ The above signature scheme is existentially unforgeable under chosen-message att When $\adv$ halts, it outputs $(M^\star, \sigma^\star)$ where $\sigma^\star$ is not a Type $\mathrm{A}'$ forgery, so that $\ssigma$ is not in the row space of $\mathbf{M}$. Therefore, outputting $\pi^\star$ constitutes a valid proof against the soundness property of the - scheme, and thus implies an algorithm against DDH as in~\cite{KW15} since the matrix can be - witness-samplable. + scheme, and thus implies an algorithm against DDH as in~\cite{KW15} since the matrix can be + witness-samplable. \end{proof} \begin{lemma} \label{le:type-b-sig} @@ -297,12 +297,12 @@ If DDH holds in $\GG$, for each $k \in \[ \forall i \in \{1,\dots, \ell \}:~~ v_i = g^{a_{v_i}} \cdot h^{b_{v_i}}, \quad w = g^{a_w} \cdot h^{b_w}. \] % in order to have the discrete logs of $v_i$ and $w$. \medskip % \\ - + The reduction $\bdv$ also chooses $\mathsf{tk} = \{ \chi_i \}_{i=1}^{2\ell + 4}$ and - computes $\mathsf{crs} = ( \{z_j\}_{j=1}^{2\ell+4}, \hat g_z, \{ \hat g_i \}_{i=1}^{2\ell + 4})$ + computes $\mathsf{crs} = ( \{z_j\}_{j=1}^{2\ell+4}, \hat g_z, \{ \hat g_i \}_{i=1}^{2\ell + 4})$ as in steps 3-4 of \textsf{Keygen}. It then outputs $\mathsf{pk}=(g,h,\hat g, \vec{v}, \omega,\mathsf{crs})$. \smallskip - + Then, queries are answered depending on their index~$j$:\\ \textbf{Case $\boldsymbol{j < k}$:} $\bdv$ computes a Type B signature, $\sigma = (\sigma_1, \sigma_2, \sigma_3, \pi)$, using $\mathsf{tk}=\{ \chi_i \}_{i=1}^{2\ell + 4}$ with the QA-NIZK simulator @@ -314,9 +314,9 @@ If DDH holds in $\GG$, for each $k \in \noindent\textbf{Case $\boldsymbol{j = k}$:} In the $k$-th signing query $(m_1,\dots,m_\ell)$, $\bdv$ embeds the DDH instance in the signature and simulates either Game $2.k$ or Game $2.(k-1)$ - depending on whether $\eta = g^{ab}$ or $\eta = g^{a(b+c)}$ for some $c \in_R \Zp$. Namely, $\bdv$ computes $\sigma_2 = g^b$, $\sigma_3 = \eta$, + depending on whether $\eta = g^{ab}$ or $\eta = g^{a(b+c)}$ for some $c \in_R \Zp$. Namely, $\bdv$ computes $\sigma_2 = g^b$, $\sigma_3 = \eta$, and - $ \sigma_1 = g^\omega \sigma_2^{a_w + \sum_{i=1}^\ell a_{v_i} m_i} \sigma_3^{b_w + \sum_{i=1}^\ell b_{v_i} m_i}. $ + $ \sigma_1 = g^\omega \sigma_2^{a_w + \sum_{i=1}^\ell a_{v_i} m_i} \sigma_3^{b_w + \sum_{i=1}^\ell b_{v_i} m_i}. $ Then $\bdv$ simulates QA-NIZK proofs $\pi$ as recalled in \eqref{eq:rel-sim-A}, and sends $\sigma = (\sigma_1, \sigma_2, \sigma_3, \pi)$ to $\adv$. \smallskip @@ -327,7 +327,7 @@ If DDH holds in $\GG$, for each $k \in \sigma_1 & = g^\omega g^{ac\cdot(b_w + \sum_{i=1}^\ell b_{v_i} m_i)} (v_1^{m_1} \cdots v_\ell^{m_\ell} w)^b\\ & = g^{\omega'} (v_1^{m_1} \cdots v_\ell^{m_\ell} w)^b \\ \sigma_2 &= g^b, \qquad \qquad \qquad \qquad \qquad - \sigma_3 = h^{b+c} + \sigma_3 = h^{b+c} \end{align*} Where $\omega' = \omega + ac\cdot(b_w + \sum_{i=1}^\ell b_{v_i} m_i)$. Since the term $b_w + \sum_{i=1}^\ell b_{v_i}m_i$ is uniform and independent of $\adv$'s view, $\sigma$ is @@ -337,23 +337,23 @@ If DDH holds in $\GG$, for each $k \in during the signing queries. Now the reduction $\bdv$ has to determine whether $\sigma^\star$ is a Type $\mathrm{A}'$ forgery or not. To this end, it tests if the equality: \begin{equation} \label{eq:verif-proof} - \sigma_1^\star = g^\omega \sigma_2^{\star a_w + \sum_{i=1}^\ell a_{v_i} m_i^\star} \sigma_3^{\star b_w + \sum_{i=1}^\ell b_{v_i} m_i^\star} + \sigma_1^\star = g^\omega \sigma_2^{\star a_w + \sum_{i=1}^\ell a_{v_i} m_i^\star} \sigma_3^{\star b_w + \sum_{i=1}^\ell b_{v_i} m_i^\star} \end{equation} is satisfied. If it is, $\bdv$ outputs $1$ to indicate that $\eta = g^{ab}$. Otherwise it outputs $0$ and rather bets that $\eta \in_R \GG$. To see why this test allows recognizing Type $\mathrm{A}'$ forgeries, - we remark that $\sigma^\star$ is of the form: + we remark that $\sigma^\star$ is of the form: \begin{align*} \sigma^\star_2 & = g^s , & \sigma^\star_3 & = h^{s + s_1} , & \sigma^\star_1 & = g^{\omega + s_0} (v_1^{m^\star_1} \cdots v_\ell^{m^\star_\ell} w)^s , \end{align*} - and the goal of $\bdv$ is to decide whether $(s_0, s_1) = (0, 0)$ or not. We notice that + and the goal of $\bdv$ is to decide whether $(s_0, s_1) = (0, 0)$ or not. We notice that $s_0 = a\cdot s_1 \cdot (b_w + \sum_{i=1}^\ell b_{v_i} \cdot m_i^\star)$ if the forgery fulfills relation~\eqref{eq:verif-proof} and we show this to only happen with probability $1/p$ for any $s_1\neq 0$ meaning that Type $\mathrm{B}$ forgery passes the test with the same probability. - + %\noindent And the goal of $\bdv$ is to decide if $(s_0, s_1) = (0, 0)$ or not. We notice that if %$s_0 \neq 0$ and $s_1 = 0$, then the relation~\eqref{eq:verif-proof} cannot be satisfied. We then %have the case $s_1 \neq 0$ left which implies that $s_0 = a\cdot s_1 \cdot (b_w + \sum_{i=1}^\ell @@ -372,7 +372,7 @@ If DDH holds in $\GG$, for each $k \in \begin{array}{c|c} \mathbf{I}_{\ell+1} & a \cdot \mathbf{I}_{\ell + 1}\\ \hline \boldsymbol{0}_{\ell + 1}^{\top} & ac \cdot( m_1 | \cdots | m_\ell | 1) \\ \hline - \boldsymbol{0}_{\ell + 1}^{\top} & a s_1 \cdot( m_1^\star | \cdots | m_\ell^\star | 1) + \boldsymbol{0}_{\ell + 1}^{\top} & a s_1 \cdot( m_1^\star | \cdots | m_\ell^\star | 1) \end{array} \egroup \right) \cdot @@ -386,27 +386,27 @@ If DDH holds in $\GG$, for each $k \in \begin{pmatrix} a_{v_1} \\ \vdots \\ a_{v_\ell} \\ a_w\\ b_{v_1} \\ \vdots \\ b_{v_\ell} \\ b_w - \end{pmatrix} + \end{pmatrix} = \begin{pmatrix} \log_g(v_1) \\ \vdots \\ \log_g(v_\ell) \\ \log_g(w) \\ \omega' - \omega \\ s_0 \end{pmatrix} \] - where, $\boldsymbol{0}_{\ell + 1}$ denotes the zero vector of length $\ell + 1$ and $m_1, \ldots, m_\ell$ - is the message involved in the $k$-th signing query. Note that the $(l+2)$-th equation is meaningless when + where, $\boldsymbol{0}_{\ell + 1}$ denotes the zero vector of length $\ell + 1$ and $m_1, \ldots, m_\ell$ + is the message involved in the $k$-th signing query. Note that the $(l+2)$-th equation is meaningless when $c=0$ since then $\omega' = \omega$. However, even if $c\neq 0$ the information that $\adv$ can infer about $(a_{v_1},\ldots, a_{v_\ell}, a_w, b_{v_1}, \ldots, b_{v_\ell}, b_w) \in \Zp^{2 \ell + 2}$ - during the game amounts to the first $\ell+2$ equations of the system which is of full rank. It means that - this vector is unpredictable since all the solutions of this linear system live in a sub-space of dimension + during the game amounts to the first $\ell+2$ equations of the system which is of full rank. It means that + this vector is unpredictable since all the solutions of this linear system live in a sub-space of dimension at least one (actually $\ell=(2\ell+2) -(\ell+2)$). Finally, as long as $s_1\neq 0$, the right value $s_0$ - can only be guessed with probability $1/p$ since the last row of the matrix is independent of the others + can only be guessed with probability $1/p$ since the last row of the matrix is independent of the others as soon as $(m_1, \ldots, m_\ell) \neq (m^\star_1, \ldots, m^\star_\ell) \neq 0$. - - To conclude the proof, since $\bdv$ is able the tell apart the type of the forgery, if $\adv$'s probability to - output a forgery of some Type in Game $k-1$ (\textit{i.e.}, $c=0$) was significantly different than in Game $k$ - (\textit{i.e.}, $c\neq0$) then $B$ would be able to solve the DDH problem with non-negligible advantage. - + + To conclude the proof, since $\bdv$ is able the tell apart the type of the forgery, if $\adv$'s probability to + output a forgery of some Type in Game $k-1$ (\textit{i.e.}, $c=0$) was significantly different than in Game $k$ + (\textit{i.e.}, $c\neq0$) then $B$ would be able to solve the DDH problem with non-negligible advantage. + \end{proof} \begin{lemma} \label{le:final-forgery} @@ -419,15 +419,15 @@ If DDH holds in $\GG$, for each $k \in We will build an algorithm $\bdv$ for solving the Computational Diffie Hellman problem~(CDH) which is at least as hard as the DDH problem. The reduction $\bdv$ takes as input a tuple $(g, h, \Omega = h^\omega)$ and computes $g^\omega$. To generate $\mathsf{pk}$, $\bdv$ picks $\hat g - \sample \Gh$, $a_{v_1}, \ldots, a_{v_\ell}, a_w \sample \Zp$ and computes - $ v_1 = g^{a_{v_1}},$ \ldots, $ v_\ell = g^{a_{v_\ell}}$, and $w = g^{a_w}.$ Then $\bdv$ generates + \sample \Gh$, $a_{v_1}, \ldots, a_{v_\ell}, a_w \sample \Zp$ and computes + $ v_1 = g^{a_{v_1}},$ \ldots, $ v_\ell = g^{a_{v_\ell}}$, and $w = g^{a_w}.$ Then $\bdv$ generates $\mathsf{tk} = \{ \chi_i \}_{i=1}^{2\ell + 4}$, $\mathsf{crs} = (\{ z_j\}_{j=1}^{\ell + 2}, \hat g_z, \{\hat g_i\}_{i=1}^{2\ell + 4})$ - as in step 3-4 of the key generation algorithm, then sends the public key + as in step 3-4 of the key generation algorithm, then sends the public key $ pk = \bigl(g, h, \hat g, \boldsymbol{v} , \Omega=h^\omega, \mathsf{crs}\bigr) $ to $\adv$. %\begin{multline*} - % pk = \Bigl(g, h, \hat g, \boldsymbol{v} , \Omega=h^\omega, - % \mathsf{pk}_{hsps}, \{ (z_j, r_j) \}_{j=1}^{\ell + 2} \Bigr) + % pk = \Bigl(g, h, \hat g, \boldsymbol{v} , \Omega=h^\omega, + % \mathsf{pk}_{hsps}, \{ (z_j, r_j) \}_{j=1}^{\ell + 2} \Bigr) %\end{multline*} \noindent $\bdv$ also retains $\mathsf{tk} = \{ \chi_i \}_{i=1}^{2\ell + 4}$ to handle @@ -438,8 +438,8 @@ If DDH holds in $\GG$, for each $k \in The results of Lemma~\ref{le:type-b-sig} implies that even if $\adv$ only obtains Type B signatures, it will necessarily output a Type $\mathrm{A}'$ forgery $\sigma^\star = (\sigma^\star_1, \sigma^\star_2, \sigma^\star_3, \pi^\star)$ - unless the DDH assumption does not hold in $\GG$. - This event thus allows $\bdv$ to compute + unless the DDH assumption does not hold in $\GG$. + This event thus allows $\bdv$ to compute \[g^\omega = \sigma_1^\star \cdot {\sigma_2^\star}^{-a_w - \sum_{i=1}^\ell a_{v_i} m_i^\star}_{},\] which contradicts the DDH assumption in $\GG$. \end{proof} @@ -455,69 +455,69 @@ In this section, we give $\Sigma$-protocols (\cref{sse:sigma-protocols}) for iss We give $\Sigma$-protocols for proving the knowledge of a signature-message pair $({\sigma},\vec{m})$ satisfying the verification equation of the scheme of Section~\ref{scal-sig} \begin{align} \label{eq-mult-sig} - e(\Omega,\hat{g}_{2 \ell+4})^{-1} - & = \, e(\sigma_1,\hat{g_1}) \cdot - e(\sigma_2,\hat{g}_{2}^{m_1}\cdots\hat{g}_{\ell+1}^{m_\ell}\cdot \hat{g}_{\ell+2} ) - \\ \nonumber - & \quad \cdot e(\sigma_3,\hat{g}_{\ell+3}^{m_1}\cdots\hat{g}_{2 \ell+2}^{m_\ell}\cdot \hat{g}_{2 \ell+3} ) - \cdot e(\pi,\hat{g}_z), + e(\Omega,\hat{g}_{2 \ell+4})^{-1} + & = \, e(\sigma_1,\hat{g_1}) \cdot + e(\sigma_2,\hat{g}_{2}^{m_1}\cdots\hat{g}_{\ell+1}^{m_\ell}\cdot \hat{g}_{\ell+2} ) + \\ \nonumber + & \quad \cdot e(\sigma_3,\hat{g}_{\ell+3}^{m_1}\cdots\hat{g}_{2 \ell+2}^{m_\ell}\cdot \hat{g}_{2 \ell+3} ) + \cdot e(\pi,\hat{g}_z), \end{align} % -where ${\sigma}=(\sigma_1,\sigma_2,\sigma_3,\pi)$ and $\vec{m}=(m_1,\ldots,m_\ell)$. -We note that, as shown in the proof of Theorem \ref{th:eu-cma-1}, a candidate signature $(\sigma_1,\sigma_2,\sigma_3,\pi)$ may satisfy the verification equation -although $\log_g(\sigma_2)\neq \log_h(\sigma_3)$. In applications to anonymous credentials, a malicious credential issuer could take advantage of this fact in attempts to -break the anonymity of the scheme (e.g., by linking two authentications involving the same credential). For this reason, we consider a protocol for proving possession -of a possibly maliciously generated signature. - +where ${\sigma}=(\sigma_1,\sigma_2,\sigma_3,\pi)$ and $\vec{m}=(m_1,\ldots,m_\ell)$. +We note that, as shown in the proof of Theorem \ref{th:eu-cma-1}, a candidate signature $(\sigma_1,\sigma_2,\sigma_3,\pi)$ may satisfy the verification equation +although $\log_g(\sigma_2)\neq \log_h(\sigma_3)$. In applications to anonymous credentials, a malicious credential issuer could take advantage of this fact in attempts to +break the anonymity of the scheme (e.g., by linking two authentications involving the same credential). For this reason, we consider a protocol for proving possession +of a possibly maliciously generated signature. + We thus consider the case of arbitrary valid signatures that may have been maliciously computed by a signer who, {e.g.}, aims at tracing provers across different authentications. In this setting, we can still obtain a perfect SHVZK $\Sigma$-protocol to hedge against such attacks. \vspace{-1mm} A first attempt to efficiently build such a protocol is to ``linearize'' the verification equation (\ref{eq-mult-sig}) by making sure that two witnesses are never paired together. However, we will still have to deal with (parallelizable) intermediate $\Sigma$-protocols for quadratic scalar relations. -Even though a quadratic pairing-product equation $e(x_1,\hat{a}) \cdot e(x_2,\hat{y})$ -- for variables $x_1,x_2,\hat{y}$ and constant $\hat{a}$ -- can be linearized by partially randomizing the variables so as to get the equation $e(x_1\cdot x_2^{r},\hat{a}) \cdot e(x_2,\hat{y}\cdot \hat{a}^{-r})$ (which allows $\hat{y}'=\hat{y}\cdot \hat{a}^{-r}$ to appear in the -clear), proving knowledge of a valid signature still requires proving a statement about some representation of $\hat{y}$ which now appears in committed form. Somehow, going through the randomizing factor $\hat{a}^{-r}$ involves a quadratic relation between some known exponents to get special-soundness. To ease the entire proof we rather directly commit to the variables in $\GG$ and $\hat{\GG}$ using their available generator $g$ and $\hat{g}$ which are not among the constants of the verification equation of the signature. We additionally need an extra generator $f$ of $\GG$ whose discrete logarithm is unknown. +Even though a quadratic pairing-product equation $e(x_1,\hat{a}) \cdot e(x_2,\hat{y})$ -- for variables $x_1,x_2,\hat{y}$ and constant $\hat{a}$ -- can be linearized by partially randomizing the variables so as to get the equation $e(x_1\cdot x_2^{r},\hat{a}) \cdot e(x_2,\hat{y}\cdot \hat{a}^{-r})$ (which allows $\hat{y}'=\hat{y}\cdot \hat{a}^{-r}$ to appear in the +clear), proving knowledge of a valid signature still requires proving a statement about some representation of $\hat{y}$ which now appears in committed form. Somehow, going through the randomizing factor $\hat{a}^{-r}$ involves a quadratic relation between some known exponents to get special-soundness. To ease the entire proof we rather directly commit to the variables in $\GG$ and $\hat{\GG}$ using their available generator $g$ and $\hat{g}$ which are not among the constants of the verification equation of the signature. We additionally need an extra generator $f$ of $\GG$ whose discrete logarithm is unknown. \vspace{-1mm} \begin{description} \item[\textsf{Commit}] Given $({\sigma},\vec{m})$, conduct the following steps. \vspace{-1mm} -\end{description} +\end{description} \begin{enumerate} - \item Commit to $d_1:=\hat{g}_2^{m_1}\cdots\hat{g}_{\ell+1}^{m_\ell}\cdot\hat{g}_{\ell+2}\in\hat{\GG}$ - and $d_2:=\hat{g}_{\ell+3}^{m_1}\cdots\hat{g}_{2 \ell+2}^{m_\ell}\cdot\hat{g}_{2\ell+3}\in\hat{\GG}$. - To this end, choose + \item Commit to $d_1:=\hat{g}_2^{m_1}\cdots\hat{g}_{\ell+1}^{m_\ell}\cdot\hat{g}_{\ell+2}\in\hat{\GG}$ + and $d_2:=\hat{g}_{\ell+3}^{m_1}\cdots\hat{g}_{2 \ell+2}^{m_\ell}\cdot\hat{g}_{2\ell+3}\in\hat{\GG}$. + To this end, choose $r_1,r_2\sample\ZZ_p$ and compute $\hat{D}_1=d_1\cdot \hat{g}^{r_1}$ and $\hat{D}_2=d_2\cdot \hat{g}^{r_2}$. - \item In order to prove knowledge of an opening of commitments $\hat{D}_1,\hat{D}_2\in\Gh$ to the same message $\vec{m}=(m_1,\ldots,m_\ell)\in\ZZ_p^\ell$, + \item In order to prove knowledge of an opening of commitments $\hat{D}_1,\hat{D}_2\in\Gh$ to the same message $\vec{m}=(m_1,\ldots,m_\ell)\in\ZZ_p^\ell$, choose $s_1,s_2,u_1,\ldots,u_\ell \sample\ZZ_p$ - and compute $\hat{E}_1=\hat{g}_2^{u_1}\cdots\hat{g}_{\ell+1}^{u_\ell}\cdot \hat{g}^{s_1}$ + and compute $\hat{E}_1=\hat{g}_2^{u_1}\cdots\hat{g}_{\ell+1}^{u_\ell}\cdot \hat{g}^{s_1}$ and $\hat{E}_2=\hat{g}_{\ell+3}^{u_1}\cdots\hat{g}_{2 \ell+2}^{u_\ell}\cdot \hat{g}^{s_2}$. - \item Using $r_1,r_2 \in \ZZ_p$ from step 1, define $\sigma_0 = \sigma_2^{r_1} \cdot \sigma_3^{r_2}$ - and commit to $(\pi,\sigma_0 ,\sigma_1,\sigma_2,\sigma_3)\in\GG^5.$ - For this purpose, choose $t_z,t_0,t_1,t_2,t_3\sample\ZZ_p$ at random and set $C_z=\pi \cdot g^{t_z}$, - $C_i=\sigma_i \cdot g^{t_i}$, for $i \in \{0,\ldots,3\}$, and - $\hat{D}_0=\hat{g}_z^{t_z} \cdot \hat{g}_1^{t_1} \cdot \hat{D}_{1}^{t_2} - \cdot \hat{D}_{2}^{t_3} \cdot \hat{g}^{-t_0}.$ + \item Using $r_1,r_2 \in \ZZ_p$ from step 1, define $\sigma_0 = \sigma_2^{r_1} \cdot \sigma_3^{r_2}$ + and commit to $(\pi,\sigma_0 ,\sigma_1,\sigma_2,\sigma_3)\in\GG^5.$ + For this purpose, choose $t_z,t_0,t_1,t_2,t_3\sample\ZZ_p$ at random and set $C_z=\pi \cdot g^{t_z}$, + $C_i=\sigma_i \cdot g^{t_i}$, for $i \in \{0,\ldots,3\}$, and + $\hat{D}_0=\hat{g}_z^{t_z} \cdot \hat{g}_1^{t_1} \cdot \hat{D}_{1}^{t_2} + \cdot \hat{D}_{2}^{t_3} \cdot \hat{g}^{-t_0}.$ \item In order to prove (partial) knowledge of an opening to $(C_z,C_0,C_1,C_2,C_3,\hat{D}_0)$, compute - $\hat{E}_0=\hat{g}_z^{v_z} \cdot \hat{g}_1^{v_1} \cdot \hat{D}_{1}^{v_2} - \cdot \hat{D}_{2}^{v_3} \cdot \hat{g}^{-v_0}$ + $\hat{E}_0=\hat{g}_z^{v_z} \cdot \hat{g}_1^{v_1} \cdot \hat{D}_{1}^{v_2} + \cdot \hat{D}_{2}^{v_3} \cdot \hat{g}^{-v_0}$ for random $v_z,v_0,v_1,v_2,v_3\sample\ZZ_p$. - \item Prove that $C_0$ is well-formed relatively to the committed values in $C_1,C_2$ and the coins - $r_1,r_2 \in \ZZ_p$ used in $\hat{D}_1,\hat{D}_2$. To this end, prove knowledge of the representation + \item Prove that $C_0$ is well-formed relatively to the committed values in $C_1,C_2$ and the coins + $r_1,r_2 \in \ZZ_p$ used in $\hat{D}_1,\hat{D}_2$. To this end, prove knowledge of the representation $C_0=C_2^{r_1} \cdot C_3^{r_2} \cdot {g}^{t_4},$ where $t_4=t_0-r_1 \cdot t_2-r_2 \cdot t_3$. To do this, compute - $F_0=C_2^{s_1} \cdot C_3^{s_2} \cdot {g}^{v_4}$, for $v_4\sample\ZZ_p$ and where $s_1,s_2 \in \ZZ_p$ are the random coins used in $\hat{E}_1,\hat{E}_2$. - \item To prove that $t_4=t_0-r_1 \cdot t_2-r_2 \cdot t_3$, (re-)commit to $t_0,t_2,t_3,t_4 \in \ZZ_p$ by picking $x_2,x_3,x_4\sample\ZZ_p$ and computing - $$T_i=g^{t_i} \cdot f^{x_i} \qquad \forall i \in \{0,2,3, 4\}, $$ where $x_0=x_2 \cdot r_1+x_3 \cdot r_2+x_4$. Ensure that committed - variables coincide with those of previous steps by computing $$\{V_i=g^{v_i} \cdot f^{y_i}\}_{i \in \{0,2,3,4\} },$$ where - $y_0,y_2,y_3,y_4\sample\ZZ_p$. To prove the equality $T_0=T_2^{r_1} \cdot T_3^{r_2} \cdot T_4$, re-use $s_1,s_2 \in \ZZ_p$ from steps 2 and 5 to compute + $F_0=C_2^{s_1} \cdot C_3^{s_2} \cdot {g}^{v_4}$, for $v_4\sample\ZZ_p$ and where $s_1,s_2 \in \ZZ_p$ are the random coins used in $\hat{E}_1,\hat{E}_2$. + \item To prove that $t_4=t_0-r_1 \cdot t_2-r_2 \cdot t_3$, (re-)commit to $t_0,t_2,t_3,t_4 \in \ZZ_p$ by picking $x_2,x_3,x_4\sample\ZZ_p$ and computing + $$T_i=g^{t_i} \cdot f^{x_i} \qquad \forall i \in \{0,2,3, 4\}, $$ where $x_0=x_2 \cdot r_1+x_3 \cdot r_2+x_4$. Ensure that committed + variables coincide with those of previous steps by computing $$\{V_i=g^{v_i} \cdot f^{y_i}\}_{i \in \{0,2,3,4\} },$$ where + $y_0,y_2,y_3,y_4\sample\ZZ_p$. To prove the equality $T_0=T_2^{r_1} \cdot T_3^{r_2} \cdot T_4$, re-use $s_1,s_2 \in \ZZ_p$ from steps 2 and 5 to compute $S_0=T_2^{s_1} \cdot T_3^{s_2}$. \medskip - \item[~~~Finally,] keep $C_z\in\GG$ and all the random coins in $\mathsf{aux}$, + \item[~~~Finally,] keep $C_z\in\GG$ and all the random coins in $\mathsf{aux}$, \item[~~~and] output \begin{equation} \label{eq-comm-2} \begin{aligned} \mathsf{com}=\Bigl( \{C_i\}_{i=0}^3, F_0, \{(T_i,V_i)\}_{i=0,2,3,4},~~~\\ S_0, \{(\hat{D}_i,\hat{E}_i)\}_{i=0}^2 - \Bigr) \in \GG^{14} \times \hat{\GG}^{6} + \Bigr) \in \GG^{14} \times \hat{\GG}^{6} \end{aligned} \end{equation} \end{enumerate} \vspace{-2mm} @@ -526,15 +526,15 @@ clear), proving knowledge of a valid signature still requires proving a statem \item[\textsf{Challenge}] Given $\mathsf{com}$ as per (\ref{eq-comm-2}), pick $\rho\sample\ZZ_p $ uniformly at random and return $\mathsf{chall}=\rho $. \item[\textsf{Response}] On inputs $\mathsf{com}$, $\mathsf{aux}$ and $\mathsf{chall}=\rho$, compute: % the following elements over $\ZZ_p$: \end{description}\vspace{-4mm} - %set $t_5=[t_4-t_1r_1-t_2r_2 \!\mod p]$ and + %set $t_5=[t_4-t_1r_1-t_2r_2 \!\mod p]$ and \begin{enumerate} - \item $\bar{m}_i= \rho\cdot m_i + u_i $, for $i=1$ to $\ell$, $\bar{r}_1= \rho \cdot r_1 +s_1 $, + \item $\bar{m}_i= \rho\cdot m_i + u_i $, for $i=1$ to $\ell$, $\bar{r}_1= \rho \cdot r_1 +s_1 $, and $\bar{r}_2= \rho\cdot r_2 +s_2 $; \item $w_z= \rho\cdot t_z + v_z $ and $w_i= \rho\cdot t_i + v_i $, for $i=0$ to $3$; \item $w_4= \rho\cdot t_4 + v_4 $, where $t_4:=t_0-t_1 \cdot r_1-t_2 \cdot r_2$; \item $z_i= \rho\cdot x_i + y_i $ for each $i \in \{0,2,3,4\}$. \smallskip \item[~~~Output] $\mathsf{resp}\in \GG\times \ZZ_p^{\ell+12}$ as - \begin{align*} + \begin{align*} %\mathsf{resp}= \bigl( C_z,\{\bar{m}_i\}_{i=1}^\ell,\bar{r}_1,\bar{r}_2, w_z,\{w_i\}_{i=0}^4,\{z_i\}_{i=0,2,3,4} \bigr). @@ -543,15 +543,15 @@ clear), proving knowledge of a valid signature still requires proving a statem % \begin{description} \item[\textsf{Verify}] Given $(\mathsf{com};\mathsf{chall};\mathsf{resp})$ return $0$ if it does not parse correctly or if the following relations do not hold: \vspace{-2mm} -\end{description} +\end{description} \begin{enumerate} \item $(\hat{D}_1/\hat{g}_{\ell+2})^{\,\rho}\cdot\hat{E}_1 =\hat{g}_2^{\,\bar{m}_1}\cdots\hat{g}_{\ell+1}^{\,\bar{m}_\ell}\cdot g^{\bar{r}_1}$ and $(\hat{D}_2/\hat{g}_{2\ell+3})^{\,\rho}\cdot\hat{E}_2 =\hat{g}_{\ell+3}^{\,\bar{m}_1}\cdots\hat{g}_{2 \ell+2}^{\,\bar{m}_\ell}\cdot g^{\bar{r}_2}$ ; \item $\hat{D}_0^{\,\rho}\cdot\hat{E}_0 - =\hat{g}_z^{w_z} \cdot \hat{g}_1^{w_1} \cdot \hat{D}_{1}^{w_2} \cdot \hat{D}_{2}^{w_3} - \cdot \hat{g}^{-w_0}$ and + =\hat{g}_z^{w_z} \cdot \hat{g}_1^{w_1} \cdot \hat{D}_{1}^{w_2} \cdot \hat{D}_{2}^{w_3} + \cdot \hat{g}^{-w_0}$ and $C_0^{\,\rho}\cdot F_0=C_2^{\,\bar{r}_1} \cdot C_3^{\,\bar{r}_2} \cdot {g}^{w_4}$. \item $T_i^{\rho}\cdot V_i=g^{w_i}f^{z_i}$ for each $i \in \{0,2,3,4\}$ and \begin{eqnarray} \label{last-ver-sig} @@ -559,147 +559,147 @@ clear), proving knowledge of a valid signature still requires proving a statem \end{eqnarray} \vspace{-5mm} %\end{enumerate} % - \item[~~~Then,] return $1$ if and only if + \item[~~~Then,] return $1$ if and only if % \begin{align} \label{eq-vrf-2} \lefteqn{e(C_0,\hat{g}) \cdot e(g,\hat{D}_0) \cdot e(\Omega,\hat{g}_{2 \ell+4})^{-1}} \\ \nonumber & \quad = \, e(C_1,\hat{g_1}) \cdot e(C_2,\hat{D}_1) %\\ \qquad \cdot e(C_3,\hat{D}_2) \cdot e(C_z,\hat{g}_z) . \end{align} - % + % % and $0$ otherwise. \vspace{-1mm} \end{enumerate} \noindent -It is worth noticing that no pairing evaluation is required until the final step of $\mathsf{Verify}$, which is almost as efficient as the verification of +It is worth noticing that no pairing evaluation is required until the final step of $\mathsf{Verify}$, which is almost as efficient as the verification of underlying signatures. -Moreover, the prover's first message $\mathsf{com}$ is of constant-size and the communication complexity of the protocol exceeds the length of the witness by +Moreover, the prover's first message $\mathsf{com}$ is of constant-size and the communication complexity of the protocol exceeds the length of the witness by a constant additive overhead. \vspace{-1mm} \begin{theorem} - The above interactive scheme is a secure $\Sigma$-protocol for the language $L_{sig}$ induced by the relation - $R_{sig}(\mathsf{pk},(\vec{\sigma},\vec{m}))=1$ if and only if $\mathsf{Verify}'(\mathsf{pk},\vec{\sigma},\vec{m})=1$, + The above interactive scheme is a secure $\Sigma$-protocol for the language $L_{sig}$ induced by the relation + $R_{sig}(\mathsf{pk},(\vec{\sigma},\vec{m}))=1$ if and only if $\mathsf{Verify}'(\mathsf{pk},\vec{\sigma},\vec{m})=1$, where $(\mathsf{KeyGen},\mathsf{Sign},\mathsf{Verify}')$ is the signature of Section~\ref{scal-sig}. \end{theorem} -\begin{proof} -\emph{Correctness.} - Expanding an honestly generated $\hat{D}_0=\hat{g}_z^{t_z} \cdot \hat{g}_1^{t_1} \cdot \hat{D}_1^{t_2} \cdot +\begin{proof} +\emph{Correctness.} + Expanding an honestly generated $\hat{D}_0=\hat{g}_z^{t_z} \cdot \hat{g}_1^{t_1} \cdot \hat{D}_1^{t_2} \cdot \hat{D}_2^{t_3} \cdot \hat{g}^{-t_0}$ in equation (\ref{eq-vrf-2}) and regrouping the pairing factors gives % - \begin{multline*} %\label{eq-vrf-corr-1} + \begin{multline*} %\label{eq-vrf-corr-1} \quad e(C_0\cdot {g}^{-t_0},\hat{g}) \cdot e(\Omega,\hat{g}_{2\ell+4})^{-1} \\ %& \quad \!\! - = \, e(C_1\cdot {g}^{-t_1},\hat{g_1}) \cdot e(C_2\cdot {g}^{-t_2},\hat{D}_1) \\ %\nonumber & - \cdot \, e(C_3\cdot {g}^{-t_3},\hat{D}_2) \cdot e(C_z\cdot {g}^{-t_z},\hat{g}_z) . + = \, e(C_1\cdot {g}^{-t_1},\hat{g_1}) \cdot e(C_2\cdot {g}^{-t_2},\hat{D}_1) \\ %\nonumber & + \cdot \, e(C_3\cdot {g}^{-t_3},\hat{D}_2) \cdot e(C_z\cdot {g}^{-t_z},\hat{g}_z) . \end{multline*} - % + % Now, expanding the commitments to group elements in $\GG$ reduces this equation to % \begin{align*} %\label{eq-vrf-corr-2} \lefteqn{e(\sigma_2^{r_1} \cdot \sigma_3^{r_2},\hat{g}) \cdot e(\Omega,\hat{g}_{2 \ell+4})^{-1} } - \\ %\nonumber + \\ %\nonumber & \quad = \, e(\sigma_1,\hat{g_1}) \cdot e(\sigma_2,\hat{D}_1) \cdot e(\sigma_3,\hat{D}_2) \cdot e(\pi ,\hat{g}_z) \end{align*} - % - which holds true for valid witnesses when $\hat{D}_1=d_1 \cdot \hat{g}^{r_1}$ and $\hat{D}_2=d_2 \cdot \hat{g}^{r_2}$. + % + which holds true for valid witnesses when $\hat{D}_1=d_1 \cdot \hat{g}^{r_1}$ and $\hat{D}_2=d_2 \cdot \hat{g}^{r_2}$. Remaining verifications of items 1,2,3 follow from the correctness of the built-in $\Sigma$-protocols. \medskip -\noindent \emph{Special-Soundness.} Let us assume two accepting transcripts $(\mathsf{com},\rho,\mathsf{resp})$, $(\mathsf{com},\rho',\mathsf{resp}')$ with $\rho \neq \rho'$. +\noindent \emph{Special-Soundness.} Let us assume two accepting transcripts $(\mathsf{com},\rho,\mathsf{resp})$, $(\mathsf{com},\rho',\mathsf{resp}')$ with $\rho \neq \rho'$. The special soundness of the sub-protocols involving $\hat{D}_1,\hat{D}_2$ (with $\hat{E}_1,\hat{E}_2$) - -- consisting of steps 1 and 2 of \textsf{Commit} and step 1 of \textsf{Verify} -- + -- consisting of steps 1 and 2 of \textsf{Commit} and step 1 of \textsf{Verify} -- ensures the extraction of $m_1,\ldots,m_\ell,r_1,r_2 $ satisfying - $\hat{D}_1=d_1\cdot\hat{g}^{r_1}$, where $d_1=\hat{g}_2^{m_1}\cdots \hat{g}_{\ell+1}^{m_\ell}\cdot\hat{g}_{\ell+2}$, and + $\hat{D}_1=d_1\cdot\hat{g}^{r_1}$, where $d_1=\hat{g}_2^{m_1}\cdots \hat{g}_{\ell+1}^{m_\ell}\cdot\hat{g}_{\ell+2}$, and $\hat{D}_2=d_2\cdot\hat{g}^{r_2}$, where $d_2=\hat{g}_{\ell+3}^{m_1}\cdots\hat{g}_{2 \ell+2}^{m_\ell}\cdot\hat{g}_{2\ell+3}$. - From step 2 of $\mathsf{Verify}$, a similar argument on $\hat{D}_0$ (with $\hat{E}_0$) implies the extractability of $(t_z,t_0,t_1,t_2,t_3,t_4)$ such + From step 2 of $\mathsf{Verify}$, a similar argument on $\hat{D}_0$ (with $\hat{E}_0$) implies the extractability of $(t_z,t_0,t_1,t_2,t_3,t_4)$ such that $\hat{D}_0={\hat{g}_z}^{t_z} \cdot {\hat{g}_1}^{t_1} \cdot {\hat{D}_{1}}^{t_2} \cdot {\hat{D}_{2}}^{t_3} \cdot {\hat{g}}^{-t_0}.$ - Moreover, together with previously extracted $(r_1,r_2)$, step 2 of $\mathsf{Verify}$ also guarantees that $t_4$ satisfies $C_0=C_2^{r_1} \cdot C_3^{r_2} \cdot g^{t_4}$. + Moreover, together with previously extracted $(r_1,r_2)$, step 2 of $\mathsf{Verify}$ also guarantees that $t_4$ satisfies $C_0=C_2^{r_1} \cdot C_3^{r_2} \cdot g^{t_4}$. % - - We now state that quantities $\{\sigma_i=C_i\cdot {g}^{-t_i}\}_{i \in \{1,2,3\}}$ and $\pi=C_z\cdot {g}^{-t_z}$ satisfy (\ref{sig-ver-1}), - so that, together with $\vec{m}=(m_1,\ldots,m_\ell)$, they form a valid witness for $R_{sig}$. Namely, + + We now state that quantities $\{\sigma_i=C_i\cdot {g}^{-t_i}\}_{i \in \{1,2,3\}}$ and $\pi=C_z\cdot {g}^{-t_z}$ satisfy (\ref{sig-ver-1}), + so that, together with $\vec{m}=(m_1,\ldots,m_\ell)$, they form a valid witness for $R_{sig}$. Namely, $({\sigma},\vec{m})=((\sigma_1,\sigma_2,\sigma_3,\pi),(m_1,\ldots,m_\ell))$ is a valid message-signature pair. - + To see this, define $\sigma_0=C_0\cdot g^{-t_0}$. Since equation (\ref{eq-vrf-2}) holds by hypothesis, if we expand all commitments using extracted values, we find % \begin{align*} %\label{eq-sound-1} \lefteqn{e(\sigma_0,\hat{g}) \cdot e(\Omega,\hat{g}_{2 \ell+4})^{-1}} \\ %\nonumber - & \; = \, e(\sigma_1,\hat{g_1}) \cdot e(\sigma_2,d_1\cdot \hat{g}^{r_1}) + & \; = \, e(\sigma_1,\hat{g_1}) \cdot e(\sigma_2,d_1\cdot \hat{g}^{r_1}) \cdot e(\sigma_3,d_2\cdot \hat{g}^{r_2}) \cdot e(\pi,\hat{g}_z) . \end{align*} - % - We are thus left with showing that $\sigma_0=\sigma_2^{r_1} \cdot \sigma_3^{r_2}$ or, equivalently, + % + We are thus left with showing that $\sigma_0=\sigma_2^{r_1} \cdot \sigma_3^{r_2}$ or, equivalently, $e(\sigma_0,\hat{g})=e(\sigma_2,\hat{g}^{r_1}) \cdot e(\sigma_3,\hat{g}^{r_2})$. Remember that, from step 2 of $\mathsf{Verify}$, we know that extracted $(r_1,r_2,t_4) \in \ZZ_p^3$ form a representation of $C_0$ {w.r.t.} - the base $(C_0,C_2,g)$: i.e., $C_0=C_2^{r_1} \cdot C_3^{r_2} \cdot g^{t_4}$, which, from the definition of - $\sigma_0,\sigma_2,\sigma_3$, yields + the base $(C_0,C_2,g)$: i.e., $C_0=C_2^{r_1} \cdot C_3^{r_2} \cdot g^{t_4}$, which, from the definition of + $\sigma_0,\sigma_2,\sigma_3$, yields $\sigma_0\cdot g^{t_0}=\sigma_2^{r_1} \cdot \sigma_3^{r_2} \cdot g^{t_2 \cdot r_1+t_3 \cdot r_2+t_4}$. Hence, we are done if we can show that $t_0=t_2r_1+t_3r_2+t_4$. But this exactly what step 3 of $\mathsf{Verify}$ and the - special soundness of the sub-protocol involving $(T_0,T_2,T_3,T_4)$ tells us. First, we have a representation of these - $T_i$'s {w.r.t.} the basis $(g,f)\in \GG^2$ which guarantees that we are working on the already extracted $(t_0,t_2,t_3,t_4)$ involved in the expressions of $\hat{D}_0$ and + special soundness of the sub-protocol involving $(T_0,T_2,T_3,T_4)$ tells us. First, we have a representation of these + $T_i$'s {w.r.t.} the basis $(g,f)\in \GG^2$ which guarantees that we are working on the already extracted $(t_0,t_2,t_3,t_4)$ involved in the expressions of $\hat{D}_0$ and $C_0$. - Second, the verification equation (\ref{last-ver-sig}) ensures that $T_0=T_2^{r_1} \cdot T_3^{r_2} \cdot T_4$ and the final result follows by replacing them by their - representation. + Second, the verification equation (\ref{last-ver-sig}) ensures that $T_0=T_2^{r_1} \cdot T_3^{r_2} \cdot T_4$ and the final result follows by replacing them by their + representation. \medskip -\noindent \emph{Perfect SHVZK.} - To show this property we must build a simulator that, on input of a challenge - $\mathsf{chall}=\rho \in_R \ZZ_p$, emulates a valid transcript without any witness. +\noindent \emph{Perfect SHVZK.} + To show this property we must build a simulator that, on input of a challenge + $\mathsf{chall}=\rho \in_R \ZZ_p$, emulates a valid transcript without any witness. First, we need to compute a random tuple $C_z,\{C_i\}_{i=0}^3,\{\hat{D}\}_{i=0}^2$ constrained to satisfy the verification equation (\ref{eq-vrf-2}). \vspace{-1mm} - - From the identity $e(\Omega,\hat{g}_{2\ell+4})^{-1}=e(\Omega^{-1},\hat{g}_{2\ell+4})$ we first pick - $a_0,a_1,a_2,a_z\gets\ZZ_p$, $\hat{D}_1\gets\Gh$ and we have $e(\Omega,\hat{g}_{2\ell+4})^{-1}= + + From the identity $e(\Omega,\hat{g}_{2\ell+4})^{-1}=e(\Omega^{-1},\hat{g}_{2\ell+4})$ we first pick + $a_0,a_1,a_2,a_z\gets\ZZ_p$, $\hat{D}_1\gets\Gh$ and we have $e(\Omega,\hat{g}_{2\ell+4})^{-1}= e(\Omega^{-1},\hat{g}_{2\ell+4}\cdot\hat{g}^{a_0}\hat{g}_1^{a_1}\hat{D}_1^{a_2}\hat{g}_z^{a_z}) \cdot e(\Omega^{a_0},\hat{g})\cdot e(\Omega^{a_1},\hat{g}_1)\cdot e(\Omega^{a_2},\hat{D}_1) \cdot e(\Omega^{a_z},\hat{g}_z)$, so that we can set $C_0=\Omega^{-a_0}$, $C_1=\Omega^{a_1}$, $C_2=\Omega^{a_2}$ and $C_z=\Omega^{a_z}$. Let $\hat{B}:=\hat{g}_{2\ell+4}\cdot\hat{g}^{a_0}\hat{g}_1^{a_1}\hat{D}_1^{a_2}\hat{g}_z^{a_z}$. - Now, we can introduce the constant $g \in \GG$ in the equation by picking $a_g\gets\ZZ_p$ since - $e(\Omega^{-1},\hat{B})=e(\Omega^{-1} \cdot g^{a_g},\hat{B})\cdot e(g,\hat{B}^{-a_g})$. Then, we finally set - $\hat{D}_0=\hat{B}^{a_g}$, $\hat{D}_2=\hat{B}^{a_3}$ and $C_3=(\Omega^{-1} \cdot g^{a_g})^{1/a_3}$ for a + Now, we can introduce the constant $g \in \GG$ in the equation by picking $a_g\gets\ZZ_p$ since + $e(\Omega^{-1},\hat{B})=e(\Omega^{-1} \cdot g^{a_g},\hat{B})\cdot e(g,\hat{B}^{-a_g})$. Then, we finally set + $\hat{D}_0=\hat{B}^{a_g}$, $\hat{D}_2=\hat{B}^{a_3}$ and $C_3=(\Omega^{-1} \cdot g^{a_g})^{1/a_3}$ for a random $a_3\gets\ZZ_p$. %\vspace{-1mm} - + To complete the simulated transcript, we run a parallel execution of the simulators of all $\Sigma$-protocols used as subroutines. - More explicitly, first pick $\rho\sample\ZZ_p$ and + More explicitly, first pick $\rho\sample\ZZ_p$ and $\bar{m}_1,\ldots,\bar{m}_\ell,\bar{r}_1,\bar{r}_2,w_z,w_0,\ldots,w_4,z_0,z_2,z_3,z_4\sample\ZZ_p$. Also, choose $T_0,T_2,T_3,T_4\sample\GG$ and do the following: \begin{enumerate} \item Compute \[\hat{E}_1 = (\hat{D}_1/\hat{g}_{\ell+2})^{\,-\rho}\cdot - \hat{g}_2^{\,\bar{m}_1}\cdots\hat{g}_{\ell+1}^{\,\bar{m}_\ell}\cdot g^{\bar{r}_1}\] and, similarly, + \hat{g}_2^{\,\bar{m}_1}\cdots\hat{g}_{\ell+1}^{\,\bar{m}_\ell}\cdot g^{\bar{r}_1}\] and, similarly, \[\hat{E}_2 = (\hat{D}_2/\hat{g}_{2\ell+3})^{\,-\rho}\cdot \hat{g}_{\ell+3}^{\,\bar{m}_1}\cdots\hat{g}_{2 \ell+2}^{\,\bar{m}_\ell}\cdot g^{\bar{r}_2};\] \item Compute \[F_0 = C_0^{\,-\rho}\cdot C_2^{\,\bar{r}_1} \cdot C_3^{\,\bar{r}_2} \cdot {g}^{w_4}\] - as well as - \[\hat{E}_0 = \hat{D}_0^{\,\rho}\cdot \hat{g}_z^{w_z} \cdot \hat{g}_1^{w_1} + as well as + \[\hat{E}_0 = \hat{D}_0^{\,\rho}\cdot \hat{g}_z^{w_z} \cdot \hat{g}_1^{w_1} \cdot \hat{D}_{1}^{w_2} \cdot \hat{D}_{2}^{w_3} \cdot \hat{g}^{-w_0} ; \] - \item Compute \[V_i = T_i^{-\rho}\cdot g^{v_i}f^{z_i},\] for each $i \in \{0,2,3,4\}$, and + \item Compute \[V_i = T_i^{-\rho}\cdot g^{v_i}f^{z_i},\] for each $i \in \{0,2,3,4\}$, and \[S_0 = (T_0/T_4)^{-\rho} \cdot T_2^{\bar{r}_1} \cdot T_3^{\bar{r}_2}.\] \end{enumerate} This concludes the proof. % TODO: ugly \end{proof} - + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \subsection{Signing a Committed Message} At a high level, the protocol involves a committer who wants to get a signature on ${\mathbf{m}}=(m_1,\ldots,m_\ell)$ and first computes a commitment of the form $c_v=v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot u^{r}$, where $u$ is the extra public parameter (with unknown discrete log). The signer gives back elements of the form $\tau_1=g^\omega c_v^s$, $\tau_2=g^s$, $\tau_3=h^s$ which is almost the desired signature. To get the component $\sigma_1$ of the right form relatively to $\tau_2,\tau_3$ the committer has to remove the factor $u^{rs}$ from $\tau_1$. Then, the signer also sends $\tau_0=u^s$ to enable removing $\tau_0^r$. -In the protocol some randomizing steps are included as well as other additional components allowing the committer to extract $\pi$, the QA-NIZK part of the signature. In the security proof of the protocol we thus have to show that the additional value $\tau_0=u^s$ does not affect the unforgeability of the signature. \smallskip +In the protocol some randomizing steps are included as well as other additional components allowing the committer to extract $\pi$, the QA-NIZK part of the signature. In the security proof of the protocol we thus have to show that the additional value $\tau_0=u^s$ does not affect the unforgeability of the signature. \smallskip \noindent \textbf{The protocol.} % -At the beginning of a new run of the protocol, the committer has a vector ${\mathbf{m}}=(m_1,\ldots,m_\ell)$, the public-key of the signature scheme and the extra generator $u\in\GG$ (which can be a hashed point), the signer also has the secret key of the signature scheme but not ${\mathbf{m}}$. -To get a signature on ${\mathbf{m}}$, the committer picks $r\sample\ZZ_p$ and computes a perfectly hiding commitment $c_v=v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot u^{r}\in\GG$. +At the beginning of a new run of the protocol, the committer has a vector ${\mathbf{m}}=(m_1,\ldots,m_\ell)$, the public-key of the signature scheme and the extra generator $u\in\GG$ (which can be a hashed point), the signer also has the secret key of the signature scheme but not ${\mathbf{m}}$. +To get a signature on ${\mathbf{m}}$, the committer picks $r\sample\ZZ_p$ and computes a perfectly hiding commitment $c_v=v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot u^{r}\in\GG$. Besides, it also computes the elements $c_z = z_2^{m_1}\cdots z_{\ell+1}^{m_\ell}\cdot u^{t_z}$. -%and $c_r = r_2^{m_1}\cdots r_{\ell+1}^{m_\ell}\cdot u^{t_r}$. +%and $c_r = r_2^{m_1}\cdots r_{\ell+1}^{m_\ell}\cdot u^{t_r}$. The signer receives these commitments and they both engage in an interactive proof of knowledge of an equal representation of $c_v$ relatively to the basis $(v_1,\ldots,v_\ell;u)$ and $c_z$ relatively to the basis $(z_2,\ldots,z_{\ell+1};u)$, -%and $c_r$ relatively to the basis $(r_2,\ldots,r_{\ell+1};u)$, +%and $c_r$ relatively to the basis $(r_2,\ldots,r_{\ell+1};u)$, where the signer plays the role of the verifier. Depending on the success of the proof the signer computes what we can call a ``pre-signature'' consisting of the following group elements % @@ -709,7 +709,7 @@ Depending on the success of the proof the signer computes what we can call a ``p \tau_2 & = g^s , & \tau_0 & = u^s , & %r_0 & = r_1^\omega \cdot c_r^s \cdot r_{\ell+2}^s , \end{align*} -%and $(z_d,r_d)=(z_{\ell+3}^s,r_{\ell+3}^s)$, +%and $(z_d,r_d)=(z_{\ell+3}^s,r_{\ell+3}^s)$, for a random $s\sample\ZZ_p$. In the final step, the user received the pre-signature, then picks $s'\sample\ZZ_p$ and computes $(\sigma_1, \sigma_2, \sigma_3, \pi) \in \GG^4$ as follows \begin{align*} @@ -723,13 +723,13 @@ $(\sigma_1, \sigma_2, \sigma_3, \pi) \in \GG^4$ as follows \end{align*} Finally the user checks the validity of the signature. Depending on the validity, the user outputs the signature or a failure symbol $\bot$. -We notice that the number of transmitted group elements is constant and no pairing is needed before the signature verification phase. -In comparison, the construction of \cite{CL02a} requires groups of larger hidden order and their protocol for signing committed message blocks requires a linear number of range proofs. \smallskip +We notice that the number of transmitted group elements is constant and no pairing is needed before the signature verification phase. +In comparison, the construction of \cite{CL02a} requires groups of larger hidden order and their protocol for signing committed message blocks requires a linear number of range proofs. \smallskip \noindent \textbf{Security.} % We briefly sketch the proof of the above protocol in front of malicious entities since classical arguments can be applied. Assuming that the committer uses secure ZKPK and does not output $\bot$, a malicious signer which receives perfectly hiding commitments $c_v,c_z$ cannot tell apart an honest proof from a simulated proof. Consequently the signer learns nothing from ${\mathbf{m}}$ during the execution of the protocol. -In the other case, we have to show that a corrupted committer remains unable to produce valid signature on a new vector ${\mathbf{m}^\star}$. First, since the generation of $u$ is not under the controlled of the committer but of the random oracle, $u$ can be made independent of rest of $\mathsf{pk}$. Then, we only need to show that the signature remains unforgeable when $\tau_0$ is given in the signature. Since ${\mathbf{m}}$ and $s$ can be extracted from the proof of knowledge the reduction can output a signature on ${\mathbf{m}}$. Moreover it is easy to see from the security proof (in \cref{sse:sigmasig-qa-nizk}) of the signature how this additional element can be simulated. Actually the only place in the reduction where $\tau_0$ could not be computed directly as $u^s$ for a known $s$ is when the challenger $\bdv$ has to embed an SXDH challenge in a simulated signature. Given ($g,h,g^b,h^{b+c}$), $\bdv$ can compute $u=g^{a_u}h^{b_u}$ from random $a_u,b_u\gets\ZZ_p$ and program the random oracle to output this element $u$ as the specification of the public-key would do. Then to simulate $\tau_0$ $\bdv$ simply has to compute $\tau_0=(g^b)^{a_u}(h^{b+c})^{b_v}=u^bh^{c\cdot b_v}$ which is $u^b$ or random. The rest of the reduction remains unchanged since the value $a_u,b_u$ are completely independent of those already described in the sketch of proof in \cref{sse:sigmasig-qa-nizk}. \smallskip +In the other case, we have to show that a corrupted committer remains unable to produce valid signature on a new vector ${\mathbf{m}^\star}$. First, since the generation of $u$ is not under the controlled of the committer but of the random oracle, $u$ can be made independent of rest of $\mathsf{pk}$. Then, we only need to show that the signature remains unforgeable when $\tau_0$ is given in the signature. Since ${\mathbf{m}}$ and $s$ can be extracted from the proof of knowledge the reduction can output a signature on ${\mathbf{m}}$. Moreover it is easy to see from the security proof (in \cref{sse:sigmasig-qa-nizk}) of the signature how this additional element can be simulated. Actually the only place in the reduction where $\tau_0$ could not be computed directly as $u^s$ for a known $s$ is when the challenger $\bdv$ has to embed an SXDH challenge in a simulated signature. Given ($g,h,g^b,h^{b+c}$), $\bdv$ can compute $u=g^{a_u}h^{b_u}$ from random $a_u,b_u\gets\ZZ_p$ and program the random oracle to output this element $u$ as the specification of the public-key would do. Then to simulate $\tau_0$ $\bdv$ simply has to compute $\tau_0=(g^b)^{a_u}(h^{b+c})^{b_v}=u^bh^{c\cdot b_v}$ which is $u^b$ or random. The rest of the reduction remains unchanged since the value $a_u,b_u$ are completely independent of those already described in the sketch of proof in \cref{sse:sigmasig-qa-nizk}. \smallskip \noindent \textbf{Remark.} % @@ -742,109 +742,109 @@ Since a malicious signer may know the simulation trapdoor $\mathsf{tk}=\{\chi_i \addcontentsline{tof}{section}{\protect\numberline{\thesection} Construction de la signature de groupe dynamique} We adapt the protocol of section~\ref{scal-sig} to build a dynamic group -signature~\cite{BSZ05,KY06}. -\indent At a high level, each group member obtains a membership certificate consisting of a signature $(\sigma_1,\sigma_2,\sigma_3,\pi)$ on -a message $\ID \in \Zp$ which is only known to the group member. During the joining protocol, each group member thus obtains a signature -on a committed message $\ID \in \Zp$. Here, we use a deterministic commitment to $\ID$, which suffices to ensure security against framing attacks and allows for a better -efficiency. When signing a message, each group member verifiably encrypts the components $(\sigma_1,\pi)$ of his membership certificate that depend on $\ID$ (and not $\sigma_2,\sigma_3$ which can be assumed to be honestly computed here, unlike in the previous section). -For the sake of efficiency, we use a randomness re-using \cite{BBKS07} variant of the Cramer-Shoup encryption scheme \cite{CS98} whereby $\sigma_1$ and $\pi$ are both encrypted using -the same encryption exponent $\theta \in \Zp$. For public verifiability purposes, the validity of Cramer-Shoup ciphertexts is demonstrated using +signature~\cite{BSZ05,KY06}. +\indent At a high level, each group member obtains a membership certificate consisting of a signature $(\sigma_1,\sigma_2,\sigma_3,\pi)$ on +a message $\ID \in \Zp$ which is only known to the group member. During the joining protocol, each group member thus obtains a signature +on a committed message $\ID \in \Zp$. Here, we use a deterministic commitment to $\ID$, which suffices to ensure security against framing attacks and allows for a better +efficiency. When signing a message, each group member verifiably encrypts the components $(\sigma_1,\pi)$ of his membership certificate that depend on $\ID$ (and not $\sigma_2,\sigma_3$ which can be assumed to be honestly computed here, unlike in the previous section). +For the sake of efficiency, we use a randomness re-using \cite{BBKS07} variant of the Cramer-Shoup encryption scheme \cite{CS98} whereby $\sigma_1$ and $\pi$ are both encrypted using +the same encryption exponent $\theta \in \Zp$. For public verifiability purposes, the validity of Cramer-Shoup ciphertexts is demonstrated using $\Sigma$-protocols and the Fiat-Shamir heuristic \cite{FS86} (somewhat in the fashion of \cite{SG98}) rather than designated verifier NIZK proofs \cite{CS98}. \\ -\indent -In the join protocol, the user proves knowledge of his membership secret $\ID \in \Zp$ in a zero-knowledge manner, which restricts the group manager to sequentially interact -with prospective users. However, this limitation can be removed using an extractable commitment as in \cite{DP06}. +\indent +In the join protocol, the user proves knowledge of his membership secret $\ID \in \Zp$ in a zero-knowledge manner, which restricts the group manager to sequentially interact +with prospective users. However, this limitation can be removed using an extractable commitment as in \cite{DP06}. -\begin{description} +\begin{description} \item[\textsf{Keygen}$(\lambda, N)$:] given $\lambda \in \NN$, and the maximum number of users $N \in \poly(\lambda)$, choose asymmetric - bilinear groups $\mathsf{cp}=(\GG, \Gh, \GT,p)$ of order $p > 2^\lambda$. + bilinear groups $\mathsf{cp}=(\GG, \Gh, \GT,p)$ of order $p > 2^\lambda$. \end{description} \vspace{-2mm} \begin{enumerate} \item Generate a key pair $(\pk_s, \sk_s)$ for the scheme of - section~\ref{scal-sig} for a one-block message (i.e., $\ell=1$). The secret key is + section~\ref{scal-sig} for a one-block message (i.e., $\ell=1$). The secret key is $\sk_s = \omega$, while the public key is \begin{align*} \pk_s = \bigl( \mathsf{cp},~g,~h,~\hat{g}, ~\vec{v}=(v,w), ~\Omega=h^\omega,~\mathsf{crs} \bigr), \end{align*} - where %$\Omega=h^\omega$ and + where %$\Omega=h^\omega$ and $\mathsf{crs} = \big(\{{z}_j\}_{j=1}^{3}, \hat g_z, \{\hat g_i\}_{i=1}^{6} \big)$. - \item Pick $x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \sample \Zp$ and set + \item Pick $x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \sample \Zp$ and set \begin{align*} X_z & = g^{x_z} h^{y_z}, & X_\sigma & = g^{x_\sigma} h^{y_\sigma}, & X_\ID & = g^{x_\ID} h^{y_\ID}. \end{align*} - \item Choose a hash function $H : \bit^* \times \GG^{10} \times \GT \to \Zp$ + \item Choose a hash function $H : \bit^* \times \GG^{10} \times \GT \to \Zp$ that will be modeled as a random oracle. - \item Define - $\mathcal Y = \bigl\{ \pk_s, X_z, X_\sigma, X_\ID \bigr\} $ to be the group public key. - The group manager's private key is $\mathcal S_\GM = \omega = \sk_s$ whereas the opening authority's private key consists of - $ \mathcal S_\mathrm{OA} = \bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$. + \item Define + $\mathcal Y = \bigl\{ \pk_s, X_z, X_\sigma, X_\ID \bigr\} $ to be the group public key. + The group manager's private key is $\mathcal S_\GM = \omega = \sk_s$ whereas the opening authority's private key consists of + $ \mathcal S_\mathrm{OA} = \bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$. \end{enumerate} \vspace{-1mm} % -\begin{description} +\begin{description} \item[\textsf{Join}$^{(\GM, \U_i)}$:] The group manager $\GM$, and the prospective user $\U_i$ run the following interactive protocol: %$[ \mathsf J_{\user}(\lambda, \mathcal Y), \mathsf J_\GM(\lambda, St, \mathcal Y, \mathcal S_{\GM}) ]$ \end{description} \vspace{-2mm} \begin{enumerate} - \item $\U_i$ chooses ${\ID \sample \Zp}$ and sends the following to + \item $\U_i$ chooses ${\ID \sample \Zp}$ and sends the following to $\GM$: $(V_\ID, Z_{\ID}, \hat G_{2, \ID}, \hat G_{4, \ID}) = (v^\ID, z_2^\ID, \hat g_2^\ID, \hat g_4^\ID)$ - \item $\GM$ checks that $V_\ID$ does not appear in any transcript of + \item $\GM$ checks that $V_\ID$ does not appear in any transcript of $St$ and abort if it does. Otherwise (i.e., if $V_\ID$ is fresh), $\GM$ verifies that: for $k=2,4$, \begin{align*} e(V_\ID,\hat g_k) & \iseq e( v, \hat G_{k,\ID}) , & e(Z_{\ID},\hat g_k) & \iseq e( z_2, \hat G_{k,\ID}) . - %\\ + %\\ %& e(V_\ID, \hat G_{4,\ID}^{-1}) &\iseq 1. \end{align*} - If all tests pass, samples a fresh index $i \in \Zp$ and sends it to + If all tests pass, samples a fresh index $i \in \Zp$ and sends it to $\U_i$, otherwise abort. - \item $\U_i$ runs an interactive zero-knowledge proof of knowledge of - $\ID =\log_v(V_\ID)$ in interaction with $\GM$. For instance, the - 4-round protocol of Cramer~\textit{et al.}~\cite{CDM00} can be used for + \item $\U_i$ runs an interactive zero-knowledge proof of knowledge of + $\ID =\log_v(V_\ID)$ in interaction with $\GM$. For instance, the + 4-round protocol of Cramer~\textit{et al.}~\cite{CDM00} can be used for this purpose. Let $\pi_K(\ID)$ denote the interaction transcript. \item $\GM$ uses $V_\ID=v^{\ID}$ to sign $\ID$ using the scheme of section~\ref{scal-sig}: i.e., $\GM$ picks $s \sample \Zp$, and - uses $\mathcal S_\GM = \omega$ to compute - $\sigma_1= g^\omega\cdot(V_\ID \cdot w)^s= g^\omega \cdot (v^\ID \cdot w)^s$ - and + uses $\mathcal S_\GM = \omega$ to compute + $\sigma_1= g^\omega\cdot(V_\ID \cdot w)^s= g^\omega \cdot (v^\ID \cdot w)^s$ + and \begin{align*} \sigma_2 & = g^s, & \sigma_3 & = h^s. \end{align*} Then $\GM$ uses $Z_{\ID}$ to generate the QA-NIZK proof $\pi\in \GG$ as \begin{align*} - \pi &= z_1^\omega \cdot (Z_{\ID} \cdot z_3)^s + \pi &= z_1^\omega \cdot (Z_{\ID} \cdot z_3)^s = z_1^\omega \cdot (z_2^\ID \cdot z_3)^s \end{align*} - and finally sends + and finally sends $\crt_i = (i, V_\ID, \sigma_1, \sigma_2, \sigma_3, \pi)$ - \item Finally $\GM$ and $\mathcal{U}_i$ respectively store + \item Finally $\GM$ and $\mathcal{U}_i$ respectively store \begin{align} \label{gsig-trans} \!\!\!\!\transcript_i & \! = \! - \Bigl(\! \bigl( Z_{\ID}, \hat G_{2,\ID}, \hat G_{4,\ID} \bigr), \pi_K(\ID),\crt_i \!\Bigr) + \Bigl(\! \bigl( Z_{\ID}, \hat G_{2,\ID}, \hat G_{4,\ID} \bigr), \pi_K(\ID),\crt_i \!\Bigr) \end{align} and $(\crt_i,\scr_i) =\bigl( (i, V_\ID, \sigma_1, \sigma_2, \sigma_3, \pi), \ID \bigr)$. %\vspace{-1mm} - \end{enumerate} + \end{enumerate} % \begin{description} \item[\textsf{Sign}$(\mathcal Y, \scr_i, \crt_i, M)$:] Given a message $M \in \bit^*$ and a secret $\scr_i = \ID$, the user $\U_i$ does the following: \end{description} \vspace{-2mm} \begin{enumerate} - \item Re-randomize the certificate $\crt_i$. Namely, choose $r \sample \Zp$ and compute $\tilde \sigma_2 = \sigma_2 \cdot g^r$, $\tilde \sigma_3 = \sigma_3 \cdot h^r$, - $\tilde \sigma_1 = \sigma_1 \cdot (v^\ID \cdot w)^r$, $\tilde \pi = \pi \cdot (z_2^\ID \cdot z_3)^r$. + \item Re-randomize the certificate $\crt_i$. Namely, choose $r \sample \Zp$ and compute $\tilde \sigma_2 = \sigma_2 \cdot g^r$, $\tilde \sigma_3 = \sigma_3 \cdot h^r$, + $\tilde \sigma_1 = \sigma_1 \cdot (v^\ID \cdot w)^r$, $\tilde \pi = \pi \cdot (z_2^\ID \cdot z_3)^r$. - \item Encrypt elements $\tilde \pi$, $\tilde \sigma_1$ and $v^\ID$ from the membership certificate. - Specifically, choose $\theta \sample \Zp$ and compute the Cramer-Shoup ciphertext + \item Encrypt elements $\tilde \pi$, $\tilde \sigma_1$ and $v^\ID$ from the membership certificate. + Specifically, choose $\theta \sample \Zp$ and compute the Cramer-Shoup ciphertext $C_{\mathsf{CS}}=(C_1,C_2,C_z,C_{\sigma},C_{\ID})$, where $C_1 = g^\theta$, $C_2 = h^\theta$, \begin{align*} C_z & = \tilde \pi \cdot X_z^\theta, & @@ -852,20 +852,20 @@ with prospective users. However, this limitation can be removed using an extract C_\ID & = v^\ID \cdot X_\ID^\theta. \end{align*} - \item Then, prove knowledge of $(\ID, \theta) \in \Zp^2$ such that + \item Then, prove knowledge of $(\ID, \theta) \in \Zp^2$ such that \begin{align*} %\label{sham-rel-1} - C_1 & = g^\theta ,& + C_1 & = g^\theta ,& C_2 & = h^\theta, & - C_\ID & = v^\ID \cdot X_\ID^\theta, %\quad + C_\ID & = v^\ID \cdot X_\ID^\theta, %\quad \end{align*} % and \begin{align*} %\label{sham-rel-3} - \lefteqn{\big(e(C_z, \hat g_z) \cdot e(C_\sigma, \hat g_1) \cdot e(\tilde \sigma_2, \hat g_3) + \lefteqn{\big(e(C_z, \hat g_z) \cdot e(C_\sigma, \hat g_1) \cdot e(\tilde \sigma_2, \hat g_3) \cdot e(\tilde \sigma_3, \hat g_5) \cdot e(\Omega, \hat g_6) \big)} \\ %\nonumber - & = \big( e(X_z, \hat g_z) \cdot e(X_\sigma, \hat g_1) \big)^{\theta} + & = \big( e(X_z, \hat g_z) \cdot e(X_\sigma, \hat g_1) \big)^{\theta} \cdot\big(e(\tilde \sigma_2, \hat g_2) \cdot e(\tilde \sigma_3, \hat g_4) \big)^{-\ID} . \end{align*} - Namely, sample random $r_\ID, r_\theta \sample \Zp$, compute + Namely, sample random $r_\ID, r_\theta \sample \Zp$, compute \begin{eqnarray*} &\begin{aligned} R_1 &= g^{r_\theta}, & @@ -877,22 +877,22 @@ with prospective users. However, this limitation can be removed using an extract \cdot \big(e(\tilde \sigma_2, \hat g_2) \cdot e(\tilde \sigma_3, \hat g_4) \big)^{-r_\ID} \end{aligned} \end{eqnarray*} - and then $c = H(M, C_{\mathsf{CS}},\tilde{\sigma}_2,\tilde{\sigma}_3, R_1, R_2, R_3, R_4)$. + and then $c = H(M, C_{\mathsf{CS}},\tilde{\sigma}_2,\tilde{\sigma}_3, R_1, R_2, R_3, R_4)$. Finally compute $ s_\theta = r_\theta + c \cdot \theta$, $s_\ID = r_\ID + c \cdot \ID$~in~$\Zp$. - \item Return the signature $\Sigma $ which consists of + \item Return the signature $\Sigma $ which consists of \begin{equation} \label{gsig-sigma} - \hspace{-1.25em} \Sigma=(C_{\mathsf{CS}}, \tilde \sigma_2, \tilde \sigma_3, c, s_\ID, s_\theta) + \hspace{-1.25em} \Sigma=(C_{\mathsf{CS}}, \tilde \sigma_2, \tilde \sigma_3, c, s_\ID, s_\theta) \in\GG^7\times\Zp^3 \vspace{-1mm} \end{equation} % - \end{enumerate} + \end{enumerate} % \begin{description} - \item[\textsf{Verify}$(\mathcal Y, M, \Sigma)$:] - Parse the signature $\Sigma$ as in \eqref{gsig-sigma} and $C_{\mathsf{CS}}$ as + \item[\textsf{Verify}$(\mathcal Y, M, \Sigma)$:] + Parse the signature $\Sigma$ as in \eqref{gsig-sigma} and $C_{\mathsf{CS}}$ as $(C_1, C_2, C_z, C_\sigma, C_\ID)$. Then, output 1 if the the zero-knowledge proof verifies. Namely, -\end{description} +\end{description} \begin{enumerate} \item Compute the group elements $R_1$, $R_2$, $R_3\in\GG$ as: %\begin{eqnarray} @@ -902,14 +902,14 @@ with prospective users. However, this limitation can be removed using an extract %R_2 & = h^{s_\theta} \cdot C_2^{-c}, %\end{aligned}\\ %\begin{aligned} - %R_3 & = v^{s_\ID} \cdot X_\ID^{s_\theta} \cdot C_\ID^{-c}, \label{gsig-verif-1} + %R_3 & = v^{s_\ID} \cdot X_\ID^{s_\theta} \cdot C_\ID^{-c}, \label{gsig-verif-1} %\end{aligned} %\end{gathered} \\ %&\begin{aligned} %R_4 &= \big( e(X_z, \hat g_z) \cdot e(X_\sigma, \hat g_1) \big)^{s_\theta} \\& %\qquad \cdot \big(e(\tilde \sigma_2, \hat g_2) \cdot e(\tilde \sigma_3, \hat g_4) \big)^{-s_\ID} \\& %\quad \cdot \big(e(C_z, \hat g_z) \cdot e(C_\sigma, \hat g_1)\\& - %\qquad \cdot e(\tilde \sigma_2, \hat g_3) \cdot e(\tilde \sigma_3, \hat g_5) \big)^{-c} + %\qquad \cdot e(\tilde \sigma_2, \hat g_3) \cdot e(\tilde \sigma_3, \hat g_5) \big)^{-c} %\end{aligned} \label{gsig-verif-2} %\end{eqnarray} % @@ -920,33 +920,33 @@ with prospective users. However, this limitation can be removed using an extract R_2 & = h^{s_\theta} \cdot C_2^{-c}, \end{aligned}\\ \begin{aligned} - R_3 & = v^{s_\ID} \cdot X_\ID^{s_\theta} \cdot C_\ID^{-c}; \label{gsig-verif-1} + R_3 & = v^{s_\ID} \cdot X_\ID^{s_\theta} \cdot C_\ID^{-c}; \label{gsig-verif-1} \end{aligned} \end{gathered} \end{eqnarray} and the element $R_4\in\GT$ as \begin{align} \nonumber - \lefteqn{\big( e(X_z, \hat g_z) \cdot e(X_\sigma, \hat g_1) \big)^{s_\theta} - \cdot \big(e(\tilde \sigma_2, \hat g_2) \cdot e(\tilde \sigma_3, \hat g_4) \big)^{-s_\ID}} + \lefteqn{\big( e(X_z, \hat g_z) \cdot e(X_\sigma, \hat g_1) \big)^{s_\theta} + \cdot \big(e(\tilde \sigma_2, \hat g_2) \cdot e(\tilde \sigma_3, \hat g_4) \big)^{-s_\ID}} \\ \label{gsig-verif-2} - & \quad \cdot \big(e(C_z, \hat g_z) \cdot e(C_\sigma, \hat g_1) + & \quad \cdot \big(e(C_z, \hat g_z) \cdot e(C_\sigma, \hat g_1) \cdot e(\tilde \sigma_2, \hat g_3) \cdot e(\tilde \sigma_3, \hat g_5) \nonumber \\ & \qquad \cdot e(\Omega, \hat g_6) \big)^{-c} . - \end{align} + \end{align} \item Return $1$ if $ - c = H(M,C_{\mathsf{CS}},\tilde{\sigma}_2,\tilde{\sigma}_3, R_1, R_2, R_3, R_4)$ and $0$ otherwise. + c = H(M,C_{\mathsf{CS}},\tilde{\sigma}_2,\tilde{\sigma}_3, R_1, R_2, R_3, R_4)$ and $0$ otherwise. \end{enumerate} \vspace{-1mm} % \begin{description} - \item[\textsf{Open}$(\mathcal Y, \mathcal S_\OA, M, \Sigma)$:] Given a pair $(M,\Sigma)$ + \item[\textsf{Open}$(\mathcal Y, \mathcal S_\OA, M, \Sigma)$:] Given a pair $(M,\Sigma)$ and the $\mathsf{OA}$'s private key $S_\mathrm{OA} = \bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$: \vspace{-1mm} -\end{description} +\end{description} \begin{enumerate} - %\item Parse the signature $\Sigma$ as per~\eqref{gsig-sigma} and $\mathcal S_\OA$ as $ \bigl(x_z, y_z, x_r, y_r, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$. + %\item Parse the signature $\Sigma$ as per~\eqref{gsig-sigma} and $\mathcal S_\OA$ as $ \bigl(x_z, y_z, x_r, y_r, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$. \item Decrypt $C_{\mathsf{CS}}=(C_1, C_2, C_z, C_\sigma, C_\ID)$ by computing - $\sigma_1 = C_\sigma \cdot C_1^{-x_\sigma} \cdot C_2^{-y_\sigma}$, + $\sigma_1 = C_\sigma \cdot C_1^{-x_\sigma} \cdot C_2^{-y_\sigma}$, $ \pi = C_z \cdot C_1^{-x_z} \cdot C_2^{-y_z}$ and $V_\ID =C_\ID \cdot C_1^{-x_\ID} C_2^{-y_\ID}$. %\begin{align*} % \tilde \sigma_1 &= C_\sigma \cdot C_1^{-x_\sigma} \cdot C_2^{-y_\sigma}, & @@ -954,7 +954,7 @@ with prospective users. However, this limitation can be removed using an extract % z &= C_z \cdot C_1^{-x_z} \cdot C_2^{-y_z}, & % V_\ID &=C_\ID \cdot C_1^{-x_\ID} C_2^{-y_\ID}. & %\end{align*} - \item Search $V_\ID$ in the database of joining transcripts~\eqref{gsig-trans} and + \item Search $V_\ID$ in the database of joining transcripts~\eqref{gsig-trans} and check that it corresponds to a valid signature $\big(\tilde \sigma_1, \tilde \sigma_2, \tilde \sigma_3, \tilde \pi \big)$ for the committed value $V_\ID$. If so, return the corresponding $i$, otherwise return $\bot$. \medskip @@ -974,7 +974,7 @@ with prospective users. However, this limitation can be removed using an extract % If one and only one of them corresponds, then return the corresponding $i$, otherwise return $\bot$. \end{enumerate} -It is possible to spare one group element in the signature by eliminating the encryption $C_{\ID}$ of $v^\ID$ which is only used to open signatures in constant time. +It is possible to spare one group element in the signature by eliminating the encryption $C_{\ID}$ of $v^\ID$ which is only used to open signatures in constant time. Then, the opening algorithm has to check for each transcript if $(\tilde \sigma_1, \tilde \sigma_2, \tilde \sigma_3, \tilde \pi)$ corresponds to the identifier $\ID$ embedded in $(\sigma_1, \hat G_{2,\ID}, \hat G_{4, \ID})$ by testing the relation @@ -982,7 +982,7 @@ in $(\sigma_1, \hat G_{2,\ID}, \hat G_{4, \ID})$ by testing the relation This results in a modified opening algorithm which takes $O(N)$ in the worst-case. In applications where signature openings are infrequent, this is acceptable. %--------------------------------------------------------------------- -\subsection{Security} +\subsection{Security} \begin{theorem} \label{gsig-anon} If SXDH holds in $(\GG, \Gh, \GT)$, the scheme is CCA-anonymous in the random oracle model. %\vspace{-1mm} @@ -990,32 +990,32 @@ This results in a modified opening algorithm which takes $O(N)$ in the worst-cas \begin{proof} We use a sequence of games where, for each $i$, $W_i$ is the event that the adversary $\adv$ wins in Game $i$. -\\ -At the first transition, we need to rely on the security of the computational soundness of the QA-NIZK argument of Section~\ref{QA-NIZK-scheme} which relies on the SXDH assumption, since $\tilde \sigma_2$ and +\\ +At the first transition, we need to rely on the security of the computational soundness of the QA-NIZK argument of Section~\ref{QA-NIZK-scheme} which relies on the SXDH assumption, since $\tilde \sigma_2$ and $\tilde \sigma_3$ appear un-encrypted in each group signature. \vspace{-2mm} \begin{description} - \item[Game 0:] This is the real CCA-anonymity game. In the challenge phase, the adversary outputs two valid membership certificates and membership secrets $(\crt_0^\star,\scr_0^\star),(\crt_1^\star,\scr_1^\star)$ and obtains a challenge signature which the challenger computes using $(\crt_d^\star,\scr_d^\star)$, where $d\sample \{0,1\}$. We define $W_0$ to be the event that - the adversary outputs $d'=d$. + \item[Game 0:] This is the real CCA-anonymity game. In the challenge phase, the adversary outputs two valid membership certificates and membership secrets $(\crt_0^\star,\scr_0^\star),(\crt_1^\star,\scr_1^\star)$ and obtains a challenge signature which the challenger computes using $(\crt_d^\star,\scr_d^\star)$, where $d\sample \{0,1\}$. We define $W_0$ to be the event that + the adversary outputs $d'=d$. - \item[Game 1:] This game is as Game $0$, except that the challenger $\bdv$ aborts in the event, + \item[Game 1:] This game is as Game $0$, except that the challenger $\bdv$ aborts in the event, which we call $F_1$, that $\adv$ chooses - membership certificates $\crt_0^\star, \crt_1^\star$ for which one of the underlying signatures + membership certificates $\crt_0^\star, \crt_1^\star$ for which one of the underlying signatures $ \bigl( \sigma_1^\star, \sigma_2^\star, \sigma_3^\star, \pi^\star \bigr) $ - correctly verifies but $\log_g(\sigma_2^\star) \neq \log_h(\sigma_3^\star)$. + correctly verifies but $\log_g(\sigma_2^\star) \neq \log_h(\sigma_3^\star)$. This implies that the vector $(\sigma_1^\star, \sigma_2^{\star \ID}, \sigma_2^\star, \sigma_3^{\star \ID}, \sigma_3^\star, \Omega)$ - is outside the row space of the matrix $\mathbf{M}$ (\ref{matrix-scal-sig}), so that $F_1$ would contradict - the soundness of the QA-NIZK proof of \cite{KW15} - (via the same arguments as in Theorem 9 of \cite{LPY15} since the matrix can be witness-samplable here) - and thus the DDH assumption in $\Gh$. We have + is outside the row space of the matrix $\mathbf{M}$ (\ref{matrix-scal-sig}), so that $F_1$ would contradict + the soundness of the QA-NIZK proof of \cite{KW15} + (via the same arguments as in Theorem 9 of \cite{LPY15} since the matrix can be witness-samplable here) + and thus the DDH assumption in $\Gh$. We have $ [\Pr[W_1] - P[W_0] | \leq \advantage{\DDH}{\Gh}(\lambda).$ \item[Game 2:] We change the way to generate the challenge signature $ \Sigma^\star $. Instead of faithfully running the - Schnorr-like protocol, we use the HVZK-simulator to produce the proofs $s_\theta, s_\ID$ without knowing the witnesses + Schnorr-like protocol, we use the HVZK-simulator to produce the proofs $s_\theta, s_\ID$ without knowing the witnesses $\theta, \ID$. Namely, we pick $c,~ s_\theta,~ s_\ID \sample \Zp$ at random and set $ R_1 = g^{s_\theta} \cdot C_1^{-c}$, $R_2 = h^{s_\theta} \cdot C_2^{-c},$ - $R_3 = v^{s_\ID} \cdot X_{\ID}^{s_\theta} \cdot C_{\ID}^{-c}$ as well as + $R_3 = v^{s_\ID} \cdot X_{\ID}^{s_\theta} \cdot C_{\ID}^{-c}$ as well as %\begin{multline*} %R_4 = \big( e(X_z, \hat g_z) \cdot e(X_\sigma, \hat g_1) \big)^{s_\theta} \\ %\cdot \big(e(\tilde \sigma_2, \hat g_2) \cdot e(\tilde \sigma_3, \hat g_4) \big)^{-s_\ID} \\ @@ -1034,23 +1034,23 @@ $\tilde \sigma_3$ appear un-encrypted in each group signature. C_\ID &= v^\ID \cdot C_1^{x_\ID} \cdot C_2^{y_\ID}. \end{align*} The distribution of $(C_z, C_\sigma, C_\ID)$ remains the same and we have $\Pr[W_3] = \Pr[W_2]$. - + \item[Game 4:] Here, we modify the distribution of the challenge signature and replace $C_2 = h^\theta$ by $C_2 = h^{\theta + \theta'}$, for a randomly chosen $\theta' - \sample \Zp$. We prove in Lemma~\ref{le-gsig-3} that + \sample \Zp$. We prove in Lemma~\ref{le-gsig-3} that $\left| \Pr[W_4] - \Pr[W_3] \right| \leq \advantage{\DDH}{\GG}(\lambda)$. \item[Game 5:] We introduce one more change. Instead of sampling $h \in_R \Zp$, - the challenger chooses a random $\alpha \sample \Zp$ at the beginning of the game, sets $h = g^\alpha$ and retains the information $\alpha = \log_g(h)$ (note that - we are done with the DDH assumption and we can henceforth use $\alpha=\log_g(h)$). At each signature opening query, - the challenger returns $\perp$ on any signature - $\Sigma=(C_1, C_2, C_z, C_\sigma, C_\ID, \tilde \sigma_2, \tilde \sigma_3, c, s_\ID, s_\theta)$ such - that $C_2 \neq C_1^\alpha$. Game $5$ remains the same as Game $4$. until the event $E_5$ that $\adv$ queries the opening of a signature - that properly verifies although $C_2 \neq C_1^\alpha$. Lemma~\ref{le-gsig-4} states that $\Pr[E_5] \leq q_O \cdot q_H/ p$, where $q_O$ is the number of opening + the challenger chooses a random $\alpha \sample \Zp$ at the beginning of the game, sets $h = g^\alpha$ and retains the information $\alpha = \log_g(h)$ (note that + we are done with the DDH assumption and we can henceforth use $\alpha=\log_g(h)$). At each signature opening query, + the challenger returns $\perp$ on any signature + $\Sigma=(C_1, C_2, C_z, C_\sigma, C_\ID, \tilde \sigma_2, \tilde \sigma_3, c, s_\ID, s_\theta)$ such + that $C_2 \neq C_1^\alpha$. Game $5$ remains the same as Game $4$. until the event $E_5$ that $\adv$ queries the opening of a signature + that properly verifies although $C_2 \neq C_1^\alpha$. Lemma~\ref{le-gsig-4} states that $\Pr[E_5] \leq q_O \cdot q_H/ p$, where $q_O$ is the number of opening queries and $q_H$ is the number of random oracle queries. \vspace{-1mm} \end{description} -In Game $5$, $ \Sigma^\star $ perfectly hides $(\tilde{\pi},\tilde{\sigma}_1,v^{\mathsf{ID}})$. Indeed, +In Game $5$, $ \Sigma^\star $ perfectly hides $(\tilde{\pi},\tilde{\sigma}_1,v^{\mathsf{ID}})$. Indeed, \begin{equation*} \begin{gathered} \begin{aligned} @@ -1058,17 +1058,17 @@ In Game $5$, $ \Sigma^\star $ perfectly hides $(\tilde{\pi},\tilde{\sigma}_1 & C_z &= (\tilde z \cdot h^{\theta' \cdot y_z} ) \cdot X_z^\theta , \end{aligned}\\ \begin{aligned} - C_\sigma &= (\tilde \sigma_1 \cdot h^{\theta' \cdot y_\sigma} ) \cdot X_\sigma^\theta, - & \; C_\ID &= ( v^\ID \cdot h^{\theta' \cdot y_{\ID}} ) \cdot X_\ID^\theta + C_\sigma &= (\tilde \sigma_1 \cdot h^{\theta' \cdot y_\sigma} ) \cdot X_\sigma^\theta, + & \; C_\ID &= ( v^\ID \cdot h^{\theta' \cdot y_{\ID}} ) \cdot X_\ID^\theta \end{aligned} \end{gathered} \end{equation*} -and $(y_{\sigma},y_z,y_{\mathsf{ID}}) \in \Zp^3$ are completely independent of $\adv$'s view. -The only way for $\adv$ to infer information about $(y_{\sigma},y_z,y_{\mathsf{ID}}) $ is to make -opening queries on signatures such that $C_2 \neq C_1^\alpha$. However, all such signatures are declared invalid in Game $5$. +and $(y_{\sigma},y_z,y_{\mathsf{ID}}) \in \Zp^3$ are completely independent of $\adv$'s view. +The only way for $\adv$ to infer information about $(y_{\sigma},y_z,y_{\mathsf{ID}}) $ is to make +opening queries on signatures such that $C_2 \neq C_1^\alpha$. However, all such signatures are declared invalid in Game $5$. It comes that $\Pr[W_5]=1/2$. \medskip \\ - Finally, $\adv$'s advantage $\bigl| \Pr[W_0] - 1/2 \bigr|$ is bounded by + Finally, $\adv$'s advantage $\bigl| \Pr[W_0] - 1/2 \bigr|$ is bounded by \[ \advantage{\DDH}{\GG}(\lambda) + \advantage{\DDH}{\Gh}(\lambda)+ \frac{q_O \cdot q_H}{p} + \frac{1}{p^3}, \] @@ -1107,14 +1107,14 @@ It comes that $\Pr[W_5]=1/2$. \medskip % \begin{proof} Let us assume that an adversary $\adv$ wins with noticeably different probabilities in Game $4$ and Game $3$. We - then construct a DDH distinguisher $\bdv$ from $\adv$. - \\ \indent - Our reduction $\bdv$ takes as input a DDH instance $(g^a, g^b, \eta)$, where $\eta = g^{a(b+c)}$ and has to + then construct a DDH distinguisher $\bdv$ from $\adv$. + \\ \indent + Our reduction $\bdv$ takes as input a DDH instance $(g^a, g^b, \eta)$, where $\eta = g^{a(b+c)}$ and has to decide with non-negligible probability $\varepsilon$ whether $c = 0$ or $c \in_R \Zp$. To achieve this, $\bdv$ sets $h = g^a$ and computes the challenge signature as $ C_1 = g^b$ and $ C_2 = \eta$. The rest of the game continues like in Game $3$ (which is also the same as in Game $2$). If $\adv$ wins and correctly guesses $d'=d \in \{0,1\}$, $\bdv$ outputs $1$, meaning that $C_2 = h^{b } = g^{ab}$. Otherwise, $\bdv$ returns $0$ meaning that $(g^a, g^b, \eta) \in_R \GG^3$. - \\ -It is easy to see that $\bdv$'s advantage as a DDH distinguisher is $\varepsilon$ if $|\Pr[W_4]-\Pr[W_3]|=\varepsilon$. + \\ +It is easy to see that $\bdv$'s advantage as a DDH distinguisher is $\varepsilon$ if $|\Pr[W_4]-\Pr[W_3]|=\varepsilon$. %\vspace{-1mm} \end{proof} @@ -1125,11 +1125,11 @@ It is easy to see that $\bdv$'s advantage as a DDH distinguisher is $\varepsilon \begin{proof} This proof uses idea similar to the security proof of the Katz-Wang~\cite{KW03} signature scheme. In Game $5$, event $E_5$ happens if $\log_g(C_1) \neq \log_h(C_2)$ and the verification - equations~\eqref{gsig-verif-1} and \eqref{gsig-verif-2} holds. + equations~\eqref{gsig-verif-1} and \eqref{gsig-verif-2} holds. In particular, we have $ R_1 = g^{s_\theta} \cdot C_1^{-c}$ and $R_2 = h^{s_\theta} \cdot C_2^{-c}$, %\begin{align*} % R_1 &= g^{s_\theta} \cdot C_1^{-c}, & - % R_2 &= h^{s_\theta} \cdot C_2^{-c}, + % R_2 &= h^{s_\theta} \cdot C_2^{-c}, %\end{align*} which can be interpreted as a linear system with unknowns $(c,s_\theta) \in \Zp^2$ \begin{equation} \label{gsig-proof-sys} @@ -1139,75 +1139,75 @@ It is easy to see that $\bdv$'s advantage as a DDH distinguisher is $\varepsilon \end{cases} \end{equation} We can assume w.l.o.g. that each opening query is preceded by the corresponding random oracle query (otherwise, the reduction can simply make the hash query for itself). - The input of each hash query contains a pair $(R_1, R_2)$ determining the non-homogeneous terms of the linear - system~\eqref{gsig-proof-sys}. Since $\log_g(C_1) \neq \log_h(C_2)$, the system is full-rank, so that for each $(R_1,R_2)$, there is exactly - one pair $(c, s_\theta) \in \Zp^2$ that satisfies (\ref{gsig-proof-sys}). The probability that, in response to a random oracle query, the reduction returns + The input of each hash query contains a pair $(R_1, R_2)$ determining the non-homogeneous terms of the linear + system~\eqref{gsig-proof-sys}. Since $\log_g(C_1) \neq \log_h(C_2)$, the system is full-rank, so that for each $(R_1,R_2)$, there is exactly + one pair $(c, s_\theta) \in \Zp^2$ that satisfies (\ref{gsig-proof-sys}). The probability that, in response to a random oracle query, the reduction returns the value of $c$ which is uniquely determined by (\ref{gsig-proof-sys}) is at most $1/p$. For all hash queries, the probability that one of them be answered with the uniquely determined $c \in \ZZ_q$ is \emph{at most} - $q_H/p$. A union bound over all opening queries implies that the probability that the event $E_4$ happens is smaller than - $\Pr[E_4] \leq q_O \cdot q_H/p.$ + $q_H/p$. A union bound over all opening queries implies that the probability that the event $E_4$ happens is smaller than + $\Pr[E_4] \leq q_O \cdot q_H/p.$ %\vspace{-1mm} \end{proof} The proof of security against misidentification attacks requires the reduction to rewind a -the proof of knowledge of $\ID$ at each execution of the join protocol with the adversary attempting to escape traceability. -For this -reason, we need to assume that users join the system sequentially, rather than concurrently. -However, this problem can be solved as in \cite{DP06} by having the user send an extractable commitment to $\ID$ and non-interactively prove (via the Fiat-Shamir heuristic) that he did so correctly. -This allows the reduction to -extract $\ID$ without rewinding the user at each execution of $\mathsf{Join}$. Then, the proof of security against framing attacks must be modified by having the reduction +the proof of knowledge of $\ID$ at each execution of the join protocol with the adversary attempting to escape traceability. +For this +reason, we need to assume that users join the system sequentially, rather than concurrently. +However, this problem can be solved as in \cite{DP06} by having the user send an extractable commitment to $\ID$ and non-interactively prove (via the Fiat-Shamir heuristic) that he did so correctly. +This allows the reduction to +extract $\ID$ without rewinding the user at each execution of $\mathsf{Join}$. Then, the proof of security against framing attacks must be modified by having the reduction simulate the proof of knowledge of $\ID$ (by programming a random oracle) and rely on the hiding property of the extractable commitment. \begin{theorem} - In the ROM, the scheme is secure against + In the ROM, the scheme is secure against mis-identification attacks under the SXDH assumption in $(\GG,\Gh)$. \vspace{-1mm} \end{theorem} % \begin{proof} - The proof uses the forking technique \cite{PS00} % {\em rewinding extractor} method + The proof uses the forking technique \cite{PS00} % {\em rewinding extractor} method %from Bernhard~{\em et~al.}~\cite{BFW15}, - which consists in implicitly rewinding the zero-knowledge proof by running the adversary twice and changing the outputs of the random oracle after the hash query that involves - the forgery message. The Forking Lemma~\cite{PS00} -- more precisely, its generalization given by Bellare and Neven~\cite{BN06} -- ensures that, after two runs of the adversary, + which consists in implicitly rewinding the zero-knowledge proof by running the adversary twice and changing the outputs of the random oracle after the hash query that involves + the forgery message. The Forking Lemma~\cite{PS00} -- more precisely, its generalization given by Bellare and Neven~\cite{BN06} -- ensures that, after two runs of the adversary, the reduction can extract witnesses of which knowledge is demonstrated by the signature of knowledge.\\ %After the extraction, the reduction can then call the corresponding oracles to simulate the game without having - %information it does not hold. + %information it does not hold. \indent Let us assume an attacker $\adv$ against the mis-identification game that wins with non-negligible probability $\varepsilon$. We build an adversary $\bdv$ against the chosen-message security of the signature - scheme of section~\ref{scal-sig}. \medskip + scheme of section~\ref{scal-sig}. \medskip \\ \noindent \textit{Keygen.} At the key generation, $\bdv$ invokes its own challenger for the chosen-message security game to obtain the public key $\pk_s$ for the signature scheme. $\pk_s$ is embedded in the group public key $\mathcal Y$. Except for $\mathcal S_\GM$, all keys are generated as in the normal - \textsf{Keygen} algorithm. \medskip + \textsf{Keygen} algorithm. \medskip \\ \noindent \textit{Join.} To answer joining queries without knowing $\sk_s$, $\bdv$ uses the knowledge extractor of the proof of knowledge of $\ID = \log_v(V_\ID)$ to extract the identity to be signed. Namely, on a - \textsf{Join} query, the reduction $\bdv$ rewinds the adversary $\adv$ in order to extract the witness $\ID=\log_v(V_{\ID})$ of which $\adv$ demonstrates knowledge at step 3 of the - join protocol. Having extracted $\ID \in \Zp$, $\bdv$ invokes its own - signing oracle on the message $\ID$ to obtain $(\sigma_1, \sigma_2, \sigma_3, z, r)$. Then, $\bdv$ returns $\crt_i=(i,V_{\ID},\sigma_1,\sigma_2,\sigma_3,z,r)$ as in a normal execution + \textsf{Join} query, the reduction $\bdv$ rewinds the adversary $\adv$ in order to extract the witness $\ID=\log_v(V_{\ID})$ of which $\adv$ demonstrates knowledge at step 3 of the + join protocol. Having extracted $\ID \in \Zp$, $\bdv$ invokes its own + signing oracle on the message $\ID$ to obtain $(\sigma_1, \sigma_2, \sigma_3, z, r)$. Then, $\bdv$ returns $\crt_i=(i,V_{\ID},\sigma_1,\sigma_2,\sigma_3,z,r)$ as in a normal execution of the join protocol. \medskip \\ \noindent At some point, the attacker $\adv$ produces a valid forgery - $(M^\star, \Sigma^\star = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star, + $(M^\star, \Sigma^\star = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star, \tilde \sigma_2^\star, \tilde \sigma_3^\star, c^\star, s_\ID^\star, s_\theta^\star))$ for - which the opening algorithm does not reveal a properly registered identity. With all but negligible probability, $\adv$ must have queried the random oracle value + which the opening algorithm does not reveal a properly registered identity. With all but negligible probability, $\adv$ must have queried the random oracle value $H(M^\star, C_{\mathsf{CS}}^\star,\tilde{\sigma}_2^\star,\tilde{\sigma}_3^\star, R_1^\star, R_2^\star, R_3^\star, R_4^\star)$ which would have been unpredictable otherwise. \medskip \\ - Thus, $\bdv$ replays the adversary $\adv$ with the \emph{same} input and random tape as in the first run. In the second run, the random oracle is also the same until the hash query + Thus, $\bdv$ replays the adversary $\adv$ with the \emph{same} input and random tape as in the first run. In the second run, the random oracle is also the same until the hash query $H(M^\star, C_{\mathsf{CS}}^\star,\tilde{\sigma}_2^\star,\tilde{\sigma}_3^\star, R_1^\star, R_2^\star, R_3^\star, R_4^\star)$. At this point, the forking occurs and $\bdv$ outputs fresh random oracle values. By the Forking Lemma of~\cite{BN06}, $\bdv$ obtains two suitably related forgeries with non-negligible probability $\varepsilon \cdot (\varepsilon / q_H -1/p) $. Namely, $\bdv$ will obtain two matching transcripts $(C_{\mathsf{CS}}^\star, \tilde \sigma_2^\star, \tilde \sigma_3^\star, c^\star, s_\ID^\star, s_\theta^\star)$, $(C_{\mathsf{CS}}^\star, \tilde \sigma_2^\star, \tilde \sigma_3^\star, c^\dag, s_\ID^\dag, s_\theta^\dag )$ - of the $\Sigma$-protocol for the commitment message + of the $\Sigma$-protocol for the commitment message $\mathsf{com}=(C_{\mathsf{CS}}^\star,\tilde{\sigma}_2^\star,\tilde{\sigma}_3^\star, R_1^\star, R_2^\star, R_3^\star, R_4^\star)$. - From the responses + From the responses $s_\ID^\star$ and - $s_\ID^\dag$ (that necessarily involve the same identifier $\ID^\star$ which is uniquely determined by $C_{\mathsf{CS}}^\star = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star)$), $\bdv$ runs the knowledge extractor of to obtain + $s_\ID^\dag$ (that necessarily involve the same identifier $\ID^\star$ which is uniquely determined by $C_{\mathsf{CS}}^\star = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star)$), $\bdv$ runs the knowledge extractor of to obtain $\ID^\star \in \Zp$. Namely, given $(c^\star ,c'^\star , s_\theta^\star , s_\theta'^\star ,s_\ID^\star , s_\ID'^\star ) \in \Zp^6$ with \begin{align*} c^\star &\neq c^\dag, & @@ -1224,90 +1224,90 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re \\ Finally $\bdv$ uses $\mathcal S_\OA$ to extract $\tilde \sigma_1^\star, \tilde r^\star, \tilde z^\star$ and outputs $\bigl(\ID^\star, \sigma^\star = (\tilde \sigma_1^\star,\tilde \sigma^\star_2,\tilde \sigma_3^\star, \tilde r^\star, \tilde z^\star)\bigr)$ as a forgery - for the signature scheme of Section~\ref{scal-sig}. + for the signature scheme of Section~\ref{scal-sig}. %\vspace{-1mm} \end{proof} -\begin{theorem} %[Non-frameability] +\begin{theorem} %[Non-frameability] \label{non-frame} In the ROM, the scheme is secure against framing attacks under the SDL assumption \vspace{-1mm} \end{theorem} \begin{proof} Let us assume that a PPT adversary $\adv$ can create, with advantage $\varepsilon$, a forgery $(M^\star,\sigma^\star)$ that opens to some honest user $i\in U^b$ who did not sign $M^\star$. We give a reduction $\bdv$ that uses $\adv$ to break SDL. \\ -\indent Algorithm $\bdv$ takes as input an SDL instance $(g,\hat{g},g^a,\hat{g}^a)$ and uses its interaction with the adversary $\adv$ to compute $a \in \Zp$. -To generate the group public key $\mathcal{Y}$, $\bdv$ runs all the steps of the real setup algorithm $\textsf{Keygen}$ except step 1. +\indent Algorithm $\bdv$ takes as input an SDL instance $(g,\hat{g},g^a,\hat{g}^a)$ and uses its interaction with the adversary $\adv$ to compute $a \in \Zp$. +To generate the group public key $\mathcal{Y}$, $\bdv$ runs all the steps of the real setup algorithm $\textsf{Keygen}$ except step 1. At step 1, $\bdv$ defines the generators $g,\hat{g}$ in $\pk_s$ to be those of its input and computes $h=g^{\alpha_h}$, $v=g^{\alpha_v}$, $w=g^{\alpha_w}$, $\hat{g}_z=\hat{g}^{\alpha_z}$ for randomly chosen scalars $\alpha_h,\alpha_v,\alpha_w,\alpha_z \sample \Zp$. In order to compute $\{z_j\}_{j=1}^3$ of $\mathsf{crs}$ contained in $\pk_s$, $\bdv$ chooses $\mathsf{tk}=\{\chi_j\}_{j=1}^6$ of step 4 of the key generation algorithm of the signature scheme of Section \ref{scal-sig} with $\ell=1$. (Note that when $\ell=1$, $n=6$ and that $\{z_j\}_{j=1}^3$ are QA-NIZK argument for the vectors $(g,1,1,1,1,h)$, $(v,g,1,h,1,1)$ and $(w,1,g,1,h,1)$. Moreover $\{\hat{g}_i=\hat{g}_z^{\chi_i}\}_{i=1}^6$ are the verifying key.) As a result of this setup phase, $\bdv$ knows $\mathcal{S}_{\GM}=\sk_s=\omega$, $\mathcal{S}_{\OA}=\bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$ and even $\mathsf{tk}$. The adversary $\adv$ is run on input of the group public key $\mathcal{Y}:=(\pk_s,(X_z,X_\sigma,X_{\ID}),H)$, which has the same distribution as in the real attack game. \medskip \\ -Should $\adv$ decide to corrupt the group manager or the opening authority during the game, $\bdv$ is able to reveal $\mathcal{S}_{\GM}=\sk_s$ and $\mathcal{S}_{\OA}$ when requested. +Should $\adv$ decide to corrupt the group manager or the opening authority during the game, $\bdv$ is able to reveal $\mathcal{S}_{\GM}=\sk_s$ and $\mathcal{S}_{\OA}$ when requested. %At the outset of the game, $\bdv$ picks a random $j^\star \sample \{1,\ldots,q_b\}$ and interacts with $\adv$ as follows. In addition, $\bdv$ must be able to answer the following queries. \begin{itemize} % \item[-] $Q_{\mathsf{keyGM}}$-queries: if $\adv$ decides to corrupt the group manager, $\bdv$ surrenders $\mathcal{S}_{\GM}=\omega=\sk_s$. - \item[-] $Q_{\bjoin}$-queries: At any time $\adv$ can act as a corrupted group manager and introduce a new honest user $i$ in the group by invoking the $Q_{\bjoin}$ oracle. Then, $\bdv$ runs $\mathsf{J}_{\mathsf{user}}$ on behalf of the honest user in an execution of $\mathsf{Join}$. %The actions taken by $\bdv$ are dictated by the index $j \in \{1,\ldots,q_b\}$ of the $Q_{\bjoin}$-query. \\ + \item[-] $Q_{\bjoin}$-queries: At any time $\adv$ can act as a corrupted group manager and introduce a new honest user $i$ in the group by invoking the $Q_{\bjoin}$ oracle. Then, $\bdv$ runs $\mathsf{J}_{\mathsf{user}}$ on behalf of the honest user in an execution of $\mathsf{Join}$. %The actions taken by $\bdv$ are dictated by the index $j \in \{1,\ldots,q_b\}$ of the $Q_{\bjoin}$-query. \\ %\begin{itemize} %\item[-] If $j \neq j^\star$, $\bdv$ follows the exact specification of $\mathsf{J}_{\mathsf{user}}$. %\item[-] If $j=j^\star$,... %\end{itemize} -At step 1 of $\mathsf{Join}$, $\bdv$ picks a random $\delta_i \sample \Zp$ and uses $\mathsf{tk}$ to compute the tuple -$(V_i,Z_i,\hat{G}_{2,i},\hat{G}_{4,i})$, for an unknown $\scr_{i}=\ID_i=a\cdot\delta_i \in \Zp$, that +At step 1 of $\mathsf{Join}$, $\bdv$ picks a random $\delta_i \sample \Zp$ and uses $\mathsf{tk}$ to compute the tuple +$(V_i,Z_i,\hat{G}_{2,i},\hat{G}_{4,i})$, for an unknown $\scr_{i}=\ID_i=a\cdot\delta_i \in \Zp$, that $\mathsf{J}_{\mathsf{GM}}$ expects at step 1 of the join protocol. Namely, $\bdv$ computes the vector $ \vec{v}_i= (V_i,G_i,1,H_i,1,1)=(v,g,1,h,1,1)^{\ID_i}$ as \[ V_i =(g^a)^{\alpha_v\cdot\delta_i}, \quad G_i = (g^a)^{\delta_i}, \quad H_i =(g^a)^{\alpha_h\cdot\delta_i}, \] -and then computes $Z_i$ as a simulated QA-NIZK proof for $\vec{v}_i \in \GG^6$ using $\mathsf{tk}$. +and then computes $Z_i$ as a simulated QA-NIZK proof for $\vec{v}_i \in \GG^6$ using $\mathsf{tk}$. A straightforward calculation - shows that $Z_i=z_2^{\ID_i}$ since the QA-NIZK argument of Section \ref{QA-NIZK-scheme} has a deterministic proving algorithm, so that -$(V_i,Z_i,\hat{G}_{2,i},\hat{G}_{4,i})$ successfully passes the test of step 2. -As for the last two components, for each $j\in \{2,4\}$, $\bdv$ computes + shows that $Z_i=z_2^{\ID_i}$ since the QA-NIZK argument of Section \ref{QA-NIZK-scheme} has a deterministic proving algorithm, so that +$(V_i,Z_i,\hat{G}_{2,i},\hat{G}_{4,i})$ successfully passes the test of step 2. +As for the last two components, for each $j\in \{2,4\}$, $\bdv$ computes \begin{eqnarray*} - \quad\hat{G}_{j,i} := (\hat{g}^a)^{\delta_i(\alpha_z\chi_j+\alpha_r\gamma_j)} + \quad\hat{G}_{j,i} := (\hat{g}^a)^{\delta_i(\alpha_z\chi_j+\alpha_r\gamma_j)} = (\hat{g}_z^{\chi_j}\hat{g}_r^{\gamma_j})^{\ID_i} = \hat{g}_j^{\ID_i}, \end{eqnarray*} %where $g^a$ is a component of the discrete logarithm problem it is trying to solve. At step 3 of $\mathsf{Join}$, $\bdv$ simulates the interactive proof of knowledge of $\ID_i=\log_{v}(V_i)$ using the simulator. -In the rest of the protocol, $\bdv$ proceeds like the actual run and obtains $ \crt_{i}=(i, V_i, \sigma_1, \sigma_2, \sigma_3, \pi)$. -Finally, $\bdv$ stores $(\crt_{i},Z_i,\delta_i,\hat{G}_{2,i},\hat{G}_{4,i})$. +In the rest of the protocol, $\bdv$ proceeds like the actual run and obtains $ \crt_{i}=(i, V_i, \sigma_1, \sigma_2, \sigma_3, \pi)$. +Finally, $\bdv$ stores $(\crt_{i},Z_i,\delta_i,\hat{G}_{2,i},\hat{G}_{4,i})$. % \item[-] $Q_{\mathsf{pub}}$-queries: These can be answered as in the real game, by having the simulator return %$\mathcal{Y}$. - \item[-] $Q_{\mathsf{sig}}$-queries: When $\adv$ requests user $i \in U^b$ to sign a message $M$, $\bdv$ is able to use + \item[-] $Q_{\mathsf{sig}}$-queries: When $\adv$ requests user $i \in U^b$ to sign a message $M$, $\bdv$ is able to use the membership certificate $ \crt_{i}=(i, V_i, \sigma_1, \sigma_2, \sigma_3, \pi)$ to compute the ciphertext $C_{\mathsf{CS}}$ at steps 1-2 of the signing algorithm. While $\bdv$ does not know the witness $\ID_i=a\cdot\delta_i\in\Zp$ to generate a proof at step 3, $\bdv$ is able to simulate the non-interactive proof $(c, s_\ID, s_\theta)$, for a randomly chosen challenge $c \sample \Zp$ by programming the random oracle. -More precisely, $\bdv$ re-randomizes the certificate $\crt_i$ by picking $r \sample \Zp$ and computing +More precisely, $\bdv$ re-randomizes the certificate $\crt_i$ by picking $r \sample \Zp$ and computing \begin{align*} \tilde\sigma_1 & = \sigma_1 \cdot (V_i\cdot w)^r & \tilde \sigma_2 & = \sigma_2 \cdot g^r, \\ \tilde \pi & = \pi \cdot (Z_i \cdot z_3)^r, & \tilde \sigma_3 & = \sigma_3 \cdot h^r. \end{align*} - Then $\bdv$ encrypts $\tilde \pi$, $\tilde \sigma_1$ and $V_i$ as in the real - signing algorithm to get ${C}_{\mathsf{CS}}=(C_1, C_2, C_z, C_\sigma, C_\ID)$. Then, $\bdv$ -chooses $c, s_\ID, s_\theta\in\Zp$ and computes $R_1,R_2,R_3,R_4$ as in + Then $\bdv$ encrypts $\tilde \pi$, $\tilde \sigma_1$ and $V_i$ as in the real + signing algorithm to get ${C}_{\mathsf{CS}}=(C_1, C_2, C_z, C_\sigma, C_\ID)$. Then, $\bdv$ +chooses $c, s_\ID, s_\theta\in\Zp$ and computes $R_1,R_2,R_3,R_4$ as in (\ref{gsig-verif-1}) and (\ref{gsig-verif-2}) of $\mathsf{Verify}$. Finally, $\bdv$ - programs $H$ to return $c$ on inputs $(M, C_{\mathsf{CS}},\tilde \sigma_2, \tilde \sigma_3, R_1, R_2, R_3, R_4)$. In the event that $H$ is already defined at that point, - $\bdv$ aborts. - The probability to fail at one signing query is $\leq q_s/p^3$, where -$q_s$ is the number of signing queries. + programs $H$ to return $c$ on inputs $(M, C_{\mathsf{CS}},\tilde \sigma_2, \tilde \sigma_3, R_1, R_2, R_3, R_4)$. In the event that $H$ is already defined at that point, + $\bdv$ aborts. + The probability to fail at one signing query is $\leq q_s/p^3$, where +$q_s$ is the number of signing queries. \end{itemize} % -\noindent When $\adv$ halts, it presumably frames some honest user ${i^\star} \in U^b$ by outputting a signature -\begin{align*} -\Sigma^\star = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star, \tilde \sigma_2^\star, \tilde \sigma_3^\star, c^\star, s_\ID^\star, s_\theta^\star) , \quad +\noindent When $\adv$ halts, it presumably frames some honest user ${i^\star} \in U^b$ by outputting a signature +\begin{align*} +\Sigma^\star = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star, \tilde \sigma_2^\star, \tilde \sigma_3^\star, c^\star, s_\ID^\star, s_\theta^\star) , \quad \end{align*} for some message $M^\star$, that opens to ${i^\star} \in U^b$ although user $i^\star$ did not sign $M^\star$. With high probability, $\adv$ must have queried the hash value - $H(M^\star, C_{\mathsf{CS}}^\star, \tilde \sigma_2^\star,\tilde \sigma_3^\star,R_1^\star, R_2^\star, R_3^\star, R_4^\star)$, which would be unpredictable otherwise. + $H(M^\star, C_{\mathsf{CS}}^\star, \tilde \sigma_2^\star,\tilde \sigma_3^\star,R_1^\star, R_2^\star, R_3^\star, R_4^\star)$, which would be unpredictable otherwise. Hence, $\bdv$ can run $\adv$ a second time with the same input and random tape. At the moment when $\adv$ queries $H(M^\star, C_{\mathsf{CS}}^\star, \tilde \sigma_2^\star,\tilde \sigma_3^\star,R_1^\star, R_2^\star, R_3^\star, R_4^\star)$ in the second run, $\bdv$ starts responding with different random oracle values which depart from those of the initial run. -The Forking Lemma of \cite{BN06} ensures that, with non-negligible probability the second run will result in a forgery +The Forking Lemma of \cite{BN06} ensures that, with non-negligible probability the second run will result in a forgery $\Sigma^\dag = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star, \tilde \sigma_2^\dag, \tilde \sigma_3^\dag, c^\dag, s_\ID^\dag, s_\theta^\dag)$ on - the same message $M^\star$, -with distinct challenges + the same message $M^\star$, +with distinct challenges $c^\dag\neq c^\star$. From the two responses $(s_\ID^\star, s_\theta^\star)$, $(s_\ID^\dagger, s_\theta^\dagger)$, $\bdv$ can extract witnesses - $(\theta^\star,\ID^\star)$ satisfying ${C}_\ID^\star=v^{\ID^\star}X_\ID^{\theta^\star}$ and -which identifies $V_i^\star=v^{\ID^\star}$. At this stage, $\bdv$ can compute and output the sought-after SDL solution - $a:=\ID^\star/\delta_i$ in $\Zp$. + $(\theta^\star,\ID^\star)$ satisfying ${C}_\ID^\star=v^{\ID^\star}X_\ID^{\theta^\star}$ and +which identifies $V_i^\star=v^{\ID^\star}$. At this stage, $\bdv$ can compute and output the sought-after SDL solution + $a:=\ID^\star/\delta_i$ in $\Zp$. \\ -This observation tells us that, if $\adv$ has advantage $\varepsilon$ as a framing adversary making $q_H$ random oracle queries, then $\bdv$ implies an algorithm solving the SDL problem with probability $\varepsilon (\varepsilon / q_H -1/p) $. +This observation tells us that, if $\adv$ has advantage $\varepsilon$ as a framing adversary making $q_H$ random oracle queries, then $\bdv$ implies an algorithm solving the SDL problem with probability $\varepsilon (\varepsilon / q_H -1/p) $. \vspace{-2mm} \end{proof} @@ -1337,21 +1337,21 @@ We stress that the proofs can be easily adapted to the case where the opening a \end{table*} Table~\ref{sig-comp} compares our scheme with previous practical group signatures based on pairing-related assumptions. -Since we focus on practical schemes, we only consider those in the random oracle model. +Since we focus on practical schemes, we only consider those in the random oracle model. To make the comparison possible, we use $256$-bit group orders, so that elements of $\GG$ and $\Zp$ are encoded using -$256$ bits each. +$256$ bits each. The scheme of Boneh, Boyen and Shacham~\cite{BBS04} is the first scheme providing short signatures: each signature is comprised of $3$ group elements and $6$ elements of $\Zp$. However, this scheme is designed for static groups only and relies on the Strong Diffie-Hellmann assumption, which is a non-standard $q$-type assumption, and its anonymity is only -proved in the CPA sense. +proved in the CPA sense. Delerablée and Pointcheval~\cite{DP06} presented a scheme designed for a dynamically growing group and which is also fully (i.e., CCA) anonymous. The security of their scheme is based on the eXternal Diffie-Hellman assumption (XDH), which we also use here, and the $q$-SDH assumption. In \cite{DP06}, each signature consists of $4$ group elements and $5$ scalars in $\Zp$, which leads to the same signature size as previously. They also proposed a variant to get rid of the XDH assumption at the cost of $2$ more group elements and one more scalar, but they still rely on the $q$-SDH -assumption. +assumption. Bichsel~{\em et al.} \cite{BCN+10} proposed a very short group signature for dynamic groups, where each signature consists of $3$ group elements and $2$ elements in $\Zp$. @@ -1359,20 +1359,20 @@ The downsides are their use the LRSW assumption~\cite{LRSW99}, which is a very { their security notion is not fully-anonymous, but is an hybrid security with selfless-anonymity, which is marked ``CCA-'' in Table~\ref{sig-comp}. %they don't provide full-CCA anonymity but an hybrid security with selfless anonymity, which is marked ``CCA*'' in Table~\ref{sig-comp}. Another caveat is that, unlike the two previous systems, the opening complexity of their scheme is linear in the number of group members. - + In 2015, Pointcheval and Sanders~\cite{PS16} gave another instantiation of~\cite{BCN+10} based on a variant of the LRSW assumption in the asymmetric setting (meaning using only Type III pairings), which provides even shorter signatures than \cite{BCN+10} with the same downsides. Their scheme provides signatures composed of only $2$ group elements in $\GG$ and $2$ scalars in $\Zp$. - + Our main contribution compared to these schemes is to provide size-comparable signatures --\,we recall that our scheme is composed of $7$ group elements and $3$ scalars in $\Zp$\,-- while relying on standard, constant-size assumptions. Moreover, we can notice that we can save one element in $\GG$ at the expense of a linear-time opening algorithm in the number $N$ of group users (like \cite{BCN+10}). -%On the other hand, the comparison of computational cost is not straightforward, as it is not clear if the computation of $e(x^\alpha, \hat x) \cdot e(y^\beta, \hat y)$ is easier than the computation +%On the other hand, the comparison of computational cost is not straightforward, as it is not clear if the computation of $e(x^\alpha, \hat x) \cdot e(y^\beta, \hat y)$ is easier than the computation \section{Implementation results} \addcontentsline{tof}{section}{\protect\numberline{\thesection} Résultats d'implantation}