This commit is contained in:
Fabrice Mouhartem 2018-04-30 16:21:16 +02:00
parent b295212aac
commit a6b9f5a2f7

View File

@ -615,12 +615,149 @@ In our proofs, we mainly use the probability preservation to bound the
probabilities during hybrid games where the two distributions are not close in terms of statistical distance. probabilities during hybrid games where the two distributions are not close in terms of statistical distance.
%--------- PROOF ---------- %--------- PROOF ----------
\input merge \begin{proof} The proof is very similar to the proof of \cref{th:gs-lwe-security-cma-sig} and we will only explain the changes.
Assuming that an adversary $\adv$ can prove possession of a signature on a message $(\mathfrak{m}_1^\star,\ldots,\mathfrak{m}_N^\star)$ which has not been blindly signed by the issuer,
we outline an algorithm $\bdv$ that solves a $\mathsf{SIS}_{n,2m,q,\beta}$ instance $\bar{\mathbf{A}}$, where $\bar{\mathbf{A}} =
[ \bar{\mathbf{A}}_1 \mid \bar{\mathbf{A}}_2 ] \in \ZZ_q^{ n \times 2m}$ with
$\bar{\mathbf{A}}_1, \bar{\mathbf{A}}_2 \in U(\ZZ_q^{n \times m})$.
At the outset of the game, $\bdv$ generates the common parameters $\mathsf{par}$ by choosing
$\mathbf{B} \in_R \ZZ_q^{n \times m}$ and defining $\mathbf{G}_0 = \mathbf{B} \cdot \mathbf{E}_0 \in \ZZ_q^{n \times \ell }$, $\mathbf{G}_1 = \mathbf{B} \cdot \mathbf{E}_1 \in \ZZ_q^{n \times 2m}$.
The short Gaussian matrices $\mathbf{E}_0 \in \ZZ^{ m \times \ell}$ and $\mathbf{E}_1 \in \ZZ^{m \times 2m}$ are retained for later use. Also, $\bdv$ flips a coin $coin \in \{0,1,2\}$ as
a guess for the kind of attack that $\adv$ will mount. If $coin=0$, $\bdv$ expects a Type I forgery, where $\adv$'s forgery involves a new $\tau^\star \in \{0,1\}^\ell$ that
was never used by the signing oracle. If $coin=1$, $\bdv$ expects $\adv$ to recycle a tag $\tau^\star$ involved in some signing query in its forgery. Namely,
if $coin=1$, $\bdv$ expects an attack which is either a Type II forgery or a Type III forgery.
If $coin=2$, $\bdv$ rather bets that $\adv$ will break the soundness of the interactive argument systems used in the signature issuing protocol or the $\mathsf{Prove}$ protocol.
Depending on the value of $coin \in \{0,1,2 \}$, $\bdv$ generates the issuer's public key $PK$ and simulates $\adv$'s view in different ways. \medskip
\noindent $\bullet$ If $coin=0$, $\bdv$ undertakes to find a short non-zero vector of $\Lambda_q^{\perp}(\bar{\mathbf{A}}_1)$, which in turn yields a short non-zero vector
of $\Lambda_q^{\perp}(\bar{\mathbf{A}})$. To this end, it defines $\mathbf{A}=\bar{\mathbf{A}}_1$ and
generates $PK$ by computing $\{\mathbf{A}_j\}_{j=0}^\ell$ as re-randomizations of $\mathbf{A} \in \ZZ_q^{n \times m}$ as in the proof of Lemma \ref{le:lwe-gs-type-I-attacks}. This implies that $\bdv$ can always answer signing queries using the trapdoor $\mathbf{T}_{\mathbf{C}}
\in \ZZ^{m \times m}$ of the matrix $\mathbf{C}$ without even knowing the messages hidden in the commitments $ \mathbf{c}_{\mathfrak{m}}$ and $\{\mathbf{c}_k\}_{k=1}^N$, $\mathbf{c}_{s'}$.
When the adversary generates a proof of possession of its own at the end of the game, $\bdv$ uses the matrices $\mathbf{E}_0 \in \ZZ^{ m \times \ell}$ and $\mathbf{E}_1 \in \ZZ^{m \times 2m}$
as an extraction trapdoor to extract a plain message-signature pair $\big( (\mathfrak{m}_1^\star,\ldots,\mathfrak{m}_N^\star), (\tau^\star,\mathbf{v}^\star,\mathbf{s}^\star) \big)$
from the ciphertexts
$\{ \mathbf{c}_k^\star\}_{k=1}^N$ $(\mathbf{c}_{\mathbf{v}_1}^\star,\mathbf{c}_{\mathbf{v}_2^\star})$, $\mathbf{c}_{\tau}^\star$, $\mathbf{c}_{\mathbf{s}}^\star$ produced by $\adv$ as part of its forgery.
If the extracted $\tau^\star$ is not a new tag, then $\bdv$ aborts. Otherwise, it can solve the given $\mathsf{SIS}$ instance exactly as in the proof of Lemma \ref{le:lwe-gs-type-I-attacks}.
\medskip
\noindent $\bullet$ If $coin=1$, the proof proceeds as in the proof of Lemma \ref{le:lwe-gs-type-II-attacks} with one difference in \textsf{Game} $3$. This difference is that \textsf{Game} $3$ is no longer statistically
indistinguishable from \textsf{Game} $2$: instead, we rely on an argument based on the R\'enyi divergence.
In \textsf{Game} $3$, $\bdv$ generates $PK$ exactly as in the proof of Lemma \ref{le:lwe-gs-type-II-attacks}. This implies that $\bdv$ takes a guess $i^\dagger \leftarrow U(\{1,\ldots,Q\})$
with the hope that $\adv$ will choose to recycle the tag $\tau^{(i^\dagger)} $ of the $i^\dagger$-th signing query (i.e., $ \tau^\star =\tau^{(i^\dagger)} $).
As in the proof of Lemma \ref{le:lwe-gs-type-II-attacks}, $\bdv$ defines $\mathbf{D}=\bar{\mathbf{A}}_1 \in \ZZ_q^{n \times m}$ and $\mathbf{A}= \bar{\mathbf{A}}_1 \cdot \mathbf{S} $ for a small-norm
matrix $\mathbf{S} \in \ZZ^{m \times m}$ with Gaussian entries. It also ``programs'' the matrices $\{ \mathbf{A}_j\}_{j=0}^\ell$ in such a way that
the trapdoor precisely vanishes at the $i^\dagger$-th signing query: in other words,
the sum $$\mathbf{A}_0 + \sum_{j=1}^\ell \tau^{(i)} [j] \mathbf{A}_j = \bar{\mathbf{A}}_1 \cdot (\mathbf{S}_0 + \sum_{j=1}^\ell \tau^{(i)} [j] \cdot \mathbf{S}_j) + (h_0 + \sum_{j=1}^\ell \tau^{(i)} [j] \cdot h_j ) \cdot \mathbf{C} $$ does not depend on the matrix $\mathbf{C} \in \ZZ_q^{n \times m}$
(of which a trapdoor $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$ is known to $\bdv$) when $\tau^{(i)} = \tau^{(i^\dagger)}$, but it does for all other tags $\tau^{(i)} \neq \tau^{(i^\dagger)}$. In the setup phase,
$\bdv$ also sets up a random matrix $\mathbf{D}_0 \in U(\ZZ_q^{2n \times 2m})$ which it obtains by choosing
$\mathbf{A}' \sample U(\ZZ_q^{n \times 2m})$ to define
\begin{eqnarray} \label{def-D0}
\mathbf{D}_0=\begin{bmatrix} \bar{\mathbf{A}} \\ \hline \mathbf{A}' \end{bmatrix} \in \ZZ_q^{2n \times 2m}.
\end{eqnarray}
Then, it computes $\mathbf{c}_M = \mathbf{D}_0 \cdot \mathbf{s}_0 \in \ZZ_q^{2n}$ for a short Gaussian vector
$\mathbf{s}_0 \sample D_{\ZZ^{2m},\sigma_0}$, which will be used in the $i^\dagger$-th query.
Next, it samples short vectors $\mathbf{v}_1,\mathbf{v}_2 \sample D_{\ZZ^m,\sigma}$ to define
$$\mathbf{u}= \mathbf{A}_{\tau^{(i^\dagger)}} \cdot \begin{bmatrix} \mathbf{v}_1 \\ \mathbf{v}_2 \end{bmatrix} - \mathbf{D} \cdot \bit (\mathbf{c}_M) ~ \in \ZZ_q^n.$$
In addition, $\bdv$ picks extra small-norm matrices $\mathbf{R}_1,\ldots,\mathbf{R}_N \sample \ZZ^{2m \times 2m}$ whose columns are sampled from $D_{\ZZ^m,\sigma}$, which
are used to define randomizations of $\mathbf{D}_0$ by computing $\mathbf{D}_k = \mathbf{D}_0 \cdot \mathbf{R}_k$ for each $k \in \{1,\ldots,N\}$.
The adversary is given public parameters $\mathsf{par}:=\{\mathbf{B},\mathbf{G}_0,\mathbf{G}_1,CK\}$, where $CK=\{\mathbf{D}_k\}_{k=0}^N$, and the public key $PK:=\big( \mathbf{A}, \{\mathbf{A}_j\}_{j=0}^\ell, \mathbf{D},\mathbf{u} \big)$.
Using $\mathbf{T}_{\mathbf{C}}$,
$\bdv$ can perfectly emulate the signing oracle at all queries, except the $i^\dagger$-th query where the
vector ${\mathbf{s}''}^{(i^\dagger)}$ chosen by $\bdv$ is sampled from a distribution that departs from $D_{\ZZ^{2m},\sigma_0}$. At the $i^\dagger$-th query,
$\bdv$ uses the extraction trapdoor $\mathbf{E}_1 \in \ZZ^{m \times 2m}$ to obtain $ {\mathbf{s}' }^{(i^\dagger)} \in \ZZ^{2m}$ and $\{\mathfrak{m}_k\}_{k=1}^N$ -- which form a valid opening
of $\mathbf{c}_{\mathfrak{m}}$ unless the soundness of the proof system is broken (note that the latter case is addressed by the situation $coin=3$) -- from the ciphertexts
$\mathbf{c}_{s'}^{(i^\dagger)} $ and $\{ \mathbf{c}_k\}_{k=1}^N$ sent by $\adv$ at step 1 of the signing protocol. Then, $\bdv$
computes the vector ${\mathbf{s}''}^{(i^\dagger)}$ as
\begin{eqnarray} \label{sim-s-prime}
{\mathbf{s}'' }^{(i^\dagger)} = \mathbf{s}_0 - \sum_{k=1}^N \mathbf{R}_k \cdot \mathfrak{m}_k^{(i^\dagger)} - {\mathbf{s}' }^{(i^\dagger)} \in \ZZ^{2m},
\end{eqnarray}
which satisfies $\mathbf{c}_M=\sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k^{(i^\dagger)} + \mathbf{D}_0 \cdot ({\mathbf{s}' }^{(i^\dagger)} + {\mathbf{s}'' }^{(i^\dagger)} ) $ and
allows returning $(\tau^{(i^\dagger)},\mathbf{v}^{(i^\dagger)}, {\mathbf{s}'' }^{(i^\dagger)} )$ such that
$(\tau^{(i^\dagger)},\mathbf{v}^{(i^\dagger)}, {\mathbf{s}' }^{(i^\dagger)} + {\mathbf{s}'' }^{(i^\dagger)} )$ satisfies the verification
equation of the signature scheme. Moreover, we argue that, with noticeable probability, the integer
vector ${\mathbf{s} }^{(i^\dagger)} ={\mathbf{s}' }^{(i^\dagger)} + {\mathbf{s}'' }^{(i^\dagger)}$ will be accepted by the verification algorithm since the R\'enyi divergence
between the simulated distribution of ${\mathbf{s}'' }^{(i^\dagger)}$ and its distribution in the real game will be sufficiently small. Indeed, its distribution
is now that of a Gaussian vector $D_{\ZZ^{2m},\sigma_0,\mathbf{z}^\dagger }$ centered in $$\mathbf{z}^\dagger = - \sum_{k=1}^N
\mathbf{R}_k \cdot {\mathfrak{m}_k^{(i^\dagger)} }
- {\mathbf{s}' }^{(i^\dagger)} \in \ZZ^{2m} ,$$ whose norm is at most $\| \mathbf{z}^\dagger \|_2 \leq N \sigma ({2m})^{3/2} + \sigma (2m)^{1/2}$. By choosing the standard deviation $\sigma_0$ to
be at least
$\sigma_0> N \sigma (2m)^{3/2} + \sigma (2m)^{1/2} $, the R\'enyi divergence between the simulated
distribution of ${\mathbf{s}'' }^{(i^\dagger)}$ (in \textsf{Game} $3$) and its real distribution (which is the one of \textsf{Game} $2$) can be kept constant: we have
\begin{eqnarray} \label{r-bound}
R_2( {\mathbf{s}'' }^{(i^\dagger),2} ||{\mathbf{s}'' }^{(i^\dagger),3} ) \leq \exp \big( 2\pi \cdot \frac{ \| \mathbf{z}^\dagger \|_2^2}{\sigma_0^2} \big) \leq \exp(2 \pi).
\end{eqnarray}
This ensures that, with noticeable
probability, $(\tau^{(i^\dagger)},\mathbf{v}^{(i^\dagger)}, {\mathbf{s} }^{(i^\dagger)} )$ will pass the verification test and lead $\adv$ to eventually output a valid forgery.
So, the success probability of $\adv$ in \textsf{Game} $3$ remains noticeable as (\ref{r-bound}) implies $\Pr[W_3] \geq \Pr[W_2]^2 / \exp(2\pi)$.
When $W_3$ occurs in \textsf{Game} $3$, $\bdv$ uses the matrices $(\mathbf{E}_0,\mathbf{E}_1)$ to extract a plain message-signature pair $\big((\mathfrak{m}_1^\star,\ldots,\mathfrak{m}_N^\star),(\tau^\star,\mathbf{v}^\star,\mathbf{s}^\star) \big)$ from the extractable commitments
$\{ \mathbf{c}_k^\star\}_{k=1}^N$ $(\mathbf{c}_{\mathbf{v}_1}^\star,\mathbf{c}_{\mathbf{v}_2}^\star)$, $\mathbf{c}_{\tau}^\star$, $\mathbf{c}_{\mathbf{s}}^\star$ generated by $\adv$.
At this point, two cases can be distinguished. First, if $\mathbf{c}_M \neq \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k^\star + \mathbf{D}_0 \cdot \mathbf{s}^\star \bmod q$, then algorithm
$\bdv$ can
find a short vector of $\Lambda_q^{\perp}(\bar{\mathbf{A}}_1)=\Lambda_q^{\perp}( {\mathbf{D}})$ exactly as in the proof of Lemma~\ref{le:lwe-gs-type-II-attacks}. In the event that $\mathbf{c}_M = \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k^\star + \mathbf{D}_0 \cdot \mathbf{s}^\star $,
$\bdv$ can use the fact that the collision $\mathbf{c}_M = \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{(i^\dagger)} } + \mathbf{D}_0 \cdot {\mathbf{s}^{(i^\dagger)} } $ allows computing
$$ \mathbf{w}= \mathbf{s}^\star -{\mathbf{s}^{(i^\dagger)}} + \sum_{k=1}^N \mathbf{R}_k \cdot \left(\mathfrak{m}_k^\star - \mathfrak{m}_k^{(i^\dagger)} \right) ~ \in \ZZ^{2m} , $$
which belongs to $\Lambda_q^{\perp}(\mathbf{D}_0)$ and has norm $\| \mathbf{w} \|_2 \leq N \sigma (2m)^{3/2} + 4 \sigma_1 m^{3/2} $. Moreover, it
is non-zero with overwhelming probability. Indeed, there exists at least one $k \in [1,N]$ such that $\mathfrak{m}_k^{(i^\dagger)} \neq \mathfrak{m}_k^\star$. Let us assume w.l.o.g.
that they differ in their first two bits where $\mathfrak{m}_k^{(i^\dagger)}$ contains a $0$ and $\mathfrak{m}_k^\star$ contains a $1$ (recall that each bit $b$
is encoded as $(\bar{b},b)$ in both messages).
This implies that $ {\mathbf{s}'' }^{(i^\dagger)} $ (as computed in (\ref{sim-s-prime})) does not depend on the first column of $\mathbf{R}_k$ but $\mathbf{w}$ does.
Hence, given that the columns of $\mathbf{R}_k$ have at least $n$ bits of min-entropy conditionally on $\mathbf{D}_k =\mathbf{D}_0 \cdot \mathbf{R}_k$, the vector
$\mathbf{w} \in \ZZ^{2m}$ is unpredictable to the adversary.
Due to the definition of $\mathbf{D}_0 \in \ZZ_q^{2n \times 2m}$ in (\ref{def-D0}), we finally note that
$\mathbf{w} \in \ZZ^{2m}$ is also a short non-zero vector of $\Lambda_q^{\perp}(\bar{\mathbf{A}})$.
\medskip
\noindent $\bullet$ If $coin=2$, $\bdv$ faithfully generates $\mathsf{par}$ and $PK$, but it retains the extraction trapdoor $(\mathbf{E}_0,\mathbf{E}_1)$ associated with the dual Regev public keys
$(\mathbf{G}_0,\mathbf{G}_1)$. Note that $\adv$ can break the soundness of the proof system by either: (i) Generating ciphertexts
$\{\mathbf{c}_k\}_{k=1}^N$ and $\mathbf{c}_{s'}$ that do not encrypt an opening of $\mathbf{c}_{\mathfrak{m}}$ in the signature issuing protocol; (ii) Generating ciphertexts
$\{\mathbf{c}_k\}_{k=1}^N$, $\mathbf{c}_{\tau}$, $\mathbf{c}_{\mathbf{v}_1}$, $\mathbf{c}_{\mathbf{v}_2}$ and $\mathbf{c}_{s}$ that do not encrypt a valid signature in the $\mathsf{Prove}$ protocol.
In either case, the reduction $\bdv$ is able to detect the event by decrypting dual Regev ciphertext using $(\mathbf{E}_0,\mathbf{E}_1)$ and create a breach in the
soundness of the argument system. \medskip
It it easy to see that, since $coin \in \{0,1,2 \}$ is chosen independently of $\adv$'s view, it turns out to be correct with probability $1/3$. As a consequence, if $\adv$'s advantage
is non-negligible, so is $\bdv$'s.
\end{proof}
\begin{theorem} \label{anon-cred} \begin{theorem} \label{anon-cred}
The scheme provides anonymity under the $\mathsf{LWE}_{n,q,\chi}$ assumption. The scheme provides anonymity under the $\mathsf{LWE}_{n,q,\chi}$ assumption.
\end{theorem} \end{theorem}
\begin{proof}
The proof is rather straightforward and consists of a sequence of three games.
\medskip
\begin{description}
\item[\textsf{Game} 0:] This is the real game. Namely, the adversary is given common public parameters $\mathsf{par}$ and comes up with a public key $PK$ of its own.
The adversary can run oblivious signing protocols with honest users. At each query, the adversary chooses a user index $i$ and triggers an execution of the signing protocol
with the challenger emulating the honest users. At some point, the adversary chooses some user index $i^\star$ for which the execution of the signing protocol ended successfully.
At this point, the challenger $\bdv$ runs the real $\mathsf{Prove}$ protocol on behalf of user $i$. At the end of the game, the adversary outputs
a bit $b' \in \{0,1\}$. We define $W_0$ to be the event that
$b'=1$.
\smallskip
\item[\textsf{Game} 1:] This game is like \textsf{Game} $0$ with the difference that, at each execution of the $\mathsf{Prove}$ protocol, the challenger runs the zero-knowledge
simulator of the interactive proof system. The latter simulator uses either a trapdoor hidden in the common reference string (if Damg\aa rd's technique \cite{Damg00} is used) or
proceeds by programming the random oracle which allows implementing the Fiat-Shamir heuristic. In either case, the statistical zero-knowledge property ensures that the
adversary cannot distinguish \textsf{Game} $1$ from \textsf{Game} $0$ and $|\Pr[W_1] - \Pr[W_0] | \in \mathsf{negl}(\lambda)$.
\smallskip
\item[Game 3:] This game is like \textsf{Game} $1$ except that, at each execution of the $\mathsf{Prove}$ protocol, the ciphertexts $\{\mathbf{c}_k\}_{k=1}^N$, $\mathbf{c}_s$, $\mathbf{c}_{\tau}$,
and $\mathbf{c}_{\mathbf{v}_1}$, $\mathbf{c}_{\mathbf{v}_2}$ encrypt random messages instead of the actual witnesses. The semantic security of the dual Regev cryptosystem ensures that,
under the $\LWE_{n,q,\chi}$ assumption, the adversary is unable to see the difference. Hence, we have $|\Pr[W_2] - \Pr[W_1]| \leq \mathbf{Adv}_{\bdv}^{\mathsf{LWE}}(\lambda)$.
\end{description}
\medskip
\noindent In \textsf{Game} $2$, we can notice that the adversary is interacting with a simulator that emulates the user in the $\mathsf{Prove}$ protocol \textit{without} using
any message-signature pair. We thus conclude that, under the $\LWE_{n,q,\chi}$ assumption, $\adv$'s view cannot distinguish a real proof of signature possession from a simulated proof
produced without any witness.
\end{proof}
\section{Subprotocols for Stern-like Argument} \section{Subprotocols for Stern-like Argument}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Protocoles pour les preuves à la Stern} \addcontentsline{tof}{section}{\protect\numberline{\thesection} Protocoles pour les preuves à la Stern}
\label{se:gs-lwe-stern} \label{se:gs-lwe-stern}
@ -954,3 +1091,6 @@ as the permutation that transforms $\mathbf{z}$ as follows:
\end{enumerate} \end{enumerate}
\end{itemize} \end{itemize}
It can be check that~(\ref{eq:zk-equivalence}) holds. Therefore, we can obtain a statistical \textsf{ZKAoK} for the given relation by running the protocol in \cref{sse:stern-abstraction}. It can be check that~(\ref{eq:zk-equivalence}) holds. Therefore, we can obtain a statistical \textsf{ZKAoK} for the given relation by running the protocol in \cref{sse:stern-abstraction}.
\section{A Dynamic Lattice-Based Group Signature}
\input{merge}