fmouhart
/
thesis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Updates

This commit is contained in:
Fabrice Mouhartem 2018-06-15 16:04:10 +02:00
parent 0882fb5238
commit b25d1b0a71
10 changed files with 481 additions and 173 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

300
chap-GE-LWE.tex
View File

@ -1,13 +1,97 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%\chapter{Lattice-Based Oblivious Transfer with Access Control} \label{ch:ac-ot}
%\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Transfert inconscient adaptatif avec contrôle d'accès à base de réseaux euclidiens}
%\label{ch:ot-lwe}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{comment}
\section{Introduction}
\end{comment}
Kiayias, Tsiounis and Yung~\cite{KTY07} presented group encryption ($\mathsf{GE}$) as the encryption analogue of group signatures~\cite{CVH91}, which allow users to anonymously sign messages on behalf of an entire group they belong to.
While group signatures aim at hiding the source of some message within a crowd administered by some group manager, group encryption rather seeks to hide its destination within a group of legitimate receivers.
In both cases, a verifier should be convinced that the anonymous signer/receiver indeed belongs to a purported population.
In order to keep users accountable for their actions, an opening authority ($\mathsf{OA}$) is further empowered with some information allowing it to un-anonymize signatures/ciphertexts.
Kiayias, Tsiounis and Yung~\cite{KTY07} formalized $\mathsf{GE}$ schemes as a primitive allowing the sender to generate publicly verifiable guarantees that:
(1) The ciphertext is well-formed and intended for some registered group member who will be able to decrypt;
(2) the opening authority will be able identify the receiver if necessary; (3) The plaintext satisfies certain properties such as being a witness for some
public relation or the private key that underlies a given public key. In the model of Kiayias \textit{et al.}~\cite{KTY07}, the message secrecy and anonymity
properties are required to withstand active adversaries, which are granted access to decryption oracles in all security experiments.
As a natural application, group encryption allows a firewall to filter all incoming encrypted emails except those intended for some certified organization
member and the content of which is additionally guaranteed to satisfy certain requirements, like the absence of malware.
$\mathsf{GE}$~schemes are also motivated by natural privacy applications such as anonymous trusted third parties, key recovery mechanisms or oblivious retriever
storage systems. In optimistic protocols, $\mathsf{GE}$ allows verifiably encrypting messages to \emph{anonymous} trusted third parties which mostly remain off-line
and only come into play to sort out conflicts. In order to protect privacy-sensitive information such as users' citizenship, group encryption
makes it possible to hide the identity of users' preferred trusted third parties within a set of properly certified trustees.
In cloud storage services, $\mathsf{GE}$ enables privacy-preserving asynchronous transfers of encrypted datasets. Namely, it allows users to archive encrypted datasets
on remote servers while convincing those servers that the data is indeed intended for some anonymous certified client who paid a subscription to the storage
provider. Moreover, a judge should be able to identify the archive's recipient in case a misbehaving server is found guilty of hosting suspicious
transaction records or any other illegal content.
As pointed out by Kiayias \textit{et al.}~\cite{KTY07}, group encryption also implies a form of hierarchical group signatures~\cite{TW05}, where signatures can only be opened by a set of eligible trustees operating in a very specific manner determiner by the signer.
The design of numerous privacy-preserving cryptographic protocols crucially relies on zero-knowledge proofs~\cite{GMR85} to prove properties about encrypted or committed values so as to enforce honest behavior on behalf of participants or protect the privacy of users.
In the lattice settings, efficient zero-knowledge proofs are non-trivial to construct due to the limited amount of algebraic structure.
While natural methods of proving knowledge of secret keys \cite{MV03,Lyu08,KTX08,LNSW13} are available, they are only known to work for specific languages.
When it comes to proving circuit satisfiability, the best known methods are designed for the $\mathsf{LPN}$ setting~\cite{JKPT12} or take advantage of the extra structure available in the ring $\LWE$
setting~\cite{XXW13,BKLP15}.
Hence, these methods are not known to readily carry over to standard (i.e., non-ideal) lattices.
In the standard model, the problem
is even trickier as we do not have a lattice-based counterpart of Groth-Sahai proofs~\cite{GS08} and efficient non-interactive proof systems are only available
for specific problems~\cite{PV08}.
The difficulty of designing efficient zero-knowledge proofs for lattice-related languages makes it highly non-trivial to adapt privacy-preserving cryptographic
primitives in the lattice setting. In spite of these technical hurdles, a recent body of work successfully designed anonymity-enabling mechanisms like ring
signatures \cite{KTX08,ABB+13}, blind signatures \cite{Ruec10}, group signatures \cite{GKV10,LLLS13,LLNW14,BCK+14,NZZ15,LNW15,LLNW16}
or, more recently, signature schemes with companion zero-knowledge protocols~\cite{LLM+16}. A common feature of all these works is that the zero-knowledge
layer of the proposed protocols only deals with linear equations, where witnesses are only multiplied by public values.
In this chapter, motivated by the design of advanced privacy-preserving protocols in the lattice setting, we construct zero-knowledge arguments for non-linear
statements among witnesses consisting of vectors and matrices. For suitable parameters $q,n,m \in \ZZ$, we consider zero-knowledge argument systems whereby a
prover can demonstrate knowledge of secret matrices $\mathbf{X} \in \ZZ_q^{m \times n}$ and vectors $\mathbf{s} \in \ZZ_q^n$, $\mathbf{e} \in \ZZ^m$ such that:
(i) $\mathbf{e} \in \ZZ^m$ has small norm;
(ii) A public vector $\mathbf{b} \in \ZZ_q^n$ equals $\mathbf{b} = \mathbf{X}\cdot \mathbf{s} + \mathbf{e} \bmod q$;
(iii) The underlying pair $(\mathbf{X},\mathbf{s})$ satisfies additional algebraic relations: for instance, it should be possible to prove possession of a signature on some representation of the matrix $\mathbf{X}$.
In particular, our zero-knowledge argument makes it possible to prove that a given ciphertext is a well-formed $\LWE$-based encryption with respect to some
hidden, but certified public key. This protocol comes in handy in the design of \textit{group encryption} schemes~\cite{KTY07}, where such languages naturally
arise.
Using these advances, we thus construct, in this chapter, the first construction of group encryption under lattice assumptions.
\paragraph{Related work.}
Kiayias, Tsiounis and Yung (KTY) \cite{KTY07} formalized the notion of group encryption and provided a modular design using
zero-knowledge proofs, digital signatures, anonymous CCA-secure public-key encryption and commitment schemes. They also gave an efficient instantiation using
Paillier's cryptosystem~\cite{Pail99} and Camenisch-Lysyanskaya signatures \cite{CL02}.
Cathalo, Libert and Yung \cite{CLY09}
designed a non-interactive system in the standard model under non-interactive pairing-related assumptions. El~Aimani and Joye \cite{EJ13} suggested various
efficiency improvements with both interactive and non-interactive proofs.
Libert \textit{et al.}~\cite{LYJP14} empowered the $\GE$ primitive with a refined traceability mechanism akin to that of traceable signatures~\cite{KTY04}. Namely,
by releasing a user-specific trapdoor, the opening authority can allow anyone to publicly trace ciphertexts encrypted for this specific group member without
affecting the privacy of other users. Back in 2010, Izabachène, Pointcheval and Vergnaud~\cite{IPV10} considered the problem of eliminating subliminal
channels in a different form of traceable group encryption.
As a matter of fact, all existing realizations of group encryption or similar primitives rely on traditional number theoretic assumptions like the hardness of
factoring or computing discrete logarithms. In particular, all of them are vulnerable to quantum attacks. For the sake of not putting all one's eggs in the
same basket, it is highly desirable to have instantiations based on alternative, quantum-resistant foundations.
\bigskip
In the next sections, we first present the definitions of a group encryption schemes and the required building block.
Then, we describe the zero-knowledge protocol we use to handle these quadratic relations before finally describing our scheme.
\section{Syntax and Definitions of Group Encryption} \label{GE-model}
\index{Group Encryption}
We use the syntax and the security model of Kiayias, Tsiounis and Yung \cite{KTY07}.
The group encryption (\textsf{GE}) primitive involves a sender, a verifier, a group manager~(\textsf{GM}) that manages the group of receivers and an opening
authority~(\textsf{OA}) which is capable of identifying ciphertexts' recipients.
In the syntax of \cite{KTY07}, a $\GE$ scheme is specified by the description of a
In the syntax of \cite{KTY07}, a $\mathsf{GE}$ scheme is specified by the description of a
relation $R$ as well as a tuple
$\GE=\bigl(\mathsf{SETUP},\mathsf{JOIN},\langle
$\mathsf{GE}=\bigl(\mathsf{SETUP},\mathsf{JOIN},\langle
\mathcal{G}_r,R,\mathsf{sample}_{R}
\rangle,\mathsf{ENC},\mathsf{DEC},\mathsf{OPEN},\langle
\mathcal{P},\mathcal{V} \rangle \bigr)$ of algorithms or protocols.
@ -121,7 +205,7 @@ As pointed out in \cite{KTY07,CLY09}, designing an efficient
simulator $\mathsf{PP}'$ (for executing $\mathsf{PROVE}_{\mathsf{PP},\mathsf{PP}'}^b(.)$
when $b=0$) is part of the security proof.
\begin{definition} \label{security-def}
A $\GE$ scheme satisfies \textit{message security}
A $\mathsf{GE}$ scheme satisfies \textit{message security}
if, for any PPT adversary $\adv$, the experiment below returns $1$
with probability at most $1/2 + \mathsf{negl}(\lambda)$.
@ -165,7 +249,7 @@ in the group. It uses a string $\mathsf{keys}$ where the outputs $(\pk_0,\sk_0,\
by the oracle and no entry is introduced in $\mathsf{keys}$ for them).
\item[-]
$\mathsf{OPEN}(\sk_{\OA},.)$: is a stateless oracle that simulates
the opening algorithm and, on input of a $\GE$
the opening algorithm and, on input of a $\mathsf{GE}$
ciphertext, returns the receiver's public key.
\end{itemize}
@ -175,7 +259,7 @@ certified by the adversarially-controlled $\mathsf{GM}$ before the challenge pha
proofs generated using $(\pk_b,\crt_{\pk_b})$.
\begin{definition} \label{anonymity-def}
A $\GE$ scheme satisfies \textit{anonymity} if, for any PPT adversary $\adv$, the experiment below returns $1$
A $\mathsf{GE}$ scheme satisfies \textit{anonymity} if, for any PPT adversary $\adv$, the experiment below returns $1$
with a probability not exceeding $1/2 + \mathsf{negl}(\lambda)$.
\begin{center}
\procedure{Experiment $\Expt_{\adv}^{\mathrm{anon}}(\lambda)$}{
@ -224,7 +308,7 @@ maintains a list $\mathsf{database}$ where registered public keys and
their certificates are stored.
\begin{definition} \label{soundness-def}
A $\GE$ scheme is \textit{sound} if, for any PPT adversary $\adv$, the experiment below returns $1$
A $\mathsf{GE}$ scheme is \textit{sound} if, for any PPT adversary $\adv$, the experiment below returns $1$
with negligible probability.
\begin{center}
\procedure{Experiment $\Expt_{\adv}^{\mathrm{soundness}}(\lambda)$}{
@ -271,6 +355,7 @@ of valid public keys is dense in that all matrices of a given dimension are vali
\subsection{The Agrawal-Boneh-Boyen IBE Scheme} \label{ap:ABB-IBE}
\index{Identity-Based Encryption!Agrawal-Boneh-Boyen}
\subsubsection{Identity-Based Encryption.} \label{ap:IBE}
@ -347,13 +432,13 @@ encryption of a message of its choice from a random element of the ciphertext sp
\begin{enumerate}
\item Compute the matrix $\mathbf B_\ID = \mathbf B + \mathsf{FRD}(\ID) \cdot \mathbf G \in \Zq^{n \times \bar{m}}$.
Sample vectors $\mathbf s \sample U(\Zq^n), \mathbf x, \mathbf y \sample \chi^m$, $\mathbf R \sample D_{\ZZ,\sigma}^{m \times \bar{m}}$ and compute
$\mathbf z = \mathbf R^\top \cdot \mathbf y \in \ZZ^m$.
$\mathbf z = \mathbf R^T \cdot \mathbf y \in \ZZ^m$.
\item Compute
\begin{equation} \label{eq:ABB-c}
\begin{cases}
\mathbf c^{(1)} = \bar{\mathbf A}^\top \cdot \mathbf s + \mathbf y \bmod q,\\
\mathbf c^{(2)} = \mathbf B_\ID^\top \cdot \mathbf s + \mathbf z \bmod q,\\
\mathbf c^{(3)} = \mathbf U^\top \cdot \mathbf s + \mathbf x + \mathbf m \cdot \left\lfloor \dfrac{q}{2} \right\rfloor.
\mathbf c^{(1)} = \bar{\mathbf A}^T \cdot \mathbf s + \mathbf y \bmod q,\\
\mathbf c^{(2)} = \mathbf B_\ID^T \cdot \mathbf s + \mathbf z \bmod q,\\
\mathbf c^{(3)} = \mathbf U^T \cdot \mathbf s + \mathbf x + \mathbf m \cdot \left\lfloor \dfrac{q}{2} \right\rfloor.
\end{cases}
\end{equation}
\item Output $\mathbf c = \bigl(\mathbf c^{(1)},\mathbf c^{(2)},\mathbf c^{(3)}\bigr) \in \ZZ_q^m \times \ZZ_q^{\bar{m}} \times \ZZ_q^m$. \smallskip \smallskip
@ -372,11 +457,12 @@ encryption of a message of its choice from a random element of the ciphertext sp
\end{theorem}
\section{Warm-up: Decompositions, Extensions, Permutations}
\label{se:decomposition-extensions-permutations}
This section introduces the notations and techniques that will be used throughout the paper. Part of the covered material appeared (in slightly different forms) in recent works~\cite{LNSW13,LNW15,ELL+15,LLNW16,LLM+16} on Stern-like protocols~\cite{Ste96}. The techniques that will be employed for handling quadratic relations (double-bit extension $\mathsf{ext}(\cdot, \cdot)$, expansion $\expandtimes(\cdot, \cdot)$ of matrix-vector product and the associated permuting mechanisms) are novel contributions of this chapter.
This section introduces the notations and techniques that will be used throughout the chapter. It details Stern-like protocols that have been introduced in~\cref{sse:stern}. The techniques that will be employed for handling quadratic relations (double-bit extension $\mathsf{ext}(\cdot, \cdot)$, expansion $\expandtimes(\cdot, \cdot)$ of matrix-vector product and the associated permuting mechanisms) are novel contributions.
\subsection{Decompositions}\label{subsection:decomposition}
For any $B \in \ZZ_+$, define the number $\delta_B:=\lfloor \log_2 B\rfloor +1 = \lceil \log_2(B+1)\rceil$ and the sequence $B_1, \ldots, B_{\delta_B}$, where $B_j = \lfloor\frac{B + 2^{j-1}}{2^j} \rfloor$, $\forall j \in [1,\delta_B]$. As observed in~\cite{LNSW13}, the sequence satisfies $\sum_{j=1}^{\delta_B} B_j = B$ and
any integer $v \in [0, B]$ can be decomposed into a binary vector $\mathsf{idec}_B(v) \hspace*{-1pt}= \hspace*{-1pt}(v^{(1)}, \ldots, v^{(\delta_B)})^\top \hspace*{-2pt}\in \hspace*{-1pt}\{0,1\}^{\delta_B}$ such that $\sum_{j=1}^{\delta_B}B_j \cdot v^{(j)} \hspace*{-1pt}=\hspace*{-1pt} v$. We describe this decomposition procedure in a deterministic manner:
any integer $v \in [0, B]$ can be decomposed into a binary vector $\mathsf{idec}_B(v) \hspace*{-1pt}= \hspace*{-1pt}(v^{(1)}, \ldots, v^{(\delta_B)})^T \hspace*{-2pt}\in \hspace*{-1pt}\{0,1\}^{\delta_B}$ such that $\sum_{j=1}^{\delta_B}B_j \cdot v^{(j)} \hspace*{-1pt}=\hspace*{-1pt} v$. We describe this decomposition procedure in a deterministic manner:
\begin{enumerate}
\item $v': = v$
\item For $j=1$ to $\delta_B$ do:
@ -384,7 +470,7 @@ For any $B \in \ZZ_+$, define the number $\delta_B:=\lfloor \log_2 B\rfloor +1 =
\item If $v' \geq B_j$ then $v^{(j)}: = 1$, else $v^{(j)}: = 0$;
\item $v': = v' - B_j\cdot v^{(j)}$.
\end{enumerate}
\item Output $\mathsf{idec}_B(v) = (v^{(1)}, \ldots, v^{(\delta_B)})^\top$.
\item Output $\mathsf{idec}_B(v) = (v^{(1)}, \ldots, v^{(\delta_B)})^T$.
\end{enumerate}
Next, for any positive integers $\mathfrak{m}, B$, we define the decomposition matrix:
@ -397,30 +483,30 @@ Next, for any positive integers $\mathfrak{m}, B$, we define the decomposition m
\end{eqnarray}
and the following injective functions:
\begin{enumerate}[(i)]
\item $\mathsf{vdec}_{\mathfrak{m}, B}: [0,B]^{\mathfrak{m}} \rightarrow \{0,1\}^{\mathfrak{m}\delta_B}$ that maps vector $\mathbf{v} = (v_1, \ldots, v_{\mathfrak{m}})^\top$ to vector $\big(\mathsf{idec}_B(v_1)^\top \| \ldots \| \mathsf{idec}_B(v_{\mathfrak{m}})^\top\big)^\top$. Note that $\mathbf{H}_{\mathfrak{m}, B} \cdot \mathsf{vdec}_{\mathfrak{m}, B}(\mathbf{v}) = \mathbf{v}$. \smallskip
\item $\mathsf{vdec}_{\mathfrak{m}, B}: [0,B]^{\mathfrak{m}} \rightarrow \{0,1\}^{\mathfrak{m}\delta_B}$ that maps vector $\mathbf{v} = (v_1, \ldots, v_{\mathfrak{m}})^T$ to vector $\big(\mathsf{idec}_B(v_1)^T \| \ldots \| \mathsf{idec}_B(v_{\mathfrak{m}})^T\big)^T$. Note that $\mathbf{H}_{\mathfrak{m}, B} \cdot \mathsf{vdec}_{\mathfrak{m}, B}(\mathbf{v}) = \mathbf{v}$. \smallskip
\item $\mathsf{vdec}'_{\mathfrak{m}, B}: [-B,B]^{\mathfrak{m}} \rightarrow \{-1,0,1\}^{\mathfrak{m}\delta_B}$ that maps vector
$\mathbf{w} = (w_1, \ldots, w_{\mathfrak{m}})^\top$ to vector
$\big(\sigma(w_1)\cdot\mathsf{idec}_B(w_1)^\top \| \ldots \| \sigma(w_{\mathfrak{m}})\cdot\mathsf{idec}_B(w_{\mathfrak{m}})^\top\big)^\top$, where for each $i=1, \ldots, \mathfrak{m}$: $\sigma(w_i) = 0$ if $w_i =0$; $\sigma(w_i) = -1$ if $w_i <0$; $\sigma(w_i) = 1$ if $w_i >0$. Note that $\mathbf{H}_{\mathfrak{m}, B} \cdot \mathsf{vdec}'_{\mathfrak{m}, B}(\mathbf{w}) = \mathbf{w}$.
$\mathbf{w} = (w_1, \ldots, w_{\mathfrak{m}})^T$ to vector
$\big(\sigma(w_1)\cdot\mathsf{idec}_B(w_1)^T \| \ldots \| \sigma(w_{\mathfrak{m}})\cdot\mathsf{idec}_B(w_{\mathfrak{m}})^T\big)^T$, where for each $i=1, \ldots, \mathfrak{m}$: $\sigma(w_i) = 0$ if $w_i =0$; $\sigma(w_i) = -1$ if $w_i <0$; $\sigma(w_i) = 1$ if $w_i >0$. Note that $\mathbf{H}_{\mathfrak{m}, B} \cdot \mathsf{vdec}'_{\mathfrak{m}, B}(\mathbf{w}) = \mathbf{w}$.
\end{enumerate}
We also define the following matrix decomposition procedure. For positive integers $n,m,q$, define the injective function $\mathsf{mdec}_{n,m,q}: \mathbb{Z}_q^{m \times n} \rightarrow \{0,1\}^{mn\delta_{q-1}}$ that maps matrix $\mathbf{X} = [\mathbf{x}_1 | \ldots | \mathbf{x}_n] \in \mathbb{Z}_q^{m \times n}$, where $\mathbf{x}_1, \ldots, \mathbf{x}_n \in \mathbb{Z}_q^m$, to vector
\begin{align*}
\mathsf{mdec}_{n,m,q}(\mathbf{X}) &= \big(\mathsf{vdec}_{m, q-1}(\mathbf{x}_1)^\top \| \ldots \|\ \mathsf{vdec}_{m,q-1}(\mathbf{x}_n)^\top\big)^\top \\
&= (x_{1,1}, \ldots, x_{1, mk}, x_{2,1}, \ldots, x_{2,mk}, \ldots, x_{n,1}, \ldots, x_{n,mk})^\top \\
\mathsf{mdec}_{n,m,q}(\mathbf{X}) &= \big(\mathsf{vdec}_{m, q-1}(\mathbf{x}_1)^T \| \ldots \|\ \mathsf{vdec}_{m,q-1}(\mathbf{x}_n)^T\big)^T \\
&= (x_{1,1}, \ldots, x_{1, mk}, x_{2,1}, \ldots, x_{2,mk}, \ldots, x_{n,1}, \ldots, x_{n,mk})^T \\
& \hspace{.6\textwidth}\in \{0,1\}^{nm \delta_{q-1}},
\end{align*}
where, for each $(i,j) \in [n] \times [m \delta_{q-1}]$, $x_{i,j} \in \{0,1\}$ denotes the $j$-th bit of the decomposition of the $i$-th column of $\mathbf{X}$. \\ \indent Looking ahead,
when proving
knowledge of witnesses $(\mathbf{X},\mathbf{s}) \in \ZZ_q^{m \times n} \times \ZZ_q^{n}$ satisfying $\mathbf{b} = \mathbf{X} \cdot \mathbf{s} + \mathbf{e} \bmod q$, we will have to consider terms of the form $x_{i,j} \cdot s_{i,t}$, where $\mathbf{s}=(s_1,\ldots,s_n)^\top \in \ZZ_q^n$ and
$(s_{i,1},\ldots,s_{i,\delta_{q-1}})^\top=\mathsf{idec}_{q-1}(s_i)$ for each
knowledge of witnesses $(\mathbf{X},\mathbf{s}) \in \ZZ_q^{m \times n} \times \ZZ_q^{n}$ satisfying $\mathbf{b} = \mathbf{X} \cdot \mathbf{s} + \mathbf{e} \bmod q$, we will have to consider terms of the form $x_{i,j} \cdot s_{i,t}$, where $\mathbf{s}=(s_1,\ldots,s_n)^T \in \ZZ_q^n$ and
$(s_{i,1},\ldots,s_{i,\delta_{q-1}})^T=\mathsf{idec}_{q-1}(s_i)$ for each
$i \in [n]$.
\subsection{Extensions and Permutations}\label{subsection:warm-up-ext-perm}
We now introduce the extensions and permutations which will be essential for proving quadratic relations.
\begin{itemize}
\item For each $c \in \{0,1\}$, denote by $\overline{c}$ the bit $1-c \in \{0,1\}$.
\item For $c_1,c_2 \in \{0,1\}$, define the vector $$\mathsf{ext}(c_1,c_2) = (\overline{c}_1\cdot \overline{c}_2, \overline{c}_1\cdot {c}_2, {c}_1\cdot \overline{c}_2, c_1\cdot c_2)^\top \in \{0,1\}^4.$$
\item For $b_1,b_2 \in \{0,1\}$, define the permutation $T_{b_1,b_2}$ that transforms vector $\mathbf{v} = (v_{0,0}, v_{0,1}, v_{1,0}, v_{1,1})^\top \in \mathbb{Z}_q^4$ to vector $(v_{{b}_1, {b}_2}, v_{{b}_1, \overline{b}_2}, v_{ \overline{b}_1,{b}_2}, v_{\overline{b}_1, \overline{b}_2})^\top$.
\item For $c_1,c_2 \in \{0,1\}$, define the vector $$\mathsf{ext}(c_1,c_2) = (\overline{c}_1\cdot \overline{c}_2, \overline{c}_1\cdot {c}_2, {c}_1\cdot \overline{c}_2, c_1\cdot c_2)^T \in \{0,1\}^4.$$
\item For $b_1,b_2 \in \{0,1\}$, define the permutation $T_{b_1,b_2}$ that transforms vector $\mathbf{v} = (v_{0,0}, v_{0,1}, v_{1,0}, v_{1,1})^T \in \mathbb{Z}_q^4$ to vector $(v_{{b}_1, {b}_2}, v_{{b}_1, \overline{b}_2}, v_{ \overline{b}_1,{b}_2}, v_{\overline{b}_1, \overline{b}_2})^T$.
Note that, for all $c_1, c_2, b_1, b_2 \in \{0,1\}$, we have the following:
\begin{eqnarray}
@ -430,36 +516,36 @@ We now introduce the extensions and permutations which will be essential for pro
\end{itemize}
where $\oplus$ denotes the bit-wise addition modulo $2$.
Now, for positive integers $n,m,k$, and for vectors $$\mathbf{x} = (x_{1,1}, \ldots, x_{1, mk}, x_{2,1}, \ldots, x_{2,mk}, \ldots, x_{n,1}, x_{n,mk})^\top \in \{0,1\}^{nmk}$$
and $\mathbf{s}_0 = (s_{1,1}, \ldots, s_{1,k}, s_{2,1}, \ldots, s_{2,k}, \ldots, s_{n,1}, \ldots, s_{n,k})^\top \in \{0,1\}^{nk}$, we define the vector $ \expandtimes (\mathbf{x}, \mathbf{s}_0) \in \{0,1\}^{4nmk^2}$ as
Now, for positive integers $n,m,k$, and for vectors $$\mathbf{x} = (x_{1,1}, \ldots, x_{1, mk}, x_{2,1}, \ldots, x_{2,mk}, \ldots, x_{n,1}, x_{n,mk})^T \in \{0,1\}^{nmk}$$
and $\mathbf{s}_0 = (s_{1,1}, \ldots, s_{1,k}, s_{2,1}, \ldots, s_{2,k}, \ldots, s_{n,1}, \ldots, s_{n,k})^T \in \{0,1\}^{nk}$, we define the vector $ \expandtimes (\mathbf{x}, \mathbf{s}_0) \in \{0,1\}^{4nmk^2}$ as
\begin{align*}
\expandtimes (\mathbf{x}, \mathbf{s}_0) =
&\bigl( \mathsf{ext}^\top(x_{1,1}, s_{1,1}) \| \mathsf{ext}^\top(x_{1,1}, s_{1,2}) \| \ldots \| \mathsf{ext}^\top(x_{1,1}, s_{1,k}) \| \\
&\| \mathsf{ext}^\top(x_{1,2}, s_{1,1}) \| \mathsf{ext}^\top(x_{1,2}, s_{1,2}) \| \ldots \| \mathsf{ext}^\top(x_{1,2}, s_{1,k}) \| \ldots \\
&\| \mathsf{ext}^\top(x_{1,mk}, s_{1,1}) \| \mathsf{ext}^\top(x_{1,mk}, s_{1,2}) \| \ldots \| \mathsf{ext}^\top(x_{1,mk}, s_{1,k}) \| \\
&\| \mathsf{ext}^\top(x_{2,1}, s_{2,1}) \| \mathsf{ext}^\top(x_{2,1}, s_{2,2}) \| \ldots \| \mathsf{ext}^\top(x_{2,1}, s_{2,k}) \| \ldots \\
&\| \mathsf{ext}^\top(x_{2,mk}, s_{2,1}) \| \mathsf{ext}^\top(x_{2,mk}, s_{2,2}) \| \ldots \| \mathsf{ext}^\top(x_{2,mk}, s_{2,k}) \| \ldots \\
&\| \mathsf{ext}^\top(x_{n,1}, s_{n,1}) \| \mathsf{ext}^\top(x_{n,1}, s_{n,2}) \| \ldots \| \mathsf{ext}^\top(x_{n,1}, s_{n,k}) \| \ldots \\
&\| \mathsf{ext}^\top(x_{n,mk}, s_{n,1}) \| \mathsf{ext}^\top(x_{n,mk}, s_{n,2}) \| \ldots \| \mathsf{ext}^\top(x_{n,mk}, s_{n,k})
\bigr)^\top\hspace*{-2.5pt}.
&\bigl( \mathsf{ext}^T(x_{1,1}, s_{1,1}) \| \mathsf{ext}^T(x_{1,1}, s_{1,2}) \| \ldots \| \mathsf{ext}^T(x_{1,1}, s_{1,k}) \| \\
&\| \mathsf{ext}^T(x_{1,2}, s_{1,1}) \| \mathsf{ext}^T(x_{1,2}, s_{1,2}) \| \ldots \| \mathsf{ext}^T(x_{1,2}, s_{1,k}) \| \ldots \\
&\| \mathsf{ext}^T(x_{1,mk}, s_{1,1}) \| \mathsf{ext}^T(x_{1,mk}, s_{1,2}) \| \ldots \| \mathsf{ext}^T(x_{1,mk}, s_{1,k}) \| \\
&\| \mathsf{ext}^T(x_{2,1}, s_{2,1}) \| \mathsf{ext}^T(x_{2,1}, s_{2,2}) \| \ldots \| \mathsf{ext}^T(x_{2,1}, s_{2,k}) \| \ldots \\
&\| \mathsf{ext}^T(x_{2,mk}, s_{2,1}) \| \mathsf{ext}^T(x_{2,mk}, s_{2,2}) \| \ldots \| \mathsf{ext}^T(x_{2,mk}, s_{2,k}) \| \ldots \\
&\| \mathsf{ext}^T(x_{n,1}, s_{n,1}) \| \mathsf{ext}^T(x_{n,1}, s_{n,2}) \| \ldots \| \mathsf{ext}^T(x_{n,1}, s_{n,k}) \| \ldots \\
&\| \mathsf{ext}^T(x_{n,mk}, s_{n,1}) \| \mathsf{ext}^T(x_{n,mk}, s_{n,2}) \| \ldots \| \mathsf{ext}^T(x_{n,mk}, s_{n,k})
\bigr)^T\hspace*{-2.5pt}.
\end{align*}
That is, $ \expandtimes (\mathbf{x}, \mathbf{s}_0)$ is obtained by applying $\mathsf{ext}$ to all pairs of the form $(x_{i,j},s_{i,t})$ for $(i,j,t) \in [n] \times [mk] \times [k]$.
Now, for $\mathbf{b} = (b_{1,1}, \ldots, b_{1, mk}, b_{2,1}, \ldots, b_{2,mk}, \ldots, b_{n,1}, b_{n,mk})^\top \in \{0,1\}^{nmk}$ and $\mathbf{d} = (d_{1,1}, \ldots, d_{1,k}, d_{2,1}, \ldots, d_{2,k}, \ldots, d_{n,1}, \ldots, d_{n,k})^\top \in \{0,1\}^{nk}$, we define the permutation $P_{\mathbf{b}, \mathbf{d}}$ that transforms
Now, for $\mathbf{b} = (b_{1,1}, \ldots, b_{1, mk}, b_{2,1}, \ldots, b_{2,mk}, \ldots, b_{n,1}, b_{n,mk})^T \in \{0,1\}^{nmk}$ and $\mathbf{d} = (d_{1,1}, \ldots, d_{1,k}, d_{2,1}, \ldots, d_{2,k}, \ldots, d_{n,1}, \ldots, d_{n,k})^T \in \{0,1\}^{nk}$, we define the permutation $P_{\mathbf{b}, \mathbf{d}}$ that transforms
vector
\begin{align*}
\mathbf{v} = &\big( (\mathbf{v}_{1,1,1}^\top \| \ldots \| \mathbf{v}_{1,1, k}^\top ) \| ( \mathbf{v}_{1,2,1}^\top \| \ldots \| \mathbf{v}_{1,2,k}^\top ) \| \ldots \| ( \mathbf{v}_{1,mk,1}^\top \| \ldots \| \mathbf{v}_{1,mk,k}^\top ) \| \\
&~ (\mathbf{v}_{2,1,1}^\top \| \ldots \| \mathbf{v}_{2,1, k}^\top ) \| (\mathbf{v}_{2,2,1}^\top \| \ldots \| \mathbf{v}_{2,2,k}^\top ) \| \ldots \| ( \mathbf{v}_{2,mk,1}^\top \| \ldots \| \mathbf{v}_{2,mk,k}^\top ) \| \\
&~ \hspace*{-25pt} (\mathbf{v}_{n,1,1}^\top \| \ldots \| \mathbf{v}_{n,1, k}^\top ) \| ( \mathbf{v}_{n,2,1}^\top \| \ldots \| \mathbf{v}_{n,2,k}^\top ) \| \ldots \| ( \mathbf{v}_{n,mk,1}^\top \| \ldots \| \mathbf{v}_{n,mk,k}^\top )
\big)^\top \hspace*{-3.5pt}\in \hspace*{-1.5pt}\mathbb{Z}^{4nmk^2},
\mathbf{v} = &\big( (\mathbf{v}_{1,1,1}^T \| \ldots \| \mathbf{v}_{1,1, k}^T ) \| ( \mathbf{v}_{1,2,1}^T \| \ldots \| \mathbf{v}_{1,2,k}^T ) \| \ldots \| ( \mathbf{v}_{1,mk,1}^T \| \ldots \| \mathbf{v}_{1,mk,k}^T ) \| \\
&~ (\mathbf{v}_{2,1,1}^T \| \ldots \| \mathbf{v}_{2,1, k}^T ) \| (\mathbf{v}_{2,2,1}^T \| \ldots \| \mathbf{v}_{2,2,k}^T ) \| \ldots \| ( \mathbf{v}_{2,mk,1}^T \| \ldots \| \mathbf{v}_{2,mk,k}^T ) \| \\
&~ \hspace*{-25pt} (\mathbf{v}_{n,1,1}^T \| \ldots \| \mathbf{v}_{n,1, k}^T ) \| ( \mathbf{v}_{n,2,1}^T \| \ldots \| \mathbf{v}_{n,2,k}^T ) \| \ldots \| ( \mathbf{v}_{n,mk,1}^T \| \ldots \| \mathbf{v}_{n,mk,k}^T )
\big)^T \hspace*{-3.5pt}\in \hspace*{-1.5pt}\mathbb{Z}^{4nmk^2},
\end{align*}
consisting of $nmk^2$ blocks of length $4$, to the vector $P_{\mathbf{b}, \mathbf{d}}(\mathbf{v})$ of the form
\begin{align*}
\big(~& (\mathbf{w}_{1,1,1}^\top \| \ldots \| \mathbf{w}_{1,1, k}^\top ) \| ( \mathbf{w}_{1,2,1}^\top \| \ldots \| \mathbf{w}_{1,2,k}^\top ) \| \ldots \| ( \mathbf{w}_{1,mk,1}^\top \| \ldots \| \mathbf{w}_{1,mk,k}^\top ) \| \\
& ( \mathbf{w}_{2,1,1}^\top \| \ldots \| \mathbf{w}_{2,1, k}^\top ) \| ( \mathbf{w}_{2,2,1}^\top \| \ldots \| \mathbf{w}_{2,2,k}^\top ) \| \ldots \| ( \mathbf{w}_{2,mk,1}^\top \| \ldots \| \mathbf{w}_{2,mk,k}^\top ) \| \\
& (\mathbf{w}_{n,1,1}^\top \| \ldots \| \mathbf{w}_{n,1, k}^\top ) \| (\mathbf{w}_{n,2,1}^\top \| \ldots \| \mathbf{w}_{n,2,k}^\top ) \| \ldots \| (\mathbf{w}_{n,mk,1}^\top \| \ldots \| \mathbf{w}_{n,mk,k}^\top )
~ \big)^\top,
\big(~& (\mathbf{w}_{1,1,1}^T \| \ldots \| \mathbf{w}_{1,1, k}^T ) \| ( \mathbf{w}_{1,2,1}^T \| \ldots \| \mathbf{w}_{1,2,k}^T ) \| \ldots \| ( \mathbf{w}_{1,mk,1}^T \| \ldots \| \mathbf{w}_{1,mk,k}^T ) \| \\
& ( \mathbf{w}_{2,1,1}^T \| \ldots \| \mathbf{w}_{2,1, k}^T ) \| ( \mathbf{w}_{2,2,1}^T \| \ldots \| \mathbf{w}_{2,2,k}^T ) \| \ldots \| ( \mathbf{w}_{2,mk,1}^T \| \ldots \| \mathbf{w}_{2,mk,k}^T ) \| \\
& (\mathbf{w}_{n,1,1}^T \| \ldots \| \mathbf{w}_{n,1, k}^T ) \| (\mathbf{w}_{n,2,1}^T \| \ldots \| \mathbf{w}_{n,2,k}^T ) \| \ldots \| (\mathbf{w}_{n,mk,1}^T \| \ldots \| \mathbf{w}_{n,mk,k}^T )
~ \big)^T,
\end{align*}
where for each $(i,j,t) \in [n]\times [mk] \times [k]$: \hspace*{2.5pt}$\mathbf{w}_{i,j,t} = T_{b_{i,j}, d_{i,t}}(\mathbf{v}_{i,j,t})$.
\smallskip
@ -473,23 +559,23 @@ Observe that, for all $\mathbf{b} \in \{0,1\}^{nmk}, \mathbf{d} \in \{0,1\}^{nk}
\noindent
Next, we recall the notations, extensions and permutations used in previous Stern-like protocols~\cite{LNSW13,LNW15,ELL+15,LLM+16} for proving linear relations.
For any positive integer $t$, denote by $\mathcal{S}_t$ the symmetric group of all permutations of~$t$ elements, by $\mathsf{B}_{2t}$ the set of all vectors in $\{0,1\}^{2t}$ having Hamming weight~$t$, and by $\mathsf{B}_{3t}$ the set of all vectors in $\{-1,0,1\}^{3t}$ having exactly $t$ coordinates equal to $j$, for each $j \in \{-1,0,1\}$.
Note that for any $\phi \in \mathcal{S}_{2t}$ and $\psi\in \mathcal{S}_{3t}$, we have the following equivalences:
For any positive integer $t$, denote by $\permutations_t$ the symmetric group of all permutations of~$t$ elements, by $\mathsf{B}_{2t}$ the set of all vectors in $\{0,1\}^{2t}$ having Hamming weight~$t$, and by $\mathsf{B}_{3t}$ the set of all vectors in $\{-1,0,1\}^{3t}$ having exactly $t$ coordinates equal to $j$, for each $j \in \{-1,0,1\}$.
Note that for any $\phi \in \permutations_{2t}$ and $\psi\in \permutations_{3t}$, we have the following equivalences:
\begin{eqnarray}\label{eq:permuting-B_2t_B_3t}
\mathbf{x} \in \mathsf{B}_{2t} \Longleftrightarrow \phi(\mathbf{x}) \in \mathsf{B}_{2t} \hspace*{7.5pt}\text{ and }\hspace*{7.5pt} \mathbf{y} \in \mathsf{B}_{3t} \Longleftrightarrow \psi(\mathbf{y}) \in \mathsf{B}_{3t}.
\end{eqnarray}
The following extending procedures are defined for any positive integers $t$.
\begin{itemize}
\item $\mathsf{ExtendTwo}_t: \{0,1\}^{t} \rightarrow \mathsf{B}_{2t}$. On input vector $\mathbf{x}$ with Hamming weight $w$, it outputs
\[\mathbf{x}' = (\mathbf{x}^\top \| \mathbf{1}^{t-w} \| \mathbf{0}^{w})^\top. \]
\[\mathbf{x}' = (\mathbf{x}^T \| \mathbf{1}^{t-w} \| \mathbf{0}^{w})^T. \]
\item $\mathsf{ExtendThree}_t: \{-1,0,1\}^{t} \rightarrow \mathsf{B}_{3t}$. On input vector $\mathbf{y}$ containing $n_j$ coordinates equal to $j$ for $j \in \{-1,0,1\}$, this procedure outputs the vector
\[\mathbf{y}' = (\mathbf{y}^\top \| \mathbf{1}^{t-n_1}
\[\mathbf{y}' = (\mathbf{y}^T \| \mathbf{1}^{t-n_1}
\| \mathbf{0}^{t-n_0} \| \mathbf{(-1)}^{t-n_{-1}}).\]
\end{itemize}
We also use the following encoding and permutation to achieve fine-grained control over coordinates of binary witness-vectors.
\begin{itemize}
\item For any positive integer $t$, define the function $\mathsf{encode}_t$ that encodes vector $\mathbf{x} = (x_1, \ldots, x_t)^\top\in \{0,1\}^t$ to vector $\mathsf{encode}_t(\mathbf{x}) = (\bar{x}_1, x_1, \ldots, \bar{x}_t, x_t)^\top \in \{0,1\}^{2t}$.
\item For any positive integer $t$ and any vector $\mathbf{c} = (c_1, \ldots, c_t)^\top \in \{0,1\}^t$, define the permutation $F_{\mathbf{c}}^{(t)}$ that transforms vector $\mathbf{v} = (v_1^{(0)}, v_1^{(1)}, \ldots, v_t^{(0)}, v_t^{(1)})^\top \in \ZZ^{2t}$ into vector $F_{\mathbf{c}}^{(t)}(\mathbf{v}) = (v_1^{(c_1)}, v_1^{(\bar{c}_1)}, \ldots, v_t^{(c_t)}, v_t^{(\bar{c}_t)})^\top$.
\item For any positive integer $t$, define the function $\mathsf{encode}_t$ that encodes vector $\mathbf{x} = (x_1, \ldots, x_t)^T\in \{0,1\}^t$ to vector $\mathsf{encode}_t(\mathbf{x}) = (\bar{x}_1, x_1, \ldots, \bar{x}_t, x_t)^T \in \{0,1\}^{2t}$.
\item For any positive integer $t$ and any vector $\mathbf{c} = (c_1, \ldots, c_t)^T \in \{0,1\}^t$, define the permutation $F_{\mathbf{c}}^{(t)}$ that transforms vector $\mathbf{v} = (v_1^{(0)}, v_1^{(1)}, \ldots, v_t^{(0)}, v_t^{(1)})^T \in \ZZ^{2t}$ into vector $F_{\mathbf{c}}^{(t)}(\mathbf{v}) = (v_1^{(c_1)}, v_1^{(\bar{c}_1)}, \ldots, v_t^{(c_t)}, v_t^{(\bar{c}_t)})^T$.
\end{itemize}
Note that the following equivalence holds for all $t, \mathbf{c}$:
\begin{eqnarray}\label{eq:equivalence-encoding}
@ -519,25 +605,25 @@ Moreover, the argument system should be readily extended to proving that $\mathb
Let $q_1, \ldots, q_k \in \Zq$ be the sequence of integers obtained by decomposing $q-1$ using the technique recalled in
Section \ref{subsection:decomposition}, and define the row vector $\mathbf{g} = (q_1, \ldots, q_k)$.
Let $\mathbf{X} = [\mathbf{x}_1 | \ldots | \mathbf{x}_n] \in \Zq^{m \times n}$ and $\mathbf{s}= (s_1, \ldots, s_n)^\top$.
For each index $i \in [n]$, let us consider $\mathsf{vdec}_{m,q-1}(\mathbf{x}_i) = (x_{i,1}, \ldots, x_{i,mk})^\top \in \{0,1\}^{mk}$.
Let $\mathbf{X} = [\mathbf{x}_1 | \ldots | \mathbf{x}_n] \in \Zq^{m \times n}$ and $\mathbf{s}= (s_1, \ldots, s_n)^T$.
For each index $i \in [n]$, let us consider $\mathsf{vdec}_{m,q-1}(\mathbf{x}_i) = (x_{i,1}, \ldots, x_{i,mk})^T \in \{0,1\}^{mk}$.
Let
\[ \mathsf{vdec}_{n,q-1}(\mathbf{s})= (s_{1,1}, \ldots, s_{1,k}, s_{2,1}, \ldots, s_{2,k}, \ldots, s_{n,1}, \ldots s_{n,k})^\top \in \{0,1\}^{nk} \]
and observe that $s_i = \mathbf{g} \cdot \mathsf{idec}_{q-1}(s_i)= \mathbf{g}\cdot (s_{i,1}, \ldots, s_{i,k})^\top$ for each $i \in [n]$.
\[ \mathsf{vdec}_{n,q-1}(\mathbf{s})= (s_{1,1}, \ldots, s_{1,k}, s_{2,1}, \ldots, s_{2,k}, \ldots, s_{n,1}, \ldots s_{n,k})^T \in \{0,1\}^{nk} \]
and observe that $s_i = \mathbf{g} \cdot \mathsf{idec}_{q-1}(s_i)= \mathbf{g}\cdot (s_{i,1}, \ldots, s_{i,k})^T$ for each $i \in [n]$.
We have:
\begin{eqnarray*}
\mathbf{X}\cdot \mathbf{s} &=& \sum_{i=1}^n \mathbf{x}_i\cdot s_i = \sum_{i=1}^n \mathbf{H}_{m,q-1}\cdot \mathsf{vdec}_{m,q-1}(\mathbf{x}_i)\cdot s_i \\
&=& \mathbf{H}_{m,q-1}\cdot \Big(\sum_{i=1}^n (x_{i,1}\cdot s_i, \ldots, x_{i,mk}\cdot s_i)^\top\Big) \bmod q.
&=& \mathbf{H}_{m,q-1}\cdot \Big(\sum_{i=1}^n (x_{i,1}\cdot s_i, \ldots, x_{i,mk}\cdot s_i)^T\Big) \bmod q.
\end{eqnarray*}
Observe that, for each $i \in [n]$ and each $j \in [mk]$, we have
\begin{align*}
x_{i,j}\cdot s_i &= x_{i,j}\cdot \mathbf{g} \cdot (s_{i,1}, \ldots, s_{i,k})^\top \\
&= (q_1, \ldots, q_k) \cdot (x_{i,j}\cdot s_{i,1}, \ldots, x_{i,j}\cdot s_{i,k})^\top.
x_{i,j}\cdot s_i &= x_{i,j}\cdot \mathbf{g} \cdot (s_{i,1}, \ldots, s_{i,k})^T \\
&= (q_1, \ldots, q_k) \cdot (x_{i,j}\cdot s_{i,1}, \ldots, x_{i,j}\cdot s_{i,k})^T.
\end{align*}
We now extend vector $(q_1, q_2, \ldots, q_k)$ to $\mathbf{g}' \hspace*{-1.5pt}=\hspace*{-1.5pt} (0,0,0,q_1, 0,0,0, q_2, \ldots, 0,0,0,q_k) \in \Zq^{4k}$.
For all $(i,j) \in [n]\times [mk]$, we have:
$$
x_{i,j}\cdot s_i = \mathbf{g}' \cdot (\mathsf{ext}^\top(x_{i,j}, s_{i,1}) \| \ldots \| \mathsf{ext}^\top(x_{i,j},s_{i,k}))^\top.
x_{i,j}\cdot s_i = \mathbf{g}' \cdot (\mathsf{ext}^T(x_{i,j}, s_{i,1}) \| \ldots \| \mathsf{ext}^T(x_{i,j},s_{i,k}))^T.
$$
Let us define the matrices
\begin{eqnarray} \label{Q0-def}
@ -549,17 +635,17 @@ Let us define the matrices
\end{eqnarray}
and $\widehat{\mathbf{Q}} = [\overbrace{\mathbf{Q}_0 | \ldots | \mathbf{Q}_0}^{n \text{ times }}] \in \Zq^{mk \times 4nmk^2}$. For each $i \in [n]$, define
\begin{align*}
\mathbf{y}_i = \bigl( &\mathsf{ext}^\top(x_{i,1}, s_{i,1}) \| \ldots \| \mathsf{ext}^\top(x_{i,1},s_{i,k}))^\top \| \mathsf{ext}^\top(x_{i,2},s_{i,1}) \| \ldots \| \mathsf{ext}^\top(x_{i,2}, s_{i,k}) \\
& \| \ldots \|\mathsf{ext}^\top(x_{i,mk},s_{i,1} \| \ldots \| \mathsf{ext}^\top(x_{i,mk}, s_{i,k}) \bigr)^\top \in \{0,1\}^{4mk^2}.
\mathbf{y}_i = \bigl( &\mathsf{ext}^T(x_{i,1}, s_{i,1}) \| \ldots \| \mathsf{ext}^T(x_{i,1},s_{i,k}))^T \| \mathsf{ext}^T(x_{i,2},s_{i,1}) \| \ldots \| \mathsf{ext}^T(x_{i,2}, s_{i,k}) \\
& \| \ldots \|\mathsf{ext}^T(x_{i,mk},s_{i,1} \| \ldots \| \mathsf{ext}^T(x_{i,mk}, s_{i,k}) \bigr)^T \in \{0,1\}^{4mk^2}.
\end{align*}
Then, for all $i \in [n]$, we have:
$
(x_{i,1}\cdot s_i, \ldots, x_{i,mk}\cdot s_i)^\top = \mathbf{Q}_0 \cdot \mathbf{y}_i.
(x_{i,1}\cdot s_i, \ldots, x_{i,mk}\cdot s_i)^T = \mathbf{Q}_0 \cdot \mathbf{y}_i.
$
Now, we note that $$(\mathbf{y}_1^\top \| \ldots \| \mathbf{y}_n^\top)^\top = \expandtimes \bigl(\mathsf{mdec}_{n,m,q}(\mathbf{X}), \mathsf{vdec}_{n,q-1}(\mathbf{s})\bigr),$$
Now, we note that $$(\mathbf{y}_1^T \| \ldots \| \mathbf{y}_n^T)^T = \expandtimes \bigl(\mathsf{mdec}_{n,m,q}(\mathbf{X}), \mathsf{vdec}_{n,q-1}(\mathbf{s})\bigr),$$
and
\begin{multline} \label{almost}
\sum_{i=1}^n (x_{i,1}\cdot s_i, \ldots, x_{i,mk}\cdot s_i)^\top \\ = \sum_{i=1}^n \mathbf{Q}_0 \cdot \mathbf{y}_i = \widehat{\mathbf{Q}}\cdot \expandtimes \bigl(\mathsf{mdec}_{n,m,q}(\mathbf{X}), \mathsf{vdec}_{n,q-1}(\mathbf{s}) \bigr). \qquad
\sum_{i=1}^n (x_{i,1}\cdot s_i, \ldots, x_{i,mk}\cdot s_i)^T \\ = \sum_{i=1}^n \mathbf{Q}_0 \cdot \mathbf{y}_i = \widehat{\mathbf{Q}}\cdot \expandtimes \bigl(\mathsf{mdec}_{n,m,q}(\mathbf{X}), \mathsf{vdec}_{n,q-1}(\mathbf{s}) \bigr). \qquad
\end{multline}
Letting $\mathbf{Q}= \mathbf{H}_{m,q-1}\cdot \widehat{\mathbf{Q}} \in \Zq^{m \times 4nmk^2}$ and left-multiplying~\eqref{almost} by $ \mathbf{H}_{m,q-1}$, we obtain the equation:
@ -575,11 +661,11 @@ Letting $\mathbf{Q}= \mathbf{H}_{m,q-1}\cdot \widehat{\mathbf{Q}} \in \Zq^{m \t
$x_1$ & $x_2$ & $b_1$ & $b_2$ & ~$\mathsf{ext}(x_1,x_2)$~ & ~$T_{b_1,b_2}(\mathsf{ext}(x_1,x_2))$~ & ~$x_1 \oplus b_1$~& ~$x_2 \oplus b_2$~ &~$\mathsf{ext}(x_1 \oplus b_1, x_2 \oplus b_2)$~\\
\hline
\rule{0pt}{3ex}
$0$ & $0$ & $0$ & $0$ & $(1000)^\top$ & $(1000)^\top$ & $0$ & $0$ & $(1000)^\top$ \\[5pt]
$0$ & $0$ & $0$ & $0$ & $(1000)^T$ & $(1000)^T$ & $0$ & $0$ & $(1000)^T$ \\[5pt]
$0$ & $0$ & $0$ & $1$ & $(1000)^\top$ & $(0100)^\top$ & $0$ & $1$ & $(0100)^\top$ \\[5pt]
$0$ & $0$ & $0$ & $1$ & $(1000)^T$ & $(0100)^T$ & $0$ & $1$ & $(0100)^T$ \\[5pt]
$0$ & $0$ & $1$ & $0$ & $(1000)^\top$ & $(0010)^\top$ & $1$ & $0$ & $(0010)^\top$ \\[5pt]
$0$ & $0$ & $1$ & $0$ & $(1000)^T$ & $(0010)^T$ & $1$ & $0$ & $(0010)^T$ \\[5pt]
\hline
\end{tabular}
@ -607,7 +693,7 @@ We will explain in detail how this technique can be realized in the next subse
%**************************************************
\section{Our Lattice-Based Group Encryption Scheme} \label{groupenc-scheme}
To build a $\GE$ scheme using our zero-knowledge argument system, we need to choose a specific key-private CCA2-secure encryption scheme.
To build a $\mathsf{GE}$ scheme using our zero-knowledge argument system, we need to choose a specific key-private CCA2-secure encryption scheme.
The first idea is to use the CCA2-secure public-key cryptosystem which is implied by the Agrawal-Boneh-Boyen identity-based encryption (IBE) scheme \cite{ABB10} (which is
recalled in \cref{ap:ABB-IBE}) via the Canetti-Halevi-Katz (CHK) transformation \cite{CHK04}.
The ABB scheme is a natural choice since it has pseudo-random ciphertexts (which implies the key-privacy \cite{BBDP01} when the CHK paradigm
@ -640,18 +726,18 @@ trapdoor allowing to sample short vectors in $\Lambda_q^{\perp}(\mathbf{G})$, th
by running the $\mathsf{SampleRight}$ algorithm of Lemma \ref{lem:sampler}.
Having encrypted the witness $\mathbf{w} \in \{0,1\}^m$ by running the ABB encryption algorithm, the sender proceeds by encrypting a hash value of $\mathbf{B}_{\mathsf{U}} \in \Zq^{n \times \bar{m}}$ under the public key $\mathbf{B}_{\OA} = \bar{\mathbf{A}} \cdot \mathbf{T}_{\OA} \in \Zq^{n \times \bar{m}}$ of the opening authority. The latter hash value
is obtained as a bit-wise decomposition of $\mathbf{F} \cdot \mathsf{mdec}_{n,m,q}(\mathbf{B}_{\mathsf{U}}^\top) \in \Zq^{2n}$, where $\mathbf{F} \in \Zq^{2n \times n \bar{m} \lceil \log q \rceil}$
is a random public matrix and $\mathsf{mdec}_{n,m,q}(\mathbf{B}_{\mathsf{U}}^\top) \in \{0,1\}^{n \bar{m} \lceil \log q \rceil}$ denotes an entry-wise binary decomposition of the matrix $\mathbf{B}_{\mathsf{U}} \in \Zq^{n \times \bar{m}}$.
is obtained as a bit-wise decomposition of $\mathbf{F} \cdot \mathsf{mdec}_{n,m,q}(\mathbf{B}_{\mathsf{U}}^T) \in \Zq^{2n}$, where $\mathbf{F} \in \Zq^{2n \times n \bar{m} \lceil \log q \rceil}$
is a random public matrix and $\mathsf{mdec}_{n,m,q}(\mathbf{B}_{\mathsf{U}}^T) \in \{0,1\}^{n \bar{m} \lceil \log q \rceil}$ denotes an entry-wise binary decomposition of the matrix $\mathbf{B}_{\mathsf{U}} \in \Zq^{n \times \bar{m}}$.
By combining our new argument for quadratic relations and the extensions of Stern's protocol suggested in \cite{LNW15,LLM+16},
we are able to prove that some component of the ciphertext is of the form $\mathbf{c}=\mathbf{B}_{\mathsf{U}}^{\top} \cdot \mathbf{s} + \mathbf{e} \in \Zq^{\bar{m}}$, for some $\mathbf{s} \in \Zq^n$
we are able to prove that some component of the ciphertext is of the form $\mathbf{c}=\mathbf{B}_{\mathsf{U}}^{T} \cdot \mathbf{s} + \mathbf{e} \in \Zq^{\bar{m}}$, for some $\mathbf{s} \in \Zq^n$
and a small-norm $\mathbf{e} \in \ZZ^{\bar{m}}$ while also arguing possession of a signature on the binary decomposition
$\mathsf{mdec}_{n,m,q}(\mathbf{B}_{\mathsf{U}}^\top) \in \{0,1\}^{n \bar{m} \lceil \log q \rceil}$ of $\mathbf{B}_{\mathsf{U}}^\top$. For this purpose, we use a variant of a signature scheme
$\mathsf{mdec}_{n,m,q}(\mathbf{B}_{\mathsf{U}}^T) \in \{0,1\}^{n \bar{m} \lceil \log q \rceil}$ of $\mathbf{B}_{\mathsf{U}}^T$. For this purpose, we use a variant of a signature scheme
due to B\"ohl \textit{et al.}'s
signature \cite{BHJ+15} which was described in \cref{ch:gs-lwe}
(and of which a description is given in \cref{se:gs-lwe-sigep}).
At the same time, the prover $\mathcal{P}$ can also
argue that a hash value of $\mathsf{mdec}_{n,m,q}(\mathbf{B}_{\mathsf{U}}^\top) $ is properly
argue that a hash value of $\mathsf{mdec}_{n,m,q}(\mathbf{B}_{\mathsf{U}}^T) $ is properly
encrypted under the $\OA$'s public key using the ABB encryption scheme.
@ -659,7 +745,7 @@ encrypted under the $\OA$'s public key using the ABB encryption scheme.
\subsection{Description of the Scheme}
Our $\GE$ scheme allows encrypting witnesses for the \ISIS relation (as in \cref{de:sis}) $ \mathrm{R}_{\ISIS}(n,m,q,1)$, which
Our $\mathsf{GE}$ scheme allows encrypting witnesses for the \ISIS relation (as in \cref{de:sis}) $ \mathrm{R}_{\ISIS}(n,m,q,1)$, which
consists of pairs $((\mathbf{A}_R, \mathbf{u}_R), \mathbf{w}) \in (\Zq^{n \times m} \times \Zq^n) \times \{0,1\}^m $ satisfying $\mathbf{u}_R=\mathbf{A}_R \cdot \mathbf{w} \bmod q$.
This relation is in the same spirit as the one of Kiayias, Tsiounis and Yung \cite{KTY07}, who consider the verifiable encryption of discrete logarithms. While the construction of
\cite{KTY07} allow verifiably encrypting discrete-logarithm-type secret keys under the public key of some anonymous trusted third party, our construction makes it possible to encrypt GPV-type secret keys \cite{GPV08}. \smallskip
@ -727,7 +813,7 @@ $(\sk_{\OA},\pk_{\OA})=(\mathbf{T}_{\OA},\mathbf{B}_{\OA})$.
\item[2.] Upon receiving a public key $\mathsf{pk}_{\mathsf{U}} = \mathbf{B}_{\mathsf{U}} \in \mathbb{Z}_q^{n \times \bar{m}}$ from the user, the $\GM$ certifies $\pk_U$ via the following steps:
\smallskip
\begin{enumerate}
\item[a.] Compute $\mathbf{h}_{\mathsf{U}} = \mathbf{F}\cdot \mathsf{mdec}_{n,\bar{m},q}(\mathbf{B}_{\mathsf{U}}^\top) \in \mathbb{Z}_q^{2n}$ as a hash value
\item[a.] Compute $\mathbf{h}_{\mathsf{U}} = \mathbf{F}\cdot \mathsf{mdec}_{n,\bar{m},q}(\mathbf{B}_{\mathsf{U}}^T) \in \mathbb{Z}_q^{2n}$ as a hash value
of the public key $\pk_{\mathsf{U}}=\mathbf{B}_{\mathsf{U}} \in \Zq^{n \times \bar{m}}$. \smallskip %and let $\mathbf{e_M} = \mathsf{encode}(\mathsf{bin}(\mathbf{h_M})) \in \{0,1\}^{m}$.
\item[b.] Use the trapdoor $\sk_{\GM} = \mathbf{T_A}$ to generate a signature
\begin{eqnarray}\label{eq:cert-description}
@ -757,14 +843,14 @@ $(\sk_{\OA},\pk_{\OA})=(\mathbf{T}_{\OA},\mathbf{B}_{\OA})$.
\item[3.] Encrypt the witness $\mathbf{w} \in \{0,1\}^m$ under $\mathsf{U}$'s public key $\mathbf{B}_\mathsf{U} \in \Zq^{n \times \bar{m}}$ using the tag $\vk$ by taking the following steps: \smallskip
\begin{enumerate}
\item[a.] Sample $\mathbf{s}_{\rec} \leftarrow U(\mathbb{Z}_q^n)$, $\mathbf{R}_{\rec} \leftarrow D_{\ZZ,\sigma}^{m \times \bar{m}} $ and
$\mathbf{x}_{\rec}, \mathbf{y}_{\rec} \leftarrow \chi^m$. Compute $\mathbf{z}_{\rec} = \mathbf{R}_{\rec}^\top\cdot \mathbf{y}_{\rec} \in \mathbb{Z}^{\bar{m}}$.
$\mathbf{x}_{\rec}, \mathbf{y}_{\rec} \leftarrow \chi^m$. Compute $\mathbf{z}_{\rec} = \mathbf{R}_{\rec}^T\cdot \mathbf{y}_{\rec} \in \mathbb{Z}^{\bar{m}}$.
\item[b.] Compute
\begin{eqnarray}\label{eq:c-recipient}
\begin{cases}
\mathbf{c}_{\rec}^{(1)} = \bar{\mathbf{A}}^\top\cdot \mathbf{s}_{\rec} + \mathbf{y}_{\rec} \bmod q \\
\mathbf{c}_{\rec}^{(2)} %= \mathbf{B}_{\vk}^\top \cdot \mathbf{s}_{\rec} + \mathbf{z}_{\rec} \bmod q
= (\mathbf{B}_\mathsf{U} + \mathbf{H}_{\vk} \cdot \mathbf{G})^\top \cdot \mathbf{s}_{\rec} + \mathbf{z}_{\rec} \bmod q ; \\
\mathbf{c}_{\rec}^{(3)} = \mathbf{U}^\top \cdot \mathbf{s}_{\rec} + \mathbf{x}_{\rec} + \mathbf{w}\cdot \Big\lfloor\frac{q}{2}\Big\rfloor,
\mathbf{c}_{\rec}^{(1)} = \bar{\mathbf{A}}^T\cdot \mathbf{s}_{\rec} + \mathbf{y}_{\rec} \bmod q \\
\mathbf{c}_{\rec}^{(2)} %= \mathbf{B}_{\vk}^T \cdot \mathbf{s}_{\rec} + \mathbf{z}_{\rec} \bmod q
= (\mathbf{B}_\mathsf{U} + \mathbf{H}_{\vk} \cdot \mathbf{G})^T \cdot \mathbf{s}_{\rec} + \mathbf{z}_{\rec} \bmod q ; \\
\mathbf{c}_{\rec}^{(3)} = \mathbf{U}^T \cdot \mathbf{s}_{\rec} + \mathbf{x}_{\rec} + \mathbf{w}\cdot \Big\lfloor\frac{q}{2}\Big\rfloor,
\end{cases}
\end{eqnarray}
and let $\mathbf{c}_{\rec} = \big(\mathbf{c}_{\rec}^{(1)}, \mathbf{c}_{\rec}^{(2)}, \mathbf{c}_{\rec}^{(3)}\big)
@ -777,13 +863,13 @@ $(\sk_{\OA},\pk_{\OA})=(\mathbf{T}_{\OA},\mathbf{B}_{\OA})$.
the $\OA$'s public key $\mathbf{B}_{\OA} \in \Zq^{n \times \bar{m}}$ w.r.t. the tag $\vk \in \Zq^n$. Namely, conduct the following steps: \smallskip
\begin{enumerate}
\item[a.] Sample $\mathbf{s}_{\mathsf{oa}} \leftarrow U( \mathbb{Z}_q^n)$, $\mathbf{R}_{\mathsf{oa}} \leftarrow D_{\ZZ,\sigma}^{m \times \bar{m}}$,
$\mathbf{x}_{\mathsf{oa}} \leftarrow \chi^{m}, \mathbf{y}_{\mathsf{oa}} \leftarrow \chi^m$. Set $\mathbf{z}_{\mathsf{oa}} = \mathbf{R}_{\mathsf{oa}}^\top\cdot \mathbf{y}_{\mathsf{oa}} \in \ZZ^{\bar{m}}$.
$\mathbf{x}_{\mathsf{oa}} \leftarrow \chi^{m}, \mathbf{y}_{\mathsf{oa}} \leftarrow \chi^m$. Set $\mathbf{z}_{\mathsf{oa}} = \mathbf{R}_{\mathsf{oa}}^T\cdot \mathbf{y}_{\mathsf{oa}} \in \ZZ^{\bar{m}}$.
\item[b.] Compute
\begin{eqnarray}\label{eq:c-open}
\begin{cases}
\mathbf{c}_{\mathsf{oa}}^{(1)} = \bar{\mathbf{A}}^\top \cdot \mathbf{s}_{\mathsf{oa}} + \mathbf{y}_{\mathsf{oa}} \bmod q; \\
\mathbf{c}_{\mathsf{oa}}^{(2)} = (\mathbf{B}_\OA + \mathbf{H}_{\vk} \cdot \mathbf{G})^\top \cdot \mathbf{s}_{\mathsf{oa}} + \mathbf{z}_{\mathsf{oa}} \bmod q; \\
\mathbf{c}_{\mathsf{oa}}^{(3)} = \mathbf{V}^\top \cdot \mathbf{s}_{\mathsf{oa}} + \mathbf{x}_{\mathsf{oa}} + \mathsf{vdec}_{n,q-1}(\mathbf{h_\mathsf{U}})\cdot \Big\lfloor\frac{q}{2}\Big\rfloor,
\mathbf{c}_{\mathsf{oa}}^{(1)} = \bar{\mathbf{A}}^T \cdot \mathbf{s}_{\mathsf{oa}} + \mathbf{y}_{\mathsf{oa}} \bmod q; \\
\mathbf{c}_{\mathsf{oa}}^{(2)} = (\mathbf{B}_\OA + \mathbf{H}_{\vk} \cdot \mathbf{G})^T \cdot \mathbf{s}_{\mathsf{oa}} + \mathbf{z}_{\mathsf{oa}} \bmod q; \\
\mathbf{c}_{\mathsf{oa}}^{(3)} = \mathbf{V}^T \cdot \mathbf{s}_{\mathsf{oa}} + \mathbf{x}_{\mathsf{oa}} + \mathsf{vdec}_{n,q-1}(\mathbf{h_\mathsf{U}})\cdot \Big\lfloor\frac{q}{2}\Big\rfloor,
\end{cases}
\end{eqnarray}
and let $\mathbf{c}_{\mathsf{oa}} = \big(\mathbf{c}_{\mathsf{oa}}^{(1)}, \mathbf{c}_{\mathsf{oa}}^{(2)}, \mathbf{c}_{\mathsf{oa}}^{(3)}\big) \in \mathbb{Z}_q^m \times \mathbb{Z}_q^{\bar{m}} \times \mathbb{Z}_q^{m}$.
@ -815,7 +901,7 @@ and the state information $coins_{\mathbf{\Psi}}=\big( \mathbf{s}_{\rec}, \mathb
algorithm of Lemma \ref{lem:sampler}.
\item[b.] Compute
\begin{eqnarray*}
\mathbf{w} = \left\lfloor \Bigl( \mathbf{c}_{\rec}^{(3)} - \mathbf{E}_{\vk}^\top \cdot \begin{bmatrix} \mathbf{c}_{\rec}^{(1)} \\ \mathbf{c}_{\rec}^{(2)} \end{bmatrix} \Bigr) / \left\lfloor \frac{q}{2} \right\rfloor \right\rceil \in \ZZ^m
\mathbf{w} = \left\lfloor \Bigl( \mathbf{c}_{\rec}^{(3)} - \mathbf{E}_{\vk}^T \cdot \begin{bmatrix} \mathbf{c}_{\rec}^{(1)} \\ \mathbf{c}_{\rec}^{(2)} \end{bmatrix} \Bigr) / \left\lfloor \frac{q}{2} \right\rfloor \right\rceil \in \ZZ^m
\end{eqnarray*}
and return the obtained $\mathbf{w} \in \{0,1\}^m$.
\end{itemize}
@ -834,16 +920,16 @@ and the state information $coins_{\mathbf{\Psi}}=\big( \mathbf{s}_{\rec}, \mathb
a small-norm $\mathbf{E}_{\OA,\vk} \in \ZZ^{(m+\bar{m}) \times m} $ satisfying $\mathbf{B}_{\OA,\vk} \cdot \mathbf{E}_{\OA,\vk} = \mathbf{V} \bmod q$.
\item[b.] Compute
\begin{eqnarray*}
\mathbf{h} = \left\lfloor \Bigl( \mathbf{c}_{\mathsf{oa}}^{(3)} - \mathbf{E}_{\OA,\vk}^\top \cdot \begin{bmatrix} \mathbf{c}_{\mathsf{oa}}^{(1)} \\ \mathbf{c}_{\mathsf{oa}}^{(2)} \end{bmatrix} \Bigr) /
\mathbf{h} = \left\lfloor \Bigl( \mathbf{c}_{\mathsf{oa}}^{(3)} - \mathbf{E}_{\OA,\vk}^T \cdot \begin{bmatrix} \mathbf{c}_{\mathsf{oa}}^{(1)} \\ \mathbf{c}_{\mathsf{oa}}^{(2)} \end{bmatrix} \Bigr) /
\left\lfloor \frac{q}{2} \right\rfloor \right\rceil \in \{0,1\}^{m}
\end{eqnarray*}
and $\mathbf{h}_\mathsf{U}'=\mathbf{H}_{2n,q-1} \cdot \mathbf{h} \in \Zq^{2n}$.
\end{itemize}
\item[3.] Look up $\mathsf{database}$ to find a public key $\pk_\mathsf{U}=\mathbf{B}_\mathsf{U} \in \Zq^{n \times \bar{m}}$ that hashes
to $\mathbf{h}_\mathsf{U}' \in \Zq^{2n}$ (i.e., such that $\mathbf{h}_\mathsf{U}'= \mathbf{F} \cdot \mathsf{mdec}_{n,\bar{m},q}(\mathbf{B}_\mathsf{U}^\top)$). If more than one such key exists, return
to $\mathbf{h}_\mathsf{U}' \in \Zq^{2n}$ (i.e., such that $\mathbf{h}_\mathsf{U}'= \mathbf{F} \cdot \mathsf{mdec}_{n,\bar{m},q}(\mathbf{B}_\mathsf{U}^T)$). If more than one such key exists, return
$\perp$.
If only one key $\pk_\mathsf{U}=\mathbf{B}_{\mathsf{U}} \in \Zq^{n \times \bar{m}}$ satisfies $\mathbf{h}_\mathsf{U}'= \mathbf{F} \cdot \mathsf{mdec}_{n,\bar{m},q}(\mathbf{B}_\mathsf{U}^\top)$, return that key $\pk_\mathsf{U}$.
If only one key $\pk_\mathsf{U}=\mathbf{B}_{\mathsf{U}} \in \Zq^{n \times \bar{m}}$ satisfies $\mathbf{h}_\mathsf{U}'= \mathbf{F} \cdot \mathsf{mdec}_{n,\bar{m},q}(\mathbf{B}_\mathsf{U}^T)$, return that key $\pk_\mathsf{U}$.
In any other situation, return $\bot$.
\end{enumerate}
@ -870,7 +956,7 @@ and the state information $coins_{\mathbf{\Psi}}=\big( \mathbf{s}_{\rec}, \mathb
\medskip \smallskip
To this end $\mathcal{P}$ conducts the following steps. \medskip \smallskip \smallskip
\begin{itemize}
\item[1.] Decompose the matrix $\mathbf{B}_\mathsf{U} \in \Zq^{n \times \bar{m}}$ into $\mathbf{b}_{\mathsf{U}} = \mathsf{mdec}_{n,\bar{m},q}(\mathbf{B}_{\mathsf{U}}^\top) \in \{0,1\}^{n\bar{m}k}$ and the vectors $\mathbf{s}_{\rec} ,\mathbf{s}_{\mathsf{oa}} \in \Zq^n$ into $\mathbf{s}_{0,\rec} = \mathsf{vdec}_{n,q-1}(\mathbf{s}_{\rec}) \in \{0,1\}^{nk}$ and $\mathbf{s}_{0,\mathsf{oa}} = \mathsf{vdec}_{n,q-1}(\mathbf{s}_{\mathsf{oa}}) \in \{0,1\}^{nk}$. Combine the first two binary vectors into $\mathbf{z}_{\mathbf{\Psi}} = \expandtimes (\mathbf{b}_{\mathsf{U}},\mathbf{s}_{0,\rec}) \in \{0,1\}^{4n \bar{m} k^2}
\item[1.] Decompose the matrix $\mathbf{B}_\mathsf{U} \in \Zq^{n \times \bar{m}}$ into $\mathbf{b}_{\mathsf{U}} = \mathsf{mdec}_{n,\bar{m},q}(\mathbf{B}_{\mathsf{U}}^T) \in \{0,1\}^{n\bar{m}k}$ and the vectors $\mathbf{s}_{\rec} ,\mathbf{s}_{\mathsf{oa}} \in \Zq^n$ into $\mathbf{s}_{0,\rec} = \mathsf{vdec}_{n,q-1}(\mathbf{s}_{\rec}) \in \{0,1\}^{nk}$ and $\mathbf{s}_{0,\mathsf{oa}} = \mathsf{vdec}_{n,q-1}(\mathbf{s}_{\mathsf{oa}}) \in \{0,1\}^{nk}$. Combine the first two binary vectors into $\mathbf{z}_{\mathbf{\Psi}} = \expandtimes (\mathbf{b}_{\mathsf{U}},\mathbf{s}_{0,\rec}) \in \{0,1\}^{4n \bar{m} k^2}
$. Define
$$\mathbf{Q} = \mathbf{H}_{\bar{m},q-1} \cdot [\overbrace{\mathbf{Q}_0 | \ldots | \mathbf{Q}_0}^{n \text{ times }}] \in \Zq^{\bar{m} \times 4n \bar{m} k^2} ,$$ where
$\mathbf{Q}_0 = \mathbf{I}_{\bar{m} k} \otimes \mathbf{g}' \in \Zq^{\bar{m}k \times 4 \bar{m} k^2}$ is the matrix defined as in (\ref{Q0-def}).
@ -879,7 +965,7 @@ $. Define
\begin{eqnarray*}
\left\{
\begin{array}{l}
\tau \in \{0,1\}^\ell, ~\mathbf{d}=[\mathbf{d}_1^\top | \mathbf{d}_2^\top ]^\top \in [-\beta,\beta]^{2m},~\mathbf{r} \in [-\beta,\beta]^m \\
\tau \in \{0,1\}^\ell, ~\mathbf{d}=[\mathbf{d}_1^T | \mathbf{d}_2^T ]^T \in [-\beta,\beta]^{2m},~\mathbf{r} \in [-\beta,\beta]^m \\
\mathbf{t}_{\mathsf{U}} \in \{0,1\}^{m},~\mathbf{w}_{\mathsf{U}} \in \{0,1\}^{\bar{m}} \\
\mathbf{b}_{\mathsf{U}} \in \{0,1\}^{n \bar{m} k}, ~\mathbf{s}_{0,\rec} \in \{0,1\}^{nk}, ~
\mathbf{z}_{\mathbf{\Psi}} = \expandtimes (\mathbf{b}_{\mathsf{U}},\mathbf{s}_{0,\rec})
@ -902,25 +988,25 @@ $. Define
\end{eqnarray}
as well as
\begin{eqnarray} \nonumber
\mathbf{c}_{\rec}^{(1)} &=& \left[ \begin{array}{c|c} \bar{\mathbf{A}}^\top \cdot \mathbf{H}_{n,q-1} ~ &~ \mathbf{I}_m \end{array} \right] \cdot \begin{bmatrix} \mathbf{s}_{0,\rec} \\ \hline \mathbf{y}_{\rec} \end{bmatrix} , \qquad \quad \\ \label{rel-deux}
\mathbf{c}_{\rec}^{(1)} &=& \left[ \begin{array}{c|c} \bar{\mathbf{A}}^T \cdot \mathbf{H}_{n,q-1} ~ &~ \mathbf{I}_m \end{array} \right] \cdot \begin{bmatrix} \mathbf{s}_{0,\rec} \\ \hline \mathbf{y}_{\rec} \end{bmatrix} , \qquad \quad \\ \label{rel-deux}
\mathbf{z}_{\mathbf{\Psi}} &= & \expandtimes (\mathbf{b}_{\mathsf{U}},\mathbf{s}_{0,\rec}) \qquad \qquad \\ \nonumber
\mathbf{c}_{\rec}^{(2)} &=&
\left[ \begin{array}{c|c|c} \mathbf{Q} ~&~ \mathbf{G}^\top \cdot \mathbf{H}_\vk^\top \cdot \mathbf{H}_{n,q-1} ~& ~ \mathbf{I}_{\bar{m}}
\left[ \begin{array}{c|c|c} \mathbf{Q} ~&~ \mathbf{G}^T \cdot \mathbf{H}_\vk^T \cdot \mathbf{H}_{n,q-1} ~& ~ \mathbf{I}_{\bar{m}}
\end{array} \right] \cdot \begin{bmatrix} \mathbf{z}_{\mathbf{\Psi}} \\ \hline \mathbf{s}_{0,\rec} \\ \hline \mathbf{z}_{\rec} \end{bmatrix} , \qquad \quad \\ \nonumber
\mathbf{c}_{\rec}^{(3)} &=&
\left[ \begin{array}{c|c|c} ~ \mathbf{U}^\top \cdot \mathbf{H}_{n,q-1} ~~& ~~ \mathbf{I}_m ~~& ~~\mathbf{I}_m \cdot \lfloor \frac{q}{p} \rfloor ~
\left[ \begin{array}{c|c|c} ~ \mathbf{U}^T \cdot \mathbf{H}_{n,q-1} ~~& ~~ \mathbf{I}_m ~~& ~~\mathbf{I}_m \cdot \lfloor \frac{q}{p} \rfloor ~
\end{array} \right] \cdot \begin{bmatrix} \mathbf{s}_{0,\rec} \\ \hline \mathbf{x}_{\rec} \\ \hline \mathbf{w} \end{bmatrix} , \\ \nonumber
\mathbf{u}_R &=& \mathbf{A}_R \cdot \mathbf{w} \bmod q
\end{eqnarray}
and
\begin{eqnarray} \nonumber
\mathbf{c}_{\mathsf{oa}}^{(1)} &=& \left[ \begin{array}{c|c} \bar{\mathbf{A}}^\top \cdot \mathbf{H}_{n,q-1} ~& ~ \mathbf{I}_m
\mathbf{c}_{\mathsf{oa}}^{(1)} &=& \left[ \begin{array}{c|c} \bar{\mathbf{A}}^T \cdot \mathbf{H}_{n,q-1} ~& ~ \mathbf{I}_m
\end{array} \right] \cdot \begin{bmatrix} \mathbf{s}_{0,\mathsf{oa}} \\ \hline \mathbf{y}_{\mathsf{oa}} \end{bmatrix} , \qquad \quad \\ \label{rel-trois}
\mathbf{c}_{\mathsf{oa}}^{(2)} &=&
\left[ \begin{array}{c|c} (\mathbf{B}_\OA + \mathbf{H}_\vk \cdot \mathbf{G} )^\top \cdot \mathbf{H}_{n,q-1} ~& ~ \mathbf{I}_{\bar{m}}
\left[ \begin{array}{c|c} (\mathbf{B}_\OA + \mathbf{H}_\vk \cdot \mathbf{G} )^T \cdot \mathbf{H}_{n,q-1} ~& ~ \mathbf{I}_{\bar{m}}
\end{array} \right] \cdot \begin{bmatrix} \mathbf{s}_{0,\mathsf{oa}} \\ \hline \mathbf{z}_{\mathsf{oa}} \end{bmatrix} , \qquad \quad \\ \nonumber
\mathbf{c}_{\mathsf{oa}}^{(3)} &=&
\left[ \begin{array}{c|c|c} ~ \mathbf{V}^\top \cdot \mathbf{H}_{n,q-1} ~~& ~ ~ \mathbf{I}_m~~& ~~\mathbf{I}_m \cdot \lfloor \frac{q}{2} \rfloor ~
\left[ \begin{array}{c|c|c} ~ \mathbf{V}^T \cdot \mathbf{H}_{n,q-1} ~~& ~ ~ \mathbf{I}_m~~& ~~\mathbf{I}_m \cdot \lfloor \frac{q}{2} \rfloor ~
\end{array} \right] \cdot \begin{bmatrix} \mathbf{s}_{0,\mathsf{oa}} \\ \hline \mathbf{x}_{\mathsf{oa}} \\ \hline \mathbf{t}_{\mathsf{U}} \end{bmatrix} .
\end{eqnarray}
The protocol is repeated $\kappa$ times to make the soundness error negligibly small.
@ -944,17 +1030,17 @@ such that the following system of $10$ equations holds:
+ (-\mathbf{D})\cdot\mathbf{w}_\textsf{U} \bmod q, \\[5pt]
\mathbf{0} = \mathbf{H}_{n, q-1}\cdot \mathbf{w}_\textsf{U} + (-\mathbf{D}_0)\cdot \mathbf{r} + (-\mathbf{D}_1)\cdot \mathbf{t}_\textsf{U} \bmod q, \\[5pt]
\mathbf{0} = \mathbf{H}_{2n,q-1}\cdot \mathbf{t}_\textsf{U} + (-\mathbf{F})\cdot\mathbf{b}_\textsf{U}\bmod q, \\[5pt]
\mathbf{c}_{\rec}^{(1)} = (\bar{\mathbf{A}}^\top\cdot \mathbf{H}_{n,q-1}) \cdot \mathbf{s}_{0,\rec} + \mathbf{I}_m\cdot \mathbf{y}_{\rec} \bmod q, \\[5pt]
\mathbf{c}_{\rec}^{(2)} = \mathbf{Q}\cdot \mathbf{z}_{\mathbf{\Psi}} + (\mathbf{G}^\top\cdot \mathbf{H}_{\vk}^\top \cdot \mathbf{H}_{n,q-1})\cdot \mathbf{s}_{0,\rec} + \mathbf{I}_{\bar{m}} \cdot \mathbf{z}_{\rec} \bmod q, \\[5pt]
\mathbf{c}_{\rec}^{(3)} = (\mathbf{U}^\top\cdot \mathbf{H}_{n,q-1})\cdot \mathbf{s}_{0,\rec} + \mathbf{I}_m\cdot \mathbf{x}_{\rec} + (\lfloor \frac{q}{2}\rfloor\cdot \mathbf{I}_m)\cdot \mathbf{w} \bmod q, \\[5pt]
\mathbf{c}_{\rec}^{(1)} = (\bar{\mathbf{A}}^T\cdot \mathbf{H}_{n,q-1}) \cdot \mathbf{s}_{0,\rec} + \mathbf{I}_m\cdot \mathbf{y}_{\rec} \bmod q, \\[5pt]
\mathbf{c}_{\rec}^{(2)} = \mathbf{Q}\cdot \mathbf{z}_{\mathbf{\Psi}} + (\mathbf{G}^T\cdot \mathbf{H}_{\vk}^T \cdot \mathbf{H}_{n,q-1})\cdot \mathbf{s}_{0,\rec} + \mathbf{I}_{\bar{m}} \cdot \mathbf{z}_{\rec} \bmod q, \\[5pt]
\mathbf{c}_{\rec}^{(3)} = (\mathbf{U}^T\cdot \mathbf{H}_{n,q-1})\cdot \mathbf{s}_{0,\rec} + \mathbf{I}_m\cdot \mathbf{x}_{\rec} + (\lfloor \frac{q}{2}\rfloor\cdot \mathbf{I}_m)\cdot \mathbf{w} \bmod q, \\[5pt]
\mathbf{u}_R = \mathbf{A}_R\cdot \mathbf{w} \bmod q, \\[5pt]
\mathbf{c}_{\mathsf{oa}}^{(1)} = (\bar{\mathbf{A}}^\top \cdot \mathbf{H}_{n,q-1})\cdot \mathbf{s}_{0,\mathsf{oa}} + \mathbf{I}_m\cdot \mathbf{y}_{\mathsf{oa}} \bmod q, \\[5pt]
\mathbf{c}_{\mathsf{oa}}^{(2)} = [(\mathbf{B}_{\OA} + \mathbf{H}_{\vk}\cdot \mathbf{G})^\top\cdot \mathbf{H}_{n,q-1}]\cdot \mathbf{s}_{0,\mathsf{oa}} + \mathbf{I}_{\bar{m}}\cdot \mathbf{z}_{\mathsf{oa}} \bmod q, \\[5pt]
\mathbf{c}_{\mathsf{oa}}^{(3)} = (\mathbf{V}^\top\cdot \mathbf{H}_{n,q-1})\cdot \mathbf{s}_{0, \mathsf{oa}} + \mathbf{I}_m\cdot \mathbf{x}_{\mathsf{oa}} + (\lfloor \frac{q}{2}\rfloor\cdot \mathbf{I}_m)\cdot \mathbf{t}_{\mathsf{U}} \bmod q.
\mathbf{c}_{\mathsf{oa}}^{(1)} = (\bar{\mathbf{A}}^T \cdot \mathbf{H}_{n,q-1})\cdot \mathbf{s}_{0,\mathsf{oa}} + \mathbf{I}_m\cdot \mathbf{y}_{\mathsf{oa}} \bmod q, \\[5pt]
\mathbf{c}_{\mathsf{oa}}^{(2)} = [(\mathbf{B}_{\OA} + \mathbf{H}_{\vk}\cdot \mathbf{G})^T\cdot \mathbf{H}_{n,q-1}]\cdot \mathbf{s}_{0,\mathsf{oa}} + \mathbf{I}_{\bar{m}}\cdot \mathbf{z}_{\mathsf{oa}} \bmod q, \\[5pt]
\mathbf{c}_{\mathsf{oa}}^{(3)} = (\mathbf{V}^T\cdot \mathbf{H}_{n,q-1})\cdot \mathbf{s}_{0, \mathsf{oa}} + \mathbf{I}_m\cdot \mathbf{x}_{\mathsf{oa}} + (\lfloor \frac{q}{2}\rfloor\cdot \mathbf{I}_m)\cdot \mathbf{t}_{\mathsf{U}} \bmod q.
\end{cases}
\end{eqnarray}
Let $\mathbf{w}_1 = \mathbf{b}_{\mathsf{U}}$, $\mathbf{w}_2 = \mathbf{s}_{0,\rec}$, $\mathbf{w}_3 = \mathbf{z}_{\mathbf{\Psi}} = \expandtimes (\mathbf{b}_{\mathsf{U}},\mathbf{s}_{0,\rec})$, $\mathbf{w}_4 = \mathbf{w}_{\mathsf{U}}$, $\mathbf{w}_5 = \mathbf{t}_{\mathsf{U}}$,
$\mathbf{w}_6 = \mathbf{s}_{0,\mathsf{oa}}$, $\mathbf{w}_7 = \mathbf{w}$, $\mathbf{w}_8 = \mathbf{x}_{\rec}$, $\mathbf{w}_9 = \mathbf{y}_{\rec}$, $\mathbf{w}_{10} = \mathbf{z}_{\rec}$, $\mathbf{w}_{11} = \mathbf{r}$, $\mathbf{w}_{12} = \mathbf{x}_{\mathsf{oa}}$, $\mathbf{w}_{13} = \mathbf{y}_{\mathsf{oa}}$, $\mathbf{w}_{14}= \mathbf{z}_{\mathsf{oa}}$ and $$\mathbf{w}_{15}= \big(\hspace*{1.5pt}\mathbf{d}_1^\top \hspace*{1.5pt}\|\hspace*{1.5pt} \mathbf{d}_2^\top \hspace*{1.5pt}\|\hspace*{1.5pt} \tau[1]\hspace*{-1.5pt}\cdot\hspace*{1.5pt}\mathbf{d}_2^\top \hspace*{1.5pt}\| \ldots \|\hspace*{1.5pt} \tau[\ell]\hspace*{-1.5pt}\cdot\hspace*{1.5pt}\mathbf{d}_2^\top\hspace*{1.5pt}\big)^\top.$$
$\mathbf{w}_6 = \mathbf{s}_{0,\mathsf{oa}}$, $\mathbf{w}_7 = \mathbf{w}$, $\mathbf{w}_8 = \mathbf{x}_{\rec}$, $\mathbf{w}_9 = \mathbf{y}_{\rec}$, $\mathbf{w}_{10} = \mathbf{z}_{\rec}$, $\mathbf{w}_{11} = \mathbf{r}$, $\mathbf{w}_{12} = \mathbf{x}_{\mathsf{oa}}$, $\mathbf{w}_{13} = \mathbf{y}_{\mathsf{oa}}$, $\mathbf{w}_{14}= \mathbf{z}_{\mathsf{oa}}$ and $$\mathbf{w}_{15}= \big(\hspace*{1.5pt}\mathbf{d}_1^T \hspace*{1.5pt}\|\hspace*{1.5pt} \mathbf{d}_2^T \hspace*{1.5pt}\|\hspace*{1.5pt} \tau[1]\hspace*{-1.5pt}\cdot\hspace*{1.5pt}\mathbf{d}_2^T \hspace*{1.5pt}\| \ldots \|\hspace*{1.5pt} \tau[\ell]\hspace*{-1.5pt}\cdot\hspace*{1.5pt}\mathbf{d}_2^T\hspace*{1.5pt}\big)^T.$$
Then system (\ref{eq:big-system-main-scheme}) can be rewritten as:
\begin{eqnarray}\label{eq:big-system-main-scheme-2}
\begin{cases}
@ -987,9 +1073,9 @@ It can be seen that the given group encryption scheme can be implemented in poly
The given group encryption scheme is correct with overwhelming probability.
We first remark that the scheme parameters are set up so that the two instances of the ABB identity-based encryption~\cite{ABB10} are correct. Indeed, during the decryption procedure of $\mathsf{DEC}(\mathsf{sk}_\USR, \mathbf{\Psi},L)$, we have:
\[
\mathbf{c}_{\rec}^{(3)} - \mathbf{E}_{\vk}^\top \cdot \begin{bmatrix} \mathbf{c}_{\rec}^{(1)} \\ \mathbf{c}_{\rec}^{(2)} \end{bmatrix} = \mathbf{x}_{\rec} - \mathbf{E}_{\vk}^\top \cdot \begin{bmatrix} \mathbf{y}_{\rec} \\ \mathbf{z}_{\rec} \end{bmatrix} + \mathbf{w}\cdot \left\lfloor \frac{q}{2} \right\rfloor.
\mathbf{c}_{\rec}^{(3)} - \mathbf{E}_{\vk}^T \cdot \begin{bmatrix} \mathbf{c}_{\rec}^{(1)} \\ \mathbf{c}_{\rec}^{(2)} \end{bmatrix} = \mathbf{x}_{\rec} - \mathbf{E}_{\vk}^T \cdot \begin{bmatrix} \mathbf{y}_{\rec} \\ \mathbf{z}_{\rec} \end{bmatrix} + \mathbf{w}\cdot \left\lfloor \frac{q}{2} \right\rfloor.
\]
Note that $\|\mathbf{x}_{\rec}\|_\infty$ and $\|\mathbf{y}_{\rec}\|_\infty$ are bounded by $B$, and $\|\mathbf{z}_{\rec}\|_\infty = \|\mathbf{R}_{\rec}^\top\cdot \mathbf{y}_{\rec}\|_\infty \leq \beta m B = \widetilde{\mathcal{O}}(n^2)$. Furthermore, the entries of the discrete Gaussian matrix $\mathbf{E}_{\vk}^\top$ are bounded by $\widetilde{\mathcal{O}}(\sqrt{n})$. Hence, the error term $\mathbf{x}_{\rec} - \mathbf{E}_{\vk}^\top \cdot \begin{bmatrix} \mathbf{y}_{\rec} \\ \mathbf{z}_{\rec} \end{bmatrix}$ is bounded by $\widetilde{\mathcal{O}}(n^{3.5})$ which is much smaller than $q/4 = \widetilde{\mathcal{O}}(n^4)$. As a result, the decryption algorithm returns $\mathbf{w}$ with overwhelming probability. The correctness of algorithm $\mathsf{OPEN}(\mathsf{sk}_{\OA}, \mathbf{\Psi},L)$ also follows from a similar argument.
Note that $\|\mathbf{x}_{\rec}\|_\infty$ and $\|\mathbf{y}_{\rec}\|_\infty$ are bounded by $B$, and $\|\mathbf{z}_{\rec}\|_\infty = \|\mathbf{R}_{\rec}^T\cdot \mathbf{y}_{\rec}\|_\infty \leq \beta m B = \widetilde{\mathcal{O}}(n^2)$. Furthermore, the entries of the discrete Gaussian matrix $\mathbf{E}_{\vk}^T$ are bounded by $\widetilde{\mathcal{O}}(\sqrt{n})$. Hence, the error term $\mathbf{x}_{\rec} - \mathbf{E}_{\vk}^T \cdot \begin{bmatrix} \mathbf{y}_{\rec} \\ \mathbf{z}_{\rec} \end{bmatrix}$ is bounded by $\widetilde{\mathcal{O}}(n^{3.5})$ which is much smaller than $q/4 = \widetilde{\mathcal{O}}(n^4)$. As a result, the decryption algorithm returns $\mathbf{w}$ with overwhelming probability. The correctness of algorithm $\mathsf{OPEN}(\mathsf{sk}_{\OA}, \mathbf{\Psi},L)$ also follows from a similar argument.
Finally, we note that if a certified group user honestly follows all the prescribed algorithms, then he should be able to compute valid witness-vectors to be used in the protocol $\langle \mathcal{P}, \mathcal{V}\rangle$, and he should be accepted by the verifier, thanks to the perfect completeness of the argument system in \cref{sse:stern}.
@ -1053,7 +1139,7 @@ The security results are explicited in the following theorems.
\noindent \textbf{Game $4$:} We now modify the generation of the challenge ciphertext $\Psi^\star$.
In this game, the challenger computes the ciphertext
$\mathbf{c}_{\oa}^\star$ as an ABB encryption under the identity $\vk^\star$ of a random $m$-bit string instead of a decomposition
$\mathsf{vdec}_{n,q-1}(\mathbf{h}_{\USR,b}) \in \{0,1\}^m$ of $\mathbf{h}_{\USR,b} = \mathbf{F} \cdot \mathsf{mdec}_{n,\bar{m},q}(\mathbf{B}_{\USR,b}^\top) \in \ZZ_q^{2n}$. Since
$\mathsf{vdec}_{n,q-1}(\mathbf{h}_{\USR,b}) \in \{0,1\}^m$ of $\mathbf{h}_{\USR,b} = \mathbf{F} \cdot \mathsf{mdec}_{n,\bar{m},q}(\mathbf{B}_{\USR,b}^T) \in \ZZ_q^{2n}$. Since
the random encryption coins $\mathbf{s}_{\oa}^\star, \mathbf{R}_{\oa}^\star ,\mathbf{x}_{\oa}^\star, \mathbf{y}_{\oa}^\star $ are no longer used to generate proofs
$\pi_{\Psi^\star}$, we can show that any noticeable change in $\adv$'s output distribution implies
a selective adversary against the ABB IBE, as established by Lemma \ref{ABB-un}, which would contradict the $\LWE$ assumption.
@ -1130,7 +1216,7 @@ we can assess % corresponds to \SFGame 3.
\[ \mathsf{PP} = \big(\bar{\mathbf A}, \mathbf B, \mathbf U \big) \in \Zq^{n \times m} \times \Zq^{n \times \bar{m}} \times \Zq^{n \times m} \]
from its real-or-random (ROR) challenger.
Our reduction uses $\mathsf{PP}$ to compute public parameters for our $\GE$ scheme. To this end, it samples $\mathbf F \sample U(\Zq^{2n \times n \bar{m}k})$,
Our reduction uses $\mathsf{PP}$ to compute public parameters for our $\mathsf{GE}$ scheme. To this end, it samples $\mathbf F \sample U(\Zq^{2n \times n \bar{m}k})$,
$\mathbf V \sample U(\Zq^{n\times m})$ as in the real $\mathsf{SETUP}_\mathsf{init}$ algorithm.
The reduction $\bdv$ also computes $\mathbf B_\OA =\bar{\mathbf{A}} \cdot \mathbf T_\OA \bmod q $,
where the small-norm matrix $\mathbf{T}_\OA$ is sampled from $D_{\ZZ,\sigma}^{m \times \bar{m}}$, and sends $\adv$ the parameters
@ -1314,7 +1400,7 @@ $\pk_{\mathcal{R}}=(\mathbf{A}_{{R}},\mathbf{u}_{R}) \in \ZZ_q^{n \times m} \tim
$\Psi^\star= (\vk^\star,\mathbf{c}_{\rec}^\star, \mathbf{c}_{\oa}^\star, \Sigma^\star)$, a label $L$ and produce a convincing proof $\pi_{\Psi^\star}$ such that either
\begin{enumerate}
\item $\mathbf{c}_{\oa}^\star$ does not decrypt to a string $\mathbf{h} \in \{0,1\}^m$ such that $\mathbf{h}_{\USR} = \mathbf{H}_{2n,q-1} \cdot \mathbf{h} \in \ZZ_q^{2n}$ coincides
with $\mathbf{h}_{\USR} = \mathbf{F} \cdot \mathsf{mdec}_{n,m,q}(\mathbf{B}_{\USR}^\top)$ for some $\pk_{\USR}=\mathbf{B}_{\USR} \in \ZZ_q^{n \times \bar{m}}$ appearing in $\mathsf{database}$.
with $\mathbf{h}_{\USR} = \mathbf{F} \cdot \mathsf{mdec}_{n,m,q}(\mathbf{B}_{\USR}^T)$ for some $\pk_{\USR}=\mathbf{B}_{\USR} \in \ZZ_q^{n \times \bar{m}}$ appearing in $\mathsf{database}$.
\item $\mathbf{c}_{\oa}^\star$ opens to a certified public key $\pk_{\USR}=\mathbf{B}_{\USR} \in \ZZ_q^{n \times \bar{m}}$, which belongs to $\mathsf{database}$ (and for which a certificate
was issued), but $\mathbf{B}_{\USR} $ is outside the language $\mathcal{PK}$ of valid public keys. This case is immediately ruled out
by the density of the public key space.
@ -1326,10 +1412,10 @@ $\Psi^\star= (\vk^\star,\mathbf{c}_{\rec}^\star, \mathbf{c}_{\oa}^\star, \Sigma^
$\mathbf{u}_R= \mathbf{A}_R \cdot \mathbf{w} \bmod q$.
\item The opening algorithm fails to uniquely identify the receiver. This occurs if $\mathbf{c}_{\oa}^\star$ decrypts to a string $\mathbf{h} \in \{0,1\}^m$ such that $\mathbf{h}_{\USR}' = \mathbf{H}_{2n,q-1} \cdot \mathbf{h} \in \ZZ_q^{2n}$ corresponds to
at least two distinct public keys $\mathbf{B}_{\USR,0} ,\mathbf{B}_{\USR,1} \in \ZZ_q^{n \times \bar{m}}$ which satisfy
$$\mathbf{h}_{\USR}' = \mathbf{F} \cdot \mathsf{mdec}_{n ,\bar{m},q}(\mathbf{B}_{\USR,0}^\top ) \bmod q=\mathbf{F} \cdot \mathsf{mdec}_{n ,\bar{m},q}(\mathbf{B}_{\USR,1}^\top ) \bmod q. $$
$$\mathbf{h}_{\USR}' = \mathbf{F} \cdot \mathsf{mdec}_{n ,\bar{m},q}(\mathbf{B}_{\USR,0}^T ) \bmod q=\mathbf{F} \cdot \mathsf{mdec}_{n ,\bar{m},q}(\mathbf{B}_{\USR,1}^T ) \bmod q. $$
Since $\mathsf{mdec}_{n,\bar{m},q}(.) : \ZZ_q^{\bar{m} \times n} \rightarrow \{0,1\}^{n \bar{m} k}$ is an injective function, the above equality necessarily implies a
collision for the $\mathsf{SIS}$-based hash function built upon $\mathbf{F} \in \ZZ_q^{2n \times n \bar{m} k}$: namely,
$$ \mathsf{mdec}_{n ,\bar{m},q}(\mathbf{B}_{\USR,0}^\top ) - \mathsf{mdec}_{n ,\bar{m},q}(\mathbf{B}_{\USR,1}^\top ) ~~\in \{-1,0,1\}^{n\bar{m} k} $$
$$ \mathsf{mdec}_{n ,\bar{m},q}(\mathbf{B}_{\USR,0}^T ) - \mathsf{mdec}_{n ,\bar{m},q}(\mathbf{B}_{\USR,1}^T ) ~~\in \{-1,0,1\}^{n\bar{m} k} $$
is a short non-zero vector of $\Lambda_q^\perp (\mathbf{F})$.
\end{enumerate}
Having shown that cases \textit{b} and \textit{d} cannot occur if the $\mathsf{SIS}$ assumption holds, we only need to consider cases \textit{a} and \textit{c}. The computational soundness of the argument system ensures that, by replaying
@ -1340,7 +1426,7 @@ the knowledge extractor will be able to extract either:
\begin{eqnarray*}
\left\{
\begin{array}{l}
\tau \in \{0,1\}^\ell, ~\mathbf{d}=[\mathbf{d}_1^\top | \mathbf{d}_2^\top ]^\top \in [-\beta,\beta]^{2m},~\mathbf{r} \in [-\beta,\beta]^m \\
\tau \in \{0,1\}^\ell, ~\mathbf{d}=[\mathbf{d}_1^T | \mathbf{d}_2^T ]^T \in [-\beta,\beta]^{2m},~\mathbf{r} \in [-\beta,\beta]^m \\
\mathbf{t}_{\USR} \in \{0,1\}^{m},~\mathbf{w}_{\USR} \in \{0,1\}^{\bar{m}} \\
\mathbf{b}_{\USR} \in \{0,1\}^{n \bar{m} k}, ~\mathbf{s}_{0,\rec} \in \{0,1\}^{nk}, ~
\mathbf{z}_{\mathbf{\Psi}} \in \{0,1\}^{4n \bar{m} k^2}

3
chap-GS-LWE.tex
View File

@ -25,7 +25,7 @@ In particular, the cost of moving to dynamic group is reasonable: while using th
Signature & $\widetilde{\mathcal{O}}(\lambda)\cdot \log N_\mathsf{gs}$ & $\widetilde{\mathcal{O}}(\lambda + \log^2 N_\mathsf{gs})$ & $\widetilde{\mathcal{O}}(\lambda)\cdot \log N_\mathsf{gs}$ & $\widetilde{\mathcal{O}}(\lambda)\cdot \log N_\mathsf{gs}$ & $ \widetilde{\mathcal{O}}(\lambda)\cdot \log N_\mathsf{gs}$ \\
\hline
\end{tabular}
\caption{Efficiency comparison among recent lattice-based group signatures for static groups and our dynamic scheme. The evaluation is done with respect to $2$ governing parameters: security parameter $\lambda$ and the maximum expected group size $N_\mathsf{gs}$. We do not include the earlier schemes~\cite{GKV10,CNR12} that have signature size $\widetilde{\mathcal{O}}(\lambda^2)\cdot N_\mathsf{gs}$.}
\caption[Comparison between recent lattice-based group signatures]{Efficiency comparison among recent lattice-based group signatures for static groups and our dynamic scheme. The evaluation is done with respect to $2$ governing parameters: security parameter $\lambda$ and the maximum expected group size $N_\mathsf{gs}$. We do not include the earlier schemes~\cite{GKV10,CNR12} that have signature size $\widetilde{\mathcal{O}}(\lambda^2)\cdot N_\mathsf{gs}$.}
\label{table:lattice-gs-comparison}
\end{table}
@ -81,7 +81,6 @@ the user's capability of efficiently proving knowledge of the underlying secret
Given the state of $\NIZK$ proofs in the lattice setting, it seems hard to provide group signature schemes in the standard model.
In the forthcoming sections, we first provide the description of our signature with efficient protocols; then a description of our dynamic group signature will be given and finally, we will explain how to use the Stern abstraction of \cref{sse:stern} to provide the required zero-knowledge arguments.
\section{A Lattice-Based Signature with Efficient Protocols} \label{se:gs-lwe-sigep}

3
chap-GS-background.tex
View File

@ -51,8 +51,7 @@ This section recalls the syntax and the security definitions of dynamic group s
\begin{figure}
\centering
\input fig-gs-relations
\caption{Relations between the protagonists in a dynamic group signature
scheme}
\caption{Relations between the protagonists in a dynamic group signature scheme.}
\label{fig:gs-relations}
\end{figure}

296
chap-OT-LWE.tex
View File

@ -1,9 +1,132 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%\chapter{Lattice-Based Oblivious Transfer with Access Control}
%\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Transfert inconscient adaptatif avec contrôle d'accès à base de réseaux euclidiens}
%\label{ch:ot-lwe}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{comment}
\section{Introduction}
\end{comment}
Oblivious transfer ($\mathsf{OT}$) is a central cryptographic primitive coined by Rabin~\cite{Rab81} and extended by Even \textit{et al.} \cite{EGL85}.
It involves a
sender $\mathsf{S}$ with a database of messages $M_1, \ldots, M_N$ and a receiver $\mathsf{R}$ with an index $\rho \in \{1,\ldots,N\}$. The
protocol allows $\mathsf{R}$ to retrieve the $\rho$-th entry $M_{\rho}$ from $\mathsf{S}$ without letting $\mathsf{S}$ infer anything
on $\mathsf{R}$'s choice $\rho$. Moreover, $\mathsf{R}$ only obtains $M_{\rho}$ learns nothing about $\{M_i\}_{i \neq \rho}$.
In its adaptive flavor \cite{NP99}, $\mathsf{OT}$ allows the receiver to interact $k$ times with $\mathsf{S}$ to retrieve
$M_{\rho_1},\ldots,M_{\rho_k}$ in such a way that, for each index $i \in \{2,\ldots,k\}$, the $i$-th index $\rho_{i} $ may depend on the messages
$M_{\rho_1},\ldots,M_{\rho_{i-1}}$ previously obtained by $\mathsf{R}$.
$\mathsf{OT}$ is known to be a complete building block for cryptography (as for example, \cite{GMW87}) in that, if it can be realized, then
any secure multiparty computation can be. In its adaptive variant, $\mathsf{OT}$ is motivated by applications in privacy-preserving access
to sensitive databases (e.g., medical records or financial data) stored in encrypted form on remote servers, oblivious searches or location-based
services.
As far as efficiency goes, adaptive $\mathsf{OT}$ protocols should be designed in such a way that, after an inevitable initialization phase with
linear communication complexity in $N$ and the security parameter $\lambda$, the complexity of each transfer is at most poly-logarithmic in $N$. At the same time, this asymptotic efficiency should not come at the expense of sacrificing ideal security properties.
The most efficient adaptive $\mathsf{OT}$ protocols that satisfy the latter criterion stem from the work of Camenisch, Neven and shelat
\cite{CNS07} and its follow-ups \cite{GH07,GH08,GH11}.
In its basic form, (adaptive) $\mathsf{OT}$ does not restrict in any way the population of users who can obtain specific records. In many
sensitive databases (e.g., DNA databases or patients' medical history),
however, not all users should be able to download all records: it is vital access to certain entries be conditioned on the receiver holding suitable credentials delivered by authorities. At the same time, privacy protection mandates that authorized users be able to query database records while
leaking as little as possible about their interests or activities. In medical datasets, for example, the specific entries retrieved by a given doctor
could reveal which disease his patients are suffering from. In financial or patent datasets, the access pattern of a company could betray its investment
strategy or the invention it is developing.
In order to combine user-privacy and fine-grained database security, it is thus desirable to enrich adaptive $\mathsf{OT}$ protocols with refined access control mechanisms in many of their natural use cases.
This motivated Camenisch, Dubovitskaya and Neven \cite{CDN09} to introduce
a variant
named \textit{ oblivious transfer with access control} (OT-AC), where each database record is protected by a different access control policy $P : \{0,1\}^\ast
\rightarrow \{0,1\}$.
Based on their attributes, users can obtain credentials generated by pre-determined authorities, which entitle them to anonymously retrieve database records of which the access policy accepts their certified attributes: in other words, the user can only download the records for which he has a
valid credential $\mathsf{Cred}_x$ for an attribute string $x \in \{0,1\}^\ast$ such that
$P(x)=1$. During the transfer phase, the user demonstrates possession of a pair $(\mathsf{Cred}_x,x)$ and simultaneously
convinces the sender that he is querying some record $M_{\rho}$ associated with a policy $P$ such that $P(x)=1$. The only
information that the database holder eventually learns is that some user retrieved some record which he was authorized to obtain.
Camenisch \textit{et al.} formalized the OT-AC primitive and provided a construction in groups with a bilinear map \cite{CDN09}.
While efficient, their solution ``only'' supports access policies consisting of conjunctions: each policy $P$ is specified by a list
of attributes that a given user should obtain a credential for in order to complete the transfer. Several subsequent works
\cite{ZAW+10,CDNZ11,CDEN12}
considered more expressive access policies while even hiding the access policies in some cases \cite{CDNZ11,CDEN12}. Unfortunately,
all of them rely on non-standard assumptions (known as ``$q$-type assumptions'' as described in~\cref{ch:proofs}) in groups with a bilinear maps. For the sake of not putting
all one's eggs in the same basket, a primitive as powerful as OT-AC ought to have alternative realizations based on firmer foundations.
In this chapter, we propose a solution based on lattice assumptions where access policies consist of any branching program of width $5$,
which is known \cite{Bar86} to suffice for the realization of any access policy in $\mathsf{NC1}$. As a result of independent interest, we provide
protocols for proving the correct evaluation of a committed branching program. More precisely, we give zero-knowledge arguments for demonstrating possession of a secret input $\mathbf x \in \{0,1\}^\kappa$ and
a secret (and possibly certified) branching program $\BPR$ such that $\BPR(\mathbf x)=1$.
\index{Complexity classes!$\mathsf{NC}1$}
\paragraph{Related Work.}
Oblivious transfer with adaptive queries dates back to the work of Naor and Pinkas \cite{NP99}, which
requires $O( \log N)$ interaction rounds per transfer.
Naor and Pinkas \cite{NP05} also gave generic constructions of
(adaptive) $k$-out-of-$N$ OT from private information retrieval (PIR) \cite{CGKS95}. The constructions of~\cite{NP99,NP05}, however, are only secure in the half-simulation model, where simulation-based
security is only considered for one of the two parties (receiver security being formalized in terms of a game-based definition).
Moreover, the constructions of Adaptive OT from PIR \cite{NP05}
requires a complexity $O(N^{1/2})$ at each transfer where Adaptive OT allows for $O(\log N)$ cost.
Before 2007, many OT protocols (e.g., \cite{NP01,AIR01,tau05}) were analyzed in terms of half-simulation.
While several efficient fully simulatable protocols appeared the last 15 years (e.g., \cite{DN03,Lin08,PVW08} and references therein),
full simulatability
remained elusive in
the adaptive $k$-out-of-$N$ setting \cite{NP99} until the work~\cite{CNS07} of
Camenisch, Neven and shelat, who introduced the ``assisted decryption''
paradigm. The latter consists in having the sender obliviously decrypt a re-randomized version of one of the original ciphertexts contained in the database. This technique served as a blueprint for many subsequent protocols \cite{GH07,GH08,GH11,JL09}, including those with access control
\cite{CDN09,CDNZ11,CDEN12,ACDN13} and those presented in this chapter. In the adaptive $k$-out-of-$N$ setting (which we denote as \OTA),
the difficulty is to achieve full simulatability without having to transmit a $O(N)$ bits at each transfer. To our knowledge, except
the oblivious-PRF-based approach of Jarecki and Liu \cite{JL09},
all known fully simulatable \OTA protocols rely on bilinear maps\footnote{Several
pairing-free candidates were suggested in \cite{KPN10,KPN11} but, as pointed out in \cite{GH11},
they cannot achieve full simulatability in the sense of \cite{CNS07}. In particular, the sender can detect if the receiver fetches the same
record in two distinct transfers.
%The constructions of \cite{KN09} do achieve full simulatability but each transfer costs $\Theta(N)$ bits in terms
%of communication.
}. A recent work of D\"ottling \textit{et al.}~\cite{DFKS16} uses non-black-box techniques to realize $\LWE$-based $2$-round oblivious PRF (OPRF) protocols~\cite{FIPR05}. However, while fully simulatable OPRFs imply \cite{JL09}
fully simulatable adaptive OT, the OPRF construction of~\cite{DFKS16} does not satisfy the standard
notion of full simulation-based security against malicious adversaries (which is impossible to achieve in two rounds). It also relies on the full power of
homomorphic encryption, which we do not require.
A number of works introduced various forms of access control in OT. Priced OT \cite{AIR01}
assigns variable prices to all database records. In conditional OT \cite{DCOR99}, access to a record is made contingent on the user's secret
satisfying some predicate. Restricted OT \cite{Her11} explicitly protects each record with an independent access policy. Still, none of these
OT flavors aims at protecting the anonymity of users. The model of Coull, Green and Hohenberger \cite{CGH09} does consider user anonymity via stateful
credentials. For the applications of OT-AC, it would nevertheless require re-issuing user credentials at each transfer.
While efficient, the initial OT-AC protocol of Camenisch \textit{et al.} \cite{CDN09} relies on non-standard
assumptions in groups with a bilinear map and only realizes access policies made of conjunctions. Abe \textit{et al.} \cite{ACDN13}
gave a different protocol which they proved secure under more standard assumptions in the universal composability framework \cite{Can01}.
Their policies, however, remain limited to conjunctions. It was mentioned in \cite{CDN09,ACDN13}
that disjunctions and DNF formulas can be handled by duplicating database entries. Unfortunately, this approach rapidly
becomes prohibitively expensive in the case of $(t,n)$-threshold policies with $t \approx n/2$.
Moreover, securing the protocol against malicious senders
requires them to prove that
all duplicates encrypt the same message. More expressive policies were considered by Zhang \textit{et al.} \cite{ZAW+10} who
gave a construction based on attribute-based encryption \cite{SW05} that
extends to access policies expressed by any Boolean formulas (and thus $\mathsf{NC}1$ circuits).
Camenisch, Dubovitskaya, Neven and Zaverucha \cite{CDNZ11} generalized the OT-AC functionality so as
to hide the access policies. In \cite{CDEN12}, Camenisch \textit{et al.} gave a more efficient
construction with hidden policies based on the attribute-based
encryption scheme of \cite{NYO08}. At the expense of a proof in the generic group model, \cite{CDEN12} improves upon the expressiveness
of \cite{CDNZ11} in that its policies
extend into CNF formulas. While the solutions of \cite{CDNZ11,CDEN12} both hide the access policies to users (and the successful termination
of transfers to the database), their policies can only live in a proper subset of $\mathsf{NC1}$. As of now,
threshold policies can only be efficiently handled by the ABE-based construction of Zhang \textit{et al.} \cite{ZAW+10}, which requires
\textit{ad hoc} assumptions in groups with a bilinear map.
\bigskip
In the forthcoming sections, we first present the adaptive oblivious transfer scheme and its access control flavour, then we present the needed building blocks, in particular a simpler version of the signature scheme presented in~\cref{se:gs-lwe-sigep}.
We next present our constructions and the zero-knowledge protocol to guarantee the correct execution of a branching program.
Finally, we close this chapter with the description of a shift of our scheme from the standard model to the random oracle model to reduce the communication complexity cost, and a comparison table between the different existing solutions.
\section{Adaptive Oblivious Transfer}
\label{sec:def-OT}
In the syntax of \cite{CNs07}, an adaptive $k$-out-of-$N$ OT scheme $\OT_k^N$ is a tuple of stateful $\ppt$ algorithms $(\SI, \RI, \ST, \RT)$.
\index{Adaptive Oblivious Transfer}
In the syntax of \cite{CNS07}, an adaptive $k$-out-of-$N$ OT scheme $\OT_k^N$ is a tuple of stateful $\ppt$ algorithms $(\SI, \RI, \ST, \RT)$.
The sender $\mathsf{S}=(\SI,\ST)$ consists of two interactive algorithms $\SI$ and $\ST$ and the receiver has a similar representation as algorithms $\RI$ and $\RT$.
In the \textit{initialization phase}, the sender and the receiver run interactive algorithms $\SI$ and $\RI$, respectively, where $\SI$ takes as input messages $M_1, \ldots, M_N$ while $\RI$ has no input.
This phase ends with the two algorithms $\SI$ and $\RI$ outputting their state information $S_0$ and $R_0$ respectively.
@ -15,14 +138,14 @@ The sender starts runs $\ST(S_{i-1})$ to obtain its updated state information
We consider protocols that are secure (against static corruptions) in the sense of simulation-based definitions. The security
properties against a cheating sender and a cheating receiver are formalized via the ``real-world/ideal-world'' paradigm. The
security definitions of \cite{CNs07} are recalled in the following Section.
security definitions of \cite{CNS07} are recalled in the following Section.
\subsection{Security Definitions for Adaptive $k$-out-of-$N$ Oblivious Transfer} \label{def-AOT}
Security is defined via the ``real-world/ideal-world'' paradigm which was first introduced in the Universal Composability (UC) framework~\cite{Can01}. Like \cite{CNs07,CDN09}, however, we do not incorporate all the formalities of the UC framework.
Security is defined via the ``real-world/ideal-world'' paradigm which was first introduced in the Universal Composability (UC) framework~\cite{Can01}. Like \cite{CNS07,CDN09}, however, we do not incorporate all the formalities of the UC framework.
We define two experiments: the \textbf{Real} experiment, where the two parties run the actual protocol, and the \textbf{Ideal} experiment wherein a \textit{trusted third party} assumes the role of the functionality.
The model of \cite{CNs07} formalizes two security notions called \textit{sender security} and \textit{receiver security}.
The model of \cite{CNS07} formalizes two security notions called \textit{sender security} and \textit{receiver security}.
The former considers the security of honest senders against cheating senders whereas the latter considers the security of honest receivers interacting
with malicious senders.
@ -65,6 +188,7 @@ $\rho_i$, the definition prevents the cheating sender
$\hS'$ from deciding to cause a failure of the transfer for specific values of $\rho_i$.
\begin{definition}[Sender Security] \label{def:sender-sec}
\index{Adaptive Oblivious Transfer!Sender Security}
An $\OT_k^N$ protocol is \textit{sender-secure} if, for any PPT real-world cheating receiver $\hR$, there exists a PPT ideal-world receiver $\hR'$ such that, for any polynomial $N_m(\lambda)$, any $N \in [N_m(\lambda)]$, any $k \in [N]$, any messages $M_1, \ldots, M_N$, and any indices $\rho_1, \ldots, \rho_k \in [N]$, no PPT distinguisher can separate the two following distributions with noticeable advantage:
\[ \mathbf{Real}_{\mathsf{S},\hR}(N, k, M_1, \ldots, M_N, \rho_1, \ldots, \rho_k) \]
and
@ -72,6 +196,7 @@ $\hS'$ from deciding to cause a failure of the transfer for specific values of $
\end{definition}
\begin{definition}[Receiver Security] \label{def:receiver-sec}
\index{Adaptive Oblivious Transfer!Receiver Security}
An $\OT_k^N$ protocol is \textit{receiver-secure} if, for any PPT real-world cheating sender $\hS$, there exists a PPT ideal-world sender $\hS'$ such that, for any polynomial $N_m(\lambda)$, any $N \in [N_m(\lambda)]$, any $k \in [N]$, any messages $M_1, \ldots, M_N$, and any indices $\rho_1, \ldots, \rho_k \in [N]$, no PPT distinguisher can tell apart the two following distributions with non-negligible advantage:
\[ \mathbf{Real}_{\hS,\mathsf{R}}(N, k, M_1, \ldots, M_N, \rho_1, \ldots, \rho_k) \]
and
@ -102,6 +227,7 @@ The distribution of outputs of the environment in the different settings is deno
\medskip
\begin{definition}
\index{Adaptive Oblivious Transfer!with Access Control}
An AC-OT protocol is said to securely implement the functionality if for any real-world adversary $\adv$ and any real world environment $\mathcal E$, there exists an ideal-world simulator $\mathcal A'$ controlling the same parties in the ideal-world as $\adv$ does in the real-world, such that
\[ | \mathbf{Real}_{\mathcal E, \adv}(\lambda) - \mathbf{Ideal}_{\mathcal{E}, \adv}(\lambda) | \leq \negl(\lambda). \]
\end{definition}
@ -175,8 +301,9 @@ We consider a stateful variant of the scheme in Section \ref{se:gs-lwe-sigep}
In the modified scheme hereunder, the string $\tau \in \{0,1\}^\ell$ is an $\ell$-bit counter maintained by the signer to keep track of the number of previously signed messages.
This simplified variant resembles
the $\mathsf{SIS}$-based signature scheme of B\"ohl \textit{et al.} \cite{BHJ+15}. \\
\indent In this version, the message space is $ \{0,1\}^{n \lceil \log q \rceil} $ so that vectors of $\Zq^n$ can be signed by first decomposing them using
the $\mathsf{SIS}$-based signature scheme of B\"ohl \textit{et al.} \cite{BHJ+15}.
In this version, the message space is $ \{0,1\}^{n \lceil \log q \rceil} $ so that vectors of $\Zq^n$ can be signed by first decomposing them using
$\mathsf{vdec}_{n,q-1}(.)$.
\begin{description}
@ -235,7 +362,6 @@ The scheme is bounded message secure under non-adaptive chosen-message attacks i
\item[Type II attacks,] where in the adversary's forgery $sig^\star = (\tau^\star, \mathbf v^\star)$, $\tau^\star$ has been recycled from an output $sig^{(i^\star)} = \bigl(\tau^{(i^\star)}, \mathbf v^{(i^\star)} \bigr)$ of the signing oracle for some query $i^\star \in \{ 1, \ldots, Q \}$.
\end{description}
\noindent
Lemma~\ref{le-type1-RMA} states that the signature scheme is secure against Type I forgery using the same technique as is~\cite{ABB10,Boy10,MP12}.
Lemma~\ref{le-type2-RMA} claims that the signature scheme resists Type II attacks, with a proof that is very similar to the one of Lemma~\ref{le-type1-RMA}. Both security proofs assume the computational hardness of the $\SIS$ problem.
\end{proof}
@ -254,7 +380,7 @@ The scheme is bounded message secure under non-adaptive chosen-message attacks i
At first, $\bdv$ calls $\adv$ to obtain the messages to be queried: $\mathfrak m^{(1)}, \ldots, \mathfrak m^{(Q)}$.
For the sake of readability, let us define $\tau^{(i)} = i$, viewed as a bit-string, to be the tag corresponding to the $i$-th signature in our scheme. \medskip
\noindent \textbf{Setup.} As in~\cite{HW09}, the reduction guesses the shortest prefix such that the string $\tau^\star$ embedded in $\adv$'s forgery differs from all prefixes to $\{\tau^{(1)}, \dots, \tau^{(Q)}\}$.
\textbf{Setup.} As in~\cite{HW09}, the reduction guesses the shortest prefix such that the string $\tau^\star$ embedded in $\adv$'s forgery differs from all prefixes to $\{\tau^{(1)}, \dots, \tau^{(Q)}\}$.
To achieve this, $\bdv$ chooses at random $i^\dag \sample U(\{1, \ldots, Q\})$ and $t^\dag \sample U(\{1, \ldots, \ell\})$.
Then, with probability $1/(Q \cdot \ell)$, the longest common prefix between $\tau^\star$ and one of the tags $\{ \tau^{(i)} \}_{i = 1}^{Q}$ is the string $\tau^\star[1] \cdots \tau^\star[t^\dag - 1] \in \bit^{t^\dag - 1}$: the first $(t^\dag - 1)$-th bits of $\tau^\star$.
Let us define $\tau^\dag = \tau^\star_{\mid t^\dag}$, where $s_{|i}$ denotes the $i$-th prefix for a string~$s$.
@ -283,17 +409,17 @@ The scheme is bounded message secure under non-adaptive chosen-message attacks i
To finish, $\bdv$ samples a short vector $\mathbf e_u \in D_{\ZZ^m, \sigma}$ and computes the vector $\mathbf u = \bar{\mathbf A} \cdot \mathbf e_u$. The following public key is finally given to \adv:
\[ PK := (\mathbf A, \{ \mathbf A_j \}_{j=0}^\ell, \mathbf D, \mathbf u). \]
\noindent \textbf{Signing queries.} To handle signature queries, the reduction $\bdv$ uses the trapdoor $\mathbf{T_C} \in \ZZ^{m \times m}$ to generate a signature.
\textbf{Signing queries.} To handle signature queries, the reduction $\bdv$ uses the trapdoor $\mathbf{T_C} \in \ZZ^{m \times m}$ to generate a signature.
To this end, $\bdv$ starts by computing the vector $\mathbf u_M = \mathbf u + \mathbf D \cdot \mathfrak m^{(i)}$.
Then $\bdv$ can use $\mathbf{T_C}$ with the algorithm \textsf{SampleRight} from Lemma~\ref{lem:sampler} to
compute a short vector $\mathbf v^{(i)}$ in $D_{\Lambda^\perp(\mathbf A_{\tau^{(i)}}), \sigma}^{\mathbf u_M}$, distributed like a
valid signature and satisfying the verification equation~\eqref{ver-eq-block}.
\medskip
\noindent \textbf{Output.} At some point, the attacker $\adv$ halts and outputs a \textit{valid} signature $sig^\star = (\tau^\star, \mathbf v^\star)$ for a message $\mathfrak m^\star \notin \{ \mathfrak{m}^{(1)}, \ldots, \mathfrak{m}^{(Q)}\}$.
\textbf{Output.} At some point, the attacker $\adv$ halts and outputs a \textit{valid} signature $sig^\star = (\tau^\star, \mathbf v^\star)$ for a message $\mathfrak m^\star \notin \{ \mathfrak{m}^{(1)}, \ldots, \mathfrak{m}^{(Q)}\}$.
Since the signature is valid, it satisfies $\| \mathbf v^\star \| \leq \sigma \sqrt{2m}$.
\noindent Parsing $\mathbf v^\star$ as $[ \mathbf{v}_1^\star \mid \mathbf{v}_2^\star]$ with $\mathbf v_1^\star, \mathbf v_2^\star \in \ZZ^m$ and injecting it in~\eqref{ver-eq-block} give:
Parsing $\mathbf v^\star$ as $[ \mathbf{v}_1^\star \mid \mathbf{v}_2^\star]$ with $\mathbf v_1^\star, \mathbf v_2^\star \in \ZZ^m$ and injecting it in~\eqref{ver-eq-block} give:
\begin{align*}
\Bigr[ \bar{\mathbf A} ~\Big|~ \bar{\mathbf A} \cdot \bigl(\mathbf Q_0 + \sum_{j=1}^\ell \tau^\star[j] \cdot \mathbf Q_j\bigr) \Bigl] \cdot \begin{bmatrix} \mathbf v_1^\star \\ \hline \mathbf v_2^\star \end{bmatrix}
& = \mathbf u + \mathbf D \cdot \mathfrak m^\star \mod q \\
@ -316,11 +442,11 @@ The scheme is bounded message secure under non-adaptive chosen-message attacks i
We will prove this result using techniques analogous to the previous proof. We show that given an adversary $\adv$ that comes out with a Type II signature in the \textsf{na-CMA} game with non negligible probability $\varepsilon$, we can construct a PPT $\bdv$ that breaks the $\SIS$ assumption with advantage $\varepsilon/Q$ using $\adv$.
\medskip
\noindent Firstly, the reduction $\bdv$ is given a matrix $\mathbf{A} \in \Zq^{n \times m_d}$ as input and has to output an integer vector $\mathbf v \in \ZZ^{m_d}$ in $\Lambda^\perp_q(\mathbf{A})$ such that $0 < \| \mathbf v \| \leq \beta''$.
Firstly, the reduction $\bdv$ is given a matrix $\mathbf{A} \in \Zq^{n \times m_d}$ as input and has to output an integer vector $\mathbf v \in \ZZ^{m_d}$ in $\Lambda^\perp_q(\mathbf{A})$ such that $0 < \| \mathbf v \| \leq \beta''$.
Next, $\bdv$ receives from $\adv$ the messages $\mathfrak{m}^{(1)}, \ldots, \mathfrak{m}^{(Q)}$ for which $\adv$ will further ask signature queries.
\medskip
\noindent To compute the public key, at the outset of the game, the reduction $\bdv$ starts by sampling $i^\dag \sample U(\{1, \ldots, Q\})$ corresponding to the guess that $\adv$'s forgery will recycle $\tau^{(i\dag)}$.
To compute the public key, at the outset of the game, the reduction $\bdv$ starts by sampling $i^\dag \sample U(\{1, \ldots, Q\})$ corresponding to the guess that $\adv$'s forgery will recycle $\tau^{(i\dag)}$.
This is independent of $\adv$'s view, and the guess will be correct with probability $1/Q$.
Using this guess to compute $PK$, the reduction $\bdv$ picks $h_0, \ldots, h_\ell \in \Zq$ subject to the constraints
\begin{equation} \label{eq:h-constraints}
@ -330,7 +456,7 @@ The scheme is bounded message secure under non-adaptive chosen-message attacks i
\end{cases}
\end{equation}
\noindent \bdv then runs $(\mathbf C, \mathbf{T_C}) \gets \TrapGen(1^n, 1^m, q)$.
\bdv then runs $(\mathbf C, \mathbf{T_C}) \gets \TrapGen(1^n, 1^m, q)$.
The resulting matrix $\mathbf C \in \Zq^{n \times m}$ is statistically random, and the trapdoor $\mathbf{T_C} \in \ZZ^{m \times m}$ is a short basis of $\Lambda^\perp_q(\mathbf C)$.
Next \bdv re-randomize $\mathbf{A}$ using short matrices $\mathbf S, \mathbf S_0, \mathbf S_1, \ldots, \mathbf S_\ell \in \ZZ^{m_d \times m}$ which are obtained by sampling their columns from the distribution $D_{\ZZ^{m_d}, \sigma}$.
The challenger $\bdv$ then uses these matrices to define:
@ -345,7 +471,7 @@ The scheme is bounded message secure under non-adaptive chosen-message attacks i
\mathbf u = \mathbf A_{\tau^{(i^\dag)}} \cdot \begin{bmatrix} \mathbf v_1^{\dag} \\\hline \mathbf v_2^{\dag} \end{bmatrix} - \mathbf{A} \cdot \mathfrak m^{(i^\dag)} \mod q.
\end{equation}
\noindent Finally, $\bdv$ sends to $\adv$ the public key
Finally, $\bdv$ sends to $\adv$ the public key
\[ PK := \bigl( \mathbf A, \{\mathbf A_j \}_{j=0}^\ell, \mathbf D, \mathbf u \bigr) \]
which is distributed as the $PK$ of the real scheme.
\smallskip \smallskip
@ -366,7 +492,7 @@ The scheme is bounded message secure under non-adaptive chosen-message attacks i
To answer this specific query, the challenger $\bdv$ returns $sig^{(i^\dag)} = (\tau^{(i^\dag)}, \mathbf v^{(i^\dag)})$ where $\mathbf v^{(i^\dag)} = ( \mathbf v_1^{\dag T} \mid \mathbf v_2^{\dag T})^T$ verifying~\eqref{eq:rel-uM}, which furthermore implies that $sig^{(i^\dag)}$ verifies~\eqref{ver-eq-block}.
\end{itemize}
\noindent Thus we claim that $\bdv$ can solve the $\SIS$ problem using the Type II forgery provided by $\adv$.
Thus we claim that $\bdv$ can solve the $\SIS$ problem using the Type II forgery provided by $\adv$.
At the end of the game, the adversary outputs a valid signature $sig^\star = (\tau^{(i^\star)}, \mathbf v^\star)$ on a message $\mathfrak m^\star$ with $\| \mathbf v^\star \| \leq \sigma \sqrt{2m}$.
In the event that $\tau^{(i^\star)} \neq \tau^{i^\dag}$, the reduction aborts. The latter event happens with probability $1-1/Q$.
If we parse $\mathbf v^\star$ as $(\mathbf v_1^{\star, T} \mid \mathbf v_2^{\star T})^T \in \ZZ^{2m}$, with $\mathbf v_1^{\star}, \mathbf v_2^\star \in \ZZ^m$, it holds that:
@ -395,7 +521,7 @@ The scheme is bounded message secure under non-adaptive chosen-message attacks i
\section{A Fully Simulatable Adaptive OT Protocol} \label{OT-scheme}
Our basic \OTA protocol builds on the ``assisted decryption'' technique \cite{CNs07}. The databases holder encrypts all entries
Our basic \OTA protocol builds on the ``assisted decryption'' technique \cite{CNS07}. The databases holder encrypts all entries
using a multi-bit variant \cite{PVW08} of Regev's cryptosystem \cite{Reg05} and proves the well-formedness of its public key and all ciphertexts. In addition,
all ciphertexts are signed using a signature scheme. At each
transfer, the receiver statistically re-randomizes a blinded version of the desired ciphertext, where the blinding is done via the additive
@ -405,7 +531,7 @@ a transformation of one of the original ciphertexts by arguing knowledge of a si
the sender obliviously decrypts the modified ciphertext and argues in zero-knowledge that the response is correct.
Adapting the technique of \cite{CNs07} to the lattice setting requires the following building blocks:
Adapting the technique of \cite{CNS07} to the lattice setting requires the following building blocks:
(i) A signature scheme allowing to sign ciphertexts while remaining compatible with ZK proofs; (ii) A ZK protocol allowing to prove knowledge of a signature on some hidden ciphertext which belongs to a public set and was transformed into a given ciphertext; (iii) A protocol for proving the correct decryption of a ciphertext; (iv) A method of statistically re-randomizing an $\LWE$-encrypted ciphertext in a way that enables oblivious decryption. The first three ingredients can be obtained from \cref{ch:gs-lwe}. Since component (i) only needs to be secure against random-message attacks as
long as the adversary obtains at most $N$ signatures, we use the simplified $\SIS$-based signature scheme
of Section \ref{RMA-sec}.
@ -506,8 +632,7 @@ In the initialization phase, the sender has to repeat step 5 with each
%and $\mathbf{E} \in \ZZ^{m \times t}$.
Knowing a short basis of $\Lambda_q^{\perp}(\mathbf{F})$, the simulator can extract
the columns of $\mathbf{S}$ from the public key $\mathbf{P} \in \Zq^{n \times m}$. Details are given in Appendix~\ref{optimized}.
% \indent In
%Appendix \ref{ot-proofs}, we prove the security of the above \OTA protocol against static corruptions under the $\SIS$ and $\LWE$ assumptions.
\subsection{Security}
The security of the above \OTA protocol against static corruptions is stated by the following theorems.
@ -518,7 +643,9 @@ The $\OTA$ protocol provides receiver security under the $\SIS$ assumption.
\begin{proof}
We prove that any real-world cheating sender $\hat{\mathsf{S}}$ implies an ideal-world cheating sender $\hat{\mathsf{S}}'$ such that, under the $\SIS$ assumption,
the two distributions $\REAL_{\hat{\mathsf{S}},{\mathsf{R}}}$ and $\IDEAL_{\hat{\mathsf{S}}',{\mathsf{R}}'}$ with common inputs $(N,k,M_1,\ldots,M_N,\rho_1,\ldots,\rho_k)$ are indistinguishable
to any PPT distinguisher $\ddv$. \\ \indent To this end, we consider a sequence of hybrid experiments with binary outputs. In each experiment $\textsf{Exp}_i$, a distinguisher $\ddv$ takes
to any PPT distinguisher $\ddv$.
To this end, we consider a sequence of hybrid experiments with binary outputs. In each experiment $\textsf{Exp}_i$, a distinguisher $\ddv$ takes
as input the states $(S_k,R_k)$ produced by $\hat{\mathsf{S}}$ and $\mathsf{R}'$ at the end of the experiment and outputs a bit. We define $W_i$ as the event that the output of experiment $\textsf{Exp}_i$ is $1$. The first experiment outputs whatever the distinguisher $\ddv$ outputs and corresponds to the real interaction between the cheating sender $\hat{\mathsf{S}}$ and the
receiver $\mathsf{R}$. \smallskip
\begin{description}
@ -578,8 +705,9 @@ extracted matrix $\mathbf{S} \in \ZZ^{n \times t}$, by applying the test
\eqref{test-deux}), it aborts the interaction as in $\textsf{Exp}_3$.
If the ZK
argument involves a true statement, $\hat{\mathsf{S}}'$ sends $1$ to the trusted party $\mathsf{T}$ so as to authorize the transfer in the ideal world. Otherwise, $\hat{\mathsf{S}}'$ sends $0$ to $\mathsf{T}$.
At the end of the $k$-th transfer phase, $\hat{\mathsf{S}}'$ outputs whatever $\hat{\mathsf{S}}$ outputs as its final state $S_k$. \\
\indent In $\textsf{Exp}_3$, it is easy to see that
At the end of the $k$-th transfer phase, $\hat{\mathsf{S}}'$ outputs whatever $\hat{\mathsf{S}}$ outputs as its final state $S_k$.
In $\textsf{Exp}_3$, it is easy to see that
$$ \Pr[W_3] = \Pr[ \ddv (X) =1 \mid X \leftarrow \IDEAL_{\hat{\mathsf{S}}',{\mathsf{R}}'} ] .$$
When putting the above altogether, we find that there exists a PPT $\SIS$ solver $\bdv$ such that
\begin{multline*}
@ -690,8 +818,9 @@ Note that, by Lemma \ref{sig-rely}, such an index must exist unless $\hat{\maths
database entry, $\hat{\mathsf{R}}'$ sends $\rho_i$ to the trusted party $\mathsf{T}$ which returns the message $M_{\rho_i} \in \{0,1\}^t$. The latter is used together with the
extracted witness $\mu \in \{0,1\}^t$ to define the response $M'=M_{\rho_i} \oplus \mu \in \{0,1\}^t$ that $\hat{\mathsf{R}}'$ generates on behalf of the sender $\hat{\mathsf{S}}'$ at step 2 of the transfer. In addition,
the ideal-world dishonest receiver $\hat{\mathsf{R}}'$ appeals to the simulator of the zero-knowledge argument system to simulate an argument of knowledge
of $\{(\mathbf{s}_j,\mathbf{e}_j,\mathbf{y}[j])\}_{j=1}^t$ for the statement~\eqref{eq:protocol-2-original}.\\% (\ref{sender-proof-two}). \\
\indent It is easy to see that, when $\hat{\mathsf{R}}$ interacts with the simulator $\hat{\mathsf{R}}'$ that emulates the real-world sender $\mathsf{S}'$, its view is identical to that
of $\{(\mathbf{s}_j,\mathbf{e}_j,\mathbf{y}[j])\}_{j=1}^t$ for the statement~\eqref{eq:protocol-2-original}.
It is easy to see that, when $\hat{\mathsf{R}}$ interacts with the simulator $\hat{\mathsf{R}}'$ that emulates the real-world sender $\mathsf{S}'$, its view is identical to that
of $\textsf{Exp}_4$: we have
$$ \Pr[W_4] = \Pr[ \ddv (X) =1 \mid X \leftarrow \IDEAL_{{\mathsf{S}}',\hat{\mathsf{R}}'} ] .$$
When combining the above, we conclude that there exist PPT algorithms $\bdv$ and $\bdv'$ such that
@ -1300,8 +1429,9 @@ Next, we specify the set $\mathcal{S}$ and permutations of $D$ elements $\{\Gamm
\item For $\phi = (\phi_1, \phi_2) \in \mathcal{S}$ and for $\mathbf{t} = (\mathbf{t}_1^T \mid \mathbf{t}_2^T)^T \in \mathbb{Z}^D$, where $\mathbf{t}_1 \in \mathbb{Z}^{3(n+m+N)t\delta_{B_\chi}}$ and $\mathbf{t}_2 \in \mathbb{Z}^{2Nt}$, we define $\Gamma_\phi(\mathbf{t}) = (\phi_1(\mathbf{t}_1)^T \mid \phi_2(\mathbf{t}_2)^T )^T $.
\end{itemize}
By inspection, it can be seen that the desired properties in \eqref{eq:zk-equivalence} are satisfied. As a result, we can obtain the required \textsf{ZKAoK} by running the protocol from \cref{sse:stern-abstraction} with common input $(\mathbf{M}, \mathbf{v})$ and prover's input $\mathbf{w}$.
The protocol has communication cost $\mathcal{O}(D\log q)= \widetilde{\mathcal{O}}(\lambda)\cdot \mathcal{O}(Nt)$ bits. \\
\indent While this protocol has linear complexity in $N$, it is only used in the initialization phase, where $\Omega(N)$ bits inevitably have to be transmitted anyway.
The protocol has communication cost $\mathcal{O}(D\log q)= \widetilde{\mathcal{O}}(\lambda)\cdot \mathcal{O}(Nt)$ bits.
While this protocol has linear complexity in $N$, it is only used in the initialization phase, where $\Omega(N)$ bits inevitably have to be transmitted anyway.
@ -1452,7 +1582,9 @@ These steps can be treated as explained below.
At each step $\theta \in [L]$, the prover demonstrates knowledge of a path consisting of $\delta_\kappa$ nodes $\mathbf{g}_{\theta,1}, \ldots, \mathbf{g}_{\theta, \delta_\kappa} \in \{0,1\}^{n\lceil \log q\rceil}$ determined by $d_{\theta, 1}, \ldots, d_{\theta, \delta_\kappa}$, as well as their sibling nodes $\mathbf{t}_{\theta, 1}, \ldots, \mathbf{t}_{\theta, \delta_\kappa} \in \{0,1\}^{n\lceil \log q\rceil}$.
Also, the prover argues knowledge of an opening $(y_\theta , \mathbf{r}_\theta) \in \{0,1\} \times \{0,1\}^m $ for the commitment of which $\mathbf{g}_{\theta, \delta_\kappa}$ is a binary decomposition.
As shown in~\cref{sse:stern}. (and recalled in Appendix~\ref{appendix:bit-commit+Merkle-tree}), it suffices to prove the following relations (mod $q$):
As shown in~\cref{sse:stern},
%(and recalled in Appendix~\ref{appendix:bit-commit+Merkle-tree}),
it suffices to prove the following relations (mod $q$):
\begin{eqnarray} \label{Merkle-layer}
\forall \theta\in [L] \begin{cases}
@ -1851,7 +1983,7 @@ which has communication cost $\mathcal{O}(D \log q)= \mathcal{O}(L\cdot \log \ka
\section{Reducing the Communication Complexity in the Random Oracle Model} \label{optimized}
One limitation of our basic adaptive OT protocol is that it requires the sender to repeat the zero-knowledge proofs of the initialization phase
for each user. In total, the communication cost of the initialization phase thus amounts to $\Omega(\lambda N U)$, which is even more expensive
than the $O(\lambda (N+U))$ complexities of \cite{CNs07,GH07,CDN09,JL09}. As pointed out by Green and Hohenberger \cite{GH11}, decreasing the
than the $O(\lambda (N+U))$ complexities of \cite{CNS07,GH07,CDN09,JL09}. As pointed out by Green and Hohenberger \cite{GH11}, decreasing the
cost of the initialization phase to be independent of the number of users is highly
desirable: ideally, one would certainly prefer a non-interactive initialization phase where the Sender can publicize a $O(\lambda N)$-size
commitment to the database, which can subsequently be used by arbitrarily many receivers.
@ -1894,7 +2026,7 @@ $${PK}_{sig}:=\big( \mathbf{A},
\item[2.] Choose a matrix $\mathbf{S} \sample \chi^{n \times t}$ that will serve as a secret key for an $\LWE$-based encryption scheme.
Then, define the matrix $\mathbf{F} =H_{F}(\varepsilon) \in \Zq^{n \times m}$ and sample a matrix $\mathbf{E} \sample \chi^{m \times t }$ to compute
\begin{eqnarray} \label{PK-gen-app}
\mathbf{P} = \left[ \mathbf{p}_1 \mid \ldots \mid \mathbf{p}_t \right] = \mathbf{F}^\top \cdot \mathbf{S} + \mathbf{E} ~\in \Zq^{m \times t}
\mathbf{P} = \left[ \mathbf{p}_1 \mid \ldots \mid \mathbf{p}_t \right] = \mathbf{F}^T \cdot \mathbf{S} + \mathbf{E} ~\in \Zq^{m \times t}
\end{eqnarray}
so that $(\mathbf{F},\mathbf{P}) \in \Zq^{n \times m} \times \Zq^{m \times t }$ forms a public key for a $t$-bit variant of Regev's encryption scheme \cite{Reg05}
(or, equivalently,
@ -1904,12 +2036,12 @@ $${PK}_{sig}:=\big( \mathbf{A},
U(\Zq^n)$ and $\mathbf{x}_1,\ldots,\mathbf{x}_{N} \sample \chi^{t}$ to
compute
\begin{eqnarray} \label{init-db-app}
(\mathbf{a}_i,\mathbf{b}_i)= \bigl( \mathbf{a}_i, ~ \mathbf{S}^\top \cdot \mathbf{a}_i + \mathbf{x}_i + M_i \cdot \lfloor q/2 \rfloor \bigr) \in \Zq^n \times \Zq^{t} \qquad \forall i \in [N]
(\mathbf{a}_i,\mathbf{b}_i)= \bigl( \mathbf{a}_i, ~ \mathbf{S}^T \cdot \mathbf{a}_i + \mathbf{x}_i + M_i \cdot \lfloor q/2 \rfloor \bigr) \in \Zq^n \times \Zq^{t} \qquad \forall i \in [N]
\qquad
\end{eqnarray}
\item[4.] For each $i=1$ to $N$, generate a signature $(\tau_i,\mathbf{v}_i ) \leftarrow \mathsf{Sign}(SK_{sig},\tau,\mathfrak{m}_i)$ on the message
$\mathfrak{m}_i=\mathsf{vdec}_{n+t,q-1}(\mathbf{a}_i|\mathbf{b}_i) \in \{0,1\}^{m_d}$ obtained by decomposing $(\mathbf{a}_i^\top | \mathbf{b}_i^\top)^\top \in \Zq^{n+t}$.
$\mathfrak{m}_i=\mathsf{vdec}_{n+t,q-1}(\mathbf{a}_i|\mathbf{b}_i) \in \{0,1\}^{m_d}$ obtained by decomposing $(\mathbf{a}_i^T | \mathbf{b}_i^T)^T \in \Zq^{n+t}$.
\item[5.] $\mathsf{S}_\mathsf{I}$ sends $\mathsf{R}_\mathsf{I}$ the initialization data
\begin{eqnarray} \label{init-data}
R_0= \bigl( PK_{sig} ,~(\mathbf{F},\mathbf{P}),~\{(\mathbf{a}_i,\mathbf{b}_i),(\tau_i,\mathbf{v}_i )\}_{i=1}^N , ~\pi_K \bigr),
@ -1924,13 +2056,13 @@ that are consistent with \eqref{PK-gen-app}-\eqref{init-db-app}. The argument $\
$\mathbf{X}=[\mathbf{x}_1 | \ldots | \mathbf{x}_N] \in \chi^{ t \times N}$
and parse $\mathbf{S}$ and $\mathbf{E}$ as $\mathbf{S}=[\mathbf{s}_1 | \ldots | \mathbf{s}_t] \in \chi^{n \times t}$,
$\mathbf{E}=[\mathbf{e}_1 | \ldots | \mathbf{e}_t] \in \chi^{m \times t}$.
\item[b.] For each $j \in [t]$, define $\bar{M}_j \in \{0,1\}^N$ to be the $j$-th column of $\mathbf{M}^\top = [ \bar{M}_1 | \ldots | \bar{M}_t ]$. Likewise,
let $\bar{\mathbf{b}}_j \in \Zq^N$ (resp. $\bar{\mathbf{x}}_j \in \chi^N$) be the $j$-th column of $\mathbf{B}_{\textsf{DB}}^\top=[\bar{\mathbf{b}}_1 | \ldots | \bar{\mathbf{b}}_t ] \in \Zq^{N \times t} $
(resp. $\mathbf{X}^\top=[\bar{\mathbf{x}}_1 | \ldots | \bar{\mathbf{x}}_t ] $) and generate a signature of knowledge
\item[b.] For each $j \in [t]$, define $\bar{M}_j \in \{0,1\}^N$ to be the $j$-th column of $\mathbf{M}^T = [ \bar{M}_1 | \ldots | \bar{M}_t ]$. Likewise,
let $\bar{\mathbf{b}}_j \in \Zq^N$ (resp. $\bar{\mathbf{x}}_j \in \chi^N$) be the $j$-th column of $\mathbf{B}_{\textsf{DB}}^T=[\bar{\mathbf{b}}_1 | \ldots | \bar{\mathbf{b}}_t ] \in \Zq^{N \times t} $
(resp. $\mathbf{X}^T=[\bar{\mathbf{x}}_1 | \ldots | \bar{\mathbf{x}}_t ] $) and generate a signature of knowledge
of $\mathbf{s}_j \in \chi^n$, $\mathbf{e}_j \in \chi^m$, $\bar{\mathbf{x}}_j \in \chi^N$, $\bar{M}_j \in \{0,1\}^N$, for $j \in [t]$, such that
\begin{eqnarray} \label{sender-proof-app}
\left[ \begin{array}{c|c|c|c} ~ \mathbf{F}^\top ~ & ~ \mathbf{I}_m ~ & ~ & ~ ~\\ \hline
\rule{0pt}{2.5ex}~\mathbf{A}_{\textsf{DB}}^\top ~ & ~ ~ & ~ \mathbf{I}_N ~ & ~ \lfloor q/2 \rfloor \cdot \mathbf{I}_N ~
\left[ \begin{array}{c|c|c|c} ~ \mathbf{F}^T ~ & ~ \mathbf{I}_m ~ & ~ & ~ ~\\ \hline
\rule{0pt}{2.5ex}~\mathbf{A}_{\textsf{DB}}^T ~ & ~ ~ & ~ \mathbf{I}_N ~ & ~ \lfloor q/2 \rfloor \cdot \mathbf{I}_N ~
\end{array} \right]
\cdot \begin{bmatrix} \mathbf{s}_j \\ \hline \mathbf{e}_j \\ \hline \bar{\mathbf{x}}_j \\ \hline \rule{0pt}{2.5ex} \bar{{M}}_j \end{bmatrix} = \begin{bmatrix}
\mathbf{p}_j \\ \hline
@ -1943,7 +2075,7 @@ where $\mathsf{Chall}_K = H_{\mathsf{FS}}\big( (\mathbf{F},\mathbf{P}, \mathbf{A
\{ \mathsf{Comm}_{K,j}\}_{j=1}^\varsigma \big) \in \{1,2,3\}^\varsigma$.
\item[c.] If the proof of knowledge $\pi_K$ does not verify
or if there exists $i \in [N]$ such that $(\tau_i,\mathbf{v}_i)$ is an invalid signature on
$\mathsf{vdec}_{n+t,q-1}\big((\mathbf{a}_i^\top|\mathbf{b}_i^\top)^\top \big)^\top $, then $\mathsf{R}_\mathsf{I}$ aborts.
$\mathsf{vdec}_{n+t,q-1}\big((\mathbf{a}_i^T|\mathbf{b}_i^T)^T \big)^T $, then $\mathsf{R}_\mathsf{I}$ aborts.
\end{itemize}
\item[6.] Finally $\mathsf{S}_\mathsf{I}$ defines $S_0= \big( (\mathbf{S},\mathbf{E}) ,(\mathbf{F},\mathbf{P}),PK_{sig} \big)$, which it keeps to itself. \medskip \smallskip
\end{itemize}
@ -1953,17 +2085,17 @@ an index $\rho_i \in [1,N]$. It interacts as follows with the sender $\mathsf{S}
\begin{itemize}
\item[1.] $\mathsf{R}_\mathsf{T}$ samples vectors $\mathbf{e} \sample U(\{-1,0,1\}^m)$, $\mu \sample U(\{0,1\}^t)$ and a random $\nu \sample U([-B,B]^t)$ to compute
\begin{eqnarray} \label{rand-CT-app}
(\mathbf{c}_0,\mathbf{c}_1) = \big( \mathbf{a}_{\rho_i} + \mathbf{F} \cdot \mathbf{e} , ~\mathbf{b}_{\rho_i} + \mathbf{P}^\top \cdot \mathbf{e} + \mu \cdot \lfloor q/2 \rfloor + \nu \big) \in \Zq^n \times \Zq^t,
(\mathbf{c}_0,\mathbf{c}_1) = \big( \mathbf{a}_{\rho_i} + \mathbf{F} \cdot \mathbf{e} , ~\mathbf{b}_{\rho_i} + \mathbf{P}^T \cdot \mathbf{e} + \mu \cdot \lfloor q/2 \rfloor + \nu \big) \in \Zq^n \times \Zq^t,
\qquad
\end{eqnarray}
which is a re-randomization of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i} + \mu \cdot \lfloor q/2 \rfloor )$. The resulting ciphertext $(\mathbf{c}_0,\mathbf{c}_1)$ is sent to
$\mathsf{S}_\mathsf{T}$. In addition, $\mathsf{R}_\mathsf{T}$ provides an interactive WI argument that $(\mathbf{c}_0,\mathbf{c}_1)$ is indeed a re-randomization of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i})$ for some index $\rho_i \in [N]$.
To this end, $\mathsf{R}_\mathsf{T}$ argues knowledge of short vectors $\mathfrak{m} = \mathsf{vdec}_{n+1,q-1}(\mathbf{a}_i| \mathbf{b}_i) \in \{0,1\}^{m_d}$, $\mathbf{e} \in \{-1,0,1\}^t$, $\mu \in \{0,1\}^t$,
$\nu \in [-B,B]^t$, $\tau \in \{0,1\}^{\ell}$ and $\mathbf{v} =(\mathbf{v}_1^\top | \mathbf{v}_2^\top)^\top \in \ZZ^{2m}$ such that
$\nu \in [-B,B]^t$, $\tau \in \{0,1\}^{\ell}$ and $\mathbf{v} =(\mathbf{v}_1^T | \mathbf{v}_2^T)^T \in \ZZ^{2m}$ such that
\begin{eqnarray} \label{statement-rand-un-app}
\left[ \begin{array}{cc|c|c|c}
\mathbf{H}_{n,q-1} ~ & ~ ~ & ~ \mathbf{F} ~& ~ &~ \\ \hline
& ~\mathbf{H}_{t,q-1}~ & \rule{0pt}{2.5ex} ~\mathbf{P}^{\top}~ & ~ \mathbf{I}_t \cdot \lfloor q/2 \rfloor ~ & ~\mathbf{I}_t~
& ~\mathbf{H}_{t,q-1}~ & \rule{0pt}{2.5ex} ~\mathbf{P}^{T}~ & ~ \mathbf{I}_t \cdot \lfloor q/2 \rfloor ~ & ~\mathbf{I}_t~
\end{array} \right] \cdot \begin{bmatrix} \mathfrak{m} \\ \hline \mathbf{e} \\ \hline \mu \\ \hline \nu \end{bmatrix} = \begin{bmatrix} \mathbf{c}_0 \\ \hline \mathbf{c}_1 \end{bmatrix}
\end{eqnarray}
and
@ -1974,25 +2106,25 @@ and
\end{eqnarray}
\item[2.] If the WI argument of step 1 verifies, $\mathsf{S}_\mathsf{T}$ uses $\mathbf{S} \in \chi^{n \times t}$ to decrypt $(\mathbf{c}_0,\mathbf{c}_1) \in \Zq^n \times \Zq^t$ and
obtain $$M' = \lfloor (\mathbf{c}_1 - \mathbf{S}^\top \cdot \mathbf{c}_0) / ( q/2 ) \rceil \in \{0,1\}^t,$$
which is sent back to $\mathsf{R}_\mathsf{T}$. In addition, $\mathsf{S}_\mathsf{T}$ provides a NIZK argument $\pi_T$ of knowledge of $\mathbf{y}= \mathbf{c}_1 - \mathbf{S}^\top \cdot \mathbf{c}_0 - M' \cdot \lfloor q/2 \rfloor \in \ZZ^t$
obtain $$M' = \lfloor (\mathbf{c}_1 - \mathbf{S}^T \cdot \mathbf{c}_0) / ( q/2 ) \rceil \in \{0,1\}^t,$$
which is sent back to $\mathsf{R}_\mathsf{T}$. In addition, $\mathsf{S}_\mathsf{T}$ provides a NIZK argument $\pi_T$ of knowledge of $\mathbf{y}= \mathbf{c}_1 - \mathbf{S}^T \cdot \mathbf{c}_0 - M' \cdot \lfloor q/2 \rfloor \in \ZZ^t$
of norm $\| \mathbf{y} \|_{\infty} \leq q/5$ and $\mathbf{E}=[\mathbf{e}_1|\ldots | \mathbf{e}_t] \in \chi^{m \times t}$ satisfying (modulo $q$)
\begin{eqnarray} \label{test-fin-trans}
\mathbf{P} &=& \mathbf{F}^\top \cdot \mathbf{S} + \mathbf{E} ~ , \qquad \mathbf{c}_0^\top \cdot \mathbf{S} + \mathbf{y}^\top = \mathbf{c}_1^\top - {M'}^\top \cdot \lfloor q/2 \rfloor .
\mathbf{P} &=& \mathbf{F}^T \cdot \mathbf{S} + \mathbf{E} ~ , \qquad \mathbf{c}_0^T \cdot \mathbf{S} + \mathbf{y}^T = \mathbf{c}_1^T - {M'}^T \cdot \lfloor q/2 \rfloor .
\end{eqnarray}
Given $\mathbf{y}=(\mathbf{y}[1],\ldots,\mathbf{y}[t])^\top \in \ZZ^t$ and $\mathbf{S}=[\mathbf{s}_1| \ldots | \mathbf{s}_t]$, this amounts to proving, for each $j \in [t]$, knowledge
Given $\mathbf{y}=(\mathbf{y}[1],\ldots,\mathbf{y}[t])^T \in \ZZ^t$ and $\mathbf{S}=[\mathbf{s}_1| \ldots | \mathbf{s}_t]$, this amounts to proving, for each $j \in [t]$, knowledge
of $\mathbf{s}_j \in \chi^n$, $\mathbf{y}[j] \in \ZZ$ such that $|\mathbf{y}[j] | < q/4$ and $\mathbf{e}_j \in \chi^m$, such that
\begin{eqnarray} \label{sender-proof-two-app}
\left[ \begin{array}{c|c|c}
~ \mathbf{F}^\top ~ & ~ \mathbf{I}_m ~ & ~~ \\ \hline
\rule{0pt}{2.5ex} \mathbf{c}_0^\top ~ & & 1
~ \mathbf{F}^T ~ & ~ \mathbf{I}_m ~ & ~~ \\ \hline
\rule{0pt}{2.5ex} \mathbf{c}_0^T ~ & & 1
\end{array} \right]
\cdot \begin{pmatrix} \mathbf{s}_j \\ \hline \mathbf{e}_j \\ \hline \mathbf{y}[j] \end{pmatrix} = \begin{pmatrix}
\mathbf{p}_j \\ \hline
\rule{0pt}{2.5ex} \mathbf{c}_1[j] - M'[j] \cdot \lfloor q/2 \rfloor
\end{pmatrix} \qquad~ \forall j \in [t], \qquad
\end{eqnarray}
where $\mathbf{c}_1=(\mathbf{c}_1[1],\ldots,\mathbf{c}_1[t])^\top $ and $M' = (M'[1],\ldots,M'[t])^\top$. Let the NIZK argument be $\pi_T=(
where $\mathbf{c}_1=(\mathbf{c}_1[1],\ldots,\mathbf{c}_1[t])^T $ and $M' = (M'[1],\ldots,M'[t])^T$. Let the NIZK argument be $\pi_T=(
\{\mathsf{Comm}_{T,j}\}_{j=1}^\varsigma,\mathsf{Chall}_T,\{\mathsf{Resp}_{T,j}\}_{j=1}^\varsigma)$,
where $\mathsf{Chall}_T = H_{\mathsf{FS}}\big( (\mathbf{F},\mathbf{P}, \mathbf{c}_0, \mathbf{c}_{1}),
\{ \mathsf{Comm}_{T,j}\}_{j=1}^\varsigma \big) \in \{1,2,3\}^\varsigma$.
@ -2035,7 +2167,7 @@ The above $\OTA$ protocol provides receiver security under the $\SIS$ assumption
\item[\textsf{Exp}$_2$:] is as $\textsf{Exp}_1$ but, at step 5 of the initialization phase, $\mathsf{R}'$ uses the short basis
$\mathbf{T}_{\mathbf{F}} \in \ZZ^{m \times m}$ of $\Lambda_q^{\perp}(\mathbf{F})$ (which satisfies $\mathbf{F} \cdot \mathbf{T}_{\mathbf{F}} = \mathbf{0}^n \bmod q$) to
extract witnesses $\mathbf{s}_j \in \chi^n$, $\mathbf{e}_j \in \chi^m$ from the columns $\mathbf{p}_j = \mathbf{F}^\top \cdot \mathbf{s}_j + \mathbf{e}_j \in \ZZ^m$ of the
extract witnesses $\mathbf{s}_j \in \chi^n$, $\mathbf{e}_j \in \chi^m$ from the columns $\mathbf{p}_j = \mathbf{F}^T \cdot \mathbf{s}_j + \mathbf{e}_j \in \ZZ^m$ of the
matrix $\mathbf{P}= \left[\mathbf{p}_1 \mid \ldots \mid \mathbf{p}_t\right] \in \Zq^{m \times t}$
%and
% $\bar{\mathbf{x}}_j \in \chi^N$, $\bar{M}_j \in \{0,1\}^N$,
@ -2044,11 +2176,11 @@ The above $\OTA$ protocol provides receiver security under the $\SIS$ assumption
$\mathsf{R}'$ aborts the interaction in the event that one of the following conditions holds: \smallskip
\begin{itemize}
\item[E.1:] The $\LWE$-inversion algorithm
fails to compute small-norm vectors $\mathbf{s}_j \in \chi^n$, $\mathbf{e}_j \in \chi^m$ such that $\mathbf{p}_j = \mathbf{F}^\top \cdot \mathbf{s}_j + \mathbf{e}_j \in \Zq^m$ for some $j \in [t]$. %(which happens if $\mathbf{T}_{\mathbf{F}}^\top \cdot \mathbf{p}_j $ is not small)
fails to compute small-norm vectors $\mathbf{s}_j \in \chi^n$, $\mathbf{e}_j \in \chi^m$ such that $\mathbf{p}_j = \mathbf{F}^T \cdot \mathbf{s}_j + \mathbf{e}_j \in \Zq^m$ for some $j \in [t]$. %(which happens if $\mathbf{T}_{\mathbf{F}}^T \cdot \mathbf{p}_j $ is not small)
\item[E.2:] The
columns of $\mathbf{S} = \left [\mathbf{s}_1 \mid \ldots \mid \mathbf{s}_t \right] \in \chi^{n \times t}$ are successfully extracted but there exists $i \in [N]$ such that one of the coordinates of
$\mathbf{b}_i - \mathbf{S}^\top \cdot \mathbf{a}_i \bmod q$ is neither close to $0$ nor $\lfloor q/2 \rfloor$ (i.e., the inequalities $ |\mathbf{b}_i - \mathbf{S}^\top \cdot \mathbf{a}_i \bmod q | > \alpha q$ and $ |(\mathbf{b}_i - \mathbf{S}^\top \cdot \mathbf{a}_i \bmod q) - \lfloor q/2 \rfloor | > \alpha q $ are both satisfied). \smallskip
$\mathbf{b}_i - \mathbf{S}^T \cdot \mathbf{a}_i \bmod q$ is neither close to $0$ nor $\lfloor q/2 \rfloor$ (i.e., the inequalities $ |\mathbf{b}_i - \mathbf{S}^T \cdot \mathbf{a}_i \bmod q | > \alpha q$ and $ |(\mathbf{b}_i - \mathbf{S}^T \cdot \mathbf{a}_i \bmod q) - \lfloor q/2 \rfloor | > \alpha q $ are both satisfied). \smallskip
\end{itemize}
In either of the above situations, $\mathsf{R}'$ infers that $\hat{\mathsf{S}}$ managed to create a convincing argument for a false statement and aborts the interaction. In such a situation, however, $\mathsf{R}'$ can be turned into an algorithm that breaks the binding property
of the commitment scheme used in the ZK argument (which contradicts the $\SIS$ assumption if the statistically hiding commitment of \cite{KTX08} is used) by replaying the adversary with the same random tape but a different random oracle $H_{\mathsf{FS}}$. According to the General Forking Lemma of \cite{BPVY00},
@ -2070,7 +2202,7 @@ The above $\OTA$ protocol provides receiver security under the $\SIS$ assumption
uses the previously extracted $\mathbf{S} \in \chi^{n \times t}$ to determine if there exists $\mathbf{y} \in \ZZ^t$ of norm $\| \mathbf{y} \|_{\infty}
\leq q/5$ such that
\begin{eqnarray} \label{test-trois}
\mathbf{c}_0^\top \cdot \mathbf{S} + \mathbf{y}^\top = \mathbf{c}_1^\top - {M'}^\top \cdot \lfloor q/2 \rfloor .
\mathbf{c}_0^T \cdot \mathbf{S} + \mathbf{y}^T = \mathbf{c}_1^T - {M'}^T \cdot \lfloor q/2 \rfloor .
\end{eqnarray}
If such vector $\mathbf{y}$ turns out not to exist, $\mathsf{R}'$ deduces $\mathsf{R}'$ that $\hat{\mathsf{S}}$ was able to fake a convincing argument for a false statement and aborts the interaction. However, $\mathsf{R}'$ can then be turned into a PPT adversary against the binding property
of the commitment scheme used in the ZK argument (and thus the $\SIS$ assumption if the commitment of \cite{KTX08} is used) by replaying the adversary according to the General Forking technique \cite{BPVY00}. The result of \cite{BPVY00} tells us that
@ -2083,12 +2215,12 @@ The above $\OTA$ protocol provides receiver security under the $\SIS$ assumption
the first message of the encrypted database. In more details, at each transfer, $\mathsf{R}'$
samples vectors $\mathbf{e} \sample U(\{-1,0,1\}^m)$, $\mu \sample U(\{0,1\}^t)$ and $\nu \sample U([-B,B]^t)$ to compute and send
\begin{eqnarray*}
(\mathbf{c}_0,\mathbf{c}_1) = \big( \mathbf{a}_{1} + \mathbf{F} \cdot \mathbf{e} , ~\mathbf{b}_{1} + \mathbf{P}^\top \cdot \mathbf{e} + \mu \cdot \lfloor q/2 \rfloor + \nu \big) \in \Zq^n \times \Zq^t,
(\mathbf{c}_0,\mathbf{c}_1) = \big( \mathbf{a}_{1} + \mathbf{F} \cdot \mathbf{e} , ~\mathbf{b}_{1} + \mathbf{P}^T \cdot \mathbf{e} + \mu \cdot \lfloor q/2 \rfloor + \nu \big) \in \Zq^n \times \Zq^t,
\end{eqnarray*}
which is a re-randomization of $(\mathbf{a}_{1},\mathbf{b}_{1} + \mu \cdot \lfloor q/2 \rfloor )$. Moreover, $\mathsf{R}_\mathsf{T}'$ uses the witness $\rho_i=1$ to faithfully generate an interactive WI argument that
$(\mathbf{c}_0,\mathbf{c}_1)$ is a re-randomization of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i})$.
It thus generates a WI argument of knowledge of vectors $\mathfrak{m} = \mathsf{vdec}_{n+t,q-1}(\mathbf{a}_1| \mathbf{b}_1) \in \{0,1\}^{m_d}$, $\mathbf{e} \in \{-1,0,1\}^t$, $\mu \in \{0,1\}^t$,
$\nu \in [-B,B]^t$, $\tau \in \{0,1\}^{\ell}$ and $(\mathbf{v}_1^\top | \mathbf{v}_2^\top)^\top \in \ZZ^{2m}$ satisfying relations~\eqref{eq:protocol-3-original}.
$\nu \in [-B,B]^t$, $\tau \in \{0,1\}^{\ell}$ and $(\mathbf{v}_1^T | \mathbf{v}_2^T)^T \in \ZZ^{2m}$ satisfying relations~\eqref{eq:protocol-3-original}.
%(\ref{statement-rand-un})-(\ref{statement-rand-deux}).
By the statistically WI of the interactive argument system, this modification has no noticeable impact on the output distribution of a cheating sender $\hat{\mathsf{S}}$ whatsoever.
We have $ | \Pr[W_4] -\Pr[W_3] | \in \mathsf{negl}(\lambda). $ \smallskip
@ -2131,4 +2263,60 @@ sender in a sequential manner. This restriction is important since
the simulator has to rewind the receiver's zero-knowledge arguments at step 1 of each transfer, which would not be possible in concurrent sessions.
\section{Comparison of Oblivious Transfer Schemes} \label{sec-comp}
\begin{table}[h]
\centering
\scriptsize
\begin{tabular}{|ccccc|}
\hline
Protocol & \begin{minipage}{\widthof{Initialization}}\vspace{3pt}\centering Initialization Cost \vspace{3pt}\end{minipage} & Transfer Cost & Assumptions & Security \\
\hline \hline
Folklore & $\cdot$ & $\bigO(\lambda N)$ & general & Full Sim \\ \hline
%KN~\cite{KN06} & $\bigO(\lambda(N+U))$ & $\bigO(\lambda N)$ & Decisional $n$-th residuosity + DDH & Full Sim \\ \hline
NP~\cite{NP99} & $\cdot$ & $\bigO(\lambda \cdot \log(N))$ & DDH + $\OT_1^2$ & Half Sim \\ \hline
KPN~\cite{KPN10} & $\bigO(\lambda (N \cdot U))$ & $\bigO(\lambda)$ & DDH & Full Sim \\ \hline
CNS~\cite{CNS07} & $\bigO(\lambda (N + U))$ & $\bigO(\lambda)$ & $q$-type & Full Sim \\
GH08~\cite{GH08} & $\bigO(\lambda (N + U))$ & $\bigO(\lambda)$ & DLIN + $q$-type & UC \\
JL~\cite{JL09} & $\bigO(\lambda (N + U))$ & $\bigO(\lambda)$ & Comp. Dec. Residuosity + $q$-type & Full Sim \\
%RKP~\cite{RKP09} & $\bigO(\lambda (N + U))$ & $\bigO(\lambda)$ & DLIN + $q$-Hidden SDH + $q$-TDH & UC \\
GH11~\cite{GH11} & $\bigO(\lambda (N+U))$ & $\bigO(\lambda)$ & Decision 3-Party DH & Full Sim \\ \hline
GH11~\cite{GH11} & $\bigO(\lambda N)$ & $\bigO(\lambda)$ & 3-Party DDH + DLIN & Full Sim \\ \hline \hline
Ours, §\ref{sec:def-OT} & $\bigO(\lambda (N \cdot U))$ & $\bigO(\lambda \cdot \log N)$ & LWE + SIS & Full Sim \\
Ours, App \ref{optimized} & $\bigO(\lambda N)$ & $\bigO(\lambda \cdot \log N)$ & LWE + SIS & Full Sim (ROM)\\ \hline
\end{tabular}
\medskip
\caption[Comparison of the different adaptive OT protocols secure in the standard model]{Overview of the different adaptive OT (without access control) protocols secure in the standard model (except for our scheme in Section~\ref{optimized} of this Supplementary Material). In this table, $\lambda$ denotes the security parameter, $N$ the size of the database and $U$ the number of receivers. The horizontal lines separate the different schemes into categories based of their efficiency. We note that, like those of \cite{KPN11}, the KPN~\cite{KPN10} scheme is secure in a strictly weaker model than ours. In particular, the sender detects if the same record is obtained twice, as pointed out in \cite{GH11}.
%We also note that, while the proceedings version of \cite{KPN11} claims a construction based on $\LWE$, this claim was removed from the revised
%ePrint version in August 2014.
}
\label{tab:comparison}
\end{table}
In this section, we present, in Tables~\ref{tab:comparison} and \ref{tab:AC-comparison}, comparisons between existing adaptive oblivious transfer protocols and ours. These results are to be taken carefully, as the existing schemes are mostly designed in the pairing-based cryptography setting.
The communication complexities thus take into account the number of underlying mathematical objects exchanged during each interactive protocols, which are group elements in the previous constructions, and vectors in our case.
Another remark is that the other schemes which support access control, shown in Table~\ref{tab:AC-comparison}, manage access policy in the fashion of Camenisch \textit{et al.}~\cite{CDN09}. In their work, they model the \textit{access policy} as access categories bounded to users (like their role, or their permission) which are delivered by the issuer. A given message in the database is made available for a \textit{conjunction} of access categories: meaning that to access a given file, a user has to be in \textit{all} the categories the message in linked to. To handle disjunctions, the file is duplicated. The number of messages in the database $N$ in these schemes is then dependent of the access policy, and a cost for duplications is to take into account, as the database has to prove that encryption of the same message with different access policy is indeed the encryption of the same message.
By handling access control through branching programs, we avoid the hidden cost of disjunctions, while enabling access control for attribute's language in $\mathsf{NC}1$.
\begin{table}[h]
\centering
\scriptsize
\begin{tabular}{|ccccccc|}
\hline
Protocol & \begin{minipage}{\widthof{Initialization}}\centering\vspace{3pt} Initialization Cost\vspace{3pt}\end{minipage} & Transfer Cost & Assumptions & Policies & \begin{minipage}{\widthof{Policies}}Private Policies\end{minipage} & Security \\
\hline \hline
CDN~\cite{CDN09} & $\bigO(\lambda \cdot N)$ & $\bigO(\lambda) \cdot \poly[\lambda]$ & $q$-type & Conj. & \nocross & Full Sim \\
%ZAWHMCY~\cite{ZA+10} & $\bigO(\lambda N)$ & $\bigO(\lambda)$ & ABE & Full Sim \\
CDNZ~\cite{CDNZ11} & $\bigO(\lambda \cdot N)$ & $\bigO(\lambda) \cdot \poly[\lambda]$ & $q$-type + XDDH & Conj. & \okcross & Full Sim \\
ACDN~\cite{ACDN13} & $\bigO(\lambda \cdot N)$ & $\bigO(\lambda) \cdot \poly[\lambda]$ & DLIN + SXDH& Conj. & \nocross & UC \\ \hline
ZAW+~\cite{ZAW+10} & $\bigO(\lambda \cdot N)$ & $\bigO(\lambda)$ & CP-ABE + $q$-type & $\mathsf{NC}1$ & \nocross & Full-Sim \\ \hline
CDEN~\cite{CDEN12} & $\bigO(\lambda \cdot N)$ & $\bigO(\lambda \log N) + \poly[\lambda]$ & CP-ABE + GGM & $\mbox{CNF}^{-}$ & \okcross & Full-Sim \\ \hline \hline
Ours, §\ref{OT-AC-scheme} & $\bigO(\lambda \cdot N) $ & $\widetilde{\bigO}(\lambda \log N) + \poly[\lambda]$ & LWE + SIS & $\mathsf{NC}1$ & \nocross & Full Sim \\ \hline
\end{tabular}
\medskip
\caption[Comparison of the different adaptive OT-AC schemes secure in the standard model]{Overview of the different adaptive OT-AC protocols secure in the standard model. Here $N$ denotes the size of the database. The polynomial $\poly[\lambda]$ in transfer costs captures the expense of access policies. In CDEN, GGM stands for generic group model, and $\mbox{CNF}^{-}$ means a restricted version of conjunctive normal form formulas, namely a user has to possess \textit{all} attributes in its access credentials, and to do so, it is able to provides a disjunction of its accesses. Finally ``Conj.'' means ``Conjunctions'', meaning that the user has to possess all the credential for a given message, and disjunctions can be achieved at the expense of duplications of database entries.}
\label{tab:AC-comparison}
\end{table}

2
chap-ZK.tex
View File

@ -211,7 +211,7 @@ In the trusted setup model (also known as common reference string model) describ
Quasi-adaptive \NIZK (\QANIZK)~\cite{JR13} are \NIZK where the common reference string $\crs$ may depend on the language for which proofs have to be generated (that is, the distribution $\dst_\crs$ is a function of the language we want to prove). A formal definition can be found in~\cite{JR13,KW15,LPJY15}, where completeness, soundness and zero-knowledge properties are adapted to take into account the \crs.
\begin{definition}[Quasi-Adaptive Non-Interactive Zero-Knowledge Argument]
\index{Zero Knowledge!QANIZK}
\index{Zero Knowledge!\QANIZK}
\label{de:qa-nizk}
A \textit{Quasi-Adaptive Non-Interactive Zero-Knowledge Argument} argument (or \textbf{\QANIZK}) over a collection of relations $\mathcal{R}=\{ R_\rho \}$ parametrized by a string $\rho$ consists in four $\ppt$ algorithms $(\mathsf{Gen}_0, \mathsf{Gen}_1, P, V)$.
There should also be a simulator $S$ for the entire class of languages.

9
chap-proofs.tex
View File

@ -87,7 +87,7 @@ In order to work with them, we will define the principle of polynomial time redu
\begin{figure}
\centering
\input fig-poly-red
\caption{Illustration of a polynomial-time reduction from $A$ to $B$~{\cite[Fig. 2.1]{AB09}}.} \label{fig:poly-reduction}
\caption[Illustration of a polynomial-time reduction from $A$ to $B$.]{Illustration of a polynomial-time reduction from $A$ to $B$~{\cite[Fig. 2.1]{AB09}}.} \label{fig:poly-reduction}
\end{figure}
In other words, a polynomial reduction from $A$ to $B$ is the description of a polynomial time algorithm (also called ``\emph{the reduction}''), that uses an algorithm for $B$ in a black-box manner to solve $A$.
@ -118,7 +118,6 @@ an attack is successful if the probability that it succeed is noticeable.
\end{description}
\end{definition}
\index{Negligible function}
\begin{definition}[Negligible, noticeable, overwhelming probability] \label{de:negligible}
\index{Probability!Negligible} \index{Probability!Noticeable} \index{Probability!Overwhelming}
Let $f : \NN \to [0,1]$ be a function. The function $f$ is said to be \emph{negligible} if $f(n) = n^{-\omega(1)}_{}$, and this is written $f(n) = \negl[n]$.\\
@ -131,7 +130,7 @@ Namely, the \textit{security notions} and the \textit{hardness assumptions}.
The former are the statements we need to prove, and the latter are the hypotheses on which we rely.
\index{Hardness assumptions} \index{Security notions}
The details of the hardness assumptions we use are given in Chapter~\ref{ch:structures}.
The details of the hardness assumptions we use are given in \cref{ch:structures}.
Nevertheless, some notions are common to these and are evoked here.
The confidence one can put in a hardness assumption depends on many criteria.
@ -225,7 +224,7 @@ For instance, non-interactive zero-knowledge (\NIZK) proofs for all $\NP$ langua
Another reason to use the \ROM in cryptography, is because it enables much more efficient constructions and we have no example of a failure in the random oracle methodology for a natural cryptographic construction~\cite{BR93}.
The example we built earlier is artificial, and in practice there is no known attacks against the \ROM for a natural scheme used in real-life applications.
Thus, for practical purposes, constructions in the \ROM are usually more efficient.
For instance, the scheme we present in Chapter~\ref{ch:sigmasig} adapts the construction of dynamic group signature in the standard model from Libert, Peters and Yung~\cite{LPY15} to the \ROM.
For instance, the scheme we present in \cref{ch:sigmasig} adapts the construction of dynamic group signature in the standard model from Libert, Peters and Yung~\cite{LPY15} to the \ROM.
Doing this transform reduces the signature size from $32$ elements in $\GG$, $14$ elements in $\Gh$ and \textit{one} scalar in the standard model~\cite[App. J]{LPY15} down to $7$ elements in $\GG$ and $3$ scalars in the \ROM.
We now have defined the context we are working on and the base tools that allows security proofs.
@ -263,7 +262,7 @@ Two examples of security game are given in Figure~\ref{fig:sec-game-examples}: t
\pcreturn (vk, \ensemble{sign}, m^\star, \sigma^\star)
}}
}
\caption{Some security games examples} \label{fig:sec-game-examples}
\caption{Some security games examples.} \label{fig:sec-game-examples}
\end{figure}
\index{Reduction!Advantage} \index{Encryption!IND-CPA}

27
chap-sigmasig.tex
View File

@ -35,7 +35,32 @@ Namely, a dynamic group signature scheme, as described in \cref{ch:gs-background
This construction is competitive both in term of signature size and computation time with the best solutions based on non-interactive assumptions~\cite{BBS04,DP06} (in these cases, the Strong Diffie-Hellman assumption~\cite{BB04}).
Concretely, at the 128-bits security, each signature fits within $320$ bytes while providing the strongest sense of anonymity (meaning the definition in \cref{sec:RGSdefsecAnon}).
In this chapter, we will first recall the useful building blocks that are used to design and prove our signature scheme that supports efficient protocols in the~\cite{CL02a} fashion. Then we describe this scheme and we next give the construction and the proof for the group signature scheme for dynamically growing groups. Finally, we show the experimental results we obtain for this group signature scheme.
\paragraph{Our Contribution.}
In this chapter, we propose a new signature scheme with efficient protocols and re-randomizable signatures under simple, well-studied assumptions. The security of our scheme is proved in the standard model under the Symmetric eXternal Diffie-Hellman (SXDH) assumption, which
is a well-established, constant-size assumption (i.e., described using a constant number of elements, regardless of the number of adversarial queries)
in groups with a bilinear map. Remarkably, we can sign $\ell$-block messages using only $4$ group elements under the SXDH assumption.
Our signature length is made possible by the use of efficient Quasi-Adaptive Non-Interactive Zero-Knowledge (\QANIZK) arguments for linear subspaces (described in~\cref{de:qa-nizk}). It was shown
\cite{LPJY14,JR14,KW15} that, for the task of arguing that a vector of group elements belongs to some linear subspace, the size of arguments may be independent of
the dimensions of the considered subspace. Our signature scheme crucially exploits this observation as $\ell$-block messages are signed by generating a \QANIZK
argument for a subspace of dimension $O(\ell)$.
Our signature natively supports efficient privacy-enhancing protocols. We describe
a two-party protocol allowing a user to obtain a signature on a committed multi-block message as well as a honest-verifier zero-knowledge protocol for efficiently demonstrating
knowledge of a signature on a committed message revealing neither the message nor the signature. Hence, our scheme readily enables the design of an efficient anonymous
credentials system based on the sole SXDH assumption.
As another application of our signature scheme, we describe a truly practical group signature (for dynamic groups) based on simple assumptions in the
random oracle model. Our scheme is competitive with the best solutions \cite{BBS04,DP06} based on non-interactive assumptions (which are those relying on the Strong Diffie-Hellman assumption \cite{BB04}) in terms of computational cost and signature length. Concretely, at the $128$-bit security level, each signature fits within $320$ bytes while providing
anonymity in the strongest sense (i.e., against adversaries equipped with a signature opening oracle). To the best of our knowledge, the new scheme thus features the shortest group signatures based on
standard assumptions.
It seems that our signature scheme has many other potential applications. For example, combining it with the ideas of \cite{CHL05} and a pseudo-random function based on standard assumptions
(e.g., \cite{NR97}) readily gives a compact e-cash system based on simple hardness assumptions.
\bigskip
The rest of the chapter is organized as follows. We will first recall the useful building blocks that are used to design and prove our signature scheme that supports efficient protocols in the~\cite{CL02a} fashion. Then we describe this scheme and we next give the construction and the proof for the group signature scheme for dynamically growing groups. Finally, we show the experimental results we obtain for this group signature scheme.
%--------------------------------------------------
\section{Building blocks}

5
macros.tex
View File

@ -147,6 +147,11 @@
\newcommand{\Transfer}{\ensuremath{\mathsf{Transfer}}\xspace}
% Tables
\usepackage{pifont}
\newcommand\okcross{\ding{51}}
\newcommand\nocross{\ding{55}}
% Other
\newcommand{\TODO}{\textbf{\textcolor{red}{TODO}}\xspace}

7
sec-lattices.tex
View File

@ -10,7 +10,7 @@ For instance, fully homomorphic encryption~\cite{Gen09,GSW13} is only known to b
In the context of provable security, lattice assumptions benefit from a worst-case-to-average-case reduction~\cite{Reg05,GPV08,MP12,AFG14}.
Concurrently, worst-case lattice problems have been extensively analyzed in the last decade~\cite{ADS15,ADRS15,HK17}, both classically and quantumly.
This gives us a good confidence in lattice assumptions (given the \emph{caveats} of Chapter~\ref{ch:proofs}) such as Learning-with-Errors ($\LWE$) and Short Integer Solutions ($\SIS$) which are defined in Section~\ref{sse:lattice-problems}. The rest of this section will describe some useful tools that rely on \emph{lattice trapdoors}.
This gives us a good confidence in lattice assumptions (given the \emph{caveats} of \cref{ch:proofs}) such as Learning-with-Errors ($\LWE$) and Short Integer Solutions ($\SIS$) which are defined in Section~\ref{sse:lattice-problems}. The rest of this section will describe some useful tools that rely on \emph{lattice trapdoors}.
\subsection{Lattices and Hard Lattice Problems}
\label{sse:lattice-problems}
@ -134,6 +134,7 @@ Gentry {\em et al.}~\cite{GPV08} showed that Gaussian distributions with lattice
\scbf{Recall.} Given a matrix $\mathbf{A}$, $\widetilde{\mathbf{A}}$ denotes the Gram-Schmidt orthogonalization of $\mathbf{A}$.
\begin{lemma}[{\cite[Le.~2.3]{BLP+13}}]
\index{Lattice Trapdoors!\GPVSample}
\label{le:GPV}
There exists a $\ppt$ (probabilistic polynomial-time) algorithm $\GPVSample$ that inputs a
basis~$\mathbf{B}$ of a lattice~$\Lambda \subseteq \ZZ^n$ and a
@ -149,6 +150,8 @@ The following Lemma states that it is possible to efficiently compute a statisti
\begin{lemma}[{\cite[Th.~3.2]{AP09}}]
\label{le:TrapGen}
\index{Lattice Trapdoors!\TrapGen}
\label{le:GPV}
There exists a $\ppt$ algorithm $\TrapGen$ that takes as inputs $1^n$, $1^m$ and an integer~$q \geq 2$ with~$m \geq \Omega(n \log q)$, and outputs a matrix~$\mathbf{A} \in \ZZ_q^{n \times m}$ and a basis~$\mathbf{T}_{\mathbf{A}}$ of~$\Lambda_q^{\perp}(\mathbf{A})$ such that~$\mathbf{A}$ is within statistical distance~$2^{-\Omega(n)}$ to~$\U(\ZZ_q^{n \times m})$, and~$\|\widetilde{\mathbf{T}_{\mathbf{A}}}\| \leq \bigO(\sqrt{n \log q})$.
\end{lemma}
@ -157,6 +160,7 @@ There exists a $\ppt$ algorithm $\TrapGen$ that takes as inputs $1^n$, $1^m$ and
We also make use of an algorithm that extends a trapdoor for~$\mathbf{A} \in \ZZ_q^{n \times m}$ to a trapdoor of any~$\mathbf{B} \in \ZZ_q^{n \times m'}$ for which a $m$-subset of its columns is $\mathbf{A}$. For the sake of simplicity we will consider the case where~$\mathbf{A}$ is the left~$n \times m$ submatrix of~$\mathbf{B}$.
\begin{lemma}[{\cite[Le.~3.2]{CHKP10}}]\label{lem:extbasis}
\index{Lattice Trapdoors!\ExtBasis}
There exists a $\ppt$ algorithm $\ExtBasis$ that takes as inputs a
matrix~$\mathbf{B} \in \ZZ_q^{n \times m' }$ whose first~$m$ columns
span~$\ZZ_q^n$, and a basis~$\mathbf{T}_{\mathbf{A}}$
@ -169,6 +173,7 @@ We also make use of an algorithm that extends a trapdoor for~$\mathbf{A} \in \ZZ
In some of our security proofs, analogously to \cite{Boy10,BHJ+15}, we also use a technique due to Agrawal, Boneh and Boyen~\cite{ABB10} that implements an all-but-one trapdoor mechanism (akin to the one of Boneh and Boyen \cite{BB04}) in the lattice setting.
\begin{lemma}[{\cite[Th.~19]{ABB10}}]\label{lem:sampler}
\index{Lattice Trapdoors!\SampleR}
There exists a $\ppt$ algorithm $\SampleR$ that takes as inputs matrices $\mathbf{A}, \mathbf{C} \in \ZZ_q^{n \times m}$, a low-norm matrix $\mathbf{R} \in \ZZ^{m \times m}$,
a short basis $\mathbf{T_C} \in \ZZ^{m \times m}$ of $\Lambda_q^{\perp}(\mathbf{C})$, a vector $\mathbf{u} \in \ZZ_q^{n}$ and a rational $\sigma$ such that $\sigma \geq \|
\widetilde{\mathbf{T_C}}\| \cdot \Omega(\sqrt{\log n})$, and outputs a short vector $\mathbf{b} \in \ZZ^{2m}$ such that $\left[ \begin{array}{c|c} \mathbf{A} ~ &~ \mathbf{A}

2
sec-stern.tex
View File

@ -67,6 +67,8 @@ This reduces to use \cref{le:zk-ktx} to prove the knowledge of $\bar{\mathbf{w}}
To construct such a transfer matrix $\mathbf{K}$, \cite{LNSW13} showed that \textit{decomposing} a vector $\mathbf{x} \in [-B,B]^m$ as a vector $\tilde{\mathbf{x}} \in \nbit^{m \cdot \delta_B}$ and \textit{extending} the resulting vector into $\bar{\mathbf{x}} \in \mathsf{B}^3_{m \delta_B}$ leads to a new statement that can be proven using the variant of Stern's protocol described in~\cite{KTX08}.
The resulting matrix $\mathbf{K}= \left[\mathbf{K}_{m,B}^{} \mid \mathbf{0}^{m \times 2m\delta_B}\right] \in \ZZ^{m \times 3m\delta_B}$, where $\mathbf{K}_{m,B}^{}$ is the \nbit-decomposition matrix $\mathbf{K}_{m,B} = \mathbf{I}_m \otimes \left[B_1 \mid \cdots \mid B_{\delta_B} \right]$ with $B_j^{} = \left\lfloor \frac{B + 2^{j-1}}{2^j} \right\rfloor$, for all $j \in \{1,\ldots,j\}$, can be computed from public parameters.
In \cref{ch:ge-lwe}, we extend Stern-like protocols to handle statements where the matrix~$\mathbf M$ of~\eqref{eq:isis-stern-relation} is kept hidden. For this purpose, we define the decomposition-extension method in more detail in~\cref{se:decomposition-extensions-permutations}.
\subsection{Abstraction of Stern's Protocol} \label{sse:stern-abstraction}
\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Abstraction du protocole de Stern}