From b295212aacb9f55d99e74f3a1cae105c320b8b49 Mon Sep 17 00:00:00 2001
From: Fabrice Mouhartem
Date: Mon, 30 Apr 2018 16:12:03 +0200
Subject: [PATCH] Cleaning the code
---
 chap-GS-LWE.tex | 98 +++++++++++++++++++++++++++++++++++------------
 chap-proofs.tex | 36 ++++++++++++++++-
 chap-sigmasig.tex | 59 ++++++++++++----------------
 macros.tex | 1 +
 sec-stern.tex | 6 ---
 symbols.tex | 1 +
 these.bib | 11 ++++++
 7 files changed, 145 insertions(+), 67 deletions(-)
diff --git a/chap-GS-LWE.tex b/chap-GS-LWE.tex
index 7a85f85..eb6d216 100644
--- a/chap-GS-LWE.tex
+++ b/chap-GS-LWE.tex
@@ -26,8 +26,9 @@ $\mathbf{D}_0 \cdot \mathbf{s} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k$
 \subsection{Description} \label{desc-sig-protoc}
 We assume that messages are vectors of $N$ blocks $\mathsf{Msg}=(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$, where each
-block is a $2m$-bit string $\mathfrak{m}_k = \mathfrak{m}_k[1] \ldots \mathfrak{m}_k[2m] \in \{0,1\}^{2m}$ for $k \in \{1,\ldots, N\}$. \\
-\indent For each vector $\mathbf{v} \in \Zq^L$, we denote by $\bit(\mathbf{v}) \in \{0,1\}^{L \lceil \log q \rceil}$ the vector obtained by replacing each
+block is a $2m$-bit string $\mathfrak{m}_k = \mathfrak{m}_k[1] \ldots \mathfrak{m}_k[2m] \in \{0,1\}^{2m}$ for $k \in \{1,\ldots, N\}$.
+
+For each vector $\mathbf{v} \in \Zq^L$, we denote by $\bit(\mathbf{v}) \in \{0,1\}^{L \lceil \log q \rceil}$ the vector obtained by replacing each
 coordinate of $\mathbf{v}$ by its binary representation.
@@ -76,8 +77,8 @@ coordinate of $\mathbf{v}$ by its binary representation.
 \end{description}
 When the scheme is used for obliviously signing committed messages, the security proof follows Bai \textit{et al.} \cite{BLL+15} in that it applies an argument based on the R\'enyi divergence in one signing query. This argument requires
- to sample $\mathbf{s}$ from a Gaussian distribution whose standard deviation $\sigma_1$ is polynomially larger than $\sigma$. \\
-\indent
+ to sample $\mathbf{s}$ from a Gaussian distribution whose standard deviation $\sigma_1$ is polynomially larger than $\sigma$.
+
 We note that, instead of being included in the public key, the matrices $ \{\mathbf{D}_k\}_{k=0}^{N}$ can be part of common public parameters shared by many signers. Indeed, only the matrices $(\mathbf{A},\{\mathbf{A}_i\}_{i=0}^\ell)$ should be specific to the user who holds the secret key $SK=\mathbf{T}_{\mathbf{A}}$. In Section \ref{commit-sig}, we use a variant where $ \{\mathbf{D}_k\}_{k=0}^{N}$ belong to public parameters.
@@ -88,7 +89,7 @@ The security analysis in Theorem \ref{th:gs-lwe-security-cma-sig} requires that
 \begin{theorem} \label{th:gs-lwe-security-cma-sig}
-The signature scheme is secure under chosen-message attacks under the $\mathsf{SIS}$ assumption.
+The signature scheme is secure under chosen-message attacks under the $\SIS$ assumption.
 \end{theorem}
 \begin{proof}
@@ -111,7 +112,8 @@ $\tau^{(i^\star)}= \tau^\star$ for some index $i^\star \in \{1,\ldots,Q\}$) and
 Type III attacks imply a collision for the chameleon hash function of Kawachi \textit{et al.} \cite{KTX08}: if (\ref{collision}) holds, a short vector of $\Lambda_q^{\perp}([ \mathbf{D}_0 \mid \mathbf{D}_1 \mid \ldots \mid \mathbf{D}_N])$ is obtained as
- $$\big({\mathbf{s}^\star}^T- {\mathbf{s}^{(i^\star)}}^T \mid {\mathfrak{m}_1^\star }^T - {\mathfrak{m}_1^{(i^\star)} }^T \mid \ldots \mid {\mathfrak{m}_N^\star }^T - {\mathfrak{m}_N^{(i^\star)} }^T \big)^T,$$ so that a collision breaks the $\mathsf{SIS}$ assumption. \\ \indent
+ $$\big({\mathbf{s}^\star}^T- {\mathbf{s}^{(i^\star)}}^T \mid {\mathfrak{m}_1^\star }^T - {\mathfrak{m}_1^{(i^\star)} }^T \mid \ldots \mid {\mathfrak{m}_N^\star }^T - {\mathfrak{m}_N^{(i^\star)} }^T \big)^T,$$ so that a collision breaks the $\mathsf{SIS}$ assumption.
+
 The security against Type I attacks is proved by \cref{le:lwe-gs-type-I-attacks} which applies the same technique as in \cite{Boy10,MP12}. In particular, the prefix guessing technique of \cite{HW09} allows keeping the modulus smaller than the number $Q$ of adversarial queries as in \cite{MP12}. In order to deal with Type II attacks, we can leverage the technique of~\cite{BHJ+15}. In \cref{le:lwe-gs-type-II-attacks}, we prove that Type II attack would also contradict $\mathsf{SIS}$.
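Review bot: The rewritten line `+ $$\big(...\big)^T,$$ so that a collision breaks the $\mathsf{SIS}$ assumption.` still spells the assumption as `$\mathsf{SIS}$`, while the hunk at -88 of this same file switches the theorem statement to the `\SIS` macro; the two spellings will drift apart the first time the macro is restyled. Since the line is being touched anyway, end it with `so that a collision breaks the $\SIS$ assumption.` and apply the same replacement to the `\mathsf{SIS}` occurrences in the context of the hunks at -198 and -350. The display on that line is also delimited with plain-TeX `$$...$$`; with amsmath loaded, `\[ ... \]` gives the correct vertical spacing and clearer error messages. The proof this paragraph belongs to starts and ends outside the hunk.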
@@ -125,16 +127,16 @@ The scheme is secure against Type I attacks if the $\mathsf{SIS}_{n,m,q,\beta'}$
 Let $\adv$ be a $\ppt$ adversary that can mount a Type I attack with non-negligible success probability $\varepsilon$. We construct a $\ppt$ algorithm $\bdv$ that uses $\adv$ to break the~$\SIS_{n,m,q,\beta'}$ assumption. It takes as input~$\bar{\mathbf{A}} \in \Zq^{n \times m}$ and computes $\mathbf{v} \in
- \Lambda_q^{\perp}(\bar{\mathbf{A}})$ with~$0 < \|\mathbf{v}\| \leq \beta'$. \\
- \indent
+ \Lambda_q^{\perp}(\bar{\mathbf{A}})$ with~$0 < \|\mathbf{v}\| \leq \beta'$.
+
 Algorithm~$\bdv$ first chooses the $\ell$-bit strings $\tau^{(1)},\ldots,\tau^{(Q)} \sample U(\{0,1\}^\ell)$ to be used in signing queries. As in \cite{HW09}, it guesses the shortest prefix such that the string $\tau^\star$ contained in $\adv$'s forgery differs from all prefixes of $\tau^{(1)},\ld
ots,\tau^{(Q)}$. To this end, $\bdv$ chooses $i^\dagger \sample U(\{1,\ldots, Q\})$ and $t^\dagger \sample U(\{1,\ldots,\ell\})$ so that, with probability $1/(Q \cdot \ell)$, the longest common prefix between $\tau^\star$ and one of the $\left\{\tau^{(i)} \right\}_{i=1}^Q$ is the string $\tau^\star[1] \ldots \tau^\star[t^\dagger-1] =\tau^{(i^\dagger)}[1] \ldots \tau^{(i^\dagger)}[t^\dagger-1] \in \{0,1\}^{t^\dagger -1}$ comprised of the first $(t^\dagger-1)$-th bits of $\tau^\star \in \{0,1\}^\ell$. We define $ \tau^\dagger \in \{0,1\}^{t^\dagger}$ as the $t^\dagger$-bit string $\tau^\dagger=\tau^\star[1] \ldots \tau^\star[t^\dagger] $. By construction, with probability $1/(Q \cdot \ell)$, we have $\tau^\dagger \not \in \left\{\tau^{(1)}_{|{t^\dagger}}, \ldots ,\tau^{(Q)}_{|{t^\dagger}} \right\}$, where $\tau^{(i)}_{|{t^\dagger}}$ denotes
- the $t^\dagger$-th prefix of $\tau^{(i)}$ for each $i\in \{1,\ldots,Q\}$. \\
- \indent
+ the $t^\dagger$-th prefix of $\tau^{(i)}$ for each $i\in \{1,\ldots,Q\}$.
+
 Then, $\bdv$ runs $\TrapGen(1^n,1^m,q)$ to obtain $\mathbf{C} \in \Zq^{n \times m}$ and a basis $\mathbf{T}_{\mathbf{C}}$ of~$\Lambda_q^{\perp}(\mathbf{C})$ with
@@ -178,8 +180,9 @@ The scheme is secure against Type I attacks if the $\mathsf{SIS}_{n,m,q,\beta'}$
 \end{eqnarray*}
 where $ h_{\tau^{(i)}} \in [1,t^\dagger] \subset [1,\ell]$ stands for the Hamming distance between $\tau^{(i)}_{|t^\dagger}$ and $\tau^\star_{|t^\dagger}$. Note that, with probability $1/(Q \cdot \ell)$ and since $q>\ell$, we have
- $ h_{\tau^{(i)}} \neq 0 \bmod q$ whenever $\tau^{(i)}_{|t^\dagger} \neq \tau^\star_{|t^\dagger}$. \\
-\indent Next, $\bdv$ chooses the matrices $\mathbf{D}_k \sample U(\Zq^{2n \times 2m})$ uniformly at random for each $k \in [0,N]$. Then, it picks a random short matrix $\mathbf{R} \in \ZZ^{m \times m}$ which has its columns independently sampled from $D_{\ZZ^m,\sigma}$
+ $ h_{\tau^{(i)}} \neq 0 \bmod q$ whenever $\tau^{(i)}_{|t^\dagger} \neq \tau^\star_{|t^\dagger}$.
+
+ Next, $\bdv$ chooses the matrices $\mathbf{D}_k \sample U(\Zq^{2n \times 2m})$ uniformly at random for each $k \in [0,N]$. Then, it picks a random short matrix $\mathbf{R} \in \ZZ^{m \times m}$ which has its columns independently sampled from $D_{\ZZ^m,\sigma}$
 and computes
 \begin{eqnarray*}
 \mathbf{D} &=& \bar{\mathbf{A}} \cdot \mathbf{R}. % \qquad \qquad \qquad \quad~ \forall k \in \{0,\ldots,N\}.
@@ -198,8 +201,9 @@ At the $i$-th signing query $\mathsf{Msg}^{(i)}=(\mathfrak{m}_1^{(i)},\ldots,\ma
 To do this, $\bdv$ first samples $\mathbf{s}^{(i)} \sample D_{\ZZ^{2m},\sigma_1}$ and computes a vector $\mathbf{u}_M \in \Zq^m$ as $$\mathbf{u}_M = \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{(i)} } + \mathbf{D}_{0} \cdot {\mathbf{s}^{(i)} } \bigr) ~~ \bmod q.$$ Using $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$, $\bdv$ can then sample a short vector $\mathbf{v}^{(i)} \in \ZZ^{2m}$ in $D^{\mathbf{u}_M}_{\Lambda^{\perp}(\mathbf{A}_{\tau^{(i)}}), \sigma}$ such
-that $\big(\tau^{(i)},\mathbf{v}^{(i)},\mathbf{s}^{(i)} \big)$ satisfies the verification equation (\ref{ver-eq-block}). \\
-\indent When $\adv$ halts, it outputs a valid signature $sig^\star=\big(\tau^{(i^\dagger)},\mathbf{v}^\star,\mathbf{s}^\star \big)$ on a
+that $\big(\tau^{(i)},\mathbf{v}^{(i)},\mathbf{s}^{(i)} \big)$ satisfies the verification equation (\ref{ver-eq-block}).
+
+When $\adv$ halts, it outputs a valid signature $sig^\star=\big(\tau^{(i^\dagger)},\mathbf{v}^\star,\mathbf{s}^\star \big)$ on a
 message $\mathsf{Msg}^\star=(\mathfrak{m}_1^\star,\ldots,\mathfrak{m}_N^\star)$ with $\| \mathbf{v}^\star \| \leq \sigma \sqrt{2m}$ and $\| \mathbf{s}^\star \| \leq \sigma_1 \sqrt{2m}$. At this point, $\bdv$ aborts and declares failure if it was unfortunate in its choice of $i^\dagger \in \{1,\ldots,Q\}$ and $t^\dagger \in \{1,\ldots,\ell\}$. Otherwise, with probability $1/(Q \cdot \ell)$, $\bdv$ correctly guessed $i^\dagger \in \{1,\ldots,Q\}$ and $t^\dagger \in \{1,\ldots,\ell\}$, in which case it can solve the given $\mathsf{SIS}$ instance as follows.
@@ -350,7 +354,6 @@ We prove the result using a sequence of games. For each $i$, we denote by $W_i$
 We conclude that $\Pr[W_2]$ is negligibly far apart from $\Pr[W_3]$ since, by the Leftover Hash Lemma (see \cite[Le. 13]{ABB10}), the public key $PK$ in \textsf{Game} $3$ is statistically close to its distribution in \textsf{Game} $2$.
 \medskip
-\noindent
 In \textsf{Game} $3$, we claim that the challenger $\bdv$ can use $\adv$ to solve the $\mathsf{SIS}$ problem by finding a short vector of $\Lambda_q^\perp(\mathbf{D})$ with probability $\Pr[W_3]$. Indeed, with proba\-bility $\Pr[W_3]$, the adversary outputs a valid signature $sig^\star=(\tau^{(i^\dagger)},\mathbf{v}^\star,\mathbf{s}^\star)$ on a message $\mathsf{Msg}^\star=(\mathfrak{m}_1^\star,\ldots,\mathfrak{m}_N^\star)$ with $\| \mathbf{v}^\star \| \leq \sigma \sqrt{2m}$ and $\| \mathbf{s}^\star \| \leq \sigma_1 \sqrt{2m}$. If we parse $\mathbf{v}^\star \in \ZZ^{2m}$ as $({\mathbf{v}_1^\star }^T \mid {\mathbf{v}_2^\star }^T )^T$ with $\mathbf{v}_1^\star,\mathbf{v}_2^\star \in \ZZ^m$, we have
@@ -413,8 +416,9 @@ holds over $\ZZ$. However, as long as either $\mathbf{v}_1^\star \neq \mathbf{v}
-We first show a two-party protocol whereby a user can interact with the signer in order to obtain a signature on a committed message. \\
-\indent In order to prove that the scheme still guarantees unforgeability for obliviously signed messages,
+We first show a two-party protocol whereby a user can interact with the signer in order to obtain a signature on a committed message.
+
+In order to prove that the scheme still guarantees unforgeability for obliviously signed messages,
 we will assume that each message block $\mathfrak{m}_k \in \{0,1\}^{2m}$ is obtained by encoding the actual message $M_k =M_k[1] \ldots M_k[m] \in \{0,1\}^m$ as $\mathfrak{m}_k= \mathsf{Encode}(M_k)=( \bar{M}_k[1] , M_k[1],\ldots, \bar{M}_k[m] , M_k[m] ) $. Namely, each $0$ (respectively each $1$) is encoded as a pair $(1,0)$ (resp. $(0,1)$). The reason for this encoding is that the proof of Theorem \ref{commit-thm} requires that at least one block
@@ -500,8 +504,9 @@ the vector $( \tau,\mathbf{v},\mathbf{s}'') \in \{0,1\}^\ell \times \ZZ^{2m} \t
 \end{itemize}
 \end{description}
 Note that, if both parties faithfully run the protocol, the user obtains a valid signature $(\tau,\mathbf{v},\mathbf{s})$ for which the distribution of $\mathbf{s}$ is $D_{\ZZ^{2m},\sigma_1}$,
-where $\sigma_1=\sqrt{\sigma^2 + \sigma_0^2}$. \\
-\indent The following protocol allows proving possession of a message-signature pair.
+where $\sigma_1=\sqrt{\sigma^2 + \sigma_0^2}$.
+
+The following protocol allows proving possession of a message-signature pair.
 \begin{description}
 \item[\textsf{Prove}:] On input of a signature $(\tau,\mathbf{v}=(\mathbf{v}_1^T \mid \mathbf{v}_2^T)^T,\mathbf{s}) \in \{0,1\}^\ell \times \ZZ^{2m} \times \ZZ^{2m}$ on the message $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$, the user
@@ -531,7 +536,7 @@ as well as \begin{eqnarray*} \nonumber
 \end{description}
 %To establish the security of the protocol,
-\noindent We require that the adversary be unable to prove possession of a signature of a message $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$ for which it did not legally
+We require that the adversary be unable to prove possession of a signature of a message $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$ for which it did not legally
 obtain a credential by interacting with the issuer. Note that the messages that are blindly signed by the issuer are uniquely defined since, at each signing query, the adversary is required to supply perfectly binding commitments $\{\mathbf{c}_k\}_{k=1}^N$ to $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$.
@@ -566,6 +571,52 @@ than the standard deviations of the columns of $\{\mathbf{R}_k\}_{k=1}^N$.
 protocols are secure protocols for obtaining a signature on a committed message and proving possession of a valid message-signature pair.
 \end{theorem}
+In the following proof, we make use of the Rényi divergence in a similar way to~\cite{BLL+15}:
+instead of the classical statistical distance we sometimes use the R\'enyi divergence, which is a measurement of the distance between two distributions.
+Its use in security proofs for lattice-based systems was first considered by Bai {\em et al.}~\cite{BLL+15} and further improved by Prest~\cite{Pre17}. We first recall its definition.
+
+\defRenyi*
+
+
+We will focus on the following properties of the R\'enyi divergence, the proofs can be found in~\cite{LSS14}.
+
+\begin{lemma}[{\cite[Le. 2.7]{BLL+15}}]
+ \label{lem:renyi}
+ Let $a \in [1, +\infty]$. Let $P$ and $Q$ denote distributions with $\Supp(P)
+ \subseteq \Supp(Q)$. Then the following properties hold:
+ \begin{description}
+ \item[Log. Positivity:] $R_a(P||Q) \geq R_a(P||P) = 1$
+ \item[Data Processing Inequality:] $R_a(P^f || Q^f) \leq R_a(P||Q)$ for any
+ function $f$, where $P^f$ denotes the distribution of $f(y)$ induced by
+ sampling $y \sample P$ (resp. $y \sample Q$)
+ \item[Multiplicativity:] Assume $P$ and $Q$ are two distributions of a pair
+ of random variables $(Y_1, Y_2)$. For $i \in \{1,2\}$, let $P_i$ (resp.
+ $Q_i$) denote the marginal distribution of $Y_i$ under $P$ (resp. $Q$),
+ and let $P_{2|1}(\cdot|y_1)$ (resp. $Q_{2|1}(\cdot|y_1)$) denote the conditional distribution of $Y_2$ given that $Y_1 = y_1$. Then we have:
+ \begin{itemize} \renewcommand\labelitemi{$\bullet$}
+ \item $R_a(P||Q) = P_a(P_1 || Q_1) \cdot R_a(P_2||Q_2)$ if $Y_B$ and $Y_2$ are independent;
+ \item $R_a(P||Q) \leq R_\infty (P_1 || Q_1) \cdot max_{y_1 \in X} R_a\left( P_{2|1}(\cdot | y_1) || Q_{2|1}(\cdot | y_1) \right)$.
+ \end{itemize}
+ \item[Probability Preservation:] Let $A \subseteq \Supp(Q)$ be an arbitrary
+ event. If $a \in ]1, +\infty[$, then $Q(A) \geq
+ P(A)^{\frac{a}{a-1}}/R_a(P||Q)$. Further we have:
+ \[ Q(A) \geq P(A) / R_\infty(P||Q) \]
+ \item[Weak Triangle Inequality:] Let $P_1, P_2, P_3$ be three distributions
+ with \[\Supp(P_1) \subseteq \Supp(P_2) \subseteq \Supp(P_3).\]
+ Then we have:
+ \[ R_a(P_1||P_3) \leq \begin{cases}
+ R_a(P_1 || P_2) \cdot R_\infty(P_2 || P_3),\\[2mm]
+ R_\infty(P_1||P_2)^{\frac{a}{a-1}} \cdot R_a(P_2||P_3) & \mbox{if } a \in ]1, +\infty[.
+ \end{cases}\]
+ \end{description}
+\end{lemma}
+
+In our proofs, we mainly use the probability preservation to bound the
+probabilities during hybrid games where the two distributions are not close in terms of statistical distance.
+
+%--------- PROOF ----------
+\input merge
+
 \begin{theorem} \label{anon-cred}
 The scheme provides anonymity under the $\mathsf{LWE}_{n,q,\chi}$ assumption.
 \end{theorem}
@@ -602,7 +653,7 @@ We will show that the above argument system can be obtained from the one in \cre
 \smallskip
 \smallskip
-\noindent \textbf{Step 1:} \emph{Transforming the equations in~(\ref{equation:R-commit-statement}) into a unified one of the form $\mathbf{P}\cdot \mathbf{x} = \mathbf{v} \bmod q$, where $\|\mathbf{x}\|_\infty =1$ and $\mathbf{x} \in \mathsf{VALID}$ - a ``specially-designed'' set.}
+\textbf{Step 1:} \emph{Transforming the equations in~(\ref{equation:R-commit-statement}) into a unified one of the form $\mathbf{P}\cdot \mathbf{x} = \mathbf{v} \bmod q$, where $\|\mathbf{x}\|_\infty =1$ and $\mathbf{x} \in \mathsf{VALID}$ - a ``specially-designed'' set.}
 To do so, we first form the following vectors and matrices: \[
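Review bot: The multiplicativity items of the new `lem:renyi` contain transcription slips that change the statement: `P_a(P_1 || Q_1)` should be `R_a(P_1 || Q_1)`, the independence condition reads `$Y_B$ and $Y_2$` where the pair introduced two lines earlier is `$(Y_1, Y_2)$`, and `max_{y_1 \in X}` is a bare word in math mode (typeset as the product m·a·x) rather than the operator `\max_{y_1 \in X}`. Corrected items: `\item $R_a(P||Q) = R_a(P_1 || Q_1) \cdot R_a(P_2||Q_2)$ if $Y_1$ and $Y_2$ are independent;` and `\item $R_a(P||Q) \leq R_\infty (P_1 || Q_1) \cdot \max_{y_1 \in X} R_a\left( P_{2|1}(\cdot | y_1) || Q_{2|1}(\cdot | y_1) \right)$.`. In the weak triangle inequality, `\mbox{if }` should be `\text{if }` so the label follows the surrounding font (the same applies to `\mbox{ and }` in the Rényi definition this patch adds to chap-proofs.tex), and `{\em et al.}` is the obsolete two-letter form where the rest of the chapter writes `\textit{et al.}`. Finally, `\input merge` pulls in a file that is not among the seven files of this patch; presumably it already exists in the repository, but that should be confirmed, since the proof it carries cannot be reviewed here.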
@@ -713,7 +764,6 @@ Having performed the above unification, we now define $\mathsf{VALID}$ as the se
 \smallskip
-\noindent
 \textbf{Step 2:} \emph{Specifying the set $\mathcal{S}$ and permutations of $L$ elements $\{T_\pi: \pi \in \mathcal{S}\}$ for which the conditions in~(\ref{eq:zk-equivalence}) hold.}
 \begin{itemize}
@@ -755,7 +805,6 @@ We now describe how to derive the protocol for proving the possession of a signa
 $\mathbf{e}_{\tau,2} \in [-B,B]^\ell$.
 \end{description}
-\noindent
 \textbf{Prover's Goal:} Convince the verifier in \textsf{ZK} that: \vspace*{-7.5pt} \begin{eqnarray}\label{equation:R-sign-signature} \hspace*{-5pt}
@@ -794,7 +843,7 @@ $~$ \\ We proceed in two steps.
 \medskip
 \smallskip
-\noindent \textbf{Step 1:} \emph{Transforming the equations in~(\ref{equation:R-sign-signature}) and~(\ref{equation:R-sign-ciphertext}) into a unified one of the form $\mathbf{P}\cdot \mathbf{x} = \mathbf{c} \bmod q$, where $\|\mathbf{x}\|_\infty =1$ and $\mathbf{x} \in \mathsf{VALID}$ - a ``specially-designed'' set.}
+\textbf{Step 1:} \emph{Transforming the equations in~(\ref{equation:R-sign-signature}) and~(\ref{equation:R-sign-ciphertext}) into a unified one of the form $\mathbf{P}\cdot \mathbf{x} = \mathbf{c} \bmod q$, where $\|\mathbf{x}\|_\infty =1$ and $\mathbf{x} \in \mathsf{VALID}$ - a ``specially-designed'' set.}
 Note that, if we let $\mathbf{y} = \mathsf{bin}(\mathbf{D}_0\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathbf{s} + \sum_{k=1}^N \mathbf{D}_i\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathfrak{m}_k) \in \{0,1\}^{m}$, then we have $\mathbf{H}_{2n \times m}\cdot \mathbf{y} = \mathbf{D}_0\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathbf{s} + \sum_{k=1}^N \mathbf{D}_i\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathfrak{m}_k \bmod q$, and~(\ref{equation:R-sign-signature}) can be equivalently written as:
 \begin{eqnarray*}\label{equation:R-sign-signature-2}
@@ -887,7 +936,6 @@ It can be checked that the constructed vector $\mathbf{x}$ belongs to this tailo
-\noindent
 \textbf{Step 2:} \emph{Specifying the set $\mathcal{S}$ and permutations of $L$ elements $\{T_\pi: \pi \in \mathcal{S}\}$ for which the conditions in~(\ref{eq:zk-equivalence}) hold.}
 \begin{itemize}
diff --git a/chap-proofs.tex b/chap-proofs.tex
index d6c45b0..7ded4fb 100644
--- a/chap-proofs.tex
+++ b/chap-proofs.tex
@@ -253,8 +253,40 @@ Which means that the adversary cannot get a single bit of information about the
 This kind of definition are also useful to model anonymity. For instance in \cref{sec:RGSdefsecAnon}, the definition of anonymity for group signatures is defined in a similar fashion (\cref{def:anon}).
-On the other hand, the security definition for signature scheme is no more an indistinguishability game, but an unforgeability game.
-The goal of the adversary is not to distinguish between two distributions, but to forge a new signature from what it learns \emph{via} signature queries.
+To manipulate indistinguishability between distributions, it is useful to quantify the distance between two distributions.
+In this context, we define the statistical distance as follows.
+
+\begin{definition}[Statistical Distance] \index{Probability!Statistical Distance}
+ Let $P$ and $Q$ be two distributions. The \textit{statistical distance} $\Delta(P, Q)$ between $P$ and $Q$ is defined as
+ \[ \Delta(P, Q) \triangleq \frac{1}{2} \sum_{x \in \Supp(P) \cup \Supp(Q)} | P(x) - Q(x)|. \]
+\end{definition}
+
+Two distributions are \textit{statistically close} if their statistical distance is negligible with respect to the security parameter.
+
+It is worth noticing that if two distributions are statistically close, then the advantage of an adversary in distinguishing between them is negligible.
+Another property used in the so-called \textit{hybrid argument}\index{Hybrid argument} is the \textit{triangular equality} that follows from the fact that the statistical distance is a distance.
+
+Another interesting metric, that will be used in the security proof of %TODO
+is the Rényi Divergence:
+
+\begin{restatable}[Rényi divergence]{definition}{defRenyi}
+ \label{def:renyi} \index{Probability!Rényi Divergence}
+ For any two discrete distributions $P$ and $Q$ such that $\Supp(P) \subseteq
+ \Supp(Q)$, and $a \in ]1, +\infty[$, we define the \emph{R\'enyi divergence} of order $a$ by:
+ \[ R_a(P||Q) = \left( \sum_{x \in \Supp(P)} \frac{P(x)^a}{Q(x)^{a-1}} \right)^{\frac{1}{a-1}}. \]
+
+ We define the R\'enyi divergences of orders $1$ and $+\infty$ by:
+
+ \[ R_1(P||Q) = \exp\left( \sum_{x \in \Supp(P)} P(x) \log \frac{P(x)}{Q(x)} \right) \mbox{ and } R_\infty (P||Q) = \max_{x \in \Supp(P)} \frac{P(x)}{Q(x)}. \]
+
+ The divergence $R_1$ is the (exponential) of the Kullback-Leibler divergence.
+\end{restatable}
+
+Bai, Langlois, Lepoint, Stehlé and Steinfeld~\cite{BLL+15} noticed that the Rényi Divergence has similar property with respect to multiplication, and can be useful in the context of unforgeability game as we will explain it in the following paragraph. Prest further presented multiple uses of the Rényi Divergence in~\cite{Pre17}.
+
+
+We can notice that security definitions for signature scheme are no more indistinguishability-based games, but unforgeability games.
+The goal of the adversary is no more to distinguish between two distributions, but to forge a new signature from what it learns \emph{via} signature queries.
 Those signature queries are provided by an oracle \oracle{sign}{sk,\cdot}, which on input $m$ returns the signature $\sigma = \Sigma.\mathsf{sign}(sk, m)$ and add $\sigma$ to $\ensemble{sign}$.
 The initialization of these sets and the behaviour of oracle may be omitted in the rest of this thesis for the sake of readability.
diff --git a/chap-sigmasig.tex b/chap-sigmasig.tex
index 6ab78f4..39fb6d3 100644
--- a/chap-sigmasig.tex
+++ b/chap-sigmasig.tex
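Review bot: The added sentence `Another interesting metric, that will be used in the security proof of %TODO` / `is the Rényi Divergence:` ships with its placeholder unresolved, so the compiled text reads "used in the security proof of is the Rényi Divergence"; the missing reference (presumably a `\cref` to the proof that this same patch attaches in chap-GS-LWE.tex, but that is an inference) should be filled in before this lands. Two lines earlier, `\textit{triangular equality}` should read `\emph{triangle inequality}`: the property of a distance that a hybrid argument relies on is an inequality, and `\emph` is the form the Rényi definition in this hunk already uses for a defined term. In the definition, `\mbox{ and }` should be `\text{ and }` (amsmath) so it follows the surrounding font, and "is the (exponential) of the Kullback-Leibler divergence" reads better as "is the exponential of the Kullback-Leibler divergence". In the paragraph after the definition, "has similar property" should be "has similar properties" and "in the context of unforgeability game" should be "in the context of unforgeability games".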
@@ -206,7 +206,7 @@ The above signature scheme is existentially unforgeable under chosen-message att
 \end{equation}
 \end{description}
 \smallskip
- \noindent We also define \textbf{Type $\mathbf{A'}$} signatures as a generalization of
+ We also define \textbf{Type $\mathbf{A'}$} signatures as a generalization of
 Type A signatures where only condition~\eqref{eq:rel-sig-A} are imposed and no restriction is given on $\pi$ beyond the fact that it should be a valid homomorphic signature on vector~\eqref{eq:vector}.
@@ -345,11 +345,11 @@ If DDH holds in $\GG$, for each $k \in
 \sigma_3, \pi)$, using $\mathsf{tk}=\{ \chi_i \}_{i=1}^{2\ell + 4}$ with the \QANIZK simulator to computes $\pi$.
- \noindent\textbf{Case $\boldsymbol{j > k}$:} The last $Q - k - 1$ signing queries are computed as
+ \textbf{Case $\boldsymbol{j > k}$:} The last $Q - k - 1$ signing queries are computed as
 Type A signatures, which $\bdv$ is able to generate using the secret key $\omega \in \Zp$ he knows and $\mathsf{crs}$ or $\mathsf{tk}=\{ \chi_i \}_{i=1}^{2\ell + 4}$ to produces valid proofs.
- \noindent\textbf{Case $\boldsymbol{j = k}$:} In the $k$-th signing query $(m_1,\dots,m_\ell)$, $\bdv$
+ \textbf{Case $\boldsymbol{j = k}$:} In the $k$-th signing query $(m_1,\dots,m_\ell)$, $\bdv$
 embeds the DDH instance in the signature and simulates either Game $2.k$ or Game $2.(k-1)$ depending on whether $\eta = g^{ab}$ or $\eta = g^{a(b+c)}$ for some $c \in_R \Zp$. Namely, $\bdv$ computes $\sigma_2 = g^b$, $\sigma_3 = \eta$, and
@@ -391,17 +391,7 @@ If DDH holds in $\GG$, for each $k \in
 relation~\eqref{eq:verif-proof} and we show this to only happen with probability $1/p$ for any $s_1\neq 0$ meaning that Type $\mathrm{B}$ forgery passes the test with the same probability.
- %\noindent And the goal of $\bdv$ is to decide if $(s_0, s_1) = (0, 0)$ or not. We notice that if
- %$s_0 \neq 0$ and $s_1 = 0$, then the relation~\eqref{eq:verif-proof} cannot be satisfied. We then
- %have the case $s_1 \neq 0$ left which implies that $s_0 = a\cdot s_1 \cdot (b_w + \sum_{i=1}^\ell
- %b_{v_i} \cdot m_i^\star)$ to satisfy~\eqref{eq:verif-proof}, which can only happen with
- %probability $1/p$.
 From the entire game, and assuming a forgery which passes the test, we have the following linear system:
- %On the other hand, the information that $\adv$ can infer about
- %$(a_{v_1},\ldots, a_{v_\ell}, a_w, b_{v_1}, \ldots, b_{v_\ell}, b_w) \in \Zp^{2 \ell + 2}$
- %during the game amounts to the first
- %$\ell + 2$ rows of the right-hand-side member in the following linear system:
 \[
 \left(
 \bgroup
@@ -467,7 +457,7 @@ If DDH holds in $\GG$, for each $k \in
 % \mathsf{pk}_{hsps}, \{ (z_j, r_j) \}_{j=1}^{\ell + 2} \Bigr)
 %\end{multline*}
- \noindent $\bdv$ also retains $\mathsf{tk} = \{ \chi_i \}_{i=1}^{2\ell + 4}$ to handle
+ $\bdv$ also retains $\mathsf{tk} = \{ \chi_i \}_{i=1}^{2\ell + 4}$ to handle
 signing queries. We recall that during the game, signing queries are answered by returning a Type B signature so that, using $\mathsf{tk}$, $\bdv$ can answer all queries without knowing the $\omega = \log_h(\Omega)$ which is part of the CDH challenge.
@@ -609,7 +599,6 @@ clear), proving knowledge of a valid signature still requires proving a statem
 % and $0$ otherwise.
 \end{enumerate}
-\noindent
 It is worth noticing that no pairing evaluation is required until the final step of $\mathsf{Verify}$, which is almost as efficient as the verification of underlying signatures. Moreover, the prover's first message $\mathsf{com}$ is of constant-size and the communication complexity of the protocol exceeds the length of the witness by
@@ -733,7 +722,7 @@ This concludes the proof. % TODO: ugly
 At a high level, the protocol involves a committer who wants to get a signature on ${\mathbf{m}}=(m_1,\ldots,m_\ell)$ and first computes a commitment of the form $c_v=v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot u^{r}$, where $u$ is the extra public parameter (with unknown discrete log). The signer gives back elements of the form $\tau_1=g^\omega c_v^s$, $\tau_2=g^s$, $\tau_3=h^s$ which is almost the desired signature. To get the component $\sigma_1$ of the right form relatively to $\tau_2,\tau_3$ the committer has to remove the factor $u^{rs}$ from $\tau_1$. Then, the signer also sends $\tau_0=u^s$ to enable removing $\tau_0^r$. In the protocol some randomizing steps are included as well as other additional components allowing the committer to extract $\pi$, the \QANIZK part of the signature. In the security proof of the protocol we thus have to show that the additional value $\tau_0=u^s$ does not affect the unforgeability of the signature.
 \smallskip
-\noindent \textbf{The protocol.}
+\textbf{The protocol.}
 %
 At the beginning of a new run of the protocol, the committer has a vector ${\mathbf{m}}=(m_1,\ldots,m_\ell)$, the public-key of the signature scheme and the extra generator $u\in\GG$ (which can be a hashed point), the signer also has the secret key of the signature scheme but not ${\mathbf{m}}$. To get a signature on ${\mathbf{m}}$, the committer picks $r\sample \U(\Zp)$ and computes a perfectly hiding commitment $c_v=v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot u^{r}\in\GG$.
@@ -767,12 +756,12 @@ Finally the user checks the validity of the signature. Depending on the validity
 We notice that the number of transmitted group elements is constant and no pairing is needed before the signature verification phase. In comparison, the construction of \cite{CL02a} requires groups of larger hidden order and their protocol for signing committed message blocks requires a linear number of range proofs.
 \smallskip
-\noindent \textbf{Security.}
+\textbf{Security.}
 %
 We briefly sketch the proof of the above protocol in front of malicious entities since classical arguments can be applied. Assuming that the committer uses secure ZKPK and does not output $\bot$, a malicious signer which receives perfectly hiding commitments $c_v,c_z$ cannot tell apart an honest proof from a simulated proof. Consequently the signer learns nothing from ${\mathbf{m}}$ during the execution of the protocol. In the other case, we have to show that a corrupted committer remains unable to produce valid signature on a new vector ${\mathbf{m}^\star}$. First, since the generation of $u$ is not under the controlled of the committer but of the random oracle, $u$ can be made independent of rest of $\mathsf{pk}$. Then, we only need to show that the signature remains unforgeable when $\tau_0$ is given in the signature. Since ${\mathbf{m}}$ and $s$ can be extracted from the proof of knowledge the reduction can output a signature on ${\mathbf{m}}$. Moreover it is easy to see from the security proof (in \cref{sse:sigmasig-qa-nizk}) of the signature how this additional element can be simulated. Actually the only place in the reduction where $\tau_0$ could not be computed directly as $u^s$ for a known $s$ is when the challenger $\bdv$ has to embed an $\SXDH$ challenge in a simulated signature. Given ($g,h,g^b,h^{b+c}$), $\bdv$ can compute $u=g^{a_u}h^{b_u}$ from random $a_u,b_u\gets\Zp$ and program the random oracle to output this element $u$ as the specification of the public-key would do.
 Then to simulate $\tau_0$ $\bdv$ simply has to compute $\tau_0=(g^b)^{a_u}(h^{b+c})^{b_v}=u^bh^{c\cdot b_v}$ which is $u^b$ or random. The rest of the reduction remains unchanged since the value $a_u,b_u$ are completely independent of those already described in the sketch of proof in \cref{sse:sigmasig-qa-nizk}.
 \smallskip
-\noindent \textbf{Remark.}
+\textbf{Remark.}
 %
 Since a malicious signer may know the simulation trapdoor $\mathsf{tk}=\{\chi_i\}_{i=1}^{2\ell+4}$ of the underlying \QANIZK argument, he could produce valid signature so that $\log_g \sigma_2\neq\log_h \sigma_3$. Then, if the committer later needs to proof knowledge of the received signature it then has to use the sigma protocol of Section~\ref{scal-sig} where both $\sigma_2$ and $\sigma_3$ only appear in committed form.
@@ -784,14 +773,14 @@ Since a malicious signer may know the simulation trapdoor $\mathsf{tk}=\{\chi_i We adapt the protocol of section~\ref{scal-sig} to build a dynamic group signature~\cite{BSZ05,KY06}. -\indent At a high level, each group member obtains a membership certificate consisting of a signature $(\sigma_1,\sigma_2,\sigma_3,\pi)$ on +At a high level, each group member obtains a membership certificate consisting of a signature $(\sigma_1,\sigma_2,\sigma_3,\pi)$ on a message $\ID \in \Zp$ which is only known to the group member. During the joining protocol, each group member thus obtains a signature on a committed message $\ID \in \Zp$. Here, we use a deterministic commitment to $\ID$, which suffices to ensure security against framing attacks and allows for a better efficiency. When signing a message, each group member verifiably encrypts the components $(\sigma_1,\pi)$ of his membership certificate that depend on $\ID$ (and not $\sigma_2,\sigma_3$ which can be assumed to be honestly computed here, unlike in the previous section). For the sake of efficiency, we use a randomness re-using \cite{BBKS07} variant of the Cramer-Shoup encryption scheme \cite{CS98} whereby $\sigma_1$ and $\pi$ are both encrypted using the same encryption exponent $\theta \in \Zp$. For public verifiability purposes, the validity of Cramer-Shoup ciphertexts is demonstrated using -$\Sigma$-protocols and the Fiat-Shamir heuristic \cite{FS86} (somewhat in the fashion of \cite{SG98}) rather than designated verifier $\NIZK$ proofs \cite{CS98}. \\ -\indent +$\Sigma$-protocols and the Fiat-Shamir heuristic \cite{FS86} (somewhat in the fashion of \cite{SG98}) rather than designated verifier $\NIZK$ proofs \cite{CS98}. + In the join protocol, the user proves knowledge of his membership secret $\ID \in \Zp$ in a zero-knowledge manner, which restricts the group manager to sequentially interact with prospective users. 
However, this limitation can be removed using an extractable commitment as in \cite{DP06}. @@ -1160,7 +1149,7 @@ It comes that $\Pr[W_5]=1/2$. \medskip \begin{proof} Let us assume that an adversary $\adv$ wins with noticeably different probabilities in Game $4$ and Game $3$. We then construct a DDH distinguisher $\bdv$ from $\adv$. - \\ \indent + Our reduction $\bdv$ takes as input a DDH instance $(g^a, g^b, \eta)$, where $\eta = g^{a(b+c)}$ and has to decide with non-negligible probability $\varepsilon$ whether $c = 0$ or $c \in_R \Zp$. To achieve this, $\bdv$ sets $h = g^a$ and computes the challenge signature as $ C_1 = g^b$ and $ C_2 = \eta$. The rest of the game continues like in Game $3$ (which is also the same as in Game $2$). 
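Review bot: The sentence `Here, we use a deterministic commitment to $\ID$, which suffices to ensure security against framing attacks and allows for a better efficiency` gives no reason why a non-hiding commitment is acceptable, and the reader has to reconstruct it from the later proofs, where the witness is $\ID=\log_v(V_\ID)$ and the framing reduction solves an SDL instance. I would make the argument explicit here, e.g. `(the commitment need not be hiding: non-frameability only requires that $\ID$ be hard to recover from $V_\ID$, which is a discrete-logarithm problem)`, assuming that is indeed all the framing proof relies on. On wording, `section~\ref{scal-sig}` appears here in lowercase while the same chapter writes `Section \ref{...}` and `\cref{...}` elsewhere; `\cref{scal-sig}` would make the cross-references uniform. The paragraph continues outside the hunk.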
@@ -1222,27 +1211,28 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re %from Bernhard~{\em et~al.}~\cite{BFW15}, which consists in implicitly rewinding the zero-knowledge proof by running the adversary twice and changing the outputs of the random oracle after the hash query that involves the forgery message. The Forking Lemma~\cite{PS00} -- more precisely, its generalization given by Bellare and Neven~\cite{BN06} -- ensures that, after two runs of the adversary, - the reduction can extract witnesses of which knowledge is demonstrated by the signature of knowledge.\\ + the reduction can extract witnesses of which knowledge is demonstrated by the signature of knowledge. %After the extraction, the reduction can then call the corresponding oracles to simulate the game without having %information it does not hold. - \indent Let us assume an attacker $\adv$ against the misidentification game that wins with non-negligible + + Let us assume an attacker $\adv$ against the misidentification game that wins with non-negligible probability $\varepsilon$. We build an adversary $\bdv$ against the chosen-message security of the signature scheme of section~\ref{scal-sig}. \medskip - \\ - \noindent \textit{Keygen.} At the key generation, $\bdv$ invokes its own challenger for the chosen-message security game to obtain the + + \textit{Keygen.} At the key generation, $\bdv$ invokes its own challenger for the chosen-message security game to obtain the public key $\pk_s$ for the signature scheme. $\pk_s$ is embedded in the group public key $\gspk$. Except for $\mathcal{S}_\GM$, all keys are generated as in the normal \textsf{Keygen} algorithm. 
\medskip - \\ - \noindent \textit{Join.} To answer joining queries without knowing $\sk_s$, $\bdv$ uses the knowledge extractor of the proof + + \textit{Join.} To answer joining queries without knowing $\sk_s$, $\bdv$ uses the knowledge extractor of the proof of knowledge of $\ID = \log_v(V_\ID)$ to extract the identity to be signed. Namely, on a \textsf{Join} query, the reduction $\bdv$ rewinds the adversary $\adv$ in order to extract the witness $\ID=\log_v(V_{\ID})$ of which $\adv$ demonstrates knowledge at step 3 of the join protocol. Having extracted $\ID \in \Zp$, $\bdv$ invokes its own signing oracle on the message $\ID$ to obtain $(\sigma_1, \sigma_2, \sigma_3, z, r)$. Then, $\bdv$ returns $\crt_i=(i,V_{\ID},\sigma_1,\sigma_2,\sigma_3,z,r)$ as in a normal execution of the join protocol. \medskip - \\ - \noindent At some point, the attacker $\adv$ produces a valid forgery + + At some point, the attacker $\adv$ produces a valid forgery \[ (M^\star, \Sigma^\star = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star, \tilde \sigma_2^\star, \tilde \sigma_3^\star, c^\star, s_\ID^\star, s_\theta^\star))\] for which the opening algorithm does not reveal a properly registered identity. With all but negligible probability, $\adv$ must have queried the random oracle value 
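Review bot: The Join simulation states that $\bdv$ `rewinds the adversary $\adv$ in order to extract the witness $\ID=\log_v(V_{\ID})$` on each Join query, while the same reduction also runs $\adv$ twice for the Forking Lemma, yet nothing in the hunk says how these rewindings compose or why the reduction remains polynomial. Since the earlier description restricts the group manager to sequential interactions with prospective users, a sentence such as `Because join protocols are run sequentially, these extractions do not nest, and $\bdv$ runs in expected polynomial time` after the Join paragraph would close the gap. As a style point, the run-in headings `\textit{Keygen.}` and `\textit{Join.}` now start ordinary (indented) paragraphs after a bare `\medskip`, and the algorithm is typeset `\textsf{Keygen}` in the same paragraph; `\paragraph{Keygen.}` / `\paragraph{Join.}` would give consistent headings without manual spacing. The proof continues outside the hunk.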
@@ -1286,8 +1276,9 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re In the ROM, the scheme is secure against framing attacks under the SDL assumption. \end{theorem} -\begin{proof} Let us assume that a PPT adversary $\adv$ can create, with advantage $\varepsilon$, a forgery $(M^\star,\sigma^\star)$ that opens to some honest user $i\in U^b$ who did not sign $M^\star$. We give a reduction $\bdv$ that uses $\adv$ to break SDL. \\ -\indent Algorithm $\bdv$ takes as input an SDL instance $(g,\hat{g},g^a,\hat{g}^a)$ and uses its interaction with the adversary $\adv$ to compute $a \in \Zp$. +\begin{proof} Let us assume that a PPT adversary $\adv$ can create, with advantage $\varepsilon$, a forgery $(M^\star,\sigma^\star)$ that opens to some honest user $i\in U^b$ who did not sign $M^\star$. We give a reduction $\bdv$ that uses $\adv$ to break SDL. + +Algorithm $\bdv$ takes as input an SDL instance $(g,\hat{g},g^a,\hat{g}^a)$ and uses its interaction with the adversary $\adv$ to compute $a \in \Zp$. To generate the group public key $\gspk$, $\bdv$ runs all the steps of the real setup algorithm $\textsf{Keygen}$ except step 1. At step 1, $\bdv$ defines the generators $g,\hat{g}$ in $\pk_s$ to be those of its input and computes $h=g^{\alpha_h}$, $v=g^{\alpha_v}$, $w=g^{\alpha_w}$, $\hat{g}_z=\hat{g}^{\alpha_z}$ for randomly chosen scalars $\alpha_h,\alpha_v,\alpha_w,\alpha_z \sample \U(\Zp)$. In order to compute $\{z_j\}_{j=1}^3$ of $\mathsf{crs}$ contained in $\pk_s$, $\bdv$ chooses $\mathsf{tk}=\{\chi_j\}_{j=1}^6$ of step 4 of the key generation algorithm of the signature scheme of Section \ref{scal-sig} with $\ell=1$. (Note that when $\ell=1$, $n=6$ and that $\{z_j\}_{j=1}^3$ are \QANIZK argument for the vectors $(g,1,1,1,1,h)$, $(v,g,1,h,1,1)$ and $(w,1,g,1,h,1)$. Moreover $\{\hat{g}_i=\hat{g}_z^{\chi_i}\}_{i=1}^6$ are the verifying key.) 
@@ -1343,8 +1334,8 @@ chooses $c, s_\ID, s_\theta\in\Zp$ and computes $R_1,R_2,R_3,R_4$ as in The probability to fail at one signing query is $\leq q_s/p^3$, where $q_s$ is the number of signing queries. \end{itemize}
-%
-\noindent When $\adv$ halts, it presumably frames some honest user ${i^\star} \in U^b$ by outputting a signature
+
+When $\adv$ halts, it presumably frames some honest user ${i^\star} \in U^b$ by outputting a signature
 \begin{align*} \Sigma^\star = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star, \tilde \sigma_2^\star, \tilde \sigma_3^\star, c^\star, s_\ID^\star, s_\theta^\star) , \quad \end{align*}
diff --git a/macros.tex b/macros.tex
index f2844f5..32a7d5d 100644
--- a/macros.tex
+++ b/macros.tex
@@ -70,6 +70,7 @@ \newcommand{\softO}{\ensuremath{\tilde{\mathcal{O}}}} \newcommand{\Span}{\ensuremath{\mathrm{span}}\xspace} \newcommand{\U}{\ensuremath{\mathcal U}}
+\newcommand{\Supp}{\mathrm{Supp}}
 % Sets %% Usual sets
diff --git a/sec-stern.tex b/sec-stern.tex
index b7ece28..82ba774 100644
--- a/sec-stern.tex
+++ b/sec-stern.tex
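Review bot: The bound kept as context at the top of this hunk, `The probability to fail at one signing query is $\leq q_s/p^3$, where $q_s$ is the number of signing queries`, mixes a per-query event with a bound that already contains the union over all $q_s$ queries; if the per-query failure probability is $1/p^3$, the sentence should read `The probability to fail at some signing query is at most $q_s/p^3$, where $q_s$ is the number of signing queries`. Right after the new `When $\adv$ halts` line, the display ends with a dangling `, \quad` that looks left over from an earlier edit; a single-line display needs neither `align*` nor trailing spacing, so `\[ \Sigma^\star = ( \ldots ) \]` with the tuple as it stands would do. The enclosing proof starts and ends outside the hunk.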
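Review bot: `\newcommand{\Supp}{\mathrm{Supp}}` defines an operator name as bare math text, unlike the neighbouring `\Span`, which is wrapped in `\ensuremath{...}\xspace`; used as `\Supp(D)` it gets no operator spacing and will error if it ever appears outside math mode. If amsmath is loaded (not visible from this hunk), `\DeclareMathOperator{\Supp}{Supp}` gives the conventional spacing and upright face in one declaration; otherwise at least mirror the neighbours with `\newcommand*{\Supp}{\ensuremath{\mathrm{Supp}}\xspace}`. In either case `\newcommand*` is preferable for a short macro. The macros file continues outside the hunk.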
@@ -160,13 +160,11 @@ The proof of the theorem relies on standard simulation and extraction techniques We now will prove that the protocol is a statistical zero-knowledge argument of knowledge for the relation $\mathrm{R_{abstract}}$ and is given below. \smallskip - \noindent \scbf{Zero-Knowledge Property. } We construct a \textsf{PPT} simulator $\mathsf{SIM}$ interacting with a (possibly dishonest) verifier $\widehat{\mathcal{V}}$, such that, given only the public input, $\mathsf{SIM}$ outputs with probability negligibly close to $2/3$ a simulated transcript that is statistically close to the one produced by the honest prover in the real interaction. The simulator first chooses a random $\overline{Ch} \in \{1,2,3\}$. This is a prediction of the challenge value that $\widehat{\mathcal{V}}$ will \emph{not} choose. \smallskip - \noindent \begin{description} \item[\textsf{Case} $\overline{Ch}=1$]: Using basic linear algebra over $\mathbb{Z}_q$, $\mathsf{SIM}$ computes a vector $\mathbf{w}' \in \mathbb{Z}_q^D$ such that $\mathbf{M}\cdot \mathbf{w}' = \mathbf{v} \bmod q.$ Next, it samples $\mathbf{r} \hookleftarrow \U(\mathbb{Z}_q^D)$, $\pi \hookleftarrow \U(\mathcal{S})$, and randomnesses $\rho_1, \rho_2, \rho_3$ for $\mathsf{COM}$. @@ -187,7 +185,6 @@ The proof of the theorem relies on standard simulation and extraction techniques \smallskip - \noindent \item[\textsf{Case} $\overline{Ch}=2$:] $\mathsf{SIM}$ samples $\mathbf{w}' \hookleftarrow \U(\mathsf{VALID})$, $\mathbf{r} \hookleftarrow \U(\mathbb{Z}_q^D)$, $\pi \hookleftarrow \U(\mathcal{S})$, and randomnesses $\rho_1, \rho_2, \rho_3$ for $\mathsf{COM}$. Then it sends the commitment $\mathrm{CMT}= \big(C'_1, C'_2, C'_3\big)$ to $\widehat{\mathcal{V}}$, where 
@@ -207,7 +204,6 @@ The proof of the theorem relies on standard simulation and extraction techniques \smallskip - \noindent \item[Case $\overline{Ch}=3$:] $\mathsf{SIM}$ samples $\mathbf{w}' \hookleftarrow \U(\mathsf{VALID})$, $\mathbf{r} \hookleftarrow \U(\mathbb{Z}_q^D)$, $\pi \hookleftarrow \U(\mathcal{S})$, and randomnesses $\rho_1, \rho_2, \rho_3$ for $\mathsf{COM}$. Then it sends the commitment $\mathrm{CMT}= \big(C'_1, C'_2, C'_3\big)$ to $\widehat{\mathcal{V}}$, where @@ -225,12 +221,10 @@ The proof of the theorem relies on standard simulation and extraction techniques \end{description} \smallskip - \noindent We observe that, in all the above cases, since $\mathsf{COM}$ is statistically hiding, the distribution of the commitment $\mathrm{CMT}$ and the distribution of the challenge~$Ch$ from~$\widehat{\mathcal{V}}$ are statistically close to those in the real interaction. Hence, the probability that the simulator outputs~$\bot$ is negligibly close to~$1/3$. Moreover, one can check that whenever the simulator does not halt, it will provide an accepted transcript, the distribution of which is statistically close to that of the prover in the real interaction. In other words, we have designed a simulator that can successfully emulate the honest prover with probability negligibly far from~$2/3$. \medskip - \noindent \scbf{Argument of Knowledge.} Let us assume that \begin{gather*} \mathrm{RSP}_1 = (\mathbf{t}_x, \mathbf{t}_r, \rho_{2}^{(1)}, \rho_{3}^{(1)}), \qquad diff --git a/symbols.tex b/symbols.tex index 3b08f0f..1f82783 100644 --- a/symbols.tex +++ b/symbols.tex 
@@ -13,6 +13,7 @@ $\mathbf{A}^T_{}, \mathbf{u}^T_{}$ & the transpose of a matrix or a vector respectively \\ $\mathbf{I}_n$ & the $n$ dimension identity matrix in $\RR^{n \times n}$ \\ $\U(S)$ & If $S$ is a finite set, $\U(S)$ denotes the uniform distribution over $S$\\
+ $\Supp(D)$ & If $D$ is a probability distribution, $\Supp(D)$ denotes the support of $D$ \\
 $\Pr[E]$ & Probability that an event $E$ occurs \\ [1ex] \multicolumn{2}{l}{\scbf{Usual sets}} \\ $\QQ$ & the set of rational numbers \\
diff --git a/these.bib b/these.bib
index 14e5f51..18610e1 100644
--- a/these.bib
+++ b/these.bib
@@ -887,6 +887,7 @@
 @InProceedings{Lin08,
  author = {Lindell, Andrew Y.},
  title = {Efficient Fully-Simulatable Oblivious Transfer},
+ booktitle = {CT-RSA},
  year = {2008},
  series = {LNCS},
  journaltitle = {CT-RSA},
@@ -2811,4 +2812,14 @@
  publisher = {ACM},
 }
 
+@InProceedings{Pre17,
+ author = {Prest, Thomas},
+ title = {{Sharper Bounds in Lattice-Based Cryptography Using the Rényi Divergence}},
+ booktitle = {Asiacrypt},
+ year = {2017},
+ series = {LNCS},
+ pages = {347--374},
+ publisher = {Springer},
+}
+
 @Comment{jabref-meta: databaseType:bibtex;}