Cleaning the code
This commit is contained in:
@ -26,8 +26,9 @@ $\mathbf{D}_0 \cdot \mathbf{s} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k$
|
||||
\subsection{Description} \label{desc-sig-protoc}
|
||||
|
||||
We assume that messages are vectors of $N$ blocks $\mathsf{Msg}=(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$, where each
|
||||
block is a $2m$-bit string $\mathfrak{m}_k = \mathfrak{m}_k[1] \ldots \mathfrak{m}_k[2m] \in \{0,1\}^{2m}$ for $k \in \{1,\ldots, N\}$. \\
|
||||
\indent For each vector $\mathbf{v} \in \Zq^L$, we denote by $\bit(\mathbf{v}) \in \{0,1\}^{L \lceil \log q \rceil}$ the vector obtained by replacing each
|
||||
block is a $2m$-bit string $\mathfrak{m}_k = \mathfrak{m}_k[1] \ldots \mathfrak{m}_k[2m] \in \{0,1\}^{2m}$ for $k \in \{1,\ldots, N\}$.
|
||||
|
||||
For each vector $\mathbf{v} \in \Zq^L$, we denote by $\bit(\mathbf{v}) \in \{0,1\}^{L \lceil \log q \rceil}$ the vector obtained by replacing each
|
||||
coordinate of $\mathbf{v}$ by its binary representation.
|
||||
|
||||
|
||||
@ -76,8 +77,8 @@ coordinate of $\mathbf{v}$ by its binary representation.
|
||||
\end{description}
|
||||
When the scheme is used for obliviously signing committed messages,
|
||||
the security proof follows Bai \textit{et al.} \cite{BLL+15} in that it applies an argument based on the R\'enyi divergence in one signing query. This argument requires
|
||||
to sample $\mathbf{s}$ from a Gaussian distribution whose standard deviation $\sigma_1$ is polynomially larger than $\sigma$. \\
|
||||
\indent
|
||||
to sample $\mathbf{s}$ from a Gaussian distribution whose standard deviation $\sigma_1$ is polynomially larger than $\sigma$.
|
||||
|
||||
We note that, instead of being included in the public key, the matrices $ \{\mathbf{D}_k\}_{k=0}^{N}$ can be part of common public parameters shared by many signers. Indeed,
|
||||
only the matrices $(\mathbf{A},\{\mathbf{A}_i\}_{i=0}^\ell)$ should be specific to the user who holds the secret key $SK=\mathbf{T}_{\mathbf{A}}$. In Section \ref{commit-sig}, we use a variant where $ \{\mathbf{D}_k\}_{k=0}^{N}$
|
||||
belong to public parameters.
|
||||
@ -88,7 +89,7 @@ The security analysis in Theorem \ref{th:gs-lwe-security-cma-sig} requires that
|
||||
|
||||
|
||||
\begin{theorem} \label{th:gs-lwe-security-cma-sig}
|
||||
The signature scheme is secure under chosen-message attacks under the $\mathsf{SIS}$ assumption.
|
||||
The signature scheme is secure under chosen-message attacks under the $\SIS$ assumption.
|
||||
\end{theorem}
|
||||
|
||||
\begin{proof}
|
||||
@ -111,7 +112,8 @@ $\tau^{(i^\star)}= \tau^\star$ for some index $i^\star \in \{1,\ldots,Q\}$) and
|
||||
Type III attacks imply a collision for the chameleon hash function of Kawachi \textit{et al.} \cite{KTX08}: if (\ref{collision}) holds,
|
||||
a short vector
|
||||
of $\Lambda_q^{\perp}([ \mathbf{D}_0 \mid \mathbf{D}_1 \mid \ldots \mid \mathbf{D}_N])$ is obtained as
|
||||
$$\big({\mathbf{s}^\star}^T- {\mathbf{s}^{(i^\star)}}^T \mid {\mathfrak{m}_1^\star }^T - {\mathfrak{m}_1^{(i^\star)} }^T \mid \ldots \mid {\mathfrak{m}_N^\star }^T - {\mathfrak{m}_N^{(i^\star)} }^T \big)^T,$$ so that a collision breaks the $\mathsf{SIS}$ assumption. \\ \indent
|
||||
$$\big({\mathbf{s}^\star}^T- {\mathbf{s}^{(i^\star)}}^T \mid {\mathfrak{m}_1^\star }^T - {\mathfrak{m}_1^{(i^\star)} }^T \mid \ldots \mid {\mathfrak{m}_N^\star }^T - {\mathfrak{m}_N^{(i^\star)} }^T \big)^T,$$ so that a collision breaks the $\mathsf{SIS}$ assumption.
|
||||
|
||||
The security against Type I attacks is proved by \cref{le:lwe-gs-type-I-attacks} which applies the same technique as in \cite{Boy10,MP12}. In particular, the prefix guessing technique
|
||||
of \cite{HW09} allows keeping the modulus smaller than the number $Q$ of adversarial queries as in \cite{MP12}.
|
||||
In order to deal with Type II attacks, we can leverage the technique of~\cite{BHJ+15}. In \cref{le:lwe-gs-type-II-attacks}, we prove that Type II attack would also contradict $\mathsf{SIS}$.
|
||||
@ -125,16 +127,16 @@ The scheme is secure against Type I attacks if the $\mathsf{SIS}_{n,m,q,\beta'}$
|
||||
Let $\adv$ be a $\ppt$ adversary that can mount a Type I attack with non-negligible success probability $\varepsilon$. We construct a $\ppt$
|
||||
algorithm $\bdv$ that uses $\adv$ to break the~$\SIS_{n,m,q,\beta'}$ assumption. It takes as input~$\bar{\mathbf{A}} \in
|
||||
\Zq^{n \times m}$ and computes $\mathbf{v} \in
|
||||
\Lambda_q^{\perp}(\bar{\mathbf{A}})$ with~$0 < \|\mathbf{v}\| \leq \beta'$. \\
|
||||
\indent
|
||||
\Lambda_q^{\perp}(\bar{\mathbf{A}})$ with~$0 < \|\mathbf{v}\| \leq \beta'$.
|
||||
|
||||
Algorithm~$\bdv$ first chooses the $\ell$-bit strings $\tau^{(1)},\ldots,\tau^{(Q)} \sample U(\{0,1\}^\ell)$ to be used in signing queries. As in \cite{HW09}, it
|
||||
guesses the shortest prefix such that the string $\tau^\star$ contained in $\adv$'s forgery differs from all prefixes of $\tau^{(1)},\ldots,\tau^{(Q)}$. To this
|
||||
end, $\bdv$ chooses $i^\dagger \sample U(\{1,\ldots, Q\})$ and $t^\dagger \sample U(\{1,\ldots,\ell\})$ so that, with probability $1/(Q \cdot \ell)$, the longest
|
||||
common prefix between $\tau^\star$ and one of the $\left\{\tau^{(i)} \right\}_{i=1}^Q$ is the string
|
||||
$\tau^\star[1] \ldots \tau^\star[t^\dagger-1] =\tau^{(i^\dagger)}[1] \ldots \tau^{(i^\dagger)}[t^\dagger-1] \in \{0,1\}^{t^\dagger -1}$ comprised of the
|
||||
first $(t^\dagger-1)$-th bits of $\tau^\star \in \{0,1\}^\ell$. We define $ \tau^\dagger \in \{0,1\}^{t^\dagger}$ as the $t^\dagger$-bit string $\tau^\dagger=\tau^\star[1] \ldots \tau^\star[t^\dagger] $. By construction, with probability $1/(Q \cdot \ell)$, we have $\tau^\dagger \not \in \left\{\tau^{(1)}_{|{t^\dagger}}, \ldots ,\tau^{(Q)}_{|{t^\dagger}} \right\}$, where $\tau^{(i)}_{|{t^\dagger}}$ denotes
|
||||
the $t^\dagger$-th prefix of $\tau^{(i)}$ for each $i\in \{1,\ldots,Q\}$. \\
|
||||
\indent
|
||||
the $t^\dagger$-th prefix of $\tau^{(i)}$ for each $i\in \{1,\ldots,Q\}$.
|
||||
|
||||
Then, $\bdv$ runs
|
||||
$\TrapGen(1^n,1^m,q)$ to obtain $\mathbf{C} \in \Zq^{n \times m}$ and a
|
||||
basis $\mathbf{T}_{\mathbf{C}}$ of~$\Lambda_q^{\perp}(\mathbf{C})$ with
|
||||
@ -178,8 +180,9 @@ The scheme is secure against Type I attacks if the $\mathsf{SIS}_{n,m,q,\beta'}$
|
||||
\end{eqnarray*}
|
||||
where $ h_{\tau^{(i)}} \in [1,t^\dagger] \subset [1,\ell]$ stands for the Hamming distance between
|
||||
$\tau^{(i)}_{|t^\dagger}$ and $\tau^\star_{|t^\dagger}$. Note that, with probability $1/(Q \cdot \ell)$ and since $q>\ell$, we have
|
||||
$ h_{\tau^{(i)}} \neq 0 \bmod q$ whenever $\tau^{(i)}_{|t^\dagger} \neq \tau^\star_{|t^\dagger}$. \\
|
||||
\indent Next, $\bdv$ chooses the matrices $\mathbf{D}_k \sample U(\Zq^{2n \times 2m})$ uniformly at random for each $k \in [0,N]$. Then, it picks a random short matrix $\mathbf{R} \in \ZZ^{m \times m}$ which has its columns independently sampled from $D_{\ZZ^m,\sigma}$
|
||||
$ h_{\tau^{(i)}} \neq 0 \bmod q$ whenever $\tau^{(i)}_{|t^\dagger} \neq \tau^\star_{|t^\dagger}$.
|
||||
|
||||
Next, $\bdv$ chooses the matrices $\mathbf{D}_k \sample U(\Zq^{2n \times 2m})$ uniformly at random for each $k \in [0,N]$. Then, it picks a random short matrix $\mathbf{R} \in \ZZ^{m \times m}$ which has its columns independently sampled from $D_{\ZZ^m,\sigma}$
|
||||
and computes
|
||||
\begin{eqnarray*}
|
||||
\mathbf{D} &=& \bar{\mathbf{A}} \cdot \mathbf{R}. % \qquad \qquad \qquad \quad~ \forall k \in \{0,\ldots,N\}.
|
||||
@ -198,8 +201,9 @@ At the $i$-th signing query $\mathsf{Msg}^{(i)}=(\mathfrak{m}_1^{(i)},\ldots,\ma
|
||||
To do this, $\bdv$ first samples $\mathbf{s}^{(i)} \sample D_{\ZZ^{2m},\sigma_1}$ and computes a vector $\mathbf{u}_M \in \Zq^m$ as
|
||||
$$\mathbf{u}_M = \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{(i)} } + \mathbf{D}_{0} \cdot {\mathbf{s}^{(i)} } \bigr) ~~ \bmod q.$$
|
||||
Using $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$, $\bdv$ can then sample a short vector $\mathbf{v}^{(i)} \in \ZZ^{2m}$ in $D^{\mathbf{u}_M}_{\Lambda^{\perp}(\mathbf{A}_{\tau^{(i)}}), \sigma}$ such
|
||||
that $\big(\tau^{(i)},\mathbf{v}^{(i)},\mathbf{s}^{(i)} \big)$ satisfies the verification equation (\ref{ver-eq-block}). \\
|
||||
\indent When $\adv$ halts, it outputs a valid signature $sig^\star=\big(\tau^{(i^\dagger)},\mathbf{v}^\star,\mathbf{s}^\star \big)$ on a
|
||||
that $\big(\tau^{(i)},\mathbf{v}^{(i)},\mathbf{s}^{(i)} \big)$ satisfies the verification equation (\ref{ver-eq-block}).
|
||||
|
||||
When $\adv$ halts, it outputs a valid signature $sig^\star=\big(\tau^{(i^\dagger)},\mathbf{v}^\star,\mathbf{s}^\star \big)$ on a
|
||||
message $\mathsf{Msg}^\star=(\mathfrak{m}_1^\star,\ldots,\mathfrak{m}_N^\star)$ with $\| \mathbf{v}^\star \| \leq \sigma \sqrt{2m}$ and $\| \mathbf{s}^\star \| \leq \sigma_1 \sqrt{2m}$.
|
||||
At this point, $\bdv$ aborts and declares failure if it was unfortunate in its choice of $i^\dagger \in \{1,\ldots,Q\}$ and $t^\dagger \in \{1,\ldots,\ell\}$. Otherwise,
|
||||
with probability $1/(Q \cdot \ell)$, $\bdv$ correctly guessed $i^\dagger \in \{1,\ldots,Q\}$ and $t^\dagger \in \{1,\ldots,\ell\}$, in which case it can solve the given $\mathsf{SIS}$ instance as follows.
|
||||
@ -350,7 +354,6 @@ We prove the result using a sequence of games. For each $i$, we denote by $W_i$
|
||||
We conclude that $\Pr[W_2]$ is negligibly far apart from $\Pr[W_3]$ since, by the Leftover Hash Lemma (see \cite[Le. 13]{ABB10}), the public key $PK$ in \textsf{Game} $3$ is statistically close to its distribution in \textsf{Game} $2$.
|
||||
\medskip
|
||||
|
||||
\noindent
|
||||
In \textsf{Game} $3$, we claim that the challenger $\bdv$ can use $\adv$ to solve the $\mathsf{SIS}$ problem by finding a short vector of $\Lambda_q^\perp(\mathbf{D})$ with probability $\Pr[W_3]$. Indeed,
|
||||
with proba\-bility $\Pr[W_3]$, the adversary outputs a valid signature $sig^\star=(\tau^{(i^\dagger)},\mathbf{v}^\star,\mathbf{s}^\star)$ on a message $\mathsf{Msg}^\star=(\mathfrak{m}_1^\star,\ldots,\mathfrak{m}_N^\star)$ with $\| \mathbf{v}^\star \| \leq \sigma \sqrt{2m}$ and $\| \mathbf{s}^\star \| \leq \sigma_1 \sqrt{2m}$.
|
||||
If we parse $\mathbf{v}^\star \in \ZZ^{2m}$ as $({\mathbf{v}_1^\star }^T \mid {\mathbf{v}_2^\star }^T )^T$ with $\mathbf{v}_1^\star,\mathbf{v}_2^\star \in \ZZ^m$, we have
|
||||
@ -413,8 +416,9 @@ holds over $\ZZ$. However, as long as either $\mathbf{v}_1^\star \neq \mathbf{v}
|
||||
|
||||
|
||||
|
||||
We first show a two-party protocol whereby a user can interact with the signer in order to obtain a signature on a committed message. \\
|
||||
\indent In order to prove that the scheme still guarantees unforgeability for obliviously signed messages,
|
||||
We first show a two-party protocol whereby a user can interact with the signer in order to obtain a signature on a committed message.
|
||||
|
||||
In order to prove that the scheme still guarantees unforgeability for obliviously signed messages,
|
||||
we will assume that each message block $\mathfrak{m}_k \in \{0,1\}^{2m}$ is obtained by encoding
|
||||
the actual message $M_k =M_k[1] \ldots M_k[m] \in \{0,1\}^m$ as $\mathfrak{m}_k= \mathsf{Encode}(M_k)=( \bar{M}_k[1] , M_k[1],\ldots, \bar{M}_k[m] , M_k[m] ) $. Namely,
|
||||
each $0$ (respectively each $1$) is encoded as a pair $(1,0)$ (resp. $(0,1)$). The reason for this encoding is that the proof of Theorem \ref{commit-thm} requires that at least one block
|
||||
@ -500,8 +504,9 @@ the vector $( \tau,\mathbf{v},\mathbf{s}'') \in \{0,1\}^\ell \times \ZZ^{2m} \t
|
||||
\end{itemize}
|
||||
\end{description}
|
||||
Note that, if both parties faithfully run the protocol, the user obtains a valid signature $(\tau,\mathbf{v},\mathbf{s})$ for which the distribution of $\mathbf{s}$ is $D_{\ZZ^{2m},\sigma_1}$,
|
||||
where $\sigma_1=\sqrt{\sigma^2 + \sigma_0^2}$. \\
|
||||
\indent The following protocol allows proving possession of a message-signature pair.
|
||||
where $\sigma_1=\sqrt{\sigma^2 + \sigma_0^2}$.
|
||||
|
||||
The following protocol allows proving possession of a message-signature pair.
|
||||
|
||||
\begin{description}
|
||||
\item[\textsf{Prove}:] On input of a signature $(\tau,\mathbf{v}=(\mathbf{v}_1^T \mid \mathbf{v}_2^T)^T,\mathbf{s}) \in \{0,1\}^\ell \times \ZZ^{2m} \times \ZZ^{2m}$ on the message $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$, the user
|
||||
@ -531,7 +536,7 @@ as well as \begin{eqnarray*} \nonumber
|
||||
\end{description}
|
||||
|
||||
%To establish the security of the protocol,
|
||||
\noindent We require that the adversary be unable to prove possession of a signature of a message $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$ for which it did not legally
|
||||
We require that the adversary be unable to prove possession of a signature of a message $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$ for which it did not legally
|
||||
obtain a credential by interacting with the issuer. Note that the messages that are blindly signed by the issuer are uniquely defined since, at each signing
|
||||
query, the adversary is required to supply perfectly binding commitments $\{\mathbf{c}_k\}_{k=1}^N$ to $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$.
|
||||
|
||||
@ -566,6 +571,52 @@ than the standard deviations of the columns of $\{\mathbf{R}_k\}_{k=1}^N$.
|
||||
protocols are secure protocols for obtaining a signature on a committed message and proving possession of a valid message-signature pair.
|
||||
\end{theorem}
|
||||
|
||||
In the following proof, we make use of the Rényi divergence in a similar way to~\cite{BLL+15}:
|
||||
instead of the classical statistical distance we sometimes use the R\'enyi divergence, which is a measurement of the distance between two distributions.
|
||||
Its use in security proofs for lattice-based systems was first considered by Bai {\em et al.}~\cite{BLL+15} and further improved by Prest~\cite{Pre17}. We first recall its definition.
|
||||
|
||||
\defRenyi*
|
||||
|
||||
|
||||
We will focus on the following properties of the R\'enyi divergence, the proofs can be found in~\cite{LSS14}.
|
||||
|
||||
\begin{lemma}[{\cite[Le. 2.7]{BLL+15}}]
|
||||
\label{lem:renyi}
|
||||
Let $a \in [1, +\infty]$. Let $P$ and $Q$ denote distributions with $\Supp(P)
|
||||
\subseteq \Supp(Q)$. Then the following properties hold:
|
||||
\begin{description}
|
||||
\item[Log. Positivity:] $R_a(P||Q) \geq R_a(P||P) = 1$
|
||||
\item[Data Processing Inequality:] $R_a(P^f || Q^f) \leq R_a(P||Q)$ for any
|
||||
function $f$, where $P^f$ denotes the distribution of $f(y)$ induced by
|
||||
sampling $y \sample P$ (resp. $y \sample Q$)
|
||||
\item[Multiplicativity:] Assume $P$ and $Q$ are two distributions of a pair
|
||||
of random variables $(Y_1, Y_2)$. For $i \in \{1,2\}$, let $P_i$ (resp.
|
||||
$Q_i$) denote the marginal distribution of $Y_i$ under $P$ (resp. $Q$),
|
||||
and let $P_{2|1}(\cdot|y_1)$ (resp. $Q_{2|1}(\cdot|y_1)$) denote the conditional distribution of $Y_2$ given that $Y_1 = y_1$. Then we have:
|
||||
\begin{itemize} \renewcommand\labelitemi{$\bullet$}
|
||||
\item $R_a(P||Q) = P_a(P_1 || Q_1) \cdot R_a(P_2||Q_2)$ if $Y_B$ and $Y_2$ are independent;
|
||||
\item $R_a(P||Q) \leq R_\infty (P_1 || Q_1) \cdot max_{y_1 \in X} R_a\left( P_{2|1}(\cdot | y_1) || Q_{2|1}(\cdot | y_1) \right)$.
|
||||
\end{itemize}
|
||||
\item[Probability Preservation:] Let $A \subseteq \Supp(Q)$ be an arbitrary
|
||||
event. If $a \in ]1, +\infty[$, then $Q(A) \geq
|
||||
P(A)^{\frac{a}{a-1}}/R_a(P||Q)$. Further we have:
|
||||
\[ Q(A) \geq P(A) / R_\infty(P||Q) \]
|
||||
\item[Weak Triangle Inequality:] Let $P_1, P_2, P_3$ be three distributions
|
||||
with \[\Supp(P_1) \subseteq \Supp(P_2) \subseteq \Supp(P_3).\]
|
||||
Then we have:
|
||||
\[ R_a(P_1||P_3) \leq \begin{cases}
|
||||
R_a(P_1 || P_2) \cdot R_\infty(P_2 || P_3),\\[2mm]
|
||||
R_\infty(P_1||P_2)^{\frac{a}{a-1}} \cdot R_a(P_2||P_3) & \mbox{if } a \in ]1, +\infty[.
|
||||
\end{cases}\]
|
||||
\end{description}
|
||||
\end{lemma}
|
||||
|
||||
In our proofs, we mainly use the probability preservation to bound the
|
||||
probabilities during hybrid games where the two distributions are not close in terms of statistical distance.
|
||||
|
||||
%--------- PROOF ----------
|
||||
\input merge
|
||||
|
||||
\begin{theorem} \label{anon-cred}
|
||||
The scheme provides anonymity under the $\mathsf{LWE}_{n,q,\chi}$ assumption.
|
||||
\end{theorem}
|
||||
@ -602,7 +653,7 @@ We will show that the above argument system can be obtained from the one in \cre
|
||||
|
||||
\smallskip \smallskip
|
||||
|
||||
\noindent \textbf{Step 1:} \emph{Transforming the equations in~(\ref{equation:R-commit-statement}) into a unified one of the form $\mathbf{P}\cdot \mathbf{x} = \mathbf{v} \bmod q$, where $\|\mathbf{x}\|_\infty =1$ and $\mathbf{x} \in \mathsf{VALID}$ - a ``specially-designed'' set.}
|
||||
\textbf{Step 1:} \emph{Transforming the equations in~(\ref{equation:R-commit-statement}) into a unified one of the form $\mathbf{P}\cdot \mathbf{x} = \mathbf{v} \bmod q$, where $\|\mathbf{x}\|_\infty =1$ and $\mathbf{x} \in \mathsf{VALID}$ - a ``specially-designed'' set.}
|
||||
|
||||
To do so, we first form the following vectors and matrices:
|
||||
\[
|
||||
@ -713,7 +764,6 @@ Having performed the above unification, we now define $\mathsf{VALID}$ as the se
|
||||
|
||||
\smallskip
|
||||
|
||||
\noindent
|
||||
\textbf{Step 2:} \emph{Specifying the set $\mathcal{S}$ and permutations of $L$ elements $\{T_\pi: \pi \in \mathcal{S}\}$ for which the conditions in~(\ref{eq:zk-equivalence}) hold.}
|
||||
|
||||
\begin{itemize}
|
||||
@ -755,7 +805,6 @@ We now describe how to derive the protocol for proving the possession of a signa
|
||||
$\mathbf{e}_{\tau,2} \in [-B,B]^\ell$.
|
||||
\end{description}
|
||||
|
||||
\noindent
|
||||
\textbf{Prover's Goal:} Convince the verifier in \textsf{ZK} that: \vspace*{-7.5pt}
|
||||
\begin{eqnarray}\label{equation:R-sign-signature}
|
||||
\hspace*{-5pt}
|
||||
@ -794,7 +843,7 @@ $~$ \\
|
||||
We proceed in two steps.
|
||||
\medskip \smallskip
|
||||
|
||||
\noindent \textbf{Step 1:} \emph{Transforming the equations in~(\ref{equation:R-sign-signature}) and~(\ref{equation:R-sign-ciphertext}) into a unified one of the form $\mathbf{P}\cdot \mathbf{x} = \mathbf{c} \bmod q$, where $\|\mathbf{x}\|_\infty =1$ and $\mathbf{x} \in \mathsf{VALID}$ - a ``specially-designed'' set.}
|
||||
\textbf{Step 1:} \emph{Transforming the equations in~(\ref{equation:R-sign-signature}) and~(\ref{equation:R-sign-ciphertext}) into a unified one of the form $\mathbf{P}\cdot \mathbf{x} = \mathbf{c} \bmod q$, where $\|\mathbf{x}\|_\infty =1$ and $\mathbf{x} \in \mathsf{VALID}$ - a ``specially-designed'' set.}
|
||||
|
||||
Note that, if we let $\mathbf{y} = \mathsf{bin}(\mathbf{D}_0\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathbf{s} + \sum_{k=1}^N \mathbf{D}_i\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathfrak{m}_k) \in \{0,1\}^{m}$, then we have $\mathbf{H}_{2n \times m}\cdot \mathbf{y} = \mathbf{D}_0\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathbf{s} + \sum_{k=1}^N \mathbf{D}_i\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathfrak{m}_k \bmod q$, and~(\ref{equation:R-sign-signature}) can be equivalently written as:
|
||||
\begin{eqnarray*}\label{equation:R-sign-signature-2}
|
||||
@ -887,7 +936,6 @@ It can be checked that the constructed vector $\mathbf{x}$ belongs to this tailo
|
||||
|
||||
|
||||
|
||||
\noindent
|
||||
\textbf{Step 2:} \emph{Specifying the set $\mathcal{S}$ and permutations of $L$ elements $\{T_\pi: \pi \in \mathcal{S}\}$ for which the conditions in~(\ref{eq:zk-equivalence}) hold.}
|
||||
|
||||
\begin{itemize}
|
||||
|
||||
Reference in New Issue
Block a user