Cleaning the code

This commit is contained in:
Fabrice Mouhartem 2018-04-30 16:12:03 +02:00
parent 46e0240867
commit b295212aac
7 changed files with 145 additions and 67 deletions

View File

@ -26,8 +26,9 @@ $\mathbf{D}_0 \cdot \mathbf{s} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k$
\subsection{Description} \label{desc-sig-protoc} \subsection{Description} \label{desc-sig-protoc}
We assume that messages are vectors of $N$ blocks $\mathsf{Msg}=(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$, where each We assume that messages are vectors of $N$ blocks $\mathsf{Msg}=(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$, where each
block is a $2m$-bit string $\mathfrak{m}_k = \mathfrak{m}_k[1] \ldots \mathfrak{m}_k[2m] \in \{0,1\}^{2m}$ for $k \in \{1,\ldots, N\}$. \\ block is a $2m$-bit string $\mathfrak{m}_k = \mathfrak{m}_k[1] \ldots \mathfrak{m}_k[2m] \in \{0,1\}^{2m}$ for $k \in \{1,\ldots, N\}$.
\indent For each vector $\mathbf{v} \in \Zq^L$, we denote by $\bit(\mathbf{v}) \in \{0,1\}^{L \lceil \log q \rceil}$ the vector obtained by replacing each
For each vector $\mathbf{v} \in \Zq^L$, we denote by $\bit(\mathbf{v}) \in \{0,1\}^{L \lceil \log q \rceil}$ the vector obtained by replacing each
coordinate of $\mathbf{v}$ by its binary representation. coordinate of $\mathbf{v}$ by its binary representation.
@ -76,8 +77,8 @@ coordinate of $\mathbf{v}$ by its binary representation.
\end{description} \end{description}
When the scheme is used for obliviously signing committed messages, When the scheme is used for obliviously signing committed messages,
the security proof follows Bai \textit{et al.} \cite{BLL+15} in that it applies an argument based on the R\'enyi divergence in one signing query. This argument requires the security proof follows Bai \textit{et al.} \cite{BLL+15} in that it applies an argument based on the R\'enyi divergence in one signing query. This argument requires
to sample $\mathbf{s}$ from a Gaussian distribution whose standard deviation $\sigma_1$ is polynomially larger than $\sigma$. \\ to sample $\mathbf{s}$ from a Gaussian distribution whose standard deviation $\sigma_1$ is polynomially larger than $\sigma$.
\indent
We note that, instead of being included in the public key, the matrices $ \{\mathbf{D}_k\}_{k=0}^{N}$ can be part of common public parameters shared by many signers. Indeed, We note that, instead of being included in the public key, the matrices $ \{\mathbf{D}_k\}_{k=0}^{N}$ can be part of common public parameters shared by many signers. Indeed,
only the matrices $(\mathbf{A},\{\mathbf{A}_i\}_{i=0}^\ell)$ should be specific to the user who holds the secret key $SK=\mathbf{T}_{\mathbf{A}}$. In Section \ref{commit-sig}, we use a variant where $ \{\mathbf{D}_k\}_{k=0}^{N}$ only the matrices $(\mathbf{A},\{\mathbf{A}_i\}_{i=0}^\ell)$ should be specific to the user who holds the secret key $SK=\mathbf{T}_{\mathbf{A}}$. In Section \ref{commit-sig}, we use a variant where $ \{\mathbf{D}_k\}_{k=0}^{N}$
belong to public parameters. belong to public parameters.
@ -88,7 +89,7 @@ The security analysis in Theorem \ref{th:gs-lwe-security-cma-sig} requires that
\begin{theorem} \label{th:gs-lwe-security-cma-sig} \begin{theorem} \label{th:gs-lwe-security-cma-sig}
The signature scheme is secure under chosen-message attacks under the $\mathsf{SIS}$ assumption. The signature scheme is secure under chosen-message attacks under the $\SIS$ assumption.
\end{theorem} \end{theorem}
\begin{proof} \begin{proof}
@ -111,7 +112,8 @@ $\tau^{(i^\star)}= \tau^\star$ for some index $i^\star \in \{1,\ldots,Q\}$) and
Type III attacks imply a collision for the chameleon hash function of Kawachi \textit{et al.} \cite{KTX08}: if (\ref{collision}) holds, Type III attacks imply a collision for the chameleon hash function of Kawachi \textit{et al.} \cite{KTX08}: if (\ref{collision}) holds,
a short vector a short vector
of $\Lambda_q^{\perp}([ \mathbf{D}_0 \mid \mathbf{D}_1 \mid \ldots \mid \mathbf{D}_N])$ is obtained as of $\Lambda_q^{\perp}([ \mathbf{D}_0 \mid \mathbf{D}_1 \mid \ldots \mid \mathbf{D}_N])$ is obtained as
$$\big({\mathbf{s}^\star}^T- {\mathbf{s}^{(i^\star)}}^T \mid {\mathfrak{m}_1^\star }^T - {\mathfrak{m}_1^{(i^\star)} }^T \mid \ldots \mid {\mathfrak{m}_N^\star }^T - {\mathfrak{m}_N^{(i^\star)} }^T \big)^T,$$ so that a collision breaks the $\mathsf{SIS}$ assumption. \\ \indent $$\big({\mathbf{s}^\star}^T- {\mathbf{s}^{(i^\star)}}^T \mid {\mathfrak{m}_1^\star }^T - {\mathfrak{m}_1^{(i^\star)} }^T \mid \ldots \mid {\mathfrak{m}_N^\star }^T - {\mathfrak{m}_N^{(i^\star)} }^T \big)^T,$$ so that a collision breaks the $\mathsf{SIS}$ assumption.
The security against Type I attacks is proved by \cref{le:lwe-gs-type-I-attacks} which applies the same technique as in \cite{Boy10,MP12}. In particular, the prefix guessing technique The security against Type I attacks is proved by \cref{le:lwe-gs-type-I-attacks} which applies the same technique as in \cite{Boy10,MP12}. In particular, the prefix guessing technique
of \cite{HW09} allows keeping the modulus smaller than the number $Q$ of adversarial queries as in \cite{MP12}. of \cite{HW09} allows keeping the modulus smaller than the number $Q$ of adversarial queries as in \cite{MP12}.
In order to deal with Type II attacks, we can leverage the technique of~\cite{BHJ+15}. In \cref{le:lwe-gs-type-II-attacks}, we prove that Type II attack would also contradict $\mathsf{SIS}$. In order to deal with Type II attacks, we can leverage the technique of~\cite{BHJ+15}. In \cref{le:lwe-gs-type-II-attacks}, we prove that Type II attack would also contradict $\mathsf{SIS}$.
@ -125,16 +127,16 @@ The scheme is secure against Type I attacks if the $\mathsf{SIS}_{n,m,q,\beta'}$
Let $\adv$ be a $\ppt$ adversary that can mount a Type I attack with non-negligible success probability $\varepsilon$. We construct a $\ppt$ Let $\adv$ be a $\ppt$ adversary that can mount a Type I attack with non-negligible success probability $\varepsilon$. We construct a $\ppt$
algorithm $\bdv$ that uses $\adv$ to break the~$\SIS_{n,m,q,\beta'}$ assumption. It takes as input~$\bar{\mathbf{A}} \in algorithm $\bdv$ that uses $\adv$ to break the~$\SIS_{n,m,q,\beta'}$ assumption. It takes as input~$\bar{\mathbf{A}} \in
\Zq^{n \times m}$ and computes $\mathbf{v} \in \Zq^{n \times m}$ and computes $\mathbf{v} \in
\Lambda_q^{\perp}(\bar{\mathbf{A}})$ with~$0 < \|\mathbf{v}\| \leq \beta'$. \\ \Lambda_q^{\perp}(\bar{\mathbf{A}})$ with~$0 < \|\mathbf{v}\| \leq \beta'$.
\indent
Algorithm~$\bdv$ first chooses the $\ell$-bit strings $\tau^{(1)},\ldots,\tau^{(Q)} \sample U(\{0,1\}^\ell)$ to be used in signing queries. As in \cite{HW09}, it Algorithm~$\bdv$ first chooses the $\ell$-bit strings $\tau^{(1)},\ldots,\tau^{(Q)} \sample U(\{0,1\}^\ell)$ to be used in signing queries. As in \cite{HW09}, it
guesses the shortest prefix such that the string $\tau^\star$ contained in $\adv$'s forgery differs from all prefixes of $\tau^{(1)},\ldots,\tau^{(Q)}$. To this guesses the shortest prefix such that the string $\tau^\star$ contained in $\adv$'s forgery differs from all prefixes of $\tau^{(1)},\ldots,\tau^{(Q)}$. To this
end, $\bdv$ chooses $i^\dagger \sample U(\{1,\ldots, Q\})$ and $t^\dagger \sample U(\{1,\ldots,\ell\})$ so that, with probability $1/(Q \cdot \ell)$, the longest end, $\bdv$ chooses $i^\dagger \sample U(\{1,\ldots, Q\})$ and $t^\dagger \sample U(\{1,\ldots,\ell\})$ so that, with probability $1/(Q \cdot \ell)$, the longest
common prefix between $\tau^\star$ and one of the $\left\{\tau^{(i)} \right\}_{i=1}^Q$ is the string common prefix between $\tau^\star$ and one of the $\left\{\tau^{(i)} \right\}_{i=1}^Q$ is the string
$\tau^\star[1] \ldots \tau^\star[t^\dagger-1] =\tau^{(i^\dagger)}[1] \ldots \tau^{(i^\dagger)}[t^\dagger-1] \in \{0,1\}^{t^\dagger -1}$ comprised of the $\tau^\star[1] \ldots \tau^\star[t^\dagger-1] =\tau^{(i^\dagger)}[1] \ldots \tau^{(i^\dagger)}[t^\dagger-1] \in \{0,1\}^{t^\dagger -1}$ comprised of the
first $(t^\dagger-1)$-th bits of $\tau^\star \in \{0,1\}^\ell$. We define $ \tau^\dagger \in \{0,1\}^{t^\dagger}$ as the $t^\dagger$-bit string $\tau^\dagger=\tau^\star[1] \ldots \tau^\star[t^\dagger] $. By construction, with probability $1/(Q \cdot \ell)$, we have $\tau^\dagger \not \in \left\{\tau^{(1)}_{|{t^\dagger}}, \ldots ,\tau^{(Q)}_{|{t^\dagger}} \right\}$, where $\tau^{(i)}_{|{t^\dagger}}$ denotes first $(t^\dagger-1)$-th bits of $\tau^\star \in \{0,1\}^\ell$. We define $ \tau^\dagger \in \{0,1\}^{t^\dagger}$ as the $t^\dagger$-bit string $\tau^\dagger=\tau^\star[1] \ldots \tau^\star[t^\dagger] $. By construction, with probability $1/(Q \cdot \ell)$, we have $\tau^\dagger \not \in \left\{\tau^{(1)}_{|{t^\dagger}}, \ldots ,\tau^{(Q)}_{|{t^\dagger}} \right\}$, where $\tau^{(i)}_{|{t^\dagger}}$ denotes
the $t^\dagger$-th prefix of $\tau^{(i)}$ for each $i\in \{1,\ldots,Q\}$. \\ the $t^\dagger$-th prefix of $\tau^{(i)}$ for each $i\in \{1,\ldots,Q\}$.
\indent
Then, $\bdv$ runs Then, $\bdv$ runs
$\TrapGen(1^n,1^m,q)$ to obtain $\mathbf{C} \in \Zq^{n \times m}$ and a $\TrapGen(1^n,1^m,q)$ to obtain $\mathbf{C} \in \Zq^{n \times m}$ and a
basis $\mathbf{T}_{\mathbf{C}}$ of~$\Lambda_q^{\perp}(\mathbf{C})$ with basis $\mathbf{T}_{\mathbf{C}}$ of~$\Lambda_q^{\perp}(\mathbf{C})$ with
@ -178,8 +180,9 @@ The scheme is secure against Type I attacks if the $\mathsf{SIS}_{n,m,q,\beta'}$
\end{eqnarray*} \end{eqnarray*}
where $ h_{\tau^{(i)}} \in [1,t^\dagger] \subset [1,\ell]$ stands for the Hamming distance between where $ h_{\tau^{(i)}} \in [1,t^\dagger] \subset [1,\ell]$ stands for the Hamming distance between
$\tau^{(i)}_{|t^\dagger}$ and $\tau^\star_{|t^\dagger}$. Note that, with probability $1/(Q \cdot \ell)$ and since $q>\ell$, we have $\tau^{(i)}_{|t^\dagger}$ and $\tau^\star_{|t^\dagger}$. Note that, with probability $1/(Q \cdot \ell)$ and since $q>\ell$, we have
$ h_{\tau^{(i)}} \neq 0 \bmod q$ whenever $\tau^{(i)}_{|t^\dagger} \neq \tau^\star_{|t^\dagger}$. \\ $ h_{\tau^{(i)}} \neq 0 \bmod q$ whenever $\tau^{(i)}_{|t^\dagger} \neq \tau^\star_{|t^\dagger}$.
\indent Next, $\bdv$ chooses the matrices $\mathbf{D}_k \sample U(\Zq^{2n \times 2m})$ uniformly at random for each $k \in [0,N]$. Then, it picks a random short matrix $\mathbf{R} \in \ZZ^{m \times m}$ which has its columns independently sampled from $D_{\ZZ^m,\sigma}$
Next, $\bdv$ chooses the matrices $\mathbf{D}_k \sample U(\Zq^{2n \times 2m})$ uniformly at random for each $k \in [0,N]$. Then, it picks a random short matrix $\mathbf{R} \in \ZZ^{m \times m}$ which has its columns independently sampled from $D_{\ZZ^m,\sigma}$
and computes and computes
\begin{eqnarray*} \begin{eqnarray*}
\mathbf{D} &=& \bar{\mathbf{A}} \cdot \mathbf{R}. % \qquad \qquad \qquad \quad~ \forall k \in \{0,\ldots,N\}. \mathbf{D} &=& \bar{\mathbf{A}} \cdot \mathbf{R}. % \qquad \qquad \qquad \quad~ \forall k \in \{0,\ldots,N\}.
@ -198,8 +201,9 @@ At the $i$-th signing query $\mathsf{Msg}^{(i)}=(\mathfrak{m}_1^{(i)},\ldots,\ma
To do this, $\bdv$ first samples $\mathbf{s}^{(i)} \sample D_{\ZZ^{2m},\sigma_1}$ and computes a vector $\mathbf{u}_M \in \Zq^m$ as To do this, $\bdv$ first samples $\mathbf{s}^{(i)} \sample D_{\ZZ^{2m},\sigma_1}$ and computes a vector $\mathbf{u}_M \in \Zq^m$ as
$$\mathbf{u}_M = \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{(i)} } + \mathbf{D}_{0} \cdot {\mathbf{s}^{(i)} } \bigr) ~~ \bmod q.$$ $$\mathbf{u}_M = \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{(i)} } + \mathbf{D}_{0} \cdot {\mathbf{s}^{(i)} } \bigr) ~~ \bmod q.$$
Using $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$, $\bdv$ can then sample a short vector $\mathbf{v}^{(i)} \in \ZZ^{2m}$ in $D^{\mathbf{u}_M}_{\Lambda^{\perp}(\mathbf{A}_{\tau^{(i)}}), \sigma}$ such Using $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$, $\bdv$ can then sample a short vector $\mathbf{v}^{(i)} \in \ZZ^{2m}$ in $D^{\mathbf{u}_M}_{\Lambda^{\perp}(\mathbf{A}_{\tau^{(i)}}), \sigma}$ such
that $\big(\tau^{(i)},\mathbf{v}^{(i)},\mathbf{s}^{(i)} \big)$ satisfies the verification equation (\ref{ver-eq-block}). \\ that $\big(\tau^{(i)},\mathbf{v}^{(i)},\mathbf{s}^{(i)} \big)$ satisfies the verification equation (\ref{ver-eq-block}).
\indent When $\adv$ halts, it outputs a valid signature $sig^\star=\big(\tau^{(i^\dagger)},\mathbf{v}^\star,\mathbf{s}^\star \big)$ on a
When $\adv$ halts, it outputs a valid signature $sig^\star=\big(\tau^{(i^\dagger)},\mathbf{v}^\star,\mathbf{s}^\star \big)$ on a
message $\mathsf{Msg}^\star=(\mathfrak{m}_1^\star,\ldots,\mathfrak{m}_N^\star)$ with $\| \mathbf{v}^\star \| \leq \sigma \sqrt{2m}$ and $\| \mathbf{s}^\star \| \leq \sigma_1 \sqrt{2m}$. message $\mathsf{Msg}^\star=(\mathfrak{m}_1^\star,\ldots,\mathfrak{m}_N^\star)$ with $\| \mathbf{v}^\star \| \leq \sigma \sqrt{2m}$ and $\| \mathbf{s}^\star \| \leq \sigma_1 \sqrt{2m}$.
At this point, $\bdv$ aborts and declares failure if it was unfortunate in its choice of $i^\dagger \in \{1,\ldots,Q\}$ and $t^\dagger \in \{1,\ldots,\ell\}$. Otherwise, At this point, $\bdv$ aborts and declares failure if it was unfortunate in its choice of $i^\dagger \in \{1,\ldots,Q\}$ and $t^\dagger \in \{1,\ldots,\ell\}$. Otherwise,
with probability $1/(Q \cdot \ell)$, $\bdv$ correctly guessed $i^\dagger \in \{1,\ldots,Q\}$ and $t^\dagger \in \{1,\ldots,\ell\}$, in which case it can solve the given $\mathsf{SIS}$ instance as follows. with probability $1/(Q \cdot \ell)$, $\bdv$ correctly guessed $i^\dagger \in \{1,\ldots,Q\}$ and $t^\dagger \in \{1,\ldots,\ell\}$, in which case it can solve the given $\mathsf{SIS}$ instance as follows.
@ -350,7 +354,6 @@ We prove the result using a sequence of games. For each $i$, we denote by $W_i$
We conclude that $\Pr[W_2]$ is negligibly far apart from $\Pr[W_3]$ since, by the Leftover Hash Lemma (see \cite[Le. 13]{ABB10}), the public key $PK$ in \textsf{Game} $3$ is statistically close to its distribution in \textsf{Game} $2$. We conclude that $\Pr[W_2]$ is negligibly far apart from $\Pr[W_3]$ since, by the Leftover Hash Lemma (see \cite[Le. 13]{ABB10}), the public key $PK$ in \textsf{Game} $3$ is statistically close to its distribution in \textsf{Game} $2$.
\medskip \medskip
\noindent
In \textsf{Game} $3$, we claim that the challenger $\bdv$ can use $\adv$ to solve the $\mathsf{SIS}$ problem by finding a short vector of $\Lambda_q^\perp(\mathbf{D})$ with probability $\Pr[W_3]$. Indeed, In \textsf{Game} $3$, we claim that the challenger $\bdv$ can use $\adv$ to solve the $\mathsf{SIS}$ problem by finding a short vector of $\Lambda_q^\perp(\mathbf{D})$ with probability $\Pr[W_3]$. Indeed,
with proba\-bility $\Pr[W_3]$, the adversary outputs a valid signature $sig^\star=(\tau^{(i^\dagger)},\mathbf{v}^\star,\mathbf{s}^\star)$ on a message $\mathsf{Msg}^\star=(\mathfrak{m}_1^\star,\ldots,\mathfrak{m}_N^\star)$ with $\| \mathbf{v}^\star \| \leq \sigma \sqrt{2m}$ and $\| \mathbf{s}^\star \| \leq \sigma_1 \sqrt{2m}$. with proba\-bility $\Pr[W_3]$, the adversary outputs a valid signature $sig^\star=(\tau^{(i^\dagger)},\mathbf{v}^\star,\mathbf{s}^\star)$ on a message $\mathsf{Msg}^\star=(\mathfrak{m}_1^\star,\ldots,\mathfrak{m}_N^\star)$ with $\| \mathbf{v}^\star \| \leq \sigma \sqrt{2m}$ and $\| \mathbf{s}^\star \| \leq \sigma_1 \sqrt{2m}$.
If we parse $\mathbf{v}^\star \in \ZZ^{2m}$ as $({\mathbf{v}_1^\star }^T \mid {\mathbf{v}_2^\star }^T )^T$ with $\mathbf{v}_1^\star,\mathbf{v}_2^\star \in \ZZ^m$, we have If we parse $\mathbf{v}^\star \in \ZZ^{2m}$ as $({\mathbf{v}_1^\star }^T \mid {\mathbf{v}_2^\star }^T )^T$ with $\mathbf{v}_1^\star,\mathbf{v}_2^\star \in \ZZ^m$, we have
@ -413,8 +416,9 @@ holds over $\ZZ$. However, as long as either $\mathbf{v}_1^\star \neq \mathbf{v}
We first show a two-party protocol whereby a user can interact with the signer in order to obtain a signature on a committed message. \\ We first show a two-party protocol whereby a user can interact with the signer in order to obtain a signature on a committed message.
\indent In order to prove that the scheme still guarantees unforgeability for obliviously signed messages,
In order to prove that the scheme still guarantees unforgeability for obliviously signed messages,
we will assume that each message block $\mathfrak{m}_k \in \{0,1\}^{2m}$ is obtained by encoding we will assume that each message block $\mathfrak{m}_k \in \{0,1\}^{2m}$ is obtained by encoding
the actual message $M_k =M_k[1] \ldots M_k[m] \in \{0,1\}^m$ as $\mathfrak{m}_k= \mathsf{Encode}(M_k)=( \bar{M}_k[1] , M_k[1],\ldots, \bar{M}_k[m] , M_k[m] ) $. Namely, the actual message $M_k =M_k[1] \ldots M_k[m] \in \{0,1\}^m$ as $\mathfrak{m}_k= \mathsf{Encode}(M_k)=( \bar{M}_k[1] , M_k[1],\ldots, \bar{M}_k[m] , M_k[m] ) $. Namely,
each $0$ (respectively each $1$) is encoded as a pair $(1,0)$ (resp. $(0,1)$). The reason for this encoding is that the proof of Theorem \ref{commit-thm} requires that at least one block each $0$ (respectively each $1$) is encoded as a pair $(1,0)$ (resp. $(0,1)$). The reason for this encoding is that the proof of Theorem \ref{commit-thm} requires that at least one block
@ -500,8 +504,9 @@ the vector $( \tau,\mathbf{v},\mathbf{s}'') \in \{0,1\}^\ell \times \ZZ^{2m} \t
\end{itemize} \end{itemize}
\end{description} \end{description}
Note that, if both parties faithfully run the protocol, the user obtains a valid signature $(\tau,\mathbf{v},\mathbf{s})$ for which the distribution of $\mathbf{s}$ is $D_{\ZZ^{2m},\sigma_1}$, Note that, if both parties faithfully run the protocol, the user obtains a valid signature $(\tau,\mathbf{v},\mathbf{s})$ for which the distribution of $\mathbf{s}$ is $D_{\ZZ^{2m},\sigma_1}$,
where $\sigma_1=\sqrt{\sigma^2 + \sigma_0^2}$. \\ where $\sigma_1=\sqrt{\sigma^2 + \sigma_0^2}$.
\indent The following protocol allows proving possession of a message-signature pair.
The following protocol allows proving possession of a message-signature pair.
\begin{description} \begin{description}
\item[\textsf{Prove}:] On input of a signature $(\tau,\mathbf{v}=(\mathbf{v}_1^T \mid \mathbf{v}_2^T)^T,\mathbf{s}) \in \{0,1\}^\ell \times \ZZ^{2m} \times \ZZ^{2m}$ on the message $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$, the user \item[\textsf{Prove}:] On input of a signature $(\tau,\mathbf{v}=(\mathbf{v}_1^T \mid \mathbf{v}_2^T)^T,\mathbf{s}) \in \{0,1\}^\ell \times \ZZ^{2m} \times \ZZ^{2m}$ on the message $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$, the user
@ -531,7 +536,7 @@ as well as \begin{eqnarray*} \nonumber
\end{description} \end{description}
%To establish the security of the protocol, %To establish the security of the protocol,
\noindent We require that the adversary be unable to prove possession of a signature of a message $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$ for which it did not legally We require that the adversary be unable to prove possession of a signature of a message $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$ for which it did not legally
obtain a credential by interacting with the issuer. Note that the messages that are blindly signed by the issuer are uniquely defined since, at each signing obtain a credential by interacting with the issuer. Note that the messages that are blindly signed by the issuer are uniquely defined since, at each signing
query, the adversary is required to supply perfectly binding commitments $\{\mathbf{c}_k\}_{k=1}^N$ to $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$. query, the adversary is required to supply perfectly binding commitments $\{\mathbf{c}_k\}_{k=1}^N$ to $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$.
@ -566,6 +571,52 @@ than the standard deviations of the columns of $\{\mathbf{R}_k\}_{k=1}^N$.
protocols are secure protocols for obtaining a signature on a committed message and proving possession of a valid message-signature pair. protocols are secure protocols for obtaining a signature on a committed message and proving possession of a valid message-signature pair.
\end{theorem} \end{theorem}
In the following proof, we make use of the Rényi divergence in a similar way to~\cite{BLL+15}:
instead of the classical statistical distance we sometimes use the R\'enyi divergence, which is a measurement of the distance between two distributions.
Its use in security proofs for lattice-based systems was first considered by Bai {\em et al.}~\cite{BLL+15} and further improved by Prest~\cite{Pre17}. We first recall its definition.
\defRenyi*
We will focus on the following properties of the R\'enyi divergence, the proofs can be found in~\cite{LSS14}.
\begin{lemma}[{\cite[Le. 2.7]{BLL+15}}]
\label{lem:renyi}
Let $a \in [1, +\infty]$. Let $P$ and $Q$ denote distributions with $\Supp(P)
\subseteq \Supp(Q)$. Then the following properties hold:
\begin{description}
\item[Log. Positivity:] $R_a(P||Q) \geq R_a(P||P) = 1$
\item[Data Processing Inequality:] $R_a(P^f || Q^f) \leq R_a(P||Q)$ for any
function $f$, where $P^f$ denotes the distribution of $f(y)$ induced by
sampling $y \sample P$ (resp. $y \sample Q$)
\item[Multiplicativity:] Assume $P$ and $Q$ are two distributions of a pair
of random variables $(Y_1, Y_2)$. For $i \in \{1,2\}$, let $P_i$ (resp.
$Q_i$) denote the marginal distribution of $Y_i$ under $P$ (resp. $Q$),
and let $P_{2|1}(\cdot|y_1)$ (resp. $Q_{2|1}(\cdot|y_1)$) denote the conditional distribution of $Y_2$ given that $Y_1 = y_1$. Then we have:
\begin{itemize} \renewcommand\labelitemi{$\bullet$}
\item $R_a(P||Q) = P_a(P_1 || Q_1) \cdot R_a(P_2||Q_2)$ if $Y_B$ and $Y_2$ are independent;
\item $R_a(P||Q) \leq R_\infty (P_1 || Q_1) \cdot max_{y_1 \in X} R_a\left( P_{2|1}(\cdot | y_1) || Q_{2|1}(\cdot | y_1) \right)$.
\end{itemize}
\item[Probability Preservation:] Let $A \subseteq \Supp(Q)$ be an arbitrary
event. If $a \in ]1, +\infty[$, then $Q(A) \geq
P(A)^{\frac{a}{a-1}}/R_a(P||Q)$. Further we have:
\[ Q(A) \geq P(A) / R_\infty(P||Q) \]
\item[Weak Triangle Inequality:] Let $P_1, P_2, P_3$ be three distributions
with \[\Supp(P_1) \subseteq \Supp(P_2) \subseteq \Supp(P_3).\]
Then we have:
\[ R_a(P_1||P_3) \leq \begin{cases}
R_a(P_1 || P_2) \cdot R_\infty(P_2 || P_3),\\[2mm]
R_\infty(P_1||P_2)^{\frac{a}{a-1}} \cdot R_a(P_2||P_3) & \mbox{if } a \in ]1, +\infty[.
\end{cases}\]
\end{description}
\end{lemma}
In our proofs, we mainly use the probability preservation to bound the
probabilities during hybrid games where the two distributions are not close in terms of statistical distance.
%--------- PROOF ----------
\input merge
\begin{theorem} \label{anon-cred} \begin{theorem} \label{anon-cred}
The scheme provides anonymity under the $\mathsf{LWE}_{n,q,\chi}$ assumption. The scheme provides anonymity under the $\mathsf{LWE}_{n,q,\chi}$ assumption.
\end{theorem} \end{theorem}
@ -602,7 +653,7 @@ We will show that the above argument system can be obtained from the one in \cre
\smallskip \smallskip \smallskip \smallskip
\noindent \textbf{Step 1:} \emph{Transforming the equations in~(\ref{equation:R-commit-statement}) into a unified one of the form $\mathbf{P}\cdot \mathbf{x} = \mathbf{v} \bmod q$, where $\|\mathbf{x}\|_\infty =1$ and $\mathbf{x} \in \mathsf{VALID}$ - a ``specially-designed'' set.} \textbf{Step 1:} \emph{Transforming the equations in~(\ref{equation:R-commit-statement}) into a unified one of the form $\mathbf{P}\cdot \mathbf{x} = \mathbf{v} \bmod q$, where $\|\mathbf{x}\|_\infty =1$ and $\mathbf{x} \in \mathsf{VALID}$ - a ``specially-designed'' set.}
To do so, we first form the following vectors and matrices: To do so, we first form the following vectors and matrices:
\[ \[
@ -713,7 +764,6 @@ Having performed the above unification, we now define $\mathsf{VALID}$ as the se
\smallskip \smallskip
\noindent
\textbf{Step 2:} \emph{Specifying the set $\mathcal{S}$ and permutations of $L$ elements $\{T_\pi: \pi \in \mathcal{S}\}$ for which the conditions in~(\ref{eq:zk-equivalence}) hold.} \textbf{Step 2:} \emph{Specifying the set $\mathcal{S}$ and permutations of $L$ elements $\{T_\pi: \pi \in \mathcal{S}\}$ for which the conditions in~(\ref{eq:zk-equivalence}) hold.}
\begin{itemize} \begin{itemize}
@ -755,7 +805,6 @@ We now describe how to derive the protocol for proving the possession of a signa
$\mathbf{e}_{\tau,2} \in [-B,B]^\ell$. $\mathbf{e}_{\tau,2} \in [-B,B]^\ell$.
\end{description} \end{description}
\noindent
\textbf{Prover's Goal:} Convince the verifier in \textsf{ZK} that: \vspace*{-7.5pt} \textbf{Prover's Goal:} Convince the verifier in \textsf{ZK} that: \vspace*{-7.5pt}
\begin{eqnarray}\label{equation:R-sign-signature} \begin{eqnarray}\label{equation:R-sign-signature}
\hspace*{-5pt} \hspace*{-5pt}
@ -794,7 +843,7 @@ $~$ \\
We proceed in two steps. We proceed in two steps.
\medskip \smallskip \medskip \smallskip
\noindent \textbf{Step 1:} \emph{Transforming the equations in~(\ref{equation:R-sign-signature}) and~(\ref{equation:R-sign-ciphertext}) into a unified one of the form $\mathbf{P}\cdot \mathbf{x} = \mathbf{c} \bmod q$, where $\|\mathbf{x}\|_\infty =1$ and $\mathbf{x} \in \mathsf{VALID}$ - a ``specially-designed'' set.} \textbf{Step 1:} \emph{Transforming the equations in~(\ref{equation:R-sign-signature}) and~(\ref{equation:R-sign-ciphertext}) into a unified one of the form $\mathbf{P}\cdot \mathbf{x} = \mathbf{c} \bmod q$, where $\|\mathbf{x}\|_\infty =1$ and $\mathbf{x} \in \mathsf{VALID}$ - a ``specially-designed'' set.}
Note that, if we let $\mathbf{y} = \mathsf{bin}(\mathbf{D}_0\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathbf{s} + \sum_{k=1}^N \mathbf{D}_i\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathfrak{m}_k) \in \{0,1\}^{m}$, then we have $\mathbf{H}_{2n \times m}\cdot \mathbf{y} = \mathbf{D}_0\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathbf{s} + \sum_{k=1}^N \mathbf{D}_i\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathfrak{m}_k \bmod q$, and~(\ref{equation:R-sign-signature}) can be equivalently written as: Note that, if we let $\mathbf{y} = \mathsf{bin}(\mathbf{D}_0\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathbf{s} + \sum_{k=1}^N \mathbf{D}_i\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathfrak{m}_k) \in \{0,1\}^{m}$, then we have $\mathbf{H}_{2n \times m}\cdot \mathbf{y} = \mathbf{D}_0\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathbf{s} + \sum_{k=1}^N \mathbf{D}_i\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathfrak{m}_k \bmod q$, and~(\ref{equation:R-sign-signature}) can be equivalently written as:
\begin{eqnarray*}\label{equation:R-sign-signature-2} \begin{eqnarray*}\label{equation:R-sign-signature-2}
@ -887,7 +936,6 @@ It can be checked that the constructed vector $\mathbf{x}$ belongs to this tailo
\noindent
\textbf{Step 2:} \emph{Specifying the set $\mathcal{S}$ and permutations of $L$ elements $\{T_\pi: \pi \in \mathcal{S}\}$ for which the conditions in~(\ref{eq:zk-equivalence}) hold.} \textbf{Step 2:} \emph{Specifying the set $\mathcal{S}$ and permutations of $L$ elements $\{T_\pi: \pi \in \mathcal{S}\}$ for which the conditions in~(\ref{eq:zk-equivalence}) hold.}
\begin{itemize} \begin{itemize}

View File

@ -253,8 +253,40 @@ Which means that the adversary cannot get a single bit of information about the
This kind of definition are also useful to model anonymity. This kind of definition are also useful to model anonymity.
For instance in \cref{sec:RGSdefsecAnon}, the definition of anonymity for group signatures is defined in a similar fashion (\cref{def:anon}). For instance in \cref{sec:RGSdefsecAnon}, the definition of anonymity for group signatures is defined in a similar fashion (\cref{def:anon}).
On the other hand, the security definition for signature scheme is no more an indistinguishability game, but an unforgeability game. To manipulate indistinguishability between distributions, it is useful to quantify the distance between two distributions.
The goal of the adversary is not to distinguish between two distributions, but to forge a new signature from what it learns \emph{via} signature queries. In this context, we define the statistical distance as follows.
\begin{definition}[Statistical Distance] \index{Probability!Statistical Distance}
Let $P$ and $Q$ be two distributions. The \textit{statistical distance} $\Delta(P, Q)$ between $P$ and $Q$ is defined as
\[ \Delta(P, Q) \triangleq \frac{1}{2} \sum_{x \in \Supp(P) \cup \Supp(Q)} | P(x) - Q(x)|. \]
\end{definition}
Two distributions are \textit{statistically close} if their statistical distance is negligible with respect to the security parameter.
It is worth noticing that if two distributions are statistically close, then the advantage of an adversary in distinguishing between them is negligible.
Another property used in the so-called \textit{hybrid argument}\index{Hybrid argument} is the \textit{triangular equality} that follows from the fact that the statistical distance is a distance.
Another interesting metric, that will be used in the security proof of %TODO
is the Rényi Divergence:
\begin{restatable}[Rényi divergence]{definition}{defRenyi}
\label{def:renyi} \index{Probability!Rényi Divergence}
For any two discrete distributions $P$ and $Q$ such that $\Supp(P) \subseteq
\Supp(Q)$, and $a \in ]1, +\infty[$, we define the \emph{R\'enyi divergence} of order $a$ by:
\[ R_a(P||Q) = \left( \sum_{x \in \Supp(P)} \frac{P(x)^a}{Q(x)^{a-1}} \right)^{\frac{1}{a-1}}. \]
We define the R\'enyi divergences of orders $1$ and $+\infty$ by:
\[ R_1(P||Q) = \exp\left( \sum_{x \in \Supp(P)} P(x) \log \frac{P(x)}{Q(x)} \right) \mbox{ and } R_\infty (P||Q) = \max_{x \in \Supp(P)} \frac{P(x)}{Q(x)}. \]
The divergence $R_1$ is the (exponential) of the Kullback-Leibler divergence.
\end{restatable}
Bai, Langlois, Lepoint, Stehlé and Steinfeld~\cite{BLL+15} noticed that the Rényi Divergence has similar property with respect to multiplication, and can be useful in the context of unforgeability game as we will explain it in the following paragraph. Prest further presented multiple uses of the Rényi Divergence in~\cite{Pre17}.
We can notice that security definitions for signature scheme are no more indistinguishability-based games, but unforgeability games.
The goal of the adversary is no more to distinguish between two distributions, but to forge a new signature from what it learns \emph{via} signature queries.
Those signature queries are provided by an oracle \oracle{sign}{sk,\cdot}, which on input $m$ returns the signature $\sigma = \Sigma.\mathsf{sign}(sk, m)$ and add $\sigma$ to $\ensemble{sign}$. The initialization of these sets and the behaviour of oracle may be omitted in the rest of this thesis for the sake of readability. Those signature queries are provided by an oracle \oracle{sign}{sk,\cdot}, which on input $m$ returns the signature $\sigma = \Sigma.\mathsf{sign}(sk, m)$ and add $\sigma$ to $\ensemble{sign}$. The initialization of these sets and the behaviour of oracle may be omitted in the rest of this thesis for the sake of readability.

View File

@ -206,7 +206,7 @@ The above signature scheme is existentially unforgeable under chosen-message att
\end{equation} \end{equation}
\end{description} \smallskip \end{description} \smallskip
\noindent We also define \textbf{Type $\mathbf{A'}$} signatures as a generalization of We also define \textbf{Type $\mathbf{A'}$} signatures as a generalization of
Type A signatures where only condition~\eqref{eq:rel-sig-A} are imposed and no Type A signatures where only condition~\eqref{eq:rel-sig-A} are imposed and no
restriction is given on $\pi$ beyond the fact that it should be a valid restriction is given on $\pi$ beyond the fact that it should be a valid
homomorphic signature on vector~\eqref{eq:vector}. homomorphic signature on vector~\eqref{eq:vector}.
@ -345,11 +345,11 @@ If DDH holds in $\GG$, for each $k \in
\sigma_3, \pi)$, using $\mathsf{tk}=\{ \chi_i \}_{i=1}^{2\ell + 4}$ with the \QANIZK simulator \sigma_3, \pi)$, using $\mathsf{tk}=\{ \chi_i \}_{i=1}^{2\ell + 4}$ with the \QANIZK simulator
to computes $\pi$. to computes $\pi$.
\noindent\textbf{Case $\boldsymbol{j > k}$:} The last $Q - k - 1$ signing queries are computed as \textbf{Case $\boldsymbol{j > k}$:} The last $Q - k - 1$ signing queries are computed as
Type A signatures, which $\bdv$ is able to generate using the secret key $\omega \in \Zp$ he knows Type A signatures, which $\bdv$ is able to generate using the secret key $\omega \in \Zp$ he knows
and $\mathsf{crs}$ or $\mathsf{tk}=\{ \chi_i \}_{i=1}^{2\ell + 4}$ to produces valid proofs. and $\mathsf{crs}$ or $\mathsf{tk}=\{ \chi_i \}_{i=1}^{2\ell + 4}$ to produces valid proofs.
\noindent\textbf{Case $\boldsymbol{j = k}$:} In the $k$-th signing query $(m_1,\dots,m_\ell)$, $\bdv$ \textbf{Case $\boldsymbol{j = k}$:} In the $k$-th signing query $(m_1,\dots,m_\ell)$, $\bdv$
embeds the DDH instance in the signature and simulates either Game $2.k$ or Game $2.(k-1)$ embeds the DDH instance in the signature and simulates either Game $2.k$ or Game $2.(k-1)$
depending on whether $\eta = g^{ab}$ or $\eta = g^{a(b+c)}$ for some $c \in_R \Zp$. Namely, $\bdv$ computes $\sigma_2 = g^b$, $\sigma_3 = \eta$, depending on whether $\eta = g^{ab}$ or $\eta = g^{a(b+c)}$ for some $c \in_R \Zp$. Namely, $\bdv$ computes $\sigma_2 = g^b$, $\sigma_3 = \eta$,
and and
@ -391,17 +391,7 @@ If DDH holds in $\GG$, for each $k \in
relation~\eqref{eq:verif-proof} and we show this to only happen with probability $1/p$ for any $s_1\neq 0$ relation~\eqref{eq:verif-proof} and we show this to only happen with probability $1/p$ for any $s_1\neq 0$
meaning that Type $\mathrm{B}$ forgery passes the test with the same probability. meaning that Type $\mathrm{B}$ forgery passes the test with the same probability.
%\noindent And the goal of $\bdv$ is to decide if $(s_0, s_1) = (0, 0)$ or not. We notice that if
%$s_0 \neq 0$ and $s_1 = 0$, then the relation~\eqref{eq:verif-proof} cannot be satisfied. We then
%have the case $s_1 \neq 0$ left which implies that $s_0 = a\cdot s_1 \cdot (b_w + \sum_{i=1}^\ell
%b_{v_i} \cdot m_i^\star)$ to satisfy~\eqref{eq:verif-proof}, which can only happen with
%probability $1/p$.
From the entire game, and assuming a forgery which passes the test, we have the following linear system: From the entire game, and assuming a forgery which passes the test, we have the following linear system:
%On the other hand, the information that $\adv$ can infer about
%$(a_{v_1},\ldots, a_{v_\ell}, a_w, b_{v_1}, \ldots, b_{v_\ell}, b_w) \in \Zp^{2 \ell + 2}$
%during the game amounts to the first
%$\ell + 2$ rows of the right-hand-side member in the following linear system:
\[ \[
\left( \left(
\bgroup \bgroup
@ -467,7 +457,7 @@ If DDH holds in $\GG$, for each $k \in
% \mathsf{pk}_{hsps}, \{ (z_j, r_j) \}_{j=1}^{\ell + 2} \Bigr) % \mathsf{pk}_{hsps}, \{ (z_j, r_j) \}_{j=1}^{\ell + 2} \Bigr)
%\end{multline*} %\end{multline*}
\noindent $\bdv$ also retains $\mathsf{tk} = \{ \chi_i \}_{i=1}^{2\ell + 4}$ to handle $\bdv$ also retains $\mathsf{tk} = \{ \chi_i \}_{i=1}^{2\ell + 4}$ to handle
signing queries. We recall that during the game, signing queries are answered by returning a signing queries. We recall that during the game, signing queries are answered by returning a
Type B signature so that, using $\mathsf{tk}$, $\bdv$ can answer all queries without knowing the Type B signature so that, using $\mathsf{tk}$, $\bdv$ can answer all queries without knowing the
$\omega = \log_h(\Omega)$ which is part of the CDH challenge. $\omega = \log_h(\Omega)$ which is part of the CDH challenge.
@ -609,7 +599,6 @@ clear), proving knowledge of a valid signature still requires proving a statem
% and $0$ otherwise. % and $0$ otherwise.
\end{enumerate} \end{enumerate}
\noindent
It is worth noticing that no pairing evaluation is required until the final step of $\mathsf{Verify}$, which is almost as efficient as the verification of It is worth noticing that no pairing evaluation is required until the final step of $\mathsf{Verify}$, which is almost as efficient as the verification of
underlying signatures. underlying signatures.
Moreover, the prover's first message $\mathsf{com}$ is of constant-size and the communication complexity of the protocol exceeds the length of the witness by Moreover, the prover's first message $\mathsf{com}$ is of constant-size and the communication complexity of the protocol exceeds the length of the witness by
@ -733,7 +722,7 @@ This concludes the proof. % TODO: ugly
At a high level, the protocol involves a committer who wants to get a signature on ${\mathbf{m}}=(m_1,\ldots,m_\ell)$ and first computes a commitment of the form $c_v=v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot u^{r}$, where $u$ is the extra public parameter (with unknown discrete log). The signer gives back elements of the form $\tau_1=g^\omega c_v^s$, $\tau_2=g^s$, $\tau_3=h^s$ which is almost the desired signature. To get the component $\sigma_1$ of the right form relatively to $\tau_2,\tau_3$ the committer has to remove the factor $u^{rs}$ from $\tau_1$. Then, the signer also sends $\tau_0=u^s$ to enable removing $\tau_0^r$. At a high level, the protocol involves a committer who wants to get a signature on ${\mathbf{m}}=(m_1,\ldots,m_\ell)$ and first computes a commitment of the form $c_v=v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot u^{r}$, where $u$ is the extra public parameter (with unknown discrete log). The signer gives back elements of the form $\tau_1=g^\omega c_v^s$, $\tau_2=g^s$, $\tau_3=h^s$ which is almost the desired signature. To get the component $\sigma_1$ of the right form relatively to $\tau_2,\tau_3$ the committer has to remove the factor $u^{rs}$ from $\tau_1$. Then, the signer also sends $\tau_0=u^s$ to enable removing $\tau_0^r$.
In the protocol some randomizing steps are included as well as other additional components allowing the committer to extract $\pi$, the \QANIZK part of the signature. In the security proof of the protocol we thus have to show that the additional value $\tau_0=u^s$ does not affect the unforgeability of the signature. \smallskip In the protocol some randomizing steps are included as well as other additional components allowing the committer to extract $\pi$, the \QANIZK part of the signature. In the security proof of the protocol we thus have to show that the additional value $\tau_0=u^s$ does not affect the unforgeability of the signature. \smallskip
\noindent \textbf{The protocol.} \textbf{The protocol.}
% %
At the beginning of a new run of the protocol, the committer has a vector ${\mathbf{m}}=(m_1,\ldots,m_\ell)$, the public-key of the signature scheme and the extra generator $u\in\GG$ (which can be a hashed point), the signer also has the secret key of the signature scheme but not ${\mathbf{m}}$. At the beginning of a new run of the protocol, the committer has a vector ${\mathbf{m}}=(m_1,\ldots,m_\ell)$, the public-key of the signature scheme and the extra generator $u\in\GG$ (which can be a hashed point), the signer also has the secret key of the signature scheme but not ${\mathbf{m}}$.
To get a signature on ${\mathbf{m}}$, the committer picks $r\sample \U(\Zp)$ and computes a perfectly hiding commitment $c_v=v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot u^{r}\in\GG$. To get a signature on ${\mathbf{m}}$, the committer picks $r\sample \U(\Zp)$ and computes a perfectly hiding commitment $c_v=v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot u^{r}\in\GG$.
@ -767,12 +756,12 @@ Finally the user checks the validity of the signature. Depending on the validity
We notice that the number of transmitted group elements is constant and no pairing is needed before the signature verification phase. We notice that the number of transmitted group elements is constant and no pairing is needed before the signature verification phase.
In comparison, the construction of \cite{CL02a} requires groups of larger hidden order and their protocol for signing committed message blocks requires a linear number of range proofs. \smallskip In comparison, the construction of \cite{CL02a} requires groups of larger hidden order and their protocol for signing committed message blocks requires a linear number of range proofs. \smallskip
\noindent \textbf{Security.} \textbf{Security.}
% %
We briefly sketch the proof of the above protocol in front of malicious entities since classical arguments can be applied. Assuming that the committer uses secure ZKPK and does not output $\bot$, a malicious signer which receives perfectly hiding commitments $c_v,c_z$ cannot tell apart an honest proof from a simulated proof. Consequently the signer learns nothing from ${\mathbf{m}}$ during the execution of the protocol. We briefly sketch the proof of the above protocol in front of malicious entities since classical arguments can be applied. Assuming that the committer uses secure ZKPK and does not output $\bot$, a malicious signer which receives perfectly hiding commitments $c_v,c_z$ cannot tell apart an honest proof from a simulated proof. Consequently the signer learns nothing from ${\mathbf{m}}$ during the execution of the protocol.
In the other case, we have to show that a corrupted committer remains unable to produce valid signature on a new vector ${\mathbf{m}^\star}$. First, since the generation of $u$ is not under the controlled of the committer but of the random oracle, $u$ can be made independent of rest of $\mathsf{pk}$. Then, we only need to show that the signature remains unforgeable when $\tau_0$ is given in the signature. Since ${\mathbf{m}}$ and $s$ can be extracted from the proof of knowledge the reduction can output a signature on ${\mathbf{m}}$. Moreover it is easy to see from the security proof (in \cref{sse:sigmasig-qa-nizk}) of the signature how this additional element can be simulated. Actually the only place in the reduction where $\tau_0$ could not be computed directly as $u^s$ for a known $s$ is when the challenger $\bdv$ has to embed an $\SXDH$ challenge in a simulated signature. Given ($g,h,g^b,h^{b+c}$), $\bdv$ can compute $u=g^{a_u}h^{b_u}$ from random $a_u,b_u\gets\Zp$ and program the random oracle to output this element $u$ as the specification of the public-key would do. Then to simulate $\tau_0$ $\bdv$ simply has to compute $\tau_0=(g^b)^{a_u}(h^{b+c})^{b_v}=u^bh^{c\cdot b_v}$ which is $u^b$ or random. The rest of the reduction remains unchanged since the value $a_u,b_u$ are completely independent of those already described in the sketch of proof in \cref{sse:sigmasig-qa-nizk}. \smallskip In the other case, we have to show that a corrupted committer remains unable to produce valid signature on a new vector ${\mathbf{m}^\star}$. First, since the generation of $u$ is not under the controlled of the committer but of the random oracle, $u$ can be made independent of rest of $\mathsf{pk}$. Then, we only need to show that the signature remains unforgeable when $\tau_0$ is given in the signature. Since ${\mathbf{m}}$ and $s$ can be extracted from the proof of knowledge the reduction can output a signature on ${\mathbf{m}}$. Moreover it is easy to see from the security proof (in \cref{sse:sigmasig-qa-nizk}) of the signature how this additional element can be simulated. Actually the only place in the reduction where $\tau_0$ could not be computed directly as $u^s$ for a known $s$ is when the challenger $\bdv$ has to embed an $\SXDH$ challenge in a simulated signature. Given ($g,h,g^b,h^{b+c}$), $\bdv$ can compute $u=g^{a_u}h^{b_u}$ from random $a_u,b_u\gets\Zp$ and program the random oracle to output this element $u$ as the specification of the public-key would do. Then to simulate $\tau_0$ $\bdv$ simply has to compute $\tau_0=(g^b)^{a_u}(h^{b+c})^{b_v}=u^bh^{c\cdot b_v}$ which is $u^b$ or random. The rest of the reduction remains unchanged since the value $a_u,b_u$ are completely independent of those already described in the sketch of proof in \cref{sse:sigmasig-qa-nizk}. \smallskip
\noindent \textbf{Remark.} \textbf{Remark.}
% %
Since a malicious signer may know the simulation trapdoor $\mathsf{tk}=\{\chi_i\}_{i=1}^{2\ell+4}$ of the underlying \QANIZK argument, he could produce valid signature so that $\log_g \sigma_2\neq\log_h \sigma_3$. Then, if the committer later needs to proof knowledge of the received signature it then has to use the sigma protocol of Section~\ref{scal-sig} where both $\sigma_2$ and $\sigma_3$ only appear in committed form. Since a malicious signer may know the simulation trapdoor $\mathsf{tk}=\{\chi_i\}_{i=1}^{2\ell+4}$ of the underlying \QANIZK argument, he could produce valid signature so that $\log_g \sigma_2\neq\log_h \sigma_3$. Then, if the committer later needs to proof knowledge of the received signature it then has to use the sigma protocol of Section~\ref{scal-sig} where both $\sigma_2$ and $\sigma_3$ only appear in committed form.
@ -784,14 +773,14 @@ Since a malicious signer may know the simulation trapdoor $\mathsf{tk}=\{\chi_i
We adapt the protocol of section~\ref{scal-sig} to build a dynamic group We adapt the protocol of section~\ref{scal-sig} to build a dynamic group
signature~\cite{BSZ05,KY06}. signature~\cite{BSZ05,KY06}.
\indent At a high level, each group member obtains a membership certificate consisting of a signature $(\sigma_1,\sigma_2,\sigma_3,\pi)$ on At a high level, each group member obtains a membership certificate consisting of a signature $(\sigma_1,\sigma_2,\sigma_3,\pi)$ on
a message $\ID \in \Zp$ which is only known to the group member. During the joining protocol, each group member thus obtains a signature a message $\ID \in \Zp$ which is only known to the group member. During the joining protocol, each group member thus obtains a signature
on a committed message $\ID \in \Zp$. Here, we use a deterministic commitment to $\ID$, which suffices to ensure security against framing attacks and allows for a better on a committed message $\ID \in \Zp$. Here, we use a deterministic commitment to $\ID$, which suffices to ensure security against framing attacks and allows for a better
efficiency. When signing a message, each group member verifiably encrypts the components $(\sigma_1,\pi)$ of his membership certificate that depend on $\ID$ (and not $\sigma_2,\sigma_3$ which can be assumed to be honestly computed here, unlike in the previous section). efficiency. When signing a message, each group member verifiably encrypts the components $(\sigma_1,\pi)$ of his membership certificate that depend on $\ID$ (and not $\sigma_2,\sigma_3$ which can be assumed to be honestly computed here, unlike in the previous section).
For the sake of efficiency, we use a randomness re-using \cite{BBKS07} variant of the Cramer-Shoup encryption scheme \cite{CS98} whereby $\sigma_1$ and $\pi$ are both encrypted using For the sake of efficiency, we use a randomness re-using \cite{BBKS07} variant of the Cramer-Shoup encryption scheme \cite{CS98} whereby $\sigma_1$ and $\pi$ are both encrypted using
the same encryption exponent $\theta \in \Zp$. For public verifiability purposes, the validity of Cramer-Shoup ciphertexts is demonstrated using the same encryption exponent $\theta \in \Zp$. For public verifiability purposes, the validity of Cramer-Shoup ciphertexts is demonstrated using
$\Sigma$-protocols and the Fiat-Shamir heuristic \cite{FS86} (somewhat in the fashion of \cite{SG98}) rather than designated verifier $\NIZK$ proofs \cite{CS98}. \\ $\Sigma$-protocols and the Fiat-Shamir heuristic \cite{FS86} (somewhat in the fashion of \cite{SG98}) rather than designated verifier $\NIZK$ proofs \cite{CS98}.
\indent
In the join protocol, the user proves knowledge of his membership secret $\ID \in \Zp$ in a zero-knowledge manner, which restricts the group manager to sequentially interact In the join protocol, the user proves knowledge of his membership secret $\ID \in \Zp$ in a zero-knowledge manner, which restricts the group manager to sequentially interact
with prospective users. However, this limitation can be removed using an extractable commitment as in \cite{DP06}. with prospective users. However, this limitation can be removed using an extractable commitment as in \cite{DP06}.
@ -1160,7 +1149,7 @@ It comes that $\Pr[W_5]=1/2$. \medskip
\begin{proof} \begin{proof}
Let us assume that an adversary $\adv$ wins with noticeably different probabilities in Game $4$ and Game $3$. We Let us assume that an adversary $\adv$ wins with noticeably different probabilities in Game $4$ and Game $3$. We
then construct a DDH distinguisher $\bdv$ from $\adv$. then construct a DDH distinguisher $\bdv$ from $\adv$.
\\ \indent
Our reduction $\bdv$ takes as input a DDH instance $(g^a, g^b, \eta)$, where $\eta = g^{a(b+c)}$ and has to Our reduction $\bdv$ takes as input a DDH instance $(g^a, g^b, \eta)$, where $\eta = g^{a(b+c)}$ and has to
decide with non-negligible probability $\varepsilon$ whether $c = 0$ or $c \in_R \Zp$. To achieve this, $\bdv$ sets $h = g^a$ and computes the challenge signature as $ C_1 = g^b$ and $ C_2 = \eta$. decide with non-negligible probability $\varepsilon$ whether $c = 0$ or $c \in_R \Zp$. To achieve this, $\bdv$ sets $h = g^a$ and computes the challenge signature as $ C_1 = g^b$ and $ C_2 = \eta$.
The rest of the game continues like in Game $3$ (which is also the same as in Game $2$). The rest of the game continues like in Game $3$ (which is also the same as in Game $2$).
@ -1222,27 +1211,28 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re
%from Bernhard~{\em et~al.}~\cite{BFW15}, %from Bernhard~{\em et~al.}~\cite{BFW15},
which consists in implicitly rewinding the zero-knowledge proof by running the adversary twice and changing the outputs of the random oracle after the hash query that involves which consists in implicitly rewinding the zero-knowledge proof by running the adversary twice and changing the outputs of the random oracle after the hash query that involves
the forgery message. The Forking Lemma~\cite{PS00} -- more precisely, its generalization given by Bellare and Neven~\cite{BN06} -- ensures that, after two runs of the adversary, the forgery message. The Forking Lemma~\cite{PS00} -- more precisely, its generalization given by Bellare and Neven~\cite{BN06} -- ensures that, after two runs of the adversary,
the reduction can extract witnesses of which knowledge is demonstrated by the signature of knowledge.\\ the reduction can extract witnesses of which knowledge is demonstrated by the signature of knowledge.
%After the extraction, the reduction can then call the corresponding oracles to simulate the game without having %After the extraction, the reduction can then call the corresponding oracles to simulate the game without having
%information it does not hold. %information it does not hold.
\indent Let us assume an attacker $\adv$ against the misidentification game that wins with non-negligible
Let us assume an attacker $\adv$ against the misidentification game that wins with non-negligible
probability $\varepsilon$. We build an adversary $\bdv$ against the chosen-message security of the signature probability $\varepsilon$. We build an adversary $\bdv$ against the chosen-message security of the signature
scheme of section~\ref{scal-sig}. \medskip scheme of section~\ref{scal-sig}. \medskip
\\
\noindent \textit{Keygen.} At the key generation, $\bdv$ invokes its own challenger for the chosen-message security game to obtain the \textit{Keygen.} At the key generation, $\bdv$ invokes its own challenger for the chosen-message security game to obtain the
public key $\pk_s$ for the signature scheme. $\pk_s$ is embedded in the group public key $\gspk$. Except for $\mathcal{S}_\GM$, all keys public key $\pk_s$ for the signature scheme. $\pk_s$ is embedded in the group public key $\gspk$. Except for $\mathcal{S}_\GM$, all keys
are generated as in the normal are generated as in the normal
\textsf{Keygen} algorithm. \medskip \textsf{Keygen} algorithm. \medskip
\\
\noindent \textit{Join.} To answer joining queries without knowing $\sk_s$, $\bdv$ uses the knowledge extractor of the proof \textit{Join.} To answer joining queries without knowing $\sk_s$, $\bdv$ uses the knowledge extractor of the proof
of knowledge of $\ID = \log_v(V_\ID)$ to extract the identity to be signed. Namely, on a of knowledge of $\ID = \log_v(V_\ID)$ to extract the identity to be signed. Namely, on a
\textsf{Join} query, the reduction $\bdv$ rewinds the adversary $\adv$ in order to extract the witness $\ID=\log_v(V_{\ID})$ of which $\adv$ demonstrates knowledge at step 3 of the \textsf{Join} query, the reduction $\bdv$ rewinds the adversary $\adv$ in order to extract the witness $\ID=\log_v(V_{\ID})$ of which $\adv$ demonstrates knowledge at step 3 of the
join protocol. Having extracted $\ID \in \Zp$, $\bdv$ invokes its own join protocol. Having extracted $\ID \in \Zp$, $\bdv$ invokes its own
signing oracle on the message $\ID$ to obtain $(\sigma_1, \sigma_2, \sigma_3, z, r)$. Then, $\bdv$ returns $\crt_i=(i,V_{\ID},\sigma_1,\sigma_2,\sigma_3,z,r)$ as in a normal execution signing oracle on the message $\ID$ to obtain $(\sigma_1, \sigma_2, \sigma_3, z, r)$. Then, $\bdv$ returns $\crt_i=(i,V_{\ID},\sigma_1,\sigma_2,\sigma_3,z,r)$ as in a normal execution
of the join protocol. of the join protocol.
\medskip \medskip
\\
\noindent At some point, the attacker $\adv$ produces a valid forgery At some point, the attacker $\adv$ produces a valid forgery
\[ (M^\star, \Sigma^\star = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star, \[ (M^\star, \Sigma^\star = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star,
\tilde \sigma_2^\star, \tilde \sigma_3^\star, c^\star, s_\ID^\star, s_\theta^\star))\] for \tilde \sigma_2^\star, \tilde \sigma_3^\star, c^\star, s_\ID^\star, s_\theta^\star))\] for
which the opening algorithm does not reveal a properly registered identity. With all but negligible probability, $\adv$ must have queried the random oracle value which the opening algorithm does not reveal a properly registered identity. With all but negligible probability, $\adv$ must have queried the random oracle value
@ -1286,8 +1276,9 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re
In the ROM, the scheme is secure against framing attacks under the SDL assumption. In the ROM, the scheme is secure against framing attacks under the SDL assumption.
\end{theorem} \end{theorem}
\begin{proof} Let us assume that a PPT adversary $\adv$ can create, with advantage $\varepsilon$, a forgery $(M^\star,\sigma^\star)$ that opens to some honest user $i\in U^b$ who did not sign $M^\star$. We give a reduction $\bdv$ that uses $\adv$ to break SDL. \\ \begin{proof} Let us assume that a PPT adversary $\adv$ can create, with advantage $\varepsilon$, a forgery $(M^\star,\sigma^\star)$ that opens to some honest user $i\in U^b$ who did not sign $M^\star$. We give a reduction $\bdv$ that uses $\adv$ to break SDL.
\indent Algorithm $\bdv$ takes as input an SDL instance $(g,\hat{g},g^a,\hat{g}^a)$ and uses its interaction with the adversary $\adv$ to compute $a \in \Zp$.
Algorithm $\bdv$ takes as input an SDL instance $(g,\hat{g},g^a,\hat{g}^a)$ and uses its interaction with the adversary $\adv$ to compute $a \in \Zp$.
To generate the group public key $\gspk$, $\bdv$ runs all the steps of the real setup algorithm $\textsf{Keygen}$ except step 1. To generate the group public key $\gspk$, $\bdv$ runs all the steps of the real setup algorithm $\textsf{Keygen}$ except step 1.
At step 1, $\bdv$ defines the generators $g,\hat{g}$ in $\pk_s$ to be those of its input and computes $h=g^{\alpha_h}$, $v=g^{\alpha_v}$, $w=g^{\alpha_w}$, $\hat{g}_z=\hat{g}^{\alpha_z}$ for randomly chosen scalars $\alpha_h,\alpha_v,\alpha_w,\alpha_z \sample \U(\Zp)$. At step 1, $\bdv$ defines the generators $g,\hat{g}$ in $\pk_s$ to be those of its input and computes $h=g^{\alpha_h}$, $v=g^{\alpha_v}$, $w=g^{\alpha_w}$, $\hat{g}_z=\hat{g}^{\alpha_z}$ for randomly chosen scalars $\alpha_h,\alpha_v,\alpha_w,\alpha_z \sample \U(\Zp)$.
In order to compute $\{z_j\}_{j=1}^3$ of $\mathsf{crs}$ contained in $\pk_s$, $\bdv$ chooses $\mathsf{tk}=\{\chi_j\}_{j=1}^6$ of step 4 of the key generation algorithm of the signature scheme of Section \ref{scal-sig} with $\ell=1$. (Note that when $\ell=1$, $n=6$ and that $\{z_j\}_{j=1}^3$ are \QANIZK argument for the vectors $(g,1,1,1,1,h)$, $(v,g,1,h,1,1)$ and $(w,1,g,1,h,1)$. Moreover $\{\hat{g}_i=\hat{g}_z^{\chi_i}\}_{i=1}^6$ are the verifying key.) In order to compute $\{z_j\}_{j=1}^3$ of $\mathsf{crs}$ contained in $\pk_s$, $\bdv$ chooses $\mathsf{tk}=\{\chi_j\}_{j=1}^6$ of step 4 of the key generation algorithm of the signature scheme of Section \ref{scal-sig} with $\ell=1$. (Note that when $\ell=1$, $n=6$ and that $\{z_j\}_{j=1}^3$ are \QANIZK argument for the vectors $(g,1,1,1,1,h)$, $(v,g,1,h,1,1)$ and $(w,1,g,1,h,1)$. Moreover $\{\hat{g}_i=\hat{g}_z^{\chi_i}\}_{i=1}^6$ are the verifying key.)
@ -1343,8 +1334,8 @@ chooses $c, s_\ID, s_\theta\in\Zp$ and computes $R_1,R_2,R_3,R_4$ as in
The probability to fail at one signing query is $\leq q_s/p^3$, where The probability to fail at one signing query is $\leq q_s/p^3$, where
$q_s$ is the number of signing queries. $q_s$ is the number of signing queries.
\end{itemize} \end{itemize}
%
\noindent When $\adv$ halts, it presumably frames some honest user ${i^\star} \in U^b$ by outputting a signature When $\adv$ halts, it presumably frames some honest user ${i^\star} \in U^b$ by outputting a signature
\begin{align*} \begin{align*}
\Sigma^\star = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star, \tilde \sigma_2^\star, \tilde \sigma_3^\star, c^\star, s_\ID^\star, s_\theta^\star) , \quad \Sigma^\star = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star, \tilde \sigma_2^\star, \tilde \sigma_3^\star, c^\star, s_\ID^\star, s_\theta^\star) , \quad
\end{align*} \end{align*}

View File

@ -70,6 +70,7 @@
\newcommand{\softO}{\ensuremath{\tilde{\mathcal{O}}}} \newcommand{\softO}{\ensuremath{\tilde{\mathcal{O}}}}
\newcommand{\Span}{\ensuremath{\mathrm{span}}\xspace} \newcommand{\Span}{\ensuremath{\mathrm{span}}\xspace}
\newcommand{\U}{\ensuremath{\mathcal U}} \newcommand{\U}{\ensuremath{\mathcal U}}
\newcommand{\Supp}{\mathrm{Supp}}
% Sets % Sets
%% Usual sets %% Usual sets

View File

@ -160,13 +160,11 @@ The proof of the theorem relies on standard simulation and extraction techniques
We now will prove that the protocol is a statistical zero-knowledge argument of knowledge for the relation $\mathrm{R_{abstract}}$ and is given below. We now will prove that the protocol is a statistical zero-knowledge argument of knowledge for the relation $\mathrm{R_{abstract}}$ and is given below.
\smallskip \smallskip
\noindent
\scbf{Zero-Knowledge Property. } We construct a \textsf{PPT} simulator $\mathsf{SIM}$ interacting with a (possibly dishonest) verifier $\widehat{\mathcal{V}}$, such that, given only the public input, $\mathsf{SIM}$ outputs with probability negligibly close to $2/3$ a simulated transcript that is statistically close to the one produced by the honest prover in the real interaction. \scbf{Zero-Knowledge Property. } We construct a \textsf{PPT} simulator $\mathsf{SIM}$ interacting with a (possibly dishonest) verifier $\widehat{\mathcal{V}}$, such that, given only the public input, $\mathsf{SIM}$ outputs with probability negligibly close to $2/3$ a simulated transcript that is statistically close to the one produced by the honest prover in the real interaction.
The simulator first chooses a random $\overline{Ch} \in \{1,2,3\}$. This is a prediction of the challenge value that $\widehat{\mathcal{V}}$ will \emph{not} choose. The simulator first chooses a random $\overline{Ch} \in \{1,2,3\}$. This is a prediction of the challenge value that $\widehat{\mathcal{V}}$ will \emph{not} choose.
\smallskip \smallskip
\noindent
\begin{description} \begin{description}
\item[\textsf{Case} $\overline{Ch}=1$]: Using basic linear algebra over $\mathbb{Z}_q$, $\mathsf{SIM}$ computes a vector $\mathbf{w}' \in \mathbb{Z}_q^D$ such that $\mathbf{M}\cdot \mathbf{w}' = \mathbf{v} \bmod q.$ \item[\textsf{Case} $\overline{Ch}=1$]: Using basic linear algebra over $\mathbb{Z}_q$, $\mathsf{SIM}$ computes a vector $\mathbf{w}' \in \mathbb{Z}_q^D$ such that $\mathbf{M}\cdot \mathbf{w}' = \mathbf{v} \bmod q.$
Next, it samples $\mathbf{r} \hookleftarrow \U(\mathbb{Z}_q^D)$, $\pi \hookleftarrow \U(\mathcal{S})$, and randomnesses $\rho_1, \rho_2, \rho_3$ for $\mathsf{COM}$. Next, it samples $\mathbf{r} \hookleftarrow \U(\mathbb{Z}_q^D)$, $\pi \hookleftarrow \U(\mathcal{S})$, and randomnesses $\rho_1, \rho_2, \rho_3$ for $\mathsf{COM}$.
@ -187,7 +185,6 @@ The proof of the theorem relies on standard simulation and extraction techniques
\smallskip \smallskip
\noindent
\item[\textsf{Case} $\overline{Ch}=2$:] $\mathsf{SIM}$ samples $\mathbf{w}' \hookleftarrow \U(\mathsf{VALID})$, $\mathbf{r} \hookleftarrow \U(\mathbb{Z}_q^D)$, $\pi \hookleftarrow \U(\mathcal{S})$, and randomnesses $\rho_1, \rho_2, \rho_3$ for $\mathsf{COM}$. \item[\textsf{Case} $\overline{Ch}=2$:] $\mathsf{SIM}$ samples $\mathbf{w}' \hookleftarrow \U(\mathsf{VALID})$, $\mathbf{r} \hookleftarrow \U(\mathbb{Z}_q^D)$, $\pi \hookleftarrow \U(\mathcal{S})$, and randomnesses $\rho_1, \rho_2, \rho_3$ for $\mathsf{COM}$.
Then it sends the commitment $\mathrm{CMT}= \big(C'_1, C'_2, C'_3\big)$ to $\widehat{\mathcal{V}}$, where Then it sends the commitment $\mathrm{CMT}= \big(C'_1, C'_2, C'_3\big)$ to $\widehat{\mathcal{V}}$, where
@ -207,7 +204,6 @@ The proof of the theorem relies on standard simulation and extraction techniques
\smallskip \smallskip
\noindent
\item[Case $\overline{Ch}=3$:] $\mathsf{SIM}$ samples $\mathbf{w}' \hookleftarrow \U(\mathsf{VALID})$, $\mathbf{r} \hookleftarrow \U(\mathbb{Z}_q^D)$, $\pi \hookleftarrow \U(\mathcal{S})$, and randomnesses $\rho_1, \rho_2, \rho_3$ for $\mathsf{COM}$. \item[Case $\overline{Ch}=3$:] $\mathsf{SIM}$ samples $\mathbf{w}' \hookleftarrow \U(\mathsf{VALID})$, $\mathbf{r} \hookleftarrow \U(\mathbb{Z}_q^D)$, $\pi \hookleftarrow \U(\mathcal{S})$, and randomnesses $\rho_1, \rho_2, \rho_3$ for $\mathsf{COM}$.
Then it sends the commitment $\mathrm{CMT}= \big(C'_1, C'_2, C'_3\big)$ to $\widehat{\mathcal{V}}$, where Then it sends the commitment $\mathrm{CMT}= \big(C'_1, C'_2, C'_3\big)$ to $\widehat{\mathcal{V}}$, where
@ -225,12 +221,10 @@ The proof of the theorem relies on standard simulation and extraction techniques
\end{description} \end{description}
\smallskip \smallskip
\noindent
We observe that, in all the above cases, since $\mathsf{COM}$ is statistically hiding, the distribution of the commitment $\mathrm{CMT}$ and the distribution of the challenge~$Ch$ from~$\widehat{\mathcal{V}}$ are statistically close to those in the real interaction. Hence, the probability that the simulator outputs~$\bot$ is negligibly close to~$1/3$. Moreover, one can check that whenever the simulator does not halt, it will provide an accepted transcript, the distribution of which is statistically close to that of the prover in the real interaction. In other words, we have designed a simulator that can successfully emulate the honest prover with probability negligibly far from~$2/3$. We observe that, in all the above cases, since $\mathsf{COM}$ is statistically hiding, the distribution of the commitment $\mathrm{CMT}$ and the distribution of the challenge~$Ch$ from~$\widehat{\mathcal{V}}$ are statistically close to those in the real interaction. Hence, the probability that the simulator outputs~$\bot$ is negligibly close to~$1/3$. Moreover, one can check that whenever the simulator does not halt, it will provide an accepted transcript, the distribution of which is statistically close to that of the prover in the real interaction. In other words, we have designed a simulator that can successfully emulate the honest prover with probability negligibly far from~$2/3$.
\medskip \medskip
\noindent
\scbf{Argument of Knowledge.} Let us assume that \scbf{Argument of Knowledge.} Let us assume that
\begin{gather*} \begin{gather*}
\mathrm{RSP}_1 = (\mathbf{t}_x, \mathbf{t}_r, \rho_{2}^{(1)}, \rho_{3}^{(1)}), \qquad \mathrm{RSP}_1 = (\mathbf{t}_x, \mathbf{t}_r, \rho_{2}^{(1)}, \rho_{3}^{(1)}), \qquad

View File

@ -13,6 +13,7 @@
$\mathbf{A}^T_{}, \mathbf{u}^T_{}$ & the transpose of a matrix or a vector respectively \\ $\mathbf{A}^T_{}, \mathbf{u}^T_{}$ & the transpose of a matrix or a vector respectively \\
$\mathbf{I}_n$ & the $n$ dimension identity matrix in $\RR^{n \times n}$ \\ $\mathbf{I}_n$ & the $n$ dimension identity matrix in $\RR^{n \times n}$ \\
$\U(S)$ & If $S$ is a finite set, $\U(S)$ denotes the uniform distribution over $S$\\ $\U(S)$ & If $S$ is a finite set, $\U(S)$ denotes the uniform distribution over $S$\\
$\Supp(D)$ & If $D$ is a probability distribution, $\Supp(D)$ denotes the support of $D$ \\
$\Pr[E]$ & Probability that an event $E$ occurs \\ $\Pr[E]$ & Probability that an event $E$ occurs \\
[1ex] \multicolumn{2}{l}{\scbf{Usual sets}} \\ [1ex] \multicolumn{2}{l}{\scbf{Usual sets}} \\
$\QQ$ & the set of rational numbers \\ $\QQ$ & the set of rational numbers \\

View File

@ -887,6 +887,7 @@
@InProceedings{Lin08, @InProceedings{Lin08,
author = {Lindell, Andrew Y.}, author = {Lindell, Andrew Y.},
title = {Efficient Fully-Simulatable Oblivious Transfer}, title = {Efficient Fully-Simulatable Oblivious Transfer},
booktitle = {CT-RSA},
year = {2008}, year = {2008},
series = {LNCS}, series = {LNCS},
journaltitle = {CT-RSA}, journaltitle = {CT-RSA},
@ -2811,4 +2812,14 @@
publisher = {ACM}, publisher = {ACM},
} }
@InProceedings{Pre17,
author = {Prest, Thomas},
title = {{Sharper Bounds in Lattice-Based Cryptography Using the Rényi Divergence}},
booktitle = {Asiacrypt},
year = {2017},
series = {LNCS},
pages = {347--374},
publisher = {Springer},
}
@Comment{jabref-meta: databaseType:bibtex;} @Comment{jabref-meta: databaseType:bibtex;}