Add GS-LWE introduction
This commit is contained in:
parent
afe5c83cf8
commit
b7e10e24f5
257
chap-GS-LWE.tex
@ -1,12 +1,93 @@
|
|||||||
|
\section{Introduction}
|
||||||
|
|
||||||
|
In this Chapter, we present the first dynamic group signature scheme that relies on lattice assumptions.
|
||||||
|
This construction relies on a signature scheme with efficient protocols as in~\cref{ch:sigmasig}, and it is used in a similar fashion.
|
||||||
|
As a consequence, it is possible to construct lattice-based anonymous credential from this building block.
|
||||||
|
The group signature scheme relies on the Gentry, Peikert and Vaikuntanathan identity-based encryption~\cite{GPV08} with the Canetti, Halevi and Katz~\cite{CHK04} in order to obtain a CCA2-secure public key encryption scheme which will be used to provide full-anonymity.
|
||||||
|
|
||||||
|
The group signature security is proven secure in the \ROM under the \SIS and \LWE assumptions, which are fixed-size and well studied assumptions.
|
||||||
|
For security parameter $\lambda$ and for group of up to $\Ngs$ members, the scheme features public key size $\softO(\lambda^2) \cdot \log \Ngs$, user's secret key size $\softO(\lambda)$ and signature size $\softO(\lambda) \cdot \log \Ngs$.
|
||||||
|
Our scheme thus achieves a level of efficiency comparable to recent proposals based on standard (i.e. non-ideal) lattices~\cite{LLLS13,NZZ15,LNW15,LLNW16} in the static setting as depicted in \cref{table:lattice-gs-comparison}.
|
||||||
|
In particular, the cost of moving to dynamic group is reasonable: while using the scheme from~\cite{LNW15} as a building block, our construction lengthens the signature size only by a (small) constant factor.
|
||||||
|
|
||||||
|
\begin{table}
|
||||||
|
\scriptsize \centering
|
||||||
|
\begin{tabular}{|c||c|c|c|c|c|c|c|}
|
||||||
|
\hline
|
||||||
|
% after \\: \hline or \cline{col1-col2} \cline{col3-col4} ...
|
||||||
|
Scheme & \cite{LLLS13} & \cite{NZZ15} & \cite{LNW15} & \cite{LLNW16} & Ours \\
|
||||||
|
\hline
|
||||||
|
\rule{0pt}{3ex}
|
||||||
|
Group PK & $\widetilde{\mathcal{O}}(\lambda^2)\cdot \log N_\mathsf{gs}$ & $\widetilde{\mathcal{O}}(\lambda^2)$ & $\widetilde{\mathcal{O}}(\lambda^2)\cdot \log N_\mathsf{gs}$ & $\widetilde{\mathcal{O}}(\lambda^2)$& $\widetilde{\mathcal{O}}(\lambda^2)\cdot \log N_\mathsf{gs}$ \\
|
||||||
|
\hline
|
||||||
|
\rule{0pt}{3ex}
|
||||||
|
User's SK & $\widetilde{\mathcal{O}}(\lambda^2)$ & $\widetilde{\mathcal{O}}(\lambda^2)$ & $\widetilde{\mathcal{O}}(\lambda)$ &$\widetilde{\mathcal{O}}(\lambda)\cdot \log N_\mathsf{gs} $ & $\widetilde{\mathcal{O}}(\lambda)$ \\
|
||||||
|
\hline
|
||||||
|
\rule{0pt}{3ex}
|
||||||
|
Signature & $\widetilde{\mathcal{O}}(\lambda)\cdot \log N_\mathsf{gs}$ & $\widetilde{\mathcal{O}}(\lambda + \log^2 N_\mathsf{gs})$ & $\widetilde{\mathcal{O}}(\lambda)\cdot \log N_\mathsf{gs}$ & $\widetilde{\mathcal{O}}(\lambda)\cdot \log N_\mathsf{gs}$ & $ \widetilde{\mathcal{O}}(\lambda)\cdot \log N_\mathsf{gs}$ \\
|
||||||
|
\hline
|
||||||
|
\end{tabular}
|
||||||
|
\caption{Efficiency comparison among recent lattice-based group signatures for static groups and our dynamic scheme. The evaluation is done with respect to $2$ governing parameters: security parameter $\lambda$ and the maximum expected group size $N_\mathsf{gs}$. We do not include the earlier schemes~\cite{GKV10,CNR12} that have signature size $\widetilde{\mathcal{O}}(\lambda^2)\cdot N_\mathsf{gs}$.}
|
||||||
|
\label{table:lattice-gs-comparison}
|
||||||
|
\end{table}
|
||||||
|
|
||||||
|
The signature scheme with efficient protocols is here built upon the $\SIS$-based signature of Böhl \textit{et al.}~\cite{BHJ+15}, which is itself a variant of Boyen's signature~\cite{Boy10}.
|
||||||
|
The latter scheme involves a public key containing matrices $\mathbf{A}, \mathbf{A}_0, \ldots, \mathbf{A}_\ell \in \Zq^{n \times m}$ and signs an $\ell$-bit message $\mathfrak m \in \bit^\ell$ by computing a short vector $\mathbf{v} \in \ZZ^{2m}_{}$ such that ${[\mathbf{A} \mid \mathbf{A}_0 + \sum_{j=1}^\ell \mathfrak m[j] \mathbf{A}_j ]} \cdot \mathbf{v} = \mathbf 0^n \bmod q$.
|
||||||
|
The variant proposed by Böhl \textit{et al.} only uses a constant number of matrices $\mathbf{A}, \mathbf{A}_0, \mathbf{A}_1 \in \Zq^{n \times m}$ where each signature is assigned with a single-use tag $\tau$ and the public key involves an extra matrix $\mathbf{D} \in \Zq^{n \times m}$ and a vector $\mathbf{u} \in \Zq^n$.
|
||||||
|
A message $\mathfrak m$ is then signed by first applying a chameleon hash function $\mathbf{h} = \mathcal{H}(\mathfrak m, \mathbf{s}) \in \bit^m_{}$ and signing $\mathbf{h}$ by computing a short $\mathbf{v} \in \ZZ^{2m}_{}$ such that ${[\mathbf{A} \mid \mathbf{A}_0 + \tau \mathbf{A}_1 ]} \cdot \mathbf{v} = \mathbf{u} + \mathbf{D} \cdot \mathbf{h} \bmod q$.
|
||||||
|
|
||||||
|
Our scheme extends~\cite{BHJ+15} so that an $N$-block message $(\mathfrak m_1, \ldots, \mathfrak m_N) \in (\bit^L)^N$, for some $L \in \NN$, is signed by outputting a tag $\tau \in \bit^\ell$ and a short $\mathbf{v} \in \ZZ^{2m}$ such that ${[\mathbf{A} \mid \mathbf{A}_0 + \sum_{j=1}^\ell \tau[j] \mathbf{A}_j ]} \cdot \mathbf{v} = \mathbf{u} + \mathbf{D} \cdot \mathcal{H}(\mathfrak{m}_1, \ldots, \mathfrak{m}_N, \mathbf s) \bmod q$, where the chameleon hash function computes $\mathbf{c}_M = \mathbf D_0 \cdot \mathbf s + \sum_{k=1}^{N} \mathbf D_k \cdot \mathfrak{m}_k \bmod q$, for some short vector $\mathbf s$, before re-encoding $\mathbf c_M$ so as to enable multiplication by $\mathbf D$.
|
||||||
|
|
||||||
|
In order to obtain a signature scheme that possesses efficient protocols akin to Camenish and Lysyanskaya~\cite{CL02}, our idea is to have the tag $\tau \in \bit^\ell$ play the same role as the prime exponent in Strong-RSA-based schemes~\cite{CL02a}.
|
||||||
|
To adapt this idea in the context of signatures with efficient protocols, we have to overcome several difficulties.
|
||||||
|
The first one is to map $\mathbf c_M$ back in the domain of the chameleon hash function while preserving the compatibility with ZK proofs.
|
||||||
|
To solve this issue, we extend a technique used in~\cite{LLNW16} in order to build a ``zero-knowledge-friendly'' chameleon hash function.
|
||||||
|
This function hashes the message by outputting the coordinate-wise binary decomposition $\mathbf w$ of $\mathbf D_0 \cdot \mathbf s + \sum_{k=1}^{N} \mathbf D_k \cdot \mathfrak{m}_k$. Using the ``power-of-two'' matrix $\mathbf H = \mathbf I \otimes [ 1 \mid 2 \mid \cdots \mid 2^{\lceil \log q\rceil} ]$, we can prove that $\mathbf w = \mathcal{H}(\mathfrak{m}_1, \ldots, \mathfrak{m}_N, \mathbf s)$ by demonstrating the knowledge of short vectors $(\mathfrak{m}_1, \ldots, \mathfrak{m}_N, \mathbf s, \mathbf w)$ that verifies $\mathbf H \cdot \mathbf w = \mathbf D_0 \cdot \mathbf s + \sum_{k=1}^{N} \mathbf D_k \cdot \mathfrak{m}_k \bmod q$ which can be proven using the ZKAoK of \cref{sse:stern}.
|
||||||
|
|
||||||
|
The second problem is to prove knowledge of $(\tau,\mathbf{v},\mathbf{s})$ and $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$ satisfying $[\mathbf{A} \mid \mathbf{A}_0 + \sum_{j=1}^\ell
|
||||||
|
\tau[j] \cdot \mathbf{A}_j ] \cdot \mathbf{v} = \mathbf{u} + \mathbf{D} \cdot \mathsf{CMHash}(\mathfrak{m}_1,\ldots,\mathfrak{m}_N,\mathbf{s})$, without revealing any of the witnesses. To
|
||||||
|
this end, we provide a framework for proving all the involved statement (and many other relations that naturally arise in lattice-based cryptography) as
|
||||||
|
special cases. We reduce the statements to asserting that a short integer vector $\mathbf{x}$ satisfies an equation of the form $\mathbf{P} \cdot \mathbf{x} = \mathbf{v}
|
||||||
|
\bmod q$, for some public matrix $\mathbf{P}$ and vector~$\mathbf{v}$, and belongs to a set $\mathsf{VALID}$ of short vectors with a particular structure. While the
|
||||||
|
small-norm property of $\mathbf{x}$ is provable using standard techniques (e.g., \cite{Lyu08}), we argue its membership of $\mathsf{VALID}$ by leveraging
|
||||||
|
the properties of Stern-like protocols \cite{Ste96,KTX08,LNSW13}. In particular, we rely on the fact that their underlying permutations interact well with
|
||||||
|
combinatorial statements pertaining to $\mathbf{x}$, especially $\mathbf{x}$ being a bitstring with a specific pattern. We believe our framework to be of independent
|
||||||
|
interest as it provides a blueprint for proving many other intricate relations in a modular manner.
|
||||||
|
|
||||||
|
When we extend the scheme with a protocol for signing committed messages, we need the signer to re-randomize the user's commitment before signing the hidden
|
||||||
|
messages. This is indeed necessary to provide the reduction with a backdoor allowing to correctly answer the $i^\dagger$-th query by ``programming'' the
|
||||||
|
randomness of the commitment. Since we work with integers vectors, a straightforward simulation incurs a non-negligible statistical distance between the
|
||||||
|
simulated distributions of re-randomization coins and the real one (which both have a discrete Gaussian distribution). Camenisch and Lysyanskaya \cite{CL02}
|
||||||
|
address a similar problem by choosing the signer's randomness to be exponentially larger than that of the user's commitment so as to statistically ``drown''
|
||||||
|
the aforementioned discrepancy. Here, the same idea would require to work with an exponentially large modulus~$q$. Instead, we adopt a more efficient
|
||||||
|
solution, inspired by Bai \textit{et al.} \cite{BLL+15}, which is to apply an analysis based on the R\'enyi divergence rather than the statistical distance. In
|
||||||
|
short, the R\'enyi divergence's properties tell us that, if some event~$E$ occurs with noticeable probability in some probability space~$P$, so does it in a
|
||||||
|
different probability space~$Q$ for which the second order divergence $R_2(P||Q)$ is sufficiently small. In our setting, $R_2(P||Q)$ is precisely polynomially
|
||||||
|
bounded since the two probability spaces only diverge in one signing query.
|
||||||
|
|
||||||
|
Our dynamic group signature scheme avoids these difficulties because the group manager only signs known messages: instead of signing the user's secret key as
|
||||||
|
in anonymous credentials, it creates a membership certificate by signing the user's public key. Our zero-knowledge arguments accommodate the requirements of
|
||||||
|
the scheme in the following way. In the joining protocol that dynamically introduces new group members, the user $i$ chooses a membership secret consisting of
|
||||||
|
a short discrete Gaussian vector $\mathbf{z}_i $. This user generates a public syndrome $\mathbf{v}_i = \mathbf{F} \cdot \mathbf{z}_i \mod q$, for some public matrix
|
||||||
|
$\mathbf{F}$, which constitutes his public key. In order to certify $\mathbf{v}_i$, the group manager computes the coordinate-wise binary expansion
|
||||||
|
$\mathsf{bin}(\mathbf{v}_i) $ of $\mathbf{v}_i$. The vector $\mathsf{bin}(\mathbf{v}_i) $ is then signed using our signature scheme. Using the resulting signature
|
||||||
|
$(\tau,\mathbf{v},\mathbf{s}) $ as a membership certificate, the group member is able to sign a message by proving that: (i) He holds a valid signature
|
||||||
|
$(\tau,\mathbf{v},\mathbf{s})$ on some secret binary message $\mathsf{bin}(\mathbf{v}_i) $; (ii) The latter vector $\mathsf{bin}(\mathbf{v}_i) $ is the binary expansion of
|
||||||
|
some syndrome $\mathbf{v}_i$ of which he knows a GPV pre-image $\mathbf{z}_i $. We remark that condition (ii) can be proved by providing evidence that we have $
|
||||||
|
\mathbf{v}_i = \mathbf{H} \cdot \bit(\mathbf{v}_i) = \mathbf{F} \cdot \mathbf{z}_i \bmod q$, for some short integer vector $\mathbf{z}_i $ and some binary $\mathsf{bin}(\mathbf{v}_i) $,
|
||||||
|
where $\mathbf{H}$ is the ``powers-of-$2$'' matrix. Our abstraction of Stern-like protocols \cite{Ste96,KTX08,LNSW13} allows us to efficiently argue such
|
||||||
|
statements. The fact that the underlying chameleon hash function smoothly interacts with Stern-like zero-knowledge arguments is the property that maintains
|
||||||
|
the user's capability of efficiently proving knowledge of the underlying secret key.
|
||||||
|
|
||||||
|
|
||||||
|
Given the state of $\NIZK$ proofs in the lattice setting, it seems hard to provide group signature schemes in the standard model.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
In the forthcoming sections, we first provide the description of our signature with efficient protocols; then a description of our dynamic group signature will be given and finally, we will explain how to use the Stern abstraction of \cref{sse:stern} to provide the required zero-knowledge arguments.
|
||||||
|
|
||||||
\section{A Lattice-Based Signature with Efficient Protocols} \label{se:gs-lwe-sigep}
|
\section{A Lattice-Based Signature with Efficient Protocols} \label{se:gs-lwe-sigep}
|
||||||
|
|
||||||
%We first specify the parameters used in our scheme. Let $\lambda$ be the security parameter, and let $n = \bigO(\lambda)$, $q = \mathsf{poly}(n)$, and $m \geq 2n \log q$.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
%We assume that messages are vectors of $N$ blocks $\mathsf{Msg}=(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$, where each
|
|
||||||
%block is an $L$-bit string $\mathfrak{m}_k = \mathfrak{m}_k[1] \ldots \mathfrak{m}_k[L] \in \{0,1\}^L$ for $k \in \{1,\ldots, N\}$.
|
|
||||||
|
|
||||||
Our scheme can be seen as a variant of the B\"ohl \textit{et al.} signature \cite{BHJ+15}, where
|
Our scheme can be seen as a variant of the B\"ohl \textit{et al.} signature \cite{BHJ+15}, where
|
||||||
each signature is a triple $(\tau,\mathbf{v},\mathbf{s})$, made of a tag $\tau \in \{0,1\}^\ell$ and integer vectors $(\mathbf{v},\mathbf{s})$ satisfying
|
each signature is a triple $(\tau,\mathbf{v},\mathbf{s})$, made of a tag $\tau \in \{0,1\}^\ell$ and integer vectors $(\mathbf{v},\mathbf{s})$ satisfying
|
||||||
$[\mathbf{A} \mid \mathbf{A}_0 + \sum_{j=1}^\ell \tau[j] \cdot \mathbf{A}_j ] \cdot \mathbf{v} = \mathbf{u} + \mathbf{D} \cdot \mathbf{h} \bmod q$,
|
$[\mathbf{A} \mid \mathbf{A}_0 + \sum_{j=1}^\ell \tau[j] \cdot \mathbf{A}_j ] \cdot \mathbf{v} = \mathbf{u} + \mathbf{D} \cdot \mathbf{h} \bmod q$,
|
||||||
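Review bot: condition (ii) in the new introduction is typeset as `\mathbf{v}_i = \mathbf{H} \cdot \bit(\mathbf{v}_i) = \mathbf{F} \cdot \mathbf{z}_i \bmod q` (the line starting `\mathbf{v}_i = \mathbf{H}`), but everywhere else in this hunk `\bit` is the set `\{0,1\}` (as in `\tau \in \bit^\ell`) and the binary expansion is written `\mathsf{bin}(\mathbf{v}_i)`, so this will render as "{0,1}(v_i)"; it should be `\mathbf{H} \cdot \mathsf{bin}(\mathbf{v}_i)`. The comparison table declares eight columns (`\begin{tabular}{|c||c|c|c|c|c|c|c|}`) while every row has six cells, so the right border and the trailing rules will not line up; `{|c||c|c|c|c|c|}` matches the rows. The chameleon hash is called `\mathcal{H}(\mathfrak{m}_1, \ldots, \mathfrak{m}_N, \mathbf s)` when the extended scheme is described and `\mathsf{CMHash}(\mathfrak{m}_1,\ldots,\mathfrak{m}_N,\mathbf{s})` in the "second problem" paragraph; one name should be used. Wording nits in the added text: "The group signature security is proven secure" (drop one of security/secure), "for group of up to $\Ngs$ members" (groups), "lattice-based anonymous credential" (credentials), "Camenish and Lysyanskaya" (Camenisch, as spelled later in the same hunk), "short vectors ... that verifies" (verify), "all the involved statement" (statements), "integers vectors" (integer vectors), "would require to work with" (would require working with), and "with the Canetti, Halevi and Katz~\cite{CHK04} in order to obtain" is missing its noun (transform or technique).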
@ -41,17 +122,17 @@ coordinate of $\mathbf{v}$ by its binary representation.
|
|||||||
\Zq^{n \times m}$ and a short basis $\mathbf{T}_{\mathbf{A}}$ of
|
\Zq^{n \times m}$ and a short basis $\mathbf{T}_{\mathbf{A}}$ of
|
||||||
$\Lambda_q^{\perp}(\mathbf{A}).$ This basis allows computing short vectors in $\Lambda_q^{\perp}(\mathbf{A})$ with a Gaussian parameter $\sigma$.
|
$\Lambda_q^{\perp}(\mathbf{A}).$ This basis allows computing short vectors in $\Lambda_q^{\perp}(\mathbf{A})$ with a Gaussian parameter $\sigma$.
|
||||||
% $\sigma \geq \| \widetilde{\mathbf{T}_{\mathbf{A}}} \| \cdot \omega (\sqrt{\log m})$.
|
% $\sigma \geq \| \widetilde{\mathbf{T}_{\mathbf{A}}} \| \cdot \omega (\sqrt{\log m})$.
|
||||||
Next, choose $\ell+1$ random $\mathbf{A}_0,\mathbf{A}_1,\ldots,\mathbf{A}_{\ell} \sample U(\Zq^{n \times m})$. %, where $\ell = \Theta(\lambda)$.
|
Next, choose $\ell+1$ random $\mathbf{A}_0,\mathbf{A}_1,\ldots,\mathbf{A}_{\ell} \sample \U(\Zq^{n \times m})$. %, where $\ell = \Theta(\lambda)$.
|
||||||
\item[2.] Choose random matrices $\mathbf{D} \sample U(\Zq^{n \times m})$, $\mathbf{D}_0,\mathbf{D}_1,\ldots,\mathbf{D}_{N} \sample U(\Zq^{2n \times 2m})$ as well as a random vector
|
\item[2.] Choose random matrices $\mathbf{D} \sample \U(\Zq^{n \times m})$, $\mathbf{D}_0,\mathbf{D}_1,\ldots,\mathbf{D}_{N} \sample \U(\Zq^{2n \times 2m})$ as well as a random vector
|
||||||
$\mathbf{u} \sample U(\Zq^n)$. \smallskip
|
$\mathbf{u} \sample \U(\Zq^n)$. \smallskip
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
The private key consists of $SK:= \mathbf{T}_{\mathbf{A}} \in \ZZ^{m \times m}$ and the public key is
|
The private key consists of $SK \coloneqq \mathbf{T}_{\mathbf{A}} \in \ZZ^{m \times m}$ and the public key is
|
||||||
$${PK}:=\big( \mathbf{A}, ~ \{\mathbf{A}_j \}_{j=0}^{\ell}, ~ \{\mathbf{D}_k\}_{k=0}^{N},~\mathbf{D}, ~\mathbf{u} \big).$$
|
$${PK}\coloneqq \big( \mathbf{A}, ~ \{\mathbf{A}_j \}_{j=0}^{\ell}, ~ \{\mathbf{D}_k\}_{k=0}^{N},~\mathbf{D}, ~\mathbf{u} \big).$$
|
||||||
% \smallskip
|
% \smallskip
|
||||||
\item[\textsf{Sign}$\big(SK, \mathsf{Msg} \big)$:] To sign an $N$-block message
|
\item[\textsf{Sign}$\big(SK, \mathsf{Msg} \big)$:] To sign an $N$-block message
|
||||||
$\mathsf{Msg}=\left(\mathfrak{m}_1,\ldots,\mathfrak{m}_N \right) \in \left(\{0,1\}^{2m} \right)^N$,
|
$\mathsf{Msg}=\left(\mathfrak{m}_1,\ldots,\mathfrak{m}_N \right) \in \left(\{0,1\}^{2m} \right)^N$,
|
||||||
\begin{enumerate}[1.]
|
\begin{enumerate}[1.]
|
||||||
\item Choose a random string $\tau \sample U(\{0,1\}^\ell )$. Then, using $SK:=
|
\item Choose a random string $\tau \sample \U(\{0,1\}^\ell )$. Then, using $SK\coloneqq
|
||||||
\mathbf{T}_{\mathbf{A}}$, compute with $\ExtBasis$ a short delegated basis $\mathbf{T}_\tau \in \ZZ^{2m \times 2m}$
|
\mathbf{T}_{\mathbf{A}}$, compute with $\ExtBasis$ a short delegated basis $\mathbf{T}_\tau \in \ZZ^{2m \times 2m}$
|
||||||
for the matrix
|
for the matrix
|
||||||
\begin{eqnarray} \label{tau-matrix}
|
\begin{eqnarray} \label{tau-matrix}
|
||||||
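Review bot: this hunk replaces `U(\cdot)` with a `\U` macro and `:=` with `\coloneqq` in the key-generation description; neither `\U` nor `\coloneqq` is a plain LaTeX command (`\coloneqq` comes from mathtools or colonequals), so both need to be defined or loaded in the preamble, otherwise the chapter stops compiling. Since the same substitution is applied by hand in several later hunks of this commit, it is worth checking that every `U(` was turned into `\U(` rather than simply deleted.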
@ -129,9 +210,9 @@ The scheme is secure against Type I attacks if the $\mathsf{SIS}_{n,m,q,\beta'}$
|
|||||||
\Zq^{n \times m}$ and computes $\mathbf{v} \in
|
\Zq^{n \times m}$ and computes $\mathbf{v} \in
|
||||||
\Lambda_q^{\perp}(\bar{\mathbf{A}})$ with~$0 < \|\mathbf{v}\| \leq \beta'$.
|
\Lambda_q^{\perp}(\bar{\mathbf{A}})$ with~$0 < \|\mathbf{v}\| \leq \beta'$.
|
||||||
|
|
||||||
Algorithm~$\bdv$ first chooses the $\ell$-bit strings $\tau^{(1)},\ldots,\tau^{(Q)} \sample U(\{0,1\}^\ell)$ to be used in signing queries. As in \cite{HW09}, it
|
Algorithm~$\bdv$ first chooses the $\ell$-bit strings $\tau^{(1)},\ldots,\tau^{(Q)} \sample \U(\{0,1\}^\ell)$ to be used in signing queries. As in \cite{HW09}, it
|
||||||
guesses the shortest prefix such that the string $\tau^\star$ contained in $\adv$'s forgery differs from all prefixes of $\tau^{(1)},\ldots,\tau^{(Q)}$. To this
|
guesses the shortest prefix such that the string $\tau^\star$ contained in $\adv$'s forgery differs from all prefixes of $\tau^{(1)},\ldots,\tau^{(Q)}$. To this
|
||||||
end, $\bdv$ chooses $i^\dagger \sample U(\{1,\ldots, Q\})$ and $t^\dagger \sample U(\{1,\ldots,\ell\})$ so that, with probability $1/(Q \cdot \ell)$, the longest
|
end, $\bdv$ chooses $i^\dagger \sample \U(\{1,\ldots, Q\})$ and $t^\dagger \sample \U(\{1,\ldots,\ell\})$ so that, with probability $1/(Q \cdot \ell)$, the longest
|
||||||
common prefix between $\tau^\star$ and one of the $\left\{\tau^{(i)} \right\}_{i=1}^Q$ is the string
|
common prefix between $\tau^\star$ and one of the $\left\{\tau^{(i)} \right\}_{i=1}^Q$ is the string
|
||||||
$\tau^\star[1] \ldots \tau^\star[t^\dagger-1] =\tau^{(i^\dagger)}[1] \ldots \tau^{(i^\dagger)}[t^\dagger-1] \in \{0,1\}^{t^\dagger -1}$ comprised of the
|
$\tau^\star[1] \ldots \tau^\star[t^\dagger-1] =\tau^{(i^\dagger)}[1] \ldots \tau^{(i^\dagger)}[t^\dagger-1] \in \{0,1\}^{t^\dagger -1}$ comprised of the
|
||||||
first $(t^\dagger-1)$-th bits of $\tau^\star \in \{0,1\}^\ell$. We define $ \tau^\dagger \in \{0,1\}^{t^\dagger}$ as the $t^\dagger$-bit string $\tau^\dagger=\tau^\star[1] \ldots \tau^\star[t^\dagger] $. By construction, with probability $1/(Q \cdot \ell)$, we have $\tau^\dagger \not \in \left\{\tau^{(1)}_{|{t^\dagger}}, \ldots ,\tau^{(Q)}_{|{t^\dagger}} \right\}$, where $\tau^{(i)}_{|{t^\dagger}}$ denotes
|
first $(t^\dagger-1)$-th bits of $\tau^\star \in \{0,1\}^\ell$. We define $ \tau^\dagger \in \{0,1\}^{t^\dagger}$ as the $t^\dagger$-bit string $\tau^\dagger=\tau^\star[1] \ldots \tau^\star[t^\dagger] $. By construction, with probability $1/(Q \cdot \ell)$, we have $\tau^\dagger \not \in \left\{\tau^{(1)}_{|{t^\dagger}}, \ldots ,\tau^{(Q)}_{|{t^\dagger}} \right\}$, where $\tau^{(i)}_{|{t^\dagger}}$ denotes
|
||||||
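Review bot: the `\U` replacement is applied to all four samplings in this hunk, which is fine; one wording point in the unchanged context, "comprised of the first $(t^\dagger-1)$-th bits of $\tau^\star$", reads oddly and should be "comprised of the first $t^\dagger-1$ bits of $\tau^\star$".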
@ -159,7 +240,6 @@ The scheme is secure against Type I attacks if the $\mathsf{SIS}_{n,m,q,\beta'}$
|
|||||||
\end{eqnarray*}
|
\end{eqnarray*}
|
||||||
It also sets $\mathbf{A}=\bar{\mathbf{A}}$.
|
It also sets $\mathbf{A}=\bar{\mathbf{A}}$.
|
||||||
We note that we have
|
We note that we have
|
||||||
% \vspace*{-.1cm}
|
|
||||||
\begin{eqnarray*}
|
\begin{eqnarray*}
|
||||||
\mathbf{A}_{\tau^{(i)}} &=& \left[ \begin{array}{c|c} \bar{\mathbf{A}} & \mathbf{A}_0 +
|
\mathbf{A}_{\tau^{(i)}} &=& \left[ \begin{array}{c|c} \bar{\mathbf{A}} & \mathbf{A}_0 +
|
||||||
\sum_{j=1}^\ell \tau^{(i)}[j] \mathbf{A}_j
|
\sum_{j=1}^\ell \tau^{(i)}[j] \mathbf{A}_j
|
||||||
@ -182,13 +262,13 @@ The scheme is secure against Type I attacks if the $\mathsf{SIS}_{n,m,q,\beta'}$
|
|||||||
$\tau^{(i)}_{|t^\dagger}$ and $\tau^\star_{|t^\dagger}$. Note that, with probability $1/(Q \cdot \ell)$ and since $q>\ell$, we have
|
$\tau^{(i)}_{|t^\dagger}$ and $\tau^\star_{|t^\dagger}$. Note that, with probability $1/(Q \cdot \ell)$ and since $q>\ell$, we have
|
||||||
$ h_{\tau^{(i)}} \neq 0 \bmod q$ whenever $\tau^{(i)}_{|t^\dagger} \neq \tau^\star_{|t^\dagger}$.
|
$ h_{\tau^{(i)}} \neq 0 \bmod q$ whenever $\tau^{(i)}_{|t^\dagger} \neq \tau^\star_{|t^\dagger}$.
|
||||||
|
|
||||||
Next, $\bdv$ chooses the matrices $\mathbf{D}_k \sample U(\Zq^{2n \times 2m})$ uniformly at random for each $k \in [0,N]$. Then, it picks a random short matrix $\mathbf{R} \in \ZZ^{m \times m}$ which has its columns independently sampled from $D_{\ZZ^m,\sigma}$
|
Next, $\bdv$ chooses the matrices $\mathbf{D}_k \sample \U(\Zq^{2n \times 2m})$ uniformly at random for each $k \in [0,N]$. Then, it picks a random short matrix $\mathbf{R} \in \ZZ^{m \times m}$ which has its columns independently sampled from $D_{\ZZ^m,\sigma}$
|
||||||
and computes
|
and computes
|
||||||
\begin{eqnarray*}
|
\begin{eqnarray*}
|
||||||
\mathbf{D} &=& \bar{\mathbf{A}} \cdot \mathbf{R}. % \qquad \qquad \qquad \quad~ \forall k \in \{0,\ldots,N\}.
|
\mathbf{D} &=& \bar{\mathbf{A}} \cdot \mathbf{R}. % \qquad \qquad \qquad \quad~ \forall k \in \{0,\ldots,N\}.
|
||||||
\end{eqnarray*}
|
\end{eqnarray*}
|
||||||
Finally, $\bdv$ samples a short vector $\mathbf{e}_u \sample D_{\ZZ^m,\sigma_1}$ and computes the vector $\mathbf{u} \in \Zq^n$
|
Finally, $\bdv$ samples a short vector $\mathbf{e}_u \sample D_{\ZZ^m,\sigma_1}$ and computes the vector $\mathbf{u} \in \Zq^n$
|
||||||
as $\mathbf{u} = \bar{\mathbf{A}} \cdot \mathbf{e}_u \in \Zq^n$. The public key $${PK}:=\big( \mathbf{A}, ~
|
as $\mathbf{u} = \bar{\mathbf{A}} \cdot \mathbf{e}_u \in \Zq^n$. The public key $${PK}\coloneqq \big( \mathbf{A}, ~
|
||||||
\{\mathbf{A}_j \}_{j=0}^{\ell}, ~ \{\mathbf{D}_k\}_{k=0}^{N},~\mathbf{D}, ~\mathbf{u} \big)$$
|
\{\mathbf{A}_j \}_{j=0}^{\ell}, ~ \{\mathbf{D}_k\}_{k=0}^{N},~\mathbf{D}, ~\mathbf{u} \big)$$
|
||||||
is given to $\adv$.
|
is given to $\adv$.
|
||||||
|
|
||||||
@ -251,7 +331,7 @@ We prove the result using a sequence of games. For each $i$, we denote by $W_i$
|
|||||||
Given that \textsf{Game} $1$ is identical to \textsf{Game} $0$ until $F_1$ occurs, we have $|\Pr[W_1]-\Pr[W_0]| \leq \Pr[F_1] < Q^2/2^\ell$.
|
Given that \textsf{Game} $1$ is identical to \textsf{Game} $0$ until $F_1$ occurs, we have $|\Pr[W_1]-\Pr[W_0]| \leq \Pr[F_1] < Q^2/2^\ell$.
|
||||||
|
|
||||||
\item[\textsf{Game} 2:] This game is like \textsf{Game} $1$ with the following difference. At the outset of the game, the challenger $\bdv$ chooses a random index
|
\item[\textsf{Game} 2:] This game is like \textsf{Game} $1$ with the following difference. At the outset of the game, the challenger $\bdv$ chooses a random index
|
||||||
$i^\dagger \sample U(\{1,\ldots,Q\})$ as a guess that $\adv$'s forgery will recycle the $\ell$-bit string $\tau^{(i^\dagger)} \in \{0,1\}^\ell$ of the $i^\dagger$-th signing query.
|
$i^\dagger \sample (\{1,\ldots,Q\})$ as a guess that $\adv$'s forgery will recycle the $\ell$-bit string $\tau^{(i^\dagger)} \in \{0,1\}^\ell$ of the $i^\dagger$-th signing query.
|
||||||
When $\adv$ outputs its Type II forgery $sig^\star=(\tau^\star,\mathbf{v}^\star,\mathbf{s}^\star)$, the challenger aborts
|
When $\adv$ outputs its Type II forgery $sig^\star=(\tau^\star,\mathbf{v}^\star,\mathbf{s}^\star)$, the challenger aborts
|
||||||
in the event that $\tau^{(i^\dagger)} \neq \tau^\star$ (i.e., $i^\dagger \neq i^\star$). Since the choice of $i^\dagger $ in $\{1,\ldots,Q\}$ is independent of $\adv$'s view, we
|
in the event that $\tau^{(i^\dagger)} \neq \tau^\star$ (i.e., $i^\dagger \neq i^\star$). Since the choice of $i^\dagger $ in $\{1,\ldots,Q\}$ is independent of $\adv$'s view, we
|
||||||
have $\Pr[W_2]=\Pr[W_1]/Q$.
|
have $\Pr[W_2]=\Pr[W_1]/Q$.
|
||||||
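Review bot: the edit to the \textsf{Game} 2 line dropped the distribution instead of swapping it for the macro: `$i^\dagger \sample (\{1,\ldots,Q\})$` no longer states that $i^\dagger$ is uniform, whereas the earlier hunks of this commit write `\sample \U(\{1,\ldots, Q\})`. Restore it as `$i^\dagger \sample \U(\{1,\ldots,Q\})$`.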
@ -267,7 +347,7 @@ We prove the result using a sequence of games. For each $i$, we denote by $W_i$
|
|||||||
trapdoors $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$, $\mathbf{T}_{\mathbf{D}_0} \in \ZZ^{2m \times 2m}$ consisting of short bases of $\Lambda_q^{\perp}(\mathbf{C})$ and $\Lambda_q^{\perp}(\mathbf{D}_0)$, respectively. Then,
|
trapdoors $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$, $\mathbf{T}_{\mathbf{D}_0} \in \ZZ^{2m \times 2m}$ consisting of short bases of $\Lambda_q^{\perp}(\mathbf{C})$ and $\Lambda_q^{\perp}(\mathbf{D}_0)$, respectively. Then,
|
||||||
$\bdv$
|
$\bdv$
|
||||||
chooses
|
chooses
|
||||||
a uniformly random $\mathbf{D} \sample U(\Zq^{n \times m})$ and re-randomizes it using short matrices
|
a uniformly random $\mathbf{D} \sample (\Zq^{n \times m})$ and re-randomizes it using short matrices
|
||||||
$\mathbf{S},\mathbf{S}_0,\mathbf{S}_1,\ldots,\mathbf{S}_{\ell} \sample \ZZ^{m \times m}$, which are obtained
|
$\mathbf{S},\mathbf{S}_0,\mathbf{S}_1,\ldots,\mathbf{S}_{\ell} \sample \ZZ^{m \times m}$, which are obtained
|
||||||
by sampling their columns from the distribution $D_{\ZZ^m,\sigma}$. Namely, from $\mathbf{D} \in \Zq^{n \times m}$, $\bdv$
|
by sampling their columns from the distribution $D_{\ZZ^m,\sigma}$. Namely, from $\mathbf{D} \in \Zq^{n \times m}$, $\bdv$
|
||||||
defines
|
defines
|
||||||
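Review bot: same slip as in the Game 2 hunk: `$\mathbf{D} \sample (\Zq^{n \times m})$` lost its `U`. It should read `$\mathbf{D} \sample \U(\Zq^{n \times m})$`, otherwise the formula no longer matches the surrounding prose "a uniformly random $\mathbf{D}$".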
@ -277,7 +357,7 @@ We prove the result using a sequence of games. For each $i$, we denote by $W_i$
|
|||||||
\mathbf{A}_j &=& \mathbf{D} \cdot \mathbf{S}_j + h_j \cdot \mathbf{C} \qquad \qquad \forall j \in \{1,\ldots,\ell\} %\\ \nonumber
|
\mathbf{A}_j &=& \mathbf{D} \cdot \mathbf{S}_j + h_j \cdot \mathbf{C} \qquad \qquad \forall j \in \{1,\ldots,\ell\} %\\ \nonumber
|
||||||
%\mathbf{D}_k &=& \mathbf{D} \cdot \mathbf{R}_k \qquad \qquad \qquad \quad~ \forall k \in \{1,\ldots,N\}.
|
%\mathbf{D}_k &=& \mathbf{D} \cdot \mathbf{R}_k \qquad \qquad \qquad \quad~ \forall k \in \{1,\ldots,N\}.
|
||||||
\end{eqnarray}
|
\end{eqnarray}
|
||||||
In addition, $\bdv$ picks random matrices $\mathbf{D}_1,\ldots,\mathbf{D}_N \sample U(\Zq^{2n \times 2m})$ and a random vector $\mathbf{c}_M \sample U(\Zq^{2n})$. It samples
|
In addition, $\bdv$ picks random matrices $\mathbf{D}_1,\ldots,\mathbf{D}_N \sample (\Zq^{2n \times 2m})$ and a random vector $\mathbf{c}_M \sample (\Zq^{2n})$. It samples
|
||||||
short vectors $\mathbf{v}_1 ,\mathbf{v}_2 \sample D_{\ZZ^m,\sigma}$ and computes $\mathbf{u} \in \Zq^n$
|
short vectors $\mathbf{v}_1 ,\mathbf{v}_2 \sample D_{\ZZ^m,\sigma}$ and computes $\mathbf{u} \in \Zq^n$
|
||||||
as $\mathbf{u} = \mathbf{A}_{\tau^{(i^\dagger)}} \cdot
|
as $\mathbf{u} = \mathbf{A}_{\tau^{(i^\dagger)}} \cdot
|
||||||
\left[
|
\left[
|
||||||
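Review bot: two more places where `U(` was deleted instead of replaced: `\mathbf{D}_1,\ldots,\mathbf{D}_N \sample (\Zq^{2n \times 2m})` and `\mathbf{c}_M \sample (\Zq^{2n})`; both should be `\sample \U(\ldots)`, as the sentence says they are picked at random. Since the pattern recurs across hunks, a search for `\sample (` over the chapter will catch any remaining ones.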
@ -456,16 +536,16 @@ encrypted values.%, the protocols of Ling \textit{et al.} \cite{LNW15} come in h
|
|||||||
Let $p = \sigma \cdot \omega(\sqrt{m})$ upper-bound entries of vectors sampled from the distribution~$D_{\ZZ^{2m},\sigma}$.
|
Let $p = \sigma \cdot \omega(\sqrt{m})$ upper-bound entries of vectors sampled from the distribution~$D_{\ZZ^{2m},\sigma}$.
|
||||||
Generate two public keys for the dual Regev encryption scheme
|
Generate two public keys for the dual Regev encryption scheme
|
||||||
in its multi-bit variant. These keys consists of a public random matrix
|
in its multi-bit variant. These keys consists of a public random matrix
|
||||||
$\mathbf{B} \sample U(\Zq^{n \times m})$ and random matrices $\mathbf{G}_0 = \mathbf{B} \cdot \mathbf{E}_0 \in \Zq^{n \times \ell }$, $\mathbf{G}_1 = \mathbf{B} \cdot \mathbf{E}_1 \in \Zq^{n \times 2m}$,
|
$\mathbf{B} \sample (\Zq^{n \times m})$ and random matrices $\mathbf{G}_0 = \mathbf{B} \cdot \mathbf{E}_0 \in \Zq^{n \times \ell }$, $\mathbf{G}_1 = \mathbf{B} \cdot \mathbf{E}_1 \in \Zq^{n \times 2m}$,
|
||||||
where $\mathbf{E}_0 \in \ZZ^{ m \times \ell}$ and $\mathbf{E}_1 \in \ZZ^{m \times 2m}$ are short Gaussian matrices with columns sampled from $D_{\ZZ^{m},\sigma}$. These matrices will be
|
where $\mathbf{E}_0 \in \ZZ^{ m \times \ell}$ and $\mathbf{E}_1 \in \ZZ^{m \times 2m}$ are short Gaussian matrices with columns sampled from $D_{\ZZ^{m},\sigma}$. These matrices will be
|
||||||
used to encrypt integer vectors of dimension $\ell$ and $2m$, respectively. Finally, generate public parameters $CK:=\{ \mathbf{D}_k \}_{k=0}^N$ consisting of uniformly
|
used to encrypt integer vectors of dimension $\ell$ and $2m$, respectively. Finally, generate public parameters $CK\coloneqq \{ \mathbf{D}_k \}_{k=0}^N$ consisting of uniformly
|
||||||
random matrices $\mathbf{D}_k \sample U(\Zq^{2n \times 2m})$ for a statistically hiding commitment
|
random matrices $\mathbf{D}_k \sample (\Zq^{2n \times 2m})$ for a statistically hiding commitment
|
||||||
to vectors in $(\{0,1\}^{2m})^N$.
|
to vectors in $(\{0,1\}^{2m})^N$.
|
||||||
Return public parameters consisting of
|
Return public parameters consisting of
|
||||||
$$ \mathsf{par}:= \{ ~\mathbf{B} \in \Zq^{n \times m} ,~\mathbf{G}_0 \in \Zq^{n \times \ell},~\mathbf{G}_1 \in \Zq^{n \times 2m},~CK \}. $$
|
$$ \mathsf{par}\coloneqq \{ ~\mathbf{B} \in \Zq^{n \times m} ,~\mathbf{G}_0 \in \Zq^{n \times \ell},~\mathbf{G}_1 \in \Zq^{n \times 2m},~CK \}. $$
|
||||||
%where $p > \sigma_1 \sqrt{m}$ upper-bounds entries of vectors sampled from the distribution $D_{\ZZ^m,\sigma_1}$,
|
%where $p > \sigma_1 \sqrt{m}$ upper-bounds entries of vectors sampled from the distribution $D_{\ZZ^m,\sigma_1}$,
|
||||||
|
|
||||||
\item[\textsf{Issue} $\leftrightarrow$ \textsf{Obtain} :] The signer $S$, who holds a key pair $PK:=\{ \mathbf{A} , ~\{\mathbf{A}_j\}_{j=0}^\ell,~\mathbf{D},~\mathbf{u} \}$, $SK:=\mathbf{T}_{\mathbf{A}}$, interacts with the user $U$
|
\item[\textsf{Issue} $\leftrightarrow$ \textsf{Obtain} :] The signer $S$, who holds a key pair $PK\coloneqq \{ \mathbf{A} , ~\{\mathbf{A}_j\}_{j=0}^\ell,~\mathbf{D},~\mathbf{u} \}$, $SK\coloneqq \mathbf{T}_{\mathbf{A}}$, interacts with the user $U$
|
||||||
who has a message $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$, in the following interactive protocol. \smallskip
|
who has a message $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$, in the following interactive protocol. \smallskip
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item[1.] $U$ samples $\mathbf{s}' \sample D_{\ZZ^{2m},\sigma} $ and computes $ \mathbf{c}_{\mathfrak{m}} = \mathbf{D}_0 \cdot \mathbf{s}' + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k \in \mathbb{Z}_q^{2n}$
|
\item[1.] $U$ samples $\mathbf{s}' \sample D_{\ZZ^{2m},\sigma} $ and computes $ \mathbf{c}_{\mathfrak{m}} = \mathbf{D}_0 \cdot \mathbf{s}' + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k \in \mathbb{Z}_q^{2n}$
|
||||||
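Review bot: `\mathbf{B} \sample (\Zq^{n \times m})` and `\mathbf{D}_k \sample (\Zq^{2n \times 2m})` again lost the `U`; the prose around them ("public random matrix", "uniformly random matrices") calls for `\sample \U(\cdot)`. Two smaller points in the same hunk: the signer's key is now written `PK\coloneqq \{ \mathbf{A} , ~\{\mathbf{A}_j\}_{j=0}^\ell,~\mathbf{D},~\mathbf{u} \}` with braces, while the key-generation hunk earlier in this commit defines `${PK}\coloneqq \big( \mathbf{A}, ~ \{\mathbf{A}_j \}_{j=0}^{\ell}, ~ \{\mathbf{D}_k\}_{k=0}^{N},~\mathbf{D}, ~\mathbf{u} \big)$` with parentheses; and the context sentence "These keys consists of a public random matrix" should read "consist".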
@ -612,10 +692,10 @@ probabilities during hybrid games where the two distributions are not close in t
|
|||||||
%--------- PROOF ----------
|
%--------- PROOF ----------
|
||||||
\begin{proof} The proof is very similar to the proof of \cref{th:gs-lwe-security-cma-sig} and we will only explain the changes.
|
\begin{proof} The proof is very similar to the proof of \cref{th:gs-lwe-security-cma-sig} and we will only explain the changes.
|
||||||
|
|
||||||
Assuming that an adversary $\adv$ can prove possession of a signature on a message $(\mathfrak{m}_1^\star,\ldots,\mathfrak{m}_N^\star)$ which has not been blindly signed by the issuer,
|
Let us assume that an adversary $\adv$ can prove possession of a signature on a message $(\mathfrak{m}_1^\star,\ldots,\mathfrak{m}_N^\star)$ which has not been blindly signed by the issuer,
|
||||||
we outline an algorithm $\bdv$ that solves a $\mathsf{SIS}_{n,2m,q,\beta}$ instance $\bar{\mathbf{A}}$, where $\bar{\mathbf{A}} =
|
we outline an algorithm $\bdv$ that solves a $\mathsf{SIS}_{n,2m,q,\beta}$ instance $\bar{\mathbf{A}}$, where $\bar{\mathbf{A}} =
|
||||||
[ \bar{\mathbf{A}}_1 \mid \bar{\mathbf{A}}_2 ] \in \ZZ_q^{ n \times 2m}$ with
|
[ \bar{\mathbf{A}}_1 \mid \bar{\mathbf{A}}_2 ] \in \ZZ_q^{ n \times 2m}$ with matrices
|
||||||
$\bar{\mathbf{A}}_1, \bar{\mathbf{A}}_2 \in U(\ZZ_q^{n \times m})$.
|
$\bar{\mathbf{A}}_1, \bar{\mathbf{A}}_2 \sample \U(\ZZ_q^{n \times m})$.
|
||||||
|
|
||||||
At the outset of the game, $\bdv$ generates the common parameters $\mathsf{par}$ by choosing
|
At the outset of the game, $\bdv$ generates the common parameters $\mathsf{par}$ by choosing
|
||||||
$\mathbf{B} \in_R \ZZ_q^{n \times m}$ and defining $\mathbf{G}_0 = \mathbf{B} \cdot \mathbf{E}_0 \in \ZZ_q^{n \times \ell }$, $\mathbf{G}_1 = \mathbf{B} \cdot \mathbf{E}_1 \in \ZZ_q^{n \times 2m}$.
|
$\mathbf{B} \in_R \ZZ_q^{n \times m}$ and defining $\mathbf{G}_0 = \mathbf{B} \cdot \mathbf{E}_0 \in \ZZ_q^{n \times \ell }$, $\mathbf{G}_1 = \mathbf{B} \cdot \mathbf{E}_1 \in \ZZ_q^{n \times 2m}$.
|
||||||
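Review bot: the rewritten opening "Let us assume that an adversary $\adv$ can prove possession of a signature on a message ... which has not been blindly signed by the issuer, we outline an algorithm $\bdv$ ..." is a comma splice. The old "Assuming that ..., we outline ..." was one grammatical sentence; with "Let us assume that ..." the first clause is complete, so close it with a full stop and start a new sentence: "We outline an algorithm $\bdv$ that solves a $\mathsf{SIS}_{n,2m,q,\beta}$ instance ...". Separately, this hunk introduces a third spelling of uniform sampling: `$\bar{\mathbf{A}}_1, \bar{\mathbf{A}}_2 \sample \U(\ZZ_q^{n \times m})$` uses a `\U` macro, `$\mathbf{B} \in_R \ZZ_q^{n \times m}$` two lines later is left as `\in_R`, and the later hunks of this same commit rewrite `\sample U(\cdot)` as `\sample (\cdot)`; pick one form and apply it throughout the file.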
@ -647,7 +727,7 @@ probabilities during hybrid games where the two distributions are not close in t
|
|||||||
the sum $$\mathbf{A}_0 + \sum_{j=1}^\ell \tau^{(i)} [j] \mathbf{A}_j = \bar{\mathbf{A}}_1 \cdot (\mathbf{S}_0 + \sum_{j=1}^\ell \tau^{(i)} [j] \cdot \mathbf{S}_j) + (h_0 + \sum_{j=1}^\ell \tau^{(i)} [j] \cdot h_j ) \cdot \mathbf{C} $$ does not depend on the matrix $\mathbf{C} \in \ZZ_q^{n \times m}$
|
the sum $$\mathbf{A}_0 + \sum_{j=1}^\ell \tau^{(i)} [j] \mathbf{A}_j = \bar{\mathbf{A}}_1 \cdot (\mathbf{S}_0 + \sum_{j=1}^\ell \tau^{(i)} [j] \cdot \mathbf{S}_j) + (h_0 + \sum_{j=1}^\ell \tau^{(i)} [j] \cdot h_j ) \cdot \mathbf{C} $$ does not depend on the matrix $\mathbf{C} \in \ZZ_q^{n \times m}$
|
||||||
(of which a trapdoor $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$ is known to $\bdv$) when $\tau^{(i)} = \tau^{(i^\dagger)}$, but it does for all other tags $\tau^{(i)} \neq \tau^{(i^\dagger)}$. In the setup phase,
|
(of which a trapdoor $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$ is known to $\bdv$) when $\tau^{(i)} = \tau^{(i^\dagger)}$, but it does for all other tags $\tau^{(i)} \neq \tau^{(i^\dagger)}$. In the setup phase,
|
||||||
$\bdv$ also sets up a random matrix $\mathbf{D}_0 \in U(\ZZ_q^{2n \times 2m})$ which it obtains by choosing
|
$\bdv$ also sets up a random matrix $\mathbf{D}_0 \in U(\ZZ_q^{2n \times 2m})$ which it obtains by choosing
|
||||||
$\mathbf{A}' \sample U(\ZZ_q^{n \times 2m})$ to define
|
$\mathbf{A}' \sample (\ZZ_q^{n \times 2m})$ to define
|
||||||
\begin{eqnarray} \label{def-D0}
|
\begin{eqnarray} \label{def-D0}
|
||||||
\mathbf{D}_0=\begin{bmatrix} \bar{\mathbf{A}} \\ \hline \mathbf{A}' \end{bmatrix} \in \ZZ_q^{2n \times 2m}.
|
\mathbf{D}_0=\begin{bmatrix} \bar{\mathbf{A}} \\ \hline \mathbf{A}' \end{bmatrix} \in \ZZ_q^{2n \times 2m}.
|
||||||
\end{eqnarray}
|
\end{eqnarray}
|
||||||
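Review bot: inconsistent within this hunk: "a random matrix $\mathbf{D}_0 \in U(\ZZ_q^{2n \times 2m})$" keeps the `\in U(\cdot)` form, while the changed line right after it, "$\mathbf{A}' \sample (\ZZ_q^{n \times 2m})$", drops the $U$ but keeps its parentheses, so the reader sees a set wrapped in bare brackets after the sampling arrow. Either keep `$\sample U(\ZZ_q^{n \times 2m})$` or write `$\sample \ZZ_q^{n \times 2m}$` without the parentheses, and use the same form for $\mathbf{D}_0$ on the previous line.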
@ -655,9 +735,9 @@ probabilities during hybrid games where the two distributions are not close in t
|
|||||||
$\mathbf{s}_0 \sample D_{\ZZ^{2m},\sigma_0}$, which will be used in the $i^\dagger$-th query.
|
$\mathbf{s}_0 \sample D_{\ZZ^{2m},\sigma_0}$, which will be used in the $i^\dagger$-th query.
|
||||||
Next, it samples short vectors $\mathbf{v}_1,\mathbf{v}_2 \sample D_{\ZZ^m,\sigma}$ to define
|
Next, it samples short vectors $\mathbf{v}_1,\mathbf{v}_2 \sample D_{\ZZ^m,\sigma}$ to define
|
||||||
$$\mathbf{u}= \mathbf{A}_{\tau^{(i^\dagger)}} \cdot \begin{bmatrix} \mathbf{v}_1 \\ \mathbf{v}_2 \end{bmatrix} - \mathbf{D} \cdot \bit (\mathbf{c}_M) ~ \in \ZZ_q^n.$$
|
$$\mathbf{u}= \mathbf{A}_{\tau^{(i^\dagger)}} \cdot \begin{bmatrix} \mathbf{v}_1 \\ \mathbf{v}_2 \end{bmatrix} - \mathbf{D} \cdot \bit (\mathbf{c}_M) ~ \in \ZZ_q^n.$$
|
||||||
In addition, $\bdv$ picks extra small-norm matrices $\mathbf{R}_1,\ldots,\mathbf{R}_N \sample \ZZ^{2m \times 2m}$ whose columns are sampled from $D_{\ZZ^m,\sigma}$, which
|
In addition, $\bdv$ picks extra small-norm matrices $\mathbf{R}_1,\ldots,\mathbf{R}_N \in \ZZ^{2m \times 2m}$ whose columns are sampled from $D_{\ZZ^m,\sigma}$, which
|
||||||
are used to define randomizations of $\mathbf{D}_0$ by computing $\mathbf{D}_k = \mathbf{D}_0 \cdot \mathbf{R}_k$ for each $k \in \{1,\ldots,N\}$.
|
are used to define randomizations of $\mathbf{D}_0$ by computing $\mathbf{D}_k = \mathbf{D}_0 \cdot \mathbf{R}_k$ for each $k \in \{1,\ldots,N\}$.
|
||||||
The adversary is given public parameters $\mathsf{par}:=\{\mathbf{B},\mathbf{G}_0,\mathbf{G}_1,CK\}$, where $CK=\{\mathbf{D}_k\}_{k=0}^N$, and the public key $PK:=\big( \mathbf{A}, \{\mathbf{A}_j\}_{j=0}^\ell, \mathbf{D},\mathbf{u} \big)$.
|
The adversary is given public parameters $\mathsf{par}\coloneqq \{\mathbf{B},\mathbf{G}_0,\mathbf{G}_1,CK\}$, where $CK=\{\mathbf{D}_k\}_{k=0}^N$, and the public key $PK\coloneqq \big( \mathbf{A}, \{\mathbf{A}_j\}_{j=0}^\ell, \mathbf{D},\mathbf{u} \big)$.
|
||||||
|
|
||||||
Using $\mathbf{T}_{\mathbf{C}}$,
|
Using $\mathbf{T}_{\mathbf{C}}$,
|
||||||
$\bdv$ can perfectly emulate the signing oracle at all queries, except the $i^\dagger$-th query where the
|
$\bdv$ can perfectly emulate the signing oracle at all queries, except the $i^\dagger$-th query where the
|
||||||
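Review bot: dimension mismatch on the changed line "$\mathbf{R}_1,\ldots,\mathbf{R}_N \in \ZZ^{2m \times 2m}$ whose columns are sampled from $D_{\ZZ^m,\sigma}$": the columns of a $2m \times 2m$ matrix are vectors of $\ZZ^{2m}$, so the Gaussian should be $D_{\ZZ^{2m},\sigma}$, exactly as the $coin=2$ case later in this file writes it for $\mathbf{Q} \in \ZZ^{2m \times 2m}$ ("whose columns are sampled from $D_{\ZZ^{2m},\sigma}$"). Changing `\sample \ZZ^{2m \times 2m}` to `\in \ZZ^{2m \times 2m}` on this line is the right reading (the matrix is not drawn uniformly from $\ZZ^{2m \times 2m}$), but the same construction for `$\mathbf{S},\mathbf{S}_0,\mathbf{S}_1,\ldots,\mathbf{S}_{\ell} \sample \ZZ^{m \times m}$` and `$\mathbf{Q} \sample \ZZ^{2m \times 2m}$` in the misidentification proof is left as `\sample`; apply the same fix there.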
@ -811,15 +891,14 @@ Choose a hash function $H:\{0,1\}^*
|
|||||||
\rightarrow \{1,2,3\}^t$ for some $t = \omega(\log n)$,
|
\rightarrow \{1,2,3\}^t$ for some $t = \omega(\log n)$,
|
||||||
which will be modeled as a random oracle in the security analysis.
|
which will be modeled as a random oracle in the security analysis.
|
||||||
Then, do the following. \smallskip \smallskip
|
Then, do the following. \smallskip \smallskip
|
||||||
% \vspace{-0.3 cm}
|
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item[1.] Generate a key pair for the signature of Section \ref{desc-sig-protoc} for signing single-block messages. Namely, run $\TrapGen(1^n,1^m,q)$ to get~$\mathbf{A} \in
|
\item[1.] Generate a key pair for the signature of Section \ref{desc-sig-protoc} for signing single-block messages. Namely, run $\TrapGen(1^n,1^m,q)$ to get~$\mathbf{A} \in
|
||||||
\ZZ_q^{n \times m}$ and a short basis $\mathbf{T}_{\mathbf{A}}$ of
|
\ZZ_q^{n \times m}$ and a short basis $\mathbf{T}_{\mathbf{A}}$ of
|
||||||
$\Lambda_q^{\perp}(\mathbf{A})$, which allows computing short vectors in $\Lambda_q^{\perp}(\mathbf{A})$ with Gaussian parameter $\sigma$.
|
$\Lambda_q^{\perp}(\mathbf{A})$, which allows computing short vectors in $\Lambda_q^{\perp}(\mathbf{A})$ with Gaussian parameter $\sigma$.
|
||||||
% $\sigma \geq \| \widetilde{\mathbf{T}_{\mathbf{A}}} \| \cdot \omega (\sqrt{\log m})$.
|
% $\sigma \geq \| \widetilde{\mathbf{T}_{\mathbf{A}}} \| \cdot \omega (\sqrt{\log m})$.
|
||||||
Next, choose matrices
|
Next, choose matrices
|
||||||
$\mathbf{A}_0,\mathbf{A}_1,\ldots,\mathbf{A}_{\ell},\mathbf{D} \sample U(\ZZ_q^{n \times m})$, $ \mathbf{D}_0,\mathbf{D}_1 \sample U(\ZZ_q^{2n \times 2m})$ and a vector $\mathbf{u} \sample U(\ZZ_q^n)$.
|
$\mathbf{A}_0,\mathbf{A}_1,\ldots,\mathbf{A}_{\ell},\mathbf{D} \sample (\ZZ_q^{n \times m})$, $ \mathbf{D}_0,\mathbf{D}_1 \sample (\ZZ_q^{2n \times 2m})$ and a vector $\mathbf{u} \sample (\ZZ_q^n)$.
|
||||||
\item[2.] Choose an additional random matrix $\mathbf{F} \sample U(\ZZ_q^{4n \times 4m})$ uniformly. Looking ahead, this matrix will be used to ensure security against framing attacks.
|
\item[2.] Choose an additional random matrix $\mathbf{F} \sample (\ZZ_q^{4n \times 4m})$ uniformly. Looking ahead, this matrix will be used to ensure security against framing attacks.
|
||||||
\item[3.]
|
\item[3.]
|
||||||
Generate a master key pair for the Gentry-Peikert-Vaikuntanathan IBE scheme
|
Generate a master key pair for the Gentry-Peikert-Vaikuntanathan IBE scheme
|
||||||
in its multi-bit variant. This key pair consists of a statistically uniform matrix
|
in its multi-bit variant. This key pair consists of a statistically uniform matrix
|
||||||
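Review bot: the bare-parenthesis form introduced on the changed lines, `$\mathbf{A}_0,\mathbf{A}_1,\ldots,\mathbf{A}_{\ell},\mathbf{D} \sample (\ZZ_q^{n \times m})$`, `$\mathbf{D}_0,\mathbf{D}_1 \sample (\ZZ_q^{2n \times 2m})$` and `$\mathbf{u} \sample (\ZZ_q^n)$`, reads as a typo once the $U$ is gone; if `\sample` is meant to denote uniform sampling by itself, drop the parentheses too (`$\sample \ZZ_q^{n \times m}$`), otherwise keep $U(\cdot)$. The same macro is used for Gaussian draws elsewhere in this file (`$\mathbf{s}_0 \sample D_{\ZZ^{2m},\sigma_0}$`), so the $U$ was carrying information; the word "uniformly" that already follows `$\mathbf{F} \sample (\ZZ_q^{4n \times 4m})$` does that job on that one line only. Minor: "Then, do the following. \smallskip \smallskip" doubles the skip; a single `\medskip` is the intended command.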
@ -831,10 +910,10 @@ Gaussian parameter $\sigma_{\mathrm{GPV}} \geq \| \widetilde{\mathbf{T}}_{\mathb
|
|||||||
that will be modeled as random oracles.
|
that will be modeled as random oracles.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
The group public key is defined
|
The group public key is defined
|
||||||
as $$\mathcal{Y}:=\big( \mathbf{A}, ~
|
as $$\mathcal{Y}\coloneqq \big( \mathbf{A}, ~
|
||||||
\{\mathbf{A}_j \}_{j=0}^{\ell},~\mathbf{B}, ~\mathbf{D},~ \mathbf{D}_0,~\mathbf{D}_1,~\mathbf{F}, ~\mathbf{u} , ~\Pi^\mathrm{OTS}, ~ H,~H_0 \big).$$
|
\{\mathbf{A}_j \}_{j=0}^{\ell},~\mathbf{B}, ~\mathbf{D},~ \mathbf{D}_0,~\mathbf{D}_1,~\mathbf{F}, ~\mathbf{u} , ~\Pi^\mathrm{OTS}, ~ H,~H_0 \big).$$
|
||||||
The opening authority's private key is $\mathcal{S}_{\OA}:=
|
The opening authority's private key is $\mathcal{S}_{\OA}\coloneqq
|
||||||
\mathbf{T}_{\mathbf{B}} $ and the private key of the group manager consists of $\mathcal{S}_{\GM}:= \mathbf{T}_{\mathbf{A}}$. The algorithm outputs
|
\mathbf{T}_{\mathbf{B}} $ and the private key of the group manager consists of $\mathcal{S}_{\GM}\coloneqq \mathbf{T}_{\mathbf{A}}$. The algorithm outputs
|
||||||
$\big( \mathcal{Y},\mathcal{S}_{\GM},\mathcal{S}_{\OA} \big)$.
|
$\big( \mathcal{Y},\mathcal{S}_{\GM},\mathcal{S}_{\OA} \big)$.
|
||||||
|
|
||||||
\bigskip
|
\bigskip
|
||||||
@ -906,7 +985,7 @@ and $\bit(\mathbf{v}_i) \in \{0,1\}^{2m}, \mathbf{w}_{i} \in \{0,1\}^m$, that
|
|||||||
- \mathbf{D} \cdot \mathbf{w}_i = \mathbf{u} \in \ZZ_q^n
|
- \mathbf{D} \cdot \mathbf{w}_i = \mathbf{u} \in \ZZ_q^n
|
||||||
\end{eqnarray}
|
\end{eqnarray}
|
||||||
and
|
and
|
||||||
\vspace*{-0.75cm}
|
|
||||||
\begin{eqnarray} \label{eq:rel-3}
|
\begin{eqnarray} \label{eq:rel-3}
|
||||||
\left\{
|
\left\{
|
||||||
\begin{array}{l}
|
\begin{array}{l}
|
||||||
@ -987,10 +1066,10 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
|
|||||||
|
|
||||||
\begin{proof}
|
\begin{proof}
|
||||||
We prove that any adversary $\adv$ with non-negligible success probability $\varepsilon$ implies an algorithm $\bdv$ solving the \textsf{SIS} problem
|
We prove that any adversary $\adv$ with non-negligible success probability $\varepsilon$ implies an algorithm $\bdv$ solving the \textsf{SIS} problem
|
||||||
in the random oracle model. \\
|
in the random oracle model.
|
||||||
\indent
|
|
||||||
Let $\adv$ be such a $\ppt$ adversary. We build a $\ppt$
|
Let $\adv$ be such a $\ppt$ adversary.
|
||||||
algorithm $\bdv$ that uses $\adv$ to
|
We then build a $\ppt$ reduction~$\bdv$ that uses the adversary~$\adv$ to
|
||||||
solve~$\SIS_{n,2m,q,\beta'}$: specifically, $\bdv$ takes as input~$\bar{\mathbf{A}} = \begin{bmatrix} \bar{\mathbf{A}}_1 | \bar{\mathbf{A}}_2 \end{bmatrix} \in
|
solve~$\SIS_{n,2m,q,\beta'}$: specifically, $\bdv$ takes as input~$\bar{\mathbf{A}} = \begin{bmatrix} \bar{\mathbf{A}}_1 | \bar{\mathbf{A}}_2 \end{bmatrix} \in
|
||||||
\Zq^{n \times 2m}$, where $\bar{\mathbf{A}}_1,\bar{\mathbf{A}}_2 \in \Zq^{n \times m}$, and finds $\mathbf{w} \in
|
\Zq^{n \times 2m}$, where $\bar{\mathbf{A}}_1,\bar{\mathbf{A}}_2 \in \Zq^{n \times m}$, and finds $\mathbf{w} \in
|
||||||
\Lambda_q^{\perp}(\bar{\mathbf{A}})$ with~$0 < \|\mathbf{w}\| \leq \beta'$.
|
\Lambda_q^{\perp}(\bar{\mathbf{A}})$ with~$0 < \|\mathbf{w}\| \leq \beta'$.
|
||||||
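Review bot: `$\bar{\mathbf{A}} = \begin{bmatrix} \bar{\mathbf{A}}_1 | \bar{\mathbf{A}}_2 \end{bmatrix}$` on the context line uses a plain `|` as the block separator, whereas the blind-signature proof earlier in this diff writes `$[ \bar{\mathbf{A}}_1 \mid \bar{\mathbf{A}}_2 ]$`; since this hunk already touches the surrounding sentence, normalise to `\mid` (which gets relation spacing) and to one bracket style. Replacing `\\` + `\indent` with a paragraph break is the right fix here (a trailing `\\` before a blank line yields an underfull box warning), but the identical `\sample ([1,Q_a])$. \\` + `\indent` pattern survives in the Initialization paragraph of the next hunk.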
@ -999,11 +1078,11 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
|
|||||||
|
|
||||||
\noindent \textbf{Initialization.} Algorithm~$\bdv$ first chooses a random $coin \sample
|
\noindent \textbf{Initialization.} Algorithm~$\bdv$ first chooses a random $coin \sample
|
||||||
U(\{0,1,2\})$ as a guess for the kind of misidentification attack that $\adv$ will mount. Also, $\bdv$
|
U(\{0,1,2\})$ as a guess for the kind of misidentification attack that $\adv$ will mount. Also, $\bdv$
|
||||||
chooses a random $\ell$-bit string $\mathsf{id}^\dagger \sample U(\{0,1\}^\ell)$.
|
chooses a random $\ell$-bit string $\mathsf{id}^\dagger \sample (\{0,1\}^\ell)$.
|
||||||
In
|
In
|
||||||
addition, $\bdv$
|
addition, $\bdv$
|
||||||
samples~$i^\star
|
samples~$i^\star
|
||||||
\sample U([1,Q_a])$. \\
|
\sample ([1,Q_a])$. \\
|
||||||
\indent
|
\indent
|
||||||
Looking ahead, $coin=0$ corresponds to the case where, after repeated executions of $\adv$, the knowledge extractor of the proof system
|
Looking ahead, $coin=0$ corresponds to the case where, after repeated executions of $\adv$, the knowledge extractor of the proof system
|
||||||
reveals witnesses containing a new identifier $\mathsf{id}^\star \in \{0,1\}^\ell$ that does not belong to any user in $U^a$.
|
reveals witnesses containing a new identifier $\mathsf{id}^\star \in \{0,1\}^\ell$ that does not belong to any user in $U^a$.
|
||||||
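Review bot: inconsistent within the hunk: `$coin \sample U(\{0,1,2\})$` keeps the $U$, while the two changed lines right after it, `$\mathsf{id}^\dagger \sample (\{0,1\}^\ell)$` and `$i^\star \sample ([1,Q_a])$`, drop it and keep the parentheses. Also `\sample ([1,Q_a])$. \\` followed by `\indent` is exactly the pattern this commit replaces with a paragraph break in the previous hunk; do the same here for consistency.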
@ -1029,7 +1108,7 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
|
|||||||
Depending on $coin \in \{0,1,2\}$, the group public key $\mathcal{Y}$ is
|
Depending on $coin \in \{0,1,2\}$, the group public key $\mathcal{Y}$ is
|
||||||
generated using different methods. \smallskip
|
generated using different methods. \smallskip
|
||||||
|
|
||||||
\noindent $\bullet$ If $coin=0$, algorithm~$\bdv$ first randomly chooses $\mathsf{id}^\dagger \sample U(\{0,1\}^\ell)$ as a guess for the $\ell$-bit string
|
\noindent $\bullet$ If $coin=0$, algorithm~$\bdv$ first randomly chooses $\mathsf{id}^\dagger \sample (\{0,1\}^\ell)$ as a guess for the $\ell$-bit string
|
||||||
that will be revealed by the knowledge extractor of the proof system after repeated executions of the adversary $\adv$.
|
that will be revealed by the knowledge extractor of the proof system after repeated executions of the adversary $\adv$.
|
||||||
Then, it runs
|
Then, it runs
|
||||||
$\TrapGen(1^n,1^m,q)$ to obtain $\mathbf{C} \in \Zq^{n \times m}$ and a
|
$\TrapGen(1^n,1^m,q)$ to obtain $\mathbf{C} \in \Zq^{n \times m}$ and a
|
||||||
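Review bot: $\mathsf{id}^\dagger$ is sampled twice: the Initialization paragraph in the previous hunk already states "$\bdv$ chooses a random $\ell$-bit string $\mathsf{id}^\dagger \sample (\{0,1\}^\ell)$", and the $coin=0$ branch here repeats "algorithm~$\bdv$ first randomly chooses $\mathsf{id}^\dagger \sample (\{0,1\}^\ell)$ as a guess for the $\ell$-bit string ...". The commit edits both lines but leaves the duplication; keep one of the two samplings and turn the other into a reference to it ("using the $\mathsf{id}^\dagger$ chosen at initialization").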
@ -1051,7 +1130,7 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
|
|||||||
\end{eqnarray*}
|
\end{eqnarray*}
|
||||||
It also defines $\mathbf{A}=\bar{\mathbf{A}}_1$.
|
It also defines $\mathbf{A}=\bar{\mathbf{A}}_1$.
|
||||||
Next, it samples a vector $\mathbf{e}_u \sample D_{\ZZ,\sigma}^m$ and computes a syndrome $\mathbf{u} = \bar{\mathbf{A}}_1 \cdot \mathbf{e}_u \in \Zq^n$. It picks $\mathbf{D}_0,\mathbf{D}_1
|
Next, it samples a vector $\mathbf{e}_u \sample D_{\ZZ,\sigma}^m$ and computes a syndrome $\mathbf{u} = \bar{\mathbf{A}}_1 \cdot \mathbf{e}_u \in \Zq^n$. It picks $\mathbf{D}_0,\mathbf{D}_1
|
||||||
\sample U(\Zq^{2n \times 2m})$ at random and also faithfully generates the GPV master key pair $(\mathbf{B},\mathbf{T}_{\mathbf{B}})$ as in Step~3 of the real setup algorithm. The group
|
\sample (\Zq^{2n \times 2m})$ at random and also faithfully generates the GPV master key pair $(\mathbf{B},\mathbf{T}_{\mathbf{B}})$ as in Step~3 of the real setup algorithm. The group
|
||||||
public key $\mathcal{Y}=\big(\mathbf{A},\{\mathbf{A}_j \}_{j=0}^{\ell}, \mathbf{B}, \mathbf{D},\mathbf{D}_0,\mathbf{D}_1,\mathbf{F}, \mathbf{u},\mathcal{OTS},H,H_0 \big)$
|
public key $\mathcal{Y}=\big(\mathbf{A},\{\mathbf{A}_j \}_{j=0}^{\ell}, \mathbf{B}, \mathbf{D},\mathbf{D}_0,\mathbf{D}_1,\mathbf{F}, \mathbf{u},\mathcal{OTS},H,H_0 \big)$
|
||||||
is finally given to~$\adv$. \\
|
is finally given to~$\adv$. \\
|
||||||
\indent Note that, for each $\mathsf{id} \neq \mathsf{id}^\dagger$, we have
|
\indent Note that, for each $\mathsf{id} \neq \mathsf{id}^\dagger$, we have
|
||||||
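Review bot: the group public key on the context line, `$\mathcal{Y}=\big(\mathbf{A},\{\mathbf{A}_j \}_{j=0}^{\ell}, \mathbf{B}, \mathbf{D},\mathbf{D}_0,\mathbf{D}_1,\mathbf{F}, \mathbf{u},\mathcal{OTS},H,H_0 \big)$`, names the one-time signature `\mathcal{OTS}`, while the setup algorithm in this same diff defines it as `$\mathcal{Y}\coloneqq \big( \mathbf{A}, ~ \ldots, ~\Pi^\mathrm{OTS}, ~ H,~H_0 \big)$`; the proof should reproduce the key exactly as defined. In the same hunk, `$\mathbf{e}_u \sample D_{\ZZ,\sigma}^m$` is the only place the discrete Gaussian is written with the dimension as an outer exponent ($D_{\ZZ,\sigma}^m$ versus $D_{\ZZ^m,\sigma}$ everywhere else); since the line is being edited anyway, align it.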
@ -1067,7 +1146,6 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
|
|||||||
\left[
|
\left[
|
||||||
\begin{array}{c|c} \bar{\mathbf{A}}_1 ~&~ \bar{\mathbf{A}}_1 + h_{\mathsf{id}} \cdot \mathbf{C}
|
\begin{array}{c|c} \bar{\mathbf{A}}_1 ~&~ \bar{\mathbf{A}}_1 + h_{\mathsf{id}} \cdot \mathbf{C}
|
||||||
\end{array} \right]
|
\end{array} \right]
|
||||||
% \vspace*{-.1cm}
|
|
||||||
\end{eqnarray}
|
\end{eqnarray}
|
||||||
where $h_{\mathsf{id}} \in [1,\ell]$ denotes the Hamming distance between
|
where $h_{\mathsf{id}} \in [1,\ell]$ denotes the Hamming distance between
|
||||||
the identifiers $\mathsf{id}$ and $\mathsf{id}^\dagger$. Since $q>\ell$, we have
|
the identifiers $\mathsf{id}$ and $\mathsf{id}^\dagger$. Since $q>\ell$, we have
|
||||||
@ -1100,7 +1178,7 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
|
|||||||
Next, $\bdv$ runs $(\mathbf{C},\mathbf{T}_{\mathbf{C}}) \leftarrow \mathsf{TrapGen}(1^n,1^m,q)$, $(\mathbf{D}_1,\mathbf{T}_{\mathbf{D}_1}) \leftarrow \mathsf{TrapGen}(1^{2n},1^{2m},q)$ so as to obtain statistically random matrices $\mathbf{C} \in \Zq^{n \times m}$, $ \mathbf{D}_1 \in \Zq^{2n \times 2m}$ together with
|
Next, $\bdv$ runs $(\mathbf{C},\mathbf{T}_{\mathbf{C}}) \leftarrow \mathsf{TrapGen}(1^n,1^m,q)$, $(\mathbf{D}_1,\mathbf{T}_{\mathbf{D}_1}) \leftarrow \mathsf{TrapGen}(1^{2n},1^{2m},q)$ so as to obtain statistically random matrices $\mathbf{C} \in \Zq^{n \times m}$, $ \mathbf{D}_1 \in \Zq^{2n \times 2m}$ together with
|
||||||
trapdoors $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m} $, $\mathbf{T}_{\mathbf{D}_1} \in \ZZ^{2m \times 2m}$ consisting of short bases of $\Lambda_q^{\perp}(\mathbf{C})$ and $\Lambda_q^{\perp}(\mathbf{D}_1)$, respectively. Then,
|
trapdoors $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m} $, $\mathbf{T}_{\mathbf{D}_1} \in \ZZ^{2m \times 2m}$ consisting of short bases of $\Lambda_q^{\perp}(\mathbf{C})$ and $\Lambda_q^{\perp}(\mathbf{D}_1)$, respectively. Then,
|
||||||
$\bdv$
|
$\bdv$
|
||||||
picks a random $\mathbf{D}_0 \sample U(\Zq^{2n \times 2m})$ and re-randomizes $\mathbf{D}=\bar{\mathbf{A}}_1 \in \Zq^{n \times m}$ using Gaussian matrices
|
picks a random $\mathbf{D}_0 \sample (\Zq^{2n \times 2m})$ and re-randomizes $\mathbf{D}=\bar{\mathbf{A}}_1 \in \Zq^{n \times m}$ using Gaussian matrices
|
||||||
$\mathbf{S},\mathbf{S}_0,\mathbf{S}_1,\ldots,\mathbf{S}_{\ell} \sample \ZZ^{m \times m}$ whose columns are sampled from the distribution $D_{\ZZ^m,\sigma}$.
|
$\mathbf{S},\mathbf{S}_0,\mathbf{S}_1,\ldots,\mathbf{S}_{\ell} \sample \ZZ^{m \times m}$ whose columns are sampled from the distribution $D_{\ZZ^m,\sigma}$.
|
||||||
Namely, from $\mathbf{D} =\bar{\mathbf{A}}_1 $, $\bdv$
|
Namely, from $\mathbf{D} =\bar{\mathbf{A}}_1 $, $\bdv$
|
||||||
defines
|
defines
|
||||||
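Review bot: `$\mathbf{S},\mathbf{S}_0,\mathbf{S}_1,\ldots,\mathbf{S}_{\ell} \sample \ZZ^{m \times m}$ whose columns are sampled from the distribution $D_{\ZZ^m,\sigma}$` keeps `\sample` for matrices that are not drawn uniformly from $\ZZ^{m \times m}$; an earlier hunk of this commit changed the analogous `$\mathbf{R}_1,\ldots,\mathbf{R}_N \sample \ZZ^{2m \times 2m}$` to `\in`, so make the same change here (and for `$\mathbf{Q} \sample \ZZ^{2m \times 2m}$` in the $coin=2$ case). The changed line `$\mathbf{D}_0 \sample (\Zq^{2n \times 2m})$` has the same bare-parenthesis form as the other `\sample (\cdot)` rewrites in this commit and reads as a typo without the $U$.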
@ -1123,12 +1201,12 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
|
|||||||
- \mathbf{D} \cdot \bit(\mathbf{c}_M),
|
- \mathbf{D} \cdot \bit(\mathbf{c}_M),
|
||||||
\end{eqnarray}
|
\end{eqnarray}
|
||||||
where
|
where
|
||||||
$\mathbf{c}_{M} \sample U(\Zq^{2n})$ is a randomly chosen vector. Observe that, since $\mathbf{A}$ is statistically uniform over $\Zq^{n \times m}$ and $ \mathbf{d}_{i^\star,1}
|
$\mathbf{c}_{M} \sample (\Zq^{2n})$ is a randomly chosen vector. Observe that, since $\mathbf{A}$ is statistically uniform over $\Zq^{n \times m}$ and $ \mathbf{d}_{i^\star,1}
|
||||||
\sample D_{\ZZ^m,\sigma}$, the distribution of
|
\sample D_{\ZZ^m,\sigma}$, the distribution of
|
||||||
$\mathbf{u} $ is statistically close to $U(\Zq^n)$.
|
$\mathbf{u} $ is statistically close to $U(\Zq^n)$.
|
||||||
\medskip
|
\medskip
|
||||||
|
|
||||||
\noindent $\bullet$ If $coin=2$, $\bdv$ picks $\bar{\mathbf{A}}' \sample U(\Zq^{n \times 2m})$
|
\noindent $\bullet$ If $coin=2$, $\bdv$ picks $\bar{\mathbf{A}}' \sample (\Zq^{n \times 2m})$
|
||||||
and a random matrix $\mathbf{Q} \sample \ZZ^{2m \times 2m}$ whose columns are sampled from $D_{\ZZ^{2m},\sigma}$. These
|
and a random matrix $\mathbf{Q} \sample \ZZ^{2m \times 2m}$ whose columns are sampled from $D_{\ZZ^{2m},\sigma}$. These
|
||||||
are used to define $$\mathbf{D}_0= \begin{bmatrix} \bar{\mathbf{A}} \\ \hline \bar{\mathbf{A}}' \end{bmatrix} \in \Zq^{2n \times 2m} ,$$
|
are used to define $$\mathbf{D}_0= \begin{bmatrix} \bar{\mathbf{A}} \\ \hline \bar{\mathbf{A}}' \end{bmatrix} \in \Zq^{2n \times 2m} ,$$
|
||||||
and $\mathbf{D}_1=\mathbf{D}_0 \cdot \mathbf{Q} \bmod q$, which is statistically close to $U(\Zq^{2n \times 2m})$. All other components of $\mathcal{Y}$ are obtained by faithfully running the setup algorithm. \medskip
|
and $\mathbf{D}_1=\mathbf{D}_0 \cdot \mathbf{Q} \bmod q$, which is statistically close to $U(\Zq^{2n \times 2m})$. All other components of $\mathcal{Y}$ are obtained by faithfully running the setup algorithm. \medskip
|
||||||
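Review bot: the context line "the distribution of $\mathbf{u}$ is statistically close to $U(\Zq^n)$" shows that $U(\cdot)$ remains the document's name for the uniform distribution, so rewriting `$\mathbf{c}_{M} \sample U(\Zq^{2n})$` as `$\mathbf{c}_{M} \sample (\Zq^{2n})$` (and `$\bar{\mathbf{A}}' \sample (\Zq^{n \times 2m})$`) removes the only cue that separates these uniform draws from the Gaussian draw written with the same arrow two lines later, `$\mathbf{d}_{i^\star,1} \sample D_{\ZZ^m,\sigma}$`. Keep $U(\cdot)$ after `\sample`, or reserve `\sample` for uniform draws and write Gaussian draws with a different symbol; the current mix of `\sample (\cdot)`, `\sample D_{\cdot}` and `\sample \ZZ^{2m \times 2m}` (for $\mathbf{Q}$ in this hunk) is hard to read.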
@ -1173,7 +1251,6 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
|
|||||||
\left[
|
\left[
|
||||||
\begin{array}{c|c} \bar{\mathbf{A}} \cdot \mathbf{S} ~&~ \bar{\mathbf{A}} + h_{\mathsf{id}_i} \cdot \mathbf{C}
|
\begin{array}{c|c} \bar{\mathbf{A}} \cdot \mathbf{S} ~&~ \bar{\mathbf{A}} + h_{\mathsf{id}_i} \cdot \mathbf{C}
|
||||||
\end{array} \right]
|
\end{array} \right]
|
||||||
% \vspace*{-.1cm}
|
|
||||||
\end{eqnarray}
|
\end{eqnarray}
|
||||||
Since $h_{\mathsf{id}_i} \neq 0$, $\bdv$ can use the trapdoor
|
Since $h_{\mathsf{id}_i} \neq 0$, $\bdv$ can use the trapdoor
|
||||||
$\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$ of $\Lambda_q^{\perp}(\mathbf{C})$ to compute a short vector $\mathbf{d}_i = [ \mathbf{d}_{i,1}^T ~|~\mathbf{d}_{i,2}^T ]^T \in \ZZ^{2m}$ such that
|
$\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$ of $\Lambda_q^{\perp}(\mathbf{C})$ to compute a short vector $\mathbf{d}_i = [ \mathbf{d}_{i,1}^T ~|~\mathbf{d}_{i,2}^T ]^T \in \ZZ^{2m}$ such that
|
||||||
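Review bot: the block matrix on the context lines, `\begin{array}{c|c} \bar{\mathbf{A}} \cdot \mathbf{S} ~&~ \bar{\mathbf{A}} + h_{\mathsf{id}_i} \cdot \mathbf{C}`, does not type-check with the dimensions stated in this proof: $\bar{\mathbf{A}} \in \Zq^{n \times 2m}$ is the whole SIS instance, whereas $\mathbf{S} \in \ZZ^{m \times m}$ and $\mathbf{C} \in \Zq^{n \times m}$, and the $coin=1$ setup re-randomises $\mathbf{D}=\bar{\mathbf{A}}_1 \in \Zq^{n \times m}$ with $\mathbf{S}$. The analogous block for $coin=0$ earlier in the diff reads `\bar{\mathbf{A}}_1 ~&~ \bar{\mathbf{A}}_1 + h_{\mathsf{id}} \cdot \mathbf{C}`, so both entries here presumably want $\bar{\mathbf{A}}_1$; worth fixing while the hunk is open.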
@ -1205,34 +1282,23 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
|
|||||||
more than once, then~$\bdv$ consistently returns the previously defined
|
more than once, then~$\bdv$ consistently returns the previously defined
|
||||||
value. Queries to the random oracle $H_0$ are answered in the usual way, by returning a uniformly random value in the appropriate range. \medskip
|
value. Queries to the random oracle $H_0$ are answered in the usual way, by returning a uniformly random value in the appropriate range. \medskip
|
||||||
|
|
||||||
\noindent \textbf{Forgery.} When $\adv$ halts, it outputs a
|
\textbf{Forgery.} When $\adv$ halts, it outputs a
|
||||||
signature $ \Sigma^\star=\big( \mathsf{VK}^\star ,\mathbf{c}_{\mathbf{v}_i}^\star, \pi_K^\star,sig^\star \big)$ on some message $M^\star$. At this point, $\bdv$ uses the
|
signature $ \Sigma^\star=\big( \mathsf{VK}^\star ,\mathbf{c}_{\mathbf{v}_i}^\star, \pi_K^\star,sig^\star \big)$ on some message $M^\star$. At this point, $\bdv$ uses the
|
||||||
trapdoor $\mathbf{T}_{\mathbf{B}}$ to decrypt $\mathbf{c}_{\mathbf{v}_i}^\star$ and obtain an $m$-bit string $\bit(\mathbf{v}^\star) \in \{0,1\}^m$.
|
trapdoor $\mathbf{T}_{\mathbf{B}}$ to decrypt $\mathbf{c}_{\mathbf{v}_i}^\star$ and obtain an $m$-bit string $\bit(\mathbf{v}^\star) \in \{0,1\}^m$.
|
||||||
|
|
||||||
%We know that, with probability $\Pr[W_2]$, it holds that
|
|
||||||
%\begin{itemize}
|
|
||||||
%\item[-] The pair $(M^\star,\Sigma^\star)$ results in a successful misidentification attack and, when $\bdv$ runs the $\mathsf{Open}$ algorithm on $\Sigma^\star$, the $\ell$-bit %identifier $\mathsf{id}^\star$ revealed at step 2
|
|
||||||
%coincides with $\mathsf{id}^\dagger$.
|
|
||||||
%\item[-]
|
|
||||||
%If $coin=0$, $\mathsf{id}^\dagger$ did not appear in any membership certificate returned by $\mathcal{Q}_{\ajoin}$ whereas, if $coin=1$, $\mathsf{id}^\dagger$ is the identifier used by
|
|
||||||
%$\mathcal{Q}_{\ajoin}$ at the $i^\star$-th query.
|
|
||||||
%\item[-] If $coin=2$, the opening of $\Sigma^\star$ reveals vectors $\bit(\mathbf{v}^\star)$ and $\mathbf{s}^\star$ that result in a collision (\ref{collide})
|
|
||||||
% with those $(\bit(\mathbf{v}_{i^\star}),\mathbf{s}_{i^\star})$
|
|
||||||
%of the $i^\star$-th joining query.
|
|
||||||
%\end{itemize}
|
|
||||||
%In any other situation, $\bdv$ aborts and reports failure. Note that, in the case $coin=2$, $\bdv$ is done since the collision (\ref{collide}) directly provides a
|
|
||||||
%$\mathsf{SIS}$ solution. We thus assume $coin \in \{0,1\}$.
|
|
||||||
If we parse the proof $\pi_K^\star$ as
|
If we parse the proof $\pi_K^\star$ as
|
||||||
$(\{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t,\mathsf{Chall}_K^\star,\{\mathsf{Resp}_{K,j}^\star \}_{j=1}^t)$, with high
|
$(\{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t,\mathsf{Chall}_K^\star,\{\mathsf{Resp}_{K,j}^\star \}_{j=1}^t)$,
|
||||||
probability, the adversary $\adv$ must have invoked the random oracle~$H$ on the
|
the adversary $\adv$ must have invoked the random oracle~$H$ on the
|
||||||
input~$ (M^\star, \mathsf{VK}^\star , \mathbf{c}_{\mathbf{v}_i}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$.
|
input~$(M^\star, \mathsf{VK}^\star , \mathbf{c}_{\mathbf{v}_i}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$ with high probability.
|
||||||
Otherwise, the probability that
|
Otherwise, the probability that
|
||||||
$\mathsf{Chall}_K^\star=H (M^\star, \mathsf{VK}^\star , \mathbf{c}_{\mathbf{v}_i}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$
|
$\mathsf{Chall}_K^\star=H (M^\star, \mathsf{VK}^\star , \mathbf{c}_{\mathbf{v}_i}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$
|
||||||
is negligible (at most~$3^{-t}$). It comes that, with probability at least $ \varepsilon' := \varepsilon-
|
is negligible (at most~$3^{-t}$).
|
||||||
|
|
||||||
|
It comes that, with probability at least $ \varepsilon' \coloneqq \varepsilon-
|
||||||
3^{-t} $, $ (M^\star, \mathsf{VK}^\star , \mathbf{c}_{\mathbf{v}_i}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$
|
3^{-t} $, $ (M^\star, \mathsf{VK}^\star , \mathbf{c}_{\mathbf{v}_i}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$
|
||||||
coincides with the $\kappa^\star$-th random oracle query for some $\kappa^\star
|
coincides with the $\kappa^\star$-th random oracle query for some $\kappa^\star
|
||||||
\leq Q_H$. \\
|
\leq Q_H$.
|
||||||
\indent
|
|
||||||
At this stage, the reduction $\bdv$ runs the
|
At this stage, the reduction $\bdv$ runs the
|
||||||
adversary $\adv$ up to $32 \cdot Q_H / (\varepsilon - 3^{-t})$ times with the \textit{same} random tape and input as in the
|
adversary $\adv$ up to $32 \cdot Q_H / (\varepsilon - 3^{-t})$ times with the \textit{same} random tape and input as in the
|
||||||
initial run. All queries are answered as previously with
|
initial run. All queries are answered as previously with
|
||||||
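Review bot: "It comes that, with probability at least $ \varepsilon' \coloneqq \varepsilon- 3^{-t} $, ..." is a Gallicism; write "It follows that, with probability at least ...". Dropping `\noindent` from `\textbf{Forgery.}` leaves this paragraph heading indented while `\noindent \textbf{Initialization.}` earlier in the proof keeps it; the two headings should be formatted the same way. The deletion of the `%We know that, with probability $\Pr[W_2]$ ...` commented block and the move of "with high probability" to the end of its sentence are both fine as is.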
@ -1276,15 +1342,16 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
|
|||||||
\item[-] $coin=2$ and the knowledge extraction yields vectors $\bit(\mathbf{v}^\star) \in \{0,1\}^{2m}$ and $\mathbf{s}^\star \in \ZZ^{2m}$ such that the collision
|
\item[-] $coin=2$ and the knowledge extraction yields vectors $\bit(\mathbf{v}^\star) \in \{0,1\}^{2m}$ and $\mathbf{s}^\star \in \ZZ^{2m}$ such that the collision
|
||||||
(\ref{collide}) does not occur.
|
(\ref{collide}) does not occur.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
We call $\mathsf{fail}$ the event that one of the above situations occurs. Given that the choices of $coin \sample U(\{0,1,2\})$ and $i^\star \sample U([1,Q_a])$ are completely independent of $\adv$'s view,
|
We call $\mathsf{fail}$ the event that one of the above situations occurs. Given that the choices of $coin \sample (\{0,1,2\})$ and $i^\star \sample ([1,Q_a])$ are completely independent of $\adv$'s view,
|
||||||
the choice of $coin$ is correct with probability $1/3$. If $coin=0$, $\bdv$'s choice of $\mathsf{id}^\dagger \sample U(\{0,1\}^\ell)$ is correct with probability $1/(N_{\mathsf{gs}}-Q_a) \geq 1/N_{\mathsf{gs}}$ and, when
|
the choice of $coin$ is correct with probability $1/3$. If $coin=0$, $\bdv$'s choice of $\mathsf{id}^\dagger \sample (\{0,1\}^\ell)$ is correct with probability $1/(N_{\mathsf{gs}}-Q_a) \geq 1/N_{\mathsf{gs}}$ and, when
|
||||||
$coin=1$, $\bdv$'s correctly guesses $i^\star \in [1,Q_a]$ with probability $1/Q_a$. We find
|
$coin=1$, $\bdv$'s correctly guesses $i^\star \in [1,Q_a]$ with probability $1/Q_a$. We find
|
||||||
$$\Pr[ \neg \mathsf{fail}] \geq \frac{1}{3 \cdot \max(N_{\mathsf{gs}},Q_a)} =\frac{1}{3 \cdot N_{\mathsf{gs}} } .$$
|
$$\Pr[ \neg \mathsf{fail}] \geq \frac{1}{3 \cdot \max(N_{\mathsf{gs}},Q_a)} =\frac{1}{3 \cdot N_{\mathsf{gs}} } .$$
|
||||||
|
|
||||||
Assuming that $\mathsf{fail}$ does not occur, $\bdv$ can solve the problem instance as follows. \smallskip
|
Assuming that $\mathsf{fail}$ does not occur, $\bdv$ can solve the problem instance as follows.
|
||||||
|
|
||||||
|
|
||||||
\noindent $\bullet$ If $coin=0$, we have $\mathsf{id}^\star=\mathsf{id}^\dagger$ and $\bdv$ knows a short vector $\mathbf{e}_u \in \ZZ^m$ such that $\mathbf{u} = \bar{\mathbf{A}}_1 \cdot \mathbf{e}_u \bmod q$. Hence, it can obtain a short integer vector
|
\begin{itemize}
|
||||||
|
\item If $coin=0$, we have $\mathsf{id}^\star=\mathsf{id}^\dagger$ and $\bdv$ knows a short vector $\mathbf{e}_u \in \ZZ^m$ such that $\mathbf{u} = \bar{\mathbf{A}}_1 \cdot \mathbf{e}_u \bmod q$. Hence, it can obtain a short integer vector
|
||||||
\begin{eqnarray*}
|
\begin{eqnarray*}
|
||||||
\mathbf{h} = {\mathbf{d}_1^\star} + \big( \mathbf{Q}_0 + \sum_{i=1}^\ell \mathsf{id}^\dagger [i] \mathbf{Q}_i \big) \cdot {\mathbf{d}_2^\star} - \mathbf{Q}_D
|
\mathbf{h} = {\mathbf{d}_1^\star} + \big( \mathbf{Q}_0 + \sum_{i=1}^\ell \mathsf{id}^\dagger [i] \mathbf{Q}_i \big) \cdot {\mathbf{d}_2^\star} - \mathbf{Q}_D
|
||||||
\cdot \bit(\mathbf{v}^\star) - \mathbf{e}_u \in \ZZ^m
|
\cdot \bit(\mathbf{v}^\star) - \mathbf{e}_u \in \ZZ^m
|
||||||
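Review bot: the new `\begin{itemize}` that replaces `\noindent $\bullet$ If $coin=0$` must be closed by `\end{itemize}` after the $coin=2$ case; the visible diff ends inside the $coin=2$ item with no matching `\end{itemize}`, which would leave the `proof` environment unbalanced, so please check the end of this proof. Typo on the context line "$coin=1$, $\bdv$'s correctly guesses $i^\star \in [1,Q_a]$ with probability $1/Q_a$": `$\bdv$'s` should be `$\bdv$`. The changed line `$coin \sample (\{0,1,2\})$ and $i^\star \sample ([1,Q_a])$` has the same bare-parenthesis form `\sample (\cdot)` introduced elsewhere in this commit and reads as a typo without the $U$.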
@ -1294,11 +1361,8 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
|
|||||||
$\mathbf{e}_u \in \ZZ^m$
|
$\mathbf{e}_u \in \ZZ^m$
|
||||||
in $\Lambda_q^{\mathbf{u}}(\bar{\mathbf{A}}_1)$. Finally, the norm of $\mathbf{h}$ is at most $\| \mathbf{h} \|_2 \leq (\ell+1) \sigma^2 m^{3/2} + \sigma m^{1/2} (m+2)$.
|
in $\Lambda_q^{\mathbf{u}}(\bar{\mathbf{A}}_1)$. Finally, the norm of $\mathbf{h}$ is at most $\| \mathbf{h} \|_2 \leq (\ell+1) \sigma^2 m^{3/2} + \sigma m^{1/2} (m+2)$.
|
||||||
This implies that $(\mathbf{h}^T \mid \mathbf{0}^m)^T$ is a short non-zero vector of $\Lambda_q^{\perp}(\bar{\mathbf{A}})$ and solves the initial $\mathsf{SIS}$ instance.
|
This implies that $(\mathbf{h}^T \mid \mathbf{0}^m)^T$ is a short non-zero vector of $\Lambda_q^{\perp}(\bar{\mathbf{A}})$ and solves the initial $\mathsf{SIS}$ instance.
|
||||||
\smallskip
|
|
||||||
|
|
||||||
|
\item If $coin=1$, the extracted
|
||||||
\smallskip
|
|
||||||
\noindent $\bullet$ If $coin=1$, the extracted
|
|
||||||
witnesses $(\mathbf{d}_{1}^\star,\mathbf{d}_{2}^\star,\mathbf{s}^\star,\mathsf{id}^\star)$ and the decrypted $\bit(\mathbf{v}^\star)$
|
witnesses $(\mathbf{d}_{1}^\star,\mathbf{d}_{2}^\star,\mathbf{s}^\star,\mathsf{id}^\star)$ and the decrypted $\bit(\mathbf{v}^\star)$
|
||||||
satisfy $\mathsf{id}^\star=\mathsf{id}^\dagger$, $$\mathbf{w}^\star = \bit( \mathbf{D}_0 \cdot \bit(\mathbf{v}^\star) + \mathbf{D}_1 \cdot \mathbf{s}^\star )
|
satisfy $\mathsf{id}^\star=\mathsf{id}^\dagger$, $$\mathbf{w}^\star = \bit( \mathbf{D}_0 \cdot \bit(\mathbf{v}^\star) + \mathbf{D}_1 \cdot \mathbf{s}^\star )
|
||||||
\neq \bit( \mathbf{D}_0 \cdot \bit(\mathbf{v}_{i^\star}) + \mathbf{D}_1 \cdot \mathbf{s}_{i^\star} ) = \mathbf{w}_{i^\star} $$
|
\neq \bit( \mathbf{D}_0 \cdot \bit(\mathbf{v}_{i^\star}) + \mathbf{D}_1 \cdot \mathbf{s}_{i^\star} ) = \mathbf{w}_{i^\star} $$
|
||||||
@ -1338,13 +1402,14 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
|
|||||||
Indeed, we know that $\mathbf{w}^\star \neq \mathbf{w}_{i^\star}$ if $\neg \mathsf{fail}$ occurs.
|
Indeed, we know that $\mathbf{w}^\star \neq \mathbf{w}_{i^\star}$ if $\neg \mathsf{fail}$ occurs.
|
||||||
This implies that the last term of (\ref{the-vec}) is non-zero, which rules out that $(\mathbf{d}_1^\star,\mathbf{d}_2^\star)=(\mathbf{d}_{i^\star,1},\mathbf{d}_{i^\star,2})$.
|
This implies that the last term of (\ref{the-vec}) is non-zero, which rules out that $(\mathbf{d}_1^\star,\mathbf{d}_2^\star)=(\mathbf{d}_{i^\star,1},\mathbf{d}_{i^\star,2})$.
|
||||||
Since the columns of $\mathbf{S}$ and $\{\mathbf{S}_j\}_{j=0}^\ell$ have a lot of entropy conditionally on $\mathcal{Y}$, this implies that we can only have $\mathbf{h}=\mathbf{0}^m$ with negligible probability. Furthermore, the norm of $\mathbf{h}$ can be bounded by $\| \mathbf{h} \|_2 \leq 4 \sigma^2 m^{3/2} (\ell+2) + 2 m^{1/2} $,
|
Since the columns of $\mathbf{S}$ and $\{\mathbf{S}_j\}_{j=0}^\ell$ have a lot of entropy conditionally on $\mathcal{Y}$, this implies that we can only have $\mathbf{h}=\mathbf{0}^m$ with negligible probability. Furthermore, the norm of $\mathbf{h}$ can be bounded by $\| \mathbf{h} \|_2 \leq 4 \sigma^2 m^{3/2} (\ell+2) + 2 m^{1/2} $,
|
||||||
so that $(\mathbf{h}^T \mid \mathbf{0}^m)^T$ solves the original $\mathsf{SIS}$ instance. \medskip
|
so that $(\mathbf{h}^T \mid \mathbf{0}^m)^T$ solves the original $\mathsf{SIS}$ instance.
|
||||||
|
|
||||||
\noindent $\bullet$ If $coin=2$, $\bdv$ is done as well since the collision (\ref{collide}) directly provides a vector
|
\item If $coin=2$, $\bdv$ is done as well since the collision (\ref{collide}) directly provides a vector
|
||||||
$$\mathbf{h}=\bit(\mathbf{v}^\star) - \bit(\mathbf{v}_i^\star) + \mathbf{Q} \cdot (\mathbf{s}^\star - \mathbf{s}_i^\star) ~ \in \ZZ^{2m}$$ of $\Lambda_q^{\perp}(\mathbf{D}_0)$ (which is also in
|
$$\mathbf{h}=\bit(\mathbf{v}^\star) - \bit(\mathbf{v}_i^\star) + \mathbf{Q} \cdot (\mathbf{s}^\star - \mathbf{s}_i^\star) ~ \in \ZZ^{2m}$$ of $\Lambda_q^{\perp}(\mathbf{D}_0)$ (which is also in
|
||||||
the lattice $\Lambda_q^{\perp}(\bar{\mathbf{A}})$ by construction) and has
|
the lattice $\Lambda_q^{\perp}(\bar{\mathbf{A}})$ by construction) and has
|
||||||
norm $\| \mathbf{h} \|_2 \leq 2(\sigma^2 (2m)^{3/2} + (2m)^{1/2}) $. Moreover, $\mathbf{h} \in \ZZ^{2m}$ is non-zero with overwhelming probability
|
norm $\| \mathbf{h} \|_2 \leq 2(\sigma^2 (2m)^{3/2} + (2m)^{1/2}) $. Moreover, $\mathbf{h} \in \ZZ^{2m}$ is non-zero with overwhelming probability
|
||||||
given that $\bit(\mathbf{v}^\star) \neq \bit(\mathbf{v}_i^\star)$ and the large amount of entropy retained by the columns $\mathbf{Q} \in \ZZ^{2m \times 2m}$ given $\mathbf{D}_1= \mathbf{D}_0 \cdot \mathbf{Q}$.
|
given that $\bit(\mathbf{v}^\star) \neq \bit(\mathbf{v}_i^\star)$ and the large amount of entropy retained by the columns $\mathbf{Q} \in \ZZ^{2m \times 2m}$ given $\mathbf{D}_1= \mathbf{D}_0 \cdot \mathbf{Q}$.
|
||||||
|
\end{itemize}
|
||||||
\end{proof}
|
\end{proof}
|
||||||
|
|
||||||
|
|
||||||
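Review bot: the indices in the `coin=2` display are inconsistent with the `coin=1` case: here the vector is written `\bit(\mathbf{v}^\star) - \bit(\mathbf{v}_i^\star) + \mathbf{Q} \cdot (\mathbf{s}^\star - \mathbf{s}_i^\star)`, whereas the `coin=1` case uses `\mathbf{v}_{i^\star}` and `\mathbf{s}_{i^\star}`; since `i^\star` is the index of the colliding user, `\mathbf{v}_{i^\star}` / `\mathbf{s}_{i^\star}` is what is meant, and the same applies to the "given that $\bit(\mathbf{v}^\star) \neq \bit(\mathbf{v}_i^\star)$" sentence. Removing the trailing `\medskip` on the "solves the original SIS instance" line is fine now that the cases are `\item`s.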
@ -1365,7 +1430,7 @@ The scheme is secure against framing attacks under the $\mathsf{SIS}_{4n,4m,q,\b
|
|||||||
As a result of having generated $\mathcal{Y}$ itself, $\bdv$ knows
|
As a result of having generated $\mathcal{Y}$ itself, $\bdv$ knows
|
||||||
$\mathcal{S}_{\GM}=\mathbf{T}_{\mathbf{A}}$ and $\mathcal{S}_{\OA}= \mathbf{T}_{\mathbf{B}}$. The adversary $\bdv$ is run on input of the
|
$\mathcal{S}_{\GM}=\mathbf{T}_{\mathbf{A}}$ and $\mathcal{S}_{\OA}= \mathbf{T}_{\mathbf{B}}$. The adversary $\bdv$ is run on input of the
|
||||||
group public key
|
group public key
|
||||||
$$ \mathcal{Y}:=\Bigl(\mathbf{A}, \{\mathbf{A}_j\}_{j=0}^\ell,~\mathbf{B},~\mathbf{D},~\mathbf{D}_0,~\mathbf{D}_1,~\mathbf{F}=\bar{\mathbf{A}},~\mathbf{u},~\Pi^{\mathsf{OTS}},~H,~H_0 ) \Bigr). $$
|
$$ \mathcal{Y}\coloneqq \Bigl(\mathbf{A}, \{\mathbf{A}_j\}_{j=0}^\ell,~\mathbf{B},~\mathbf{D},~\mathbf{D}_0,~\mathbf{D}_1,~\mathbf{F}=\bar{\mathbf{A}},~\mathbf{u},~\Pi^{\mathsf{OTS}},~H,~H_0 ) \Bigr). $$
|
||||||
|
|
||||||
If $\adv$ chooses
|
If $\adv$ chooses
|
||||||
to corrupt the group manager or the opening authority during the
|
to corrupt the group manager or the opening authority during the
|
||||||
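Review bot: the `\mathcal{Y}` display has one closing parenthesis too many: it opens with `\Bigl(` but ends with `~H,~H_0 ) \Bigr)`, so either the inner `)` or the `\Bigr)` should go. The `:=` to `\coloneqq` change on the same line also presumes `mathtools` (or an equivalent `\coloneqq` definition) is loaded in the preamble, which is not part of this diff.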
@ -1416,7 +1481,7 @@ probability, $\adv$ must have queried~$H$ on the
|
|||||||
input~$ (M^\star, \mathsf{VK}^\star ,\mathbf{c}_{\mathbf{v}}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$.
|
input~$ (M^\star, \mathsf{VK}^\star ,\mathbf{c}_{\mathbf{v}}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$.
|
||||||
Otherwise, we would only have
|
Otherwise, we would only have
|
||||||
$\mathsf{Chall}_K^\star=H (M^\star, \mathsf{VK}^\star ,\mathbf{c}_{\mathbf{v}}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$
|
$\mathsf{Chall}_K^\star=H (M^\star, \mathsf{VK}^\star ,\mathbf{c}_{\mathbf{v}}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$
|
||||||
with negligible probability~$3^{-t}$. It comes that, with probability at least $ \varepsilon' := \varepsilon-
|
with negligible probability~$3^{-t}$. It comes that, with probability at least $ \varepsilon' \coloneqq \varepsilon-
|
||||||
3^{-t} $, the tuple $ (M^\star, \mathsf{VK}^\star ,\mathbf{c}_{\mathbf{v}}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$
|
3^{-t} $, the tuple $ (M^\star, \mathsf{VK}^\star ,\mathbf{c}_{\mathbf{v}}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$
|
||||||
was the input of the $\kappa^\star$-th random oracle query for some index $\kappa^\star
|
was the input of the $\kappa^\star$-th random oracle query for some index $\kappa^\star
|
||||||
\leq Q_H$. \\
|
\leq Q_H$. \\
|
||||||
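Review bot: "It comes that, with probability at least $\varepsilon' \coloneqq \varepsilon - 3^{-t}$" is a Gallicism; "It follows that" reads naturally in English. While on this line, the trailing `\leq Q_H$. \\` ends the paragraph with a forced line break, which yields an underfull `\hbox` warning; a blank line or `\par` is the intended paragraph break.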
@ -1487,7 +1552,7 @@ Hence, the difference $\mathbf{h} = \mathbf{z}' - \mathbf{z}_{i^\star} \in \ZZ^{
|
|||||||
\smallskip
|
\smallskip
|
||||||
|
|
||||||
\item[$\textsf{Game}^{(d)}$~2:] In this game, we program the random oracle $H_0$ in the following way: at the beginning of the game, we choose
|
\item[$\textsf{Game}^{(d)}$~2:] In this game, we program the random oracle $H_0$ in the following way: at the beginning of the game, we choose
|
||||||
a uniformly random matrix $\mathbf{G}_0^\star \sample U(\Zq^{n \times 2m})$ and set $H_0(\vk^\star) = \mathbf{G}^\star_0$. From the adversary's view, the distribution of
|
a uniformly random matrix $\mathbf{G}_0^\star \sample (\Zq^{n \times 2m})$ and set $H_0(\vk^\star) = \mathbf{G}^\star_0$. From the adversary's view, the distribution of
|
||||||
$\mathbf{G}_0^\star$ is statistically close to the one in the real attack game, as in \cite{GPV08}.
|
$\mathbf{G}_0^\star$ is statistically close to the one in the real attack game, as in \cite{GPV08}.
|
||||||
As for other queries, for each fresh $H_0$-queries on $\vk$,
|
As for other queries, for each fresh $H_0$-queries on $\vk$,
|
||||||
the challenger samples small-norm matrices $\mathbf{E}_{0,\vk} \sample D_{\ZZ^m, \sigma}^{2m}$ and programs the oracle such that
|
the challenger samples small-norm matrices $\mathbf{E}_{0,\vk} \sample D_{\ZZ^m, \sigma}^{2m}$ and programs the oracle such that
|
||||||
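Review bot: dropping the `U` in `\mathbf{G}_0^\star \sample (\Zq^{n \times 2m})` leaves a bare parenthesised set after the sampling arrow. If `\sample` was redefined to carry the uniform-distribution symbol itself, the parentheses are now dangling (`\sample \Zq^{n \times 2m}` would be the form to use); if it was not, the `U` was lost. Either way the sigmasig chapter in this same commit still writes `r_1,r_2\sample\U(\Zp)`, so the two chapters now denote uniform sampling differently; pick one macro (`\U(\cdot)`) and use it in both.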
@ -1529,7 +1594,7 @@ Hence, the difference $\mathbf{h} = \mathbf{z}' - \mathbf{z}_{i^\star} \in \ZZ^{
|
|||||||
\mathbf{r}_1 \\ \mathbf{r}_2 + \bit(\mathbf{v}_{d}^\star) \lfloor q/2 \rfloor
|
\mathbf{r}_1 \\ \mathbf{r}_2 + \bit(\mathbf{v}_{d}^\star) \lfloor q/2 \rfloor
|
||||||
\end{pmatrix}, \]
|
\end{pmatrix}, \]
|
||||||
%where $\mathbf{v}_{i_b}^\star= \mathbf{F} \cdot \mathbf{z}_{i_b}^\star $, and
|
%where $\mathbf{v}_{i_b}^\star= \mathbf{F} \cdot \mathbf{z}_{i_b}^\star $, and
|
||||||
where $\mathbf{r}_1 \sample U(\Zq^{m})$, $\mathbf{r}_2 \sample U(\Zq^{2m})$ are uniformly random.
|
where $\mathbf{r}_1 \sample (\Zq^{m})$, $\mathbf{r}_2 \sample (\Zq^{2m})$ are uniformly random.
|
||||||
The hardness of the decisional $\LWE_{n, q, \chi}$ problem implies that $\mathbf{c}^\star_{\mathbf{v}_d}$ in \ extsf{Game} $4$ and \ extsf{Game} $5$ are computationally indistinguishable.
|
The hardness of the decisional $\LWE_{n, q, \chi}$ problem implies that $\mathbf{c}^\star_{\mathbf{v}_d}$ in \ extsf{Game} $4$ and \ extsf{Game} $5$ are computationally indistinguishable.
|
||||||
If $\adv$ can distinguish between these two games, it can furthermore distinguish
|
If $\adv$ can distinguish between these two games, it can furthermore distinguish
|
||||||
\[ \begin{pmatrix}
|
\[ \begin{pmatrix}
|
||||||
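Review bot: the context line "in \ extsf{Game} $4$ and \ extsf{Game} $5$ are computationally indistinguishable" shows whitespace between the backslash and `extsf`; if that character is really in the source, `\ ` is a control space and `extsf{Game}` is typeset literally, so this should read `\textsf{Game}~4 and \textsf{Game}~5`. The same `\sample U(...)` to `\sample (...)` remark as in the previous hunk applies to `\mathbf{r}_1 \sample (\Zq^{m})` and `\mathbf{r}_2 \sample (\Zq^{2m})` here.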
@ -1543,7 +1608,7 @@ Hence, the difference $\mathbf{h} = \mathbf{z}' - \mathbf{z}_{i^\star} \in \ZZ^{
|
|||||||
\smallskip
|
\smallskip
|
||||||
|
|
||||||
\item[\textsf{Game}~6:] We finally make a conceptual modification on the previous game. Namely we sample uniformly random $\mathbf{r}_1^\prime
|
\item[\textsf{Game}~6:] We finally make a conceptual modification on the previous game. Namely we sample uniformly random $\mathbf{r}_1^\prime
|
||||||
\sample U(\Zq^{m})$, $\mathbf{r}_2^\prime \sample U(\Zq^{2m})$ and assign
|
\sample (\Zq^{m})$, $\mathbf{r}_2^\prime \sample (\Zq^{2m})$ and assign
|
||||||
\[ \mathbf{c}_{\mathbf{v}_d}^\star = \begin{pmatrix}
|
\[ \mathbf{c}_{\mathbf{v}_d}^\star = \begin{pmatrix}
|
||||||
\mathbf{r}_1^\prime \\ \mathbf{r}_2^\prime
|
\mathbf{r}_1^\prime \\ \mathbf{r}_2^\prime
|
||||||
\end{pmatrix} .\]
|
\end{pmatrix} .\]
|
||||||
@ -1571,7 +1636,7 @@ The argument system used in our protocol for signing a committed value in Sectio
|
|||||||
$\mathbf{e}_{0,1}\in [-B,B]^m; \hspace*{5pt} \mathbf{e}_{0,2}\in [-B,B]^{2m}$; \hspace*{5pt} $\mathbf{s}' \in [-(p-1), (p-1)]^{2m}$ \smallskip
|
$\mathbf{e}_{0,1}\in [-B,B]^m; \hspace*{5pt} \mathbf{e}_{0,2}\in [-B,B]^{2m}$; \hspace*{5pt} $\mathbf{s}' \in [-(p-1), (p-1)]^{2m}$ \smallskip
|
||||||
\item[Prover's Goal:] Convince the verifier in \textsf{ZK} that:
|
\item[Prover's Goal:] Convince the verifier in \textsf{ZK} that:
|
||||||
\end{description}
|
\end{description}
|
||||||
\vspace*{-10pt}
|
|
||||||
\begin{eqnarray}\label{equation:R-commit-statement}
|
\begin{eqnarray}\label{equation:R-commit-statement}
|
||||||
\hspace*{-5pt}
|
\hspace*{-5pt}
|
||||||
\begin{cases}
|
\begin{cases}
|
||||||
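Review bot: removing the `\vspace*{-10pt}` between `\end{description}` and `\begin{eqnarray}` is the right call for the thesis layout (these negative skips were paper-column hacks); while this block is being cleaned, `eqnarray` with `\hspace*{-5pt}` and a `cases` body would be better as an amsmath `equation` (the `cases` environment is amsmath anyway), since `eqnarray` is deprecated and mis-spaces around its relation column.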
@ -1672,20 +1737,18 @@ To do so, we first form the following vectors and matrices:
|
|||||||
|
|
||||||
We then observe that (\ref{equation:R-commit-statement}) can be rewritten as:
|
We then observe that (\ref{equation:R-commit-statement}) can be rewritten as:
|
||||||
\begin{eqnarray}\label{equation:R-commit-unified}
|
\begin{eqnarray}\label{equation:R-commit-unified}
|
||||||
\vspace*{-5pt}
|
|
||||||
\mathbf{M}_1 \cdot \mathbf{x}_1 + \mathbf{M}_2 \cdot \mathfrak{m} + \mathbf{M}_3 \cdot \mathbf{s}' = \mathbf{v} \in \mathbb{Z}_q^D,
|
\mathbf{M}_1 \cdot \mathbf{x}_1 + \mathbf{M}_2 \cdot \mathfrak{m} + \mathbf{M}_3 \cdot \mathbf{s}' = \mathbf{v} \in \mathbb{Z}_q^D,
|
||||||
\end{eqnarray}
|
\end{eqnarray}
|
||||||
where $D = 2n + 3m(N+1)$.
|
where $D = 2n + 3m(N+1)$.
|
||||||
Now we employ the techniques from \cref{sse:stern-abstraction} to convert~\eqref{equation:R-commit-unified} into the form $\mathbf{P}\cdot \mathbf{x} = \mathbf{v} \bmod q$. Specifically, if we let:
|
Now we employ the techniques from \cref{sse:stern-abstraction} to convert~\eqref{equation:R-commit-unified} into the form $\mathbf{P}\cdot \mathbf{x} = \mathbf{v} \bmod q$. Specifically, if we let:
|
||||||
\[
|
\[
|
||||||
\vspace*{-5pt}
|
|
||||||
\begin{cases}
|
\begin{cases}
|
||||||
\mathsf{DecExt}_{(n+3m)(N+1),B}(\mathbf{x}_1) \rightarrow \hat{\mathbf{x}}_1 \in \mathsf{B}^3_{(n+3m)(N+1)\delta_B}; \\[2.5pt]
|
\mathsf{DecExt}_{(n+3m)(N+1),B}(\mathbf{x}_1) \rightarrow \hat{\mathbf{x}}_1 \in \mathsf{B}^3_{(n+3m)(N+1)\delta_B}; \\[2.5pt]
|
||||||
{\mathbf{M}}'_1 = \mathbf{M}_1 \cdot \widehat{\mathbf{K}}_{(n+3m)(N+1),B} \in \ZZ_q^{D \times 3(n+3m)(N+1)\delta_B}; \\[2.5pt]
|
{\mathbf{M}}'_1 = \mathbf{M}_1 \cdot \widehat{\mathbf{K}}_{(n+3m)(N+1),B} \in \ZZ_q^{D \times 3(n+3m)(N+1)\delta_B}; \\[2.5pt]
|
||||||
%\mathsf{Ext}_{2mN}(\mathbf{x}_2) \rightarrow \hat{\mathbf{x}}_2 \in \mathsf{B}_{2(2mN)}; \hspace*{5pt}
|
%\mathsf{Ext}_{2mN}(\mathbf{x}_2) \rightarrow \hat{\mathbf{x}}_2 \in \mathsf{B}_{2(2mN)}; \hspace*{5pt}
|
||||||
%{\mathbf{M}}'_2 = \big[\mathbf{M}_2 | \mathbf{0}^{D \times 2mN}] \in \mathbb{Z}_q^{D \times 4mN}; \\[5pt]
|
%{\mathbf{M}}'_2 = \big[\mathbf{M}_2 | \mathbf{0}^{D \times 2mN}] \in \mathbb{Z}_q^{D \times 4mN}; \\[5pt]
|
||||||
\mathsf{DecExt}_{2m, p-1}(\mathbf{s}') \rightarrow \hat{\mathbf{s}} \in \mathsf{B}^3_{2m\delta_{p-1}}; \hspace*{5pt}
|
\mathsf{DecExt}_{2m, p-1}(\mathbf{s}') \rightarrow \hat{\mathbf{s}} \in \mathsf{B}^3_{2m\delta_{p-1}}; \hspace*{5pt}
|
||||||
{\mathbf M}'_3 = \mathbf{M}_3 \cdot \widehat{\mathbf K}_{2m,p-1} \in \mathbb{Z}_q^{D \times 6m\delta_{p-1}},
|
{\mathbf{M}}'_3 = \mathbf{M}_3 \cdot \widehat{\mathbf{K}}_{2m,p-1} \in \mathbb{Z}_q^{D \times 6m\delta_{p-1}},
|
||||||
\end{cases}
|
\end{cases}
|
||||||
\]
|
\]
|
||||||
$L = 3(n+3m)(N+1)\delta_B + 2mN + 6m\delta_{p-1}$, and $\mathbf{P} \hspace*{-1pt}= \hspace*{-1pt}\big[\mathbf{M}'_1 | \mathbf{M}_2 | \mathbf{M}'_3\big] \hspace*{-2pt}\in \hspace*{-1pt}\mathbb{Z}_q^{D \times L}$, and $\mathbf{x} = \big(\hat{\mathbf{x}}_1^T \| \mathfrak{m}^T \| \hat{\mathbf{s}}^T\big)^T$, then we will obtain the desired equation:
|
$L = 3(n+3m)(N+1)\delta_B + 2mN + 6m\delta_{p-1}$, and $\mathbf{P} \hspace*{-1pt}= \hspace*{-1pt}\big[\mathbf{M}'_1 | \mathbf{M}_2 | \mathbf{M}'_3\big] \hspace*{-2pt}\in \hspace*{-1pt}\mathbb{Z}_q^{D \times L}$, and $\mathbf{x} = \big(\hat{\mathbf{x}}_1^T \| \mathfrak{m}^T \| \hat{\mathbf{s}}^T\big)^T$, then we will obtain the desired equation:
|
||||||
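Review bot: the two commented-out lines `%\mathsf{Ext}_{2mN}(\mathbf{x}_2) \rightarrow ...` and `%{\mathbf{M}}'_2 = \big[\mathbf{M}_2 | \mathbf{0}^{D \times 2mN}] ...` are dead leftovers from an earlier variant in which `\mathfrak{m}` was extended; now that `\mathbf{P} = [\mathbf{M}'_1 | \mathbf{M}_2 | \mathbf{M}'_3]` uses `\mathbf{M}_2` directly, they can be deleted rather than kept in the `cases` block. Removing `\vspace*{-5pt}` immediately after `\begin{eqnarray}` and `\[` is correct, as a vertical skip at the start of a display only produces a stray blank row.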
@ -1700,12 +1763,12 @@ Having performed the above unification, we now define $\mathsf{VALID}$ as the se
|
|||||||
|
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item Define $\mathcal{S}: = \mathcal{S}_{3(n+3m)(N+1)\delta_B} \times \{0,1\}^{mN} \times \mathcal{S}_{6m\delta_{p-1}}$. \smallskip
|
\item Define $\mathcal{S}: = \mathcal{S}_{3(n+3m)(N+1)\delta_B} \times \{0,1\}^{mN} \times \mathcal{S}_{6m\delta_{p-1}}$. \smallskip
|
||||||
\item For $\pi = (\pi_1, \mathbf{b}, \pi_3) \in \mathcal{S}$, and for vector $\mathbf{w} = \big(\mathbf{w}_1^T \| \mathbf{w}_2^T \| \mathbf{w}_3^T\big)^T \in \mathbb{Z}_q^L$, where $\mathbf{w}_1 \in \ZZ_q^{3(n+3m)(N+1)\delta_B}$, $\mathbf{w}_2 \in \ZZ_q^{2mN}$, $\mathbf{w}_3 \in \ZZ_q^{6m\delta_{p-1}}$, we define: \vspace*{-5pt}
|
\item For $\pi = (\pi_1, \mathbf{b}, \pi_3) \in \mathcal{S}$, and for vector $\mathbf{w} = \big(\mathbf{w}_1^T \| \mathbf{w}_2^T \| \mathbf{w}_3^T\big)^T \in \mathbb{Z}_q^L$, where $\mathbf{w}_1 \in \ZZ_q^{3(n+3m)(N+1)\delta_B}$, $\mathbf{w}_2 \in \ZZ_q^{2mN}$, $\mathbf{w}_3 \in \ZZ_q^{6m\delta_{p-1}}$, we define:
|
||||||
\[
|
\[
|
||||||
T_{\pi} = \big(\pi_1(\mathbf{w}_1)^T \| E_{\mathbf{b}}(\mathbf{w}_2)^T \| \pi_3(\mathbf{w}_3)^T\big)^T.
|
T_{\pi} = \big(\pi_1(\mathbf{w}_1)^T \| E_{\mathbf{b}}(\mathbf{w}_2)^T \| \pi_3(\mathbf{w}_3)^T\big)^T.
|
||||||
\]
|
\]
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\vspace*{-2.5pt}
|
|
||||||
By inspection, it can be seen that the properties in~(\ref{eq:zk-equivalence}) are satisfied, as desired. As a result, we can obtain the required argument system by running the protocol in \cref{sse:stern-abstraction} with common input $(\mathbf{P}, \mathbf{v})$ and prover's input $\mathbf{x}$.
|
By inspection, it can be seen that the properties in~(\ref{eq:zk-equivalence}) are satisfied, as desired. As a result, we can obtain the required argument system by running the protocol in \cref{sse:stern-abstraction} with common input $(\mathbf{P}, \mathbf{v})$ and prover's input $\mathbf{x}$.
|
||||||
|
|
||||||
%--------------------------------------------------
|
%--------------------------------------------------
|
||||||
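Review bot: the context line `\item Define $\mathcal{S}: = \mathcal{S}_{3(n+3m)(N+1)\delta_B} \times \{0,1\}^{mN} \times \mathcal{S}_{6m\delta_{p-1}}$` still has a spaced `: =` while the rest of this commit converts `:=` to `\coloneqq`; it should be `\mathcal{S} \coloneqq \ldots` for consistency. The `\vspace*{-5pt}` at the end of the `\item For $\pi = \ldots$` line and the `\vspace*{-2.5pt}` after `\end{itemize}` are correctly dropped.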
@ -1737,10 +1800,10 @@ We now describe how to derive the protocol for proving the possession of a signa
|
|||||||
$\mathbf{e}_{\tau,2} \in [-B,B]^\ell$.
|
$\mathbf{e}_{\tau,2} \in [-B,B]^\ell$.
|
||||||
\end{description}
|
\end{description}
|
||||||
|
|
||||||
\textbf{Prover's Goal:} Convince the verifier in \textsf{ZK} that: \vspace*{-7.5pt}
|
\textbf{Prover's Goal:} Convince the verifier in \textsf{ZK} that:
|
||||||
\begin{eqnarray}\label{equation:R-sign-signature}
|
\begin{eqnarray}\label{equation:R-sign-signature}
|
||||||
\hspace*{-5pt}
|
\hspace*{-5pt}
|
||||||
\mathbf{A}\hspace*{-1.5pt}\cdot\hspace*{-1.5pt}\mathbf{v}_1 + \mathbf{A}_0\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathbf{v}_2 + \sum_{i=1}^\ell \mathbf{A}_i\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \tau[i] \mathbf{v}_2 - \mathbf{D}\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathsf{bin}(\mathbf{D}_0\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathbf{s} + \sum_{k=1}^N \mathbf{D}_i\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathfrak{m}_k) = \mathbf{u} \bmod q,\vspace*{-10pt}
|
\mathbf{A}\hspace*{-1.5pt}\cdot\hspace*{-1.5pt}\mathbf{v}_1 + \mathbf{A}_0\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathbf{v}_2 + \sum_{i=1}^\ell \mathbf{A}_i\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \tau[i] \mathbf{v}_2 - \mathbf{D}\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathsf{bin}(\mathbf{D}_0\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathbf{s} + \sum_{k=1}^N \mathbf{D}_i\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathfrak{m}_k) = \mathbf{u} \bmod q,
|
||||||
\end{eqnarray}
|
\end{eqnarray}
|
||||||
and that (modulo $q$)
|
and that (modulo $q$)
|
||||||
\begin{eqnarray}\label{equation:R-sign-ciphertext}
|
\begin{eqnarray}\label{equation:R-sign-ciphertext}
|
||||||
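Review bot: in the `equation:R-sign-signature` display the sum `\sum_{k=1}^N \mathbf{D}_i \cdot \mathfrak{m}_k` runs over `k` but indexes the matrix with `i`, which is already bound by the preceding `\sum_{i=1}^\ell`; this should be `\mathbf{D}_k \cdot \mathfrak{m}_k`. Since the `\vspace*{-10pt}` at the end of this line and the `\vspace*{-7.5pt}` after "Prover's Goal" are being removed, the `\hspace*{-1.5pt}` inserted around every `\cdot` on the same line are the same kind of column-width hack and can go too, leaving `\mathbf{A}\cdot\mathbf{v}_1 + \mathbf{A}_0\cdot\mathbf{v}_2 + \ldots`.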
@ -1856,10 +1919,8 @@ then we will obtain the equation $\mathbf{P}\cdot \mathbf{x} = \mathbf{c} \bmod
|
|||||||
|
|
||||||
Before going on, we define $\mathsf{VALID}$ as the set of
|
Before going on, we define $\mathsf{VALID}$ as the set of
|
||||||
$\mathbf{w} \in \{-1,0,1\}^L$ of the form:
|
$\mathbf{w} \in \{-1,0,1\}^L$ of the form:
|
||||||
\vspace*{-5pt}
|
|
||||||
\[
|
\[
|
||||||
\mathbf{w} = \big(\mathbf{w}_{1}^T \| \mathbf{w}_2^T \| g_1 \mathbf{w}_2^T\| \ldots \| g_{2\ell}\mathbf{w}_2^T \| \mathbf{g}^T\| \mathbf{w}_3^T\| \mathbf{w}_4^T \| \mathbf{w}_5^T \| \mathbf{w}_6^T\big)^T
|
\mathbf{w} = \big(\mathbf{w}_{1}^T \| \mathbf{w}_2^T \| g_1 \mathbf{w}_2^T\| \ldots \| g_{2\ell}\mathbf{w}_2^T \| \mathbf{g}^T\| \mathbf{w}_3^T\| \mathbf{w}_4^T \| \mathbf{w}_5^T \| \mathbf{w}_6^T\big)^T
|
||||||
\vspace*{-5pt}
|
|
||||||
\]
|
\]
|
||||||
for some $\mathbf{w}_1, \mathbf{w}_2 \in \mathsf{B}^3_{m\delta_\beta}$, $\mathbf{g} = (g_1, \ldots, g_{2\ell}) \in \mathsf{B}_{2\ell}$, $\mathbf{w}_3 \in \mathsf{B}^2_{m}$, $\mathbf{w}_4 \in \mathsf{CorEnc}(mN)$, $\mathbf{w}_5 \in \mathsf{B}^3_{2m\delta_{p-1}}$, and $\mathbf{w}_6 \in \mathsf{B}^3_{L_0\delta_B}$.
|
for some $\mathbf{w}_1, \mathbf{w}_2 \in \mathsf{B}^3_{m\delta_\beta}$, $\mathbf{g} = (g_1, \ldots, g_{2\ell}) \in \mathsf{B}_{2\ell}$, $\mathbf{w}_3 \in \mathsf{B}^2_{m}$, $\mathbf{w}_4 \in \mathsf{CorEnc}(mN)$, $\mathbf{w}_5 \in \mathsf{B}^3_{2m\delta_{p-1}}$, and $\mathbf{w}_6 \in \mathsf{B}^3_{L_0\delta_B}$.
|
||||||
It can be checked that the constructed vector $\mathbf{x}$ belongs to this tailored set $\mathsf{VALID}$.\\
|
It can be checked that the constructed vector $\mathbf{x}$ belongs to this tailored set $\mathsf{VALID}$.\\
|
||||||
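Review bot: the context line "It can be checked that the constructed vector $\mathbf{x}$ belongs to this tailored set $\mathsf{VALID}$.\\" ends a paragraph with `\\`, which forces an empty last line and an underfull `\hbox`; end the paragraph with a blank line instead. The removal of both `\vspace*{-5pt}` lines inside the `\[ ... \]` display is right.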
@ -1907,7 +1968,7 @@ The argument system upon which our group signature scheme is built can be summar
|
|||||||
Using the same strategy as in Sections~\ref{subsection:zk-for-commitments} and~\ref{subsection:zk-for-signature}, we can derive a statistical \textsf{ZKAoK} for the above relation from the protocol in Section~\ref{sse:stern-abstraction}. As the transformations are similar to those in Section~\ref{subsection:zk-for-signature}, we only sketch main points.
|
Using the same strategy as in Sections~\ref{subsection:zk-for-commitments} and~\ref{subsection:zk-for-signature}, we can derive a statistical \textsf{ZKAoK} for the above relation from the protocol in Section~\ref{sse:stern-abstraction}. As the transformations are similar to those in Section~\ref{subsection:zk-for-signature}, we only sketch main points.
|
||||||
|
|
||||||
In the first step, we combine the given equations to an equation of the form:
|
In the first step, we combine the given equations to an equation of the form:
|
||||||
\[\vspace*{-3.5pt}
|
\[
|
||||||
\mathbf{M}\cdot \left(
|
\mathbf{M}\cdot \left(
|
||||||
\begin{array}{c}
|
\begin{array}{c}
|
||||||
\mathbf{d}_1 \\
|
\mathbf{d}_1 \\
|
||||||
|
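Review bot: "we only sketch main points" in the context line is missing an article and reads better as "we only sketch the main points". The change `\[\vspace*{-3.5pt}` to `\[` is the same display-spacing cleanup as in the other hunks and is fine.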
@ -80,7 +80,7 @@ We denote by $\Ngs \in \poly[\lambda]$ the maximal number of group members that
|
|||||||
\item[\textsf{Join}$^{\join_{\user}, \join_{\GM}}$:] is an \emph{interactive} protocol between the group manager GM and a user $\mathcal{U}_i$ where the latter becomes a group member.
|
\item[\textsf{Join}$^{\join_{\user}, \join_{\GM}}$:] is an \emph{interactive} protocol between the group manager GM and a user $\mathcal{U}_i$ where the latter becomes a group member.
|
||||||
The protocol involves two interactive Turing machines $\join_{\user}$ and $\join_{\GM}$ that both take the group public key $\gspk$ as input.
|
The protocol involves two interactive Turing machines $\join_{\user}$ and $\join_{\GM}$ that both take the group public key $\gspk$ as input.
|
||||||
The execution $\langle \join_{\user}(\lambda,\gspk),\join_{\GM}(\lambda,\mathsf{st},\gspk,\mathcal{S}_{\GM}) \rangle$, ends with user $\mathcal{U}_i$ obtaining a membership secret $\scr_{i}$, that no one else knows, and a membership certificate $\crt_{i }$.
|
The execution $\langle \join_{\user}(\lambda,\gspk),\join_{\GM}(\lambda,\mathsf{st},\gspk,\mathcal{S}_{\GM}) \rangle$, ends with user $\mathcal{U}_i$ obtaining a membership secret $\scr_{i}$, that no one else knows, and a membership certificate $\crt_{i }$.
|
||||||
If the protocol is successful, the group manager updates the public state $\mathsf{st}$ by updating the following state informations $\mathsf{st}_{\users}:=\mathsf{st}_{\users} \cup \{ i \}$ as well as $\mathsf{st}_{\trans}:=\mathsf{st}_{\trans} || ( i ,\transcript_i )$.
|
If the protocol is successful, the group manager updates the public state $\mathsf{st}$ by updating the following state informations $\mathsf{st}_{\users}\coloneqq \mathsf{st}_{\users} \cup \{ i \}$ as well as $\mathsf{st}_{\trans}\coloneqq \mathsf{st}_{\trans} || ( i ,\transcript_i )$.
|
||||||
%
|
%
|
||||||
%\item[\textsf{Revoke}:] is a (possibly randomized) algorithm allowing the GM
|
%\item[\textsf{Revoke}:] is a (possibly randomized) algorithm allowing the GM
|
||||||
%to generate an updated revocation list $RL_t$ for the new revocation period $t$.
|
%to generate an updated revocation list $RL_t$ for the new revocation period $t$.
|
||||||
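Review bot: on the modified line, "updates the public state $\mathsf{st}$ by updating the following state informations" uses an uncountable noun in the plural and repeats "update"; "updates the public state $\mathsf{st}$ as follows: $\mathsf{st}_{\users}\coloneqq \ldots$" would be cleaner. In the context line above, the comma in "$\langle \join_{\user}(\lambda,\gspk),\join_{\GM}(\ldots) \rangle$, ends with user" separates subject from verb and should be dropped.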
@ -226,7 +226,7 @@ following oracles:
|
|||||||
the prospective user in the join protocol. If this protocol successfully
|
the prospective user in the join protocol. If this protocol successfully
|
||||||
ends, the interface increments $n$, updates $\mathsf{st}$ by inserting the new user
|
ends, the interface increments $n$, updates $\mathsf{st}$ by inserting the new user
|
||||||
$n$ in both sets $\mathsf{st}_{users}$ and $U^a$. It also sets
|
$n$ in both sets $\mathsf{st}_{users}$ and $U^a$. It also sets
|
||||||
$\mathsf{st}_{\trans}:=\mathsf{st}_{\trans} || ( n, \transcript_n )$.
|
$\mathsf{st}_{\trans}\coloneqq \mathsf{st}_{\trans} || ( n, \transcript_n )$.
|
||||||
%
|
%
|
||||||
\item $Q_{\bjoin}$: allows the adversary, acting as a corrupted group manager,
|
\item $Q_{\bjoin}$: allows the adversary, acting as a corrupted group manager,
|
||||||
to introduce new honest group members of its choice. The interface
|
to introduce new honest group members of its choice. The interface
|
||||||
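Review bot: the context line writes `$\mathsf{st}_{users}$` with a plain subscript, whereas the `Join` description earlier in this commit uses the macro form `$\mathsf{st}_{\users}$`; since `\mathsf{st}_{\trans}` on the modified line is already the macro form, `\mathsf{st}_{\users}` should be used here (and in the `$Q_{\bjoin}$` hunk that follows) so that the two render identically.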
@ -234,7 +234,7 @@ following oracles:
|
|||||||
interaction with the adversary who runs $\join_{\GM}$. If the protocol
|
interaction with the adversary who runs $\join_{\GM}$. If the protocol
|
||||||
successfully completes, the interface increments $n$, adds user $n$ to
|
successfully completes, the interface increments $n$, adds user $n$ to
|
||||||
$\mathsf{st}_{users}$ and $U^b$ and sets
|
$\mathsf{st}_{users}$ and $U^b$ and sets
|
||||||
$\mathsf{st}_{\trans}:=\mathsf{st}_{\trans} || ( n, \transcript_n )$.
|
$\mathsf{st}_{\trans}\coloneqq \mathsf{st}_{\trans} || ( n, \transcript_n )$.
|
||||||
It stores the membership certificate $\crt_{n }$
|
It stores the membership certificate $\crt_{n }$
|
||||||
and the membership secret $\scr_{n }$ in a \textit{private} part of
|
and the membership secret $\scr_{n }$ in a \textit{private} part of
|
||||||
$\mathsf{state}_{\interface}$.
|
$\mathsf{state}_{\interface}$.
|
||||||
|
@ -6,7 +6,12 @@
|
|||||||
In this Chapter, we aim at lifting the \textit{signature with efficient protocols} from~\cite{LPY15} into the random oracle model in order to get an efficient construction~\cite{BR93}.
|
In this Chapter, we aim at lifting the \textit{signature with efficient protocols} from~\cite{LPY15} into the random oracle model in order to get an efficient construction~\cite{BR93}.
|
||||||
Signatures with efficient protocols in the Camenish and Lysyanskaya fashion~\cite{CL04a} are digital signatures which come with companion zero-knowledge proofs that allow a signature holder to prove knowledge of the signature of a commited message as well as proving possession of a hidden message-signature pair in a zero-knowledge manner.
|
Signatures with efficient protocols in the Camenish and Lysyanskaya fashion~\cite{CL04a} are digital signatures which come with companion zero-knowledge proofs that allow a signature holder to prove knowledge of the signature of a commited message as well as proving possession of a hidden message-signature pair in a zero-knowledge manner.
|
||||||
|
|
||||||
This building block proved useful in the design of many efficient anonymity-related protocols such as anonymous credentials~\cite{CL01}, which are similar to group signatures except that anonymity is irrevocable (meaning that there is no opening authority).
|
This building block proved useful in the design of many efficient anonymity-related protocols such as anonymous credentials~\cite{Cha85,CL01}, which are similar to group signatures except that anonymity is irrevocable (meaning that there is no opening authority).
|
||||||
|
In other words, an anonymous credential scheme involves one (or more) credential issuer(s) and a set of users who have a long term secret key which can be seen as their digital identity, and pseudonyms that can be seen as commitments to their secret key.
|
||||||
|
Users can dynamically obtain credentials from an issuer that only knows users' pseudonyms and obliviously sign users' secret keys as well as a set of attributes.
|
||||||
|
Later on, users can make themselves known to verifiers under a different pseudonym and demonstrate possession of the issuer's certificate on their secret key withour revealing neither the signature nor the key.
|
||||||
|
In this context, signature with efficient protocols can typically be used as follows:
|
||||||
|
the user obtains the issuer's signature on a committed message via an interactive protocol, and uses a protocol for proving that two commitments open to the same value (which allows proving that the same secret underlies two distinct pseudonyms) and finally a protocol for proving possession of a secret message-signature pair.
|
||||||
|
|
||||||
As explained in \cref{ch:proofs}, the \textit{quality} of a scheme depends on both its efficiency and the simplicity of the assumptions it relies on.
|
As explained in \cref{ch:proofs}, the \textit{quality} of a scheme depends on both its efficiency and the simplicity of the assumptions it relies on.
|
||||||
Before the works described in this Chapter, most signature schemes rely on groups of hidden order~\cite{CL04a} or non-standard assumptions in groups with bilinear maps~\cite{CL04, Oka06}.
|
Before the works described in this Chapter, most signature schemes rely on groups of hidden order~\cite{CL04a} or non-standard assumptions in groups with bilinear maps~\cite{CL04, Oka06}.
|
||||||
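Review bot: the added paragraph has several grammar slips that should be fixed before merging: "an issuer that only knows users' pseudonyms and obliviously sign users' secret keys" needs "signs"; "withour revealing neither the signature nor the key" should read "without revealing either the signature or the key"; and "signature with efficient protocols can typically be used as follows" wants the plural "signatures". In the unchanged context, "Camenish" is "Camenisch" and "commited" is "committed".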
@ -130,7 +135,7 @@ Moreover, we show that their scheme remains unforgeable under the $\SXDH$ assump
|
|||||||
$\mathsf{crs}=\left(\{ z_i \}_{i=1}^{\ell+2},~ \hat{g}_z^{},~\{ \hat{g}_j \}_{j=1}^{2\ell+4} \right)$.
|
$\mathsf{crs}=\left(\{ z_i \}_{i=1}^{\ell+2},~ \hat{g}_z^{},~\{ \hat{g}_j \}_{j=1}^{2\ell+4} \right)$.
|
||||||
\bigskip
|
\bigskip
|
||||||
\item[]
|
\item[]
|
||||||
The private key is $ \mathsf{sk}:=\omega $ and the public key is
|
The private key is $ \mathsf{sk}\coloneqq \omega $ and the public key is
|
||||||
\begin{align*}
|
\begin{align*}
|
||||||
\mathsf{pk}=\Bigl(
|
\mathsf{pk}=\Bigl(
|
||||||
\mathsf{cp},~g,~h,~\hat{g}, ~\vec{v}%=(v_1,\ldots,v_\ell,w)
|
\mathsf{cp},~g,~h,~\hat{g}, ~\vec{v}%=(v_1,\ldots,v_\ell,w)
|
||||||
@ -508,8 +513,8 @@ clear), proving knowledge of a valid signature still requires proving a statem
|
|||||||
\item[\textsf{Commit}] Given $({\sigma},\vec{m})$, conduct the following steps.
|
\item[\textsf{Commit}] Given $({\sigma},\vec{m})$, conduct the following steps.
|
||||||
\end{description}
|
\end{description}
|
||||||
\begin{enumerate}
|
\begin{enumerate}
|
||||||
\item Commit to $d_1:=\hat{g}_2^{m_1}\cdots\hat{g}_{\ell+1}^{m_\ell}\cdot\hat{g}_{\ell+2}\in\hat{\GG}$
|
\item Commit to $d_1\coloneqq \hat{g}_2^{m_1}\cdots\hat{g}_{\ell+1}^{m_\ell}\cdot\hat{g}_{\ell+2}\in\hat{\GG}$
|
||||||
and $d_2:=\hat{g}_{\ell+3}^{m_1}\cdots\hat{g}_{2 \ell+2}^{m_\ell}\cdot\hat{g}_{2\ell+3}\in\hat{\GG}$.
|
and $d_2\coloneqq \hat{g}_{\ell+3}^{m_1}\cdots\hat{g}_{2 \ell+2}^{m_\ell}\cdot\hat{g}_{2\ell+3}\in\hat{\GG}$.
|
||||||
To this end, choose
|
To this end, choose
|
||||||
$r_1,r_2\sample\U(\Zp)$ and compute $\hat{D}_1=d_1\cdot \hat{g}^{r_1}$ and $\hat{D}_2=d_2\cdot \hat{g}^{r_2}$.
|
$r_1,r_2\sample\U(\Zp)$ and compute $\hat{D}_1=d_1\cdot \hat{g}^{r_1}$ and $\hat{D}_2=d_2\cdot \hat{g}^{r_2}$.
|
||||||
|
|
||||||
@ -560,7 +565,7 @@ clear), proving knowledge of a valid signature still requires proving a statem
|
|||||||
\item $\bar{m}_i= \rho\cdot m_i + u_i $, for $i=1$ to $\ell$, $\bar{r}_1= \rho \cdot r_1 +s_1 $,
|
\item $\bar{m}_i= \rho\cdot m_i + u_i $, for $i=1$ to $\ell$, $\bar{r}_1= \rho \cdot r_1 +s_1 $,
|
||||||
and $\bar{r}_2= \rho\cdot r_2 +s_2 $;
|
and $\bar{r}_2= \rho\cdot r_2 +s_2 $;
|
||||||
\item $w_z= \rho\cdot t_z + v_z $ and $w_i= \rho\cdot t_i + v_i $, for $i=0$ to $3$;
|
\item $w_z= \rho\cdot t_z + v_z $ and $w_i= \rho\cdot t_i + v_i $, for $i=0$ to $3$;
|
||||||
\item $w_4= \rho\cdot t_4 + v_4 $, where $t_4:=t_0-t_1 \cdot r_1-t_2 \cdot r_2$;
|
\item $w_4= \rho\cdot t_4 + v_4 $, where $t_4\coloneqq t_0-t_1 \cdot r_1-t_2 \cdot r_2$;
|
||||||
\item $z_i= \rho\cdot x_i + y_i $ for each $i \in \{0,2,3,4\}$. \smallskip
|
\item $z_i= \rho\cdot x_i + y_i $ for each $i \in \{0,2,3,4\}$. \smallskip
|
||||||
\item[~~~Output] $\mathsf{resp}\in \GG\times \Zp^{\ell+12}$ as
|
\item[~~~Output] $\mathsf{resp}\in \GG\times \Zp^{\ell+12}$ as
|
||||||
\begin{align*}
|
\begin{align*}
|
||||||
@ -687,7 +692,7 @@ a constant additive overhead.
|
|||||||
\cdot e(\Omega^{a_0},\hat{g})\cdot e(\Omega^{a_1},\hat{g}_1)\cdot e(\Omega^{a_2},\hat{D}_1)
|
\cdot e(\Omega^{a_0},\hat{g})\cdot e(\Omega^{a_1},\hat{g}_1)\cdot e(\Omega^{a_2},\hat{D}_1)
|
||||||
\cdot e(\Omega^{a_z},\hat{g}_z)$, so that we can set $C_0=\Omega^{-a_0}$,
|
\cdot e(\Omega^{a_z},\hat{g}_z)$, so that we can set $C_0=\Omega^{-a_0}$,
|
||||||
$C_1=\Omega^{a_1}$, $C_2=\Omega^{a_2}$ and $C_z=\Omega^{a_z}$.
|
$C_1=\Omega^{a_1}$, $C_2=\Omega^{a_2}$ and $C_z=\Omega^{a_z}$.
|
||||||
Let $\hat{B}:=\hat{g}_{2\ell+4}\cdot\hat{g}^{a_0}\hat{g}_1^{a_1}\hat{D}_1^{a_2}\hat{g}_z^{a_z}$.
|
Let $\hat{B}\coloneqq \hat{g}_{2\ell+4}\cdot\hat{g}^{a_0}\hat{g}_1^{a_1}\hat{D}_1^{a_2}\hat{g}_z^{a_z}$.
|
||||||
Now, we can introduce the constant $g \in \GG$ in the equation by picking $a_g\gets\Zp$ since
|
Now, we can introduce the constant $g \in \GG$ in the equation by picking $a_g\gets\Zp$ since
|
||||||
$e(\Omega^{-1},\hat{B})=e(\Omega^{-1} \cdot g^{a_g},\hat{B})\cdot e(g,\hat{B}^{-a_g})$. Then, we finally set
|
$e(\Omega^{-1},\hat{B})=e(\Omega^{-1} \cdot g^{a_g},\hat{B})\cdot e(g,\hat{B}^{-a_g})$. Then, we finally set
$\hat{D}_0=\hat{B}^{a_g}$, $\hat{D}_2=\hat{B}^{a_3}$ and $C_3=(\Omega^{-1} \cdot g^{a_g})^{1/a_3}$ for a
$\hat{D}_0=\hat{B}^{a_g}$, $\hat{D}_2=\hat{B}^{a_3}$ and $C_3=(\Omega^{-1} \cdot g^{a_g})^{1/a_3}$ for a
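Review bot: the sign of $a_g$ deserves a check: the identity used is $e(\Omega^{-1},\hat{B})=e(\Omega^{-1}\cdot g^{a_g},\hat{B})\cdot e(g,\hat{B}^{-a_g})$, but the component then set is $\hat{D}_0=\hat{B}^{a_g}$, which matches only if the verification equation pairs $g$ with $\hat{D}_0^{-1}$ (or $g^{-1}$ with $\hat{D}_0$); that equation lies outside the hunk, so make sure the conventions agree. Likewise $C_3=(\Omega^{-1}\cdot g^{a_g})^{1/a_3}$ requires $a_3\neq 0$, and $C_0=\Omega^{-a_0}$ carries a sign that $C_1$, $C_2$, $C_z$ do not; both follow from context above the hunk and a short remark here would help the reader.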
@ -1282,7 +1287,7 @@ Algorithm $\bdv$ takes as input an SDL instance $(g,\hat{g},g^a,\hat{g}^a)$ an
To generate the group public key $\gspk$, $\bdv$ runs all the steps of the real setup algorithm $\textsf{Keygen}$ except step 1.
To generate the group public key $\gspk$, $\bdv$ runs all the steps of the real setup algorithm $\textsf{Keygen}$ except step 1.
At step 1, $\bdv$ defines the generators $g,\hat{g}$ in $\pk_s$ to be those of its input and computes $h=g^{\alpha_h}$, $v=g^{\alpha_v}$, $w=g^{\alpha_w}$, $\hat{g}_z=\hat{g}^{\alpha_z}$ for randomly chosen scalars $\alpha_h,\alpha_v,\alpha_w,\alpha_z \sample \U(\Zp)$.
At step 1, $\bdv$ defines the generators $g,\hat{g}$ in $\pk_s$ to be those of its input and computes $h=g^{\alpha_h}$, $v=g^{\alpha_v}$, $w=g^{\alpha_w}$, $\hat{g}_z=\hat{g}^{\alpha_z}$ for randomly chosen scalars $\alpha_h,\alpha_v,\alpha_w,\alpha_z \sample \U(\Zp)$.
In order to compute $\{z_j\}_{j=1}^3$ of $\mathsf{crs}$ contained in $\pk_s$, $\bdv$ chooses $\mathsf{tk}=\{\chi_j\}_{j=1}^6$ of step 4 of the key generation algorithm of the signature scheme of Section \ref{scal-sig} with $\ell=1$. (Note that when $\ell=1$, $n=6$ and that $\{z_j\}_{j=1}^3$ are \QANIZK argument for the vectors $(g,1,1,1,1,h)$, $(v,g,1,h,1,1)$ and $(w,1,g,1,h,1)$. Moreover $\{\hat{g}_i=\hat{g}_z^{\chi_i}\}_{i=1}^6$ are the verifying key.)
In order to compute $\{z_j\}_{j=1}^3$ of $\mathsf{crs}$ contained in $\pk_s$, $\bdv$ chooses $\mathsf{tk}=\{\chi_j\}_{j=1}^6$ of step 4 of the key generation algorithm of the signature scheme of Section \ref{scal-sig} with $\ell=1$. (Note that when $\ell=1$, $n=6$ and that $\{z_j\}_{j=1}^3$ are \QANIZK argument for the vectors $(g,1,1,1,1,h)$, $(v,g,1,h,1,1)$ and $(w,1,g,1,h,1)$. Moreover $\{\hat{g}_i=\hat{g}_z^{\chi_i}\}_{i=1}^6$ are the verifying key.)
As a result of this setup phase, $\bdv$ knows $\mathcal{S}_{\GM}=\sk_s=\omega$, $\mathcal{S}_{\OA}=\bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$ and even $\mathsf{tk}$. The adversary $\adv$ is run on input of the group public key $\gspk:=(\pk_s,(X_z,X_\sigma,X_{\ID}),H)$, which has the same distribution as in the real attack game. \medskip
As a result of this setup phase, $\bdv$ knows $\mathcal{S}_{\GM}=\sk_s=\omega$, $\mathcal{S}_{\OA}=\bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$ and even $\mathsf{tk}$. The adversary $\adv$ is run on input of the group public key $\gspk\coloneqq (\pk_s,(X_z,X_\sigma,X_{\ID}),H)$, which has the same distribution as in the real attack game. \medskip
\\
\\
Should $\adv$ decide to corrupt the group manager or the opening authority during the game, $\bdv$ is able to reveal $\mathcal{S}_{\GM}=\sk_s$ and $\mathcal{S}_{\OA}$ when requested.
Should $\adv$ decide to corrupt the group manager or the opening authority during the game, $\bdv$ is able to reveal $\mathcal{S}_{\GM}=\sk_s$ and $\mathcal{S}_{\OA}$ when requested.
%At the outset of the game, $\bdv$ picks a random $j^\star \sample \{1,\ldots,q_b\}$ and interacts with $\adv$ as follows.
%At the outset of the game, $\bdv$ picks a random $j^\star \sample \{1,\ldots,q_b\}$ and interacts with $\adv$ as follows.
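Review bot: in the parenthetical, `are \QANIZK argument for the vectors` should read `arguments`, and `Section \ref{scal-sig}` would be more robust as `\cref{scal-sig}` if cleveref is in use. The commented-out line about $j^\star \sample \{1,\ldots,q_b\}$ looks like a leftover from an earlier index-guessing reduction; drop it if the proof no longer guesses an index. The simulation itself is coherent: with $\sk_s=\omega$, $\mathcal{S}_{\OA}$ and $\mathsf{tk}$ all chosen by $\bdv$, the corruption queries in the last paragraph can be answered, and $\gspk$ is distributed as in the real game.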
@ -1307,7 +1312,7 @@ A straightforward calculation
$(V_i,Z_i,\hat{G}_{2,i},\hat{G}_{4,i})$ successfully passes the test of step 2.
$(V_i,Z_i,\hat{G}_{2,i},\hat{G}_{4,i})$ successfully passes the test of step 2.
As for the last two components, for each $j\in \{2,4\}$, $\bdv$ computes
As for the last two components, for each $j\in \{2,4\}$, $\bdv$ computes
\begin{eqnarray*}
\begin{eqnarray*}
\quad\hat{G}_{j,i} := (\hat{g}^a)^{\delta_i(\alpha_z\chi_j+\alpha_r\gamma_j)}
\quad\hat{G}_{j,i} \coloneqq (\hat{g}^a)^{\delta_i(\alpha_z\chi_j+\alpha_r\gamma_j)}
= (\hat{g}_z^{\chi_j}\hat{g}_r^{\gamma_j})^{\ID_i} = \hat{g}_j^{\ID_i},
= (\hat{g}_z^{\chi_j}\hat{g}_r^{\gamma_j})^{\ID_i} = \hat{g}_j^{\ID_i},
\end{eqnarray*}
\end{eqnarray*}
%where $g^a$ is a component of the discrete logarithm problem it is trying to solve.
%where $g^a$ is a component of the discrete logarithm problem it is trying to solve.
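Review bot: the exponent $\delta_i(\alpha_z\chi_j+\alpha_r\gamma_j)$ uses $\alpha_r$, $\gamma_j$ and $\hat{g}_r$, none of which appear in the setup step shown in the previous hunk (only $\alpha_h,\alpha_v,\alpha_w,\alpha_z$ and $\chi_j$ are defined there); if they are introduced between the hunks that is fine, otherwise $\hat{g}_r=\hat{g}^{\alpha_r}$ and $\{\gamma_j\}$ need a definition. The equality also silently relies on $\ID_i=a\cdot\delta_i$, which is exactly what the later extraction $a=\ID^\star/\delta_i$ uses; stating it once where $\delta_i$ is sampled would make the chain explicit. Style: `eqnarray*` is deprecated under amsmath and the chapter already uses `align*`; the leading `\quad` inside the environment is unnecessary.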
@ -1351,7 +1356,7 @@ with distinct challenges
$c^\dag\neq c^\star$. From the two responses $(s_\ID^\star, s_\theta^\star)$, $(s_\ID^\dagger, s_\theta^\dagger)$, $\bdv$ can extract witnesses
$c^\dag\neq c^\star$. From the two responses $(s_\ID^\star, s_\theta^\star)$, $(s_\ID^\dagger, s_\theta^\dagger)$, $\bdv$ can extract witnesses
$(\theta^\star,\ID^\star)$ satisfying ${C}_\ID^\star=v^{\ID^\star}X_\ID^{\theta^\star}$ and
$(\theta^\star,\ID^\star)$ satisfying ${C}_\ID^\star=v^{\ID^\star}X_\ID^{\theta^\star}$ and
which identifies $V_i^\star=v^{\ID^\star}$. At this stage, $\bdv$ can compute and output the sought-after SDL solution
which identifies $V_i^\star=v^{\ID^\star}$. At this stage, $\bdv$ can compute and output the sought-after SDL solution
$a:=\ID^\star/\delta_i$ in $\Zp$.
$a\coloneqq \ID^\star/\delta_i$ in $\Zp$.
\\
\\
This observation tells us that, if $\adv$ has advantage $\varepsilon$ as a framing adversary making $q_H$ random oracle queries, then $\bdv$ implies an algorithm solving the SDL problem with probability $\varepsilon (\varepsilon / q_H -1/p) $.
This observation tells us that, if $\adv$ has advantage $\varepsilon$ as a framing adversary making $q_H$ random oracle queries, then $\bdv$ implies an algorithm solving the SDL problem with probability $\varepsilon (\varepsilon / q_H -1/p) $.
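Review bot: the sentence `$(\theta^\star,\ID^\star)$ satisfying ${C}_\ID^\star=v^{\ID^\star}X_\ID^{\theta^\star}$ and` followed by `which identifies $V_i^\star=v^{\ID^\star}$` is missing its second clause after `and`; either supply the second relation or drop the `and`. Also `$\bdv$ implies an algorithm` reads oddly; `yields` is meant. The extraction $a=\ID^\star/\delta_i$ requires $\delta_i\neq 0$ (sampled earlier, outside the hunk), and the bound $\varepsilon(\varepsilon/q_H-1/p)$ is the usual forking-lemma estimate, consistent with the two responses obtained for distinct challenges $c^\dag\neq c^\star$.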
10
these.bib
@ -2811,4 +2811,14 @@
publisher = {Springer},
publisher = {Springer},
}
}
@InProceedings{CHK04,
author = {Canetti, Ran and Halevi, Shai and Katz, Jonathan},
title = {{Chosen-Ciphertext Security from Identity-Based Encryption}},
booktitle = {Eurocrypt},
year = {2004},
series = {LNCS},
pages = {207--222},
publisher = {Springer},
}
@Comment{jabref-meta: databaseType:bibtex;}
@Comment{jabref-meta: databaseType:bibtex;}
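Review bot: the new `CHK04` entry sets `series = {LNCS}` but no `volume`; the Eurocrypt 2004 proceedings are LNCS volume 3027, so add `volume = {3027}` so the series field is not left dangling. `booktitle = {Eurocrypt}` without the year is fine if the other entries in `these.bib` use the same short form, since `year` carries it. The double-braced title correctly protects its capitalisation.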