Add GS-LWE introduction

Fabrice Mouhartem 2018-05-02 15:50:49 +02:00
parent afe5c83cf8
commit b7e10e24f5
4 changed files with 186 additions and 110 deletions


@ -1,12 +1,93 @@
\section{Introduction}
In this Chapter, we present the first dynamic group signature scheme that relies on lattice assumptions.
This construction relies on a signature scheme with efficient protocols as in~\cref{ch:sigmasig}, and it is used in a similar fashion.
As a consequence, it is possible to construct lattice-based anonymous credential from this building block.
The group signature scheme relies on the Gentry, Peikert and Vaikuntanathan identity-based encryption~\cite{GPV08} with the Canetti, Halevi and Katz~\cite{CHK04} in order to obtain a CCA2-secure public key encryption scheme which will be used to provide full-anonymity.
The group signature security is proven secure in the \ROM under the \SIS and \LWE assumptions, which are fixed-size and well studied assumptions.
For security parameter $\lambda$ and for group of up to $\Ngs$ members, the scheme features public key size $\softO(\lambda^2) \cdot \log \Ngs$, user's secret key size $\softO(\lambda)$ and signature size $\softO(\lambda) \cdot \log \Ngs$.
Our scheme thus achieves a level of efficiency comparable to recent proposals based on standard (i.e. non-ideal) lattices~\cite{LLLS13,NZZ15,LNW15,LLNW16} in the static setting as depicted in \cref{table:lattice-gs-comparison}.
In particular, the cost of moving to dynamic group is reasonable: while using the scheme from~\cite{LNW15} as a building block, our construction lengthens the signature size only by a (small) constant factor.
\begin{table}
\scriptsize \centering
\begin{tabular}{|c||c|c|c|c|c|c|c|}
\hline
% after \\: \hline or \cline{col1-col2} \cline{col3-col4} ...
Scheme & \cite{LLLS13} & \cite{NZZ15} & \cite{LNW15} & \cite{LLNW16} & Ours \\
\hline
\rule{0pt}{3ex}
Group PK & $\widetilde{\mathcal{O}}(\lambda^2)\cdot \log N_\mathsf{gs}$ & $\widetilde{\mathcal{O}}(\lambda^2)$ & $\widetilde{\mathcal{O}}(\lambda^2)\cdot \log N_\mathsf{gs}$ & $\widetilde{\mathcal{O}}(\lambda^2)$& $\widetilde{\mathcal{O}}(\lambda^2)\cdot \log N_\mathsf{gs}$ \\
\hline
\rule{0pt}{3ex}
User's SK & $\widetilde{\mathcal{O}}(\lambda^2)$ & $\widetilde{\mathcal{O}}(\lambda^2)$ & $\widetilde{\mathcal{O}}(\lambda)$ &$\widetilde{\mathcal{O}}(\lambda)\cdot \log N_\mathsf{gs} $ & $\widetilde{\mathcal{O}}(\lambda)$ \\
\hline
\rule{0pt}{3ex}
Signature & $\widetilde{\mathcal{O}}(\lambda)\cdot \log N_\mathsf{gs}$ & $\widetilde{\mathcal{O}}(\lambda + \log^2 N_\mathsf{gs})$ & $\widetilde{\mathcal{O}}(\lambda)\cdot \log N_\mathsf{gs}$ & $\widetilde{\mathcal{O}}(\lambda)\cdot \log N_\mathsf{gs}$ & $ \widetilde{\mathcal{O}}(\lambda)\cdot \log N_\mathsf{gs}$ \\
\hline
\end{tabular}
\caption{Efficiency comparison among recent lattice-based group signatures for static groups and our dynamic scheme. The evaluation is done with respect to $2$ governing parameters: security parameter $\lambda$ and the maximum expected group size $N_\mathsf{gs}$. We do not include the earlier schemes~\cite{GKV10,CNR12} that have signature size $\widetilde{\mathcal{O}}(\lambda^2)\cdot N_\mathsf{gs}$.}
\label{table:lattice-gs-comparison}
\end{table}
The signature scheme with efficient protocols is here built upon the $\SIS$-based signature of Böhl \textit{et al.}~\cite{BHJ+15}, which is itself a variant of Boyen's signature~\cite{Boy10}.
The latter scheme involves a public key containing matrices $\mathbf{A}, \mathbf{A}_0, \ldots, \mathbf{A}_\ell \in \Zq^{n \times m}$ and signs an $\ell$-bit message $\mathfrak m \in \bit^\ell$ by computing a short vector $\mathbf{v} \in \ZZ^{2m}_{}$ such that ${[\mathbf{A} \mid \mathbf{A}_0 + \sum_{j=1}^\ell \mathfrak m[j] \mathbf{A}_j ]} \cdot \mathbf{v} = \mathbf 0^n \bmod q$.
The variant proposed by Böhl \textit{et al.} only uses a constant number of matrices $\mathbf{A}, \mathbf{A}_0, \mathbf{A}_1 \in \Zq^{n \times m}$ where each signature is assigned with a single-use tag $\tau$ and the public key involves an extra matrix $\mathbf{D} \in \Zq^{n \times m}$ and a vector $\mathbf{u} \in \Zq^n$.
A message $\mathfrak m$ is then signed by first applying a chameleon hash function $\mathbf{h} = \mathcal{H}(\mathfrak m, \mathbf{s}) \in \bit^m_{}$ and signing $\mathbf{h}$ by computing a short $\mathbf{v} \in \ZZ^{2m}_{}$ such that ${[\mathbf{A} \mid \mathbf{A}_0 + \tau \mathbf{A}_1 ]} \cdot \mathbf{v} = \mathbf{u} + \mathbf{D} \cdot \mathbf{h} \bmod q$.
Our scheme extends~\cite{BHJ+15} so that an $N$-block message $(\mathfrak m_1, \ldots, \mathfrak m_N) \in (\bit^L)^N$, for some $L \in \NN$, is signed by outputting a tag $\tau \in \bit^\ell$ and a short $\mathbf{v} \in \ZZ^{2m}$ such that ${[\mathbf{A} \mid \mathbf{A}_0 + \sum_{j=1}^\ell \tau[j] \mathbf{A}_j ]} \cdot \mathbf{v} = \mathbf{u} + \mathbf{D} \cdot \mathcal{H}(\mathfrak{m}_1, \ldots, \mathfrak{m}_N, \mathbf s) \bmod q$, where the chameleon hash function computes $\mathbf{c}_M = \mathbf D_0 \cdot \mathbf s + \sum_{k=1}^{N} \mathbf D_k \cdot \mathfrak{m}_k \bmod q$, for some short vector $\mathbf s$, before re-encoding $\mathbf c_M$ so as to enable multiplication by $\mathbf D$.
In order to obtain a signature scheme that possesses efficient protocols akin to Camenish and Lysyanskaya~\cite{CL02}, our idea is to have the tag $\tau \in \bit^\ell$ play the same role as the prime exponent in Strong-RSA-based schemes~\cite{CL02a}.
To adapt this idea in the context of signatures with efficient protocols, we have to overcome several difficulties.
The first one is to map $\mathbf c_M$ back in the domain of the chameleon hash function while preserving the compatibility with ZK proofs.
To solve this issue, we extend a technique used in~\cite{LLNW16} in order to build a ``zero-knowledge-friendly'' chameleon hash function.
This function hashes the message by outputting the coordinate-wise binary decomposition $\mathbf w$ of $\mathbf D_0 \cdot \mathbf s + \sum_{k=1}^{N} \mathbf D_k \cdot \mathfrak{m}_k$. Using the ``power-of-two'' matrix $\mathbf H = \mathbf I \otimes [ 1 \mid 2 \mid \cdots \mid 2^{\lceil \log q\rceil} ]$, we can prove that $\mathbf w = \mathcal{H}(\mathfrak{m}_1, \ldots, \mathfrak{m}_N, \mathbf s)$ by demonstrating the knowledge of short vectors $(\mathfrak{m}_1, \ldots, \mathfrak{m}_N, \mathbf s, \mathbf w)$ that verifies $\mathbf H \cdot \mathbf w = \mathbf D_0 \cdot \mathbf s + \sum_{k=1}^{N} \mathbf D_k \cdot \mathfrak{m}_k \bmod q$ which can be proven using the ZKAoK of \cref{sse:stern}.
The second problem is to prove knowledge of $(\tau,\mathbf{v},\mathbf{s})$ and $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$ satisfying $[\mathbf{A} \mid \mathbf{A}_0 + \sum_{j=1}^\ell
\tau[j] \cdot \mathbf{A}_j ] \cdot \mathbf{v} = \mathbf{u} + \mathbf{D} \cdot \mathsf{CMHash}(\mathfrak{m}_1,\ldots,\mathfrak{m}_N,\mathbf{s})$, without revealing any of the witnesses. To
this end, we provide a framework for proving all the involved statement (and many other relations that naturally arise in lattice-based cryptography) as
special cases. We reduce the statements to asserting that a short integer vector $\mathbf{x}$ satisfies an equation of the form $\mathbf{P} \cdot \mathbf{x} = \mathbf{v}
\bmod q$, for some public matrix $\mathbf{P}$ and vector~$\mathbf{v}$, and belongs to a set $\mathsf{VALID}$ of short vectors with a particular structure. While the
small-norm property of $\mathbf{x}$ is provable using standard techniques (e.g., \cite{Lyu08}), we argue its membership of $\mathsf{VALID}$ by leveraging
the properties of Stern-like protocols \cite{Ste96,KTX08,LNSW13}. In particular, we rely on the fact that their underlying permutations interact well with
combinatorial statements pertaining to $\mathbf{x}$, especially $\mathbf{x}$ being a bitstring with a specific pattern. We believe our framework to be of independent
interest as it provides a blueprint for proving many other intricate relations in a modular manner.
When we extend the scheme with a protocol for signing committed messages, we need the signer to re-randomize the user's commitment before signing the hidden
messages. This is indeed necessary to provide the reduction with a backdoor allowing to correctly answer the $i^\dagger$-th query by ``programming'' the
randomness of the commitment. Since we work with integers vectors, a straightforward simulation incurs a non-negligible statistical distance between the
simulated distributions of re-randomization coins and the real one (which both have a discrete Gaussian distribution). Camenisch and Lysyanskaya \cite{CL02}
address a similar problem by choosing the signer's randomness to be exponentially larger than that of the user's commitment so as to statistically ``drown''
the aforementioned discrepancy. Here, the same idea would require to work with an exponentially large modulus~$q$. Instead, we adopt a more efficient
solution, inspired by Bai \textit{et al.} \cite{BLL+15}, which is to apply an analysis based on the R\'enyi divergence rather than the statistical distance. In
short, the R\'enyi divergence's properties tell us that, if some event~$E$ occurs with noticeable probability in some probability space~$P$, so does it in a
different probability space~$Q$ for which the second order divergence $R_2(P||Q)$ is sufficiently small. In our setting, $R_2(P||Q)$ is precisely polynomially
bounded since the two probability spaces only diverge in one signing query.
Our dynamic group signature scheme avoids these difficulties because the group manager only signs known messages: instead of signing the user's secret key as
in anonymous credentials, it creates a membership certificate by signing the user's public key. Our zero-knowledge arguments accommodate the requirements of
the scheme in the following way. In the joining protocol that dynamically introduces new group members, the user $i$ chooses a membership secret consisting of
a short discrete Gaussian vector $\mathbf{z}_i $. This user generates a public syndrome $\mathbf{v}_i = \mathbf{F} \cdot \mathbf{z}_i \mod q$, for some public matrix
$\mathbf{F}$, which constitutes his public key. In order to certify $\mathbf{v}_i$, the group manager computes the coordinate-wise binary expansion
$\mathsf{bin}(\mathbf{v}_i) $ of $\mathbf{v}_i$. The vector $\mathsf{bin}(\mathbf{v}_i) $ is then signed using our signature scheme. Using the resulting signature
$(\tau,\mathbf{v},\mathbf{s}) $ as a membership certificate, the group member is able to sign a message by proving that: (i) He holds a valid signature
$(\tau,\mathbf{v},\mathbf{s})$ on some secret binary message $\mathsf{bin}(\mathbf{v}_i) $; (ii) The latter vector $\mathsf{bin}(\mathbf{v}_i) $ is the binary expansion of
some syndrome $\mathbf{v}_i$ of which he knows a GPV pre-image $\mathbf{z}_i $. We remark that condition (ii) can be proved by providing evidence that we have $
\mathbf{v}_i = \mathbf{H} \cdot \bit(\mathbf{v}_i) = \mathbf{F} \cdot \mathbf{z}_i \bmod q$, for some short integer vector $\mathbf{z}_i $ and some binary $\mathsf{bin}(\mathbf{v}_i) $,
where $\mathbf{H}$ is the ``powers-of-$2$'' matrix. Our abstraction of Stern-like protocols \cite{Ste96,KTX08,LNSW13} allows us to efficiently argue such
statements. The fact that the underlying chameleon hash function smoothly interacts with Stern-like zero-knowledge arguments is the property that maintains
the user's capability of efficiently proving knowledge of the underlying secret key.
Given the state of $\NIZK$ proofs in the lattice setting, it seems hard to provide group signature schemes in the standard model.
In the forthcoming sections, we first provide the description of our signature with efficient protocols; then a description of our dynamic group signature will be given and finally, we will explain how to use the Stern abstraction of \cref{sse:stern} to provide the required zero-knowledge arguments.
\section{A Lattice-Based Signature with Efficient Protocols} \label{se:gs-lwe-sigep}
%We first specify the parameters used in our scheme. Let $\lambda$ be the security parameter, and let $n = \bigO(\lambda)$, $q = \mathsf{poly}(n)$, and $m \geq 2n \log q$.
%We assume that messages are vectors of $N$ blocks $\mathsf{Msg}=(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$, where each
%block is an $L$-bit string $\mathfrak{m}_k = \mathfrak{m}_k[1] \ldots \mathfrak{m}_k[L] \in \{0,1\}^L$ for $k \in \{1,\ldots, N\}$.
Our scheme can be seen as a variant of the B\"ohl \textit{et al.} signature \cite{BHJ+15}, where
each signature is a triple $(\tau,\mathbf{v},\mathbf{s})$, made of a tag $\tau \in \{0,1\}^\ell$ and integer vectors $(\mathbf{v},\mathbf{s})$ satisfying
$[\mathbf{A} \mid \mathbf{A}_0 + \sum_{j=1}^\ell \tau[j] \cdot \mathbf{A}_j ] \cdot \mathbf{v} = \mathbf{u} + \mathbf{D} \cdot \mathbf{h} \bmod q$,
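Review bot: the notation for the binary expansion is inconsistent within this hunk: the joining-protocol paragraph writes `$\mathsf{bin}(\mathbf{v}_i)$` three times, then the displayed relation `\mathbf{v}_i = \mathbf{H} \cdot \bit(\mathbf{v}_i) = \mathbf{F} \cdot \mathbf{z}_i \bmod q` switches to `\bit(\cdot)`, and the same `\bit` macro is used earlier in the hunk as the set `\{0,1\}` (`$\mathfrak m \in \bit^\ell$`); pick one operator for the expansion and check that the macro renders both uses. Several wording slips in the new text: "with the Canetti, Halevi and Katz~\cite{CHK04} in order to obtain" lacks the noun after the citation (transformation or technique); "The group signature security is proven secure" is redundant; "Camenish" should be "Camenisch", as it is spelled later in the hunk; "short vectors ... that verifies" should be "that verify"; "all the involved statement" should be "statements"; "integers vectors" should be "integer vectors"; "for group of up to" and "moving to dynamic group" should be plural. In the table, the preamble `\begin{tabular}{|c||c|c|c|c|c|c|c|}` declares eight columns while every row has six cells, which leaves two empty bordered columns at the right edge; `|c||c|c|c|c|c|` matches the rows, and the leftover template comment `% after \\: \hline or \cline{col1-col2} ...` can be dropped.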
@ -41,17 +122,17 @@ coordinate of $\mathbf{v}$ by its binary representation.
\Zq^{n \times m}$ and a short basis $\mathbf{T}_{\mathbf{A}}$ of
$\Lambda_q^{\perp}(\mathbf{A}).$ This basis allows computing short vectors in $\Lambda_q^{\perp}(\mathbf{A})$ with a Gaussian parameter $\sigma$.
% $\sigma \geq \| \widetilde{\mathbf{T}_{\mathbf{A}}} \| \cdot \omega (\sqrt{\log m})$.
Next, choose $\ell+1$ random $\mathbf{A}_0,\mathbf{A}_1,\ldots,\mathbf{A}_{\ell} \sample U(\Zq^{n \times m})$. %, where $\ell = \Theta(\lambda)$.
\item[2.] Choose random matrices $\mathbf{D} \sample U(\Zq^{n \times m})$, $\mathbf{D}_0,\mathbf{D}_1,\ldots,\mathbf{D}_{N} \sample U(\Zq^{2n \times 2m})$ as well as a random vector
$\mathbf{u} \sample U(\Zq^n)$. \smallskip
Next, choose $\ell+1$ random $\mathbf{A}_0,\mathbf{A}_1,\ldots,\mathbf{A}_{\ell} \sample \U(\Zq^{n \times m})$. %, where $\ell = \Theta(\lambda)$.
\item[2.] Choose random matrices $\mathbf{D} \sample \U(\Zq^{n \times m})$, $\mathbf{D}_0,\mathbf{D}_1,\ldots,\mathbf{D}_{N} \sample \U(\Zq^{2n \times 2m})$ as well as a random vector
$\mathbf{u} \sample \U(\Zq^n)$. \smallskip
\end{itemize}
The private key consists of $SK:= \mathbf{T}_{\mathbf{A}} \in \ZZ^{m \times m}$ and the public key is
$${PK}:=\big( \mathbf{A}, ~ \{\mathbf{A}_j \}_{j=0}^{\ell}, ~ \{\mathbf{D}_k\}_{k=0}^{N},~\mathbf{D}, ~\mathbf{u} \big).$$
The private key consists of $SK \coloneqq \mathbf{T}_{\mathbf{A}} \in \ZZ^{m \times m}$ and the public key is
$${PK}\coloneqq \big( \mathbf{A}, ~ \{\mathbf{A}_j \}_{j=0}^{\ell}, ~ \{\mathbf{D}_k\}_{k=0}^{N},~\mathbf{D}, ~\mathbf{u} \big).$$
% \smallskip
\item[\textsf{Sign}$\big(SK, \mathsf{Msg} \big)$:] To sign an $N$-block message
$\mathsf{Msg}=\left(\mathfrak{m}_1,\ldots,\mathfrak{m}_N \right) \in \left(\{0,1\}^{2m} \right)^N$,
\begin{enumerate}[1.]
\item Choose a random string $\tau \sample U(\{0,1\}^\ell )$. Then, using $SK:=
\item Choose a random string $\tau \sample \U(\{0,1\}^\ell )$. Then, using $SK\coloneqq
\mathbf{T}_{\mathbf{A}}$, compute with $\ExtBasis$ a short delegated basis $\mathbf{T}_\tau \in \ZZ^{2m \times 2m}$
for the matrix
\begin{eqnarray} \label{tau-matrix}
@ -129,9 +210,9 @@ The scheme is secure against Type I attacks if the $\mathsf{SIS}_{n,m,q,\beta'}$
\Zq^{n \times m}$ and computes $\mathbf{v} \in
\Lambda_q^{\perp}(\bar{\mathbf{A}})$ with~$0 < \|\mathbf{v}\| \leq \beta'$.
Algorithm~$\bdv$ first chooses the $\ell$-bit strings $\tau^{(1)},\ldots,\tau^{(Q)} \sample U(\{0,1\}^\ell)$ to be used in signing queries. As in \cite{HW09}, it
Algorithm~$\bdv$ first chooses the $\ell$-bit strings $\tau^{(1)},\ldots,\tau^{(Q)} \sample \U(\{0,1\}^\ell)$ to be used in signing queries. As in \cite{HW09}, it
guesses the shortest prefix such that the string $\tau^\star$ contained in $\adv$'s forgery differs from all prefixes of $\tau^{(1)},\ldots,\tau^{(Q)}$. To this
end, $\bdv$ chooses $i^\dagger \sample U(\{1,\ldots, Q\})$ and $t^\dagger \sample U(\{1,\ldots,\ell\})$ so that, with probability $1/(Q \cdot \ell)$, the longest
end, $\bdv$ chooses $i^\dagger \sample \U(\{1,\ldots, Q\})$ and $t^\dagger \sample \U(\{1,\ldots,\ell\})$ so that, with probability $1/(Q \cdot \ell)$, the longest
common prefix between $\tau^\star$ and one of the $\left\{\tau^{(i)} \right\}_{i=1}^Q$ is the string
$\tau^\star[1] \ldots \tau^\star[t^\dagger-1] =\tau^{(i^\dagger)}[1] \ldots \tau^{(i^\dagger)}[t^\dagger-1] \in \{0,1\}^{t^\dagger -1}$ comprised of the
first $(t^\dagger-1)$-th bits of $\tau^\star \in \{0,1\}^\ell$. We define $ \tau^\dagger \in \{0,1\}^{t^\dagger}$ as the $t^\dagger$-bit string $\tau^\dagger=\tau^\star[1] \ldots \tau^\star[t^\dagger] $. By construction, with probability $1/(Q \cdot \ell)$, we have $\tau^\dagger \not \in \left\{\tau^{(1)}_{|{t^\dagger}}, \ldots ,\tau^{(Q)}_{|{t^\dagger}} \right\}$, where $\tau^{(i)}_{|{t^\dagger}}$ denotes
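Review bot: "comprised of the first $(t^\dagger-1)$-th bits of $\tau^\star$" mixes a cardinal and an ordinal; since the string is the prefix of length $t^\dagger-1$, write "comprised of the first $t^\dagger-1$ bits of $\tau^\star$".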
@ -159,7 +240,6 @@ The scheme is secure against Type I attacks if the $\mathsf{SIS}_{n,m,q,\beta'}$
\end{eqnarray*}
It also sets $\mathbf{A}=\bar{\mathbf{A}}$.
We note that we have
% \vspace*{-.1cm}
\begin{eqnarray*}
\mathbf{A}_{\tau^{(i)}} &=& \left[ \begin{array}{c|c} \bar{\mathbf{A}} & \mathbf{A}_0 +
\sum_{j=1}^\ell \tau^{(i)}[j] \mathbf{A}_j
@ -182,13 +262,13 @@ The scheme is secure against Type I attacks if the $\mathsf{SIS}_{n,m,q,\beta'}$
$\tau^{(i)}_{|t^\dagger}$ and $\tau^\star_{|t^\dagger}$. Note that, with probability $1/(Q \cdot \ell)$ and since $q>\ell$, we have
$ h_{\tau^{(i)}} \neq 0 \bmod q$ whenever $\tau^{(i)}_{|t^\dagger} \neq \tau^\star_{|t^\dagger}$.
Next, $\bdv$ chooses the matrices $\mathbf{D}_k \sample U(\Zq^{2n \times 2m})$ uniformly at random for each $k \in [0,N]$. Then, it picks a random short matrix $\mathbf{R} \in \ZZ^{m \times m}$ which has its columns independently sampled from $D_{\ZZ^m,\sigma}$
Next, $\bdv$ chooses the matrices $\mathbf{D}_k \sample \U(\Zq^{2n \times 2m})$ uniformly at random for each $k \in [0,N]$. Then, it picks a random short matrix $\mathbf{R} \in \ZZ^{m \times m}$ which has its columns independently sampled from $D_{\ZZ^m,\sigma}$
and computes
\begin{eqnarray*}
\mathbf{D} &=& \bar{\mathbf{A}} \cdot \mathbf{R}. % \qquad \qquad \qquad \quad~ \forall k \in \{0,\ldots,N\}.
\end{eqnarray*}
Finally, $\bdv$ samples a short vector $\mathbf{e}_u \sample D_{\ZZ^m,\sigma_1}$ and computes the vector $\mathbf{u} \in \Zq^n$
as $\mathbf{u} = \bar{\mathbf{A}} \cdot \mathbf{e}_u \in \Zq^n$. The public key $${PK}:=\big( \mathbf{A}, ~
as $\mathbf{u} = \bar{\mathbf{A}} \cdot \mathbf{e}_u \in \Zq^n$. The public key $${PK}\coloneqq \big( \mathbf{A}, ~
\{\mathbf{A}_j \}_{j=0}^{\ell}, ~ \{\mathbf{D}_k\}_{k=0}^{N},~\mathbf{D}, ~\mathbf{u} \big)$$
is given to $\adv$.
@ -251,7 +331,7 @@ We prove the result using a sequence of games. For each $i$, we denote by $W_i$
Given that \textsf{Game} $1$ is identical to \textsf{Game} $0$ until $F_1$ occurs, we have $|\Pr[W_1]-\Pr[W_0]| \leq \Pr[F_1] < Q^2/2^\ell$.
\item[\textsf{Game} 2:] This game is like \textsf{Game} $1$ with the following difference. At the outset of the game, the challenger $\bdv$ chooses a random index
$i^\dagger \sample U(\{1,\ldots,Q\})$ as a guess that $\adv$'s forgery will recycle the $\ell$-bit string $\tau^{(i^\dagger)} \in \{0,1\}^\ell$ of the $i^\dagger$-th signing query.
$i^\dagger \sample (\{1,\ldots,Q\})$ as a guess that $\adv$'s forgery will recycle the $\ell$-bit string $\tau^{(i^\dagger)} \in \{0,1\}^\ell$ of the $i^\dagger$-th signing query.
When $\adv$ outputs its Type II forgery $sig^\star=(\tau^\star,\mathbf{v}^\star,\mathbf{s}^\star)$, the challenger aborts
in the event that $\tau^{(i^\dagger)} \neq \tau^\star$ (i.e., $i^\dagger \neq i^\star$). Since the choice of $i^\dagger $ in $\{1,\ldots,Q\}$ is independent of $\adv$'s view, we
have $\Pr[W_2]=\Pr[W_1]/Q$.
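Review bot: the edited line `$i^\dagger \sample (\{1,\ldots,Q\})$` drops the `U` without substituting the new macro, so the uniform distribution is no longer named; the earlier hunks of this commit rewrite the same pattern as `\sample \U(\ldots)`, which suggests a search-and-replace slip. Suggest `$i^\dagger \sample \U(\{1,\ldots,Q\})$`.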
@ -267,7 +347,7 @@ We prove the result using a sequence of games. For each $i$, we denote by $W_i$
trapdoors $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$, $\mathbf{T}_{\mathbf{D}_0} \in \ZZ^{2m \times 2m}$ consisting of short bases of $\Lambda_q^{\perp}(\mathbf{C})$ and $\Lambda_q^{\perp}(\mathbf{D}_0)$, respectively. Then,
$\bdv$
chooses
a uniformly random $\mathbf{D} \sample U(\Zq^{n \times m})$ and re-randomizes it using short matrices
a uniformly random $\mathbf{D} \sample (\Zq^{n \times m})$ and re-randomizes it using short matrices
$\mathbf{S},\mathbf{S}_0,\mathbf{S}_1,\ldots,\mathbf{S}_{\ell} \sample \ZZ^{m \times m}$, which are obtained
by sampling their columns from the distribution $D_{\ZZ^m,\sigma}$. Namely, from $\mathbf{D} \in \Zq^{n \times m}$, $\bdv$
defines
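Review bot: same slip as in the previous hunk: `a uniformly random $\mathbf{D} \sample (\Zq^{n \times m})$` has lost its `U`; it should read `$\mathbf{D} \sample \U(\Zq^{n \times m})$` to match the `\U` macro introduced at the top of this commit.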
@ -277,7 +357,7 @@ We prove the result using a sequence of games. For each $i$, we denote by $W_i$
\mathbf{A}_j &=& \mathbf{D} \cdot \mathbf{S}_j + h_j \cdot \mathbf{C} \qquad \qquad \forall j \in \{1,\ldots,\ell\} %\\ \nonumber
%\mathbf{D}_k &=& \mathbf{D} \cdot \mathbf{R}_k \qquad \qquad \qquad \quad~ \forall k \in \{1,\ldots,N\}.
\end{eqnarray}
In addition, $\bdv$ picks random matrices $\mathbf{D}_1,\ldots,\mathbf{D}_N \sample U(\Zq^{2n \times 2m})$ and a random vector $\mathbf{c}_M \sample U(\Zq^{2n})$. It samples
In addition, $\bdv$ picks random matrices $\mathbf{D}_1,\ldots,\mathbf{D}_N \sample (\Zq^{2n \times 2m})$ and a random vector $\mathbf{c}_M \sample (\Zq^{2n})$. It samples
short vectors $\mathbf{v}_1 ,\mathbf{v}_2 \sample D_{\ZZ^m,\sigma}$ and computes $\mathbf{u} \in \Zq^n$
as $\mathbf{u} = \mathbf{A}_{\tau^{(i^\dagger)}} \cdot
\left[
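Review bot: both replacements on the edited line lose the distribution symbol: `$\mathbf{D}_1,\ldots,\mathbf{D}_N \sample (\Zq^{2n \times 2m})$` and `$\mathbf{c}_M \sample (\Zq^{2n})$` should be `\sample \U(\Zq^{2n \times 2m})` and `\sample \U(\Zq^{2n})`, as in the key-generation hunk.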
@ -456,16 +536,16 @@ encrypted values.%, the protocols of Ling \textit{et al.} \cite{LNW15} come in h
Let $p = \sigma \cdot \omega(\sqrt{m})$ upper-bound entries of vectors sampled from the distribution~$D_{\ZZ^{2m},\sigma}$.
Generate two public keys for the dual Regev encryption scheme
in its multi-bit variant. These keys consists of a public random matrix
$\mathbf{B} \sample U(\Zq^{n \times m})$ and random matrices $\mathbf{G}_0 = \mathbf{B} \cdot \mathbf{E}_0 \in \Zq^{n \times \ell }$, $\mathbf{G}_1 = \mathbf{B} \cdot \mathbf{E}_1 \in \Zq^{n \times 2m}$,
$\mathbf{B} \sample (\Zq^{n \times m})$ and random matrices $\mathbf{G}_0 = \mathbf{B} \cdot \mathbf{E}_0 \in \Zq^{n \times \ell }$, $\mathbf{G}_1 = \mathbf{B} \cdot \mathbf{E}_1 \in \Zq^{n \times 2m}$,
where $\mathbf{E}_0 \in \ZZ^{ m \times \ell}$ and $\mathbf{E}_1 \in \ZZ^{m \times 2m}$ are short Gaussian matrices with columns sampled from $D_{\ZZ^{m},\sigma}$. These matrices will be
used to encrypt integer vectors of dimension $\ell$ and $2m$, respectively. Finally, generate public parameters $CK:=\{ \mathbf{D}_k \}_{k=0}^N$ consisting of uniformly
random matrices $\mathbf{D}_k \sample U(\Zq^{2n \times 2m})$ for a statistically hiding commitment
used to encrypt integer vectors of dimension $\ell$ and $2m$, respectively. Finally, generate public parameters $CK\coloneqq \{ \mathbf{D}_k \}_{k=0}^N$ consisting of uniformly
random matrices $\mathbf{D}_k \sample (\Zq^{2n \times 2m})$ for a statistically hiding commitment
to vectors in $(\{0,1\}^{2m})^N$.
Return public parameters consisting of
$$ \mathsf{par}:= \{ ~\mathbf{B} \in \Zq^{n \times m} ,~\mathbf{G}_0 \in \Zq^{n \times \ell},~\mathbf{G}_1 \in \Zq^{n \times 2m},~CK \}. $$
$$ \mathsf{par}\coloneqq \{ ~\mathbf{B} \in \Zq^{n \times m} ,~\mathbf{G}_0 \in \Zq^{n \times \ell},~\mathbf{G}_1 \in \Zq^{n \times 2m},~CK \}. $$
%where $p > \sigma_1 \sqrt{m}$ upper-bounds entries of vectors sampled from the distribution $D_{\ZZ^m,\sigma_1}$,
\item[\textsf{Issue} $\leftrightarrow$ \textsf{Obtain} :] The signer $S$, who holds a key pair $PK:=\{ \mathbf{A} , ~\{\mathbf{A}_j\}_{j=0}^\ell,~\mathbf{D},~\mathbf{u} \}$, $SK:=\mathbf{T}_{\mathbf{A}}$, interacts with the user $U$
\item[\textsf{Issue} $\leftrightarrow$ \textsf{Obtain} :] The signer $S$, who holds a key pair $PK\coloneqq \{ \mathbf{A} , ~\{\mathbf{A}_j\}_{j=0}^\ell,~\mathbf{D},~\mathbf{u} \}$, $SK\coloneqq \mathbf{T}_{\mathbf{A}}$, interacts with the user $U$
who has a message $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$, in the following interactive protocol. \smallskip
\begin{itemize}
\item[1.] $U$ samples $\mathbf{s}' \sample D_{\ZZ^{2m},\sigma} $ and computes $ \mathbf{c}_{\mathfrak{m}} = \mathbf{D}_0 \cdot \mathbf{s}' + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k \in \mathbb{Z}_q^{2n}$
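Review bot: `$\mathbf{B} \sample (\Zq^{n \times m})$` and `$\mathbf{D}_k \sample (\Zq^{2n \times 2m})$` on the edited lines have lost the `U`; restore it as `\U(\cdot)` so the parameters are stated to be uniform, as the surrounding prose ("public random matrix", "uniformly random matrices") intends. Minor: "These keys consists of a public random matrix" should be "These keys consist of".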
@ -612,10 +692,10 @@ probabilities during hybrid games where the two distributions are not close in t
%--------- PROOF ----------
\begin{proof} The proof is very similar to the proof of \cref{th:gs-lwe-security-cma-sig} and we will only explain the changes.
Assuming that an adversary $\adv$ can prove possession of a signature on a message $(\mathfrak{m}_1^\star,\ldots,\mathfrak{m}_N^\star)$ which has not been blindly signed by the issuer,
Let us assume that an adversary $\adv$ can prove possession of a signature on a message $(\mathfrak{m}_1^\star,\ldots,\mathfrak{m}_N^\star)$ which has not been blindly signed by the issuer,
we outline an algorithm $\bdv$ that solves a $\mathsf{SIS}_{n,2m,q,\beta}$ instance $\bar{\mathbf{A}}$, where $\bar{\mathbf{A}} =
[ \bar{\mathbf{A}}_1 \mid \bar{\mathbf{A}}_2 ] \in \ZZ_q^{ n \times 2m}$ with
$\bar{\mathbf{A}}_1, \bar{\mathbf{A}}_2 \in U(\ZZ_q^{n \times m})$.
[ \bar{\mathbf{A}}_1 \mid \bar{\mathbf{A}}_2 ] \in \ZZ_q^{ n \times 2m}$ with matrices
$\bar{\mathbf{A}}_1, \bar{\mathbf{A}}_2 \sample \U(\ZZ_q^{n \times m})$.
At the outset of the game, $\bdv$ generates the common parameters $\mathsf{par}$ by choosing
$\mathbf{B} \in_R \ZZ_q^{n \times m}$ and defining $\mathbf{G}_0 = \mathbf{B} \cdot \mathbf{E}_0 \in \ZZ_q^{n \times \ell }$, $\mathbf{G}_1 = \mathbf{B} \cdot \mathbf{E}_1 \in \ZZ_q^{n \times 2m}$.
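Review bot: the rewritten opening "Let us assume that an adversary $\adv$ can prove possession of a signature ... which has not been blindly signed by the issuer, we outline an algorithm $\bdv$" is a comma splice; the previous "Assuming that ..., we outline" was grammatical. Either keep "Assuming" or split it: "Let us assume that ... by the issuer. We outline an algorithm $\bdv$ that solves ...". Also, the edit switches to `\sample \U(\ZZ_q^{n \times m})` for $\bar{\mathbf{A}}_1, \bar{\mathbf{A}}_2$, but two lines below `$\mathbf{B} \in_R \ZZ_q^{n \times m}$` still uses the old `\in_R` notation; make these consistent.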
@ -647,7 +727,7 @@ probabilities during hybrid games where the two distributions are not close in t
the sum $$\mathbf{A}_0 + \sum_{j=1}^\ell \tau^{(i)} [j] \mathbf{A}_j = \bar{\mathbf{A}}_1 \cdot (\mathbf{S}_0 + \sum_{j=1}^\ell \tau^{(i)} [j] \cdot \mathbf{S}_j) + (h_0 + \sum_{j=1}^\ell \tau^{(i)} [j] \cdot h_j ) \cdot \mathbf{C} $$ does not depend on the matrix $\mathbf{C} \in \ZZ_q^{n \times m}$
(of which a trapdoor $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$ is known to $\bdv$) when $\tau^{(i)} = \tau^{(i^\dagger)}$, but it does for all other tags $\tau^{(i)} \neq \tau^{(i^\dagger)}$. In the setup phase,
$\bdv$ also sets up a random matrix $\mathbf{D}_0 \in U(\ZZ_q^{2n \times 2m})$ which it obtains by choosing
$\mathbf{A}' \sample U(\ZZ_q^{n \times 2m})$ to define
$\mathbf{A}' \sample (\ZZ_q^{n \times 2m})$ to define
\begin{eqnarray} \label{def-D0}
\mathbf{D}_0=\begin{bmatrix} \bar{\mathbf{A}} \\ \hline \mathbf{A}' \end{bmatrix} \in \ZZ_q^{2n \times 2m}.
\end{eqnarray}
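Review bot: `$\mathbf{A}' \sample (\ZZ_q^{n \times 2m})$` has lost its `U`, while the line just above still reads `$\mathbf{D}_0 \in U(\ZZ_q^{2n \times 2m})$` with the old notation; both should use `\sample \U(\cdot)`.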
@ -655,9 +735,9 @@ probabilities during hybrid games where the two distributions are not close in t
$\mathbf{s}_0 \sample D_{\ZZ^{2m},\sigma_0}$, which will be used in the $i^\dagger$-th query.
Next, it samples short vectors $\mathbf{v}_1,\mathbf{v}_2 \sample D_{\ZZ^m,\sigma}$ to define
$$\mathbf{u}= \mathbf{A}_{\tau^{(i^\dagger)}} \cdot \begin{bmatrix} \mathbf{v}_1 \\ \mathbf{v}_2 \end{bmatrix} - \mathbf{D} \cdot \bit (\mathbf{c}_M) ~ \in \ZZ_q^n.$$
In addition, $\bdv$ picks extra small-norm matrices $\mathbf{R}_1,\ldots,\mathbf{R}_N \sample \ZZ^{2m \times 2m}$ whose columns are sampled from $D_{\ZZ^m,\sigma}$, which
In addition, $\bdv$ picks extra small-norm matrices $\mathbf{R}_1,\ldots,\mathbf{R}_N \in \ZZ^{2m \times 2m}$ whose columns are sampled from $D_{\ZZ^m,\sigma}$, which
are used to define randomizations of $\mathbf{D}_0$ by computing $\mathbf{D}_k = \mathbf{D}_0 \cdot \mathbf{R}_k$ for each $k \in \{1,\ldots,N\}$.
The adversary is given public parameters $\mathsf{par}:=\{\mathbf{B},\mathbf{G}_0,\mathbf{G}_1,CK\}$, where $CK=\{\mathbf{D}_k\}_{k=0}^N$, and the public key $PK:=\big( \mathbf{A}, \{\mathbf{A}_j\}_{j=0}^\ell, \mathbf{D},\mathbf{u} \big)$.
The adversary is given public parameters $\mathsf{par}\coloneqq \{\mathbf{B},\mathbf{G}_0,\mathbf{G}_1,CK\}$, where $CK=\{\mathbf{D}_k\}_{k=0}^N$, and the public key $PK\coloneqq \big( \mathbf{A}, \{\mathbf{A}_j\}_{j=0}^\ell, \mathbf{D},\mathbf{u} \big)$.
Using $\mathbf{T}_{\mathbf{C}}$,
$\bdv$ can perfectly emulate the signing oracle at all queries, except the $i^\dagger$-th query where the
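Review bot: changing `\sample \ZZ^{2m \times 2m}` to `\in \ZZ^{2m \times 2m}` for $\mathbf{R}_1,\ldots,\mathbf{R}_N$ is right, since they are Gaussian rather than uniform, but the stated column distribution `D_{\ZZ^m,\sigma}` does not match the matrix shape: a column of a $2m \times 2m$ matrix lies in $\ZZ^{2m}$, so it should be `D_{\ZZ^{2m},\sigma}`.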
@ -811,15 +891,14 @@ Choose a hash function $H:\{0,1\}^*
\rightarrow \{1,2,3\}^t$ for some $t = \omega(\log n)$,
which will be modeled as a random oracle in the security analysis.
Then, do the following. \smallskip \smallskip
% \vspace{-0.3 cm}
\begin{itemize}
\item[1.] Generate a key pair for the signature of Section \ref{desc-sig-protoc} for signing single-block messages. Namely, run $\TrapGen(1^n,1^m,q)$ to get~$\mathbf{A} \in
\ZZ_q^{n \times m}$ and a short basis $\mathbf{T}_{\mathbf{A}}$ of
$\Lambda_q^{\perp}(\mathbf{A})$, which allows computing short vectors in $\Lambda_q^{\perp}(\mathbf{A})$ with Gaussian parameter $\sigma$.
% $\sigma \geq \| \widetilde{\mathbf{T}_{\mathbf{A}}} \| \cdot \omega (\sqrt{\log m})$.
Next, choose matrices
$\mathbf{A}_0,\mathbf{A}_1,\ldots,\mathbf{A}_{\ell},\mathbf{D} \sample U(\ZZ_q^{n \times m})$, $ \mathbf{D}_0,\mathbf{D}_1 \sample U(\ZZ_q^{2n \times 2m})$ and a vector $\mathbf{u} \sample U(\ZZ_q^n)$.
\item[2.] Choose an additional random matrix $\mathbf{F} \sample U(\ZZ_q^{4n \times 4m})$ uniformly. Looking ahead, this matrix will be used to ensure security against framing attacks.
$\mathbf{A}_0,\mathbf{A}_1,\ldots,\mathbf{A}_{\ell},\mathbf{D} \sample (\ZZ_q^{n \times m})$, $ \mathbf{D}_0,\mathbf{D}_1 \sample (\ZZ_q^{2n \times 2m})$ and a vector $\mathbf{u} \sample (\ZZ_q^n)$.
\item[2.] Choose an additional random matrix $\mathbf{F} \sample (\ZZ_q^{4n \times 4m})$ uniformly. Looking ahead, this matrix will be used to ensure security against framing attacks.
\item[3.]
Generate a master key pair for the Gentry-Peikert-Vaikuntanathan IBE scheme
in its multi-bit variant. This key pair consists of a statistically uniform matrix
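Review bot: the `U` is dropped in all three samplings on the edited line `$\mathbf{A}_0,\mathbf{A}_1,\ldots,\mathbf{A}_{\ell},\mathbf{D} \sample (\ZZ_q^{n \times m})$, $ \mathbf{D}_0,\mathbf{D}_1 \sample (\ZZ_q^{2n \times 2m})$ and a vector $\mathbf{u} \sample (\ZZ_q^n)$`, and again in `$\mathbf{F} \sample (\ZZ_q^{4n \times 4m})$`; replace each `\sample (` with `\sample \U(`.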
@ -831,10 +910,10 @@ Gaussian parameter $\sigma_{\mathrm{GPV}} \geq \| \widetilde{\mathbf{T}}_{\mathb
that will be modeled as random oracles.
\end{itemize}
The group public key is defined
as $$\mathcal{Y}:=\big( \mathbf{A}, ~
as $$\mathcal{Y}\coloneqq \big( \mathbf{A}, ~
\{\mathbf{A}_j \}_{j=0}^{\ell},~\mathbf{B}, ~\mathbf{D},~ \mathbf{D}_0,~\mathbf{D}_1,~\mathbf{F}, ~\mathbf{u} , ~\Pi^\mathrm{OTS}, ~ H,~H_0 \big).$$
The opening authority's private key is $\mathcal{S}_{\OA}:=
\mathbf{T}_{\mathbf{B}} $ and the private key of the group manager consists of $\mathcal{S}_{\GM}:= \mathbf{T}_{\mathbf{A}}$. The algorithm outputs
The opening authority's private key is $\mathcal{S}_{\OA}\coloneqq
\mathbf{T}_{\mathbf{B}} $ and the private key of the group manager consists of $\mathcal{S}_{\GM}\coloneqq \mathbf{T}_{\mathbf{A}}$. The algorithm outputs
$\big( \mathcal{Y},\mathcal{S}_{\GM},\mathcal{S}_{\OA} \big)$.
\bigskip
@ -906,7 +985,7 @@ and $\bit(\mathbf{v}_i) \in \{0,1\}^{2m}, \mathbf{w}_{i} \in \{0,1\}^m$, that
- \mathbf{D} \cdot \mathbf{w}_i = \mathbf{u} \in \ZZ_q^n
\end{eqnarray}
and
\vspace*{-0.75cm}
\begin{eqnarray} \label{eq:rel-3}
\left\{
\begin{array}{l}
@ -987,10 +1066,10 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
\begin{proof}
We prove that any adversary $\adv$ with non-negligible success probability $\varepsilon$ implies an algorithm $\bdv$ solving the \textsf{SIS} problem
in the random oracle model. \\
\indent
Let $\adv$ be such a $\ppt$ adversary. We build a $\ppt$
algorithm $\bdv$ that uses $\adv$ to
in the random oracle model.
Let $\adv$ be such a $\ppt$ adversary.
We then build a $\ppt$ reduction~$\bdv$ that uses the adversary~$\adv$ to
solve~$\SIS_{n,2m,q,\beta'}$: specifically, $\bdv$ takes as input~$\bar{\mathbf{A}} = \begin{bmatrix} \bar{\mathbf{A}}_1 | \bar{\mathbf{A}}_2 \end{bmatrix} \in
\Zq^{n \times 2m}$, where $\bar{\mathbf{A}}_1,\bar{\mathbf{A}}_2 \in \Zq^{n \times m}$, and finds $\mathbf{w} \in
\Lambda_q^{\perp}(\bar{\mathbf{A}})$ with~$0 < \|\mathbf{w}\| \leq \beta'$.
@ -999,11 +1078,11 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
\noindent \textbf{Initialization.} Algorithm~$\bdv$ first chooses a random $coin \sample
U(\{0,1,2\})$ as a guess for the kind of misidentification attack that $\adv$ will mount. Also, $\bdv$
chooses a random $\ell$-bit string $\mathsf{id}^\dagger \sample U(\{0,1\}^\ell)$.
chooses a random $\ell$-bit string $\mathsf{id}^\dagger \sample (\{0,1\}^\ell)$.
In
addition, $\bdv$
samples~$i^\star
\sample U([1,Q_a])$. \\
\sample ([1,Q_a])$. \\
\indent
Looking ahead, $coin=0$ corresponds to the case where, after repeated executions of $\adv$, the knowledge extractor of the proof system
reveals witnesses containing a new identifier $\mathsf{id}^\star \in \{0,1\}^\ell$ that does not belong to any user in $U^a$.
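Review bot: the edit removes the distribution symbol instead of converting it: `$\mathsf{id}^\dagger \sample (\{0,1\}^\ell)$` and `$i^\star \sample ([1,Q_a])$` now sample from a bare parenthesised set, which is not a distribution. Keep the uniform-distribution notation, for instance with the `\U(\cdot)` macro used in the pairing-based chapter, rather than deleting `U`. Note also that `\\` followed by `\indent` before "Looking ahead" survives here while the same construct is removed a few lines earlier in this proof.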
@ -1029,7 +1108,7 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
Depending on $coin \in \{0,1,2\}$, the group public key $\mathcal{Y}$ is
generated using different methods. \smallskip
\noindent $\bullet$ If $coin=0$, algorithm~$\bdv$ first randomly chooses $\mathsf{id}^\dagger \sample U(\{0,1\}^\ell)$ as a guess for the $\ell$-bit string
\noindent $\bullet$ If $coin=0$, algorithm~$\bdv$ first randomly chooses $\mathsf{id}^\dagger \sample (\{0,1\}^\ell)$ as a guess for the $\ell$-bit string
that will be revealed by the knowledge extractor of the proof system after repeated executions of the adversary $\adv$.
Then, it runs
$\TrapGen(1^n,1^m,q)$ to obtain $\mathbf{C} \in \Zq^{n \times m}$ and a
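Review bot: `$\mathsf{id}^\dagger$` is sampled a second time here ("algorithm~$\bdv$ first randomly chooses $\mathsf{id}^\dagger \sample (\{0,1\}^\ell)$") although Initialization already picked it; the $coin=0$ branch should refer back to that choice, otherwise the two samples need not agree and the later argument that $\mathsf{id}^\star=\mathsf{id}^\dagger$ loses its anchor. Independently, the same edit turned `U(\{0,1\}^\ell)` into `(\{0,1\}^\ell)`, dropping the uniform-distribution symbol instead of replacing it with the intended macro.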
@ -1051,7 +1130,7 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
\end{eqnarray*}
It also defines $\mathbf{A}=\bar{\mathbf{A}}_1$.
Next, it samples a vector $\mathbf{e}_u \sample D_{\ZZ,\sigma}^m$ and computes a syndrome $\mathbf{u} = \bar{\mathbf{A}}_1 \cdot \mathbf{e}_u \in \Zq^n$. It picks $\mathbf{D}_0,\mathbf{D}_1
\sample U(\Zq^{2n \times 2m})$ at random and also faithfully generates the GPV master key pair $(\mathbf{B},\mathbf{T}_{\mathbf{B}})$ as in Step~3 of the real setup algorithm. The group
\sample (\Zq^{2n \times 2m})$ at random and also faithfully generates the GPV master key pair $(\mathbf{B},\mathbf{T}_{\mathbf{B}})$ as in Step~3 of the real setup algorithm. The group
public key $\mathcal{Y}=\big(\mathbf{A},\{\mathbf{A}_j \}_{j=0}^{\ell}, \mathbf{B}, \mathbf{D},\mathbf{D}_0,\mathbf{D}_1,\mathbf{F}, \mathbf{u},\mathcal{OTS},H,H_0 \big)$
is finally given to~$\adv$. \\
\indent Note that, for each $\mathsf{id} \neq \mathsf{id}^\dagger$, we have
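Review bot: `$\mathbf{D}_0,\mathbf{D}_1 \sample (\Zq^{2n \times 2m})$` lost its `U` rather than having it converted to the uniform-distribution macro; the parentheses around the set are now meaningless. In the unchanged context, the public key on the following line writes the one-time signature as `\mathcal{OTS}`, whereas the setup algorithm writes `\Pi^\mathrm{OTS}` and the framing proof `\Pi^{\mathsf{OTS}}`; unify the symbol.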
@ -1067,7 +1146,6 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
\left[
\begin{array}{c|c} \bar{\mathbf{A}}_1 ~&~ \bar{\mathbf{A}}_1 + h_{\mathsf{id}} \cdot \mathbf{C}
\end{array} \right]
% \vspace*{-.1cm}
\end{eqnarray}
where $h_{\mathsf{id}} \in [1,\ell]$ denotes the Hamming distance between
the identifiers $\mathsf{id}$ and $\mathsf{id}^\dagger$. Since $q>\ell$, we have
@ -1100,7 +1178,7 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
Next, $\bdv$ runs $(\mathbf{C},\mathbf{T}_{\mathbf{C}}) \leftarrow \mathsf{TrapGen}(1^n,1^m,q)$, $(\mathbf{D}_1,\mathbf{T}_{\mathbf{D}_1}) \leftarrow \mathsf{TrapGen}(1^{2n},1^{2m},q)$ so as to obtain statistically random matrices $\mathbf{C} \in \Zq^{n \times m}$, $ \mathbf{D}_1 \in \Zq^{2n \times 2m}$ together with
trapdoors $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m} $, $\mathbf{T}_{\mathbf{D}_1} \in \ZZ^{2m \times 2m}$ consisting of short bases of $\Lambda_q^{\perp}(\mathbf{C})$ and $\Lambda_q^{\perp}(\mathbf{D}_1)$, respectively. Then,
$\bdv$
picks a random $\mathbf{D}_0 \sample U(\Zq^{2n \times 2m})$ and re-randomizes $\mathbf{D}=\bar{\mathbf{A}}_1 \in \Zq^{n \times m}$ using Gaussian matrices
picks a random $\mathbf{D}_0 \sample (\Zq^{2n \times 2m})$ and re-randomizes $\mathbf{D}=\bar{\mathbf{A}}_1 \in \Zq^{n \times m}$ using Gaussian matrices
$\mathbf{S},\mathbf{S}_0,\mathbf{S}_1,\ldots,\mathbf{S}_{\ell} \sample \ZZ^{m \times m}$ whose columns are sampled from the distribution $D_{\ZZ^m,\sigma}$.
Namely, from $\mathbf{D} =\bar{\mathbf{A}}_1 $, $\bdv$
defines
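Review bot: `\mathbf{D}_0 \sample (\Zq^{2n \times 2m})` is another place where the search-and-replace deleted `U` instead of turning it into the uniform-distribution macro, so the sampling statement names no distribution. In the context lines, the Gaussian matrices are described with `$D_{\ZZ^m,\sigma}$` while $\mathbf{e}_u$ earlier in the same proof is drawn from `$D_{\ZZ,\sigma}^m$`; the two spellings of the same distribution should be unified.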
@ -1123,12 +1201,12 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
- \mathbf{D} \cdot \bit(\mathbf{c}_M),
\end{eqnarray}
where
$\mathbf{c}_{M} \sample U(\Zq^{2n})$ is a randomly chosen vector. Observe that, since $\mathbf{A}$ is statistically uniform over $\Zq^{n \times m}$ and $ \mathbf{d}_{i^\star,1}
$\mathbf{c}_{M} \sample (\Zq^{2n})$ is a randomly chosen vector. Observe that, since $\mathbf{A}$ is statistically uniform over $\Zq^{n \times m}$ and $ \mathbf{d}_{i^\star,1}
\sample D_{\ZZ^m,\sigma}$, the distribution of
$\mathbf{u} $ is statistically close to $U(\Zq^n)$.
\medskip
\noindent $\bullet$ If $coin=2$, $\bdv$ picks $\bar{\mathbf{A}}' \sample U(\Zq^{n \times 2m})$
\noindent $\bullet$ If $coin=2$, $\bdv$ picks $\bar{\mathbf{A}}' \sample (\Zq^{n \times 2m})$
and a random matrix $\mathbf{Q} \sample \ZZ^{2m \times 2m}$ whose columns are sampled from $D_{\ZZ^{2m},\sigma}$. These
are used to define $$\mathbf{D}_0= \begin{bmatrix} \bar{\mathbf{A}} \\ \hline \bar{\mathbf{A}}' \end{bmatrix} \in \Zq^{2n \times 2m} ,$$
and $\mathbf{D}_1=\mathbf{D}_0 \cdot \mathbf{Q} \bmod q$, which is statistically close to $U(\Zq^{2n \times 2m})$. All other components of $\mathcal{Y}$ are obtained by faithfully running the setup algorithm. \medskip
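Review bot: within this single hunk the uniform-distribution notation is now inconsistent: `$\mathbf{c}_{M} \sample (\Zq^{2n})$` and `$\bar{\mathbf{A}}' \sample (\Zq^{n \times 2m})$` lost their `U`, while two lines down the unchanged text still says "statistically close to $U(\Zq^n)$". Either keep `U(\cdot)` everywhere or switch every occurrence to the macro; deleting the symbol is not a conversion.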
@ -1173,7 +1251,6 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
\left[
\begin{array}{c|c} \bar{\mathbf{A}} \cdot \mathbf{S} ~&~ \bar{\mathbf{A}} + h_{\mathsf{id}_i} \cdot \mathbf{C}
\end{array} \right]
% \vspace*{-.1cm}
\end{eqnarray}
Since $h_{\mathsf{id}_i} \neq 0$, $\bdv$ can use the trapdoor
$\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$ of $\Lambda_q^{\perp}(\mathbf{C})$ to compute a short vector $\mathbf{d}_i = [ \mathbf{d}_{i,1}^T ~|~\mathbf{d}_{i,2}^T ]^T \in \ZZ^{2m}$ such that
@ -1205,34 +1282,23 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
more than once, then~$\bdv$ consistently returns the previously defined
value. Queries to the random oracle $H_0$ are answered in the usual way, by returning a uniformly random value in the appropriate range. \medskip
\noindent \textbf{Forgery.} When $\adv$ halts, it outputs a
\textbf{Forgery.} When $\adv$ halts, it outputs a
signature $ \Sigma^\star=\big( \mathsf{VK}^\star ,\mathbf{c}_{\mathbf{v}_i}^\star, \pi_K^\star,sig^\star \big)$ on some message $M^\star$. At this point, $\bdv$ uses the
trapdoor $\mathbf{T}_{\mathbf{B}}$ to decrypt $\mathbf{c}_{\mathbf{v}_i}^\star$ and obtain an $m$-bit string $\bit(\mathbf{v}^\star) \in \{0,1\}^m$.
%We know that, with probability $\Pr[W_2]$, it holds that
%\begin{itemize}
%\item[-] The pair $(M^\star,\Sigma^\star)$ results in a successful misidentification attack and, when $\bdv$ runs the $\mathsf{Open}$ algorithm on $\Sigma^\star$, the $\ell$-bit %identifier $\mathsf{id}^\star$ revealed at step 2
%coincides with $\mathsf{id}^\dagger$.
%\item[-]
%If $coin=0$, $\mathsf{id}^\dagger$ did not appear in any membership certificate returned by $\mathcal{Q}_{\ajoin}$ whereas, if $coin=1$, $\mathsf{id}^\dagger$ is the identifier used by
%$\mathcal{Q}_{\ajoin}$ at the $i^\star$-th query.
%\item[-] If $coin=2$, the opening of $\Sigma^\star$ reveals vectors $\bit(\mathbf{v}^\star)$ and $\mathbf{s}^\star$ that result in a collision (\ref{collide})
% with those $(\bit(\mathbf{v}_{i^\star}),\mathbf{s}_{i^\star})$
%of the $i^\star$-th joining query.
%\end{itemize}
%In any other situation, $\bdv$ aborts and reports failure. Note that, in the case $coin=2$, $\bdv$ is done since the collision (\ref{collide}) directly provides a
%$\mathsf{SIS}$ solution. We thus assume $coin \in \{0,1\}$.
If we parse the proof $\pi_K^\star$ as
$(\{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t,\mathsf{Chall}_K^\star,\{\mathsf{Resp}_{K,j}^\star \}_{j=1}^t)$, with high
probability, the adversary $\adv$ must have invoked the random oracle~$H$ on the
input~$ (M^\star, \mathsf{VK}^\star , \mathbf{c}_{\mathbf{v}_i}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$.
$(\{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t,\mathsf{Chall}_K^\star,\{\mathsf{Resp}_{K,j}^\star \}_{j=1}^t)$,
the adversary $\adv$ must have invoked the random oracle~$H$ on the
input~$(M^\star, \mathsf{VK}^\star , \mathbf{c}_{\mathbf{v}_i}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$ with high probability.
Otherwise, the probability that
$\mathsf{Chall}_K^\star=H (M^\star, \mathsf{VK}^\star , \mathbf{c}_{\mathbf{v}_i}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$
is negligible (at most~$3^{-t}$). It comes that, with probability at least $ \varepsilon' := \varepsilon-
is negligible (at most~$3^{-t}$).
It comes that, with probability at least $ \varepsilon' \coloneqq \varepsilon-
3^{-t} $, $ (M^\star, \mathsf{VK}^\star , \mathbf{c}_{\mathbf{v}_i}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$
coincides with the $\kappa^\star$-th random oracle query for some $\kappa^\star
\leq Q_H$. \\
\indent
\leq Q_H$.
At this stage, the reduction $\bdv$ runs the
adversary $\adv$ up to $32 \cdot Q_H / (\varepsilon - 3^{-t})$ times with the \textit{same} random tape and input as in the
initial run. All queries are answered as previously with
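Review bot: the unchanged context at the top of this hunk says $\bdv$ decrypts $\mathbf{c}_{\mathbf{v}_i}^\star$ to "an $m$-bit string $\bit(\mathbf{v}^\star) \in \{0,1\}^m$", but the relation at the start of the section and the $coin=2$ case use $\bit(\mathbf{v}^\star) \in \{0,1\}^{2m}$; the decrypted string has length $2m$. Two smaller points in the changed lines: removing `\noindent` from `\textbf{Forgery.}` makes it the only paragraph label in this proof without it (Initialization keeps `\noindent \textbf{...}`), and removing `\\ \indent` after "$\leq Q_H$." without a blank line merges "At this stage, the reduction..." into the preceding paragraph.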
@ -1276,15 +1342,16 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
\item[-] $coin=2$ and the knowledge extraction yields vectors $\bit(\mathbf{v}^\star) \in \{0,1\}^{2m}$ and $\mathbf{s}^\star \in \ZZ^{2m}$ such that the collision
(\ref{collide}) does not occur.
\end{itemize}
We call $\mathsf{fail}$ the event that one of the above situations occurs. Given that the choices of $coin \sample U(\{0,1,2\})$ and $i^\star \sample U([1,Q_a])$ are completely independent of $\adv$'s view,
the choice of $coin$ is correct with probability $1/3$. If $coin=0$, $\bdv$'s choice of $\mathsf{id}^\dagger \sample U(\{0,1\}^\ell)$ is correct with probability $1/(N_{\mathsf{gs}}-Q_a) \geq 1/N_{\mathsf{gs}}$ and, when
We call $\mathsf{fail}$ the event that one of the above situations occurs. Given that the choices of $coin \sample (\{0,1,2\})$ and $i^\star \sample ([1,Q_a])$ are completely independent of $\adv$'s view,
the choice of $coin$ is correct with probability $1/3$. If $coin=0$, $\bdv$'s choice of $\mathsf{id}^\dagger \sample (\{0,1\}^\ell)$ is correct with probability $1/(N_{\mathsf{gs}}-Q_a) \geq 1/N_{\mathsf{gs}}$ and, when
$coin=1$, $\bdv$'s correctly guesses $i^\star \in [1,Q_a]$ with probability $1/Q_a$. We find
$$\Pr[ \neg \mathsf{fail}] \geq \frac{1}{3 \cdot \max(N_{\mathsf{gs}},Q_a)} =\frac{1}{3 \cdot N_{\mathsf{gs}} } .$$
Assuming that $\mathsf{fail}$ does not occur, $\bdv$ can solve the problem instance as follows. \smallskip
Assuming that $\mathsf{fail}$ does not occur, $\bdv$ can solve the problem instance as follows.
\noindent $\bullet$ If $coin=0$, we have $\mathsf{id}^\star=\mathsf{id}^\dagger$ and $\bdv$ knows a short vector $\mathbf{e}_u \in \ZZ^m$ such that $\mathbf{u} = \bar{\mathbf{A}}_1 \cdot \mathbf{e}_u \bmod q$. Hence, it can obtain a short integer vector
\begin{itemize}
\item If $coin=0$, we have $\mathsf{id}^\star=\mathsf{id}^\dagger$ and $\bdv$ knows a short vector $\mathbf{e}_u \in \ZZ^m$ such that $\mathbf{u} = \bar{\mathbf{A}}_1 \cdot \mathbf{e}_u \bmod q$. Hence, it can obtain a short integer vector
\begin{eqnarray*}
\mathbf{h} = {\mathbf{d}_1^\star} + \big( \mathbf{Q}_0 + \sum_{i=1}^\ell \mathsf{id}^\dagger [i] \mathbf{Q}_i \big) \cdot {\mathbf{d}_2^\star} - \mathbf{Q}_D
\cdot \bit(\mathbf{v}^\star) - \mathbf{e}_u \in \ZZ^m
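Review bot: `$coin \sample (\{0,1,2\})$`, `$i^\star \sample ([1,Q_a])$` and `$\mathsf{id}^\dagger \sample (\{0,1\}^\ell)$` have lost the uniform-distribution symbol; a bare parenthesised set after `\sample` is not a distribution. Separately, the step from $1/(3\cdot\max(N_{\mathsf{gs}},Q_a))$ to $1/(3 N_{\mathsf{gs}})$ silently uses $Q_a \le N_{\mathsf{gs}}$; a short clause noting that at most $N_{\mathsf{gs}}$ users can join would close that gap. The switch from `\noindent $\bullet$` to `\begin{itemize}`/`\item` is a good change, provided the matching `\end{itemize}` after the $coin=2$ case is kept.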
@ -1294,11 +1361,8 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
$\mathbf{e}_u \in \ZZ^m$
in $\Lambda_q^{\mathbf{u}}(\bar{\mathbf{A}}_1)$. Finally, the norm of $\mathbf{h}$ is at most $\| \mathbf{h} \|_2 \leq (\ell+1) \sigma^2 m^{3/2} + \sigma m^{1/2} (m+2)$.
This implies that $(\mathbf{h}^T \mid \mathbf{0}^m)^T$ is a short non-zero vector of $\Lambda_q^{\perp}(\bar{\mathbf{A}})$ and solves the initial $\mathsf{SIS}$ instance.
\smallskip
\smallskip
\noindent $\bullet$ If $coin=1$, the extracted
\item If $coin=1$, the extracted
witnesses $(\mathbf{d}_{1}^\star,\mathbf{d}_{2}^\star,\mathbf{s}^\star,\mathsf{id}^\star)$ and the decrypted $\bit(\mathbf{v}^\star)$
satisfy $\mathsf{id}^\star=\mathsf{id}^\dagger$, $$\mathbf{w}^\star = \bit( \mathbf{D}_0 \cdot \bit(\mathbf{v}^\star) + \mathbf{D}_1 \cdot \mathbf{s}^\star )
\neq \bit( \mathbf{D}_0 \cdot \bit(\mathbf{v}_{i^\star}) + \mathbf{D}_1 \cdot \mathbf{s}_{i^\star} ) = \mathbf{w}_{i^\star} $$
@ -1338,13 +1402,14 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
Indeed, we know that $\mathbf{w}^\star \neq \mathbf{w}_{i^\star}$ if $\neg \mathsf{fail}$ occurs.
This implies that the last term of (\ref{the-vec}) is non-zero, which rules out that $(\mathbf{d}_1^\star,\mathbf{d}_2^\star)=(\mathbf{d}_{i^\star,1},\mathbf{d}_{i^\star,2})$.
Since the columns of $\mathbf{S}$ and $\{\mathbf{S}_j\}_{j=0}^\ell$ have a lot of entropy conditionally on $\mathcal{Y}$, this implies that we can only have $\mathbf{h}=\mathbf{0}^m$ with negligible probability. Furthermore, the norm of $\mathbf{h}$ can be bounded by $\| \mathbf{h} \|_2 \leq 4 \sigma^2 m^{3/2} (\ell+2) + 2 m^{1/2} $,
so that $(\mathbf{h}^T \mid \mathbf{0}^m)^T$ solves the original $\mathsf{SIS}$ instance. \medskip
so that $(\mathbf{h}^T \mid \mathbf{0}^m)^T$ solves the original $\mathsf{SIS}$ instance.
\noindent $\bullet$ If $coin=2$, $\bdv$ is done as well since the collision (\ref{collide}) directly provides a vector
\item If $coin=2$, $\bdv$ is done as well since the collision (\ref{collide}) directly provides a vector
$$\mathbf{h}=\bit(\mathbf{v}^\star) - \bit(\mathbf{v}_i^\star) + \mathbf{Q} \cdot (\mathbf{s}^\star - \mathbf{s}_i^\star) ~ \in \ZZ^{2m}$$ of $\Lambda_q^{\perp}(\mathbf{D}_0)$ (which is also in
the lattice $\Lambda_q^{\perp}(\bar{\mathbf{A}})$ by construction) and has
norm $\| \mathbf{h} \|_2 \leq 2(\sigma^2 (2m)^{3/2} + (2m)^{1/2}) $. Moreover, $\mathbf{h} \in \ZZ^{2m}$ is non-zero with overwhelming probability
given that $\bit(\mathbf{v}^\star) \neq \bit(\mathbf{v}_i^\star)$ and the large amount of entropy retained by the columns $\mathbf{Q} \in \ZZ^{2m \times 2m}$ given $\mathbf{D}_1= \mathbf{D}_0 \cdot \mathbf{Q}$.
\end{itemize}
\end{proof}
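Review bot: the $coin=2$ vector is written with `\bit(\mathbf{v}_i^\star)` and `\mathbf{s}_i^\star` (star on the vector), whereas the $coin=1$ case and the collision statement use `\mathbf{v}_{i^\star}` and `\mathbf{s}_{i^\star}` (star on the index). Typographically these are different objects; the values of the $i^\star$-th joining query are meant, so the subscript form should be used both in the displayed $\mathbf{h}$ and in "given that $\bit(\mathbf{v}^\star) \neq \bit(\mathbf{v}_i^\star)$".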
@ -1365,7 +1430,7 @@ The scheme is secure against framing attacks under the $\mathsf{SIS}_{4n,4m,q,\b
As a result of having generated $\mathcal{Y}$ itself, $\bdv$ knows
$\mathcal{S}_{\GM}=\mathbf{T}_{\mathbf{A}}$ and $\mathcal{S}_{\OA}= \mathbf{T}_{\mathbf{B}}$. The adversary $\bdv$ is run on input of the
group public key
$$ \mathcal{Y}:=\Bigl(\mathbf{A}, \{\mathbf{A}_j\}_{j=0}^\ell,~\mathbf{B},~\mathbf{D},~\mathbf{D}_0,~\mathbf{D}_1,~\mathbf{F}=\bar{\mathbf{A}},~\mathbf{u},~\Pi^{\mathsf{OTS}},~H,~H_0 ) \Bigr). $$
$$ \mathcal{Y}\coloneqq \Bigl(\mathbf{A}, \{\mathbf{A}_j\}_{j=0}^\ell,~\mathbf{B},~\mathbf{D},~\mathbf{D}_0,~\mathbf{D}_1,~\mathbf{F}=\bar{\mathbf{A}},~\mathbf{u},~\Pi^{\mathsf{OTS}},~H,~H_0 ) \Bigr). $$
If $\adv$ chooses
to corrupt the group manager or the opening authority during the
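Review bot: in the unchanged line "The adversary $\bdv$ is run on input of the group public key", $\bdv$ is the reduction, not the adversary; it should read $\adv$, as in the SDL proof of the pairing-based scheme. The changed display also has unbalanced delimiters: `~H,~H_0 ) \Bigr)` closes twice for a single `\Bigl(`; drop the inner `)`.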
@ -1416,7 +1481,7 @@ probability, $\adv$ must have queried~$H$ on the
input~$ (M^\star, \mathsf{VK}^\star ,\mathbf{c}_{\mathbf{v}}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$.
Otherwise, we would only have
$\mathsf{Chall}_K^\star=H (M^\star, \mathsf{VK}^\star ,\mathbf{c}_{\mathbf{v}}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$
with negligible probability~$3^{-t}$. It comes that, with probability at least $ \varepsilon' := \varepsilon-
with negligible probability~$3^{-t}$. It comes that, with probability at least $ \varepsilon' \coloneqq \varepsilon-
3^{-t} $, the tuple $ (M^\star, \mathsf{VK}^\star ,\mathbf{c}_{\mathbf{v}}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$
was the input of the $\kappa^\star$-th random oracle query for some index $\kappa^\star
\leq Q_H$. \\
@ -1487,7 +1552,7 @@ Hence, the difference $\mathbf{h} = \mathbf{z}' - \mathbf{z}_{i^\star} \in \ZZ^{
\smallskip
\item[$\textsf{Game}^{(d)}$~2:] In this game, we program the random oracle $H_0$ in the following way: at the beginning of the game, we choose
a uniformly random matrix $\mathbf{G}_0^\star \sample U(\Zq^{n \times 2m})$ and set $H_0(\vk^\star) = \mathbf{G}^\star_0$. From the adversary's view, the distribution of
a uniformly random matrix $\mathbf{G}_0^\star \sample (\Zq^{n \times 2m})$ and set $H_0(\vk^\star) = \mathbf{G}^\star_0$. From the adversary's view, the distribution of
$\mathbf{G}_0^\star$ is statistically close to the one in the real attack game, as in \cite{GPV08}.
As for other queries, for each fresh $H_0$-queries on $\vk$,
the challenger samples small-norm matrices $\mathbf{E}_{0,\vk} \sample D_{\ZZ^m, \sigma}^{2m}$ and programs the oracle such that
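Review bot: `$\mathbf{G}_0^\star \sample (\Zq^{n \times 2m})$` has lost its `U`; the intent was to switch to the uniform-distribution macro, not to remove the distribution. In the context lines, "for each fresh $H_0$-queries on $\vk$" should be "for each fresh $H_0$-query on $\vk$".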
@ -1529,7 +1594,7 @@ Hence, the difference $\mathbf{h} = \mathbf{z}' - \mathbf{z}_{i^\star} \in \ZZ^{
\mathbf{r}_1 \\ \mathbf{r}_2 + \bit(\mathbf{v}_{d}^\star) \lfloor q/2 \rfloor
\end{pmatrix}, \]
%where $\mathbf{v}_{i_b}^\star= \mathbf{F} \cdot \mathbf{z}_{i_b}^\star $, and
where $\mathbf{r}_1 \sample U(\Zq^{m})$, $\mathbf{r}_2 \sample U(\Zq^{2m})$ are uniformly random.
where $\mathbf{r}_1 \sample (\Zq^{m})$, $\mathbf{r}_2 \sample (\Zq^{2m})$ are uniformly random.
The hardness of the decisional $\LWE_{n, q, \chi}$ problem implies that $\mathbf{c}^\star_{\mathbf{v}_d}$ in \ extsf{Game} $4$ and \ extsf{Game} $5$ are computationally indistinguishable.
If $\adv$ can distinguish between these two games, it can furthermore distinguish
\[ \begin{pmatrix}
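Review bot: `$\mathbf{r}_1 \sample (\Zq^{m})$, $\mathbf{r}_2 \sample (\Zq^{2m})$` dropped the uniform-distribution symbol instead of converting it. In the surrounding context the game labels are inconsistent: the sequence is introduced as `\textsf{Game}^{(d)}~2`, the text then refers to "Game $4$ and Game $5$", and the next item is `\textsf{Game}~6` without the $(d)$ superscript. Also, the line with $\LWE_{n, q, \chi}$ shows `\ extsf{Game}` on the rendered diff; confirm the source reads `\textsf{Game}` there.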
@ -1543,7 +1608,7 @@ Hence, the difference $\mathbf{h} = \mathbf{z}' - \mathbf{z}_{i^\star} \in \ZZ^{
\smallskip
\item[\textsf{Game}~6:] We finally make a conceptual modification on the previous game. Namely we sample uniformly random $\mathbf{r}_1^\prime
\sample U(\Zq^{m})$, $\mathbf{r}_2^\prime \sample U(\Zq^{2m})$ and assign
\sample (\Zq^{m})$, $\mathbf{r}_2^\prime \sample (\Zq^{2m})$ and assign
\[ \mathbf{c}_{\mathbf{v}_d}^\star = \begin{pmatrix}
\mathbf{r}_1^\prime \\ \mathbf{r}_2^\prime
\end{pmatrix} .\]
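Review bot: `$\mathbf{r}_1^\prime \sample (\Zq^{m})$, $\mathbf{r}_2^\prime \sample (\Zq^{2m})$` repeats the defect of the previous game: `U` was deleted rather than replaced by the uniform-distribution macro, so the sampling statement no longer names a distribution.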
@ -1571,7 +1636,7 @@ The argument system used in our protocol for signing a committed value in Sectio
$\mathbf{e}_{0,1}\in [-B,B]^m; \hspace*{5pt} \mathbf{e}_{0,2}\in [-B,B]^{2m}$; \hspace*{5pt} $\mathbf{s}' \in [-(p-1), (p-1)]^{2m}$ \smallskip
\item[Prover's Goal:] Convince the verifier in \textsf{ZK} that:
\end{description}
\vspace*{-10pt}
\begin{eqnarray}\label{equation:R-commit-statement}
\hspace*{-5pt}
\begin{cases}
@ -1672,20 +1737,18 @@ To do so, we first form the following vectors and matrices:
We then observe that (\ref{equation:R-commit-statement}) can be rewritten as:
\begin{eqnarray}\label{equation:R-commit-unified}
\vspace*{-5pt}
\mathbf{M}_1 \cdot \mathbf{x}_1 + \mathbf{M}_2 \cdot \mathfrak{m} + \mathbf{M}_3 \cdot \mathbf{s}' = \mathbf{v} \in \mathbb{Z}_q^D,
\end{eqnarray}
where $D = 2n + 3m(N+1)$.
Now we employ the techniques from \cref{sse:stern-abstraction} to convert~\eqref{equation:R-commit-unified} into the form $\mathbf{P}\cdot \mathbf{x} = \mathbf{v} \bmod q$. Specifically, if we let:
\[
\vspace*{-5pt}
\begin{cases}
\mathsf{DecExt}_{(n+3m)(N+1),B}(\mathbf{x}_1) \rightarrow \hat{\mathbf{x}}_1 \in \mathsf{B}^3_{(n+3m)(N+1)\delta_B}; \\[2.5pt]
{\mathbf{M}}'_1 = \mathbf{M}_1 \cdot \widehat{\mathbf{K}}_{(n+3m)(N+1),B} \in \ZZ_q^{D \times 3(n+3m)(N+1)\delta_B}; \\[2.5pt]
%\mathsf{Ext}_{2mN}(\mathbf{x}_2) \rightarrow \hat{\mathbf{x}}_2 \in \mathsf{B}_{2(2mN)}; \hspace*{5pt}
%{\mathbf{M}}'_2 = \big[\mathbf{M}_2 | \mathbf{0}^{D \times 2mN}] \in \mathbb{Z}_q^{D \times 4mN}; \\[5pt]
\mathsf{DecExt}_{2m, p-1}(\mathbf{s}') \rightarrow \hat{\mathbf{s}} \in \mathsf{B}^3_{2m\delta_{p-1}}; \hspace*{5pt}
{\mathbf M}'_3 = \mathbf{M}_3 \cdot \widehat{\mathbf K}_{2m,p-1} \in \mathbb{Z}_q^{D \times 6m\delta_{p-1}},
{\mathbf{M}}'_3 = \mathbf{M}_3 \cdot \widehat{\mathbf{K}}_{2m,p-1} \in \mathbb{Z}_q^{D \times 6m\delta_{p-1}},
\end{cases}
\]
$L = 3(n+3m)(N+1)\delta_B + 2mN + 6m\delta_{p-1}$, and $\mathbf{P} \hspace*{-1pt}= \hspace*{-1pt}\big[\mathbf{M}'_1 | \mathbf{M}_2 | \mathbf{M}'_3\big] \hspace*{-2pt}\in \hspace*{-1pt}\mathbb{Z}_q^{D \times L}$, and $\mathbf{x} = \big(\hat{\mathbf{x}}_1^T \| \mathfrak{m}^T \| \hat{\mathbf{s}}^T\big)^T$, then we will obtain the desired equation:
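Review bot: removing `\vspace*{-5pt}` from inside `\begin{eqnarray}` and `\[ ... \]` is the right call, since negative vertical space inside display math is fragile. The same category of hack survives on the last line of the hunk: `\hspace*{-1pt}` and `\hspace*{-2pt}` around $\mathbf{P} = [\mathbf{M}'_1 | \mathbf{M}_2 | \mathbf{M}'_3]$; consider dropping those in the same pass so the layout tweaks are handled consistently.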
@ -1700,12 +1763,12 @@ Having performed the above unification, we now define $\mathsf{VALID}$ as the se
\begin{itemize}
\item Define $\mathcal{S}: = \mathcal{S}_{3(n+3m)(N+1)\delta_B} \times \{0,1\}^{mN} \times \mathcal{S}_{6m\delta_{p-1}}$. \smallskip
\item For $\pi = (\pi_1, \mathbf{b}, \pi_3) \in \mathcal{S}$, and for vector $\mathbf{w} = \big(\mathbf{w}_1^T \| \mathbf{w}_2^T \| \mathbf{w}_3^T\big)^T \in \mathbb{Z}_q^L$, where $\mathbf{w}_1 \in \ZZ_q^{3(n+3m)(N+1)\delta_B}$, $\mathbf{w}_2 \in \ZZ_q^{2mN}$, $\mathbf{w}_3 \in \ZZ_q^{6m\delta_{p-1}}$, we define: \vspace*{-5pt}
\item For $\pi = (\pi_1, \mathbf{b}, \pi_3) \in \mathcal{S}$, and for vector $\mathbf{w} = \big(\mathbf{w}_1^T \| \mathbf{w}_2^T \| \mathbf{w}_3^T\big)^T \in \mathbb{Z}_q^L$, where $\mathbf{w}_1 \in \ZZ_q^{3(n+3m)(N+1)\delta_B}$, $\mathbf{w}_2 \in \ZZ_q^{2mN}$, $\mathbf{w}_3 \in \ZZ_q^{6m\delta_{p-1}}$, we define:
\[
T_{\pi} = \big(\pi_1(\mathbf{w}_1)^T \| E_{\mathbf{b}}(\mathbf{w}_2)^T \| \pi_3(\mathbf{w}_3)^T\big)^T.
\]
\end{itemize}
\vspace*{-2.5pt}
By inspection, it can be seen that the properties in~(\ref{eq:zk-equivalence}) are satisfied, as desired. As a result, we can obtain the required argument system by running the protocol in \cref{sse:stern-abstraction} with common input $(\mathbf{P}, \mathbf{v})$ and prover's input $\mathbf{x}$.
%--------------------------------------------------
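Review bot: the context line `\mathcal{S}: = \mathcal{S}_{3(n+3m)(N+1)\delta_B} \times ...` has a space inside `: =`; given that this commit converts `:=` to `\coloneqq` elsewhere, this occurrence should be converted as well. Otherwise the removal of the two `\vspace*` commands here is fine.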
@ -1737,10 +1800,10 @@ We now describe how to derive the protocol for proving the possession of a signa
$\mathbf{e}_{\tau,2} \in [-B,B]^\ell$.
\end{description}
\textbf{Prover's Goal:} Convince the verifier in \textsf{ZK} that: \vspace*{-7.5pt}
\textbf{Prover's Goal:} Convince the verifier in \textsf{ZK} that:
\begin{eqnarray}\label{equation:R-sign-signature}
\hspace*{-5pt}
\mathbf{A}\hspace*{-1.5pt}\cdot\hspace*{-1.5pt}\mathbf{v}_1 + \mathbf{A}_0\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathbf{v}_2 + \sum_{i=1}^\ell \mathbf{A}_i\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \tau[i] \mathbf{v}_2 - \mathbf{D}\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathsf{bin}(\mathbf{D}_0\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathbf{s} + \sum_{k=1}^N \mathbf{D}_i\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathfrak{m}_k) = \mathbf{u} \bmod q,\vspace*{-10pt}
\mathbf{A}\hspace*{-1.5pt}\cdot\hspace*{-1.5pt}\mathbf{v}_1 + \mathbf{A}_0\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathbf{v}_2 + \sum_{i=1}^\ell \mathbf{A}_i\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \tau[i] \mathbf{v}_2 - \mathbf{D}\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathsf{bin}(\mathbf{D}_0\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathbf{s} + \sum_{k=1}^N \mathbf{D}_i\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathfrak{m}_k) = \mathbf{u} \bmod q,
\end{eqnarray}
and that (modulo $q$)
\begin{eqnarray}\label{equation:R-sign-ciphertext}
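Review bot: in the displayed relation, the sum over the message blocks reads `\sum_{k=1}^N \mathbf{D}_i \cdot \mathfrak{m}_k`; the matrix index should follow the summation index, i.e. $\mathbf{D}_k$, since $i$ is already the index of the $\mathbf{A}_i$ sum on the same line. The `\vspace*` removals are good; the remaining `\hspace*{-1.5pt}` between every factor of that equation is the same kind of manual tweak and could go as well.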
@ -1856,10 +1919,8 @@ then we will obtain the equation $\mathbf{P}\cdot \mathbf{x} = \mathbf{c} \bmod
Before going on, we define $\mathsf{VALID}$ as the set of
$\mathbf{w} \in \{-1,0,1\}^L$ of the form:
\vspace*{-5pt}
\[
\mathbf{w} = \big(\mathbf{w}_{1}^T \| \mathbf{w}_2^T \| g_1 \mathbf{w}_2^T\| \ldots \| g_{2\ell}\mathbf{w}_2^T \| \mathbf{g}^T\| \mathbf{w}_3^T\| \mathbf{w}_4^T \| \mathbf{w}_5^T \| \mathbf{w}_6^T\big)^T
\vspace*{-5pt}
\]
for some $\mathbf{w}_1, \mathbf{w}_2 \in \mathsf{B}^3_{m\delta_\beta}$, $\mathbf{g} = (g_1, \ldots, g_{2\ell}) \in \mathsf{B}_{2\ell}$, $\mathbf{w}_3 \in \mathsf{B}^2_{m}$, $\mathbf{w}_4 \in \mathsf{CorEnc}(mN)$, $\mathbf{w}_5 \in \mathsf{B}^3_{2m\delta_{p-1}}$, and $\mathbf{w}_6 \in \mathsf{B}^3_{L_0\delta_B}$.
It can be checked that the constructed vector $\mathbf{x}$ belongs to this tailored set $\mathsf{VALID}$.\\
@ -1907,7 +1968,7 @@ The argument system upon which our group signature scheme is built can be summar
Using the same strategy as in Sections~\ref{subsection:zk-for-commitments} and~\ref{subsection:zk-for-signature}, we can derive a statistical \textsf{ZKAoK} for the above relation from the protocol in Section~\ref{sse:stern-abstraction}. As the transformations are similar to those in Section~\ref{subsection:zk-for-signature}, we only sketch main points.
In the first step, we combine the given equations to an equation of the form:
\[\vspace*{-3.5pt}
\[
\mathbf{M}\cdot \left(
\begin{array}{c}
\mathbf{d}_1 \\
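Review bot: dropping `\vspace*{-3.5pt}` from `\[` is fine, but the context sentence mixes referencing styles: `Sections~\ref{subsection:zk-for-commitments}` and `Section~\ref{sse:stern-abstraction}` here, while the same file uses `\cref{sse:stern-abstraction}` earlier; pick one (cleveref) so the section word is generated consistently.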

View File

@ -80,7 +80,7 @@ We denote by $\Ngs \in \poly[\lambda]$ the maximal number of group members that
\item[\textsf{Join}$^{\join_{\user}, \join_{\GM}}$:] is an \emph{interactive} protocol between the group manager GM and a user $\mathcal{U}_i$ where the latter becomes a group member.
The protocol involves two interactive Turing machines $\join_{\user}$ and $\join_{\GM}$ that both take the group public key $\gspk$ as input.
The execution $\langle \join_{\user}(\lambda,\gspk),\join_{\GM}(\lambda,\mathsf{st},\gspk,\mathcal{S}_{\GM}) \rangle$, ends with user $\mathcal{U}_i$ obtaining a membership secret $\scr_{i}$, that no one else knows, and a membership certificate $\crt_{i }$.
If the protocol is successful, the group manager updates the public state $\mathsf{st}$ by updating the following state informations $\mathsf{st}_{\users}:=\mathsf{st}_{\users} \cup \{ i \}$ as well as $\mathsf{st}_{\trans}:=\mathsf{st}_{\trans} || ( i ,\transcript_i )$.
If the protocol is successful, the group manager updates the public state $\mathsf{st}$ by updating the following state informations $\mathsf{st}_{\users}\coloneqq \mathsf{st}_{\users} \cup \{ i \}$ as well as $\mathsf{st}_{\trans}\coloneqq \mathsf{st}_{\trans} || ( i ,\transcript_i )$.
%
%\item[\textsf{Revoke}:] is a (possibly randomized) algorithm allowing the GM
%to generate an updated revocation list $RL_t$ for the new revocation period $t$.
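Review bot: in the changed Join line, "the following state informations" should be "the following state information" (uncountable). Also `$\mathsf{st}_{\trans}\coloneqq \mathsf{st}_{\trans} || ( i ,\transcript_i )$` uses `||` in math mode, which typesets as two adjacent bars with odd spacing; `\|` or a dedicated concatenation macro reads better.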
@ -226,7 +226,7 @@ following oracles:
the prospective user in the join protocol. If this protocol successfully
ends, the interface increments $n$, updates $\mathsf{st}$ by inserting the new user
$n$ in both sets $\mathsf{st}_{users}$ and $U^a$. It also sets
$\mathsf{st}_{\trans}:=\mathsf{st}_{\trans} || ( n, \transcript_n )$.
$\mathsf{st}_{\trans}\coloneqq \mathsf{st}_{\trans} || ( n, \transcript_n )$.
%
\item $Q_{\bjoin}$: allows the adversary, acting as a corrupted group manager,
to introduce new honest group members of its choice. The interface
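Review bot: the changed line uses the `\trans` macro (`\mathsf{st}_{\trans}`), but the context two lines above writes `\mathsf{st}_{users}` with a literal subscript, whereas the Join description in this same file uses `\mathsf{st}_{\users}`. The literal form typesets `users` in math italics; use the macro.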
@ -234,7 +234,7 @@ following oracles:
interaction with the adversary who runs $\join_{\GM}$. If the protocol
successfully completes, the interface increments $n$, adds user $n$ to
$\mathsf{st}_{users}$ and $U^b$ and sets
$\mathsf{st}_{\trans}:=\mathsf{st}_{\trans} || ( n, \transcript_n )$.
$\mathsf{st}_{\trans}\coloneqq \mathsf{st}_{\trans} || ( n, \transcript_n )$.
It stores the membership certificate $\crt_{n }$
and the membership secret $\scr_{n }$ in a \textit{private} part of
$\mathsf{state}_{\interface}$.
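Review bot: same inconsistency as in the $Q_{\ajoin}$ oracle: `\mathsf{st}_{users}` with a literal subscript next to the `\mathsf{st}_{\trans}` macro form in the changed line, and `\mathsf{state}_{\interface}` where the rest of the section abbreviates the state as `\mathsf{st}`. Normalise to the macros so the symbols match the Join definition.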

View File

@ -6,7 +6,12 @@
In this Chapter, we aim at lifting the \textit{signature with efficient protocols} from~\cite{LPY15} into the random oracle model in order to get an efficient construction~\cite{BR93}.
Signatures with efficient protocols in the Camenish and Lysyanskaya fashion~\cite{CL04a} are digital signatures which come with companion zero-knowledge proofs that allow a signature holder to prove knowledge of the signature of a commited message as well as proving possession of a hidden message-signature pair in a zero-knowledge manner.
This building block proved useful in the design of many efficient anonymity-related protocols such as anonymous credentials~\cite{CL01}, which are similar to group signatures except that anonymity is irrevocable (meaning that there is no opening authority).
This building block proved useful in the design of many efficient anonymity-related protocols such as anonymous credentials~\cite{Cha85,CL01}, which are similar to group signatures except that anonymity is irrevocable (meaning that there is no opening authority).
In other words, an anonymous credential scheme involves one (or more) credential issuer(s) and a set of users who have a long term secret key which can be seen as their digital identity, and pseudonyms that can be seen as commitments to their secret key.
Users can dynamically obtain credentials from an issuer that only knows users' pseudonyms and obliviously sign users' secret keys as well as a set of attributes.
Later on, users can make themselves known to verifiers under a different pseudonym and demonstrate possession of the issuer's certificate on their secret key withour revealing neither the signature nor the key.
In this context, signature with efficient protocols can typically be used as follows:
the user obtains the issuer's signature on a committed message via an interactive protocol, and uses a protocol for proving that two commitments open to the same value (which allows proving that the same secret underlies two distinct pseudonyms) and finally a protocol for proving possession of a secret message-signature pair.
As explained in \cref{ch:proofs}, the \textit{quality} of a scheme depends on both its efficiency and the simplicity of the assumptions it relies on.
Before the works described in this Chapter, most signature schemes rely on groups of hidden order~\cite{CL04a} or non-standard assumptions in groups with bilinear maps~\cite{CL04, Oka06}.
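Review bot: the new anonymous-credential paragraph has a few typos: "withour revealing neither the signature nor the key" should be "without revealing either the signature or the key", and in the retained context "Camenish" is "Camenisch" and "commited" is "committed". Also, "Before the works described in this Chapter, most signature schemes rely on" needs the past tense ("relied on") to agree with "Before".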
@ -130,7 +135,7 @@ Moreover, we show that their scheme remains unforgeable under the $\SXDH$ assump
$\mathsf{crs}=\left(\{ z_i \}_{i=1}^{\ell+2},~ \hat{g}_z^{},~\{ \hat{g}_j \}_{j=1}^{2\ell+4} \right)$.
\bigskip
\item[]
The private key is $ \mathsf{sk}:=\omega $ and the public key is
The private key is $ \mathsf{sk}\coloneqq \omega $ and the public key is
\begin{align*}
\mathsf{pk}=\Bigl(
\mathsf{cp},~g,~h,~\hat{g}, ~\vec{v}%=(v_1,\ldots,v_\ell,w)
@ -508,8 +513,8 @@ clear), proving knowledge of a valid signature still requires proving a statem
\item[\textsf{Commit}] Given $({\sigma},\vec{m})$, conduct the following steps.
\end{description}
\begin{enumerate}
\item Commit to $d_1:=\hat{g}_2^{m_1}\cdots\hat{g}_{\ell+1}^{m_\ell}\cdot\hat{g}_{\ell+2}\in\hat{\GG}$
and $d_2:=\hat{g}_{\ell+3}^{m_1}\cdots\hat{g}_{2 \ell+2}^{m_\ell}\cdot\hat{g}_{2\ell+3}\in\hat{\GG}$.
\item Commit to $d_1\coloneqq \hat{g}_2^{m_1}\cdots\hat{g}_{\ell+1}^{m_\ell}\cdot\hat{g}_{\ell+2}\in\hat{\GG}$
and $d_2\coloneqq \hat{g}_{\ell+3}^{m_1}\cdots\hat{g}_{2 \ell+2}^{m_\ell}\cdot\hat{g}_{2\ell+3}\in\hat{\GG}$.
To this end, choose
$r_1,r_2\sample\U(\Zp)$ and compute $\hat{D}_1=d_1\cdot \hat{g}^{r_1}$ and $\hat{D}_2=d_2\cdot \hat{g}^{r_2}$.
@ -560,7 +565,7 @@ clear), proving knowledge of a valid signature still requires proving a statem
\item $\bar{m}_i= \rho\cdot m_i + u_i $, for $i=1$ to $\ell$, $\bar{r}_1= \rho \cdot r_1 +s_1 $,
and $\bar{r}_2= \rho\cdot r_2 +s_2 $;
\item $w_z= \rho\cdot t_z + v_z $ and $w_i= \rho\cdot t_i + v_i $, for $i=0$ to $3$;
\item $w_4= \rho\cdot t_4 + v_4 $, where $t_4:=t_0-t_1 \cdot r_1-t_2 \cdot r_2$;
\item $w_4= \rho\cdot t_4 + v_4 $, where $t_4\coloneqq t_0-t_1 \cdot r_1-t_2 \cdot r_2$;
\item $z_i= \rho\cdot x_i + y_i $ for each $i \in \{0,2,3,4\}$. \smallskip
\item[~~~Output] $\mathsf{resp}\in \GG\times \Zp^{\ell+12}$ as
\begin{align*}
@ -687,7 +692,7 @@ a constant additive overhead.
\cdot e(\Omega^{a_0},\hat{g})\cdot e(\Omega^{a_1},\hat{g}_1)\cdot e(\Omega^{a_2},\hat{D}_1)
\cdot e(\Omega^{a_z},\hat{g}_z)$, so that we can set $C_0=\Omega^{-a_0}$,
$C_1=\Omega^{a_1}$, $C_2=\Omega^{a_2}$ and $C_z=\Omega^{a_z}$.
Let $\hat{B}:=\hat{g}_{2\ell+4}\cdot\hat{g}^{a_0}\hat{g}_1^{a_1}\hat{D}_1^{a_2}\hat{g}_z^{a_z}$.
Let $\hat{B}\coloneqq \hat{g}_{2\ell+4}\cdot\hat{g}^{a_0}\hat{g}_1^{a_1}\hat{D}_1^{a_2}\hat{g}_z^{a_z}$.
Now, we can introduce the constant $g \in \GG$ in the equation by picking $a_g\gets\Zp$ since
$e(\Omega^{-1},\hat{B})=e(\Omega^{-1} \cdot g^{a_g},\hat{B})\cdot e(g,\hat{B}^{-a_g})$. Then, we finally set
$\hat{D}_0=\hat{B}^{a_g}$, $\hat{D}_2=\hat{B}^{a_3}$ and $C_3=(\Omega^{-1} \cdot g^{a_g})^{1/a_3}$ for a
@ -1282,7 +1287,7 @@ Algorithm $\bdv$ takes as input an SDL instance $(g,\hat{g},g^a,\hat{g}^a)$ an
To generate the group public key $\gspk$, $\bdv$ runs all the steps of the real setup algorithm $\textsf{Keygen}$ except step 1.
At step 1, $\bdv$ defines the generators $g,\hat{g}$ in $\pk_s$ to be those of its input and computes $h=g^{\alpha_h}$, $v=g^{\alpha_v}$, $w=g^{\alpha_w}$, $\hat{g}_z=\hat{g}^{\alpha_z}$ for randomly chosen scalars $\alpha_h,\alpha_v,\alpha_w,\alpha_z \sample \U(\Zp)$.
In order to compute $\{z_j\}_{j=1}^3$ of $\mathsf{crs}$ contained in $\pk_s$, $\bdv$ chooses $\mathsf{tk}=\{\chi_j\}_{j=1}^6$ of step 4 of the key generation algorithm of the signature scheme of Section \ref{scal-sig} with $\ell=1$. (Note that when $\ell=1$, $n=6$ and that $\{z_j\}_{j=1}^3$ are \QANIZK argument for the vectors $(g,1,1,1,1,h)$, $(v,g,1,h,1,1)$ and $(w,1,g,1,h,1)$. Moreover $\{\hat{g}_i=\hat{g}_z^{\chi_i}\}_{i=1}^6$ are the verifying key.)
As a result of this setup phase, $\bdv$ knows $\mathcal{S}_{\GM}=\sk_s=\omega$, $\mathcal{S}_{\OA}=\bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$ and even $\mathsf{tk}$. The adversary $\adv$ is run on input of the group public key $\gspk:=(\pk_s,(X_z,X_\sigma,X_{\ID}),H)$, which has the same distribution as in the real attack game. \medskip
As a result of this setup phase, $\bdv$ knows $\mathcal{S}_{\GM}=\sk_s=\omega$, $\mathcal{S}_{\OA}=\bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$ and even $\mathsf{tk}$. The adversary $\adv$ is run on input of the group public key $\gspk\coloneqq (\pk_s,(X_z,X_\sigma,X_{\ID}),H)$, which has the same distribution as in the real attack game. \medskip
\\
Should $\adv$ decide to corrupt the group manager or the opening authority during the game, $\bdv$ is able to reveal $\mathcal{S}_{\GM}=\sk_s$ and $\mathcal{S}_{\OA}$ when requested.
%At the outset of the game, $\bdv$ picks a random $j^\star \sample \{1,\ldots,q_b\}$ and interacts with $\adv$ as follows.
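Review bot: the paragraph break after the changed `\gspk\coloneqq` line is done with `\medskip` followed by a bare `\\` on its own line; stacking a vertical skip and a forced line break this way is brittle (a bare `\\` at the start of a paragraph raises "There's no line here to end") and a blank line plus `\medskip` achieves the intended spacing. On the unchanged context line, `Section \ref{scal-sig}` could also use `\cref{scal-sig}` so the "Section" prefix is generated automatically.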
@ -1307,7 +1312,7 @@ A straightforward calculation
$(V_i,Z_i,\hat{G}_{2,i},\hat{G}_{4,i})$ successfully passes the test of step 2.
As for the last two components, for each $j\in \{2,4\}$, $\bdv$ computes
\begin{eqnarray*}
\quad\hat{G}_{j,i} := (\hat{g}^a)^{\delta_i(\alpha_z\chi_j+\alpha_r\gamma_j)}
\quad\hat{G}_{j,i} \coloneqq (\hat{g}^a)^{\delta_i(\alpha_z\chi_j+\alpha_r\gamma_j)}
= (\hat{g}_z^{\chi_j}\hat{g}_r^{\gamma_j})^{\ID_i} = \hat{g}_j^{\ID_i},
\end{eqnarray*}
%where $g^a$ is a component of the discrete logarithm problem it is trying to solve.
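Review bot: the display surrounding the changed `\hat{G}_{j,i}` line uses `eqnarray*`, which is deprecated (inconsistent spacing around relation symbols) while the earlier hunk of this same commit uses `align*`; switching to `align*` here keeps the two displays typeset consistently. The `\quad` at the start of the display is then unnecessary as well. The commented-out `%where $g^a$ is a component ...` line can be dropped if it is no longer wanted.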
@ -1351,7 +1356,7 @@ with distinct challenges
$c^\dag\neq c^\star$. From the two responses $(s_\ID^\star, s_\theta^\star)$, $(s_\ID^\dagger, s_\theta^\dagger)$, $\bdv$ can extract witnesses
$(\theta^\star,\ID^\star)$ satisfying ${C}_\ID^\star=v^{\ID^\star}X_\ID^{\theta^\star}$ and
which identifies $V_i^\star=v^{\ID^\star}$. At this stage, $\bdv$ can compute and output the sought-after SDL solution
$a:=\ID^\star/\delta_i$ in $\Zp$.
$a\coloneqq \ID^\star/\delta_i$ in $\Zp$.
\\
This observation tells us that, if $\adv$ has advantage $\varepsilon$ as a framing adversary making $q_H$ random oracle queries, then $\bdv$ implies an algorithm solving the SDL problem with probability $\varepsilon (\varepsilon / q_H -1/p) $.
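Review bot: the dagger notation is mixed on one line of this hunk's context: the challenge is written `$c^\dag$` while the responses are written `$s_\ID^\dagger$`, `$s_\theta^\dagger$`; `\dag` and `\dagger` render identically in most fonts but not all, so pick one (e.g. `\dagger`) for the whole extraction argument. The bare `\\` separating the SDL-solution sentence from the closing probability statement is better expressed as a paragraph break, for the same reason as in the earlier hunk.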

View File

@ -2811,4 +2811,14 @@
publisher = {Springer},
}
@InProceedings{CHK04,
author = {Canetti, Ran and Halevi, Shai and Katz, Jonathan},
title = {{Chosen-Ciphertext Security from Identity-Based Encryption}},
booktitle = {Eurocrypt},
year = {2004},
series = {LNCS},
pages = {207--222},
publisher = {Springer},
}
@Comment{jabref-meta: databaseType:bibtex;}
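Review bot: the new `CHK04` entry gives `series = {LNCS}` and `pages = {207--222}` but no `volume` field, so the generated reference will cite the LNCS series without the volume number; add `volume = {...}` with the Eurocrypt 2004 proceedings volume (not visible in this patch). `booktitle = {Eurocrypt}` matches the abbreviated venue style of the neighbouring entries, and the double-braced title correctly protects the capitalisation.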