diff --git a/chap-GS-LWE.tex b/chap-GS-LWE.tex index f012e6e..1f9c6dc 100644 --- a/chap-GS-LWE.tex +++ b/chap-GS-LWE.tex @@ -1,6 +1,3 @@ \chapter{Lattice-Based Dynamic Group Signatures} \addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Signatures de groupe dynamique à base de réseaux euclidiens} \label{ch:gs-lwe} - -% TODO: remove -\clearpage diff --git a/chap-GS-background.tex b/chap-GS-background.tex index a55bffb..bd90491 100644 --- a/chap-GS-background.tex +++ b/chap-GS-background.tex 
@@ -11,20 +11,33 @@ This construction has been the first fully secure group signature scheme from la Before describing those scheme, let us recall in this Chapter the definition of a dynamic group signature and its related security definitions. -\section{State of the art of ZK proofs} \label{sse:gs-definitions} -\addcontentsline{tof}{section}{\protect\numberline{\thesection} Définition formelle et correction} +\section{Background} \label{sse:gs-background} +\addcontentsline{tof}{section}{\protect\numberline{\thesection} Historique} + +Dynamic group signatures are a solution to allow a user to authenticate a message on behalf of a set of users it belongs to (the \textit{group}) that can be publicly verified while remaining anonymous inside its group. +On the other hand, the user remains accountable for the signatures it provides as there exists an authority, the \textit{opening authority}, that can lift the anonymity of a given signature using its own secret key. +In the dynamic setting, a group signature scheme has a second authority: the \textit{group manager}, that allows a user to enroll the group after an interaction with it. +This primitive was introduced by Bellare, Micciancio and Warinschi~\cite{BMW03} in 2003 and was extended to dynamic groups by Bellare, Shi and Zhang ({BSZ}) in 2005~\cite{BSZ05}. +The \cite{BMW03}~model summarize the security of a group signature scheme in two notions: \textit{anonymity} and \textit{traceability}. +The former notions models the fact that without the opening authority's secret, even if everyone colludes, no one can trace back a user from a signature; the latter sum up the fact that even if everyone is corrupted (even the opening authority), it is impossible to forge a valid signature that does not open to a valid user. + +One application of this primitive can be to handle anonymous access control for public transportation systems. 
+In order to commute, a person should prove the possession of a valid subscription to the transportation service. +Thus, at registration to the service, the commuter joins the group of \emph{users with a valid subscription} and when it takes the transport, it is asked to sign the timestamp of its entry in the name of the group. +In case of misbehaviour, another entity --\,let say the police\,-- is able to lift the anonymity of the signatures logged by the reading machine. +Then, the public transportation company is unable to learn anything from seeing the signatures, except the validity of the subscription of a user, and on the other hand, the police does not have access to the logs except if the public transportation company hands them to it. + +Other applications of group signatures can be advocated as authentication of low-range communications for intelligent cars or anonymous access control of a building. +As we can see, most applications necessitate the use of \textit{dynamically growing} groups in order to be meaningful. + +Bootle, Cerulli, Chaidos, Ghadafi and Groth~\cite{BCC+16} rise the problem of revocation and proposed a model that handle the issues that arose from the introduction of revocation called ``\textit{fully-dynamic}'' group signatures, but as the main difficulty is to allow users to dynamically enroll to the group ---\,as revocation has been known to be implemented in a modular manner~\cite{LLNW14}\,--- we do not consider this approach. \section{Formal Definition and Correctness} \label{sse:gs-definitions} -\addcontentsline{tof}{section}{\protect\numberline{\thesection} Définition formelle et correction} +\addcontentsline{tof}{section}{\protect\numberline{\thesection} Définition formelle et correction} This section recalls the syntax and the security definitions of dynamic group signatures based on the model of Kiayias and Yung~\cite{KY06}. 
-A \emph{group signature} allows a group member to -attest that a message was provided by a member of a \emph{group} without being -altered during the process and preserving the \emph{anonymity} of the users. -This primitive was introduced by Bellare, Micciancio and Warinschi~\cite{BMW03} -in 2003 and was extended to dynamic groups by Bellare, Shi and Zhang -({BSZ}) in 2005~\cite{BSZ05}. +%A \emph{group signature} allows a group member to attest that a message was provided by a member of a \emph{group} without being altered during the process and preserving the \emph{anonymity} of the users. \begin{figure} 
@@ -155,20 +168,20 @@ provides $\join_{\user}$ with $\langle i,\scr_{i },\crt_{i } \rangle$. % \item If $[\join_{\user}(\lambda,\mathcal{Y}),\join_{\GM}(\lambda,St,\mathcal{Y},\mathcal{S}_{\GM})]$ - is run by two honest parties following the protocol and - $\langle i, \crt_{i }, \scr_{i } \rangle$ is obtained by $\join_{\user}$, then + is run by two honest parties following the protocol and + $\langle i, \crt_{i }, \scr_{i } \rangle$ is obtained by $\join_{\user}$, then we have $\crt_{i } \leftrightharpoons_{\mathcal{Y}} \scr_{i }$. % \item For each %revocation period $t$ and any $\langle i, \crt_{i }, \scr_{i } \rangle$ such that $\crt_{i } - \leftrightharpoons_{\mathcal{Y}} \scr_{i }$, satisfying condition 2, we have + \leftrightharpoons_{\mathcal{Y}} \scr_{i }$, satisfying condition 2, we have $ \mathsf{Verify}\big(\mathsf{Sign}(\mathcal{Y}, \crt_{i }, \scr_{i - },M),M,\mathcal{Y}\big)=1$. + },M),M,\mathcal{Y}\big)=1$. % - \item For any outcome $\langle i, \crt_{i }, \scr_{i } \rangle$ of $[\join_{\user}(.,. ),\join_{\GM}(.,St,.,. )]$ for some valid + \item For any outcome $\langle i, \crt_{i }, \scr_{i } \rangle$ of $[\join_{\user}(.,. ),\join_{\GM}(.,St,.,. )]$ for some valid $St$, if $\sigma =\mathsf{Sign}(\mathcal{Y},\crt_{i }, \scr_{i},M)$, then - $\mathsf{Open}(M,\sigma,\mathcal{S}_{\OA},\mathcal{Y},St')=i.$ + $\mathsf{Open}(M,\sigma,\mathcal{S}_{\OA},\mathcal{Y},St')=i.$ % \end{enumerate} % @@ -249,7 +262,7 @@ following oracles: certificate $\crt_{i }$ and a membership secret $\scr_{i }$. If no such elements $(\crt_i,\scr_i)$ exist or if $i \not\in U^b$, the interface returns $\bot$. Otherwise, it outputs a signature $\sigma$ on behalf of user - $i$ + $i$ and also sets $\mathsf{Sigs} \leftarrow \mathsf{Sigs} || (i,M,\sigma)$. % \item $Q_{\mathsf{open}}$: when this oracle is invoked on input of a valid 
@@ -272,7 +285,7 @@ following oracles: \end{itemize} -\noindent Based on the above syntax, the +\noindent Based on the above syntax, the security properties are formalized as follows. \subsection{Security Against Misidentification Attacks} @@ -300,7 +313,7 @@ security properties are formalized as follows. In a misidentification attack, the adversary can corrupt the opening authority using the $Q_{\mathsf{keyOA}}$ oracle and introduce -malicious users in the group via $Q_{\ajoin}$-queries. +malicious users in the group via $Q_{\ajoin}$-queries. It aims at producing a valid signature $\sigma^\star$ that does not open to any adversarially-controlled user. @@ -309,11 +322,11 @@ adversarially-controlled user. A dynamic group signature scheme is secure against \emph{misidentification attacks} if, for any $\ppt$ adversary $\adv$ involved in Experiment~$\Exp{\textrm{mis-id}}{\adv}(\lambda)$ described in Figure~\ref{exp:mis-id}, we have: - \[\advantage{\adv}{\mathrm{mis}\textrm{-}\mathrm{id}}(\lambda) \triangleq + \[\advantage{\adv}{\mathrm{mis}\textrm{-}\mathrm{id}}(\lambda) \triangleq \Proba{\,\Exp{\mathrm{mis}\textrm{-}\mathrm{id}}{\adv}(\lambda)=1} = \negl[\lambda].\] \end{definition} - + \subsection{Non-Frameability} @@ -334,7 +347,7 @@ adversarially-controlled user. \pcif i=\mathsf{Open}(M^\star,\sigma^\star,\mathcal{S}_{\OA}, \mathcal{Y},St') \not \in U^b \pcthen\\ \pcind \pcreturn 0\\ - \pcif + \pcif \bigwedge_{j \in U^b \textrm{ s.t. } j=i~} (j,M^\star,\ast) \not\in \mathsf{Sigs} \pcthen \\ \pcind \pcreturn 1\\ 
@@ -425,7 +438,7 @@ to query $Q_{\mathsf{open}}$ for $(M^\star,\sigma^\star)$. % A dynamic group signature scheme is fully anonymous if, for any $\ppt$ adversary $\adv$ -in the experiment~$\Exp{\mathrm{anon}}{\adv, d}(\lambda)$ described in Figure~\ref{exp:anon}, the following distance is negligible: +in the experiment~$\Exp{\mathrm{anon}}{\adv, d}(\lambda)$ described in Figure~\ref{exp:anon}, the following distance is negligible: \[\advantage{\adv}{\mathrm{anon}}\left( \lambda \right) \triangleq \left| \Proba{\,\Expt_{\adv, 1}^{\mathrm{anon}}(\lambda) = 1} -\Proba{\,\Expt_{\adv, 0}^{\mathrm{anon}}(\lambda) = 1} \right|\] diff --git a/chap-ZK.tex b/chap-ZK.tex index aaccdc7..2ce6be5 100644 --- a/chap-ZK.tex +++ b/chap-ZK.tex 
@@ -128,24 +128,24 @@ An example of commitment scheme that will prove useful in \cref{sse:stern} is th This construction relies on the following hash function: \begin{definition}[$\SIS$-based hash function] \label{de:sis-hash} Let $n,\ell,q \in \ZZ$ be parameters such that the $\SIS_{n,\ell,q, \sqrt \ell}$ assumption holds. - Let $\mathbf A \in \Zq^{n \times \ell}$, and let $f_{\mathbf A}: \bit^\ell \to \Zq^n$ be the function that maps its input string $x$ into a binary vector $\mathbf x \in \Zq^n$ and outputs $\mathbf A \mathbf x \bmod q \in \Zq^n$. + Let $\mathbf{A} \in \Zq^{n \times \ell}$, and let $f_{\mathbf{A}}: \bit^\ell \to \Zq^n$ be the function that maps its input string $x$ into a binary vector $\mathbf{x} \in \Zq^n$ and outputs $\mathbf{A} \mathbf{x} \bmod q \in \Zq^n$. - One can notice that $f_{\mathbf A}$ is indeed a collision resistant one-way function under the $\SIS$ assumption, as finding two inputs $x \neq \tilde{x}$ such that $\mathbf A \cdot \mathbf x = \mathbf A \cdot \tilde{\mathbf x} \bmod q$ leads to a non-zero vector $\mathbf x' =\mathbf x - \tilde{\mathbf x} \in \ZZ$ such that $\|\mathbf x'\|_2 \leq \sqrt \ell$. + One can notice that $f_{\mathbf{A}}$ is indeed a collision resistant one-way function under the $\SIS$ assumption, as finding two inputs $x \neq \tilde{x}$ such that $\mathbf{A} \cdot \mathbf{x} = \mathbf{A} \cdot \tilde{\mathbf{x}} \bmod q$ leads to a non-zero vector $\mathbf{x}' =\mathbf{x} - \tilde{\mathbf{x}} \in \ZZ$ such that $\|\mathbf{x}'\|_2 \leq \sqrt \ell$. - It is thus possible to apply the \textit{Merkle-Damg{\aa}rd construction}~\cite{Mer79,Mer89,Dam89} on $f_{\mathbf A}$ to obtain a \textit{collision resistant hash function} $h_{\mathbf A}: \bit^\star \to \Zq^n$ that is secure under $\SIS_{n,\ell, q, \sqrt \ell}$. 
+ It is thus possible to apply the \textit{Merkle-Damg{\aa}rd construction}~\cite{Mer79,Mer89,Dam89} on $f_{\mathbf{A}}$ to obtain a \textit{collision resistant hash function} $h_{\mathbf{A}}: \bit^\star \to \Zq^n$ that is secure under $\SIS_{n,\ell, q, \sqrt \ell}$. \end{definition} -It is then possible to use this hash function $h_{\mathbf A}$ to construct the following string commitment scheme. +It is then possible to use this hash function $h_{\mathbf{A}}$ to construct the following string commitment scheme. \begin{definition}[\SIS-based commitment scheme] \label{de:sis-commitment} Given parameters $n,m,q \in \ZZ$, let us define the following commitment scheme due to~\cite{KTX08}. \begin{description} - \item[\textsf{Setup}$(1^\lambda)$:] Pick two random matrices $\mathbf A_M, \mathbf A_\rho \in \U(\Zq^{n \times m})$ and define the public parameters as the matrix $\mathbf A = [ \mathbf A_M \mid \mathbf A_\rho]$. - \item[$\textsf{Commit}(\mathbf A, M; \rho)$:] To commit to a string $M \in \{0,1\}^\star$ under randomness $\rho \in \{0,1\}^{m}$, first parse $\mathbf A \in \Zq^{n \times 2m}$ as $[\mathbf A_M \mid \mathbf A_\rho]$ as in the \textsf{\textbf{Setup}} algorithm, - then compute $\com = h_{\mathbf A_M}(M) + f_{\mathbf A_\rho}(\rho) \in \Zq^n$, - where $h_{\mathbf A_M}$ and $f_{\mathbf A_\rho}$ are the hash function and the one-way collision resistant function defined in \cref{de:sis-hash}. + \item[\textsf{Setup}$(1^\lambda)$:] Pick two random matrices $\mathbf{A}_M, \mathbf{A}_\rho \in \U(\Zq^{n \times m})$ and define the public parameters as the matrix $\mathbf{A} = [ \mathbf{A}_M \mid \mathbf{A}_\rho]$. 
+ \item[$\textsf{Commit}(\mathbf{A}, M; \rho)$:] To commit to a string $M \in \{0,1\}^\star$ under randomness $\rho \in \{0,1\}^{m}$, first parse $\mathbf{A} \in \Zq^{n \times 2m}$ as $[\mathbf{A}_M \mid \mathbf{A}_\rho]$ as in the \textsf{\textbf{Setup}} algorithm, + then compute $\com = h_{\mathbf{A}_M}(M) + f_{\mathbf{A}_\rho}(\rho) \in \Zq^n$, + where $h_{\mathbf{A}_M}$ and $f_{\mathbf{A}_\rho}$ are the hash function and the one-way collision resistant function defined in \cref{de:sis-hash}. The opening corresponds to the randomness $\rho$ used in the computation. - \item[$\textsf{Verify}(\mathbf A, \com, \open, M)$:] First parse $\mathbf A$ as in the \textsf{\textbf{Setup}} algorithm. Then accept if and only if $\open \in \bit^m$ and $\com = h_{\mathbf A_M}(M) + f_{\mathbf A_\rho}(\rho)$. + \item[$\textsf{Verify}(\mathbf{A}, \com, \open, M)$:] First parse $\mathbf{A}$ as in the \textsf{\textbf{Setup}} algorithm. Then accept if and only if $\open \in \bit^m$ and $\com = h_{\mathbf{A}_M}(M) + f_{\mathbf{A}_\rho}(\rho)$. \end{description} \end{definition} 
@@ -231,29 +231,29 @@ In the protocol described in Figure~\ref{fig:schnorr-dlog}, the underlying commi Given its effiency, Schnorr's protocol is used along with Fiat-Shamir heuristic in the pairing-based group signature described in~\cref{ch:sigmasig}. This methodology has also been adapted in the ideal lattice-setting by Lyubashevsky~\cite{Lyu08, Lyu09} along with a technique called \textit{rejection sampling} in order to construct zero-knowledge proofs from ideal lattice assumptions and is described in Figure~\ref{fig:schnorr-lwe}. -In this description $D_y$ and $D_c$ are the distributions from which $\mathbf y_1, \mathbf y_2$ and $\mathbf c$ have to be sampled respectively, and $G$ describes the set of \textit{good} responses $\mathbf z_1, \mathbf z_2$ in order not to leak informations about $\mathbf s_1, \mathbf s_2$. -The part under square braces is called the \textit{rejection} phase, and ensure that the transmitted $\mathbf z_1, \mathbf z_2$ will not leak any information about $\mathbf s_1, \mathbf s_2$ to V. +In this description $D_y$ and $D_c$ are the distributions from which $\mathbf{y}_1, \mathbf{y}_2$ and $\mathbf{c}$ have to be sampled respectively, and $G$ describes the set of \textit{good} responses $\mathbf{z}_1, \mathbf{z}_2$ in order not to leak informations about $\mathbf{s}_1, \mathbf{s}_2$. +The part under square braces is called the \textit{rejection} phase, and ensure that the transmitted $\mathbf{z}_1, \mathbf{z}_2$ will not leak any information about $\mathbf{s}_1, \mathbf{s}_2$ to V. This part induced a noticeable error-rate where the prover aborts the proof. As the protocol is proven \textit{witness indistinguishable}~\cite{Lyu09}, one can run the protocol multiple times in parallel and hope that one of them will not abort~\cite{FS90}. \begin{figure} - \textbf{Common input:} A public element $\mathbf a \in R$ where $R = \ZZ_p[\mathbf x]/\langle \mathbf x^n + 1 \rangle$. 
+ \textbf{Common input:} A public element $\mathbf{a} \in R$ where $R = \ZZ_p[\mathbf{x}]/\langle \mathbf{x}^n + 1 \rangle$. \bigskip \centering \procedure{Schnorr's Protocol for Ring-SIS}{% - P(\mathbf t = \mathbf a \cdot \mathbf s_1 + \mathbf s_2, (\mathbf s_1, \mathbf s_2)) \> \> V(\mathbf t) \\ - \mathbf y_1, \mathbf y_2 \sample D_y \in R \> \> \\ - \mathbf w = \mathbf a \cdot \mathbf y_1 + \mathbf y_2 \in R \\ - \> \sendmessageright*{\mathbf w} \> \\ - \> \> \mathbf c \sample D_c \in R \mbox{ (small)} \\ - \> \sendmessageleft*{\mathbf c} \> \\ - \mathbf z_1 \gets \mathbf s_1 \mathbf c + \mathbf y_1 \in R\\ - \mathbf z_2 \gets \mathbf s_2 \mathbf c + \mathbf y_2 \in R\\{} - [\pcif \mathbf z_1, \mathbf z_2 \notin G^2 \pcthen\\ - \pcind \mathbf z_1, \mathbf z_2 \gets \bot, \bot ]\\ - \> \sendmessageright*{\mathbf z_1, \mathbf z_2} \> \\ - \> \> \pcif \mathbf z_1 \in G \wedge \mathbf z_2 \in G \wedge\\ - \>\> \pcind \mathbf a \cdot \mathbf z_1 + \mathbf z_2 = \mathbf t \mathbf c + \mathbf w \pcthen\\ + P(\mathbf{t} = \mathbf{a} \cdot \mathbf{s}_1 + \mathbf{s}_2, (\mathbf{s}_1, \mathbf{s}_2)) \> \> V(\mathbf{t}) \\ + \mathbf{y}_1, \mathbf{y}_2 \sample D_y \in R \> \> \\ + \mathbf{w} = \mathbf{a} \cdot \mathbf{y}_1 + \mathbf{y}_2 \in R \\ + \> \sendmessageright*{\mathbf{w}} \> \\ + \> \> \mathbf{c} \sample D_c \in R \mbox{ (small)} \\ + \> \sendmessageleft*{\mathbf{c}} \> \\ + \mathbf{z}_1 \gets \mathbf{s}_1 \mathbf{c} + \mathbf{y}_1 \in R\\ + \mathbf{z}_2 \gets \mathbf{s}_2 \mathbf{c} + \mathbf{y}_2 \in R\\{} + [\pcif \mathbf{z}_1, \mathbf{z}_2 \notin G^2 \pcthen\\ + \pcind \mathbf{z}_1, \mathbf{z}_2 \gets \bot, \bot ]\\ + \> \sendmessageright*{\mathbf{z}_1, \mathbf{z}_2} \> \\ + \> \> \pcif \mathbf{z}_1 \in G \wedge \mathbf{z}_2 \in G \wedge\\ + \>\> \pcind \mathbf{a} \cdot \mathbf{z}_1 + \mathbf{z}_2 = \mathbf{t} \mathbf{c} + \mathbf{w} \pcthen\\ \>\> \pcind \pcreturn 1\\ \>\> \pcelse \\ \>\> \pcind \pcreturn 0 
diff --git a/chap-proofs.tex b/chap-proofs.tex index 9201299..5536f00 100644 --- a/chap-proofs.tex +++ b/chap-proofs.tex @@ -233,7 +233,7 @@ Two examples of security game are given in Figure~\ref{fig:sec-game-examples}: t \caption{Some security games examples} \label{fig:sec-game-examples} \end{figure} -\index{Reduction!Advantage} +\index{Reduction!Advantage} \index{Encryption!IND-CPA} The \indcpa{} game is an \emph{indistinguishability} game. Meaning that the goal for the adversary $\mathcal A$ against this game is to distinguish between two messages from different distributions. To model this, for any adversary $\adv$, we define a notion of \emph{advantage} for the $\indcpa$ game as \[ @@ -255,6 +255,7 @@ The goal of the adversary is not to distinguish between two distributions, but t Those signature queries are provided by an oracle \oracle{sign}{sk,\cdot}, which on input $m$ returns the signature $\sigma = \Sigma.\mathsf{sign}(sk, m)$ and add $\sigma$ to $\ensemble{sign}$. The initialization of these sets and the behaviour of oracle may be omitted in the rest of this thesis for the sake of readability. +\index{Signatures!EU-CMA} For EU-CMA, the advantage of an adversary $\adv$ is defined as \[ \advantage{\textrm{EU-CMA}}{\adv}(\lambda) diff --git a/chap-publications.tex b/chap-publications.tex index f60b84f..a94a5ab 100644 --- a/chap-publications.tex +++ b/chap-publications.tex @@ -1,4 +1,4 @@ -\chapter*{List of Publications} +\chapter*[Publication List]{List of Publications} \addcontentsline{toc}{chapter}{List of publications} \addcontentsline{tof}{chapter}{Liste des publications} @@ -30,4 +30,3 @@ Available at \url{https://hal.inria.fr/hal-01622197v1/}.\\ \doi{10.1007/978-3-319-70694-8_19}. \end{description} - diff --git a/chap-sigmasig.tex b/chap-sigmasig.tex index 8fe6b47..141625b 100644 --- a/chap-sigmasig.tex +++ b/chap-sigmasig.tex 
@@ -2,5 +2,451 @@ \addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Signatures de groupe dynamique à base de couplages} \label{ch:sigmasig} -This section present the result of~\cite{LMPY16} + +%----------------------------------------------------------------------- +\section{Building blocks} + +We use bilinear maps $e:\GG \times \Gh \to \GT$ over +groups of prime order $p$ and we rely on the assumed security of the \SDL and \SXDH problems defined in \cref{se:pairings}. All these definitions are recalled below. + +\defPairings* + +\defSXDH* + +\defSDL* + +\addcontentsline{tof}{section}{\protect\numberline{\thechapter} Briques de base} +\subsection{Quasi-Adaptive NIZK Arguments for Linear Subspaces} \label{sse:sigmasig-qa-nizk} +\addcontentsline{tof}{section}{\protect\numberline{\thechapter} Argument NIZK quasi-adaptatif pour un sous-espace linéaire} + +Quasi-Adaptive NIZK (QA-NIZK) proofs \cite{JR13} are NIZK proofs where the common reference string (CRS) +may depend on the language for which proofs have to be generated. +Formal definitions are given in \cite{JR13,LPJY14,KW15}. %Appendix~\ref{QA-NIZK}. + +This section recalls the QA-NIZK argument of \cite{KW15} for proving membership in the row space of a matrix. +In the description below, we assume that all +algorithms take as input the description of common public parameters $\mathsf{cp}$ consisting of asymmetric +bilinear groups $(\GG,\Gh,\GG_T,p)$ of prime order $p>2^\lambda$, where $\lambda$ is the security parameter. +In this setting the problem is to convince that $\boldsymbol v$ is a linear combination of the rows of a given +$\mathbf{M}\in\GG^{t\times n}$. + +Kiltz and Wee \cite{KW15} suggested the following construction which simplifies \cite{LPJY14} and remains secure under \SXDH. +We stress that $\mathsf{cp}$ is independent of the matrix $\mathbf{M} = (\vec{M}_1\cdots\vec{M}_t)^T$. 
+ +\begin{description} +\item[\boldmath$\mathsf{Keygen}(\mathsf{cp},\mathbf{M})$:] + Given public parameters $\mathsf{cp}=(\GG,\Gh,\GG_T,p)$ and the matrix $\mathbf{M}=(M_{i,j})\in\GG^{t\times n}$. + Then, choose $\hat{g_z} \sample \Gh$. Pick $\mathsf{tk}=(\chi_1,\ldots,\chi_n) \sample \Zp^n$ + and compute $\hat{g}_j=\hat{g_z}^{\chi_j}$, for all $j=1$ to $n$. + Then, for $i=1$ to $t$, compute $z_i=\prod_{j=1}^n M_{i,j}^{-\chi_j}$ and + output $\mathsf{crs}=\big(\{ z_i \}_{i=1}^t,~ \hat{g}_z,~\{ \hat{g}_j \}_{j=1}^n \big) + \in \GG^t\times\Gh^{n+1}$. + +\item[\boldmath$\mathsf{Prove}(\mathsf{crs}, {\boldsymbol v}, \{\omega_i\}_{i=1}^t)$:] + To prove that ${\boldsymbol v}=\vec{M}_1^{\omega_1}\cdots\vec{M}_t^{\omega_t}$, + for some witness $\omega_1,\ldots,\omega_t \in \Zp$, + where $\vec{M}_i$ denotes the $i$-th row of $\mathbf{M}$, + parse $\mathsf{crs}$ as above + and return $\pi=\prod_{i=1}^t z_{i}^{\omega_i}$. + +\item[\boldmath$\mathsf{Sim}(\mathsf{tk}, {\boldsymbol v})$:] + In order to simulate a proof for a vector ${\boldsymbol v} \in \GG^n$ using $\mathsf{tk}= \{ \chi_i \}_{i=1}^n $, + output $\pi = \prod_{j=1}^n v_j^{-\chi_j} $. + +\item[\boldmath$\mathsf{Verify}(\mathsf{crs}, {\boldsymbol v}, \pi)$:] + Given $\pi \in \GG$ and ${\boldsymbol v}=(v_1,\dotsc,v_n)$, + return $1$ if and only if $(v_1,\dotsc,v_n)\neq (1_{\GG},\dotsc,1_{\GG})$ and $\pi$ satisfies + $ 1_{\GG_T} = e(\pi,\hat{g_z}) \cdot \prod_{j=1}^n e(v_j,\hat{g}_j) . $ +\end{description} + +The proof of the soundness of this QA-NIZK argument system requires the matrix $\mathbf{M}$ to be witness-samplable. +This means that the reduction has to know the discrete logarithms of the group elements of $\mathbf{M}$. +This requirement is compatible with our security proofs. + +\section{A Randomizable Signature on Multi-Block Messages} \label{scal-sig} + +In \cite{LPY15}, Libert \textit{et al.} described an F-unforgeable signature based on the SXDH assumption. 
We show that their scheme + implies an efficient ordinary digital signature which makes it possible to efficiently sign multi-block messages in $\Zp^{\ell}$ while keeping the scheme +compatible with efficient protocols. In order to keep the signature length independent of the number of blocks, we exploit the property that the underlying QA-NIZK argument \cite{KW15} has constant size, regardless of the dimensions of the considered linear subspace. +Moreover, we show that their scheme remains unforgeable under the SXDH assumption. + +\begin{description} +\item[\textsf{Keygen}$(\lambda,\ell):$] Choose bilinear groups $\mathsf{cp}=(\GG,\Gh,\GT,p)$ + of prime order $p>2^{\lambda}$ with $g \sample \GG$, $\hat{g} \sample \Gh$. +\end{description} +\begin{enumerate} +\item Choose $\omega,a \sample \Zp$, + and set $h=g^a$, + $\Omega=h^{\omega}$. +\item Choose $\vec{v}=(v_1,\ldots,v_\ell,w) \sample \GG^{\ell+1}$. +\item Define a matrix $\mathbf{{M}}=(M_{j,i})_{j,i} \in {\GG}^{ (\ell+2) \times (2\ell+4) }$ + \begin{equation}\label{matrix-scal-sig} + \mathbf{{M}} = %\big({M}_{i,j} \big)_{i,j} = + \setlength{\arraycolsep}{0.3em}\def\arraystretch{1.3} + \left(\begin{array}{c|c|c|c} + g & \mathbf{1}_{{}_{\ell+1}} & \mathbf{1}_{{}_{\ell+1}} & h \\ \hline + \vec{v}^\top & g^{\mathbf{I_{\ell+1}}} & h^{\mathbf{I_{\ell+1}}} + & \mathbf{1}_{{}_{\ell+1}}^\top + \end{array}\right) , + \end{equation} + where $\mathbf{1}_{{}_{\ell+1}}=(1_{\GG},\ldots,1_{\GG})\in\GG^{\ell+1}$. +\item Run $\mathsf{Keygen}(\mathsf{cp},M)$ of the QA-NIZK argument of Section~\ref{sse:sigmasig-qa-nizk} + to get $\mathsf{crs}=(\{ z_i \}_{i=1}^{\ell+2},~ \hat{g}_z,~\{ \hat{g}_j \}_{j=1}^{2\ell+4} )$. + \bigskip +\item[] +The private key is $ \mathsf{sk}:=\omega $ and the public key is +\begin{align*} + \mathsf{pk}=\Bigl( + \mathsf{cp},~g,~h,~\hat{g}, ~\vec{v}%=(v_1,\ldots,v_\ell,w) + ,~\Omega=h^\omega,~\mathsf{crs} + \Bigr). 
+\end{align*} +\end{enumerate} + +\begin{description} +\item[\textsf{Sign}$(\mathsf{sk},\vec{m}=(m_1,\ldots,m_\ell)):$] given +the private key $\mathsf{sk}=\omega$ and a message +$\vec{m}\in \Zp^\ell$, choose $s \sample \Zp$ to compute +\begin{align*} + \sigma_1 & + = g^\omega\cdot (v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot w)^{s}, & + \sigma_2 & = g^{s}, & \sigma_3 & = h^{s} . +\end{align*} +Then, run $\mathsf{Prove}$ of the QA-NIZK argument to prove that +the following vector of $\GG^{2\ell+4}$ +\begin{align} \label{eq:vector} + (\sigma_1,\sigma_2^{m_1},\ldots,\sigma_2^{m_\ell},\sigma_2, + \sigma_3^{m_1},\ldots,\sigma_3^{m_\ell},\sigma_3,\Omega) +\end{align} +is in the row space of $\mathbf{M}$. This QA-NIZK proof $\pi\in\GG$ consists of $\pi = z_1^\omega \cdot (z_2^{m_1}\cdots z_{\ell+1}^{m_\ell} \cdot + z_{\ell+2})^{s}.$ + +Return the signature $\sigma=\big(\sigma_1,\sigma_2,\sigma_3, \pi \big)\in\GG^{4}$. + +\item[\textsf{Verify}$(\mathsf{pk},\sigma,\vec{m}):$] + parse $\sigma$ as above and $\vec{m}$ as a tuple $(m_1,\ldots,m_\ell)$ in $\Zp^\ell$ and return $1$ + if and only if + \begin{align} \label{sig-ver-1} + e(\Omega,\hat{g}_{2\ell+4})^{-1} = + &~ e(\pi,\hat{g}_z) \cdot e(\sigma_1,\hat{g_1}) \\ \nonumber + &~ \cdot e(\sigma_2,\hat{g}_{2}^{m_1}\cdots\hat{g}_{\ell+1}^{m_\ell} \cdot \hat{g}_{\ell+2} ) \\ \nonumber + &~~~ \cdot e(\sigma_3,\hat{g}_{\ell+3}^{m_1}\cdots\hat{g}_{2\ell+2}^{m_\ell} \cdot \hat{g}_{2\ell+3}) . + \end{align} + +\end{description} + +The signature on $\ell$ scalars thus only consists of 4 elements in $\GG$ +while the verification equation only involves a computation of 5 pairings. + +\begin{theorem} \label{th:eu-cma-1} +The above signature scheme is existentially unforgeable under chosen-message attacks (\textsf{eu-cma}) if the SXDH assumption holds in $(\GG, \Gh, \GG_T)$. +\end{theorem} + +\begin{proof} + We will proceed as in~\cite{LPY15} to prove that the scheme of + section~\ref{scal-sig} is secure under chosen-message attacks. 
Namely we will consider a sequence of hybrid games involving two + kinds of signatures. \vspace{-0.1 cm} + + \begin{description} + \item[Type A signatures:] These are real signatures: + \begin{equation} \label{eq:rel-sig-A} + \begin{aligned} + \sigma_1 &= g^\omega \cdot ( v_1^{m_1} \cdots v_\ell^{m_\ell} \cdot w)^s, & + \sigma_2 &= g^s, \\ + \pi &= z_1^\omega \cdot (z_2^{m_1}\cdots z_{\ell+1}^{m_\ell} \cdot + z_{\ell+2})^{s} ,& + \sigma_3 &= h^s. + \end{aligned} + \end{equation} + Since $(\sigma_1,\sigma_2^{m_1},\ldots,\sigma_2^{m_\ell},\sigma_2, \sigma_3^{m_1},\ldots,\sigma_3^{m_\ell},\sigma_3,\Omega)$ + is in the row space of $\mathbf{M}$, the QA-NIZK proof $\pi$ has the same distribution as if it were computed as + \begin{equation} + \label{eq:rel-sim-A} + \begin{aligned} + \pi &= \sigma_1^{-\chi_1} \cdot \left( \prod_{i=2}^{\ell+1} \sigma_2^{-\chi_i m_{i-1}} \right) \cdot \sigma_2^{-\chi_{\ell + 2}} \cdot \quad \\ \quad & + \left( \prod_{i=\ell + 3}^{2 \ell + 2} \sigma_3^{-\chi_i m_{i - \ell - 2}} \right) \cdot + \sigma_3^{-\chi_{2\ell+3}} \cdot \Omega^{-\chi_{2 \ell + 4}} . + \end{aligned} + \end{equation} + \end{description} \smallskip + + \noindent We also define \textbf{Type $\mathbf{A'}$} signatures as a generalization of + Type A signatures where only condition~\eqref{eq:rel-sig-A} are imposed and no + restriction is given on $\pi$ beyond the fact that it should be a valid + homomorphic signature on vector~\eqref{eq:vector}. + \smallskip + + \begin{description} + \item[Type B signatures:] These use a random value $\omega' \in_R \Zp$ instead of the secret key $\omega$. 
We pick random $\omega', s, s_1 \sample \Zp$ and + compute: + \begin{equation*} + \begin{gathered} + (\sigma_1,\sigma_2,\sigma_3) =( g^{\omega'} \cdot ( v_1^{m_1} \cdots v_\ell^{m_\ell} \cdot w)^s, ~ g^s, ~ h^{s+s_1}), + \end{gathered} + \label{eq:rel-sig-B} + \end{equation*} + The QA-NIZK proof $\pi$ is + computed as in \eqref{eq:rel-sim-A} by using $\mathsf{tk}=\{\chi_i \}_{i=1}^{2\ell+4}$. Note that Type B signatures can be generated without using $\omega \in \Zp$. + \end{description} + \smallskip + + + We consider a sequence of games. + In Game $i$, $S_i$ denotes the event that $\adv$ + produces a valid signature $\sigma^\star$ on $M^\star$ such that + $(M^\star, \sigma^\star)$ was not queried before, and by $E_i$ the event that + $\adv$ produces a Type $\mathrm{A}'$ signature. + + \begin{description} + \item[Game 0:] This is the real game. The challenger $\bdv$ produces + a key pair $(\mathsf{sk}, \mathsf{pk})$ and sends $\mathsf{pk}$ to $\adv$. Then $\adv$ + makes $Q$ signature queries: $\adv$ sends messages $M_i$ to $\bdv$, and $\bdv$ + answers by sending $\sigma_i = \Sign(\mathsf{sk}, M_i)$ to $\adv$. Finally $\adv$ + sends a pair $(M^\star, \sigma^\star) \notin \{ (M_i, \sigma_i) \}_{i=1}^Q$ + and wins if $\Verify(\mathsf{pk}, \sigma^\star, M^\star) = 1$. + + \item[Game 1:] We change the way $\bdv$ answers signing queries. + The QA-NIZK proofs $\pi$ are then computed as simulated QA-NIZK proofs + using $\mathsf{tk}$ + as in~\eqref{eq:rel-sim-A}. These QA-NIZK proofs are thus simulated + proofs for true statements, and then their distribution remains unchanged. + We have $\Pr[S_1] = \Pr[S_1 \wedge E_1] + \Pr[S_1 \wedge + \neg E_1]$. + Lemma~\ref{le:type-a-sig} states + that the event $S_1 \wedge + \neg E_1$ happens with all but negligible probability: $\Pr[S_1 \wedge + \neg E_1] \leq \advantage{\DDH}{\Gh}(\lambda) - 1/p$. Thus our task is now + to upper-bound the probability $\Pr[S_1 \wedge E_1]$. 
+ + \item[Game 2.$\boldsymbol{k~(0 \leq k \leq Q)}$:] In Game $2.k$, the + challenger returns a Type B signature for the first $k$ queries. At the + last $Q - k$ signature queries, the challenger answers a type $A$ + signature. \cref{le:type-b-sig} ensures that + \[\left| \Pr\Bigl[S_{2.k} \wedge E_{2.k}\Bigr] - \Pr\Bigl[S_{2.(k-1)} \wedge E_{2.(k-1)}\Bigr] \right|\] + is smaller than $\advantage{\DDH}{\GG}(\lambda) + 1/p$. + \end{description} + + In Game $2.Q$, we know that if SXDH holds, $\adv$ can only output a type $\mathrm{A}'$ + forgery even if it only obtains type B signatures during the game. + Nevertheless, lemma~\ref{le:final-forgery} shows + that a type $\mathrm{A}'$ forgery in Game + $2.Q$ contradicts the DDH assumptions in $\GG$. Therefore we have + $\Pr[S_{2.Q} \wedge E_{2.Q}] \leq \advantage{\DDH}{\GG}(\lambda)$. Putting the above altogether, the probability $\Pr[S_0]$ is upper-bounded by + \begin{multline*} + \advantage{\DDH}{\Gh}(\lambda) + \frac{1}{p} + Q \left( \advantage{\DDH}{\GG}(\lambda) + \frac{1}{p} \right) + \advantage{\DDH}{\GG}(\lambda) \\ + < (Q + 2) \cdot \left( \advantage{\mathrm{SXDH}{\GG, \Gh}}(\lambda) + \frac{1}{p} \right). + \end{multline*} +\end{proof} + + + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +\begin{lemma} \label{le:type-a-sig} + In \textbf{Game 1}, if the DDH assumption holds in $\Gh$, $\adv$ can only output a type $A'$ + forgery. +\end{lemma} + +\begin{proof} + Let $\adv$ be an attacker that does not + output a type $\mathrm{A}'$ forgery. We will build an attacker $\bdv$ against the soundness of the + Quasi-Adaptive NIZK (QA-NIZK) scheme, which security is implied from the double-pairing + problem that reduces from DDH as explained in~\cite{LPJY13}. 
+ Let us define the vector $\ssigma \in \GG^{2\ell+4}$ as + \[ + \ssigma \triangleq (\sigma_1^\star, \sigma_2^{\star m_1}, \ldots, \sigma_2^{\star m_\ell}, \sigma_2^\star, \sigma_3^{\star m_1}, \ldots, \sigma_3^{\star m_\ell}, \sigma_3^\star, \Omega) + \in \GG^{2\ell + 4}. + \] + If $(M^\star, \sigma^\star)$ is not a type $\mathrm{A}'$ forgery, $\ssigma$ is then not in the row + space of $\mathbf{M}$. + + Our reduction $\bdv$ receives as input $\mathsf{cp}=(\GG,\hat\GG,\GG_T,p)$, a matrix ${\mathbf{M}}$ as in + (\ref{matrix-scal-sig}) and a common + reference string $\mathsf{crs}$ (depending on the matrix) for an instance of the + QA-NIZK scheme allowing to prove that vectors of dimension $2\ell + 4$ are in the row space of ${\mathbf{M}}$. + The generation of the matrix ${\mathbf{M}}$ fixes $g$, $h$ and $\vec{v}=(v_1,\ldots,v_\ell,w)\in\GG^{\ell+1}$. + After that, $\bdv$ picks $\omega \sample Z_p$ and $\hat g \sample \Gh$, and set $\Omega = h^\omega$. + Then, the reduction $\bdv$ sends to $\adv$ $\mathsf{cp}$ and the verification key: + \begin{align*} + \mathsf{pk} = \bigl( g,h,\hat g, \vec{v}, \omega,\mathsf{crs} \bigr). + \end{align*} + + Since $\bdv$ knows the secret key $\omega \in \Zp$, it can answer all signing queries by honestly + running the $\Sign$ algorithm, in particular, it does not need to know $\mathsf{tk}$ to do this. + + When $\adv$ halts, it outputs $(M^\star, \sigma^\star)$ where $\sigma^\star$ is not a Type $\mathrm{A}'$ forgery, so that $\ssigma$ is not in the row space of $\mathbf{M}$. + Therefore, outputting $\pi^\star$ constitutes a valid proof against the soundness property of the + scheme, and thus implies an algorithm against DDH as in~\cite{KW15} since the matrix can be + witness-samplable. 
+\end{proof} + +\begin{lemma} \label{le:type-b-sig} +If DDH holds in $\GG$, for each $k \in + \{1,\ldots, Q \}$, $\adv$ produces a type $A'$ forgery with negligibly different probabilities in \textbf{Game $\boldsymbol{2.k}$} and \textbf{Game $\boldsymbol{2.(k-1)}$}. +\end{lemma} +% +\begin{proof} + Let us assume there exists an index $k \in \{1, \ldots, Q\}$ and an adversary $\adv$ that outputs a + Type $\mathrm{A}'$ forgery with smaller probability in Game $2.k$ than in Game + $2.(k-1)$. We build a DDH distinguisher $\bdv$. \medskip + \\ + Algorithm $\bdv$ takes in $(g^a, g^b, \eta) \in \GG^3$, where $\eta = + g^{a(b+c)}$, and decides if $c=0$ or $c \in_R \Zp$. To do this, $\bdv$ sets $h = g^a$. It + picks $\omega, a_{v_1}, b_{v_1}, \ldots, a_{v_\ell}, b_{v_\ell}, a_{w}, b_{w} \sample \Zp$ + and sets $\Omega = h^\omega$ as well as: + \[ \forall i \in \{1,\dots, \ell \}:~~ v_i = g^{a_{v_i}} \cdot h^{b_{v_i}}, \quad w = g^{a_w} \cdot h^{b_w}. \] + % in order to have the discrete logs of $v_i$ and $w$. \medskip + % \\ + + The reduction $\bdv$ also chooses $\mathsf{tk} = \{ \chi_i \}_{i=1}^{2\ell + 4}$ and + computes $\mathsf{crs} = ( \{z_j\}_{j=1}^{2\ell+4}, \hat g_z, \{ \hat g_i \}_{i=1}^{2\ell + 4})$ + as in steps 3-4 of \textsf{Keygen}. It then outputs $\mathsf{pk}=(g,h,\hat g, \vec{v}, \omega,\mathsf{crs})$. + \smallskip + + Then, queries are answered depending on their index~$j$:\\ + \textbf{Case $\boldsymbol{j < k}$:} $\bdv$ computes a Type B signature, $\sigma = (\sigma_1, \sigma_2, + \sigma_3, \pi)$, using $\mathsf{tk}=\{ \chi_i \}_{i=1}^{2\ell + 4}$ with the QA-NIZK simulator + to computes $\pi$. + + \noindent\textbf{Case $\boldsymbol{j > k}$:} The last $Q - k - 1$ signing queries are computed as + Type A signatures, which $\bdv$ is able to generate using the secret key $\omega \in \Zp$ he knows + and $\mathsf{crs}$ or $\mathsf{tk}=\{ \chi_i \}_{i=1}^{2\ell + 4}$ to produces valid proofs. 
+ + \noindent\textbf{Case $\boldsymbol{j = k}$:} In the $k$-th signing query $(m_1,\dots,m_\ell)$, $\bdv$ + embeds the DDH instance in the signature and simulates either Game $2.k$ or Game $2.(k-1)$ + depending on whether $\eta = g^{ab}$ or $\eta = g^{a(b+c)}$ for some $c \in_R \Zp$. Namely, $\bdv$ computes $\sigma_2 = g^b$, $\sigma_3 = \eta$, + and + $ \sigma_1 = g^\omega \sigma_2^{a_w + \sum_{i=1}^\ell a_{v_i} m_i} \sigma_3^{b_w + \sum_{i=1}^\ell b_{v_i} m_i}. $ + Then $\bdv$ simulates QA-NIZK proofs $\pi$ as recalled in \eqref{eq:rel-sim-A}, and sends $\sigma = (\sigma_1, \sigma_2, \sigma_3, \pi)$ to $\adv$. + \smallskip + + If $\eta = g^{ab}$, the $k$-th signature $\sigma$ is + a Type A signature with $s=b$. If $\eta = g^{a(b+c)}$ for some $c + \in_R \Zp$, we have: + \begin{align*} + \sigma_1 & = g^\omega g^{ac\cdot(b_w + \sum_{i=1}^\ell b_{v_i} m_i)} (v_1^{m_1} \cdots v_\ell^{m_\ell} w)^b\\ + & = g^{\omega'} (v_1^{m_1} \cdots v_\ell^{m_\ell} w)^b \\ + \sigma_2 &= g^b, \qquad \qquad \qquad \qquad \qquad + \sigma_3 = h^{b+c} + \end{align*} + Where $\omega' = \omega + ac\cdot(b_w + \sum_{i=1}^\ell b_{v_i} m_i)$. Since the term $b_w + + \sum_{i=1}^\ell b_{v_i}m_i$ is uniform and independent of $\adv$'s view, $\sigma$ is + distributed as a Type B signature if $\eta = g^{a(b+c)}$. + + When $\adv$ terminates, it outputs a couple $(m_1^\star\cdots m_\ell^\star, \sigma^\star)$ that has not been queried + during the signing queries. Now the reduction $\bdv$ has to determine whether $\sigma^\star$ is a + Type $\mathrm{A}'$ forgery or not. To this end, it tests if the equality: + \begin{equation} \label{eq:verif-proof} + \sigma_1^\star = g^\omega \sigma_2^{\star a_w + \sum_{i=1}^\ell a_{v_i} m_i^\star} \sigma_3^{\star b_w + \sum_{i=1}^\ell b_{v_i} m_i^\star} + \end{equation} + is satisfied. If it is, $\bdv$ outputs $1$ to indicate that $\eta = g^{ab}$. Otherwise it outputs + $0$ and rather bets that $\eta \in_R \GG$. 
+ + To see why this test allows recognizing Type $\mathrm{A}'$ forgeries, + we remark that $\sigma^\star$ is of the form: + \begin{align*} + \sigma^\star_2 & = g^s , & + \sigma^\star_3 & = h^{s + s_1} , & + \sigma^\star_1 & = g^{\omega + s_0} (v_1^{m^\star_1} \cdots v_\ell^{m^\star_\ell} w)^s , + \end{align*} + and the goal of $\bdv$ is to decide whether $(s_0, s_1) = (0, 0)$ or not. We notice that + $s_0 = a\cdot s_1 \cdot (b_w + \sum_{i=1}^\ell b_{v_i} \cdot m_i^\star)$ if the forgery fulfills + relation~\eqref{eq:verif-proof} and we show this to only happen with probability $1/p$ for any $s_1\neq 0$ + meaning that Type $\mathrm{B}$ forgery passes the test with the same probability. + + %\noindent And the goal of $\bdv$ is to decide if $(s_0, s_1) = (0, 0)$ or not. We notice that if + %$s_0 \neq 0$ and $s_1 = 0$, then the relation~\eqref{eq:verif-proof} cannot be satisfied. We then + %have the case $s_1 \neq 0$ left which implies that $s_0 = a\cdot s_1 \cdot (b_w + \sum_{i=1}^\ell + %b_{v_i} \cdot m_i^\star)$ to satisfy~\eqref{eq:verif-proof}, which can only happen with + %probability $1/p$. 
+ + From the entire game, and assuming a forgery which passes the test, we have the following linear system: + %On the other hand, the information that $\adv$ can infer about + %$(a_{v_1},\ldots, a_{v_\ell}, a_w, b_{v_1}, \ldots, b_{v_\ell}, b_w) \in \Zp^{2 \ell + 2}$ + %during the game amounts to the first + %$\ell + 2$ rows of the right-hand-side member in the following linear system: + \[ + \left( + \bgroup + \def\arraystretch{1.5} + \begin{array}{c|c} + \mathbf{I}_{\ell+1} & a \cdot \mathbf{I}_{\ell + 1}\\ \hline + \boldsymbol{0}_{\ell + 1}^{\top} & ac \cdot( m_1 | \cdots | m_\ell | 1) \\ \hline + \boldsymbol{0}_{\ell + 1}^{\top} & a s_1 \cdot( m_1^\star | \cdots | m_\ell^\star | 1) + \end{array} + \egroup + \right) \cdot +% \begin{pmatrix} +% 1 & & & a & & \\ +% & \ddots & & & \ddots & \\ +% & & 1 & & & & a \\ +% & & & a c \cdot m_1 & \cdots & a c \cdot m_\ell & ac \\ +% & & & a c \cdot m_1^\star & \cdots & a c \cdot m_\ell^\star & ac +% \end{pmatrix} \cdot + \begin{pmatrix} + a_{v_1} \\ \vdots \\ a_{v_\ell} \\ a_w\\ + b_{v_1} \\ \vdots \\ b_{v_\ell} \\ b_w + \end{pmatrix} + = + \begin{pmatrix} + \log_g(v_1) \\ \vdots \\ \log_g(v_\ell) \\ \log_g(w) \\ + \omega' - \omega \\ s_0 + \end{pmatrix} + \] + where, $\boldsymbol{0}_{\ell + 1}$ denotes the zero vector of length $\ell + 1$ and $m_1, \ldots, m_\ell$ + is the message involved in the $k$-th signing query. Note that the $(l+2)$-th equation is meaningless when + $c=0$ since then $\omega' = \omega$. However, even if $c\neq 0$ the information that $\adv$ can infer about + $(a_{v_1},\ldots, a_{v_\ell}, a_w, b_{v_1}, \ldots, b_{v_\ell}, b_w) \in \Zp^{2 \ell + 2}$ + during the game amounts to the first $\ell+2$ equations of the system which is of full rank. It means that + this vector is unpredictable since all the solutions of this linear system live in a sub-space of dimension + at least one (actually $\ell=(2\ell+2) -(\ell+2)$). 
Finally, as long as $s_1\neq 0$, the right value $s_0$ + can only be guessed with probability $1/p$ since the last row of the matrix is independent of the others + as soon as $(m_1, \ldots, m_\ell) \neq (m^\star_1, \ldots, m^\star_\ell) \neq 0$. + + To conclude the proof, since $\bdv$ is able the tell apart the type of the forgery, if $\adv$'s probability to + output a forgery of some Type in Game $k-1$ (\textit{i.e.}, $c=0$) was significantly different than in Game $k$ + (\textit{i.e.}, $c\neq0$) then $B$ would be able to solve the DDH problem with non-negligible advantage. + +\end{proof} + +\begin{lemma} \label{le:final-forgery} + In \textbf{Game $\boldsymbol{2.Q}$}, a PPT adversary outputting a type $A'$ forgery would contradict + the DDH assumption in $\GG$: + $ \Pr[S_{2.Q} \wedge E_{2.Q}] \leq \advantage{\DDH}{\GG}(\lambda).$ +\end{lemma} + +\begin{proof} + We will build an algorithm $\bdv$ for solving the Computational Diffie Hellman problem~(CDH) which is at + least as hard as the DDH problem. The reduction $\bdv$ takes as input a tuple $(g, h, \Omega = + h^\omega)$ and computes $g^\omega$. To generate $\mathsf{pk}$, $\bdv$ picks $\hat g + \sample \Gh$, $a_{v_1}, \ldots, a_{v_\ell}, a_w \sample \Zp$ and computes + $ v_1 = g^{a_{v_1}},$ \ldots, $ v_\ell = g^{a_{v_\ell}}$, and $w = g^{a_w}.$ Then $\bdv$ generates + $\mathsf{tk} = \{ \chi_i \}_{i=1}^{2\ell + 4}$, + $\mathsf{crs} = (\{ z_j\}_{j=1}^{\ell + 2}, \hat g_z, \{\hat g_i\}_{i=1}^{2\ell + 4})$ + as in step 3-4 of the key generation algorithm, then sends the public key + $ pk = \bigl(g, h, \hat g, \boldsymbol{v} , \Omega=h^\omega, \mathsf{crs}\bigr) $ to $\adv$. + %\begin{multline*} + % pk = \Bigl(g, h, \hat g, \boldsymbol{v} , \Omega=h^\omega, + % \mathsf{pk}_{hsps}, \{ (z_j, r_j) \}_{j=1}^{\ell + 2} \Bigr) + %\end{multline*} + + \noindent $\bdv$ also retains $\mathsf{tk} = \{ \chi_i \}_{i=1}^{2\ell + 4}$ to handle + signing queries. 
We recall that during the game, signing queries are answered by returning a + Type B signature so that, using $\mathsf{tk}$, $\bdv$ can answer all queries without knowing the + $\omega = \log_h(\Omega)$ which is part of the CDH challenge. + + The results of Lemma~\ref{le:type-b-sig} implies that even if $\adv$ only obtains Type B signatures, + it will necessarily output a Type $\mathrm{A}'$ forgery + $\sigma^\star = (\sigma^\star_1, \sigma^\star_2, \sigma^\star_3, \pi^\star)$ + unless the DDH assumption does not hold in $\GG$. + This event thus allows $\bdv$ to compute + \[g^\omega = \sigma_1^\star \cdot {\sigma_2^\star}^{-a_w - \sum_{i=1}^\ell a_{v_i} m_i^\star}_{},\] + which contradicts the DDH assumption in $\GG$. +\end{proof} + + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + diff --git a/chap-structures.tex b/chap-structures.tex index c798500..902cc3b 100644 --- a/chap-structures.tex +++ b/chap-structures.tex @@ -18,7 +18,7 @@ In this chapter, we describe the different structures on which the cryptography \section{Pairing-Based Cryptography} \addcontentsline{tof}{section}{\protect\numberline{\thesection} Cryptographie à base de couplage} -\label{se:pairing} +\label{se:pairings} \input sec-pairings diff --git a/fig-lwe-sis.tex b/fig-lwe-sis.tex index a6a511a..2684028 100644 --- a/fig-lwe-sis.tex +++ b/fig-lwe-sis.tex @@ -11,9 +11,9 @@ \draw[matA, xshift=-2cm, yshift=.5cm] (0,0) rectangle node {$\mathbf{A}$} (1.5,1); \node at (-.2, .75) {$,$}; \draw[matA] (0,0) rectangle node {$\mathbf{A}^T_{}$} (1,1.5); - \draw[|-|, vecS] (1.2, 1.5) -- node[right] {$\mathbf s$} ++(0, -1); + \draw[|-|, vecS] (1.2, 1.5) -- node[right] {$\mathbf{s}$} ++(0, -1); \node at (1.8, .75) {$+$}; - \draw[|-|, vecE] (2.1, 1.5) -- node[right] {$\mathbf e$} ++ (0, -1.5); + \draw[|-|, vecE] (2.1, 1.5) -- node[right] {$\mathbf{e}$} ++ (0, -1.5); \end{tikzpicture} \right)$\\[.5em] $\in \Zq^{n \times m} \times \Zq^{m}$, 
@@ -22,15 +22,15 @@ \begin{minipage}[t]{.4\textwidth} \textbf{$\SIS_{n,m,q,\beta}$ problem:}\\Given\\[.5em] $\tikz[baseline=.3cm]{ \draw[fill=blue!10] (0,0) rectangle node {$\mathbf{A}$} (1.5,1); } \in \Zq^{n \times m},$ - find $\textcolor{red!70!black}{\mathbf x} \in \ZZ^m_{}$ such that\\[.5em] + find $\textcolor{red!70!black}{\mathbf{x}} \in \ZZ^m_{}$ such that\\[.5em] $\begin{tikzpicture}[baseline=.25cm] \tikzstyle{matA}=[fill=blue!10] \tikzstyle{vecX}=[color=red!70!black] \draw[matA] (0,0) rectangle node {$\mathbf{A}$} (1.5,1); - \draw[|-|, vecX] (1.7, 1) -- node[right] {$\mathbf x$} ++ (0, -1.5); + \draw[|-|, vecX] (1.7, 1) -- node[right] {$\mathbf{x}$} ++ (0, -1.5); \node at (2.4, .25) {$=$}; \draw[|-|] (2.8, 1) -- node[right] {$\mathbf 0^n$} ++ (0, -1); - \end{tikzpicture},$ and\\$0< \|\textcolor{red!70!black}{\mathbf x}\| \leq \beta$. + \end{tikzpicture},$ and\\$0< \|\textcolor{red!70!black}{\mathbf{x}}\| \leq \beta$. \end{minipage} \hfill \medskip diff --git a/frtoc.tex b/frtoc.tex index 15a2a6d..52c3aef 100644 --- a/frtoc.tex +++ b/frtoc.tex @@ -1,7 +1,7 @@ \makeatletter \newcommand\frenchtableofcontents{% \selectlanguage{french}% - \chapter*{\contentsname + \chapter*[\contentsname]{\contentsname \@mkboth{% \MakeUppercase\contentsname}{\MakeUppercase\contentsname}}% \@starttoc{tof}% diff --git a/macros.tex b/macros.tex index 43ac21c..a8be67f 100644 --- a/macros.tex +++ b/macros.tex @@ -14,6 +14,7 @@ \newcommand{\redto}{\ensuremath{\preceq_P}} %% Primitives \newcommand{\ZK}{\textsf{ZK}\xspace} +\newcommand{\ZKAoK}{\textsf{ZKAoK}\xspace} \newcommand{\NIZK}{\textsf{NIZK}\xspace} \newcommand{\PKE}{\textsf{PKE}\xspace} \newcommand{\OT}{\textsf{OT}\xspace} @@ -105,6 +106,7 @@ \newcommand{\bjoin}{\mathsf{b}\textrm{-}\mathsf{join}} \newcommand{\pjoin}{\mathsf{p}\textrm{-}\mathsf{join}} \newcommand{\interface}{\mathcal{I}} +\newcommand{\ssigma}{\boldsymbol{\sigma}\xspace} % Other \newcommand{\TODO}{\textbf{\textcolor{red}{TODO}}} 
diff --git a/main.tex b/main.tex index 3f4a193..9052586 100644 --- a/main.tex +++ b/main.tex @@ -76,6 +76,7 @@ À \ldots \end{flushright} \vspace*{\stretch{2}} +%%%%%%%%%%%%% \input abstract @@ -86,12 +87,15 @@ \cleardoublepage \tableofcontents +\cleardoublepage \input symbols + \mainmatter \pagestyle{ruled} \input chap-introduction +\cleardoublepage {\let\newpage\relax \part{Background} \label{pa:background} @@ -104,6 +108,7 @@ \input chap-ZK +\cleardoublepage {\let\newpage\relax \part{Group Signatures and Anonymous Credentials} \label{pa:gs-ac} @@ -116,6 +121,7 @@ \input chap-GS-LWE +\cleardoublepage {\let\newpage\relax \part{Group Encryption and Adaptive Oblivious Transfer} \label{pa:ge-ot} diff --git a/sec-lattices.tex b/sec-lattices.tex index 69b3628..52ff1db 100644 --- a/sec-lattices.tex +++ b/sec-lattices.tex 
@@ -67,13 +67,13 @@ In order to define the $\SIVP$ problem and assumption, let us first define the s \begin{definition}[Successive minima] \label{de:lattice-lambda} For a lattice $\Lambda$ of dimension $n$, let us define for $i \in \{1,\ldots,n\}$ the $i$-th successive minimum as \[ \lambda_i(\Lambda) = \inf \bigl\{ r \mid \dim \left( \Span\left(\lambda \cap \mathcal B\left(\mathbf 0, r \right) \right) \right) \geq i \bigr\}, \] - where $\mathcal B(\mathbf c, r)$ denotes the ball of radius $r$ centered in $\mathbf c$. + where $\mathcal B(\mathbf{c}, r)$ denotes the ball of radius $r$ centered in $\mathbf{c}$. \end{definition} This leads us to the $\SIVP$ problem, which is finding a set of sufficiently short linearly independent vectors given a lattice basis. \begin{definition}[$\SIVP$] \label{de:sivp} - For a dimension $n$ lattice described by a basis $\mathbf B \in \RR^{n \times m}$, and a parameter $\gamma > 0$, the shortest independent vectors problem is to find $n$ linearly independent vectors $v_1, \ldots, v_n$ such that $\| v_1 \| \leq \| v_2 \| \leq \ldots \leq \| v_n \|$ and $\|v_n\| \leq \gamma \cdot \lambda_n(\mathbf B)$. + For a dimension $n$ lattice described by a basis $\mathbf{B} \in \RR^{n \times m}$, and a parameter $\gamma > 0$, the shortest independent vectors problem is to find $n$ linearly independent vectors $v_1, \ldots, v_n$ such that $\| v_1 \| \leq \| v_2 \| \leq \ldots \leq \| v_n \|$ and $\|v_n\| \leq \gamma \cdot \lambda_n(\mathbf{B})$. \end{definition} As explained before, the hardness of this assumption for worst-case lattices implies the hardness of the following two assumptions in their average-case setting, which are illustrated in Figure~\ref{fig:lwe-sis}. 
@@ -84,7 +84,7 @@ In other words, it means that no polynomial time algorithms can solve those prob Let~$m,q,\beta$ be functions of~$n \in \mathbb{N}$. The \textit{Short Integer Solution} problem $\SIS_{n,m,q,\beta}$ is, given~$\mathbf{A} \sample \U(\Zq^{n \times m})$, find~$\mathbf{x} \in \Lambda_q^{\perp}(\mathbf{A})$ with~$0 < \|\mathbf{x}\| \leq \beta$. - The \textit{Inhomogeneous Short Integer Solution}~$\ISIS_{n,m,q,\beta}$ problem is, given~$\mathbf{A} \sample \U(\Zq^{n \times m})$ and $\mathbf u \in \Zq^n$, find~$\mathbf{x} \in \Lambda_q^{\mathbf u}(\mathbf A)$ with~$0 < \| \mathbf x \| \leq \beta$. + The \textit{Inhomogeneous Short Integer Solution}~$\ISIS_{n,m,q,\beta}$ problem is, given~$\mathbf{A} \sample \U(\Zq^{n \times m})$ and $\mathbf{u} \in \Zq^n$, find~$\mathbf{x} \in \Lambda_q^{\mathbf{u}}(\mathbf{A})$ with~$0 < \| \mathbf{x} \| \leq \beta$. \end{definition} Evidences of the hardness of the $\SIS$ and $\ISIS$ assumptions are given by the following Lemma, which reduced these problems from $\SIVP$. 
@@ -168,10 +168,10 @@ We also make use of an algorithm that extends a trapdoor for~$\mathbf{A} \in \ZZ In some of our security proofs, analogously to \cite{Boy10,BHJ+15} we also use a technique due to Agrawal, Boneh and Boyen~\cite{ABB10} that implements an all-but-one trapdoor mechanism (akin to the one of Boneh and Boyen \cite{BB04}) in the lattice setting. \begin{lemma}[{\cite[Th.~19]{ABB10}}]\label{lem:sampler} - There exists a $\ppt$ algorithm $\SampleR$ that takes as inputs matrices $\mathbf A, \mathbf C \in \ZZ_q^{n \times m}$, a low-norm matrix $\mathbf R \in \ZZ^{m \times m}$, - a short basis $\mathbf{T_C} \in \ZZ^{m \times m}$ of $\Lambda_q^{\perp}(\mathbf{C})$, a vector $\mathbf u \in \ZZ_q^{n}$ and a rational $\sigma$ such that $\sigma \geq \| - \widetilde{\mathbf{T_C}}\| \cdot \Omega(\sqrt{\log n})$, and outputs a short vector $\mathbf{b} \in \ZZ^{2m}$ such that $\left[ \begin{array}{c|c} \mathbf A ~ &~ \mathbf A - \cdot \mathbf R + \mathbf C \end{array} \right]\cdot \mathbf b = \mathbf u \bmod q$ and with distribution statistically close to $D_{L,\sigma}$ where $L$ denotes the shifted - lattice $\Lambda^\mathbf{u}_q \left( \left[ \begin{array}{c|c} \mathbf A ~&~ \mathbf A \cdot \mathbf R + \mathbf C \end{array} \right] \right)$. - %$\{ \mathbf x \in \ZZ^{2 m} : \left[ \begin{array}{c|c} \mathbf A ~&~ \mathbf A \cdot \mathbf R + \mathbf C \end{array} \right] \cdot \mathbf x = \mathbf u \bmod q \}$. 
+ There exists a $\ppt$ algorithm $\SampleR$ that takes as inputs matrices $\mathbf{A}, \mathbf{C} \in \ZZ_q^{n \times m}$, a low-norm matrix $\mathbf{R} \in \ZZ^{m \times m}$, + a short basis $\mathbf{T_C} \in \ZZ^{m \times m}$ of $\Lambda_q^{\perp}(\mathbf{C})$, a vector $\mathbf{u} \in \ZZ_q^{n}$ and a rational $\sigma$ such that $\sigma \geq \| + \widetilde{\mathbf{T_C}}\| \cdot \Omega(\sqrt{\log n})$, and outputs a short vector $\mathbf{b} \in \ZZ^{2m}$ such that $\left[ \begin{array}{c|c} \mathbf{A} ~ &~ \mathbf{A} + \cdot \mathbf{R} + \mathbf{C} \end{array} \right]\cdot \mathbf{b} = \mathbf{u} \bmod q$ and with distribution statistically close to $D_{L,\sigma}$ where $L$ denotes the shifted + lattice $\Lambda^\mathbf{u}_q \left( \left[ \begin{array}{c|c} \mathbf{A} ~&~ \mathbf{A} \cdot \mathbf{R} + \mathbf{C} \end{array} \right] \right)$. + %$\{ \mathbf{x} \in \ZZ^{2 m} : \left[ \begin{array}{c|c} \mathbf{A} ~&~ \mathbf{A} \cdot \mathbf{R} + \mathbf{C} \end{array} \right] \cdot \mathbf{x} = \mathbf{u} \bmod q \}$. \end{lemma} diff --git a/sec-pairings.tex b/sec-pairings.tex index 01d2355..e5ac460 100644 --- a/sec-pairings.tex +++ b/sec-pairings.tex 
@@ -11,14 +11,14 @@ In the following, we rely on the black-box definition of cryptographic pairings %\subsection{Bilinear maps} -\begin{definition}[Pairings~\cite{BSS05}] \label{de:pairings} \index{Pairings} +\begin{restatable}[Pairings~\cite{BSS05}]{definition}{defPairings} \label{de:pairings} \index{Pairings} A pairing is a map $e: \GG \times \Gh \to \GT$ over cyclic groups of order $p$ that verifies the following properties for any $g \in \GG, \hat{g} \in \Gh$: \begin{enumerate}[\quad (i)] \item bilinearity: for any $a, b \in \Zp$, we have $e(g^a, \hat{g}^b) = e(g^b, \hat{g}^a) = e(g, \hat{g})^{ab}$. \item non-degeneracy: $e(g,\hat{g}) = 1_{\GT} \iff g = 1_{\GG}$ or $\hat{g} = 1_{\Gh}$. \item the map is computable in polynomial time in the size of the input. \end{enumerate} -\end{definition} +\end{restatable} For cryptographic purpose, pairings are usually defined over elliptic curves, hence $\GT$ is a multiplicative subgroup of the multiplicative group of a finite field. @@ -29,9 +29,9 @@ described in \cref{de:DDH} and recalled here. This hypothesis, from which the Diffie-Hellman key exchange relies its security on, is then used to defined the $\SXDH$ assumption. -\begin{definition}[{$\SXDH$~\cite[As.~1]{BGdMM05}}] \index{Pairings!SXDH} \label{de:SXDH} +\begin{restatable}[{$\SXDH$~\cite[As.~1]{BGdMM05}}]{definition}{defSXDH} \index{Pairings!SXDH} \label{de:SXDH} The \emph{Symmetric eXternal Diffie-Hellman} ($\SXDH$) assumption holds if the $\DDH$ assumption holds both in $\GG$ and $\Gh$. -\end{definition} +\end{restatable} In \cref{ch:sigmasig}, the security of the group signature scheme relies on the $\SXDH$ assumption, which is a well-studied assumption. Moreover, this assumption is static, meaning that the size of the assumption is independent of any parameters, and is non-interactive, in the sense that it does not involve any oracle. 
@@ -41,12 +41,12 @@ For instance, Cheon gave an attack against $q$-Strong Diffie-Hellmann problem fo In the aforementioned chapter, we also rely on the following assumption, which generalizes the Discrete Logarithm problem to asymmetric groups. -\begin{definition}[$\SDL$] +\begin{restatable}[$\SDL$]{definition}{defSDL} \label{de:SDL} \index{Pairings!SDL} In bilinear groups $\bigl(\GG,\Gh,\GT^{}\bigr)$ of prime order $p$, the \emph {Symmetric Discrete Logarithm} ($\SDL$) problem consists in, given $\bigl(g,\hat{g},g^a_{},\hat{g}^a_{}\bigr) \in \bigl(\GG \times \Gh\bigr)^2_{}$ where $a \sample \ZZ_p^{}$, computing $a \in \ZZ_p^{}$. -\end{definition} +\end{restatable} This assumption is still a static and non-interactive assumption. diff --git a/sec-stern.tex b/sec-stern.tex index c00c766..6444e06 100644 --- a/sec-stern.tex +++ b/sec-stern.tex 
@@ -5,16 +5,16 @@ On the other hand, Stern's protocol has been originally introduced in the context of code-base cryptography~\cite{Ste96}. \index{Syndrome Decoding Problem} -Initially, it was introduced for Syndrome Decoding Problem (\SDP): given a matrix $\mathbf M \in \FF_2^{n \times m}$ and a syndrome $\mathbf v \in \FF_2^n$, the goal is to find a binary vector $\mathbf w \in \FF_2^m$ with fixed hamming weight $w$ such that $\mathbf M \cdot \mathbf w = \mathbf v \bmod 2$. +Initially, it was introduced for Syndrome Decoding Problem (\SDP): given a matrix $\mathbf{M} \in \FF_2^{n \times m}$ and a syndrome $\mathbf{v} \in \FF_2^n$, the goal is to find a binary vector $\mathbf{w} \in \FF_2^m$ with fixed hamming weight $w$ such that $\mathbf{M} \cdot \mathbf{w} = \mathbf{v} \bmod 2$. -This problem shows similarities with the $\ISIS$ problem defined in \cref{de:sis} where the constraints on the norm of $\mathbf x$ is a constraint on Hamming weight, and operations are in $\FF_2$ instead of $\Zq$. +This problem shows similarities with the $\ISIS$ problem defined in \cref{de:sis} where the constraints on the norm of $\mathbf{x}$ is a constraint on Hamming weight, and operations are in $\FF_2$ instead of $\Zq$. After the first works of Kawachi, Tanaka and Xagawa~\cite{KTX08} that extended Stern's proofs to statements $\bmod q$, the work of Ling, Nguyen, Stehlé and Wang~\cite{LNSW13} enables the use of Stern's protocol to prove general $\SIS$ or $\LWE$ statements (meaning the knowledge of a solution to these problems). These advances in the expressivity of Stern-like protocols has been used to further improve it and therefore enable privacy-based primitives for which no constructions existed in the post-quantum world, such as dynamic group signatures~\cite{LLM+16}, group encryption~\cite{LLM+16a}, electronic cash~\cite{LLNW17}, etc. 
-Unlike the Schnorr-like proof we saw in the previous section, Stern's proof is mainly combinatorial and relies on the fact that every permutation on a binary vector $\mathbf w \in \bit^m_{}$ leaves its Hamming weight $w$ invariant. As a consequence, for $\pi \in \permutations_m$, $\mathbf w$ satisfies these conditions if and only if $\pi(\mathbf x)$ also does. +Unlike the Schnorr-like proof we saw in the previous section, Stern's proof is mainly combinatorial and relies on the fact that every permutation on a binary vector $\mathbf{w} \in \bit^m_{}$ leaves its Hamming weight $w$ invariant. As a consequence, for $\pi \in \permutations_m$, $\mathbf{w}$ satisfies these conditions if and only if $\pi(\mathbf{x})$ also does. Therefore, the randomness of $\pi$ is used to verify these two constraints (being binary and the hamming weight) in a zero-knowledge fashion. -We can notice that this can be extended to vectors $\mathbf w \in \nbit^m$ of fixed numbers of $-1$ and $1$ that allowed~\cite{LNSW13} to propose the generalization of this protocol to any $\ISIS_{n,m,q,\beta}$ statements. +We can notice that this can be extended to vectors $\mathbf{w} \in \nbit^m$ of fixed numbers of $-1$ and $1$ that allowed~\cite{LNSW13} to propose the generalization of this protocol to any $\ISIS_{n,m,q,\beta}$ statements. In \cref{sse:stern-abstraction}, we describes these permutations while abstracting the set of ZK-provable statements as the set $\mathsf{VALID}$ that satisfies conditions~\eqref{eq:zk-equivalence}. It is worth noticing that this argument on knowledge does not form a $\Sigma$-protocol, as the challenge space is ternary as described in \cref{sse:stern-abstraction}. 
@@ -31,8 +31,8 @@ In this Section, we describe in a high-level view how Stern's protocol works, an %%%%%%%%%%%%%%%%%%%%% \begin{figure}[h] \begin{itemize} - \item $\mathsf B^{2}_{\mathfrak m}$: the set of vectors in $\bit^{2\mathfrak m}$ with Hamming weight $\mathfrak m$. - \item $\mathsf B^{3}_{\mathfrak m}$: the set of vectors in $\nbit^{3\mathfrak m}$ which has exactly $\mathfrak m$ coordinates equal to $j$ for each $j \in \nbit$. + \item $\mathsf{B}^{2}_{\mathfrak m}$: the set of vectors in $\bit^{2\mathfrak m}$ with Hamming weight $\mathfrak m$. + \item $\mathsf{B}^{3}_{\mathfrak m}$: the set of vectors in $\nbit^{3\mathfrak m}$ which has exactly $\mathfrak m$ coordinates equal to $j$ for each $j \in \nbit$. \end{itemize} \caption{Notations for Stern-like protocols.} \label{fig:stern-notations} @@ -40,7 +40,7 @@ In this Section, we describe in a high-level view how Stern's protocol works, an The original Stern protocol was designed to prove knowledge of a SDP preimage. That is, to prove the knowledge of a vector $\mathbf{w} \in \bit^m$ that verifies \begin{equation} \label{eq:sdp-statement} - \mathbf M \cdot \mathbf{w} = \mathbf v \bmod 2. + \mathbf{M} \cdot \mathbf{w} = \mathbf{v} \bmod 2. \end{equation} A first improvement by~\cite{KTX08} was to extend this protocol using a statistically hiding SIS-based commitment scheme as described in~\ref{fig:Interactive-Protocol} to prove in (statistical) zero-knowledge that 
@@ -51,7 +51,7 @@ A first improvement by~\cite{KTX08} was to extend this protocol using a statisti The details of this proof is given in \cref{sse:stern-abstraction}, but it can be summarized in the following Lemma. \begin{lemma}[{\cite[Se. 4]{KTX08}}] \label{le:zk-ktx} - There exists a statistical \textsf{ZKAoK} with perfect completeness and soundness error 2/3 to prove the knowledge of a secret vector $\mathbf{w} \in \bit^m$ that verifies relation~\eqref{eq:isis-stern-relation} for public input $(\mathbf M, \mathbf v) \in \Zq^{n \times m} \times \Zq^{n}$. + There exists a statistical \textsf{ZKAoK} with perfect completeness and soundness error 2/3 to prove the knowledge of a secret vector $\mathbf{w} \in \bit^m$ that verifies relation~\eqref{eq:isis-stern-relation} for public input $(\mathbf{M}, \mathbf{v}) \in \Zq^{n \times m} \times \Zq^{n}$. \end{lemma} Ling, Nguyen, Stehlé and Wang~\cite{LNSW13} noticed that the \textsf{ZKAoK} of \cref{le:zk-ktx} straightforwardly works to prove knowledge of a vector in $\nbit^m$. 
@@ -59,12 +59,12 @@ Ling, Nguyen, Stehlé and Wang~\cite{LNSW13} noticed that the \textsf{ZKAoK} of A technique to relax the constraints on the \textsf{ZKAoK} of \cref{le:zk-ktx} is the so-called ``Decomposition-Extension'' technique~\cite{LNSW13}\cite{LSS14,ELL+15,LLNW16} as explained in the introduction of this Section (\ref{sse:stern}). \index{Lattices!Inhomogeneous \SIS} -To prove the knowledge of an \ISIS preimage, i.e. -the knowledge of a bounded vector $\mathbf{w} \in [-B,B]^m$ that satisfies relation~\eqref{eq:isis-stern-relation}, the goal is to rewrite $\mathbf w$ as $\bar{\mathbf w} = \mathbf K \cdot \mathbf w \bmod q$ with a public transfer matrix $\mathbf K$ such that $\bar{\mathbf w} \in \nbit^{m'}$ and of known numbers of elements equal to $j$ for $j \in \nbit$. -This reduces to use \cref{le:zk-ktx} to prove the knowledge of $\bar{\mathbf w} \in \nbit^{m'}$ for public input $(\mathbf M \cdot \mathbf K, \mathbf v)$. +To prove the knowledge of an \ISIS preimage, i.e. +the knowledge of a bounded vector $\mathbf{w} \in [-B,B]^m$ that satisfies relation~\eqref{eq:isis-stern-relation}, the goal is to rewrite $\mathbf{w}$ as $\bar{\mathbf{w}} = \mathbf{K} \cdot \mathbf{w} \bmod q$ with a public transfer matrix $\mathbf{K}$ such that $\bar{\mathbf{w}} \in \nbit^{m'}$ and of known numbers of elements equal to $j$ for $j \in \nbit$. +This reduces to use \cref{le:zk-ktx} to prove the knowledge of $\bar{\mathbf{w}} \in \nbit^{m'}$ for public input $(\mathbf{M} \cdot \mathbf{K}, \mathbf{v})$. -To construct such a transfer matrix $\mathbf K$, \cite{LNSW13} showed that \textit{decomposing} a vector $\mathbf x \in [-B,B]^m$ as a vector $\tilde{\mathbf x} \in \nbit^{m \cdot \delta_B}$ and \textit{extending} the resulting vector into $\bar{\mathbf x} \in \mathsf B^3_{m \delta_B}$ leads to a new statement that can be proven using the~\cite{KTX08} variant of Stern's protocol. 
-The resulting matrix $\mathbf{K}= \left[\mathbf{K}_{m,B}^{} \mid \mathbf 0^{m \times 2m\delta_B}\right] \in \ZZ^{m \times 3m\delta_B}$, where $\mathbf{K}_{m,B}^{}$ is the \nbit-decomposition matrix $\mathbf{K}_{m,B} = \mathbf I_m \otimes \left[B_1 \mid \cdots \mid B_{\delta_B} \right]$ with $B_j^{} = \left\lfloor \frac{B + 2^{j-1}}{2^j} \right\rfloor$ for all $j \in \{1,\ldots,j\}$ can be computed from public parameters. +To construct such a transfer matrix $\mathbf{K}$, \cite{LNSW13} showed that \textit{decomposing} a vector $\mathbf{x} \in [-B,B]^m$ as a vector $\tilde{\mathbf{x}} \in \nbit^{m \cdot \delta_B}$ and \textit{extending} the resulting vector into $\bar{\mathbf{x}} \in \mathsf{B}^3_{m \delta_B}$ leads to a new statement that can be proven using the~\cite{KTX08} variant of Stern's protocol. +The resulting matrix $\mathbf{K}= \left[\mathbf{K}_{m,B}^{} \mid \mathbf 0^{m \times 2m\delta_B}\right] \in \ZZ^{m \times 3m\delta_B}$, where $\mathbf{K}_{m,B}^{}$ is the \nbit-decomposition matrix $\mathbf{K}_{m,B} = \mathbf{I}_m \otimes \left[B_1 \mid \cdots \mid B_{\delta_B} \right]$ with $B_j^{} = \left\lfloor \frac{B + 2^{j-1}}{2^j} \right\rfloor$ for all $j \in \{1,\ldots,j\}$ can be computed from public parameters. \subsection{Abstraction of Stern's Protocol} \label{sse:stern-abstraction} @@ -189,7 +189,7 @@ The proof of the theorem relies on standard simulation and extraction techniques \noindent \item[\textsf{Case} $\overline{Ch}=2$:] $\mathsf{SIM}$ samples $\mathbf{w}' \hookleftarrow \U(\mathsf{VALID})$, $\mathbf{r} \hookleftarrow \U(\mathbb{Z}_q^D)$, $\pi \hookleftarrow \U(\mathcal{S})$, and randomnesses $\rho_1, \rho_2, \rho_3$ for $\mathsf{COM}$. - + Then it sends the commitment $\mathrm{CMT}= \big(C'_1, C'_2, C'_3\big)$ to $\widehat{\mathcal{V}}$, where \begin{gather*} C'_1 = \mathsf{COM}(\pi, \mathbf{M}\cdot \mathbf{r}; \rho_1), \qquad 
@@ -209,7 +209,7 @@ The proof of the theorem relies on standard simulation and extraction techniques \noindent \item[Case $\overline{Ch}=3$:] $\mathsf{SIM}$ samples $\mathbf{w}' \hookleftarrow \U(\mathsf{VALID})$, $\mathbf{r} \hookleftarrow \U(\mathbb{Z}_q^D)$, $\pi \hookleftarrow \U(\mathcal{S})$, and randomnesses $\rho_1, \rho_2, \rho_3$ for $\mathsf{COM}$. - + Then it sends the commitment $\mathrm{CMT}= \big(C'_1, C'_2, C'_3\big)$ to $\widehat{\mathcal{V}}$, where \[ C'_2 = \mathsf{COM}(\Gamma_{\pi}(\mathbf{r}); \rho_2), \qquad C'_3 = \mathsf{COM}(\Gamma_{\pi}(\mathbf{w}' + \mathbf{r}); \rho_3)\] as in the previous two cases, while @@ -231,7 +231,7 @@ The proof of the theorem relies on standard simulation and extraction techniques \medskip \noindent - \scbf{Argument of Knowledge.} Let us assume that + \scbf{Argument of Knowledge.} Let us assume that \begin{gather*} \mathrm{RSP}_1 = (\mathbf{t}_x, \mathbf{t}_r, \rho_{2}^{(1)}, \rho_{3}^{(1)}), \qquad \mathrm{RSP}_2 = (\phi_2, \mathbf{y}, \rho_{1}^{(2)}, \rho_{3}^{(2)}),\\ diff --git a/symbols.tex b/symbols.tex index f283c5f..5534821 100644 --- a/symbols.tex +++ b/symbols.tex 
@@ -1,41 +1,54 @@ -\chapter*{List of Symbols} +\chapter*[List of Symbols]{List of Symbols} \addcontentsline{toc}{chapter}{List of Symbols} \addcontentsline{tof}{chapter}{Liste des symboles et abréviations} \begin{longtable}{ll} - \multicolumn{2}{l}{\scbf{General Notations}} \\ - TM & Turing Machine \\ - $\ppt$ & Probabilistic Polynomial Time \\ - $\epsilon$ & empty word \\ - $\mathbf A$ & bold uppercase letters represent matrices\\ - $\mathbf b$ & bold lowercase letters represent column vectors\\ - $\widetilde{\mathbf A}$ & Gram-Schmidt orthogonalization of matrix $\mathbf A$\\ - $\mathbf{A}^T_{}, \mathbf{u}^T_{}$ & the transpose of a matrix or a vector respectively\\ - $\U(S)$ & If $S$ is a finite set, $\U(S)$ denotes the uniform distribution over $S$ \\ - [1ex] \multicolumn{2}{l}{\scbf{Usual sets}} \\ - $\QQ$ & the set of rational numbers \\ - $\RR$ & the set of real numbers \\ - $\ZZ$ & the set of relative integers \\ - $\ZZ_q$ & the field $\ZZ_{/q\ZZ}$, with $q$ prime \\ - $\FF_2$ & the field $\ZZ_{/2\ZZ}$ \\ - [1ex] \multicolumn{2}{l}{\scbf{Protocols}} \\ - $\PKE$ & Public Key Encryption \\ - $\ZK$ & Zero-Knowledge \\ - $\NIZK$ & Non-Interactive Zero-Knowledge \\ - $\OT$ & Oblivious Transfer \\ - [1ex] \multicolumn{2}{l}{\scbf{Security Models}} \\ - $\ROM$ & Random-Oracle Model \\ - $\UC$ & Universal Composability \\ - [1ex] \multicolumn{2}{l}{\scbf{Security Assumptions}} \\ - [.5ex] \multicolumn{2}{l}{\quad\textbf{Lattice-based}} \\ - $\SIS$ & Short Integer Solution \\ - $\ISIS$ & Inhomogeneous Short Integer Solution \\ - $\LWE$ & Learning with Errors \\ - $\SIVP$ & Shortest Independent Vectors Problem \\ - [.5ex] \multicolumn{2}{l}{\quad\textbf{Cyclic groups}} \\ - $\DLP$ & Discrete Logarithm Problem \\ - $\DDH$ & Decisional Diffie-Hellman \\ - [.5ex] \multicolumn{2}{l}{\quad\textbf{Bilinear groups}} \\ - $\SXDH$ & Symmetric eXternal Diffie-Hellman \\ - $\SDL$ & Symmetric Discrete Logarithm + \multicolumn{2}{l}{\scbf{General Notations}} \\ + TM & Turing 
Machine \\ + $\ppt$ & Probabilistic Polynomial Time \\ + $\epsilon$ & empty word \\ + $\mathbf{A}$ & bold uppercase letters represent matrices \\ + $\mathbf{b}$ & bold lowercase letters represent column vectors \\ + $\widetilde{\mathbf{A}}$ & Gram-Schmidt orthogonalization of matrix $\mathbf{A}$ \\ + $\mathbf{A}^T_{}, \mathbf{u}^T_{}$ & the transpose of a matrix or a vector respectively \\ + $\U(S)$ & If $S$ is a finite set, $\U(S)$ denotes the uniform distribution over $S$\\ + $\Pr[E]$ & Probability that an event $E$ occurs \\ + [1ex] \multicolumn{2}{l}{\scbf{Usual sets}} \\ + $\QQ$ & the set of rational numbers \\ + $\RR$ & the set of real numbers \\ + $\ZZ$ & the set of relative integers \\ + $\ZZ_q$ & the field $\ZZ_{/q\ZZ}$, with $q$ prime \\ + $\FF_2$ & the field $\ZZ_{/2\ZZ}$ \\ + $\mathbb{S}^d$ & the set of vectors of dimension $d$ in the set $\mathbb{S}$ \\ + $\mathbb{S}^{n \times m}$ & the set of matrices with $n$ rows and $m$ columns in the set $\mathbb{S}$ \\ + [1ex] \multicolumn{2}{l}{\scbf{Protocols}} \\ + $\PKE$ & Public Key Encryption \\ + $\ZK$ & Zero-Knowledge \\ + $\ZKAoK$ & Zero-Knowledge Argument of Knowledge \\ + $\NIZK$ & Non-Interactive Zero-Knowledge \\ + $\OT$ & Oblivious Transfer \\ + [1ex] \multicolumn{2}{l}{\scbf{Security Notions}} \\ + EU-CMA & Existentially Unforgeable under chosen-message attacks \\ + EU-RMA & Existentially Unforgeable under random-message attacks \\ + IND-CPA & Indistinguishable under chosen-plaintext attacks (passive adversary) \\ + IND-CCA1 & Indistinguishable under non-adaptive active adversary\\ + IND-CCA2 & Indistinguishable under adaptive active adversary\\ + [1ex] \multicolumn{2}{l}{\scbf{Security Models}} \\ + $\ROM$ & Random-Oracle Model \\ + $\UC$ & Universal Composability \\ + [1ex] \multicolumn{2}{l}{\scbf{Security Assumptions}} \\ + [.5ex] \multicolumn{2}{l}{\quad\textbf{Lattices}} \\ + $\SIS$ & Short Integer Solution \\ + $\ISIS$ & Inhomogeneous Short Integer Solution \\ + $\LWE$ & Learning with Errors 
\\ + $\SIVP$ & Shortest Independent Vectors Problem \\ + [.5ex] \multicolumn{2}{l}{\quad\textbf{Cyclic groups}} \\ + $\DLP$ & Discrete Logarithm Problem \\ + $\DDH$ & Decisional Diffie-Hellman \\ + [.5ex] \multicolumn{2}{l}{\quad\textbf{Bilinear groups}} \\ + $\SXDH$ & Symmetric eXternal Diffie-Hellman \\ + $\SDL$ & Symmetric Discrete Logarithm \\ + [1ex] \multicolumn{2}{l}{\scbf{Stern-like protocol}} \\ + $\mathsf{B}^2_{\mathfrak m}$ & The set of $\bit$ vector of hamming weight $\mathfrak m$ \\ + $\mathsf{B}^3_{\mathfrak m}$ & The set of $\nbit$ vectors with $\mathfrak m$ elements in $-1$, $0$ and $1$ \\ \end{longtable}
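Review bot: the rewritten relation in the chap-GS-background.tex hunk at -59,12 is dimensionally inconsistent: the `+` line states $\bar{\mathbf{w}} = \mathbf{K} \cdot \mathbf{w} \bmod q$, but the following lines give $\mathbf{K} \in \ZZ^{m \times 3m\delta_B}$ and use the public input $(\mathbf{M} \cdot \mathbf{K}, \mathbf{v})$, which only makes sense if $\mathbf{w} = \mathbf{K} \cdot \bar{\mathbf{w}}$ (so that $\mathbf{M} \cdot \mathbf{K} \cdot \bar{\mathbf{w}} = \mathbf{M} \cdot \mathbf{w} = \mathbf{v}$). Since this commit already touches that line, fix the direction of the equality. On the same lines: `for all $j \in \{1,\ldots,j\}$` bounds the index by itself and should read `\{1,\ldots,\delta_B\}`; `$\mathbf 0^{m \times 2m\delta_B}$` is the one `\mathbf` left unbraced in a hunk whose whole purpose is to brace them; and the wording "This reduces to use \cref{le:zk-ktx}" should be "This reduces to using \cref{le:zk-ktx}", while "of known numbers of elements equal to $j$" reads better as "with a known number of entries equal to $j$".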
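Review bot: the chap-GS-background.tex hunks at -189,7, -209,7 and -231,7 only strip trailing whitespace (a `- ` line becomes an empty `+` line; `\scbf{Argument of Knowledge.} Let us assume that` loses its trailing space). Nothing wrong with them, but a whitespace-only commit would be easier to review; mixed in here they bury the single substantive change in this file.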
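Review bot: `\chapter*[List of Symbols]{List of Symbols}` on the first `+` line of symbols.tex is only valid if the document class defines an optional argument for the starred form (KOMA-Script and memoir do); in the standard book and report classes `\chapter*` takes a single mandatory argument, so `[` would be taken as the title and `List of Symbols]{List of Symbols}` typeset as body text. Please confirm the class, and note that the optional argument is redundant here in any case since it repeats the mandatory one. In the new table rows: `$\ZZ_{/q\ZZ}$` and `$\ZZ_{/2\ZZ}$` put the quotient in a subscript, presumably `$\ZZ/q\ZZ$` and `$\ZZ/2\ZZ$` were meant; "relative integers" is a calque of "entiers relatifs", the English term is just "integers"; the `$\mathsf{B}^2_{\mathfrak m}$` row should read "The set of $\bit$ vectors of Hamming weight $\mathfrak m$"; and the `$\mathsf{B}^3_{\mathfrak m}$` description "with $\mathfrak m$ elements in $-1$, $0$ and $1$" is ambiguous, since from its use as $\bar{\mathbf{x}} \in \mathsf{B}^3_{m\delta_B}$ with $\mathbf{K} \in \ZZ^{m \times 3m\delta_B}$ in chap-GS-background.tex these are vectors of length $3\mathfrak m$ with exactly $\mathfrak m$ entries equal to each of $-1$, $0$ and $1$, so say that explicitly. The IND-CCA1 and IND-CCA2 rows are also missing an article ("under a non-adaptive active adversary").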