Merge Group Encryption
This commit is contained in:
1007
chap-GE-LWE.tex
1007
chap-GE-LWE.tex
File diff suppressed because it is too large
Load Diff
@@ -542,8 +542,7 @@ Let $p = \sigma \cdot \omega(\sqrt{m})$ upper-bound entries of vectors sampled
|
||||
random matrices $\mathbf{D}_k \sample (\Zq^{2n \times 2m})$ for a statistically hiding commitment
|
||||
to vectors in $(\{0,1\}^{2m})^N$.
|
||||
Return public parameters consisting of
|
||||
$$ \mathsf{par}\coloneqq \{ ~\mathbf{B} \in \Zq^{n \times m} ,~\mathbf{G}_0 \in \Zq^{n \times \ell},~\mathbf{G}_1 \in \Zq^{n \times 2m},~CK \}. $$
|
||||
%where $p > \sigma_1 \sqrt{m}$ upper-bounds entries of vectors sampled from the distribution $D_{\ZZ^m,\sigma_1}$,
|
||||
\[ \mathsf{par}\coloneqq \{ \mathbf{B} \in \Zq^{n \times m} ,\mathbf{G}_0 \in \Zq^{n \times \ell},\mathbf{G}_1 \in \Zq^{n \times 2m},CK \}. \]
|
||||
|
||||
\item[\textsf{Issue} $\leftrightarrow$ \textsf{Obtain} :] The signer $S$, who holds a key pair $PK\coloneqq \{ \mathbf{A} , ~\{\mathbf{A}_j\}_{j=0}^\ell,~\mathbf{D},~\mathbf{u} \}$, $SK\coloneqq \mathbf{T}_{\mathbf{A}}$, interacts with the user $U$
|
||||
who has a message $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$, in the following interactive protocol. \smallskip
|
||||
@@ -551,15 +550,17 @@ Let $p = \sigma \cdot \omega(\sqrt{m})$ upper-bound entries of vectors sampled
|
||||
\item[1.] $U$ samples $\mathbf{s}' \sample D_{\ZZ^{2m},\sigma} $ and computes $ \mathbf{c}_{\mathfrak{m}} = \mathbf{D}_0 \cdot \mathbf{s}' + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k \in \mathbb{Z}_q^{2n}$
|
||||
which is sent to $S$ as a commitment to $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$. In addition, $U$ encrypts $\{\mathfrak{m}_k\}_{k=1}^N$ and $\mathbf{s}'$ under the dual-Regev public key $(\mathbf{B},\mathbf{G}_1)$
|
||||
by computing for all $k \in \{1,\ldots,N\}$:
|
||||
\begin{eqnarray} \label{enc-Mk} \nonumber
|
||||
\mathbf{c}_{k} &=& (\mathbf{c}_{k,1},\mathbf{c}_{k,2}) \\ &=& \big( \mathbf{B}^T \cdot \mathbf{s}_{k} + \mathbf{e}_{k,1} ,~ \mathbf{G}_1^T \cdot \mathbf{s}_{k} + \mathbf{e}_{k,2} + \mathfrak{m}_k \cdot \lfloor q/2 \rfloor \big) \in \Zq^m \times \Zq^{2m} \qquad %\forall k\in \{1,\ldots,N\}
|
||||
%\qquad
|
||||
\end{eqnarray}
|
||||
\begin{align} \label{enc-Mk} \nonumber
|
||||
\mathbf{c}_{k} & = (\mathbf{c}_{k,1},\mathbf{c}_{k,2}) \\
|
||||
& = \big( \mathbf{B}^T \cdot \mathbf{s}_{k} + \mathbf{e}_{k,1} ,~ \mathbf{G}_1^T \cdot \mathbf{s}_{k} + \mathbf{e}_{k,2} + \mathfrak{m}_k \cdot \lfloor q/2 \rfloor \big) \in \Zq^m \times \Zq^{2m}
|
||||
\end{align}
|
||||
for randomly chosen $\mathbf{s}_{k} \sample \chi^n$, $\mathbf{e}_{k,1} \sample \chi^m$, $\mathbf{e}_{k,2} \sample \chi^{2m}$,
|
||||
and \begin{eqnarray} \label{enc-s} \nonumber
|
||||
\mathbf{c}_{s'} &=& (\mathbf{c}_{s',1},\mathbf{c}_{s',2}) \\ &=& \big( \mathbf{B}^T \cdot \mathbf{s}_{0} + \mathbf{e}_{0,1} ,~ \mathbf{G}_1^T \cdot \mathbf{s}_{0} + \mathbf{e}_{0,2} + \mathbf{s}' \cdot \lfloor q/p \rfloor \big) \in \Zq^m \times \Zq^{2m}
|
||||
\end{eqnarray}
|
||||
where $\mathbf{s}_{0} \sample \chi^n$, $\mathbf{e}_{0,1} \sample \chi^m$, $\mathbf{e}_{0,2} \sample \chi^{2m}$. The ciphertexts $\{\mathbf{c}_k\}_{k=1}^N$ and $\mathbf{c}_{s'}$ are
|
||||
and
|
||||
\begin{align} \label{enc-s} \nonumber
|
||||
\mathbf{c}_{s'} & = (\mathbf{c}_{s',1},\mathbf{c}_{s',2}) \\
|
||||
& = \big( \mathbf{B}^T \cdot \mathbf{s}_{0} + \mathbf{e}_{0,1} ,~ \mathbf{G}_1^T \cdot \mathbf{s}_{0} + \mathbf{e}_{0,2} + \mathbf{s}' \cdot \lfloor q/p \rfloor \big) \in \Zq^m \times \Zq^{2m}
|
||||
\end{align}
|
||||
where $\mathbf{s}_{0} \sample \chi^n$, $\mathbf{e}_{0,1} \sample \chi^m$, $\mathbf{e}_{0,2} \sample \chi^{2m}$. The ciphertexts $\{\mathbf{c}_k\}_{k=1}^N$ and $\mathbf{c}_{s'}$ are
|
||||
sent to $S$ along with $\mathbf{c}_{\mathfrak{m}}$.
|
||||
|
||||
Then, $U$ generates an interactive zero-knowledge argument to convince~$S$ that
|
||||
@@ -589,19 +590,25 @@ does the following. \smallskip \smallskip
|
||||
\begin{itemize}
|
||||
\item[1.] Using $(\mathbf{B},\mathbf{G}_0)$ and $(\mathbf{B},\mathbf{G}_1)$ generate perfectly binding commitments to $\tau \in \{0,1\}^\ell$, $\{\mathfrak{m}_k \}_{k=1}^N$,
|
||||
$\mathbf{v}_1,\mathbf{v}_2 \in \ZZ^m$ and $\mathbf{s} \in \ZZ^{2m}$. Namely, compute
|
||||
\begin{eqnarray*} \nonumber
|
||||
\mathbf{c}_{\tau} &=& (\mathbf{c}_{\tau,1},\mathbf{c}_{\tau,2}) \\ &=& \big( \mathbf{B}^T \cdot \mathbf{s}_{\tau} + \mathbf{e}_{\tau,1} ,~ \mathbf{G}_0^T \cdot \mathbf{s}_{\tau} + \mathbf{e}_{\tau,2} + \tau
|
||||
\begin{align*}
|
||||
\mathbf{c}_{\tau} & = (\mathbf{c}_{\tau,1},\mathbf{c}_{\tau,2}) \\
|
||||
& = \big( \mathbf{B}^T \cdot \mathbf{s}_{\tau} + \mathbf{e}_{\tau,1} ,~ \mathbf{G}_0^T \cdot \mathbf{s}_{\tau} + \mathbf{e}_{\tau,2} + \tau
|
||||
\cdot \lfloor q/2 \rfloor \big) \in \Zq^m \times \Zq^\ell, \\
|
||||
\mathbf{c}_{k} &=& (\mathbf{c}_{k,1},\mathbf{c}_{k,2}) \\ &=& \big( \mathbf{B}^T \cdot \mathbf{s}_{k} + \mathbf{e}_{k,1} ,~ \mathbf{G}_1^T \cdot \mathbf{s}_{k} + \mathbf{e}_{k,2} + \mathfrak{m}_k \cdot \lfloor q/2 \rfloor \big) \in \Zq^m \times \Zq^{2m}
|
||||
\\ && \hspace{7.6cm} \forall k\in \{1,\ldots,N\} \qquad
|
||||
\end{eqnarray*}
|
||||
%
|
||||
\mathbf{c}_{k} & = (\mathbf{c}_{k,1},\mathbf{c}_{k,2}) \\
|
||||
& = \big( \mathbf{B}^T \cdot \mathbf{s}_{k} + \mathbf{e}_{k,1} ,~ \mathbf{G}_1^T \cdot \mathbf{s}_{k} + \mathbf{e}_{k,2} + \mathfrak{m}_k \cdot \lfloor q/2 \rfloor \big) \in \Zq^m \times \Zq^{2m} \\
|
||||
& \hspace{7.6cm} \forall k\in \{1,\ldots,N\}
|
||||
\end{align*}
|
||||
where $\mathbf{s}_{\tau}, \mathbf{s}_{k} \sample \chi^n$, $\mathbf{e}_{\tau,1} , \mathbf{e}_{k,1} \sample \chi^m$, $\mathbf{e}_{\tau,2} \sample \chi^\ell$, $\mathbf{e}_{k,2} \sample \chi^{2m}$,
|
||||
as well as \begin{eqnarray*} \nonumber
|
||||
\mathbf{c}_{\mathbf{v}} &=& (\mathbf{c}_{\mathbf{v},1},\mathbf{c}_{\mathbf{v},2}) \\ &=& \big( \mathbf{B}^T \cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},1} ,~ \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},2} + \mathbf{v} \cdot \lfloor q/p \rfloor \big) \in \Zq^m \times \Zq^{2m}
|
||||
\\
|
||||
as well as
|
||||
\begin{align*}
|
||||
\mathbf{c}_{\mathbf{v}} & = (\mathbf{c}_{\mathbf{v},1},\mathbf{c}_{\mathbf{v},2}) \\
|
||||
& = \big( \mathbf{B}^T \cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},1} ,~ \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},2} + \mathbf{v} \cdot \lfloor q/p \rfloor \big) \in \Zq^m \times \Zq^{2m}
|
||||
\\
|
||||
%\mathbf{c}_{\mathbf{v}_2} &=& (\mathbf{c}_{\mathbf{v}_2,1},\mathbf{c}_{\mathbf{v}_2,2}) \\ &=& \big( \mathbf{B}^T \cdot \mathbf{s}_{\mathbf{v}_2} + \mathbf{e}_{\mathbf{v}_2,1} ,~ \mathbf{G}_1^T %\cdot \mathbf{s}_{\mathbf{v}_2} + \mathbf{e}_{\mathbf{v}_2,2} + \mathbf{v}_2 \cdot \lfloor q/p \rfloor \big) \in \Zq^m \times \Zq^m \\
|
||||
\mathbf{c}_{s} &=& (\mathbf{c}_{s,1},\mathbf{c}_{s,2}) \\ &=& \big( \mathbf{B}^T \cdot \mathbf{s}_{0} + \mathbf{e}_{0,1} ,~ \mathbf{G}_1^T \cdot \mathbf{s}_{0} + \mathbf{e}_{0,2} + \mathbf{s} \cdot \lfloor q/p \rfloor \big) \in \Zq^m \times \Zq^{2m} ,
|
||||
\end{eqnarray*}
|
||||
\mathbf{c}_{s} & = (\mathbf{c}_{s,1},\mathbf{c}_{s,2}) \\
|
||||
& = \big( \mathbf{B}^T \cdot \mathbf{s}_{0} + \mathbf{e}_{0,1} ,~ \mathbf{G}_1^T \cdot \mathbf{s}_{0} + \mathbf{e}_{0,2} + \mathbf{s} \cdot \lfloor q/p \rfloor \big) \in \Zq^m \times \Zq^{2m} ,
|
||||
\end{align*}
|
||||
where $\mathbf{s}_{\mathbf{v}}, \mathbf{s}_{0} \sample \chi^n$, $\mathbf{e}_{\mathbf{v},1},\mathbf{e}_{0,1} \sample \chi^m$,
|
||||
$\mathbf{e}_{\mathbf{v},2},\mathbf{e}_{0,2}\sample \chi^{2m}$.
|
||||
\item[2.] Prove in zero-knowledge that $\mathbf{c}_{\tau}$, $\mathbf{c}_{s}$, $\mathbf{c}_{\mathbf{v} }$, $\{\mathbf{c}_k\}_{k=1}^N$ encrypt a valid message-signature pair. In Section~\ref{subsection:zk-for-signature}, we show that this involved zero-knowledge protocol can be derived from the statistical zero-knowledge argument of knowledge for a simpler, but more general relation that we explicitly present in \cref{se:gs-lwe-stern}. The proof system can be made statistically ZK for a malicious verifier using standard techniques (assuming a common reference string, we can use \cite{Dam00}). In the random oracle model, it can
|
||||
|
||||
10
these.bib
10
these.bib
@@ -2821,4 +2821,14 @@
|
||||
publisher = {Springer},
|
||||
}
|
||||
|
||||
@InProceedings{BBDP01,
|
||||
author = {Bellare, Mihir and Boldyreva, Alexandra and Desai, Anand and Pointcheval, David},
|
||||
title = {{Key-Privacy in Public-Key Encryption}},
|
||||
booktitle = {PKC},
|
||||
year = {2001},
|
||||
series = {LNCS},
|
||||
pages = {566--582},
|
||||
publisher = {Springer},
|
||||
}
|
||||
|
||||
@Comment{jabref-meta: databaseType:bibtex;}
|
||||
|
||||
Reference in New Issue
Block a user