Merge Group Encryption
This commit is contained in:
parent
644846cbf1
commit
b9b5ea7137
1007
chap-GE-LWE.tex
1007
chap-GE-LWE.tex
File diff suppressed because it is too large
Load Diff
@ -542,8 +542,7 @@ Let $p = \sigma \cdot \omega(\sqrt{m})$ upper-bound entries of vectors sampled
|
|||||||
random matrices $\mathbf{D}_k \sample (\Zq^{2n \times 2m})$ for a statistically hiding commitment
|
random matrices $\mathbf{D}_k \sample (\Zq^{2n \times 2m})$ for a statistically hiding commitment
|
||||||
to vectors in $(\{0,1\}^{2m})^N$.
|
to vectors in $(\{0,1\}^{2m})^N$.
|
||||||
Return public parameters consisting of
|
Return public parameters consisting of
|
||||||
$$ \mathsf{par}\coloneqq \{ ~\mathbf{B} \in \Zq^{n \times m} ,~\mathbf{G}_0 \in \Zq^{n \times \ell},~\mathbf{G}_1 \in \Zq^{n \times 2m},~CK \}. $$
|
\[ \mathsf{par}\coloneqq \{ \mathbf{B} \in \Zq^{n \times m} ,\mathbf{G}_0 \in \Zq^{n \times \ell},\mathbf{G}_1 \in \Zq^{n \times 2m},CK \}. \]
|
||||||
%where $p > \sigma_1 \sqrt{m}$ upper-bounds entries of vectors sampled from the distribution $D_{\ZZ^m,\sigma_1}$,
|
|
||||||
|
|
||||||
\item[\textsf{Issue} $\leftrightarrow$ \textsf{Obtain} :] The signer $S$, who holds a key pair $PK\coloneqq \{ \mathbf{A} , ~\{\mathbf{A}_j\}_{j=0}^\ell,~\mathbf{D},~\mathbf{u} \}$, $SK\coloneqq \mathbf{T}_{\mathbf{A}}$, interacts with the user $U$
|
\item[\textsf{Issue} $\leftrightarrow$ \textsf{Obtain} :] The signer $S$, who holds a key pair $PK\coloneqq \{ \mathbf{A} , ~\{\mathbf{A}_j\}_{j=0}^\ell,~\mathbf{D},~\mathbf{u} \}$, $SK\coloneqq \mathbf{T}_{\mathbf{A}}$, interacts with the user $U$
|
||||||
who has a message $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$, in the following interactive protocol. \smallskip
|
who has a message $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$, in the following interactive protocol. \smallskip
|
||||||
@ -551,15 +550,17 @@ Let $p = \sigma \cdot \omega(\sqrt{m})$ upper-bound entries of vectors sampled
|
|||||||
\item[1.] $U$ samples $\mathbf{s}' \sample D_{\ZZ^{2m},\sigma} $ and computes $ \mathbf{c}_{\mathfrak{m}} = \mathbf{D}_0 \cdot \mathbf{s}' + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k \in \mathbb{Z}_q^{2n}$
|
\item[1.] $U$ samples $\mathbf{s}' \sample D_{\ZZ^{2m},\sigma} $ and computes $ \mathbf{c}_{\mathfrak{m}} = \mathbf{D}_0 \cdot \mathbf{s}' + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k \in \mathbb{Z}_q^{2n}$
|
||||||
which is sent to $S$ as a commitment to $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$. In addition, $U$ encrypts $\{\mathfrak{m}_k\}_{k=1}^N$ and $\mathbf{s}'$ under the dual-Regev public key $(\mathbf{B},\mathbf{G}_1)$
|
which is sent to $S$ as a commitment to $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$. In addition, $U$ encrypts $\{\mathfrak{m}_k\}_{k=1}^N$ and $\mathbf{s}'$ under the dual-Regev public key $(\mathbf{B},\mathbf{G}_1)$
|
||||||
by computing for all $k \in \{1,\ldots,N\}$:
|
by computing for all $k \in \{1,\ldots,N\}$:
|
||||||
\begin{eqnarray} \label{enc-Mk} \nonumber
|
\begin{align} \label{enc-Mk} \nonumber
|
||||||
\mathbf{c}_{k} &=& (\mathbf{c}_{k,1},\mathbf{c}_{k,2}) \\ &=& \big( \mathbf{B}^T \cdot \mathbf{s}_{k} + \mathbf{e}_{k,1} ,~ \mathbf{G}_1^T \cdot \mathbf{s}_{k} + \mathbf{e}_{k,2} + \mathfrak{m}_k \cdot \lfloor q/2 \rfloor \big) \in \Zq^m \times \Zq^{2m} \qquad %\forall k\in \{1,\ldots,N\}
|
\mathbf{c}_{k} & = (\mathbf{c}_{k,1},\mathbf{c}_{k,2}) \\
|
||||||
%\qquad
|
& = \big( \mathbf{B}^T \cdot \mathbf{s}_{k} + \mathbf{e}_{k,1} ,~ \mathbf{G}_1^T \cdot \mathbf{s}_{k} + \mathbf{e}_{k,2} + \mathfrak{m}_k \cdot \lfloor q/2 \rfloor \big) \in \Zq^m \times \Zq^{2m}
|
||||||
\end{eqnarray}
|
\end{align}
|
||||||
for randomly chosen $\mathbf{s}_{k} \sample \chi^n$, $\mathbf{e}_{k,1} \sample \chi^m$, $\mathbf{e}_{k,2} \sample \chi^{2m}$,
|
for randomly chosen $\mathbf{s}_{k} \sample \chi^n$, $\mathbf{e}_{k,1} \sample \chi^m$, $\mathbf{e}_{k,2} \sample \chi^{2m}$,
|
||||||
and \begin{eqnarray} \label{enc-s} \nonumber
|
and
|
||||||
\mathbf{c}_{s'} &=& (\mathbf{c}_{s',1},\mathbf{c}_{s',2}) \\ &=& \big( \mathbf{B}^T \cdot \mathbf{s}_{0} + \mathbf{e}_{0,1} ,~ \mathbf{G}_1^T \cdot \mathbf{s}_{0} + \mathbf{e}_{0,2} + \mathbf{s}' \cdot \lfloor q/p \rfloor \big) \in \Zq^m \times \Zq^{2m}
|
\begin{align} \label{enc-s} \nonumber
|
||||||
\end{eqnarray}
|
\mathbf{c}_{s'} & = (\mathbf{c}_{s',1},\mathbf{c}_{s',2}) \\
|
||||||
where $\mathbf{s}_{0} \sample \chi^n$, $\mathbf{e}_{0,1} \sample \chi^m$, $\mathbf{e}_{0,2} \sample \chi^{2m}$. The ciphertexts $\{\mathbf{c}_k\}_{k=1}^N$ and $\mathbf{c}_{s'}$ are
|
& = \big( \mathbf{B}^T \cdot \mathbf{s}_{0} + \mathbf{e}_{0,1} ,~ \mathbf{G}_1^T \cdot \mathbf{s}_{0} + \mathbf{e}_{0,2} + \mathbf{s}' \cdot \lfloor q/p \rfloor \big) \in \Zq^m \times \Zq^{2m}
|
||||||
|
\end{align}
|
||||||
|
where $\mathbf{s}_{0} \sample \chi^n$, $\mathbf{e}_{0,1} \sample \chi^m$, $\mathbf{e}_{0,2} \sample \chi^{2m}$. The ciphertexts $\{\mathbf{c}_k\}_{k=1}^N$ and $\mathbf{c}_{s'}$ are
|
||||||
sent to $S$ along with $\mathbf{c}_{\mathfrak{m}}$.
|
sent to $S$ along with $\mathbf{c}_{\mathfrak{m}}$.
|
||||||
|
|
||||||
Then, $U$ generates an interactive zero-knowledge argument to convince~$S$ that
|
Then, $U$ generates an interactive zero-knowledge argument to convince~$S$ that
|
||||||
@ -589,19 +590,25 @@ does the following. \smallskip \smallskip
|
|||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item[1.] Using $(\mathbf{B},\mathbf{G}_0)$ and $(\mathbf{B},\mathbf{G}_1)$ generate perfectly binding commitments to $\tau \in \{0,1\}^\ell$, $\{\mathfrak{m}_k \}_{k=1}^N$,
|
\item[1.] Using $(\mathbf{B},\mathbf{G}_0)$ and $(\mathbf{B},\mathbf{G}_1)$ generate perfectly binding commitments to $\tau \in \{0,1\}^\ell$, $\{\mathfrak{m}_k \}_{k=1}^N$,
|
||||||
$\mathbf{v}_1,\mathbf{v}_2 \in \ZZ^m$ and $\mathbf{s} \in \ZZ^{2m}$. Namely, compute
|
$\mathbf{v}_1,\mathbf{v}_2 \in \ZZ^m$ and $\mathbf{s} \in \ZZ^{2m}$. Namely, compute
|
||||||
\begin{eqnarray*} \nonumber
|
\begin{align*}
|
||||||
\mathbf{c}_{\tau} &=& (\mathbf{c}_{\tau,1},\mathbf{c}_{\tau,2}) \\ &=& \big( \mathbf{B}^T \cdot \mathbf{s}_{\tau} + \mathbf{e}_{\tau,1} ,~ \mathbf{G}_0^T \cdot \mathbf{s}_{\tau} + \mathbf{e}_{\tau,2} + \tau
|
\mathbf{c}_{\tau} & = (\mathbf{c}_{\tau,1},\mathbf{c}_{\tau,2}) \\
|
||||||
|
& = \big( \mathbf{B}^T \cdot \mathbf{s}_{\tau} + \mathbf{e}_{\tau,1} ,~ \mathbf{G}_0^T \cdot \mathbf{s}_{\tau} + \mathbf{e}_{\tau,2} + \tau
|
||||||
\cdot \lfloor q/2 \rfloor \big) \in \Zq^m \times \Zq^\ell, \\
|
\cdot \lfloor q/2 \rfloor \big) \in \Zq^m \times \Zq^\ell, \\
|
||||||
\mathbf{c}_{k} &=& (\mathbf{c}_{k,1},\mathbf{c}_{k,2}) \\ &=& \big( \mathbf{B}^T \cdot \mathbf{s}_{k} + \mathbf{e}_{k,1} ,~ \mathbf{G}_1^T \cdot \mathbf{s}_{k} + \mathbf{e}_{k,2} + \mathfrak{m}_k \cdot \lfloor q/2 \rfloor \big) \in \Zq^m \times \Zq^{2m}
|
%
|
||||||
\\ && \hspace{7.6cm} \forall k\in \{1,\ldots,N\} \qquad
|
\mathbf{c}_{k} & = (\mathbf{c}_{k,1},\mathbf{c}_{k,2}) \\
|
||||||
\end{eqnarray*}
|
& = \big( \mathbf{B}^T \cdot \mathbf{s}_{k} + \mathbf{e}_{k,1} ,~ \mathbf{G}_1^T \cdot \mathbf{s}_{k} + \mathbf{e}_{k,2} + \mathfrak{m}_k \cdot \lfloor q/2 \rfloor \big) \in \Zq^m \times \Zq^{2m} \\
|
||||||
|
& \hspace{7.6cm} \forall k\in \{1,\ldots,N\}
|
||||||
|
\end{align*}
|
||||||
where $\mathbf{s}_{\tau}, \mathbf{s}_{k} \sample \chi^n$, $\mathbf{e}_{\tau,1} , \mathbf{e}_{k,1} \sample \chi^m$, $\mathbf{e}_{\tau,2} \sample \chi^\ell$, $\mathbf{e}_{k,2} \sample \chi^{2m}$,
|
where $\mathbf{s}_{\tau}, \mathbf{s}_{k} \sample \chi^n$, $\mathbf{e}_{\tau,1} , \mathbf{e}_{k,1} \sample \chi^m$, $\mathbf{e}_{\tau,2} \sample \chi^\ell$, $\mathbf{e}_{k,2} \sample \chi^{2m}$,
|
||||||
as well as \begin{eqnarray*} \nonumber
|
as well as
|
||||||
\mathbf{c}_{\mathbf{v}} &=& (\mathbf{c}_{\mathbf{v},1},\mathbf{c}_{\mathbf{v},2}) \\ &=& \big( \mathbf{B}^T \cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},1} ,~ \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},2} + \mathbf{v} \cdot \lfloor q/p \rfloor \big) \in \Zq^m \times \Zq^{2m}
|
\begin{align*}
|
||||||
\\
|
\mathbf{c}_{\mathbf{v}} & = (\mathbf{c}_{\mathbf{v},1},\mathbf{c}_{\mathbf{v},2}) \\
|
||||||
|
& = \big( \mathbf{B}^T \cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},1} ,~ \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},2} + \mathbf{v} \cdot \lfloor q/p \rfloor \big) \in \Zq^m \times \Zq^{2m}
|
||||||
|
\\
|
||||||
%\mathbf{c}_{\mathbf{v}_2} &=& (\mathbf{c}_{\mathbf{v}_2,1},\mathbf{c}_{\mathbf{v}_2,2}) \\ &=& \big( \mathbf{B}^T \cdot \mathbf{s}_{\mathbf{v}_2} + \mathbf{e}_{\mathbf{v}_2,1} ,~ \mathbf{G}_1^T %\cdot \mathbf{s}_{\mathbf{v}_2} + \mathbf{e}_{\mathbf{v}_2,2} + \mathbf{v}_2 \cdot \lfloor q/p \rfloor \big) \in \Zq^m \times \Zq^m \\
|
%\mathbf{c}_{\mathbf{v}_2} &=& (\mathbf{c}_{\mathbf{v}_2,1},\mathbf{c}_{\mathbf{v}_2,2}) \\ &=& \big( \mathbf{B}^T \cdot \mathbf{s}_{\mathbf{v}_2} + \mathbf{e}_{\mathbf{v}_2,1} ,~ \mathbf{G}_1^T %\cdot \mathbf{s}_{\mathbf{v}_2} + \mathbf{e}_{\mathbf{v}_2,2} + \mathbf{v}_2 \cdot \lfloor q/p \rfloor \big) \in \Zq^m \times \Zq^m \\
|
||||||
\mathbf{c}_{s} &=& (\mathbf{c}_{s,1},\mathbf{c}_{s,2}) \\ &=& \big( \mathbf{B}^T \cdot \mathbf{s}_{0} + \mathbf{e}_{0,1} ,~ \mathbf{G}_1^T \cdot \mathbf{s}_{0} + \mathbf{e}_{0,2} + \mathbf{s} \cdot \lfloor q/p \rfloor \big) \in \Zq^m \times \Zq^{2m} ,
|
\mathbf{c}_{s} & = (\mathbf{c}_{s,1},\mathbf{c}_{s,2}) \\
|
||||||
\end{eqnarray*}
|
& = \big( \mathbf{B}^T \cdot \mathbf{s}_{0} + \mathbf{e}_{0,1} ,~ \mathbf{G}_1^T \cdot \mathbf{s}_{0} + \mathbf{e}_{0,2} + \mathbf{s} \cdot \lfloor q/p \rfloor \big) \in \Zq^m \times \Zq^{2m} ,
|
||||||
|
\end{align*}
|
||||||
where $\mathbf{s}_{\mathbf{v}}, \mathbf{s}_{0} \sample \chi^n$, $\mathbf{e}_{\mathbf{v},1},\mathbf{e}_{0,1} \sample \chi^m$,
|
where $\mathbf{s}_{\mathbf{v}}, \mathbf{s}_{0} \sample \chi^n$, $\mathbf{e}_{\mathbf{v},1},\mathbf{e}_{0,1} \sample \chi^m$,
|
||||||
$\mathbf{e}_{\mathbf{v},2},\mathbf{e}_{0,2}\sample \chi^{2m}$.
|
$\mathbf{e}_{\mathbf{v},2},\mathbf{e}_{0,2}\sample \chi^{2m}$.
|
||||||
\item[2.] Prove in zero-knowledge that $\mathbf{c}_{\tau}$, $\mathbf{c}_{s}$, $\mathbf{c}_{\mathbf{v} }$, $\{\mathbf{c}_k\}_{k=1}^N$ encrypt a valid message-signature pair. In Section~\ref{subsection:zk-for-signature}, we show that this involved zero-knowledge protocol can be derived from the statistical zero-knowledge argument of knowledge for a simpler, but more general relation that we explicitly present in \cref{se:gs-lwe-stern}. The proof system can be made statistically ZK for a malicious verifier using standard techniques (assuming a common reference string, we can use \cite{Dam00}). In the random oracle model, it can
|
\item[2.] Prove in zero-knowledge that $\mathbf{c}_{\tau}$, $\mathbf{c}_{s}$, $\mathbf{c}_{\mathbf{v} }$, $\{\mathbf{c}_k\}_{k=1}^N$ encrypt a valid message-signature pair. In Section~\ref{subsection:zk-for-signature}, we show that this involved zero-knowledge protocol can be derived from the statistical zero-knowledge argument of knowledge for a simpler, but more general relation that we explicitly present in \cref{se:gs-lwe-stern}. The proof system can be made statistically ZK for a malicious verifier using standard techniques (assuming a common reference string, we can use \cite{Dam00}). In the random oracle model, it can
|
||||||
|
10
these.bib
10
these.bib
@ -2821,4 +2821,14 @@
|
|||||||
publisher = {Springer},
|
publisher = {Springer},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@InProceedings{BBDP01,
|
||||||
|
author = {Bellare, Mihir and Boldyreva, Alexandra and Desai, Anand and Pointcheval, David},
|
||||||
|
title = {{Key-Privacy in Public-Key Encryption}},
|
||||||
|
booktitle = {PKC},
|
||||||
|
year = {2001},
|
||||||
|
series = {LNCS},
|
||||||
|
pages = {566--582},
|
||||||
|
publisher = {Springer},
|
||||||
|
}
|
||||||
|
|
||||||
@Comment{jabref-meta: databaseType:bibtex;}
|
@Comment{jabref-meta: databaseType:bibtex;}
|
||||||
|
Loading…
Reference in New Issue
Block a user