Last modifications
This commit is contained in:
@ -431,7 +431,7 @@ the equality
|
||||
\mathbf{A}_{\tau^{(i^\dagger)}} \cdot \left[ \begin{array}{c}
|
||||
\mathbf{v}_1^\star \\ \hline \mathbf{v}_2^\star
|
||||
\end{array} \right]
|
||||
&=& \mathbf{u} + \mathbf{D} \cdot \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
|
||||
&=& \mathbf{u} + \mathbf{D} \cdot \textsf{bin}( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
|
||||
+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } ) \quad \bmod q.
|
||||
\end{eqnarray}
|
||||
|
||||
@ -442,13 +442,13 @@ such that
|
||||
\mathbf{v}_1 \\ \hline \mathbf{v}_2
|
||||
\end{array} \right] = \mathbf{u} + \mathbf{D} \cdot \textsf{bin}( \mathbf{c}_M ) \bmod q. \end{eqnarray}
|
||||
Relation (\ref{sim-s}) implies that $ \mathbf{c}_M \neq \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
|
||||
+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } \bmod q$ by hypothesis. It follows that $\textsf{bin}(\mathbf{c}_M) - \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
|
||||
+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } \bmod q$ by hypothesis. It follows that $\textsf{bin}(\mathbf{c}_M) - \textsf{bin}( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
|
||||
+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } ) $ is a non-zero vector in $\{-1,0,1\}^m$. Subtracting (\ref{second-sol}) from (\ref{first-sol}), we get
|
||||
\begin{eqnarray*}
|
||||
\mathbf{A}_{\tau^{(i^\dagger)}} \cdot \left[\begin{array}{c}
|
||||
\mathbf{v}_1^\star - \mathbf{v}_1 \\ \hline \mathbf{v}_2^\star - \mathbf{v}_1
|
||||
\end{array} \right]
|
||||
&=& \mathbf{D} \cdot \bigl( \textsf{bin}(\mathbf{c}_M) - \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
|
||||
&=& \mathbf{D} \cdot \bigl( \textsf{bin}(\mathbf{c}_M) - \textsf{bin}( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
|
||||
+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } ) \bigr) \mod q,
|
||||
\end{eqnarray*}
|
||||
which implies
|
||||
@ -456,7 +456,7 @@ which implies
|
||||
\left[
|
||||
\begin{array}{c|c} \mathbf{D} \cdot \mathbf{S} ~ &~ \mathbf{D} \cdot (\mathbf{S}_0 +
|
||||
\sum_{j=1}^\ell \tau^{(i^\dagger)}[j] \cdot \mathbf{S}_j)
|
||||
\end{array} \right] \cdot \left[ \begin{array}{c} {\mathbf{v}_1^\star -\mathbf{v}_1 } \\ \hline {\mathbf{v}_2^\star - \mathbf{v}_2 } \end{array} \right] \\ = \mathbf{D} \cdot \bigl( \textsf{bin}(\mathbf{c}_M) - \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
|
||||
\end{array} \right] \cdot \left[ \begin{array}{c} {\mathbf{v}_1^\star -\mathbf{v}_1 } \\ \hline {\mathbf{v}_2^\star - \mathbf{v}_2 } \end{array} \right] \\ = \mathbf{D} \cdot \bigl( \textsf{bin}(\mathbf{c}_M) - \textsf{bin}( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
|
||||
+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } ) \bigr) \mod q .
|
||||
\end{multline}
|
||||
The above implies that the vector
|
||||
@ -466,7 +466,7 @@ which implies
|
||||
\nonumber && \hspace{2.75cm} ~+ \bit \big( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} } + \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } \big) - \textsf{bin}(\mathbf{c}_M)
|
||||
\end{eqnarray}
|
||||
is a short integer vector of $\Lambda_q^{\perp}(\mathbf{D})$. Indeed, its norm can be bounded as $\| \mathbf{w} \| \leq \beta'' = \sqrt{2} (\ell+2) \sigma^2 m^{3/2} + m^{1/2} $. We argue that it is non-zero with overwhelming probability. We already observed that
|
||||
$ \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
|
||||
$ \textsf{bin}( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
|
||||
+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } ) - \textsf{bin}(\mathbf{c}_M)$ is a non-zero vector of $\{-1,0,1\}^m$, which rules out the event that
|
||||
$({\mathbf{v}_1^\star}, {\mathbf{v}_2^\star} ) =({\mathbf{v}_1} , {\mathbf{v}_2}) $. Hence, we can only have $\mathbf{w}=\mathbf{0}^m$ when the equality
|
||||
\begin{multline} \label{final-eq}
|
||||
@ -716,7 +716,7 @@ probabilities during hybrid games where the two distributions are not close in t
|
||||
Then, it computes $\mathbf{c}_M = \mathbf{D}_0 \cdot \mathbf{s}_0 \in \ZZ_q^{2n}$ for a short Gaussian vector
|
||||
$\mathbf{s}_0 \sample D_{\ZZ^{2m},\sigma_0}$, which will be used in the $i^\dagger$-th query.
|
||||
Next, it samples short vectors $\mathbf{v}_1,\mathbf{v}_2 \sample D_{\ZZ^m,\sigma}$ to define
|
||||
$$\mathbf{u}= \mathbf{A}_{\tau^{(i^\dagger)}} \cdot \begin{bmatrix} \mathbf{v}_1 \\ \mathbf{v}_2 \end{bmatrix} - \mathbf{D} \cdot \bit (\mathbf{c}_M) ~ \in \ZZ_q^n.$$
|
||||
$$\mathbf{u}= \mathbf{A}_{\tau^{(i^\dagger)}} \cdot \begin{bmatrix} \mathbf{v}_1 \\ \mathbf{v}_2 \end{bmatrix} - \mathbf{D} \cdot \textsf{bin}(\mathbf{c}_M) ~ \in \ZZ_q^n.$$
|
||||
In addition, $\bdv$ picks extra small-norm matrices $\mathbf{R}_1,\ldots,\mathbf{R}_N \in \ZZ^{2m \times 2m}$ whose columns are sampled from $D_{\ZZ^m,\sigma}$, which
|
||||
are used to define randomizations of $\mathbf{D}_0$ by computing $\mathbf{D}_k = \mathbf{D}_0 \cdot \mathbf{R}_k$ for each $k \in \{1,\ldots,N\}$.
|
||||
The adversary is given public parameters $\mathsf{par}\coloneqq \{\mathbf{B},\mathbf{G}_0,\mathbf{G}_1,CK\}$, where $CK=\{\mathbf{D}_k\}_{k=0}^N$, and the public key $PK\coloneqq \big( \mathbf{A}, \{\mathbf{A}_j\}_{j=0}^\ell, \mathbf{D},\mathbf{u} \big)$.
|
||||
@ -1070,18 +1070,18 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
|
||||
The case $coin=1$ corresponds to $\bdv$'s expectation that the knowledge extractor will obtain the identifier $ \mathsf{id}^\star = \mathsf{id}^\dagger$ of a group member in
|
||||
$ U^a$ (i.e., a group member that was legitimately introduced at the $i^\star$-th $\mathcal{Q}_{\ajoin}$-query, for some $i^\star \in \{1,\ldots,Q_a\}$, where the identifier
|
||||
$\mathsf{id}^\dagger$ is used by $\mathcal{Q}_{\ajoin}$),
|
||||
but $\bit ( \mathbf{v}^\star ) \in \{0,1\}^{2m}$ (which is encrypted in in $\mathbf{c}_{\mathbf{v}_i}^\star$ as part of the forgery $\Sigma^\star$) and the extracted $\mathbf{s}^\star \in \ZZ^{2m}$ are such that $ \bit \bigl( \mathbf{D}_0 \cdot \bit ( \mathbf{v}^\star ) + \mathbf{D}_1 \cdot \mathbf{s}^\star \bigr) \in \{0,1\}^m $
|
||||
but $\textsf{bin}( \mathbf{v}^\star ) \in \{0,1\}^{2m}$ (which is encrypted in in $\mathbf{c}_{\mathbf{v}_i}^\star$ as part of the forgery $\Sigma^\star$) and the extracted $\mathbf{s}^\star \in \ZZ^{2m}$ are such that $ \bit \bigl( \mathbf{D}_0 \cdot \textsf{bin}( \mathbf{v}^\star ) + \mathbf{D}_1 \cdot \mathbf{s}^\star \bigr) \in \{0,1\}^m $
|
||||
does not match
|
||||
the string $ \bit \bigl( \mathbf{D}_0 \cdot \bit ( \mathbf{v}_{i^\star} ) + \mathbf{D}_1 \cdot \mathbf{s}_{i^\star} \bigr) \in \{0,1\}^{2m} $ for which
|
||||
the string $ \bit \bigl( \mathbf{D}_0 \cdot \textsf{bin}( \mathbf{v}_{i^\star} ) + \mathbf{D}_1 \cdot \mathbf{s}_{i^\star} \bigr) \in \{0,1\}^{2m} $ for which
|
||||
user $i^\star$ obtained a membership certificate at the $i^\star$-th $\mathcal{Q}_{\ajoin}$-query. When $coin=1$, the choice of $i^\star$ corresponds to a guess that the knowledge
|
||||
extractor will reveal an $\ell$-bit identifier that coincides with the identifier $\mathsf{id}^\dagger$ assigned to the user introduced at the $i^\star$-th $\mathcal{Q}_{\ajoin}$-query.
|
||||
The last case $coin=2$ corresponds to $\bdv$'s expectation that decrypting $\mathbf{c}_{\mathbf{v}_i}^\star$ (which is part of $\Sigma^\star$) and running
|
||||
the knowledge extractor on $\adv$ will uncover vectors $\bit ( \mathbf{v}^\star ) \in \{0,1\}^{2m}$, $\mathbf{w}^\star \in \{0,1\}^m$ and $\mathbf{s}^\star \in \ZZ^{2m}$
|
||||
the knowledge extractor on $\adv$ will uncover vectors $\textsf{bin}( \mathbf{v}^\star ) \in \{0,1\}^{2m}$, $\mathbf{w}^\star \in \{0,1\}^m$ and $\mathbf{s}^\star \in \ZZ^{2m}$
|
||||
such that $\mathbf{w}^\star= \textsf{bin}(\mathbf{D}_0 \cdot \textsf{bin}(\mathbf{v}^\star) + \mathbf{D}_1 \cdot \mathbf{s}^\star )$ and
|
||||
\begin{eqnarray} \label{collide}
|
||||
\bit \bigl( \mathbf{D}_0 \cdot \bit ( \mathbf{v}^\star ) + \mathbf{D}_1 \cdot \mathbf{s}^\star \bigr) = \bit \bigl( \mathbf{D}_0 \cdot \bit ( \mathbf{v}_{i^\star} ) + \mathbf{D}_1 \cdot \mathbf{s}_{i^\star} \bigr)
|
||||
\bit \bigl( \mathbf{D}_0 \cdot \textsf{bin}( \mathbf{v}^\star ) + \mathbf{D}_1 \cdot \mathbf{s}^\star \bigr) = \bit \bigl( \mathbf{D}_0 \cdot \textsf{bin}( \mathbf{v}_{i^\star} ) + \mathbf{D}_1 \cdot \mathbf{s}_{i^\star} \bigr)
|
||||
\end{eqnarray}
|
||||
but $(\bit ( \mathbf{v}^\star ), \mathbf{s}^\star) \neq ( \bit ( \mathbf{v}_{i^\star} ), \mathbf{s}_{i^\star} ) $, where $ \mathbf{v}_{i^\star} \in \Zq^{4n}$ and $\mathbf{s}_{i^\star} \in \ZZ^{2m}$ are the vectors
|
||||
but $(\textsf{bin}( \mathbf{v}^\star ), \mathbf{s}^\star) \neq ( \textsf{bin}( \mathbf{v}_{i^\star} ), \mathbf{s}_{i^\star} ) $, where $ \mathbf{v}_{i^\star} \in \Zq^{4n}$ and $\mathbf{s}_{i^\star} \in \ZZ^{2m}$ are the vectors
|
||||
involved in the $i^\star$-th $\mathcal{Q}_{\ajoin}$-query.
|
||||
\\
|
||||
\indent
|
||||
|
||||
Reference in New Issue
Block a user