Modifications

This commit is contained in:
Fabrice Mouhartem 2018-04-30 14:54:55 +02:00
parent 73e934e564
commit c642ac2903
8 changed files with 77 additions and 22 deletions

View File

@ -1,7 +1,7 @@
In this Part, we will present two constructions for dynamic group signatures.
The construction that will be explained in \cref{ch:sigmasig} is an adaptation of the Libert, Peters and Yung short group signature in the standard model from classical pairing assumptions~\cite{LPY15} into the random oracle model to gain efficiency, while keeping the assumptions simple.
This gives us a constant-size group signature scheme that is competitive with other construction based on less standard assumptions.
An implementation is available and the timing are detailed in \cref{ch:sigmasig}.
This gives us a constant-size group signature scheme that is shown to be competitive with other constructions based on less standard assumptions.
An implementation is available and detailed in \cref{ch:sigmasig}.
The second construction, described in \cref{ch:gs-lwe}, is a lattice-based dynamic group signature where the scheme from Ling, Nguyen and Wang~\cite{LNW15} for static groups has been improved to match requirements for dynamic groups.
This construction has been the first fully secure group signature scheme from lattices.
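Review bot: "has been the first fully secure group signature scheme from lattices" on the last line should read "was the first", and "fully secure" should name the model it is measured in (presumably the dynamic-group definitions of \cref{ch:gs-background}), since the preceding line also presents LNW15 as a secure scheme for static groups. The rewording of the two replaced lines is fine; note that the new "An implementation is available and detailed in \cref{ch:sigmasig}" no longer says that timings are reported there, which the old line did.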
@ -68,6 +68,7 @@ membership secret, $\scr_i$.
%\paragraph{Syntax.}
We denote by $\Ngs \in \poly[\lambda]$ the maximal number of group members that the system will be able to handle.
\begin{definition}[Dynamic Group Signature]
\index{Dynamic group signatures}
A \emph{dynamic group signature} scheme consists of the algorithms or protocols $(\Setup, \mathsf{Join}, \Sign, \Verify, \Open)$ described as follows.
\begin{description}
@ -272,6 +273,7 @@ security properties are formalized as follows.
\subsection{Security Against Misidentification Attacks}
\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Sécurité face aux attaques par identification incorrecte}
\label{sec:RGSdefsecMisId}
\index{Dynamic group signatures!Mis-identifications}
\begin{figure}[H]
\centering
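Review bot: the new index entry "Dynamic group signatures!Mis-identifications" is inconsistent with the section title "Security Against Misidentification Attacks" two lines above and with the spelling change from "mis-identification" to "misidentification" made in chap-sigmasig in this same commit. Use one spelling, in the singular, e.g. `\index{Dynamic group signatures!Misidentification}`.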
@ -313,6 +315,7 @@ adversarially-controlled user.
\subsection{Non-Frameability}
\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Sécurité face aux attaques ciblées}
\label{sec:RGSdefsecMonFrame}
\index{Dynamic group signatures!Non frameability}
\begin{figure}[H]
\centering
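Review bot: the index entry "Non frameability" does not match the section title "Non-Frameability"; keep the hyphen and capitalisation consistent, e.g. `\index{Dynamic group signatures!Non-frameability}`. The context line `\label{sec:RGSdefsecMonFrame}` looks like a typo for `NonFrame`; if it is renamed, every `\cref` to it must be updated as well, so either fix it consistently or leave a comment explaining the name.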
@ -369,6 +372,7 @@ The adversary eventually aims at framing an honest group member.
\subsection{Full Anonymity}
\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Anonymat complet}
\label{sec:RGSdefsecAnon}
\index{Dynamic group signatures!anonymity}
\begin{figure}[H]
\centering
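Review bot: the new entry "Dynamic group signatures!anonymity" is lower-case while the sibling sub-entries added in this commit are capitalised, and makeindex sorts sub-entries case-sensitively, so this one will land out of order. It also drops "Full" although the section is titled "Full Anonymity"; `\index{Dynamic group signatures!Full anonymity}` would match.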

View File

@ -162,6 +162,7 @@ It is then possible to use this hash function $h_{\mathbf{A}}$ to construct the
\subsection{Non Interactive Proofs}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Preuves non interactives}
\label{sse:zk-nizk}
Another useful primitives are the non-interactive version of zero-knowledge proofs.
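Review bot: the level of the table-of-contents entry does not match the heading: `\subsection{Non Interactive Proofs}` is paired with `\addcontentsline{tof}{section}{\protect\numberline{\thesection} ...}`, while the other subsections touched in this commit use `{subsection}` and `\thesubsection`. The French entry will therefore carry the parent section's number. The trailing context line also needs agreement fixing: "Another useful primitive is the non-interactive version of zero-knowledge proofs."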
@ -177,7 +178,7 @@ Another useful primitives are the non-interactive version of zero-knowledge proo
\end{description}
\end{definition}
In the random oracle model, it is possible to transform a ZK proof into an NIZK proof. This techniques is called the Fiat-Shamir transform.
In the random oracle model~\cite{PS96,GT03}, it is possible to transform a ZK proof into an NIZK proof~\cite{FS86}. This techniques is called the Fiat-Shamir transform.
\begin{definition}[Fiat-Shamir Transform~{\cite{FS86}}]
\index{Zero Knowledge!Fiat-Shamir Transform}
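Review bot: the rewritten line keeps the typo "This techniques is called" (should be "This technique is called"). Two content points on the same line: the Fiat-Shamir transform applies to public-coin (e.g. Sigma-) protocols, not to an arbitrary ZK proof, so say "a public-coin ZK proof"; and the random oracle model is cited here as PS96,GT03, whereas chap-sigmasig in this same commit cites BR93 for it. Cite BR93 for the model and keep PS96 where the forking-lemma style of proof is meant, if that is the intent.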
@ -204,7 +205,8 @@ In the random oracle model, it is possible to transform a ZK proof into an NIZK
For the sake of completeness, we can also mention $\NIZK$ in the standard model, such at Groth-Sahai proofs~\cite{GOS06,GS08} for bilinear groups, but these will not be used in the context of this thesis.
In the trusted setup model described in \cref{se:games-sim}, there are also another type of $\NIZK$ proofs that are useful for us, for instance in \cref{ch:sigmasig}.
Namely, the quasi-adaptive \NIZK (\QANIZK)~\cite{JR13} which are \NIZK where the common reference string $\crs$ may depend on the language for which proofs have to be generated. A formal definition can be found in~\cite{JR13,KW15,LPJY13}, where completeness, soundness and zero-knowledge properties are adapted to take into account the \crs.
Namely, the quasi-adaptive \NIZK (\QANIZK)~\cite{JR13} which are \NIZK where the common reference string $\crs$ may depend on the language for which proofs have to be generated (in other sense, the distribution $D_\crs$ is a function of the language we want to prove). A formal definition can be found in~\cite{JR13,KW15,LPJY13}, where completeness, soundness and zero-knowledge properties are adapted to take into account the \crs.
\index{Zero Knowledge!QANIZK}
\section{Schnorr Proofs}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Preuves de Schnorr}
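Review bot: in the rewritten QA-NIZK sentence, "(in other sense, the distribution $D_\crs$ is a function of the language we want to prove)" should read "(in other words, the CRS distribution $D_\crs$ depends on the language being proven)". Two typos remain in the unchanged context lines of this hunk: "such at Groth-Sahai proofs" should be "such as", and "there are also another type of $\NIZK$ proofs" should be "there is also another type".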

View File

@ -1,3 +1 @@
\chapter{Introduction}
\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Introduction}

View File

@ -281,6 +281,7 @@ This security notion illustrates that no malicious collusions of users and the a
The security definition of $\indcpa$ is defined as an indistinguishability game.
The first security definition for $\PKE$ was although a simulation-based definition~\cite{GM84}.
In this context, instead of distinguishing between two messages, the goal is to distinguish between two different environments.
\index{Universal Composability}
In the following we will use the \emph{Real world}/\emph{Ideal world} paradigm~\cite{Can01} to describe those different environments.
Namely, for $\PKE$, it means that for any $\ppt$ adversary~$\widehat{\adv}$ --\,in the \emph{Real world}\,-- that interacts with a challenger $\cdv$
there exists a $\ppt$ \emph{simulator} $\widehat{\adv}'$ --\,in the \emph{Ideal world}\,-- that interacts with the same challenger $\cdv'$ with the difference that the functionality $F$ is replaced by a trusted third party in the \emph{Ideal word}.
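Review bot: "The first security definition for $\PKE$ was although a simulation-based definition" should read "was actually" (or "however, was"); "Ideal word" on the last line should be "Ideal world". The same sentence says the simulator interacts with "the same challenger $\cdv'$" while the real-world challenger is $\cdv$; either drop the prime or drop "same". The added `\index{Universal Composability}` is acceptable since the paradigm is cited as Can01, but the text itself never uses the term, so consider indexing "Real world/Ideal world paradigm" instead or in addition.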

View File

@ -4,25 +4,34 @@
%-------------------------------------------------
In this Chapter, we aim at lifting the \textit{signature with efficient protocols} from~\cite{LPY15} into the random oracle model in order to get an efficient construction~\cite{BR93}.
Signatures with efficient protocols in the Camenish and Lysyanskaya fashion~\cite{CL04a} are digital signatures that comes with companion zero-knowledge proofs that allows a signature holder to prove knowledge of the signature of a commited message as well as proving possession of a hidden message-signature pair in a zero-knowledge manner.
Signatures with efficient protocols in the Camenish and Lysyanskaya fashion~\cite{CL04a} are digital signatures which come with companion zero-knowledge proofs that allow a signature holder to prove knowledge of the signature of a commited message as well as proving possession of a hidden message-signature pair in a zero-knowledge manner.
This building block proved useful in the design of many efficient anonymity-related protocols as anonymous credentials~\cite{CL01}, which is similar to group signatures except that anonymity is irrevocable (meaning that there is no opening authority).
This building block proved useful in the design of many efficient anonymity-related protocols such as anonymous credentials~\cite{CL01}, which are similar to group signatures except that anonymity is irrevocable (meaning that there is no opening authority).
As explained in \cref{ch:proofs}, the \textit{quality} of a scheme depends on both its efficiency and the simplicity of the assumptions it relies on.
Before the works described in this Chapter, most signature schemes rely on groups of hidden order~\cite{CL04a} or non-standard assumptions in groups with bilinear maps~\cite{CL04, Oka06}.
To illustrate this multi-criteria quality evaluation, we can see that Camenisch and Lysyanskaya proposed a signature scheme that is secure in pairing-friendly groups but relies on the non-interactive LRSW assumption~\cite{LRSW99}; but this signature scheme requires $\mathcal{O}(n)$ group elements to encode an $\ell$-block message.
Pointcheval and Sanders improved this signature to go down to $\bigO(1)$ group elements for an $\ell$-block message, but which is only proven secure in the generic group model (a model where group accesses are handled by an oracle that performs the group operations).
We note that beside the scheme presented in this section, we are only aware of two schemes based on a fixed-size assumption: (1) a variant of the Camenisch and Lysyanskaya scheme~\cite{CL04} due to Gerbush, Lewko, O'Neill and Waters~\cite{GLOW12} in composite order groups.
We note that beside the scheme presented in this section, we are only aware of two schemes based on fixed-size assumptions: (1) a variant of the Camenisch and Lysyanskaya scheme~\cite{CL04} due to Gerbush, Lewko, O'Neill and Waters~\cite{GLOW12} in composite order groups.
Due to this assumption, the groups that are used are inherently bigger and leads to less efficient representations than in prime order groups: for equivalent security level, Freeman~\cite{Fre10} estimates that computing a pairing over a group $N = pq$ is at least $50$ times slower than the same pairing in the prime order group setting.
(2) A construction by Yuen, Chow, Zhang and Yu~\cite{YCZY14} under the decision linear assumption~\cite{BBS04} which unfortunately does not support ``randomizable signature'', which is an important property in privacy-enhancing cryptography. An application of this property is, in the context of group signatures, the re-randomization of credentials accross distinct privacy-preserving authentication.
In this Chapter, we provide a new signature scheme with efficient protocols and re-randomizable signatures under a simple and well studied assumption.
Namely, the security of our scheme relies on the \SXDH assumption in groups of prime order with a bilinear map.
From an efficiency point of view, the signature size for an $\ell$-block message consists of only $4$ groups elements.
From an efficiency point of view, the signature for an $\ell$-block message consists of only $4$ groups elements.
This signature length is made possible by using $\QANIZK$
This signature length is made possible by using efficient $\QANIZK$ arguments -- as presented in~\cref{sse:zk-nizk} and formally defined in~\cite{JR13} -- to prove the belonging to some linear subspace spanned by the rows of a matrix.
For this purpose, it was shown that for this specific task, the size of the argument may be independent of the dimension of the considered subspace~\cite{JR14,LPJY14,KW15}.
The signature scheme described in this chapter (\cref{scal-sig}) crucially takes advantage of this observation as $\ell$-block messages are certified using a $\QANIZK$ argument for a subspace of dimension $\bigO(\ell)$.
This construction natively supports efficient protocols to enhance privacy as described in \cref{new-proto}. Hence, our signature scheme enables the design of an efficient anonymous credentials system based on the sole \SXDH assumption.
As another showcase for this signature, we also design another primitives.
Namely, a dynamic group signature scheme, as described in \cref{ch:gs-background}, which is practical and relies on simple assumptions (namely \SXDH and \SDL).
This construction is competitive both in term of signature size and computation time with the best solutions based on non-interactive assumptions~\cite{BBS04,DP06} (in these cases, the Strong Diffie-Hellman assumption~\cite{BB04}).
Concretely, at the 128-bits security, each signature fits within $320$ bytes while providing the strongest sense of anonymity (meaning the definition in \cref{sec:RGSdefsecAnon}).
In this Chapter, we will first recall the useful building blocks that are used to design and prove our signature scheme that supports efficient protocols in the~\cite{CL02a} fashion. Then we describe this scheme and we next give the construction and the proof for the group signature scheme for dynamically growing groups. Finally, we show the experimental results we obtain for this group signature scheme.
%--------------------------------------------------
\section{Building blocks}
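Review bot: the rewritten sentence on signatures with efficient protocols still carries "Camenish" (Camenisch) and "commited" (committed). Further points in this hunk: "requires $\mathcal{O}(n)$ group elements to encode an $\ell$-block message" mixes $n$ with $\ell$ and `\mathcal{O}` with the `\bigO` used two lines later; LRSW is an interactive (oracle-based) assumption, so "non-interactive LRSW assumption" is wrong; the Pointcheval-Sanders sentence has no citation; "accross" should be "across"; the rewritten "only $4$ groups elements" should be "group elements"; "prove the belonging to some linear subspace" should be "prove membership in a linear subspace"; "we also design another primitives" should be "another primitive"; "in term of" should be "in terms of"; "128-bits security" should be "128-bit security"; and the last paragraph cites CL02a for the same "fashion" that the opening paragraph attributes to CL04a.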
@ -111,7 +120,7 @@ Moreover, we show that their scheme remains unforgeable under the $\SXDH$ assump
\setlength{\arraycolsep}{0.3em}\def\arraystretch{1.3}
\left(\begin{array}{c|c|c|c}
g & \mathbf{1}_{{}_{\ell+1}} & \mathbf{1}_{{}_{\ell+1}} & h \\ \hline
\vec{v}^\top & g^{\mathbf{I_{\ell+1}}} & h^{\mathbf{I_{\ell+1}}}
\vec{v}^\top & g^{\mathbf{I}_{\ell+1}} & h^{\mathbf{I}_{\ell+1}}
& \mathbf{1}_{{}_{\ell+1}}^\top
\end{array}\right) ,
\end{equation}
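Review bot: moving the subscript outside `\mathbf{}` (`\mathbf{I}_{\ell+1}`) is correct and matches the new notation-table entry, but the same matrix uses `\vec{v}^\top` while the notation table defines the transpose as `\mathbf{A}^T_{}`; pick one transpose symbol for the thesis.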
@ -1023,8 +1032,8 @@ This results in a modified opening algorithm which takes $O(N)$ in the worst-cas
%---------------------------------------------------------------------
\subsection{Security}
The security of the above dynamic group signature scheme, namely full anonymity, security against mis-identifications and security against framing attacks that are defined in \cref{sse:gs-sec-notions} are expressed in \cref{th:sgsig-anonymity}, \cref{th:sgsig-mis-identification} and~\cref{th:sgsig-non-frameability} respectively.
The security relies on the \SXDH assumption for anonymity and mis-identification, and on the \SDL assumption for non-frameability.
The security of the above dynamic group signature scheme, namely full anonymity, security against misidentifications and security against framing attacks that are defined in \cref{sse:gs-sec-notions} are expressed in \cref{th:sgsig-anonymity}, \cref{th:sgsig-mis-identification} and~\cref{th:sgsig-non-frameability} respectively.
The security relies on the \SXDH assumption for anonymity and misidentification, and on the \SDL assumption for non-frameability.
\begin{theorem} \label{th:sgsig-anonymity}
If $\SXDH$ holds in $(\GG, \Gh, \GT)$, the scheme is CCA-anonymous in the random oracle model. %
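Review bot: in the rewritten sentence "The security of the above dynamic group signature scheme, namely ..., are expressed in ..." the subject is "The security", so "is expressed". The theorem states SXDH "in $(\GG, \Gh, \GT)$" whereas the misidentification theorem later in this commit states it "in $(\GG,\Gh)$"; SXDH is the DDH assumption in $\GG$ and in $\Gh$, so use the same phrasing in both. The spelling change to "misidentification" here is not mirrored by the index entry "Mis-identifications" added to chap-gs-background in this commit.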
@ -1205,7 +1214,7 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re
\begin{theorem} \label{th:sgsig-mis-identification}
In the ROM, the scheme is secure against
mis-identification attacks under the $\SXDH$ assumption in $(\GG,\Gh)$.
misidentification attacks under the $\SXDH$ assumption in $(\GG,\Gh)$.
\end{theorem}
%
\begin{proof}
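Review bot: the theorem statement opens with "In the ROM" while the anonymity theorem above spells out "in the random oracle model"; use one form, and if the abbreviation is kept, make sure ROM is introduced where the model is defined.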
@ -1216,7 +1225,7 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re
the reduction can extract witnesses of which knowledge is demonstrated by the signature of knowledge.\\
%After the extraction, the reduction can then call the corresponding oracles to simulate the game without having
%information it does not hold.
\indent Let us assume an attacker $\adv$ against the mis-identification game that wins with non-negligible
\indent Let us assume an attacker $\adv$ against the misidentification game that wins with non-negligible
probability $\varepsilon$. We build an adversary $\bdv$ against the chosen-message security of the signature
scheme of section~\ref{scal-sig}. \medskip
\\
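Review bot: "the signature scheme of section~\ref{scal-sig}" uses a bare `\ref` with a lower-case "section", while the rest of the chapter uses `\cref{scal-sig}`; switch to `\cref` so the reference is formatted consistently. The `\medskip` followed by `\\` at the end of the paragraph will produce an underfull hbox warning; a blank line or `\par` is enough.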
@ -1417,13 +1426,31 @@ Their scheme provides signatures composed of only $2$ group elements in $\GG$ an
Our main contribution compared to these schemes is to provide size-comparable signatures --\,we recall that our scheme is
composed of $7$ group elements and $3$ scalars in $\Zp$\,-- while relying on standard, constant-size assumptions.
Moreover, we can notice that we can save one element in $\GG$ at the expense of a linear-time opening algorithm in the
number $N$ of group users (like \cite{BCN+10}).
number $\Ngs$ of group users (like \cite{BCN+10}).
%On the other hand, the comparison of computational cost is not straightforward, as it is not clear if the computation of $e(x^\alpha, \hat x) \cdot e(y^\beta, \hat y)$ is easier than the computation
\section{Implementation results}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Résultats d'implantation}
\section{Experimental Results}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Résultats expérimentaux}
An implementation of the aforementioned group signature scheme has been made in \texttt{C} using the \textit{Relic toolkit} for pairing-based cryptography~\cite{AG} and is available at~\url{https://gforge.inria.fr/projects/sigmasig-c/}.
An implementation of the aforementioned group signature scheme has been made in \texttt{C} using the \textit{Relic toolkit} for pairing-based cryptography~\cite{AG} and is available at the following address:~\url{https://gforge.inria.fr/projects/sigmasig-c/}.
The relic toolkit provides implementation for pairing computations, hash functions implementations (here SHA-256) as well as benchmarking macros.
The benchmarking was made on a single-core of an \textit{Intel\textregistered{} Core\texttrademark{} i5-7500 CPU @ 3.40GHz} (Kaby Lake architecture) with 6MB of cache.
To implement pairings, the relic library implements the Barreto-Naehrig~\cite{BN06} curve over a 256 bits curve.
Figures are available in Table~\ref{ta:sigmasig-figures}.
\begin{table}
\centering
\begin{tabular}{|c|r|r|}
\hline
\textbf{Algorithm/Protocol} & \textbf{Our scheme} & \textbf{Standard deviation}\\
\hline \hline
\textsf{Keygen} & 9.70 ms & 2.18 ms \\ \hline
\textsf{Join} & 23.16 ms & 0.11 ms \\ \hline
\textsf{Sign} & 15.70 ms & 0.04 ms \\ \hline
\textsf{Verify} & 26.91 ms & 0.04 ms \\ \hline
\end{tabular}
\caption{Experimental results for the Pairing-Base group signature scheme}
\label{ta:sigmasig-figures}
\end{table}
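Review bot: the caption "Pairing-Base group signature scheme" should read "Pairing-Based". The column header "Our scheme" does not say what is measured; label it as mean running time and state in the text how many runs the standard deviation is computed over (Keygen's 2.18 ms deviation on a 9.70 ms mean suggests warm-up effects that a longer run or discarded first iterations would remove). The table has no row for Open, although the opening cost is discussed just above. "implements the Barreto-Naehrig curve over a 256 bits curve" should read "uses a 256-bit Barreto-Naehrig curve", and "The relic toolkit" should be "The Relic toolkit". Finally, the introduction's claim of 128-bit security in 320 bytes rests on BN-256; since the Kim-Barbulescu extended TNFS results (2016) lowered the estimated security of BN-256 to roughly 100 bits, either qualify the claim or state the security level assumed for the curve.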

View File

@ -116,5 +116,21 @@
\newcommand{\ID}{\ensuremath{\mathsf{ID}}\xspace}
% Other
\newcommand{\TODO}{\textbf{\textcolor{red}{TODO}}}
\newcommand{\TODO}{\textbf{\textcolor{red}{TODO}}\xspace}
%added by Khoa
\newcommand{\xddots}{%
\raise 4pt \hbox {.}
\mkern 6mu
\raise 1pt \hbox {.}
\mkern 6mu
\raise -2pt \hbox {.}
}
\newcommand{\xddotss}{%
\raise 15pt \hbox {.}
\mkern 6mu
\raise 1pt \hbox {.}
\mkern 6mu
\raise -8pt \hbox {.}
}
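Review bot: `\xddots` and `\xddotss` use `\mkern`, which is only legal in math mode and raises "Improper \mkern" if the macro is used in text; wrap the bodies in `\ensuremath{...}` or document that they are math-only. The two macros differ only in their `\raise` offsets, so one macro taking the offset as an argument would avoid the duplication, and the "added by Khoa" comment should say where they are used. Adding `\xspace` to `\TODO` is fine.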

View File

@ -4,6 +4,8 @@
%% Highlight overfull hbox
\overfullrule=1mm
%% Show labels
%\usepackage{showkeys}
\usepackage[utf8x]{inputenc}
\usepackage[french,english]{babel}
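Review bot: the `utf8x` option of `inputenc` in the context lines is the deprecated ucs-based encoding and conflicts with several modern packages; plain `utf8` (the default in current LaTeX) is the safe choice. `\overfullrule=1mm` and the commented `showkeys` are draft aids that should be disabled before the final build.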
@ -27,7 +29,7 @@
\usepackage{multirow}
\usepackage[pagebackref]{hyperref}
\renewcommand*{\backref}[1]{}
\renewcommand*{\backrefalt}[4]{\small Citations: \S{}~#4}
\renewcommand*{\backrefalt}[4]{\small Citations: \S{}~#2}
\hypersetup{colorlinks=true, linkcolor=black!50!blue, urlcolor=black!50!red, citecolor=black!50!green, breaklinks=true}
\hypersetup{pdftitle={Privacy-preserving cryptography from pairings and lattices},
pdfauthor={Fabrice Mouhartem},
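Review bot: changing `#4` to `#2` in `\backrefalt` switches to the de-duplicated back-reference list, which is the right choice, but with `\usepackage[pagebackref]{hyperref}` that list contains page numbers, so the `\S{}` prefix mislabels them as section numbers. Use `backref=section` if section numbers are intended, or change the label to "p." otherwise.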
@ -98,6 +100,10 @@
\mainmatter
\pagestyle{ruled}
\chapter{Introduction}
\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Introduction}
\label{ch:introduction}
\input chap-introduction
\cleardoublepage

View File

@ -11,6 +11,7 @@
$\mathbf{b}$ & bold lowercase letters represent column vectors \\
$\widetilde{\mathbf{A}}$ & Gram-Schmidt orthogonalization of matrix $\mathbf{A}$ \\
$\mathbf{A}^T_{}, \mathbf{u}^T_{}$ & the transpose of a matrix or a vector respectively \\
$\mathbf{I}_n$ & the $n$ dimension identity matrix in $\RR^{n \times n}$ \\
$\U(S)$ & If $S$ is a finite set, $\U(S)$ denotes the uniform distribution over $S$\\
$\Pr[E]$ & Probability that an event $E$ occurs \\
[1ex] \multicolumn{2}{l}{\scbf{Usual sets}} \\
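Review bot: the new entry defines $\mathbf{I}_n$ "in $\RR^{n \times n}$", but in chap-sigmasig it appears as an exponent matrix over $\Zp$; define it over an arbitrary ring (or simply as the identity matrix of dimension $n$) and write "the $n$-dimensional identity matrix". The transpose is written $\mathbf{A}^T$ here and $\vec{v}^\top$ in the matrix fixed in this same commit; settle on one symbol.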