fmouhart/thesis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Some typos

Browse Source
This commit is contained in:
Fabrice Mouhartem
2018-05-17 14:11:51 +02:00
parent 9a5610a920
commit e75cf7d31d
1 changed files with 61 additions and 95 deletions
Download Patch File Download Diff File Expand all files Collapse all files

156
chap-GS-LWE.tex
View File

@@ -121,7 +121,6 @@ coordinate of $\mathbf{v}$ by its binary representation.
\item[1.] Run $\TrapGen(1^n,1^m,q)$ to get~$\mathbf{A} \in
\Zq^{n \times m}$ and a short basis $\mathbf{T}_{\mathbf{A}}$ of
$\Lambda_q^{\perp}(\mathbf{A}).$ This basis allows computing short vectors in $\Lambda_q^{\perp}(\mathbf{A})$ with a Gaussian parameter $\sigma$.
% $\sigma \geq \| \widetilde{\mathbf{T}_{\mathbf{A}}} \| \cdot \omega (\sqrt{\log m})$.
Next, choose $\ell+1$ random $\mathbf{A}_0,\mathbf{A}_1,\ldots,\mathbf{A}_{\ell} \sample \U(\Zq^{n \times m})$. %, where $\ell = \Theta(\lambda)$.
\item[2.] Choose random matrices $\mathbf{D} \sample \U(\Zq^{n \times m})$, $\mathbf{D}_0,\mathbf{D}_1,\ldots,\mathbf{D}_{N} \sample \U(\Zq^{2n \times 2m})$ as well as a random vector
$\mathbf{u} \sample \U(\Zq^n)$. \smallskip
@@ -303,7 +302,6 @@ which implies that the vector
is in $\Lambda_q^{\perp}(\bar{\mathbf{A}})$. Moreover, with overwhelming probability, this vector is non-zero since, in $\adv$'s view, the distribution of
$\mathbf{e}_u \in \ZZ^m$ is $D_{\Lambda_q^{\mathbf{u}}(\bar{\mathbf{A}}),\sigma_1}$, which ensures that $\mathbf{e}_u$ is statistically hidden by
the syndrome $\mathbf{u} = \bar{\mathbf{A}} \cdot \mathbf{e}_u $. Finally, the norm of $\mathbf{w}$ is smaller than
% modified by Khoa: $\| \mathbf{w} \| \leq m^{3/2} \sigma ( \sigma_1 + N / \sqrt{2}) + m^{1/2} ( \sigma + \sigma_1) + (\ell+1) \sigma m$,
$\beta' = m^{3/2} \sigma^2 ( \ell+3) + m^{1/2} \sigma_1 $
which yields a valid solution of the given $\mathsf{SIS}_{n,m,q,\beta'}$ instance
with overwhelming probability.
@@ -355,7 +353,6 @@ We prove the result using a sequence of games. For each $i$, we denote by $W_i$
\mathbf{A} &=& \mathbf{D} \cdot \mathbf{S} \\ \label{setup-sig3}
\mathbf{A}_0 &=& \mathbf{D} \cdot \mathbf{S}_0 + h_0 \cdot \mathbf{C} \\ \nonumber
\mathbf{A}_j &=& \mathbf{D} \cdot \mathbf{S}_j + h_j \cdot \mathbf{C} \qquad \qquad \forall j \in \{1,\ldots,\ell\} %\\ \nonumber
%\mathbf{D}_k &=& \mathbf{D} \cdot \mathbf{R}_k \qquad \qquad \qquad \quad~ \forall k \in \{1,\ldots,N\}.
\end{eqnarray}
In addition, $\bdv$ picks random matrices $\mathbf{D}_1,\ldots,\mathbf{D}_N \sample (\Zq^{2n \times 2m})$ and a random vector $\mathbf{c}_M \sample (\Zq^{2n})$. It samples
short vectors $\mathbf{v}_1 ,\mathbf{v}_2 \sample D_{\ZZ^m,\sigma}$ and computes $\mathbf{u} \in \Zq^n$
@@ -508,21 +505,6 @@ $\mathbf{C}=\mathbf{D}_0 \cdot \mathbf{s} + \sum_{k=1}^N \mathbf{D}_k \cdot \mat
commitment key $(\mathbf{D}_0,\mathbf{D}_1,\ldots,\mathbf{D}_N) \in (\Zq^{2n \times 2m})^{N+1} $. It is easy to see that the resulting commitment remains statistically hiding and computationally
binding under the $\mathsf{SIS}$ assumption.
%If we assume that the signer only sees perfectly hiding commitments $ \mathbf{c}_{\mathfrak{m}} = \mathbf{D}_0 \cdot \mathbf{s}' + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k$ and $\mathbf{C}= \mathbf{B}_0 \cdot %\mathbf{r} + \sum_{k=1}^N \mathbf{B}_k \cdot \mathfrak{m}_k$ to the message $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N) \in (\{0,1\}^m)^N$ on which the
%user wants to obtain a signature, a simple way for the
%user to prove that $\mathbf{C}$ and $ \mathbf{c}_{\mathfrak{m}}$ are commitments to the same message is to
% generate a witness indistinguishable proof of knowledge of a short vector
% $$\mathbf{v}=[ \mathfrak{m}_1^T \mid \ldots \mid \mathfrak{m}_N^T \mid \mathbf{r}^T \mid {\mathbf{s}'}^T ]^T \in (\{0,1\}^m)^N \times (\ZZ^m)^2 $$ satisfying
% \begin{eqnarray*}
% \left[ \begin{array}{c|c|c|c|c|c}
%\mathbf{B}_1 ~ & ~ \mathbf{B}_2 ~ & ~ \ldots ~ &~ \mathbf{B}_{N} ~& ~ \mathbf{B}_0 ~ & \\ \hline
% \mathbf{D}_1 ~ & ~ \mathbf{D}_2~ & ~ \ldots ~ & ~\mathbf{D}_N~ & & ~ \mathbf{D}_0~
% \end{array} \right] \cdot \mathbf{v}
%= \begin{bmatrix}
%\mathbf{C} \\ \hline \mathbf{c}_{\mathfrak{m}}
%\end{bmatrix}.
%\end{eqnarray*}
In order to make our construction usable in the definitional framework of Camenisch \textit{et al.} \cite{CKL+15}, we assume common public parameters
(i.e., a common reference string) and encrypt all witnesses of which knowledge is being proved under a public key included in the common reference string. The resulting ciphertexts thus serve as statistically binding commitments
to the witnesses.
@@ -566,7 +548,6 @@ sent to $S$ along with $\mathbf{c}_{\mathfrak{m}}$.
Then, $U$ generates an interactive zero-knowledge argument to convince~$S$ that
$ \mathbf{c}_{\mathfrak{m}}$ is a commitment to $(\mathfrak{m}_1, \ldots, \mathfrak{m}_N)$ with the randomness $\mathbf{s}'$ such that $\{\mathfrak{m}_k\}_{k=1}^N$ and
$\mathbf{s}'$ were honestly encrypted to $\{ \mathbf{c}_{k} \}_{i=1}^N$ and $\mathbf{c}_{s'}$, as in~(\ref{enc-Mk}) and~(\ref{enc-s}).
%is consistent with the messages encrypted in $\{ \mathbf{c}_{k} \}_{i=1}^N$ and $\mathbf{c}_{s'}$.
For convenience, this argument system will be described in Section~\ref{subsection:zk-for-commitments}, where we demonstrate that, together with other zero-knowledge protocols used in this work, it can be derived from a Stern-like~\cite{Ste96} protocol constructed in \cref{se:gs-lwe-stern}.
\item[2.] If the argument of step 1 properly verifies, $S$ samples $\mathbf{s}'' \sample D_{\ZZ^{2m},\sigma_0}$ and computes
@@ -603,9 +584,7 @@ where $\mathbf{s}_{\tau}, \mathbf{s}_{k} \sample \chi^n$, $\mathbf{e}_{\tau,1}
as well as
\begin{align*}
\mathbf{c}_{\mathbf{v}} & = (\mathbf{c}_{\mathbf{v},1},\mathbf{c}_{\mathbf{v},2}) \\
& = \big( \mathbf{B}^T \cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},1} ,~ \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},2} + \mathbf{v} \cdot \lfloor q/p \rfloor \big) \in \Zq^m \times \Zq^{2m}
\\
%\mathbf{c}_{\mathbf{v}_2} &=& (\mathbf{c}_{\mathbf{v}_2,1},\mathbf{c}_{\mathbf{v}_2,2}) \\ &=& \big( \mathbf{B}^T \cdot \mathbf{s}_{\mathbf{v}_2} + \mathbf{e}_{\mathbf{v}_2,1} ,~ \mathbf{G}_1^T %\cdot \mathbf{s}_{\mathbf{v}_2} + \mathbf{e}_{\mathbf{v}_2,2} + \mathbf{v}_2 \cdot \lfloor q/p \rfloor \big) \in \Zq^m \times \Zq^m \\
& = \big( \mathbf{B}^T \cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},1} ,~ \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},2} + \mathbf{v} \cdot \lfloor q/p \rfloor \big) \in \Zq^m \times \Zq^{2m} \\
\mathbf{c}_{s} & = (\mathbf{c}_{s,1},\mathbf{c}_{s,2}) \\
& = \big( \mathbf{B}^T \cdot \mathbf{s}_{0} + \mathbf{e}_{0,1} ,~ \mathbf{G}_1^T \cdot \mathbf{s}_{0} + \mathbf{e}_{0,2} + \mathbf{s} \cdot \lfloor q/p \rfloor \big) \in \Zq^m \times \Zq^{2m} ,
\end{align*}
@@ -617,7 +596,6 @@ as well as
\end{itemize}
\end{description}
%To establish the security of the protocol,
We require that the adversary be unable to prove possession of a signature of a message $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$ for which it did not legally
obtain a credential by interacting with the issuer. Note that the messages that are blindly signed by the issuer are uniquely defined since, at each signing
query, the adversary is required to supply perfectly binding commitments $\{\mathbf{c}_k\}_{k=1}^N$ to $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$.
@@ -711,40 +689,41 @@ probabilities during hybrid games where the two distributions are not close in t
was never used by the signing oracle. If $coin=1$, $\bdv$ expects $\adv$ to recycle a tag $\tau^\star$ involved in some signing query in its forgery. Namely,
if $coin=1$, $\bdv$ expects an attack which is either a Type II forgery or a Type III forgery.
If $coin=2$, $\bdv$ rather bets that $\adv$ will break the soundness of the interactive argument systems used in the signature issuing protocol or the $\mathsf{Prove}$ protocol.
Depending on the value of $coin \in \{0,1,2 \}$, $\bdv$ generates the issuer's public key $PK$ and simulates $\adv$'s view in different ways. \medskip
Depending on the value of $coin \in \{0,1,2 \}$, $\bdv$ generates the issuer's public key $PK$ and simulates $\adv$'s view in different ways.
\noindent $\bullet$ If $coin=0$, $\bdv$ undertakes to find a short non-zero vector of $\Lambda_q^{\perp}(\bar{\mathbf{A}}_1)$, which in turn yields a short non-zero vector
of $\Lambda_q^{\perp}(\bar{\mathbf{A}})$. To this end, it defines $\mathbf{A}=\bar{\mathbf{A}}_1$ and
generates $PK$ by computing $\{\mathbf{A}_j\}_{j=0}^\ell$ as re-randomizations of $\mathbf{A} \in \ZZ_q^{n \times m}$ as in the proof of Lemma \ref{le:lwe-gs-type-I-attacks}. This implies that $\bdv$ can always answer signing queries using the trapdoor $\mathbf{T}_{\mathbf{C}}
\in \ZZ^{m \times m}$ of the matrix $\mathbf{C}$ without even knowing the messages hidden in the commitments $ \mathbf{c}_{\mathfrak{m}}$ and $\{\mathbf{c}_k\}_{k=1}^N$, $\mathbf{c}_{s'}$.
When the adversary generates a proof of possession of its own at the end of the game, $\bdv$ uses the matrices $\mathbf{E}_0 \in \ZZ^{ m \times \ell}$ and $\mathbf{E}_1 \in \ZZ^{m \times 2m}$
as an extraction trapdoor to extract a plain message-signature pair $\big( (\mathfrak{m}_1^\star,\ldots,\mathfrak{m}_N^\star), (\tau^\star,\mathbf{v}^\star,\mathbf{s}^\star) \big)$
from the ciphertexts
$\{ \mathbf{c}_k^\star\}_{k=1}^N$ $(\mathbf{c}_{\mathbf{v}_1}^\star,\mathbf{c}_{\mathbf{v}_2^\star})$, $\mathbf{c}_{\tau}^\star$, $\mathbf{c}_{\mathbf{s}}^\star$ produced by $\adv$ as part of its forgery.
If the extracted $\tau^\star$ is not a new tag, then $\bdv$ aborts. Otherwise, it can solve the given $\mathsf{SIS}$ instance exactly as in the proof of Lemma \ref{le:lwe-gs-type-I-attacks}.
\medskip
\begin{itemize}
\item If $coin=0$, $\bdv$ undertakes to find a short non-zero vector of $\Lambda_q^{\perp}(\bar{\mathbf{A}}_1)$, which in turn yields a short non-zero vector
of $\Lambda_q^{\perp}(\bar{\mathbf{A}})$. To this end, it defines $\mathbf{A}=\bar{\mathbf{A}}_1$ and
generates $PK$ by computing $\{\mathbf{A}_j\}_{j=0}^\ell$ as re-randomizations of $\mathbf{A} \in \ZZ_q^{n \times m}$ as in the proof of Lemma \ref{le:lwe-gs-type-I-attacks}. This implies that $\bdv$ can always answer signing queries using the trapdoor $\mathbf{T}_{\mathbf{C}}
\in \ZZ^{m \times m}$ of the matrix $\mathbf{C}$ without even knowing the messages hidden in the commitments $ \mathbf{c}_{\mathfrak{m}}$ and $\{\mathbf{c}_k\}_{k=1}^N$, $\mathbf{c}_{s'}$.
When the adversary generates a proof of possession of its own at the end of the game, $\bdv$ uses the matrices $\mathbf{E}_0 \in \ZZ^{ m \times \ell}$ and $\mathbf{E}_1 \in \ZZ^{m \times 2m}$
as an extraction trapdoor to extract a plain message-signature pair $\big( (\mathfrak{m}_1^\star,\ldots,\mathfrak{m}_N^\star), (\tau^\star,\mathbf{v}^\star,\mathbf{s}^\star) \big)$
from the ciphertexts
$\{ \mathbf{c}_k^\star\}_{k=1}^N$ $(\mathbf{c}_{\mathbf{v}_1}^\star,\mathbf{c}_{\mathbf{v}_2^\star})$, $\mathbf{c}_{\tau}^\star$, $\mathbf{c}_{\mathbf{s}}^\star$ produced by $\adv$ as part of its forgery.
If the extracted $\tau^\star$ is not a new tag, then $\bdv$ aborts. Otherwise, it can solve the given $\mathsf{SIS}$ instance exactly as in the proof of Lemma \ref{le:lwe-gs-type-I-attacks}.
\noindent $\bullet$ If $coin=1$, the proof proceeds as in the proof of Lemma \ref{le:lwe-gs-type-II-attacks} with one difference in \textsf{Game} $3$. This difference is that \textsf{Game} $3$ is no longer statistically
indistinguishable from \textsf{Game} $2$: instead, we rely on an argument based on the R\'enyi divergence.
In \textsf{Game} $3$, $\bdv$ generates $PK$ exactly as in the proof of Lemma \ref{le:lwe-gs-type-II-attacks}. This implies that $\bdv$ takes a guess $i^\dagger \leftarrow U(\{1,\ldots,Q\})$
with the hope that $\adv$ will choose to recycle the tag $\tau^{(i^\dagger)} $ of the $i^\dagger$-th signing query (i.e., $ \tau^\star =\tau^{(i^\dagger)} $).
As in the proof of Lemma \ref{le:lwe-gs-type-II-attacks}, $\bdv$ defines $\mathbf{D}=\bar{\mathbf{A}}_1 \in \ZZ_q^{n \times m}$ and $\mathbf{A}= \bar{\mathbf{A}}_1 \cdot \mathbf{S} $ for a small-norm
matrix $\mathbf{S} \in \ZZ^{m \times m}$ with Gaussian entries. It also ``programs'' the matrices $\{ \mathbf{A}_j\}_{j=0}^\ell$ in such a way that
the trapdoor precisely vanishes at the $i^\dagger$-th signing query: in other words,
the sum $$\mathbf{A}_0 + \sum_{j=1}^\ell \tau^{(i)} [j] \mathbf{A}_j = \bar{\mathbf{A}}_1 \cdot (\mathbf{S}_0 + \sum_{j=1}^\ell \tau^{(i)} [j] \cdot \mathbf{S}_j) + (h_0 + \sum_{j=1}^\ell \tau^{(i)} [j] \cdot h_j ) \cdot \mathbf{C} $$ does not depend on the matrix $\mathbf{C} \in \ZZ_q^{n \times m}$
(of which a trapdoor $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$ is known to $\bdv$) when $\tau^{(i)} = \tau^{(i^\dagger)}$, but it does for all other tags $\tau^{(i)} \neq \tau^{(i^\dagger)}$. In the setup phase,
$\bdv$ also sets up a random matrix $\mathbf{D}_0 \in U(\ZZ_q^{2n \times 2m})$ which it obtains by choosing
$\mathbf{A}' \sample (\ZZ_q^{n \times 2m})$ to define
\begin{eqnarray} \label{def-D0}
\mathbf{D}_0=\begin{bmatrix} \bar{\mathbf{A}} \\ \hline \mathbf{A}' \end{bmatrix} \in \ZZ_q^{2n \times 2m}.
\end{eqnarray}
Then, it computes $\mathbf{c}_M = \mathbf{D}_0 \cdot \mathbf{s}_0 \in \ZZ_q^{2n}$ for a short Gaussian vector
$\mathbf{s}_0 \sample D_{\ZZ^{2m},\sigma_0}$, which will be used in the $i^\dagger$-th query.
Next, it samples short vectors $\mathbf{v}_1,\mathbf{v}_2 \sample D_{\ZZ^m,\sigma}$ to define
$$\mathbf{u}= \mathbf{A}_{\tau^{(i^\dagger)}} \cdot \begin{bmatrix} \mathbf{v}_1 \\ \mathbf{v}_2 \end{bmatrix} - \mathbf{D} \cdot \bit (\mathbf{c}_M) ~ \in \ZZ_q^n.$$
In addition, $\bdv$ picks extra small-norm matrices $\mathbf{R}_1,\ldots,\mathbf{R}_N \in \ZZ^{2m \times 2m}$ whose columns are sampled from $D_{\ZZ^m,\sigma}$, which
are used to define randomizations of $\mathbf{D}_0$ by computing $\mathbf{D}_k = \mathbf{D}_0 \cdot \mathbf{R}_k$ for each $k \in \{1,\ldots,N\}$.
The adversary is given public parameters $\mathsf{par}\coloneqq \{\mathbf{B},\mathbf{G}_0,\mathbf{G}_1,CK\}$, where $CK=\{\mathbf{D}_k\}_{k=0}^N$, and the public key $PK\coloneqq \big( \mathbf{A}, \{\mathbf{A}_j\}_{j=0}^\ell, \mathbf{D},\mathbf{u} \big)$.
\item If $coin=1$, the proof proceeds as in the proof of Lemma \ref{le:lwe-gs-type-II-attacks} with one difference in \textsf{Game} $3$. This difference is that \textsf{Game} $3$ is no longer statistically
indistinguishable from \textsf{Game} $2$: instead, we rely on an argument based on the R\'enyi divergence.
In \textsf{Game} $3$, $\bdv$ generates $PK$ exactly as in the proof of Lemma \ref{le:lwe-gs-type-II-attacks}. This implies that $\bdv$ takes a guess $i^\dagger \leftarrow U(\{1,\ldots,Q\})$
with the hope that $\adv$ will choose to recycle the tag $\tau^{(i^\dagger)} $ of the $i^\dagger$-th signing query (i.e., $ \tau^\star =\tau^{(i^\dagger)} $).
As in the proof of Lemma \ref{le:lwe-gs-type-II-attacks}, $\bdv$ defines $\mathbf{D}=\bar{\mathbf{A}}_1 \in \ZZ_q^{n \times m}$ and $\mathbf{A}= \bar{\mathbf{A}}_1 \cdot \mathbf{S} $ for a small-norm
matrix $\mathbf{S} \in \ZZ^{m \times m}$ with Gaussian entries. It also ``programs'' the matrices $\{ \mathbf{A}_j\}_{j=0}^\ell$ in such a way that
the trapdoor precisely vanishes at the $i^\dagger$-th signing query: in other words,
the sum $$\mathbf{A}_0 + \sum_{j=1}^\ell \tau^{(i)} [j] \mathbf{A}_j = \bar{\mathbf{A}}_1 \cdot (\mathbf{S}_0 + \sum_{j=1}^\ell \tau^{(i)} [j] \cdot \mathbf{S}_j) + (h_0 + \sum_{j=1}^\ell \tau^{(i)} [j] \cdot h_j ) \cdot \mathbf{C} $$ does not depend on the matrix $\mathbf{C} \in \ZZ_q^{n \times m}$
(of which a trapdoor $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$ is known to $\bdv$) when $\tau^{(i)} = \tau^{(i^\dagger)}$, but it does for all other tags $\tau^{(i)} \neq \tau^{(i^\dagger)}$. In the setup phase,
$\bdv$ also sets up a random matrix $\mathbf{D}_0 \in U(\ZZ_q^{2n \times 2m})$ which it obtains by choosing
$\mathbf{A}' \sample (\ZZ_q^{n \times 2m})$ to define
\begin{eqnarray} \label{def-D0}
\mathbf{D}_0=\begin{bmatrix} \bar{\mathbf{A}} \\ \hline \mathbf{A}' \end{bmatrix} \in \ZZ_q^{2n \times 2m}.
\end{eqnarray}
Then, it computes $\mathbf{c}_M = \mathbf{D}_0 \cdot \mathbf{s}_0 \in \ZZ_q^{2n}$ for a short Gaussian vector
$\mathbf{s}_0 \sample D_{\ZZ^{2m},\sigma_0}$, which will be used in the $i^\dagger$-th query.
Next, it samples short vectors $\mathbf{v}_1,\mathbf{v}_2 \sample D_{\ZZ^m,\sigma}$ to define
$$\mathbf{u}= \mathbf{A}_{\tau^{(i^\dagger)}} \cdot \begin{bmatrix} \mathbf{v}_1 \\ \mathbf{v}_2 \end{bmatrix} - \mathbf{D} \cdot \bit (\mathbf{c}_M) ~ \in \ZZ_q^n.$$
In addition, $\bdv$ picks extra small-norm matrices $\mathbf{R}_1,\ldots,\mathbf{R}_N \in \ZZ^{2m \times 2m}$ whose columns are sampled from $D_{\ZZ^m,\sigma}$, which
are used to define randomizations of $\mathbf{D}_0$ by computing $\mathbf{D}_k = \mathbf{D}_0 \cdot \mathbf{R}_k$ for each $k \in \{1,\ldots,N\}$.
The adversary is given public parameters $\mathsf{par}\coloneqq \{\mathbf{B},\mathbf{G}_0,\mathbf{G}_1,CK\}$, where $CK=\{\mathbf{D}_k\}_{k=0}^N$, and the public key $PK\coloneqq \big( \mathbf{A}, \{\mathbf{A}_j\}_{j=0}^\ell, \mathbf{D},\mathbf{u} \big)$.
\end{itemize}
Using $\mathbf{T}_{\mathbf{C}}$,
$\bdv$ can perfectly emulate the signing oracle at all queries, except the $i^\dagger$-th query where the
@@ -793,14 +772,14 @@ probabilities during hybrid games where the two distributions are not close in t
Due to the definition of $\mathbf{D}_0 \in \ZZ_q^{2n \times 2m}$ in (\ref{def-D0}), we finally note that
$\mathbf{w} \in \ZZ^{2m}$ is also a short non-zero vector of $\Lambda_q^{\perp}(\bar{\mathbf{A}})$.
\medskip
\noindent $\bullet$ If $coin=2$, $\bdv$ faithfully generates $\mathsf{par}$ and $PK$, but it retains the extraction trapdoor $(\mathbf{E}_0,\mathbf{E}_1)$ associated with the dual Regev public keys
$(\mathbf{G}_0,\mathbf{G}_1)$. Note that $\adv$ can break the soundness of the proof system by either: (i) Generating ciphertexts
$\{\mathbf{c}_k\}_{k=1}^N$ and $\mathbf{c}_{s'}$ that do not encrypt an opening of $\mathbf{c}_{\mathfrak{m}}$ in the signature issuing protocol; (ii) Generating ciphertexts
$\{\mathbf{c}_k\}_{k=1}^N$, $\mathbf{c}_{\tau}$, $\mathbf{c}_{\mathbf{v}_1}$, $\mathbf{c}_{\mathbf{v}_2}$ and $\mathbf{c}_{s}$ that do not encrypt a valid signature in the $\mathsf{Prove}$ protocol.
In either case, the reduction $\bdv$ is able to detect the event by decrypting dual Regev ciphertext using $(\mathbf{E}_0,\mathbf{E}_1)$ and create a breach in the
soundness of the argument system. \medskip
\begin{itemize}
\item If $coin=2$, $\bdv$ faithfully generates $\mathsf{par}$ and $PK$, but it retains the extraction trapdoor $(\mathbf{E}_0,\mathbf{E}_1)$ associated with the dual Regev public keys
$(\mathbf{G}_0,\mathbf{G}_1)$. Note that $\adv$ can break the soundness of the proof system by either: (i) Generating ciphertexts
$\{\mathbf{c}_k\}_{k=1}^N$ and $\mathbf{c}_{s'}$ that do not encrypt an opening of $\mathbf{c}_{\mathfrak{m}}$ in the signature issuing protocol; (ii) Generating ciphertexts
$\{\mathbf{c}_k\}_{k=1}^N$, $\mathbf{c}_{\tau}$, $\mathbf{c}_{\mathbf{v}_1}$, $\mathbf{c}_{\mathbf{v}_2}$ and $\mathbf{c}_{s}$ that do not encrypt a valid signature in the $\mathsf{Prove}$ protocol.
In either case, the reduction $\bdv$ is able to detect the event by decrypting dual Regev ciphertext using $(\mathbf{E}_0,\mathbf{E}_1)$ and create a breach in the
soundness of the argument system.
\end{itemize}
It it easy to see that, since $coin \in \{0,1,2 \}$ is chosen independently of $\adv$'s view, it turns out to be correct with probability $1/3$. As a consequence, if $\adv$'s advantage
is non-negligible, so is $\bdv$'s.
@@ -835,7 +814,7 @@ The scheme provides anonymity under the $\mathsf{LWE}_{n,q,\chi}$ assumption.
\end{description}
\medskip
\noindent In \textsf{Game} $2$, we can notice that the adversary is interacting with a simulator that emulates the user in the $\mathsf{Prove}$ protocol \textit{without} using
In \textsf{Game} $2$, we can notice that the adversary is interacting with a simulator that emulates the user in the $\mathsf{Prove}$ protocol \textit{without} using
any message-signature pair. We thus conclude that, under the $\LWE_{n,q,\chi}$ assumption, $\adv$'s view cannot distinguish a real proof of signature possession from a simulated proof
produced without any witness.
\end{proof}
@@ -847,37 +826,37 @@ In this section, the signature scheme of Section \ref{se:gs-lwe-sigep} is used
In the notations hereunder, for any positive integers $\mathfrak{n}$, and $q \geq 2$, we define the ``powers-of-2'' matrix $\mathbf{H}_{\mathfrak{n} \times \mathfrak{n}\lceil\log q\rceil} \in \ZZ_q^{\mathfrak{n} \times \mathfrak{n}\lceil\log q\rceil}$ to be:
\begin{eqnarray*}
\mathbf{H}_{\mathfrak{n} \times \mathfrak{n} \lceil\log q\rceil } &=& \mathbf{I}_{\mathfrak{n}} \otimes [1 \mid 2 \mid 4 \mid \ldots \mid 2^{\lceil\log q\rceil-1} ] .
%\\ &=& \begin{bmatrix} 1 ~2~4 ~ \ldots ~2^{\lceil\log q\rceil-1} & & & & \\
% & & & \ddots & \\
% & & & & 1 ~2~4 ~ \ldots ~2^{\lceil\log q\rceil-1} \\
%\end{bmatrix}.
\end{eqnarray*}
Also, for each vector $\mathbf{v} \in \ZZ_q^{\mathfrak{n}}$, we define $\bit(\mathbf{v}) \in \{0,1\}^{\mathfrak{n}\lceil\log q\rceil}$ to be the vector obtained by replacing each entry of $\mathbf{v}$ by its binary expansion.
Hence, we have $\mathbf{v}=\mathbf{H}_{\mathfrak{n} \times \mathfrak{n}\lceil\log q\rceil} \cdot \bit(\mathbf{v})$ for any $\mathbf{v} \in \ZZ_q^{\mathfrak{n}}$. \\
\indent
Hence, we have $\mathbf{v}=\mathbf{H}_{\mathfrak{n} \times \mathfrak{n}\lceil\log q\rceil} \cdot \bit(\mathbf{v})$ for any $\mathbf{v} \in \ZZ_q^{\mathfrak{n}}$.
In our scheme, each group membership certificate is a
signature generated by the group manager on the user's public key. Since the group manager only needs to sign known (rather than committed) messages, we can
use a simplified version of the signature, where the chameleon hash function does not need to choose
the discrete Gaussian vector $\mathbf{s}$ with a larger standard deviation than other vectors. \\
\indent
the discrete Gaussian vector $\mathbf{s}$ with a larger standard deviation than other vectors.
A key component of the scheme is the two-message joining protocol whereby the group manager admits new group members by signing their public key. The first message is sent by
the new user $\mathcal{U}_i$ who samples a membership secret consisting of a short vector $\mathbf{z}_i \sample D_{\ZZ^{4m},\sigma}$ (where $m= 2n \lceil\log q\rceil$), which is used to compute a
syndrome $\mathbf{v}_i = \mathbf{F} \cdot \mathbf{z}_i \in \ZZ_q^{4n}$ for some public matrix $\mathbf{F} \in \ZZ_q^{4n \times 4m} $. This syndrome $\mathbf{v}_i \in \ZZ_q^{4n}$ must be signed by $\mathcal{U}_i$ using his long term secret key $\mathsf{usk}[i]$ (as in
\cite{KY06,BSZ05}, we assume that each user has a long-term key $\mathsf{upk}[i]$ for a digital signature, which is registered in some PKI) and will uniquely
identify $\mathcal{U}_i$.
In order to generate a membership certificate for $\mathbf{v}_i \in \ZZ_q^{4n}$, the group manager $\mathsf{GM}$ signs its binary expansion
$\mathsf{bin}(\mathbf{v}_i) \in \{0,1\}^{4n \lceil \log q \rceil }$ using the scheme of Section \ref{se:gs-lwe-sigep}. \\ \indent Equipped with his membership
$\mathsf{bin}(\mathbf{v}_i) \in \{0,1\}^{4n \lceil \log q \rceil }$ using the scheme of Section \ref{se:gs-lwe-sigep}.
Equipped with his membership
certificate $(\tau,\mathbf{d},\mathbf{s}) \in \{0,1\}^\ell \times \ZZ^{2m} \times \ZZ^{2m}$, the new group member $\mathcal{U}_i$ can sign a message using a Stern-like protocol for
demonstrating his knowledge of
a valid certificate for which he also knows the secret key associated with the certified public key $\mathbf{v}_i \in \ZZ_q^{4n}$. This boils down to
providing evidence that the membership certificate is a valid signature on some binary message $\mathsf{bin}(\mathbf{v}_i) \in \{0,1\}^{4n \lceil \log q \rceil }$
for which he also knows a short $\mathbf{z}_i \in \ZZ^{4m}$
such that
$ \mathbf{v}_i = \mathbf{H}_{4n \times 2m} \cdot \bit(\mathbf{v}_i) = \mathbf{F} \cdot \mathbf{z}_i \in \mathbb{Z}_q^{4n}$. \\
\indent Interestingly, the process does not require any proof of knowledge of the membership secret $\mathbf{z}_i$ during the joining phase, which is round-optimal. Analogously to the Kiayias-Yung technique \cite{KY05} and constructions based on structure-preserving signatures
$ \mathbf{v}_i = \mathbf{H}_{4n \times 2m} \cdot \bit(\mathbf{v}_i) = \mathbf{F} \cdot \mathbf{z}_i \in \mathbb{Z}_q^{4n}$.
Interestingly, the process does not require any proof of knowledge of the membership secret $\mathbf{z}_i$ during the joining phase, which is round-optimal. Analogously to the Kiayias-Yung technique \cite{KY05} and constructions based on structure-preserving signatures
\cite{AFG+10}, the joining protocol thus remains secure in environments where many users want
to register at the same time in concurrent sessions. \\
\indent We remark that a similar Stern-like protocol could also be directly used to prove knowledge of a Boyen signature \cite{Boy10} on a binary expansion of the
to register at the same time in concurrent sessions.
We remark that a similar Stern-like protocol could also be directly used to prove knowledge of a Boyen signature \cite{Boy10} on a binary expansion of the
user's syndrome $\mathbf{v}_i \in \ZZ_q^{4n}$ while preserving the user's ability to prove knowledge of a short $\mathbf{z}_i \in \ZZ^{4m}$ such that $\mathbf{F} \cdot \mathbf{z}_i =
\mathbf{v}_i \bmod q$. However, this would require considerably longer private keys containing $ 4n \cdot \log q$ matrices $\{\mathbf{A}_j\}_{j=0}^\ell$ of dimension $n \times
m$ each (i.e., we would need $\ell= \Theta(n \cdot \log q)$). In contrast, by using the signature scheme of Section \ref{se:gs-lwe-sigep}, we only need the group public key
@@ -902,7 +881,6 @@ Then, do the following. \smallskip \smallskip
\item[1.] Generate a key pair for the signature of Section \ref{desc-sig-protoc} for signing single-block messages. Namely, run $\TrapGen(1^n,1^m,q)$ to get~$\mathbf{A} \in
\ZZ_q^{n \times m}$ and a short basis $\mathbf{T}_{\mathbf{A}}$ of
$\Lambda_q^{\perp}(\mathbf{A})$, which allows computing short vectors in $\Lambda_q^{\perp}(\mathbf{A})$ with Gaussian parameter $\sigma$.
% $\sigma \geq \| \widetilde{\mathbf{T}_{\mathbf{A}}} \| \cdot \omega (\sqrt{\log m})$.
Next, choose matrices
$\mathbf{A}_0,\mathbf{A}_1,\ldots,\mathbf{A}_{\ell},\mathbf{D} \sample (\ZZ_q^{n \times m})$, $ \mathbf{D}_0,\mathbf{D}_1 \sample (\ZZ_q^{2n \times 2m})$ and a vector $\mathbf{u} \sample (\ZZ_q^n)$.
\item[2.] Choose an additional random matrix $\mathbf{F} \sample (\ZZ_q^{4n \times 4m})$ uniformly. Looking ahead, this matrix will be used to ensure security against framing attacks.
@@ -977,7 +955,6 @@ $\bit(\mathbf{v}_i) \in \{0,1\}^{2m}$, where $\mathbf{v}_i=\mathbf{F} \cdot \mat
$\scr_i=\mathbf{z}_i \in \mathbb{Z}^{4m}$ for the matrix $\mathbf{F}$. Namely, compute $ \mathbf{c}_{\mathbf{v}_i} \in \ZZ_q^m \times \ZZ_q^{2m}$ as
\begin{eqnarray} \label{enc1}
\mathbf{c}_{\mathbf{v}_i}=(\mathbf{c}_1,\mathbf{c}_2) &=& \big( \mathbf{B}^T \cdot \mathbf{e}_0 + \mathbf{x}_1 ,~ \mathbf{G}_0^T \cdot \mathbf{e}_0 + \mathbf{x}_2 + \bit(\mathbf{v}_i) \cdot \lfloor q/2 \rfloor \big) \qquad
%\\ \nonumber && \hspace{4cm}\in \ZZ_q^m \times \ZZ_q^{2m}
\end{eqnarray}
for randomly chosen $\mathbf{e}_0 \sample \chi^n$, $\mathbf{x}_1 \sample \chi^m, \mathbf{x}_2 \sample \chi^{2m} $.
Notice that, as in the construction of \cite{LNW15}, the columns of $\mathbf{G}_0$ can be interpreted as public keys for the multi-bit version
@@ -1054,7 +1031,6 @@ The size of each group signature is largely dominated by that of the non-interac
\smallskip
\noindent
\textsc{Correctness.} The correctness of algorithm \textsf{Verify}$(\mathcal{Y},M,\Sigma)$ follows from the facts that every certified group member is able to compute valid witness vectors satisfying equations~(\ref{enc1}), (\ref{rel-deux}) and (\ref{eq:rel-3}), and that the underlying argument system is perfectly complete. Moreover, the scheme parameters are chosen so that the GPV IBE~\cite{GPV08} is correct, which implies that algorithm \textsf{Open}$(\mathcal{Y},\mathcal{S}_{\OA},M,\Sigma)$ is also correct.
@@ -1277,9 +1253,6 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
before returning $\crt_{i^\star}=(\mathsf{id}^\dagger,\mathbf{d}_{i^\star} =[ \mathbf{d}_{i^\star,1}^T \mid \mathbf{d}_{i^\star,2}^T]^T,\mathbf{s}_{i^\star})$
to $\adv$. From the definition of $\mathbf{u} \in \Zq^n$ (\ref{def-u}), it is easy to see that $\crt_{i^\star}=(\mathsf{id}^\dagger,\mathbf{d}_{i^\star} ,\mathbf{s}_{i^\star})$ forms a valid membership certificate for
any membership secret $\mathbf{z}_{i^\star} \in \ZZ^{4m}$ corresponding to the syndrome $\mathbf{v}_{i^\star} = \mathbf{F} \cdot \mathbf{z}_{i^\star} \bmod q$.
%Moreover, the distribution of
%$\mathbf{s}_{i^\star}$ is
% $D_{\ZZ^m,\sigma}^{\mathbf{c}_{v_{i^\star}}}$, where $\mathbf{c}_{v_{i^\star}} = \mathbf{c}_M - \mathbf{D}_0 \cdot \bit( \mathbf{v}_{i^\star}) \in \Zq^n $, as in \GGame $2$.
\end{itemize}
Regardless of the value of $coin$, queries to the random oracle~$H$
@@ -1664,9 +1637,7 @@ To do so, we first form the following vectors and matrices:
\scriptsize
\begin{cases}
\mathbf{x}_1 \hspace*{-1pt}= \hspace*{-1pt}\big(\mathbf{s}_0^T \| \mathbf{e}_{0,1}^T \| \mathbf{e}_{0,2}^T \| \mathbf{s}_{1}^T \| \mathbf{e}_{1,1}^T \| \mathbf{e}_{1,2}^T \| \ldots \| \mathbf{s}_{N}^T \| \mathbf{e}_{N,1}^T \| \mathbf{e}_{N,2}^T \big)^T\hspace*{-3.5pt} \in \hspace*{-1.5pt}[-B,B]^{(n+3m)(N+1)}; \\[2.5pt]
%\mathbf{x}_2 = \big(\mathfrak{m}_1^T \| \ldots\| \mathfrak{m}_N^T\big)^T \in \mathsf{CorEnc}(mN); \hspace*{10pt} \mathbf{x}_3 = \mathbf{s}' \in [-(p-1), (p-1)]^{2m};\\[2.5pt]
\mathbf{v} = \big(\mathbf{c}_{\mathfrak{m}}^T \| \mathbf{c}_{\mathbf{s}',1}^T\| \mathbf{c}_{\mathbf{s}',2}^T\| \mathbf{c}_{1,1}^T \|\mathbf{c}_{1,2}^T \| \ldots \|\mathbf{c}_{N,1}^T \|\mathbf{c}_{N,2}^T \big)^T \in \mathbb{Z}_q^{2n + 3m(N+1)};\\[5pt]
%\mathbf{D} = [\mathbf{D}_1 | \ldots | \mathbf{D}_N]; \hspace*{5pt}
\mathbf{P}_1 = \left(
\begin{array}{ccc}
\begin{array}{c}
@@ -1752,8 +1723,6 @@ Now we employ the techniques from \cref{sse:stern-abstraction} to convert~\eqref
\begin{cases}
\mathsf{DecExt}_{(n+3m)(N+1),B}(\mathbf{x}_1) \rightarrow \hat{\mathbf{x}}_1 \in \mathsf{B}^3_{(n+3m)(N+1)\delta_B}; \\[2.5pt]
{\mathbf{M}}'_1 = \mathbf{M}_1 \cdot \widehat{\mathbf{K}}_{(n+3m)(N+1),B} \in \ZZ_q^{D \times 3(n+3m)(N+1)\delta_B}; \\[2.5pt]
%\mathsf{Ext}_{2mN}(\mathbf{x}_2) \rightarrow \hat{\mathbf{x}}_2 \in \mathsf{B}_{2(2mN)}; \hspace*{5pt}
%{\mathbf{M}}'_2 = \big[\mathbf{M}_2 | \mathbf{0}^{D \times 2mN}] \in \mathbb{Z}_q^{D \times 4mN}; \\[5pt]
\mathsf{DecExt}_{2m, p-1}(\mathbf{s}') \rightarrow \hat{\mathbf{s}} \in \mathsf{B}^3_{2m\delta_{p-1}}; \hspace*{5pt}
{\mathbf{M}}'_3 = \mathbf{M}_3 \cdot \widehat{\mathbf{K}}_{2m,p-1} \in \mathbb{Z}_q^{D \times 6m\delta_{p-1}},
\end{cases}
@@ -1815,27 +1784,24 @@ We now describe how to derive the protocol for proving the possession of a signa
\end{eqnarray}
and that (modulo $q$)
\begin{eqnarray}\label{equation:R-sign-ciphertext}
\hspace*{-12.5pt}
\begin{cases}
\forall k\in [N]: \mathbf{c}_{k,1}= \mathbf{B}^T\cdot\mathbf{s}_{k} + \mathbf{e}_{k,1} ; \hspace*{5pt}\mathbf{c}_{k,2}= \mathbf{G}_1^T\cdot \mathbf{s}_{k} + \mathbf{e}_{k,2} + \lfloor q/2 \rfloor\cdot \mathfrak{m}_k ; \\
\forall k\in [N]: \mathbf{c}_{k,1}= \mathbf{B}^T\cdot\mathbf{s}_{k} + \mathbf{e}_{k,1} ; \mathbf{c}_{k,2}= \mathbf{G}_1^T\cdot \mathbf{s}_{k} + \mathbf{e}_{k,2} + \lfloor q/2 \rfloor\cdot \mathfrak{m}_k ; \\
\mathbf{c}_{\mathbf{v}, 1}= \mathbf{B}^T\cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},1} ; \\
\mathbf{c}_{\mathbf{v},2}= \mathbf{G}_1^T \hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{s}_{\mathbf{v}} \hspace*{-2pt}+\hspace*{-2pt} \mathbf{e}_{\mathbf{v},2}\hspace*{-2pt}+\hspace*{-2pt} \lfloor\frac{q}{p}\rfloor \hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{v} \hspace*{-2pt}=\hspace*{-2pt} \mathbf{G}_1^T \hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{s}_{\mathbf{v}} \hspace*{-2pt}+\hspace*{-2pt} \mathbf{e}_{\mathbf{v},2}\hspace*{-2pt}+\hspace*{-2pt} \left(\hspace*{-2pt}
\mathbf{c}_{\mathbf{v},2}= \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}} +\mathbf{e}_{\mathbf{v},2}+ \lfloor\frac{q}{p}\rfloor \cdot \mathbf{v} = \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},2} + \left(
\begin{array}{c}
\lfloor\frac{q}{p}\rfloor \mathbf{I}_m \\
\mathbf{0}\\
\end{array}
\hspace*{-2pt}\right)\cdot \mathbf{v}_1
\hspace*{-2pt}+ \hspace*{-2pt} \left(\hspace*{-2pt}
\right)\cdot \mathbf{v}_1
+ \left(
\begin{array}{c}
\mathbf{0}\\
\lfloor\frac{q}{p}\rfloor \mathbf{I}_m \\
\end{array}
\hspace*{-2pt}\right)\hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{v}_2
\right)\cdot \mathbf{v}_2
; \\
%\mathbf{c}_{\mathbf{v}_2, 1}= \mathbf{B}^T\cdot \mathbf{s}_{\mathbf{v}_2} + \mathbf{e}_{\mathbf{v}_2,1} ; \hspace*{2.5pt}
%\mathbf{c}_{\mathbf{v}_2,2}= \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}_2} + \mathbf{e}_{\mathbf{v}_2,2}+ \lfloor\frac{q}{p}\rfloor \cdot %\mathbf{v}_2 ; \\
\mathbf{c}_{\mathbf{s}, 1}= \mathbf{B}^T\cdot \mathbf{s}_0 + \mathbf{e}_{0,1} ; \hspace*{5pt}\mathbf{c}_{\mathbf{s},2}= \mathbf{G}_1^T\cdot \mathbf{s}_0 + \mathbf{e}_{0,2} + \lfloor q/p \rfloor\cdot \mathbf{s} ; \\