Some typos
This commit is contained in:
parent
9a5610a920
commit
e75cf7d31d
@ -121,7 +121,6 @@ coordinate of $\mathbf{v}$ by its binary representation.
|
||||
\item[1.] Run $\TrapGen(1^n,1^m,q)$ to get~$\mathbf{A} \in
|
||||
\Zq^{n \times m}$ and a short basis $\mathbf{T}_{\mathbf{A}}$ of
|
||||
$\Lambda_q^{\perp}(\mathbf{A}).$ This basis allows computing short vectors in $\Lambda_q^{\perp}(\mathbf{A})$ with a Gaussian parameter $\sigma$.
|
||||
% $\sigma \geq \| \widetilde{\mathbf{T}_{\mathbf{A}}} \| \cdot \omega (\sqrt{\log m})$.
|
||||
Next, choose $\ell+1$ random $\mathbf{A}_0,\mathbf{A}_1,\ldots,\mathbf{A}_{\ell} \sample \U(\Zq^{n \times m})$. %, where $\ell = \Theta(\lambda)$.
|
||||
\item[2.] Choose random matrices $\mathbf{D} \sample \U(\Zq^{n \times m})$, $\mathbf{D}_0,\mathbf{D}_1,\ldots,\mathbf{D}_{N} \sample \U(\Zq^{2n \times 2m})$ as well as a random vector
|
||||
$\mathbf{u} \sample \U(\Zq^n)$. \smallskip
|
||||
@ -303,7 +302,6 @@ which implies that the vector
|
||||
is in $\Lambda_q^{\perp}(\bar{\mathbf{A}})$. Moreover, with overwhelming probability, this vector is non-zero since, in $\adv$'s view, the distribution of
|
||||
$\mathbf{e}_u \in \ZZ^m$ is $D_{\Lambda_q^{\mathbf{u}}(\bar{\mathbf{A}}),\sigma_1}$, which ensures that $\mathbf{e}_u$ is statistically hidden by
|
||||
the syndrome $\mathbf{u} = \bar{\mathbf{A}} \cdot \mathbf{e}_u $. Finally, the norm of $\mathbf{w}$ is smaller than
|
||||
% modified by Khoa: $\| \mathbf{w} \| \leq m^{3/2} \sigma ( \sigma_1 + N / \sqrt{2}) + m^{1/2} ( \sigma + \sigma_1) + (\ell+1) \sigma m$,
|
||||
$\beta' = m^{3/2} \sigma^2 ( \ell+3) + m^{1/2} \sigma_1 $
|
||||
which yields a valid solution of the given $\mathsf{SIS}_{n,m,q,\beta'}$ instance
|
||||
with overwhelming probability.
|
||||
@ -355,7 +353,6 @@ We prove the result using a sequence of games. For each $i$, we denote by $W_i$
|
||||
\mathbf{A} &=& \mathbf{D} \cdot \mathbf{S} \\ \label{setup-sig3}
|
||||
\mathbf{A}_0 &=& \mathbf{D} \cdot \mathbf{S}_0 + h_0 \cdot \mathbf{C} \\ \nonumber
|
||||
\mathbf{A}_j &=& \mathbf{D} \cdot \mathbf{S}_j + h_j \cdot \mathbf{C} \qquad \qquad \forall j \in \{1,\ldots,\ell\} %\\ \nonumber
|
||||
%\mathbf{D}_k &=& \mathbf{D} \cdot \mathbf{R}_k \qquad \qquad \qquad \quad~ \forall k \in \{1,\ldots,N\}.
|
||||
\end{eqnarray}
|
||||
In addition, $\bdv$ picks random matrices $\mathbf{D}_1,\ldots,\mathbf{D}_N \sample (\Zq^{2n \times 2m})$ and a random vector $\mathbf{c}_M \sample (\Zq^{2n})$. It samples
|
||||
short vectors $\mathbf{v}_1 ,\mathbf{v}_2 \sample D_{\ZZ^m,\sigma}$ and computes $\mathbf{u} \in \Zq^n$
|
||||
@ -508,21 +505,6 @@ $\mathbf{C}=\mathbf{D}_0 \cdot \mathbf{s} + \sum_{k=1}^N \mathbf{D}_k \cdot \mat
|
||||
commitment key $(\mathbf{D}_0,\mathbf{D}_1,\ldots,\mathbf{D}_N) \in (\Zq^{2n \times 2m})^{N+1} $. It is easy to see that the resulting commitment remains statistically hiding and computationally
|
||||
binding under the $\mathsf{SIS}$ assumption.
|
||||
|
||||
%If we assume that the signer only sees perfectly hiding commitments $ \mathbf{c}_{\mathfrak{m}} = \mathbf{D}_0 \cdot \mathbf{s}' + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k$ and $\mathbf{C}= \mathbf{B}_0 \cdot %\mathbf{r} + \sum_{k=1}^N \mathbf{B}_k \cdot \mathfrak{m}_k$ to the message $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N) \in (\{0,1\}^m)^N$ on which the
|
||||
%user wants to obtain a signature, a simple way for the
|
||||
%user to prove that $\mathbf{C}$ and $ \mathbf{c}_{\mathfrak{m}}$ are commitments to the same message is to
|
||||
% generate a witness indistinguishable proof of knowledge of a short vector
|
||||
% $$\mathbf{v}=[ \mathfrak{m}_1^T \mid \ldots \mid \mathfrak{m}_N^T \mid \mathbf{r}^T \mid {\mathbf{s}'}^T ]^T \in (\{0,1\}^m)^N \times (\ZZ^m)^2 $$ satisfying
|
||||
% \begin{eqnarray*}
|
||||
% \left[ \begin{array}{c|c|c|c|c|c}
|
||||
%\mathbf{B}_1 ~ & ~ \mathbf{B}_2 ~ & ~ \ldots ~ &~ \mathbf{B}_{N} ~& ~ \mathbf{B}_0 ~ & \\ \hline
|
||||
% \mathbf{D}_1 ~ & ~ \mathbf{D}_2~ & ~ \ldots ~ & ~\mathbf{D}_N~ & & ~ \mathbf{D}_0~
|
||||
% \end{array} \right] \cdot \mathbf{v}
|
||||
%= \begin{bmatrix}
|
||||
%\mathbf{C} \\ \hline \mathbf{c}_{\mathfrak{m}}
|
||||
%\end{bmatrix}.
|
||||
%\end{eqnarray*}
|
||||
|
||||
In order to make our construction usable in the definitional framework of Camenisch \textit{et al.} \cite{CKL+15}, we assume common public parameters
|
||||
(i.e., a common reference string) and encrypt all witnesses of which knowledge is being proved under a public key included in the common reference string. The resulting ciphertexts thus serve as statistically binding commitments
|
||||
to the witnesses.
|
||||
@ -566,7 +548,6 @@ sent to $S$ along with $\mathbf{c}_{\mathfrak{m}}$.
|
||||
Then, $U$ generates an interactive zero-knowledge argument to convince~$S$ that
|
||||
$ \mathbf{c}_{\mathfrak{m}}$ is a commitment to $(\mathfrak{m}_1, \ldots, \mathfrak{m}_N)$ with the randomness $\mathbf{s}'$ such that $\{\mathfrak{m}_k\}_{k=1}^N$ and
|
||||
$\mathbf{s}'$ were honestly encrypted to $\{ \mathbf{c}_{k} \}_{i=1}^N$ and $\mathbf{c}_{s'}$, as in~(\ref{enc-Mk}) and~(\ref{enc-s}).
|
||||
%is consistent with the messages encrypted in $\{ \mathbf{c}_{k} \}_{i=1}^N$ and $\mathbf{c}_{s'}$.
|
||||
For convenience, this argument system will be described in Section~\ref{subsection:zk-for-commitments}, where we demonstrate that, together with other zero-knowledge protocols used in this work, it can be derived from a Stern-like~\cite{Ste96} protocol constructed in \cref{se:gs-lwe-stern}.
|
||||
|
||||
\item[2.] If the argument of step 1 properly verifies, $S$ samples $\mathbf{s}'' \sample D_{\ZZ^{2m},\sigma_0}$ and computes
|
||||
@ -603,9 +584,7 @@ where $\mathbf{s}_{\tau}, \mathbf{s}_{k} \sample \chi^n$, $\mathbf{e}_{\tau,1}
|
||||
as well as
|
||||
\begin{align*}
|
||||
\mathbf{c}_{\mathbf{v}} & = (\mathbf{c}_{\mathbf{v},1},\mathbf{c}_{\mathbf{v},2}) \\
|
||||
& = \big( \mathbf{B}^T \cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},1} ,~ \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},2} + \mathbf{v} \cdot \lfloor q/p \rfloor \big) \in \Zq^m \times \Zq^{2m}
|
||||
\\
|
||||
%\mathbf{c}_{\mathbf{v}_2} &=& (\mathbf{c}_{\mathbf{v}_2,1},\mathbf{c}_{\mathbf{v}_2,2}) \\ &=& \big( \mathbf{B}^T \cdot \mathbf{s}_{\mathbf{v}_2} + \mathbf{e}_{\mathbf{v}_2,1} ,~ \mathbf{G}_1^T %\cdot \mathbf{s}_{\mathbf{v}_2} + \mathbf{e}_{\mathbf{v}_2,2} + \mathbf{v}_2 \cdot \lfloor q/p \rfloor \big) \in \Zq^m \times \Zq^m \\
|
||||
& = \big( \mathbf{B}^T \cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},1} ,~ \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},2} + \mathbf{v} \cdot \lfloor q/p \rfloor \big) \in \Zq^m \times \Zq^{2m} \\
|
||||
\mathbf{c}_{s} & = (\mathbf{c}_{s,1},\mathbf{c}_{s,2}) \\
|
||||
& = \big( \mathbf{B}^T \cdot \mathbf{s}_{0} + \mathbf{e}_{0,1} ,~ \mathbf{G}_1^T \cdot \mathbf{s}_{0} + \mathbf{e}_{0,2} + \mathbf{s} \cdot \lfloor q/p \rfloor \big) \in \Zq^m \times \Zq^{2m} ,
|
||||
\end{align*}
|
||||
@ -617,7 +596,6 @@ as well as
|
||||
\end{itemize}
|
||||
\end{description}
|
||||
|
||||
%To establish the security of the protocol,
|
||||
We require that the adversary be unable to prove possession of a signature of a message $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$ for which it did not legally
|
||||
obtain a credential by interacting with the issuer. Note that the messages that are blindly signed by the issuer are uniquely defined since, at each signing
|
||||
query, the adversary is required to supply perfectly binding commitments $\{\mathbf{c}_k\}_{k=1}^N$ to $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$.
|
||||
@ -711,9 +689,10 @@ probabilities during hybrid games where the two distributions are not close in t
|
||||
was never used by the signing oracle. If $coin=1$, $\bdv$ expects $\adv$ to recycle a tag $\tau^\star$ involved in some signing query in its forgery. Namely,
|
||||
if $coin=1$, $\bdv$ expects an attack which is either a Type II forgery or a Type III forgery.
|
||||
If $coin=2$, $\bdv$ rather bets that $\adv$ will break the soundness of the interactive argument systems used in the signature issuing protocol or the $\mathsf{Prove}$ protocol.
|
||||
Depending on the value of $coin \in \{0,1,2 \}$, $\bdv$ generates the issuer's public key $PK$ and simulates $\adv$'s view in different ways. \medskip
|
||||
Depending on the value of $coin \in \{0,1,2 \}$, $\bdv$ generates the issuer's public key $PK$ and simulates $\adv$'s view in different ways.
|
||||
|
||||
\noindent $\bullet$ If $coin=0$, $\bdv$ undertakes to find a short non-zero vector of $\Lambda_q^{\perp}(\bar{\mathbf{A}}_1)$, which in turn yields a short non-zero vector
|
||||
\begin{itemize}
|
||||
\item If $coin=0$, $\bdv$ undertakes to find a short non-zero vector of $\Lambda_q^{\perp}(\bar{\mathbf{A}}_1)$, which in turn yields a short non-zero vector
|
||||
of $\Lambda_q^{\perp}(\bar{\mathbf{A}})$. To this end, it defines $\mathbf{A}=\bar{\mathbf{A}}_1$ and
|
||||
generates $PK$ by computing $\{\mathbf{A}_j\}_{j=0}^\ell$ as re-randomizations of $\mathbf{A} \in \ZZ_q^{n \times m}$ as in the proof of Lemma \ref{le:lwe-gs-type-I-attacks}. This implies that $\bdv$ can always answer signing queries using the trapdoor $\mathbf{T}_{\mathbf{C}}
|
||||
\in \ZZ^{m \times m}$ of the matrix $\mathbf{C}$ without even knowing the messages hidden in the commitments $ \mathbf{c}_{\mathfrak{m}}$ and $\{\mathbf{c}_k\}_{k=1}^N$, $\mathbf{c}_{s'}$.
|
||||
@ -722,9 +701,8 @@ probabilities during hybrid games where the two distributions are not close in t
|
||||
from the ciphertexts
|
||||
$\{ \mathbf{c}_k^\star\}_{k=1}^N$ $(\mathbf{c}_{\mathbf{v}_1}^\star,\mathbf{c}_{\mathbf{v}_2^\star})$, $\mathbf{c}_{\tau}^\star$, $\mathbf{c}_{\mathbf{s}}^\star$ produced by $\adv$ as part of its forgery.
|
||||
If the extracted $\tau^\star$ is not a new tag, then $\bdv$ aborts. Otherwise, it can solve the given $\mathsf{SIS}$ instance exactly as in the proof of Lemma \ref{le:lwe-gs-type-I-attacks}.
|
||||
\medskip
|
||||
|
||||
\noindent $\bullet$ If $coin=1$, the proof proceeds as in the proof of Lemma \ref{le:lwe-gs-type-II-attacks} with one difference in \textsf{Game} $3$. This difference is that \textsf{Game} $3$ is no longer statistically
|
||||
\item If $coin=1$, the proof proceeds as in the proof of Lemma \ref{le:lwe-gs-type-II-attacks} with one difference in \textsf{Game} $3$. This difference is that \textsf{Game} $3$ is no longer statistically
|
||||
indistinguishable from \textsf{Game} $2$: instead, we rely on an argument based on the R\'enyi divergence.
|
||||
In \textsf{Game} $3$, $\bdv$ generates $PK$ exactly as in the proof of Lemma \ref{le:lwe-gs-type-II-attacks}. This implies that $\bdv$ takes a guess $i^\dagger \leftarrow U(\{1,\ldots,Q\})$
|
||||
with the hope that $\adv$ will choose to recycle the tag $\tau^{(i^\dagger)} $ of the $i^\dagger$-th signing query (i.e., $ \tau^\star =\tau^{(i^\dagger)} $).
|
||||
@ -745,6 +723,7 @@ probabilities during hybrid games where the two distributions are not close in t
|
||||
In addition, $\bdv$ picks extra small-norm matrices $\mathbf{R}_1,\ldots,\mathbf{R}_N \in \ZZ^{2m \times 2m}$ whose columns are sampled from $D_{\ZZ^m,\sigma}$, which
|
||||
are used to define randomizations of $\mathbf{D}_0$ by computing $\mathbf{D}_k = \mathbf{D}_0 \cdot \mathbf{R}_k$ for each $k \in \{1,\ldots,N\}$.
|
||||
The adversary is given public parameters $\mathsf{par}\coloneqq \{\mathbf{B},\mathbf{G}_0,\mathbf{G}_1,CK\}$, where $CK=\{\mathbf{D}_k\}_{k=0}^N$, and the public key $PK\coloneqq \big( \mathbf{A}, \{\mathbf{A}_j\}_{j=0}^\ell, \mathbf{D},\mathbf{u} \big)$.
|
||||
\end{itemize}
|
||||
|
||||
Using $\mathbf{T}_{\mathbf{C}}$,
|
||||
$\bdv$ can perfectly emulate the signing oracle at all queries, except the $i^\dagger$-th query where the
|
||||
@ -793,14 +772,14 @@ probabilities during hybrid games where the two distributions are not close in t
|
||||
Due to the definition of $\mathbf{D}_0 \in \ZZ_q^{2n \times 2m}$ in (\ref{def-D0}), we finally note that
|
||||
$\mathbf{w} \in \ZZ^{2m}$ is also a short non-zero vector of $\Lambda_q^{\perp}(\bar{\mathbf{A}})$.
|
||||
|
||||
\medskip
|
||||
|
||||
\noindent $\bullet$ If $coin=2$, $\bdv$ faithfully generates $\mathsf{par}$ and $PK$, but it retains the extraction trapdoor $(\mathbf{E}_0,\mathbf{E}_1)$ associated with the dual Regev public keys
|
||||
\begin{itemize}
|
||||
\item If $coin=2$, $\bdv$ faithfully generates $\mathsf{par}$ and $PK$, but it retains the extraction trapdoor $(\mathbf{E}_0,\mathbf{E}_1)$ associated with the dual Regev public keys
|
||||
$(\mathbf{G}_0,\mathbf{G}_1)$. Note that $\adv$ can break the soundness of the proof system by either: (i) Generating ciphertexts
|
||||
$\{\mathbf{c}_k\}_{k=1}^N$ and $\mathbf{c}_{s'}$ that do not encrypt an opening of $\mathbf{c}_{\mathfrak{m}}$ in the signature issuing protocol; (ii) Generating ciphertexts
|
||||
$\{\mathbf{c}_k\}_{k=1}^N$, $\mathbf{c}_{\tau}$, $\mathbf{c}_{\mathbf{v}_1}$, $\mathbf{c}_{\mathbf{v}_2}$ and $\mathbf{c}_{s}$ that do not encrypt a valid signature in the $\mathsf{Prove}$ protocol.
|
||||
In either case, the reduction $\bdv$ is able to detect the event by decrypting dual Regev ciphertext using $(\mathbf{E}_0,\mathbf{E}_1)$ and create a breach in the
|
||||
soundness of the argument system. \medskip
|
||||
soundness of the argument system.
|
||||
\end{itemize}
|
||||
|
||||
It it easy to see that, since $coin \in \{0,1,2 \}$ is chosen independently of $\adv$'s view, it turns out to be correct with probability $1/3$. As a consequence, if $\adv$'s advantage
|
||||
is non-negligible, so is $\bdv$'s.
|
||||
@ -835,7 +814,7 @@ The scheme provides anonymity under the $\mathsf{LWE}_{n,q,\chi}$ assumption.
|
||||
\end{description}
|
||||
\medskip
|
||||
|
||||
\noindent In \textsf{Game} $2$, we can notice that the adversary is interacting with a simulator that emulates the user in the $\mathsf{Prove}$ protocol \textit{without} using
|
||||
In \textsf{Game} $2$, we can notice that the adversary is interacting with a simulator that emulates the user in the $\mathsf{Prove}$ protocol \textit{without} using
|
||||
any message-signature pair. We thus conclude that, under the $\LWE_{n,q,\chi}$ assumption, $\adv$'s view cannot distinguish a real proof of signature possession from a simulated proof
|
||||
produced without any witness.
|
||||
\end{proof}
|
||||
@ -847,37 +826,37 @@ In this section, the signature scheme of Section \ref{se:gs-lwe-sigep} is used
|
||||
In the notations hereunder, for any positive integers $\mathfrak{n}$, and $q \geq 2$, we define the ``powers-of-2'' matrix $\mathbf{H}_{\mathfrak{n} \times \mathfrak{n}\lceil\log q\rceil} \in \ZZ_q^{\mathfrak{n} \times \mathfrak{n}\lceil\log q\rceil}$ to be:
|
||||
\begin{eqnarray*}
|
||||
\mathbf{H}_{\mathfrak{n} \times \mathfrak{n} \lceil\log q\rceil } &=& \mathbf{I}_{\mathfrak{n}} \otimes [1 \mid 2 \mid 4 \mid \ldots \mid 2^{\lceil\log q\rceil-1} ] .
|
||||
%\\ &=& \begin{bmatrix} 1 ~2~4 ~ \ldots ~2^{\lceil\log q\rceil-1} & & & & \\
|
||||
% & & & \ddots & \\
|
||||
% & & & & 1 ~2~4 ~ \ldots ~2^{\lceil\log q\rceil-1} \\
|
||||
%\end{bmatrix}.
|
||||
\end{eqnarray*}
|
||||
Also, for each vector $\mathbf{v} \in \ZZ_q^{\mathfrak{n}}$, we define $\bit(\mathbf{v}) \in \{0,1\}^{\mathfrak{n}\lceil\log q\rceil}$ to be the vector obtained by replacing each entry of $\mathbf{v}$ by its binary expansion.
|
||||
Hence, we have $\mathbf{v}=\mathbf{H}_{\mathfrak{n} \times \mathfrak{n}\lceil\log q\rceil} \cdot \bit(\mathbf{v})$ for any $\mathbf{v} \in \ZZ_q^{\mathfrak{n}}$. \\
|
||||
\indent
|
||||
Hence, we have $\mathbf{v}=\mathbf{H}_{\mathfrak{n} \times \mathfrak{n}\lceil\log q\rceil} \cdot \bit(\mathbf{v})$ for any $\mathbf{v} \in \ZZ_q^{\mathfrak{n}}$.
|
||||
|
||||
In our scheme, each group membership certificate is a
|
||||
signature generated by the group manager on the user's public key. Since the group manager only needs to sign known (rather than committed) messages, we can
|
||||
use a simplified version of the signature, where the chameleon hash function does not need to choose
|
||||
the discrete Gaussian vector $\mathbf{s}$ with a larger standard deviation than other vectors. \\
|
||||
\indent
|
||||
the discrete Gaussian vector $\mathbf{s}$ with a larger standard deviation than other vectors.
|
||||
|
||||
A key component of the scheme is the two-message joining protocol whereby the group manager admits new group members by signing their public key. The first message is sent by
|
||||
the new user $\mathcal{U}_i$ who samples a membership secret consisting of a short vector $\mathbf{z}_i \sample D_{\ZZ^{4m},\sigma}$ (where $m= 2n \lceil\log q\rceil$), which is used to compute a
|
||||
syndrome $\mathbf{v}_i = \mathbf{F} \cdot \mathbf{z}_i \in \ZZ_q^{4n}$ for some public matrix $\mathbf{F} \in \ZZ_q^{4n \times 4m} $. This syndrome $\mathbf{v}_i \in \ZZ_q^{4n}$ must be signed by $\mathcal{U}_i$ using his long term secret key $\mathsf{usk}[i]$ (as in
|
||||
\cite{KY06,BSZ05}, we assume that each user has a long-term key $\mathsf{upk}[i]$ for a digital signature, which is registered in some PKI) and will uniquely
|
||||
identify $\mathcal{U}_i$.
|
||||
In order to generate a membership certificate for $\mathbf{v}_i \in \ZZ_q^{4n}$, the group manager $\mathsf{GM}$ signs its binary expansion
|
||||
$\mathsf{bin}(\mathbf{v}_i) \in \{0,1\}^{4n \lceil \log q \rceil }$ using the scheme of Section \ref{se:gs-lwe-sigep}. \\ \indent Equipped with his membership
|
||||
$\mathsf{bin}(\mathbf{v}_i) \in \{0,1\}^{4n \lceil \log q \rceil }$ using the scheme of Section \ref{se:gs-lwe-sigep}.
|
||||
|
||||
Equipped with his membership
|
||||
certificate $(\tau,\mathbf{d},\mathbf{s}) \in \{0,1\}^\ell \times \ZZ^{2m} \times \ZZ^{2m}$, the new group member $\mathcal{U}_i$ can sign a message using a Stern-like protocol for
|
||||
demonstrating his knowledge of
|
||||
a valid certificate for which he also knows the secret key associated with the certified public key $\mathbf{v}_i \in \ZZ_q^{4n}$. This boils down to
|
||||
providing evidence that the membership certificate is a valid signature on some binary message $\mathsf{bin}(\mathbf{v}_i) \in \{0,1\}^{4n \lceil \log q \rceil }$
|
||||
for which he also knows a short $\mathbf{z}_i \in \ZZ^{4m}$
|
||||
such that
|
||||
$ \mathbf{v}_i = \mathbf{H}_{4n \times 2m} \cdot \bit(\mathbf{v}_i) = \mathbf{F} \cdot \mathbf{z}_i \in \mathbb{Z}_q^{4n}$. \\
|
||||
\indent Interestingly, the process does not require any proof of knowledge of the membership secret $\mathbf{z}_i$ during the joining phase, which is round-optimal. Analogously to the Kiayias-Yung technique \cite{KY05} and constructions based on structure-preserving signatures
|
||||
$ \mathbf{v}_i = \mathbf{H}_{4n \times 2m} \cdot \bit(\mathbf{v}_i) = \mathbf{F} \cdot \mathbf{z}_i \in \mathbb{Z}_q^{4n}$.
|
||||
|
||||
Interestingly, the process does not require any proof of knowledge of the membership secret $\mathbf{z}_i$ during the joining phase, which is round-optimal. Analogously to the Kiayias-Yung technique \cite{KY05} and constructions based on structure-preserving signatures
|
||||
\cite{AFG+10}, the joining protocol thus remains secure in environments where many users want
|
||||
to register at the same time in concurrent sessions. \\
|
||||
\indent We remark that a similar Stern-like protocol could also be directly used to prove knowledge of a Boyen signature \cite{Boy10} on a binary expansion of the
|
||||
to register at the same time in concurrent sessions.
|
||||
|
||||
We remark that a similar Stern-like protocol could also be directly used to prove knowledge of a Boyen signature \cite{Boy10} on a binary expansion of the
|
||||
user's syndrome $\mathbf{v}_i \in \ZZ_q^{4n}$ while preserving the user's ability to prove knowledge of a short $\mathbf{z}_i \in \ZZ^{4m}$ such that $\mathbf{F} \cdot \mathbf{z}_i =
|
||||
\mathbf{v}_i \bmod q$. However, this would require considerably longer private keys containing $ 4n \cdot \log q$ matrices $\{\mathbf{A}_j\}_{j=0}^\ell$ of dimension $n \times
|
||||
m$ each (i.e., we would need $\ell= \Theta(n \cdot \log q)$). In contrast, by using the signature scheme of Section \ref{se:gs-lwe-sigep}, we only need the group public key
|
||||
@ -902,7 +881,6 @@ Then, do the following. \smallskip \smallskip
|
||||
\item[1.] Generate a key pair for the signature of Section \ref{desc-sig-protoc} for signing single-block messages. Namely, run $\TrapGen(1^n,1^m,q)$ to get~$\mathbf{A} \in
|
||||
\ZZ_q^{n \times m}$ and a short basis $\mathbf{T}_{\mathbf{A}}$ of
|
||||
$\Lambda_q^{\perp}(\mathbf{A})$, which allows computing short vectors in $\Lambda_q^{\perp}(\mathbf{A})$ with Gaussian parameter $\sigma$.
|
||||
% $\sigma \geq \| \widetilde{\mathbf{T}_{\mathbf{A}}} \| \cdot \omega (\sqrt{\log m})$.
|
||||
Next, choose matrices
|
||||
$\mathbf{A}_0,\mathbf{A}_1,\ldots,\mathbf{A}_{\ell},\mathbf{D} \sample (\ZZ_q^{n \times m})$, $ \mathbf{D}_0,\mathbf{D}_1 \sample (\ZZ_q^{2n \times 2m})$ and a vector $\mathbf{u} \sample (\ZZ_q^n)$.
|
||||
\item[2.] Choose an additional random matrix $\mathbf{F} \sample (\ZZ_q^{4n \times 4m})$ uniformly. Looking ahead, this matrix will be used to ensure security against framing attacks.
|
||||
@ -977,7 +955,6 @@ $\bit(\mathbf{v}_i) \in \{0,1\}^{2m}$, where $\mathbf{v}_i=\mathbf{F} \cdot \mat
|
||||
$\scr_i=\mathbf{z}_i \in \mathbb{Z}^{4m}$ for the matrix $\mathbf{F}$. Namely, compute $ \mathbf{c}_{\mathbf{v}_i} \in \ZZ_q^m \times \ZZ_q^{2m}$ as
|
||||
\begin{eqnarray} \label{enc1}
|
||||
\mathbf{c}_{\mathbf{v}_i}=(\mathbf{c}_1,\mathbf{c}_2) &=& \big( \mathbf{B}^T \cdot \mathbf{e}_0 + \mathbf{x}_1 ,~ \mathbf{G}_0^T \cdot \mathbf{e}_0 + \mathbf{x}_2 + \bit(\mathbf{v}_i) \cdot \lfloor q/2 \rfloor \big) \qquad
|
||||
%\\ \nonumber && \hspace{4cm}\in \ZZ_q^m \times \ZZ_q^{2m}
|
||||
\end{eqnarray}
|
||||
for randomly chosen $\mathbf{e}_0 \sample \chi^n$, $\mathbf{x}_1 \sample \chi^m, \mathbf{x}_2 \sample \chi^{2m} $.
|
||||
Notice that, as in the construction of \cite{LNW15}, the columns of $\mathbf{G}_0$ can be interpreted as public keys for the multi-bit version
|
||||
@ -1054,7 +1031,6 @@ The size of each group signature is largely dominated by that of the non-interac
|
||||
|
||||
|
||||
\smallskip
|
||||
\noindent
|
||||
\textsc{Correctness.} The correctness of algorithm \textsf{Verify}$(\mathcal{Y},M,\Sigma)$ follows from the facts that every certified group member is able to compute valid witness vectors satisfying equations~(\ref{enc1}), (\ref{rel-deux}) and (\ref{eq:rel-3}), and that the underlying argument system is perfectly complete. Moreover, the scheme parameters are chosen so that the GPV IBE~\cite{GPV08} is correct, which implies that algorithm \textsf{Open}$(\mathcal{Y},\mathcal{S}_{\OA},M,\Sigma)$ is also correct.
|
||||
|
||||
|
||||
@ -1277,9 +1253,6 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
|
||||
before returning $\crt_{i^\star}=(\mathsf{id}^\dagger,\mathbf{d}_{i^\star} =[ \mathbf{d}_{i^\star,1}^T \mid \mathbf{d}_{i^\star,2}^T]^T,\mathbf{s}_{i^\star})$
|
||||
to $\adv$. From the definition of $\mathbf{u} \in \Zq^n$ (\ref{def-u}), it is easy to see that $\crt_{i^\star}=(\mathsf{id}^\dagger,\mathbf{d}_{i^\star} ,\mathbf{s}_{i^\star})$ forms a valid membership certificate for
|
||||
any membership secret $\mathbf{z}_{i^\star} \in \ZZ^{4m}$ corresponding to the syndrome $\mathbf{v}_{i^\star} = \mathbf{F} \cdot \mathbf{z}_{i^\star} \bmod q$.
|
||||
%Moreover, the distribution of
|
||||
%$\mathbf{s}_{i^\star}$ is
|
||||
% $D_{\ZZ^m,\sigma}^{\mathbf{c}_{v_{i^\star}}}$, where $\mathbf{c}_{v_{i^\star}} = \mathbf{c}_M - \mathbf{D}_0 \cdot \bit( \mathbf{v}_{i^\star}) \in \Zq^n $, as in \GGame $2$.
|
||||
\end{itemize}
|
||||
|
||||
Regardless of the value of $coin$, queries to the random oracle~$H$
|
||||
@ -1664,9 +1637,7 @@ To do so, we first form the following vectors and matrices:
|
||||
\scriptsize
|
||||
\begin{cases}
|
||||
\mathbf{x}_1 \hspace*{-1pt}= \hspace*{-1pt}\big(\mathbf{s}_0^T \| \mathbf{e}_{0,1}^T \| \mathbf{e}_{0,2}^T \| \mathbf{s}_{1}^T \| \mathbf{e}_{1,1}^T \| \mathbf{e}_{1,2}^T \| \ldots \| \mathbf{s}_{N}^T \| \mathbf{e}_{N,1}^T \| \mathbf{e}_{N,2}^T \big)^T\hspace*{-3.5pt} \in \hspace*{-1.5pt}[-B,B]^{(n+3m)(N+1)}; \\[2.5pt]
|
||||
%\mathbf{x}_2 = \big(\mathfrak{m}_1^T \| \ldots\| \mathfrak{m}_N^T\big)^T \in \mathsf{CorEnc}(mN); \hspace*{10pt} \mathbf{x}_3 = \mathbf{s}' \in [-(p-1), (p-1)]^{2m};\\[2.5pt]
|
||||
\mathbf{v} = \big(\mathbf{c}_{\mathfrak{m}}^T \| \mathbf{c}_{\mathbf{s}',1}^T\| \mathbf{c}_{\mathbf{s}',2}^T\| \mathbf{c}_{1,1}^T \|\mathbf{c}_{1,2}^T \| \ldots \|\mathbf{c}_{N,1}^T \|\mathbf{c}_{N,2}^T \big)^T \in \mathbb{Z}_q^{2n + 3m(N+1)};\\[5pt]
|
||||
%\mathbf{D} = [\mathbf{D}_1 | \ldots | \mathbf{D}_N]; \hspace*{5pt}
|
||||
\mathbf{P}_1 = \left(
|
||||
\begin{array}{ccc}
|
||||
\begin{array}{c}
|
||||
@ -1752,8 +1723,6 @@ Now we employ the techniques from \cref{sse:stern-abstraction} to convert~\eqref
|
||||
\begin{cases}
|
||||
\mathsf{DecExt}_{(n+3m)(N+1),B}(\mathbf{x}_1) \rightarrow \hat{\mathbf{x}}_1 \in \mathsf{B}^3_{(n+3m)(N+1)\delta_B}; \\[2.5pt]
|
||||
{\mathbf{M}}'_1 = \mathbf{M}_1 \cdot \widehat{\mathbf{K}}_{(n+3m)(N+1),B} \in \ZZ_q^{D \times 3(n+3m)(N+1)\delta_B}; \\[2.5pt]
|
||||
%\mathsf{Ext}_{2mN}(\mathbf{x}_2) \rightarrow \hat{\mathbf{x}}_2 \in \mathsf{B}_{2(2mN)}; \hspace*{5pt}
|
||||
%{\mathbf{M}}'_2 = \big[\mathbf{M}_2 | \mathbf{0}^{D \times 2mN}] \in \mathbb{Z}_q^{D \times 4mN}; \\[5pt]
|
||||
\mathsf{DecExt}_{2m, p-1}(\mathbf{s}') \rightarrow \hat{\mathbf{s}} \in \mathsf{B}^3_{2m\delta_{p-1}}; \hspace*{5pt}
|
||||
{\mathbf{M}}'_3 = \mathbf{M}_3 \cdot \widehat{\mathbf{K}}_{2m,p-1} \in \mathbb{Z}_q^{D \times 6m\delta_{p-1}},
|
||||
\end{cases}
|
||||
@ -1815,27 +1784,24 @@ We now describe how to derive the protocol for proving the possession of a signa
|
||||
\end{eqnarray}
|
||||
and that (modulo $q$)
|
||||
\begin{eqnarray}\label{equation:R-sign-ciphertext}
|
||||
\hspace*{-12.5pt}
|
||||
\begin{cases}
|
||||
\forall k\in [N]: \mathbf{c}_{k,1}= \mathbf{B}^T\cdot\mathbf{s}_{k} + \mathbf{e}_{k,1} ; \hspace*{5pt}\mathbf{c}_{k,2}= \mathbf{G}_1^T\cdot \mathbf{s}_{k} + \mathbf{e}_{k,2} + \lfloor q/2 \rfloor\cdot \mathfrak{m}_k ; \\
|
||||
\forall k\in [N]: \mathbf{c}_{k,1}= \mathbf{B}^T\cdot\mathbf{s}_{k} + \mathbf{e}_{k,1} ; \mathbf{c}_{k,2}= \mathbf{G}_1^T\cdot \mathbf{s}_{k} + \mathbf{e}_{k,2} + \lfloor q/2 \rfloor\cdot \mathfrak{m}_k ; \\
|
||||
|
||||
\mathbf{c}_{\mathbf{v}, 1}= \mathbf{B}^T\cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},1} ; \\
|
||||
\mathbf{c}_{\mathbf{v},2}= \mathbf{G}_1^T \hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{s}_{\mathbf{v}} \hspace*{-2pt}+\hspace*{-2pt} \mathbf{e}_{\mathbf{v},2}\hspace*{-2pt}+\hspace*{-2pt} \lfloor\frac{q}{p}\rfloor \hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{v} \hspace*{-2pt}=\hspace*{-2pt} \mathbf{G}_1^T \hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{s}_{\mathbf{v}} \hspace*{-2pt}+\hspace*{-2pt} \mathbf{e}_{\mathbf{v},2}\hspace*{-2pt}+\hspace*{-2pt} \left(\hspace*{-2pt}
|
||||
\mathbf{c}_{\mathbf{v},2}= \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}} +\mathbf{e}_{\mathbf{v},2}+ \lfloor\frac{q}{p}\rfloor \cdot \mathbf{v} = \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},2} + \left(
|
||||
\begin{array}{c}
|
||||
\lfloor\frac{q}{p}\rfloor \mathbf{I}_m \\
|
||||
\mathbf{0}\\
|
||||
\end{array}
|
||||
\hspace*{-2pt}\right)\cdot \mathbf{v}_1
|
||||
\hspace*{-2pt}+ \hspace*{-2pt} \left(\hspace*{-2pt}
|
||||
\right)\cdot \mathbf{v}_1
|
||||
+ \left(
|
||||
\begin{array}{c}
|
||||
\mathbf{0}\\
|
||||
\lfloor\frac{q}{p}\rfloor \mathbf{I}_m \\
|
||||
\end{array}
|
||||
\hspace*{-2pt}\right)\hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{v}_2
|
||||
\right)\cdot \mathbf{v}_2
|
||||
; \\
|
||||
|
||||
%\mathbf{c}_{\mathbf{v}_2, 1}= \mathbf{B}^T\cdot \mathbf{s}_{\mathbf{v}_2} + \mathbf{e}_{\mathbf{v}_2,1} ; \hspace*{2.5pt}
|
||||
%\mathbf{c}_{\mathbf{v}_2,2}= \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}_2} + \mathbf{e}_{\mathbf{v}_2,2}+ \lfloor\frac{q}{p}\rfloor \cdot %\mathbf{v}_2 ; \\
|
||||
|
||||
\mathbf{c}_{\mathbf{s}, 1}= \mathbf{B}^T\cdot \mathbf{s}_0 + \mathbf{e}_{0,1} ; \hspace*{5pt}\mathbf{c}_{\mathbf{s},2}= \mathbf{G}_1^T\cdot \mathbf{s}_0 + \mathbf{e}_{0,2} + \lfloor q/p \rfloor\cdot \mathbf{s} ; \\
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user