Update

chap-GS-LWE.tex

@@ -1,2 +1,2 @@
-\chapter{Lattice-Based Dynamic Group Signatures}
+\chapter{Lattice-Based Dynamic Group Signatures} \label{ch:gs-lwe}
 \addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Signatures de groupe dynamique à base de réseaux euclidiens}

chap-ZK.tex

@@ -102,7 +102,7 @@ Commitment schemes~\cite{Blu81} are the digital equivalent of a safe. The goal i
   A \textit{commitment scheme} is given by a triple of algorithms $(\Setup, \Commit, \Open)$ that acts as follows:
   \begin{description}
     \item[\textsf{Setup}$(1^\lambda)$:] This algorithm outputs the commitment scheme's parameters $\param$.
-    \item[\textsf{Commit}$(\param, M)$:] From a message $M$ and parameters $\param$, this algorithms outputs a commitment $\com$ and an opening $\open$.
+    \item[\textsf{Commit}$(\param, M)$:] From a message $M$ and parameters $\param$, this algorithms outputs a commitment $\com$ and an opening $\open$. The randomness $\rho$ used in the commitment is sometimes made explicit.
     \item[\textsf{Verify}$(\param, \com, \open, M)$:] Using parameters $\param$ a message $M$, its commitment $\com$ and its opening $\open$, this algorithms returns bit $b$.
   \end{description}
 
@@ -123,6 +123,36 @@ Commitment schemes~\cite{Blu81} are the digital equivalent of a safe. The goal i
 
 Commitment schemes are thus used to \textit{oblige} the verifier of the $\Sigma$-protocol to be honest: it commits its challenge at the outset of the interaction, and opens it at the challenge phase, so that it cannot change its challenge with respect to the commitment of the prover.
 
+An example of commitment scheme that will prove useful in \cref{sse:stern} is the Kawachi, Tanaka, Xagawa \SIS-based commitment scheme~\cite{KTX08}.
+
+This construction relies on the following hash function:
+\begin{definition}[$\SIS$-based hash function] \label{de:sis-hash}
+  Let $n,\ell,q \in \ZZ$ be parameters such that the $\SIS_{n,\ell,q, \sqrt \ell}$ assumption holds.
+  Let $\mathbf A \in \Zq^{n \times \ell}$, and let $f_{\mathbf A}: \bit^\ell \to \Zq^n$ be the function that maps its input string $x$ into a binary vector $\mathbf x \in \Zq^n$ and outputs $\mathbf A \mathbf x \bmod q \in \Zq^n$.
+
+  One can notice that $f_{\mathbf A}$ is indeed a collision resistant one-way function under the $\SIS$ assumption, as finding two inputs $x \neq \tilde{x}$ such that $\mathbf A \cdot \mathbf x = \mathbf A \cdot \tilde{\mathbf x} \bmod q$ leads to a non-zero vector $\mathbf x'  =\mathbf x - \tilde{\mathbf x} \in \ZZ$ such that $\|\mathbf x'\|_2 \leq \sqrt \ell$.
+
+  It is thus possible to apply the \textit{Merkle-Damg{\aa}rd construction}~\cite{Mer79,Mer89,Dam89} on $f_{\mathbf A}$ to obtain a \textit{collision resistant hash function} $h_{\mathbf A}: \bit^\star \to \Zq^n$ that is secure under $\SIS_{n,\ell, q, \sqrt \ell}$.
+\end{definition}
+
+It is then possible to use this hash function $h_{\mathbf A}$ to construct the following string commitment scheme.
+
+\begin{definition}[\SIS-based commitment scheme] \label{de:sis-commitment}
+  Given parameters $n,m,q \in \ZZ$, let us define the following commitment scheme due to~\cite{KTX08}.
+  \begin{description}
+    \item[\textsf{Setup}$(1^\lambda)$:] Pick two random matrices $\mathbf A_M, \mathbf A_\rho \in \U(\Zq^{n \times m})$ and define the public parameters as the matrix $\mathbf A = [ \mathbf A_M \mid \mathbf A_\rho]$.
+    \item[$\textsf{Commit}(\mathbf A, M; \rho)$:] To commit to a string $M \in \{0,1\}^\star$ under randomness $\rho \in \{0,1\}^{m}$, first parse $\mathbf A \in \Zq^{n \times 2m}$ as $[\mathbf A_M \mid \mathbf A_\rho]$ as in the \textsf{\textbf{Setup}} algorithm,
+      then compute $\com = h_{\mathbf A_M}(M) + f_{\mathbf A_\rho}(\rho) \in \Zq^n$,
+      where $h_{\mathbf A_M}$ and $f_{\mathbf A_\rho}$ are the hash function and the one-way collision resistant function defined in \cref{de:sis-hash}.
+      The opening corresponds to the randomness $\rho$ used in the computation.
+    \item[$\textsf{Verify}(\mathbf A, \com, \open, M)$:] First parse $\mathbf A$ as in the \textsf{\textbf{Setup}} algorithm. Then accept if and only if $\open \in \bit^m$ and $\com = h_{\mathbf A_M}(M) + f_{\mathbf A_\rho}(\rho)$.
+  \end{description}
+\end{definition}
+
+\begin{lemma}[{\cite[Le. 3.4]{KTX08}}]
+  If $m > 5n \log q$, the above commitment scheme is \emph{statistically hiding} and \emph{binding} under the $\SIS_{n,m,q,\sqrt{m}}$ assumption in the trusted setup model.
+\end{lemma}
+
 Another useful primitives are the non-interactive version of zero-knowledge proofs.
 
 \begin{definition}[Non Interactive Zero Knowledge]

chap-proofs.tex

@@ -90,7 +90,7 @@ That's why we'll now define the principle of polynomial time reduction.
 \begin{figure}
   \centering
   \input fig-poly-red
-  \caption{Illustration of a polynomial-time reduction~{\cite[Fig. 2.1]{AB09}}.} \label{fig:poly-reduction}
+  \caption{Illustration of a polynomial-time reduction from $A$ to $B$~{\cite[Fig. 2.1]{AB09}}.} \label{fig:poly-reduction}
 \end{figure}
 
 In other words, a polynomial reduction from $A$ to $B$ is the description of a polynomial time algorithm (also called ``\emph{the reduction}''), that uses an algorithm for $B$ in a black-box manner to solve $A$.
@@ -105,13 +105,15 @@ an attack is successful if the probability that it succeed is noticeable.
 
 \index{Negligible function}
 \begin{definition}[Negligible, noticeable, overwhelming probability] \label{de:negligible}
+  \index{Probability!Negligible} \index{Probability!Noticeable} \index{Probability!Overwhelming}
   Let $f : \NN \to [0,1]$ be a function. The function $f$ is said to be \emph{negligible} if $f(n) = n^{-\omega(1)}_{}$, and this is written $f(n) = \negl[n]$.\\
   Non-negligible functions are also called \emph{noticeable} functions.\\
   Finally, if $f = 1- \negl[n]$, $f$ is said to be \emph{overwhelming}.
 \end{definition}
 
-Once that we define the notions related to the core of the proof, we have to define the objects on what we work on.
-Namely, defining what we want to prove, and the hypotheses on which we rely, also called ``hardness assumption''.
+Once we defined these notions related to the core of the proof, we have to define the objects on what we work on.
+Namely, defining \textit{what we want to prove}, and the hypotheses on which we rely, also called ``\textit{hardness assumption}''.
+\index{Hardness assumptions}
 
 The details of the hardness assumptions we use are given in Chapter~\ref{ch:structures}.
 Nevertheless, some notions are common to these and are evoked here.
@@ -127,7 +129,7 @@ To illustrate this, let us consider the two following assumptions:
   The \emph{discrete algorithm problem} is defined as follows. Let $(\GG, \cdot)$ be a cyclic group of order $p$.
   Given $g,h \in \GG$, the goal is to find an integer $a \in \Zp^{}$ such that: $g^a_{} = h$.
 
-  The \textit{discrete logarithm assumption} is the intractability of this problem.
+  The \textit{discrete logarithm assumption} is the intractability of this problem for any \ppt{} algorithm with noticeable probability.
 \end{definition}
 
 \begin{restatable}[Decisional Diffie-Hellman]{definition}{defDDH}
@@ -168,7 +170,7 @@ For instance, cryptographic hash functions enjoy several different associated se
 The weakest is the collision resistance, that states that it is intractable to find two strings that maps to the same digest.
 A stronger notion is the second pre-image resistance, that states that given $x \in \bit^\star_{}$, it is not possible for a $\ppt$ algorithm to find $\tilde{x} \in \bit^\star_{}$ such that $h(x) = h(\tilde{x})$.
 Similarly to what we saw in the previous section about $\DDH$ and $\DLP$, we can see that collision resistance implies second pre-image resistance.
-Indeed, if there is an attacker against second pre-image, then one can choose a string $x \in \bit^\star_{}$ and obtains from this attacker a second string $\tilde{x} \in \bit^\star_{}$ such that $h(x) = h(\tilde{x})$. So a hash function that is collision resistant is also second pre-image resistant.
+Indeed, if there is an attacker against second pre-image, then one can choose a string $x \in \bit^\star_{}$ and obtains from this attacker another string $\tilde{x} \neq x \in \bit^\star_{}$ such that $h(x) = h(\tilde{x})$. So a hash function that is collision resistant is also second pre-image resistant.
 
 \index{Random Oracle Model}
 The \textit{random oracle model}~\cite{FS86,BR93}, or \ROM, is an idealized security model where hash functions are assumed to behave as a truly random function.

main.tex

@@ -105,6 +105,8 @@
 \label{pa:gs-ac}
 \addcontentsline{tof}{part}{\protect\numberline{\thepart} Signatures de groupe et accréditations anonymes}
 
+\input chap-GS-background
+
 \input chap-sigmasig
 
 \input chap-GS-LWE

sec-lattices.tex

@@ -40,7 +40,7 @@ In the following, we work with $q$-ary lattices, for some prime number $q$, defi
   is a shift of   $\Lambda_q^{\perp} (\mathbf{A})$.
 \end{definition}
 
-\begin{definition}[Gaussian distribution over a lattice] \index{Lattices!Gaussian distribution}
+\begin{definition}[Gaussian distribution over a lattice] \index{Probability!Gaussian distribution}
   For a lattice~$\Lambda$, a vector $\mathbf{c} \in \RR^n$ and a real~$\sigma>0$, define the distribution function
   $\rho_{\sigma,\mathbf{c}}(\mathbf{x}) \triangleq \exp(-\pi\|\mathbf{x}- \mathbf{c} \|^2/\sigma^2)$.
   The discrete Gaussian distribution of support~$\Lambda$, parameter~$\sigma$ and center $\mathbf{c}$ is defined as

sec-stern.tex

@@ -142,7 +142,7 @@ $\mathsf{VALID} = \{
 The conditions in \eqref{eq:zk-equivalence} play a crucial role in proving in \textsf{ZK} that $\mathbf{w} \in \mathsf{VALID}$. To this end, the prover samples a random $\phi \hookleftarrow \U(\mathcal{S})$ and lets the verifier check that $\Gamma_\phi(\mathbf{w}) \in \mathsf{VALID}$ without learning any additional information about $\mathbf{w}$ due to the randomness of $\phi$. Furthermore, to prove in a zero-knowledge manner that the linear equation is satisfied, the prover samples a masking vector $\mathbf{r}_w \hookleftarrow \U(\mathbb{Z}_q^D)$, and convinces the verifier instead that $\mathbf{M}\cdot (\mathbf{w} + \mathbf{r}_w) = \mathbf{M}\cdot \mathbf{r}_w + \mathbf{v} \bmod q.$
 
 
-The interaction between prover $\mathcal{P}$ and verifier $\mathcal{V}$ is described in Figure~\ref{fig:Interactive-Protocol}. The protocol uses a statistically hiding and computationally binding string commitment scheme \textsf{COM} (e.g., the \textsf{SIS}-based scheme from~\cite{KTX08}).
+The interaction between prover $\mathcal{P}$ and verifier $\mathcal{V}$ is described in Figure~\ref{fig:Interactive-Protocol}. The protocol uses a statistically hiding and computationally binding string commitment scheme \textsf{COM} (e.g., the \textsf{SIS}-based scheme from~\cite{KTX08} described in~\cref{de:sis-commitment}).
 
 \begin{theorem}\label{Theorem:zk-protocol}
 The protocol in Figure~\ref{fig:Interactive-Protocol} is a statistical \emph{\textsf{ZKAoK}} with perfect completeness, soundness error~$2/3$, and communication cost~$\mathcal{O}(D \cdot \log q)$. Namely:

these.bib

@@ -844,7 +844,7 @@
   title     = {About the security of {MTI/C0} and {MQV}},
   booktitle = {SCN'06},
   year      = {2006},
-  editor    = {Springer},
+  publisher = {Springer},
   pages     = {156--172},
 }
 
@@ -942,6 +942,8 @@
   title     = {{A Certified Digital Signature}},
   booktitle = {{Crypto}},
   year      = {1989},
+  pages     = {218--238},
+  publisher = {Springer},
 }
 
 @InProceedings{MRV99,
@@ -1125,7 +1127,7 @@
   title     = {Universally composable adaptive priced oblivious transfer},
   booktitle = {Pairing'09},
   year      = {2009},
-  editor    = {Springer},
+  publisher    = {Springer},
   series    = {LNCS},
   pages     = {231--247},
 }
@@ -2100,7 +2102,7 @@
   title     = {Security Analysis of the Strong Diffie-Hellman Problem},
   booktitle = {Eurocrypt},
   year      = {2006},
-  editor    = {Springer},
+  publisher    = {Springer},
   volume    = {4004},
   series    = {LNCS},
 }
@@ -2471,7 +2473,7 @@
   title     = {{Coin Flipping by Telephone}},
   booktitle = {Crypto},
   year      = {1981},
-  editor    = {Springer},
+  publisher    = {Springer},
   pages     = {11--15},
 }
 
@@ -2495,7 +2497,7 @@
   title     = {{Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing}},
   booktitle = {Crypto},
   year      = {1991},
-  editor    = {Springer},
+  publisher    = {Springer},
   pages     = {129--140},
 }
 
@@ -2504,7 +2506,7 @@
   title     = {{Fiat-Shamir with Aborts: Applications to Lattice and Factoring-Based Signatures}},
   booktitle = {Asiacrypt},
   year      = {2009},
-  editor    = {Springer},
+  publisher    = {Springer},
   pages     = {598--616},
 }
 
@@ -2520,7 +2522,7 @@
   title     = {{Zero-Knowledge Arguments for Lattice-Based PRFs and Applications to E-Cash}},
   booktitle = {Asiacrypt},
   year      = {2017},
-  editor    = {Springer},
+  publisher    = {Springer},
   series    = {LNCS},
   pages     = {304--335},
 }
@@ -2543,4 +2545,22 @@
   pages     = {416--426},
 }
 
+@PhdThesis{Mer79,
+  author = {Merkle, Ralph Charles},
+  title  = {Secrecy, Authentication, and Public Key Systems},
+  school = {Stanford University},
+  year   = {1979},
+  month  = jun,
+  note   = {\url{http://www.merkle.com/papers/Thesis1979.pdf}},
+}
+
+@InProceedings{Dam89,
+  author    = {Damg{\aa}rd, Ivan},
+  title     = {{A Design Principle for Hash Functions}},
+  booktitle = {Crypto},
+  year      = {1989},
+  publisher    = {Springer},
+  pages     = {416--427},
+}
+
 @Comment{jabref-meta: databaseType:bibtex;}