fmouhart/thesis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update

Browse Source
This commit is contained in:
Fabrice Mouhartem
2018-04-11 17:35:11 +02:00
parent 71f9598540
commit e9b4ab0a3c
7 changed files with 70 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
sec-stern.tex
View File

@ -142,7 +142,7 @@ $\mathsf{VALID} = \{
The conditions in \eqref{eq:zk-equivalence} play a crucial role in proving in \textsf{ZK} that $\mathbf{w} \in \mathsf{VALID}$. To this end, the prover samples a random $\phi \hookleftarrow \U(\mathcal{S})$ and lets the verifier check that $\Gamma_\phi(\mathbf{w}) \in \mathsf{VALID}$ without learning any additional information about $\mathbf{w}$ due to the randomness of $\phi$. Furthermore, to prove in a zero-knowledge manner that the linear equation is satisfied, the prover samples a masking vector $\mathbf{r}_w \hookleftarrow \U(\mathbb{Z}_q^D)$, and convinces the verifier instead that $\mathbf{M}\cdot (\mathbf{w} + \mathbf{r}_w) = \mathbf{M}\cdot \mathbf{r}_w + \mathbf{v} \bmod q.$
The interaction between prover $\mathcal{P}$ and verifier $\mathcal{V}$ is described in Figure~\ref{fig:Interactive-Protocol}. The protocol uses a statistically hiding and computationally binding string commitment scheme \textsf{COM} (e.g., the \textsf{SIS}-based scheme from~\cite{KTX08}).
The interaction between prover $\mathcal{P}$ and verifier $\mathcal{V}$ is described in Figure~\ref{fig:Interactive-Protocol}. The protocol uses a statistically hiding and computationally binding string commitment scheme \textsf{COM} (e.g., the \textsf{SIS}-based scheme from~\cite{KTX08} described in~\cref{de:sis-commitment}).
\begin{theorem}\label{Theorem:zk-protocol}
The protocol in Figure~\ref{fig:Interactive-Protocol} is a statistical \emph{\textsf{ZKAoK}} with perfect completeness, soundness error~$2/3$, and communication cost~$\mathcal{O}(D \cdot \log q)$. Namely: