Fabrice Mouhartem 2018-05-29 21:18:48 +02:00
parent 76a1ea2673
commit ec61d1a19f
3 changed files with 1261 additions and 96 deletions


@ -1,3 +1,4 @@
\section{Syntax and Definitions of Group Encryption} \label{GE-model}
We use the syntax and the security model of Kiayias, Tsiounis and Yung \cite{KTY07}.
@ -1062,7 +1063,7 @@ The security results are explicited in the following theorems.
In Game $4$, we can show that, if the adversary $\adv$ has noticeable advantage in the anonymity game, we can break the anonymity of the ABB IBE system, as shown
in the proof of Lemma \ref{ABB-deux}.
From the result of \cite[Theorem 23]{ABB10}, we deduce that $|\Pr[W_4]-1/2| \leq \mathbf{Adv}^{\mathsf{LWE}}(\lambda)$,
which implies the announced result. %\qed
which implies the announced result.
\end{proof}
\begin{lemma}\label{ABB-un}
@ -1113,7 +1114,7 @@ we can assess % corresponds to \SFGame 3.
&= \left|\Pr[W_4] - \Pr[W_3]\right|\\
&= \varepsilon,
\end{align*}
which proves the result. %\qed
which proves the result.
\end{proof}
\begin{lemma} \label{ABB-deux}
@ -1158,9 +1159,7 @@ we can assess % corresponds to \SFGame 3.
When $\adv$ ends, it outputs a bit $b' \in \{0,1\}$. If $b' = b$, the reduction outputs \textsf{Real}. Otherwise, it outputs \textsf{Random}.
Indeed, if the ROR challenger is playing the real game, we are exactly in Game $4$: we have $\Pr[b'=b | \mathsf{Real}] = \Pr[W_4]$.
Otherwise, the challenge ciphertext $\mathbf{\Psi}^\star$ is completely independent of $b \in \{0,1\}$
so that we can only have $b'=b$ with probability $\Pr[b'=b| \mathsf{Random}]=1/2$. It follows that $\advantage{\mathrm{ROR}}{\bdv}(\lambda) \geq | \Pr[W_4] -1/2 |$. %\qed
%as it is comprised of random encryptions $\mathbf c_\rec$ and $\mathbf c_\OA$,
%and thus an adversary cannot win with probability further than $\negl(\lambda)$ from
so that we can only have $b'=b$ with probability $\Pr[b'=b| \mathsf{Random}]=1/2$. It follows that $\advantage{\mathrm{ROR}}{\bdv}(\lambda) \geq | \Pr[W_4] -1/2 |$.
\end{proof}
\subsubsection{Message Secrecy}
@ -1240,7 +1239,6 @@ we can assess % corresponds to \SFGame 3.
does not need to know any witness. It thus mirrors the experiment of Definition \ref{security-def} where the
challenger's bit is $b=0$. Putting everything altogether, we get
$|\Pr[W_5]-\Pr[W_1]| \in \mathsf{negl}(\lambda) $, which yields the claimed result.
%\qed
\end{proof}
\begin{lemma} \label{ABB-simple}
@ -1291,7 +1289,7 @@ of the ABB scheme, which would contradict the $\LWE$ assumption, as established
\advantage{\textrm{sID-CPA}}{\bdv}(\lambda) &= \left| \Pr[b'=1 | \textsf{Real}] - \Pr[b'=1 | \mathsf{Random}] \right| = \left|\Pr[W_3] - \Pr[W_4] \right|\\
&= \varepsilon,
\end{align*}
which concludes our proof. %\qed
which concludes our proof.
\end{proof}
@ -1362,6 +1360,5 @@ signed by the reduction during an execution of $\mathsf{JOIN}$. This implies th
the pair
$\big(\mathbf{t}_{\USR} , (\tau,\mathbf{d},\mathbf{r}) \big)$ forms a forgery for the $\mathsf{SIS}$-based signature scheme of Section~\ref{se:gs-lwe-sigep}. The reduction is straightforward
and omitted.
%\qed
\end{proof}
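Review bot: In the rewritten closing sentence of the proof of Lemma ABB-deux (hunk at 1158), a bare `|` is used both as the conditioning bar and as the absolute-value delimiter, which gives relation-less spacing and makes the bound hard to read. `\Pr[b'=b \mid \mathsf{Random}]=1/2` and `\left|\Pr[W_4]-1/2\right|` would match the `\left|…\right|` form already used in the hunk at 1291. The same sentence states the bound with `\geq`, although the two conditional probabilities given just before it appear to make the gap exactly `|\Pr[W_4]-1/2|`, which is how the sID-CPA reduction in the hunk at 1291 writes it with `=`. If the ROR advantage is defined as that distinguishing gap (its definition is not visible here), an equality would be tighter and consistent with the other reduction. The proof body starts outside the hunk.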


@ -1,5 +1,3 @@
\section{Introduction}
In this Chapter, we present the first dynamic group signature scheme that relies on lattice assumptions.
This construction relies on a signature scheme with efficient protocols as in~\cref{ch:sigmasig}, and it is used in a similar fashion.
As a consequence, it is possible to construct lattice-based anonymous credential from this building block.
