Fabrice Mouhartem 2018-05-29 21:18:48 +02:00
parent 76a1ea2673
commit ec61d1a19f
3 changed files with 1261 additions and 96 deletions


@ -1,3 +1,4 @@
\section{Syntax and Definitions of Group Encryption} \label{GE-model} \section{Syntax and Definitions of Group Encryption} \label{GE-model}
We use the syntax and the security model of Kiayias, Tsiounis and Yung \cite{KTY07}. We use the syntax and the security model of Kiayias, Tsiounis and Yung \cite{KTY07}.
@ -1062,7 +1063,7 @@ The security results are explicited in the following theorems.
In Game $4$, we can show that, if the adversary $\adv$ has noticeable advantage in the anonymity game, we can break the anonymity of the ABB IBE system, as shown In Game $4$, we can show that, if the adversary $\adv$ has noticeable advantage in the anonymity game, we can break the anonymity of the ABB IBE system, as shown
in the proof of Lemma \ref{ABB-deux}. in the proof of Lemma \ref{ABB-deux}.
From the result of \cite[Theorem 23]{ABB10}, we deduce that $|\Pr[W_4]-1/2| \leq \mathbf{Adv}^{\mathsf{LWE}}(\lambda)$, From the result of \cite[Theorem 23]{ABB10}, we deduce that $|\Pr[W_4]-1/2| \leq \mathbf{Adv}^{\mathsf{LWE}}(\lambda)$,
which implies the announced result. %\qed which implies the announced result.
\end{proof} \end{proof}
\begin{lemma}\label{ABB-un} \begin{lemma}\label{ABB-un}
@ -1113,7 +1114,7 @@ we can assess % corresponds to \SFGame 3.
&= \left|\Pr[W_4] - \Pr[W_3]\right|\\ &= \left|\Pr[W_4] - \Pr[W_3]\right|\\
&= \varepsilon, &= \varepsilon,
\end{align*} \end{align*}
which proves the result. %\qed which proves the result.
\end{proof} \end{proof}
\begin{lemma} \label{ABB-deux} \begin{lemma} \label{ABB-deux}
@ -1158,9 +1159,7 @@ we can assess % corresponds to \SFGame 3.
When $\adv$ ends, it outputs a bit $b' \in \{0,1\}$. If $b' = b$, the reduction outputs \textsf{Real}. Otherwise, it outputs \textsf{Random}. When $\adv$ ends, it outputs a bit $b' \in \{0,1\}$. If $b' = b$, the reduction outputs \textsf{Real}. Otherwise, it outputs \textsf{Random}.
Indeed, if the ROR challenger is playing the real game, we are exactly in Game $4$: we have $\Pr[b'=b | \mathsf{Real}] = \Pr[W_4]$. Indeed, if the ROR challenger is playing the real game, we are exactly in Game $4$: we have $\Pr[b'=b | \mathsf{Real}] = \Pr[W_4]$.
Otherwise, the challenge ciphertext $\mathbf{\Psi}^\star$ is completely independent of $b \in \{0,1\}$ Otherwise, the challenge ciphertext $\mathbf{\Psi}^\star$ is completely independent of $b \in \{0,1\}$
so that we can only have $b'=b$ with probability $\Pr[b'=b| \mathsf{Random}]=1/2$. It follows that $\advantage{\mathrm{ROR}}{\bdv}(\lambda) \geq | \Pr[W_4] -1/2 |$. %\qed so that we can only have $b'=b$ with probability $\Pr[b'=b| \mathsf{Random}]=1/2$. It follows that $\advantage{\mathrm{ROR}}{\bdv}(\lambda) \geq | \Pr[W_4] -1/2 |$.
%as it is comprised of random encryptions $\mathbf c_\rec$ and $\mathbf c_\OA$,
%and thus an adversary cannot win with probability further than $\negl(\lambda)$ from
\end{proof} \end{proof}
\subsubsection{Message Secrecy} \subsubsection{Message Secrecy}
@ -1240,7 +1239,6 @@ we can assess % corresponds to \SFGame 3.
does not need to know any witness. It thus mirrors the experiment of Definition \ref{security-def} where the does not need to know any witness. It thus mirrors the experiment of Definition \ref{security-def} where the
challenger's bit is $b=0$. Putting everything altogether, we get challenger's bit is $b=0$. Putting everything altogether, we get
$|\Pr[W_5]-\Pr[W_1]| \in \mathsf{negl}(\lambda) $, which yields the claimed result. $|\Pr[W_5]-\Pr[W_1]| \in \mathsf{negl}(\lambda) $, which yields the claimed result.
%\qed
\end{proof} \end{proof}
\begin{lemma} \label{ABB-simple} \begin{lemma} \label{ABB-simple}
@ -1291,7 +1289,7 @@ of the ABB scheme, which would contradict the $\LWE$ assumption, as established
\advantage{\textrm{sID-CPA}}{\bdv}(\lambda) &= \left| \Pr[b'=1 | \textsf{Real}] - \Pr[b'=1 | \mathsf{Random}] \right| = \left|\Pr[W_3] - \Pr[W_4] \right|\\ \advantage{\textrm{sID-CPA}}{\bdv}(\lambda) &= \left| \Pr[b'=1 | \textsf{Real}] - \Pr[b'=1 | \mathsf{Random}] \right| = \left|\Pr[W_3] - \Pr[W_4] \right|\\
&= \varepsilon, &= \varepsilon,
\end{align*} \end{align*}
which concludes our proof. %\qed which concludes our proof.
\end{proof} \end{proof}
@ -1362,6 +1360,5 @@ signed by the reduction during an execution of $\mathsf{JOIN}$. This implies th
the pair the pair
$\big(\mathbf{t}_{\USR} , (\tau,\mathbf{d},\mathbf{r}) \big)$ forms a forgery for the $\mathsf{SIS}$-based signature scheme of Section~\ref{se:gs-lwe-sigep}. The reduction is straightforward $\big(\mathbf{t}_{\USR} , (\tau,\mathbf{d},\mathbf{r}) \big)$ forms a forgery for the $\mathsf{SIS}$-based signature scheme of Section~\ref{se:gs-lwe-sigep}. The reduction is straightforward
and omitted. and omitted.
%\qed
\end{proof} \end{proof}


@ -1,5 +1,3 @@
\section{Introduction}
In this Chapter, we present the first dynamic group signature scheme that relies on lattice assumptions. In this Chapter, we present the first dynamic group signature scheme that relies on lattice assumptions.
This construction relies on a signature scheme with efficient protocols as in~\cref{ch:sigmasig}, and it is used in a similar fashion. This construction relies on a signature scheme with efficient protocols as in~\cref{ch:sigmasig}, and it is used in a similar fashion.
As a consequence, it is possible to construct lattice-based anonymous credential from this building block. As a consequence, it is possible to construct lattice-based anonymous credential from this building block.

File diff suppressed because it is too large Load Diff