fmouhart/thesis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Behavior

Browse Source
This commit is contained in:
Fabrice Mouhartem
2018-06-12 17:46:55 +02:00
parent bafc4d2420
commit f1c0e67fd7
4 changed files with 5 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
chap-GS-LWE.tex
View File

@@ -1541,7 +1541,7 @@ Hence, the difference $\mathbf{h} = \mathbf{z}' - \mathbf{z}_{i^\star} \in \ZZ^{
The adversary's view remains the same as in $\mathsf{Game}^{(d)}~1$, analogously to the security proof of the GPV IBE~\cite{GPV08}. The adversary's view remains the same as in $\mathsf{Game}^{(d)}~1$, analogously to the security proof of the GPV IBE~\cite{GPV08}.
\smallskip \smallskip
\item[$\textsf{Game}^{(d)}$~3:] Here, we will change the behaviour of the opening algorithm. \item[$\textsf{Game}^{(d)}$~3:] Here, we will change the behavior of the opening algorithm.
Namely, at each fresh oracle query, we still store the matrices $\mathbf{E}_{0,\vk} \in \Zq^{m \times 2m}$ and, at the beginning of the game, the challenger Namely, at each fresh oracle query, we still store the matrices $\mathbf{E}_{0,\vk} \in \Zq^{m \times 2m}$ and, at the beginning of the game, the challenger
samples an uniformly random $\mathbf{B^\star} \in \Zq^{n \times m}$ that is later used in place of $\mathbf{B}$ to answer $H_0$-queries. samples an uniformly random $\mathbf{B^\star} \in \Zq^{n \times m}$ that is later used in place of $\mathbf{B}$ to answer $H_0$-queries.
To answer the adversary's queries of the opening of a signature To answer the adversary's queries of the opening of a signature

2
chap-GS-background.tex
View File

@@ -30,7 +30,7 @@ This notion expresses the impossibility to frame a group of honest users in orde
One application of this primitive can be to handle anonymous access control for public transportation systems. One application of this primitive can be to handle anonymous access control for public transportation systems.
In order to commute, a person should prove the possession of a valid subscription to the transportation service. In order to commute, a person should prove the possession of a valid subscription to the transportation service.
Thus, at registration to the service, the commuter joins the group of \emph{users with a valid subscription} and when it takes the transport, it is asked to sign the timestamp of its entry in the name of the group. Thus, at registration to the service, the commuter joins the group of \emph{users with a valid subscription} and when it takes the transport, it is asked to sign the timestamp of its entry in the name of the group.
In case of misbehaviour, another entity --\,let say the police\,-- is able to lift the anonymity of the signatures logged by the reading machine. In case of misbehavior, another entity --\,let say the police\,-- is able to lift the anonymity of the signatures logged by the reading machine.
Then, the public transportation company is unable to learn anything from seeing the signatures, except the validity of the subscription of a user, and on the other hand, the police does not have access to the logs except if the public transportation company hands them to it. Then, the public transportation company is unable to learn anything from seeing the signatures, except the validity of the subscription of a user, and on the other hand, the police does not have access to the logs except if the public transportation company hands them to it.
Other applications of group signatures can be advocated as authentication of low-range communications for intelligent cars or anonymous access control of a building. Other applications of group signatures can be advocated as authentication of low-range communications for intelligent cars or anonymous access control of a building.

3
chap-ZK.tex
View File

@@ -61,6 +61,7 @@ In this section, we first present the general principles and basic tools to hand
A way to construct zero-knowledge proofs --\,that will be described with more details in \cref{sse:schnorr}\,-- is a blackbox transformation from a \textit{$\Sigma$-protocol} and a \textit{commitment scheme}~\cite{Dam00,GMY03}. The resulting proof remains secure against malicious verifiers. A way to construct zero-knowledge proofs --\,that will be described with more details in \cref{sse:schnorr}\,-- is a blackbox transformation from a \textit{$\Sigma$-protocol} and a \textit{commitment scheme}~\cite{Dam00,GMY03}. The resulting proof remains secure against malicious verifiers.
\begin{definition}[$\Sigma$-protocol~{\cite{Cra96}}] \index{Zero Knowledge!$\Sigma$-protocol} \begin{definition}[$\Sigma$-protocol~{\cite{Cra96}}] \index{Zero Knowledge!$\Sigma$-protocol}
\label{de:sigma-protocol}
Let $R = \{(x,w)\}$ be a binary relation. A \textit{$\Sigma$-protocol} is a $3$-move interactive protocol between $P$ and $V$ that follows Figure~\ref{fig:sigma} and verifies the following properties. Let $R = \{(x,w)\}$ be a binary relation. A \textit{$\Sigma$-protocol} is a $3$-move interactive protocol between $P$ and $V$ that follows Figure~\ref{fig:sigma} and verifies the following properties.
\begin{description} \begin{description}
\item[Completeness.] For any $(x,w) \in R$, $P(x,w)$ and $V(x)$ that follows the protocol, the verifier always accepts. \item[Completeness.] For any $(x,w) \in R$, $P(x,w)$ and $V(x)$ that follows the protocol, the verifier always accepts.
@@ -308,7 +309,7 @@ This part induced a noticeable error-rate where the prover aborts the proof. As
\label{fig:schnorr-lwe} \label{fig:schnorr-lwe}
\end{figure} \end{figure}
One can notice that this is \textit{not} a $\Sigma$-protocol in the strict sense as the knowledge extractor outputs \textit{witnesses} that can be up to $\softO(n)$ larger than the actual witness in infinity norm. This behaviour is sometimes called ``\textit{imperfect soundness}'' or ``\textit{soundness slack}''. One can notice that this is \textit{not} a $\Sigma$-protocol in the strict sense as the knowledge extractor outputs \textit{witnesses} that can be up to $\softO(n)$ larger than the actual witness in infinity norm. This behavior is sometimes called ``\textit{imperfect soundness}'' or ``\textit{soundness slack}''.
However, this method suffers from \textit{limited expressiveness}: the relations that can be proved with this proof system are essentially restricted to be knowledge of a Ring-\SIS secret, which is not sufficient to prove, for instance, the knowledge of a signature on a committed message. Moreover, the gap in the extraction makes it hard, although, to prove that an underlying message under an encryption is binary~\cite{dPLNS17}. However, this method suffers from \textit{limited expressiveness}: the relations that can be proved with this proof system are essentially restricted to be knowledge of a Ring-\SIS secret, which is not sufficient to prove, for instance, the knowledge of a signature on a committed message. Moreover, the gap in the extraction makes it hard, although, to prove that an underlying message under an encryption is binary~\cite{dPLNS17}.

2
chap-proofs.tex
View File

@@ -31,7 +31,7 @@ Let us now define more formally the notions of reduction and computability using
\begin{itemize} \begin{itemize}
\item A finite set $\Gamma$, called the \textit{tape alphabet}, which contains symbols that the TM uses in its tapes. In particular, $\Gamma$ contains a \textit{blank symbol} ``$\square$'', and ``$\triangleright$'' that denotes the beginning of a tape. \item A finite set $\Gamma$, called the \textit{tape alphabet}, which contains symbols that the TM uses in its tapes. In particular, $\Gamma$ contains a \textit{blank symbol} ``$\square$'', and ``$\triangleright$'' that denotes the beginning of a tape.
\item A finite set $Q$ called the \textit{states} of the TM. It contains special states $q_{start}$, $q_{halt}$, called respectively the \textit{initial state} and the \textit{halt state}. \item A finite set $Q$ called the \textit{states} of the TM. It contains special states $q_{start}$, $q_{halt}$, called respectively the \textit{initial state} and the \textit{halt state}.
\item A function $\delta: (Q \backslash \{q_{halt}\}) \times \Gamma^{k-1} \to Q \times \Gamma^{k-1} \times \{ \leftarrow, \downarrow, \rightarrow \}^k$, called the \textit{transition function}, that describes the behaviour of the internal state of the machine and the TM heads.\\ \item A function $\delta: (Q \backslash \{q_{halt}\}) \times \Gamma^{k-1} \to Q \times \Gamma^{k-1} \times \{ \leftarrow, \downarrow, \rightarrow \}^k$, called the \textit{transition function}, that describes the behavior of the internal state of the machine and the TM heads.\\
\smallskip \smallskip
Namely, $\delta(q, a_1, \ldots, a_{k-1}) = (r, b_2, \ldots, b_k, m_1, \ldots, m_k)$ means that upon reading symbols $(a_1, \ldots, a_{k-1})$ on tapes $1$ to $k-1$ (where the first tape is the input tape, and the $k$-th tape is the output tape) on state $q$, the TM will move to state $r$, write $b_2, \ldots, b_k$ on tapes $2$ to $k$ and move its heads as dictated by $m_1, \ldots, m_k$. Namely, $\delta(q, a_1, \ldots, a_{k-1}) = (r, b_2, \ldots, b_k, m_1, \ldots, m_k)$ means that upon reading symbols $(a_1, \ldots, a_{k-1})$ on tapes $1$ to $k-1$ (where the first tape is the input tape, and the $k$-th tape is the output tape) on state $q$, the TM will move to state $r$, write $b_2, \ldots, b_k$ on tapes $2$ to $k$ and move its heads as dictated by $m_1, \ldots, m_k$.
\end{itemize} \end{itemize}