Behavior
This commit is contained in:
parent
bafc4d2420
commit
f1c0e67fd7
@ -1541,7 +1541,7 @@ Hence, the difference $\mathbf{h} = \mathbf{z}' - \mathbf{z}_{i^\star} \in \ZZ^{
|
||||
The adversary's view remains the same as in $\mathsf{Game}^{(d)}~1$, analogously to the security proof of the GPV IBE~\cite{GPV08}.
|
||||
\smallskip
|
||||
|
||||
\item[$\textsf{Game}^{(d)}$~3:] Here, we will change the behaviour of the opening algorithm.
|
||||
\item[$\textsf{Game}^{(d)}$~3:] Here, we will change the behavior of the opening algorithm.
|
||||
Namely, at each fresh oracle query, we still store the matrices $\mathbf{E}_{0,\vk} \in \Zq^{m \times 2m}$ and, at the beginning of the game, the challenger
|
||||
samples an uniformly random $\mathbf{B^\star} \in \Zq^{n \times m}$ that is later used in place of $\mathbf{B}$ to answer $H_0$-queries.
|
||||
To answer the adversary's queries of the opening of a signature
|
||||
|
@ -30,7 +30,7 @@ This notion expresses the impossibility to frame a group of honest users in orde
|
||||
One application of this primitive can be to handle anonymous access control for public transportation systems.
|
||||
In order to commute, a person should prove the possession of a valid subscription to the transportation service.
|
||||
Thus, at registration to the service, the commuter joins the group of \emph{users with a valid subscription} and when it takes the transport, it is asked to sign the timestamp of its entry in the name of the group.
|
||||
In case of misbehaviour, another entity --\,let say the police\,-- is able to lift the anonymity of the signatures logged by the reading machine.
|
||||
In case of misbehavior, another entity --\,let say the police\,-- is able to lift the anonymity of the signatures logged by the reading machine.
|
||||
Then, the public transportation company is unable to learn anything from seeing the signatures, except the validity of the subscription of a user, and on the other hand, the police does not have access to the logs except if the public transportation company hands them to it.
|
||||
|
||||
Other applications of group signatures can be advocated as authentication of low-range communications for intelligent cars or anonymous access control of a building.
|
||||
|
@ -61,6 +61,7 @@ In this section, we first present the general principles and basic tools to hand
|
||||
A way to construct zero-knowledge proofs --\,that will be described with more details in \cref{sse:schnorr}\,-- is a blackbox transformation from a \textit{$\Sigma$-protocol} and a \textit{commitment scheme}~\cite{Dam00,GMY03}. The resulting proof remains secure against malicious verifiers.
|
||||
|
||||
\begin{definition}[$\Sigma$-protocol~{\cite{Cra96}}] \index{Zero Knowledge!$\Sigma$-protocol}
|
||||
\label{de:sigma-protocol}
|
||||
Let $R = \{(x,w)\}$ be a binary relation. A \textit{$\Sigma$-protocol} is a $3$-move interactive protocol between $P$ and $V$ that follows Figure~\ref{fig:sigma} and verifies the following properties.
|
||||
\begin{description}
|
||||
\item[Completeness.] For any $(x,w) \in R$, $P(x,w)$ and $V(x)$ that follows the protocol, the verifier always accepts.
|
||||
@ -308,7 +309,7 @@ This part induced a noticeable error-rate where the prover aborts the proof. As
|
||||
\label{fig:schnorr-lwe}
|
||||
\end{figure}
|
||||
|
||||
One can notice that this is \textit{not} a $\Sigma$-protocol in the strict sense as the knowledge extractor outputs \textit{witnesses} that can be up to $\softO(n)$ larger than the actual witness in infinity norm. This behaviour is sometimes called ``\textit{imperfect soundness}'' or ``\textit{soundness slack}''.
|
||||
One can notice that this is \textit{not} a $\Sigma$-protocol in the strict sense as the knowledge extractor outputs \textit{witnesses} that can be up to $\softO(n)$ larger than the actual witness in infinity norm. This behavior is sometimes called ``\textit{imperfect soundness}'' or ``\textit{soundness slack}''.
|
||||
|
||||
However, this method suffers from \textit{limited expressiveness}: the relations that can be proved with this proof system are essentially restricted to be knowledge of a Ring-\SIS secret, which is not sufficient to prove, for instance, the knowledge of a signature on a committed message. Moreover, the gap in the extraction makes it hard, although, to prove that an underlying message under an encryption is binary~\cite{dPLNS17}.
|
||||
|
||||
|
@ -31,7 +31,7 @@ Let us now define more formally the notions of reduction and computability using
|
||||
\begin{itemize}
|
||||
\item A finite set $\Gamma$, called the \textit{tape alphabet}, which contains symbols that the TM uses in its tapes. In particular, $\Gamma$ contains a \textit{blank symbol} ``$\square$'', and ``$\triangleright$'' that denotes the beginning of a tape.
|
||||
\item A finite set $Q$ called the \textit{states} of the TM. It contains special states $q_{start}$, $q_{halt}$, called respectively the \textit{initial state} and the \textit{halt state}.
|
||||
\item A function $\delta: (Q \backslash \{q_{halt}\}) \times \Gamma^{k-1} \to Q \times \Gamma^{k-1} \times \{ \leftarrow, \downarrow, \rightarrow \}^k$, called the \textit{transition function}, that describes the behaviour of the internal state of the machine and the TM heads.\\
|
||||
\item A function $\delta: (Q \backslash \{q_{halt}\}) \times \Gamma^{k-1} \to Q \times \Gamma^{k-1} \times \{ \leftarrow, \downarrow, \rightarrow \}^k$, called the \textit{transition function}, that describes the behavior of the internal state of the machine and the TM heads.\\
|
||||
\smallskip
|
||||
Namely, $\delta(q, a_1, \ldots, a_{k-1}) = (r, b_2, \ldots, b_k, m_1, \ldots, m_k)$ means that upon reading symbols $(a_1, \ldots, a_{k-1})$ on tapes $1$ to $k-1$ (where the first tape is the input tape, and the $k$-th tape is the output tape) on state $q$, the TM will move to state $r$, write $b_2, \ldots, b_k$ on tapes $2$ to $k$ and move its heads as dictated by $m_1, \ldots, m_k$.
|
||||
\end{itemize}
|
||||
|
Loading…
Reference in New Issue
Block a user