Add re-randomizable signature section.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
e6c507c995
commit
79c5c67906
|
@ -34,6 +34,7 @@
|
||||||
\RequirePackage{lmodern}
|
\RequirePackage{lmodern}
|
||||||
\RequirePackage{quattrocento}
|
\RequirePackage{quattrocento}
|
||||||
\RequirePackage[bb=ams]{mathalfa}
|
\RequirePackage[bb=ams]{mathalfa}
|
||||||
|
\RequirePackage[scr]{rsfso}
|
||||||
%\RequirePackage{txfonts}
|
%\RequirePackage{txfonts}
|
||||||
|
|
||||||
% Quattrocento is beautiful but doesn't have an italic face. So we scale
|
% Quattrocento is beautiful but doesn't have an italic face. So we scale
|
||||||
|
@ -808,6 +809,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\TransmitCiphertext}[1]{\Ctext^\enc_{#1}}
|
\newcommand{\TransmitCiphertext}[1]{\Ctext^\enc_{#1}}
|
||||||
\newcommand{\TransmitKey}[1]{\Key^\enc_{#1}}
|
\newcommand{\TransmitKey}[1]{\Key^\enc_{#1}}
|
||||||
\newcommand{\Adversary}{\mathcal{A}}
|
\newcommand{\Adversary}{\mathcal{A}}
|
||||||
|
\newcommand{\Oracle}{\mathsf{O}}
|
||||||
\newcommand{\CryptoBoxSeal}{\mathsf{crypto\_box\_seal}}
|
\newcommand{\CryptoBoxSeal}{\mathsf{crypto\_box\_seal}}
|
||||||
|
|
||||||
% Key agreement
|
% Key agreement
|
||||||
|
@ -945,6 +947,11 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\SigGen}{\Sig\mathsf{.Gen}}
|
\newcommand{\SigGen}{\Sig\mathsf{.Gen}}
|
||||||
\newcommand{\SigSign}[1]{\Sig\mathsf{.Sign}_{#1}}
|
\newcommand{\SigSign}[1]{\Sig\mathsf{.Sign}_{#1}}
|
||||||
\newcommand{\SigVerify}[1]{\Sig\mathsf{.Verify}_{#1}}
|
\newcommand{\SigVerify}[1]{\Sig\mathsf{.Verify}_{#1}}
|
||||||
|
\newcommand{\SigRandom}{\Sig\mathsf{.Random}}
|
||||||
|
\newcommand{\SigRandomizePublic}{\Sig\mathsf{.RandomizePublic}}
|
||||||
|
\newcommand{\SigRandomizePrivate}{\Sig\mathsf{.RandomizePrivate}}
|
||||||
|
\newcommand{\SigRandomnessId}{\Sig\mathsf{.Id}}
|
||||||
|
\newcommand{\SigRandomness}{r}
|
||||||
|
|
||||||
\newcommand{\JoinSplitSig}{\mathsf{JoinSplitSig}}
|
\newcommand{\JoinSplitSig}{\mathsf{JoinSplitSig}}
|
||||||
\newcommand{\JoinSplitSigPublic}{\JoinSplitSig\mathsf{.Public}}
|
\newcommand{\JoinSplitSigPublic}{\JoinSplitSig\mathsf{.Public}}
|
||||||
|
@ -1564,6 +1571,8 @@ $f(x, y)$ can also be written $f_x(y)$.
|
||||||
$\fun{x \typecolon T}{e_x \typecolon U}$ means the function of type $T \rightarrow U$
|
$\fun{x \typecolon T}{e_x \typecolon U}$ means the function of type $T \rightarrow U$
|
||||||
mapping formal parameter $x$ to $e_x$ (an expression depending on $x$).
|
mapping formal parameter $x$ to $e_x$ (an expression depending on $x$).
|
||||||
The types $T$ and $U$ are always explicit.
|
The types $T$ and $U$ are always explicit.
|
||||||
|
|
||||||
|
$\powerset{T}$ means the powerset of $T$.
|
||||||
}
|
}
|
||||||
|
|
||||||
$\typeexp{T}{\ell}$, where $T$ is a type and $\ell$ is an integer,
|
$\typeexp{T}{\ell}$, where $T$ is a type and $\ell$ is an integer,
|
||||||
|
@ -2434,6 +2443,83 @@ pair without access to the signing key.
|
||||||
\end{pnotes}
|
\end{pnotes}
|
||||||
|
|
||||||
|
|
||||||
|
\introlist
|
||||||
|
\nsubsubsubsection{Signature with Re-Randomizable Keys} \label{abstractsigrerand}
|
||||||
|
|
||||||
|
A signature scheme with re-randomizable keys $\Sig$ is a signature scheme that
|
||||||
|
additionally defines:
|
||||||
|
|
||||||
|
\begin{itemize}
|
||||||
|
\item a type of randomizers $\SigRandom$;
|
||||||
|
\item a public key randomization algorithm $\SigRandomizePublic \typecolon \SigPublic \times \SigRandom \rightarrow \SigPublic$;
|
||||||
|
\item a private key randomization algorithm $\SigRandomizePrivate \typecolon \SigPrivate \times \SigRandom \rightarrow \SigPrivate$
|
||||||
|
\item a distinguished ``identity'' randomizer $\SigRandomnessId \typecolon \SigRandom$
|
||||||
|
\end{itemize}
|
||||||
|
|
||||||
|
\vspace{-1ex}
|
||||||
|
such that if $(\pk \typecolon \SigPublic, \sk \typecolon \SigPrivate)$ is a
|
||||||
|
valid $\Sig$ key pair, then:
|
||||||
|
\vspace{1ex}
|
||||||
|
|
||||||
|
\begin{itemize}
|
||||||
|
\item $\left(\SigRandomizePublic(\pk, \SigRandomness), \SigRandomizePrivate(\sk, \SigRandomness)\right)$
|
||||||
|
is also a valid $\Sig$ key pair for any $\SigRandomness \typecolon \SigRandom$;
|
||||||
|
\item $\SigRandomizePrivate(\paramdot, \SigRandomness) \typecolon \SigPrivate \rightarrow \SigPrivate$
|
||||||
|
is injective and easily invertible for any $\SigRandomness \typecolon \SigRandom$;
|
||||||
|
\item For \emph{any} key pair $(\pk, \sk)$ returned by $\SigGen()$, the distribution of
|
||||||
|
\begin{formulae}
|
||||||
|
\item $\left(\SigRandomizePublic(\pk, \SigRandomness), \SigRandomizePrivate(\sk, \SigRandomness)\right) :
|
||||||
|
\SigRandomness \leftarrowR \SigRandom$
|
||||||
|
\end{formulae}
|
||||||
|
\vspace{-0.ex} is identical to the distribution of $\SigGen()$.
|
||||||
|
\item $\left(\SigRandomizePublic(\pk, \SigRandomnessId), \SigRandomizePrivate(\sk, \SigRandomnessId)\right) = (\pk, \sk)$.
|
||||||
|
\end{itemize}
|
||||||
|
|
||||||
|
The following security requirement for such signature schemes is based on that
|
||||||
|
given in \cite[section 3]{FKMSSS2016}. Note that we require Strong Unforgeability
|
||||||
|
under Re-randomized Keys, not Existential Unforgeability under Re-randomized Keys
|
||||||
|
(the latter is just called ``Unforgeability under Re-randomized Keys'' in
|
||||||
|
\cite[Definition 8]{FKMSSS2016}).
|
||||||
|
|
||||||
|
\introsection
|
||||||
|
\securityrequirement{\textbf{Strong Unforgeability under Re-randomized Keys (SUFRK-CMA)}
|
||||||
|
|
||||||
|
Let $\Oracle \typecolon \SigPrivate \times \SigMessage \times \SigRandom \rightarrow \SigSignature$
|
||||||
|
be a generator of signing oracles.
|
||||||
|
|
||||||
|
A signing oracle $\Oracle_{\sk}$ for private key $\sk$ has state
|
||||||
|
$Q \typecolon \powerset{\SigMessage \times \SigSignature}$ initialized to $\setof{}$
|
||||||
|
that records queried messages and corresponding signatures.
|
||||||
|
|
||||||
|
\begin{formulae}
|
||||||
|
\item $\Oracle_{\sk} :=$ var $Q \leftarrow \setof{}$ in $\fun{(m \typecolon \SigMessage, \SigRandomness \typecolon \SigRandom)}{}$
|
||||||
|
\item \tab let $\sigma = \SigSign{\SigRandomizePrivate(\sk, \SigRandomness)}(m)$
|
||||||
|
\item \tab $Q \leftarrow Q \union \setof{(m, \sigma)}$
|
||||||
|
\item \tab return $\sigma \typecolon \SigSignature$.
|
||||||
|
\end{formulae}
|
||||||
|
|
||||||
|
For random $(\pk, \sk) \leftarrowR \SigGen()$, it must be infeasible for an adversary
|
||||||
|
given $\pk$ and a new instance of $\Oracle_{\sk}$ to find $(m^*, \sigma^*, \SigRandomness^*)$
|
||||||
|
such that $\SigVerify{\SigRandomizePublic(\pk, \SigRandomness^*)}(m^*, \sigma^*) = 1$ and
|
||||||
|
$(m^*, \sigma^*) \not\in \Oracle_{\sk}\mathsf{.}Q$.
|
||||||
|
}
|
||||||
|
|
||||||
|
\begin{pnotes}
|
||||||
|
\item The requirement for $\SigRandomnessId$ simplifies the definition of SUFRK-CMA
|
||||||
|
by removing the need for two oracles (since the oracle for original keys,
|
||||||
|
called $\Oracle_1$ in \cite{FKMSSS2016}, is a special case of the oracle for
|
||||||
|
randomized keys).
|
||||||
|
\item The fact that
|
||||||
|
$\left(\SigRandomizePublic(\pk, \SigRandomness), \SigRandomizePrivate(\sk, \SigRandomness)\right) :
|
||||||
|
\SigRandomness \leftarrowR \SigRandom$ is identically distributed to $\SigGen()$,
|
||||||
|
implies that the combination of a re-randomized public key and signature(s)
|
||||||
|
under that key do not reveal the key from which it was re-randomized.
|
||||||
|
\item Since $\SigRandomizePrivate(\paramdot, \SigRandomness)$ is injective and
|
||||||
|
easily invertible, knowledge of $\SigRandomizePrivate(\sk, \SigRandomness)$
|
||||||
|
\emph{and} $\SigRandomness$ implies knowledge of $\sk$.
|
||||||
|
\end{pnotes}
|
||||||
|
|
||||||
|
|
||||||
\introlist
|
\introlist
|
||||||
\nsubsubsection{Commitment} \label{abstractcommit}
|
\nsubsubsection{Commitment} \label{abstractcommit}
|
||||||
|
|
||||||
|
|
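Review bot: The win condition on the last line of the SUFRK-CMA requirement excludes only the pair `(m^*, \sigma^*)` from `Q`, so a signature the oracle returned for `(m, r)` that also verifies under `\SigRandomizePublic(\pk, r')` for some `r' \neq r` does not count as a forgery; if that is intended, a pnote saying the randomizer is deliberately not recorded would help, and if not, `Q` could record triples (`\powerset{\SigMessage \times \SigSignature \times \SigRandom}`, `Q \leftarrow Q \union \setof{(m, \sigma, \SigRandomness)}`, `(m^*, \sigma^*, \SigRandomness^*) \not\in \Oracle_{\sk}\mathsf{.}Q`). Separately, `\vspace{-0.ex}` before "is identical to the distribution" is a zero-length no-op left in the middle of a sentence and should be dropped (the neighbouring `\vspace{-1ex}` and `\vspace{1ex}` are manual layout tweaks as well). The first itemize is inconsistently punctuated: the items ending in `\SigPrivate$` and `\SigRandomnessId \typecolon \SigRandom$` lack the terminating `;` and `.` that the first two items use. In the second pnote, "the combination of a re-randomized public key and signature(s) under that key do not reveal" should read "does not reveal".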