A Lattice-based Enhanced Privacy ID

(1)

Nada EL Kassem1_{, Lu´ıs Fiolhais}2_{, Paulo Martins}3_{, Liqun Chen}1_{, and Leonel} Sousa4

1

University of Surrey, UK

[email protected], [email protected] 2 _{INESC-ID, Portugal}

[email protected] 3 _{Universidade T´}_{ecnica de Lisboa, Portugal}

[email protected] 4 _{Universidade de Lisboa, Portugal}

Abstract. The Enhanced Privacy ID (EPID) scheme is currently used for hardware enclave attestation by an increasingly large number of plat-forms that implement Intel Software Guard Extensions (SGX). However, the scheme currently deployed by Intel is supported on Elliptic Curve Cryptography (ECC), and will become insecure should a large quantum computer become available. As part of National Institute of Standards and Technology (NIST)’s effort for the standardisation of post-quantum cryptography, there has been a great boost in research on lattice-based cryptography. As this type of cryptography is more widely used, one ex-pects that hardware platforms start integrating specific instructions that accelerate its execution. In this article, a new EPID scheme is proposed, supported on lattice primitives, that may benefit not only from future research developments in post-quantum cryptography, but also from in-structions that may extend Intel’s Instruction Set Architecture (ISA) in the future. This paper presents a new security model for EPID in the Universal Composability (UC) framework. The proposed Lattice-based EPID (LEPID) scheme is proved secure under the new model. Experi-mentally compared with a closely related Lattice-based Direct Anony-mous Attestation (DAA) (LDAA) scheme from related art, it is shown that the private-key size is reduced 1.5 times, and that signature and ver-ification times are sped up up to 1.4 and 1.1 times, respectively, for the considered parameters, when LEPID is compared with LDAA. Moreover, the signature size compares favourably to LDAA for small and medium-sized communities.

1 Introduction

(2)

EPID can be seen as Direct Anonymous Attestation (DAA) with different linkability requirements [2]. The DAA scheme was built having the Trusted Plat-form Module (TPM) standard in mind. In this context, the TPM holds a rep-resentation of the host machine state, and wishes to provide a verifier with a signature of the state representation, without revealing their identity. During an offline phase, an issuer provisions the TPM and the host with membership credentials. Based on this cryptographic material, the TPM and the host jointly prove that they belong to the DAA community in zero-knowledge, while produc-ing the above-mentioned signature. Unlike other privacy-preservproduc-ing systems, like group signatures, DAA does not support the property of traceability, wherein a group manager can identify the signer from a given signature.

Alternatively, the DAA provides two approaches to prevent a malicious signer from abusing their anonymity. Firstly, when a private-key is leaked, anyone can check whether a specific DAA signature was created under this key or not. Sec-ondly, two DAA signatures created by the same signer may or may not be linked from a verifier’s point of view. The linkability is controlled by a parameter called basename. When the same basename is used by the same signer for two signa-tures, they are linked; otherwise they are not. However, there are situations where this model does not suffice to prevent malicious actions. For instance, should an attacker corrupt a TPM and obtain the private-key without ever pub-lishing it, there is no way to revoke it. While this latter problem can be mitigated by having TPMs use the same basename whenever they access a certain service, this option removes the anonymity for all uses with the same basename.

EPID is a more general scheme than DAA and thus does not split signers into TPMs and hosts, but also targets the creation of anonymous signatures. An EPID scheme consists of an issuer, signers, verifiers and a revocation manager. Like with DAA, one can check whether a certain signature was generated by a leaked private-key. Nonetheless, the ability to link signatures with the same basename is removed. Instead, whenever a signer is corrupted, they may be revoked by including one of their signatures as part of a revocation list. As a result, EPID is capable of revoking corrupted signers from the system, even when their private-key is kept hidden, whilst providing maximum privacy for the platforms. Enhanced Privacy ID signatures can also be constructed on the top of group signatures that allow members of a group to anonymously sign messages on behalf of the group, with the added property that a group manager can revoke the credentials of a misbehaving or compromised group member. This construction was adopted by a recently proposed post-quantum EPID scheme from symmetric primitives [3], an overview of the scheme will be given in Section 7.

(3)

extended to EPID. The LEPID signature size compares favourably to Lattice-based DAA (LDAA) for small and medium-sized communities.

Organisation: The next section introduces the lattice-based hard problems and the two building blocks that support the proposed LEPID scheme, namely the LDAA scheme from [8] and the Zero Knowledge Proof of Knowledge (ZKPoK) of Ring-Learning With Errors (Ring-LWE) secrets from [6]. Section 3 presents a new security model for EPID in the UC framework. The novel LEPID scheme is proposed in Section 4 and proven secure in Section 5. The performance of the LEPID scheme is discussed in Section 6. Section 7 briefly discusses the related work. Finally, Section 8 concludes the paper.

2 Preliminaries

Throughout this paper we will use the polynomial ringsRq =Zq[X]/hXn_{+ 1i,} where Zq is the quotient ring Z/qZand na power of 2. We use names in bold, like a, both to denote elements of Rq and their coefficient embeddings in Znq. kak∞ represents the infinity norm of a polynomiala, kak∞ = maxi|ai|, and

kak =

q Pn

i=1(ai)2 where the ai are the coefficients of a. ˆA = (a1, . . . ,am) denotes a vector where mis a positive integer anda1, . . . ,amare polynomials. kAˆk∞ denotes the infinity norm of ˆA, defined as kAˆk∞ = maxikaik∞. B3d represents the set of vectorsu∈ {−1,0,1}3d _{having exactly}_d_{coordinates equal} to -1, d coordinates equal to 0, and d coordinates equal to 1. We represent a challenge set by C=nXcv_,|_c

v ∈ {0,1, . . .2n−1}

o

, where ¯C denotes the set of

differences C − C except 0. Dh

s represents the discrete Gaussian distribution of standard deviations, s.t. Prx←Dh

s[kxk> √

2hs]≤2−h/4_{. We define the following} rejection sampling algorithm from [9] to avoid the dependency ofzon the secret

b,rej(z,b, ξ) : Letu←[0,1); ifu >1/3 exp−2hz,b₂_ξi2+kbk2

return 0, else return

1, withξrepresenting a standard deviation of some distribution.

Definition 1 (The Ring Short Integer Solution Problem (Ring-SISn,m,q,β) [10]). Given m uniformly random elements ai ∈ Rq defining a vector Aˆ = (a1,a2, . . . ,am), find a nonzero vector of polynomialsZˆ∈ Rm

q of normkZˆk∞≤

β such that: fAˆ( ˆZ) =

P

i∈[m]aizi = 0 ∈ Rq. The Ring Inhomogeneous Short

Integer Solution (Ring-ISISn,m,q,β)problem asks to find Zˆ of normkZˆk∞≤β, and such that:f_Aˆ( ˆZ) =y∈ Rq for some uniform random polynomial y.

Definition 2 (The Ring Learning With Error Problem (Ring-LWE) [11]). Let χ be an error distribution defined over R ands ← Rq a uniformly random ring element, the Ring-LWE distributionAs,χ overRq× Rq is sampled

by choosing a ∈ Rq uniformly at random, randomly choosing the noise e← χ

and outputting (a,b) = (a, sa+e modq) ∈ Rq × Rq. Let u be uniformly sampled fromRq. The decision problem of Ring-LWE asks to distinguish between

(4)

Ring-LWE problem asks to return the secret vector s ∈ Rq given a Ring-LWE sample (a,b)←As,χ.

2.1 Lattice-based Direct Anonymous Attestation

The DAA scheme proposed in [8] can be split at a high level into three parts. In a first part, a TPM-host pair with identifierid= (id1, ...,id`)∈ {0,1}`joins a DAA community. This consists of the TPM sampling small ˆXt= (x1, . . . ,xm)∈ Rmq ,

and sending ut = ˆAtXˆt to the issuer, where ˆAt ∈ Rmq is part of the issuer’s public-key. A signature proof of knowledge based on [12], showing that u is well formed is also sent, along with a link token that prevents two TPMs from having the same secret-key. Using its private-key, the issuer then samples small

ˆ

Xh= (xm+1, . . . , x3m)∈ R2qmsuch that ÂhXˆh=u−ut, where Âh= [ ÂI|Aˆ0+

Pl

i=1idiAî] ∈ R2qm, and u ∈ Rq, ÂI ∈ Rmq and Âi ∈ Rmq ∀i ∈ {0, . . . , l} are part of the issuer’s public-key. The vector ˆXhis sent back to the host. After this process, the TPM and host own small key-shares satisfying

[Xt|Xh][ ˆAt|Aˆh] =u, (1)

In a second part, the TPM and the host jointly generate a signature with respect to a messageµ. The signature corresponds to a tuple (nym,bsn, π), where nym is a link token,bsn is the basename, andπis a signature-based proof:

π=SPKnpublic:={pp,nym,bsn},witness:={Xˆ = (x1, . . . ,x3m),id, e}:

u= ˆX[ ˆAt|Aˆh] modq∧ kXˆk∞≤β∧nym=H(bsn)x1+emodq∧ kek∞≤β o

(µ)

demonstrating not only (1) but also thatnym=H(bsn)x1+e modq, whereH is a random oracle mappingbsn to a polynomial andeis small.

A final part deals with signature verification. First,π is verified. Then, the verifier iterates over the list of revoked private-keys, consisting of the elements x₁(i)of the ˆXt(i)in (1) of the corrupt signers. In the case thatknym−H(bsn)x

(i) 1 k∞ is small, the signature has been generated by the i-th revoked user and is re-jected. Similarly, two signatures (nym,bsn, π) and (nym0_,_bsn_{, π}0_{) having the same}

basename are linked whenknym−nym0k∞is small.

2.2 Zero Knowledge Proof of the Ring-LWE Secrets

(5)

3 UC based Security Model for EPID

The security model for the DAA given by Camenisch et al. in [13] has been modified by replacing linkability with a revocation interface, adding the signature revocation check from [14], and introducing other modifications that results in a new EPID security model in the Universal Composability (UC) framework. Our new security definition is given in the UC model with respect to an ideal functionalityFl

EPID. In UC, an environmentE should not be able to distinguish

with a non-negligible probability between two worlds: the real world, where each party in the EPID protocol Π executes its assigned part of the protocol and the network is controlled by an adversaryAthat communicates withE; and the ideal world, in which all parties forward their inputs toFl

EPID, which internally

performs all the required tasks and creates the party’s outputs. A protocol Π is said to securely realise Fl

EPID if, for every adversaryA performing an attack

in the real world, there is an ideal world adversary S that performs the same attack in the ideal world.

An EPID scheme should satisfy:i) unforgeability, i.e. for honest issuer and signers, no adversary can output a valid signature on a messageµwithout know-ing the signer’s secret key;ii) correctness, i.e. honestly generated signatures are always valid; and iii) anonymity, i.e. even for a corrupt issuer, no adversary can tell whether two honestly generated signatures were produced by the same signer. The UC framework allows us to focus on the analysis of a single protocol instance with a globally unique session identifiersid. Fl

EPID uses session

identi-fiers of the form sid = (I,sid0) for some issuerI and a unique string sid0. In the procedures, functions CheckTtdHonest and CheckTtdCorrupt are used that return ‘1’ when a key belongs to a honest signer that has produced no signature, and when a key belongs to a corrupt user such that there is no signature simul-taneously linking back to the inputted key and another one, respectively; and return ‘0’ otherwise. We label the checks that are done by the ideal functionality in roman numerals.

Fl

EPID Setup: On input (SETUP,sid) from the issuer I, F

l

EPID verifies that

(I,sid0) =sid and outputs (SETUP,sid) toS. Fl

EPID receives from the

simula-tor S the algorithms Kgen, sig, ver, identify and revoke. These algorithms are responsible for generating keys for honest signers, creating signatures for honest signers, verifying the validity of signatures, checking whether a signature was generated by a given key, and updating the revocation lists respectively. Fl

EPID

stores the algorithms, checks that the algorithms ver, identify and revoke are deterministic [Check-I], and outputs (SETUPDONE,sid) toI.

Fl

EPID Join:

1. JOIN REQUEST: On input (JOIN,sid, jsid) from a signerMi, create a join sessionhjsid,Mi,requesti. Output (JOINSTART,sid, jsid,Mi) toS. 2. JOIN REQUEST DELIVERY: Proceed upon receiving delivery notification

fromS by updating the session record tohjsid,Mi,deliveryi.

(6)

– Output (JOINPROCEED,sid, jsid,Mi) toI. 3. JOIN PROCEED: Upon receiving an approval fromI,Fl

EPIDupdates the

ses-sion record tohjsid,sid,Mi,completei. Then it outputs (JOINCOMPLETE, sid, jsid) toS.

4. KEY GENERATION: On input (JOINCOMPLETE,sid, jsid,tsk) from S. – If the signer is honest, settsk =⊥, else verify that the providedtsk is

eligible by performing the following two checks that are described above:

• CheckTtdHonest(tsk)=1 [Check III].

• CheckTtdCorrupt(tsk)=1 [Check IV].

– InserthMi,tskiinto Member ListML, and output JOINED.

Fl

EPID Sign:

1. SIGN REQUEST: On input (SIGN,sid, ssid,Mi, µ,p) from the signer on a messageµ with respect top, the ideal functionality aborts ifI is honest and no entryhMi, ?iexists inML, else creates a sign sessionhssid,Mi, µ,p, requestiand outputs (SIGNSTART, sid, ssid,Mi, l(µ,p)) toS.

2. SIGN REQUEST DELIVERY: On input (SIGNSTART,sid, ssid) from S, update the session tohssid,Mi, µ,p,deliveredi, and output (SIGNPROCEED,

sid, ssid, µ, p) toMi.

3. SIGN PROCEED: On input (SIGNPROCEED, sid, ssid) from Mi, FEPIDl

updates the recordshssid,Mi, µ,p,deliveredi, and outputs (SIGNCOMPLETE, sid, ssid,KRL,SRL) to S, whereKRL andSRLrepresent the key and the sig-nature revocation lists respectively.

4. SIGNATURE GENERATION: On input (SIGNCOMPLETE,sid, ssid, σ,KRL,

SRL) fromS, ifMi is honest then Fl

EPID will:

– Ignore an adversary’s signatureσ, and generate the signature for a fresh or establishedtsk.

– Check CheckTtdHonest(tsk)=1 [Check V], and store hMi,tski in Do-mainKeys.

– Generate the signatureσ←sig(tsk, µ,p).

– Check ver(σ, µ,p,KRL,SRL)=1 [Check VI], and check identify(σ, µ,p,tsk) = 1 [Check VII].

– Check that there is no signer other thanMi with keytsk0 registered in Members or DomainKeys such that identify(σ, µ,p,tsk0)=1 [Check VIII]. – For all (σ∗, µ∗,p∗) ∈ SRL, find all (tsk∗,M∗_{) from Members and}

Do-mainKeys such that identify(σ∗, µ∗,p∗, ?,tsk∗) = 1 • Check that no two distinct keystsk∗ trace back toσ∗. • Check that no pair (tsk∗,Mi) was found.

– IfMiis honest, then storehσ, µ,Mi,piin Signed and output (SIGNATURE,

sid, ssid, σ,KRL,SRL).

Fl

EPIDVerify: On input (VERIFY,sid, µ,p, σ,KRL,SRL), from a partyV to check

whether σis a valid signature on a message µwith respect to p, KRLandSRL, the ideal functionality does the following:

(7)

• More than one keytski was found [Check IX].

• I is honest and no pair (tski,Mi) was found [Check X].

• An honestMiwas found, but no entryh?, µ,Mi,piwas found in Signed [Check XI].

• There is a keytsk∗∈KRL, such that identify(σ, µ,p,tsk∗)=1 and no pair (tsk,Mi) for an honestMi was found [Check XII].

• For some matchingtskiand (σ∗, µ∗,p∗)∈SRL, identify(σ∗, µ∗,p∗,tski) = 1

– Ifb6= 0, setb←ver(σ, µ,p,SRL,KRL). [Check XIII]

– Addhσ, µ,p,KRL,SRL, bito VerResults, and output (VERIFIED, sid, b) toV.

Fl

EPID Revoke: On input (tsk ∗_,

KRL), the ideal functionality replaces KRLwith

KRL∪tsk∗. On input (σ∗, µ∗,SRL), the ideal functionality replaces SRL with

SRL∪σ∗ after verifyingσ∗.

4 The Proposed LEPID Scheme

The DAA scheme proposed in [8] is herein modified so as to support the security model described in Section 3. We give a general overview of the proposed Lattice-based EPID (LEPID) scheme in Subsection 4.1 before proceeding with the details in Subsection 4.2.

4.1 High Level Description of the LEPID Scheme

The first part of the DAA protocol described in Subsection 2.1 is herein mirrored, with the exception that the TPM and the host are fused into a single signer. In particular, the issuer makes one further polynomialbavailable in Procedure 1. When requesting to join a DAA community in Procedure 2, the signer with identifier id = (id1, ...,id`) ∈ {0,1}` samples a small ˆXt = (x1, . . . ,xm+1) ∈ Rm+1

q and sends ut = [b|AˆI] ˆXtmodq to the issuer, along with a link token

nym_I=H(bsnI)x1+eI and a zero-knowledge proofπut from [8] showing that ut is well formed. Upon receiving this message, the issuer uses nym_I to check that no other signer has the same x1, verifies πut and samples small ˆXh = [ ˆXh1|Xˆh2] = (y2, . . . ,y2m+1)∈ R

m q × R

m

q such that ˆAhXˆh=u−utmodq, with ˆ

Ah= [ ˆAI|A0ˆ +Pli=1idiAˆi]∈ R 2m

q . ˆXh is sent back to the signer, that updates their key as ˆX = (x1,∀i=(2,...,m+1)xi := xi +yi,∀i=(m+2,...,2m+1)xi := yi) in Procedure 3.

Signatures are generated in Procedures 4 and 5 as in Subsection 2.1 for the DAA, but the basename is always chosen at random, generating link tokens

(8)

randomising the (nym∗_i =p∗_ifi+li,p∗_i) pairs from the list of revoked signatures, where fi corresponds to the x1 polynomial of thei-th revoked user andli has small norm, as

di=nym∗iqi+l 000

i (2)

oi=p∗_iqi+l0_i (3)

for small qi, l_i000 and l0_i sampled from a Gaussian distribution. Note that di = oi·fi+ei for a small ei. The signature includes not only di and oi, but also ki = oix1+l

00

i along with a zero-knowledge proof of the construction of di, oi and ki. This zero-knowledge proof is an adaptation of the one described in Subsection 2.2, the details of which can be found in Appendix A.2.

Signature verification in Procedure 6 is similar to that of the DAA, with the difference that now the proof of the shape ofdi, oi andki is verified, and the norm of di−ki is assessed to ascertain whether the x1 used to produce the signature under verification is the same as the one used to produce thei-th revoked signature. Finally, the community revocation manager may revoke users by updating the list of revoked private-keys (KRL) or the list of signatures of revoked users (SRL) using Procedure 7.

4.2 Detailed Description of the LEPID Scheme

We now present our LEPID scheme in detail. We start by recalling some standard functionalities that are used in the UC model of the DAA [13]:

– FCA is a common certificate authority functionality that is available to all

parties.

– FCRS is a common reference string functionality that provides participants

with all system parameters. – F∗

auth is a special authenticated communication functionality that provides

an authenticated channel between the issuer and the signer.

The LEPID scheme includes the Setup, Join, Sign, Verify and Revoke pro-cedures that are as follows.

Procedure 1 (Setup).FCRS creates the system parameters:sp= (λ, t, q,

n, m,Rq, β, `, r, s, ξ), where λ, tare positive integer security parameters,β is a positive real number such that β < q, `is the length of the users’ identifiers, andr, sandξrepresent standard deviations of Gaussian distributions.

Upon input (SETUP,sid), where sid is a unique session identifier, the is-suer first checks that sid = (I,sid0) for some sid0, then creates its key pair. The Issuer’s public key is pp = (sp,b,AˆI,Aˆ0,Aˆ1, . . . ,Aˆ`, u, H0,H, H), where

ˆ

AI,Aˆi(i= 0,1, . . . , `)∈ Rmq ,b,u∈ Rq,H0:{0,1}∗ → {1,2,3}t,H:{0,1}∗→ Rq, andH:{0,1}∗_{→ {0}_,₁_,₂_{, . . . ,}₂_n₋_{1}. The Issuer’s private key is ˆ}_T

I, which

(9)

The issuer initialises the Member List ML ← ∅. The issuer proves that his secret key is well formed in πI, and registers the key ( ˆTI, πI) with FCA and

outputs (SETUPDONE,sid).

Procedure 2 (Join Request). On input query (JOIN,sid, jsid,M), the signerMforwards (JOIN,sid, jsid) toI, who replies by sending (sid, jsid, ρ,bsnI)

back to the signer, whereρis a uniform random nonceρ← {0,1}λ_{, and}_bsn

I is

the issuer’s base name. The signerMproceeds as follows:

1. It checks that no such entry exists in its storage.

2. It samples a private key: x1 ← Ds and (x2, . . . ,xm+1) ← Drm. Let ˆXt = (x1, . . . ,xm+1) correspond to M’s secret key with the conditionk(x2, . . . , xm+1)k∞≤β/2 andkx1k∞≤β.Mstores its key as (sid,Xˆt), and computes the corresponding public key ut = [b|AˆI] ˆXt modq, a link token nymI =

H(bsnI)x1+eI modqfor some erroreI ← Ds such thatkeIk∞≤β, and

generates a signature based proof:

πut =SPK

n

public:={pp,ut,bsnI,nymI},witness:={Xˆt= (x1, . . . ,xm+1),

eI}, ut= [b|AˆI] ˆXt modq∧ kXˆt/x1k∞≤β/2 ∧ kx1k ≤β

∧nym_I =H(bsnI)x1+eI modq ∧ keIk∞≤β o

(ρ).

3. It sends (nym_I,ut, πut) to the issuer by givingF

∗

authan input (SEND,nymI,

πut,sid, jsid).

I, upon receiving (SENT,nym_I, πut,sid, jsid,M) fromF

∗

auth, verifies the proof

πut and makes sure that the signer M ∈/ ML. I stores (jsid,nymI, πut,M), and generates the message (JOINPROCEED,sid, jsid,id, πut), for some identity

id∈ {0,1}` _{assigned to}_{M, and not used before by any joined member.}

Procedure 3 (Join Proceed). If the signer chooses to proceed with the Join session, the message (JOINPROCEED,sid, jsid) is sent to the issuer, who performs as follows:

1. It checks the record (jsid,nym_I,id,M, πut). For all nym0Ifrom the previous

Join records, the issuer checks whetherknym_I−nym0_Ik∞≤2β holds; if yes,

the issuer further checks ifut=u0_t. If the equalityut=u0_tholds, the issuer will jump to Step 4 returning ˆXh = ˆXh0, if not the issuer will abort. Note that this double check will make sure that no two EPID keys will include the samex1value.

2. For allnym∗

I in the Issuer’s Revocation recordIR, the issuer checks whether

the equation

knym_I−nym∗_Ik∞≤2β

holds, if yes the issuer aborts.

3. It calculates the vector of polynomials Âh= [ ÂI|A0ˆ +Pi`=1idiAî]∈ R2qm. 4. It samples, using the issuer’s private key ˆTI, a preimage ˆXh= [ ˆXh1|Xˆh2] =

(10)

5. The issuer adds (nym_I,id,M, πut) to his data base, and sends (sid, jsid,Xˆh) toMviaF∗

auth.

WhenM receives the message (sid, jsid,Xˆh), it checks that the equations ˆ

AhXˆh = uh modq and u = ut+uh are satisfied with kXˆh1k∞ ≤ β/2 and

kXˆh2k∞≤β. It stores (sid,M,id,Xˆh,ut) and outputs (JOINED,sid, jsid).M

then computes ˆX = (x1,∀i=(2,...,m+1)xi:=xi+yi,∀i=(m+2,...,2m+1)xi:=yi), wherekXˆk∞≤β.

Procedure 4 (Sign Request). Upon input (SIGN,sid, ssid,M, µ), the signer does the following:

1. It makes sure to have a Join record (sid,id,X,ˆ M). 2. It generates a sign entry (sid, ssid, µ) in its record. 3. Finally it outputs (SIGNPROCEED,sid, ssid, µ).

Procedure 5 (Sign Proceed). When M gets permission to proceed for ssid, the signer proceeds as follows:

1. It retrieves the records (sid,id, πut) and (sid, ssid, µ).

2. M samples a random polynomial p and computes the polynomial nym = px1+e modq, for an error term e ← Ds such that kek∞ ≤β. M then

generates a signature based knowledge proofπ.

π=SPKnpublic:={pp,nym,p},

witness:={Xˆ = (x1, ...,x2m+1),id,e}:

[b|Aˆh] ˆX =u ∧ kXˆk∞≤β ∧ nym=px1+e ∧ kek∞≤β o

(µ).

The details of the proofπ are presented in Appendix A.1.

3. The signer proves that it is not using any of the keys that produced a revoked signature (σ∗_i,p∗_i,nym∗_i) in the signature revocation list (more details about the proof can be found in Appendix A.2).

– Letnym∗_i =p∗_ifi+li, where (fi,li) were used before to createnym∗_i by someMi∗ _{that generated a revoked signature}_σ∗

i ∈SRL.Mproceeds as follows:

• qi,l0i,l00i,l000i ← Ds

• oi=p∗iqi+li0, ki=oix1+l00i,di=nym∗iqi+l000i • rx1,re,rqi,rl0i,rl00i,rl000i ← Ds

• tnym=prx1+re,toi =p

∗

irqi+rl0i, tk_i =oirx₁+rl00

i, tdi =nym

∗

irqi+rl000i .

– Calculates the challengecv=H(tnym|toi|tki|tdi|µ)∈ {0,1,2, . . . ,2n−1}. – The following responses are computed:

• sx₁ =rx₁+Xcv_x

1,se=re+Xcve,sqi=rqi+X cv_qi,

sl0

i =rl0i+X cv_l0

i,sl00i =rl00i +X cv_l00

i,sl000i =rl000i +X cv_l000

i . Abort if any of these rejection samples outputs 1:

• rej(sx1, X

cv_x_{1, ξ}_),_rej_(se_{, X}cv_e_{, ξ}_),_rej_(sqi_{, X}cv_qi_{, ξ}_),

rej(sl0 i, X

cv_l0

i, ξ),rej(sl00i, X cv_l00

i, ξ) orrej(sl000i , X cv_l000

(11)

4. Finally,Moutputsσ= (π,nym,oi,ki,di,sx₁,se,sq_i,sl0

i,sl00i,sl000i , cv,KRL,SRL).

Procedure 6 (Verify).LetKRLdenotes the revocation list with all the rogue signer’s secret keys x∗₁. Upon input (VERIFY,sid, σ, µ,KRL,SRL), the verifier proceeds as follows:

1. It checks the zero-knowledge proof regarding the statement:{[b|Aˆh] ˆX =u ∧ kXˆk∞ ≤β ∧nym =p x1 +e modq ∧ kek∞≤β.}

2. For allx∗₁∈KRL, ifkpx∗

1−nymk∞≤β the verifier outputs 0.

3. For allσ∗_i = (πnym∗ i,nym

∗

i,p∗i)∈SRL, the verifier (a) computes:

– t0ki=oisx1+sl00i −X cv_ki,_t0

di=nym

∗

isqi+sl000i −X cv_di,

t0oi=p

∗

isqi+sli0−X cv_oi,_t0

nym=psx1+se−X

cv_nym_.

(b) checks cv ?

= H(t0nym|t0oi|t

0

ki|t

0

di|µ) and that all the following norms satisfyksx1k∞, ksek∞,ksqik∞,ksl0_ik∞,ksl00_ik∞,ksl000_i k∞≤β+

√ nβ. 4. For all σ_i∗ = (πnym∗

i,nym

∗

i,p∗i), the verifier checks 2kdi−kik< Γ, whereΓ is a function ofβ. If 2kdi−kik< Γ the verifier outputs 0, otherwise 1.

Procedure 7 (Revoke).On input (Revoke, sid,x∗₁,KRL) or (Revoke, sid, σ∗, µ∗,SRL), the revocation manager addsx∗₁toKRLorσ∗toSRLafter verifyingσ∗.

5 A Sketched Security Proof for LEPID

In this section, we provide a sketch of the security proof of the LEPID scheme. A detailed security proof is presented in Appendix B. A variant of the sequence of games of [13] is presented, showing that no environmentEcan distinguish the real world protocolΠ with an adversaryA, from the ideal worldFl

EPID with a

simulatorS. Starting with the real world protocol game, we change the protocol game by game in a computationally indistinguishable way, finally ending with the ideal world protocol.

Game 1.This is the real world protocol.

Game 2.An entityCis introduced, that receives all inputs from the honest parties and simulatesΠ for them. This is equivalent to Game 1.

Game 3. C is split into F and S. F behaves as an ideal functionality, receiving all inputs and forwarding them to S, who simulates the real world protocol for honest parties.S sends the outputs toF, who forwards them toE. This game is similar to Game 2, but with a different structure.

Game 4. F now behaves differently in the setup interface. It stores the algorithms for the issuer I, and checks that the structure ofsid is correct for an honestI, aborting if not. In caseI is corrupt,S extracts the secret key for I and proceeds in the setup interface on behalf of I. Clearly E will notice no change.

(12)

uses does not contain any key or signature revocation checks. F can perform this check separately, so the outcomes are equal.

Game 6.Fstores in its records the members that have joined. IfIis honest, Fstores the secret keytsk, extracted fromS, for corrupt platforms.Salways has enough information to simulate the real world protocol except when the issuer is the only honest party. In this case,S does not know who initiated the join, and so cannot make a join query with F on the signer’s behalf. Thus, to deal with this case,F can safely choose any corrupt signer and put it into Members. The identities of signers are only used for creating signatures for honest signers, so corrupted signers do not matter. In the case that the signer is already registered in Members, F would abort the protocol, but I will have already tested this case before continuing with the query JOINPROCEED. HenceFwill not abort. Thus in all cases,F andS can interact to simulate the real world protocol.

Game 7. (Anonymity). In this game, F creates anonymous signatures for honest platforms by running the algorithms defined in the setup interface. Let us start by defining Game 7.k.k0. In this game F handles the first k0 signing inputs of Mi fori < k using algorithms, and subsequent inputs are forwarded to S who creates signatures as before. We note that Game 7.0.0=Game 6. For increasing k0, Game 7.k.k0 will be at some stage equal to Game 7.k+ 1.0, this is because there can only be a polynomial number of signing queries to be pro-cessed. Therefore, for large enough k andk0, F handles all the signing queries of all signers, and Game 7 is indistinguishable from Game 7.k.k0_{. To prove that}

Game 7.k.k0+ 1 is indistinguishable from Game 7.k.k0, suppose that there ex-ists an environment that can distinguish a signature of an honest party using

tsk =x1 from a signature using a differenttskj=x j

1, then the environment can solve the Decision Ring -LWE Problem.

The firstj≤k0signing queries on behalf ofMkare handled byFusing the al-gorithms, and subsequent inputs are then forwarded toSas before. Now suppose that F outputs the tuples (nymj_,_pj_,_oj

i,k j i,d

j i,sjx1,s

j e,sjqi,s

j l0 i

,sj_l00 i

,sj_l000 i

, cj v,SRL) for j ≤ k0, with nymj ₌ _pj_x

1+ej, for an error term ej ← Ds, and the re-maining proofs are honestly generated. The j = k0 + 1-th query for Mk is as follows: (nymS,pS,oS_i,ks

i,dSi,sSx1,s

S

e,sSqi,sSl0 i,s

S

l00 i,s

S

l000 i , c

S

v, µS,SRL).S is chal-lenged to decide if (nymS,pS,oS_i,ks

i,dSi,sSx1,s

S

e,sSqi,s

S

l0 i

,sS_l00 i

,sS_l000 i

, cS_v, µS,SRL) is chosen from a Ring LWE distribution for some secret x1 or uniformly at ran-dom.S proceeds in simulating the signer without knowing the secretx1.S can answer all the H queries, as S is controllingFCRS. S sets: tSki=o

S

isSx1 +s

S

l00 i − XcS_v_kS

i;tSdi=nym

∗

isSqi+sSl000 i −X

cS_v_dS

i; tSoi=p∗isSqi+sSl0 i−X

cS_v_oS

i;tSnym=pSsSx1+

sS

e −Xc S

vnymS; and, finally, cS

v : =H(tSnym|tSoi|t

S

ki|tSdi|µS). For i > k0 + 1, S outputs the tuples (nymj_,_pj_,_oj

i,k j i,d

j i,sjx1,s

j e,sjqi,s

j l0

i,s j l00

i,s j l000

i , c j

v, µj,SRL), with

nymj ₌_pj_xj

1+ej modq, for some freshly generated secretx j

1 and error term ej ← Ds. For each case, Mk can provide a simulated proof as follows.S sets tj_k

i=o j is

j x1+s

j l00

i −X cj

v_kj i;t

j di=nym

∗

is j qi+s

j l000

i −X cj

v_dj i;t

j oi=p

∗

is j qi+s

j l0

i−X cj

v_oj i; tjnym=pjsjx1+s

j e−Xc

j

v_nymj_{; and, finally,}_cj

v: =H(tjnym|tjoi|t j ki|t

j di|µ

(13)

Thus, any distinguisher between Game 7.k.k0 and Game 7.k.k0+ 1 can solve the Decision Ring LWE Problem.

Game 8.Fnow no longer informsSabout the message andpthat are being signed. If the signer Mis honest, then S can learn nothing about the message µand p. Instead,S knows only the leakagel(µ,p). To simulate the real world, S chooses a pair (µ0,p0) such thatl(µ0,p0)=l(µ,p). An environmentE observes no difference, and thus Game 8=Game 7.

Game 9. If I is honest, then F now only allows members that joined to sign. An honest signer will always check whether it has joined before signing in the real world protocol, so there is no difference for honest signers. Therefore Game 9=Game 8.

Game 10.When storing a newtsk=x1,FchecksCheckTskCorrupt(tsk)=1

orCheckTskHonest(tsk)=1. We want to show that these checks will always pass.

In fact, valid signatures always satisfy nym =px1+e where kx1k∞ ≤ β and

kek∞ ≤ β. By the unique Shortest Vector Problem, there exists only one

tu-ple (x1,e) such that kx1k∞ ≤ β and kek∞ ≤ β for small enough β. Thus,

CheckTskCorrupt(tsk) will always give the correct output. Also, due to the large

min-entropy of discrete Gaussians the probability of samplingx0₁=x1, and thus of having a signature already using the sametsk =x1, is negligible, which im-plies that CheckTskHonest(tsk) will give the correct output with overwhelming probability. Hence Game 10=Game 9.

Game 11. (Completeness). In this game, F checks that honestly gener-ated signatures are always valid. This is true as sig algorithm always pro-duces signatures passing through verification checks. Those signatures satisfy

identify(tsk, σ, µ,p) = 1, which is checked via nym.F also makes sure, using its

internal records Members and DomainKeys that honest users are not sharing the same secret keytsk. If there exists a keytsk0=x0₁in Members and DomainKeys such thatknym−px0₁k∞≤β, then this breaks search Ring-LWE.

Game 12.Check-IX is added to ensure that there are no multipletsktracing back to the same signature. Since there exists only one pair (x1,eI),kx1k∞≤β,

keIk∞ ≤ β, satisfying nymI = H(bsnI)x1+eI, two different signers cannot

share the samex1, thus any valid signature traces back to a singletsk.

Game 13.(Unforgeability). To prevent accepting signatures that were issued by the use of join credentials not issued by an honest issuer, F further adds Check-X. This is due to the unforgeability of Boyen signatures [15].

Game 14. (Unforgeability). Check-XI is added to F, preventing the forg-ing of signatures with honest tsk and credentials. If a valid signature is given on a message that the signer has never signed, the proof could not have been simulated. x1 would be extracted and Ring-LWE would be broken. So Game 14=Game 13.

(14)

problem instance and a proper keyKRLis found, it must be the secret key of the target instance. This is equivalent to solving the search Ring-LWE problem.

Game 16.Fnow performs signature based revocation when verifying signa-tures.Fchecks that there is no (σ∗,nym∗,p∗)∈SRLsuch that for some matching

tskiand (σ∗, µ∗,p∗)∈SRL, we have identify(σ∗, µ∗,p∗,tski) = 1. By the sound-ness of the proof presented in Appendix A.2, this check will always pass with

overwhelming probability.

6 Experimental Results

Letq≥2 represents an integer modulus such thatq=poly(n). For correctness, we require the main hardness parametern, to be large enough (e.g.,n≥100) and q > βas both being at least a small polynomial inn. We also letm=O(logq) as in [10]. A concrete choice of parameters can be as follows:n= 512, l= 32, q= 8380417, m= 24,andβ = 275.

Both LDAA and LEPID were implemented in C, emulating all entities in a single machine. The code was compiled with gcc 4.8.5 with the -O3 and

-march=native flags and executed on an Intel i9 7900X CPU with 64GB

run-ning at 3.3 GHz operated by CentOS 7.5. The obtained experimental results can be found in Table 1. Note that the measured times for signing and verification do not take into account transfer times between the entities or object creation and destruction.

By construing the signer as a single entity instead of two as in the LDAA, the proposed LEPID scheme achieves a reduction of the private-key size of 1.5 times. While the comparison in signatures sizes between both schemes yields favourably for the proposed LEPID scheme with a small amount of rejected users, as the number of users in the SRLincreases, its signature size increases linearly at a rate of 18kB per rejected user (9 polynomials and an integer). When theSRLcontains 500 users, the LEPID signature size closely matches that of the LDAA scheme. Should LEPID signing be implemented on a device with limited computational resources like the TPM, its constrained memory resources and the cost of data transfer might limit its application to small and medium-sized communities. In particular, if one considers a revocation rate of 0.1%, LEPID

Scheme Private-key

(kB)

Signature (MB)

Signing Time (s)

Verification Time (s)

LDAA 147 847 541 129

LEPID (no revoked users) 100 836 361 114

LEPID (100 users inSRL) 100 838 371 117

(15)

signatures will compare favourably in size to LDAA signatures for communities with fewer than 500,000 users.

The signing time in the LEPID scheme is dominated by the signature based knowledge proof π. The addition of the SRL, and consequently of 13 polyno-mial multiplications per rejected user, shows no meaningful impact in the final signing time, where LEPID maintains a speedup of 1.4 over the LDAA scheme. Likewise, in the verification time, the additional 2 polynomial multiplications per rejected user incurred by the SRL are negligible compared to the verifica-tion of π. Hence, the proposed LEPID scheme achieves a speedup of 1.1 when compared with the LDAA scheme across both small and medium rejection lists. For the computational complexity introduced by the SRLto be meaningful, the number of rejected users must be in the order of millions. Once more, the pro-posed LEPID scheme shows improved signature and verification times for small and medium communities when compared with the LDAA.

7 Related Work

A post-quantum EPID scheme has been proposed in [3] built on hash and pseudorandom functions. More concretely, the EPID credential corresponds to a hash-based signature generated by the issuer, and proofs-of-knowledge are con-structed from the Multi-Party Computation (MPC) in the head technique from Ishai et al. [16]. While [3] achieves signature sizes in the order of MBs, execution times are not considered. The main goal of this article is not to outperform [16], but rather to ignite research on lattice-based EPID partially propelled by the National Institute of Standards and Technology (NIST)’s effort on post-quantum cryptography standardisation [17]. By basing our construction on lattices, future versions of EPID might leverage the research resulting from this standardisation process to improve their efficiency. Moreover, since post-quantum cryptography is still in its infancy, it might be useful for implementers to consider multiple security assumptions, to mitigate the effects of cryptanalysis against one of them.

8 Conclusion

(16)

to medium-sized communities. Finally, it is expected that the proposed LEPID may benefit from theoretical developments and hardware accelerators that result from the increased interest that lattice-based cryptography has gathered in the last few years.

Acknowledgements. This research was supported by European Unions Hori-zon 2020 research and innovation programme under grant agreement No. 779391 (FutureTPM), and by national funds through Funda¸c˜ao para a Ciˆencia e a Tecnologia (FCT) with references UID/CEC/50021/2019 and FCT Grant No. SFRH/BD/145477/2019.

References

1. Simon Johnson, Vinnie Scarlata, Carlos Rozas, Ernie Brickel, and Frank Mck-een. Intel Software Guard Extensions: EPID Provisioning and Attestation Ser-vices Intel, 2016. https://software.intel.com/en-us/download/intel-sgx-intel-epid-provisioning-and-attestation-services.

2. Ernie Brickell, Jan Camenisch, and Liqun Chen. Direct anonymous attestation. In Proceedings of the 11th ACM conference on Computer and communications security, pages 132–145. ACM, 2004.

3. Dan Boneh, Saba Eskandarian and Ben Fisch. Post-quantum EPID Signatures from Symmetric Primitives. InTopics in Cryptology – CT-RSA 2019, pages 251– 271. Springer, 2019.

4. Vadim Lyubashevsky. Towards practical lattice-based cryptography. University of California, San Diego, 2008.

5. Carsten Baum, Ivan Damg˚ard, Sabine Oechsner, and Chris Peikert. Efficient com-mitments and zero-knowledge protocols from ring-sis with applications to lattice-based threshold cryptosystems. IACR Cryptology ePrint Archive, 2016:997, 2016. 6. Fabrice Benhamouda, Jan Camenisch, Stephan Krenn, Vadim Lyubashevsky, and Gregory Neven. Better zero-knowledge proofs for lattice encryption and their application to group signatures. In ASIACRYPT (1), pages 551–572. Springer, 2014.

7. Hamid Nejatollahi, Nikil Dutt, Indranil Banerjee and Rosario Cammarota Domain-specific Accelerators for Ideal Lattice-based Public Key ProtocolsIACR Cryptology ePrint Archive, 2018:608, 2018.

8. Nada Kassem, Liqun Chen, Rachid El Bansarkhani, Ali El Kaafarani, Jan Ca-menisch, Patrick Hough, Paulo Martins, and Leonel Sousa. More efficient, provably-secure direct anonymous attestation from lattices. Future Generation Computer Systems, 2019.

9. Vadim Lyubashevsky. Lattice signatures without trapdoors. In EUROCRYPT, volume 7237 ofLNCS, 2012.

10. Chris Peikert et al. A decade of lattice cryptography. Foundations and TrendsR in Theoretical Computer Science, 10(4):283–424, 2016.

11. Oded Regev. The learning with errors problem (invited survey). In2010 IEEE 25th Annual Conference on Computational Complexity.

(17)

13. Jan Camenisch, Manu Drijvers, and Anja Lehmann. Universally composable direct anonymous attestation. InPublic-Key Cryptography – PKC 2016, volume 9615 of LNCS, pages 234–264. Springer, 2016.

14. Jan Camenisch, Liqun Chen, Manu Drijvers, Anja Lehmann, David Novick and Rainer Urian. One TPM to Bind Them All: Fixing TPM 2.0 for Provably Secure Anonymous Attestation. InIEEE Security & Privacy – S&P 2017, IEEE, 2017. 15. Xavier Boyen. Lattice mixing and vanishing trapdoors: A framework for fully

secure short signatures and more. InInternational Workshop on Public Key Cryp-tography, pages 499–517. Springer, 2010.

16. Yuval Ishai, Eyal Kushilevitz, Rafail Ostrovsky, and Amit Sahai. Zero-knowledge proofs fromsecure multiparty computation. InSIAM J. Comput., 39(3):1121–1152, 2009.

17. National Institute of Standards and Technology Post-Quantum Cryptography. 2019. https://csrc.nist.gov/Projects/Post-Quantum-Cryptography.

A

Zero Knowledge Proofs in the LEPID Scheme

A.1 The details of π

Now we explain the details on how to compute π. Letk =blogβc+ 1 and let {β1, ..., βk} ∈ {0,1}k _{be the binary representation of}_β_{. Since we are operating} in the ring Rq =Zq[X]/hXn+ 1i with n =O(λ), then we can transform any linear transformation into a matrix vector product. We construct the matrices

¯

Ai =rot(ai) for i= (1,2, ...,(`+ 2)m+ 1) for all polynomialsai in b, ÂI, Â0, ..., Â` respectively.

Let’s consider the following extensions:

– id={id1, ...,id`} ∈ {0,1}`is extended toid∗∈B2`which is the set of vectors in{0,1}2` _{of hamming weight}_`_.

– A¯∗_i = [ ¯Ai|0∈Zn×2n] fori= 1to i= (2 +`)m+ 1.

We apply the techniques of decomposition and extension described in [12] on each of the vectors of ˆX and the vectore, to get the vectors:

{ej}k j=1,{x

j 1}

k j=1,{x

j 2}

k

j=1, . . . ,{x j 2m+1}

k

j=1∈B3n.

Let ¯A∗_i₊₍_j₊₁₎_m₊₁=0forj > `, and letx(1+i)m+j =id∗·xm+1+j for 1≤i≤2` and 1≤j≤m, andxi=0∈Zn for 2m+ 1< i≤(2 + 2`)m+ 1. Then,

u= [b|Aˆh]·Xˆ = [b|AˆI|A0ˆ +

`

X

i=1

idi·Aˆi]·Xˆ

= 2m+1

X

i=1 ¯ Ai·xi+

`

X

j=1

idj· m

X

i=1 ¯

Ai+(j+1)m+1·xi+m+1

= 2m+1

X

i=1 ¯ A∗_i ·

k

X

d=1 βdxd_i

!

+ 2`

X

j=1

id∗_j· m

X

i=1 ¯

A∗_i₊₍_j₊₁₎_m₊₁· k

X

d=1

βdxd_i₊_m₊₁

!

(18)

1. Samples the following masking vectors: {rj

e←Z3qn}kj=1, {r j

i ←Z3qn}kj=1 for i∈[2(1 +`)m+ 1] andj∈[k], andrid∗←_Z2`

q .

2. Defines the following terms: D = [rot(p)|0]∈ Znq×3n, v j i =x

j i +r

j i, vej = ej+rej, andvid∗=id∗+r_id∗.

Note that the above selection needs to satisfy the following equation:

u+

2(1+`)m+1

X

i=1 ¯ A∗i ·





k

X

j=1 βj·rij



=

2(1+`)m+1

X

i=1 ¯ A∗i ·





k

X

j=1 βj·vji





3. Samples the permutations as follows:τ ←S2`forid∗,{φj←S3n}kj=1for ˆX1, {ψj←S3n}kj=1 for ˆX2, where ˆX = [ ˆX1∈ Rmq+1|X2ˆ ∈ Rmq ],

Now, we are ready to explain the result.

To createπ,Mfirst generates the commitmentsCM T = (C1,C2,C3) where:

– C1=COM(P m+1 i=1 A¯∗i·(

Pk

j=1βjr j i)+

P2(1+`)m+1

i=m+2 A¯∗i·(

Pk

j=1βjr j i), D·(

Pk

j=1βjr j 1) +[I|0]·(Pk

j=1βjr j

e), τ,{φj}kj=1,{ψj} k

j=1,{ϕj} k j=1).

– C2=COM({φj(r1j),· · · , φj(rmj+1), ψj(r j

m+2),· · ·, ψj(r j

2m+1), ψj(r₍j_τ₍₁₎₊₁₎_m₊₂), · · ·, ψj(r₍j_τ₍₁₎₊₂₎_m₊₁),· · · ψj(r₍j_τ₍₂_`₎₊₁₎_m₊₂),· · ·, ψj(r₍j_τ₍₂_`₎₊₂₎_m₊₁)}kj=1, {ϕj(rj

e)}kj=1, τ(rid∗)).

– C3=COM({φj(v j

1),· · ·, φj(v j

m+1), ψj(v j

m+2),· · ·, ψj(v j

2m+1), ψj(v j

(τ(1)+1)m+2), · · ·ψj(vj₍_τ₍₁₎₊₂₎_m₊₁),· · · , ψj(vj₍_τ₍₂_`₎₊₁₎_m₊₂),· · ·, ψj(v₍j_τ₍₂_`₎₊₂₎_m₊₁)}kj=1,

{ϕj(vej)}kj=1, τ(vid∗)).

The following step is the Fiat-Shamir transformation, which has been used in the existing DAA schemes. The only difference is that the hash-function output is used as a random distribution of{1,2,3}t_.

Challenge: The prover generates the challenges using Fiat-Shamir’s hash-function transformation, which is based on a random oracle, which should only include CM T:

{CHj}t

j=1 =H0(µ,{CM Tj}tj=1,pp) ={1,2,3} t_.

Response: For each challenge,Msends its own response to to the verifier. The resulting responses are treated as follows:

– CH= 1 :revealC2 andC3, i.e., output all the permutedτ(id∗), τ(rid∗), {φj(xj_i)}k

j=1,{ψj(x j i)}

k

j=1,{ϕj(e j_)}k

j=1, {ϕj(r j

e)}kj=1, {φj(rij)} k j=1, {ψj(rj_i)}k

j=1.

– CH= 2 :revealC1 andC3, i.e., output all the permutationsτ,{φj}kj=1, {ψj}k

j=1,{ϕj}kj=1, and all thev values.

– CH= 3 :revealC1 andC2, i.e., output all the permutationsτ,{φj}kj=1, {ψj}k

j=1,{ϕj}kj=1, and all thervalues.

(19)

A.2 Signature Proof of knowledgeπk_i(same for πd_i, πo_i)

The proofsπki,πdi andπoiallow the prover to efficiently demonstrate knowledge of small secrets 2qi,2li0,2l00i,2l000i ← Ds0 such that:

– 2oi= 2p∗_iqi+ 2l0_i – 2ki= 2oix1+ 2l00i – 2di= 2nym∗_iqi+ 2l000_i

We now explain in detail the proofπkiand show its properties: completeness, honest-verifier zero-knowledge and special soundness.

The following lemma shows that there is always a subset of polynomials in the ringRq that are invertible such that their inverses have only small coefficients.

Lemma 1. [6] Let 0 < i, j < 2n−1, then the polynomial 2(Xi ₋_Xj₎−1 _has

infinite norm at most 1 over the ringRq.

Letki=oix1+l00i, wherex1 andl00i are chosen fromDs and play the roles of the LWE-secrets. Our scheme convinces the verifier that the signer knows some secret ¯x1and a random polynomial ¯l_i00with norms larger thanβ such that ¯

cvki=oix1¯ + ¯l00_i. However ¯cv ∈C¯is unknown to the verifier. On the other hand, to check that σ is not in SRL we need to measure the exact distance between thekis anddis, thus the verifier has to know ¯cv. Therefore, we need the signer Mto construct a proof that allows a verifier to check the distance even without knowing ¯cv. We adopt the ZKP from [6] to let the signer prove that it actually knows small secrets ¯x1and ¯li00with norms greater thenβthat satisfy the equation 2ki = 2oix¯1+ 2 ¯l00i, i.e. the verifier ensures that the prover knows short secrets for twiceki (same proof fordi,oi applies).

Proof. We prove now that our modified SPK satisfies the following:

Lemma 2. [4]: Let a and b be two polynomials in _Zq/(Xn_{+ 1)}_{. If a}

polyno-mial b is chosen randomly with mean 0, then with high probability kabk∞ ≈

√

nkak∞kbk∞.

– Completeness: In fact the verifier can always verify the equation since:

Xcv_k i+tki

=Xcv_(oix

1+l00i) +oirx1+rl00i

=Xcv_(oix

1+l00i) +oi(sx1−x

cv_x 1) +sl00

i −x cv_l00

i

=oisx₁+sl00 i

For the norms we have thatksx₁k∞≈β+

√

nβ with overwhelming proba-bility using lemma 2, and the same applies forksl00

(20)

– Honest-verifier zero-knowledge: Given a challenge cv, a simulator S pro-ceeds as follows: chooses ss_t and sl00

i randomly from Ds0, computes tki = oiss_t+sl00

i −X

cv_{ki. Finally}_S _{outputs (}_c

v,tki,ki,sst,sl00i). If no abort oc-curs, then the distribution of (sx₁,sl00

i) does not depend on (x1,l

00

i), thus the simulated and real protocol transcripts are indistinguishable.

– Special soundness: Given two accepted transcripts (c1v,s1x1,s

1 l00

i) and (c 2 v,s2x1,s

2 l00

i), that share the sametk_i. We also proved the verification equalityXcv_ki+tk

i= oisx1+sl00_i. Therefore,

we have:

Xc1v_k

i+tki =ois1x1+s

1 l00

i (4)

and

Xc2v_ki₊_tk i =ois

2 x1+s

2 l00

i (5)

Subtracting the two above equations we get:

ki(Xc

1

v₋_Xc2v_{) =}_o

i(s1x1−s

2 x1) + (s

1 l00

i −s 2 l00

i)

dividing both sides by (Xc1_v₋_Xc2_v_{) and multiplying by 2 we get:}

2ki=oi 2(s1

x1−s

2 x1)

(Xc1

v−Xc2v) + 2(s1 l00 i − s2 l00 i )

(Xc1

v−Xc2v) The equation can be written in the form:

2ki=oix1¯ + ¯l00_i (6)

where ¯x1= 2 (s1_x

1−s 2

x1)

(Xc1

v−Xc2

v) and ¯l

00

i = 2 (s1_l00

i

−s2_l00 i

)

(Xc1

v−Xc2

v).

Thus, relying on lemmas 1 and 2, the infinite norm of the extracted witness ¯

x1 is as follows:

kx1¯k∞≤

√ nk(s1

x1−s

2

x1)k∞k2(X

c1_v ₋_Xc2_v₎−1_k

∞≤2

√

n(β+√nβ)

Similarly, for the extracted ¯l00_i, we have

kl¯00_ik∞≤

√ nk(s1

l00 i −s

2 l00

i)k∞k2(X

c1_v ₋_Xc2_v₎−1_k

∞≤2

√

n(β+√nβ)

since k(s1 x1−s

2

x1)k∞ ≤ 2(β +

√

nβ) and k2(Xc1v−_Xc2v₎

−1

k∞ = 1 from

lemma 1.

(21)

– SETUP

On input (SETUP, sid) from I, output (FORWARD, (SETUP,sid,I) toS.

– JOIN

1. On input (JOIN, sid, jsid) from the platform Mi, output (FORWARD, (JOIN,sid, jsid,Mi)) toS.

2. On input (JOINPROCEED,sid, jsid) from I, output (FORWARD, (JOINPROCEED,sid, jsid),I) toS.

– SIGN

1. On input (SIGN,sid, ssid,p) from Mi, output (FORWARD, (SIGN,sid, ssid,Mi,p)) toS.

2. On input (SIGNPROCEED,sid, ssid) fromMi, output (FORWARD, (SIGN-PROCEED,sid, ssid),Mi) toS.

– VERIFY

On input (VERIFY, sid, µ,p, σ,KRL,SRL) from V, output (FORWARD, (VER-IFY,sid, µ,p, σ,KRL,SRL),V) toS.

– REVOKE: On the input tsk∗ from a party R, output (FORWARD, (REVOKE,

sid, µ,tsk∗,KRL,SRL),R) toS.

On the input (σ∗, µ∗,p∗) from a party R, (FORWARD, (REVOKE,

sid, µ∗,p∗, σ∗,KRL,SRL),R) toS. – OUTPUT

On input (OUTPUT,P,µ) fromS, outputµtoP.

Fig. 1: Game 3 forF

– KeyGen

Upon receiving input (FORWARD, (SETUP, sid,I)from F, give “I” (SETUP,

sid) . – JOIN

1. Upon receiving (FORWARD, (JOIN,sid, jsid,Mi) fromF, give input (JOIN,

sid, jsid) to “Mi”

2. Upon receiving input (FORWARD, (JOINPROCEED,sid, jsid), I) fromF, give “I” input (JOINPROCEED,sid, jsid).

– SIGN

1. Upon receiving input (FORWARD, (SIGN, sid, ssid,Mi,p) from F, give “Mi” input (SIGN,sid, ssid, p).

(22)

– VERIFY

Upon receiving input (FORWARD, (VERIFY,sid, µ,p, σ,KRL,SRL),V) fromF, give “V” input (VERIFY,sid, µ,p, σ,KRL,SRL).

– REVOKE

Upon receiving (FORWARD, (REVOKE, sid, µ,tsk∗,KRL,SRL),R) fromF, give “R” an input (REVOKE, sid, µ,tsk∗,KRL,SRL).

Upon receiving (FORWARD, (REVOKE, sid, µ∗_,_p∗_{, σ}∗_,_KRL_,_SRL_), _R_{) from} _F_,

give “R” an input (REVOKE,sid, µ∗_,_p∗_{, σ}∗_,_KRL_,_SRL_).

– OUTPUT

When any simulated party “P” outputs a messageµ,Ssends (OUTPUT,P, µ)to F.

Fig. 2: Game 3 forS

– SETUP

1. On input (SETUP, sid) from I, verify that sid = (I,sid0) and output (SETUP,sid) toS.

2. On input (ALGORITHMS, sid, sign, ver, revoke, identify, Kgen) from S, check that ver, revoke, and identify are deterministic. Store (sid, sign, ver, revoke, identify, Kgen) and output (SETUPDONE,sid) toI.

– JOIN

– SIGN

1. On input (SIGN, sid, ssid,p) from Mi, output (FORWARD, (SIGN,

sid, ssid,Mi,p)) toS.

2. On input (SIGNPROCEED,sid, ssid) from Mi, output (FORWARD, (SIGNPROCEED,sid, ssid),Mi) toS.

– VERIFY

(23)

– REVOKE

On the input tsk∗ from a party R, output (FORWARD, (REVOKE,

sid, µ,tsk∗,KRL),R) toS.

On the input (σ∗, µ∗,p∗,KRL,SRL) from a party R, (FORWARD, (REVOKE,

sid, µ∗,p∗, σ∗,KRL,SRL),R) toS . – OUTPUT

Fig. 3: Game 4 forF

– KeyGen: HonestI: On input (SETUP,sid) fromF • Checksid = (I,sid0), output⊥toI if the check fails. • Give “I” input (SETUP,sid).

• Upon receiving output (SETUPDONE,sid) from “I”,Stakes its private key ˆ

TI.

• Define Sign(tsk, µ,p,KRL,SRL) as follows:

Define SamplePre( ˆTI,ut,u,id) that outputs a signature ˆXh = [ ˆXh1|Xˆh2] as

satisfying

ˆ

Ah·Xˆh=uh modq,

withkXˆh1k∞≤β/2 andkXˆh2k∞≤β, andidis a fresh tag will be the L-EPID

credential.

∗ nym=p·tsk+e modq, for an error terme← Ds such thatkek∞< β.

∗ ∀(σ∗_i,p∗_i,nym∗_i)∈SRL

· qi,l0_i,l_i00,l000_i ← Ds · oi=p∗iqi+l0i · ki=oix1+l00i · di=nym∗iqi+l000i

· rx1,re,rqi,rl0i,rli00,rl000i ← Ds · tnym=prx1+re

· to_i=p∗_irq_i+rl0 i. · tk_i =oirx₁+rl00 i. · td_i =nym∗_irq_i+rl000

i .

· cv=H(tnym|toi|tki|tdi|µ)∈ {0,1,2,· · · ,2n−1}. · sx₁ =rx₁+xcv_x

1 · se=re+xcv_e · sq_i =rq_i+xcv_qi · sl0

i =rl 0 i+x

cv_l0 i · sl00

i =rl 00 i +x

cv_l00 i · sl000

i =rl 000 i +x

cv_l000 i

∗ rej(sx₁, xcv_x_{1, ξ}_), _rej_(se_{, x}cv_e_{, ξ}_), _rej_(sq i, x

cv_qi_{, ξ}_), _rej_(sl0 i, x

cv_l0 i, ξ),

rej(sl00 i, x

cv_l00

i, ξ) orrej(sl000i , x cv_l000

(24)

∗ σ= (π,nym,oi,ki,di,sx₁,se,sq_i,sl0

i,sl00i,sl000i , cv,KRL,SRL) • Define ver(σ, µ,p,KRL,SRL) as follows:

∗ ∀ tsk∗∈KRL, ifkp·tsk∗−nymk∞≤β outputs 0.

1. ∀σ_i∗= (πnym∗ i,nym

∗

i,p∗i)∈SRL, 2. compute:

3. t0ki=oisx1+sli00−x cv_ki

4. t0di=nym

∗

isqi+sl000i −x cv_di

5. t0oi=p

∗

isqi+sl0i−x cv_oi

6. t0nym=psx1+se−x

cv_nym

7. cv ?

=H(t0nym|t0oi|t

0

ki|t

0

di|µ).

8. checkksx₁k∞,ksek∞,ksqik∞,ksl0ik∞,ksl00ik∞,ksl000i k∞≤β+ √

nβ. 9. check 2kdi−kik< Γ, whereΓ is a function ofβ. If 2kdi−kik< Γ

the verifier outputs 0, otherwise 1.

∗ If all checks pass, output (VERIFIED,sid,1), (VERIFIED,sid,0) otherwise. • Define revoke( tsk∗, σ∗, µ∗,p∗), add tsk∗ to KRLor σ∗ to SRLafter verifying

σ∗_.

• Define Identify(σ, µ,p, tsk) as follows: It parsesσas (nym,p) and checks that tsk∈ Ds, ver(σ, µ,p)=1 andknym−p·tskk∞≤β. If so output 1, otherwise

output 0.

• Define Kgen, taketsk∈ Dsand outputtsk.

• S sends (KEYS,sid, Sign, Verify, Revoke, Identify, Kgen) toF.

Corrupt I:S notices this setup as it noticesI registering a public key withFCA withsid = (I,sid0).

• If the registered key is in the form ( ˆAI, πI) and πI is valid, thenS extracts

ˆ

TI fromπI.

• Sdefines the algorithms Sign, Verify, Revoke, and Identify as before, but now depending on the extracted key.S sends (SETUP,sid) toF on behalf of I. On input (KEYGEN,sid) fromF,Ssends (KEYS,sid, Sign, Verify, Revoke, Identify, Kgen) toF.

• On input (SETUPDONE,sid) from F.S continues simulating “I”. – JOIN, SIGN, VERIFY,REVOKE: Unchanged.

Fig. 4: Game 4 forS

– SETUP

(25)

– SIGN

– VERIFY

On input (VERIFY, sid, µ,p, σ,KRL,SRL) fromV • Setf = 0 if

∗ There is atsk∗∈KRLsuch that Identify(σ, µ,p, tsk∗) = 1 • Iff 6= 0, setf=Verify(σ, µ,p).

• Add (σ, µ,p,KRL, f) to VerResults, output (VERIFIED,sid,f) toV. – REVOKE

On input (REVOKE, tsk∗, σ∗, µ∗,p∗), the revocation manager adds tsk∗ to KRL

or σ∗ toSRLafter verifyingσ∗. – OUTPUT

Fig. 5: Game 5 forF

– KeyGen,JOIN,SIGN : Unchanged. – VERIFY,REVOKE: Nothing to simulate.

Fig. 6: Game 5 forS

– SETUP

– JOIN

1. JOINREQUEST: On input (JOIN,sid, jsid) fromMi • Create a join session hjsid,Mi, requesti.

(26)

2. JOIN REQUEST DELIVERY: Proceed upon receiving delivery notification fromS.

• Update the session record tohjsid,Mi, deliveredi.

• IfI or Mi is honest andhMi, ?iis already in Members, output⊥. • Output (JOINPROCEED,sid, jsid,Mi) toI.

3. JOIN PROCEED: Upon receiving (JOINPROCEED,sid, jsid,Mi) fromI • Update the session record tohjsid,sid,Mi,completei.

• Output (JOINCOMPLETE,sid, jsid) toS.

4. KEY GENERATION: On input (JOINCOMPLETE,sid, jsid,tsk) fromS. • Update the session record tohjsid,Mi, completei

• IfMi is honest, settsk=⊥.

• InserthMi, tskiinto Members, and output (JOINED,sid, jsid) toMi. – SIGN

– VERIFY

∗ There is atsk∗∈KRLsuch that Identify(σ, µ,p, tsk∗) = 1

• Iff 6= 0, setf=Verify(σ, µ,p,KRL,SRL).

• Add (σ, µ,p,KRL, f) to VerResults, output (VERIFIED,sid,f) toV.

– REVOKE

On input (REVOKE, tsk∗, σ∗_{, µ}∗_,_p∗_{), the revocation manager adds} _tsk∗ _to KRL

or σ∗ toSRLafter verifyingσ∗.

– OUTPUT

Fig. 7: Game 6 forF

– KeyGen: Unchanged. JOIN: HonestMi,I

• WhenS receives (JOINSTART,sid, jsid,Mi) fromF

• It simulates the real world protocol by giving “Mi” input (JOIN, sid, jsid) and waits for output (JOINPROCEED,sid, jsid,Mi) from “I”.

• AsMi is honest,S already knowstsk as it is simulatingMi. • S sends (JOINSTART,sid, jsid) toF.

(27)

• Upon receiving input (JOINCOMPLETE,sid, jsid) fromF,S sends (JOIN-COMPLETE,sid, jsid,⊥) toF.

HonestI, CorruptMi :

• S notices this join as “I” receives (SENT,sid0,(ut, πut)) fromF

∗ auth.

• S doesn’t know the identity of the signer that started this join, soS chooses any corrupt M∗ _{and proceeds as if this signer initiated this join, although}

this may not be the correct signer. This makes no difference as when creating signatures we only look for corrupt signers as they are not considered in generating signatures.

• S then extractstsk from the proofπut.

• S makes a join query withM∗ _{by sending (JOIN,}_sid_{, jsid,}_M∗_{) to}_F.

• Upon receiving input (JOINSTART,sid, jsid,M∗_{) from}_F,_S _continues

sim-ulating “I” until it outputs (JOINPROCEED, sid, jsid,M∗_).

• S sends (JOINSTART,sid, jsid) toF.

• Upon receiving (JOINCOMPLETE,sid, jsid) from F,S sends (JOINCOM-PLETE,sid, jsid,tsk) toF.

• Upon receiving (JOINED, sid, jsid) from F as Mi is corrupt,S gives “I” input (JOINPROCEED,sid, jsid).

HonestMi, CorruptI:

• On input (JOINSTART, sid, jsid,Mi) fromF, S gives “Mi” input (JOIN,

sid, jsid) and waits for output (JOINED,sid, jsid,Mi) from “Mi”. • S sends (JOINSTART,sid, jsid) toF.

• Upon receiving input (JOINPROCEED,sid, jsid) fromF, S sends (JOIN-PROCEED,sid, jsid) toF on behalf ofI.

• Upon receiving input (JOINCOMPLETE,sid, jsid) fromF,S sends (JOIN-COMPLETE,sid, jsid,⊥) toF.

– SIGN,VERIFY,LINK: Unchanged.

Fig. 8: Game 6 forS

– SETUP,JOIN: Unchanged. – SIGN

• SIGN REQUEST: On input (SIGN,sid, ssid, µ,p) fromMi, ∗ Create a sign sessionhssid,Mi, µ,p, requesti.

∗ Output (SIGNSTART, sid, ssid,Mi) toS.

• SIGN REQUEST DELIVERY: On input (SIGNSTART, sid, ssid) from S, update the session tohssid,Mi, µ,p, deliveredi.

• Output (SIGNPROCEED,sid, ssid, µ,p) toMi.

• SIGN PROCEED: On input (SIGNPROCEED,sid, ssid) fromMi ∗ Update the recordshssid,Mi, µ,p, deliveredi.

∗ Output (SIGNCOMPLETE, sid, ssid) toS.

(28)

∗ Ignore the adversary’s signatureσ.

∗ Generate the signatureσ←Sign(tsk, µ,p).

∗ For all (σ∗, µ∗,p∗) ∈ SRL, find all (tsk∗,M∗_{) from Members and}

Do-mainKeys such that identify(σ∗, µ∗,p∗, ?,tsk∗) = 1 · Check that no two distinct keystsk∗ trace back toσ∗. · Check that no pair (tsk∗,Mi) was found.

∗ If Mi is honest, then storehσ, µ,Mi,piin Signed and output (SIGNA-TURE, sid, ssid, σ) toMi.

– VERIFY

• Iff 6= 0, setf=Verify(σ, µ,p).

– REVOKE

– OUTPUT

Fig. 9: Game 7 forF

– KeyGen,JOIN: Unchanged. – SIGN :HonestMi

Upon receiving (SIGNSTART,sid, ssid,Mi,p, µ) fromF.

• S starts the simulation by giving “Mi” input (SIGN,sid, ssid,, µ,p). • When “Mi” outputs (SIGNPROCEED, sid, ssid, µ,p), S sends

(SIGN-START,sid, ssid) toF.

• Upon receiving (SIGNCOMPLETE, sid, ssid) from F, output (SIGNPRO-CEED,sid, ssid) to “Mi”.

• When “Mi” outputs (SIGNATURE,sid, ssid, σ), send (SIGNCOMPLETE,

sid, ssid,⊥) toF. CorruptMi

Upon receiving (SIGNSTART, sid, ssid,Mi,p, µ) from F, send (SIGNSTART,

sid, ssid) toF.

• Upon receiving (SIGNPROCEED,sid, ssid, µ,p) fromFon behalf ofMi, as Mi is corrupt,S sends (SIGN,sid, ssid,Mi, µ,p) toF on behalf ofMi. • Upon receiving (SIGNCOMPLETE,sid, ssid) fromF,S sends

(SIGNCOM-PLETE,sid, ssid, σ) toF.

– VERIFY,LINK: Nothing to simulate.

(29)

• SIGN REQUEST: On input (SIGN,sid, ssid, µ,p) fromMi,

∗ Create a sign sessionhssid,Mi, µ,p, requesti.

∗ Output (SIGNSTART, sid, ssid,Mi,l(µ.bsn))toS.

• SIGN PROCEED: On input (SIGNPROCEED,sid, ssid) fromMi

∗ Update the recordshssid,Mi, µ,p, deliveredi.

• SIGNATURE GENERATION: On the input (SIGNCOMPLETE,sid, ssid, σ) fromS, ifMi is honest then:

∗ For all (σ∗, µ∗,p∗) ∈ SRL, find all (tsk∗,M∗_{) from Members and}

Do-mainKeys such that identify(σ∗, µ∗,p∗, ?,tsk∗) = 1

· Check that no two distinct keystsk∗ trace back toσ∗.

· Check that no pair (tsk∗,Mi) was found.

– VERIFY

• Iff 6= 0, setf=Verify(σ, µ,p,KRL,SRL).

– REVOKE

– OUTPUT

Fig. 11: Game 8 forF

– KeyGen,JOIN: Unchanged. – SIGN

HonestMi:

Upon receiving (SIGNSTART,sid, ssid,Mi, l) from F. • S takes a dummy pair (µ0,bsn0) such thatl(µ0,bsn0) =l.

(30)

• When “Mi” outputs (SIGNPROCEED, sid, ssid, µ0,p0), S sends (SIGN-START,sid, ssid) toF.

• Upon receiving (SIGNCOMPLETE, sid, ssid) from F, output (SIGNPRO-CEED,sid, ssid) to “Mi”.

• When “Mi” outputs (SIGNATURE,sid, ssid, σ), send (SIGNCOMPLETE,

sid, ssid,⊥) toF. CorruptMi

Upon receiving (SIGNSTART,sid, ssid,Mi, l) from F. • Send (SIGNSTART,sid, ssid) toF.

• Upon receiving (SIGNPROCEED,sid, ssid, µ,p) fromFon behalf ofMi, as Mi is corrupt, S sends (SIGNPROCEED, sid, ssid, µ,p) to F on behalf of Mi.

• Upon receiving (SIGNCOMPLETE, sid, ssid) from F, send (SIGNCOM-PLETE,sid, ssid, σ) toF.

– VERIFY,LINK: Nothing to simulate.

Fig. 12: Game 8 forS

• SIGN REQUEST: On input (SIGN,sid, ssid, µ,p) fromMi,

• Abort ifI is honest and no entryhMi, ?iexistsML. ∗ Create a sign sessionhssid,Mi, µ,p, requesti.

∗ Output (SIGNSTART, sid, ssid,Mi,l(µ.bsn)) toS.

• SIGN PROCEED: On input (SIGNPROCEED,sid, ssid) fromMi

∗ Update the recordshssid,Mi, µ,p, deliveredi.

• SIGNATURE GENERATION: On the input (SIGNCOMPLETE,sid, ssid, σ) fromS, ifMi is honest then:

∗ For all (σ∗, µ∗,p∗) ∈ SRL, find all (tsk∗,M∗) from Members and Do-mainKeys such that identify(σ∗, µ∗,p∗, ?,tsk∗) = 1

· Check that no two distinct keystsk∗ trace back toσ∗.

· Check that no pair (tsk∗,Mi) was found.

– VERIFY