ASPECTOS SOCIO-ECONÓMICOS: CANASTA DE ALIMENTOS DE MANOS

We use a sequence of hybrids, each identified by a gameG_i, to prove that the outputs of the environmentEwhen

interacting with the real-world (dummy) adversaryAand the ideal-world simulatorS are computationally

indistinguishable. We denote byOutput_i(E)the output ofEin gameG_i, and byG₀the real-world execution.

• G₁(sample parameters):

This game is the real-world execution modified as follows.

– Einteracts withSinstead ofA.

– SusesDPC.Setupto generate public parameterspp, and gives these toE.

– Smaintains the ledgerLforE(it appends toLany pushed transaction passing the checks inDPC.Verify). – Sforwards messages fromE toLand other parties.

– Sforwards messages from other honest parties toE.

Output₁(E)is perfectly indistinguishable fromOutput₀(E)sinceSsamples the public parameters honestly,

maintains the ledger identically to the ideal ledger, and otherwise behaves like the dummy adversary. • G₂(simulate setup):

S invokes DPC.SimSetup instead of DPC.Setup. Output₂(E) is perfectly indistinguishable from

Output₁(E)sinceNIZKis perfect zero knowledge.

• G₃(simulate proofs):

In all honest party transactions,Sreplaces NIZK proofs with simulated proofs produced viaNIZK.Simulate. Output₃(E)is perfectly indistinguishable fromOutput₂(E)sinceNIZKis perfect zero knowledge.

• G₄(simulate serial numbers):

In all honest party transactions,Sreplaces all serial numbers with uniformly random elements sampled

fromPRF’s codomain. SincePRFis a pseudorandom function, andEdoes not know the secret key used to

compute it,Output₄(E)is computationally indistinguishable fromOutput₃(E).

• G₅(simulate commitments and equivocate commitment openings):

In all honest party transactions,Sreplaces record commitments with commitments to the empty string

ε. In all messages from honest parties to corrupted parties containing record contents,S replaces the

actual commitment randomness with randomness produced byTCM.Equivocate.Output₅(E)is perfectly

indistinguishable fromOutput₄(E)sinceTCMis perfectly hiding and equivocation produces commitment

randomness that is statistically close to uniform. • G₆(handle adversarial transactions):

For every corrupted party transaction,Sextracts an NP instancex_eand witnessw_eforR_efrom the included

proof and then proceeds as follows.

– If(xe,we)6∈ R,Saborts. IfNIZKis simulation-extractable, this occurs with negligible probability.

– For alli∈ {1, . . . , m}, if the contents of anyriare different from those seen in anyRecordAuthfrom

an honest party or in the output of a previously extracted transaction,S aborts. IfTCMis a binding

commitment scheme, then this occurs with negligible probability.

– For alli∈ {1, . . . , m}, if the extracted secret keyaskiforapkidiffers from the secret key extracted for

apk_iin a prior transaction,S aborts. IfCMis a binding commitment scheme, then this occurs with

negligible probability.

– For allj ∈ {1, . . . , n}, if the serial number nonceρj matches one extracted in a prior transaction,S

aborts. IfCRHis a collision-resistant hash, then this occurs with negligible probability because the serial

number nonce is the output ofCRHevaluated (in part) over the serial numbers of the input records. If

this input is distinct across two different invocations ofCRH, then collision resistance guarantees that a

nonce collision happens with negligible probability. Now for the transaction to be valid, it must contain serial numbers not seen before on the ledger. Therefore, the inputs toCRHare never repeated.

Output₆(E)is therefore computationally indistinguishable fromOutput₅(E).

The final game is distributed identically to the operation ofS from the point of view ofE. We have thus

B

Construction of a delegable DPC scheme

We provide more details on the delegable DPC scheme discussed in Section 5. First we give details on randomizable signatures (Appendix B.1), and then give pseudocode for the DPC construction (Appendix B.2). B.1 Definition and construction of a randomizable signature scheme

A randomizable signature scheme is a tuple of algorithmsSIG = (Setup,Keygen,Sign,Verify,RandPk,

RandSig) that enables a party to sign messages, while also allowing randomization of public keys and

signatures to prevent linking across multiple signatures.

We have already described the syntax of the scheme’s algorithms, and summarized its security properties, in Section 5.2. Now we discuss in more detail the security properties, and the construction used in our code.

Security properties. The signature schemeSIGsatisfies the following security properties.

• Existential unforgeability under randomization (EUR).For every efficient adversary A, the following

probability is negligible: Pr     

m∗6∈QandSIG.Verify(pp_SIG,pk_SIG, m∗, σ∗)

or

m∗6∈QandSIG.Verify(pp_SIG,pkˆ_SIG, m∗, σ∗)

pp_SIG←SIG.Setup(1λ) (pk_SIG,skSIG)←SIG.Keygen(ppSIG)

(m∗, σ∗, rSIG∗ )← AS(

·)

(pp_SIG,pk_SIG) ˆ

pk_SIG←SIG.RandPk(pp_SIG,pk_SIG, r_SIG∗ )



   

whereS(m) :=SIG.Sign(pp_SIG,sk_SIG, m)andQare the queries made byAto the signing oracleS. • Unlinkability. Every efficient adversaryA= (A₁,A₂)has at most negligible advantage in guessing the bit

bin theIND-RSIGgame below.

IND-RSIGSIGA (1λ):

1. Generate public parameters:ppSIG←SIG.Setup(1 λ

).

2. Generate key pair:(pk_SIG,skSIG)←SIG.Keygen(ppSIG).

3. Obtain message from adversary:m← ASIG.Sign(ppSIG,skSIG,·)

1 (ppSIG,pkSIG).

4. Sample a bitbuniformly at random.

5. Ifb= 0:

(a) Sample new key pair:(pk0_SIG,skSIG0 )←SIG.Keygen(ppSIG).

(b) Sign message:σ←SIG.Sign(ppSIG,sk 0 SIG, m).

(c) Setc:= (pk0_SIG, σ).

6. Ifb= 1:

(a) Sign message:σ←SIG.Sign(pp_SIG,skSIG, m).

(b) Sample randomnessrSIG.

(c) Randomize public key:_pkˆ

SIG←SIG.RandPk(ppSIG,pkSIG, rSIG).

(d) Randomize signature:σˆ←SIG.RandSig(pp_SIG, σ, rSIG).

(e) Setc:= ( ˆpkSIG,ˆσ).

7. OutputASIG.Sign(ppSIG,skSIG,·)

2 (ppSIG,pkSIG, c).

• Injective randomization. For every efficient adversaryA, the following probability is negligible: Pr

r₁6=r₂

SIG.RandPk(pp_SIG,pk_SIG, r1) =SIG.RandPk(ppSIG,pkSIG, r2)

pp_SIG ←SIG.Setup(1λ) (pk_SIG, r1, r2)← A(ppSIG)

.

Construction. In Fig. 21 we provide a modification of the Schnorr signature scheme [Sch91] that is

randomizable. We briefly explain why this modification satisfies the security properties above.

• Existential unforgeability under randomization (EUR).Given an efficient adversaryAthat breaks EUR of

randomizable Schnorr signatures, we construct an efficient adversaryA0that breaks existential unforgeability

of standard Schnorr signatures. In detail,A0forwards signature queries fromAto its own signing oracle

and returns the answers toAand then, whenAoutputs a tuple(m∗, σ∗, r_SIG∗ ),A0 outputs the tuple(m∗, σ)

whereσis computed as follows. Ifσ∗is a valid signature form∗ underpk_SIGthenσ :=σ∗. Otherwise,A0

“undoes” the randomization ofσ∗ = (s, e)by settingσ:= (s+e·r∗SIG, e); thus ifAoutputs a forgery for

a randomization ofpk_SIG,A0 translates it back into a forgery forpk_SIG. In sum, since standard Schnorr

signatures are secure in the random oracle model assuming hardness of discrete logarithms [PS00], so is the randomizable variant under the same assumptions.

• Unlinkability of public keys. Public keys are unlinkable becauseSIG.RandPkmultiplies the public keypk

(which is a group element) by a random group element; the result is statistically independent ofpk.

• Unlinkability of signatures. The only part of a Schnorr signature that depends on the public or secret key is the scalars. SinceSIG.RandSigadds a random shift tos, the result is statistically independent of the signature’s original key pair.

• Injective randomization. Fixing all inputs but forr_SIG,SIG.RandPkis a permutation overG. Hence, finding collisions over the randomness is not possible.

SIG.Setup(1λ)→ppSIG

1. Sample a group:(_G, q, g)←SampleGrp(1λ).

2. Sample cryptographic hash functionH.

3. Outputpp_SIG:= (G, q, g, H).

SIG.Keygen(pp_SIG)→(pk_SIG,skSIG)

1. ParseppSIGas(G, q, g, H).

2. Sample a scalarxuniformly fromZq.

3. Output(pkSIG,skSIG) := (g x

, x).

SIG.Verify(ppSIG,pkSIG, m, σ)→b

1. Parsepp_SIGas(G, q, g, H). 2. Parseσas(s, e). 3. Setrv:=g s pke_SIG=gs+xe. 4. Setev:=H(rvkm). 5. Check ife=ev.

SIG.Sign(ppSIG,skSIG, m)→σ

1. Parsepp_SIGas(_G, q, g, H).

2. Sample a scalarkuniformly fromZq.

3. Setr:=gkande:=H(rkm).

4. Sets:=k−xe.

5. Outputσ:= (s, e).

SIG.RandPk(pp_SIG,pk_SIG, rSIG)→pkˆSIG

1. ParseppSIGas(G, q, g, H).

2. Output_pkˆ

SIG:=pkSIG·g r_SIG

.

SIG.RandSig(pp_SIG, σ, rSIG)→ˆσ

1. ParseppSIGas(G, q, g, H).

2. Parseσas(s, e).

3. Outputσˆ:= (s−e·rSIG, e).

Figure 21:Construction of a randomizable signature scheme based on the Schnorr signature scheme [Sch91].