First, we note that the security for the verifier and the non-transferability of the confirmedSign, confirmation, and denial protocols are ensured by using zero-knowledge proofs of knowledge. Furthermore, the construction is EUF-CMA secure and INV-CMA secure if the underlying components are secure.
Theorem 5.6. Given $(t, q_s) \in \mathbb{N}^2$ and $\epsilon \in [0, 1]$, the construction depicted above is $(t, \epsilon, q_s)$-EUF-CMA secure if it uses a statistically binding commitment scheme and a $(t, \epsilon, q_s)$-EUF-CMA secure digital signature scheme.

Proof. (Sketch)
Let $\mathcal{A}$ be an EUF-CMA attacker against the construction. We construct an EUF-CMA attacker $\mathcal{R}$ against the underlying digital signature scheme as follows.

$\mathcal{R}$ gets the parameters of the digital signature from his challenger, and chooses a suitable encryption and commitment scheme. Simulation of the confirmedSign queries (on messages $m_i$) is done by first computing a commitment $c_i$ on $m_i$ using some random string $r_i$, then encrypting the string $r_i$ in $e_i$ and finally requesting the challenger for a digital signature $\sigma_i$ on $e_i \| c_i$. The string $(e_i, c_i, \sigma_i)$ is output to $\mathcal{A}$ along with a proof of equality of the decryption of $e_i$ and of the opening value of $c_i$. Such a proof can be issued using the encryption scheme private key that $\mathcal{R}$ knows or the randomness used to encrypt $r_i$ in $e_i$. Confirmation/denial and selective conversion queries can be perfectly simulated with the knowledge of the encryption scheme private key.

At some point, $\mathcal{A}$ will output a forgery $\mu^\star = (e^\star, c^\star, \sigma^\star)$ on some message $m^\star$ which was never queried before. The pair $(\sigma^\star, e^\star \| c^\star)$ is an existential forgery on the digital signature scheme if $e^\star \| c^\star$ was never queried before by $\mathcal{R}$ for a digital signature. Suppose there exists $1 \le i \le q_s$ such that $e^\star \| c^\star = e_i \| c_i$, where $\mu_i = (e_i, c_i, \sigma_i)$ was the output confirmer signature on the query $m_i$. Due to the special way the strings $e_i \| c_i$ are created, equality of the strings $e^\star \| c^\star$ and $e_i \| c_i$ implies equality of their suffixes (that start at the $(\kappa + 1)$-st position), namely $c^\star$ and $c_i$. This equality implies the equality of $m_i$ and $m^\star$, since the used commitment is binding by assumption. Thus, $\mathcal{R}$ returns $(\sigma^\star, e^\star \| c^\star)$ as a valid existential forgery against the digital signature in question.
Theorem 5.7. Given $(t, q_s, q_v, q_{sc}) \in \mathbb{N}^4$ and $(\epsilon, \epsilon') \in [0, 1]^2$, the construction depicted above is $(t, \epsilon, q_s, q_v, q_{sc})$-INV-CMA secure if it uses a $(t, \epsilon', q_s)$-SEUF-CMA secure digital signature, an injective, statistically binding, and $(t, \epsilon_h)$-hiding commitment, and a $\big(t + q_s(q_v + q_{sc}),\ \tfrac{1}{2}(\epsilon + \epsilon_h)(1 - \epsilon')^{q_v + q_{sc}}\big)$-IND-CPA secure encryption scheme.
Proof. [Parameter generation] Simulation of the key generation is similar to the key generation in the proof of Theorem 5.5.
[confirmedSign queries] To sign a message $m_i$, $\mathcal{R}$ (the attacker against the encryption scheme) will proceed exactly as a real signer would do, with the exception of maintaining a list $L$ of records that contains the strings used to form the commitments and their corresponding encryptions, along with the random nonces used to produce these encryptions.
[confirm/deny and convert queries] For a verification query on $(e_i, c_i, \sigma_i)$ and $m_i$ (where $\sigma_i$ is a valid digital signature on $c_i$), $\mathcal{R}$ will simulate the confirmation protocol (using the rewinding technique or the randomness used to encrypt the opening value of $c_i$ in $e_i$) if the encryption $e_i$ appears in at least one record of $L$, or simulate the denial protocol otherwise. Selective conversion of a confirmer signature whose first field appears in the list is done by revealing the opening value of the commitment; otherwise such a confirmer signature is converted to $\bot$.
The difference between this simulation and the real execution of the algorithm manifests when a queried signature, say $(e_i, c_i, \sigma_i)$, is valid but $e_i$ was never used to generate confirmer signatures. We distinguish two cases: either the underlying message $m_i$ has been queried previously or not. In the latter case, such a signature would correspond to an existential forgery on the construction, thus to an existential forgery on the underlying digital signature. In the former case, let $(e_j, c_j, \sigma_j)$ be the output signature to $\mathcal{A}$ on the message $m_i$. We have $e_i \| c_i \ne e_j \| c_j$ since $e_i \ne e_j$, and both $e_i$ and $e_j$ are the $n$-bit prefixes of $e_i \| c_i$ and $e_j \| c_j$ resp. We conclude that the adversary would have to compute a digital signature on a string for which he never had obtained a signature. Thus, the query would lead to an existential forgery on the underlying signature scheme. Since the latter is by assumption $(t, \epsilon', q_s)$-SEUF-CMA secure, the probability that the simulation differs from the real execution is at least $(1 - \epsilon')^{q_v + q_{sc}}$.
[Challenge phase] Eventually, the adversary outputs two challenge messages $m_0, m_1$. $\mathcal{R}$ will then produce two different strings $r_0, r_1$ and hands them to his challenger. He gets as response a challenge ciphertext $e_{b'}$ on $r_{b'}$ for some $b' \in \{0, 1\}$. $\mathcal{R}$ will choose two bits $b, b'' \xleftarrow{R} \{0, 1\}$ and produce a commitment $c_b$ on the message $m_b$ using the string $r_{b''}$. Finally, he will produce a digital signature $\sigma$ on $e_{b'} \| c_b$. The challenge confirmer signature is $\mu = (e_{b'}, c_b, \sigma)$. Note that if $b' = b''$, the signature is valid on the message $m_b$; otherwise, it is invalid on both messages $m_0$ and $m_1$. Note also that if the advantage of $\mathcal{A}$ is non-negligibly different from the advantage of an INV-CMA attacker in a real attack, then, according to Lemma 3.5, $\mathcal{A}$ can be used to break the hiding property of $\Omega$.
[Post challenge phase] The adversary will continue issuing his queries to $\mathcal{R}$, who will handle them as previously. Note that from now on and during the verification/conversion queries, the adversary may ask a query $(e_{b'}, c_b, -) \ne \mu$ on $m_b$. The probability that such a query is invalid is at least $(1 - \epsilon')^{q_v + q_{sc}}$ since the digital signature scheme is $(t, \epsilon', q_s)$-SEUF-CMA secure (if the underlying digital signature is not strongly unforgeable, then the adversary may come up with a new digital signature on $e_{b'} \| c_b$, say $\sigma'$, which is different from $\sigma$, and then query $(e_{b'}, c_b, \sigma')$ for verification or conversion; the result of such a query will enable him to answer his challenge).
[Final output] At the end, the adversary outputs a bit $b_a$. Clearly the advantage of the adversary is $\epsilon = \Pr[b = b_a \mid b' = b''] - \tfrac{1}{2}$. $\mathcal{R}$ will output $b''$ in case $b = b_a$ and $1 - b''$ otherwise. Similarly, the advantage of $\mathcal{R}$ is:

$$
\begin{aligned}
\mathrm{Adv}(\mathcal{R}) &= (1 - \epsilon')^{q_v + q_{sc}} \Big[ \Pr[b = b_a,\, b' = b''] + \Pr[b \ne b_a,\, b' \ne b''] - \tfrac{1}{2} \Big] \\
&= (1 - \epsilon')^{q_v + q_{sc}} \Big[ \Pr[b = b_a \mid b' = b''] \Pr[b' = b''] + \Pr[b \ne b_a \mid b' \ne b''] \Pr[b' \ne b''] - \tfrac{1}{2} \Big] \\
&= (1 - \epsilon')^{q_v + q_{sc}} \Big[ \tfrac{1}{2}\big(\epsilon + \tfrac{1}{2}\big) + \tfrac{1}{2}\big(\epsilon_h + \tfrac{1}{2}\big) - \tfrac{1}{2} \Big] \\
&= \tfrac{1}{2}(\epsilon + \epsilon_h)(1 - \epsilon')^{q_v + q_{sc}}
\end{aligned}
$$
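As an added illustration (this is not code from the paper or from any library the paper uses), the toy Python below instantiates the $(e, c, \sigma)$ construction that the proofs of Theorem 5.6 and Theorem 5.7 reason about: a commitment on $m$ under a random string $r$, an encryption of $r$ into a fixed-length $e$, a signature on $e \| c$, the confirm/deny decision, selective conversion, the fixed-length-prefix split that the proof of Theorem 5.6 relies on, and the challenge signature of Theorem 5.7 that is valid on $m_b$ exactly when $b' = b''$. The commitment is a hash, the public-key encryption is replaced by a keyed stream cipher that only the confirmer can invert, and the digital signature by an HMAC; these stand-ins, the byte lengths and every name below are assumptions of this example, not components the paper specifies.

```python
import hashlib
import hmac
import secrets

# Toy parameters (assumptions of this example, not taken from the paper).
R_LEN = 16                  # byte length of the commitment randomness r_i
NONCE_LEN = 16              # nonce prepended to every ciphertext e_i
KAPPA = NONCE_LEN + R_LEN   # every e_i is exactly KAPPA bytes: the fixed-length prefix of e_i || c_i


def commit(m: bytes, r: bytes) -> bytes:
    """Hash commitment c = H(r || m): binding via collision resistance, hiding because r is random."""
    return hashlib.sha256(b"commit|" + r + m).digest()


class ToyConfirmerSigner:
    """Toy instantiation of the (e, c, sigma) confirmer signature discussed on the page.

    Stand-ins (assumptions of this example): the IND-CPA public-key encryption of r is
    replaced by a keyed stream cipher only the confirmer can invert, and the SEUF-CMA
    digital signature by an HMAC only the signer can compute.
    """

    def __init__(self) -> None:
        self.sign_key = secrets.token_bytes(32)   # signer's signing key
        self.dec_key = secrets.token_bytes(32)    # confirmer's decryption key
        self.records = []                         # the list L: (m_i, r_i, e_i) per confirmedSign query

    # Encryption of the opening value r (stream cipher keyed by dec_key, fresh nonce per call).
    def _encrypt(self, r: bytes) -> bytes:
        nonce = secrets.token_bytes(NONCE_LEN)
        pad = hashlib.sha256(b"enc|" + self.dec_key + nonce).digest()[:R_LEN]
        return nonce + bytes(x ^ y for x, y in zip(r, pad))

    def _decrypt(self, e: bytes) -> bytes:
        nonce, body = e[:NONCE_LEN], e[NONCE_LEN:]
        pad = hashlib.sha256(b"enc|" + self.dec_key + nonce).digest()[:R_LEN]
        return bytes(x ^ y for x, y in zip(body, pad))

    # Digital signature on the string e || c.
    def _sign(self, data: bytes) -> bytes:
        return hmac.new(self.sign_key, data, hashlib.sha256).digest()

    def _verify(self, data: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self._sign(data), sig)

    def confirmed_sign(self, m: bytes) -> tuple:
        """confirmedSign: c_i = commit(m_i; r_i), e_i = Enc(r_i), sigma_i = Sign(e_i || c_i)."""
        r = secrets.token_bytes(R_LEN)
        c = commit(m, r)
        e = self._encrypt(r)
        sigma = self._sign(e + c)
        self.records.append((m, r, e))
        return (e, c, sigma)

    def confirm(self, m: bytes, mu: tuple) -> bool:
        """The statement the confirmation/denial protocol proves in zero knowledge:
        sigma signs e || c and the decryption of e opens c to m."""
        e, c, sigma = mu
        if len(e) != KAPPA or not self._verify(e + c, sigma):
            return False
        return commit(m, self._decrypt(e)) == c

    def convert(self, m: bytes, mu: tuple):
        """Selective conversion: reveal the opening value r, or None (the symbol ⊥) if invalid."""
        if not self.confirm(m, mu):
            return None
        return self._decrypt(mu[0])


def split_signed_string(s: bytes) -> tuple:
    """Prefix/suffix decomposition used in the proof of Theorem 5.6: because every e has
    exactly KAPPA bytes, e* || c* == e_i || c_i forces c* == c_i (and then m* == m_i by binding)."""
    return s[:KAPPA], s[KAPPA:]


def invisibility_challenge(signer: ToyConfirmerSigner, m0: bytes, m1: bytes,
                           b: int, b_prime: int, b_double_prime: int) -> tuple:
    """Challenge signature of Theorem 5.7: e encrypts r_{b'}, c commits to m_b under r_{b''},
    sigma signs e || c. It is valid on m_b exactly when b' == b'' and invalid on both otherwise."""
    r = [secrets.token_bytes(R_LEN), secrets.token_bytes(R_LEN)]
    e = signer._encrypt(r[b_prime])
    c = commit([m0, m1][b], r[b_double_prime])
    sigma = signer._sign(e + c)
    return (e, c, sigma)


if __name__ == "__main__":
    s = ToyConfirmerSigner()
    mu = s.confirmed_sign(b"transfer 10")
    print("valid on signed message:", s.confirm(b"transfer 10", mu))
    print("valid on other message:", s.confirm(b"transfer 99", mu))
    for bits in ((0, 0, 0), (0, 0, 1), (1, 1, 1), (1, 0, 1)):
        ch = invisibility_challenge(s, b"m0", b"m1", *bits)
        print("challenge", bits, "valid on m_b:", s.confirm([b"m0", b"m1"][bits[0]], ch))
```

The fixed `KAPPA` length is what makes the parsing argument of Theorem 5.6 work: `split_signed_string` recovers $c$ unambiguously from $e \| c$, so two equal signed strings must carry equal commitments. In `invisibility_challenge`, a mismatch $b' \ne b''$ makes the decrypted string open the commitment to neither message, which is the "invalid on both $m_0$ and $m_1$" case the challenge phase relies on; with a real hiding commitment and IND-CPA encryption, the verifier cannot tell these two cases apart without the confirmer.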
Remark 5.2. Both Theorem 5.5 and Theorem 5.7 can be used with computationally binding commitments. The only issue is to have the formulation of both theorems complicated by further terms, e.g. $\epsilon_b$, if we use a $(t, \epsilon_b)$-binding commitment.