38 research outputs found
Group Signatures without NIZK: From Lattices in the Standard Model
In a group signature scheme, users can anonymously sign messages on behalf of the group they belong to, yet it is possible to trace the signer when needed. Since the first proposal of lattice-based group signatures in the random oracle model by Gordon, Katz, and Vaikuntanathan (ASIACRYPT 2010), the realization of them in the standard model from lattices has attracted much research interest, however, it has remained unsolved. In this paper, we make progress on this problem by giving the first such construction. Our schemes satisfy CCA-selfless anonymity and full traceability, which are the standard security requirements for group signatures proposed by
Bellare, Micciancio, and Warinschi (EUROCRYPT 2003) with a slight relaxation in the anonymity requirement suggested by Camenisch and Groth (SCN 2004). We emphasize that even with this relaxed anonymity requirement, all previous group signature constructions rely on random oracles or NIZKs, where currently NIZKs are not known to be implied from lattice-based assumptions. We propose two constructions that provide tradeoffs regarding the security assumption and efficiency:
- Our first construction is proven secure assuming the standard LWE and the SIS assumption. The sizes of the public parameters and the signatures grow linearly in the number of users in the system.
- Our second construction is proven secure assuming the standard LWE and the subexponential hardness of the SIS problem. The sizes of the public parameters and the signatures are independent of the number of users in the system.
Technically, we obtain the above schemes by combining a secret key encryption scheme with additional properties and a special type of attribute-based signature (ABS) scheme, thus bypassing the utilization of NIZKs. More specifically, we introduce the notion of \emph{indexed} ABS, which is a relaxation of standard ABS. The above two schemes are obtained by instantiating the indexed ABS with different constructions. One is a direct construction we propose and the other is based on previous work
On Structure-Preserving Cryptography and Lattices
The Groth-Sahai proof system is a highly efficient pairing-based proof system for a specific class of group-based languages. Cryptographic primitives that are compatible with these languages (such that we can express, e.g., that a ciphertext contains a valid signature for a given message) are called structure-preserving . The combination of structure-preserving primitives with Groth-Sahai proofs allows to prove complex statements that involve encryptions and signatures, and has proved useful in a variety of applications. However, so far, the concept of structure-preserving cryptography has been confined to the pairing setting.
In this work, we propose the first framework for structure-preserving cryptography in the lattice setting. Concretely, we
- define structure-preserving sets as an abstraction of (typically noisy) lattice-based languages,
- formalize a notion of generalized structure-preserving encryption and signature schemes capturing a number of existing lattice-based encryption and signature schemes),
- construct a compatible zero-knowledge argument system that allows to argue about lattice-based structure-preserving primitives,
- offer a lattice-based construction of verifiably encrypted signatures in our framework. Along the way, we also discover a new and efficient strongly secure lattice-based signature scheme. This scheme combines RĂĽckert\u27s lattice-based signature scheme with the lattice delegation strategy of Agrawal et al., which yields more compact and efficient signatures.
We hope that our framework provides a first step towards a modular and versatile treatment of cryptographic primitives in the lattice setting
Malleable Commitments from Group Actions and Zero-Knowledge Proofs for Circuits based on Isogenies
Zero-knowledge proofs for NP statements are an essential tool
for building various cryptographic primitives and have been extensively
studied in recent years. In a seminal result from Goldreich, Micali and
Wigderson (JACM\u2791), zero-knowledge proofs for NP statements can be built
from any one-way function, but this construction leads very inefficient
proofs. To yield practical constructions, one often uses the additional
structure provided by homomorphic commitments.
In this paper, we introduce a relaxed notion of homomorphic commitments,
called malleable commitments, which requires less structure to
be instantiated. We provide a malleable commitment construction from
the ElGamal-type isogeny-based group action (Eurocrypt’22). We show how malleable commitments with a group structure in the malleability can be used to build zero-knowledge proofs for NP statements, improving on the naive construction from one-way functions. We consider three representations: arithmetic circuits, rank-1 constraint systems and branching programs.
This work gives the first attempt at constructing a post-quantum generic proof system from isogeny assumptions (the group action DDH problem).
Though the resulting proof systems are linear in the circuit size, they possess interesting features such as non-interactivity, statistical zero-knowledge, and online-extractability
Towards Tightly Secure Short Signature and IBE
Constructing short signatures with tight security from standard assumptions is a long-standing open problem. We present an adaptively secure, short (and stateless) signature scheme, featuring a constant security loss relative to a conservative hardness assumption, Short Integer Solution (SIS), and the security of a concretely instantiated pseudorandom function (PRF).
This gives a class of tightly secure short lattice signature schemes whose security is based on SIS and the underlying assumption of the instantiated PRF.
Our signature construction further extends to give a class of tightly and adaptively secure ``compact Identity-Based Encryption (IBE) schemes, reducible with constant security loss
from Regev\u27s vanilla Learning With Errors (LWE) hardness assumption and the security of a concretely instantiated PRF. Our approach is a novel combination of a number of techniques, including Katz and Wang signature, Agrawal et al.\ lattice-based secure IBE, and Boneh et al.\ key-homomorphic encryption.
Our results, at the first time, eliminate the dependency between the number of adversary\u27s queries and the security of short signature/IBE schemes
in the context of lattice-based cryptography. They also indicate that tightly secure PRFs (with constant security loss) would imply tightly, adaptively secure short signature and IBE schemes (with constant security loss)
Universally Composable Verifiable Random Oracles
Random Oracles werden häufig in der Kryptographie eingesetzt um sehr effiziente Instanziierungen mächtiger kryptographischer Primitive zu konstruieren. Jedoch ist diese Praxis im Allgemeinen nicht zulässig wie verschiedene Nicht-Instanziierungs-Ergebnisse für Random Oracles mittels lokal berechenbarer Familien von Funktionen durch Halevi et al. (JACM ’04) zeigt.
Die Random Oracle Modell kann sicher eingesetzt werden, indem Random Oracles nicht mit einer lokal berechenbaren Hashfunktion, sondern stattdessen mit einem interaktiven Protokoll instanziiert werden. In der realen Welt könnte solch ein interaktives Protokoll beispielsweise aus einem vertrauenswürdigen Server, welcher über das Internet erreichbar ist, bestehen. Dieser Server würde sodann eine der bekannten Techniken wie lazy sampling oder das Auswerten einer Pseudo-Zufälligen Funktion verwenden, um die Funktionalität eines Random Oracle bereitzustellen.
Ein klarer Nachteil dieses Ansatzes ist die große Menge an Interaktion, die bei jeder Berechnung, die eine Auswertung des Random Oracle beinhaltet, nötig ist. Wir wollen diese Interaktion auf ein Minimum reduzieren. Um obiges Unmöglichkeitsresultat zu umgehen, muss die Auswertung des Random Oracle auf einer frischen Eingabe Interaktion der auswertenden Partei mit einer anderen Partei beinhalten. Dies ist jedoch nicht der einzige Verwendungszweck von Random Oracles, der häufig in kryptographischen Protokollen auftritt. Bei einem weiteren solchen Zweck wertet zunächst eine Partei A das Orakel auf einer Eingabe aus und erhält einen Hashwert. Im Anschluss sendet A Eingabe und Ausgabe (im Kontext eines Protokolls) an eine zweite Partei B und möchte B davon überzeugen, dass das Random Oracle korrekt ausgewertet wurde. Eine einfache Möglichkeit dies zu prüfen besteht darin, dass B selbst eine Auswertung des Random Oracle auf der erhaltenen Eingabe tätigt und die beiden Ausgaben vergleicht. In unserem Kontext benötigt dies jedoch erneut Interaktion.
Der Wunsch diesen zweiten Verwendungszweck nicht-interaktiv zu machen führt uns zum Begriff eines Verifiable Random Oracle (VRO) als Erweiterung eines Random Oracle. Abstrakt besteht ein VRO aus zwei Orakeln. Das erste Orakel verhält sich wie ein Random Oracle dessen Ausgabe um einen Korrektheitsbeweis erweitert wurde. Mit Hilfe dieses Beweises kann das zweite Orakel dazu verwendet werden öffentlich die korrekte Auswertung des Random Oracle zu verifizieren. Obwohl diese Orakel-basierte Formulierung nicht notwendigerweise nicht-interaktive Verifikation besitzt, so erlaubt jedoch die Einführung expliziter Korrektheitsbeweise dies.
In dieser Masterarbeit formalisieren wir zunächst den Begriff eines VRO im Universal Composability Framework von Canetti (FOCS ’01). Danach wenden wir VROs auf zwei kryptographische Anwendungen an, die in ihrer ursprünglichen Formulierung das Random Oracle Modell verwenden, und zeigen, das deren Sicherheitseigenschaften erhalten bleiben. Um zu zeigen, dass unsere Definition realisierbar ist, konstruieren wir mehrere Protokolle, die die ideale VRO Funktionalität realisieren. Diese reichen von Protokollen für eine einzelne vertrauenswürdige Partei bis hin zu verteilten Protokollen, die eine gewisse Menge an böswilliger Korruption erlauben. Wir vergleichen weiterhin VROs mit ähnlichen existierenden Primitiven
Cryptography based on the Hardness of Decoding
This thesis provides progress in the fields of for lattice and coding based cryptography. The first contribution consists of constructions of IND-CCA2 secure public key cryptosystems from both the McEliece and the low noise learning parity with noise assumption. The second contribution is a novel instantiation of the lattice-based learning with errors problem which uses uniform errors
RLWE-based Zero-Knowledge Proofs for linear and multiplicative relations
We present efficient Zero-Knowledge Proofs of Knowledge (ZKPoK) for linear and multiplicative relations among secret messages hidden as Ring Learning With Errors (RLWE) samples. Messages are polynomials in \mathbb{Z}_q[x]/\left and our proposed protocols for a ZKPoK are based on the celebrated paper by Stern on identification schemes using coding problems (Crypto\u2793). Our -move protocol achieves a soundness error slightly above and perfect Zero-Knowledge.
As an application we present Zero-Knowledge Proofs of Knowledge of relations between committed messages. The resulting commitment scheme is perfectly binding with overwhelming probability over the choice of the public key, and computationally hiding under the RLWE assumption. Compared with previous Stern-based commitment scheme proofs we decrease computational complexity, improve the size of the parameters and reduce the soundness error of each round
(Inner-Product) Functional Encryption with Updatable Ciphertexts
We propose a novel variant of functional encryption which supports ciphertext updates, dubbed ciphertext-updatable functional encryption (CUFE). Such a feature further broadens the practical applicability of the functional-encryption paradigm and allows for fine-grained access control even after a ciphertext is generated. Updating ciphertexts is carried out via so-called update tokens which a dedicated party can use to convert ciphertexts. However, allowing update tokens requires some care for the security definition. Our contribution is three-fold:
a) We define our new primitive with a security notion in the indistinguishability setting. Within CUFE, functional decryption keys and ciphertexts are labeled with tags such that only if the tags of the decryption key and the ciphertext match, then decryption succeeds. Furthermore, we allow ciphertexts to switch their tags to any other tag via update tokens. Such tokens are generated by the holder of the main secret key and can only be used in the desired direction.
b) We present a generic construction of CUFE for any functionality as well as predicates different from equality testing on tags which relies on the existence of indistinguishability obfuscation (iO).
c) We present a practical construction of CUFE for the inner-product functionality from standard assumptions (i.e., LWE) in the random-oracle model. On the technical level, we build on the recent functional-encryption schemes with fine-grained access control and linear operations on encrypted data (Abdalla et al., AC\u2720) and introduce an additional ciphertext-updatability feature. Proving security for such a construction turned out to be non-trivial, particularly when revealing keys for the updated challenge ciphertext is allowed. Overall, such construction enriches the set of known inner-product functional-encryption schemes with the additional updatability feature of ciphertexts