Provably Secure Group Signature Schemes from Code-Based Assumptions
We solve an open question in code-based cryptography by introducing two
provably secure group signature schemes from code-based assumptions. Our basic
scheme satisfies the CPA-anonymity and traceability requirements in the random
oracle model, assuming the hardness of the McEliece problem, the Learning
Parity with Noise problem, and a variant of the Syndrome Decoding problem. The
construction produces smaller key and signature sizes than the previous group
signature schemes from lattices, as long as the cardinality of the underlying
group does not exceed , which is roughly comparable to the current
population of the Netherlands. We develop the basic scheme further to achieve
the strongest anonymity notion, i.e., CCA-anonymity, with a small overhead in
terms of efficiency. The feasibility of two proposed schemes is supported by
implementation results. Our two schemes are the first in their respective
classes of provably secure group signature schemes. Additionally, the
techniques introduced in this work might be of independent interest. These are
a new verifiable encryption protocol for the randomized McEliece encryption and
a novel approach to design formal security reductions from the Syndrome
Decoding problem.
Comment: Full extension of an earlier work published in the proceedings of ASIACRYPT 201
Two-round -out-of- and Multi-Signatures and Trapdoor Commitment from Lattices
Although they have been studied for a long time, distributed signature protocols have garnered renewed interest in recent years in view of novel applications to topics like blockchains. Most recent works have focused on distributed versions of ECDSA or variants of Schnorr signatures, however, and in particular, little attention has been given to constructions based on post-quantum secure assumptions like the hardness of lattice problems. A few lattice-based threshold signature and multi-signature schemes have been proposed in the literature, but they either rely on hash-and-sign lattice signatures (which tend to be comparatively inefficient), use expensive generic transformations, or only come with incomplete security proofs.
In this paper, we construct several lattice-based distributed signing protocols with low round complexity following the Fiat–Shamir with Aborts (FSwA) paradigm of Lyubashevsky (Asiacrypt 2009). Our protocols can be seen as distributed variants of the fast Dilithium-G signature scheme and the full security proof can be made assuming the hardness of module SIS and LWE problems. A key step to achieving security (unexplained in some earlier papers) is to prevent the leakage that can occur when parties abort after their first message—which can inevitably happen in the Fiat–Shamir with Aborts setting. We manage to do so using homomorphic commitments.
Exploiting the similarities between FSwA and Schnorr-style signatures, our approach makes the most of observations from recent advancements in the discrete log setting, such as Drijvers et al.’s seminal work on two-round multi-signatures (S&P 2019). In particular, we observe that the use of commitment not only resolves the subtle issue with aborts, but also makes it possible to realize secure two-round -out-of- distributed signing and multi-signature in the plain public key model, by equipping the commitment with a trapdoor feature. The construction of suitable trapdoor commitment from lattices is a side contribution of this paper.
Improved Lattice-Based Threshold Ring Signature Scheme
ISBN: 978-3-642-38615-2
We present in this paper an improvement of the lattice-based threshold ring signature proposed by Cayrel, Lindner, Rückert and Silva (CLRS) [LATINCRYPT '10]. We generalize the same identification scheme CLRS to obtain a more efficient threshold ring signature. The security of our scheme relies on standard lattice problems. The improvement is a significant reduction of the size of the signature. Our result is a t-out-of-N threshold ring signature which can be seen as t different ring signatures instead of N for the other schemes. We describe the ring signature induced by the particular case of only one signer. To the best of our knowledge, the resulting signatures are the most efficient lattice-based ring signature and threshold signature.