Lattice-Based Group Signatures and Zero-Knowledge Proofs of Automorphism Stability
We present a group signature scheme, based on the hardness of lattice problems, whose outputs are more than an order of magnitude smaller than the currently most efficient schemes in the literature. Since lattice-based schemes are also usually non-trivial to efficiently implement, we additionally provide the first experimental implementation of lattice-based group signatures demonstrating that our construction is indeed practical -- all operations take less than half a second on a standard laptop.
A key component of our construction is a new zero-knowledge proof system for proving that a committed value belongs to a particular set of small size. The sets for which our proofs are applicable are exactly those that contain elements that remain stable under Galois automorphisms of the underlying cyclotomic number field of our lattice-based protocol. We believe that these proofs will find applications in other settings as well.
The motivation of the new zero-knowledge proof in our construction is to allow the efficient use of the selectively-secure signature scheme (i.e. a signature scheme in which the adversary declares the forgery message before seeing the public key) of Agrawal et al. (Eurocrypt 2010) in constructions of lattice-based group signatures and other privacy protocols. For selectively-secure schemes to be meaningfully converted to standard signature schemes, it is crucial that the size of the message space is not too large. Using our zero-knowledge proofs, we can strategically pick small sets for which we can provide efficient zero-knowledge proofs of membership
A Generic Construction of an Anonymous Reputation System and Instantiations from Lattices
With an anonymous reputation system one can realize the process of rating sellers anonymously in an online shop. While raters can stay anonymous, sellers still have the guarantee that they can only be reviewed by raters who bought their product. We present the first generic construction of a reputation system from basic building blocks, namely digital signatures, encryption schemes, non-interactive zero-knowledge proofs, and linking indistinguishable tags. We then show the security of the reputation system in a strong security model. Among others, we instantiate the generic construction with building blocks based on lattice problems, leading to the first module lattice-based reputation system
Practical product proofs for lattice commitments
We construct a practical lattice-based zero-knowledge argument for proving multiplicative relations between committed values. The underlying commitment scheme that we use is the currently most efficient one of Baum et al. (SCN 2018), and the size of our multiplicative proof (9 KB) is only slightly larger than the 7 KB required for just proving knowledge of the committed values. We additionally expand on the work of Lyubashevsky and Seiler (Eurocrypt 2018) by showing that the above-mentioned result can also apply when working over rings Zq[X]/(Xd+1) where Xd+1 splits into low-degree factors, which is a desirable property for many applications (e.g. range proofs, multiplications over
Practical Exact Proofs from Lattices: New Techniques to Exploit Fully-Splitting Rings
We propose a very fast lattice-based zero-knowledge proof system for exactly proving knowledge of a ternary solution to a linear equation over , which improves upon the protocol by Bootle, Lyubashevsky and Seiler (CRYPTO 2019) by producing proofs that are shorter by a factor of .
At the core lies a technique that utilizes the module-homomorphic BDLOP commitment scheme (SCN 2018) over the fully splitting cyclotomic ring to prove scalar products with the NTT vector of a secret polynomial
Accountable Tracing Signatures from Lattices
Group signatures allow users of a group to sign messages anonymously in the name of the group, while incorporating a tracing mechanism to revoke anonymity and identify the signer of any message. Since its introduction by Chaum and van Heyst (EUROCRYPT 1991), numerous proposals have been put forward, yielding various improvements on security, efficiency and functionality. However, a drawback of traditional group signatures is that the opening authority is given too much power, i.e., he can indiscriminately revoke anonymity and there is no mechanism to keep him accountable. To overcome this problem, Kohlweiss and Miers (PoPET 2015) introduced the notion of accountable tracing signatures (ATS) - an enhanced group signature variant in which the opening authority is kept accountable for his actions. Kohlweiss and Miers demonstrated a generic construction of ATS and put forward a concrete instantiation based on number-theoretic assumptions. To the best of our knowledge, no other ATS scheme has been known, and the problem of instantiating ATS under post-quantum assumptions, e.g., lattices, remains open to date.
In this work, we provide the first lattice-based accountable tracing signature scheme. The scheme satisfies the security requirements suggested by Kohlweiss and Miers, assuming the hardness of the Ring Short Integer Solution (RSIS) and the Ring Learning With Errors (RLWE) problems. At the heart of our construction are a lattice-based key-oblivious encryption scheme and a zero-knowledge argument system allowing to prove that a given ciphertext is a valid RLWE encryption under some hidden yet certified key. These technical building blocks may be of independent interest, e.g., they can be useful for the design of other lattice-based privacy-preserving protocols.
Comment: CT-RSA 201
Lattice-Based Zero-Knowledge Proofs and Applications: Shorter, Simpler, and More General
We present a much-improved practical protocol, based on the hardness of Module-SIS and Module-LWE problems, for proving knowledge of a short vector satisfying . The currently most-efficient technique for constructing such a proof works by showing that the norm of is small. It creates a commitment to a polynomial vector whose CRT coefficients are the coefficients of and then shows that (1) and (2) in the case that we want to prove that the norm is at most , the polynomial product equals . While these schemes are already quite good for practical applications, the requirement of using the CRT embedding and only being naturally adapted to proving the -norm somewhat hinders the efficiency of this approach.
In this work, we show that there is a more direct and more efficient way to prove that the coefficients of have a small norm which does not require an equivocation with the norm, nor any conversion to the CRT representation. We observe that the inner product between two vectors and can be made to appear as a coefficient of a product (or sum of products) between polynomials which are functions of and . Thus, by using a polynomial product proof system and hiding all but one coefficient, we are able to prove knowledge of the inner product of two vectors modulo . Using a cheap, approximate range proof, one can then lift the proof to be over instead of . Our protocols for proving short norms work over all (interesting) polynomial rings, but are particularly efficient for rings like in which the function relating the inner product of vectors and polynomial products happens to be a "nice" automorphism.
The new proof system can be plugged into constructions of various lattice-based privacy primitives in a black-box manner. As examples, we instantiate a verifiable encryption scheme and a group signature scheme which are more than twice as compact as the previously best solutions
Provably Secure Group Signature Schemes from Code-Based Assumptions
We solve an open question in code-based cryptography by introducing two provably secure group signature schemes from code-based assumptions. Our basic scheme satisfies the CPA-anonymity and traceability requirements in the random oracle model, assuming the hardness of the McEliece problem, the Learning Parity with Noise problem, and a variant of the Syndrome Decoding problem. The construction produces smaller key and signature sizes than the previous group signature schemes from lattices, as long as the cardinality of the underlying group does not exceed , which is roughly comparable to the current population of the Netherlands. We develop the basic scheme further to achieve the strongest anonymity notion, i.e., CCA-anonymity, with a small overhead in terms of efficiency. The feasibility of the two proposed schemes is supported by implementation results. Our two schemes are the first in their respective classes of provably secure group signature schemes. Additionally, the techniques introduced in this work might be of independent interest. These are a new verifiable encryption protocol for the randomized McEliece encryption and a novel approach to design formal security reductions from the Syndrome Decoding problem.
Comment: Full extension of an earlier work published in the proceedings of ASIACRYPT 201