Lattice-based (Partially) Blind Signature without Restart
We present in this paper a blind signature and its partially blind variant based on lattice assumptions. Blind signatures are a cornerstone of privacy-oriented cryptography, and we propose the first lattice-based scheme without restart. Compared to related work, the key idea of our construction is to provide a trapdoor to the signer in order to let him perform some Gaussian pre-sampling during the signature generation process, thereby avoiding having to restart the whole protocol from scratch. We prove the security of our scheme under the ring k-SIS assumption, in the random oracle model. We also explain security issues in the other existing lattice-based blind signature schemes. Finally, we propose a partially blind variant of our scheme, which comes at no supplementary cost, as the number of elements generated and exchanged during the signing protocol is exactly the same.
Constant-size Group Signatures from Lattices
Lattice-based group signature is an active research topic in recent years. Since the pioneering work by Gordon, Katz and Vaikuntanathan (Asiacrypt 2010), ten other schemes have been proposed, providing various improvements in terms of security, efficiency and functionality. However, in all known constructions, one has to fix the number of group users in the setup stage, and as a consequence, the signature sizes are dependent on .
In this work, we introduce the first constant-size group signature from lattices, which means that the size of signatures produced by the scheme is independent of and only depends on the security parameter . More precisely, in our scheme, the sizes of signatures, public key and users' secret keys are all of order . The scheme supports dynamic enrollment of users and is proven secure in the random oracle model under the Ring Short Integer Solution (RSIS) and Ring Learning With Errors (RLWE) assumptions. At the heart of our design is a zero-knowledge argument of knowledge of a valid message-signature pair for the Ducas-Micciancio signature scheme (Crypto 2014), that may be of independent interest.
Lattice-Based Group Signatures: Achieving Full Dynamicity (and Deniability) with Ease
In this work, we provide the first lattice-based group signature that offers full dynamicity (i.e., users have the flexibility in joining and leaving the group), and thus resolve a prominent open problem posed by previous works. Moreover, we achieve this non-trivial feat in a relatively simple manner. Starting with Libert et al.'s fully static construction (Eurocrypt 2016), which is arguably the most efficient lattice-based group signature to date, we introduce simple-but-insightful tweaks that allow us to upgrade it directly into the fully dynamic setting. More startlingly, our scheme even produces slightly shorter signatures than the former, thanks to an adaptation of a technique proposed by Ling et al. (PKC 2013), allowing one to prove inequalities in zero-knowledge. The scheme satisfies the strong security requirements of Bootle et al.'s model (ACNS 2016), under the Short Integer Solution (SIS) and the Learning With Errors (LWE) assumptions. Furthermore, we demonstrate how to equip the obtained group signature scheme with the deniability functionality in a simple way. This attractive functionality, put forward by Ishida et al. (CANS 2016), enables the tracing authority to provide evidence that a given user is not the owner of a signature in question. In the process, we design a zero-knowledge protocol for proving that a given LWE ciphertext does not decrypt to a particular message.
CRPSF and NTRU Signatures over cyclotomic fields
Classical NTRUEncrypt is one of the fastest known lattice-based encryption schemes. Its counterpart, NTRUSign, also has many advantages, such as moderate key sizes, high efficiency and potential of resisting attacks from quantum computers. However, like classical NTRUEncrypt, the security of NTRUSign is also heuristic. Whether we can relate the security of NTRUSign to the worst-case lattice problems like NTRUEncrypt is still an open problem.
Our main contribution is that we propose a detailed construction of Collision Resistance Preimage Sampleable Functions CRPSF over any cyclotomic field based on NTRU. By using GPV's construction, we can give a provably secure NTRU Signature scheme NTRUSign, which is strongly existentially unforgeable under adaptive chosen-message attacks in the quantum random oracle model. The security of CRPSF NTRUSign is reduced to the corresponding ring small integer solution problem Ring-SIS. More precisely, the security of our scheme is based on the worst-case approximate shortest independent vectors problem SIVP over ideal lattices. For any fixed cyclotomic field, we give a probabilistic polynomial time PPT key generation algorithm which shows how to extend the secret key of NTRUEncrypt to the secret key of NTRUSign. This algorithm is important for constructions of many cryptographic primitives based on NTRU, for example, CRPSF, NTRUSign, identity-based encryption and identity-based signature.
We also delve back into the former construction of NTRUEncrypt, give a much tighter reduction from the decision dual-Ring-LWE problem (where the secret is chosen from the codifferent ideal) to the decision primal-Ring-LWE problem (where the secret is chosen from the ring of integers), and give a provably secure NTRUEncrypt over any cyclotomic ring. Some useful results about -ary lattices, regularity and uniformity of distribution of the public keys of NTRUEncrypt are also extended to more general algebraic fields.
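The NTRU relation the abstract above builds on (an NTRUEncrypt secret key as a short vector in the lattice defined by the public key, equivalently a short solution to a Ring-SIS-type relation) can be made concrete with a toy instance. The block below is an added example, not code from the paper: it uses assumed toy parameters (N = 16, Q = 257, ternary secrets with 5 coefficients of each sign), generates an NTRU-style key pair h = g/f mod Q over Z_Q[x]/(x^N + 1), and checks that (f, g) lies in the public lattice L_h = {(u, v) : h*u = v mod Q} with infinity norm 1, while a lattice vector anyone can derive from h alone is long. The key pair is derived from a fixed seed, so the numbers are constructed, not measured.

```python
"""Toy NTRU trapdoor: the public key h = g * f^{-1} mod Q defines the q-ary
lattice L_h = {(u, v) : h*u = v (mod Q)}; the secret (f, g) is an unusually
short vector in it, i.e. a short solution to h*u - v = 0 (mod Q).
Added example with toy parameters; not the paper's construction."""
import random

N = 16    # ring degree, R_Q = Z_Q[x]/(x^N + 1)   (toy value, assumption)
Q = 257   # prime modulus                         (toy value, assumption)
D = 5     # ternary secrets: D coefficients +1, D coefficients -1 (assumption)


def poly_mul(a, b):
    """Multiply in Z[x]/(x^N + 1): negacyclic convolution, coefficients unreduced."""
    res = [0] * N
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            k = i + j
            if k < N:
                res[k] += ai * bj
            else:                      # x^N = -1 wraps with a sign flip
                res[k - N] -= ai * bj
    return res


def mod_q(a):
    return [c % Q for c in a]


def centered(a):
    """Centered representatives in [-Q//2, Q//2]."""
    return [((c + Q // 2) % Q) - Q // 2 for c in a]


def inverse_mod_q(f):
    """Inverse of f in R_Q, or None if f is not invertible.
    Solves M_f * u = e_0 (mod Q), M_f being the matrix of multiplication by f."""
    M = [[0] * N for _ in range(N)]
    for j in range(N):
        xj = [0] * N
        xj[j] = 1
        col = mod_q(poly_mul(f, xj))   # column j holds x^j * f
        for i in range(N):
            M[i][j] = col[i]
    A = [M[i] + [1 if i == 0 else 0] for i in range(N)]   # augment with e_0
    for c in range(N):                                    # Gauss-Jordan mod Q
        piv = next((r for r in range(c, N) if A[r][c]), None)
        if piv is None:
            return None
        A[c], A[piv] = A[piv], A[c]
        inv = pow(A[c][c], -1, Q)
        A[c] = [(v * inv) % Q for v in A[c]]
        for r in range(N):
            if r != c and A[r][c]:
                fac = A[r][c]
                A[r] = [(vr - fac * vc) % Q for vr, vc in zip(A[r], A[c])]
    return [A[i][N] for i in range(N)]


def ternary_poly(rng):
    coeffs = [0] * N
    idx = rng.sample(range(N), 2 * D)
    for i in idx[:D]:
        coeffs[i] = 1
    for i in idx[D:]:
        coeffs[i] = -1
    return coeffs


def keygen(seed=0):
    """NTRU-style key generation: sk = (f, g) short, pk = h = g * f^{-1} mod Q."""
    rng = random.Random(seed)
    while True:                        # resample until f is invertible in R_Q
        f, g = ternary_poly(rng), ternary_poly(rng)
        f_inv = inverse_mod_q(f)
        if f_inv is not None:
            return (f, g), mod_q(poly_mul(g, f_inv))


def in_lattice(h, u, v):
    """Membership in L_h = {(u, v) in Z^{2N} : h*u = v (mod Q)}, i.e. (u, v)
    is a solution of the Ring-SIS-style relation h*u - v = 0 (mod Q)."""
    return mod_q(poly_mul(h, u)) == mod_q(v)


def inf_norm(*polys):
    return max(abs(c) for p in polys for c in p)


def random_lattice_vector(h, seed=0):
    """A lattice vector derivable from h alone: pick u, set v = h*u mod Q.
    Its coefficients spread over [-Q//2, Q//2], so it is long, not a trapdoor."""
    rng = random.Random(seed)
    u = [rng.randrange(-(Q // 2), Q // 2 + 1) for _ in range(N)]
    return u, centered(poly_mul(h, u))


if __name__ == "__main__":
    (f, g), h = keygen(seed=1)
    u, v = random_lattice_vector(h, seed=2)
    print("secret (f, g) in L_h:", in_lattice(h, f, g), "inf-norm:", inf_norm(f, g))
    print("public-only (u, v) in L_h:", in_lattice(h, u, v), "inf-norm:", inf_norm(u, v))
```

The short vector (f, g) is only the NTRUEncrypt part of the trapdoor; a GPV-style signer additionally needs a full short basis of L_h (the key extension the abstract refers to), which this toy does not construct. The parameters here are far too small for any security claim and exist only to make the lattice relation checkable by hand.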
Ring Signature from Bonsai Tree: How to Preserve the Long-Term Anonymity
Signer-anonymity is the central feature of ring signatures, which enable a user to sign messages on behalf of an arbitrary set of users, called the ring, without revealing exactly which member of the ring actually generated the signature. Strong and long-term signer-anonymity is a reassuring guarantee for users who are hesitant to leak a secret, especially if the consequences of identification are dire in certain scenarios such as whistleblowing. The notion of unconditional anonymity, which protects signer-anonymity even against an infinitely powerful adversary, is considered for ring signatures that aim to achieve long-term signer-anonymity. However, the existing lattice-based works that consider the unconditional anonymity notion did not strictly capture the security requirements imposed in practice, which leads to a realistic attack on signer-anonymity.
In this paper, we present a realistic attack on the unconditional anonymity of ring signatures, and formalize the unconditional anonymity model to strictly capture it. We then propose a lattice-based ring signature construction with unconditional anonymity by leveraging the bonsai tree mechanism. Finally, we prove the security in the standard model and demonstrate the unconditional anonymity through both theoretical proof and practical experiments.