195 research outputs found
Noninteractive Zero Knowledge for NP from (Plain) Learning With Errors
We finally close the long-standing problem of constructing a noninteractive zero-knowledge (NIZK) proof system for any NP language with security based on the plain Learning With Errors (LWE) problem, and thereby on worst-case lattice problems. Our proof system instantiates the framework recently developed by Canetti et al. [EUROCRYPT '18], Holmgren and Lombardi [FOCS '18], and Canetti et al. [STOC '19] for soundly applying the Fiat--Shamir transform using a hash function family that is correlation intractable for a suitable class of relations. Previously, such hash families were based either on ``exotic'' assumptions (e.g., indistinguishability obfuscation or optimal hardness of certain LWE variants) or, more recently, on the existence of circularly secure fully homomorphic encryption (FHE). However, none of these assumptions are known to be implied by plain LWE or worst-case hardness.
Our main technical contribution is a hash family that is correlation intractable for arbitrary size- circuits, for any polynomially bounded , based on plain LWE (with small polynomial approximation factors). The construction combines two novel ingredients: a correlation-intractable hash family for log-depth circuits based on LWE (or even the potentially harder Short Integer Solution problem), and a ``bootstrapping'' transform that uses (leveled) FHE to promote correlation intractability for the FHE decryption circuit to arbitrary (bounded) circuits. Our construction can be instantiated in two possible ``modes,'' yielding a NIZK that is either computationally sound and statistically zero knowledge in the common random string model, or vice-versa in the common reference string model.
Noninteractive Zero Knowledge Proof System for NP from Ring LWE
A hash function family is called correlation intractable if for all sparse relations, it is hard to find, given a random function from the family, an input-output pair that satisfies the relation. Correlation intractability (CI) captures a strong Random Oracle-like property of hash functions. In particular, when security holds for all sparse relations, CI suffices for guaranteeing the soundness of the Fiat-Shamir transformation from any constant-round, statistically sound interactive proof to a non-interactive argument.
In this paper, based on the method proposed by Chris Peikert and Sina Shiehian, we construct a hash family that is computationally correlation intractable for any polynomially bounded size circuits based on Learning with Errors Over Rings (RLWE) with polynomial approximation factors and the Short Integer Solution problem over modules (MSIS), and a hash family that is somewhere statistically intractable for any polynomially bounded size circuits based on RLWE. Similarly, our construction combines two novel ingredients: a correlation intractable hash family for log-depth circuits based on RLWE, and a bootstrapping transform that uses leveled fully homomorphic encryption (FHE) to promote correlation intractability for the FHE decryption circuit to arbitrary circuits. Our construction can also be instantiated in two possible modes, yielding a NIZK that is either computationally sound and statistically zero knowledge in the common random string model, or vice-versa in the common reference string model. The proposed scheme is much more efficient
2-Message Publicly Verifiable WI from (Subexponential) LWE
We construct a 2-message publicly verifiable witness indistinguishable argument system for NP assuming that the Learning with Errors (LWE) problem is subexponentially hard. Moreover, the protocol is ``delayed input''; that is, the verifier message in this protocol does not depend on the instance. This means that a single verifier message can be reused many times.
We construct two variants of this argument system: one variant is adaptively sound, while the other is public-coin (but only non-adaptively sound).
We obtain our result via a generic transformation showing that the correlation intractable hash families constructed by Canetti et al. (STOC 2019) and Peikert and Shiehian (CRYPTO 2019) suffice to construct such 2-message WI arguments when combined with an appropriately chosen ``trapdoor Sigma-protocol.'' Our construction can be seen as an adaptation of the Dwork-Naor ``reverse randomization'' paradigm (FOCS '00) for constructing ZAPs to the setting of computational soundness rather than statistical soundness. Our adaptation of the Dwork-Naor transformation crucially relies on complexity leveraging to prove that soundness is preserved.
Fiat-Shamir: From Practice to Theory, Part II (NIZK and Correlation Intractability from Circular-Secure FHE)
We construct non-interactive zero-knowledge (NIZK) arguments for from any circular-secure fully homomorphic encryption (FHE) scheme. In particular, we obtain such NIZKs under a circular-secure variant of the learning with errors (LWE) problem while only assuming a standard (poly/negligible) level of security. Our construction can be modified to obtain NIZKs which are either: (1) statistically zero-knowledge arguments in the common random string model or (2) statistically sound proofs in the common reference string model.
We obtain our result by constructing a new correlation-intractable hash family [Canetti, Goldreich, and Halevi, JACM '04] for a large class of relations, which suffices to apply the Fiat-Shamir heuristic to specific 3-message proof systems that we call ``trapdoor -protocols.'' In particular, assuming circular secure FHE, our hash function ensures that for any function of some a-priori bounded circuit size, it is hard to find an input such that . This continues a recent line of works aiming to instantiate the Fiat-Shamir methodology via correlation intractability under progressively weaker and better-understood assumptions. Another consequence of our hash family construction is that, assuming circular-secure FHE, the classic quadratic residuosity protocol of [Goldwasser, Micali, and Rackoff, SICOMP '89] is not zero knowledge when repeated in parallel.
We also show that, under the plain LWE assumption (without circularity), our hash family is a universal correlation intractable family for general relations, in the following sense: If there exists any hash family of some description size that is correlation-intractable for general (even inefficient) relations, then our specific construction (with a comparable size) is correlation-intractable for general (efficiently verifiable) relations.
Compact Ring Signatures from Learning With Errors
Ring signatures allow a user to sign a message on behalf of a ``ring'' of signers, while hiding the true identity of the signer. As the degree of anonymity guaranteed by a ring signature is directly proportional to the size of the ring, an important goal in cryptography is to study constructions that minimize the size of the signature as a function of the number of ring members.
In this work, we present the first compact ring signature scheme (i.e., where the size of the signature grows logarithmically with the size of the ring) from the (plain) learning with errors (LWE) problem. The construction is in the standard model and it does not rely on a common random string or on the random oracle heuristic. In contrast with the prior work of Backes et al. [EUROCRYPT 2019], our scheme does not rely on bilinear pairings, which allows us to show that the scheme is post-quantum secure assuming the quantum hardness of LWE.
At the heart of our scheme is a new construction of compact and statistically witness indistinguishable ZAP arguments for NP coNP, that we show to be sound based on the plain LWE assumption. Prior to our work, statistical ZAPs (for all of NP) were known to exist only assuming sub-exponential LWE. We believe that this scheme might find further applications in the future.
Multi-theorem (Malicious) Designated-Verifier NIZK for QMA
We present the first non-interactive zero-knowledge argument system for QMA with multi-theorem security. Our protocol setup constitutes an additional improvement and is constructed in the malicious designated-verifier (MDV-NIZK) model (Quach, Rothblum, and Wichs, EUROCRYPT 2019), where the setup consists of a trusted part that includes only a common uniformly random string and an untrusted part of classical public and secret verification keys; the zero knowledge property still holds even if these keys are sampled maliciously by the verifier. The security of our protocol is established under the Learning with Errors assumption. Our main technical contribution is showing a general transformation that compiles any sigma protocol into a reusable MDV-NIZK protocol, using NIZK for NP. Our technique is classical but works for quantum protocols and allows the construction of a reusable MDV-NIZK for QMA.
Classical Cryptographic Protocols in a Quantum World
Cryptographic protocols, such as protocols for secure function evaluation (SFE), have played a crucial role in the development of modern cryptography. The extensive theory of these protocols, however, deals almost exclusively with classical attackers. If we accept that quantum information processing is the most realistic model of physically feasible computation, then we must ask: what classical protocols remain secure against quantum attackers?
Our main contribution is showing the existence of classical two-party protocols for the secure evaluation of any polynomial-time function under reasonable computational assumptions (for example, it suffices that the learning with errors problem be hard for quantum polynomial time). Our result shows that the basic two-party feasibility picture from classical cryptography remains unchanged in a quantum world.
Comment: Full version of an old paper in Crypto'11. Invited to IJQI. This is authors' copy with different formatting
Efficient NIZKs from LWE via Polynomial Reconstruction and ``MPC in the Head''
All existing works building non-interactive zero-knowledge (NIZK) arguments for from the Learning With Errors (LWE) assumption have studied instantiating the Fiat-Shamir paradigm on a parallel repetition of an underlying honest-verifier zero knowledge (HVZK) protocol, via an appropriately built correlation-intractable (CI) hash function from LWE. This technique has inherent efficiency losses that arise from parallel repetition.
In this work, we show how to make use of the more efficient ``MPC in the Head'' technique for building an underlying honest-verifier protocol upon which to apply the Fiat-Shamir paradigm. To make this possible, we provide a new and more efficient construction of CI hash functions from LWE, using efficient algorithms for polynomial reconstruction as the main technical tool.
We stress that our work provides a new and more efficient ``base construction'' for building LWE-based NIZK arguments for . Our protocol can be the building block around which other efficiency-focused bootstrapping techniques can be applied, such as the bootstrapping technique of Gentry et al. (Journal of Cryptology 2015).
Order-Revealing Encryption and the Hardness of Private Learning
An order-revealing encryption scheme gives a public procedure by which two ciphertexts can be compared to reveal the ordering of their underlying plaintexts. We show how to use order-revealing encryption to separate computationally efficient PAC learning from efficient -differentially private PAC learning. That is, we construct a concept class that is efficiently PAC learnable, but for which every efficient learner fails to be differentially private. This answers a question of Kasiviswanathan et al. (FOCS '08, SIAM J. Comput. '11).
To prove our result, we give a generic transformation from an order-revealing encryption scheme into one with strongly correct comparison, which enables the consistent comparison of ciphertexts that are not obtained as the valid encryption of any message. We believe this construction may be of independent interest.
Comment: 28 pages