RLWE-based Zero-Knowledge Proofs for linear and multiplicative relations

We present efficient Zero-Knowledge Proofs of Knowledge (ZKPoK) for linear and multiplicative relations among secret messages hidden as Ring Learning With Errors (RLWE) samples. Messages are polynomials in \mathbb{Z}_q[x]/\left and our proposed protocols for a ZKPoK are based on the celebrated paper by Stern on identification schemes using coding problems (Crypto\u2793). Our $5$-move protocol achieves a soundness error slightly above $1/2$ and perfect Zero-Knowledge. As an application we present Zero-Knowledge Proofs of Knowledge of relations between committed messages. The resulting commitment scheme is perfectly binding with overwhelming probability over the choice of the public key, and computationally hiding under the RLWE assumption. Compared with previous Stern-based commitment scheme proofs we decrease computational complexity, improve the size of the parameters and reduce the soundness error of each round

Implementation and performance of a RLWE-based commitment scheme and ZKPoK for its linear and multiplicative relations

In this paper we provide the implementation details and performance analysis of the lattice-based post-quantum commitment scheme introduced by Martínez and Morillo in their work titled «RLWE-Based Zero-Knowledge Proofs for Linear and Multiplicative Relations» together with the corresponding Zero-Knowledge Proofs of Knowledge (ZKPoK) of valid openings, linear and multiplicative relations among committed elements. We bridge the gap between the existing theoretical proposals and practical applications, thoroughly revisiting the security proofs of the aforementioned paper to obtain tight conditions that allow us to find the best sets of parameters for actual instantiations of the commitment scheme and its companion ZKPoK. Our implementation is very flexible and its parameters can be adjusted to obtain a trade-off between speed and memory usage, analyzing how suitable for practical use are the underlying lattice-based techniques. Moreover, our implementation further extends the literature of exact Zero-Knowledge proofs, providing ZKPoK of committed elements without any soundness slack

LNCS

We extend a commitment scheme based on the learning with errors over rings (RLWE) problem, and present efficient companion zeroknowledge proofs of knowledge. Our scheme maps elements from the ring (or equivalently, n elements fro

Lattice-based zero-knowledge proofs of knowledge

(English) The main goal of this dissertation is to develop new lattice-based cryptographic schemes. Most of the cryptographic protocols that each and every one of us use on a daily basis are only secure under the assumption that two mathematical problems, namely the discrete logarithm on elliptic curves and the factorization of products of two primes, are computationally hard. That is believed to be true for classical computers, but quantum computers would be able to solve these problems much more efficiently, demolishing the foundations of plenty of cryptographic constructions. This reveals the importance of post-quantum alternatives, cryptographic schemes whose security relies on different problems intractable for both classical and quantum computers. The most promising family of problems widely believed to be hard for quantum computers are lattice-based problems. We increase the supply of lattice-based tools providing new Zero-Knowledge Proofs of Knowledge for the Ring Learning With Errors (RLWE) problem, perhaps the most popular lattice-based problem. Zero-knowledge proofs are protocols between a prover and a verifier where the prover convinces the verifier of the validity of certain statements without revealing any additional relevant information. Our proofs extend the literature of Stern-based proofs, following the techniques presented by Jacques Stern in 1994. His original idea involved a code-based problem, but it has been reiteratedly improved and generalized to be used with lattices. We illustrate our proposal defining a variant of the commitment scheme, a cryptographic primitive that allows us to ensure some message was already determined at some point without revealing it until a future time, defined by Benhamouda et al. in ESORICS 2015, and proving in zero-knowledge the knowledge of a valid opening. Most importantly we also show how to prove that the message committed in one commitment is a linear combination, with some public coefficients, of the committed messages from two other commitments, again without revealing any further information about the messages. Finally, we also present a zero-knowledge proof analogous to the previous one but for multiplicative relations, something much more involved that allows us to prove any arithmetic circuit. We give first an interactive version of these proofs and then show how to construct a non-interactive one. We diligently prove that both the commitment and the companion Zero-Knowledge Proofs of Knowledge are secure under the assumption of the hardness of the underlying lattice problems. Furthermore, we specifically develop such proofs so that the arising conditions can be directly used to compute parameters that satisfy them. This way we provide a general method to instantiate our commitment and proofs with any desired security level. Thanks to this practical approach we have been able to implement all the proposed schemes and benchmark the prototype im-plementation with actually secure parameters, which allows us to obtain meaningful results and compare its performance with the existing alternatives. Moreover, provided that multiplication of polynomials in the quotient ring ℤₚ[]/⟨ⁿ + 1⟩, with prime and a power of two, is the most basic operation when working with ideal lattices we comprehensively study what are the necessary and sufficient conditions needed for applying (a generalized version of) the Fast Fourier Transform (FFT) to obtain an efficient multiplication algorithm in quotient rings as ℤₘ[]/⟨ⁿ − ⟩ (where we consider any positive integer and generalize the quotient), as we think it is of independent interest. We believe such a theoretical analysis is fundamental to be able to determine when a given generalization can also be applied to design an efficient multiplication algorithm when the FFT is not defined for the ring we are considering. That is the case of the rings used for the commitment and proofs described before, where only a partial FFT is available.(Español) El objetivo principal de esta tesis es obtener nuevos esquemas criptográficos basados en retículos. La mayoría de los protocolos criptográficos que usamos a diario son únicamente seguros bajo la hipótesis de que el problema del logaritmo discreto en curvas elípticas y la factorización de productos de dos primos son computacionalmente difíciles. Se cree que esto es cierto para los ordenadores clásicos, pero los ordenadores cuánticos podrían resolver estos problemas de forma mucho más eficiente, acabando con las bases sobre las que se fundamenta una multitud de construcciones criptográficas. Esto evidencia la importancia de las alternativas poscuánticas, cuya seguridad se basa en problemas diferentes que sean inasumibles tanto para los ordenadores clásicos como los cuánticos. Los problemas de retículos son los candidatos más prometedores, puesto que se considera que son problemas difíciles para los ordenadores cuánticos. Presentamos nuevas herramientas basadas en retículos con unas Pruebas de Conocimiento Nulo para el problema Ring Learning With Errors (RLWE), seguramente el problema de retículos más popular. Las pruebas de Conocimiento Nulo son protocolos entre un probador y un verificador en los que el primero convence al segundo de la validez de una proposición, sin revelar ninguna información adicional relevante. Nuestras pruebas se basan en el protocolo de Stern, siguiendo sus técnicas presentadas en 1994. Su idea original involucraba un problema de códigos, pero se ha mejorado y generalizado reiteradamente para poder aplicarse a retículos. Ilustramos nuestra propuesta definiendo una variante del esquema de compromiso, una primitiva criptográfica que nos permite asegurar que un mensaje fue determinado en cierto momento sin revelarlo hasta pasado un tiempo, definido por Benhamouda et al. en ESORICS 2015, y probando que conocemos una apertura válida. Además mostramos cómo probar que el mensaje comprometido es una combinación lineal, con coeficientes públicos, de los mensajes comprometidos en otros dos compromisos. Finalmente también presentamos una prueba de Conocimiento Nulo análoga a la anterior pero para relaciones multiplicativas, algo mucho más laborioso que nos permite realizar circuitos aritméticos. Todo esto sin revelar ninguna información adicional sobre los mensajes. Mostramos tanto una versión interactiva como una no interactiva. Probamos que tanto el compromiso como las pruebas de Conocimiento Nulo que le acompañan son seguras bajo la hipótesis de que el problema de retículos subyacente sea difícil. Además planteamos estas pruebas específicamente con el objetivo de que las condiciones que surjan puedan ser utilizadas directamente para calcular los parámetros que las satisfagan. De esta forma proporcionamos un método genérico para instanciar nuestro compromiso y pruebas con cualquier nivel de seguridad. Gracias a este enfoque práctico hemos podido implementar todos los esquemas propuestos y evaluar el rendimiento con parámetros seguros, lo que nos permite obtener resultados relevantes que poder comparar con las alternativas existentes. Por otra parte, dado que la multiplicación de polinomios en el anillo cociente ℤₚ[]/⟨ⁿ + 1⟩, con primo y una potencia de 2, es la operación más utilizada al trabajar con retículos ideales, estudiamos de forma exhaustiva cuáles son las condiciones suficientes y necesarias para aplicar (una versión generalizada de) la Transformada Rápida de Fourier (FFT, por sus siglas en inglés) para obtener algoritmos de multiplicación eficientes en anillos cociente ℤₘ[]/⟨ⁿ − ⟩, (considerando cualquier positiva y generalizando el cociente), de interés por sí mismo. Creemos que este análisis teórico es fundamental para determinar cuándo puede diseñarse un algoritmo eficiente de multiplicación si la FFT no está definida para el anillo considerado. Es el caso de los anillos que utilizamos en el compromiso y las pruebas descritas anteriormente, donde solo es posible calcular una FFT parcial.DOCTORAT EN MATEMÀTICA APLICADA (Pla 2012

New lattice-based protocols for proving correctness of a shuffle

In an electronic voting procedure, mixing networks are used to ensure anonymity of the casted votes. Each node of the network re-encrypts the input and randomly permutes it in a process named shuffle, and must prove that the process was applied honestly. State-of-the-art classical proofs achieve logarithmic communication complexity on N (the number of votes to be shuffled) but they are based on assumptions which are weak against quantum computers. To maintain security in a post-quantum scenario, new proofs are based on different mathematical assumptions, such as lattice-based problems. Nonetheless, the best lattice-based protocols to ensure verifiable shuffling have linear communication complexity on N. In this thesis we propose the first sub-linear post-quantum proof for the correctness of a shuffe, for which we have mainly used two ideas: arithmetic circuit satisfiability and Benes networks to model a permutation of N elements

Accountable Tracing Signatures from Lattices

Group signatures allow users of a group to sign messages anonymously in the name of the group, while incorporating a tracing mechanism to revoke anonymity and identify the signer of any message. Since its introduction by Chaum and van Heyst (EUROCRYPT 1991), numerous proposals have been put forward, yielding various improvements on security, efficiency and functionality. However, a drawback of traditional group signatures is that the opening authority is given too much power, i.e., he can indiscriminately revoke anonymity and there is no mechanism to keep him accountable. To overcome this problem, Kohlweiss and Miers (PoPET 2015) introduced the notion of accountable tracing signatures (ATS) - an enhanced group signature variant in which the opening authority is kept accountable for his actions. Kohlweiss and Miers demonstrated a generic construction of ATS and put forward a concrete instantiation based on number-theoretic assumptions. To the best of our knowledge, no other ATS scheme has been known, and the problem of instantiating ATS under post-quantum assumptions, e.g., lattices, remains open to date. In this work, we provide the first lattice-based accountable tracing signature scheme. The scheme satisfies the security requirements suggested by Kohlweiss and Miers, assuming the hardness of the Ring Short Integer Solution (RSIS) and the Ring Learning With Errors (RLWE) problems. At the heart of our construction are a lattice-based key-oblivious encryption scheme and a zero-knowledge argument system allowing to prove that a given ciphertext is a valid RLWE encryption under some hidden yet certified key. These technical building blocks may be of independent interest, e.g., they can be useful for the design of other lattice-based privacy-preserving protocols.Comment: CT-RSA 201

Improved Lattice-Based Mix-Nets for Electronic Voting

Mix-networks were first proposed by Chaum in the late 1970s -- early 1980s as a general tool for building anonymous communication systems. Classical mix-net implementations rely on standard public key primitives (e.g. ElGamal encryption) that will become vulnerable when a sufficiently powerful quantum computer will be built. Thus, there is a need to develop quantum-resistant mix-nets. This paper focuses on the application case of electronic voting where the number of votes to be mixed may reach hundreds of thousands or even millions. We propose an improved architecture for lattice-based post-quantum mix-nets featuring more efficient zero-knowledge proofs while maintaining established security assumptions. Our current implementation scales up to 100000 votes, still leaving a lot of room for future optimisation

Private and Secure Post-Quantum Verifiable Random Function with NIZK Proof and Ring-LWE Encryption in Blockchain

We present a secure and private blockchain-based Verifiable Random Function (VRF) scheme addressing some limitations of classical VRF constructions. Given the imminent quantum computing adversarial scenario, conventional cryptographic methods face vulnerabilities. To enhance our VRF's secure randomness, we adopt post-quantum Ring-LWE encryption for synthesizing pseudo-random sequences. Considering computational costs and resultant on-chain gas costs, we suggest a bifurcated architecture for VRF design, optimizing interactions between on-chain and off-chain. Our approach employs a secure ring signature supported by NIZK proof and a delegated key generation method, inspired by the Chaum-Pedersen equality proof and the Fiat-Shamir Heuristic. Our VRF scheme integrates multi-party computation (MPC) with blockchain-based decentralized identifiers (DID), ensuring both security and randomness. We elucidate the security and privacy aspects of our VRF scheme, analyzing temporal and spatial complexities. We also approximate the entropy of the VRF scheme and detail its implementation in a Solidity contract. Also, we delineate a method for validating the VRF's proof, matching for the contexts requiring both randomness and verification. Conclusively, using the NIST SP800-22 of the statistical randomness test suite, our results exhibit a 98.86% pass rate over 11 test cases, with an average p-value of 0.5459 from 176 total tests.Comment: 21 pages, 5 figures, In the 2023 Proceedings of International Conference on Cryptography and Blockchai

Round-optimal Verifiable Oblivious Pseudorandom Functions from Ideal Lattices

timestamp: Fri, 07 May 2021 15:40:46 +0200 biburl: https://dblp.org/rec/conf/pkc/AlbrechtDDS21.bib bibsource: dblp computer science bibliography, https://dblp.orgstatus: publishe