1,127 research outputs found

    Relaxed Lattice-Based Signatures with Short Zero-Knowledge Proofs

    Get PDF
    Higher-level cryptographic privacy-enhancing protocols such as anonymous credentials, voting schemes, and e-cash are often constructed by suitably combining signature, commitment, and encryption schemes with zero-knowledge proofs. Indeed, a large body of protocols have been constructed in that manner from Camenisch-Lysyanskaya signatures and generalized Schnorr proofs. In this paper, we build a similar framework for lattice-based schemes by presenting a signature and commitment scheme that are compatible with Lyubashevsky\u27s Fiat-Shamir proofs with abort, currently the most efficient zero-knowledge proofs for lattices. To cope with the relaxed soundness guarantees of these proofs, we define corresponding notions of relaxed signature and commitment schemes. We demonstrate the flexibility and efficiency of our new primitives by constructing a new lattice-based anonymous attribute token scheme and providing concrete parameters to securely instantiate this scheme

    Floppy-Sized Group Signatures from Lattices

    Get PDF
    We present the first lattice-based group signature scheme whose cryptographic artifacts are of size small enough to be usable in practice: for a group of 2252^{25} users, signatures take 910 kB and public keys are 501 kB. Our scheme builds upon two recently proposed lattice-based primitives: the verifiable encryption scheme by Lyubashevsky and Neven (Eurocrypt 2017) and the signature scheme by Boschini, Camenisch, and Neven (IACR ePrint 2017). To achieve such short signatures and keys, we first re-define verifiable encryption to allow one to encrypt a function of the witness, rather than the full witness. This definition enables more efficient realizations of verifiable encryption and is of independent interest. Second, to minimize the size of the signatures and public keys of our group signature scheme, we revisit the proof of knowledge of a signature and the proofs in the verifiable encryption scheme provided in the respective papers

    Sharp: Short Relaxed Range Proofs

    Get PDF

    Real-time evolution for weak interaction quenches in quantum systems

    Full text link
    Motivated by recent experiments in ultracold atomic gases that explore the nonequilibrium dynamics of interacting quantum many-body systems, we investigate the nonequilibrium properties of a Fermi liquid. We apply an interaction quench within the Fermi liquid phase of the Hubbard model by switching on a weak interaction suddenly; then we follow the real-time dynamics of the momentum distribution by a systematic expansion in the interaction strength based on the flow equation method. In this paper we derive our main results, namely the applicability of a quasiparticle description, the observation of a new type of quasi-stationary nonequilibrium Fermi liquid like state and a delayed thermalization of the momentum distribution. We explain the physical origin of the delayed relaxation as a consequence of phase space constraints in fermionic many-body systems. This brings about a close relation to similar behavior of one-particle systems which we illustrate by a discussion of the squeezed oscillator; we generalize to an extended class of systems with discrete energy spectra and point out the generic character of the nonequilibrium Fermi liquid results for weak interaction quenches. Both for discrete and continuous systems we observe that particular nonequilibrium expectation values are twice as large as their corresponding analogues in equilibrium. For a Fermi liquid, this shows up as an increased correlation-induced reduction of the quasiparticle residue in nonequilibrium.Comment: 54 page

    Lattice-based Zero-Knowledge Proofs: New Techniques for Shorter and Faster Constructions and Applications

    Get PDF
    We devise new techniques for design and analysis of efficient lattice-based zero-knowledge proofs (ZKP). First, we introduce one-shot proof techniques for non-linear polynomial relations of degree k2k\ge 2, where the protocol achieves a negligible soundness error in a single execution, and thus performs significantly better in both computation and communication compared to prior protocols requiring multiple repetitions. Such proofs with degree k2k\ge 2 have been crucial ingredients for important privacy-preserving protocols in the discrete logarithm setting, such as Bulletproofs (IEEE S&P \u2718) and arithmetic circuit arguments (EUROCRYPT \u2716). In contrast, one-shot proofs in lattice-based cryptography have previously only been shown for the linear case (k=1k=1) and a very specific quadratic case (k=2k=2), which are obtained as a special case of our technique. Moreover, we introduce two speedup techniques for lattice-based ZKPs: a CRT-packing technique supporting ``inter-slot\u27\u27 operations, and ``NTT-friendly\u27\u27 tools that permit the use of fully-splitting rings. The former technique comes at almost no cost to the proof length, and the latter one barely increases it, which can be compensated for by tweaking the rejection sampling parameters while still having faster computation overall. To illustrate the utility of our techniques, we show how to use them to build efficient relaxed proofs for important relations, namely proof of commitment to bits, one-out-of-many proof, range proof and set membership proof. Despite their relaxed nature, we further show how our proof systems can be used as building blocks for advanced cryptographic tools such as ring signatures. Our ring signature achieves a dramatic improvement in length over all the existing proposals from lattices at the same security level. The computational evaluation also shows that our construction is highly likely to outperform all the relevant works in running times. Being efficient in both aspects, our ring signature is particularly suitable for both small-scale and large-scale applications such as cryptocurrencies and e-voting systems. No trusted setup is required for any of our proposals

    Return Codes from Lattice Assumptions

    Get PDF
    We present an approach for creating return codes for latticebased electronic voting. For a voting system with four control components and two rounds of communication our scheme results in a total of 2.3MB of communication per voter, taking less than 1 s of computation. Together with the shuffle and the decryption protocols by Aranha et al. [1,2], the return codes presented can be used to build a post-quantum secure cryptographic voting scheme

    Efficient Hybrid Exact/Relaxed Lattice Proofs and Applications to Rounding and VRFs

    Get PDF
    In this work, we study hybrid exact/relaxed zero-knowledge proofs from lattices, where the proved relation is exact in one part and relaxed in the other. Such proofs arise in important real-life applications such as those requiring verifiable PRF evaluation and have so far not received significant attention as a standalone problem. We first introduce a general framework, LANES+, for realizing such hybrid proofs efficiently by combining standard relaxed proofs of knowledge RPoK and the LANES framework (due to a series of works in Crypto\u2720, Asiacrypt\u2720, ACM CCS\u2720). The latter framework is a powerful lattice-based proof system that can prove exact linear and multiplicative relations. The advantage of LANES+ is its ability to realize hybrid proofs more efficiently by exploiting RPoK for the high-dimensional part of the secret witness while leaving a low-dimensional secret witness part for the exact proof that is proven at a significantly lower cost via LANES. Thanks to the flexibility of LANES+, other exact proof systems can also be supported. We apply our LANES+ framework to construct substantially shorter proofs of rounding, which is a central tool for verifiable deterministic lattice-based cryptography. Based on our rounding proof, we then design an efficient long-term verifiable random function (VRF), named LaV. LaV leads to the shortest VRF outputs among the proposals of standard (i.e., long-term and stateless) VRFs based on quantum-safe assumptions. Of independent interest, we also present generalized results for challenge difference invertibility, a fundamental soundness security requirement for many proof systems

    Subtractive Sets over Cyclotomic Rings:Limits of Schnorr-like Arguments over Lattices

    Get PDF
    We study when (dual) Vandermonde systems of the form VT()z=sw{V}_T^{{(\intercal)}} \cdot \vec{z} = s\cdot \vec{w} admit a solution z\vec{z} over a ring R\mathcal{R}, where VT{V}_T is the Vandermonde matrix defined by a set TT and where the slack ss is a measure of the quality of solutions. To this end, we propose the notion of (s,t)(s,t)-subtractive sets over a ring R\mathcal{R}, with the property that if SS is (s,t)(s,t)-subtractive then the above (dual) Vandermonde systems defined by any tt-subset TST \subseteq S are solvable over R\mathcal{R}. The challenge is then to find large sets SS while minimising (the norm of) ss when given a ring R\mathcal{R}. By constructing families of (s,t)(s,t)-subtractive sets SS of size n=n = poly over cyclotomic rings R=Z[ζp]\mathcal{R} = \mathbb{Z}[\zeta_{p^\ell}] for prime pp, we construct Schnorr-like lattice-based proofs of knowledge for the SIS relation Ax=symodq{A} \cdot \vec{x} = s \cdot \vec{y} \bmod q with O(1/n)O(1/n) knowledge error, and s=1s = 1 in case p=p = poly. Our technique slots naturally into the lattice Bulletproof framework from Crypto\u2720, producing lattice-based succinct arguments for NP with better parameters. We then give matching impossibility results constraining nn relative to ss, which suggest that our Bulletproof-compatible protocols are optimal unless fundamentally new techniques are discovered. Noting that the knowledge error of lattice Bulletproofs is Ω(logk/n)\Omega(\log k/n) for witnesses in Rk\mathcal{R}^k and subtractive set size nn, our result represents a barrier to practically efficient lattice-based succinct arguments in the Bulletproof framework. Beyond these main results, the concept of (s,t)(s,t)-subtractive sets bridges group-based threshold cryptography to lattice settings, which we demonstrate by relating it to distributed pseudorandom functions

    One-Shot Verifiable Encryption from Lattices

    Get PDF
    Verifiable encryption allows one to prove properties about encrypted data and is an important building block in the design of cryptographic protocols, e.g., group signatures, key escrow, fair exchange protocols, etc. Existing lattice-based verifiable encryption schemes, and even just proofs of knowledge of the encrypted data, require parallel composition of proofs to reduce the soundness error, resulting in proof sizes that are only truly practical when amortized over a large number of ciphertexts. In this paper, we present a new construction of a verifiable encryption scheme, based on the hardness of the Ring-LWE problem in the random-oracle model, for short solutions to linear equations over polynomial rings. Our scheme is one-shot , in the sense that a single instance of the proof already has negligible soundness error, yielding compact proofs even for individual ciphertexts. Whereas verifiable encryption usually guarantees that decryption can recover a witness for the original language, we relax this requirement to decrypt a witness of a related but extended language. This relaxation is sufficient for many applications and we illustrate this with example usages of our scheme in key escrow and verifiably encrypted signatures. One of the interesting aspects of our construction is that the decryption algorithm is probabilistic and uses the proof as input (rather than using only the ciphertext). The decryption time for honestly-generated ciphertexts only depends on the security parameter, while the expected running time for decrypting an adversarially-generated ciphertext is directly related to the number of random-oracle queries of the adversary who created it. This property suffices in most practical scenarios, especially in situations where the ciphertext proof is part of an interactive protocol, where the decryptor is substantially more powerful than the adversary, or where adversaries can be otherwise discouraged to submit malformed ciphertexts
    corecore