2,378 research outputs found
Signature Schemes with Efficient Protocols and Dynamic Group Signatures from Lattice Assumptions
International audienceA recent line of works – initiated by Gordon, Katz and Vaikuntanathan (Asiacrypt 2010) – gave lattice-based realizations of privacy-preserving protocols allowing users to authenticate while remaining hidden in a crowd. Despite five years of efforts, known constructions remain limited to static populations of users, which cannot be dynamically updated. For example, none of the existing lattice-based group signatures seems easily extendable to the more realistic setting of dynamic groups. This work provides new tools enabling the design of anonymous authen-tication systems whereby new users can register and obtain credentials at any time. Our first contribution is a signature scheme with efficient protocols, which allows users to obtain a signature on a committed value and subsequently prove knowledge of a signature on a committed message. This construction, which builds on the lattice-based signature of Böhl et al. (Eurocrypt'13), is well-suited to the design of anonymous credentials and dynamic group signatures. As a second technical contribution, we provide a simple, round-optimal joining mechanism for introducing new members in a group. This mechanism consists of zero-knowledge arguments allowing registered group members to prove knowledge of a secret short vector of which the corresponding public syndrome was certified by the group manager. This method provides similar advantages to those of structure-preserving signatures in the realm of bilinear groups. Namely, it allows group members to generate their public key on their own without having to prove knowledge of the underlying secret key. This results in a two-round join protocol supporting concurrent enrollments, which can be used in other settings such as group encryption
Efficient Post-Quantum SNARKs for RSIS and RLWE and their Applications to Privacy
In this paper we give efficient statistical zero-knowledge proofs (SNARKs) for Module/Ring LWE and Module/Ring SIS relations, providing the remaining ingredient for building efficient cryptographic protocols from lattice-based hardness assumptions.
We achieve our results by exploiting the linear-algebraic nature of the statements supported by the Aurora proof system (Ben-Sasson et al.), which allows us to easily and efficiently encode the linear-algebraic statements that arise in lattice schemes and to side-step the issue of relaxed extractors , meaning extractors that only recover a witness for a larger relation than the one for which completeness is guaranteed.
We apply our approach to the example use case of partially dynamic group signatures and obtain a lattice-based group signature that protects users against corrupted issuers, and that produces signatures smaller than the state of the art, with signature sizes of less than 300 KB for the comparably secure version of the scheme.
To obtain our argument size estimates for proof of knowledge of RLWE secret, we implemented the NIZK using libiop
Lattice-Based Group Signatures: Achieving Full Dynamicity (and Deniability) with Ease
In this work, we provide the first lattice-based group signature that offers
full dynamicity (i.e., users have the flexibility in joining and leaving the
group), and thus, resolve a prominent open problem posed by previous works.
Moreover, we achieve this non-trivial feat in a relatively simple manner.
Starting with Libert et al.'s fully static construction (Eurocrypt 2016) -
which is arguably the most efficient lattice-based group signature to date, we
introduce simple-but-insightful tweaks that allow to upgrade it directly into
the fully dynamic setting. More startlingly, our scheme even produces slightly
shorter signatures than the former, thanks to an adaptation of a technique
proposed by Ling et al. (PKC 2013), allowing to prove inequalities in
zero-knowledge. Our design approach consists of upgrading Libert et al.'s
static construction (EUROCRYPT 2016) - which is arguably the most efficient
lattice-based group signature to date - into the fully dynamic setting.
Somewhat surprisingly, our scheme produces slightly shorter signatures than the
former, thanks to a new technique for proving inequality in zero-knowledge
without relying on any inequality check. The scheme satisfies the strong
security requirements of Bootle et al.'s model (ACNS 2016), under the Short
Integer Solution (SIS) and the Learning With Errors (LWE) assumptions.
Furthermore, we demonstrate how to equip the obtained group signature scheme
with the deniability functionality in a simple way. This attractive
functionality, put forward by Ishida et al. (CANS 2016), enables the tracing
authority to provide an evidence that a given user is not the owner of a
signature in question. In the process, we design a zero-knowledge protocol for
proving that a given LWE ciphertext does not decrypt to a particular message
A Code-Based Group Signature Scheme
International audienceIn this work we propose the first code-based group signature. As it will be described below, its security is based on a relaxation of the model of Bel-lare, Shi and Zhang [3] (BSZ model) verifying the properties of anonymity, traceability and non-frameability. Furthermore, it has numerous advantages over all existing post-quantum constructions and even competes (in terms of properties) with pairing based constructions: it allows to dynamically add new members and signature and public key sizes are constant with respect to the number of group members. Last but not least, our scheme can be extended into a traceable signature according to the definition of Kiayias, Tsiounis and Yung [19] (KTY model) and handles membership revocation. The main idea of our scheme consists in building a collision of two syndromes associated to two different matrices: a random one which enables to build a random syndrome from a chosen small weight vector; and a trapdoor matrix for the syndrome decoding problem, which permits to find a small weight preimage of the previous random syndrome. These two small weight vectors will constitute the group member's secret signing key whose knowledge will be proved thanks to a variation of Stern's authentication protocol. For applications , we consider the case of the code-based CFS signature scheme [11] of Courtois, Finiasz and Sendrier
Provably Secure Group Signature Schemes from Code-Based Assumptions
We solve an open question in code-based cryptography by introducing two
provably secure group signature schemes from code-based assumptions. Our basic
scheme satisfies the CPA-anonymity and traceability requirements in the random
oracle model, assuming the hardness of the McEliece problem, the Learning
Parity with Noise problem, and a variant of the Syndrome Decoding problem. The
construction produces smaller key and signature sizes than the previous group
signature schemes from lattices, as long as the cardinality of the underlying
group does not exceed , which is roughly comparable to the current
population of the Netherlands. We develop the basic scheme further to achieve
the strongest anonymity notion, i.e., CCA-anonymity, with a small overhead in
terms of efficiency. The feasibility of two proposed schemes is supported by
implementation results. Our two schemes are the first in their respective
classes of provably secure groups signature schemes. Additionally, the
techniques introduced in this work might be of independent interest. These are
a new verifiable encryption protocol for the randomized McEliece encryption and
a novel approach to design formal security reductions from the Syndrome
Decoding problem.Comment: Full extension of an earlier work published in the proceedings of
ASIACRYPT 201
Group Signatures and Accountable Ring Signatures from Isogeny-based Assumptions
Group signatures are an important cryptographic primitive providing both
anonymity and accountability to signatures. Accountable ring signatures combine
features from both ring signatures and group signatures, and can be directly
transformed to group signatures. While there exists extensive work on
constructing group signatures from various post-quantum assumptions, there has
not been any using isogeny-based assumptions. In this work, we propose the
first construction of isogeny-based group signatures, which is a direct result
of our isogeny-based accountable ring signature. This is also the first
construction of accountable ring signatures based on post-quantum assumptions.
Our schemes are based on the decisional CSIDH assumption (D-CSIDH) and are
proven secure under the random oracle model (ROM)
Accountable Tracing Signatures from Lattices
Group signatures allow users of a group to sign messages anonymously in the
name of the group, while incorporating a tracing mechanism to revoke anonymity
and identify the signer of any message. Since its introduction by Chaum and van
Heyst (EUROCRYPT 1991), numerous proposals have been put forward, yielding
various improvements on security, efficiency and functionality. However, a
drawback of traditional group signatures is that the opening authority is given
too much power, i.e., he can indiscriminately revoke anonymity and there is no
mechanism to keep him accountable. To overcome this problem, Kohlweiss and
Miers (PoPET 2015) introduced the notion of accountable tracing signatures
(ATS) - an enhanced group signature variant in which the opening authority is
kept accountable for his actions. Kohlweiss and Miers demonstrated a generic
construction of ATS and put forward a concrete instantiation based on
number-theoretic assumptions. To the best of our knowledge, no other ATS scheme
has been known, and the problem of instantiating ATS under post-quantum
assumptions, e.g., lattices, remains open to date.
In this work, we provide the first lattice-based accountable tracing
signature scheme. The scheme satisfies the security requirements suggested by
Kohlweiss and Miers, assuming the hardness of the Ring Short Integer Solution
(RSIS) and the Ring Learning With Errors (RLWE) problems. At the heart of our
construction are a lattice-based key-oblivious encryption scheme and a
zero-knowledge argument system allowing to prove that a given ciphertext is a
valid RLWE encryption under some hidden yet certified key. These technical
building blocks may be of independent interest, e.g., they can be useful for
the design of other lattice-based privacy-preserving protocols.Comment: CT-RSA 201
- …