Transcript secure signatures based on modular lattices
We introduce a class of lattice-based digital signature schemes based on modular properties of the coordinates of lattice vectors. We also suggest a method of making such schemes transcript secure via a rejection sampling technique of Lyubashevsky (2009). A particular instantiation of this approach is given, using NTRU lattices. Although the scheme is not supported by a formal security reduction, we present arguments for its security and derive concrete parameters (first version) based on the performance of state-of-the-art lattice reduction and enumeration techniques. In the revision, we re-evaluate the security of the first version of the parameter sets under the hybrid approach combining the lattice reduction attack with the meet-in-the-middle attack. We present new sets of parameters that are robust against this attack, as well as all previously known attacks.
Lattice-Based Group Signatures: Achieving Full Dynamicity (and Deniability) with Ease
In this work, we provide the first lattice-based group signature that offers full dynamicity (i.e., users have the flexibility of joining and leaving the group), and thus resolve a prominent open problem posed by previous works. Moreover, we achieve this non-trivial feat in a relatively simple manner. Starting with Libert et al.'s fully static construction (EUROCRYPT 2016), which is arguably the most efficient lattice-based group signature to date, we introduce simple-but-insightful tweaks that allow us to upgrade it directly into the fully dynamic setting. Somewhat surprisingly, our scheme even produces slightly shorter signatures than the former, thanks to an adaptation of a technique proposed by Ling et al. (PKC 2013) that allows one to prove inequalities in zero-knowledge without relying on any inequality check. The scheme satisfies the strong security requirements of Bootle et al.'s model (ACNS 2016), under the Short Integer Solution (SIS) and the Learning With Errors (LWE) assumptions. Furthermore, we demonstrate how to equip the obtained group signature scheme with the deniability functionality in a simple way. This attractive functionality, put forward by Ishida et al. (CANS 2016), enables the tracing authority to provide evidence that a given user is not the owner of a signature in question. In the process, we design a zero-knowledge protocol for proving that a given LWE ciphertext does not decrypt to a particular message.
Key-and-Signature Compact Multi-Signatures for Blockchain: A Compiler with Realizations
A multi-signature is a protocol in which a set of signers jointly sign a message so that the final signature is significantly shorter than the concatenation of the individual signatures. Recently, it has found applications in blockchain, where several users want to jointly authorize a payment through a multi-signature. However, in this setting there is no centralized authority, and the protocol could suffer from a rogue key attack, where the attacker can generate his own keys arbitrarily. Further, to minimize the storage on the blockchain, it is desirable that the aggregated public key and the aggregated signature are both as short as possible. In this paper, we find a compiler that converts a kind of identification (ID) scheme (which we call a linear ID) into a multi-signature such that both the aggregated public key and the aggregated signature have a size independent of the number of signers. Our compiler is provably secure. The advantage of our result is that we reduce a multi-party problem to a weakly secure two-party problem. We realize our compiler with two ID schemes. The first is the Schnorr ID. The second is a new lattice-based ID scheme, which via our compiler gives the first regular lattice-based multi-signature scheme that is key-and-signature compact without a restart during the signing process.
LNCS
We extend a commitment scheme based on the learning with errors over rings (RLWE) problem, and present efficient companion zero-knowledge proofs of knowledge. Our scheme maps elements from the ring (or equivalently, n elements fro
Deniable Key Establishment Resistance against eKCI Attacks
In an extended Key Compromise Impersonation (eKCI) attack against authenticated key establishment (AKE) protocols, the adversary impersonates one party while holding both the long-term key and the ephemeral key of the other peer party. Such an attack can be mounted against a variety of AKE protocols, including 3-pass HMQV. An intuitive countermeasure for strengthening HMQV, based on BLS (Boneh–Lynn–Shacham) signatures, was proposed in the literature. The original HMQV protocol fulfills the deniability property: a party can deny its participation in the protocol execution, as the peer party can create a fake protocol transcript indistinguishable from the real one. Unfortunately, the modified BLS-based version of HMQV is not deniable. In this paper we propose a method for converting HMQV (and similar AKE protocols) into a protocol resistant to eKCI attacks without losing the original deniability property. For that purpose, instead of the undeniable BLS, we use a modification of the Schnorr authentication protocol, which is deniable and immune to ephemeral key leakages.
A signature scheme from Learning with Truncation
In this paper we revisit the modular lattice signature scheme and its efficient instantiation known as pqNTRUSign. First, we show that a modular lattice signature scheme can be based on a standard lattice problem. As the fundamental problem that needs to be solved by the signer or a potential forger is recovering a lattice vector with a restricted norm, given the least significant bits, we refer to this general class of problems as the "learning with truncation" problem.

We show that by replacing the uniform sampling in pqNTRUSign with a bimodal Gaussian sampling, we can further reduce the size of a signature. As an example, we show that the size of the signature can be as low as 4608 bits for a security level of 128 bits.

The most significant new contribution, enabled by this Gaussian sampling version of pqNTRUSign, is that we can now perform batch verification, which allows the verifier to check approximately 2000 signatures in a single verification process.
Modular lattice signatures, revisited
In this paper we revisit the modular lattice signature scheme and its efficient instantiation known as pqNTRUSign. First, we show that a modular lattice signature scheme can be based on a standard lattice problem. The fundamental problem that needs to be solved by the signer or a potential forger is recovering a lattice vector with a restricted norm, given the least significant bits. We show that this problem is equivalent to the short integer solution (SIS) problem over the corresponding lattice.

In addition, we show that by replacing the uniform sampling in pqNTRUSign with a bimodal Gaussian sampling, we can further reduce the size of a signature.

An important new contribution, enabled by this Gaussian sampling version of pqNTRUSign, is that we can now perform batch verification of messages signed by the same public key, which allows the verifier to check approximately 24 signatures in a single verification process.
Zero-Knowledge Arguments for Matrix-Vector Relations and Lattice-Based Group Encryption
Group encryption (GE) is the natural encryption analogue of group signatures in that it allows verifiably encrypting messages for some anonymous member of a group while providing evidence that the receiver is a properly certified group member. Should the need arise, an opening authority is capable of identifying the receiver of any ciphertext. As introduced by Kiayias, Tsiounis and Yung (Asiacrypt'07), GE is motivated by applications in the context of oblivious retriever storage systems, anonymous third parties and hierarchical group signatures. This paper provides the first realization of group encryption under lattice assumptions. Our construction is proved secure in the standard model (assuming interaction in the proving phase) under the Learning-With-Errors (LWE) and Short-Integer-Solution (SIS) assumptions. As a crucial component of our system, we describe a new zero-knowledge argument system allowing one to demonstrate that a given ciphertext is a valid encryption under some hidden but certified public key, which requires proving quadratic statements about LWE relations. Specifically, our protocol allows arguing knowledge of witnesses consisting of $X \in \mathbb{Z}_q^{m \times n}$, $s \in \mathbb{Z}_q^{n}$ and a small-norm $e \in \mathbb{Z}^{m}$ which underlie a public vector $b = X \cdot s + e \in \mathbb{Z}_q^{m}$, while simultaneously proving that the matrix $X \in \mathbb{Z}_q^{m \times n}$ has been correctly certified. We believe our proof system to be useful in other applications involving zero-knowledge proofs in the lattice setting.