8 research outputs found

    On Lattice-Based Signatures with Advanced Functionalities

    Lattice-based cryptography is a prominent class of cryptographic systems that has emerged as one of the main candidates for replacing classical cryptography in future computing environments such as quantum computing. Quantum computers exploit quantum mechanical phenomena to solve the computational problems on which the security of currently deployed (classical) cryptographic systems is based. While these computational problems, e.g., factoring integers and computing discrete logarithms, are intractable for conventional (classical) computers, it is meanwhile known that they can be easily solved on quantum computers (Shor 1997). However, lattice problems, such as finding short non-zero vectors, seem to withstand attacks having quantum computing power. In the last two decades we have seen many cryptographic proposals based on lattices. In particular, lattice-based (ordinary) signature schemes were greatly improved with respect to efficiency and security. This can be observed from the post-quantum standardization process initiated by the National Institute of Standards and Technology (NIST). In fact, from the five signature schemes that have been submitted to this process, there are currently three finalists, two of which are lattice-based submissions. In this thesis, we are specifically interested in lattice-based signature schemes with advanced functionalities. In addition to the basic security goals that an ordinary signature scheme ensures, i.e., authentication, non-repudiation, and integrity, these schemes provide features that are application-specific. While ordinary signature schemes based on lattices are ready to be deployed in practice, this statement cannot be made for lattice-based signature schemes with advanced functionalities. This thesis makes significant progress towards deploying the aforementioned type of signature schemes in practice.
With focus on privacy-preserving applications in future computing environments, we particularly facilitate the protection of secret keys in cryptocurrencies such as Bitcoin and Ethereum. We provide practical solutions to anonymous e-cash, anonymous credentials, smart contracts, and e-voting. We believe that our techniques can be used to develop further advanced signature schemes to be deployed in other application scenarios. For instance, in information security systems that perform critical operations such as distributed key generation, anonymization of medical data, and updating reliable routing information.

    BlindOR: An Efficient Lattice-Based Blind Signature Scheme from OR-Proofs

    An OR-proof is a protocol that enables a user to prove the possession of a witness for one of two (or more) statements, without revealing which one. Abe and Okamoto (CRYPTO 2000) used this technique to build a partially blind signature scheme whose security is based on the hardness of the discrete logarithm problem. Inspired by their approach, we present BlindOR, an efficient blind signature scheme from OR-proofs based on lattices over modules. Using OR-proofs allows us to reduce the security of our scheme from the MLWE and MSIS problems, yielding a much more efficient solution compared to previous works.

    A Framework to Select Parameters for Lattice-Based Cryptography

    Selecting parameters in lattice-based cryptography is a challenging task, which is essentially accomplished using one of two approaches. The first (very common) approach is to derive parameters assuming that the desired security level is equivalent to the bit hardness of the underlying lattice problem, ignoring the gap implied by available security reductions. The second (barely used) approach takes the gap and thus the security reduction into account. In this work, we investigate how efficient lattice-based schemes are if they respect existing security reductions. Thus, we present a framework to systematically select parameters for any lattice-based scheme using either approach. We apply our methodology to the schemes by Lindner and Peikert (LP), by El Bansarkhani (LARA), and by Ducas et al. (BLISS). We analyze their security reductions and derive a gap of 2, 3, and 63 bits, respectively. We show how parameters impact the schemes' efficiency when involving these gaps.

    Deterministic Wallets in a Quantum World

    Most blockchain solutions are susceptible to quantum attackers as they rely on cryptography that is known to be insecure in the presence of quantum adversaries. In this work we advance the study of quantum-resistant blockchain solutions by giving a quantum-resistant construction of a deterministic wallet scheme. Deterministic wallets are frequently used in practice in order to secure funds by storing the sensitive secret key on a so-called cold wallet that is not connected to the Internet. Recently, Das et al. (CCS'19) developed a formal model for the security analysis of deterministic wallets and proposed a generic construction from certain types of signature schemes that exhibit key rerandomization properties. We revisit the proposed classical construction in the presence of quantum adversaries and obtain the following results. First, we give a generic wallet construction with security in the quantum random oracle model (QROM) if the underlying signature scheme is secure in the QROM. We next design the first post-quantum secure signature scheme with rerandomizable public keys by giving a construction from generic lattice-based Fiat-Shamir signature schemes. Finally, we show and evaluate the practicality by analyzing an instantiation of the wallet scheme based on the signature scheme qTESLA (ACNS'20).

    Post-Quantum Commitment Schemes

