Abstract
We present a novel technique within the MPC-in-the-Head framework, aiming to design efficient zero-knowledge protocols and digital signature schemes. The technique allows for the simultaneous use of additive and multiplicative sharings of secret information, enabling efficient proofs of linear and multiplicative relations. The applications of our technique are manifold. It is first applied to construct zero-knowledge arguments of knowledge for Double Discrete Logarithms. The resulting protocol achieves improved communication complexity without compromising efficiency. We also propose a new zero-knowledge argument of knowledge for the Permuted Kernel Problem. Finally, we propose a short (candidate) post-quantum digital signature scheme constructed from a new one-way function based on simple polynomials known as fewnomials. This scheme offers simplicity and ease of implementation.
References
Au, M.H., Susilo, W., Mu, Y.: Proof-of-knowledge of representation of committed value and its applications. In: Steinfeld, R., Hawkes, P. (eds.) ACISP 2010. LNCS, vol. 6168, pp. 352–369. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14081-5_22
Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: 2018 IEEE Symposium on Security and Privacy, pp. 315–334. IEEE Computer Society Press, San Francisco, CA, USA (2018)
Bi, J., Cheng, Q., Rojas, J.M.: Sub-linear root detection, and new hardness results, for sparse polynomials over finite fields. In: Kauers, M. (ed.) International Symposium on Symbolic and Algebraic Computation, ISSAC’13, Boston, MA, USA, 26–29 June 2013, pp. 61–68. ACM (2013)
Beullens, W.: Sigma protocols for MQ, PKP and SIS, and fishy signature schemes. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 183–211. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_7
Beullens, W., Faugère, J.-C., Koussa, E., Macario-Rat, G., Patarin, J., Perret, L.: PKP-based signature scheme. In: Hao, F., Ruj, S., Sen Gupta, S. (eds.) INDOCRYPT 2019. LNCS, vol. 11898, pp. 3–22. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-35423-7_1
Bidoux, L., Gaborit, P.: Compact post-quantum signatures from proofs of knowledge leveraging structure for the PKP, SD and RSD problems. CoRR, abs/2204.02915 (2022)
Blazy, O., Towa, P., Vergnaud, D.: Public-key generation with verifiable randomness. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12491, pp. 97–127. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_4
Chase, M., et al.: The Picnic Signature Scheme - Design Document. Version 2.2 - 14 April 2020 (2020)
Canard, S., Gouget, A.: Divisible E-cash systems can be truly anonymous. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 482–497. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72540-4_28
Chase, M., Ganesh, C., Mohassel, P.: Efficient zero-knowledge proof of algebraic and non-algebraic statements with applications to privacy preserving credentials. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 499–530. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_18
Camenisch, J., Stadler, M.: Efficient group signature schemes for large groups. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 410–424. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052252
Dao, Q., Grubbs, P.: Spartan and bulletproofs are simulation-extractable (for free!). In: Hazay, C., Stam, M. (eds.) EUROCRYPT 2023. LNCS, vol. 14005, pp. 531–562. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-30617-4_18
Dinur, I., et al.: MPC-friendly symmetric cryptography from alternating moduli: candidates, protocols, and applications. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12828, pp. 517–547. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84259-8_18
Dobraunig, C., Kales, D., Rechberger, C., Schofnegger, M., Zaverucha, G.: Shorter signatures based on tailor-made minimalist symmetric-key crypto. In: Yin, H., Stavrou, A., Cremers, C., Shi, E. (eds.) ACM CCS 2022, pp. 843–857. ACM Press, Los Angeles, CA, USA (2022)
Feneuil, T.: Building MPCitH-based signatures from MQ, MinRank, rank SD and PKP. Cryptology ePrint Archive, Report 2022/1512 (2022)
Feneuil, T., Joux, A., Rivain, M.: Shared permutation for syndrome decoding: new zero-knowledge protocol and code-based signature. Des. Codes Cryptogr. 91(2), 563–608 (2023)
Feneuil, T., Maire, J., Rivain, M., Vergnaud, D.: Zero-knowledge protocols for the subset sum problem from MPC-in-the-head with rejection. In: Agrawal, S., Lin, D. (eds.) ASIACRYPT 2022. LNCS, vol. 13792, pp. 371–402. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-22966-4_13
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
Ganesh, C., Orlandi, C., Pancholi, M., Takahashi, A., Tschudi, D.: Fiat-Shamir bulletproofs are non-malleable (in the algebraic group model). In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022. LNCS, vol. 13276, pp. 397–426. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-07085-3_14
Ghodosi, H., Pieprzyk, J., Steinfeld, R.: Multi-party computation with conversion of secret sharing. Des. Codes Cryptogr. 62(3), 259–272 (2012)
Guillou, L.C., Quisquater, J.-J.: A “paradoxical” identity-based signature scheme resulting from zero-knowledge. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 216–231. Springer, New York (1990). https://doi.org/10.1007/0-387-34799-2_16
Grover, L.K.: A fast quantum mechanical algorithm for database search. In: 28th ACM STOC, pp. 212–219. ACM Press, Philadelphia, PA, USA (1996)
Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Zero-knowledge from secure multiparty computation. In: Johnson, D.S., Feige, U. (eds.) 39th ACM STOC, pp. 21–30. ACM Press, San Diego, CA, USA (2007)
Joux, A.: MPC in the head for isomorphisms and group actions. IACR Cryptol. ePrint Arch., p. 664 (2023)
Katz, J., Kolesnikov, V., Wang, X.: Improved non-interactive zero knowledge with applications to post-quantum signatures. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) ACM CCS 2018, pp. 525–537. ACM Press, Toronto, ON, Canada (2018)
Kales, D., Zaverucha, G.: An attack on some signature schemes constructed from five-pass identification schemes. In: Krenn, S., Shulman, H., Vaudenay, S. (eds.) CANS 2020. LNCS, vol. 12579, pp. 3–22. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-65411-5_1
Kales, D., Zaverucha, G.: Efficient lifting for shorter zero-knowledge proofs and post-quantum signatures. Cryptology ePrint Archive, Paper 2022/588 (2022)
Aguilar-Melchor, C., Gama, N., Howe, J., Hülsing, A., Joseph, D., Yue, D.: The return of the SDitH. In: Hazay, C., Stam, M. (eds.) EUROCRYPT 2023. LNCS, vol. 14008, pp. 564–596. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-30589-4_20
Schwartz, J.T.: Fast probabilistic algorithms for verification of polynomial identities. J. ACM 27(4), 701–717 (1980)
Shamir, A.: An efficient identification scheme based on permuted kernels (extended abstract). In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 606–609. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_54
Stadler, M.: Publicly verifiable secret sharing. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 190–199. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_17
Stern, J.: Designing identification schemes with keys of short size. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 164–173. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_18
Winternitz, R.S.: A secure one-way hash function built from DES. In: Proceedings of the 1984 IEEE Symposium on Security and Privacy, Oakland, California, USA, April 29 - May 2, 1984, pp. 88–90. IEEE Computer Society (1984)
Zippel, R.: Probabilistic algorithms for sparse polynomials. In: Ng, E.W. (ed.) Symbolic and Algebraic Computation. LNCS, vol. 72, pp. 216–226. Springer, Heidelberg (1979). https://doi.org/10.1007/3-540-09519-5_73
A Security Proofs
Proof
(Theorem 1). For any sampling of the random coins of \(\mathcal {P}\) and \(\mathcal {V}\), if the computation described in Protocol 3 is honestly performed, all the checks of \(\mathcal {V}\) pass. Completeness is hence perfect. \(\square \)
Proof
(Theorem 2). To prove the special soundness, one has to build an efficient knowledge extractor that returns a solution of the DDLP instance. We first show how to extract a DDLP solution from three specific transcripts. Then we explain how to get such transcripts from rewindable black-box access to \(\tilde{\mathcal {P}}\). First, assume that we can get three transcripts \(T_i = (\textsc {Com}^{(i)}, \textsc {Ch}_1^{(i)}, \textsc {Rsp}_1^{(i)}, \textsc {Ch}_2^{(i)}, \textsc {Rsp}_2^{(i)})\) for \(i\in \{1,2,3\}\) from \(\tilde{\mathcal {P}}\), with \(\textsc {Ch}_1^{(i)}:= J^{(i)}\), \( \textsc {Ch}_2^{(i)} := \{\ell ^{(i)}_j\}_{j \in J^{(i)}}\), which satisfy the following conditions:
1. \(\textsc {Com}^{(1)} = \textsc {Com}^{(2)} = \textsc {Com}^{(3)} = h\),
2. there exists \( j_0 \in (J^{(1)} \cap J^{(2)}) \setminus J^{(3)}\) s.t. \(\ell _{j_0}^{(1)} \not = \ell _{j_0}^{(2)}\),
3. \(T_1\) and \(T_2\) are success transcripts (i.e. transcripts that pass all the tests of \(\mathcal {V}\)),
4. \(\textsf {seed}^{[j_0]}\) from \(\textsc {Rsp}_1^{(3)}\) is consistent with the \((x^{[j_0]}, r^{[j_0]}, s^{[j_0]})\) from \(T_1\) and \(T_2\).
We show how to extract a solution of the DDLP instance (g, h, y) from the three transcripts. First, we can assume that all the revealed shares are mutually consistent between the three transcripts. Otherwise, we find a hash collision via condition 1. Thus, we know all the shares for the iteration \(j_0\) from \(T_1\) and \(T_2\) using condition 2. For the sake of clarity, we only consider the variables of the iteration \(j_0\) and omit this index in the following. Consider \(x' := \sum _{j=1}^N \llbracket x\rrbracket _j \bmod p\) as a natural candidate solution for x. Via the multi-party computation, we know
- \(h^{x'}=h^{\sum _{j=1}^N \llbracket x\rrbracket _j} =\prod _{j=1}^N h^{\llbracket x\rrbracket _j}=\prod _{j=1}^N \langle h^{x}\rangle _j \bmod q\),
- the broadcasting of \(\langle \alpha \rangle =\frac{\langle h^{x}\rangle }{\langle s\rangle }\), i.e. \( \alpha =\frac{h^{x}}{s}\bmod q\),
- an additive sharing of \(h^x\) via \(\alpha \llbracket r\rrbracket =\frac{h^{x}}{s}\llbracket r\rrbracket =\llbracket h^{x}\rrbracket \), since from the checked equations at the end of \(T_3\) we get that \(r=s\),
- \(y=\prod _{j=1}^N \langle y\rangle _j \bmod q\) with \(\langle y\rangle _j=g^{\llbracket h^x\rrbracket _j} \bmod q\).
Hence, \(g^{h^{x'}}=g^{\prod _{j=1}^N \langle h^x\rangle _j}=g^{\sum _{j=1}^N \llbracket h^{x}\rrbracket _j}=\prod _{j=1}^N g^{\llbracket h^{x}\rrbracket _j}=\prod _{j=1}^N \langle y\rangle _j = y \bmod q.\) Therefore, \(x'\) is a solution of the considered DDLP. Now, the extractor for the three transcripts can be the one described in appendix E of [FJR23]. \(\square \)
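As an added illustration (not code from the paper), the following Python toy run performs the sharing conversion that the extraction argument relies on and checks that \(x' = \sum_j \llbracket x\rrbracket_j\) indeed solves the instance. It assumes a constructed parameter tower p | q-1, q | r-1 with h of order p in \(\mathbb{Z}_q^*\) and g of order q in \(\mathbb{Z}_r^*\), making explicit the outer group that the paper's "mod q" notation leaves implicit.

```python
import secrets
from math import prod

# Constructed toy parameters (not from the paper): prime tower p | q-1, q | r-1,
# h of order p in Z_q^*, g of order q in Z_r^*. The paper writes every operation
# "mod q"; the outer group is made explicit here so that g^(h^x) is well defined.
p, q, r = 11, 23, 47
h, g = 2, 4
N = 5  # number of MPC parties

def ddlp_instance(x):
    """Public DDLP instance y = g^(h^x) for a secret x in Z_p."""
    return pow(g, pow(h, x, q), r)

def additive_shares(v, mod, n):
    shares = [secrets.randbelow(mod) for _ in range(n - 1)]
    return shares + [(v - sum(shares)) % mod]

def multiplicative_shares(v, mod, n):
    shares = [1 + secrets.randbelow(mod - 1) for _ in range(n - 1)]
    return shares + [v * pow(prod(shares), -1, mod) % mod]

def mpc_in_the_head(x_shares, r_shares, s_shares):
    """One honest execution on shares [[x]] (mod p), [[r]] and <s> (mod q) with r = s."""
    # Additive sharing of x -> multiplicative sharing of h^x: each party exponentiates locally.
    hx_mul = [pow(h, xj, q) for xj in x_shares]
    # Parties broadcast <alpha>_j = <h^x>_j / <s>_j; everyone reconstructs alpha = h^x / s.
    alpha = prod(hj * pow(sj, -1, q) for hj, sj in zip(hx_mul, s_shares)) % q
    # Multiplicative -> additive: alpha * [[r]]_j is an additive sharing of h^x since r = s.
    hx_add = [alpha * rj % q for rj in r_shares]
    # <y>_j = g^{[[h^x]]_j}: the exponents sum to h^x + k*q and g has order q, so prod = y.
    return alpha, [pow(g, aj, r) for aj in hx_add]

def extract(x_shares):
    """Extractor of Theorem 2: candidate solution x' = sum_j [[x]]_j mod p."""
    return sum(x_shares) % p

def run_example(x):
    """Returns (verifier's product check passes, extracted x' solves the instance)."""
    y = ddlp_instance(x)
    s = 1 + secrets.randbelow(q - 1)      # random s in Z_q^*; r := s
    x_sh = additive_shares(x % p, p, N)
    r_sh = additive_shares(s, q, N)
    s_sh = multiplicative_shares(s, q, N)
    _, y_sh = mpc_in_the_head(x_sh, r_sh, s_sh)
    return prod(y_sh) % r == y, ddlp_instance(extract(x_sh)) == y
```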
Proof
(Theorem 3). We build a simulator that outputs transcripts indistinguishable from real transcripts without knowing the secret. It has oracle access to some probabilistic polynomial time \(\tilde{\mathcal {V}}\).
1. Sample \(J \xleftarrow {\$}\{J\subset [1,M]; |J| = \tau \} \text { and } L = \{\ell _e\}_{e\in J} \xleftarrow {\$}[1,N]^\tau \)
2. Sample \(\textsf {mseed}^{[0]} \xleftarrow {\$}\{0,1\}^{\lambda }\)
3. \((\textsf {mseed}^{[e]})_{e \in [1,M]} \leftarrow {\text {TreePRG}}(\textsf {mseed}^{[0]})\)
4. For \(e\in [1,M]\backslash J\), follow the protocol honestly and deduce \(h_e\)
5. For \(e\in J\),
   - Compute \((\textsf {seed}_1^{[e]}, \rho _1^{[e]}), \ldots , (\textsf {seed}_N^{[e]}, \rho _N^{[e]})\) with \({\text {TreePRG}}(\textsf {mseed}^{[e]})\)
   - For each party \(j \in [1,N]\backslash \{\ell _e\}: (\llbracket x^{[e]}\rrbracket _j,\llbracket r^{[e]}\rrbracket _j,\langle s^{[e]}\rangle _j) \leftarrow {\text {PRG}}(\textsf {seed}_j^{[e]}), \textsf {com}_j^{[e]} = \textsf {Com} (\textsf {seed}_j^{[e]}; \rho _j^{[e]})\)
   - Sample \(\varDelta x^{[e]} \xleftarrow {\$}\mathbb {F}_p,\llbracket r^{[e]}\rrbracket _{\ell _e} \xleftarrow {\$}\mathbb {F}_{q}, \langle s^{[e]}\rangle _{\ell _e} \xleftarrow {\$}\mathbb {F}^\times _{q}\)
   - \(\varDelta s^{[e]} = \sum _{j=1}^N \llbracket r^{[e]}\rrbracket _j/ \prod _{j=1}^N \langle s^{[e]}\rangle _j \bmod q\)
   - \(\alpha ^{[e]}=h^{\sum _{j=1}^N\llbracket x^{[e]}\rrbracket _j+\varDelta x^{[e]}}/ (\varDelta s^{[e]} \prod _{j=1}^N\langle s^{[e]}\rangle _j) \bmod q\)
   - For each party j: \(\langle g^{h^{x^{[e]}}}\rangle _j=g^{\alpha ^{[e]}\llbracket r^{[e]}\rrbracket _j} \bmod q\)
   - Adapt the output of the party \(\ell _e\): \(\langle g^{h^{x^{[e]}}}\rangle _{\ell _e}=y/\prod _{j\ne \ell _e} \langle g^{h^{x^{[e]}}}\rangle _j \bmod q\)
   - Sample a random commitment \(\textsf {com}_{\ell _e}^{[e]}\).
   - Compute \(h_e = \mathcal {H}_1(\varDelta s^{[e]},\textsf {com}_1^{[e]},\ldots ,\textsf {com}_N^{[e]}), h'_e = \mathcal {H}_3(\varDelta x^{[e]},\langle g^{h^{x^{[e]}}}\rangle ,\alpha ^{[e]})\)
6. Compute \(h=\mathcal {H}_2(h_1,\ldots ,h_M),h'=\mathcal {H}_4((h'_e)_{e\in J})\)
7. Output the transcript
$$\big (h, h', (\textsf {mseed}^{[e]})_{e\in [1,M]\backslash J}, ((\textsf {seed}_i^{[e]}, \rho _i^{[e]})_{i\not =\ell _e}, \textsf {com}_{\ell _e}^{[e]}, \varDelta x^{[e]}, \varDelta s^{[e]}, \alpha ^{[e]})_{e\in J}\big )~.$$
The distribution of the output transcript is identical to a real one, except for the commitment of the party \(\ell _e\) in each execution \(e\in J\). Distinguishing them means breaking the commitment hiding property or the PRG security. \(\square \)
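As an added example (not the paper's code), the Python toy below carries out step 5 of the simulator for a single execution e: it produces the public values of the execution without knowing x, then patches the unopened party's y-share so that the verifier's product check lands on y. The hashing and commitment steps are omitted, and a constructed parameter tower p | q-1, q | r-1 (h of order p in \(\mathbb{Z}_q^*\), g of order q in \(\mathbb{Z}_r^*\)) is assumed so that \(g^{h^x}\) lives in an explicit group.

```python
import secrets
from math import prod

# Constructed toy parameters (not from the paper): prime tower p | q-1, q | r-1,
# h of order p in Z_q^*, g of order q in Z_r^*, N parties in the head.
p, q, r = 11, 23, 47
h, g = 2, 4
N = 5

def simulate_execution(y, ell):
    """Step 5 of the simulator for one execution: public values of a transcript for
    instance y in which party `ell` stays unopened, computed without the secret x."""
    opened = [j for j in range(N) if j != ell]
    # Shares of the N-1 parties that will be opened (in the protocol: PRG(seed_j)).
    x_sh = {j: secrets.randbelow(p) for j in opened}
    r_sh = {j: secrets.randbelow(q) for j in opened}
    s_sh = {j: 1 + secrets.randbelow(q - 1) for j in opened}
    # Fresh values for the unopened party and the offset Delta x (its seed is never revealed).
    delta_x = secrets.randbelow(p)
    s_sh[ell] = 1 + secrets.randbelow(q - 1)
    r_sh[ell] = secrets.randbelow(q)
    while sum(r_sh.values()) % q == 0:   # r = s must be invertible; negligible event for real q
        r_sh[ell] = secrets.randbelow(q)
    # Delta s ties the two sharings together: s = Delta s * prod <s>_j equals r = sum [[r]]_j.
    delta_s = sum(r_sh.values()) * pow(prod(s_sh.values()), -1, q) % q
    # alpha = h^(sum [[x]]_j + Delta x) / s, computed from random shares rather than the real x.
    alpha = pow(h, sum(x_sh.values()) + delta_x, q) * pow(delta_s * prod(s_sh.values()), -1, q) % q
    # Honest output of every opened party.
    y_sh = {j: pow(g, alpha * r_sh[j] % q, r) for j in opened}
    # Adapt the unopened party's output so that the product of all y-shares is exactly y.
    y_sh[ell] = y * pow(prod(y_sh.values()), -1, r) % r
    return {"delta_x": delta_x, "delta_s": delta_s, "alpha": alpha,
            "x": x_sh, "r": r_sh, "s": s_sh, "y": y_sh}

def verifier_checks(y, t, ell):
    """Algebraic checks V can run from the opened views (hash/commitment checks omitted):
    all y-shares multiply to y, and each opened party's y-share follows from alpha and [[r]]_j."""
    prod_ok = prod(t["y"][j] for j in range(N)) % r == y
    opened_ok = all(t["y"][j] == pow(g, t["alpha"] * t["r"][j] % q, r)
                    for j in range(N) if j != ell)
    return prod_ok and opened_ok

def honest_output_of_unopened(t, ell):
    """What an honest party ell would have sent; the simulated share generally differs,
    and only the unrevealed seed behind com_ell could expose that difference."""
    return pow(g, t["alpha"] * t["r"][ell] % q, r)
```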
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Maire, J., Vergnaud, D. (2024). Efficient Zero-Knowledge Arguments and Digital Signatures via Sharing Conversion in the Head. In: Tsudik, G., Conti, M., Liang, K., Smaragdakis, G. (eds) Computer Security – ESORICS 2023. ESORICS 2023. Lecture Notes in Computer Science, vol 14344. Springer, Cham. https://doi.org/10.1007/978-3-031-50594-2_22
DOI: https://doi.org/10.1007/978-3-031-50594-2_22
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-50593-5
Online ISBN: 978-3-031-50594-2