Advertisement

Relaxed Lattice-Based Signatures with Short Zero-Knowledge Proofs

  • Cecilia Boschini
  • Jan Camenisch
  • Gregory Neven
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11060)

Abstract

Advanced cryptographic protocols such as anonymous credentials, voting schemes, and e-cash are typically constructed by suitably combining signature, commitment, and encryption schemes with zero-knowledge proofs. Indeed, a large body of protocols have been constructed in that manner from Camenisch-Lysyanskaya signatures and generalized Schnorr proofs. In this paper, we build a similar framework for lattice-based schemes by presenting a signature and commitment scheme that are compatible with Lyubashevsky’s Fiat-Shamir proofs with abort, currently the most efficient zero-knowledge proofs for lattices. The latter proofs provide a weaker, relaxed form of soundness, i.e., the witnesses that the knowledge extractor can obtain are guaranteed to lie only in a domain that is larger than the one from which the inputs of honest provers need to come. To cope with this soundness problem, we define corresponding notions of relaxed signature and commitment schemes. We demonstrate the flexibility and efficiency of our new primitives by constructing a new lattice-based anonymous attribute token scheme and providing concrete parameters to securely instantiate this scheme.

Notes

Acknowledgements

Working on this paper, we have enjoyed many discussions with Vadim Lyubashevsky. Thank you! This work was supported by the ERC under grant #321310 PERCY) and the SNF under grant #\(200021\_157080\) (Efficient Lattice-Based Cryptographic Protocols).

References

  1. 1.
    Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., Ohkubo, M.: Structure-preserving signatures and commitments to group elements. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 209–236. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-14623-7_12CrossRefGoogle Scholar
  2. 2.
    Abe, M., Ohkubo, M.: A framework for universally composable non-committing blind signatures. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 435–450. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-642-10366-7_26CrossRefGoogle Scholar
  3. 3.
    Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-13190-5_28CrossRefzbMATHGoogle Scholar
  4. 4.
    Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange: a new hope. In: USENIX Security Symposium (2016)Google Scholar
  5. 5.
    Ateniese, G., Camenisch, J., Joye, M., Tsudik, G.: A practical and provably secure coalition-resistant group signature scheme. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 255–270. Springer, Heidelberg (2000).  https://doi.org/10.1007/3-540-44598-6_16CrossRefGoogle Scholar
  6. 6.
    Bagherzandi, A., Cheon, J.H., Jarecki, S.: Multisignatures secure under the discrete logarithm assumption and a generalized forking lemma. In: ACM CCS (2008)Google Scholar
  7. 7.
    Banaszczyk, W.: New bounds in some transference theorems in the geometry of numbers. Mathematische Annalen 296(1), 625–635 (1993)MathSciNetCrossRefGoogle Scholar
  8. 8.
    Belenkiy, M., Chase, M., Kohlweiss, M., Lysyanskaya, A.: P-signatures and noninteractive anonymous credentials. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 356–374. Springer, Heidelberg (2008).  https://doi.org/10.1007/978-3-540-78524-8_20CrossRefGoogle Scholar
  9. 9.
    Bellare, M., Micciancio, D., Warinschi, B.: Foundations of group signatures: formal definitions, simplified requirements, and a construction based on general assumptions. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 614–629. Springer, Heidelberg (2003).  https://doi.org/10.1007/3-540-39200-9_38CrossRefGoogle Scholar
  10. 10.
    Benhamouda, F., Camenisch, J., Krenn, S., Lyubashevsky, V., Neven, G.: Better zero-knowledge proofs for lattice encryption and their application to group signatures. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 551–572. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-662-45611-8_29CrossRefGoogle Scholar
  11. 11.
    Böhl, F., Hofheinz, D., Jager, T., Koch, J., Striecks, C.: Confined guessing: new signatures from standard assumptions. J. Cryptol. 28(1), 176–208 (2015)MathSciNetCrossRefGoogle Scholar
  12. 12.
    Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004).  https://doi.org/10.1007/978-3-540-28628-8_3CrossRefGoogle Scholar
  13. 13.
    Boschini, C., Camenisch, J., Neven, G.: Relaxed lattice-based signatures with short zero-knowledge proofs. Cryptology ePrint Archive, Report 2017/1123 (2017)Google Scholar
  14. 14.
    Boyen, X.: Lattice mixing and vanishing trapdoors: a framework for fully secure short signatures and more. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 499–517. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-13013-7_29CrossRefGoogle Scholar
  15. 15.
    Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: 45th ACM STOC (2013)Google Scholar
  16. 16.
    Brickell, E.F., Camenisch, J., Chen, L.: Direct anonymous attestation. In: ACM CCS (2004)Google Scholar
  17. 17.
    Camenisch, J., Dubovitskaya, M., Neven, G., Zaverucha, G.M.: Oblivious transfer with hidden access control policies. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 192–209. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-19379-8_12CrossRefGoogle Scholar
  18. 18.
    Camenisch, J., Haralambiev, K., Kohlweiss, M., Lapon, J., Naessens, V.: Structure preserving CCA secure encryption and applications. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 89–106. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-25385-0_5CrossRefGoogle Scholar
  19. 19.
    Camenisch, J., Kiayias, A., Yung, M.: On the portability of generalized Schnorr proofs. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 425–442. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-642-01001-9_25CrossRefGoogle Scholar
  20. 20.
    Camenisch, J., Krenn, S., Lehmann, A., Mikkelsen, G.L., Neven, G., Pedersen, M.Ø.: Formal treatment of privacy-enhancing credential systems. In: Dunkelman, O., Keliher, L. (eds.) SAC 2015. LNCS, vol. 9566, pp. 3–24. Springer, Cham (2016).  https://doi.org/10.1007/978-3-319-31301-6_1CrossRefGoogle Scholar
  21. 21.
    Camenisch, J., Lysyanskaya, A.: An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 93–118. Springer, Heidelberg (2001).  https://doi.org/10.1007/3-540-44987-6_7CrossRefGoogle Scholar
  22. 22.
    Camenisch, J., Lysyanskaya, A.: A signature scheme with efficient protocols. In: Cimato, S., Persiano, G., Galdi, C. (eds.) SCN 2002. LNCS, vol. 2576, pp. 268–289. Springer, Heidelberg (2003).  https://doi.org/10.1007/3-540-36413-7_20CrossRefGoogle Scholar
  23. 23.
    Camenisch, J., Neven, G., Rückert, M.: Fully anonymous attribute tokens from lattices. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 57–75. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-32928-9_4CrossRefGoogle Scholar
  24. 24.
    Camenisch, J., Neven, G., Shelat, A.: Simulatable adaptive oblivious transfer. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 573–590. Springer, Heidelberg (2007).  https://doi.org/10.1007/978-3-540-72540-4_33
  25. 25.
    Camenisch, J., Shoup, V.: Practical verifiable encryption and decryption of discrete logarithms. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 126–144. Springer, Heidelberg (2003).  https://doi.org/10.1007/978-3-540-45146-4_8CrossRefGoogle Scholar
  26. 26.
    Chaum, D., Fiat, A., Naor, M.: Untraceable electronic cash. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 319–327. Springer, New York (1990).  https://doi.org/10.1007/0-387-34799-2_25CrossRefGoogle Scholar
  27. 27.
    Cohen, H.: A Course in Computational Algebraic Number Theory. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-662-02945-9
  28. 28.
    Cramer, R.: Modular design of secure, yet practical cryptographic protocols. Ph.D. thesis, University of Amsterdam (1996)Google Scholar
  29. 29.
    Damgård, I.: On \(\sigma \)-protocols. Lecture Notes, Department for Computer Science, University of Aarhus (2002)Google Scholar
  30. 30.
    Damgård, I., Fujisaki, E.: A statistically-hiding integer commitment scheme based on groups with hidden order. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 125–142. Springer, Heidelberg (2002).  https://doi.org/10.1007/3-540-36178-2_8CrossRefGoogle Scholar
  31. 31.
    Faust, S., Kohlweiss, M., Marson, G.A., Venturi, D.: On the non-malleability of the Fiat-Shamir transform. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 60–79. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-34931-7_5CrossRefGoogle Scholar
  32. 32.
    Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987).  https://doi.org/10.1007/3-540-47721-7_12CrossRefGoogle Scholar
  33. 33.
    Fischlin, M.: Round-optimal composable blind signatures in the common reference string model. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 60–77. Springer, Heidelberg (2006).  https://doi.org/10.1007/11818175_4CrossRefGoogle Scholar
  34. 34.
    Gama, N., Nguyen, P.Q.: Predicting lattice reduction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 31–51. Springer, Heidelberg (2008).  https://doi.org/10.1007/978-3-540-78967-3_3CrossRefGoogle Scholar
  35. 35.
    Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: 40th ACM STOC (2008)Google Scholar
  36. 36.
    Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity and a methodology of cryptographic protocol design (extended abstract). In: 27th FOCS (1986)Google Scholar
  37. 37.
    Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008).  https://doi.org/10.1007/978-3-540-78967-3_24CrossRefGoogle Scholar
  38. 38.
    Hirt, M., Sako, K.: Efficient receipt-free voting based on homomorphic encryption. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 539–556. Springer, Heidelberg (2000).  https://doi.org/10.1007/3-540-45539-6_38CrossRefGoogle Scholar
  39. 39.
    Kiayias, A., Yung, M.: Group signatures with efficient concurrent join. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 198–214. Springer, Heidelberg (2005).  https://doi.org/10.1007/11426639_12CrossRefGoogle Scholar
  40. 40.
    Laguillaumie, F., Langlois, A., Libert, B., Stehlé, D.: Lattice-based group signatures with logarithmic signature size. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 41–61. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-42045-0_3CrossRefGoogle Scholar
  41. 41.
    Langlois, A., Ling, S., Nguyen, K., Wang, H.: Lattice-based group signature scheme with verifier-local revocation. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 345–361. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-642-54631-0_20CrossRefGoogle Scholar
  42. 42.
    Libert, B., Ling, S., Mouhartem, F., Nguyen, K., Wang, H.: Signature schemes with efficient protocols and dynamic group signatures from lattice assumptions. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 373–403. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-53890-6_13CrossRefGoogle Scholar
  43. 43.
    Libert, B., Ling, S., Nguyen, K., Wang, H.: Zero-knowledge arguments for lattice-based accumulators: logarithmic-size ring signatures and group signatures without trapdoors. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 1–31. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-49896-5_1CrossRefGoogle Scholar
  44. 44.
    Ling, S., Nguyen, K., Wang, H.: Group signatures from lattices: simpler, tighter, shorter, ring-based. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 427–449. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46447-2_19CrossRefGoogle Scholar
  45. 45.
    Lyubashevsky, V.: Fiat-Shamir with aborts: applications to lattice and factoring-based signatures. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 598–616. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-642-10366-7_35CrossRefGoogle Scholar
  46. 46.
    Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-29011-4_43CrossRefGoogle Scholar
  47. 47.
    Lyubashevsky, V., Neven, G.: One-shot verifiable encryption from lattices. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 293–323. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-56620-7_11CrossRefGoogle Scholar
  48. 48.
    Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-29011-4_41CrossRefGoogle Scholar
  49. 49.
    Nguyen, P.Q., Zhang, J., Zhang, Z.: Simpler efficient group signatures from lattices. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 401–426. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46447-2_18CrossRefGoogle Scholar
  50. 50.
    Paquin, C., Zaverucha, G.: U-prove cryptographic specification v1. 1, revision 3, December 2013Google Scholar
  51. 51.
    Stern, J.: A new identification scheme based on syndrome decoding. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 13–21. Springer, Heidelberg (1994).  https://doi.org/10.1007/3-540-48329-2_2CrossRefGoogle Scholar
  52. 52.
    Xue, R., Li, N., Li, J.: Algebraic construction for zero-knowledge sets. J. Comput. Sci. Technol. 23(2), 166–175 (2008)CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Cecilia Boschini
    • 1
    • 2
  • Jan Camenisch
    • 1
  • Gregory Neven
    • 1
  1. 1.IBM Research - ZurichZurichSwitzerland
  2. 2.Università della Svizzera ItalianaLuganoSwitzerland

Personalised recommendations