Zero-Knowledge Arguments for Matrix-Vector Relations and Lattice-Based Group Encryption

Libert, Benoît; Ling, San; Mouhartem, Fabrice; Nguyen, Khoa; Wang, Huaxiong

doi:10.1007/978-3-662-53890-6_4

Benoît Libert¹⁵,
San Ling¹⁶,
Fabrice Mouhartem¹⁵,
Khoa Nguyen¹⁶ &
…
Huaxiong Wang¹⁶

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10032))

Included in the following conference series:

International Conference on the Theory and Application of Cryptology and Information Security

2999 Accesses
29 Citations
7 Altmetric

Abstract

Group encryption ($\mathsf {GE}$) is the natural encryption analogue of group signatures in that it allows verifiably encrypting messages for some anonymous member of a group while providing evidence that the receiver is a properly certified group member. Should the need arise, an opening authority is capable of identifying the receiver of any ciphertext. As introduced by Kiayias, Tsiounis and Yung (Asiacrypt’07), $\mathsf {GE}$ is motivated by applications in the context of oblivious retriever storage systems, anonymous third parties and hierarchical group signatures. This paper provides the first realization of group encryption under lattice assumptions. Our construction is proved secure in the standard model (assuming interaction in the proving phase) under the Learning-With-Errors ($\mathsf {LWE}$) and Short-Integer-Solution ($\mathsf {SIS}$) assumptions. As a crucial component of our system, we describe a new zero-knowledge argument system allowing to demonstrate that a given ciphertext is a valid encryption under some hidden but certified public key, which incurs to prove quadratic statements about $\mathsf {LWE}$ relations. Specifically, our protocol allows arguing knowledge of witnesses consisting of $\mathbf {X} \in \mathbb {Z}_q^{m \times n}$, $\mathbf {s} \in \mathbb {Z}_q^n$ and a small-norm $\mathbf {e} \in \mathbb {Z}^m$ which underlie a public vector $\mathbf {b}=\mathbf {X} \cdot \mathbf {s} + \mathbf {e} \in \mathbb {Z}_q^m$ while simultaneously proving that the matrix $\mathbf {X} \in \mathbb {Z}_q^{m \times n}$ has been correctly certified. We believe our proof system to be useful in other applications involving zero-knowledge proofs in the lattice setting.

You have full access to this open access chapter, Download conference paper PDF

Lattice-based group encryptions with only one trapdoor

Article 16 March 2022

Better Zero-Knowledge Proofs for Lattice Encryption and Their Application to Group Signatures

Forward-Secure Group Encryptions from Lattices

Keywords

1 Introduction

Since the pioneering work of Regev [49] and Gentry, Peikert and Vaikuntanathan (GPV) [23], lattice-based cryptography has been an extremely active research area. Not only do lattices enable powerful functionalities (e.g., [22, 26]) that have no viable realizations under discrete-logarithm or factoring-related assumptions, they also offer a number of advantages over conventional number-theoretic techniques, like simpler arithmetic operations, their conjectured resistance to quantum attacks or a better asymptotic efficiency.

The design of numerous cryptographic protocols crucially relies on zero-knowledge proofs [25] to prove properties about encrypted or committed values so as to enforce honest behavior on behalf of participants or protect the privacy of users. In the lattice settings, efficient zero-knowledge proofs are non-trivial to construct due to the limited amount of algebraic structure. While natural methods of proving knowledge of secret keys [31, 40, 42, 44] are available, they are only known to work for specific languages. When it comes to proving circuit satisfiability, the best known methods are designed for the $\mathsf {LPN}$ setting [30] or take advantage of the extra structure available in the ring $\mathsf {LWE}$ setting [10, 54]. Hence, these methods are not known to readily carry over to standard (i.e., non-ideal) lattices. In the standard model, the problem is even trickier as we do not have a lattice-based counterpart of Groth-Sahai proofs [28] and efficient non-interactive proof systems are only available for specific problems [48].

The difficulty of designing efficient zero-knowledge proofs for lattice-related languages makes it highly non-trivial to adapt privacy-preserving cryptographic primitives in the lattice setting. In spite of these technical hurdles, a recent body of work successfully designed anonymity-enabling mechanisms like ring signatures [2, 31], blind signatures [50], group signatures [9, 27, 35, 36, 38, 41, 45] or, more recently, signature schemes with companion zero-knowledge protocols [37]. A common feature of all these works is that the zero-knowledge layer of the proposed protocols only deals with linear equations, where witnesses are only multiplied by public values.

In this paper, motivated by the design of advanced privacy-preserving protocols in the lattice setting, we construct zero-knowledge arguments for non-linear statements among witnesses consisting of vectors and matrices. For suitable parameters $q,n,m \in \mathbb {Z}$, we consider zero-knowledge argument systems whereby a prover can demonstrate knowledge of secret matrices $\mathbf {X} \in \mathbb {Z}_q^{m \times n}$ and vectors $\mathbf {s} \in \mathbb {Z}_q^n$, $\mathbf {e} \in \mathbb {Z}^m$ such that: (i) $\mathbf {e} \in \mathbb {Z}^m$ has small norm; (ii) A public vector $\mathbf {b} \in \mathbb {Z}_q^n$ equals $\mathbf {b} = \mathbf {X}\cdot \mathbf {s} + \mathbf {e} \bmod q$; (iii) The underlying pair $(\mathbf {X},\mathbf {s})$ satisfies additional algebraic relations: for instance, it should be possible to prove possession of a signature on some representation of the matrix $\mathbf {X}$. In particular, our zero-knowledge argument makes it possible to prove that a given ciphertext is a well-formed $\mathsf {LWE}$-based encryption with respect to some hidden, but certified public key. This protocol comes in handy in the design of group encryption schemes [33], where such languages naturally arise. In this paper, we thus construct the first construction of group encryption under lattice assumptions.

Group Encryption. As suggested by Kiayias, Tsiounis and Yung [33], group encryption ($\mathsf {GE}$) is the encryption analogue of group signatures [19], which allow users to anonymously sign messages on behalf of an entire group they belong to. While group signatures aim at hiding the source of some message within a crowd administered by some group manager, group encryption rather seeks to hide its destination within a group of legitimate receivers. In both cases, a verifier should be convinced that the anonymous signer/receiver indeed belongs to a purported population. In order to keep users accountable for their actions, an opening authority ($\mathsf {OA}$) is further empowered with some information allowing it to un-anonymize signatures/ciphertexts.

Kiayias, Tsiounis and Yung [33] formalized $\mathsf {GE}$ schemes as a primitive allowing the sender to generate publicly verifiable guarantees that: (1) The ciphertext is well-formed and intended for some registered group member who will be able to decrypt; (2) the opening authority will be able identify the receiver if necessary; (3) The plaintext satisfies certain properties such as being a witness for some public relation or the private key that underlies a given public key. In the model of Kiayias et al. [33], the message secrecy and anonymity properties are required to withstand active adversaries, which are granted access to decryption oracles in all security experiments.

As a natural application, group encryption allows a firewall to filter all incoming encrypted emails except those intended for some certified organization member and the content of which is additionally guaranteed to satisfy certain requirements, like the absence of malware.

$\mathsf {GE}$ schemes are also motivated by natural privacy applications such as anonymous trusted third parties, key recovery mechanisms or oblivious retriever storage systems. In optimistic protocols, $\mathsf {GE}$ allows verifiably encrypting messages to anonymous trusted third parties which mostly remain off-line and only come into play to sort out conflicts. In order to protect privacy-sensitive information such as users’ citizenship, group encryption makes it possible to hide the identity of users’ preferred trusted third parties within a set of properly certified trustees.

In cloud storage services, $\mathsf {GE}$ enables privacy-preserving asynchronous transfers of encrypted datasets. Namely, it allows users to archive encrypted datasets on remote servers while convincing those servers that the data is indeed intended for some anonymous certified client who paid a subscription to the storage provider. Moreover, a judge should be able to identify the archive’s recipient in case a misbehaving server is found guilty of hosting suspicious transaction records or any other illegal content.

As pointed out by Kiayias et al. [33], group encryption also implies a form of hierarchical group signatures [53], where signatures can only be opened by a set of eligible trustees operating in a very specific manner determiner by the signer.

Related work. Kiayias, Tsiounis and Yung (KTY) [33] formalized the notion of group encryption and provided a modular design using zero-knowledge proofs, digital signatures, anonymous CCA-secure public-key encryption and commitment schemes. They also gave an efficient instantiation using Paillier’s cryptosystem [46] and Camenisch-Lysyanskaya signatures [15].

Cathalo, Libert and Yung [18] designed a non-interactive system in the standard model under non-interactive pairing-related assumptions. El Aimani and Joye [3] suggested various efficiency improvements with both interactive and non-interactive proofs.

Libert et al. [39] empowered the $\mathsf {GE}$ primitive with a refined traceability mechanism akin to that of traceable signatures [32]. Namely, by releasing a user-specific trapdoor, the opening authority can allow anyone to publicly trace ciphertexts encrypted for this specific group member without affecting the privacy of other users. Back in 2010, Izabachène, Pointcheval and Vergnaud [29] considered the problem of eliminating subliminal channels in a different form of traceable group encryption.

As a matter of fact, all existing realizations of group encryption or similar primitives rely on traditional number theoretic assumptions like the hardness of factoring or computing discrete logarithms. In particular, all of them are vulnerable to quantum attacks. For the sake of not putting all one’s eggs in the same basket, it is highly desirable to have instantiations based on alternative, quantum-resistant foundations.

Our results and techniques. We put forth the first lattice-based realization of the group encryption primitive and prove its security under the Learning-With-Errors ($\mathsf {LWE}$) [49] and Short-Integer-Solution ($\mathsf {SIS}$) [4] assumptions. As in the original design of Kiayias, Tsiounis and Yung [33], the security analysis of our scheme stands in the standard model if we avail ourselves of interaction between the prover and the verifier. In the random oracle model [8], the Fiat-Shamir paradigm [21] readily provides a non-interactive solution based on the same hardness assumptions.

As a core ingredient of our $\mathsf {GE}$ scheme, we develop a new technique allowing to prove that a given ciphertext is a valid $\mathsf {LWE}$-based encryption under some hidden but certified public key. Via a novel extension of Stern-like zero-knowledge arguments [31, 52] in the lattice setting, we provide a method of proving quadratic relations between a secret certified matrix and a secret vector occurring in $\mathsf {LWE}$-related languages. We believe our zero-knowledge arguments to be of independent interest as they find applications in other protocols involving zero-knowledge proofs in lattice-based cryptography.

It was shown by Kiayias et al. [33] that, in order to design a $\mathsf {GE}$ scheme, three ingredients are necessary: we need digital signatures, anonymous (i.e., key-private [7]) public-key encryption and zero-knowledge proofs. While the first two ingredients are available in lattice-based cryptography, suitable zero-knowledge proof systems are currently lacking. The underlying proof system should allow the sender to prove that the ciphertext is well-formed and is decryptable by some certified group member without betraying the latter’s identity. Such statements typically involve equations of the form $\mathbf {b} = \mathbf {X}\cdot \mathbf {s} + \mathbf {e} \bmod q$, for which given integers n, m, q and vector $\mathbf {b} \in \mathbb {Z}_q^m$, the prover has to demonstrate possession of a certified matrix $\mathbf {X} \in \mathbb {Z}_q^{m \times n}$, vector $\mathbf {s} \in \mathbb {Z}_q^n$ and small-norm error vector $\mathbf {e} \in \mathbb {Z}^m$ satisfying the equation. Existing mechanisms of proving relations appearing in lattice-based cryptosystems belong to two main classes. The first one, which uses “rejection sampling” techniques for Schnorr-like protocols [51], was introduced by Lyubashevsky [42]. The second class, which was initiated by Ling et al. [40], appeals to “decomposition-extension-permutation” techniques in lattice-based extensions [31] of Stern’s protocol [52]. These techniques mainly deal with linear equations, where each term is a product of a public matrix with a secret vector, which possibly satisfies some additional constraints (e.g., smallness) to be proven. Here, we are presented with quadratic equations where some terms $\mathbf {X}\cdot \mathbf {s}$ are products of two secret witnesses $\mathbf {X} \in \mathbb {Z}_q^{m \times n}$ and $\mathbf {s} \in \mathbb {Z}_q^n$ which are involved in other equations. Proving such quadratic equations thus requires new ideas.

To overcome the above hurdle, we employ a divide-and-conquer strategy. First, we consider the binary representations of $\mathbf {X}$ and $\mathbf {s}$, and view the product $\mathbf {X}\cdot \mathbf {s}$ as a bunch of bit-wise products $\{x_i\cdot s_j\}_{i,j}$. Now, although these bit-wise products still admit a quadratic nature, but to prove that each of them is well-formed, it suffices to demonstrate in zero-knowledge that $x_i\cdot s_j$ belongs to the set $B = \{0\cdot 0, 0\cdot 1, 1 \cdot 0, 1 \cdot 1\}$ of cardinality 4. This can be done with a Stern-like sub-protocol, using the following extending-then-permuting technique. We first extend $x_i \cdot s_j$ to vector $\mathsf {ext}(x_i,s_j) \mathop {=}\limits ^{\mathsf {def}} (\overline{x}_i\cdot \overline{s}_j, \overline{x}_i\cdot {s}_j, {x}_i\cdot \overline{s}_j, x_i\cdot s_j)^\top \in \{0,1\}^4$ whose entries are elements of B (here, $\bar{c}$ denotes the bit $1-c$). We then employ a special permutation, determined by two random bits $b_x$ and $b_s$, to the entries of $\mathsf {ext}(x_i,s_j)$, such that the permuted vector is exactly the correct extension $\mathsf {ext}(x_i \oplus b_x, s_j \oplus b_s)$, where $\oplus $ denotes the addition modulo 2. Seeing that a permutation of $\mathsf {ext}(x_i, s_j)$ has entries in the set B, the verifier should be convinced that $x_i \cdot s_j \in B$. Meanwhile, the bits $b_x$ and $b_s$ act as one-time pads that perfectly hide $x_i$ and $s_j$. Furthermore, to prove that the same bits $x_i$ and $s_j$ are involved in other equations, we establish similar extending-then-permuting mechanisms for their other appearances, and use the same one-time pads $b_x$ and $b_s$, respectively, as those places.

Having settled the problem of proving quadratic relations, we are able to realize the desired zero-knowledge layer by combining our proof system with the techniques of [37, 41]. These help us demonstrate possession of a signature on the user’s public key while proving that this key is encrypted under the $\mathsf {OA}$’s public key. Since users’ public keys consist of a matrix $\mathbf {B}_{\mathsf {U}} \in \mathbb {Z}_q^{n \times m}$, we actually encrypt a hash value of this matrix under the $\mathsf {OA}$’s public key while the sender proves knowledge of a signature on the binary decomposition of $\mathbf {B}_{\mathsf {U}}$. By using a suitable lattice-based hash function [24], the Stern-like protocols of [37, 41] make it possible to prove that the hashed matrix encrypted under the $\mathsf {OA}$’s public key coincides with the one for which the sender knows a certificate and which served as a public key to encrypt the actual plaintext.

The last issue to sort out is to determine the appropriate encryption schemes to work with in the two public-key encryption components. The CCA2-secure cryptosystem implied by the Agrawal-Boneh-Boyen (ABB) identity-based encryption (IBE) scheme [1] via the CHK transformation [16] is a natural choice as it is one of the most efficient $\mathsf {LWE}$-based candidates in the standard model. For technical reasons, we chose to use a variant of the ABB cryptosystem based on the trapdoor mechanism of Micciancio and Peikert [43] because it allows dispensing with zero-knowledge proofs of public key validity. Indeed, the Kiayias-Tsiounis-Yung model [33] mandates that certified public keys be valid public keys (for which an underlying private key exists). This requirement is easier to handle using Micciancio-Peikert trapdoors [43] since, unlike GPV trapdoors [23], they are guaranteed to exist for any public matrix.

2 Background and Definitions

2.1 Lattices

In our notations, all vectors are denoted in bold lower-case letters while bold upper-case letters will be used for matrices. If $\mathbf {b} \in \mathbb {R}^n$, its Euclidean norm and infinity norm will be denoted by $\Vert \mathbf {b}\Vert $ and $\Vert \mathbf {b}\Vert _\infty $ respectively. The Euclidean norm of matrix $\mathbf {B} \in \mathbb {R}^{m \times n}$ with columns $(\mathbf {b}_i)_{i \le n}$ is denoted by $\Vert \mathbf {B}\Vert = \max _{i\le n} \Vert \mathbf {b}_i\Vert $. If $\mathbf {B}$ is full column-rank, we let $\widetilde{\mathbf {B}}$ denote its Gram-Schmidt orthogonalization.

When S is a finite set, we denote by U(S) the uniform distribution over S and by $x \hookleftarrow D$ the action of sampling x according to the distribution D.

A (full-rank) lattice L is the set of all integer linear combinations of some linearly independent basis vectors $(\mathbf {b}_i)_{i\le n}$ belonging to some $\mathbb {R}^n$. We work with q-ary lattices, for some prime q.

Definition 1

Let $m \ge n \ge 1$, a prime $q \ge 2$ and $\mathbf {A} \in \mathbb {Z}_q^{n \times m}$ and $\mathbf {u} \in \mathbb {Z}_q^n$, define $\varLambda _q(\mathbf {A}) :{=} \{ \mathbf {e} \in \mathbb {Z}^m \mid \exists \mathbf {s} \in \mathbb {Z}_q^n ~\text { s.t. }~\mathbf {A}^T \cdot \mathbf {s} = \mathbf {e} \bmod q \}$ as well as

$$\begin{aligned} \varLambda _q^{\perp } (\mathbf {A}):= & {} \{\mathbf {e} \in \mathbb {Z}^m \mid \mathbf {A} \cdot \mathbf {e} = \mathbf {0}^n \bmod q \}, \, \varLambda _q^{\mathbf {u}} (\mathbf {A}) := \{\mathbf {e} \in \mathbb {Z}^m \mid \mathbf {A} \cdot \mathbf {e} = \mathbf {u} \bmod q \} \end{aligned}$$

For any $\mathbf {t} \in \varLambda _q^{\mathbf {u}} (\mathbf {A})$, $\varLambda _q^{\mathbf {u}}(\mathbf {A})=\varLambda _q^{\perp }(\mathbf {A}) + \mathbf {t}$ so that $\varLambda _q^{\mathbf {u}} (\mathbf {A}) $ is a shift of $\varLambda _q^{\perp } (\mathbf {A})$.

For a lattice L, a vector $\mathbf {c} \in \mathbb {R}^n$ and a real $\sigma >0$, define $\rho _{\sigma ,\mathbf {c}}(\mathbf {x}) = \exp (-\pi \Vert \mathbf {x}- \mathbf {c} \Vert ^2/\sigma ^2) $. The discrete Gaussian distribution of support L, parameter $\sigma $ and center $\mathbf {c}$ is defined as $D_{L,\sigma ,\mathbf {c}}(\mathbf {y}) = \rho _{\sigma ,\mathbf {c}}(\mathbf {y})/\rho _{\sigma ,\mathbf {c}}(L)$ for any $\mathbf {y} \in L$. We denote by $D_{L,\sigma }(\mathbf {y}) $ the distribution centered in $\mathbf {c}=\mathbf {0}$. We will extensively use the fact that samples from $D_{L,\sigma }$ are short with overwhelming probability.

Lemma 1

([6, Lemma 1.5]). For any lattice $L \subseteq \mathbb {R}^n$ and positive real number $\sigma >0$, we have $\Pr _{\mathbf {b} \hookleftarrow D_{L,\sigma }} [\Vert \mathbf {b}\Vert \le \sqrt{n} \sigma ] \ge 1-2^{-\varOmega (n)}.$

As shown in [23], Gaussian distributions with lattice support can be sampled from efficiently, given a sufficiently short basis of the lattice.

Lemma 2

([14, Lemma 2.3]). There exists a $\mathsf {PPT}$ (probabilistic polynomial-time) algorithm $\mathsf {GPVSample}$ that takes as inputs a basis $\mathbf {B}$ of a lattice $L \subseteq \mathbb {Z}^n$ and a rational $\sigma \ge \Vert \widetilde{\mathbf {B}}\Vert \cdot \varOmega (\sqrt{\log n})$, and outputs vectors $\mathbf {b} \in L$ with distribution $D_{L,\sigma }$.

Lemma 3

([5, Theorem 3.2]). There exists a $\mathsf {PPT}$ algorithm $\mathsf {TrapGen}$ that takes as inputs $1^n$, $1^m$ and an integer $q \ge 2$ with $m \ge \varOmega (n \log q)$, and outputs a matrix $\mathbf {A} \in \mathbb {Z}_q^{n \times m}$ and a basis $\mathbf {T}_{\mathbf {A}}$ of $\varLambda _q^{\perp }(\mathbf {A})$ such that $\mathbf {A}$ is within statistical distance $2^{-\varOmega (n)}$ to $U(\mathbb {Z}_q^{n \times m})$, and $\Vert \widetilde{\mathbf {T}_{\mathbf {A}}}\Vert \le \mathcal {O}(\sqrt{n \log q})$.

Lemma 3 is often combined with the sampler from Lemma 2. Micciancio and Peikert [43] recently proposed a more efficient approach for this combined task, which should be preferred in practice but, for the sake of simplicity, we present our schemes using $\mathsf {TrapGen}$.

We rely on a basis delegation algorithm [17] which extends a trapdoor for $\mathbf {A} \in \mathbb {Z}_q^{n \times m}$ into a trapdoor of any $\mathbf {B} \in \mathbb {Z}_q^{n \times m'}$ whose left $n \times m$ submatrix is $\mathbf {A}$.

Lemma 4

([17, Lemma 3.2]). There exists a $\mathsf {PPT}$ algorithm $\mathsf {ExtBasis}$ that takes as inputs a matrix $\mathbf {B} \in \mathbb {Z}_q^{n \times m' }$ whose first m columns span $\mathbb {Z}_q^n$, and a basis $\mathbf {T}_{\mathbf {A}}$ of $\varLambda _q^{\perp }(\mathbf {A})$ where $\mathbf {A}$ is the left $n \times m$ submatrix of $\mathbf {B}$, and outputs a basis $\mathbf {T}_{\mathbf {B}}$ of $\varLambda _q^{\perp }(\mathbf {B})$ with $\Vert \widetilde{\mathbf {T}_{\mathbf {B}}}\Vert \le \Vert \widetilde{\mathbf {T}_{\mathbf {A}}}\Vert $.

Like [11, 13], we use a technique due to Agrawal, Boneh and Boyen [1] that realizes a punctured trapdoor mechanism [12]. Analogously to [43], we will use such a mechanism in the real scheme and not only in the proof.

Lemma 5

([1, Theorem 19]). There exists a $\mathsf {PPT}$ algorithm $\mathsf {SampleRight}$ that takes as inputs matrices $\mathbf A \in \mathbb {Z}_q^{n \times m}, \mathbf C \in \mathbb {Z}_q^{n \times \bar{m}}$, a low-norm matrix $\mathbf R \in \mathbb {Z}^{m \times \bar{m}}$, a short basis $\mathbf {T_C} \in \mathbb {Z}^{\bar{m} \times \bar{m}}$ of $\varLambda _q^{\perp }(\mathbf {C})$, a vector $\mathbf u \in \mathbb {Z}_q^{n}$ and a rational $\sigma $ such that $\sigma \ge \Vert \widetilde{\mathbf {T_C}}\Vert \cdot \varOmega (\sqrt{\log n})$, and outputs a short vector $\mathbf {b} \in \mathbb {Z}^{m + \bar{m}}$ such that $\left[ \begin{array}{c|c} \mathbf A ~&~ \mathbf A \cdot \mathbf R + \mathbf C \end{array} \right] \cdot \mathbf b = \mathbf u \bmod q$ and with distribution statistically close to $D_{L, \sigma }$ where L denotes the shifted lattice $\varLambda ^\mathbf {u}_q\bigl ( [ \mathbf {A} \mid \mathbf {A} \cdot \mathbf {R} + \mathbf {C} ] \bigr )$.

2.2 Computational Problems

The security of our schemes provably relies on the assumption that both algorithmic problems below are hard, i.e., cannot be solved in polynomial time with non-negligible probability and non-negligible advantage, respectively.

Definition 2

Let $m,q,\beta $ be functions of a parameter n. The Short Integer Solution problem $\mathsf {SIS}_{n,m,q,\beta }$ is as follows: Given $\mathbf {A} \hookleftarrow U(\mathbb {Z}_q^{n \times m})$, find $\mathbf {x} \in \varLambda _q^{\perp }(\mathbf {A})$ with $0 < \Vert \mathbf {x}\Vert \le \beta $.

If $q \ge \sqrt{n} \beta $ and $m,\beta \le \mathsf {poly}(n)$, then $\mathsf {SIS}_{n,m,q,\beta }$ is at least as hard as standard worst-case lattice problem $\mathsf {SIVP}_\gamma $ with $\gamma = \widetilde{\mathcal {O}}(\beta \sqrt{n})$ (see, e.g., [23, Sect. 9]).

Definition 3

Let $n,m \ge 1$, $q \ge 2$, and let $\chi $ be a probability distribution on $\mathbb {Z}$. For $\mathbf {s} \in \mathbb {Z}_q^n$, let $A_{\mathbf {s}, \chi }$ be the distribution obtained by sampling $\mathbf {a} \hookleftarrow U(\mathbb {Z}_q^n)$ and $e \hookleftarrow \chi $, and outputting $(\mathbf {a}, \mathbf {a}^T\cdot \mathbf {s} + e) \in \mathbb {Z}_q^n \times \mathbb {Z}_q$. The Learning With Errors problem $\mathsf {LWE}_{n,q,\chi }$ asks to distinguish m samples chosen according to $\mathcal {A}_{\mathbf {s},\chi }$ (for $\mathbf {s} \hookleftarrow U(\mathbb {Z}_q^n)$) and m samples chosen according to $U(\mathbb {Z}_q^n \times \mathbb {Z}_q)$.

If q is a prime power, $B \ge \sqrt{n}\omega (\log n)$, $\gamma = \widetilde{\mathcal {O}}(nq/B)$, then there exists an efficient sampleable B-bounded distribution $\chi $ (i.e., $\chi $ outputs samples with norm at most B with overwhelming probability) such that $\mathsf {LWE}_{n,q,\chi }$ is as least as hard as $\mathsf {SIVP}_{\gamma }$ (see, e.g., [14, 47, 49]).

2.3 Syntax and Definitions of Group Encryption

We use the syntax and the security model of Kiayias, Tsiounis and Yung [33]. The group encryption (GE) primitive involves a sender, a verifier, a group manager (GM) that manages the group of receivers and an opening authority (OA) which is capable of identitying ciphertexts’ recipients. In the syntax of [33], a $\mathsf {GE}$ scheme is specified by the description of a relation $\mathcal {R}$ as well as a tuple $\mathsf {GE}=\bigl (\mathsf {SETUP},\mathsf {JOIN},\langle \mathcal {G}_r,\mathcal {R},\mathsf {sample}_{\mathcal {R}} \rangle ,\mathsf {ENC},\mathsf {DEC},\mathsf {OPEN},\langle \mathcal {P},\mathcal {V} \rangle \bigr )$ of algorithms or protocols. In details, $\mathsf {SETUP}$ is a set of initialization procedures that all take (implicitly or explicitly) a security parameter $1^\lambda $ as input. We call them $\mathsf {SETUP}_{\mathsf {init}}(1^\lambda )$, $\mathsf {SETUP}_{\mathsf {GM}}(\mathsf {param})$ and $\mathsf {SETUP}_{\mathsf {OA}}(\mathsf {param})$. The first one of these procedures generates a set of public parameters $\mathsf {param}$ (like the KTY construction [33], we rely on a common reference string even when using interaction between provers and verifiers). The latter two procedures are used to produce key pairs $(\mathsf {pk}_{\mathsf {GM}},\mathsf {sk}_{\mathsf {GM}})$, $(\mathsf {pk}_{\mathsf {OA}},\mathsf {sk}_{\mathsf {OA}})$ for the $\mathsf {GM}$ and the $\mathsf {OA}$. In the following, $\mathsf {param}$ is incorporated in the inputs of all algorithms although we sometimes omit to explicitly write it.

$\mathsf {JOIN}=(\mathsf {J}_{\mathsf {user}},\mathsf {J}_{\mathsf {GM}})$ is an interactive protocol between the $\mathsf {GM}$ and the prospective user. After the execution of $\mathsf {JOIN}$, the $\mathsf {GM}$ stores the public key $\mathsf {pk}$ and its certificate $\mathsf {cert}_{\mathsf {pk}}$ in a public directory $\mathsf {database}$. As in [34], we will restrict this protocol to have minimal interaction and consist of only two messages: the first one is the user’s public key $\mathsf {pk}$ sent by $\mathsf {J}_{\mathsf {user}}$ to $\mathsf {J}_{\mathsf {GM}}$ and the latter’s response is a certificate $\mathsf {cert}_{\mathsf {pk}}$ for $\mathsf {pk}$ that makes the user’s group membership effective. We do not require the user to prove knowledge of his private key $\mathsf {sk}$ or anything else about it. In our construction, valid keys will be publicly recognizable and users will not have to prove their validity. By avoiding proofs of knowledge of private keys, the security proof never has to rewind the adversary to extract those private keys, which allows supporting concurrent joins as advocated by Kiayias and Yung [34]. If applications demand it, it is possible to add proofs of knowledge of private keys in a modular way but our security proofs do not require rewinding the adversary in executions of $\mathsf {JOIN}$.

Algorithm $\mathsf {sample}_{\mathcal {R}}$ allows sampling pairs $(x,w)\in \mathcal {R}$ (made of a public value x and a witness w) using keys $(\mathsf {pk}_{\mathcal {R}},\mathsf {sk}_{\mathcal {R}})$ produced by $\mathcal {G}_r(1^\lambda )$ which samples public/secret parameters for the relation $\mathcal {R}$. Depending on the relation, $\mathsf {sk}_{\mathcal {R}}$ may be the empty string (as in the scheme [33] and ours which both involve publicly samplable relations). The testing procedure $\mathcal {R}(x,w)$ uses $\mathsf {pk}_{\mathcal {R}}$ to return 1 whenever $(x,w)\in \mathcal {R}$. To encrypt a witness w such that $(x,w) \in \mathcal {R}$ for some public x, the sender fetches the pair $(\mathsf {pk},\mathsf {cert}_{\mathsf {pk}})$ from $\mathsf {database}$ and runs the randomized encryption algorithm. The latter takes as input w, a label L, the receiver’s pair $(\mathsf {pk},\mathsf {cert}_{\mathsf {pk}})$ as well as public keys $\mathsf {pk}_{\mathsf {GM}}$ and $\mathsf {pk}_{\mathsf {OA}}$. Its output is a ciphertext $\varPsi \leftarrow \mathsf {ENC}(\mathsf {pk}_{\mathsf {GM}},\mathsf {pk}_{\mathsf {OA}},\mathsf {pk},\mathsf {cert}_{\mathsf {pk}},w,L)$. On input of the same elements, the certificate $\mathsf {cert}_{\mathsf {pk}}$, the ciphertext $\varPsi $ and the random coins $coins_{\varPsi }$ that were used to produce $\varPsi $, the non-interactive algorithm $\mathcal {P}$ generates a proof $\pi _{\varPsi }$ that there exists a certified receiver whose public key was registered in $\mathsf {database}$ and who is able to decrypt $\varPsi $ and obtain a witness w such that $(x,w) \in \mathcal {R}$. The verification algorithm $\mathcal {V}$ takes as input $\varPsi $, $\mathsf {pk}_{\mathsf {GM}}$, $\mathsf {pk}_{\mathsf {OA}}$, $\pi _{\varPsi }$ and the description of $\mathcal {R}$ and outputs 0 or 1. Given $\varPsi $, L and the receiver’s private key $\mathsf {sk}$, the output of $\mathsf {DEC}$ is either a witness w such that $(x,w) \in \mathcal {R}$ or a rejection symbol $\bot $. Finally, $\mathsf {OPEN}$ takes as input a ciphertext/label pair $(\varPsi ,L)$ and the OA’s secret key $\mathsf {sk}_{\mathsf {OA}}$ and returns a receiver’s public key $\mathsf {pk}$.

The model of [33] considers four properties termed correctness, message security, anonymity and soundness.

3 Warm-Up: Decompositions, Extensions, Permutations

This section introduces the notations and techniques that will be used throughout the paper. Part of the covered material appeared (in slightly different forms) in recent works [20, 37, 38, 40, 41] on Stern-like protocols [52]. The techniques that will be employed for handling quadratic relations (double-bit extension $\mathsf {ext}(\cdot , \cdot )$, expansion $\mathsf {expand}^{\otimes }(\cdot , \cdot )$ of matrix-vector product and the associated permuting mechanisms) are novel contributions of this paper.

3.1 Decompositions

For any $B \in \mathbb {Z}_+$, define the number $\delta _B:=\lfloor \log _2 B\rfloor +1 = \lceil \log _2(B+1)\rceil $ and the sequence $B_1, \ldots , B_{\delta _B}$, where $B_j = \lfloor \frac{B + 2^{j-1}}{2^j} \rfloor $, $\forall j \in [1,\delta _B]$. As observed in [40], the sequence satisfies $\sum _{j=1}^{\delta _B} B_j = B$ and any integer $v \in [0, B]$ can be decomposed to $\mathsf {idec}_B(v) = (v^{(1)}, \ldots , v^{(\delta _B)})^\top \in \{0,1\}^{\delta _B}$ such that $\sum _{j=1}^{\delta _B}B_j \cdot v_j = v$. We describe this decomposition procedure in a deterministic manner:

1.
$v': = v$
2.
For $j=1$ to $\delta _B$ do:
1. (i)
  If $v' \ge B_j$ then $v^{(j)}: = 1$, else $v^{(j)}: = 0$;
2. (ii)
  $v': = v' - B_j\cdot v^{(j)}$.
3.
Output $\mathsf {idec}_B(v) = (v^{(1)}, \ldots , v^{(\delta _B)})^\top $.

Next, for any positive integers $\mathfrak {m}, B$, we define the decomposition matrix:

(1)

and the following injective functions:

(i)
$\mathsf {vdec}_{\mathfrak {m}, B}: [0,B]^{\mathfrak {m}} \rightarrow \{0,1\}^{\mathfrak {m}\delta _B}$ that maps vector $\mathbf {v} = (v_1, \ldots , v_{\mathfrak {m}})^\top $ to vector $\big (\mathsf {idec}_B(v_1)^\top \Vert \ldots \Vert \mathsf {idec}_B(v_{\mathfrak {m}})^\top \big )^\top $. Note that $\mathbf {H}_{\mathfrak {m}, B} \cdot \mathsf {vdec}_{\mathfrak {m}, B}(\mathbf {v}) = \mathbf {v}$.
(ii)
$\mathsf {vdec}'_{\mathfrak {m}, B}: [-B,B]^{\mathfrak {m}} \rightarrow \{-1,0,1\}^{\mathfrak {m}\delta _B}$ that maps vector $\mathbf {w} = (w_1, \ldots , w_{\mathfrak {m}})^\top $ to vector $\big (\sigma (w_1)\cdot \mathsf {idec}_B(w_1)^\top \Vert \ldots \Vert \sigma (w_{\mathfrak {m}})\cdot \mathsf {idec}_B(w_{\mathfrak {m}})^\top \big )^\top $, where for each $i=1, \ldots , \mathfrak {m}$: $\sigma (w_i) = 0$ if $w_i =0$; $\sigma (w_i) = -1$ if $w_i <0$; $\sigma (w_i) = 1$ if $w_i >0$. Note that $\mathbf {H}_{\mathfrak {m}, B} \cdot \mathsf {vdec}'_{\mathfrak {m}, B}(\mathbf {w}) = \mathbf {w}$.

We also define the following matrix decomposition procedure. For positive integers n, m, q, define the injective function $\mathsf {mdec}_{n,m,q}: \mathbb {Z}_q^{m \times n} \rightarrow \{0,1\}^{mn\delta _{q-1}}$ that maps matrix $\mathbf {X} = [\mathbf {x}_1 | \ldots | \mathbf {x}_n] \in \mathbb {Z}_q^{m \times n}$, where $\mathbf {x}_1, \ldots , \mathbf {x}_n \in \mathbb {Z}_q^m$, to vector

$$\begin{aligned} \mathsf {mdec}_{n,m,q}(\mathbf {X})= & {} \big (\mathsf {vdec}_{m, q-1}(\mathbf {x}_1)^\top \Vert \ldots \mathsf {vdec}_{m,q-1}(\mathbf {x}_n)^\top \big )^\top \\= & {} (x_{1,1}, \ldots , x_{1, mk}, x_{2,1}, \ldots , x_{2,mk}, \ldots , x_{n,1}, x_{n,mk})^\top \in \{0,1\}^{nmk}, \end{aligned}$$

where, for each $(i,j) \in [n] \times [mk]$, $x_{i,j} \in \{0,1\}$ denotes the j-th bit of the decomposition of the i-th column of $\mathbf {X}$.

Looking ahead, when proving knowledge of witnesses $(\mathbf {X},\mathbf {s}) \in \mathbb {Z}_q^{m \times n} \times \mathbb {Z}_q^{n}$ satisfying $\mathbf {b} = \mathbf {X} \cdot \mathbf {s} + \mathbf {e} \bmod q$, we will have to consider terms of the form $x_{i,j} \cdot s_{i,t}$, where $\mathbf {s}=(s_1,\ldots ,s_n)^\top \in \mathbb {Z}_q^n$ and $(s_{i,1},\ldots ,s_{i,k})^\top =\mathsf {idec}_{q-1}(s_i)$ for each $i \in [n]$.

3.2 Extensions and Permutations

We now introduce the extensions and permutations which will be essential for proving quadratic relations.

For each $c \in \{0,1\}$, denote by $\overline{c}$ the bit $1-c \in \{0,1\}$.
For $c_1,c_2 \in \{0,1\}$, define the vector
$$\mathsf {ext}(c_1,c_2) = (\overline{c}_1\cdot \overline{c}_2, \overline{c}_1\cdot {c}_2, {c}_1\cdot \overline{c}_2, c_1\cdot c_2)^\top \in \{0,1\}^4.$$
For $b_1,b_2 \in \{0,1\}$, define the permutation $T_{b_1,b_2}$ that transforms vector $\mathbf {v} = (v_{0,0}, v_{0,1}, v_{1,0}, v_{1,1})^\top \in \mathbb {Z}_q^4$ to vector $(v_{{b}_1, {b}_2}, v_{{b}_1, \overline{b}_2}, v_{ \overline{b}_1,{b}_2}, v_{\overline{b}_1, \overline{b}_2})^\top $. Note that, for all $c_1, c_2, b_1, b_2 \in \{0,1\}$, we have the following:
$$\begin{aligned} \mathbf {z} = \mathsf {ext}(c_1, c_2) \Longleftrightarrow T_{b_1, b_2}(\mathbf {z}) = \mathsf {ext}(c_1 \oplus b_1, c_2 \oplus b_2), \end{aligned}$$
(2)

where $\oplus $ denotes the bit-wise addition modulo 2.

Now, for positive integers n, m, k, and for vectors

$$\mathbf {x} = (x_{1,1}, \ldots , x_{1, mk}, x_{2,1}, \ldots , x_{2,mk}, \ldots , x_{n,1}, x_{n,mk})^\top \in \{0,1\}^{nmk}$$

and $\mathbf {s}_0 = (s_{1,1}, \ldots , s_{1,k}, s_{2,1}, \ldots , s_{2,k}, \ldots , s_{n,1}, \ldots , s_{n,k})^\top \in \{0,1\}^{nk}$, we define the vector $ \mathsf {expand}^{\otimes }(\mathbf {x}, \mathbf {s}_0) \in \{0,1\}^{4nmk^2}$ as

That is, $ \mathsf {expand}^{\otimes }(\mathbf {x}, \mathbf {s}_0)$ is obtained by applying $\mathsf {ext}$ to all pairs of the form $(x_{i,j},s_{i,t})$ for $(i,j,t) \in [n] \times [mk] \times [k]$.

Now, for $\mathbf {b} = (b_{1,1}, \ldots , b_{1, mk}, b_{2,1}, \ldots , b_{2,mk}, \ldots , b_{n,1}, b_{n,mk})^\top \in \{0,1\}^{nmk}$ and $\mathbf {d} = (d_{1,1}, \ldots , d_{1,k}, d_{2,1}, \ldots , d_{2,k}, \ldots , d_{n,1}, \ldots , d_{n,k})^\top \in \{0,1\}^{nk}$ we define the permutation $P_{\mathbf {b}, \mathbf {d}}$ that transforms vector

consisting of $nmk^2$ blocks of length 4, to vector $P_{\mathbf {b}, \mathbf {d}}(\mathbf {v})$ of the form

where for each $(i,j,t) \in [n]\times [mk] \times [k]$: $\mathbf {w}_{i,j,t} = T_{b_{i,j}, d_{i,t}}(\mathbf {v}_{i,j,t})$.

Observe that, for all $\mathbf {b} \in \{0,1\}^{nmk}, \mathbf {d} \in \{0,1\}^{nk}$, we have:

$$\begin{aligned} \mathbf {z} = \mathsf {expand}^{\otimes }(\mathbf {x}, \mathbf {s}_0) \Longleftrightarrow P_{\mathbf {b},\mathbf {d}}(\mathbf {z}) = \mathsf {expand}^{\otimes }(\mathbf {x} \oplus \mathbf {b}, \mathbf {s}_0 \oplus \mathbf {d}). \end{aligned}$$

(3)

Next, we recall the notations, extensions and permutations used in previous Stern-like protocols [20, 37, 40, 41] for proving linear relations.

For any positive integer t, denote by $\mathcal {S}_t$ the symmetric group of all permutations of t elements, by $\mathsf {B}_{2t}$ the set of all vectors in $\{0,1\}^{2t}$ having Hamming weight t, and by $\mathsf {B}_{3t}$ the set of all vectors in $\{-1,0,1\}^{3t}$ having exactly t coordinates equal to j, for each $j \in \{-1,0,1\}$. Note that for any $\phi \in \mathcal {S}_{2t}$ and $\psi \in \mathcal {S}_{3t}$, we have the following equivalences:

$$\begin{aligned} \mathbf {x} \in \mathsf {B}_{2t} \Longleftrightarrow \phi (\mathbf {x}) \in \mathsf {B}_{2t} \text { and } \mathbf {y} \in \mathsf {B}_{3t} \Longleftrightarrow \psi (\mathbf {y}) \in \mathsf {B}_{3t}. \end{aligned}$$

(4)

The following extending procedures are defined for any positive integers t.

$\mathsf {ExtendTwo}_t: \{0,1\}^{t} \rightarrow \mathsf {B}_{2t}$. On input vector $\mathbf {x}$ with Hamming weight w, it outputs $\mathbf {x}' = (\mathbf {x}^\top \Vert \mathbf {1}^{t-w} \Vert \mathbf {0}^{w})^\top $.
$\mathsf {ExtendThree}_t: \{-1,0,1\}^{t} \rightarrow \mathsf {B}_{3t}$. On input vector $\mathbf {y}$ containing $n_j$ coordinates equal to j for $j \in \{-1,0,1\}$, output $\mathbf {y}' = (\mathbf {y}^\top \Vert \mathbf {1}^{t-n_1} \Vert \mathbf {0}^{t-n_0} \Vert \mathbf {(-1)}^{t-n_{-1}})$.

We also use the following encodings and permutations to achieve fine-grained control over coordinates of binary witness-vectors.

For any positive integer t, define the function $\mathsf {encode}_t$ that encodes vector $\mathbf {x} = (x_1, \ldots , x_t)^\top \in \{0,1\}^t$ to vector $\mathsf {encode}_t(\mathbf {x}) = (\bar{x}_1, x_1, \ldots , \bar{x}_t, x_t)^\top \in \{0,1\}^{2t}$.
For any positive integer t and any vector $\mathbf {c} = (c_1, \ldots , c_t)^\top \in \{0,1\}^t$, define the permutation $F_{\mathbf {c}}^{(t)}$ that transforms vector $\mathbf {v} = (v_1^{(0)}, v_1^{(1)}, \ldots , v_t^{(0)}, v_t^{(1)})^\top \in \mathbb {Z}^{2t}$ into vector $F_{\mathbf {c}}^{(t)}(\mathbf {v}) = (v_1^{(c_1)}, v_1^{(\bar{c}_1)}, \ldots , v_t^{(c_t)}, v_t^{(\bar{c}_t)})^\top $.

Note that the following equivalence holds for all $t, \mathbf {c}$:

$$\begin{aligned} \mathbf {y} = \mathsf {encode}_t(\mathbf {x}) \Longleftrightarrow F_{\mathbf {c}}^{(t)}(\mathbf {y}) = \mathsf {encode}_t(\mathbf {x} \oplus \mathbf {c}). \end{aligned}$$

(5)

To close this warm-up section, we remark that the equivalences observed in (3), (4) and (5) will play crucial roles in our zero-knowledge layer.

4 The Supporting Zero-Knowledge Layer

In this section, we first demonstrate how to prove in zero-knowledge that a given vector $\mathbf {b}$ is a correct LWE evaluation, i.e., $\mathbf {b} = \mathbf {X}\cdot \mathbf {s} + \mathbf {e} \bmod q$, where the hidden matrix $\mathbf {X}$ and vector $\mathbf {s}$ may satisfy additional conditions. This sub-protocol, which we believe will have other applications, is one of the major challenges in our road towards the design of lattice-based group encryption. We then plug this building block into the big picture, and construct the supporting zero-knowledge argument of knowledge (ZKAoK) for our group encryption scheme (Sect. 5).

4.1 Proving the LWE Relation with Hidden Matrices

Let $n,m,q, \beta $ be positive integers where $\beta \ll q$, and let $k = \lceil \log _2 q\rceil $. We identify $\mathbb {Z}_q$ as the set $\{0,1, \ldots , q-1\}$. We consider a zero-knowledge argument system allowing prover $\mathcal {P}$ to convince verifier $\mathcal {V}$ on input $\mathbf {b} \in \mathbb {Z}_q^m$ that $\mathcal {P}$ knows secret matrix $\mathbf {X} \in \mathbb {Z}_q^{m \times n}$, and vectors $\mathbf {s} \in \mathbb {Z}_q^n$, $\mathbf {e} \in [-\beta , \beta ]^m$ such that:

$$\begin{aligned} \mathbf {b} = \mathbf {X}\cdot \mathbf {s} + \mathbf {e} \bmod q. \end{aligned}$$

(6)

Moreover, the argument system should be readily extended to proving that $\mathbf {X}$ and $\mathbf {s}$ satisfy additional conditions, such as:

The bits representing $\mathbf {X}$ are certified by an authority, and the prover also knows that secret signature-certificate.
The (secret) hash of $\mathbf {X}$ is correctly encrypted to a given ciphertext.
The LWE secret $\mathbf {s}$ is involved in other linear equations.

Let $q_1, \ldots , q_k \in \mathbb {Z}_q$ be the sequence of integers obtained by decomposing $q-1$ using the technique recalled in Sect. 3.1, and define the row vector $\mathbf {g} = (q_1, \ldots , q_k)$. Let $\mathbf {X} = [\mathbf {x}_1 | \ldots | \mathbf {x}_n] \in \mathbb {Z}_q^{m \times n}$ and $\mathbf {s}= (s_1, \ldots , s_n)^\top $. For each index $i \in [n]$, let us consider $\mathsf {vdec}_{m,q-1}(\mathbf {x}_i) = (x_{i,1}, \ldots , x_{i,mk})^\top \in \{0,1\}^{mk}$. Let $\mathsf {vdec}_{n,q-1}(\mathbf {s})= (s_{1,1}, \ldots , s_{1,k}, s_{2,1}, \ldots , s_{2,k}, \ldots , s_{n,1}, \ldots s_{n,k})^\top \in \{0,1\}^{nk}$ and observe that $s_i = \mathbf {g} \cdot \mathsf {idec}_{q-1}(s_i)= \mathbf {g}\cdot (s_{i,1}, \ldots , s_{i,k})^\top $ for each $i \in [n]$. We have:

$$\begin{aligned} \mathbf {X}\cdot \mathbf {s}= & {} \sum _{i=1}^n \mathbf {x}_i\cdot s_i = \sum _{i=1}^n \mathbf {H}_{m,q-1}\cdot \mathsf {vdec}_{m,q-1}(\mathbf {x}_i)\cdot s_i \\= & {} \mathbf {H}_{m,q-1}\cdot \Big (\sum _{i=1}^n (x_{i,1}\cdot s_i, \ldots , x_{i,mk}\cdot s_i)^\top \Big ) \bmod q. \end{aligned}$$

Observe that, for each $i \in [n]$ and each $j \in [mk]$, we have

$$x_{i,j}\cdot s_i = x_{i,j}\cdot \mathbf {g} \cdot (s_{i,1}, \ldots , s_{i,k})^\top = (q_1, \ldots , q_k) \cdot (x_{i,j}\cdot s_{i,1}, \ldots , x_{i,j}\cdot s_{i,k})^\top .$$

We now extend vector $(q_1, q_2, \ldots , q_k)$ to $\mathbf {g}' = (0,0,0,q_1, 0,0,0, q_2, \ldots , 0,0,0,q_k) \in \mathbb {Z}_q^{4k}$. For all $(i,j) \in [n]\times [mk]$, we have:

$$ x_{i,j}\cdot s_i = \mathbf {g}' \cdot (\mathsf {ext}^\top (x_{i,j}, s_{i,1}) \Vert \ldots \Vert \mathsf {ext}^\top (x_{i,j},s_{i,k}))^\top . $$

Let us define the matrices

$$\begin{aligned} \mathbf {Q}_0: = \mathbf {I}_{mk}\otimes \mathbf {g}' = \begin{bmatrix} \mathbf {g}'&&\\&\mathbf {g}'&&\\&&\ddots&\\&&\mathbf {g}' \\ \end{bmatrix} \in \mathbb {Z}_q^{mk \times 4mk^2}, \end{aligned}$$

(7)

and $\widehat{\mathbf {Q}} = [\overbrace{\mathbf {Q}_0 | \ldots | \mathbf {Q}_0}^{n \text { times }}] \in \mathbb {Z}_q^{mk \times 4nmk^2}$. For each $i \in [n]$, define

$$\begin{aligned} \mathbf {y}_i =&(\mathsf {ext}^\top (x_{i,1}, s_{i,1}) \Vert \ldots \Vert \mathsf {ext}^\top (x_{i,1},s_{i,k}))^\top \Vert \mathsf {ext}^\top (x_{i,2},s_{i,1} \Vert \ldots \Vert \mathsf {ext}^\top (x_{i,2}, s_{i,k}) \\&\Vert \ldots \Vert \mathsf {ext}^\top (x_{i,mk},s_{i,1} \Vert \ldots \Vert \mathsf {ext}^\top (x_{i,mk}, s_{i,k}) )^\top \in \{0,1\}^{4mk^2}. \end{aligned}$$

Then, for all $i \in [n]$, we have: $ (x_{i,1}\cdot s_i, \ldots , x_{i,mk}\cdot s_i)^\top = \mathbf {Q}_0 \cdot \mathbf {y}_i. $ Now, we note that

$$(\mathbf {y}_1^\top \Vert \ldots \Vert \mathbf {y}_n^\top )^\top = \mathsf {expand}^{\otimes }(\mathsf {mdec}_{n,m,q}(\mathbf {X}), \mathsf {vdec}_{n,q-1}(\mathbf {s})),$$

and

$$\begin{aligned} \sum _{i=1}^n (x_{i,1}\cdot&s_i, \ldots , x_{i,mk}\cdot s_i)^\top \nonumber \\&= \sum _{i=1}^n \mathbf {Q}_0 \cdot \mathbf {y}_i = \widehat{\mathbf {Q}}\cdot \mathsf {expand}^{\otimes }(\mathsf {mdec}_{n,m,q}(\mathbf {X}), \mathsf {vdec}_{n,q-1}(\mathbf {s})). \qquad \end{aligned}$$

(8)

Letting $\mathbf {Q}= \mathbf {H}_{m,q-1}\cdot \widehat{\mathbf {Q}} \in \mathbb {Z}_q^{m \times 4nmk^2}$ and left-multiplying (8) by $ \mathbf {H}_{m,q-1}$, we obtain the equation:

$$ \mathbf {X} \cdot \mathbf {s} = \mathbf {Q}\cdot \mathsf {expand}^{\otimes }\big (\mathsf {mdec}_{n,m,q}(\mathbf {X}), \mathsf {vdec}_{n,q-1}(\mathbf {s})\big ) \bmod q. $$

This means that the task of proving knowledge of $(\mathbf {X},\mathbf {s},\mathbf {e}) \in \mathbb {Z}_q^{m \times n} \times \mathbb {Z}_q^n \times [-\beta ,\beta ]^m$ such that $\mathbf {b}=\mathbf {X} \cdot \mathbf {s} + \mathbf {e} \bmod q$ boils down to proving knowledge of $\mathbf {z} \in \{0,1\}^{4nmk^2}$, $\mathbf {x} \in \{0,1\}^{nmk}$, $\mathbf {s}_0 \in \{0,1\}^{nk}$ and a short $\mathbf {e} \in \mathbb {Z}^m$ such that

$$\begin{aligned} \mathbf {b} = \mathbf {Q}\cdot \mathbf {z} + \mathbf {I}_m \cdot \mathbf {e} \bmod q \text { and } \mathbf {z} = \mathsf {expand}^{\otimes }(\mathbf {x},\mathbf {s}_0). \end{aligned}$$

As the knowledge of small-norm $\mathbf {e}$ can easily be proved with Stern-like protocol (e.g., [40]), the challenging part is to prove in ZK the constraint of $\mathbf {z} = \mathsf {expand}^{\otimes }(\mathbf {x},\mathbf {s}_0)$. To this end, we will use the following permuting technique inspired by the equivalence of Eq. (3). We sample uniformly random $\mathbf {d}_x \in \{0,1\}^{n{m}k}$ and $\mathbf {d}_s \in \{0,1\}^{nk}$, send $\mathbf {x}' = \mathbf {x} \oplus \mathbf {d}_x$ and $\mathbf {s}' = \mathbf {s}_0 \oplus \mathbf {d}_s$ to the verifier, and let the latter check that $P_{\mathbf {d}_x, \mathbf {d}_s}(\mathbf {z}) = \mathsf {expand}^{\otimes }(\mathbf {x}', \mathbf {s}')$. This will be sufficient to convince the verifier that the original vector $\mathbf {z}$ satisfies the required constraint. The crucial point is that no additional information about $\mathbf {x}$ and $\mathbf {s}_0$ is leaked, since these binary vectors are perfectly hidden under the “one-time pad” $\mathbf {d}_x$ and $\mathbf {d}_s$, respectively.

In the framework of Stern’s protocol, the idea of using “one-time-pad” permutations further allows us to prove that $\mathbf {x}$ and $\mathbf {s}_0$ satisfy additional conditions, i.e., they appear in other equations. This is done by first setting up an equivalence similar to (3) in the places where these objects appear, and then, using the same “one-time pad” for each of them in all appearances. We will explain in detail how this technique can be realized in the next subsection.

4.2 The Main Zero-Knowledge Argument System

The zero-knowledge argument of knowledge used in our group encryption scheme (Sect. 5) will involve a system of 10 modular equations:

(9)

where $\{\mathbf {M}_{i,j}\}_{(i,j) \in [10] \times [15]}$, $\{\mathbf {v}_i\}_{i \in [10]}$ are public matrices and vectors (which are possibly zero). Our goal is to prove knowledge of vectors $\mathbf {w}_1, \ldots , \mathbf {w}_{15}$, such that (9) holds, and that these vectors have the following constraints.

1.
$\mathbf {w}_1 \in \{0,1\}^{n\bar{m}k}$, $\mathbf {w}_2 \in \{0,1\}^{nk}$ and $\mathbf {w}_3 = \mathsf {expand}^{\otimes }(\mathbf {w}_1, \mathbf {w}_2) \in \{0,1\}^{4n\bar{m}k^2}$. (Note that these vectors are obtained via the techniques of Sect. 4.1.)
2.
$\mathbf {w}_4, \mathbf {w}_5, \mathbf {w}_6, \mathbf {w}_7$ are $\{0,1\}$ vectors.
3.
Vectors $\mathbf {w}_8, \ldots , \mathbf {w}_{14}$ have bounded infinity norms.
4.
Vector $\mathbf {w}_{15}$ has the form $\big (\mathbf {d}_1^\top \Vert \mathbf {d}_2^\top \Vert \tau [1]\cdot \mathbf {d}_2^\top \Vert \ldots \Vert \tau [\ell ]\cdot \mathbf {d}_2^\top \big )^\top $, for some vectors $\mathbf {d}_1, \mathbf {d}_2 \in [-\beta , \beta ]^m$ and $\tau = (\tau [1], \ldots , \tau [\ell ])^\top \in \{0,1\}^\ell $.

Towards achieving the goal, we employ a 4-step strategy.

1.
The first step transforms all the secret vectors with infinity norm larger than 1 into vectors with infinity norm 1. This is done with the decomposition technique of Sect. 3.1.
2.
The norm-1 vectors is then encoded or extended into vectors whose constraints are invariant under random permutations. This is done with the techniques described at the end of Sect. 3.2. The public matrices $\{\mathbf {M}_{i,j}\}_{i,j}$ are transformed accordingly to preserve the equations.
3.
The third step unifies all the equations into one of the form $\mathbf {M}\cdot \mathbf {x} = \mathbf {v} \bmod q$, where $\mathbf {x}$ is a concatenation of the newly obtained witness-vectors.
4.
In the final step, we run a Stern-like protocol to prove the unified equation $\mathbf {M}\cdot \mathbf {x} = \mathbf {v} \bmod q$, where a composed permutation is employed to prove the constraints of vector $\mathbf {x}$.

Our strategy subsumes the central ideas underlying recent works on Stern-like protocols [37, 40, 41] for lattice-based relations: preprocessing secret witness-vectors to make them provable-in-zero-knowledge with random permutations, unifying them into just one vector for the sake of convenience, and then running Stern’s protocol in a classical manner.

The first step is applicable to vectors $\mathbf {w}_8, \ldots , \mathbf {w}_{14}$ and $\mathbf {w}_{15}$. Suppose that $\mathbf {w}_i$ has dimension $m_i$ and infinity norm bound $\beta _i$, for $i \in [8,14]$. Then we compute vector $\mathbf {w}'_i = \mathsf {vdec}_{m_i, \beta _i}(\mathbf {w}_i) \in \{-1,0,1\}^{m_i\delta _{\beta _i}}$. Note that $\mathbf {H}_{m_i, \beta _i}\cdot \mathbf {w}'_i = \mathbf {w}_i$. To decompose $\mathbf {w}_{15}$, we compute $\mathbf {d}'_j = \mathsf {vdec}_{m, \beta }(\mathbf {d}_j) \in \{-1,0,1\}^{m\delta _{\beta }}$, for $j = 1,2$.

The second step performs the following encodings and extensions.

Encode $\mathbf {w}_1$ and $\mathbf {w}_2$: Let $\mathbf {w}''_1 = \mathsf {encode}_{n\bar{m}k}(\mathbf {w}_1)$ and $\mathbf {w}''_2 = \mathsf {encode}_{nk}(\mathbf {w}_2)$. Note that to prove knowledge of $\mathbf {w}''_1$ and $\mathbf {w}''_2$, we will employ the “one-time pad” permuting technique implied by (5). The same one-time pads are used to prove that $\mathbf {w}_3 = \mathsf {expand}^{\otimes }(\mathbf {w}_1, \mathbf {w}_2)$, as discussed in Sect. 4.1.
Extend vectors $\mathbf {w}_4, \ldots , \mathbf {w}_7, \mathbf {w}'_8, \ldots , \mathbf {w}'_{14}$ and $\mathbf {d}'_1, \mathbf {d}'_2, \tau $.

For $i \in [4,7]$, suppose that the binary vector $\mathbf {w}_i$ has dimension $m_i$. Then we extend it to $\mathbf {w}''_i = \mathsf {ExtendTwo}_{m_i}(\mathbf {w}_i) \in \mathsf {B}_{2m_i}$. For $i \in [8,14]$, we extend $\mathbf {w}'_i$ to $\mathbf {w}''_i = \mathsf {ExtendThree}_{m_i\delta _{\beta _i}}(\mathbf {w}'_i) \in \mathsf {B}_{3m_i\delta _{\beta _i}}$. It follows from (4) that, the knowledge of vectors $\{\mathbf {w}''_i\}_{i=4}^{14}$ can be proved in zero-knowledge using random permutations.

Meanwhile, we need a more sophisticated treatment for the components of vector $\mathbf {w}_{15}$. For $j=1,2$, we let $\mathbf {d}''_j = \mathsf {ExtendThree}_{m\delta _\beta }(\mathbf {d}'_j) \in \mathsf {B}_{3m\delta _\beta }$. We also extend $\tau $ to $\tau '' = \mathsf {ExtendTwo}_\ell (\tau ) = (\tau [1], \ldots , \tau [\ell ], \tau [\ell +1], \ldots , \tau [2\ell ])^\top \in \mathsf {B}_{2\ell }$. Then we form the vector:
$$ \mathbf {w}''_{15}= \big ((\mathbf {d}''_1)^\top \Vert (\mathbf {d}''_2)^\top \Vert \tau [1] (\mathbf {d}''_2)^\top \Vert \ldots \Vert \tau [\ell ](\mathbf {d}''_2)^\top \Vert \ldots \Vert \tau [2\ell ](\mathbf {d}''_2)^\top \big )^\top . $$
Next, we define $\mathsf {CorMix}$ as the set of all vectors in $\{-1,0,1\}^{(2\ell +2)3m\delta _\beta }$, that have the form $\big (\mathbf {z}_1^\top \Vert \mathbf {z}_2^\top \Vert \rho [1] \mathbf {z}_2^\top \Vert \ldots \Vert \rho [2\ell ]\mathbf {z}_2^\top \big )^\top $ for some $\mathbf {z}_1, \mathbf {z}_2 \in \mathsf {B}_{3m\delta _\beta }$ and $\rho \in \mathsf {B}_{2\ell }$. Clearly, $\mathbf {w}''_{15} \in \mathsf {CorMix}$. Furthermore, as shown in [37, 41], this set is closed under a special composition of 3 permutations $\phi _1 \in \mathcal {S}_{3m\delta _\beta }, \phi _2 \in \mathcal {S}_{3m\delta _\beta }, \phi _3 \in \mathcal {S}_{2\ell }$, which we denote by $T_{\phi _1, \phi _2, \phi _3}$. That is, we have the equivalence:
$$\begin{aligned} \mathbf {w}''_{15} \in \mathsf {CorMix} \Longleftrightarrow T_{\phi _1, \phi _2, \phi _3}(\mathbf {w}''_{15}) \in \mathsf {CorMix}. \end{aligned}$$
(10)
As we have changed the dimensions of the witness-vectors, we also have to transform the public matrices $\{\mathbf {M}_{i,j}\}_{i,j}$ accordingly to preserve the equations. In short, this can be done through right-multiplying by the decomposition matrices (if needed), and then inserting zero-columns at suitable positions. We denote the transformed public matrices by $\{\mathbf {M}''_{i,j}\}_{i,j}$.

At the end of the second step, we are presented with the following system of equations, which is equivalent to (9).

(11)

The third step involves only basic linear algebra. Let

then we obtain the unified equation $\mathbf {M}\cdot \mathbf {x} = \mathbf {v} \bmod q$.

Given the above preparations, we now comes to the final step where we formally present our protocol. Let D be the dimension of vector $\mathbf {x}$. Denote by VALID the set of all vectors in $\{-1,0,1\}^D$, that have the form $\mathbf {z} = (\mathbf {z}^\top _1 \Vert \ldots \Vert \mathbf {z}^\top _{15})^\top $, where:

1.
$\mathbf {z}_1 = \mathsf {encode}_{n\bar{m}k}(\mathbf {y}_1)$, $\mathbf {z}_2 = \mathsf {encode}_{nk}(\mathbf {y}_2)$ and $\mathbf {z}_3 = \mathsf {expand}^{\otimes }(\mathbf {y}_1, \mathbf {y}_2)$, for some $\mathbf {y}_1 \in \{0,1\}^{n\bar{m}k}$ and $\mathbf {y}_2 \in \{0,1\}^{nk}$.
2.
For $i \in [4,7]$, vector $\mathbf {z}_i \in \mathsf {B}_{2m_i}$. For $i \in [8,14]$, vector $\mathbf {z}_i \in \mathsf {B}_{3m_i\delta _{\beta _i}}$.
3.
Vector $\mathbf {z}_{15} \in \mathsf {CorMix}$.

It can be seen that our vector $\mathbf {x}$ is an element of this tailored set $\mathsf {VALID}$. By construction, the task of proving knowledge of vectors $\mathbf {w}_1, \ldots , \mathbf {w}_{15}$ that have the required constraints, and that satisfy system (9) has boiled down to proving the possession of vector $\mathbf {x} \in \mathsf {VALID}$ such that $\mathbf {M}\cdot \mathbf {x} = \mathbf {v} \bmod q$. We will fulfill this task with a Stern-like zero-knowledge protocol, in which we hide $\mathbf {x}$ from the verifier’s view by a random permutation and a random masking vector.

Let us determine the type of permutations to be applied for $\mathbf {x}$. Let

$$\begin{aligned} \mathcal {S} = \{0,1\}^{n\bar{m}k} \times \{0,1\}^{nk} \times \mathcal {S}_{2m_4} \times \ldots \times&\mathcal {S}_{2m_7} \times \mathcal {S}_{3m_8\delta _{\beta _8}} \times \ldots \nonumber \\&\ldots \times \mathcal {S}_{3m_{14}\delta _{\beta _{14}}} \times (\mathcal {S}_{3m\delta _\beta })^2 \times \mathcal {S}_{2\ell }. \end{aligned}$$

We associate each element $\pi = (\mathbf {b}_1, \mathbf {b}_2, \phi _4, \ldots , \phi _{14}, \phi _{15}^1, \phi _{15}^2, \phi _{15}^3) \in \mathcal {S}$ with the permutation $\varGamma _\pi $ that transforms vector $\mathbf {z} = (\mathbf {z}^\top _1 \Vert \ldots \Vert \mathbf {z}^\top _{15})^\top \in \mathbb {Z}^D$, where the length of block $\mathbf {z}_i$ equals to that of $\mathbf {w}''_i$ for all $i \in [15]$, into vector

$$\begin{aligned} \varGamma _\pi (\mathbf {z}) = \big (F_{\mathbf {b}_1}^{(n\bar{m}k)}(\mathbf {z}_1) \Vert F_{\mathbf {b}_2}^{(nk)}(\mathbf {z}_2) \Vert P_{\mathbf {b}_1, \mathbf {b}_2}(\mathbf {z}_3)&\Vert \phi _4(\mathbf {z}_4) \Vert \ldots \nonumber \\&\ldots \Vert \phi _{14}(\mathbf {z}_{14}) \Vert T_{\phi _{15}^1,\phi _{15}^2, \phi _{15}^3}(\mathbf {z}_{15})\big ). \end{aligned}$$

It is implied by the equivalences given in (3), (4), (5) and (10) that the following holds for all $\pi \in \mathcal {S}$:

$$ \mathbf {x} \in \mathsf {VALID} \Longleftrightarrow \varGamma _\pi (\mathbf {x}) \in \mathsf {VALID}. $$

Additionally, if $\mathbf {x} \in \mathsf {VALID}$ and $\pi $ is uniformly random in $\mathcal {S}$, then $\varGamma _\pi (\mathbf {x})$ is uniformly random in $\mathsf {VALID}$. In the framework of Stern’s protocol, these facts allow us to prove in zero-knowledge the knowledge of $\mathbf {x} \in \mathsf {VALID}$.

Furthermore, proving that equation $\mathbf {M}\cdot \mathbf {x} = \mathbf {v} \bmod q$ holds can be done by sampling a uniformly random masking vector $\mathbf {r}_x \in \mathbb {Z}_q^D$, and demonstrating to the verifier that $\mathbf {M}\cdot (\mathbf {x} + \mathbf {r}_x) - \mathbf {v} = \mathbf {M}\cdot \mathbf {r}_x \bmod q$.

The interaction between prover $\mathcal {P}$ and verifier $\mathcal {V}$ is described in Fig. 1. Prior to the interaction, both parties obtain matrix $\mathbf {M}$ and vector $\mathbf {v}$ from the public input, while $\mathcal {P}$ construct witness-vector $\mathbf {x}$ from his secret input, as described above. The protocol employs the statistically hiding and computationally binding string commitment scheme COM from [31].

The properties of the given protocol are summarized in Theorem 1. The proof of the theorem employs standard simulation and extraction techniques for Stern-like protocols [31, 40, 41], and is detailed in the full version of the paper.

Theorem 1

The protocol in Fig. 1 is a statistical ZKAoK with perfect completeness, soundness error 2/3, and communication cost $\widetilde{\mathcal {O}}(D\log q)$. Namely:

There exists a polynomial-time simulator that, on input $(\mathbf {M}, \mathbf {v})$, outputs an accepted transcript which is statistically close to that produced by the real prover.
There exists a polynomial-time knowledge extractor that, on input a commitment $\mathrm {CMT}$ and 3 valid responses $(\mathrm {RSP}_1,\mathrm {RSP}_2,\mathrm {RSP}_3)$ to all 3 possible values of the challenge Ch, outputs $\mathbf {x}' \in \mathsf {VALID}$ such that $\mathbf {M}\cdot \mathbf {x}' = \mathbf {v} \bmod q.$

Note that, given vector $\mathbf {x}'$ outputted by the extractor, one can efficiently compute 15 vectors satisfying the conditions described at the beginning of this subsection, simply by “backtracking” the transformations conducted by our first 3 steps. In the group encryption scheme presented next, the constructed ZKAoK will be invoked by algorithm $\langle \mathcal {P}, \mathcal {V}\rangle $, while its simulator and extractor will come in handy in the proofs of security theorems, that are defined in the full version of the paper.

5 Our Lattice-Based Group Encryption Scheme

To build a $\mathsf {GE}$ scheme using our zero-knowledge argument system, we need to choose a specific key-private CCA2-secure encryption scheme. The first idea is to use the CCA2-secure public-key cryptosystem which is implied by the Agrawal-Boneh-Boyen identity-based encryption (IBE) scheme [1] (which is recalled in Appendix A.2) via the Canetti-Halevi-Katz (CHK) transformation [16]. The ABB scheme is a natural choice since it has pseudo-random ciphertexts (which implies the key-privacy [7] when the CHK paradigm is applied) and provides one of the most efficient CCA2 cryptosystem based on the hardness of $\mathsf {LWE}$ in the standard model. One difficulty is that the Kiayias-Tsiounis-Yung model [33] requires that certified public keys be valid public keys (i.e., which have a matching secret key). When new group members join the system and request a certificate for their public key $\mathbf {B}_{\mathsf {U}} \in \mathbb {Z}_q^{n \times \bar{m}}$, a direct use of the ABB/CHK technique would incur of proof of existence of a GPV trapdoor [23] corresponding to $\mathbf {B}_{\mathsf {U}}$ (i.e., a small-norm matrix $\mathbf {T}_{\mathbf {B}_{\mathsf {U}}} \in \mathbb {Z}^{\bar{m} \times \bar{m} } $ s.t. $\mathbf {B} \cdot \mathbf {T}_{\mathbf {B}_{\mathsf {U}}}= \mathbf {0}^n \bmod q$). While the techniques of Peikert and Vaikuntanathan [48] would provide a solution to this problem (as they allow proving that $\mathbf {T}_{\mathbf {B}_{\mathsf {U}}} \in \mathbb {Z}^{\bar{m} \times \bar{m}} $ has full-rank), we found it simpler to rely on the trapdoor mechanism of Micciancio and Peikert [43].

If we assume public parameters containing a random matrix $\bar{\mathbf {A}} \in \mathbb {Z}_q^{n \times m}$, each user’s public key can consist of a matrix $\mathbf {B}_{\mathsf {U}} = \bar{\mathbf {A}} \cdot \mathbf {T}_{\mathsf {U}} \in \mathbb {Z}_q^{n \times \bar{m}}$, where $\mathbf {T}_{\mathsf {U}} \in \mathbb {Z}^{m \times \bar{m}}$ is a small-norm matrix whose calms are sampled from a discrete Gaussian distribution. Note that, if $\bar{\mathbf {A}} \in \mathbb {Z}_q^{n \times m}$ is uniformly distributed, then [23, Lemma 5.1] ensures that, with overwhelming probability, any matrix $\mathbf {B}_{\mathsf {U}} \in \mathbb {Z}_q^{n \times \bar{m}}$ has an underlying small-norm matrix satisfying $\mathbf {B}_{\mathsf {U}} = \bar{\mathbf {A}} \cdot \mathbf {T}_{\mathsf {U}} \bmod q $. This simplifies the joining procedure by eliminating the need for proofs of public key validity.

In the encryption algorithm, the sender computes a dual Regev encryption [23] of the witness $\mathbf {w} \in \{0,1\}^m$ using a matrix $[\bar{\mathbf {A}} ~|~ \mathbf {B}_\mathsf {U}+ \mathsf {FRD}(\mathsf {VK}) \cdot \mathbf {G} ] \in \mathbb {Z}_q^{n \times (m + \bar{m})}$ such that: (i) $\mathsf {VK}\in \mathbb {Z}_q^n$ is the verification key of a one-time signature; (ii) $\mathsf {FRD}: \mathbb {Z}_q^n \rightarrow \mathbb {Z}_q^{n \times n}$ is the full-rank difference^{Footnote 1} function of [1]; (iii) $\mathbf {G} = \mathbf {I}_n \otimes [1|2| \ldots |2^{k-1}] \in \mathbb {Z}_q^{n \times \bar{m}}$ is the gadget matrix of [43]. Given that $\mathbf {G} $ has a publicly known trapdoor allowing to sample short vectors in $\varLambda _q^{\perp }(\mathbf {G})$, the user can use his private key $\mathbf {T}_{\mathsf {U}} \in \mathbb {Z}^{m \times \bar{m}}$ to decrypt by running the $\mathsf {SampleRight}$ algorithm of Lemma 5.

Having encrypted the witness $\mathbf {w} \in \{0,1\}^m$ by running the ABB encryption algorithm, the sender proceeds by encrypting a hash value of $\mathbf {B}_{\mathsf {U}} \in \mathbb {Z}_q^{n \times \bar{m}}$ under the public key $\mathbf {B}_{\mathsf {OA}} = \bar{\mathbf {A}} \cdot \mathbf {T}_{\mathsf {OA}} \in \mathbb {Z}_q^{n \times \bar{m}}$ of the opening authority. The latter hash value is obtained as a bit-wise decomposition of $\mathbf {F} \cdot \mathsf {mdec}_{n,m,q}(\mathbf {B}_{\mathsf {U}}^\top ) \in \mathbb {Z}_q^{2n}$, where $\mathbf {F} \in \mathbb {Z}_q^{2n \times n \bar{m} \lceil \log q \rceil }$ is a random public matrix and $\mathsf {mdec}_{n,m,q}(\mathbf {B}_{\mathsf {U}}^\top ) \in \{0,1\}^{n \bar{m} \lceil \log q \rceil }$ denotes an entry-wise binary decomposition of the matrix $\mathbf {B}_{\mathsf {U}} \in \mathbb {Z}_q^{n \times \bar{m}}$.

By combining our new argument for quadratic relations and the extensions of Stern’s protocol suggested in [37, 41], we are able to prove that some component of the ciphertext is of the form $\mathbf {c}=\mathbf {B}_{\mathsf {U}}^{\top } \cdot \mathbf {s} + \mathbf {e} \in \mathbb {Z}_q^{\bar{m}}$, for some $\mathbf {s} \in \mathbb {Z}_q^n$ and a small-norm $\mathbf {e} \in \mathbb {Z}^{\bar{m}}$ while also arguing possession of a signature on the binary decomposition $\mathsf {mdec}_{n,m,q}(\mathbf {B}_{\mathsf {U}}^\top ) \in \{0,1\}^{n \bar{m} \lceil \log q \rceil }$ of $\mathbf {B}_{\mathsf {U}}^\top $. For this purpose, we use a variant of a signature scheme due to Böhl et al.’s signature [11] which was recently proposed by Libert, Ling, Mouhartem, Nguyen and Wang [37] (and of which a description is given in Appendix A.1). At the same time, the prover $\mathcal {P}$ can also argue that a hash value of $\mathsf {mdec}_{n,m,q}(\mathbf {B}_{\mathsf {U}}^\top ) $ is properly encrypted under the $\mathsf {OA}$’s public key using the ABB encryption scheme.

5.1 Description of the Scheme

Our $\mathsf {GE}$ scheme allows encrypting witnesses for the Inhomogeneous SIS relation $ \mathrm {R}_{\mathsf {ISIS}}(n,m,q,1)$, which consists of pairs $((\mathbf {A}_R, \mathbf {u}_R), \mathbf {w}) \in (\mathbb {Z}_q^{n \times m} \times \mathbb {Z}_q^n) \times \{0,1\}^m $ satisfying $\mathbf {u}_R=\mathbf {A}_R \cdot \mathbf {w} \bmod q$. This relation is in the same spirit as the one of Kiayias, Tsiounis and Yung [33], who consider the verifiable encryption of discrete logarithms. While the construction of [33] allow verifiably encrypting discrete-logarithm-type secret keys under the public key of some anonymous TTP, our construction makes it possible to encrypt GPV-type secret keys [23].

$\mathsf {SETUP_{init}}(1^\lambda )$: This algorithm performs the following:
1. 1.
  Choose integers $n = \mathcal {O}(\lambda )$, prime $q = \widetilde{\mathcal {O}}(n^4)$, and let $k = \lceil \log _2 q\rceil $, $\bar{m}=nk$ and $m =2\bar{m}= 2nk$. Choose a B-bounded distribution $\chi $ over $\mathbb {Z}$ for some $B= \sqrt{n}\omega (\log n)$.
2. 2.
  Choose a Gaussian parameter $\sigma = \varOmega (\sqrt{n \log q}\log n)$. Let $\beta = \sigma \omega (\log n)$ be the upper bound of samples from $D_{\mathbb {Z}, \sigma }$.
3. 3.
  Select integers $\ell = \ell (\lambda )$ which determines the maximum expected group size $2^\ell $, and $\kappa = \omega (\log \lambda )$ (the number of protocol repetitions).
4. 4.
  Select a strongly unforgeable one-time signature $\mathcal {OTS} = (\mathsf {Gen}, \mathsf {Sig}, \mathsf {Ver})$. We assume that the verification keys live in $\mathbb {Z}_q^n$.
5. 5.
  Select public parameters $\mathsf {COM}_{\mathsf {par}}$ for a statistically-hiding commitment scheme like [31]. This commitment will serve as a building block for the zero-knowledge argument system used in $\langle \mathcal {P}, \mathcal {V} \rangle $.
6. 6.
  Let $\mathsf {FRD}: \mathbb {Z}_q^{n} \rightarrow \mathbb {Z}_q^{n \times n}$ be the full-rank difference mapping from [1].
7. 7.
  Pick a random matrix $\mathbf {F} \leftarrow \mathbb {Z}_q^{2n \times n \bar{m}k}$, which will be used to hash users’ public keys from $\mathbb {Z}_q^{n \times \bar{m}}$ to $\mathbb {Z}_q^n$.
8. 8.
  Let $\mathbf {G} \in \mathbb {Z}_q^{n \times \bar{m}}$ be the gadget matrix $\mathbf {G}= \mathbf {I}_n \otimes \begin{bmatrix} 1&2&\ldots&2^{k-1} \end{bmatrix}$ of [43]. Pick matrices $\bar{\mathbf {A}}, \mathbf {U} \leftarrow U(\mathbb {Z}_q^{n \times m})$ and $\mathbf {V} \leftarrow U(\mathbb {Z}_q^{n \times m})$. Looking ahead, $\mathbf {U}$ will be used to encrypt for the receiver while $\mathbf {V}$ will be used to encrypt the user’s public key under the $\mathsf {OA}$’s public key. As for $\bar{\mathbf {A}}$, it will be used in two instances of the ABB encryption scheme [1].

Output

$$\begin{aligned} \mathsf {param}= & {} \big \{\lambda , n, q, k, m, B, \chi , \sigma , \beta , \ell , \kappa , \mathcal {OTS}, \mathsf {COM}_{\mathsf {par}}, \mathsf {FRD}, \bar{\mathbf {A}}, \mathbf {G}, \mathbf {F}, \mathbf {U}, \mathbf {V} \big \}. \end{aligned}$$

$\langle \mathcal {G}_r, \mathsf {sample}_{\mathcal {R}} \rangle $: Algorithm $\mathcal {G}_r(1^\lambda ,1^n,1^m)$ proceeds by sampling a random matrix $\mathbf {A}_R \leftarrow U(\mathbb {Z}_q^{n \times m})$ and outputting $(\mathsf {pk}_{\mathcal {R}},\mathsf {sk}_{\mathcal {R}})=(\mathbf {A}_R,\varepsilon )$. On input of a public key $\mathsf {pk}_{\mathcal {R}}=\mathbf {A}_R \in \mathbb {Z}_q^{n \times m}$ for the relation $\mathrm {R}_{\mathsf {ISIS}}$, algorithm $\mathsf {sample}_{\mathcal {R}}$ picks $\mathbf {w} \leftarrow U(\{0,1\}^m)$ and outputs a pair $((\mathbf {A}_R,\mathbf {u}_R),\mathbf {w})$, where $\mathbf {u}_R =\mathbf {A}_R \cdot \mathbf {w} \in \mathbb {Z}_q^n$.
$\mathsf {SETUP_{\mathsf {GM}}}(\mathsf {param})$: The $\mathsf {GM}$ generates $(\mathsf {sk}_\mathsf {GM},\mathsf {pk}_\mathsf {GM}) \leftarrow \mathsf {Keygen}(1^\lambda ,q,n,m,\ell ,\sigma )$ as a key pair for the $\mathsf {SIS}$-based signature scheme of [37] (as recalled in Appendix A.1). This key pair consists of $\mathsf {sk}_{\mathsf {GM}}:= \mathbf {T}_{\mathbf {A}} $ and
$$\begin{aligned} \mathsf {pk}_{\mathsf {GM}}:=\Bigl ( \mathbf {A}, \mathbf {A}_0,\ldots , \mathbf {A}_{\ell } \in \mathbb {Z}_q^{n \times m}, ~ \mathbf {D}_0 , \mathbf {D}_1 \in \mathbb {Z}_q^{n \times m}, \mathbf {D} \in \mathbb {Z}_q^{n \times \bar{m}}, \mathbf {u} \in \mathbb {Z}_q^n \Bigr ). \end{aligned}$$
(12)

$\mathsf {SETUP_{\mathsf {OA}}}(\mathsf {param})$: The $\mathsf {OA}$ samples a small-norm matrix $\mathbf {T}_{\mathsf {OA}} \leftarrow D_{\mathbb {Z}^m,\sigma }^{\bar{m}}$ in $\mathbb {Z}^{m \times \bar{m}}$ to obtain a statistically uniform $\mathbf {B}_{\mathsf {OA}} = \bar{\mathbf {A}} \cdot \mathbf {T}_{\mathsf {OA}} \in \mathbb {Z}_q^{n \times \bar{m}}$. The $\mathsf {OA}$’s key pair consists of $(\mathsf {sk}_{\mathsf {OA}},\mathsf {pk}_{\mathsf {OA}})=(\mathbf {T}_{\mathsf {OA}},\mathbf {B}_{\mathsf {OA}})$.
$\mathsf {JOIN}$: The prospective user $\mathsf {U}$ and the $\mathsf {GM}$ interact in the following protocol.

1.
$\mathsf {U}$ first samples $\mathbf {T}_{\mathsf {U}} \leftarrow D_{\mathbb {Z}^m,\sigma }^{\bar{m}} $ in $\mathbb {Z}^{m \times \bar{m}}$ to compute a statistically uniform matrix $\mathbf {B}_{\mathsf {U}} = \bar{\mathbf {A}} \cdot \mathbf {T}_{\mathsf {U}} \in \mathbb {Z}_q^{n \times \bar{m}}$. The prospective user defines his key pair as $(\mathsf {pk}_{\mathsf {U}},\mathsf {sk}_{\mathsf {U}})=(\mathbf {B}_{\mathsf {U}},\mathbf {T}_{\mathsf {U}})$ and sends $\mathsf {pk}_{\mathsf {U}}=\mathbf {B}_{\mathsf {U}}$ to the $\mathsf {GM}$.
2.
Upon receiving a public key $\mathsf {pk}_{\mathsf {U}} = \mathbf {B}_{\mathsf {U}} \in \mathbb {Z}_q^{n \times \bar{m}}$ from the user, the $\mathsf {GM}$ certifies $\mathsf {pk}_U$ via the following steps:
1. a.
  Compute $\mathbf {h}_{\mathsf {U}} = \mathbf {F}\cdot \mathsf {mdec}_{n,\bar{m},q}(\mathbf {B}_{\mathsf {U}}^\top ) \in \mathbb {Z}_q^{2n}$ as a hash value of the public key $\mathsf {pk}_{\mathsf {U}}=\mathbf {B}_{\mathsf {U}} \in \mathbb {Z}_q^{n \times \bar{m}}$.
2. b.
  Use the trapdoor $\mathsf {sk}_{\mathsf {GM}} = \mathbf {T_A}$ to generate a signature
  $$\begin{aligned} \mathsf {cert}_{\mathsf {U}} = \big ( \tau , \mathbf {d}, \mathbf {r} \big ) \in \{0,1\}^\ell \times [-\beta ,\beta ]^{2m} \times [-\beta ,\beta ]^m, \end{aligned}$$
  (13)
  satisfying
  $$\begin{aligned} \big [\mathbf {A}&~|~ \sum _{j=1}^\ell \tau [j]\mathbf {A}_j\big ] \cdot \mathbf {d} \nonumber \\ = \mathbf {u}~ + ~&\mathbf {D}\cdot \mathsf {vdec}_{n,q-1}( \mathbf {D}_0 \cdot \mathbf {r} + \mathbf {D}_1 \cdot \mathsf {vdec}_{n,q-1}(\mathbf {h}_{\mathsf {U}}) ) \bmod q, \end{aligned}$$
  (14)
  where $\tau = \tau [1] \ldots \tau [\ell ] \in \{0,1\}^{\ell }$, as in the scheme of Appendix A.1.

$\mathsf {U}$ verifies that $\mathsf {cert}_{\mathsf {U}}$ is tuple of the form (13) satisfying (14) and returns $\perp $ if it is not the case. The $\mathsf {GM}$ stores $(\mathsf {pk}_{\mathsf {U}},\mathsf {cert}_\mathsf {U})$ in the user database $\mathsf {database}$ and returns the certificate $\mathsf {cert}_\mathsf {U}$ to the new user $\mathcal {U}$.

$\mathsf {ENC}(\mathsf {pk}_{\mathsf {GM}}, \mathsf {pk}_{\mathsf {OA}}, \mathsf {pk}_\mathsf {U}, \mathsf {cert}_\mathsf {U}, \mathbf {w}, L)$: To encrypt a witness $\mathbf {w} \in \{0,1\}^m$ such that $((\mathbf {A}_R, \mathbf {u}_R), \mathbf {w}) \in \mathrm {R}_{\mathsf {ISIS}}(n,m,q,1)$ (i.e., $\mathbf {A}_R \cdot \mathbf {w} = \mathbf {u}_R \bmod q$), parse $\mathsf {pk}_{\mathsf {GM}}$ as in (12), $\mathsf {pk}_{\mathsf {OA}}$ as $\mathbf {B}_{\mathsf {OA}} \in \mathbb {Z}_q^{n \times \bar{m}}$, $\mathsf {pk}_{\mathsf {U}}$ as $\mathbf {B}_\mathsf {U}\in \mathbb {Z}_q^{n \times \bar{m}}$ and $\mathsf {cert}_{\mathsf {U}}$ as in (13).
1. 1.
  Generate a one-time key-pair $(\mathsf {SK}, \mathsf {VK}) \leftarrow \mathsf {Gen}(1^\lambda )$, where $\mathsf {VK}\in \mathbb {Z}_q^n$.
2. 2.
  Compute a full-rank-difference hash $\mathbf {H}_{\mathsf {VK}}= \mathsf {FRD}(\mathsf {VK}) \in \mathbb {Z}_q^{n \times n}$ of the one-time verification key $\mathsf {VK}\in \mathbb {Z}_q^n$.
3. 3.
  Encrypt the witness $\mathbf {w} \in \{0,1\}^m$ under $\mathsf {U}$’s public key $\mathbf {B}_\mathsf {U}\in \mathbb {Z}_q^{n \times \bar{m}}$ using the tag $\mathsf {VK}$ by taking the following steps:
  1. a.
    Sample $\mathbf {s}_{\mathsf {rec}} \leftarrow U(\mathbb {Z}_q^n)$, $\mathbf {R}_{\mathsf {rec}} \leftarrow D_{\mathbb {Z},\sigma }^{m \times \bar{m}} $ and $\mathbf {x}_{\mathsf {rec}}, \mathbf {y}_{\mathsf {rec}} \leftarrow \chi ^m$. Compute $\mathbf {z}_{\mathsf {rec}} = \mathbf {R}_{\mathsf {rec}}^\top \cdot \mathbf {y}_{\mathsf {rec}} \in \mathbb {Z}^{\bar{m}}$.
  2. b.
    Compute
    $$\begin{aligned} {\left\{ \begin{array}{ll} \mathbf {c}_{\mathsf {rec}}^{(1)} = \bar{\mathbf {A}}^\top \cdot \mathbf {s}_{\mathsf {rec}} + \mathbf {y}_{\mathsf {rec}} \bmod q \\ \mathbf {c}_{\mathsf {rec}}^{(2)}= (\mathbf {B}_\mathsf {U}+ \mathbf {H}_{\mathsf {VK}} \cdot \mathbf {G})^\top \cdot \mathbf {s}_{\mathsf {rec}} + \mathbf {z}_{\mathsf {rec}} \bmod q ; \\ \mathbf {c}_{\mathsf {rec}}^{(3)} = \mathbf {U}^\top \cdot \mathbf {s}_{\mathsf {rec}} + \mathbf {x}_{\mathsf {rec}} + \mathbf {w}\cdot \Big \lfloor \frac{q}{2}\Big \rfloor ,\end{array}\right. } \end{aligned}$$
    (15)
    and let $\mathbf {c}_{\mathsf {rec}} = \big (\mathbf {c}_{\mathsf {rec}}^{(1)}, \mathbf {c}_{\mathsf {rec}}^{(2)}, \mathbf {c}_{\mathsf {rec}}^{(3)}\big ) \in \mathbb {Z}_q^m \times \mathbb {Z}_q^{\bar{m}} \times \mathbb {Z}_q^m$, which forms an ABB ciphertext [1] for the tag $\mathsf {VK}\in \mathbb {Z}_q^n$.
4. 4.
  Encrypt the decomposition $\mathsf {vdec}_{n,q-1}(\mathbf {h_\mathsf {U}}) \in \{0,1\}^{m}$ of the hashed $\mathsf {pk}_\mathsf {U}$ under the $\mathsf {OA}$’s public key $\mathbf {B}_{\mathsf {OA}} \in \mathbb {Z}_q^{n \times \bar{m}}$ w.r.t. the tag $\mathsf {VK}\in \mathbb {Z}_q^n$. Namely, conduct the following steps:
  1. a.
    Sample $\mathbf {s}_{\mathsf {oa}} \leftarrow U( \mathbb {Z}_q^n)$, $\mathbf {R}_{\mathsf {oa}} \leftarrow D_{\mathbb {Z},\sigma }^{m \times \bar{m}}$, $\mathbf {x}_{\mathsf {oa}} \leftarrow \chi ^{m}, \mathbf {y}_{\mathsf {oa}} \leftarrow \chi ^m$. Set $\mathbf {z}_{\mathsf {oa}} = \mathbf {R}_{\mathsf {oa}}^\top \cdot \mathbf {y}_{\mathsf {oa}} \in \mathbb {Z}^{\bar{m}}$.
  2. b.
    Compute
    $$\begin{aligned} {\left\{ \begin{array}{ll} \mathbf {c}_{\mathsf {oa}}^{(1)} = \bar{\mathbf {A}}^\top \cdot \mathbf {s}_{\mathsf {oa}} + \mathbf {y}_{\mathsf {oa}} \bmod q; \\ \mathbf {c}_{\mathsf {oa}}^{(2)} = (\mathbf {B}_\mathsf {OA}+ \mathbf {H}_{\mathsf {VK}} \cdot \mathbf {G})^\top \cdot \mathbf {s}_{\mathsf {oa}} + \mathbf {z}_{\mathsf {oa}} \bmod q;\\ \mathbf {c}_{\mathsf {oa}}^{(3)} = \mathbf {V}^\top \cdot \mathbf {s}_{\mathsf {oa}} + \mathbf {x}_{\mathsf {oa}} + \mathsf {vdec}_{n,q-1}(\mathbf {h_\mathsf {U}})\cdot \Big \lfloor \frac{q}{2}\Big \rfloor ,\end{array}\right. } \end{aligned}$$
    (16)
    and let $\mathbf {c}_{\mathsf {oa}} = \big (\mathbf {c}_{\mathsf {oa}}^{(1)}, \mathbf {c}_{\mathsf {oa}}^{(2)}, \mathbf {c}_{\mathsf {oa}}^{(3)}\big ) \in \mathbb {Z}_q^m \times \mathbb {Z}_q^{\bar{m}} \times \mathbb {Z}_q^{m}$.
5. 5.
  Compute a one-time signature $\varSigma = \mathsf {Sig}(\mathsf {SK}, (\mathbf {c}_{\mathsf {rec}}, \mathbf {c}_{\mathsf {oa}},L))$.

Output the ciphertext

$$\begin{aligned} \mathbf {\varPsi } = (\mathsf {VK},\mathbf {c}_{\mathsf {rec}}, \mathbf {c}_{\mathsf {oa}}, \varSigma ). \end{aligned}$$

(17)

and the state information $coins_{\mathbf {\varPsi }}=\big ( \mathbf {s}_{\mathsf {rec}}, \mathbf {R}_{\mathsf {rec}} , \mathbf {x}_{\mathsf {rec}}, \mathbf {y}_{\mathsf {rec}}, \mathbf {s}_{\mathsf {oa}}, \mathbf {R}_{\mathsf {oa}} ,\mathbf {x}_{\mathsf {oa}}, \mathbf {y}_{\mathsf {oa}} \big ) $.

$\mathsf {DEC}(\mathsf {sk}_\mathsf {U}, \mathbf {\varPsi },L)$: The decryption algorithm proceeds as follows:
1. 1.
  If $\mathsf {Ver}\big (\mathsf {VK}, \varSigma , ( \mathbf {c}_{\mathsf {rec}}, \mathbf {c}_{\mathsf {oa}},L)\big ) = 0$, return $\bot $. Otherwise, parse the secret key $\mathsf {sk}_\mathsf {U}$ as $\mathbf {T}_\mathsf {U}\in \mathbb {Z}^{m \times \bar{m}}$ and the ciphertext $\mathbf {\varPsi }$ as in (17). Define the matrix $\mathbf {B}_{\mathsf {VK}} = \mathbf {B}_\mathsf {U}+\mathsf {FRD}(\mathsf {VK}) \cdot \mathbf {G} \in \mathbb {Z}_q^{n \times \bar{m}}$.
2. 2.
  Decrypt $\mathbf {c}_{\mathsf {rec}}$ using a decryption key for the tag $\mathsf {VK}\in \mathbb {Z}^n$. Namely,
  1. a.
    Define $\mathbf {B}_{\mathsf {U},\mathsf {VK}} = [ \bar{\mathbf {A}} | \mathbf {B}_\mathsf {VK}] = [ \bar{\mathbf {A}} | \bar{\mathbf {A}} \cdot \mathbf {T}_{\mathsf {U}} + \mathsf {FRD}(\mathsf {VK}) \cdot \mathbf {G} ] \in \mathbb {Z}_q^{n \times (m+\bar{m})} $. Using $\mathbf {T}_\mathsf {U}$ and the publicly known trapdoor $\mathbf {T}_{\mathbf {G}}$ of $\mathbf {G}$, compute a small-norm matrix $\mathbf {E}_{\mathsf {VK}} \in \mathbb {Z}^{(m+ \bar{m}) \times m} $ such that $\mathbf {B}_{\mathsf {U},\mathsf {VK}} \cdot \mathbf {E}_{\mathsf {VK}} = \mathbf {U} \bmod q$ by running the $\mathsf {SampleRight}$ algorithm of Lemma 5.
  2. b.
    Compute
    $$\begin{aligned} \mathbf {w} = \left\lfloor \Bigl ( \mathbf {c}_{\mathsf {rec}}^{(3)} - \mathbf {E}_{\mathsf {VK}}^\top \cdot \begin{bmatrix} \mathbf {c}_{\mathsf {rec}}^{(1)} \\ \mathbf {c}_{\mathsf {rec}}^{(2)} \end{bmatrix} \Bigr ) / \left\lfloor \frac{q}{2} \right\rfloor \right\rceil \in \mathbb {Z}^m \end{aligned}$$
    and return the obtained $\mathbf {w} \in \{0,1\}^m$.

$\mathsf {OPEN}(\mathsf {sk}_{\mathsf {OA}}, \mathbf {\varPsi },L)$: The opening algorithm proceeds as follows:
1. 1.
  If $\mathsf {Ver}\big (\mathsf {VK}, \varSigma , (\mathbf {c}_{\mathsf {rec}}, \mathbf {c}_{\mathsf {oa}}),L\big ) = 0$, then return $\bot $. Otherwise, parse $\mathsf {sk}_{\mathsf {OA}}$ as $\mathbf {T}_\mathsf {OA}\in \mathbb {Z}^{m \times \bar{m}}$ and the ciphertext $\mathbf {\varPsi }$ as in (17).
2. 2.
  Decrypt $\mathbf {c}_{\mathsf {oa}}$ using a decryption key for the tag $\mathsf {VK}\in \mathbb {Z}_q^n$ in the same way as in the decryption algorithm. That is, do the following:
  1. a.
    Define the matrix $\mathbf {B}_{\mathsf {OA},\mathsf {VK}} = [ \bar{\mathbf {A}} | \mathbf {B}_\mathsf {OA}+ \mathsf {FRD}(\mathsf {VK}) \cdot \mathbf {G} ] \in \mathbb {Z}_q^{n \times (m+\bar{m})} $. Use $\mathbf {T}_\mathsf {OA}$ to compute a small-norm $\mathbf {E}_{\mathsf {OA},\mathsf {VK}} \in \mathbb {Z}^{(m+\bar{m}) \times m} $ satisfying $\mathbf {B}_{\mathsf {OA},\mathsf {VK}} \cdot \mathbf {E}_{\mathsf {OA},\mathsf {VK}} = \mathbf {V} \bmod q$.
  2. b.
    Compute
    $$\begin{aligned} \mathbf {h} = \left\lfloor \Bigl ( \mathbf {c}_{\mathsf {oa}}^{(3)} - \mathbf {E}_{\mathsf {OA},\mathsf {VK}}^\top \cdot \begin{bmatrix} \mathbf {c}_{\mathsf {oa}}^{(1)} \\ \mathbf {c}_{\mathsf {oa}}^{(2)} \end{bmatrix} \Bigr ) /\left\lfloor \frac{q}{2} \right\rfloor \right\rceil \in \{0,1\}^{m} \end{aligned}$$
    and $\mathbf {h}_\mathsf {U}'=\mathbf {H}_{2n,q-1} \cdot \mathbf {h} \in \mathbb {Z}_q^{2n}$.
3. 3.
  Look up $\mathsf {database}$ to find a public key $\mathsf {pk}_\mathsf {U}=\mathbf {B}_\mathsf {U}\in \mathbb {Z}_q^{n \times \bar{m}}$ that hashes to $\mathbf {h}_\mathsf {U}' \in \mathbb {Z}_q^{2n}$ (i.e., such that $\mathbf {h}_\mathsf {U}'= \mathbf {F} \cdot \mathsf {mdec}_{n,\bar{m},q}(\mathbf {B}_\mathsf {U}^\top )$). If more than one such key exists, return $\perp $. If only one key $\mathsf {pk}_\mathsf {U}=\mathbf {B}_{\mathsf {U}} \in \mathbb {Z}_q^{n \times \bar{m}}$ satisfies $\mathbf {h}_\mathsf {U}'= \mathbf {F} \cdot \mathsf {mdec}_{n,\bar{m},q}(\mathbf {B}_\mathsf {U}^\top )$, return that key $\mathsf {pk}_\mathsf {U}$. In any other situation, return $\bot $.

$\langle \mathcal {P}, \mathcal {V}\rangle $: The common input consists of $\mathsf {param}$ and $\mathsf {pk}_{\mathsf {GM}} $ as specified above, as well as $(\mathbf {A}_R, \mathbf {u}_R) \in \mathbb {Z}_q^{n \times m} \times \mathbb {Z}_q^n$, $\mathsf {pk}_{\mathsf {OA}} = \mathbf {B}_{\mathsf {OA}} \in \mathbb {Z}_q^{n \times \bar{m}}$, and a ciphertext $\mathbf {\varPsi }$ as in (17). Both parties compute $ \mathbf {B}_{\mathsf {OA},\mathsf {VK}} = [ \bar{\mathbf {A}} | \mathbf {B}_\mathsf {OA}+ \mathsf {FRD}(\mathsf {VK}) \cdot \mathbf {G} ] $ as specified above. The prover’s secret input consists of a witness $\mathbf {w} \in \{0,1\}^m$, $\mathsf {pk}_\mathsf {U}= \mathbf {B}_\mathsf {U}$, $\mathsf {cert}_\mathsf {U}= (\tau ,\mathbf {d},\mathbf {r}) \in \{0,1\}^\ell \times \mathbb {Z}^{2m} \times \mathbb {Z}^m$, and the random coins $coins_{\mathbf {\varPsi }}=\big ( \mathbf {s}_{\mathsf {rec}}, \mathbf {R}_{\mathsf {rec}} , \mathbf {x}_{\mathsf {rec}}, \mathbf {y}_{\mathsf {rec}}, \mathbf {s}_{\mathsf {oa}}, \mathbf {R}_{\mathsf {oa}} ,\mathbf {x}_{\mathsf {oa}}, \mathbf {y}_{\mathsf {oa}} \big ) $ used to generate $\mathbf {\varPsi }$.

The prover’s goal is to convince the verifier in zero-knowledge that his secret input satisfies the following:
1. 1.
  $\mathbf {A}_R \cdot \mathbf {w} = \mathbf {u}_R \bmod q$.
2. 2.
  $\mathbf {h_M} = \mathbf {F}\cdot \mathsf {mdec}_{n,m,q}(\mathbf {M}) \bmod q$.
3. 3.
  Conditions (13) and (14) hold.
4. 4.
  Vectors $\mathbf {x}_{\mathsf {rec}}, \mathbf {y}_{\mathsf {rec}}, \mathbf {x}_{\mathsf {oa}}, \mathbf {y}_{\mathsf {oa}}$ have infinity norms bounded by B, and vectors $\mathbf {z}_{\mathsf {rec}}, \mathbf {z}_{\mathsf {oa}}$ have infinity norms bounded by $\beta mB$.
5. 5.
  Equations in (15) and (16) hold.

To this end $\mathcal {P}$ conducts the following steps.

1.
Decompose the matrix $\mathbf {B}_\mathsf {U}\in \mathbb {Z}_q^{n \times \bar{m}}$ into $\mathbf {b}_{\mathsf {U}} = \mathsf {mdec}_{n,\bar{m},q}(\mathbf {B}_{\mathsf {U}}^\top ) \in \{0,1\}^{n\bar{m}k}$ and the vectors $\mathbf {s}_{\mathsf {rec}} ,\mathbf {s}_{\mathsf {oa}} \in \mathbb {Z}_q^n$ into $\mathbf {s}_{0,\mathsf {rec}} = \mathsf {vdec}_{n,q-1}(\mathbf {s}_{\mathsf {rec}}) \in \{0,1\}^{nk}$ and $\mathbf {s}_{0,\mathsf {oa}} = \mathsf {vdec}_{n,q-1}(\mathbf {s}_{\mathsf {oa}}) \in \{0,1\}^{nk}$. Combine the first two binary vectors into $\mathbf {z}_{\mathbf {\varPsi }} = \mathsf {expand}^{\otimes }(\mathbf {b}_{\mathsf {U}},\mathbf {s}_{0,\mathsf {rec}}) \in \{0,1\}^{4n \bar{m} k^2}$. Define
$$\mathbf {Q} = \mathbf {H}_{\bar{m},q-1} \cdot [\overbrace{\mathbf {Q}_0 | \ldots | \mathbf {Q}_0}^{n \text { times }}] \in \mathbb {Z}_q^{\bar{m} \times 4n \bar{m} k^2} ,$$
where $\mathbf {Q}_0 = \mathbf {I}_{\bar{m} k} \otimes \mathbf {g}' \in \mathbb {Z}_q^{\bar{m}k \times 4 \bar{m} k^2}$ is the matrix defined as in (7).
2.
Generate a zero-knowledge argument of knowledge of
$$\begin{aligned} \left\{ \begin{array}{l} \tau \in \{0,1\}^\ell ,~\mathbf {d}=[\mathbf {d}_1^\top | \mathbf {d}_2^\top ]^\top \in [-\beta ,\beta ]^{2m},~\mathbf {r} \in [-\beta ,\beta ]^m \\ \mathbf {t}_{\mathsf {U}} \in \{0,1\}^{m},~\mathbf {w}_{\mathsf {U}} \in \{0,1\}^{\bar{m}} \\ \mathbf {b}_{\mathsf {U}} \in \{0,1\}^{n \bar{m} k}, ~\mathbf {s}_{0,\mathsf {rec}} \in \{0,1\}^{nk},~ \mathbf {z}_{\mathbf {\varPsi }} = \mathsf {expand}^{\otimes }(\mathbf {b}_{\mathsf {U}},\mathbf {s}_{0,\mathsf {rec}}) \\ \mathbf {x}_{\mathsf {rec}}, ~\mathbf {y}_{\mathsf {rec}} \in [-B,B]^m,~ \mathbf {z}_{\mathsf {rec}} \in [-\beta mB, \beta mB]^{\bar{m}} , ~\mathbf {w} \in \{0,1\}^m, \\ \mathbf {s}_{0,\mathsf {oa}} \in \{0,1\}^{nk},~\mathbf {x}_{\mathsf {oa}}, ~\mathbf {y}_{\mathsf {oa}} \in [-B,B]^m, ~\mathbf {z}_{\mathsf {oa}} \in [-\beta mB,\beta mB]^{\bar{m}}\end{array} \right. \end{aligned}$$

such that the following system of 10 equations holds:

$$\begin{aligned} {\left\{ \begin{array}{ll} \mathbf {u}= [\mathbf {A} | \mathbf {A}_0 | \mathbf {A}_1 | \ldots | \mathbf {A}_\ell ]\cdot \left( \begin{array}{c} \mathbf {d}_1 \\ \mathbf {d}_2 \\ \tau [1]\cdot \mathbf {d}_2 \\ \vdots \\ \tau [\ell ]\cdot \mathbf {d}_2\\ \end{array} \right) + (-\mathbf {D})\cdot \mathbf {w}_\mathsf{U} \bmod q, \\[5pt] \mathbf {0} = \mathbf {H}_{n, q-1}\cdot \mathbf {w}_\mathsf{U} + (-\mathbf {D}_0)\cdot \mathbf {r} + (-\mathbf {D}_1)\cdot \mathbf {t}_\mathsf{U} \bmod q, \\[5pt] \mathbf {0} = \mathbf {H}_{2n,q-1}\cdot \mathbf {t}_\mathsf{U} + (-\mathbf {F})\cdot \mathbf {b}_\mathsf{U}\bmod q, \\[5pt] \mathbf {c}_{\mathsf {rec}}^{(1)} = (\bar{\mathbf {A}}^\top \cdot \mathbf {H}_{n,q-1}) \cdot \mathbf {s}_{0,\mathsf {rec}} + \mathbf {I}_m\cdot \mathbf {y}_{\mathsf {rec}} \bmod q, \\[5pt] \mathbf {c}_{\mathsf {rec}}^{(2)} = \mathbf {Q}\cdot \mathbf {z}_{\mathbf {\varPsi }} + (\mathbf {G}^\top \cdot \mathbf {H}_{\mathsf {VK}}^\top \cdot \mathbf {H}_{n,q-1})\cdot \mathbf {s}_{0,\mathsf {rec}} + \mathbf {I}_{\bar{m}} \cdot \mathbf {z}_{\mathsf {rec}} \bmod q, \\[5pt] \mathbf {c}_{\mathsf {rec}}^{(3)} = (\mathbf {U}^\top \cdot \mathbf {H}_{n,q-1})\cdot \mathbf {s}_{0,\mathsf {rec}} + \mathbf {I}_m\cdot \mathbf {x}_{\mathsf {rec}} + (\lfloor \frac{q}{2}\rfloor \cdot \mathbf {I}_m)\cdot \mathbf {w} \bmod q, \\[5pt] \mathbf {u}_R = \mathbf {A}_R\cdot \mathbf {w} \bmod q, \\[5pt] \mathbf {c}_{\mathsf {oa}}^{(1)} = (\bar{\mathbf A}^\top \cdot \mathbf {H}_{n,q-1})\cdot \mathbf {s}_{0,\mathsf {oa}} + \mathbf {I}_m\cdot \mathbf {y}_{\mathsf {oa}} \bmod q, \\[5pt] \mathbf {c}_{\mathsf {oa}}^{(2)} = [(\mathbf {B}_{\mathsf {OA}} + \mathbf {H}_{\mathsf {VK}}\cdot \mathbf {G})^\top \cdot \mathbf {H}_{n,q-1}]\cdot \mathbf {s}_{0,\mathsf {oa}} + \mathbf {I}_{\bar{m}}\cdot \mathbf {z}_{\mathsf {oa}} \bmod q, \\[5pt] \mathbf {c}_{\mathsf {oa}}^{(3)} = (\mathbf {V}^\top \cdot \mathbf {H}_{n,q-1})\cdot \mathbf {s}_{0, \mathsf {oa}} + \mathbf {I}_m\cdot \mathbf {x}_{\mathsf {oa}} + (\lfloor \frac{q}{2}\rfloor \cdot \mathbf {I}_m)\cdot \mathbf {t}_{\mathsf {U}} \bmod q. \end{array}\right. } \end{aligned}$$

(18)

Let $\mathbf {w}_1 = \mathbf {b}_{\mathsf {U}}$, $\mathbf {w}_2 = \mathbf {s}_{0,\mathsf {rec}}$, $\mathbf {w}_3 = \mathbf {z}_{\mathbf {\varPsi }} = \mathsf {expand}^{\otimes }(\mathbf {b}_{\mathsf {U}},\mathbf {s}_{0,\mathsf {rec}})$, $\mathbf {w}_4 = \mathbf {w}_{\mathsf {U}}$, $\mathbf {w}_5 = \mathbf {t}_{\mathsf {U}}$, $\mathbf {w}_6 = \mathbf {s}_{0,\mathsf {oa}}$, $\mathbf {w}_7 = \mathbf {w}$, $\mathbf {w}_8 = \mathbf {x}_{\mathsf {rec}}$, $\mathbf {w}_9 = \mathbf {y}_{\mathsf {rec}}$, $\mathbf {w}_{10} = \mathbf {z}_{\mathsf {rec}}$, $\mathbf {w}_{11} = \mathbf {r}$, $\mathbf {w}_{12} = \mathbf {x}_{\mathsf {oa}}$, $\mathbf {w}_{13} = \mathbf {y}_{\mathsf {oa}}$, $\mathbf {w}_{14}= \mathbf {z}_{\mathsf {oa}}$ and

$$\mathbf {w}_{15}= \big (\mathbf {d}_1^\top \Vert \mathbf {d}_2^\top \Vert \tau [1]\cdot \mathbf {d}_2^\top \Vert \ldots \Vert \tau [\ell ]\cdot \mathbf {d}_2^\top \big )^\top .$$

Then system (18) can be rewritten as:

(19)

where $\{\mathbf {M}_{i,j}\}_{(i,j) \in [10] \times [15]}$, $\{\mathbf {v}_i\}_{i \in [10]}$ are public matrices and vectors (which are possibly zero).

The argument system is obtained by invoking the protocol from Sect. 4.2. The protocol is repeated $\kappa $ times to make the soundness error negligibly small.

5.2 Efficiency and Correctness

Efficiency. It can be seen that the given group encryption scheme can be implemented in polynomial time. We now will evaluate the bit-sizes of keys and ciphertext, as well as the communication cost of the protocol $\langle \mathcal {P}, \mathcal {V}\rangle $.

The public key of GM, as in (12), has bit-size $\mathcal {O}(\ell n^2 \log ^2 q) = \widetilde{\mathcal {O}}(\ell \lambda ^2)$.
The public keys of OA and each user both have bit-size $n\bar{m}\lceil \log _2 q\rceil = \widetilde{\mathcal {O}}(\lambda ^2)$.
The secret key of each party in the scheme is a trapdoor of bit-size $\widetilde{\mathcal {O}}(\lambda ^2)$. The user’s certificate $\mathsf {cert}_{\mathsf {U}}$ has bit-size $\widetilde{\mathcal {O}}(\lambda )$.
The ciphertext $\mathbf {\varPsi }$ consists of $\mathsf {VK}\in \mathbb {Z}_q^n$, two ABB ciphertexts of total size $2(2m + \bar{m})\lceil \log _2 q\rceil $ and a one-time signature $\varSigma $. Thus, its bit-size is $\widetilde{\mathcal {O}}(\lambda ) + \big |\varSigma \big |$.
The communication cost of the protocol $\langle \mathcal {P}, \mathcal {V}\rangle $ is largely dominated by the bit-size of the witness $\mathbf {z}_{\mathbf {\varPsi }} = \mathsf {expand}^{\otimes }(\mathbf {b}_{\mathsf {U}},\mathbf {s}_{0,\mathsf {rec}}) \in \{0,1\}^{4n \bar{m} k^2}$. The total cost is $\kappa \cdot \mathcal {O}(n^2 \log ^4 q) = \widetilde{\mathcal {O}}(\lambda ^2)$ bits.

Correctness. The given group encryption scheme is correct with overwhelming probability. We first remark that the scheme parameters are set up so that the two instances of the ABB identity-based encryption [1] are correct. Indeed, during the decryption procedure of $\mathsf {DEC}(\mathsf {sk}_\mathsf {U}, \mathbf {\varPsi },L)$, we have:

$$ \mathbf {c}_{\mathsf {rec}}^{(3)} - \mathbf {E}_{\mathsf {VK}}^\top \cdot \begin{bmatrix} \mathbf {c}_{\mathsf {rec}}^{(1)} \\ \mathbf {c}_{\mathsf {rec}}^{(2)} \end{bmatrix} = \mathbf {x}_{\mathsf {rec}} - \mathbf {E}_{\mathsf {VK}}^\top \cdot \begin{bmatrix} \mathbf {y}_{\mathsf {rec}} \\ \mathbf {z}_{\mathsf {rec}} \end{bmatrix} + \mathbf {w}\cdot \left\lfloor \frac{q}{2} \right\rfloor . $$

Note that $\Vert \mathbf {x}_{\mathsf {rec}}\Vert _\infty $ and $\Vert \mathbf {y}_{\mathsf {rec}}\Vert _\infty $ are bounded by B, and $\Vert \mathbf {z}_{\mathsf {rec}}\Vert _\infty = \Vert \mathbf {R}_{\mathsf {rec}}^\top \cdot \mathbf {y}_{\mathsf {rec}}\Vert _\infty \le \beta m B = \widetilde{\mathcal {O}}(n^2)$. Furthermore, the entries of the discrete Gaussian matrix $\mathbf {E}_{\mathsf {VK}}^\top $ are bounded by $\widetilde{\mathcal {O}}(\sqrt{n})$. Hence, the error term $\mathbf {x}_{\mathsf {rec}} - \mathbf {E}_{\mathsf {VK}}^\top \cdot \begin{bmatrix} \mathbf {y}_{\mathsf {rec}} \\ \mathbf {z}_{\mathsf {rec}} \end{bmatrix}$ is bounded by $\widetilde{\mathcal {O}}(n^{3.5})$ which is much smaller than $q/4 = \widetilde{\mathcal {O}}(n^4)$. As a result, the decryption algorithm returns $\mathbf {w}$ with overwhelming probability. The correctness of algorithm $\mathsf {OPEN}(\mathsf {sk}_{\mathsf {OA}}, \mathbf {\varPsi },L)$ also follows from a similar argument.

Finally, we note that if a certified group user honestly follows all the prescribed algorithms, then he should be able to compute valid witness-vectors to be used in the protocol $\langle \mathcal {P}, \mathcal {V}\rangle $, and he should be accepted by the verifier, thanks to the perfect completeness of the argument system in Sect. 4.2.

Our scheme is proven secure under the $\mathsf {SIS}$ and $\mathsf {LWE}$ assumptions using classical reduction techniques. The detailed security proofs are given in the full version of the paper.

Notes

1.
This means that, for any two distinct one-time verification keys $\mathsf {VK},\mathsf {VK}' \in \mathbb {Z}_q^n$, the difference $\mathsf {FRD}(\mathsf {VK}) - \mathsf {FRD}(\mathsf {VK}') \in \mathbb {Z}_q^{n \times n}$ is invertible over $\mathbb {Z}_q$.

References

Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010). doi:10.1007/978-3-642-13190-5_28
Chapter Google Scholar
Aguilar Melchor, C., Bettaieb, S., Boyen, X., Fousse, L., Gaborit, P.: Adapting lyubashevsky’s signature schemes to the ring signature setting. In: Youssef, A., Nitaj, A., Hassanien, A.E. (eds.) AFRICACRYPT 2013. LNCS, vol. 7918, pp. 1–25. Springer, Heidelberg (2013). doi:10.1007/978-3-642-38553-7_1
Chapter Google Scholar
Aimani, L., Joye, M.: Toward practical group encryption. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 237–252. Springer, Heidelberg (2013). doi:10.1007/978-3-642-38980-1_15
Chapter Google Scholar
Ajtai, M.: Generating hard instances of the short basis problem. In: Wiedermann, J., Emde Boas, P., Nielsen, M. (eds.) ICALP 1999. LNCS, vol. 1644, pp. 1–9. Springer, Heidelberg (1999). doi:10.1007/3-540-48523-6_1
Chapter Google Scholar
Alwen, J., Peikert, C.: Generating shorter bases for hard random lattices. In: STACS 2009. LIPIcs, vol. 3, pp. 75–86. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, Germany (2009)
Google Scholar
Banaszczyk, W.: New bounds in some transference theorems in the geometry of number. Math. Ann. 296(1), 625–635 (1993)
Article MathSciNet MATH Google Scholar
Bellare, M., Boldyreva, A., Desai, A., Pointcheval, D.: Key-privacy in public-key encryption. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 566–582. Springer, Heidelberg (2001). doi:10.1007/3-540-45682-1_33
Chapter Google Scholar
Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: CCS 1993, pp. 62–73. ACM Press (1993)
Google Scholar
Benhamouda, F., Camenisch, J., Krenn, S., Lyubashevsky, V., Neven, G.: Better zero-knowledge proofs for lattice encryption and their application to group signatures. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 551–572. Springer, Heidelberg (2014). doi:10.1007/978-3-662-45611-8_29
Google Scholar
Benhamouda, F., Krenn, S., Lyubashevsky, V., Pietrzak, K.: Efficient zero-knowledge proofs for commitments from learning with errors over rings. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9326, pp. 305–325. Springer, Heidelberg (2015). doi:10.1007/978-3-319-24174-6_16
Chapter Google Scholar
Böhl, F., Hofheinz, D., Jager, T., Koch, J., Striecks, C.: Confined guessing: new signatures from standard assumptions. J. Cryptology 28(1), 176–208 (2015)
Article MathSciNet MATH Google Scholar
Boneh, D., Boyen, X.: Efficient Selective-ID secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004). doi:10.1007/978-3-540-24676-3_14
Chapter Google Scholar
Boyen, X.: Lattice mixing and vanishing trapdoors: a framework for fully secure short signatures and more. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 499–517. Springer, Heidelberg (2010). doi:10.1007/978-3-642-13013-7_29
Chapter Google Scholar
Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: On the classical hardness of learning with errors. In: STOC 2013, pp. 575–584. ACM (2013)
Google Scholar
Camenisch, J., Lysyanskaya, A.: A signature scheme with efficient protocols. In: Cimato, S., Persiano, G., Galdi, C. (eds.) SCN 2002. LNCS, vol. 2576, pp. 268–289. Springer, Heidelberg (2003). doi:10.1007/3-540-36413-7_20
Chapter Google Scholar
Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 207–222. Springer, Heidelberg (2004). doi:10.1007/978-3-540-24676-3_13
Chapter Google Scholar
Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 523–552. Springer, Heidelberg (2010). doi:10.1007/978-3-642-13190-5_27
Chapter Google Scholar
Cathalo, J., Libert, B., Yung, M.: Group encryption: non-interactive realization in the standard model. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 179–196. Springer, Heidelberg (2009). doi:10.1007/978-3-642-10366-7_11
Chapter Google Scholar
Chaum, D., Heyst, E.: Group signatures. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 257–265. Springer, Heidelberg (1991). doi:10.1007/3-540-46416-6_22
Google Scholar
Ezerman, M.F., Lee, H.T., Ling, S., Nguyen, K., Wang, H.: A provably secure group signature scheme from code-based assumptions. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 260–285. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48797-6_12
Chapter Google Scholar
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). doi:10.1007/3-540-47721-7_12
Chapter Google Scholar
Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC 2009, pp. 169–178. ACM (2009)
Google Scholar
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC 2008, pp. 197–206. ACM (2008)
Google Scholar
O. Goldreich, S. Goldwasser, and S. Halevi. Collision-Free Hashing from Lattice Problems. ECCC 3(42) (1996)
Google Scholar
Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof-systems. In: STOC 1985, pp. 291–304. ACM (1985)
Google Scholar
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Predicate encryption for circuits from LWE. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 503–523. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48000-7_25
Chapter Google Scholar
Gordon, S.D., Katz, J., Vaikuntanathan, V.: A group signature scheme from lattice assumptions. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 395–412. Springer, Heidelberg (2010). doi:10.1007/978-3-642-17373-8_23
Chapter Google Scholar
Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008). doi:10.1007/978-3-540-78967-3_24
Chapter Google Scholar
Izabachène, M., Pointcheval, D., Vergnaud, D.: Mediated traceable anonymous encryption. In: Abdalla, M., Barreto, P.S.L.M. (eds.) LATINCRYPT 2010. LNCS, vol. 6212, pp. 40–60. Springer, Heidelberg (2010). doi:10.1007/978-3-642-14712-8_3
Chapter Google Scholar
Jain, A., Krenn, S., Pietrzak, K., Tentes, A.: Commitments and efficient zero-knowledge proofs from learning parity with noise. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 663–680. Springer, Heidelberg (2012). doi:10.1007/978-3-642-34961-4_40
Chapter Google Scholar
Kawachi, A., Tanaka, K., Xagawa, K.: Concurrently secure identification schemes based on the worst-case hardness of lattice problems. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 372–389. Springer, Heidelberg (2008). doi:10.1007/978-3-540-89255-7_23
Chapter Google Scholar
Kiayias, A., Tsiounis, Y., Yung, M.: Traceable signatures. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 571–589. Springer, Heidelberg (2004). doi:10.1007/978-3-540-24676-3_34
Chapter Google Scholar
Kiayias, A., Tsiounis, Y., Yung, M.: Group encryption. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 181–199. Springer, Heidelberg (2007). doi:10.1007/978-3-540-76900-2_11
Chapter Google Scholar
Kiayias, A., Yung, M.: Group signatures with efficient concurrent join. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 198–214. Springer, Heidelberg (2005). doi:10.1007/11426639_12
Chapter Google Scholar
Laguillaumie, F., Langlois, A., Libert, B., Stehlé, D.: Lattice-based group signatures with logarithmic signature size. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 41–61. Springer, Heidelberg (2013). doi:10.1007/978-3-642-42045-0_3
Chapter Google Scholar
Langlois, A., Ling, S., Nguyen, K., Wang, H.: Lattice-based group signature scheme with verifier-local revocation. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 345–361. Springer, Heidelberg (2014). doi:10.1007/978-3-642-54631-0_20
Chapter Google Scholar
Libert, B., Ling, S., Mouhartem, F., Nguyen, K., Wang, H.: Signature schemes with efficient protocols and dynamic group signatures from lattice assumptions. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, vol. 10032, pp. 373–403. Springer, Heidelberg (2016)
Google Scholar
Libert, B., Ling, S., Nguyen, K., Wang, H.: Zero-knowledge arguments for lattice-based accumulators: logarithmic-size ring signatures and group signatures without trapdoors. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 1–31. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49896-5_1
Chapter Google Scholar
Libert, B., Yung, M., Joye, M., Peters, T.: Traceable group encryption. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 592–610. Springer, Heidelberg (2014). doi:10.1007/978-3-642-54631-0_34
Chapter Google Scholar
Ling, S., Nguyen, K., Stehlé, D., Wang, H.: Improved zero-knowledge proofs of knowledge for the ISIS problem, and applications. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 107–124. Springer, Heidelberg (2013). doi:10.1007/978-3-642-36362-7_8
Chapter Google Scholar
Ling, S., Nguyen, K., Wang, H.: Group signatures from lattices: simpler, tighter, shorter, ring-based. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 427–449. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46447-2_19
Google Scholar
Lyubashevsky, V.: Lattice-based identification schemes secure under active attacks. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 162–179. Springer, Heidelberg (2008). doi:10.1007/978-3-540-78440-1_10
Chapter Google Scholar
Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). doi:10.1007/978-3-642-29011-4_41
Chapter Google Scholar
Micciancio, D., Vadhan, S.P.: Statistical zero-knowledge proofs with efficient provers: lattice problems and more. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 282–298. Springer, Heidelberg (2003). doi:10.1007/978-3-540-45146-4_17
Chapter Google Scholar
Nguyen, P.Q., Zhang, J., Zhang, Z.: Simpler efficient group signatures from lattices. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 401–426. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46447-2_18
Google Scholar
Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999). doi:10.1007/3-540-48910-X_16
Google Scholar
Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem. In: STOC 2009, pp. 333–342. ACM (2009)
Google Scholar
Peikert, C., Vaikuntanathan, V.: Noninteractive statistical zero-knowledge proofs for lattice problems. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 536–553. Springer, Heidelberg (2008). doi:10.1007/978-3-540-85174-5_30
Chapter Google Scholar
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC 2005, pp. 84–93. ACM (2005)
Google Scholar
Rückert, M.: Lattice-based blind signatures. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 413–430. Springer, Heidelberg (2010). doi:10.1007/978-3-642-17373-8_24
Chapter Google Scholar
Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 688–689. Springer, Heidelberg (1990). doi:10.1007/3-540-46885-4_68
Chapter Google Scholar
Stern, J.: A new paradigm for public key identification. IEEE Trans. Inf. Theory 42(6), 1757–1768 (1996)
Article MathSciNet MATH Google Scholar
Trolin, M., Wikström, D.: Hierarchical group signatures. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 446–458. Springer, Heidelberg (2005). doi:10.1007/11523468_37
Chapter Google Scholar
Xie, X., Xue, R., Wang, M.: Zero knowledge proofs from ring-LWE. In: Abdalla, M., Nita-Rotaru, C., Dahab, R. (eds.) CANS 2013. LNCS, vol. 8257, pp. 57–73. Springer, Heidelberg (2013). doi:10.1007/978-3-319-02937-5_4
Chapter Google Scholar

Download references

Acknowledgements

We thank Damien Stehlé for useful discussions and the reviewers for useful comments. The first author was funded by the “Programme Avenir Lyon Saint-Etienne de l’Université de Lyon” in the framework of the programme “Investissements d’Avenir” (ANR-11-IDEX-0007). San Ling, Khoa Nguyen and Huaxiong Wang were supported by the “Singapore Ministry of Education under Research Grant MOE2013-T2-1-041”. Huaxiong Wang was also supported by NTU under Tier 1 grant RG143/14.

Author information

Authors and Affiliations

École Normale Supérieure de Lyon, Laboratoire LIP, Lyon, France
Benoît Libert & Fabrice Mouhartem
School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore, Singapore
San Ling, Khoa Nguyen & Huaxiong Wang

Authors

Benoît Libert
View author publications
You can also search for this author in PubMed Google Scholar
San Ling
View author publications
You can also search for this author in PubMed Google Scholar
Fabrice Mouhartem
View author publications
You can also search for this author in PubMed Google Scholar
Khoa Nguyen
View author publications
You can also search for this author in PubMed Google Scholar
Huaxiong Wang
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Benoît Libert .

Editor information

Editors and Affiliations

Seoul National University, Seoul, Korea (Republic of)
Jung Hee Cheon
Kyushu University, Fukuoka, Japan
Tsuyoshi Takagi

A Building Blocks

1.1 A.1 Signatures Supporting Zero-Knowledge Proofs

We use a signature scheme proposed by Libert, Ling, Mouhartem, Nguyen and Wang [37] who extended the Böhl et al. signature [11] (which is itself built upon Boyen’s signature [13]) into a signature scheme compatible with zero-knowledge proofs. While the scheme was designed to sign messages comprised of multiple blocks, we only use the single-block version here.

Keygen $(1^\lambda ,q,n,m,\ell ,\sigma )$: This algorithm takes as input a security parameter $\lambda >0$ as well as the following parameters: $n = \mathcal {O}(\lambda )$; a prime modulus $q = \widetilde{\mathcal {O}}( n^{4})$; dimension $m =2n \lceil \log q \rceil $; an integer $\ell = \mathsf {poly}(\lambda )$; and Gaussian parameters $\sigma = \varOmega (\sqrt{n\log q}\log n)$. It defines the message space as $\{0,1\}^{m}$.
1. 1.
  Run $\mathsf {TrapGen}(1^n,1^m,q)$ to get $\mathbf {A} \in \mathbb {Z}_q^{n \times m}$ and a short basis $\mathbf {T}_{\mathbf {A}}$ of $\varLambda _q^{\perp }(\mathbf {A}).$ This basis allows computing short vectors in $\varLambda _q^{\perp }(\mathbf {A})$ with a Gaussian parameter $\sigma $. Next, choose $\ell +1$ random $\mathbf {A}_0,\mathbf {A}_1,\ldots ,\mathbf {A}_{\ell } \hookleftarrow U(\mathbb {Z}_q^{n \times m})$.
2. 2.
  Choose random matrices $\mathbf {D} \hookleftarrow U(\mathbb {Z}_q^{n \times m/2})$, $\mathbf {D}_0,\mathbf {D}_1 \hookleftarrow U(\mathbb {Z}_q^{n \times m})$ as well as a random vector $\mathbf {u} \hookleftarrow U(\mathbb {Z}_q^n)$.
The private key consists of $SK:= \mathbf {T}_{\mathbf {A}} $ and the public key is
$${PK}:=\big ( \mathbf {A}, ~ \{\mathbf {A}_j \}_{j=0}^{\ell }, ~ \mathbf {D}_0,~\mathbf {D}_1,~\mathbf {D}, ~\mathbf {u} \big ).$$
Sign $\big (SK, \mathfrak {m} \big )$: To sign a message $\mathfrak {m} \in \{0,1\}^{m} $,
1. 1.
  Choose a random binary string $\tau \hookleftarrow U(\{0,1\}^\ell )$. Then, using $SK:= \mathbf {T}_{\mathbf {A}} $, compute a short delegated basis $\mathbf {T}_\tau \in \mathbb {Z}^{2m \times 2m}$ for the matrix
  $$\begin{aligned} \mathbf {A}_{\tau }= [ \mathbf {A} \mid \mathbf {A}_0 + \sum _{j=1}^\ell \tau [j] \mathbf {A}_j ] \in \mathbb {Z}_q^{ n \times 2m}. \end{aligned}$$
  (20)
2. 2.
  Choose a discrete Gaussian vector $\mathbf {r} \hookleftarrow D_{\mathbb {Z}^{m},\sigma }$. Compute $\mathbf {c}_M \in \mathbb {Z}_q^{n}$ as a chameleon hash of $\mathfrak {m}$. Namely, compute $\mathbf {c}_M = \mathbf {D}_{0} \cdot \mathbf {r} + \mathbf {D}_1 \cdot \mathfrak {m} \in \mathbb {Z}_q^{n} ,$ which is used to define $\mathbf {u}_M=\mathbf {u} + \mathbf {D} \cdot \mathsf {vdec}_{n,q-1}( \mathbf {c}_M) \in \mathbb {Z}_q^n .$ Using the delegated basis $\mathbf {T}_\tau \in \mathbb {Z}^{2m \times 2m}$, sample a short vector $\mathbf {v} \in \mathbb {Z}^{2m}$ in $D_{\varLambda _q^{\mathbf {u}_M}(\mathbf {A}_\tau ), \sigma }$.
Output the signature $sig=(\tau ,\mathbf {v},\mathbf {r}) \in \{0,1\}^\ell \times \mathbb {Z}^{2m} \times \mathbb {Z}^m$.
Verify $\big (PK,\mathfrak {m},sig\big )$: Given PK, $\mathfrak {m} \in \{0,1\}^{m}$ and $sig=(\tau ,\mathbf {v},\mathbf {r}) \in \{0,1\}^\ell \times \mathbb {Z}^{2m} \times \mathbb {Z}^{m}$, return 1 if $\Vert \mathbf {v} \Vert < \sigma \sqrt{2m}$, $\Vert \mathbf {r} \Vert < \sigma \sqrt{m}$ and
$$\begin{aligned} \mathbf {A}_{\tau } \cdot \mathbf {v}= & {} \mathbf {u} + \mathbf {D} \cdot \mathsf {vdec}_{n,q-1}( \mathbf {D}_0 \cdot \mathbf {r} + \mathbf {D}_1 \cdot \mathfrak {m} ) \bmod q. \end{aligned}$$
(21)

Like [11, 13], the scheme of [37] was proved secure under the $\mathsf {SIS}$ assumption and shown to easily interact with Stern-like protocols when it comes to proving knowledge of a hidden message-signature pair. While such proofs would also be possible using Boyen’s signature [13], the number of public matrices $\{\mathbf {A}_j\}_{j=0}^\ell $ in the public key can be reduced from $\varTheta (n \cdot \log q)$ to $\varTheta (\lambda )$ using the scheme of [37].

The above description uses a slightly different variant of [37] where, at step 2 of the signing algorithm, a different binary decomposition of $\mathbf {c}_M$ is used to compute $\mathbf {u}_M$: while [37] uses the standard binary decomposition, we use a non-unique encoding based on the $\mathsf {vdec}$ function for convenience. However, the security proof of [37] goes through with this encoding since the function $\mathsf {vdec}_{n,q-1}(.)$ is injective.

Lemma 6

([37, Theorem 1]). The above signature scheme is unforgeable under chosen-message attacks if the $\mathsf {SIS}$ assumption holds.

1.2 A.2 The Agrawal-Boneh-Boyen IBE Scheme

Identity-Based Encryption. An IBE scheme is a tuple of efficient algorithms $(\mathsf {Setup}, \mathsf {Extract}_\mathsf {PP}, \mathsf {Encrypt}_\mathsf {PP}, \mathsf {Decrypt}_\mathsf {PP})$ such that

Setup $(1^\lambda )$: On security parameter $\lambda $, this algorithm outputs public parameters $\mathsf {PP}$ and a master secret key $\mathsf {msk}$.
Extract $_\mathsf {PP}(\mathsf {msk}, \mathsf {ID})$: Takes as input a master secret key $\mathsf {msk}$ and an identity $\mathsf {ID}$ and outputs a secret key $\mathsf {sk}_\mathsf {ID}$.
Encrypt $_\mathsf {PP}(\mathsf {ID}, M)$: Given an identity $\mathsf {ID}$ and a message M, it outputs a ciphertext C.
Decrypt $_\mathsf {PP}(\mathsf {sk}_\mathsf {ID}, C)$: Given a secret key $\mathsf {sk}_\mathsf {ID}$ and a ciphertext C, outputs either a decryption error symbol $\bot $, or a message M.

Correctness requires that, for any pair $(\mathsf {PP}, \mathsf {msk}) \leftarrow \mathsf {Setup} (1^\lambda )$, any $\mathsf {ID}$ and any message M, we have $\mathsf {Decrypt}_\mathsf {PP}\bigl (\textsf {Extract}_\mathsf {PP}(\mathsf {msk}, \mathsf {ID}), \mathsf {Encrypt}_\mathsf {PP}(\mathsf {ID}, M)\bigr ) = M.$

Our proofs rely on the semantic security of the scheme against selective adversaries (IND-sID-CPA) but also on the stronger property of ciphertext pseudo-randomness. Informally, this notions demands that the adversary be unable to distinguish an encryption of a message of its choice from a random element of the ciphertext space $\mathcal {C}$. Notice that this property implies IND-sID-CPA security.

Definition 4

An IBE scheme has pseudo-random-ciphertexts if no PPT adversary $\mathcal {A} $ with access to private key extraction oracle ${\textsf {Extract}}_{\textsf {PP}}({\textsf {msk,}} \cdot )$ has non-negligible advantage $ \mathbf {Adv}_{\mathcal {A}}^{\mathrm {ROR}}\!\left( \lambda \right) = | \Pr \bigl [ \mathbf {Expt}_{\mathcal {A}}^\mathrm {ROR} = 1 \bigr ] - \frac{1}{2} | $ in this game:

The ABB System. Agrawal, Boneh and Boyen described [1] a compact IBE scheme in the standard model which allows encrypting multi-bit messages.

Setup $(1^\lambda )$: Given a security parameter $\lambda $, choose parameters $q, n, \sigma , \alpha $ and define $k =\lfloor \log q \rfloor $, $\bar{m}= nk$, $m = 2 \bar{m}$ and choose a noise distribution $\chi $ for $\mathsf {LWE}$.
1. 1.
  Compute $(\bar{\mathbf A}, \mathbf {T}_{\bar{\mathbf {A}}}) \leftarrow \mathsf {TrapGen}(1^n, 1^m, q)$.
2. 2.
  Define $\mathbf {G} = \mathbf {I}_n \otimes [1|2|\ldots |2^{k-1}] \in \mathbb {Z}_q^{n \times \bar{m}}$. Sample matrices $\mathbf B \hookleftarrow U(\mathbb {Z}_q^{ n \times \bar{m}}) $, $ \mathbf U \hookleftarrow U(\mathbb {Z}_q^{n \times m})$.
3. 3.
  Let $\mathsf {FRD}: \mathbb {Z}_q^n \rightarrow \mathbb {Z}_q^{n \times n}$ be the full-rank difference mapping from [1].
Output $ \mathsf {PP}= \bigl (\bar{\mathbf A}, \mathbf B, \mathbf U \bigr )$ and $\mathsf {msk}= \mathbf {T}_{\bar{\mathbf A}}$.
Extract $_\mathsf {PP}(\mathsf {msk}, \mathsf {ID})$: Given $\mathsf {msk}= \mathbf {T}_{\bar{\mathbf A}}$ and an identity $\mathsf {ID}\in \mathbb {Z}_q^n$, do as follows:
1. 1.
  Define the matrix $\mathbf B_\mathsf {ID}= \mathbf B + \mathsf {FRD}(\mathsf {ID}) \cdot \mathbf G \in \mathbb {Z}_q^{n \times \bar{m}}$.
2. 2.
  Let $\mathbf B_{\mathbf A, \mathsf {ID}} = \left[ \mathbf A \mid \mathbf B_\mathsf {ID}\right] \in \mathbb {Z}_q^{n \times (m + \bar{m})}$, use $\mathbf T_A$ to compute a delegated basis $\mathbf T_\mathsf {ID}$ for the lattice $\varLambda ^\perp (\mathbf B_{\mathbf A, \mathsf {ID}})$.
3. 3.
  Use $\mathbf T_\mathsf {ID}$ to sample a small-norm matrix $\mathbf E_\mathsf {ID}\in \mathbb {Z}^{(m+ \bar{m}) \times m}$ satisfying the equality $\mathbf B_{\mathbf A, \mathsf {ID}} \cdot \mathbf E_\mathsf {ID}= \mathbf U \bmod q$.
4. 4.
  Output $\mathsf {sk}_\mathsf {ID}= \mathbf E_\mathsf {ID}\in \mathbb {Z}^{(m+ \bar{m}) \times m}$.
Encrypt $_\mathsf {PP}(\mathsf {ID},\mathbf m)$: Given an identity $\mathsf {ID}$ and a message $\mathbf m \in \{0,1\}^m$,
1. 1.
  Compute the matrix $\mathbf B_\mathsf {ID}= \mathbf B + \mathsf {FRD}(\mathsf {ID}) \cdot \mathbf G \in \mathbb {Z}_q^{n \times \bar{m}}$. Sample vectors $\mathbf s \hookleftarrow U(\mathbb {Z}_q^n), \mathbf x, \mathbf y \hookleftarrow \chi ^m$, $\mathbf R \hookleftarrow D_{\mathbb {Z},\sigma }^{m \times \bar{m}}$ and compute $\mathbf z = \mathbf R^\top \cdot \mathbf y \in \mathbf {Z}^m$.
2. 2.
  Compute
  $$\begin{aligned} {\left\{ \begin{array}{ll} \mathbf c^{(1)} = \bar{\mathbf A}^\top \cdot \mathbf s + \mathbf y \bmod q,\\ \mathbf c^{(2)} = \mathbf B_\mathsf {ID}^\top \cdot \mathbf s + \mathbf z \bmod q,\\ \mathbf c^{(3)} = \mathbf U^\top \cdot \mathbf s + \mathbf x + \mathbf m \cdot \left\lfloor \dfrac{q}{2} \right\rfloor . \end{array}\right. } \end{aligned}$$
  (22)
3. 3.
  Output $\mathbf c = \bigl (\mathbf c^{(1)},\mathbf c^{(2)},\mathbf c^{(3)}\bigr ) \in \mathbb {Z}_q^m \times \mathbb {Z}_q^{\bar{m}} \times \mathbb {Z}_q^m$.
Decrypt $_\mathsf {PP}(\mathsf {sk}_\mathsf {ID}, \mathbf c)$: Given $\mathsf {sk}_\mathsf {ID}= \mathbf E_\mathsf {ID}$ and $\mathbf c=\bigl (\mathbf c^{(1)},\mathbf c^{(2)},\mathbf c^{(3)}\bigr ) \in \mathbb {Z}_q^m \times \mathbb {Z}_q^{\bar{m}} \times \mathbb {Z}_q^m$, compute and output $ \mathbf m' = \left\lfloor \left( \mathbf c^{(3)} - \mathbf E_\mathsf {ID}\cdot \begin{bmatrix} \mathbf c^{(1)} \\ \mathbf c^{(2)} \end{bmatrix} \right) \cdot \left\lfloor \dfrac{q}{2} \right\rfloor ^{-1} \right\rceil \in \{0,1\}^m .$

Theorem 2

([1, Theorem 23]). The ABB IBE scheme has pseudo-random ciphertexts if the $\mathsf {LWE}_{n,q,\chi }$ assumption holds.

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Libert, B., Ling, S., Mouhartem, F., Nguyen, K., Wang, H. (2016). Zero-Knowledge Arguments for Matrix-Vector Relations and Lattice-Based Group Encryption. In: Cheon, J., Takagi, T. (eds) Advances in Cryptology – ASIACRYPT 2016. ASIACRYPT 2016. Lecture Notes in Computer Science(), vol 10032. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-53890-6_4

Download citation

DOI: https://doi.org/10.1007/978-3-662-53890-6_4
Published: 09 November 2016
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-53889-0
Online ISBN: 978-3-662-53890-6
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

the International Association for Cryptologic Research (opens in a new tab)

Zero-Knowledge Arguments for Matrix-Vector Relations and Lattice-Based Group Encryption

Abstract

Similar content being viewed by others

Lattice-based group encryptions with only one trapdoor

Better Zero-Knowledge Proofs for Lattice Encryption and Their Application to Group Signatures

Forward-Secure Group Encryptions from Lattices

Keywords

1 Introduction

2 Background and Definitions

2.1 Lattices

Definition 1

Lemma 1

Lemma 2

Lemma 3

Lemma 4

Lemma 5

2.2 Computational Problems

Definition 2

Definition 3

2.3 Syntax and Definitions of Group Encryption

3 Warm-Up: Decompositions, Extensions, Permutations

3.1 Decompositions

3.2 Extensions and Permutations

4 The Supporting Zero-Knowledge Layer

4.1 Proving the LWE Relation with Hidden Matrices

4.2 The Main Zero-Knowledge Argument System

Theorem 1

5 Our Lattice-Based Group Encryption Scheme

5.1 Description of the Scheme

5.2 Efficiency and Correctness

Notes

References

Acknowledgements

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

A Building Blocks

A Building Blocks

1.1 A.1 Signatures Supporting Zero-Knowledge Proofs

Lemma 6

1.2 A.2 The Agrawal-Boneh-Boyen IBE Scheme

Definition 4

Theorem 2

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

Publish with us

Societies and partnerships

Search

Navigation