Group Signatures from Lattices: Simpler, Tighter, Shorter, Ring-based

Transcription

1 Group Signatures from Lattices: Simpler, Tighter, Shorter, Ring-based San Ling and Khoa Nguyen and Huaxiong Wang NTU, Singapore ENS de Lyon, 30/09/2015

2 Content 1 Introduction Previous Works on Lattice-Based Group Signatures Our Results and Comparison 2 Our Techniques A Simple Design for Static Group Signature in the ROM The Development of Stern s Protocol

3 Previous Works on Lattice-Based Group Signatures Schemes in the [BMW 03] model: Scheme GKV10 CNR12 LLLS13 Signature N Õ(n2 ) N Õ(n2 ) log N Õ(n) Public key N Õ(n2 ) Õ(n 2 ) log N Õ(n2 ) User secret key N Õ(n2 ) Õ(n 2 ) Õ(n 2 ) Anonymity SIVPÕ(n 2 ) SIVPÕ(n 2 ) SIVPÕ(n 8 ) Traceability SIVPÕ(n 1.5 ) SIVPÕ(n 2 ) SIVPÕ(n 7.5 ) Encryption layer has to be initialized in accordance with signature layer; long user secret keys; long ciphertexts. None of previous schemes simultaneously achieves logarithmic signature size and weak hardness assumptions. Another open question raised in [LLLS 13]: Ring-based group signature? Khoa Nguyen (NTU, Singapore) Group Signatures from Lattices ENS de Lyon, 30/09/ / 15

4 Our Results and Comparison with Previous Works Lattice-based group signature (in the [BMW 03] model) with: 1 Logarithmic signature and public key sizes + short user secret key. 2 Weak hardness assumptions: the scheme is secure if the underlying encryption and standard signature are secure (i.e., no overhead!). 3 Easy transformation into the ring setting. 4 Simpler construction. Encryption and signature layers are independent. Only log N bits have to be encrypted. Scheme GKV10 CNR12 LLLS13 Scheme (I) Scheme (II) Signature N Õ(n2 ) N Õ(n2 ) log N Õ(n) log N Õ(n) log N Õ(n) Public key N Õ(n2 ) Õ(n 2 ) log N Õ(n2 ) log N Õ(n2 ) log N Õ(n) User secret key N Õ(n2 ) Õ(n 2 ) Õ(n 2 ) Õ(n) Õ(n) Anonymity SIVPÕ(n 2 ) SIVPÕ(n 2 ) SIVPÕ(n 8 ) SIVPÕ(n 2 ) SVP Õ(n 3.5 ) Traceability SIVPÕ(n 1.5 ) SIVPÕ(n 2 ) SIVPÕ(n 7.5 ) SIVPÕ(n 2 ) SVP Õ(n 2 ) Note: All known lattice-based group signatures are proven secure only in the ROM. Khoa Nguyen (NTU, Singapore) Group Signatures from Lattices ENS de Lyon, 30/09/ / 15

5 A Simple Design for Static Group Signatures in the ROM Building blocks: S = (SKg, Sign, SVer); E = (EKg, Enc, Dec); and a good interactive ZK protocol. 1 GKeygen(n, N = 2 l ): (sk, vk) SKg(n); (ek, dk) EKg(n). Set gpk := (vk, ek); gmsk = dk. Each user, identified by d {0, 1} l, is given gsk[d] Sign(sk, d). 2 GSign(gsk[d], M): Compute c Enc(ek, d, r). Generate a ZK protocol to prove the possession of (d, gsk[d], r) satisfying: SVer(vk, gsk[d], d) = 1 Enc(ek, d, r) = c. Transform the protocol to a NIZK Π via Fiat-Shamir (with M included in the RO hashing). Output Σ = (c, Π). 3 GVerify(gpk, Σ, M): Check the validity of Π. 4 GOpen(gmsk = dk, Σ): Output Dec(dk, c). Correctness and security follows from those of S, E and Π. Khoa Nguyen (NTU, Singapore) Group Signatures from Lattices ENS de Lyon, 30/09/ / 15

6 Selection of Lattice-Based Cryptographic Ingredients So, we need to choose secure lattice-based schemes S and E, and then: 1. Equip S with a protocol allowing proving in ZK the possession of a valid message-signature pair, i.e., (d, z) s.t. SVer(vk, z, d) = 1. Khoa Nguyen (NTU, Singapore) Group Signatures from Lattices ENS de Lyon, 30/09/ / 15

7 Selection of Lattice-Based Cryptographic Ingredients So, we need to choose secure lattice-based schemes S and E, and then: 1. Equip S with a protocol allowing proving in ZK the possession of a valid message-signature pair, i.e., (d, z) s.t. SVer(vk, z, d) = 1. We would avoid using ROM schemes obtained via FDH ([GPV 08]) and Fiat-Shamir ([Lyu 12], [DDLL 13]). A protocol for Bonsai signature [CHKP 10] was given in [LLNW 14]. We will do it for the Boyen signature [Boy 10]. Khoa Nguyen (NTU, Singapore) Group Signatures from Lattices ENS de Lyon, 30/09/ / 15

8 Selection of Lattice-Based Cryptographic Ingredients So, we need to choose secure lattice-based schemes S and E, and then: 1. Equip S with a protocol allowing proving in ZK the possession of a valid message-signature pair, i.e., (d, z) s.t. SVer(vk, z, d) = 1. We would avoid using ROM schemes obtained via FDH ([GPV 08]) and Fiat-Shamir ([Lyu 12], [DDLL 13]). A protocol for Bonsai signature [CHKP 10] was given in [LLNW 14]. We will do it for the Boyen signature [Boy 10]. 2. Equip E with a verifiable encryption protocol allowing to prove in ZK: The possession of the plaintext and randomness used to generate c. The plaintext is exactly the signed identity d in the signature layer. Khoa Nguyen (NTU, Singapore) Group Signatures from Lattices ENS de Lyon, 30/09/ / 15

9 Selection of Lattice-Based Cryptographic Ingredients So, we need to choose secure lattice-based schemes S and E, and then: 1. Equip S with a protocol allowing proving in ZK the possession of a valid message-signature pair, i.e., (d, z) s.t. SVer(vk, z, d) = 1. We would avoid using ROM schemes obtained via FDH ([GPV 08]) and Fiat-Shamir ([Lyu 12], [DDLL 13]). A protocol for Bonsai signature [CHKP 10] was given in [LLNW 14]. We will do it for the Boyen signature [Boy 10]. 2. Equip E with a verifiable encryption protocol allowing to prove in ZK: The possession of the plaintext and randomness used to generate c. The plaintext is exactly the signed identity d in the signature layer. Among available options, we choose the CCA2-secure scheme obtained from l-bit GPV-IBE ([GPV 08]) via [BCHK 07]. Both of our ZK components are Stern-type and can be unified easily! Khoa Nguyen (NTU, Singapore) Group Signatures from Lattices ENS de Lyon, 30/09/ / 15

10 Stern s protocol and Kawachi et al. s Adaptation Stern [Ste 96] proposed a protocol for the Syndrome Decoding problem. Kawachi et al. [KTX 08] adapt it into the lattice setting, and obtained a ZK argument of knowledge of x B k m = {v {0, 1} m wt(v) = k} s.t. A x = u mod q, for given (A Z n m q, u Z n q). Khoa Nguyen (NTU, Singapore) Group Signatures from Lattices ENS de Lyon, 30/09/ / 15

11 Stern s protocol and Kawachi et al. s Adaptation Stern [Ste 96] proposed a protocol for the Syndrome Decoding problem. Kawachi et al. [KTX 08] adapt it into the lattice setting, and obtained a ZK argument of knowledge of x B k m = {v {0, 1} m wt(v) = k} s.t. A x = u mod q, for given (A Z n m q, u Z n q). Main ideas: 1 To prove in ZK that x B k m, sample π $ S m, and show the verifier that π(x) B k m. 2 To prove in ZK that A x = u mod q, sample r $ Z m q, and show that: A (x + r) u = A r mod q. Khoa Nguyen (NTU, Singapore) Group Signatures from Lattices ENS de Lyon, 30/09/ / 15

12 Stern s protocol and Kawachi et al. s Adaptation Stern [Ste 96] proposed a protocol for the Syndrome Decoding problem. Kawachi et al. [KTX 08] adapt it into the lattice setting, and obtained a ZK argument of knowledge of x B k m = {v {0, 1} m wt(v) = k} s.t. A x = u mod q, for given (A Z n m q, u Z n q). Main ideas: 1 To prove in ZK that x B k m, sample π $ S m, and show the verifier that π(x) B k m. 2 To prove in ZK that A x = u mod q, sample r $ Z m q, and show that: A (x + r) u = A r mod q. Observation: The constraint x B k m is too restricted. In many constructions, we work with ISIS solutions x [ β, β] m, for some β = poly(n). Khoa Nguyen (NTU, Singapore) Group Signatures from Lattices ENS de Lyon, 30/09/ / 15

13 Ling et al. s Extension of the Stern-KTX Protocol Ling et al. [LNSW 13] extend the witness range to x [ β, β] m for any β 1. A technique called Decomposition-Extension was proposed. Extension step From B k m to { 1, 0, 1} m : A ZK protocol for ISIS n,m,q,1. Denote by B 3m the set of all v { 1, 0, 1} 3m having exactly m coordinates equal to i, for all i { 1, 0, 1}. Note that, for all π S 3m : x B 3m π(x) B 3m. Extend x to x B 3m, and append 2m zero-columns to A to obtain A Z n 3m q. Note that A x = A x. Run the Stern-KTX protocol to prove that x B 3m and A x = u mod q. Khoa Nguyen (NTU, Singapore) Group Signatures from Lattices ENS de Lyon, 30/09/ / 15

14 Decomposition step Let β be any positive integer, and let p = log β + 1. Observe that an integer z [ β, β] iff there exist z 1,..., z p { 1, 0, 1} s.t. z = p j=1 β i z i, where β 1 = β/2, β 2 = (β β 1 )/2, β 3 = (β β 1 β 2 )/2,..., β p = 1. Example: Let β = 115, then p = log (115) + 1 = 7, and: β 1 = 58, β 2 = 29, β 3 = 14, β 4 = 7, β 5 = 4, β 6 = 2, β 7 = 1. Khoa Nguyen (NTU, Singapore) Group Signatures from Lattices ENS de Lyon, 30/09/ / 15

15 Decomposition step Let β be any positive integer, and let p = log β + 1. Observe that an integer z [ β, β] iff there exist z 1,..., z p { 1, 0, 1} s.t. z = p j=1 β i z i, where β 1 = β/2, β 2 = (β β 1 )/2, β 3 = (β β 1 β 2 )/2,..., β p = 1. Example: Let β = 115, then p = log (115) + 1 = 7, and: β 1 = 58, β 2 = 29, β 3 = 14, β 4 = 7, β 5 = 4, β 6 = 2, β 7 = 1. Remark: This sequence was used by Lipmaa et al. [LAN 02] in the context of range proofs, in a more compact form. For j = 1,..., p, β j = β + 2 j 1 2 j. Khoa Nguyen (NTU, Singapore) Group Signatures from Lattices ENS de Lyon, 30/09/ / 15

16 Decomposition step Let β be any positive integer, and let p = log β + 1. Observe that an integer z [ β, β] iff there exist z 1,..., z p { 1, 0, 1} s.t. z = p j=1 β i z i, where β 1 = β/2, β 2 = (β β 1 )/2, β 3 = (β β 1 β 2 )/2,..., β p = 1. Example: Let β = 115, then p = log (115) + 1 = 7, and: β 1 = 58, β 2 = 29, β 3 = 14, β 4 = 7, β 5 = 4, β 6 = 2, β 7 = 1. Remark: This sequence was used by Lipmaa et al. [LAN 02] in the context of range proofs, in a more compact form. For j = 1,..., p, β j = β + 2 j 1 2 j. From { 1, 0, 1} m to [ β, β] m : We can efficiently decompose any x [ β; β] m into p vectors v 1,..., v p { 1, 0, 1} m s.t. x = p j=1 β j v j. A ZKP for ISIS n,m,q,β can be obtained from p instances for ISIS n,m,q,1. Khoa Nguyen (NTU, Singapore) Group Signatures from Lattices ENS de Lyon, 30/09/ / 15

17 Our Development: ZK Protocol for Boyen s Signature Recall that, given vk of the signature scheme S, we have to prove in ZK the possession of a pair (d, z) s.t. SVer(vk, z, d) = 1. Khoa Nguyen (NTU, Singapore) Group Signatures from Lattices ENS de Lyon, 30/09/ / 15

18 Our Development: ZK Protocol for Boyen s Signature Recall that, given vk of the signature scheme S, we have to prove in ZK the possession of a pair (d, z) s.t. SVer(vk, z, d) = 1. When S is Boyen s signature: Public input: Matrices A, A 0,..., A l Z n m q and vector u Z n q Prover s input: d = (d 1,..., d l ) {0, 1} l and z [ β, β] 2m Prover s goal: Proving that A [d] z = u mod q, where: A [d] = [ A A 0 + l i=1 d i A i ] Z n 2m q. If d were publicly given, this is an ISIS relation, and there are several protocols for it ([MV 03,Lyu 08,LNSW 13]). Khoa Nguyen (NTU, Singapore) Group Signatures from Lattices ENS de Lyon, 30/09/ / 15

19 We first transform the equation [ A A 0 + l i=1 d i A i ] z = u mod q into the friendly form: (public matrix) (secret vector) = (public vector) modq, where secret vector contains information of both d and z. Let z = (x y), where x, y [ β, β] m, we have: n A A 0 A 1 A l m x y d 1 y u = (mod q) d l y Observation: We obtain an ISIS relation A z = u mod q, where the solution z has a special structure. Khoa Nguyen (NTU, Singapore) Group Signatures from Lattices ENS de Lyon, 30/09/ / 15

20 n A A 0 A 1 A l 0 0 x u = (mod q) m y d 1 y d l y d l+1 y Main ideas: d 2l y Further extensions! Here, d l+1,..., d 2l are bits s.t. the extended vector d = (d 1,..., d l, d l+1,..., d 2l ) {0, 1} 2l has weight exactly equal to l. Khoa Nguyen (NTU, Singapore) Group Signatures from Lattices ENS de Lyon, 30/09/ / 15

21 n A A 0 A 1 A l 0 0 x u = (mod q) m y d 1 y d l y d l+1 y Main ideas: d 2l y Further extensions! Here, d l+1,..., d 2l are bits s.t. the extended vector d = (d 1,..., d l, d l+1,..., d 2l ) {0, 1} 2l has weight exactly equal to l. Proving the knowledge of x and y is a simple adaptation of [LNSW 13]. We randomly permute the blocks of (d 1 y,..., d l y, d l+1 y,..., d 2l y) and show that it has exactly l blocks equal to y. This convinces the verifier that the original vector has the form (d 1 y,..., d l y) for certain (d 1,..., d l ) {0, 1} l. In short, we employ a composition of 3 random permutations, for x, y and d, resp. Khoa Nguyen (NTU, Singapore) Group Signatures from Lattices ENS de Lyon, 30/09/ / 15

22 A Verifiable Encryption Protocol for l-bit Dual-Regev Given public key (B, G) and ciphertext (c 1, c 2 ), prove in ZK the knowledge of s Z n q (might be small), small (e 1 Z m, e 2 Z l ) and d {0, 1} l s.t. ( c1 = B T s + e 1, c 2 = G T s + e 2 + q/2 d ). n l m B T s + e d = c 1 (mod q) l G T e 2 q 2 I l c 2 Khoa Nguyen (NTU, Singapore) Group Signatures from Lattices ENS de Lyon, 30/09/ / 15

23 A Verifiable Encryption Protocol for l-bit Dual-Regev Given public key (B, G) and ciphertext (c 1, c 2 ), prove in ZK the knowledge of s Z n q (might be small), small (e 1 Z m, e 2 Z l ) and d {0, 1} l s.t. ( c1 = B T s + e 1, c 2 = G T s + e 2 + q/2 d ). n l m B T s + e d = c 1 (mod q) l G T e 2 q 2 I l c 2 This can be done by adapting the techniques from [LNSW13]. Unifying with the protocol for Boyen s signature: Extend and permute d exactly in the same way. Khoa Nguyen (NTU, Singapore) Group Signatures from Lattices ENS de Lyon, 30/09/ / 15

24 Summary and Brief Comparison with a Concurrent Work Our contributions: 1 An improved lattice-based static group signature scheme: Simpler design approach. Weaker hardness assumptions. (No overhead!) Shorter public key, shorter ciphertext. Easy transformation into a ring-based scheme. 2 A new tool: ZKAoK of a valid message-signature pair for Boyen s signature. Khoa Nguyen (NTU, Singapore) Group Signatures from Lattices ENS de Lyon, 30/09/ / 15

25 Summary and Brief Comparison with a Concurrent Work Our contributions: 1 An improved lattice-based static group signature scheme: Simpler design approach. Weaker hardness assumptions. (No overhead!) Shorter public key, shorter ciphertext. Easy transformation into a ring-based scheme. 2 A new tool: ZKAoK of a valid message-signature pair for Boyen s signature. Concurrently, [NZZ 15] also obtain a scheme simpler than previous works. The features of their scheme in comparison with ours: Public key and signature sizes are asymptotically shorter, but the secret key of each user is longer, i.e., a matrix in Z 2m 2m of size Õ(n2 ). Parameters are much larger, e.g., q = m 2.5 max(m 6 ω(log 2.5 m), 4N); Hardness assumptions are stronger, e.g., SIVPÕ(n 8.5 ) for traceability. The encryption layer and the users keygen layer are still not independent. Khoa Nguyen (NTU, Singapore) Group Signatures from Lattices ENS de Lyon, 30/09/ / 15

26 Thank you! Khoa Nguyen (NTU, Singapore) Group Signatures from Lattices ENS de Lyon, 30/09/ / 15