Group Signatures from Lattices: Simpler, Tighter, Shorter, Ring-based
1  Group Signatures from Lattices: Simpler, Tighter, Shorter, Ring-based
   San Ling, Khoa Nguyen and Huaxiong Wang (NTU, Singapore)
   ENS de Lyon, 30/09/2015

2  Content
   1 Introduction
     Previous Works on Lattice-Based Group Signatures
     Our Results and Comparison
   2 Our Techniques
     A Simple Design for Static Group Signature in the ROM
     The Development of Stern's Protocol
3  Previous Works on Lattice-Based Group Signatures
   Schemes in the [BMW 03] model:

   Scheme           GKV10             CNR12             LLLS13
   Signature        N * Õ(n^2)        N * Õ(n^2)        log N * Õ(n)
   Public key       N * Õ(n^2)        Õ(n^2)            log N * Õ(n^2)
   User secret key  N * Õ(n^2)        Õ(n^2)            Õ(n^2)
   Anonymity        SIVP_Õ(n^2)       SIVP_Õ(n^2)       SIVP_Õ(n^8)
   Traceability     SIVP_Õ(n^1.5)     SIVP_Õ(n^2)       SIVP_Õ(n^7.5)

   - The encryption layer has to be initialized in accordance with the signature layer; long user secret keys; long ciphertexts.
   - None of the previous schemes simultaneously achieves logarithmic signature size and weak hardness assumptions.
   - Another open question raised in [LLLS 13]: a ring-based group signature?

   [Slide footer: Khoa Nguyen (NTU, Singapore), Group Signatures from Lattices, ENS de Lyon, 30/09/2015]
4  Our Results and Comparison with Previous Works
   Lattice-based group signature (in the [BMW 03] model) with:
   1 Logarithmic signature and public key sizes + short user secret key.
   2 Weak hardness assumptions: the scheme is secure if the underlying encryption and standard signature are secure (i.e., no overhead!).
   3 Easy transformation into the ring setting.
   4 Simpler construction: the encryption and signature layers are independent, and only log N bits have to be encrypted.

   Scheme           GKV10             CNR12             LLLS13            Scheme (I)        Scheme (II)
   Signature        N * Õ(n^2)        N * Õ(n^2)        log N * Õ(n)      log N * Õ(n)      log N * Õ(n)
   Public key       N * Õ(n^2)        Õ(n^2)            log N * Õ(n^2)    log N * Õ(n^2)    log N * Õ(n)
   User secret key  N * Õ(n^2)        Õ(n^2)            Õ(n^2)            Õ(n)              Õ(n)
   Anonymity        SIVP_Õ(n^2)       SIVP_Õ(n^2)       SIVP_Õ(n^8)       SIVP_Õ(n^2)       SVP_Õ(n^3.5)
   Traceability     SIVP_Õ(n^1.5)     SIVP_Õ(n^2)       SIVP_Õ(n^7.5)     SIVP_Õ(n^2)       SVP_Õ(n^2)

   Note: All known lattice-based group signatures are proven secure only in the ROM.
5  A Simple Design for Static Group Signatures in the ROM
   Building blocks: a signature scheme S = (SKg, Sign, SVer); an encryption scheme E = (EKg, Enc, Dec); and a good interactive ZK protocol.
   1 GKeygen(n, N = 2^l): (sk, vk) <- SKg(n); (ek, dk) <- EKg(n). Set gpk := (vk, ek); gmsk := dk. Each user, identified by d in {0,1}^l, is given gsk[d] <- Sign(sk, d).
   2 GSign(gsk[d], M): Compute c <- Enc(ek, d, r). Generate a ZK protocol to prove the possession of (d, gsk[d], r) satisfying SVer(vk, gsk[d], d) = 1 and Enc(ek, d, r) = c. Transform the protocol into a NIZK Π via Fiat-Shamir (with M included in the RO hashing). Output Σ = (c, Π).
   3 GVerify(gpk, Σ, M): Check the validity of Π.
   4 GOpen(gmsk = dk, Σ): Output Dec(dk, c).
   Correctness and security follow from those of S, E and Π.
6-9  Selection of Lattice-Based Cryptographic Ingredients
   So, we need to choose secure lattice-based schemes S and E, and then:
   1. Equip S with a protocol for proving in ZK the possession of a valid message-signature pair, i.e., (d, z) s.t. SVer(vk, z, d) = 1.
      We would avoid using ROM schemes obtained via FDH ([GPV 08]) and Fiat-Shamir ([Lyu 12], [DDLL 13]).
      A protocol for the Bonsai signature [CHKP 10] was given in [LLNW 14]. We will do it for the Boyen signature [Boy 10].
   2. Equip E with a verifiable encryption protocol allowing one to prove in ZK:
      - the possession of the plaintext and of the randomness used to generate c;
      - that the plaintext is exactly the signed identity d in the signature layer.
      Among the available options, we choose the CCA2-secure scheme obtained from l-bit GPV-IBE ([GPV 08]) via [BCHK 07].
   Both of our ZK components are Stern-type and can be unified easily!
10-12  Stern's protocol and Kawachi et al.'s Adaptation
   Stern [Ste 96] proposed a protocol for the Syndrome Decoding problem. Kawachi et al. [KTX 08] adapted it to the lattice setting and obtained a ZK argument of knowledge of $x \in B^k_m = \{v \in \{0,1\}^m : \mathrm{wt}(v) = k\}$ such that $A x = u \bmod q$, for given $(A \in \mathbb{Z}_q^{n \times m}, u \in \mathbb{Z}_q^n)$.
   Main ideas:
   1 To prove in ZK that $x \in B^k_m$, sample $\pi \xleftarrow{\$} S_m$ and show the verifier that $\pi(x) \in B^k_m$.
   2 To prove in ZK that $A x = u \bmod q$, sample $r \xleftarrow{\$} \mathbb{Z}_q^m$ and show that $A(x + r) - u = A r \bmod q$.
   Observation: the constraint $x \in B^k_m$ is too restrictive. In many constructions we work with ISIS solutions $x \in [-\beta, \beta]^m$, for some $\beta = \mathrm{poly}(n)$.
13  Ling et al.'s Extension of the Stern-KTX Protocol
   Ling et al. [LNSW 13] extend the witness range to $x \in [-\beta, \beta]^m$ for any $\beta \ge 1$. A technique called Decomposition-Extension was proposed.
   Extension step, from $B^k_m$ to $\{-1,0,1\}^m$: a ZK protocol for $\mathrm{ISIS}_{n,m,q,1}$.
   - Denote by $B_{3m}$ the set of all $v \in \{-1,0,1\}^{3m}$ having exactly $m$ coordinates equal to $i$, for each $i \in \{-1,0,1\}$. Note that, for all $\pi \in S_{3m}$: $x \in B_{3m} \Leftrightarrow \pi(x) \in B_{3m}$.
   - Extend $x$ to $x' \in B_{3m}$, and append $2m$ zero-columns to $A$ to obtain $A' \in \mathbb{Z}_q^{n \times 3m}$. Note that $A' x' = A x$.
   - Run the Stern-KTX protocol to prove that $x' \in B_{3m}$ and $A' x' = u \bmod q$.
14-16  Decomposition step
   Let $\beta$ be any positive integer, and let $p = \lfloor \log_2 \beta \rfloor + 1$. Observe that an integer $z \in [-\beta, \beta]$ iff there exist $z_1, \ldots, z_p \in \{-1,0,1\}$ s.t. $z = \sum_{j=1}^{p} \beta_j z_j$, where $\beta_1 = \lceil \beta/2 \rceil$, $\beta_2 = \lceil (\beta - \beta_1)/2 \rceil$, $\beta_3 = \lceil (\beta - \beta_1 - \beta_2)/2 \rceil$, ..., $\beta_p = 1$.
   Example: Let $\beta = 115$; then $p = \lfloor \log_2 115 \rfloor + 1 = 7$, and $\beta_1 = 58, \beta_2 = 29, \beta_3 = 14, \beta_4 = 7, \beta_5 = 4, \beta_6 = 2, \beta_7 = 1$.
   Remark: this sequence was used by Lipmaa et al. [LAN 02] in the context of range proofs, in a more compact form: for $j = 1, \ldots, p$, $\beta_j = \lfloor (\beta + 2^{j-1}) / 2^j \rfloor$.
   From $\{-1,0,1\}^m$ to $[-\beta, \beta]^m$: we can efficiently decompose any $x \in [-\beta, \beta]^m$ into $p$ vectors $v_1, \ldots, v_p \in \{-1,0,1\}^m$ s.t. $x = \sum_{j=1}^{p} \beta_j v_j$. A ZKP for $\mathrm{ISIS}_{n,m,q,\beta}$ can thus be obtained from $p$ instances of $\mathrm{ISIS}_{n,m,q,1}$.
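The two Stern ideas (permutation and masking, slides 10-12) and the Decomposition-Extension technique (slides 13-16) carried out on a toy ISIS instance. This is an added example written for this page, not code from the talk or from [LNSW 13]; all matrices, vectors and the modulus are constructed toy values, and the $\beta = 115$ sequence is the slide's own example.

```python
from math import floor, log2
import random


def beta_sequence(beta):
    """beta_1 = ceil(beta/2), beta_2 = ceil((beta - beta_1)/2), ..., beta_p = 1."""
    seq, rem = [], beta                  # rem = beta - (beta_1 + ... + beta_{j-1})
    while rem > 0:
        b = (rem + 1) // 2               # ceil(rem / 2)
        seq.append(b)
        rem -= b
    return seq


def beta_closed_form(beta):
    """Same sequence via the compact [LAN 02] formula beta_j = floor((beta + 2^(j-1)) / 2^j)."""
    p = floor(log2(beta)) + 1
    return [(beta + 2 ** (j - 1)) // 2 ** j for j in range(1, p + 1)]


def decompose_int(z, beta):
    """Write z in [-beta, beta] as sum_j beta_j * z_j with every z_j in {-1, 0, 1}.
    Greedy works: after fixing digits 1..j, the remaining digits still reach every
    value up to beta - (beta_1 + ... + beta_j), which is at least beta_j - 1."""
    if abs(z) > beta:
        raise ValueError("z outside [-beta, beta]")
    digits = []
    for b in beta_sequence(beta):
        if z >= b:
            digits.append(1); z -= b
        elif z <= -b:
            digits.append(-1); z += b
        else:
            digits.append(0)
    assert z == 0                        # the sequence always covers the whole range
    return digits


def decompose_vec(x, beta):
    """x in [-beta, beta]^m  ->  p vectors v_1..v_p in {-1,0,1}^m with x = sum_j beta_j v_j."""
    per_coord = [decompose_int(z, beta) for z in x]      # m lists of p digits
    return [list(col) for col in zip(*per_coord)]         # transpose: p lists of m entries


def extend_to_B3m(v):
    """Extension step: pad v in {-1,0,1}^m with 2m coordinates so that the result
    has exactly m entries equal to each of -1, 0, 1, i.e. lies in B_3m."""
    m = len(v)
    tail = []
    for t in (-1, 0, 1):
        tail += [t] * (m - v.count(t))
    return v + tail


def in_B3m(w, m):
    """Membership test the Stern-type verifier applies to the permuted vector pi(w)."""
    return len(w) == 3 * m and all(w.count(t) == m for t in (-1, 0, 1))


def matvec_mod(A, x, q):
    return [sum(a * b for a, b in zip(row, x)) % q for row in A]


def stern_masking_check(A, x, u, q, seed=None):
    """Second Stern idea: mask x with a uniform r; the relation A(x + r) - u = A r (mod q)
    can be checked without revealing x.  Returns True when it holds."""
    rng = random.Random(seed)
    r = [rng.randrange(q) for _ in x]
    masked = matvec_mod(A, [xi + ri for xi, ri in zip(x, r)], q)
    lhs = [(a - b) % q for a, b in zip(masked, u)]
    return lhs == matvec_mod(A, r, q)


def isis_via_decomposition_extension(A, x, q, beta):
    """Check that A x = u (mod q) with x in [-beta, beta]^m is equivalent to the p relations
    on A' = [A | 0^{n x 2m}] and v'_j = extend(v_j) in B_3m:  sum_j beta_j (A' v'_j) = u (mod q).
    Each v'_j is also run through a random permutation and the B_3m test (first Stern idea).
    Returns (u, ok)."""
    m = len(x)
    u = matvec_mod(A, x, q)
    A_ext = [row + [0] * (2 * m) for row in A]            # append 2m zero columns
    acc = [0] * len(A)
    for b, v in zip(beta_sequence(beta), decompose_vec(x, beta)):
        v_ext = extend_to_B3m(v)
        pi = random.sample(range(3 * m), 3 * m)            # random permutation of 3m positions
        if not in_B3m([v_ext[i] for i in pi], m):         # B_3m is permutation-invariant
            return u, False
        Av = matvec_mod(A_ext, v_ext, q)                   # A' v'_j = A v_j
        acc = [(a + b * c) % q for a, c in zip(acc, Av)]
    return u, acc == u and stern_masking_check(A, x, u, q)


# Constructed toy instance: n = 2, m = 3, q = 1009, beta = 115 (the slide's example).
TOY_A = [[3, 991, 17], [250, 4, 777]]
TOY_X = [115, -100, 37]
```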
17-18  Our Development: ZK Protocol for Boyen's Signature
   Recall that, given vk of the signature scheme S, we have to prove in ZK the possession of a pair (d, z) s.t. SVer(vk, z, d) = 1.
   When S is Boyen's signature:
   - Public input: matrices $A, A_0, \ldots, A_l \in \mathbb{Z}_q^{n \times m}$ and a vector $u \in \mathbb{Z}_q^n$.
   - Prover's input: $d = (d_1, \ldots, d_l) \in \{0,1\}^l$ and $z \in [-\beta, \beta]^{2m}$.
   - Prover's goal: proving that $A_{[d]} \, z = u \bmod q$, where $A_{[d]} = [\, A \mid A_0 + \sum_{i=1}^{l} d_i A_i \,] \in \mathbb{Z}_q^{n \times 2m}$.
   If d were publicly given, this would be an ISIS relation, for which several protocols exist ([MV 03], [Lyu 08], [LNSW 13]).
19  We first transform the equation $[\, A \mid A_0 + \sum_{i=1}^{l} d_i A_i \,] \, z = u \bmod q$ into the friendly form
   (public matrix) * (secret vector) = (public vector) mod q,
   where the secret vector contains information on both d and z. Let $z = (x \| y)$ with $x, y \in [-\beta, \beta]^m$; then we have
   $$ [\, A \mid A_0 \mid A_1 \mid \cdots \mid A_l \,] \cdot (x \| y \| d_1 y \| \cdots \| d_l y) = u \pmod q, $$
   where each block of the public matrix has $n$ rows and $m$ columns.
   Observation: we obtain an ISIS relation $A' z' = u \bmod q$ where the solution $z'$ has a special structure.
20-21  Further extensions
   $$ [\, A \mid A_0 \mid A_1 \mid \cdots \mid A_l \mid 0 \mid \cdots \mid 0 \,] \cdot (x \| y \| d_1 y \| \cdots \| d_l y \| d_{l+1} y \| \cdots \| d_{2l} y) = u \pmod q $$
   Here, $d_{l+1}, \ldots, d_{2l}$ are bits s.t. the extended vector $d' = (d_1, \ldots, d_l, d_{l+1}, \ldots, d_{2l}) \in \{0,1\}^{2l}$ has weight exactly equal to $l$.
   Main ideas:
   - Proving the knowledge of x and y is a simple adaptation of [LNSW 13].
   - We randomly permute the blocks of $(d_1 y, \ldots, d_l y, d_{l+1} y, \ldots, d_{2l} y)$ and show that it has exactly $l$ blocks equal to $y$. This convinces the verifier that the original vector has the form $(d_1 y, \ldots, d_l y)$ for certain $(d_1, \ldots, d_l) \in \{0,1\}^l$.
   - In short, we employ a composition of 3 random permutations, for x, y and d, respectively.
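The friendly-form rewriting of the Boyen verification equation (slide 19) and the weight-l extension of d with the block-permutation check (slides 20-21), on a toy instance. This is an added example for this page, not the authors' code; the parameters n = 2, m = 2, l = 3, q = 97 and all matrices are constructed values, and no Gaussian sampling or trapdoor is involved (the "signature" z is simply a short vector chosen by hand, so only the algebra of the rewriting is exercised).

```python
import random


def matvec_mod(A, x, q):
    return [sum(a * b for a, b in zip(row, x)) % q for row in A]


def hconcat(*mats):
    """[ M_1 | M_2 | ... ]: concatenate matrices (lists of rows) side by side."""
    return [sum((list(row) for row in rows), []) for rows in zip(*mats)]


def boyen_matrix(A, A0, As, d, q):
    """A_[d] = [ A | A_0 + sum_i d_i A_i ] mod q, the verification matrix for identity d."""
    rows, cols = len(A0), len(A0[0])
    right = [[(A0[r][c] + sum(di * Ai[r][c] for di, Ai in zip(d, As))) % q
              for c in range(cols)] for r in range(rows)]
    return hconcat(A, right)


def friendly_matrix(A, A0, As):
    """Public matrix of the friendly form: [ A | A_0 | A_1 | ... | A_l ]."""
    return hconcat(A, A0, *As)


def friendly_secret(x, y, d):
    """Secret vector (x || y || d_1 y || ... || d_l y): carries both z = (x||y) and d."""
    return list(x) + list(y) + [di * yi for di in d for yi in y]


def extend_identity(d):
    """d' = (d_1..d_l, d_{l+1}..d_{2l}) in {0,1}^{2l} with weight exactly l."""
    l, w = len(d), sum(d)
    return list(d) + [1] * (l - w) + [0] * w


def friendly_form_agrees(A, A0, As, x, y, d, q):
    """Does A_[d] z equal [A|A_0|...|A_l|0|...|0] (x||y||d'_1 y||...||d'_{2l} y) mod q?
    The l appended zero blocks absorb the padding bits d_{l+1..2l}."""
    m, l = len(y), len(d)
    u = matvec_mod(boyen_matrix(A, A0, As, d, q), list(x) + list(y), q)
    A_ext = [row + [0] * (l * m) for row in friendly_matrix(A, A0, As)]
    u2 = matvec_mod(A_ext, friendly_secret(x, y, extend_identity(d)), q)
    return u == u2


def blocks_equal_to_y(y, d_ext, seed=None):
    """Verifier-side view of the Stern-type idea: the blocks of (d'_1 y, ..., d'_{2l} y)
    are shuffled at random and the verifier counts how many equal y.  For y != 0 the
    count is exactly l iff wt(d') = l, while the shuffle hides which d_i were 1."""
    blocks = [[di * yi for yi in y] for di in d_ext]
    random.Random(seed).shuffle(blocks)
    return sum(1 for b in blocks if b == list(y))


# Constructed toy parameters: n = 2, m = 2, l = 3, q = 97.
TOY_Q = 97
TOY_A = [[5, 11], [23, 2]]
TOY_A0 = [[7, 40], [3, 19]]
TOY_AS = [[[1, 2], [3, 4]], [[9, 8], [7, 6]], [[13, 0], [0, 13]]]
TOY_X, TOY_Y, TOY_D = [-4, 9], [6, -1], [1, 0, 1]
```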
22-23  A Verifiable Encryption Protocol for l-bit Dual-Regev
   Given public key (B, G) and ciphertext $(c_1, c_2)$, prove in ZK the knowledge of $s \in \mathbb{Z}_q^n$ (might be small), small $(e_1 \in \mathbb{Z}^m, e_2 \in \mathbb{Z}^l)$ and $d \in \{0,1\}^l$ s.t.
   $$ c_1 = B^T s + e_1, \qquad c_2 = G^T s + e_2 + \lfloor q/2 \rfloor \, d. $$
   In matrix form (n, m and l label the block dimensions):
   $$ \begin{bmatrix} B^T & I_m & 0 & 0 \\ G^T & 0 & I_l & \lfloor q/2 \rfloor I_l \end{bmatrix} \cdot (s \| e_1 \| e_2 \| d) = (c_1 \| c_2) \pmod q. $$
   This can be done by adapting the techniques from [LNSW 13]. Unifying with the protocol for Boyen's signature: extend and permute d in exactly the same way.
24-25  Summary and Brief Comparison with a Concurrent Work
   Our contributions:
   1 An improved lattice-based static group signature scheme: simpler design approach; weaker hardness assumptions (no overhead!); shorter public key, shorter ciphertext; easy transformation into a ring-based scheme.
   2 A new tool: a ZKAoK of a valid message-signature pair for Boyen's signature.
   Concurrently, [NZZ 15] also obtain a scheme simpler than previous works. The features of their scheme in comparison with ours:
   - Public key and signature sizes are asymptotically shorter, but the secret key of each user is longer, i.e., a matrix in $\mathbb{Z}^{2m \times 2m}$ of size $\tilde O(n^2)$.
   - Parameters are much larger, e.g., $q = m^{2.5} \max(m^6 \, \omega(\log^{2.5} m), 4N)$.
   - Hardness assumptions are stronger, e.g., $\mathrm{SIVP}_{\tilde O(n^{8.5})}$ for traceability.
   - The encryption layer and the users' keygen layer are still not independent.
26  Thank you!
More informationNotes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.
COS 533: Advanced Cryptography Lecture 9 (October 11, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Udaya Ghai Notes for Lecture 9 1 Last Time Last time, we introduced zero knowledge proofs
More informationDr George Danezis University College London, UK
Dr George Danezis University College London, UK Identity as a proxy to check credentials Username decides access in Access Control Matrix Sometime it leaks too much information Real world examples Tickets
More informationLattice-Based Group Signatures with Logarithmic Signature Size
Lattice-Based Group Signatures with Logarithmic Signature Size Faien Laguillaumie 1,3, Adeline Langlois 2,3, Benoît Liert 4, and Damien Stehlé 2,3 1 Université Claude Bernard Lyon 1 2 École Normale Supérieure
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationAnalysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh
Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh Bruno Produit Institute of Computer Science University of Tartu produit@ut.ee December 19, 2017 Abstract This document is an analysis
More informationA Generic Hybrid Encryption Construction in the Quantum Random Oracle Model
A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model Presented by: Angela Robinson Department of Mathematical Sciences, Florida Atlantic University April 4, 2018 Motivation Quantum-resistance
More informationLecture 15 & 16: Trapdoor Permutations, RSA, Signatures
CS 7810 Graduate Cryptography October 30, 2017 Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures Lecturer: Daniel Wichs Scribe: Willy Quach & Giorgos Zirdelis 1 Topic Covered. Trapdoor Permutations.
More informationBetter Zero-Knowledge Proofs for Lattice Encryption and Their Application to Group Signatures
Better Zero-Knowledge Proofs for Lattice Encryption and Their Application to Group Signatures Fabrice Benhamouda 1, Jan Camenisch 2, Stephan Krenn 2, Vadim Lyubashevsky 3,1, Gregory Neven 2 1 Département
More informationDigital Signature Schemes and the Random Oracle Model. A. Hülsing
Digital Signature Schemes and the Random Oracle Model A. Hülsing Today s goal Review provable security of in use signature schemes. (PKCS #1 v2.x) PAGE 1 Digital Signature Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/dsa.jpg
More informationPublic-Key Cryptosystems from the Worst-Case Shortest Vector Problem. Chris Peikert Georgia Tech
1 / 14 Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert Georgia Tech Computer Security & Cryptography Workshop 12 April 2010 2 / 14 Talk Outline 1 State of Lattice-Based
More informationApplied cryptography
Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:
More informationInteractive Zero-Knowledge with Restricted Random Oracles
Interactive Zero-Knowledge with Restricted Random Oracles Moti Yung 1 and Yunlei Zhao 2 1 RSA Laboratories and Department of Computer Science, Columbia University, New York, NY, USA. moti@cs.columbia.edu
More informationAdaptive Oblivious Transfer with Access Control from Lattice Assumptions
Adaptive Oblivious Transfer with Access Control from Lattice Assumptions Benoît Libert 1,2, San Ling 3, Fabrice Mouhartem 2, Khoa Nguyen 3, and Huaxiong Wang 3 1 CNRS, Laboratoire LIP, France 2 ENS de
More informationA SHUFFLE ARGUMENT SECURE IN THE GENERIC MODEL
A SHUFFLE ARGUMENT SECURE IN THE GENERIC MODEL Prastudy Fauzi, Helger Lipmaa, Michal Zajac University of Tartu, Estonia ASIACRYPT 2016 OUR RESULTS A new efficient CRS-based NIZK shuffle argument OUR RESULTS
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Fun with Public-Key Tonight we ll Introduce some basic tools of public-key crypto Combine the tools to create more powerful tools Lay the ground work for substantial
More informationZero-Knowledge Arguments for Lattice-Based PRFs and Applications to E-Cash
Zero-Knowledge Arguments for Lattice-Based PRFs and Applications to E-Cash Benoît Libert 1,2, San Ling 3, Khoa Nguyen 3, and Huaxiong Wang 3 1 CNRS, Laboratoire LIP, France 2 ENS de Lyon, Laboratoire LIP
More informationLinear Multi-Prover Interactive Proofs
Quasi-Optimal SNARGs via Linear Multi-Prover Interactive Proofs Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Interactive Arguments for NP L C = x C x, w = 1 for some w P(x, w) V(x) accept / reject
More informationFloppy-Sized Group Signatures from Lattices
Floppy-Sized Group Signatures from Lattices Cecilia Boschini 1,2( ), Jan Camenisch 1, and Gregory Neven 1 1 IBM Research, Zurich, Switzerland 2 Università della Svizzera Italiana, Lugano, Switzerland {bos,jca,nev}@zurich.ibm.com
More informationCOS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7
COS 597C: Recent Developments in Program Obfuscation Lecture 7 10/06/16 Lecturer: Mark Zhandry Princeton University Scribe: Jordan Tran Notes for Lecture 7 1 Introduction In this lecture, we show how to
More informationLattice-Based Group Signatures with Logarithmic Signature Size
Lattice-Based Group Signatures with Logarithmic Signature Size Faien Laguillaumie 1,3, Adeline Langlois 2,3, Benoît Liert 4, and Damien Stehlé 2,3 1 Université Claude Bernard Lyon 1 2 École Normale Supérieure
More informationHardness and advantages of Module-SIS and Module-LWE
Hardness and advantages of Module-SIS and Module-LWE Adeline Roux-Langlois EMSEC: Univ Rennes, CNRS, IRISA April 24, 2018 Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationRelaxed Lattice-Based Signatures with Short Zero-Knowledge Proofs
Relaxed Lattice-Based Signatures with Short Zero-Knowledge Proofs Cecilia Boschini, Jan Camenisch, and Gregory Neven IBM Research Zurich {bos, jca, nev}@zurich.ibm.com Abstract. Higher-level cryptographic
More informationCryptology. Scribe: Fabrice Mouhartem M2IF
Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description
More informationPairing-Based Cryptography An Introduction
ECRYPT Summer School Samos 1 Pairing-Based Cryptography An Introduction Kenny Paterson kenny.paterson@rhul.ac.uk May 4th 2007 ECRYPT Summer School Samos 2 The Pairings Explosion Pairings originally used
More informationA Lattice-Based Threshold Ring Signature Scheme (TRSS-L)
A Lattice-Based Threshold Ring Signature Scheme (TRSS-L) Pierre-Louis Cayrel 1 Richard Lindner 2 Markus Rückert 2 Rosemberg Silva 3 1 Center for Advanced Security Research Darmstadt (CASED) 2 Technische
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationQuestion: Total Points: Score:
University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationOn The (In)security Of Fischlin s Paradigm
On The (In)security Of Fischlin s Paradigm Prabhanjan Ananth 1, Raghav Bhaskar 1, Vipul Goyal 1, and Vanishree Rao 2 1 Microsoft Research India prabhanjan.va@gmail.com,{rbhaskar,vipul}@microsoft.com 2
More informationNotes for Lecture 16
COS 533: Advanced Cryptography Lecture 16 (11/13/2017) Lecturer: Mark Zhandry Princeton University Scribe: Boriana Gjura Notes for Lecture 16 1 Lattices (continued) 1.1 Last time. We defined lattices as
More informationEfficient Public-Key Cryptography in the Presence of Key Leakage
Efficient Public-Key Cryptography in the Presence of Key Leakage Yevgeniy Dodis Kristiyan Haralambiev Adriana López-Alt Daniel Wichs August 17, 2010 Abstract We study the design of cryptographic primitives
More information