Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures without Trapdoors
Size: px
Start display at page:

Download "Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures without Trapdoors"

Transcription

1 Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Sie Ring Signatures and Group Signatures without Trapdoors Benoît Libert 1, San Ling 2, Khoa Nguen 2, and Huaxiong Wang 2 1 Ecole Normale Supérieure de Lon, Laboratoire LIP France 2 School of Phsical and Mathematical Sciences, Nanang Technological Uniersit Singapore Abstract. An accumulator is a function that hashes a set of inputs into a short, constant-sie string while presering the abilit to efficientl proe the inclusion of a specific input element in the hashed set. It has proed useful in the design of numerous priac-enhancing protocols, in order to handle reocation or simpl proe set membership. In the lattice setting, currentl known instantiations of the primitie are based on Merkle trees, which do not interact well with ero-knowledge proofs. In order to efficientl proe the membership of some element in a eroknowledge manner, the proer has to demonstrate knowledge of a hash chain without reealing it, which is not known to be efficientl possible under well-studied hardness assumptions. In this paper, we proide an efficient method of proing such statements using inoled extensions of Stern s protocol. Under the Small Integer Solution assumption, we proide ero-knowledge arguments showing possession of a hash chain. As an application, we describe new lattice-based group and ring signatures in the random oracle model. In particular, we obtain: i The first latticebased ring signatures with logarithmic sie in the cardinalit of the ring; ii The first lattice-based group signature that does not require an GPV trapdoor and thus allows for a much more efficient choice of parameters. 1 Introduction Crptographic accumulators were introduced b Benaloh and de Mare [10] as alternatie to digital signatures in the design of distributed protocols. While initiall used in time-stamping and membership testing mechanisms [10], the found numerous applications in the context of fail-stop signatures [7], anonmous credentials [21,20,1,45], group signatures [69], anonmous ad hoc authentication [29], digital cash [6,23,55], set membership proofs [70,64] or authenticated data structures [61,60] see [28] for further examples. In a nutshell, an accumulator is a sort of algebraic hash function that maps a large set R of inputs into a short, constant-sie accumulator alue u such that an efficientl computable short witness w proides eidence that a gien input was

2 indeed incorporated into the hashed set. In order to be useful, the sie of the witness should be much smaller than the cardinalit of the input set. An extension, suggested b Camenisch and Lsanskaa [21], allows the accumulator alue to be updated oer time, b adding or deleting elements of the hashed set while presering the abilit to efficientl update witnesses. For most applications, the usual securit requirement mandates the infeasibilit of computing an accumulator alue u and a alid witness w for an element x outside the set of hashed inputs. This is made possible b public-ke techniques like the existence of a trapdoor e.g., the factoriation of an RSA modulus or the discrete logarithm of some public group element hidden behind public parameters. So far, number theoretic realiations hae been diided into two main families. The first one relies on groups of hidden order [10,7,48,15] and includes proposals based on the Strong RSA assumption [7,44]. The second main famil [58,20] was first explored b Nguen [58] and appeals to bilinear maps a.k.a. pairings and assumptions of ariabe sie like the Strong Diffie-Hellman assumption [14]. Strong-RSA-based candidates enjo the adantage of short public parameters and the easil extend into uniersal accumulators [44] where non-membership witnesses can show that a gien input was not accumulated. While pairingbased schemes [58,20] usuall require linear-sie public parameters in the number of elements to be hashed, the are useful in applications [6,23] where we want to limit the number of elements to be hashed. A third famil e.g., [60] of constructions relies on Merkle trees [51] rather than number theoretic assumptions. Its main disadantage is that the use of hash trees makes it hardl compatible with efficient ero-knowledge proofs, which are ineitable ingredients of priac-presering protocols [21,69,20,1]. In fact, currentl known methods [15,9] for reconciling Merkle trees and ero-knowledge proofs require non-standard assumptions in groups of hidden order [15] or the machiner of SNARKs, which inherentl rel on non-falsifiable [56] knowledge assumptions [36]. Despite its wide range of applications, the accumulator primitie still has a relatiel small number of efficient realiations. For the time being, most known solutions require non-standard ad hoc assumptions like Strong RSA or Strong Diffie-Hellman. To our knowledge, the onl exception is a generic construction from ector commitments [25], which leaes open the problem of candidates based on the standard Computational Diffie-Hellman assumption in groups without a bilinear map or ero-knowledge-friendl lattice-based schemes. In this paper, we describe a new construction based on standard lattice assumptions which interacts nicel with ero-knowledge proofs despite the use of Merkle trees. We show that this new construction enables new, unexpected applications to the design of lattice-based ring signatures and group signatures. Our Contributions. We describe a lattice-based accumulator 3 that enables short ero-knowledge arguments of membership. Our construction relies on a Merkle hash tree which is computed in a special wa that makes it compatible 3 A lattice-based accumulator was preiousl claimed in [39]. Howeer, the generation of witnesses can onl be performed using the secret ke of the sstem. Moreoer, their scheme is seemingl not compact due to the required choice of parameters.

3 with efficient protocols for proing possession of a secret alue i.e., a leaf of the tree that is properl accumulated in the root of the tree. More specificall, our sstem allows demonstrating the knowledge of a hash chain from the considered secret leaf to the root in a ero-knowledge manner. This building block enables man interesting applications. In particular, we use it to design latticebased ring and group signatures with dramatic improements oer the existing constructions. In the random oracle model, we obtain: The first lattice-based ring signature with logarithmic signature sie in the cardinalit of the ring. So far, all suggested proposals hae linear sie in the number of ring members. A lattice-based group signature with much shorter public ke, signature length, and weaker hardness assumptions than all earlier realiations. Our ring signature does not require an other setup assumption than haing all users agree on a modulus q, a lattice dimension n and a random matrix A Z n m q which can be deried from a random oracle. It proabl satisfies the strong securit definitions put forth b Bender, Kat and Morselli [11]. Our group signature is analed in the setting of static groups using the definitions of Bellare, Micciancio and Warinschi [8]. Its salient feature which it shares with our ring signature is that, unlike all earlier candidates [34,42,43,47,59], it does not require the use of a trapdoor as defined b Gentr, Peikert and Vaikuntanathan [32] consisting of a short basis of some lattice. It thus eliminates one of the frequentl cited reasons [50] for which lattice-based signatures tend to be impractical. In fact, our group signature departs from preiousl used design principles which are all inspired in some wa b the general construction of [8] in that, surprisingl, it does not een require an ordinar digital signature to begin with. All we need is a lattice-based accumulator with a compatible ero-knowledge argument sstem for arguing knowledge of a hash chain. Our Techniques. Our accumulator proceeds b computing a Merkle tree using a hash function based on the Small Integer Solution SIS problem, which is a ariant of the hash functions considered in [4,33,54] preiousl considered b Papamanthou et al. [60]. Instead of hashing a ector x 0, 1} m b computing its sndrome A x Z n q ia a random matrix A Z n m q, it outputs the coordinate-wise binar decomposition bina x mod q 0, 1} m/2 of the sndrome to obtain the two-fold compression factor that is needed for iteratiel appling the function in a Merkle tree. Howeer, Papamanthou et al. [60] did not consider the problem of proing knowledge of a hash chain in a ero-knowledge fashion. The main technical noelt that we introduce is thus a method for demonstrating knowledge of a Merkle-tree hash chain using the framework of Stern s protocol [68]. Using this method, we build ring and group signatures with logarithmic sie in the number of ring or group members inoled. Our constructions are conceptuall simple. Each user s priate ke is a random m-bit ector x 0, 1} m and the matching public ke is the binar expansion d = bina x mod q 0, 1} m/2 of the corresponding sndrome. In order to sign a message, the user considers

4 an accumulation u 0, 1} m/2 of all users public kes R = d 0,..., d N 1 which is obtained b dnamicall forming the ring R in the ring signature and simpl consists of the group public ke in the group signature and generates a Stern-tpe argument that: i His public ke d j belongs to the hashed set R; ii He knows the underling secret d j = bina x j mod q; iii for the group signature He has honestl encrpted the binar representation of the integer j determining his position in the tree to a ciphertext attached in the signature. In order to acquire anonmit in the strongest sense i.e., where the adersar is granted access to a signature opening oracle, we appl the Naor- Yung paradigm [57] to Rege s crptosstem [65], as was preiousl considered in [12]. As pointed out earlier, the adantage of not reling on an ordinar digital signature 4 lies in that it does not require an part i.e., neither the group manager nor the group members in the case of group signatures to hae a GPV trapdoor [32] consisting of a short lattice basis. As emphasied b Lubashesk [50], explicitl aoiding the use of such trapdoors allows for drasticall more efficient choices of parameters. As b-products, our scheme features much smaller group public ke and users secret kes, produces shorter signatures, and relies on weaker hardness assumptions than all of the existing lattice-based group signature schemes [34,22,42,47,59] in the BMW model [8]. In the following, we gie an estimated efficienc comparison among our group signature and the preious 2 most efficient schemes with CCA-anonmit, b Ling et al. [47] and Nguen et al. [59]. The estimations are done with parameter n = 2 8, group sie N = 1024, and soundness error 2 80 for the NIZKs. Ling et al. s scheme requires q = Olog N n 2, m 2n log q, so we set q = 2 18 and m = The infinit norm bound for discrete Gaussian samples is 2 6. The scheme produces group public ke sie 65.8 MB; user s secret ke sie 13.5 KB a Boen signature [17]; and signature sie 1.20 GB. Nguen et al. s scheme requires q > m 8.5, m 2n log q, so we set q = and m = The scheme produces group public ke sie 2.15 GB; user s secret ke sie 90 GB a trapdoor in Z 3m 3m with log m-bit entries; and signature sie 500 MB. Our scheme works with q = 2 8, m = 2 9 8, and parameters p = 32719, m E = 7980 for the encrption laer. The scheme features public ke sie 4.9 MB; user s secret ke sie 3.25 KB; and it produces signatures of sie 61.5 MB. Related Work. While originall suggested as a 3-moe code-based identification scheme, Stern s protocol was adapted to the lattice setting b Kawachi et al. [41] and extended b Ling et al. [46] into an argument sstem for the Inhomogeneous Small Integer Solution ISIS problem. In particular, Ling et al. gae a method, called decomposition-extension framework, which allows arguing knowledge of an integer ector x Z m of norm x β such that A x = u Z n q without leaing an gap between the ector computed b the knowledge extractor and the actual witness x. As shown in [47], the technique of Ling et al. [46] 4 Recall that all Olog N-sie group signatures emplo a signature scheme in the standard model for which all known constructions use trapdoors in order to smoothl interact with ero-knowledge proofs.

5 can be used to proe more inoled statements such as the possession of a Boen signature [17] on a message encrpted b a dual Rege ciphertext [32]. Here, we take one step further and deelop a ero-knowledge argument of knowledge ZKAoK that a specific element of some unierse belongs to a hashed set. Ring signatures were introduced b Riest, Shamir and Tauman-Kalai [66] with the motiation of hiding the identit of a source e.g., a whistleblower in a political scandal while proiding guarantees of trustworthiness. Bender, Kat and Morselli [11] gae stringent securit definitions while constructions with sub-linear signature sie were gien b Chandran, Groth and Sahai [26]. The celebrated results of Gentr, Peikert and Vaikuntanathan [32] inspired a number of lattice-based ring signatures. The state-of-the-art construction probabl stems from the framework of Brakerski and Tauman-Kalai [18], which results in linear-sie in the number of ring members. The same holds for all known Fiat- Shamir-like lattice-based ring signatures e.g., [41,2], although some of them do not require a trapdoor. Thus far, the onl logarithmic-sie ring signatures [37,16] arise from the results of Groth and Kohlweiss [37] and it is not clear how to extend them to the lattice setting. The notion of group signatures dates back to Chaum and Van Hest [27]. While iable constructions were gien in the seminal paper b Ateniese, Camenisch, Joe and Tsudik [5], their securit notions remained poorl understood until the work of Bellare, Micciancio and Warinschi [8]. The first lattice-based proposal came out with the results of Gordon, Kat and Vaikuntanathan [34], which inspired a number of follow-up works describing new sstems with a better asmptotic efficienc [42,59,47] or additional properties [22,43]. For the time being, the most efficient candidates are the recent concurrent proposals of Nguen et al. and Ling et al. [59,47]. As it turns out, except for one scheme [12] that mixes lattice-based and discrete-logarithm-related assumptions, all currentl aailable candidates [42,59,47,22,43] utilie a GPV trapdoor, either to perform the setup of the sstem or to trace signatures or both. Our results thus proide the first sstem that completel eliminates GPV trapdoors. At a high leel, our ZKAoK sstem is partiall inspired b the wa Langlois et al. [43] made use of the Bonsai tree technique [24] since it proes knowledge of a solution to a SIS problem determined b the user s position in a tree. Howeer, there are fundamental differences since our tree is built in a bottom-up rather than top-down manner and we do not perform an trapdoor delegation. 2 Preliminaries Notations. We assume that all ectors are column ectors. The concatenation of matrices A Z k i, B Z k j is denoted b [A B] Z k i+j. For b 0, 1}, we denote the bit 1 b 0, 1} b b. For a positie integer i, we let [i] be the set 1,..., i}. If S is a finite set, x $ S means that x is chosen uniforml at random from S. All logarithms are of base 2. The addition in Z 2 is denoted b. In this section, we first recall the aerage-case lattice problems SIS and LWE, together with their hardness results; and the notion of statistical ero-knowledge

6 arguments of knowledge. The definitions and securit requirements of crptographic accumulators, ring signatures, and group signatures are deferred to their respectie Sections 3, 4, and Aerage-case Lattice Problems Definition 1 [3,32]. The SIS n,m,q,β problem is as follows: Gien uniforml random matrix A Z n m q, find a non-ero ector x Z m such that x β and A x = 0 mod q. If m, β = poln, and q > β Õ n, then the SIS n,m,q,β problem is at least as hard as the worst-case lattice problem SIVP γ for some γ = β Õ nm see [32,53]. Specificall, when β = 1, q = Õn, m = 2n log q, the SIS n,m,q,1 problem is at least as hard as SIVPÕn. In the last decade, numerous SIS-based crptographic primities hae been proposed. In this work, we will extensiel emplo 2 such constructions: Our Merkle tree accumulator is built upon a specific famil of collision-resistant hash functions, which is a sntactic modification i.e., it takes two inputs, instead of one of the one presented in [3,54]. A similar scheme that works with larger SIS norm bound β was proposed in [60]. Our ero-knowledge argument sstems use the statisticall hiding and computationall binding string commitment scheme from [41]. For appropriate setting of parameters, the securit of the aboe two constructions can be based on the worst-case hardness of SIVPÕn. In the group signature in Section 5, we will emplo the multi-bit ersion of Rege s encrption scheme [65], presented in [40][63]. The scheme is based on the hardness of the LWE problem. Definition 2 [65]. Let n, m E 1, p 2, and let χ be a probabilit distribution on Z. For s Z n p, let A s,χ be the distribution obtained b sampling a $ Z n q and e χ, and outputting a, s a + e Z n p Z p. The LWE n,p,χ problem asks to distinguish m E samples chosen according to A s,χ for s $ Z n p and m E samples chosen according to the uniform distribution oer Z n p Z p. If p is a prime power, χ is the discrete Gaussian distribution D Z,αp, where αp 2 n, then LWE n,p,χ is as least as hard as SIVPÕn/α see [65,62,52,53]. 2.2 Zero-Knowledge Arguments of Knowledge We will work with statistical ero-knowledge argument sstems, namel, interactie protocols where the ero-knowledge propert holds against an cheating erifier, while the soundness propert onl holds against computationall bounded cheating proers. More formall, let the set of statements-witnesses R =, w} 0, 1} 0, 1} be an NP relation. A two-part game P, V is called an interactie argument sstem for the relation R with soundness error e if the following two conditions hold:

7 Completeness. If, w R then Pr [ P, w, V = 1 ] = 1. Soundness. If, w R, then PPT P: Pr[ P, w, V = 1] e. An argument sstem is called statistical ero-knowledge if for an V, there exists a PPT simulator S producing a simulated transcript that is statisticall close to the one of the real interaction between P, w and V. A related notion is argument of knowledge, which requires the witness-extended emulation propert. For protocols consisting of 3 moes i.e., commitment-challenge-response, witness-extended emulation is implied b special soundness [35], where the latter assumes that there exists a PPT extractor which takes as input a set of alid transcripts with respect to all possible alues of the challenge to the same commitment, and outputs w such that, w R. The statistical ero-knowledge arguments of knowledge szkaok presented in this work are Stern-tpe [68]. In particular, the are Σ-protocols in the generalied sense defined in [38,12] where 3 alid transcripts are needed for extraction, instead of just 2. Seeral recent works rel on Stern-tpe protocols to design lattice-based [46,43,47] and code-based [38,30] constructions. 3 A Lattice-Based Accumulator with Supporting Zero-Knowledge Argument of Knowledge Throughout the paper, we will work with positie integers n, q, k, m, where: n is the securit parameter; q = Õn; k = log q ; and m = 2nk. We identif Z q b the set 0,..., q 1}. We define the powers-of-2 matrix k k 1 G = k 1 Zn nk q. Note that for eer Z n q, we hae = G bin, where bin 0, 1} nk denotes the binar representation of. 3.1 Crptographic Accumulators An accumulator scheme is a tuple of algorithms TSetup, TAcc, TWitness, TVerif defined as follows: TSetupn On input securit parameter n, output the public parameter pp. TAcc pp On input a set R = d 0,..., d N 1 } of N data alues, output an accumulator alue u. TWitness pp On input a data set R and a alue d, output if d R; otherwise output a witness w for the fact that d is accumulated in TAccR. Tpicall, the sie of w should be short e.g., constant or logarithmic in N to be useful. TVerif pp On input accumulator alue u and a alue-witness pair d, w, output 1 which indicates that d, w is alid for the accumulator u or 0.

8 An accumulator scheme is called correct if for all pp TSetupn, we hae TVerif pp TAccpp R, d, TWitness pp R, d = 1 for all d R. The securit of an accumulator scheme, as defined in [7,21], sas that it is infeasible to proe that a alue d was accumulated in a alue u if it was not. This propert is formalied as follows. Definition 3. An accumulator scheme TSetup, TAcc, TWitness, TVerif is called secure if for all PPT adersaries A: Pr [ pp TSetupn; R, d, w App : d R TVerif pp TAcc pp R, d, w = 1 ] = negln. 3.2 A Famil of Lattice-Based Collision-Resistant Hash Functions We now describe the specific famil of lattice-based collision-resistant hash functions, upon which our Merkle hash tree will be built. Definition 4. The function famil H mapping 0, 1} nk 0, 1} nk to 0, 1} nk is defined as H = h A A Zq n m }, where for A = [A 0 A 1 ] with A 0, A 1 Z n nk q, and for an u 0, u 1 0, 1} nk 0, 1} nk, we hae: h A u 0, u 1 = bin A 0 u 0 + A 1 u 1 mod q 0, 1} nk. Note that h A u 0, u 1 = u A 0 u 0 + A 1 u 1 = G u mod q. Lemma 1. The function famil H, defined in 4 is collision-resistant, assuming the hardness of the SIVPÕn problem. $ Proof. Gien A = [A 0 A 1 ] Z n m q, if one can find two distinct pairs u 0, u 1 0, 1} nk 2 and 0, 1 0, 1} nk 2 such that ha u 0, u 1 = h A 0, 1 mod q, u0 then one can obtain a non-ero ector = 0 1, 0, 1} u 1 m such that 1 A = A 0 u 0 0 +A 1 u 1 1 = G h A u 0, u 1 G h A 0, 1 = 0 mod q. In other words, is a alid solution to the SIS n,m,q,1 problem associated with matrix A. The lemma then follows from the worst-case to aerage-case reduction from SIVPÕn. 3.3 Our Merkle-Tree Accumulator We now gie the construction of a Merkle tree with N = 2 l leaes, where l is a positie integer, based on the famil of lattice-based hash function H defined aboe. TSetupn. Sample A $ Z n m q, and output pp = A.

9 TAcc A R = d 0 0, 1} nk,..., d N 1 0, 1} nk }. For eer j [0, N 1], let j 1,..., j l 0, 1} l be the binar representation of j, and let d j = u j1,...,j l. Form the tree of depth l = log N based on the N leaes u 0,0,...,0,..., u 1,1,...,1 as follows: 1. At depth i [l], the node u b1,...,b i 0, 1} nk, for all b 1,..., b i 0, 1} i, is defined as h A u b1,...,b i,0, u b1,...,b i,1. 2. At depth 0: The root u 0, 1} nk is defined as h A u 0, u 1. The algorithm outputs the accumulator alue u. TWitness A R, d. If d R, return. Otherwise, d = d j for some j [0, N 1] with binar representation j 1,..., j l. Output the witness w defined as: w = j 1,..., j l, u j1,...,j l 1, j l,..., u j1, j 2, u j 1 0, 1} l 0, 1} nk l, for u j1,...,j l 1, j l,..., u j1, j 2, u j 1 computed b algorithm TAcc A R. TVerif A u, d, w. Let the gien witness w be of the form: w = j 1,..., j l, w l,..., w 1 0, 1} l 0, 1} nk l. The algorithm recursiel computes the path l, l 1,..., 1, 0 0, 1} nk as follows: l = d and h A i+1, w i+1, if j i+1 = 0; i l 1,..., 1, 0} : i = h A w i+1, i+1, if j i+1 = 1. Then it returns 1 if 0 = u. Otherwise, it returns 0. In Figure 1, we gie an illustratie example of a tree with 2 3 = 8 leaes. u u 0 u 1 u 00 u 01 u 10 u 11 u 000 u 001 u 010 u 011 u 100 u 101 u 110 u 111 d 0 d 1 d 2 d 3 d 4 d 5 d 6 d 7 Fig. 1: A Merkle tree with 2 3 = 8 leaes, which accumulates the data blocks d 0,..., d 7 into the alue u at the root. The bit string 101 and the gra nodes form a witness to the fact that d 5 is accumulated in u. One can check that the aboe Merkle-tree accumulator scheme is correct. Furthermore, its securit is based on the collision-resistance of the hash function famil H, which in turn is based on the hardness of SIVPÕn.

10 Theorem 1. The gien accumulator scheme is secure in the sense of Definition 3, assuming the hardness of the SIVPÕn problem. Proof. Assuming that there exists a PPT adersar B who has non-negligible success probabilit in the securit experiment of Definition 3. It receies a uniforml random matrix A Z n m q generated b TSetupn, and returns R = d 0,..., d N 1, d, w such that d R and TVerif A u, d, w = 1, where u = TAcc A R. Parse w = j1,..., jl, w l,..., w 1. Let j [0, N 1] be the integer haing binar representation j1,..., jl and let u j1 = d,...,j l j, u j1,..., u,...,j l 1 j1, u be the path from the leae d j to the root of the tree generated b TAcc A R. On the other hand, let l = d, l 1,..., 1, 0 = u be the path computed b algorithm TVerif A u, d, w. Note that d d j since d R. Thus, comparing the two paths, we can find the smallest integer k [l], such that k u j1. We then obtain a collision for h,...,j k A at the parent node of u j 1,...,jk. The theorem then follows from Lemma Zero-Knowledge AoK of an Accumulated Value Our goal in this section is to construct a ero-knowledge argument sstem that allows proer P to conince erifier V that P knows a secret alue that is properl accumulated into the root of the lattice-based Merkle tree described aboe. More formall, in our protocol, P coninces V on input A, u that P possesses a aluewitness pair d, w such that TVerif A u, d, w = 1. The associated relation Racc is defined as follows. Definition 5. A, R acc = u Z n m q 0, 1} nk ; d 0, 1} nk, w 0, 1} l 0, 1} nk l : TVerif A u, d, w = 1 }. Before going into the details, we first introduce seeral supporting notations and techniques. We denote b B nk m the set of all ectors in 0, 1} m that hae Hamming weight nk; and b S m the set of all permutations of m elements. For i nk, m}, for b 0, 1} and for 0, 1} i, we let extb, denote b the ector 0, 1} 2i of the form =. b For b 0, 1}, for π S m, we define the permutation F b,π that transforms 0 = Z 2m πb q consisting of 2 blocks of sie m into F b,π =. 1 π b Namel, F b,π first rearranges the blocks of according to b it keeps the arrangement of blocks if b = 0, or swaps them if b = 1, then it permutes each block according to π.

11 Our strateg to achiee ero-knowledgeness will cruciall rel on the following obseration: For all c, b 0, 1}, all π, φ S m, and all, w 0, 1} m, we hae the equialences = extc, B nk m = ext c, w w B nk m F b,π = Extc b, π π B nk m ; F b,φ = Extc b, φw φw B nk m. 1 Warm-up step. Now, let d, w be such that A, u, d, w R acc, where w is of the form w = j 1,..., j l, w l,..., w 1, and let l = d, l 1,..., 1, 0 be the path computed b TVerif A u, d, w. Note that 0 = u and: h A i+1, w i+1, if j i+1 = 0; i l 1,..., 1, 0} : i = 2 h A w i+1, i+1, if j i+1 = 1. We obsere that relation 2 can be equialentl rewritten in a more compact form: i l 1,..., 1, 0}, i = j i+1 h A i+1, w i+1 + j i+1 h A w i+1, i+1. 3 Equation 3 then can be interpreted as: j i+1 A 0 i+1 + A 1 w i+1 + ji+1 A 0 w i+1 + A 1 i+1 = G i mod q j A i+1 i+1 ji+1 w + A i+1 = G j i+1 i+1 j i+1 w i mod q i+1 A extj i+1, i+1 + A ext j i+1, w i+1 = G i mod q. Therefore, to achiee our goal, it is necessar and sufficient to construct an argument sstem in which P coninces V in ZK that P knows j 1,..., j l 0, 1} l and 1,..., l, w 1,..., w l 0, 1} nk satisfing A extj 1, 1 + A ext j 1, w 1 = G u mod q; 4 i [l 1] : A extj i+1, i+1 + A ext j i+1, w i+1 = G i mod q. To this end, we deelop a Stern-tpe protocol [68], in which we adapt the extension technique from [46]. Specificall, we perform the following extensions: Extend matrix A = [A 0 A 1 ] to matrix A = [A 0 0 n nk A 1 0 n nk ] Z n 2m q. Extend matrix G to matrix G = [G 0 n nk ] Z n m q. Extend 1,..., l, w 1,..., w l into 1,..., l, w 1,..., wl Bnk m, respectiel. This is done b appending a length-nk ector of suitable Hamming weight to each of these ectors. Let i = extj i, i and i = ext j i, w i for each i [l]. Note that now the conditions in 4 can be equialentl rewritten as: A 1 + A 1 = G u mod q; i [l 1] : A i+1 + A i+1 = G i mod q. 5

12 The Interactie Protocol. Haing performed the aboe preparation and transformation steps, we now gie a summar and sketch the main ideas of our interactie protocol, before formall describing it. The public parameters are n, q, k, m, l, the powers-of-2 matrix G and its extension G. Common inputs: A, u. Both parties extend A to A. P s inputs: j 1,..., j l, 1,..., l, w 1,..., w l, 1,..., l, 1,..., l. P s goal: Proe in ZK that i, w i Bnk m, i = extj i, i, i = ext j i, w i for all i [l], and that 5 holds. To achiee its goal, P emplos the following strategies: 1. To proe in ZK that i, w i Bnk m and i = extj i, i and i = ext j i, wi for all i [l], the equialences obsered in 1 are exploited. Specificall, for each $ $ i [l], P samples π i, φ i Sm and b i 0, 1}, then it demonstrates to V that: π i i Bnk m F bi,π i i = extj i b i, π i i ; φ i wi Bnk m F bi,φ i i = extj i b i, φ i wi. 6 Seeing 6, V should be coninced of the facts P wants to proe, while learning no additional information, thanks to the randomness of π i, φ i and b i. 2. To proe in ZK that the l equations in 5 hold, P samples uniforml random masking ectors r 1,..., r l 1 Z m q ; r 1,..., r l then it shows V that A 1 + r 1 + A 1 + r 1 G u = A r 1 i [l 1] : A i+1 + r i+1 + A i+1 + r i+1 = A r i+1 $ + A r i+1, r 1,..., r l $ Z 2m, and + A r 1 mod q; G i + ri G r i mod q. Let COM : 0, 1} 0, 1} m Z n q be the string commitment scheme from [41], which is statisticall hiding and computationall binding if the SIVPÕn problem is hard. The interaction between proer P and erifier V is described in Figure 2. q 3.5 Analsis of the Interactie Protocol The properties of the gien protocol are summaried in the following theorem. Theorem 2. The gien interactie protocol has perfect completeness and communication cost Õl n. If COM is a statisticall hiding and computationall binding string commitment scheme, then it is a statistical ero-knowledge argument of knowledge for the relation R acc. Completeness and Communication Cost. Based on the discussion gien in the preious section, it can be checked that the described protocol has perfect completeness, i.e., if P is honest and follows the protocol, then V alwas

13 1. Commitment. P samples randomness ρ 1, ρ 2, ρ 3 for COM and b 1,..., b l $ 0, 1}; π 1,..., π l, φ 1,..., φ l $ S m; r 1,..., r l 1 $ Z m q ; r 1,..., r l, r 1,..., r l $ Z 2m q. It then sends V commitment CMT = C 1, C 2, C 3, where C 1 = COM b i; π i; φ i} l i=1; A r 1 + A r 1 ; A r i+1 + A r i+1 G r i } l 1 i=1 ; ρ1 C 2 = COM π ir i } l 1 i=1 ; F b i,π i r i ; F bi,φ i r i } l i=1; ρ 2 C 3 = COM π ii +r i } l 1 i=1 ; F b i,π i i+r i ; F bi,φ i i+r i } l i=1; ρ Challenge. Receiing CMT, V sends a challenge Ch $ 1, 2, 3} to P. 3. Response. Depending on Ch, P sends the response RSP computed as follows: Case Ch = 1: For each i [l 1], let t i = π ir i. For each i [l], let: a i = j i b i; s i = π i i ; s i w = φ iw i ; t i = F bi,π i r i ; t i = F bi,φ i r i. Then let RSP = t i } i=1; l 1 a i; s i ; t i ; s i w ; t i } l i=1; ρ 2; ρ 3. 7 Case Ch = 2: For each i [l 1], let e i c i = b i; π i = π i; φ i = φ i; e i = i + r i. For each i [l], let: = i + r i ; e i = i + r i. Then let RSP = e i } i=1; l 1 c i; π i; φ i; e i ; e i } l i=1; ρ 1; ρ 3. 8 Case Ch = 3: For each i [l 1], let p i d i = b i; π i = π i; φ i = φ i; p i = r i. For each i [l], let: = r i ; p i = r i. Then let RSP = p i } l 1 i=1; d i; π i; φ i; p i ; p i } l i=1; ρ 1; ρ 2. 9 Verification. Receiing RSP, V proceeds as follows. Case Ch = 1: Parse RSP as in 7. Check that s i = exta i, s i and let s i for each i [l], let s i C 2 = COM t i C 3 = COM s i } l 1 i=1 ; ti + t i } l 1 i=1 ; si ; t i } l i=1; ρ 2,, s i w B nk m for all i [l]. Next, = exta i, s i w. Then check that: + t i ; s i + t i 10 } l i=1; ρ 3. Case Ch = 2: Parse RSP as in 8 and check that: C 1 = COM c i; π i; φ i} l 1 1 i=1; A e +A e G u; i+1 i+1 i A e +A e G e } l 1 i=1 ; ρ1 C 3 = COM 11 π ie i } l 1 i=1 ; F c i, π i e i ; F ci, φ i e i } l i=1; ρ 3. Case Ch = 3: Parse RSP as in 9 and check that: C 1 = COM d i; π i; φ i} l 1 1 i=1; A p +A p ; i+1 i+1 i A p +A p G p } l 1 i=1 ; ρ1 C 2 = COM 12 π ip i } l 1 i=1 ; F d i, π i p i ; F di, φ i p i } l i=1; ρ 2. In each case, V outputs 1 if all the conditions hold. Otherwise, it outputs 0. Fig. 2: A ero-knowledge argument of knowledge for the relation R acc.

14 outputs 1. It can also be seen that the communication cost of the protocol is Õl m log q = Õl n bits. In order to proe that the protocol is a ZKAoK for the relation R acc, we will emplo the standard simulation and extraction techniques for Stern-tpe protocols see, e.g., [41,46,47]. Lemma 2 Zero-Knowledge Propert. If COM is statisticall hiding, then the interactie protocol in Figure 2 is a statistical ero-knowledge argument. Proof. We construct a PPT simulator S interacting with a possibl dishonest erifier V, such that, gien onl the public input, S outputs with probabilit negligibl close to 2/3 a simulated transcript that is statisticall close to the one produced b the honest proer in the real interaction. The simulator S begins b selecting a random Ch 1, 2, 3}. This is a prediction of the challenge alue that V will not choose. Case Ch = 1: Using linear algebra, S computes 1,..., l, 1,..., l Z2m q 1,..., l 1 Zm q such that A 1 + A 1 = G u mod q; i [1, l 1] : A i+1 + A i+1 = G i mod q. Then it samples randomness ρ 1, ρ 2, ρ 3 for COM and $ $ b 1,..., b l 0, 1}; π1,..., π l, φ 1,..., φ l Sm ; r 1,..., r l 1 $ Z m q ; r 1,..., r l, r 1,..., r l $ Z 2m q. It then sends V commitment CMT = C 1, C 2, C 3, where C 1 = COM b i ; π i ; φ i } l i=1 ; A r 1 + A r 1 ; A r i+1 + A r i+1 G r i } l 1 i=1 ; ρ 1 C 2 = COM π i r i } l 1 i=1 ; F b i,π i r i ; F bi,φ i r i } l i=1 ; ρ 13 2 C 3 = COM π i i +ri } l 1 i=1 ; F b i,π i i +ri ; F bi,φ i i +ri } l i=1 ; ρ 3. Receiing a challenge Ch from V, the simulator responds as follows: If Ch = 1: Output and abort. If Ch = 2: Send RSP = i +ri } l 1 i=1 ; b i; π i ; φ i ; i +ri ; i +ri } l i=1 ; ρ 1; ρ 3. If Ch = 3: Send RSP = r i } l 1 i=1 ; b i; π i ; φ i ; r i ; r i } l i=1 ; ρ 1; ρ 2. Case Ch = 2: S samples j 1,..., j $ l 0, 1}; 1,..., l, w 1,..., w $ l B nk m ; $ $ b 1,..., b l 0, 1}; π1,..., π l, φ 1,..., φ l Sm ; r 1,..., r l 1 $ Z m q ; r 1,..., r l, r 1,..., r l $ Z 2m q. and

15 It then computes i = extj i, i, i = ext j i, w i for each i [l], and sends the commitment CMT computed in the same manner as in 13. Receiing a challenge Ch from V, it responds as follows: If Ch = 1: Send RSP = π i r i } l 1 i=1 ; j i b i ; π i i; F bi,π i r i ; φ i w i; F bi,φ i r i } l i=1; ρ 2 ; ρ 3. If Ch = 2: Output and abort. If Ch = 3: Send RSP computed as in the case Ch = 1, Ch = 3. Case Ch = 3: The simulator proceeds with the preparation as in the case Ch = 2 aboe. Then it sends the commitment CMT := C 1, C 2, C 3, where C 2, C 3 are computed as in 13, while C 1 = COM b i ; π i ; φ i } l i=1; A 1 + r 1 + A 1 + r 1 G u; A i+1 + r i+1 + A i+1 + r i+1 G i + r i Receiing a challenge Ch from V, it responds as follows: If Ch = 1: Send RSP computed as in the case Ch = 2, Ch = 1. If Ch = 2: Send RSP computed as in the case Ch = 1, Ch = 2. If Ch = 3: Output and abort. } l 1 i=1 ; ρ 1. We obsere that, in eer case we hae considered aboe, since COM is statisticall hiding, the distribution of the commitment CMT and the distribution of the challenge Ch from V are statisticall close to those in the real interaction. Hence, the probabilit that the simulator outputs is negligibl close to 1/3. Moreoer, one can check that wheneer the simulator does not halt, it will proide an accepted transcript, the distribution of which is statisticall close to that of the proer in the real interaction. In other words, we hae constructed a simulator that can successfull impersonate the honest proer with probabilit negligibl close to 2/3. To proe that our protocol is an argument of knowledge for the relation R acc, it suffices to demonstrate that the protocol has the special soundness propert [35]. Lemma 3 Argument of Knowledge Propert. If COM is computationall binding, then there exists an efficient knowledge extractor K that, on input 3 alid responses RSP 1, RSP 2, RSP 3 to the same commitment CMT, outputs a pair d 0, 1} nk, w 0, 1} l 0, 1} nk l such that A, u; d, w R acc. Proof. Let the 3 alid responses to CMT = C 1, C 2, C 3 be RSP 1 = t i } l 1 i=1 ; a i; s i ; t i RSP 2 = e i } l 1 i=1 ; c i; π i ; φ i ; e i RSP 3 = p i } l 1 i=1 ; d i; π i ; φ i ; p i ; s i w ; t i } l i=1 ; ρ 2; ρ 3, ; e i } l i=1 ; ρ 1; ρ 3, ; p i } l i=1 ; ρ 1; ρ 2.

16 The alidit of RSP 1 implies that i [l] : s i, s i w B nk m. Furthermore, it follows from the erification conditions gien in 10, 11, 12, and from the computational binding propert of COM that: A e 1 + A e 1 G u = A p 1 + A p 1 mod q, and for all i [1, l 1]: t i A e i+1 + A e i+1 = π i p i ; s i + t i = π i e i ; and G e i = A p i+1 + A p i+1 and for all i [l]: c i = d i ; π i = π i ; φ i = φ i ; t i = F di, π i p i ; exta i, s i + t i = F ci, π i e i ; t i = F di, φ i p i ; exta i, s i w + t i = F ci, φ i e i. G p i mod q, The knowledge extractor K now proceeds as follows. For each i [l], let: j i = a i c i ; i = π 1 i s i ; wi = Note that π i i = si Furthermore, one has that: 1 φ i s i w ; i = e i B nk m, and thus i Bnk m p i ; i = e i p i. b 1. Similarl, w i Bnk m. F ci, π i i = exta i, s i = ext j i c i, π i i. B 1, this implies i = extj i, i. F ci, φ i i = exta i, s i w = ext j i c i, φ i w i. B 1, this implies i = ext j i, w i. Moreoer, the following relations hold: A 1 + A 1 = G u mod q i [1, l 1] : A i+1 + A i+1 = G i mod q A extj 1, 1 + A ext j i, wi = G u mod q i [1, l 1] : A extj i+1, i+1 + A ext j i+1, wi+1 = G i mod q. Now, b dropping the last nk coordinates from 1,..., l, w 1,..., wl, the knowledge extractor K obtains 1,..., l, w 1,..., w l 0, 1}nk, respectiel. These ectors satisf: A extj 1, 1 + A ext j 1, w 1 = G u mod q i [1, l 1] : A extj i+1, i+1 + A ext j i+1, w i+1 = G i mod q 0 = u i [0, l 1] : i = j i+1 h A i+1, w i+1 + j i+1 h A w i+1, i+1. Let d = l and w = j 1,..., j l, w l,..., w 1, then TVerif A u, d, w = 1. In other words, d, w satisfies A, u; d, w R acc. This concludes the proof.

17 4 A Logarithmic-Sie Ring Signature from Lattices In this section, we construct a ring signature scheme [66] with signature sie Õlog N n, where N is the sie of the ring, based on the hardness of lattice problem SIVPÕn. We use the ZKAoK gien in Section 3 as the building block. 4.1 Definitions We recall the standard definitions and securit requirements for ring signatures [11,37]. A ring signature scheme consists of a tuple of efficient algorithms RSetup, RKgen, RSign, RVerif for generating a public parameter, generating kes for users, signing messages, and erifing ring signatures, respectiel. RSetupn: Generates public parameters pp which are made aailable to all users. RKgenpp: Generates a public ke pk and the corresponding secret ke sk. RSign pp sk, M, R: Outputs a signature Σ on the message M 0, 1} with respect to the ring R = pk 0,..., pk N 1. It is required that pk, sk be a alid ke pair produced b RKgenpp and that pk R. RVerif pp M, R, Σ: Gien a candidate signature Σ on a message M with respect to the ring of public kes R, this algorithm outputs 1 if Σ is deemed alid or 0 otherwise. We next describe the following requirements for ring signatures: correctness, unforgeabilit with respect to insider corruption, and statistical anonmit. The correctness requirement sas that a user can alwas sign an message on behalf of a ring he belongs to. This is formalied as follows. Definition 6 Correctness. A ring signature RSetup, RKgen, RSign, RVerif is correct if for an pp RSetupn, an pk, sk RKgenpp, an R such that pk R, an M 0, 1}, we hae RVerif pp M, R, RSignpp sk, M, R = 1. A ring signature is unforgeable with respect to insider corruption if it is infeasible to forge a ring signature without controlling one of the ring members. Definition 7 Unforgeabilit w.r.t. insider corruption. A ring signature scheme RSetup, RKgen, RSign, RVerif is unforgeable w.r.t. insider corruption if for all PPT adersaries A, Pr[pp RSetup1 n ; M, R, Σ A PKGen,Sign,Corrupt pp : where: RVerif pp M, R, Σ = 1] negln, PKGen on the j-th quer runs pk j, sk j RKgenpp and returns pk j. Signj, M, R returns the output of RSign pp sk j, M, R proided: i pk j, sk j has been generated b PKGen; ii pk j R. Otherwise, it returns. Corruptj returns sk j, proided that pk j, sk j has been generated b PKGen.

18 A outputs M, R, Σ such that Sign, M, R has not been queried. Moreoer, R is non-empt and onl contains public kes pk j generated b PKGen for which j has not been corrupted. Definition 8. A ring signature scheme RSetup, RKgen, RSign, RVerif proides statistical anonmit if, for an possibl unbounded adersar A, [ ] pp RSetup1 n ; M, j 0, j 1, R A RKgenpp pp Pr b $ : AΣ = b 0, 1}; Σ RSign pp sk jb, M, R = 1/2 + negln, where pk j0, pk j1 R. Remark: Anonmit under full ke exposure [11] requires that the randomness used b KeGen be reealed to the adersar. In our construction, it does not make a difference since we assume computationall unbounded adersaries. A c-user ring signature scheme is a ariant of ring signatures, that onl supports rings of fixed sie c. Here, we do not assume an upper bound on the sie of a ring. Similarl to [37], we onl assume that all users agree on pre-existing public parameters pp. In our scheme, these public parameters consist of a modulus q and a random matrix A Z n 2nk q which can be deried from a random oracle. In this case, we onl need all users to agree on the parameters q and n. 4.2 The Underling Zero-Knowledge Protocol The ring signature scheme that we will present next relies on a simple extension of the ZKAoK in Section 3. Specificall, one more laer is added: apart from proing that it has a secret alue d that was properl accumulated to the root of the tree, P has to conince V that it knows a ector x 0, 1} m such that bina x mod q = d, or equialentl, A x = G d mod q. The associated relation R ring is defined as follows. Definition 9. Define the relation A, R ring = u Z n m q 0, 1} nk ; d 0, 1} nk, w 0, 1} l 0, 1} nk l, x 0, 1} m : TVerif A u, d, w = 1 A x = G d mod q }. A ZKAoK for R ring can be obtained from the one in Section 3, where the new laer is handled b the same extend-then-permute technique. As before, the protocol relies on the string commitment scheme from [41], which is statisticall hiding and computationall binding if the SIVPÕn problem is hard. Lemma 4. Let us assume that the SIVPÕn problem is hard. Then, there exists a statistical ZKAoK for the relation R ring with perfect completeness and communication cost Õl n. In particular:

19 There exists an efficient simulator that, on input A, u, outputs an accepted transcript which is statisticall close to that produced b the real proer. There exists an efficient knowledge extractor that, on input 3 alid responses RSP 1, RSP 2, RSP 3 to the same commitment CMT, outputs d, w, x such that A, u, d, w, x R ring. The full description and analsis of the argument sstem are gien in Appendix A. 4.3 Description of the Ring Signature Scheme We now will construct a ring signature scheme for rings of N = 2 l users based on the Merkle-tree accumulator presented in Section 3. Our ring signature can be easil adapted for the case when the sie of the ring is not a power of 2 see Remark 1. The scheme uses parameters n, m, q defined as in Section 3, parameter κ = ωlog n that determines the number of protocol repetitions, and a random oracle H FS : 0, 1} 1, 2, 3} κ. RSetupn : Sample A $ Z n m q, and output pp = A. RKgenpp = A : Pick x $ 0, 1} m, compute d = bina x mod q 0, 1} nk, and output sk, pk = x, d. RSign pp sk, M, R : Gien a ring R = d 0,..., d N 1, where d i 0, 1} nk for eer i [0, N 1], and sk = x 0, 1} m such that d = binax mod q R, this algorithm generates a ring signature Σ on M 0, 1} as follows: 1. Run algorithm TAcc A R to build the Merkle tree based on R and the hash function h A, and obtain the root u 0, 1} nk. 2. Run algorithm TWitness A R, d to get a witness w = j 1,..., j l 0, 1} l, w l,..., w 1 0, 1} nk l to the fact that d was properl accumulated in u. 3. Generate a NIZKAoK Π ring to demonstrate the possession of a alid pair sk, pk = x, d such that d is properl accumulated in u. This is done b running the protocol in Section 4.2 with public input A, u and proer s witness x, d, w. The protocol is repeated κ = ωlog n times to achiee negligible soundness error and made non-interactie ia the Fiat-Shamir heuristic as a triple Π ring = CMT i } κ i=1, CH, RSP}κ i=1, where CH = H FS M, CMTi } κ i=1, A, u, R 1, 2, 3} κ. 4. Let Σ = Π ring. RVerif pp M, R, Σ : Gien pp = A, a message M, a ring R = d 0,..., d N 1, and a signature Σ, this algorithm proceeds as follows: 1. Run algorithm TAcc A R to compute the root u of the tree.

20 2. Parse Σ as Σ = CMT i } κ i=1, Ch 1,..., Ch κ, RSP} κ i=1. Return 0 if Ch 1,..., Ch κ H FS M, CMTi } κ i=1, A, u, R. 3. For each i = 1 to κ, run the erification phase of the protocol from Section 4.2 with public input A, u to check the alidit of RSP i with respect to CMT i and Ch i. If an of the conditions does not hold, then return 0. Otherwise, return Analsis of the Ring Signature Scheme We first summarie the properties of the gien ring signature scheme in the following theorem. Theorem 3. The ring signature scheme described in Section 4.3 is correct, and produces signatures of bit-sie Õn log N. In the random oracle model, the scheme is unforgeable w.r.t. insider corruption based on the worst-case hardness of the SIVPÕn problem, and it is statisticall anonmous. Correctness. The correctness of the ring signature scheme directl follows from the correctness of the accumulator scheme in Section 3 and the perfect completeness of the argument sstem in Section 4.2: A member of a ring can alwas obtain a tuple x, d, w such that A, u, d, w, x R ring, and thus, his signature on an message alwas get accepted b the erification algorithm. Efficienc. Since the underling protocol has communication cost Õl n, the signatures produced b the scheme has bit-sie Õκ l n = Õlog N n. Unforgeabilit with respect to insider corruption. For simplicit, the proof of unforgeabilit assumes that the cardinalit of each ring R is a power of 2. Howeer, this restriction can be easil eliminated, as we will see later on. The proof of unforgeabilit relies on the following Lemma from [49]. Lemma 5 [49],Lemma 8. For an matrix A Z n m q and a uniforml random x 0, 1} m, the probabilit that there exists another x 0, 1} m \x} such that A x = A x mod q is at least 1 2 n log q m. With m = 2nk and x $ 0, 1} m, there exists x 0, 1} m \ x} such that A x = A x mod q with oerwhelming probabilit 1 2 nk. Theorem 4. The scheme proides unforgeabilit w.r.t. insider corruption in the random oracle model if the SIVPÕn problem is hard. The proof is aailable in Appendix C. Statistical anonmit. The proof of the following theorem relies on the statistical witness indistinguishabilit of the argument sstem of Lemma 4. The proof is straightforward and omitted. Theorem 5. The scheme proides statistical anonmit in the random oracle model.

21 Remark 1. As alread mentioned, we can handle arbitrar ring sies. To this end, one option is to add dumm ring members d fake,1,..., d fake,r0 whose public kes are sampled obliiousl of their priate kes, b deriing them as d fake,j = bing 0 j 0, 1} nk for each j 1,..., r 0 }, where G 0 : N Z n q is an additional random oracle. A simpler solution is to duplicate one of the actual ring members until reaching a multi-set whose cardinalit is a power of two. 5 A Lattice-Based Group Signature without Trapdoors This section shows how to use our accumulator and argument sstems to build a lattice-based group signature which is dramaticall more efficient than preious proposals as it does not use an trapdoor. Indeed, surprisingl, the scheme does not rel on a standard digital signature to generate group members priate kes. 5.1 Definitions We recall the standard definitions and securit requirements for static group signatures [8]. A group signature scheme is a tuple of 4 polnomial-time algorithms GKegen, GSign, GVerif, GOpen defined as follows: GKegen: This is a probabilistic algorithm that takes as input 1 n, 1 N, where n N is the securit parameter and N N is the number of group users, and outputs a triple gpk, gmsk, gsk, where gpk is the group public ke; gmsk is the group manager s secret ke; and gsk = gsk[0],..., gsk[n 1], where for j 0,..., N 1}, gsk[j] is the secret ke for the group user of index j. GSign: is a randomied algorithm that inputs gpk, a secret ke gsk[j] for some j 0,..., N 1}, and a message M. It returns a group signature Σ on M. GVerif: This deterministic algorithm takes as input the group public ke gpk, a message M, a purported signature Σ on M, and returns either 1 or 0. GOpen: This deterministic algorithm takes as input the group public ke gpk, the group manager s secret ke gmsk, a message M, a signature Σ on M, and returns an index j 0,..., N 1}, or to indicate failure. Correctness. The correctness requirement is stated as follows. For all n, N N, all gpk, gmsk, gsk produced b GKegen1 n, 1 N, all j 0,..., N 1}, and an message M 0, 1}, we hae GVerif gpk, M, GSigngpk, gsk[j], M = 1 and GOpen gpk, gmsk, M, GSigngsk[j], M = j. In static groups, the securit model of Bellare, Micciancio and Warinschi subsumes the desirable securit properties of group signatures using two securit notions called full anonmit and full traceabilit.

22 Exp anon-b GS,A n, N gpk, gmsk, gsk GKeGen1 n, 1 N st, j 0, j 1, M A GS.GOpengpk,msk,.,. 1 gpk, gsk Σ GSigngpk, gsk[j b ], M b A GS.GOpengpk,msk,.,., M,Σ 2 st, Σ Return b Exp trace GS,An, N gpk, gmsk, gsk GKegen1 n, 1 N st gmsk, gpk C ; K ε ; Cont true while Cont = true do Cont, st, j A GS.GSigngpk,gsk[ ], 1 st, K if Cont = true then C C j}; K gsk[j] end if end while; M, Σ A GS.GSigngpk,gsk[ ], 2 st if GVerifgpk, M, Σ = 0, Return 0 if GOpengpk, gmsk, M, Σ =, Return 1 if GOpengpk, gmsk, M, Σ = j j 0,..., N 1} \ C no signing quer inoledj, M then Return 1 else Return 0 Fig. 3: Experiments for the definitions of anonmit and full traceabilit Full anonmit. Full anonmit requires that, without the group manager s secret ke, no efficient adersar can infer the identit of a user from its signatures. The adersar should een be unable to distinguish signatures from two distinct users j 0, j 1, een knowing their priate kes gsk[j 0 ], gsk[j 1 ]. Moreoer, this should remain true een when the adersar is granted access to an oracle that opens arbitrar message-signature pairs M, Σ M, Σ, where M, Σ is the challenge pair generated b the challenger on behalf of user j b, for some b 0, 1}. Formall, the attacker, modeled as a two-stage adersar A = A 1, A 2, is run in the first experiment depicted in Figure 3. The adersar s adantage is defined as Ad anon GS,An, N = Pr[Exp anon-1 GS,A n, N = 1] Pr[Exp anon-0 GS,A n, N = 1]. Definition 10 Full anonmit, [8]. A group signature is full anonmous if, for an polnomial N and an PPT adersar A, Ad anon GS,An, N is a negligible function in the securit parameter n. Full traceabilit. Full traceabilit mandates that all signatures, een those created b colluding users and the group manager who pool their secrets together, be traceable to a member of the coalition. The attacker is modeled as a twostage adersar A = A 1, A 2 which is run in the second experiment of Figure 3, where it is further granted access to an oracle GS.GSigngpk, gsk[ ], that returns signatures on behalf of an honest group member. Its success probabilit

Similar documents

Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures without Trapdoors

Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures without Trapdoors Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures without Trapdoors Benoît Libert 1, San Ling 2, Khoa Nguyen 2, and Huaxiong Wang 2 1 Ecole

More information

Group Signatures from Lattices: Simpler, Tighter, Shorter, Ring-based

Group Signatures from Lattices: Simpler, Tighter, Shorter, Ring-based Group Signatures from Lattices: Simpler, Tighter, Shorter, Ring-based San Ling and Khoa Nguyen and Huaxiong Wang NTU, Singapore ENS de Lyon, 30/09/2015 Content 1 Introduction Previous Works on Lattice-Based

More information

Lattice-Based Zero-Knowledge Arguments for Integer Relations

Lattice-Based Zero-Knowledge Arguments for Integer Relations Lattice-Based Zero-Knowledge Arguments for Integer Relations Benoît Libert 1 San Ling 2 Khoa Nguyen 2 Huaxiong Wang 2 1 CNRS and ENS Lyon, France 2 Nanyang Technological University, Singapore CRYPTO 2018,

More information

Improved Zero-knowledge Protocol for the ISIS Problem, and Applications

Improved Zero-knowledge Protocol for the ISIS Problem, and Applications Improved Zero-knowledge Protocol for the ISIS Problem, and Applications Khoa Nguyen, Nanyang Technological University (Based on a joint work with San Ling, Damien Stehlé and Huaxiong Wang) December, 29,

More information

Lattice-Based Group Signatures: Achieving Full Dynamicity with Ease

Lattice-Based Group Signatures: Achieving Full Dynamicity with Ease Lattice-Based Group Signatures: Achieving Full Dynamicity with Ease San Ling, Khoa Nguyen, Huaxiong Wang, Yanhong Xu Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang

More information

arxiv: v1 [cs.cr] 25 Jan 2018

arxiv: v1 [cs.cr] 25 Jan 2018 Forward-Secure Group Signatures from Lattices San Ling, Khoa Nguyen, Huaxiong Wang, Yanhong Xu arxiv:1801.08323v1 [cs.cr] 25 Jan 2018 Division of Mathematical Sciences, School of Physical and Mathematical

More information

Forward-Secure Group Signatures from Lattices

Forward-Secure Group Signatures from Lattices Forward-Secure Group Signatures from Lattices San Ling, Khoa Nguyen, Huaxiong Wang, Yanhong Xu Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University,

More information

Ring Group Signatures

Ring Group Signatures Ring Group Signatures Liqun Chen Hewlett-Packard Laboratories, Long Down Avenue, Stoke Gifford, Bristol, BS34 8QZ, United Kingdom. liqun.chen@hp.com Abstract. In many applications of group signatures,

More information

A Group Signature Scheme from Lattice Assumptions

A Group Signature Scheme from Lattice Assumptions A Group Signature Scheme from Lattice Assumptions S. Dov Gordon Jonathan Katz Vinod Vaikuntanathan Abstract Group signature schemes allow users to sign messages on behalf of a group while (1) maintaining

More information

Schnorr Signature. Schnorr Signature. October 31, 2012

Schnorr Signature. Schnorr Signature. October 31, 2012 . October 31, 2012 Table of contents Salient Features Preliminaries Security Proofs Random Oracle Heuristic PKS and its Security Models Hardness Assumption The Construction Oracle Replay Attack Security

More information

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,

More information

Short Lattice-based One-out-of-Many Proofs and Applications to Ring Signatures

Short Lattice-based One-out-of-Many Proofs and Applications to Ring Signatures Short Lattice-based One-out-of-Many Proofs and Applications to Ring Signatures Muhammed F. Esgin 1,2, Ron Steinfeld 1, Amin Sakzad 1, Joseph K. Liu 1, and Dongxi Liu 2 1 Faculty of Information Technology,

More information

A Provably Secure Group Signature Scheme from Code-Based Assumptions

A Provably Secure Group Signature Scheme from Code-Based Assumptions A Provably Secure Group Signature Scheme from Code-Based Assumptions Martianus Frederic Ezerman, Hyung Tae Lee, San Ling, Khoa Nguyen, Huaxiong Wang NTU, Singapore ASIACRYPT 15-01/12/15 Group Signatures

More information

Vector Commitments and their Applications

Vector Commitments and their Applications Vector Commitments and their Applications Dario Catalano 1 and Dario Fiore 2 1 Dipartimento di Matematica e Informatica, Università di Catania, Italy. catalano@dmi.unict.it 2 Max Planck Institute for Software

More information

Tightly-Secure Signatures From Lossy Identification Schemes

Tightly-Secure Signatures From Lossy Identification Schemes Tightly-Secure Signatures From Lossy Identification Schemes Michel Abdalla, Pierre-Alain Fouque, Vadim Lyubashevsky, and Mehdi Tibouchi 2 École normale supérieure {michel.abdalla,pierre-alain.fouque,vadim.lyubashevsky}@ens.fr

More information

An Identification Scheme Based on KEA1 Assumption

An Identification Scheme Based on KEA1 Assumption All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to

More information

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004 CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce

More information

An example of Lagrangian for a non-holonomic system

An example of Lagrangian for a non-holonomic system Uniersit of North Georgia Nighthaks Open Institutional Repositor Facult Publications Department of Mathematics 9-9-05 An eample of Lagrangian for a non-holonomic sstem Piotr W. Hebda Uniersit of North

More information

Lecture Notes 20: Zero-Knowledge Proofs

Lecture Notes 20: Zero-Knowledge Proofs CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties

More information

Katz, Lindell Introduction to Modern Cryptrography

Katz, Lindell Introduction to Modern Cryptrography Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key

More information

Transitive Signatures Based on Non-adaptive Standard Signatures

Transitive Signatures Based on Non-adaptive Standard Signatures Transitive Signatures Based on Non-adaptive Standard Signatures Zhou Sujing Nanyang Technological University, Singapore, zhousujing@pmail.ntu.edu.sg Abstract. Transitive signature, motivated by signing

More information

Authentication. Chapter Message Authentication

Authentication. Chapter Message Authentication Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,

More information

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain

More information

Sampling Lattice Trapdoors

Sampling Lattice Trapdoors Sampling Lattice Trapdoors November 10, 2015 Today: 2 notions of lattice trapdoors Efficient sampling of trapdoors Application to digital signatures Last class we saw one type of lattice trapdoor for a

More information

Lecture 3: Interactive Proofs and Zero-Knowledge

Lecture 3: Interactive Proofs and Zero-Knowledge CS 355 Topics in Cryptography April 9, 2018 Lecture 3: Interactive Proofs and Zero-Knowledge Instructors: Henry Corrigan-Gibbs, Sam Kim, David J. Wu So far in the class, we have only covered basic cryptographic

More information

A survey on quantum-secure cryptographic systems

A survey on quantum-secure cryptographic systems A survey on quantum-secure cryptographic systems Tomoka Kan May 24, 2018 1 Abstract Post-quantum cryptography refers to the search for classical cryptosystems which remain secure in the presence of a quantum

More information

SIS-based Signatures

SIS-based Signatures Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin February 26, 2013 Basics We will use the following parameters: n, the security parameter. =poly(n). m 2n log s 2 n

More information

Foundation of Cryptography, Lecture 7 Non-Interactive ZK and Proof of Knowledge

Foundation of Cryptography, Lecture 7 Non-Interactive ZK and Proof of Knowledge Foundation of Cryptography, Lecture 7 Non-Interactive ZK and Proof of Knowledge Handout Mode Iftach Haitner, Tel Aviv University Tel Aviv University. April 1, 2014 Iftach Haitner (TAU) Foundation of Cryptography

More information

1 Number Theory Basics

1 Number Theory Basics ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his

More information

PAPER An Identification Scheme with Tight Reduction

PAPER An Identification Scheme with Tight Reduction IEICE TRANS. FUNDAMENTALS, VOL.Exx A, NO.xx XXXX 200x PAPER An Identification Scheme with Tight Reduction Seiko ARITA, Member and Natsumi KAWASHIMA, Nonmember SUMMARY There are three well-known identification

More information

Digital Signature Schemes and the Random Oracle Model. A. Hülsing

Digital Signature Schemes and the Random Oracle Model. A. Hülsing Digital Signature Schemes and the Random Oracle Model A. Hülsing Today s goal Review provable security of in use signature schemes. (PKCS #1 v2.x) PAGE 1 Digital Signature Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/dsa.jpg

More information

On the Non-malleability of the Fiat-Shamir Transform

On the Non-malleability of the Fiat-Shamir Transform An extended abstract of this paper is published in the proceedings of the 13th International Conference on Cryptology in India [21] Indocrypt 2012. This is the full version. On the Non-malleability of

More information

Sub-linear Blind Ring Signatures without Random Oracles

Sub-linear Blind Ring Signatures without Random Oracles Sub-linear Blind Ring Signatures without Random Oracles Essam Ghadafi Dept. Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB. United Kingdom. ghadafi@cs.bris.ac.uk

More information

Foundations of Cryptography

Foundations of Cryptography - 111 - Foundations of Cryptography Notes of lecture No. 10B & 11 (given on June 11 & 18, 1989) taken by Sergio Rajsbaum Summary In this lecture we define unforgeable digital signatures and present such

More information

George Danezis Microsoft Research, Cambridge, UK

George Danezis Microsoft Research, Cambridge, UK George Danezis Microsoft Research, Cambridge, UK Identity as a proxy to check credentials Username decides access in Access Control Matrix Sometime it leaks too much information Real world examples Tickets

More information

Entity Authentication

Entity Authentication Entity Authentication Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Entity authentication pk (sk, pk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) Is it Charlie? α k The

More information

VI. The Fiat-Shamir Heuristic

VI. The Fiat-Shamir Heuristic VI. The Fiat-Shamir Heuristic - as already seen signatures can be used and are used in practice to design identification protocols - next we show how we can obtain signatures schemes from - protocols using

More information

On the (In)security of the Fiat-Shamir Paradigm

On the (In)security of the Fiat-Shamir Paradigm On the (In)security of the Fiat-Shamir Paradigm Shafi Goldwasser Yael Tauman February 2, 2004 Abstract In 1986, Fiat and Shamir proposed a general method for transforming secure 3-round public-coin identification

More information

Constant-round Leakage-resilient Zero-knowledge from Collision Resistance *

Constant-round Leakage-resilient Zero-knowledge from Collision Resistance * Constant-round Leakage-resilient Zero-knowledge from Collision Resistance * Susumu Kiyoshima NTT Secure Platform Laboratories, Tokyo, Japan kiyoshima.susumu@lab.ntt.co.jp August 20, 2018 Abstract In this

More information

Communication-Efficient Non-Interactive Proofs of Knowledge with Online Extractors

Communication-Efficient Non-Interactive Proofs of Knowledge with Online Extractors Communication-Efficient Non-Interactive Proofs of Knowledge with Online Extractors Marc Fischlin Institute for Theoretical Computer Science, ETH Zürich, Switzerland marc.fischlin @ inf.ethz.ch http://www.fischlin.de/

More information

Statistical WI (and more) in Two Messages

Statistical WI (and more) in Two Messages Statistical WI (and more) in Two Messages Yael Tauman Kalai MSR Cambridge, USA. yael@microsoft.com Dakshita Khurana UCLA, USA. dakshita@cs.ucla.edu Amit Sahai UCLA, USA. sahai@cs.ucla.edu Abstract Two-message

More information

Homework 3 Solutions

Homework 3 Solutions 5233/IOC5063 Theory of Cryptology, Fall 205 Instructor Prof. Wen-Guey Tzeng Homework 3 Solutions 7-Dec-205 Scribe Amir Rezapour. Consider an unfair coin with head probability 0.5. Assume that the coin

More information

Group Undeniable Signatures

Group Undeniable Signatures Group Undeniable Signatures YUH-DAUH LYUU Dept. of Computer Science & Information Engineering and Dept. of Finance National Taiwan University No 1, Sec 4, Roosevelt Rd, Taipei, Taiwan lyuu@csie.ntu.edu.tw

More information

Adaptive Oblivious Transfer with Access Control from Lattice Assumptions

Adaptive Oblivious Transfer with Access Control from Lattice Assumptions Adaptive Oblivious Transfer with Access Control from Lattice Assumptions Benoît Libert 1,2, San Ling 3, Fabrice Mouhartem 2, Khoa Nguyen 3, and Huaxiong Wang 3 1 CNRS, Laboratoire LIP, France 2 ENS de

More information

The Inverse Function Theorem

The Inverse Function Theorem Inerse Function Theorem April, 3 The Inerse Function Theorem Suppose and Y are Banach spaces and f : Y is C (continuousl differentiable) Under what circumstances does a (local) inerse f exist? In the simplest

More information

A Lattice-Based Group Signature Scheme with Message-Dependent Opening

A Lattice-Based Group Signature Scheme with Message-Dependent Opening A Lattice-Based Group Signature Scheme with Message-Dependent Opening Benoît Libert, Fabrice Mouhartem, Khoa Nguyen To cite this version: Benoît Libert, Fabrice Mouhartem, Khoa Nguyen. A Lattice-Based

More information

Cryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1

Cryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1 Cryptography CS 555 Topic 23: Zero-Knowledge Proof and Cryptographic Commitment CS555 Topic 23 1 Outline and Readings Outline Zero-knowledge proof Fiat-Shamir protocol Schnorr protocol Commitment schemes

More information

Lattice-based Multi-signature with Linear Homomorphism

Lattice-based Multi-signature with Linear Homomorphism Copyright c 2016 The Institute of Electronics, Information and Communication Engineers SCIS 2016 2016 Symposium on Cryptography and Information Security Kumamoto, Japan, Jan. 19-22, 2016 The Institute

More information

Cryptographic Protocols Notes 2

Cryptographic Protocols Notes 2 ETH Zurich, Department of Computer Science SS 2018 Prof. Ueli Maurer Dr. Martin Hirt Chen-Da Liu Zhang Cryptographic Protocols Notes 2 Scribe: Sandro Coretti (modified by Chen-Da Liu Zhang) About the notes:

More information

Outline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.

Outline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval. Provable Security in the Computational Model III Signatures David Pointcheval Ecole normale supérieure, CNRS & INRI Public-Key Encryption Signatures 2 dvanced Security for Signature dvanced Security Notions

More information

Signatures with Flexible Public Key: A Unified Approach to Privacy-Preserving Signatures (Full Version)

Signatures with Flexible Public Key: A Unified Approach to Privacy-Preserving Signatures (Full Version) Signatures with Flexible Public Key: A Unified Approach to Privacy-Preserving Signatures (Full Version) Michael Backes 1,3, Lucjan Hanzlik 2,3, Kamil Kluczniak 4, and Jonas Schneider 2,3 1 CISPA Helmholtz

More information

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 2001, vol. 2020 of Lecture Notes in Computer

More information

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key

More information

ECash and Anonymous Credentials

ECash and Anonymous Credentials ECash and Anonymous Credentials CS/ECE 598MAN: Applied Cryptography Nikita Borisov November 9, 2009 1 E-cash Chaum s E-cash Offline E-cash 2 Anonymous Credentials e-cash-based Credentials Brands Credentials

More information

Accumulators from Bilinear Pairings and Applications to ID-based Ring Signatures and Group Membership Revocation

Accumulators from Bilinear Pairings and Applications to ID-based Ring Signatures and Group Membership Revocation Accumulators from Bilinear Pairings and Applications to ID-based Ring Signatures and Group Membership Revocation 1 Lan Nguyen Centre for Information Security, University of Wollongong, Wollongong 2522,

More information

The Cramer-Shoup Strong-RSA Signature Scheme Revisited

The Cramer-Shoup Strong-RSA Signature Scheme Revisited The Cramer-Shoup Strong-RSA Signature Scheme Revisited Marc Fischlin Johann Wolfgang Goethe-University Frankfurt am Main, Germany marc @ mi.informatik.uni-frankfurt.de http://www.mi.informatik.uni-frankfurt.de/

More information

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Yehuda Lindell Dept. of Computer Science and Applied Math. The Weizmann Institute of Science Rehovot 76100, Israel. lindell@wisdom.weizmann.ac.il

More information

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium

More information

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018 COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police

More information

Constant-Round Non-Malleable Commitments from Any One-Way Function

Constant-Round Non-Malleable Commitments from Any One-Way Function Constant-Round Non-Malleable Commitments from Any One-Way Function Huijia Lin Rafael Pass Abstract We show unconditionally that the existence of commitment schemes implies the existence of constant-round

More information

Cryptographical Security in the Quantum Random Oracle Model

Cryptographical Security in the Quantum Random Oracle Model Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons

More information

Relaxed Lattice-Based Signatures with Short Zero-Knowledge Proofs

Relaxed Lattice-Based Signatures with Short Zero-Knowledge Proofs Relaxed Lattice-Based Signatures with Short Zero-Knowledge Proofs Cecilia Boschini, Jan Camenisch, and Gregory Neven IBM Research Zurich {bos, jca, nev}@zurich.ibm.com Abstract. Higher-level cryptographic

More information

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations CMSC 858K Advanced Topics in Cryptography April 20, 2004 Lecturer: Jonathan Katz Lecture 22 Scribe(s): agaraj Anthapadmanabhan, Ji Sun Shin 1 Introduction to These otes In the previous lectures, we saw

More information

Floppy-Sized Group Signatures from Lattices

Floppy-Sized Group Signatures from Lattices Floppy-Sized Group Signatures from Lattices Cecilia Boschini 1,2( ), Jan Camenisch 1, and Gregory Neven 1 1 IBM Research, Zurich, Switzerland 2 Università della Svizzera Italiana, Lugano, Switzerland {bos,jca,nev}@zurich.ibm.com

More information

Efficient Chosen-Ciphtertext Secure Public Key Encryption Scheme From Lattice Assumption

Efficient Chosen-Ciphtertext Secure Public Key Encryption Scheme From Lattice Assumption Appl. Math. Inf. Sci. 8, No. 2, 633-638 (2014) 633 Applied Mathematics & Information Sciences An International Journal http://dx.doi.org/10.12785/amis/080221 Efficient Chosen-Ciphtertext Secure Public

More information

Question 1. The Chinese University of Hong Kong, Spring 2018

Question 1. The Chinese University of Hong Kong, Spring 2018 CSCI 5440: Cryptography The Chinese University of Hong Kong, Spring 2018 Homework 2 Solutions Question 1 Consider the following encryption algorithm based on the shortlwe assumption. The secret key is

More information

Statistically Secure Sigma Protocols with Abort

Statistically Secure Sigma Protocols with Abort AARHUS UNIVERSITY COMPUTER SCIENCE MASTER S THESIS Statistically Secure Sigma Protocols with Abort Author: Anders Fog BUNZEL (20112293) Supervisor: Ivan Bjerre DAMGÅRD September 2016 AARHUS AU UNIVERSITY

More information

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1] CMSC 858K Advanced Topics in Cryptography February 19, 2004 Lecturer: Jonathan Katz Lecture 8 Scribe(s): Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan 1 Introduction Last time we introduced

More information

Lattice-Based Non-Interactive Arugment Systems

Lattice-Based Non-Interactive Arugment Systems Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover

More information

Round-Optimal Fully Black-Box Zero-Knowledge Arguments from One-Way Permutations

Round-Optimal Fully Black-Box Zero-Knowledge Arguments from One-Way Permutations Round-Optimal Fully Black-Box Zero-Knowledge Arguments from One-Way Permutations Carmit Hazay 1 and Muthuramakrishnan Venkitasubramaniam 2 1 Bar-Ilan University 2 University of Rochester Abstract. In this

More information

Experimental plug and play quantum coin flipping Supplementary Information

Experimental plug and play quantum coin flipping Supplementary Information Experimental plug and pla quantum coin flipping Supplementar Information SUPPLEMENTARY FIGURES SUPPLEMENTARY NOTES Supplementar Note 1 - Securit Analsis 1 Φ 1,1 Φ 0,1 + θ = cos 1 Φ 0,0 0 Φ 1,0 Supplementar

More information

Inaccessible Entropy and its Applications. 1 Review: Psedorandom Generators from One-Way Functions

Inaccessible Entropy and its Applications. 1 Review: Psedorandom Generators from One-Way Functions Columbia University - Crypto Reading Group Apr 27, 2011 Inaccessible Entropy and its Applications Igor Carboni Oliveira We summarize the constructions of PRGs from OWFs discussed so far and introduce the

More information

Construction of universal one-way hash functions: Tree hashing revisited

Construction of universal one-way hash functions: Tree hashing revisited Discrete Applied Mathematics 155 (2007) 2174 2180 www.elsevier.com/locate/dam Note Construction of universal one-way hash functions: Tree hashing revisited Palash Sarkar Applied Statistics Unit, Indian

More information

Scalar multiplication and algebraic direction of a vector

Scalar multiplication and algebraic direction of a vector Roberto s Notes on Linear Algebra Chapter 1: Geometric ectors Section 5 Scalar multiplication and algebraic direction of a ector What you need to know already: of a geometric ectors. Length and geometric

More information

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it

More information

Disjunctions for Hash Proof Systems: New Constructions and Applications

Disjunctions for Hash Proof Systems: New Constructions and Applications Disjunctions for Hash Proof Systems: New Constructions and Applications Michel Abdalla, Fabrice Benhamouda, and David Pointcheval ENS, Paris, France Abstract. Hash Proof Systems were first introduced by

More information

Efficient Public-Key Cryptography in the Presence of Key Leakage

Efficient Public-Key Cryptography in the Presence of Key Leakage Efficient Public-Key Cryptography in the Presence of Key Leakage Yevgeniy Dodis Kristiyan Haralambiev Adriana López-Alt Daniel Wichs August 17, 2010 Abstract We study the design of cryptographic primitives

More information

CRYPTANALYSIS OF COMPACT-LWE

CRYPTANALYSIS OF COMPACT-LWE SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption

More information

MTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu

MTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu MTAT.07.003 Cryptology II Zero-knowledge Proofs Sven Laur University of Tartu Formal Syntax Zero-knowledge proofs pk (pk, sk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) (pk,sk)? R

More information

Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from Symmetric-Key Primitives

Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from Symmetric-Key Primitives Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from Symmetric-Key Primitives David Derler 1, Sebastian Ramacher 1, and Daniel Slamanig 2 1 IAIK, Graz University

More information

Primary-Secondary-Resolver Membership Proof Systems

Primary-Secondary-Resolver Membership Proof Systems Primary-Secondary-Resolver Membership Proof Systems Moni Naor and Asaf Ziv Weizmann Institute of Science, Department of Computer Science and Applied Mathematics. {moni.naor,asaf.ziv}@weizmann.ac.il. Abstract.

More information

Augmented Black-Box Simulation and Zero Knowledge Argument for NP

Augmented Black-Box Simulation and Zero Knowledge Argument for NP Augmented Black-Box Simulation and Zero Knowledge Argument for N Li Hongda, an Dongxue, Ni eifang The Data Assurance and Communication Security Research Center, School of Cyber Security, University of

More information

Higher Order Universal One-Way Hash Functions from the Subset Sum Assumption

Higher Order Universal One-Way Hash Functions from the Subset Sum Assumption Higher Order Universal One-Way Hash Functions from the Subset Sum Assumption Ron Steinfeld, Josef Pieprzyk, Huaxiong Wang Dept. of Computing, Macquarie University, Australia {rons, josef, hwang}@ics.mq.edu.au

More information

From Secure MPC to Efficient Zero-Knowledge

From Secure MPC to Efficient Zero-Knowledge From Secure MPC to Efficient Zero-Knowledge David Wu March, 2017 The Complexity Class NP NP the class of problems that are efficiently verifiable a language L is in NP if there exists a polynomial-time

More information

CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16

CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16 CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16 Groth-Sahai proofs helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Interactive zero knowledge from Σ-protocols

More information

March 19: Zero-Knowledge (cont.) and Signatures

March 19: Zero-Knowledge (cont.) and Signatures March 19: Zero-Knowledge (cont.) and Signatures March 26, 2013 1 Zero-Knowledge (review) 1.1 Review Alice has y, g, p and claims to know x such that y = g x mod p. Alice proves knowledge of x to Bob w/o

More information

Classical hardness of the Learning with Errors problem

Classical hardness of the Learning with Errors problem Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness

More information

A Transform for NIZK Almost as Efficient and General as the Fiat-Shamir Transform Without Programmable Random Oracles

A Transform for NIZK Almost as Efficient and General as the Fiat-Shamir Transform Without Programmable Random Oracles A Transform for NIZK Almost as Efficient and General as the Fiat-Shamir Transform Without Programmable Random Oracles Michele Ciampi DIEM University of Salerno ITALY mciampi@unisa.it Giuseppe Persiano

More information

Lecture 10: Zero-Knowledge Proofs

Lecture 10: Zero-Knowledge Proofs Lecture 10: Zero-Knowledge Proofs Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Some of these slides are based on note by Boaz Barak. Quo vadis? Eo Romam

More information

Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh

Analysis - Post-Quantum Security of Fiat-Shamir by Dominic Unruh Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh Bruno Produit Institute of Computer Science University of Tartu produit@ut.ee December 19, 2017 Abstract This document is an analysis

More information

Anonymous Signatures Made Easy

Anonymous Signatures Made Easy Anonymous Signatures Made Easy Marc Fischlin Darmstadt University of Technology, Germany marc.fischlin @ gmail.com www.fischlin.de Abstract. At PKC 2006, Yang, Wong, Deng and Wang proposed the notion of

More information

A Geometric Review of Linear Algebra

A Geometric Review of Linear Algebra A Geometric Reiew of Linear Algebra The following is a compact reiew of the primary concepts of linear algebra. The order of presentation is unconentional, with emphasis on geometric intuition rather than

More information

Notes on Zero Knowledge

Notes on Zero Knowledge U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based

More information

Better Zero-Knowledge Proofs for Lattice Encryption and Their Application to Group Signatures

Better Zero-Knowledge Proofs for Lattice Encryption and Their Application to Group Signatures Better Zero-Knowledge Proofs for Lattice Encryption and Their Application to Group Signatures Fabrice Benhamouda 1, Jan Camenisch 2, Stephan Krenn 2, Vadim Lyubashevsky 3,1, Gregory Neven 2 1 Département

More information

Dr George Danezis University College London, UK

Dr George Danezis University College London, UK Dr George Danezis University College London, UK Identity as a proxy to check credentials Username decides access in Access Control Matrix Sometime it leaks too much information Real world examples Tickets

More information

CS 355: Topics in Cryptography Spring Problem Set 5.

CS 355: Topics in Cryptography Spring Problem Set 5. CS 355: Topics in Cryptography Spring 2018 Problem Set 5 Due: June 8, 2018 at 5pm (submit via Gradescope) Instructions: You must typeset your solution in LaTeX using the provided template: https://crypto.stanford.edu/cs355/homework.tex

More information

2 Message authentication codes (MACs)

2 Message authentication codes (MACs) CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security Outline Authentication CPSC 467b: Cryptography and Computer Security Lecture 18 Michael J. Fischer Department of Computer Science Yale University March 29, 2010 Michael J. Fischer CPSC 467b, Lecture 18

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 19 November 8, 2017 CPSC 467, Lecture 19 1/37 Zero Knowledge Interactive Proofs (ZKIP) ZKIP for graph isomorphism Feige-Fiat-Shamir

More information

A short report on: Pinocchio: Nearly Practical Verifiable Computation. Karim Baghery. Supervised by Prof. Dominique Unruh

A short report on: Pinocchio: Nearly Practical Verifiable Computation. Karim Baghery. Supervised by Prof. Dominique Unruh A short report on: Pinocchio: Nearl Practical Verifiable Computation Karim Bagher Superised b Prof. Dominique Unruh Uniersit of Tartu, Estonia karim.bagher@ut.ee December 17, 2016 Abstract In this report,

More information
2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback