Group Signatures from Lattices: Simpler, Tighter, Shorter, Ring-Based

Ling, San; Nguyen, Khoa; Wang, Huaxiong

doi:10.1007/978-3-662-46447-2_19

Cited by 100 publications

(130 citation statements)

References 42 publications

Supporting

Mentioning

129

Contrasting

Order By: Relevance

“…Stern-like systems are less efficient than those of the first family because each protocol execution admits a constant soundness error, requiring the protocols to be repeated ω(log λ) times in order to achieve a negligible soundness error. On the upside, Stern-like protocols do have perfect completeness and are capable of handling a wide range of lattice-based relations [69,74,72,71,70], especially when the witnesses are not only required to be small or binary, but should also have prescribed arrangements of coordinates. Moreover, unlike protocols of the first family, the extractor of Stern-like protocols are able to output witness vectors having exactly the same properties as those expected from valid witnesses.…”

Section: Related Workmentioning

confidence: 99%

“…Despite the scarcity of truly efficient zero-knowledge proofs in the latticesetting, a recent body of work successfully designed proof systems in privacypreserving protocols [67,58,68,13,84,74]. These results, however, only considered ring signatures [19,67], group signatures [58,68,69,13,84,74], group encryption [70] or building blocks [71] for anonymous credentials [36].…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Zero-Knowledge Arguments for Lattice-Based PRFs and Applications to E-Cash

Libert

Ling

Nguyen

et al. 2017

Advances in Cryptology – ASIACRYPT 2017

Self Cite

View full text Add to dashboard Cite

Abstract. Beyond their security guarantees under well-studied assumptions, algebraic pseudo-random functions are motivated by their compatibility with efficient zero-knowledge proof systems, which is useful in a number of privacy applications like digital cash. We consider the problem of proving the correct evaluation of lattice-based PRFs based on the Learning-With-Rounding (LWR) problem introduced by Banerjee et al. (Eurocrypt'12). Namely, we are interested zero-knowledge arguments of knowledge of triples (y, k, x) such that y = F k (x) is the correct evaluation of a PRF for a secret input x and a committed key k. While analogous statements admit efficient zero-knowledge protocols in the discrete logarithm setting, they have never been addressed in lattices so far. We provide such arguments for the key homomorphic PRF of Boneh et al. (Crypto'13) and the generic PRF implied by the LWR-based pseudo-random generator. As an application of our ZK arguments, we design the first compact e-cash system based on lattice assumptions. By "compact", we mean that the complexity is at most logarithmic in the value of withdrawn wallets. Our system can be seen as a lattice-based analogue of the first compact e-cash construction due to Camenisch, Hohenberger and Lysyanskaya (Eurocrypt'05).

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Zero-Knowledge Arguments for Lattice-Based PRFs and Applications to E-Cash

Libert

Ling

Nguyen

et al. 2017

Advances in Cryptology – ASIACRYPT 2017

Self Cite

View full text Add to dashboard Cite

show abstract

“…Stern's protocol was originally proposed for code-based cryptography, and adapted to lattices by Kawachi et al [29]. It was subsequently empowered by Ling et al [37] to handle the matrix-vector relations associated with the SIS and inhomogeneous SIS problems and extended to design several lattice-based schemes: group signatures [38,36,34,39], policy-based signatures [12] and group encryption [35]. The basic protocol has 3 moves.…”

Section: Zero-knowledge Argument Systems and Stern-like Protocolsmentioning

confidence: 99%

“…These are less efficient than those of the first family because each protocol execution admits a constant soundness error, and require repeating protocols ω(log n) times, for a security parameter n, to achieve negligible soundness error. On the upside, Stern-like protocols have perfect completeness and can handle a wide range of lattice-based relations [38,36,12,34,35,39], especially when witnesses have to not only be small or binary, but also certain prescribed arrangement of coordinates. Furthermore, unlike protocols of the first family, the extractor of Stern-like protocols can output witness vectors with the same properties expected of valid witnesses.…”

Section: Introductionmentioning

confidence: 99%

Zero-Knowledge Password Policy Check from Lattices

Nguyen

Tan

Wang

2017

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. Passwords are ubiquitous and most commonly used to authenticate users when logging into online services. Using high entropy passwords is critical to prevent unauthorized access and password policies emerged to enforce this requirement on passwords. However, with current methods of password storage, poor practices and server breaches have leaked many passwords to the public. To protect one's sensitive information in case of such events, passwords should be hidden from servers. Verifier-based password authenticated key exchange, proposed by Bellovin and Merrit (IEEE S&P, 1992), allows authenticated secure channels to be established with a hash of a password (verifier). Unfortunately, this restricts password policies as passwords cannot be checked from their verifier. To address this issue, Kiefer and Manulis (ESORICS 2014) proposed zero-knowledge password policy check (ZKPPC). A ZKPPC protocol allows users to prove in zero knowledge that a hash of the user's password satisfies the password policy required by the server. Unfortunately, their proposal is not quantum resistant with the use of discrete logarithm-based cryptographic tools and there are currently no other viable alternatives. In this work, we construct the first post-quantum ZKPPC using lattice-based tools. To this end, we introduce a new randomised password hashing scheme for ASCII-based passwords and design an accompanying zero-knowledge protocol for policy compliance. Interestingly, our proposal does not follow the framework established by Kiefer and Manulis and offers an alternate construction without homomorphic commitments. Although our protocol is not ready to be used in practice, we think it is an important first step towards a quantum-resistant privacy-preserving password-based authentication and key exchange system.

show abstract

“…A current and independent work of Ling, Nguyen and Wang [49] also try to design an efficient lattice-based group signature scheme. Specifically, by first constructing a nice Stern-type [59] NIZK protocol, they propose a scheme which excels previous ones in [44,45] by a constant factor in terms of efficiency, i.e., all the sizes are still proportional to log N .…”

Section: Introductionmentioning

confidence: 99%

Simpler Efficient Group Signatures from Lattices

Nguyêñ

Zhang

2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract.A group signature allows a group member to anonymously sign messages on behalf of the group. In the past few years, new group signatures based on lattice problems have appeared: the most efficient lattice-based constructions are due to Laguillaumie et al. (Asiacrypt '13) and Langlois et al. (PKC '14). Both have at least O(n 2 log 2 n log N )-bit group public key and O(n log 3 n log N )-bit signature, where n is the security parameter and N is the maximum number of group members. In this paper, we present a simpler lattice-based group signature, which is more efficient by a O(log N ) factor in both the group public key and the signature size. We achieve this by using a new non-interactive zero-knowledge (NIZK) proof corresponding to a simple identity-encoding function. The security of our group signature can be reduced to the hardness of SIS and LWE in the random oracle model.

show abstract

Group Signatures from Lattices: Simpler, Tighter, Shorter, Ring-Based

Cited by 100 publications

References 42 publications

Zero-Knowledge Arguments for Lattice-Based PRFs and Applications to E-Cash

Zero-Knowledge Arguments for Lattice-Based PRFs and Applications to E-Cash

Zero-Knowledge Password Policy Check from Lattices

Simpler Efficient Group Signatures from Lattices

Contact Info

Product

Resources

About