Logarithmic-Size Ring Signatures with Tight Security from the DDH Assumption

Libert, Benôıt; Peters, Thomas; Qian, Chen

doi:10.1007/978-3-319-98989-1_15

Cited by 17 publications

(4 citation statements)

References 36 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Size DB m > 2 Digital Assets [42] O(N ) ✓ ✗ Bulletproofs [43] O(log(N )) ✓ ✗ Groth-Kohlweiss [19] O(log(N )) ✓ ✗ Log-Ring [38], [39] O(log(N )) ✓ ✗ Dual-Ring [40] O(log(N )) ✓ ✗ Repudiable Ring [41] O(log(N )) ✓ ✗ Our DBPoE O(log(N ) + m) ✓ ✓…”

Section: Protocolmentioning

confidence: 99%

Double-Blind Proof of Existence for Decentralized Identities

Alupotha

2023

IEEE Access

View full text Add to dashboard Cite

Decentralized identities return control of identities to the identity owners. Although current work enhances the privacy of these publicly stored identities using encryption and zero-knowledge proofs, decentralized identities can still be abused due to the following problems:• identity holders, e.g., blockchain peers, can profile identity owners by looking at "who is reading which identity data", and • identity verifiers, e.g., applications and websites, learn private data about owners, like their monetary values and previous transactions during the identity linking. In the worst case scenario, the identity holders and verifiers collaboratively profile users to learn more information. As a practical solution, we introduce the notion of Double Blind Proofs of Existence (DBPoE), which shows that an opened DID is committed in one of the constant-sized multi-generator Pedersen commitments (33 Bytes at 128-bit security), and nothing else. Hence, our DBPoE double-blinds identity holders and identity verifiers to mitigate private information leakage. Equally importantly, our multigenerator commitment-based DBPoE is more resistant to graph analysis than other one-of-many proofs, e.g., ring signatures, which we show mathematically using the maximal flow problem. Our DBPoE protocol has a size complexity of O(log 2 (N ) + m) when the real commitment is hidden in N commitments and m generators are used, e.g., when m = 4, a DBPoE of 1000 commitments is only 3 KB.

show abstract

Section: Protocolmentioning

confidence: 99%

Double-Blind Proof of Existence for Decentralized Identities

Alupotha

2023

IEEE Access

View full text Add to dashboard Cite

show abstract

“…The log-size signatures of [46,55,57] are obtained by applying Fiat-Shamir to Σ-protocols that are not immediately compatible with the BadChallenge function paradigm. In their settings, it would require to iterate a basic Σ-protocol (with small challenge space) a super-constant number of times, thus leading to a combinatorial explosion in the total number of bad challenges as each iteration would tolerate more than one bad challenge.…”

Section: One-shot Fiat-shamir-based Nizk Arguments Of Composite Resid...mentioning

confidence: 99%

One-Shot Fiat-Shamir-Based NIZK Arguments of Composite Residuosity and Logarithmic-Size Ring Signatures in the Standard Model

Libert

Nguyen

Peters

et al. 2022

Advances in Cryptology – EUROCRYPT 2022

Self Cite

View full text Add to dashboard Cite

The standard model security of the Fiat-Shamir transform has been an active research area for many years. In breakthrough results, Canetti et al. (STOC'19) and showed that, under the Learning-With-Errors (LWE) assumption, it provides soundness by applying correlation-intractable (CI) hash functions to so-called trapdoor Σ-protocols. In order to be compatible with CI hash functions based on standard LWE assumptions with polynomial approximation factors, all known such protocols have been obtained via parallel repetitions of a basic protocol with binary challenges. In this paper, we consider languages related to Paillier's composite residuosity assumption (DCR) for which we give the first trapdoor Σ-protocols providing soundness in one shot, via exponentially large challenge spaces. This improvement is analogous to the one enabled by Schnorr over the original Fiat-Shamir protocol in the random oracle model. Using the correlation-intractable hash function paradigm, we then obtain simulation-sound NIZK arguments showing that an element of Z * N 2 is a composite residue, which opens the door to space-efficient applications in the standard model. As a concrete example, we build logarithmic-size ring signatures (assuming a common reference string) with the shortest signature length among schemes based on standard assumptions in the standard model. We prove security under the DCR and LWE assumptions, while keeping the signature size comparable with that of random-oracle-based schemes.

show abstract

“…However, their security reduction was very loose due to using the Forking Lemma [PS96]. Based on this result, Libert et al [LPQ18] gave the first tightly-secure ring signature scheme with logarithmic signature size under the DDH assumption in the RO model. The number of users and the number of oracle queries do not affect their reduction cost at all.…”

Section: Related Workmentioning

confidence: 99%

“…So far, a lot of ring signature schemes with unconditional anonymity has been proposed in the common reference string (CRS) model and in the random oracle model (e.g., [DKNS04], [DRS18], [CGS07], [Gon19], [GK15], [LPQ18], [MS17], [RST01]). On the other hand, in the plain model, we have only one scheme proposed by Malavolta and Schröder [MS17].…”

mentioning

confidence: 99%