Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives

Chase, Melissa; Derler, David; Goldfeder, Steven; Orlandi, Claudio; Ramacher, Sebastian; Rechberger, Christian; Slamanig, Daniel; Zaverucha, Greg

doi:10.1145/3133956.3133997

Cited by 168 publications

(76 citation statements)

References 59 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…We remark that, if we only had to prove the correct evaluation of binary addition circuits, MPC-based techniques [37,29,20] could perform slightly better than our protocols. However, they become much less efficient for the algebraic parts of the statements we have to prove (in particular, we also need to prove knowledge of openings of SIS-based commitments).…”

Section: Introductionmentioning

confidence: 89%

“…Moreover, it even simplifies the resulting protocols and reduces their complexity because the number of secret bits to deal with is smaller than in the above protocol. 20…”

Section: Zero-knowledge Arguments For Integer Additionsmentioning

confidence: 99%

“…However, they become much less efficient for the algebraic parts of the statements we have to prove (in particular, we also need to prove knowledge of openings of SIS-based commitments). Indeed, the MPC-in-the head paradigm [37] and its follow-ups [29,20] have linear complexities in the size of the circuit, which is much larger than the witness size as the commitment relation entails Θ(n(L + m)) additions and multiplications over Z q . In our protocols, proving knowledge of an opening takes Θ((L + m) log q) bits of communication.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Lattice-Based Zero-Knowledge Arguments for Integer Relations

Libert

Ling

Nguyen

et al. 2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

We provide lattice-based protocols allowing to prove relations among committed integers. While the most general zero-knowledge proof techniques can handle arithmetic circuits in the lattice setting, adapting them to prove statements over the integers is non-trivial, at least if we want to handle exponentially large integers while working with a polynomialsize modulus q. For a polynomial L, we provide zero-knowledge arguments allowing a prover to convince a verifier that committed L-bit bitstrings x, y and z are the binary representations of integers X, Y and Z satisfying Z = X + Y over Z. The complexity of our arguments is only linear in L. Using them, we construct arguments allowing to prove inequalities X < Z among committed integers, as well as arguments showing that a committed X belongs to a public interval [α, β], where α and β can be arbitrarily large. Our range arguments have logarithmic cost (i.e., linear in L) in the maximal range magnitude. Using these tools, we obtain zero-knowledge arguments showing that a committed element X does not belong to a public set S using O(n · log |S|) bits of communication, where n is the security parameter. We finally give a protocol allowing to argue that committed L-bit integers X, Y and Z satisfy multiplicative relations Z = XY over the integers, with communication cost subquadratic in L.To this end, we use our protocol for integer addition to prove the correct recursive execution of Karatsuba's multiplication algorithm. The security of our protocols relies on standard lattice assumptions with polynomial modulus and polynomial approximation factor.

show abstract

Section: Introductionmentioning

confidence: 89%

“…Moreover, it even simplifies the resulting protocols and reduces their complexity because the number of secret bits to deal with is smaller than in the above protocol. 20…”

Section: Zero-knowledge Arguments For Integer Additionsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Lattice-Based Zero-Knowledge Arguments for Integer Relations

Libert

Ling

Nguyen

et al. 2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…The minimization of the number of AND gates also plays a crucial role in high-level cryptography protocols such as zero-knowledge protocols, fully homomorphic encryption (FHE) and secure multiparty computation (MPC) [8,9]. In this scenario, AND gates are considered the "bottleneck" of the computation [8].…”

Section: Introductionmentioning

confidence: 99%

“…In this scenario, AND gates are considered the "bottleneck" of the computation [8]. In particular, it has been demonstrated that in post-quantum zero-knowledge signatures based on "MPC-in-the-head" [10], the size of the signature is proportional to the number of AND gates used by the underlying blockcipher [9]. For MPC protocols based on Yao's garbled circuits [11,12] with the free XOR technique [13], the total number of computations depends on the multiplicative complexity.…”

Section: Introductionmentioning

confidence: 99%

Reducing the Multiplicative Complexity in Logic Networks for Cryptography and Security Applications

Testa

Soeken

Amarù

et al. 2019

Proceedings of the 56th Annual Design Automation Conference 2019

View full text Add to dashboard Cite

Reducing the number of AND gates plays a central role in many cryptography and security applications. We propose a logic synthesis algorithm and tool to minimize the number of AND gates in a logic network composed of AND, XOR, and inverter gates. Our approach is fully automatic and exploits cut enumeration algorithms to explore optimization potentials in local subcircuits. The experimental results show that our approach can reduce the number of AND gates by 34% on average compared to generic size optimization algorithms. Further, we are able to reduce the number of AND gates up to 76% in best-known benchmarks from the cryptography community.

show abstract