Short Accountable Ring Signatures Based on DDH

Bootle, Jonathan; Cerulli, Andrea; Chaidos, Pyrros; Ghadafi, Essam; Groth, Jens; Petit, Christophe

doi:10.1007/978-3-319-24174-6_13

Cited by 82 publications

(67 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We give a general relation which allows us to recover specific protocols by instantiating with concrete polynomial relations. By separating the task of developing more efficient ways to perform the zero knowledge proof, and the task of designing better relations to describe a given language, we can explain the logic behind past optimisations of membership proofs in [28,6], and produce new optimisations for membership proofs and polynomial evaluation proofs.…”

Section: Contributionsmentioning

confidence: 99%

“…Common Construction Techniques. We unify the approaches used in [28,2,6] to construct zero-knowledge proofs for membership and polynomial evaluation, which can all be viewed as employing the same construction method. The constructions of zero-knowledge arguments for low degree polynomial relations in these works proceed by masking an input variable u as f u = ux+u b , using a random challenge x and a random blinder u b .…”

Section: Contributionsmentioning

confidence: 99%

See 1 more Smart Citation

Efficient Batch Zero-Knowledge Arguments for Low Degree Polynomials

Bootle

Groth

2018

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Bootle et al. (EUROCRYPT 2016) construct an extremely efficient zero-knowledge argument for arithmetic circuit satisfiability in the discrete logarithm setting. However, the argument does not treat relations involving commitments, and furthermore, for simple polynomial relations, the complex machinery employed is unnecessary. In this work, we give a framework for expressing simple relations between commitments and field elements, and present a zero-knowledge argument which, by contrast with Bootle et al., is constant-round and uses fewer group operations, in the case where the polynomials in the relation have low degree. Our method also directly yields a batch protocol, which allows many copies of the same relation to be proved and verified in a single argument more efficiently with only a square-root communication overhead in the number of copies. We instantiate our protocol with concrete polynomial relations to construct zero-knowledge arguments for membership proofs, polynomial evaluation proofs, and range proofs. Our work can be seen as a unified explanation of the underlying ideas of these protocols. In the instantiations of membership proofs and polynomial evaluation proofs, we also achieve better efficiency than the state of the art.

show abstract

Section: Contributionsmentioning

confidence: 99%

Section: Contributionsmentioning

confidence: 99%

Efficient Batch Zero-Knowledge Arguments for Low Degree Polynomials

Bootle

Groth

2018

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…Very recently, Bootle et al [7] pointed out a few shortcomings of previous models, and put forward stringent security notions for fully dynamic group signatures. They also demonstrated a construction satisfying these notions based on the decisional Diffie-Hellman (DDH) assumption, following a generic transformation from a secure accountable ring signature scheme [8].…”

Section: Introductionmentioning

confidence: 99%

“…We remark that in the DDH-based instantiation from[7] which relies on the accountable ring signature from[8], the verifiers have to periodically download public keys of active signers. Our scheme overcomes this issue, thanks to the use of an updatable accumulator constructed in Section 3.…”

mentioning

confidence: 99%

Lattice-based group signatures: Achieving full dynamicity (and deniability) with ease

Ling

Nguyen

Wang

et al. 2019

Theoretical Computer Science

View full text Add to dashboard Cite

Lattice-based group signature is an active research topic in recent years. Since the pioneering work by Gordon, Katz and Vaikuntanathan (Asiacrypt 2010), eight other schemes have been proposed, providing various improvements in terms of security, efficiency and functionality. However, most of the existing constructions work only in the static setting where the group population is fixed at the setup phase. The only two exceptions are the schemes by Langlois et al. (PKC 2014) that handles user revocations (but new users cannot join), and by Libert et al. (Asiacrypt 2016) which addresses the orthogonal problem of dynamic user enrollments (but users cannot be revoked).In this work, we provide the first lattice-based group signature that offers full dynamicity (i.e., users have the flexibility in joining and leaving the group), and thus, resolve a prominent open problem posed by previous works. Moreover, we achieve this non-trivial feat in a relatively simple manner. Starting with Libert et al.'s fully static construction (Eurocrypt 2016) -which is arguably the most efficient lattice-based group signature to date, we introduce simple-but-insightful tweaks that allow to upgrade it directly into the fully dynamic setting. More startlingly, our scheme even produces slightly shorter signatures than the former, thanks to an adaptation of a technique proposed by Ling et al. (PKC 2013), allowing to prove inequalities in zero-knowledge. The scheme satisfies the strong security requirements of Bootle et al.'s model (ACNS 2016), under the Short Integer Solution (SIS) and the Learning With Errors (LWE) assumptions.Furthermore, we demonstrate how to equip the obtained group signature scheme with the deniability functionality in a simple way. This attractive functionality, put forward by Ishida et al. (CANS 2016), enables the tracing authority to provide an evidence that a given user is not the owner of a signature in question. In the process, we design a zero-knowledge protocol for proving that a given LWE ciphertext does not decrypt to a particular message.

show abstract

“…The logarithmic-size ring signatures of [24,8,28] are obtained by applying the Fiat-Shamir heuristic [21] to interactive Σ-protocols. While these solutions admit security proofs under well-established assumptions in the random oracle model, their security reductions are pretty loose.…”

Section: Introductionmentioning

confidence: 99%

Logarithmic-Size Ring Signatures with Tight Security from the DDH Assumption

Libert

Peters

Qian

2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Ring signatures make it possible for a signer to anonymously and, yet, convincingly leak a secret by signing a message while concealing his identity within a flexibly chosen ring of users. Unlike group signatures, they do not involve any setup phase or tracing authority. Despite a lot of research efforts in more than 15 years, most of their realizations require linear-size signatures in the cardinality of the ring. In the random oracle model, two recent constructions decreased the signature length to be only logarithmic in the number N of ring members. On the downside, their suffer from rather loose reductions incurred by the use of the Forking Lemma. In this paper, we consider the problem of proving them tightly secure without affecting their space efficiency. Surprisingly, existing techniques for proving tight security in ordinary signature schemes do not trivially extend to the ring signature setting. We overcome these difficulties by combining the Groth-Kohlweiss Σ-protocol (Eurocrypt'15) with dualmode encryption schemes. Our main result is a fully tight construction based on the Decision Diffie-Hellman assumption in the random oracle model. By full tightness, we mean that the reduction's advantage is as large as the adversary's, up to a constant factor.

show abstract

Short Accountable Ring Signatures Based on DDH

Cited by 82 publications

References 30 publications

Efficient Batch Zero-Knowledge Arguments for Low Degree Polynomials

Efficient Batch Zero-Knowledge Arguments for Low Degree Polynomials

Lattice-based group signatures: Achieving full dynamicity (and deniability) with ease

Logarithmic-Size Ring Signatures with Tight Security from the DDH Assumption

Contact Info

Product

Resources

About