Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures Without Trapdoors

Libert, Benôıt; Ling, San; Nguyen, Khoa; Wang, Huaxiong

doi:10.1007/978-3-662-49896-5_1

Cited by 152 publications

(147 citation statements)

References 72 publications

Supporting

Mentioning

147

Contrasting

Order By: Relevance

“…Stern's protocol was originally proposed for code-based cryptography, and adapted to lattices by Kawachi et al [29]. It was subsequently empowered by Ling et al [37] to handle the matrix-vector relations associated with the SIS and inhomogeneous SIS problems and extended to design several lattice-based schemes: group signatures [38,36,34,39], policy-based signatures [12] and group encryption [35]. The basic protocol has 3 moves.…”

Section: Zero-knowledge Argument Systems and Stern-like Protocolsmentioning

confidence: 99%

“…We thus need a lattice-based sub-protocol for proving set membership. In the lattice-based world, a set membership argument system with logarithmic complexity in the cardinality of the set was proposed in [36], exploiting Stern-like protocols [50] and Merkle hash trees. However, the asymptotic efficiency does not come to the front when the underlying set has small, constant size.…”

Section: Introductionmentioning

confidence: 99%

“…These are less efficient than those of the first family because each protocol execution admits a constant soundness error, and require repeating protocols ω(log n) times, for a security parameter n, to achieve negligible soundness error. On the upside, Stern-like protocols have perfect completeness and can handle a wide range of lattice-based relations [38,36,12,34,35,39], especially when witnesses have to not only be small or binary, but also certain prescribed arrangement of coordinates. Furthermore, unlike protocols of the first family, the extractor of Stern-like protocols can output witness vectors with the same properties expected of valid witnesses.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Zero-Knowledge Password Policy Check from Lattices

Nguyen

Tan

Wang

2017

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. Passwords are ubiquitous and most commonly used to authenticate users when logging into online services. Using high entropy passwords is critical to prevent unauthorized access and password policies emerged to enforce this requirement on passwords. However, with current methods of password storage, poor practices and server breaches have leaked many passwords to the public. To protect one's sensitive information in case of such events, passwords should be hidden from servers. Verifier-based password authenticated key exchange, proposed by Bellovin and Merrit (IEEE S&P, 1992), allows authenticated secure channels to be established with a hash of a password (verifier). Unfortunately, this restricts password policies as passwords cannot be checked from their verifier. To address this issue, Kiefer and Manulis (ESORICS 2014) proposed zero-knowledge password policy check (ZKPPC). A ZKPPC protocol allows users to prove in zero knowledge that a hash of the user's password satisfies the password policy required by the server. Unfortunately, their proposal is not quantum resistant with the use of discrete logarithm-based cryptographic tools and there are currently no other viable alternatives. In this work, we construct the first post-quantum ZKPPC using lattice-based tools. To this end, we introduce a new randomised password hashing scheme for ASCII-based passwords and design an accompanying zero-knowledge protocol for policy compliance. Interestingly, our proposal does not follow the framework established by Kiefer and Manulis and offers an alternate construction without homomorphic commitments. Although our protocol is not ready to be used in practice, we think it is an important first step towards a quantum-resistant privacy-preserving password-based authentication and key exchange system.

show abstract

Section: Zero-knowledge Argument Systems and Stern-like Protocolsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Zero-Knowledge Password Policy Check from Lattices

Nguyen

Tan

Wang

2017

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…So far, the only known solutions with logarithmic signature length [24,28] suffered from loose reductions: the underlying hard problem could only be solved with a probability smaller than the adversary's advantage by a linear factor in the number of hash queries. Our main result is to give the first construction that simultaneously provides tight security -meaning that there is essentially no gap between the adversary's probability of success and the reduction's advantage in solving a hard problem -and logarithmic signature size in the number of ring members.…”

Section: Introductionmentioning

confidence: 99%

“…The hash-based accumulators of [12,13] would not provide efficient solutions as they would incur proofs of knowledge of hash function pre-images. While the lattice-based construction of [28] relies on hash-based accumulators, its security proof is not tight and its efficiency is not competitive with discrete-logarithm-based techniques. Sander's number-theoretic accumulator [35] is an alternative candidate to instantiate [15] without a setup phase.…”

Section: Introductionmentioning

confidence: 99%

Logarithmic-Size Ring Signatures with Tight Security from the DDH Assumption

Libert

Peters

Qian

2018

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. Ring signatures make it possible for a signer to anonymously and, yet, convincingly leak a secret by signing a message while concealing his identity within a flexibly chosen ring of users. Unlike group signatures, they do not involve any setup phase or tracing authority. Despite a lot of research efforts in more than 15 years, most of their realizations require linear-size signatures in the cardinality of the ring. In the random oracle model, two recent constructions decreased the signature length to be only logarithmic in the number N of ring members. On the downside, their suffer from rather loose reductions incurred by the use of the Forking Lemma. In this paper, we consider the problem of proving them tightly secure without affecting their space efficiency. Surprisingly, existing techniques for proving tight security in ordinary signature schemes do not trivially extend to the ring signature setting. We overcome these difficulties by combining the Groth-Kohlweiss Σ-protocol (Eurocrypt'15) with dualmode encryption schemes. Our main result is a fully tight construction based on the Decision Diffie-Hellman assumption in the random oracle model. By full tightness, we mean that the reduction's advantage is as large as the adversary's, up to a constant factor.

show abstract

Identity‐based proxy signature over NTRU lattice

Wang

Zhang

et al. 2018

Int J Communication

View full text Add to dashboard Cite

Proxy signature scheme is an important cryptographic primitive, for an entity can delegate his signing right to another entity. Although identity-based proxy signature schemes based on conventional number-theoretic problems have been proposed for a long time, the researchers have paid less attention to lattice-based proxy signature schemes that can resist quantum attack. In this paper, we first propose an identity-based proxy signature scheme over Number Theory Research Unit (NTRU)-lattice. We proved that the proposed paradigm is secure under the hardness of the -shortest vector problem on the NTRU lattice in random oracle model; furthermore, the comparison with some existing schemes shows our scheme is more efficient in terms of proxy signature secret key size, proxy signature size, and computation complexity. As the elemental problem of the proposed scheme is difficult even for quantum computation model, our scheme can work well in quantum age. KEYWORDSidentity-based, NTRU lattice, proxy signature, quantum computation Proxy signature, proposed by Mambo, Usuda, and Okamoto, 1 is a significant cryptographic scheme that is widely used in different situations, such as cloud computing, e-commerce, and electronic election. Proxy signature can guarantee the security of signature commission, that is, the original signer entrusts his right to the proxy signer, the proxy signer instead of the original signer to sign the message, and even the proxy signer cannot forge the user's signature. The researchers have proposed many effective proxy signature schemes based on large prime factorization and discrete logarithm problems. [2][3][4] However, these categories of schemes are not safe over the long term, because both are solved in polynomial time when we take quantum computation model into consideration. 5 In order to reduce the threat from the quantum computer, many researchers have paid their attention to post-quantum cryptography and proposed some effective proxy signature schemes based on hash, multivariate public key cryptosystems (MPKC), and lattice. [6][7][8][9] As a typical representation of the post-quantum cryptography, lattice-based signature schemes occupy a position of particular interest, because they rely on well-studied problems and come with uniquely strong security guarantees. 10 Many organizations and researchers are committed to design effective lattice-based signature schemes to replace Rivest-Shamir-Adleman (RSA) and elliptic curve cryptography (ECC)-based schemes, and results show that properly optimized lattice-based proxy signature schemes may compete with or even outperform these schemes based on conventional number-theoretic problems. Gentry et al 11 proposed a provable secure lattice-based signature scheme in 2008. Since then, many researchers have proposed lattice-based proxy signature schemes by using preimage sampling technique, which costs a lot of time and resources. Jiang et al 12 constructed lattice-based proxy signature schemes by using bonsai tree Int J Commun Syst. 2019;32:e3867.wileyon...

show abstract

Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures Without Trapdoors

Cited by 152 publications

References 72 publications

Zero-Knowledge Password Policy Check from Lattices

Zero-Knowledge Password Policy Check from Lattices

Logarithmic-Size Ring Signatures with Tight Security from the DDH Assumption

Identity‐based proxy signature over NTRU lattice

Contact Info

Product

Resources

About