Zero-Knowledge Arguments for Lattice-Based PRFs and Applications to E-Cash

Electronic cash (e-cash) is the digital analogue of regular cash which aims at preserving users' privacy. Following Chaum's seminal work, several new features were proposed for e-cash to address the practical issues of the original primitive. Among them, divisibility has proved very useful to enable efficient storage and spendings. Unfortunately, it is also very difficult to achieve and, to date, quite a few constructions exist, all of them relying on complex mechanisms that can only be instantiated in one specific setting. In addition security models are incomplete and proofs sometimes hand-wavy. In this work, we first provide a complete security model for divisible e-cash, and we study the links with constrained pseudo-random functions (PRFs), a primitive recently formalized by Boneh and Waters. We exhibit two frameworks of divisible e-cash systems from constrained PRFs achieving some specific properties: either key homomorphism or delegability. We then formally prove these frameworks, and address two main issues in previous constructions: two essential security notions were either not considered at all or not fully proven. Indeed, we introduce the notion of clearing, which should guarantee that only the recipient of a transaction should be able to do the deposit, and we show the exculpability, that should prevent an honest user to be falsely accused, was wrong in most proofs of the previous constructions. Some can easily be repaired, but this is not the case for most complex settings such as constructions in the standard model. Consequently, we provide the first construction secure in the standard model, as a direct instantiation of our framework.

Section: A Major Issue With Exculpability In Previous Constructionsmentioning

confidence: 99%

Section: A Major Issue With Exculpability In Previous Constructionsmentioning

confidence: 99%

Divisible E-Cash from Constrained Pseudo-Random Functions

Bourse

Pointcheval

Sanders

2019

“…The described protocol can be seen as an improved version of a Stern-like protocol presented in [46], in the following aspect. In the case Ch = 1, instead of sending Γ c (w) = ENC(c ) -which costs d = 2(m 1 + m 2 ) + 2N + 4|T | bits, we let the prover send c which enables the verifier to compute the value ENC(c ) and which costs only N + m 2 bits.…”

Section: Our General Protocolmentioning

confidence: 99%

“…In the case Ch = 1, instead of sending Γ c (w) = ENC(c ) -which costs d = 2(m 1 + m 2 ) + 2N + 4|T | bits, we let the prover send c which enables the verifier to compute the value ENC(c ) and which costs only N + m 2 bits. Due to this modification, the results from [46] are not directly applicable to our protocol, and thus, in the proof of Theorem 1, we will analyze the protocol from scratch.…”

Section: Our General Protocolmentioning

confidence: 99%

“…To handle the reduced statements in a modular manner, we thus design (in Section 3) a general zero-knowledge protocol that subsumes all argument systems of this work. In comparison with previous protocols [40,48,44,46] built on Stern's framework [60], this general protocol introduces a technical novelty which allows to reduce the communication cost.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Lattice-Based Zero-Knowledge Arguments for Integer Relations

Libert

Ling

Nguyen

et al. 2018

Self Cite

We provide lattice-based protocols allowing to prove relations among committed integers. While the most general zero-knowledge proof techniques can handle arithmetic circuits in the lattice setting, adapting them to prove statements over the integers is non-trivial, at least if we want to handle exponentially large integers while working with a polynomialsize modulus q. For a polynomial L, we provide zero-knowledge arguments allowing a prover to convince a verifier that committed L-bit bitstrings x, y and z are the binary representations of integers X, Y and Z satisfying Z = X + Y over Z. The complexity of our arguments is only linear in L. Using them, we construct arguments allowing to prove inequalities X < Z among committed integers, as well as arguments showing that a committed X belongs to a public interval [α, β], where α and β can be arbitrarily large. Our range arguments have logarithmic cost (i.e., linear in L) in the maximal range magnitude. Using these tools, we obtain zero-knowledge arguments showing that a committed element X does not belong to a public set S using O(n · log |S|) bits of communication, where n is the security parameter. We finally give a protocol allowing to argue that committed L-bit integers X, Y and Z satisfy multiplicative relations Z = XY over the integers, with communication cost subquadratic in L.To this end, we use our protocol for integer addition to prove the correct recursive execution of Karatsuba's multiplication algorithm. The security of our protocols relies on standard lattice assumptions with polynomial modulus and polynomial approximation factor.

Towards Practical Lattice-Based One-Time Linkable Ring Signatures

Baum

Lin

Oechsner

2018

We present a practical construction of an additively homomorphic commitment scheme based on structured lattice assumptions, together with a zero-knowledge proof of opening knowledge. Our scheme is a design improvement over the previous work of Benhamouda et al. in that it is not restricted to being statistically binding. While it is possible to instantiate our scheme to be statistically binding or statistically hiding, it is most efficient when both hiding and binding properties are only computational. This results in approximately a factor of 4 reduction in the size of the proof and a factor of 6 reduction in the size of the commitment over the aforementioned scheme.