Exploring Links Between Lattice-based NIZKs and Various Signature Schemes (in the Standard Model)
Talk @NTU
Shuichi Katsumata (AIST, PQShield)
Overview of This Talk
1. Non-Interactive Zero-Knowledge (NIZK)
2. Links Between NIZKs and Signatures
3. New Notion: Multi-User Designated-Prover NIZKs. Result: Group Signatures w/o CRS-NIZK [KY19@EC]
1. Introduction: Non-Interactive Zero-Knowledge
Zero-Knowledge Proof Systems
Prover ⇄ Verifier
• Verifier is convinced that Prover knows where Waldo is.
• … BUT, Verifier doesn't learn where Waldo is!
Non-Interactive ZK (NIZK)
Prover → Verifier
• Prover sends only one message to Verifier.
More Formally: NIZKs
Prover(𝑥, 𝑤) → 𝜋 → Verifier(𝑥), for a statement 𝑥 ∈ 𝐿 with witness 𝑤 (a cheating Prover tries the same with 𝑥 ∉ 𝐿).
✓ Completeness: If (𝑥, 𝑤) ∈ 𝑅, then Verifier is convinced.
✓ Soundness: If 𝑥 ∉ 𝐿, a cheating Prover cannot convince Verifier (Verifier rejects 𝜋).
✓ Zero-Knowledge: If 𝑥 ∈ 𝐿, Verifier only learns that 𝑥 ∈ 𝐿 (and nothing about 𝑤).
Motivation for NIZK
Many Applications of NIZKs
• OWF + NIZK ⇒ signature scheme [BG89@CRYPTO]
• CPA-PKE + NIZK ⇒ CCA-PKE [NY90@STOC]
• Semi-honest secure MPC + NIZK ⇒ Malicious secure MPC [GMW86@CRYPTO]
• …
Theoretical Interest
• Connections with complexity theory
Building NIZKs (for all of NP)
Do not exist w/o trusted setup! :( [GO94]
• Random Oracle Model [FS87]: Practically appealing solution.
• With Trusted Setup [FLS90]: Provable security. Theoretically appealing solution. ← This Talk
Various Types of Trusted Setup
CRS: (public) common reference string
• CRS-NIZK (most standard NIZK): Prover(𝑥, 𝑤) → 𝜋 → Verifier(𝑥); both hold CRS.
• Designated Verifier-NIZK (DV-NIZK): additionally 𝐤𝐯, a (private) verification key held by Verifier. ⇒ Require private 𝐤𝐯 to verify proof 𝜋!
• Designated Prover-NIZK (DP-NIZK): additionally 𝐤𝐩, a (private) proving key held by Prover. ⇒ Require private 𝐤𝐩 to generate proof 𝜋!
*Subtleties in (DV, DP)-NIZKs
Since verifier/prover maintains secret information, the definition requires more care than CRS-NIZK.
Ex) DP-NIZK: Unbounded Zero-Knowledge
• Each proof may leak some information of 𝐤𝐩!
• *Consequence: Parallel repetition may fail.
*Non-Exhaustive State of Affairs
• CRS-NIZK: Trapdoor Permutations [FLS90, BY96, G04]; Pairings [GOS06, GS08, …]; iO [SW14, …]; Correlation Intractable Hash [KRR17, …]; Lattice [PS19]@CRYPTO (Finally!!)
• DV-NIZK: CDH [CH19, KNYY19, QRW19]@EC (First CDH-based!!); Lattice [LQRWW19]@CRYPTO
• DP-NIZK: Lattice [KW18]@CRYPTO (First lattice-based!!)
Are [KW18] and [LQRWW19] simply a special case of [PS19]??
Closer Look at Lattice-based NIZKs
• CRS-NIZK [PS19]: Follows the correlation intractable hash paradigm. Based on polynomial LWE (Learning with Errors).
• DV-NIZK [LQRWW19]: Uses a new tool: "Function-hiding" Attribute-based Encryption. Based on super-polynomial LWE. (Can use LPN and CDH too!)
• DP-NIZK [KW18]: Generic construction from Fully-Homomorphic Signatures. Based on polynomial SIS (Short Integer Solution).
From a theoretical standpoint, DP-NIZK requires the weakest assumption!
*The state-of-the-art can change anytime! :)
SIS vs LWE
*In a world of PT quantum algorithms, LWE and SIS are equivalent.
SIS gives: • One-way function • Collision-resistant hash • Digital signature scheme • Attribute-based Signature • Fully homomorphic signature • …
LWE gives: • Public key encryption • Oblivious transfer • Attribute-based Encryption • Fully homomorphic encryption • … and whatever SIS can.
2. Exploration: Links Between NIZKs and Signature Schemes
Warm Up: Standard Signatures
Well Known Fact… OWF + CRS-NIZK ⇒ Signature Schemes [BG89]   (lattices: CRS-NIZK from LWE)
However, OWF + DP-NIZK ⇒ Signature Schemes already holds.   (lattices: DP-NIZK from SIS)
Why? At a high level… In a signature scheme, the keys are generated honestly and the secret key is never revealed to an adversary.
This aligns with prior knowledge that SIS implies signature schemes.
In a Bit More Detail…
*Use fact that OWF implies MAC, COM.
Signer holds sk = (k_P, sk_MAC); Verifier holds vk = (crs_DP, com_skMAC), where com_skMAC = COM(sk_MAC) and k_P is the DP-NIZK proving key for crs_DP.
Relation: (x, w) ∈ 𝑅 ⇔ (Verify_MAC(sk_MAC, M, σ_M) = ⊤ ∧ com_skMAC = COM(sk_MAC))
𝐒𝐢𝐠𝐧(sk, M):
1. σ_M ← Sign_MAC(sk_MAC, M)
2. 𝜋 ← Prove(x = (M, σ_M, com_skMAC), w = sk_MAC), i.e. prove that ✓ the MAC is valid and ✓ it was produced using the committed sk_MAC.
Output Σ = (𝜋, σ_M).
𝐕𝐞𝐫𝐢𝐟𝐲(vk, M, Σ): Check validity of proof 𝜋.
Take Away: DP-NIZK suffices since the "signer" is the "designated prover".
Lattice NIZKs and Signatures (Feasibility)
*All arrows assume "+OWF". *Ignore DV-NIZK since it doesn't seem useful for signatures.
• SIS ⇒ Fully-Hom. Signature ⇒ DP-NIZK [KW18] ⇒ Digital Signature
• LWE ⇒ Correlation Intractable Hash + Fiat-Shamir ⇒ CRS-NIZK [PS19] ⇒ Digital Signature [BG89]
• CRS-NIZK ⇒ Attribute-based Signature [MPR11]
• CRS-NIZK + PKE ⇒ (Fully Anonymous) Group Signature [BMR03]
• CRS-NIZK + PKE ⇒ Ring Signature [DN00, BKM05]   *Unfortunately, this implication does not hold for lattice-based CRS-NIZKs :(
• DP-NIZK ⇒ Attribute-based Signature / Group Signature / Ring Signature?   (unknown: ??)
• Multi-User DP-NIZK [KY19] (a generalization of DP-NIZK) ⇒ Attribute-based Signature, (Selfless Anonymous) Group Signature, Ring Signature
• Multi-User DP-NIZK ⇒ (compact) Ring Signature?   open :)
3. Result: Lattice-based Group Signature [KatYam@EC'19] via "Multi-User DP-NIZKs"
*Disclaimers
After our paper was accepted @EC, CRS-NIZK from LWE was finally resolved [PS19@CRYPTO].
Accordingly, the following presentation @EC is made under the "old" fact that CRS-NIZK from lattices does not exist yet.
Our Result in Short
① Construct the first group signatures from lattices in the standard model.
② Achieves full traceability [BMW03] and selfless anonymity [CG04].
③ Constructions from various assumptions: ✓ SIS w/ subexp-modulus. ✓ LWE w/ poly-modulus. ✓ SIS w/ poly-modulus + LPN w/ const. noise rate.
Our Techniques in Short
Avoid using CRS-NIZK, a necessary component in existing frameworks [BMW03, CG04, …], but not known from lattices.
A) Extend DP-NIZK to Multi-User (MU) DP-NIZK.
B) Show MU-DP-NIZK ⇒ GS.
C) Provide construction of MU-DP-NIZK from SIS.
Outline of "3. Result"
1. Definition of Group Signatures
2. Previous Techniques
3. Our Work
Syntax of Group Signature (GS)
• (gpk, gok, {gsk_i}_{i∈[N]}) ← GS.KeyGen(1^λ, 1^N)   (users 1, …, N receive gsk_1, gsk_2, gsk_3, …)
• Σ ← GS.Sign(gpk, gsk_i, M)
• ⊤/⊥ ← GS.Vrfy(gpk, M, Σ)   *Signature signed by SOMEBODY in the group.
• 𝑖/⊥ ← GS.Open(gok, M, Σ)   Reveals who has signed.
Security: Full Traceability [BMW03]
• Adversary corrupts all but 1 user (obtains their gsk_i) and gets a Signing Oracle for the remaining user.
• Adversary outputs a valid signature; Open returns a user or ⊥.
• Hard to forge a signature that traces to an uncorrupted user or that cannot be traced.
Security: Selfless Anonymity [CG04]
• Adversary corrupts all but 2 users 𝑖_0, 𝑖_1 (it never receives gsk_{𝑖_0}, gsk_{𝑖_1}).
• Signatures of the two users 𝑖_0 and 𝑖_1 are indistinguishable (≈_c), even given gpk, {gsk_j}_{j≠𝑖_0,𝑖_1} (and an open oracle).
*Full Anonymity [BMW03]: A stronger notion than "selfless" anonymity. The adversary is also given gsk_{𝑖_0} and gsk_{𝑖_1}. Known to imply public-key encryption [CG04, AW04]. (Hence, probably non-obtainable from SIS.)
This Talk: We will only focus on "selfless" anonymity.
Outline of "3. Result": 1. Definition of Group Signatures → 2. Previous Techniques → 3. Our Work
"Sign then Enc and Prove" Framework   *Modified version of original [BMW03]
Ingredients: Signature + PKE + CRS-NIZK
GS.KeyGen(1^λ, 1^N) → (gpk, gok, {gsk_i}_{i∈[N]})
• gpk = ({vk_i}_{i∈[N]}, pk_PKE, crs)
• gsk_i = sk_i : Signing key of the signature scheme
• gok = sk_PKE : Secret key of PKE
"Sign then Enc and Prove" Framework
gpk = ({vk_i}_{i∈[N]}, pk_PKE, crs),  gsk_i = sk_i,  gok = sk_PKE
• GS.Sign(gpk, gsk_i, 𝑀) by User 𝒊:
  1. 𝜎 ← Sign(sk_i, M)
  2. ct ← Enc(pk_PKE, 𝑖||𝜎; 𝑅)
  3. Prove using CRS-NIZK that ∃𝑅 ∃𝜎 ∃𝑖 s.t.
     • Verify(vk_i, 𝜎, M) = ⊤
     • ct = Enc(pk_PKE, 𝑖||𝜎; 𝑅)
     and obtain proof 𝜋.
  Output Σ = (ct, 𝜋).
• GS.Verify ⇒ Verify 𝜋
• GS.Open ⇒ Dec ct
Intuition for Security: Anonymity
Prove user 𝑖's information doesn't leak from Σ = (ct, 𝜋).
• 𝝅 reveals nothing about 𝑖 due to CRS-NIZK being ZK.
• ct reveals nothing about 𝑖 due to security of PKE.
The information of who signed the message is hidden!
Intuition for Security: Traceability
Prove the following doesn't happen: a valid Σ opens to ⊥ or to a non-corrupt user.
• Due to soundness of CRS-NIZK, ct must have the form Enc(pk_PKE, 𝑖||𝜎; 𝑅) for some 𝑅, 𝜎, 𝑖. ⇒ Open algorithm does not output ⊥.
• Due to unforgeability of the signature, impossible to forge 𝜎 s.t. Verify(vk_i, 𝜎, M) = ⊤ for a non-corrupt user 𝑖. ⇒ Open algorithm does not output a non-corrupt user.
Outline of "3. Result": 1. Definition of Group Signatures → 2. Previous Techniques → 3. Our Work
Motivation of this Work
How to construct lattice-based GS w/o CRS-NIZK??
✓ If we can replace CRS-NIZK with DP-NIZK, then we can use the SIS-based construction of [KW18].
✓ Getting away with SKE instead of PKE is easy.
Will result in the first lattice-based GS! Moreover, from the SIS assumption :)
Overview of Our Approach
① Unfortunately, simply plugging in DP-NIZK in place of CRS-NIZK does not work :(
② To avoid the problem, we introduce a Multi-User DP-NIZK and use it as a replacement.
③ We observe that MU-DP-NIZK is implied by attribute-based signatures (ABS) and construct a new lattice-based ABS.
Recap: DP-NIZK
CRS: (public) common reference string. 𝐤𝐩: (private) proving key, correlated with the CRS.
Prover(𝑥, 𝑤) holding 𝐤𝐩 → 𝜋 → Verifier(𝑥) holding CRS; Verifier checks 𝑥 ∈ 𝐿.
ZK property is satisfied as long as 𝐤𝐩 is kept secret from the Verifier.
First Attempt
Plug in DP-NIZK in the [BMW03] framework.
• Group public key: gpk = ({vk_i}_{i∈[N]}, pk_PKE, crs)
• Group signing key for user 𝑖: gsk_i = (sk_i, k_p)   (k_p: proving key for DP-NIZK, same for all users)
• Signature made by user 𝑖: Σ = (ct, 𝜋)   (𝜋: DP-NIZK proof)
Corruption of a single user reveals k_p ⇒ Ruins ZK property of DP-NIZK ⇒ Breaks Anonymity of the resulting GS
Second Attempt
Use a different k_p for different users.
• Group public key: gpk = ({vk_i}_{i∈[N]}, pk_PKE, crs^{(1)}, …, crs^{(N)})
• Group signing key for user 𝑖: gsk_i = (sk_i, k_p^{(i)})   (proving key for the 𝒊-th instance of DP-NIZK)
• Signature made by user 𝑖: Σ = (ct, 𝜋)   (𝜋: DP-NIZK proof w.r.t. crs^{(i)})
The DP-NIZK proof (GS signature) does not hide the instance 𝑖. ⇒ Breaks Anonymity of the resulting GS
Lessons Learned from Failures
• Need a multiple-prover variant of DP-NIZK.
• Need security against corruption of provers.
• Proof should not leak prover identity.
DP-NIZK seems to be too weak….
Our Solution: Construct anonymous Multi-User DP-NIZK (Attribute-based signature + [KW18] technique)
New Notion: Multi-User DP-NIZK
Public: CRS. Private: (kp_1, …, kp_N), one proving key per user.
Essentially, a DP-NIZK with multiple users :)
A user holding kp_i and (𝑥, 𝑤) ∈ 𝑅 generates a proof 𝜋 w.r.t. CRS.
✓ Soundness: 𝑥 ∉ 𝐿 cannot be proven even with corruption.
✓ Zero-Knowledge: 𝜋 leaks no information even with corruption.
✓ Anonymity: Information of who generated 𝜋 is not leaked even with corruption.
How to Construct MU-DP-NIZK??
The Plan
1. Review Attribute-based Signatures (ABS).
2. Compile ABS into MU-DP-NIZK using the technique developed in [KW18].
Attribute-based Signatures (ABS)
• (mpk, msk) ← ABS.Setup(1^λ)
• sk_x ← ABS.KeyGen(msk, x)   (*attribute x; users hold sk_{x_1}, sk_{x_2}, sk_{x_3})
• 𝜎 ← ABS.Sign(mpk, sk_x, C, M)   (*policy C; can sign on a policy C iff C(x) = 1, i.e. the attribute satisfies the policy)
• ⊤/⊥ ← ABS.Verify(mpk, C, 𝜎, M)
Security of ABS: Anonymity
Two signers with sk_{x_1} and sk_{x_2} sign the same M under the same policy C.
If attributes x_1 and x_2 satisfy C(x_1) = C(x_2) = 1, then the signatures are indistinguishable (≈_c).
*Signature only leaks that the signer had a satisfying attribute x for policy C.
Security of ABS: Unforgeability
Hard to forge a signature on C* even if given signing keys {sk_x} of corrupt users (attributes x_1, x_2, x_3) that are not allowed to sign on C* (i.e., C*(x) = 0).
*Secret key sk_x can only be used with respect to C such that C(x) = 1.
MU-DP-NIZK from ABS (+SKE)
Apply the idea of [KW18] to ABS instead of FHS.
Proving keys: kp_1 = (K_1, sk^{ABS}_{K_1}), …, kp_N = (K_N, sk^{ABS}_{K_N})
• K_i: SKE secret key
• sk^{ABS}_{K_i}: ABS signing key viewing K_i as the attribute
Constructing MU-DP-NIZK proof 𝝅 for (x, w) ∈ R with kp_1:
1. ct ← SKE.Enc(K_1, w)
2. 𝜎 ← ABS.Sign(mpk, sk^{ABS}_{K_1}, C_{x,ct}, "∃ fixed M"), where policy C_{x,ct}(K) ≔ R(x, SKE.Dec(K, ct))   (a public function)
3. 𝜋 ≔ (ct, 𝜎)
Security: Soundness
MU-DP-NIZK proof: 𝜋 = (ct, 𝜎)
Soundness: If x is not in the language, then for all ct and K, C_{x,ct}(K) ≔ R(x, SKE.Dec(K, ct)) = 0. Hence, unforgeability of ABS implies soundness :)
… w/ corruption too?? Sound even with corruption :) (∵ ABS is unforgeable even with corruption)
Security: Zero-Knowledge / Anonymity
MU-DP-NIZK proof: 𝜋 = (ct, 𝜎)
ZK / Anonymity
• ct = SKE.Enc(K, w): Does not leak w due to security of SKE.
• 𝜎 is an ABS signature using sk^{ABS}_K: Does not leak (attribute) K due to anonymity of ABS.
… w/ corruption too?? ZK and Anonymous even with corruption :) (∵ SKE keys are independent and ABS is anonymous)
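An added example (not from the talk or the [KY19] paper) of the policy-circuit step of the compiler above: the relation R is a constructed subset-sum relation, the SKE is a toy SHAKE256 XOR stream cipher (any secure SKE would do), and the ABS is left as a black box, so the block only shows what the ABS would sign under and why the soundness and key-independence arguments hold.

```python
import hashlib
import secrets

# Constructed NP relation for the demo: x = (values, target), w = 0/1 mask
# selecting a subset of values that sums to target (subset-sum).
def relation(x, w):
    values, target = x
    if len(w) != len(values) or any(b not in (0, 1) for b in w):
        return 0
    return int(sum(v for v, b in zip(values, w) if b) == target)

# Toy SKE standing in for the compiler's SKE (assumption: any secure SKE
# works here): XOR with a SHAKE256 keystream under a fresh nonce.
NONCE_LEN = 16

def ske_keygen():
    return secrets.token_bytes(32)

def ske_enc(key, msg):
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = hashlib.shake_256(key + nonce).digest(len(msg))
    return nonce + bytes(a ^ b for a, b in zip(msg, ks))

def ske_dec(key, ct):
    nonce, body = ct[:NONCE_LEN], ct[NONCE_LEN:]
    ks = hashlib.shake_256(key + nonce).digest(len(body))
    return bytes(a ^ b for a, b in zip(body, ks))

# The public policy C_{x,ct}(K) := R(x, SKE.Dec(K, ct)) of the construction.
# The ABS signature on this policy is the part left as a black box.
def make_policy(x, ct):
    def policy(K):
        return relation(x, list(ske_dec(K, ct)))
    return policy

# Step 1 of the prover holding kp_i = (K_i, sk^ABS_{K_i}): encrypt the witness
# under K_i. Step 2 (ABS.Sign under C_{x,ct}) is assumed, not implemented; the
# returned policy is what that ABS signature would be verified against.
def prove_step1(K_i, x, w):
    ct = ske_enc(K_i, bytes(w))
    return ct, make_policy(x, ct)

def demo(n_users=4):
    keys = [ske_keygen() for _ in range(n_users)]   # K_1..K_N, independent
    x_true = ((3, 5, 9, 14), 17)                    # 3 + 14 = 17, so x in L
    w_true = [1, 0, 0, 1]
    x_false = ((3, 5, 9, 14), 2)                    # no subset sums to 2
    ct, policy = prove_step1(keys[0], x_true, w_true)
    # Honest prover: its own key K_1 satisfies the policy, so ABS.Sign is allowed.
    honest_ok = policy(keys[0]) == 1
    # Corrupted users hold K_2..K_N: independent keys decrypt ct to garbage,
    # so they neither recover w nor hold a key satisfying C_{x,ct}.
    witness_hidden = all(ske_dec(K, ct) != bytes(w_true) for K in keys[1:])
    others_zero = all(policy(K) == 0 for K in keys[1:])
    # Soundness: for x not in L, C_{x,ct}(K) = 0 for every K and every ct,
    # including ciphertexts a cheating prover might craft, so no ABS key can sign.
    crafted = [ske_enc(K, bytes(w_true)) for K in keys] + \
              [secrets.token_bytes(NONCE_LEN + 4) for _ in range(8)]
    sound = all(make_policy(x_false, c)(K) == 0 for c in crafted for K in keys)
    return {"honest_ok": honest_ok, "witness_hidden": witness_hidden,
            "others_zero": others_zero, "sound": sound}

if __name__ == "__main__":
    print(demo())
```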
Piecing Everything Together
SKE + Signature + Multi-User DP-NIZK ⟹ GS
• Plug in MU-DP-NIZK in place of CRS-NIZK in the "Sign-then-Enc-and-Prove" paradigm [BMW03, CG04].
• SKE + ABS ⟹ Multi-User DP-NIZK
Straightforward to instantiate SKE and Signature using existing constructions (SIS, LWE, LPN, …).
How about Attribute-based Signature??
Instantiating ABS
Instantiation 1: [Tsabary17] gives ABS, but needs complexity leveraging for our purpose ⇒ Need (subexp) SIS (due to mismatch of security notions).
Instantiation 2: Weaken the security requirements for ABS by the following observations:
- Bounded key queries are sufficient
- Attributes for signing keys can be determined before the setup of the system (they are SKE keys)
⇒ Direct construction from (poly) SIS.
Conclusion of [KY19]
① Construct the first group signatures from lattices in the standard model.
② Consider a new type of Multi-User DP-NIZK and construct it from ABS.
③ Constructions from various assumptions: ✓ SIS w/ subexp-modulus. ✓ LWE w/ poly-modulus. ✓ SIS w/ poly-modulus + LPN w/ const. noise rate.
Some Open Questions
① Construct group signatures based on poly SIS. *Ours requires sub-exp SIS.
② Construct ring signatures w/o setup with logarithmic signature size from lattices. *Linear size known from SIS.
③ Any other interesting notions for NIZKs?? (e.g., malicious DV-NIZK [QRW19])
④ Explore other links between various types of NIZK and signatures.