Exploring Links Between Lattice-based NIZKs and Various

Signature Schemes (in the Standard Model)

@NTU

Shuichi Katsumata (AIST,PQShield)

Non-InteractiveZero-Knowledge(NIZK)

OverviewofThisTalk

LinksBetweenNIZKsandSignatures

Ø NewNotion:Multi-UserDesignated-ProverNIZKs

Result:GroupSignaturesw/oCRS-NIZK

1

2

3[KY19@EC]

1.Introduction:

Non-InteractiveZero-Knowledge

Zero-KnowledgeProofSystems

Prover Verifier

n VerifierisconvincedthatProverknowswhereWaldois.

Zero-KnowledgeProofSystems

Prover Verifier

n VerifierisconvincedthatProverknowswhereWaldois.n …BUT,Verifierdoesn’tlearnwhereWaldois!

Non-InteractiveZK(NIZK)

Prover Verifier

n Proversendsonlyonemessage toVerifier.

MoreFormally:NIZKs

Prover Verifier(𝑥, 𝑤)

𝜋𝑥

𝑥 ∈ 𝐿

ü Completeness:If 𝑥, 𝑤 ∈ 𝑅(,thenVerifierisconvinced.

MoreFormally:NIZKsCheatingProver Verifier𝑥

𝜋𝑥

𝑥 ∉ 𝐿

ü Completeness:If 𝑥, 𝑤 ∈ 𝑅(,thenVerifierisconvinced.

ü Soundness:If𝑥 ∉ 𝐿,cheatingProvercannotconvinceVerifier.

Reject𝜋.

MoreFormally:NIZKs

Prover Verifier(𝑥, 𝑤)

𝜋𝑥

𝑥 ∈ 𝐿

ü Completeness:If 𝑥, 𝑤 ∈ 𝑅(,thenVerifierisconvinced.

ü Soundness:If𝑥 ∉ 𝐿,cheatingProvercannotconvinceVerifier.

ü Zero-Knowledge:If𝑥 ∈ 𝐿,Verifieronlylearnsthat𝑥 ∈ 𝐿.

𝑤? ?

MotivationforNIZKManyApplicationsofNIZKs

• OWF+NIZK⇒ signaturescheme[BG89@CRYPTO]• CPA-PKE+NIZK⇒ CCA-PKE[NY90@STOC]• Semi-honestsecureMPC+NIZK⇒MalicioussecureMPC

[GMW86@CRYPTO]• ….

TheoreticalInterest• Connectionswithcomplexitytheory

BuildingNIZKs(forallofNP)Donotexistw/otrustedsetup!L [GO94]

BuildingNIZKs(forallofNP)Donotexistw/otrustedsetup!L [GO94]

n RandomOracleModel[FS87]• Practicallyappealingsolution.

n WithTrustedSetup[FLS90]• Provablesecurity.• Theoreticallyappealingsolution.

BuildingNIZKs(forallofNP)Donotexistw/otrustedsetup!L [GO94]

n RandomOracleModel[FS87]• Practicallyappealingsolution.

n WithTrustedSetup[FLS90]• Provablesecurity.• Theoreticallyappealingsolution.

ThisTalk

VariousTypesofTrustedSetup

CRS:(public)commonreferencestring

VariousTypesofTrustedSetup

Prover Verifier(𝑥, 𝑤)

𝜋𝑥CRS,𝑥 ∈ 𝐿

CRS-NIZK(MoststandardNIZK)

CRS:(public)commonreferencestring

VariousTypesofTrustedSetupCRS:(public)commonreferencestring

𝐤𝐯:(private)verificationkey

VariousTypesofTrustedSetupCRS:(public)commonreferencestring

Prover Verifier(𝑥, 𝑤)

𝜋𝑥CRS,𝑥 ∈ 𝐿

DesignatedVerifier-NIZK (DV-NIZK)𝐤𝐯

𝐤𝐯:(private)verificationkey

⇒Requireprivatek0 toverifyproof𝜋!

VariousTypesofTrustedSetupCRS:(public)commonreferencestring

𝐤𝐩:(private)provingkey

Prover Verifier(𝑥, 𝑤)

𝜋𝑥CRS,𝑥 ∈ 𝐿

DesignatedProver-NIZK (DP-NIZK)𝐤𝐩

⇒Requireprivatek2 togenerateproof𝜋!

*Subtletiesin(DV,DP)-NIZKsSinceverifier/provermaintainssecretinformation,definitionrequiresmorecarethanCRS-NIZK.

*Subtletiesin(DV,DP)-NIZKsSinceverifier/provermaintainssecretinformation,definitionrequiresmorecarethanCRS-NIZK.

Ex)DP-NIZK:Unbounded Zero-Knowledge

*Subtletiesin(DV,DP)-NIZKsSinceverifier/provermaintainssecretinformation,definitionrequiresmorecarethanCRS-NIZK.

Ex)DP-NIZK:Unbounded Zero-Knowledge

Eachproofmayleaksomeinformationofk2!

*ConsequenceParallelrepetitionmayfail.

DP-NIZK

*NonExhaustiveState-of-Affairs

CRS-NIZK

DV-NIZK

TrapdoorPermutations[FLS90,BY96,G04]

DP-NIZK

*NonExhaustiveState-of-Affairs

CRS-NIZK

DV-NIZK

TrapdoorPermutations[FLS90,BY96,G04]

Pairings[GOS06,GS08,…]

DP-NIZK

*NonExhaustiveState-of-Affairs

CRS-NIZK

DV-NIZK

TrapdoorPermutations[FLS90,BY96,G04] iO [SW14,…]Pairings[GOS06,GS08,…]

DP-NIZK

*NonExhaustiveState-of-Affairs

CRS-NIZK

DV-NIZK

TrapdoorPermutations[FLS90,BY96,G04] iO [SW14,…]

CorrelationInteractableHash[KRR17,…]

Pairings[GOS06,GS08,…]

DP-NIZK

*NonExhaustiveState-of-Affairs

CRS-NIZK

DV-NIZK

TrapdoorPermutations[FLS90,BY96,G04]

Pairings[GOS06,GS08,…]iO [SW14,…]

Lattice [KW18]@CRYPTO

Firstlattice-based!!

CorrelationInteractableHash[KRR17,…]

DP-NIZK

*NonExhaustiveState-of-Affairs

CRS-NIZK

DV-NIZK

TrapdoorPermutations[FLS90,BY96,G04] iO [SW14,…]

Lattice [KW18]@CRYPTO

CDH [CH19,KNYY19,QRW19]@EC

CorrelationInteractableHash[KRR17,…]

FirstCDH-based!!

Pairings[GOS06,GS08,…]

DP-NIZK

*NonExhaustiveState-of-Affairs

CRS-NIZK

DV-NIZK

TrapdoorPermutations[FLS90,BY96,G04] iO [SW14,…]

Lattice [KW18]@CRYPTO

CDH[CH19,KNYY19,QRW19]@EC

Lattice [PS19]@CRYPTO

Lattice [LQRWW19]@CRYPTO

CorrelationInteractableHash[KRR17,…]

Finally!!

Pairings[GOS06,GS08,…]

DP-NIZK

*NonExhaustiveState-of-Affairs

CRS-NIZK

DV-NIZK

TrapdoorPermutations[FLS90,BY96,G04] iO [SW14,…]

Lattice [KW18]@CRYPTO

CDH[CH19,KNYY19,QRW19]@EC

Lattice [PS19]@CRYPTO

Lattice [LQRWW19]@CRYPTO

CorrelationInteractableHash[KRR17,…]

Is[KW18]and[LQRWW19]simplyaspecialcaseof[PS19]??

Pairings[GOS06,GS08,…]

CloserLookatLattice-basedNIZKsn CRS-NIZK[PS19]

• Followsthecorrelationinteractablehashparadigm.• BasedonpolynomialLWE(LearningwithErrors).

CloserLookatLattice-basedNIZKsn CRS-NIZK[PS19]

• Followsthecorrelationinteractablehashparadigm.• BasedonpolynomialLWE(LearningwithErrors).

n DV-NIZK[LQRWW19]• Usenewtool:“Function-hiding”Attribute-basedEncryption.• Basedonsuper-polynomialLWE.(CanuseLPNandCDHtoo!)

CloserLookatLattice-basedNIZKsn CRS-NIZK[PS19]

• Followsthecorrelationinteractablehashparadigm.• BasedonpolynomialLWE(LearningwithErrors).

n DV-NIZK[LQRWW19]

n DP-NIZK[KW18]• GenericconstructionfromFully-HomomorphicSignatures.• BasedonpolynomialSIS(ShortIntegerSolution).

• Usenewtool:“Function-hiding”Attribute-basedEncryption.• Basedonsuper-polynomialLWE.(CanuseLPNandCDHtoo!)

CloserLookatLattice-basedNIZKsn CRS-NIZK[PS19]

n DV-NIZK[LQRWW19]• Usenewtool:“Function-hiding”Attribute-basedEncryption.• Basedonsuper-polynomialLWE.(CanuseLPNandCDHtoo!)

n DP-NIZK[KW18]

Fromatheoreticalstandpoint,DP-NIZK requirestheweakestassumption!

*Thestate-of-the-artcanchangeanytime!J

• Followsthecorrelationinteractablehashparadigm.• BasedonpolynomialLWE(LearningwithErrors).

• GenericconstructionfromFully-HomomorphicSignatures.• BasedonpolynomialSIS(ShortIntegerSolution).

SISvsLWESIS LWE

*InaworldofPTquantumalgorithms,LWEandSISareequivalent.

• Onewayfunction• Collisionresistanthash• Digitalsignaturescheme• Attribute-basedSignature• Fullyhomomorphicsignature• …

• Publickeyencryption• Oblivioustransfer• Attribute-basedEncryption• Fullyhomomorphicencryption• …

WhateverSIS can.

2.Exploration:

LinksBetweenNIZKsandSignatureSchemes

WarmUp:StandardSignaturesWellKnownFact…

OWF+CRS-NIZK⇒ SignatureSchemes [BG89]

WarmUp:StandardSignaturesWellKnownFact…

OWF+CRS-NIZK⇒ SignatureSchemes [BG89]

However,OWF+DP-NIZK ⇒ SignatureSchemes

WarmUp:StandardSignaturesWellKnownFact…

OWF+CRS-NIZK⇒ SignatureSchemes [BG89]

However,OWF+DP-NIZK ⇒ SignatureSchemes

Why?Atahighlevel…Inasignaturescheme,thekeysaregeneratedhonestlyandsecretkeyisneverrevealed toanadversary.

Inasignaturescheme,thekeysaregeneratedhonestlyandsecretkeyisneverrevealed toanadversary.

WarmUp:StandardSignaturesWellKnownFact…

OWF+CRS-NIZK⇒ SignatureSchemes [BG89]

However,OWF+DP-NIZK ⇒ SignatureSchemes

SIS

LWE

Why?Atahighlevel…

AlignswithpriorknowledgethatSISimpliessignatureschemes.

InaBitMoreDetail…

Signer Verifiervk = (crs:;, com>?@AB)

sk = (k;, skDEF)

*UsefactthatOWFimpliesMAC,COM

InaBitMoreDetail…

Signer Verifier

sk = (k;, skDEF)

𝐒𝐢𝐠𝐧 sk,M :1.σD ← SignDEF skDEF,M

vk = (crs:;, com>?@AB)

*UsefactthatOWFimpliesMAC,COM

InaBitMoreDetail…

Signer Verifier

sk = (k;, skDEF)

𝐒𝐢𝐠𝐧 sk,M :

x,w ∈ 𝑅 ⇔ (VerifyDEF skDEF,M, σD = ⊤∧ com>?@AB = COM(skDEF))

vk = (crs:;, com>?@AB)

*UsefactthatOWFimpliesMAC,COM

1.σD ← SignDEF skDEF,M2.𝜋 ← Prove(x = M, σD, com>?@AB ,w = skDEF)

InaBitMoreDetail…

Signer Verifier

sk = (k;, skDEF)

𝐒𝐢𝐠𝐧 sk,M :

x,w ∈ 𝑅 ⇔ (VerifyDEF skDEF,M, σD = ⊤∧ com>?@AB = COM(skDEF))

vk = (crs:;, com>?@AB)

*UsefactthatOWFimpliesMAC,COM

ProvethatüSignatureisvalidüSignedusingthecommittedskDEF

1.σD ← SignDEF skDEF,M2.𝜋 ← Prove(x = M, σD, com>?@AB ,w = skDEF)

InaBitMoreDetail…

Signer Verifier

sk = (k;, skDEF)

𝐒𝐢𝐠𝐧 sk,M :Checkvalidityofproof

= (𝜋, σD)

𝐕𝐞𝐫𝐢𝐟𝐲 vk,M, :

x, w ∈ 𝑅 ⇔ (VerifyDEF skDEF,M, σD = ⊤∧ com>?@AB = COM(skDEF))

vk = (crs:;, com>?@AB)

*UsefactthatOWFimpliesMAC,COM

1.σD ← SignDEF skDEF,M2.𝜋 ← Prove(x = M, σD, com>?@AB ,w = skDEF)

InaBitMoreDetail…

Signer Verifier

sk = (k;, skDEF)

𝐒𝐢𝐠𝐧 sk,M :Checkvalidityofproof

= (𝜋, σD)

𝐕𝐞𝐫𝐢𝐟𝐲 vk,M, :

x, w ∈ 𝑅 ⇔ (VerifyDEF skDEF,M, σD = ⊤∧ com>?@AB = COM(skDEF))

vk = (crs:;, com>?@AB)

*UsefactthatOWFimpliesMAC,COM

1.σD ← SignDEF skDEF,M2.𝜋 ← Prove(x = M, σD, com>?@AB ,w = skDEF)

TakeAwayDP-NIZKsufficessincethe“signer”

isthe“designatedprover”.

LatticeNIZKsandSignatures(Feasibility)Fully-Hom.Signature

DP-NIZK[KW18]

CorrelationInteractableHash+Fiat-Shamir

CRS-NIZK[PS19]

SIS

LWE

*IgnoreDV-NIZKsinceitdoesn’tseemusefulforsignatures.

LatticeNIZKsandSignatures(Feasibility)

DP-NIZK[KW18]

DigitalSignature

CorrelationInteractableHash+Fiat-Shamir

CRS-NIZK

DigitalSignature

[BG89]

*Allarrowassumes“+OWF”

SIS

LWE

Fully-Hom.Signature

[PS19]

LatticeNIZKsandSignatures(Feasibility)

DP-NIZK[KW18]

DigitalSignature

CorrelationInteractableHash+Fiat-Shamir

CRS-NIZK

DigitalSignature

[BG89]

*Allarrowassumes“+OWF”

SIS

LWE

?

[MPR11]Attribute-based

Signature

Attribute-basedSignature

Fully-Hom.Signature

[PS19]

LatticeNIZKsandSignatures(Feasibility)

DP-NIZK[KW18]

DigitalSignature

CorrelationInteractableHash+Fiat-Shamir

CRS-NIZK

DigitalSignature

[BG89]

*Allarrowassumes“+OWF”

SIS

LWE

?

+PKE[BMR03]

[MPR11]

?

Attribute-basedSignature

(FullyAnonymous)GroupSignature

Attribute-basedSignature

(FullyAnonymous)GroupSignature

Fully-Hom.Signature

[PS19]

LatticeNIZKsandSignatures(Feasibility)

DP-NIZK[KW18]

DigitalSignature

CorrelationInteractableHash+Fiat-Shamir

CRS-NIZK

DigitalSignature

[BG89]

*Unfortunately,thisimplicationdoesnotholdforlattice-basedCRS-NIZKsL

SIS

LWE

?

+PKE[BMR03]

[DN00,BKM05]+PKE

[MPR11]

??

Attribute-basedSignature

(FullyAnonymous)GroupSignature

RingSignature*

Attribute-basedSignature

(FullyAnonymous)GroupSignature

RingSignature

Fully-Hom.Signature

[PS19]

LatticeNIZKsandSignatures(Feasibility)

DP-NIZK[KW18]

DigitalSignature

CorrelationInteractableHash+Fiat-Shamir

CRS-NIZK

DigitalSignature

[BG89]

*Allarrowassumes“+OWF”

SIS

LWE

Attribute-basedSignature

(FullyAnonymous)GroupSignature

RingSignature*

Attribute-basedSignature

(FullyAnonymous)GroupSignature

RingSignature

Multi-UserDP-NIZK[KY19]

generalization

+PKE[BMR03]

[DN00,BKM05]+PKE

[MPR11]

Fully-Hom.Signature

[PS19]

LatticeNIZKsandSignatures(Feasibility)

DP-NIZK[KW18]

DigitalSignature

CorrelationInteractableHash+Fiat-Shamir

CRS-NIZK

DigitalSignature

[BG89]

*Allarrowassumes“+OWF”

SIS

LWE

Attribute-basedSignature

(FullyAnonymous)GroupSignature

Attribute-basedSignature

(FullyAnonymous)GroupSignature

RingSignature

Multi-UserDP-NIZK[KY19]

generalization

+PKE[BMR03]

[DN00,BKM05]+PKE

[MPR11]

RingSignature*

Fully-Hom.Signature

[PS19]

LatticeNIZKsandSignatures(Feasibility)

DP-NIZK[KW18]

DigitalSignature

CorrelationInteractableHash+Fiat-Shamir

CRS-NIZK

DigitalSignature

[BG89]

*Allarrowassumes“+OWF”

SIS

LWE

Attribute-basedSignature

(FullyAnonymous)GroupSignature

Attribute-basedSignature

(Selfless Anonymous)GroupSignature

RingSignature

Multi-UserDP-NIZK[KY19]

generalization

+PKE[BMR03]

[DN00,BKM05]+PKE

[MPR11]

RingSignature*

Fully-Hom.Signature

[PS19]

LatticeNIZKsandSignatures(Feasibility)

DP-NIZK[KW18]

DigitalSignature

CorrelationInteractableHash+Fiat-Shamir

CRS-NIZK

DigitalSignature

[BG89]

*Allarrowassumes“+OWF”

SIS

LWE

Attribute-basedSignature

(FullyAnonymous)GroupSignature

Attribute-basedSignature

(Selfless Anonymous)GroupSignature

(compact)RingSignature

Multi-UserDP-NIZK[KY19]

generalization

?openJ

+PKE[BMR03]

[DN00,BKM05]+PKE

[MPR11]

RingSignature*

Fully-Hom.Signature

[PS19]

3.Result:

Lattice-basedGroupSignature[KatYam@EC’19]

via“Multi-UserDP-NIZKs”

*DisclaimersAfterourpaperwasaccepted@EC,CRS-NIZKfromLWEwasfinallyresolved[PS19@CRYPTO].

Accordingly,thefollowingpresentation@EC ismadeunderthe“old”factthatCRS-NIZKfromlatticesdonotexistyet.

OurResultinShort① Constructthefirstgroupsignaturesfrom

latticesinthestandardmodel.

③ Constructionsfromvariousassumptions.

② Achievesfulltraceability[BMW03]andselflessanonymity[CG04].

ü SISw/subexp-modulus.ü LWEw/poly-modulus.ü SISw/poly-modulus+LPNw/const.noiserate

OurTechniquesinShortAvoidusingCRS-NIZK,anecessary

componentinexistingframeworks[BMW03,CG04,…],butnotknownfromlattices.

A) ExtendDP-NIZKtoMulti-User(MU)DP-NIZK.B) ShowMU-DP-NIZK⇒ GS.C) ProvideconstructionofMU-DP-NIZKfromSIS.

Outlineof“3.Result”

DefinitionofGroupSignatures

PreviousTechniques

OurWork

Outlineof“3.Result”

DefinitionofGroupSignatures

PreviousTechniques

OurWork

SyntaxofGroupSignature(GS)gpk, gok, gske e∈[g] ← GS. KeyGen(1l, 1g)

gskm gskn gsko

SyntaxofGroupSignature(GS)gpk, gok, gske e∈[g] ← GS. KeyGen(1l, 1g)

gskm gskn gsko

Σ ← GS. Sign(gpk, gske, M)

SyntaxofGroupSignature(GS)gpk, gok, gske e∈[g] ← GS. KeyGen(1l, 1g)

gskm gskn gsko

Σ ← GS. Sign(gpk, gske, M)⊤/⊥← GS. Vrfy(gpk,M, Σ)

*SignaturesignedbySOMEBODY inthegroup.

SyntaxofGroupSignature(GS)gpk, gok, gske e∈[g] ← GS. KeyGen(1l, 1g)

gskm gskn gsko

Σ ← GS. Sign(gpk, gske, M)⊤/⊥← GS. Vrfy(gpk,M, Σ)𝑖/⊥← GS. Open(gok,M, Σ)Heiswho

hassigned.

gske

Corrupt*Allbut1user

Security:FullTraceability[BMW03]

gske

Corrupt

Security:FullTraceability[BMW03]

SigningOracle

gske

Corrupt

Security:FullTraceability[BMW03]

SigningOracle

or⊥Valid

Hardtoforgeasignaturethattracestoauncorrupteduserorthatcannottrace.

Security:SelflessAnonymity[CG04]

gsket gskeu

Corrupt*Allbut2users

Security:SelflessAnonymity[CG04]

gsket gskeu

Corrupt

Security:SelflessAnonymity[CG04]

gsket gskeu

Corrupt≈w

Signaturesoftwousers𝑖x and𝑖m areind,evengivengpk, gsky yzet,eu

(andopenoracle)

*FullAnonymity[BMW03]Astronger notionthan“selfless”anonymity.Theadversaryisalsogivengsket andgskeu.

Knowntoimplypublic-keyencryption.[CG04,AW04](Hence,probablynon-obtainablefromSIS.)

*FullAnonymity[BMW03]Astronger notionthan“selfless”anonymity.Theadversaryisalsogivengsket andgskeu.

Knowntoimplypublic-keyencryption.[CG04,AW04](Hence,probablynon-obtainablefromSIS.)

ThisTalkWewillonlyfocuson“selfless”anonymity.

Outlineof“3.Result”

DefinitionofGroupSignatures

PreviousTechniques

OurWork

“SignthenEncandProve”Framework*Modifiedversionoforiginal[BMW03]

Ingredients:Signature +PKE +CRS-NIZK

GS. KeyGen(1l, 1g) → gpk, gok, gske e∈[g]

“SignthenEncandProve”Framework*Modifiedversionoforiginal[BMW03]

Ingredients:Signature +PKE +CRS-NIZK

GS. KeyGen(1l, 1g) → gpk, gok, gske e∈[g]

n gpk = ( vke e∈ g , pk;|}, crs)

“SignthenEncandProve”Framework*Modifiedversionoforiginal[BMW03]

Ingredients:Signature +PKE +CRS-NIZK

GS. KeyGen(1l, 1g) → gpk, gok, gske e∈[g]

n gpk = ( vke e∈ g , pk;|}, crs)

n gske = ske :Signingkeyofsignaturescheme

“SignthenEncandProve”Framework*Modifiedversionoforiginal[BMW03]

Ingredients:Signature +PKE +CRS-NIZK

GS. KeyGen(1l, 1g) → gpk, gok, gske e∈[g]

n gpk = ( vke e∈ g , pk;|}, crs)

n gske = ske :Signingkeyofsignaturescheme

n gok = sk;|} :SecretkeyofPKE

“SignthenEncandProve”Framework

gske = ske

gpk = ( vke e∈ g , pk;|}, crs),

n GS. Sign(gpk, gske,𝑀)

User𝒊

gok = sk;|}

“SignthenEncandProve”Framework

gske = ske

gpk = ( vke e∈ g , pk;|}, crs),

n GS. Sign(gpk, gske,𝑀)

User𝒊

gok = sk;|}

1.𝜎 ← Sign ske, M

“SignthenEncandProve”Framework

gske = ske

gpk = ( vke e∈ g , pk;|}, crs),

n GS. Sign(gpk, gske,𝑀)1.𝜎 ← Sign ske, M2. ct ← Enc(pk;|}, 𝑖||σ; 𝑅)

User𝒊

gok = sk;|}

“SignthenEncandProve”Framework

gske = ske

gpk = ( vke e∈ g , pk;|}, crs),

n GS. Sign(gpk, gske,𝑀)

User𝒊

gok = sk;|}

1.𝜎 ← Sign ske, M2. ct ← Enc(pk;|}, 𝑖||σ; 𝑅)3.ProveusingCRS-NIZKthat∃𝑅∃𝜎∃𝑖 s.t.

• Verify vke, 𝜎,M = ⊤• ct = Enc pk;|}, 𝑖||𝜎; 𝑅

andobtainproof𝜋.

“SignthenEncandProve”Framework

gske = ske

gpk = ( vke e∈ g , pk;|}, crs),

n GS. Sign(gpk, gske,𝑀)

User𝒊

gok = sk;|}

1.𝜎 ← Sign ske, M2. ct ← Enc(pk;|}, 𝑖||σ; 𝑅)3.ProveusingCRS-NIZKthat∃𝑅∃𝜎∃𝑖 s.t.

• Verify vke, 𝜎,M = ⊤• ct = Enc pk;|}, 𝑖||𝜎; 𝑅

andobtainproof𝜋.

= (ct, 𝜋)

“SignthenEncandProve”Framework

gske = ske

gpk = ( vke e∈ g , pk;|}, crs),

n GS. Sign(gpk, gske,𝑀)

User𝒊

gok = sk;|}

1.𝜎 ← Sign ske, M2. ct ← Enc(pk;|}, 𝑖||σ; 𝑅)3.ProveusingCRS-NIZKthat∃𝑅∃𝜎∃𝑖 s.t.

• Verify vke, 𝜎,M = ⊤• ct = Enc pk;|}, 𝑖||𝜎; 𝑅

andobtainproof𝜋.

= (ct, 𝜋)

n GS.Verify⇒ Verify𝜋

“SignthenEncandProve”Framework

gske = ske

gpk = ( vke e∈ g , pk;|}, crs),

n GS. Sign(gpk, gske,𝑀)

User𝒊

gok = sk;|}

1.𝜎 ← Sign ske, M2. ct ← Enc(pk;|}, 𝑖||σ; 𝑅)3.ProveusingCRS-NIZKthat∃𝑅∃𝜎∃𝑖 s.t.

• Verify vke, 𝜎,M = ⊤• ct = Enc pk;|}, 𝑖||𝜎; 𝑅

andobtainproof𝜋.

= (ct, 𝜋)

n GS.Verify⇒ Verify𝜋 n GS.Open⇒ Dec.ct

IntuitionforSecurity:Anonymity

Proveuser𝑖’sinformationdoesn’tleakfrom.

IntuitionforSecurity:Anonymity

Proveuser𝑖’sinformationdoesn’tleakfrom.

Ø 𝝅 revealsnothingabout𝑖 duetoCRS-NIZKbeingZK.

IntuitionforSecurity:Anonymity

Proveuser𝑖’sinformationdoesn’tleakfrom.

Ø 𝝅 revealsnothingabout𝑖 duetoCRS-NIZKbeingZK.Ø ct revealsnothingabout𝑖 duetosecurityofPKE.

IntuitionforSecurity:Anonymity

Proveuser𝑖’sinformationdoesn’tleakfrom.

Ø 𝝅 revealsnothingabout𝑖 duetoCRS-NIZKbeingZK.Ø ct revealsnothingabout𝑖 duetosecurityofPKE.

Theinformationofwhosignedthemessageishidden!

IntuitionforSecurity:Traceability

Provethefollowingdoesn’thappen.

IntuitionforSecurity:Traceability

Provethefollowingdoesn’thappen.

Ø DuetosoundnessofCRS-NIZK,musthavect oftheformEnc pk;|}, 𝑖||𝜎; 𝑅 for∃𝑅∃𝜎∃𝑖.

IntuitionforSecurity:Traceability

Provethefollowingdoesn’thappen.

⇒ Openalgorithmdoesnotoutput⊥.

Ø DuetosoundnessofCRS-NIZK,musthavect oftheformEnc pk;|}, 𝑖||𝜎; 𝑅 for∃𝑅∃𝜎∃𝑖.

IntuitionforSecurity:Traceability

Provethefollowingdoesn’thappen.

⇒ Openalgorithmdoesnotoutput⊥.Ø Duetounforgeabilityofsignature,impossibletoforge𝜎 s.t.Verify vke, 𝜎,M = ⊤ for non-corrupt user𝑖.

Ø DuetosoundnessofCRS-NIZK,musthavect oftheformEnc pk;|}, 𝑖||𝜎; 𝑅 for∃𝑅∃𝜎∃𝑖.

IntuitionforSecurity:Traceability

Provethefollowingdoesn’thappen.

⇒ Openalgorithmdoesnotoutput⊥.Ø Duetounforgeabilityofsignature,impossibletoforge𝜎 s.t.Verify vke, 𝜎,M = ⊤ for non-corrupt user𝑖.

⇒ Openalgorithmdoesnotoutputnon-corruptuser.

Ø DuetosoundnessofCRS-NIZK,musthavect oftheformEnc pk;|}, 𝑖||𝜎; 𝑅 for∃𝑅∃𝜎∃𝑖.

Outlineof“3.Result”

DefinitionofGroupSignatures

PreviousTechniques

OurWork

MotivationofthisWorkHowtoconstructlattice-based

GSw/oCRS-NIZK??

MotivationofthisWorkHowtoconstructlattice-based

GSw/oCRS-NIZK??

ü IfwecanreplaceCRS-NIZKwithDP-NIZK,thenwecanuseSIS-basedconstructionof[KW18].

ü GettingawaywithSKEinsteadofPKE iseasy.

MotivationofthisWorkHowtoconstructlattice-based

GSw/oCRS-NIZK??

Willresultinthefirstlattice-basedGS!Moreover,fromtheSISassumptionJ

ü IfwecanreplaceCRS-NIZKwithDP-NIZK,thenwecanuseSIS-basedconstructionof[KW18].

ü GettingawaywithSKEinsteadofPKE iseasy.

OverviewofOurApproach① Unfortunately,simplyplugginginDP-NIZK in

placeofCRS-NIZKdoesnotworkL

OverviewofOurApproach① Unfortunately,simplyplugginginDP-NIZK in

placeofCRS-NIZKdoesnotworkL

② Toavoidproblem,weintroduceaMulti-UserDP-NIZK anduseitasreplacement.

OverviewofOurApproach① Unfortunately,simplyplugginginDP-NIZK in

placeofCRS-NIZKdoesnotworkL

③ WeobservethatMU-DP-NIZKisimpliedbyattribute-basedsignatures(ABS)andconstructanewlattice-basedABS.

② Toavoidproblem,weintroduceaMulti-UserDP-NIZK anduseitasreplacement.

Recap:DP-NIZKCRS:(public)commonreferencestring

𝐤𝐩:(private)provingkey

Prover Verifier(𝑥, 𝑤)

𝜋𝑥CRS,𝑥 ∈ 𝐿

𝐤𝐩ZKpropertyissatisfiedaslongas𝐤𝐩

iskeptsecretfromtheVerifier.

Recap:DP-NIZKCRS:(public)commonreferencestring

𝐤𝐩:(private)provingkey

Prover Verifier(𝑥, 𝑤)

𝜋𝑥CRS,𝑥 ∈ 𝐿

𝐤𝐩ZKpropertyissatisfiedaslongas𝐤𝐩

iskeptsecretfromtheVerifier.

Correlated

FirstAttempt

gpk = ( vke e∈ g , pk;|}, crs)

PluginDP-NIZKin[BMW03]framework.Grouppublickey:

FirstAttempt

gpk = ( vke e∈ g , pk;|}, crs)

gske = (ske, k2)

PluginDP-NIZKin[BMW03]framework.Grouppublickey:

Groupsigningkeyforuser𝑖: ProvingkeyforDP-NIZK(Sameforallusers)

FirstAttempt

gpk = ( vke e∈ g , pk;|}, crs)

gske = (ske, k2)

PluginDP-NIZKin[BMW03]framework.Grouppublickey:

Groupsigningkeyforuser𝑖:

Signaturemadebyuser𝑖:Σ = (ct, 𝜋)

ProvingkeyforDP-NIZK(Sameforallusers)

DP-NIZK proof

FirstAttempt

gpk = ( vke e∈ g , pk;|}, crs)

gske = (ske, k2)

PluginDP-NIZKin[BMW03]framework.Grouppublickey:

Groupsigningkeyforuser𝑖:

Σ = (ct, 𝜋)

ProvingkeyforDP-NIZK(Sameforallusers)

DP-NIZK proof

Corruptionofsingleuserrevealsk;⇒ RuinsZKpropertyofDP-NIZK⇒ BreaksAnonymityoftheresultingGS

Signaturemadebyuser𝑖:

SecondAttempt

gpk = ( vke e∈ g , pk;|}, crs m , … , crs(g))

Usedifferentk2 fordifferentusers.Grouppublickey:

SecondAttempt

gpk = ( vke e∈ g , pk;|}, crs m , … , crs(g))Grouppublickey:

gske = (ske, k2(e))

Groupsigningkeyforuser𝑖: Provingkeyforthe𝒊-th instanceofDP-NIZK

Usedifferentk2 fordifferentusers.

SecondAttempt

gpk = ( vke e∈ g , pk;|}, crs m , … , crs(g))Grouppublickey:

gske = (ske, k2(e))

Groupsigningkeyforuser𝑖:

Σ = (ct, 𝜋)

Provingkeyforthe𝒊-th instanceofDP-NIZK

W.R.Tcrs(e)

Usedifferentk2 fordifferentusers.

Signaturemadebyuser𝑖:

SecondAttempt

gpk = ( vke e∈ g , pk;|}, crs m , … , crs(g))Grouppublickey:

gske = (ske, k2(e))

Groupsigningkeyforuser𝑖:

Σ = (ct, 𝜋)

Provingkeyforthe𝒊-th instanceofDP-NIZK

W.R.Tcrs(e)

TheDP-NIZKproof(GSsignature)doesnothidetheinstance𝑖.⇒ BreaksAnonymityoftheresultingGS

Usedifferentk2 fordifferentusers.

Signaturemadebyuser𝑖:

LessonLearnedfromFailuresp NeedmultipleprovervariantofDP-NIZK.p Needsecurityagainstcorruptionofprovers.p Proofshould notleakproveridentity.

DP-NIZKseemstobetooweak….

LessonLearnedfromFailuresp NeedmultipleprovervariantofDP-NIZK.p Needsecurityagainstcorruptionofprovers.p Proofshould notleakproveridentity.

DP-NIZKseemstobetooweak….

OurSolutionConstructanonymousMulti-UserDP-NIZK(Attribute-basedsignature+[KW18]technique)

NewNotion:Multi-UserDP-NIZK

Public:CRS,Private:(kpm, … , kpg)

Essentially,aDP-NIZKwithmultipleusersJ

kpm kpn kpo kp�

NewNotion:Multi-UserDP-NIZK

Public:CRS,Private:(kpm, … , kpg)

Essentially,aDP-NIZKwithmultipleusersJ

kpm kpn kpo kp�

𝑥,𝑤 ∈ 𝑅

Proof 𝜋 w.r.tCRS

NewNotion:Multi-UserDP-NIZK

Public:CRS,Private:(kpm, … , kpg)

Essentially,aDP-NIZKwithmultipleusersJ

kpm kpn kpo kp�

𝑥,𝑤 ∈ 𝑅

Proof 𝜋 w.r.tCRS

ü Zero-Knowledge:𝜋 leaksnoinformationevenwithcorruption.

NewNotion:Multi-UserDP-NIZK

Public:CRS,Private:(kpm, … , kpg)

Essentially,aDP-NIZKwithmultipleusersJ

kpm kpn kpo kp�

𝑥,𝑤 ∈ 𝑅

Proof 𝜋 w.r.tCRS

ü Soundness:𝑥 ∉ 𝐿 cannotbeprovenevenwithcorruption.ü Zero-Knowledge:𝜋 leaksnoinformationevenwithcorruption.

NewNotion:Multi-UserDP-NIZK

Public:CRS,Private:(kpm, … , kpg)

Essentially,aDP-NIZKwithmultipleusersJ

kpm kpn kpo kp�

𝑥,𝑤 ∈ 𝑅

Proof 𝜋 w.r.tCRS

ü Soundness:𝑥 ∉ 𝐿 cannotbeprovenevenwithcorruption.ü Zero-Knowledge:𝜋 leaksnoinformationevenwithcorruption.

ü Anonymity:Informationofwhogenerated𝜋 isnotleakedevenwithcorruption.

HowtoConstructMU-DP-NIZK??

ThePlan1. ReviewAttribute-basedSignatures(ABS).2. CompileABSintoMU-DP-NIZKusingthe

techniquedevelopedin[KW18].

Attribute-basedSignatures(ABS)mpk,msk ← ABS. Setup(1l)

xm xn xo

Attribute-basedSignatures(ABS)mpk,msk ← ABS. Setup(1l)

sk�u

sk� ← ABS. KeyGen(msk, x)

sk�� sk��

xm xn xo

*attribute

Attribute-basedSignatures(ABS)mpk,msk ← ABS. Setup(1l)

sk�u

sk� ← ABS. KeyGen(msk, x)

sk�� sk��

*attribute

𝜎 ← ABS. Sign(mpk, sk�, C,M)

CansignonapolicyC iff C x = 1.*attributesatisfiespolicy.

*policyPolicyC

xm xn xo

Attribute-basedSignatures(ABS)mpk,msk ← ABS. Setup(1l)

sk�u

sk� ← ABS. KeyGen(msk, x)

sk�� sk��

*attribute

𝜎 ← ABS. Sign(mpk, sk�, C,M)

CansignonapolicyC iff C x = 1.*attributesatisfiespolicy.

*policy

⊤/⊥← ABS. Verify(mpk, C, 𝜎,M)

PolicyC

xm xn xo

SecurityofABS:Anonymity

sk�u sk��

xm xn

PolicyC PolicyC

M M

SecurityofABS:Anonymity

sk�u sk��

xm xn

PolicyC PolicyC

Ifattributexm andxn satisfyC xm = C xn = 1,thenthesignaturesareindistinguishable.

M M≈w

SecurityofABS:Anonymity

sk�u sk��

xm xn

PolicyC PolicyC

Ifattributexm andxn satisfyC xm = C xn = 1,thenthesignaturesareindistinguishable.

M M≈w

*Signatureonlyleaksthatthesignerhadasatisfyingattributex forpolicyC.

SecurityofABS:Unforgeability

sk�u sk��

xm xn

Policy𝐂∗

sk��

xo

Corrupt

HardtoforgeasignatureonC∗ evenifgivensigningkeys{sk�} thatarenotallowedtosignonC∗(i. e. , C∗ x = 0)

*Secretkeysk� canonlybeusedwithrespecttoC suchthatC x = 1.

MU-DP-NIZKfromABS(+SKE)Applytheideaof[KW18]toABSinsteadofFHS.

kpm kpn kpo kp�= (Km, sk|u

E��) = (K�, sk|�E��)

ABSsigningkeyviewingKm asattribute

SKEsecretkey

Applytheideaof[KW18]toABSinsteadofFHS.

kpm kpn kpo kp�= (Km, sk|u

E��) = (K�, sk|�E��)

x,w ∈ R

1.ct← SKE. Enc Km,wConstructingMU-DP-NIZKproof𝝅

MU-DP-NIZKfromABS(+SKE)

Applytheideaof[KW18]toABSinsteadofFHS.

kpm kpn kpo kp�= (Km, sk|u

E��) = (K�, sk|�E��)

x,w ∈ R

1.ct← SKE. Enc Km,w2. 𝜎 ← ABS. Sign(mpk, sk|u

E��, C�,��, "∃fixedM")wherepolicyC�,�� K ≔ R x, SKE. Dec K, ct .

PublicFunction

ConstructingMU-DP-NIZKproof𝝅

MU-DP-NIZKfromABS(+SKE)

Applytheideaof[KW18]toABSinsteadofFHS.

kpm kpn kpo kp�= (Km, sk|u

E��) = (K�, sk|�E��)

x,w ∈ R

ConstructingMU-DP-NIZKproof𝝅1.ct← SKE. Enc Km,w2. 𝜎 ← ABS. Sign(mpk, sk|u

E��, C�,��, "∃fixedM")wherepolicyC�,�� K ≔ R x, SKE. Dec K, ct .

3.𝜋 ≔ (ct, 𝜎)

PublicFunction

MU-DP-NIZKfromABS(+SKE)

Security:Soundness

kpm kpn kpo kp�= (Km, sk|u

E��) = (K�, sk|�E��)

x,w ∈ R

MU-DP-NIZKproof:𝜋 = (ct, 𝜎)

SoundnessIfxisnotinthelanguage,thenforallct andK,

C�,�� K ≔ R x, SKE. Dec K, ct = 0.Hence,unforgeabilityofABSimpliessoundnessJ

Security:Soundness

kpm kpn kpo kp�= (Km, sk|u

E��) = (K�, sk|�E��)

x,w ∈ R

MU-DP-NIZKproof:𝜋 = (ct, 𝜎)

SoundnessIfxisnotinthelanguage,thenforallct andK,

C�,�� K ≔ R x, SKE. Dec K, ct = 0.Hence,unforgeabilityofABSimpliessoundnessJ

Corrupt

…w/corruptiontoo??

Security:Soundness

kpm kpn kpo kp�= (Km, sk|u

E��) = (K�, sk|�E��)

x,w ∈ R

MU-DP-NIZKproof:𝜋 = (ct, 𝜎)

SoundnessIfxisnotinthelanguage,thenforallct andK,

C�,�� K ≔ R x, SKE. Dec K, ct = 0.Hence,unforgeabilityofABSimpliessoundnessJ

Corrupt

…w/corruptiontoo??

SoundevenwithcorruptionJ(∵ ABSisunforgeableeven

withcorruption)

Security:Zero-Knowledge/Anonymity

kpm kpn kpo kp�= (Km, sk|u

E��) = (K�, sk|�E��)

x,w ∈ R

MU-DP-NIZKproof:𝜋 = (ct, 𝜎)

ZK/AnonymityØ ct= SKE. Enc K,w :Doesnotleakw duetosecurityofSKE.Ø 𝜎 isaABSsignatureusingsk|E��:Doesnotleak(attribute)K

duetoanonymityofABS.

Security:Zero-Knowledge/Anonymity

kpm kpn kpo kp�= (Km, sk|u

E��) = (K�, sk|�E��)

x,w ∈ R

MU-DP-NIZKproof:𝜋 = (ct, 𝜎)

ZK/AnonymityØ ct= SKE. Enc K,w :Doesnotleakw duetosecurityofSKE.Ø 𝜎 isaABSsignatureusingsk|E��:Doesnotleak(attribute)K

duetoanonymityofABS.

Corrupt

…w/corruptiontoo??

ZKandAnonymousevenwithcorruptionJ

(∵SKEKeysareindependentandABSisanonymous)

PiecingEverythingTogether

SKE+Signature+Multi-UserDP-NIZK⟹ GS

PluginMU-DP-NIZKinplaceofCRS-NIZKinthe“Sign-then-Enc-and-Prove”paradigm[BMW03,CG04].

SKE+ABS⟹

PiecingEverythingTogether

SKE+Signature+Multi-UserDP-NIZK⟹ GS

PluginMU-DP-NIZKinplaceofCRS-NIZKinthe“Sign-then-Enc-and-Prove”paradigm[BMW03,CG04].

SKE+ABS⟹

StraightforwardtoinstantiateSKEandSignatureusingexistingconstructions(SIS,LWE,LPN,…).

HowaboutAttribute-basedSignature??

InstantiatingABS

[Tsabary17]givesABS,butneedscomplexityleveraging forourpurpose⇒ Need(subexp)SIS(duetomismatchofsecuritynotions).

Instantiation1:

InstantiatingABS

[Tsabary17]givesABS,butneedscomplexityleveraging forourpurpose⇒ Need(subexp)SIS(duetomismatchofsecuritynotions).

WeakenthesecurityrequirementsforABSbythefollowingobservations- Boundedkeyqueriesissufficient- Attributesforsigningkeycanbedetermined

beforethesetupofsystem(TheyareSKEkeys)⇒Directlyconstructionfrom(poly)SIS.

Instantiation1:

Instantiation2:

Conclusion of [KY19]① Constructthefirstgroupsignaturesfrom

latticesinthestandardmodel.

③ Constructionsfromvariousassumptions.

② ConsideranewtypeofMulti-User DP-NIZKandconstructitfromABS.

ü SISw/subexp-modulus.ü LWEw/poly-modulus.ü SISw/poly-modulus+LPNw/const.noiserate

SomeOpenQuestions① Constructgroupsignatures basedonpoly SIS.

*Oursrequiresub-expSIS.

② Constructringsignaturesw/osetupwithlogarithmicsignaturesizefromlattices.

*LinearsizeknownfromSIS.

④ ExploreotherlinksbetweenvarioustypesofNIZKandsignatures.

③ AnyotherinterestingnotionsforNIZKs??(e.g.,maliciousDV-NIZK[QRW19])