
  1. Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures without Trapdoors
Benoît Libert (1), San Ling (2), Khoa Nguyen (2), Huaxiong Wang (2)
(1) École Normale Supérieure de Lyon (France); (2) Nanyang Technological University (Singapore)
EUROCRYPT 2016 - Vienna, Austria

  2. Outline
1 Introduction
2 Our Accumulator and Its Supporting Zero-Knowledge Argument
3 Applications to Ring and Group Signatures
Khoa Nguyen (NTU, Singapore) ZK arguments for lattice-based accumulators EUROCRYPT 2016 2 / 17

  3. Cryptographic Accumulators
Accumulator [BdM'93]: a function hashing a large data set $R = \{d_0, \ldots, d_{N-1}\}$ into a constant-size value $u$.
For any $d \in R$, there is a short witness $w$ that $d$ was accumulated into $u$.
It is infeasible to compute a valid witness $w^*$ for some $d^* \notin R$.
Numerous applications in authentication mechanisms.
In many scenarios, a ZK proof of an input-witness pair $(d, w)$ is desirable.

  4. Previous Works
2 main families of number-theoretic accumulators: based on groups of hidden order, or on pairings (strong RSA and strong DH assumptions).
A 3rd family relies on Merkle trees: hardly compatible with ZK proofs. Known methods require non-standard assumptions in groups of hidden order [BCG'14] or non-falsifiable knowledge assumptions [BSCG+'14].
[PSTY'13]: SIS-based Merkle tree; supporting ZK proofs were not considered.

  5-7. Our Results
First lattice-based accumulator supported by logarithmic-size ZK arguments.
We build Merkle trees from a family of SIS-based CRHF $\mathcal{H}: D \times D \to D$.
We demonstrate in ZK the possession of a Merkle tree path (hash chain).
Applications:
1 First lattice-based logarithmic-size ring signature.
2 First group signature without lattice trapdoors. Previous constructions [GKV'10, CNR'12, LLLS'13, LNW'15, NZZ'15] rely on trapdoors for key generation and/or for enabling tracing. Being trapdoor-less: smaller parameters, shorter key and signature sizes. User's signing key in our scheme has size of several KBs, compared with ≈ 90 GBs in [NZZ'15].

  8. Outline
1 Introduction
2 Our Accumulator and Its Supporting Zero-Knowledge Argument
3 Applications to Ring and Group Signatures

  9-10. A Family of Lattice-Based CRHF
Let $n$ be the security parameter, $q = \tilde{O}(n)$, $k = \lceil \log_2 q \rceil$, and $m = 2nk$. Define:
$$G = \begin{bmatrix} 1 & 2 & 4 & \cdots & 2^{k-1} & & & & & & \\ & & & & & \ddots & & & & & \\ & & & & & & 1 & 2 & 4 & \cdots & 2^{k-1} \end{bmatrix} \in \mathbb{Z}_q^{n \times nk}.$$
For all $v \in \mathbb{Z}_q^n$: $v = G \cdot \mathrm{bin}(v)$, where $\mathrm{bin}(v) \in \{0,1\}^{nk}$ is the binary representation of $v$.
Define the family $\mathcal{H}: \{0,1\}^{nk} \times \{0,1\}^{nk} \to \{0,1\}^{nk}$ as $\mathcal{H} = \{h_A \mid A \in \mathbb{Z}_q^{n \times m}\}$, where for $A = [A_0 \mid A_1]$ with $A_0, A_1 \in \mathbb{Z}_q^{n \times nk}$, and $(u_0, u_1) \in \{0,1\}^{nk} \times \{0,1\}^{nk}$:
$$h_A(u_0, u_1) = \mathrm{bin}\big(A_0 \cdot u_0 + A_1 \cdot u_1 \bmod q\big) \in \{0,1\}^{nk}.$$
Note that $h_A(u_0, u_1) = u \Leftrightarrow A_0 \cdot u_0 + A_1 \cdot u_1 = G \cdot u \bmod q$.
$\mathcal{H}$ is collision-resistant, assuming that $\mathrm{SIS}^{\infty}_{n,m,q,1}$ is hard.

  11. From CRHF to Merkle-tree-style Accumulators
[Figure: a Merkle tree with root $u$, internal nodes $u_0, u_1, u_{00}, \ldots, u_{11}, u_{000}, \ldots, u_{111}$, and leaves $d_0, \ldots, d_7$.]
A Merkle tree with $2^3 = 8$ leaves, which accumulates the data blocks $d_0, \ldots, d_7$ into the value $u$ at the root. The value at each non-leaf node is the hash of its two children.
The brown nodes together with the bit string $(j_3, j_2, j_1) = (1, 0, 1)$ form a witness to the fact that $d_5$ is accumulated into $u$.

  12-15. Proving Knowledge of an Accumulated Value
[Figure: the path from a leaf up to the root $u$ for $\ell = 3$, with path nodes $v_3, v_2, v_1$, sibling nodes $w_3, w_2, w_1$, and the bits $j_3 = 1$ and $j_2 = 0$ marked on the path.]
Public input: $A$; $u = v_0$.
Secret input: $(w_\ell, \ldots, w_1)$, $(v_\ell, \ldots, v_1)$, $(j_\ell, \ldots, j_1)$.
Prover's goal: proving that
$$\forall i \in \{\ell-1, \ldots, 1, 0\}: \quad v_i = \begin{cases} h_A(v_{i+1}, w_{i+1}), & \text{if } j_{i+1} = 0; \\ h_A(w_{i+1}, v_{i+1}), & \text{if } j_{i+1} = 1. \end{cases}$$
✗ Previous protocols for SIS-based hash functions ([Lyu'08,09,12], [LNSW'13]) only prove knowledge of a hidden preimage for a given image.
? Here, we essentially need to prove knowledge of "$\ell$ hidden preimage-image pairs nested along a hidden path."

  16-17. Transformations
For any bit $b$ and binary vector $v$, define $\bar{b} = 1 - b$ and $\mathrm{ext}(b, v) = \begin{bmatrix} \bar{b} \cdot v \\ b \cdot v \end{bmatrix}$.
Observe that
$$v_i = \begin{cases} h_A(v_{i+1}, w_{i+1}), & \text{if } j_{i+1} = 0; \\ h_A(w_{i+1}, v_{i+1}), & \text{if } j_{i+1} = 1 \end{cases}$$
is equivalent to:
$$\begin{aligned}
& v_i = \bar{j}_{i+1} \cdot h_A(v_{i+1}, w_{i+1}) + j_{i+1} \cdot h_A(w_{i+1}, v_{i+1}) \\
\Leftrightarrow\ & \bar{j}_{i+1} \cdot \big(A_0 \cdot v_{i+1} + A_1 \cdot w_{i+1}\big) + j_{i+1} \cdot \big(A_0 \cdot w_{i+1} + A_1 \cdot v_{i+1}\big) = G \cdot v_i \bmod q \\
\Leftrightarrow\ & A \cdot \begin{bmatrix} \bar{j}_{i+1} \cdot v_{i+1} \\ j_{i+1} \cdot v_{i+1} \end{bmatrix} + A \cdot \begin{bmatrix} j_{i+1} \cdot w_{i+1} \\ \bar{j}_{i+1} \cdot w_{i+1} \end{bmatrix} = G \cdot v_i \bmod q \\
\Leftrightarrow\ & A \cdot \mathrm{ext}(j_{i+1}, v_{i+1}) + A \cdot \mathrm{ext}(\bar{j}_{i+1}, w_{i+1}) = G \cdot v_i \bmod q.
\end{aligned}$$
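The hash $h_A$, the Merkle accumulator built from it (slides 9-11), the witness for $d_5$ with path bits $(j_3, j_2, j_1) = (1, 0, 1)$, and the case rule versus its $\mathrm{ext}(\cdot)$ linearisation (slides 12-17) can all be exercised in a few lines. The following is an added example, not code from the paper or its authors: the parameters $n = 2$, $q = 8$ are chosen only so the vectors stay readable and provide no security, and the matrix $A$ and the data blocks $d_0, \ldots, d_7$ are constructed from a fixed seed.

```python
"""Toy instantiation of the SIS-based hash h_A, the Merkle accumulator built from
it (slides 9-11) and the case rule / ext(.) linearisation of a path step
(slides 12-17).  Added example: n = 2, q = 8 are illustrative only and give no
security; A and the data blocks d_0..d_7 are constructed from a fixed seed."""
import random

N, Q = 2, 8                       # toy n and q (the paper needs q = Õ(n), n large)
K = (Q - 1).bit_length()          # k = ceil(log2 q) = 3
M = 2 * N * K                     # m = 2nk = 12


def bin_vec(v):
    """bin(v): each coordinate of v in Z_q^n written as k bits (LSB first), concatenated."""
    return [(x >> b) & 1 for x in v for b in range(K)]


def G_times(u):
    """G · u mod q for G = I_n ⊗ (1, 2, 4, ..., 2^{k-1}); the inverse of bin on {0,1}^{nk}."""
    return [sum(u[i * K + b] << b for b in range(K)) % Q for i in range(N)]


def matvec(A, x):
    """A · x mod q."""
    return [sum(a * xi for a, xi in zip(row, x)) % Q for row in A]


def h_A(A, u0, u1):
    """h_A(u0, u1) = bin(A0·u0 + A1·u1 mod q); with A = [A0 | A1] that is A·[u0; u1]."""
    return bin_vec(matvec(A, u0 + u1))


def accumulate(A, leaves):
    """Merkle tree over the leaves; returns root u and levels[0..ℓ] (levels[0] = [u])."""
    levels, level = [list(leaves)], list(leaves)
    while len(level) > 1:
        level = [h_A(A, level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    levels.reverse()
    return level[0], levels


def witness(levels, idx):
    """Witness for leaf idx: siblings (w_ℓ, ..., w_1) and path bits (j_ℓ, ..., j_1),
    listed from the leaf upward; j = 1 means the path node is the right child."""
    w, j = [], []
    for depth in range(len(levels) - 1, 0, -1):
        j.append(idx & 1)
        w.append(levels[depth][idx ^ 1])
        idx >>= 1
    return w, j


def ext(b, v):
    """ext(b, v) = [ (1-b)·v ; b·v ]."""
    return [(1 - b) * x for x in v] + [b * x for x in v]


def verify_path(A, u, d, w, j):
    """Recompute v_{ℓ-1}, ..., v_0 from v_ℓ = d with the case rule and compare v_0 to u."""
    v = d
    for w_i, j_i in zip(w, j):
        v = h_A(A, v, w_i) if j_i == 0 else h_A(A, w_i, v)
    return v == u


def verify_path_linear(A, u, d, w, j):
    """Same check through equation (1): A·ext(j, v) + A·ext(j̄, w) = G·v_prev mod q.
    The v_i are recomputed in the clear here; the ZK argument keeps them hidden."""
    v = d
    for w_i, j_i in zip(w, j):
        lhs = [(a + b) % Q for a, b in zip(matvec(A, ext(j_i, v)),
                                           matvec(A, ext(1 - j_i, w_i)))]
        v_prev = h_A(A, v, w_i) if j_i == 0 else h_A(A, w_i, v)
        if lhs != G_times(v_prev):
            return False
        v = v_prev
    return v == u


def toy_instance(seed=2016):
    """Constructed A ∈ Z_q^{n×m} and eight data blocks d_0..d_7 ∈ {0,1}^{nk}."""
    rng = random.Random(seed)
    A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    leaves = [bin_vec([rng.randrange(Q) for _ in range(N)]) for _ in range(8)]
    return A, leaves


if __name__ == "__main__":
    A, leaves = toy_instance()
    u, levels = accumulate(A, leaves)
    w, j = witness(levels, 5)                 # d_5, as in the slide
    print("path bits (j_3, j_2, j_1) =", tuple(j))
    print("case-rule check:", verify_path(A, u, leaves[5], w, j))
    print("equation (1) check:", verify_path_linear(A, u, leaves[5], w, j))
```

The two verifiers agree by construction: for $j_{i+1} = 0$, $\mathrm{ext}(0, v)$ selects $A_0 \cdot v$ and $\mathrm{ext}(1, w)$ selects $A_1 \cdot w$, which is exactly the preimage of $h_A(v, w)$; for $j_{i+1} = 1$ the roles swap. The point of the linear form is that the bit $j_{i+1}$ no longer appears as a branch, only as a multiplier inside binary vectors, which is what lets one Stern-type argument cover every level of the path.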

  18-19. Developing Stern's Protocol
Now, the task is to prove in ZK the possession of $\{j_i, v_i, w_i\}_{i=1}^{\ell}$ s.t.
$$\forall i \in \{\ell-1, \ldots, 0\}: \quad A \cdot \mathrm{ext}(j_{i+1}, v_{i+1}) + A \cdot \mathrm{ext}(\bar{j}_{i+1}, w_{i+1}) = G \cdot v_i \bmod q. \qquad (1)$$
Stern's protocol [Stern'96]: Main ideas
Proving in ZK the possession of a binary vector $s$ with fixed Hamming weight $t$, s.t. $M \cdot s = u \bmod q$, for given $(M, u)$.
1 Proving the linear equation: show that $M \cdot (s + r) = u + M \cdot r \pmod q$, for random $r$.
2 Proving the constraint of $s$: show that $\pi(s)$ has weight $t$, for random $\pi$.
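The two ideas on slide 19 are the whole of the textbook Stern protocol: masking $s$ with a random $r$ lets the verifier check the linear relation on $s + r$, and a random permutation $\pi$ lets it check the weight of $\pi(s)$ without learning positions. The following added example (not the paper's extended protocol, and not code from its authors) runs one three-commitment round for a constructed toy statement $M \cdot s = u \bmod 8$; `com(...)` is a SHA-256 placeholder for the statistically hiding commitment the real protocol requires, and the nonces `rho` are what keep the committed values hidden.

```python
"""Stern-style zero-knowledge argument for a binary vector s of Hamming weight t
with M·s = u mod q, illustrating the two ideas on slide 19.  Added example in the
textbook three-commitment form, not the paper's extended protocol; M, s and q
are constructed toy values and com(.) is a hash placeholder for the
statistically hiding commitment the real protocol requires."""
import hashlib
import json
import random

Q = 8  # toy modulus


def matvec(M, x):
    """M · x mod q."""
    return [sum(a * b for a, b in zip(row, x)) % Q for row in M]


def permute(pi, x):
    """π(x): reorder the coordinates of x by the permutation pi."""
    return [x[pi[i]] for i in range(len(x))]


def com(*parts):
    """Commitment placeholder: SHA-256 over a canonical encoding; the last part is
    a fresh 128-bit nonce so the opening, not the digest, reveals the value."""
    return hashlib.sha256(json.dumps(parts).encode()).hexdigest()


def stern_commit(M, s, rng):
    """Prover's first move: mask s with random r, hide positions with random π."""
    m = len(s)
    r = [rng.randrange(Q) for _ in range(m)]
    pi = list(range(m))
    rng.shuffle(pi)
    rho = [rng.getrandbits(128) for _ in range(3)]
    y = [(a + b) % Q for a, b in zip(s, r)]            # y = s + r mod q
    c1 = com(pi, matvec(M, r), rho[0])                 # binds π and M·r
    c2 = com(permute(pi, r), rho[1])                   # binds π(r)
    c3 = com(permute(pi, y), rho[2])                   # binds π(s + r)
    return (c1, c2, c3), dict(s=s, r=r, pi=pi, rho=rho, y=y)


def stern_respond(st, ch):
    """Opening for challenge ch ∈ {1, 2, 3}; each opening leaves s hidden."""
    if ch == 1:
        return dict(pi=st["pi"], y=st["y"], rho1=st["rho"][0], rho3=st["rho"][2])
    if ch == 2:
        return dict(pi=st["pi"], r=st["r"], rho1=st["rho"][0], rho2=st["rho"][1])
    return dict(ps=permute(st["pi"], st["s"]), pr=permute(st["pi"], st["r"]),
                rho2=st["rho"][1], rho3=st["rho"][2])


def stern_verify(M, u, t, commits, ch, resp):
    """Verifier's check for one challenge."""
    c1, c2, c3 = commits
    if ch == 1:
        # idea 1: M·(s + r) = u + M·r, so M·y − u must equal the committed M·r
        Mr = [(a - b) % Q for a, b in zip(matvec(M, resp["y"]), u)]
        return (c1 == com(resp["pi"], Mr, resp["rho1"])
                and c3 == com(permute(resp["pi"], resp["y"]), resp["rho3"]))
    if ch == 2:
        return (c1 == com(resp["pi"], matvec(M, resp["r"]), resp["rho1"])
                and c2 == com(permute(resp["pi"], resp["r"]), resp["rho2"]))
    # idea 2: π(s) is binary of weight t, and π(s) + π(r) = π(s + r) opens c3
    ps, pr = resp["ps"], resp["pr"]
    weight_ok = all(x in (0, 1) for x in ps) and sum(ps) == t
    py = [(a + b) % Q for a, b in zip(ps, pr)]
    return weight_ok and c2 == com(pr, resp["rho2"]) and c3 == com(py, resp["rho3"])


def run_round(M, u, t, s, ch, seed=0):
    """One commit / challenge / respond / verify round; returns the verifier's verdict."""
    commits, st = stern_commit(M, s, random.Random(seed))
    return stern_verify(M, u, t, commits, ch, stern_respond(st, ch))


# constructed toy statement: M ∈ Z_8^{2×6}, s ∈ {0,1}^6 of weight 3, u = M·s
TOY_M = [[3, 1, 4, 1, 5, 2], [7, 0, 6, 2, 5, 3]]
TOY_S = [1, 0, 1, 1, 0, 0]
TOY_U = matvec(TOY_M, TOY_S)

if __name__ == "__main__":
    for ch in (1, 2, 3):
        print("challenge", ch, "accepted:", run_round(TOY_M, TOY_U, 3, TOY_S, ch, seed=ch))
```

Each challenge opens two of the three commitments, and no single opening contains $s$: challenge 1 reveals $s + r$, challenge 2 reveals $r$ alone, and challenge 3 reveals $\pi(s)$, which is a uniformly shuffled weight-$t$ vector. A prover who knows no valid $s$ can answer at most two of the three challenges consistently, so one round has soundness error $2/3$ and the round is repeated to drive it down. The paper's protocol replaces the plain weight check with constraints tailored to the $\mathrm{ext}(\cdot)$ vectors of equation (1).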
