Efficient Post-quantum SNARKs for RSIS and RLWE and Their Applications to Privacy

In this paper we give efficient statistical zero-knowledge proofs (SNARKs) for Module/Ring LWE and Module/Ring SIS relations, providing the remaining ingredient for building efficient cryptographic protocols from lattice-based hardness assumptions. We achieve our results by exploiting the linear-algebraic nature of the statements supported by the Aurora proof system (Ben-Sasson et al.), which allows us to easily and efficiently encode the linear-algebraic statements that arise in lattice schemes and to side-step the issue of “relaxed extractors”, meaning extractors that only recover a witness for a larger relation than the one for which completeness is guaranteed. We apply our approach to the example use case of partially dynamic group signatures and obtain a lattice-based group signature that protects users against corrupted issuers, and that produces signatures smaller than the state of the art, with signature sizes of less than 300 KB for the comparably secure version of the scheme. To obtain our argument size estimates for proof of knowledge of RLWE secret, we implemented the NIZK using libiop.
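To make the abstract's point concrete, the following is an added example (not code from the paper or from libiop) that encodes an RLWE relation b = a·s + e over Z_q[x]/(x^n + 1) as the R1CS rows that a proof system such as Aurora consumes; all function names and the toy parameters q = 257, n = 8 are my own choices, not the paper's.

```python
# Added example, not code from the paper or libiop: an RLWE relation
# b = a*s + e in R_q = Z_q[x]/(x^n + 1) with "small" s, e, written as R1CS
# rows (A.w)*(B.w) = C.w over Z_q, the statement form Aurora proves. Multiplying
# by the public a is a fixed negacyclic matrix, so the ring relation is linear
# in w; smallness binds each coefficient to m bits (range [-2^(m-1), 2^(m-1)-1]).
q, n = 257, 8   # toy parameters chosen for readability, not security (assumption)

def negacyclic_matrix(a):
    """M with M @ s == coefficients of a*s mod (x^n + 1), reduced mod q."""
    return [[a[i - j] % q if i >= j else -a[i - j + n] % q
             for j in range(n)] for i in range(n)]

def ring_mul_add(a, s, e):
    M = negacyclic_matrix(a)
    return [(sum(M[i][j] * s[j] for j in range(n)) + e[i]) % q for i in range(n)]

def rlwe_r1cs(a, b, m):
    """Rows (A, B, C) satisfied iff b = a*s + e and all coefficients of s, e lie
    in [-2^(m-1), 2^(m-1)-1]. w = [1 | s (n) | e (n) | bits of s | bits of e]."""
    M, L = negacyclic_matrix(a), 1 + 2 * n + 2 * n * m
    S, E, BS, BE = 1, 1 + n, 1 + 2 * n, 1 + 2 * n + n * m
    def vec(d):                      # sparse {index: coeff} -> dense row mod q
        r = [0] * L
        for k, v in d.items():
            r[k] = v % q
        return r
    one, zero, rows = vec({0: 1}), vec({}), []
    for i in range(n):               # (M s + e - b)_i * 1 == 0: linear in w
        d = {0: -b[i], E + i: 1, **{S + j: M[i][j] for j in range(n)}}
        rows.append((vec(d), one, zero))
    for base, bits in ((S, BS), (E, BE)):
        for i in range(n):           # coeff + 2^(m-1) == sum_k 2^k * bit_k
            d = {0: 2 ** (m - 1), base + i: 1}
            d.update({bits + i * m + k: -(2 ** k) for k in range(m)})
            rows.append((vec(d), one, zero))
            for k in range(m):       # bit * (bit - 1) == 0 forces bit in {0,1}
                idx = bits + i * m + k
                rows.append((vec({idx: 1}), vec({idx: 1, 0: -1}), zero))
    return rows   # since 2^m < q the bits pin each coefficient to one small value

def witness(s, e, m):
    """Honest witness in the layout above (s, e given as signed integers)."""
    w = [1] + [x % q for x in s] + [x % q for x in e]
    for x in s + e:
        w += [((x + 2 ** (m - 1)) >> k) & 1 for k in range(m)]
    return w

def satisfied(rows, w):
    dot = lambda r: sum(x * y for x, y in zip(r, w)) % q
    return all(dot(A) * dot(B) % q == dot(C) for A, B, C in rows)
```

Because the bit rows fix each coefficient to a unique representative below 2^m, a satisfying witness is exactly as small as the relation demands, which is the "no relaxed extractor" property the abstract refers to.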

[1] Vadim Lyubashevsky et al. Lattice Signatures Without Trapdoors, 2012, IACR Cryptol. ePrint Arch.

[2] Chris Peikert et al. On Ideal Lattices and Learning with Errors over Rings, 2010, JACM.

[3] Eli Ben-Sasson et al. Interactive Oracle Proofs, 2016, TCC.

[4] Mihir Bellare et al. Multi-signatures in the plain public-key model and a general forking lemma, 2006, CCS '06.

[5] W. Banaszczyk. New bounds in some transference theorems in the geometry of numbers, 1993.

[6] Vinod Vaikuntanathan et al. Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages, 2011, CRYPTO.

[7] Vadim Lyubashevsky et al. Lattice-Based Group Signatures and Zero-Knowledge Proofs of Automorphism Stability, 2018, IACR Cryptol. ePrint Arch.

[8] Damien Stehlé et al. Improved Zero-Knowledge Proofs of Knowledge for the ISIS Problem, and Applications, 2013, Public Key Cryptography.

[9] Eli Ben-Sasson et al. Aurora: Transparent Succinct Arguments for R1CS, 2019, IACR Cryptol. ePrint Arch.

[10] M. Robshaw et al. Faster Gaussian Sampling for Trapdoor Lattices with Arbitrary Modulus, 2018, IACR Cryptol. ePrint Arch.

[11] Erdem Alkim et al. Post-quantum Key Exchange - A New Hope, 2016, USENIX Security Symposium.

[12] Jan Camenisch et al. Floppy-Sized Group Signatures from Lattices, 2018, IACR Cryptol. ePrint Arch.

[13] Mihir Bellare et al. Foundations of Group Signatures: The Case of Dynamic Groups, 2005, CT-RSA.

[14] Damien Stehlé et al. Worst-case to average-case reductions for module lattices, 2014, Designs, Codes and Cryptography.

[15] Jan Camenisch et al. Relaxed Lattice-Based Signatures with Short Zero-Knowledge Proofs, 2018, IACR Cryptol. ePrint Arch.

[16] Jens Groth et al. Sub-Linear Lattice-Based Zero-Knowledge Arguments for Arithmetic Circuits, 2018, IACR Cryptol. ePrint Arch.

[17] Gregory Neven et al. One-Shot Verifiable Encryption from Lattices, 2017, EUROCRYPT.

[18] Xavier Boyen et al. Lattice Mixing and Vanishing Trapdoors: A Framework for Fully Secure Short Signatures and more, 2010.

[19] Chris Peikert et al. Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller, 2012, IACR Cryptol. ePrint Arch.

[20] Véronique Cortier et al. SoK: A Comprehensive Analysis of Game-Based Ballot Privacy Definitions, 2015, IEEE Symposium on Security and Privacy.

[21] Shuichi Katsumata et al. Group Signatures without NIZK: From Lattices in the Standard Model, 2019, IACR Cryptol. ePrint Arch.

[22] Chris Peikert et al. Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices, 2006, TCC.

[23] Daniele Micciancio et al. Generalized Compact Knapsacks Are Collision Resistant, 2006, ICALP.

[24] Daniele Micciancio. Lattice-Based Cryptography, 2011, Encyclopedia of Cryptography and Security.

[25] Jan Camenisch et al. An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation, 2001, IACR Cryptol. ePrint Arch.

[26] Huaxiong Wang et al. Lattice-Based Zero-Knowledge Arguments for Integer Relations, 2018, CRYPTO.

[27] Moni Naor et al. Public-key cryptosystems provably secure against chosen ciphertext attacks, 1990, STOC '90.

[28] Yael Tauman Kalai et al. Improved Online/Offline Signature Schemes, 2001, CRYPTO.

[29] Daniele Micciancio et al. Generalized Compact Knapsacks, Cyclic Lattices, and Efficient One-Way Functions, 2002, 43rd Annual IEEE Symposium on Foundations of Computer Science (FOCS 2002).

[30] J. Tukey et al. An algorithm for the machine calculation of complex Fourier series, 1965.

[31] Oded Regev et al. Lattice-Based Cryptography, 2006, CRYPTO.

[32] David Chaum et al. Security without identification: transaction systems to make big brother obsolete, 1985, CACM.

[33] Rosario Gennaro et al. Lattice-Based zk-SNARKs from Square Span Programs, 2018, IACR Cryptol. ePrint Arch.

[34] Mihir Bellare et al. Foundations of Group Signatures: Formal Definitions, Simplified Requirements, and a Construction Based on General Assumptions, 2003, EUROCRYPT.

[35] Chris Peikert et al. SWIFFT: A Modest Proposal for FFT Hashing, 2008, FSE.

[36] Peter Manohar et al. Succinct Arguments in the Quantum Random Oracle Model, 2019, IACR Cryptol. ePrint Arch.

[37] Chris Peikert et al. A Toolkit for Ring-LWE Cryptography, 2013, IACR Cryptol. ePrint Arch.

[38] David Chaum et al. Group Signatures, 1991, EUROCRYPT.

[39] Silvio Micali et al. The knowledge complexity of interactive proof-systems, 1985, STOC '85.

[40] Amit Sahai et al. Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security, 1999, 40th Annual Symposium on Foundations of Computer Science (FOCS 1999).