Compact Ring Signatures from Learning With Errors

Ring signatures allow a user to sign a message on behalf of a “ring” of signers, while hiding the true identity of the signer. As the degree of anonymity guaranteed by a ring signature is directly proportional to the size of the ring, an important goal in cryptography is to study constructions that minimize the size of the signature as a function of the number of ring members. In this work, we present the first compact ring signature scheme (i.e., where the size of the signature grows logarithmically with the size of the ring) from the (plain) learning with errors (LWE) problem. The construction is in the standard model and it does not rely on a common random string or on the random oracle heuristic. In contrast with the prior work of Backes et al. [EUROCRYPT’2019], our scheme does not rely on bilinear pairings, which allows us to show that the scheme is post-quantum secure assuming the quantum hardness of LWE. At the heart of our scheme is a new construction of compact and statistically witness indistinguishable ZAP arguments for NP ∩ coNP, that we show to be sound based on the plain LWE assumption. Prior to our work, statistical ZAPs (for all of NP) were known to exist only assuming sub-exponential LWE. We believe that this scheme might find further applications in the future.

Author affiliations:

Stony Brook University. Email: rochatterjee@cs.stonybrook.edu
University of California, Berkeley and NTT Research. Email: sanjamg@berkeley.edu
University of Waterloo. Email: mdhajiabadi@gmail.com
University of Illinois Urbana-Champaign. Email: dakshita@illinois.edu
Stony Brook University. Email: liang1@cs.stonybrook.edu
Max Planck Institute for Security and Privacy. Email: giulio.malavolta@hotmail.it
Stony Brook University. Email: omkant@cs.stonybrook.edu
University of California Berkeley and Stony Brook University. Email: shiayan@umich.edu
