Abstract
While basic lattice-based primitives like encryption and digital signature schemes already have fairly short outputs, more advanced privacy-preserving protocols (e.g. group signatures) that are believed to be post-quantum secure have outputs of at least several hundred kilobytes. In this paper, we propose a framework for building privacy protocols with significantly smaller parameter sizes whose secrecy is based on post-quantum assumptions, but whose soundness additionally assumes that some classical assumption, e.g. the discrete logarithm problem (DLP), is hard to break within a short amount of time.
The main ingredients of our constructions are statistical zero-knowledge proofs of knowledge for certain relations, whose soundness relies on the hardness of solving the discrete logarithm problem for a fresh DLP instance per proof. This notion has recently been described by the term quantum annoyance. Using such proofs, while also enforcing that they be completed in a fixed amount of time, we then show how to construct privacy-preserving primitives such as (dynamic) group signatures and DAA schemes, where soundness is based on the hardness of the “timed” discrete logarithm problem and SIS. The outputs of our schemes are significantly shorter (\({\approx }30\times\)) than those of purely lattice-based schemes.
A. Lehmann: work done while at IBM Research – Zurich.
Notes
1. If the user wants to sign a message, then he transforms the interactive authentication protocol into a non-interactive one via the Fiat-Shamir framework and uses the message to create the challenge.
2. We will use multiplicative notation for discrete log.
3. A shifted lattice is a lattice shifted by some vector v. Note that a shifted lattice does not have the property that the sum of any two vectors is in the shifted lattice.
References
1. STARK-friendly hash challenge (2019). https://starkware.co/hash-challenge/
2. Albrecht, M.R., et al.: Feistel structures for MPC, and more. Cryptology ePrint Archive, Report 2019/397 (2019). https://eprint.iacr.org/2019/397
3. Albrecht, M., Grassi, L., Rechberger, C., Roy, A., Tiessen, T.: MiMC: efficient encryption and cryptographic hashing with minimal multiplicative complexity. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 191–219. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_7
4. Aly, A., Ashur, T., Ben-Sasson, E., Dhooghe, S., Szepieniec, A.: Design of symmetric-key primitives for advanced cryptographic protocols. Cryptology ePrint Archive, Report 2019/426 (2019). https://eprint.iacr.org/2019/426
5. Bellare, M., Micciancio, D., Warinschi, B.: Foundations of group signatures: formal definitions, simplified requirements, and a construction based on general assumptions. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 614–629. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_38
6. Bellare, M., Shi, H., Zhang, C.: Foundations of group signatures: the case of dynamic groups. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 136–153. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30574-3_11
7. Ben-Sasson, E.: Stark-friendly hash (2019). https://medium.com/starkware/stark-friendly-hash-tire-kicking-8087e8d9a246
8. Benhamouda, F., Camenisch, J., Krenn, S., Lyubashevsky, V., Neven, G.: Better zero-knowledge proofs for lattice encryption and their application to group signatures. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 551–572. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_29
9. Bernstein, D.J., Chuengsatiansup, C., Lange, T., van Vredendaal, C.: NTRU prime: reducing attack surface at low cost. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 235–260. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-72565-9_12
10. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_11
11. Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_3
12. Bootle, J., Cerulli, A., Chaidos, P., Groth, J., Petit, C.: Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 327–357. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_12
13. Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: IEEE Symposium on Security and Privacy, SP, pp. 315–334 (2018)
14. Camenisch, J., Lysyanskaya, A.: A signature scheme with efficient protocols. In: Cimato, S., Persiano, G., Galdi, C. (eds.) SCN 2002. LNCS, vol. 2576, pp. 268–289. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36413-7_20
15. Chaabouni, R., Lipmaa, H., Shelat, A.: Additive combinatorics and discrete logarithm based range protocols. In: Steinfeld, R., Hawkes, P. (eds.) ACISP 2010. LNCS, vol. 6168, pp. 336–351. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14081-5_21
16. del Pino, R., Lyubashevsky, V., Seiler, G.: Lattice-based group signatures and zero-knowledge proofs of automorphism stability. In: CCS, pp. 574–591 (2018)
17. del Pino, R., Lyubashevsky, V., Seiler, G.: Short discrete log proofs for FHE and ring-LWE ciphertexts. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11442, pp. 344–373. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17253-4_12
18. Derler, D., Slamanig, D.: Highly-efficient fully-anonymous dynamic group signatures. In: AsiaCCS, pp. 551–565 (2018)
19. Ducas, L., Lyubashevsky, V., Prest, T.: Efficient identity-based encryption over NTRU lattices. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 22–41. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_2
20. Ducas, L., Prest, T.: Fast Fourier orthogonalization. In: ISSAC, pp. 191–198 (2016)
21. Esgin, M.F., Zhao, R.K., Steinfeld, R., Liu, J.K., Liu, D.: MatRiCT: efficient, scalable and post-quantum blockchain confidential transactions protocol. In: CCS, pp. 567–584. ACM (2019)
22. De Feo, L., Masson, S., Petit, C., Sanso, A.: Verifiable delay functions from supersingular isogenies and pairings. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 248–277. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_10
23. Fowler, A.G., Mariantoni, M., Martinis, J.M., Cleland, A.N.: Surface codes: towards practical large-scale quantum computation. Phys. Rev. A 86, 032324 (2012)
24. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC, pp. 197–206 (2008)
25. Gidney, C.: Why will quantum computers be slow? (2018). http://algassert.com/post/1800. Accessed 22 Feb 2020
26. Grassi, L., Kales, D., Khovratovich, D., Roy, A., Rechberger, C., Schofnegger, M.: Starkad and Poseidon: new hash functions for zero knowledge proof systems. Cryptology ePrint Archive, Report 2019/458 (2019). https://eprint.iacr.org/2019/458
27. Hoffstein, J., Howgrave-Graham, N., Pipher, J., Silverman, J.H., Whyte, W.: NTRUSign: digital signatures using the NTRU lattice. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 122–140. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36563-X_9
28. Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054868
29. Lekitsch, B., et al.: Blueprint for a microwave trapped ion quantum computer. Sci. Adv. 3(2), e1601540 (2017)
30. Ling, S., Nguyen, K., Stehlé, D., Wang, H.: Improved zero-knowledge proofs of knowledge for the ISIS problem, and applications. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 107–124. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_8
31. Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_43
32. Lyubashevsky, V., Micciancio, D.: Generalized compact knapsacks are collision resistant. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006, Part II. LNCS, vol. 4052, pp. 144–155. Springer, Heidelberg (2006). https://doi.org/10.1007/11787006_13
33. Peikert, C., Rosen, A.: Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 145–166. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_8
34. Pointcheval, D., Sanders, O.: Short randomizable signatures. In: Sako, K. (ed.) CT-RSA 2016. LNCS, vol. 9610, pp. 111–126. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29485-8_7
35. Prest, T., et al.: FALCON. Technical report, National Institute of Standards and Technology (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions
36. Schanck, J.M.: Security estimator for lattice based cryptosystems (2019). https://github.com/jschanck/estimator
37. Stern, J.: A new identification scheme based on syndrome decoding. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 13–21. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_2
Acknowledgements
This work was supported by the SNSF ERC starting transfer grant FELICITY and the EU Horizon 2020 project FutureTPM (No. 779391).
Appendices
A Lattice-Based ZKP for Relation 6
Below we provide the prover and verifier algorithms for relation 6 adapted from [8].
If \(R_q=\mathbb {Z}_q[X]/(X^d+1)\), then we define the set \(\mathcal {M}=\{0,\pm x^i \mid 0\le i<d\}\). The size of \(\mathcal {M}\) is \(2d+1\). We also define a parameter \(\lambda \) which controls the soundness error of the proof. The soundness error will be \(|\mathcal {M}|^{-\lambda }\approx d^{-\lambda -1}\). For example, if \(d=2048\), then to get the soundness error to be less than \(2^{-128}\), we need to set \(\lambda =11\).
The proof in Algorithm 7 uses Gaussian-based rejection sampling; by [31, Theorem 4.6] it can be shown to be zero-knowledge and to require 3 iterations on average. If \(|\mathcal {M}|^\lambda >2^{128}\), then a prover succeeding with probability greater than \({\approx }2^{-128}\) can be rewound to produce two solutions \(\varvec{A}\varvec{z}_i = \varvec{w}_i+c_i\varvec{t}\) and \(\varvec{A}\varvec{z}_i' = \varvec{w}_i+c_i'\varvec{t}\) for distinct \(c_i\in \mathcal {M}\). These can be combined to form the solution
By [8, Lemma 3.1], we know that for \(c_i\ne c_i'\in \mathcal {M}\), the quotient \(2/(c_i-c_i')\) is a polynomial with coefficients in \(\{-1,0,1\}\) and therefore has \(\ell _2\)-norm at most \(\sqrt{d}\). The parameters for the size of \(\bar{\varvec{s}}\) in (6) then follow from the parameters in Algorithms 7 and 8.
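As an added worked example (this is not code from the paper or from [8]), the following Python checks the quotient claim computationally in a toy instance of \(R_q\): for every ordered pair of distinct challenges in \(\mathcal {M}\) it builds \(2/(c_i-c_i')\) from the identity \((x^k-1)(1+x^k+\dots +x^{(t-1)k})=-2\) (with \(t=d/2^a\) for \(2^a\) the largest power of two dividing \(k\)), verifies that the product really is 2 in the ring, and measures the \(\ell _2\)-norm. Two details a practitioner will want to see: when both challenges are non-zero monomials the quotient has coefficients in \(\{-1,0,1\}\), and when one challenge is 0 the quotient is \(\pm 2\) times a monomial, whose norm 2 still lies within the \(\sqrt{d}\) bound for \(d\ge 4\). The block also carries out the rewinding combination for a single ring element \(A\), giving \(A\bar{s}=2t\). The values `D = 8`, `Q = 17` and the test vectors are constructed toy parameters, and every function name is this example's own.

```python
import math

D, Q = 8, 17   # constructed toy parameters; the appendix uses d = 2048 and a large q


def ring_mul(a, b, d=D, q=Q):
    """Schoolbook product in Z_q[X]/(X^d + 1); x^d wraps around to -1."""
    res = [0] * d
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            if bj == 0:
                continue
            k, v = i + j, ai * bj
            if k >= d:
                k, v = k - d, -v
            res[k] = (res[k] + v) % q
    return res


def centered(a, q=Q):
    """Coefficients as representatives in (-q/2, q/2], so that norms are meaningful."""
    return [((x + q // 2) % q) - q // 2 for x in a]


def monomial(e, coeff=1, d=D, q=Q):
    """coeff * x^e with the exponent taken mod 2d: since x^d = -1, exponents in
    [d, 2d) denote the negated monomial.  Challenges are encoded this way below:
    c = x^e for e in [0, 2d) covers all of +-x^i, and None stands for c = 0."""
    e %= 2 * d
    poly = [0] * d
    poly[e % d] = (-coeff if e >= d else coeff) % q
    return poly


def challenge_poly(c):
    return [0] * D if c is None else monomial(c)


def quotient(c, c2):
    """Return u with (c - c2) * u == 2 in R_q for distinct challenges c, c2."""
    assert c != c2
    if c is None:                       # 0 - x^e2 = x^(e2+d): quotient is 2 * x^-(e2+d)
        return monomial(-(c2 + D), coeff=2)
    if c2 is None:                      # x^e1 - 0: quotient is 2 * x^-e1
        return monomial(-c, coeff=2)
    # x^e1 - x^e2 = -x^e1 (x^k - 1) with k = e2 - e1.  With 2^a the largest power of two
    # dividing k and t = d / 2^a we have x^(tk) = -1, hence
    # (x^k - 1)(1 + x^k + ... + x^((t-1)k)) = -2 and 2/(x^e1 - x^e2) = x^-e1 (1 + x^k + ...).
    k = (c2 - c) % (2 * D)
    a = (k & -k).bit_length() - 1
    t = D >> a
    geometric = [0] * D
    for j in range(t):
        geometric = [(x + y) % Q for x, y in zip(geometric, monomial(j * k))]
    return ring_mul(monomial(-c), geometric)


def l2_norm(poly):
    return math.sqrt(sum(v * v for v in centered(poly)))


def check_all_pairs():
    """Verify (c - c2) * quotient(c, c2) == 2 for every ordered pair of distinct
    challenges in M = {0, +-x^i}; return the largest l2-norm of any quotient,
    which must not exceed sqrt(d)."""
    two = [2 % Q] + [0] * (D - 1)
    challenges = [None] + list(range(2 * D))
    worst = 0.0
    for c in challenges:
        for c2 in challenges:
            if c == c2:
                continue
            u = quotient(c, c2)
            diff = [(x - y) % Q for x, y in zip(challenge_poly(c), challenge_poly(c2))]
            assert ring_mul(diff, u) == two, (c, c2)
            worst = max(worst, l2_norm(u))
    assert worst <= math.sqrt(D)
    return worst


def extract(A, z, z2, c, c2):
    """Rewinding step for one ring element A: from A z = w + c t and A z2 = w + c2 t
    (same w) we get A (z - z2) = (c - c2) t; multiplying by 2/(c - c2) yields
    s_bar with A s_bar = 2 t."""
    diff_z = [(x - y) % Q for x, y in zip(z, z2)]
    return ring_mul(diff_z, quotient(c, c2))
```

Running `check_all_pairs()` for `D = 8` returns exactly \(\sqrt{8}\): for odd \(k\) the geometric sum has \(t=d\) non-cancelling terms, which is the worst case the bound allows.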
B Hash Functions with Efficient Proofs
In our group signature and DAA scheme, we need to use a hash function that allows for efficient zero-knowledge proofs that a hash was correctly computed and that the prover knows a pre-image of the hash value. We will use zero-knowledge proofs based on the discrete logarithm assumption, which naturally lend themselves to proving statements over fields of large prime order. Therefore, we would like to use a hash-function built around arithmetic over such fields.
The MiMC Hash Function Family. MiMC [3] is a family of hash functions designed with precisely this in mind. MiMC hash functions are based on the sponge construction [10]. The construction works by cubing the input over the field, adding randomly chosen constant values, and repeating the process many times.
For fixed input size, output size, and security level, the MiMC family includes a range of hash functions with a trade-off between the size of the prime field used and the number of multiplication gates in a circuit which verifies correct computation of the hash function. Later, in our choice of zero-knowledge proof system, we will see that for every multiplication in the circuit, the prover must perform some exponentiations over a cryptographic group. Therefore, in the two cases below, we have carefully selected the parameters of the MiMC hash functions in order to minimise the computational burden on the prover. To specify a MiMC hash function, one must give the desired security level and the ‘rate’ of the round function, which determines the prime field to be used.
As part of our schemes, we will use a pre-image resistant function (later referred to as \(F_{R_{+}}\)) to protect the user’s secret key. We instantiate this function with a MiMC hash function with an input length of 256 bits and an output length of 1,024 bits. The circuit used to prove knowledge of a hash pre-image has 60,192 multiplication gates. We will also use a hash function, modelled as a random oracle, which maps the output of the previous function onto a ring element from \(\mathbb {Z}_q[X]/(X^d+1)\). In this case, we use a MiMC hash function with an input length of 1,024 bits and an output length of 14,336 bits. For the new, larger input and output sizes, the circuit used to prove knowledge of a hash pre-image has 831,577 multiplication gates.
In both cases, we use MiMC hash functions with capacity 512 and a 521-bit prime. This choice of parameters comes from our requirement that the hash function have 256 bits of classical security and therefore 128 bits of quantum security against collision-finding attacks. For 256 bits of classical security, the internal workings of the hash function force us to use a prime of at least 512 bits. Hence, we use a 521-bit prime so that we can use a standardised NIST elliptic curve, for which we expect highly optimised implementations of curve operations compared with unstandardised curves.
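To make the round structure and the gate accounting concrete, here is an added toy implementation (not the MiMC specification and not the paper's instance): a sponge with rate 1 and capacity 1 whose state permutation is a Feistel network with the cube-plus-round-constant round function, together with a counter for the multiplication gates a verification circuit would need. Each round cubes one branch, which costs exactly two multiplications (square, then multiply), so the preimage circuit for one permutation call costs `2 * ROUNDS` gates; the inverse permutation is included only to show that the state map is a bijection, as the sponge indifferentiability result of [10] requires. The prime `P`, the round count, the seed for the constants and all function names are constructed for this example and far too small for any real security level.

```python
import hashlib

P = 10**9 + 7          # constructed toy prime; the paper uses a 521-bit prime
ROUNDS = 8             # constructed toy round count; real instances use many more rounds
STATE_WIDTH = 2        # rate 1 + capacity 1 field elements


def derive_constants(n, seed=b"toy-mimc-constants"):
    """Public round constants derived from a fixed seed (a nothing-up-my-sleeve
    derivation; the seed string is this example's own)."""
    return [int.from_bytes(hashlib.sha256(seed + i.to_bytes(4, "big")).digest(), "big") % P
            for i in range(n)]


CONSTANTS = derive_constants(ROUNDS)


class GateCounter:
    """Counts the multiplication gates of a circuit verifying the computation;
    additions and constant offsets are free in the proof systems discussed above."""
    def __init__(self):
        self.mul = 0


def cube(x, ctr):
    ctr.mul += 2                       # x*x, then (x*x)*x
    return x * x * x % P


def permute(state, ctr):
    """Feistel pass: (l, r) -> (r + (l + c)^3, l) in every round.  A Feistel
    network is a bijection on F_p^2 whatever the round function is."""
    l, r = state
    for c in CONSTANTS:
        l, r = (r + cube((l + c) % P, ctr)) % P, l
    return [l, r]


def unpermute(state, ctr):
    """Inverse of permute(); only here to demonstrate that the map is a permutation."""
    l, r = state
    for c in reversed(CONSTANTS):
        l, r = r, (l - cube((r + c) % P, ctr)) % P
    return [l, r]


def pad(blocks):
    """Field-element analogue of 10* padding: append the element 1 (rate is 1),
    which is injective because the input length is recovered by dropping it."""
    return list(blocks) + [1]


def sponge_hash(blocks, out_len=1):
    """Absorb field elements into the rate position, permute after each, then
    squeeze out_len elements.  Returns (digest, multiplication gate count)."""
    ctr = GateCounter()
    state = [0] * STATE_WIDTH
    for block in pad(blocks):
        assert 0 <= block < P
        state[0] = (state[0] + block) % P
        state = permute(state, ctr)
    out = [state[0]]
    while len(out) < out_len:
        state = permute(state, ctr)
        out.append(state[0])
    return out, ctr.mul


def preimage_circuit_gates(input_blocks, out_len=1):
    """Multiplication gates needed to prove knowledge of a preimage of this shape:
    one permutation call per padded input block plus one per extra output block."""
    perm_calls = len(pad([0] * input_blocks)) + (out_len - 1)
    return perm_calls * ROUNDS * 2
```

The gate count is what drives proof cost in the discrete-log proof systems used later: halving the rounds or the number of absorbed blocks halves the exponentiations the prover has to perform, which is the trade-off the text describes.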
C Quantum Annoying and Timed ZKPs
The core observation behind our timed ZKPs is that while certain hard problems, such as the discrete logarithm problem, can be solved in polynomial time by (sufficiently large) quantum computers, solving them will most likely not be instantaneous, or will at least be prohibitively expensive. Thus, forcing the adversary to solve a fresh DLP instance for each proof might render the attack infeasible.
This property has recently been described as quantum annoyance [22] and formalized through a two-stage adversary. Roughly, in an offline pre-computation phase the adversary is granted full quantum power, but it is restricted to being classical when it turns to the online phase.
We now apply this concept to zero-knowledge proofs; more precisely, we consider ZKPs for generalized statements following the form of Eq. (7) of the proof system recently introduced in [17]. The proof system uses a CRS made up of random group elements \(g_1,\ldots ,g_{n}\) and, assuming the DL problem is hard, it allows one to prove knowledge of a witness for various NP statements. For example, what the protocol of [17] actually proves is that the prover knows a SIS solution \(\mathbf {s}\) or a non-trivial discrete logarithm relation between \(g_1,\ldots ,g_{n}\). Generalizing this idea, we consider proofs of the form \(\mathsf {ZKP}\{(w): (x_q,w) \in \mathcal {R}_q ~\vee ~ (x_c,w) \in \mathcal {R}_c\}\), where \(\mathcal {R}\) denotes an NP relation and w is a witness for a statement x if \((x,w)\in \mathcal {R}\).
In this plain form, the soundness of the proof relies on the weaker of the two relations, i.e., on the DL assumption in the case of [17], even though it also proves a lattice relation. We can transform the proof into a quantum-annoying (and later timed) version by simply letting the verifier freshly choose \(x_c\) (i.e., the \(g_i\) in our concrete scheme) when the proof starts.
Let be a generator that produces a random instance \(x \in \mathcal {L}\) for security parameter \({1^{\lambda }}\) and language \(\mathcal {L}=\{x \ \vert \ \exists w: (x,w) \in \mathcal {R}\}\). We can then formulate quantum-annoying soundness for an interactive proof protocol \((\mathcal {P}, \mathcal {V})\) for statements \((x_q,w) \in \mathcal {R}_q ~\vee ~ (x_c,w) \in \mathcal {R}_c\) as follows: For any efficient adversary \((\mathcal {A}_1, \mathcal {A}_2)\)—where \(\mathcal {A}_1\) is quantum, and \(\mathcal {A}_2\) is classical—running the following game
1. sample random
2.
3. sample random
4. where \(\mathsf {Pr}\left[ \langle \mathcal {A}_2(\mathsf {st}, x_q,x_c), \mathcal {V}(x_q,x_c)\rangle =1\right] > \epsilon \),

there exists an efficient extractor \(\mathcal {E}\) with rewindable black-box access to \(\mathcal {A}_2\) that outputs w s.t. \((x_q,w) \in \mathcal {R}_q \vee (x_c,w) \in \mathcal {R}_c\) with probability \(\ge \epsilon /\mathsf {poly}({1^{\lambda }})\).
Generally, the online adversary \(\mathcal {A}_2\) can be seen as a resource-restricted adversary that cannot break the classical problem. While quantum-annoyance models the resource restriction by simply limiting \(\mathcal {A}_2\) to be classical, we can also be more generous and give \(\mathcal {A}_2\) quantum power, yet restrict its running time.
That is, the verifier only accepts a proof when the prover correctly responds within some fixed short time \(\varDelta \). The soundness of our ZKP then even holds against a full quantum adversary under the additional assumption that the problem \(\mathcal {R}_c\) is hard to solve within a short amount of time. We will refer to such an assumption as \(\varDelta \)-hardness.
Note that there are subtle constraints on how to choose the time \(\varDelta \) for a concrete ZKP instantiation based on a \(\varDelta '\)-hard problem. For satisfying completeness, \(\varDelta \) must be chosen large enough, such that honest provers can still complete the proof (for \(\mathcal {L}_q\)) in time. For soundness, \(\varDelta \) depends on the loss in the reduction, i.e., the running time of the extractor that will be used to break the \(\varDelta '\)-hard problem needs to be taken into account. We leave a more formal treatment of these relations as interesting future work.
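The two-phase game and the effect of a fresh instance plus a deadline \(\varDelta \) can be simulated in a few lines. The following Python is an added toy model, not the paper's protocol: the classical relation \(\mathcal {R}_c\) is replaced by a Pedersen-style commitment whose binding rests on the discrete logarithm between two generators being unknown, so an adversary who learns that logarithm can open one commitment to two values. With a fixed CRS the logarithm can be precomputed offline (off the clock); with a generator sampled by the verifier when the proof starts, the adversary has to solve a new DLP inside the \(\varDelta \) window, and the simulation charges a configurable cost per discrete-log step to a simulated clock. The group (`P = 2039`, `Q = 1019`, `G = 4`), the step cost and all names are constructed for this example; the group is tiny only so that the "solve the DLP" step can literally be executed, and brute force stands in for whatever solver the adversary has.

```python
import secrets
import time

# Constructed toy group: P = 2*Q + 1 with P, Q prime; G = 4 generates the order-Q subgroup.
P, Q, G = 2039, 1019, 4


def fresh_generator():
    """A random element of the order-Q subgroup with no known discrete log to G:
    squaring a random element lands in the subgroup without revealing an exponent."""
    while True:
        h = pow(secrets.randbelow(P - 2) + 2, 2, P)
        if h != 1:
            return h


def commit(m, r, h):
    """Pedersen commitment G^m * h^r mod P; binding rests on log_G(h) being unknown."""
    return pow(G, m, P) * pow(h, r, P) % P


def equivocate(m, r, m2, trapdoor):
    """With t = log_G(h) known, open commit(m, r, h) to m2 instead:
    G^m2 h^r2 = G^(m2 + t r2), so pick r2 with m2 + t r2 = m + t r (mod Q)."""
    r2 = (r + (m - m2) * pow(trapdoor, -1, Q)) % Q
    return m2, r2


def brute_force_dlog(h):
    """Exhaustive search for log_G(h); stands in for the adversary's DLP solver.
    Returns (exponent, steps) so that the game can charge a cost per step."""
    x, acc = 0, 1
    while acc != h:
        acc, x = acc * G % P, x + 1
    return x, x


class SimClock:
    """Deterministic clock for the simulation; a real verifier uses time.monotonic."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class TimedVerifier:
    """Online-phase verifier: a fresh instance per proof and a deadline of delta seconds."""
    def __init__(self, delta, clock=time.monotonic):
        self.delta, self.clock = delta, clock

    def start(self, crs_h=None):
        self.h = fresh_generator() if crs_h is None else crs_h   # the fresh x_c
        self.t0 = self.clock()
        return self.h

    def accept_opening(self, commitment, m, r):
        on_time = self.clock() - self.t0 <= self.delta
        return on_time and commit(m, r, self.h) == commitment


def adversary_game(delta, dlog_step_cost, fresh_instance=True):
    """Two-phase game against a prover that tries to open a commitment two ways.
    fresh_instance=True: h is sampled when the proof starts, so the DLP must be solved
    inside the delta window and its cost is charged to the clock.
    fresh_instance=False: h is a fixed CRS element whose log was precomputed offline.
    Returns True if the verifier accepts the second opening."""
    clock = SimClock()
    verifier = TimedVerifier(delta, clock)
    if fresh_instance:
        h = verifier.start()
        trapdoor, steps = brute_force_dlog(h)
        clock.now += steps * dlog_step_cost
    else:
        crs_h = pow(G, 123, P)                      # constructed fixed CRS element
        trapdoor, _ = brute_force_dlog(crs_h)       # offline phase: unlimited time
        h = verifier.start(crs_h)
    m, r = 42, secrets.randbelow(Q)
    c = commit(m, r, h)
    m2, r2 = equivocate(m, r, 7, trapdoor)
    assert commit(m2, r2, h) == c                   # the equivocation itself always works
    return verifier.accept_opening(c, m2, r2)
```

The third outcome worth running is `adversary_game(0.5, 0.0)`: when solving the fresh instance costs nothing, the deadline no longer helps, which is exactly the \(\varDelta \)-hardness assumption the text makes explicit.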
D Zero-Knowledge Proofs for Group Signature Algorithms
In this section, we explain how to give the zero-knowledge proofs for the group signature algorithms of Sect. 4 in terms of the proof systems of [17] for SIS relations and [13] for more complicated relations with less special structure available.
Both proof systems rely on the discrete logarithm assumption.
Definition 1 (Discrete Log Relation)
For all PPT adversaries \(\mathcal {A}\) and for all \(n\ge 2\) there exists a negligible function \(\mu (\lambda )\) such that
For \(n \ge 2\), this is equivalent to the discrete logarithm assumption.
Sign: A zero-knowledge proof of the following statement is computed:
The conditions in this relation can be rewritten as follows, with appropriate size bounds on different elements. Set \(k = F_{R_{\pm }}(\rho )\) and \(l = H_{R_q}(k)\).
We prove the necessary conditions as follows. We use the proof system of [17] to give a zero-knowledge proof for the first linear equation, which has an infinity norm bound of 1 on \(e_1,e_2, e_1',e_2'\) and k. The size of this proof is roughly 76 group elements and 6 field elements for the parameters that we have chosen. We also use the same proof system from [17] to give a zero-knowledge proof for the second linear equation, with an infinity norm bound of q on \(s_1,s_2\) and l.
The remaining conditions that we have to check are the conditions \(k = F_{R_{\pm }}(\rho )\), \(l = H_{R_q}(k)\), and the fact that the \(\ell _2\)-norms of \(s_1\) and \(s_2\) are bounded by \(1.5\sigma \sqrt{d}\). We use the proof system of [13] to achieve this. This proof system works with general arithmetic circuits. The number of multiplication gates in the circuit required to prove these conditions is the sum of the sizes of the circuits for \(F_{R_{\pm }}\) and \(H_{R_q}\), plus roughly 2096 extra multiplications which are used for checking that the norms of \(s_1\) and \(s_2\) are bounded correctly. The extra multiplication gates compute the squares of the \(\ell _2\) norms of each of \(s_1\) and \(s_2\), using 2048 multiplications, check that roughly 48 values are bits by checking that multiplying each of them with its complement gives zero, and then show that the squares of the \(\ell _2\) norms are represented by these binary values, so that the norms must be in the correct range. Since we have already used the proof system [17] to check that the infinity norms of \(s_1\) and \(s_2\) are bounded, and we work over a prime field with a much larger modulus than the base ring of \(s_1\) and \(s_2\), we need not worry about overflow when computing the squares of the \(\ell _2\) norms. We give zero-knowledge proofs of arithmetic circuit satisfiability and prove all of these things using a single proof from [13]. This proof contributes 48 group elements and 5 finite field elements.
In order to use these proof systems, and be sure that certain secret values are consistent across the different proofs, we need to make some adjustments. The first tweak is to split some of the long commitments made in the protocols into several parts, to allow values to be shared between the two proof systems. This is described in the full version. Separate commitments to k and \(s_1,s_2,l\) allow these values to be shared between the first two proofs for linear relations and the third proof for non-linear relations.
The second tweak is to modify the protocol of [17] so that it works even if we are proving that the entries of the secret vector lie in an interval whose width is not a power of 2. This is easily achieved using techniques from [15]. The idea is that a binary expansion of the form \(\sum _i x_i 2^i\) uniquely expresses every integer in a given interval whose width is a power of 2, but if we change the powers of two in the expression to other values, we can obtain (possibly non-unique) binary expansions for other intervals which suffice for the purpose of giving range proofs. This change has no impact on proof size.
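The two circuit-level tricks just described, the weighted binary expansion for an interval whose width is not a power of two and the square-and-bit-decompose pattern for the \(\ell _2\)-norm bound, are combined in the following added Python example (this is this editor's illustration, not code from the paper, from [13], [15] or [17]). `range_weights` uses the construction from [15] of weights \(w_i=\lfloor (H+2^i)/2^{i+1}\rfloor \), whose subset sums are exactly \(0,\dots ,H\) and which collapse to plain powers of two when \(H+1\) is a power of two; `norm_check_constraints` emulates the norm circuit and counts its multiplication gates the way the text does (one per coefficient for the squares, one per bit for the \(b(1-b)=0\) check, the tying linear relation free), so that for 2048 coefficients and a 48-bit squared bound it reports 2096 gates. Using the weighted expansion for the norm bits goes slightly beyond the text, which uses plain bits there; it is sound because a valid bit vector then certifies membership in \([0,H]\) for any integer \(H\). `no_overflow` states the field-size condition that makes the squares meaningful. All vector sizes and bounds in the tests are constructed values, and the function names are this example's own.

```python
import itertools


def range_weights(H):
    """Weights w_0 >= w_1 >= ... with floor(log2 H) + 1 entries whose subset sums
    {sum b_i w_i : b_i in {0,1}} are exactly the integers 0..H (construction of [15]).
    w_i = floor((H + 2^i) / 2^(i+1)); for H = 2^n - 1 these are the powers of two."""
    return [(H + (1 << i)) >> (i + 1) for i in range(H.bit_length())]


def decompose(v, weights):
    """Bit vector b with sum b_i w_i == v, or None if v is outside 0..sum(weights).
    Greedy from the largest weight never fails for these weights because each
    weight is at most one more than the sum of all smaller ones."""
    if v < 0 or v > sum(weights):
        return None
    bits, rem = [], v
    for w in weights:
        take = 1 if rem >= w else 0
        bits.append(take)
        rem -= take * w
    return bits if rem == 0 else None


def covers_exactly(H):
    """Brute-force check (small H only) that the subset sums are exactly 0..H."""
    w = range_weights(H)
    sums = {sum(b * x for b, x in zip(bits, w))
            for bits in itertools.product((0, 1), repeat=len(w))}
    return sums == set(range(H + 1))


def no_overflow(d, q, p):
    """The squared l2-norm of d coefficients in (-q/2, q/2] is below d*(q/2)^2 and
    must not wrap around in the circuit's prime field of size p; this is why the
    infinity-norm bound from the [17] proof is established first."""
    return d * (q // 2) ** 2 < p


def norm_check_constraints(s, sq_bound):
    """Emulate the circuit proving ||s||_2^2 <= sq_bound for an integer vector s.
    Multiplication gates: one per coefficient for the square, one per bit for the
    b*(1-b) = 0 check; the linear equation tying bits to the squared norm is free.
    Returns (satisfied, gates)."""
    gates = len(s)                          # the d squarings
    sq_norm = sum(v * v for v in s)
    weights = range_weights(sq_bound)
    bits = decompose(sq_norm, weights)
    if bits is None:                        # no honest prover can supply the bits
        return False, gates
    for b in bits:
        gates += 1
        if b * (1 - b) != 0:                # a violated bit constraint
            return False, gates
    return sum(b * w for b, w in zip(bits, weights)) == sq_norm, gates
```

For the text's numbers: `norm_check_constraints([1] * 2048, 2**48 - 1)` succeeds with 2096 gates, the 2048 squarings plus 48 bit checks the appendix counts for each of \(s_1\) and \(s_2\).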
Open: The following zero-knowledge proof is needed:
The conditions in this relation can be rewritten as follows, with appropriate size bounds on different elements.
This relation is proved by using the proof system from [17] twice. The first proof proves the linear relation from the first row of the matrix, which does not include v. Therefore, the proof system can be used with norm bound 1. The second proof proves the linear relation from the second row of the matrix, which does include v, and therefore works with norm bound \(q/4-d_2\). As with the signing algorithm, we use the adjustments described to make sure that the preimage values are consistent across the two proofs.
Copyright information
© 2020 Springer Nature Switzerland AG
Cite this paper
Bootle, J., Lehmann, A., Lyubashevsky, V., Seiler, G. (2020). Compact Privacy Protocols from Post-quantum and Timed Classical Assumptions. In: Ding, J., Tillich, JP. (eds) Post-Quantum Cryptography. PQCrypto 2020. Lecture Notes in Computer Science(), vol 12100. Springer, Cham. https://doi.org/10.1007/978-3-030-44223-1_13
DOI: https://doi.org/10.1007/978-3-030-44223-1_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-44222-4
Online ISBN: 978-3-030-44223-1