
Black-Box Accumulation Based on Lattices

Conference paper, published in: Cryptography and Coding (IMACC 2021)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 13129)

Abstract

Black-box accumulation (BBA) is a cryptographic protocol that allows users to accumulate and redeem points, e.g. in payment systems, and offers provable security and privacy guarantees. Loosely speaking, the transactions of users remain unlinkable, while adversaries cannot claim a false amount of points or use points from other users. Attempts to spend the same points multiple times (double spending) reveal the identity of the misbehaving user and an undeniable proof of guilt. Known instantiations of BBA rely on classical number-theoretic assumptions, which are not post-quantum secure. In this work, we propose the first lattice-based instantiation of BBA, which is plausibly post-quantum secure. It relies on the hardness of the Learning with Errors (LWE) and Short Integer Solution (SIS) assumptions and is secure in the Random Oracle Model (ROM).

Our work shows that a lattice-based instantiation of BBA can be realized with a communication cost per transaction of about 199 MB if built on the zero-knowledge protocol by Yang et al. [36] (CRYPTO 2019) and the CL-type signature of Libert et al. [28] (ASIACRYPT 2017). Without any zero-knowledge overhead, our protocol requires 1.8 MB of communication.


Notes

  1. Our setup only requires a uniform random string (URS), also called transparent setup. In practice, it can be heuristically chosen, e.g. as a hash image.

  2. Note that [22,23,24] distinguish between an \(\mathsf {Add}\) and a \(\mathsf {Sub}\) transaction for updating the token, where the first one hides the user’s balance and the latter one reveals it (or hides it via expensive range proofs). As we will discuss in Sect. 3, there is no need for us to distinguish those cases, as the balance is always hidden in our construction.

  3. We will use these matrices for the signature, too. We ignore \(\mathsf {params}'\), output by \(\mathsf {S}.\mathsf {Gen}\).

References

  1. Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_28


  2. Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: 28th ACM STOC, pp. 99–108. ACM Press (1996). https://doi.org/10.1145/237814.237838

  3. Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. Cryptology ePrint Archive, Report 2015/046. https://eprint.iacr.org/2015/046

  4. Alwen, J., Peikert, C.: Generating shorter bases for hard random lattices. Cryptology ePrint Archive, Report 2008/521. https://eprint.iacr.org/2008/521

  5. Banaszczyk, W.: New bounds in some transference theorems in the geometry of numbers. Math. Ann. 296(1), 625–635 (1993). https://doi.org/10.1007/BF01445125

  6. Blömer, J., Bobolz, J., Diemert, D., Eidens, F.: Updatable anonymous credentials and applications to incentive systems. In: Cavallaro, L., Kinder, J., Wang, X., Katz, J. (eds.) ACM CCS 2019, pp. 1671–1685. ACM Press (2019). https://doi.org/10.1145/3319535.3354223

  7. Bobolz, J., Eidens, F., Krenn, S., Slamanig, D., Striecks, C.: Privacy-preserving incentive systems with highly efficient point-collection. In: Sun, H.M., Shieh, S.P., Gu, G., Ateniese, G. (eds.) ASIACCS 2020, pp. 319–333. ACM Press (2020). https://doi.org/10.1145/3320269.3384769

  8. Bourse, F., Pointcheval, D., Sanders, O.: Divisible e-cash from constrained pseudo-random functions. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 679–708. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_24


  9. Camenisch, J., Hohenberger, S., Lysyanskaya, A.: Compact e-cash. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 302–321. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_18


  10. Camenisch, J., Lysyanskaya, A.: A signature scheme with efficient protocols. In: Cimato, S., Persiano, G., Galdi, C. (eds.) SCN 2002. LNCS, vol. 2576, pp. 268–289. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36413-7_20


  11. Camenisch, J., Lysyanskaya, A.: Signature schemes and anonymous credentials from bilinear maps. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 56–72. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_4

  12. Canard, S., Gouget, A.: Anonymity in transferable e-cash. In: Bellovin, S.M., Gennaro, R., Keromytis, A., Yung, M. (eds.) ACNS 2008. LNCS, vol. 5037, pp. 207–223. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-68914-0_13


  13. Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. J. Cryptol. 25(4), 601–639 (2011). https://doi.org/10.1007/s00145-011-9105-2


  14. Chaum, D.: Blind signatures for untraceable payments. In: Chaum, D., Rivest, R.L., Sherman, A.T. (eds.) Adv. Cryptol., pp. 199–203. Springer, Boston (1983). https://doi.org/10.1007/978-1-4757-0602-4_18


  15. Deo, A., Libert, B., Nguyen, K., Sanders, O.: Lattice-based e-cash, revisited. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 318–348. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_11


  16. Don, J., Fehr, S., Majenz, C., Schaffner, C.: Security of the Fiat-Shamir transformation in the quantum random-oracle model. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 356–383. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_13

  17. Faller, S.H., Baumer, P., Klooß, M., Koch, A., Ottenhues, A., Raiber, M.: Black-box accumulation based on lattices. Cryptology ePrint Archive, Report 2021/1303. https://eprint.iacr.org/2021/1303

  18. Gama, N., Nguyen, P.Q.: Predicting lattice reduction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 31–51. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_3


  19. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Mitzenmacher, M. (ed.) 41st ACM STOC, pp. 169–178. ACM Press (2009). https://doi.org/10.1145/1536414.1536440

  20. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Ladner, R.E., Dwork, C. (eds.) 40th ACM STOC, pp. 197–206. ACM Press (2008). https://doi.org/10.1145/1374376.1374407

  21. Groth, J., Ishai, Y.: Sub-linear zero-knowledge argument for correctness of a shuffle. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 379–396. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_22


  22. Hartung, G., Hoffmann, M., Nagel, M., Rupp, A.: BBA+: improving the security and applicability of privacy-preserving point collection. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) ACM CCS 2017, pp. 1925–1942. ACM Press (2017). https://doi.org/10.1145/3133956.3134071

  23. Hoffmann, M., Klooß, M., Raiber, M., Rupp, A.: Black-box wallets: Fast anonymous two-way payments for constrained devices. PoPETs 2020(1), 165–194 (2020). https://doi.org/10.2478/popets-2020-0010

  24. Jager, T., Rupp, A.: Black-box accumulation: collecting incentives in a privacy-preserving way. PoPETs 2016(3), 62–82 (2013). https://doi.org/10.1515/popets-2016-0016

  25. Kawachi, A., Tanaka, K., Xagawa, K.: Concurrently secure identification schemes based on the worst-case hardness of lattice problems. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 372–389. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89255-7_23

  26. Kosba, A., et al.: C\(\emptyset \)c\(\emptyset \): a framework for building composable zero-knowledge proofs. Cryptology ePrint Archive, Report 2015/1093. https://eprint.iacr.org/2015/1093

  27. Libert, B., Ling, S., Mouhartem, F., Nguyen, K., Wang, H.: Signature schemes with efficient protocols and dynamic group signatures from lattice assumptions. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 373–403. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_13


  28. Libert, B., Ling, S., Nguyen, K., Wang, H.: Zero-knowledge arguments for lattice-based PRFs and applications to e-cash. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10626, pp. 304–335. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70700-6_11


  29. Lindell, Y.: Parallel coin-tossing and constant-round secure two-party computation. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 171–189. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_10


  30. Liu, Q., Zhandry, M.: Revisiting post-quantum Fiat-Shamir. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 326–355. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_12

  31. Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. In: Ladner, R.E., Dwork, C. (eds.) 40th ACM STOC, pp. 187–196. ACM Press (2008). https://doi.org/10.1145/1374376.1374406

  32. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th ACM STOC, pp. 84–93. ACM Press (2005). https://doi.org/10.1145/1060590.1060603

  33. Shor, P.W.: Algorithms for quantum computation: Discrete logarithms and factoring. In: 35th FOCS, pp. 124–134. IEEE Computer Society Press (1994). https://doi.org/10.1109/SFCS.1994.365700

  34. Stern, J.: A new paradigm for public key identification. IEEE Trans. Inf. Theory 42(6), 1757–1768 (1996). https://doi.org/10.1109/18.556672

  35. Weng, C., Yang, K., Katz, J., Wang, X.: Wolverine: fast, scalable, and communication-efficient zero-knowledge proofs for boolean and arithmetic circuits. Cryptology ePrint Archive, Report 2020/925. https://eprint.iacr.org/2020/925

  36. Yang, R., Au, M.H., Zhang, Z., Xu, Q., Yu, Z., Whyte, W.: Efficient lattice-based zero-knowledge arguments with standard soundness: construction and applications. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 147–175. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_6


Acknowledgement

We thank the anonymous reviewers for their feedback. The work presented in this paper has been funded by the German Federal Ministry of Education and Research (BMBF) under the project “PQC4MED” (ID 16KIS1044) and the topic Engineering Secure Systems of the Helmholtz Association (HGF) and by KASTEL Security Research Labs.

Author information


Corresponding author

Correspondence to Sebastian H. Faller.


Appendices

A Hardness Assumptions and Cryptographic Building Blocks

A.1 Lattice-based Hardness Assumptions

Definition A.1

(Short Integer Solution). Given a modulus \(q \in \mathbb {N}\), \(m \in \mathbb {N}\) uniformly random vectors \(\mathbf {a}_i \in \mathbb {Z}^n_q\) (written as a matrix \(\mathbf {A} \in \mathbb {Z}^{n\times m}_q\)), and a uniformly random vector \(\mathbf {u} \in \mathbb {Z}_q^n\), the Inhomogeneous Short Integer Solution (ISIS) problem is to find a non-zero integer vector \(\mathbf {z}\in \mathbb {Z}^m\) of norm at most \(\beta \) such that

$$\begin{aligned} \mathbf {A} \mathbf {z} = \sum _{i=1}^m \mathbf {a}_i \cdot z_i = \mathbf {u} \in \mathbb {Z}_q^n, \end{aligned}$$

where \(\beta \in \mathbb {R}\) is a parameter with \(\beta < q\).

In the case where \(\mathbf {u}\) is not uniform but fixed to \(\mathbf {0}\), the problem is called Short Integer Solution (SIS). We write \( SIS _{n,q,\beta , m}\), if we want to emphasize the respective parameters.

For typical parameter choices, SIS and ISIS are equivalent. Ajtai showed in his seminal work [2] that the average-case SIS problem can be reduced in polynomial time to the short integer vector problem (SIVP), a worst-case problem on lattices.

Regev [32] introduced the LWE problem and gave a quantum reduction to SIVP. We define the decisional variant of the respective hardness assumption.

Definition A.2

(Learning with Errors). \( LWE _{n,q,\chi ,m}\): For a secret vector \(\mathbf {s} \in \mathbb {Z}_q^n\) and a probability distribution \(\chi \) over \(\mathbb {Z}_q^m\), sample a matrix \(\mathbf {A} \in \mathbb {Z}_q^{n \times m}\) uniformly at random and a vector \(\mathbf {e} \leftarrow \chi \). Let \(\mathbf {b}^\top _0 = \mathbf {s}^\top \mathbf {A} + \mathbf {e}^\top \mod q\) and let \(\mathbf {b}_1\) be chosen uniformly at random. Given \((\mathbf {A},\mathbf {b}^*)\), where \(\mathbf {b}^*\) is either \(\mathbf {b}_0\) or \(\mathbf {b}_1\), decide whether \(\mathbf {b}^* = \mathbf {b}_0\) or \(\mathbf {b}^* = \mathbf {b}_1\).
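The two definitions above as an added worked example (not code from the paper): a checker for SIS/ISIS solutions that enforces all three conditions of Definition A.1, and a toy decisional-LWE instance in which the residue \(\mathbf {b} - \mathbf {s}^\top \mathbf {A}\) is a small error exactly when \(\mathbf {b}\) is the LWE sample. The parameters Q, N, M and the error distribution are constructed toy values that offer no security.

```python
"""Toy SIS/ISIS and decisional-LWE instances following Definitions A.1 and A.2.

Constructed example with tiny parameters; they exercise the definitions and are
not secure parameter choices.
"""
import random

Q = 97          # modulus q
N = 4           # dimension n (rows of A)
M = 8           # number of samples m (columns of A)
ERR_BOUND = 3   # chi: coordinates drawn uniformly from [-ERR_BOUND, ERR_BOUND]


def centered(x, q=Q):
    """Representative of x mod q in the centered range (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def random_matrix(n, m, q=Q, rng=random):
    return [[rng.randrange(q) for _ in range(m)] for _ in range(n)]


def mat_vec(A, z, q=Q):
    """A z mod q for an n x m matrix A and a length-m vector z."""
    return [sum(a * zi for a, zi in zip(row, z)) % q for row in A]


def vec_mat(s, A, q=Q):
    """s^T A mod q for a length-n vector s and an n x m matrix A."""
    n, m = len(A), len(A[0])
    return [sum(s[i] * A[i][j] for i in range(n)) % q for j in range(m)]


def is_isis_solution(A, u, z, beta, q=Q):
    """Definition A.1: z != 0, ||z||_2 <= beta and A z = u (mod q)."""
    if all(zi == 0 for zi in z):
        return False
    if sum(zi * zi for zi in z) > beta * beta:   # compare squared norms, no sqrt
        return False
    return mat_vec(A, z, q) == [ui % q for ui in u]


def is_sis_solution(A, z, beta, q=Q):
    """SIS is ISIS with the target fixed to the zero vector."""
    return is_isis_solution(A, [0] * len(A), z, beta, q)


def lwe_instance(secret, rng=random, q=Q, n=N, m=M, bound=ERR_BOUND):
    """Definition A.2: return (A, b0, b1) with b0^T = s^T A + e^T mod q, b1 uniform."""
    A = random_matrix(n, m, q, rng)
    e = [rng.randint(-bound, bound) for _ in range(m)]
    b0 = [(x + ei) % q for x, ei in zip(vec_mat(secret, A, q), e)]
    b1 = [rng.randrange(q) for _ in range(m)]
    return A, b0, b1


def looks_like_lwe(A, b, secret, q=Q, bound=ERR_BOUND):
    """Holding the secret, b is the LWE sample iff b - s^T A is a small error vector.
    For the uniform b1 the centered residue is uniform in Z_q, so the test fails
    except with probability ((2*bound+1)/q)^m."""
    residue = [centered(bi - x, q) for bi, x in zip(b, vec_mat(secret, A, q))]
    return max(abs(r) for r in residue) <= bound


def demo(seed=7):
    """Build one instance and report (real sample detected, uniform sample detected)."""
    rng = random.Random(seed)
    s = [rng.randrange(Q) for _ in range(N)]
    A, b0, b1 = lwe_instance(s, rng)
    return looks_like_lwe(A, b0, s), looks_like_lwe(A, b1, s)
```

Without the secret, telling b0 from b1 is exactly the decisional LWE problem; the code only shows that the secret is a distinguisher.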

A.2 Building Blocks

We give a brief overview of the building blocks used. In Sect. 2.3, we give instantiations of these building blocks based on the hardness of SIS and LWE.

Commitments. A commitment scheme allows one to commit to (i.e., fix) a value without revealing it immediately. At a later point, the commitment can be opened and the committed value is revealed. A commitment scheme consists of two PPT algorithms: The parameter generation outputs public parameters \(\mathsf {params}\), and the commitment algorithm \(\mathsf {Com}(\mathsf {params}, m;r) \rightarrow c\) outputs, for a given message m, some explicit randomness r and the public parameters \(\mathsf {params}\), a commitment c on that value m. We often omit the input of the public parameters.

To open the commitment c, one reveals the randomness r, and the receiver checks whether \(\mathsf {Com}(\mathsf {params}, m;r) = c\) holds. Informally, we want a commitment scheme to be hiding, i.e. no (efficient) adversary can learn anything about the message m in a commitment prior to opening. Furthermore, a commitment should be binding, which means it should be (computationally) infeasible to open a commitment on m to any other value than m. A commitment scheme is equivocal if there exists an additional trapdoor generation algorithm that outputs the public parameters \(\mathsf {params}\) together with a trapdoor \(\mathsf {td}\). With the trapdoor \(\mathsf {td}\), it is possible to open a commitment c on the value m to another value \(m'\) with \(m' \ne m\) by running a second algorithm, called \(\mathsf {Equiv}(\mathsf {td}, c, m')\), that outputs a randomness value \(r'\) for opening c to \(m'\). We require the two setups via \(\mathsf {Gen}\) and \(\mathsf {EqGen}\) to be computationally indistinguishable.

Oblivious Signing of Committed Messages. In our construction, we use the signature scheme of Libert et al. [28]; in particular, their protocol for obliviously signing a committed message (see Sect. 2.3). A signature scheme for oblivious signing of committed messages consists of the following algorithms/protocols:

  • A key-generation algorithm that outputs \((\mathsf {params}, \mathsf {pk}, \mathsf {sk})\), namely public parameters \(\mathsf {params}\), and a pair consisting of a public and a secret key.

  • \(\mathsf {OblSign}\langle \mathcal {U}(\mathsf {params}, \mathsf {pk}, m), \mathcal {S}(\mathsf {params}, \mathsf {pk}, \mathsf {sk})\rangle \), an interactive protocol, where a user \(\mathcal {U}\) interacts with a signer \(\mathcal {S}\) to obtain a signature on a message m inside of a commitment. In this protocol, \(\mathcal {U}\) sends a commitment \(c \leftarrow \mathsf {Com}(m;r)\) on m to the signer \(\mathcal {S}\) and eventually \(\mathcal {U}\) outputs a valid signature on m.

  • A verification algorithm \(\mathsf {Vfy}(\mathsf {params}, \mathsf {pk}, m, \mathsf {sig}) \rightarrow b\) that allows one to check whether \(\mathsf {sig}\) is a valid signature on message m under public key \(\mathsf {pk}\).

The signer does not learn anything about m, as the commitment scheme is hiding. This protocol offers a security notion that is almost identical to common EUF-CMA security but takes into account that the user sends commitments and not plain messages. Libert et al. forgo an abstract definition of the signature’s security as they directly apply the signature scheme to their e-cash scheme. We give a formal definition in the full version [17] of this paper.

Zero-Knowledge Proofs. A proof system allows a party, called prover, to prove to another party, called verifier, that some statement is true. It is a zero-knowledge (ZK) protocol, if (informally) the verifier gains no additional knowledge, except for the truth of the statement. More precisely, the prover can convince the verifier that a word x belongs to a certain \(\mathcal {NP}\)-language L, while even a malicious verifier learns nothing about x except for the truth of \(x \in L\). The protocol is a proof of knowledge (PoK), or extractable, if a convincing prover must know an \(\mathcal {NP}\)-witness w. For example, if \(x = m\), \(w = \sigma \), and the language is “I know a signature \(\sigma \) on message m”, then a ZK-PoK guarantees that a convincing prover knows a signature \(\sigma \), yet, the verifier learns nothing about \(\sigma \). A ZK-PoK is correct, if an honest execution with correct statement always accepts. It has soundness error \(p\in [0,1]\), if the probability that the verifier accepts a false statement is at most p.

Full-Rank Difference Function. We define full-rank differences as introduced by Agrawal, Boneh, and Boyen [1], and refer to them for a concrete instantiation. We use this in the calculation of the double-spending tag. Let \(q \in \mathbb {N}\) be a prime and \(n\in \mathbb {N}\). A full-rank difference function is an efficiently computable function \(H_{ FRD }:\mathbb {Z}_q^n \rightarrow \mathbb {Z}_q^{n\times n}\) satisfying that for all distinct \(u,v \in \mathbb {Z}_q^n\), the matrix \(H_{ FRD }(u) - H_{ FRD }(v) \in \mathbb {Z}_q^{n\times n}\) is full rank.
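An added example of the full-rank difference function (not code from the paper), following the construction of Agrawal, Boneh and Boyen [1] that the text refers to: identify \(\mathbb {Z}_q^n\) with the field \(\mathbb {Z}_q[x]/(f)\) for an irreducible f of degree n, and let \(H_{ FRD }(u)\) be the matrix of multiplication by u. Then \(H_{ FRD }(u) - H_{ FRD }(v) = H_{ FRD }(u-v)\) is multiplication by a non-zero field element, hence invertible. The toy parameters q = 7 and n = 3 are assumptions chosen so that the property can be verified exhaustively; a naive diagonal map is included as a counterexample.

```python
"""Full-rank difference function as a multiplication matrix in Z_q[x]/(f).

Constructed example with toy parameters (q = 7, n = 3); the FRD property is
checked exhaustively, which is only feasible for such small values.
"""
import itertools


def find_irreducible_cubic(q):
    """Smallest monic cubic x^3 + a*x + b with no root mod q, returned with
    coefficients low degree first, i.e. [b, a, 0, 1]. A polynomial of degree 2 or 3
    over a field is irreducible iff it has no root, so this test suffices for n = 3."""
    for a in range(q):
        for b in range(1, q):
            if all((x ** 3 + a * x + b) % q for x in range(q)):
                return [b, a, 0, 1]
    raise ValueError("no irreducible cubic found; q must be prime")


def poly_mulmod(u, v, f, q):
    """Product of polynomials u and v reduced modulo the monic polynomial f over Z_q."""
    n = len(f) - 1
    prod = [0] * (2 * n - 1)
    for i, ui in enumerate(u):
        for j, vj in enumerate(v):
            prod[i + j] = (prod[i + j] + ui * vj) % q
    for k in range(len(prod) - 1, n - 1, -1):   # eliminate x^k for k >= n using f
        c = prod[k]
        if c:
            for t in range(n + 1):
                prod[k - n + t] = (prod[k - n + t] - c * f[t]) % q
    return prod[:n]


def h_frd(u, f, q):
    """H_FRD(u): the n x n matrix of multiplication by u in Z_q[x]/(f).
    Column j holds the coefficients of u(x) * x^j mod f."""
    n = len(f) - 1
    cols = []
    for j in range(n):
        xj = [0] * n
        xj[j] = 1
        cols.append(poly_mulmod(u, xj, f, q))
    return [[cols[j][i] for j in range(n)] for i in range(n)]


def rank_mod_q(matrix, q):
    """Rank over Z_q (q prime) by Gauss-Jordan elimination."""
    m = [row[:] for row in matrix]
    rows, cols, rank = len(m), len(m[0]), 0
    for c in range(cols):
        pivot = next((r for r in range(rank, rows) if m[r][c] % q), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][c], -1, q)
        m[rank] = [(x * inv) % q for x in m[rank]]
        for r in range(rows):
            if r != rank and m[r][c]:
                factor = m[r][c]
                m[r] = [(a - factor * b) % q for a, b in zip(m[r], m[rank])]
        rank += 1
    return rank


def difference_is_full_rank(hu, hv, q):
    """The defining property: H(u) - H(v) must have full rank n."""
    n = len(hu)
    diff = [[(a - b) % q for a, b in zip(ru, rv)] for ru, rv in zip(hu, hv)]
    return rank_mod_q(diff, q) == n


def is_full_rank_difference(u, v, f, q):
    return difference_is_full_rank(h_frd(u, f, q), h_frd(v, f, q), q)


def all_differences_full_rank(f, q):
    """Exhaustive check for toy parameters. H_FRD is Z_q-linear, so
    H(u) - H(v) = H(u - v), and it suffices that H(w) is invertible for every w != 0."""
    n = len(f) - 1
    for w in itertools.product(range(q), repeat=n):
        if any(w) and rank_mod_q(h_frd(list(w), f, q), q) != n:
            return False
    return True


def h_diag(u, q):
    """Counterexample: u -> diag(u) is NOT a full-rank difference function, since two
    distinct vectors that agree in one coordinate give a singular difference."""
    n = len(u)
    return [[u[i] % q if i == j else 0 for j in range(n)] for i in range(n)]
```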

B Security and Privacy Notions

In this section we render the precise definitions of the security and privacy notions as defined by [23].

Definition B.1

(Correctness of \( \mathsf {BABL}\)). Similar to [22], the \( \mathsf {BABL}\) scheme is called correct if the following holds: If the system is set up by the \(\mathsf {Setup}\) algorithm, the keys are generated by \(\mathsf {UGen}\) and \(\mathsf {OGen}\), and all parties follow the protocol honestly, then the following properties hold: (1) Correctness of the \( \mathsf {Issue}\) protocol: Both parties return as acceptance bit 1. (2) Correctness of the \( \mathsf {Update}\) protocol: For all valid tokens and balances, after adding a value the user always returns as acceptance bit 1.

Definition B.2

(Oracles, from [23] Def. 3.2). \(\mathsf {MalIssue}\) lets the adversary initiate the \(\mathsf {Issue}\) protocol with an honest issuer \( \mathcal {O}\) provided that there is no pending \(\mathsf {MalIssue}\) call for \(\mathsf {pk}_\mathcal {U}\) and \(\mathsf {pk}_\mathcal {U}\) has also not been used in a successful call to \(\mathsf {MalIssue}\) before. \(\mathsf {MalUpdate}\) lets the adversary initiate the \(\mathsf {Update}\) protocol with an honest operator \( \mathcal {O}\) for an input value v. We say that a call to an oracle is successful if the honest party represented by the oracle accepts the run.

B.1 System Security

We denote by \(\mathcal {T}_{\lambda , \mathsf {CRS}}^\mathsf {Update}\) the set of all transcripts of \(\mathsf {Update}\) transactions, meaning all exchanged messages from the beginning, until both parties terminate.

Definition B.3

A scheme is called simulation-linkable if it satisfies the following conditions:

  • Completeness: Let and \(tr \in \mathcal {T}_{\lambda , \mathsf {CRS}}^\mathsf {Update}\) be a transcript. Then there exist inputs \(\mathsf {pk}_\mathcal {U}, \mathsf {sk}_\mathcal {U}, \mathcal {T}, \mathbf {b}\) and random choices for an honest user \(\mathcal {U}\) and honest operator \(\mathcal {O}\) such that a run of the \(\mathsf {Update}\) protocol between \(\mathcal {U}\) and \(\mathcal {O}\) with those inputs leads to the same transcript tr.

  • Extractability: There exists a PPT algorithm \(\mathsf {ExtractUID}\) that, given two related transcripts \(tr_1, tr_2 \in \mathcal {T}_{\lambda , \mathsf {CRS}}^\mathsf {Update}\) produced by the interaction of an honest user \(\mathcal {U}\) with public key \(\mathsf {pk}_\mathcal {U}\) with an honest operator \(\mathcal {O}\), outputs the public key \(\mathsf {pk}_\mathcal {U}\). Two transcripts \(tr_1, tr_2\) are called related if they are identical except for the zero-knowledge challenges output by the Random Oracle.

Additionally, there exists an expected PPT algorithm \(\mathbf {GenerateTranscripts}\) that, given access to a transcript oracle \(\mathcal {O}= \langle \mathcal {U}, \mathcal {O}\rangle \) which outputs transcripts between a user and an operator, outputs two related transcripts \(tr_1, tr_2 \in \mathcal {T}_{\lambda , \mathsf {CRS}}^\mathsf {Update}\) with overwhelming probability. \(\mathbf {GenerateTranscripts}\) is allowed to rewind \(\mathcal {O}\) and reprogram the Random Oracle.

Definition B.4

A simulation-linkable scheme is called owner-binding if for any PPT adversary \(\mathcal {A}\) in the experiments \(\mathsf {Exp}_{\mathsf {BABL}, \mathcal {A}}^{\mathsf {ob\text {-}issue}}(\lambda )\) and \(\mathsf {Exp}_{\mathsf {BABL}, \mathcal {A}}^{\mathsf {ob\text {-}update}}(\lambda )\) from Fig. 5 the advantages of \(\mathcal {A}\) defined by

$$\mathsf {Adv}_{\mathsf {BABL}, \mathcal {A}}^{\mathsf {ob\text {-}issue}}(\lambda ) = \mathsf {Pr}\left[ \mathsf {Exp}_{\mathsf {BABL}, \mathcal {A}}^{\mathsf {ob\text {-}issue}}(\lambda ) = 1\right] $$
$$\mathsf {Adv}_{\mathsf {BABL}, \mathcal {A}}^{\mathsf {ob\text {-}update}}(\lambda ) = \mathsf {Pr}\left[ \mathsf {Exp}_{\mathsf {BABL}, \mathcal {A}}^{\mathsf {ob\text {-}update}}(\lambda ) = 1\right] $$

are negligible in \(\lambda \).

Fig. 5. Owner-binding experiment

Definition B.5

A simulation-linkable scheme ensures double-spending detection if for any PPT adversary \(\mathcal {A}\) in the experiment \(\mathsf {Exp}_{\mathsf {BABL}, \mathcal {A}}^{\mathsf {dsd}}(\lambda )\) from Fig. 6 the advantage of \(\mathcal {A}\) defined by

$$\mathsf {Adv}_{\mathsf {BABL}, \mathcal {A}}^{\mathsf {dsd}}(\lambda ) = \mathsf {Pr}\left[ \mathsf {Exp}_{\mathsf {BABL}, \mathcal {A}}^{\mathsf {dsd}}(\lambda ) = 1\right] $$

is negligible in \(\lambda \).

Fig. 6. Double-spending experiment

Definition B.6

A simulation-linkable scheme is called balance-binding if for any PPT adversary \(\mathcal {A}\) in the experiment \(\mathsf {Exp}_{\mathsf {BABL}, \mathcal {A}}^{\mathsf {bb}}(\lambda )\) from Fig. 7 the advantage of \(\mathcal {A}\) defined by

$$\mathsf {Adv}_{\mathsf {BABL}, \mathcal {A}}^{\mathsf {bb}}(\lambda ) = \mathsf {Pr}\left[ \mathsf {Exp}_{\mathsf {BABL}, \mathcal {A}}^{\mathsf {bb}}(\lambda ) = 1\right] $$

is negligible in \(\lambda \).

Fig. 7. Balance-binding experiment

B.2 User Security and Privacy

User security is defined using the real/ideal world paradigm. The adversary can query the \(\mathsf {HonUser}\) oracle to spawn new users. In the real world, the adversary interacts with oracles \(\mathsf {RHonIssue}\) and \( \mathsf {RHonUpdate}\) implementing the real user protocols. In the ideal world, the adversary interacts with a simulator. The simulator has to play the role of the oracles, but without receiving any private user information. We denote this by \(\mathsf {SHonIssue}, \mathsf {SHonUpdate}\). In both worlds, the adversary can query \(\mathsf {RCorrupt}\) or \(\mathsf {SCorrupt}\), respectively, to corrupt a user. By this, they learn all private information of the respective user.

Definition B.7

A scheme is called privacy-preserving if there exist PPT algorithms \(\mathsf {SimSetup}\) and \(\mathsf {SCorrupt}\) as well as PPT protocols \(\mathsf {SHonIssue}, \mathsf {SHonUpdate}\) that receive no private user information, such that for all PPT adversaries \(\mathcal {A}= (\mathcal {A}_1, \mathcal {A}_2)\) in the experiment depicted in Fig. 8, the advantage \(\mathsf {Adv}_{\mathsf {BABL}, \mathcal {A}}^{\mathsf {priv}}(\lambda )\) of \(\mathcal {A}\) defined by

$$\left| \mathsf {Pr}\left[ \mathsf {Exp}_{\mathsf {BABL}, \mathcal {A}}^{\mathsf {priv\text {-}real}}(\lambda ) = 1\right] - \mathsf {Pr}\left[ \mathsf {Exp}_{\mathsf {BABL}, \mathcal {A}}^{\mathsf {priv\text {-}ideal}}(\lambda ) = 1\right] \right| $$

is negligible in \(\lambda \).

Fig. 8. Real/Ideal world privacy experiment

Definition B.8

A simulation-linkable scheme ensures false-accusation protection if for any PPT adversary \(\mathcal {A}= (\mathcal {A}_1, \mathcal {A}_2)\) in the experiment \(\mathsf {Exp}_{\mathsf {BABL}, \mathcal {A}}^{\mathsf {facp}}(\lambda )\) from Fig. 9 the advantage of \(\mathcal {A}\) defined by

$$\mathsf {Adv}_{\mathsf {BABL}, \mathcal {A}}^{\mathsf {facp}}(\lambda ) = \mathsf {Pr}\left[ \mathsf {Exp}_{\mathsf {BABL}, \mathcal {A}}^{\mathsf {facp}}(\lambda ) = 1\right] $$

is negligible in \(\lambda \). (Note that this does not guarantee anything once the user was compromised.)

Fig. 9. False-accusation experiment

B.3 Security and Privacy

Our construction fulfills the desired security and privacy properties mentioned in Sect. 2.1. We formulate the theorems and give proof sketches. Note that the proofs closely follow the proofs from [23]; only small changes were necessary to adapt them to the lattice setting:

Theorem B.1

(Simulation-Linkability). Suppose \(\mathsf {BABL}\) is correct, \(\mathsf {S}\) is secure and \(\mathsf {P1}, \mathsf {P2}\) are sound. Then \(\mathsf {BABL}\) is simulation-linkable.

Proof Sketch

(Simulation-Linkability (Theorem B.1)). As by definition, a scheme is called simulation-linkable when it is complete and extractable, we have to show that \(\mathsf {BABL}\) fulfills these properties.

Completeness requires that for every accepted transcript there is a choice of parameters such that the transcript is the result of an honest protocol run. This holds in our case, as the sum of the serial number and the \(\mathbf {t}\)-part of the double-spending tag are indistinguishable from random values. Further, as the transcript is accepted, the soundness property of the zero-knowledge protocol from [36] guarantees that a commitment is well-formed. It remains to show that the signature is honestly generated, but as the token is accepted by the user and the signature is secure, this is given.

To prove the extractability property we can rely on the fact that the protocol from [36] is extractable, because it is a proof of knowledge.

Theorem B.2

(Owner-Binding w.r.t. \(\mathsf {Issue}\)). Suppose the \(SIS_{{n_{\mathsf {sk}}}, q, \sqrt{{m_{\mathsf {sk}}}}}\) assumption holds and \(\mathsf {P1}\) is extractable. Then \(\mathsf {BABL}\) is owner-binding w.r.t. \(\mathsf {Issue}\).

Proof Sketch

(Owner-Binding w.r.t. \( \mathsf {Issue}\) (Theorem B.2)). Proving this property is a straightforward reduction to \(SIS_{{n_{\mathsf {sk}}}, q, \sqrt{{m_{\mathsf {sk}}}}}\).

Theorem B.3

(Owner-Binding w.r.t. \(\mathsf {Update}\)). Suppose \(\mathsf {BABL}\) is simulation-linkable, \(\mathsf {P2}\) is extractable and \(\mathsf {S}\) is secure. Then \(\mathsf {BABL}\) is owner-binding w.r.t. \(\mathsf {Update}\).

Proof Sketch

(Owner-Binding w.r.t. \( \mathsf {Update}\) (Theorem B.3)). To prove the owner-binding property for the \( \mathsf {Update}\) protocol we define a series of games for a hybrid argument. In these games, we test the required properties for the owner-binding property step by step. Finally, we show that the advantage of the adversary to win in the original game differs only negligibly from the other games.

First, we show that it is indeed possible to extract the user’s secret key by reducing this problem to the already proven simulation-linkability property of our scheme. Then it is possible to extract witnesses for all zero-knowledge proofs that occurred, as the zero-knowledge argument from [36] is extractable. Finally, as there are extracted witnesses, the only way left for the adversary to win the owner-binding game is to forge a signature. This is prevented by the security of our signature. Note here that the security of the signature is not exactly the usual EUF-CMA security, as the user sends commitments and the signer signs the committed messages (and not the commitment itself). However, the notion of security given in the full version [17] of this paper suffices for our proofs.

Theorem B.4

(Double-Spending Detection). Suppose \(\mathsf {BABL}\) is simulation-linkable, the \(SIS_{{n_{\mathsf {sk}}}, q, \sqrt{{m_{\mathsf {sk}}}}}\) assumption holds, \(\mathsf {P2}\) is extractable and \(\mathsf {S}\) is secure. Then \(\mathsf {BABL}\) ensures double-spending detection.

Proof Sketch

(Double-Spending Detection (Theorem B.4)). Similar to the last theorem, we prove this property with a hybrid argument. In particular, we consider all ways in which \( \mathsf {IdentDS}\) (Fig. 4) could be tricked into not recognizing an actual act of double-spending. We show that an adversary would therefore either be able to find a collision on the serial number, or they were able to manipulate the double-spending tag in a specific way. The former happens only with negligible probability, as the serial number is chosen in a coin-toss-like manner. The latter happens only with negligible probability, as the double-spending tag certainly includes values that the operators drew at random, and as the zero-knowledge proof is sound.

Theorem B.5

(Balance-Binding). Suppose \(\mathsf {P1}\) and \(\mathsf {P2}\) are extractable and sound, \(\mathsf {C}\) is statistically hiding, and \(\mathsf {S}\) is secure. Then \(\mathsf {BABL}\) is balance-binding.

Proof Sketch

(Balance-Binding (Theorem B.5)). Similar to the proofs for the previous properties, we prove the balance-binding property by defining several games, where we show step by step that the probability for an adversary to break the balance-binding property of \( \mathsf {BABL}\) is negligible. More precisely, we interpret every transaction as a node in a graph. Two nodes are connected if the output serial number of the first transaction is the input serial number of the second. We ensure through the game hops that all nodes have an indegree of exactly one (except for the issuance of the token) and an outdegree of at most one. If this were not the case, there would be collisions on the serial number, double-spendings, or forged signatures. Additionally, every such chain of transactions must be started by the issuance of a token, and the balance must only change according to the transaction values of the nodes.
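The transaction graph of the proof sketch above, as an added example (not code from the paper): each accepted transaction becomes a node carrying its input serial number, output serial number and value, and the audit re-derives the conditions the game hops enforce from an operator-side ledger, namely indegree exactly one except for issuance, outdegree at most one (an outdegree of two is a double-spending), every chain starting at an issuance, and the balance along a chain changing only by the transaction values. The Transaction record and the serial labels are constructed for the example; in the scheme the serial numbers are random values fixed in a coin-toss-like manner.

```python
"""Transaction-graph consistency audit from the balance-binding proof sketch.

Constructed model: the operator keeps a ledger of accepted transactions and
checks the graph conditions that the proof's game hops guarantee.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Transaction:
    """One accepted transaction as recorded by the operator (constructed model)."""
    tx_id: str
    input_serial: Optional[str]   # None for the Issue transaction that starts a chain
    output_serial: str            # serial number of the token produced by this run
    value: int                    # balance change v of an Update (0 for Issue)


def audit_ledger(txs):
    """Return findings that violate the graph conditions; an empty list means consistent."""
    findings = []
    producers = defaultdict(list)   # serial -> transactions whose output serial it is
    consumers = defaultdict(list)   # serial -> transactions that spent it as input
    for tx in txs:
        producers[tx.output_serial].append(tx)
        if tx.input_serial is not None:
            consumers[tx.input_serial].append(tx)
    # outdegree > 1: one serial number spent in two transactions, i.e. double-spending
    for serial, spenders in consumers.items():
        if len(spenders) > 1:
            ids = [t.tx_id for t in spenders]
            findings.append(f"double-spending of serial {serial} by {ids}")
    # indegree > 1: two transactions produced the same serial number (collision)
    for serial, makers in producers.items():
        if len(makers) > 1:
            ids = [t.tx_id for t in makers]
            findings.append(f"serial-number collision on {serial}: {ids}")
    # indegree 0 on a non-Issue node: the chain does not start at an issuance
    for tx in txs:
        if tx.input_serial is not None and tx.input_serial not in producers:
            findings.append(f"{tx.tx_id} spends unknown serial {tx.input_serial}")
    return findings


def chain_balances(txs):
    """Walk every chain from its Issue node and return {serial: balance after that node},
    changing the balance only by the transaction values. Intended for a ledger that
    audit_ledger reports as consistent; the visited set guards against cycles."""
    by_input = {tx.input_serial: tx for tx in txs if tx.input_serial is not None}
    balances, seen = {}, set()
    for issue in (tx for tx in txs if tx.input_serial is None):
        balance, cur = 0, issue
        while cur is not None and cur.tx_id not in seen:
            seen.add(cur.tx_id)
            balance += cur.value
            balances[cur.output_serial] = balance
            cur = by_input.get(cur.output_serial)
    return balances
```

A balance the adversary claims for a token with a given output serial can then be compared against chain_balances; any other value would require one of the three violations the audit reports.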

Theorem B.6

(Privacy-Preserving). Suppose \(\mathsf {P1}\) and \(\mathsf {P2}\) are zero-knowledge and \(\mathsf {C}\) is equivocal. Then \(\mathsf {BABL}\) is privacy-preserving.

Proof Sketch

(Privacy-Preserving (Theorem B.6)). We prove this property by defining several games, where the oracles of the real experiment are step-by-step replaced by oracles that hold no personal information of the user, called the ideal world. By showing that an adversary is only with negligible probability able to tell apart the real from the ideal world, we prove that \( \mathsf {BABL}\) is indeed privacy-preserving. In more detail, we make use of the fact that the zero-knowledge proof from [36] is indeed zero-knowledge and the commitment scheme is equivocal. We use the equivocality property to replace the real values in the token with random ones, which makes it impossible to extract personal information from the user in the ideal world.

Theorem B.7

(False-Accusation Protection). Suppose the \(SIS_{{n_{\mathsf {sk}}}, q, \sqrt{{m_{\mathsf {sk}}}}}\) assumption holds and the scheme ensures double-spending detection. Then \(\mathsf {BABL}\) ensures false-accusation protection.

Proof Sketch

(False-Accusation Protection (Theorem B.7)). Just like in the privacy-preserving proof we use the real/ideal world paradigm. Now, if the adversary is able to output a false proof of guilt for an honest user, one can directly construct an adversary breaking the \(SIS_{{n_{\mathsf {sk}}}, q, \sqrt{{m_{\mathsf {sk}}}}}\) assumption. If the adversary is not able to output a proof of guilt for a guilty user, this can be leveraged to distinguish the real world from the ideal world.

Copyright information

© 2021 Springer Nature Switzerland AG

Cite this paper

Faller, S.H., Baumer, P., Klooß, M., Koch, A., Ottenhues, A., Raiber, M. (2021). Black-Box Accumulation Based on Lattices. In: Paterson, M.B. (ed.) Cryptography and Coding. IMACC 2021. Lecture Notes in Computer Science, vol. 13129. Springer, Cham. https://doi.org/10.1007/978-3-030-92641-0_11

  • DOI: https://doi.org/10.1007/978-3-030-92641-0_11

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-92640-3

  • Online ISBN: 978-3-030-92641-0
