Skip to main content
SpringerLink
Log in

Efficient Lattice-Based Blind Signatures via Gaussian One-Time Signatures

  • Conference paper
  • First Online:
Public-Key Cryptography – PKC 2022 (PKC 2022)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 13178))

Included in the following conference series:

Abstract

Lattice-based blind signature schemes have been receiving some recent attention lately. Earlier efficient 3-round schemes (Asiacrypt 2010, Financial Cryptography 2020) were recently shown to have mistakes in their proofs, and fixing them turned out to be extremely inefficient and limited the number of signatures that a signer could send to less than a dozen (Crypto 2020). In this work we propose a round-optimal, 2-round lattice-based blind signature scheme which produces signatures of length 150 KB. The running time of the signing protocol is linear in the maximum number signatures that can be given out, and this limits the number of signatures that can be signed per public key. Nevertheless, the scheme is still quite efficient when the number of signatures is limited to a few dozen thousand, and appears to currently be the most efficient lattice-based candidate.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 79.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 99.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    If one is content with a relaxed definition of blindness where a signature is hidden among T user-signer interactions, then the running time of the scheme can be kept to O(T). This is not a standard definition of a blind signature, but we just mention this possibility in case it’s good enough for an application.

  2. 2.

    The first signature \({\mathbf {z}}\) on a message \(\mu \) is already given to the adversary in (4) and (5), so he really just has to produce a second one.

  3. 3.

    One could define the Gaussian function more generally using a covariance matrix. However, we will not need such a general case and thus we omit it for presentation purposes.

  4. 4.

    We refer to [ENS20, LNS21a] for more details on the protocol.

  5. 5.

    We remind the reader that the encryption scheme’s variables and computations are done over \({\mathcal {R}_q}\), and therefore the \(\mathsf {MLWE}\) problem is \(\mod q\), and \(S_{\gamma }\) here is those \({r \in \mathcal {R}_q}\) such that \(|r|\le \gamma \).

  6. 6.

    The forgery is one of the unexpected signatures, which exists since the adversary is expected to produce at most \(\ell \) signatures from \(\ell \) interactions.

  7. 7.

    Notice that due to this verification step, our definition of blindness is stronger than honest-signer blindness.

  8. 8.

    It seems that \({\mathcal {A}}\) could send directly the index of the unexpected signature to \({\mathcal {B}}\). This would save a factor 1/N in the winning probability of \({\mathcal {B}}\) while seemingly keeping the hardness of the forgery the same.

  9. 9.

    More specifically, we choose \(q \approx 2^{64}\) for which \(X^d+1\) splits into quadratic terms modulo q. This makes sure the one-out-of-many proof \(\pi _{\in }\) from [LNS21b] does not need any repetitions.

  10. 10.

    Intuitively, \(\tilde{\alpha }\) represents how many garbage polynomials we need to prove that coefficients a polynomial are exactly between \(-\gamma \) and \(\gamma \). For example, if one wants to prove ternary coefficients, we need three garbage polynomials.

  11. 11.

    For simplicity, we neglect the size of a challenge polynomial since it has a negligible impact on the total proof size.

  12. 12.

    Actually, the zero-knowledge property of the protocol in [LNS21a] reduces to the so-called Extended-MLWE problem. However, as argued in [LNS21a], this problem should still be almost as hard as the plain MLWE.

  13. 13.

    For instance, when \(\alpha =1\) and \(d=4096\), the public key has size \(\approx 300\) KB.

References

  1. Alkeilani Alkadri, N., El Bansarkhani, R., Buchmann, J.: BLAZE: practical lattice-based blind signatures for privacy-preserving applications. In: Bonneau, J., Heninger, N. (eds.) FC 2020. LNCS, vol. 12059, pp. 484–502. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-51280-4_26

    Chapter  Google Scholar 

  2. Attema, T., Lyubashevsky, V., Seiler, G.: Practical product proofs for lattice commitments. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12171, pp. 470–499. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_17

    Chapter  Google Scholar 

  3. Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. Cryptology ePrint Archive, Report 2015/046 (2015). https://eprint.iacr.org/2015/046

  4. Aharonov, D., Regev, O.: Lattice problems in NP cap coNP. In: FOCS, pp. 362–371. IEEE Computer Society (2004)

    Google Scholar 

  5. Agrawal, S., Stehlé, D., Yadav, A.: Towards practical and round-optimal lattice-based threshold and blind signatures. IACR Cryptology ePrint Archive, p. 381 (2021)

    Google Scholar 

  6. Banaszczyk, W.: New bounds in some transference theorems in the geometry of numbers. Math. Ann. 296(1), 625–635 (1993)

    Article  MathSciNet  Google Scholar 

  7. Bai, S., Langlois, A., Lepoint, T., Stehlé, D., Steinfeld, R.: Improved security proofs in lattice-based cryptography: using the Rényi divergence rather than the statistical distance. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 3–24. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_1

    Chapter  MATH  Google Scholar 

  8. Benhamouda, F., Lepoint, T., Loss, J., Orrù, M., Raykova, M.: On the (in)security of ROS. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12696, pp. 33–53. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_2

    Chapter  MATH  Google Scholar 

  9. Bootle, J., Lyubashevsky, V., Seiler, G.: Algebraic techniques for short(er) exact lattice-based zero-knowledge proofs. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 176–202. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_7

    Chapter  Google Scholar 

  10. Chaum, D.: Blind signatures for untraceable payments. In: CRYPTO, pp. 199–203. Plenum Press, New York (1982)

    Google Scholar 

  11. Ducas, L., et al.: CRYSTALS-dilithium: a lattice-based digital signature scheme. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(1), 238–268 (2018)

    Article  Google Scholar 

  12. del Pino, R., Lyubashevsky, V., Seiler, G.: Lattice-based group signatures and zero-knowledge proofs of automorphism stability. In: ACM Conference on Computer and Communications Security, pp. 574–591. ACM (2018)

    Google Scholar 

  13. Esgin, M.F., Nguyen, N.K., Seiler, G.: Practical exact proofs from lattices: new techniques to exploit fully-splitting rings. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 259–288. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_9

    Chapter  Google Scholar 

  14. Esgin, M.F., Steinfeld, R., Liu, J.K., Liu, D.: Lattice-based zero-knowledge proofs: new techniques for shorter and faster constructions and applications. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 115–146. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_5

    Chapter  Google Scholar 

  15. Esgin, M.F., Zhao, R.K., Steinfeld, R., Liu, J.K., Liu, D.: MatRiCT: efficient, scalable and post-quantum blockchain confidential transactions protocol. In: CCS, pp. 567–584. ACM (2019)

    Google Scholar 

  16. Groth, J., Kohlweiss, M.: One-out-of-many proofs: or how to leak a secret and spend a coin. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 253–280. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_9

    Chapter  Google Scholar 

  17. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC, pp. 197–206 (2008)

    Google Scholar 

  18. Hauck, E., Kiltz, E., Loss, J., Nguyen, N.K.: Lattice-based blind signatures, revisited. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12171, pp. 500–529. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_18

    Chapter  Google Scholar 

  19. Lyubashevsky, V., Micciancio, D.: Asymptotically efficient lattice-based digital signatures. J. Cryptol. 31(3), 774–797 (2018). Preliminare version appeared in TCC 2008

    Google Scholar 

  20. Lyubashevsky, V., Nguyen, N.K., Plançon, M., Seiler, G.: Shorter lattice-based group signatures via “almost free” encryption and other optimizations. In: ASIACRYPT. LNCS, vol. 13093, pp. 218–248. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92068-5_8

  21. Lyubashevsky, V., Nguyen, N.K., Seiler, G.: Practical lattice-based zero-knowledge proofs for integer relations. In: CCS, pp. 1051–1070. ACM (2020)

    Google Scholar 

  22. Lyubashevsky, V., Nguyen, N.K., Seiler, G.: Shorter lattice-based zero-knowledge proofs via one-time commitments. In: Garay, J.A. (ed.) PKC 2021. LNCS, vol. 12710, pp. 215–241. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-75245-3_9

    Chapter  Google Scholar 

  23. Lyubashevsky, V., Nguyen, N.K., Seiler, G.: SMILE: set membership from ideal lattices with applications to ring signatures and confidential transactions. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12826, pp. 611–640. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84245-1_21

    Chapter  Google Scholar 

  24. Langlois, A., Stehlé, D.: Worst-case to average-case reductions for module lattices. Des. Codes Crypt. 75(3), 565–599 (2014). https://doi.org/10.1007/s10623-014-9938-4

    Article  MathSciNet  MATH  Google Scholar 

  25. Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_43

    Chapter  Google Scholar 

  26. Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_41

    Chapter  Google Scholar 

  27. Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007)

    Article  MathSciNet  Google Scholar 

  28. Prest, T., et al.: FALCON. Technical report, National Institute of Standards and Technology (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions

  29. Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13(3), 361–396 (2000)

    Article  Google Scholar 

  30. Rückert, M.: Lattice-based blind signatures. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 413–430. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_24

    Chapter  Google Scholar 

  31. Yang, R., Au, M.H., Zhang, Z., Xu, Q., Yu, Z., Whyte, W.: Efficient lattice-based zero-knowledge arguments with standard soundness: construction and applications. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 147–175. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_6

    Chapter  Google Scholar 

Download references

Acknowledgement

We would like to thank anonymous reviewers for the useful feedback. This work was supported by the EU H2020 ERC Project 101002845 PLAZA.

Author information

Authors and Affiliations

  1. IBM Research, Zurich, Switzerland

    Vadim Lyubashevsky, Ngoc Khanh Nguyen & Maxime Plancon

  2. ETH Zurich, Zurich, Switzerland

    Ngoc Khanh Nguyen & Maxime Plancon

Authors
  1. Vadim Lyubashevsky
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Ngoc Khanh Nguyen
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Maxime Plancon
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. National Institute of Advanced Industrial Science and Technology (AIST), Tokyo, Japan

    Goichiro Hanaoka

  2. Yokohama National University, Yokohama, Japan

    Junji Shikata

  3. The University of Electro-Communications, Tokyo, Japan

    Yohei Watanabe

Rights and permissions

Reprints and permissions

Copyright information

© 2022 International Association for Cryptologic Research

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Lyubashevsky, V., Nguyen, N.K., Plancon, M. (2022). Efficient Lattice-Based Blind Signatures via Gaussian One-Time Signatures. In: Hanaoka, G., Shikata, J., Watanabe, Y. (eds) Public-Key Cryptography – PKC 2022. PKC 2022. Lecture Notes in Computer Science(), vol 13178. Springer, Cham. https://doi.org/10.1007/978-3-030-97131-1_17

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-97131-1_17

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-97130-4

  • Online ISBN: 978-3-030-97131-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

Search

Navigation