Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from Symmetric-Key Primitives
David Derler, Sebastian Ramacher, Daniel Slamanig
PQCrypto’18, April 9, 2018
Ring Signatures
Signature attests some member of ring signed
Signer remains anonymous within ring
PQ Ring Signatures
How to build ring signatures in a post-quantum setting?
Linear size in # ring members!
Only recently first sublinear ring signatures:
From generic accumulator based approach [DKNS04]
PQ Ring Signature Intuition
Generic approach [DKNS04]
+ Incorporate message
Instantiation via Merkle trees
[Figure: Merkle tree with node labels y0,0, y0,1, y0,2, y1,2, y1,1, y2,2, x2,2, y3,2]
Public keys of users
Inner nodes: y1,1 ← H(y2,2||y3,2)
Each public key associated to a secret key
Zero-Knowledge Membership Proof
Naive approach reveals path taken
Trivial approach
[Figure: two copies of the Merkle tree, node labels y0,0, y0,1, y0,2, y1,2, y1,1, y2,2, y3,2]
Zero-Knowledge Membership Proof
Use commutative hash function? [DKNS04]
Our technique
yi = H(ai||bi) ∨ yi = H(bi||ai)
Our Ring Signatures
Unforgeability:
+ Prove that ZKB++/FS is simulation-sound extractable
Anonymity:
Instantiation & Signature Size
Instantiation
Estimated signature sizes
Ring size   |σ| (FS/ROM)   |σ| (Unruh/QROM)
2^5         2125 KB        3159 KB
2^10        4086 KB        6067 KB
2^20        8008 KB        11882 KB
Instantiating the Circuit
[Figure: multiplexer M with inputs x0, x1 and selector s; output xs]
[Figure: the same multiplexer with output x0]
[Figure: the same multiplexer with selector 1; output x1]
[Figure: circuit with inputs ai+1, bi+1, si+1, two H blocks and one multiplexer M; output ai]
[Figure: circuit with inputs ai+1, bi+1, si+1, two multiplexers M and one H block; output ai]
+ Can be optimized to only require 1 AND gate / output bit
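
Added example, not from the slides or the authors' implementation: a Python sketch of the Merkle-path check yi = H(ai||bi) ∨ yi = H(bi||ai) evaluated through multiplexers, so the same sequence of operations runs for every leaf position. SHA-256 stands in for H, the ring keys are constructed placeholders, and the shared-AND multiplexer identity is one standard way to reach one AND per bit, assumed here rather than taken from the slides; the code checks the relation in the clear and is not itself a zero-knowledge proof.

```python
import hashlib

def H(left, right):
    # Stand-in for the slides' H (assumption: SHA-256, chosen only so this runs).
    return hashlib.sha256(left + right).digest()

def mux_pair(a, b, s):
    """Return (a, b) if s == 0 and (b, a) if s == 1, without branching on s.

    d = s AND (a XOR b) costs one AND per bit and feeds both outputs.
    """
    mask = -s & 0xFF  # 0x00 when s == 0, 0xFF when s == 1
    d = bytes((x ^ y) & mask for x, y in zip(a, b))
    return bytes(x ^ z for x, z in zip(a, d)), bytes(y ^ z for y, z in zip(b, d))

def build_tree(leaves):
    """levels[0] holds the root, levels[-1] the leaves (power-of-two count)."""
    levels = [list(leaves)]
    while len(levels[0]) > 1:
        cur = levels[0]
        levels.insert(0, [H(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def witness(levels, index):
    """Pairs (sibling b, selector s) from the leaf level up to below the root."""
    path = []
    for depth in range(len(levels) - 1, 0, -1):
        path.append((levels[depth][index ^ 1], index & 1))
        index >>= 1
    return path

def verify(root, leaf, path):
    """Apply a_i = H(M(a, b, s) || M(b, a, s)) per level; same steps for any leaf."""
    a = leaf
    for b, s in path:
        left, right = mux_pair(a, b, s)
        a = H(left, right)
    return a == root

# Constructed sample ring: four placeholder values standing in for public keys.
RING = [hashlib.sha256(b"constructed-pk-%d" % i).digest() for i in range(4)]
LEVELS = build_tree(RING)
ROOT = LEVELS[0][0]

if __name__ == "__main__":
    for i, pk in enumerate(RING):
        print(i, verify(ROOT, pk, witness(LEVELS, i)))
```
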
Smaller Signatures
Signature size reduction by factor ≈ 2
Ring size   |σ| (FS/ROM)   |σ| (Unruh/QROM)
2^5         1200 KB        2289 KB
2^10        2283 KB        4388 KB
2^20        4450 KB        8584 KB
Conclusions
Important steps towards PQ privacy enhancing primitives
Very flexible
In construction of PQ dynamic group signatures
Future directions
+ Further optimizations & new constructions
Full version: https://ia.cr/2017/1154
References
[BEF18] Dan Boneh, Saba Eskandarian, and Ben Fisch. Post-quantum group signatures from symmetric primitives. IACR Cryptology ePrint Archive, 2018:261, 2018.
[DKNS04] Yevgeniy Dodis, Aggelos Kiayias, Antonio Nicolosi, and Victor Shoup. Anonymous identification in ad hoc groups. In EUROCRYPT, 2004.
[LLNW16] Benoît Libert, San Ling, Khoa Nguyen, and Huaxiong Wang. Zero-knowledge arguments for lattice-based accumulators: Logarithmic-size ring signatures and group signatures without trapdoors. In EUROCRYPT, 2016.
[MCG08] Carlos Aguilar Melchor, Pierre-Louis Cayrel, and Philippe Gaborit. A new efficient threshold ring signature scheme based on coding theory. In PQCrypto, 2008.
[MP17] Mohamed Saied Emam Mohamed and Albrecht Petzoldt. Ringrainbow - an efficient multivariate ring signature scheme. In AFRICACRYPT, 2017.