Zero-Knowledge Arguments for Lattice-Based Accumulators

  1. Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures without Trapdoors
     Benoît Libert¹, San Ling², Khoa Nguyen², Huaxiong Wang²
     ¹ École Normale Supérieure de Lyon (France), ² Nanyang Technological University (Singapore)
     EUROCRYPT 2016 - Vienna, Austria

  2. Outline
     1. Introduction
     2. Our Accumulator and Its Supporting Zero-Knowledge Argument
     3. Applications to Ring and Group Signatures

     Khoa Nguyen (NTU, Singapore) ZK arguments for lattice-based accumulators EUROCRYPT 2016 2 / 17

  3. Cryptographic Accumulators
     - Accumulator [BdM’93]: a function hashing a large data set $R = \{d_0, \ldots, d_{N-1}\}$ into a constant-size value $u$.
     - For any $d \in R$, there is a short witness $w$ that $d$ was accumulated into $u$.
     - It is infeasible to compute a valid witness $w^*$ for some $d^* \notin R$.
     - Numerous applications in authentication mechanisms.
     - In many scenarios, a ZK proof of an input-witness pair $(d, w)$ is desirable.

  4. Previous Works
     - 2 main families of number-theoretic accumulators: based on groups of hidden order, or on pairings (strong RSA and strong DH assumptions).
     - A 3rd family relies on Merkle trees: hardly compatible with ZK proofs. Known methods require non-standard assumptions in groups of hidden order [BCG’14] or non-falsifiable knowledge assumptions [BSCG+’14].
     - [PSTY’13]: SIS-based Merkle tree; supporting ZK proofs were not considered.

  7. Our Results
     - First lattice-based accumulator supported by logarithmic-size ZK arguments.
     - We build Merkle trees from a family of SIS-based CRHF $\mathcal{H} : D \times D \to D$.
     - We demonstrate in ZK the possession of a Merkle tree path (hash chain).
     - Applications:
       1. First lattice-based logarithmic-size ring signature.
       2. First group signature without lattice trapdoors. Previous constructions [GKV’10, CNR’12, LLLS’13, LNW’15, NZZ’15] rely on trapdoors for key generation and/or for enabling tracing.
     - Being trapdoor-less: smaller parameters, shorter key and signature sizes. User’s signing key in our scheme has size of several KBs, compared with ≈ 90 GBs in [NZZ’15].

  8. Outline
     1. Introduction
     2. Our Accumulator and Its Supporting Zero-Knowledge Argument
     3. Applications to Ring and Group Signatures

  10. A Family of Lattice-Based CRHF
     Let $n$ be the security parameter, $q = \widetilde{O}(n)$, $k = \lceil \log_2 q \rceil$, and $m = 2nk$. Define:
     $$G = \begin{bmatrix} 1\ 2\ 4\ \cdots\ 2^{k-1} & & \\ & \ddots & \\ & & 1\ 2\ 4\ \cdots\ 2^{k-1} \end{bmatrix} \in \mathbb{Z}_q^{n \times nk}.$$
     For all $v \in \mathbb{Z}_q^n$: $v = G \cdot \mathrm{bin}(v)$, where $\mathrm{bin}(v) \in \{0,1\}^{nk}$ is the binary representation of $v$.
     Define the family $\mathcal{H} : \{0,1\}^{nk} \times \{0,1\}^{nk} \to \{0,1\}^{nk}$ as $\mathcal{H} = \{ h_A \mid A \in \mathbb{Z}_q^{n \times m} \}$, where for $A = [A_0 \mid A_1]$ with $A_0, A_1 \in \mathbb{Z}_q^{n \times nk}$, and $(u_0, u_1) \in \{0,1\}^{nk} \times \{0,1\}^{nk}$,
     $$h_A(u_0, u_1) = \mathrm{bin}\big(A_0 \cdot u_0 + A_1 \cdot u_1 \bmod q\big) \in \{0,1\}^{nk}.$$
     Note that $h_A(u_0, u_1) = u \Leftrightarrow A_0 \cdot u_0 + A_1 \cdot u_1 = G \cdot u \bmod q$.
     $\mathcal{H}$ is collision-resistant, assuming that $\mathrm{SIS}^{\infty}_{n,m,q,1}$ is hard.

  11. From CRHF to Merkle-tree-style Accumulators
     [Figure: binary tree with root $u$; internal nodes $u_0, u_1$ and $u_{00}, u_{01}, u_{10}, u_{11}$; leaves $u_{000}, \ldots, u_{111}$ holding the data blocks $d_0, \ldots, d_7$.]
     A Merkle tree with $2^3 = 8$ leaves, which accumulates the data blocks $d_0, \ldots, d_7$ into the value $u$ at the root. The value at each non-leaf node is the hash of its two children. The brown nodes together with the bit string $(j_3, j_2, j_1) = (1, 0, 1)$ form a witness to the fact that $d_5$ is accumulated into $u$.

  15. Proving Knowledge of an Accumulated Value
     [Figure: tree path with nodes $u$, $v_1$, $v_2$, $v_3$ and siblings $w_1$, $w_2$, $w_3$; successive builds of the slide annotate $j_2 = 0$ and $j_3 = 1$.]
     Public input: $A$; $u = v_0$.
     Secret input: $(w_\ell, \ldots, w_1)$, $(v_\ell, \ldots, v_1)$, $(j_\ell, \ldots, j_1)$.
     Prover’s goal: proving that
     $$\forall i \in \{\ell - 1, \ldots, 1, 0\}: \quad v_i = \begin{cases} h_A(v_{i+1}, w_{i+1}), & \text{if } j_{i+1} = 0; \\ h_A(w_{i+1}, v_{i+1}), & \text{if } j_{i+1} = 1. \end{cases}$$
     - ✗ Previous protocols for SIS-based hash functions ([Lyu’08,09,12], [LNSW’13]) only prove knowledge of a hidden preimage for a given image.
     - ? Here, we essentially need to prove knowledge of “$\ell$ hidden preimage-image pairs nested along a hidden path.”

  17. Transformations
     For any bit $b$ and binary vector $v$, define $\bar{b} = 1 - b$ and $\mathrm{ext}(b, v) = \begin{pmatrix} \bar{b} \cdot v \\ b \cdot v \end{pmatrix}$.
     Observe that
     $$v_i = \begin{cases} h_A(v_{i+1}, w_{i+1}), & \text{if } j_{i+1} = 0; \\ h_A(w_{i+1}, v_{i+1}), & \text{if } j_{i+1} = 1 \end{cases}$$
     is equivalent to:
     $$\begin{aligned}
     & v_i = \bar{j}_{i+1} \cdot h_A(v_{i+1}, w_{i+1}) + j_{i+1} \cdot h_A(w_{i+1}, v_{i+1}) \\
     \Leftrightarrow\ & \bar{j}_{i+1} \cdot \big(A_0 \cdot v_{i+1} + A_1 \cdot w_{i+1}\big) + j_{i+1} \cdot \big(A_0 \cdot w_{i+1} + A_1 \cdot v_{i+1}\big) = G \cdot v_i \bmod q \\
     \Leftrightarrow\ & A \cdot \begin{pmatrix} \bar{j}_{i+1} \cdot v_{i+1} \\ j_{i+1} \cdot v_{i+1} \end{pmatrix} + A \cdot \begin{pmatrix} j_{i+1} \cdot w_{i+1} \\ \bar{j}_{i+1} \cdot w_{i+1} \end{pmatrix} = G \cdot v_i \bmod q \\
     \Leftrightarrow\ & A \cdot \mathrm{ext}(j_{i+1}, v_{i+1}) + A \cdot \mathrm{ext}(\bar{j}_{i+1}, w_{i+1}) = G \cdot v_i \bmod q.
     \end{aligned}$$

  19. Developing Stern’s Protocol
     Now, the task is to prove in ZK the possession of $\{j_i, v_i, w_i\}_{i=1}^{\ell}$ s.t. $\forall i \in \{\ell - 1, \ldots, 0\}$:
     $$A \cdot \mathrm{ext}(j_{i+1}, v_{i+1}) + A \cdot \mathrm{ext}(\bar{j}_{i+1}, w_{i+1}) = G \cdot v_i \bmod q. \qquad (1)$$
     Stern’s protocol [Stern’96]: main ideas
     - Proving in ZK the possession of a binary vector $s$ with fixed Hamming weight $t$, s.t. $M \cdot s = u \bmod q$, for given $(M, u)$.
       1. Proving the linear equation: show that $M(s + r) = u + M \cdot r \bmod q$, for random $r$.
       2. Proving the constraint of $s$: show that $\pi(s)$ has weight $t$, for random $\pi$.
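
The hash $h_A$, the Merkle-tree accumulator with its witness for $d_5$, and equation (1) from the slides above, worked through in Python as an added example (not code from the talk or the paper). The parameters n = 4 and q = 17, the helper names and the random leaves are assumptions made for illustration, and they are far too small to be secure.

```python
import random

N, Q = 4, 17                       # toy parameters (assumed; far too small for security)
K = (Q - 1).bit_length()           # k = ceil(log2 q)
NK = N * K                         # every tree node is a vector in {0,1}^{nk}

def bin_vec(v):                    # bin(v): k bits per entry, least significant first
    return [(x >> i) & 1 for x in v for i in range(K)]
def g_mul(u):                      # G*u mod q, with G = I_n (x) [1 2 4 ... 2^(k-1)]
    return [sum(u[r * K + i] << i for i in range(K)) % Q for r in range(N)]
def a_mul(A, x):                   # A*x mod q for A in Z_q^{n x 2nk}
    return [sum(a * b for a, b in zip(row, x)) % Q for row in A]
def h(A, u0, u1):                  # h_A(u0,u1) = bin(A0*u0 + A1*u1 mod q), A = [A0|A1]
    return bin_vec(a_mul(A, u0 + u1))

def accumulate(A, leaves):         # all tree levels, root level first
    levels = [leaves]
    while len(levels[0]) > 1:
        cur = levels[0]
        levels.insert(0, [h(A, cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def witness(levels, idx):          # (j_1..j_l) and siblings (w_1..w_l), listed top-down
    l = len(levels) - 1
    bits = [(idx >> (l - i)) & 1 for i in range(1, l + 1)]
    sibs = [levels[i][(idx >> (l - i)) ^ 1] for i in range(1, l + 1)]
    return bits, sibs

def verify(A, u, d, bits, sibs):   # recompute v_{l-1}, ..., v_0 from v_l = d
    v = d
    for j, w in zip(reversed(bits), reversed(sibs)):
        v = h(A, v, w) if j == 0 else h(A, w, v)
    return v == u

def ext(b, v):                     # ext(b, v) = ((1-b)*v ; b*v)
    return [(1 - b) * x for x in v] + [b * x for x in v]

def eq1_holds(A, j, v_child, w, v_parent):   # A*ext(j,v) + A*ext(1-j,w) == G*v_parent mod q
    lhs = [(x + y) % Q for x, y in zip(a_mul(A, ext(j, v_child)), a_mul(A, ext(1 - j, w)))]
    return lhs == g_mul(v_parent)

def demo(seed=1):
    rng = random.Random(seed)
    A = [[rng.randrange(Q) for _ in range(2 * NK)] for _ in range(N)]
    leaves = [[rng.randrange(2) for _ in range(NK)] for _ in range(8)]   # constructed d_0..d_7
    levels = accumulate(A, leaves)
    u, (bits, sibs) = levels[0][0], witness(levels, 5)
    path = [levels[i][5 >> (3 - i)] for i in range(4)]                   # v_0 = u, ..., v_3 = d_5
    eq1 = all(eq1_holds(A, bits[i], path[i + 1], sibs[i], path[i]) for i in range(3))
    return bits, verify(A, u, leaves[5], bits, sibs), verify(A, u, leaves[4], bits, sibs), eq1
```

`demo()` returns the path bits for $d_5$, the result of verifying $d_5$ against the root, the result of verifying $d_4$ with the same witness, and whether equation (1) holds at every level of the path.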
