• PDF / 665,005 Bytes
• 31 Pages / 439.37 x 666.142 pts Page_size
• 76 Downloads / 212 Views

DOWNLOAD

REPORT

´ Ecole Normale Sup´erieure de Lyon, Laboratoire LIP, Lyon, France [email protected] School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore, Singapore

Abstract. A recent line of works – initiated by Gordon, Katz and Vaikuntanathan (Asiacrypt 2010) – gave lattice-based constructions allowing users to authenticate while remaining hidden in a crowd. Despite five years of efforts, known constructions are still limited to static sets of users, which cannot be dynamically updated. This work provides new tools enabling the design of anonymous authentication systems whereby new users can join the system at any time. Our first contribution is a signature scheme with efficient protocols, which allows users to obtain a signature on a committed value and subsequently prove knowledge of a signature on a committed message. This construction is well-suited to the design of anonymous credentials and group signatures. It indeed provides the first lattice-based group signature supporting dynamically growing populations of users. As a critical component of our group signature, we provide a simple joining mechanism of introducing new group members using our signature scheme. This technique is combined with zero-knowledge arguments allowing registered group members to prove knowledge of a secret short vector of which the corresponding public syndrome was certified by the group manager. These tools provide similar advantages to those of structure-preserving signatures in the realm of bilinear groups. Namely, they allow group members to generate their own public key without having to prove knowledge of the underlying secret key. This results in a two-message joining protocol supporting concurrent enrollments, which can be used in other settings such as group encryption. Our zero-knowledge arguments are presented in a unified framework where: (i) The involved statements reduce to arguing possession of a {−1, 0, 1}-vector x with a particular structure and satisfying P · x = v mod q for some public matrix P and vector v; (ii) The reduced statements can be handled using permuting techniques for Stern-like protocols. Our framework can serve as a blueprint for proving many other relations in lattice-based cryptography. Keywords: Lattice-based cryptography · Anonymity · Signatures with efficient protocols · Dynamic group signatures · Anonymous credentials c International Association for Cryptologic Research 2016  J.H. Cheon and T. Takagi (Eds.): ASIACRYPT 2016, Part II, LNCS 10032, pp. 373–403, 2016. DOI: 10.1007/978-3-662-53890-6 13

374

1

B. Libert et al.

Introduction

Lattice-based cryptography is currently emerging as a promising alternative to traditional public-key techniques. During the last decade, it has received a permanent interest due to its numerous advantages. Not only does it seemingly resist quantum attacks, it also provides a better asymptotic efficiency than its relatives based on conventional number theory. While enabling many advanced functionalities [41,44,45], lattice-based primitives te

Recommend Documents

Cryptanalysis of Two Fully Anonymous Attribute-Based Group Signature Schemes with Verifier-Local Revocation from Lattice

193 69 34MB

Group Signature Without Random Oracles from Randomizable Signatures

172 14 12MB

Short Threshold Dynamic Group Signatures

163 104 16MB

Asymptotically Efficient Lattice-Based Digital Signatures

166 72 549KB

Signatures with Tight Multi-user Security from Search Assumptions

147 45 39MB

Foundations of Fully Dynamic Group Signatures

189 3 2MB

Efficient Unlinkable Sanitizable Signatures from Signatures with Re-randomizable Keys

172 29 565KB

Constant-Size Lattice-Based Group Signature with Forward Security in the Standard Model

162 89 12MB

Homomorphic Signature Schemes A Survey

183 83 920KB

Kummer surfaces associated with group schemes

211 21 440KB

Short Lattice Signatures in the Standard Model with Efficient Tag Generation

133 69 12MB

An Attack on Some Signature Schemes Constructed from Five-Pass Identification Schemes

152 100 25MB