# Better Zero-Knowledge Proofs for Lattice Encryption and Their Application to Group Signatures

@inproceedings{Benhamouda2014BetterZP, title={Better Zero-Knowledge Proofs for Lattice Encryption and Their Application to Group Signatures}, author={Fabrice Benhamouda and Jan Camenisch and Stephan Krenn and Vadim Lyubashevsky and Gregory Neven}, booktitle={ASIACRYPT}, year={2014} }

Lattice problems are an attractive basis for cryptographic systems because they seem to offer better security than discrete logarithm and factoring based problems. Efficient lattice-based constructions are known for signature and encryption schemes. However, the constructions known for more sophisticated schemes such as group signatures are still far from being practical. In this paper we make a number of steps towards efficient lattice-based constructions of more complex cryptographic…

## 102 Citations

### Efficient Commitments and Zero-Knowledge Protocols from Ring-SIS with Applications to Lattice-based Threshold Cryptosystems

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2016

An additively homomorphic commitment scheme with hardness based on the Ring-SIS problem is presented, which is statistically hiding as well as computationally binding and allows to commit to a vector of ring elements at once.

### Lattice-based group encryptions with only one trapdoor

- Computer Science, MathematicsScience China Information Sciences
- 2022

An integrated zero-knowledge argument system that is friendly to both accumulated values and hidden matrices and supports eﬃcient designs from lattices is developed and the security of the proposed scheme in the standard model is proved, which retains the strongest level of security as the only currently available candidate.

### Relaxed Lattice-Based Signatures with Short Zero-Knowledge Proofs

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2017

This paper builds a similar framework for lattice-based schemes by presenting a signature and commitment scheme that are compatible with Lyubashevsky’s Fiat-Shamir proofs with abort, currently the most efficient zero-knowledge proofs for lattices.

### One-Shot Verifiable Encryption from Lattices

- Computer Science, MathematicsEUROCRYPT
- 2017

A new construction of a verifiable encryption scheme, based on the hardness of the Ring-LWE problem in the random-oracle model, for short solutions to linear equations over polynomial rings, with interesting aspects that the decryption algorithm is probabilistic and uses the proof as input (rather than using only the ciphertext).

### Unidirectional IBPRE scheme from lattice for cloud computation

- Computer Science, MathematicsJ. Ambient Intell. Humaniz. Comput.
- 2016

This paper presents an IB-PRE scheme based on lattices with the highly desirable properties of anonymity, uni-directionality, multi-use and backward collusion safety, to the best of the knowledge, it is the first IB- PRE scheme from lattices which provides those properties.

### Provably Secure Group Signature Schemes From Code-Based Assumptions

- Computer Science, MathematicsIEEE Transactions on Information Theory
- 2020

A new verifiable encryption protocol for the randomized McEliece encryption and a novel approach to design formal security reductions from the Syndrome Decoding problem are introduced.

### Zero-Knowledge Arguments for Lattice-Based PRFs and Applications to E-Cash

- Mathematics, Computer ScienceASIACRYPT
- 2017

This work considers the problem of proving the correct evaluation of lattice-based PRFs based on the Learning-With-Rounding problem, and designs the first compact e-cash system based on lattice assumptions.

### Applications of Structure-Preserving Cryptography and Pairing-Based NIZK Proofs

- Computer Science, Mathematics
- 2015

Using linearly homomorphic structurepreserving signatures, non-malleable commitments to group elements and non-interactive zero-knowledge proofs, as well as public-key encryption schemes that resist chosen-ciphertext attacks are obtained.

### Privacy-preserving cryptography from pairings and lattices

- Computer Science, Mathematics
- 2018

This thesis studies provably secure privacy-preserving cryptographic constructions, and proposes two constructions of group signatures for dynamically growing groups, and an adaptive oblivious transfer protocol, which allows a user to anonymously query an encrypted database, while keeping the unrequested messages hidden.

### Efficient Verifiable Partially-Decryptable Commitments from Lattices and Applications

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2022

This work introduces verifiable partially-decryptable commitments (VPDC), as a building block for constructing efficient privacy-preserving protocols supporting auditability by a trusted party, and introduces a general decryption feasibility result that overcomes the challenges in relaxed proofs arising in the lattice setting.

## References

SHOWING 1-10 OF 59 REFERENCES

### Lattice Signatures Without Trapdoors

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2011

This work provides an alternative method for constructing lattice-based digital signatures which does not use the "hash-and-sign" methodology, and shows that by slightly changing the parameters, one can get even more efficient signatures that are based on the hardness of the Learning With Errors problem.

### Lattice-Based Identification Schemes Secure Under Active Attacks

- Computer Science, MathematicsPublic Key Cryptography
- 2008

This work constructs a 3-move identification scheme whose security is based on the worst-case hardness of the shortest vector problem in all lattices, and also presents a more efficient versionbased on the hardness ofthe same problem in ideal lattices.

### Efficient Public Key Encryption Based on Ideal Lattices

- Computer Science, MathematicsASIACRYPT
- 2009

This work achieves CPA-security against subexponential attacks, with (quasi-)optimal asymptotic performance, in public key encryption schemes with security provably based on the worst case hardness of the approximate Shortest Vector Problem in some structured lattices, called ideal lattices.

### Making NTRU as Secure as Worst-Case Problems over Ideal Lattices

- Computer Science, MathematicsEUROCRYPT
- 2011

This work shows how to modify NTRUEncrypt to make it provably secure in the standard model, under the assumed quantum hardness of standard worst-case lattice problems, restricted to a family of lattices related to some cyclotomic fields.

### Lattice-Based Group Signatures with Logarithmic Signature Size

- Computer Science, MathematicsASIACRYPT
- 2013

This paper describes the first lattice-based group signature schemes where the signature and public key sizes are essentially logarithmic in N (for any fixed security level) and proves the security of the schemes in the random oracle model under the SIS and LWE assumptions.

### Fiat-Shamir with Aborts: Applications to Lattice and Factoring-Based Signatures

- Computer Science, MathematicsASIACRYPT
- 2009

This work demonstrates how the framework that is used for creating efficient number-theoretic ID and signature schemes can be transferred into the setting of lattices and is able to shorten the length of the signatures that are produced by Girault's factoring-based digital signature scheme.

### Trapdoors for hard lattices and new cryptographic constructions

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2007

A new notion of trapdoor function with preimage sampling, simple and efficient "hash-and-sign" digital signature schemes, and identity-based encryption are included.

### A Statistically-Hiding Integer Commitment Scheme Based on Groups with Hidden Order

- Mathematics, Computer ScienceASIACRYPT
- 2002

A new definition for computationally convincing proofs of knowledge, designed to handle the case where the common input is chosen by the (possibly cheating) prover, is introduced.

### Fully Anonymous Attribute Tokens from Lattices

- Computer Science, MathematicsSCN
- 2012

This work presents a generalization of group signatures called anonymous attribute tokens where users are issued attribute-containing credentials that they can use to anonymously sign messages and generate tokens revealing only a subset of their attributes.

### Advances in Cryptology — CRYPTO’ 92

- Computer Science, MathematicsLecture Notes in Computer Science
- 2001

A new signature scheme is introduced that combines the strength of the strongest schemes with the efficiency of RSA, and uses the same amount of computation and memory as the widely applied RSA scheme.