TY - CHAP
T1 - Zero-knowledge arguments for lattice-based accumulators
T2 - 35th Annual International Conference on Theory and Applications of Cryptographic Techniques, EUROCRYPT 2016
AU - Libert, Benoît
AU - Ling, San
AU - Nguyen, Khoa
AU - Wang, Huaxiong
PY - 2016
Y1 - 2016
N2 - An accumulator is a function that hashes a set of inputs into a short, constant-size string while preserving the ability to efficiently prove the inclusion of a specific input element in the hashed set. It has proved useful in the design of numerous privacy-enhancing protocols, in order to handle revocation or simply prove set membership. In the lattice setting, currently known instantiations of the primitive are based on Merkle trees, which do not interact well with zero-knowledge proofs. In order to efficiently prove the membership of some element in a zeroknowledge manner, the prover has to demonstrate knowledge of a hash chain without revealing it, which is not known to be efficiently possible under well-studied hardness assumptions. In this paper, we provide an efficient method of proving such statements using involved extensions of Stern’s protocol. Under the Small Integer Solution assumption, we provide zero-knowledge arguments showing possession of a hash chain. As an application, we describe new lattice-based group and ring signatures in the random oracle model. In particular, we obtain: (i) The first latticebased ring signatures with logarithmic size in the cardinality of the ring; (ii) The first lattice-based group signature that does not require any GPV trapdoor and thus allows for a much more efficient choice of parameters.
AB - An accumulator is a function that hashes a set of inputs into a short, constant-size string while preserving the ability to efficiently prove the inclusion of a specific input element in the hashed set. It has proved useful in the design of numerous privacy-enhancing protocols, in order to handle revocation or simply prove set membership. In the lattice setting, currently known instantiations of the primitive are based on Merkle trees, which do not interact well with zero-knowledge proofs. In order to efficiently prove the membership of some element in a zeroknowledge manner, the prover has to demonstrate knowledge of a hash chain without revealing it, which is not known to be efficiently possible under well-studied hardness assumptions. In this paper, we provide an efficient method of proving such statements using involved extensions of Stern’s protocol. Under the Small Integer Solution assumption, we provide zero-knowledge arguments showing possession of a hash chain. As an application, we describe new lattice-based group and ring signatures in the random oracle model. In particular, we obtain: (i) The first latticebased ring signatures with logarithmic size in the cardinality of the ring; (ii) The first lattice-based group signature that does not require any GPV trapdoor and thus allows for a much more efficient choice of parameters.
UR - http://www.scopus.com/inward/record.url?scp=84964923600&partnerID=8YFLogxK
U2 - 10.1007/978-3-662-49896-5_1
DO - 10.1007/978-3-662-49896-5_1
M3 - Chapter
AN - SCOPUS:84964923600
SN - 9783662498958
T3 - Lecture Notes in Computer Science
SP - 1
EP - 31
BT - Advances in Cryptology - EUROCRYPT 2016
A2 - Fischlin, Marc
A2 - Coron, Jean-Sébastien
PB - Springer, Springer Nature
CY - Berlin
Y2 - 8 May 2016 through 12 May 2016
ER -