Abstract.Wepresentanimprovedlattice-basedgroupsignatureschemewhoseparametersizesand runningtimesareindependentofthegroupsize.Thesignaturelengthinourschemeisaround200KB, whichisapproximatelya3Xreductionoverthepreviouslymostcompactsuchscheme,basedonany quantum-safeassumption,ofdelPinoetal.(ACMCCS2018)...

Abstract.Wepresentaquantumlysecureidentity-basedsignature schemebasedonthestandardshortintegersolutionproblem,featuringtightsecurityreductionsinthequantumandclassicrandomoracle models.Theschemehasshortsignatures.Eachsignaturecontainsasinglelatticevectorplusasinglebit.Comparedtotheexistingtightly sec...

Abstract.ThispaperintroducesBicameralandAuditablyPrivateSignatures(BAPS)–anewprivacy-preservingsignaturesystemwithseveralnovelfeatures.InaBAPSsystem,givenacertifiedattributexand acertifiedpolicyP,asignercanissueapubliclyverifiablesignatureΣ onamessagemaslongas(m,x)satisfiesP.Anoteworthycharacteristi...

Abstract—WeintroduceMatRiCT+,apracticalprivate blockchainpaymentprotocolbasedon“post-quantum”lattice assumptions.MatRiCT+buildsonMatRiCTduetoEsginetal. (ACMCCS’19)and,ingeneral,followstheRingConfidential Transactions(RingCT)approachusedinMonero,thelargest privacy-preservingcryptocurrency.Intermsofth...

Abstract.Wepresentaquantumlysecureidentity-basedsignature schemebasedonthestandardshortintegersolutionproblem,featuringtightsecurityreductionsinthequantumandclassicrandomoracle models.Theschemehasshortsignatures.Eachsignaturecontainsasinglelatticevectorplusasinglebit.Comparedtotheexistingtightly sec...

Abstract—Athresholdsignatureschemedistributestheability togeneratesignaturesthroughdistributedkeygenerationand signingprotocols.Athresholdsignatureschemeshouldbefunctionallyinterchangeable,meaningthatasignatureproducedby athresholdschemeshouldbeverifiablebythesamealgorithm usedfornon-thresholdsignat...

Abstract.Weproposeaveryfastlattice-basedzero-knowledgeproofsystemforexactlyprovingknowledgeofaternarysolutions2f−1;0;1g n toalinearequationAs=uoverZq,whichimprovesupon theprotocolbyBootle,LyubashevskyandSeiler(CRYPTO2019)byproducingproofsthatareshorter byafactorof8. Atthecoreliesatechniquethatutiliz...

Abstract.Weconstructapracticallattice-basedzero-knowledgeargumentforprovingmultiplicative relationsbetweencommittedvalues.Theunderlyingcommitmentschemethatweuseisthecurrently mostefficientoneofBaumetal.(SCN2018),andthesizeofourmultiplicativeproof(9KB)isonly slightlylargerthanthe7KBrequiredforjustpro...

Lattice-basedcryptographyisevolvingrapidlyandisoftenemployedtodesigncryptographicprimitivesthatholdagreatpromisetobepost-quantumresistantandcanbeemployedinmultipleapplicationsettingssuchas:e-cash,uniquedigitalsignatures,non-interactivelotteryandothers.Insuch applicationscenarios,auserisoftenrequired...

Weintroducethenotionofhybridtrapdoorcommitmentschemes.Intuitivelyahybridtrapdoorcommitmentschemeisa primitivewhichcanbeeitheranunconditionallybindingcommitmentschemeoratrapdoorcommitmentschemedependingonthe distributionofcommitmentparameters.Moreover,suchtwopossibledistributionsarecomputationallyind...

Abstract.Wepresentaquantumlysecureidentity-basedsignature schemebasedonthestandardshortintegersolutionproblem,featuringtightsecurityreductionsinthequantumandclassicrandomoracle models.Theschemehasshortsignatures.Eachsignaturecontainsasinglelatticevectorplusasinglebit.Comparedtotheexistingtightly sec...

Abstract—Theultimategoalinmodernsecuree-votingis toenableeveryonetoverifywhetherthefinalelection resultcorrectlyreflectsthevoteschosenbythe(human) voters,withoutexposinghoweachindividualvoted.These fundamentalsecuritypropertiesarecalledend-to-endveri fiabilityandvoterprivacy.Unfortunately,itturnsout...

Abstract.Wegiveaconstructionofanefficientone-out-of-manyproof system,inwhichaprovershowsthatheknowsthepre-imageforone elementinaset,basedonthehardnessoflatticeproblems.Theconstructionemploystherecentzero-knowledgeframeworkofLyubashevsky etal.(Crypto2022)togetherwithanimproved,overpriorlattice-based ...

Abstract.Inthiswork,weconstructthefirstdigitalsignature(SIG) andpublic-keyencryption(PKE)schemeswithalmosttightmulti-user securityunderadaptivecorruptionsbasedonthelearning-with-errors (LWE)assumptioninthestandardmodel.OurPKEschemeachievesalmosttightIND-CCAsecurityandourSIGschemeachievesalmosttight ...

Abstract.Inthispaper,weconsidertightmulti-usersecurityunder adaptivecorruptions,wheretheadversarycanadaptivelycorruptsome usersandobtaintheirsecretkeys.Weproposegenericconstructionsfor abunchofprimitives,andtheinstantiationsfromthematrixdecisional Diffie-Hellman(MDDH)assumptionsyieldthefollowingsche...

Abstract.Inthispaper,weconsidertightmulti-usersecurityunder adaptivecorruptions,wheretheadversarycanadaptivelycorruptsome usersandobtaintheirsecretkeys.Weproposegenericconstructionsfor abunchofprimitives,andtheinstantiationsfromthematrixdecisional Diffie-Hellman(MDDH)assumptionsyieldthefollowingsche...

ABSTRACT Cryptographicvotingprotocolshaverecentlyseenmuchinterest frompractitionersduetotheir(planned)useincountriessuchas Estonia,Switzerland,France,andAustralia.Practicalprotocolsusuallyrelyontesteddesignssuchasthemixing-and-decryptionparadigm.There,multipleserversverifiablyshuffleencryptedballots...

Inagroupsignaturescheme,userscananonymouslysignmessagesonbehalfofthegroup theybelongto,yetitispossibletotracethesignerwhenneeded.Sincethefirstproposal oflattice-basedgroupsignaturesintherandomoraclemodelbyGordon,Katz,andVaikuntanathan(ASIACRYPT2010),therealizationoftheminthestandardmodelfromlattices...

Abstract—Weconsidertheproblemofincreasingthethreshold parameterofasecret-sharingschemeafterthesetup(sharedistribution)phase,withoutfurthercommunicationbetweenthedealer andtheshareholders.Previoussolutionstothisproblemrequire onetostartoffwithanonstandardschemedesignedspecifically forthispurpose,orto...

Abstract—Theultimategoalinmodernsecuree-votingis toenableeveryonetoverifywhetherthefinalelection resultcorrectlyreflectsthevoteschosenbythe(human) voters,withoutexposinghoweachindividualvoted.These fundamentalsecuritypropertiesarecalledend-to-endveri fiabilityandvoterprivacy.Unfortunately,itturnsout...