Improved Zero-Knowledge Identification with Lattices

Pierre-Louis Cayrel, Richard Lindner, Markus Rückert, Rosemberg Silva
2012 Tatra Mountains Mathematical Publications  
Zero-knowledge identification schemes solve the problem of authenticating one party to another via an insecure channel without disclosing any additional information that might be used by an impersonator. In this paper we propose a scheme whose security relies on the existence of a commitment scheme and on the hardness of worst-case lattice problems. We adapt a code-based identification scheme devised by Cayrel, Véron and El Yousfi, which constitutes an improvement of Stern's construction. Our solution sports analogous improvements over the lattice adaptation of Stern's scheme which Kawachi et al. presented at ASIACRYPT '08. Specifically, due to a smaller cheating probability close to 1/2 and a similar communication cost, any desired level of security will be achieved in fewer rounds. Compared to Lyubashevsky's scheme presented at ASIACRYPT '09, our proposal, like Kawachi's, offers a much milder security assumption: namely, the hardness of SIS for trinary solutions. The same assumption was used for the SWIFFT hash function, which is secure for much smaller parameters than those proposed by Lyubashevsky.

© 2012 Mathematical Institute, Slovak Academy of Sciences.
2010 Mathematics Subject Classification: 94A60, 03G10.
Keywords: lattice-based cryptography, identification scheme, hash function, SIS problem, zero-knowledge.
This research was supported by CASED (www.cased.de) and FAPESP (http://www.fapesp.br).

33 P.-L. CAYREL - R. LINDNER - M. RÜCKERT - R. SILVA

in the sense that they are worst-case instead of average-case and provide resistance against quantum adversaries. There is an efficient generic construction due to Fiat and Shamir that transforms any ID scheme into a signature scheme in the random oracle model [14]. Therefore, having an efficient ID solution from lattices gives rise to a similarly efficient signature construction, keeping the same hardness assumption. One of the main hardness assumptions for ID schemes based on lattices is the short integer solution (SIS) problem. One is given an average-case instance $A \in \mathbb{Z}_q^{n \times m}$, $m = \Omega(n \log(n))$, and a norm bound $b$. Then the task is to find a non-zero vector $v \in \mathbb{Z}^m$ such that $Av \equiv 0 \pmod{q}$ and $\|v\|_\infty \le b$. This is hard to accomplish as long as there is at least one single $n$-dimensional lattice where solving the approximate shortest vector problem is hard for approximation factors $\gamma \ge b \cdot \tilde{O}(1)$.
Hence, it is desirable to build an ID scheme based on SIS with the least possible norm bound $b$, which is $b = 1$. The most relevant ID schemes based on number-theoretic problems, e.g., [14] and [12], do not resist quantum attacks that use Shor's algorithm [33]. One of the first schemes to resist such attacks was proposed by Stern [34]. It relies on the syndrome decoding problem and uses a 3-pass zero-knowledge proof of knowledge (ZK-PoK) with a soundness error of 2/3 and perfect completeness. Recently, Kawachi, Tanaka and Xagawa [19] were able to change the security assumption of Stern's scheme to SIS with norm bound 1. With their work, Kawachi et al. provide a more efficient alternative to Lyubashevsky's ID scheme [21], [24], which uses a stronger assumption, SIS with norm bound $O(n^2 \log(n))$. In contrast to typical zero-knowledge schemes, Lyubashevsky's construction is based on a witness-indistinguishable (not zero-knowledge) proof of knowledge. Furthermore, it has no soundness error. However, it has a completeness error of $1 - 1/e$, which leads to increased communication costs and the undesirable scenario of an honest prover being rejected by the verifier. In code-based cryptography, there is also the scheme proposed by Cayrel, Véron and El Yousfi [11] that improves Stern's scheme by reducing the soundness error to $q/(2(q-1)) \approx 1/2$. This improvement lowers the communication cost when comparing both schemes at a given security level. Currently, in terms of efficiency, there is no practical lattice-based construction comparable to that put forward by Cayrel, Véron and El Yousfi. We propose such a scheme with a soundness error of $(q+1)/(2q) \approx 1/2$ and perfect completeness. It is based on the same efficient version of the SIS problem that is used by Kawachi et al. and by the SWIFFT compression function [25].
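Two points above lend themselves to a worked check: the SIS definition (a verifier accepts $v$ only if $v \ne 0$, $\|v\|_\infty \le b$ and $Av \equiv 0 \pmod q$) and the claim that a per-round cheating probability near 1/2 instead of 2/3 reaches a given security level in fewer rounds. The following Python is an added example, not code from the paper: the modulus, dimensions and matrix are constructed toy values (far too small to be secure), column 2 of $A$ was built as the sum of columns 0 and 1 so that a trinary solution is known, and the round count is the smallest $r$ with $\mathrm{err}^r \le 2^{-k}$ for the per-round soundness errors quoted in the text (2/3 for Stern, $q/(2(q-1))$ for Cayrel, Véron and El Yousfi, $(q+1)/(2q)$ for the proposed scheme).

```python
from fractions import Fraction

# Constructed toy SIS instance (not from the paper; far too small to be secure).
# A is n x m over Z_q. Column 2 was built as column 0 + column 1 (mod q), so the
# trinary vector v = (1, 1, -1, 0, 0, 0) is a known solution for norm bound b = 1.
Q, N, M = 251, 3, 6
A = [
    [3, 100, 103, 7, 88, 61],
    [17, 5, 22, 250, 13, 77],
    [42, 9, 51, 1, 200, 150],
]


def matvec_mod(A, v, q):
    """Compute A*v with every coordinate reduced modulo q."""
    return [sum(a * x for a, x in zip(row, v)) % q for row in A]


def is_sis_solution(A, v, q, bound):
    """Verifier-side check of a claimed SIS solution: v must have the right
    length, be non-zero, have infinity norm at most `bound`, and satisfy
    A*v = 0 (mod q). A vector failing any one condition is rejected."""
    if len(v) != len(A[0]):
        return False
    if all(x == 0 for x in v):
        return False                      # the zero vector is excluded by definition
    if max(abs(x) for x in v) > bound:
        return False                      # ||v||_inf > b: not short enough
    return all(c == 0 for c in matvec_mod(A, v, q))


def per_round_cheating_probability(scheme, q):
    """Soundness error of one round, as quoted in the text: 2/3 for Stern,
    q/(2(q-1)) for Cayrel-Veron-El Yousfi, (q+1)/(2q) for the proposed scheme."""
    table = {
        "stern": Fraction(2, 3),
        "cve": Fraction(q, 2 * (q - 1)),
        "proposed": Fraction(q + 1, 2 * q),
    }
    return table[scheme]


def rounds_needed(err, k):
    """Smallest number of rounds r with err**r <= 2**-k. err is a Fraction and
    the comparison is done in exact integer arithmetic, so floating-point
    rounding can never under-count the rounds by one."""
    r = 1
    while err.numerator ** r * 2 ** k > err.denominator ** r:
        r += 1
    return r


if __name__ == "__main__":
    good = [1, 1, -1, 0, 0, 0]
    print("known trinary solution accepted:", is_sis_solution(A, good, Q, 1))
    print("zero vector rejected:", not is_sis_solution(A, [0] * M, Q, 1))
    # 2*good also satisfies A*v = 0 (mod q) but violates the norm bound b = 1.
    print("too-long solution rejected:", not is_sis_solution(A, [2, 2, -2, 0, 0, 0], Q, 1))
    for scheme in ("stern", "cve", "proposed"):
        err = per_round_cheating_probability(scheme, 257)
        print(f"{scheme:9s} per-round error {float(err):.4f}, "
              f"rounds for 2^-80 soundness: {rounds_needed(err, 80)}")
```

With $q = 257$ (a constructed choice for the comparison, not a parameter from the paper) Stern's 2/3 needs 137 rounds to push the cheating probability below $2^{-80}$, while both schemes with error near 1/2 need 81; the norm-bound test shows why a verifier must check $\|v\|_\infty$ and not only $Av \equiv 0$, since any multiple of a solution also satisfies the congruence.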
Both the small soundness error and the mild assumption make our scheme more efficient than previous lattice-based ones. Moreover, by transferring code-based
doi:10.2478/v10127-012-0038-4