CryptoDB
Adeline Roux-Langlois
ORCID: 0000-0003-0617-9606
Publications
Year
Venue
Title
2023
PKC
A Generic Transform from Multi-Round Interactive Proof to NIZK
Abstract
We present a new generic transform that takes a multi-round interactive proof for the membership of a language L and outputs a non-interactive zero-knowledge proof (not of knowledge) in the common reference string model. Similar to the Fiat-Shamir transform, it requires a hash function H. However, in our transform the zero-knowledge property is in the standard model, and the adaptive soundness is in the non-programmable random oracle model (NPROM).
Behind this new generic transform, we build a new generic OR-composition of two multi-round interactive proofs. Note that the two common techniques for building OR-proofs (parallel OR-proof and sequential OR-proof) cannot be naturally extended to the multi-round setting. We also give a proof of security for our OR-proof in the quantum oracle model (QROM), surprisingly the security loss in QROM is independent from the number of rounds.
2023
CRYPTO
Lattice Signature with Efficient Protocols, Application to Anonymous Credentials
Abstract
Digital signature is an essential primitive in cryptography, which can be used as the digital analogue of handwritten signatures but also as a building block for more complex systems. In the latter case, signatures with specific features are needed, so as to smoothly interact with the other components of the systems, such as zero-knowledge proofs. This has given rise to so-called signatures with efficient protocols, a versatile tool that has been used in countless applications. Designing such signatures is however quite difficult, in particular if one wishes to withstand quantum computing. We are indeed aware of only one post-quantum construction, proposed by Libert et al. at Asiacrypt'16, yielding very large signatures and proofs.
In this paper, we propose a new construction that can be instantiated in both standard lattices and structured ones, resulting in each case in dramatic performance improvements. In particular, the size of a proof of message-signature possession, which is one of the main metrics for such schemes, can be brought down to less than 650 KB. As our construction retains all the features expected from signatures with efficient protocols, it can be used as a drop-in replacement in all systems using them, which mechanically improves their own performance, and has thus a direct impact on many applications. It can also be used to easily design new privacy-preserving mechanisms. As an example, we provide the first lattice-based anonymous credentials system.
2022
ASIACRYPT
Log-$\mathcal{S}$-unit lattices using Explicit Stickelberger Generators to solve Approx Ideal-SVP
Abstract
In 2020, Bernard and Roux-Langlois introduced the Twisted-PHS algorithm to solve Approx-SVP for ideal lattices on any number field, based on the PHS algorithm by Pellet-Mary, Hanrot and Stehlé. They performed experiments for prime conductors cyclotomic fields of degrees at most 70, one of the main bottlenecks being the computation of a log-$\mathcal{S}$-unit lattice which requires subexponential time.
Our main contribution is to extend these experiments to cyclotomic fields of degree up to 210 for most conductors $m$. Building upon new results from Bernard and Kučera on the Stickelberger ideal, we use explicit generators to construct full-rank log-$\mathcal{S}$-unit sublattices fulfilling the role of approximating the full Twisted-PHS lattice. In our best approximate regime, our results show that the Twisted-PHS algorithm outperforms, over our experimental range, the CDW algorithm by Cramer, Ducas and Wesolowski, and sometimes beats its asymptotic volumetric lower bound.
Additionally, we use these explicit Stickelberger generators to remove almost all quantum steps in the CDW algorithm, under the mild restriction that the plus part of the class number verifies $h^+_m\leq O(\sqrt{m})$.
2022
JOFC
On the Hardness of Module Learning with Errors with Short Distributions
Abstract
The Module Learning With Errors ( $$\text {M-LWE}$$ M-LWE ) problem is a core computational assumption of lattice-based cryptography which offers an interesting trade-off between guaranteed security and concrete efficiency. The problem is parameterized by a secret distribution as well as an error distribution. There is a gap between the choices of those distributions for theoretical hardness results (standard formulation of $$\text {M-LWE}$$ M-LWE , i.e., uniform secret modulo q and Gaussian error) and practical schemes (small bounded secret and error). In this work, we make progress toward narrowing this gap. More precisely, we prove that $$\text {M-LWE}$$ M-LWE with uniform $$\eta $$ η -bounded secret for any $$1 \le \eta \ll q$$ 1 ≤ η ≪ q and Gaussian error, in both its search and decision variants, is at least as hard as the standard formulation of $$\text {M-LWE}$$ M-LWE , provided that the module rank d is at least logarithmic in the ring degree n . We also prove that the search version of $$\text {M-LWE}$$ M-LWE with large uniform secret and uniform $$\eta $$ η -bounded error is at least as hard as the standard $$\text {M-LWE}$$ M-LWE problem, if the number of samples m is close to the module rank d and with further restrictions on $$\eta $$ η . The latter result can be extended to provide the hardness of search $$\text {M-LWE}$$ M-LWE with uniform $$\eta $$ η -bounded secret and error under specific parameter conditions. Overall, the results apply to all cyclotomic fields, but most of the intermediate results are proven in more general number fields.
2020
ASIACRYPT
Towards Classical Hardness of Module-LWE: The Linear Rank Case
📺
Abstract
We prove that the module learning with errors (M-LWE) problem with arbitrary polynomial-sized modulus $p$ is \emph{classically} at least as hard as standard worst-case lattice problems, as long as the module rank $d$ is
not smaller than the ring dimension $n$.
Previous publications only showed the hardness under quantum reductions.
We achieve this result in an analogous manner as in the case of the learning with errors (LWE) problem.
First, we show the classical hardness of M-LWE with an exponential-sized modulus.
In a second step, we prove the hardness of M-LWE using a binary secret.
And finally, we provide a modulus reduction technique.
The complete result applies to the class of power-of-two cyclotomic fields.
However, several tools hold for more general classes of number fields and may be of independent interest.
2020
ASIACRYPT
Twisted-PHS: Using the Product Formula to Solve Approx-SVP in Ideal Lattices
📺
Abstract
Approx-SVP is a well-known hard problem on lattices, which asks to find short vectors on a given lattice, but its variant restricted to ideal lattices (which correspond to ideals of the ring of integers $\mathcal{O}_{K}$ of a number field $K$) is still not fully understood. For a long time, the best known algorithm to solve this problem on ideal lattices was the same as for arbitrary lattice. But recently, a series of works tends to show that solving this problem could be easier in ideal lattices than in arbitrary ones, in particular in the quantum setting.
Our main contribution is to propose a new ``twisted'' version of the PHS (by Pellet-Mary, Hanrot and Stehlé 2019) algorithm, that we call Twisted-PHS. As a minor contribution, we also propose several improvements of the PHS algorithm. On the theoretical side, we prove that our twisted-PHS algorithm performs at least as well as the original PHS algorithm. On the practical side though, we provide a full implementation of our algorithm which suggest that much better approximation factors are achieved, and that the given lattice bases are a lot more orthogonal than the ones used in PHS. This is the first time to our knowledge that this type of algorithm is completely implemented and tested for fields of degrees up to 60.
2019
ASIACRYPT
Middle-Product Learning with Rounding Problem and Its Applications
Abstract
At CRYPTO 2017, Roşca et al. introduce a new variant of the Learning With Errors (LWE) problem, called the Middle-Product LWE (
$${\mathrm {MP}\text {-}\mathrm{LWE}}$$
). The hardness of this new assumption is based on the hardness of the Polynomial LWE (P-LWE) problem parameterized by a set of polynomials, making it more secure against the possible weakness of a single defining polynomial. As a cryptographic application, they also provide an encryption scheme based on the
$${\mathrm {MP}\text {-}\mathrm{LWE}}$$
problem. In this paper, we propose a deterministic variant of their encryption scheme, which does not need Gaussian sampling and is thus simpler than the original one. Still, it has the same quasi-optimal asymptotic key and ciphertext sizes. The main ingredient for this purpose is the Learning With Rounding (LWR) problem which has already been used to derandomize LWE type encryption. The hardness of our scheme is based on a new assumption called Middle-Product Computational Learning With Rounding, an adaption of the computational LWR problem over rings, introduced by Chen et al. at ASIACRYPT 2018. We prove that this new assumption is as hard as the decisional version of MP-LWE and thus benefits from worst-case to average-case hardness guarantees.
2015
ASIACRYPT
Program Committees
- Eurocrypt 2024
- PKC 2023
- Asiacrypt 2023
- Eurocrypt 2021
- Crypto 2019
- PKC 2018
Coauthors
- Martin R. Albrecht (1)
- Shi Bai (3)
- Olivier Bernard (2)
- Katharina Boudgoust (3)
- Catalin Cocis (1)
- Dipayan Das (1)
- Pierre-Alain Fouque (1)
- Adela Georgescu (1)
- Corentin Jeudy (3)
- Fabien Laguillaumie (2)
- Tancrède Lepoint (2)
- Andrea Lesavourey (1)
- Benoît Libert (1)
- San Ling (1)
- Thuc D. Nguyen (1)
- Khoa Nguyen (1)
- Chen Qian (1)
- Adeline Roux-Langlois (13)
- Amin Sakzad (1)
- Olivier Sanders (1)
- Damien Stehlé (4)
- Ron Steinfeld (3)
- Huaxiong Wang (1)
- Weiqiang Wen (4)
- Zhenfei Zhang (1)