Zero-Knowledge Argument for Matrix-Vector Relations and Lattice-Based Group Encryption

Group encryption (GE) is the natural encryption analogue of group signatures in that it allows verifiably encrypting messages for some anonymous member of a group while providing evidence that the receiver is a properly certified group member. Should the need arise, an opening authority is capable of identifying the receiver of any ciphertext. As intro- duced by Kiayias, Tsiounis and Yung (Asiacrypt’07), GE is motivated by applications in the context of oblivious retriever storage systems, anony- mous third parties and hierarchical group signatures. This paper provides the first realization of group encryption under lattice assumptions. Our construction is proved secure in the standard model (assuming interac- tion in the proving phase) under the Learning-With-Errors (LWE) and Short-Integer-Solution (SIS) assumptions. As a crucial component of our system, we describe a new zero-knowledge argument system allowing to demonstrate that a given ciphertext is a valid encryption under some hid- den but certified public key, which incurs to prove quadratic statements about LWE relations. Specifically, our protocol allows arguing knowledge of witnesses consisting of X ∈ ℤ_q^{m×n}, s ∈ ℤ_q^n and a small-norm e ∈ ℤ^m which underlie a public vector b = X · s + e ∈ ℤ_q^m while simultaneously proving that the matrix X ∈ ℤ_q^{m×n} has been correctly certified. We believe our proof system to be useful in other applications involving zero-knowledge proofs in the lattice setting. lien: rien