Paper 2024/890

Ring Signatures for Deniable AKEM: Gandalf's Fellowship

Phillip Gajland, Max Planck Institute for Security and Privacy, Ruhr-Universität Bochum
Jonas Janneck, Ruhr-Universität Bochum
Eike Kiltz, Ruhr-Universität Bochum
Abstract

Ring signatures, a cryptographic primitive introduced by Rivest, Shamir and Tauman (ASIACRYPT 2001), offer signer anonymity within dynamically formed user groups. Recent advancements have focused on lattice-based constructions to improve efficiency, particularly for large signing rings. However, current state-of-the-art solutions suffer from significant overhead, especially for smaller rings. In this work, we present a novel NTRU-based ring signature scheme, Gandalf, tailored towards small rings. Our post-quantum scheme achieves a 50% reduction in signature sizes compared to the linear ring signature scheme Raptor (ACNS 2019). For rings of size two, our signatures are approximately a quarter the size of DualRing (CRYPTO 2021), another linear scheme, and remain more compact for rings up to size seven. Compared to the sublinear scheme Smile (CRYPTO 2021), our signatures are more compact for rings of up to 26. In particular, for rings of size two, our ring signatures are only 1236 bytes. Additionally, we explore the use of ring signatures to obtain deniability in authenticated key exchange mechanisms (AKEMs), the primitive behind the recent HPKE standard used in MLS and TLS. We take a fine-grained approach at formalising sender deniability within AKEM and seek to define the strongest possible notions. Our contributions extend to a black-box construction of a deniable AKEM from a KEM and a ring signature scheme for rings of size two. Our approach attains the highest level of confidentiality and authenticity, while simultaneously preserving the strongest forms of deniability in two orthogonal settings. Finally, we present parameter sets for our schemes, and show that our deniable AKEM, when instantiated with our ring signature scheme, yields ciphertexts of 2004 bytes.

Note: 1. There is a flaw in the unforgeability proof. The problem can be fixed by using the Rényi divergence instead of LWE (the techniques were introduced in https://ia.cr/2024/1769). 2. A mistake in the anonymity proof has been fixed and the bound changed.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
A major revision of an IACR publication in CRYPTO 2024
Keywords
Lattice-basedNTRURing SignaturesAKEMDeniability
Contact author(s)
phillip gajland @ mpi-sp org
jonas janneck @ rub de
eike kiltz @ rub de
History
2024-12-20: last of 3 revisions
2024-06-04: received
See all versions
Short URL
https://ia.cr/2024/890
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/890,
      author = {Phillip Gajland and Jonas Janneck and Eike Kiltz},
      title = {Ring Signatures for Deniable {AKEM}: Gandalf's Fellowship},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/890},
      year = {2024},
      url = {https://eprint.iacr.org/2024/890}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.