Talk date: 28 September 2018

### Zero-Knowledge Argument for Matrix-Vector Relations and Lattice-Based Group Encryption

Group encryption (GE) is the natural encryption analogue of
group signatures in that it allows verifiably encrypting messages for some
anonymous member of a group while providing evidence that the receiver
is a properly certified group member. Should the need arise, an opening
authority is capable of identifying the receiver of any ciphertext. As
introduced by Kiayias, Tsiounis and Yung (Asiacrypt’07), GE is motivated by
applications in the context of oblivious retriever storage systems,
anonymous third parties and hierarchical group signatures. This paper provides
the first realization of group encryption under lattice assumptions. Our
construction is proved secure in the standard model (assuming
interaction in the proving phase) under the Learning-With-Errors (LWE) and
Short-Integer-Solution (SIS) assumptions. As a crucial component of our
system, we describe a new zero-knowledge argument system that allows
demonstrating that a given ciphertext is a valid encryption under some
hidden but certified public key, which entails proving quadratic statements
about LWE relations. Specifically, our protocol allows arguing knowledge
of witnesses consisting of X ∈ ℤ_q^{m×n}, s ∈ ℤ_q^n and a small-norm e ∈ ℤ^m
which underlie a public vector b = X · s + e ∈ ℤ_q^m while simultaneously
proving that the matrix X ∈ ℤ_q^{m×n} has been correctly certified.
We believe our proof system to be useful in other applications involving
zero-knowledge proofs in the lattice setting.