Cryptography
lattice-crypto ring-lwe trapdoor
Updated Wed, 20 Jul 2022 09:22:59 GMT

# Trapdoor committement using ring lattices involving three parties

Assume there are three parties say A, B, C.

1. A commits to a message $$m$$ say $$c(m)$$ and sends tuple $$(m,c(m))$$ to B.
2. B has to prove to C that he possesses commitment $$c(m)$$. There is no interaction between A and C. But B should not cheat by sending commitment to some other message $$m^\prime$$.

I guess for this we need A to generate $$c(m)$$ using his own trapdoor and later C can verify it is generated by A itself. Is it possible to achieve this using lattice based hard problems like $$RSIS$$ or $$RLWE$$.

Or is there any other way to achieve this using $$RSIS$$ or $$RLWE$$. ?

## Solution

I think that this is just a digital signature scheme. $$A$$ should generate a private signing key and a public verification key for your signature scheme of choice. The then create a signature for the message $$m$$ and which you are calling the commitment $$c(m)$$. $$B$$ can then pass on the $$c(m)$$ to $$C$$ who can confirm that is is signed by $$A$$, but $$B$$ cannot produce signatures for other messages that verify using $$A$$'s verification key.

There are several lattice-based signature schemes though they are all quite tricky to parameterise and implement securely. The NIST competition has advanced the lattice-based signatures FALCON and Crystals DILITHIUM to the final round.

• +1 – thanks for the answer. — Mar 18, 2021 at 10:40

External links referenced by this document: