lattice-crypto ring-lwe trapdoor: Updated Wed, 20 Jul 2022 09:22:59 GMT

Trapdoor committement using ring lattices involving three parties

Assume there are three parties say A, B, C.

A commits to a message $m$ say $c(m)$ and sends tuple $(m,c(m))$ to B.
B has to prove to C that he possesses commitment $c(m)$. There is no interaction between A and C. But B should not cheat by sending commitment to some other message $m^\prime$.

I guess for this we need A to generate $c(m)$ using his own trapdoor and later C can verify it is generated by A itself. Is it possible to achieve this using lattice based hard problems like $RSIS$ or $RLWE$.

Or is there any other way to achieve this using $RSIS$ or $RLWE$. ?

Solution

I think that this is just a digital signature scheme. $A$ should generate a private signing key and a public verification key for your signature scheme of choice. The then create a signature for the message $m$ and which you are calling the commitment $c(m)$. $B$ can then pass on the $c(m)$ to $C$ who can confirm that is is signed by $A$, but $B$ cannot produce signatures for other messages that verify using $A$'s verification key.

There are several lattice-based signature schemes though they are all quite tricky to parameterise and implement securely. The NIST competition has advanced the lattice-based signatures FALCON and Crystals DILITHIUM to the final round.

Comments (1)

+1 – thanks for the answer. — Mar 18, 2021 at 10:40

External Links

External links referenced by this document:

References

https://crypto.stackexchange.com/questions/88865