Patents by Inventor Vadim LYUBASHEVSKY

Vadim LYUBASHEVSKY has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11496309
    Abstract: The present disclosure relates to a method for performing a disjunctive proof for two relations R0 and R1. The relation R0 is between an instance set X0 and a witness set W0 and defines a language L(R0) containing those elements x0 ∈ X0 for which there exists a witness w0 that is related to x0 in accordance with R0. The relation R1 is between an instance set X1 and a witness set W1 and defines a language L(R1) containing those elements x1 ∈ X1 for which there exists a witness w1 that is related to x1 in accordance with R1. For proving knowledge of a witness wb of at least one of instances x0 and x1, where b is 0 or 1, of the respective relations R0 and R1, the prover may generate, using a bijective function, a challenge from a simulated challenge c(1−b).
    Type: Grant
    Filed: June 27, 2018
    Date of Patent: November 8, 2022
    Assignee: International Business Machines Corporation
    Inventors: Rafael del Pino, Vadim Lyubashevsky, Gregory Neven, Gregor Seiler
  • Patent number: 10897357
    Abstract: The invention relates to a method for performing a multi-party electronic computation using a plurality of evaluating computer systems. The cryptographic security of the multi-party computation is implemented using lattice-based cryptography. Each evaluating computer system receives from each user of a plurality of users an individual input share of an input chosen by the respective user. Furthermore, each evaluating computer system receives from the user a commitment to the received individual input share and opening information. Each evaluating computer system checks the commitments received to the individual input shares and generates a first lattice-based zero-knowledge proof that all the commitments received are valid commitments to input shares. Each evaluating computer system publishes the first lattice-based zero-knowledge proof. Thus, a verifier may be enabled to verify that all commitments are valid commitments to input shares.
    Type: Grant
    Filed: April 4, 2018
    Date of Patent: January 19, 2021
    Assignee: International Business Machines Corporation
    Inventors: Rafael Del Pino, Vadim Lyubashevsky, Gregory Neven
  • Patent number: 10742413
    Abstract: Embodiments of the present invention may provide the capability for performing public-key encryption with proofs of plaintext knowledge using a lattice-based scheme that provides improved efficiency over conventional techniques. For example, in an embodiment, a computer-implemented method of verifying encryption may comprise generating a ciphertext, derived from a plaintext, via an encryption scheme, proving validity of the ciphertext, wherein the proof includes at least one challenge value, and using a decryption procedure that recovers a plaintext by choosing at least one additional challenge value at random from a challenge space.
    Type: Grant
    Filed: April 25, 2017
    Date of Patent: August 11, 2020
    Assignee: International Business Machines Corporation
    Inventors: Vadim Lyubashevsky, Gregory Neven
  • Publication number: 20200005173
    Abstract: The present disclosure relates to a method for performing a disjunctive proof for two relations R0 and R1. The relation R0 is between an instance set X0 and a witness set W0 and defines a language L(R0) containing those elements x0 ∈ X0 for which there exists a witness w0 that is related to x0 in accordance with R0. The relation R1 is between an instance set X1 and a witness set W1 and defines a language L(R1) containing those elements x1 ∈ X1 for which there exists a witness w1 that is related to x1 in accordance with R1. For proving knowledge of a witness wb of at least one of instances x0 and x1, where b is 0 or 1, of the respective relations R0 and R1, the prover may generate, using a bijective function, a challenge from a simulated challenge c(1−b).
    Type: Application
    Filed: June 27, 2018
    Publication date: January 2, 2020
    Inventors: Rafael del Pino, Vadim Lyubashevsky, Gregory Neven, Gregor Seiler
  • Publication number: 20190312727
    Abstract: The invention relates to a method for performing a multi-party electronic computation using a plurality of evaluating computer systems. The cryptographic security of the multi-party computation is implemented using lattice-based cryptography. Each evaluating computer system receives from each user of a plurality of users an individual input share of an input chosen by the respective user. Furthermore, each evaluating computer system receives from the user a commitment to the received individual input share and opening information. Each evaluating computer system checks the commitments received to the individual input shares and generates a first lattice-based zero-knowledge proof that all the commitments received are valid commitments to input shares. Each evaluating computer system publishes the first lattice-based zero-knowledge proof. Thus, a verifier may be enabled to verify that all commitments are valid commitments to input shares.
    Type: Application
    Filed: April 4, 2018
    Publication date: October 10, 2019
    Inventors: Rafael DEL PINO, Vadim LYUBASHEVSKY, Gregory NEVEN
  • Patent number: 10129029
    Abstract: Systems and methods are provided for proving plaintext knowledge of a message m, encrypted in a ciphertext, to a verifier computer. The method includes, at a user computer, encrypting the message m via a predetermined encryption scheme to produce a ciphertext u, and generating a plurality l of challenges ci, i=1 to l, dependent on the ciphertext u. For each challenge ci, the user computer generates a cryptographic proof π2i comprising that challenge ci and a zero-knowledge proof of plaintext knowledge of the message m encrypted in the ciphertext u. The user computer sends the ciphertext u and the l proofs π2i to the verifier computer. Each challenge ci is constrained to a predetermined challenge space C permitting identification, by searching the challenge space C, of an element ci′ such that the message m can be obtained via a decryption operation using the ciphertext u, the element ci′, and a decryption key of said encryption scheme.
    Type: Grant
    Filed: June 16, 2016
    Date of Patent: November 13, 2018
    Assignee: International Business Machines Corporation
    Inventors: Vadim Lyubashevsky, Gregory Neven
  • Publication number: 20180309574
    Abstract: Embodiments of the present invention may provide the capability for performing public-key encryption with proofs of plaintext knowledge using a lattice-based scheme that provides improved efficiency over conventional techniques. For example, in an embodiment, a computer-implemented method of verifying encryption may comprise generating a ciphertext, derived from a plaintext, via an encryption scheme, proving validity of the ciphertext, wherein the proof includes at least one challenge value, and using a decryption procedure that recovers a plaintext by choosing at least one additional challenge value at random from a challenge space.
    Type: Application
    Filed: April 25, 2017
    Publication date: October 25, 2018
    Inventors: Vadim Lyubashevsky, Gregory Neven
  • Patent number: 9973342
    Abstract: Methods and systems are provided for authenticating a message μ, at a user computer of a group signature scheme, to a verifier computer. The method includes, at the user computer, storing a user id m for the user computer and a user signing key which comprises a signature on the user id m under a secret key of a selectively-secure signature scheme. The user id m is an element of a predetermined subring, isomorphic to q[x]/(g(x)), of a ring R=q[x]/(f(x)), where f(x) and g(x) are polynomials of degree deg(f) and deg(g) respectively such that deg(f)>deg(g)>1. The method includes, at the user computer, generating a first cryptographic proof π1 comprising a zero-knowledge proof of knowledge of the user signing key and including the message μ in this proof of knowledge. The user computer sends the message μ and a group signature, comprising the first proof π1, to the verifier computer.
    Type: Grant
    Filed: June 16, 2016
    Date of Patent: May 15, 2018
    Assignee: International Business Machines Corporation
    Inventors: Vadim Lyubashevsky, Gregory Neven
  • Publication number: 20170366358
    Abstract: Methods and systems are provided for authenticating a message μ, at a user computer of a group signature scheme, to a verifier computer. The method includes, at the user computer, storing a user id m for the user computer and a user signing key which comprises a signature on the user id m under a secret key of a selectively-secure signature scheme. The user id m is an element of a predetermined subring, isomorphic to q[x]/(g(x)), of a ring R=q[x]/(f(x)), where f(x) and g(x) are polynomials of degree deg(f) and deg(g) respectively such that deg(f)>deg(g)>1. The method includes, at the user computer, generating a first cryptographic proof π1 comprising a zero-knowledge proof of knowledge of the user signing key and including the message μ in this proof of knowledge. The user computer sends the message μ and a group signature, comprising the first proof π1, to the verifier computer.
    Type: Application
    Filed: June 16, 2016
    Publication date: December 21, 2017
    Inventors: Vadim LYUBASHEVSKY, Gregory Neven
  • Publication number: 20170366349
    Abstract: Systems and methods are provided for proving plaintext knowledge of a message m, encrypted in a ciphertext, to a verifier computer. The method includes, at a user computer, encrypting the message m via a predetermined encryption scheme to produce a ciphertext u, and generating a plurality l of challenges ci, i=1 to l, dependent on the ciphertext u. For each challenge ci, the user computer generates a cryptographic proof π2i comprising that challenge ci and a zero-knowledge proof of plaintext knowledge of the message m encrypted in the ciphertext u. The user computer sends the ciphertext u and the l proofs π2i to the verifier computer. Each challenge ci is constrained to a predetermined challenge space C permitting identification, by searching the challenge space C, of an element ci′ such that the message m can be obtained via a decryption operation using the ciphertext u, the element ci′, and a decryption key of said encryption scheme.
    Type: Application
    Filed: June 16, 2016
    Publication date: December 21, 2017
    Inventors: Vadim LYUBASHEVSKY, Gregory NEVEN