【安全技术】来自 Latices 的零知识密码策略检查 |

语言 Chinese, Simplified

SEO Title

Zero-Knowledge Password Policy Check from Lattices

1Introduction

One of the most common methods of user authentication is passwords when logging in to online services. So, it is very important that passwords in use have sufficient entropy and hard to guess for security. Password policies was introduced to guide users into choosing suitable passwords that are harder to guess. Ur et al. [51] discovered that users are more likely to choose easily guessable passwords in the absence of a password policy. Examining the password policies of over 70 web-sites, Florêncio and Herley [18] found that most require passwords with characters from at least one of four sets, digits, symbols, lowercase and uppercase letters and a minimum password length. Hence, it is reasonable to focus on password policies with a minimum password length, sets of valid characters and maybe constraints on the diversity of characters used.

Even with strong passwords and good policies, nothing can prevent leaks if servers do not properly store passwords. Improperly stored passwords can cause serious problems, as seen by hacks on LinkedIn [20] and Yahoo [47] and the web-site “Have I Been Pwned?” [26]. Sadly, such poor practices are not uncommon: many popular web-sites were discovered by Baumann et al. [4] to store password information in plaintext.

If servers cannot be trusted, then no password information should be stored there at all. Thus, protocols that do not require storing secret user information at external servers become necessary. However, even with secret passwords, password policies are important to enforce a base level of security against dictionary attacks, leaving a dilemma: how do users prove compliance of their password without revealing anything?

Kiefer and Manulis [31] showed how to address this problem with zero knowledge password policy check (ZKPPC). It enables blind registration: users register a password with a server and prove password policy conformance without revealing anything about their passwords, thereby solving the dilemma. With ZKPPC, some randomised password verification information is stored at the server and it does not leak information about the password, protecting against server compromises. Furthermore, ZKPPC allows a user to prove, without revealing any information, that the password conforms to the server’s policy. Blind registration can be coupled with a verifier-based password-based authenticated key exchange (VPAKE) protocol to achieve a complete system for privacy-preserving password-based registration, authentication and key exchange. Password-based authenticated key exchange (PAKE) [6, 5, 21, 28, 15, 8] is a protocol that allows users to simultaneously authenticate themselves using passwords and perform key exchange. However, these protocols store passwords on the server and thus, users have to trust the security of the server’s password storage and may be vulnerable to password leakages in the event of server compromise. Verifier-based PAKE [7, 5, 22, 11] extends PAKE to limit the damage caused by information leakage by storing a verifier instead. Verifiers are a means to check that users supplied the correct passwords and are usually hash values of passwords with a salt, which makes it hard to extract the passwords from verifiers.

A ZKPPC protocol allows users to prove that their password, committed in the verifier, satisfies some password policy. VPAKE can then be used to securely authenticate and establish keys whenever communication is required. Together, the password is never revealed, greatly increasing the user security over current standards. Passwords are harder to guess and no longer easily compromised by server breaches.

Kiefer and Manulis [31] proposed a generic construction of ZKPPC using homomorphic commitments and set membership proofs. In the same work, a concrete ZKPPC protocol was constructed using Pedersen commitments [45], whose security is based on the hardness of the discrete logarithm problem. As such, it is vulnerable to attacks from quantum adversaries due to Shor’s algorithm [49] which solves the discrete logarithm problem in quantum polynomial time. With NIST issuing a call for proposals to standardize quantum resistant cryptography [44], it is clear that we need to prepare cryptographic schemes and protocols that are quantum resistant, in case a sufficiently powerful quantum computer is realized. As there is currently no proposal of ZKPPC protocol that has the potential to be quantum resistant, it is an interesting open problem to construct one.

Our contributions and techniques. In this work, inspired by the attractiveness of ZKPPC protocols and the emergence of lattice-based cryptography as a strong quantum resistant candidate, we aim to construct a ZKPPC protocol from lattices. Our contribution is two-fold. We first design a randomised password hashing scheme based on the hardness of the Short Integer Solution (SIS) problem. We then construct a SIS-based statistical zero-knowledge argument of knowledge, which allows the client to convince the server that his secret password, committed in a given hash value, satisfies the server’s policy. This yields the first ZKPPC protocol that still resists against quantum computers.

Our first technical challenge is to derive a password encoding mechanism that operates securely and interacts smoothly with available lattice-based cryptographic tools. In the discrete log setting considered in [31], passwords are mapped to large integers and then encoded as elements in a group of large order. Unfortunately, this does not translate well to the lattice setting as working with large-norm objects usually makes the construction less secure and less efficient. Therefore, a different method, which encodes passwords as small-norm objects, is desirable. To this end, we define a password encoding mechanism, that maps a password consisting of
$t$

characters to a binary vector of length
$8t$

, where each of the
$t$

blocks is the
$8$

-bit representation of the ASCII value of the corresponding password character. To increase its entropy, we further shuffle the arrangement of those blocks using a random permutation, and then commit to the permuted vector as well as a binary encoding of the permutation via the SIS-based commitment scheme proposed by Kawachi, Tanaka and Xagawa [29]. This commitment value is then viewed as the randomised hash value of the password.

The next technical challenge is to prove in zero-knowledge that the committed password satisfies a policy of the form
$f=\big{(}(k_{D},k_{U},k_{L},k_{S}),n_{\mathtt{min}},n_{\mathtt{max}}\big{)}$

, which demands that the password have length at least
$n_{\sf min}$

and at most
$n_{\sf max}$

, and contain at least
$k_{D}$

digits,
$k_{S}$

symbols,
$k_{L}$

lower-case and
$k_{U}$

upper-case letters. To this end, we will have to prove, for instance, that a committed length-
$8$

block-vector belongs to the set of vectors encoding all
$10$

digits. We thus need a lattice-based sub-protocol for proving set membership. In the lattice-based world, a set membership argument system with logarithmic complexity in the cardinality of the set was proposed in [36], exploiting Stern-like protocols [50] and Merkle hash trees. However, the asymptotic efficiency does not come to the front when the underlying set has small, constant size. Here, we employ a different approach, which has linear complexity but is technically simpler and practically more efficient, based on the extend-then-permute technique for Stern’s protocol, suggested by Ling et al. [37]. Finally, we use a general framework for Stern-like protocols, put forward by Libert et al. [34], to combine all of our sub-protocols for set membership and obtain a ZKPPC protocol.

From a practical point of view, our lattice-based ZKPPC protocol is not yet ready to be used: for a typical setting of parameters, an execution with soundness error
$2^{-30}$

has communication cost around
$900$

KB. We, however, believe that there are much room for improvement and view this work as the first step in designing post-quantum privacy-preserving password-based authentication and key exchange systems.

Related work. The only construction of ZKPPC was proposed by Kiefer and Manulis [31] using Pedersen commitments [45] and a randomised password hashing scheme introduced in the same work. It commits each character individually and uses set membership proofs to prove compliance of the entire password to a password policy. The password hash is the sum of the committed characters and thus is linked to the set membership proofs through the homomorphic property of the commitments used. As mentioned previously, their protocol is vulnerable to quantum adversaries and greater diversity is desirable.

To improve the efficiency of secure password registration for VPAKE [32] and two server PAKE [33], Kiefer and Manulis proposed blind password registration (BPR), a new class of cryptographic protocols that prevent password leakage from the server. Using techinques introduced in [31], Kiefer and Manulis used an efficient shuffling proof from [19] to achieve
$\mathcal{O}(1)$

number of set membership proofs instead of
$\mathcal{O}(n_{max})$

in ZKPPC. However, the security model considered for BPR is only suitable for honest but curious participants. The security of ZKPPC is defined to prevent malicious users from registering bad passwords that do not conform to the given password policy. Malicious servers also do not gain any information on the registered password from running the ZKPPC protocol. Overall, the security model of BPR is weaker than the capabilities of ZKPPC and available instantiations are not resistant to quantum adversaries.

An alternate approach using symmetric key primitives, secure set-based policy checking (SPC), to check password policy was proposed in [17]. Policies are represented set-theoretically as monotone access structures and are mapped to linear secret sharing schemes (LSSS). Then, checking policy compliance corresponds to verifying whether some set is in the access structure, i.e. if the set of shares can reconstruct the secret in the LSSS. To obtain a privacy-preserving protocol for SPC, the oblivious bloom intersection (OBI) from [16] is used. The server constructs an LSSS that only users who fulfil the policy can obtain the right shares from the OBI and recover the secret. Knowledge of the secret is proved with a hash of the secret with the transcript of the protocol execution and identities of the two parties, tying the protocol to the proof of knowledge. In the proposed SPC protocol, the one-more-RSA assumption is used to guarantee that the password registration protocol is sound when used by a malicious client. Thus, in the presence of a quantum adversary, the SPC protocol cannot be considered sound anymore. Since the focus is on quantum resistant blind registration of passwords with malicious participants, the SPC protocol is insufficient.

Zero-knowledge proofs in lattice-based cryptography. Early work on interactive and non-interactive proof systems [24, 43, 46] for lattices exploited the geometric structure of worst-case lattice problems, and are not generally applicable in lattice-based cryptography. More recent methods of proving relations appearing in lattice-based cryptosystems belong to the following two main families.

The first family, introduced by Lyubashevsky [40, 41], uses “rejection sampling” techniques, and lead to relatively efficient proofs of knowledge of small secret vectors [9, 2, 13, 14], and proofs of linear and multiplicative relations among committed values [10, 3] in the ideal lattice setting. However, due to the nature of “rejection sampling”, there is a tiny probability that even an honest prover may fail to convince the verifier: i.e., protocols in this family do not have perfect completeness. Furthermore, when proving knowledge of vectors with norm bound
$\beta$

, the knowledge extractor of these protocols is only guaranteed to produce witnesses of norm bound
$g\cdot\beta$

, for some factor
$g>1$

. This factor, called “soundness slack” in [2, 13], may be undesirable: if an extracted witness has to be used in the security proof to solve a challenge SIS instance, we need the
$\mathsf{SIS}_{g\cdot\beta}$

assumption, which is stronger than the
$\mathsf{SIS}_{\beta}$

assumption required by the protocol itself. Moreover, in some sophisticated cryptographic constructions such as the zero-knowledge password policy check protocol considered in this work, the coordinates of extracted vectors are expected to be in
$\{0,1\}$

and/or satisfy a specific pattern. Such issues seem hard to tackle using this family of protocols.

The second family, initiated by Ling et al. [37], use “decomposition-extension” techniques in lattice-based analogues [29] of Stern’s protocol [50]. These are less efficient than those of the first family because each protocol execution admits a constant soundness error, and require repeating protocols
$\omega(\log n)$

times, for a security parameter
$n$

, to achieve negligible soundness error. On the upside, Stern-like protocols have perfect completeness and can handle a wide range of lattice-based relations [38, 36, 12, 34, 35, 39], especially when witnesses have to not only be small or binary, but also certain prescribed arrangement of coordinates. Furthermore, unlike protocols of the first family, the extractor of Stern-like protocols can output witness vectors with the same properties expected of valid witnesses. This feature is often crucial in the design of advanced protocols involving ZK proofs. In addition, the “soundness slack” issue is completely avoided, so the hardness assumptions are kept “in place”.

Organization. In the next section, we define notations used in the paper and briefly describe the building blocks for our ZKPPC protocol. Following that, in Section 3, we instantiate the building blocks and ZKPPC protocol with lattices-based primitives. Finally, we summarize and conclude in Section 4.

2Preliminaries

Notation. We assume all vectors are column vectors. A vector
$\mathbf{x}$

with coordinates
$x_{1},\ldots,x_{m}$

is written as
$\mathbf{x}=(x_{1},\ldots,x_{m})$

. For simplicity, concatenation of
$\mathbf{x}\in\mathbb{R}^{k}$

and
$\mathbf{y}\in\mathbb{R}^{m}$

is denoted with
$(\mathbf{x}\|\mathbf{y})\in\mathbb{R}^{k+m}$

. Column-wise concatenation of matrices
$\mathbf{A}\in\mathbb{R}^{n\times k}$

and
$\mathbf{B}\in\mathbb{R}^{n\times m}$

is denoted by
$[\mathbf{A}\hskip 1.6pt|\hskip 1.6pt\mathbf{B}]\in\mathbb{R}^{n\times(k+m)}$

. If
$S$

is a finite set, then
$x\xleftarrow{\$}S$

means that
$x$

is chosen uniformly at random over
$S$

. For a positive integer
$n$

,
$[n]$

denotes the set
$\{1,\ldots,n\}$

and
$\mathsf{negl}(n)$

denotes a negligible function in
$n$

. The set of all permutations of
$n$

elements is denoted by
$\mathcal{S}_{n}$

. All logarithms are of base
$2$

2.1Some Lattice-Based Cryptographic Ingredients

We first recall the average-case problem SIS and its link to worst-case lattice problems.

Definition 1 (
$\mathsf{SIS}^{\infty}_{n,m,q,\beta}$
[1, 23])

Given a uniformly random matrix
$\mathbf{A}\in\mathbb{Z}_{q}^{n\times m}$

, find a non-zero vector
$\mathbf{x}\in\mathbb{Z}^{m}$

such that
$\|\mathbf{x}\|_{\infty}\leq\beta$

and
$\mathbf{A\cdot x=0}\bmod q.$

The hardness of the SIS is guaranteed by the worst-case to average-case reduction from lattice problems. If
$m,\beta=\mathsf{poly}(n)$

, and
$q>\beta\cdot\widetilde{\mathcal{O}}(\sqrt{n})$

, then the
$\mathsf{SIS}^{\infty}_{n,m,q,\beta}$

problem is at least as hard as the worst-case lattice problem
$\mathsf{SIVP}_{\gamma}$

for some
$\gamma=\beta\cdot\widetilde{\mathcal{O}}(\sqrt{nm})$

(see, e.g., [23, 42]).

The KTX commitment scheme. In this work, we employ the SIS-based commitment scheme proposed by Kawachi, Tanaka and Xagawa [29] (KTX). The scheme, with two flavours, works with lattice parameter
$n$

, prime modulus
$q=\widetilde{\mathcal{O}}(n)$

, and dimension
$m=2n\lceil\log q\rceil$

In the variant that commits
$t$

bits, for some fixed
$t=\mathsf{poly}(n)$

, the commitment key is
$(\mathbf{A},\mathbf{B})\xleftarrow{\$}\mathbb{Z}_{q}^{n\times t}\times\mathbb{Z}_{q}^{n\times m}$

. To commit
$\mathbf{x}\in\{0,1\}^{t}$

, one samples randomness
$\mathbf{r}\xleftarrow{\$}\{0,1\}^{m}$

, and outputs the commitment
$\mathbf{c}=\mathbf{A}\cdot\mathbf{x}+\mathbf{B}\cdot\mathbf{r}\bmod q$

. Then, to open
$\mathbf{c}$

, one reveals
$\mathbf{x}\in\{0,1\}^{t}$

and
$\mathbf{r}\in\{0,1\}^{m}$

If there exists two valid openings
$(\mathbf{x}_{1},\mathbf{r}_{1})$

and
$(\mathbf{x}_{2},\mathbf{r}_{2})$

for the same commitment
$\mathbf{c}$

and
$\mathbf{x}_{1}\neq\mathbf{x}_{2}$

, then one can compute a solution to the
$\mathsf{SIS}_{n,m+t,q,1}^{\infty}$

problem associated with the uniformly random matrix
$[\mathbf{A}\mid\mathbf{B}]\in\mathbb{Z}_{q}^{n\times(m+t)}$

. On the other hand, by the left-over hash lemma [48], the distribution of a valid commitment
$\mathbf{c}$

is statistically close to uniform over
$\mathbb{Z}_{q}^{n}$

which implies that it is statistically hiding.

Kawachi et al. [29] extended the above
$t$

-bit commitment scheme to a string commitment scheme
$\mathsf{COM}:\{0,1\}^{*}\times\{0,1\}^{m}\rightarrow\mathbb{Z}_{q}^{n}$

. The extended scheme shares the same characteristics, statistically hiding from the parameters set and computationally binding under the SIS assumption.

In this work, we use the former variant to commit to passwords, and use COM as a building block for Stern-like zero-knowledge protocols.

2.2Zero-Knowledge Argument Systems and Stern-like Protocols

We work with statistical zero-knowledge argument systems, interactive protocols where the zero-knowledge property holds against any cheating verifier and the soundness property holds against computationally bounded cheating provers. More formally, let the set of statements-witnesses
$\mathrm{R}=\{(y,w)\}\in\{0,1\}^{*}\times\{0,1\}^{*}$

be an NP relation. A two-party game
$\langle\mathcal{P},\mathcal{V}\rangle$

is called an interactive argument system for the relation
$\mathrm{R}$

with soundness error
$e$

if two conditions hold:

•

Completeness. If
$(y,w)\in\mathrm{R}$
then
$\mathrm{Pr}\big{[}\langle\mathcal{P}(y,w),\mathcal{V}(y)\rangle=1\big{]}=1.$
•

Soundness. If
$(y,w)\not\in\mathrm{R}$
, then
$\forall$
PPT
$\widehat{\mathcal{P}}$
:
$\mathrm{Pr}[\langle\widehat{\mathcal{P}}(y,w),\mathcal{V}(y)\rangle=1]\leq e.$

Here and henceforth, PPT denotes probabilistic polynomial time. An argument system is statistical zero-knowledge if for any
$\widehat{\mathcal{V}}(y)$

, there exists a PPT simulator
$\mathcal{S}(y)$

which produces a simulated transcript that is statistically close to that of the real interaction between
$\mathcal{P}(y,w)$

and
$\widehat{\mathcal{V}}(y)$

. A related notion is argument of knowledge, which requires the witness-extended emulation property. For
$3$

move protocols (i.e., commitment-challenge-response), witness-extended emulation is implied by special soundness [25], which assumes the existence of a PPT extractor, taking as input a set of valid transcripts with respect to all possible values of the “challenge” to the same “commitment”, and returning
$w^{\prime}$

such that
$(y,w^{\prime})\in\mathrm{R}$

Stern-like protocols. The statistical zero-knowledge arguments of knowledge presented in this work are Stern-like [50] protocols. In particular, they are
$\Sigma$

-protocols as defined in [27, 9], where
$3$

valid transcripts are needed for extraction instead of just
$2$

. Stern’s protocol was originally proposed for code-based cryptography, and adapted to lattices by Kawachi et al. [29]. It was subsequently empowered by Ling et al. [37] to handle the matrix-vector relations associated with the SIS and inhomogeneous SIS problems and extended to design several lattice-based schemes: group signatures [38, 36, 34, 39], policy-based signatures [12] and group encryption [35].

The basic protocol has
$3$

moves. With
$\mathsf{COM}$

, the KTX string commitment scheme [29], we get a statistical zero-knowledge argument of knowledge (ZKAoK) with perfect completeness, constant soundness error
$2/3$

, and communication cost
$\mathcal{O}(|w|\cdot\log q)$

, where
$|w|$

is the total bit-size of the secret vectors.

An abstraction of Stern’s protocol. We recall an abstraction of Stern’s protocol, proposed in [34]. Let
$n,\ell,q$

be positive integers, where
$\ell\geq n$

,
$q\geq 2$

, and
$\mathsf{VALID}$

be a subset of
$\{0,1\}^{\ell}$

. Suppose
$\mathcal{S}$

is a finite set and every
$\phi\in\mathcal{S}$

is associated with a permutation
$\Gamma_{\phi}$

of
$\ell$

elements, satisfying the following conditions:

\displaystyle\begin{cases}\mathbf{w}\in\mathsf{VALID}\hskip 2.5pt\Leftrightarrow\hskip 2.5pt\Gamma_{\phi}(\mathbf{w})\in\mathsf{VALID},\\ \text{If }\mathbf{w}\in\mathsf{VALID}\text{ and }\phi\text{ is uniform in }\mathcal{S},\text{ then }\Gamma_{\phi}(\mathbf{w})\text{ is uniform in }\mathsf{VALID}.\end{cases}

(1)

We aim to construct a statistical ZKAoK for the following abstract relation:

\displaystyle\mathrm{R_{abstract}}=\big{\{}(\mathbf{M},\mathbf{v}),\mathbf{w}\in\mathbb{Z}_{q}^{n\times\ell}\times\mathbb{Z}_{q}^{n}\times\mathsf{VALID}:\mathbf{M}\cdot\mathbf{w}=\mathbf{v}\bmod q.\big{\}}\vspace{-1cm}

Stern’s original protocol has
$\mathsf{VALID}=\{\mathbf{w}\in\{0,1\}^{\ell}:\mathsf{wt}(\mathbf{w})=k\}$

, where
$\mathsf{wt}(\cdot)$

denotes the Hamming weight and
$k<\ell$

for some given
$k$

,
$\mathcal{S}=\mathcal{S}_{\ell}$

– the symmetric group on
$\ell$

elements, and
$\Gamma_{\phi}(\mathbf{w})=\phi(\mathbf{w})$

The conditions in (1) are key to prove that
$\mathbf{w}\in\mathsf{VALID}$

in ZK: The prover
$\mathcal{P}$

samples
$\phi\xleftarrow{\$}\mathcal{S}$

and the verifier
$\mathcal{V}$

checks that
$\Gamma_{\phi}(\mathbf{w})\in\mathsf{VALID}$

; no additional information about
$\mathbf{w}$

is revealed to
$\mathcal{V}$

due to the randomness of
$\phi$

. Furthermore, to prove in ZK that
$\mathbf{M}\cdot\mathbf{w}=\mathbf{v}\bmod q$

holds,
$\mathcal{P}$

samples
$\mathbf{r}_{w}\xleftarrow{\$}\mathbb{Z}_{q}^{\ell}$

to mask
$\mathbf{w}$

, and convinces
$\mathcal{V}$

instead that
$\mathbf{M}\cdot(\mathbf{w}+\mathbf{r}_{w})=\mathbf{M}\cdot\mathbf{r}_{w}+\mathbf{v}\bmod q.$

We describe the interaction between
$\mathcal{P}$

and
$\mathcal{V}$

in Figure 1. A statistically hiding and computationally binding string commitment scheme COM, e.g. the scheme in Section 2.1, is used.

1.

Commitment: Prover
$\mathcal{P}$
samples
$\mathbf{r}_{w}\xleftarrow{\$}\mathbb{Z}_{q}^{\ell}$
,
$\phi\xleftarrow{\$}\mathcal{S}$
and randomness
$\rho_{1},\rho_{2},\rho_{3}$
for
$\mathsf{COM}$
.
Then, a commitment
$\mathrm{CMT}=\big{(}C_{1},C_{2},C_{3}\big{)}$
is sent to the verifier
$\mathcal{V}$
, where

$\displaystyle C_{1}=\mathsf{COM}(\phi,\mathbf{M}\cdot\mathbf{r}_{w}\bmod q;\rho_{1}),\hskip 8.6ptC_{2}=\mathsf{COM}(\Gamma_{\phi}(\mathbf{r}_{w});\rho_{2}),\hskip 8.6ptC_{3}=\mathsf{COM}(\Gamma_{\phi}(\mathbf{w}+\mathbf{r}_{w}\bmod q);\rho_{3}).$
2.

Challenge:
$\mathcal{V}$
sends a challenge
$Ch\xleftarrow{\$}\{1,2,3\}$
to
$\mathcal{P}$
.
3.
Response: Based on
$C h$
,
$\mathcal{P}$
sends
$\mathrm{RSP}$
computed as follows:
- •
  
  $Ch=1$
  : Let
  $\mathbf{t}_{w}=\Gamma_{\phi}(\mathbf{w})$
  ,
  $\mathbf{t}_{r}=\Gamma_{\phi}(\mathbf{r}_{w})$
  , and
  $\mathrm{RSP}=(\mathbf{t}_{w},\mathbf{t}_{r},\rho_{2},\rho_{3})$
  .
- •
  
  $Ch=2$
  : Let
  $\phi_{2}=\phi$
  ,
  $\mathbf{w}_{2}=\mathbf{w}+\mathbf{r}_{w}\bmod q$
  , and
  $\mathrm{RSP}=(\phi_{2},\mathbf{w}_{2},\rho_{1},\rho_{3})$
  .
- •
  
  $Ch=3$
  : Let
  $\phi_{3}=\phi$
  ,
  $\mathbf{w}_{3}=\mathbf{r}_{w}$
  , and
  $\mathrm{RSP}=(\phi_{3},\mathbf{w}_{3},\rho_{1},\rho_{2})$
  .

Verification: Receiving
$\mathrm{RSP}$

,
$\mathcal{V}$

proceeds as follows:

•

$Ch=1$
: Check that
$\mathbf{t}_{w}\in\mathsf{VALID}$
,
$C_{2}=\mathsf{COM}(\mathbf{t}_{r};\rho_{2})$
,
${C}_{3}=\mathsf{COM}(\mathbf{t}_{w}+\mathbf{t}_{r}\bmod q;\rho_{3})$
.
•

$Ch=2$
: Check that
$C_{1}=\mathsf{COM}(\phi_{2},\mathbf{M}\cdot\mathbf{w}_{2}-\mathbf{v}\bmod q;\rho_{1})$
,
${C}_{3}=\mathsf{COM}(\Gamma_{\phi_{2}}(\mathbf{w}_{2});\rho_{3})$
.
•

$Ch=3$
: Check that
$C_{1}=\mathsf{COM}(\phi_{3},\mathbf{M}\cdot\mathbf{w}_{3};\rho_{1}),\hskip 5.0ptC_{2}=\mathsf{COM}(\Gamma_{\phi_{3}}(\mathbf{w}_{3});\rho_{2}).$

In each case,
$\mathcal{V}$

outputs
$1$

if and only if all the conditions hold.

Figure 1:Stern-like ZKAoK for the relation

\mathrm{R_{abstract}}

The properties of the protocol are summarized in Theorem 2.1.

Theorem 2.1 ([34])

Assuming that
$\mathsf{COM}$

is a statistically hiding and computationally binding string commitment scheme, the protocol in Figure 1 is a statistical ZKAoK with perfect completeness, soundness error
$2/3$

, and communication cost
$\mathcal{O}(\ell\log q)$

. In particular:

•

There exists a polynomial-time simulator that, on input
$(\mathbf{M},\mathbf{v})$
, outputs an accepted transcript statistically close to that produced by the real prover.
•

There exists a polynomial-time knowledge extractor that, on input a commitment
$\mathrm{CMT}$
and
$3$
valid responses
$(\mathrm{RSP}_{1},\mathrm{RSP}_{2},\mathrm{RSP}_{3})$
to all
$3$
possible values of the challenge
$C h$
, outputs
$\mathbf{w}^{\prime}\in\mathsf{VALID}$
such that
$\mathbf{M}\cdot\mathbf{w}^{\prime}=\mathbf{v}\bmod q.$

The proof of the Theorem 2.1, which appeared in [34], employs standard simulation and extraction techniques for Stern-like protocols [29, 37]. The proof is provided in Appendix 0.A for the sake of completeness.

2.3Password Strings and Password Policies

Next, we present the models of password strings and policies, adapted from [31].

Password Strings. We consider password strings
$p w$

over the set of
$94$

printable characters
$\Sigma_{\sf all}$

in the ASCII alphabet
$\Sigma_{\sf ASCII}$

, where
$\Sigma_{\sf all}=\Sigma_{D}\cup\Sigma_{S}\cup\Sigma_{L}\cup\Sigma_{U}\subset\Sigma_{\sf ASCII}$

is split into four disjoint subsets:

•

The set of
$10$
digits
$\Sigma_{D}=\{0,1,\ldots,9\}$
;
•

The set of
$32$
symbols
$\Sigma_{S}=\big{\{}$
!”#$%&’()*+,-./ :;
$<=>$
?@ [\]_̂ ‘
$\{|\}$
~
$\big{\}}$
;
•

The set of
$26$
lower case letters,
$\Sigma_{L}=\{a,b,\ldots,z\}$
;
•

The set of
$26$
upper case letters,
$\Sigma_{U}=\{A,B,\ldots,Z\}$
.

We denote by
$\mathtt{Dict}$

a general dictionary containing all strings that can be formed from the characters in
$\Sigma_{\sf all}$

. A password string
$pw=(c_{1},c_{2},\ldots,c_{k})\in\Sigma_{\sf all}^{k}\subset\mathtt{Dict}$

of length
$k$

is an ordered multi-set of characters
$c_{1},\ldots,c_{k}\in\Sigma_{\sf all}$

Password Policies. A password policy
$f=\big{(}(k_{D},k_{S},k_{L},k_{U}),n_{\sf min},n_{\mathsf{max}}\big{)}$

has six components, a minimum length
$n_{\mathsf{min}}$

, maximum length
$n_{\mathsf{max}}$

, and integers
$k_{D}$

,
$k_{S}$

,
$k_{L}$

and
$k_{U}$

that indicate the minimum number of digits, symbols, upper-case and lower-case letters, respectively, a password string must contain. We say that
$f(pw)=\mathtt{true}$

if and only if policy
$f$

is satisfied by the password string
$p w$

. For instance,

1.

Policy
$f=\big{(}(1,1,1,1),8,16\big{)}$
indicates that password strings must be between
$8$
and
$16$
characters and contain at least one digit, one symbol, one lower-case and one upper-case letters.
2.

Policy
$f=\big{(}(0,2,0,1),10,14\big{)}$
demands that password strings must be between
$10$
and
$14$
characters, including at least two symbols and one upper-case letter.

Remark 1

In practice, password policies typically do not specify
$n_{\mathsf{max}}$

but we can simply fix a number that upper-bounds all reasonable password lengths.

2.4Randomised Password Hashing and Zero-Knowledge Password Policy Check

We now recall the notions of randomised password hashing and zero-knowledge password policy check. Our presentation follows [31, 30].

Randomised Password Hashing. This mechanism aims to compute some password verification information that can be used later in more advanced protocols (e.g., ZKPPC and VPAKE). In order to prevent off-line dictionary attacks, the computation process is randomised via a pre-hash salt and hash salt. More formally, a randomised password hashing scheme
$\mathcal{H}$

is a tuple of
$5$

algorithms
$\mathcal{H}=(\mathsf{Setup},\mathsf{PreSalt},\mathsf{PreHash},\mathsf{Salt},\mathsf{Hash})$

, defined as follows.

•

$\mathsf{Setup}(\lambda)$
: On input security parameter
$\lambda$
, generate public parameters
$p p$
, including the descriptions of the salt spaces
$\mathbb{S}_{P}$
and
$\mathbb{S}_{H}$
.
•

$\mathsf{PreSalt}(pp)$
: On input
$p p$
, output a random pre-hash salt
$s_{P}\in\mathbb{S}_{P}$
.
•

$\mathsf{PreHash}(pp,pw,s_{P})$
: On input
$p p$
, password
$p w$
and pre-hash salt
$s_{P}$
, output a pre-hash value
$P$
.
•

$\mathsf{Salt}(pp)$
: On input
$p p$
, output a random hash salt
$s_{H}\in\mathbb{S}_{H}$
.
•

$\mathsf{Hash}(pp,P,s_{P},s_{H})$
: On input
$p p$
, pre-hash value
$P$
, pre-hash salt
$s_{P}$
and hash salt
$s_{H}$
, output a hash value
$\mathbf{h}$
.

A secure randomised password hashing scheme
$\mathcal{H}$

must satisfy
$5$

requirements: pre-image resistance, second pre-image resistance, pre-hash entropy preservation, entropy preservation and password hiding.

•

Pre-image resistance (or tight one-wayness in [11]): Let
$\text{\emph{pp}}\leftarrow\mathsf{Setup}(\lambda)$
and
$\mathtt{Dict}$
be a dictionary of min-entropy
$\beta$
.
$Hash(\cdot)$
is a function such that
$(H_{i},s_{H_{i}})\leftarrow Hash(\cdot)$
, where
$s_{H_{i}}\leftarrow\mathsf{Salt}(pp)$
and
$H_{i}\leftarrow\mathsf{Hash}(pp,P_{i},s_{P_{i}},s_{H_{i}})$
.
$P_{i}\leftarrow\mathsf{PreHash}(pp,pw_{i},s_{P_{i}})$
with
$s_{P_{i}}\leftarrow$

$\mathsf{PreSalt}(pp)$
and pw_i
$\xleftarrow{\$}\mathtt{Dict}$
.
$P_{i}$
is stored by
$Hash(\cdot)$
and there is a function
$\mathtt{Verify}(i,P)$
such that
$\mathtt{Verify}(i,P)=1$
if
$P=P_{i}$
.

For all PPT adversaries
$\mathcal{A}$
running in time at most
$t$
, there exists a negligible function
$\varepsilon(\cdot)$
such that

$\displaystyle Pr[(i,P)\leftarrow\mathcal{A}^{Hash(\cdot)});\text{ }\mathtt{Verify}(i,P)=1]\leq\frac{\alpha t}{2^{\beta}t_{\mathsf{PreHash}}}+\varepsilon(\lambda)$

for small
$\alpha$
and
$t_{\mathsf{PreHash}}$
, the running time of
$\mathsf{PreHash}$
.
•

Second pre-image resistance: For all PPT adversaries
$\mathcal{A}$
, there exists a negligible function
$\varepsilon(\cdot)$
such that for
$P^{\prime}\leftarrow\mathcal{A}(pp,P,s_{H})$
,

$\displaystyle Pr\big{[}\big{(}P^{\prime}\neq P\big{)}\wedge\big{(}\mathsf{Hash}(pp,P,s_{H})=\mathsf{Hash}(pp,P^{\prime},s_{H})\big{)}\big{]}\leq\varepsilon(\lambda),\vspace{-0.3cm}$

where
$pp\leftarrow\mathsf{Setup}(\lambda)$
,
$s_{P}\leftarrow\mathsf{PreSalt}(pp)$
,
$s_{H}\leftarrow\mathsf{Salt}(pp)$
and
$P\leftarrow\mathsf{Hash}(pp,\text{\emph{pw}},s_{P})$
for any pw
$\in\mathtt{Dict}$
.
•

Pre-hash entropy preservation: For all dictionaries
$\mathtt{Dict}$
that are samplable in polynomial time with min-entropy
$\beta$
and any PPT adversary
$\mathcal{A}$
, there exists a negligible function
$\varepsilon(\cdot)$
such that for
$(P,s_{P})\leftarrow\mathcal{A}(pp)$
with
$pp\leftarrow\mathsf{Setup}(\lambda)$
and random password pw
$\xleftarrow{\$}\mathtt{Dict}$
,

$\displaystyle Pr\big{[}\big{(}s_{P}\in\mathbb{S}_{P}\big{)}\wedge\big{(}P=\mathsf{PreHash}(pp,\text{\emph{pw}},s_{P})\big{)}\big{]}\leq 2^{-\beta}+\varepsilon(\lambda).\vspace{-0.3cm}$
•

Entropy preservation: For all min-entropy
$\beta$
polynomial-time samplable dictionaries
$\mathtt{Dict}$
and any PPT adversary
$\mathcal{A}$
, there exists a negligible function
$\varepsilon(\cdot)$
such that for
$(H,s_{P},s_{H})\leftarrow\mathcal{A}(pp)$

$\displaystyle Pr\big{[}\big{(}s_{P}\in\mathbb{S}_{P}\big{)}\wedge\big{(}s_{H}\in\mathbb{S}_{H}\wedge H=\mathsf{Hash}(pp,\text{\emph{pw}},s_{P},s_{H})\big{)}\big{]}\leq 2^{-\beta}+\varepsilon(\lambda),\vspace{-1cm}$

where
$pp\leftarrow\mathsf{Setup}(\lambda)$
and pw
$\xleftarrow{\$}\mathtt{Dict}$
.
•

Password hiding: For all PPT adversaries
$\mathcal{A}=(\mathcal{A}_{1},\mathcal{A}_{2})$
, where
$\mathcal{A}_{1}(pp)$
outputs two equal length passwords
$\text{\emph{pw}}_{0}$
,
$\text{\emph{pw}}_{1}$
for
$pp\leftarrow\mathsf{Setup}(\lambda)$
and
$\mathcal{A}_{2}(H)$
outputs a bit
$b^{\prime}$
for
$H\leftarrow\mathsf{Hash}(pp,P,s_{P},s_{H})$
, where
$s_{H}\leftarrow\mathsf{Salt}(\lambda)$
,
$s_{P}\leftarrow\mathsf{PreSalt}(\lambda)$
and
$P\leftarrow\mathsf{PreHash}(pp,\text{\emph{pw}}_{b},s_{P})$
for a random bit
$b\xleftarrow{\$}\{0,1\}$
, there exists a negligible function
$\varepsilon(\cdot)$
such that

$\displaystyle\big{|}Pr[b=b^{\prime}]-\tfrac{1}{2}\big{|}\leq\varepsilon(\lambda).\vspace{-0.3cm}$

Zero-Knowledge Password Policy Check. Let
$\mathcal{H}=(\mathsf{Setup},\mathsf{PreSalt},\mathsf{PreHash},\mathsf{Salt},\mathsf{Hash})$

be a randomised password hashing scheme. A password policy check (PPC) is an interactive protocol between a client and server where the password policy
$f=\big{(}(k_{D},k_{S},k_{L},k_{U}),n_{\sf min},n_{\sf max}\big{)}$

of the server and public parameters
$pp\leftarrow\mathsf{Setup}(\lambda)$

are used as common inputs. At the end of the execution, the server accepts a hash value
$\mathbf{h}$

of any password
$p w$

of the client’s choice if and only if
$f(pw)=\mathtt{true}$

. A PPC protocol is an argument of knowledge of the password
$p w$

and ssrandomness
$s_{P}\leftarrow\mathsf{PreSalt}(pp)$

,
$s_{H}\leftarrow\mathsf{Salt}(pp)$

used for hashing. To prevent leaking the password to the server, one additionally requires that the protocol be zero-knowledge.

More formally, a zero-knowledge PPC protocol is an interactive protocol between a prover (client) and verifier (server), in which, given
$(pp,f,\mathbf{h})$

the former convinces the later in zero-knowledge that the former knows
$p w$

and randomness
$(s_{P},s_{H})$

such that:

f(pw)=\mathtt{true}\hskip 16.0pt\text{ and }\hskip 16.0pt\mathsf{Hash}(pp,P,s_{P},s_{H})=\mathbf{h},\vspace{-0.2cm}

where
$P\leftarrow\mathsf{PreHash}(pp,pw,s_{P})$

3Our Constructions

To construct randomised password hashing schemes and ZKPPC protocols from concrete computational assumptions, the first challenge is to derive a password encoding mechanism that operates securely and interacts smoothly with the hashing and zero-knowledge layers. In the discrete log setting considered in [31], passwords are mapped to large integers and then encoded as elements in a group of large order. Unfortunately, this does not translate well to the lattice setting as working with large-norm objects usually reduces the security and efficiency of the construction. Therefore, a different method, which encodes passwords as small-norm objects, is desirable. In this work, we will therefore use binary vectors.

Let
$\mathsf{bin}(\cdot)$

be the function that maps non-negative integers to their binary decomposition. For any character
$c$

encoded in ASCII, let
$\mathtt{ASCII}(c)\in[0,255]$

be its code. Then, we define
$\mathsf{enc}(c)$

for an ASCII encoded character
$c$

and
$\mathsf{enc}(pw)$

for some length-
$t$

password
$pw=(c_{1},\ldots,c_{t})\in\Sigma^{t}$

	$\displaystyle\mathsf{enc}(c)$	$\displaystyle=\mathsf{bin}(\mathtt{ASCII}(c))\in\{0,1\}^{8},$
	$\displaystyle\mathsf{encode}(pw)$	$\displaystyle=\big{(}\mathsf{enc}(c_{1})\\|\ldots\\|\mathsf{enc}(c_{t})\big{)}\in\{0,1\}^{8t}.\vspace{-0.5cm}$

3.1Notations, Sets and Permutations

Let
$\mathfrak{m},\mathfrak{n}$

be arbitrary positive integers. We define the following sets and permutations:

$\diamond$

$\mathsf{B}_{\mathfrak{m}}^{2}$
: the set of all vectors in
$\{0,1\}^{2\mathfrak{m}}$
whose Hamming weight is exactly
$\mathfrak{m}$
. Note that for
$\mathbf{x}\in\mathbb{Z}^{2\mathfrak{m}}$
and
$\psi\in\mathcal{S}_{2\mathfrak{m}}$
the following holds:

$\displaystyle\begin{cases}\mathbf{x}\in\mathsf{B}_{\mathfrak{m}}^{2}\hskip 6.8pt\Leftrightarrow\hskip 6.8pt\psi(\mathbf{x})\in\mathsf{B}_{\mathfrak{m}}^{2};\\ \mathbf{x}\in\mathsf{B}_{\mathfrak{m}}^{2}\text{ and }\psi\xleftarrow{\$}\mathcal{S}_{2\mathfrak{m}},\text{ then }\psi(\mathbf{x})\text{ is uniform over }\mathsf{B}_{\mathfrak{m}}^{2}.\end{cases}$ (2)
$\diamond$

$T_{\psi,\mathfrak{n}}$
, for
$\psi\in\mathcal{S}_{\mathfrak{m}}$
: the permutation that, when applied to a vector
$\mathbf{v}=(\mathbf{v}_{1}\|\mathbf{v}_{2}\|\ldots\|\mathbf{v}_{\mathfrak{m}})\in\mathbb{Z}^{\mathfrak{n}\mathfrak{m}}$
, consisting of
$\mathfrak{m}$
blocks of size
$\mathfrak{n}$
, re-arranges the blocks of
$\mathbf{v}$
according to
$\psi$
, as follows,

$T_{\psi,\mathfrak{n}}(\mathbf{v})=(\mathbf{v}_{\psi(1)}\|\mathbf{v}_{\psi(2)}\|\ldots\|\mathbf{v}_{\psi(\mathfrak{n})}).$

For convenience, when working with password alphabet
$\Sigma_{\sf all}=\Sigma_{D}\cup\Sigma_{S}\cup\Sigma_{L}\cup\Sigma_{U}$

and password policy
$f=\big{(}(k_{D},k_{U},k_{L},k_{S}),n_{\mathtt{min}},n_{\mathtt{max}}\big{)}$

, we introduce the following notations and sets:

$\diamond$

$\eta_{D}=|\Sigma_{D}|=10$
,
$\eta_{S}=|\Sigma_{S}|=32$
,
$\eta_{L}=|\Sigma_{L}|=26$
,
$\eta_{U}=|\Sigma_{U}|=26$
and
$\eta_{\sf all}=|\Sigma_{\sf all}|=94$
.
$\diamond$

For
$\alpha\in\{D,S,L,U,\mathsf{all}\}$
:
$\mathsf{Enc}_{\alpha}=\{\mathsf{enc}(w))\hskip 2.6pt\big{|}\hskip 2.6ptw\in\Sigma_{\alpha}\}$
.
$\diamond$

$\mathsf{SET}_{\alpha}$
for
$\alpha\in\{D,S,L,U,\mathsf{all}\}$
: the set of all vectors
$\mathbf{v}=(\mathbf{v}_{1}\|\ldots\|\mathbf{v}_{\eta_{\alpha}})\in\{0,1\}^{8\eta_{\alpha}}$
, such that the blocks
$\mathbf{v}_{1},\ldots,\mathbf{v}_{\eta_{\alpha}}\in\{0,1\}^{8}$
are exactly the binary encodings of all characters in
$\Sigma_{\alpha}$
, i.e.,

$\big{\{}\mathbf{v}_{1},\ldots,\mathbf{v}_{\eta_{\alpha}}\big{\}}=\big{\{}\mathsf{enc}(w)):\hskip 2.6pt\hskip 2.6ptw\in\Sigma_{\alpha}\big{\}}.$
$\diamond$

$\mathsf{SET}_{n_{\sf max}}$
: the set of all vectors
$\mathbf{v}=(\mathbf{v}_{1}\|\ldots\|\mathbf{v}_{n_{\sf max}})\in\{0,1\}^{n_{\sf max}\lceil\log n_{\sf max}\rceil}$
, such that the blocks
$\mathbf{v}_{1},\ldots,\mathbf{v}_{n_{\sf max}}\allowdisplaybreaks\in\{0,1\}^{\lceil\log n_{\sf max}\rceil}$
are exactly the binary decompositions of all integers in
$[n_{\sf max}]$
, i.e.,

$\big{\{}\mathbf{v}_{1},\ldots,\mathbf{v}_{n_{\sf max}}\big{\}}=\big{\{}\mathsf{bin}(1),\ldots,\mathsf{bin}(n_{\sf max})\big{\}}.$

Observe that the following properties hold.

$\diamond$

For all
$\alpha\in\{D,S,L,U,\mathsf{all}\}$
, all
$\mathbf{x}\in\mathbb{Z}^{8\eta_{\alpha}}$
and all
$\psi\in\mathcal{S}_{\eta_{\alpha}}$
:

$\displaystyle\begin{cases}\mathbf{x}\in\mathsf{SET}_{\alpha}\hskip 6.8pt\Leftrightarrow\hskip 6.8ptT_{\psi,8}(\mathbf{x})\in\mathsf{SET}_{\alpha};\\ \mathbf{x}\in\mathsf{SET}_{\alpha}\text{ and }\psi\xleftarrow{\$}\mathcal{S}_{\eta_{\alpha}},\text{ then }T_{\psi,8}(\mathbf{x})\text{ is uniform over }\mathsf{SET}_{\alpha}.\end{cases}$ (3)

$\diamond$

For all
$\mathbf{x}\in\mathbb{Z}^{n_{\sf max}\lceil\log n_{\sf max}\rceil}$

and all
$\psi\in\mathcal{S}_{n_{\sf max}}$

\displaystyle\begin{cases}\mathbf{x}\in\mathsf{SET}_{n_{\sf max}}\hskip 6.8pt\Leftrightarrow\hskip 6.8ptT_{\psi,\lceil\log n_{\sf max}\rceil}(\mathbf{x})\in\mathbf{x}\in\mathsf{SET}_{n_{\sf max}};\\ \mathbf{x}\in\mathsf{SET}_{n_{\sf max}}\text{ and }\psi\xleftarrow{\$}\mathcal{S}_{n_{\sf max}},\text{ then }T_{\psi,\lceil\log n_{\sf max}\rceil}(\mathbf{x})\text{ is uniform over }\mathsf{SET}_{n_{\sf max}}.\end{cases}

(4)

3.2Randomised Password Hashing from Lattices

We describe our randomised password hashing scheme
$\mathcal{L}$

for passwords of length between two given integers
$n_{\sf min}$

and
$n_{\sf max}$

. At a high level, our scheme maps characters of the password
$p w$

to binary block vectors, re-arranges them with a random permutation
$\chi$

, and finally computes the password hash as a KTX commitment ([29], see also Section 2.1) to a vector storing all the information on
$p w$

and
$\chi$

. The scheme works as follows,

$\mathcal{L}.\mathsf{Setup}(\lambda)$

.

On input security parameter
$\lambda$

, the algorithm performs the following steps:

1.

Choose parameters
$n=\mathcal{O}(\lambda)$
, prime modulus
$q=\widetilde{\mathcal{O}}(n)$
, and dimension
$m=2n\lceil\log q\rceil$
.
2.

Sample matrices
$\mathbf{A}\xleftarrow{\$}\mathbb{Z}_{q}^{n\times(n_{\sf max}\lceil\log n_{\sf max}\rceil+8n_{\sf max})}$
and
$\mathbf{B}\xleftarrow{\$}\mathbb{Z}_{q}^{n\times m}$
.
3.

Let the pre-hash salt space be
$\mathbb{S}_{P}=\mathcal{S}_{n_{\sf max}}$
- the set of all permutations of
$n_{\sf max}$
elements, and hash salt space be
$\mathbb{S}_{H}=\{0,1\}^{m}$
.
4.

Output the public parameters
$pp=\big{(}n,q,m,\mathbb{S}_{P},\mathbb{S}_{H},\mathbf{A},\mathbf{B}\big{)}$
.

$\mathcal{L}.\mathsf{PreSalt}(pp)$

.

Sample
$\chi\xleftarrow{\$}\mathcal{S}_{n_{\sf max}}$

and output
$s_{P}=\chi$

$\mathcal{L}.\mathsf{PreHash}(pp,pw,s_{P})$

.

Let
$s_{P}=\chi\in\mathcal{S}_{n_{\sf max}}$

and
$t\in[n_{\sf min},n_{\sf max}]$

be the length of password
$p w$

. The pre-hash value
$P$

is computed as follows.

1.

Compute
$\mathsf{encode}({pw})\in\{0,1\}^{8t}$
, consisting of
$t$
blocks of length
$8$
.
2.

Insert
$n_{\sf max}-t~{}$
blocks of length
$8$
, each one being
$\mathsf{enc}({g})$
for some non-printable ASCII character
$g\in\Sigma_{\sf ASCII}\setminus\Sigma_{\sf all}$
, into the block-vector
$\mathsf{encode}({pw})$
to get
$\mathbf{e}\in\{0,1\}^{8n_{\sf max}}$
.¹¹This hides the actual length
$t$
of the password in the ZKPPC protocol in Section 3.4.
3.

Apply
$T_{\chi,8}$
to get
$\mathbf{e}^{\prime}=T_{\chi,8}(\mathbf{e})\in\{0,1\}^{8n_{\sf max}}$
.
4.

Output the pre-hash value
$P=\mathbf{e}^{\prime}$
.

$\mathcal{L}.\mathsf{Salt}(pp)$

.

Sample
$\mathbf{r}\xleftarrow{\$}\{0,1\}^{m}$

and output
$s_{H}=\mathbf{r}$

$\mathcal{L}.\mathsf{Hash}(pp,P,s_{P},s_{H})$

.

Let
$P=\mathbf{e}^{\prime}\in\{0,1\}^{8n_{\sf max}}$

,
$s_{P}=\chi\in\mathcal{S}_{n_{\sf max}}$

and
$s_{H}=\mathbf{r}\in\{0,1\}^{m}$

. The hash value
$\mathbf{h}$

is computed as follows,

1.

Express the permutation
$\chi$
as
$\chi=[\chi(1),\ldots,\chi(n_{\sf max})]$
, where for each
$i\in[n_{\sf max}]$
,
$\chi(i)\in[n_{\sf max}]$
. Then, form

$\mathbf{e}_{0}=\big{(}\mathsf{bin}(\chi(1)-1)\|\ldots\|\mathsf{bin}(\chi(n_{\sf max})-1)\big{)}\in\{0,1\}^{n_{\sf max}\lceil\log n_{\sf max}\rceil}.$
2.

Form
$\mathbf{x}=(\mathbf{e}_{0}\|\mathbf{e}^{\prime})\in\{0,1\}^{n_{\sf max}\lceil\log n_{\sf max}\rceil+8n_{\sf max}}$
and output
$\mathbf{h}=\mathbf{A}\cdot\mathbf{x}+\mathbf{B}\cdot\mathbf{r}\in\mathbb{Z}_{q}^{n}$
.

In the following theorem, we demonstrate that the proposed scheme satisfies the security requirements defined in Section 2.4.

Theorem 3.1

Under the
$\mathsf{SIS}$

assumption, the randomised password hashing scheme,
$\mathcal{L}$

, described above satisfies
$5$

requirements: pre-image resistance, second pre-image resistance, pre-hash entropy preservation, entropy preservation and password hiding.

Proof

First, we remark that, by construction, if the pre-hash salt
$s_{P}=\chi$

is given, then we can reverse the procedure used to extend the length
$t$

password by simply discarding any non-printable characters after applying the inverse of the permutation specified by
$s_{P}$

. Hence, if
$s_{P}$

is hidden, then due to its randomness, the min-entropy of
$P$

is larger than the min-entropy of
$p w$

. Thus, the proposed hashing scheme has the pre-hash entropy preservation and entropy preservation properties.

Next, note that
$\mathbf{h}=\mathbf{A}\cdot\mathbf{x}+\mathbf{B}\cdot\mathbf{r}\bmod q$

is a proper KTX commitment of message
$\mathbf{x}$

with randomness
$\mathbf{r}$

. Thus, from the statistical hiding property of the commitment scheme, the password hiding property holds.

Furthermore, if one can produce distinct pre-hash values
$P$

,
$P^{\prime}$

that yield the same hash value
$\mathbf{h}$

, then one can use these values to break the computational binding property of the KTX commitment scheme. This implies that second pre-image resistance property holds under the SIS assumption.

Finally, over the randomness of matrix
$\mathbf{A}$

, password
$p w$

and pre-hash salt
$s_{P}$

, except for a negligible probability (i.e., in the event one accidentally finds a solution to the SIS problem associated with matrix
$\mathbf{A}$

), vector
$\mathbf{A}\cdot\mathbf{x}$

accepts at least
$2^{\beta}$

values in
$\mathbb{Z}_{q}^{n}$

, where
$\beta$

is the min-entropy of the dictionary
$\mathtt{Dict}$

from which
$p w$

is chosen. Therefore, even if
$\mathbf{A}\cdot\mathbf{x}=\mathbf{h}-\mathbf{B}\cdot s_{H}\bmod q$

is given, to find
$P=\mathbf{e}^{\prime}$

, one has to perform
$2^{\beta}$

invocations of
$\mathsf{PreHash}$

which implies that the scheme satisfies the pre-image resistance property. ∎

3.3Techniques for Proving Set Membership

In our construction of ZKPPC in Section 3.4, we will have to prove that a linear relation of the form

\displaystyle\sum_{i}{\big{(}\text{public matrix }\mathbf{M}_{i}\big{)}\cdot\big{(}\text{binary secret vector }\mathbf{s}_{i}\big{)}}=\mathbf{h}\bmod q

holds, where each secret vector
$\mathbf{s}_{i}$

must be an element of a given set of relatively small cardinality, e.g.,
$\mathsf{Enc}_{D},\mathsf{Enc}_{S},\mathsf{Enc}_{L},\mathsf{Enc}_{U},\mathsf{Enc}_{\sf all}$

. Thus, we need to design suitable sub-protocols to prove set membership.

In the lattice-based world, a set membership argument system with logarithmic complexity in the cardinality of the set was proposed in [36], exploiting Stern-like protocols and Merkle hash trees. Despite its asymptotic efficiency, the actual efficiency is worse when the underlying set has small, constant size. To tackle the problems encountered here, we employ a different approach, which has linear complexity but is technically simpler and practically more efficient.

Suppose we have to prove that an
$\mathfrak{n}$

-dimensional vector
$\mathbf{s}_{i}$

belongs to a set of
$\mathfrak{m}$

vectors
$\{\mathbf{v_{1}},\ldots,\mathbf{v}_{\mathfrak{m}}\}$

. To this end, we append
$\mathfrak{m}-1$

blocks to vector
$\mathbf{s}_{i}$

to get an
$\mathfrak{n}\mathfrak{m}$

-dimensional vector
$\mathbf{s}_{i}^{\star}$

whose
$\mathfrak{m}$

blocks are exactly elements of the set
$\{\mathbf{v_{1}},\ldots,\mathbf{v}_{\mathfrak{m}}\}$

. At the same time, we append
$\mathfrak{n}(\mathfrak{m}-1)$

zero-columns to public matrix
$\mathbf{M}_{i}$

to get matrix
$\mathbf{M}^{\star}_{i}$

satisfying
$\mathbf{M}^{\star}_{i}\cdot\mathbf{s}^{\star}_{i}=\mathbf{M}_{i}\cdot\mathbf{s}_{i}$

, so that we preserve the linear equation under consideration. In this way, we reduce the set-membership problem to the problem of proving the well-formedness of
$\mathbf{s}^{\star}_{i}$

. The latter can be done via random permutations of blocks in the framework of Stern’s protocol. For instance, to prove that
$\mathbf{s}_{i}\in\mathsf{Enc}_{D}$

, i.e.,
$\mathbf{s}_{i}$

is a correct binary encoding of a digit, we extend it to
$\mathsf{s}^{\star}_{i}\in\mathsf{SET}_{D}$

, apply a random permutation to the extended vector, and make use of the properties observed in (3).

3.4Zero-Knowledge Password Policy Check Protocol

We now present our construction of ZKPPC from lattices. Throughout, we use notations, sets and permutation techniques specified in Section 3.1 to reduce the statement to be proved to an instance of the relation
$\mathrm{R}_{\rm abstract}$

considered in Section 2.2, which in turn can be handled by the Stern-like protocol of Figure 1.

Our protocol allows a prover
$\mathcal{P}$

to convince a verifier
$\mathcal{V}$

in ZK that
$\mathcal{P}$

knows a password
$p w$

that hashes to a given value with randomness
$\chi,\mathbf{r}$

, and satisfies some policy
$f=\big{(}(k_{D},k_{U},k_{L},k_{S}),n_{\mathtt{min}},n_{\mathtt{max}}\big{)}$

.²²The construction we present considers the scenario where
$k_{D},k_{S},k_{L},k_{U}$

are all positive. Our scheme can be easily adjusted to handle the case where one or more of them are
$0$

. Recall that
$\mathcal{V}$

demands
$p w$

must have length between
$n_{\sf min}$

and
$n_{\sf max}$

inclusive, contain at least
$k_{D}$

digits,
$k_{S}$

symbols,
$k_{L}$

lower-case and
$k_{U}$

upper-case letters. For simplicity, we let
$k_{\sf all}=n_{\sf min}-(k_{D}+k_{U}+k_{L}+k_{S}).$

The common input consists of matrices
$\mathbf{A}\in\mathbb{Z}_{q}^{n\times(n_{\sf max}\lceil\log n_{\sf max}\rceil+8n_{\sf max})},\mathbf{B}\in\mathbb{Z}_{q}^{n\times m}$

, hash value
$\mathbf{h}\in\mathbb{Z}_{q}^{n}$

and extra information

\Delta=(\delta_{D,1},\ldots,\delta_{D,k_{D}},\delta_{S,1},\ldots,\delta_{S,k_{S}},\delta_{L,1},\ldots,\delta_{L,k_{L}},\delta_{U,1},\ldots,\delta_{U,k_{U}},\delta_{\mathsf{all},1},\ldots,\delta_{\mathsf{all},k_{\sf all}})\in[n_{\sf max}]^{n_{\sf min}},\vspace{-0.2cm}

which indicates the positions of the blocks, inside vector
$P=\mathbf{e}^{\prime}$

, encoding
$k_{D}$

digits,
$k_{S}$

symbols,
$k_{L}$

lower-case letters,
$k_{U}$

upper-case letters and
$k_{\sf all}$

other printable characters within
$p w$

. Revealing
$\Delta$

to
$\mathcal{V}$

does not harm
$\mathcal{P}$

, since the original positions of those blocks (in vector
$\mathbf{e}$

) are protected by the secret permutation
$\chi$

The prover’s witness consists of vectors
$\mathbf{x}=(\mathbf{e}_{0}\|\mathbf{e}^{\prime})\in\{0,1\}^{n_{\sf max}\lceil\log n_{\sf max}\rceil+8n_{\sf max}}$

and
$\mathbf{r}\in\{0,1\}^{m}$

satisfying the following conditions:

1.

$\mathbf{A}\cdot\mathbf{x}+\mathbf{B}\cdot\mathbf{r}=\mathbf{h}\bmod q$
;
2.

$\mathbf{e}_{0}=\big{(}\hskip 2.8pt\mathsf{bin}(\chi(1)-1)\hskip 2.8pt\|\ldots\|\hskip 2.8pt\mathsf{bin}(\chi(n_{\sf max}-1))\hskip 2.8pt\big{)}$
;
3.

$\mathbf{e}^{\prime}$
has the form
$(\mathbf{x}_{1},\ldots,\mathbf{x}_{n_{\sf max}})$
, where, for all
$\alpha\in\{D,S,L,U,\mathsf{all}\}$
and all
$i\in[k_{\alpha}]$
, it holds that
$\mathbf{x}_{\delta_{\alpha,i}}\in\mathsf{Enc}_{\alpha}$
.

We first observe that, if we express matrix
$\mathbf{A}$

as
$\mathbf{A}=\big{[}\mathbf{A}_{0}\mid\mathbf{A}_{1}\mid\ldots\mid\mathbf{A}_{n_{\sf max}}\big{]}$

, where
$\mathbf{A}_{0}\in\mathbb{Z}_{q}^{n_{\sf max}\lceil\log n_{\sf max}\rceil}$

and
$\mathbf{A}_{1},\ldots,\mathbf{A}_{n_{\sf max}}\in\mathbb{Z}_{q}^{n\times 8}$

, then equation
$\mathbf{A}\cdot\mathbf{x}+\mathbf{B}\cdot\mathbf{r}=\mathbf{h}\bmod q$

can be equivalently written as

\displaystyle\displaystyle{\mathbf{A}_{0}\cdot\mathbf{e}_{0}+\sum_{\alpha\in\{D,S,L,U,\mathsf{all}\},i\in[k_{\alpha}]}\mathbf{A}_{\delta_{\alpha,i}}\cdot\mathbf{x}_{\delta_{\alpha,i}}+\sum_{j\in[n_{\sf max}]\setminus\Delta}\mathbf{A}_{j}\cdot\mathbf{x}_{j}+\mathbf{B}\cdot\mathbf{r}=\mathbf{h}\bmod q.}

(5)

Note that, we have
$\mathbf{e}_{0}\in\mathsf{SET}_{n_{\sf max}}$

. We next transform the witness vectors
$\mathbf{x}_{1},\ldots,\mathbf{x}_{n_{\sf max}},\mathbf{r}$

as follows,

$\diamond$

For all
$\alpha\in\{D,S,L,U,\mathsf{all}\}$
and all
$i\in[k_{\alpha}]$
, to prove that
$\mathbf{x}_{\delta_{\alpha,i}}\in\mathsf{Enc}_{\alpha}$
, we append
$\eta_{\alpha}-1$
suitable blocks to
$\mathbf{x}_{\delta_{\alpha,i}}$
to get vector
$\mathbf{x}^{\star}_{\delta_{\alpha,i}}\in\mathsf{SET}_{\alpha}$
.
$\diamond$

For vectors
$\{\mathbf{x}_{j}\}_{j\in[n_{\sf max}]\setminus\Delta}$
, note that it is necessary and sufficient to prove that they are binary vectors (namely, they are encoding of characters that may or may not be printable). Similarly, we have to prove that
$\mathbf{r}$
is a binary vector. To this end, we let
$\mathbf{y}\in\{0,1\}^{8(n_{\sf max}-n_{\sf min})}$
be a concatenation of all
$\{\mathbf{x}_{j}\}_{j\in[n_{\sf max}]\setminus\Delta}$
and
$\mathbf{z}=(\mathbf{y}\|\mathbf{r})\in\{0,1\}^{8(n_{\sf max}-n_{\sf min})+m}$
. Then, we append suitable binary entries to
$\mathbf{z}$
to get
$\mathbf{z}^{\star}\in\{0,1\}^{2(8(n_{\sf max}-n_{\sf min})+m)}$
with Hamming weight exactly
$8(n_{\sf max}-n_{\sf min})+m$
, i.e.,
$\mathbf{z}^{\star}\in\mathsf{B}^{2}_{8(n_{\sf max}-n_{\sf min})+m}$
.

Having performed the above transformations, we construct the vector
$\mathbf{w}\in\{0,1\}^{\ell}$

, where

\ell=n_{\sf max}\lceil\log n_{\sf max}\rceil+8(k_{D}\eta_{D}+k_{S}\eta_{S}+k_{L}\eta_{L}+k_{U}\eta_{U})+8k_{\sf all}\eta_{\sf all}+2(8(n_{\sf max}-n_{\sf min})+m),\vspace{-0.2cm}

and
$\mathbf{w}$

has the form:

	$\displaystyle\mathbf{w}=\big{(}\hskip 2.6pt\mathbf{e}_{0}\hskip 2.6pt\\|\hskip 2.6pt\mathbf{x}^{\star}_{\delta_{D,1}}\hskip 2.6pt\\|\hskip 2.6pt\ldots\\|\hskip 2.6pt\mathbf{x}^{\star}_{\delta_{D,k_{D}}}$		$\displaystyle\\|\hskip 2.6pt\mathbf{x}^{\star}_{\delta_{S,1}}\hskip 2.6pt\\|\hskip 2.6pt\ldots\\|\mathbf{x}^{\star}_{\delta_{S,k_{S}}}\hskip 2.6pt\\|\hskip 2.6pt\mathbf{x}^{\star}_{\delta_{L,1}}\hskip 2.6pt\\|\hskip 2.6pt\ldots\\|\hskip 2.6pt\mathbf{x}^{\star}_{\delta_{L,k_{L}}}$		(6)
			$\displaystyle\\|\hskip 2.6pt\mathbf{x}^{\star}_{\delta_{U,1}}\hskip 2.6pt\\|\hskip 2.6pt\ldots\\|\hskip 2.6pt\mathbf{x}^{\star}_{\delta_{U,k_{U}}}\hskip 2.6pt\\|\hskip 2.6pt\mathbf{x}^{\star}_{\delta_{\mathsf{all},1}}\hskip 2.6pt\\|\hskip 2.6pt\ldots\\|\hskip 2.6pt\mathbf{x}^{\star}_{\delta_{\mathsf{all},k_{\sf all}}}\hskip 2.6pt\\|\hskip 2.6pt\mathbf{z}^{\star}\hskip 2.6pt\big{)}.\vspace{-0.2cm}$		(6)

When performing extensions over the secret vectors, we also append zero-columns to the public matrices in equation (5) so that it is preserved. Then, we concatenate the extended matrices to get
$\mathbf{M}\in\mathbb{Z}_{q}^{n\times\ell}$

such that (5) becomes, with
$\mathbf{v}=\mathbf{h}\in\mathbb{Z}_{q}^{n}$

\mathbf{M}\cdot\mathbf{w}=\mathbf{v}\bmod q.

(7)

We have now established the first step towards reducing the given statement to an instance of the relation
$\mathrm{R}_{\rm abstract}$

from Section 2.2. Next, we will specify the set
$\mathsf{VALID}$

containing the vector
$\mathbf{w}$

, set
$\mathcal{S}$

and permutations
$\{\Gamma_{\phi}:\phi\in\mathcal{S}\}$

such that the conditions in (1) hold.

Define
$\mathsf{VALID}$

as the set of all vectors
$\mathbf{w}\in\{0,1\}^{\ell}$

having the form (6), where

$\diamond$

$\mathbf{e}_{0}\in\mathsf{SET}_{n_{\sf max}}$
;
$\diamond$

$\mathbf{x}^{\star}_{\delta_{\alpha,i}}\in\mathsf{SET}_{\alpha}$
for all
$\alpha\in\{D,S,L,U,\mathsf{all}\}$
and all
$i\in[k_{\alpha}]$
;
$\diamond$

$\mathbf{z}^{\star}\in\mathsf{B}^{2}_{8(n_{\sf max}-n_{\sf min})+m}$
.

It can be seen that the vector
$\mathbf{w}$

obtained above belongs to this tailored set
$\mathsf{VALID}$

. Next, let us define the set of permutations
$\mathcal{S}$

as follows,

\mathcal{S}=\mathcal{S}_{n_{\sf max}}\times\big{(}\mathcal{S}_{\eta_{D}}\big{)}^{k_{D}}\times\big{(}\mathcal{S}_{\eta_{S}}\big{)}^{k_{S}}\times\big{(}\mathcal{S}_{\eta_{L}}\big{)}^{k_{L}}\times\big{(}\mathcal{S}_{\eta_{U}}\big{)}^{k_{U}}\times\big{(}\mathcal{S}_{\eta_{\sf all}}\big{)}^{k_{\sf all}}\times\mathcal{S}_{2(8(n_{\sf max}-n_{\sf min})+m)}.\vspace{-0.2cm}

Then, for each element

\phi=\big{(}\hskip 1.6pt\pi,\hskip 1.6pt\tau_{D,1},\ldots,\hskip 1.6pt\tau_{D,k_{D}},\hskip 1.6pt\tau_{S,1},\ldots,\hskip 1.6pt\tau_{S,k_{S}},\hskip 1.6pt\tau_{L,1},\ldots,\hskip 1.6pt\tau_{L,k_{L}},\hskip 1.6pt\tau_{U,1},\ldots,\hskip 1.6pt\tau_{U,k_{U}},\hskip 1.6pt\tau_{\mathsf{all},1},\ldots,\hskip 1.6pt\tau_{\mathsf{all},k_{\sf all}},\hskip 1.6pt\theta\hskip 1.6pt\big{)}\in\mathcal{S},\vspace{-0.2cm}

we define the permutation
$\Gamma_{\phi}$

that, when applied to
$\mathbf{w}\in\mathbb{Z}^{\ell}$

of the form

	$\displaystyle\mathbf{w}=\big{(}\hskip 2.6pt\mathbf{e}_{0}\hskip 2.6pt\\|\hskip 2.6pt\mathbf{x}^{\star}_{\delta_{D,1}}\hskip 2.6pt\\|\hskip 2.6pt\ldots\\|\hskip 2.6pt\mathbf{x}^{\star}_{\delta_{D,k_{D}}}$		$\displaystyle\\|\hskip 2.6pt\mathbf{x}^{\star}_{\delta_{S,1}}\hskip 2.6pt\\|\hskip 2.6pt\ldots\\|\mathbf{x}^{\star}_{\delta_{S,k_{S}}}\hskip 2.6pt\\|\hskip 2.6pt\mathbf{x}^{\star}_{\delta_{L,1}}\hskip 2.6pt\\|\hskip 2.6pt\ldots\\|\hskip 2.6pt\mathbf{x}^{\star}_{\delta_{L,k_{L}}}$
			$\displaystyle\\|\hskip 2.6pt\mathbf{x}^{\star}_{\delta_{U,1}}\hskip 2.6pt\\|\hskip 2.6pt\ldots\\|\hskip 2.6pt\mathbf{x}^{\star}_{\delta_{U,k_{U}}}\hskip 2.6pt\\|\hskip 2.6pt\mathbf{x}^{\star}_{\delta_{\mathsf{all},1}}\hskip 2.6pt\\|\hskip 2.6pt\ldots\\|\hskip 2.6pt\mathbf{x}^{\star}_{\delta_{\mathsf{all},k_{\sf all}}}\hskip 2.6pt\\|\hskip 2.6pt\mathbf{z}^{\star}\hskip 2.6pt\big{)}.\vspace{-0.2cm}$

where
$\mathbf{e}_{0}\in\mathbb{Z}^{n_{\sf max}\lceil\log n_{\sf max}\rceil}$

,
$\mathbf{x}^{\star}_{\delta_{\alpha,i}}\in\mathbb{Z}^{8\eta_{\alpha}}$

for all
$\alpha\in\{D,S,L,U,\mathsf{all}\}$

and
$i\in k_{\alpha}$

, and
$\mathbf{z}^{\star}\in\mathbb{Z}^{2(8(n_{\sf max}-n_{\sf min})+m)}$

, it transforms the blocks of vector
$\mathbf{w}$

as follows,

$\diamond$

$\mathbf{e}_{0}\mapsto T_{\pi,\lceil\log n_{\sf max}\rceil}(\mathbf{e}_{0})$
.
$\diamond$

For all
$\alpha\in\{D,S,L,U,\mathsf{all}\}$
and all
$i\in k_{\alpha}$
:
$\mathbf{x}^{\star}_{\delta_{\alpha,i}}\mapsto T_{\tau_{\alpha,i},8}(\mathbf{x}^{\star}_{\delta_{\alpha,i}})$
.
$\diamond$

$\mathbf{z}^{\star}\mapsto\theta(\mathbf{z}^{\star})$
.

Based on the properties observed in (2), (3), and (4), it can be seen that we have satisfied the conditions specified in (1), namely,

\displaystyle\begin{cases}\mathbf{w}\in\mathsf{VALID}\hskip 2.5pt\Leftrightarrow\hskip 2.5pt\Gamma_{\phi}(\mathbf{w})\in\mathsf{VALID},\\ \text{If }\mathbf{w}\in\mathsf{VALID}\text{ and }\phi\text{ is uniform in }\mathcal{S},\text{ then }\Gamma_{\phi}(\mathbf{w})\text{ is uniform in }\mathsf{VALID}.\end{cases}\vspace{-0.2cm}

Having reduced the considered statement to an instance of the relation
$\mathrm{R}_{\rm abstract}$

, let us now describe how our protocol is executed. The protocol uses the KTX string commitment scheme
$\mathsf{COM}$

, which is statistically hiding and computationally binding under the SIS assumption. Prior to the interaction, the prover
$\mathcal{P}$

and verifier
$\mathcal{V}$

construct the matrix
$\mathbf{M}$

and vector
$\mathbf{v}$

based on the common inputs
$(\mathbf{A},\mathbf{B},\mathbf{h},\Delta)$

, while
$\mathcal{P}$

builds the vector
$\mathbf{w}\in\mathsf{VALID}$

from vectors
$\mathbf{x}$

and
$\mathbf{r}$

, as discussed above. Then,
$\mathcal{P}$

and
$\mathcal{V}$

interact per Figure 1. We thus obtain the following result, as a corollary of Theorem 2.1.

Theorem 3.2

Under the
$\mathsf{SIS}$

assumption, the protocol above is a ZKPPC protocol with respect to the randomised password hashing scheme
$\mathcal{L}$

from Section 3.2 and policy
$f=\big{(}(k_{D},k_{U},k_{L},k_{S}),n_{\mathtt{min}},n_{\mathtt{max}}\big{)}$

. The protocol is a statistical ZKAoK with perfect completeness, soundness error
$2/3$

and communication cost
$\mathcal{O}(\ell\log q)$

Proof

Perfect completeness, soundness error
$2/3$

and communication cost
$\mathcal{O}(\ell\log q)$

of the protocol follow from the use of the abstract protocol in Figure 1. For simulation, we simply run the simulator of Theorem 2.1.

As for knowledge extraction, we first run the knowledge extractor of Theorem 2.1 to get the vector
$\mathbf{w}^{\prime}\in\mathsf{VALID}$

such that
$\mathbf{M}\cdot\mathbf{w}^{\prime}=\mathbf{v}\bmod q.$

Then, we “backtrack” the transformations to extract from
$\mathbf{w}^{\prime}$

, vectors
$\mathbf{x}^{\prime}=(\mathbf{e}^{\prime}_{0}\|\mathbf{x}^{\prime}_{1}\|\ldots\|\mathbf{x}^{\prime}_{n_{\sf max}})\in\{0,1\}^{n_{\sf max}\lceil\log n_{\sf max}\rceil+8n_{\sf max}}$

and
$\mathbf{r}^{\prime}\in\{0,1\}^{m}$

such that

$\diamond$

$\mathbf{A}\cdot\mathbf{x}^{\prime}+\mathbf{B}\cdot\mathbf{r}^{\prime}=\mathbf{h}\bmod q$
;
$\diamond$

$\mathbf{e}^{\prime}_{0}\in\mathsf{SET}_{n_{\sf max}}$
;
$\diamond$

For all
$\alpha\in\{D,S,L,U,\mathsf{all}\}$
and all
$i\in k_{\alpha}$
:
$\mathbf{x}^{\prime}_{\delta_{\alpha,i}}\in\mathsf{Enc}_{\alpha}$
.

Notice that one can recover a permutation of
$n_{\sf max}$

elements from an element of
$\mathsf{SET}_{n_{\sf max}}$

. Let
$\chi^{\prime}$

be the permutation encoded by
$\mathbf{e}^{\prime}_{0}$

. Then, by applying the inverse permutation
$T^{-1}_{\chi^{\prime},8}$

to
$(\mathbf{x}^{\prime}_{1}\|\ldots\|\mathbf{x}^{\prime}_{n_{\sf max}})$

, we recover
$\mathbf{e}^{\prime}\in\{0,1\}^{8n_{\sf max}}$

. Finally, by removing potential blocks of length
$8$

that correspond to encodings of non-printable ASCII characters from
$\mathbf{e}^{\prime}$

, we obtain a vector that encodes some password string
$pw^{\prime}$

satisfying policy
$f$

. ∎

Efficiency analysis. By inspection, we can see that, without using the big-O notation, each round of the proposed protocol has communication cost slightly larger than

\ell\log q=\big{(}n_{\sf max}\lceil\log n_{\sf max}\rceil+8(k_{D}\eta_{D}+k_{S}\eta_{S}+k_{L}\eta_{L}+k_{U}\eta_{U})+8k_{\sf all}\eta_{\sf all}+2(8(n_{\sf max}-n_{\sf min})+m)\big{)}\log q.\vspace{-0.2cm}

Let us estimate the cost in practice. Note that the KTX commitment scheme can work with relatively small lattice parameters, e.g.,
$n=256$

,
$\log q=10$

,
$m=5120$

. For a common password policy
$f=\big{(}(1,1,1,1),8,16\big{)}$

, the communication cost would be about
$17$

KB. As each round has a soundness error of
$2/3$

, one may have to repeat the protocol many times in parallel to achieve a high level of confidence. For instance, if a soundness error of
$2^{-30}$

is required, then one can repeat
$52$

times for a final cost of around
$900$

KB. In practical implementations, one can exploit various optimizations (e.g., instead of sending a random vector, one can send the PRNG seed used to generate it) to reduce the communication complexity.

4Conclusion and Open Questions

Through the use of the KTX commitment scheme [29] and a Stern-like zero-knowledge argument of set membership, we designed a lattice-based zero-knowledge protocol for proving that a committed/hashed password sent to the server satisfies the required password policy. All together, we obtain the first ZKPPC that is based on the hardness of the SIS problem which to date remains quantum resistant. Unfortunately, there are no viable VPAKE protocols from lattices that can be coupled with our ZKPPC protocol to construct a complete privacy-preserving password-based authentication and key exchange system.

Our proposed ZKPPC protocol can be employed to securely register chosen passwords at remote servers with the following security guarantees: (1) Registered passwords are not disclosed to the server until used; (2) Each registered password provably conforms to the specified password policy. Although not being ready to be deployed in practice, we view this work as the first step in designing post-quantum privacy-preserving password-based authentication and key exchange systems.

We leave several open questions as potential future work: (1) to construct a more practical lattice-based ZKPPC; (2) to develop a lattice-based VPAKE; and (3) to extend lattice-based ZKPPC to other PAKE protocols, such as two-server PAKE, where the passwords are secretly shared between two servers, of which we assume at most one to be compromisable. The third question is similar to the one asked by Kiefer and Manulis [31] and as they noted, it is a challenge even in the classical discrete logarithm setting.

Acknowledgements. We would like to thank the anonymous reviewers of ISC 2017 for helpful comments. The research is supported by Singapore Ministry of Education under Research Grant MOE2016-T2-2-014(S) and by NTU under Tier 1 grant RG143/14.

References

[1]M. Ajtai.Generating hard instances of lattice problems (extended abstract).In STOC 1996. ACM, 1996.
[2]C. Baum, I. Damgård, K. G. Larsen, and M. Nielsen.How to prove knowledge of small secrets.In CRYPTO 2016, volume 9816 of Lecture Notes in Computer Science. Springer, 2016.
[3]C. Baum, I. Damgård, S. Oechsner, and C. Peikert.Efficient commitments and zero-knowledge protocols from ring-sis with applications to lattice-based threshold cryptosystems.Cryptology ePrint Archive, Report 2016/997, 2016.
[4]E. Bauman, Y. Lu, and Z. Lin.Half a century of practice: Who is still storing plaintext passwords?In ISPEC 2015, volume 9065 of Lecture Notes in Computer Science. Springer, 2015.
[5]M. Bellare, D. Pointcheval, and P. Rogaway.Authenticated key exchange secure against dictionary attacks.In EUROCRYPT 2000, volume 1807 of Lecture Notes in Computer Science. Springer, 2000.
[6]S. M. Bellovin and M. Merritt.Encrypted key exchange: password-based protocols secure against dictionary attacks.In IEEE Symposium on Security and Privacy. IEEE, 1992.
[7]S. M. Bellovin and M. Merritt.Augmented encrypted key exchange: A password-based protocol secure against dictionary attacks and password file compromise.In ACM CCS 1993. ACM, 1993.
[8]F. Benhamouda, O. Blazy, C. Chevalier, D. Pointcheval, and D. Vergnaud.New techniques for sphfs and efficient one-round pake protocols.In CRYPTO 2013, volume 8402 of Lecture Notes in Computer Science. Springer, 2013.
[9]F. Benhamouda, J. Camenisch, S. Krenn, V. Lyubashevsky, and G. Neven.Better zero-knowledge proofs for lattice encryption and their application to group signatures.In ASIACRYPT 2014, volume 8873 of Lecture Notes in Computer Science. Springer, 2014.
[10]F. Benhamouda, S. Krenn, V. Lyubashevsky, and K. Pietrzak.Efficient zero-knowledge proofs for commitments from learning with errors over rings.In Computer Security - ESORICS 2015, Part I, volume 9326 of Lecture Notes in Computer Science. Springer, 2015.
[11]F. Benhamouda and D. Pointcheval.Verifier-based password-authenticated key exchange: New models and constructions.Cryptology ePrint Archive, Report 2013/833, 2013.
[12]S. Cheng, K. Nguyen, and H. Wang.Policy-based signature scheme from lattices.Des. Codes Cryptography, 81(1):43–74, 2016.
[13]R. Cramer, I. Damgård, C. Xing, and C. Yuan.Amortized complexity of zero-knowledge proofs revisited: Achieving linear soundness slack.In EUROCRYPT 2017, volume 10210 of Lecture Notes in Computer Science. Springer, 2017.
[14]R. del Pino and V. Lyubashevsky.Amortization with fewer equations for proving knowledge of small secrets.Cryptology ePrint Archive, Report 2017/280, 2017.
[15]Y. Ding and L. Fan.Efficient password-based authenticated key exchange from lattices.In CIS 2011. IEEE, 2011.
[16]C. Dong, L. Chen, and Z. Wen.When private set intersection meets big data: an efficient and scalable protocol.In ACM CCS 2013. ACM, 2013.
[17]C. Dong and F. Kiefer.Secure set-based policy checking and its application to password registration.In CANS 2015, volume 9476 of Lecture Notes in Computer Science. Springer, 2015.
[18]D. Florêncio and C. Herley.Where do security policies come from?In SOUPS 2010. ACM, 2010.
[19]J. Furukawa.Efficient and verifiable shuffling and shuffle-decryption.IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, 88-A(1):172–188, 2005.
[20]S. Gates.Linkedin password hack: Check to see if yours was one of the 6.5 million leaked, 2012.http://www.huffingtonpost.com/2012/06/07/linkedin-password-hack-check_n_1577184.html.
[21]R. Gennaro and Y. Lindell.A framework for password-based authenticated key exchange.In EUROCRYPT 2003, volume 2656 of Lecture Notes in Computer Science. Springer, 2003.
[22]C. Gentry, P. MacKenzie, and Z. Ramzan.A method for making password-based key exchange resilient to server compromise.In CRYPTO 2006, volume 4117 of Lecture Notes in Computer Science. Springer, 2006.
[23]C. Gentry, C. Peikert, and V. Vaikuntanathan.Trapdoors for hard lattices and new cryptographic constructions.In STOC 2008. ACM, 2008.
[24]O. Goldreich and S. Goldwasser.On the limits of non-approximability of lattice problems.In STOC 1998. ACM, 1998.
[25]J. Groth.Evaluating security of voting schemes in the universal composability framework.In ACNS 2004, volume 3089 of Lecture Notes in Computer Science. Springer, 2004.
[26]T. Hunt.Have i been pwned, 2017.https://haveibeenpwned.com/, accessed on 7 July 2017.
[27]A. Jain, S. Krenn, K. Pietrzak, and A. Tentes.Commitments and efficient zero-knowledge proofs from learning parity with noise.In ASIACRYPT 2012, volume 7658 of Lecture Notes in Computer Science. Springer, 2012.
[28]J. Katz and V. Vaikuntanathan.Smooth projective hashing and password-based authenticated key exchange from lattices.In ASIACRYPT 2009, volume 5912 of Lecture Notes in Computer Science. Springer, 2009.
[29]A. Kawachi, K. Tanaka, and K. Xagawa.Concurrently secure identification schemes based on the worst-case hardness of lattice problems.In ASIACRYPT 2008, volume 5350 of Lecture Notes in Computer Science. Springer, 2008.
[30]F. Kiefer.Advancements in password-based cryptography.PhD thesis, University of Surrey, 2016.
[31]F. Kiefer and M. Manulis.Zero-knowledge password policy checks and verifier-based PAKE.In ESORICS 2014, volume 8713 of Lecture Notes in Computer Science. Springer, 2014.
[32]F. Kiefer and M. Manulis.Blind password registration for two-server password authenticated key exchange and secret sharing protocols.In ISC 2016, volume 9866 of Lecture Notes in Computer Science. Springer, 2016.
[33]F. Kiefer and M. Manulis.Blind password registration for verifier-based PAKE.In AsiaPKC@AsiaCCS 2016. ACM, 2016.
[34]B. Libert, S. Ling, F. Mouhartem, K. Nguyen, and H. Wang.Signature schemes with efficient protocols and dynamic group signatures from lattice assumptions.In ASIACRYPT 2016, volume 10032 of Lecture Notes in Computer Science. Springer, 2016.
[35]B. Libert, S. Ling, F. Mouhartem, K. Nguyen, and H. Wang.Zero-knowledge arguments for matrix-vector relations and lattice-based group encryption.In ASIACRYPT 2016, volume 10032 of Lecture Notes in Computer Science. Springer, 2016.
[36]B. Libert, S. Ling, K. Nguyen, and H. Wang.Zero-knowledge arguments for lattice-based accumulators: Logarithmic-size ring signatures and group signatures without trapdoors.In EUROCRYPT 2016, volume 9666 of Lecture Notes in Computer Science. Springer, 2016.
[37]S. Ling, K. Nguyen, D. Stehlé, and H. Wang.Improved zero-knowledge proofs of knowledge for the ISIS problem, and applications.In PKC 2013, volume 7778 of Lecture Notes in Computer Science. Springer, 2013.
[38]S. Ling, K. Nguyen, and H. Wang.Group signatures from lattices: Simpler, tighter, shorter, ring-based.In PKC 2015, volume 9020 of Lecture Notes in Computer Science. Springer, 2015.
[39]S. Ling, K. Nguyen, H. Wang, and Y. Xu.Lattice-based group signatures: Achieving full dynamicity with ease.In ACNS 2017, volume 10355 of Lecture Notes in Computer Science, 2017.
[40]V. Lyubashevsky.Lattice-based identification schemes secure under active attacks.In PKC 2008, volume 4939 of Lecture Notes in Computer Science. Springer, 2008.
[41]V. Lyubashevsky.Lattice signatures without trapdoors.In EUROCRYPT 2012, volume 7237 of Lecture Notes in Computer Science. Springer, 2012.
[42]D. Micciancio and C. Peikert.Hardness of SIS and LWE with small parameters.In CRYPTO 2013, volume 8402 of Lecture Notes in Computer Science. Springer, 2013.
[43]D. Micciancio and S. P. Vadhan.Statistical zero-knowledge proofs with efficient provers: Lattice problems and more.In CRYPTO 2003, volume 2729 of Lecture Notes in Computer Science. Springer, 2003.
[44]NIST.Post-quantum crypto standardization - call for proposals announcement, 2016.http://csrc.nist.gov/groups/ST/post-quantum-crypto/cfp-announce-dec2016.html.
[45]T. P. Pedersen.Non-interactive and information-theoretic secure verifiable secret sharing.In CRYPTO 1991, volume 576 of Lecture Notes in Computer Science. Springer, 1991.
[46]C. Peikert and V. Vaikuntanathan.Noninteractive statistical zero-knowledge proofs for lattice problems.In CRYPTO 2008, volume 5157 of Lecture Notes in Computer Science. Springer, 2008.
[47]N. Perlroth.More than half a billion yahoo accounts have been hacked, yahoo confirms, 2016.https://www.nytimes.com/2016/09/23/technology/yahoo-hackers.html.
[48]O. Regev.On lattices, learning with errors, random linear codes, and cryptography.In STOC 2005. ACM, 2005.
[49]P. W. Shor.Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer.SIAM Review, 41(2):303–332, 1999.
[50]J. Stern.A new paradigm for public key identification.IEEE Trans. Information Theory, 42(6):1757–1768, 1996.
[51]B. Ur, P. G. Kelley, S. Komanduri, J. Lee, M. Maass, M. L. Mazurek, T. Passaro, R. Shay, T. Vidas, L. Bauer, N. Christin, and L. F. Cranor.How does your password measure up? the effect of strength meters on password creation.In USENIX Security Symposium 2012. USENIX Association, 2012.

Appendix 0.AProof of Theorem 2.1

We provide the proof of Theorem 2.1 as it appears in [34] but first restate the theorem.

Theorem 2.1. The protocol in Figure 1 is a statistical ZKAoK with perfect completeness, soundness error
$2/3$

, and communication cost
${\mathcal{O}}(\ell\log q)$

. Namely:

•

There exists a polynomial-time simulator that, on input
$(\mathbf{M},\mathbf{v})$
, outputs an accepted transcript statistically close to that produced by the real prover.
•

There exists a polynomial-time knowledge extractor that, on input a commitment
$\mathrm{CMT}$
and
$3$
valid responses
$(\mathrm{RSP}_{1},\mathrm{RSP}_{2},\mathrm{RSP}_{3})$
to all
$3$
possible values of the challenge
$C h$
, outputs
$\mathbf{w}^{\prime}\in\mathsf{VALID}$
such that
$\mathbf{M}\cdot\mathbf{w}^{\prime}=\mathbf{v}\bmod q.$

Proof

Perfect completeness of the protocol can be checked: If a prover follows the protocol honestly, the verifier will always accept. It is also easy to see that the communication cost is bounded by
${\mathcal{O}}(\ell\log q)$

We now prove that the protocol is a statistical zero-knowledge argument of knowledge.

Zero-Knowledge Property. We construct a PPT simulator
$\mathsf{SIM}$

interacting with a (possibly dishonest) verifier
$\widehat{\mathcal{V}}$

, such that, given only the public inputs, with probability negligibly close to
$2/3$

,
$\mathsf{SIM}$

outputs a simulated transcript that is statistically close to the one produced by the honest prover in the real interaction.

$\mathsf{SIM}$

first chooses uniformly at random,
$\overline{Ch}\in\{1,2,3\}$

, its prediction of
$C h$

that
$\widehat{\mathcal{V}}$

will not choose.

Case
$\overline{Ch}=1$

: Using basic linear algebra over
$\mathbb{Z}_{q}$

,
$\mathsf{SIM}$

computes a vector
$\mathbf{w}^{\prime}\in\mathbb{Z}_{q}^{\ell}$

such that
$\mathbf{M}\cdot\mathbf{w}^{\prime}=\mathbf{v}\bmod q.$

Next, it samples
$\mathbf{r}_{w}\xleftarrow{\$}\mathbb{Z}_{q}^{\ell}$

,
$\phi\xleftarrow{\$}\mathcal{S}$

, and randomness
$\rho_{1},\rho_{2},\rho_{3}$

for
$\mathsf{COM}$

. Finally, it sends the commitment
$\mathrm{CMT}=\big{(}C^{\prime}_{1},C^{\prime}_{2},C^{\prime}_{3}\big{)}$

to
$\widehat{\mathcal{V}}$

, where

\displaystyle C^{\prime}_{1}=\mathsf{COM}(\phi,\mathbf{M}\cdot\mathbf{r}_{w};\rho_{1}),\quad C^{\prime}_{2}=\mathsf{COM}(\Gamma_{\phi}(\mathbf{r}_{w});\rho_{2}),\quad C^{\prime}_{3}=\mathsf{COM}(\Gamma_{\phi}(\mathbf{w}^{\prime}+\mathbf{r}_{w});\rho_{3}).\vspace{-0.2cm}

Receiving a challenge
$C h$

from
$\widehat{\mathcal{V}}$

, the simulator responds as follows:

•

If
$Ch=1$
: Output
$\bot$
and abort.
•

If
$Ch=2$
: Send
$\mathrm{RSP}=\big{(}\phi,\mathbf{w}^{\prime}+\mathbf{r}_{w},\rho_{1},\rho_{3}\big{)}$
.
•

If
$Ch=3$
: Send
$\mathrm{RSP}=\big{(}\phi,\mathbf{r}_{w},\rho_{1},\rho_{2}\big{)}$
.

Case
$\overline{Ch}=2$

:
$\mathsf{SIM}$

samples
$\mathbf{w}^{\prime}\xleftarrow{\$}\mathsf{VALID}$

,
$\mathbf{r}_{w}\xleftarrow{\$}\mathbb{Z}_{q}^{\ell}$

,
$\phi\xleftarrow{\$}\mathcal{S}$

, and randomness
$\rho_{1},\rho_{2},\rho_{3}$

for
$\mathsf{COM}$

. Then, it sends the commitment
$\mathrm{CMT}=\big{(}C^{\prime}_{1},C^{\prime}_{2},C^{\prime}_{3}\big{)}$

to
$\widehat{\mathcal{V}}$

, where

\displaystyle C^{\prime}_{1}=\mathsf{COM}(\phi,\mathbf{M}\cdot\mathbf{r}_{w};\rho_{1}),\quad C^{\prime}_{2}=\mathsf{COM}(\Gamma_{\phi}(\mathbf{r}_{w});\rho_{2}),\quad C^{\prime}_{3}=\mathsf{COM}(\Gamma_{\phi}(\mathbf{w}^{\prime}+\mathbf{r}_{w});\rho_{3}).

Receiving a challenge
$C h$

from
$\widehat{\mathcal{V}}$

, the simulator responds as follows:

•

If
$Ch=1$
: Send
$\mathrm{RSP}=\big{(}\Gamma_{\phi}(\mathbf{w}^{\prime}),\Gamma_{\phi}(\mathbf{r}_{w}),\rho_{2},\rho_{3}\big{)}$
.
•

If
$Ch=2$
: Output
$\bot$
and abort.
•

If
$Ch=3$
: Send
$\mathrm{RSP}=\big{(}\phi,\mathbf{r}_{w},\rho_{1},\rho_{2}\big{)}$
.

Case
$\overline{Ch}=3$

:
$\mathsf{SIM}$

samples
$\mathbf{w}^{\prime}\xleftarrow{\$}\mathsf{VALID}$

,
$\mathbf{r}_{w}\xleftarrow{\$}\mathbb{Z}_{q}^{\ell}$

,
$\phi\xleftarrow{\$}\mathcal{S}$

, and randomness
$\rho_{1},\rho_{2},\rho_{3}$

for
$\mathsf{COM}$

. Then, it sends the commitment
$\mathrm{CMT}=\big{(}C^{\prime}_{1},C^{\prime}_{2},C^{\prime}_{3}\big{)}$

to
$\widehat{\mathcal{V}}$

, where
$C^{\prime}_{2}=\mathsf{COM}(\Gamma_{\phi}(\mathbf{r}_{w});\rho_{2})$

,
$C^{\prime}_{3}=\mathsf{COM}(\Gamma_{\phi}(\mathbf{w}^{\prime}+\mathbf{r}_{w});\rho_{3})$

as in the previous two cases, while

\displaystyle C^{\prime}_{1}=\mathsf{COM}(\phi,\mathbf{M}\cdot(\mathbf{w}^{\prime}+\mathbf{r}_{w})-\mathbf{v};\rho_{1}).

Receiving a challenge
$C h$

from
$\widehat{\mathcal{V}}$

, it responds as follows:

•

If
$Ch=1$
: Send
$\mathrm{RSP}$
computed as in the case
$(\overline{Ch}=2,Ch=1)$
.
•

If
$Ch=2$
: Send
$\mathrm{RSP}$
computed as in the case
$(\overline{Ch}=1,Ch=2)$
.
•

If
$Ch=3$
: Output
$\bot$
and abort.

Observe that, in each of the cases considered above, since
$\mathsf{COM}$

is statistically hiding, the distribution of the commitment
$\mathrm{CMT}$

and challenge
$C h$

from
$\widehat{\mathcal{V}}$

are statistically close to those in the real interaction. Hence, the probability that the simulator outputs
$\bot$

is negligibly close to
$1/3$

. Moreover, one can check that whenever the simulator does not halt, it will provide an accepted transcript, the distribution of which is statistically close to the prover’s in the real interaction. In other words, the constructed simulator can successfully impersonate the honest prover with probability negligibly close to
$2/3$

Argument of Knowledge. Suppose
$\mathrm{RSP}_{1}=(\mathbf{t}_{w},\mathbf{t}_{r},\rho_{2},\rho_{3})$

,
$\mathrm{RSP}_{2}=(\phi_{2},\mathbf{w}_{2},\rho_{1},\rho_{3})$

and
$\mathrm{RSP}_{3}=(\phi_{3},\mathbf{w}_{3},\rho_{1},\rho_{2})$

are
$3$

valid responses to the same commitment
$\mathrm{CMT}=(C_{1},C_{2},C_{3})$

, with respect to all
$3$

possible values of the challenge. The validity of these responses implies that:

\begin{cases}\mathbf{t}_{w}\in\mathsf{VALID};\\ C_{1}=\mathsf{COM}(\phi_{2},\mathbf{M}\cdot\mathbf{w}_{2}-\mathbf{v}\bmod q;\rho_{1})=\mathsf{COM}(\phi_{3},\mathbf{M}\cdot\mathbf{w}_{3};\rho_{1});\\ C_{2}=\mathsf{COM}(\mathbf{t}_{r};\rho_{2})=\mathsf{COM}(\Gamma_{\phi_{3}}(\mathbf{w}_{3});\rho_{2});\\ {C}_{3}=\mathsf{COM}(\mathbf{t}_{w}+\mathbf{t}_{r}\bmod q;\rho_{3})=\mathsf{COM}(\Gamma_{\phi_{2}}(\mathbf{w}_{2});\rho_{3}).\end{cases}

Since COM is computationally binding, it implies that

\displaystyle\begin{cases}\mathbf{t}_{w}\in\mathsf{VALID};\hskip 2.8pt\phi_{2}=\phi_{3};\hskip 2.8pt\mathbf{t}_{r}=\Gamma_{\phi_{3}}(\mathbf{w}_{3});\hskip 2.8pt\mathbf{t}_{w}+\mathbf{t}_{r}=\Gamma_{\phi_{2}}(\mathbf{w}_{2})\bmod q;\\[2.5pt] \mathbf{M}\cdot\mathbf{w}_{2}-\mathbf{v}=\mathbf{M}\cdot\mathbf{w}_{3}\bmod q.\end{cases}

(8)

Since
$\mathbf{t}_{w}\in\mathsf{VALID}$

, if we let
$\mathbf{w}^{\prime}=[\Gamma_{\phi_{2}}]^{-1}(\mathbf{t}_{w})$

, then
$\mathbf{w}^{\prime}\in\mathsf{VALID}$

. Furthermore, we have

\Gamma_{\phi_{2}}(\mathbf{w}^{\prime})+\Gamma_{\phi_{2}}(\mathbf{w}_{3})=\Gamma_{\phi_{2}}(\mathbf{w}_{2})\bmod q,

which means that
$\mathbf{w}^{\prime}+\mathbf{w}_{3}=\mathbf{w}_{2}\bmod q$

, and
$\mathbf{M}\cdot\mathbf{w}^{\prime}+\mathbf{M}\cdot\mathbf{w}_{3}=\mathbf{M}\cdot\mathbf{w}_{2}\bmod q$

. As a result, we have
$\mathbf{M}\cdot\mathbf{w}^{\prime}=\mathbf{v}\bmod q$

, concluding the proof. ∎

本文地址

https://architect.pub

登录发表评论
3 次浏览

发布日期

星期二, 一月 28, 2025 - 16:01

最后修改

星期二, 一月 28, 2025 - 16:01

	$\displaystyle\mathbf{w}=\big{(}\hskip 2.6pt\mathbf{e}_{0}\hskip 2.6pt\\|\hskip 2.6pt\mathbf{x}^{\star}_{\delta_{D,1}}\hskip 2.6pt\\|\hskip 2.6pt\ldots\\|\hskip 2.6pt\mathbf{x}^{\star}_{\delta_{D,k_{D}}}$		$\displaystyle\\|\hskip 2.6pt\mathbf{x}^{\star}_{\delta_{S,1}}\hskip 2.6pt\\|\hskip 2.6pt\ldots\\|\mathbf{x}^{\star}_{\delta_{S,k_{S}}}\hskip 2.6pt\\|\hskip 2.6pt\mathbf{x}^{\star}_{\delta_{L,1}}\hskip 2.6pt\\|\hskip 2.6pt\ldots\\|\hskip 2.6pt\mathbf{x}^{\star}_{\delta_{L,k_{L}}}$		(6)
			$\displaystyle\\|\hskip 2.6pt\mathbf{x}^{\star}_{\delta_{U,1}}\hskip 2.6pt\\|\hskip 2.6pt\ldots\\|\hskip 2.6pt\mathbf{x}^{\star}_{\delta_{U,k_{U}}}\hskip 2.6pt\\|\hskip 2.6pt\mathbf{x}^{\star}_{\delta_{\mathsf{all},1}}\hskip 2.6pt\\|\hskip 2.6pt\ldots\\|\hskip 2.6pt\mathbf{x}^{\star}_{\delta_{\mathsf{all},k_{\sf all}}}\hskip 2.6pt\\|\hskip 2.6pt\mathbf{z}^{\star}\hskip 2.6pt\big{)}.\vspace{-0.2cm}$		(6)

热门内容

今日:

总体:

最近浏览：

热门内容

今日:

总体:

最近浏览：

【安全技术】来自 Latices 的零知识密码策略检查

category

Abstract

1Introduction

2Preliminaries

2.1Some Lattice-Based Cryptographic Ingredients

Definition 1 (
$\mathsf{SIS}^{\infty}_{n,m,q,\beta}$
[1, 23])

2.2Zero-Knowledge Argument Systems and Stern-like Protocols

Theorem 2.1 ([34])

2.3Password Strings and Password Policies

Remark 1

2.4Randomised Password Hashing and Zero-Knowledge Password Policy Check

3Our Constructions

3.1Notations, Sets and Permutations

3.2Randomised Password Hashing from Lattices

Theorem 3.1

Proof

3.3Techniques for Proving Set Membership

3.4Zero-Knowledge Password Policy Check Protocol

Theorem 3.2

Proof

4Conclusion and Open Questions

References

Appendix 0.AProof of Theorem 2.1

Proof

最新内容

热门内容

今日:

总体:

最近浏览：

category

Abstract

1Introduction

2Preliminaries

2.1Some Lattice-Based Cryptographic Ingredients

Definition 1 ( 𝖲𝖨𝖲n,m,q,β∞ [1, 23])

2.2Zero-Knowledge Argument Systems and Stern-like Protocols

Theorem 2.1 ([34])

2.3Password Strings and Password Policies

Remark 1

2.4Randomised Password Hashing and Zero-Knowledge Password Policy Check

3Our Constructions

3.1Notations, Sets and Permutations

3.2Randomised Password Hashing from Lattices

Theorem 3.1

Proof

3.3Techniques for Proving Set Membership

3.4Zero-Knowledge Password Policy Check Protocol

Theorem 3.2

Proof

4Conclusion and Open Questions

References

Appendix 0.AProof of Theorem 2.1

Proof

最新内容

Definition 1 (
$\mathsf{SIS}^{\infty}_{n,m,q,\beta}$
[1, 23])