Lattice-Based Zero-Knowledge Proofs: New Techniques for Shorter and Faster Constructions and Applications
LATTICE
Shanghai Jiao Tong University
December 29, 2019
LATTICE (LATTICE@SJTU) Lattice-Based Zero-Knowledge Proofs December 29, 2019 1 / 108
Overview
1 Introduction
  Preliminary: Zero Knowledge Proof; Proof of Knowledge
  Background: Stern-type ZKPs; Schnorr-type ZKPs
2 ESLL19
  Contribution; Concept and Notation; Techniques
3 Applications
  Bits Relaxed ZKP; Range Proof
Interactive Proof
[GMR,1985]
Definition
An interactive proof system for L is an interactive protocol (P, V) such that ∀x:
(Completeness): If x ∈ L, then Pr[(P, V) accepts x] ≥ δc
(Soundness): If x ∉ L, then for every (even unbounded) prover P*, Pr[(P*, V) accepts x] ≤ δs
Zero Knowledge
[GMR,1985]
V ’s view: (P,V )(x) = V ’s random coins and messages it receives
Zero Knowledge: whatever V could compute following the interaction, he could have computed even without talking to P, by running the simulator on his own
Definition
An interactive proof (P,V ) for L is zero knowledge if ∃ PPT S , ∀x ∈ L
S(x) ≈ (P,V )(x)
Definition of ZKP
[Katz,2004]
Definition (Zero Knowledge Proof)
A pair of PPT algorithms (P, V) is called a zero-knowledge proof system for a language L ∈ NP if it satisfies the following properties:
1 (Completeness) For all x ∈ L and all witnesses w for x, Pr[V(1^k, x) accepts when interacting with P(1^k, x, w)] = 1.
2 (Soundness) For all x ∉ L and all (even all-powerful) P*: Pr[V(1^k, x) accepts when interacting with P*(x)] = negl(k).
3 (Zero Knowledge) For all PPT (cheating) verifiers V*, there exists a polynomial-time simulator Sim such that the following are computationally indistinguishable for any x ∈ L and witness w for x:
the view of V*(1^k, x) when interacting with P(1^k, x, w);
the output of Sim(1^k, x).
Honest-Verifier Zero Knowledge
[Katz,2004] The verifier honestly follows the protocol, but may later try to learn some information from the transcript.
Definition (Honest-Verifier Zero Knowledge Proof)
A pair of PPT algorithms (P, V) is called an honest-verifier zero-knowledge proof system for a language L ∈ NP if it satisfies the following properties:
1 (Completeness) As above.
2 (Soundness) As above.
3 (Honest-Verifier Zero Knowledge) There exists a polynomial-time simulator Sim such that the following are computationally indistinguishable for any x ∈ L and witness w for x:
the view of V(1^k, x) when interacting with P(1^k, x, w);
the output of Sim(1^k, x).
ZKP for all NP (1)
3-colorability is NP-complete
ZKP for all NP (2)
3-colorability is an NP-complete problem, so a ZKP for it yields a ZKP for every language in NP via a Karp reduction.
Completeness: if the graph is 3-colorable, V accepts w.p. 1.
Soundness: if the graph is not 3-colorable, then for every P* at least one edge is monochromatic (or opens to an invalid color) under whatever coloring P* committed to, so V rejects w.p. ≥ 1/(#edges) per round; repeating the protocol makes the cheating probability negligible.
Zero Knowledge: in each round V sees only two uniformly random distinct colors, because the color names are re-permuted before every round.
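The three-round 3-colorability protocol sketched above, as an added Python example that is not code from the slides. Commitments are modelled as SHA-256(nonce || colour), and the graph, the honest colouring and the cheater's colouring are constructed for illustration; the three functions at the end exercise completeness, the 1/|E| soundness bound and the zero-knowledge simulator.

```python
"""Three-round graph 3-colouring ZKP, added example (not from the slides).
Commitments: SHA-256(nonce || colour). Graph and colourings are constructed."""
import hashlib
import os
import random

# Constructed instance: a 4-cycle with one chord; 3-colourable, not 2-colourable.
EDGES = [(0, 1), (1, 2), (2, 3), (3, 0), (0, 2)]
N_VERTICES = 4
COLOURING = {0: 0, 1: 1, 2: 2, 3: 1}        # witness: a proper 3-colouring
BAD_COLOURING = {0: 0, 1: 1, 2: 2, 3: 0}    # cheater: exactly edge (3, 0) is monochromatic


def is_proper(edges, colouring):
    return all(colouring[u] != colouring[v] for u, v in edges)


def commit(value):
    nonce = os.urandom(16)
    return hashlib.sha256(nonce + bytes([value])).hexdigest(), nonce


def verify_opening(digest, value, nonce):
    return hashlib.sha256(nonce + bytes([value])).hexdigest() == digest


def prover_commit(colouring):
    """Round 1: randomly rename the three colours, then commit to every vertex."""
    perm = [0, 1, 2]
    random.shuffle(perm)
    permuted = {v: perm[c] for v, c in colouring.items()}
    commitments, nonces = {}, {}
    for v, c in permuted.items():
        commitments[v], nonces[v] = commit(c)
    return commitments, (permuted, nonces)


def prover_respond(state, edge):
    """Round 3: open only the two endpoints of the challenged edge."""
    permuted, nonces = state
    u, v = edge
    return (permuted[u], nonces[u]), (permuted[v], nonces[v])


def verifier_check(commitments, edge, response):
    u, v = edge
    (cu, nu), (cv, nv) = response
    return (verify_opening(commitments[u], cu, nu)
            and verify_opening(commitments[v], cv, nv)
            and cu != cv and cu in (0, 1, 2) and cv in (0, 1, 2))


def run_protocol(edges, colouring, rounds):
    """Completeness: an honest prover passes every round."""
    for _ in range(rounds):
        commitments, state = prover_commit(colouring)
        edge = random.choice(edges)                    # Round 2: verifier's challenge
        if not verifier_check(commitments, edge, prover_respond(state, edge)):
            return False
    return True


def cheating_success_rate(edges, bad_colouring, rounds, trials=2000):
    """Soundness: a prover committed to an improper colouring is caught with
    probability >= 1/|E| per round. Returns the empirical survival rate."""
    survived = 0
    for _ in range(trials):
        ok = True
        for _ in range(rounds):
            commitments, state = prover_commit(bad_colouring)
            edge = random.choice(edges)
            if not verifier_check(commitments, edge, prover_respond(state, edge)):
                ok = False
                break
        survived += ok
    return survived / trials


def simulate_transcript(edges, n_vertices):
    """Zero knowledge: without any colouring, guess the edge the honest verifier
    will ask about, put two random distinct colours there (anything elsewhere)
    and output (commitments, edge, openings); the opened pair is distributed
    exactly as in a real transcript."""
    edge = random.choice(edges)
    u, v = edge
    colouring = {w: 0 for w in range(n_vertices)}
    colouring[u], colouring[v] = random.sample([0, 1, 2], 2)
    commitments, state = prover_commit(colouring)
    return commitments, edge, prover_respond(state, edge)
```

With five edges the cheater survives a single round about 80% of the time and five rounds about 33% of the time, which is why Stern-type and other small-challenge protocols need many repetitions.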
Proof and Proof of Knowledge
[Katz,2004] PoK may be viewed as formalizing an even stronger notion of soundness.
A proof may be viewed as demonstrating that a particular statement is true;
A proof of knowledge may be viewed as demonstrating that the prover ”knows” why the statement is true.
1. Consider a finite cyclic group G and the language LG = {h | ∃x ∈ Zq s.t. g^x = h}. A proof that h ∈ LG is trivial (assuming deciding membership in G is trivial); a proof of knowledge that h ∈ LG implies that the prover ”knows” the value of log_g h, something that is not implied by a proof alone.
2. Consider a one-way permutation f and the language Lf = {y | ∃x s.t. f(x) = y}. A proof that y ∈ Lf is trivial (since Lf contains all strings); a proof of knowledge that y ∈ Lf implies that the prover ”knows” f^{−1}(y).
Knowledge
[Katz,2004] We define the ability to extract the knowledge from the machine: i.e., a machine M ”knows” something if there is a poly-time process by which we can extract this knowledge from M.
Definition
A machine knows something if it can output it.
Let R be an NP-relation.
A machine knows the witness to a statement x if it can output w s.t. (x, w) ∈ R.
The poly-time process that does the extracting is the knowledge extractor E.
Proof of Knowledge (1)
[Yang,2019]
Definition
A ZKAoK for R is an interactive protocol (P, V) that satisfies
(Completeness). For any (x, w) ∈ R, Pr[(P(x, w), V(x)) = 1] ≥ 1 − δc.
(Proof of Knowledge). There exists an extractor E such that for any x and any PPT cheating prover P*, if Pr[(P*, V(x)) = 1] ≥ δs + ε for some non-negligible ε, then E can extract in polynomial time a witness w such that (x, w) ∈ R by accessing P* in a black-box manner.
(Honest-Verifier Zero-Knowledge). There exists a simulator S such that for any (x, w) ∈ R, the following two distributions are computationally indistinguishable:
the view of an honest verifier V in an interaction (P(x, w), V(x));
the output of S(x).
where δc is the completeness error and δs is the soundness error.
Proof of Knowledge (2)
[Katz,2004]
ZK proofs. Zero-knowledge proofs involve a prover P trying to prove a statement to a verifier V without revealing any knowledge beyond the fact that the statement is true. (Simulator)
Proofs of knowledge. Proofs of knowledge are protocols in which the prover actually proves that he ”knows” a witness. (Knowledge Extractor)
A ZK proof requires a simulator who rewinds a cheating verifier to simulate a proof without knowing a witness, while a PoK requires a knowledge extractor who rewinds a cheating prover to extract a witness.
Argument and Argument of Knowledge
[Katz,2004]
We consider a relaxation of proofs called arguments.
An argument requires soundness to hold only with respect to polynomial-time cheating provers.
A proof requires the soundness condition to hold even for all-powerful provers.
An argument of knowledge (AoK) is defined s.t. a knowledge extractor is only required to extract a witness from provers running in polynomial time.
Proof of Knowledge for all NP (1)
The Hamiltonian cycle problem is NP-complete
Proof of Knowledge for all NP (2)
Theorem
This is a zero-knowledge proof of knowledge (ZK PoK) with soundness error 1/2 per round.
Completeness: if the graph has a Hamiltonian cycle, V accepts w.p. 1.
Proof of Knowledge: given, for the same committed graph G′, both a permutation Π with Π(G) = G′ (the c = 0 opening) and a Hamiltonian cycle in G′ (the c = 1 opening), applying Π^{−1} to that cycle yields a Hamiltonian cycle in the original graph G. The extractor obtains both openings by rewinding P* to the same first message.
Zero Knowledge: the crucial ingredient is the fresh random permutation Π, and the prover never opens both.
Types of Lattice-based ZKPs
’Combinatorial’ proofs (aka ’Stern-type’ [Stern,1993])
ChSet is small (typically |ChSet| = 3)
Pro: can prove complex relations, with standard (exact) soundness
Cons: many protocol repetitions are required (i.e., ’multi-shot’ proofs), giving very long and slow proofs
’Algebraic’ proofs (aka ’Schnorr-type’ [Schnorr,1989])
ChSet can be very large (even |ChSet| = 2^{2λ} for λ-bit PQ-security)
Pro: can achieve very short/fast proofs (i.e., can be ’one-shot’)
Cons: more limited in the types of proofs achievable so far; may prove relaxed (’approximate’) relations rather than exact ones
Stern-type ZKPs (1)
[Stern,1993] Code-based
Stern-type ZKPs (2)
[Stern,1993] Code-based
Reveal a1, a2, check commitments are computed honestly
Stern-type ZKPs (3)
[Stern,1993] Code-based
Reveal a1, a3, check commitments are computed honestly
Stern-type ZKPs (4)
[Stern,1993] Code-based
Reveal a2, a3, check commitments are computed honestly and w(π(x)) = m/2
Stern-JKPT12 ZKPs (1)
[JKPT, 2012] LPN-based
Stern-JKPT12 ZKPs (2)
[JKPT, 2012] LPN-based
Stern-KTX08 ZKPs (1)
[KTX,2008] Lattice-based
Our technical roadmap is
GapSVP_γ ≤ SIS_{q,m,β} ≤ CRH ≤ Commitment ≤ ZKP
The input is an m-bit vector x obtained by concatenating a random string ρ ←$ Z_2^{m/2} and a message string s ∈ Z_2^{m/2}, i.e., x = ρ‖s.
We then define the commitment function as
Com_A(s; ρ) := A x mod q = A(ρ‖s) mod q
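The KTX08 commitment Com_A(s; ρ) = A(ρ‖s) mod q and the "SIS ≤ CRH ≤ Commitment" step of the roadmap, as an added Python example that is not the slides' own code. The parameters (n = 3, m = 24, q = 97) are toy values chosen so that a binding break can be brute-forced in a fraction of a second; the point of the example is `binding_break_to_sis`, which turns two different openings of one commitment into a short nonzero z with A z = 0 mod q, i.e. an SIS solution with infinity norm 1.

```python
"""KTX08-style commitment Com_A(s; rho) = A (rho || s) mod q and the
binding-to-SIS reduction. Added example; toy parameters, not secure."""
import random

N, M, Q = 3, 24, 97          # toy: q^n = 97^3 < 2^m, so collisions are cheap to find


def sample_matrix(n, m, q, seed=1):
    rng = random.Random(seed)
    return [[rng.randrange(q) for _ in range(m)] for _ in range(n)]


def matvec(A, x, q):
    return [sum(a * xi for a, xi in zip(row, x)) % q for row in A]


def commit(A, s, rho, q):
    """Com_A(s; rho) = A * (rho || s) mod q with rho, s in {0,1}^{m/2}."""
    x = list(rho) + list(s)
    assert len(x) == len(A[0]) and all(b in (0, 1) for b in x)
    return matvec(A, x, q)


def open_commitment(A, c, s, rho, q):
    return commit(A, s, rho, q) == c


def random_bits(k, rng):
    return [rng.randrange(2) for _ in range(k)]


def binding_break_to_sis(A, q, s0, rho0, s1, rho1):
    """Two distinct openings of the same commitment give z = x0 - x1 with
    entries in {-1, 0, 1} and A z = 0 mod q. Returns z, or None if no collision."""
    x0, x1 = list(rho0) + list(s0), list(rho1) + list(s1)
    if x0 == x1 or matvec(A, x0, q) != matvec(A, x1, q):
        return None
    return [a - b for a, b in zip(x0, x1)]


def is_sis_solution(A, z, q, beta=1):
    return (any(z) and max(abs(v) for v in z) <= beta
            and all(v == 0 for v in matvec(A, z, q)))


def find_collision_by_search(A, q, attempts=6000, seed=2):
    """Birthday search for a collision. Feasible only because the toy range
    Z_q^n has about 9e5 elements; with real parameters this is as hard as SIS."""
    rng = random.Random(seed)
    seen = {}
    for _ in range(attempts):
        rho, s = random_bits(M // 2, rng), random_bits(M // 2, rng)
        c = tuple(commit(A, s, rho, q))
        key = (tuple(s), tuple(rho))
        if c in seen and seen[c] != key:
            s0, rho0 = seen[c]
            return (list(s0), list(rho0)), (s, rho)
        seen[c] = key
    return None


def demo(seed=7):
    """Honest commit/open, then a brute-forced binding break turned into SIS."""
    A = sample_matrix(N, M, Q)
    rng = random.Random(seed)
    s, rho = random_bits(M // 2, rng), random_bits(M // 2, rng)
    honest_ok = open_commitment(A, commit(A, s, rho, Q), s, rho, Q)
    (s0, rho0), (s1, rho1) = find_collision_by_search(A, Q)
    z = binding_break_to_sis(A, Q, s0, rho0, s1, rho1)
    return honest_ok, z, is_sis_solution(A, z, Q)
```

Hiding comes from the uniformly random half ρ of the input (a leftover-hash style argument in the paper); binding is exactly the statement that the search above is infeasible, which is why the roadmap passes through collision-resistant hashing.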
Stern-KTX08 ZKPs (2)
Stern-KTX08 ZKPs (3)
Stern-KTX08 ZKPs (4)
[KTX,2008] Lattice-based (protocol figures)
Stern-LNSW13 ZKPs (1)
Stern-LNSW13 ZKPs (2)
Stern-LNSW13 ZKPs (3)
Stern-LNSW13 ZKPs (4)
Stern-LNSW13 ZKPs (5)
Stern-LNSW13 ZKPs (6)
Stern-LNSW13 ZKPs (7)
Stern-LNSW13 ZKPs (8)
[LNSW, 2013] Lattice-based (protocol figures)
Schnorr-type ZKPs (1)
Schnorr-type ZKPs (2)
Schnorr-type ZKPs (3)
Schnorr-type ZKPs (4)
[Schnorr,1989] Discrete-Logarithm based (protocol figures)
Schnorr-Lyu08 ZKPs (1)
Schnorr-Lyu08 ZKPs (2)
Schnorr-Lyu08 ZKPs (3)
[Lyu, 2008] Lattice-based (protocol figures)
Schnorr-Lyu12 ZKPs (1)
Schnorr-Lyu12 ZKPs (2)
Schnorr-Lyu12 ZKPs (3)
Schnorr-Lyu12 ZKPs (4)
Schnorr-Lyu12 ZKPs (5)
Schnorr-Lyu12 ZKPs (6)
Schnorr-Lyu12 ZKPs (7)
Schnorr-Lyu12 ZKPs (8)
[Lyu, 2012] Lattice-based (protocol figures)
Schnorr-BKLP15 ZKPs (1)
Schnorr-BKLP15 ZKPs (2)
Schnorr-BKLP15 ZKPs (3)
[BKLP, 2015] Lattice-based (protocol figures)
Comparison
Contribution I
Efficient ’One-shot’ proof techniques for non-linear relations of degree k > 1:
Generalization of ’Fiat-Shamir with aborts’ to higher degrees
New tools for controlling extracted witness length: adjugate matrix
Speed-up Techniques:
CRT message packing in commitment supporting inter-slot operations
NTT-friendly rings
Contribution II
Shorter and faster lattice-based protocols based on non-linear relation proofs:
Commitment to Bits proof
Integer Range Proof
Applications:
Ring signature
Blockchain
Structured Lattice (1)
Structured Lattice (2)
Structured Lattice (3)
Structured Lattice (4)
Reduction from SIVP (worst-case lattice problems)
SIVPγ ≤ SIS [Ajtai, 1996]
SIVPγ ≤ LWE [Regev, 2005]
Reduction from Id-SIVP (i.e., SIVPγ restricted to ideal lattices)
Id-SIVPγ ≤ Ring-SIS
Id-SIVPγ ≤ Ring-LWE
Reduction from Mod-SIVP (i.e., SIVP restricted to module lattices)
Mod-SIVPγ ≤ Module-SIS [LS, 2015]
Mod-SIVPγ ≤ Module-LWE [LS, 2015]
Each change of hardness assumption (from SIS/LWE to their ring or module variants) buys efficiency but may come with a weakening of security, since the worst-case problem is restricted to a structured class of lattices.
Σ-Protocol
Definition
For relations R, R′ with R ⊆ R′, (P, V) is called a Σ-protocol for R, R′ with completeness error α, a challenge space C, and public-private inputs (v, w), if the following properties are satisfied.
Completeness: An interaction between an honest prover and an honest verifier is accepted with probability at least 1 − α whenever (v, w) ∈ R.
(k + 1)-special soundness: There exists an efficient PPT extractor E that computes w′ satisfying (v, w′) ∈ R′ given (k + 1) accepting protocol transcripts (a, x0, z0), ..., (a, xk, zk) with distinct xi’s for 0 ≤ i ≤ k. We refer to this process as witness extraction.
Special honest-verifier zero-knowledge (SHVZK): There exists an efficient PPT simulator S that outputs (a, z) given v in the language of R and x ∈ C such that (a, x, z) is indistinguishable from an accepting transcript produced by a real run of the protocol.
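The Σ-protocol definition above, instantiated with Schnorr's protocol (the discrete-log prototype of the Schnorr-type ZKPs in the Background section), as an added Python example that is not code from the slides. It is the k = 1 case of (k + 1)-special soundness: `extract` recovers w from two accepting transcripts with the same first message a and distinct challenges, and `simulate` is the SHVZK simulator that picks z first. The group (p = 2039, q = 1019, g = 4, with g of prime order q) is a toy constructed for illustration; R = R′ here, so the extracted witness is exact rather than relaxed.

```python
"""Schnorr's protocol as a Sigma-protocol: completeness, 2-special soundness
and SHVZK. Added example, toy group, not secure."""
import secrets

P, Q, G = 2039, 1019, 4      # p = 2q + 1, g = 2^2 generates the order-q subgroup


def keygen():
    w = secrets.randbelow(Q - 1) + 1
    return pow(G, w, P), w           # public h = g^w, witness w


def prover_commit():
    r = secrets.randbelow(Q)
    return pow(G, r, P), r           # first message a = g^r; prover keeps r


def challenge():
    return secrets.randbelow(Q)      # x drawn from C = Z_q


def prover_respond(w, r, x):
    return (r + x * w) % Q           # z = r + x*w mod q


def verify(h, a, x, z):
    return pow(G, z, P) == (a * pow(h, x, P)) % P


def run(h, w):
    """One honest execution; returns the verifier's decision."""
    a, r = prover_commit()
    x = challenge()
    return verify(h, a, x, prover_respond(w, r, x))


def extract(a, x0, z0, x1, z1):
    """2-special soundness: g^(z0 - z1) = h^(x0 - x1), so w = (z0 - z1)/(x0 - x1) mod q."""
    assert x0 != x1
    return ((z0 - z1) * pow((x0 - x1) % Q, -1, Q)) % Q


def rewind_and_extract(h, w):
    """Rewind the prover to the same first message a and feed two challenges."""
    a, r = prover_commit()
    x0, x1 = 17, 42
    z0, z1 = prover_respond(w, r, x0), prover_respond(w, r, x1)
    assert verify(h, a, x0, z0) and verify(h, a, x1, z1)
    return extract(a, x0, z0, x1, z1)


def simulate(h, x):
    """SHVZK simulator: choose z uniformly, then set a = g^z * h^(-x).
    (a, x, z) verifies and is distributed exactly like a real transcript."""
    z = secrets.randbelow(Q)
    a = (pow(G, z, P) * pow(h, (-x) % Q, P)) % P
    return a, x, z
```

The lattice analogues in ESLL19 differ in two ways the example makes visible: z must be short, so the prover rejection-samples (Fiat-Shamir with aborts), and dividing by (x0 − x1) is not possible in Rq in general, which is where the relaxation factor y of the next slide and the adjugate-matrix tool come from.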
Relaxed Commitment Scheme
Let n, m, B, q be positive integers, and assume that we commit to v-dimensional vectors over Rq for v ≥ 1. The opening algorithm Open is relaxed in the sense that it takes an additional input y ∈ Rq, called the relaxation factor, and checks whether y · C = Comck(m′; r′).
We say that (y, m′, r′) is a valid opening of C if Open(C, (y, m′, r′)) = 1. A valid opening (y, m′, r′) with y = 1 is called an exact valid opening.
If (y, m′, r′) is a valid opening such that y · C = Comck(y · m′; r′), then we call m′ a relaxed message opening with relaxation factor y.
Both commitment schemes used in ESLL19, the hashed-message commitment (HMC) and the unbounded-message commitment (UMC), are additively homomorphic:
Comck(m0; r0) + Comck(m1; r1) = Comck(m0 + m1; r0 + r1) and
c · Comck(m; r) = Comck(c · m; c · r) for c ∈ Rq.
Hashed-Message Commitment
Unbounded-Message Commitment
Standard Proof of Knowledge (1)
Standard Proof of Knowledge (2)
Standard Proof of Knowledge (3)
ZKPs for Non-Linear Relations (1)
ZKPs for Non-Linear Relations (2)
ZKPs for Non-Linear Relations (3)
ZKPs for Non-Linear Relations (4)
ZKPs for Non-Linear Relations (5)
ZKPs for Non-Linear Relations (6)
Bits Relaxed ZKP (1)
Bits Relaxed ZKP (2)
Bits Relaxed ZKP (3)
Bits Relaxed ZKP (4)
Integer Range Proof (1)
Integer Range Proof (2)
Integer Range Proof (3)
Polynomial CRT (1)
Polynomial CRT (2)
Polynomial CRT (3)
Range Proof Full Protocol (1)
Let ψ ∈ Z+ and let l^(i) ∈ [0, N_i) be the prover's values for 1 ≤ i ≤ ψ, where N_i = 2^{k_i}, k = k_1 + ... + k_ψ, and s is the smallest power of two such that s ≥ max{k_1, ..., k_ψ}.
For simplicity, we use base β = 2, but the result can be generalized to other base values β. The binary case gives the most compact proofs in practice.
Assume that R_q = Z_q[X]/(X^d + 1) splits into exactly s fields such that
R_q = R_q^(0) × ... × R_q^(s−1), with R_q^(i) = Z_q[X]/(P^(i)(X)) for some irreducible polynomial P^(i)(X) of degree d/s, for all 0 ≤ i < s.
Write l^(i) = (b_0^(i), ..., b_{k_i−1}^(i)) in binary representation and define
l_crt^(i) = ⟨b_0^(i), ..., b_{k_i−1}^(i)⟩
Range Proof Full Protocol (2)
Range Proof Full Protocol (3)
Range Proof Full Protocol (4)
Range Proof Full Protocol (5)
Proof (1)
Proof (2)
Proof (3)
Proof (4)
Extension to arbitrary ranges
We assumed that a range is of the form [0, N) for N = 2^k. Suppose that we want to prove l ∈ [a, b) for b > a + 1.
First, using V′ = V − Comck(a; 0) in the protocol proves that l − a ∈ [0, N), i.e., l ∈ [a, N + a).
Now, if b − a can be set so that b − a = N = 2^k, then we are done.
Otherwise, we set 2^k = N > b − a and run another range proof for V′′ = Comck(b; 0) − V. This proves that b − l ∈ [0, N), i.e., l ∈ [b − N, b).
As a result, l must be in the intersection of [a, N + a) and [b − N, b), i.e., l ∈ [a, b), because b − N < a ≤ l < b < N + a.
Range Proof Size (1)
Our range proof with CRT packing vs. a range proof using ’norm-optimal’ challenges on [0, 2^{log N} − 1] for 128-bit security (comparison table).
Range Proof Size (2)
Our range proof with CRT packing vs. an ’Ideal w/o CRT’ range proof on [0, 2^{log N} − 1] for 128-bit security (comparison table).
References I
Jonathan Katz (2004)
CMSC 858K - Advanced Topics in Cryptography
S. Goldwasser, S. Micali, and C. Rackoff (1985)
The Knowledge Complexity of Interactive Proof-Systems (Extended Abstract)
STOC, pages 291 - 304, 1985.
Muhammed F. Esgin, Ron Steinfeld, Joseph K. Liu, and Dongxi Liu (2019)
Lattice-based Zero-Knowledge Proofs: New Techniques for Shorter and Faster Constructions and Applications
CRYPTO, LNCS 11692, pp. 115 - 146, 2019.
Rupeng Yang, Man Ho Au, Zhenfei Zhang, Qiuliang Xu, Zuoxia Yu, and William Whyte (2019)
Efficient Lattice-Based Zero-Knowledge Arguments with Standard Soundness: Construction and Applications
CRYPTO, LNCS 11692, pp. 147 - 175, 2019.
J. Stern (1993)
A new identification scheme based on syndrome decoding
CRYPTO, LNCS vol. 773, pp. 13 - 21, 1993.
References II
C. P. Schnorr (1989)
Efficient Identification and Signatures for Smart Cards
CRYPTO, LNCS 435, pp. 239 - 252, 1990.
Akinori Kawachi, Keisuke Tanaka, Keita Xagawa (2008)
Concurrently Secure Identification Schemes Based on the Worst-Case Hardness of Lattice Problems
ASIACRYPT, LNCS 5350, pp. 372 - 389, 2008.
Abhishek Jain, Stephan Krenn, Krzysztof Pietrzak, and Aris Tentes (2012)
Commitments and Efficient Zero-Knowledge Proofs from Learning Parity with Noise
ASIACRYPT, LNCS 7658, pp. 663 - 680, 2012.
Vadim Lyubashevsky (2008)
Lattice-based identification schemes secure under active attacks
PKC, pp. 162 - 179, 2008.
San Ling, Khoa Nguyen, Damien Stehlé, and Huaxiong Wang (2013)
Improved Zero-Knowledge Proofs of Knowledge for the ISIS Problem, and Applications
PKC, LNCS 7778, pp. 107 - 124, 2013.
References III
Vadim Lyubashevsky (2012)
Lattice signatures without trapdoors
EUROCRYPT, pages 738 - 755, 2012.
Fabrice Benhamouda, Stephan Krenn, Vadim Lyubashevsky, and Krzysztof Pietrzak (2015)
Efficient Zero-Knowledge Proofs for Commitments from Learning With Errors over Rings
ESORICS, LNCS 9326, pp. 305 - 325, 2015.
Adeline Langlois, Damien Stehlé (2015)
Worst-case to average-case reductions for module lattices
DCC 75:565 - 599, 2015.
M. Ajtai (1996)
Generating hard instances of lattice problems (extended abstract)
STOC, pp. 99 - 108. ACM, New York (1996)
O. Regev (2005)
On lattices, learning with errors, random linear codes, and cryptography
STOC, pp. 84 - 93. ACM, New York (2005)