lattice-based zero-knowledge proofs: new techniques for

Lattice-Based Zero-Knowledge Proofs: New Techniquesfor Shorter and Faster Constructions and Applications

LATTICE

Shanghai Jiao Tong University

[email protected]

December 29, 2019

LATTICE (LATTICE@SJTU) Lattice-Based Zero-Knowledge Proofs December 29, 2019 1 / 108

Overview

1 IntroductionPreliminary

Zero Knowledge ProofProof of Knowledge

BackgroundStern-type ZKPsSchnorr-type ZKPs

2 ESLL19ContributionConcept and NotationTechniques

3 ApplicationsBits Relaxed ZKPRange Proof


Content







Content



Background

2 ESLL19

3 Applications


Interactive Proof

[GMR,1985]

Definition

An interactive proof system for L is an interactive protocol (P,V ) such that ∀x :

(Completeness): If x ∈ L, then Pr[(P,V ) accepts x ] ≥ δc

(Soundness): If x /∈ L, then Pr[(P,V ) accepts x ] ≤ δs


Zero Knowledge

[GMR,1985]

V ’s view: (P,V )(x) = V ’s random coins and messages it receives

Zero Knowledge: whatever V could compute following the interaction, hecould have computed even without talking to P, by running the simulator onhis own

Definition

An interactive proof (P,V ) for L is zero knowledge if ∃ PPT S , ∀x ∈ L

S(x) ≈ (P,V )(x)


Definition of ZKP

[Katz,2004]

Definition (Zero Knowledge Proof)

A pair of PPT algorithms (P, V) is called a zero-knowledge proof system for alanguage L ∈ NP if it satisfies the following properties:

1 (Completeness) For all x ∈ L, and all witnesses w for x ,Pr[V(1k , x) accepts when interacting with P(1k , x ,w)] = 1.

2 (Soundness) For all x /∈ L and all (even all powerful) P∗:Pr[V(1k , x) accepts when interacting with P∗(x)] = negl(k).

3 (Zero Knowledge) For all PPT (cheating verifiers) V∗, there exists apolynomial time simulator Sim such that the following are computationallyindistinguishable for any x ∈ L and witness w for x :

the view of V∗(1k , x) when interacting with P(1k , x ,w);the output of Sim(1k , x).


Honest-Verifier Zero Knowledge

[Katz,2004]Verifier honestly follows the protocol, but may later try to learn some informationfrom the transcript.

Definition (Honest-Verifier Zero Knowledge Proof)

A pair of PPT algorithms (P, V) is called a Honest-Verifier Zero Knowledge proofsystem for a language L ∈ NP if it satisfies the following properties:

1 (Completeness) As above.

2 (Soundness) As above.3 (Honest-Verifier Zero Knowledge) There exists a polynomial time simulator

Sim such that the following are computationally indistinguishable for anyx ∈ L and witness w for x :

the view of V(1k , x) when interacting with P(1k , x ,w);the output of Sim(1k , x).


ZKP for all NP (1)

3-colorability is NP-complete


ZKP for all NP (2)

3-colorability is an NP-complete problem

Completeness: Graph is 3-colorable ⇒ V accepts w.p. 1

Soundness: Graph isn’t 3-colorable ⇒ ∀P?, V rejects w.p. ≥ 1/(#edges)

Zero Knowledge: Each time V sees two random distinct colors


Proof and Proof of Knowledge

[Katz,2004]PoK may be viewed as formalizing an even stronger notion of soundness.

A proof may be viewed as demonstrating that a particular statement is true;

A proof of knowledge may be viewed as demonstrating that the prover”knows” why the statement is true.

1. Consider a finite cyclic group G , language LG = {h|∃x ∈ Zq s.t. g x = h}A proof that h ∈ LG is trivial (assuming deciding membership in G is trivial),A proof of knowledge that h ∈ LG implies that the prover ”knows” the value ofloggh, something that is not implied by a proof alone

2. Consider a one-way permutation f , language Lf = {y |∃x s.t. f (x) = y}A proof that y ∈ Lf is trivial (since Lf contains all strings),A proof of knowledge that y ∈ Lf implies that the prover ”knows” f −1(y).


Knowledge

[Katz,2004]We define the ability to extract the knowledge from the machine: i.e., a machineM ”knows” something if there is a poly-time process by which we can extract thisknowledge from M.

DefinitionA machine knows something if it can output it

Let R be an NP-relation

A machine knows the witness to a statement x if it can output w s.t.(x ,w) ∈ R

Knowledge extractor E


Proof of Knowledge (1)

[Yang,2019]

Definition

The ZKAoK for R is an interactive protocol (P,V ) that satisfies

(Completeness). For any (x ,w) ∈ R , Pr[(P(x ,w),V (x)) = 1] ≥ 1− δc .

(Proof of Knowledge). There exists an extractor E that for any x , for anyPPT cheating prover P?, if Pr[(P?,V (x)) = 1] ≥ δs + ε for somenon-negligible ε, then E can extract in polynomial time a witness w such that(x ,w) ∈ R via accessing P? in a black-box manner.

(Honest-Verifier Zero-Knowledge). There exists a simulator S that for any(x ,w) ∈ R , the two distributions are computationally indistinguishable:

The view of an honest verifier V in an interaction (P(x ,w),V (x)).The output of S(x).

where δc is the completeness error and δs is the soundness error


Proof of Knowledge (2)

[Katz,2004]

ZK proofs. Zero-knowledge proofs involve a prover P trying to prove astatement to a verifier V without revealing any knowledge beyond the factthat the statement is true. (Simulator)

Proofs of knowledge. Proofs of knowledge are protocols in which the proveractually proves that he ”knows” a witness. (Knowledge Extractor)

A ZK proof requires a simulator who rewinds a cheating verifier to simulate aproof without knowing a witness, while a PoK requires a knowledge extractorwho rewinds a cheating prover to extract a witness.


Argument and Argument of Knowledge

[Katz,2004]

We consider a relaxation of proofs called arguments.

An argument requires soundness to hold only with respect to polynomial-timecheating provers.

A proof requires the soundness condition to hold even for all-powerful provers.

An argument of knowledge (AoK) is defined s.t a knowledge extractor is onlyrequired to extract a witness from provers running in polynomial time.


Proof of Knowledge for all NP (1)

Hamiltonian cycles is NP-complete


Proof of Knowledge for all NP (2)

Theorem

This is a zero knowledge proof of knowledge (ZK PoK) with soundness error 1/2.

Completeness: Graph has Hamiltonian cycles ⇒ V accepts w.p. 1

Proof of Knowledge:Given a graph G ′ and a permutation Π s.t Π(G ) = G ′, (c = 0)and on given a Hamiltonian cycle in G ′ (c = 1)⇒ easy to recover a Hamiltonian cycle in the original graph G

Zero Knowledge: Crucial ingredient Π and we never open both


Content

1 IntroductionPreliminaryBackground

Stern-type ZKPsSchnorr-type ZKPs

2 ESLL19

3 Applications


Types of Lattice-based ZKPs

’Combinatorial’ proofs (aka ’Stern-type’ [Stern,1993])

ChSet is small (typically |ChSet| = 3)

Pro: can prove complex relations, standard soundness

Cons: many protocol repetitions required (i.e., ’multi-shot’ proofs) very longand slow proofs

’Algebraic’ proofs (aka ’Schnorr-type’ [Schnorr,1989])

ChSet can be very large (even |ChSet| = 22λ for λ-bit PQ-security)

Pro: can achieve very short/fast proofs (i.e., can be ’one-shot’)

Cons: more limited in types of proofs achievable so far may prove relaxed(’approximate’) relations rather than exact ones


Stern-type ZKPs (1)

[Stern,1993] Code-based


Stern-type ZKPs (2)


Reveal a1, a2, check commitments are computed honestly


Stern-type ZKPs (3)


Reveal a1, a3, check commitments are computed honestly


Stern-type ZKPs (4)


Reveal a2, a3, check commitments are computed honestly and w(π(x)) = m/2


Stern-JKPT12 ZKPs (1)

[JKPT, 2012] LPN-based


Stern-JKPT12 ZKPs (2)

[JKPT, 2012] LPN-based


Stern-KTX08 ZKPs (1)

[KTX,2008] Lattice-based

Our technical roadmap is

GapSVPγ ≤ SISq,m,β ≤ CRH ≤ Commitment ≤ ZKP

The input is an m-bit vector x obtained by concatenating a random string

ρ$← Zm/2

2 and a message string s ∈ Zm/22 , i.e., x = ρ‖s.

We then define the commitment function as

ComA(s; ρ) := Ax mod q = A(ρ‖s) mod q


Stern-LNSW13 ZKPs (1)

[LNSW, 2013] Lattice-based


Schnorr-type ZKPs (1)

[Schnorr,1989] Discrete-Logarithm based


Schnorr-Lyu08 ZKPs (1)

[Lyu, 2008] Lattice-based


Schnorr-BKLP15 ZKPs (1)

[BKLP, 2015] Lattice-based


Comparison


Content







Content

1 Introduction


3 Applications


Contribution I

Efficient ’One-shot’ proof techniques for non-linear relations of degree k > 1:

Generalization of ’Fiat-Shamir with aborts’ to higher degrees

New tools for controlling extracted witness length: adjugate matrix

Speed-up Techniques:

CRT message packing in commitment supporting inter-slot operations

NTT-friendly rings


Contribution II

Shorter and faster lattice-based protocols based on non-linear relation proofs:

Commitment to Bits proof

Integer Range Proof

Applications:

Ring signature

Blockchain


Content

1 Introduction


3 Applications


Structured Lattice (1)



Reduction from SIVP (worst-case lattice problems)

SIVPγ ≤ SIS [Ajtai, 1996]

SIVPγ ≤ LWE [Regev, 2005]

Reduction from Id-SIVP (i.e., SIVPγ restricted to ideal lattices)

Id-SIVPγ ≤ Ring-SIS

Id-SIVPγ ≤ Ring-LWE

Reduction from Mod-SIVP (i.e., SIVP restricted to module lattices)

Mod-SIVPγ ≤ Module-SIS [LS, 2015]

Mod-SIVPγ ≤ Module-LWE [LS, 2015]

Change of hardness assumptions comes along with a possible security weakening.


Σ-Protocol

Definition

For relations R,R′ with R ⊆ R′, (P,V ) is called a Σ-protocol for R,R′ withcompleteness error α, a challenge space C, public-private inputs (v ,w), if thefollowing properties are satisfied.

Completeness: An interaction between an honest prover and an honestverifier is accepted with probability at least 1− α whenever (v ,w) ∈ R.

(k + 1)-special soundness: There exists an efficient PPT extractor E thatcomputes w ′ satisfying (v ,w ′) ∈ R′ given (k + 1) accepting protocoltranscripts (a, x0, z0), ..., (a, xk , zk) with distinct xi ’s for 0 ≤ i ≤ k. We referto this process as witness extraction.

Special honest-verifier zero-knowledge (SHVZK): There exists an efficientPPT simulator S that outputs (a, z) given v in the language of R and x ∈ Csuch that (a, x , z) is indistinguishable from an accepting transcript producedby a real run of the protocol.


Relaxed Commitment Scheme

Let n,m,B, q be positive integers, and assume that we commit to v -dimensionalvectors over Rq for v ≥ 1. The opening algorithm Open is relaxed in the sensethat there is an additional input y ∈ Rq, called relaxation factor, and Open checksif y · C = Comck(m′; r ′).

We say that (y ,m′, r ′) is a valid opening of C if Open(C , (y ,m′, r ′)) = 1. A validopening (y ,m′, r ′) with y = 1 is called an exact valid opening.

If (y ,m′, r ′) is a valid opening such that yC = Comck(ym′; r ′), then we call m′ arelaxed message opening with relaxation factor y .

Both UMC and HMC are additive homomorphic:

Comck(m0, r0) + Comck(m1, r1) = Comck(m0 + m1; r0 + r1) and

c · Comck(m; r) = Comck(c ·m; c · r) for c ∈ Rq.


Hashed-Message Commitment


Unbounded-Message Commitment


Content

1 Introduction


3 Applications


Standard Proof of Knowledge (1)


ZKPs for Non-Linear Relations (1)


Content







Content

1 Introduction

2 ESLL19



Bits Relaxed ZKP (1)


Content

1 Introduction

2 ESLL19



Integer Range Proof (1)


Polynomial CRT (1)


Polynomial CRT (2)


Polynomial CRT (3)


Range Proof Full Protocol (1)

Let ψ ∈ Z+, l (i) ∈ [0,Ni ) be prover’s values for 1 ≤ i ≤ ψ and Ni = 2ki withk = k1 + ...+ kψ, and s be the smallest power of two s.t s ≥ max{k1, ..., kψ}.

For simplicity, we use base β = 2, but the result can be generalized to other basevalues β. Binary case gives the the most compact proofs in practice.

Assume that Rq = Zq[X ]/(X d + 1) splits into exactly s fields such that

Rq = R(0)q × ...× R

(s−1)q and R

(i)q = Zq[X ]/(P(i)(X )) for some irreducible

polynomial P(i)(X ) of degree d/s for all 0 ≤ i < s.

Write l (i) = (b(0)0 , ..., b

(i)ki−1) in the binary representation and define

l(i)ctri = 〈b(0)

0 , ..., b(i)ki−1〉


Proof (1)


Proof (2)


Proof (3)


Proof (4)


Extension to arbitrary ranges

We assumed that a range is of the form [0,N) for N = 2k . Suppose that we wantto prove l ∈ [a, b) for b > a + 1.

First, using V ′ = V − Comck(a, 0) in the protocol proves that l − a ∈ [0,N),i.e., l ∈ [a,N + a).

Now, if b − a can be set so that b − a = N = 2k , then we are done.

Otherwise, we set 2k = N > b − a, and run another range proof forV ′′ = Comck(b, 0)− V . This proves that b − l ∈ [0,N), i.e., l ∈ [b − N, b).

As a result, l must be in the intersection of [a,N + a) and [b − N, b), i.e.,l ∈ [a, b) because b − N < a ≤ l < b < N + a.


Range Proof Size (1)

Our range proof with CRT-packing V.S Range proof using ’norm-optimal’challenges on [0, 2logN − 1] for 128-bit security.


Range Proof Size (2)

Our range proof with CRT-packing V.S ’Ideal w/o CRT’ range proof on[0, 2logN − 1] for 128-bit security.


References I

Jonathan Katz (2004)

CMSC 858K - Advanced Topics in Cryptography

S.Goldwasser, S.Micali, and C.Rackoff (1985)

The Knowledge Complexity of Interactive Proof-Systems (Extended Abstract)

STOC, pages 291 - 304, 1985.

Muhammed F. Esgin, Ron Steinfeld, Joseph K. Liu, and Dongxi Liu (2019)

Lattice-based Zero-Knowledge Proofs: New Techniques for Shorter and FasterConstructions and Applications

CRYPTO LNCS 11692, pp. 115 - 146, 2019

Rupeng Yang, Man Ho Au, Zhenfei Zhang, Qiuliang Xu,Zuoxia Yu, and William Whyte(2019)

Efficient Lattice-Based Zero-Knowledge Arguments with Standard Soundness: Constructionand Applications

CRYPTO LNCS 11692, pp. 147 - 175, 2019.

J.Stern (1993)

A new identification scheme based on syndrome decoding

CRYPTO LNCS, vol. 773, pp. 13 - 21, 1993.


References II

C.P.Schnorr (1989)

Efficient Identification and Signatures for Smart Cards

CRYPTO LNCS 435, pp. 239-252, 1990.

Akinori Kawachi, Keisuke Tanaka, Keita Xagawa (2008)

Concurrently Secure Identification Schemes Based on the Worst-Case Hardness of LatticeProblems

ASIACRYPT LNCS 5350, pp. 372 C 389, 2008.

Abhishek Jain, Stephan Krenn, Krzysztof Pietrzak, and Aris Tentes (2012)

Commitments and Efficient Zero-Knowledge Proofs from Learning Parity with Noise

ASIACRYPT LNCS 7658, pp. 663 - 680, 2012.

Vadim Lyubashevsky (2008)

Lattice-based identification schemes secure under active attacks

PKC pp. 162 C 179, 2008

San Ling, Khoa Nguyen, Damien Stehl , and Huaxiong Wang (2013)

Improved Zero-Knowledge Proofs of Knowledge for the ISIS Problem, and Applications

PKC LNCS 7778, pp. 107 C124, 2013.


References III

Vadim Lyubashevsky (2012)

Lattice signatures without trapdoors

EUROCRYPT pages 738 C 755, 2012.

Fabrice Benhamouda, Stephan Krenn, Vadim Lyubashevsky, and Krzysztof Pietrzak (2015)

Efficient Zero-Knowledge Proofs for Commitments from Learning With Errors over Rings

ESORICS LNCS 9326, pp. 305 - 325, 2015.

Adeline Langlois, Damien Stehl (2015)

Worst-case to average-case reductions for module lattices

DCC 75:565 - 599, 2015

M.Ajtai (1996)

Generating hard instances of lattice problems (extended abstract)

STOC pp. 99 C 108. ACM, New York (1996)

O.Regev (2005)

On lattices, learning with errors, random linear codes, and cryptography

STOC pp. 84 - 93. ACM, New York (2005)


The End


lattice-based zero-knowledge proofs: new techniques for

Documents