Lattice-BasedZero-KnowledgeProofs:NewTechniquesforShorterand
FasterConstructionsandApplicationsMuhammedF.Esgin,RonSteinfeld,JosephK.Liu,andDongxi Liu
MonashUniversityandData61,CSIROFacultyofIT
MonashUniversity
Acknowledgement:SomeSlidescourtesyofMuhammed.F.Esgin.
Outline• Background: EfficientZero-KnowledgeProofs(ZKPs)forlinearrelations
• Schnorr proofZKPofknowledgeofdiscrete-log• LatticeanalogueofDL:Module-RingSIS /Module-RingLWE• DifficultiesandsolutionsinportingDL-basedtolattice-basedproof• Lyubahsevky proofofknowledgeofModule-Ring-LWEwitness[Lyu12]
• Ournewtechniques: Efficient Lattice-basedZKPsfor`non-linear’relationsofdegreek>1• FrameworkforZKPsfornon-linearrelationofdegreek>1
• IssuesinportingDL-basedtolattice-basedproofsinnon-linearsetting• Our`one-shot’(shortproof)soundnessanalysistechnique: adjugate matrices
• Application:CommitmentsofBitsProofs• Speed-uptechnique1: ExtractionwithlargechallengesandNTT-friendlyrings
• Application:One-of-ManyProofs• Application:anonymousauthentication-- RingSignatures• Application:IntegerRangeProofs
• Speed-uptechnique2: CRT-packingtechniquesupportinginter-slotoperations• Improvesrun-timebypackingfactors
2
Zero-KnowledgeProofs[GMR85]
..Prover(x,w) Verifier(x)
Accept/Reject
Properties:1) Completeness2) Soundness3) Zero-Knowledge
witness
3
Zero-KnowledgeProofs[GMR85]
..Prover(x,w) Verifier(x)
Accept/Reject
Properties:1) Completeness2) Soundness3) Zero-Knowledge
4
Zero-KnowledgeProofs[GMR85]
..Prover(x,w) Verifier(x)
Accept/Reject
Properties:1) Completeness2) Soundness3) Zero-Knowledge
5
Zero-KnowledgeProofs[GMR85]
..Prover(x,w) Verifier(x)
Accept/Reject
Properties:1) Completeness2) Soundness3) Zero-Knowledge
6
Zero-KnowledgeProofs[GMR85]
..Prover(x,w) Verifier(x)
Accept/Reject
Properties:1) Completeness2) Soundness3) Zero-Knowledge
WeworkinparticularwithSigmaprotocols.Easilymadenon-interactiveusingFiat-Shamirheuristic.
7
Background:TypesofZKPsinLattice-BasedCrypto• TwomaintypesofZKProofsinvestigatedinlattice-basedcrypto:
• “Combinatorial”type (aka`Stern-type’[St96]ZKproofs):• Verifierchallengechosenfromaverysmallset(ofsizetypically3)• Differentproverresponsealgorithmexplicitlyspecifiedforeachpossiblechallenge• Pro: Verypowerful– canbeadaptedtoprovecomplexrelations(e.g.[BLNW18])• Con:long/slowproofs:Manyprotocolrepeatsneededforhighsoundnesslevel
• “Algebraic”type (aka`Schnorr-type’[Sch89]ZKproofs):• Verifierchallengecanbechosenfromahugeset(ofsize> 2#forsecurityparameterλ)• Proverresponsealgorithmisanalgebraicfunctionoftheverifier’schallenge• Pro: canachieveshort/fastproofs:`one-shot’challengemaybepossible• Cons:
• Morelimitedintypesofproofssofarachievableefficiently• Mayprove“approximate”(relaxed)relationsratherthanexactrelations
8
Ourfocusinthistalk
Classical ZKP 1: Schnorr proof ZKP of knowledge of discrete-log
Setup of Schnorr’s ZKP of Knowledge of Discrete Log [Sch89]:
• Works in a cyclic multiplicative group G = <g>= {1,g1,g2,...,gq-1} • where Discrete-Logarithm (DL) problem is hard
• Fixed public generator g ∈ G for G
• Denote order (size) of G by q (assumed prime).
• Prover’s Discrete-Log private-key (witness): s ← U(Zq).
• Prover’s public-key (common input): h = gs∈ G.
• Write h = Com(s). • Com is homomorphic from Zq to G: Com(s + t) = Com(s) ∙ Com(t)
9
ClassicalZKP1: Schnorr proofZKPofknowledgeofdiscrete-log
𝐴4·𝐴56 ≟ Com(𝒇)
10
Prover Verifier
𝐴4 = Com(𝑢)
𝑥 ← ChallengeSet =ℤA𝒇
𝐴5 = Com(𝑠)𝑢 ← ℤA
𝒇 = 𝑢 + 𝑥 D 𝑠
𝑠 ← RandSet=ℤA
Correctness: homomorphicpropertyofComCom(f)=Com(u+x·s)=Com(u)·Com(s)xSoundness(2-specialsoundness):proversucceedswithprob >1/|ChSet|à proverknowsavalid opening(DL)of𝐴5
• GivencommitmentA0,fromtwo distinctsuccessfulchallengeresponsepairpairs(x,f),(x’,f’),extractwitnesss’
𝐴4·𝐴56 = Com(𝒇)𝐴4·𝐴56E = Com(𝒇′)
𝐴5 = Com(GHGE6H6E
)
𝑠′
11
ClassicalZKP1: Schnorr proofZKPofknowledgeofdiscrete-log
Prover Verifier
𝐴4 = Com(𝑢)
𝑥 ← CSet=ℤA𝒇
ℎ = Com(𝑠)𝑢 ← ℤJ
𝒇 = 𝑢 + 𝑥 D 𝑠
𝑠 ← RSet=ℤA
Honest-VerifierZero-Knowledge(HVZK):Anhonestverifiedcanefficientlysimulateaprooftranscriptwithouttheprover’switness!TranscriptSimulator,given𝐴5:
•
•
•
𝑥 ← CSet=ℤA𝑓 ← ℤA
𝐴4·𝐴56 ≟ Com(𝒇)
𝐴4·≟ Com 𝒇 D 𝐴5H6
Application 1: Digital Signatures [Sch91]• Fiat-ShamirTransformation:GenericconversionofaninteractiveZKSigma(3-move)prooftoanon-interactivedigitalsignature
• Idea:• Proverusesacryptographicone-wayhashfunctionHtogeneratechallengebyhashinghisprotocolcommitmentA0andthesignedmessagem
• x=H(A0 ,m)
• à Schnorr digitalsignature(similartoDigitalSignatureStandard,DSS):• KG: sk =s,A1 =Com(s)• Sign(s,m)=(x,f)
• A0 =Com(u)• x=H(A0,m)• f=r+x·s
• Ver(m,(x,f),pk):• A0= Com 𝒇 D 𝐴5H6• 𝑥 ≟H(A0,m)
12
Lattice analogue of DL Problem: Module-RingSIS / Module-RingLWE Problems
13
Structured lattice Setup:• Work over a polynomial ring 𝑅A = ℤA[𝑥]/(𝑥P + 1) for integer 𝑞
• Fixed public uniformly random matrix 𝐴∈ 𝑅AJ×T
• Conjectured-Hard Lattice problems
• Module−Ring−SISJ,T,A,V Problem:
• Given𝐴∈ 𝑅AJ×T, find `short’ 𝑣 ∈ 𝑅AT ( 𝑣 ≤ 𝛽) s.t. 𝐴 D 𝑣 = 0
• Module−Ring−LWEJ,T,A,\ Problem:
• Given𝐴∈ 𝑅AJ×T, and 𝑡 = 𝐴 D 𝑠 ∈ 𝑅AJ for a `short’ s ∈ 𝑅AT ( 𝑠 ≤ 𝛼𝑞 𝑚� ), find s (search-LWE) or distinguish t from uniform in 𝑅AJ (decision-LWE)
àTypical Prover’s private-key (witness): `short’ 𝑠 ← U([−𝐵, 𝐵]J×T) = RandSet.
àTypical Prover’s public-key (common input): 𝑡 = 𝐴 D 𝑠 ∈ 𝑅AJ
• Write 𝑡 = 𝐶𝑜𝑚 𝑠
• Com is homomorphic from Doms to 𝑅AJ: Com(s + t) = Com(s) + Com(t)
Bestknownattackstaketime2# if• 𝑑𝑛 ≥ Ω(𝜆 D klm
n Vklm A
),β < 𝑞 (SIS)
• 𝑑(𝑚 − 𝑛) ≥ Ω(𝜆 D klmn \qr
klm A),𝛼H5 > 1 (LWE)
à Balancedwith𝑚 = 2𝑛,𝛽 = 𝛼H5
ManySISsolutions/Unique LWEsolutionwithm = 2n, 𝛽 = 𝛼H5 ≥ 𝑑𝑚� D 𝑞5/t
Hardnessdecreaseswith𝛽à aimtominimizeextractedwitnessnorminZKPs!
LatticeZKP1 Lattice-analogueofSchnorr ZKP`Attempt1’
𝐴4 + 𝑥 D 𝐴5 ≟ Com(𝒇)
14
Prover Verifier
𝐴4 = Com(𝑢)
𝑥 ← CSet⊆ 𝑅A
𝒇
𝐴5 = Com(𝑠)𝑢 ← 𝑅𝑆𝑒𝑡 = [−𝐵′, 𝐵′]PT
𝒇 = 𝑢 + 𝑥 D 𝑠
𝑠 ← SSet=[−𝐵, 𝐵]PT
Correctness: homomorphicpropertyofComCom(f)=Com(u+x·s)=Com(u)·Com(s)xSoundness(2-specialsoundness):proversucceedswithprob >1/|ChSet|à proverknowsavalid openingof𝐴5
• GivencommitmentA0,fromtwo distinctsuccessfulchallengeresponsepairpairs(x,f),(x’,f’),extractwitnesss’
𝐴4 + 𝑥 D 𝐴5 = Com(𝒇)𝐴4 + 𝑥E D 𝐴5 = Com(𝒇′)
𝐴5 = Com(GHGE6H6E
)𝑠E?
𝑓 ? < 𝐵E +𝑚𝑎𝑥6,z 𝑥 D 𝑠 {
Difficulties & Solutions in porting DL-based to lattice-based ZK ProofBut,`Attempt1’doesnotquitework…Issueswith`Attempt1’:1. Zero-KnowledgePropertyisnotsatisfied:
• DomainSSet andRSet forsecretss andu is`short’interval[-B,B](<q)• NeededforhardnessoftheLWE/SISlatticeproblems• Challengesx inChallSet havetobe`short’forsamereason
• Prover’sresponsevalue𝒇 = 𝑢 + 𝑥 D 𝑠 leaksinfo.onsecrets:𝔼[𝒇] =𝑥 D 𝑠
15
-Bx-B’ Bx-Bx -Bx+B’Bx-B’ Bx+B’
s=-B’ s=B’
Distrib.off(overchoiceofu)
MainIssueswith`Attempt1’:1. Zero-KnowledgePropertyisnotsatisfied:• Solution ([Lyu09,Lyu12]):Rejectionsampling
• Restartprotocolwithfreshu(andx)untilfisindependentofs,𝔼[𝒇] =0
16
Difficulties&SolutionsinportingDL-basedtolattice-basedZKProof
0-Bx-B’ Bx-Bx -Bx+B’Bx-B’ Bx+B’
s=-B’ s=B’
Distrib.off(overchoiceofu)
fAcceptRegion:
𝑓 ≤ −𝐵𝑥 + 𝐵′
Acceptanceprobability𝑝 = (1 − ~6
~�)TP= Ω 1 if
~E|~6|
= 𝑂 𝑚𝑑Maskingsizelinearindimension.
UsingdiscreteGaussian(insteadofuniform)distributionforucanreducemaskingsize[Lyu12].
MainIssueswith`Attempt1’:2.SoundnessPropertyisnotsatisfied
• Problem:extractedwitness𝑠E = GHG�
6H6�∈ 𝑅A
• s’maynot be`short’(<<q)à notinvalid(secure)`short’Comdomain• Issue:(𝑥 − 𝑥′)H5 in𝑅Aisusuallynotshortinwhen𝑥 − 𝑥E isshort
• Solutions• Solution1(specialchallenges- efficiencycompromise)[L+14,L+19]:
• UseaspecialchallengespaceCSet⊆ 𝑅A suchthat(𝑥 − 𝑥′)H5 is`short’forallx≠ x’inCSet• But,largestsuchchallengespaceknownissmall(size2d=O(𝜆))
• Lowefficiency:Manyprotocolrepeatsneededforhighsoundnesslevel
• Solution2(approximaterelations– functionalitycompromise)[Lyu09,Lyu12]:• Proveknowledgeofwitness(c’,s’)toapproximate relation• c’isthe`approximation’factor(mustbe`short’butnot1asinexactrelation)• ZKproofapplicationmustworksecurelywithapproximateproof
17
PortingDL-basedtolattice-basedZKProof𝐴4 + 𝑥 D 𝐴5 = Com(𝒇)𝐴4 + 𝑥E D 𝐴5 = Com(𝒇′)
𝐴5 = Com(GHGE6H6E
)
𝑥 − 𝑥E D 𝐴5 = Com(𝑓 − 𝑓′)
𝑐E D 𝐴5 = Com(𝑠′)
LatticeZKP1 Lattice-analogueofSchnorr ZKP`FixedProof’idea(a-la[Lyu12])
𝐴4 + 𝑥 D 𝐴5 ≟ Com(𝒇)
18
Prover Verifier
𝐴4 = Com(𝑢)
𝑥 ← Cset={0,1}d⊆ 𝑅A
𝒇
𝐴5 = Com(𝑠)𝑢 ← 𝑅𝑆𝑒𝑡 = [−𝐵′, 𝐵′]PT
𝒇 = 𝑢 + 𝑥 D 𝑠
𝑠 ← SSet=[−𝐵, 𝐵]PT
Correctness: homomorphicpropertyofComCom(f)=Com(u+x·s)=Com(u)·Com(s)xSoundness(2-specialsoundness):proversucceedswithprob >1/|ChSet|à proverknowsavalid openingof𝐴5
• GivencommitmentA0,fromtwo distinctsuccessfulchallengeresponsepairpairs(x,f),(x’,f’),extractwitnesss’
𝐴4 + 𝑥 D 𝐴5 = Com(𝒇)𝐴4 + 𝑥E D 𝐴5 = Com(𝒇′)
𝑓 ?< 𝐵′ −𝑚𝑎𝑥6,z 𝑥 D 𝑠 {
Restartif 𝒇 { > 𝑩’ −𝒎𝒂𝒙𝒙,𝒔 𝒙 D 𝒔 {
𝒙 − 𝒙E D 𝑨𝟏 = 𝐂𝐨𝐦(𝒇 − 𝒇′)Relaxationfactor
s’
19
Honest-VerifierZero-Knowledge(HVZK):Anhonestverifiedcanefficientlysimulateaprooftranscriptwithouttheprover’switness!Accepted TranscriptSimulator,given𝐴5:
•
•
•
𝑥 ← CSet ⊆ 𝑅A𝑓 ← AccSet=[−(𝐵E−𝒎𝒂𝒙𝒙,𝒔 𝒙 D 𝒔 {), (𝐵E−𝒎𝒂𝒙𝒙,𝒔 𝒙 D 𝒔 {)]PT𝐴4 = Com 𝒇 − 𝑥 D 𝐴5
LatticeZKP1 Lattice-analogueofSchnorr ZKP`FixedProof’idea(a-la[Lyu12])
Prover Verifier
𝐴4 = Com(𝑢)
𝑥 ← CSet⊆ 𝑅A
𝒇
𝐴5 = Com(𝑠)𝑢 ← 𝑅𝑆𝑒𝑡 = [−𝐵′, 𝐵′]PT
𝒇 = 𝑢 + 𝑥 D 𝑠
𝑠 ← SSet=[−𝐵, 𝐵]PT
Restartif 𝒇 { > 𝑩’ −𝒎𝒂𝒙𝒙,𝒔 𝒙 D 𝒔 {
𝐴4 + 𝑥 D 𝐴5 ≟ Com(𝒇)
Application 1: Digital Signatures [Lyu12,L17+]• Lyubashevsky digitalsignatureidea[variantofLyu12]
• KG: sk =s,A1 =Com(s)• Sign(s,m)=(x,f)
• A0 =Com(u)• x=H(A0,m)∈ 0,1 P
• f=u+x·s• Ver(m,(x,f),pk):
• 𝐴4 = Com 𝒇 − 𝑥 D 𝐴5• 𝑥 ≟ H(A0,m)• 𝑓 ?< 𝐵′ −𝑚𝑎𝑥6,z 𝑥 D 𝑠 {
• Unforgeability proofideas:• ZKsimulatorà simulateobs signaturesbyprogrammingH,withoutsecretkeys• Approx.relationsoundnessà forgingalg.canbeusedtoextracts’=𝑓– 𝑓’ s.t• 𝑥 − 𝑥E D 𝐴5 = Com(𝑓 − 𝑓′)à solveModule-RingSIS :Com( 𝑥 − 𝑥’ D 𝑠– 𝑓 − 𝑓’ )=0• HardnessofdecisionModule-RingLWEà non-trivialsolutionforModule-RingSIS
• Optimised signaturevariantsofaboveinNISTPQCsecondround:• Dilithium,Tesla
20
Restartif 𝒇 { > 𝑩’ −𝒎𝒂𝒙𝒙,𝒔 𝒙 D 𝒔 {.
ZKPsfornon-linearrelations: One-out-of-ManyProofs
..Prover(𝑃5,… , 𝑃�,(ℓ, 𝑠)) Verifier(𝑃5,… , 𝑃�)
Accept/Reject……
Goal: Proveknowledgeofasecretassociatedtooneofthepublicvalueswithoutrevealingthesecretandtheindexofthepublicvalue
1 2 …ℓ …𝑁IDEALtoolforprivacy-preserving
applications
21
𝑃ℓ = Com(𝑠)…𝑃5 𝑃t… 𝑃�
RingSignatures[RST01,BKM09]
𝑝𝑘5, … , 𝑝𝑘� ,𝑚, 𝜎
Accept/Reject
Properties:1) Correctness2)Unforgeability3) Anonymity
Ring
𝜎 ← Sign 𝑠𝑘ℓ, 𝑝𝑘5, … , 𝑝𝑘� ,𝑚
22
1-out-of-𝑁 proof→ RingSignature
• Userscommittotheirsecretkeystoformtheirpublickeys:𝑝𝑘� = Com 𝑠𝑘�
• Signergeneratesanon-interactive1-out-of-𝑁 prooftoproveknowledgeofanopeningofoneof𝑝𝑘�’s
• i.e.,provingknowledgeof𝑠𝑘ℓ withoutrevealingℓ
1-out-of-𝑵𝐙𝐊𝐏 RingSignatureCompleteness⟹ CorrectnessSoundness⟹ UnforgeabilityZero-Knowledge⟹ Anonymity
Thetransitionmaynotgososmoothlyinthelatticesetting!
23
ApplicationsandOurFocus
• Setmembershipproofs,groupsignatures,…• Privacy-awarecryptocurrencies,e.g.,RingCT protocolinMonero• e-votingsystems• …
• Wewant: short (sublinear-sized)and“post-quantum”one-out-of-manyproofswithnotrustedsetup
24
DiscreteLog.• ZKproofsrunsmoothly
• Noprotocolrepetitions(negligiblesoundnesserrorinsingleexecution)
• Exactsoundness• Any commitmentopeningisvalid
• Veryshortandscalable1-out-of-𝑁proofsduetoGroth andKohlweiss[GK15]andBootleetal.[BCC+15]
• Prooflength:𝑂 log𝑁• Shortinpractice aswell• OnlyafewKBevenfor𝑁 = 10¡
Lattice• Ifyoucareaboutefficiency,thenyouhavetomakecompromises
• Relaxedsoundness:proveknowledgeof(𝛾, 𝑠) s.t
𝛾 ⋅ 𝐶 = Com 𝑠• Onlyshort openingsarevalid
• 𝑠 ≤ 𝑇 forsome𝑇 < 𝑞• Youmayhavetowork
• withasmall setofchallenges• overaring,notafield
• Log-sizedringsignatureduetoLibert etal.[LLNW15]
• NOTshort inpractice• 75MBfor𝑁 = 1000
AdvancedZero-KnowledgeProofs
25
OurResults:Summary• Newtechnicaltoolsforalgebraiclattice-basedprotocols
• HandlingapproximateZKprotocolsfornon-linear(degreek>1) relationsinlatticesetting• Manyspecialsoundprotocols:GeneralizationofLyubashevsky 2-soundprotocoltok>1-non-linearrelations
• Boundsonlengthofextractedwitnessesandapproximationfactors• Speed-upTechniques:CRTmessagepackingincommitmentandadaptingNTT-friendlyrings
• Shortone-out-of-manyproofsfromlattices• Oneshotchallenges• Shortbothasymptoticallyandinpractice
• Shortringsignaturefromstandardlatticeassumptions• BasedonModule-LWEandModule-SIS• Notrustedsetup• Newideasforsoundness⟹ unforgeabilityinaconstraint(lattice)setting
• Variantproofsforrangeandsetmembershipproofs• Exploitingmodulevariantsofstandardlatticeassumptionsforefficiencypurposes[seethepapersfordetails]
26
Lattice-BasedCommitmentschemes• Tohidelow-entropymessages,needarandomised (hiding)commitmentschemeCom(m;r)
• Forremainderofthistalk,Comwilldenoteoneofthetwolattice-based(Module-LWE,Module-SIS)randomised commitmentschemes[B+18]:
• HashedMessageCommitment(HMC):
• Unbounded-MessageCommitment(UMC):
27
Gr Gm 𝑟
𝑚
Com(𝑚, 𝑟) =
G1
G2
𝑟
𝑚
Com(𝑚, 𝑟) = + 0
Framework:ZKPsfornon-linearrelations
Prover Verifier
𝐴4,… , 𝐴©
𝑥 ← ChallengeSet
𝒇, 𝒓
𝐴4 + 𝑥𝐴5 +⋯+ 𝑥©𝐴© ≟ Com(𝒇; 𝒓)
Efficientproofsystemsfrom[GK15]and[BCC+15]havethisstructure!Weneedto1)proveadegree-𝑘 relationfor𝑘 ≥ 1
2)extractavalid openingof𝐴©
WitnessExtractionHowtoextractuseful secretinformationgivenasetof
accepting protocoltranscriptswiththesameinitialmessage
foralattice-basedcommitmentschemeCom?
28
WitnessExtraction( 𝑘 + 1 -specialsoundness)
Extractor
𝐴4,… , 𝐴©
𝑥4, … , 𝑥©𝒇4, 𝒓4 , … , (𝒇©, 𝒓©)
Anopeningof𝐴©
s.t. 𝐴4 + 𝑥�𝐴5 + ⋯+ 𝑥�©𝐴© ≟ Com(𝒇�; 𝒓�) for𝑖 = 0,… , 𝑘
Provesasoundnesserror≤ ©®¯°±²
(acheatingprover’smax.successprobability)29
WitnessExtraction
• Weknowthat𝐴4 + 𝑥�𝐴5 + ⋯+ 𝑥�©𝐴© ≟ Com(𝒇�; 𝒓�) for𝑖 = 0,… , 𝑘
• Goal:Recoveranopeningof𝐴© 𝑽,VandermondeMatrix
30
overaringℜ
Forourlattice-basedcommitment,(𝑚, 𝑟) isavalidopeningof𝐶 if𝐶 = Com(𝑚; 𝑟) AND(𝑚, 𝑟) isshort!
WitnessExtraction
𝑽H5 =
Wehave𝑽 ⋅ 𝒂 = 𝒄,andwewanttoeliminate𝑽
Twoapproaches:• Approach1[E+19a]:Usespecialchallengespacesothatchallengedifferences
1) areinvertible,and2) havea`short’inverse!• Drawback: Smallchallengespaceàmultiplerepetitionsneededforhighsoundnesssecurityà Longproofs,length=𝑂¶ 𝜆t
• Approach2[Thiswork]:Clearthedenominatorsbymultiplyingbydet(V)andfindgoodboundsondet(V)forasetof`short’challenges
• Advantage: cansupportlargechallengespace(‘`one-shot’)à shortproofs,length=𝑂¶ 𝜆 31
[Turner66]
Ourapproach:adjugate matrices• InsteadofmultiplyingbyV^{-1},wemultiplybyadj(V):
• Wehave𝑽 ⋅ 𝒂 = 𝒄 → 𝒅𝒆𝒕(𝑽) ⋅ 𝒂 = 𝒂𝒅𝒋 𝑽 D 𝒄• Relaxationfactor: det 𝑉 = ∏ (𝑥� − 𝑥¾)4¿�À¾¿©
• Extractedwitnessforlastcommitment:
det 𝑉 D 𝐴© =ÁΓ� D 𝐶𝑜𝑚 𝑓�; 𝑟�
©
�Ã4
= 𝐶𝑜𝑚(ÁΓ� D 𝑓�;©
�Ã4
ÁΓ� D 𝑟�)©
�Ã4whereΓ� = (−1)�Ä©∏ (𝑥¾ − 𝑥Å)4¿ÅÀ¾¿©Å,¾Æ� 32
det(𝑉) det(𝑉)
𝑎𝑑𝑗 𝑉 =
det(𝑉)
𝑚È© �̂�©
• Inparticular,ouradjugate matrixanalysisapproachallowslargechallengespacesoftheform
• `Oneshot’possiblewith`short’challenges• e.g.sizeof>2256if 𝑑,𝑤, 𝑝 = 256, 60, 1
• Noinvertibility conditiononchallengespaceneeded(Vcanevenbesingular)à nospecialconditiononringmodulusqneededà canuse`NTT-friendly’q
• Moderatelyshortboundsonrelaxationfactor/witnesssizeforsmallk:• Relaxationfactor:det 𝑉 ≤ (2𝑝)©(©Ä5)/t D 𝑤©(©Ä5)/tH5
• Extractedwitnessnorm:
33
Ourapproach:adjugate matrices
𝑚È© ≤ (𝑘 + 1) D 𝑑 D (2𝑝)©(©H5)/tD 𝑤©(©H5)/tH5 D 𝑚𝑎𝑥� 𝑓��̂�© ≤ (𝑘 + 1) D 𝑑 D (2𝑝)©(©H5)/tD 𝑤©(©H5)/tH5 D 𝑚𝑎𝑥� 𝑟�
Application:CommitmentsofBitsRelaxed ZKP• One-shotvariantofmulti-shotlatticeZKP[E+19a],DLZKPin[GK15]
• Proverwitness• Verifierinput:• OriginalGoal:provethatbisavectorofbits• RelaxedGoal:provethatb=yb’forvectorofbitsb’and`short’relaxationfactory
• ZKPIdea– encodebinaryrequirementasaquadraticrelation:• 𝑏� ∈ 0,1 ← 𝑜𝑣𝑒𝑟𝑎𝑓𝑖𝑒𝑙𝑑 𝑏� D (1 − 𝑏�) = 0• Usualbasicsetting:
• Proversendscommitmentofmaskingrandomness𝐴 = 𝐶𝑜𝑚(𝒂; 𝒓𝒂)• Verifiersendschallengex• Proversendsresponseencodings𝑓� = 𝑎� + x D 𝑏�
• Toverifybinaryrequirement,verifiercomputesquadraticfunctionofxoverencodings:• 𝑔� 𝑥 = 𝑓� D 𝑥 − 𝑓� = −𝑎�t + 𝑎� 1 − 2𝑏� D 𝑥 + 𝑏� 1 − 𝑏� D 𝑥t• Andchecksthatx2coefficientiszero,bychecking• 𝐶𝑜𝑚(𝑔� 𝑥 )=?Com( −𝑎�t )+Com( 𝑎� 1 − 2𝑏� )*x• Toallowverifiertodothis,proveralsosendsinfirststepcommitmentstothenon-zerocoefficients 34
𝒃 ∈ 𝟎, 𝟏 𝒔, 𝒓 ← Sset (`short’)𝐵 = Com(𝒃; 𝒓)
Application:CommitmenttobitsZKP(basicidea)
𝐴 + 𝑥 D 𝐵 ≟ Com(𝒇; 𝑧Ó)
𝒈 = [𝒈𝒊 𝒙 ] = [𝒇𝒊D 𝒙 − 𝒇𝒊 ]
Prover Verifier
𝑥 ← CSet⊆ 𝑅A
(𝒇, 𝒛𝒃, 𝒛𝒄)
𝐵 = Com(𝒃; 𝒓)𝒂, 𝒓𝒂
𝒇𝒊 = 𝑎� + 𝑥 D 𝑏�
𝒃 ∈ 𝟎, 𝟏 𝒔, 𝒓 ← SSet
(𝒇, 𝒛𝒃, 𝒛𝒄) ? < 𝐵E
𝒛𝒃 = 𝒓𝒂 + 𝑥 D 𝒓𝒛𝒄 = 𝒓𝒅 + 𝑥 D 𝒓×Restartif (𝒇, 𝒛𝒃, 𝒛𝒄) { > 𝑩′
𝐴 = 𝐶𝑜𝑚(𝒂; 𝒓𝒂)𝐶 = 𝐶𝑜𝑚( 𝑎� 1 − 2𝑏� ; 𝒓𝒄)𝐷 = 𝐶𝑜𝑚( −𝑎�t ; 𝒓𝒅)
𝐷 + 𝑥 D 𝐶 ≟ Com(𝒈; 𝒛𝒄)
• CommittobitsZKPSoundnessargumentsketch:• Usingthree rewindings ofaproverondistinctchallenges:x1,x2,x3 (samecommitments,butdifferentresponses𝑓�,¾(𝑗 = 1,2,3)
• ->Get3relaxedopenings(𝒂È, 𝒃Ú, 𝒄Û, 𝒅Ú) ofA,B,C,D• withrelaxationfactory=x1 – x2• MustbesameopeningsbybindingofCom,hence:• 𝑦 D 𝑓�,¾ = 𝑥¾ D 𝑏Ý� + 𝑎Û� (j=1,2,3)• 𝑦 D 𝑓�,¾ D (𝑥¾ − 𝑓�,¾) = 𝑥¾ D �̂�� + 𝑑Þ� (j=1,2,3)• à CombineabovepairsofrelationstogetaVandermonde linearsystemoverRq:1 𝑥5 𝑥5t
1 𝑥t 𝑥tt
1 𝑥ß 𝑥ßtD
−𝑎Û�t − 𝑦𝑑Þ�𝑎Û� 𝑦 − 2𝑏Ý� − 𝑦�̂��
𝑏Ý� 𝑦 − 𝑏Ý�
= 0
• Ouradjugate techniqueimpliesdet 𝑉 𝑏Ý� 𝑦 − 𝑏Ý� =0in𝑅A
36
Application:CommitmenttobitsZKP(basicidea)
• CommittobitsZKPSoundnessargumentsketch(cont.):• Ouradjugate techniqueimpliesdet 𝑉 𝑏Ý� 𝑦 − 𝑏Ý� =0in𝑅A,where• 𝑑𝑒𝑡 𝑉 = (𝑥5 − 𝑥t) (𝑥5 − 𝑥ß)(𝑥t − 𝑥ß)
• Wanttouse`NTT-friendly’ringsand`large’challenges• Cannotassumedet(V)isinvertiblein𝑅A
• But,stillwantto“cancel”det(V)factor• à Speed-upLemma1:
• FollowsbecauseRisanintegraldomain.
• ->Wechooseqlargeenoughs.t. Lemma7applies:q/2 > det 𝑉 𝑏Ý� 𝑦 − 𝑏Ý� à cancanceldet(V)toconclude
• 𝑏Ý� 𝑦 − 𝑏Ý� =0à “relaxed”soundnessholds:𝑏Ý� = y D 𝑏�E with𝑏�E ∈ {0,1} 37
Application:CommitmenttobitsZKP(basicidea)
Application:One-of-NZKP• One-shotvariantofmulti-shotlatticeZKP[E+19a],DLZKPin[GK15]
• Proverwitness• Verifierinput:(𝑃5, … , 𝑃�)• OriginalGoal[GK15]: provethat• RelaxedGoal(Ourprotocol): provethat𝒚′ D 𝑃ℓ = 𝑪𝒐𝒎(𝟎; 𝒓Û) for`short’y’and𝒓Û• ZKPIdea– encoderequirementasapolynomialrelation:
• Decomposeℓ = ∑ ℓ𝒋𝜷𝒋𝒌H𝟏𝒋Ã𝟎 and𝒊 = ∑ 𝒊𝒋𝜷𝒋𝒌H𝟏
𝒋Ã𝟎 ∈ [𝑵] into𝑘 = 𝑂(log𝑁) base-𝛽 digits• Writeeachdigitℓ𝒋 inunary:𝜹¾ = (𝛿ℓ𝒋,4, … , 𝛿ℓ𝒋,VH5) isabitvectorwith1inℓ𝒋’th pos.and0else.• Thenisequiv.to∑ ∏ 𝛿ℓ𝒋,�ë¾∈[©] D 𝑃� = 𝐶𝑜𝑚(0; 𝑟)�∈[�] (*)• Provercommitsto𝜹¾‘sanduses`CommittoBits’Protocolvarianttoprove𝜹¾‘sarewellformed
• Proversendscommitmentsofmaskingrandomness𝐴 = 𝐶𝑜𝑚(𝒂; 𝒓𝒂)(andC,D)• Verifiersendschallengex• Proversendsresponseencodings𝑓¾,�ë = 𝑎¾,�ë + x D 𝛿ℓ𝒋,�ë
• Toverify1-of-Nrelation(*),verifiercomputesdegreekfunctionofxoverencodings:• 𝑃 𝑥 = ∑ 𝑝� 𝑥 D 𝑃� =�∈[�] ∑ ∏ 𝑓𝒋,�ë¾∈[©] D 𝑃� =�∈[�] ∑ 𝑒�,4 + 𝑒�,5 D 𝑥 + ⋯+ ∏ 𝛿ℓ𝒋,�ë¾∈[©] D 𝑥© D 𝑃��∈[�]
• Andchecksthatxk coefficientisacommitmentzero,bychecking• 𝑃(𝑥) −([∑ 𝑒�,4𝑃�] + [∑ 𝑒�,5𝑃�] D 𝑥 + ⋯+ [∑ 𝑒�,©H5𝑃�] D 𝑥©H5)=Com(0,z)forazsentbytheprover• Toallowverifiertodothis,proveralsosendsinfirststepcommitmentsinthecoefficientsof𝑥¾ (j<k)
38
ℓ ∈ [𝑵], 𝒓 ← Sset (`short’)𝑃ℓ = Com(𝟎; 𝒓)
𝑃ℓ = Com(𝟎; 𝒓)
• CommittobitsZKPSoundnessargumentsketch:• UsingtheextractorofourRelaxed`CommittoBits’protocolwithrelaxationfactory=x1 – x2,weextractanopeningℓÝand𝑝�È
• Usingk+1 rewindings ofaproverondistinctchallenges:x1,… ,xk+1• à geta(k+1)’th orderVandermonde linearsystemwithmatrixVoverRq• à Byouradjugate technique,extractarelaxeddecommitment oftheform• det 𝑉 𝑦©𝑃ℓÝ = 𝐶𝑜𝑚(0, ∑ Γ��∈ � 𝑦©𝒛�)• Toreducetherelaxationfactortodet 𝑉 𝑦 ,weapplyanotherobservation:
• Weapplyourboundsondet(V)andytoboundtheextractedwitnessnorm.• Moderatelypracticalsincek+1=O(logN)issmall–
• inpracticeforNuptomillions,usuallyoptimaltousekasmallconstantk<3
39
Application:One-of-NZKP
Application:RingSignatureLengthComparison
SignaturelengthsareinKB.Securitylevel≈ 128 bits
40
RingSize 𝟐𝟔 𝟐𝟏𝟎 𝟐𝟏𝟔 𝟐𝟐𝟎 𝟐𝟑𝟎
[LLNW15] 47000 75000 118000 146000 217000
[ESSLL19] 774 1021 1487 1862 3006
[ESLL19] 57 89 154 241 541
eprint.iacr.org/2018/773 – ”multi-shot”proofs(ACNS’19)eprint.iacr.org/2019/445 – Advanced“one-shot”proofs
(to appear in CRYPTO’19)
Application:IntegerRangeZKP• IntegerrangeProofs:• Proverwitness:ℓ ∈ [0, 2© − 1] ,𝑟`𝑠ℎ𝑜𝑟𝑡′• Verifierinput:(𝑃 )• OriginalGoal: provethat𝑃 = 𝐶𝑜𝑚(ℓ; 𝑟) withℓ ∈ [0, 2© − 1]• RelaxedGoal(Ours): provethat𝒚′ D 𝑃 = 𝑪𝒐𝒎(𝒚′ D ℓ; 𝒓Û) for`short’y’and𝒓Û• BasicZKPidea:
• Decomposeℓ = ∑ ℓ𝒊𝟐𝒊𝒌H𝟏𝒊Ã𝟎 inbinary,ℓ� ∈ {0,1}
• Provercommitstobits𝐵 = 𝐶𝑜𝑚(ℓ4, … , ℓ©H5;)• Use`CommittoBits’protocoltoproveℓ� ∈ {0,1}
• Proversendscommitmentofmaskingrandomness𝐴 = 𝐶𝑜𝑚(𝒂; 𝒓𝒂)• Verifiersendschallengex• Proversendsresponseencodings𝑓� = 𝐸𝑛𝑐6 ℓ� = 𝑎� + x D ℓ�
• Verifierchecks`CommittoBits’Proofandalsochecksthatbitsdecomposeℓ• Inter-bithomomorphicencodingoperationonencodings:
• Verifiercomputesencodingv=𝐸𝑛𝑐6 ∑ 2�©H5�Ã4 ℓ� fromencodingsofℓ�
• ∑ 2�©H5�Ã4 D 𝐸𝑛𝑐6 ℓ� =∑ 2�©H5
�Ã4 D 𝑎� + 𝑥 D ∑ 2�©H5�Ã4 ℓ�
• ChecksthatCom(v)andx*Parecommitmentstosameℓ
41
Speed-up technique 2: CRT-packing technique supporting inter-slot operations• Efficiencyproblem:
• Eachbitℓ� consumesawholeringelementintheBcommitment(UMC)
• àkadditionalringelementsincommitmentoutput• àCanmaintaincommitmentlength (setringdimensiondà d/k)• àButComeval run-time stillgoesupbyfactork(𝐺t has≥ 𝑘t Ringelements)
• OurSpeedupTechnique2:UseCRT-packing(a-laFHE)topackkbitsinto1ringelement
42
G1
G2
𝑟
ℓ
Com(ℓ, 𝑟) = + 0
• CRTmessagepackingofkbitsinto1ringelement:• Use𝑅A suchthat𝑧P + 1 splitsinto𝑘 irreduciblefactors𝑃�(𝑧)modq(eachofdegree𝑑/𝑘:
• 𝑅A ≃ 𝑅A5 ×⋯×𝑅A
©
• 𝑚 → 𝐶𝑅𝑇 𝑚 = 𝑚5,… ,𝑚© = 𝑚𝑚𝑜𝑑𝑃5, … ,𝑚𝑚𝑜𝑑𝑃©
• PackedEncodingisnow:• 𝑓 = 𝐸𝑛𝑐6 ℓ5, … , ℓ© = 𝐶𝑅𝑇H5(𝑎5, … , 𝑎©)+ x D 𝐶𝑅𝑇H5(ℓ5, … , ℓ©)• Canextractfromfencodingsofindividualslots:
• 𝑓� = 𝐸𝑛𝑐6T%P&' ℓ� = 𝑎� + 𝑥𝑚𝑜𝑑𝑃� D ℓ�• Buttosupportinterslot homomrphic propertyofEnc,needallextractedencodingswithrespecttosame xà need𝑥𝑚𝑜𝑑𝑃� = 𝑥 forall𝑖
• ∑ 2�©H5�Ã4 D 𝐸𝑛𝑐6 ℓ� =∑ 2�©H5
�Ã4 D 𝑎� + 𝑥 D ∑ 2�©H5�Ã4 ℓ�
• Oursolution:choosechallengexofdegree<d/kà 𝑥𝑚𝑜𝑑𝑃� = 𝑥 forall𝑖
43
Speed-uptechnique2: CRT-packingtechniquesupportinginter-slotoperations
44
Speed-uptechnique2: CRT-packingtechniquesupportinginter-slotoperations
Selectedreferences• [GMR85]Goldwasser etal.,“Theknowledgecomplexityofinteractiveproof-systems”,STOC‘85.
• [Sch89]Schnorr,“Efficientidentificationandsignaturesforsmartcards”,CRYPTO‘89.• [Lyu09]Lyubashevsky,“Fiat-ShamirwithAborts:ApplicationstoLatticeandFactoring-BasedSignatures”,ASIACRYPT’09.
• [Lyu12]Lyubashevsky,“LatticeSignatureswithoutTrapdoors.”,EUROCRYPT‘12.• [GK15]Groth andKohlweiss,“One-out-of-manyproofs:Orhowtoleakasecretandspendacoin”,EUROCRYPT‘15.
• [D+17]Ducas etal.,“CRYSTALS-Dilithium:ALattice-BasedDigitalSignatureScheme”,CHES‘18.
• [E+19a]Esgin etal.,“Shortlattice-basedone-out-of-manyproofsandapplicationstoringsignatures,ACNS‘19
• [E+19b]Esgin etal.,“Lattice-basedZero-KnowledgeProofs:NewTechniquesforShorterandFasterConstructionsandApplications”,CRYPTO‘19(toappear)
45
THANKYOU
46