Lattice-BasedZero-KnowledgeProofs:NewTechniquesforShorterand

FasterConstructionsandApplicationsMuhammedF.Esgin,RonSteinfeld,JosephK.Liu,andDongxi Liu

MonashUniversityandData61,CSIROFacultyofIT

MonashUniversity

Acknowledgement:SomeSlidescourtesyofMuhammed.F.Esgin.

Outline• Background: EfficientZero-KnowledgeProofs(ZKPs)forlinearrelations

• Schnorr proofZKPofknowledgeofdiscrete-log• LatticeanalogueofDL:Module-RingSIS /Module-RingLWE• DifficultiesandsolutionsinportingDL-basedtolattice-basedproof• Lyubahsevky proofofknowledgeofModule-Ring-LWEwitness[Lyu12]

• Ournewtechniques: Efficient Lattice-basedZKPsfor`non-linear’relationsofdegreek>1• FrameworkforZKPsfornon-linearrelationofdegreek>1

• IssuesinportingDL-basedtolattice-basedproofsinnon-linearsetting• Our`one-shot’(shortproof)soundnessanalysistechnique: adjugate matrices

• Application:CommitmentsofBitsProofs• Speed-uptechnique1: ExtractionwithlargechallengesandNTT-friendlyrings

• Application:One-of-ManyProofs• Application:anonymousauthentication-- RingSignatures• Application:IntegerRangeProofs

• Speed-uptechnique2: CRT-packingtechniquesupportinginter-slotoperations• Improvesrun-timebypackingfactors

2

Zero-KnowledgeProofs[GMR85]

..Prover(x,w) Verifier(x)

Accept/Reject

Properties:1) Completeness2) Soundness3) Zero-Knowledge

witness

3

Zero-KnowledgeProofs[GMR85]

..Prover(x,w) Verifier(x)

Accept/Reject

Properties:1) Completeness2) Soundness3) Zero-Knowledge

4

Zero-KnowledgeProofs[GMR85]

..Prover(x,w) Verifier(x)

Accept/Reject

Properties:1) Completeness2) Soundness3) Zero-Knowledge

5

Zero-KnowledgeProofs[GMR85]

..Prover(x,w) Verifier(x)

Accept/Reject

Properties:1) Completeness2) Soundness3) Zero-Knowledge

6

Zero-KnowledgeProofs[GMR85]

..Prover(x,w) Verifier(x)

Accept/Reject

Properties:1) Completeness2) Soundness3) Zero-Knowledge

WeworkinparticularwithSigmaprotocols.Easilymadenon-interactiveusingFiat-Shamirheuristic.

7

Background:TypesofZKPsinLattice-BasedCrypto• TwomaintypesofZKProofsinvestigatedinlattice-basedcrypto:

• “Combinatorial”type (aka`Stern-type’[St96]ZKproofs):• Verifierchallengechosenfromaverysmallset(ofsizetypically3)• Differentproverresponsealgorithmexplicitlyspecifiedforeachpossiblechallenge• Pro: Verypowerful– canbeadaptedtoprovecomplexrelations(e.g.[BLNW18])• Con:long/slowproofs:Manyprotocolrepeatsneededforhighsoundnesslevel

• “Algebraic”type (aka`Schnorr-type’[Sch89]ZKproofs):• Verifierchallengecanbechosenfromahugeset(ofsize> 2#forsecurityparameterλ)• Proverresponsealgorithmisanalgebraicfunctionoftheverifier’schallenge• Pro: canachieveshort/fastproofs:`one-shot’challengemaybepossible• Cons:

• Morelimitedintypesofproofssofarachievableefficiently• Mayprove“approximate”(relaxed)relationsratherthanexactrelations

8

Ourfocusinthistalk

Classical ZKP 1: Schnorr proof ZKP of knowledge of discrete-log

Setup of Schnorr’s ZKP of Knowledge of Discrete Log [Sch89]:

• Works in a cyclic multiplicative group G = <g>= {1,g1,g2,...,gq-1} • where Discrete-Logarithm (DL) problem is hard

• Fixed public generator g ∈ G for G

• Denote order (size) of G by q (assumed prime).

• Prover’s Discrete-Log private-key (witness): s ← U(Zq).

• Prover’s public-key (common input): h = gs∈ G.

• Write h = Com(s). • Com is homomorphic from Zq to G: Com(s + t) = Com(s) ∙ Com(t)

9

ClassicalZKP1: Schnorr proofZKPofknowledgeofdiscrete-log

𝐴4·𝐴56 ≟ Com(𝒇)

10

Prover Verifier

𝐴4 = Com(𝑢)

𝑥 ← ChallengeSet =ℤA𝒇

𝐴5 = Com(𝑠)𝑢 ← ℤA

𝒇 = 𝑢 + 𝑥 D 𝑠

𝑠 ← RandSet=ℤA

Correctness: homomorphicpropertyofComCom(f)=Com(u+x·s)=Com(u)·Com(s)xSoundness(2-specialsoundness):proversucceedswithprob >1/|ChSet|à proverknowsavalid opening(DL)of𝐴5

• GivencommitmentA0,fromtwo distinctsuccessfulchallengeresponsepairpairs(x,f),(x’,f’),extractwitnesss’

𝐴4·𝐴56 = Com(𝒇)𝐴4·𝐴56E = Com(𝒇′)

𝐴5 = Com(GHGE6H6E

)

𝑠′

11

ClassicalZKP1: Schnorr proofZKPofknowledgeofdiscrete-log

Prover Verifier

𝐴4 = Com(𝑢)

𝑥 ← CSet=ℤA𝒇

ℎ = Com(𝑠)𝑢 ← ℤJ

𝒇 = 𝑢 + 𝑥 D 𝑠

𝑠 ← RSet=ℤA

Honest-VerifierZero-Knowledge(HVZK):Anhonestverifiedcanefficientlysimulateaprooftranscriptwithouttheprover’switness!TranscriptSimulator,given𝐴5:

•

•

•

𝑥 ← CSet=ℤA𝑓 ← ℤA

𝐴4·𝐴56 ≟ Com(𝒇)

𝐴4·≟ Com 𝒇 D 𝐴5H6

Application 1: Digital Signatures [Sch91]• Fiat-ShamirTransformation:GenericconversionofaninteractiveZKSigma(3-move)prooftoanon-interactivedigitalsignature

• Idea:• Proverusesacryptographicone-wayhashfunctionHtogeneratechallengebyhashinghisprotocolcommitmentA0andthesignedmessagem

• x=H(A0 ,m)

• à Schnorr digitalsignature(similartoDigitalSignatureStandard,DSS):• KG: sk =s,A1 =Com(s)• Sign(s,m)=(x,f)

• A0 =Com(u)• x=H(A0,m)• f=r+x·s

• Ver(m,(x,f),pk):• A0= Com 𝒇 D 𝐴5H6• 𝑥 ≟H(A0,m)

12

Lattice analogue of DL Problem: Module-RingSIS / Module-RingLWE Problems

13

Structured lattice Setup:• Work over a polynomial ring 𝑅A = ℤA[𝑥]/(𝑥P + 1) for integer 𝑞

• Fixed public uniformly random matrix 𝐴∈ 𝑅AJ×T

• Conjectured-Hard Lattice problems

• Module−Ring−SISJ,T,A,V Problem:

• Given𝐴∈ 𝑅AJ×T, find `short’ 𝑣 ∈ 𝑅AT ( 𝑣 ≤ 𝛽) s.t. 𝐴 D 𝑣 = 0

• Module−Ring−LWEJ,T,A,\ Problem:

• Given𝐴∈ 𝑅AJ×T, and 𝑡 = 𝐴 D 𝑠 ∈ 𝑅AJ for a `short’ s ∈ 𝑅AT ( 𝑠 ≤ 𝛼𝑞 𝑚� ), find s (search-LWE) or distinguish t from uniform in 𝑅AJ (decision-LWE)

àTypical Prover’s private-key (witness): `short’ 𝑠 ← U([−𝐵, 𝐵]J×T) = RandSet.

àTypical Prover’s public-key (common input): 𝑡 = 𝐴 D 𝑠 ∈ 𝑅AJ

• Write 𝑡 = 𝐶𝑜𝑚 𝑠

• Com is homomorphic from Doms to 𝑅AJ: Com(s + t) = Com(s) + Com(t)

Bestknownattackstaketime2# if• 𝑑𝑛 ≥ Ω(𝜆 D klm

n Vklm A

),β < 𝑞 (SIS)

• 𝑑(𝑚 − 𝑛) ≥ Ω(𝜆 D klmn \qr

klm A),𝛼H5 > 1 (LWE)

à Balancedwith𝑚 = 2𝑛,𝛽 = 𝛼H5

ManySISsolutions/Unique LWEsolutionwithm = 2n, 𝛽 = 𝛼H5 ≥ 𝑑𝑚� D 𝑞5/t

Hardnessdecreaseswith𝛽à aimtominimizeextractedwitnessnorminZKPs!

LatticeZKP1 Lattice-analogueofSchnorr ZKP`Attempt1’

𝐴4 + 𝑥 D 𝐴5 ≟ Com(𝒇)

14

Prover Verifier

𝐴4 = Com(𝑢)

𝑥 ← CSet⊆ 𝑅A

𝒇

𝐴5 = Com(𝑠)𝑢 ← 𝑅𝑆𝑒𝑡 = [−𝐵′, 𝐵′]PT

𝒇 = 𝑢 + 𝑥 D 𝑠

𝑠 ← SSet=[−𝐵, 𝐵]PT

Correctness: homomorphicpropertyofComCom(f)=Com(u+x·s)=Com(u)·Com(s)xSoundness(2-specialsoundness):proversucceedswithprob >1/|ChSet|à proverknowsavalid openingof𝐴5

• GivencommitmentA0,fromtwo distinctsuccessfulchallengeresponsepairpairs(x,f),(x’,f’),extractwitnesss’

𝐴4 + 𝑥 D 𝐴5 = Com(𝒇)𝐴4 + 𝑥E D 𝐴5 = Com(𝒇′)

𝐴5 = Com(GHGE6H6E

)𝑠E?

𝑓 ? < 𝐵E +𝑚𝑎𝑥6,z 𝑥 D 𝑠 {

Difficulties & Solutions in porting DL-based to lattice-based ZK ProofBut,`Attempt1’doesnotquitework…Issueswith`Attempt1’:1. Zero-KnowledgePropertyisnotsatisfied:

• DomainSSet andRSet forsecretss andu is`short’interval[-B,B](<q)• NeededforhardnessoftheLWE/SISlatticeproblems• Challengesx inChallSet havetobe`short’forsamereason

• Prover’sresponsevalue𝒇 = 𝑢 + 𝑥 D 𝑠 leaksinfo.onsecrets:𝔼[𝒇] =𝑥 D 𝑠

15

-Bx-B’ Bx-Bx -Bx+B’Bx-B’ Bx+B’

s=-B’ s=B’

Distrib.off(overchoiceofu)

MainIssueswith`Attempt1’:1. Zero-KnowledgePropertyisnotsatisfied:• Solution ([Lyu09,Lyu12]):Rejectionsampling

• Restartprotocolwithfreshu(andx)untilfisindependentofs,𝔼[𝒇] =0

16

Difficulties&SolutionsinportingDL-basedtolattice-basedZKProof

0-Bx-B’ Bx-Bx -Bx+B’Bx-B’ Bx+B’

s=-B’ s=B’

Distrib.off(overchoiceofu)

fAcceptRegion:

𝑓 ≤ −𝐵𝑥 + 𝐵′

Acceptanceprobability𝑝 = (1 − ~6

~�)TP= Ω 1 if

~E|~6|

= 𝑂 𝑚𝑑Maskingsizelinearindimension.

UsingdiscreteGaussian(insteadofuniform)distributionforucanreducemaskingsize[Lyu12].

MainIssueswith`Attempt1’:2.SoundnessPropertyisnotsatisfied

• Problem:extractedwitness𝑠E = GHG�

6H6�∈ 𝑅A

• s’maynot be`short’(<<q)à notinvalid(secure)`short’Comdomain• Issue:(𝑥 − 𝑥′)H5 in𝑅Aisusuallynotshortinwhen𝑥 − 𝑥E isshort

• Solutions• Solution1(specialchallenges- efficiencycompromise)[L+14,L+19]:

• UseaspecialchallengespaceCSet⊆ 𝑅A suchthat(𝑥 − 𝑥′)H5 is`short’forallx≠ x’inCSet• But,largestsuchchallengespaceknownissmall(size2d=O(𝜆))

• Lowefficiency:Manyprotocolrepeatsneededforhighsoundnesslevel

• Solution2(approximaterelations– functionalitycompromise)[Lyu09,Lyu12]:• Proveknowledgeofwitness(c’,s’)toapproximate relation• c’isthe`approximation’factor(mustbe`short’butnot1asinexactrelation)• ZKproofapplicationmustworksecurelywithapproximateproof

17

PortingDL-basedtolattice-basedZKProof𝐴4 + 𝑥 D 𝐴5 = Com(𝒇)𝐴4 + 𝑥E D 𝐴5 = Com(𝒇′)

𝐴5 = Com(GHGE6H6E

)

𝑥 − 𝑥E D 𝐴5 = Com(𝑓 − 𝑓′)

𝑐E D 𝐴5 = Com(𝑠′)

LatticeZKP1 Lattice-analogueofSchnorr ZKP`FixedProof’idea(a-la[Lyu12])

𝐴4 + 𝑥 D 𝐴5 ≟ Com(𝒇)

18

Prover Verifier

𝐴4 = Com(𝑢)

𝑥 ← Cset={0,1}d⊆ 𝑅A

𝒇

𝐴5 = Com(𝑠)𝑢 ← 𝑅𝑆𝑒𝑡 = [−𝐵′, 𝐵′]PT

𝒇 = 𝑢 + 𝑥 D 𝑠

𝑠 ← SSet=[−𝐵, 𝐵]PT

Correctness: homomorphicpropertyofComCom(f)=Com(u+x·s)=Com(u)·Com(s)xSoundness(2-specialsoundness):proversucceedswithprob >1/|ChSet|à proverknowsavalid openingof𝐴5

• GivencommitmentA0,fromtwo distinctsuccessfulchallengeresponsepairpairs(x,f),(x’,f’),extractwitnesss’

𝐴4 + 𝑥 D 𝐴5 = Com(𝒇)𝐴4 + 𝑥E D 𝐴5 = Com(𝒇′)

𝑓 ?< 𝐵′ −𝑚𝑎𝑥6,z 𝑥 D 𝑠 {

Restartif 𝒇 { > 𝑩’ −𝒎𝒂𝒙𝒙,𝒔 𝒙 D 𝒔 {

𝒙 − 𝒙E D 𝑨𝟏 = 𝐂𝐨𝐦(𝒇 − 𝒇′)Relaxationfactor

s’

19

Honest-VerifierZero-Knowledge(HVZK):Anhonestverifiedcanefficientlysimulateaprooftranscriptwithouttheprover’switness!Accepted TranscriptSimulator,given𝐴5:

•

•

•

𝑥 ← CSet ⊆ 𝑅A𝑓 ← AccSet=[−(𝐵E−𝒎𝒂𝒙𝒙,𝒔 𝒙 D 𝒔 {), (𝐵E−𝒎𝒂𝒙𝒙,𝒔 𝒙 D 𝒔 {)]PT𝐴4 = Com 𝒇 − 𝑥 D 𝐴5

LatticeZKP1 Lattice-analogueofSchnorr ZKP`FixedProof’idea(a-la[Lyu12])

Prover Verifier

𝐴4 = Com(𝑢)

𝑥 ← CSet⊆ 𝑅A

𝒇

𝐴5 = Com(𝑠)𝑢 ← 𝑅𝑆𝑒𝑡 = [−𝐵′, 𝐵′]PT

𝒇 = 𝑢 + 𝑥 D 𝑠

𝑠 ← SSet=[−𝐵, 𝐵]PT

Restartif 𝒇 { > 𝑩’ −𝒎𝒂𝒙𝒙,𝒔 𝒙 D 𝒔 {

𝐴4 + 𝑥 D 𝐴5 ≟ Com(𝒇)

Application 1: Digital Signatures [Lyu12,L17+]• Lyubashevsky digitalsignatureidea[variantofLyu12]

• KG: sk =s,A1 =Com(s)• Sign(s,m)=(x,f)

• A0 =Com(u)• x=H(A0,m)∈ 0,1 P

• f=u+x·s• Ver(m,(x,f),pk):

• 𝐴4 = Com 𝒇 − 𝑥 D 𝐴5• 𝑥 ≟ H(A0,m)• 𝑓 ?< 𝐵′ −𝑚𝑎𝑥6,z 𝑥 D 𝑠 {

• Unforgeability proofideas:• ZKsimulatorà simulateobs signaturesbyprogrammingH,withoutsecretkeys• Approx.relationsoundnessà forgingalg.canbeusedtoextracts’=𝑓– 𝑓’ s.t• 𝑥 − 𝑥E D 𝐴5 = Com(𝑓 − 𝑓′)à solveModule-RingSIS :Com( 𝑥 − 𝑥’ D 𝑠– 𝑓 − 𝑓’ )=0• HardnessofdecisionModule-RingLWEà non-trivialsolutionforModule-RingSIS

• Optimised signaturevariantsofaboveinNISTPQCsecondround:• Dilithium,Tesla

20

Restartif 𝒇 { > 𝑩’ −𝒎𝒂𝒙𝒙,𝒔 𝒙 D 𝒔 {.

ZKPsfornon-linearrelations: One-out-of-ManyProofs

..Prover(𝑃5,… , 𝑃�,(ℓ, 𝑠)) Verifier(𝑃5,… , 𝑃�)

Accept/Reject……

Goal: Proveknowledgeofasecretassociatedtooneofthepublicvalueswithoutrevealingthesecretandtheindexofthepublicvalue

1 2 …ℓ …𝑁IDEALtoolforprivacy-preserving

applications

21

𝑃ℓ = Com(𝑠)…𝑃5 𝑃t… 𝑃�

RingSignatures[RST01,BKM09]

𝑝𝑘5, … , 𝑝𝑘� ,𝑚, 𝜎

Accept/Reject

Properties:1) Correctness2)Unforgeability3) Anonymity

Ring

𝜎 ← Sign 𝑠𝑘ℓ, 𝑝𝑘5, … , 𝑝𝑘� ,𝑚

22

1-out-of-𝑁 proof→ RingSignature

• Userscommittotheirsecretkeystoformtheirpublickeys:𝑝𝑘� = Com 𝑠𝑘�

• Signergeneratesanon-interactive1-out-of-𝑁 prooftoproveknowledgeofanopeningofoneof𝑝𝑘�’s

• i.e.,provingknowledgeof𝑠𝑘ℓ withoutrevealingℓ

1-out-of-𝑵𝐙𝐊𝐏 RingSignatureCompleteness⟹ CorrectnessSoundness⟹ UnforgeabilityZero-Knowledge⟹ Anonymity

Thetransitionmaynotgososmoothlyinthelatticesetting!

23

ApplicationsandOurFocus

• Setmembershipproofs,groupsignatures,…• Privacy-awarecryptocurrencies,e.g.,RingCT protocolinMonero• e-votingsystems• …

• Wewant: short (sublinear-sized)and“post-quantum”one-out-of-manyproofswithnotrustedsetup

24

DiscreteLog.• ZKproofsrunsmoothly

• Noprotocolrepetitions(negligiblesoundnesserrorinsingleexecution)

• Exactsoundness• Any commitmentopeningisvalid

• Veryshortandscalable1-out-of-𝑁proofsduetoGroth andKohlweiss[GK15]andBootleetal.[BCC+15]

• Prooflength:𝑂 log𝑁• Shortinpractice aswell• OnlyafewKBevenfor𝑁 = 10¡

Lattice• Ifyoucareaboutefficiency,thenyouhavetomakecompromises

• Relaxedsoundness:proveknowledgeof(𝛾, 𝑠) s.t

𝛾 ⋅ 𝐶 = Com 𝑠• Onlyshort openingsarevalid

• 𝑠 ≤ 𝑇 forsome𝑇 < 𝑞• Youmayhavetowork

• withasmall setofchallenges• overaring,notafield

• Log-sizedringsignatureduetoLibert etal.[LLNW15]

• NOTshort inpractice• 75MBfor𝑁 = 1000

AdvancedZero-KnowledgeProofs

25

OurResults:Summary• Newtechnicaltoolsforalgebraiclattice-basedprotocols

• HandlingapproximateZKprotocolsfornon-linear(degreek>1) relationsinlatticesetting• Manyspecialsoundprotocols:GeneralizationofLyubashevsky 2-soundprotocoltok>1-non-linearrelations

• Boundsonlengthofextractedwitnessesandapproximationfactors• Speed-upTechniques:CRTmessagepackingincommitmentandadaptingNTT-friendlyrings

• Shortone-out-of-manyproofsfromlattices• Oneshotchallenges• Shortbothasymptoticallyandinpractice

• Shortringsignaturefromstandardlatticeassumptions• BasedonModule-LWEandModule-SIS• Notrustedsetup• Newideasforsoundness⟹ unforgeabilityinaconstraint(lattice)setting

• Variantproofsforrangeandsetmembershipproofs• Exploitingmodulevariantsofstandardlatticeassumptionsforefficiencypurposes[seethepapersfordetails]

26

Lattice-BasedCommitmentschemes• Tohidelow-entropymessages,needarandomised (hiding)commitmentschemeCom(m;r)

• Forremainderofthistalk,Comwilldenoteoneofthetwolattice-based(Module-LWE,Module-SIS)randomised commitmentschemes[B+18]:

• HashedMessageCommitment(HMC):

• Unbounded-MessageCommitment(UMC):

27

Gr Gm 𝑟

𝑚

Com(𝑚, 𝑟) =

G1

G2

𝑟

𝑚

Com(𝑚, 𝑟) = + 0

Framework:ZKPsfornon-linearrelations

Prover Verifier

𝐴4,… , 𝐴©

𝑥 ← ChallengeSet

𝒇, 𝒓

𝐴4 + 𝑥𝐴5 +⋯+ 𝑥©𝐴© ≟ Com(𝒇; 𝒓)

Efficientproofsystemsfrom[GK15]and[BCC+15]havethisstructure!Weneedto1)proveadegree-𝑘 relationfor𝑘 ≥ 1

2)extractavalid openingof𝐴©

WitnessExtractionHowtoextractuseful secretinformationgivenasetof

accepting protocoltranscriptswiththesameinitialmessage

foralattice-basedcommitmentschemeCom?

28

WitnessExtraction( 𝑘 + 1 -specialsoundness)

Extractor

𝐴4,… , 𝐴©

𝑥4, … , 𝑥©𝒇4, 𝒓4 , … , (𝒇©, 𝒓©)

Anopeningof𝐴©

s.t. 𝐴4 + 𝑥�𝐴5 + ⋯+ 𝑥�©𝐴© ≟ Com(𝒇�; 𝒓�) for𝑖 = 0,… , 𝑘

Provesasoundnesserror≤ ©®¯°±²

(acheatingprover’smax.successprobability)29

WitnessExtraction

• Weknowthat𝐴4 + 𝑥�𝐴5 + ⋯+ 𝑥�©𝐴© ≟ Com(𝒇�; 𝒓�) for𝑖 = 0,… , 𝑘

• Goal:Recoveranopeningof𝐴© 𝑽,VandermondeMatrix

30

overaringℜ

Forourlattice-basedcommitment,(𝑚, 𝑟) isavalidopeningof𝐶 if𝐶 = Com(𝑚; 𝑟) AND(𝑚, 𝑟) isshort!

WitnessExtraction

𝑽H5 =

Wehave𝑽 ⋅ 𝒂 = 𝒄,andwewanttoeliminate𝑽

Twoapproaches:• Approach1[E+19a]:Usespecialchallengespacesothatchallengedifferences

1) areinvertible,and2) havea`short’inverse!• Drawback: Smallchallengespaceàmultiplerepetitionsneededforhighsoundnesssecurityà Longproofs,length=𝑂¶ 𝜆t

• Approach2[Thiswork]:Clearthedenominatorsbymultiplyingbydet(V)andfindgoodboundsondet(V)forasetof`short’challenges

• Advantage: cansupportlargechallengespace(‘`one-shot’)à shortproofs,length=𝑂¶ 𝜆 31

[Turner66]

Ourapproach:adjugate matrices• InsteadofmultiplyingbyV^{-1},wemultiplybyadj(V):

• Wehave𝑽 ⋅ 𝒂 = 𝒄 → 𝒅𝒆𝒕(𝑽) ⋅ 𝒂 = 𝒂𝒅𝒋 𝑽 D 𝒄• Relaxationfactor: det 𝑉 = ∏ (𝑥� − 𝑥¾)4¿�À¾¿©

• Extractedwitnessforlastcommitment:

det 𝑉 D 𝐴© =ÁΓ� D 𝐶𝑜𝑚 𝑓�; 𝑟�

©

�Ã4

= 𝐶𝑜𝑚(ÁΓ� D 𝑓�;©

�Ã4

ÁΓ� D 𝑟�)©

�Ã4whereΓ� = (−1)�Ä©∏ (𝑥¾ − 𝑥Å)4¿ÅÀ¾¿©Å,¾Æ� 32

det(𝑉) det(𝑉)

𝑎𝑑𝑗 𝑉 =

det(𝑉)

𝑚È© �̂�©

• Inparticular,ouradjugate matrixanalysisapproachallowslargechallengespacesoftheform

• `Oneshot’possiblewith`short’challenges• e.g.sizeof>2256if 𝑑,𝑤, 𝑝 = 256, 60, 1

• Noinvertibility conditiononchallengespaceneeded(Vcanevenbesingular)à nospecialconditiononringmodulusqneededà canuse`NTT-friendly’q

• Moderatelyshortboundsonrelaxationfactor/witnesssizeforsmallk:• Relaxationfactor:det 𝑉 ≤ (2𝑝)©(©Ä5)/t D 𝑤©(©Ä5)/tH5

• Extractedwitnessnorm:

33

Ourapproach:adjugate matrices

𝑚È© ≤ (𝑘 + 1) D 𝑑 D (2𝑝)©(©H5)/tD 𝑤©(©H5)/tH5 D 𝑚𝑎𝑥� 𝑓��̂�© ≤ (𝑘 + 1) D 𝑑 D (2𝑝)©(©H5)/tD 𝑤©(©H5)/tH5 D 𝑚𝑎𝑥� 𝑟�

Application:CommitmentsofBitsRelaxed ZKP• One-shotvariantofmulti-shotlatticeZKP[E+19a],DLZKPin[GK15]

• Proverwitness• Verifierinput:• OriginalGoal:provethatbisavectorofbits• RelaxedGoal:provethatb=yb’forvectorofbitsb’and`short’relaxationfactory

• ZKPIdea– encodebinaryrequirementasaquadraticrelation:• 𝑏� ∈ 0,1 ← 𝑜𝑣𝑒𝑟𝑎𝑓𝑖𝑒𝑙𝑑 𝑏� D (1 − 𝑏�) = 0• Usualbasicsetting:

• Proversendscommitmentofmaskingrandomness𝐴 = 𝐶𝑜𝑚(𝒂; 𝒓𝒂)• Verifiersendschallengex• Proversendsresponseencodings𝑓� = 𝑎� + x D 𝑏�

• Toverifybinaryrequirement,verifiercomputesquadraticfunctionofxoverencodings:• 𝑔� 𝑥 = 𝑓� D 𝑥 − 𝑓� = −𝑎�t + 𝑎� 1 − 2𝑏� D 𝑥 + 𝑏� 1 − 𝑏� D 𝑥t• Andchecksthatx2coefficientiszero,bychecking• 𝐶𝑜𝑚(𝑔� 𝑥 )=?Com( −𝑎�t )+Com( 𝑎� 1 − 2𝑏� )*x• Toallowverifiertodothis,proveralsosendsinfirststepcommitmentstothenon-zerocoefficients 34

𝒃 ∈ 𝟎, 𝟏 𝒔, 𝒓 ← Sset (`short’)𝐵 = Com(𝒃; 𝒓)

Application:CommitmenttobitsZKP(basicidea)

𝐴 + 𝑥 D 𝐵 ≟ Com(𝒇; 𝑧Ó)

𝒈 = [𝒈𝒊 𝒙 ] = [𝒇𝒊D 𝒙 − 𝒇𝒊 ]

Prover Verifier

𝑥 ← CSet⊆ 𝑅A

(𝒇, 𝒛𝒃, 𝒛𝒄)

𝐵 = Com(𝒃; 𝒓)𝒂, 𝒓𝒂

𝒇𝒊 = 𝑎� + 𝑥 D 𝑏�

𝒃 ∈ 𝟎, 𝟏 𝒔, 𝒓 ← SSet

(𝒇, 𝒛𝒃, 𝒛𝒄) ? < 𝐵E

𝒛𝒃 = 𝒓𝒂 + 𝑥 D 𝒓𝒛𝒄 = 𝒓𝒅 + 𝑥 D 𝒓×Restartif (𝒇, 𝒛𝒃, 𝒛𝒄) { > 𝑩′

𝐴 = 𝐶𝑜𝑚(𝒂; 𝒓𝒂)𝐶 = 𝐶𝑜𝑚( 𝑎� 1 − 2𝑏� ; 𝒓𝒄)𝐷 = 𝐶𝑜𝑚( −𝑎�t ; 𝒓𝒅)

𝐷 + 𝑥 D 𝐶 ≟ Com(𝒈; 𝒛𝒄)

• CommittobitsZKPSoundnessargumentsketch:• Usingthree rewindings ofaproverondistinctchallenges:x1,x2,x3 (samecommitments,butdifferentresponses𝑓�,¾(𝑗 = 1,2,3)

• ->Get3relaxedopenings(𝒂È, 𝒃Ú, 𝒄Û, 𝒅Ú) ofA,B,C,D• withrelaxationfactory=x1 – x2• MustbesameopeningsbybindingofCom,hence:• 𝑦 D 𝑓�,¾ = 𝑥¾ D 𝑏Ý� + 𝑎Û� (j=1,2,3)• 𝑦 D 𝑓�,¾ D (𝑥¾ − 𝑓�,¾) = 𝑥¾ D �̂�� + 𝑑Þ� (j=1,2,3)• à CombineabovepairsofrelationstogetaVandermonde linearsystemoverRq:1 𝑥5 𝑥5t

1 𝑥t 𝑥tt

1 𝑥ß 𝑥ßtD

−𝑎Û�t − 𝑦𝑑Þ�𝑎Û� 𝑦 − 2𝑏Ý� − 𝑦�̂��

𝑏Ý� 𝑦 − 𝑏Ý�

= 0

• Ouradjugate techniqueimpliesdet 𝑉 𝑏Ý� 𝑦 − 𝑏Ý� =0in𝑅A

36

Application:CommitmenttobitsZKP(basicidea)

• CommittobitsZKPSoundnessargumentsketch(cont.):• Ouradjugate techniqueimpliesdet 𝑉 𝑏Ý� 𝑦 − 𝑏Ý� =0in𝑅A,where• 𝑑𝑒𝑡 𝑉 = (𝑥5 − 𝑥t) (𝑥5 − 𝑥ß)(𝑥t − 𝑥ß)

• Wanttouse`NTT-friendly’ringsand`large’challenges• Cannotassumedet(V)isinvertiblein𝑅A

• But,stillwantto“cancel”det(V)factor• à Speed-upLemma1:

• FollowsbecauseRisanintegraldomain.

• ->Wechooseqlargeenoughs.t. Lemma7applies:q/2 > det 𝑉 𝑏Ý� 𝑦 − 𝑏Ý� à cancanceldet(V)toconclude

• 𝑏Ý� 𝑦 − 𝑏Ý� =0à “relaxed”soundnessholds:𝑏Ý� = y D 𝑏�E with𝑏�E ∈ {0,1} 37

Application:CommitmenttobitsZKP(basicidea)

Application:One-of-NZKP• One-shotvariantofmulti-shotlatticeZKP[E+19a],DLZKPin[GK15]

• Proverwitness• Verifierinput:(𝑃5, … , 𝑃�)• OriginalGoal[GK15]: provethat• RelaxedGoal(Ourprotocol): provethat𝒚′ D 𝑃ℓ = 𝑪𝒐𝒎(𝟎; 𝒓Û) for`short’y’and𝒓Û• ZKPIdea– encoderequirementasapolynomialrelation:

• Decomposeℓ = ∑ ℓ𝒋𝜷𝒋𝒌H𝟏𝒋Ã𝟎 and𝒊 = ∑ 𝒊𝒋𝜷𝒋𝒌H𝟏

𝒋Ã𝟎 ∈ [𝑵] into𝑘 = 𝑂(log𝑁) base-𝛽 digits• Writeeachdigitℓ𝒋 inunary:𝜹¾ = (𝛿ℓ𝒋,4, … , 𝛿ℓ𝒋,VH5) isabitvectorwith1inℓ𝒋’th pos.and0else.• Thenisequiv.to∑ ∏ 𝛿ℓ𝒋,�ë¾∈[©] D 𝑃� = 𝐶𝑜𝑚(0; 𝑟)�∈[�] (*)• Provercommitsto𝜹¾‘sanduses`CommittoBits’Protocolvarianttoprove𝜹¾‘sarewellformed

• Proversendscommitmentsofmaskingrandomness𝐴 = 𝐶𝑜𝑚(𝒂; 𝒓𝒂)(andC,D)• Verifiersendschallengex• Proversendsresponseencodings𝑓¾,�ë = 𝑎¾,�ë + x D 𝛿ℓ𝒋,�ë

• Toverify1-of-Nrelation(*),verifiercomputesdegreekfunctionofxoverencodings:• 𝑃 𝑥 = ∑ 𝑝� 𝑥 D 𝑃� =�∈[�] ∑ ∏ 𝑓𝒋,�ë¾∈[©] D 𝑃� =�∈[�] ∑ 𝑒�,4 + 𝑒�,5 D 𝑥 + ⋯+ ∏ 𝛿ℓ𝒋,�ë¾∈[©] D 𝑥© D 𝑃��∈[�]

• Andchecksthatxk coefficientisacommitmentzero,bychecking• 𝑃(𝑥) −([∑ 𝑒�,4𝑃�] + [∑ 𝑒�,5𝑃�] D 𝑥 + ⋯+ [∑ 𝑒�,©H5𝑃�] D 𝑥©H5)=Com(0,z)forazsentbytheprover• Toallowverifiertodothis,proveralsosendsinfirststepcommitmentsinthecoefficientsof𝑥¾ (j<k)

38

ℓ ∈ [𝑵], 𝒓 ← Sset (`short’)𝑃ℓ = Com(𝟎; 𝒓)

𝑃ℓ = Com(𝟎; 𝒓)

• CommittobitsZKPSoundnessargumentsketch:• UsingtheextractorofourRelaxed`CommittoBits’protocolwithrelaxationfactory=x1 – x2,weextractanopeningℓÝand𝑝�È

• Usingk+1 rewindings ofaproverondistinctchallenges:x1,… ,xk+1• à geta(k+1)’th orderVandermonde linearsystemwithmatrixVoverRq• à Byouradjugate technique,extractarelaxeddecommitment oftheform• det 𝑉 𝑦©𝑃ℓÝ = 𝐶𝑜𝑚(0, ∑ Γ��∈ � 𝑦©𝒛�)• Toreducetherelaxationfactortodet 𝑉 𝑦 ,weapplyanotherobservation:

• Weapplyourboundsondet(V)andytoboundtheextractedwitnessnorm.• Moderatelypracticalsincek+1=O(logN)issmall–

• inpracticeforNuptomillions,usuallyoptimaltousekasmallconstantk<3

39

Application:One-of-NZKP

Application:RingSignatureLengthComparison

SignaturelengthsareinKB.Securitylevel≈ 128 bits

40

RingSize 𝟐𝟔 𝟐𝟏𝟎 𝟐𝟏𝟔 𝟐𝟐𝟎 𝟐𝟑𝟎

[LLNW15] 47000 75000 118000 146000 217000

[ESSLL19] 774 1021 1487 1862 3006

[ESLL19] 57 89 154 241 541

eprint.iacr.org/2018/773 – ”multi-shot”proofs(ACNS’19)eprint.iacr.org/2019/445 – Advanced“one-shot”proofs

(to appear in CRYPTO’19)

Application:IntegerRangeZKP• IntegerrangeProofs:• Proverwitness:ℓ ∈ [0, 2© − 1] ,𝑟`𝑠ℎ𝑜𝑟𝑡′• Verifierinput:(𝑃 )• OriginalGoal: provethat𝑃 = 𝐶𝑜𝑚(ℓ; 𝑟) withℓ ∈ [0, 2© − 1]• RelaxedGoal(Ours): provethat𝒚′ D 𝑃 = 𝑪𝒐𝒎(𝒚′ D ℓ; 𝒓Û) for`short’y’and𝒓Û• BasicZKPidea:

• Decomposeℓ = ∑ ℓ𝒊𝟐𝒊𝒌H𝟏𝒊Ã𝟎 inbinary,ℓ� ∈ {0,1}

• Provercommitstobits𝐵 = 𝐶𝑜𝑚(ℓ4, … , ℓ©H5;)• Use`CommittoBits’protocoltoproveℓ� ∈ {0,1}

• Proversendscommitmentofmaskingrandomness𝐴 = 𝐶𝑜𝑚(𝒂; 𝒓𝒂)• Verifiersendschallengex• Proversendsresponseencodings𝑓� = 𝐸𝑛𝑐6 ℓ� = 𝑎� + x D ℓ�

• Verifierchecks`CommittoBits’Proofandalsochecksthatbitsdecomposeℓ• Inter-bithomomorphicencodingoperationonencodings:

• Verifiercomputesencodingv=𝐸𝑛𝑐6 ∑ 2�©H5�Ã4 ℓ� fromencodingsofℓ�

• ∑ 2�©H5�Ã4 D 𝐸𝑛𝑐6 ℓ� =∑ 2�©H5

�Ã4 D 𝑎� + 𝑥 D ∑ 2�©H5�Ã4 ℓ�

• ChecksthatCom(v)andx*Parecommitmentstosameℓ

41

Speed-up technique 2: CRT-packing technique supporting inter-slot operations• Efficiencyproblem:

• Eachbitℓ� consumesawholeringelementintheBcommitment(UMC)

• àkadditionalringelementsincommitmentoutput• àCanmaintaincommitmentlength (setringdimensiondà d/k)• àButComeval run-time stillgoesupbyfactork(𝐺t has≥ 𝑘t Ringelements)

• OurSpeedupTechnique2:UseCRT-packing(a-laFHE)topackkbitsinto1ringelement

42

G1

G2

𝑟

ℓ

Com(ℓ, 𝑟) = + 0

• CRTmessagepackingofkbitsinto1ringelement:• Use𝑅A suchthat𝑧P + 1 splitsinto𝑘 irreduciblefactors𝑃�(𝑧)modq(eachofdegree𝑑/𝑘:

• 𝑅A ≃ 𝑅A5 ×⋯×𝑅A

©

• 𝑚 → 𝐶𝑅𝑇 𝑚 = 𝑚5,… ,𝑚© = 𝑚𝑚𝑜𝑑𝑃5, … ,𝑚𝑚𝑜𝑑𝑃©

• PackedEncodingisnow:• 𝑓 = 𝐸𝑛𝑐6 ℓ5, … , ℓ© = 𝐶𝑅𝑇H5(𝑎5, … , 𝑎©)+ x D 𝐶𝑅𝑇H5(ℓ5, … , ℓ©)• Canextractfromfencodingsofindividualslots:

• 𝑓� = 𝐸𝑛𝑐6T%P&' ℓ� = 𝑎� + 𝑥𝑚𝑜𝑑𝑃� D ℓ�• Buttosupportinterslot homomrphic propertyofEnc,needallextractedencodingswithrespecttosame xà need𝑥𝑚𝑜𝑑𝑃� = 𝑥 forall𝑖

• ∑ 2�©H5�Ã4 D 𝐸𝑛𝑐6 ℓ� =∑ 2�©H5

�Ã4 D 𝑎� + 𝑥 D ∑ 2�©H5�Ã4 ℓ�

• Oursolution:choosechallengexofdegree<d/kà 𝑥𝑚𝑜𝑑𝑃� = 𝑥 forall𝑖

43

Speed-uptechnique2: CRT-packingtechniquesupportinginter-slotoperations

44

Speed-uptechnique2: CRT-packingtechniquesupportinginter-slotoperations

Selectedreferences• [GMR85]Goldwasser etal.,“Theknowledgecomplexityofinteractiveproof-systems”,STOC‘85.

• [Sch89]Schnorr,“Efficientidentificationandsignaturesforsmartcards”,CRYPTO‘89.• [Lyu09]Lyubashevsky,“Fiat-ShamirwithAborts:ApplicationstoLatticeandFactoring-BasedSignatures”,ASIACRYPT’09.

• [Lyu12]Lyubashevsky,“LatticeSignatureswithoutTrapdoors.”,EUROCRYPT‘12.• [GK15]Groth andKohlweiss,“One-out-of-manyproofs:Orhowtoleakasecretandspendacoin”,EUROCRYPT‘15.

• [D+17]Ducas etal.,“CRYSTALS-Dilithium:ALattice-BasedDigitalSignatureScheme”,CHES‘18.

• [E+19a]Esgin etal.,“Shortlattice-basedone-out-of-manyproofsandapplicationstoringsignatures,ACNS‘19

• [E+19b]Esgin etal.,“Lattice-basedZero-KnowledgeProofs:NewTechniquesforShorterandFasterConstructionsandApplications”,CRYPTO‘19(toappear)

45

THANKYOU

46