Zero-Knowledge Proofs with Low Amortized Communication from Lattice Assumptions

We construct zero-knowledge proofs of plaintext knowledge (PoPK) and correct multiplication (PoPC) for the Regev encryption scheme with low amortized communication complexity. Previous constructions of both PoPK and PoPC had communication cost linear in the size of the public key (roughly quadratic in the lattice dimension, ignoring logarithmic factors). Furthermore, previous constructions of PoPK suffered from one of the following weaknesses: either the message and randomness space were restricted, or there was a super-polynomial gap between the size of the message and randomness that an honest prover chose and the size of which an accepting verifier would be convinced. The latter weakness was also present in the existent PoPC protocols. In contrast, O(n) proofs (for lattice dimension n) in our PoPK and PoPC protocols have communication cost linear in the public key. Thus, we improve the amortized communication cost of each proof by a factor linear in the lattice dimension. Furthermore, we allow the message space to be ℤp and the randomness distribution to be the discrete Gaussian, both of which are natural choices for the Regev encryption scheme. Finally, in our schemes there is no gap between the size of the message and randomness that an honest prover chooses and the size of which an accepting verifier is convinced. Our constructions use the "MPC-in-the-head" technique of Ishai et al. (STOC 2007). At the heart of our constructions is a protocol for proving that a value is bounded by some publicly known bound. This uses Lagrange's Theorem that states that any positive integer can be expressed as the sum of four squares (an idea previously used by Boudot (EUROCRYPT 2000)), as well as techniques from Cramer and Damgard (CRYPTO 2009).

[1]  Vinod Vaikuntanathan,et al.  Multiparty Computation with Low Communication, Computation and Interaction via Threshold FHE , 2012, EUROCRYPT.

[2]  Ueli Maurer,et al.  Robustness for Free in Unconditional Multi-party Computation , 2001, CRYPTO.

[3]  Silvio Micali,et al.  How to play ANY mental game , 1987, STOC.

[4]  Chris Peikert,et al.  Public-key cryptosystems from the worst-case shortest vector problem: extended abstract , 2009, STOC '09.

[5]  Fabrice Boudot,et al.  Efficient Proofs that a Committed Number Lies in an Interval , 2000, EUROCRYPT.

[6]  Andrew Chi-Chih Yao,et al.  Protocols for secure computations , 1982, FOCS 1982.

[7]  Brent Waters,et al.  A Framework for Efficient and Composable Oblivious Transfer , 2008, CRYPTO.

[8]  Craig Gentry,et al.  (Leveled) fully homomorphic encryption without bootstrapping , 2012, ITCS '12.

[9]  Martin Hirt,et al.  Asynchronous Multi-Party Computation with Quadratic Communication , 2008, ICALP.

[10]  Ivan Damgård,et al.  Threshold Decryption and Zero-Knowledge Proofs for Lattice-Based Cryptosystems , 2010, TCC.

[11]  Daniele Micciancio,et al.  Worst-case to average-case reductions based on Gaussian measures , 2004, 45th Annual IEEE Symposium on Foundations of Computer Science.

[12]  Matthew K. Franklin,et al.  Communication complexity of secure computation (extended abstract) , 1992, STOC '92.

[13]  Adi Shamir,et al.  How to share a secret , 1979, CACM.

[14]  Helger Lipmaa,et al.  On Diophantine Complexity and Statistical Zero-Knowledge Arguments , 2003, ASIACRYPT.

[15]  Rafail Ostrovsky,et al.  Zero-knowledge from secure multiparty computation , 2007, STOC '07.

[16]  Martin Hirt,et al.  On the theoretical gap between synchronous and asynchronous MPC protocols , 2010, PODC '10.

[17]  Ivan Damgård,et al.  Multiparty Computation for Dishonest Majority: from Passive to Active Security at Low Cost , 2010, IACR Cryptol. ePrint Arch..

[18]  David Chaum,et al.  Multiparty Unconditionally Secure Protocols (Extended Abstract) , 1988, STOC.

[19]  Ivan Damgård,et al.  Semi-Homomorphic Encryption and Multiparty Computation , 2011, IACR Cryptol. ePrint Arch..

[20]  Donald Beaver,et al.  Efficient Multiparty Protocols Using Circuit Randomization , 1991, CRYPTO.

[21]  Ivan Damgård,et al.  Multiparty Computation from Somewhat Homomorphic Encryption , 2012, IACR Cryptol. ePrint Arch..

[22]  David Chaum,et al.  Multiparty unconditionally secure protocols , 1988, STOC '88.

[23]  Oded Regev,et al.  On lattices, learning with errors, random linear codes, and cryptography , 2005, STOC '05.

[24]  Jonathan Katz,et al.  Round-Efficient Secure Computation in Point-to-Point Networks , 2007, EUROCRYPT.

[25]  Craig Gentry,et al.  Trapdoors for hard lattices and new cryptographic constructions , 2008, IACR Cryptol. ePrint Arch..

[26]  Ivan Damgård,et al.  On the Amortized Complexity of Zero-Knowledge Protocols , 2009, CRYPTO.

[27]  Vinod Vaikuntanathan,et al.  Efficient Fully Homomorphic Encryption from (Standard) LWE , 2011, 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science.

[28]  Andrew Chi-Chih Yao,et al.  Protocols for Secure Computations (Extended Abstract) , 1982, FOCS.

[29]  Gerhard Rosenberger,et al.  Number Theory: An Introduction via the Distribution of Primes , 2006 .

[30]  Martin Hirt,et al.  Perfectly-Secure MPC with Linear Communication Complexity , 2008, TCC.

[31]  M. Rabin,et al.  Randomized algorithms in number theory , 1985 .

[32]  Avi Wigderson,et al.  Completeness theorems for non-cryptographic fault-tolerant distributed computation , 1988, STOC '88.