Multi-theorem Preprocessing NIZKs from Lattices

Non-interactive zero-knowledge (NIZK) proofs are fundamental to modern cryptography. Numerous NIZK constructions are known in both the random oracle and the common reference string (CRS) models. In the CRS model, there exist constructions from several classes of cryptographic assumptions such as trapdoor permutations, pairings, and indistinguishability obfuscation. However, at the time of the initial publication of this work, we did not have constructions of NIZKs from standard lattice assumptions. In this work, we take an initial step toward constructing multi-theorem NIZKs for general $$\mathsf {NP}$$NP languages from standard lattice assumptions by considering a relaxation to the preprocessing model and a new model we call the designated-prover model. In the preprocessing model, a setup algorithm generates secret proving and verification keys for the prover and the verifier, respectively. In the designated-prover model, the proving key is secret, but the verification key is public. In both settings, the proving key is used to construct proofs and the verification key is used to check proofs. Finally, in the multi-theorem setting, both the proving and verification keys should be reusable for an unbounded number of theorems without compromising soundness or zero-knowledge. Previous constructions of NIZKs in the preprocessing model that rely on weaker assumptions like one-way functions or oblivious transfer are only secure in a single-theorem setting. Thus, constructing multi-theorem NIZKs in these relaxed models does not seem to be inherently easier than constructing them in the CRS model. In this work, we first construct a multi-theorem preprocessing NIZK argument from context-hiding homomorphic signatures. In fact, the construction is a designated-prover NIZK. We also show that using homomorphic commitments, we can get statistically sound proofs in the preprocessing and designated-prover models. Together with lattice-based instantiations of homomorphic signatures and commitments, we obtain the first multi-theorem NIZKs in the preprocessing and designated-prover models from standard lattice assumptions. Finally, we show how to generalize our construction to obtain a universally composable NIZK (UC-NIZK) in the preprocessing model from standard lattice assumptions. Our UC-NIZK relies on a simple preprocessing protocol based on a new primitive we call blind homomorphic signatures.

[1]  Ran Canetti,et al.  Universally composable security: a new paradigm for cryptographic protocols , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[2]  Nuttapong Attrapadung,et al.  Homomorphic Network Coding Signatures in the Standard Model , 2011, Public Key Cryptography.

[3]  Moni Naor,et al.  Number-theoretic constructions of efficient pseudo-random functions , 2004, JACM.

[4]  David J. Wu,et al.  Multi-Theorem Preprocessing NIZKs from Lattices , 2018, IACR Cryptol. ePrint Arch..

[5]  Yehuda Lindell,et al.  An Efficient Protocol for Secure Two-Party Computation in the Presence of Malicious Adversaries , 2007, Journal of Cryptology.

[6]  David Cash,et al.  Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems , 2009, CRYPTO.

[7]  Stefan A. Brands,et al.  Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy , 2000 .

[8]  David Chaum,et al.  Blind Signatures for Untraceable Payments , 1982, CRYPTO.

[9]  Damien Stehlé,et al.  Classical hardness of learning with errors , 2013, STOC '13.

[10]  Ran Canetti,et al.  Non-Interactive Zero Knowledge and Correlation Intractability from Circular-Secure FHE , 2018, IACR Cryptol. ePrint Arch..

[11]  Jiang Zhang,et al.  Two-Round PAKE from Approximate SPH and Instantiations from Lattices , 2017, ASIACRYPT.

[12]  Hovav Shacham,et al.  Compact Proofs of Retrievability , 2008, Journal of Cryptology.

[13]  Dennis Hofheinz,et al.  Designated-verifier pseudorandom generators, and their applications , 2019, IACR Cryptol. ePrint Arch..

[14]  Jonathan Katz,et al.  Smooth Projective Hashing and Password-Based Authenticated Key Exchange from Lattices , 2009, ASIACRYPT.

[15]  Ran Canetti,et al.  A Forward-Secure Public-Key Encryption Scheme , 2003, Journal of Cryptology.

[16]  Vinod Vaikuntanathan,et al.  Noninteractive Statistical Zero-Knowledge Proofs for Lattice Problems , 2008, CRYPTO.

[17]  Silvio Micali,et al.  The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[18]  Michael Backes,et al.  Verifiable delegation of computation on outsourced data , 2013, CCS.

[19]  Chris Peikert,et al.  Faster Bootstrapping with Polynomial Error , 2014, CRYPTO.

[20]  Rui Xue,et al.  Zero Knowledge Proofs from Ring-LWE , 2013, CANS.

[21]  Daniel Wichs,et al.  Simple Lattice Trapdoor Sampling from a Broad Class of Distributions , 2015, Public Key Cryptography.

[22]  Yuval Ishai,et al.  Compressing Vector OLE , 2018, CCS.

[23]  David Mandell Freeman,et al.  Improved Security for Linearly Homomorphic Signatures: A Generic Framework , 2012, Public Key Cryptography.

[24]  Florian Volk,et al.  Security of Sanitizable Signatures Revisited , 2009, Public Key Cryptography.

[25]  Sanjam Garg,et al.  Two-round Multiparty Secure Computation from Minimal Assumptions , 2018, IACR Cryptol. ePrint Arch..

[26]  Manuel Blum,et al.  Noninteractive Zero-Knowledge , 1991, SIAM J. Comput..

[27]  Miklós Ajtai,et al.  Generating Hard Instances of the Short Basis Problem , 1999, ICALP.

[28]  Chris Peikert,et al.  Noninteractive Zero Knowledge for NP from (Plain) Learning With Errors , 2019, IACR Cryptol. ePrint Arch..

[29]  Craig Gentry,et al.  Trapdoors for hard lattices and new cryptographic constructions , 2008, IACR Cryptol. ePrint Arch..

[30]  Masayuki Abe,et al.  Signing on Elements in Bilinear Groups for Modular Protocol Design , 2010, IACR Cryptol. ePrint Arch..

[31]  Bogdan Warinschi,et al.  Efficient Network Coding Signatures in the Standard Model , 2012, Public Key Cryptography.

[32]  Rosario Gennaro,et al.  Generalizing Homomorphic MACs for Arithmetic Circuits , 2014, IACR Cryptol. ePrint Arch..

[33]  Ivan Damgård,et al.  Non-interactive Zero-Knowledge from Homomorphic Encryption , 2006, TCC.

[34]  Chris Peikert,et al.  New (and Old) Proof Systems for Lattice Problems , 2018, Public Key Cryptography.

[35]  Ron Rothblum,et al.  Fiat-Shamir: from practice to theory , 2019, STOC.

[36]  Silvio Micali,et al.  Non-Interactive Zero-Knowledge with Preprocessing , 1988, CRYPTO.

[37]  Chris Peikert,et al.  Hardness of SIS and LWE with Small Parameters , 2013, CRYPTO.

[38]  David Cash,et al.  Bonsai Trees, or How to Delegate a Lattice Basis , 2010, Journal of Cryptology.

[39]  Silvio Micali,et al.  Non-Interactive Zero-Knowledge Proof Systems , 1987, CRYPTO.

[40]  Craig Gentry,et al.  Fully Key-Homomorphic Encryption, Arithmetic Circuit ABE and Compact Garbled Circuits , 2014, EUROCRYPT.

[41]  Jens Groth,et al.  Making Sigma-Protocols Non-interactive Without Random Oracles , 2015, Public Key Cryptography.

[42]  Ran Canetti,et al.  Certifying Trapdoor Permutations, Revisited , 2018, IACR Cryptol. ePrint Arch..

[43]  Masayuki Abe,et al.  A Secure Three-Move Blind Signature Scheme for Polynomially Many Signatures , 2001, EUROCRYPT.

[44]  Abhi Shelat,et al.  Unconditional Characterizations of Non-interactive Zero-Knowledge , 2005, CRYPTO.

[45]  Yevgeniy Dodis,et al.  Proofs of Retrievability via Hardness Amplification , 2009, IACR Cryptol. ePrint Arch..

[46]  Ron Rothblum,et al.  Towards Non-Interactive Zero-Knowledge for NP from LWE , 2019, IACR Cryptol. ePrint Arch..

[47]  Lucjan Hanzlik,et al.  A Short Paper on Blind Signatures from Knowledge Assumptions , 2016, Financial Cryptography.

[48]  Damien Stehlé,et al.  Improved Zero-Knowledge Proofs of Knowledge for the ISIS Problem, and Applications , 2013, Public Key Cryptography.

[49]  G. G. Stokes "J." , 1890, The New Yale Book of Quotations.

[50]  Rosario Gennaro,et al.  Fully Homomorphic Message Authenticators , 2013, IACR Cryptol. ePrint Arch..

[51]  Oded Regev,et al.  On lattices, learning with errors, random linear codes, and cryptography , 2005, STOC '05.

[52]  Silvio Micali,et al.  A Completeness Theorem for Protocols with Honest Majority , 1987, STOC 1987.

[53]  Jonathan Katz,et al.  Proofs of Storage from Homomorphic Identification Protocols , 2009, ASIACRYPT.

[54]  Amit Sahai,et al.  Round Optimal Blind Signatures , 2011, CRYPTO.

[55]  Abhi Shelat,et al.  Construction of a Non-malleable Encryption Scheme from Any Semantically Secure One , 2006, CRYPTO.

[56]  Mihir Bellare,et al.  On Defining Proofs of Knowledge , 1992, CRYPTO.

[57]  Yael Tauman Kalai,et al.  Succinct Non-Interactive Zero-Knowledge Proofs with Preprocessing for LOGSNP , 2006, 2006 47th Annual IEEE Symposium on Foundations of Computer Science (FOCS'06).

[58]  Marc Fischlin,et al.  Round-Optimal Composable Blind Signatures in the Common Reference String Model , 2006, CRYPTO.

[59]  Ron Rothblum,et al.  New Constructions of Reusable Designated-Verifier NIZKs , 2019, IACR Cryptol. ePrint Arch..

[60]  Amit Sahai,et al.  Efficient Non-interactive Proof Systems for Bilinear Groups , 2008, EUROCRYPT.

[61]  Practical Round-Optimal Blind Signatures in the Standard Model , 2015, IACR Cryptol. ePrint Arch..

[62]  C. P. Schnorr,et al.  Efficient Identification and Signatures for Smart Cards (Abstract) , 1989, EUROCRYPT.

[63]  Dario Catalano,et al.  Homomorphic Signatures and Message Authentication Codes , 2014, SCN.

[64]  Ron Rothblum,et al.  Fiat-Shamir From Simpler Assumptions , 2018, IACR Cryptol. ePrint Arch..

[65]  Adi Shamir,et al.  Multiple non-interactive zero knowledge proofs based on a single random string , 1990, Proceedings [1990] 31st Annual Symposium on Foundations of Computer Science.

[66]  Ron Rothblum,et al.  Fiat-Shamir and Correlation Intractability from Strong KDM-Secure Encryption , 2018, IACR Cryptol. ePrint Arch..

[67]  Daniele Micciancio Almost Perfect Lattices, the Covering Radius Problem, and Applications to Ajtai's Connection Factor , 2003, SIAM J. Comput..

[68]  Jonathan Katz,et al.  Signing a Linear Subspace: Signature Schemes for Network Coding , 2009, IACR Cryptol. ePrint Arch..

[69]  Ran Canetti,et al.  On the Correlation Intractability of Obfuscated Pseudorandom Functions , 2016, TCC.

[70]  Ronald Cramer,et al.  Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption , 2001, EUROCRYPT.

[71]  Alex Lombardi,et al.  Cryptographic Hashing from Strong One-Way Functions (Or: One-Way Product Functions and Their Applications) , 2018, 2018 IEEE 59th Annual Symposium on Foundations of Computer Science (FOCS).

[72]  Rafail Ostrovsky,et al.  Minimum resource zero knowledge proofs , 1989, 30th Annual Symposium on Foundations of Computer Science.

[73]  Jens Groth,et al.  Simulation-Sound NIZK Proofs for a Practical Language and Constant Size Group Signatures , 2006, ASIACRYPT.

[74]  Chris Peikert,et al.  Public-key cryptosystems from the worst-case shortest vector problem: extended abstract , 2009, STOC '09.

[75]  Rafail Ostrovsky,et al.  Robust Non-interactive Zero Knowledge , 2001, CRYPTO.

[76]  Yuval Ishai,et al.  Breaking the Circuit Size Barrier for Secure Computation Under DDH , 2016, CRYPTO.

[77]  Aikaterini Mitrokotsa,et al.  Multi-key Homomorphic Authenticators , 2016, ASIACRYPT.

[78]  Silvio Micali,et al.  The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[79]  Ron Rothblum,et al.  Reusable Designated-Verifier NIZKs for all NP from CDH , 2019, IACR Cryptol. ePrint Arch..

[80]  Ran Canetti,et al.  Universal Composition with Joint State , 2003, CRYPTO.

[81]  Daniele Micciancio,et al.  Worst-case to average-case reductions based on Gaussian measures , 2004, 45th Annual IEEE Symposium on Foundations of Computer Science.

[82]  Daniel Wichs,et al.  Leveled Fully Homomorphic Signatures from Standard Lattices , 2015, IACR Cryptol. ePrint Arch..

[83]  Nigel P. Smart,et al.  Efficient Two-Move Blind Signatures in the Common Reference String Model , 2012, ISC.

[84]  Ryo Nishimaki,et al.  Designated Verifier/Prover and Preprocessing NIZKs from Diffie-Hellman Assumptions , 2019, IACR Cryptol. ePrint Arch..

[85]  Miklós Ajtai,et al.  Generating hard instances of lattice problems (extended abstract) , 1996, STOC '96.

[86]  Vinod Vaikuntanathan,et al.  Multiparty Computation with Low Communication, Computation and Interaction via Threshold FHE , 2012, EUROCRYPT.

[87]  Daniele Micciancio,et al.  Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to-Decision Reductions , 2011, CRYPTO.

[88]  Abhi Shelat,et al.  Computing on Authenticated Data , 2012, Journal of Cryptology.

[89]  Silvio Micali,et al.  How to play ANY mental game , 1987, STOC.

[90]  Daniel Wichs,et al.  Two Round Multiparty Computation via Multi-key FHE , 2016, EUROCRYPT.

[91]  Dan Boneh,et al.  Homomorphic Signatures for Polynomial Functions , 2011, EUROCRYPT.

[92]  Brent Waters,et al.  A Framework for Efficient and Composable Oblivious Transfer , 2008, CRYPTO.

[93]  Masayuki Abe,et al.  A framework for universally composable non-committing blind signatures , 2009, Int. J. Appl. Cryptogr..

[94]  Oded Goldreich Basing Non-Interactive Zero-Knowledge on (Enhanced) Trapdoor Permutations: The State of the Art , 2011, Studies in Complexity and Cryptography.

[95]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[96]  Chris Peikert,et al.  Generating Shorter Bases for Hard Random Lattices , 2009, Theory of Computing Systems.

[97]  Ivan Damgård,et al.  Non-Interactive Circuit Based Proofs and Non-Interactive Perfect Zero-knowledge with Proprocessing , 1992, EUROCRYPT.

[98]  Bogdan Warinschi,et al.  Homomorphic Signatures with Efficient Verification for Polynomial Functions , 2014, CRYPTO.

[99]  Markus Rückert,et al.  Lattice-based Blind Signatures , 2010, Algorithms and Number Theory.

[100]  Brent Waters,et al.  Homomorphic Encryption from Learning with Errors: Conceptually-Simpler, Asymptotically-Faster, Attribute-Based , 2013, CRYPTO.

[101]  Georg Fuchsbauer,et al.  Automorphic Signatures in Bilinear Groups and an Application to Round-Optimal Blind Signatures , 2009, IACR Cryptol. ePrint Arch..

[102]  Manuel Blum,et al.  How to Prove a Theorem So No One Else Can Claim It , 2010 .

[103]  Dan Boneh,et al.  Efficient Lattice (H)IBE in the Standard Model , 2010, EUROCRYPT.

[104]  Léo Ducas,et al.  Hash Proof Systems over Lattices Revisited , 2018, IACR Cryptol. ePrint Arch..

[105]  Alexandra Boldyreva,et al.  Efficient threshold signature, multisignature and blind signature schemes based on the Gap-Diffie-Hellman-Group signature scheme , 2002 .

[106]  Chris Peikert,et al.  Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller , 2012, IACR Cryptol. ePrint Arch..

[107]  Ran Canetti,et al.  Universally composable signature, certification, and authentication , 2004, Proceedings. 17th IEEE Computer Security Foundations Workshop, 2004..

[108]  Geoffroy Couteau,et al.  Efficient Designated-Verifier Non-Interactive Zero-Knowledge Proofs of Knowledge , 2018, IACR Cryptol. ePrint Arch..

[109]  Donald Beaver,et al.  Efficient Multiparty Protocols Using Circuit Randomization , 1991, CRYPTO.

[110]  Miklós Ajtai,et al.  Generating Hard Instances of Lattice Problems , 1996, Electron. Colloquium Comput. Complex..

[111]  Aggelos Kiayias,et al.  Concurrent Blind Signatures Without Random Oracles , 2006, SCN.

[112]  Yehuda Lindell,et al.  Universally composable two-party and multi-party secure computation , 2002, STOC '02.

[113]  Dhinakaran Vinayagamurthy,et al.  Riding on Asymmetry: Efficient ABE for Branching Programs , 2015, ASIACRYPT.

[114]  Vinod Vaikuntanathan,et al.  Lattice-based FHE as secure as PKE , 2014, IACR Cryptol. ePrint Arch..

[115]  Craig Gentry,et al.  Fully homomorphic encryption using ideal lattices , 2009, STOC '09.

[116]  Silvio Micali,et al.  How to Prove all NP-Statements in Zero-Knowledge, and a Methodology of Cryptographic Protocol Design , 1986, CRYPTO.

[117]  Ron Rothblum,et al.  Enhancements of Trapdoor Permutations , 2012, Journal of Cryptology.

[118]  Dan Boneh,et al.  Linearly Homomorphic Signatures over Binary Fields and New Tools for Lattice-Based Signatures , 2011, Public Key Cryptography.

[119]  Manuel Blum,et al.  Non-interactive zero-knowledge and its applications , 1988, STOC '88.

[120]  Yuval Ishai,et al.  Using Fully Homomorphic Hybrid Encryption to Minimize Non-interative Zero-Knowledge Proofs , 2015, Journal of Cryptology.

[121]  Reza Curtmola,et al.  Provable data possession at untrusted stores , 2007, CCS '07.

[122]  Brent Waters,et al.  How to use indistinguishability obfuscation: deniable encryption, and more , 2014, IACR Cryptol. ePrint Arch..

[123]  Jacques Stern,et al.  Security Proofs for Signature Schemes , 1996, EUROCRYPT.

[124]  Dario Fiore,et al.  Practical Homomorphic MACs for Arithmetic Circuits , 2013, IACR Cryptol. ePrint Arch..

[125]  Joe Kilian,et al.  An Efficient Noninteractive Zero-Knowledge Proof System for NP with General Assumptions , 1998, Journal of Cryptology.

[126]  Yael Tauman Kalai,et al.  From Obfuscation to the Security of Fiat-Shamir for Proofs , 2017, CRYPTO.

[127]  Jens Groth,et al.  Short Non-interactive Zero-Knowledge Proofs , 2010, ASIACRYPT.

[128]  Chanathip Namprempre,et al.  The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme , 2003, Journal of Cryptology.

[129]  Alfredo De Santis,et al.  Zero-knowledge proofs of knowledge without interaction , 1992, Proceedings., 33rd Annual Symposium on Foundations of Computer Science.

[130]  Ivan Damgård,et al.  Secret-Key Zero-Knowlegde and Non-interactive Verifiable Exponentiation , 2004, TCC.

[131]  Rafail Ostrovsky,et al.  Zero-Knowledge Proofs from Secure Multiparty Computation , 2009, SIAM J. Comput..

[132]  Georg Fuchsbauer,et al.  Structure-Preserving Signatures and Commitments to Group Elements , 2010, Journal of Cryptology.

[133]  Georg Fuchsbauer,et al.  Practical Round-Optimal Blind Signatures in the Standard Model from Weaker Assumptions , 2016, IACR Cryptol. ePrint Arch..

[134]  Anna Lysyanskaya,et al.  Anonymous credentials light , 2013, IACR Cryptol. ePrint Arch..

[135]  Rafail Ostrovsky,et al.  Perfect Non-Interactive Zero Knowledge for NP , 2006, IACR Cryptol. ePrint Arch..

[136]  Moti Yung,et al.  Certifying Cryptographic Tools: The Case of Trapdoor Permutations , 1992, CRYPTO.

[137]  Ivan Damgård,et al.  Multiparty Computation from Somewhat Homomorphic Encryption , 2012, IACR Cryptol. ePrint Arch..

[138]  Adi Shamir,et al.  Publicly Verifiable Non-Interactive Zero-Knowledge Proofs , 1990, CRYPTO.

[139]  Jacques Stern,et al.  Security Arguments for Digital Signatures and Blind Signatures , 2015, Journal of Cryptology.

[140]  Jonathan Katz,et al.  Secure Network Coding Over the Integers , 2010, IACR Cryptol. ePrint Arch..

[141]  Jan Camenisch,et al.  Efficient Blind Signatures Without Random Oracles , 2004, SCN.

[142]  Oded Goldreich,et al.  Definitions and properties of zero-knowledge proof systems , 1994, Journal of Cryptology.

[143]  Danna Zhou,et al.  d. , 1934, Microbial pathogenesis.