Algebraic Techniques for Short(er) Exact Lattice-Based Zero-Knowledge Proofs

A key component of many lattice-based protocols is a zero-knowledge proof of knowledge of a vector \(\vec {s}\) with small coefficients satisfying \(A\vec {s}=\vec {u}\bmod \,q\). While there exist fairly efficient proofs for a relaxed version of this equation which prove the knowledge of \(\vec {s}'\) and c satisfying \(A\vec {s}'=\vec {u}c\) where \(\Vert \vec {s}'\Vert \gg \Vert \vec {s}\Vert \) and c is some small element in the ring over which the proof is performed, the proofs for the exact version of the equation are considerably less practical. The best such proof technique is an adaptation of Stern’s protocol (Crypto ’93), for proving knowledge of nearby codewords, to larger moduli. The scheme is a \(\varSigma \)-protocol, each of whose iterations has soundness error \(2{/}3\), and thus requires over 200 repetitions to obtain soundness error of \(2^{-128}\), which is the main culprit behind the large size of the proofs produced.
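The two quantitative claims in the abstract (the exact versus relaxed relation, and the repetition count forced by a per-iteration soundness error of 2/3) can be checked on a toy instance. The following Python is an added worked example, not code from the paper or its authors. It assumes a plain instance over Z_q with integer vectors rather than a polynomial ring, treats the "small ring element" c as a small integer, and uses constructed parameters (q = 3329, an infinity-norm bound of 1 for the exact witness, a much larger bound for the relaxed one); those choices are illustrative only.

```python
# Added worked example for the abstract above; not code from the paper.
# Assumptions (not from the page): a toy instance over Z_q with integer vectors,
# the "small ring element" c modelled as a small integer, and the norm bounds below.
from fractions import Fraction
import random


def repetitions_for_soundness(per_round_error, target_bits):
    """Smallest n with per_round_error**n <= 2**(-target_bits).

    Exact rational arithmetic, so the count near the threshold is not
    distorted by floating-point rounding (e.g. 2/3 -> 219 for 128 bits).
    """
    eps = Fraction(per_round_error)
    if not 0 < eps < 1:
        raise ValueError("per-round soundness error must lie strictly between 0 and 1")
    target = Fraction(1, 2 ** target_bits)
    n, err = 0, Fraction(1)
    while err > target:
        err *= eps
        n += 1
    return n


def matvec_mod(A, s, q):
    """A * s over Z_q, with A given as a list of rows."""
    return [sum(a_ij * s_j for a_ij, s_j in zip(row, s)) % q for row in A]


def inf_norm(v):
    """Largest absolute coefficient; a 'small' vector has a small inf_norm."""
    return max(abs(x) for x in v)


def is_exact_witness(A, u, s, q, beta):
    """Exact relation from the abstract: A*s = u mod q with s small (inf_norm <= beta)."""
    return matvec_mod(A, s, q) == [x % q for x in u] and inf_norm(s) <= beta


def is_relaxed_witness(A, u, s_prime, c, q, beta_prime, c_bound):
    """Relaxed relation: A*s' = u*c mod q with s' bounded by beta' (beta' >> beta)
    and c a small nonzero multiplier."""
    target = [(c * x) % q for x in u]
    return (matvec_mod(A, s_prime, q) == target
            and inf_norm(s_prime) <= beta_prime
            and 0 < abs(c) <= c_bound)


def toy_instance(n=8, m=16, q=3329, seed=7):
    """Constructed sample instance: random A in Z_q^{n x m}, ternary secret s,
    and u = A*s mod q. The secret is forced to be nonzero so the norm
    comparison below is meaningful."""
    rng = random.Random(seed)
    A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    s = [rng.choice([-1, 0, 1]) for _ in range(m)]
    if not any(s):
        s[0] = 1
    u = matvec_mod(A, s, q)
    return A, s, u


def relaxed_from_exact(s, c):
    """Every exact witness s yields the relaxed witness s' = c*s, because
    A*(c*s) = c*u mod q. Its norm grows by |c|, which is why the relaxed
    statement is strictly weaker: the verifier learns only that some
    multiple of u has a moderately short preimage."""
    return [c * x for x in s]


if __name__ == "__main__":
    print("Stern-style, error 2/3, 128-bit target:",
          repetitions_for_soundness(Fraction(2, 3), 128))   # 219 repetitions
    print("error 1/2, 128-bit target:",
          repetitions_for_soundness(Fraction(1, 2), 128))   # 128 repetitions
    A, s, u = toy_instance()
    q, beta, beta_prime = 3329, 1, 64
    s_prime = relaxed_from_exact(s, 3)
    print("exact witness accepted:", is_exact_witness(A, u, s, q, beta))
    print("scaled witness accepted by relaxed check:",
          is_relaxed_witness(A, u, s_prime, 3, q, beta_prime, 8))
    print("scaled witness accepted by exact check:",
          is_exact_witness(A, u, s_prime, q, beta))
```

The repetition count is computed by iterating the exact fraction rather than evaluating 128 / log2(3/2) in floating point, since the real number is about 218.8 and a rounding error there would change the answer. The relaxed check is deliberately the weaker predicate: a witness that passes it need not pass the exact check, and recovering an exact witness from a relaxed one would require dividing s' by c over the integers, which is not possible in general.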

[1] Damien Stehlé et al. Improved Zero-Knowledge Proofs of Knowledge for the ISIS Problem, and Applications. Public Key Cryptography, 2013.

[2] Vadim Lyubashevsky. Fiat-Shamir with Aborts: Applications to Lattice and Factoring-Based Signatures. ASIACRYPT, 2009.

[3] Craig Gentry. Fully Homomorphic Encryption Using Ideal Lattices. STOC, 2009.

[4] Vadim Lyubashevsky et al. Short Discrete Log Proofs for FHE and Ring-LWE Ciphertexts. IACR Cryptology ePrint Archive, 2019.

[5] Dan Boneh et al. Bulletproofs: Short Proofs for Confidential Transactions and More. IEEE Symposium on Security and Privacy (SP), 2018.

[6] Jens Groth et al. Sub-Linear Lattice-Based Zero-Knowledge Arguments for Arithmetic Circuits. IACR Cryptology ePrint Archive, 2018.

[7] Huaxiong Wang et al. Constant-Size Group Signatures from Lattices. Public Key Cryptography, 2018.

[8] Man Ho Au et al. Efficient Lattice-Based Zero-Knowledge Arguments with Standard Soundness: Construction and Applications. IACR Cryptology ePrint Archive, 2019.

[9] Jacques Stern. A New Identification Scheme Based on Syndrome Decoding. CRYPTO, 1993.

[10] Xavier Boyen. Lattice Mixing and Vanishing Trapdoors: A Framework for Fully Secure Short Signatures and More. Public Key Cryptography, 2010.

[11] Ivan Damgård et al. More Efficient Commitments from Structured Lattice Assumptions. SCN, 2018.

[12] Jan Camenisch et al. Better Zero-Knowledge Proofs for Lattice Encryption and Their Application to Group Signatures. ASIACRYPT, 2014.

[13] Markulf Kohlweiss et al. One-Out-of-Many Proofs: Or How to Leak a Secret and Spend a Coin. EUROCRYPT, 2015.

[14] Chris Peikert et al. A Toolkit for Ring-LWE Cryptography. IACR Cryptology ePrint Archive, 2013.

[15] Wojciech Banaszczyk. New Bounds in Some Transference Theorems in the Geometry of Numbers. Mathematische Annalen, 1993.

[16] Jens Groth. A Verifiable Secret Shuffle of Homomorphic Encryptions. Journal of Cryptology, 2003.

[17] Vadim Lyubashevsky. Lattice Signatures Without Trapdoors. IACR Cryptology ePrint Archive, 2012.

[18] Jens Groth et al. Efficient Zero-Knowledge Arguments for Arithmetic Circuits in the Discrete Log Setting. EUROCRYPT, 2016.

[19] Vadim Lyubashevsky et al. Lattice-Based Group Signatures and Zero-Knowledge Proofs of Automorphism Stability. IACR Cryptology ePrint Archive, 2018.

[20] Ward Beullens. On Sigma Protocols with Helper for MQ and PKP, Fishy Signature Schemes and More. IACR Cryptology ePrint Archive, 2019.

[21] Carsten Baum et al. Concretely-Efficient Zero-Knowledge Arguments for Arithmetic Circuits and Their Application to Lattice-Based Cryptography. IACR Cryptology ePrint Archive, 2020.

[22] Keisuke Tanaka et al. Concurrently Secure Identification Schemes Based on the Worst-Case Hardness of Lattice Problems. ASIACRYPT, 2008.

[23] Léo Ducas et al. Improved Short Lattice Signatures in the Standard Model. CRYPTO, 2014.