Lattice-Based Zero-Knowledge and Applications, Vadim Lyubashevsky, IBM Research Zurich, Dec. 14, 2019 - PowerPoint PPT Presentation

  1. Lattice-Based Zero-Knowledge and Applications. Vadim Lyubashevsky, IBM Research – Zurich. Dec. 14, 2019

  2. In the discrete log world …
     g^x = h, where x is randomly chosen in Z_p for p ≈ 2^256.
     Given g and h, it's hard to find x. Based on this assumption, one can build all sorts of schemes.
     In many schemes, we want to prove, in zero-knowledge, that we know x.
     It's easy and efficient for discrete log, e.g. the Schnorr protocol.

  3. Schnorr Protocol
     Prover: (g, x); Verifier: (g, h)
     Prover: y ← Z_p, w := g^y, sends w
     Verifier: c ← Z_p, sends c
     Prover: z := xc + y, sends z
     Verifier checks: g^z = h^c · w
     Correctness: g^{xc+y} = g^{xc} · g^y = h^c · w

  4. Schnorr Protocol – Honest-Verifier Zero Knowledge
     Protocol as in slide 3: Prover (g, x) sends w := g^y for y ← Z_p; Verifier (g, h) sends c ← Z_p; Prover sends z := xc + y; Verifier checks g^z = h^c · w.
     Honest-Verifier Zero Knowledge: generate random c, z ← Z_p and set w := g^z / h^c.
     (w, c, z) has the same distribution as in the protocol.

  5. Schnorr Protocol – Proof of Knowledge
     Prover: (g, x); Extractor: (g, h)
     Prover sends w. A successful prover must be able to answer more than one distinct challenge:
     the extractor sends c ← Z_p and gets z with g^z = h^c · w, then rewinds, sends c' ← Z_p and gets z' with g^{z'} = h^{c'} · w.
     Proof of Knowledge: g^{z − z'} = h^{c − c'} ➔ g^{(z − z')/(c − c')} = h, so x = (z − z')/(c − c').

  6. In the lattice world …
     A · s = t mod q, where A is an n × m matrix over Z_q and s has small coefficients, e.g. in {0,1}.
     q is ≈ 2^12 (for encryption), ≈ 2^20 (for signatures), > 2^30 (for more complicated things, e.g. FHE).
     Given A, t, find s (with small coefficients) such that As = t.
     All lattice problems (e.g. LWE, SIS) look like this.

  7. Let's try the same ZK Proof
     Prover: (A, s); Verifier: (A, t)
     Prover: y ← Z_q^m, w := Ay, sends w
     Verifier: c ← Z_q, sends c
     Prover: z := sc + y, sends z
     Verifier checks: Az = tc + w
     Correctness: A(sc + y) = Asc + Ay = tc + w

  8. Let's try the same ZK Proof – Honest-Verifier Zero Knowledge
     Protocol as in slide 7: Prover (A, s) sends w := Ay for y ← Z_q^m; Verifier (A, t) sends c ← Z_q; Prover sends z := sc + y; Verifier checks Az = tc + w.
     Honest-Verifier Zero Knowledge: generate random c ← Z_q, z ← Z_q^m and set w := Az − tc.
     (w, c, z) has the same distribution as in the protocol.

  9. Let's try the same ZK Proof – Proof of Knowledge
     Prover: (A, s); Extractor: (A, t)
     Prover sends w. A successful prover must be able to answer more than one distinct challenge:
     the extractor sends c ← Z_q and gets z with Az = tc + w, then rewinds, sends c' ← Z_q and gets z' with Az' = tc' + w.
     Proof of Knowledge: A(z − z') = t(c − c') ➔ A · (z − z')/(c − c') = t, so (z − z')/(c − c') is an s with As = t.

  10. Many problems…
     Extraction as in slide 9: from Az = tc + w and Az' = tc' + w we get A(z − z') = t(c − c') ➔ A · (z − z')/(c − c') = t.
     NO! The challenge space is only q ≈ 2^20.
     And the extracted (z − z')/(c − c') is big: both z − z' and 1/(c − c') are arbitrary elements of Z_q. We wanted to prove knowledge of an s with small coefficients!

  11. Same ZK Proof
     Prover (A, s) sends w := Ay for y ← Z_q^m; Verifier (A, t) sends c ← Z_q; Prover sends z := sc + y; Verifier checks Az = tc + w.
     Problem: doesn't prove what we want – extracted s too big.
     Problem: soundness error only 2^-20 – challenge space too small.

  12. Make c and y small and repeat
     Prover: (A, s); Verifier: (A, t)
     Prover: y_1, …, y_k ← {0,1}^m, w_i := Ay_i, sends w_1, …, w_k
     Verifier: c_1, …, c_k ← {0,1}, sends c_1, …, c_k
     Prover: z_i := s c_i + y_i, sends z_1, …, z_k
     Verifier checks, for all i: A z_i = t c_i + w_i and coefficients of z_i are in {0,1,2}

  13. Looking at Extraction
     Prover: (A, s); Extractor: (A, t)
     Prover sends w_1, …, w_k. A successful prover must be able to answer more than one distinct challenge:
     the extractor sends c_1, …, c_k and gets z_1, …, z_k with A z_i = t c_i + w_i and coefficients of z_i in {0,1,2};
     it rewinds and sends c_1', …, c_k', getting z_1', …, z_k' with A z_i' = t c_i' + w_i and coefficients of z_i' in {0,1,2}.
     Pick an i with c_i ≠ c_i': then c_i − c_i' ∈ {−1, 1} and z_i − z_i' has coefficients in {−2,−1,0,1,2}.
     Proof of Knowledge: A(z_i − z_i') = t(c_i − c_i') ➔ A · (z_i − z_i')/(c_i − c_i') = t,
     and (z_i − z_i')/(c_i − c_i') has coefficients in {−2,−1,0,1,2}.

  14. Make c and y small
     Protocol as in slide 12: y_1, …, y_k ← {0,1}^m, w_i := Ay_i; c_1, …, c_k ← {0,1}; z_i := s c_i + y_i; for all i check A z_i = t c_i + w_i and coefficients of z_i in {0,1,2}.
     Good: proved knowledge of s with {−2,−1,0,1,2} coefficients satisfying As = t.
     Problem: have to repeat the protocol k = 128 – 256 times.
     Problem: and there is a bigger problem…

  15. Is it still zero-knowledge?
     Protocol as in slide 12: y_1, …, y_k ← {0,1}^m, w_i := Ay_i; c_1, …, c_k ← {0,1}; z_i := s c_i + y_i; for all i check A z_i = t c_i + w_i and coefficients of z_i in {0,1,2}.
     Honest-Verifier Zero Knowledge: generate random c_1, …, c_k ← {0,1}, z ← ??
     Problem: the distribution of z is not uniform – it depends on s.

  16. Insecurity of the Scheme
     Suppose that c = 1, then z = s·c + y = s + y coefficient-wise:
       s·c coefficients in {0,1}:          ? ? ? ? ? ? ? ? ? ?
     + y coefficients random in {0,1}:     ? ? ? ? ? ? ? ? ? ?
     = z coefficients:                     0 1 2 1 2 0 1 0 1 1

  17. Insecurity of the Scheme
     Suppose that c = 1, then z = s·c + y = s + y coefficient-wise:
       s·c = s coefficients in {0,1}:      0 ? 1 ? 1 0 ? 0 ? ?
     + y coefficients random in {0,1}:     0 ? 1 ? 1 0 ? 0 ? ?
     = z coefficients:                     0 1 2 1 2 0 1 0 1 1
     A z coefficient of 0 forces s = y = 0 and a z coefficient of 2 forces s = y = 1, so half of the coefficients of s are revealed by a single z.

  18. Maybe sample y from a bigger range?
     Suppose that c = 1, then z = s + y coefficient-wise:
       s·c = s coefficients in {0,1}:              ? ? ? ? ? ? ? ? ? ?
     + y coefficients random in {0,1,2,3,4,5}:     ? ? ? ? ? ? ? ? ? ?
     = z coefficients:                              0 4 2 3 6 5 0 2 4 1

  19. Maybe sample y from a bigger range?
       s·c = s coefficients in {0,1}:              0 ? ? ? 1 ? 0 ? ? ?
     + y coefficients random in {0,1,2,3,4,5}:     0 ? ? ? 5 ? 0 ? ? ?
     = z coefficients:                              0 4 2 3 6 5 0 2 4 1
     A z coefficient of 0 or 6 reveals the coefficient of s. But none of the other coefficients of s are revealed!

  20. Maybe sample y from a bigger range?
       s·c = s coefficients in {0,1}:          0   0/1  0/1  0/1   1   0/1   0   0/1  0/1  0/1
     + y coefficients random in {0,…,5}:       0   4/3  2/1  3/2   5   5/4   0   2/1  4/3  1/0
     = z coefficients:                         0    4    2    3    6    5    0    2    4    1
     (An entry u/v is the value if s = 0 / if s = 1 at that position.)
     Pr[z=4 | s=0] = Pr[y=4] = 1/6 and Pr[z=4 | s=1] = Pr[y=3] = 1/6.
     A z coefficient of 0 or 6 reveals the coefficient of s. But none of the other coefficients of s are revealed!

  21. Maybe sample y from a bigger range?
     For one coefficient with s ∈ {0,1} and y uniform in {0,…,5}:
       j:              0    1    2    3    4    5    6
       Pr[z=j | s=0]:  1/6  1/6  1/6  1/6  1/6  1/6  0
       Pr[z=j | s=1]:  0    1/6  1/6  1/6  1/6  1/6  1/6
     Coefficients 1, 2, 3, 4, 5 are equally likely to appear regardless of s, so let's only send z when all coefficients are in this range!

  22. In general
     Suppose s has coefficients in {0,…,a} and y is chosen randomly from {0,…,b−1}, b > a.
     For all a ≤ j < b, Pr_y[s + y = j] = 1/b (and there are b − a such j), so there is a 1 − a/b chance of keeping s a secret.

  23. Maybe sample y from a bigger range?
     Suppose that c = 1, then z = s + y coefficient-wise:
       s·c = s coefficients in {0,1}:              0 1 1 0 1 1 1 0 1 0
     + y coefficients random in {0,…,b−1}:         ? ? ? ? ? ? ? ? ? ?
     = z coefficients
     Pr[coefficient of z in {1,…,b−1}] = 1 − 1/b
     Pr[all coefficients of z in {1,…,b−1}] = (1 − 1/b)^m
     Pr[all coefficients of all z_i in {1,…,b−1}] = (1 − 1/b)^{mk}
     Set b = mk ➔ (1 − 1/b)^{mk} ≈ 1/e
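As an added worked example (not part of the slide deck), the per-coefficient leakage analysis of slides 16 to 23, done exactly with fractions for general a and b rather than only the {0,1} / {0,…,5} cases on the slides: which z values pin down a coefficient of s, which values are "safe", and the probability that a whole run of k responses survives the rejection step. The z vectors are the constructed ones from slides 16 and 18.

```python
from fractions import Fraction

def response_distribution(a, b):
    """Pr[z = j | s = sigma] for one coefficient: sigma in {0,…,a} fixed,
    y uniform in {0,…,b-1}, z = sigma + y (the c = 1 case of the slides)."""
    return {sig: {sig + y: Fraction(1, b) for y in range(b)} for sig in range(a + 1)}

def possible_secrets(j, a, b):
    """Values of sigma consistent with observing z = j: need 0 <= j - sigma <= b - 1."""
    return set(range(max(0, j - b + 1), min(a, j) + 1))

def leaked_positions(z, a, b):
    """Map index -> sigma for every coefficient of z that determines s uniquely."""
    return {i: next(iter(possible_secrets(j, a, b)))
            for i, j in enumerate(z) if len(possible_secrets(j, a, b)) == 1}

def safe_values(a, b):
    """z values whose probability is the same for every sigma (these are exactly a <= j < b)."""
    dist = response_distribution(a, b)
    js = {j for d in dist.values() for j in d}
    return sorted(j for j in js if len({dist[sig].get(j, Fraction(0)) for sig in dist}) == 1)

def keep_probability(a, b, m=1, k=1):
    """Pr[all m*k coefficients of all z_i land in the safe range] = (1 - a/b)^(m*k)."""
    return Fraction(b - a, b) ** (m * k)
```

With a = 1 and b = 6, `leaked_positions([0, 4, 2, 3, 6, 5, 0, 2, 4, 1], 1, 6)` recovers exactly the three coefficients shown on slide 19, and `keep_probability(1, m*k, m, k)` reproduces the ≈ 1/e of slide 23.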

  24. Make c and y small
     Prover: (A, s); Verifier: (A, t)
     Prover: y_1, …, y_k ← {0,…,mk}^m, w_i := Ay_i, sends w_1, …, w_k
     Verifier: c_1, …, c_k ← {0,1}, sends c_1, …, c_k
     Prover: z_i := s c_i + y_i. If any coefficient of any z_i is 0 or mk+1, abort (send ◊); otherwise send z_1, …, z_k
     Verifier checks, for all i: A z_i = t c_i + w_i and coefficients of z_i are in {0,…,mk}

  25. Extraction
     Prover: (A, s); Extractor: (A, t)
     Prover sends w_1, …, w_k. A successful prover must be able to answer more than one distinct challenge:
     the extractor sends c_1, …, c_k and gets z_1, …, z_k with A z_i = t c_i + w_i and coefficients of z_i in {0,…,mk};
     it rewinds and sends c_1', …, c_k', getting z_1', …, z_k' with A z_i' = t c_i' + w_i and coefficients of z_i' in {0,…,mk}.
     Pick an i with c_i ≠ c_i': then c_i − c_i' ∈ {−1, 1} and z_i − z_i' has coefficients in {−mk,…,mk}.
     Proof of Knowledge: A(z_i − z_i') = t(c_i − c_i') ➔ A · (z_i − z_i')/(c_i − c_i') = t,
     and (z_i − z_i')/(c_i − c_i') has coefficients in {−mk,…,mk}.
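As an added example (not code from the talk), the repeated binary-challenge protocol of slides 12 and 24 with the abort rule, and the rewinding extractor of slides 13 and 25, over plain integer vectors mod q. The instance (A, s, t), the dimensions and q = 257 are constructed for the demo; the extractor multiplies by c_i − c_i' ∈ {−1, 1} instead of dividing, which is the same thing.

```python
import random
def matvec(A, v, q):
    """A is an n×m integer matrix and v has length m; returns A·v mod q."""
    return [sum(a * b for a, b in zip(row, v)) % q for row in A]

def commit(A, q, m, k, rng):
    """Prover's first move: y_i ← {0,…,mk}^m and w_i := A·y_i for i = 1..k."""
    B = m * k
    ys = [[rng.randrange(B + 1) for _ in range(m)] for _ in range(k)]
    return ys, [matvec(A, y, q) for y in ys]

def respond(s, ys, cs, m, k):
    """z_i := s·c_i + y_i over the integers. Abort (return None, the slides' ◊)
    if any coefficient is 0 or mk+1: those two values would reveal a bit of s."""
    zs = [[sj * c + yj for sj, yj in zip(s, y)] for c, y in zip(cs, ys)]
    return None if any(coef in (0, m * k + 1) for z in zs for coef in z) else zs

def verify(A, t, q, m, k, ws, cs, zs):
    """Accept iff A·z_i = t·c_i + w_i mod q and every coefficient of z_i is in {0,…,mk}."""
    if zs is None:
        return False
    for w, c, z in zip(ws, cs, zs):
        if any(not 0 <= coef <= m * k for coef in z):
            return False
        if matvec(A, z, q) != [(ti * c + wi) % q for ti, wi in zip(t, w)]:
            return False
    return True

def extract(cs, zs, cs2, zs2):
    """Two accepting transcripts sharing w_1..w_k with c_i != c_i' for some i give
    s' = (z_i - z_i')/(c_i - c_i'); c_i - c_i' is ±1, so s' has coefficients in {-mk,…,mk}."""
    for i, (c, c2) in enumerate(zip(cs, cs2)):
        if c != c2:
            return [(a - b) * (c - c2) for a, b in zip(zs[i], zs2[i])]
    return None

def demo(seed=1, n=3, m=6, k=4, q=257):
    """Constructed instance: random A, binary s, t = A·s. Rewind the prover on one
    commitment with two challenge vectors until both runs accept, then extract."""
    rng = random.Random(seed)
    A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    s = [rng.randrange(2) for _ in range(m)]
    t = matvec(A, s, q)
    while True:
        ys, ws = commit(A, q, m, k, rng)
        cs, cs2 = [rng.randrange(2) for _ in range(k)], [rng.randrange(2) for _ in range(k)]
        zs, zs2 = respond(s, ys, cs, m, k), respond(s, ys, cs2, m, k)
        if cs != cs2 and verify(A, t, q, m, k, ws, cs, zs) and verify(A, t, q, m, k, ws, cs2, zs2):
            return s, extract(cs, zs, cs2, zs2), True
```

For an honest prover the extracted vector equals s exactly; the loop in `demo` is the rewinding, and it retries whenever the abort rule fires, which happens with roughly the 1 − 1/e frequency discussed on slide 23.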

  26. Small caveat
     Protocol as in slide 24: y_1, …, y_k ← {0,…,mk}^m, w_i := Ay_i; c_1, …, c_k ← {0,1}; z_i := s c_i + y_i, abort (send ◊) if any coefficient of any z_i is 0 or mk+1; for all i check A z_i = t c_i + w_i and coefficients of z_i in {0,…,mk}.
     Honest-Verifier Zero Knowledge: what is w_i when z_i = ◊? Can't simulate this, but it doesn't matter.

  27. In practice, w_i are not sent
     Prover: (A, s); Verifier: (A, t)
     Prover: y_1, …, y_k ← {0,…,mk}^m, w_i := Ay_i, sends r = H(w_1, …, w_k)
     Verifier: c_1, …, c_k ← {0,1}, sends c_1, …, c_k
     Prover: z_i := s c_i + y_i. If any coefficient of any z_i is 0 or mk+1, abort (send ◊); otherwise send z_1, …, z_k
     Verifier checks: H(A z_1 − t c_1, …, A z_k − t c_k) = r and, for all i, coefficients of z_i are in {0,…,mk}
     Honest-Verifier Zero Knowledge: what is w_i when z_i = ◊? Don't care, just send random r.

  28. The Protocol so far
     Protocol as in slide 27: y_1, …, y_k ← {0,…,mk}^m, w_i := Ay_i, r = H(w_1, …, w_k); c_1, …, c_k ← {0,1}; z_i := s c_i + y_i, abort (send ◊) if any coefficient of any z_i is 0 or mk+1; check H(A z_1 − t c_1, …, A z_k − t c_k) = r and coefficients of z_i in {0,…,mk}.
     Good: proved knowledge of s with {−mk,…,mk} coefficients satisfying As = t.
     Problem: have to repeat the protocol 128 – 256 times.

  29. Can this high-level idea be useful for anything practical?
     1. Proof size for 1 equation ≈ proof size for many equations (amortization with log growth)
     2. Working over polynomial rings instead of Z_q allows for "1-shot" approximate proofs (➔ digital signatures)
     3. More advanced ZK techniques allow for almost 1-shot exact proofs (i.e. prove that coefficients of s are in {0,1})

  30. Amortized Proofs
