Lattice-Based Zero-Knowledge Arguments for Integer Relations

Benoît Libert (1), San Ling (2), Khoa Nguyen (2), Huaxiong Wang (2)
(1) CNRS and ENS Lyon, France; (2) Nanyang Technological University, Singapore

CRYPTO 2018, 20 August 2018
Zero-Knowledge Proofs/Arguments for Integer Relations

We study the problem of proving in ZK and under standard lattice assumptions that large committed integers satisfy certain relations.

⋆ "Large": committed integers X, Y, Z are of bit-size L = poly(n).
⋆ "Relations":
  Addition: X + Y = Z over Z
  Multiplication: X · Y = Z over Z
  Range: X ∈ [α, β]
  Set non-membership: X ∉ SET, where SET is a public set.
⋆ "Assumptions": solutions from DL/strong-RSA, e.g.
  + and ×: Fujisaki-Okamoto (C'97), Damgård-Fujisaki (AC'02), Lipmaa (AC'03), Couteau et al. (EC'17)
  Range: Camenisch et al. (AC'08), González-Ràfols (ACNS'17)
  Set non-membership: Camenisch-Lysyanskaya (C'02), Nakanishi et al. (PKC'09), Bayer-Groth (EC'13)

Khoa Nguyen, Lattice-Based ZK for Integers, CRYPTO 2018, 2 / 15
In the Lattice Setting...

The considered problem is still open!

If we were to use known ZK proofs in ideal lattices to prove that X, Y, Z of bit-size L = poly(n) satisfy X + Y = Z over Z:
  Require to prove X + Y = Z mod q for a large modulus $q = 2^{\mathrm{poly}(n)}$.
  Each ring element (used in the commitment) would cost a thousand times L bits.
  Proving that X, Y are small w.r.t. q (i.e., no reduction mod q occurs) and proving the additive relation would cost k · L bits, where $k \approx 10^5$.
  Strong assumptions: at least sub-exponential approximation factors.
  Ensuring soundness is non-trivial.

Some limited forms of range proofs/arguments exist, e.g., $X \in [0, 2^m - 1]$. No efficient non-membership argument is known.
Our Results

Statistical ZK arguments for relations among committed integers, under mild assumptions in general (i.e., non-ideal) lattices. Integers of bit-size L = poly(n) are committed via the SIS-based commitment scheme by Kawachi-Tanaka-Xagawa (AC'08).
  ✓ Small modulus: $q = \widetilde{O}(L \cdot n)$.
  ✓ Weak assumption: $\mathrm{SIVP}_\gamma$ is hard for $\gamma = \widetilde{O}(L \cdot n)$.

⋆ Addition argument with communication cost $\zeta + 20L \cdot \kappa$, where ζ is the cost of proving openings and $\kappa = \omega(\log n)$ is the number of repetitions.
⋆ Range arguments with communication cost $\zeta + O(L) \cdot \kappa$, for ranges of size $2^L$.
⋆ Non-membership argument with communication cost $O(n \cdot \log |\mathrm{SET}|)$.
⋆ Multiplication arguments that can achieve sub-quadratic complexity $O(L^{1.585})$ in both computation and communication.
Outline

1. Background and Our Results
2. Our Ideas and Techniques
Binary Additions with Carries

Main idea: view integer additions as binary additions with carries, then prove in ZK that they are done correctly.

Suppose that we add two bits x and y with carry-in $c_{in}$ to obtain a bit z and carry-out $c_{out}$:

  x     | 0 0 0 0 1 1 1 1
  y     | 0 0 1 1 0 0 1 1
  c_in  | 0 1 0 1 0 1 0 1
  z     | 0 1 1 0 1 0 0 1
  c_out | 0 0 0 1 0 1 1 1

Then, the relations among these bits are captured by the equations
$z = x + y + c_{in} \bmod 2$,   $c_{out} = x \cdot y + z \cdot c_{in} + c_{in} \bmod 2$.
Additions of Committed Integers

Let $X = (x_{L-1}, \ldots, x_0)_2$, $Y = (y_{L-1}, \ldots, y_0)_2$, $Z = (z_L, z_{L-1}, \ldots, z_0)_2$. For $i \in [0, L-1]$, let $c_{i+1}$ be the carry-out of the i-th addition. We have:

$z_0 + x_0 + y_0 = 0 \bmod 2$,   $c_1 + x_0 \cdot y_0 = 0 \bmod 2$
$z_1 + x_1 + y_1 + c_1 = 0 \bmod 2$,   $c_2 + x_1 \cdot y_1 + z_1 \cdot c_1 + c_1 = 0 \bmod 2$
...
$z_{L-1} + x_{L-1} + y_{L-1} + c_{L-1} = 0 \bmod 2$,   $z_L + x_{L-1} \cdot y_{L-1} + z_{L-1} \cdot c_{L-1} + c_{L-1} = 0 \bmod 2$.

X, Y, Z are committed via [KTX-AC'08] → equations modulo q:
$a_0 \cdot x_0 + \ldots + a_{L-1} \cdot x_{L-1} + \sum_j b_j \cdot r_{1,j} = c_x \bmod q$;
$a_0 \cdot y_0 + \ldots + a_{L-1} \cdot y_{L-1} + \sum_j b_j \cdot r_{2,j} = c_y \bmod q$;
$a_0 \cdot z_0 + \ldots + a_L \cdot z_L + \sum_j b_j \cdot r_{3,j} = c_z \bmod q$.

Goal: prove in ZK that we know the secret bits $x_i, y_i, z_i, c_i, r_{k,j}$ such that all equations mod 2 and mod q hold ⇐ Stern-like techniques.
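The carry-chain equations above, written out as executable prover/verifier logic. This is an added example, not code from the paper or its authors: `addition_witness` plays the prover and derives the bits and carries for given X, Y, and `constraints_hold` plays the verifier checking the 2L equations mod 2 (with the final carry being the top bit $z_L$ and $c_0$ pinned to 0, as on the slide); the helper names are constructed here.

```python
# Added example (not from the paper): the slide's mod-2 carry-chain equations
# for Z = X + Y on L-bit integers, with prover-side witness and verifier-side check.

def to_bits(n, length):
    """Little-endian bits (n_0, ..., n_{length-1}) of n; constructed helper."""
    return [(n >> i) & 1 for i in range(length)]

def from_bits(bits):
    return sum(b << i for i, b in enumerate(bits))

def addition_witness(X, Y, L):
    """Prover: bits x, y (length L), z (length L+1) and carries c_0..c_{L-1}."""
    x, y = to_bits(X, L), to_bits(Y, L)
    z, c = [], [0]                      # c_0 = 0: no carry into position 0
    for i in range(L):
        z_i = (x[i] + y[i] + c[i]) % 2                  # sum bit
        c_out = (x[i] * y[i] + z_i * c[i] + c[i]) % 2   # carry-out (slide formula)
        z.append(z_i)
        c.append(c_out)
    z.append(c.pop())                   # the last carry c_L is the top bit z_L
    return x, y, z, c

def constraints_hold(x, y, z, c):
    """Verifier: the 2L equations mod 2; every term is a bit or a product of two bits."""
    L = len(x)
    if len(y) != L or len(z) != L + 1 or len(c) != L or c[0] != 0:
        return False
    for i in range(L):
        carry_out = z[L] if i == L - 1 else c[i + 1]     # c_L is z_L
        if (z[i] + x[i] + y[i] + c[i]) % 2 != 0:
            return False
        if (carry_out + x[i] * y[i] + z[i] * c[i] + c[i]) % 2 != 0:
            return False
    return True

def exhaustive_check(L):
    """All L-bit pairs: the honest witness passes and decodes to X + Y over Z,
    and flipping any single z bit (x, y, c fixed) breaks some equation."""
    for X in range(1 << L):
        for Y in range(1 << L):
            x, y, z, c = addition_witness(X, Y, L)
            if not constraints_hold(x, y, z, c) or from_bits(z) != X + Y:
                return False
            for k in range(L + 1):
                bad = z[:k] + [1 - z[k]] + z[k + 1:]
                if constraints_hold(x, y, bad, c):
                    return False
    return True
```

Because the equations are over bits, the only non-linear terms are the products $x_i \cdot y_i$ and $z_i \cdot c_i$, which is exactly what the product gadget on the later slides is for.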
Stern-like Zero-Knowledge Techniques

Stern (Crypto'93): ZK protocol for the Syndrome Decoding problem. Use random permutations to prove constraints on secret witnesses satisfying matrix-vector equations. Recently adapted to the lattice setting.

⋆ Handling secret bits [Libert, Ling, N, Wang - EC'16]:
For any $b \in \{0,1\}$, let $\bar b = 1 - b$ and $\mathrm{ext}_2(b) = (\bar b, b) \in \{0,1\}^2$. For any $c \in \{0,1\}$, define $P_c$ as the permutation transforming $v = (v_0, v_1) \in \mathbb{Z}^2$ into $P_c(v) = (v_c, v_{\bar c})$.

Observation: $v = \mathrm{ext}_2(b) \iff P_c(v) = \mathrm{ext}_2(b + c \bmod 2)$.   (1)

⇒ Proving knowledge of a secret bit b that may appear in several correlated equations.
Stern-like Zero-Knowledge Techniques (cont.)

⋆ Products of 2 secret bits [Libert, Ling, Mouhartem, N, Wang - AC'16]:
For any bits $b_1, b_2$, define $\mathrm{ext}_4(b_1, b_2) = (\bar b_1 \cdot \bar b_2,\ \bar b_1 \cdot b_2,\ b_1 \cdot \bar b_2,\ b_1 \cdot b_2) \in \{0,1\}^4$. For any bits $c_1, c_2$, define $T_{c_1,c_2}$ as the permutation transforming $v = (v_{0,0}, v_{0,1}, v_{1,0}, v_{1,1}) \in \mathbb{Z}^4$ into $T_{c_1,c_2}(v) = (v_{c_1,c_2},\ v_{c_1,\bar c_2},\ v_{\bar c_1,c_2},\ v_{\bar c_1,\bar c_2})$.

Observation: $v = \mathrm{ext}_4(b_1, b_2) \iff T_{c_1,c_2}(v) = \mathrm{ext}_4(b_1 + c_1 \bmod 2,\ b_2 + c_2 \bmod 2)$.   (2)

⇒ Proving knowledge of the product $b_1 \cdot b_2$ of secret bits, where $b_1, b_2$ may appear in other equations.
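The two extension/permutation gadgets of this slide and the previous one, as an added example (not code from the paper or its authors): $\mathrm{ext}_2$ with $P_c$ and $\mathrm{ext}_4$ with $T_{c_1,c_2}$ are implemented literally, observations (1) and (2) are checked exhaustively over all bits and all vectors in $\{0,1\}^2$ resp. $\{0,1\}^4$, and `revealed_vectors` shows why the gadget hides the bit: over a uniformly random mask c, the permuted vector the verifier sees has the same distribution for b = 0 and b = 1. Function names are constructed here.

```python
# Added example (not from the paper): the ext_2 / P_c and ext_4 / T_{c1,c2} gadgets.
from itertools import product

def ext2(b):
    """ext_2(b) = (1-b, b)."""
    return (1 - b, b)

def P(c, v):
    """P_c: (v_0, v_1) -> (v_c, v_{1-c}); swaps the coordinates iff c = 1."""
    return (v[c], v[1 - c])

def ext4(b1, b2):
    """ext_4(b1,b2) = (b̄1 b̄2, b̄1 b2, b1 b̄2, b1 b2); coordinate (i,j) sits at 2i + j."""
    return tuple((b1 if i else 1 - b1) * (b2 if j else 1 - b2)
                 for i, j in product((0, 1), repeat=2))

def T(c1, c2, v):
    """T_{c1,c2}: output coordinate (i,j) is v_{c1 xor i, c2 xor j}."""
    return tuple(v[2 * (c1 ^ i) + (c2 ^ j)] for i, j in product((0, 1), repeat=2))

def observation_1_holds():
    """(1): for all b, c and all v in {0,1}^2, v = ext_2(b) <=> P_c(v) = ext_2(b+c mod 2)."""
    for b, c in product((0, 1), repeat=2):
        for v in product((0, 1), repeat=2):
            if (v == ext2(b)) != (P(c, v) == ext2((b + c) % 2)):
                return False
    return True

def observation_2_holds():
    """(2): same equivalence for ext_4 and T_{c1,c2}, over all v in {0,1}^4."""
    for b1, b2, c1, c2 in product((0, 1), repeat=4):
        for v in product((0, 1), repeat=4):
            lhs = v == ext4(b1, b2)
            rhs = T(c1, c2, v) == ext4((b1 + c1) % 2, (b2 + c2) % 2)
            if lhs != rhs:
                return False
    return True

def revealed_vectors(b):
    """What a verifier sees, P_c(ext_2(b)), over both values of a one-time mask c:
    the same set whether b = 0 or b = 1, so well-formedness is shown without leaking b."""
    return {P(c, ext2(b)) for c in (0, 1)}

def revealed_products(b1, b2):
    """Same for the product gadget: T_{c1,c2}(ext_4(b1,b2)) over all masks c1, c2."""
    return {T(c1, c2, ext4(b1, b2)) for c1, c2 in product((0, 1), repeat=2)}
```

The "⇐" direction of both observations is what makes the permutations useful: since $P_c$ and $T_{c_1,c_2}$ are involutions, a permuted vector of the right shape forces the original to be a valid extension of a single bit (or bit product), which is the soundness half of the argument.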
Stern-like ZK Arguments for Integer Additions

⋆ Using the permuting techniques, we can prove that all the secrets in the equations mod 2 and mod q are well-formed:
  Bits $x_i, y_i, z_i, c_i, r_{k,j}$.
  Bit products $x_0 \cdot y_0,\ x_1 \cdot y_1,\ \ldots,\ x_{L-1} \cdot y_{L-1},\ z_1 \cdot c_1,\ \ldots,\ z_{L-1} \cdot c_{L-1}$.
⋆ To prove that the equations hold:
  1. Transform all equations into $M_2 \cdot s = 0 \bmod 2$ and $M_q \cdot t = c \bmod q$.
  2. Random masking with vectors over $\mathbb{Z}_2$ and $\mathbb{Z}_q$:
     $M_2 \cdot (s + r_s) = M_2 \cdot r_s \bmod 2$,
     $M_q \cdot (t + r_t) - c = M_q \cdot r_t \bmod q$.