Zero Knowledge Proofs from Ring-LWE. Xiang Xie, Rui Xue, Minqian Wang (Chinese Academy of Sciences). CANS 2013, Paraty.
Outline
1 ZKPs
2 Related Works
3 Our Results
4 Tools: Σ-Protocol; Learning with Errors over Rings; Commitment from RLWE
5 ZKP from RLWE: Proving Knowledge of a Valid Opening; Component-Wise Relations; Reducing Communication Complexity
2 / 26
Zero-Knowledge Proofs [GoldwasserMicaliRackoff'85]
The Prover, holding $(x, \omega) \in R$, sends a proof $\pi$ to the Verifier. $\pi$ reveals nothing except that the statement $x$ is true (that a witness $\omega$ exists). 3 / 26
Related Works on ZKPs
◮ Number-theoretic: [FeigeShamir'90], [CramerDamgård'98], [CramerDamgård'09], [GrothSahai'08] (pairing-based), etc.
◮ General: [IshaiKushilevitzOstrovskySahai'07] (from MPC).
◮ Lattice-based: [MicciancioVadhan'03], [KawachiTanakaXagawa'08], [AsharovJainLópez-AltTromerVaikuntanathanWichs'12], [Lyubashevsky'08], [Lyubashevsky'12], [LingNguyenStehléWang'13].
◮ LPN-based: [JainKrennPietrzakTentes'12]. 4 / 26
Our Results
◮ A commitment scheme from Ring Learning with Errors (RLWE).
◮ A ZKP that proves knowledge of the message hidden in our commitment scheme.
◮ Two ZKPs that prove component-wise relations between the messages in the commitment scheme. 5 / 26
Σ-Protocol
◮ Our ZKPs are essentially Σ-protocols (see [Damgård'04]).
[Figure: three-move Σ-protocol. Prover → Verifier: $t$; Verifier → Prover: $c \leftarrow C$; Prover → Verifier: $s$.] 6 / 26
Properties of a Σ-protocol:
◮ Completeness: the verifier $V$ accepts whenever $(x, \omega) \in R$.
◮ Special soundness: there exists a PPT extractor $\mathrm{Ext}$ such that $\omega' \leftarrow \mathrm{Ext}(\{(t, c, s_c) : c \in C\})$ satisfies $(x, \omega') \in R$.
◮ Special honest-verifier zero-knowledge: there exists a PPT simulator $S$ such that $(t_x, c, s_x) \leftarrow S(x, c)$ is indistinguishable from a real transcript $(t, c, s)$.
Note:
◮ A Σ-protocol can be extended to a ZKP for the same relation [Damgård'04], [DamgårdGoldreichOkamoto'95].
◮ Our soundness notion differs from the standard definition: $\mathrm{Ext}$ is given accepting transcripts $(t, c, s_c)$ for all $c \in C$ with the same first message $t$, not just two of them. Consequently the knowledge error of the resulting ZKP is $1 - 1/|C|$ instead of $1/|C|$ (i.e. $2/3$ per round for the challenge set $\{1, 2, 3\}$ used below), and the protocol is repeated to make it negligible. 7 / 26
Learning with Errors over Rings (RLWE)
◮ RLWE was introduced by Lyubashevsky, Peikert and Regev [LPR'10]. Let $R = \mathbb{Z}[X]/(X^d + 1)$, where $d = 2^k$ for some $k \ge 0$. For an integer $q$, let $R_q = R/qR$. The following two distributions are hard to distinguish:
$$(a_1,\ b_1 = a_1 \cdot s + e_1 \bmod q),\quad (a_2,\ b_2 = a_2 \cdot s + e_2 \bmod q),\quad \dots,\quad (a_m,\ b_m = a_m \cdot s + e_m \bmod q)$$
versus
$$(a_1, b_1),\quad (a_2, b_2),\quad \dots,\quad (a_m, b_m)\qquad \text{with all } a_i, b_i \leftarrow R_q \text{ uniform,}$$
where in the first distribution $a_i \leftarrow R_q$, $s \leftarrow R_q$, and $e_i \leftarrow \chi$ over $R$ with $\|e_i\|_\infty \le \beta \ll q$. 8 / 26
[LyubashevskyPeikertRegev'10] If there exists a PPT algorithm that solves the RLWE problem, then there exists a PPT quantum algorithm that solves some hard lattice problems (worst-case approximate SVP) on all $d$-dimensional ideal lattices in $R$. 9 / 26
Commitment from RLWE
The message space is $R_q^{\ell}$. Let $\chi$ be a $\beta$-bounded distribution over $R$.
◮ $\mathrm{KeyGen}(1^\lambda)$: sample $\mathbf{a}_1 \leftarrow R_q^{m}$ and $\mathbf{A}_2 \leftarrow R_q^{m \times \ell}$; output $\mathbf{A} = [\mathbf{a}_1 \mid \mathbf{A}_2] \in R_q^{m \times (\ell + 1)}$.
◮ $\mathrm{Com}(\mathbf{A}, \mathbf{m} \in R_q^{\ell})$: sample $s \leftarrow R_q$ and $\mathbf{e} \leftarrow \chi^m$; output $\mathbf{c} = \mathbf{A}[s \mid \mathbf{m}] + \mathbf{e} \in R_q^m$.
◮ $\mathrm{Ver}(\mathbf{A}, \mathbf{c}, (s, \mathbf{m}))$: accept iff $\|\mathbf{c} - \mathbf{A}[s \mid \mathbf{m}]\|_\infty \le \beta$.
Security:
◮ Computational hiding: $\mathbf{c} = \mathbf{A}[s \mid \mathbf{m}] + \mathbf{e} = (\mathbf{a}_1 \cdot s + \mathbf{e}) + \mathbf{A}_2 \mathbf{m}$. The term $\mathbf{a}_1 \cdot s + \mathbf{e}$ consists of $m$ RLWE samples with secret $s$ and is therefore pseudorandom; it masks $\mathbf{A}_2 \mathbf{m}$, so $\mathbf{c}$ is computationally independent of $\mathbf{m}$.
◮ Perfect binding (for all but a negligible fraction of keys): for uniformly random $\mathbf{A}$, $\Pr_{\mathbf{A}}[\exists\, \mathbf{x} \ne \mathbf{0} : \mathbf{y} = \mathbf{A}\mathbf{x},\ \|\mathbf{y}\|_\infty \le 2\beta] \le \mathrm{negl}(\lambda)$. Two valid openings $(s, \mathbf{m}) \ne (s', \mathbf{m}')$ of the same $\mathbf{c}$ would give $\mathbf{A}[s - s' \mid \mathbf{m} - \mathbf{m}']$ of infinity norm at most $2\beta$ by the triangle inequality, which such an $\mathbf{A}$ does not admit. 10 / 26
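The commitment scheme above as an added, runnable example (written for this edit, not the authors' code). It instantiates $R_q = \mathbb{Z}_{257}[X]/(X^8 + 1)$ with $m = 2$, $\ell = 1$, $\beta = 2$; these toy parameters are an assumption for illustration and far too small for security. `small_ring` samples from $\chi$ (uniform in $[-\beta, \beta]$ per coefficient, also an assumption), so `mat_vec` applied to `[s] + msg` plus `e` produces exactly the RLWE-shaped samples $\mathbf{a}_1 \cdot s + \mathbf{e}$ of the previous slide plus $\mathbf{A}_2 \mathbf{m}$. `commit` is Com, `verify` is Ver, and `demo` shows that the honest opening is accepted while the same $(\mathbf{c}, s)$ with a message differing in one coefficient is rejected, because $\mathbf{A}_2(\mathbf{m}' - \mathbf{m})$ is then a uniform ring vector rather than a short one.

```python
import random

# Toy parameters, chosen for this example (not from the slides): R_q = Z_q[X]/(X^d + 1)
# with d = 8, q = 257, m = 2 rows, ell = 1 message element, chi = uniform on [-beta, beta].
D, Q, M, ELL, BETA = 8, 257, 2, 1, 2
rng = random.Random(2013)  # seeded only so the demo is reproducible; use `secrets` in real code


def ring_mul(a, b):
    """Multiply two elements of R_q given as coefficient lists of length D (X^D = -1)."""
    res = [0] * D
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < D:
                res[k] = (res[k] + ai * bj) % Q
            else:                       # wrap-around: X^(D + t) = -X^t
                res[k - D] = (res[k - D] - ai * bj) % Q
    return res


def ring_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]


def ring_sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]


def centred(x):
    """Representative of x mod q in (-q/2, q/2], so that norms are meaningful."""
    return x - Q if x > Q // 2 else x


def inf_norm(vec):
    """Infinity norm of a vector of ring elements (max |coefficient| after centring)."""
    return max(abs(centred(coef)) for poly in vec for coef in poly)


def uniform_ring():
    return [rng.randrange(Q) for _ in range(D)]


def small_ring():
    """One sample from chi: every coefficient uniform in [-beta, beta], so ||e||_inf <= beta."""
    return [rng.randrange(-BETA, BETA + 1) % Q for _ in range(D)]


def mat_vec(A, x):
    """A is an M x n matrix of ring elements, x a vector of n ring elements; returns A x in R_q^M."""
    out = []
    for row in A:
        acc = [0] * D
        for a_ij, x_j in zip(row, x):
            acc = ring_add(acc, ring_mul(a_ij, x_j))
        out.append(acc)
    return out


def keygen():
    """KeyGen: A = [a_1 | A_2], every entry uniform in R_q."""
    return [[uniform_ring() for _ in range(1 + ELL)] for _ in range(M)]


def commit(A, msg):
    """Com(A, m): c = A [s | m] + e with s uniform and e <- chi^M. Returns c and the opening (s, e)."""
    s = uniform_ring()
    e = [small_ring() for _ in range(M)]
    c = [ring_add(ci, ei) for ci, ei in zip(mat_vec(A, [s] + msg), e)]
    return c, (s, e)


def verify(A, c, s, msg):
    """Ver(A, c, (s, m)): accept iff ||c - A [s | m]||_inf <= beta (e is recomputed, never sent)."""
    residual = [ring_sub(ci, ai) for ci, ai in zip(c, mat_vec(A, [s] + msg))]
    return inf_norm(residual) <= BETA


def demo():
    """Honest opening verifies; the same (c, s) with the message changed in one coefficient does not."""
    A = keygen()
    msg = [uniform_ring() for _ in range(ELL)]
    c, (s, e) = commit(A, msg)
    honest = verify(A, c, s, msg)
    forged = [list(msg[0])] + msg[1:]
    forged[0][0] = (forged[0][0] + 1) % Q      # A_2 (m' - m) is a uniform column of A_2, not short
    return honest, verify(A, c, s, forged)


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The residual in `verify` is $\mathbf{c} - \mathbf{A}[s \mid \mathbf{m}]$, which equals $\mathbf{e}$ for an honest opening; the norm check is done on centred representatives, since reducing mod $q$ into $[0, q)$ would make $-1$ look like $q - 1$.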
Proving Knowledge of a Valid Opening
Relation: $R_{\mathrm{RLWE}} = \{((\mathbf{A}, \mathbf{c}), (s, \mathbf{m}, \mathbf{e})) : \mathbf{c} = \mathbf{A}(s \| \mathbf{m}) + \mathbf{e} \bmod q \ \wedge\ \|\mathbf{e}\|_\infty \le \beta\}$.
◮ We extend Stern's ZKP for the syndrome decoding problem, similarly to [JainKrennPietrzakTentes'12] and [LingNguyenStehléWang'13].
◮ The challenge set is $C = \{1, 2, 3\}$. The first two kinds of opening prove that $\mathbf{A}, \mathbf{c}$ satisfy $\mathbf{c} = \mathbf{A}[s \mid \mathbf{m}] + \mathbf{e}$ for some $\mathbf{e}$.
◮ Obstacle: how to prove that $\mathbf{e}$ is "short" without revealing anything else about it? 11 / 26
◮ If $\mathbf{e} \in \{0, 1\}^m$ and $\|\mathbf{e}\|_1 = \beta$: the prover sends $\pi(\mathbf{e})$ for a uniformly random permutation $\pi$. $\pi(\mathbf{e})$ reveals only the Hamming weight of $\mathbf{e}$, which is already public.
◮ If $\mathbf{e} \in \{0, 1\}^m$ and $\|\mathbf{e}\|_1 \le \beta$: extend $\mathbf{e}$ to $\mathbf{e}' \in \{0, 1\}^{m + \beta}$ by appending $\beta$ padding entries, $\beta - \|\mathbf{e}\|_1$ of them ones and the rest zeros, so that $\|\mathbf{e}'\|_1 = \beta$ exactly. The prover sends $\pi(\mathbf{e}')$ for a random permutation $\pi$ of the $m + \beta$ positions. [Figure: $\mathbf{e}'$ drawn as the $m$ original entries followed by $\beta$ padding entries.] 12 / 26
◮ If $\mathbf{e} \in \mathbb{Z}^m$ and $\|\mathbf{e}\|_\infty \le \beta$: decompose $\mathbf{e}$ into signed binary digits,
$$\mathbf{e} = \sum_{i=0}^{k-1} 2^i \cdot \tilde{\mathbf{e}}_i,\qquad k = \lfloor \log_2 \beta \rfloor + 1,\qquad \tilde{\mathbf{e}}_i \in \{-1, 0, 1\}^m .$$
Extend each $\tilde{\mathbf{e}}_i \in \{-1, 0, 1\}^m$ to $\mathbf{e}_i \in \{-1, 0, 1\}^{3m}$ by appending $2m$ padding entries chosen so that $\mathbf{e}_i$ contains exactly $m$ entries equal to $-1$, $m$ equal to $0$ and $m$ equal to $1$. The prover sends $\pi_i(\mathbf{e}_i)$ for independent random permutations $\pi_i$; each reveals only this fixed multiset. [Figure: $\mathbf{e}_i$ drawn as the $m$ original entries followed by $2m$ padding entries, with $\#\{-1\} = m$, $\#\{0\} = m$, $\#\{1\} = m$.] 13 / 26
◮ If $\mathbf{e} \in R^m$ and $\|\mathbf{e}\|_\infty \le \beta$: view $\mathbf{e}$ as a vector in $\mathbb{Z}^{dm}$ via the coefficient representation, then proceed exactly as above. 14 / 26
Basic ZKP
Relation: $R_{\mathrm{RLWE}} = \{((\mathbf{A}, \mathbf{c}), (s, \mathbf{m}, \mathbf{e})) : \mathbf{c} = \mathbf{A}(s \| \mathbf{m}) + \mathbf{e} \bmod q \ \wedge\ \|\mathbf{e}\|_\infty \le \beta\}$.
◮ The prover first decomposes $\mathbf{e} \in R^m$ into $\mathbf{e}_0, \dots, \mathbf{e}_{k-1} \in R^{3m}$ by the method above.
◮ Define the matrix $\hat{\mathbf{I}} = [\mathbf{I}_m \mid \mathbf{0}_m \mid \mathbf{0}_m] \in R^{m \times 3m}$, which selects the first $m$ entries and discards the padding. Note that
$$\mathbf{c} = \mathbf{A}(s \| \mathbf{m}) + \mathbf{e} \iff \mathbf{c} = \mathbf{A}(s \| \mathbf{m}) + \hat{\mathbf{I}}\Big(\sum_{i=0}^{k-1} 2^i \cdot \mathbf{e}_i\Big). $$ 15 / 26
◮ The prover samples $(\mathbf{r}_0, \dots, \mathbf{r}_{k-1}) \leftarrow (R_q^{3m})^k$, $\mathbf{v} \leftarrow R_q^{1 + \ell}$ and $k$ random permutations $(\pi_0, \dots, \pi_{k-1})$, and sends
$$C_1 = \mathrm{Com}\Big(\{\pi_i\}_{i=0}^{k-1},\ \mathbf{t}_1 = \mathbf{A}\mathbf{v} + \hat{\mathbf{I}}\Big(\sum_{i=0}^{k-1} 2^i \cdot \mathbf{r}_i\Big)\Big),\qquad C_2 = \mathrm{Com}\big(\{\mathbf{t}_{2,i} = \pi_i(\mathbf{r}_i)\}_{i=0}^{k-1}\big),\qquad C_3 = \mathrm{Com}\big(\{\mathbf{t}_{3,i} = \pi_i(\mathbf{r}_i + \mathbf{e}_i)\}_{i=0}^{k-1}\big).$$
◮ The verifier chooses $Ch \leftarrow \{1, 2, 3\}$ and sends it to the prover.
◮ According to $Ch$, the prover opens two of the three commitments: $Ch = 1$: open $C_1, C_2$; $Ch = 2$: open $C_1, C_3$; $Ch = 3$: open $C_2, C_3$. Opening $C_2$ and $C_3$ together lets the verifier check that $\pi_i(\mathbf{r}_i + \mathbf{e}_i) - \pi_i(\mathbf{r}_i) = \pi_i(\mathbf{e}_i)$ has exactly $m$ entries equal to each of $-1, 0, 1$, which is the shortness check; the openings involving $C_1$ check the linear relation. 16 / 26
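The digit decomposition and padding of slides 12 to 14 and the three-move protocol of slide 16, as one added, runnable example (written for this edit, not the authors' code). It works over $\mathbb{Z}_q$ with an integer matrix $\mathbf{A}$ rather than over $R_q$; this is what the coefficient representation of slide 14 reduces an $R_q$ relation to, since multiplication by a fixed ring element is $\mathbb{Z}_q$-linear, but the tiny dimensions $q = 257$, $n = 3$, $m = 4$, $\beta = 3$ are an assumption for illustration, not a parameter set from the paper. Com is replaced by a hash-based commitment, also an assumption. `decompose` and `extend` produce the $\mathbf{e}_i$, `i_hat` applies $\hat{\mathbf{I}}$, `prover_commit`, `prover_respond` and `verify` are the three moves, and `run(ch)` executes one round for challenge `ch`. `run(ch, cheat=True)` uses a prover who does not know $(s \| \mathbf{m})$: it can still answer challenges 1 and 3 but not 2, which is the $2/3$ knowledge error per round.

```python
import hashlib
import random

# Toy instance, an assumption of this example rather than a parameter set from the slides: the
# relation c = A x + e mod q is taken over Z_q with an integer matrix A. Via the coefficient
# representation (slide 14), an R_q relation has exactly this shape with a larger matrix.
Q, N, M, BETA = 257, 3, 4, 3
K = BETA.bit_length()            # k = floor(log2 beta) + 1 signed binary digits
rng = random.Random(2013)        # seeded for a reproducible demo only; use `secrets` for real

def centre(x): return x - Q if x > Q // 2 else x
def matvec(A, x): return [sum(a * b for a, b in zip(row, x)) % Q for row in A]
def vadd(u, v): return [(a + b) % Q for a, b in zip(u, v)]
def perm(p, v): return [v[j] for j in p]

def decompose(e):
    """e in Z^M with |e_j| <= beta -> K vectors in {-1,0,1}^M with e = sum_i 2^i * tilde_e_i."""
    return [[(1 if x > 0 else -1) * ((abs(x) >> i) & 1) for x in e] for i in range(K)]

def extend(t):
    """Pad t in {-1,0,1}^M to e_i in {-1,0,1}^{3M} holding exactly M copies of each value."""
    return t + [-1] * (M - t.count(-1)) + [0] * (M - t.count(0)) + [1] * (M - t.count(1))

def balanced(v):
    """What a permuted e_i must look like: 3M entries, M of each of -1, 0, 1 (all that is leaked)."""
    return len(v) == 3 * M and all(v.count(x) == M for x in (-1, 0, 1))

def i_hat(vs):
    """I_hat * sum_i 2^i v_i: keep only the first M coordinates of the recombined digit vectors."""
    return [sum((2 ** i) * vs[i][j] for i in range(K)) % Q for j in range(M)]

def com(obj):
    """Hash-based stand-in for the auxiliary commitment Com; returns (commitment, (randomness, obj))."""
    rho = rng.getrandbits(256).to_bytes(32, "big")
    return hashlib.sha256(rho + repr(obj).encode()).hexdigest(), (rho, obj)

def com_ok(cm, rho, obj):
    return hashlib.sha256(rho + repr(obj).encode()).hexdigest() == cm

def prover_commit(A, e):
    """Round 1: C1 = Com(pi, t1), C2 = Com(pi_i(r_i)), C3 = Com(pi_i(r_i + e_i))."""
    es = [extend(t) for t in decompose(e)]
    rs = [[rng.randrange(Q) for _ in range(3 * M)] for _ in range(K)]
    v = [rng.randrange(Q) for _ in range(N)]
    pis = [rng.sample(range(3 * M), 3 * M) for _ in range(K)]
    t1 = vadd(matvec(A, v), i_hat(rs))
    C1, o1 = com((pis, t1))
    C2, o2 = com([perm(p, r) for p, r in zip(pis, rs)])
    C3, o3 = com([perm(p, vadd(r, ei)) for p, r, ei in zip(pis, rs, es)])
    return (C1, C2, C3), dict(es=es, rs=rs, v=v, pis=pis, o=(o1, o2, o3))

def prover_respond(st, ch, x):
    """Round 3: open the two commitments selected by ch in {1, 2, 3}; x is the claimed (s | m)."""
    o1, o2, o3 = st["o"]
    if ch == 1:   # open C1, C2: reveal v, r_i, pi_i (independent of x and e)
        return dict(pis=st["pis"], v=st["v"], rs=st["rs"], rho1=o1[0], rho2=o2[0])
    if ch == 2:   # open C1, C3: reveal v + x and r_i + e_i, each masked by a uniform value
        zs = [vadd(r, ei) for r, ei in zip(st["rs"], st["es"])]
        return dict(pis=st["pis"], w=vadd(st["v"], x), zs=zs, rho1=o1[0], rho3=o3[0])
    return dict(ys=o2[1], yps=o3[1], rho2=o2[0], rho3=o3[0])   # open C2, C3: permuted vectors only

def verify(A, c, cms, ch, rsp):
    C1, C2, C3 = cms
    if ch == 1:   # t1 recomputed from v, r_i must match C1; pi_i(r_i) must match C2
        t1 = vadd(matvec(A, rsp["v"]), i_hat(rsp["rs"]))
        ys = [perm(p, r) for p, r in zip(rsp["pis"], rsp["rs"])]
        return com_ok(C1, rsp["rho1"], (rsp["pis"], t1)) and com_ok(C2, rsp["rho2"], ys)
    if ch == 2:   # A(v+x) + I_hat sum 2^i (r_i+e_i) - c = A v + I_hat sum 2^i r_i = t1 iff c = A x + e
        t1 = [(a - b) % Q for a, b in zip(vadd(matvec(A, rsp["w"]), i_hat(rsp["zs"])), c)]
        yps = [perm(p, z) for p, z in zip(rsp["pis"], rsp["zs"])]
        return com_ok(C1, rsp["rho1"], (rsp["pis"], t1)) and com_ok(C3, rsp["rho3"], yps)
    # ch == 3: pi_i(r_i + e_i) - pi_i(r_i) = pi_i(e_i) must be a balanced {-1,0,1} vector
    diffs = [[centre((b - a) % Q) for a, b in zip(y, yp)] for y, yp in zip(rsp["ys"], rsp["yps"])]
    return (com_ok(C2, rsp["rho2"], rsp["ys"]) and com_ok(C3, rsp["rho3"], rsp["yps"])
            and all(balanced(d) for d in diffs))

def run(ch, cheat=False):
    """One round on a fresh instance; with cheat=True the prover claims a wrong x (no valid opening)."""
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    x = [rng.randrange(Q) for _ in range(N)]
    e = [rng.randrange(-BETA, BETA + 1) for _ in range(M)]
    c = vadd(matvec(A, x), e)
    cms, st = prover_commit(A, e)
    claimed = [(x[0] + 1) % Q] + x[1:] if cheat else x
    return verify(A, c, cms, ch, prover_respond(st, ch, claimed))

if __name__ == "__main__":
    print([run(ch) for ch in (1, 2, 3)], [run(ch, cheat=True) for ch in (1, 2, 3)])
```

Challenge 3 is the only one that touches $\mathbf{e}$ directly, and it sees it only through $\pi_i(\mathbf{e}_i)$, whose multiset is fixed by construction; challenge 2 sees $\mathbf{v} + (s \| \mathbf{m})$ and $\mathbf{r}_i + \mathbf{e}_i$, both uniform. A cheating prover who does not hold an opening fails challenge 2 because the recomputed $\mathbf{t}_1$ no longer matches $C_1$, so each round catches such a prover with probability $1/3$ and the protocol has to be repeated.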