Compact Privacy Protocols from Post-quantum and Timed Classical Assumptions

  • Conference paper
  • Post-Quantum Cryptography (PQCrypto 2020)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12100)

Abstract

While basic lattice-based primitives like encryption and digital signature schemes are already fairly short, more advanced privacy-preserving protocols (e.g. group signatures) that are believed to be post-quantum secure have outputs of at least several hundred kilobytes. In this paper, we propose a framework for building privacy protocols with significantly smaller parameter sizes whose secrecy is based on post-quantum assumptions, but soundness additionally assumes that some classical assumption, e.g., the discrete logarithm problem (DLP), is hard to break within a short amount of time.

The main ingredients of our constructions are statistical zero-knowledge proofs of knowledge for certain relations, whose soundness relies on the hardness of solving the discrete logarithm problem for a fresh DLP instance per proof. This notion has recently been described by the term quantum annoyance. Using such proofs, while also enforcing that they be completed in a fixed amount of time, we then show how to construct privacy-preserving primitives such as (dynamic) group signatures and DAA schemes, where soundness is based on the hardness of the “timed” discrete logarithm problem and SIS. The outputs of our schemes are significantly shorter (\({\approx }30\times \)) than purely lattice-based schemes.

A. Lehmann: work done while at IBM Research – Zurich.

Notes

  1. If the user wants to sign a message, the interactive authentication protocol is transformed into a non-interactive one via the Fiat-Shamir framework, and the message is used to create the challenge.

  2. We will use multiplicative notation for discrete log.

  3. A shifted lattice is a lattice shifted by some vector v. Note that a shifted lattice does not have the property that the sum of any two vectors is in the shifted lattice.

References

  1. STARK-friendly hash challenge (2019). https://starkware.co/hash-challenge/

  2. Albrecht, M.R., et al.: Feistel structures for MPC, and more. Cryptology ePrint Archive, Report 2019/397 (2019). https://eprint.iacr.org/2019/397

  3. Albrecht, M., Grassi, L., Rechberger, C., Roy, A., Tiessen, T.: MiMC: efficient encryption and cryptographic hashing with minimal multiplicative complexity. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 191–219. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_7

  4. Aly, A., Ashur, T., Ben-Sasson, E., Dhooghe, S., Szepieniec, A.: Design of symmetric-key primitives for advanced cryptographic protocols. Cryptology ePrint Archive, Report 2019/426 (2019). https://eprint.iacr.org/2019/426

  5. Bellare, M., Micciancio, D., Warinschi, B.: Foundations of group signatures: formal definitions, simplified requirements, and a construction based on general assumptions. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 614–629. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_38

  6. Bellare, M., Shi, H., Zhang, C.: Foundations of group signatures: the case of dynamic groups. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 136–153. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30574-3_11

  7. Ben-Sasson, E.: Stark-friendly hash (2019). https://medium.com/starkware/stark-friendly-hash-tire-kicking-8087e8d9a246

  8. Benhamouda, F., Camenisch, J., Krenn, S., Lyubashevsky, V., Neven, G.: Better zero-knowledge proofs for lattice encryption and their application to group signatures. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 551–572. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_29

  9. Bernstein, D.J., Chuengsatiansup, C., Lange, T., van Vredendaal, C.: NTRU prime: reducing attack surface at low cost. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 235–260. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-72565-9_12

  10. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_11

  11. Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_3

  12. Bootle, J., Cerulli, A., Chaidos, P., Groth, J., Petit, C.: Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 327–357. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_12

  13. Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: IEEE Symposium on Security and Privacy, SP, pp. 315–334 (2018)

  14. Camenisch, J., Lysyanskaya, A.: A signature scheme with efficient protocols. In: Cimato, S., Persiano, G., Galdi, C. (eds.) SCN 2002. LNCS, vol. 2576, pp. 268–289. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36413-7_20

  15. Chaabouni, R., Lipmaa, H., Shelat, A.: Additive combinatorics and discrete logarithm based range protocols. In: Steinfeld, R., Hawkes, P. (eds.) ACISP 2010. LNCS, vol. 6168, pp. 336–351. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14081-5_21

  16. del Pino, R., Lyubashevsky, V., Seiler, G.: Lattice-based group signatures and zero-knowledge proofs of automorphism stability. In: CCS, pp. 574–591 (2018)

  17. del Pino, R., Lyubashevsky, V., Seiler, G.: Short discrete log proofs for FHE and ring-LWE ciphertexts. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11442, pp. 344–373. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17253-4_12

  18. Derler, D., Slamanig, D.: Highly-efficient fully-anonymous dynamic group signatures. In: AsiaCCS, pp. 551–565 (2018)

  19. Ducas, L., Lyubashevsky, V., Prest, T.: Efficient identity-based encryption over NTRU lattices. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 22–41. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_2

  20. Ducas, L., Prest, T.: Fast Fourier orthogonalization. In: ISSAC, pp. 191–198 (2016)

  21. Esgin, M.F., Zhao, R.K., Steinfeld, R., Liu, J.K., Liu, D.: MatRiCT: efficient, scalable and post-quantum blockchain confidential transactions protocol. In: CCS, pp. 567–584. ACM (2019)

  22. De Feo, L., Masson, S., Petit, C., Sanso, A.: Verifiable delay functions from supersingular isogenies and pairings. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 248–277. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_10

  23. Fowler, A.G., Mariantoni, M., Martinis, J.M., Cleland, A.N.: Surface codes: towards practical large-scale quantum computation. Phys. Rev. A 86, 032324 (2012)

  24. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC, pp. 197–206 (2008)

  25. Gidney, C.: Why will quantum computers be slow? (2018). http://algassert.com/post/1800. Accessed 22 Feb 2020

  26. Grassi, L., Kales, D., Khovratovich, D., Roy, A., Rechberger, C., Schofnegger, M.: Starkad and Poseidon: new hash functions for zero knowledge proof systems. Cryptology ePrint Archive, Report 2019/458 (2019). https://eprint.iacr.org/2019/458

  27. Hoffstein, J., Howgrave-Graham, N., Pipher, J., Silverman, J.H., Whyte, W.: NTRUSign: digital signatures using the NTRU lattice. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 122–140. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36563-X_9

  28. Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054868

  29. Lekitsch, B., et al.: Blueprint for a microwave trapped ion quantum computer. Sci. Adv. 3(2), e1601540 (2017)

  30. Ling, S., Nguyen, K., Stehlé, D., Wang, H.: Improved zero-knowledge proofs of knowledge for the ISIS problem, and applications. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 107–124. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_8

  31. Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_43

  32. Lyubashevsky, V., Micciancio, D.: Generalized compact knapsacks are collision resistant. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006, Part II. LNCS, vol. 4052, pp. 144–155. Springer, Heidelberg (2006). https://doi.org/10.1007/11787006_13

  33. Peikert, C., Rosen, A.: Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 145–166. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_8

  34. Pointcheval, D., Sanders, O.: Short randomizable signatures. In: Sako, K. (ed.) CT-RSA 2016. LNCS, vol. 9610, pp. 111–126. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29485-8_7

  35. Prest, T., et al.: FALCON. Technical report, National Institute of Standards and Technology (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions

  36. Schanck, J.M.: Security estimator for lattice based cryptosystems (2019). https://github.com/jschanck/estimator

  37. Stern, J.: A new identification scheme based on syndrome decoding. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 13–21. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_2

Acknowledgements

This work was supported by the SNSF ERC starting transfer grant FELICITY and the EU Horizon 2020 project FutureTPM (No. 779391).

Author information

Correspondence to Jonathan Bootle, Anja Lehmann, Vadim Lyubashevsky or Gregor Seiler.

Appendices

A Lattice-Based ZKP for Relation 6

Below we provide the prover and verifier algorithms for relation 6 adapted from [8].

If \(R_q=\mathbb {Z}_q[X]/(X^d+1)\), then we define the set \(\mathcal {M}=\{0,\pm x^i : 0\le i<d\}\). The size of \(\mathcal {M}\) is \(2d+1\). We also define a parameter \(\lambda \) which controls the soundness error of the proof. The soundness error will be \(|\mathcal {M}|^{-\lambda }=(2d+1)^{-\lambda }\). For example, if \(d=2048\), then \(|\mathcal {M}|>2^{12}\), so to get the soundness error below \(2^{-128}\) it suffices to set \(\lambda =11\).

[Algorithm 7 (prover) and Algorithm 8 (verifier) for relation 6: figures not reproduced on this page.]

The proof in Algorithm 7 uses Gaussian-based rejection sampling; it can be shown to be zero-knowledge, and to require 3 iterations on average, using [31, Theorem 4.6]. If \(|\mathcal {M}|^\lambda >2^{128}\), then a prover succeeding with probability greater than \({\approx }2^{-128}\) can be rewound to produce two accepting transcripts with the same first message and distinct challenges \(c_i\ne c_i'\in \mathcal {M}\), i.e. \(\varvec{A}\varvec{z}_i = \varvec{w}_i+c_i\varvec{t}\) and \(\varvec{A}\varvec{z}_i' = \varvec{w}_i+c_i'\varvec{t}\). These can be combined to form the solution

$$\begin{aligned} \varvec{A}(\varvec{z}_i-\varvec{z}_i')/(c_i-c_i') = \varvec{t}. \end{aligned}$$

By [8, Lemma 3.1], we know that for distinct non-zero \(c_i, c_i'\in \mathcal {M}\), the quotient \(2/(c_i-c_i')\) is a polynomial with coefficients in \(\{-1,0,1\}\) and therefore has \(\ell _2\)-norm at most \(\sqrt{d}\). (If one of the two challenges is 0, the quotient is a single monomial with coefficient \(\pm 2\), since \(2/x^i = -2x^{d-i}\) in \(R_q\); its norm 2 is again at most \(\sqrt{d}\).) Multiplying the equation above by 2 therefore yields a short \(\bar{\varvec{s}}=(\varvec{z}_i-\varvec{z}_i')\cdot 2/(c_i-c_i')\) with \(\varvec{A}\bar{\varvec{s}}=2\varvec{t}\), and the parameters for the size of \(\bar{\varvec{s}}\) in (6) then follow from the parameters in Algorithms 7 and 8.
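The extraction step above, worked through as an added example (this is not the authors' code; the ring \(R_q\) with \(d=8\), \(q=257\), the 2-column matrix \(\varvec{A}\) and the ternary secret are toy choices far below any secure parameter set). The block builds \(2/(c-c')\) constructively for every pair of distinct challenges in \(\mathcal{M}=\{0,\pm x^i\}\) via the identity \((1-x^k)(1+x^k+\dots +x^{(m-1)k})=1-x^{mk}=2\) when \(mk\equiv d \pmod{2d}\), checks the product and the norm bound, then rewinds an honest prover on two challenges and verifies that the combined response is \(2\varvec{s}\):

```python
import random

# Added example (not from the paper): the rewinding/extraction step of Appendix A
# over a toy ring R_q = Z_q[X]/(X^d+1) with d = 8, q = 257.  Parameters are far
# too small to be secure; they only make the algebra visible.
d, q = 8, 257

def ring_add(a, b): return [(x + y) % q for x, y in zip(a, b)]
def ring_sub(a, b): return [(x - y) % q for x, y in zip(a, b)]
def ring_scale(k, a): return [(k * x) % q for x in a]

def ring_mul(a, b):
    """Schoolbook multiplication mod X^d + 1 (X^d wraps to -1)."""
    res = [0] * d
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < d:
                res[k] = (res[k] + ai * bj) % q
            else:
                res[k - d] = (res[k - d] - ai * bj) % q
    return res

def mono(e):
    """The signed monomial X^e for e mod 2d: X^(e+d) = -X^e in R_q."""
    e %= 2 * d
    p = [0] * d
    p[e % d] = 1 if e < d else q - 1
    return p

# Challenge set M = {0, +-X^i}: None encodes 0; an exponent e in [0, 2d)
# encodes +X^e (e < d) or -X^(e-d) (e >= d).  |M| = 2d + 1 = 17.
CHALLENGES = [None] + list(range(2 * d))
def chal_poly(c): return [0] * d if c is None else mono(c)

def two_over_diff(c, c2):
    """Return v with (c - c2) * v = 2 in R_q, for distinct c, c2 in M."""
    assert c != c2
    if c2 is None:                       # c - 0 = X^e, so v = 2 X^(-e)
        return ring_scale(2, mono(-c))
    if c is None:                        # 0 - X^e = X^(e+d), so v = 2 X^(-e-d)
        return ring_scale(2, mono(-c2 - d))
    # X^e - X^e2 = X^e (1 - X^k) with k = e2 - e.  For the smallest m with
    # m*k = d (mod 2d) we have X^(mk) = -1, hence (1 - X^k) * sum_t X^(tk) = 2.
    k = (c2 - c) % (2 * d)
    m = next(t for t in range(1, 2 * d + 1) if (t * k) % (2 * d) == d)
    geom = [0] * d
    for t in range(m):
        geom = ring_add(geom, mono(t * k))
    return ring_mul(mono(-c), geom)

def centered(x): return x - q if x > q // 2 else x
def l2_norm_sq(polys): return sum(centered(x) ** 2 for p in polys for x in p)

def check_inverse_lemma():
    """(c - c2) * v = 2 for all distinct pairs; returns the worst squared l2 norm of v."""
    two = [2] + [0] * (d - 1)
    worst = 0
    for c in CHALLENGES:
        for c2 in CHALLENGES:
            if c == c2:
                continue
            v = two_over_diff(c, c2)
            assert ring_mul(ring_sub(chal_poly(c), chal_poly(c2)), v) == two
            worst = max(worst, l2_norm_sq([v]))
    return worst                          # must be <= d, i.e. ||v||_2 <= sqrt(d)

# Toy relation: A = [a1, a2] public, t = a1*s1 + a2*s2 with a ternary secret s.
rng = random.Random(1)
A = [[rng.randrange(q) for _ in range(d)] for _ in range(2)]
S = [[rng.choice([0, 1, q - 1]) for _ in range(d)] for _ in range(2)]
def apply_A(vec): return ring_add(ring_mul(A[0], vec[0]), ring_mul(A[1], vec[1]))
T = apply_A(S)

def prover_response(y, c):
    """z = y + c*s for the masking vector y and challenge c (no rejection step in the toy)."""
    return [ring_add(yi, ring_mul(chal_poly(c), si)) for yi, si in zip(y, S)]

def verifier_accepts(w, c, z):
    return apply_A(z) == ring_add(w, ring_mul(chal_poly(c), T))

def extract(y, c, c2):
    """Rewind: same y, two challenges -> sbar = (z - z') * 2/(c - c') with A*sbar = 2t."""
    w = apply_A(y)
    z, z2 = prover_response(y, c), prover_response(y, c2)
    assert verifier_accepts(w, c, z) and verifier_accepts(w, c2, z2)
    v = two_over_diff(c, c2)
    return [ring_mul(ring_sub(zi, zi2), v) for zi, zi2 in zip(z, z2)]

def demo():
    y = [[rng.choice([0, 1, q - 1]) for _ in range(d)] for _ in range(2)]
    sbar = extract(y, 3, 11)              # challenges X^3 and -X^3 (11 = 3 + d)
    return sbar == [ring_scale(2, s) for s in S], apply_A(sbar) == ring_scale(2, T)
```

With an honest prover the extracted vector is exactly \(2\varvec{s}\); against a cheating prover the same algebra still yields some \(\bar{\varvec{s}}\) with \(\varvec{A}\bar{\varvec{s}}=2\varvec{t}\) whose norm is bounded by \(\|\varvec{z}_i-\varvec{z}_i'\|\cdot\sqrt{d}\), which is what the SIS reduction needs.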

B Hash Functions with Efficient Proofs

In our group signature and DAA scheme, we need to use a hash function that allows for efficient zero-knowledge proofs that a hash was correctly computed and that the prover knows a pre-image of the hash value. We will use zero-knowledge proofs based on the discrete logarithm assumption, which naturally lend themselves to proving statements over fields of large prime order. Therefore, we would like to use a hash function built around arithmetic over such fields.

The MiMC Hash Function Family. MiMC [3] is a family of hash functions designed with precisely this in mind. MiMC hash functions are based on the sponge construction [10]. The underlying permutation works by adding a fixed (pseudo-randomly chosen) round constant to the state and cubing the result over the field, and repeating this round many times; cubing costs only two field multiplications, which is what keeps the verification circuit small.

For fixed input size, output size, and security level, the MiMC family includes a range of hash functions with a trade-off between the size of the prime field used and the number of multiplication gates in a circuit which verifies correct computation of the hash function. Later, in our choice of zero-knowledge proof system, we will see that for every multiplication in the circuit, the prover must perform some exponentiations over a cryptographic group. Therefore, in the two cases below, we have carefully selected the parameters of the MiMC hash functions in order to minimise the computational burden on the prover. To specify a MiMC hash function, one must give the desired security level and the ‘rate’ of the round function, which determines the prime field to be used.

As part of our schemes, we will use a pre-image resistant function (later referred to as \(F_{R_{+}}\)) to protect the user’s secret key. We instantiate this function with a MiMC hash function with an input length of 256 bits and an output length of 1,024 bits. The circuit used to prove knowledge of a hash pre-image has 60,192 multiplication gates. We will also use a hash function, modelled as a random oracle, which maps the output of the previous function onto a ring element from \(\mathbb {Z}_q[X]/(X^d+1)\). In this case, we use a MiMC hash function with an input length of 1,024 bits and an output length of 14,336 bits. For the new, larger input and output sizes, the circuit used to prove knowledge of a hash pre-image has 831,577 multiplication gates.

In both cases, we use MiMC hash functions with capacity 512, and a 521-bit prime. This choice of parameters comes from our requirement that the hash function has 256 bits of classical security and therefore 128 bits of quantum security against collision-finding attacks. For 256 bits of classical security, the internal workings of the hash function force us to use a prime of at least 512 bits. Hence, we use a 521-bit prime so that we can use a standardised NIST elliptic curve (P-521), for which we expect highly optimised implementations of curve operations compared with unstandardised curves.
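To make the "multiplication gates per hash" cost concrete, here is an added example (not the authors' code, and not their parameters): a MiMC-style sponge over a 64-bit prime field, with the field multiplications counted so that the circuit size of a pre-image proof can be read off. The prime \(2^{64}-59\), the 24-round count, the 32-bit rate and the toy round constants are assumptions for illustration only; a real MiMC instance uses roughly \(\log_3 p\) rounds and, in this paper, a 521-bit prime.

```python
import random

# Added example, not the authors' code: a MiMC-style sponge hash over a prime
# field, instrumented to count the multiplication gates that a circuit checking
# H(x) = h would contain.  Toy parameters only (the paper uses a 521-bit prime,
# capacity 512 and a full-strength round count); nothing here is secure.
P = 2**64 - 59              # prime with P = 2 (mod 3), so x -> x^3 permutes F_P
assert (P - 1) % 3 != 0
ROUNDS = 24                 # illustrative; MiMC needs about log_3(P) rounds
RATE_BITS = 32              # message/digest bits handled per permutation call
_rng = random.Random(2020)  # MiMC derives round constants from a public seed
CONSTS = [_rng.randrange(P) for _ in range(ROUNDS)]
CONSTS[0] = 0               # MiMC fixes the first round constant to zero
INV3 = pow(3, -1, P - 1)    # exists because gcd(3, P - 1) = 1

class MulCounter:
    """Counts field multiplications; the verification circuit has one gate each."""
    def __init__(self):
        self.muls = 0

    def mul(self, a, b):
        self.muls += 1
        return a * b % P

def mimc_perm(x, ctr):
    """MiMC-P/P with key 0: ROUNDS rounds of x <- (x + c_i)^3, two multiplications each."""
    for c in CONSTS:
        y = (x + c) % P
        x = ctr.mul(ctr.mul(y, y), y)
    return x

def mimc_perm_inv(x):
    """Inverse permutation.  A cube root costs ~log2(P) multiplications, so
    proving the hash *backwards* would be far more expensive than forwards."""
    for c in reversed(CONSTS):
        x = (pow(x, INV3, P) - c) % P
    return x

def sponge_hash(blocks, out_blocks, ctr):
    """Absorb RATE_BITS-bit blocks into a one-element state, squeeze out_blocks words."""
    state = 0
    for m in blocks:
        assert 0 <= m < 2**RATE_BITS
        state = mimc_perm((state + m) % P, ctr)   # add into the rate part, permute
    out = []
    for i in range(out_blocks):
        if i:
            state = mimc_perm(state, ctr)
        out.append(state % 2**RATE_BITS)          # low bits play the rate part
    return out

def preimage_circuit_gates(in_bits, out_bits):
    """Multiplication gates in a circuit checking 'H(x) = h' for these sizes."""
    absorbs = -(-in_bits // RATE_BITS)             # ceil division
    squeezes = -(-out_bits // RATE_BITS)
    return 2 * ROUNDS * (absorbs + squeezes - 1)
```

Hashing three 32-bit blocks to a 64-bit digest runs four permutations, i.e. \(4\cdot 24\cdot 2=192\) multiplications, and that is exactly the number of multiplication gates a prover would have to pay for; the paper's 60,192- and 831,577-gate figures arise the same way from its own rate, round count and input/output sizes.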

C Quantum Annoying and Timed ZKPs

The core observation behind our timed ZKPs is that while certain hard problems, such as the discrete logarithm problem, can be solved in polynomial time by (sufficiently sized) quantum computers, it is likely that solving them will not be instantaneous, or will at least be prohibitively expensive. Thus, forcing the adversary to solve a fresh DLP instance for each proof might render the attack infeasible.

This property has recently been described as quantum annoyance [22] and formalized through a two-stage adversary. Roughly, in an offline pre-computation phase the adversary is granted full quantum power, but it is restricted to be classical when turning to the online phase.

We now apply this concept to zero-knowledge proofs; more precisely, we consider ZKPs for generalized statements following the form of Eq. (7) of the proof system recently introduced in [17]. The proof system uses a CRS made up of random group elements \(g_1,\ldots ,g_{n}\), and assuming the DL problem is hard, it allows one to prove knowledge of a witness for various NP statements. For example, what the protocol of [17] actually proves is that the prover knows a SIS solution \(\mathbf {s}\) or a non-trivial discrete logarithm relation between \(g_1,\ldots ,g_{n}\). Generalizing this idea we consider proofs of the form \(\mathsf {ZKP}\{(w): (x_q,w) \in \mathcal {R}_q ~\vee ~ (x_c,w) \in \mathcal {R}_c\}\), where \(\mathcal {R}\) denotes an NP relation and w is a witness for a statement x if \((x,w)\in \mathcal {R}\).

In this plain form, the soundness of the proof relies on the weaker of the two assumptions, i.e., on the DL assumption in the case of [17], even though the proof also covers a lattice relation. We can transform the proof into a quantum-annoying (and later timed) version by simply letting the verifier freshly choose \(x_c\) (i.e., the \(g_i\) in our concrete scheme) when the proof starts.

Let be a generator that produces a random instance \(x \in \mathcal {L}\) for security parameter \({1^{\lambda }}\) and language \(\mathcal {L}=\{x \ \vert \ \exists w: (x,w) \in \mathcal {R}\}\). We can then formulate quantum-annoying soundness for an interactive proof protocol \((\mathcal {P}, \mathcal {V})\) for statements \((x_q,w) \in \mathcal {R}_q ~\vee ~ (x_c,w) \in \mathcal {R}_c\) as follows: For any efficient adversary \((\mathcal {A}_1, \mathcal {A}_2)\)—where \(\mathcal {A}_1\) is quantum, and \(\mathcal {A}_2\) is classical—running the following game

  1. sample random

  2.

  3. sample random

  4. where \(\mathsf {Pr}\left[ \langle \mathcal {A}_2(\mathsf {st}, x_q,x_c), \mathcal {V}(x_q,x_c)\rangle =1\right] > \epsilon \)

there exists an efficient extractor \(\mathcal {E}\) with rewindable black-box access to \(\mathcal {A}_2\) that outputs w s.t. \((x_q,w) \in \mathcal {R}_q \vee (x_c,w) \in \mathcal {R}_c\) with probability \(\ge \epsilon /\mathsf {poly}({1^{\lambda }})\).

Generally, the online adversary \(\mathcal {A}_2\) can be seen as a resource-restricted adversary that cannot break the classical problem. While quantum-annoyance models the resource restriction by simply limiting \(\mathcal {A}_2\) to be classical, we can also be more generous and give \(\mathcal {A}_2\) quantum power, yet restrict its running time.

That is, the verifier only accepts a proof when the prover correctly responds within some fixed short time \(\varDelta \). The soundness of our ZKP then even holds against a full quantum adversary under the additional assumption that the problem \(\mathcal {R}_c\) is hard to solve within a short amount of time. We will refer to such an assumption as \(\varDelta \)-hardness.

Note that there are subtle constraints on how to choose the time \(\varDelta \) for a concrete ZKP instantiation based on a \(\varDelta '\)-hard problem. For satisfying completeness, \(\varDelta \) must be chosen large enough, such that honest provers can still complete the proof (for \(\mathcal {L}_q\)) in time. For soundness, \(\varDelta \) depends on the loss in the reduction, i.e., the running time of the extractor that will be used to break the \(\varDelta '\)-hard problem needs to be taken into account. We leave a more formal treatment of these relations as interesting future work.
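The effect of re-sampling \(x_c\) per proof, as an added example that is not part of the paper: the \(n=2\) case of a discrete logarithm relation is a Pedersen commitment \(C=g^m h^r\), and anyone who knows \(t=\log_g h\) can open \(C\) to any message. The offline adversary is played by brute force in a toy group of order 509 (an assumption standing in for quantum power at real sizes; the group, generator and seed are illustrative and insecure). With a fixed CRS the precomputed \(t\) breaks binding online; when the verifier draws a fresh \(h\) at proof start, the stale trapdoor is useless and the online adversary would need a new discrete log in its limited time.

```python
import random

# Added example, not from the paper: why letting the verifier choose the DL part
# of the statement fresh per proof defeats offline precomputation.  Toy group of
# order Q = 509 inside Z_1019^*, small enough that brute force plays the role of
# the adversary's quantum offline phase.  Not secure at these sizes.
P, Q = 1019, 509                  # P = 2Q + 1, both prime
G = 4                             # a square, hence a generator of the order-Q subgroup

def sample_generator(rng):
    """Verifier-side sampling of a random h in the subgroup (a fresh x_c)."""
    return pow(G, rng.randrange(1, Q), P)

def commit(m, r, h):
    """Pedersen commitment: binding iff log_G(h) is unknown (DL relation, n = 2)."""
    return pow(G, m, P) * pow(h, r, P) % P

def dlog_bruteforce(h):
    """Offline phase: recover t with G^t = h.  Feasible here only because Q is tiny."""
    for t in range(Q):
        if pow(G, t, P) == h:
            return t
    raise ValueError("h not in subgroup")

def equivocate(m, r, m2, t):
    """Given t = log_G(h): r2 with G^m h^r = G^m2 h^r2, i.e. r2 = r + (m - m2) * t^-1 mod Q."""
    return (r + (m - m2) * pow(t, -1, Q)) % Q

def binding_broken(fresh_per_proof, seed=7):
    """Two-phase adversary: precompute log_G(h0) offline, then try to equivocate online."""
    rng = random.Random(seed)
    h0 = sample_generator(rng)        # CRS element known before the online phase
    t0 = dlog_bruteforce(h0)          # offline (quantum-power) stage
    h = h0
    if fresh_per_proof:               # verifier re-samples h when the proof starts
        while h == h0:                # collision probability 1/(Q-1); redraw in the toy
            h = sample_generator(rng)
    m, r, m2 = 42, rng.randrange(Q), 99
    C = commit(m, r, h)
    r2 = equivocate(m, r, m2, t0)     # online phase is classical: only the old trapdoor
    return commit(m2, r2, h) == C     # True means C was opened to a different message
```

The timed variant of Appendix C replaces "classical online adversary" with "must answer within \(\varDelta\)": the fresh \(h\) still forces a new discrete logarithm per proof, and the assumption becomes that no adversary, quantum or not, solves it within \(\varDelta\).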

D Zero-Knowledge Proofs for Group Signature Algorithms

In this section, we explain how to give the zero-knowledge proofs for the group signature algorithms of Sect. 4 in terms of the proof systems of [17] for SIS relations and [13] for more complicated relations with less special structure available.

Both proof systems rely on the discrete logarithm assumption.

Definition 1 (Discrete Log Relation)

For all PPT adversaries \(\mathcal {A}\) and for all \(n\ge 2\) there exists a negligible function \(\mu (\lambda )\) such that

$$\begin{aligned} P\left[ \begin{array}{l}\mathcal {C}=\mathcal {G}(1^\lambda ),\ g_1,\dots ,g_n\leftarrow \mathcal {C};\\ a_1,\dots ,a_n \in \mathbb {Z}\leftarrow \mathcal {A}(G,g_1,\dots ,g_n) \end{array} : \exists a_i \ne 0 \wedge \prod _{i=1}^n g_i^{a_i}=1 \right] \le \mu (\lambda ) \end{aligned}$$

For \(n \ge 2\), this is equivalent to the discrete logarithm assumption.

Sign: A zero-knowledge proof of the following statement is computed:

$$\begin{aligned} \mathsf {ZKP}^{\varDelta }_{\mathsf {DLR}}\left\{ \begin{array}{l}s_1,s_2, \\ e_1,e_2,e_1',e_2',\rho \end{array} : \begin{array}{l} as_1+s_2=H_{R_q}(F_{R_{+}}(\rho )) \\ \wedge ~ 2(he_1+e_2)+F_{R_{+}}(\rho )=u \\ \wedge ~ 2(h'e_1'+e_2')+F_{R_{+}}(\rho )=u' \\ \wedge ~ s_1,s_2\in \mathcal {S}~\wedge ~ \rho \in \mathcal {N}\\ ~\wedge ~ e_1,e_2,e_1',e_2'\in R_{\pm }\end{array} \right\} (\mu ) \end{aligned}$$

The conditions in this relation can be rewritten as follows, with appropriate size bounds on different elements. Set \(k = F_{R_{\pm }}(\rho )\) and \(l = H_{R_q}(k)\).

$$\begin{aligned} \begin{bmatrix} 2h &{} 2 &{} 0 &{} 0 &{} 1\\ 0 &{} 0 &{} 2h' &{} 2 &{} 1\end{bmatrix}\cdot \begin{bmatrix}e_1\\ e_2\\ e_1'\\ e_2'\\ k\end{bmatrix}&=\begin{bmatrix} u\\ u'\end{bmatrix} \wedge \begin{bmatrix} a&1&-1 \end{bmatrix}\cdot \begin{bmatrix} s_1\\ s_2 \\ l\end{bmatrix} = 0 \\&\wedge ~ k = F_{R_{\pm }}(\rho ) ~\wedge ~ l = H_{R_q}(k) \end{aligned}$$

We prove the necessary conditions as follows. We use the proof system of [17] to give a zero knowledge proof for the first linear equation, which has an infinity norm bound of 1 on \(e_1,e_2, e_1',e_2'\) and k. The size of this proof is roughly 76 group elements and 6 field elements for the parameters that we have chosen. We also use the same proof system from [17] to give a zero-knowledge proof for the second linear equation, with an infinity norm bound of q on \(s_1,s_2\) and l.

The remaining conditions that we have to check are the conditions \(k = F_{R_{\pm }}(\rho )\), \(l = H_{R_q}(k)\), and the fact that the \(\ell _2\)-norms of \(s_1\) and \(s_2\) are bounded by \(1.5\sigma \sqrt{d}\). We use the proof system of [13] to achieve this. This proof system works with general arithmetic circuits. The number of multiplication gates in the circuit required to prove these conditions is the sum of the sizes of the circuits for \(F_{R_{\pm }}\) and \(H_{R_q}\), plus roughly 2096 extra multiplications which are used for checking that the norms of \(s_1\) and \(s_2\) are bounded correctly. The extra multiplication gates compute the squares of the \(\ell _2\) norms of each of \(s_1\) and \(s_2\), using 2048 multiplications, check that roughly 48 values are bits by checking that when multiplying them with their complements, the result is zero, and then show that the squares of the \(\ell _2\) norms are represented by the binary values, so that the norms must be in the correct range. Since we have already used the proof system [17] to check that the infinity norms of \(s_1\) and \(s_2\) are bounded, and we work over a prime field with a much larger modulus than the base ring of \(s_1\) and \(s_2\), we need not worry about overflow when computing the squares of the \(\ell _2\) norms. We give zero-knowledge proofs of arithmetic circuit satisfiability and prove all of these things using one single proof from [13]. This proof contributes 48 group elements and 5 finite field elements.

In order to use these proof systems, and be sure that certain secret values are consistent across the different proofs, we need to make some adjustments. The first tweak is to split some of the long commitments made in the protocols into several parts, to allow values to be shared between the two proof systems. This is described in the full version. Separate commitments to k and \(s_1,s_2,l\) allow these values to be shared between the first two proofs for linear relations and the third proof for non-linear relations.

The second tweak is to modify the protocol of [17] so that it works even if we are proving that the entries of the secret vector lie in an interval whose width is not a power of 2. This is easily achieved using techniques from [15]. The idea is that a binary expansion of the form \(\sum _i x_i 2^i\) uniquely expresses every integer in a given interval whose width is a power of 2, but if we change the powers of two in the expression to other values, we can obtain (possibly non-unique) binary expansions for other intervals which suffice for the purpose of giving range proofs. This change has no impact on proof size.
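The norm check of the signing proof and the non-power-of-two range trick of the second tweak, as an added example that is not the paper's circuit: the block lists the multiplication gates explicitly (\(d\) squarings, one gate per bit for \(b(1-b)=0\), and a free linear check that the weighted bit sum equals the squared norm), using the weights \(G_i=\lfloor (B+2^i)/2^{i+1}\rfloor\) of [15], whose subset sums are exactly \([0,B]\). The sizes (\(d=8\), bound 50, field prime \(2^{61}-1\)) are assumptions for illustration; the paper uses \(d=1024\), about 48 bits and the scalar field of its curve.

```python
# Added example, not the paper's circuit: the l2-norm range check as explicit
# multiplication gates over a prime field, with [15]-style weights so that an
# arbitrary bound B (not just 2^n - 1) is representable by a bit vector.
# Toy sizes (d = 8); the paper uses d = 1024 and about 48 bits.  The field prime
# is far larger than the ring modulus, so squares never wrap, as the text notes.
FIELD_P = 2**61 - 1

def cls_weights(B):
    """Weights G_i = floor((B + 2^i) / 2^(i+1)), i < bit_length(B); they sum to B."""
    n = B.bit_length()
    return [(B + 2**i) // 2**(i + 1) for i in range(n)]

def subset_sums(weights):
    """All values a bit vector can represent with these weights (for checking)."""
    sums = {0}
    for w in weights:
        sums |= {s + w for s in sums}
    return sums

def decompose(v, weights):
    """Bits b_i with sum(b_i * G_i) = v.  The weights are non-increasing and each is
    at most one more than the sum of those after it, so a greedy walk always finds
    a representation for 0 <= v <= B; any larger v has no witness."""
    bits = []
    for w in weights:
        take = 1 if w <= v else 0
        bits.append(take)
        v -= take * w
    if v != 0:
        raise ValueError("value outside [0, B]: no witness")
    return bits

class Circuit:
    """Records multiplication gates (a, b, a*b) over F_p; linear checks cost nothing."""
    def __init__(self):
        self.gates = []

    def mul(self, a, b):
        c = a * b % FIELD_P
        self.gates.append((a, b, c))
        return c

    def verify(self):
        return all(a * b % FIELD_P == c for a, b, c in self.gates)

def norm_bound_proof(s, bound_sq):
    """Prover side: gates showing sum(s_i^2) <= bound_sq.  Returns (circuit, bits)."""
    cir = Circuit()
    sq = sum(cir.mul(x % FIELD_P, x % FIELD_P) for x in s) % FIELD_P   # d gates
    weights = cls_weights(bound_sq)
    bits = decompose(sq, weights)                 # raises if the norm is too large
    for b in bits:                                # one gate per bit: b * (1 - b) = 0
        assert cir.mul(b, (1 - b) % FIELD_P) == 0
    assert sum(b * w for b, w in zip(bits, weights)) % FIELD_P == sq  # linear, no gate
    return cir, bits

def gate_count(d, bound_sq):
    """Gates the text counts: d squarings plus one per weight bit."""
    return d + len(cls_weights(bound_sq))
```

For the paper's parameters the same accounting gives the 2048 squarings for \(s_1,s_2\) plus roughly 48 bit gates mentioned above; the greedy decomposition is the prover's job, while the verifier only checks the recorded gates and the linear relation.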

Open: The following zero-knowledge proof is needed:

$$\begin{aligned} \mathsf {ZKP}^{\varDelta }_{\mathsf {DLR}}\left\{ (f,g,v)~ : \begin{array}{l} hg-f=0 ~\wedge ~ ug = 2v+gm \\ ~\wedge ~ f,g\in R_{\pm }~\wedge ~ v\in \mathcal {R}\text { s.t. }\Vert v\Vert _\infty < q/4 - d/2 \end{array} \right\} \end{aligned}$$

The conditions in this relation can be rewritten as follows, with appropriate size bounds on different elements.

$$\begin{aligned} \begin{bmatrix} h &{} 1 &{}0 \\ u &{} 0 &{} 2\end{bmatrix}\cdot \begin{bmatrix}g \\ -f \\ -v\end{bmatrix}&= \begin{bmatrix} 0\\ m\end{bmatrix} \end{aligned}$$

This relation is proved by using the proof system from [17] twice. The first proof proves the linear relation from the first row of the matrix, which does not include v. Therefore, the proof system can be used with norm bound 1. The second proof proves the linear relation from the second row of the matrix, which does include v, and therefore works with norm bound \(q/4-d/2\). As with the signing algorithm, we use the adjustments described above to make sure that the preimage values are consistent across the two proofs.

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Cite this paper

Bootle, J., Lehmann, A., Lyubashevsky, V., Seiler, G. (2020). Compact Privacy Protocols from Post-quantum and Timed Classical Assumptions. In: Ding, J., Tillich, J.-P. (eds) Post-Quantum Cryptography. PQCrypto 2020. Lecture Notes in Computer Science, vol. 12100. Springer, Cham. https://doi.org/10.1007/978-3-030-44223-1_13

  • DOI: https://doi.org/10.1007/978-3-030-44223-1_13

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-44222-4

  • Online ISBN: 978-3-030-44223-1
