Public-Coin 3-Round Zero-Knowledge from Learning with Errors and Keyless Multi-Collision-Resistant Hash

  • Conference paper
Advances in Cryptology – CRYPTO 2022 (CRYPTO 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13507))

Abstract

We construct a public-coin 3-round zero-knowledge argument for NP assuming (i) the sub-exponential hardness of the learning with errors (LWE) problem and (ii) the existence of keyless multi-collision-resistant hash functions against slightly super-polynomial-time adversaries. These assumptions are almost identical to those that were used recently to obtain a private-coin 3-round zero-knowledge argument [Bitansky et al., STOC 2018]. (The difference is that we assume sub-exponential hardness instead of quasi-polynomial hardness for the LWE problem.)

The full version of this paper is available at https://ia.cr/2022/820.

Notes

  1. Some of these works constructed even 2-round or non-interactive ZK arguments under weak security definitions.

  2. More precisely, they obtained it by relying on various cryptographic primitives that can be based on these assumptions.

  3. E.g., those that hash length-\(\lambda ^2\) strings to length-\(\lambda \) strings.

  4. In Bitansky et al. [10], the input queries need to be encrypted by an FHE scheme so that the prover cannot learn the input queries. We ignore this detail in this overview.

  5. Their SNARG works in the common random string model and therefore can be viewed as a public-coin 2-round delegation scheme.

  6. Their SNARG works in the common random string model and therefore can be viewed as a public-coin 2-round delegation scheme.

  7. A computation is log-uniform if it has a circuit that can be generated by a log-space Turing machine.

  8. If the reader is familiar with the GKR interactive proof, we note that the scheme of Jawale et al. [32] uses the GKR interactive proof with a super-polynomially large field, and as a result, the low-degree encoding of the input is super-polynomially long.

  9. For example, polylogarithmic-depth collision-resistant hash functions can be obtained by using a sub-exponentially hard collision-resistant hash function with a polylogarithmic security parameter.

  10. We consider a slightly weaker notion of correctness where t is at most \(\bar{t}(\lambda )\). (In [10], t is at most \(2^{\lambda }\).)

  11. We assume that \(h\in \mathcal {H}_{\lambda }\) hashes a string of length \(2\lambda \) to a string of length \(\lambda \). Therefore, \(\textsf{TreeHash}_h\) hashes a string of length \(2^i\lambda \) to a string of length \(\lambda \).

  12. More precisely, in [26], it is observed that the verifier can delegate the evaluation of \(\{\widetilde{\textsf{add}}_i, \widetilde{\textsf{mult}}_i \}_{i\in [D]}\) to the prover, and in a subsequent work [22], it is observed that the verifier can evaluate \(\{\widetilde{\textsf{add}}_i, \widetilde{\textsf{mult}}_i \}_{i\in [D]}\) efficiently.

  13. For convenience, we use a slightly stronger lower bound for \(\delta \). (In [26], the requirement is \(|\mathbb {H} |-1\le \delta <|\mathbb {F} |\).) See Footnote 14.

  14. In [26, Theorem 3.1], the encoding \(\widehat{x}\) is required to be the LDE of x. However, the only requirement that is used in the analysis of [26, Theorem 3.1] is that the individual degree of \(\widehat{x}\) is upper bounded by the degree parameter \(\delta \). Since we guarantee \(\delta \ge m(|\mathbb {H} |-1)\), it suffices to require that the total degree of \(\widehat{x}\) is at most \(m(|\mathbb {H} |-1)\) (which implies that the individual degree is at most \(\delta \)).

  15. Unlike the original version [26], the version given in [33] (which is the version that we use) requires the verifier to read \(\widehat{x}\) at two points.

  16. This is a super-polynomial upper bound that is sufficient for our purpose.

  17. Note that the Fiat–Shamir transformation only requires hashing the transcript (excluding x) as shown in [31, Figure 1].

  18. Unlike [17, 34], we refrain from using the term “configuration” to refer to the memory and state since we allow RAM machines to additionally have inputs.

  19. For those who are familiar with the RAM delegation of [17], we note that we allow the statements of the batch-NP argument to contain the input of the RAM machine.

  20. Technically, the public-coin property can be verified by observing that under the LWE assumption, all the components of the scheme of [17] can be made public coin by using, e.g., an FHE scheme with pseudorandom public keys and ciphertexts.

  21. Actually, \(\textsf{Mem}\) in [18, Figure 5] outputs a pair \(\textsf{dig}= (\textsf{st}, \textsf{rt})\), but as noted above, we consider an extended version that additionally includes \(|\textsf{DB} |\) in \(\textsf{dig}\).

  22. R emulates the working tape of M by writing it to the memory \(\textsf{DB}\). (It is assumed that \(\textsf{DB}\) contains a padding string as a suffix so that it is long enough for the emulation of the working tape. It is also assumed that M is designed to ignore this padding part of \(\textsf{DB}\).)

  23. Recall that \(\mathsf {RDel.Setup}\) is public coin.

  24. Formally, completeness holds under a slightly modified definition where for each \(\langle M, t, y \rangle \in \{0,1 \}^{\textsf{poly}(\lambda )}\), we only consider a memory \(\textsf{DB}\) that contains a padding string as a suffix so that it is of length \(T \,{:}{=}\,\textsf{poly}_R(t)\) (cf. Footnote 22).

  25. These locations can be determined based on the proof and the verifier query.
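Footnote 11 fixes the convention for \(\textsf{TreeHash}_h\): a compression function \(h\) from \(2\lambda\) bits to \(\lambda\) bits is applied level by level, so a string of \(2^i\lambda\) bits collapses to \(\lambda\) bits after \(i\) levels. The following is an added illustration, not code from the paper: it instantiates \(h\) with SHA-256 truncated to \(\lambda = 16\) bytes (an assumption; the paper's \(h \in \mathcal{H}_\lambda\) is an abstract keyless hash family), implements the tree hash over a \(2^i\lambda\)-byte string, and goes one step beyond the footnote by adding the Merkle-style opening (`open_block`, `verify_opening`, both hypothetical helper names) that lets a verifier holding only the \(\lambda\)-byte root check one block, which is why a tree hash rather than a flat hash is used in the delegation setting.

```python
import hashlib

# λ in bytes. Assumption: 16-byte digests stand in for the paper's security
# parameter λ; the paper's h ∈ H_λ is an abstract keyless hash family.
LAMBDA = 16


def h(x: bytes) -> bytes:
    """Compression function h: {0,1}^{2λ} -> {0,1}^λ (Footnote 11).
    Assumption: SHA-256 truncated to λ bytes is used as a concrete stand-in."""
    if len(x) != 2 * LAMBDA:
        raise ValueError("h takes exactly 2λ bytes")
    return hashlib.sha256(x).digest()[:LAMBDA]


def _blocks(s: bytes) -> list[bytes]:
    """Split s into 2^i blocks of λ bytes; reject any other length."""
    if len(s) == 0 or len(s) % LAMBDA:
        raise ValueError("input length must be a non-zero multiple of λ")
    n = len(s) // LAMBDA
    if n & (n - 1):
        raise ValueError("number of λ-blocks must be a power of two")
    return [s[j:j + LAMBDA] for j in range(0, len(s), LAMBDA)]


def tree_hash(s: bytes) -> bytes:
    """TreeHash_h: hash a 2^i·λ-byte string to λ bytes with i levels of h.
    Adjacent siblings are concatenated and compressed, level by level."""
    level = _blocks(s)
    while len(level) > 1:
        level = [h(level[j] + level[j + 1]) for j in range(0, len(level), 2)]
    return level[0]


def open_block(s: bytes, idx: int) -> tuple[bytes, list[bytes]]:
    """Hypothetical helper (not from the paper): return block idx together with
    its authentication path (the sibling at each level, leaf to root)."""
    level = _blocks(s)
    if not 0 <= idx < len(level):
        raise IndexError("block index out of range")
    block, path, pos = level[idx], [], idx
    while len(level) > 1:
        path.append(level[pos ^ 1])          # sibling at this level
        level = [h(level[j] + level[j + 1]) for j in range(0, len(level), 2)]
        pos //= 2
    return block, path


def verify_opening(root: bytes, idx: int, block: bytes, path: list[bytes]) -> bool:
    """Recompute the root from one λ-byte block and its path. The verifier needs
    only root, idx and i sibling digests, never the full 2^i·λ-byte string."""
    if len(block) != LAMBDA:
        return False
    cur, pos = block, idx
    for sibling in path:
        cur = h(cur + sibling) if pos % 2 == 0 else h(sibling + cur)
        pos //= 2
    return cur == root


if __name__ == "__main__":
    data = bytes(range(64))                  # constructed input: 4 blocks, i = 2
    rt = tree_hash(data)
    blk, path = open_block(data, 2)
    print(rt.hex(), verify_opening(rt, 2, blk, path))
```

The left-or-right ordering in `verify_opening` is decided by the parity of the block's position at each level; dropping that rule (hashing the pair in a fixed order) would let a prover open a block at a position other than the one it was hashed at, which is the usual mistake in hand-rolled Merkle verifiers.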

References

  1. Badrinarayanan, S., Goyal, V., Jain, A., Kalai, Y.T., Khurana, D., Sahai, A.: Promise zero knowledge and its applications to round optimal MPC. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part II. LNCS, vol. 10992, pp. 459–487. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_16

  2. Barak, B.: How to go beyond the black-box simulation barrier. In: 42nd FOCS, pp. 106–115. IEEE Computer Society Press (2001). https://doi.org/10.1109/SFCS.2001.959885

  3. Barak, B., Goldreich, O., Goldwasser, S., Lindell, Y.: Resettably-sound zero-knowledge and its applications. In: 42nd FOCS, pp. 116–125. IEEE Computer Society Press (2001). https://doi.org/10.1109/SFCS.2001.959886

  4. Bellare, M., Palacio, A.: The knowledge-of-exponent assumptions and 3-round zero-knowledge protocols. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 273–289. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_17

  5. Berman, I., Degwekar, A., Rothblum, R.D., Vasudevan, P.N.: Multi-collision resistant hash functions and their applications. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part II. LNCS, vol. 10821, pp. 133–161. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_5

  6. Bitansky, N., Brakerski, Z., Kalai, Y., Paneth, O., Vaikuntanathan, V.: 3-message zero knowledge against human ignorance. In: Hirt, M., Smith, A. (eds.) TCC 2016, Part I. LNCS, vol. 9985, pp. 57–83. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53641-4_3

  7. Bitansky, N., et al.: The hunting of the SNARK. J. Cryptol. 30(4), 989–1066 (2016). https://doi.org/10.1007/s00145-016-9241-9

  8. Bitansky, N., Canetti, R., Paneth, O., Rosen, A.: On the existence of extractable one-way functions. In: Shmoys, D.B. (ed.) 46th ACM STOC, pp. 505–514. ACM Press (2014). https://doi.org/10.1145/2591796.2591859

  9. Bitansky, N., Eizenstadt, N., Paneth, O.: Weakly extractable one-way functions. In: Pass, R., Pietrzak, K. (eds.) TCC 2020, Part I. LNCS, vol. 12550, pp. 596–626. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64375-1_21

  10. Bitansky, N., Kalai, Y.T., Paneth, O.: Multi-collision resistance: a paradigm for keyless hash functions. In: Diakonikolas, I., Kempe, D., Henzinger, M. (eds.) 50th ACM STOC, pp. 671–684. ACM Press (2018). https://doi.org/10.1145/3188745.3188870

  11. Bitansky, N., Khurana, D., Paneth, O.: Weak zero-knowledge beyond the black-box barrier. In: Charikar, M., Cohen, E. (eds.) 51st ACM STOC, pp. 1091–1102. ACM Press (2019). https://doi.org/10.1145/3313276.3316382

  12. Bitansky, N., Lin, H.: One-message zero knowledge and non-malleable commitments. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018, Part I. LNCS, vol. 11239, pp. 209–234. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03807-6_8

  13. Bitansky, N., Paneth, O.: On round optimal statistical zero knowledge arguments. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part III. LNCS, vol. 11694, pp. 128–156. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_5

  14. Blum, M.: How to prove a theorem so no one else can claim it. In: Proceedings of the International Congress of Mathematicians, vol. 2, pp. 1444–1451 (1986)

  15. Bronfman, L., Rothblum, R.D.: PCPs and instance compression from a cryptographic lens. In: Braverman, M. (ed.) ITCS 2022, vol. 215, pp. 30:1–30:19. LIPIcs (2022). https://doi.org/10.4230/LIPIcs.ITCS.2022.30

  16. Canetti, R., Dakdouk, R.R.: Extractable perfectly one-way functions. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 449–460. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70583-3_37

  17. Choudhuri, A.R., Jain, A., Jin, Z.: SNARGs for \(\cal{P}\) from LWE. In: 62nd FOCS, pp. 68–79. IEEE Computer Society Press (2022). https://doi.org/10.1109/FOCS52979.2021.00016

  18. Choudhuri, A.R., Jain, A., Jin, Z.: SNARGs for \(\cal{P}\) from LWE. Cryptology ePrint Archive, Report 2021/808, Version 20211108:181325 (2021). https://eprint.iacr.org/2021/808. An extended version of [17]

  19. Chung, K.-M., Kalai, Y.T., Liu, F.-H., Raz, R.: Memory delegation. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 151–168. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_9

  20. Deng, Y.: Individual simulations. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020, Part III. LNCS, vol. 12493, pp. 805–836. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64840-4_27

  21. Garg, S., Jain, A., Sahai, A.: Leakage-resilient zero knowledge. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 297–315. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_17

  22. Goldreich, O.: On the doubly-efficient interactive proof systems of GKR. In: Electronic Colloquium on Computational Complexity (2017). https://eccc.weizmann.ac.il/report/2017/101

  23. Goldreich, O., Krawczyk, H.: On the composition of zero-knowledge proof systems. SIAM J. Comput. 25(1), 169–192 (1996)

  24. Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems. J. ACM 38(3), 691–729 (1991)

  25. Goldreich, O., Oren, Y.: Definitions and properties of zero-knowledge proof systems. J. Cryptol. 7(1), 1–32 (1994). https://doi.org/10.1007/BF00195207

  26. Goldwasser, S., Kalai, Y.T., Rothblum, G.N.: Delegating computation: interactive proofs for muggles. J. ACM 62(4), 27:1–27:64 (2015)

  27. Hada, S., Tanaka, T.: On the existence of 3-round zero-knowledge protocols. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 408–423. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055744

  28. Holmgren, J., Lombardi, A., Rothblum, R.D.: Fiat-Shamir via list-recoverable codes (or: parallel repetition of GMW is not zero-knowledge). Cryptology ePrint Archive, Report 2021/286, Version 20210307:022349 (2021). https://eprint.iacr.org/2021/286. An extended version of [29]

  29. Holmgren, J., Lombardi, A., Rothblum, R.D.: Fiat-Shamir via list-recoverable codes (or: parallel repetition of GMW is not zero-knowledge). In: Khuller, S., Williams, V.V. (eds.) 53rd ACM STOC, pp. 750–760. ACM Press (2021). https://doi.org/10.1145/3406325.3451116

  30. Jain, A., Kalai, Y.T., Khurana, D., Rothblum, R.: Distinguisher-dependent simulation in two rounds and its applications. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part II. LNCS, vol. 10402, pp. 158–189. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_6

  31. Jawale, R., Kalai, Y.T., Khurana, D., Zhang, R.: SNARGs for bounded depth computations and PPAD hardness from sub-exponential LWE. Cryptology ePrint Archive, Report 2020/980, Version 20200819:035531 (2020). https://eprint.iacr.org/2020/980. An extended version of [32]

  32. Jawale, R., Kalai, Y.T., Khurana, D., Zhang, R.: SNARGs for bounded depth computations and PPAD hardness from sub-exponential LWE. In: Khuller, S., Williams, V.V. (eds.) 53rd ACM STOC, pp. 708–721. ACM Press (2021). https://doi.org/10.1145/3406325.3451055

  33. Kalai, Y., Paneth, O., Yang, L.: On publicly verifiable delegation from standard assumptions. Cryptology ePrint Archive, Report 2018/776 (2018). https://eprint.iacr.org/2018/776

  34. Kalai, Y.T., Paneth, O., Yang, L.: How to delegate computations publicly. In: Charikar, M., Cohen, E. (eds.) 51st ACM STOC, pp. 1115–1124. ACM Press (2019). https://doi.org/10.1145/3313276.3316411

  35. Kalai, Y.T., Raz, R., Rothblum, R.D.: How to delegate computations: the power of no-signaling proofs. In: Shmoys, D.B. (ed.) 46th ACM STOC, pp. 485–494. ACM Press (2014). https://doi.org/10.1145/2591796.2591809

  36. Khurana, D., Sahai, A.: How to achieve non-malleability in one or two rounds. In: Umans, C. (ed.) 58th FOCS, pp. 564–575. IEEE Computer Society Press (2017). https://doi.org/10.1109/FOCS.2017.58

  37. Komargodski, I., Naor, M., Yogev, E.: Collision resistant hashing for paranoids: dealing with multiple collisions. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part II. LNCS, vol. 10821, pp. 162–194. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_6

  38. Pass, R.: Simulation in quasi-polynomial time, and its application to protocol composition. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 160–176. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_10

  39. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 1–40 (2009)

Correspondence to Susumu Kiyoshima.
Copyright information

© 2022 International Association for Cryptologic Research

About this paper

Cite this paper

Kiyoshima, S. (2022). Public-Coin 3-Round Zero-Knowledge from Learning with Errors and Keyless Multi-Collision-Resistant Hash. In: Dodis, Y., Shrimpton, T. (eds) Advances in Cryptology – CRYPTO 2022. CRYPTO 2022. Lecture Notes in Computer Science, vol 13507. Springer, Cham. https://doi.org/10.1007/978-3-031-15802-5_16

  • DOI: https://doi.org/10.1007/978-3-031-15802-5_16

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-15801-8

  • Online ISBN: 978-3-031-15802-5

  • eBook Packages: Computer Science (R0)
