Abstract
We construct a public-coin 3-round zero-knowledge argument for NP assuming (i) the sub-exponential hardness of the learning with errors (LWE) problem and (ii) the existence of keyless multi-collision-resistant hash functions against slightly super-polynomial-time adversaries. These assumptions are almost identical to those that were used recently to obtain a private-coin 3-round zero-knowledge argument [Bitansky et al., STOC 2018]. (The difference is that we assume sub-exponential hardness instead of quasi-polynomial hardness for the LWE problem.)
The full version of this paper is available at https://ia.cr/2022/820.
Notes
1. Some of these works constructed even 2-round or non-interactive ZK arguments under weak security definitions.
2. More precisely, they obtained it by relying on various cryptographic primitives that can be based on these assumptions.
3. E.g., those that hash length-\(\lambda ^2\) strings to length-\(\lambda \) strings.
4. In Bitansky et al. [10], the input queries need to be encrypted by an FHE scheme so that the prover cannot learn the input queries. We ignore this detail in this overview.
5. Their SNARG works in the common random string model and therefore can be viewed as a public-coin 2-round delegation scheme.
6. Their SNARG works in the common random string model and therefore can be viewed as a public-coin 2-round delegation scheme.
7. A computation is log-uniform if it has a circuit that can be generated by a log-space Turing machine.
8. If the reader is familiar with the GKR interactive proof, we note that the scheme of Jawale et al. [32] uses the GKR interactive proof with a super-polynomially large field, and as a result, the low-degree encoding of the input is super-polynomially long.
9. For example, polylogarithmic-depth collision-resistant hash functions can be obtained by using a sub-exponentially hard collision-resistant hash function with a polylogarithmic security parameter.
10. We consider a slightly weaker notion of correctness where t is at most \(\bar{t}(\lambda )\). (In [10], t is at most \(2^{\lambda }\).)
11. We assume that \(h\in \mathcal {H}_{\lambda }\) hashes a string of length \(2\lambda \) to a string of length \(\lambda \). Therefore, \(\textsf{TreeHash}_h\) hashes a string of length \(2^i\lambda \) to a string of length \(\lambda \).
12. More precisely, in [26], it is observed that the verifier can delegate the evaluation of \(\{\widetilde{\textsf{add}}_i, \widetilde{\textsf{mult}}_i \}_{i\in [D]}\) to the prover, and in a subsequent work [22], it is observed that the verifier can evaluate \(\{\widetilde{\textsf{add}}_i, \widetilde{\textsf{mult}}_i \}_{i\in [D]}\) efficiently.
13. For convenience, we use a slightly stronger lower bound for \(\delta \). (In [26], the requirement is \(|\mathbb {H} |-1\le \delta <|\mathbb {F} |\).) See Footnote 14.
14. In [26, Theorem 3.1], the encoding \(\widehat{x}\) is required to be the LDE of x. However, the only requirement that is used in the analysis of [26, Theorem 3.1] is that the individual degree of \(\widehat{x}\) is upper bounded by the degree parameter \(\delta \). Since we guarantee \(\delta \ge m(|\mathbb {H} |-1)\), it suffices to require that the total degree of \(\widehat{x}\) is at most \(m(|\mathbb {H} |-1)\) (which implies that the individual degree is at most \(\delta \)).
15.
16. This is a super-polynomial upper bound that is sufficient for our purpose.
17. Note that the Fiat–Shamir transformation only requires hashing the transcript (excluding x) as shown in [31, Figure 1].
18.
19. For those who are familiar with the RAM delegation of [17], we note that we allow the statements of the batch-NP argument to contain the input of the RAM machine.
20. Technically, the public-coin property can be verified by observing that under the LWE assumption, all the components of the scheme of [17] can be made public coin by using, e.g., an FHE scheme with pseudorandom public keys and ciphertexts.
21. Actually, \(\textsf{Mem}\) in [18, Figure 5] outputs a pair \(\textsf{dig}= (\textsf{st}, \textsf{rt})\), but as noted above, we consider an extended version that additionally includes \(|\textsf{DB} |\) in \(\textsf{dig}\).
22. R emulates the working tape of M by writing it to the memory \(\textsf{DB}\). (It is assumed that \(\textsf{DB}\) contains a padding string as a suffix so that it is long enough for the emulation of the working tape. It is also assumed that M is designed to ignore this padding part of \(\textsf{DB}\).)
23. Recall that \(\mathsf {RDel.Setup}\) is public coin.
24. Formally, completeness holds under a slightly modified definition where for each \(\langle M, t, y \rangle \in \{0,1 \}^{\textsf{poly}(\lambda )}\), we only consider a memory \(\textsf{DB}\) that contains a padding string as a suffix so that it is of length \(T \,{:}{=}\,\textsf{poly}_R(t)\) (cf. Footnote 22).
25. These locations can be determined based on the proof and the verifier query.
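The \(\textsf{TreeHash}_h\) construction of Footnote 11, written out as an added example (not code from the paper): a keyless h compressing 2λ to λ is iterated pairwise over 2^i blocks until one λ-length root remains, together with the opening and check of a single block against that root. Assumptions not in the paper: λ is measured in bytes here, h is instantiated with SHA-256 truncated to λ bytes, and the sample input is constructed.

```python
import hashlib

LAM = 16  # lambda in bytes (constructed parameter; the paper measures lambda in bits)


def h(left: bytes, right: bytes, lam: int = LAM) -> bytes:
    """The footnote's h: a 2*lam-byte string -> lam bytes. Instantiated here
    (assumption) with SHA-256 truncated to lam bytes; the paper only needs a
    keyless compression function of this shape."""
    if len(left) != lam or len(right) != lam:
        raise ValueError("h expects two lam-byte halves")
    return hashlib.sha256(left + right).digest()[:lam]


def tree_hash(data: bytes, lam: int = LAM) -> bytes:
    """TreeHash_h: hash a string of length 2^i * lam down to lam bytes by i
    rounds of pairwise compression (i = 0 leaves the single block unchanged)."""
    if len(data) == 0 or len(data) % lam:
        raise ValueError("input length must be a non-zero multiple of lam")
    level = [data[j:j + lam] for j in range(0, len(data), lam)]
    if len(level) & (len(level) - 1):
        raise ValueError("number of lam-byte blocks must be a power of two")
    while len(level) > 1:
        level = [h(level[k], level[k + 1], lam) for k in range(0, len(level), 2)]
    return level[0]


def open_leaf(data: bytes, idx: int, lam: int = LAM) -> list:
    """Authentication path for block idx: the sibling digest at each of the i levels."""
    level = [data[j:j + lam] for j in range(0, len(data), lam)]
    path = []
    while len(level) > 1:
        path.append(level[idx ^ 1])
        idx >>= 1
        level = [h(level[k], level[k + 1], lam) for k in range(0, len(level), 2)]
    return path


def verify_leaf(root: bytes, leaf: bytes, idx: int, path: list, lam: int = LAM) -> bool:
    """Recompute the root from one block and its path; the bits of idx decide on
    which side the sibling sits at each level."""
    cur = leaf
    for sib in path:
        cur = h(sib, cur, lam) if idx & 1 else h(cur, sib, lam)
        idx >>= 1
    return cur == root


if __name__ == "__main__":
    blocks = bytes(range(64))  # constructed input: 4 blocks of 16 bytes, so i = 2
    rt = tree_hash(blocks)
    print(rt.hex(), verify_leaf(rt, blocks[16:32], 1, open_leaf(blocks, 1)))
```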
References
Badrinarayanan, S., Goyal, V., Jain, A., Kalai, Y.T., Khurana, D., Sahai, A.: Promise zero knowledge and its applications to round optimal MPC. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part II. LNCS, vol. 10992, pp. 459–487. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_16
Barak, B.: How to go beyond the black-box simulation barrier. In: 42nd FOCS, pp. 106–115. IEEE Computer Society Press (2001). https://doi.org/10.1109/SFCS.2001.959885
Barak, B., Goldreich, O., Goldwasser, S., Lindell, Y.: Resettably-sound zero-knowledge and its applications. In: 42nd FOCS, pp. 116–125. IEEE Computer Society Press (2001). https://doi.org/10.1109/SFCS.2001.959886
Bellare, M., Palacio, A.: The knowledge-of-exponent assumptions and 3-round zero-knowledge protocols. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 273–289. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_17
Berman, I., Degwekar, A., Rothblum, R.D., Vasudevan, P.N.: Multi-collision resistant hash functions and their applications. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part II. LNCS, vol. 10821, pp. 133–161. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_5
Bitansky, N., Brakerski, Z., Kalai, Y., Paneth, O., Vaikuntanathan, V.: 3-message zero knowledge against human ignorance. In: Hirt, M., Smith, A. (eds.) TCC 2016, Part I. LNCS, vol. 9985, pp. 57–83. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53641-4_3
Bitansky, N., et al.: The hunting of the SNARK. J. Cryptol. 30(4), 989–1066 (2016). https://doi.org/10.1007/s00145-016-9241-9
Bitansky, N., Canetti, R., Paneth, O., Rosen, A.: On the existence of extractable one-way functions. In: Shmoys, D.B. (ed.) 46th ACM STOC, pp. 505–514. ACM Press (2014). https://doi.org/10.1145/2591796.2591859
Bitansky, N., Eizenstadt, N., Paneth, O.: Weakly extractable one-way functions. In: Pass, R., Pietrzak, K. (eds.) TCC 2020, Part I. LNCS, vol. 12550, pp. 596–626. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64375-1_21
Bitansky, N., Kalai, Y.T., Paneth, O.: Multi-collision resistance: a paradigm for keyless hash functions. In: Diakonikolas, I., Kempe, D., Henzinger, M. (eds.) 50th ACM STOC, pp. 671–684. ACM Press (2018). https://doi.org/10.1145/3188745.3188870
Bitansky, N., Khurana, D., Paneth, O.: Weak zero-knowledge beyond the black-box barrier. In: Charikar, M., Cohen, E. (eds.) 51st ACM STOC, pp. 1091–1102. ACM Press (2019). https://doi.org/10.1145/3313276.3316382
Bitansky, N., Lin, H.: One-message zero knowledge and non-malleable commitments. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018, Part I. LNCS, vol. 11239, pp. 209–234. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03807-6_8
Bitansky, N., Paneth, O.: On round optimal statistical zero knowledge arguments. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part III. LNCS, vol. 11694, pp. 128–156. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_5
Blum, M.: How to prove a theorem so no one else can claim it. In: Proceedings of the International Congress of Mathematicians, vol. 2, pp. 1444–1451 (1986)
Bronfman, L., Rothblum, R.D.: PCPs and instance compression from a cryptographic lens. In: Braverman, M. (ed.) ITCS 2022, vol. 215, pp. 30:1–30:19. LIPIcs (2022). https://doi.org/10.4230/LIPIcs.ITCS.2022.30
Canetti, R., Dakdouk, R.R.: Extractable perfectly one-way functions. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 449–460. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70583-3_37
Choudhuri, A.R., Jain, A., Jin, Z.: SNARGs for \(\mathcal{P}\) from LWE. In: 62nd FOCS, pp. 68–79. IEEE Computer Society Press (2022). https://doi.org/10.1109/FOCS52979.2021.00016
Choudhuri, A.R., Jain, A., Jin, Z.: SNARGs for \(\mathcal{P}\) from LWE. Cryptology ePrint Archive, Report 2021/808, Version 20211108:181325 (2021). https://eprint.iacr.org/2021/808. An extended version of [17]
Chung, K.-M., Kalai, Y.T., Liu, F.-H., Raz, R.: Memory delegation. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 151–168. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_9
Deng, Y.: Individual simulations. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020, Part III. LNCS, vol. 12493, pp. 805–836. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64840-4_27
Garg, S., Jain, A., Sahai, A.: Leakage-resilient zero knowledge. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 297–315. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_17
Goldreich, O.: On the doubly-efficient interactive proof systems of GKR. In: Electronic Colloquium on Computational Complexity (2017). https://eccc.weizmann.ac.il/report/2017/101
Goldreich, O., Krawczyk, H.: On the composition of zero-knowledge proof systems. SIAM J. Comput. 25(1), 169–192 (1996)
Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems. J. ACM 38(3), 691–729 (1991)
Goldreich, O., Oren, Y.: Definitions and properties of zero-knowledge proof systems. J. Cryptol. 7(1), 1–32 (1994). https://doi.org/10.1007/BF00195207
Goldwasser, S., Kalai, Y.T., Rothblum, G.N.: Delegating computation: interactive proofs for muggles. J. ACM 62(4), 27:1–27:64 (2015)
Hada, S., Tanaka, T.: On the existence of 3-round zero-knowledge protocols. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 408–423. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055744
Holmgren, J., Lombardi, A., Rothblum, R.D.: Fiat-Shamir via list-recoverable codes (or: parallel repetition of GMW is not zero-knowledge). Cryptology ePrint Archive, Report 2021/286, Version 20210307:022349 (2021). https://eprint.iacr.org/2021/286. An extended version of [29]
Holmgren, J., Lombardi, A., Rothblum, R.D.: Fiat-Shamir via list-recoverable codes (or: parallel repetition of GMW is not zero-knowledge). In: Khuller, S., Williams, V.V. (eds.) 53rd ACM STOC, pp. 750–760. ACM Press (2021). https://doi.org/10.1145/3406325.3451116
Jain, A., Kalai, Y.T., Khurana, D., Rothblum, R.: Distinguisher-dependent simulation in two rounds and its applications. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part II. LNCS, vol. 10402, pp. 158–189. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_6
Jawale, R., Kalai, Y.T., Khurana, D., Zhang, R.: SNARGs for bounded depth computations and PPAD hardness from sub-exponential LWE. Cryptology ePrint Archive, Report 2020/980, Version 20200819:035531 (2020). https://eprint.iacr.org/2020/980. An extended version of [32]
Jawale, R., Kalai, Y.T., Khurana, D., Zhang, R.: SNARGs for bounded depth computations and PPAD hardness from sub-exponential LWE. In: Khuller, S., Williams, V.V. (eds.) 53rd ACM STOC, pp. 708–721. ACM Press (2021). https://doi.org/10.1145/3406325.3451055
Kalai, Y., Paneth, O., Yang, L.: On publicly verifiable delegation from standard assumptions. Cryptology ePrint Archive, Report 2018/776 (2018). https://eprint.iacr.org/2018/776
Kalai, Y.T., Paneth, O., Yang, L.: How to delegate computations publicly. In: Charikar, M., Cohen, E. (eds.) 51st ACM STOC, pp. 1115–1124. ACM Press (2019). https://doi.org/10.1145/3313276.3316411
Kalai, Y.T., Raz, R., Rothblum, R.D.: How to delegate computations: the power of no-signaling proofs. In: Shmoys, D.B. (ed.) 46th ACM STOC, pp. 485–494. ACM Press (2014). https://doi.org/10.1145/2591796.2591809
Khurana, D., Sahai, A.: How to achieve non-malleability in one or two rounds. In: Umans, C. (ed.) 58th FOCS, pp. 564–575. IEEE Computer Society Press (2017). https://doi.org/10.1109/FOCS.2017.58
Komargodski, I., Naor, M., Yogev, E.: Collision resistant hashing for paranoids: dealing with multiple collisions. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part II. LNCS, vol. 10821, pp. 162–194. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_6
Pass, R.: Simulation in quasi-polynomial time, and its application to protocol composition. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 160–176. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_10
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 1–40 (2009)
© 2022 International Association for Cryptologic Research
About this paper
Cite this paper
Kiyoshima, S. (2022). Public-Coin 3-Round Zero-Knowledge from Learning with Errors and Keyless Multi-Collision-Resistant Hash. In: Dodis, Y., Shrimpton, T. (eds) Advances in Cryptology – CRYPTO 2022. CRYPTO 2022. Lecture Notes in Computer Science, vol 13507. Springer, Cham. https://doi.org/10.1007/978-3-031-15802-5_16
DOI: https://doi.org/10.1007/978-3-031-15802-5_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-15801-8
Online ISBN: 978-3-031-15802-5
eBook Packages: Computer Science, Computer Science (R0)