Efficient Zero-Knowledge Arguments for Matrix Relations over Rings and Non-malleable Enhancement

Abstract

Various matrix relations widely appeared in data-intensive private computations, as a result their efficient zero-knowledge proofs/ arguments are indispensable in such applications. In the first part of this paper, we concretely establish efficient zero-knowledge arguments for linear matrix relation \(\textbf{A} \textbf{U}=\textbf{B}\) over the residue ring \(\textrm{Z}_m\) with logarithmic message complexity. We take a direct, matrix-oriented (rather than vector-oriented in usual) approach to such establishments on basis of the elegant commitment scheme over finite ring recently established by Attema et al. (2022). The commit-and-proof protocol is public-coin and in c.r.s paradigm (c.r.s used only as the public-key of the commitment scheme), suitable for matrices in any size and significantly outperforms the protocols constructed in usual approach with smaller-sized c.r.s.(e.g., decreased by a factor of d where d is the extension degree of Galois ring and n is the order of the witness square), fewer rounds (decreased by a fraction \(>\log d / 2 \log n\)) and lower message complexity (e.g., number of ring elements decreased by a fraction \(>\log d / \log n\)) for large-size squares. The on-line computational complexities are almost the same in both approaches. In the second part, on basis of the simulation-sound tag-based trapdoor commitment scheme we establish a general compiler to transform any public coin proof/argument protocol into the one which is concurrently non-malleable with unchanged number of rounds, slightly increased message and computational complexity. Such enhanced protocols, e.g., the version compiled from the construction in the first part of this work, can run in parallel environment while keeping all their security properties, particularly resisting man-in-the-middle attacks.

Appendix A. Proof of Lemma 3

Let \(\textrm{P}^* \equiv \left( \textrm{P}_1{ }^*, \textrm{P}_2{ }^*\right) \) be a P.P.T. algorithm which convinces the verifier with a statement \(x^*\) in the game \({\text {Exp}}^{\textrm{P}^*}\) in Definition 8 , i.e.:

where \({\text {Tr}}^* \equiv \left[ s_{-} v k^*, y_1{ }^*, \ldots , y_k{ }^*,\left( x_1{ }^*, d_1{ }^*, \ldots , x_k{ }^*, d_k{ }^*, x_{k+1}{ }^*\right) , s^*\right] , \textrm{S} \equiv \left( \textrm{S}_1, \mathrm {~S}_2\right) \) be the simulator constructed in Lemma 3’s proof. For presentational simplicity, let \(\mu _1=\ldots =\) \(\mu _k \equiv \mu \), otherwise for \(\mu \equiv \max \mu _i\) the following argument is still valid.

We construct a P.P.T. extractor Ext which calls P \(^*\) and interacts with it both in the role of prover (via its component algorithm Ext::P) and the role of verifier (via the component algorithm Ext:V). Since Ext can rewind \(\textrm{P}^*\) (mainly \(\textrm{P}_2{ }^*\) in the following) to any state, for presentational simplicity we take an equivalent view in concurrent environment that Ext can fork \(\textrm{P}^*\) instance at any state. The forked instance inherits its parent state and proceeds as specified in the protocol from that state on.

Ext executes the interactions with \(\textrm{P}^*\) in the follow way:

In the role of prover, Ext::P calls the simulator \(\textrm{S}\) to interact with \(\textrm{P}_1{ }^*\). Note that \(\textrm{S}_1\) calls SSTC’s key-generator TCGen to generate and output the public/secret key pair (pk, sk) so Ext can obtain this key pair from \(\textrm{S}\).

In the role of verifier, each time right before Ext::V sends the first challenge \(e_1\) to \(\textrm{P}_2{ }^*\), Ext forks it into \(\mu \) \( \textrm{P}_2{ }^*\)-instances and sends randomly independent and pairwise distinct challenges \(e_i^{(1)}, i=1, \ldots , \mu \) to each \(\textrm{P}_2{ }^*\)-instance.

Every time right before Ext::V sends the second challenge \(e_2\) to some \(\textrm{P}_2{ }^*\)- instance, Ext forks it into \(\mu \) \( \textrm{P}_2{ }^*\)-instances, sends independent and pairwise distinct challenges \(e_1{ }^{(2)}, \ldots , e_\mu { }^{(2)}\) to each instance.

Every instance inherits its parent’s state and proceeds after receiving its challenge. Such operations proceed until all rounds are finished in protocol CNM\(\textrm{ZKAoK} / \textrm{R}\).

Let \(\textrm{T}\left( x^*\right) \) be a tree constructed as stated in Definition 3 for the above interactions, with \(\left[ s_{-} v k^*, y_1^*\right] \) as its root. According to the above operation, \(\textrm{T}\left( x^*\right) \) is a session tree and each path \(\gamma \) in the tree is a trace \({\text {Tr}}<\textrm{P}_2{ }^*, \mathrm {~V}>\left( x^*\right) \).

Since the verifier generates k challenges in CNM-ZKAoK/R, i.e., each path in \(\textrm{T}\left( x^*\right) \) has k edges along it, so in the tree:

$$\begin{aligned} \begin{aligned} & \text {Total number of edges } \textrm{N}=\mu +\mu ^2+\ldots +\mu ^k<\mu ^{k+1} \\ & \text {Total number of nodes } \textrm{M}=1+\mu +\mu ^2+\ldots +\mu ^{k-1}<\mu ^k \\ & \textrm{K}= \text{ total } \text{ number } \text{ of } \text{ leaves } =\mu ^k\\ \end{aligned} \end{aligned}$$

(A.1)

Define a event as:

Tree \(\textrm{T}\left( x^*\right) \) is accepting, i.e., \(b^*(\gamma )=1\) for every path \(\gamma \) in the tree.

Consider two subevents \(\textrm{P}\left[ {\text {Succ}} \wedge \textrm{T}^0\left( x^*\right) \right] \) and \(\textrm{P}\left[ {\text {Succ}} \wedge \sim \textrm{T}^0\left( x^*\right) \right] \).

In the event of , Succ occurs and all session variables \(x_i\) associated with nodes \(y_i(\gamma )\left( y_i(\gamma )\right. \) stands for a node on path \(\gamma \) and at level \(\left. i\right) \) in the accepting tree \(\textrm{T}\left( x^*\right) \) are in consistency with each other, i.e., \(x_i(\gamma )=x_i(\beta )\) for any path \(\gamma \) and \(\beta \) bifurcating at node \(y_i(\gamma )\) (so \(y_i(\gamma )=y_i(\beta ) \equiv y_i, i \ge 1\)), so after replacing each node \(y_i\) with \(x_i\) one can obtain an accepting session tree of protocol ZKAoK/R., denoted as \(\textrm{T}^0\left( x^*\right) \).

Since \(\textrm{ZKAoK} / \textrm{R}\) is \(\left( \mu _1, \ldots , \mu _k\right) \)-special sound, its P.P.T. extractor \({\text {Ext}}^0\) can be called by Ext to output a \(w^*\) s.t. \(\left( x^*, w^*\right) \in \) R. In particular:

$$\begin{aligned} \textrm{P}\left[ {\text {Succ}} \wedge \textrm{T}^0\left( x^*\right) \right] \le \textrm{P}\left[ \text{ Ext } \text{ outputs } \text{ a } w^* \text{ s.t. } \left( x^*, w^*\right) \in \textrm{R}\right] \end{aligned}$$

(A.2)

and note that the event on the right side is just .

For arguments on the complimentary event , i.e., no session tree for protocol \(\textrm{ZKAoK} / \textrm{R}\) can be successfully derived from \(\textrm{T}\left( x^*\right) \) in the abovementioned way, we consider two further subcases.

Case I : \(s_{-} v k^*\) Does Not Appear in Any Message Output from \(\textrm{S}_2\)

We construct a P.P.T. algorithm \(\textbf{A}\) on basis of \(\textrm{P}^*\) to destroy SSTC’s simulation soundness in this case. \(\textbf{A}\) has SSTC’s public key pk as one of its input, has access to oracle-\(\textrm{O}(. \mid s k)\) and controls interactions of \(\textrm{S}\) (in role of prover) and \(\textrm{V}\) with \(\textrm{P}^*\) similarly as Ext does. During the interactions, whenever \(\textrm{S}_2\) needs to generate the message \(Y_i\) or \(D_i\) in the protocol(see (A.1) and (A.2)), \(\textbf{A}\) queries its oracle-\(\textrm{O}(. \mid s k)\) with [“commit”, \(t_i\) ] or [“decommit”, \(\left. Y_i, X_i\right] \) and returns the oracle’s response to \(\textrm{S}_2\).

In the event of \({\text {Succ}} \wedge \sim \textrm{T}^0\left( x^*\right) \), there exist at least two paths \(\gamma ^*\) and \(\beta ^*\) in \(\textrm{T}\left( x^*\right) \) which bifurcate at some node \(y_i\left( \gamma ^*\right) =y_i\left( \beta ^*\right) \equiv y_i^*(i \ge 1)\) with the associated session variables unequal: \(x_i\left( \gamma ^*\right) \ne x_i\left( \beta ^*\right) \). On the other hand, \(b\left( \gamma ^*\right) =b\left( \beta ^*\right) =1\) so

$$\begin{aligned} {\text {TCvf}}\left( p k, y_i^*, x_i\left( \gamma ^*\right) , t_i, d_i\left( \gamma ^*\right) \right) =1 \wedge {\text {TCvf}}\left( p k, y_i^*, x_i\left( \beta ^*\right) , t_i, d_i\left( \beta ^*\right) \right) =1 \end{aligned}$$

where \(t_i=\textrm{H}\left( s_{-} v k^*|| i\right) \) is independent with any path.

In case I \(s_{-} v k^*\) does not appear in any message output from \(\textrm{S}_2\) and \(\textrm{H}\) is collision-resistant, no \(t_i\) can be in the set of tags once received by oracle-O\((. \mid s k)\). As a result, the algorithm \(\textbf{A}\) generates a output destroying scheme SSTC’s simulation soundness with the probability

$$\begin{aligned} p_{\textrm{I}} \equiv \textrm{P}\left[ {\text {Succ}} \wedge \sim \textrm{T}^0\left( x^*\right) \wedge \text{ Case } \textrm{I}\right] \le \textrm{MAdv}_{T C}^{S S}(\lambda )<\mu ^k {\text {Adv}}_{T C}^{S S}(\lambda ) \end{aligned}$$

(A.3)

Case II : \(s_{-} v k^*\) Does Appear in Some Message Output from \(\textrm{S}_2\)

On basis of \(\textrm{P}^*\), we construct a P.P.T. algorithm \(\textbf{B}\) to destroy strong unforgeabililty of the one-time signature scheme \(\textrm{SG}\) in this case. \(\textbf{B}\) has the signature verification key \(s_{-} v k^*\) as one of its input and has access to the signing oracle-OSgn(. \(\left. \mid s_{-} s k^*\right) \) at most one-time.

Let \(\textrm{T}\) be total number of message sequences output from \(\textrm{S}_2\) during interactions with \(\textrm{P}^*\). B selects a \(m \in \{1,2, \ldots , T\}\) uniformly, inserts \(s_{-} v k^*\) into the m-th message sequence during the interactions between \(\textrm{S}_2\) and \(\textrm{P}_1^*\), and generates the signature of this trace required by CNM-ZKAoK/R via accessing oracle-OSgn(. \(\left. \mid s_{-} s k^*\right) \).

If the m-th sequence \({\text {Tr}}_m\) is the one where \(s_{-} v k^*\) appeared, then B makes \(\textrm{P}^*\) succeed in generating an accepting trace \({\text {Tr}}^* \ne {\text {Tr}}_m\). The fact that \({\text {Tr}}^*\) contains a signature \(s^*\) satisfying \({\text {Vf}}\left( s_{-} v k^*, {\text {Tr}}^*, s^*\right) =1\) implies B’s success in destroying SG’s onetime unforgeability. Obviously:

$$\begin{aligned} p_{\textrm{II}} \equiv \textrm{P}\left[ {\text {Succ}} \wedge \sim \textrm{T}^0\left( x^*\right) \wedge \text{ Case } \text{ II } \right] \le \textrm{TAdv}_{S G}^{U F(1)}(\lambda ) \end{aligned}$$

(A.4)

Since Case I and II are complementary, from (A.3) and (A.4) one obtains

$$\begin{aligned} \textrm{P}\left[ {\text {Succ}} \wedge \sim \textrm{T}^0\left( x^*\right) \right] =p_{\textrm{I}}+p_{\textrm{II}} \le \mu ^k {\text {Adv}}_{T C}^{S S}(\lambda )+{\text {TAdv}}_{S G}^{U F(1)}(\lambda ) \end{aligned}$$

(A.5)

Combining (A.2) and (A.5) one has:

$$\begin{aligned} \begin{aligned} & \textrm{P}[ \text{ Succ } ]=\textrm{P}\left[ {\text {Succ}} \wedge \textrm{T}^0\left( x^*\right) \right] +\textrm{P}\left[ {\text {Succ}} \wedge \sim \textrm{T}^0\left( x^*\right) \right] \\ \le & \textrm{P}[{\text {EXT}}]+\mu ^k {\text {Adv}}_{T C}^{S S}(\lambda )+{\text {TAdv}}_{S G}^{U F(1)}(\lambda ) \end{aligned} \end{aligned}$$

(A.6)

On the other hand, one can apply an analysis similar as that in Sect.  3 in [13] (see Lemma 5 there) to obtain a lower-bound of \(\textrm{P}[\)Succ] as:

$$\begin{aligned} \textrm{P}[ {\text {Succ}}]>\pi \left( \textrm{P}^* \mid \lambda \right) -k \mu /|\textrm{E}| \end{aligned}$$

(A.7)

So

$$\begin{aligned} \textrm{P}[\textrm{EXT}]>\pi \left( \textrm{P}^* \mid \lambda \right) -k \mu /|\textrm{E}|-\mu ^k {\text {Adv}}_{T C}^{S S}(\lambda )+{\text {TAdv}}_{S G}^{U F(1)}(\lambda ) \end{aligned}$$

(A.8)

Note that \(n, \mathrm {~T}={\text {poly}}(\lambda ), \mu =\textrm{O}(1)\) and \(k=\textrm{O}(\log n)\) so the third and fourth terms in (A.8) are both negligible in \(\lambda \). According to Ext’s construction, its running time is \(\mu ^k {\text {poly}}(n)=\textrm{O}({\text {poly}}(n))=\textrm{O}({\text {poly}}(\lambda ))\). This completes the proof.