Logarithmic-Size (Linkable) Ring Signatures from Lattice Isomorphism Problems

Abstract

The Lattice Isomorphism Problem (LIP) asks whether two given lattices are isomorphic via an orthogonal linear transformation. At Eurocrypt 2022, Ducas and van Woerden provide a solid foundation for LIP as a promising candidate for post-quantum cryptography. They then propose a digital signature HAWK from LIP in the hash-then-sign framework, whose module version was recently investigated by Ducas et al. at Asiacrypt 2022. HAWK is one of the brightest prospects at round one of the NIST for additional digital signatures. In this paper, we build the first (linkable) ring signature schemes based on the hardness of LIP. The proposed signatures have the logarithmic size in the number of ring users. Our signature size is significantly smaller than several ring signatures based on other underlying problems when the number of users in the ring is large.

To this end, we leverage group action properties of LIP and follow the Merkle tree-based construction of Beullens, Katsumata and Pintore at Asiacrypt 2020 in the context of isogeny-based cryptography, with suitable adaptions to lattice isomorphism group actions.

Appendices

A Ring Signatures Properties

We require the following properties of ring signatures.

Correctness: means that a correctly generated ring signature is surely accepted. Given the security level \(\lambda \), for every ring size \(N = \textsf{poly}(\lambda )\), and every message m, if \(pp \leftarrow \mathsf {RS.Setup}(1^{\lambda })\), \((sk_i, pk_i) \leftarrow \mathsf {RS.KeyGen}\)(pp), for \(i \in [N]\), \(R = (pk_1, \dots , pk_N)\) and \(\sigma \leftarrow \mathsf {RS.Sign}\)(\(R, sk_j, m\)) for some \(j \in [N]\), then \(\textsf{Pr}\big [ \mathsf {RS.Verify}(\sigma , m, R) = 1 \big ] = 1\).

Anonymity: requires that it is infeasible to determine the signer even if all users’ secret keys in the ring are revealed. Formally, a ring signature \(\textsf{RS}\) is anonymous against full key exposure if for any \(N = \textsf{poly}(\lambda )\), any PPT adversary \(\mathcal {A}\) has negligible advantage against a challenger in the following game:

1. 1.

   The challenger runs \(\mathsf {RS.Setup}\)(\(1^{\lambda }\)) to obtain pp, and uses randomness \(rand_i\) to run \(\mathsf {RS.KeyGen}\)(pp,  \(rand_i\)) to generate key pairs \((sk_i, pk_i)\) for each user \(i \in [N]\).

2. 2.

   The challenger samples a random bit \(b \in \{0, 1\}\) and keeps it secret.

3. 3.

   The challenger sends pp and all \(rand_i\) to the adversary.

4. 4.

   The adversary provides a challenge \((m, R, i_0, i_1 )\) to the challenger, where \(i_0, i_1\) are indices of two users in the ring R.

5. 5.

   The challenger uses his secret bit b to sign \(\sigma ^* = \mathsf {RS.Sign}(R, sk_{i_b}, m)\), and sends the signature \(\sigma ^*\) back to the adversary.

6. 6.

   The adversary guesses a bit \(b^* \in \{0, 1\}\).

7. 7.

   The adversary wins the game if \(b^* = b\).

   The advantage of \(\mathcal {A}\) in this game is \(\mathsf {Adv_{RS}^{anonymity}} = |\textsf{Pr}[\mathcal {A}\text { wins}] - \frac{1}{2}|\).

Unforgeability: means that it is infeasible to forge a valid ring signature without knowing the secret key of some user in the ring. Formally, a ring signature \(\textsf{RS}\) is unforgeable with respect to insider corruption if, for any \(N = \textsf{poly}(\lambda )\), any PPT adversary \(\mathcal {A}\) has negligible advantage against a challenger in the following game:

1. 1.

   The challenger runs \(\mathsf {RS.Setup}\)(\(1^{\lambda }\)) to obtain pp, and uses randomness \(rand_i\) to run \(\mathsf {RS.KeyGen}\)(pp,  \(rand_i\)) to generate key pairs \((sk_i, pk_i)\) for each user \(i \in [N]\).

2. 2.

   The challenger forms a ring \(PK = \{pk_i\}_{i \in [N]}\) and initialises two sets \(SL = \emptyset \), \(CL = \emptyset \).

3. 3.

   The challenger sends pp and PK to the adversary.

4. 4.

   The adversary can make arbitrary polynomially many signing and corruption queries as follows:

   • Signing query \((\textsf{sign}, i, m, R)\): the challenger checks if i is a user in the ring R: \(pk_i \in R\). If i is a user, then the challenger signs \(\sigma = \mathsf {RS.Sign}(R, sk_i, m)\). He sends the signature \(\sigma \) to the adversary and adds (i, m, R) to the signing set \(SL = SL \cup \{(i, m, R)\}\).

   • Corruption query \((\textsf{corrupt}, i)\): the challenger sends the randomness \(rand_i\) of user i to the adversary, and \(pk_i\) to the corruption set \(CL = CL \cup \{pk_i\}\).

5. 5.

   The adversary guesses a ring signature \((\sigma ^*, m^*, R^*)\).

6. 6.

   The adversary wins the game if \(\mathsf {RS.Verify}(\sigma ^*, m^*, R^*) = 1\), \(R^* \subset PK - CL\), and \((i, m^*, R^*) \notin SL\).

B Linkable Ring Signatures Properties

We require the following properties of linkable ring signatures.

Correctness: For every security parameter \(\lambda \in \mathbb {N}, N = \textsf{poly}(\lambda ), j \in [N]\), sets \(D_0, D_1 \subseteq [N] \) such that \(j \in D_0 \cap D_1 \), and every message \(m_0,m_1\), if pp \(\leftarrow \) \( \mathsf {LRS.Setup}\) \((1^\lambda )\) \(, (pk_i,sk_i) \) \(\leftarrow \textsf {LRS.KeyGen}(pp)\) for all \(i \in [N]\), \(R_b:= \{pk_i \}_{i \in D_b}, \sigma _b \leftarrow \textsf {LRS.Sign}\) \((sk_j, m_b, R_b)\) for all \(b \in \{0,1\}\) then \(\textsf {LRS.Verify}(R_b, m_b, \sigma _b)=1\), for all \(b \in \{ 0,1\}\) and \(\textsf {LRS.Link}(\sigma _0, \sigma _1) = 1\).

Linkability: A linkable ring signature scheme \(\textsf{LRS}\) is linkable if, for all \(\lambda \in \mathbb {N}\) and \(N = \textsf{poly}(\lambda )\), any PPT adversary \(\mathcal {A}\) has at most negligible advantage in the following game:

1. 1.

   The challenger runs \(pp \leftarrow \textsf {LRS.Setup}(1^\lambda )\) and provides pp to \(\mathcal {A}\).

2. 2.

   \(\mathcal {A}\) outputs \(PK: = \{pk_i \}_{i \in [N]}\) and a set of tuples \((\sigma _i, m_i, R_i)_{i \in [N+1]};\)

3. 3.

   We say the adversary \(\mathcal {A}\) wins if the following conditions hold:

   • For all \(i \in [N+1]\), we have \(R_i \subseteq PK\);

   • For all \(i \in [N+1]\), we have \(\textsf {LRS.Verify}(R_i,m_i,\sigma _i) =1\);

   • For all \(i,j \in [N+1]\) such that \(i \ne j\), we have \(\textsf {LRS.Link}(\sigma _i, \sigma _j) = 0\).

Linkable Anonymity: A linkable ring signature scheme \(\textsf{LRS}\) is linkable anonymous if, for all \(\lambda \in \mathbb {N}\) and \(N = \textsf{poly}(\lambda )\), any PPT adversary \(\mathcal {A}\) has at most negligible advantage in the following game:

1. 1.

   The challenger runs \(pp \leftarrow \mathsf {LRS.Setup}(1^\lambda )\) and generates key pairs \((pk_i,sk_i) = \mathsf {LRS.KeyGen}(pp,rr_i)\) for all \(i \in [N]\) using random coins \(rr_i\). It also samples a random bit \(b \leftarrow \{0,1\}\);

2. 2.

   The challenger provides pp and \(PK:= \{pk_i\}_{i \in [N]}\) to \(\mathcal {A}\);

3. 3.

   \(\mathcal {A}\) outputs two challenge verification keys \(pk^*_0, pk^*_1 \in PK\) to the challenger. The secret keys corresponding to \(pk^*_0, pk^*_1\) are denoted by \(sk^*_0,sk^*_1\), respectively;

4. 4.

   The challenger provides all random coins \(rr_i\) of the corresponding \(\textsf {pk}_i \in PK - \{ pk^*_0, pk^*_1\}\);

5. 5.

   \(\mathcal {A}\) queries for signatures on input a verification key \(pk \in \{ pk^*_0,pk^*_1\} \), a message m and a ring R such that \(\{ pk^*_0, pk^*_1\} \subseteq R\):

   • If \(pk= pk^*_0\), then the challenger returns \(\sigma \leftarrow \textsf {LRS.Sign}(sk_b^*,m,R)\);

   • If \(pk = pk_1^*\), then the challenger returns \(\sigma \leftarrow \textsf {LRS.Sign}(sk_{1-b}^*,m,R)\);

6. 6.

   \(\mathcal {A}\) outputs a guess \(b^*\). If \(b^* = b\), we say the adversary \(\mathcal {A}\) wins. The advantage of \(\mathcal {A}\) in this game is \(\mathsf {Adv_{LRS}^{anonymity}} = |\textsf{Pr}[\mathcal {A}\text { wins}] - \frac{1}{2}|\).

Non-frameability: A linkable ring signature scheme \(\textsf{LRS}\) is non-frameable if, for all \(\lambda \in N\) and \(N = \textsf{poly}(\lambda )\) any PPT adversary \(\mathcal {A}\) has at most negligible advantage in the following game played against a challenger.

1. 1.

   The challenger runs \(pp \leftarrow \mathsf {LRS.Setup}(1^\lambda )\) and generates key pairs \((pk_i,sk_i) \leftarrow \mathsf {LRS.KeyGen}(pp;rr_i)\) for all \(i \in [N]\) using random coins \(rr_i\). It sets \(PK:=\{ pk_i \}_{i \in [N]}\) and initializes two empty set SL and CL.

2. 2.

   The challenger provides \(\textsf {pp}\) and PK to \(\mathcal {A}\).

• \(\mathcal {A}\) can make signing and corruption queries an arbitrary polynomial number of times:

  • \((\textsf{sign,i,m,R}):\) The challenger checks if \(pk_i \in R\) and if so it computes the signature \(\sigma \leftarrow \mathsf {LRS.Sign}(sk_i,m,R)\). The challenger provides \(\sigma \) to \(\mathcal {A}\) and adds (i, m, R) to SL;

  • \((\textsf{corrupt},i):\) The challenger adds \(pk_i\) to CL and returns \(rr_i\) to \(\mathcal {A}\).

• \(\mathcal {A}\) outputs \((R^*,m^*,\sigma ^*)\). We say the adversary \(\mathcal {A}\) wins if the following conditions are satisfied:

  • \(\mathsf {LRS.Verify}(R^*,m^*,\sigma ^*) = 1\) and \((\cdot ,m^*,R^*) \notin SL\);

  • \(\mathsf {LRS.Link}(\sigma ^*, \sigma )=1\) for some \(\sigma \) returned by the challenger on a signing query \((i,m,R) \in SL\), where \(pk_i \in PK-CL\).

C Proof of Knowledge

A proof of knowledge scheme is a two-party interactive protocol in which a prover \(\mathcal {P}\) tries to prove his knowledge about some statement to a verifier \(\mathcal {V}\). The parties take turns one by one to act in the protocol. First, the prover sends a commitment cmt to the verifier. The verifier generates a challenge \(ch_1\) and returns it to the prover. The prover answers by sending a response \(rsp_1\) to the verifier. The verifier again generates the second challenge \(ch_2\) and sends it to the prover. The prover again answers by sending the second response \(rsp_2\) to the verifier. The parties repeat sending challenges and responses n times. After receiving the last response \(rsp_n\), the verifier returns 1 (accept), which means that he is convinced that the prover possesses the knowledge, or 0 (reject), which means that he is not. With n pairs of challenges-responses, we call this a \((2n+1)\)-round proof of knowledge.

Definition C.1

Consider a relation \(\mathcal {R}= \{(x, w): x \in L, w \in W(x) \}\), where L is an NP language, x is a statement in L and W(x) is the set of witnesses of x. Proof of knowledge for the relation \(\mathcal {R}\) is a two-party interactive protocol in which the prover tries to convince the verifier that he knows a witness for each statement in the given language. We require two properties for proof of knowledge: correctness and soundness.

Correctness: If \((x, w) \in \mathcal {R}\), then a prover who knows the witness w can surely convince the verifier of this knowledge: \(\textsf{Pr}[ \langle \mathcal {P}(x, w), \mathcal {V}(x) \rangle = 1] = 1\).

Soundness: Intuitively, soundness means that a prover who does not know the witness cannot convince the verifier that he knew with nonnegligible probability. Otherwise, an efficient solver would exist for the hard problem of finding witnesses for statements in \(\mathcal {R}\). Formally, a proof of knowledge has soundness error \(\varepsilon \) if for any PPT prover \(\mathcal {P}'\) such that \(\varepsilon ' = \textsf{Pr}[ \langle \mathcal {P}'(x, w), \mathcal {V}(x) \rangle = 1] > \varepsilon \), there exists a PPT algorithm extractor \(\mathcal {E}\) which outputs a witness \(w'\) for x in time \(\textsf{poly}(\lambda , \frac{1}{\varepsilon ' - \varepsilon })\) with probability at least \(\frac{1}{2}\). Here, the extractor \(\mathcal {E}\) has a rewindable black-box access to \(\mathcal {P}'\), meaning that \(\mathcal {E}\) can copy the state of \(\mathcal {P}'\) at any moment in the protocol, relaunch \(\mathcal {P}'\) from a previously copied state, and query \(\mathcal {P}'\) on input messages.

Honest-Verifier Zero-Knowledge: A proof of knowledge between \(\mathcal {P}\) and \(\mathcal {V}\) is an honest-verifier zero-knowledge proof if there exists a PPT algorithm simulator \(\mathcal {S}\) whose output distribution is indistinguishable from the distribution of transcripts produced by the interactive protocol between \(\mathcal {P}\) and \(\mathcal {V}\), for an honest verifier \(\mathcal {V}\).

1.1 C.1 Index-Hiding Merkle Trees

Given a list of elements \(A = [a_1, \dots , a_N]\), one can use the Merkle tree to hash A into a single value called the \(\textsf{root}\) so that it will be efficient to prove that an element is in the list A. For OR proofs of knowledge, we need a variant of the Merkle tree introduced in [6], which has an additional property that also hides the position of an element in the list when proving that this element is in A.

Definition C.2

([6]). An index-hiding Merkle tree is given as a tuple of 3 algorithms \((\textsf{genTree}, \) \( \textsf{getPath}, \) \( \textsf{ReconRoot})\), together with a public hash function \(H: \{0, 1\}^* \rightarrow \{0, 1\}^{2 \lambda }\).

• \(\textsf{genTree}(A) \rightarrow (\textsf{root}, \textsf{tree})\): takes as input a list of \(2^k\) elements \(A = (a_1, \dots , a_{2^k})\), it constructs a binary tree of depth k: the leaf nodes are \(\{ \ell _i = H(a_i)\}_{i \in [2^k]}\), and every inside node h with children nodes \(h_{left}\) and \(h_{right}\) equals the hash digest of a concatenation of \(h_{left}\) and \(h_{right}\). For hiding indices, instead of using the standard concatenation \(h_{left} \Vert h_{right}\), we order the two children nodes with the lexicographical order. This modified concatenation is denoted by \((h_{left}, h_{right})_{lex}\). The algorithm outputs the root of the Merkle tree and a description of the entire tree as \( (\textsf{root}, \textsf{tree})\).

• \(\textsf{getPath}(\textsf{tree}, I) \rightarrow \textsf{path}\): takes as input the tree description \(\textsf{tree}\) and an index \(I \in [2^k]\), outputs the list \(\textsf{path}\) containing the sibling node of \(\ell _I\) and the sibling of all ancestor nodes of \(\ell _I\) ordered by decreasing depth.

• \(\textsf{ReconRoot}(a, \textsf{path}) \rightarrow \textsf{root}\): takes as input an element a in the list A and a path \(\textsf{path} = (n_1, \dots , n_k)\), outputs a reconstructed root \(\textsf{root}' = h_k\) calculated by putting \(h_0 = H(a)\) and defining \(h_i = H((h_i,n_i)_{lex})\) for each \(i \in [k]\).

If H is collision-resistant, then the Merkle tree construction is binding, which means that for any \(b \notin A\), it is infeasible to construct a path to prove that \(b \in A\). The use of the lexicographical order to concatenate two children nodes in the Merkle tree construction implies that the output path of \(\textsf{getPath}\) information-theoretically hides the input index \(I \in [N]\).

1.2 C.2 Seed Tree

In [6], the authors introduce a primitive called seed tree to generate several pseudorandom values and later disclose an arbitrary subset without revealing information on the remaining values. A seed tree is a complete binary tree of \(\lambda \)-bit seed values such that the left/right child node of a seed \(\textsf{seed}_h\) is the left/right half of \(\textsf{Expand}(seed \Vert h)\), where \(\textsf{Expand}\) is a pseudorandom generator (PRG). The unique identifier h of the parent seed is appended to separate the input domains of different calls to the PRG. A sender can efficiently reveal the seed values associated with a subset of the set of leaves by revealing the appropriate set of inside seeds in the tree.

Definition C.3

([6]). Let \(\textsf{Expand}: \{0, 1\}^{\lambda + \lceil \log _2(M-1) \rceil } \rightarrow \{0, 1\}^{2 \lambda }\) be a PRG for \(\lambda , M \in \mathbb {N}\) instantiated by a random oracle \(\mathcal {O}\). A seed tree is a tuple of 4 \(\mathcal {O}\)-oracle calling algorithms \((\textsf{SeedTree}, \textsf{ReleaseSeeds}, \textsf{RecoverLeaves}, \textsf{SimulateSeeds})\).

• \(\textsf{SeedTree}(\textsf{seed}_{\textsf{root}}, M; \mathcal {O}) \rightarrow \{ leaf_i\}_{i \in [M]}\): takes as input a root seed \(\textsf{seed}_{\textsf{root}} \in \{0, 1\}^{\lambda }\) and an integer M, constructs a complete binary tree with M leaves by recursively expanding each seed to obtain its children seeds. Oracle calls are of the form \(\mathcal {O}(\textsf{Expand} \Vert \textsf{seed}_h \Vert h)\), where \(h \in [M-1]\) is a unique identifier for the position of seed in the binary tree.

• \(\textsf{ReleaseSeeds}( \textsf{seed}_{\textsf{root}}, \textbf{c}; \mathcal {O}) \rightarrow \textsf{seeds}_{\textsf{internal}}\): takes as input a root seed \(\textsf{seed}_{\textsf{root}} \in \{0, 1\}^\lambda \) and a challenge \(\textbf{c} \in \{0, 1\}^M\), outputs the list of seeds \(\textsf{seeds}_{\textsf{internal}}\) that covers all the leaves with index i such that \(c_i = 1\). A set of nodes D covers a set of leaves S if the union of the leaves of the subtrees rooted at each node \(v \in D\) is exactly the set S.

• \(\textsf{RecoverLeaves}(\textsf{seeds}_{\textsf{internal}}, \textbf{c}; \mathcal {O}) \rightarrow \{leaf_i\}_{i: c_i = 1}\): takes as input a set \(\textsf{seeds}_{\textsf{internal}}\) and a challenge \(\textbf{c} \in \{0, 1\}^M\), computes and outputs all the leaves of subtrees rooted at seeds in \(\textsf{seeds}_{\textsf{internal}}\) which is exactly the set \(\{ leaf_i \}_{i: c_i = 1}\).

• \(\textsf{SimulateSeeds}(\textbf{c}; \mathcal {O}) \rightarrow \textsf{seeds}_{\textsf{internal}}\): takes as input a challenge \(\textbf{c} \in \{0, 1\}^M\), computes the set of nodes covering the leaves with index i such that \(c_i = 1\). Then random samples a seed from \(\{0, 1\}^\lambda \) for each of these nodes and outputs the set of these seeds as \(\textsf{seeds}_{\textsf{internal}}\).

Such a seed tree is correct and hiding in a sense that:

(i):

the leaves \(\{leaf_i\}_{i:c_i=1}\) output by \(\textsf{SeedTree}(\textsf{seed}_{\textsf{root}}, M)\) are the same as those output by \(\textsf{RecoverLeaves}(\textsf{ReleaseSeeds}( \textsf{seed}_{\textsf{root}}, \textbf{c}), \textbf{c})\) for any \(\textbf{c} \in \{0, 1\}^M\);

(ii):

\(\textsf{SimulateSeeds}\) helps to show that the seeds associated with all the leaves with index i such that \(c_i = 0\) are indistinguishable from uniformly random values for a recipient that is only given \(\textsf{seeds}_{\textsf{internal}}\) and \(\textbf{c}\).

1.3 C.3 Proof of Knowledge for Group Actions

Proof of Group Actions. Consider a group action \(G \times \mathcal {X}\rightarrow \mathcal {X}, (g, x) \mapsto g \cdot x\) of a group G on a set \(\mathcal {X}\). Fix a public element \(X_0 \in \mathcal {X}\).

For two public elements \(X_0, X \in \mathcal {X}\), we want to prove knowledge of a secret group element g such that \(g \cdot X_0 = X\). Following the classical proof of knowledge of graph isomorphism, a proof of group actions is obtained as follows. The prover commits to \(cmt = r \cdot X\), where \(r \in G\) is a random group element. The verifier selects a random bit challenge \(ch \in \{0, 1\} \). If \(ch = 0\), then the prover responds with \(rsp = r \cdot g\). The verifier subsequently checks whether \(rsp \cdot X_0 = cmt\). If \(ch = 1\), then the prove sets \(rsp = r\). The verifier checks whether \(rsp \cdot X = cmt\).

OR Proof of Group Actions. For public elements \(X_0, X_1, \dots , X_N\) of \(\mathcal {X}\), the OR proof of knowledge for group actions aims to prove knowledge of a secret group element g such that \(g \cdot X_0 = X_I\) for some index \(I \in \{ 1, \dots , N \}\). One can easily extend the proof of knowledge above to obtain a secure OR proof of group actions as follows.

For each index \(i = 1, \dots , N\), the prover samples a random group element \(r_i \in G\) and commits to \(cmt_i = r_i \cdot X_i\). Then, the verifier chooses a random bit challenge \(ch \in \{0, 1\} \). If \(ch = 0\), the prover sets his response as \(rsp = r_I \cdot g\). The verifier then checks whether \(rsp \cdot X_0 \in \{cmt_1, \dots , cmt_N\}\). If \(ch = 1\), then the prover sets \(rsp = (r_1, \dots , r_N)\). The verifier checks whether \(\{r_1 \cdot X_1, \dots , r_N \cdot X_N \} = \{ cmt_1, \dots , cmt_N\}\). Sending the commitments in a random order helps to hide the index I as the equation \(rsp \cdot X_0 \in \{cmt_1, \dots , cmt_N\}\) provides no information about the index I in \(rsp = r_I \cdot g\). If we did not randomly shuffle the commitments, then from \(rsp \cdot X_0 = cmt_I\) one would see directly that the signer is I.

Using Merkle Tree to Reduce the Size of the OR Proof to Logarithmic Size. When \(ch = 1\), the commitment in OR proof consists of N elements of \(\mathcal {X}\), which make the proof size linear in the number of users N. A key idea of Beullens, Katsumata and Pintore in [6] is to use the Merkle tree to hash the list of commitments and send only the root as the commitment. Consequently, when \(ch = 0\), we need to send a path in the Merkle tree for correct verification as part of the response. This method reduces the OR proof’s size to be logarithmic in the number of users N.

Given a list of elements \(A = [a_1, \dots , a_N]\), one can use the Merkle tree to hash A into a single value called the \(\textsf{root}\) so that it will be efficient to prove that an element is in the list A. For OR proofs of knowledge, we need a variant of the Merkle tree introduced in [6], which has an additional property that also hides the position of an element in the list when proving that this element is in A.

Another important technique of [6] to reduce proof size is to use unbalanced challenge spaces. Upon applying Merkle tree hashing, opening to the case \(ch = 1\) is much cheaper than when \(ch = 0\). To achieve \(\lambda \) bits of security, instead of repeating the OR proof \(\lambda \) times in parallel, one can choose integers M, K such that \(\left( {\begin{array}{c}M\\ K\end{array}}\right) \ge 2^\lambda \) and \(M > \lambda , K \ll \lambda \), then repeat totally M times the execution of OR proof with exactly K times with challenge \(ch = 0\). Since the more expensive case of \(ch = 0\) is repeated much less frequently, the proof size is significantly reduced. Note that among M parallel executions of the binary challenge OR proofs, \(M-K\) times are used for \(ch = 1\) in which, one simply returns the random seed. The seed tree optimises this step: instead of choosing independent seeds for different runs, one generates the seeds using the seed tree. Instead of responding with total \(M-K\) seeds, the prover outputs the released seeds from the root seed and the challenge \(\textbf{c}\).

D Proof of Theorem 3.2

Correctness: If the protocol is executed correctly, the response is \(rsp = U_1^{1-c} V_1\). The verification equation reads \(Q' = \rho _{V_1}(Q_1) = \rho _{U_1^{1-c} V_1}(\rho _{U_1^{c-1}}(Q_1)) = \rho _{rsp}(Q_c),\) which is correct.

Soundness: Suppose that on the same commitment \(Q'\), we have two valid transcripts \((Q', 0, rsp_0)\), \((Q', 1, rsp_1)\). One has two verification equations \(\rho _{rsp_0}(Q_0) = Q'\) and \(\rho _{rsp_1}(Q_1) = Q'\). It follows that \(\rho _{rsp_0}(Q_0) = \rho _{rsp_1}(Q_1)\), hence we have \(\rho _{rsp_1}^{-1}( \rho _{rsp_0}(Q_0)) = \rho _{rsp_1^{-1}}( \rho _{rsp_0}(Q_0)) = \rho _{rsp_0 \cdot rsp_1^{-1}}(Q_0) = Q_1\). In particular, \(rsp_0 \cdot rsp_1^{-1}\) is an isomorphism from \(Q_0\) to \(Q_1\). We obtain the soundness property under the assumption that the worst-case lattice isomorphism problem is hard.

Zero-Knowledge: We need to simulate the transcript of our protocol on given public quadratic forms \(Q_0, Q_1\) without knowing the secret isomorphism \(U_1\). Sampling \((Q',V)\) with \(\textbf{QSample}(Q_0, s)\) gives \(Q'\) of distribution \(\mathcal {D}_s([Q_0])\), and V is a uniformly random isomorphism from \(Q_0\) to \(Q'\). Next, we sample a random bit c. If \(c=1\), the Protocol 3.1 actually does not use the secret isomorphism \(U_1\), so one can simulate the conversation by proceeding the same way as in the protocol with \(c=1\). The transcript is simply \((Q', 1, V)\). When \(c=0\), we run \(\textbf{QSample}(Q_1, s)\) on \(Q_1\) to obtain \((Q'', V'')\) where \(Q'' = \rho _{V''}(Q_1)\). Thus, \((Q'', 0, V'')\) is a suitable simulated transcript when \(c=0\), as the distributions of \(Q'', V''\) are \(\mathcal {D}_s([Q_1]) = \mathcal {D}_s([Q_0])\) and uniformly random isomorphism from \(Q_0\) to \(Q''\), which are the same as in the case \(c = 0\) of the Protocol 3.1.

E Proof of Theorem 3.4

Correctness. If we run \(\varPi ^{base}\) honestly with prover’s input \((U_I, I)\) which satisfies \(\rho _{U_I}(Q_0) = Q_I\), then the verifier accepts almost surely. If \(ch = 0\), then \(z = U_I V_I\), and we have \( \rho _z(Q_0) = \rho _{U_I V_I}(Q_0) = \rho _{V_I}(\rho _{U_I}(Q_0)) = \rho _{V_I}(Q_I) = Q_I'. \) As the prover computes \(C_I = Q_I' \) in \(\mathcal {P}_1\), \(\textsf{root}'' \leftarrow \) \(\textsf{ReconstructRoot}(C'', \textsf{path})\) reconstructed from the I-th leaf of the Merkle tree in \(\mathcal {V}_2\) will match the root \(\textsf{root}\) in \(\mathcal {P}_1\), hence the verifier accepts. If \(ch = 1\), then in \(\mathcal {V}_2\) the verifier repeats the calculation in \(\mathcal {P}_1\) with \(seed = rsp\), and obtains the same root \(\textsf{root}'' = \textsf{root}\), hence the verifier accepts.

Relaxed Special Soundness. Given two accepting transcripts \((\textsf{root}, 0, (z, \textsf{path}))\) and \((\textsf{root}, 1, \textsf{seed})\), we can extract a witness as either \(U \in GL(n, \mathbb {Z})\) such that \(\rho _U(Q_0) = Q_I\) for some \(I \in [N]\), or a collision in \(\mathcal {H}\), or a collision for the random oracle \(\mathcal {O}\), as follows. One first expands \((\textsf{seed}_1, \dots , \textsf{seed}_N) \leftarrow \mathcal {O}(\textsf{Expand} \Vert \textsf{seed})\) to obtain \( \textsf{seed}_i \in \{0,1\}^\lambda \), then computes \((\textsf{root}', \textsf{tree}) \leftarrow \textsf{MerkleTree}(C_1, \dots , C_N)\), where \(C_i = Q_i'\) is obtained via \(\textbf{QSample}(Q_0, s \Vert \textsf{seed}_i) \). From the two valid transcripts, one obtains that \(\textsf{root}' = \textsf{root}\) and \(\textsf{ReconstructRoot}(C'', \textsf{path}) = \textsf{root}\) with \(C'' = Q'' = \rho _z(Q_0) \). If \(C'' \ne C_i\) for all \(i \in [N]\), then one can use the Merkle tree extractor to find a collision of \(\mathcal {H}\) from \((\textsf{tree}, C'', \textsf{path})\). If there exists \(I \in [N]\) such that \(C'' = C_I\), one checks whether \(Q'' \ne \rho _U(Q_I) \), if so, then the pairs \(Q'', \rho _U(Q_I) \) is a collision of \(\mathcal {O}\). When in addition \(Q'' = \rho _U(Q_I)\), one has \(\rho _{U_I^{-1} z}(Q_0) = Q_I\), hence \(U_I^{-1} z\) is an isomorphism between \(Q_0, Q_I\).

Honest-Verifier Zero-Knowledge. One needs to build a simulator \(\textsf{Sim}\) such that for any valid relation (X, W), and any challenge ch, any computationally unbounded adversary \(\mathcal {A}\) making q queries to the random oracle \(\mathcal {O}\), one has

$$ \big | \textsf{Pr}[ \mathcal {A}(\mathcal {P}(X, W, ch)) = 1] - \textsf{Pr}[ \mathcal {A}(\textsf{Sim}(X, ch)) = 1] \big | \le \frac{2q}{2^\lambda }.$$

In the framework of [6], the proof of zero-knowledge property in [6, Theorem 3.3] is an extension of the proof for graph isomorphism protocol and uses the following ingredients: the problem \(\mathsf {ac\text {-}sLIP}_{s}^{Q_0}\) is hard, \(\textsf{seed}\) and \(\textsf{bits}_i\)’s have high min-entropy and information-theoretically hidden from \(\mathcal {A}\), and that the distributions of \(\textsf{root}\) and \(\textsf{path}\) does not depend on the value of I. For lattice isomorphism sigma protocol, we refer to [17, 24] for proofs of zero-knowledge property in a similar line. One defines \(\textsf{Sim}\) for each case of \(ch = 1\) and \(ch = 0\) separately as follows:

• When \(ch = 1\), the prover does not need a secret key to run the protocol, \(\textsf{Sim}\) just runs the prover on input \((X, ch=1)\) and uses the same output as the prover. As the prover does not use the witness in this case, transcripts when \(ch = 1\) are simulated perfectly.

• When \(ch = 0\), \(\textsf{Sim}\) runs \((Q', V) \leftarrow \text {Algorithm 2.9} (Q_0, s)\), let \(z = V\). It sets \(C_1 = \rho _z(Q_0) \), and sets the remaining commitments \(C_2, \dots , C_N\) to be uniformly random strings from \(\{0, 1\}^{2\lambda }\). It generates a Merkle tree \((\textsf{tree}, \textsf{root}) \leftarrow \textsf{MerkleTree}(C_1, \dots , C_N)\), then extracts a path \(\textsf{path} \leftarrow \textsf{getMerklePath}(\textsf{tree}, 1)\). Finally, \(\textsf{Sim}\) sets its output in this case as \((\textsf{root}, 0, rsp = (z, \textsf{path} )\). When \(ch =0\), one simulates the transcript by randomising its parts one by one to obtain a sequence of simulators \(\textsf{Sim}_i\). Fix an adversary \(\mathcal {A}\) and a relation (X, W). Define the event \(E_i\) as \(\mathcal {A}(\textsf{Sim}_i(X, 0)) = 1\).

• \(\textsf{Sim}_1\): This simulator runs the same procedure as the honest prover \(\mathcal {P}_1\), but it uses uniformly random bit strings \(\textsf{seed}_i\)’s. The adversary only spots the difference in the transcript if he has made a query exactly on \(\textsf{seed}\), which happens with the probability less than \(\frac{q}{2^\lambda }\). Thus, \(\big | \textsf{Pr}[ \mathcal {A}(\mathcal {P}(X, W, 0)) = 1 ]- \textsf{Pr}[E_1] \big | \le \frac{q}{2^\lambda }\).

• \(\textsf{Sim}_2\): This simulator is the same as \(\textsf{Sim}_1\) except that it uses uniformly random bit string for commitments \(C_i\) in \(\mathcal {P}_1\). The adversary only sees the difference in the transcript if he has queried on a commitment \( Q_i' \). Assume that all the \(Q_i\) are distinct. Let \(q_i\) be the number of queries of the form \( Q_i' \). Then the probability that \(\mathcal {A}\) has made queries exactly on input \(\ Q_i' \) is at most \(\frac{q_i}{2^\lambda }\). The probability that \(\mathcal {A}\) can spot the difference in the transcript by making queries on some commitment \( Q_i' \) is at most \(\sum \limits _{i=1}^{N} \frac{q_i}{2^\lambda } \le \frac{q}{2^\lambda }\), which implies \( | \textsf{Pr}[E1] -\textsf{Pr}[E2] | \le \frac{q}{2^\lambda }\).

• \(\textsf{Sim}_3\): This simulator is the same as \(\textsf{Sim}_2\) except that \(\textsf{Sim}_2\) reruns \((Q_I', V_I) \leftarrow \textbf{QSample}(Q_0, s)\) and uses this new \(Q_I' = \rho _{V_I}(Q_0)\) in the step 2 of \(\mathcal {V}_2\). This does not change the distribution of output of \(\textsf{Sim}_2\), so \(|\textsf{Pr}[E2] - \textsf{Pr}[E3]| = 0\).

• \(\textsf{Sim}_4\): The is the final simulator which is different from \(\textsf{Sim}\) only by using \( I = 1 \) instead of the value of I in the true witness. Since different values of I do not affect the distribution of \(\textsf{root}\) and \(\textsf{path}\), one has \( |\textsf{Pr}[E3] - \textsf{Pr}[E4]| = 0\).

After randomising all parts of the transcript, the probability that the adversary can spot changes in the distributions is negligible \(\big | \textsf{Pr}[ \mathcal {A}(\mathcal {P}(X, W, 0)) = 1 ] - \textsf{Pr}[E_4] \big | \le \frac{2q}{2^\lambda }\).