Amortization with Fewer Equations for Proving Knowledge of Small Secrets

del Pino, Rafael; Lyubashevsky, Vadim

doi:10.1007/978-3-319-63697-9_13

Rafael del Pino^15,16,17,18 &
Vadim Lyubashevsky¹⁸

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10403))

Included in the following conference series:

Annual International Cryptology Conference

2882 Accesses
13 Citations
7 Altmetric

Abstract

For a linear function f, a vector $\mathbf{x}$ with small coefficients, and a vector $y=f(\mathbf{x})$, we would like to be able to give a zero-knowledge proof for the knowledge of an $\mathbf{x}'$ with small coefficients that satisfies $f(\mathbf{x}')=y$. This is a common scenario in lattice-based cryptography, and there is currently no satisfactory solution for this problem. All known protocols are built via the repetition of a basic protocol that only has constant (1/2 or 2/3) soundness error. This implies that the communication complexity of the final protocol will be at least a factor of k larger than that of the basic one, where k is the security parameter.

One can do better if one considers simultaneously proving the knowledge of many instances of the above linear equation. The protocol that has the smallest amortized communication complexity while achieving close-to-optimal slack (i.e. the ratio between the coefficients in the secret and those that can be extracted from the proof) is due to Cramer et al. (Eurocrypt ’17) which builds on an earlier work of Baum et al. (Crypto ’16). The main downside of this protocol is that the amortization only kicks in when the number of equations is rather large – $4k^2$. This means that for $k=128$, it is only truly optimal when one has more than $2^{16}$ equations to prove. The aforementioned work of Cramer et al. also shows how to achieve a protocol requiring $o(k^2)$ samples, but it is only applicable for much larger values of k and the number of required samples ends up being larger than $2^{16}$.

The main result of our work is reducing the concrete minimal number of equations required for the amortization, while keeping the communication complexity almost unchanged. The cost of this is an increase in the running time of the zero-knowledge proof. More specifically, we show that one can decrease the required number of equations by a factor of $\varOmega (\log ^2{\alpha })$ at the cost of increasing the running time by a factor of $\varOmega (\alpha )$. For example, increasing the running time by a factor of 8 allows us to decrease the required number of samples from 69000 to 4500 – a factor of 15. As a side benefit, the slack of our protocol decreases by a factor of $\log {\alpha }$ as well.

We also show that in the case that f is a function over the polynomial ring $\mathbb {Z}[X]/(X^d+1)$ and we would like to give a proof of knowledge of an $\mathbf{x}'$ with small coefficients such that $f(\mathbf{x}')=2y$, then the number of samples needed for amortization is even lower. Without any trade-offs in the running time, our algorithm requires around 2000 samples, and for the same factor 8 increase in the running time, the requirement goes down to 850.

You have full access to this open access chapter, Download conference paper PDF

Amortized Complexity of Zero-Knowledge Proofs Revisited: Achieving Linear Soundness Slack

More Efficient Amortization of Exact Zero-Knowledge Proofs for LWE

Non-Interactive Zero-Knowledge Proofs of Non-Membership

1 Introduction

Every lattice-based cryptographic construction relies on the fact that when given a matrix $\mathbf{A}$ and a vector y over some ring R (such as $\mathbb {Z}_q$ or $\mathbb {Z}_q[X]/(X^d+1)$ with the usual addition and multiplication operations), it is hard to recover a vector $\mathbf{x}$ with small coefficients such that

$$\begin{aligned} \mathbf{A}\mathbf{x}=y. \end{aligned}$$

(1)

In many instances, one would also like to construct a zero-knowledge protocol where the prover, who knows $\mathbf{x}$, is able to convince a verifier (who only has $\mathbf{A}$ and y) that he possesses this knowledge.

There are several known approaches for constructing such protocols. The first method is to adapt the classic Stern protocol [Ste93], which was used for a similar code-based problem, to working over larger rings [KTX08, LNSW13]. The main issue with this protocol is that each round has soundness error 2/3 and therefore needs to be repeated 192 times (to achieve 128 bits of security). For most practical applications, this technique is therefore unsuitable.

A second approach is to use the “Fiat-Shamir with Aborts” idea of Lyubashevsky [Lyu08, Lyu09, Lyu12] whose original application was to digital signatures. If one uses a ring R that contains a lot of elements with small coefficients (e.g. $R=\mathbb {Z}_q[X]/(X^d+1)$), then one can prove the knowledge of a short $\mathbf{x}'$ and $c\in R$ such that $\mathbf{A}\mathbf{x}'=cy$. This is not exactly equivalent to proving (1), but it suffices for the purposes of digital signatures, commitments [BKLP15], and to some applications of verifiable encryption [LN17].

The most natural and useful scenario, however, is proving the knowledge of some $\mathbf{s}'$ that exactly satisfies (1). One could directly apply the “Fiat-Shamir with Aborts” technique with 0/1 challenges, but this leads to protocols with soundness error 1/2, which is essentially as inefficient as those using the Stern technique. When working over the ring $R=\mathbb {Z}_q[X]/(X^d+1)$, it was shown that one can decrease the soundness error to $1/(2d+1)$ [BCK+14] and prove the knowledge of an $\mathbf{x}'$ such that $\mathbf{A}\mathbf{x}'=2y$. The main observation in that paper was that rather than using challenges from the set $0{\slash }1$, one could use them from the set $\{0,X^i\}$ for $0\le i<2d$. Even though this latter proof does not exactly prove (1), the fact that one can prove the knowledge for a constant multiple of y (rather than some arbitrary, unknown c) makes this type of proof suitable for a variety of applications. But still, the soundness error of $1/(2d+1)$ would require the proof to be repeated around a dozen times for typical values of $d=1024$.

Amortized Proofs. A very interesting line of work, which built upon ideas from [CD09], considered the amortized complexity of the [Lyu08, Lyu09] protocol. In [DPSZ12], it was shown that one could prove the knowledge of a linear (in the security parameter) number of equations with essentially optimal communication per equation. The main downside was that, for a security parameter k, while the prover may have known $\mathbf{x}_i$ with small coefficients that satisfied $\mathbf{A}\mathbf{x}_i=y_i$, he would only be able to prove knowledge of $\mathbf{x}_i'$ whose coefficients were on the order of $2^{\varOmega (k)}$ larger. In practice, this slack is quite bad as it would require setting all the parameters to be very large so as to make the proofs non-vacuous (i.e. so that there isn’t an efficient algorithm that can simply compute such $\mathbf{x}'$ from $\mathbf{A}$ and y).

More recently, using different and novel ideas, Baum et al. [BDLN16] showed how to reduce the slack to super-polynomial in the security parameter, and the most recent work of Cramer et al. [CDXY17] reduced this slack to being only a factor k larger than what one would get by running the basic protocol from [Lyu08, Lyu09] with $0{\slash }1$ challenges. The main downside of this latter algorithm is that it requires doing at least $4k^2$ proofs at the same time. So for $k=128$, this implies that one needs to have at least $2^{16}$ equations that one wishes to prove simultaneously. When wanting to prove fewer than that, one could include some “dummy” values, but this will have the effect of increasing the per-proof communication complexity and running time. The main open direction in this line of work is therefore to reduce the necessary number of equations while keeping the slack and communication to be as low as in [CDXY17]. This is the main result of the current paper.

1.1 Prior Work

High-level overview of [BDLN16, CDXY17]. We will use the notation from [CDXY17]. The setup is that the prover has a linear function f and ordered pairs $(y_1,\mathbf{x}_1),\ldots ,(y_n,\mathbf{x}_n)$ such that $f(\mathbf{x}_i)=y_i$ (in (1), the function f is defined by the matrix $\mathbf{A}$). He wishes to prove the knowledge of $\mathbf{x}_i'$ with small coefficients such that $f(\mathbf{x}_i')=y_i$. The algorithm from [CDXY17] works in two stages. In the first stage, it runs the “imperfect prover” from [BDLN16] which proves the knowledge of all-but-k $\mathbf{x}_i'$. The main issue is that after the first stage, we do not know which k secrets the extractor cannot extract.

In the second stage, the prover creates $4k^2$ additive combinations of $y_i$, for which the pre-image is the corresponding additive combination of the $\mathbf{x}_i$ due to the linearity of the function f.^{Footnote 1} The main result of the paper is showing a strategy for producing these combinations such that for any set S of $\mathbf{x}_i$ of size k, each $\mathbf{x}_i$ from S appears in at least $k+1$ combinations without any other $\mathbf{x}_i$ from S. One can then run the imperfect proof on the $4k^2$ linear combinations and again get the guarantee that all but k secrets can be extracted. Each element in S therefore appears in some extracted combination in which all other elements were already extracted in the first stage. And due to the linearity of f, we can now extract the sole element from the set S appearing in the combination.

An asymptotically more efficient construction is also given in [CDXY17]. This construction uses two different additive combinations of the $y_i$, the first one is a relaxed version in which for any set S of $\mathbf{x}_i$ of size k, all but $k-5k^{0.75}$ of the $\mathbf{x}_i$ from S appears in at least $k+1$ combinations without any other $\mathbf{x}_i$ from S. By running the imperfect proof on these sums all but $5k^{0.75}$ secrets can now be extracted. The second additive combination is identical to the one of the previous proof but is now used on sets of size $5k^{0.75}$, ensuring that after another execution of the imperfect proof all secrets can be extracted. This improved version requires at least $4(5k^{0.75})^2=100k^{1.5}=O(k^{1.5})$ secrets. However it is clear that this construction only makes sense if $k>5k^{0.75}$, i.e. $k>625$. So while this construction is more efficient asymptotically we only consider the previous one which is better for all reasonable security parameters.

More concrete description of the “imperfect proof” from [BDLN16]. The original protocol from [BDLN16] is a $\varSigma $-protocol that can be seen as a very particular type of parallel composition of the protocol from [Lyu08]. The basic protocol from [Lyu08] for proving the knowledge of $\mathbf{x}'$ such that $f(\mathbf{x}')=y$ is as follows: The prover starts by choosing a mask $\mathbf{g}$ from some distribution and sends $h=f(\mathbf{g})$. The verifier then chooses a random bit $c\in \{0,1\}$ as a challenge and sends it to the prover. The prover computes $c\mathbf{x}+\mathbf{g}$ and performs a rejection sampling step, i.e. he aborts with a probability that depends on the value of $c\mathbf{x}+\mathbf{g}$ (this is necessary for zero-knowledge). If it passes, then the prover sends $c\mathbf{x}+\mathbf{g}$ to the verifier. The verifier checks that $f(c\mathbf{x}+\mathbf{g})=cy+h$.

The idea in [BDLN16] for giving “imperfect proofs” for n equations was to choose $T=2\kappa n$ masking parameters $\mathbf{g}_j$ (for some small constant $\kappa $) and send $h_j=f(\mathbf{g}_j)$ to the verifier. The verifier then sends a T-bit challenge string $c_1,\ldots ,c_T$, and the prover sends the $\mathbf{g}_j$ for which $c_j=0$. For every $1\le i\le n$, the prover also tries to send $\mathbf{x}_i+\mathbf{g}_j$ for the first non-used $\mathbf{g}_j$ (a $\mathbf{g}_j$ is considered used if it was revealed in the clear or was previously tried to be used for masking another $\mathbf{x}_{i'}$ with $i'<i$ – there should initially be approximately $\kappa n$ unused $\mathbf{g}_j$). If the rejection sampling step passes, then the prover indeed sends the $\mathbf{x}_i+\mathbf{g}_j$. Otherwise, he tries to send $\mathbf{x}_i+\mathbf{g}_{j'}$ where $\mathbf{g}_{j'}$ is the next unused $\mathbf{g}$. The verifier checks that all the revealed $\mathbf{g}_j$ satisfy $f(\mathbf{g}_j)=h_j$, and then checks that $y_i+h_j=f(\mathbf{x}_i+\mathbf{g}_j)$ for all i. It is then shown that if a prover succeeds with probability $2^{-k+1}$, then an extractor can extract $n-k$ vectors $\mathbf{x}_i'$ that satisfy $f(\mathbf{x}_i')=y_i$. Thus the protocol is a proof of knowledge of all-but-k pre-images.

1.2 Our Results

Our main result builds upon the works of [BDLN16, CDXY17] and allows us to reduce the required minimum number of proofs at the expense of a higher running time. Most importantly, the communication complexity per equation does not increase too much. As an example, if we increase the running-time by a factor of 8, we can decrease the required number of equations from 69000 to around 4500 (see Table 1). We also construct a protocol for proving knowledge of $\mathbf{s}_i$ with small coefficients over the ring $R=\mathbb {Z}_q[X]/(X^d+1)$ such that $\mathbf{A}\mathbf{s}_i=2\mathbf{t}_i$. This protocol gets an even better trade-off between running time and the minimum number of samples. For the same factor of 8 increase in running time, we only now need to have 841 equations.

The importance of these trade-offs becomes even more substantial in the quantum setting. If we model a hash function with k bits of output as a random oracle, it is commonly assumed that while finding a preimage takes classical time $2^{k}$, by using Grover’s algorithm one only needs time $2^{k/2}$ on a quantum computer. In most practical uses the Fiat-Shamir transform [FS86] is used to make the zero-knowledge protocol non interactive by replacing the verifier by a random oracle. This entails that to achieve 128 bits of security one would use a security parameter k $=$ 256, in turn forcing amortization to be done on at least $4k^2=2^{18}$ equations. When using our construction we obtain the same factor 4 between the number of equations needed to achieve 128 bits of classical and quantum security (see Table 1).

Table 1. Trade-offs between the running time and the minimum number of samples for either 128 bits of classical or quantum security. We are considering proofs for (Ring)-LWE instances of dimension 1024 where the secrets and errors have coefficients drawn from $\{-1,0,1\}$.

Full size table

Figure 1 shows a graph that illustrates how increasing the running time by a factor $\alpha $ reduces the minimum number of required equations. The implication is that for larger values of $\alpha $, the added reduction in the minimum number of equations is not worth the increase in the running time. For practical purposes, the best trade-offs are achieved for small $\alpha $’s. Figure 2 illustrates the small effect that increasing $\alpha $ has on the communication complexity of the protocol. Even increasing $\alpha $ by $2^{20}$, which is not advisable as we just mentioned, would result in the communication complexity growing by less than a factor of 2.

Techniques. We achieve this improvement by modifying the first stage of the protocol – that is, the “imperfect proof” from [BDLN16]. Improving this protocol to make it a proof of knowledge of all-but-$\tau $ pre-images for some $\tau <k$, allows us to only do the amortized second stage of [CDXY17] with only $4\tau ^2 < 4k^2$ equations. A way to reduce $\tau $ is for the prover to produce a larger number of $h_j$ in the first step of the $\varSigma $-protocol and then for the verifier to demand that the prover reveal the pre-images of a larger fraction of the $h_j$. The protocol of [BDLN16] can be thought of as a cut-and-choose protocol, thus more reveals intuitively implies a higher probability of the correctness of the non-revealed parts. If we introduce a parameter $\alpha $, then the prover produces $T=\alpha \kappa n$ elements $h_j$ in the first part, sends them to the verifier, and receives a challenge $c_1,\ldots ,c_T$ where a $1-1/\alpha $ fraction of the $c_j$ are 0. The prover reveals the pre-images of the corresponding $h_j$ and then uses the non-revealed $\mathbf{g}_j$ (of which there are $\kappa n$) to send $\mathbf{x}_i+\mathbf{g}_j$ in the same manner as in [BDLN16] described in Sect. 1.1. We prove that this results in a protocol that proves the knowledge of all-but-$\tau $ pre-images for $\tau =k/\log {\alpha }.$ Therefore, now only $4(k/\log {\alpha })^2$ equations are needed for amortization to kick in.

One issue that still needs to be resolved is the communication complexity. Naively, it seems that one would need to send $T=\alpha \kappa n$ elements $h_j$ which would increase the communication complexity by a factor $\alpha $. We instead give an approach in which the communication is only logarithmically dependent on $\alpha $ – furthermore it will only be small additive factors that have a dependence on $\log {\alpha }$. Rather than sending $h_1,\ldots ,h_T$, the prover can instead send a hash $h=H(h_1,\ldots ,h_T)$ where H is a collision-resistant hash function. This does not completely solve the problem because at some point the prover will need to send the $h_j$ so that the verifier can check the validity of h. But here we use the fact that all except $\kappa n$ of the $h_j$ will have their pre-images simply revealed. Our strategy is therefore as follows: we create the $\mathbf{g}_j$ from 256-bit seeds $s_j$ which are leaves on a tree generated by a pseudorandom function. That is, from the root of the tree, one can generate the entire tree. When required to reveal pre-images of a set of $h_j$, the prover does not need to send the $\mathbf{g}_j$ (or their seeds) individually. He can instead send roots of sub-trees which only include the seeds that will be revealed. We prove that with this strategy, rather than sending $\alpha \kappa n$ seeds, one only needs to send a maximum of $\kappa n \log {\alpha }$ many elements from the tree (which are themselves 256 bits each).

Putting everything together, we show that at the expense of increasing the running time by a factor of $\alpha $, one can reduce the minimum number of samples required for amortization by a factor of $\log ^2{\alpha }$. Our second contribution is showing that when working over the ring $\mathbb {Z}[X]/(X^d+1)$, proving the knowledge of $\mathbf{x}_i$ such that $f(\mathbf{x}_i)=2y_i$ has an even better trade-off between running-time and the minimum number of samples. In particular, we show that at the expense of an $\alpha $-fold increase in running time, one can reduce the minimum number of vectors by a factor of $\left( \frac{\log {\alpha }+\log {2d}}{1+1/\log {\alpha }}\right) ^2$.

To obtain such an improvement we adapt the proof of [BCK+14] to the framework of [BDLN16]. Though merging the two protocols is rather straightforward, the knowledge extractors of both of these schemes don’t combine as nicely. The knowledge extractor of [BDLN16] first recovers a set of all but k of the masking parameters $\mathbf {g}_j$ and then simply extracts $\mathbf {x}_i$ from $\mathbf {x}_i+\mathbf {g}_j$. This method falls apart when used with the protocol of [BCK+14] as the latter scheme uses rewinding to obtain two equations $X^a\mathbf {x}+\mathbf {g}$ and $X^b\mathbf {x} +\mathbf {g}$ and recovers a pre-image from their difference. The same rewinding is still possible in our scheme but will yield two equations of the form $X^a\mathbf {x}_i+\mathbf {g}_j$ and $X^b\mathbf {x}_i +\mathbf {g}_{j'}$ and extraction will be only possible if $j=j'$, which cannot be guaranteed. We resolve this issue by conditioning our extractor on the fact that $j=j'$ which results in a slightly sub-optimal number of extracted preimages: $n-\frac{k\cdot (1+1/\log \alpha )}{\log \alpha +\log 2d}$ instead of simply $n-\frac{k}{\log \alpha +\log 2d}$. It is not clear to us whether this small loss is necessary or simply an artifact of our proof.

1.3 Paper Organization

In Sect. 2, we introduce the notation and definitions that we will be using throughout the paper. In Sect. 3 we present a modification of the “imperfect proof” protocol of [BDLN16], which is a proof of knowledge of all-but-$\tau $ pre-images for $\tau =k/\log {\alpha }$. This protocol only serves as intuition, and we do not formally prove its correctness or security because the communication complexity (i.e. the proof size) grows linearly in $\alpha $. In Sect. 4, we show how to reduce the communication complexity of the interactive protocol from Sect. 3 and prove its correctness, zero-knowledge, and soundness. We only show honest-verifier zero-knowledge because this is enough to convert the protocol to a non-interactive one using the Fiat-Shamir transform, which is the manner in which one would use these schemes in practice. Analyzing the size of the communication is delayed until in Sect. 6 because this analysis also applies to the protocol in Sect. 5. In Sect. 5, we show that if the proof is done over the ring $\mathbb {Z}[X]/(X^d+1)$, then the number of required equations can be made even smaller if one wants to prove $f(\mathbf{x}')=2y$.

2 Preliminaries

2.1 Notation

We will write vectors such as $\mathbf {b}$ or $\mathbf {B}$ in bold face. We refer to the i$^{th}$ position of a vector $\mathbf {b}$ as $\mathbf {b} \left[ i \right] $. Define $\left[ r \right] =\left\{ 1,\ldots ,r \right\} $. The Euclidean norm of a vector, $\mathbf {b}\in \mathbb {Z}^r$ is $\left\| {\mathbf {b}}\right\| =\sqrt{\sum _{i\in \left[ r \right] }{\mathbf {b} \left[ i \right] }^2}$. For a set $\mathcal S$, we write $s\mathop {\leftarrow }\limits ^{{}_\$}\mathcal S$ to denote that s was drawn uniformly at random from $\mathcal S$. For a distribution D, we write $s\leftarrow D$ to denote that s is drawn from D.

2.2 Homomorphic OWF

In this section we follow the framework of [BDLN16] in defining homomorphic one-way functions over integer vectors (which includes polynomial rings) as well as amortized zero-knowledge proofs of preimage for these functions. Let $\lambda \in \mathbb {N}$ be a security parameter, G be an Abelian group, $\beta ,r\in \mathbb {N}$, $f:\mathbb {Z}^r \rightarrow G$ be a function and $\mathcal {A}$ be any algorithm. Consider the following game:

$\mathbf {Invert}_{\mathcal {A},f,\beta }(\lambda )$ :

1.
Choose $\mathbf {x}\in \mathbb {Z}^r$, $\left\| {\mathbf {x}}\right\| \le \beta $ and compute $y=f(\mathbf {x})$.
2.
On input $(1^\lambda ,y)$ the algorithm $\mathcal {A}$ computes an $\mathbf {x}'$.
3.
Output 1 iff $f(\mathbf {x}')=y$, $\left\| {\mathbf {x}'}\right\| \le \beta $, and 0 otherwise.

Definition 2.1

(Homomorphic OWF over Integer Vectors (ivOWF)). A function $f: \mathbb {Z}^r \rightarrow G$ is called a homomorphic one-way function over the integers if the following conditions hold:

There exist a polynomial time algorithm $eval_f$ such that $eval_f(\mathbf {x})=f(\mathbf {x})$ for all $\mathbf {x}\in \mathbb {Z}^r$.
for all $\mathbf {x}, \mathbf {x}'\in \mathbb {Z}^r$ it holds that $f(\mathbf {x})+f(\mathbf {x}')=f(\mathbf {x} + \mathbf {x}')$.
for every PPT algorithm $\mathcal {A}$ there exists a negligible function $negl (\lambda )$ such that:
$$\begin{aligned} \Pr \left[ {\mathbf {Invert}_{\mathcal {A},f,\beta }(\lambda )=1}\right] \le negl (\lambda ). \end{aligned}$$

2.3 Rejection Sampling and the Normal Distribution

For a protocol to be zero-knowledge, the output of the prover needs to be independent of his secret. In certain situations achieving this independence requires rejection sampling. While [BDLN16] used rejection sampling in the infinity norm (as in [Lyu08, Lyu09]) we use the euclidean norm and thus rejection sampling over the $\ell _2$ norm using normal distributions (as in [Lyu12]), which allows for tighter parameters. But all our techniques easily work for the $\ell _\infty $ norm as well.

Definition 2.2

(Continuous Normal Distribution). The continuous Normal distribution over $\mathbb {R}^r$ centered at $\mathbf {v}$ with standard deviation $\sigma $ is defined by the probability density function $\rho _{\mathbf {v},\sigma }^r(\mathbf {x})=\left( \frac{1}{\sqrt{2\pi \sigma ^2}} \right) ^re^{-\frac{\left\| {\mathbf {x} - \mathbf {v}}\right\| ^2}{2\sigma ^2}}$.

Definition 2.3

(Discrete Normal Distribution). The discrete Normal distribution over $\mathbb {Z}^r$ centered at $\mathbf {v}$ with standard deviation $\sigma $ is defined by the probability mass function $\mathcal D_{\mathbf {v},\sigma }^r(\mathbf {x})=\rho _{\mathbf {v},\sigma }^r(\mathbf {x})/\rho _{\mathbf {v},\sigma }^r(\mathbb {Z}^r) $.

Lemma 2.4

(Tail-Cut Bound [Ban93]). $\Pr \left[ {\left\| {\mathbf {z}}\right\| \ge 2\sigma \sqrt{r}; \mathbf {z} \leftarrow \mathcal D_\sigma ^r}\right] < 2^{-r}$.

Theorem 2.5

(Rejection sampling [Lyu12] Theorem 4.6). Let V be a subset of $\mathbb {Z}^r$ with elements of norm less than T, let h be a distribution over V. Let $\sigma =11T$, for $\mathbf {v}, \mathbf {z}\in \mathbb {Z}^r$ let $\mathbf {Rej}(\mathbf {v},\mathbf {z})$ be the algorithm that outputs 1 with probability $\min \left( \mathcal D_\sigma ^r(\mathbf {z})/(3\mathcal D_{\mathbf {v},\sigma }^r(\mathbf {z})),1 \right) $ and 0 otherwise. Then we have:

$$\begin{aligned} \left( \mathbf {v}, \mathbf {z}\mid \mathbf {Rej}(\mathbf {v},\mathbf {z})=1 \right) \sim _s\left( \mathbf {v}, \mathbf {z}' \right) \end{aligned}$$

where $\mathbf {v}\leftarrow h$, $\mathbf {z}\leftarrow \mathcal D_{\mathbf {v},\sigma }^r$, and $\mathbf {z}'\leftarrow \mathcal D_{\sigma }^r$, i.e. the distribution of $\mathbf {z}$ conditioned on $\mathbf {Rej}(\mathbf {v},\mathbf {z})=1$ is exactly a discrete Normal distribution centered on 0. Moreover the probability, taken over the choice of $\mathbf {v} \leftarrow h$ and $\mathbf {z}\leftarrow \mathcal D_{\mathbf {v},\sigma }^r$ that $\mathbf {Rej}$ outputs 1 is exponentially close to 1/3:

$$\begin{aligned} \left| {\mathop {\Pr }\limits _{\mathbf {v} \leftarrow h,\mathbf {z}\leftarrow \mathcal D_{\mathbf {v},\sigma }^r}\left[ \mathbf {Rej}(\mathbf {v},\mathbf {z})=1 \right] -\frac{1}{3}}\right| \le 2^{-100} \end{aligned}$$

2.4 Zero-Knowledge Proofs of Knowledge

We will consider amortized proofs of knowledge for preimages of an ivOWF. Formally, given an ivOWF f the relation we want to give a zero-knowledge proof of knowledge for is:

$$\begin{aligned} \mathcal R_{\text {KSP}}(n,f,\beta ) = \left\{ (Y,\mathbf {X})\in (G\times \mathbb {Z}^r)^n \biggm |\right.&Y =(y_1,\ldots ,y_n)\wedge \mathbf {X} = (\mathbf {x}_1,\ldots ,\mathbf {x}_n) \\&\qquad \left. {\wedge }\, \left[ y_i=f(\mathbf {x}_i) \wedge \left\| {\mathbf {x}_i}\right\| \le \beta \right] _{i\in \left[ n \right] } \right\} \end{aligned}$$

We define a second binary relation $\mathcal R'$, such that $\mathcal R\subset \mathcal R'$, which characterizes the soundness slack of the protocol, i.e. while the input to the protocol is a pair $(Y,\mathbf {X})\in \mathcal R$ the knowledge extractor can only extract values in $\mathcal R'$. Typically the relation $\mathcal R'$ is identical to $\mathcal R$ except for the fact that the components of $\mathbf {X}$ are bounded in norm by a constant $\beta '> \beta $. We will however see in Sect. 5 a ZKPOK for a different relation $\mathcal R'$.

Definition 2.6

(Zero-Knowledge Proof of Knowledge). Let $\mathcal P_{\text {ZK}}$ be a two-party protocol, let $\mathcal R, \mathcal R'$ be binary relations such that $\mathcal R\subseteq \mathcal R'$, let k be a statistical security parameter. $\mathcal P_{\text {ZK}}$ is a zero-knowledge proof of knowledge if the following properties hold:

$\mathbf {Correctness}$ : If $\mathcal P, \mathcal V$ are honest and run $\mathcal P_{\text {ZK}}$ on an instance of $\mathcal R$, then the protocol terminates with probability greater than $1-2^{O(k)}$.

$\mathbf {Computational~Honest}\text {-}\mathbf {Verifier~Zero}\text {-}\mathbf {Knowledge}$ : There exists an expected PPT simulator $\mathcal {S}$ such that for any $(a,b)\in \mathcal R$, and for any PPT algorithm $\mathcal {A}$. $\mathcal {A}$ has advantage $negl (k)$ in distinguishing between the two following distributions:

$View_{\mathcal V}\left[ \mathcal P(a,b)\leftrightarrow \mathcal V(a) \right] $ the view of $\mathcal V$ consisting in the transcript of the protocol as well as the random coins of $\mathcal V$.
$\mathcal {S}(a)$.

$\mathbf {Soundness}$ : For any pair $(a,b)\in \mathcal R$, for any deterministic prover $\hat{\mathcal P}$ that succeeds with probability $p>2^{-k}$ one can extract $b'$ such that $(a,b')\in \mathcal R'$ in expected time $poly(s,k)\cdot 1{\slash }p$, where s is the size of the input to the protocol.

2.5 Imperfect Proof of Knowledge and a Compiler

In [BDLN16], the authors introduce the concept of an imperfect proof of knowledge. An imperfect proof of knowledge is a protocol that proves knowledge of pre-images in the relation $\mathcal R_{\text {KSP}}$, however the knowledge extractor is not required to be able to extract all the pre-images.

Definition 2.7

(Imperfect Proof of knowledge). Let $\mathcal P_{IProof}$ be a two-party protocol, let f be an ivOWF, let $\mathcal R_{\text {KSP}}(n,f,\beta )$ and $\mathcal R_{\text {KSP}}(n,f,\beta ')$ be two binary relations on f, k be the security parameter. The protocol $\mathcal P_{IProof}$ is an imperfect proof of knowledge with imperfection $\tau (k)$ if the following properties hold:

$\mathbf {{Correctness}}$ : $\mathcal P_{IProof}$ is correct as in Definition 2.6.

$\mathbf {Computational~Honest}\text {-}\mathbf {Verifier~Zero}\text {-}\mathbf {Knowledge}$ : $\mathcal P_{IProof}$ is honest verifier zero-knowledge as in Definition 2.6.

$\mathbf {{Impefect~Soundness}}$ : For any pair $(Y=(y_1,\ldots ,y_n),\mathbf {X}=(\mathbf {x}_1,\ldots ,\mathbf {x}_n))\in \mathcal R_{\text {KSP}}(n,f,\beta )$, for any deterministic prover $\hat{\mathcal P}$ that succeeds with probability $p>2^{-k}$ one can extract at least $n-\tau (k)$ values $\mathbf {x}_i'$ such that $f(\mathbf {x}_i')=y_i$ and $\left\| {\mathbf {x}_i'}\right\| \le \beta '$ in expected time $poly(s,k)\cdot 1{\slash }p$, where s is the size of the input to the protocol.

[BDLN16] introduced a ZKPOK that uses an imperfect proof as a building block. The construction was later improved in [CDXY17] allowing for very efficient proofs that only require two executions of the imperfect proof system, while only introducing an additional soundness slack of k. The protocol, however, requires the amortization to be done on at least $4k^2$ secrets, which can be impractical. We give a somewhat refined statement of this construction as the proof of [CDXY17] can be straightforwardly adapted to using the imperfection $\tau (k)$ instead of k.

Theorem 2.8

(Compiler [CDXY17] Theorem 2). Let f be an ivOWF, let k be a statistical security parameter, let $\mathcal R_{\text {KSP}}(n,f,\beta )$ and $\mathcal R_{\text {KSP}}(n,f,\beta ')$ be two binary relations on f. Let $\mathcal P_{IProof}$ be an imperfect proof with imperfection $\tau (k)$. If $n\ge 4 \tau (k)^2+O(\log k)$ then there exists an efficient construction for a zero-knowledge proof of knowledge $\mathcal P_{CProof}$ with soundness slack $\tau (k)\beta '$.

In this paper, we give constructions that can reduce the imperfection $\tau (k)$ of the imperfect proof to values less than k, thus allowing for more efficient zero-knowledge protocols in cases where the number of available equations is less than $\tau (k)$.

3 Warmup Construction

We present a first construction that achieves imperfection $\tau (k)=k/log(\alpha )+1$ for any parameter $\alpha $, but has proof size that grows linearly in $\alpha $. This first construction is similar to the one of [BDLN16]. Their protocol works in two phases: first the prover samples masking parameters $\mathbf {g}_j,j\in \left[ T \right] $ and a cut-and-choose protocol reveals each one with probability one half. After this step, the verifier is convinced that with probability $1-2^{-k}$ all but k of them are well formed. In the second phase the masking parameters that were not revealed are used to hide the secrets of the prover. We modify the first phase of this protocol so that the prover reveals each masking parameter with probability $1-1/\alpha $. For $\alpha \ge 2$, this reduces the percentage of $\mathbf {g}_j$ on which the prover can cheat and, in turn, reduces the imperfection of the proof. However, the number of masking parameters necessary for the second phase is on the order of n, meaning that, since the prover will reveal a fraction $1-1/\alpha $ of them, the protocol then requires $T=\varTheta (\alpha n)$ masking parameters.

We describe this protocol in Fig. 3. We do not give a formal proof that it is an imperfect proof of knowledge with imperfection $k/\log \alpha +1$ as the protocol presented in the next section is a strict improvement upon this one. While this first protocol achieves better imperfection than the one of [BDLN16], it has a major downside in that the communication cost grows linearly with $\alpha $, since we need $T\ge \alpha n$. This voids any improvement over the previous protocol. To remedy this problem we will modify this protocol as follows:

Rather than sending the hash of every $a_i$ in the first round the prover will only send $h=H(h_1,\ldots ,h_T)$, thus making the first flow of the protocol constant size.
In his second move, the prover sends $\mathbf {g}_j,j\in \mathcal O$. This is an issue because $\left| \mathcal O \right| \simeq (\alpha -1)4n$, but also because the $\mathbf {g}_i$ can be rather large. We solve these problems by sending a set of seeds from which a PRG will be used to derive the $\mathbf {g}_i$. This way only 256 bits need to be sent for each seed. Most crucially, by using a tree data-structure, we show that the prover only needs to send $4n\log \alpha $ seeds in his second move.

4 Amortized Proof for $f(\mathbf{x}_i)=y_i$ with Fewer Equations

In this section we describe our first concrete imperfect proof of knowledge and prove that it has imperfection $\tau (k)=k/\log \alpha +1$. We show that the proof is only slightly dependent on $\alpha $ in Sect. 6.

We will need the following two functions, which can both be efficiently implemented using an extendable output function (e.g. SHAKE128 [BDPA16]):

$\mathbf {PRF}$ : $\{0,1\}^{256}\rightarrow \{0,1\}^{512}$ a size doubling pseudo-random function
$\mathbf {PRG}$ : $\{0,1\}^{256} \rightarrow \{0,1\}^*$ a pseudo-random generator

For a randomized algorithm h and a seed $s\in \{0,1\}^{256}$ we will write $h\left[ \mathbf {PRG}(s) \right] $ to denote an execution of h using as randomness the bits output by $\mathbf {PRG}(s)$.

We first describe the tree structure that we will use. From now on we will only consider $T=2^t$ a power of two, which simplifies the description of the protocols and does not affect efficiency – all the results we obtain can be adapted to general T. A tree $\varGamma $ is a binary tree with nodes labeled in $\{0,1\}^*$ (the root will have the label $\emptyset $, its left child will have label 0, its right child will have label 1, etc.). We consider complete binary trees of depth t, which implies that the leaves will be labeled in $\{0,1\}^t$. We map the range $\left[ T \right] $ to the labels of the leaves through the mapping where the image of $t\in \left[ T \right] $ is the leaf labeled by the binary decomposition of $t-1$. Each node will have two extra attributes, one will be the seed associated to the node (which can be bottom for the verifier since he will not know all the seeds), the other will be a bit indicating whether the associated seed must be sent to the verifier in the first flow.

The purpose of this seed tree is twofold. We will use the leaves as seeds for the $\mathbf {PRG}$ when generating the $\mathbf {g}_j,{j\in \left[ T \right] }$. This way sending the seeds to the verifier in the first flow will be sufficient as he can then reconstruct the $\mathbf {g}_j,{j\in \mathcal O}$ using the $\mathbf {PRG}$. More importantly, rather than directly sending the leaves of the seed tree, it will be more efficient to send the smallest set of nodes needed to recover the leaves for indices that lie in $\mathcal O$. We define the tree structure as follows:

Tree T:

Label $\subset \left\{ 0,1 \right\} ^*$
Left $\in \mathbf{Tree }\;\cup \perp $
Right $\in \mathbf{Tree }\; \cup \perp $
Leaf $\in \{0,1\}$
Sel $\in \{0,1\}$
Seed $\in \{0,1\}^{256} \; \cup \perp $

For $j\in \{0,1\}^*$ we denote by $\varGamma \left[ j \right] $ the node with label j. We will describe four algorithms: the first to initialize the tree will be performed by both parties, the second to initialize the seeds will only be used by the prover, the third to compute the indexes of the seeds that will be sent in the first flow of the protocol will be used by both parties, and the fourth to recover the seeds needed to compute the $\mathbf {g}_j, j\in \mathcal O$ will only be used by the verifier.

The second algorithm $\mathbf {Initialize}$ will use a seed fixed by the prover and compute the seed associated with the children of each node as the first and second half of $\mathbf {PRF}$ applied on the seed of the parent node.

The $\mathbf {Prefix}$ algorithm will compute the prefix of a set of nodes and set their attribute Sel to 1. A node n will be in the prefix of a set $\mathcal O$ if all the leaves that descend from n are in $\mathcal O$ and none of the ancestors of n are in the prefix of $\mathcal O$. The algorithm ensues directly from this definition.

The $\mathbf {Reconstruct}$ algorithm will use a tree in which the prefix $\mathcal S$ of $\mathcal O$ has been computed as well as a set of seeds $s_j,j\in \mathcal S$ and will reconstruct the seeds $s_j,j\in \mathcal O$ by using $\mathbf {SeedTree}$ for each node in $\mathcal S$.

We give in Fig. 5 an example of a seed tree as well as a set $\mathcal O$ and its prefix.

We describe our improved protocol in Fig. 4.

Theorem 4.1

Let f be an ivOWF, k be a statistical security parameter, H a collision resistant hash function, $r\ge 128$ be an integer, $\chi $ the bernouilli distribution of parameter $1/\alpha $ (i.e. $P\left[ \chi =0 \right] =1-P\left[ \chi =1 \right] =1-1/\alpha $). Let $T=5\alpha n$, $\sigma =11\beta $, $B=2\sigma \sqrt{r}$. The protocol $\mathcal P_{IProof}$ given in Fig. 4 is an imperfect proof of knowledge for inputs in $\mathcal R_{\text {KSP}}(n,f,\beta )$, with soundness extractor in $\mathcal R_{\text {KSP}}(n,f,2B)$ and imperfection $\frac{k}{\log \alpha }+1$.

Proof

We prove correctness in Lemma 4.2, honest-verifier zero-knowledge in Lemma 4.3, and soundness in Lemma 4.4.

We first prove correctness.

Lemma 4.2

(Correctness). With parameters set as in Theorem 4.1, the protocol $\mathcal P_{IProof}$ described in Fig. 4 completes with probability greater than $1-2^{-100}$.

Proof

By the homomorphic property of f and by construction of $\mathbf {Initialize}$, $\mathbf {SeedTree}$, $\mathbf {Prefix}$, and $\mathbf {Reconstruct}$ all the checked equalities hold. We fist consider the probability that $\mathcal P$ aborts. $\mathcal P$ will abort if he runs out of samples during the rejection sampling. For each $\mathbf {g}_j,j\in \left[ T \right] $ the probability that $\mathbf {g}_j$ will not be revealed is $1/\alpha $, and by Theorem 2.5 the probability that the rejection sampling will succeed is 1/3, in which case the vector obtained will be of norm less than B with overwhelming probability (2.4). We can model the probability that each $g_j$ will not be revealed and will pass both checks of the rejection step by a Bernoulli variable $X_j$ s.t $\Pr \left[ {X_j=1}\right] =1/(3\alpha )-2^{-O(n)}$. $\mathcal P$ will abort if $\sum _{j\in \left[ T \right] }X_j<n$. Using the Chernoff bound we obtain:

$$\begin{aligned} \Pr \left[ {\sum _{j\in \left[ T \right] }X_j<n}\right]&\le \exp \left( -\frac{(T-3\alpha n)^2}{3\alpha T}+2^{-O(n)} \right) \\&= \exp \left( {-\frac{4n}{15}}+2^{-O(n)} \right) , \end{aligned}$$

which is negligible asymptotically (and in practice less than $2^{-100}$ whenever we amortize over $n\ge 260$ secrets.)

We now consider the probability that $\mathcal V$ aborts. $\mathcal V$ will abort if there exists either $j\in \mathcal O$ such that $\left\| {\mathbf {g}_j}\right\| > B$ or $i\in \left[ n \right] $ such that $\left\| {\mathbf {z}_i}\right\| >B$. Since the $\mathbf {g}_j$ and the $\mathbf {z}_i$ are drawn independently from the distribution $\mathcal D_\sigma ^r$ by using a union bound we have that the probability that the norm of one of them exceeds $B$ is less than $(T+n)2^{-r}$. $\square $

We now show that this protocol is honest-verifier zero-knowledge.

Lemma 4.3

(HVZK). With parameters set as in Theorem 4.1, the protocol $\mathcal P_{IProof}$ described in Fig. 4 is computationally honest-verifier zero-knowledge.

Proof

The honest-verifier zero-knowledge proof is very close to that of [BDLN16], but we still include it here for completeness as there are slight differences. Consider the following algorithm $\mathcal {S}_{IProof}$:

On input $(\mathbf {Y}=(y_1,\ldots ,y_n),\beta )$ sample $s\mathop {\leftarrow }\limits ^{{}_\$}\{0,1\}^{256}$ and $(s_j)_{j\subset \{0,1\}^t}$ using $\mathbf {SeedTree}$.
Sample $\mathbf {c}\leftarrow \chi ^T$, compute the sets $\mathcal O$ and $\mathcal C$.
Set $\varPhi '=\emptyset $, for $j\in \mathcal C$ sample $\mathbf {z}_j\leftarrow \mathcal D_\sigma ^r$ and do the following:
- Sample $b\mathop {\leftarrow }\limits ^{{}_\$}\left\{ 0,1,2 \right\} $
- If $b=0 \wedge \left\| {\mathbf {z}_j}\right\| \le B$ then $\varPhi '=\varPhi ' \cup j$
For $j\in \mathcal O$ set $h_j=H(f(\mathcal D_\sigma ^r \left[ \mathbf {PRG}(s_j) \right] ))$.
If $\left| \varPhi ' \right| <n$ then for $j\in \mathcal C$ set $h_j\mathop {\leftarrow }\limits ^{{}_\$}\{0,1\}^{256}$, $h=H(h_1,\ldots ,h_T)$, output $(h,\mathbf {c},(s_j)_{j\in prefix(\mathcal O)},(h_j)_{j\in \mathcal C})$ and abort.
If $\left| \varPhi ' \right| \ge n$ set $\varPhi $ to be the first n elements of $\varPhi '$ and for $i\in \left[ n \right] $ rename $\mathbf {z}_{\varPhi \left[ i \right] }$ as $\mathbf {z}_i$. For $j\in \mathcal C {{\setminus }} \varPhi $ set $h_j\mathop {\leftarrow }\limits ^{{}_\$}\{0,1\}^{256}$.
For $i\in \left[ n \right] $ set $a_{\varPhi \left[ i \right] }=f(\mathbf {z}_{i})-y_i$, $h_{\varPhi \left[ i \right] }=H(a_{\varPhi \left[ i \right] })$.
Set $h=H(h_1,\ldots ,h_T)$, output
$$\begin{aligned} (h,\mathbf {c}, (s_j)_{j\in prefix (\mathcal O)},(h_j)_{j\in \mathcal C},\,\varPhi ,\,(\mathbf {z}_{\varPhi \left[ i \right] })_{i\in \left[ n \right] }). \end{aligned}$$

We first consider the abort probability of the simulator: $\mathcal {S}$ will abort if $\left| {\varPhi '}\right| <n$. For each $j\in \left[ T \right] $ the simulator adds a $\mathbf {z}_j$ to $\varPhi '$ iff $\mathbf {c}\left[ j \right] =1 \wedge b=0\wedge \left\| {\mathbf {z}_j}\right\| \le B$, the probability of this event is $1/(3\alpha )-2^{-O(n)}$, thus the probability of abort will be exponentially close to the one of $\mathcal P_{IProof}$. Regardless of whether the simulator aborts or not, all the checks performed by the verifier will accept: h is set to be $h=H(h_1,\ldots ,h_T)$, and when $\mathcal {S}$ does not abort he sets $h_{\varPhi \left[ i \right] }$ so that $H(f(\mathbf {z}_i)-y_i)=h_{\varPhi \left[ i \right] }$. The sets $\mathcal O$ and $\mathcal C$ are defined in the same way as in $\mathcal P_{IProof}$ and the $s_j,j\in prefix(\mathcal O)$ are also sampled according to the protocol. Note that in $\mathcal P_{IProof}$ for $j\in \mathcal C {{\setminus }} \varPhi $ the $h_j$ are distributed uniformly since H is modeled as a random oracle and no preimages of the $h_j$ are given (note that for some leaves of the tree the verifier knows half of the output of $\mathbf {PRF}$ on the parent node, even conditioning on this knowledge the second half of the output is uniform as $\mathbf {PRF}$ is modeled as a random oracle). It remains to analyze the distribution of $\mathbf {z}_i$ for $i\in \left[ n \right] $. We have by Theorem 2.5 that the distribution of $\mathbf {z}_i,i\in \left[ n \right] $ in $\mathcal P_{IProof}$ is that of a discrete gaussian centered in 0 with standard deviation $\sigma $ and thus identical to the distribution of $\mathbf {z}_i$ in $\mathcal {S}$. $\square $

We finally show the soundness of the protocol, i.e. that one can extract all but $\tau (k)=k/\log \alpha +1$ preimages from a prover that succeeds with probability greater than $2^{-k}$.

Lemma 4.4

(Soundness). With parameters set as per Theorem 4.1, the protocol $\mathcal P_{IProof}$ has imperfection $\tau (k)=k/\log \alpha +1$ and slack 2B.

Proof

The soundness proof is similar to the one of [BDLN16] as the use of the hashes and seed trees does not affect it significantly. We will however give a detailed proof, first to address the differences with the proof of [BDLN16], and second because the soundness proof of the protocol described in Sect. 5 will build upon this first proof.

Let $k'= k/\log \alpha +1$, let $\hat{\mathcal P}$ be a deterministic prover that makes an honest verifier accept with probability $p>2^{-k}$. We will construct an extractor $\mathcal E$ that extracts $n-k'$ values $\mathbf {x}_i',i\in I\subset \left[ n \right] $ such that $f(\mathbf {x}_i')=y_i$ and $\left\| {\mathbf {x}_i'}\right\| \le 2B$. $\mathcal E$ will run in expected time $poly(s,k)\cdot 1{\slash }p$ where s is the size of the input to $\mathcal P_{IProof}$.

We first give a high-level overview of the proof. Remark that by collision resistance of H we can consider $\mathbf {g}_1,\ldots ,\mathbf {g}_T$ as being fixed by the value of h. $\mathcal E$ will begin by running $\hat{\mathcal P}$ on random challenges, and thus random sets $\mathcal O\subset \left[ T \right] $. Each time $\hat{\mathcal P}$ is successful $\mathcal E$ will be able to extract $\mathbf {g}_j$ for j in $\mathcal O$ (since the prover is effectively revealing $\mathbf {g}_j, j\in \mathcal O$ in his first message after the challenge). $\mathcal E$ will repeat this step until he has extracted all but $k'$ vectors $\mathbf {g}_j$, we will prove that this takes expected time $O(1{\slash }p)$. Once this is done $\mathcal E$ can run $\hat{\mathcal P}$ until he succeeds and obtain vectors $\mathbf {z}_i,i\in \left[ n \right] $ such that, by collision resistance of H, $f(\mathbf {z}_i)=y_i+f(\mathbf {g}_{\varPhi [i]})$. If $\mathcal E$ has previously extracted $\mathbf {g}_{\varPhi [i]}$ he can compute $\mathbf {z}_i-\mathbf {g}_{\varPhi [i]}$ which is a preimage of $y_i$. Since $\mathcal E$ knows all but $k'$ vectors $\mathbf {g}_j$, $\mathcal E$ will be able to obtain preimages for all but $k'$ secrets $y_i$.

Formally: $\mathcal E$ starts $\hat{\mathcal P}$ who outputs h and runs the protocol on random challenges until he outputs $(s_j)_{j\in prefix(\mathcal O)}$ and $(h_j)_{j\in \mathcal C}$, from this $\mathcal E$ can recover hashes $(h_j)_{j\in \left[ T \right] }$ such that $H(h_1,\ldots ,h_T)=h$, fix $\overline{h}:=h$ and $\overline{h}_j:=h_j$. Set $A:=\emptyset $ and run T instances of $\hat{\mathcal P}$ in parallel, which we denote $\hat{\mathcal P}_1,\ldots ,\hat{\mathcal P}_T$. Do the following until $\left| {A}\right| \ge T-k'$:

For each $\hat{\mathcal P}_j$ sample a random challenge $\mathbf {c}_j\leftarrow \chi ^T$ subject to $\mathbf {c}_j\left[ j \right] =0$ and run $\hat{\mathcal P}_j$ on challenge $\mathbf {c}_j$.
For each instance $\hat{\mathcal P}_j$ that does not abort, reconstruct $s_j$ from the prover’s response and set $\mathbf {g}_j= \mathcal D_\sigma ^r\left[ \mathbf {PRG}(s_j) \right] $. Verify the proof output by $\hat{\mathcal P}_j$ and set $A=A\cup \mathbf {g}_j$. Note that if the proof is valid then the verifier can reconstruct $h_1,\ldots ,h_T$ s.t
$$\begin{aligned} H(h_1,\ldots ,h_T)=\overline{h}=H(\overline{h}_1,\ldots ,\overline{h}_T) \end{aligned}$$
since H is collision resistant we have in particular that $h_j=\overline{h}_j$ which implies $H(f(\mathbf {g}_j))=\overline{h}_j$. We also have $\left\| {\mathbf {g}_j}\right\| \le B$.

Observe that if this algorithm terminates we obtain a set A of at least $T-k'$ preimages of the $\overline{h}_j$ by the function $H \circ f$. We will now show that this extractor finishes in expected polynomial time. This proof is very similar to the one of [BDLN16] but we choose to present it anyway as it will be reused in the next section.

Let $p_j$ be the probability that $\hat{\mathcal P}_j$ outputs a good $\mathbf {g}_j$ (i.e. such that $H(f(\mathbf {g}_j))=\overline{h}_j \wedge \left\| {\mathbf {g}_j}\right\| \le B$). We say that $p_j$ is bad if $p_j <p/k'$ and good otherwise. Let $X_j$ be the event that $\hat{\mathcal P}_j$ eventually outputs a good $\mathbf {g}_j$, where $X_j=1$ if the event happens and $X_j=0$ otherwise. If $p_j$ is good then after l iterations:

$$\begin{aligned} \Pr \left[ {X_j=0}\right] \le \left( 1-p/k' \right) ^l\le e^{- l p/k'} \end{aligned}$$

so after at most $l=k\cdot k'/p$ iterations we can expect that $\mathbf {g}_j$ was extracted except with probability negligible in k. This can be generalized to the success of all $\hat{\mathcal P}_j$ (where $p_j$ is good) by a union bound, and the probability of failing is still negligible because T is polynomial in k. The resulting extractor thus runs in time $O(Tk^2/p\log \alpha )$ provided there are less than $k'$ bad $p_j$.

Assume there are $k'$ bad $p_j$ which, for simplicity, are $p_1,\ldots ,p_{k'}$. In the protocol the challenge is taken according to the distribution $\chi ^T$. The success probability of $\hat{\mathcal P}$ can be conditioned on the value of $\mathbf {c}\left[ 1 \right] $ as

$$\begin{aligned} p \,=\,&\Pr \left[ \begin{array}{c|c} {\hat{\mathcal P}\text { succeeds}}&{\mathbf {c}\left[ 1 \right] =0} \end{array} \right] \cdot \Pr \left[ {\mathbf {c}\left[ 1 \right] =0}\right] \\&+\,\Pr \left[ \begin{array}{c|c} {\hat{\mathcal P}\text { succeeds}}&{\mathbf {c}\left[ 1 \right] =1} \end{array} \right] \cdot \Pr \left[ {\mathbf {c}\left[ 1 \right] =1}\right] \\ {=}\,&p_1\left( 1-\frac{1}{\alpha } \right) +\frac{1}{\alpha }\Pr \left[ \begin{array}{c|c} {\hat{\mathcal P}\text { succeeds}}&{\mathbf {c}\left[ 1 \right] =1} \end{array} \right] \\ \end{aligned}$$

Conditioning additionally on $\mathbf {c}\left[ 2 \right] $ yields

$$\begin{aligned} p&\le p_1\left( 1-\frac{1}{\alpha } \right) +\frac{1}{\alpha } \left( \left( 1-\frac{1}{\alpha } \right) \alpha p_2+ \frac{1}{\alpha }\Pr \left[ \begin{array}{c|c} {\hat{\mathcal P}\text { succeeds}}&{\mathbf {c}\left[ 1 \right] =1\wedge \mathbf {c}\left[ 2 \right] =1} \end{array} \right] \right) \\&= \left( 1-\frac{1}{\alpha } \right) (p_1+p_2)+\frac{1}{\alpha ^2}\Pr \left[ \begin{array}{c|c} {\hat{\mathcal P}\text { succeeds}}&{\mathbf {c}\left[ 1 \right] =1\wedge \mathbf {c}\left[ 2 \right] =1} \end{array} \right] \end{aligned}$$

The reason the inequality holds is as follows: the probability that a random challenge s.t $\mathbf {c}\left[ 2 \right] $ will yield a preimage of $\overline{h}_2$ is $p_2$. Now conditioning on $\mathbf {c}\left[ 1 \right] =1$, which occurs with probability $1/\alpha $, will increase that probability from $p_2$ to at most $\alpha p_2$.

Repeating the above argument generalizes to

$$\begin{aligned} p \, {\le }\,&\left( 1-\frac{1}{\alpha } \right) (p_1+p_2+\ldots +p_{k'})\\&{+}\, \frac{1}{\alpha ^{k'}}\Pr \left[ \begin{array}{c|c} {\hat{\mathcal P}\text { succeeds}}&{\mathbf {c}\left[ 1 \right] =1\wedge \ldots \wedge \mathbf {c} \left[ k' \right] =1} \end{array} \right] \\ {<} \,&\left( 1-\frac{1}{\alpha } \right) p+\frac{1}{\alpha ^{k'}} \end{aligned}$$

This entails that

$$\begin{aligned} p&<\frac{1}{\alpha ^{k'-1}}=\alpha ^{-{k/log\alpha }}=2^{-k} \end{aligned}$$

From this we conclude that there are less than k’ bad $p_j$, and thus that $\mathcal E$ has extracted a set A of size at least $T-k'$ of elements $\mathbf {g}_j$ s.t

$$\begin{aligned} H(f(\mathbf {g}_j))=\overline{h}_j \wedge \left\| {\mathbf {g_j}}\right\| \le B. \end{aligned}$$

We will now show how to use this set A to extract $n-k'$ secrets $\mathbf {x}_i'$.

$\mathcal E$ runs $\hat{\mathcal P}$ on random challenges until it succeeds. Call this successful instance $\widetilde{\mathcal P}$, this takes expected time $1{\slash }p$. From the output of $\widetilde{\mathcal P}$, $\mathcal E$ obtains a set $\widetilde{\varPhi }$ as well as $(\widetilde{\mathbf {z}}_i)_{i\in \left[ n \right] }$ s.t $H(f(\widetilde{\mathbf {z}}_i)-y_i)=\overline{h}_{\widetilde{\varPhi }\left[ i \right] }$ (by collision resistance of H and by the fact that $H(\widetilde{h}_1,\ldots ,\widetilde{h}_T)=\overline{h}$) and $\left\| {\widetilde{\mathbf {z}}_i}\right\| \le B$. For each $i\in \left[ n \right] $ if there exists $\mathbf {g}_{\widetilde{\varPhi }\left[ i \right] }\in A$, then we have $H(f(\widetilde{\mathbf {z}}_i)-y_i)=H(f(\mathbf {g}_{\widetilde{\varPhi }\left[ i \right] }))$, setting $\mathbf {x}_i'=\widetilde{\mathbf {z}}_i - \mathbf {g}_{\widetilde{\varPhi }\left[ i \right] }$ gives $f(\mathbf {x}_i')=y_i$ and $\left\| {\mathbf {x}_i'}\right\| \le 2B$. Since $\left| {A}\right| \ge T-k'$ there are at most $k'$ of the $\widetilde{\varPhi }\left[ i \right] $ that are not in this set and $\mathcal E$ can extract $n-k'$ preimages $\mathbf {x}_i'$. $\square $

Using this imperfect proof with the compiler of Theorem 2.8 results in a proof of knowledge with soundness slack $4k\sqrt{r} \beta /\log \alpha $, communication overhead O(1) (we will discuss this in further details in Sect. 6) and amortization over $4\left( \frac{k}{\log \alpha }+1 \right) ^2$ secrets. e.g. for $\alpha =2^{10}$ one can create amortized proofs for as few as 853 secrets with a security parameter $k=128$, while the construction of [CDXY17] needs to amortize over at least 67103 secrets for the same security. However this protocol is not strictly better in the sense that the computation cost, which is essentially the number of evaluations of the function f, increases multiplicatively in $\alpha $ for both the prover and the verifier, making this protocol impractical for very large $\alpha $. In the next section we describe a new variant of the scheme inspired by the work of [BCK+14] that reduces the soundness errror $\tau (k)$ without necessarily increasing the computational cost of the protocol.

5 Proving $f(\mathbf{x}_i)=2y_i$ with Even Fewer Equations

In this section we use an idea from the zero-knowledge proof of [BCK+14] to improve the imperfection of our previous scheme. In [BCK+14] the authors prove knowledge of preimages for an ivOWF over a polynomial ring of dimension d, they take advantage of this structure by replacing the binary challenge of the classic 3-round ZKPOK with a challenge in $\left\{ 0,\pm 1,\pm X,\ldots ,\pm X^{d-1} \right\} $ this improves the soundness error of the protocol from 1/2 to $1/(2d+1)$. We adapt this technique to further improve the imperfection of our imperfect proof. The knowledge extractor becomes however substantially more complicated.

Let $\mathcal R$ be the polynomial ring $\mathbb {Z}[{X}]/\langle {X}^d+1\rangle $. For $(a_1,\ldots ,a_l)\in \mathcal R^l$ and for $b\in \mathcal R$ let $\star $ be the following product $\star :\mathcal R\times \mathcal R^l\rightarrow \mathcal R^l$ such that $b\star (a_1,\ldots ,a_l)=(ba_1,\ldots ,ba_l)$.

In this section we will consider ivOWFs $f:\mathbb {Z}^r\simeq \mathcal R^l\rightarrow \mathcal R$ such that for $b\in \mathcal R$ and $a\in \mathcal R^l$ we have $f(b\star a)=bf(a)$. This type of one-way function is often used in ideal-lattice constructions.

Lemma 5.1

([BCK+14] Lemma 3.2). Let d be a power of 2, let $a,b\in \left\{ \pm 1,\ldots , \pm X^{d-1} \right\} $. Then $2(a-b)^{-1} \mod X^d+1$ only has coefficients in $\left\{ -1,0,1 \right\} $. In particular $\left\| {2(a-b)^{-1}}\right\| \le \sqrt{d}$.

We now prove that the construction of Fig. 6 is an imperfect proof of knowledge.

Theorem 5.2

Let $f:\mathcal R^l\rightarrow \mathcal R$ be an ivOWF, $r=ld\ge 128$ be an integer, let $f'=2f$, let k be a statistical security parameter, H a collision resistant hash function, $\chi $ a distribution over $\left\{ 0,\pm 1,\pm X,\ldots ,\pm X^{d-1} \right\} $ with $\Pr \left[ {\chi =0}\right] =1-1/\alpha $ and $\forall c \in \left\{ \pm 1,\ldots ,\pm X^{d-1} \right\} $, $\Pr \left[ {\chi =c}\right] =1/(2d\alpha )$. Let $T=5\alpha n$, $\sigma =11\beta $, $B=2\sqrt{r}\sigma $. The protocol $\mathcal P_{IProof}$ given in Fig. 6 is an imperfect proof of knowledge for inputs in $\mathcal R_{\text {KSP}}(f,n,\beta )$, with soundness extractor in $\mathcal R_{\text {KSP}}(f',n,\sqrt{d}B)$ and imperfection $\frac{k(1+1/\log \alpha )}{\log \alpha +\log 2d}+1$.

Proof

The proofs for the correctness and zero-knowledge of the protocol are identical to the proofs in the previous section. On the other hand the soundness proof is more involved.

Soundness: Let $k'= \frac{k(1+1/\log \alpha )}{\log \alpha +\log 2d}+1$, let $\hat{\mathcal P}$ be a deterministic prover that makes an honest verifier accept with probability $p>2^{-k}$. We will construct an extractor $\mathcal E$ that extracts $n-k'$ values $\mathbf {x}_i',i\in I\subset \left[ n \right] $ such that $f(\mathbf {x}_i')=2y_i$ and $\left\| {\mathbf {x}_i'}\right\| \le \sqrt{d}B$. $\mathcal E$ will run in time $poly(s,k)\cdot 1/p^{1+2/\log \alpha }$ where s is the size of the input to $\mathcal P_{IProof}$.

We first give a high level overview of the soundness proof. $\mathcal E$ starts by running the extractor from Lemma 4.4 to obtain all but $k/\log \alpha +1$ vectors $\mathbf {g}_j$ as well as all but $k/\log \alpha +1$ preimages $\mathbf {x}_i$. Next we would like to have $\mathcal E$ run $\hat{\mathcal P}$ until he is successful twice and obtain two outputs:

$\mathbf {z}_1,\ldots ,\mathbf {z}_n$ such that $f(\mathbf {z}_i)=\mathbf {c}[\varPhi [i]]\cdot y_i+\mathbf {g}_{\varPhi [i]}$
$\mathbf {z}_1',\ldots ,\mathbf {z}_n'$ such that $f(\mathbf {z}_i')=\mathbf {c}'[\varPhi '[i]]\cdot y_i+\mathbf {g}_{\varPhi '[i]}$

Now if for a given $i\in [n]$ we have both:

$$\begin{aligned} \varPhi [i]=\varPhi '[i] \end{aligned}$$

(2)

$$\begin{aligned} \mathbf {c}[\varPhi [i]]\ne \mathbf {c}'[\varPhi [i]] \end{aligned}$$

(3)

Then $\mathcal E$ can extract $\left( \mathbf {z}_i-\mathbf {z}_i' \right) \cdot 2\left( \mathbf {c}[\varPhi [i]]- \mathbf {c}[\varPhi '[i]] \right) ^{-1}$ which is a preimage of $2y_i$. We would thus like to show that there are at least $n-k'$ indices $i\in [n]$ for which both of these equations are true with non negligible probability. However proving such a thing is difficult as the probabilities that (2) is true for each $i \in [n]$ are not independent. We instead show a somewhat stronger statement: we prove that there exists a function g, going from the set of indices i for which $\mathbf {x}_i$ was not extracted to the set of indices j for which $\mathbf {g}_j$ was not extracted, such that if $\hat{\mathcal P}$ succeeds on a random challenge then with good probability $\varPhi [i]=g(i)$ for all indices i for which $\mathbf {x}_i$ was not extracted. Intuitively we simply show that one mapping $\varPhi $ from the unextracted $\mathbf {x}_i$ to the unextracted $\mathbf {g}_j$ has to occur more often than the others, which we call g. Since there are not too many such mappings (less than $2^{k/\log \alpha }$) we can restrict our extractor to only consider the outputs of $\hat{\mathcal P}$ where he uses $\varPhi =g$. Now $\mathcal E$ can run $\hat{\mathcal P}$ until he outputs two valid proofs, for which we are guaranteed that for all relevant $i\in [n]$, $\varPhi [i]=\varPhi '[i]=g(i)$. To conclude we show that there exist at least $n-k'$ indices i for which the success probability of $\hat{\mathcal P}$ is still high even when conditioned on $\mathbf {c}[\varPhi [i]]\ne \mathbf {c}'[\varPhi [i]]$. Doing so we obtain $n-k'$ indices $i\in [n]$ for which both (2) and (3) are true, and $\mathcal E$ can extract all but $n-k'$ preimages.

Formally: We first use the same extractor as in the proof of Lemma 4.4. Though this scheme is different, the same extractor applies with the only difference being that the equation verified by the extracted $\mathbf {x}_i'$ will be of the form $f(\mathbf {x}_i')=b X^ay_i$ for some $b\in \left\{ -1,1 \right\} , a\in \left[ d \right] $. Which directly gives $f(-bX^{d-a}\mathbf {x}_i')=y_i$, since this new pre-image has the same norm we can rename it and obtain the same result. We thus obtain the following:

$\overline{h}$ the hash sent by $\hat{\mathcal P}$ on his first flow.
$\overline{h}_1,\ldots ,\overline{h}_T$ such that $H(\overline{h}_1,\ldots ,\overline{h}_T)=\overline{h}$.
A set A of at least $T-k/\log \alpha -1$ vectors $\mathbf {g}_j'$ such that $H(f(\mathbf {g}_j'))=\overline{h}_j$. We define $\varPsi \subset \left[ T \right] $ to be the indices of the $\overline{h}_j$ for which a preimage was not extracted.
A set S of at least $n-k/\log \alpha -1$ vectors $\mathbf {x}_i'$ such that $f(\mathbf {x}_i')=y_i$. We define $\varUpsilon \subset \left[ n \right] $ to be the indices of the $y_i$ for which a preimage was not extracted.

By construction of this extractor we have $\left| {\varUpsilon }\right| \le \left| {\varPsi }\right| \le k/\log \alpha +1$.

Observe that, on a successful run of $\hat{\mathcal P}$, the set $\varPhi $ is a strictly increasing mapping from $\left[ n \right] $ to $\left[ T \right] $ (this is explicitly checked by the verifier). In the previous protocol this was used to show zero-knowledge, as reusing randomness could leak information, but this is now crucial for soundness. We also note that since $\varPhi $ is a function from $\left[ n \right] $ to $\left[ T \right] $ we have either:

$\left( A \right) $ :: $\varPhi (\varUpsilon )\subset \varPsi $
$\left( B \right) $ :: Or $\exists i\in \varUpsilon $ s.t. $\varPhi [i]\notin \varPsi $

If on a run $\hat{\mathcal P}$ is successful and $\left( B \right) $ occurs then there exist $i,j\in \left[ n \right] \times \left[ T \right] $ such that $H(f(\mathbf {z}_i)-\mathbf {c} \left[ j \right] y_i)=h_{j}$ and $j=\varPhi [i]\notin \varPsi $. As we have already extracted $\mathbf {g}_j'$ with $H(f(\mathbf {g}_j'))=\overline{h}_j=h_j$ we obtain that $\mathbf {x}_i'=\mathbf {c}\left[ j \right] ^{-1}(\mathbf {z}_i-\mathbf {g}_j')$ is a preimage of $y_i$. We can thus redefine the set $\varUpsilon $ to be $\varUpsilon := \varUpsilon {{\setminus }} i$. Suppose that on a successful run of $\hat{\mathcal P}$, $\left( B \right) $ occurs with probability greater than $1{\slash }2$. The extractor can then run $\hat{\mathcal P}$ $O(2{\slash }p)$ times, successfully extract a new preimage of the $y_i$ and reduce the size of $\varUpsilon $ by 1. After repeating this procedure O(k) times we have either that $\left| {\varUpsilon }\right| <k'$, in which case the extractor is done, or that $\left( B \right) $ occurs with probability strictly lower than $1{\slash }2$ on a successful run. For the rest of the proof we assume the latter. Since either $\left( A \right) $ or $\left( B \right) $ occurs on a successful run this implies that $\left( A \right) $ happens with probability strictly greater than $1{\slash }2$.

On any run where $\left( A \right) $ occurs, $\varPhi $ induces a strictly increasing mapping from $\varUpsilon $ to $\varPsi $, let $\mathcal G$ be the set of all such mappings, we have

$$\begin{aligned} \left| {\mathcal G}\right| ={\left| {\varPsi }\right| \atopwithdelims ()\left| {\varUpsilon }\right| }\le 2^{\left| {\varPsi }\right| }\le 2^{k/\log \alpha +1}. \end{aligned}$$

The extractor runs $\left| {\mathcal G}\right| $ parallel instances of $\hat{\mathcal P}$ denoted as $\hat{\mathcal P}^g,g\in \mathcal G$, and does the following until $\left| {S}\right| \ge n-k'$.

Run instance $\hat{\mathcal P}^g$ with fresh randomness until it succeeds, $\left( A \right) $ occurs and $\varPhi (\varPsi )=g(\varPsi )$. Denote the challenge used as $\widetilde{\mathbf {c}}^g$ and the output of the prover as $\widetilde{\mathbf {z}}_i^g, i\in \left[ n \right] $.
Run $\left| {\varUpsilon }\right| $ parallel instances of $\hat{\mathcal P}^g$ denoted as $\hat{\mathcal P}^g_i,i\in \varUpsilon $, do the following:
- For each $\hat{\mathcal P}^g_i$ sample a random challenge $\mathbf {c}^g_i\leftarrow \chi ^T$ subject to $\mathbf {c}^g_i\left[ i \right] \ne \widetilde{\mathbf {c}}^g \left[ i \right] $ and run $\hat{\mathcal P}^g_i$ on challenge $\mathbf {c}^g_i$.
- For each instance $\hat{\mathcal P}^g_i$ that does not abort. If $\left( A \right) $ occurs and $\varPhi (\varPsi )=g(\varPsi )$, then the vector $\mathbf {z}_i$ output by the prover verifies:
  $$\begin{aligned} H(f(\mathbf {z}_i)-\mathbf {c}^g_i \left[ g(i) \right] y_i)=\overline{h}_i. \end{aligned}$$
  From the previous step we had $\widetilde{\mathbf {z}}_i^g$ such that
  $$\begin{aligned} H(f(\widetilde{\mathbf {z}}_i^g)-\widetilde{\mathbf {c}}^g \left[ g(i) \right] y_i)=\overline{h}_i. \end{aligned}$$
  The extractor sets
  $$\begin{aligned} \mathbf {x}_i'=\left( \mathbf {z}_i^g-\widetilde{\mathbf {z}}_i^g \right) \cdot 2\left( \mathbf {c}^g_i \left[ g(i) \right] -\widetilde{\mathbf {c}}^g\left[ g(i) \right] \right) ^{-1} \end{aligned}$$
  Note that $f(\mathbf {x}_i')=2y_i$ and by Lemma 5.1 $\left\| {\mathbf {x}_i'}\right\| \le \sqrt{d}B$.

We now prove that this extractor terminates in expected time $\frac{\mathop {\text {poly}}(s,k)}{p^{1+2/\log \alpha }}$. Since $\left| {\mathcal G}\right| \le 2/p^{1/\log \alpha }$ it is sufficient to show that there exists g in $\mathcal G$ such that $\hat{\mathcal P}^g$ runs in time $\mathop {\text {poly}}(s,k)\cdot 1/p^{1+1/\log \alpha }$. On any run where $\left( A \right) $ occurs, $\varPhi (\varUpsilon )$ is a function in $\mathcal G$, this implies that

$$\begin{aligned} \Pr \left[ {\hat{\mathcal P}\; succeeds \wedge \left( A \right) }\right] =\sum _{g\in \mathcal G} \Pr \left[ {\hat{\mathcal P}\; succeeds \wedge \left( A \right) \wedge \varPhi (\varUpsilon )=g}\right] \end{aligned}$$

and thus

$$\begin{aligned} \exists \gamma \in \mathcal G\text { s.t. } \Pr \left[ {\hat{\mathcal P}\; succeeds \wedge \left( A \right) \wedge \varPhi (\varUpsilon )=\gamma }\right]&\ge \frac{\Pr \left[ {\hat{\mathcal P}\; succeeds \wedge \left( A \right) }\right] }{\left| {\mathcal G}\right| }\\&\ge \frac{p^{1+1/\log \alpha }}{2} \end{aligned}$$

We will use the shorthand $\hat{\mathcal P}\wedge \gamma $ for the event $\hat{\mathcal P}\; succeeds \wedge \left( A \right) \wedge \varPhi (\varUpsilon )=\gamma $. Let $p_i$ be the probability that $\hat{\mathcal P}_i^\gamma $ succeeds, i.e.

$$\begin{aligned} p_i=\Pr \left[ \begin{array}{c|c} {\hat{\mathcal P}\wedge \gamma }&{\mathbf {c}\left[ \gamma (i) \right] \ne \widetilde{\mathbf {c}}^\gamma \left[ \gamma (i) \right] } \end{array} \right] , \end{aligned}$$

we say that $p_i$ is bad if $p_i<\frac{\Pr \left[ {\hat{\mathcal P}\wedge \gamma }\right] }{k'}$ and good otherwise. If there are less than $k'$ bad $p_i$ then the extractor terminates in expected time

$$\begin{aligned} \mathop {\text {poly}}(s,k)\cdot \frac{\left| {\mathcal G}\right| }{\Pr \left[ {\hat{\mathcal P}\wedge \gamma }\right] }=\mathop {\text {poly}}(s,k)\cdot 2^{k(1+2/\log \alpha )} \end{aligned}$$

(c.f. the proof of Lemma 4.4). Assume that there are $k'$ bad $p_i$ which, for simplicity, are $p_1,\ldots ,p_{k'}$. Then the event $\hat{\mathcal P}\wedge \gamma $ can be conditioned on the value of $\mathbf {c}[\gamma (1)]$ as

$$\begin{aligned} \Pr \left[ {\hat{\mathcal P}\wedge \gamma }\right] \,{=}\,&\Pr \left[ \begin{array}{c|c} {\hat{\mathcal P}\wedge \gamma }&{\mathbf {c}\left[ \gamma (1) \right] \ne \widetilde{\mathbf {c}}^\gamma \left[ \gamma (1) \right] } \end{array} \right] \cdot \Pr \left[ {\mathbf {c}\left[ \gamma (1) \right] \ne \widetilde{\mathbf {c}}^\gamma \left[ \gamma (1) \right] }\right] \\&{+}\,\Pr \left[ \begin{array}{c|c} {\hat{\mathcal P}\wedge \gamma }&{\mathbf {c}\left[ \gamma (1) \right] = \widetilde{\mathbf {c}}^\gamma \left[ \gamma (1) \right] } \end{array} \right] \cdot \Pr \left[ {\mathbf {c}\left[ \gamma (1) \right] = \widetilde{\mathbf {c}}^\gamma \left[ \gamma (1) \right] }\right] \\ {=}\,&\frac{2d\alpha -1}{2d\alpha }p_1+\frac{1}{2d\alpha }\Pr \left[ \begin{array}{c|c} {\hat{\mathcal P}\wedge \gamma }&{\mathbf {c}\left[ \gamma (1) \right] = \widetilde{\mathbf {c}}^\gamma \left[ \gamma (1) \right] } \end{array} \right] \end{aligned}$$

Conditioning on $\mathbf {c}\left[ \gamma (2) \right] ,\ldots ,\mathbf {c}\left[ \gamma (k') \right] $ we have

$$\begin{aligned} \Pr \left[ {\hat{\mathcal P}\wedge \gamma }\right]&\le \frac{2d\alpha -1}{2d\alpha }\left( p_1+\ldots +p_{k'} \right) \\&+ \frac{1}{(2d\alpha )^{k'}}\Pr \left[ \begin{array}{c|c} {\hat{\mathcal P}\wedge \gamma }&{\mathbf {c}\left[ \gamma (1) \right] = \widetilde{\mathbf {c}}^\gamma \left[ \gamma (1) \right] ,\ldots ,\mathbf {c}\left[ \gamma (k') \right] = \widetilde{\mathbf {c}}^\gamma \left[ \gamma (k') \right] } \end{array} \right] \\&<\frac{2d\alpha -1}{2d\alpha }\Pr \left[ {\hat{\mathcal P}\wedge \gamma }\right] +\frac{1}{(2d\alpha )^{k'}}\\&\le \frac{1}{(2d\alpha )^{k'-1}}\\&< 2^{-k(1+1/\log \alpha )-1}\\ \end{aligned}$$

which contradicts the fact that $\Pr \left[ {\hat{\mathcal P}\wedge \gamma }\right] \ge \frac{p^{1+1/\log \alpha }}{2}$.

From this we conclude that there are less than $k'$ bad $p_i$, and thus that the extractor has extracted a set S of $n-k'$ vectors $\mathbf {x}_i'$ such that $\left\| {\mathbf {x}_i'}\right\| \le \sqrt{d}B$ and $f(\mathbf {x}_i')=2y_i$ in time $\mathop {\text {poly}}(s,k)\cdot 2^{k(1+2/\log \alpha )}.$ $\square $

6 Proof Size

In this section we will go more in-depth in the trade-offs offered by the schemes described in Sects. 4 and 5. We first give the expected value as well as an upper bound on the size of the prefix $\mathcal S$ of the set $\mathcal O$ as the second flow of the prover will consist in sending $\left| {\mathcal S}\right| $ seeds (and $\left| {\mathcal C}\right| $ hashes).

Lemma 6.1

Let $T=2^t$, let $\mathbf {c} \leftarrow \chi ^T\in C^T$ (the set C from which the values of $\mathbf {c}$ are taken does not matter, all that matters is the probability with which 0 is sampled) with $\chi $ such that $\Pr \left[ {\chi =0}\right] =1-1/\alpha $, let $\mathcal O=\left\{ j\in \left[ T \right] ,\mathbf {c}\left[ j \right] =0 \right\} $, and let $\mathcal S(\mathbf {c})=prefix(\mathcal O)$ be as defined in Sect. 4. Then:

With overwhelming probability we can bound the size of $\mathcal S(\mathbf {c})$ by
$$\begin{aligned} \left| {\mathcal S(\mathbf {c})}\right| \le \left\lfloor \frac{1.4T}{\alpha }\log {\frac{\alpha }{1.4}}\right\rfloor \end{aligned}$$

Proof

Consider the binary tree $\varGamma $ which leaves are numbered according to $\left[ T \right] $, we will say that a leaf $j\in \left[ T \right] $ is selected if $\mathbf {c} \left[ j \right] =0$. First observe that we can split $\varGamma $ into two trees $\varGamma _L$ and $\varGamma _R$ of size $T{\slash }2$, $\varGamma _L$ being the binary tree associated to the first $T{\slash }2$ values $\mathbf {c}_L$ of $\mathbf {c}$ and $\varGamma _R$ the tree associated to the last $T{\slash }2$ vales $\mathbf {c}_R$ of $\mathbf {c}$. The prefix $\mathcal S(\mathbf {c})$ of $\varGamma $ will be the union of the prefixes $\mathcal S(\mathbf {c}_L)$ and $\mathcal S(\mathbf {c}_R)$, except if all the leaves of $\varGamma $ are selected, in which case its prefix will be its root. i.e. $\forall \mathbf {c} \ne (0,\ldots ,0)$, $\mathcal S=\mathcal S(\mathbf {c}_L)\cup \mathcal S(\mathbf {c}_R)$, which implies $\left| {\mathcal S(\mathbf {c})}\right| =\left| {\mathcal S(\mathbf {c}_L)}\right| +\left| {\mathcal S(\mathbf {c}_R)}\right| $.

We first use the Chernoff bound to obtain a lower bound on the size of $\mathcal O$. Let $\mathcal C=\left[ T \right] {{\setminus }} \mathcal O$, we have:

$$\begin{aligned} \Pr \left[ {\left| {\mathcal C}\right| >1.4T/\alpha }\right] \le e^{-\frac{T}{15\alpha }}= e^{-\frac{n}{3}} \end{aligned}$$

since for all practical parameters we will have $n\ge 250$, we can assume that $\left| {C}\right| \le 1.4T/\alpha $. We consider the worst case for the size of $\mathcal S$ for a given $\left| {\mathcal C}\right| =a$, i.e. we define

$$\begin{aligned} W(T,a)=\underset{\#_0(\mathbf {c})=T-a}{\max } \left( \left| {\mathcal S(\mathbf {c})}\right| \right) . \end{aligned}$$

We will prove that $\forall a \in \left[ T \right] , W(T,a)\le a\log \left( T/a \right) $. Remark that for all T, $W(T,0)=1$. Since for all $\mathbf {c}\in C^T$ we have

$$\begin{aligned} \left| {S(\mathbf {c})}\right| \le \left| {S(\mathbf {c}_L)}\right| +\left| {S(\mathbf {c}_R)}\right| , \end{aligned}$$

we get

$$\begin{aligned} W(T,a)\le \underset{b}{\max }\left( W(T/2,b)+W(T/2,a-b) \right) \end{aligned}$$

where $\max (0,a-T/2)\le b \le \min (a,T/2)$. We prove that

$$\begin{aligned} \forall a \in \left[ T \right] , W(T,a)\le a\log \left( T/a \right) \end{aligned}$$

by induction over $T=2^t$:

For $T=1$, $W(1,1)=1$
For 2T: Assume that for all $1\le b\le T$, $W(T,b)\le b\log \left( T/b \right) $ (and $W(T,0)=1$). Fix $a\in \left[ 2T \right] $. Let $f(b)=W(T,b)+W(T,a-b)$, then
$$\begin{aligned} W(2T,a)\le \underset{b}{\max }(f(b)) \end{aligned}$$
for $\max (0,a-T/2)\le b \le \min (a,T/2)$.
- For $b=a$ or $b=0$,
  $$\begin{aligned} f(b)=W(T,a)+W(T,0)\le a\log (T/a)+1\le a\log (2T/a) \end{aligned}$$
- For $b \ne a$ and $b\ne 0$,
  $$\begin{aligned} f(b)\le a\log (T/a)+(a-b)\log (T/(a-b)). \end{aligned}$$
  Simple analysis shows that this function reaches its maximum for $b=a/2$, and thus $f(b)\le a \log (2T/a)$

We conclude by using the fact that W(T, a) is an integer. Finally, with high probability

$$\begin{aligned} \left| {\mathcal S(\mathbf {c})}\right| \le W(T,1.4T/\alpha )\le \left\lfloor \frac{1.4T}{\alpha }\log {\frac{\alpha }{1.4}}\right\rfloor \end{aligned}$$

$\square $

We will show that the size of the protocol given in Fig. 4 can be made nearly independent of the parameter $\alpha $ by cleverly encoding each flow. We will consider the four flows of the protocol each on its own (though it is clear that the proof really is a three-move protocol since the last two flows can be sent simultaneously).

First Flow: The prover sends $h\in \{0,1\}^{256}$ to the verifier, this is clearly independent of $\alpha $.

$$\begin{aligned} \text {Flow size}=256 \text { bits} \end{aligned}$$

Second Flow: The verifier sends $\mathbf {c}\in \{0,1\}^T$ to the prover, this takes $5\alpha n$ bits since $T=5\alpha n$. However the verifier can compute the sets $\mathcal O$ and $\mathcal C=\left[ T \right] {\setminus } \mathcal O$ before sending $\mathbf {c}$ (rather than doing it afterwards) and equivalently send the set $\mathcal C$. We have $\left| {\mathcal C}\right| \le 7n$ and since the indices of $\mathcal C$ are in $\left[ T \right] $ they can be encoded in $\log (5\alpha n)$ bits. The second flow only depends on $\alpha $ logarithmically.

$$\begin{aligned} \text {Flow size}\le 7n\log (5\alpha n)\text { bits} \end{aligned}$$

Third Flow: The prover sends $(s_j)_{j\in \mathcal S}$ and $(h_j)_{j\in \mathcal C}$ to the verifier. From Lemma 6.1 we have that $\left| {\mathcal S}\right| \le 7 n\log (\alpha /1.4)$ and similarly $\left| {\mathcal C}\right| \le 7n$, since the seeds and hash all are in $\{0,1\}^{256}$ this flow depends logarithmically on $\alpha $.

$$\begin{aligned} \text {Flow size}\le 7n\log \left( \frac{2\alpha }{1.4} \right) \cdot 256\text { bits} \end{aligned}$$

Fourth Flow (i.e. second part of the Third Flow): The prover sends $\varPhi $ and $(\mathbf {z}_i)_{i\in \left[ n \right] }$ to the verifier. Since $\varPhi \in [T]^n$ sending it naively would require $n\log (5\alpha n)$ bits, however all the elements of $\varPhi $ correspond to non-zero indices of $\mathbf {c}$, i.e. they are in $\mathcal C$. $\varPhi $ can thus be encoded using $n\log (\left| {\mathcal C}\right| )\le n\log (7n)$ bits. The coefficients of the $\mathbf {z}_i$ come form $\mathcal D_\sigma $ by a tail cutting argument they can be represented in $\log (11\sigma )=\log (11^2\beta )$ bits each and there are nr of them. The fourth flow is independent of $\alpha $.

$$\begin{aligned} \text {Flow size}\le n\log (7n)+nr\log (11^2\beta )\text { bits} \end{aligned}$$

The proof in Fig. 6 only differs in size from this proof on the second flow, where the challenge $\mathbf {c}$ is in $\left\{ 0,\pm 1,\pm X,\ldots ,\pm X^{d-1} \right\} ^T$. But similarly to the encoding we use for the first protocol, the verifier can simply send the set $\mathcal C$ as well as a vector of dimension $\left| {\mathcal C}\right| $ containing the challenges in $\left\{ \pm 1,\pm X,\ldots ,\pm X^{d-1} \right\} $. The size of the second flow now becomes $7n\log (5\alpha n)+7n\log (2d)$. The total size of the proof is finally upper bounded by:

$$\begin{aligned} 256+n\left( 7\log (5\alpha n)+1792\log \left( \frac{2\alpha }{1.4} \right) +\log (7n)+\boxed {7\log (2d)}+r\log (11^2\beta ) \right) \text { bits} \end{aligned}$$

where the boxed term only exists in the protocol from Fig. 6. Note that this size only has a very slight dependence on $\alpha $. In fact the largest summand will be the one corresponding to the $\mathbf {z}_i$ up to $\alpha \sim 2^{30}$, for which the computation requirements of the proof will already be the bottleneck. The complete proof consists in two iterations of the imperfect proof, one with parameter $\beta $ and the second with parameter $\tau (k)\beta $, the size of the complete proof is thus:

And if we consider the average case rather than the worst case we can assume that $\left| {\mathcal S}\right| \le 5n\log \alpha $ and $\left| {\mathcal C}\right| = 5n$. Which gives the expected proof size:

Table 2. Comparison between [CDXY17] and our protocols for the R-LWE ivOWF with binary secrets. Masking parameters are revealed with probability $1-1/\alpha $, k is the security parameter, $\tau (k)$ the imperfection of the protocol, and n the number of secrets. The communication is per secret and the run-time is in number of evaluations of the ivOWF per secret per player.

Full size table

We compare in Table 2 our scheme with the one of [CDXY17] for the (Ring)-LWE one-way function with dimension $d=1024$ (so $r=2048$), and binary secrets (so $\beta =\sqrt{r}$). For a fair comparison we consider the protocol of [CDXY17] in the euclidean norm and with our improvements (only one hash in the first flow and seeds instead of $\mathbf {g}_j$ in the third flow). The communication cost per secret and the slack are rather similar in all three protocols. The main difference being that our protocols allows for amortization over very few secrets but at a larger computation cost. In Fig. 1 we plot the number n of secrets we can amortize over as a function of $\log \alpha $. It is apparent that increasing $\log \alpha $ past a certain threshold yields very little advantage while drastically increasing the computation cost (which grows linearly in $\alpha $). It is also clear that our second protocol gives better amortization than the first one, though this only proves the knowledge of short pre-images of 2y.

Notes

1.
To be more precise, the number of combinations is $p^2$, with p the first prime greater than $2k+1$.

References

Banaszczyk, W.: New bounds in some transference theorems in the geometry of numbers. Mathematische Annalen 296, 625–635 (1993)
Article MathSciNet MATH Google Scholar
Benhamouda, F., Camenisch, J., Krenn, S., Lyubashevsky, V., Neven, G.: Better zero-knowledge proofs for lattice encryption and their application to group signatures. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 551–572. Springer, Heidelberg (2014). doi:10.1007/978-3-662-45611-8_29
Google Scholar
Baum, C., Damgård, I., Larsen, K.G., Nielsen, M.: How to prove knowledge of small secrets. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 478–498. Springer, Heidelberg (2016). doi:10.1007/978-3-662-53015-3_17
Chapter Google Scholar
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The keccak sponge function family (2016)
Google Scholar
Benhamouda, F., Krenn, S., Lyubashevsky, V., Pietrzak, K.: Efficient zero-knowledge proofs for commitments from learning with errors over rings. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9326, pp. 305–325. Springer, Cham (2015). doi:10.1007/978-3-319-24174-6_16
Chapter Google Scholar
Cramer, R., Damgård, I.: On the amortized complexity of zero-knowledge protocols. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 177–191. Springer, Heidelberg (2009). doi:10.1007/978-3-642-03356-8_11
Chapter Google Scholar
Cramer, R., Damgård, I., Xing, C., Yuan, C.: Amortized complexity of zero-knowledge proofs revisited: achieving linear soundness slack. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 479–500. Springer, Cham (2017). doi:10.1007/978-3-319-56620-7_17
Chapter Google Scholar
Damgård, I., Pastro, V., Smart, N., Zakarias, S.: Multiparty computation from somewhat homomorphic encryption. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 643–662. Springer, Heidelberg (2012). doi:10.1007/978-3-642-32009-5_38
Chapter Google Scholar
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). doi:10.1007/3-540-47721-7_12
Google Scholar
Kawachi, A., Tanaka, K., Xagawa, K.: Concurrently secure identification schemes based on the worst-case hardness of lattice problems. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 372–389. Springer, Heidelberg (2008). doi:10.1007/978-3-540-89255-7_23
Chapter Google Scholar
Lyubashevsky, V., Neven, G.: One-shot verifiable encryption from lattices. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 293–323. Springer, Cham (2017). doi:10.1007/978-3-319-56620-7_11
Chapter Google Scholar
Ling, S., Nguyen, K., Stehlé, D., Wang, H.: Improved zero-knowledge proofs of knowledge for the ISIS problem, and applications. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 107–124. Springer, Heidelberg (2013). doi:10.1007/978-3-642-36362-7_8
Chapter Google Scholar
Lyubashevsky, V.: Lattice-based identification schemes secure under active attacks. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 162–179. Springer, Heidelberg (2008). doi:10.1007/978-3-540-78440-1_10
Chapter Google Scholar
Lyubashevsky, V.: Fiat-Shamir with aborts: applications to lattice and factoring-based signatures. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 598–616. Springer, Heidelberg (2009). doi:10.1007/978-3-642-10366-7_35
Chapter Google Scholar
Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012). doi:10.1007/978-3-642-29011-4_43
Chapter Google Scholar
Stern, J.: A new identification scheme based on syndrome decoding. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 13–21. Springer, Heidelberg (1994). doi:10.1007/3-540-48329-2_2
Google Scholar

Download references

Author information

Authors and Affiliations

INRIA, Paris, France
Rafael del Pino
École Normale Supérieure, Paris, France
Rafael del Pino
CNRS, Paris, France
Rafael del Pino
IBM Research Zurich, Zurich, Switzerland
Rafael del Pino & Vadim Lyubashevsky

Authors

Rafael del Pino
View author publications
You can also search for this author in PubMed Google Scholar
Vadim Lyubashevsky
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Rafael del Pino .

Editor information

Editors and Affiliations

University of Maryland, College Park, Maryland, USA
Jonathan Katz
UC San Diego, La Jolla, California, USA
Hovav Shacham

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

del Pino, R., Lyubashevsky, V. (2017). Amortization with Fewer Equations for Proving Knowledge of Small Secrets. In: Katz, J., Shacham, H. (eds) Advances in Cryptology – CRYPTO 2017. CRYPTO 2017. Lecture Notes in Computer Science(), vol 10403. Springer, Cham. https://doi.org/10.1007/978-3-319-63697-9_13

Download citation

DOI: https://doi.org/10.1007/978-3-319-63697-9_13
Published: 02 August 2017
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-63696-2
Online ISBN: 978-3-319-63697-9
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

International Association for Cryptologic Research (opens in a new tab)

Amortization with Fewer Equations for Proving Knowledge of Small Secrets

Abstract

Similar content being viewed by others

Amortized Complexity of Zero-Knowledge Proofs Revisited: Achieving Linear Soundness Slack

More Efficient Amortization of Exact Zero-Knowledge Proofs for LWE

Non-Interactive Zero-Knowledge Proofs of Non-Membership

1 Introduction

1.1 Prior Work

1.2 Our Results

1.3 Paper Organization

2 Preliminaries

2.1 Notation

2.2 Homomorphic OWF

Definition 2.1

2.3 Rejection Sampling and the Normal Distribution

Definition 2.2

Definition 2.3

Lemma 2.4

Theorem 2.5

2.4 Zero-Knowledge Proofs of Knowledge

Definition 2.6

2.5 Imperfect Proof of Knowledge and a Compiler

Definition 2.7

Theorem 2.8

3 Warmup Construction

4 Amortized Proof for \(f(\mathbf{x}_i)=y_i\) with Fewer Equations

Theorem 4.1

Proof

Lemma 4.2

Proof

Lemma 4.3

Proof

Lemma 4.4

Proof

5 Proving \(f(\mathbf{x}_i)=2y_i\) with Even Fewer Equations

Lemma 5.1

Theorem 5.2

Proof

6 Proof Size

Lemma 6.1

Proof

Notes

References

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

Publish with us

Societies and partnerships

Search

Navigation