Code-Based Zero-Knowledge Protocols and Their Applications

Chapter in: Mathematical Modelling for Next-Generation Cryptography

Part of the book series: Mathematics for Industry (MFI, volume 29)

Abstract

We present a survey of recent results in the area of zero-knowledge (ZK) protocols based on coding problems and the related Learning Parities with Noise (LPN) problem. First, we sketch the constructions of two ZK code-based identification schemes: the one based on general decoding by Jain et al. (Asiacrypt 2012) and the one based on syndrome decoding by Stern (Crypto 1993). Next, we show that these two systems can also be used to implement a proof of plaintext knowledge for the code-based public key encryption schemes: the one by McEliece and the one by Niederreiter, respectively. Finally, we briefly discuss verifiable encryption and digital signatures as applications.

This survey is based on the paper: Rong Hu, Kirill Morozov, Tsuyoshi Takagi: “Zero-Knowledge Protocols for Code-Based Public Key Encryption.” IEICE Transactions 98-A(10): 2139–2151 (2015) [26].


Notes

  1. If such a vector does not exist, \(\mathsf {Dec_{\mathscr {H}}}\) returns “failure.” When the encryption algorithm is run correctly, this situation does not occur. Although this detail is important for practical implementations, it is immaterial for the following presentation, so we omit it for the sake of simplicity.

  2. If such a codeword does not exist, \(\mathsf {Dec_{\mathscr {G}}}\) returns “failure.” When the encryption algorithm is run correctly, this situation does not occur. Although this detail is important for practical implementations, it is immaterial for the following presentation, so we omit it for the sake of simplicity.

  3. In fact, this is the way in which Stern’s scheme was employed in the context of lattices by Kawachi et al. [29].

References

  1. C. Aguilar Melchor, P. Cayrel, P. Gaborit, F. Laguillaumie, A new efficient threshold ring signature scheme based on coding theory. IEEE Trans. Inf. Theory 57(7), 4833–4842 (2011)

  2. N. Asokan, V. Shoup, M. Waidner, Optimistic fair exchange of digital signatures (extended abstract), in EUROCRYPT 1998 (1998), pp. 591–606

  3. Y. Aumann, M.O. Rabin, A proof of plaintext knowledge protocol and applications. Manuscript, June 2001. Available as slides from the 1998 IACR Distinguished Lecture by M.O. Rabin: http://www.iacr.org/publications/dl/rabin98/rabin98slides.ps

  4. A. Becker, A. Joux, A. May, A. Meurer, Decoding random binary linear codes in \(2^{n/20}\): how \(1+1=0\) improves information set decoding, in EUROCRYPT 2012 (2012), pp. 520–536

  5. M. Bellare, O. Goldreich, On defining proofs of knowledge, in CRYPTO 1992 (1992), pp. 390–420

  6. M. Bellare, M. Fischlin, S. Goldwasser, S. Micali, Identification protocols secure against reset attacks, in EUROCRYPT 2001 (2001), pp. 495–511

  7. R. Bendlin, I. Damgård, Threshold decryption and zero-knowledge proofs for lattice-based cryptosystems, in TCC 2010 (2010), pp. 201–218

  8. E. Berlekamp, R. McEliece, H. van Tilborg, On the inherent intractability of certain coding problems. IEEE Trans. Inf. Theory 24, 384–386 (1978)

  9. D.J. Bernstein, T. Lange, C. Peters, Smaller decoding exponents: ball-collision decoding, in CRYPTO 2011 (2011), pp. 743–760

  10. J. Camenisch, I. Damgård, Verifiable encryption, group encryption, and their applications to separable group signatures and signature sharing schemes, in ASIACRYPT 2000 (2000), pp. 331–345

  11. J. Camenisch, V. Shoup, Practical verifiable encryption and decryption of discrete logarithms, in CRYPTO 2003 (2003), pp. 126–144

  12. P. Cayrel, P. Véron, S.M. El Yousfi Alaoui, A zero-knowledge identification scheme based on the q-ary syndrome decoding problem, in Selected Areas in Cryptography 2010 (2010), pp. 171–186

  13. T. Cover, Enumerative source encoding. IEEE Trans. Inf. Theory 19(1), 73–77 (1973)

  14. Ö. Dagdelen, D. Galindo, P. Véron, S.M. El Yousfi Alaoui, P. Cayrel, Extended security arguments for signature schemes, in AFRICACRYPT 2012 (2012), pp. 19–34. Journal version: Ö. Dagdelen, D. Galindo, P. Véron, S.M. El Yousfi Alaoui, P. Cayrel, Extended security arguments for signature schemes. Des. Codes Cryptogr. 78(2), 441–461 (2016)

  15. I. Damgård, O. Goldreich, T. Okamoto, A. Wigderson, Honest verifier vs dishonest verifier in public coin zero-knowledge proofs, in CRYPTO 1995 (1995), pp. 325–338

  16. D. Engelbert, R. Overbeck, A. Schmidt, A summary of McEliece-type cryptosystems and their security. J. Math. Cryptol. 1, 151–199 (2007)

  17. M.F. Ezerman, H.T. Lee, S. Ling, K. Nguyen, H. Wang, A provably secure group signature scheme from code-based assumptions, in ASIACRYPT (1) (2015), pp. 260–285

  18. J. Faugère, V. Gauthier-Umaña, A. Otmani, L. Perret, J. Tillich, A distinguisher for high rate McEliece cryptosystems, in Information Theory Workshop (ITW) (2011), pp. 282–286

  19. U. Feige, A. Fiat, A. Shamir, Zero knowledge proofs of identity, in STOC 1987 (1987), pp. 210–217. Journal version: U. Feige, A. Fiat, A. Shamir, Zero-knowledge proofs of identity. J. Cryptol. 1(2), 77–94 (1988)

  20. A. Fiat, A. Shamir, How to prove yourself: practical solutions to identification and signature problems, in CRYPTO 1986 (1986), pp. 186–194

  21. M. Finiasz, N. Sendrier, Security bounds for the design of code-based cryptosystems, in ASIACRYPT 2009 (2009), pp. 88–105

  22. O. Goldreich, Foundations of Cryptography I: Basic Tools (Cambridge University Press, Cambridge, 2001)

  23. S. Goldwasser, D. Kharchenko, Proof of plaintext knowledge for the Ajtai–Dwork cryptosystem, in TCC 2005 (2005), pp. 529–555

  24. V. Goppa, A new class of linear error-correcting codes (in Russian). Probl. Peredachi Inf. 6, 24–30 (1970). Russian Academy of Sciences

  25. R. Hu, K. Morozov, T. Takagi, On zero-knowledge identification based on q-ary syndrome decoding, in AsiaJCIS 2013 (2013), pp. 12–18

  26. R. Hu, K. Morozov, T. Takagi, Proof of plaintext knowledge for code-based public-key encryption revisited, in ASIACCS 2013 (ACM, 2013), pp. 535–540. Journal version: R. Hu, K. Morozov, T. Takagi, Zero-knowledge protocols for code-based public-key encryption. IEICE Trans. 98-A(10), 2139–2151 (2015)

  27. A. Jain, S. Krenn, K. Pietrzak, A. Tentes, Commitments and efficient zero-knowledge proofs from learning parity with noise, in ASIACRYPT 2012, LNCS, vol. 7658 (2012), pp. 663–680. Full version: A. Jain, S. Krenn, K. Pietrzak, A. Tentes, Commitments and efficient zero-knowledge proofs from hard learning problems. Cryptology ePrint Archive, Report 2012/513 (2012), http://eprint.iacr.org/2012/513

  28. J. Katz, Efficient and non-malleable proofs of plaintext knowledge and applications, in EUROCRYPT 2003 (2003), pp. 211–228

  29. A. Kawachi, K. Tanaka, K. Xagawa, Concurrently secure identification schemes based on the worst-case hardness of lattice problems, in ASIACRYPT 2008 (2008), pp. 372–389

  30. K. Kobara, K. Morozov, R. Overbeck, Coding-based oblivious transfer, in MMICS 2008 (2008), pp. 142–156

  31. F. MacWilliams, N.J.A. Sloane, The Theory of Error-Correcting Codes (North-Holland, Amsterdam, 1992)

  32. R.J. McEliece, A public-key cryptosystem based on algebraic coding theory, Deep Space Network Progress Report (1978)

  33. K. Morozov, Code-based public-key encryption, in A Mathematical Approach to Research Problems of Science and Technology, Mathematics for Industry, vol. 5 (Springer, Berlin, 2014), pp. 47–55

  34. K. Morozov, T. Takagi, Zero-knowledge protocols for the McEliece encryption, in ACISP 2012 (2012), pp. 180–193

  35. H. Niederreiter, Knapsack-type cryptosystems and algebraic coding theory. Probl. Control Inf. Theory 15(2), 159–166 (1986). Russian Academy of Sciences

  36. R. Nojima, H. Imai, K. Kobara, K. Morozov, Semantic security for the McEliece cryptosystem without random oracles. Des. Codes Cryptogr. 49(1–3), 289–305 (2008)

  37. R. Overbeck, N. Sendrier, Code-based cryptography, in Post-Quantum Cryptography, ed. by D.J. Bernstein, J. Buchmann, E. Dahmen (Springer, Berlin, 2009), pp. 95–145

  38. J.N. Pierce, Limit distributions of the minimum distance of random linear codes. IEEE Trans. Inf. Theory 13, 595–599 (1967)

  39. Request for Comments on Post-Quantum Cryptography Requirements and Evaluation Criteria: A Notice by the National Institute of Standards and Technology on 08/02/2016, http://csrc.nist.gov/groups/ST/post-quantum-crypto/rfc-july2016.html

  40. R. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)

  41. R. Roth, Introduction to Coding Theory (Cambridge University Press, Cambridge, 2006)

  42. N. Sendrier, Encoding information into constant weight codewords, in ISIT 2005 (2005), pp. 435–438

  43. M. Stadler, Publicly verifiable secret sharing, in EUROCRYPT 1996 (1996), pp. 190–199

  44. J. Stern, A new identification scheme based on syndrome decoding, in CRYPTO 1993 (1993), pp. 13–21. Journal version: J. Stern, A new paradigm for public key identification. IEEE Trans. Inf. Theory 42(6), 1757–1768 (1996)

  45. P. Véron, Improved identification schemes based on error-correcting codes. Appl. Algebra Eng. Commun. Comput. 8(1), 57–69 (1996)

  46. K. Xagawa, K. Tanaka, Zero-knowledge protocols for NTRU: application to identification and proof of plaintext knowledge, in ProvSec 2009 (2009), pp. 198–213

  47. K. Xagawa, A. Kawachi, K. Tanaka, Proof of plaintext knowledge for the Regev cryptosystems, Technical report C-236, Tokyo Institute of Technology (2007)

Acknowledgements

The author is supported by a Kakenhi Grant-in-Aid for Scientific Research (C) 15K00186 from the Japan Society for the Promotion of Science. The author would like to thank the anonymous reviewers for their helpful comments.

Author information

Correspondence to Kirill Morozov.

9 Appendix: Proof of Theorem 3.1

We adapt the proof of [26]. It generally follows the argument of [44], but for the proof of soundness it uses the argument from [45], since it is shorter. We emphasize that the gap in the proof of [45] pointed out in the full version of [27] concerned only the proof of the zero-knowledge property.

Completeness. It is easy to check that \(\mathsf {P}\), who knows the plaintext m, can answer all three challenges correctly. This implies that \(\langle \mathsf {P}(m),\mathsf {V}\rangle (pk,c)=1\).

Soundness.

Lemma 9.1

Protocol 1 is sound according to Definition 2.6, if the underlying commitment scheme is binding, the SD problem is hard, and \(r(\kappa )=\omega (\log \kappa )\).

The proof of this lemma follows from the two auxiliary lemmas presented next. In their proofs, we will omit mentioning the fact that the parameters r and \(\varepsilon \) depend on the security parameter \(\kappa \), for simplicity.

Lemma 9.2

If the witness does not exist, then the probability for \(\widetilde{\mathsf {P}}\) to be accepted in the above protocol is at most \(\left( \frac{2}{3}\right) ^r\), after r rounds.

Proof

We show that if \(\widetilde{\mathsf {P}}\)’s replies to all three challenges are accepted, then a (valid) witness can be computed from them. This contradicts the assumption, and hence implies that \(\widetilde{\mathsf {P}}\) is not able to answer all three challenges at the same time, so its probability of being accepted is at most \(\frac{2}{3}\) in every round.

Consider the following challenge–response pairs:

  • \(b=0\) : \((y_0,\pi _0)\),

  • \(b=1\) : \((w_1,\pi _1)\) (\(w_1\) corresponds to \(y+m\)),

  • \(b=2\) : \((z_2,t_2)\) (corresponding to \(y\pi \) and \(m\pi \), respectively).

Since the information in the opened commitments is consistent by assumption, we have \((\pi _0,H y_0^T)=Open(C_1)=(\pi _1,H w_1^T + c)\). Since binding holds, we conclude that \(\pi _0=\pi _1\) and \(H y_0^T=H w_1^T + c\). Similarly, by consistency of the commitments \(C_2\) and \(C_3\), and by the binding property, we can show that \(z_2=y_0\pi _0\), \(z_2+t_2=w_1\pi _1\), and \(w_H(t_2)=t\). Therefore, \(t_2=z_2+(t_2+z_2)=(y_0+w_1)\pi _0\), and since a permutation preserves Hamming weight, \(w_H(y_0+w_1)=t\). Now from \(H(y_0+w_1)^T=H y_0^T+H w_1^T=c\), we conclude that \(y_0+w_1\) is a valid witness.
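To make the extraction argument of Lemma 9.2 concrete, the following toy implementation (an added example, not code from the chapter or its authors) runs the three commitments, the three replies and the Step 3 checks of Protocol 1 for a Niederreiter ciphertext, and then recovers the witness \(y_0+w_1\) from accepted replies to all three challenges on the same commitments. It assumes tiny constructed parameters n = 16, k = 8, t = 2, a random binary matrix standing in for \(H^{pub}\), and a SHA-256 hash over fresh randomness as the commitment scheme.

```python
import hashlib
import random

N, K, T = 16, 8, 2   # constructed toy sizes: code length n, dimension k, error weight t

def syndrome(H, x):   # H x^T over F_2, as a tuple of n-k bits
    return tuple(sum(h & b for h, b in zip(row, x)) & 1 for row in H)

def add(x, y):        # vector addition in F_2^n
    return tuple(a ^ b for a, b in zip(x, y))

def permute(x, pi):   # (x pi)_i = x_{pi(i)}; permuting preserves Hamming weight
    return tuple(x[pi[i]] for i in range(len(x)))

def com(rnd, *parts): # hash commitment Com(parts) with opening randomness rnd (assumed scheme)
    h = hashlib.sha256(rnd)
    for p in parts:
        h.update(repr(p).encode())
    return h.hexdigest()

def commit(H, m, rng):
    """Prover's first move: C1 = Com(pi, H y^T), C2 = Com(y pi), C3 = Com((y+m) pi)."""
    y = tuple(rng.randrange(2) for _ in range(N))
    pi = list(range(N))
    rng.shuffle(pi)
    r = [bytes(rng.randrange(256) for _ in range(16)) for _ in range(3)]
    coms = (com(r[0], pi, syndrome(H, y)), com(r[1], permute(y, pi)),
            com(r[2], permute(add(y, m), pi)))
    return coms, (y, pi, r)

def respond(state, m, b):
    """Prover's reply to challenge b, with the openings of the two commitments it reveals."""
    y, pi, r = state
    if b == 0:
        return (y, pi, r[0], r[1])                       # (y_0, pi_0)
    if b == 1:
        return (add(y, m), pi, r[0], r[2])               # (w_1, pi_1) with w_1 = y + m
    return (permute(y, pi), permute(m, pi), r[1], r[2])  # (z_2, t_2) = (y pi, m pi)

def verify(H, c, coms, b, rep):
    """Verifier's Step 3 check for a single challenge b."""
    c1, c2, c3 = coms
    if b == 0:
        y, pi, r1, r2 = rep
        return c1 == com(r1, pi, syndrome(H, y)) and c2 == com(r2, permute(y, pi))
    if b == 1:
        w, pi, r1, r3 = rep   # H w^T + c must equal the committed syndrome H y^T
        return c1 == com(r1, pi, add(syndrome(H, w), c)) and c3 == com(r3, permute(w, pi))
    z, t, r2, r3 = rep
    return c2 == com(r2, z) and c3 == com(r3, add(z, t)) and sum(t) == T

def extract(H, c, coms, reps):
    """Lemma 9.2: accepted replies to all three challenges on one set of commitments
    yield the witness y_0 + w_1; None if the replies are inconsistent."""
    if not all(verify(H, c, coms, b, reps[b]) for b in range(3)):
        return None
    (y0, pi0, _, _), (w1, _, _, _), (_, t2, _, _) = reps
    witness = add(y0, w1)
    if t2 != permute(witness, pi0):      # binding forces t_2 = (y_0 + w_1) pi_0
        return None
    return witness if syndrome(H, witness) == c and sum(witness) == T else None

def demo(seed=1):
    rng = random.Random(seed)
    H = [[rng.randrange(2) for _ in range(N)] for _ in range(N - K)]  # stands in for H^pub
    pos = set(rng.sample(range(N), T))
    m = tuple(int(i in pos) for i in range(N))   # plaintext: weight-t error vector
    c = syndrome(H, m)                            # Niederreiter ciphertext c = H^pub m^T
    coms, state = commit(H, m, rng)
    reps = [respond(state, m, b) for b in range(3)]
    accepted = [verify(H, c, coms, b, reps[b]) for b in range(3)]
    y_bad = add(reps[0][0], (1,) + (0,) * (N - 1))   # flip one bit of y_0
    tampered = verify(H, c, coms, 0, (y_bad,) + reps[0][1:])
    return {"accepted": accepted, "extracted": extract(H, c, coms, reps) == m,
            "tampered_rejected": not tampered}
```

In a real run of the protocol the verifier sends only one challenge per set of commitments; the extractor above models the rewinding of Lemma 9.3, in which the same commitments are answered for all three challenges.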

Lemma 9.3

If \(\mathsf {V}\) accepts \(\widetilde{\mathsf {P}}\)’s proof with probability at least \((\frac{2}{3})^r+\varepsilon \), then there exists an expected PPT algorithm WE which, with overwhelming probability, computes a witness m.

Proof

Let \(\mathscr {T}(RA)\) be an execution tree of the protocol \((\widetilde{\mathsf {P}},\mathsf {V})\), where RA is the random tape of \(\widetilde{\mathsf {P}}\). This tree is constructed as follows: A vertex will represent the commitments made by \(\widetilde{\mathsf {P}}\), and the edges will be labeled by the challenges of \(\mathsf {V}\). An edge will be present only if \(\widetilde{\mathsf {P}}\) is able to correctly reply to the challenge. Remember that \(\mathsf {V}\) can send 3 possible challenges at each stage. First, we will argue that as long as the binding property of the commitment holds, a witness m can be computed from a vertex with 3 descendants, that is from the correct answers to three challenges. Next, we will show that a PPT WE can find such a vertex in \(\mathscr {T}(RA)\) with overwhelming probability.

Let v be a vertex with three descendants. This corresponds to a situation where three commitments \(C_1\), \(C_2\), and \(C_3\) have been made and the three challenges were correctly answered. Then, the witness can be computed from these correct answers as described in Lemma 9.2.

Next, we can use the argument from [45] to show that the probability for \(\mathscr {T}(RA)\) to have a vertex with three descendants is at least \(\varepsilon \). We give this argument here for the sake of completeness.

Let us consider the random tape RA of \(\widetilde{\mathsf {P}}\) as a set of \(\mu \) elements, from which \(\widetilde{\mathsf {P}}\) randomly picks its values and let \(Q=\{1,2,3\}\). These two sets are considered as probability spaces, both of them with uniform distribution.

A pair \((a,b)\in (RA\times Q)^r\) represents the commitments, challenges, and responses communicated between \(\widetilde{\mathsf {P}}\) and \(\mathsf {V}\). This is indeed the case, since the random tape of the prover, along with the challenges, uniquely defines all the messages sent by her during the protocol. A pair \((a,b)\) is called valid if the execution of \((\widetilde{\mathsf {P}},\mathsf {V})\) is accepted.

Let V be the subset of valid pairs in \((RA\times Q)^r\). By the hypothesis of the lemma,

$$ \frac{|V|}{|(RA\times Q)^r|} \ge \left( \frac{2}{3}\right) ^r+\varepsilon . $$

Let \(\varOmega _r\subset RA^r\) be such that:

  • If \(a\in \varOmega _r\), then \(2^r+1\le |\{b:(a,b)\text { are valid}\}| \le 3^r\),

  • If \(a\in RA^r\setminus \varOmega _r\), then \(0\le |\{b:(a,b) \text { are valid}\}| \le 2^r\).

Then, we write \(V=\{\text {valid } (a,b),a\in \varOmega _r\} \cup \{\text {valid } (a,b), a\in RA^r\setminus \varOmega _r\}\), therefore \(|V|\le |\varOmega _r|\cdot 3^r+(\mu ^r-|\varOmega _r|)\cdot 2^r\). Taking into account that \(|RA^r|=\mu ^r\) and \(|Q^r|=3^r\), we have

$$ \frac{|V|}{|(RA\times Q)^r|} \le \left( \frac{|\varOmega _r|}{|RA^r|} + 2^r\left( 3^{-r} - \frac{|\varOmega _r|}{|(RA\times Q)^r|} \right) \right) \le \frac{|\varOmega _r|}{|RA^r|} + \left( \frac{2}{3} \right) ^r. $$

Now, it follows that \(|\varOmega _r|/|RA^r|\ge \varepsilon \), which shows that the probability that \(\widetilde{\mathsf {P}}\) replies correctly to at least \(2^r+1\) challenges, by choosing random values from RA, is at least \(\varepsilon \). Moreover, in this case, \(\mathscr {T}(RA)\) has at least \(2^r+1\) leaves. Indeed, by construction of \(\mathscr {T}(RA)\), a correctly answered challenge corresponds to an edge, and therefore the number of leaves is lower bounded by the number of correctly answered challenges. This implies that \(\mathscr {T}(RA)\) has at least one vertex with three descendants. Now, the machine WE will simply rewind the above \(\widetilde{\mathsf {P}}\) polynomially many times, thereby finding an execution tree containing a vertex with three descendants with overwhelming probability, as claimed. Specifically, we can directly use the analysis by Stern from Lemma 1 in the journal version of [44] to verify that the number of necessary rewindings is \(\frac{10}{\varepsilon ^3}\).     \(\square \)

Note that the machine WE constructed in the above proof finds a valid witness, thereby contradicting the hardness of the SD problem, unless the binding property of the commitment is violated. Therefore, for a cheating prover \(\widetilde{\mathsf {P}}\), we must have \(\mathrm {Pr}[\langle \widetilde{\mathsf {P}}, \mathsf {V}\rangle (pk,c)=1] \le (2/3)^r+\varepsilon \), which is negligible in \(\kappa \).

Zero-knowledge. Let us denote by \(\mathscr {R}\) the communication tape for \(\mathsf {P}\) and \(\mathsf {V}\), that is, the concatenation of all bits they exchange during the protocol. We consider the probability distributions on \(\mathscr {R}\).

Lemma 9.4

Protocol 1 is computational (respectively statistical) zero-knowledge according to Definition 5.1, if the underlying commitment scheme is computationally (respectively statistically) hiding.

Proof

We construct a simulator \(\mathsf {SIM}\), which generates, in expected PPT, a communication tape \(\mathscr {R}_s\) whose distribution is indistinguishable from that of \(\mathscr {R}\) in a computational or statistical sense (depending on the type of commitments used).

Suppose that \(\widetilde{\mathsf {V}}\) chose a particular strategy depending on the information received from \(\mathsf {P}\). Denote this strategy by \(St(C_1,C_2,C_3)\).

The simulator \(\mathsf {SIM}\) works as follows:

  1. Pick a challenge \(b\mathop {\leftarrow }\limits ^{\$}\{0,1,2\}\).

    • If \(b=0\), choose \(y\mathop {\leftarrow }\limits ^{\$}\mathbb {F}_2^n\), \(\pi \mathop {\leftarrow }\limits ^{\$}\mathscr {S}_n\), compute \(C_1=Com(\pi ,H^{pub} y^T)\), \(C_2=Com(y\pi )\), \(C_3=Com(0)\), and \(Rep=(y,\pi )\), where by Rep we denote the reply of the prover. Clearly, the distributions of \(C_1\), \(C_2\), \(C_3\), and Rep are identical to those from the communication tape of the actual protocol.

    • If \(b=1\), choose \(y\mathop {\leftarrow }\limits ^{\$}\mathbb {F}_2^n\), \(\pi \mathop {\leftarrow }\limits ^{\$}\mathscr {S}_n\), and \(w=y+z\), where \(z\in \mathbb {F}_2^n\) is such that \(H^{pub} z^T=c\), \(z\ne m\), \(w_H(z)\ne t\). Note that such a vector w can be computed in polynomial time as shown in [37, Proposition 1]. Then, compute \(C_1=Com(\pi ,H^{pub} y^T)\), \(C_2=Com(0)\), \(C_3=Com(w\pi )\), and \(Rep=(w,\pi )\). It is easy to check that the openings of the above commitments and Rep will pass the verification of Step 3 in Protocol 1, and also that the distributions of the commitments and Rep are identical to those in the actual protocol. In particular, in the simulation, the distribution of w is uniform over \(\mathbb {F}_2^n\), and hence the content of \(C_3\) has the distribution identical to that in Protocol 1.

    • If \(b=2\), choose \(y\mathop {\leftarrow }\limits ^{\$}\mathbb {F}_2^n\), \(\pi \mathop {\leftarrow }\limits ^{\$}\mathscr {S}_n\), and \(z\mathop {\leftarrow }\limits ^{\$}\{x\in \mathbb {F}_2^n|w_H(x)=t\}\). Then, compute \(C_1=Com(0)\), \(C_2=Com(y\pi )\), \(C_3=Com((y+z)\pi )\), and \(Rep=(y\pi ,z\pi )\). It is again easy to check that the values in Rep will pass the verification of Step 3 in Protocol 1, and that the distributions of the commitments and Rep are identical to those in the actual protocol.

  2. \(\mathsf {SIM}\) computes \(b'=St(C_1,C_2,C_3)\).

  3. If \(b=b'\), then \(\mathsf {SIM}\) writes on the tape \(\mathscr {R}_s\) the values \(H^{pub}\), b, Rep; otherwise it goes to Step 1.

Note that in the above simulator, in the case of commitments to zero, we use the hiding property of the commitment to ensure that the distributions in question are indistinguishable.

We can see that in 3r rounds on the average, \(\mathsf {SIM}\) produces the communication tape \(\mathscr {R}_s\), which is indistinguishable from the communication tape \(\mathscr {R}\) produced by the honest parties, who execute r rounds of Protocol 1.

We conclude that \(\langle \mathsf {P}(m),\widetilde{\mathsf {V}}\rangle (pk,c)\), and \(\langle \mathsf {SIM},\widetilde{\mathsf {V}}\rangle (pk,c)\) are indistinguishable. Note that the simulation is perfect by itself, and the type of indistinguishability, statistical or computational—and hence the type of the ZK proof, which we obtain—depends solely on the underlying commitment scheme.

Using Lemmas 9.1 and 9.4, and the observation on the completeness, we conclude the proof of Theorem 3.1.     \(\square \)

Copyright information

© 2018 Springer Nature Singapore Pte Ltd.

About this chapter

Cite this chapter

Morozov, K. (2018). Code-Based Zero-Knowledge Protocols and Their Applications. In: Takagi, T., Wakayama, M., Tanaka, K., Kunihiro, N., Kimoto, K., Duong, D. (eds) Mathematical Modelling for Next-Generation Cryptography. Mathematics for Industry, vol 29. Springer, Singapore. https://doi.org/10.1007/978-981-10-5065-7_3

  • DOI: https://doi.org/10.1007/978-981-10-5065-7_3

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-10-5064-0

  • Online ISBN: 978-981-10-5065-7
