Efficient Succinct Zero-Knowledge Arguments in the CL Framework

Abstract

The CL cryptosystem, introduced by Castagnos and Laguillaumie in 2015, is a linearly homomorphic encryption scheme that has seen numerous developments and applications in recent years, particularly in the field of secure multiparty computation. Designing efficient zero-knowledge proofs for the CL framework is critical, especially for achieving adaptive security for such multiparty protocols. This is a challenging task due to the particularities of class groups of quadratic fields used to instantiate the groups of unknown order required in the CL framework. In this work, we provide efficient proofs and arguments for statements involving a large number of ciphertexts. We propose a new batched proof for correctness of CL ciphertexts and new succinct arguments for correctness of a shuffle of these ciphertexts. Previous efficient proofs of shuffle for linearly homomorphic encryption were designed for Elgamal “in the exponent" which has only a limited homomorphic property. In the line of a recent work by Braun, Damgård and Orlandi (CRYPTO 2023), all the new proofs and arguments provide partial extractability, a property that we formally introduce here. Thanks to this notion, we show that bulletproof techniques, which are in general implemented with groups of known prime order, can be applied in the CL framework despite the use of unknown order groups, giving non-interactive arguments of logarithmic sizes. To prove the practicability of our approach, we have implemented these protocols with the BICYCL library, showing that computation and communication costs are competitive. We also illustrate that the partial extractability of our proofs provide enough guarantees for complex applications by presenting a bipartite private set intersection sum protocol which achieves security against malicious adversaries using CL encryption, removing limitations of a solution proposed by Miao et al. (CRYPTO 2020).

Appendices

Variants of CL Encryption

1.1 Two-Party CL Encryption

Given a security parameter \(\lambda \), a prime number q and \(({\widehat{G}}, {\widetilde{s}}, g, h, f,\textsf{Solve}_DL )\), the output of \(\textsf{Setup}_{CL }(1^\lambda , q)\), one can construct a two-party encryption scheme as follows:

• A generates its keys with \((\textsf {CL-sk}_A, \textsf {CL-pk}_A) \leftarrow \textsf{KeyGen}_{CL }({\widehat{G}}, {\widetilde{s}}, g, h, f)\), similarly B generates \((\textsf {CL-sk}_B, \textsf {CL-pk}_B) \leftarrow \textsf{KeyGen}_{CL }({\widehat{G}}, {\widetilde{s}}, g, h, f)\)

• \(\textsf {CL-sk}\leftarrow \textsf {CL-sk}_A + \textsf {CL-sk}_B\) and \(\textsf {CL-pk}\leftarrow \textsf {CL-pk}_A \cdot \textsf {CL-pk}_B\). The key \(\textsf {CL-pk}\) is public, while \(\textsf {CL-sk}\) is unknown to both A and B.

• The encryption is done normally using the public key \(\textsf {CL-pk}\).

• The decryption is done in two party as follows: for a ciphertext \(c = (c_1, c_2)\), A computes \(c_2' = c_2 \cdot c_1^{-\textsf {CL-sk}_A}\), and sends it to B. Then, B can decrypt normally, computing first \(d = c_2' \cdot c_1^{-\textsf {CL-sk}_B}\), and retrieving the message by \(m = \textsf{Solve}_DL (d)\). If both parties want to retrieve the message, these operations are done symmetrically.

  In the case in which A can be malicious, B can ask him to prove in a zero-knowledge argument (or \(\textsf {HVZK-AwPE} \)) that he performed the half decryption honestly.

We use this encryption scheme in the PSI protocol exposed in Fig. 9 to encrypt the values, so that both parties can decrypt together the sum in the last step.

1.2 Vector CL Encryption

For efficiency purpose, we can reduce the size of CL ciphertexts for a batch of m messages by sharing randomness. Instead of using one randomness for each message to be encrypted, we only use one for the vector. To allow this, each key (public or private) will be a vector of m keys, i.e., if \(\textbf{sk}= (\textsf {CL-sk}_1, \dots , \textsf {CL-sk}_m)\), then the associated public key is \(\textbf{pk}=(\textsf {CL-pk}_1, \dots , \textsf {CL-pk}_m)=(h^{\textsf {CL-sk}_1}, \dots , h^{\textsf {CL-sk}_m})\).

For \(\varvec{a} = (a_1, \dots , a_m)\) a vector in \((\textbf{Z}/q\textbf{Z})^m\), we denote \(\textsf{Enc}_{CL }(\textbf{pk}; \varvec{a}; r)\) the encryption of \(\varvec{a}\) under the public key \(\textbf{pk}\), and with randomness \(r \xleftarrow {\$}\mathcal {D}_H\). It stands for

$$\textsf{Enc}_{CL }(\textbf{pk}; \varvec{a}; r) = (h^r, \textsf {CL-pk}_1^{r}f^{a_1}, \dots , \textsf {CL-pk}_m^{r}f^{a_m}).$$

With this transformation, a ciphertext encrypts m values in \(m+1\) components instead of 2m if we encrypted separately the values.

We denote \(\textsf{Dec}_{CL }(\textbf{sk}; \varvec{c})\) the decryption of \(\varvec{c}\) under the secret key \(\textbf{sk}\), which is computed as follows:

$$\textsf{Dec}_{CL }(\textbf{sk}; c_0, \dots , c_m) = \left( \textsf{Solve}_DL \left( c_1 \cdot c_0^{-\textsf {CL-sk}_1} \right) , \dots , \textsf{Solve}_DL \left( c_m \cdot c_0^{-\textsf {CL-sk}_m}\right) \right) . $$

In order to simplify the notations, we also define the encryption of a matrix \(\varvec{M}_a=(\varvec{a}_{i})_{i \in \llbracket 1, \ell \rrbracket }\) of size \(\ell \times m\). If \(\textbf{pk}\) is a public key and \(\varvec{r} = (r_1, \dots , r_\ell )\) is a vector of \(\ell \) randomnesses,

$$\textsf{Enc}_{CL }(\textbf{pk}; \varvec{M}_a; \varvec{r})$$

denotes a vector of \(\ell \) ciphertexts, such that for every \(i \in \llbracket 1, \ell \rrbracket \), the i-th ciphertext encrypts the i-th row of \(\varvec{M}_a\) with randomness \(r_i\), i.e.,

$$\textsf{Enc}_{CL }(\textbf{pk}; \varvec{M}_a; \varvec{r}) = (\varvec{c}_1, \dots , \varvec{c}_\ell ),$$

with for every \(1 \le i \le \ell \),

$$\varvec{c}_i = \textsf{Enc}_{CL }(\textbf{pk}; \varvec{a}_i; r_i).$$

The encryption of a matrix of size \(\ell \times m\) thus contains \(\ell (m+1)\) elements of the class group.

Rewinding Procedures

We consider a ZK protocol in which the challenge sent by the verifier is of the form \(\varvec{x}= (x_1, \dots , x_n)\) where the \(x_i\)’s are independent and uniformly random in \(\llbracket 0, \mathcal {C} \llbracket \) and \(n>1\). Figure 1 is an example of such a protocol. We fix a statement \(\mathcal {S}\) and a prover \(\mathcal {P}\) that has probability \(\varepsilon \) of making the verifier accept the proof on the statement \(\mathcal {S}\).

We design an algorithm that outputs in expected polynomial time a set of challenges \(\varvec{x}_1, \varvec{x}_1', \dots , \varvec{x}_n, \varvec{x}_n'\) such that for any \(i \in \llbracket 1, n \rrbracket \), the coordinates of \(\varvec{x}_i\) and \(\varvec{x}_i'\) are the same, except for the i-th coordinate. Moreover, for all i, there exists a set of random coins \(\mathcal {R}_i\) such that if the prover uses \(\mathcal {R}_i\) as its random coins, then the proof is accepting for both challenges \(\varvec{x}_i\) and \(\varvec{x}_i'\).

The next two lemmas essentially follows the rewinding algorithm of [20], slightly adapted to match the case in which the challenge has n independent components. They are exposed mainly for completeness, and to allow a better understanding of Lemma 4.

To visualize the situation, we define M the success matrix of \(\mathcal {P}\) on the statement \(\mathcal {S}\). Precisely, M is a matrix in which each row corresponds to a possible set \(\mathcal {R}\) of random coins for \(\mathcal {P}\), and each of the \(\mathcal {C}^n\) columns corresponds to a value of the challenge \(\varvec{x} = (x_1, \dots , x_n)\). The matrix contains a one in the i-th row and the j-th column if \(\mathcal {P}\) makes \(\mathcal {V}\) accept for the i-th set of random coins and the j-th challenge, and a zero otherwise. Therefore, the proportion of ones is \(\varepsilon \). First, we organize the columns of the matrix by blocks:

$$M = \left[ M_1 | \dots | M_{\mathcal {C}^{n-1}} \right] ,$$

where each block corresponds to a fixed value of the \(n-1\) coordinates \(x_2, \dots , x_n\), i.e., each block has \(\mathcal {C}\) columns, each corresponding to a value of \(x_1\).

Now finding the first pair \(\varvec{x}_1, \varvec{x}_1'\) is just finding two ones in the same block and the same row of the matrix. We now specify the rewinding algorithm:

Fig. 11

Algorithm \(\textsf{TryExtract}\)

Lemma 2

Suppose \(\varepsilon \ge 4/\mathcal {C}\). Set \(w = 13\), then the algorithm \(\textsf{TryExtract}\) presented in Fig. 11 has an expected running time \(\mathbb {E}[T] \le 14/\varepsilon \) and finds two ones in the same combination of block and row with probability \(p \ge 1/8\).

Proof

Let us first study the algorithm \(\textsf{Algo}_a\) of line (a). We consider the event E: “the one found in step 1 is in a combination block/row with a proportion at least \(\varepsilon /2\) of ones”. In this case, the number of other ones in the same block/row is at least \(\mathcal {C} \varepsilon /2 - 1\), so each trial to find another one has a probability of success of at least \(\frac{\mathcal {C} \varepsilon /2 - 1}{\mathcal {C}}\). Its expected running time is

$$\mathbb {E}(T_{a} ~ | ~E) \le \frac{\mathcal {C}}{\mathcal {C} \varepsilon /2 -1} \cdot $$

As soon as \(\varepsilon \ge 4/\mathcal {C}\), one has \(\mathbb {E}[T_{a} ~ | ~ E] \le 4/\varepsilon \). In particular, by Markov inequality,

$$\mathbb {P} (T_{a} \ge 8/\varepsilon ~|~ E ) \le 1/2.$$

Moreover, at least half of the ones are in a row/block with a proportion at least \(\varepsilon /2\) of ones, i.e., \(\mathbb {P} (E) \ge 1/2\).

The algorithm of line (b) is a succession of identical trials with probability of success \(\varepsilon /13\). The probability that the first success happens after the m-th trial is

$$\mathbb {P} (T_{b} \ge m) = \left( 1 - \varepsilon /13 \right) ^{m-1}. $$

In particular, one can show that \(\mathbb {P} (T_{b} \ge 8/\varepsilon ) \ge 1/2.\) Finally,

$$\begin{array}{ll} \mathbb {P}(\textsf{Algo}_a \text { ends}) & \ge \mathbb {P}(\textsf{Algo}_a \text { ends} \, \wedge E) \\ & \ge \mathbb {P} (\textsf{Algo}_a \text { ends} ~|~E)/2 \\ & \ge \mathbb {P}((T_{a} \le 8/\varepsilon ) ~ \wedge (T_{b} \ge 8/\varepsilon ) ~|~ E)/2 \\ & \ge P (T_{a} \le 8/\varepsilon ~|~E) \cdot P (T_{b} \ge 8/\varepsilon )/2 \\ & \ge 1/8. \end{array}$$

Moreover, the expected running time for step 2 is at most the expected running time of (b), so \(13/\varepsilon \), and the expected running time of step 1 is \(1/\varepsilon \) (the time to find a one in a matrix with proportion \(\varepsilon \) of ones), so that the expected running time of the algorithm of Fig. 11 is at most \(14/\varepsilon \). \(\square \)

Lemma 3

If there is a prover \(\mathcal {P}=(\mathcal {P}_1, \mathcal {P}_2)\) with probability \(\varepsilon \ge 4/\mathcal {C}\) of making the verifier accept the proof on a statement \(\mathcal {S}\), then there exists an algorithm running in expected time

$$\mathbb {E}[T] \le \dfrac{112 n}{\varepsilon }$$

that outputs n pairs \((\varvec{x}_1, \varvec{x}_1'), \dots , (\varvec{x}_n, \varvec{x}_n')\) such that for every \(i \in \llbracket 1, n \rrbracket \), \(\varvec{x}_i\) and \(\varvec{x}_i'\) differ only by their i-th coordinate.

Moreover, there exist n sets of prover’s random coins \(\mathcal {R}_1, \dots , \mathcal {R}_n\) such that for all i, \((\mathcal {P}_1(\mathcal {S}, \mathcal {R}_i), \varvec{x}_i, \mathcal {P}_2(\mathcal {S}, \mathcal {R}_i, \varvec{x}_i))\) and \( (\mathcal {P}_1(\mathcal {S}, \mathcal {R}_i),\varvec{x}'_i, \mathcal {P}_2(\mathcal {S}, \mathcal {R}_i, \varvec{x}_i'))\) are two accepting transcripts.

Proof

We set \(w = 13\) and define the following algorithm: for \(i \in \llbracket 1,n \rrbracket \), we define \(M_i = [M_{i,1} | \dots |M_{i,\mathcal {C}^{n-1}}]\) to be the matrix M in which we reorganized the columns so that each block \(M_{i,j}\) corresponds to a given value of \((x_k)_{k \ne i}\). We repeat the algorithm \(\textsf{TryExtract}\) until it finds two ones in the same row of a same block, which corresponds to a pair \(\varvec{x}_i,\varvec{x}_i'\) (and a prover’s randomness \(\mathcal {R}_i\)). Given that the probability of success of \(\textsf{TryExtract}\) is at least 1/8, the expected number of repetitions between two successes is 8, and so the expected number of instances to find all the n pairs is 8n. This algorithm runs in expected time

$$\mathbb {E}[T] \le \dfrac{112n}{\varepsilon } \cdot $$

\(\square \)

We underline that in Lemma 3, the prover’s random coins associated with the accepted transcripts is different for each couple of challenges. This type of rewinding is sufficient for extraction whenever the different components of the challenges do not “interact” in the argument of knowledge. The proof presented in Fig. 1 is such an example: each ciphertext is associated with only one component of the challenge, and the relation proved can be proved independently on each ciphertext.

However, in a case in which the components interact (as in the proof of Fig. 2), we need a stronger property. We now construct an algorithm that is able to find in polynomial time n pairs of challenges \((\varvec{x}_1, \varvec{x}_1'), \dots , (\varvec{x}_n, \varvec{x}_n')\) as before, except that there exists a unique prover’s random coins that make these challenges accepting.

In the matricial modelization, the first situation corresponds to finding two ones in a same row and in a same block, and repeating the operation n times; while the second situation corresponds to finding 2n ones in a same row, that have to be distributed in a particular way. Concretely, the algorithm first looks for a one in the matrix which fixes a row, and from this point, restricts its browsing to only this row, hoping that the chosen row contains enough ones.

Lemma 4

If there is a prover \(\mathcal {P}= (\mathcal {P}_1, \mathcal {P}_2)\) that makes the verifier accept the proof on a statement \(\mathcal {S}\) with probability \(\varepsilon \ge 8/\mathcal {C}\), then there exists an algorithm running in expected time

$$\mathbb {E}(T) \le \dfrac{4(1+390\, n \log n)}{\varepsilon } $$

that outputs n pairs of challenges \((\varvec{x}_1, \varvec{x}_1'), \dots , (\varvec{x}_n, \varvec{x}_n')\) such that for every i, \(\varvec{x}_i\) and \(\varvec{x}_i'\) differ only by their i-th coordinate.

Moreover, there exists a set of random coins \(\mathcal {R}\) and 2n answers such that for all i, \((\mathcal {P}_1(\mathcal {S}, \mathcal {R}), \varvec{x}_i, \mathcal {P}_2(\mathcal {S}, \mathcal {R}, \varvec{x}_i))\) and \((\mathcal {P}_1(\mathcal {S}, \mathcal {R}), \varvec{x}_i', \mathcal {P}_2(\mathcal {S}, \mathcal {R}, \varvec{x}_i'))\) are two accepting transcripts.

Proof

In Fig. 12, we define the algorithm \(\textsf{TryExtractRepeat}\), with integers parameters w and t.

Fig. 12

Algorithm \(\textsf{TryExtractRepeat}\)

We fix \(w = 24\) and

$$t=\Bigg \lceil \frac{\log \left( 1- \exp \left( - \log ( 2)/n\right) \right) }{\log (7/8)} \Bigg \rceil .$$

Let E be the following event: “the one found in step 1 is in a row with a proportion at least \(\varepsilon /2\) of ones”. Then, E has probability at least 1/2 of happening. If E happens, then for every \(i \in \llbracket 1, n \rrbracket \), in step 2, the algorithm \(\textsf{TryExtract}\) is run on a matrix with a proportion at least \(\varepsilon /2 \ge 4/\mathcal {C}\) of ones. Doing the same computations as in the proof of Lemma 3, \(\textsf{Algo}_a\) in \(\textsf{TryExtract}\) runs in time \(T_a \le 16/\varepsilon \) with probability at least 1/2, and \(\textsf{Algo}_b\) has probability

$$\mathbb {P} [T_b \ge 16/\varepsilon ] = \left( 1- \varepsilon /w \right) ^{\lceil 16/\varepsilon \rceil -1} \ge 1/2$$

of exceeding this time. So \(\textsf{TryExtract}\) succeeds with probability at least 1/8, and runs in expected time

$$\mathbb {E}[T_1] \le \frac{2}{\varepsilon }+ \frac{w}{\varepsilon }= \frac{2+w}{\varepsilon } \cdot $$

Now, if we repeat this t times, the probability that at least one of the instances of \(\textsf{TryExtract}\) succeeds is \(p_i \ge 1-(7/8)^t\). We do this for every \(i \in \llbracket 1, n \rrbracket \), so there is a probability

$$p \ge \left( 1-(7/8)^t \right) ^n,$$

that for every i, at least one of the t instances succeeds.

Our choice of t ensures that \(p \ge 1/2\). This means that knowing that E happens, the probability that we find a pair \(\varvec{x}_i, \varvec{x}_i'\) for every \(i \in \llbracket 1, n \rrbracket \) is at least one half. So the probability of success of \(\textsf{TryExtractRepeat}\) is

$$\mathbb {P} [\textsf{TryExtractRepeat} ~ \text {succeeds}] \ge \mathbb {P}[E] \times p \ge 1/4.$$

Moreover, the expected running time of \(\textsf{TryExtractRepeat}\) is

$$\mathbb {E}[T_2] \le \frac{1+nt(2+w)}{\varepsilon } \cdot $$

Finally, consider the algorithm that repeats \(\textsf{TryExtractRepeat}\) until it is successful. The expected number of repetitions is 4, and its expected running time is

$$\mathbb {E}[T] \le \frac{4(1+nt(w+2))}{\varepsilon } \cdot $$

One can show that \(t \le 15 \log n \), for \(n>1\), which gives the bound on the expected running time. \(\square \)