Lattice-based zero-knowledge arguments for additive and multiplicative relations

Abstract

In this work, we propose new lattice-based protocols which are used to prove additive and multiplicative relations of committed integers. We introduce three new protocols. The first protocol proves additive relation of integers. In this framework, we introduce a new computational technique which splits the integers into chunks helping to achieve a significant improvement to the integer addition protocol proposed at CRYPTO’18 by reducing the computational costs significantly for commonly used integers of length \(L\in \{2^5,2^6,2^7\}\). Our second protocol presents a new way of proving multiplicative relations of polynomials and improves the performance of the existing polynomial multiplication protocol proposed at ESORICS’15 for small integers. Using these two developed protocols as building blocks, we present our third contribution to prove multiplicative relation of integers and achieve a notable reduction in computational complexity compared to the existing integer multiplication protocol presented at CRYPTO’18.

A. More definitions

Lemma 5

([26], Lemma 4.4)

1. 1.

   For any \(\kappa >0\), .

2. 2.

   For any \(\mathbf {z}\in \mathbb {Z}^m\), and \(\sigma \ge 3/\sqrt{2\pi }, D_{\sigma }^m(\mathbf {z})\le 2^{-m}\).

3. 3.

   For any \(\kappa >1\), if \(m\ge 110\).

Zero-knowledge arguments of knowledge [4]. Let \(\mathcal { P}\) be the prover and \(\mathcal { V}\) be the verifier which are both PPT algorithms. The PPT algorithm \(\mathtt {KeyGen}\) generates the public parameters pp. Note, that in this paper the public parameter is represented by the commitment key of our lattice-based commitment. Furthermore, let \({\texttt {R}}\) be a relation and w be a witness for the statement x. Then, the language is defined as \(L_{pp} =\{x|\exists w: (pp,x,w)\in {\texttt {R}}\}\), which is the set of statements x that have a witness w in the relation \({\texttt {R}}\). When prover \(\mathcal { P}\) interacts with \(\mathcal { V}\), the output of the interaction is denoted by a transcript tr which consists of the initial message from the prover, the challenge from the verifier and the answer from the prover and the decision from the verifier.

Definition 11

(Argument of knowledge) The system \((\mathtt {KeyGen},\mathcal { P},\mathcal { V})\) is called an argument of knowledge for the relation \({\texttt {R}}\) if it satisfies the two properties: completeness and \(k+1\)-special soundness, which are defined below.

Definition 12

(Completeness) The system \((\mathtt {KeyGen},\mathcal { P},\mathcal { V})\) has perfect completeness if for all non-uniform PPT adversaries \(\mathcal { A}\) holds that:

$$\begin{aligned} \Pr \left[ \begin{array}{l}pp\leftarrow \mathtt {KeyGen}(1^\lambda ); (x,w)\leftarrow \mathcal { A}(pp):\\ (pp,x,w)\notin R \vee \langle \mathcal { P}(pp,x,w),\mathcal { V}(pp,x)\rangle =1\end{array}\right] =1-\alpha . \end{aligned}$$

where \(\alpha \) is completeness error.

The second property “k+1 special soundness” is relaxed meaning that the verifier is only convinced of the argument of knowledge of a witness w for a relaxed relation \({\texttt {R}}'\).

Definition 13

(\(k+1\)-Special Soundness) A system \((\mathtt {KeyGen},\mathcal { P},\mathcal { V})\) is \(k+1\) special sound if for all probabilistic polynomial time \(\mathcal { P}^{*}\) there exists an extractor \(\mathcal { E}\), such that for all non-uniform polynomial time interactive adversaries \(\mathcal { A}\) holds:

$$\begin{aligned}&\Pr \left[ \begin{array}{l}pp\leftarrow \mathtt {KeyGen}(1^\lambda ) ; (x,s)\leftarrow \mathcal { A}(pp); tr\leftarrow \langle \mathcal { P}^{*}(pp,x,s),\mathcal { V}(pp,x)\rangle :\mathcal { A}(tr)=1\end{array}\right] \\&\quad \approx \Pr \left[ \begin{array}{l}pp\leftarrow \mathtt {KeyGen}(1^\lambda ) ; (x,s)\leftarrow \mathcal { A}(pp);\\ (tr_i,w)\leftarrow \mathcal { E}^{\langle \mathcal { P}^{*}(pp,x,s),\mathcal { V}(pp,x)\rangle }(pp,x):\mathcal { A}(tr)=1\\ \text {and if }\ \forall i\in [0,k]\ tr_i \ \text {is accepting, then} \ (\sigma ,x,w)\in {\texttt {R}}\end{array}\right] . \end{aligned}$$

Definition 14

(Special Honest Verifier Zero-Knowledge) An argument is called a perfect special honest verifier zero knowledge (SHVZK) argument for a relation \({\texttt {R}}\) if there exists a probabilistic polynomial time simulator \(\mathcal { S}\) such that for all interactive non-uniform polynomial time adversaries \(\mathcal { A}\) we have

$$\begin{aligned}&\Pr \left[ \begin{array}{l}pp\leftarrow \mathtt {KeyGen}(1^\lambda ); (x,w,\rho )\leftarrow \mathcal { A}(pp); tr\leftarrow \\ \langle \mathcal { P}(pp,x:\rho ),\mathcal { V}(pp,x; \rho )\rangle : (pp,x,w)\in {\texttt {R}} \wedge \mathcal { A}(tr)=1\end{array}\right] \\&\quad \approx \Pr \left[ \begin{array}{l}pp\leftarrow KG(1^\lambda ); (x,w,\rho )\leftarrow \mathcal { A}(pp);\\ tr\leftarrow \mathcal { S}(pp,x,\rho ): (pp,x,w)\in {\texttt {R}}\wedge \mathcal { A}(tr)=1\end{array}\right] , \end{aligned}$$

where s denotes the state of \(\mathcal { P}^*\) including the randomness. This means that whenever \(\mathcal { P}^*\) manages to provide a convincing argument while being in stage s, the emulator is able to extract a witness w.

Definition 15

(Public coin) An argument \((\mathtt {KeyGen},\mathcal { P},\mathcal { V})\) is called public coin if the verifier picks the challenges uniformly at random and independent of prover’s messages. It means that the challenges correspond to the verifier’s randomness \(\rho \).

Definition 16

(Commitment Scheme) The formal definition of a commitment scheme is given as follows. A commitment scheme consists of the following three algorithms:

\(\mathtt {KeyGen}:\) is a probabilistic polynomial-time (PPT) algorithm that outputs a commitment key ck and a definition of message space \(\mathfrak {M}_{ck}\).

\(\texttt {Com}:\) is a PPT algorithm that on input the commitment key ck and a message \(\mu \in \mathfrak {M}_{ck}\) outputs values \({\textsf {C}},r\), where \({\textsf {C}}\) is the commitment on \(\mu \) and \(r\in \mathfrak {R}_{ck}\) is the corresponding randomness sampled from randomness space \(\mathfrak {R}_{ck}\).

\(\mathtt {Open}:\) is a deterministic algorithm that on input ck, a message \(\mu \) and values \({\textsf {C}},r\) opens the commitment to the value \(\mu \).

Homomorphic commitment A homomorphic commitment scheme is a non-interactive commitment scheme such that the following property holds:

$$\begin{aligned}&\texttt {Com}_{ck}(a,r_a)+\texttt {Com}_{ck}(b,r_b)=\texttt {Com}(a+b,r_a+r_b),\\&\xi \cdot \texttt {Com}_{ck}(a,r_a)=\texttt {Com}_{ck}(\xi \cdot a,\xi \cdot r_a), \end{aligned}$$

for all \(a,b,\xi \in \mathfrak {M}_{ck}\), and \(r_a,r_b\in \mathfrak {R}_{ck}\).

Definition 17

(Hiding) The commitment scheme given above is computationally hiding if the commitment does not reveal the committed value. Formally, a commitment scheme is hiding if for all PPT interactive adversaries \(\mathcal {A}\) the following approximation holds

$$\begin{aligned} \Pr \left[ \begin{array}{l}ck\leftarrow \mathtt {KeyGen}(1^{\lambda }); (\mu _0,\mu _1)\leftarrow \mathcal {A}(ck);b\leftarrow \{0,1\};\\ r\leftarrow \mathfrak {R}_{ck}; {\textsf {C}}\leftarrow \texttt {Com}_{ck}(\mu _b,r):\mathcal {A}(c)=b\end{array}\right] \approx \frac{1}{2}, \end{aligned}$$

where \(\mathcal {A}\) outputs \(\mu _0,\mu _1\in \mathfrak {M}_{ck}.\)

Definition 18

(Binding) The commitments scheme is computationally binding if a commitment can be opened to one value from the binding set \(\mathfrak {B}_{ck}\) and if for all PPT adversaries \(\mathcal {A}\), it holds that

$$\begin{aligned} \Pr \left[ \begin{array}{l}ck\leftarrow \mathtt {KeyGen}(1^{\lambda }); (\mu _0,r_0,\mu _1,r_1)\leftarrow \mathcal {A}(ck);\\ (\mu _0,r_0)\ne (\mu _1,r_1); \texttt {Com}_{ck}(\mu _0,r_0)=\texttt {Com}_{ck}(\mu _1,r_1)\end{array}\right] \approx 0, \end{aligned}$$

where \(\mathcal {A}\) outputs \((\mu _0,r_0),(\mu _1,r_1)\in \mathfrak {B}_{ck}\).