Efficient Zero-Knowledge Arguments and Digital Signatures via Sharing Conversion in the Head

Abstract

We present a novel technique within the MPC-in-the-Head framework, aiming to design efficient zero-knowledge protocols and digital signature schemes. The technique allows for the simultaneous use of additive and multiplicative sharings of secret information, enabling efficient proofs of linear and multiplicative relations. The applications of our technique are manifold. It is first applied to construct zero-knowledge arguments of knowledge for Double Discrete Logarithms. The resulting protocol achieves improved communication complexity without compromising efficiency. We also propose a new zero-knowledge argument of knowledge for the Permuted Kernel Problem. Eventually, we propose a short (candidate) post-quantum digital signature scheme constructed from a new one-way function based on simple polynomials known as fewnomials. This scheme offers simplicity and ease of implementation.

A Security Proofs

Proof

(Theorem 1). For any sampling of the random coins of \(\mathcal {P}\) and \(\mathcal {V}\), if the computation described in the protocol 3 is honestly performed, all the checks of \(\mathcal {V}\) pass. The completeness is hence perfect.    \(\square \)

Proof

(Theorem 2). To prove the special soundness, one has to build an efficient knowledge extractor that returns a solution of the DDLP instance. We first show how to extract a DDLP solution from 3 specific transcripts. Then we explain how to get such transcripts from rewindable black-box access to \(\tilde{\mathcal {P}}\). First, assume that we can get three transcripts \(T_i = (\textsc {Com}^{(i)}, \textsc {Ch}_1^{(i)}, \textsc {Rsp}_1^{(i)}, \textsc {Ch}_2^{(i)}, \textsc {Rsp}_2^{(i)})\) for \(i\in \{1,2,3\}\) from \(\tilde{\mathcal {P}}\), with \(\textsc {Ch}_1^{(i)}:= J^{(i)}\), \( \textsc {Ch}_2^{(i)} := \{\ell ^{(i)}_j\}_{j \in J^{(i)}}\), which satisfy the conditions:

1. 1.

   \(\textsc {Com}^{(1)} = \textsc {Com}^{(2)} = \textsc {Com}^{(3)} = h\),

2. 2.

   there exists \( j_0 \in (J^{(1)} \cap J^{(2)}) \setminus J^{(3)}\) s.t. \(\ell _{j_0}^{(1)} \not = \ell _{j_0}^{(2)}\)

3. 3.

   \(T_1\) and \(T_2\) are success transcripts (i.e. which pass all the tests of \(\mathcal {V}\)),

4. 4.

   \(\textsf {seed}^{[j_0]}\) from \(\textsc {Rsp}_1^{(3)}\) is consistent with the \((x^{[j_0]}, r^{[j_0]}, s^{[j_0]})\) from \(T_1\) and \(T_2\).

We show how to extract a solution of the DDLP instance (g, h, y) from the three transcripts. First, we can assume that all the revealed shares are mutually consistent between the three transcripts. Otherwise, we find a hash collision via condition 1. Thus, we know all the shares for the iteration \(j_0\) from \(T_1\) and \(T_2\) using condition 2. For the sake of clarity, we only consider the variables of the iteration \(j_0\). Thus, this notation is omitted in the following. Consider \(x' := \sum _{j=1}^N \llbracket x\rrbracket _j \bmod p\) as a natural candidate solution for x. Via the multi-party computation, we know

• \(h^{x'}=h^{\sum _{j=1}^N \llbracket x\rrbracket _j} =\prod _{j=1}^N h^{\llbracket x\rrbracket _j}=\prod _{j=1}^N \langle h^{x}\rangle _j \bmod q\)

• the broadcasting of \(\langle \alpha \rangle =\frac{\langle h^{x}\rangle }{\langle s\rangle }\) i.e. \( \alpha =\frac{h^{x}}{s}\bmod q\)

• an additive sharing of \(h^x\) via \(\alpha \llbracket r\rrbracket =\frac{h^{x}}{s}\llbracket r\rrbracket =\llbracket h^{x}\rrbracket \), since from the checked equations at the end of \(T_3\) we get that \(r=s\).

• \(y=\prod _{j=1}^N \langle y\rangle _j \bmod q\) with \(\langle y\rangle _j=g^{\llbracket h^x\rrbracket _j} \bmod q\).

Hence, \(g^{h^{x'}}=g^{\prod _{j=1}^N \langle h^x\rangle _j}=g^{\sum _{j=1}^N \llbracket h^{x}\rrbracket _j}=\prod _{j=1}^N g^{\llbracket h^{x}\rrbracket _j}=\prod _{j=1}^N \langle y\rangle _j = y \bmod q.\) Therefore, \(x'\) is a solution of the considered DDLP. Now, the extractor for the three transcripts can be the one described in appendix E of [FJR23].    \(\square \)

Proof

(Theorem 3). We build a simulator that outputs transcripts indistinguishable from real transcripts without knowing the secret. It has oracle access to some probabilistic polynomial time \(\tilde{\mathcal {V}}\).

1. 1.

   Sample \(J \xleftarrow {\$}\{J\subset [1,M]; |J| = \tau \} \text { and } L = \{\ell _e\}_{e\in J} \xleftarrow {\$}[1,N]^\tau \)

2. 2.

   Sample \(\textsf {mseed}^{[0]} \xleftarrow {\$}\{0,1\}^{\lambda }\)

3. 3.

   \((\textsf {mseed}^{[e]})_{e \in [1,M]} \leftarrow {\text {TreePRG}}(\textsf {mseed}^{[0]})\)

4. 4.

   For \(e\in [1,M]\backslash J\), follow honestly the protocol and deduce \(h_e\)

5. 5.

   For \(e\in J\),

   • Compute \((\textsf {seed}_1^{[e]}, \rho _1^{[e]}), \ldots , (\textsf {seed}_N^{[e]}, \rho _N^{[e]})\) with \({\text {TreePRG}}(\textsf {mseed}^{[e]})\)

   • For each party \(j \in [1,N]\backslash \{\ell _e\}: (\llbracket x^{[e]}\rrbracket _j,\llbracket r^{[e]}\rrbracket _j,\langle s^{[e]}\rangle _j) \leftarrow {\text {PRG}}(\textsf {seed}_j^{[e]}), \textsf {com}_j^{[e]} = \textsf {Com} (\textsf {seed}_j^{[e]}; \rho _j^{[e]})\)

   • Sample \(\varDelta x^{[e]} \xleftarrow {\$}\mathbb {F}_p,\llbracket r^{[e]}\rrbracket _{\ell _e} \xleftarrow {\$}\mathbb {F}_{q}, \langle s^{[e]}\rangle _{\ell _e} \xleftarrow {\$}\mathbb {F}^\times _{q}\)

   • \(\varDelta s^{[e]} = \sum _{j=1}^N \llbracket r^{[e]}\rrbracket _j/ \prod _j \langle s\rangle ^{[e]}_j \bmod q\)

   • \(\alpha ^{[e]}=h^{\sum _{j=1}^N\llbracket x^{[e]}\rrbracket _j+\varDelta x^{[e]}}/ (\varDelta s^{[e]} \prod _{j=1}^N\langle s^{[e]}\rangle _j) \bmod q\)

   • \(\langle g^{h^{x^{[e]}}}\rangle _j=g^{\alpha ^{[e]}\llbracket r^{[e]}\rrbracket _j} \bmod q\)

   • Adapt the output of the party \(\ell _e\): \(\langle g^{h^{x^{[e]}}}\rangle _{\ell _e}=y/\prod _{j\ne \ell _e} \langle g^{h^{x^{[e]}}}\rangle _j \bmod q\)

   • Sample a random commitment \(\textsf {com}_{\ell _e}^{[e]}\).

   • Compute \(h_e = \mathcal {H}_1(\varDelta s^{[e]},\textsf {com}_1^{[e]},\ldots ,\textsf {com}_n^{[e]}), h'_e = \mathcal {H}_3(\varDelta x^{[e]},\langle g^{h^{x^{[e]}}}\rangle ,\alpha ^{[e]})\)

6. 6.

   Compute \(h=\mathcal {H}_2(h_1,\ldots ,h_M),h'=\mathcal {H}_4((h'_e)_{e\in J})\)

7. 7.

   Outputs the transcript

   $$\big (h, h', (\textsf {mseed}^{[e]})_{e\in [1,M]\backslash J}, ((\textsf {seed}_i^{[e]}, \rho _i^{[e]})_{i\not =\ell _e}, \textsf {com}_{\ell _e}^{[e]}, \varDelta x^{[e]}, \varDelta s^{[e]}, \alpha ^{[e]})_{e\in J}\big )~.$$

The distribution of the output transcript is identical to a real one, except for the commitment of the party \(\ell _e\) in each execution \(e\in J\). Distinguishing them means breaking the commitment hiding property or the PRG security.    \(\square \)