Short Zero-Knowledge Proof of Knowledge for Lattice-Based Commitment

Abstract

Commitment scheme, together with zero-knowledge proof, is a fundamental tool for cryptographic design. Recently, Baum et al. proposed a commitment scheme (BDLOP), which is by far the most efficient lattice-based one and has been applied on several latest constructions of zero-knowledge proofs. In this paper, we propose a more efficient zero-knowledge proof of knowledge for BDLOP commitment opening with a shorter proof. There are a few technical challenges, and we develop some new techniques: First, we make an adaption of BDLOP commitment by evaluating the opening with the singular value rather than \(\ell _2\) norm in order to get compact parameters. Then, we try to use the bimodal Gaussian technique to minimize the size of the proof. Finally, utilizing a modulus-switch technique, we can retain the size of the commitment.

A Discussion on Protocol of [3] with Compression Technique

The proof \(\mathbf{z}\) of zero-knowledge proof of opening in [3] contains two part: \(\mathbf{z}^{(1)}\) corresponds to the proof that gets multiplied by the identity matrix of public matrix \(\mathbf{A}_1\) and \(\mathbf{z}^{(2)}\) corresponds to the proof that gets multiplied by \(\mathbf{A}_1'\). The compression technique [2] is to discard \(\mathbf{z}^{(1)}\) totally and the verifier merely checks an approximate equality, i.e. an equality of high-order part.

For an inter x with \(x=\lceil x\rceil _{\gamma }\cdot 2^{\gamma }+[x]_{\gamma }\), we denote \(\lceil x\rceil _{\gamma }\) as the high-order bits and \([x]_{\gamma }=x \bmod 2^{\gamma }\) as the low-order \(\gamma \) bits. The challenge space is \(\mathcal {C}'=\{\mathbf{d}\in \mathcal {R}_q|\Vert \mathbf{d}\Vert _{\infty }=1, \Vert \mathbf{d}\Vert _1=\kappa \}\). The improved protocol \(\varPi _{com}\) of [3] with compression technique [2] is given in Table 3, which satisfies the property of completeness, special soundness and honest-verifier zero-knowledge. Since honest-verifier zero-knowledge property is not affected and will hold as [3] has shown, we only discuss the completeness and special soundness of \(\varPi _{com}\).

Table 3. Improved zero-knowledge proof of knowledge in [3].

Completeness: It is guaranteed by \(\mathbf{A}'_1\mathbf{z}-\mathbf{d}{} \mathbf{c}_1=\mathbf{t}-\mathbf{d}{} \mathbf{r}_1\) and \(\lceil \mathbf{t}-\mathbf{d}{} \mathbf{r}_1 \rceil _{\gamma }=\lceil \mathbf{t}\rceil _{\gamma }\) when \([\mathbf{t}-\mathbf{d}{} \mathbf{r}_1]_{\gamma } < \frac{\gamma }{2}-\max _{\mathbf{d},\mathbf{r}_1}\Vert \mathbf{d}{} \mathbf{r}_1\Vert _2\) holds, which brings an additional abort condition. Thus, adopting an wide-accepted assumption that the low-order bits are uniformly distributed modulo \(\gamma \), the non-abort probability is approximately \((\frac{2(\frac{\gamma }{2}-\max _{\mathbf{d},\mathbf{r}_1}\Vert \mathbf{d}{} \mathbf{r}_1\Vert _2)-1}{\gamma })^N\), which means the larger \(\gamma \) is, the larger non-abort probability we can get.

Special Soundness: Given a commitment \(\mathbf{c}\) and two valid transcripts \((\mathbf{t},\mathbf{d},\mathbf{z}),(\mathbf{t},\mathbf{d}',\mathbf{z}')\), we can extract a valid opening of commitment \(\mathbf{c}\) as follows.

$$\begin{aligned}&\lceil \mathbf{A}'_1\mathbf{z}-\mathbf{d}{} \mathbf{c}_1 \rceil _{\gamma }=\lceil \mathbf{t}\rceil _{\gamma } \end{aligned}$$

(11)

$$\begin{aligned}&\lceil \mathbf{A}'_1\mathbf{z}'-\mathbf{d}'{} \mathbf{c}_1 \rceil _{\gamma }=\lceil \mathbf{t}\rceil _{\gamma } \end{aligned}$$

(12)

Therefore, there exist two low-order term \(\mathbf{e},\mathbf{e}'\) with \(\Vert \mathbf{e}\Vert _{\infty },\Vert \mathbf{e}'\Vert _{\infty }\le \frac{\gamma }{2}\), such that

$$\begin{aligned}&\mathbf{A}'_1\mathbf{z}-\mathbf{d}{} \mathbf{c}_1 =\lceil \mathbf{t}\rceil _{\gamma }\cdot 2^{\gamma }+\mathbf{e} \end{aligned}$$

(13)

$$\begin{aligned}&\mathbf{A}'_1\mathbf{z}'-\mathbf{d}'{} \mathbf{c}_1=\lceil \mathbf{t}\rceil _{\gamma }\cdot 2^{\gamma }+\mathbf{e}' \end{aligned}$$

(14)

From Eqs. (13) and (14), we obtain

$$\begin{aligned} \mathbf{A}_1'(\mathbf{z}-\mathbf{z}')-(\mathbf{d}-\mathbf{d}')\mathbf{c}_1=\mathbf{e}-\mathbf{e}', \end{aligned}$$

(15)

and it yields

$$\begin{aligned} \mathbf{A}_1\left( \begin{array}{c} \mathbf{e}-\mathbf{e}' \\ \mathbf{z}-\mathbf{z}'\\ \end{array}\right) =(\mathbf{d}-\mathbf{d}')\mathbf{c}_1 \end{aligned}$$

(16)

Notice that \(\Vert \mathbf{e}-\mathbf{e}'\Vert _{\infty }\le \gamma \). Assuming \(\gamma \le 4\sigma \), we have \(\Vert \mathbf{e}-\mathbf{e}'\Vert _2\le 4\sigma \sqrt{N}\). Set \(\mathbf{f}=\mathbf{d}-\mathbf{d}'\), \(\mathbf{r}=\left( \begin{array}{c} \mathbf{e}-\mathbf{e}' \\ \mathbf{z}-\mathbf{z}'\\ \end{array}\right) \) and \(\mathbf{x}=\mathbf{c}_2-\mathbf{f}^{-1}{} \mathbf{A}_2\mathbf{r}\). Then \((\mathbf{x},\mathbf{r},\mathbf{f})\) is a valid opening⁵ of commitment \(\mathbf{c}\) in [3].

Now we claim there is a trade-off between the reduced proof size, non-abort probability and security for \(\varPi _{\text {com}}\). When instantiating the protocol \(\varPi _{\text {com}}\), we have to consider the non-abort probability \((\frac{2(\frac{\gamma }{2}-\max _{\mathbf{d},\mathbf{r}_1}\Vert \mathbf{d}{} \mathbf{r}_1\Vert _2)-1}{\gamma })^N\) for completeness and condition \(\gamma \le 4\sigma \) for special soundness. An observation is that the non-abort probability is \(3.7\times 10^{-4}\) with \(\sigma \approx 27000\) and \(\gamma \approx 108000\) under the parameter in [3] (Set I-[3] in Table 2). Thus, it is inevitable to expand \(\sigma \) for a practical non-abort probability. If we choose the non-abort probability \((\frac{2(\frac{\gamma }{2}-\max _{\mathbf{d},\mathbf{r}_1}\Vert \mathbf{d}{} \mathbf{r}_1\Vert _2)-1}{\gamma })^N\approx 0.3\), then Gaussian parameter \(\sigma \) should be 6.3\(\times \) larger than before, which may result in a weaker SIS problem. In fact, the root Hermite factor of SIS increases to 1.0047, though the proof size can be reduced to 5KB under the expanded \(\sigma \). Thus, it seems such improvement with compression technique is possible but at the cost of low non-abort probability or security.