
A Non-PCP Approach to Succinct Quantum-Safe Zero-Knowledge

Part of the Lecture Notes in Computer Science book series (LNSC, volume 12171)

Abstract

Today’s most compact zero-knowledge arguments are based on the hardness of the discrete logarithm problem and related classical assumptions. If one is interested in quantum-safe solutions, then all of the known techniques stem from the PCP-based framework of Kilian (STOC 92) which can be instantiated based on the hardness of any collision-resistant hash function. Both approaches produce asymptotically logarithmic sized arguments but, by exploiting extra algebraic structure, the discrete logarithm arguments are a few orders of magnitude more compact in practice than the generic constructions.

In this work, we present the first (poly)-logarithmic, potentially post-quantum zero-knowledge arguments that deviate from the PCP approach. At the core of succinct zero-knowledge proofs are succinct commitment schemes (in which the commitment and the opening proof are sub-linear in the message size), and we propose two such constructions based on the hardness of the (Ring)-Short Integer Solution (Ring-SIS) problem, each having certain trade-offs. For commitments to N secret values, the communication complexity of our first scheme is \(\tilde{O}(N^{1/c})\) for any positive integer c, and \(O(\log ^2 N)\) for the second. Both of these are a significant theoretical improvement over the previously best lattice construction by Bootle et al. (CRYPTO 2018) which gave \(O(\sqrt{N})\)-sized proofs.

Keywords

  • Lattices
  • Zero-knowledge proofs
  • SNARKs

This work was supported by the SNSF ERC Transfer Grant CRETP2-166734 – FELICITY. The work was done while the first author was at IBM Research – Zurich.


Notes

  1. Though still technically heuristic because of the assumption that a concrete hash function acts as a random oracle.

  2. We provide additional background in Sect. 2.3 for readers not familiar with previous work.

  3. We note that more concrete bounds could be computed. However, this non-tight bound already shows that Bulletproofs folding offers smaller proof size.

  4. Here, n denotes the degree of the underlying cyclotomic polynomial \(X^n+1\).

  5. This would only asymptotically tell us which method offers smaller proof size.

  6. For improved efficiency, one could reduce the number of columns in \(\mathbf {A}_1\) and make the commitment scheme computationally hiding based on the hardness of the LWE problem.

  7. This constant \(\delta \) is related to the optimal block size in BKZ reduction [22], which is currently the best way of solving the SIS problem. Presently, the optimal lattice reductions set \(\delta \approx 1.005\).

  8. By collecting extracted solutions for all \(\alpha \), we can merge them and thus obtain the overall solution.

  9. Slack here means the Euclidean norm of an extracted solution.

  10. We neglect the \(\log p\) term.
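Footnote 7 treats \(\delta \) as the knob that turns a BKZ block size into a concrete hardness estimate, but does not show how \(\delta \) is used. The Python below is an added illustration, not code or a result from the paper: it applies the standard root-Hermite-factor heuristic for predicting lattice reduction (the kind of prediction made in [22]) to the SIS lattice \(\{\mathbf{x} : \mathbf{A}\mathbf{x} = \mathbf{0} \bmod q\}\), which has rank equal to the number of integer columns \(m'\) and, generically, determinant \(q^n\); for Ring-SIS with a single ring row over \(\mathbb{Z}[X]/(X^n+1)\), n is the degree of footnote 4. The parameter set n = 1024, q = 2^32, m = 4096 is assumed for illustration and is not a parameter set from the paper.

```python
"""Using the root-Hermite factor delta of footnote 7 to estimate SIS hardness.

Added illustration, not from the paper.  Heuristic (standard lattice-reduction
prediction): reduction that achieves root-Hermite factor delta on a rank-m'
lattice of determinant q^n returns a vector of Euclidean norm about
delta^m' * q^(n/m').  The attacker may drop columns to pick the m' <= m that
minimises this, and once the norm bound beta reaches q the vector
(q, 0, ..., 0) is a trivial SIS solution.
"""
import math


def log2_reduction_norm(n, q, delta, m_cols):
    """log2 of the norm reduction with factor delta is expected to reach on m_cols columns."""
    return m_cols * math.log2(delta) + n * math.log2(q) / m_cols


def best_attack(n, q, delta, m_max):
    """Return (m_opt, log2_norm) for the cheapest reduction attack.

    m_opt is None when no sub-lattice beats the trivial q-vector, in which case
    log2_norm is log2(q).  With fewer than n columns the kernel mod q is
    generically just q Z^m', so the scan starts at m' = n.
    """
    best_m, best = None, math.log2(q)
    for m_cols in range(n, m_max + 1):
        v = log2_reduction_norm(n, q, delta, m_cols)
        if v < best:
            best_m, best = m_cols, v
    return best_m, best


def closed_form_log2_norm(n, q, delta):
    """Continuous optimum: m* = sqrt(n log q / log delta) gives norm 2^(2 sqrt(n log q log delta))."""
    return 2 * math.sqrt(n * math.log2(q) * math.log2(delta))


def sis_is_hard(n, q, delta, m_max, beta):
    """Heuristic verdict: SIS with bound beta resists reduction iff beta is below
    the shortest norm the attacker is predicted to reach."""
    return math.log2(beta) < best_attack(n, q, delta, m_max)[1]


if __name__ == "__main__":
    # Assumed toy parameters (not the paper's): rank n = 1024, modulus q = 2^32,
    # at most 4096 integer columns, delta = 1.005 as quoted in footnote 7.
    n, q, delta, m_max = 1024, 2 ** 32, 1.005, 4096
    m_opt, lg = best_attack(n, q, delta, m_max)
    print(f"best m' = {m_opt}, reachable norm ~ 2^{lg:.2f}")
    print(f"closed form      ~ 2^{closed_form_log2_norm(n, q, delta):.2f}")
    for beta in (2 ** 20, 2 ** 31):
        print(f"beta = 2^{int(math.log2(beta))}: hard = {sis_is_hard(n, q, delta, m_max, beta)}")
```

The scan over \(m'\) matters in practice: with too few columns available the predicted norm exceeds q and the trivial q-vector is the best the attacker can do, while with enough columns the flat optimum near \(m^* = \sqrt{n \log q / \log \delta}\) decides the verdict, so a scheme's SIS bound must sit below that optimum with margin rather than below \(\delta^m q^{n/m}\) for the scheme's own m alone.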

References

  1. Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, STOC 1996, pp. 99–108 (1996)

  2. Ames, S., Hazay, C., Ishai, Y., Venkitasubramaniam, M.: Ligero: lightweight sublinear arguments without a trusted setup. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, pp. 2087–2104 (2017)

  3. Attema, T., Lyubashevsky, V., Seiler, G.: Practical product proofs for lattice commitments. IACR Cryptology ePrint Archive, 2020:517 (2020)

  4. Banaszczyk, W.: New bounds in some transference theorems in the geometry of numbers. Math. Ann. 296(1), 625–635 (1993)

  5. Baum, C., Bootle, J., Cerulli, A., del Pino, R., Groth, J., Lyubashevsky, V.: Sub-linear lattice-based zero-knowledge arguments for arithmetic circuits. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 669–699. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_23

  6. Ben-Sasson, E., et al.: Computational integrity with a public random string from quasi-linear PCPs. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part III. LNCS, vol. 10212, pp. 551–579. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_19

  7. Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: Scalable zero knowledge with no trusted setup. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part III. LNCS, vol. 11694, pp. 701–732. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_23

  8. Ben-Sasson, E., Chiesa, A., Riabzev, M., Spooner, N., Virza, M., Ward, N.P.: Aurora: transparent succinct arguments for R1CS. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part I. LNCS, vol. 11476, pp. 103–128. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_4

  9. Benhamouda, F., Camenisch, J., Krenn, S., Lyubashevsky, V., Neven, G.: Better zero-knowledge proofs for lattice encryption and their application to group signatures. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part I. LNCS, vol. 8873, pp. 551–572. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_29

  10. Bernstein, D.J., Hülsing, A., Kölbl, S., Niederhagen, R., Rijneveld, J., Schwabe, P.: The SPHINCS+ signature framework. In: CCS 2019, pp. 2129–2146. ACM (2019)

  11. Boneh, D., Ishai, Y., Sahai, A., Wu, D.J.: Quasi-optimal SNARGs via linear multi-prover interactive proofs. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 222–255. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_8

  12. Bootle, J., Cerulli, A., Chaidos, P., Groth, J., Petit, C.: Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 327–357. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_12

  13. Bootle, J., Lyubashevsky, V., Seiler, G.: Algebraic techniques for short(er) exact lattice-based zero-knowledge proofs. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part I. LNCS, vol. 11692, pp. 176–202. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_7

  14. Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: Proceedings of the 39th IEEE Symposium on Security and Privacy, S&P 2018, pp. 315–334 (2018)

  15. Don, J., Fehr, S., Majenz, C.: The measure-and-reprogram technique 2.0: multi-round Fiat-Shamir and more. CoRR, abs/2003.05207 (2020)

  16. Don, J., Fehr, S., Majenz, C., Schaffner, C.: Security of the Fiat-Shamir transformation in the quantum random-oracle model. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 356–383. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_13

  17. Ducas, L., et al.: CRYSTALS-Dilithium: a lattice-based digital signature scheme. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(1), 238–268 (2018)

  18. Ducas, L., Lyubashevsky, V., Prest, T.: Efficient identity-based encryption over NTRU lattices. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 22–41. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_2

  19. Esgin, M.F., Nguyen, N.K., Seiler, G.: Practical exact proofs from lattices: new techniques to exploit fully-splitting rings. IACR Cryptology ePrint Archive, 2020:518 (2020)

  20. Esgin, M.F., Steinfeld, R., Liu, J.K., Liu, D.: Lattice-based zero-knowledge proofs: new techniques for shorter and faster constructions and applications. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part I. LNCS, vol. 11692, pp. 115–146. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_5

  21. Fuchsbauer, G., Kiltz, E., Loss, J.: The algebraic group model and its applications. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part II. LNCS, vol. 10992, pp. 33–62. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_2

  22. Gama, N., Nguyen, P.Q.: Predicting lattice reduction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 31–51. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_3

  23. Gennaro, R., Minelli, M., Nitulescu, A., Orrù, M.: Lattice-based zk-SNARKs from square span programs. In: Proceedings of the 25th ACM Conference on Computer and Communications Security, CCS 2018, pp. 556–573 (2018)

  24. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC 2008, pp. 197–206 (2008)

  25. Groth, J.: Efficient zero-knowledge arguments from two-tiered homomorphic commitments. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 431–448. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_23

  26. Groth, J.: On the size of pairing-based non-interactive arguments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part II. LNCS, vol. 9666, pp. 305–326. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_11

  27. Groth, J., Kohlweiss, M., Maller, M., Meiklejohn, S., Miers, I.: Updatable and universal common reference strings with applications to zk-SNARKs. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10993, pp. 698–728. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96878-0_24

  28. Kiltz, E., Lyubashevsky, V., Schaffner, C.: A concrete treatment of Fiat-Shamir signatures in the quantum random-oracle model. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 552–586. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_18

  29. Lamport, L.: Constructing digital signatures from a one-way function. Technical Report CSL-98, SRI International (1979)

  30. Liu, Q., Zhandry, M.: Revisiting post-quantum Fiat-Shamir. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 326–355. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_12

  31. Lyubashevsky, V.: Fiat-Shamir with aborts: applications to lattice and factoring-based signatures. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 598–616. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_35

  32. Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_43

  33. Lyubashevsky, V., Micciancio, D.: Asymptotically efficient lattice-based digital signatures. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 37–54. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78524-8_3

  34. Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1

  35. Merkle, R.C.: A certified digital signature. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 218–238. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_21

  36. Nitulescu, A.: Lattice-based zero-knowledge SNARGs for arithmetic circuits. In: Schwabe, P., Thériault, N. (eds.) LATINCRYPT 2019. LNCS, vol. 11774, pp. 217–236. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-30530-7_11

  37. Prest, T., et al.: FALCON. Technical report, National Institute of Standards and Technology (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions

  38. Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_18


Author information

Correspondence to Jonathan Bootle, Vadim Lyubashevsky, Ngoc Khanh Nguyen or Gregor Seiler.

A Knowledge Soundness

In this section, we state the heavy-rows lemma and describe the extraction algorithms used in the proof of Theorem 3.3. A detailed analysis of the extraction algorithms is provided in the full version of this paper.

Fig. 7. Construction of a tree \(\mathcal {T}\) of partial transcripts for \(\mathcal {P}^*\). We denote \(\mathbf {c}'^T_{i+1,j}\) (resp. \(\mathbf {c}'^T_{i+1,j}\)) to be the j-th row of \(\mathbf {C}'_{i+1}\) (resp. \(\mathbf {C}'_{i+1}\)).

Fig. 8. Extracting relaxed openings of levelled commitments, or more concretely, preimages of \(F_{i+1,d}\).

Lemma A.1

Let \(K > 1\) and \(\mathbf{H} \in \left\{ 0,1 \right\} ^{\ell \times n}\) for some \(n,\ell >1\), such that a fraction \(\varepsilon \) of the entries of \(\mathbf{H}\) are 1. We say that a row of \(\mathbf{H}\) is “heavy” if at least a fraction \( \varepsilon /K\) of its entries are ones. Then less than 1/K of the ones in \(\mathbf{H}\) are located in rows that are not heavy; equivalently, more than a \(1 - 1/K\) fraction of the ones lie in heavy rows.
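The lemma is a counting statement: each of the at most \(\ell\) non-heavy rows contains fewer than \(\varepsilon n / K\) ones, so together they hold fewer than \(\varepsilon \ell n / K\) of the \(\varepsilon \ell n\) ones in \(\mathbf{H}\). The Python below is an added check of that statement and is not code from the paper. It reads \(\mathbf{H}\) the way the extractor in Sect. 3 does: rows index a first challenge, columns a second one, and a 1 marks a challenge pair on which \(\mathcal {P}^*\) convinces the verifier, so a uniformly random accepting transcript lands in a heavy row with probability more than \(1 - 1/K\). The matrix H_EXAMPLE and the seeded random matrices are constructed inputs; all arithmetic is exact so the strict inequality is tested as stated.

```python
"""Checking the heavy-rows lemma (Lemma A.1) on constructed 0/1 matrices.

Rows model a prover's first-round challenge and columns a second-round
challenge; H[i][j] = 1 means P* convinces the verifier on that challenge pair.
A rewinding extractor that found one accepting transcript needs further ones
in the same row, and the lemma guarantees the row is heavy with probability
more than 1 - 1/K because the light rows hold fewer than 1/K of all the ones.
"""
from fractions import Fraction
import random


def ones_fraction(H):
    """Fraction epsilon of the entries of H that are 1 (exact rational)."""
    total = sum(len(row) for row in H)
    return Fraction(sum(map(sum, H)), total)


def heavy_rows(H, K):
    """Indices of rows holding at least an epsilon/K fraction of ones."""
    threshold = ones_fraction(H) / Fraction(K)
    return [i for i, row in enumerate(H)
            if Fraction(sum(row), len(row)) >= threshold]


def ones_in_light_rows_fraction(H, K):
    """Share of all ones that sit in non-heavy rows; Lemma A.1 bounds it by < 1/K."""
    heavy = set(heavy_rows(H, K))
    total_ones = sum(map(sum, H))
    if total_ones == 0:  # P* never convinces the verifier: nothing to extract, bound is vacuous
        return Fraction(0)
    light_ones = sum(sum(row) for i, row in enumerate(H) if i not in heavy)
    return Fraction(light_ones, total_ones)


def lemma_holds(H, K):
    """True iff fewer than 1/K of the ones of H lie in light rows, as the lemma states."""
    return ones_in_light_rows_fraction(H, K) < 1 / Fraction(K)


# Constructed 4 x 8 success matrix (not from the paper): 7 ones, epsilon = 7/32.
H_EXAMPLE = [
    [1, 1, 1, 1, 0, 0, 0, 0],
    [1, 0, 0, 0, 0, 0, 0, 0],
    [0, 0, 0, 0, 0, 0, 0, 0],
    [1, 1, 0, 0, 0, 0, 0, 0],
]


def random_check(trials=200, seed=7):
    """Exercise the lemma on seeded random matrices of varying shape and density."""
    rng = random.Random(seed)
    for _ in range(trials):
        ell, n = rng.randint(2, 12), rng.randint(2, 12)
        p = rng.random()
        H = [[1 if rng.random() < p else 0 for _ in range(n)] for _ in range(ell)]
        K = rng.choice([Fraction(3, 2), 2, 3, 5])
        if not lemma_holds(H, K):
            return False
    return True


if __name__ == "__main__":
    K = Fraction(3, 2)  # K need not be an integer, only K > 1
    print("epsilon =", ones_fraction(H_EXAMPLE))
    print("heavy rows for K = 3/2:", heavy_rows(H_EXAMPLE, K))
    print("share of ones in light rows:", ones_in_light_rows_fraction(H_EXAMPLE, K), "< 1/K =", 1 / K)
    print("random trials all satisfy the lemma:", random_check())
```

With K = 3/2 the threshold is 7/48, so the row with a single one (1/8 < 7/48) is light and carries 1/7 of the ones, well under 1/K = 2/3; with K = 2 that same row becomes heavy (1/8 ≥ 7/64) and no ones are lost at all, which is the trade-off an extractor makes when it lowers K to need fewer rewinds per row.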


Copyright information

© 2020 International Association for Cryptologic Research


Cite this paper

Bootle, J., Lyubashevsky, V., Nguyen, N.K., Seiler, G. (2020). A Non-PCP Approach to Succinct Quantum-Safe Zero-Knowledge. In: Micciancio, D., Ristenpart, T. (eds) Advances in Cryptology – CRYPTO 2020. CRYPTO 2020. Lecture Notes in Computer Science, vol 12171. Springer, Cham. https://doi.org/10.1007/978-3-030-56880-1_16

  • DOI: https://doi.org/10.1007/978-3-030-56880-1_16
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-030-56879-5
  • Online ISBN: 978-3-030-56880-1