Skip to main content
SpringerLink
Log in

Orbweaver: Succinct Linear Functional Commitments from Lattices

  • Conference paper
  • First Online:
Advances in Cryptology – CRYPTO 2023 (CRYPTO 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14082))

Included in the following conference series:

Abstract

We present Orbweaver, the first plausibly post-quantum functional commitment to achieve quasilinear prover time together with \(O(\log n)\) proof size and \(O(\log n \log \log n)\) verifier time. Orbweaver enables evaluation of linear maps on committed vectors over cyclotomic rings or the integers. It is extractable, preprocessing, non-interactive, structure-preserving, amenable to recursive composition, and supports logarithmic public proof aggregation. The security of our scheme is based on the k-R-ISIS assumption (and its knowledge counterpart), whereby we require a trusted setup to generate a universal structured reference string. We additionally use Orbweaver to construct a succinct polynomial commitment for integer polynomials.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 89.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 119.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    Named for the lattice Orbweaver spider (araneus thaddeus).

  2. 2.

    Proof size is \(O(\log (w\cdot \alpha ))\) and verifier time is \(O(\log (w\cdot \alpha )\log \log (w\cdot \alpha ))\).

  3. 3.

    Our verifier time is \(O(\log (w\cdot \alpha )\log \log (w\cdot \alpha ))\) in the preprocessing setting.

  4. 4.

    We are again ignoring the structure of A as to our knowledge there is no attack that works better for \(R\text {-}\textsf{SIS}\) than \(\textsf{SIS}\).

  5. 5.

    Note that there are known poly-time attacks against some parameter selection for R-SIS, e.g., [21]. Thus, we also need to avoid those parameter selections. In more detail, we follow what is suggested in [2] and pick q such that \(\mathcal {R}_{q}\) fully splits and pick t as specified in Definition 9.

  6. 6.

    Concretely, we can use the set of all \(\mathcal {R}_{q}\) elements t where half of its components in the Chinese remainder theorem representation are zero and the other half are non-zero, as shown in [2].

  7. 7.

    \(\beta _0\) and \(\beta _1\) do not have to be equal, but for simplicity, we set both to \(\beta \). In practice, \(\beta _1\) may be \(\ll \beta _0\), and thus by separating the two, we can greatly reduce the size of \(|{\pi }_{1}|\), but such optimization does not change the asymptotic behavior.

References

  1. Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: Twenty-Eighth Annual ACM Symposium on Theory of Computing. STOC ’96, pp. 99–108 (1996)

    Google Scholar 

  2. Albrecht, M.R., Cini, V., Lai, R.W.F., Malavolta, G., Thyagarajan, S.A.K.: Lattice-based SNARKs: publicly verifiable, preprocessing, and recursively composable - (extended abstract). In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022, Part II. LNCS, vol. 13508, pp. 102–132. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-15979-4_4

    Chapter  Google Scholar 

  3. Albrecht, M.R., Lai, R.W.F.: Subtractive sets over cyclotomic rings. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021, Part II. LNCS, vol. 12826, pp. 519–548. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84245-1_18

    Chapter  Google Scholar 

  4. Ames, S., Hazay, C., Ishai, Y., Venkitasubramaniam, M.: Ligero: lightweight sublinear arguments without a trusted setup. In: 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 2087–2104 (2017)

    Google Scholar 

  5. Attema, T., Cramer, R.: Compressed \(\varSigma \)-protocol theory and practical application to plug  & play secure algorithmics. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 513–543. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_18

    Chapter  Google Scholar 

  6. Attema, T., Cramer, R., Kohl, L.: A compressed \(\varSigma \)-protocol theory for lattices. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021, Part II. LNCS, vol. 12826, pp. 549–579. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84245-1_19

    Chapter  Google Scholar 

  7. Balbás, D., Catalano, D., Fiore, D., Lai, R.W.F.: Functional commitments for circuits from falsifiable assumptions. Cryptology ePrint Archive, Report 2022/1365 (2022)

    Google Scholar 

  8. Baum, C., Bootle, J., Cerulli, A., del Pino, R., Groth, J., Lyubashevsky, V.: Practical lattice-based zero-knowledge proofs for integer relations. In: 38th Annual International Cryptology Conference. CRYPTO 2019, pp. 669–699 (2019)

    Google Scholar 

  9. Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. In: 27th SODA. ACMSIAM, pp. 10–24, January 2016

    Google Scholar 

  10. Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: Fast reed-solomon interactive oracle proofs of proximity. In: ICALP 2018, Vol. 107. LIPIcs. Schloss Dagstuhl, pp. 14:1–14:17, July 2018

    Google Scholar 

  11. Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: Scalable zero knowledge with no trusted setup. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part III. LNCS, vol. 11694, pp. 701–732. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_23

    Chapter  Google Scholar 

  12. Ben-sasson, E., Chiesa, A., Riabzev, M., Spooner, N., Virza, M., Ward, N.: Ligero: lightweight sublinear arguments without a trusted setup. In: Advances in Cryptology - EUROCRYPT 2019, pp. 103–128 (2019)

    Google Scholar 

  13. Ben-Sasson, E., et al.: Functional commitments for all functions, with transparent setup. In: 2014 IEEE Symposium on Security and Privacy, pp. 459–474. IEEE Computer Society Press, May 2014

    Google Scholar 

  14. Beullens, W., Seiler, G.: LaBRADOR: compact proofs for R1CS from module- SIS. Cryptology ePrint Archive, Paper 2022/1341 (2022)

    Google Scholar 

  15. Bitansky, N., Canetti, R., Chiesa, A., Tromer, E.: Functional commitments for all functions, with transparent setup. In: ITCS 2012, pp. 326–349. ACM, January 2012

    Google Scholar 

  16. Bitansky, N., Canetti, R., Chiesa, A., Tromer, E.: Progression-free sets and sublinear pairing-based non-interactive zero-knowledge arguments. In: 45th ACM STOC, pp. 111–120. ACM Press, June 2013

    Google Scholar 

  17. Bitansky, N., Chiesa, A., Ishai, Y., Paneth, O., Ostrovsky, R.: Succinct non-interactive arguments via linear interactive proofs. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 315–333. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36594-2_18

    Chapter  Google Scholar 

  18. Bootle, J., Cerulli, A., Chaidos, P., Groth, J., Petit, C.: Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part II. LNCS, vol. 9666, pp. 327–357. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_12

    Chapter  MATH  Google Scholar 

  19. Bootle, J., Chiesa, A., Sotiraki, K.: Sumcheck arguments and their applications. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12825, pp. 742–773. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84242-0_26

    Chapter  Google Scholar 

  20. Bootle, J., Lyubashevsky, V., Nguyen, N.K., Seiler, G.: A non-PCP approach to succinct quantum-safe zero-knowledge. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part II. LNCS, vol. 12171, pp. 441–469. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_16

  21. Boudgoust, K., Gachon, E., Pellet-Mary, A.: Some easy instances of ideal- SVP and implications on the partial Vandermonde knapsack problem. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022. LNCS, vol. 13508, pp. 480–509. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-15979-4_17

  22. Boudgoust, K., Sakzad, A., Steinfeld, R.: Vandermonde meets Regev: public key encryption schemes based on partial Vandermonde problems. Des. Codes Cryptogr. 1899–1936 (2022)

    Google Scholar 

  23. Bowe, S., Grigg, J., Hopwood, D.: Halo: recursive proof composition without a trusted setup. Cryptology ePrint Archive, Report 2019/1021 (2019). https://eprint.iacr.org/2019/1021

  24. Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting. In: 2018 IEEE Symposium on Security and Privacy, pp. 315–334. IEEE Computer Society Press, May 2018

    Google Scholar 

  25. Bünz, B., Fisch, B., Szepieniec, A.: Transparent SNARKs from DARK compilers. Cryptology ePrint Archive, Report 2019/1229 (2019). https://eprint.iacr.org/2019/1229

  26. Bünz, B., Fisch, B., Szepieniec, A.: Transparent SNARKs from DARK compilers. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 677–706. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_24

    Chapter  Google Scholar 

  27. de Castro, L., Peikert, C.: Functional commitments for all functions, with transparent setup. Cryptology ePrint Archive, Paper 2022/1368 (2022)

    Google Scholar 

  28. Chiesa, A., Hu, Y., Maller, M., Mishra, P., Vesely, N., Ward, N.: Marlin: preprocessing zkSNARKs with universal and updatable SRS. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 738–768. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_26

    Chapter  Google Scholar 

  29. Chiesa, A., Ojha, D., Spooner, N.: Transparent SNARKs from DARK compilers. Cryptology ePrint Archive, Report 2019/1076 (2019). https://eprint.iacr.org/2019/1076

  30. Esgin, M., Nguyen, N.K., Seiler, G.: Practical lattice-based zero-knowledge proofs for integer relations. In: Advances in Cryptology - ASIACRYPT 2020, pp. 259–288 (2020)

    Google Scholar 

  31. Esgin, M.F., Steinfeld, R., Liu, D., Ruj, S.: Functional commitments for all functions, with transparent setup. Cryptology ePrint Archive, Paper 2022/141 (2022)

    Google Scholar 

  32. Esgin, M.F., Steinfeld, R., Liu, J.K., Liu, D.: Lattice-based zero-knowledge proofs: new techniques for shorter and faster constructions and applications. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 115–146. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_5

    Chapter  Google Scholar 

  33. Gabizon, A., Williamson, Z.J., Ciobotaru, O.: PLONK: permutations over lagrange-bases for oecumenical noninteractive arguments of knowledge. Cryptology ePrint Archive, Report 2019/953 (2019). https://eprint.iacr.org/2019/953

  34. Genise, N., Micciancio, D.: Faster Gaussian sampling for trapdoor lattices with arbitrary modulus. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 174–203. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_7

    Chapter  Google Scholar 

  35. Gennaro, R., Gentry, C., Parno, B., Raykova, M.: Progression-free sets and sublinear pairing-based non-interactive zero-knowledge arguments. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 626–645. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_37

    Chapter  Google Scholar 

  36. Gennaro, R., Minelli, M., Nitulescu, A., Orrù, M.: Lattice-based Zk-SNARKs from square span programs. In: 2018 ACM SIGSAC Conference on Computer and Communications Security. CCS ’18, pp. 556–573 (2018)

    Google Scholar 

  37. Gentry, C., Peikert, C., Vaikuntanathan, V.: Faster Gaussian sampling for trapdoor lattices with arbitrary modulus. In: Fortieth Annual ACM Symposium on Theory of Computing. STOC ’08, pp. 197–206 (2008)

    Google Scholar 

  38. Golovnev, A., Lee, J., Setty, S., Thaler, J., Wahby, R.S.: Brakedown: lineartime and post-quantum SNARKs for R1CS. Cryptology ePrint Archive, Paper 2021/1043 (2021)

    Google Scholar 

  39. Groth, J.: On the size of pairing-based non-interactive arguments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 305–326. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_11

    Chapter  Google Scholar 

  40. Groth, J.: Functional commitments for all functions, with transparent setup. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 321–340. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_19

    Chapter  Google Scholar 

  41. Groth, J., Maller, M.: Snarky signatures: minimal signatures of knowledge from simulation-extractable SNARKs. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 581–612. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_20

    Chapter  Google Scholar 

  42. Ishai, Y., Su, H., Wu, D.J.: Shorter and faster post-quantum designated- verifier ZkSNARKs from lattices. In: 2021 ACM SIGSAC Conference on Computer and Communications Security. CCS ’21, pp. 212–234 (2021)

    Google Scholar 

  43. Kate, A., Zaverucha, G.M., Goldberg, I.: Constant-size commitments to polynomials and their applications. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 177–194. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_11

    Chapter  Google Scholar 

  44. Kilian, J.: A note on efficient zero-knowledge proofs and arguments (extended abstract). In: Symposium on the Theory of Computing (1992)

    Google Scholar 

  45. Lipmaa, H.: Progression-free sets and sublinear pairing-based non-interactive zero-knowledge arguments. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 169–189. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28914-9_10

    Chapter  Google Scholar 

  46. Lyubashevsky, V., Nguyen, N.K., Plançon, M.: Lattice-based zero-knowledge proofs and applications: shorter, simpler, and more general. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022. LNCS, vol. 13508, pp. 71–101. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-15979-4_3

  47. Lyubashevsky, V., Nguyen, N.K., Seiler, G.: Practical lattice-based zero- knowledge proofs for integer relations. In: 2020 ACM SIGSAC Conference on Computer and Communications Security. CCS ’20, pp. 1051–1070 (2020)

    Google Scholar 

  48. Maller, M., Bowe, S., Kohlweiss, M., Meiklejohn, S.: Sonic: zero-knowledge SNARKs from linear-size universal and updatable structured reference strings. In: ACM CCS 2019. ACM Press, pp. 2111–2128, November 2019

    Google Scholar 

  49. Micciancio, D.: Generalized compact knapsacks, cyclic lattices, and efficient oneway functions from worst-case complexity assumptions. In: The 43rd Annual IEEE Symposium on Foundations of Computer Science. Proceedings, pp. 356–365 (2002)

    Google Scholar 

  50. Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_41

    Chapter  Google Scholar 

  51. Micciancio, D., Regev, O.: Functional commitments for all functions, with transparent setup. In: Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.) Post-Quantum Cryptography, pp. 147–191 (2009)

    Google Scholar 

  52. Parno, B., Howell, J., Gentry, C., Raykova, M.: Progression-free sets and sublinear pairing-based non-interactive zero-knowledge arguments. In: 2013 IEEE Symposium on Security and Privacy, pp. 238–252. IEEE Computer Society Press, May 2013

    Google Scholar 

  53. Wee, H., Wu, D.J.: Succinct Vector, Polynomial, and Functional Commitments from Lattices. Cryptology ePrint Archive, Paper 2022/1515 (2022)

    Google Scholar 

  54. Xie, T., Zhang, Y., Song, D.: Orion: zero knowledge proof with linear prover time. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022. LNCS, vol. 13510, pp. 299–328. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-15985-5_11

Download references

Acknowledgments

We would like to thank Martin Albrecht and Russell W.F. Lai for answering questions about [2]. We would also like to thank Nicholas Genise for answering our questions about lattice trapdoors.

Author information

Authors and Affiliations

  1. Yale University, New Haven, USA

    Ben Fisch, Zeyu Liu & Psi Vesely

Authors
  1. Ben Fisch
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Zeyu Liu
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Psi Vesely
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Psi Vesely .

Editor information

Editors and Affiliations

  1. Rambus Inc., San Jose, CA, USA

    Helena Handschuh

  2. Brown University, Providence, RI, USA

    Anna Lysyanskaya

Rights and permissions

Reprints and permissions

Copyright information

© 2023 International Association for Cryptologic Research

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Fisch, B., Liu, Z., Vesely, P. (2023). Orbweaver: Succinct Linear Functional Commitments from Lattices. In: Handschuh, H., Lysyanskaya, A. (eds) Advances in Cryptology – CRYPTO 2023. CRYPTO 2023. Lecture Notes in Computer Science, vol 14082. Springer, Cham. https://doi.org/10.1007/978-3-031-38545-2_4

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-38545-2_4

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-38544-5

  • Online ISBN: 978-3-031-38545-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

Search

Navigation