Multilinear Schwartz-Zippel Mod N and Lattice-Based Succinct Arguments

  • Conference paper
Theory of Cryptography (TCC 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14371))

Abstract

We show that for \(\textbf{x}\overset{\$}{\leftarrow }[0,2^\lambda )^\mu \) and any integer N the probability that \(f(\textbf{x})\equiv 0 \bmod N\) for any non-zero multilinear polynomial \(f\in \mathbb {Z}[X_1, \dots ,X_\mu ]\), co-prime to N is inversely proportional to N. As a corollary we show that if \(\log _2 N\ge \log _2(2\mu )\lambda +8\mu ^2 \) then the probability is bounded by \(\frac{\mu +1}{2^\lambda }\). We also give tighter numerically derived bounds, showing that if \(\log _2 N\ge {418}\), and \(\mu \le 20\) the probability is bounded by \(\frac{\mu }{2^\lambda }+2^{-120}\).

We then apply this Multilinear Composite Schwartz-Zippel Lemma (LCSZ) to resolve an open problem in the literature on succinct arguments: that the Bulletproofs protocol for linear relations over classical Pedersen commitments in prime-order groups remains knowledge sound when generalized to commitment schemes that are binding only over short integer vectors. In particular, this means that the Bulletproofs protocol can be instantiated with plausibly post-quantum commitments from lattice hardness assumptions (SIS/R-SIS/M-SIS). It can also be instantiated with commitments based on groups of unknown order (GUOs), in which case the verification time becomes logarithmic instead of linear time.\(^{1}\)

Prior work on lattice-based Bulletproofs (Crypto 2020) and its extensions required modifying the protocol to sample challenges from special sets of polynomial size. This results in a non-negligible knowledge error, necessitating parallel repetition to amplify soundness, which impacts efficiency and poses issues for the Fiat-Shamir transform. Our analysis shows knowledge soundness for the original Bulletproofs protocol with the exponential-size integer challenge set \([0,2^\lambda ]\) and thus achieves a negligible soundness error without repetition, circumventing a previous impossibility result (Crypto 2021). Our analysis also closes a critical gap in the original security proof of DARK, a GUO-based polynomial commitment scheme (Eurocrypt 2020). Along the way to achieving our result we also define Almost Special Soundness (AMSS), a generalization of Special-Soundness. Our main result is divided into two parts: (1) that the Bulletproofs protocol over generalized commitments is AMSS, and (2) that AMSS implies knowledge soundness. This framework serves to simplify the application of our analytical techniques to protocols beyond Bulletproofs in the future.

\(^{1}\) This paper incorporates content published in the updated EPRINT of DARK [18]. The full version of this paper containing proofs is available online [17].
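The lemma in the abstract can be checked exactly on a small grid. The following is an added illustration, not code from the paper: it enumerates every \(\textbf{x}\in [0,2^\lambda )^\mu \) for a constructed multilinear \(f\) with content coprime to \(N\), counts the points where \(f(\textbf{x})\equiv 0 \bmod N\), and compares the root fraction with \(1/N\) and, where the corollary's parameter condition holds, with the bound \((\mu +1)/2^\lambda \). The polynomial, \(\mu =2\), \(\lambda =6\) and the moduli are assumptions chosen so the grid can be enumerated; the dictionary encoding of \(f\) is ours.

```python
import itertools
from math import gcd, log2

# Multilinear polynomial as {frozenset(variable indices): coefficient}.
# Constructed example: f(X1, X2) = 1 + 3*X1 + 5*X2 + 6*X1*X2.
# gcd(1, 3, 5, 6) = 1, so f is coprime to every modulus N.
F = {frozenset(): 1, frozenset({0}): 3, frozenset({1}): 5, frozenset({0, 1}): 6}

def eval_multilinear(f, x, N):
    """Evaluate f at the integer point x and reduce mod N."""
    total = 0
    for monomial, c in f.items():
        term = c
        for i in monomial:
            term *= x[i]
        total += term
    return total % N

def coprime_to(f, N):
    """The lemma's hypothesis: the gcd of the coefficients is coprime to N."""
    content = 0
    for c in f.values():
        content = gcd(content, c)
    return gcd(content, N) == 1

def root_fraction(f, mu, lam, N):
    """Exact Pr[f(x) = 0 mod N] for x uniform in [0, 2^lam)^mu, by enumeration."""
    assert coprime_to(f, N), "lemma requires f coprime to N"
    grid = itertools.product(range(2 ** lam), repeat=mu)
    zeros = sum(1 for x in grid if eval_multilinear(f, x, N) == 0)
    return zeros / (2 ** lam) ** mu

def corollary_applies(mu, lam, N):
    """Parameter condition of the corollary: log2 N >= log2(2 mu) * lam + 8 mu^2."""
    return log2(N) >= log2(2 * mu) * lam + 8 * mu ** 2

def corollary_bound(mu, lam):
    """The corollary's bound (mu + 1) / 2^lam on the root probability."""
    return (mu + 1) / 2 ** lam

if __name__ == "__main__":
    mu, lam = 2, 6  # a 64 x 64 grid, small enough to enumerate exactly
    for N in (2, 7, 2 ** 61 - 1):
        frac = root_fraction(F, mu, lam, N)
        print(f"N={N}: Pr[f(x)=0 mod N]={frac:.4f}  1/N={1 / N:.4f}  "
              f"corollary applies={corollary_applies(mu, lam, N)}  "
              f"bound={corollary_bound(mu, lam):.4f}")
```

For the small moduli the root fraction tracks \(1/N\) (the inverse proportionality in the abstract), while for the 61-bit prime the corollary's condition holds and the fraction stays under \(3/64\).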

Notes

  1. The analysis we provide in this paper also applies to DARK in its original form. We include this in an updated appendix of the original DARK paper.

  2. The subgroup sampling algorithm takes \(\mathbb {G}\) as input, which is interpreted as a succinct description of \(\mathbb {G}\), such as a list of generators, not necessarily the list of all elements in \(\mathbb {G}\).

  3. The extractor can run \(\mathcal {A}\) for any specified number of steps, inspect the internal state of \(\mathcal {A}\), and even rewind \(\mathcal {A}\) to a previous state.

  4. Crucially, the definition does not require the ith position of all transcripts to use the same commitment index. The commitment index \(\mu _i\) used in a particular transcript for the ith commitment \(C^{(i)}\) might be a function of the transcript prefix preceding \(C^{(i)}\).

  5. In a group of unknown order it may be difficult to check that \(z \ne 0 \bmod |\mathbb {G}|\). If g is a generator (e.g., the generator of a subgroup of unknown order) then it suffices to check \(z \cdot g = 0\). In any case, GUOs are typically used for commitments under the hardness assumption that it is difficult to compute any multiple of the order of \(\mathbb {G}\), in which case checking \(z \ne 0 \bmod |\mathbb {G}|\) can be dropped from verification.

  6. When m is a power of two we have that \(\varPhi _m(x) = x^{m/2} + 1\).

  7. If the generators \(\textbf{g}_{\textsf {pp}_\iota }\) are uniformly distributed for any \(\iota \) and \(\mathbb {G}\) is cyclic (or more generally a random element in the span of \(\textbf{g}_{\textsf {pp}_\iota }\) is statistically close to uniform over \(\mathbb {G}\)) then this is equivalent to the assumption that it is hard to compute a multiple of the order of a random element, which is implied by the difficulty of taking square roots of random elements (the RSA assumption) for \(\mathbb {G}\). In certain groups where it is difficult to compute any integer that shares a common factor with \(|\mathbb {G}|\) the assumption holds regardless of how \(\textbf{g}_{\textsf {pp}_\iota }\) is sampled. One such group is the multiplicative subgroup \(\mathbb {H} = \{x^4: x \in \mathbb {Z}_N^\times \}\) for \(N = p \cdot q\), where p and q are unknown safe primes and thus \(|\mathbb {H}| = (p-1)(q-1)/4 = p'\cdot q'\) for unknown primes \(p',q'\).

References

  1. Albrecht, M.R., Lai, R.W.F.: Subtractive sets over cyclotomic rings. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12826, pp. 519–548. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84245-1_18

  2. Attema, T., Cramer, R.: Compressed \(\Sigma \)-protocol theory and practical application to plug & play secure algorithmics. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 513–543. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_18

  3. Attema, T., Cramer, R., Kohl, L.: A compressed \(\Sigma \)-protocol theory for lattices. Cryptology ePrint Archive, Report 2021/307 (2021). https://eprint.iacr.org/2021/307

  4. Attema, T., Cramer, R., Kohl, L.: A compressed \(\Sigma \)-protocol theory for lattices. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12826, pp. 549–579. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84245-1_19

  5. Attema, T., Fehr, S., Kloos, M.: Fiat-Shamir transformation of multi-round interactive proofs. Cryptology ePrint Archive, Report 2021/1377 (2021). https://eprint.iacr.org/2021/1377

  6. Attema, T., Lyubashevsky, V., Seiler, G.: Practical product proofs for lattice commitments. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12171, pp. 470–499. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_17

  7. Beullens, W., Seiler, G.: LaBRADOR: compact proofs for R1CS from module-SIS. Cryptology ePrint Archive, Report 2022/1341 (2022). https://eprint.iacr.org/2022/1341

  8. Bishnoi, A., Clark, P.L., Potukuchi, A., Schmitt, J.R.: On zeros of a polynomial in a finite grid (2015). https://doi.org/10.48550/ARXIV.1508.06020. https://arxiv.org/abs/1508.06020

  9. Block, A.R., Holmgren, J., Rosen, A., Rothblum, R.D., Soni, P.: Time- and space-efficient arguments from groups of unknown order. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12828, pp. 123–152. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84259-8_5

  10. Boneh, D., Drake, J., Fisch, B., Gabizon, A.: Halo Infinite: proof-carrying data from additive polynomial commitments. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12825, pp. 649–680. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84242-0_23

  11. Bootle, J., Cerulli, A., Chaidos, P., Groth, J., Petit, C.: Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 327–357. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_12

  12. Bootle, J., Chiesa, A., Sotiraki, K.: Sumcheck arguments and their applications. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12825, pp. 742–773. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84242-0_26

  13. Bootle, J., Lyubashevsky, V., Nguyen, N.K., Seiler, G.: A non-PCP approach to succinct quantum-safe zero-knowledge. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12171, pp. 441–469. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_16

  14. Bowe, S., Grigg, J., Hopwood, D.: Halo: recursive proof composition without a trusted setup. Cryptology ePrint Archive, Report 2019/1021 (2019). https://eprint.iacr.org/2019/1021

  15. Buchmann, J., Hamdy, S.: A survey on IQ cryptography. In: Public-Key Cryptography and Computational Number Theory, pp. 1–15 (2001)

  16. Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: 2018 IEEE Symposium on Security and Privacy, pp. 315–334. IEEE Computer Society Press (2018). https://doi.org/10.1109/SP.2018.00020

  17. Bünz, B., Fisch, B.: Schwartz-Zippel for multilinear polynomials mod N. Cryptology ePrint Archive, Report 2022/458 (2022). https://eprint.iacr.org/2022/458

  18. Bünz, B., Fisch, B., Szepieniec, A.: Transparent SNARKs from DARK Compilers. Cryptology ePrint Archive, Report 2019/1229 (2019). https://eprint.iacr.org/2019/1229

  19. Bünz, B., Fisch, B., Szepieniec, A.: Transparent SNARKs from DARK compilers. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 677–706. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_24

  20. Campanelli, M., Nitulescu, A., Ràfols, C., Zacharakis, A., Zapico, A.: Linear-map vector commitments and their practical applications. Cryptology ePrint Archive, Report 2022/705 (2022). https://eprint.iacr.org/2022/705

  21. Couteau, G., Peters, T., Pointcheval, D.: Removing the strong RSA assumption from arguments over the integers. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 321–350. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_11

  22. DeMillo, R.A., Lipton, R.J.: A Probabilistic Remark on Algebraic Program Testing. Technical report, Georgia Inst of Tech Atlanta School of Information and Computer Science (1977)

  23. Esgin, M.F., Nguyen, N.K., Seiler, G.: Practical exact proofs from lattices: new techniques to exploit fully-splitting rings. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 259–288. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_9

  24. Gentry, C., Halevi, S., Lyubashevsky, V.: Practical non-interactive publicly verifiable secret sharing with thousands of parties. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022, Part I. LNCS, pp. 458–487. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-06944-4_16

  25. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Ladner, R.E., Dwork, C. (eds.) 40th ACM STOC, pp. 197–206. ACM Press (2008). https://doi.org/10.1145/1374376.1374407

  26. Hoffmann, C., Hubáček, P., Kamath, C., Klein, K., Pietrzak, K.: Practical statistically-sound proofs of exponentiation in any group. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022, Part II. LNCS, pp. 370–399. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-15979-4_13

  27. Kabanets, V., Impagliazzo, R.: Derandomizing polynomial identity tests means proving circuit lower bounds. Comput. Complex. 13(1–2), 1–46 (2004). https://doi.org/10.1007/s00037-004-0182-6

  28. Lai, R.W.F., Malavolta, G.: Subvector commitments with application to succinct arguments. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 530–560. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_19

  29. Langlois, A., Stehlé, D.: Worst-case to average-case reductions for module lattices. Des. Codes Cryptogr. 75(3), 565–599 (2015)

  30. Lyubashevsky, V., Nguyen, N.K., Seiler, G.: Shorter lattice-based zero-knowledge proofs via one-time commitments. In: Garay, J.A. (ed.) PKC 2021. LNCS, vol. 12710, pp. 215–241. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-75245-3_9

  31. Micciancio, D., Peikert, C.: Hardness of SIS and LWE with small parameters. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 21–39. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_2

  32. Nguyen, N.K., Seiler, G.: Practical sublinear proofs for R1CS from lattices. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022, Part II. LNCS, pp. 133–162. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-15979-4_5

  33. Pietrzak, K.: Proofs of catalytic space. In: Blum, A. (ed.) ITCS 2019, pp. 59:1–59:25. LIPIcs (2019). https://doi.org/10.4230/LIPIcs.ITCS.2019.59

  34. Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Commun. Assoc. Comput. Mach. 21(2), 120–126 (1978)

  35. Schwartz, J.T.: Fast probabilistic algorithms for verification of polynomial identities. J. ACM (JACM) 27(4), 701–717 (1980)

  36. Wahby, R.S., Tzialla, I., shelat, a., Thaler, J., Walfish, M.: Doubly-efficient zk-SNARKs without trusted setup. In: 2018 IEEE Symposium on Security and Privacy, pp. 926–943. IEEE Computer Society Press (2018). https://doi.org/10.1109/SP.2018.00060

  37. Wesolowski, B.: Efficient verifiable delay functions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 379–407. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_13

  38. Wikström, D.: Special soundness in the random oracle model. Cryptology ePrint Archive, Report 2021/1265 (2021). https://eprint.iacr.org/2021/1265

  39. Zippel, R.: Probabilistic algorithms for sparse polynomials. In: International Symposium on Symbolic and Algebraic Manipulation, pp. 216–226 (1979)

Correspondence to Benedikt Bünz.

Copyright information

© 2023 International Association for Cryptologic Research

Cite this paper

Bünz, B., Fisch, B. (2023). Multilinear Schwartz-Zippel Mod N and Lattice-Based Succinct Arguments. In: Rothblum, G., Wee, H. (eds) Theory of Cryptography. TCC 2023. Lecture Notes in Computer Science, vol 14371. Springer, Cham. https://doi.org/10.1007/978-3-031-48621-0_14

  • DOI: https://doi.org/10.1007/978-3-031-48621-0_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-48620-3

  • Online ISBN: 978-3-031-48621-0
