Lattice-Based Zero-Knowledge and Applications
Vadim Lyubashevsky IBM Research – Zurich
Dec. 14, 2019
In the discrete log world: g^x = h, where x is randomly chosen in Z_p for p ≈ 2^256. Given g and h, it's hard to find x. Based on this assumption, one can build all sorts of schemes. In many schemes, we want to prove, in zero-knowledge, that we know x. It's easy and efficient for discrete log, e.g. the Schnorr protocol.
The Schnorr protocol. Prover: (g, x). Verifier: (g, h).
Prover: y ← Z_p, w := g^y; sends w.
Verifier: c ← Z_p; sends c.
Prover: z := xc + y; sends z.
Verifier: checks g^z = h^c · w.
Correctness: g^{xc+y} = g^{xc} · g^y = h^c · w.
Honest-Verifier Zero Knowledge: generate random c, z ← Z_p and set w = g^z / h^c. Then (w, c, z) has the same distribution as in the protocol, and g^z = h^c · w holds by construction.
Proof of Knowledge. Extractor: (g, h) runs the prover, receives w, and rewinds it to answer two distinct challenges c and c' with responses z and z' satisfying g^z = h^c · w and g^{z'} = h^{c'} · w. Dividing the two equations: g^{z-z'} = h^{c-c'} ⇒ g^{(z-z')/(c-c')} = h, so the extractor obtains x = (z - z')/(c - c'). A successful prover must be able to answer more than one distinct challenge.
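The Schnorr protocol, its honest-verifier simulator and its extractor, as an added worked example in Python that is not part of the slides. It assumes a constructed toy group: the subgroup of order q = 11 generated by g = 4 in Z_23^*, with exponent arithmetic mod the group order q (the Z_p of the slides); x = 7 and every other number are constructed values, far too small for real use.

```python
import secrets

# Constructed toy parameters: p = 23 is prime and g = 4 generates the subgroup of
# prime order q = 11 in Z_p^*. Exponents (x, y, c, z) live in Z_q.
P, Q, G = 23, 11, 4

def keygen(x=None):
    """Secret x in Z_q, public h = g^x mod p."""
    if x is None:
        x = secrets.randbelow(Q)
    return x, pow(G, x, P)

def prover_commit(y=None):
    """First move: pick y in Z_q and send w = g^y."""
    if y is None:
        y = secrets.randbelow(Q)
    return y, pow(G, y, P)

def prover_respond(x, y, c):
    """Third move: z = xc + y mod q."""
    return (x * c + y) % Q

def verify(h, w, c, z):
    """Verifier's check: g^z == h^c * w (mod p)."""
    return pow(G, z, P) == (pow(h, c, P) * w) % P

def simulate(h):
    """HVZK simulator: sample c and z first, then solve for w = g^z / h^c.
    The transcript verifies and has the honest distribution, yet x was never used."""
    c, z = secrets.randbelow(Q), secrets.randbelow(Q)
    w = (pow(G, z, P) * pow(pow(h, c, P), -1, P)) % P
    return w, c, z

def extract(c1, z1, c2, z2):
    """Given two accepting transcripts that share w with c1 != c2 (rewinding),
    recover x = (z1 - z2) / (c1 - c2) mod q."""
    assert c1 != c2
    return ((z1 - z2) * pow((c1 - c2) % Q, -1, Q)) % Q
```

`extract` only needs the two responses and challenges because both transcripts use the same w; that is exactly the rewinding the extractor performs, and it is why a prover who can answer only a single challenge value proves nothing.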
The lattice world: A · s = t mod q, where A is an n × m matrix over Z_q and s has small coefficients, e.g. {0,1}. The modulus q is ≈ 2^12 (for encryption), ≈ 2^20 (for signatures), > 2^30 (for more complicated things, e.g. FHE). Problem: given A, t, find s (with small coefficients) such that As = t. All lattice problems (e.g. LWE, SIS) look like this.
The same protocol for As = t. Prover: (A, s). Verifier: (A, t).
Prover: y ← Z_q^m, w := Ay; sends w.
Verifier: c ← Z_q; sends c.
Prover: z := sc + y; sends z.
Verifier: checks Az = tc + w.
Correctness: A(sc + y) = Asc + Ay = tc + w.
Honest-Verifier Zero Knowledge: generate random c ← Z_q, z ← Z_q^m and set w := Az - tc. Then (w, c, z) has the same distribution as in the protocol.
Proof of Knowledge: from two accepting transcripts (w, c, z) and (w, c', z') with c ≠ c', the equations Az = tc + w and Az' = tc' + w give A(z - z') = t(c - c') ⇒ A(z - z')/(c - c') = t. A successful prover must be able to answer more than one distinct challenge.
Does this prove what we want? NO! The challenge space is only q ≈ 2^20. And z - z' and c - c' are both big, so the extracted (z - z')/(c - c') is big, whereas we wanted to prove knowledge of an s with small coefficients!
Summary for this protocol: doesn't prove what we want (extracted s too big); soundness error only 2^-20 (challenge space too small).
Binary challenges, repeated k times. Prover: (A, s). Verifier: (A, t).
Prover: y_1, …, y_k ← {0,1}^m, w_i := A y_i; sends w_1, …, w_k.
Verifier: c_1, …, c_k ← {0,1}; sends c_1, …, c_k.
Prover: z_i := s c_i + y_i; sends z_1, …, z_k.
Verifier: for all i, checks A z_i = t c_i + w_i and that the coefficients of z_i are in {0,1,2}.
Proof of Knowledge: rewinding gives, for some i, two accepting responses z_i, z_i' (for the same w_i) to challenges c_i ≠ c_i', so c_i - c_i' ∈ {-1,1} and z_i - z_i' has coefficients in {-2,-1,0,1,2}: A(z_i - z_i') = t(c_i - c_i') ⇒ A(z_i - z_i')/(c_i - c_i') = t. A successful prover must be able to answer more than one distinct challenge.
Result: proved knowledge of s with {-2,-1,0,1,2} coefficients satisfying As = t. Have to repeat the protocol k = 128 – 256 times. And there is a bigger problem…
Honest-Verifier Zero Knowledge: generate random c_1, …, c_k ← {0,1}, and z = ?? The distribution of z is not uniform: it depends on s.
Suppose that c = 1, so z = s + y coefficient-wise, with the coefficients of sc = s in {0,1} and the coefficients of y random in {0,1}. A z coefficient equal to 0 can only come from s = 0, y = 0, and a z coefficient equal to 2 only from s = 1, y = 1: those positions reveal coefficients of s.
Now let the coefficients of y be random in {0,1,2,3,4,5}. A z coefficient equal to 0 or 6 still reveals the corresponding coefficient of s, but none of the other coefficients of s are revealed! For example, Pr[z=4 | s=0] = Pr[y=4] = 1/6 and Pr[z=4 | s=1] = Pr[y=3] = 1/6. The full table:
z   Pr[z | s=0]   Pr[z | s=1]
0   1/6           0
1   1/6           1/6
2   1/6           1/6
3   1/6           1/6
4   1/6           1/6
5   1/6           1/6
6   0             1/6
The coefficient values 1, 2, 3, 4, 5 are equally likely to appear regardless of s, so let's only send z when all coefficients are in this range!
In general: suppose s has coefficients in {0,…,a} and y is chosen randomly from {0,…,b-1} with b > a. For all a ≤ j < b, Pr_y[s + y = j] = 1/b (and there are b - a such j), so there is a 1 - a/b chance of keeping s a secret.
With a = 1: Pr[a coefficient of z is in {1,…,b-1}] = 1 - 1/b; Pr[all coefficients of z are in {1,…,b-1}] = (1 - 1/b)^m; Pr[all coefficients of all z_i are in {1,…,b-1}] = (1 - 1/b)^{mk}. Set b = mk ⇒ (1 - 1/b)^{mk} ≈ 1/e.
The protocol with aborts. Prover: (A, s). Verifier: (A, t).
Prover: y_1, …, y_k ← {0,…,mk}^m, w_i := A y_i; sends w_1, …, w_k.
Verifier: c_1, …, c_k ← {0,1}; sends c_1, …, c_k.
Prover: z_i := s c_i + y_i. If any coefficient of any z_i is 0 or mk+1, abort (send ◊); otherwise sends z_1, …, z_k.
Verifier: for all i, checks A z_i = t c_i + w_i and that the coefficients of z_i are in {0,…,mk}.
Proof of Knowledge: rewinding gives two accepting responses z_i, z_i' for the same w_i and challenges c_i ≠ c_i', so c_i - c_i' ∈ {-1,1} and z_i - z_i' has coefficients in {-mk,…,mk}: A(z_i - z_i') = t(c_i - c_i') ⇒ A(z_i - z_i')/(c_i - c_i') = t. A successful prover must be able to answer more than one distinct challenge.
Honest-Verifier Zero Knowledge: what is w_i when z_i = ◊? Can't simulate this, but it doesn't matter.
Hashing the first message. Prover: (A, s). Verifier: (A, t).
Prover: y_1, …, y_k ← {0,…,mk}^m, w_i := A y_i, r := H(w_1, …, w_k); sends r.
Verifier: c_1, …, c_k ← {0,1}; sends c_1, …, c_k.
Prover: z_i := s c_i + y_i. If any coefficient of any z_i is 0 or mk+1, abort (send ◊); otherwise sends z_1, …, z_k.
Verifier: checks H(Az_1 - tc_1, …, Az_k - tc_k) = r and that the coefficients of every z_i are in {0,…,mk}.
Honest-Verifier Zero Knowledge: what is w_i when z_i = ◊? Don't care, just send a random r.
Result: proved knowledge of s with {-mk,…,mk} coefficients satisfying As = t. Have to repeat the protocol 128 – 256 times.
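The coefficient-leakage analysis and the aborting protocol above (binary challenges, y_i uniform in {0,…,mk}, abort when a coefficient of some z_i is 0 or mk+1), together with the hashed first message, as one added Python example that is not part of the slides. A, s, q = 97, n = 3, m = 6 and k = 4 are constructed toy values (real parameters have hundreds of dimensions and q ≈ 2^20), SHA-256 stands in for H, and all function names are the example's own.

```python
import hashlib
import secrets

# Constructed toy parameters: A is n x m over Z_q, s is a {0,1} vector, t = A s mod q.
# k parallel repetitions with one-bit challenges; y coefficients are uniform in {0, ..., mk}.
Q, N, M, K = 97, 3, 6, 4
B = M * K
A = [[3, 14, 27, 58, 9, 41],
     [22, 5, 77, 13, 60, 31],
     [89, 46, 2, 70, 18, 55]]
S = [1, 0, 1, 1, 0, 0]

def matvec(mat, vec):
    return [sum(a * v for a, v in zip(row, vec)) % Q for row in mat]

T = matvec(A, S)

def sample_y():
    return [secrets.randbelow(B + 1) for _ in range(M)]

def respond(s, y, c):
    """z = s*c + y over the integers. A coefficient equal to 0 or mk+1 is reachable for only one
    value of the matching s coefficient and would leak it, so the prover aborts (returns None)."""
    z = [si * c + yi for si, yi in zip(s, y)]
    return None if any(zi == 0 or zi == B + 1 for zi in z) else z

def verify_one(t, w, c, z):
    """One repetition: A z = t c + w (mod q) and every coefficient of z in {0, ..., mk}."""
    if z is None or any(not 0 <= zi <= B for zi in z):
        return False
    return matvec(A, z) == [(ti * c + wi) % Q for ti, wi in zip(t, w)]

def extract(t, z, z2, c, c2):
    """Two accepting responses for the same w with challenges c != c2 (here 1 and 0) give
    A (z - z2) = t (c - c2), with every coefficient of z - z2 in {-mk, ..., mk}."""
    d = [a - b for a, b in zip(z, z2)]
    assert c != c2 and matvec(A, d) == [(ti * (c - c2)) % Q for ti in t]
    return d

def simulate(t):
    """HVZK simulator for one repetition: pick c and z first (each coefficient of an honest,
    non-aborting z is uniform on {1, ..., mk} whatever s is), then set w = A z - t c."""
    c = secrets.randbelow(2)
    z = [1 + secrets.randbelow(B) for _ in range(M)]
    w = [(a - ti * c) % Q for a, ti in zip(matvec(A, z), t)]
    return w, c, z

def z_distribution(s_coeff, b):
    """Pr[z = j | s = s_coeff] for c = 1 and y uniform in {0, ..., b-1} (the slide's table):
    only j = 0 and j = b depend on s; every j in {1, ..., b-1} has probability 1/b either way."""
    return {j: (1 / b if s_coeff <= j <= s_coeff + b - 1 else 0.0) for j in range(b + 1)}

def no_abort_probability(m, k):
    """Each of the mk coefficients aborts with probability exactly 1/(mk+1) regardless of s,
    so Pr[no abort] = (1 - 1/(mk+1))^(mk), about 1/e."""
    return (1 - 1 / (m * k + 1)) ** (m * k)

def hash_commitments(ws):
    return hashlib.sha256(",".join(str(x) for w in ws for x in w).encode()).digest()

def fs_challenges(r):
    """The k challenge bits are read off r = H(w_1, ..., w_k)."""
    return [(r[i // 8] >> (i % 8)) & 1 for i in range(K)]

def prove_fs(s, ys):
    """Hashed-first-message proof (r, z_1..z_k); an abort in any repetition yields (None, None)."""
    ws = [matvec(A, y) for y in ys]
    r = hash_commitments(ws)
    zs = [respond(s, y, c) for y, c in zip(ys, fs_challenges(r))]
    return (r, zs) if all(z is not None for z in zs) else (None, None)

def verify_fs(t, r, zs):
    """Recompute w_i = A z_i - t c_i from the challenge bits of r, then check ranges and the hash."""
    if r is None or any(not 0 <= zi <= B for z in zs for zi in z):
        return False
    ws = [[(a - ti * c) % Q for a, ti in zip(matvec(A, z), t)] for z, c in zip(zs, fs_challenges(r))]
    return hash_commitments(ws) == r
```

`respond` is where the rejection happens: the abort rule depends only on z, not on s, and `z_distribution` shows why the surviving coefficients carry no information about s. `simulate` never touches s and still produces transcripts that `verify_one` accepts, which is the honest-verifier zero-knowledge argument in executable form.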
equations (amortization with log growth)
allows for “1-shot” approximate proofs ➔digital signatures)
shot exact proofs (i.e. prove that coefficients of s are in {0,1})
Amortization: have equations A s_1 = t_1, …, A s_j = t_j where the s_i have 0/1 coefficients. Write them as A · S = T mod q, with S the m × j matrix whose columns are the s_i and T the n × j matrix whose columns are the t_i. Prover: (A, S). Verifier: (A, T).
Prover: Y ← {0,…,mkj}^{m × k}, W := AY; sends W.
Verifier: C ← {0,1}^{j × k}; sends C.
Prover: Z := SC + Y. If some coefficient … abort (send ◊); otherwise sends Z.
Verifier: checks AZ = TC + W and that all coefficients of Z are less than mkj.
Pr[not sending ◊] = (1 - j/mkj)^{mk} ≈ 1/e. The dimension of Z does not depend on j. Correctness and honest-verifier zero-knowledge exactly as before.
Proof of Knowledge. Extractor: (A, T) receives W and, by rewinding, obtains C, Z and C', Z' with AZ = TC + W and AZ' = TC' + W, hence A(Z - Z') = T(C - C'). Each column of C is random from {0,1}^k, and the prover must be able to answer correctly over this randomness. If C - C' is a matrix with a single 1 and all other entries 0, the corresponding column of Z - Z' is a short vector s_i with A s_i = t_i.
Back to A · s = t mod q with A of dimension n × m. The challenge c should be small and come from a large space. Impossible when c is in the ring Z. Solution: work over larger rings that have many small elements, e.g. instead of Z, work over Z[X]/(X^d+1).
Example: Z_17[X]/(X^4+1). Elements are z(X) = z_3 X^3 + z_2 X^2 + z_1 X + z_0 where the z_i are integers mod 17. Addition is the usual coordinate-wise addition. Multiplication is the usual polynomial multiplication followed by reduction modulo X^4+1.
(X^3 - 2X - 1)(-3X^2 + 6) = -3X^5 + 12X^3 + 3X^2 - 12X - 6 = 3X + 12X^3 + 3X^2 - 12X - 6 (since X^4 = -1, so -3X^5 = 3X) = -5X^3 + 3X^2 + 8X - 6 (mod 17). Important: reductions modulo X^4+1 do not increase the coefficients! (For some moduli, there could be an exponential increase – these are not useful for crypto.)
A · s = t mod q over the ring, with A of dimension n/d × m/d. Can define the same problems over the ring Z[X]/(X^d+1). Can have the dimensions divided by d for the same (believed) hardness. Big advantage for ZK proofs → there are 2^d elements with 0/1 coefficients.
Notation: R = Z[X]/(X^d+1), R_q = Z_q[X]/(X^d+1), [B] = subset of R with coefficients between –B and B.
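Arithmetic in Z[X]/(X^d+1) as an added Python example that is not part of the slides. It reproduces the slide's product (X^3 - 2X - 1)(-3X^2 + 6) in Z_17[X]/(X^4+1), checks the bound ||a·b||_∞ ≤ d·||a||_∞·||b||_∞ that holds for this modulus (it is why multiplying s by a challenge c ∈ [1] keeps the coefficients within [d], and hence why the masking y is drawn from [β+d] in the protocol below), and contrasts X^4+1 with X^2 - X - 1, a constructed example of a modulus under which repeated reduction blows coefficients up (Fibonacci growth). The function names and the second modulus are the example's own.

```python
# Toy ring from the slides: Z_17[X]/(X^4 + 1). Polynomials are coefficient lists, index i holding
# the coefficient of X^i. Real schemes use d = 256 or larger and q of 20+ bits.
D, Q = 4, 17
NEGACYCLIC = [1, 0, 0, 0, 1]   # X^4 + 1 as a monic coefficient list (index = power)
FIB_MOD = [-1, -1, 1]          # X^2 - X - 1: a constructed modulus that is NOT coefficient-friendly

def poly_mulmod(a, b, mod):
    """Multiply a and b over Z and reduce modulo the monic polynomial mod of degree d = len(mod)-1.
    Reduction applies X^d = -(mod[0] + mod[1] X + ... + mod[d-1] X^(d-1)) from the top degree down."""
    d = len(mod) - 1
    prod = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] += ai * bj
    for k in range(len(prod) - 1, d - 1, -1):
        coef, prod[k] = prod[k], 0
        for i in range(d):
            prod[k - d + i] -= coef * mod[i]
    res = prod[:d]
    return res + [0] * (d - len(res))

def ring_mul(a, b, q=None):
    """Product in Z[X]/(X^4+1); with q given, coefficients are reduced into {0, ..., q-1}."""
    res = poly_mulmod(a, b, NEGACYCLIC)
    return [x % q for x in res] if q else res

def centered(a, q):
    """Representatives in [-(q-1)/2, (q-1)/2] for odd q, the form the slide uses (12 = -5 mod 17)."""
    return [((x + q // 2) % q) - q // 2 for x in a]

def inf_norm(a):
    return max(abs(x) for x in a)

def x_power(n, mod):
    """X^n reduced modulo mod, to watch how coefficients behave under repeated reduction."""
    r = [1] + [0] * (len(mod) - 2)
    for _ in range(n):
        r = poly_mulmod(r, [0, 1], mod)
    return r

# The slide's example: (X^3 - 2X - 1) and (-3X^2 + 6).
SLIDE_A = [-1, -2, 0, 1]
SLIDE_B = [6, 0, -3, 0]
```

For X^4+1 a reduction only moves a term down by d and flips its sign, so each output coefficient is a sum of at most d products, which gives the norm bound. For X^2 - X - 1 the reduction X^2 = X + 1 feeds the reduced terms back into each other, and the coefficients of X^n grow like Fibonacci numbers.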
The protocol over R_q. Prover: (A, s). Verifier: (A, t).
Prover: y ← [β+d]^m, w := Ay; sends w.
Verifier: c ← [1]; sends c.
Prover: z := sc + y. If z is not in [β]^m, send ◊; otherwise sends z.
Verifier: checks Az = tc + w and z ∈ [β]^m.
Correctness and HVZK as before.
Proof of Knowledge: A(z - z') = t(c - c') ⇒ A(z - z')/(c - c') = t. A successful prover must be able to answer more than one distinct challenge. But the quotient of two small polynomials (z - z' is small, c - c' is small) is not small. Still, obtaining small z - z' and c - c' with A(z - z') = t(c - c') is good enough for signatures / commitments.
Signatures. Signer: (A, s). Verifier: (A, t).
Signer: y ← [β+d]^m, w := Ay, c := H(w, μ), z := sc + y. If z is not in [β]^m, restart. Output (z, c).
Verifier: checks Az = tc + w and z ∈ [β]^m; equivalently, since w = Az – tc, checks H(Az – tc, μ) = c and z ∈ [β]^m.
Simulating the signer with an unknown random t = HVZK proof. Extraction = ZK proof extraction + programming the random oracle H. Obtain A(z - z') = t(c - c').
In A(z - z') = t(c - c') with A of dimension n/d × m/d: t looks random (LWE), and the small z - z', c - c' satisfying the equation are a SIS solution.
with ZK opening (used in the next section)
(pk ≈ 1.5KB, sig ≈ 2.7KB)
square root in the dimension in the output norm by using gaussians
For vectors s, t, s ∘ t is the component-wise product of s and t: (s_1, s_2, s_3) ∘ (t_1, t_2, t_3) = (s_1 t_1, s_2 t_2, s_3 t_3). Coefficients of s are 0/1 iff s ∘ (s - 1) = 0.
For vectors s, t (over a field F_p), S = Com(s), T = Com(t). Commitment properties:
1. Hiding
2. Binding
3. Homomorphism: Open(S + T) = s + t ⇒ for all c in F_p, Open(cS) = cs
4. Practical ZKPoK of homomorphic relations
Prover (knows s with As = t) and Verifier.
Prover: choose random y, w = Ay; sends w.
Verifier: choose random c in F_p; sends c.
Prover: z = y + cs; sends z.
Verifier: "verify" that s ∘ (s - 1) = 0 and As = t.
Key observation: z ∘ (z - c·1) = (y + cs) ∘ (y + c(s - 1)) = c^2 s ∘ (s - 1) + c y ∘ (2s - 1) + y ∘ y; write g = y ∘ (2s - 1) and h = y ∘ y. If s is 0/1, the c^2 term vanishes and z ∘ (z - c·1) = cg + h, where g and h are fixed before c is chosen. That this proves s ∘ (s - 1) = 0 follows from the Schwartz–Zippel lemma: suppose that s ∘ (s - 1) = r ≠ 0; then z ∘ (z - c·1) = c^2 r + cg' + h', and Pr_c[c^2 r + cg' + h' = cg + h] ≤ 2/p.
The full protocol. Prover: choose random y, w = Ay, S = Com(s), Y = Com(y), G = Com(g), H = Com(h); sends S, Y, G, H, w. Verifier: sends c. Prover: sends π_1, …, π_6, z. Verifier: checks π_1, …, π_6.
The challenge c is used in three distinct places and needs to have compatible algebraic properties: it must be in the field in which we want to have 0/1 coefficients; it must be compatible with multiplication with s; and it must be compatible with multiplication with S.
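The key observation and its Schwartz–Zippel soundness argument as an added Python example that is not part of the slides. It works over a constructed toy field F_101 with the commitments left out: g = y ∘ (2s - 1) and h = y ∘ y are simply handed to the verifier before c is chosen, which is what the commitments G and H enforce. The last function counts, for a fixed non-binary s and fixed g, h, the challenges c for which the checks still pass, and the test shows that the bound of 2 can be met exactly by a prover who picks g, h to fit two chosen challenges. Names and the matrix A are the example's own.

```python
P = 101   # constructed toy prime; the slide's bound is 2/p, so p must be large in practice

def hadamard(u, v):
    """s ∘ t: component-wise product over F_p."""
    return [(a * b) % P for a, b in zip(u, v)]

def vec_add(u, v, c=1):
    """u + c*v over F_p."""
    return [(a + c * b) % P for a, b in zip(u, v)]

def matvec(mat, vec):
    return [sum(a * x for a, x in zip(row, vec)) % P for row in mat]

def key_observation(s, y, c):
    """Both sides of z ∘ (z - c·1) = c^2 s∘(s-1) + c y∘(2s-1) + y∘y, for checking the identity."""
    z = vec_add(y, s, c)
    lhs = hadamard(z, [(zi - c) % P for zi in z])
    r = hadamard(s, [(si - 1) % P for si in s])
    g = hadamard(y, [(2 * si - 1) % P for si in s])
    h = hadamard(y, y)
    rhs = [(c * c * ri + c * gi + hi) % P for ri, gi, hi in zip(r, g, h)]
    return lhs, rhs

def prover_first_move(A, s, y):
    """Sent (in the real protocol: committed) before c is known: w = A y, g = y∘(2s-1), h = y∘y."""
    w = matvec(A, y)
    g = hadamard(y, [(2 * si - 1) % P for si in s])
    h = hadamard(y, y)
    return w, g, h

def prover_response(s, y, c):
    return vec_add(y, s, c)          # z = y + c s

def verifier_check(A, t, w, g, h, c, z):
    """A z = t c + w  (the linear relation)  and  z ∘ (z - c·1) = c g + h  (the 0/1 relation)."""
    lin = matvec(A, z) == vec_add(w, t, c)
    quad = hadamard(z, [(zi - c) % P for zi in z]) == vec_add(h, g, c)
    return lin and quad

def passing_challenges(A, s, y, g, h):
    """Number of c in F_p for which the verifier accepts with this fixed s, y, g, h.
    For 0/1 s with honest g, h that is all p; for non-binary s it is at most 2 (Schwartz-Zippel)."""
    t, w = matvec(A, s), matvec(A, y)
    return sum(verifier_check(A, t, w, g, h, c, prover_response(s, y, c)) for c in range(P))

# Constructed toy instance: A is 2 x 3, S_BIN is 0/1, S_BAD has a coefficient 2.
A_TOY = [[1, 2, 3], [4, 5, 6]]
S_BIN, S_BAD, Y_TOY = [1, 0, 1], [1, 0, 2], [5, 7, 9]
```

With S_BAD, s ∘ (s - 1) = (0, 0, 2), so the third coordinate of the check reads 2c^2 + c·g'_3 + h'_3 = c·g_3 + h_3: a quadratic in c that a dishonest prover can satisfy for at most two challenge values, whatever g_3, h_3 it committed to.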
[BLS ’19], [YAZXYW ‘19]. Public matrices B_1, B_2; the commitment to a vector m is (B_1 r, B_2 r + m). Has all the required homomorphic, ZKPoK properties [BDLOP ’18]. Uses challenges in F_p, so the soundness error of each iteration is 1/p.
Proving SIS relations using Reed-Solomon code commitments
Roughly the same size as when using lattice commitments for proving single instances.
Smaller when proving several unrelated SIS instances (i.e. A_1 s_1 = t_1, …, A_k s_k = t_k).
Much smaller when proving several related SIS instances (i.e. A s_1 = t_1, …, A s_k = t_k): asymptotically sub-linear.
Reed-Solomon code commitments: a message m together with randomness r is encoded as a codeword w.
If all of w is sent, this "commitment scheme" is binding and homomorphic, but not hiding! Given w (or even a large part of w), one can recover m, r.
If only a small part x of w is sent, this "commitment scheme" is perfectly hiding and homomorphic, but not binding! Given x, any m is possible and it is easy to find an r for it.
Making it binding interactively: the verifier asks for a small part of w; the prover sends x; the verifier is somehow convinced that this is really a part of a codeword w. The extractor can then get more parts of w, and at some point it's enough to recover m. So the commitment scheme is binding using an interactive proof. HOW?
Split w into w_1, w_2, w_3, …, w_k and hash the parts: the prover sends H(w_1), …, H(w_k). The verifier can then check that the coefficients in x are really what the prover hashed. But still no proof that the hashes are of a codeword.
The verifier is given c, z = y + cs and r_z = r_y + c r_s, together with the commitments S (to s) and Y (to y), and checks that cS + Y equals the codeword Z of (z, r_z). Lemma (informal): if cS + Y is equal to a codeword for a random c in F_p, then with probability ≈ 1 - 1/p, S and Y are close to codewords and c·Decode(S) + Decode(Y) = z.
Hash the corresponding positions of S and Y together: H(S_1, Y_1), H(S_2, Y_2), H(S_3, Y_3), …, H(S_k, Y_k). The prover needs to send all the H(S_i, Y_i) and then prove that it is opening the correct slots. Put all the H(S_i, Y_i) as leaves of a Merkle tree, send the root in the first step, and send the path of each leaf that needs to be opened. O(security parameter) openings are required. Because the corresponding positions are hashed together, there is still one tree and the paths are the same length as before.
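The Reed-Solomon code commitment with the Merkle tree of position hashes and the cS + Y check, as an added Python example that is not part of the slides. It assumes a constructed toy field F_257, codewords of length 16 obtained by evaluating the polynomial whose coefficients are the randomness followed by the message at x = 1..16, and SHA-256 for H; the class and function names are the example's own, and the ZK openings π and the decoding argument of the lemma are not implemented, only the opened-position check the verifier performs.

```python
import hashlib

P = 257          # constructed toy prime field; real instances use a large p
N_EVAL = 16      # codeword length (evaluation points 1..16), a power of two for the tree
N_RAND = 2       # random coefficients mixed into each encoding so that a few openings hide the message

def rs_encode(coeffs):
    """Reed-Solomon encoding: evaluate the polynomial with these coefficients at x = 1..N_EVAL."""
    return [sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P for x in range(1, N_EVAL + 1)]

def leaf_hash(si, yi):
    # One leaf per position, hashing the corresponding entries of S and Y together (one tree for both).
    return hashlib.sha256(f"{si}|{yi}".encode()).digest()

def node_hash(left, right):
    return hashlib.sha256(left + right).digest()

def merkle_levels(leaves):
    levels = [leaves]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([node_hash(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels

def merkle_path(levels, idx):
    """Sibling hashes from leaf idx up to the root: the path of a leaf that is being opened."""
    path = []
    for lvl in levels[:-1]:
        path.append(lvl[idx ^ 1])
        idx //= 2
    return path

def merkle_verify(root, idx, leaf, path):
    h = leaf
    for sib in path:
        h = node_hash(h, sib) if idx % 2 == 0 else node_hash(sib, h)
        idx //= 2
    return h == root

class Prover:
    def __init__(self, s, y, r_s, r_y):
        self.s, self.y, self.r_s, self.r_y = s, y, r_s, r_y
        self.S = rs_encode(r_s + s)      # codeword committing to s
        self.Y = rs_encode(r_y + y)      # codeword committing to the mask y
        self.levels = merkle_levels([leaf_hash(a, b) for a, b in zip(self.S, self.Y)])

    def root(self):
        """First message: the Merkle root over all H(S_i, Y_i)."""
        return self.levels[-1][0]

    def respond(self, c, positions):
        """After the challenge c: z = y + c s, r_z = r_y + c r_s, and the requested openings."""
        z = [(yi + c * si) % P for si, yi in zip(self.s, self.y)]
        r_z = [(b + c * a) % P for a, b in zip(self.r_s, self.r_y)]
        openings = {i: (self.S[i], self.Y[i], merkle_path(self.levels, i)) for i in positions}
        return z, r_z, openings

def verify(root, c, positions, z, r_z, openings):
    """Every opened leaf must hash to the root, and at every opened position c*S_i + Y_i must
    equal the codeword of (r_z, z), which the verifier encodes itself (encoding is linear)."""
    Z = rs_encode(r_z + z)
    for i in positions:
        si, yi, path = openings[i]
        if not merkle_verify(root, i, leaf_hash(si, yi), path):
            return False
        if (c * si + yi) % P != Z[i]:
            return False
    return True
```

The verifier never sees the whole of S or Y, only the opened positions, yet a prover who answers for a z that does not correspond to the committed s disagrees with cS + Y at almost every position (the difference is a nonzero low-degree polynomial), so a handful of random openings catches it; a tampered opening fails the Merkle check instead.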
Proving SIS relations using Reed-Solomon code commitments
Roughly the same size as when using lattice commitments for proving single instances (with a few more optimizations / tricks that reduce the output size for all proofs).
Smaller when proving several unrelated SIS instances (i.e. A_1 s_1 = t_1, …, A_k s_k = t_k): reuse the hash tree.
Much smaller when proving several related SIS instances (i.e. A s_1 = t_1, …, A s_k = t_k), asymptotically sub-linear: reuse the hash tree + other (more involved) techniques …
(See a recent tutorial on my IBM web page for how to construct lattice-based encryptions / signatures with many optimizations)