Lattice-Based Zero-Knowledge Arguments for Integer Relations

Lattice-Based Zero-Knowledge Arguments for Integer Relations. Benoît Libert¹, San Ling², Khoa Nguyen², Huaxiong Wang². ¹ CNRS and ENS Lyon, France; ² Nanyang Technological University, Singapore. CRYPTO 2018, 20 August 2018. Zero-Knowledge


  1. Lattice-Based Zero-Knowledge Arguments for Integer Relations

     Benoît Libert¹, San Ling², Khoa Nguyen², Huaxiong Wang²
     ¹ CNRS and ENS Lyon, France
     ² Nanyang Technological University, Singapore

     CRYPTO 2018, 20 August 2018

  4. Zero-Knowledge Proofs/Arguments for Integer Relations

     We study the problem of proving in ZK and under standard lattice assumptions that large committed integers satisfy certain relations.

     ⋆ “Large”: Committed integers $X, Y, Z$ are of bit-size $L = \mathrm{poly}(n)$.
     ⋆ “Relations”:
       - Addition: $X + Y = Z$ over $\mathbb{Z}$
       - Multiplication: $X \cdot Y = Z$ over $\mathbb{Z}$
       - Range: $X \in [\alpha, \beta]$
       - Set non-membership: $X \notin \mathsf{SET}$, where $\mathsf{SET}$ is a public set.
     ⋆ “Assumptions”: Solutions from DL/strong-RSA, e.g.
       - $+$ and $\times$: Fujisaki-Okamoto (C’97), Damgård-Fujisaki (AC’02), Lipmaa (AC’03), Couteau et al. (EC’17)
       - Range: Camenisch et al. (AC’08), Gonzalez-Ràfols (ACNS’17)
       - Set non-membership: Camenisch-Lysyanskaya (C’02), Nakanishi et al. (PKC’09), Bayer-Groth (EC’13)

     Khoa Nguyen Lattice-Based ZK for Integers CRYPTO 2018 2 / 15

  6. In the Lattice Setting...

     The considered problem is still open!

     If we were to use known ZK proofs in ideal lattices to prove that $X, Y, Z$ of bit-size $L = \mathrm{poly}(n)$ satisfy $X + Y = Z$ over $\mathbb{Z}$:
       - We would need to prove $X + Y = Z \bmod q$ for a large modulus $q = 2^{\mathrm{poly}(n)}$.
       - Each ring element (used in the commitment) would cost thousand times $L$ bits.
       - Proving that $X, Y$ are small w.r.t. $q$ (i.e., no reduction mod $q$ occurs) and proving the additive relation would cost $k \cdot L$ bits, where $k \approx 10^5$.
       - Strong assumptions: at least sub-exponential approximation factors.
       - Ensuring soundness is non-trivial.

     Only some limited forms of range proofs/arguments are known, e.g., $X \in [0, 2^m - 1]$.

     No efficient non-membership argument is known.

  8. Our Results

     Statistical ZK arguments for relations among committed integers, under mild assumptions in general (i.e., non-ideal) lattices.

     Integers of bit-size $L = \mathrm{poly}(n)$ are committed via the SIS-based commitment scheme by Kawachi-Tanaka-Xagawa (AC’08).
       - Small modulus: $q = \widetilde{O}(\sqrt{L} \cdot n)$.
       - Weak assumption: $\mathsf{SIVP}_\gamma$ is hard for $\gamma = \widetilde{O}(\sqrt{L} \cdot n)$.

     ⋆ Addition argument with communication cost $\zeta + 20L \cdot \kappa$, where $\zeta$ is the cost of proving openings and $\kappa = \omega(\log n)$ is the number of repetitions.
     ⋆ Range arguments with communication cost $\zeta + O(L) \cdot \kappa$, for ranges of size $2^L$.
     ⋆ Non-membership argument with communication cost $O(n \cdot \log |\mathsf{SET}|)$.
     ⋆ Multiplication arguments that can achieve sub-quadratic complexity $O(L^{1.585})$ in both computation and communication.

  9. Outline

     1. Background and Our Results
     2. Our Ideas and Techniques

  11. Binary Additions with Carries

     Main idea: View integer additions as binary additions with carries, then prove in ZK that they are done correctly.

     Suppose that we add two bits $x$ and $y$ with carry-in $c_{in}$ to obtain a bit $z$ and carry-out $c_{out}$.

     | $x$       | 0 | 0 | 0 | 0 | 1 | 1 | 1 | 1 |
     |-----------|---|---|---|---|---|---|---|---|
     | $y$       | 0 | 0 | 1 | 1 | 0 | 0 | 1 | 1 |
     | $c_{in}$  | 0 | 1 | 0 | 1 | 0 | 1 | 0 | 1 |
     | $z$       | 0 | 1 | 1 | 0 | 1 | 0 | 0 | 1 |
     | $c_{out}$ | 0 | 0 | 0 | 1 | 0 | 1 | 1 | 1 |

     Then, the relations among these bits are captured by the equations

     $z = x + y + c_{in} \bmod 2$,
     $c_{out} = x \cdot y + z \cdot c_{in} + c_{in} \bmod 2$.

  13. Additions of Committed Integers

     Let $X = (x_{L-1}, \ldots, x_0)_2$, $Y = (y_{L-1}, \ldots, y_0)_2$, $Z = (z_L, z_{L-1}, \ldots, z_0)_2$.

     For $i \in [0, L-1]$, let $c_{i+1}$ be the carry-out of the $i$-th addition. We have:

     $z_0 + x_0 + y_0 = 0 \bmod 2$
     $c_1 + x_0 \cdot y_0 = 0 \bmod 2$
     $z_1 + x_1 + y_1 + c_1 = 0 \bmod 2$
     $c_2 + x_1 \cdot y_1 + z_1 \cdot c_1 + c_1 = 0 \bmod 2$
     $\vdots$
     $z_{L-1} + x_{L-1} + y_{L-1} + c_{L-1} = 0 \bmod 2$
     $z_L + x_{L-1} \cdot y_{L-1} + z_{L-1} \cdot c_{L-1} + c_{L-1} = 0 \bmod 2$.

     $X, Y, Z$ are committed via [KTX-AC’08] → equations modulo $q$:

     $a_0 \cdot x_0 + \ldots + a_{L-1} \cdot x_{L-1} + \sum_j b_j \cdot r_{1,j} = c_x \bmod q$;
     $a_0 \cdot y_0 + \ldots + a_{L-1} \cdot y_{L-1} + \sum_j b_j \cdot r_{2,j} = c_y \bmod q$;
     $a_0 \cdot z_0 + \ldots + a_L \cdot z_L + \sum_j b_j \cdot r_{3,j} = c_z \bmod q$.

     Goal: Prove in ZK that we know the secret bits $x_i, y_i, z_i, c_i, r_{k,j}$ such that all equations mod 2 and mod $q$ hold ⇐ Stern-like techniques.

  15. Stern-like Zero-Knowledge Techniques

     Stern (Crypto’93): ZK protocol for the Syndrome Decoding problem.
       - Use random permutations to prove constraints of secret witnesses satisfying matrix-vector equations.
       - Recently adapted into the lattice setting.

     ⋆ Handling secret bits [Libert, Ling, N, Wang - EC’16]:
       - For any $b \in \{0,1\}$, let $\bar{b} = 1 - b$ and $\mathsf{ext}_2(b) = (\bar{b}, b) \in \{0,1\}^2$.
       - For any $c \in \{0,1\}$, define $P_c$ as the permutation transforming $v = (v_0, v_1) \in \mathbb{Z}^2$ into $P_c(v) = (v_c, v_{\bar{c}})$.
       - Observation:

         $v = \mathsf{ext}_2(b) \iff P_c(v) = \mathsf{ext}_2(b + c \bmod 2)$.   (1)

     ⇒ Proving knowledge of secret bit $b$ that may appear in several correlated equations.

  16. Stern-like Zero-knowledge Techniques (cont.)

     Products of 2 secret bits [Libert, Ling, Mouhartem, N, Wang - AC’16]:

     ⋆ For any bits $b_1, b_2$, define

       $\mathsf{ext}_4(b_1, b_2) = (\bar{b}_1 \cdot \bar{b}_2,\ \bar{b}_1 \cdot b_2,\ b_1 \cdot \bar{b}_2,\ b_1 \cdot b_2) \in \{0,1\}^4$.

     ⋆ For any bits $c_1, c_2$, define $T_{c_1,c_2}$ as the permutation transforming $v = (v_{0,0}, v_{0,1}, v_{1,0}, v_{1,1}) \in \mathbb{Z}^4$ into

       $T_{c_1,c_2}(v) = (v_{c_1,c_2},\ v_{c_1,\bar{c}_2},\ v_{\bar{c}_1,c_2},\ v_{\bar{c}_1,\bar{c}_2})$.

     ⋆ Observation:

       $v = \mathsf{ext}_4(b_1, b_2) \iff T_{c_1,c_2}(v) = \mathsf{ext}_4(b_1 + c_1 \bmod 2,\ b_2 + c_2 \bmod 2)$.   (2)

     ⇒ Proving knowledge of product of secret bits $b_1 \cdot b_2$, where $b_1, b_2$ may appear in other equations.
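The extension and permutation maps from the two slides above, as an added Python example that is not part of the original presentation. The function names (`ext2`, `perm_P`, `ext4`, `perm_T`, `check_equivalences`, `verifier_views`) are assumptions chosen here; the code checks observations (1) and (2) in both directions over small integer vectors and shows that the permuted encodings look the same whatever the secret bits are.

```python
from itertools import product

def ext2(b):
    # ext_2(b) = (1 - b, b): one-hot encoding of the bit b
    return (1 - b, b)

def perm_P(c, v):
    # P_c(v) = (v_c, v_{1-c})
    return (v[c], v[1 - c])

def ext4(b1, b2):
    # One-hot encoding of the pair (b1, b2); the last entry is the product b1*b2
    return ((1 - b1) * (1 - b2), (1 - b1) * b2, b1 * (1 - b2), b1 * b2)

def perm_T(c1, c2, v):
    # T_{c1,c2}(v): output entry (i, j) is v_{c1 xor i, c2 xor j}, with v_{a,b} stored at index 2a+b
    return tuple(v[2 * (c1 ^ i) + (c2 ^ j)] for i, j in product((0, 1), repeat=2))

def check_equivalences(candidates=range(-1, 3)):
    # Confirm (1) and (2) as "if and only if" statements, including for malformed v
    for b, c in product((0, 1), repeat=2):
        for v in product(candidates, repeat=2):
            if (v == ext2(b)) != (perm_P(c, v) == ext2(b ^ c)):
                return False
    for b1, b2, c1, c2 in product((0, 1), repeat=4):
        for v in product(candidates, repeat=4):
            if (v == ext4(b1, b2)) != (perm_T(c1, c2, v) == ext4(b1 ^ c1, b2 ^ c2)):
                return False
    return True

def verifier_views(b1, b2):
    # Everything a verifier could see for secret bits (b1, b2) as the masks (c1, c2) vary.
    # The same mask c1 is used in P and T, which ties the product to the bit b1 itself.
    return sorted((perm_P(c1, ext2(b1)), perm_T(c1, c2, ext4(b1, b2)))
                  for c1, c2 in product((0, 1), repeat=2))

if __name__ == "__main__":
    print(check_equivalences(), verifier_views(0, 0) == verifier_views(1, 1))
```

Because uniformly random masks make the set of permuted encodings identical for every choice of secret bits, a well-formed permuted vector convinces the verifier of the encoding's shape without revealing the bits.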

  17. Stern-like ZK Arguments for Integer Additions

     ⋆ Using permuting techniques, we can prove that all the secrets in the equations mod 2 and mod $q$ are well-formed:
       - Bits $x_i, y_i, z_i, c_i, r_{k,j}$
       - Bit products $x_0 \cdot y_0,\ x_1 \cdot y_1,\ \ldots,\ x_{L-1} \cdot y_{L-1},\ z_1 \cdot c_1,\ \ldots,\ z_{L-1} \cdot c_{L-1}$.

     ⋆ To prove that the equations hold:
       1. Transform all equations into $M_2 \cdot s = 0 \bmod 2$ and $M_q \cdot t = c \bmod q$.
       2. Random masking with vectors over $\mathbb{Z}_2$ and $\mathbb{Z}_q$:

          $M_2 \cdot (s + r_s) = M_2 \cdot r_s \bmod 2$
          $M_q \cdot (t + r_t) - c = M_q \cdot r_t \bmod q$.
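An added Python example, not taken from the presentation, that linearizes the mod-2 carry equations for committed additions into $M_2 \cdot s = 0 \bmod 2$ by treating each bit product as its own entry of $s$, then applies the random-masking check from the slide above. The names `layout`, `build_M2`, `witness`, `mat_vec`, `masked_check` and `addition_holds` are assumptions; the mod-$q$ commitment equations and the permutation step of the protocol are left out.

```python
import secrets

def layout(L):
    # Columns of s: bits x_i, y_i, z_i, c_i, then products x_i*y_i and z_i*c_i.
    names = ([("x", i) for i in range(L)] + [("y", i) for i in range(L)]
             + [("z", i) for i in range(L + 1)] + [("c", i) for i in range(1, L)]
             + [("xy", i) for i in range(L)] + [("zc", i) for i in range(1, L)])
    return {name: col for col, name in enumerate(names)}

def build_M2(L):
    # One row per mod-2 equation; z_L plays the role of the last carry-out.
    idx, rows = layout(L), []
    for i in range(L):
        cin = [("c", i)] if i else []
        cout = ("c", i + 1) if i + 1 < L else ("z", L)
        zc = [("zc", i)] if i else []
        for terms in ([("z", i), ("x", i), ("y", i)] + cin,
                      [cout, ("xy", i)] + zc + cin):
            rows.append([1 if name in terms else 0 for name in idx])
    return rows

def witness(X, Y, Z, L):
    # Vector s for a claimed Z; carries follow the carry-out relation.
    val, c = {}, 0
    for name, v, n in (("x", X, L), ("y", Y, L), ("z", Z, L + 1)):
        for i in range(n):
            val[name, i] = (v >> i) & 1
    for i in range(L):
        val["c", i], val["zc", i] = c, val["z", i] * c
        val["xy", i] = val["x", i] * val["y", i]
        c = (val["xy", i] + val["zc", i] + c) % 2
    return [val[name] for name in layout(L)]  # entries c_0, zc_0 are not columns

def mat_vec(M, v):
    return [sum(a * b for a, b in zip(row, v)) % 2 for row in M]

def masked_check(M, s):
    # M2*(s + r_s) = M2*r_s mod 2 for a uniform mask r_s holds iff M2*s = 0.
    r = [secrets.randbelow(2) for _ in s]
    masked = [(a + b) % 2 for a, b in zip(s, r)]
    return mat_vec(M, masked) == mat_vec(M, r)

def addition_holds(X, Y, Z, L):
    return masked_check(build_M2(L), witness(X, Y, Z, L))

if __name__ == "__main__":
    print(addition_holds(13, 7, 20, 4), addition_holds(13, 7, 21, 4))
```

For $L$-bit inputs this gives $2L$ equations over $6L - 1$ secret entries, and any claimed $Z \neq X + Y$ leaves at least one equation unsatisfied.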
