Lattice-Based Zero-Knowledge Arguments for Integer Relations



slide-1
SLIDE 1

Lattice-Based Zero-Knowledge Arguments for Integer Relations

Benoît Libert¹, San Ling², Khoa Nguyen², Huaxiong Wang²

¹ CNRS and ENS Lyon, France
² Nanyang Technological University, Singapore

CRYPTO 2018, 20 August 2018


slide-4
SLIDE 4

Zero-Knowledge Proofs/Arguments for Integer Relations

We study the problem of proving in ZK and under standard lattice assumptions that large committed integers satisfy certain relations.

⋆ “Large”: Committed integers X, Y, Z are of bit-size L = poly(n).
⋆ “Relations”:
    Addition: X + Y = Z over $\mathbb{Z}$
    Multiplication: X · Y = Z over $\mathbb{Z}$
    Range: X ∈ [α, β]
    Set non-membership: X ∉ SET, where SET is a public set.
⋆ “Assumptions”: Solutions from DL/strong-RSA, e.g.
    + and ×: Fujisaki-Okamoto (C’97), Damgård-Fujisaki (AC’02), Lipmaa (AC’03), Couteau et al. (EC’17)
    Range: Camenisch et al. (AC’08), Gonzalez-Ràfols (ACNS’17)
    Set non-membership: Camenisch-Lysyanskaya (C’02), Nakanishi et al. (PKC’09), Bayer-Groth (EC’13)

Khoa Nguyen Lattice-Based ZK for Integers CRYPTO 2018 2 / 15


slide-6
SLIDE 6

In the Lattice Setting...

The considered problem is still open! If we were to use known ZK proofs in ideal lattices to prove that X, Y, Z of bit-size L = poly(n) satisfy X + Y = Z over $\mathbb{Z}$:

  - This requires proving X + Y = Z mod q for a large modulus $q = 2^{\mathrm{poly}(n)}$.
  - Each ring element (used in the commitment) would cost thousand times L bits.
  - Proving that X, Y are small w.r.t. q (i.e., no reduction mod q occurs) and proving the additive relation would cost k · L bits, where $k \approx 10^5$.
  - Strong assumptions: at least sub-exponential approximation factors.
  - Ensuring soundness is non-trivial.

Some limited forms of range proofs/arguments, e.g., $X \in [0, 2^m - 1]$.
No efficient non-membership argument is known.


slide-8
SLIDE 8

Our Results

Statistical ZK arguments for relations among committed integers, under mild assumptions in general (i.e., non-ideal) lattices. Integers of bit-size L = poly(n) are committed via the SIS-based commitment scheme by Kawachi-Tanaka-Xagawa (AC’08).

  - Small modulus: $q = O(\sqrt{L} \cdot n)$.
  - Weak assumption: $\mathsf{SIVP}_\gamma$ is hard for $\gamma = O(\sqrt{L} \cdot n)$.
  - Addition argument with comm. cost $\zeta + 20L \cdot \kappa$, where $\zeta$ is the cost of proving openings and $\kappa = \omega(\log n)$ is the number of repetitions.
  - Range arguments with comm. cost $\zeta + O(L) \cdot \kappa$, for ranges of size $2^L$.
  - Non-membership argument with comm. cost $O(n \cdot \log |\mathrm{SET}|)$.
  - Multiplication arguments that can achieve sub-quadratic complexity $O(L^{1.585})$ in both computation and comm. aspects.


slide-9
SLIDE 9

Outline

1. Background and Our Results
2. Our Ideas and Techniques


slide-11
SLIDE 11

Binary Additions with Carries

Main idea: View integer additions as binary additions with carries, then prove in ZK that they are done correctly.

Suppose that we add two bits x and y with carry-in $c_{in}$ to obtain a bit z and carry-out $c_{out}$.

    x        0 0 0 0 1 1 1 1
    y        0 0 1 1 0 0 1 1
    c_in     0 1 0 1 0 1 0 1
    z        0 1 1 0 1 0 0 1
    c_out    0 0 0 1 0 1 1 1

Then, the relations among these bits are captured by equations

$$
\begin{aligned}
z &= x + y + c_{in} \bmod 2, \\
c_{out} &= x \cdot y + z \cdot c_{in} + c_{in} \bmod 2.
\end{aligned}
$$


slide-13
SLIDE 13

Additions of Committed Integers

Let $X = (x_{L-1}, \ldots, x_0)_2$, $Y = (y_{L-1}, \ldots, y_0)_2$, $Z = (z_L, z_{L-1}, \ldots, z_0)_2$. For $i \in [0, L-1]$, let $c_{i+1}$ be the carry-out of the i-th addition. We have:

$$
\begin{aligned}
z_0 + x_0 + y_0 &= 0 \bmod 2 \\
c_1 + x_0 \cdot y_0 &= 0 \bmod 2 \\
z_1 + x_1 + y_1 + c_1 &= 0 \bmod 2 \\
c_2 + x_1 \cdot y_1 + z_1 \cdot c_1 + c_1 &= 0 \bmod 2 \\
&\;\;\vdots \\
z_{L-1} + x_{L-1} + y_{L-1} + c_{L-1} &= 0 \bmod 2 \\
z_L + x_{L-1} \cdot y_{L-1} + z_{L-1} \cdot c_{L-1} + c_{L-1} &= 0 \bmod 2.
\end{aligned}
$$

X, Y, Z are committed via [KTX-AC’08] → equations modulo q:

$$
\begin{aligned}
a_0 \cdot x_0 + \ldots + a_{L-1} \cdot x_{L-1} + \sum_j b_j \cdot r_{1,j} &= c_x \bmod q; \\
a_0 \cdot y_0 + \ldots + a_{L-1} \cdot y_{L-1} + \sum_j b_j \cdot r_{2,j} &= c_y \bmod q; \\
a_0 \cdot z_0 + \ldots + a_L \cdot z_L + \sum_j b_j \cdot r_{3,j} &= c_z \bmod q.
\end{aligned}
$$

Goal: Prove in ZK that we know the secret bits $x_i, y_i, z_i, c_i, r_{k,j}$ such that all equations mod 2 and mod q hold ⇐ Stern-like techniques.
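The mod-2 system above, as an added example that is not part of the original slides: it checks the 2L equations on a witness and brute-forces the carries to show that a carry assignment exists exactly when Z = X + Y. Function names are this example's own, and the commitment equations mod q are left out.

```python
# Added example (not from the slides): the mod-2 equations for X + Y = Z.
from itertools import product

def bits(v, n):
    """Little-endian bits: index i holds the coefficient of 2^i."""
    return [(v >> i) & 1 for i in range(n)]

def equations_hold(x, y, z, c):
    """x, y: L bits; z: L+1 bits; c: the carries c_1..c_{L-1}.

    Returns True when every left-hand side of the 2L equations is 0 mod 2.
    """
    L = len(x)
    # carry[i] is the carry into position i; there is no carry into position 0
    # and the carry out of position L-1 is the top bit z_L.
    carry = [0] + list(c) + [z[L]]
    for i in range(L):
        if (z[i] + x[i] + y[i] + carry[i]) % 2:
            return False
        if (carry[i + 1] + x[i] * y[i] + z[i] * carry[i] + carry[i]) % 2:
            return False
    return True

def honest_carries(x, y):
    """Carries c_1..c_{L-1} as an honest prover gets them from schoolbook addition."""
    out, carry = [], 0
    for xi, yi in zip(x[:-1], y[:-1]):
        carry = (xi + yi + carry) >> 1
        out.append(carry)
    return out

def has_witness(X, Y, Z, L):
    """Brute force over all carry vectors: can (X, Y, Z) satisfy the system at all?"""
    x, y, z = bits(X, L), bits(Y, L), bits(Z, L + 1)
    return any(equations_hold(x, y, z, c) for c in product((0, 1), repeat=L - 1))
```
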


slide-15
SLIDE 15

Stern-like Zero-Knowledge Techniques

Stern (Crypto’93): ZK protocol for the Syndrome Decoding problem. Use random permutations to prove constraints of secret witnesses satisfying matrix-vector equations. Recently adapted into the lattice setting.

⋆ Handling secret bits [Libert, Ling, N, Wang - EC’16]:

For any $b \in \{0, 1\}$, let $\bar{b} = 1 - b$ and $\mathsf{ext}_2(b) = (\bar{b}, b) \in \{0, 1\}^2$.

For any $c \in \{0, 1\}$, define $P_c$ as the permutation transforming $v = (v_0, v_1) \in \mathbb{Z}^2$ into $P_c(v) = (v_c, v_{\bar{c}})$.

Observation:

$$
v = \mathsf{ext}_2(b) \iff P_c(v) = \mathsf{ext}_2(b + c \bmod 2). \tag{1}
$$

⇒ Proving knowledge of secret bit b that may appear in several correlated equations.


slide-16
SLIDE 16

Stern-like Zero-knowledge Techniques (cont.)

⋆ Products of 2 secret bits [Libert, Ling, Mouhartem, N, Wang - AC’16]:

For any bits $b_1, b_2$, define $\mathsf{ext}_4(b_1, b_2) = (\bar{b}_1 \cdot \bar{b}_2,\ \bar{b}_1 \cdot b_2,\ b_1 \cdot \bar{b}_2,\ b_1 \cdot b_2) \in \{0, 1\}^4$.

For any bits $c_1, c_2$, define $T_{c_1,c_2}$ as the permutation transforming $v = (v_{0,0}, v_{0,1}, v_{1,0}, v_{1,1}) \in \mathbb{Z}^4$ into

$$
T_{c_1,c_2}(v) = (v_{c_1,c_2},\ v_{c_1,\bar{c}_2},\ v_{\bar{c}_1,c_2},\ v_{\bar{c}_1,\bar{c}_2}).
$$

Observation:

$$
v = \mathsf{ext}_4(b_1, b_2) \iff T_{c_1,c_2}(v) = \mathsf{ext}_4(b_1 + c_1 \bmod 2,\ b_2 + c_2 \bmod 2). \tag{2}
$$

⇒ Proving knowledge of product of secret bits $b_1 \cdot b_2$, where $b_1, b_2$ may appear in other equations.
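Observations (1) and (2), as an added example that is not part of the original slides: the extensions and permutations are written out and both equivalences are checked exhaustively, including for vectors v that are not valid extensions. The function names and the small test domain {0, 1, 2} are choices of this example; `masked_views` illustrates that the permuted vector takes the same set of values whatever the secret bits are.

```python
# Added example (not from the slides): ext_2 / ext_4 and their permutations.
from itertools import product

BITS = (0, 1)

def ext2(b):
    """ext_2(b) = (1 - b, b): the single 1 sits at index b."""
    return (1 - b, b)

def P(c, v):
    """P_c maps v = (v_0, v_1) to (v_c, v_{1-c})."""
    return (v[c], v[1 - c])

def ext4(b1, b2):
    """ext_4(b1, b2): the single 1 sits at index (b1, b2); the last entry is b1 * b2."""
    n1, n2 = 1 - b1, 1 - b2
    return (n1 * n2, n1 * b2, b1 * n2, b1 * b2)

def T(c1, c2, v):
    """T_{c1,c2}: output entry (i, j) is v_{i xor c1, j xor c2}; v is stored as v[2*i + j]."""
    return tuple(v[2 * (i ^ c1) + (j ^ c2)] for i in BITS for j in BITS)

def observation_1(domain=(0, 1, 2)):
    """Equivalence (1) for every v in domain^2 and all bits b, c."""
    return all((v == ext2(b)) == (P(c, v) == ext2(b ^ c))
               for v in product(domain, repeat=2) for b in BITS for c in BITS)

def observation_2(domain=(0, 1, 2)):
    """Equivalence (2) for every v in domain^4 and all bits b1, b2, c1, c2."""
    return all((v == ext4(b1, b2)) == (T(c1, c2, v) == ext4(b1 ^ c1, b2 ^ c2))
               for v in product(domain, repeat=4)
               for b1, b2, c1, c2 in product(BITS, repeat=4))

def masked_views(b1, b2):
    """Every permuted vector that can result from secret (b1, b2) as (c1, c2) varies."""
    return sorted(T(c1, c2, ext4(b1, b2)) for c1, c2 in product(BITS, repeat=2))
```
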


slide-17
SLIDE 17

Stern-like ZK Arguments for Integer Additions

⋆ Using permuting techniques, we can prove that all the secrets in the equations mod 2 and mod q are well-formed:
  - Bits $x_i, y_i, z_i, c_i, r_{k,j}$
  - Bit products $x_0 \cdot y_0, x_1 \cdot y_1, \ldots, x_{L-1} \cdot y_{L-1}, z_1 \cdot c_1, \ldots, z_{L-1} \cdot c_{L-1}$.

⋆ To prove that the equations hold:
  1. Transform all equations into $M_2 \cdot s = 0 \bmod 2$ and $M_q \cdot t = c \bmod q$.
  2. Random masking with vectors over $\mathbb{Z}_2$ and $\mathbb{Z}_q$:

$$
\begin{aligned}
M_2 \cdot (s + r_s) &= M_2 \cdot r_s \bmod 2 \\
M_q \cdot (t + r_t) - c &= M_q \cdot r_t \bmod q.
\end{aligned}
$$


slide-20
SLIDE 20

Inequalities and Range Arguments

Additions of non-negative integers ⇒ Inequalities, ranges

Inequalities
  - X ≤ Y: There exists non-negative Z s.t. X + Z = Y.
  - X < Y: There exists non-negative Z s.t. X + Z + 1 = Y.

Ranges X ∈ [α, β], [α, β), (α, β], [α, β], where α, β may be hidden.
  - Two inequalities, e.g., X ≥ α and X < β.

Next: Range arguments + additional techniques ⇒ Set non-membership arguments.


slide-22
SLIDE 22

Non-Membership Arguments

Problem

Given a public set $\mathrm{SET} = \{S_1, \ldots, S_M\}$ containing M = poly(n) integers of bit-size n, where $S_1 < S_2 < \ldots < S_M$. Prove in ZK that committed integer X does not belong to SET.

Target: Communication complexity O(log M).

Let $S_0 = 0^n$ and $S_{M+1} = 1^n$. Prove that $X \in (S_j, S_{j+1})$, for some j.

  1. Y < X < Z, for some secret Y, Z. ⇐ Range argument.
  2. $Y, Z \in \{S_0, S_1, \ldots, S_M, S_{M+1}\}$ and Y, Z are “consecutive”. ⇐ Structures/techniques allowing O(log M) membership argument.


slide-23
SLIDE 23

Lattice-Based Merkle Hash Trees

[Figure: Merkle tree with root u, nodes $u_0, u_1, u_{00}, \ldots, u_{11}, u_{000}, \ldots, u_{111}$ and set elements $S_0, \ldots, S_7$ at the leaves, with Y and Z marked.]

Build a Merkle tree over $\{S_0, S_1, \ldots, S_M, S_{M+1}\}$ and prove knowledge of 2 tree paths from leaves Y and Z to root u [LLNW-EC’16].

Prove that the two tree paths are consecutive: $V = (011)_2$ and $W = (100)_2$ satisfy V + 1 = W (integer addition).
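The relation behind the non-membership argument, as an added example that is not part of the original slides: it builds the witness (Y, V, path) and (Z, W, path) and checks it in the clear, whereas the argument proves the same checks in ZK on committed values. SHA-256 stands in for the lattice-based hash, and the 16-bit set and all function names are constructed for this example.

```python
# Added example (not from the slides): the witness relation for X not in SET.
import hashlib
from bisect import bisect_left

N_BITS = 16                                   # constructed toy bit-size n
SET = [12, 500, 501, 9000, 40000, 65000]      # constructed public set, M = 6

def leaf(v):
    return v.to_bytes(N_BITS // 8, "big")

def H(left, right):
    # SHA-256 is a stand-in for the lattice-based hash (assumption of this example)
    return hashlib.sha256(left + right).digest()

def build_tree(values):
    """levels[0] holds the leaves, levels[-1] the root; needs a power-of-two leaf count."""
    levels = [[leaf(v) for v in values]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([H(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def siblings(levels, index):
    out = []
    for level in levels[:-1]:
        out.append(level[index ^ 1])
        index >>= 1
    return out

def root_from(value, index, sibs):
    node = leaf(value)
    for s in sibs:
        node = H(s, node) if index & 1 else H(node, s)
        index >>= 1
    return node

def make_witness(levels, S, X):
    """S = [S_0, ..., S_{M+1}] sorted; None when no open gap (S_j, S_{j+1}) contains X."""
    j = bisect_left(S, X) - 1
    if j < 0 or j + 1 >= len(S) or not S[j] < X < S[j + 1]:
        return None
    return (S[j], j, siblings(levels, j)), (S[j + 1], j + 1, siblings(levels, j + 1))

def check_witness(root, X, witness):
    (Y, V, path_y), (Z, W, path_z) = witness
    return (Y < X < Z and V + 1 == W          # range check and consecutive paths
            and root_from(Y, V, path_y) == root and root_from(Z, W, path_z) == root)

S = [0] + sorted(SET) + [2 ** N_BITS - 1]     # S_0 = 0^n, S_{M+1} = 1^n
LEVELS = build_tree(S)
ROOT = LEVELS[-1][0]
```
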


slide-27
SLIDE 27

Arguments for Integer Multiplications

Prove committed L-bit integers X, Y and 2L-bit integer Z satisfy XY = Z.

O(L) addition arguments → $O(L^2)$ multiplication argument.
  - Straightforward; suitable for practical values of L, e.g., L ≤ 8000

Can we break the quadratic barrier? E.g., with Karatsuba algorithm?

$$
\begin{cases} X = X_1 \| X_0 \\ Y = Y_1 \| Y_0 \end{cases}
\;\Rightarrow\;
\begin{cases} X = 2^{L/2} \cdot X_1 + X_0 \\ Y = 2^{L/2} \cdot Y_1 + Y_0. \end{cases}
$$

Karatsuba’s observation: The number of partial products can be reduced from 4 to 3 → complexity $O(L^{\log_2 3})$

$$
X \cdot Y = (2^L - 2^{L/2})(X_1 Y_1) + (1 - 2^{L/2})(X_0 Y_0) + 2^{L/2}(X_1 + X_0)(Y_1 + Y_0).
$$

Our method: Emulate the Karatsuba multiplication X · Y and prove that it gives Z in ZK → ZK argument for multiplicative relations with sub-quadratic communication/computation complexity $O(L^{\log_2 3})$.


slide-30
SLIDE 30

  - Reduce relations of large integers to binary additions with carries.
  - Proving binary operations in ZK using Stern-like techniques.
  - Small modulus, weak lattice assumptions, scalability.

Some concrete estimations of comm cost for range argument X ∈ [α, β]:

    Range size β − α          $2^{1000}$   $2^{2000}$   $2^{4000}$   $2^{8000}$
    Commitment opening        3.16         3.65         4.63         6.59
    Membership X ∈ [α, β]     0.38         0.75         1.5          3
    Total comm. cost          3.54 MB      4.4 MB       6.13 MB      9.59 MB

Thank you for your attention!
