zero knowledge proofs from ring lwe
play

Zero Knowledge Proofs from Ring-LWE Xiang Xie, Rui Xue, Minqian Wang - PowerPoint PPT Presentation

Nov 27, 2023 •237 likes •607 views

Zero Knowledge Proofs from Ring-LWE Xiang Xie, Rui Xue, Minqian Wang Chinese Academy of Sciences CANS 2013, Paraty Outline ZKPs Related Works Our Results Tools Commitment from RLWE ZKP from RLWE Outline ZKPs 1 Related Works 2 Our

  1. Zero Knowledge Proofs from Ring-LWE Xiang Xie, Rui Xue, Minqian Wang Chinese Academy of Sciences CANS 2013, Paraty

  2. Outline ZKPs Related Works Our Results Tools Commitment from RLWE ZKP from RLWE Outline ZKPs 1 Related Works 2 Our Results 3 Tools 4 Σ -Protocol Learning with Errors over Rings Commitment from RLWE 5 ZKP from RLWE 6 Proving Knowledge of Valid Opending Component-Wise Relations Reduce Communication Complexity 2 / 26

  3. Outline ZKPs Related Works Our Results Tools Commitment from RLWE ZKP from RLWE Zero-Knowledge Proofs [GoldwassorMicaliRackoff’85] π = ( x, ω ) ∈ R . . . Prover Verifier π reveals nothing except the statement itself. 3 / 26

  4. Outline ZKPs Related Works Our Results Tools Commitment from RLWE ZKP from RLWE Related Works of ZKPs ◮ Number Theoretical: [FeigeShamir’90], [CramerDamg˚ ard’98], [CramerDamg˚ ard’09], [GrothSahai’08] (paring), etc. ◮ General: [IshaiKushilevitzOstrovskySahai’07] (MPC). ◮ Lattice-Based: [MicciancioVadhan’03], [KawachiTanakaXagawa’08], [AsharovJainL´ opez-AltTromerVaikuntanathanWichs’12], [Lyubashevsky’08], [Lyubashevsky’12], [LingNguyenStehl´ eWang’13]. ◮ LPN-based: [JainKrennPietrzakTentes’12]. 4 / 26

  5. Outline ZKPs Related Works Our Results Tools Commitment from RLWE ZKP from RLWE Our Results ◮ Commitment scheme from Ring Learning with Errors (RLWE). ◮ ZKP that proves the knowledge of the message hidden in our commitment scheme. ◮ Two ZKPs that prove component-wise relations of the messages in the commitment scheme. 5 / 26

  6. Outline ZKPs Related Works Our Results Tools Commitment from RLWE ZKP from RLWE Σ -Protocol ◮ Our ZKPs are essentially Σ -protocols (see [Damg˚ ard’04]). Σ -protocol: t c ← C s Prover Verifier 6 / 26

  7. Outline ZKPs Related Works Our Results Tools Commitment from RLWE ZKP from RLWE ◮ Completeness : The verifier V accepts whenever ( x, ω ) ∈ R . ◮ Special Soundness : There exists a PPT algorithm Ext such that: ω ′ ← Ext ( { ( t, c, s c ) : c ∈ C} ) , and ( x, ω ′ ) ∈ R . ◮ Special honest-verifier zero-knowledge : There exists a PPT simulator S such that: ( t x , c, s x ) ← S ( x, c ) ≈ ( t, c, s ) . 7 / 26

  8. Outline ZKPs Related Works Our Results Tools Commitment from RLWE ZKP from RLWE ◮ Completeness : The verifier V accepts whenever ( x, ω ) ∈ R . ◮ Special Soundness : There exists a PPT algorithm Ext such that: ω ′ ← Ext ( { ( t, c, s c ) : c ∈ C} ) , and ( x, ω ′ ) ∈ R . ◮ Special honest-verifier zero-knowledge : There exists a PPT simulator S such that: ( t x , c, s x ) ← S ( x, c ) ≈ ( t, c, s ) . Note: ◮ Σ -protocol can be extended to a ZKP for the same relation [Damg˚ ard’04], [Damg˚ ardGoldreichOkamoto’95]. ◮ Soundness is different from standard definition. We require Ext has input ( t, c, s c ) for all c ∈ C with the same t . The knowledge error of the resulting ZKP scheme is 1 − 1 / |C| instead of 1 / |C| . 7 / 26

  9. Outline ZKPs Related Works Our Results Tools Commitment from RLWE ZKP from RLWE Learning with Errors over Rings (RLWE) ◮ RLWE is introduced by Lyubashevsky, Peikert and Regev [LPR’10]. Let R = Z [ X ] / ( X d + 1) , where d = 2 k for some k ≥ 0 . For an integer q , let R q = R/qR . The following two distributions are hard to distinguish: a 1 ← R q ; b 1 = a 1 · s + e 1 mod q a 2 ← R q ; b 2 = a 2 · s + e 2 mod q . . . a m ← R q ; b m = a m · s + e m mod q a 1 ← R q ; b 1 ← R q a 2 ← R q ; b 2 ← R q . . . a m ← R q ; b m ← R q Where s ← R q , and e i ← χ over R . � e i � ∞ ≤ β ≪ q . 8 / 26

  10. Outline ZKPs Related Works Our Results Tools Commitment from RLWE ZKP from RLWE [LyubashevskyPeikertRegev’10] If there exists a PPT algorithm solves RLWE problem, then there exists a PPT quantum algorithm solves some hard lattice problems for all d -dimensional ideal lattices . 9 / 26

  11. Outline ZKPs Related Works Our Results Tools Commitment from RLWE ZKP from RLWE Commitment from RLWE The message space is R ℓ q . Let χ be a β -bounded distribution over R . ◮ KeyGen (1 λ ) : Sample a 1 ← R m q and A 2 ← R m × ℓ , output q A = [ a 1 | A 2 ] ∈ R m × ( ℓ +1) . q ◮ Com ( A , m ∈ R ℓ q ) : Sample s ← R q and e ← χ m , output c = A [ s | m ] + e ∈ R m q . ◮ Ver ( A , c , ( s, m )) : Accept iff � c − A [ s | m ] � ∞ ≤ β . 10 / 26

  12. Outline ZKPs Related Works Our Results Tools Commitment from RLWE ZKP from RLWE Commitment from RLWE The message space is R ℓ q . Let χ be a β -bounded distribution over R . ◮ KeyGen (1 λ ) : Sample a 1 ← R m q and A 2 ← R m × ℓ , output q A = [ a 1 | A 2 ] ∈ R m × ( ℓ +1) . q ◮ Com ( A , m ∈ R ℓ q ) : Sample s ← R q and e ← χ m , output c = A [ s | m ] + e ∈ R m q . ◮ Ver ( A , c , ( s, m )) : Accept iff � c − A [ s | m ] � ∞ ≤ β . Security: ◮ Computational hiding: c = A [ s | m ] + e = a 1 · s + e + A 2 m ◮ Perfect binding: For uniformly random A , Pr[ � y � ∞ ≤ 2 β : y = Ax , x � = 0 ] ≤ negl ( λ ) . 10 / 26

  13. Outline ZKPs Related Works Our Results Tools Commitment from RLWE ZKP from RLWE Proving Knowledge of Valid Opending Relation: R RLWE = { (( A , c ) , ( s, m , e )) : c = A ( s � m ) + e mod q ∧ � e � ∞ ≤ β } . ◮ Extend Stern’s ZKP for syndrome decoding problem. Similar to [JainKrennPietrzakTentes’12] and [LingNguyenStehl´ eWang’13]. ◮ The challenge set C = { 1 , 2 , 3 } . The first two openings prove A , c have the form c = A [ s | m ] + e . ◮ Obstacle: How to prove e is “short” without revealing anything else? 11 / 26

  14. Outline ZKPs Related Works Our Results Tools Commitment from RLWE ZKP from RLWE ◮ If e ∈ { 0 , 1 } m and � e � 1 = β : Prover sends π ( e ) for a uniformly random permutation π . π ( e ) only reveals the Hamming weight of e . 12 / 26

  15. Outline ZKPs Related Works Our Results Tools Commitment from RLWE ZKP from RLWE ◮ If e ∈ { 0 , 1 } m and � e � 1 = β : Prover sends π ( e ) for a uniformly random permutation π . π ( e ) only reveals the Hamming weight of e . ◮ If e ∈ { 0 , 1 } m and � e � 1 ≤ β : Extend e ∈ { 0 , 1 } m to e ′ ∈ { 0 , 1 } m + β by padding, such that � e ′ � 1 = β . Prover sends π ( e ′ ) . m m β 12 / 26

  16. Outline ZKPs Related Works Our Results Tools Commitment from RLWE ZKP from RLWE ◮ If e ∈ Z m and � e � ∞ ≤ β : Decompose e : k − 1 2 i · ˜ � e i ∈ {− 1 , 0 , 1 } m e = e i , k = ⌊ log β ⌋ + 1 , ˜ i =0 e i ∈ {− 1 , 0 , 1 } m to e i ∈ {− 1 , 0 , 1 } 3 m . Prover sends π i ( e i ) . Extend ˜ m m # {− 1 } = m 2 m # { 0 } = m # { 1 } = m 13 / 26

  17. Outline ZKPs Related Works Our Results Tools Commitment from RLWE ZKP from RLWE ◮ If e ∈ R m and � e � ∞ ≤ β . View e ∈ Z dm by the coefficient representation. The same as above. 14 / 26

  18. Outline ZKPs Related Works Our Results Tools Commitment from RLWE ZKP from RLWE Basic ZKP Relation: R RLWE = { (( A , c ) , ( s, m , e )) : c = A ( s � m ) + e mod q ∧ � e � ∞ ≤ β } . ◮ Prover first decomposes e ∈ R m to e i ∈ R 3 m according the method above. ◮ Define matrix ˆ I = [ I m | 0 m | 0 m ] ∈ R m × 3 m . Note that : k − 1 2 i · e i ) � c = A ( s | m ) + e ⇔ c = A ( s | m ) + ˆ I ( i =0 15 / 26

  19. Outline ZKPs Related Works Our Results Tools Commitment from RLWE ZKP from RLWE ◮ Prover samples ( r 0 , ..., r k − 1 ) ← ( R 3 m q ) k , v ← R 1+ ℓ , and k random q permutations ( π 0 , ..., π k − 1 ) . Sends:  � � i =0 2 i · r i ) { π i } k − 1 i =0 , t 1 = Av + ˆ I ( � k − 1 C 1 = Com     � � { t 2 i = π i ( r i ) } k − 1 C 2 = Com i =0  � � { t 3 i = π i ( r i + e i ) } k − 1  C 3 = Com   i =0 16 / 26

  20. Outline ZKPs Related Works Our Results Tools Commitment from RLWE ZKP from RLWE ◮ Prover samples ( r 0 , ..., r k − 1 ) ← ( R 3 m q ) k , v ← R 1+ ℓ , and k random q permutations ( π 0 , ..., π k − 1 ) . Sends:  � � i =0 2 i · r i ) { π i } k − 1 i =0 , t 1 = Av + ˆ I ( � k − 1 C 1 = Com     � � { t 2 i = π i ( r i ) } k − 1 C 2 = Com i =0  � � { t 3 i = π i ( r i + e i ) } k − 1  C 3 = Com   i =0 ◮ Verifier chooses Ch ← { 1 , 2 , 3 } and sends to Prover. 16 / 26

  21. Outline ZKPs Related Works Our Results Tools Commitment from RLWE ZKP from RLWE ◮ Prover samples ( r 0 , ..., r k − 1 ) ← ( R 3 m q ) k , v ← R 1+ ℓ , and k random q permutations ( π 0 , ..., π k − 1 ) . Sends:  � � i =0 2 i · r i ) { π i } k − 1 i =0 , t 1 = Av + ˆ I ( � k − 1 C 1 = Com     � � { t 2 i = π i ( r i ) } k − 1 C 2 = Com i =0  � � { t 3 i = π i ( r i + e i ) } k − 1  C 3 = Com   i =0 ◮ Verifier chooses Ch ← { 1 , 2 , 3 } and sends to Prover. ◮ According to Ch , Prover does the following:  Ch = 1 , open C 1 , C 2 ;  Ch = 2 , open C 1 , C 3 ; Ch = 3 , open C 2 , C 3 .  16 / 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from

Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from

Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from Symmetric-Key Primitives David Derler , Sebastian Ramacher , Daniel Slamanig PQC rypto 18, April 9, 2018 1 Ring Signatures P

612 views • 27 slides
References Zero Knowledge Proofs on Wikipedia, Zero Knowledge

References Zero Knowledge Proofs on Wikipedia, Zero Knowledge

References Zero Knowledge Proofs on Wikipedia, Zero Knowledge https://en.wikipedia.org/wiki/Zero-knowledge_proof Protocols Zero Knowledge Proofs: An Illustrated Primer by M. Green. Part I: https://blog.cryptographyengineering.com/2014/11/27/ Jim

389 views • 18 slides
Zero-Knowledge Proofs Joost van Amersfoort University of Amsterdam Teacher: Christian Schaffner

Zero-Knowledge Proofs Joost van Amersfoort University of Amsterdam Teacher: Christian Schaffner

Zero-Knowledge Proofs Joost van Amersfoort University of Amsterdam Teacher: Christian Schaffner TA: Malvin Gattinger October 22, 2014 1 / 27 Introduction Zero-knowledge proofs are proofs that yield nothing beyond the validity of the

415 views • 27 slides
Zero-Knowledge Proofs 1 Zero-Knowledge Proofs Lecture 15 1 Interactive Proofs 2 Interactive

Zero-Knowledge Proofs 1 Zero-Knowledge Proofs Lecture 15 1 Interactive Proofs 2 Interactive

Zero-Knowledge Proofs 1 Zero-Knowledge Proofs Lecture 15 1 Interactive Proofs 2 Interactive Proofs 2 Interactive Proofs Prover wants to convince verifier that x has some property 2 Interactive Proofs Prover wants to convince verifier

1.9k views • 174 slides
Zero-Knowledge Proofs I Lelantus Oct. 16, 2019 Overview Zero-Knowledge Proving a

Zero-Knowledge Proofs I Lelantus Oct. 16, 2019 Overview Zero-Knowledge Proving a

Zero-Knowledge Proofs I Lelantus Oct. 16, 2019 Overview Zero-Knowledge Proving a property about an element without revealing Lelantus ZCoins Zero-Knowledge protocol Prove that transactions are valid, without revealing

1.37k views • 72 slides
Efficient Delegation of Zero-Knowledge Proofs of Knowledge in a Pairing-Friendly Setting ebastien

Efficient Delegation of Zero-Knowledge Proofs of Knowledge in a Pairing-Friendly Setting ebastien

Efficient Delegation of Zero-Knowledge Proofs of Knowledge in a Pairing-Friendly Setting ebastien Canard (1) , David Pointcheval (2) and Olivier Sanders (1 , 2) S (1) Orange Labs, Caen, France (2) Ecole Normale Sup erieure, Paris,

556 views • 31 slides
Foundation of Cryptography (0368-4162-01), Lecture 5 Interactive Proofs and Zero Knowledge

Foundation of Cryptography (0368-4162-01), Lecture 5 Interactive Proofs and Zero Knowledge

Foundation of Cryptography (0368-4162-01), Lecture 5 Interactive Proofs and Zero Knowledge Iftach Haitner, Tel Aviv University December 4, 2011 IP for GNI Part I Interactive Proofs IP for GNI Interactive Vs. Interactive Proofs Definition 1 (

1.51k views • 110 slides
Efficient Designated-Verifier Non- Interactive Zero-Knowledge Proofs of Knowledge Pyrros Chaidos,

Efficient Designated-Verifier Non- Interactive Zero-Knowledge Proofs of Knowledge Pyrros Chaidos,

Efficient Designated-Verifier Non- Interactive Zero-Knowledge Proofs of Knowledge Pyrros Chaidos, Geoffroy Couteau 1 /11 Zero-Knowledge Proof prover verifier Complete: if P knows a solution, V accepts Sound: if there is no solution, P

1.25k views • 27 slides
Arya: Nearly Linear-Time Zero-Knowledge Proofs for Correct Program Execution Jonathan Bootle,

Arya: Nearly Linear-Time Zero-Knowledge Proofs for Correct Program Execution Jonathan Bootle,

Arya: Nearly Linear-Time Zero-Knowledge Proofs for Correct Program Execution Jonathan Bootle, Andrea Cerulli, Jens Groth, Sune Jakobsen, Mary Maller Zero-Knowledge Proofs for Statement Correct Program Execution Witness Prover Verifier

332 views • 32 slides
Zero-Knowledge Proofs Lecture 15 Interactive Proofs Interactive Proofs Interactive Proofs

Zero-Knowledge Proofs Lecture 15 Interactive Proofs Interactive Proofs Interactive Proofs

Zero-Knowledge Proofs Lecture 15 Interactive Proofs Interactive Proofs Interactive Proofs Prover wants to convince verifier that x has some property Interactive Proofs Prover wants to convince verifier that x has some property i.e. x is in

3.29k views • 145 slides
Zero-Knowledge Proofs II zk-SNARKs Oct. 21, 2019 Overview Recap Lelantus One e ffi cient

Zero-Knowledge Proofs II zk-SNARKs Oct. 21, 2019 Overview Recap Lelantus One e ffi cient

Zero-Knowledge Proofs II zk-SNARKs Oct. 21, 2019 Overview Recap Lelantus One e ffi cient way to do 1-in-N proofs zk-SNARKs A general way to prove anything in Zero-Knowledge (if you dont know how to do it any other way, use

3.26k views • 68 slides
Quantum zero-knowledge from Locally Simulatable Proofs Alex Bredariol Grilo joint work with Anne

Quantum zero-knowledge from Locally Simulatable Proofs Alex Bredariol Grilo joint work with Anne

Quantum zero-knowledge from Locally Simulatable Proofs Alex Bredariol Grilo joint work with Anne Broadbent (U. of Ottawa) arxiv:1911.07782 Quantum found. QZK Crypto TCS 2 / 19 Interactive proofs 3 / 19 Interactive proofs L NP P V 0

1.06k views • 89 slides
One-Shot Verifiable Encryption from Lattices Vadim Lyubashevsky and Gregory Neven IBM Research

One-Shot Verifiable Encryption from Lattices Vadim Lyubashevsky and Gregory Neven IBM Research

One-Shot Verifiable Encryption from Lattices Vadim Lyubashevsky and Gregory Neven IBM Research -- Zurich Zero-Knowledge Proofs Zero-Knowledge Proofs Relation f(s)=t, and want to prove knowledge of s Zero-Knowledge Proofs Relation f(s)=t, and

1.04k views • 72 slides
On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek

On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek

On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018 Round-Complexity of ZK-Proofs for NP 2 Round-Complexity of ZK-Proofs for NP 2 Round-Complexity of ZK-Proofs for NP

835 views • 56 slides
Zero Knowledge Proofs Muthuramakrishnan Venkitasubramaniam An example An example I (re)solved

Zero Knowledge Proofs Muthuramakrishnan Venkitasubramaniam An example An example I (re)solved

Zero Knowledge Proofs Muthuramakrishnan Venkitasubramaniam An example An example I (re)solved P vs NP? S I How? Here is the proof Can I convince someone the validity of something Clay without revealing the proof? Institute

619 views • 46 slides
Zero-Knowledge Proofs III Beyond zk-SNARKs & Accumulators Oct. 23, 2019 Recap zk-SNARKs

Zero-Knowledge Proofs III Beyond zk-SNARKs & Accumulators Oct. 23, 2019 Recap zk-SNARKs

Zero-Knowledge Proofs III Beyond zk-SNARKs & Accumulators Oct. 23, 2019 Recap zk-SNARKs Flattening the computation x 4 + x + 2 = 86 Proof: We know so that (hint ) x x = 3 We can verify all basic operations (+,-,*,assignment) We

1.28k views • 62 slides
1 Services for Mobile Users Services for Mobile Users Mobicast : information dissemination to

1 Services for Mobile Users Services for Mobile Users Mobicast : information dissemination to

Hint on Question 5.2 in HW2 Compute the maximum processor utilization that can be assigned to a Deferrable Server to guarantee the task Sensor Netw ork Services set (periodic tasks). for Mobile Users 1/ 1/ n n +

472 views • 10 slides
An Empirical Study of the Energy Consumption of Android Applications Ding Li, Shuai Hao, Jiaping

An Empirical Study of the Energy Consumption of Android Applications Ding Li, Shuai Hao, Jiaping

An Empirical Study of the Energy Consumption of Android Applications Ding Li, Shuai Hao, Jiaping Gui, William G.J. Halfond Department of Computer Science University of Southern California This work was supported in part by the National Science

1.03k views • 69 slides
Ring-LWE: A number theorists perspective joint with (Yara Elias, Kristin E. Lauter, and Ekin

Ring-LWE: A number theorists perspective joint with (Yara Elias, Kristin E. Lauter, and Ekin

Ring-LWE: A number theorists perspective joint with (Yara Elias, Kristin E. Lauter, and Ekin Ozman) and (Hao Chen and Kristin E. Lauter) SaTC, June 16th, 2016 Learning with errors Let q be prime, n a positive integer. Problem: Find a secret

792 views • 19 slides
Outline Background Research Questions Experimental Workloads Experiments/Evaluation

Outline Background Research Questions Experimental Workloads Experiments/Evaluation

IC2E 2018 Wes J. Lloyd 4/20/2018 Wes Lloyd, Shruti Ramesh, Swetha Chinthalapati, Lan Ly, Shrideep Pallickara April 20, 2018 Institute of Technology, University of Washington, Tacoma, Washington USA IC2E 2018 : IEEE International Conference

596 views • 24 slides
Views, Privileges, and Catalogs PDBM 7.4, 7.67.7 Dr. Chris Mayfield Department of Computer

Views, Privileges, and Catalogs PDBM 7.4, 7.67.7 Dr. Chris Mayfield Department of Computer

Views, Privileges, and Catalogs PDBM 7.4, 7.67.7 Dr. Chris Mayfield Department of Computer Science James Madison University Feb 20, 2020 Section 7.4 SQL Views: logical data independence Virtual views Three types of relations in SQL 1.

558 views • 24 slides
Research Questions Beyond Cross-Cultural Understanding: Preparing tomorrows Language and RQ

Research Questions Beyond Cross-Cultural Understanding: Preparing tomorrows Language and RQ

3/8/19 Research Questions Beyond Cross-Cultural Understanding: Preparing tomorrows Language and RQ 1: How do Indonesian teachers of English learn to teach about culture? Culture Educators Tabitha Kidwell RQ 2: What beliefs do novice RQ 3:

293 views • 6 slides
Feedback in radio-quiet quasars Nadia Zakamska Johns Hopkins University Overview From galaxy

Feedback in radio-quiet quasars Nadia Zakamska Johns Hopkins University Overview From galaxy

Feedback in radio-quiet quasars Nadia Zakamska Johns Hopkins University Overview From galaxy formation: Quasar feedback likely necessary for limiting maximal mass of galaxies, reheating intracluster medium Mechanism, energetics Strong

752 views • 24 slides
On the Unique-Lifting Property Amitabh Basu Joint Work with Gennadiy Averkov 18th Aussois

On the Unique-Lifting Property Amitabh Basu Joint Work with Gennadiy Averkov 18th Aussois

On the Unique-Lifting Property Amitabh Basu Joint Work with Gennadiy Averkov 18th Aussois Combinatorial Optimization Workshop Cut Generating Functions for Mixed-Integer Linear Programs Solve problem as Linear Program and obtain optimal

746 views • 51 slides

More recommend