Zero-Knowledge for Multivariate Polynomials

Transcription

1 Zero-Knowledge for Multivariate Polynomials Valérie Nachef, Jacques Patarin 2, Emmanuel Volte Department of Mathematics, University of Cergy-Pontoise, CNRS UMR avenue Adolphe Chauvin, 95 Cergy-Pontoise Cedex, France 2 PRISM, University of Versailles 45 avenue des Etats-Unis, 7835 Versailles Cedex, France valerie.nachef@u-cergy.fr, emmanuel.volte@u-cergy.fr jacques.patarin@prism.uvsq.fr Abstract. In [2] a Zero-Knowledge scheme ZK2 was designed from a solution of a set of multivariate quadratic equations over a finite field. In this paper we will give two methods to generalize this construction for polynomials of any degree d, i.e. we will design two Zero-Knowledge schemes ZKd and ZKd from a set of polynomial equations of degree d. We will show that ZKd is optimal in term of the number of computations to be performed and that ZKd is optimal in term of the number of bits to be send. Moreover this property is still true for all kinds of polynomials: for example if the polynomials are sparse or dense. Finally, we will present two examples of applications: with Brent equations, or with morphisms of polynomials. Key words: Authentication scheme, Zero-Knowledge, Multivariate polynomials. Introduction The first Zero-Knowledge schemes were based on the factorization problem for example Fischer-Micali-Rackoff in 984, or Fiat-Shamir in 986 or the Graph Isomorphism Problem. However the factorization problem is not expected to be a NP complete problem since it is in NP and Co NP and it has sub-exponential algorithms such as NFS and even polynomial algorithms on quantum computers Shor algorithm. Then, it was proved in 99 by O. Goldreich, S. Micali and A. Widgerson that any problem of NP has a Zero-Knowledge proof [4]. But the general construction cf [4] of Zero-Knowledge proofs from any problem of NP is usually not very efficient. This is why various Zero-Knowledge schemes have been specifically designed from some well suited and well chosen NP complete schemes based on simple combinatorial problems expected to be exponentially difficult, such as PKP of Adi Shamir [3], PP of David Pointcheval [] or CLE [5] or SD [4] of Jacques Stern for example. Recently [2] such a scheme was designed from the MQ problem, i.e. the problem of finding a solution from a set of multivariate quadratic equations over a finite field. This MQ problem is related to various primitives in cryptography [2, 7 9], and is NP-complete over any finite field [3, ].

2 In this paper, we will generalize the construction of [2] in order to design a Zero-Knowledge authentication from a solution of any set of multivariate polynomials of degree d over a finite field i.e. not only d = 2. We will describe two schemes extending the results of [2]. The Zkd scheme is optimal if we focus on the number of bits to be sent and the ZKd scheme is optimal if we consider the number of computations. This is true for any kind of polynomials dense or sparse. For practical applications the case d = 3 i.e. cubic equations is particularly important, since from these polynomials we will be able to design Zero-Knowledge schemes based on the NP-complete Morphism problem MP or from the Brent equations related to the optimal way to solve sets of linear equations i.e. improvements of the Gauss elimination. We will explain in this paper why these two problems are really interesting for cryptography. We can notice that MP morphism of Polynomial is NP hard while IP isomorphism of Polynomials is expected not to be NP hard since it has an Arthur-Merlin game for yes or no answers. We will detail the case d = 3 and give only the features of the general schemes ZKd and ZKd. 2 Zero-Knowledge Protocols and Commitments In an interactive Protocol, there are two entities: the prover and the verifier. The Prover wants to convince the verifier that she knows a secret. Both interact and at the end, the verifier accepts or refuses. In Zero-Knowledge Protocols there is a possibility of fraud. A cheater will be able to answer some of the questions but not all of them. The protocol must be designed such that an answer to one of the question does not give any indication on the secret but if someone is able to answer all the questions then this will reveal the Prover s secret. We will use the following definitions in order to describe the properties that we want to be satisfied by our protocols:. The protocol has perfect correctness is a legitimate prover is always accepted. 2. The protocol is statistically zero knowledge if there exists an efficient simulating algorithm U such that for every feasible Verifier strategy V, the distributions produced by the simulator and the proof protocol are statistically indistinguishable. 3. The protocol is proof of zero knowledge with error knowledge α if there is a knowledge extractor K and a polynomial Q such that if p denotes the probability that K finds a valid witness for x using its access to a prover P and p x denotes the probability that P convinces the honest verifier on x, and p x > α, then we have p Qp x α. In our protocols, we will need string commitment schemes. A string commitment function is denoted by Com. The commitment scheme runs in two phases. In the first phase, the sender computes a commitment value c = Coms; ρ and sends c to the receiver, where s is the committed string and ρ is a random string. In the second phase, the sender gives s, ρ and the receiver verifies if c = Coms; ρ. we require the two following properties of Com.

3 . The commitment scheme is statistically hiding if for uniform x, ρ and x, ρ the distributions Coms, ρ and Comx, ρ are statistically indistinguishable. This means that the commitment to x reveals almost no information on x even to an infinitely powerful Verifier. 2. The commitment scheme is computationally binding if the probability to that two different values x, ρ and x, ρ produce the same c = Comx, ρ = Comx, ρ is negligible in polynomial time, i.e. the chances to change the committed value after the first phase are very small. A practical construction of such a commitment is given in [5]. 3 Systems of Multivariate equations of degree d We consider the following function of degree d from F n q to F m q : F x = f x, f 2 x,..., f m x where l, l m, and x = x,..., x n : f l x = i... i d n γ l i...i d x i x i2... x id i i 2 n We omit the constant term. Let Gr, r,..., r d = γ l i i 2 x i x i2 + d d i i= i... i d n i n S {,...,d } S =i γ l i...i d x i x i2... x id γ l i x i F j S r j Then G is d-linear. For F, a multivariate function of degree d, we define a binary relation R F = {v, x F m q F n q ; v = F x}. The problem is: Given F and v F m q find s F n q such that F s = v, i.e. s R F v. 4 ZK3 Schemes We consider the following cubic functions: F x = f x, f 2 x,..., f m x where l, l m and x = x,..., x n f l x = γijkx l i x j x k + γijx l i x j + γi l x i i j k n i j n i n We omit the constant term. Let Gx, y, z = F x + y + z F x + y F x + z F y + z + F x + F y + F z

4 We have: Gx, y, z = g x, y, z, g 2 x, y, z,..., g m x, y, z where l, l m, x = x,..., x n, y = y,..., y n and z = z,..., z n g l x, y, z = i j k n γ l ijkx i y j z k + x i y k z j + x j y i z k + x j y k z i + x k y i z j + x k y j z i Then G is trilinear. The problem is: Given F and v F m q find s F n q such that F s = v. The public key is F, v. The secret is s such that F s = v. The Prover is going to convince the Verifier of his knowledge of s pass scheme For simplicity, the random string in Com is not written explicitly. If X is a set, x R E means that x is randomly chosen in X with the uniform distribution.. The Prover picks up r, r, t R F n q and e, f, h R F m q. Then she computes r 2 = s r r, t = r t e = F r e, f = F r + r f, h = F r + r 2 h The Prover sends to the Verifier c = Comr, r 2, Gt, r, r 2 e + f + h c = Comr, t, e, f, c 2 = Comr, t, e, f c 3 = Comr 2, t, e, h, c 4 = Comr 2, t, e, h 2. The verifier chooses a query Q R {,, 2, 3} and sends Q to the prover. 3. a If Q = then the Prover sends r, r, t, e, f. The Verifier checks if c = Comr, r t, F r e, F r +r f, c 2 = Comr, t, e, f b If Q = then the Prover sends r, r 2, t, e, h. The Verifier checks if c 3 = Comr 2, r t, F r e, F r +r 2 h, c 4 = Comr 2, t, e, h c If Q = 2 then the Prover sends r, r 2, t, e, f, h. The Verifier checks if c = Comr, r 2, v Gt, r, r 2 +e f h F r +r 2 +F r +F r 2, c 2 = Comr, t, e, f, c 4 = Comr 2, t, e, h d If Q = 3 then the Prover sends r, r 2, t, e, f, h. The Verifier checks if c = Comr, r 2, Gt, r, r 2 e + f + h, c = Comr, t, e, f, c 3 = Comr 2, t, e, h The verifier outputs if the she gets the correct value in the commitments, otherwise. 4.2 Properties of the 3-pass scheme It is easy to see that the verifier always accepts an interaction with the honest prover. Thus the 3-pass scheme has perfect correctness.

5 Theorem The 3-pass protocol is statistically zero knowledge when the commitment scheme Com is statistically hiding. Proof. We construct a black-box simulator S which have oracle access to a cheating verifier CV takes F and v, and outputs a simulated transcripts with probability 3/4 as follows. The simulator randomly chooses a value Q R {,, 2, 3} and vectors s, r, r, t R F n q and e, f, h R F m q, where Q is a prediction what value the cheating verifier CV will not choose. Then it computes Moreover it sets: r 2 = s r + r, t r t, e F r e. If Q =, f = v F s + F r + r f, else f = F r + r f. 2. If Q =, h = v F s + F r + r 2 f, else h = F r + r 2 h. 3. If Q = 3, c = Comr, r 2, v Gt, r, r 2 f h + e F r + r 2 + F r + F r 2, else c = Comr, r 2, Gt, r, r 2 f h + e It also computes: c = Comr, t, e, f, c 2 = Comr, t, e, f c 3 = Comr 2, t, e, h, c 4 = Comr 2, t, e, h and sends c, c, c 2, c 3, c 4 to CV. Receiving a query Q from CV the simulator outputs if Q = Q and stops. If S does not output, it produces a transcript as follows: If Q =, it outputs c, c, c 2, c 3, c 4,, r, r, t, e, f If Q =, it outputs c, c, c 2, c 3, c 4,, r, r 2, t, e, h If Q = 2, it outputs c, c, c 2, c 3, c 4, 2, r, r 2, t, e, f, h If Q = 3, it outputs c, c, c 2, c 3, c 4, 3, r, r 2, t, e, f, h We can check that if S does not output, the transcript is accepted. For example, we consider the case where Q = and Q = 2. The output is c, c, c 2, c 3, c 4, 2, r, r 2, t, e, f, h. Thus, we have the right values for c 2 and c 4. Now, c is computed as follows: c = Comr, r 2, v Gt, r, r 2 + e f h F r + r 2 + F r + fr 2. Here f = v F s + F r + r f. Thus we obtain c = Comr, r 2, Gt, r, r 2 f h + e and the transcript is accepted. The other cases are checked similarly. We now show that the distribution of the output S is statistically close to the distribution of a real transcript since the commitment is statistically hiding. A real transcript between the the legitimate prover P and a cheating verifier CV on F, v, s is denoted by P s, CV F, v. The simulator output is denoted by S, CV F, v. We analyze the output distribution. First first we consider the case where Q =. Then P s, CV F, v = c, c, c 2, c 3, c 4,, r, r, t, e, f S, CV F, v = c, c, c 2, c 3, c 4,, r, r, t, e, f

6 Assume that r, r, t, e, f = r, r, t, e, f. Then we obtain t = t, e = e, f = f and c = c, c 2 = c 2 in all cases Q =, 2, 3. The second case is when Q =. Then P s, CV F, v = c, c, c 2, c 3, c 4,, r, r 2, t, e, h S, CV F, v = c, c, c, c 3, c 4,, r, r 2, t, e, h This case is very similar to the previous one. We get t = t, e = e, h = h and c 3 = c 3, c 4 = c 4 in all cases Q =, 2, 3. The third case is Q = 2. Then P s, CV F, v = c, c, c 2, c 3, c 4, 2, r, r 2, t, e, f, h S, CV F, v = c, c, c 2, c 3, c 4, 2, r, r 2, t, e, f, h When Q =, assume that r, r, t, e, f, h = r + s s, r, t + s s, e F r +F r +s s, f F r +r +v F s +F r +r +s s, h F r + r 2 + F r + r 2 + s s. When Q =, assume that r, r, t, e, f, h = r +s s, r, t +s s, e F r +F r +s s, f F r +r +F r +r + s s, h F r + r 2 + v F s + F r + r 2 + s s. When Q =, assume that r, r, t, e, f, h = r + s s, r, t + s s, e F r + F r + s s, f F r + r + F r + r + s s, h F r + r 2 + F r + r 2 + s s. We can check that for all these cases we obtain: r 2 = r 2, t = t, e = e, f = f, h = h and then c = c, c 2 = c 2, c 4 = c 4. The last case is Q = 2. Then P s, CV F, v = c, c, c 2, c 3, c 4, 3, r, r 2, t, e, f, h 3 S, CV F, v = c, c, c 2, c 3, c 4, 2, r, r 2, t, e, f, h Assume that r, r, t, e, f, h = r s s, r, t, e, f, h, then we obtain r 2 = r 2, c = c, c = c and c 3 = c 3. Since the commitment is statistically hiding, we get that when S does not output, the distribution of the output of S is statistically close to the distribution of the real transcript. Theorem 2 The 3-pass protocol is proof of zero knowledge with zero knowledge error 3/4 when the commitment scheme Com is computationally binding. Proof. Suppose that there exists a false prover C that can answer all the questions. Then either C will compute a collision for Com or will extract a solution for F, v. Let c, c, c 2, c 3, c 4, Q, Rsp, c, c, c 2, c 3, c 4, Q, Rsp, c, c, c 2, c 3, c 4, Q 2, Rsp 2, c, c, c 2, c 3, c 4, Q 3, Rsp 3, be four transcripts such that Q i = i and all the responses are accepted. Consider the situation where the responses are parsed as Rsp = r, r, t, e, f, Rsp = r, r 2, t, e, h, Rsp 2 = r 2, r2 2, t2, e2, f 2, h2, Rsp 3 = r 3, r3 2, t, e, f, h. We obtain: c = Com r 2, r2 2, v Gt2, r2, r2 2 f 2 h 2 + e 2 F r 2 + r 2 + F r2 + F r2 2 = Com r 3, r3 2, Gt, r 3, r3 2 + f + h e

7 c = Com r, r t, F r e, F r + r f = Com r 3, t, e, f 2 c 2 = Comr, t, e, f = Comr2, t2, e2, f 2 3 c 3 = Com r 2, r t, F r e, F r + r 2 h = Com r 3 2, t, e, h 4 c 4 = Comr 2, t, e, h = Comr2 2, t2, e2, h2 5 If two tuples of the arguments of Com are are distinct on either of the above equations, then we have a collision for Com. Otherwise, these equalities give: h 5 = h 2, r 2 = r 3 = r 2, t 3 = t 5 = t 2, r 3,4 = r and r 2 2 = r = r 2, e2 3 = e 2,4 = e, f 3 = f 2 So, all upper scripts are useless and from we have: v = Gt + t, r, r 2 + f + h e + F r + r 2 F r F r 2 + f + h e Then, from 2 and 4 we have r = t +t, F r = e +e, F r +r = f +f and F r + r 2 = h + h, so if we replace these values in the previous equality, we obtain: v = Gr, r, r 2 + F r + r + F r + r 2 + F r + r 2 F r F r F r 2 = F r + r + r 2 This means that a solution r + r + r 2 for v is extracted. Let p s be the probability that P convinces the honest verifier on s and p the probability that all the 3 transcripts are accepted. Suppose that p s > 3 4. Depending on the fact that the 4 transcripts are accepted or not, we get p s p p. This implies that p 4p s 3 4. Thus the proof of Theorem 2 is complete. 4.3 Computations in the 3-pass scheme We give the maximum number of computations that have to be done either by the prover or by the receiver in the case of F 2. We must calculate the number of computations for F and for G. Moreover we see that F is computed at most 3 times and G is computed just one time. We only count multiplications. In F 2, we have: x 3 i = x2 i = x i. We can write: f l x = n [ x i γ l i + γii l + γiii l + i= n j=i+ x j γ l ij + γ l ijj + n k=j+ γ l ijkx k ] Let M denotes the number of multiplications needed to compute F. Using the above expression for F, we obtain M n3 6 m. In the following table, we give the characteristics of the scheme ZK3 and the values that we obtain when we

8 choose n = 84, m = 8, in order to have 8-bit security cf. [2]. Moreover if we want an impersonation probability less than 2 3, we need to perform at least 73 rounds. R stands for the number of rounds and C for the maximum number of computations that have to be done either by the prover or by the receiver. The values are given in Table. Remark. We may need less computations. It depends on the number of non Table. ZK3 Scheme Formulas Parameters for 2 8 security Public key bit m 8 Secret key bit n 84 n M n + 2m R Communication bit or n + 3m R 72 Number of multiplications C=9MR 2 33 zero coefficients. This is the case for Brent equations as explain in Section pass scheme Here we describe briefly a 5-pass scheme. Proofs are sketched in Appendix A.. The Prover picks up at random r, r, t F n q and e, f, h F m q. Then she computes r 2 = s r r. The Prover sends to the Verifier c = Comr, r 2, Gt, r, r 2 e + f + h c = Comr, t, e, f c 2 = Comr, t, e, f c 3 = Comr 2, t, e, h c 4 = Comr 2, t, e, h 2. The verifier picks α R F q and sends α to the prover. 3. The prover computes: t, e f, h = αr t, αf r e, αf r + r f, αf r + r 2 h and sends t, e f, h to the verifier. 4. The verifier picks Q R {,, 2} and sends Q to the prover. 5. a If Q =, then the prover sends r, r. The verifier checks if c = Comr, r, αr t, αf r e, αf r + r f. b If Q =, then the prover sends r, r 2. The verifier checks if c = Comr, r 2, αr t, αf r e, αf r + r 2 h. c If Q = 2, then the prover sends r, r 2. The verifier checks if c 2 = Comr, r 2, αv F r +r 2 +F r +F r 2 Gt, r, r 2 f h +e.

9 As for the 3-pass scheme, we have perfect correctness and the following results: Theorem 3 The 5-pass protocol is statistically zero knowledge when the commitment scheme Com is statistically hiding. Theorem 4 The 5-pass protocol is proof of zero knowledge with zero knowledge error 2/3 + /3q when the commitment scheme Com is computationally binding. 5 The ZK3 Scheme. In this section, we propose another scheme inspired from [2]. The idea is to transform the cubic system into a quadratic one and the to use the scheme given in [2]. As we will see, the number of computations is smaller, but the number of communication bits is more important. We investigate the transformation of a system with cubic equations to a system with quadratic equations. We will introduce new variables. Once we have obtained a system of equations with quadratic polynomials, we can apply the identification scheme of [2]. We will calculate the number of multiplications in this case. In our system, we have F x = f x, f 2 x,..., f m x where l, l m, f l x = γijkx l i x j x k + γijx l i x j + γi l x i i j k n i j n i n and x = x,..., x n. We introduce the new variables i, j, i j n, X ij = x i x j. The number of new variables is nn 2, if q = 2, and nn+ 2, if q 2. In our new system, we have F = f,..., f m, f ij i j n where for x = x,..., x n, X ij i j n and l m, f l x = i j k n γ l ijkx ij x k + i j n γ l ijx ij + i n γ l i x i and for i j n, f ij x = X ij x i x j. Here the number of variables is ñ n + n2 2 and the number of equations is m = m + n2 2. As before, M denotes the number of multiplications needed to compute F. M denotes the number of multiplications for the computation of F. We choose q = 2. Then M = M + nn 2. Thus M M n3 6. C stands for the maximum number of computations that have to be done either by the prover or by the receiver. If R denotes the number of rounds performed in order to have an impersonation probability less than 2 3, then R = 52 cf. [2]. The following table gives the characteristics of the ZK3 Scheme and the values we get when n = 84 and m = 8.

10 Table 2. ZK3 Scheme Formulas Parameters for 2 8 security Public key bit m 3483 Secret key bit n 84 n M 6 Communication bit ñ + m R 5658 Number of multiplications C = 3 M R ZKd and ZKd Schemes for any d 6. The ZKd Scheme We will design a 3-pass scheme We consider the following function of degree d from F n q to F m q : where l, l m, i i... i d n f l x = F x = f x, f 2 x,..., f m x i i... i d n γ l i...i d x i x i2... x id γ l i...i d x i x i2... x id + i i i 2 n and x = x,..., x n. We omit the constant term. Let Gr, r,..., r d = d d i i= S {,...,d } S =i γ l i i 2 x i x i2 + F j S r j i i n Then G is d-linear. The problem is: Given F and v F m q find s F n q such that F s = v The public key is F, v. The secret is s such that F s = v. γ l i x i. The Prover picks up at random r, r,..., r d 2, t R F n q, f R F m q, and p, p d 2, i,... i p, i < i 2 <... i p d, f i...ip, R F m q. Then she computes r d = s d 2 i= r i t = r t f = F r f and p, p d 2, i,... i p, i < i 2 <... i p d f i...ip = F r + r i r ip f i...ip

11 Then the Prover sends to the Verifier c Com r,..., r d, Gt, r,..., r d + d 2 d p f i...ip p= i <...<i p d + d f i, i d c 2i Com r,..., r i, r i+,..., r d, t, f, p, p d 2, i,... i p, i < i 2 <... i p d, such that j, i j i, f i...ip c 2i Com r,..., r i, r i+,..., r d, t, f, p, p d 2, i,... i p, i < i 2 <... i p d, such that j i j i, f i...ip The verifier chooses a query Q R {,,..., d} and sends Q to the prover. 2. a If Q =, then the Prover sends r, r 2,..., r d, t, f, p, p d 2, i,... i p, i < i 2 <... i p d, f i...ip. The Verifier checks if c = Com r,..., r d, Gt, r,..., r d + i <...<i p d f i...ip + d f d 2 d p p= and i, i d, c 2i = Com r,..., r i, r i+,..., r d, t, f, p, p d 2, i,... i p, i < i 2 <... i p d, such that j, i j i, f i...ip b If Q = d, then the Prover sends r, r 2,..., r d, t, f, p, p d 2, i,... i p, i < i 2 <... i p d, f i...ip. i, i d, The Verifier checks if c = Com r,..., r d, v Gt, r,..., r d d 2 d p p=

12 d f + i <...<i p d d d i i= f i...ip S {,...,d } S =i F r j j S and i, i d, c 2i = Com r,..., r i, r i+,..., r d, t, f, p, p d 2, i,... i p, i < i 2 <... i p d, such that j, i j i, f i...ip c if Q = i, then the prover sends r, r,..., r i, r i+,..., r d, t, f, p, p d 2, i,... i p, i < i 2 <... i p d, such that j, i j i, f i...ip The Verifier checks if c 2i = Com r,..., r i, r i+,..., r d, r t, F r f, and p, p d 2, i,... i p, i < i 2 <... i p d, such that j, i j i, F r + r i r ip f i...ip c 2i = Com r,..., r i, r i+,..., r d, t, f, p, p d 2, i,... i p, i < i 2 <... i p d, such that j, i j i, f i...ip As for the the case d = 3, we have perfect correctness and the following results see Appendix B for details: Theorem 5 The 3-pass protocol ZKd is statistically zero knowledge when the commitment scheme Com is statistically hiding. Theorem 6 The 3-pass protocol is proof of zero knowledge with zero knowledge error when the commitment scheme Com is computationally binding. d d+ Remark. As for the case d = 3, it is possible to design a 5-pass scheme. 6.2 The ZKd Scheme Here we explain how it is possible to design the ZKd Scheme. Again there are two functions F and F. If M resp. M denotes the number of computations for F resp. F, then M n d /d! and M nd d! + n d 2 / d 2! M. For ZKd, there are n variables and m equations. For ZKd, there are ñ n + n d 2 / d 2! variables and m m + n d 2 / d 2! equations. There are more multiplications in ZKd and more communication bits in ZKd. The values for both schemes are given in Table 3. Here we have an impersonation probability less than 2 3.

13 Table 3. ZKd and ZKd Schemes ZKd scheme ZKd scheme Public key bits m m m + n d 2 / d 2! Secret key bits n n M Rounds n d d! R = m 3 ln2 ln+/d n d d! m R = 52 Number of 5dn + ln d + 2 2d R Communication or n + m + 3n d 2 / d! R 2 bits 3dn + ln d + 2 2d 2 R Multiplications C = 92 d + d!mr C = 3 M R 6.3 Relations for sparse systems In the previous computations, we have supposed that we have the maximum number of coefficients. Then we obtained that in both cases, M M nd d!. Then the total number of multiplications is a function of M or M and the number of rounds. For sparse systems, M or M will be smaller but we will still have the same relations between C, M and R and similarly C, M and R. Here again, we can see that there are more variables and more communications bits in the ZKd schemes and more computations in the ZKd schemes. 7 Relations between the number of computations and the number of coefficients We begin with the ZKd scheme. We have: f l x, x 2,..., x n = γ l i...i d x i x i2... x id + i,...,i d S l d γ l i...i d x i x i2... x id i i,...,i d S l d γ l i i 2 x i x i2 + γ l i x i i i,i 2 S2 l i i S2 l The number of multiplications for f l is given by d Sd l + d Sd l + d 2 Sd 2 l S2 l + S l and for F the number M of multiplications is m [ ] M = d Sd l + d Sd l + d 2 Sd 2 l S2 l + S l l=

14 Moreover, F is computed at most 2 d times during the process. For g l we have d!d + m Sd l multiplications and for G, d!d + S l d multiplications and G is computed one time. Finally, for one round, the number of multiplications is given by m [ d2 d + d!d + Sd l + d Sd l + d 2 Sd 2 l l= l= ] 2 S2 l + S l and then we have to multiply by the number of rounds R to get C. For the ZKd scheme, we have M = M + n d 2 / d 2!. Then C = 3 M R. 8 The particular case of Brent equations In this section, we introduce the Brent equations. Suppose we want to multiply two N N matrices. The naive method will use N 2 multiplications. In fact for N = 2, Strassen s algorithm [6] requires 7 multiplications instead of 8 multiplications and Laderman showed that when N = 3 it is possible to use 23 multiplications instead of 3 3 = 27 [6]. For N = 2, 7 is the least number we can obtain. For N = 3, it is not known if 23 is the least number in the non-commutative case. In [], it is shown that obtaining the product of two matrices N N can be done using s multiplications is equivalent to solve the following system of cubic s equations: γ ijk α abk β cdk = δ bc δ ia δ jd a, b, c, d, i, j {, 2,..., n} k= Here we have n = 3sN 2, m = N 6. If we use formula, we obtain that the number of multiplications is 22 s N 6 if we use the ZK3 scheme. It is also interesting to design an authentication public key cryptographic scheme as close as possible to Brent equations. In order to do this, we choose a system similar to Brent equations but for which we know a particular solution. It is possible to proceed as follows:. We consider the finite field Z/2Z 2. We take the Brent equations with s = 22 in order obtain an open problem in the non-commutative case 3. We pick randomly variables α, β, γ in Z/2Z 4. We deduce the corresponding constants 5. We then use either ZK3 or ZK3 to have a zero-knowledge protocol.

15 9 Morphisms of polynomials and systems of cubic equations 9. The MP Problem The IP problem Isomorphism of Polynomials has been used to construct pubic key schemes cf [9]. On one hand, this is not a NP-complete problem since it admits an Arthur-Merlin game when the answer is yes and when the answer is no. On the other hand, the MP problem morphisms of polynomials where matrices are not supposed to be invertible is proved to be NP-complete [3, ] and thus is much more difficult. So it is interesting to design a public key authentication scheme based on MP. We explain briefly below how it is possible to construct such a scheme by transforming MP very efficiently into a system of equations of degree 3 and then applying our ZK3 or ZK3 protocols. 9.2 From MP to polynomials of degree 3 We consider the two following systems: A c k = B z t = i n, j n i p, j p γ k ija i a j + α t ijx i x j + We want to find 2 matrices M = m rs r v s u M c. c u = z. z v n µ k i a i, k u i= p βix t i, i= and H For all t, t v, on one hand, we have: u n z t = m ts γija s i a j + µ s i a i z t = z t = s= i n j n u m ts s= p i n j n p [ u γ s ij f= b= s= i n j n i= t v and H = h df d n f p x. x p p p n h if x f h jb x b + f= other hand, we have: z t = b= γ s ijm ts h if h jb ]x f x b + i p j p α t ijx i x j + f= i= = µ s i a. a n p h if x f f= s= i= such that p [ u n µ s i m ts h if ]x f. On the p βix t i. This gives t t i=

16 v, f, f p, b, b p, α t fb + β t f = u s= i= u s= i n j n γ s ijm ts h if h jb + n µ s i m ts h if. Thus we obtain vp 2 cubic equations and np + vu unknowns. Conclusion In [2], a very efficient zero-knowledge proof based on the MQ problem multivariate quadratic polynomials is given. In this paper we proved that this construction can be generalized to polynomials of degree d for any d 3. We studied several constructions and we presented here the two most efficient ones denoted by ZKd and ZKd. ZKd is quasi optimal in term of communication bits and ZKd is quasi optimal in term of number of computations. This result is true for dense or sparse systems. We also presented two important specific problems Brent equations and morphisms of polynomials that can be transformed into efficient public key schemes using ZKd and ZKd. References. Gregory V. Bard. New Practical Strassen-like Approximate Matrixmultiplication Algorithms found via solving a system of cubic equations Come Berbain, Henri Gilbert, and Jacques Patarin. QUAD: A Practical Cipher with Provable Security. In Serge Vaudenay, editor, Advances in Cryptology EUROCRYPT 26, volume 444 of Lecture Notes in Computer Science, pages Springer-Verlag, Michael R. Garey and David S. Johnson. Computers and Intractability; A Guide to the Theory of NP-Completness. W.H. Freeman and Co, Oded Goldreich, Silvio Micali, and Avi Wigderson. Proofs that yield nothing but their validity or all languages in np have zero-knowledge proof systems. J. ACM, 38:69 728, July Shai Halevi and Silvio Micali. Practical and Provably-Secure Commitment Schemes from Collision-Free Hashing. In Neal Koblitz, editor, Advances in Cryptology CRYPTO 996, volume 9 of Lecture Notes in Computer Science, pages Springer-Verlag, J.Laderman. A noncomuutative algorithm for multiplying 3 x3 matrices using 23 multiplication. Bulletin of the American Mathematical Society, 82:26 28, Aviad Kipnis, Jacques Patarin, and Louis Goubin. Unbalanced Oil and Vinegar Signature Schemes. In Jacques Stern, editor, Advances in Cryptology EURO- CRYPT 999, volume 492 of Lecture Notes in Computer Science, pages Springer-Verlag, Tsutomu Matsumo and Hideki Imai. Public Quadratic polynomial-tuples for Efficient Signature-Verification and Message-Encryption. In C.G. Gunther, editor, Advances in Cryptology EUROCRYPT 988, volume 33 of Lecture Notes in Computer Science, pages Springer-Verlag, 988.

17 9. Jacques Patarin. Hidden Fields Equations HFE and Isomorphims of Polynomials IP: Two New Families of Asymmetric Algorithms. In Ueli Maurer, editor, Advances in Cryptology EUROCRYPT 996, volume 7 of Lecture Notes in Computer Science, pages Springer-Verlag, Jacques Patarin and Louis Goubin. Trapdoor one-way permutations and multivariate polynomials. In Yongfei Han, Tatsuaki Okamoto, and Sihan Qing, editors, ICICS, volume 334 of LNCS, pages Springer, David Poincheval. A New Identification Scheme based on the Perceptrons Problem. In Alfredo de Santis, editor, Advances in Cryptology EUROCRYPT 995, volume 95 of Lecture Notes in Computer Science, pages Springer-Verlag, Koichi Sakumuto, Taizo Shirai, and Harunaga Hiwatari. Public-Key Identification Schemes based on Multivariate Quadratic Polynomials. In Philip Rogaway, editor, Advances in Cryptology CRYPTO 2, volume 684 of Lecture Notes in Computer Science, pages Springer-Verlag, Adi Shamir. An Efficient Identification Scheme Based on Permuted Kernels Extended Abstract. In Gilles Brassard, editor, Advances in Cryptology CRYPTO 989, volume 435 of LNCS, pages Springer-Verlag, Jacques Stern. A New Identification Scheme based on Syndrome Decoding. In Douglas R. Stinson, editor, Advances in Cryptology CRYPTO 993, volume 773 of Lecture Notes in Computer Science, pages 3 2. Springer, Jacques Stern. Designing Identification Schemes with Keys of Short Size. In Yvo G. Desmedt, editor, Advances in Cryptology CRYPTO 994, volume 839 of Lecture Notes in Computer Science, pages Springer, Volker Strassen. Gaussion Elimination is not optimal. Numerische Mathematik, 33: , 969. A 5-pass scheme for ZK3 In this appendix, we give sketches of proof for the 5-passes scheme.. The Prover picks up at random r, r, t F n q and e, f, h F m q. Then she computes r 2 = s r r. The Prover sends to the Verifier c = Comr, r 2, Gt, r, r 2 e + f + h c = Comr, t, e, f c 2 = Comr, t, e, f c 3 = Comr 2, t, e, h c 4 = Comr 2, t, e, h 2. The verifier picks α R F q and sends α to the prover. 3. The prover computes: t, e f, h = αr t, αf r e, αf r + r f, αf r + r 2 h and sends t, e f, h to the verifier. 4. The verifier picks Q R {,, 2} and sends Q to the prover. 5. a If Q =, then the prover sends r, r. The verifier checks if c = Comr, r, αr t, αf r e, αf r + r f.

18 b If Q =, then the prover sends r, r 2. The verifier checks if c = Comr, r 2, αr t, αf r e, αf r + r 2 h. c If Q = 2, then the prover sends r, r 2. The verifier checks if c 2 = Comr, r 2, αv F r +r 2 +F r +F r 2 Gt, r, r 2 f h +e. As for the 3-pass scheme, we have perfect correctness and the following resultsproofs are sketched in Appendix A: Theorem 7 The 5-pass protocol is statistically zero knowledge when the commitment scheme Com is statistically hiding. Proof sketch. Let S be a simulator which takes F and v without knowing s, and interacts with a cheating verifier CV. We show that the simulator can impersonate the honest prover with probability 2/3. The simulator randomly chooses a value Ch R {,, 2} and vectors s, r, r, t R F n q and e, f, h R F m q, where Ch is a prediction what value the cheating verifier CV will not choose. Then it computes r 2 s r + r c Comr, r, t, e, f c Comr, r 2, t, e, h c 2 Comr, r 2, Gt, r, r 2 + f + h e and sends c, c, c 2 to CV. Then receiving a challenge α from CV, it computes: t = αr t e = αf r e Now if Ch = it sets f = αv F s +F r +r f, else f = αf r +r f if Ch = it sets h = αv F s +F r +r 2 h, else f = αf r +r 2 h Then it sends t, e f, h to CV Due to the statistically hiding property of Com, a challenge Ch from CV is different from Ch with probability 2/3. If Ch Ch, then r, r, r, r 2, and r, r 2 are accepted responses to Ch =, and 2 respectively. Theorem 8 The 5-pass protocol is proof of zero knowledge with zero knowledge error 2/3+/3q when the commitment scheme Com is computationnaly binding., h i, Ch j, Rsp i,j be six tran- Proof sketch. Let c, c, c 2, α i, t i, ẽi i, f scripts for i {, } and j {,, 2} such that DecF, v, c, c, c 2, α i, t i, ẽi, f i, h i, Ch j, Rsp i,j p =, α α, and Ch j = j. Then, by using the six transcripts, we show that we are able either to break the binding property of Com or extract a solution for v. Consider the situation where the responses are parsed as Rsp, = r, r

19 Then we have: Rsp, = r, r 2 Rsp,2 = r, r 2 Rsp, = r, r Rsp, = r, r 2 Rsp,2 = r, r 2 c = Com r, r, α r t, α F r ẽ, α F r = Com r, r, α r t, α F r ẽ, α F r + r + r f f 6 c = Com r, r 2, α r t, α F r ẽ, α F r = Com r, r 2, α r t, α F r ẽ, α F r + r 2 + r 2 h h 7 c 2 = Com r, r 2, α v F r + r 2 + F r f h + ẽ = Com r, r 2, α v F r + r 2 + F r + F r 2 + F r 2 f h + ẽ 8 G t, r, r 2 G t, r, r 2 If two tuples of the arguments of Com are are distinct on either of the above equations, the binding property of Com is broken. Otherwise, 6 gives: r = r, r = r This implies: α α r = t + t α α F r = ẽ + ẽ α α F r + r = f + f If we use 7, we obtain two more equations: Now 8 gives r 2 = r 2 and α α F r α v F r + r 2 + F r = α v F r + r 2 + F r + F r 2 + F r 2 + r 2 G t, r = h + h, r 2 G t, r, r 2 f h + ẽ f h + ẽ

20 This implies that [ α α v = α α F r + r 2 F r F r 2 + G r, r, r Thus we obtain v = F r + r for v is extracted. ] +F r + r + F r + r 2 F r + r 2 2. This means that a solution r + r + r 2 B Proofs for the ZKd Scheme Theorem 9 The 3-pass protocol is statistically zero knowledge when the commitment scheme Com is statistically hiding. Proof sketch. Let S be a simulator which takes F and v without knowing s, and interacts with a cheating verifier CV. We show that the simulator can impersonate the honest prover with probability d d+. The simulator randomly chooses a value Ch R {,,..., d} and vectors s, r, r,..., r d 2, t R F n q, f R F m q, and p, p d 2, i,... i p, i < i 2 <... i p d, f...i p, R F m q, where Ch is a prediction what value the cheating verifier CV will not choose. Then it computes d 2 r d s Moreover it sets: i= t r t f F r f p, p d 2, i,... i p, i < i 2 <... i p d, f i...i p F r + r i r i p f i...i p. If Ch =, c = v Gt, r,..., r d d 2 p= d p i f i...i p <...<i p d d f d i= d i S {,...,d } F j S r j, S =i else c = Gt, r,..., r d + d 2 p= d p i f i...i p <...<i p d + d f 2. If Ch = i, i d, f 2...i i+...d = v F s + F r + r r i + r i r d f 2...i i+...d, else f 2...i i+...d = F r + r r i + r i r d f 2...i i+...d, r i

21 It also computes: i, i d c 2i Com r,..., r i, r i+,..., r d, t, f, p, p d 2, i,... i p, i < i 2 <... i p d, such that j, i j i, f i...i p c 2i Com r,..., r i, r i+,..., r d, t, f, p, p d 2, i,... i p, i < i 2 <... i p d, such that j i j i, f i...i p and sends c, c, c 2,..., c 2d 2 to tcv. Due to the statistically hiding property of Com, a challenge Ch from CV is different from Ch with probability d d+. If Ch Ch, then r, r 2,..., r d, t, f, p, p d 2, i,... i p, i < i 2 <... i p d, f i...ip, and i, i d, r, r,..., r i, r i+,..., r d, t, f, p, p d 2, i,... i p, i < i 2 <... i p d, such that j i j i, f i...ip are accepted responses to Ch =,,... d. Theorem The 3-pass protocol is proof of zero knowledge with zero knowledge error when the commitment scheme Com is computationnaly binding. d d+ Proof sketch. Let i, i d, let c, c, c 2,..., c 2d 2, Ch i, Rsp i be d + transcripts such that Ch i = i and DecF, v; c, c, c 2,..., c 2d 2, Ch i, Rsp i = for i {,, 2,..., d}. Then, by using the four transcripts, we show that we are able either to break the binding property of Com or extract a solution for v. Consider the situation where the responses are parsed as Rsp = r, r 2,..., r d, t, f, p, p d 2, i,... i p, i < i 2 <... i p d, f,i...i p i, i d, Rsp i = r i, ri,..., ri i, ri i+,..., ri d, t i, f i, p, p d 2, i,... i p, i < i 2 <... i p d, such that j, i j i, f i,i...i p Rsp d = r d, rd 2,..., rd d, t d, f, p, p d 2, i,... i p, i < i 2 <... i p d, f d,i...i p

22 We obtain: d 2 c = Com r d,..., rd d d, v G t, rd,..., rd d d p d f d + i <...<i p d d d i i= f d,i...ip S {,...,d } S =i F j S p= r d j d 2 = Com r,..., r d, G t, r,..., r d + d p i <...<i p d p= f,i...ip + d f i, i d, c 2i = Com r i,..., ri i, ri i+,..., ri d, ri t i, F ri i f, p, p d 2, i,... i p, i < i 2 <... i p d, such that j, i j i, F r i + r i i r i i,i...ip i p f = Com r,..., r i, r i+,..., r d, t, f, p, p d 2, i,... i p, i < i 2 <... i p d,,i such that j, i j i, f...i p c 2i = Com r i,..., ri i, ri i+,..., ri d, t i i, f, p, p d 2, i,... i p, i < i 2 <... i p d, i,i such that j, i j i, f...i p = Com r d,..., rd i, rd i+,..., rd d, t d d, f, p, p d 2, i,... i p, i < i 2 <... i p d, d,i such that j, i j i, f...i p If two tuples of the arguments of Com are are distinct on either of the above equations, the binding property of Com is broken. Otherwise the conditions on c give: r = r d,..., r d = rd d

23 d 2 v = G t + t d, rd,..., rd d + d p i <...<i p d + d d f + f The conditions on c 2i give:,i...ip f + d d i i= p= f d,i...ip S {,...,d } S =i F j S r d j r i = r,..., ri i = r i, ri i+ = r i+,... ri d = r d t i = t f i = f p, p d 2, i,... i p, i < i 2 <... i p d, The conditions on c 2i give: such that j, i j i, f i,i...i p = f,i...ip We obtain: r i = r d,..., ri i = rd i, ri i+ = rd i+,... ri d = rd d t i = t d f i = f d p, p d 2, i,... i p, i < i 2 <... i p d, such that j, i j i, f i,i...i p = t + t d = t + t = r F r = f + f = i, i d, F r + r d i = F r + r i = More generally f d,i...ip d f + f,i,i f + f = F r + r d i r d i p = F r + r i r i p =,i d,i f + f Finally, we obtain f,i...ip,i...ip + f =,i...ip d,i...ip f + f v = F r + r d r d d This means that a solution r + r d r d d for v is extracted.