Improved Zero-knowledge Protocol for the ISIS Problem, and Applications

Size: px

Start display at page:

Download "Improved Zero-knowledge Protocol for the ISIS Problem, and Applications"

Berniece Porter
5 years ago
Views:

1 Improved Zero-knowledge Protocol for the ISIS Problem, and Applications Khoa Nguyen, Nanyang Technological University (Based on a joint work with San Ling, Damien Stehlé and Huaxiong Wang) December, 29, 2014

2 Content 1 Background The ISIS Problem Previous Works 2 Our Zero-knowledge Proof for ISIS Our Result Our Techniques 3 Applications of SternExt Basic Applications More Advanced Constructions

3 The ISIS Problem [GPV 08] ISIS = Inhomogeneous Small Integer Solution. ISIS n,m,q,β Let n, m, q, β be integers. Given matrix A $ Z n m q and vector y $ Z n q, find x Z m such that x β and A x = y mod q. n A m x = y (mod q) Khoa Nguyen, NTU Improved ZKP for ISIS 3 / 19

4 The ISIS Problem [GPV 08] ISIS = Inhomogeneous Small Integer Solution. ISIS n,m,q,β Let n, m, q, β be integers. Given matrix A $ Z n m q and vector y $ Z n q, find x Z m such that x β and A x = y mod q. n A m x = y (mod q) For big enough m, the system has solutions. But finding a small solution is not that easy. Khoa Nguyen, NTU Improved ZKP for ISIS 3 / 19

5 Why ISIS? Easy to understand, involving only basic linear algebra. Hardness guarantee from lattice problems (e.g., SIVP) A x = y (mod q) b 1 b 2 Khoa Nguyen, NTU Improved ZKP for ISIS 4 / 19

6 Why ISIS? Easy to understand, involving only basic linear algebra. Hardness guarantee from lattice problems (e.g., SIVP) A x = y (mod q) b 1 b 2 Widely used in lattice-based cryptography in recent years: CRHF [Ajtai 96], commitment scheme [KTX 08]. Identification schemes [Lyu 08], [KTX 08],... Digital signatures [GPV 08], [Boyen 10], [CHKP 10], [Lyu 12],... Khoa Nguyen, NTU Improved ZKP for ISIS 4 / 19

7 Zero-knowledge Proof of Knowledge for ISIS An interactive protocol that allows a Prover to convince a Verifier that he knows a secret solution x to a given ISIS instance (A, y). 1 Completeness: An honest prover can convince an honest verifier. 2 Zero-knowledgeness: The verifier should learn no additional information about the prover s secret x. 3 Proof of knowledge: If an algorithm succeeds, then we can use it to extract an ISIS solution x. Why we need ZKPoK for ISIS? Building blocks in many lattice-based cryptographic constructions: identification schemes, signature schemes (via Fiat-Shamir heuristics),... Khoa Nguyen, NTU Improved ZKP for ISIS 5 / 19

8 Previous Proof Systems for ISIS β 1 One can derive a ZKPoK for ISIS from Micciancio-Vadhan s proof system for GapCVP [MV 03]. 2 Lyubashevsky [Lyu 08]: a witness-indistinguishable PoK for ISIS. Proof systems [MV 03] [Lyu 08] Zero-knowledge? (WI) Perfect completeness? Norm bound in the ISIS hardness assumption β Õ(n) β Õ(n) Communication cost k Õ(n log q) Õ(n log q) Limitation: Breaking these proof systems is potentially easier than solving the underlying ISIS problem: there is a gap of Õ(n). Khoa Nguyen, NTU Improved ZKP for ISIS 6 / 19

9 Our Result A zero-knowledge proof of knowledge for ISIS β, called SternExt, with: Very strong security guarantee: Breaking the protocol is at least as hard as solving ISIS β. (There is no gap in the security reduction.) Reasonable communication cost. Proof systems [MV 03] [Lyu 08] SternExt Zero-knowledge? (WI) Perfect completeness? Norm bound in the ISIS hardness assumption β Õ(n) β Õ(n) β Communication cost k Õ(n log q) Õ(n log q) log β Õ(n log q) Our main idea: Extending the Stern-KTX ([Stern 96,KTX 08]) proof system. Khoa Nguyen, NTU Improved ZKP for ISIS 7 / 19

10 The Stern-KTX Proof System Stern [Stern 96] proposed a ZKPoK for the Syndrome Decoding Problem. Let n, m and k < m be integers. Given A $ Z n m 2 and y $ Z n 2. Find a vector x Z m 2 s.t. wt(x) = k and A x = y mod 2. Restrictions on x: x {0, 1} m and wt(x) = k. Stern s idea For π S m, (x satisfies those restrictions) (π(x) also does). Kawachi et al. [KTX 08] adapted Stern s protocol to obtain a ZKPoK for a very restricted version of the ISIS problem: x {0, 1} m and wt(x) = k. Technical tool: A string commitment scheme COM that is statistically hiding and computationally binding. Khoa Nguyen, NTU Improved ZKP for ISIS 8 / 19

11 Stern-KTX s Interactive Protocol Common Input A Z n m q, y Z n q. Prover s goal Convince the verifier in ZK that he knows x {0, 1} m s.t. wt(x) = k and A x = y mod q. Prover Verifier Khoa Nguyen, NTU Improved ZKP for ISIS 9 / 19

12 Stern-KTX s Interactive Protocol Common Input A Z n m q, y Z n q. Prover s goal Convince the verifier in ZK that he knows x {0, 1} m s.t. wt(x) = k and A x = y mod q. Prover Verifier 1. Pick r $ Z m q, π $ S m. Send (c 1, c 2, c 3 ), where c 1 = COM(π, Ar mod q) c 2 = COM(π(r)) c 3 = COM(π(x + r)) Khoa Nguyen, NTU Improved ZKP for ISIS 9 / 19

13 Stern-KTX s Interactive Protocol Common Input A Z n m q, y Z n q. Prover s goal Convince the verifier in ZK that he knows x {0, 1} m s.t. wt(x) = k and A x = y mod q. Prover 1. Pick r $ Z m q, π $ S m. Send (c 1, c 2, c 3 ), where c 1 = COM(π, Ar mod q) c 2 = COM(π(r)) c 3 = COM(π(x + r)) Verifier 2. Send a challenge Ch $ {1, 2, 3} Khoa Nguyen, NTU Improved ZKP for ISIS 9 / 19

14 Stern-KTX s Interactive Protocol Common Input A Z n m q, y Z n q. Prover s goal Convince the verifier in ZK that he knows x {0, 1} m s.t. wt(x) = k and A x = y mod q. Prover 1. Pick r $ Z m q, π $ S m. Send (c 1, c 2, c 3 ), where c 1 = COM(π, Ar mod q) c 2 = COM(π(r)) c 3 = COM(π(x + r)) Verifier 2. Send a challenge Ch $ {1, 2, 3} 3. If Ch = 1, reveal c 2 and c 3. Send v = π(x) and w = π(r) Khoa Nguyen, NTU Improved ZKP for ISIS 9 / 19

15 Stern-KTX s Interactive Protocol Common Input A Z n m q, y Z n q. Prover s goal Convince the verifier in ZK that he knows x {0, 1} m s.t. wt(x) = k and A x = y mod q. Prover 1. Pick r $ Z m q, π $ S m. Send (c 1, c 2, c 3 ), where c 1 = COM(π, Ar mod q) c 2 = COM(π(r)) c 3 = COM(π(x + r)) 3. If Ch = 1, reveal c 2 and c 3. Send v = π(x) and w = π(r) Verifier 2. Send a challenge Ch $ {1, 2, 3} Check if v {0, 1} m, wt(v) = k, and { c 2 = COM(w) c 3 = COM(v + w) Khoa Nguyen, NTU Improved ZKP for ISIS 9 / 19

16 Stern-KTX s Interactive Protocol Common Input A Z n m q, y Z n q. Prover s goal Convince the verifier in ZK that he knows x {0, 1} m s.t. wt(x) = k and A x = y mod q. Prover 1. Pick r $ Z m q, π $ S m. Send (c 1, c 2, c 3 ), where c 1 = COM(π, Ar mod q) c 2 = COM(π(r)) c 3 = COM(π(x + r)) Verifier 2. Send a challenge Ch $ {1, 2, 3} 3. If Ch = 2, reveal c 1 and c 3. Send π and z = x + r. Khoa Nguyen, NTU Improved ZKP for ISIS 9 / 19

17 Stern-KTX s Interactive Protocol Common Input A Z n m q, y Z n q. Prover s goal Convince the verifier in ZK that he knows x {0, 1} m s.t. wt(x) = k and A x = y mod q. Prover 1. Pick r $ Z m q, π $ S m. Send (c 1, c 2, c 3 ), where c 1 = COM(π, Ar mod q) c 2 = COM(π(r)) c 3 = COM(π(x + r)) 3. If Ch = 2, reveal c 1 and c 3. Send π and z = x + r. Verifier 2. Send a challenge Ch $ {1, 2, 3} Check that { c 1 = COM(π, Az y mod q) c 3 = COM(π(z)) Khoa Nguyen, NTU Improved ZKP for ISIS 9 / 19

18 Stern-KTX s Interactive Protocol Common Input A Z n m q, y Z n q. Prover s goal Convince the verifier in ZK that he knows x {0, 1} m s.t. wt(x) = k and A x = y mod q. Prover 1. Pick r $ Z m q, π $ S m. Send (c 1, c 2, c 3 ), where c 1 = COM(π, Ar mod q) c 2 = COM(π(r)) c 3 = COM(π(x + r)) Verifier 2. Send a challenge Ch $ {1, 2, 3} 3. If Ch = 3, reveal c 1 and c 2. Send π and s = r. Khoa Nguyen, NTU Improved ZKP for ISIS 9 / 19

19 Stern-KTX s Interactive Protocol Common Input A Z n m q, y Z n q. Prover s goal Convince the verifier in ZK that he knows x {0, 1} m s.t. wt(x) = k and A x = y mod q. Prover 1. Pick r $ Z m q, π $ S m. Send (c 1, c 2, c 3 ), where c 1 = COM(π, Ar mod q) c 2 = COM(π(r)) c 3 = COM(π(x + r)) 3. If Ch = 3, reveal c 1 and c 2. Send π and s = r. Verifier 2. Send a challenge Ch $ {1, 2, 3} Check that { c 1 = COM(π, As mod q) c 2 = COM(π(s)) Khoa Nguyen, NTU Improved ZKP for ISIS 9 / 19

20 Removing Stern s Restrictions Stern-KTX protocol has no gap in the security reduction. However, it works only for a restricted class of ISIS solutions, namely: x {0, 1} m & wt(x) = k. It does not seem to suffice for a wide range of applications. Khoa Nguyen, NTU Improved ZKP for ISIS 10 / 19

21 Removing Stern s Restrictions Stern-KTX protocol has no gap in the security reduction. However, it works only for a restricted class of ISIS solutions, namely: x {0, 1} m & wt(x) = k. It does not seem to suffice for a wide range of applications. How to remove these restrictions? The Decomposition-Extension technique: A two-step solution Extensions Removing restriction on the Hamming weight: Proving in ZK the possession of an ISIS solution x { 1, 0, 1} m. Decomposition Removing restriction on the bound: Proving in ZK the possession of an ISIS solution x [ β, β] m, for any β 1. Khoa Nguyen, NTU Improved ZKP for ISIS 10 / 19

22 Extensions Let B 3m be the set of all vectors in { 1, 0, 1} 3m having exactly m coordinates 1; m coordinates 0; and m coordinates 1. m n A x = y (mod q) }{{} x { 1, 0, 1} m Khoa Nguyen, NTU Improved ZKP for ISIS 11 / 19

23 Extensions Let B 3m be the set of all vectors in { 1, 0, 1} 3m having exactly m coordinates 1; m coordinates 0; and m coordinates 1. m 2m n Observations A x = A 0 }{{}}{{} A Z n 3m q x { 1, 0, 1} m 1 Ax = y mod q A x = y mod q. x = y (mod q) 2 π S 3m, x B 3m π(x ) B 3m. A ZKPoK for ISIS with x = 1. }{{} x B 3m Khoa Nguyen, NTU Improved ZKP for ISIS 11 / 19

24 Decomposition Let β be any positive integer, and let p = log β + 1. Define the sequence of integers β 1,..., β p as follows: β 1 = β/2, β 2 = (β β 1 )/2, β 3 = (β β 1 β 2 )/2,..., β p = 1. Example: Let β = 115, then p = log (115) + 1 = 7, and: β 1 = 58, β 2 = 29, β 3 = 14, β 4 = 7, β 5 = 4, β 6 = 2, β 7 = 1. Khoa Nguyen, NTU Improved ZKP for ISIS 12 / 19

25 Decomposition Let β be any positive integer, and let p = log β + 1. Define the sequence of integers β 1,..., β p as follows: β 1 = β/2, β 2 = (β β 1 )/2, β 3 = (β β 1 β 2 )/2,..., β p = 1. Example: Let β = 115, then p = log (115) + 1 = 7, and: β 1 = 58, β 2 = 29, β 3 = 14, β 4 = 7, β 5 = 4, β 6 = 2, β 7 = 1. Properties: p β i = β and any integer k [ β, β] can be expressed as k = p c i β i, where c i { 1, 0, 1}. Then one can efficiently decompose any x [ β; β] m into p vectors v 1,..., v p { 1, 0, 1} m. x = β 1 v 1 + β 2 v β p v p Khoa Nguyen, NTU Improved ZKP for ISIS 12 / 19

26 The Decomposition-Extension Technique m 2m n A x = A 0 v 1 v p = y (mod q) x β β β p u 1 B 3m u p B 3m If the verifier is convinced that A ( p ) β i u i = y mod q, and u i B 3m, i, then he is also convinced that A x = y mod q, and x β. Khoa Nguyen, NTU Improved ZKP for ISIS 13 / 19

27 The SternExt Proof System Decomposition-Extension(x) (u 1,..., u p ). Prove that u 1,..., u p B 3m, and A ( p β i u i ) = y mod q. Prover Verifier Khoa Nguyen, NTU Improved ZKP for ISIS 14 / 19

28 The SternExt Proof System Decomposition-Extension(x) (u 1,..., u p ). Prove that u 1,..., u p B 3m, and A ( p β i u i ) = y mod q. Prover 1. Pick {r i } p $ Z 3m q, {π i } p $ S 3m. Send (c 1, c 2, c 3 ), where c 1 =COM ( {π i } p, A ( p β i r i ) ) c 2 =COM ( π 1 (r 1 ),..., π p (r p ) ) c 3 =COM ( π 1 (u 1 +r 1 ),..., π p (u p +r p ) ) Verifier Khoa Nguyen, NTU Improved ZKP for ISIS 14 / 19

29 The SternExt Proof System Decomposition-Extension(x) (u 1,..., u p ). Prove that u 1,..., u p B 3m, and A ( p β i u i ) = y mod q. Prover Verifier 1. Pick {r i } p $ Z 3m q, {π i } p $ S 3m. Send (c 1, c 2, c 3 ), where c 1 =COM ( {π i } p, A ( p β i r i ) ) c 2 =COM ( π 1 (r 1 ),..., π p (r p ) ) c 3 =COM ( π 1 (u 1 +r 1 ),..., π p (u p +r p ) ) 2. Send a challenge Ch $ {1, 2, 3} Khoa Nguyen, NTU Improved ZKP for ISIS 14 / 19

30 The SternExt Proof System Decomposition-Extension(x) (u 1,..., u p ). Prove that u 1,..., u p B 3m, and A ( p β i u i ) = y mod q. Prover Verifier 1. Pick {r i } p $ Z 3m q, {π i } p $ S 3m. Send (c 1, c 2, c 3 ), where c 1 =COM ( {π i } p, A ( p β i r i ) ) c 2 =COM ( π 1 (r 1 ),..., π p (r p ) ) c 3 =COM ( π 1 (u 1 +r 1 ),..., π p (u p +r p ) ) 2. Send a challenge Ch $ {1, 2, 3} 3. If Ch = 1, reveal c 2 and c 3. Send t i = π i (u i ), and w i = π i (r i ), i. Khoa Nguyen, NTU Improved ZKP for ISIS 14 / 19

31 The SternExt Proof System Decomposition-Extension(x) (u 1,..., u p ). Prove that u 1,..., u p B 3m, and A ( p β i u i ) = y mod q. Prover Verifier 1. Pick {r i } p $ Z 3m q, {π i } p $ S 3m. Send (c 1, c 2, c 3 ), where c 1 =COM ( {π i } p, A ( p β i r i ) ) c 2 =COM ( π 1 (r 1 ),..., π p (r p ) ) c 3 =COM ( π 1 (u 1 +r 1 ),..., π p (u p +r p ) ) 3. If Ch = 1, reveal c 2 and c 3. Send t i = π i (u i ), and w i = π i (r i ), i. 2. Send a challenge Ch $ {1, 2, 3} Check if t i B 3m, i, and { c 2 = COM ( {w i } p ) c 3 = COM ( {t i + w i } p ) Khoa Nguyen, NTU Improved ZKP for ISIS 14 / 19

32 The SternExt Proof System Decomposition-Extension(x) (u 1,..., u p ). Prove that u 1,..., u p B 3m, and A ( p β i u i ) = y mod q. Prover Verifier 1. Pick {r i } p $ Z 3m q, {π i } p $ S 3m. Send (c 1, c 2, c 3 ), where c 1 =COM ( {π i } p, A ( p β i r i ) ) c 2 =COM ( π 1 (r 1 ),..., π p (r p ) ) c 3 =COM ( π 1 (u 1 +r 1 ),..., π p (u p +r p ) ) 2. Send a challenge Ch $ {1, 2, 3} 3. If Ch = 2, reveal c 1 and c 3. Send π i and z i = u i + r i, i. Khoa Nguyen, NTU Improved ZKP for ISIS 14 / 19

33 The SternExt Proof System Decomposition-Extension(x) (u 1,..., u p ). Prove that u 1,..., u p B 3m, and A ( p β i u i ) = y mod q. Prover Verifier 1. Pick {r i } p $ Z 3m q, {π i } p $ S 3m. Send (c 1, c 2, c 3 ), where c 1 =COM ( {π i } p, A ( p β i r i ) ) c 2 =COM ( π 1 (r 1 ),..., π p (r p ) ) c 3 =COM ( π 1 (u 1 +r 1 ),..., π p (u p +r p ) ) 3. If Ch = 2, reveal c 1 and c 3. Send π i and z i = u i + r i, i. 2. Send a challenge Ch $ {1, 2, 3} Check that c 1 = COM ( {π i } p, A ( p β i z i ) y ) c 3 = COM ( {π i (z i )} p ) Khoa Nguyen, NTU Improved ZKP for ISIS 14 / 19

34 The SternExt Proof System Decomposition-Extension(x) (u 1,..., u p ). Prove that u 1,..., u p B 3m, and A ( p β i u i ) = y mod q. Prover Verifier 1. Pick {r i } p $ Z 3m q, {π i } p $ S 3m. Send (c 1, c 2, c 3 ), where c 1 =COM ( {π i } p, A ( p β i r i ) ) c 2 =COM ( π 1 (r 1 ),..., π p (r p ) ) c 3 =COM ( π 1 (u 1 +r 1 ),..., π p (u p +r p ) ) 2. Send a challenge Ch $ {1, 2, 3} 3. If Ch = 3, reveal c 1 and c 2. Send π i and s i = r i, i. Khoa Nguyen, NTU Improved ZKP for ISIS 14 / 19

35 The SternExt Proof System Decomposition-Extension(x) (u 1,..., u p ). Prove that u 1,..., u p B 3m, and A ( p β i u i ) = y mod q. Prover Verifier 1. Pick {r i } p $ Z 3m q, {π i } p $ S 3m. Send (c 1, c 2, c 3 ), where c 1 =COM ( {π i } p, A ( p β i r i ) ) c 2 =COM ( π 1 (r 1 ),..., π p (r p ) ) c 3 =COM ( π 1 (u 1 +r 1 ),..., π p (u p +r p ) ) 3. If Ch = 3, reveal c 1 and c 2. Send π i and s i = r i, i. 2. Send a challenge Ch $ {1, 2, 3} Check that c 1 = COM ( {π i } p, A ( p β i s i )) c 2 = COM ( π 1 (s 1 ),..., π p (s p ) ). Khoa Nguyen, NTU Improved ZKP for ISIS 14 / 19

36 1 Background The ISIS Problem Previous Works 2 Our Zero-knowledge Proof for ISIS Our Result Our Techniques 3 Applications of SternExt Basic Applications More Advanced Constructions Khoa Nguyen, NTU Improved ZKP for ISIS 15 / 19

37 Improved Lattice-based ID-based Identification Identification scheme [FS 86]: Allows a user (holding SK) to identify himself to a verifier (holding PK). Identity-based cryptography [Shamir 84]: The user s public key is a string representing his identity (e.g. address). Lattice-based ID-based identification schemes: Stehlé et al. s scheme [SSTX 09] combines [GPV 08] signature + [MV 03] protocol. Assumption: SIVP γ is hard for γ = Õ(n2 ). Rückert s scheme [Rückert 10] combines [CHKP 10] signature + [Lyu 08] protocol. Assumption: SVP γ is hard for γ = Õ(n3.5 ). Our scheme: [GPV 08] + SternExt An improved lattice-based ID-based identification scheme in terms of security assumption: SIVP γ is hard for γ = Õ(n1.5 ). Khoa Nguyen, NTU Improved ZKP for ISIS 16 / 19

38 Improved Proof of Plaintext Knowledge for Regev Public-key encryption: Anyone can encrypt messages (plaintexts) using pk, but only the holder of sk can decrypt the ciphertexts. Proof of plaintext knowledge: Given the public key pk, the prover convinces the verifier that it knows the plaintext M of a ciphertext c = Enc(pk, M). The proof should be zero-knowledge. Previous ZKPoPK [BD 10,BDOZ 11,AJLT + 12,DL 12] for Regev s LWE-based encryption scheme [Regev 05]: 1 Relatively inefficient: Communication cost Õ(n2 log q). 2 Strong hardness assumption: SIVP γ is hard for γ = n ω(1). Our result Using SternExt, we obtain an improved ZKPoPK for [Regev 05] with: Lower communication cost: Õ(n log q). Much weaker hardness assumption: SIVP γ is hard for γ = Õ(n). Khoa Nguyen, NTU Improved ZKP for ISIS 17 / 19

39 More Advanced Constructions based on SternExt Group signature with verifier-local revocation [LLNW 14]. Policy-based signature [CNW 14]. Improved group signature [LNW 15]. And more: Designated confirmer signature, verifiable encryption and decryption protocols, group encryption,... Khoa Nguyen, NTU Improved ZKP for ISIS 18 / 19

40 Proof systems [MV 03] [Lyu 08] SternExt Zero-knowledge? (WI) Perfect completeness? Norm bound in the ISIS hardness assumption β Õ(n) β Õ(n) β Communication cost k Õ(n log q) Õ(n log q) log β Õ(n log q) Thank you for your attention! Khoa Nguyen, NTU Improved ZKP for ISIS 19 / 19

41 Improved ZKPoPK for Regev s Encryption Scheme PoPK for Regev s encryption scheme: Given public key (A, b) Z n m q Z m q, and the ciphertext (u, c) Z n q Z q, prover convinces verifier that he knows the plaintext M {0, 1} and the randomness r {0, 1} m s.t. (u, c) = (A r mod q, b T r + M q/2 mod q). Observation: A ZKPoPK for [Regev 05] can be derived from a ZKPoK for ISIS. m 1 n 1 A 0 r b T q/2 }{{} M A x {0, 1} m+1 = u (mod q) c y Run SternExt with common input (A, y) and prover s secret x. Khoa Nguyen, NTU Improved ZKP for ISIS 19 / 19

Group Signatures from Lattices: Simpler, Tighter, Shorter, Ring-based

Group Signatures from Lattices: Simpler, Tighter, Shorter, Ring-based San Ling and Khoa Nguyen and Huaxiong Wang NTU, Singapore ENS de Lyon, 30/09/2015 Content 1 Introduction Previous Works on Lattice-Based