Lattice-Based Zero-Knowledge Arguments for Integer Relations

Transcription

1 Lattice-Based Zero-Knowledge Arguments for Integer Relations Benoît Libert 1 San Ling 2 Khoa Nguyen 2 Huaxiong Wang 2 1 CNRS and ENS Lyon, France 2 Nanyang Technological University, Singapore CRYPTO 2018, 20 August 2018

2 Zero-Knowledge Proofs/Arguments for Integer Relations We study the problem of proving in ZK and under standard lattice assumptions that large committed integers satisfy certain relations. Large : Committed integers X, Y, Z are of bit-size L = poly(n). Khoa Nguyen Lattice-Based ZK for Integers CRYPTO / 15

3 Zero-Knowledge Proofs/Arguments for Integer Relations We study the problem of proving in ZK and under standard lattice assumptions that large committed integers satisfy certain relations. Large : Committed integers X, Y, Z are of bit-size L = poly(n). Relations : Addition: X + Y = Z over Z Multiplication: X Y = Z over Z Range: X [α, β] Set non-membership: X SET, where SET is a public set. Khoa Nguyen Lattice-Based ZK for Integers CRYPTO / 15

4 Zero-Knowledge Proofs/Arguments for Integer Relations We study the problem of proving in ZK and under standard lattice assumptions that large committed integers satisfy certain relations. Large : Committed integers X, Y, Z are of bit-size L = poly(n). Relations : Addition: X + Y = Z over Z Multiplication: X Y = Z over Z Range: X [α, β] Set non-membership: X SET, where SET is a public set. Assumptions : Solutions from DL/strong-RSA, e.g. + and : Fujisaki-Okamoto (C 97), Damgård-Fujisaki (AC 02), Lipmaa (AC 03), Couteau et al. (EC 17) Range: Camenisch et al. (AC 08), Gonzalez-Ràfols (ACNS 17) Set non-membership: Camenisch-Lysyanskaya (C 02), Nakanishi et al. (PKC 09), Bayer-Groth (EC 13) Khoa Nguyen Lattice-Based ZK for Integers CRYPTO / 15

5 In the Lattice Setting... The considered problem is still open! If we were to use known ZK proofs in ideal lattices to prove that X, Y, Z of bit-size L = poly(n) satisfy X + Y = Z over Z: Require to prove X + Y = Z mod q for a large modulus q = 2 poly(n). Each ring element (used in the commitment) would cost thousand times L bits. Proving that X, Y are small w.r.t. q (i.e., no reduction mod q occurs) and proving the additive relation would cost k L bits, where k Strong assumptions: at least sub-exponential approximation factors. Ensuring soundness is non-trivial. Khoa Nguyen Lattice-Based ZK for Integers CRYPTO / 15

6 In the Lattice Setting... The considered problem is still open! If we were to use known ZK proofs in ideal lattices to prove that X, Y, Z of bit-size L = poly(n) satisfy X + Y = Z over Z: Require to prove X + Y = Z mod q for a large modulus q = 2 poly(n). Each ring element (used in the commitment) would cost thousand times L bits. Proving that X, Y are small w.r.t. q (i.e., no reduction mod q occurs) and proving the additive relation would cost k L bits, where k Strong assumptions: at least sub-exponential approximation factors. Ensuring soundness is non-trivial. Some limited forms of range proofs/arguments, e.g., X [0, 2 m 1]. No efficient non-membership argument is known. Khoa Nguyen Lattice-Based ZK for Integers CRYPTO / 15

7 Our Results Statistical ZK arguments for relations among committed integers, under mild assumptions in general (i.e., non-ideal) lattices. Integers of bit-size L = poly(n) are committed via the SIS-based commitment scheme by Kawachi-Tanaka-Xagawa (AC 08). Small modulus: q = Õ( L n). Weak assumption: SIVP γ is hard for γ = Õ( L n). Khoa Nguyen Lattice-Based ZK for Integers CRYPTO / 15

8 Our Results Statistical ZK arguments for relations among committed integers, under mild assumptions in general (i.e., non-ideal) lattices. Integers of bit-size L = poly(n) are committed via the SIS-based commitment scheme by Kawachi-Tanaka-Xagawa (AC 08). Small modulus: q = Õ( L n). Weak assumption: SIVP γ is hard for γ = Õ( L n). Addition argument with comm. cost ζ + 20L κ, where ζ is the cost of proving openings and κ = ω(log n) - the number of repetitions. Range arguments with comm. cost ζ + O(L) κ, for ranges of size 2 L. Non-membership argument with comm. cost O(n log SET ). Multiplication arguments that can achieve sub-quadratic complexity O(L ) in both computation and comm. aspects. Khoa Nguyen Lattice-Based ZK for Integers CRYPTO / 15

9 Outline 1 Background and Our Results 2 Our Ideas and Techniques Khoa Nguyen Lattice-Based ZK for Integers CRYPTO / 15

10 Binary Additions with Carries Main idea: View integer additions as binary additions with carries, then prove in ZK that they are done correctly. Khoa Nguyen Lattice-Based ZK for Integers CRYPTO / 15

11 Binary Additions with Carries Main idea: View integer additions as binary additions with carries, then prove in ZK that they are done correctly. Suppose that we add two bits x and y with carry-in c in to obtain a bit z and carry-out c out. x y c in z c out Then, the relations among these bits are captured by equations z = x + y + c in mod 2, c out = x y + z c in + c in mod 2. Khoa Nguyen Lattice-Based ZK for Integers CRYPTO / 15

12 Additions of Committed Integers Let X = (x L 1,..., x 0 ) 2, Y = (y L 1,..., y 0 ) 2, Z = (z L, z L 1,..., z 0 ) 2. For i [0, L 1], let c i+1 be the carry-out of the i-th addition. We have: z 0 + x 0 + y 0 = 0 mod 2 c 1 + x 0 y 0 = 0 mod 2 z 1 + x 1 + y 1 + c 1 = 0 mod 2 c 2 + x 1 y 1 + z 1 c 1 + c 1 = 0 mod 2. z L 1 + x L 1 + y L 1 + c L 1 = 0 mod 2 z L + x L 1 y L 1 + z L 1 c L 1 + c L 1 = 0 mod 2. Khoa Nguyen Lattice-Based ZK for Integers CRYPTO / 15

13 Additions of Committed Integers Let X = (x L 1,..., x 0 ) 2, Y = (y L 1,..., y 0 ) 2, Z = (z L, z L 1,..., z 0 ) 2. For i [0, L 1], let c i+1 be the carry-out of the i-th addition. We have: z 0 + x 0 + y 0 = 0 mod 2 c 1 + x 0 y 0 = 0 mod 2 z 1 + x 1 + y 1 + c 1 = 0 mod 2 c 2 + x 1 y 1 + z 1 c 1 + c 1 = 0 mod 2. z L 1 + x L 1 + y L 1 + c L 1 = 0 mod 2 z L + x L 1 y L 1 + z L 1 c L 1 + c L 1 = 0 mod 2. X, Y, Z are committed via [KTX-AC 08] equations modulo q. a 0 x a L 1 x L 1 + b j r 1,j = c x mod q; a 0 y a L 1 y L 1 + b j r 2,j = c y mod q; a 0 z a L x L + b j r 3,j = c z mod q. Goal: Prove in ZK that we know the secret bits x i, y i, z i, c i, r k,j such that all equations mod 2 and mod q hold Stern-like techniques. Khoa Nguyen Lattice-Based ZK for Integers CRYPTO / 15

14 Stern-like Zero-Knowledge Techniques Stern (Crypto 93): ZK protocol for the Syndrome Decoding problem. Use random permutations to prove constraints of secret witnesses satisfying matrix-vector equations. Recently adapted into the lattice setting. Khoa Nguyen Lattice-Based ZK for Integers CRYPTO / 15

15 Stern-like Zero-Knowledge Techniques Stern (Crypto 93): ZK protocol for the Syndrome Decoding problem. Use random permutations to prove constraints of secret witnesses satisfying matrix-vector equations. Recently adapted into the lattice setting. Handling secret bits [Libert, Ling, N, Wang - EC 16]: For any b {0, 1}, let b = 1 b and ext 2 (b) = (b, b) {0, 1} 2. For any c {0, 1}, define P c as the permutation transforming v = (v 0, v 1 ) Z 2 into P c (v) = (v c, v c ). Observation: v = ext 2 (b) P c (v) = ext 2 (b + c mod 2). (1) Proving knowledge of secret bit b that may appear in several correlated equations. Khoa Nguyen Lattice-Based ZK for Integers CRYPTO / 15

16 Stern-like Zero-knowledge Techniques (cont.) Products of 2 secret bits [Libert, Ling, Mouhartem, N, Wang - AC 16]: For any bits b 1, b 2, define ext 4 (b 1, b 2 ) = (b 1 b 2, b 1 b 2, b 1 b 2, b 1 b 2 ) {0, 1} 4. For any bits c 1, c 2, define T c1,c 2 as the permutation transforming v = (v 0,0, v 0,1, v 1,0, v 1,1 ) Z 4 T c1,c 2 (v) = (v c1,c 2, v c1,c 2, v c1,c 2, v c1,c 2 ). Observation: v = ext 4 (b 1, b 2 ) T c1,c 2 (v) = ext 4 (b 1 + c 1 mod 2, b 2 + c 2 mod 2). (2) Proving knowledge of product of secret bits b 1 b 2, where b 1, b 2 may appear in other equations. Khoa Nguyen Lattice-Based ZK for Integers CRYPTO / 15

17 Stern-like ZK Arguments for Integer Additions Using permuting techniques, we can prove that all the secrets in the equations mod 2 and mod q are well-formed: Bits x i, y i, z i, c i, r k,j Bit products x 0 y 0, x 1 y 1,..., x L 1 y L 1, z 1 c 1,..., z L 1 c L 1. To prove that the equations hold: 1 Transform all equations into M 2 s = 0 mod 2 and M q t = c mod q. 2 Random masking with vectors over Z 2 and Z q : M 2 (s + r s ) = M 2 r s mod 2 M q (t + r t ) c = M q r t mod q. Khoa Nguyen Lattice-Based ZK for Integers CRYPTO / 15

18 Inequalities and Range Arguments Additions of non-negative integers Inequalities, ranges Inequalities X Y : There exists non-negative Z s.t. X + Z = Y. X < Y : There exists non-negative Z s.t. X + Z + 1 = Y. Khoa Nguyen Lattice-Based ZK for Integers CRYPTO / 15

19 Inequalities and Range Arguments Additions of non-negative integers Inequalities, ranges Inequalities X Y : There exists non-negative Z s.t. X + Z = Y. X < Y : There exists non-negative Z s.t. X + Z + 1 = Y. Ranges X [α, β], [α, β), (α, β], [α, β], where α, β may be hidden. Two inequalities, e.g., X α and X < β. Khoa Nguyen Lattice-Based ZK for Integers CRYPTO / 15

20 Inequalities and Range Arguments Additions of non-negative integers Inequalities, ranges Inequalities X Y : There exists non-negative Z s.t. X + Z = Y. X < Y : There exists non-negative Z s.t. X + Z + 1 = Y. Ranges X [α, β], [α, β), (α, β], [α, β], where α, β may be hidden. Two inequalities, e.g., X α and X < β. Next: Range arguments + additional techniques Set non-membership arguments. Khoa Nguyen Lattice-Based ZK for Integers CRYPTO / 15

21 Non-Membership Arguments Problem Given a public set SET = {S 1,..., S M } containing M = poly(n) integers of bit-size n, where S 1 < S 2 <... < S M. Prove in ZK that committed integer X does not belong to SET. Target: Communication complexity O(log M). Khoa Nguyen Lattice-Based ZK for Integers CRYPTO / 15

22 Non-Membership Arguments Problem Given a public set SET = {S 1,..., S M } containing M = poly(n) integers of bit-size n, where S 1 < S 2 <... < S M. Prove in ZK that committed integer X does not belong to SET. Target: Communication complexity O(log M). Let S 0 = 0 n and S M+1 = 1 n. Prove that X (S j, S j+1 ), for some j. 1 Y < X < Z, for some secret Y, Z. Range argument. 2 Y, Z {S 0, S 1,..., S M, S M+1 } and Y, Z are consecutive. Structures/techniques allowing O(log M) membership argument. Khoa Nguyen Lattice-Based ZK for Integers CRYPTO / 15

23 Lattice-Based Merkle Hash Trees u u 0 u 1 u 00 u 01 u 10 u 11 u 000 u 001 u 010 u 011 u 100 u 101 u 110 u 111 S 0 S 1 S 2 S 3 S 4 S 5 S 6 S 7 Y Z Build a Merkle tree over {S 0, S 1,..., S M, S M+1 } and prove knowledge of 2 tree paths from leaves Y and Z to root u [LLNW-EC 16]. Prove that the two tree paths are consecutive: V = (011) 2 and W = (100) 2 satisfy V + 1 = W (integer addition). Khoa Nguyen Lattice-Based ZK for Integers CRYPTO / 15

24 Arguments for Integer Multiplications Prove committed L-bit integers X, Y and 2L-bit integer Z satisfy XY = Z. O(L) addition arguments O(L 2 ) multiplication argument. Straightforward; suitable for practical values of L, e.g., L 8000 Can we break the quadratic barrier? E.g., with Karatsuba algorithm? Khoa Nguyen Lattice-Based ZK for Integers CRYPTO / 15

25 Arguments for Integer Multiplications Prove committed L-bit integers X, Y and 2L-bit integer Z satisfy XY = Z. O(L) addition arguments O(L 2 ) multiplication argument. Straightforward; suitable for practical values of L, e.g., L 8000 Can we break the quadratic barrier? E.g., with Karatsuba algorithm? X = X 1 X 0 X = 2 L/2 X 1 + X 0 Y = Y 1 Y 0 Y = 2 L/2 Y 1 + Y 0. Khoa Nguyen Lattice-Based ZK for Integers CRYPTO / 15

26 Arguments for Integer Multiplications Prove committed L-bit integers X, Y and 2L-bit integer Z satisfy XY = Z. O(L) addition arguments O(L 2 ) multiplication argument. Straightforward; suitable for practical values of L, e.g., L 8000 Can we break the quadratic barrier? E.g., with Karatsuba algorithm? X = X 1 X 0 X = 2 L/2 X 1 + X 0 Y = Y 1 Y 0 Y = 2 L/2 Y 1 + Y 0. Karasuba s observation: The number of partial products can be reduced from 4 to 3 complexity O(L log 2 3 ) X Y = (2 L 2 L/2 )(X 1 Y 1 ) + (1 2 L/2 )(X 0 Y 0 ) + 2 L/2 (X 1 + X 0 )(Y 1 + Y 0 ). Khoa Nguyen Lattice-Based ZK for Integers CRYPTO / 15

27 Arguments for Integer Multiplications Prove committed L-bit integers X, Y and 2L-bit integer Z satisfy XY = Z. O(L) addition arguments O(L 2 ) multiplication argument. Straightforward; suitable for practical values of L, e.g., L 8000 Can we break the quadratic barrier? E.g., with Karatsuba algorithm? X = X 1 X 0 X = 2 L/2 X 1 + X 0 Y = Y 1 Y 0 Y = 2 L/2 Y 1 + Y 0. Karasuba s observation: The number of partial products can be reduced from 4 to 3 complexity O(L log 2 3 ) X Y = (2 L 2 L/2 )(X 1 Y 1 ) + (1 2 L/2 )(X 0 Y 0 ) + 2 L/2 (X 1 + X 0 )(Y 1 + Y 0 ). Our method: Emulate the Karatsuba multiplication X Y and prove that it gives Z in ZK ZK argument for multiplicative relations with sub-quadratic communication/computation complexity O(L log 2 3 ). Khoa Nguyen Lattice-Based ZK for Integers CRYPTO / 15

28 Reduce relations of large integers to binary additions with carries. Proving binary operations in ZK using Stern-like techniques. Small modulus, weak lattice assumptions, scalability. Khoa Nguyen Lattice-Based ZK for Integers CRYPTO / 15

29 Reduce relations of large integers to binary additions with carries. Proving binary operations in ZK using Stern-like techniques. Small modulus, weak lattice assumptions, scalability. Some concrete estimations of comm cost for range argument X [α, β]: Range size β α Commitment opening Membership X [α, β] Total comm. cost 3.54 MB 4.4 MB 6.13 MB 9.59 MB Khoa Nguyen Lattice-Based ZK for Integers CRYPTO / 15

30 Reduce relations of large integers to binary additions with carries. Proving binary operations in ZK using Stern-like techniques. Small modulus, weak lattice assumptions, scalability. Some concrete estimations of comm cost for range argument X [α, β]: Range size β α Commitment opening Membership X [α, β] Total comm. cost 3.54 MB 4.4 MB 6.13 MB 9.59 MB Thank you for your attention! Khoa Nguyen Lattice-Based ZK for Integers CRYPTO / 15