Lattice-Based Non-Interactive Arugment Systems

Transcription

1 Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai

2 Soundness: x L, P Pr P, V (x) = accept = 0 No prover can convince honest verifier of false statement Proof Systems and Argument Systems [GMR85] x 0,1 Language L 0,1 accept if x L prover verifier Completeness: x L Pr P, V (x) = accept = 1 Honest prover convinces honest verifier of true statements

3 Soundness: x L, P Pr P, V x = accept = 0 No prover can convince honest verifier of false statement Proof Systems and Argument Systems [GMR85] x 0,1 Language L 0,1 accept if x L prover verifier In an argument system, we relax soundness to only consider computationally-bounded (i.e., polynomial-time) provers P Completeness: x L Pr P, V (x) = accept = 1 Honest prover convinces honest verifier of true statements

4 The Complexity Class NP NP the class of languages that are efficiently verifiable a language L is in NP if there exists a polynomial-time verifier R such that x L w 0,1 poly x R x, w = 1 Statement Witness

5 The Complexity Class NP NP the class of languages that are efficiently verifiable a language L is in NP if there exists a polynomial-time verifier R such that x L w 0,1 poly x R x, w = 1 In this talk, will focus on language of Boolean circuit satisfiability: L C = x C x, w = 1 for some w Boolean circuit

6 Non-Interactive Proof Systems for NP L C = x C x, w = 1 for some w prover (x, w) w verifier x accept if C x, w = 1 NP languages have non-interactive proof systems But what if we want other properties?

7 Non-Interactive Proof Systems for NP Zero-Knowledge: The proof reveals nothing more about the statement x prover other than x L C [GMR85] Fundamental primitive to modern cryptography (x, w) Important building block in many protocols (e.g., identification schemes, digital signatures, multiparty computation) L C = x C x, w = 1 for some w w Succinctness: The proof is significantly shorter than C (and verifier correspondingly, w ) [Kil92, Mic00, GW11] Natural complexity-theoretic question: what is the minimal communication x complexity for proofs of NP statements? Numerous applications to delegating and verifying computations as well as privacypreserving cryptocurrencies accept if C x, w = 1 NP languages have non-interactive proof systems But what if we want other properties?

8 The Landscape of Modern Cryptography PKE MPC Signatures SNARKs Short Signatures IBE FHE ABE PE FE Obfuscation Factoring RSA Discrete Log BDDH DLIN SIS LWE Number Theory Bilinear Maps Lattices Multilinear Maps Late 1970s Cryptography is the study of hardness [Slide inspired by Amit Sahai]

9 The Landscape of Modern Cryptography Factoring RSA Discrete Log BDDH DLIN SIS LWE Number Theory Bilinear Maps Lattices Multilinear Maps Which assumptions imply non-interactive zero-knowledge? Which assumptions imply succinct non-interactive arguments?

10 The Landscape of Modern Cryptography Factoring RSA Discrete Log BDDH DLIN SIS LWE Number Theory Bilinear Maps Lattices Multilinear Maps Which assumptions imply non-interactive zero-knowledge? Which assumptions imply succinct non-interactive arguments?

11 This Work Factoring RSA Discrete Log BDDH DLIN SIS LWE Number Theory Bilinear Maps Lattices Multilinear Maps Which assumptions imply non-interactive zero-knowledge? * In a weaker preprocessing model Which assumptions imply succinct non-interactive arguments?

12 This Work Which assumptions imply non-interactive zero-knowledge? Non-interactive zero-knowledge arguments from standard lattice assumptions in a preprocessing model [Kim-W; CRYPTO 2018] Which assumptions imply succinct non-interactive arguments? Succinct non-interactive arguments (SNARGs) from lattice-based assumptions [Boneh-Ishai-Sahai-W; EUROCRYPT 2017] First construction of a quasi-optimal SNARG from lattice-based assumptions [Boneh-Ishai-Sahai-W; EUROCRYPT 2018] Focus of this talk

13 Why Lattices? Factoring RSA Discrete Log BDDH DLIN SIS LWE Number Theory Bilinear Maps Lattices Multilinear Maps (Conjectured) post-quantum resilience Diversifying cryptographic assumptions Enable new properties (e.g., quasi-optimality)

14 Succinct Non-Interactive Arguments

15 Succinct Non-Interactive Arguments (SNARGs) L C = x C x, w = 1 for some w [Kil92, Mic00, GW11] prover (x, w) π = P x, w verifier x accept if V x, π = 1 Completeness: Honest prover convinces honest verifier of true statements

16 Succinct Non-Interactive Arguments (SNARGs) L C = x C x, w = 1 for some w [Kil92, Mic00, GW11] prover (x, w) π = P x, w verifier x accept if V x, π = 1 Completeness: C x, w = 1 Pr V x, P x, w = 1 = 1 Soundness: No efficient prover can convince honest verifier of false statement

17 Succinct Non-Interactive Arguments (SNARGs) L C = x C x, w = 1 for some w [Kil92, Mic00, GW11] prover (x, w) π = P x, w verifier x accept if V x, π = 1 Completeness: C x, w = 1 Pr V x, P x, w = 1 = 1 Soundness: for all provers P of size 2 λ (λ is a security parameter), x L C Pr V x, P x = 1 2 λ

18 Succinct Non-Interactive Arguments (SNARGs) L C = x C x, w = 1 for some w [Kil92, Mic00, GW11] prover (x, w) π = P x, w verifier x Argument system is succinct if: accept if V x, π = 1 Prover communication is poly λ + log C V can be implemented by a circuit of size poly λ + x + log C Verifier complexity significantly smaller than classic NP verifier

19 Succinct Non-Interactive Arguments (SNARGs) L C = x C x, w = 1 for some w [Kil92, Mic00, GW11] prover (x, w) π = P x, w verifier x Argument system is succinct if: accept if V x, π = 1 Prover communication is poly λ + log C V can be implemented by a circuit of size poly λ + x + log C For general NP languages, succinct non-interactive arguments are unlikely to exist in the standard model [BP04, Wee05]

20 accept if V RO (x, π) = 1 Succinct Non-Interactive Arguments (SNARGs) Instantiation: CS proofs in the random oracle model [Mic94] [Kil92, Mic00, GW11] random oracle RO prover (x, w) π = P RO (x, w) Argument consists of a single message verifier x

21 Succinct Non-Interactive Arguments (SNARGs) Preprocessing SNARGs: allow expensive setup prover (x, w) common reference string (CRS) σ Setup 1 λ τ π = P(σ, x, w) Argument consists of a single message verification state [Kil92, Mic00, GW11] Can consider publiclyverifiable and secretlyverifiable SNARGs verifier x accept if V τ, x, π = 1

22 Complexity Metrics for SNARGs Soundness: for all provers P of size 2 λ : x L C Pr V x, P x = 1 2 λ How short can the proofs be? π = Ω λ Even in the designatedverifier setting How much work is needed to generate the proof? P = Ω C

23 Quasi-Optimal SNARGs Soundness: for all provers P of size 2 λ : x L C Pr V x, P x = 1 2 λ A SNARG (for Boolean circuit satisfiability) is quasi-optimal if it satisfies the following properties: Quasi-optimal succinctness: π = λ polylog λ, C = O(λ) Quasi-optimal prover complexity: P = O C + poly(λ, log C )

24 Asymptotic Comparisons Construction Prover Complexity Proof Size Assumption CS Proofs [Mic94] O( C ) O(λ 2 ) Random Oracle Groth [Gro16] O(λ C ) O(λ) Generic Group Groth [Gro10] GGPR [GGPR12] O(λ C 2 + C λ 2 ) O(λ C ) O(λ) O(λ) Knowledge of Exponent BCIOP (Pairing) [BCIOP13] O(λ C ) O(λ) Linear-Only Encryption This work (over integer lattices) This work (over ideal lattices) O(λ C ) O(λ) O C O(λ) For simplicity, we ignore low order terms poly λ, log C Linear-Only Vector Encryption Linear-Only Vector Encryption in the prover complexity

25 Constructing (Quasi-Optimal) SNARGs New framework for building preprocessing SNARGs (following [BCIOP13]): Step 1 (information-theoretic): Identify useful information-theoretic building block (linear PCPs and linear MIPs) Step 2 (cryptographic): Use cryptographic primitives to compile information-theoretic building block into a preprocessing SNARG Instantiating our framework yields new lattice-based SNARG candidates

26 Linear PCPs [IKO07] PCP where the proof oracle implements a linear function π F m q F m x, w π F m In these instantiations, verifier is oblivious (queries independent of statement) verifier q, π F accept/reject Several possible instantiations: based on the Walsh-Hadamard code [ALMSS92] or quadratic span programs [GGPR13]

27 From Linear PCPs to SNARGs [BCIOP13] Oblivious verifier can commit to its queries ahead of time Prover constructs linear PCP π from (x, w) x, w Q = q 1 q 2 q 3 q k π F m part of the CRS Prover computes responses to linear PCP queries π, q 1 π, q 2 π, q k SNARG proof

28 From Linear PCPs to SNARGs [BCIOP13] Oblivious verifier can commit to its queries ahead of time Q = q 1 q 2 q 3 q k Two issues: Malicious prover can choose π based on the queries Malicious prover can apply different π to each query part of the CRS Prover computes responses to linear PCP queries π, q 1 π, q 2 π, q k SNARG proof

29 From Linear PCPs to SNARGs [BCIOP13] Oblivious verifier can commit to its queries ahead of time Q = q 1 q 2 q 3 q k Two issues: Malicious prover can choose π based on the queries Malicious prover can apply different π to each query part of the CRS Prover computes responses to linear PCP queries π, q 1 π, q 2 π, q k SNARG proof

30 From Linear PCPs to SNARGs [BCIOP13] Oblivious verifier can commit to its queries ahead of time Q = q 1 q 2 q 3 q k Two issues: Malicious prover can choose π based on the queries Malicious prover can apply different π to each query part of the CRS Step 1: Verifier encrypts its queries using an additively homomorphic encryption scheme Prover homomorphically computes Q T π Verifier decrypts encrypted response vector and applies linear PCP verification

31 From Linear PCPs to SNARGs [BCIOP13] Oblivious verifier can commit to its queries ahead of time Q = q 1 q 2 q 3 q k Two issues: Malicious prover can choose π based on the queries Malicious prover can apply different π to each query part of the CRS Step 1: Verifier encrypts its queries using an additively homomorphic encryption scheme Prover homomorphically computes Q T π Verifier decrypts encrypted response vector and applies linear PCP verification

32 From Linear PCPs to SNARGs Oblivious verifier can commit to its queries ahead of time Q = q 1 q 2 q 3 q k Two issues: Malicious prover can choose π based on the queries Malicious prover can apply different π to each query part of the CRS Step 2: Conjecture that the encryption scheme only supports a limited subset of homomorphic operations (linear-only vector encryption)

33 From Linear PCPs to SNARGs Oblivious verifier can commit to its queries ahead of time Q = q 1 q 2 q 3 q k Differs from [BCIOP13] compiler which relies on additional consistency checks to build a preprocessing SNARG Using linear-only vector encryption allows for efficient instantiation from lattices (resulting SNARG satisfies quasioptimal succinctness) part of the CRS Step 2: Conjecture that the encryption scheme only supports a limited subset of homomorphic operations (linear-only vector encryption)

34 Linear-Only Vector Encryption v 1 F k v 2 F k v m F k plaintext space is a vector space

35 Linear-Only Vector Encryption v 1 F k v 2 F k v m F k plaintext space is a vector space α i v i F k i [n] encryption scheme is semantically-secure and additively homomorphic

36 Linear-Only Vector Encryption v 1 F k v 2 F k v m F k adversary extractor ct α 1,, α m F, b F k For all adversaries, there is an efficient extractor such that if ct is valid, then the extractor is able to produce a vector of coefficients α 1,, α m F m and b F k such that Decrypt sk, ct = σ i [n] α i v i + b [Weaker property also suffices]

37 From Linear PCPs to SNARGs Oblivious verifier can commit to its queries ahead of time Q = q 1 q 2 q 3 q k encrypt row by row Prover constructs linear PCP π from (x, w) Linear-only vector encryption ensures that all prover strategies x, w can be explained by a linear function can appeal π to soundness F m of underlying linear PCP to argue soundness part of the CRS Prover computes responses to linear PCP queries π, q 1 π, q 2 π, q k SNARG proof

38 Instantiating Linear-Only Vector Encryption Conjecture: Regev encryption (specifically, variant of the [PVW08] scheme) based on lattices is a linear-only vector encryption scheme. Linear PCPs for Boolean circuit satisfiability Linear-Only Vector Encryption Preprocessing SNARG

39 Complexity of the Construction Oblivious verifier can commit to its queries ahead of time Evaluating inner product requires Ω C homomorphic operations; prover complexity: Ω λ Ω C = Ω λ C Q = q 1 q 2 q 3 q k encrypt row by row Prover constructs linear PCP π from (x, w) x, w π F m Proof consists of a single ciphertext: total part length of the CRS O(λ) bits Prover computes responses to linear PCP queries π, q 1 π, q 2 π, q k SNARG proof

40 For simplicity, we ignore low order terms poly λ, log C in the prover complexity Asymptotic Comparisons Construction Prover Complexity Proof Size Assumption CS Proofs [Mic94] O( C ) O(λ 2 ) Random Oracle Groth [Gro16] O(λ C ) O(λ) Generic Group Groth [Gro10] GGPR [GGPR12] O(λ C 2 + C λ 2 ) O(λ C ) O(λ) O(λ) Knowledge of Exponent BCIOP (Pairing) [BCIOP13] O(λ C ) O(λ) Linear-Only Encryption This work (over integer lattices) O(λ C ) O(λ) Linear-Only Vector Encryption

41 Towards Quasi-Optimality Oblivious verifier can commit to its queries ahead of time Evaluating inner product requires Ω C homomorphic operations; prover complexity: Ω λ Ω C = Ω λ C Q = q 1 q 2 q 3 q k encrypt row by row Proof consists of a constant number of ciphertexts: total length part of the CRS O(λ) bits Prover constructs linear PCP π from (x, w) x, w We pay π F m Ω(λ) for each homomorphic operation. Can we reduce this? Prover computes responses to linear PCP queries π, q 1 π, q 2 π, q k SNARG proof

42 Linear-Only Encryption over Rings Consider encryption scheme over a polynomial ring R p = Z p x ΤΦ l x Fl p x 1 x 1 x 1 + x 1 x 2 x 3 x 2 x 3 x 2 + x 2 x 3 + x 3 Homomorphic operations correspond to component-wise additions and scalar multiplications x l x l x l + x l Plaintext space can be viewed as a vector of field elements Using RLWE-based encryption schemes, can encrypt l = O(λ) field elements (p = poly λ ) with ciphertexts of size O(λ)

43 Linear-Only Encryption over Rings Consider encryption scheme over a polynomial ring R p = Z p x ΤΦ l x Fl p x 1 x 1 x 1 + x 1 x 2 x 3 x l x 2 x 3 x l x 2 + x 2 x 3 + x 3 x l + x l Homomorphic operations correspond to component-wise additions and scalar multiplications Amortized cost of homomorphic operation on a single field element is polylog(λ) Plaintext space can be viewed as a vector of field elements Using RLWE-based encryption schemes, can encrypt l = O(λ) field elements (p = poly λ ) with ciphertexts of size O(λ)

44 Linear-Only Encryption over Rings q 1 Fm p q 2 Fm p q 3 Fm p m q l F p π 1, q 1 π 2, q 2 π 3, q 3 π l, q l Given encrypted set of query vectors, prover can homomorphically apply independent linear functions to each slot Key idea: Check multiple independent proofs in parallel

45 Linear Multi-Prover Interactive Proofs (MIPs) x, w Verifier has oracle access to multiple linear proof oracles [Proofs may be correlated] Can convert linear MIP to preprocessing SNARG using linearonly (vector) encryption over rings π 1 π 2 π l

46 Linear Multi-Prover Interactive Proofs (MIPs) x, w π 1 π 2 π l Suppose Number of provers l = O λ Proofs π 1,, π l F m p where m = C Τl Number of queries to each π i is polylog(λ) Then, linear MIP is quasi-optimal

47 Linear Multi-Prover Interactive Proofs (MIPs) x, w Prover complexity: O lm = O C Linear MIP size: O l polylog λ = O(λ) Suppose Number of provers l = O λ Proofs π 1,, π l F m p where m = C Τl Number of queries to each π i is polylog(λ) Then, linear MIP is quasi-optimal π 1 π 2 π l

48 Quasi-Optimal Linear MIPs This work: Construction of a quasi-optimal linear MIP for Boolean circuit satisfiability Robust Decomposition Consistency Check Quasi-Optimal Linear MIP

49 Robust Decomposition Statementwitness for C Only depends on x (x, w) Encode x 1 x 2 x 3 x n w 1 w 2 w 3 w h Statement-witness for f 1,, f l Each constraint only needs to read a subset of the input bits Decompose C into constraint functions f 1,, f l, where each constraint can be computed by a circuit of size s/l f 1 f 2 Boolean circuit C of size s f l

50 Robust Decomposition Statementwitness for C Only depends on x (x, w) Encode x 1 x 2 x 3 x n w 1 w 2 w 3 w h Statement-witness for f 1,, f l Each constraint only needs to read a subset of the input bits Decompose C into constraint functions f 1,, f l, where each constraint can be computed by a circuit of size s/l f 1 f 2 Boolean circuit C of size s f l

51 Robust Decomposition Statementwitness for C Only depends on x (x, w) Encode x 1 x 2 x 3 x n w 1 w 2 w 3 w h Statement-witness for f 1,, f l Each constraint only needs to read a subset of the input bits Decompose C into constraint functions f 1,, f l, where each constraint can be computed by a circuit of size s/l f 1 f 2 Boolean circuit C of size s f l

52 Robust Decomposition Statementwitness for C Only depends on x (x, w) Encode x 1 x 2 x 3 x n w 1 w 2 w 3 w h Statement-witness for f 1,, f l Completeness: If C x, w = 1, then f i x, w = 1 for all i Robustness: If x L, then for all w, at most 2/3 of f i x, w = 1 Efficiency: (x, w ) can be computed by a circuit of size O(s) f 1 f 2 Boolean circuit C of size s f l

53 Robust Decomposition f 1 π 1 (x, w) Statement-witness for C Encode (x, w ) Statement-witness for f 1,, f l Boolean circuit C of size s f 2 f l π 2 π l Using linear PCP based on QSPs [GGPR13], π i = O( C Τl) and provides soundness 1/poly λ π i : linear PCP that f i (x, ) is satisfiable (instantiated over F p where p = poly(λ))

54 Robust Decomposition f 1 π 1 (x, w) Statement-witness for C Encode (x, w ) Statement-witness for f 1,, f l Boolean circuit C of size s f 2 π 2 Verifier invokes linear PCP verifier for each instance f l π l π i : linear PCP that f i (x, ) is satisfiable (instantiated over F p where p = poly(λ))

55 Robust Decomposition Boolean circuit C of size s f 1 f 2 f l π 1 π 2 π l Completeness: Follows by completeness of decomposition and linear PCPs Soundness: Each linear PCP provides 1Τpoly λ soundness and for false statement, at least 1/3 of the statements are false, so if l = Ω(λ), verifier accepts with probability Ω λ 2 π i : linear PCP that f i (x, ) is satisfiable (instantiated over F p where p = poly(λ))

56 Robust Decomposition Robustness: If x L, then for all w, at most 2/3 of f i x, w = 1 For false x, no single w can simultaneously satisfy f i x, ; however, all of the f i (x, ) could individually be satisfiable Completeness: Follows by completeness of decomposition and linear PCPs Soundness: Each linear PCP provides 1Τpoly λ soundness and for false statement, at least 1/3 of the statements are false, so if l = Ω(λ), verifier accepts with probability Ω λ 2 Problematic however if prover uses different x, w to construct proofs for different f i s

57 Consistency Checking Require that linear PCPs are systematic: linear PCP π contains a copy of the witness: π 1 π 2 π 3 w 1 w 3 w 1 w 2 w 2 w 3 other components other components other components Goal: check that assignments to w are consistent via linear queries to π i First few components of proof correspond to witness associated with the statement Each proof induces an assignment to a few bits of the common witness w

58 Quasi-Optimal Linear MIP Robust Decomposition C f 1 f 2 f l Robust decomposition can be instantiated by combining MPC-in-the-head paradigm [IKOS07] with a robust MPC protocol with polylogarithmic overhead [DIK10] Checking satisfiability of C corresponds to checking satisfiability of f 1,, f l (each of which can be checked by a circuit of size C Τl) For a false statement, no single witness can simultaneously satisfy more than a constant fraction of f i

59 Quasi-Optimal Linear MIP Robust Decomposition C Consistency Check f 1 f 2 f l Checking satisfiability of C corresponds to checking satisfiability of f 1,, f l (each of which can be checked by a circuit of size C Τl) For a false statement, no single witness can simultaneously satisfy more than a constant fraction of f i Check that consistent witness is used to prove satisfiability of each f i Relies on pairwise consistency checks and permuting the entries to obtain a nice replication structure

60 Asymptotic Comparisons Construction Prover Complexity Proof Size Assumption CS Proofs [Mic94] O( C ) O(λ 2 ) Random Oracle Groth [Gro16] O(λ C ) O(λ) Generic Group Groth [Gro10] GGPR [GGPR12] O(λ C 2 + C λ 2 ) O(λ C ) O(λ) O(λ) Knowledge of Exponent BCIOP (Pairing) [BCIOP13] O(λ C ) O(λ) Linear-Only Encryption This work (over integer lattices) This work (over ideal lattices) O(λ C ) O(λ) O C O(λ) For simplicity, we ignore low order terms poly λ, log C Linear-Only Vector Encryption Linear-Only Vector Encryption in the prover complexity

61 Conclusions A SNARG is quasi-optimal if it satisfies the following properties: Quasi-optimal succinctness: π = O(λ) Quasi-optimal prover complexity: P = O C + poly(λ, log C ) New framework for building SNARGs by combining linear PCPs (and linear MIPs) with linear-only vector encryption Framework yields first quasi-optimal SNARG by combining quasi-optimal linear MIP with linear-only vector encryption Construction of a quasi-optimal linear MIP possible by combining robust decomposition and consistency check

62 Summary Factoring RSA Discrete Log BDDH DLIN SIS LWE Number Theory Bilinear Maps Lattices Multilinear Maps Which assumptions imply non-interactive zero-knowledge? Which assumptions imply succinct non-interactive arguments?

63 Summary Factoring RSA Discrete Log BDDH DLIN SIS LWE Number Theory Bilinear Maps Lattices Multilinear Maps Which assumptions imply non-interactive zero-knowledge? * In a weaker preprocessing model Which assumptions imply succinct non-interactive arguments?

64 Acknowledgments Special thanks to all of my amazing collaborators!