Improved Zero-knowledge Protocol for the ISIS Problem, and Applications
Khoa Nguyen, Nanyang Technological University
(Based on a joint work with San Ling, Damien Stehlé and Huaxiong Wang)
December 29, 2014
Content
1 Background: The ISIS Problem; Previous Works
2 Our Zero-knowledge Proof for ISIS: Our Result; Our Techniques
3 Applications of SternExt: Basic Applications; More Advanced Constructions
The ISIS Problem [GPV’08]
ISIS = Inhomogeneous Small Integer Solution.

$\mathrm{ISIS}^\infty_{n,m,q,\beta}$: Let $n, m, q, \beta$ be integers. Given a matrix $A \xleftarrow{\$} \mathbb{Z}_q^{n \times m}$ and a vector $y \xleftarrow{\$} \mathbb{Z}_q^n$, find $x \in \mathbb{Z}^m$ such that $\|x\|_\infty \le \beta$ and $A \cdot x = y \bmod q$.

[Figure: $A \cdot x = y \pmod q$, with $A$ of size $n \times m$ and $x$ of length $m$.]

For big enough m the system always has solutions over $\mathbb{Z}_q$ (there are more unknowns than equations).
But finding a small solution, one with $\|x\|_\infty \le \beta$, is not that easy.
Khoa Nguyen, NTU Improved ZKP for ISIS 3 / 19
Why ISIS?
Easy to understand, involving only basic linear algebra.
Hardness guarantee from worst-case lattice problems (e.g., SIVP).
[Figure: the lattice of solutions to $A \cdot x = y \pmod q$, drawn with basis vectors $b_1, b_2$.]
Widely used in lattice-based cryptography in recent years:
CRHF [Ajtai’96], commitment scheme [KTX’08].
Identification schemes [Lyu’08], [KTX’08],...
Digital signatures [GPV’08], [Boyen’10], [CHKP’10], [Lyu’12],...
Zero-knowledge Proof of Knowledge for ISIS
An interactive protocol that allows a Prover to convince a Verifier that he knows a secret solution x to a given ISIS instance (A, y).
1 Completeness: An honest prover can convince an honest verifier.
2 Zero-knowledge: The verifier learns no additional information about the prover's secret x.
3 Proof of knowledge: If any (possibly cheating) prover succeeds in convincing the verifier, then a knowledge extractor can use it to extract an ISIS solution x′.
Why do we need a ZKPoK for ISIS?
It is a building block in many lattice-based cryptographic constructions: identification schemes, signature schemes (via the Fiat-Shamir heuristic), ...
Previous Proof Systems for $\mathrm{ISIS}^\infty_\beta$
1 One can derive a ZKPoK for ISIS from Micciancio-Vadhan's proof system for GapCVP [MV'03].
2 Lyubashevsky [Lyu'08]: a witness-indistinguishable (WI) PoK for ISIS.

Proof system                                   [MV'03]           [Lyu'08]
Zero-knowledge?                                yes               no (WI only)
Perfect completeness?                          yes               no
Norm bound in the ISIS hardness assumption     β · O(n)          β · O(n)
Communication cost                             k · O(n log q)    O(n log q)

Limitation: Breaking these proof systems is potentially easier than solving the underlying ISIS problem. The prover's witness has norm at most β, but the solution the security reduction extracts only has norm β · O(n): there is a "gap" of O(n).
Our Result
A zero-knowledge proof of knowledge for $\mathrm{ISIS}^\infty_\beta$, called SternExt, with:
Very strong security guarantee: Breaking the protocol is at least as hard as solving $\mathrm{ISIS}^\infty_\beta$ itself, for the same bound β (there is no gap in the security reduction).
Reasonable communication cost.

Proof system                                   [MV'03]           [Lyu'08]          SternExt
Zero-knowledge?                                yes               no (WI only)      yes
Perfect completeness?                          yes               no                yes
Norm bound in the ISIS hardness assumption     β · O(n)          β · O(n)          β
Communication cost                             k · O(n log q)    O(n log q)        log β · O(n log q)

Our main idea: Extending the Stern-KTX ([Stern'96, KTX'08]) proof system.
The Stern-KTX Proof System
Stern [Stern'96] proposed a ZKPoK for the Syndrome Decoding Problem:
Let n, m and k < m be integers. Given $A \xleftarrow{\$} \mathbb{Z}_2^{n \times m}$ and $y \xleftarrow{\$} \mathbb{Z}_2^n$, find a vector $x \in \mathbb{Z}_2^m$ such that $\mathrm{wt}(x) = k$ and $A \cdot x = y \bmod 2$.
Restrictions on x: $x \in \{0, 1\}^m$ and $\mathrm{wt}(x) = k$.
Stern's idea
For every permutation $\pi \in S_m$: (x satisfies those restrictions) ⇔ ($\pi(x)$ also does). So revealing $\pi(x)$ for a secret random $\pi$ proves that x satisfies the restrictions without revealing x itself.
Kawachi et al. [KTX'08] adapted Stern's protocol to obtain a ZKPoK for a very restricted version of the ISIS problem: $x \in \{0, 1\}^m$ and $\mathrm{wt}(x) = k$.
Technical tool: A string commitment scheme COM that is statistically hiding and computationally binding.
Stern-KTX’s Interactive Protocol
Common input: $A \in \mathbb{Z}_q^{n \times m}$, $y \in \mathbb{Z}_q^n$.
Prover's goal: Convince the verifier in ZK that he knows $x \in \{0, 1\}^m$ such that $\mathrm{wt}(x) = k$ and $A \cdot x = y \bmod q$.

1. Prover: pick $r \xleftarrow{\$} \mathbb{Z}_q^m$ and $\pi \xleftarrow{\$} S_m$. Send $(c_1, c_2, c_3)$, where
   $c_1 = \mathrm{COM}(\pi,\ A \cdot r \bmod q)$,
   $c_2 = \mathrm{COM}(\pi(r))$,
   $c_3 = \mathrm{COM}(\pi(x + r))$.
2. Verifier: send a challenge $Ch \xleftarrow{\$} \{1, 2, 3\}$.
3. Prover:
   If $Ch = 1$: open $c_2$ and $c_3$ by sending $v = \pi(x)$ and $w = \pi(r)$.
   If $Ch = 2$: open $c_1$ and $c_3$ by sending $\pi$ and $z = x + r$.
   If $Ch = 3$: open $c_1$ and $c_2$ by sending $\pi$ and $s = r$.
4. Verifier:
   If $Ch = 1$: check that $v \in \{0, 1\}^m$, $\mathrm{wt}(v) = k$, $c_2 = \mathrm{COM}(w)$ and $c_3 = \mathrm{COM}(v + w)$.
   If $Ch = 2$: check that $c_1 = \mathrm{COM}(\pi,\ A \cdot z - y \bmod q)$ and $c_3 = \mathrm{COM}(\pi(z))$.
   If $Ch = 3$: check that $c_1 = \mathrm{COM}(\pi,\ A \cdot s \bmod q)$ and $c_2 = \mathrm{COM}(\pi(s))$.

Challenge 1 checks the structure of the witness (through $\pi(x)$, which reveals nothing about x beyond its weight), challenge 2 ties the committed witness to y (since $A \cdot z - y = A \cdot r$ exactly when $A \cdot x = y$), and challenge 3 checks that r and $\pi$ were used consistently. A prover who does not know a valid x can always prepare commitments that answer any two of the three challenges, so one round has soundness error 2/3; the round is repeated t times so that $(2/3)^t$ is negligible.
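The exchange above, as an added example that is not part of the original slides: a Python simulation of one Stern-KTX round on a constructed toy instance (n = 4, m = 12, k = 4, q = 257, chosen for readability, not security). COM is replaced by a SHA-256 hash over a fresh random nonce; that is only a stand-in for the statistically hiding, computationally binding commitment the protocol requires, and the function names are this example's own. The instance is built so that a second, non-binary preimage of y exists; running the honest prover and two cheating provers against all three challenges shows that each cheater passes exactly two of them, which is the 2/3 soundness error of a single round.

```python
import hashlib
import os
import random

# Constructed toy parameters (far too small to be secure); Q is prime.
N, M, K, Q = 4, 12, 4, 257


def com(*parts):
    """Stand-in for COM: SHA-256 over a random nonce and the committed values.
    Returns (commitment, opening). A real deployment needs a statistically
    hiding, computationally binding commitment such as the one in KTX'08."""
    nonce = os.urandom(32)
    return hashlib.sha256(nonce + repr(parts).encode()).hexdigest(), nonce


def com_open(c, nonce, *parts):
    """Check that (nonce, parts) is a valid opening of commitment c."""
    return c == hashlib.sha256(nonce + repr(parts).encode()).hexdigest()


def matvec(A, v):
    return tuple(sum(a * b for a, b in zip(row, v)) % Q for row in A)


def vadd(u, v):
    return tuple((a + b) % Q for a, b in zip(u, v))


def vsub(u, v):
    return tuple((a - b) % Q for a, b in zip(u, v))


def perm(pi, v):
    """Apply permutation pi: coordinate i of the result is v[pi[i]]."""
    return tuple(v[pi[i]] for i in range(len(v)))


def make_instance(rng):
    """Constructed (A, y) with a known binary weight-K witness x. The last column
    of A is minus the sum of the others, so the all-ones vector t has A t = 0
    (mod Q) and x + t is a second, non-binary preimage of y (used by a cheater)."""
    A = [[rng.randrange(Q) for _ in range(M - 1)] for _ in range(N)]
    for row in A:
        row.append((-sum(row)) % Q)
    x = [1] * K + [0] * (M - K)
    rng.shuffle(x)
    x = tuple(x)
    return A, x, matvec(A, x)


def prover_commit(A, x, rng):
    """Move 1: pick r <- Z_Q^M, pi <- S_M and send (c1, c2, c3)."""
    r = tuple(rng.randrange(Q) for _ in range(M))
    pi = list(range(M))
    rng.shuffle(pi)
    pi = tuple(pi)
    c1, n1 = com(pi, matvec(A, r))          # c1 = COM(pi, A r mod q)
    c2, n2 = com(perm(pi, r))               # c2 = COM(pi(r))
    c3, n3 = com(perm(pi, vadd(x, r)))      # c3 = COM(pi(x + r))
    return (c1, c2, c3), {"r": r, "pi": pi, "nonces": (n1, n2, n3)}


def prover_respond(x, state, ch):
    """Move 3: open the two commitments the challenge asks for."""
    r, pi, (n1, n2, n3) = state["r"], state["pi"], state["nonces"]
    if ch == 1:
        return {"v": perm(pi, x), "w": perm(pi, r), "n2": n2, "n3": n3}
    if ch == 2:
        return {"pi": pi, "z": vadd(x, r), "n1": n1, "n3": n3}
    return {"pi": pi, "s": r, "n1": n1, "n2": n2}


def verify(A, y, commits, ch, resp):
    """Move 4: the verifier's checks for each challenge."""
    c1, c2, c3 = commits
    if ch == 1:   # structure: v = pi(x) must be binary of weight K
        v, w = resp["v"], resp["w"]
        return (all(b in (0, 1) for b in v) and sum(v) == K
                and com_open(c2, resp["n2"], w)
                and com_open(c3, resp["n3"], vadd(v, w)))
    if ch == 2:   # relation: A z - y equals A r only if A x = y
        pi, z = resp["pi"], resp["z"]
        return (com_open(c1, resp["n1"], pi, vsub(matvec(A, z), y))
                and com_open(c3, resp["n3"], perm(pi, z)))
    pi, s = resp["pi"], resp["s"]   # ch == 3: consistency of r and pi
    return (com_open(c1, resp["n1"], pi, matvec(A, s))
            and com_open(c2, resp["n2"], perm(pi, s)))


def run_round(A, y, x_claimed, ch, rng):
    """One 3-move round in which the prover uses x_claimed as its witness."""
    commits, state = prover_commit(A, x_claimed, rng)
    return verify(A, y, commits, ch, prover_respond(x_claimed, state, ch))


def demo(seed=1):
    """Honest prover passes all challenges; each cheater fails exactly one."""
    rng = random.Random(seed)
    A, x, y = make_instance(rng)
    honest = tuple(run_round(A, y, x, ch, rng) for ch in (1, 2, 3))
    x_wrong_y = list(x)                 # cheater 1: binary, weight K, but A x' != y
    while matvec(A, x_wrong_y) == y:
        rng.shuffle(x_wrong_y)
    wrong_y = tuple(run_round(A, y, tuple(x_wrong_y), ch, rng) for ch in (1, 2, 3))
    x_not_binary = tuple((a + 1) % Q for a in x)   # cheater 2: A x' = y but x' in {1,2}^M
    not_binary = tuple(run_round(A, y, x_not_binary, ch, rng) for ch in (1, 2, 3))
    return {"honest": honest, "wrong_y": wrong_y, "not_binary": not_binary}


if __name__ == "__main__":
    print(demo())
```

`demo()` returns, per prover, the verdicts for challenges 1, 2 and 3 in order: the honest prover gets (True, True, True), the prover with a wrong preimage fails only challenge 2, and the prover with a non-binary preimage fails only challenge 1. Neither cheater can be caught by a single challenge, which is exactly why the round must be repeated.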
Removing Stern’s Restrictions
The Stern-KTX protocol has no gap in the security reduction.
However, it works only for a restricted class of ISIS solutions, namely $x \in \{0, 1\}^m$ and $\mathrm{wt}(x) = k$.
This does not seem to suffice for a wide range of applications.
How to remove these restrictions?
The Decomposition-Extension technique: A two-step solution
Extension → removing the restriction on the Hamming weight: proving in ZK the possession of an ISIS solution $x \in \{-1, 0, 1\}^m$.
Decomposition → removing the restriction on the bound: proving in ZK the possession of an ISIS solution $x \in [-\beta, \beta]^m$, for any $\beta \ge 1$.
Extensions
Let $B_{3m}$ be the set of all vectors in $\{-1, 0, 1\}^{3m}$ having exactly m coordinates equal to −1, m coordinates equal to 0, and m coordinates equal to 1.

[Figure: $A \cdot x = y \pmod q$ with $x \in \{-1, 0, 1\}^m$ is rewritten as $A^* \cdot x^* = y \pmod q$, where $A^* = [A \mid 0] \in \mathbb{Z}_q^{n \times 3m}$ appends $2m$ zero columns to $A$, and $x^* \in B_{3m}$ appends $2m$ coordinates to $x$ chosen so that each of −1, 0, 1 appears exactly m times.]

Observations
1 $A \cdot x = y \bmod q$ ⇔ $A^* \cdot x^* = y \bmod q$ (the appended coordinates of $x^*$ only meet zero columns of $A^*$).
2 For all $\pi \in S_{3m}$: $x^* \in B_{3m}$ ⇔ $\pi(x^*) \in B_{3m}$.
→ Running Stern-KTX on $(A^*, y)$, with the check "$v \in B_{3m}$" in place of "$v \in \{0, 1\}^m$, $\mathrm{wt}(v) = k$", gives a ZKPoK for ISIS with $\|x\|_\infty \le 1$.
Decomposition
Let $\beta$ be any positive integer, and let $p = \lfloor \log_2 \beta \rfloor + 1$. Define the sequence of integers $\beta_1, \dots, \beta_p$ as follows:
$\beta_1 = \lceil \beta/2 \rceil$, $\beta_2 = \lceil (\beta - \beta_1)/2 \rceil$, $\beta_3 = \lceil (\beta - \beta_1 - \beta_2)/2 \rceil$, ..., $\beta_p = 1$.
Example: Let $\beta = 115$; then $p = \lfloor \log_2 115 \rfloor + 1 = 7$, and
$\beta_1 = 58$, $\beta_2 = 29$, $\beta_3 = 14$, $\beta_4 = 7$, $\beta_5 = 4$, $\beta_6 = 2$, $\beta_7 = 1$.
Properties: $\sum_{i=1}^{p} \beta_i = \beta$, and any integer $k \in [-\beta, \beta]$ can be expressed as $k = \sum_{i=1}^{p} c_i \cdot \beta_i$ with $c_i \in \{-1, 0, 1\}$. (One such expression is obtained greedily: process $\beta_1, \dots, \beta_p$ in order, take $\beta_i$ whenever the remaining part of $|k|$ is at least $\beta_i$, and give every taken $c_i$ the sign of k; the remainder after step i never exceeds $\beta_{i+1} + \dots + \beta_p$, so it reaches 0.)
Then one can efficiently decompose any $x \in [-\beta, \beta]^m$ into p vectors $v_1, \dots, v_p \in \{-1, 0, 1\}^m$:
$x = \beta_1 \cdot v_1 + \beta_2 \cdot v_2 + \dots + \beta_p \cdot v_p$.
The Decomposition-Extension Technique
[Figure: $A \cdot x = y \pmod q$ with $\|x\|_\infty \le \beta$ is rewritten as $A^* \cdot (\beta_1 \cdot u_1 + \dots + \beta_p \cdot u_p) = y \pmod q$, where $A^* = [A \mid 0] \in \mathbb{Z}_q^{n \times 3m}$ and each $u_i \in B_{3m}$ is the extension of $v_i$.]

If the verifier is convinced that $A^* \cdot \big(\sum_{i=1}^{p} \beta_i \cdot u_i\big) = y \bmod q$ and $u_i \in B_{3m}$ for all i, then he is also convinced that $A \cdot x = y \bmod q$ and $\|x\|_\infty \le \beta$: take x to be the first m coordinates of $\sum_{i=1}^{p} \beta_i \cdot u_i$. The zero columns of $A^*$ give $A \cdot x = y \bmod q$, and since every coordinate of every $u_i$ lies in $\{-1, 0, 1\}$, every coordinate of x is at most $\sum_{i=1}^{p} \beta_i = \beta$ in absolute value.
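Decomposition-Extension carried through in code, as an added example (not from the paper) serving both the Decomposition slide and the Decomposition-Extension slide above. It builds the sequence $\beta_1, \dots, \beta_p$, writes each coordinate as $\sum_i c_i \beta_i$ with the greedy digit rule, extends every $v_i$ into $B_{3m}$, and then performs the verifier's two checks to recover x. Function names and the toy sizes (n = 4, m = 8, q = 1031, β = 115) are this example's own choices; the greedy rule is one concrete realization of the slide's "efficiently decompose".

```python
import random


def beta_sequence(beta):
    """beta_1 = ceil(beta/2), beta_2 = ceil((beta - beta_1)/2), ..., beta_p = 1.
    The remaining budget halves (rounded down) each step, so p = bit length of beta."""
    seq, rem = [], beta
    while rem > 0:
        b = (rem + 1) // 2
        seq.append(b)
        rem -= b
    return seq


def decompose_int(k, betas):
    """k in [-beta, beta] -> digits (c_1..c_p) in {-1,0,1} with k = sum c_i beta_i.
    Greedy on |k|: take beta_i whenever the remainder is at least beta_i. After
    deciding beta_i the remainder is at most beta_{i+1} + ... + beta_p, so it ends at 0."""
    sign, rem, coeffs = (1 if k >= 0 else -1), abs(k), []
    for b in betas:
        take = rem >= b
        coeffs.append(sign if take else 0)
        rem -= b if take else 0
    if rem != 0:
        raise ValueError(f"{k} lies outside [-{sum(betas)}, {sum(betas)}]")
    return coeffs


def extend(v):
    """{-1,0,1}^m -> B_3m: append 2m entries so that -1, 0 and 1 each occur exactly m times."""
    m = len(v)
    return list(v) + [t for t in (-1, 0, 1) for _ in range(m - v.count(t))]


def in_B3m(u):
    m, rest = divmod(len(u), 3)
    return rest == 0 and all(u.count(t) == m for t in (-1, 0, 1))


def decomposition_extension(x, beta):
    """x in [-beta, beta]^m -> (betas, [u_1, ..., u_p]) with every u_i in B_3m and
    x equal to the first m coordinates of sum_i beta_i * u_i."""
    betas = beta_sequence(beta)
    digits = [decompose_int(k, betas) for k in x]              # one digit row per coordinate
    vs = [[d[i] for d in digits] for i in range(len(betas))]   # v_i collects the i-th digits
    return betas, [extend(v) for v in vs]


def extend_matrix(A):
    """A in Z_q^{n x m} -> A* = [A | 0] in Z_q^{n x 3m}."""
    return [list(row) + [0] * (2 * len(row)) for row in A]


def matvec(A, v, q):
    return [sum(a * b for a, b in zip(row, v)) % q for row in A]


def verifier_accepts(A_star, y, betas, us, q):
    """What SternExt convinces the verifier of: every u_i in B_3m and
    A*(sum_i beta_i u_i) = y (mod q). Returns the implied x (first m coordinates
    of the combination) on success, None otherwise."""
    if not all(in_B3m(u) for u in us):
        return None
    combo = [sum(b * u[j] for b, u in zip(betas, us)) for j in range(len(us[0]))]
    if matvec(A_star, combo, q) != y:
        return None
    return combo[: len(us[0]) // 3]


def demo(n=4, m=8, q=1031, beta=115, seed=7):
    """Constructed instance: random A, random x in [-beta, beta]^m, y = A x mod q."""
    rng = random.Random(seed)
    A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    x = [rng.randint(-beta, beta) for _ in range(m)]
    y = matvec(A, x, q)
    betas, us = decomposition_extension(x, beta)
    x_back = verifier_accepts(extend_matrix(A), y, betas, us, q)
    # Permutation invariance: pi(u_i) stays in B_3m for any pi in S_3m, which is
    # what lets the prover reveal pi(u_i) on challenge 1 without leaking u_i.
    pi = list(range(3 * m))
    rng.shuffle(pi)
    permuted_ok = all(in_B3m([u[pi[j]] for j in range(3 * m)]) for u in us)
    return {"p": len(betas), "betas": betas, "recovered": x_back == x,
            "norm_ok": x_back is not None and max(abs(k) for k in x_back) <= beta,
            "permuted_ok": permuted_ok}


if __name__ == "__main__":
    print(demo())
```

For β = 115 the sequence is [58, 29, 14, 7, 4, 2, 1] with p = 7, matching the slide; `demo()` reports that the verifier's two checks recover exactly the original x, that its infinity norm is within β, and that every permuted $u_i$ is still in $B_{3m}$.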
The SternExt Proof System
Decomposition-Extension(x) → $(u_1, \dots, u_p)$.
Prove that $u_1, \dots, u_p \in B_{3m}$ and $A^* \cdot \big(\sum_{i=1}^{p} \beta_i \cdot u_i\big) = y \bmod q$.

1. Prover: pick $r_1, \dots, r_p \xleftarrow{\$} \mathbb{Z}_q^{3m}$ and $\pi_1, \dots, \pi_p \xleftarrow{\$} S_{3m}$. Send $(c_1, c_2, c_3)$, where
   $c_1 = \mathrm{COM}\big(\{\pi_i\}_{i=1}^{p},\ A^* \cdot (\sum_{i=1}^{p} \beta_i \cdot r_i) \bmod q\big)$,
   $c_2 = \mathrm{COM}\big(\pi_1(r_1), \dots, \pi_p(r_p)\big)$,
   $c_3 = \mathrm{COM}\big(\pi_1(u_1 + r_1), \dots, \pi_p(u_p + r_p)\big)$.
2. Verifier: send a challenge $Ch \xleftarrow{\$} \{1, 2, 3\}$.
3. Prover:
   If $Ch = 1$: open $c_2$ and $c_3$ by sending $t_i = \pi_i(u_i)$ and $w_i = \pi_i(r_i)$ for all i.
   If $Ch = 2$: open $c_1$ and $c_3$ by sending $\pi_i$ and $z_i = u_i + r_i$ for all i.
   If $Ch = 3$: open $c_1$ and $c_2$ by sending $\pi_i$ and $s_i = r_i$ for all i.
4. Verifier:
   If $Ch = 1$: check that $t_i \in B_{3m}$ for all i, $c_2 = \mathrm{COM}(\{w_i\}_{i=1}^{p})$ and $c_3 = \mathrm{COM}(\{t_i + w_i\}_{i=1}^{p})$.
   If $Ch = 2$: check that $c_1 = \mathrm{COM}\big(\{\pi_i\}_{i=1}^{p},\ A^* \cdot (\sum_{i=1}^{p} \beta_i \cdot z_i) - y \bmod q\big)$ and $c_3 = \mathrm{COM}(\{\pi_i(z_i)\}_{i=1}^{p})$.
   If $Ch = 3$: check that $c_1 = \mathrm{COM}\big(\{\pi_i\}_{i=1}^{p},\ A^* \cdot (\sum_{i=1}^{p} \beta_i \cdot s_i) \bmod q\big)$ and $c_2 = \mathrm{COM}(\pi_1(s_1), \dots, \pi_p(s_p))$.

This is the Stern-KTX protocol run on the p vectors $u_1, \dots, u_p$ in parallel, with one independent permutation per vector: the membership checks $t_i \in B_{3m}$ replace the weight check, and the linear relation is checked on the weighted sum $\sum_i \beta_i \cdot (\cdot)$, so that the decomposition weights are fixed by the common input rather than chosen by the prover. The p-fold repetition is what costs the extra factor $\log \beta$ in the communication.
Improved Lattice-based ID-based Identification
Identification scheme [FS'86]: Allows a user (holding SK) to identify himself to a verifier (holding PK).
Identity-based cryptography [Shamir'84]: The user's public key is a string representing his identity (e.g., an email address).
Lattice-based ID-based identification schemes:
Stehlé et al.'s scheme [SSTX'09] combines the [GPV'08] signature with the [MV'03] protocol. Assumption: "$\mathrm{SIVP}_\gamma$ is hard for $\gamma = O(n^2)$."
Rückert's scheme [Rückert'10] combines the [CHKP'10] signature with the [Lyu'08] protocol. Assumption: "$\mathrm{SVP}_\gamma$ is hard for $\gamma = O(n^{3.5})$."
Our scheme: [GPV'08] + SternExt.
An improved lattice-based ID-based identification scheme in terms of the security assumption: "$\mathrm{SIVP}_\gamma$ is hard for $\gamma = O(n^{1.5})$."
Improved Proof of Plaintext Knowledge for Regev
Public-key encryption: Anyone can encrypt messages (plaintexts) using pk, but only the holder of sk can decrypt the ciphertexts.
Proof of plaintext knowledge: Given the public key pk, the prover convinces the verifier that it knows the plaintext M of a ciphertext c = Enc(pk, M). The proof should be zero-knowledge.
Previous ZKPoPK [BD'10, BDOZ'11, AJLT+'12, DL'12] for Regev's LWE-based encryption scheme [Regev'05]:
1 Relatively inefficient: Communication cost $O(n^2 \log q)$.
2 Strong hardness assumption: "$\mathrm{SIVP}_\gamma$ is hard for $\gamma = n^{\omega(1)}$."
Our result
Using SternExt, we obtain an improved ZKPoPK for [Regev'05] with:
Lower communication cost: $O(n \log q)$.
Much weaker hardness assumption: "$\mathrm{SIVP}_\gamma$ is hard for $\gamma = O(n)$."
More Advanced Constructions based on SternExt
Group signature with verifier-local revocation [LLNW’14].
Policy-based signature [CNW’14].
Improved group signature [LNW’15].
And more: designated confirmer signatures, verifiable encryption and decryption protocols, group encryption, ...
Summary

Proof system                                   [MV'03]           [Lyu'08]          SternExt
Zero-knowledge?                                yes               no (WI only)      yes
Perfect completeness?                          yes               no                yes
Norm bound in the ISIS hardness assumption     β · O(n)          β · O(n)          β
Communication cost                             k · O(n log q)    O(n log q)        log β · O(n log q)
Thank you for your attention!
Improved ZKPoPK for Regev’s Encryption Scheme
PoPK for Regev's encryption scheme: Given the public key $(A, b) \in \mathbb{Z}_q^{n \times m} \times \mathbb{Z}_q^m$ and the ciphertext $(u, c) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$, the prover convinces the verifier that he knows the plaintext $M \in \{0, 1\}$ and the randomness $r \in \{0, 1\}^m$ such that
$(u, c) = \big(A \cdot r \bmod q,\ b^T \cdot r + M \cdot \lfloor q/2 \rfloor \bmod q\big)$.
Observation: A ZKPoPK for [Regev'05] can be derived from a ZKPoK for ISIS.

[Figure: the two equations are stacked into one linear system $A^* \cdot x = y \pmod q$ with
$A^* = \begin{pmatrix} A & 0 \\ b^T & \lfloor q/2 \rfloor \end{pmatrix} \in \mathbb{Z}_q^{(n+1) \times (m+1)}$, $x = \begin{pmatrix} r \\ M \end{pmatrix} \in \{0, 1\}^{m+1}$ and $y = \begin{pmatrix} u \\ c \end{pmatrix} \in \mathbb{Z}_q^{n+1}$.]

→ Run SternExt (an ISIS instance with $\beta = 1$) with common input $(A^*, y)$ and prover's secret x.
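The reduction on this slide, as an added example that is not part of the original talk: a toy Regev key pair and ciphertext (n = 4, m = 16, q = 1031, error in {−1, 0, 1}; illustrative sizes, not secure), the assembled $A^*$, x and y, and a check that x is a solution of the resulting ISIS instance with β = 1 while a witness with the plaintext bit flipped is not. All function names are this example's own; the SternExt run itself is not repeated here, the point is which common input and which secret are handed to it.

```python
import random


def regev_keygen(n, m, q, rng):
    """Constructed toy Regev key pair: A <- Z_q^{n x m}, s <- Z_q^n, e in {-1,0,1}^m,
    b = A^T s + e (mod q). Sizes are illustrative only."""
    A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    s = [rng.randrange(q) for _ in range(n)]
    e = [rng.randint(-1, 1) for _ in range(m)]
    b = [(sum(A[i][j] * s[i] for i in range(n)) + e[j]) % q for j in range(m)]
    return (A, b), s


def regev_encrypt(pk, M, q, rng):
    """(u, c) = (A r, b^T r + M floor(q/2)) mod q with fresh r <- {0,1}^m.
    Returns the ciphertext and the randomness r (the prover's secret)."""
    A, b = pk
    r = [rng.randrange(2) for _ in range(len(b))]
    u = [sum(row[j] * r[j] for j in range(len(r))) % q for row in A]
    c = (sum(bj * rj for bj, rj in zip(b, r)) + M * (q // 2)) % q
    return (u, c), r


def regev_decrypt(sk, ct, q):
    """c - s^T u = e^T r + M floor(q/2) (mod q); decide M by closeness to q/2."""
    u, c = ct
    d = (c - sum(si * ui for si, ui in zip(sk, u))) % q
    return 1 if q // 4 <= d < 3 * q // 4 else 0


def popk_instance(pk, ct, q):
    """Stack the two ciphertext equations into one ISIS instance A* x = y (mod q):
    A* = [[A, 0], [b^T, floor(q/2)]] in Z_q^{(n+1) x (m+1)}, y = (u, c)."""
    A, b = pk
    u, c = ct
    A_star = [row + [0] for row in A] + [b + [q // 2]]
    y = u + [c]
    return A_star, y


def popk_witness(r, M):
    """x = (r, M) in {0,1}^{m+1}: the ISIS solution with beta = 1."""
    return r + [M]


def is_isis_solution(A_star, y, x, q, beta):
    """ISIS^inf_beta membership: ||x||_inf <= beta and A* x = y (mod q)."""
    if max(abs(k) for k in x) > beta:
        return False
    return all(sum(a * b for a, b in zip(row, x)) % q == yi
               for row, yi in zip(A_star, y))


def demo(n=4, m=16, q=1031, seed=3):
    """For both plaintext bits: decrypt correctly, build (A*, y), and check that
    the true (r, M) is an ISIS solution while (r, 1 - M) is not."""
    rng = random.Random(seed)
    pk, sk = regev_keygen(n, m, q, rng)
    results = {}
    for M in (0, 1):
        ct, r = regev_encrypt(pk, M, q, rng)
        A_star, y = popk_instance(pk, ct, q)
        x = popk_witness(r, M)
        results[M] = {
            "decrypts": regev_decrypt(sk, ct, q) == M,
            "dims": (len(A_star), len(A_star[0]), len(y), len(x)),
            "is_solution": is_isis_solution(A_star, y, x, q, beta=1),
            # the last row of A* x = y pins M: flipping it changes b^T r + M floor(q/2)
            "flipped_fails": not is_isis_solution(A_star, y, r + [1 - M], q, beta=1),
        }
    return results


if __name__ == "__main__":
    print(demo())
```

Because the witness is binary, β = 1 and p = 1: SternExt on $(A^*, y)$ needs only the extension step (pad x to $B_{3(m+1)}$ and $A^*$ with $2(m+1)$ zero columns), not the decomposition, which is where the $O(n \log q)$ communication of the improved ZKPoPK comes from.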