Transcript of the slide deck "Improved Zero-knowledge Protocol for the ISIS Problem, and Applications" (41 pages)

Page 1

Improved Zero-knowledge Protocol for the ISIS Problem,and Applications

Khoa Nguyen, Nanyang Technological University

(Based on a joint work with San Ling, Damien Stehlé and Huaxiong Wang)

December, 29, 2014

Page 2

Content

1 Background: The ISIS Problem; Previous Works

2 Our Zero-knowledge Proof for ISIS: Our Result; Our Techniques

3 Applications of SternExt: Basic Applications; More Advanced Constructions

Page 3

The ISIS Problem [GPV'08]

ISIS = Inhomogeneous Small Integer Solution.

$\mathrm{ISIS}^{\infty}_{n,m,q,\beta}$: Let n, m, q, β be integers. Given a matrix $A \xleftarrow{\$} \mathbb{Z}_q^{n \times m}$ and a vector $y \xleftarrow{\$} \mathbb{Z}_q^{n}$, find $x \in \mathbb{Z}^m$ such that

$\|x\|_\infty \le \beta$ and $A \cdot x = y \bmod q$.

(Figure: the n×m matrix A times the m-vector x equals y (mod q).)

For big enough m, the system has solutions.

But finding a small solution is not that easy.

Khoa Nguyen, NTU Improved ZKP for ISIS 3 / 19


Page 5

Why ISIS?

Easy to understand, involving only basic linear algebra.

Hardness guarantee from lattice problems (e.g., SIVP).

(Figure: the equation A · x = y (mod q) next to a lattice drawn with basis vectors b1, b2.)

Widely used in lattice-based cryptography in recent years:

CRHF [Ajtai'96], commitment scheme [KTX'08].

Identification schemes [Lyu'08], [KTX'08], ...

Digital signatures [GPV'08], [Boyen'10], [CHKP'10], [Lyu'12], ...


Page 7

Zero-knowledge Proof of Knowledge for ISIS

An interactive protocol that allows a Prover to convince a Verifier that he knows a secret solution x to a given ISIS instance (A, y).

1 Completeness: An honest prover can convince an honest verifier.

2 Zero-knowledgeness: The verifier should learn no additional information about the prover's secret x.

3 Proof of knowledge: If an algorithm succeeds in convincing the verifier, then we can use it to extract an ISIS solution x′.

Why do we need a ZKPoK for ISIS?

It is a building block in many lattice-based cryptographic constructions: identification schemes, signature schemes (via the Fiat-Shamir heuristic), ...

Page 8

Previous Proof Systems for $\mathrm{ISIS}^{\infty}_{\beta}$

1 One can derive a ZKPoK for ISIS from Micciancio-Vadhan's proof system for GapCVP [MV'03].

2 Lyubashevsky [Lyu'08]: a witness-indistinguishable PoK for ISIS.

Proof system                                  [MV'03]           [Lyu'08]
Zero-knowledge?                               ✓                 ✗ (WI)
Perfect completeness?                         ✓                 ✗
Norm bound in the ISIS hardness assumption    β · O(n)          β · O(n)
Communication cost                            k · O(n log q)    O(n log q)

Limitation: Breaking these proof systems is potentially easier than solving the underlying ISIS problem: there is a "gap" of O(n) between the norm bound the prover's witness satisfies and the norm bound in the hardness assumption.

Page 9

Our Result

A zero-knowledge proof of knowledge for $\mathrm{ISIS}^{\infty}_{\beta}$, called SternExt, with:

Very strong security guarantee: Breaking the protocol is at least as hard as solving $\mathrm{ISIS}^{\infty}_{\beta}$. (There is no gap in the security reduction.)

Reasonable communication cost.

Proof system                                  [MV'03]           [Lyu'08]         SternExt
Zero-knowledge?                               ✓                 ✗ (WI)           ✓
Perfect completeness?                         ✓                 ✗                ✓
Norm bound in the ISIS hardness assumption    β · O(n)          β · O(n)         β
Communication cost                            k · O(n log q)    O(n log q)       log β · O(n log q)

Our main idea: Extending the Stern-KTX ([Stern'96, KTX'08]) proof system.

Page 10

The Stern-KTX Proof System

Stern [Stern'96] proposed a ZKPoK for the Syndrome Decoding Problem:

Let n, m and k < m be integers. Given $A \xleftarrow{\$} \mathbb{Z}_2^{n \times m}$ and $y \xleftarrow{\$} \mathbb{Z}_2^{n}$, find a vector $x \in \mathbb{Z}_2^m$ s.t. $\mathrm{wt}(x) = k$ and $A \cdot x = y \bmod 2$.

Restrictions on x: x ∈ {0, 1}^m and wt(x) = k.

Stern's idea: For π ∈ S_m, (x satisfies those restrictions) ⇔ (π(x) also does).

Kawachi et al. [KTX'08] adapted Stern's protocol to obtain a ZKPoK for a very restricted version of the ISIS problem: x ∈ {0, 1}^m and wt(x) = k.

Technical tool: A string commitment scheme COM that is statistically hiding and computationally binding.

Page 11

Stern-KTX's Interactive Protocol

Common input: $A \in \mathbb{Z}_q^{n \times m}$, $y \in \mathbb{Z}_q^{n}$.

Prover's goal: Convince the verifier in ZK that he knows x ∈ {0, 1}^m s.t. wt(x) = k and A · x = y mod q.

1. Prover: Pick $r \xleftarrow{\$} \mathbb{Z}_q^{m}$ and $\pi \xleftarrow{\$} S_m$. Send (c1, c2, c3), where
   c1 = COM(π, A · r mod q)
   c2 = COM(π(r))
   c3 = COM(π(x + r))

2. Verifier: Send a challenge $\mathrm{Ch} \xleftarrow{\$} \{1, 2, 3\}$.

3. Prover:
   If Ch = 1, reveal c2 and c3: send v = π(x) and w = π(r).
   If Ch = 2, reveal c1 and c3: send π and z = x + r.
   If Ch = 3, reveal c1 and c2: send π and s = r.

Verifier's checks:
   If Ch = 1: check that v ∈ {0, 1}^m, wt(v) = k, and c2 = COM(w), c3 = COM(v + w).
   If Ch = 2: check that c1 = COM(π, A · z − y mod q) and c3 = COM(π(z)).
   If Ch = 3: check that c1 = COM(π, A · s mod q) and c2 = COM(π(s)).
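As an added example (not part of the original slides or the paper), here is a runnable Python model of one Stern-KTX round as written above. The toy parameters, the helper names and the use of a salted SHA-256 in place of the abstract commitment COM are all assumptions of this example. It runs one round per challenge and shows which check each challenge performs: Ch = 1 catches a witness of the wrong Hamming weight, Ch = 2 catches a wrong target y, and Ch = 3 checks only the prover's randomness.

```python
import hashlib
import os
import random
from typing import List, Tuple

# Constructed toy parameters: n = 3, m = 8, q = 17, Hamming weight k = 3.
# Far too small for any security; they only make the protocol run.
N, M, Q, K = 3, 8, 17, 3

Vec = List[int]


def com(*parts) -> Tuple[bytes, bytes]:
    """Stand-in for the string commitment COM (an assumption of this example):
    a salted SHA-256 of the committed values. Returns (commitment, opening)."""
    rho = os.urandom(16)
    return hashlib.sha256(rho + repr(parts).encode()).digest(), rho


def com_open(c: bytes, rho: bytes, *parts) -> bool:
    """True iff commitment c opens, with salt rho, to exactly these parts."""
    return hashlib.sha256(rho + repr(parts).encode()).digest() == c


def mat_vec(A: List[Vec], v: Vec) -> Vec:
    """A · v mod q."""
    return [sum(a * b for a, b in zip(row, v)) % Q for row in A]


def vec_add(u: Vec, v: Vec) -> Vec:
    return [(a + b) % Q for a, b in zip(u, v)]


def vec_sub(u: Vec, v: Vec) -> Vec:
    return [(a - b) % Q for a, b in zip(u, v)]


def permute(pi: List[int], v: Vec) -> Vec:
    """π(v): coordinate i of the output is coordinate π[i] of the input."""
    return [v[pi[i]] for i in range(len(v))]


def weight(v: Vec) -> int:
    return sum(1 for a in v if a != 0)


def make_instance(rng: random.Random):
    """Constructed instance: random A, secret x ∈ {0,1}^m of weight k, y = A·x mod q."""
    A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    x = [0] * M
    for i in rng.sample(range(M), K):
        x[i] = 1
    return A, x, mat_vec(A, x)


def prover_commit(A, x, rng: random.Random):
    """Step 1: pick r ←$ Z_q^m and π ←$ S_m, send (c1, c2, c3)."""
    r = [rng.randrange(Q) for _ in range(M)]
    pi = list(range(M))
    rng.shuffle(pi)
    c1, o1 = com(pi, mat_vec(A, r))              # c1 = COM(π, A·r mod q)
    c2, o2 = com(permute(pi, r))                 # c2 = COM(π(r))
    c3, o3 = com(permute(pi, vec_add(x, r)))     # c3 = COM(π(x + r))
    return (c1, c2, c3), (r, pi, o1, o2, o3)


def prover_respond(ch: int, x, state):
    """Step 3: reveal the two commitments the challenge asks for."""
    r, pi, o1, o2, o3 = state
    if ch == 1:
        return permute(pi, x), permute(pi, r), o2, o3   # v = π(x), w = π(r)
    if ch == 2:
        return pi, vec_add(x, r), o1, o3                 # π and z = x + r
    return pi, r, o1, o2                                 # π and s = r


def verify(A, y, commits, ch: int, resp) -> bool:
    """The verifier's checks for each challenge."""
    c1, c2, c3 = commits
    if ch == 1:   # v must be binary of weight k; c2, c3 must open to w and v + w
        v, w, o2, o3 = resp
        return (all(a in (0, 1) for a in v) and weight(v) == K
                and com_open(c2, o2, w) and com_open(c3, o3, vec_add(v, w)))
    if ch == 2:   # A·z − y = A·r, so c1 must open to (π, A·z − y) and c3 to π(z)
        pi, z, o1, o3 = resp
        return (com_open(c1, o1, pi, vec_sub(mat_vec(A, z), y))
                and com_open(c3, o3, permute(pi, z)))
    pi, s, o1, o2 = resp   # Ch = 3: c1 must open to (π, A·s) and c2 to π(s)
    return com_open(c1, o1, pi, mat_vec(A, s)) and com_open(c2, o2, permute(pi, s))


def run_round(A, x, y, ch: int, rng: random.Random) -> bool:
    """One full round: commit, fixed challenge ch, respond, verify."""
    commits, state = prover_commit(A, x, rng)
    return verify(A, y, commits, ch, prover_respond(ch, x, state))


def demo(seed: int = 2014):
    """Honest rounds for all three challenges, then two cheating attempts."""
    rng = random.Random(seed)
    A, x, y = make_instance(rng)
    honest = [run_round(A, x, y, ch, rng) for ch in (1, 2, 3)]
    heavy = list(x)
    heavy[x.index(0)] = 1                        # weight k + 1: rejected on Ch = 1
    wrong_y = vec_add(y, [1] + [0] * (N - 1))    # wrong target: rejected on Ch = 2
    return honest, run_round(A, heavy, y, 1, rng), run_round(A, x, wrong_y, 2, rng)


if __name__ == "__main__":
    print(demo())
```

Each challenge verifies only part of the statement, so one round catches a cheating prover with probability at most 1/3 and the protocol must be repeated; that repetition is where the k factor in the communication cost comes from. The salted-hash commitment is binding under collision resistance but only computationally hiding, whereas the slides require COM to be statistically hiding.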


Page 20

Removing Stern's Restrictions

✓ The Stern-KTX protocol has no gap in the security reduction.

✗ However, it works only for a restricted class of ISIS solutions, namely:

x ∈ {0, 1}^m and wt(x) = k.

This does not seem to suffice for a wide range of applications.

How to remove these restrictions?

The Decomposition-Extension technique: A two-step solution

Extension → Removing the restriction on the Hamming weight: proving in ZK the possession of an ISIS solution x ∈ {−1, 0, 1}^m.

Decomposition → Removing the restriction on the bound: proving in ZK the possession of an ISIS solution x ∈ [−β, β]^m, for any β ≥ 1.


Page 22

Extensions

Let $B_{3m}$ be the set of all vectors in $\{-1, 0, 1\}^{3m}$ having exactly m coordinates equal to −1, m coordinates equal to 0, and m coordinates equal to 1.

(Figure: the equation $A \cdot x = y \pmod q$ with $A \in \mathbb{Z}_q^{n \times m}$ and $x \in \{-1,0,1\}^m$ is rewritten by appending 2m zero columns to A and 2m coordinates to x:)

$$\underbrace{\begin{pmatrix} A & 0 \end{pmatrix}}_{A^* \in \mathbb{Z}_q^{n \times 3m}} \cdot \underbrace{\begin{pmatrix} x \\ x' \end{pmatrix}}_{x^* \in B_{3m}} = y \pmod q$$

where $x' \in \{-1,0,1\}^{2m}$ is chosen so that $x^*$ has exactly m coordinates of each value.

Observations:

1 $A \cdot x = y \bmod q \Leftrightarrow A^* \cdot x^* = y \bmod q$.

2 $\forall \pi \in S_{3m}$: $x^* \in B_{3m} \Leftrightarrow \pi(x^*) \in B_{3m}$.

→ A ZKPoK for ISIS with ‖x‖∞ = 1.


Page 24

Decomposition

Let β be any positive integer, and let $p = \lfloor \log \beta \rfloor + 1$. Define the sequence of integers $\beta_1, \ldots, \beta_p$ as follows:

$\beta_1 = \lceil \beta/2 \rceil,\quad \beta_2 = \lceil (\beta - \beta_1)/2 \rceil,\quad \beta_3 = \lceil (\beta - \beta_1 - \beta_2)/2 \rceil,\quad \ldots,\quad \beta_p = 1.$

Example: Let β = 115, then $p = \lfloor \log 115 \rfloor + 1 = 7$, and:

$\beta_1 = 58,\ \beta_2 = 29,\ \beta_3 = 14,\ \beta_4 = 7,\ \beta_5 = 4,\ \beta_6 = 2,\ \beta_7 = 1.$

Properties: $\sum_{i=1}^{p} \beta_i = \beta$, and any integer $k \in [-\beta, \beta]$ can be expressed as $k = \sum_{i=1}^{p} c_i \cdot \beta_i$, where $c_i \in \{-1, 0, 1\}$.

Then one can efficiently decompose any $x \in [-\beta, \beta]^m$ into p vectors $v_1, \ldots, v_p \in \{-1, 0, 1\}^m$:

$x = \beta_1 \cdot v_1 + \beta_2 \cdot v_2 + \ldots + \beta_p \cdot v_p.$


Page 26

The Decomposition-Extension Technique

(Figure: $A \cdot x = y \pmod q$ with $\|x\|_\infty \le \beta$ is rewritten, using $x = \beta_1 \cdot v_1 + \ldots + \beta_p \cdot v_p$ and the extension of each $v_i \in \{-1,0,1\}^m$ to $u_i \in B_{3m}$, as:)

$$\underbrace{\begin{pmatrix} A & 0 \end{pmatrix}}_{A^* \in \mathbb{Z}_q^{n \times 3m}} \cdot \Big( \beta_1 \cdot \underbrace{\begin{pmatrix} v_1 \\ \cdot \end{pmatrix}}_{u_1 \in B_{3m}} + \ldots + \beta_p \cdot \underbrace{\begin{pmatrix} v_p \\ \cdot \end{pmatrix}}_{u_p \in B_{3m}} \Big) = y \pmod q$$

If the verifier is convinced that $A^* \cdot \left(\sum_{i=1}^{p} \beta_i \cdot u_i\right) = y \bmod q$ and $u_i \in B_{3m}$ for all i, then he is also convinced that $A \cdot x = y \bmod q$ and $\|x\|_\infty \le \beta$.
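Added example, not from the slides or the paper: a Python implementation of the Decomposition step (page 24) and the Extension step (page 22) combined as on this page. It builds the sequence β_1, ..., β_p, writes each coordinate of x as signed digits c_i, pads every v_i into B_3m, forms A* = [A | 0], and checks the relation the verifier relies on, A*·(Σ β_i u_i) = A·x mod q. The parameters, the greedy digit selection and all function names are this example's own choices; the slides specify the β_i and the existence of the c_i but not an algorithm for finding them.

```python
import random
from typing import List, Tuple

Vec = List[int]


def decomposition_sequence(beta: int) -> List[int]:
    """β_1 = ⌈β/2⌉, β_2 = ⌈(β − β_1)/2⌉, ..., β_p = 1, with p = ⌊log2 β⌋ + 1."""
    assert beta >= 1
    seq, rem = [], beta
    for _ in range(beta.bit_length()):       # bit_length() == ⌊log2 β⌋ + 1
        b = (rem + 1) // 2                    # ⌈rem / 2⌉
        seq.append(b)
        rem -= b
    return seq


def decompose_int(k: int, seq: List[int]) -> List[int]:
    """c_1..c_p ∈ {−1,0,1} with k = Σ c_i β_i, found greedily along the sequence
    (assumption of this example). Greedy succeeds because after each step the
    remainder is at most the sum of the β_i still to come."""
    beta = sum(seq)
    assert -beta <= k <= beta
    sign, rem, coeffs = (-1 if k < 0 else 1), abs(k), []
    for b in seq:
        if rem >= b:
            coeffs.append(sign)
            rem -= b
        else:
            coeffs.append(0)
    assert rem == 0
    return coeffs


def decompose_vector(x: Vec, seq: List[int]) -> List[Vec]:
    """v_1..v_p ∈ {−1,0,1}^m with x = β_1·v_1 + ... + β_p·v_p, coordinate by coordinate."""
    digits = [decompose_int(k, seq) for k in x]      # digits[j][i] = c_i of x_j
    return [[digits[j][i] for j in range(len(x))] for i in range(len(seq))]


def extend(v: Vec, rng: random.Random) -> Vec:
    """Extension: append 2m coordinates so the result has exactly m of each of −1, 0, 1."""
    m = len(v)
    tail: Vec = []
    for val in (-1, 0, 1):
        tail += [val] * (m - v.count(val))
    rng.shuffle(tail)      # any order of the padding works; shuffling avoids a fixed pattern
    return v + tail


def in_b3m(u: Vec) -> bool:
    """Membership test for B_3m."""
    m = len(u) // 3
    return len(u) % 3 == 0 and all(u.count(val) == m for val in (-1, 0, 1))


def extend_matrix(A: List[Vec]) -> List[Vec]:
    """A* = [A | 0] ∈ Z_q^{n×3m}: the 2m padding coordinates meet zero columns."""
    m = len(A[0])
    return [row + [0] * (2 * m) for row in A]


def decomposition_extension(x: Vec, beta: int, rng: random.Random) -> Tuple[List[Vec], List[int]]:
    """Decomposition-Extension(x) → (u_1, ..., u_p), together with the β_i used."""
    seq = decomposition_sequence(beta)
    return [extend(v, rng) for v in decompose_vector(x, seq)], seq


def mat_vec(A: List[Vec], v: Vec, q: int) -> Vec:
    return [sum(a * b for a, b in zip(row, v)) % q for row in A]


def check_relation(A: List[Vec], x: Vec, beta: int, q: int, rng: random.Random) -> bool:
    """The verifier's view: every u_i ∈ B_3m and A*·(Σ β_i u_i) = A·x (mod q)."""
    us, seq = decomposition_extension(x, beta, rng)
    combined = [sum(b * u[j] for b, u in zip(seq, us)) for j in range(len(us[0]))]
    return all(in_b3m(u) for u in us) and mat_vec(extend_matrix(A), combined, q) == mat_vec(A, x, q)


def demo(seed: int = 0) -> bool:
    """Constructed instance: n = 3, m = 6, q = 97, β = 115 and an x with ‖x‖∞ ≤ 115."""
    rng = random.Random(seed)
    A = [[rng.randrange(97) for _ in range(6)] for _ in range(3)]
    x = [100, -3, 0, 115, -115, 7]
    return check_relation(A, x, 115, 97, rng)


if __name__ == "__main__":
    print(decomposition_sequence(115), demo())
```

The first m coordinates of Σ β_i u_i are exactly Σ β_i v_i = x, and the remaining 2m coordinates are multiplied by the zero block of A*, which is why the extended relation holds whenever the original one does; the u_i, not x, are what SternExt later commits to and permutes.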

Page 27

The SternExt Proof System

Decomposition-Extension(x) → $(u_1, \ldots, u_p)$.

Prove that $u_1, \ldots, u_p \in B_{3m}$, and $A^* \cdot \left(\sum_{i=1}^{p} \beta_i \cdot u_i\right) = y \bmod q$.

1. Prover: Pick $\{r_i\}_{i=1}^{p} \xleftarrow{\$} \mathbb{Z}_q^{3m}$ and $\{\pi_i\}_{i=1}^{p} \xleftarrow{\$} S_{3m}$. Send (c1, c2, c3), where
   $c_1 = \mathrm{COM}\left(\{\pi_i\}_{i=1}^{p},\ A^* \left(\sum_{i=1}^{p} \beta_i \cdot r_i\right)\right)$
   $c_2 = \mathrm{COM}\left(\pi_1(r_1), \ldots, \pi_p(r_p)\right)$
   $c_3 = \mathrm{COM}\left(\pi_1(u_1 + r_1), \ldots, \pi_p(u_p + r_p)\right)$

2. Verifier: Send a challenge $\mathrm{Ch} \xleftarrow{\$} \{1, 2, 3\}$.

3. Prover:
   If Ch = 1, reveal c2 and c3: send $t_i = \pi_i(u_i)$ and $w_i = \pi_i(r_i)$, ∀i.
   If Ch = 2, reveal c1 and c3: send $\pi_i$ and $z_i = u_i + r_i$, ∀i.
   If Ch = 3, reveal c1 and c2: send $\pi_i$ and $s_i = r_i$, ∀i.

Verifier's checks:
   If Ch = 1: check that $t_i \in B_{3m}$ ∀i, and $c_2 = \mathrm{COM}\left(\{w_i\}_{i=1}^{p}\right)$, $c_3 = \mathrm{COM}\left(\{t_i + w_i\}_{i=1}^{p}\right)$.
   If Ch = 2: check that $c_1 = \mathrm{COM}\left(\{\pi_i\}_{i=1}^{p},\ A^* \left(\sum_{i=1}^{p} \beta_i \cdot z_i\right) - y\right)$ and $c_3 = \mathrm{COM}\left(\{\pi_i(z_i)\}_{i=1}^{p}\right)$.
   If Ch = 3: check that $c_1 = \mathrm{COM}\left(\{\pi_i\}_{i=1}^{p},\ A^* \left(\sum_{i=1}^{p} \beta_i \cdot s_i\right)\right)$ and $c_2 = \mathrm{COM}\left(\pi_1(s_1), \ldots, \pi_p(s_p)\right)$.



Page 37

Improved Lattice-based ID-based Identification

Identification scheme [FS'86]: Allows a user (holding SK) to identify himself to a verifier (holding PK).

Identity-based cryptography [Shamir'84]: The user's public key is a string representing his identity (e.g. an email address).

Lattice-based ID-based identification schemes:

Stehlé et al.'s scheme [SSTX'09] combines the [GPV'08] signature with the [MV'03] protocol. Assumption: "SIVP_γ is hard for γ = O(n^2)."

Rückert's scheme [Rückert'10] combines the [CHKP'10] signature with the [Lyu'08] protocol. Assumption: "SVP_γ is hard for γ = O(n^3.5)."

Our scheme: [GPV'08] + SternExt

An improved lattice-based ID-based identification scheme in terms of the security assumption: "SIVP_γ is hard for γ = O(n^1.5)."

Page 38

Improved Proof of Plaintext Knowledge for Regev

Public-key encryption: Anyone can encrypt messages (plaintexts) using pk, but only the holder of sk can decrypt the ciphertexts.

Proof of plaintext knowledge: Given the public key pk, the prover convinces the verifier that it knows the plaintext M of a ciphertext c = Enc(pk, M). The proof should be zero-knowledge.

Previous ZKPoPK [BD'10, BDOZ'11, AJLT+'12, DL'12] for Regev's LWE-based encryption scheme [Regev'05]:

1 Relatively inefficient: Communication cost O(n^2 log q).

2 Strong hardness assumption: "SIVP_γ is hard for γ = n^{ω(1)}."

Our result

Using SternExt, we obtain an improved ZKPoPK for [Regev'05] with:

Lower communication cost: O(n log q).

Much weaker hardness assumption: "SIVP_γ is hard for γ = O(n)."

Page 39

More Advanced Constructions based on SternExt

Group signature with verifier-local revocation [LLNW'14].

Policy-based signature [CNW'14].

Improved group signature [LNW'15].

And more: designated confirmer signature, verifiable encryption and decryption protocols, group encryption, ...

Page 40

Proof system                                  [MV'03]           [Lyu'08]         SternExt
Zero-knowledge?                               ✓                 ✗ (WI)           ✓
Perfect completeness?                         ✓                 ✗                ✓
Norm bound in the ISIS hardness assumption    β · O(n)          β · O(n)         β
Communication cost                            k · O(n log q)    O(n log q)       log β · O(n log q)

Thank you for your attention!

Page 41

Improved ZKPoPK for Regev's Encryption Scheme

PoPK for Regev's encryption scheme: Given the public key $(A, b) \in \mathbb{Z}_q^{n \times m} \times \mathbb{Z}_q^{m}$ and the ciphertext $(u, c) \in \mathbb{Z}_q^{n} \times \mathbb{Z}_q$, the prover convinces the verifier that he knows the plaintext M ∈ {0, 1} and the randomness r ∈ {0, 1}^m s.t.

$(u, c) = \left(A \cdot r \bmod q,\ b^T \cdot r + M \cdot \lfloor q/2 \rfloor \bmod q\right).$

Observation: A ZKPoPK for [Regev'05] can be derived from a ZKPoK for ISIS.

$$\underbrace{\begin{pmatrix} A & 0 \\ b^T & \lfloor q/2 \rfloor \end{pmatrix}}_{A^*} \cdot \underbrace{\begin{pmatrix} r \\ M \end{pmatrix}}_{x \in \{0,1\}^{m+1}} = \underbrace{\begin{pmatrix} u \\ c \end{pmatrix}}_{y} \pmod q$$

(The blocks of $A^*$ have n and 1 rows, and m and 1 columns.)

→ Run SternExt with common input (A*, y) and prover's secret x.
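Added example (not the slides' or the paper's own code) for the reduction on this page: a toy Regev key pair and encryption are constructed inline, then A* and y are built exactly as in the figure, and the witness x = (r, M) is checked against A*·x = y mod q, while flipping the plaintext bit is shown to fail. The parameter sizes, the error distribution, the decryption rule and all function names are assumptions of this example.

```python
import random
from typing import List, Tuple

Vec = List[int]


def mat_vec(A: List[Vec], v: Vec, q: int) -> Vec:
    return [sum(a * b for a, b in zip(row, v)) % q for row in A]


def regev_keygen(n: int, m: int, q: int, rng: random.Random) -> Tuple[List[Vec], Vec, Vec]:
    """Constructed toy Regev key: b = A^T·s + e mod q with a small error e ∈ {−1,0,1}^m.
    Only the public key (A, b) is needed for the reduction; s is kept for decryption."""
    A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    s = [rng.randrange(q) for _ in range(n)]
    e = [rng.choice((-1, 0, 1)) for _ in range(m)]
    b = [(sum(A[i][j] * s[i] for i in range(n)) + e[j]) % q for j in range(m)]
    return A, b, s


def regev_encrypt(A: List[Vec], b: Vec, M: int, r: Vec, q: int) -> Tuple[Vec, int]:
    """(u, c) = (A·r mod q, b^T·r + M·⌊q/2⌋ mod q) with randomness r ∈ {0,1}^m."""
    u = mat_vec(A, r, q)
    c = (sum(bj * rj for bj, rj in zip(b, r)) + M * (q // 2)) % q
    return u, c


def regev_decrypt(s: Vec, u: Vec, c: int, q: int) -> int:
    """c − s^T·u = e^T·r + M·⌊q/2⌋ (mod q); decode M from which half of Z_q it falls in."""
    v = (c - sum(si * ui for si, ui in zip(s, u))) % q
    return 1 if q // 4 < v < 3 * q // 4 else 0


def popk_to_isis(A: List[Vec], b: Vec, u: Vec, c: int, q: int) -> Tuple[List[Vec], Vec]:
    """The slide's reduction: A* = [[A, 0], [b^T, ⌊q/2⌋]] and y = (u, c), so that knowing
    x = (r, M) ∈ {0,1}^{m+1} with A*·x = y mod q is exactly knowing the plaintext."""
    A_star = [row + [0] for row in A] + [b + [q // 2]]
    y = u + [c]
    return A_star, y


def isis_holds(A_star: List[Vec], x: Vec, y: Vec, q: int) -> bool:
    """Does x satisfy x ∈ {0,1}^{m+1} and A*·x = y mod q?"""
    return all(v in (0, 1) for v in x) and mat_vec(A_star, x, q) == y


def demo(seed: int = 0) -> Tuple[bool, bool, bool]:
    """Constructed instance n = 4, m = 12, q = 101. Returns (true witness accepted,
    flipped plaintext bit accepted, decryption recovers M)."""
    rng = random.Random(seed)
    n, m, q = 4, 12, 101
    A, b, s = regev_keygen(n, m, q, rng)
    M = 1
    r = [rng.randrange(2) for _ in range(m)]
    u, c = regev_encrypt(A, b, M, r, q)
    A_star, y = popk_to_isis(A, b, u, c, q)
    wrong_bit = r + [1 - M]       # differs from c by ⌊q/2⌋ in the last row, so it fails
    return (isis_holds(A_star, r + [M], y, q),
            isis_holds(A_star, wrong_bit, y, q),
            regev_decrypt(s, u, c, q) == M)


if __name__ == "__main__":
    print(demo())
```

The witness x = (r, M) is binary, so it is an ISIS solution with ‖x‖∞ ≤ 1 for the instance (A*, y), which is the case SternExt handles with β = 1; the last row of A* is what ties the plaintext bit M to the ciphertext component c.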