Lattice-Based Zero-Knowledge Proofs and Applications: Shorter, Simpler, and More General

• Published in: Advances in Cryptology - CRYPTO 2022 Vol. 13508; pp. 71 - 101
• Main Authors: Lyubashevsky, Vadim, Nguyen, Ngoc Khanh, Plançon, Maxime
• Format: Book Chapter
• Language: English
• Published: Switzerland Springer 2022; Springer Nature Switzerland
• Series: Lecture Notes in Computer Science
• ISBN: 9783031159787; 3031159780
• ISSN: 0302-9743; 1611-3349
• DOI: 10.1007/978-3-031-15979-4_3

We present a much-improved practical protocol, based on the hardness of Module-SIS and Module-LWE problems, for proving knowledge of a short vector s→ $$\vec s$$ satisfying As→=t→modq $$A\vec s=\vec t\bmod q$$ . The currently most-efficient technique for constructing such a proof works by showing that the ℓ∞ $$\ell _\infty $$ norm of s→ $$\vec s$$ is small. It creates a commitment to a polynomial vector m $$\textbf{m}$$ whose CRT coefficients are the coefficients of s→ $$\vec s$$ and then shows that (1) A·CRT(m)=t→modq $$A\cdot \textsf{CRT}(\textbf{m})=\vec t\bmod \,q$$ and (2) in the case that we want to prove that the ℓ∞ $$\ell _\infty $$ norm is at most 1, the polynomial product (m-1)·m·(m+1) $$(\textbf{m}- \boldsymbol{1})\cdot \textbf{m}\cdot (\textbf{m}+\boldsymbol{1})$$ equals to 0. While these schemes are already quite practical, the requirement of using the CRT embedding and only being naturally adapted to proving the ℓ∞ $$\ell _\infty $$ -norm, somewhat hinders the efficiency of this approach. In this work, we show that there is a more direct and more efficient way to prove that the coefficients of s→ $$\vec s$$ have a small ℓ2 $$\ell _2$$ norm which does not require an equivocation with the ℓ∞ $$\ell _\infty $$ norm, nor any conversion to the CRT representation. We observe that the inner product between two vectors r→ $$\vec r$$ and s→ $$\vec s$$ can be made to appear as a coefficient of a product (or sum of products) between polynomials which are functions of r→ $$\vec r$$ and s→ $$\vec s$$ . Thus, by using a polynomial product proof system and hiding all but one coefficient, we are able to prove knowledge of the inner product of two vectors (or of a vector with itself) modulo q. Using a cheap, “approximate range proof”, one can then lift the proof to be over Z $$\mathbb {Z}$$ instead of Zq $$\mathbb {Z}_q$$ . Our protocols for proving short norms work over all (interesting) polynomial rings, but are particularly efficient for rings like Z[X]/(Xn+1) $$\mathbb {Z}[X]/(X^n+1)$$ in which the function relating the inner product of vectors and polynomial products happens to be a “nice” automorphism. The new proof system can be plugged into constructions of various lattice-based privacy primitives in a black-box manner. As examples, we instantiate a verifiable encryption scheme and a group signature scheme which are more than twice as compact as the previously best solutions.