Lattice-Based Zero-Knowledge Arguments for Integer Relations

Libert, Benoît; Ling, San; Nguyen, Khoa; Wang, Huaxiong

doi:10.1007/978-3-319-96881-0_24

Lattice-Based Zero-Knowledge Arguments for Integer Relations

Benoît Libert^15,16,
San Ling¹⁷,
Khoa Nguyen¹⁷ &
…
Huaxiong Wang¹⁷

Conference paper
First Online: 24 July 2018

3076 Accesses
21 Citations

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10992))

Abstract

We provide lattice-based protocols allowing to prove relations among committed integers. While the most general zero-knowledge proof techniques can handle arithmetic circuits in the lattice setting, adapting them to prove statements over the integers is non-trivial, at least if we want to handle exponentially large integers while working with a polynomial-size modulus q. For a polynomial L, we provide zero-knowledge arguments allowing a prover to convince a verifier that committed L-bit bitstrings x, y and z are the binary representations of integers X, Y and Z satisfying $Z=X+Y$ over $\mathbb {Z}$. The complexity of our arguments is only linear in L. Using them, we construct arguments allowing to prove inequalities $X<Z$ among committed integers, as well as arguments showing that a committed X belongs to a public interval $[\alpha ,\beta ]$, where $\alpha $ and $\beta $ can be arbitrarily large. Our range arguments have logarithmic cost (i.e., linear in L) in the maximal range magnitude. Using these tools, we obtain zero-knowledge arguments showing that a committed element X does not belong to a public set S using $\widetilde{\mathcal {O}}(n \cdot \log |S|)$ bits of communication, where n is the security parameter. We finally give a protocol allowing to argue that committed L-bit integers X, Y and Z satisfy multiplicative relations $Z=XY$ over the integers, with communication cost subquadratic in L. To this end, we use our protocol for integer addition to prove the correct recursive execution of Karatsuba’s multiplication algorithm. The security of our protocols relies on standard lattice assumptions with polynomial modulus and polynomial approximation factor.

You have full access to this open access chapter, Download conference paper PDF

1 Introduction

Lattice-based cryptography has been an extremely active area since the celebrated results of Ajtai [3] and Regev [58]. In comparison with discrete-logarithm and factoring-based techniques, it indeed offers numerous advantages like simpler arithmetic operations, a better asymptotic efficiency, advanced functionalities or a conjectured resistance to quantum computing. Its development was further boosted by breakthrough results of [26, 53] showing how to safely use lattice trapdoors, which have been the cornerstone of many advanced primitives.

While lattices enable powerful functionalities that have no counterpart using traditional number theoretic tools, they do not easily lend themselves to the realization of certain fundamental tasks, like efficient zero-knowledge proofs. Zero-knowledge protocols [30] make it possible to prove properties about certain secret witnesses in order to have users demonstrate their correct behavior while protecting their privacy. For simple statements such as proving knowledge of a secret key, efficient solutions have been reported in [39, 47, 50, 55]. In order to prove relations among committed values, the best known methods rely on the extra algebraic structure [5, 8, 60] offered by the ring-$\mathsf {LWE}$ or ring-$\mathsf {SIS}$ problems [51] and no truly efficient solution is known for standard (i.e., non-ideal) lattices.

In this paper, we investigate the problem of proving, under standard lattice assumptions, that large committed integers satisfy certain algebraic relations. Namely, if $\mathbf {c}_x$, $\mathbf {c}_y$ and $\mathbf {c}_z$ are commitments to integers X, Y, Z of arbitrary polynomial bit-size $L=\mathsf {poly}(n)$, where n is the security parameter, we consider the problem of proving statements of the form $Z = X+Y$ and $Z=X\cdot Y$ over $\mathbb {Z}$. Note that this problem is different from the case of arithmetic circuits addressed in [8]: here, we are interested in proving relations over the integers. Furthermore, we would like to design zero-knowledge arguments for various other relations among large committed integers. As specific applications, we consider the problems of: (i) Proving that a committed integer X belongs to a publicly known range $[\alpha ,\beta ]$; (ii) Proving order relations $ Y< X < Z$ between committed integers Y, X, Z; (iii) Proving that a committed element X does not belong to a public set (which allows users to prove their non-blacklisting).

While these problems received much attention in the literature, the most efficient solutions [21, 34, 48] handling large integers appeal to integer commitments [22, 25] based on hidden-order groups (e.g., RSA groups), which are vulnerable to quantum computing. In particular, designing a solution based on mild assumptions in standard lattices is a completely open problem to our knowledge. Even in ideal lattices, handling integers of polynomial length L requires to work with exponentially large moduli, which affects both the efficiency and the approximation factor of the lattice assumption. Here, our goal is to realize the aforementioned protocols using polynomial moduli and approximation factors.

If we were to use known zero-knowledge proof systems [5, 8, 60] in ideal lattices to handle additive relations over $\mathbb {Z}$, we would need (super-)exponentially large moduli. In particular, in order to prove that committed integers X, Y, Z of bit-size $L = \mathsf {poly}(n)$ satisfy $Z=X+Y$, these protocols would require to prove that $Z=X + Y \mod q$ for a large modulus $q=2^{\mathsf {poly}(n)}$. With current techniques, this would imply to work with a commitment scheme over rings $R_q$, for the same modulus q. In terms of efficiency, a single ring element would cost thousand times L bits to represent since the modulus should contain more than L bits. When it comes to proving smallness of committed values (in order to prove $Z = X + Y$ over $\mathbb {Z}$ via $Z = X + Y \mod q$, the prover should guarantee that X and Y are small w.r.t. q) together with relations among them, the prover may need to send hundreds of ring elements. As a consequence, the communication cost could be as large as $k \cdot L$, where k is up to hundreds of thousands. In terms of security, we note that such approaches may require at least sub-exponential approximation factors for the underlying ideal-lattice problems. Moreover, ensuring soundness may be non-trivial as the protocols of [5, 8] only guarantee relaxed soundness.

Our Contributions. We provide statistical zero-knowledge arguments allowing to prove additive and multiplicative relations among committed integers of bit-size $L = \mathsf {poly}(n)$ under mild assumptions in standard (i.e., non-ideal) lattices. Our protocols can work with two flavors of the commitment scheme by Kawachi, Tanaka and Xagawa (KTX) [39]. If we commit to integers in a bit-by-bit fashion, the modulus q can be as small as $\widetilde{\mathcal {O}}(n)$ and the security of our protocols can rely on the worst-case hardness of $\mathsf {SIVP}_{\gamma }$ with $\gamma = \widetilde{\mathcal {O}}(n)$, which turns out to be one the weakest assumptions in the entire literature on lattice-based cryptography. On the other hand, if we rely on a stronger assumption with $\gamma = \widetilde{\mathcal {O}}(\sqrt{L}\cdot n)$ for a modulus $q = \widetilde{\mathcal {O}}(\sqrt{L}\cdot n)$, then we can commit to L bits at once and reduce the communication cost. For this all-at-once commitment variant, the complexities of our protocols are summarized as follows.

The protocol for integer additions has communication cost $(\zeta + 20L)\cdot \kappa $ bits, where $\zeta = \widetilde{\mathcal {O}}(n) + 6L \log q$ is the cost of proving knowledge of valid openings for the commitments to X, Y, Z and $\kappa = \omega (\log n)$ is the number of protocol repetitions to make the soundness error negligibly small. Thus, the actual cost for proving the additive relation is $20L\cdot \kappa $ bits. In terms of computation complexity, both the prover and the verifier only perform $\mathcal {O}(L)$ simple operations.

We offer two options for proving integer multiplications. For practically interesting values of L, e.g., $L \le 8000$, we can emulate the schoolbook multiplication algorithm by proving L additive relations, and obtain communication cost $\widetilde{\mathcal {O}}(n + L^2)\cdot \kappa $ as well as computation costs $\mathcal {O}(L^2)$ for both parties. To our knowledge, all known methods for proving integer multiplications (sometimes implicitly) involve $\mathcal {O}(L^2)$ computation and/or communication complexities. Can we break this quadratic barrier?

As a theoretical contribution, we put forward the first protocol for multiplicative relations that does not incur any quadratic costs. Specifically, by proving in zero-knowledge the correct execution of a Karatsuba multiplication algorithm [38], we obtain both computation and communication complexities of order $\mathcal {O}(L^{\log _2 3})$.

Applications. While our protocol for additive relations only handles non-negative integers, it suffices for many applications, such as arguments of inequalities among committed integers, range membership for public/hidden ranges, and set non-membership. Moreover, it can also be used in higher-level protocols like zero-knowledge lists [27].^{Footnote 1} In particular, for a set of N elements with bit-size $\widetilde{\mathcal {O}}(n)$, our protocol for proving non-membership of a committed value only cost $\widetilde{\mathcal {O}}(n \cdot \log N)$ bits. In the lattice setting, this is the first non-membership proof that achieves communication cost logarithmic in the cardinality of the set. Meanwhile, in our protocol for proving that a committed L-bit integer belongs to a given range $[\alpha , \beta ]$, where $\beta - \alpha \approx 2^L$, besides the cost of proving knowledge of a valid opening for the commitment, the prover only has to send $23L \cdot \kappa $ bits to the verifier. In Table 1, we provide the concrete cost of the protocol variant achieving soundness error $2^{-80}$, for commonly used lattice parameters.

Table 1. Concrete communication cost of our lattice-based zero-knowledge argument (Sect. 5.1) for proving knowledge of committed integer X belonging to a given range, w.r.t. various range sizes. We work with lattice parameters $n = 256$, $q \approx 2^{15}$, $m = 4608$. To achieve soundness error $2^{-80}$, we set $\kappa =137$.

Full size table

We remark that, if we only had to prove the correct evaluation of binary addition circuits, MPC-based techniques [20, 28, 36] could perform slightly better than our protocols. However, they become much less efficient for the algebraic parts of the statements we have to prove (in particular, we also need to prove knowledge of openings of $\mathsf {SIS}$-based commitments). Indeed, the MPC-in-the head paradigm [36] and its follow-ups [20, 28] have linear complexities in the size of the circuit, which is much larger than the witness size as the commitment relation entails $\varTheta (n(L+m))$ additions and multiplications over $\mathbb {Z}_q$. In our protocols, proving knowledge of an opening takes $\varTheta ((L+m)\log q)$ bits of communication.

Our Techniques. We proceed by emulating integer commitments by means of bit commitments. To commit to an L-bit integer X in an all-in-one fashion, we generate a KTX commitment $\mathbf {c}_x= \sum _{i=0}^{L-1} \mathbf {a}_i \cdot x_i + \mathbf {B} \cdot \mathbf {r} \in \mathbb {Z}_q^n$ to its binary representation $(x_{L-1}, \ldots , x_0)_2$ using public matrices $\mathbf {A}=[\mathbf {a}_{0} \mid \ldots | \mathbf {a}_{L-1}] \in \mathbb {Z}_q^{n \times L}$ and $\mathbf {B} \in \mathbb {Z}_q^{n \times m}$ and random coins $\mathbf {r} \hookleftarrow U(\{0,1\}^m)$.

Integer Additions. To prove additive relations among committed integers, we come up with an idea that may sound natural for computer processors, but, to the best of our knowledge, has not been considered in the context of zero-knowledge proofs. The idea is to view integer additions as binary additions with carries. Suppose that we add two bits x and y with carry-in $c_{in}$ to obtain a bit z and carry-out $c_{out}$. Then, the relations among these bits are captured by equations

$$\begin{aligned} z = x + y + c_{in} \bmod 2 , \qquad \quad c_{out} = x \cdot y + z \cdot c_{in} + c_{in} \bmod 2, \end{aligned}$$

which is equivalent to a homogeneous system of two equations over $\mathbb {Z}_2$. Using the above adder, we consider the addition of L-bit integers $X = (x_{L-1}, ..., x_0)_2$ and $Y = (y_{L-1}, ..., y_0)_2$ assuming that the committed sum is of length $L+1$ and written as $Z = (z_L, z_{L-1}, ..., z_0)_2$. For each $ i \in \{ 0, ..., L-1\}$, we denote by $c_{i+1}$ the carry-out of the i-th addition and define $c_{L} = z_{L}$. The equations become

$$\begin{aligned} z_0 + x_0 + y_0= & {} 0 \bmod 2 \\ c_1 + x_0 \cdot y_0= & {} 0 \bmod 2 \\ z_1 + x_1 + y_1 + c_1= & {} 0 \bmod 2 \\ c_2 + x_1 \cdot y_1 + z_1 \cdot c_1 + c_1= & {} 0 \bmod 2 \\&\vdots&\\ z_{L-1} + x_{L-1} + y_{L-1} + c_{L-1}= & {} 0 \bmod 2 \\ z_L + x_{L-1} \cdot y_{L-1} + z_{L-1} \cdot c_{L-1} + c_{L-1}= & {} 0 \bmod 2. \end{aligned}$$

We observe that all the terms in the above equations are either bits or products of two bits. By adapting the Stern-like [59] techniques for hiding secret bits [44] and handling quadratic relations [42], we manage to prove that the bits of X, Y, Z satisfy the above equations modulo 2, which is equivalent to $X + Y = Z$ over $\mathbb {Z}$. Meanwhile, to prove that those bits coincide with the values committed under the KTX commitment requires to additionally prove a linear equation modulo q.

Interestingly, we show that, not only the problem of proving additive relations among committed integers can be reduced to proving secret bits satisfying linear and quadratic equations modulo 2 and one linear equation modulo q, such type of reduction is doable for all subsequently considered relations (multiplications, range membership, set non-membership). To handle the reduced statements in a modular manner, we thus design (in Sect. 3) a general zero-knowledge protocol that subsumes all argument systems of this work. In comparison with previous protocols [39, 43, 45, 47] built on Stern’s framework [59], this general protocol introduces a technical novelty which allows to reduce the communication cost.

Range Membership and Set Non-Membership. Our techniques for additions of non-negative integers directly yield a method for proving inequalities of the form $X\le Z$, where it suffices to show the existence of non-negative integer Y such that $X + Y = Z$. This method can be further adapted to handle strict inequalities. To prove that $X < Z$, we demonstrate the existence of non-negative Y such that $X + Y + 1 = Z$, for which only a small additional treatment for the least significant bits of X, Y, Z is needed. Then, by combining two sub-protocols for inequalities, we can obtain range arguments for the statements “$X \in [\alpha , \beta ]$”, “$X \in [\alpha , \beta )$”, “$X \in (\alpha , \beta ]$” and “$X \in (\alpha , \beta )$”, where X is committed under the KTX commitment, and $\alpha , \beta $ can be hidden/committed or public.

Given the techniques for proving inequalities, we can further obtain arguments of non-membership. In order to prove that a committed string $X \in \{0,1\}^k$ does not belong to a public set $S=\{s_1,\ldots ,s_N\}$, the prover generates a (publicly computable) Merkle tree [52] whose leaves are the elements of S arranged in lexicographical order. Then, the prover can use the technique of Libert et al. [44] – which allows arguing possession of a path in a lattice-based Merkle tree – to prove knowledge of two paths leading to adjacent leaves for which the corresponding set elements $Y,Z \in \{0,1\}^k$ satisfy $Y< X < Z $ in lexicographical order. Here, the adjacency of the leaves Y and Z is argued using our techniques for integers additions, which allows proving that their labels (i.e., the binary encoding of the path that connects them to the root) encode integers V, W such that $W=V+1$.

Subquadratic Integer Multiplications. Proving multiplicative relations among L-bit committed integers with subquadratic complexity requires some additional tricks. Karatsuba’s technique [38] divides integers X, Y into equal halves $ X= X_1| X_0$ and $Y = Y_1 | Y_0$, each of which has length L / 2. If the length is odd, the factors must be padded with zeroes in the left halves, which raises technical difficulties as will be explained below. We have $ X = 2^{L/2} \cdot X_1 + X_0$ and $Y = 2^{L/2} \cdot Y_1 + Y_0$, so that $X \cdot Y$ can be written

$$\begin{aligned} X \cdot Y = (2^{L} - 2^{L/2})(X_1Y_1) + (1 - 2^{L/2})(X_0Y_0 ) + 2^{L/2}(X_1 + X_0)(Y_1 + Y_0).\quad \end{aligned}$$

(1)

To prove this equation, we first prove knowledge of 3 partial products and then prove their correct shifting w.r.t. multiplication by powers of 2 before proving the correctness of additions. Each of the factors $X_1, Y_1, X_0, Y_0, X_1 + X_0, Y_1 + Y_0$ of (1) is recursively broken into 3 smaller products until reaching an easy-to-prove “base multiplication”. One difficulty is that the length of $X_1 + X_0$ and $Y_1 + Y_0$ are one bit longer than the length L / 2 of $X_0,X_1,Y_0,Y_1$. Since $L/2+1$ is odd, we need to pad with a zero before dividing any further and the same issue arises when dividing $X_1, Y_1, X_0, Y_0$. In the context of zero-knowledge proofs, it makes it very complicated to keep track of the lengths of witnesses in the underlying equations and determine where the original bits of X and Y should be.

To address the problems caused by carry-on bits in additions, Knuth [40] suggested to use subtractions and re-write the product $X \cdot Y$ as

$$\begin{aligned} (2^{L} + 2^{L/2}) \cdot (X_1 \cdot Y_1) + (1 + 2^{L/2}) \cdot (X_0 \cdot Y_0 ) - 2^{L/2} \cdot (X_1 - X_0) \cdot (Y_1 - Y_0).\quad \end{aligned}$$

(2)

The difference $X_1 - X_0$ is now guaranteed to have length L / 2, which allows using $L= 2^k$ and recursively come down to base multiplications of two-bit integers. However, this modification introduces another problem as $X_1-X_0$ and $Y_1-Y_0$ can now be negative integers, which are more difficult to handle in our setting. For this reason, we need to make sure that we always subtract a smaller integer from a larger one, while preserving the ability to prove correct computations.

To this end, our idea is to compare $X_1$ and $X_0$ and let the smaller one be subtracted from the larger one. To do this, we define auxiliary variables $X'_1, X'_0$ such that $X'_1 > X'_0$ and $\{X_1',X_0'\}=\{X_1,X_0\}$. Letting b be the bit such that $b = 1$ if $X'_1 \ge X'_0$ and $b = 0$ otherwise, this can be expressed by the equation:

$$\begin{aligned} (X'_1 - X'_0) = b \cdot (X_1 - X_0) + (1-b) \cdot (X_0 - X_1), \end{aligned}$$

which is provable in zero-knowledge using our techniques for integer additions. If we repeat the above process and define variables $Y_1',Y_0'$ such that $\{Y_1', Y_0'\}=\{Y_1, Y_0\}$ and an order control bit $c \in \{0,1\}$, if we define $d= b+c \bmod 2$, we have

$$\begin{aligned} (X_1 - X_0) \cdot (Y_1 - Y_0)= & {} (X'_1 - X'_0) \cdot (Y'_1 - Y'_0) ~~\quad \text { if } \quad d = 0 \\ (X_1 - X_0) \cdot (Y_1 - Y_0)= & {} - (X'_1 - X'_0) \cdot (Y'_1 - Y'_0) \quad \text { if } \quad d = 1. \end{aligned}$$

The term $(X_1 - X_0) \cdot (Y_1 - Y_0)$ appearing in Eq. (2) can thus be written as

$$\begin{aligned} (X_1 - X_0) \cdot (Y_1 - Y_0) = (1-d) \cdot (X'_1 - X'_0) \cdot (Y'_1 - Y'_0) - d \cdot (X'_1 - X'_0) \cdot (Y'_1 - Y'_0), \end{aligned}$$

which yields an equation compatible our techniques while avoiding to handle negative integers. At each recursive step, we further divide the differences $X'_1 - X'_0 $ and $Y'_1 - Y'_0$ and keep track of the control bits b, c, d which are part of the witnesses.

Related Work. The first integer commitment scheme was proposed by Fujisaki and Okamoto [25] who suggested to use it to prove relation over the integers. They underlined the importance of zero-knowledge arguments over the integers in order to be able to prove modular relations when the modulus is not known in advance, when the commitment key is generated. Damgård and Fujisaki [22] corrected a flaw in the Fujisaki-Okamoto commitment and generalized it to abelian groups satisfying specific properties.

Lipmaa [48] highlighted the cryptographic importance of the class $\mathbf {D}$ of Diophantine sets^{Footnote 2} [1] and gave improved constructions of zero-knowledge proofs for Diophantine equations. As special cases, he obtained efficient zero-knowledge arguments for intervals, unions of intervals, exponential relations and $\gcd $ relations. In [33], Groth suggested another integer commitment scheme based on the Strong RSA assumption [4] which, like [22, 25], relies on groups of hidden order. Couteau, Peters and Pointcheval [21] recently suggested to combine integer commitments with a commitment scheme to field elements in order to improve the efficiency of zero-knowledge proofs over the integers. They also revisited the Damgård-Fujisaki commitment [22] and proved it the security of its companion argument system under the standard RSA assumption. While our results are not as general as those of [21, 48] as we do not handle negative integers, they suffice for many applications of integer commitments, as we previously mentioned.

Range proofs were introduced by Brickell et al. [10] and received a permanent attention [9, 12, 18, 19, 21, 31, 35, 48] since then. They served as a building block of countless cryptographic applications, which include anonymous credentials [14], anonymous e-cash [13], auction protocols [49], e-voting [34] and many more.

Currently known range proofs proceed via two distinct approaches. The first one proceeds by breaking integers into bits or small digits [7, 10, 12, 23, 31, 35], which allows communicating a sub-logarithmic (in the range size) number of group elements in the best known constructions [12, 31, 35]. The second approach [9, 21, 34, 48] appeals to integer commitments and groups of hidden order. This approach is usually preferred for very large ranges (which often arise in applications like anonymous credentials [14], where range elements are comprised of thousands of bits) where it tends to be more efficient and it does not require the maximal range length to be known when the commitment key is chosen.

Despite three decades of research, all known efficient range proofs (by “efficient”, we mean that the communication complexity should be only logarithmic in the range size) build on quantum-vulnerable assumptions and the only candidates supporting very large integers rely on groups of hidden order. By proving knowledge of small secret vectors, lattice-based protocols [39, 47] can be seen as providing a limited form of range proofs: if we can prove that a committed $\mathbf {x} \in \mathbb {Z}^m$ has infinity norm $\Vert \mathbf {x} \Vert _{\infty } < B$ for some basis $B<q$ of a B-ary representation, we can prove that $\mathbf {x}$ encodes an integer X in the range $[ 0 , B^m-1]$. However, it is not clear how to deal with arbitrary ranges. Using homomorphic integer commitments, any range $[\alpha ,\beta ]$ can be handled (see [17] and references therein) by exploiting the homomorphic properties of the commitment scheme and proving that $X -\alpha \in [0,\beta -\alpha ]$. With homomorphic commitments used in the context of lattice-based cryptography, there is no obvious way to shift the committed value by an integer $\alpha $ when $\alpha >q$. Even with a sub-exponential modulus q, the size L of integers can be at most sub-linear in n. To our knowledge, no flexible solution has been proposed in the lattice setting, let alone under standard lattice assumptions with polynomial approximation factors and polynomial-size moduli. Our schemes thus provide a first answer to this question.

In the context of set non-membership, our construction bears resemblance with a technique used by Nakanishi et al. [56] to handle revocation in privacy-preserving protocols by proving inequalities over the integers. For a public set $S=\{s_1,\ldots ,s_N\}$ arranged in lexicographical order, they rely on a trusted authority to create Camenisch-Lysyanskaya signatures [16] on all ordered pairs $\{\mathsf {Msg}_i=(s_i,s_{i+1})\}_{i=1}^{N-1}$ of adjacent set elements. To prove that a committed s is not in S, the prover proceeds with a proof of knowledge of two message-signature pairs $(\mathsf {Msg}_j,sig_j)$, $(\mathsf {Msg}_{j+1},sig_{j+1})$ for which $\mathsf {Msg}_j=(s_j,s_{j+1})$ and $\mathsf {Msg}_{j+1}=(s_{j+1},s_{j+2})$ contain elements $s_j,s_{j+1}$ such that $s_j< s < s_{j+1}$. While this approach could be instantiated with our technique for proving integer inequalities, it would require proofs of knowledge of signatures and thus lattice trapdoors (indeed, all known lattice-based signatures compatible with proofs of knowledge rely on lattice trapdoors [26, 53]). By using proofs of knowledge of a Merkle tree path [44] instead of signatures, our solution eliminates the need for lattice trapdoors, which allows for a better efficiency (note that proving inequalities $s_j< s < s_{j+1}$ incurs a complexity $\varOmega (\log N)$ in both cases, so that using Merkle trees does not affect the asymptotic complexity). Moreover, the technique of Nakanishi et al. [56] involves a trusted entity to sign all pairs $(s_i,s_{i+1})\}_{i=1}^{N-1}$ in a setup phase whereas no trusted setup is required in our construction.

Other approaches to prove (non-)membership of a public set were suggested in [12, 15, 41, 46]. However, they rely on a trusted entity to approve the sets of which (non-)membership must be proven during a setup phase. Setup-free accumulator-based set membership proofs were described in [11, 44], but they are not known to support non-membership proofs.

In [6], Bayer and Groth cleverly used $\varSigma $ protocols to handle proofs of non-membership without assuming a trusted setup. Their construction achieves logarithmic complexity in the cardinality of the set, but it crucially relies on commitment schemes, like Pedersen’s discrete-log-based commitment [57], with homomorphic properties over the message space and the randomness space. For lack of a lattice-based commitment scheme with similar properties, their approach does not seem readily instantiable under lattice assumptions.

2 Preliminaries

Notations. When working with an integer $X \in [0, 2^{L}-1]$, we use the notation $X = (x_{L-1}, \ldots , x_0)_2$ to describe its bits, and use bold lower-case letter $\mathbf {x}$ to denote the representation of X as binary column vector $(x_{L-1}, \ldots , x_0) \in \{0,1\}^L$. The column concatenation of matrices $\mathbf {A} \in \mathbb {Z}^{n \times k}$ and $\mathbf {B} \in \mathbb {Z}^{n \times m}$ is denoted by $[\mathbf {A}| \mathbf {B}] \in \mathbb {Z}^{n \times (k + m)}$. When concatenating column vectors $\mathbf {x} \in \mathbb {Z}^k$ and $\mathbf {y} \in \mathbb {Z}^m$, for simplicity, we often use the notation $(\mathbf {x} \Vert \mathbf {y}) \in \mathbb {Z}^{k + m}$ (instead of $(\mathbf {x}^\top \Vert \mathbf {y}^\top )^\top $).

2.1 Lattice-Based Cryptographic Building Blocks

We first recall the average-case problem SIS and its hardness.

Definition 1

($\mathsf {SIS}^{\infty }_{n,m,q,\beta }$ [2, 26]). Given uniformly random matrix $\mathbf {A} \in \mathbb {Z}_q^{n \times m}$, find a non-zero vector $\mathbf {x} \in \mathbb {Z}^m$ such that $\Vert \mathbf {x}\Vert _\infty \le \beta $ and $\mathbf {A\cdot x=0} \bmod q.$

If $m, \beta = \mathsf {poly}(n)$, and $q > \beta \cdot \widetilde{\mathcal {O}}(\sqrt{n})$, the $\mathsf {SIS}^{\infty }_{n,m,q,\beta }$ problem is at least as hard as worst-case lattice problem $\mathsf {SIVP}_\gamma $ for some $\gamma = \beta \cdot \widetilde{\mathcal {O}}(\sqrt{nm})$ (see, e.g., [26, 54]).

We will use two SIS-based cryptographic ingredients: the commitment scheme of Kawachi, Tanaka and Xagawa [39] (KTX) and the Merkle hash tree from [44].

The KTX commitment scheme. The scheme works with security parameter n, prime modulus $q = {\mathcal {O}}(\sqrt{L}\cdot n)$, and dimension $m = n(\lceil \log _2 q\rceil +3)$. We will consider several flavours of the scheme.

In the variant that allows committing to $L \le \mathsf {poly}(n)$ bits, the commitment key is $(\mathbf {a}_0, \ldots , \mathbf {a}_{L-1}, \mathbf {B}) \hookleftarrow U(\mathbb {Z}_q^{n \times (m+L)})$. To commit to a bitstring $x_0, \ldots , x_{L-1}$, one samples $\mathbf {r} \hookleftarrow U(\{0,1\}^m)$, and outputs $\mathbf {c} = \sum _{i=0}^{L-1}\mathbf {a}_i\cdot x_i + \mathbf {B}\cdot \mathbf {r} \bmod q$. Then, to open the commitment, one simply reveals $x_0, \ldots , x_{L-1} \in \{0,1\}$ and $\mathbf {r} \in \{0,1\}^m$.

If one can compute two valid openings $(x'_0, \ldots , x'_{L-1}, \mathbf {r}')$ and $(x''_0, \ldots , x''_{L-1},$ $\mathbf {r}'')$ for the same commitment $\mathbf {c}$, where $(x'_0, \ldots , x'_{L-1}) \ne (x''_0, \ldots , x''_{L-1})$, then one can compute a solution to the $\mathsf {SIS}_{n,m+L, q,1}^\infty $ problem associated with the uniformly random matrix $[\mathbf {a}_0 \mid \ldots \mid \mathbf {B}] \in \mathbb {Z}_q^{n \times (m+L)}$. Thus, the scheme is computationally binding, assuming the worst-case hardness of $\mathsf {SIVP}_{\widetilde{\mathcal {O}}(\sqrt{L}\cdot n)}$. On the other hand, by the Leftover Hash Lemma [29], the distribution of a commitment $\mathbf {c}$ is statistically close to uniform over $\mathbb {Z}_q^n$. This implies that the scheme is statistically hiding.

In the special case when $L=1$, the scheme becomes a bit commitment scheme, in which case it can use a small modulus $q = \widetilde{\mathcal {O}}(n)$ and rely on a weak $\mathsf {SIVP}$ assumption with $\gamma = \widetilde{\mathcal {O}}(n)$.

Kawachi et al. [39] extended the above fixed-length commitment scheme to a string commitment scheme $\mathsf {COM}: \{0,1\}^* \times \{0,1\}^m \rightarrow \mathbb {Z}_q^n$. The obtained scheme is also statistically hiding for the given setting of parameters, and computationally binding assuming that $\mathsf {SIVP}_{\widetilde{\mathcal {O}}(n)}$ is hard.

Here, we will use the first commitment variant to commit to secret bits and the string commitment scheme COM as a building block for Stern-like protocols.

Lattice-based Merkle hash tree. The construction relies on the following collision-resistant hash function. Let n be the security parameter, $q = \widetilde{\mathcal {O}}(n)$, $k = n\lceil \log _2 q\rceil $ and $m = 2k$. Define the “powers-of-2” matrix

$$\begin{aligned} \mathbf {G} = \mathbf {I}_n \otimes [1~2~4~\ldots ~2^{\lceil \log _2 q\rceil -1} ] \in \mathbb {Z}_q^{n \times k}. \end{aligned}$$

Note that for every $\mathbf {v} \in \mathbb {Z}_q^n$, we have $\mathbf {v} = \mathbf {G}\cdot \mathsf {bin}(\mathbf {v})$, where $\mathsf {bin}(\mathbf {v}) \in \{0,1\}^{k}$ denotes the binary representation of $\mathbf {v}$.

For matrix ${\mathbf {B}} = [\mathbf {B}_0 \mid \mathbf {B}_1] \hookleftarrow U(\mathbb {Z}_q^{n \times m})$, where $\mathbf {B}_0, \mathbf {B}_1 \in \mathbb {Z}_q^{n \times k}$, define the function $h_{{\mathbf {B}}} : \{0,1\}^{k} \times \{0,1\}^{k} \rightarrow \{0,1\}^{k}$ as follows:

$$\begin{aligned} (\mathbf {u}_0, \mathbf {u}_1) ~\mapsto & {} ~ h_{{\mathbf {B}}} (\mathbf {u}_0, \mathbf {u}_1) = \mathsf {bin}\big (\mathbf {B}_0 \cdot \mathbf {u}_0 + \mathbf {B}_1\cdot \mathbf {u}_1 \bmod q\big ). \end{aligned}$$

Note that $h_{\mathbf {B}}(\mathbf {u}_0, \mathbf {u}_1) = \mathbf {u} \Leftrightarrow \mathbf {B}_0\cdot \mathbf {u}_0 + \mathbf {B}_1 \cdot \mathbf {u}_1 = \mathbf {G}\cdot \mathbf {u} \bmod q$. This hash function was shown collision-resistant if $\mathsf {SIVP}_{\widetilde{\mathcal {O}}(n)}$ is hard [2, 44]. It allows building Merkle trees to securely accumulate data. In particular, for an ordered set $S = \{\mathbf {d}_{0}, \ldots , \mathbf {d}_{2^\ell -1}\}$ consisting of $2^\ell \in \mathsf {poly}(n)$ elements of bit-size k, one builds the binary tree of depth $\ell $ on top of elements of the set, as follows. First, associate the $2^\ell $ leaf nodes with elements of the set, with respect to the order of these elements. Then, every non-leaf node of the tree is associated with the hash value of its two children. Finally, output the root of the tree $\mathbf {u} \in \{0,1\}^{k}$. Note that, the collision resistance of the hash function $h_{{\mathbf {B}}}$ guarantees that it is infeasible to find a tree path starting from the root $\mathbf {u}$ and ending with $\mathbf {d}' \not \in S$.

2.2 Zero-Knowledge Argument Systems and Stern-Like Protocols

We will work with statistical zero-knowledge argument systems, where remain zero-knowledge for any cheating verifier while the soundness property only holds against computationally bounded cheating provers. More formally, let the set of statements-witnesses $\mathrm {R} = \{(y,w)\} \in \{0,1\}^* \times \{0,1\}^*$ be an NP relation. A two-party game $\langle \mathcal {P},\mathcal {V} \rangle $ is called an interactive argument system for the relation $\mathrm {R}$ with soundness error e if the following conditions hold:

Completeness. If $(y,w) \in \mathrm {R}$ then $\mathrm {Pr}\big [\langle \mathcal {P}(y,w),\mathcal {V}(y) \rangle =1\big ]=1.$
Soundness. If $(y,w) \not \in \mathrm {R}$, then $\forall $ PPT $\widehat{\mathcal {P}}$: $\mathrm {Pr}[\langle \widehat{\mathcal {P}}(y,w),\mathcal {V}(y) \rangle =1] \le e.$

An argument system is called statistical zero-knowledge if there exists a PPT simulator $\mathcal {S}(y)$ having oracle access to any $\widehat{\mathcal {V}}(y)$ and producing a simulated transcript that is statistically close to the one of the real interaction between $\mathcal {P}(y,w)$ and $\widehat{\mathcal {V}}(y)$. A related notion is argument of knowledge, which requires the witness-extended emulation property. For protocols consisting of 3 moves (i.e., commitment-challenge-response), witness-extended emulation is implied by special soundness [32], where the latter assumes that there exists a PPT extractor which takes as input a set of valid transcripts with respect to all possible values of the “challenge” to the same “commitment”, and outputs $w'$ such that $(y,w') \in \mathrm {R}$.

The statistical zero-knowledge arguments of knowledge presented in this work are Stern-like [59] protocols. In particular, they are $\varSigma $-protocols in the generalized sense defined in [37] (where 3 valid transcripts are needed for extraction, instead of just 2). The basic protocol consists of 3 moves: commitment, challenge, response. If a statistically hiding and computationally binding string commitment scheme, such as the KTX scheme [39], is employed in the first move, then one obtains a statistical zero-knowledge argument of knowledge (ZKAoK) with perfect completeness, constant soundness error 2 / 3. In many applications, the protocol is repeated $\kappa = \omega (\log n)$ times to make the soundness error negligibly small in n.

3 A General Zero-Knowledge Argument of Knowledge

This section presents a general Stern-like zero-knowledge argument system that subsumes all the subsequent constructions in Sects. 4, 5 and 6. Before describing the protocol, we first recall two previous Stern-like techniques that it will use.

3.1 Some Previous Extending-then-Permuting Techniques

Let us recall the techniques for proving knowledge of a single secret bit x, and for proving knowledge of bit product $x_1 \cdot x_2$, from [42, 44], respectively. These techniques will be employed in the protocol presented in Sect. 3.2.

For any bit $b \in \{0,1\}$, denote by $\overline{b}$ the bit $\overline{b} = b + 1 \bmod 2$, and by $\mathsf {ext}_2(b)$ the 2-dimensional vector $(\overline{b}, b) \in \{0,1\}^2$.

For any bit $c \in \{0,1\}$, define $P^2_c$ as the permutation that transforms the integer vector $\mathbf {v} = (v_0, v_1) \in \mathbb {Z}^2$ into $P^2_c(\mathbf {v}) = (v_c, v_{\overline{c}})$. Namely, if $c=0$ then $P^2_c$ keeps the arrangement the coordinates of $\mathbf {v}$; or swaps them if $c=1$. Note that:

$$\begin{aligned} \mathbf {v} = \mathsf {ext}_2(b) \quad \Longleftrightarrow \quad P^2_c(\mathbf {v}) = \mathsf {ext}_2(b + c\bmod 2). \end{aligned}$$

(3)

As shown in [44], the equivalence (3) helps proving knowledge of a secret bit x that may appear in several correlated linear equations. To this end, one extends x to $\mathsf {ext}_2(x) \in \{0,1\}^2$, and permutes the latter using $P^2_c$, where c is a uniformly random bit. Seeing the permuted vector $\mathsf {ext}_2(x + c \bmod 2)$ convinces the verifier that the original vector $\mathsf {ext}_2(x)$ is well-formed – which in turn implies knowledge of some bit x – while c acts as a “one-time pad” that completely hides x.

To prove that a bit is the product $x_1 \cdot x_2$ of two secret bits, Libert et al. [42] introduced the following t echnique. For any two bits $b_1, b_2$, define

$$\begin{aligned} \mathsf {ext}_4(b_1,b_2) = (\overline{b}_1\cdot \overline{b}_2, \overline{b}_1\cdot {b}_2, {b}_1\cdot \overline{b}_2,\, b_1\cdot b_2)\in \{0,1\}^4, \end{aligned}$$

which is an extension of the bit product $b_1 \cdot b_2$. Next, define a specific type of permutation associated with two bits, as follows.

For any two bits $c_1, c_2 \in \{0,1\}$, define $P^4_{c_1, c_2}$ as the permutation that transforms the integer vector $\mathbf {v} = (v_{0,0}, v_{0,1}, v_{1,0}, v_{1,1})\in \mathbb {Z}^4$ into

$$\begin{aligned} P^4_{c_1, c_2}(\mathbf {v}) = \big (v_{c_1,c_2}, v_{c_1, \overline{c}_2}, v_{\overline{c}_1, c_2}, v_{\overline{c}_1, \overline{c}_2}\big )\in \mathbb {Z}^4. \end{aligned}$$

For any bits $b_1,b_2, c_1, c_2$ and any vector $\mathbf {v} = (v_{0,0}, v_{0,1}, v_{1,0}, v_{1,1})\in \mathbb {Z}^4$, we have

$$\begin{aligned} \mathbf {v} = \mathsf {ext}_4(b_1,b_2) \quad \Longleftrightarrow \quad P^4_{c_1, c_2}(\mathbf {v}) = \mathsf {ext}_4(b_1 + c_1 \bmod 2, b_2 + c_2 \bmod 2). \end{aligned}$$

(4)

As a result, to prove the well-formedness of $x_1 \cdot x_2$, one can extend it to the vector $\mathsf {ext}_4(x_1, x_2)$, permute the latter using $P^4_{c_1, c_2}$, where $c_1, c_2$ are uniformly random bits, and send the permuted vector to the verifier who should be convinced that the original vector, i.e., $\mathsf {ext}_4(x_1, x_2)$, is well-formed, while learning nothing else about $x_1$ and $x_2$, thanks to the randomness of $c_1$ and $c_2$. Furthermore, this sub-protocol can be combined with other Stern-like protocols, where one has to additionally prove that $x_1, x_2$ satisfy other conditions. This is done by using the same “one-time pads” $c_1, c_2$ at all occurrences of $x_1$ and $x_2$, respectively.

3.2 Our General Protocol

Let $N, \mathfrak {m}_1, \mathfrak {m}_2$ be positive integers, where $\mathfrak {m}_1 \le N$. Let $T = \{(i_1, j_1), \ldots , (i_{|T|}, j_{|T|})\}$ be a non-empty subset of $[N] \times [N]$. Define $d_1 = 2(\mathfrak {m}_1 + \mathfrak {m}_2)$, $d_2 = 2N + 4|T|$ and $d= d_1 + d_2$. Let $n_1 \le d_1, n_2 \le d_2$ and $q>2$ be positive integers. The argument system we aim to construct can be summarized as follows.

Public input consists of $\mathbf {g}_1, \ldots , \mathbf {g}_{\mathfrak {m}_1}, \mathbf {b}_1, \ldots , \mathbf {b}_{\mathfrak {m}_2}, \mathbf {u}_1 \in \mathbb {Z}_q^{n_1}$ and
$$\{h_{\ell ,k}\}_{(\ell ,k) \in [n_2]\times [N]}; \,\,\{f_{\ell ,t}\}_{(\ell ,t) \in [n_2]\times [|T|]}; \,\, v_1, \ldots , v_{n_2} \in \mathbb {Z}_2.$$
Prover’s witness is ($N + \mathfrak {m}_2$)-bit vector $\mathbf {s} = (s_1, \ldots ,s_{\mathfrak {m}_1}, \ldots , s_N, \ldots ,$ $ s_{N+\mathfrak {m}_2})$.
Prover’s goal is to prove in zero-knowledge that:

1.
The first $\mathfrak {m}_1$ bits $s_1, \ldots , s_{m_1}$ and the last $\mathfrak {m}_2$ bits $s_{N+1}, \ldots , s_{N + \mathfrak {m}_2}$ satisfy the following linear equation modulo q.
$$\begin{aligned} \displaystyle&\sum _{i \in [\mathfrak {m}_1]} \mathbf {g}_{i}\cdot s_i + \sum _{j \in [\mathfrak {m}_2]} \mathbf {b}_{j}\cdot s_{N+j} = \mathbf {u}_1 \bmod q. \end{aligned}$$
(5)
2.
The first N bits $s_1, \ldots , s_{\mathfrak {m}_1}, \ldots , s_N$ satisfy the following $n_2$ equations modulo 2 that contain N linear terms and a total of |T| quadratic terms $\{s_{i_t}\cdot s_{j_t}\}_{t=1}^{|T|}$.
$$\begin{aligned} \displaystyle \forall \ell \in [n_2]:&\sum _{k=1}^N h_{\ell ,k} \cdot s_k + \sum _{t=1}^{|T|} f_{\ell ,t}\cdot (s_{i_t}\cdot s_{j_t}) = v_\ell \bmod 2. \end{aligned}$$
(6)

Looking ahead, all the statements that we will consider in Sects. 4, 5 and 6 can be handled as special cases of the above general protocol, which will serve as an “umbrella” for all of our subsequent constructions.

As a preparation for the protocol construction, let us first introduce a few notations and techniques.

Encoding vector $\mathsf {ENC}(\cdot )$. In the protocol, we will work with a binary vector of length $\mathbf {d}$ that has a very specific constraint determined by $N+\mathfrak {m}_2$ bits. For any $\mathbf {b} = (b_1, \ldots , b_{\mathfrak {m}_1}, \ldots , b_N, \ldots , b_{N+\mathfrak {m}_2}) \in \{0,1\}^{N + \mathfrak {m}_2}$, we denote by $\mathsf {ENC}(\mathbf {b}) \in \{0,1\}^d$ the vector encoding $\mathbf {b}$ as follows:

where $\mathsf {ext}_2(\cdot )$ and $\mathsf {ext}_4(\cdot , \cdot )$ are as in Sect. 3.1.

Permutation $\varGamma $. To prove in zero-knowledge of a vector that has the form $\mathsf {ENC}(\cdot )$, we will need to a specific type of permutation. To this end, we associate each $\mathbf {c} = (c_1, \ldots , c_N, \ldots , c_{N + \mathfrak {m}_2}) \in \{0,1\}^{N + \mathfrak {m}_2}$ with a permutation $\varGamma _{\mathbf {c}}$ that acts as follows. When being applied to vector

$$\begin{aligned}&\mathbf {v} = \big (\mathbf {v}_1 \Vert \ldots \Vert \mathbf {v}_{\mathfrak {m}_1} \Vert \mathbf {v}_{\mathfrak {m}_1 + 1} \Vert \ldots \Vert \mathbf {v}_{\mathfrak {m}_1 + \mathfrak {m}_2} \Vert \mathbf {v}_{\mathfrak {m}_1 + \mathfrak {m}_2 +1} \Vert \ldots \Vert \mathbf {v}_{\mathfrak {m}_1 + \mathfrak {m}_2 +N} \Vert \\&\quad \quad \quad \quad \quad \quad \quad \,\;\,\Vert \mathbf {v}_{\mathfrak {m}_1 + \mathfrak {m}_2 + N +1} \Vert \ldots \Vert \mathbf {v}_{\mathfrak {m}_1 + \mathfrak {m}_2 + N + |T|} \big ) \in \mathbb {Z}^d, \end{aligned}$$

whose first $\mathfrak {m}_1 + \mathfrak {m}_2 + N$ blocks are of length 2 and last |T| blocks are of length 4, it transforms these blocks as described below.

$$\begin{aligned}&\mathbf {v}_i \mapsto P^{2}_{c_i}(\mathbf {v}_i), \forall i \in [\mathfrak {m}_1]; \quad \quad \mathbf {v}_{\mathfrak {m}_1 +j} \mapsto P^{2}_{c_{N+j}}(\mathbf {v}_{\mathfrak {m}_1 +j}), \forall j \in [\mathfrak {m}_2];\\&\qquad \qquad \quad \mathbf {v}_{\mathfrak {m}_1 + \mathfrak {m}_2 + k} \mapsto P^2_{c_k}(\mathbf {v}_{\mathfrak {m}_1 + \mathfrak {m}_2 + k}), \forall k \in [N];\\&\qquad \mathbf {v}_{\mathfrak {m}_1 + \mathfrak {m}_2 + N + t} \mapsto P^4_{c_{i_t}, c_{j_t}}(\mathbf {v}_{\mathfrak {m}_1 + \mathfrak {m}_2 + N + t}), \forall t \in [|T|]. \end{aligned}$$

Based on the equivalences observed in (3)–(4), it can be checked that the following holds. For all $\mathbf {b}, \mathbf {c} \in \{0,1\}^{N + \mathfrak {m}_2}$, all $\mathbf {v} \in \mathbb {Z}^d$,

$$\begin{aligned} \mathbf {v} = \mathsf {ENC}(\mathbf {b}) \quad \Longleftrightarrow \quad \varGamma _{\mathbf {c}}(\mathbf {v}) = \mathsf {ENC}(\mathbf {b} + \mathbf {c} \bmod 2). \end{aligned}$$

(7)

Let us now present the protocol, based on the above notations and techniques. First, we perform the following extensions for the secret objects:

$$\begin{aligned} {\left\{ \begin{array}{ll} \forall k \in [N+\mathfrak {m}_2]: \mathbf {s}_k = \mathsf {ext}_2(s_k) \in \{0,1\}^2 \\ \forall (i_t,j_t) \in T: \mathbf {y}_{i_t,j_t} = \mathsf {ext}_4(s_{i_t}, s_{j_t}) \in \{0,1\}^4. \end{array}\right. } \end{aligned}$$

(8)

Now, we will perform some transformations regarding Eq. (5). Observe that, for each $i \in [\mathfrak {m}_1]$, if we form matrix $\mathbf {G}_i = [\mathbf {0}^{n_1} \mid \mathbf {g}_i] \in \mathbb {Z}_q^{n_1 \times 2}$, then we will have $\mathbf {G}_i \cdot \mathbf {s}_i = \mathbf {g}_i \cdot s_i \bmod q$. Similarly, for each $j \in [\mathfrak {m}_2]$, if we form $\mathbf {B}_j = [\mathbf {0}^{n_1} \mid \mathbf {b}_j] \in \mathbb {Z}_q^{n_1 \times 2}$, then we will have $\mathbf {B}_j \cdot \mathbf {s}_{N+j} = \mathbf {b}_j \cdot s_{N + j} \bmod q$.

Therefore, if we build matrix $\mathbf {M}_1 = [\mathbf {G}_1 \mid \ldots \mid \mathbf {G}_{\mathfrak {m}_1} \mid \mathbf {B}_1 \mid \ldots \mid \mathbf {B}_{\mathfrak {m}_2}] \in \mathbb {Z}_q^{n_1 \times d_1}$, Eq. (5) can be expressed as $\mathbf {M}_1 \cdot \mathbf {w}_1 = \mathbf {u}_1 \bmod q,$ where $\mathbf {w}_1 = \big (\mathbf {s}_1 \Vert \ldots \Vert \mathbf {s}_{\mathfrak {m}_1} \Vert \mathbf {s}_{N+1} \Vert \ldots \Vert \mathbf {s}_{N + \mathfrak {m}_2}\big ) \in \{0,1\}^{d_1}$.

Next, we will unify all the $n_2$ equations in (6) into just one equation modulo 2, in the following manner. We form matrices

$$\begin{aligned} {\left\{ \begin{array}{ll} \mathbf {H}_{\ell , k} = \big [0 \mid h_{\ell ,k} \big ] \in \mathbb {Z}_2^{1 \times 2}, \forall (\ell ,k) \in [n_2]\times [N]; \\ \mathbf {F}_{\ell , t} = \big [0 \mid 0 \mid 0 \mid f_{\ell ,t}\big ] \in \mathbb {Z}_2^{1 \times 4}, \forall (\ell ,t) \in [n_2]\times [|T|], \end{array}\right. } \end{aligned}$$

and note that $\mathbf {H}_{\ell ,k} \cdot \mathbf {s}_k = h_{\ell ,k}\cdot s_k \bmod 2$ and $\mathbf {F}_{\ell ,t}\cdot \mathbf {y}_{i_t, j_t} = f_{\ell ,t}\cdot (s_{i_j}\cdot s_{i_t}) \bmod 2$. Thus, (6) can be rewritten as:

$$\begin{aligned} \mathbf {H}_{1,1} \cdot \mathbf {s}_1+ & {} \ldots + \mathbf {H}_{1, N}\cdot \mathbf {s}_N + \mathbf {F}_{1,1}\cdot \mathbf {y}_{i_1, j_1} + \cdots + \mathbf {F}_{1, |T|}\cdot \mathbf {y}_{i_{|T|}, j_{|T|}} = v_1 \bmod 2 \\ \mathbf {H}_{2,1} \cdot \mathbf {s}_1+ & {} \ldots + \mathbf {H}_{2, N}\cdot \mathbf {s}_N + \mathbf {F}_{2,1}\cdot \mathbf {y}_{i_1, j_1} + \cdots + \mathbf {F}_{2, |T|}\cdot \mathbf {y}_{i_{|T|}, j_{|T|}} = v_2 \bmod 2 \\ ~~~&~~~\vdots ~\quad \qquad \qquad ~~\vdots \quad \qquad \qquad ~~\vdots ~~~~~ \\ \mathbf {H}_{n_2,1} \cdot \mathbf {s}_1+ & {} \cdots + \mathbf {H}_{n_2, N}\cdot \mathbf {s}_N + \mathbf {F}_{n_2,1}\cdot \mathbf {y}_{i_1, j_1} + \cdots + \mathbf {F}_{n_2, |T|}\cdot \mathbf {y}_{i_{|T|}, j_{|T|}} = v_{n_2} \bmod 2. \end{aligned}$$

Letting $\mathbf {u}_2 = (v_1, \ldots , v_{n_2})^\top \in \mathbb {Z}_2^{n_2}$, the above equations can be unified into

$$\begin{aligned} \mathbf {M}_2 \cdot \mathbf {w}_2 = \mathbf {u}_2 \bmod 2, \end{aligned}$$

(9)

where matrix $\mathbf {M}_2 \in \mathbb {Z}_2^{n_2 \times d_2}$ is built from $\mathbf {H}_{\ell ,k}, \mathbf {F}_{\ell ,t}$, and

$$\begin{aligned} \mathbf {w}_2 = \big (\mathbf {s}_1 \Vert \ldots \,\,\Vert \mathbf {s}_N \Vert \mathbf {y}_{i_1,j_1} \Vert \ldots \Vert \,\,\mathbf {y}_{i_{|T|}, j_{|T|}}\big )\in \{0,1\}^{2N + 4|T|}. \end{aligned}$$

Now, let us construct the vector $\mathbf {w} = (\mathbf {w}_1 \Vert \mathbf {w}_2) \in \{0,1\}^{d}$, which has the form

$$\begin{aligned} \big ( \mathbf {s}_1 \Vert \ldots \,\,\Vert \mathbf {s}_{\mathfrak {m}_1} \Vert \mathbf {s}_{N+1} \Vert \ldots \Vert \, \mathbf {s}_{N + \mathfrak {m}_2} \Vert \mathbf {s}_1 \,\Vert \ldots \,\,\Vert \mathbf {s}_N \,\,\Vert \mathbf {y}_{i_1,j_1} \Vert \,\, \ldots \Vert \,\, \mathbf {y}_{i_{|T|}, j_{|T|}} \big ), \end{aligned}$$

where its components blocks are as described in (8). Then, by our above definition of encoding vectors, we have $\mathbf {w} = \mathsf {ENC}(\mathbf {s})$.

The transformations we have done so far allow us to reduce the original statement to proving knowledge of vector $\mathbf {s} \in \{0,1\}^{N + \mathfrak {m}_2}$, such that the component vectors $\mathbf {w}_1 \in \{0,1\}^{d_1}$, $\mathbf {w}_2 \in \{0,1\}^{d_2}$ of $\mathbf {w} = \mathsf {ENC}(\mathbf {s})$ satisfy the equations $\mathbf {M}_1 \cdot \mathbf {w}_1 = \mathbf {u}_1 \bmod q$ and $\mathbf {M}_2 \cdot \mathbf {w}_2 = \mathbf {u}_2 \bmod 2$. The derived statement can be handled in Stern’s framework, based on the following main ideas.

To prove that $\mathbf {w} = \mathsf {ENC}(\mathbf {s})$, we will use the equivalence (7). To this end, we sample a uniformly random $\mathbf {c} \in \{0,1\}^{N + \mathfrak {m}_2}$ and prove instead that $\varGamma _{\mathbf {c}}(\mathbf {w}) = \mathsf {ENC}(\mathbf {s} + \mathbf {c} \bmod 2)$. Seeing this, the verifier is convinced in ZK that $\mathbf {w}$ indeed satisfies the required constraint, thanks to the randomness of $\mathbf {c}$.
To prove that equations $\mathbf {M}_1 \cdot \mathbf {w}_1 = \mathbf {u}_1 \bmod q$ and $\mathbf {M}_2 \cdot \mathbf {w}_2 = \mathbf {u}_2 \bmod 2$ hold, we sample uniformly random $\mathbf {r}_1 \in \mathbb {Z}_q^{d_1}$, $\mathbf {r}_2 \in \mathbb {Z}_2^{d_2}$, and demonstrate that
$$\begin{aligned} \mathbf {M}_1 \cdot (\mathbf {w}_1 + \mathbf {r}_1) = \mathbf {u}_1 + \mathbf {M}_1 \cdot \mathbf {r}_1 \bmod q; \mathbf {M}_2 \cdot (\mathbf {w}_2 + \mathbf {r}_2) = \mathbf {u}_2 + \mathbf {M}_2 \cdot \mathbf {r}_2 \bmod 2. \end{aligned}$$

The interactive protocol. Our interactive protocol goes as follows.

The public input consists of matrices $\mathbf {M}_1, \mathbf {M}_2$ and vectors $\mathbf {u}_1, \mathbf {u}_2$, which are constructed from the original public input, as discussed above.
The prover’s witness consists of the original secret vector $\mathbf {s} \in \{0,1\}^{N + \mathfrak {m}_2}$ and vector $\mathbf {w} = (\mathbf {w}_1 \Vert \mathbf {w}_2) = \mathsf {ENC}(\mathbf {s})$ derived from $\mathbf {s}$, as described above.

The prover $\mathcal {P}$ and the verifier $\mathcal {V}$ interact as described in Fig. 1. The protocol uses the KTX string commitment scheme COM, which is statistically hiding and computationally binding. For simplicity of presentation, for vectors $\mathbf {w} = \big (\mathbf {w}_1\Vert \mathbf {w}_2\big ) \in \mathbb {Z}^d$ and $\mathbf {r} = \big (\mathbf {r}_1 \Vert \mathbf {r}_2\big ) \in \mathbb {Z}^d$, we denote by $\mathbf {w} \boxplus \mathbf {r}$ the operation that computes $\mathbf {z}_1 = \mathbf {w}_1 + \mathbf {r}_1 \bmod q$, $\mathbf {z}_2 = \mathbf {w}_2 + \mathbf {r}_2 \bmod 2$, and outputs d-dimensional integer vector $\mathbf {z} = \big (\mathbf {z}_1 \Vert \mathbf {z}_2\big )$. We note that, for all $\mathbf {c} \in \{0,1\}^{N+\mathfrak {m}_2}$, if $\mathbf {t} = \varGamma _{\mathbf {c}}(\mathbf {w})$ and $\mathbf {s} = \varGamma _{\mathbf {c}}(\mathbf {r})$, then we have $\varGamma _{\mathbf {c}}(\mathbf {w} \boxplus \mathbf {r}) = \mathbf {t} \boxplus \mathbf {s}$.

The described protocol can be seen as an improved version of a Stern-like protocol presented in [45], in the following aspect. In the case $Ch=1$, instead of sending $\varGamma _{\mathbf {c}}(\mathbf {w})= \mathsf {ENC}(\mathbf {c}^\star )$ - which costs $d = 2(\mathfrak {m}_1 + \mathfrak {m}_2) + 2N + 4|T|$ bits, we let the prover send $\mathbf {c}^\star $ which enables the verifier to compute the value $\mathsf {ENC}(\mathbf {c}^\star )$ and which costs only $N+ \mathfrak {m}_2$ bits. Due to this modification, the results from [45] are not directly applicable to our protocol, and thus, in the proof of Theorem 1, we will analyze the protocol from scratch.

Theorem 1

Suppose that $\mathsf {COM}$ is a statistically hiding and computationally binding string commitment. Then, the protocol described above is a statistical $\mathsf {ZKAoK}$ for the considered relation, with perfect completeness, soundness error 2 / 3 and communication cost $\zeta + 2 + N + \mathfrak {m}_2 + 2(\mathfrak {m}_1 + \mathfrak {m}_2) \lceil \log _2 q\rceil + 2N + 4|T|$, where $\zeta = \mathcal {O}(n \log n)$ is the total bit-size of $\mathrm {CMT}$ and two commitment randomness.

Proof

We first analyze the completeness and efficiency of the protocol. Then we prove that it is a zero-knowledge argument of knowledge.

Completeness. Suppose that the prover is honest and follows the protocol. Then, observe that the verifier outputs 1 under the following conditions.

1.
$\mathbf {t} \boxplus \mathbf {v} = \varGamma _{\mathbf {c}}(\mathbf {z})$. This conditions holds, since $\mathbf {w} = \mathsf {ENC}(\mathbf {s})$, and by equivalence (7), we have $\mathbf {t} = \mathsf {ENC}(\mathbf {c}^\star )= \mathsf {ENC}(\mathbf {s} + \mathbf {c} \bmod 2) = \varGamma _{\mathbf {c}}(\mathsf {ENC}(\mathbf {s})) = \varGamma _{\mathbf {c}}(\mathbf {w})$. Hence, $\mathbf {t} \boxplus \mathbf {v} = \varGamma _{\mathbf {c}}(\mathbf {w}) \boxplus \varGamma _{\mathbf {c}}(\mathbf {r}) = \varGamma _{\mathbf {c}}(\mathbf {w} \boxplus \mathbf {r}) = \varGamma _{\mathbf {c}}(\mathbf {z}).$
2.
$\mathbf {M}_1\cdot \mathbf {x}_1 - \mathbf {u}_1 = \mathbf {M}_1\cdot \mathbf {r}_1 \bmod q$ and $\mathbf {M}_2\cdot \mathbf {x}_2 - \mathbf {u}_2 = \mathbf {M}_2\cdot \mathbf {r}_2 \bmod 2$. These two equations hold, because $\mathbf {x}_1 = \mathbf {w}_1 + \mathbf {r}_1 \bmod q$, $\mathbf {x}_2 = \mathbf {w}_2 + \mathbf {r}_2 \bmod 2$ and $\mathbf {M}_1 \cdot \mathbf {w}_1 = \mathbf {u}_1 \bmod q$, $\mathbf {M}_2 \cdot \mathbf {w}_2 = \mathbf {u}_2 \bmod 2$.

Therefore, the protocol has perfect completeness.

Efficiency. Both prover and verifier only have to carry out $\mathcal {O}(d)$ simple operations modulo q and modulo 2. In terms of communication cost, apart from $\zeta $ bits needed for transferring CMT and two commitment randomness, the prover has to send a vector in $\{0,1\}^{N+ \mathfrak {m}_2}$, a vector in $\mathbb {Z}_q^{d_1}$ and a vector in $\mathbb {Z}_2^{d_2}$, while the verifier only has to send 2 bits. Thus, the total cost is $\zeta + 2 + N + \mathfrak {m}_2 + 2(\mathfrak {m}_1 + \mathfrak {m}_2) \lceil \log _2 q\rceil + 2N + 4|T|$ bits. (When $\mathsf {COM}$ is the KTX string commitment scheme, we have $\zeta = 3n\lceil \log _2 q\rceil + 2m$.)

Zero-Knowledge Property. We construct a PPT simulator $\mathsf {SIM}$ interacting with a (possibly dishonest) verifier $\widehat{\mathcal {V}}$, such that, given only the public input, it outputs with probability negligibly close to 2 / 3 a simulated transcript that is statistically close to the one produced by the honest prover in the real interaction.

The simulator first chooses a random $\overline{Ch} \in \{1,2,3\}$ as a prediction of the challenge value that $\widehat{\mathcal {V}}$ will not choose.

Case $\overline{Ch}=1$: $\mathsf {SIM}$ uses linear algebra over $\mathbb {Z}_{q}$ and $\mathbb {Z}_2$ to find $\mathbf {w}'_1 \in \mathbb {Z}_{q}^{d_1}$ and $\mathbf {w}'_2 \in \mathbb {Z}_2^{d_2}$ s.t. $\mathbf {M}_1\cdot \mathbf {w}'_1 = \mathbf {u}_1 \bmod q$ and $\mathbf {M}_2 \cdot \mathbf {w}'_2 = \mathbf {u}_2 \bmod 2$. Let $\mathbf {w}' = (\mathbf {w}'_1 \Vert \mathbf {w}'_2)$.

Next, it samples $\mathbf {c} \leftarrow U(\{0,1\}^{N + \mathfrak {m}_2})$, $\mathbf {r}_1 \leftarrow U(\mathbb {Z}_{q}^{d_1}), \mathbf {r}_2 \leftarrow U(\mathbb {Z}_{2}^{d_2})$, and computes $\mathbf {r} = (\mathbf {r}_1 \Vert \mathbf {r}_2)$, $\mathbf {z}' = \mathbf {w}' \boxplus \mathbf {r}$. Then, it samples randomness $\rho _1, \rho _2, \rho _3$ for $\mathsf {COM}$ and sends the commitment $\mathrm {CMT}= \big (C'_1, C'_2, C'_3\big )$ to $\widehat{\mathcal {V}}$, where

$$\begin{aligned}&C'_1 = \mathsf {COM}(\mathbf {c}, \mathbf {M}_1\cdot \mathbf {r}_1 \bmod q, \mathbf {M}_2 \cdot \mathbf {r}_2 \bmod 2; \rho _1), \\&\,C'_2 = \mathsf {COM}(\varGamma _{\mathbf {c}}(\mathbf {r}); \rho _2), \quad C'_3 = \mathsf {COM}(\varGamma _{\mathbf {c}}(\mathbf {z}'); \rho _3). \end{aligned}$$

Receiving a challenge Ch from $\widehat{\mathcal {V}}$, the simulator responds as follows:

If $Ch=1$: Output $\bot $ and abort.
If $Ch=2$: Send $\mathrm {RSP} = \big (\mathbf {c}, \mathbf {z}' , \rho _1, \rho _3 \big )$.
If $Ch=3$: Send $\mathrm {RSP} = \big (\mathbf {c}, \mathbf {r}, \rho _1, \rho _2\big )$.

Case $\overline{Ch}=2$: $\mathsf {SIM}$ samples $\mathbf {s}' \leftarrow U(\{0,1\}^{N+\mathfrak {m}_2})$ and computes $\mathbf {w}' = \mathsf {ENC}(\mathbf {s}')$. Next, it picks $\mathbf {c} \leftarrow U(\{0,1\}^{N+\mathfrak {m}_2})$, and $\mathbf {r}_1 \leftarrow U(\mathbb {Z}_{q}^{d_1}), \mathbf {r}_2 \leftarrow U(\mathbb {Z}_{2}^{d_2})$, and computes $\mathbf {r} = (\mathbf {r}_1 \Vert \mathbf {r}_2)$, $\mathbf {z}' = \mathbf {w}' \boxplus \mathbf {r}$. Then, it samples randomness $\rho _1, \rho _2, \rho _3$ for $\mathsf {COM}$ and sends the commitment $\mathrm {CMT}= \big (C'_1, C'_2, C'_3\big )$ to $\widehat{\mathcal {V}}$, where

$$\begin{aligned}&C'_1 = \mathsf {COM}(\mathbf {c}, \mathbf {M}_1\cdot \mathbf {r}_1 \bmod q, \mathbf {M}_2 \cdot \mathbf {r}_2 \bmod 2; \,\,\rho _1), \\&\,\, C'_2 = \mathsf {COM}(\varGamma _{\mathbf {c}}(\mathbf {r}); \,\rho _2), \quad C'_3 = \mathsf {COM}(\varGamma _{\mathbf {c}}(\mathbf {z}'); \,\rho _3). \end{aligned}$$

Receiving a challenge Ch from $\widehat{\mathcal {V}}$, the simulator responds as follows:

If $Ch=1$: Send $\mathrm {RSP} = \big (\mathbf {s}' + \mathbf {c} \bmod 2, \varGamma _{\mathbf {c}}(\mathbf {r}), \rho _2, \rho _3\big )$.
If $Ch=2$: Output $\bot $ and abort.
If $Ch=3$: Send $\mathrm {RSP} = \big (\mathbf {c}, \mathbf {r}, \rho _1, \rho _2\big )$.

Case $\overline{Ch}=3$: $\mathsf {SIM}$ prepares $\mathrm {CMT}= \big (C'_1, C'_2, C'_3\big )$ as in the case $\overline{Ch}=2$ above, except that $C'_1$ is computed as

$$\begin{aligned} C'_1 = \mathsf {COM}(\mathbf {c}, \mathbf {M}_1\cdot (\mathbf {w}'_1 + \mathbf {r}_1) - \mathbf {u}_1 \bmod q, \mathbf {M}_2 \cdot (\mathbf {w}'_2 + \mathbf {r}_2) - \mathbf {u}_2 \bmod 2; \,\,\rho _1). \end{aligned}$$

Receiving a challenge Ch from $\widehat{\mathcal {V}}$, it responds as follows:

If $Ch=1$: Send $\mathrm {RSP}$ computed as in the case $(\overline{Ch}=2, Ch=1)$.
If $Ch=2$: Send $\mathrm {RSP}$ computed as in the case $(\overline{Ch}=1, Ch=2)$.
If $Ch=3$: Output $\bot $ and abort.

In all the above cases, since $\mathsf {COM}$ is statistically hiding, the distribution of the commitment $\mathrm {CMT}$ and that of the challenge Ch from $\widehat{\mathcal {V}}$ are statistically close to those of the real interaction. Hence, the probability that the simulator outputs $\bot $ is negligibly far from 1 / 3. Moreover, whenever the simulator does not halt, it provides an accepting transcript, of which the distribution is statistically close to that of the prover in a real interaction. We thus described a simulator that can successfully emulate the honest prover with probability negligibly close to 2 / 3.

Argument of Knowledge. Suppose that we have $\mathrm {RSP}_1 = (\mathbf {c}^\star , \mathbf {v}, \rho _2^{(1)}, \rho _3^{(1)}) $, $\mathrm {RSP}_2 = (\mathbf {b}, \mathbf {x}, \rho _1^{(2)}, \rho _3^{(2)})$, and $ \mathrm {RSP}_3 = (\mathbf {e}, \mathbf {y}, \rho _1^{(3)}, \rho _2^{(3)})$, which are accepting transcripts for the three possible values of the challenge and the same commitment $\mathrm {CMT} = (C_1, C_2, C_3)$. Let us parse $\mathbf {x}$ and $\mathbf {y}$ as $\mathbf {x} = (\mathbf {x}_1 \Vert \mathbf {x}_2)$, $\mathbf {y} = (\mathbf {y}_1 \Vert \mathbf {y}_2)$, where $\mathbf {x}_1, \mathbf {y}_1 \in \mathbb {Z}_{q}^{d_1}$ and $\mathbf {x}_2, \mathbf {y}_2 \in \mathbb {Z}_2^{d_2}$. The validity of the given responses implies that:

$$ {\left\{ \begin{array}{ll} C_1 = \mathsf {COM}(\mathbf {b}, \mathbf {M}_1\cdot \mathbf {x}_1 - \mathbf {u}_1 \bmod q, \mathbf {M}_2\cdot \mathbf {x}_2 - \mathbf {u}_2 \bmod 2; \rho _1^{(2)}); \\ C_1 = \mathsf {COM}(\mathbf {e}, \mathbf {M}_1\cdot \mathbf {y}_1 \bmod q, \mathbf {M}_2 \cdot \mathbf {y}_2 \bmod 2; \rho _1^{(3)}); \\ C_2 = \mathsf {COM}(\mathbf {v}; \rho _2^{(1)}) = \mathsf {COM}(\varGamma _{\mathbf {e}}(\mathbf {y}); \rho _2^{3}); \\ C_3 = \mathsf {COM}(\mathbf {t} \boxplus \mathbf {v}; \rho _3^{(1)}) = \mathsf {COM}(\varGamma _{\mathbf {b}}(\mathbf {x}); \rho _3^{(2)}), \end{array}\right. } $$

where $\mathbf {t} = \mathsf {ENC}(\mathbf {c}^\star )$. Since COM is computationally binding, we can deduce that:

Let $\mathbf {s}' = \mathbf {c}^\star + \mathbf {e} \bmod 2$ and $\mathbf {w}' = [\varGamma _{\mathbf {e}}]^{-1}(\mathbf {t})$. Since $\mathbf {t} = \mathsf {ENC}(\mathbf {c}^\star )$, by equivalence (7), we have that $\mathbf {w}' = \mathsf {ENC}(\mathbf {s}')$. Furthermore, note that $\varGamma _{\mathbf {e}}(\mathbf {w}') \boxplus \varGamma _{\mathbf {e}}(\mathbf {y}) = \varGamma _{\mathbf {e}}(\mathbf {x})$, which implies that $\mathbf {w}' \boxplus \mathbf {y} = \mathbf {x}$.

Now, parse $\mathbf {w}'$ as $\mathbf {w}' = (\mathbf {w}'_1 \Vert \mathbf {w}'_2)$, where $\mathbf {w}'_1 \in \{0,1\}^{d_1}$ and $\mathbf {w}'_2 \in \{0,1\}^{d_2}$. Then, we have $\mathbf {w}'_1 + \mathbf {y}_1 = \mathbf {x}_1 \bmod q$, $\mathbf {w}'_2 + \mathbf {y}_2 = \mathbf {x}_2 \bmod 2$, and

$$\begin{aligned} \mathbf {M}_1 \cdot \mathbf {w}'_1 = \mathbf {M}_1\cdot \mathbf {x}_1 - \mathbf {M}_1\cdot \mathbf {y}_1 = \mathbf {u}_1\bmod q; \\ \mathbf {M}_2 \cdot \mathbf {w}'_2 = \mathbf {M}_2\cdot \mathbf {x}_2 - \mathbf {M}_2\cdot \mathbf {y}_2 = \mathbf {u}_2\bmod 2. \end{aligned}$$

This implies $\mathbf {w}'= (\mathbf {w}'_1 \Vert \mathbf {w}'_2) = \mathsf {ENC}(\mathbf {s}')$, as well as $\mathbf {M}_1 \cdot \mathbf {w}'_1 = \mathbf {u}_1 \bmod q$ and $\mathbf {M}_2 \cdot \mathbf {w}'_2= \mathbf {u}_2 \bmod 2$. Let $\mathbf {s}' = (s'_1, \ldots , s'_{\mathfrak {m}_1}, \ldots , s'_N, \ldots , s'_{N+\mathfrak {m}_2}) \in \{0,1\}^{N + \mathfrak {m}_2}$. By reversing the transformations, it can be seen that the bits of $\mathbf {s}'$ satisfy

$$\begin{aligned} \sum _{i \in [\mathfrak {m}_1]} \mathbf {g}_{i}\cdot s'_i + \sum _{j \in [\mathfrak {m}_2]} \mathbf {b}_{j}\cdot s'_{N+j} = \mathbf {u}_1 \bmod q; \\ \forall \ell \in [n_2]:~ \sum _{k=1}^N h_{\ell ,k} \cdot s'_k + \sum _{t=1}^{|T|} f_{\ell ,t}\cdot (s'_{i_t}\cdot s'_{j_t}) = v_\ell \bmod 2. \end{aligned}$$

Hence, we have extracted $\mathbf {s}' = (s'_1, \ldots , s'_{\mathfrak {m}_1}, \ldots , s'_N, \ldots , s'_{N+\mathfrak {m}_2})$, which is a valid witness for the considered relation. $\square $

As we mentioned earlier, all the statements we will consider in the next sections will be reduced into instances of the presented general protocol. For each of them, we will employ the same strategy. First, we demonstrate that the considered statement can be expressed as an equation modulo q of the form (5) and equations modulo 2 of the form (6). This implies that we can run the general protocol to handle the statement, and obtain a statistical ZKAoK via Theorem 1. Next, as the complexity of the protocol depends on $\mathfrak {m}_1 + \mathfrak {m}_2, N, |T|$, we count these respective numbers in order to evaluate its communication cost.

4 Zero-Knowledge Arguments for Integer Additions

This section presents our lattice-based ZK argument system for additive relation among committed integers. Let n be the security parameter, and let $L = \mathsf {poly}(n)$. Given KTX commitments to L-bit integers $X = (x_{L-1},\ldots , x_0)_2$, $Y = (y_{L-1},\ldots , y_0)_2$ and $(L+1)$-bit integer $Z = (z_{L}, z_{L-1}, \ldots , z_0)_2$, the protocol allows the prover to convince the verifier in ZK that $X + Y = Z$ over $\mathbb {Z}$.

As discussed in Sects. 1 and 2.1, using different flavors of the KTX commitment scheme, we can commit to all the bits of X, Y, Z at once or a bit-by-bit fashion. Both approaches are both compatible with (and independent of) our ZK techniques. Depending on which commitments we use, we obtain different give trade-offs in terms of parameters, key sizes, security assumptions and communication costs. In the following, we will use the former variant, which yields communication complexity $\widetilde{\mathcal {O}}(L + n)$. Our protocol can be easily adjusted to handle the bit-wise commitment variant, which yields complexity $\widetilde{\mathcal {O}}(L \cdot n)$, but allows smaller parameters, smaller keys and weaker lattice assumption.

Commitments. Let a prime $q = \widetilde{\mathcal {O}}(\sqrt{L} \cdot n)$ and ${m = n(\lceil \log _2 q\rceil +3)}$. Choose a commitment key $(\mathbf {a}_0, \ldots , \mathbf {a}_{L-1}, \mathbf {a}_L, \mathbf {b}_1, \ldots , \mathbf {b}_m)\, \hookleftarrow U(\mathbb {Z}_q^{n \times (L+m+1)})$. To commit to X, Y, Z, sample ${r}_{i,1}, \,\, \ldots , r_{i, m}, \hookleftarrow U(\{0,1\}) $, for $i \in \{1,2,3\}$, and compute

$$\begin{aligned} {\left\{ \begin{array}{ll} \sum \nolimits _{i=0}^{L-1} \mathbf {a}_i \cdot x_i + \sum _{j=1}^m \mathbf {b}_j \cdot r_{1,j} = \mathbf {c}_x \bmod q; \\ \sum \nolimits _{i=0}^{L-1} \mathbf {a}_i \cdot y_i + \sum _{j=1}^m \mathbf {b}_j \cdot r_{2,j} = \mathbf {c}_y \bmod q; \\ \sum \nolimits _{i=0}^{L} \mathbf {a}_i \cdot z_i + \sum _{j=1}^m \mathbf {b}_j \cdot r_{3,j} = \mathbf {c}_z \bmod q, \end{array}\right. } \end{aligned}$$

(10)

and output commitments ${\mathbf {c}_x, \mathbf {c}_y, \mathbf {c}_z \in \mathbb {Z}_q^n}$. The scheme relies on the worst-case hardness of ${\mathsf {SIVP}_\gamma }$, for ${\gamma = \widetilde{\mathcal {O}}(\sqrt{L}\cdot n)}$.

Before presenting our protocol, we note that the three equations (10) can be unified into one equation of the form

$$\begin{aligned} \sum _{i=0}^{L-1} \mathbf {a}^{(1)}_{i} \cdot x_{i} + \sum _{i = 0}^{L-1} \mathbf {a}^{(2)}_{i}\cdot y_i + \sum _{i=0}^{L} \mathbf {a}^{(3)}_{i}\cdot z_i +\,\sum _{(i,j) \in [3] \times [m]}\,\mathbf {b}^{(i)}_{j}\cdot r_{i,j} = \mathbf {c} \bmod q,\quad \, \end{aligned}$$

(11)

where are extensions of are extensions of $\mathbf {b}_j$; and $\mathbf {c} = (\mathbf {c}_x \Vert \mathbf {c}_y \Vert \mathbf {c}_z) \in \mathbb {Z}_q^{3n}$. Having done this simple transformation, we observe that Eq. (11) does have the form captured by Eq. (5) in the protocol we put forward in Sect. 3. Here, the secret bits contained in the equations are the bits of X, Y, Z and those of the commitment randomness.

Proving Integer Additions. At a high level, our main idea consists in translating the addition operation $X+ Y$ over the integers into the binary addition operation with carries of $(x_{L-1}, \ldots , x_0)_2$ and $(y_{L-1}, \ldots , y_0)_2$ and proving that this process indeed yields result $(z_{L}, z_{L-1}, \ldots , z_0)_2$. For the latter statement, we capture the whole process as equations modulo 2 that contain linear and quadratic terms, and show how this statement, when combined with the commitment equations (11), reduces to an instance of the protocol of Sect. 3.

Let us first consider the addition of two bits x, y with carry-in bit $c_\mathsf{in}$. Let the output be bit z and the carry-out bit be $c_\mathsf{out}$. Then, observe that the relation among $x, y, z, c_\mathsf{in}, c_\mathsf{out} \in \{0,1\}$ is captured by equations

Therefore, the addition with carries of $(x_{L-1}, \ldots , x_0)_2$ and $(y_{L-1}, \ldots , y_0)_2$ results in $(z_{L}, z_{L-1}, \ldots , z_0)_2$ if and only if the following equations hold:

$$\begin{aligned} {\left\{ \begin{array}{ll} z_0 + x_0 + y_0 = 0 \bmod 2; \\ c_1 + x_0 \cdot y_0 = 0 \bmod 2; \\ z_1 + x_1 + y_1 + c_1 = 0 \bmod 2; \\ c_2 + x_1 \cdot y_1 + z_1 \cdot c_1 + c_1 = 0 \bmod 2; \\ \qquad \quad \vdots \\ z_{L-1} + x_{L-1} + y_{L-1} + c_{L-1} = 0 \bmod 2; \\ z_L + x_{L-1}\cdot y_{L-1} + z_{L-1}\cdot c_{L-1} + c_{L-1} = 0 \bmod 2 . \end{array}\right. } \end{aligned}$$

(12)

Here, for each $i \in \{1, \ldots , L-1\}$, $c_i$ denotes the carry-out bit at the i-th step which is also the carry-in bit at the $(i+1)$-th step. (The last carry-out bit is $z_L$.)

Now, observe that, together with Eq. (11), the 2L equations in (12) lead us to an instance of the protocol of Sect. 3. It indeed fits the pattern if we let $N: = 4L$, $\mathfrak {m}_1: = 3L+1$, $\mathfrak {m}_2: = 3m$ and denote the ordered tuple of $N+ \mathfrak {m}_2$ secret bits $\big (x_0, \ldots , x_{L-1}, y_0, \ldots , y_{L-1}, z_0, \ldots , z_L, c_1, \ldots , c_{L-1}, r_{1,1}, \ldots , r_{3,m} \big )$ by $\big (s_1, \ldots , s_{N+ \mathfrak {m}_2}\big )$. Then, note that the first $\mathfrak {m}_1$ bits $s_1, \ldots , s_{\mathfrak {m}_1}$ and the last $\mathfrak {m}_2$ bits $s_{N+1}, \ldots , s_{N + \mathfrak {m}_2}$ satisfy the linear equation modulo q from (11), while the first N bits $s_1, \ldots , s_N$ satisfy the equations modulo 2 in (12), which contain N linear terms and a total of $|T|: = 2L-1$ quadratic terms, i.e.:

$$ x_0 \cdot y_0, \,x_1 \cdot y_1, \,\,z_1 \cdot c_1, \,\ldots , \,\,x_{L-1}\cdot y_{L-1}, \,\,z_{L-1}\cdot c_{L-1}. $$

As a result, our ZK argument system can be obtained from the protocol constructed in Sect. 3. The protocol is a statistical ZKAoK assuming the security of two variants of the KTX commitment scheme: the variant used to commit to X, Y, Z - which relies on the hardness of $\mathsf {SIVP}_{\widetilde{\mathcal {O}}(\sqrt{L}\cdot n)}$, and the commitment COM used in the interaction between two parties - which relies on the hardness of $\mathsf {SIVP}_{\widetilde{\mathcal {O}}(n)}$. By Theorem 1, each execution of the protocol has perfect completeness, soundness error 2 / 3 and communication cost

$$ \mathcal {O}(n \log n) + 3m + 2(3L+1 + 3m)\lceil \log _2 q\rceil + 20L $$

bits, where $\mathcal {O}(n \log n)$ is the total bit-size of 3 KTX commitments (sent by the prover in the first move) and 2 commitment randomness. Here, it is important to note that the cost of proving knowledge of valid openings for $\mathbf {c}_x, \mathbf {c}_y, \mathbf {c}_z$ is $\mathcal {O}(n \log n) + 3m + 2(3L+1 + 3m)\lceil \log _2 q\rceil $ bits. Thus, the actual cost for proving the addition relation is 20L bits.

We further remark that the protocol can easily be adapted to less challenging situations such as: (i) The bit-size of the sum Z is public known to be exactly L (instead of $L+1$); (ii) Not all elements X, Y, Z need to be hidden and committed. Indeed, in those scenarios, our strategy of expressing the considered relations as equations modulo q and modulo 2 easily goes through. Moreover, it even simplifies the resulting protocols and reduces their complexity because the number of secret bits to deal with is smaller than in the above protocol.

5 Logarithmic-Size Arguments for Range Membership and Set Non-Membership

We present two applications of our zero-knowledge protocol for integer additions from Sect. 4: range membership and set non-membership arguments.

5.1 Range Membership Arguments

Our range arguments build on the integer addition protocol of Sect. 4. We consider the problem of proving in ZK that a committed integer X satisfies $X \in [\alpha , \beta ]$, i.e., $\alpha \le X \le \beta $, for publicly known integers $\alpha , \beta $.

Let $L = \mathsf {poly}(n)$, $q = \widetilde{\mathcal {O}}(\sqrt{L}\cdot n)$ and $m = n(\lceil \log _2 q \rceil +3)$. Suppose that L-bit integer $X = (x_{L-1}, \ldots , x_0)_2$ is committed via the KTX commitment scheme, using a public commitment key $\mathbf {a}_0, \ldots , \mathbf {a}_{L-1}, \mathbf {b}_1, \ldots , \mathbf {b}_m \in \mathbb {Z}_q^n$ and randomness $r_1, \ldots , r_m\in \{0,1\}$. Namely, the commitment $\mathbf {c} \in \mathbb {Z}_q^n$ is computed as

$$\begin{aligned} \sum _{i=0}^{L-1} \mathbf {a}_i \cdot x_i + \sum _{j=1}^m \mathbf {b}_j \cdot r_{j} = \mathbf {c} \bmod q. \end{aligned}$$

(13)

Our goal is to prove in ZK that $X \in [\alpha , \beta ]$, for publicly given L-bit integers $\alpha = (\alpha _{L-1}, \ldots , \alpha _0)_2$ and $\beta = (\beta _{L-1}, \ldots , \beta _0)_2$.

The main idea. We observe that X satisfies $\alpha \le X \le \beta $ if and only if there exist non-negative L-bit integers Y, Z such that

$$\begin{aligned} \alpha + Y = X \quad \text { and }\quad X + Z = \beta . \end{aligned}$$

(14)

We thus reduce the task of proving $X \in [\alpha , \beta [$ to proving two addition relations among integers, which can be achieved using the techniques of Sect. 4. To this end, it suffices to demonstrate that the relations among the secret bits of X, Y, Z and public bits of $\alpha , \beta $ can be expressed as equations modulo 2 of the form (6).

The underlying equations modulo 2. Let the bits of integers Y, Z be $(y_{L-1}, \ldots , y_{0})_2$ and $(z_{L-1}, \ldots , z_{0})_2$, respectively. The addition $\alpha + Y = X$ over $\mathbb {Z}$, when viewed as a binary addition with carries, can be expressed as the following 2L equations modulo 2 which contain $L-1$ quadratic terms $x_1 \cdot c_1, \ldots , x_{L-1}\cdot c_{L-1}$.

(15)

The relation $X + Z = \beta $ is handled similarly. We obtain the following 2L equations modulo 2, which contain L quadratic terms $x_0\cdot z_0, x_1 \cdot z_1, \ldots ,$ $x_{L-1}\cdot z_{L-1}$.

(16)

Combining (15) and (16), we obtain a system of 4L equations modulo 2, which contain $N: = 5L -2$ linear terms

$$\begin{aligned} x_{0}, \ldots , x_{L-1}, y_0, \ldots , y_{L-1}, z_{0}, \ldots , z_{L-1}, c_1, \ldots , c_{L-1}, e_1, \ldots , e_{L-1}, \end{aligned}$$

and a total of $|T| = 2L-1$ quadratic terms

$$ x_1 \cdot c_1, \ldots , x_{L-1}\cdot c_{L-1}, x_0\cdot z_0, x_1 \cdot z_1, \ldots , x_{L-1}\cdot z_{L-1}. $$

Putting it altogether. Based on the above transformations, we have translated the task of proving that committed integer X satisfies $X \in [\alpha , \beta ]$ to proving knowledge of $N + \mathfrak {m}_2 = 5L-2 + m$ secret bits

$$\begin{aligned} x_{0}, \ldots , x_{L-1}, y_0, \ldots , y_{L-1}, z_{0}, \ldots , z_{L-1}, c_1, \ldots , c_{L-1}, e_1, \ldots , e_{L-1}, r_1, \ldots , r_m, \end{aligned}$$

(17)

where the first $\mathfrak {m}_1 = L$ bits and the last $\mathfrak {m}_2 = m$ bits satisfy Eq. (13) modulo q, while the first $N = 5L-2$ bits satisfy a system of equations modulo 2 containing N linear terms and $|T| = 2L-1$ quadratic terms. In other words, we have reduced the considered statement to an instance of the general protocol of Sect. 3.2. By running the latter with the witness described in (17), we obtain a statistical ZKAoK hardness of based on the hardness of $\mathsf {SIVP}_{\gamma }$ with factor $\gamma \le \widetilde{\mathcal {O}}(\sqrt{L}\cdot n)$. Each execution of the protocol has perfect completeness, soundness error 2 / 3 and communication cost

$$ \mathcal {O}(n \log n) + m + 2(L + m) \lceil \log _2 q\rceil + 23L $$

bits, where $\mathcal {O}(n \log n)$ is the total bit-size of 3 KTX commitments (sent by the prover in the first move) and 2 commitment randomness. Here, the cost of proving knowledge of a valid opening for $\mathbf {c}$ is $\mathcal {O}(n \log n) + m + 2(L + m) \lceil \log _2 q\rceil $ bits. The actual cost for proving the range membership thus amounts to 23L bits.

Variants. Our techniques can be easily adapted to handle other variants of range membership arguments. To prove a strict inequality, e.g., $X < \beta $ for a given $\beta $, we can simply prove that $X \le \beta -1$ using the above approach. In the case of hidden ranges, e.g., when we need prove that $Y< X < Z$ where X, Y, Z are all committed, then we proceed by proving the existence of non-negative L-bit integers $Y_1, Z_1$ such that $Y + Y_1 +1 = X$ and $X + Z_1 +1 = Z$. This can be done by executing two instances of the protocol for addition relation among committed integers from Sect. 4.

5.2 Set Non-Membership Arguments

In this section, we construct a protocol allowing to prove that a committed element is not in a public set $\mathsf {Set}$. The goal is to do this without relying on a trusted third party to approve the description of $\mathsf {Set}$ by signing its elements or any other means. To this end, we combine our protocols for integer addition and inequalities with arguments of knowledge of a path in a Merkle tree [44]. While Merkle trees were introduced for proving set membership, we (somewhat counter-intuitively) use them for dual purposes.

For security parameter n, choose $q = \widetilde{\mathcal {O}}(n)$, $k = n\lceil \log _2 q\rceil $ and $m = 2k$. Sample uniformly random matrices $\mathbf {A}, \mathbf {B}_0, \mathbf {B}_1 \in \mathbb {Z}_q^{n \times k}$, and denote their columns as $\mathbf {a}_0, \ldots , \mathbf {a}_{k-1}, \mathbf {b}_{0,0}, \ldots , \mathbf {b}_{0,k-1}, \mathbf {b}_{1,0}, \ldots , \mathbf {b}_{1, k-1} \in \mathbb {Z}_q^n$. These vectors will serve as public key for the KTX commitment scheme with k-bit committed values, while matrix $\mathbf {B} = [\mathbf {B}_0 \mid \mathbf {B}_1] \in \mathbb {Z}_q^{n \times 2k}$ will also serve as the public key for the Merkle tree from [43]. Let $\mathbf {G} \in \mathbb {Z}_q^{n \times k}$ be the “powers-of-2” matrix of Sect. 2.1.

Let $X = (x_{k-1}, \ldots , x_0)_2$ be a k-bit integer, and let $\mathbf {c} \in \mathbb {Z}_q^n$ be a KTX commitment to X, i.e., we have the following equation modulo q:

$$\begin{aligned} \sum _{i=0}^{k-1}\mathbf {a}_i \cdot x_i + \sum _{(i,j) \in \{0,1\} \times k} \mathbf {b}_{i,j}\cdot r_{i,j} = \mathbf {c} \bmod q, \end{aligned}$$

(18)

where bits $r_{0,1}, \ldots , r_{1,k} \in \{0,1\}$ are the commitment randomness.

Let $\mathsf {Set} = \{S_1, \ldots , S_{M}\}$ be a public set containing $M = \mathsf {poly}(n)$ integers of bit-size k, where $S_1< S_2< \ldots < S_M$. We wish to prove in ZK that an integer X, which has been committed to via $\mathbf {c} \in \mathbb {Z}_q^n$, does not belong to $\mathsf {Set}$. We aim at communication complexity $\mathcal {O}(\log M)$, so that the protocol scales well for large sets. To this end, we will use the lattice-based Merkle hash tree from [44].

Without loss of generality, assuming that $M = 2^\ell - 2$ for some positive integer $\ell $.^{Footnote 3} For each $i =0, \ldots , M$, let $\mathbf {s}_i \in \{0,1\}^k$ be the binary-vector representation of $S_i$. Let $\mathbf {s}_0 = (0,\ldots , 0)$ and $\mathbf {s}_{M+1} = (1, \ldots , 1)$ be the all-zero and all-one vectors of length k, which represent 0 and $2^k-1$, the smallest and the largest non-negative integers of bit-size k, respectively. Using the SIS-based hash function $h_{\mathbf {B}}$ (see Sect. 2.1), we build a Merkle tree of depth $\ell $ on top of $2^\ell $ vectors $\mathbf {s}_0, \mathbf {s}_1, \ldots , \mathbf {s}_M, \mathbf {s}_{M+1}$ and obtain the root $\mathbf {u} \in \{0,1\}^k$. For each $i\in [0, M+1]$, the tree path from leaf $\mathbf {s}_i$ to root $\mathbf {u}$ is determined by the $\ell $ bits representing integer i.

We prove knowledge of two consecutive paths from leaves $\mathbf {y} \in \{0,1\}^k$ and $\mathbf {z} \in \{0,1\}^k$ to the public root $\mathbf {u}$ such that the k-bit integers Y and Z corresponding to $\mathbf {y}$ and $\mathbf {z}$ satisfy $Y< X < Z$, where X is the integer committed in $\mathbf {c}$.

Let $v_{\ell -1}, \ldots , v_0$ and $w_{\ell -1}, \ldots , w_0$ be the bits determining the paths from the leaves $\mathbf {y}$ and $\mathbf {z}$, respectively, to root $\mathbf {u}$. Then, by “consecutive”, we mean that the $\ell $-bit integers $V = (v_{\ell -1}, \ldots , v_0)_2$ and $W = (w_{\ell -1}, \ldots , w_0)_2$ satisfy $V + 1 = W$.

We remark that the truth of the statement – which is ensured by the soundness of the argument – implies that the integer committed in $\mathbf {c}$ does not belong to $\mathsf {Set}$, assuming the collision-resistance of the Merkle hash tree and the security of the commitment scheme. This is because: (i) The existence of the two tree paths guarantees that $\mathbf {y}, \mathbf {z} \in \mathsf {Set}$; (ii) The fact that they are consecutive further ensures that $(\mathbf {y}, \mathbf {z}) = (\mathbf {s}_i, \mathbf {s}_{i+1})$, for some $i \in [0, M]$; (iii) The inequalities $Y< X < Z$ then implies that either $X < S_1$ or $S_M < X$ or $S_j< X < S_{j+1}$, for some $j \in [1, M-1]$. In either case, it must be true that $X \not \in \mathsf {Set}$.

The considered statement can be divided into 4 steps: (1) Proving knowledge of X committed in $\mathbf {c}$; (2) Proving knowledge of the tree paths from $\mathbf {y}$ and $\mathbf {z}$; (3) Proving the range membership $Y< Z < X$; (4) Proving the addition relation $V+1 = W$. We show that the entire statement can be expressed as one linear equation modulo q together with linear and quadratic equations modulo 2, which allows reducing it to an instance of the general protocol from Sect. 3.2. Regarding (1), we have obtained Eq. (18). As for (2), we use the techniques from [44] to translate Merkle tree inclusions into a set of provable equations modulo q and modulo 2. The sub-statement (3) can be handled as in Sect. 5.1. Finally, (4) can easily be expressed as $2\ell -1$ simple equations modulo 2.

The details of these steps are provided in the full version of the paper. We finally remark that set elements can have a longer representation than $k=n \lceil \log q \rceil $ bits if we hash them into k-bit string before building the Merkle tree. For this purpose, a $\mathsf {SIS}$-based hash function $H_{\mathsf {SIS}} : \{0,1\}^m \rightarrow \mathbb {Z}_q^n$ like [2] should be used to preserve the compatibility with zero-knowledge proofs.

6 Subquadratic Arguments for Integer Multiplications

For $L = \mathsf {poly}(n)$, we consider the problem of proving that committed integers $X = (x_{L-1},\ldots , x_0)_2$, $Y = (y_{L-1},\ldots , y_0)_2$, $Z = (z_{2L-1}, \ldots , z_0)_2$ satisfy the multiplicative relation $Z = XY$. This task can be realized by running L instances of the protocol for integer additions from Sect. 4, but this naive method would yield complexity at least $\mathcal {O}(L^2)$. Our target here is to design an asymptotically more efficient protocol with computation/communication cost subquadratic in L. From a theoretical point of view, such a protocol is particularly interesting, because its execution must somehow employ a subquadratic multiplication algorithm. This inspires us to consider for the first time in the context of ZK proofs the Karatsuba multiplication algorithm [38] that achieves subquadratic complexity $\mathcal {O}(L^{\log _2 3})$. Specifically, we will prove that the result of applying the Karatsuba algorithm to committed integers X, Y is exactly the committed integer Z.

Commitments. Choose a prime $q = \widetilde{\mathcal {O}}(\sqrt{L} \cdot n)$ and let $m = n(\lceil \log _2 q\rceil +3)$. We use the KTX commitment scheme with public key $(\mathbf {a}_0, \ldots , \mathbf {a}_{2L-1}, \mathbf {b}_1, \ldots , \mathbf {b}_m) \hookleftarrow U(\mathbb {Z}_q^{n \times (2L+m)})$. Let $\mathbf {c}_x, \mathbf {c}_y, \mathbf {c}_z \in \mathbb {Z}_q^n$ be commitments to X, Y, Z, where

where bits $\{r_{i,j}\}_{(i,j) \in [3]\times [m]}$ are the commitment randomness. Then, as in Sect. 4, we can unify the 3 equations into one linear equation modulo q:

$$\begin{aligned} \sum _{i=0}^{L-1} \mathbf {a}^{(1)}_{i} \cdot x_{i} + \sum _{i = 0}^{L-1} \mathbf {a}^{(2)}_{i}\cdot y_i + \sum _{i=0}^{2L-1} \mathbf {a}^{(3)}_{i}\cdot z_i +\sum _{(i,j) \in [3] \times [m]}\mathbf {b}^{(i)}_{j}\cdot r_{i,j} = \mathbf {c} \bmod q. \end{aligned}$$

(19)

6.1 An Interpretation of the Karatsuba Algorithm

Let $L = 2^k$ for some positive integer k. We will employ a variant of the Karatsuba algorithm, suggested by Knuth [40, Sect. 4.3.3]. First, we need to interpret the execution of the algorithm in a fashion compatible with our ZK technique.

The First Iteration. For the first application of Karatsuba algorithm, we break X and Y into their “most significant” and “least significant” halves:

$$\begin{aligned} X = [X^{(1)}, X^{(0)}] \text { and } Y = [Y^{(1)}, Y^{(0)}], \end{aligned}$$

(20)

where $X^{(1)}, X^{(0)}, Y^{(1)}, Y^{(0)}$ are L / 2-bit integers. Then, as suggested by Knuth, the product Z can be written as:

(21)

The advantage of Knuth’s approach over Karatsuba’s is that it allows working with the differences $(X^{(1)} - X^{(0)})$, $(Y^{(1)} - Y^{(0)})$ that guarantee to have bit-size L / 2, rather than working with the sums $(X^{(1)} + X^{(0)})$, $(Y^{(1)} + Y^{(0)})$ that cause a burden of carry-on bits. However, this modification introduces a new issue as these differences may be negative, which are more difficult to handle in our setting. For this reason, we need to make sure that we always subtract a smaller integer from a larger one, while preserving the ability to prove correct computations.

Let $\widehat{X}^{(1)}, \widehat{X}^{(0)}$ such that $\widehat{X}^{(1)} \ge \widehat{X}^{(0)}$ and $\{\widehat{X}^{(1)}, \widehat{X}^{(0)}\} = \{X^{(1)}, X^{(0)}\}$. If we use an order control bit b that is assigned value 1 if $X^{(1)} \ge X^{(0)}$, or value 0 otherwise, and let $X^{(2)} = \widehat{X}^{(1)} - \widehat{X}^{(0)} \ge 0$, then we have the relations

$$\begin{aligned} \widehat{X}^{(1)} = b \cdot X^{(1)} + \overline{b}\cdot X^{(0)}; \,\, \widehat{X}^{(0)} = \overline{b} \cdot X^{(1)} + b \cdot X^{(0)}; \,\,\,X^{(2)} + \widehat{X}^{(0)} = \widehat{X}^{(1)}.\qquad \end{aligned}$$

(22)

Conversely, if non-negative integers $X^{(1)}, X^{(0)}, \widehat{X}^{(1)}, \widehat{X}^{(0)}, X^{(2)}$ and bit b satisfy (22), then it holds that $\{\widehat{X}^{(1)}, \widehat{X}^{(0)}\} = \{X^{(1)}, X^{(0)}\}$ and $\widehat{X}^{(1)} \ge \widehat{X}^{(0)}$ and $X^{(2)} = \widehat{X}^{(1)} - \widehat{X}^{(0)}$.

Similarly, we can obtain $\widehat{Y}^{(1)}, \widehat{Y}^{(0)}$ such that $\widehat{Y}^{(1)} \ge \widehat{Y}^{(0)}$, non-negative $Y^{(2)}$ such that $Y^{(2)} = \widehat{Y}^{(1)} - \widehat{Y}^{(0)}$, as well as a control bit d satisfying

$$\begin{aligned} \widehat{Y}^{(1)} = d \cdot {Y}^{(1)} + \overline{d} \cdot Y^{(0)}; \,\, \widehat{Y}^{(0)} = \overline{d} \cdot {Y}^{(1)} + {d} \cdot Y^{(0)}; \,\,Y^{(2)} + \widehat{Y}^{(0)} = \widehat{Y}^{(1)}. \end{aligned}$$

(23)

Relations (22)–(23) essentially establish a “bridge” that allows us to work (in the subtractions ${X}^{(1)} - {X}^{(0)}$ and ${Y}^{(1)} - {Y}^{(0)}$ incurring in (21)) with non-negative integers $X^{(2)}$ and $Y^{(2)}$ instead of possibly negative integers. Indeed, letting $s = b + d \bmod 2$, we have

$$ ({X}^{(1)} - {X}^{(0)})({Y}^{(1)} - {Y}^{(0)}) = \overline{s} \cdot X^{(2)}Y^{(2)} - s \cdot X^{(2)}Y^{(2)}. $$

Then, Eq. (21) can be expressed as

$$\begin{aligned} \nonumber Z = XY = (2^L + 2^{L/2}) Z^{(1)} + (2^{L/2}+1) Z^{(0)} + 2^{L/2} (s \cdot Z^{(2)}) - 2^{L/2} (\overline{s} \cdot Z^{(2)}),\\ \end{aligned}$$

(24)

where $Z^{(1)} = X^{(1)}Y^{(1)}$, $Z^{(0)} = X^{(0)}Y^{(0)}$ and $Z^{(2)} = X^{(2)}Y^{(2)}$ are L-bit integers. These values are computed based on recursive applications of the Karatsuba algorithm until we reach integers of bit-size $L/2^{k-1} = 2$, as described below.

The Recursion. For $t =1$ to $k-2$, and for string $\alpha \in \{0,1,2\}^t$, on input of $L/2^t$-bit integers $X^{(\alpha )} $ and $Y^{(\alpha )} $, we recursively obtain $L/2^{t+1}$-bit integers

$$\begin{aligned} X^{(\alpha 1)}; \,\,X^{(\alpha 0)}; \,\,\widehat{X}^{(\alpha 1)}; \,\,\widehat{X}^{(\alpha 0)}; \,\,X^{(\alpha 2)}; \,\, Y^{(\alpha 1)}; \,\,Y^{(\alpha 0)}; \,\,\widehat{Y}^{(\alpha 1)}; \,\,\widehat{Y}^{(\alpha 0)}; \,\,Y^{(\alpha 2)}, \end{aligned}$$

and bits $b^{(\alpha )}, d^{(\alpha )}, s^{(\alpha )}$ satisfying the following relations.

$$\begin{aligned} {\left\{ \begin{array}{ll} X^{(\alpha )}= [X^{(\alpha 1)}, X^{(\alpha 0)}];\\ \widehat{X}^{(\alpha 1)} = b^{(\alpha )}\cdot X^{(\alpha 1)} + \overline{b}^{(\alpha )}\cdot X^{(\alpha 0)}; \,\, \widehat{X}^{(\alpha 0)} = \overline{b}^{(\alpha )}\cdot X^{(\alpha 1)} + {b}^{(\alpha )}\cdot X^{(\alpha 0)};\\ {X}^{(\alpha 2)} + \widehat{X}^{(\alpha 0)} = \widehat{X}^{(\alpha 1)}; \\ Y^{(\alpha )}= [Y^{(\alpha 1)}, Y^{(\alpha 0)}]; \\ \widehat{Y}^{(\alpha 1)} = d^{(\alpha )}\cdot Y^{(\alpha 1)} + \overline{d}^{(\alpha )}\cdot Y^{(\alpha 0)}; \,\, \widehat{Y}^{(\alpha 0)} = \overline{d}^{(\alpha )}\cdot Y^{(\alpha 1)} + {d}^{(\alpha )}\cdot Y^{(\alpha 0)};\\ {Y}^{(\alpha 2)} + \widehat{Y}^{(\alpha 0)} = \widehat{Y}^{(\alpha 1)}; \\ s^{(\alpha )} = b^{(\alpha )} + d^{(\alpha )} \bmod 2. \end{array}\right. } \end{aligned}$$

(25)

Let $Z^{(\alpha 1)} = X^{(\alpha 1)}Y^{(\alpha 1)}$, $Z^{(\alpha 0)} = X^{(\alpha 0)}Y^{(\alpha 0)}$, $Z^{(\alpha 2)} = X^{(\alpha 2)}Y^{(\alpha 2)}$. Note that these $L/2^t$-bit integers satisfy the equation:

$$\begin{aligned} Z^{(\alpha )}: = X^{(\alpha )}Y^{(\alpha )}= & {} \big (2^{L/2^t} + 2^{L/2^{t+1}}\big )\cdot Z^{(\alpha 1)} + (2^{L/2^{t+1}} + 1)\cdot Z^{(\alpha 0)} \nonumber \\+ & {} 2^{L/2^{t+1}}\cdot (s^{(\alpha )}\cdot Z^{(\alpha 2)}) - 2^{L/2^{t+1}}\cdot (\overline{s}^{(\alpha )}\cdot Z^{(\alpha 2)}). \end{aligned}$$

(26)

We remark that the number of secret bits contained in the integers

$$ \{X^{(\alpha 1)}; \,\, X^{(\alpha 0)}; \,\, \widehat{X}^{(\alpha 1)}; \,\, \widehat{X}^{(\alpha 0)}; \,\, X^{(\alpha 2)} \},\,\, \text { where } \,\,\alpha \in \{0,1,2\}^t, \forall t =0, \ldots , k-2, $$

derived from X in the above process is

$$ 5\cdot \sum _{t=0}^{k-2} \big ( 3^t \cdot \frac{L}{2^{t+1}} \big ) = \frac{5L}{3}\cdot \sum _{t=0}^{k-2} \left( \frac{3}{2}\right) ^{t+1} = \frac{10L}{3}\cdot \left( \frac{3}{2}\right) ^{k} - 5L = \frac{10}{3}\cdot 3^{\log _2 L} - 5L. $$

That is also the number of secret bits in the integers derived from Y. Meanwhile, the number of control bits $b^{(\alpha )}, d^{(\alpha )}, s^{(\alpha )}$ is $3 \cdot \sum _{t=0}^{k-2} 3^t = (3^{\log _2 L} -3)/2$. In total, the process gives us $\mathcal {O}(3^{\log _2 L}) = \mathcal {O}(L^{\log _2 3})$ secret bits.

6.2 Representing All Relations as Equations Modulo 2

As shown in Sects. 4 and 5, to prove that committed integers satisfy some statement, it suffices to demonstrate that the statement can be expressed as one linear equation modulo q together with linear and quadratic equations modulo 2, which effectively reduces it to an instance of the general protocol of Sect. 3.2. We have already obtained the linear equation modulo q from (19). Our main task is now to show that all the relations among $\mathcal {O}(L^{\log _2 3})$ secret bits obtained in Sect. 6.1 can be expressed in terms of linear and quadratic equations modulo 2.

We observe that, apart from the linear equations $s^{(\alpha )} = b^{(\alpha )} + d^{(\alpha )} \bmod 2$, there are several common types of relations among the secret objects derived in Sect. 6.1, for which we handle as follows.

The first type is relation of the form $X^{(\alpha )}= [X^{(\alpha 1)}, X^{(\alpha 0)}]$, between an $L/2^t$-bit integer $X^{(\alpha )}$ and its halves $X^{(\alpha 1)}$ and $X^{(\alpha 0)}$. Let $X^{(\alpha )}= (x^{(\alpha )}_{\frac{L}{2^t} -1}, \ldots , x^{(\alpha )}_0)_2$ and $X^{(\alpha 1)} = (x^{(\alpha 1)}_{\frac{L}{2^{t+1}}-1}, \ldots , x^{(\alpha 1)}_{0})_2$, $X^{(\alpha 0)} = (x^{(\alpha 0)}_{\frac{L}{2^{t+1}}-1}, \ldots , x^{(\alpha 0)}_{0})_2$. This type of relation can be expressed as the following linear equations modulo 2:

$$\begin{aligned} \forall i = 0, \ldots , \frac{L}{2^{t+1}}-1: x^{(\alpha 0)}_{i} + x^{(\alpha )}_i = 0 \bmod 2; \,\, x^{(\alpha 1)}_{i} + x^{(\alpha )}_{i + \frac{L}{2^{t+1}}} = 0 \bmod 2. \end{aligned}$$

The second type is relation of the form

$$ \widehat{X}^{(\alpha 1)} = b^{(\alpha )}\cdot X^{(\alpha 1)} + \overline{b}^{(\alpha )}\cdot X^{(\alpha 0)}; \,\, \widehat{X}^{(\alpha 0)} = \overline{b}^{(\alpha )}\cdot X^{(\alpha 1)} + {b}^{(\alpha )}\cdot X^{(\alpha 0)}, \,\, $$

reflecting how $L/2^{t+1}$-bit integers $\widehat{X}^{(\alpha 1)}, \widehat{X}^{(\alpha 0)}$ are computed from $X^{(\alpha 1)}, X^{(\alpha 0)}$ based on a control bit $b^{(\alpha )}$. This type of relation can be translated into the following equations modulo 2, with respect to the bits of those integers

$$\begin{aligned} \forall i = 0, \ldots , {L}/2^{t+1}-1:&\hat{x}^{(\alpha 1)}_i + b^{(\alpha )}\cdot x^{(\alpha 1)}_i + \overline{b}^{(\alpha )}\cdot x^{(\alpha 0)}_i = 0 \bmod 2; \\ \forall i = 0, \ldots , {L}/{2^{t+1}}-1:&\hat{x}^{(\alpha 0)}_i + \overline{b}^{(\alpha )}\cdot x^{(\alpha 1)}_i + {b}^{(\alpha )}\cdot x^{(\alpha 0)}_i = 0 \bmod 2, \end{aligned}$$

that contains $4 \cdot \frac{L}{2^{t+1}}$ quadratic terms.

The third type is the addition relation ${X}^{(\alpha 2)} + \widehat{X}^{(\alpha 0)} = \widehat{X}^{(\alpha 1)}$ among $L/2^{t+1}$-bit integers. This can be handled using our techniques from Sect. 4, resulting in equations modulo 2 with less than $2\cdot \frac{L}{2^{t+1}}$ quadratic terms in total.

The fourth type of relations appears when we reach the base multiplication of 2-bit integers: e.g., $Z^{(\alpha 1)} = X^{(\alpha 1)}Y^{(\alpha 1)}$, where $\alpha \in \{0,1,2\}^{k-2}$. Let $X^{(\alpha 1)} = (x^{(\alpha 1)}_1, x^{(\alpha 1)}_0)_2$, $Y^{(\alpha 1)} = (y^{(\alpha 1)}_1, y^{(\alpha 1)}_0)_2$ and $Z^{(\alpha 1)} = (z^{(\alpha 1)}_3, z^{(\alpha 1)}_2, z^{(\alpha 1)}_1, z^{(\alpha 1)}_0)_2$. This relation can then be expressed by the following equations modulo 2, which contain 6 quadratic terms.

$$\begin{aligned} {\left\{ \begin{array}{ll} z^{(\alpha 1)}_0 + x^{(\alpha 1)}_0\cdot y^{(\alpha 1)}_0 = 0 \bmod 2; \\ t^{(\alpha 1)}_{1,0} + x^{(\alpha 1)}_1\cdot y^{(\alpha 1)}_0 = 0 \bmod 2; \,\,\,\,// \,\,\,\hbox {assign value}\,\,\, x^{(\alpha 1)}_1\cdot y^{(\alpha 1)}_0\,\,\, \hbox {to}\,\, t^{(\alpha 1)}_{1,0}\\ t^{(\alpha 1)}_{0,1} + x^{(\alpha 1)}_0\cdot y^{(\alpha 1)}_1 = 0 \bmod 2; \,\,\,\,// \,\,\, \hbox {assign value}\,\, x^{(\alpha 1)}_0\cdot y^{(\alpha 1)}_1 \,\,\hbox {to} \,\, t^{(\alpha 1)}_{0,1}\\ z^{(\alpha 1)}_1 + t^{(\alpha 1)}_{1,0} + t^{(\alpha 1)}_{0,1} = 0 \bmod 2; \\ c^{(\alpha 1)}_1 + t^{(\alpha 1)}_{1,0} \cdot t^{(\alpha 1)}_{0,1} = 0 \bmod 2; \,\,\,\,// \,\,\, \hbox {carry bit}\\ t^{(\alpha 1)}_{1,1} + x^{(\alpha 1)}_1\cdot y^{(\alpha 1)}_1 = 0 \bmod 2; \,\,\,\,// \,\,\, \hbox {assign value}\,\,\,\, x^{(\alpha 1)}_1\cdot y^{(\alpha 1)}_1\,\,\, \hbox {to}\,\,\ t^{(\alpha 1)}_{1,1}\\ z^{(\alpha 1)}_2 + t^{(\alpha 1)}_{1,1} + c^{(\alpha 1)}_1 = 0 \bmod 2; \\ z^{(\alpha 1)}_3 + t^{(\alpha 1)}_{1,1} \cdot c^{(\alpha 1)}_1 = 0 \bmod 2, \end{array}\right. } \end{aligned}$$

The other types of relations come into the scene when we add up partial products and their shifts to compute the $Z^{(\alpha )}$’s and finally reach Z, which are reflected by equations (26) and (24). To handle the shifts, e.g., left-shifting integer $Z^{(\alpha 1)}$ by ${L/2^{t+1}}$ positions, we assign an auxiliary variable $\widetilde{Z}^{(\alpha 1)}: = 2^{L/2^{t+1}}\cdot Z^{(\alpha 1)}$ and express the relations between bits of $\widetilde{Z}^{(\alpha 1)}$ and $Z^{(\alpha 1)}$ as linear equations modulo 2, as is done for the first type of relation considered above. After performing all the shifts, we will need to handle a few additions of integers to compute a partial product such as $Z^{(\alpha )}$ in (26). There, the subtraction by $2^{L/2^{t+1}}\cdot (\overline{s}^{(\alpha )}\cdot Z^{(\alpha 2)})$ can be transformed into an equivalent addition relation. Then, we can represent each of the addition operations in (26) as linear and quadratic equations modulo 2.

Based on the above discussion, it can be seen that the whole execution of the Karatsuba algorithm can be expressed as linear and quadratic equations modulo 2. Combining with the linear equation modulo q from (19), we thus obtain an instance of the general protocol from Sect. 3.2. As a result, we achieve a statistical ZKAoK of committed integers X, Y, Z satisfying $XY=Z$. The security of the argument system relies on the binding of the COM used in the interaction and the binding of the commitment variant used for committing to X, Y, Z. Overall, the protocol is secure assuming the hardness of $\mathsf {SIVP}_{\widetilde{\mathcal {O}}(\sqrt{L}\cdot n)}$.

We remark that, in our process of translating the relations in Sect. 6.1 into equations modulo 2, for each type of relations, the number of secret bits and the number of quadratic terms we need to handle are only a constant times larger than those before translating. Thus, the final numbers N and |T| are of order $\mathcal {O}(L^{\log _2 3})$. Meanwhile, from Eq. (19), we obtain that $\mathfrak {m}_1 + \mathfrak {m}_2 = 4L + 3m$. Therefore, when repeating the protocol $\kappa = \omega (\log n)$ times to achieve negligible soundness error, the total communication cost is of order $ \big (\mathcal {O}\big (L + m) \log q\big ) + \mathcal {O}(L^{\log _2 3})\big )\cdot \kappa . $ In terms of computation cost, the total number of bit operations performed by the prover and the verifier is of order $\mathcal {O}(L^{\log _2 3})$, i.e., subquadratic in L.

Notes

1.
These involve a prover wishing to convince a verifier that a committed list contains elements $\{a_i\}_i$ in a specific order without revealing anything else.
2.
For $k,\ell \in \mathbb {N}$, a Diophantine set is a set of the form $S = \{ \varvec{x} \in \mathbb {Z}^k \mid \exists \varvec{w} \in \mathbb {Z}^\ell : P_S(\varvec{x},\varvec{w})=0 \}$, for some representing polynomial $P_S(\varvec{X},\varvec{W})$ defined over integer vectors $\varvec{X} \in \mathbb {Z}^k$, $\varvec{W} \in \mathbb {Z}^\ell $. Any recursively enumerable set is [24] Diophantine.
3.
If M does not have this form, one can duplicate $S_1$ sufficiently many times until the cardinality of the set has this property. Our protocol remains the same in this case.

References

Adleman, L., Mander, K.: Diophantine complexity. In: SFCS, pp. 81–88. IEEE Computer Society (1976)
Google Scholar
Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: STOC 1996 (1996)
Google Scholar
Ajtai, M.: Generating hard instances of the short basis problem. In: Wiedermann, J., van Emde Boas, P., Nielsen, M. (eds.) ICALP 1999. LNCS, vol. 1644, pp. 1–9. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48523-6_1
Chapter Google Scholar
Barić, N., Pfitzmann, B.: Collision-free accumulators and fail-stop signature schemes without trees. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 480–494. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_33
Chapter Google Scholar
Baum, C., Damgård, I., Oechsner, S., Peikert, C.: Efficient commitments and zero-knowledge protocols from ring-sis with applications to lattice-based threshold cryptosystems. IACR Cryptology ePrint Archive, 2016:997 (2016)
Google Scholar
Bayer, S., Groth, J.: Zero-knowledge argument for polynomial evaluation with application to blacklists. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 646–663. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_38
Chapter Google Scholar
Bellare, M., Goldwasser, S.: Verifiable partial key escrow. In: ACM-CCS (1997)
Google Scholar
Benhamouda, F., Krenn, S., Lyubashevsky, V., Pietrzak, K.: Efficient zero-knowledge proofs for commitments from learning with errors over rings. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9326, pp. 305–325. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24174-6_16
Chapter Google Scholar
Boudot, F.: Efficient proofs that a committed number lies in an interval. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 431–444. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_31
Chapter MATH Google Scholar
Brickell, E.F., Chaum, D., Damgård, I.B., van de Graaf, J.: Gradual and verifiable release of a secret (Extended Abstract). In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 156–166. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-48184-2_11
Chapter Google Scholar
Camacho, P., Hevia, A., Kiwi, M.A., Opazo, R.: Strong accumulators from collision-resistant hashing. Int. J. Inf. Sec. 11(5), 349–363 (2012)
Article Google Scholar
Camenisch, J., Chaabouni, R., Shelat, A.: Efficient protocols for set membership and range proofs. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 234–252. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89255-7_15
Chapter Google Scholar
Camenisch, J., Hohenberger, S., Lysyanskaya, A.: Compact e-cash. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 302–321. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_18
Chapter Google Scholar
Camenisch, J., Lysyanskaya, A.: An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 93–118. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_7
Chapter Google Scholar
Camenisch, J., Lysyanskaya, A.: Dynamic accumulators and application to efficient revocation of anonymous credentials. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 61–76. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_5
Chapter Google Scholar
Camenisch, J., Lysyanskaya, A.: Signature schemes and anonymous credentials from bilinear maps. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 56–72. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_4
Chapter Google Scholar
Chaabouni, R.: Enhancing privacy protection: set membership, range proofs, and the extended access control. Ph.D. thesis, EPFL, Lausanne (2017)
Google Scholar
Chaabouni, R., Lipmaa, H., Zhang, B.: A non-interactive range proof with constant communication. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 179–199. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32946-3_14
Chapter Google Scholar
Chan, A., Frankel, Y., Tsiounis, Y.: Easy come — easy go divisible cash. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 561–575. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054154
Chapter Google Scholar
Chase, M., Derler, D., Goldfeder, S., Orlandi, C., Ramacher, S., Rechberger, C., Slamanig, D., Zaverucha, G.: Post-quantum zero-knowledge and signatures from symmetric-key primitives. In: ACM-CCS (2017)
Google Scholar
Couteau, G., Peters, T., Pointcheval, D.: Removing the strong RSA assumption from arguments over the integers. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 321–350. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_11
Chapter Google Scholar
Damgård, I., Fujisaki, E.: A statistically-hiding integer commitment scheme based on groups with hidden order. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 125–142. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36178-2_8
Chapter Google Scholar
Damgård, I., Jurik, M.: A generalisation, a simplification and some applications of Paillier’s probabilistic public-key system. In: Kim, K. (ed.) PKC 2001. LNCS, vol. 1992, pp. 119–136. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44586-2_9
Chapter Google Scholar
Davis, M., Putnam, H., Robinson, J.: The decision problem for exponential diophantine equations. Ann. Math. 74, 425–436 (1961)
Article MathSciNet Google Scholar
Fujisaki, E., Okamoto, T.: Statistical zero knowledge protocols to prove modular polynomial relations. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 16–30. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052225
Chapter Google Scholar
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC (2008)
Google Scholar
Ghosh, E., Ohrimenko, O., Tamassia, R.: Zero-knowledge authenticated order queries and order statistics on a list. In: Malkin, T., Kolesnikov, V., Lewko, A.B., Polychronakis, M. (eds.) ACNS 2015. LNCS, vol. 9092, pp. 149–171. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-28166-7_8
Chapter MATH Google Scholar
Giacomelli, I., Madsen, J., Orlandi, C.: ZKBoo: faster zero-knowledge for Boolean circuits. In: USENIX Security Symposium (2016)
Google Scholar
Goldwasser, S., Kalai, Y.T., Peikert, C., Vaikuntanathan, V.: Robustness of the learning with errors assumption. In: ICS 2010, pp. 230–240 (2010)
Google Scholar
Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof-systems. In: STOC (1985)
Google Scholar
González, A., Ráfols, C.: New techniques for non-interactive shuffle and range arguments. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 427–444. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39555-5_23
Chapter MATH Google Scholar
Groth, J.: Evaluating security of voting schemes in the universal composability framework. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 46–60. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24852-1_4
Chapter MATH Google Scholar
Groth, J.: Cryptography in subgroups of $\mathbb{Z}_{n}^{*}$. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 50–65. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30576-7_4
Chapter MATH Google Scholar
Groth, J.: Non-interactive zero-knowledge arguments for voting. In: Ioannidis, J., Keromytis, A., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 467–482. Springer, Heidelberg (2005). https://doi.org/10.1007/11496137_32
Chapter Google Scholar
Groth, J.: Efficient zero-knowledge arguments from two-tiered homomorphic commitments. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 431–448. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_23
Chapter Google Scholar
Ishai, Y., Kushilevitz, E., Ostrovksy, R., Sahai, A.: Zero-knowledge from secure multiparty computation. In: STOC (2007)
Google Scholar
Jain, A., Krenn, S., Pietrzak, K., Tentes, A.: Commitments and efficient zero-knowledge proofs from learning parity with noise. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 663–680. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_40
Chapter Google Scholar
Karatsuba, A., Ofman, Y.: Multiplication of many-digital numbers by automatic computers. Phys. Dokl. 7, 595–596 (1963)
Google Scholar
Kawachi, A., Tanaka, K., Xagawa, K.: Concurrently secure identification schemes based on the worst-case hardness of lattice problems. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 372–389. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89255-7_23
Chapter Google Scholar
Knuth, D.E.: The Art of Computer Programming. Seminumerical Algorithms, vol. 2, 3rd edn. Addison-Wesley, Reading (1998)
MATH Google Scholar
Li, J., Li, N., Xue, R.: Universal accumulators with efficient nonmembership proofs. In: Katz, J., Yung, M. (eds.) ACNS 2007. LNCS, vol. 4521, pp. 253–269. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72738-5_17
Chapter Google Scholar
Libert, B., Ling, S., Mouhartem, F., Nguyen, K., Wang, H.: Zero-knowledge arguments for matrix-vector relations and lattice-based group encryption. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 101–131. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_4
Chapter Google Scholar
Libert, B., Ling, S., Mouhartem, F., Nguyen, K., Wang, H.: Signature schemes with efficient protocols and dynamic group signatures from lattice assumptions. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 373–403. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_13
Chapter Google Scholar
Libert, B., Ling, S., Nguyen, K., Wang, H.: Zero-knowledge arguments for lattice-based accumulators: logarithmic-size ring signatures and group signatures without trapdoors. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 1–31. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_1
Chapter Google Scholar
Libert, B., Ling, S., Nguyen, K., Wang, H.: Zero-knowledge arguments for lattice-based PRFs and applications to e-cash. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10626, pp. 304–335. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70700-6_11
Chapter Google Scholar
Libert, B., Peters, T., Yung, M.: Scalable group signatures with revocation. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 609–627. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_36
Chapter Google Scholar
Ling, S., Nguyen, K., Stehlé, D., Wang, H.: Improved zero-knowledge proofs of knowledge for the ISIS problem, and applications. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 107–124. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_8
Chapter Google Scholar
Lipmaa, H.: On Diophantine complexity and statistical zero-knowledge arguments. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 398–415. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40061-5_26
Chapter Google Scholar
Lipmaa, H., Asokan, N., Niemi, V.: Secure vickrey auctions without threshold trust. In: Blaze, M. (ed.) FC 2002. LNCS, vol. 2357, pp. 87–101. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36504-4_7
Chapter Google Scholar
Lyubashevsky, V.: Lattice-based identification schemes secure under active attacks. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 162–179. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78440-1_10
Chapter Google Scholar
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1
Chapter Google Scholar
Merkle, R.C.: A certified digital signature. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 218–238. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_21
Chapter Google Scholar
Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_41
Chapter Google Scholar
Micciancio, D., Peikert, C.: Hardness of SIS and LWE with small parameters. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 21–39. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_2
Chapter Google Scholar
Micciancio, D., Vadhan, S.P.: Statistical zero-knowledge proofs with efficient provers: lattice problems and more. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 282–298. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_17
Chapter Google Scholar
Nakanishi, T., Fujii, H., Hira, Y., Funabiki, N.: Revocable group signature schemes with constant costs for signing and verifying. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 463–480. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00468-1_26
Chapter Google Scholar
Pedersen, T.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_9
Chapter Google Scholar
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC (2005)
Google Scholar
Stern, J.: A new paradigm for public key identification. IEEE Trans. Inf. Theory 42(6), 2757–2768 (1996)
Article MathSciNet Google Scholar
Xie, X., Xue, R., Wang, M.: Zero knowledge proofs from Ring-LWE. In: Abdalla, M., Nita-Rotaru, C., Dahab, R. (eds.) CANS 2013. LNCS, vol. 8257, pp. 57–73. Springer, Cham (2013). https://doi.org/10.1007/978-3-319-02937-5_4
Chapter Google Scholar

Download references

Acknowledgements

Part of this research was funded by Singapore Ministry of Education under Research Grant MOE2016-T2-2-014(S) and by the French ANR ALAMBIC project (ANR-16-CE39-0006). Another part was funded by BPI-France in the context of the national project RISQ (P141580). This work was also supported in part by the European Union PROMETHEUS project (Horizon 2020 Research and Innovation Program, grant 780701).

Author information

Authors and Affiliations

CNRS, Laboratoire LIP, Lyon, France
Benoît Libert
ENS de Lyon, Laboratoire LIP (U. Lyon, CNRS, ENSL, Inria, UCBL), Lyon, France
Benoît Libert
School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore, Singapore
San Ling, Khoa Nguyen & Huaxiong Wang

Authors

Benoît Libert
View author publications
You can also search for this author in PubMed Google Scholar
San Ling
View author publications
You can also search for this author in PubMed Google Scholar
Khoa Nguyen
View author publications
You can also search for this author in PubMed Google Scholar
Huaxiong Wang
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Benoît Libert .

Editor information

Editors and Affiliations

The University of Texas at Austin, Austin, Texas, USA
Hovav Shacham
Georgia Institute of Technology, Atlanta, Georgia, USA
Alexandra Boldyreva

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Libert, B., Ling, S., Nguyen, K., Wang, H. (2018). Lattice-Based Zero-Knowledge Arguments for Integer Relations. In: Shacham, H., Boldyreva, A. (eds) Advances in Cryptology – CRYPTO 2018. CRYPTO 2018. Lecture Notes in Computer Science(), vol 10992. Springer, Cham. https://doi.org/10.1007/978-3-319-96881-0_24

Download citation

DOI: https://doi.org/10.1007/978-3-319-96881-0_24
Published: 24 July 2018
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-96880-3
Online ISBN: 978-3-319-96881-0
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

the International Association for Cryptologic Research (opens in a new tab)