Towards Non-Interactive Zero-Knowledge for NP from LWE

  • Ron D. Rothblum
  • Adam Sealfon
  • Katerina SotirakiEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11443)


Non-interactive zero-knowledge (\(\mathsf {NIZK}\)) is a fundamental primitive that is widely used in the construction of cryptographic schemes and protocols. Despite this, general purpose constructions of \(\mathsf {NIZK}\) proof systems are only known under a rather limited set of assumptions that are either number-theoretic (and can be broken by a quantum computer) or are not sufficiently well understood, such as obfuscation. Thus, a basic question that has drawn much attention is whether it is possible to construct general-purpose \(\mathsf {NIZK}\) proof systems based on the learning with errors (\(\mathsf {LWE}\)) assumption.

Our main result is a reduction from constructing \(\mathsf {NIZK}\) proof systems for all of \(\mathbf {NP}\) based on \(\mathsf {LWE}\), to constructing a \(\mathsf {NIZK}\) proof system for a particular computational problem on lattices, namely a decisional variant of the Bounded Distance Decoding (\(\mathsf {BDD}\)) problem. That is, we show that assuming \(\mathsf {LWE}\), every language \(L \in \mathbf {NP}\) has a \(\mathsf {NIZK}\) proof system if (and only if) the decisional \(\mathsf {BDD}\) problem has a \(\mathsf {NIZK}\) proof system. This (almost) confirms a conjecture of Peikert and Vaikuntanathan (CRYPTO, 2008).

To construct our \(\mathsf {NIZK}\) proof system, we introduce a new notion that we call prover-assisted oblivious ciphertext sampling (\(\mathsf {POCS}\)), which we believe to be of independent interest. This notion extends the idea of oblivious ciphertext sampling, which allows one to sample ciphertexts without knowing the underlying plaintext. Specifically, we augment the oblivious ciphertext sampler with access to an (untrusted) prover to help it accomplish this task. We show that the existence of encryption schemes with a \(\mathsf {POCS}\) procedure, as well as some additional natural requirements, suffices for obtaining \(\mathsf {NIZK}\) proofs for \(\mathbf {NP}\). We further show that such encryption schemes can be instantiated based on \(\mathsf {LWE}\), assuming the existence of a \(\mathsf {NIZK}\) proof system for the decisional \(\mathsf {BDD}\) problem.


  1. [ACPS09]
    Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009). Scholar
  2. [AFV11]
    Agrawal, S., Freeman, D.M., Vaikuntanathan, V.: Functional encryption for inner product predicates from learning with errors. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 21–40. Springer, Heidelberg (2011). Scholar
  3. [APSD17]
    Alamati, N., Peikert, C., Stephens-Davidowitz, N.: New (and old) proof systems for lattice problems. Cryptology ePrint Archive, Report 2017/1226 (2017)Google Scholar
  4. [BDSMP91]
    Blum, M., De Santis, A., Micali, S., Persiano, G.: Noninteractive zero-knowledge. SIAM J. Comput. 20(6), 1084–1118 (1991)MathSciNetCrossRefGoogle Scholar
  5. [BFM88]
    Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications (extended abstract). In: STOC (1988)Google Scholar
  6. [BKM06]
    Bender, A., Katz, J., Morselli, R.: Rin signatures: stronger definitions, and constructions without random oracles. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 60–79. Springer, Heidelberg (2006). Scholar
  7. [BMW03]
    Bellare, M., Micciancio, D., Warinschi, B.: Foundations of group signatures: formal definitions, simplified requirements, and a construction based on general assumptions. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 614–629. Springer, Heidelberg (2003). Scholar
  8. [BP15]
    Bitansky, N., Paneth, O.: ZAPs and non-interactive witness indistinguishability from indistinguishability obfuscation. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 401–427. Springer, Heidelberg (2015). Scholar
  9. [BR93]
    Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: CCS (1993)Google Scholar
  10. [BRV17]
    Berman, I., Rothblum, R.D., Vaikuntanathan, V.: Zero-knowledge proofs of proximity. IACR Cryptology ePrint Archive 2017:114 (2017)Google Scholar
  11. [BV14]
    Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) \(\sf {LWE}\). SIAM J. Comput. 43(2), 831–871 (2014)MathSciNetCrossRefGoogle Scholar
  12. [BY96]
    Bellare, M., Yung, M.: Certifying permutations: noninteractive zero-knowledge based on any trapdoor permutation. J. Cryptol. 9(3), 149–166 (1996)MathSciNetCrossRefGoogle Scholar
  13. [CCRR18]
    Canetti, R., Chen, Y., Reyzin, L., Rothblum, R.D.: Fiat-shamir and correlation intractability from strong KDM-secure encryption. Cryptology ePrint Archive, Report 2018/131 (2018)Google Scholar
  14. [CGH04]
    Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. J. ACM 51(4), 557–594 (2004)MathSciNetCrossRefGoogle Scholar
  15. [CL17]
    Canetti, R., Lichtenberg, A.: Certifying trapdoor permutations, revisited. IACR Cryptology ePrint Archive 2017:631 (2017)Google Scholar
  16. [DDN03]
    Dolev, D., Dwork, C., Naor, M.: Nonmalleable cryptography. SIAM Rev. 45(4), 727–784 (2003)MathSciNetCrossRefGoogle Scholar
  17. [DN07]
    Dwork, C., Naor, M.: Zaps and their applications. SIAM J. Comput. 36(6), 1513–1543 (2007)MathSciNetCrossRefGoogle Scholar
  18. [dPL17]
    del Pino, R., Lyubashevsky, V.: Amortization with fewer equations for proving knowledge of small secrets. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 365–394. Springer, Cham (2017). Scholar
  19. [FLS99]
    Feige, U., Lapidot, D., Shamir, A.: Multiple noninteractive zero knowledge proofs under general assumptions. SIAM J. Comput. 29(1), 1–28 (1999)MathSciNetCrossRefGoogle Scholar
  20. [FS86]
    Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). Scholar
  21. [GG00]
    Goldreich, O., Goldwasser, S.: On the limits of nonapproximability of lattice problems. J. Comput. Syst. Sci. 60(3), 540–563 (2000)MathSciNetCrossRefGoogle Scholar
  22. [GK03]
    Goldwasser, S., Kalai, Y.T.: On the (in)security of the fiat-shamir paradigm. In: FOCS (2003)Google Scholar
  23. [GK05]
    Goldwasser, S., Kharchenko, D.: Proof of plaintext knowledge for the ajtai-dwork cryptosystem. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 529–555. Springer, Heidelberg (2005). Scholar
  24. [GKM+00]
    Gertner, Y., Kannan, S., Malkin, T., Reingold, O., Viswanathan, M.: The relationship between public key encryption and oblivious transfer. In: FOCS (2000)Google Scholar
  25. [GKP+13]
    Goldwasser, S., Kalai, Y., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: Reusable garbled circuits and succinct functional encryption. In: STOC (2013)Google Scholar
  26. [GKW17]
    Goyal, R., Koppula, V., Waters, B.: Lockable obfuscation. IACR Cryptology ePrint Archive 2017:274 (2017)Google Scholar
  27. [GM84]
    Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)MathSciNetCrossRefGoogle Scholar
  28. [Gol01]
    Goldreich, O.: The Foundations of Cryptography - Basic Techniques, vol. 1. Cambridge University Press, Cambridge (2001)CrossRefGoogle Scholar
  29. [Gol04]
    Goldreich, O.: The Foundations of Cryptography - Basic Applications, vol. 2. Cambridge University Press, Cambridge (2004)CrossRefGoogle Scholar
  30. [Gol11]
    Goldreich, O.: Basing non-interactive zero-knowledge on (Enhanced) trapdoor permutations: the state of the art. In: Goldreich, O. (ed.) Studies in Complexity and Cryptography. Miscellanea on the Interplay between Randomness and Computation. LNCS, vol. 6650, pp. 406–421. Springer, Heidelberg (2011). Scholar
  31. [GOS12]
    Groth, J., Ostrovsky, R., Sahai, A.: New techniques for noninteractive zero-knowledge. J. ACM 59(3), 11:1–11:35 (2012)MathSciNetCrossRefGoogle Scholar
  32. [GR13]
    Goldreich, O., Rothblum, R.D.: Enhancements of trapdoor permutations. J. Cryptol. 26(3), 484–512 (2013)MathSciNetCrossRefGoogle Scholar
  33. [Gro10]
    Groth, J.: Short pairing-based non-interactive zero-knowledge arguments. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 321–340. Springer, Heidelberg (2010). Scholar
  34. [GS08]
    Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008). Scholar
  35. [GVW15]
    Gorbunov, S., Vaikuntanathan, V., Wee, H.: Predicate encryption for circuits from LWE. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 503–523. Springer, Heidelberg (2015). Scholar
  36. [KRR17]
    Kalai, Y.T., Rothblum, G.N., Rothblum, R.D.: From obfuscation to the security of fiat-shamir for proofs. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 224–251. Springer, Cham (2017). Scholar
  37. [KTX08]
    Kawachi, A., Tanaka, K., Xagawa, K.: Concurrently secure identification schemes based on the worst-case hardness of lattice problems. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 372–389. Springer, Heidelberg (2008). Scholar
  38. [KW18]
    Kim, S., Wu, D.J.: Multi-theorem preprocessing NIZKs from lattices. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 733–765. Springer, Cham (2018). Scholar
  39. [LLM+16]
    Libert, B., Ling, S., Mouhartem, F., Nguyen, K., Wang, H.: Signature schemes with efficient protocols and dynamic group signatures from lattice assumptions. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 373–403. Springer, Heidelberg (2016). Scholar
  40. [LM09]
    Lyubashevsky, V., Micciancio, D.: On bounded distance decoding, unique shortest vectors, and the minimum distance problem. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 577–594. Springer, Heidelberg (2009). Scholar
  41. [LNSW13]
    Ling, S., Nguyen, K., Stehlé, D., Wang, H.: Improved zero-knowledge proofs of knowledge for the ISIS problem, and applications. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 107–124. Springer, Heidelberg (2013). Scholar
  42. [Lyu08]
    Lyubashevsky, V.: Lattice-based identification schemes secure under active attacks. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 162–179. Springer, Heidelberg (2008). Scholar
  43. [MV03]
    Micciancio, D., Vadhan, S.P.: Statistical zero-knowledge proofs with efficient provers: lattice problems and more. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 282–298. Springer, Heidelberg (2003). Scholar
  44. [MW16]
    Mukherjee, P., Wichs, D.: Two round multiparty computation via multi-key FHE. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 735–763. Springer, Heidelberg (2016). Scholar
  45. [Nao03]
    Naor, M.: On cryptographic assumptions and challenges. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 96–109. Springer, Heidelberg (2003). Scholar
  46. [NY90]
    Naor, M., Yung, M.: Public-key cryptosystems provably secure against chosen ciphertext attacks. In: STOC (1990)Google Scholar
  47. [Pei09]
    Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In: STOC (2009)Google Scholar
  48. [PV08]
    Peikert, C., Vaikuntanathan, V.: Noninteractive statistical zero-knowledge proofs for lattice problems. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 536–553. Springer, Heidelberg (2008). Scholar
  49. [PVW08]
    Peikert, C., Vaikuntanathan, V., Waters, B.: A framework for efficient and composable oblivious transfer. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 554–571. Springer, Heidelberg (2008). Scholar
  50. [PW08]
    Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. In: STOC (2008)Google Scholar
  51. [Rab79]
    Rabin, M.O.: Digitalized signatures and public-key functions as intractable as factorization. Technical report, Cambridge, MA, USA (1979)Google Scholar
  52. [Reg09]
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 34:1–34:40 (2009)MathSciNetCrossRefGoogle Scholar
  53. [RSS18]
    Rothblum, R.D., Sealfon, A., Sotiraki, K.: Towards non-interactive zero-knowledge for NP from LWE. IACR Cryptology ePrint Archive 2018:240 (2018)Google Scholar
  54. [Sah99]
    Sahai, A.: Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security. In: FOCS (1999)Google Scholar
  55. [Sho99]
    Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Rev. 41(2), 303–332 (1999)MathSciNetCrossRefGoogle Scholar
  56. [Ste96]
    Stern, J.: A new paradigm for public key identification. IEEE Trans. Inf. Theory 42(6), 1757–1768 (1996)MathSciNetCrossRefGoogle Scholar
  57. [SW14]
    Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: STOC (2014)Google Scholar
  58. [Vad99]
    Vadhan, S.P.: A study of statistical zero-knowledge proofs. Ph.D. thesis, Massachusetts Institute of Technology, Cambridge, MA, USA (1999)Google Scholar
  59. [VN61]
    Von Neumann, J.: Various techniques used in connection with random digits, Paper no. 13 in Monte Carlo method. NBS Applied Mathematics Series (12) (1961)Google Scholar
  60. [WZ17]
    Wichs, D., Zirdelis, G.: Obfuscating compute-and-compare programs under LWE. IACR Cryptology ePrint Archive 2017:276 (2017)Google Scholar

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  • Ron D. Rothblum
    • 1
  • Adam Sealfon
    • 2
  • Katerina Sotiraki
    • 2
    Email author
  1. 1.TechnionHaifaIsrael
  2. 2.MITCambridgeUSA

Personalised recommendations