Skip to main content

Towards Non-Interactive Zero-Knowledge for NP from LWE

  • Conference paper
  • First Online:
Public-Key Cryptography – PKC 2019 (PKC 2019)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11443))

Included in the following conference series:

Abstract

Non-interactive zero-knowledge (\(\mathsf {NIZK}\)) is a fundamental primitive that is widely used in the construction of cryptographic schemes and protocols. Despite this, general purpose constructions of \(\mathsf {NIZK}\) proof systems are only known under a rather limited set of assumptions that are either number-theoretic (and can be broken by a quantum computer) or are not sufficiently well understood, such as obfuscation. Thus, a basic question that has drawn much attention is whether it is possible to construct general-purpose \(\mathsf {NIZK}\) proof systems based on the learning with errors (\(\mathsf {LWE}\)) assumption.

Our main result is a reduction from constructing \(\mathsf {NIZK}\) proof systems for all of \(\mathbf {NP}\) based on \(\mathsf {LWE}\), to constructing a \(\mathsf {NIZK}\) proof system for a particular computational problem on lattices, namely a decisional variant of the Bounded Distance Decoding (\(\mathsf {BDD}\)) problem. That is, we show that assuming \(\mathsf {LWE}\), every language \(L \in \mathbf {NP}\) has a \(\mathsf {NIZK}\) proof system if (and only if) the decisional \(\mathsf {BDD}\) problem has a \(\mathsf {NIZK}\) proof system. This (almost) confirms a conjecture of Peikert and Vaikuntanathan (CRYPTO, 2008).

To construct our \(\mathsf {NIZK}\) proof system, we introduce a new notion that we call prover-assisted oblivious ciphertext sampling (\(\mathsf {POCS}\)), which we believe to be of independent interest. This notion extends the idea of oblivious ciphertext sampling, which allows one to sample ciphertexts without knowing the underlying plaintext. Specifically, we augment the oblivious ciphertext sampler with access to an (untrusted) prover to help it accomplish this task. We show that the existence of encryption schemes with a \(\mathsf {POCS}\) procedure, as well as some additional natural requirements, suffices for obtaining \(\mathsf {NIZK}\) proofs for \(\mathbf {NP}\). We further show that such encryption schemes can be instantiated based on \(\mathsf {LWE}\), assuming the existence of a \(\mathsf {NIZK}\) proof system for the decisional \(\mathsf {BDD}\) problem.

R. D. Rothblum—This research was conducted in part while the author was at MIT and Northeastern University. Research supported in part by the Israeli Science Foundation (Grant No. 1262/18). Research also supported in part by NSF Grants CNS-1413920 and CNS-1350619, by the Defense Advanced Research Projects Agency (DARPA) and the U.S. Army Research Office under contracts W911NF-15-C-0226 and W911NF-15-C-0236, the Simons Investigator award agreement dated 6-5-12 and the Cybersecurity and Privacy Institute at Northeastern University.

A. Sealfon—Research supported in part by a DOE CSGF fellowship, NSF MACS CNS-1413920, DARPA/NJIT Palisade 491512803, Sloan/NJIT 996698, MIT/IBM W1771646, NSF Center for Science of Information (CSoI) CCF-0939370, and the Simons Investigator award agreement dated 6-5-12.

K. Sotiraki—Research supported in part by NSF grants CNS-1350619, CNS-1718161, CNS-1414119.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
EUR 32.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 79.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 99.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    As a matter of fact, resolving this question carries a symbolic cash prize; see https://simons.berkeley.edu/crypto2015/open-problems.

  2. 2.

    Doubly enhanced trapdoor permutations were actually introduced in [Gol11] (with the motivation of implementing the hidden-bits model). See further discussion in [GR13, CL17].

  3. 3.

    In particular, the naive algorithm that chooses at random \(b \in \{0,1\}\) and outputs \(E_{\mathsf {pk}}(b)\) is not oblivious since its random coins fully reveal b.

  4. 4.

    For simplicity, we focus for now on schemes with perfect correctness.

  5. 5.

    Further related issues were recently uncovered by Canetti and Lichtenberg [CL17].

  6. 6.

    Actually, the [BY96] protocol only certifies that the index specifies a function that is close to a permutation (i.e., they provide a non-interactive zero-knowledge proof of proximity, a notion recently formalized by Berman et al. [BRV17]) which suffices in this context.

  7. 7.

    Actually, it is important for us to also establish that \(\mathbf {{s}}\) is unique. We enforce this by having the matrix \(\mathbf {A}\) be specified as part of the CRS (rather than by the prover). Indeed, it is not too difficult to show that a lattice spanned by a random matrix \(\mathbf {A}\) does not have short vectors and therefore \(\mathbf {{b}}\) cannot be close to two different lattice points.

  8. 8.

    In the literature, typically \(\mathbf {B}\) is defined as a set of column vectors. However, for our applications it is more convenient to use row vectors.

  9. 9.

    Note that in the actual definition we only require the latter to hold with high probability over the choice of the public randomness for every valid public key. The notion of encryption schemes with public randomness is discussed in Sect. 2.1.

  10. 10.

    Jumping ahead, we note that for our final \(\mathsf {NIZK}\) protocol, achieving standard soundness, we will need to repeat steps 36 for \(\ell = \mathrm{poly}(\kappa )\) times for the same \(\mathsf {pk}\) to amplify soundness.

  11. 11.

    Here we are utilizing the fact that the hidden-bits proof-system has perfect completeness to save us the effort of arguing that the hidden bits are indeed (sufficiently) unbiased.

  12. 12.

    The argument here resembles the standard argument for obtaining adaptively sound \(\mathsf {NIZK}\)s from \(\mathsf {NIZK}\)s that only have non-adaptive soundness.

  13. 13.

    From Lemma 3 this happens with overwhelming probability.

  14. 14.

    Since the complementary event happens with negligible probability in \(\kappa \), in case it does happen we choose the public-keys to have zero noise.

  15. 15.

    Again, the complementary event happens with negligible probability, in which case we can output a ciphertext with zero noise.

  16. 16.

    Alternatively, we could reduce the bias to be negligible using Von Neumann’s trick [VN61] for transforming a biased source to an almost unbiased source.

References

  1. Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_35

    Chapter  Google Scholar 

  2. Agrawal, S., Freeman, D.M., Vaikuntanathan, V.: Functional encryption for inner product predicates from learning with errors. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 21–40. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_2

    Chapter  Google Scholar 

  3. Alamati, N., Peikert, C., Stephens-Davidowitz, N.: New (and old) proof systems for lattice problems. Cryptology ePrint Archive, Report 2017/1226 (2017)

    Google Scholar 

  4. Blum, M., De Santis, A., Micali, S., Persiano, G.: Noninteractive zero-knowledge. SIAM J. Comput. 20(6), 1084–1118 (1991)

    Article  MathSciNet  Google Scholar 

  5. Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications (extended abstract). In: STOC (1988)

    Google Scholar 

  6. Bender, A., Katz, J., Morselli, R.: Rin signatures: stronger definitions, and constructions without random oracles. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 60–79. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_4

    Chapter  Google Scholar 

  7. Bellare, M., Micciancio, D., Warinschi, B.: Foundations of group signatures: formal definitions, simplified requirements, and a construction based on general assumptions. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 614–629. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_38

    Chapter  Google Scholar 

  8. Bitansky, N., Paneth, O.: ZAPs and non-interactive witness indistinguishability from indistinguishability obfuscation. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 401–427. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_16

    Chapter  MATH  Google Scholar 

  9. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: CCS (1993)

    Google Scholar 

  10. Berman, I., Rothblum, R.D., Vaikuntanathan, V.: Zero-knowledge proofs of proximity. IACR Cryptology ePrint Archive 2017:114 (2017)

    Google Scholar 

  11. Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) \(\sf {LWE}\). SIAM J. Comput. 43(2), 831–871 (2014)

    Article  MathSciNet  Google Scholar 

  12. Bellare, M., Yung, M.: Certifying permutations: noninteractive zero-knowledge based on any trapdoor permutation. J. Cryptol. 9(3), 149–166 (1996)

    Article  MathSciNet  Google Scholar 

  13. Canetti, R., Chen, Y., Reyzin, L., Rothblum, R.D.: Fiat-shamir and correlation intractability from strong KDM-secure encryption. Cryptology ePrint Archive, Report 2018/131 (2018)

    Google Scholar 

  14. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. J. ACM 51(4), 557–594 (2004)

    Article  MathSciNet  Google Scholar 

  15. Canetti, R., Lichtenberg, A.: Certifying trapdoor permutations, revisited. IACR Cryptology ePrint Archive 2017:631 (2017)

    Google Scholar 

  16. Dolev, D., Dwork, C., Naor, M.: Nonmalleable cryptography. SIAM Rev. 45(4), 727–784 (2003)

    Article  MathSciNet  Google Scholar 

  17. Dwork, C., Naor, M.: Zaps and their applications. SIAM J. Comput. 36(6), 1513–1543 (2007)

    Article  MathSciNet  Google Scholar 

  18. del Pino, R., Lyubashevsky, V.: Amortization with fewer equations for proving knowledge of small secrets. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 365–394. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_13

    Chapter  Google Scholar 

  19. Feige, U., Lapidot, D., Shamir, A.: Multiple noninteractive zero knowledge proofs under general assumptions. SIAM J. Comput. 29(1), 1–28 (1999)

    Article  MathSciNet  Google Scholar 

  20. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12

    Chapter  Google Scholar 

  21. Goldreich, O., Goldwasser, S.: On the limits of nonapproximability of lattice problems. J. Comput. Syst. Sci. 60(3), 540–563 (2000)

    Article  MathSciNet  Google Scholar 

  22. Goldwasser, S., Kalai, Y.T.: On the (in)security of the fiat-shamir paradigm. In: FOCS (2003)

    Google Scholar 

  23. Goldwasser, S., Kharchenko, D.: Proof of plaintext knowledge for the ajtai-dwork cryptosystem. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 529–555. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30576-7_29

    Chapter  MATH  Google Scholar 

  24. Gertner, Y., Kannan, S., Malkin, T., Reingold, O., Viswanathan, M.: The relationship between public key encryption and oblivious transfer. In: FOCS (2000)

    Google Scholar 

  25. Goldwasser, S., Kalai, Y., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: Reusable garbled circuits and succinct functional encryption. In: STOC (2013)

    Google Scholar 

  26. Goyal, R., Koppula, V., Waters, B.: Lockable obfuscation. IACR Cryptology ePrint Archive 2017:274 (2017)

    Google Scholar 

  27. Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)

    Article  MathSciNet  Google Scholar 

  28. Goldreich, O.: The Foundations of Cryptography - Basic Techniques, vol. 1. Cambridge University Press, Cambridge (2001)

    Book  Google Scholar 

  29. Goldreich, O.: The Foundations of Cryptography - Basic Applications, vol. 2. Cambridge University Press, Cambridge (2004)

    Book  Google Scholar 

  30. Goldreich, O.: Basing non-interactive zero-knowledge on (Enhanced) trapdoor permutations: the state of the art. In: Goldreich, O. (ed.) Studies in Complexity and Cryptography. Miscellanea on the Interplay between Randomness and Computation. LNCS, vol. 6650, pp. 406–421. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22670-0_28

    Chapter  Google Scholar 

  31. Groth, J., Ostrovsky, R., Sahai, A.: New techniques for noninteractive zero-knowledge. J. ACM 59(3), 11:1–11:35 (2012)

    Article  MathSciNet  Google Scholar 

  32. Goldreich, O., Rothblum, R.D.: Enhancements of trapdoor permutations. J. Cryptol. 26(3), 484–512 (2013)

    Article  MathSciNet  Google Scholar 

  33. Groth, J.: Short pairing-based non-interactive zero-knowledge arguments. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 321–340. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_19

    Chapter  Google Scholar 

  34. Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_24

    Chapter  Google Scholar 

  35. Gorbunov, S., Vaikuntanathan, V., Wee, H.: Predicate encryption for circuits from LWE. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 503–523. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_25

    Chapter  Google Scholar 

  36. Kalai, Y.T., Rothblum, G.N., Rothblum, R.D.: From obfuscation to the security of fiat-shamir for proofs. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 224–251. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_8

    Chapter  Google Scholar 

  37. Kawachi, A., Tanaka, K., Xagawa, K.: Concurrently secure identification schemes based on the worst-case hardness of lattice problems. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 372–389. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89255-7_23

    Chapter  Google Scholar 

  38. Kim, S., Wu, D.J.: Multi-theorem preprocessing NIZKs from lattices. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 733–765. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_25

    Chapter  Google Scholar 

  39. Libert, B., Ling, S., Mouhartem, F., Nguyen, K., Wang, H.: Signature schemes with efficient protocols and dynamic group signatures from lattice assumptions. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 373–403. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_13

    Chapter  Google Scholar 

  40. Lyubashevsky, V., Micciancio, D.: On bounded distance decoding, unique shortest vectors, and the minimum distance problem. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 577–594. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_34

    Chapter  Google Scholar 

  41. Ling, S., Nguyen, K., Stehlé, D., Wang, H.: Improved zero-knowledge proofs of knowledge for the ISIS problem, and applications. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 107–124. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_8

    Chapter  Google Scholar 

  42. Lyubashevsky, V.: Lattice-based identification schemes secure under active attacks. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 162–179. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78440-1_10

    Chapter  Google Scholar 

  43. Micciancio, D., Vadhan, S.P.: Statistical zero-knowledge proofs with efficient provers: lattice problems and more. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 282–298. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_17

    Chapter  Google Scholar 

  44. Mukherjee, P., Wichs, D.: Two round multiparty computation via multi-key FHE. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 735–763. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_26

    Chapter  Google Scholar 

  45. Naor, M.: On cryptographic assumptions and challenges. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 96–109. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_6

    Chapter  Google Scholar 

  46. Naor, M., Yung, M.: Public-key cryptosystems provably secure against chosen ciphertext attacks. In: STOC (1990)

    Google Scholar 

  47. Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In: STOC (2009)

    Google Scholar 

  48. Peikert, C., Vaikuntanathan, V.: Noninteractive statistical zero-knowledge proofs for lattice problems. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 536–553. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_30

    Chapter  Google Scholar 

  49. Peikert, C., Vaikuntanathan, V., Waters, B.: A framework for efficient and composable oblivious transfer. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 554–571. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_31

    Chapter  Google Scholar 

  50. Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. In: STOC (2008)

    Google Scholar 

  51. Rabin, M.O.: Digitalized signatures and public-key functions as intractable as factorization. Technical report, Cambridge, MA, USA (1979)

    Google Scholar 

  52. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 34:1–34:40 (2009)

    Article  MathSciNet  Google Scholar 

  53. Rothblum, R.D., Sealfon, A., Sotiraki, K.: Towards non-interactive zero-knowledge for NP from LWE. IACR Cryptology ePrint Archive 2018:240 (2018)

    Google Scholar 

  54. Sahai, A.: Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security. In: FOCS (1999)

    Google Scholar 

  55. Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Rev. 41(2), 303–332 (1999)

    Article  MathSciNet  Google Scholar 

  56. Stern, J.: A new paradigm for public key identification. IEEE Trans. Inf. Theory 42(6), 1757–1768 (1996)

    Article  MathSciNet  Google Scholar 

  57. Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: STOC (2014)

    Google Scholar 

  58. Vadhan, S.P.: A study of statistical zero-knowledge proofs. Ph.D. thesis, Massachusetts Institute of Technology, Cambridge, MA, USA (1999)

    Google Scholar 

  59. Von Neumann, J.: Various techniques used in connection with random digits, Paper no. 13 in Monte Carlo method. NBS Applied Mathematics Series (12) (1961)

    Google Scholar 

  60. Wichs, D., Zirdelis, G.: Obfuscating compute-and-compare programs under LWE. IACR Cryptology ePrint Archive 2017:276 (2017)

    Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Katerina Sotiraki .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2019 International Association for Cryptologic Research

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Rothblum, R.D., Sealfon, A., Sotiraki, K. (2019). Towards Non-Interactive Zero-Knowledge for NP from LWE. In: Lin, D., Sako, K. (eds) Public-Key Cryptography – PKC 2019. PKC 2019. Lecture Notes in Computer Science(), vol 11443. Springer, Cham. https://doi.org/10.1007/978-3-030-17259-6_16

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-17259-6_16

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-17258-9

  • Online ISBN: 978-3-030-17259-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics