Short Zero-Knowledge Proof of Knowledge for Lattice-Based Commitment

Part of the Lecture Notes in Computer Science book series (LNSC, volume 12100)


Commitment schemes, together with zero-knowledge proofs, are fundamental tools in cryptographic design. Recently, Baum et al. proposed a commitment scheme (BDLOP) which is by far the most efficient lattice-based one and has been applied in several recent constructions of zero-knowledge proofs. In this paper, we propose a more efficient zero-knowledge proof of knowledge of a BDLOP commitment opening, with a shorter proof. There are a few technical challenges, and we develop some new techniques: First, we adapt the BDLOP commitment by bounding the opening with the singular value rather than the \(\ell _2\) norm in order to obtain compact parameters. Then, we use the bimodal Gaussian technique to minimize the size of the proof. Finally, using a modulus-switching technique, we retain the size of the commitment.


  • Lattice-based commitment
  • Zero-knowledge proof of knowledge
  • Bimodal Gaussian



  1. It degenerates to RSIS and RLWE when \(n=1\).

  2. We choose \(C=\frac{1}{\sqrt{2\pi }}\) empirically. Moreover, for \(\delta =0\) and \(t=5\), the above probability is approximately \(2^{-112}\).

  3. Since there is no efficient zero-knowledge proof that can prove knowledge of the message and the randomness used in the commit phase, an additional element \(\mathbf{f}\) is introduced for a relaxed opening, so that the zero-knowledge proof proves something weaker. This property is also used in [5] and [3].

  4. In [21], one should use only \(d=\sqrt{\frac{N\log q}{\log \delta }}\) columns and zero out the others, which yields a short vector of length \(\min \{q,q^{\frac{N}{d}}\delta ^d\}=\min \{q,q^{\frac{2N}{d}}\}\).

  5. In [3], a valid opening of the commitment \(\mathbf{c}=\left( \begin{array}{c} \mathbf{c}_1 \\ \mathbf{c}_2\\ \end{array}\right) \) is a 3-tuple \((\mathbf{x},\mathbf{r},\mathbf{f})\) with \(\mathbf{r}=\left( \begin{array}{c} \mathbf{r}_1 \\ \cdots \\ \mathbf{r}_k\\ \end{array}\right) \in \mathcal {R}_q^k\) and \(\mathbf{f}\in \bar{\mathcal {C}}'\), where \(\bar{\mathcal {C}}'\) is the set of differences \(\mathcal {C}'-\mathcal {C}'\) excluding \(\mathbf{0}\). The verifier checks that \(\mathbf{f}\left( \begin{array}{c} \mathbf{c}_1 \\ \mathbf{c}_2\\ \end{array}\right) =\left( \begin{array}{c} \mathbf{A}_1 \\ \mathbf{A}_2\\ \end{array}\right) \mathbf{r}+\mathbf{f}\left( \begin{array}{c} \mathbf{0} \\ \mathbf{x}\\ \end{array}\right) \), and that \(\Vert \mathbf{r}_i\Vert _2\le 4\sigma \sqrt{N}\) for all i.


  1. Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015).

  2. Bai, S., Galbraith, S.D.: An improved compression technique for signatures based on learning with errors. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 28–47. Springer, Cham (2014).

  3. Baum, C., Damgård, I., Lyubashevsky, V., Oechsner, S., Peikert, C.: More efficient commitments from structured lattice assumptions. In: Catalano, D., De Prisco, R. (eds.) SCN 2018. LNCS, vol. 11035, pp. 368–385. Springer, Cham (2018).

  4. Benhamouda, F., Camenisch, J., Krenn, S., Lyubashevsky, V., Neven, G.: Better zero-knowledge proofs for lattice encryption and their application to group signatures. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 551–572. Springer, Heidelberg (2014).

  5. Benhamouda, F., Krenn, S., Lyubashevsky, V., Pietrzak, K.: Efficient zero-knowledge proofs for commitments from learning with errors over rings. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9326, pp. 305–325. Springer, Cham (2015).

  6. Blum, M.: Coin flipping by telephone - a protocol for solving impossible problems. In: COMPCON 1982, pp. 133–137. IEEE Computer Society (1982).

  7. Bootle, J., Lyubashevsky, V., Seiler, G.: Algebraic techniques for short(er) exact lattice-based zero-knowledge proofs. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 176–202. Springer, Cham (2019).

  8. Bos, J.W., et al.: CRYSTALS - Kyber: a CCA-secure module-lattice-based KEM. In: 2018 IEEE European Symposium on Security and Privacy, EuroS&P, pp. 353–367. IEEE (2018).

  9. Cramer, R., Franklin, M., Schoenmakers, B., Yung, M.: Multi-authority secret-ballot elections with linear work. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 72–83. Springer, Heidelberg (1996).

  10. Damgård, I.: On Sigma-Protocols. Lectures on Cryptologic Protocol Theory, Faculty of Science, University of Aarhus (2010).

  11. Damgård, I., Fujisaki, E.: A statistically-hiding integer commitment scheme based on groups with hidden order. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 125–142. Springer, Heidelberg (2002).

  12. Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal Gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013).

  13. Even, S., Goldreich, O., Lempel, A.: A randomized protocol for signing contracts. Commun. ACM 28(6), 637–647 (1985).

  14. Fujisaki, E., Okamoto, T.: Statistical zero knowledge protocols to prove modular polynomial relations. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 16–30. Springer, Heidelberg (1997).

  15. Haitner, I., Reingold, O.: Statistically-hiding commitment from any one-way function. In: Johnson, D.S., Feige, U. (eds.) Proceedings of the 39th Annual ACM Symposium on Theory of Computing, pp. 1–10. ACM (2007).

  16. Jain, A., Krenn, S., Pietrzak, K., Tentes, A.: Commitments and efficient zero-knowledge proofs from learning parity with noise. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 663–680. Springer, Heidelberg (2012).

  17. Kawachi, A., Tanaka, K., Xagawa, K.: Concurrently secure identification schemes based on the worst-case hardness of lattice problems. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 372–389. Springer, Heidelberg (2008).

  18. Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012).

  19. Lyubashevsky, V., Seiler, G.: Short, invertible elements in partially splitting cyclotomic rings and applications to lattice-based zero-knowledge proofs. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 204–224. Springer, Cham (2018).

  20. Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012).

  21. Micciancio, D., Regev, O.: Lattice-based cryptography. In: Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.) Post-Quantum Cryptography, pp. 147–191. Springer, Heidelberg (2009).

  22. Naor, M.: Bit commitment using pseudo-randomness. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 128–136. Springer, New York (1990).

  23. Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992).

  24. Vershynin, R.: Introduction to the non-asymptotic analysis of random matrices. CoRR abs/1011.3027 (2010).

  25. Xie, X., Xue, R., Wang, M.: Zero knowledge proofs from ring-LWE. In: Abdalla, M., Nita-Rotaru, C., Dahab, R. (eds.) CANS 2013. LNCS, vol. 8257, pp. 57–73. Springer, Cham (2013).

  26. Yang, R., Au, M.H., Zhang, Z., Xu, Q., Yu, Z., Whyte, W.: Efficient lattice-based zero-knowledge arguments with standard soundness: construction and applications. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 147–175. Springer, Cham (2019).


The authors would like to thank the anonymous reviewers for their valuable comments. This work was partially supported by National Natural Science Foundation of China (Nos. 61772520, 61632020, 61472416, 61802392, 61972094), Key Research and Development Project of Zhejiang Province (Nos. 2017C01062, 2020C01078), Beijing Municipal Science and Technology Project (Grant Nos. Z191100007119007, Z191100007119002).

Correspondence to Yang Tao or Rui Zhang.

A Discussion on Protocol of [3] with Compression Technique

The proof \(\mathbf{z}\) of the zero-knowledge proof of opening in [3] consists of two parts: \(\mathbf{z}^{(1)}\) is the part that gets multiplied by the identity block of the public matrix \(\mathbf{A}_1\), and \(\mathbf{z}^{(2)}\) is the part that gets multiplied by \(\mathbf{A}_1'\). The compression technique of [2] discards \(\mathbf{z}^{(1)}\) entirely, and the verifier merely checks an approximate equality, i.e. an equality of the high-order parts.

For an integer x with \(x=\lceil x\rceil _{\gamma }\cdot 2^{\gamma }+[x]_{\gamma }\), we denote by \(\lceil x\rceil _{\gamma }\) the high-order bits and by \([x]_{\gamma }=x \bmod 2^{\gamma }\) the low-order \(\gamma \) bits; both are applied coefficient-wise to vectors. The challenge space is \(\mathcal {C}'=\{\mathbf{d}\in \mathcal {R}_q|\Vert \mathbf{d}\Vert _{\infty }=1, \Vert \mathbf{d}\Vert _1=\kappa \}\). The improved protocol \(\varPi _{com}\) of [3] with the compression technique of [2] is given in Table 3; it satisfies completeness, special soundness and honest-verifier zero-knowledge. Since the honest-verifier zero-knowledge property is not affected by the compression and holds as shown in [3], we only discuss the completeness and special soundness of \(\varPi _{com}\).

Table 3. Improved zero-knowledge proof of knowledge in [3].

Completeness: It is guaranteed by \(\mathbf{A}'_1\mathbf{z}-\mathbf{d}{} \mathbf{c}_1=\mathbf{t}-\mathbf{d}{} \mathbf{r}_1\) together with \(\lceil \mathbf{t}-\mathbf{d}{} \mathbf{r}_1 \rceil _{\gamma }=\lceil \mathbf{t}\rceil _{\gamma }\), which holds whenever \([\mathbf{t}-\mathbf{d}{} \mathbf{r}_1]_{\gamma } < \frac{\gamma }{2}-\max _{\mathbf{d},\mathbf{r}_1}\Vert \mathbf{d}{} \mathbf{r}_1\Vert _2\); the prover must abort when this condition fails, which adds an abort condition on top of the usual rejection sampling. Thus, adopting the widely accepted assumption that the low-order bits are uniformly distributed modulo \(\gamma \), the non-abort probability is approximately \((\frac{2(\frac{\gamma }{2}-\max _{\mathbf{d},\mathbf{r}_1}\Vert \mathbf{d}{} \mathbf{r}_1\Vert _2)-1}{\gamma })^N\): the larger \(\gamma \) is, the larger the non-abort probability.

Special Soundness: Given a commitment \(\mathbf{c}\) and two valid transcripts \((\mathbf{t},\mathbf{d},\mathbf{z}),(\mathbf{t},\mathbf{d}',\mathbf{z}')\) with the same first message and \(\mathbf{d}\ne \mathbf{d}'\), we can extract a valid opening of the commitment \(\mathbf{c}\) as follows. The two verification equations read

$$\begin{aligned}&\lceil \mathbf{A}'_1\mathbf{z}-\mathbf{d}{} \mathbf{c}_1 \rceil _{\gamma }=\lceil \mathbf{t}\rceil _{\gamma } \end{aligned}$$
$$\begin{aligned}&\lceil \mathbf{A}'_1\mathbf{z}'-\mathbf{d}'{} \mathbf{c}_1 \rceil _{\gamma }=\lceil \mathbf{t}\rceil _{\gamma } \end{aligned}$$

Therefore, there exist two low-order terms \(\mathbf{e},\mathbf{e}'\) with \(\Vert \mathbf{e}\Vert _{\infty },\Vert \mathbf{e}'\Vert _{\infty }\le \frac{\gamma }{2}\) such that

$$\begin{aligned}&\mathbf{A}'_1\mathbf{z}-\mathbf{d}{} \mathbf{c}_1 =\lceil \mathbf{t}\rceil _{\gamma }\cdot 2^{\gamma }+\mathbf{e} \end{aligned}$$
$$\begin{aligned}&\mathbf{A}'_1\mathbf{z}'-\mathbf{d}'{} \mathbf{c}_1=\lceil \mathbf{t}\rceil _{\gamma }\cdot 2^{\gamma }+\mathbf{e}' \end{aligned}$$

Subtracting the second of these two equations from the first, we obtain

$$\begin{aligned} \mathbf{A}_1'(\mathbf{z}-\mathbf{z}')-(\mathbf{d}-\mathbf{d}')\mathbf{c}_1=\mathbf{e}-\mathbf{e}', \end{aligned}$$

and, since \(\mathbf{A}_1\) consists of an identity block followed by \(\mathbf{A}_1'\), this yields

$$\begin{aligned} \mathbf{A}_1\left( \begin{array}{c} \mathbf{e}-\mathbf{e}' \\ \mathbf{z}-\mathbf{z}'\\ \end{array}\right) =(\mathbf{d}-\mathbf{d}')\mathbf{c}_1 \end{aligned}$$

Notice that \(\Vert \mathbf{e}-\mathbf{e}'\Vert _{\infty }\le \gamma \). Assuming \(\gamma \le 4\sigma \), we have \(\Vert \mathbf{e}-\mathbf{e}'\Vert _2\le \sqrt{N}\,\Vert \mathbf{e}-\mathbf{e}'\Vert _{\infty }\le 4\sigma \sqrt{N}\). Set \(\mathbf{f}=\mathbf{d}-\mathbf{d}'\), \(\mathbf{r}=\left( \begin{array}{c} \mathbf{e}-\mathbf{e}' \\ \mathbf{z}-\mathbf{z}'\\ \end{array}\right) \) and \(\mathbf{x}=\mathbf{c}_2-\mathbf{f}^{-1}{} \mathbf{A}_2\mathbf{r}\). Then \((\mathbf{x},\mathbf{r},\mathbf{f})\) is a valid opening (Footnote 5) of the commitment \(\mathbf{c}\) in [3].

We now claim that there is a trade-off among the reduced proof size, the non-abort probability and security for \(\varPi _{\text {com}}\). When instantiating the protocol \(\varPi _{\text {com}}\), we have to consider the non-abort probability \((\frac{2(\frac{\gamma }{2}-\max _{\mathbf{d},\mathbf{r}_1}\Vert \mathbf{d}{} \mathbf{r}_1\Vert _2)-1}{\gamma })^N\) for completeness and the condition \(\gamma \le 4\sigma \) for special soundness. We observe that the non-abort probability is only \(3.7\times 10^{-4}\) with \(\sigma \approx 27000\) and \(\gamma \approx 108000\) under the parameters of [3] (Set I-[3] in Table 2). Thus, it is inevitable to enlarge \(\sigma \) to obtain a practical non-abort probability. If we target a non-abort probability \((\frac{2(\frac{\gamma }{2}-\max _{\mathbf{d},\mathbf{r}_1}\Vert \mathbf{d}{} \mathbf{r}_1\Vert _2)-1}{\gamma })^N\approx 0.3\), then the Gaussian parameter \(\sigma \) has to be 6.3\(\times \) larger than before, which results in a weaker SIS problem: the root Hermite factor of SIS increases to 1.0047, although the proof size is reduced to 5 KB under the enlarged \(\sigma \). Thus, such an improvement with the compression technique is possible, but at the cost of either a low non-abort probability or security.
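The decomposition into high- and low-order parts, the abort condition of the completeness argument and the bound on \(\mathbf{e}-\mathbf{e}'\) used in the special-soundness argument, as an added worked example in Python. This is not code from the paper, nor from [2] or [3]. It assumes that the low-order part is the centred residue modulo `gamma`, where `gamma` is the size of the low-order range (the definition above writes that range as \(2^{\gamma }\), while the later bounds use \(\gamma \) directly as the magnitude); all bounds are taken coefficient-wise (infinity norm); and the ring dimension N, the bound \(\max \Vert \mathbf{d}{} \mathbf{r}_1\Vert \) and all vectors are constructed toy values, since the page does not give them.

```python
"""Added worked example, not code from the paper or from [2]/[3].

Implements the high/low-order decomposition of the compression technique, the
coefficient-wise abort check behind the completeness argument of Appendix A,
and the bound on e - e' used for special soundness.

Assumptions not fixed by the page: `gamma` is the size of the low-order range
(the page's 2^gamma in the definition, gamma in the later bounds), the low-order
part is the centred residue in (-gamma/2, gamma/2], bounds are taken
coefficient-wise, and N and max||d r_1|| are free parameters.
"""
from __future__ import annotations

import random


def decompose(x: int, gamma: int) -> tuple[int, int]:
    """Split x = high * gamma + low with low in (-gamma/2, gamma/2]."""
    low = x % gamma
    if low > gamma // 2:
        low -= gamma
    return (x - low) // gamma, low


def high_part(v: list[int], gamma: int) -> list[int]:
    """High-order parts, coefficient by coefficient (the page's ceil(.)_gamma)."""
    return [decompose(c, gamma)[0] for c in v]


def low_part(v: list[int], gamma: int) -> list[int]:
    """Centred low-order parts (the page's [.]_gamma)."""
    return [decompose(c, gamma)[1] for c in v]


def inf_norm(v: list[int]) -> int:
    return max(abs(c) for c in v)


def safe_for_bound(t: list[int], gamma: int, bound: int) -> bool:
    """Prover-side abort check.  If every low-order coefficient of t lies
    strictly inside (-gamma/2 + bound, gamma/2 - bound), subtracting any delta
    with ||delta||_inf <= bound (delta plays the role of d*r_1) cannot change
    the high-order part, so the verifier's high-order check passes.  Otherwise
    the prover aborts and restarts."""
    return all(abs(l) < gamma / 2 - bound for l in low_part(t, gamma))


def non_abort_estimate(gamma: int, bound: int, n: int) -> float:
    """Appendix A estimate ((2(gamma/2 - bound) - 1) / gamma)^N, which assumes
    the low-order coefficients of t are uniform modulo gamma."""
    return ((2 * (gamma / 2 - bound) - 1) / gamma) ** n


def non_abort_empirical(gamma: int, bound: int, n: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo version of the estimate: sample uniform low-order parts and
    count how often the abort check passes for all N coefficients."""
    rng = random.Random(seed)
    ok = sum(safe_for_bound([rng.randrange(gamma) for _ in range(n)], gamma, bound)
             for _ in range(trials))
    return ok / trials


def check_guarantee(gamma: int, bound: int) -> bool:
    """Exhaustive one-coefficient check that the abort condition is sufficient:
    every low part accepted by safe_for_bound keeps its high part under every
    perturbation of absolute value at most `bound`."""
    for low in range(-(gamma // 2) + 1, gamma // 2 + 1):
        survives = all(decompose(low - d, gamma)[0] == 0 for d in range(-bound, bound + 1))
        if safe_for_bound([low], gamma, bound) and not survives:
            return False
    return True


def low_difference(u: list[int], v: list[int], gamma: int) -> list[int]:
    """Special-soundness step: two accepting transcripts give u = A'_1 z - d c_1
    and v = A'_1 z' - d' c_1 with the same high-order part, i.e.
    u = high*gamma + e and v = high*gamma + e'.  Return e - e', whose infinity
    norm is at most gamma."""
    if high_part(u, gamma) != high_part(v, gamma):
        raise ValueError("high-order parts differ: both transcripts cannot verify")
    return [a - b for a, b in zip(low_part(u, gamma), low_part(v, gamma))]


if __name__ == "__main__":
    # Constructed toy parameters; the paper's N, sigma and max||d r_1|| are far larger.
    gamma, bound, n = 16, 3, 4
    t = [2, 100, -36, 4]        # constructed masking vector t
    delta = [3, -3, 1, -2]      # constructed d*r_1 with ||delta||_inf <= bound
    print("abort check passes:", safe_for_bound(t, gamma, bound))
    shifted = [a - b for a, b in zip(t, delta)]
    print("high parts agree:", high_part(shifted, gamma) == high_part(t, gamma))
    print("non-abort estimate:", non_abort_estimate(gamma, bound, n))
    print("non-abort empirical:", non_abort_empirical(gamma, bound, n, 20000))
    print("abort condition sufficient:", check_guarantee(gamma, bound))
    diff = low_difference([37, -5], [40, -7], gamma)   # constructed u, v
    print("e - e' =", diff, "with inf norm", inf_norm(diff), "<= gamma:", inf_norm(diff) <= gamma)
```

Running the script with the toy values shows the two sides of the trade-off discussed above: the per-coefficient factor \((\gamma -2B-1)/\gamma \) is confirmed by sampling, and raising the bound B (i.e. larger \(\Vert \mathbf{d}{} \mathbf{r}_1\Vert \)) at fixed \(\gamma \) drives the non-abort probability down exponentially in N, while the extracted \(\mathbf{e}-\mathbf{e}'\) stays within \(\gamma \) regardless.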

© 2020 Springer Nature Switzerland AG

Cite this paper

Tao, Y., Wang, X., Zhang, R. (2020). Short Zero-Knowledge Proof of Knowledge for Lattice-Based Commitment. In: Ding, J., Tillich, JP. (eds) Post-Quantum Cryptography. PQCrypto 2020. Lecture Notes in Computer Science, vol. 12100. Springer, Cham.

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-44222-4

  • Online ISBN: 978-3-030-44223-1
