More Efficient Amortization of Exact Zero-Knowledge Proofs for LWE

Bootle, Jonathan; Lyubashevsky, Vadim; Nguyen, Ngoc Khanh; Seiler, Gregor

doi:10.1007/978-3-030-88428-4_30

Cited by 8 publications

(8 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…One big problem of both transforms [15,29] is that, they only work for Σ protocols but not the more generic multi-round public-coin interactive proofs (PCIP). As several recent results of interactive proofs are exploiting the multiround property of PCIP to gain efficiency, such as bullet proofs [7], exact proofs [21] or amortized exact proofs [4], an interesting question would be to extend the [15,29] transforms to multi-round interactive protocols. Moreover, between these two transforms, [15] not only requires less properties of the starting Σ-protocol than [29] (optimal soundness against special soundness) but it is also more efficient.…”

Section: Limits Of Nizk In Nprommentioning

confidence: 99%

“…However, the [15] transform relies heavily on the existence of an OR-composition of interactive protocols. Unfortunately, the most efficient interactive lattice-based proof systems are all 2-round protocols [4,5,21], and the previous OR-compositions of interactive proof systems [1,16,24] cannot be applied to multi-round PCIPs.…”

Section: From Interactive To Non-interactivementioning

confidence: 99%

“…Here, we recall that h i b ,b can be computed by using π , H(X 0 ), H(X 1 ) as in Equation (4). By the definition of the answerable challenge predicate, assuming a valid proof π ∨ , the corresponding partial proof π = (X 0 , X 1 ) verifies that Γ ((X 0 , X 1 ), (H(X 0 ), H(X 1 ))) = True.…”

Section: Measure-and-reprogram 20 Multiple Inputmentioning

confidence: 99%

See 2 more Smart Citations

A Generic Transform from Multi-round Interactive Proof to NIZK

Fouque

Georgescu

Qian

et al. 2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

We present a new generic transform that takes a multi-round interactive proof for the membership of a language L and outputs a non-interactive zero-knowledge proof (not of knowledge) in the common reference string model. Similar to the Fiat-Shamir transform, it requires a hash function H. However, in our transform the zero-knowledge property is in the standard model, and the adaptive soundness is in the non-programmable random oracle model (NPROM). Behind this new generic transform, we build a new generic OR-composition of two multi-round interactive proofs. Note that the two common techniques for building OR-proofs (parallel OR-proof and sequential OR-proof) cannot be naturally extended to the multi-round setting. We also give a proof of security for our OR-proof in the quantum oracle model (QROM), surprisingly the security loss in QROM is independent from the number of rounds.

show abstract

Section: Limits Of Nizk In Nprommentioning

confidence: 99%

Section: From Interactive To Non-interactivementioning

confidence: 99%

See 1 more Smart Citation

A Generic Transform from Multi-round Interactive Proof to NIZK

Fouque

Georgescu

Qian

et al. 2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…An alternative to the aborts approach is probabilistically checkable proofs (PCPs) and interactive oracle proofs (IOPs) cleverly combined with lattice-based algebraic techniques. For example, [10] presents a zeroknowledge system for proving knowledge of Learning With Errors (LWE) pre-images, which does not involve aborts. Unfortunately, this solution is more efficient than a general lattice-based system (with aborts) only for some specific settings, for instance, when proving at the same time knowledge of a lot of LWE pre-images with the same matrix A.…”

Section: Introductionmentioning

confidence: 99%

“…We stress that the abort-free protocol in[10] is not really suitable for this setting, in terms of efficiency.…”

mentioning

confidence: 99%

How to Avoid Repetitions in Lattice-Based Deniable Zero-Knowledge Proofs

et al. 2022

View full text Add to dashboard Cite

Interactive zero-knowledge systems are a very important cryptographic primitive, used in many applications, especially when deniability (also known as non-transferability) is desired. In the lattice-based setting, the currently most efficient interactive zero-knowledge systems employ the technique of rejection sampling, which implies that the interaction does not always finish correctly in the first execution; the whole interaction must be re-run until abort does not happen. While repetitions due to aborts are acceptable in theory, in some practical applications it is desirable to avoid re-runs for usability reasons. In this work we present a generic technique that departs from an interactive zero-knowledge system (that might require multiple re-runs to complete the protocol) and obtains a 3-moves zero-knowledge system (without re-runs). The transformation combines the well-known Fiat-Shamir technique with a couple of initially exchanged messages. The resulting 3-moves system enjoys honest-verifier zero-knowledge and can be easily turned into a fully deniable proof using standard techniques. We show some practical scenarios where our transformation can be beneficial and we also discuss the results of an implementation of our transformation.

show abstract

Post‐quantum secure two‐party computing protocols against malicious adversaries

Huo,

Zhao,

Qin

et al. 2023

Concurrency and Computation

View full text Add to dashboard Cite

SummarySecure two‐party computation allows a pair of parties to compute a function together while keeping their inputs private. Ultimately, each party receives only its own correct output. In this paper, a post‐quantum secure two‐party computation protocol is proposed that can be used to effectively block malicious parties. The protocol solves the problems of traditional protocols based on garbled circuits, which are vulnerable to quantum attacks, high communication costs and low computational efficiency. The input garbled keys of the circuit constructor is structured as a Learning with Error (LWE) equation, enabling the circuit constructor to employ a zero‐knowledge proof that demonstrates the uniformity of inputs across all circuits.In the key transfer phase, an LWE‐based batch single‐choice cut‐and‐choose oblivious transfer is proposed to avoid selective failure attacks. In addition, the protocol employs a penalty mechanism to detect if the circuit constructor has generated an incorrect circuit. We have compared the communication overhead of this protocol with three other secure two‐party computation protocols based on Cut‐and‐Choose technology. The analytical results show that this protocol has the best error probability and is resilient to quantum attacks under the malicious adversary model. In addition, with appropriate parameters, the protocol is able to reduce its communication bandwidth by an average of 40.41%.

show abstract

More Efficient Amortization of Exact Zero-Knowledge Proofs for LWE

Cited by 8 publications

References 33 publications

A Generic Transform from Multi-round Interactive Proof to NIZK

A Generic Transform from Multi-round Interactive Proof to NIZK

How to Avoid Repetitions in Lattice-Based Deniable Zero-Knowledge Proofs

Post‐quantum secure two‐party computing protocols against malicious adversaries

Contact Info

Product

Resources

About