More Efficient Amortization of Exact Zero-Knowledge Proofs for LWE

Abstract

We propose a practical zero-knowledge proof system for proving knowledge of short solutions \(\mathbf {s},\mathbf {e}\) to linear relations \(\mathbf {A}\mathbf {s}+\mathbf {e}=\mathbf {u}\pmod q\) which gives the most efficient solution for two naturally-occurring classes of problems. The first is when \(\mathbf {A}\) is very “tall”, which corresponds to a large number of LWE instances that use the same secret \(\mathbf {s}\). In this case, we show that the proof size is independent of the height of the matrix (and thus the length of the error vector \(\mathbf {e}\)) and rather only linearly depends on the length of \(\mathbf {s}\). The second case is when \(\mathbf {A}\) is of the form \(\mathbf {I} \otimes \mathbf {A}'\), which corresponds to proving many LWE instances (with different secrets) that use the same samples \(\mathbf {A}'\). The length of this second proof is square root in the length of \(\mathbf {s}\), which corresponds to a square root of the length of all the secrets. Our constructions combine recent advances in “purely” lattice-based zero-knowledge proofs with the Reed-Solomon proximity testing ideas present in some generic zero-knowledge proof systems – with the main difference that the latter are applied directly to lattice instances without going through intermediate problems.

The full version of this paper is available at https://eprint.iacr.org/2020/1449.

A The Hiding Property of Reed-Solomon Codes

We show that when \(\mathbf {r}\) is sampled uniformly at random from \(\mathbb {Z}_q^\tau \), then any \(\tau \) entries of the Reed-Solomon encoding \(\mathsf {Enc}\left( \mathbf {m},\mathbf {r}\right) \) corresponding to the input polynomial \(f = \sum _{i=0}^{m-1} \mathbf {m}_iX^i + X^m \sum _{i=0}^{\tau - 1} \mathbf {r}_iX^i\) follow the uniform distribution over \(\mathbb {Z}_q^\tau \).

Let \(\zeta _1,\ldots ,\zeta _l\) be distinct elements of \(\mathbb {Z}_q^\times \) used as the evaluation points for the Reed-Solomon code. We can write the encoding \(\mathsf {Enc}\left( \mathbf {m},\mathbf {r}\right) \) as a matrix multiplication:

$$\begin{aligned} \mathsf {Enc}\left( \mathbf {m},\mathbf {r}\right) = \left[ \begin{array}{ccccc} 1 &{} \zeta _1 &{} \zeta _1^2 &{} \cdots &{} \zeta _1^{m-1}\\ 1 &{} \zeta _2 &{} \zeta _2^2 &{} \cdots &{} \zeta _2^{m-1}\\ \vdots &{} \vdots &{} \vdots &{} \ddots &{} \vdots \\ 1 &{} \zeta _l &{} \zeta _l^2 &{} \cdots &{} \zeta _l^{m-1} \end{array} \right] \mathbf {m} + \left[ \begin{array}{ccc} \zeta _1^{m} &{} \cdots &{} \zeta _1^{m+\tau -1} \\ \zeta _2^{m} &{} \cdots &{} \zeta _2^{m+\tau -1} \\ \vdots &{} \ddots &{} \vdots \\ \zeta _l^{m} &{} \cdots &{} \zeta _l^{m+\tau -1} \\ \end{array} \right] \mathbf {r} = A \mathbf {m} + B \mathbf {r} \end{aligned}$$

Let I be a subset of [l] with \(|I|=\tau \), and let B(I) be the submatrix of B formed by restricting to the rows in I. Observe B(I) forms a Vandermonde matrix where the i-th row has been multiplied by \(\zeta _i^m\). Since the \(\zeta _i\) are distinct and non-zero, B(I) is invertible. Hence, if \(\mathbf {r}\) is sampled uniformly at random from \(\mathbb {Z}_q^\tau \), then \(B(I)\mathbf {r}\) is uniformly distributed over \(\mathbb {Z}_q^\tau \). This argument shows that any \(\tau \) entries of \(\mathsf {Enc}\left( \mathbf {m},\mathbf {r}\right) \) are uniformly distributed.