1 Introduction

Commitment schemes are among the most widely used cryptographic primitives. They allow one party, the committer, to commit to a message m to another party. At a later point in time, the committer may reveal m by opening the commitment c. The scheme is said to be secure if it is binding and hiding. The former property says that the committer cannot open c to a message different from m, and the latter ensures that only knowing c gives no information about m to the receiver.

In higher-level protocols, commitments are often used to link different building blocks, e.g., encryption-, signature-, and revocation schemes in constructions of group signatures or anonymous credentials [CKL+14]. In such situations, it is often necessary to prove properties of a message m contained in a commitment, without revealing any additional information about m. This is done via so-called zero-knowledge proofs of knowledge (ZK-PoK). These are two-party protocols which allow a prover to convince a verifier that it knows some secret piece of information, without revealing anything other than what is already revealed by the claim itself [GMR85]. As the efficiency of ZK-PoKs of commitments directly affects the efficiency of many higher-level systems, generic constructions such as [GMW86, GMR85] are too inefficient for practical use. A large amount of research effort has therefore been expended in improving the efficiency of such protocols for concrete proof goals. We continue this direction by presenting the so far most efficient ZK-PoKs for lattice-based commitment schemes.

Our constructions are proved secure under the learning with errors over rings (\(\mathsf{RLWE}\)) assumption. Informally, it says that tuples \((a,a\cdot s+e)\in R_q^2\) are computationally indistinguishable from \((a,u)\in R_q^2\), where \(a,s,u\) are uniformly random in \(R_q\) and e is drawn according to some low-weight distribution \(\chi \). We use \(R_q=\mathbb {Z}_q[x]/\langle x^n+1\rangle \), which as a vector space is isomorphic to \(\mathbb {Z}_q^n\) (one can identify \(a=a_1+a_2x+\dots +a_nx^{n-1}\in R_q\) with \((a_1,\dots ,a_n)\in \mathbb {Z}_q^n\)). For appropriately chosen parameters there exists a quantum reduction from certain worst-case problems on ideal lattices to the \(\mathsf{RLWE}\)-problem [LPR10].

1.1 Our Contributions

The goal of this paper is to construct efficient commitments and zero-knowledge proofs from the \(\mathsf{RLWE}\)-assumption. To the best of our knowledge, our protocols are the first to achieve a negligible knowledge error in one run for lattice-based crypto systems.

In detail, our contributions are as follows:

  • Efficient Commitment Schemes from \(\mathsf{RLWE}\). We first construct a perfectly binding and computationally hiding string commitment scheme. Committing to a message is done as in Xie et al. [XXW13], but we relax requirements on valid openings to be able to realize better ZK proofs while still preserving the binding property of the scheme.

  • Efficient ZK-PoK for Committed Values. We then give a simple and efficient zero-knowledge protocol for proving knowledge of committed values. The protocol differs substantially from previous protocols for \(\mathsf{RLWE}\), and improves over them in the following ways: On the one hand, our protocol already achieves a negligible knowledge error in a single run. Previous protocols only achieved a noticeable knowledge error, e.g., Ling et al. [LNSW13] or Xie et al. [XXW13], and thus many repetitions are required to get meaningful security, resulting in low efficiency. On the other hand, we only require that the modulus is polynomially larger than the error in the \(\mathsf{RLWE}\) problem. The construction of Asharov et al. [AJLA+12], which achieves a knowledge error of 1/2, relied on “smudging out” (or “drowning”) the error, which required stronger assumptions as the modulus-error ratio had to be super-polynomial.

    Our protocols can be turned into concurrently zero-knowledge arguments of knowledge without any additional computational costs.

  • Efficient ZK-PoK for Relations. Starting from our basic ZK-PoK we then construct protocols for proving that committed values \(m_1,m_2,m_3\in R_q\) satisfy \(m_3=m_1+m_2\) as well as \(m_3=m_1m_2\).

1.2 Related Work

At Asiacrypt’12, Jain et al. [JKPT12] presented a commitment scheme whose hiding property relies on the learning parity with noise (\(\mathsf{LPN}\)) assumption, which is defined like \(\mathsf{LWE}\) but over bits, i.e., for \(q=2\). Similar to our work, they give a \(\varSigma \)-protocol to prove any relation among committed values. A single run of their preimage proof requires \(\mathcal {O}(n\log n)\) bits of communication, where each committed message is from \(\left\{ 0,1\right\} ^n\). However, their protocols only achieve a knowledge error of 2/3, and thus making the success probability of a malicious prover negligible in k requires \(\mathcal {O}(kn\log n)\) bits of communication. The main open problem of [JKPT12] was to find a commitment scheme and protocols whose security is based on \(\mathsf{LPN}\) or a related problem, and which avoids the dependency on k.

Xie et al. [XXW13] generalized the commitment scheme from Jain et al. [JKPT12] from \(\mathsf{LPN}\) to \(\mathsf{RLWE}\), and gave companion protocols for their scheme. However, their zero-knowledge proofs still require Stern-like techniques [Ste93], and therefore only achieve a knowledge error of 2/3. Our commitment scheme is closely related to theirs and may be seen as a generalization as we relax the requirements on valid openings. In their construction, a commitment \({\varvec{c}}\) to a message m can be opened by revealing r and a short \({\varvec{e}}\) such that \({\varvec{c}}={\varvec{a}}m+{\varvec{b}}r+{\varvec{e}}\), where \({\varvec{a}},{\varvec{b}},{\varvec{c}},{\varvec{e}}\in R_q^k\) and \(m,r\in R_q\). Getting a bit ahead, we relax the openings such that we also accept openings of the form \({\varvec{c}}={\varvec{a}}m +{\varvec{b}}r+ f^{-1}{\varvec{e}}\), where \(f\in R_q\) is an additional small polynomial. We will prove that commitments are still binding, and show that this relaxation allows us to overcome the constant knowledge-error “barrier” for the commitment scheme by employing rejection sampling techniques introduced by Lyubashevsky [Lyu09, Lyu12].

Recently, Benhamouda et al. [BCK+14] improved the efficiency of ZK-PoKs for \(\mathsf{RLWE}\)-based encryption schemes. As encryption schemes can also be seen as commitment schemes, it is worthwhile comparing their result to ours. They give a protocol for proving relations of the form \(y=as+e\) (for \(y,a,s,e\in R_q\) and \(s,e\) short) that has a knowledge error of 1/(2n), where n is the dimension of the ring, and thus also overcomes the above barrier. However, their protocol has a soundness gap in the sense that it only proves that the prover knows a valid representation of 2y, not of y itself, which is still sufficient for many applications as illustrated in their work. We improve over their results by reaching a negligible knowledge error already in one run of the protocol (compared to 1/(2n)) and by not having such a soundness gap. On the other hand, our protocol requires the ring \(R_q\) to have a large subring that is a field, whereas the protocol in [BCK+14] does not require such a property.

Asharov et al. [AJLA+12] constructed \(\varSigma \)-protocols for several specific languages related to the standard \(\mathsf{LWE}\)-problem. However, they do not give (efficient, i.e., direct) constructions for proving relations among \(\mathsf{LWE}\)-secrets. Furthermore, their protocols have a super-polynomial knowledge-gap, i.e., the norm of the error known to a potentially malicious prover can only be guaranteed to be super-polynomially larger than that known to an honest party, while this gap is only polynomial in our case. This allows us to prove the security of our scheme under weaker assumptions, and to use a smaller modulus in the \(\mathsf{RLWE} \)-problem, giving better efficiency.

Apart from these very closely related works, a large number of cryptographic applications based on the \(\mathsf{LWE}\)-assumption has been proposed, starting with the work of Regev [Reg05]. This includes (fully homomorphic) encryption [BV11a, Gen09, LP11, LPR10, Reg05], signature schemes [DDLL13, GPV08, Lyu09, Lyu12, Rüc10], pseudorandom functions [BPR12] and hash functions [KV09, PR06]. Similarly, efficient (non-)interactive zero-knowledge proofs and arguments have been a vivid topic of research, see, e.g., [AJLA+12, BDP00, CD97, CD98, CD09, DPSZ12, GS08, IKOS07, KR06, KMO90, KP98] and the references therein. Finally, starting with a different motivation, the idea of committing to the first message in a \(\varSigma \)-protocol was also used by Damgård [Dam00], where it was shown how to obtain concurrent zero-knowledge for any \(\varSigma \)-protocol. We commit to the first message to get zero-knowledge in the first place, and we will discuss how the concurrency results also apply to our constructions in Sect. 4.1.

1.3 Roadmap

In Sect. 2 we recap some basic definitions on ZK proofs and \(\mathsf{LWE}\). Then, in Sect. 3 we present our commitment scheme, and give protocols for proving knowledge of, and relations among, the contents of commitments in Sect. 4. We finally briefly conclude in Sect. 5.

2 Preliminaries

We denote vectors by bold lower-case letters (\({\varvec{a}},{\varvec{b}},\dots \)) and algorithms by sans-serif letters (\(\mathsf{A},\mathsf{B},\dots \)). We write \(a\mathop {\leftarrow }\limits ^{{\tiny \$}}A\) for a set A if a was uniformly drawn from A, \(a\mathop {\leftarrow }\limits ^{{\tiny \$}}D\) for a distribution D if a was drawn according to D, and \(a\mathop {\leftarrow }\limits ^{{\tiny \$}}\mathsf{A}\) if a is the output of a randomized algorithm \(\mathsf{A}\).

For two distributions \(D,E\), we write \(D\mathop {\sim }\limits ^{c}E\), if D and E are computationally indistinguishable. Furthermore, we use the notation \(\mathsf{Pr}[\mathcal {E}:\varOmega ]\) to denote the probability of event \(\mathcal {E}\) over the probability space \(\varOmega \). For instance, \(\mathsf{Pr}[x=y:x,y\mathop {\leftarrow }\limits ^{{\tiny \$}}D]\) denotes the probability that \(x=y\) if \(x,y\) were drawn according to a distribution D.

The language induced by a binary relation \(\mathcal {R}\) is defined as

$$\begin{aligned} \mathcal {L}(\mathcal {R})=\left\{ c\,:\,\exists w \text{ such } \text{ that } (c,w)\in \mathcal {R}\right\} . \end{aligned}$$

We finally assume that elements of \(\mathbb {Z}_q\) (q odd) are represented by elements from \(\left\{ -\frac{q-1}{2},\dots ,\frac{q-1}{2}\right\} \).

2.1 Commitment Schemes

We now formally define commitment schemes.

Definition 2.1

A commitment scheme consists of three algorithms \((\mathsf{KGen}\), \(\mathsf{Com}\), \(\mathsf{Ver})\) such that:

  • On input \(1^{\ell }\), the key generation algorithm \(\mathsf{KGen}\) outputs a public commitment key pk.

  • The commitment algorithm \(\mathsf{Com}\) takes as inputs a message m from a message space \(\mathcal {M}\) and a commitment key pk, and outputs a commitment/opening pair \((c,d)\).

  • The verification algorithm \(\mathsf{Ver}\) takes a key pk, a message m, a commitment c and an opening d and outputs \(\mathsf{accept}\) or \(\mathsf{reject}\).

A commitment scheme has to satisfy the following security requirements:

  • Correctness: \(\mathsf{Ver}\) outputs \(\mathsf{accept}\) whenever the inputs were computed by an honest party, i.e.,

    $$\begin{aligned} \mathsf{Pr}[\mathsf{Ver}(pk,m,c,d)=\mathsf{accept}: m\in \mathcal {M}, (c,d)\mathop {\leftarrow }\limits ^{{\tiny \$}}\mathsf{Com}(m,\mathsf{KGen}(1^\ell ))]=1. \end{aligned}$$
  • Binding: A commitment cannot be opened to different messages. A scheme is said to be perfectly binding if this holds unconditionally, i.e., with overwhelming probability over the choice of the public key \(pk\mathop {\leftarrow }\limits ^{{\tiny \$}}\mathsf{KGen}(1^\ell )\) we have that:

    $$\begin{aligned} \left( (\mathsf{Ver}(pk,m,c,d)=\mathsf{accept})\wedge (\mathsf{Ver}(pk,m',c,d')=\mathsf{accept})\right) \Rightarrow m=m'. \end{aligned}$$

    On the other hand, a scheme is said to be computationally binding if no PPT adversary can come up with a commitment and two different openings, i.e., for every PPT adversary \(\mathsf{A}\) there exists a negligible function negl such that:

    $$\begin{aligned} \mathsf{Pr}\Big [\mathsf{Ver}(pk,m,c,d)=\mathsf{Ver}(pk,m',c,d'):&pk\mathop {\leftarrow }\limits ^{{\tiny \$}}\mathsf{KGen}(1^\ell ), \\&(c,m,d,m',d')\mathop {\leftarrow }\limits ^{{\tiny \$}}\mathsf{A}(pk)\Big ]\le \mathsf{negl}(n). \end{aligned}$$
  • Computational hiding: A commitment computationally hides the committed message: for every probabilistic polynomial time (PPT) adversary \(\mathsf{A}\) there is a negligible function negl such that:

    $$\begin{aligned} \mathsf{Pr}\left[ b=b':\begin{array}{cc}pk\mathop {\leftarrow }\limits ^{{\tiny \$}}\mathsf{KGen}(1^\ell ), (m_0,m_1,\mathsf{aux})\mathop {\leftarrow }\limits ^{{\tiny \$}}\mathsf{A}_1(pk),\\ b\mathop {\leftarrow }\limits ^{{\tiny \$}}\{0,1\}, (c,d)=\mathsf{Com}(m_b,pk), b'\mathop {\leftarrow }\limits ^{{\tiny \$}}\mathsf{A}_2(c,\mathsf{aux})\end{array}\right] \le \frac{1}{2}+\mathsf{negl}(n). \end{aligned}$$

A scheme is called a trapdoor commitment scheme, if \(\mathsf{KGen}\) additionally outputs a trapdoor td for the public key, such that there exists an efficient algorithm taking \((c,d)=\mathsf{Com}(m,pk)\), m, td and \(m'\in \mathcal {M}\) as inputs, that outputs \(d'\) such that \(\mathsf{Ver}(pk,m',c,d')=\mathsf{accept}\). Note that trapdoor commitment schemes can only be computationally binding. See, e.g., Fischlin [Fis01] for a detailed discussion of such schemes.

For the sake of simplicity, we will not state pk explicitly as an input in the following.

2.2 Zero-Knowledge Proofs and \(\varSigma \)-Protocols

Informally, a zero-knowledge proof of knowledge is a two party protocol between a prover and a verifier, which allows the former to convince the latter that it knows some secret piece of information, without revealing anything about the secret apart from what the claim itself already reveals. For a formal definition we refer to Bellare and Goldreich [BG93]. The ZK proofs constructed in this paper will be instantiations of the following definition, which is a straightforward generalization of the standard notion of \(\varSigma \)-protocols [Cra97, Dam10]:

Definition 2.2

Let \((\mathsf{P},\mathsf{V})\) be a two-party protocol, where \(\mathsf{V}\) is PPT, and let \(\mathcal {R},\mathcal {R}'\) be binary relations such that \(\mathcal {R}\subseteq \mathcal {R}'\). Then \((\mathsf{P},\mathsf{V})\) is called a \(\varSigma _m'\)-protocol for \(\mathcal {R},\mathcal {R}'\) with challenge set \(\mathcal {C}\), public input c and private input w, if and only if it satisfies the following conditions:

  • 3-move form: The protocol is of the following form:

    • The prover \(\mathsf{P}\) computes a commitment t and sends it to \(\mathsf{V}\).

    • The verifier \(\mathsf{V}\) draws a challenge \(d\mathop {\leftarrow }\limits ^{{\tiny \$}}\mathcal {C}\) and sends it to \(\mathsf{P}\).

    • The prover sends a response s to the verifier.

    • Depending on the protocol transcript \((t,d,s)\), the verifier accepts or rejects the proof.

    The protocol transcript \((t,d,s)\) is called accepting, if the verifier accepts the protocol run.

  • Completeness: Whenever \((c,w)\in \mathcal {R}\), the verifier \(\mathsf{V}\) accepts with probability at least \(1-\alpha \).

  • Special soundness: There exists a PPT algorithm \(\mathsf{E}\) (the knowledge extractor) which takes m accepting transcripts \((t,d_1,s_1), \dots , (t,d_m,s_m)\) satisfying \(d_i\ne d_j\) for \(i\ne j\) as inputs, and outputs \(w'\) such that \((c,w')\in \mathcal {R}'\).

  • Special honest-verifier zero-knowledge: There exists a PPT algorithm \(\mathsf{S}\) (the simulator) taking \(c\in \mathcal {L}(\mathcal {R})\) and \(d\in \mathcal {C}\) as inputs, that outputs triples \((t,d,s)\) whose distribution is (computationally) indistinguishable from accepting protocol transcripts generated by real protocol runs.

We now discuss some additional points regarding Definition 2.2. First, the standard definition for \(\varSigma \)-protocols found in the literature considers the case where \(m=2\), \(\mathcal {R}=\mathcal {R}'\) and \(\alpha =0\). In this case, it is well known that the protocol is also a proof of knowledge for the same relation \(\mathcal {R}\) with knowledge error \(1/|\mathcal {C}|\) [Dam10]. However, it can be seen that the proof given there also generalizes to other constants m with a knowledge error of \((m-1)/|\mathcal {C}|\) if \(1-\alpha >(m-1)/|\mathcal {C}|\), and special cases of this result were already used implicitly in previous work, e.g., [JKPT12, Ste93]. Second, the modification that \(\mathcal {R}\subseteq \mathcal {R}'\) means that the protocol is honest-verifier zero-knowledge and complete whenever the prover uses a secret witness w such that \((c,w)\in \mathcal {R}\), but the verifier is only assured that the prover supplied a witness \(w'\) such that \((c,w')\in \mathcal {R}'\). For many interesting relations this gap allows for much more efficient protocols, e.g., Fujisaki et al. [FO97, DF02] or Benhamouda et al. [BCK+14]. If this gap is reasonably small, as is the case in the protocols we present, one still obtains sufficient security guarantees from the protocol. Finally, the above definition only guarantees privacy to the prover against honest-but-curious verifiers, i.e., verifiers not deviating from the protocol. This issue can be solved generically using techniques of, e.g., Damgård et al. [DGOW95] or Fiat and Shamir [FS87]; furthermore, for our concrete protocols it can be solved without any extra costs, cf. Lemma 4.3.

2.3 Learning with Errors

The learning with errors (\(\mathsf{LWE}\)) problem was first introduced by Regev [Reg05]. Informally, it asks to distinguish slightly perturbed random linear equations from truly random ones. \(\mathsf{LWE}\) has been shown to be as hard as certain worst-case problems on lattices, and has served as a basis for a large variety of cryptographic schemes. Unfortunately, schemes built upon \(\mathsf{LWE}\) are inherently inefficient due to a large overhead in the use of the problem. This drawback has been resolved by Lyubashevsky et al. [LPR10] by introducing the ring learning with errors (\(\mathsf{RLWE}\)) problem, which still enjoys strong hardness guarantees. The following formulation is a special case of the problem restricted to the ring \(\mathbb {Z}[x]/\langle x^n+1\rangle \), with n a power of two:

Definition 2.3

Let \(R=\mathbb {Z}[x]/\langle x^n+1\rangle \) and \(R_q=R/qR\), and let \(\chi \) be a distribution over R.

The (decisional) ring learning with errors assumption (denoted by \(\mathsf{RLWE} _{q,\chi }\)) states that:

$$\begin{aligned} \left\{ (a_i,a_i\cdot s + e_i)\right\} \mathop {\sim }\limits ^{c}\left\{ (a_i,u_i)\right\} , \end{aligned}$$

for any polynomial number of samples, where \(a_i\mathop {\leftarrow }\limits ^{{\tiny \$}}R_q\), \(e_i\mathop {\leftarrow }\limits ^{{\tiny \$}}\chi \), \(u_i\mathop {\leftarrow }\limits ^{{\tiny \$}}R_q\), and \(s\mathop {\leftarrow }\limits ^{{\tiny \$}}R_q\) is secret.

We further recapitulate the definition of Normal distributions:

Definition 2.4

The continuous Normal distribution on \(\mathbb {R}^m\) centered at \({\varvec{v}}\) with standard deviation \(\sigma \) is defined by the density function

$$\begin{aligned} \rho _{{\varvec{v}},\sigma }^m({\varvec{x}}) = \left( \frac{1}{\sqrt{2\pi }\sigma }\right) ^m e^{-\frac{\Vert {\varvec{x}}-{\varvec{v}}\Vert ^2}{2\sigma ^2}}. \end{aligned}$$

We avoid the subscript \({\varvec{v}}\) if \({\varvec{v}}=0^m\).

The discrete Normal distribution on \(\mathbb {Z}^m\) centered at \({\varvec{v}}\) with standard deviation \(\sigma \) is defined by the density function \(D_{{\varvec{v}},\sigma }^m({\varvec{x}}) = \rho _{{\varvec{v}},\sigma }^m({\varvec{x}})/\rho _{\sigma }(\mathbb {Z}^m)\), where \(\rho _{\sigma }(\mathbb {Z}^m)=\sum _{{\varvec{z}}\in \mathbb {Z}^m}\rho _{\sigma }^m({\varvec{z}})\) is the scaling factor required to obtain a probability distribution.

For convenience, when sampling the Normal distribution over a ring R we will still write \(D_{{\varvec{v}},\sigma }\), even though it is not a 1-dimensional distribution. Lyubashevsky et al. [LPR10] showed that the search and the decisional versions of \(\mathsf{RLWE} _{q,\chi }\) are polynomially related, and that there exists a quantum reduction from the worst-case approximate shortest vector problem on ideal lattices to \(\mathsf{RLWE} _{q,\chi }\).

2.4 Rejection Sampling

For proving the zero-knowledge property of our protocol, it is essential that all the responses of the prover can be simulated without knowing the secret key. We thus need that the response elements are from a distribution which is independent of the secret key. In our protocol, however, all the potential responses will be from a shifted distribution \(D_{{\varvec{v}},\sigma }^\ell \) for \(\ell =kn\) and some vector \({\varvec{v}}\) depending on the secret key. To correct for this, we employ rejection sampling [Lyu09, Lyu12], where a potential response is only output with a certain probability, and otherwise the protocol is aborted.

Informally, the following theorem states that if \(\sigma \in \tilde{\varTheta }(\Vert {\varvec{v}}\Vert )\), then the rejection sampling procedure will result in a distribution statistically close to \(D_{\sigma }^\ell \), which is independent of \({\varvec{v}}\) as required. The technique only requires a constant number of iterations before a value is output, and furthermore the output is also statistically close for every \({\varvec{v}}'\) with norm at most \(\Vert {\varvec{v}}\Vert \). For concrete parameters we refer to the original work of Lyubashevsky [Lyu12].

Theorem 2.5

([Lyu12]). Let V be a subset of \(\mathbb {Z}^\ell \) in which all elements have norms less than T, and let h be a probability distribution over V. Then, for any constant M, there exists a \(\sigma =\tilde{\varTheta }(T)\) such that the output distributions of the following algorithms \(\mathsf{A}, \mathsf{F}\) are statistically close:

[Figure omitted in this extraction: the two sampling algorithms \(\mathsf{A}\) and \(\mathsf{F}\) compared in Theorem 2.5.]

Moreover, the probability that \(\mathsf{A}\) outputs something is exponentially close to that of \(\mathsf{F}\), i.e., 1/M.

In [Lyu12], it is also shown that if \(\sigma =\alpha T\) for a positive \(\alpha \), then \(M=e^{12/\alpha +1/(2\alpha ^2)}\), the output of \(\mathsf{A}\) is within a statistical distance of \(\frac{2^{-100}}{M}\) of the output of \(\mathsf{F}\), and the probability that \(\mathsf{A}\) outputs something is at least \(\frac{1-2^{-100}}{M}\).

3 Commitments from Ring-LWE

Table 1. Overview of parameters used in this document.

In the following we describe our commitment scheme. Table 1 lists the parameters being used and the requirements we pose on them.

  • \(\mathsf{KGen}\): The public commitment key \(pk=({\varvec{a}},{\varvec{b}})\) is computed as \({\varvec{a}},{\varvec{b}}\mathop {\leftarrow }\limits ^{{\tiny \$}}(\mathbb {Z}_q[x]/\langle x^n+1\rangle )^k\), where \(q\equiv 3\text { mod }8\) is prime, and n is a power of 2.

  • \(\mathsf{Com}\): To commit to a message \(m\in \mathbb {Z}_q[x]/\langle x^n+1\rangle \), the commitment algorithm draws \(r\mathop {\leftarrow }\limits ^{{\tiny \$}}\mathbb {Z}_q[x]/\langle x^n+1\rangle \) and \({\varvec{e}}\mathop {\leftarrow }\limits ^{{\tiny \$}}D_{\sigma _e}^k\) conditioned on \(\Vert {\varvec{e}}\Vert _\infty \le n\), and outputs

    $$\begin{aligned} {\varvec{c}}= {\varvec{a}}m + {\varvec{b}}r + {\varvec{e}}, \end{aligned}$$

    and the opening information for \({\varvec{c}}\) is given by \((m,r,{\varvec{e}},1)\).

  • \(\mathsf{Ver}\): Given a commitment \({\varvec{c}}\), a message \(m'\), a randomness \(r'\), as well as \({\varvec{e}}'\) and \(f'\), the verifier accepts, if and only if

    $$\begin{aligned} {\varvec{a}}m' + {\varvec{b}}r' + f'^{-1}{\varvec{e}}' = {\varvec{c}}\,\wedge \, \Vert {\varvec{e}}'\Vert _\infty < \left\lfloor \frac{n^{4/3}}{2}\right\rfloor \,\wedge \, \Vert f'\Vert _\infty \le 1 \,\wedge \, \deg f' < \frac{n}{2}. \end{aligned}$$

The scheme above is a generalization of that by Xie et al. [XXW13], as we allow for the additional small polynomial f in valid openings. While an honest party can always set \(f=1\) when opening \({\varvec{c}}\) and therefore the completeness property is not affected by this relaxation, the immediate question arises whether the given construction is still binding, i.e., whether a malicious user still cannot open a commitment to two different messages. We give a formal security proof in the following.

We want to stress that the above modification will be at the heart of the construction of efficient zero-knowledge proofs of the contained message in Sect. 4.
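A toy implementation of the three algorithms above, added here as an example (it is not code from the paper): polynomials in \(R_q\) are coefficient lists, \(f^{-1}\) is computed as \(f^{q^{n/2}-2}\) using the two-factor splitting of \(x^n+1\) that the proof of Theorem 3.1 cites, and the demo checks an honest opening, the relaxed opening \((m,r,f{\varvec{e}},f)\) with \(f=1+x\), a wrong message, and an \(f\) of degree \(n/2\). The sizes \(n=16\), \(k=26\), \(\gamma =7\), \(q=2^{32}-5\) and \(\sigma _e=1\) are assumptions chosen so that constraint (1) holds in shape; they provide no security.

```python
import math
import random

N, K, GAMMA = 16, 26, 7       # toy sizes; gamma = 7 gives q >= 16^7 and k > 18*7/5 = 25.2
Q = 4294967291                # largest 32-bit prime, Q % 8 == 3 as KGen requires
SIGMA_E = 1.0                 # toy error width (Table 1 is not reproduced on this page)

def params_ok(n, q, k, gamma):
    """Constraint (1) of Theorem 3.1 plus the conditions on q and n stated in KGen."""
    prime = q > 2 and all(q % d for d in range(3, math.isqrt(q) + 1, 2))
    return (prime and q % 8 == 3 and (n & (n - 1)) == 0 and gamma > 6
            and q >= n ** gamma >= n ** 6 and k > 18 * gamma / (3 * gamma - 16))

def centered(x, q):           # representative in {-(q-1)/2, ..., (q-1)/2} (Sect. 2)
    return (x + (q - 1) // 2) % q - (q - 1) // 2

def inf_norm(v, q):           # ||v||_inf of one polynomial or of a list of polynomials
    coeffs = [c for p in v for c in p] if isinstance(v[0], list) else v
    return max(abs(centered(c, q)) for c in coeffs)

def poly_add(a, b, q): return [(x + y) % q for x, y in zip(a, b)]

def poly_mul(a, b, q):
    """Schoolbook product in Z_q[x] reduced modulo x^n + 1 (so x^n = -1)."""
    n, res = len(a), [0] * len(a)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                res[i + j] += ai * bj
            else:
                res[i + j - n] -= ai * bj
    return [c % q for c in res]

def poly_inv(f, q):
    """Inverse of a unit f in R_q.  For q = 3 mod 8, x^n+1 has two irreducible factors
    of degree n/2 [SSTX09, Lemma 3], so R_q is a product of two copies of F_{q^{n/2}}
    and f^(q^{n/2} - 2) = f^{-1} for every unit f (square-and-multiply below)."""
    n, exp = len(f), q ** (len(f) // 2) - 2
    acc, base = [1] + [0] * (n - 1), f
    while exp:
        if exp & 1:
            acc = poly_mul(acc, base, q)
        base, exp = poly_mul(base, base, q), exp >> 1
    return acc

def sample_gauss(sigma, rng):
    """Discrete Gaussian D_sigma on Z by rejection from a box of half-width 6 sigma."""
    bound = int(6 * sigma) + 1
    while True:
        z = rng.randint(-bound, bound)
        if rng.random() < math.exp(-z * z / (2 * sigma * sigma)):
            return z

def kgen(rng, n=N, k=K, q=Q):
    """KGen: pk = (a, b) with a, b uniform in R_q^k."""
    a = [[rng.randrange(q) for _ in range(n)] for _ in range(k)]
    b = [[rng.randrange(q) for _ in range(n)] for _ in range(k)]
    return a, b

def commit(pk, m, rng, sigma=SIGMA_E, q=Q):
    """Com: c = a m + b r + e with e <- D_sigma^k, ||e||_inf <= n; opening is (m, r, e, 1)."""
    a, b = pk
    n, k = len(m), len(a)
    r = [rng.randrange(q) for _ in range(n)]
    while True:
        e = [[sample_gauss(sigma, rng) % q for _ in range(n)] for _ in range(k)]
        if inf_norm(e, q) <= n:
            break
    c = [poly_add(poly_add(poly_mul(a[i], m, q), poly_mul(b[i], r, q), q), e[i], q)
         for i in range(k)]
    return c, (m, r, e, [1] + [0] * (n - 1))

def verify(pk, c, m, r, e, f, q=Q):
    """Ver: c = a m + b r + f^{-1} e, ||e||_inf < floor(n^{4/3}/2), ||f||_inf <= 1, deg f < n/2."""
    a, b = pk
    n = len(m)
    if not any(f) or inf_norm(f, q) > 1 or any(x % q for x in f[n // 2:]):
        return False                                  # f must be a small unit of degree < n/2
    if inf_norm(e, q) >= math.floor(n ** (4 / 3) / 2):
        return False
    f_inv = poly_inv(f, q)
    return all(c[i] == poly_add(poly_add(poly_mul(a[i], m, q), poly_mul(b[i], r, q), q),
                                poly_mul(f_inv, e[i], q), q) for i in range(len(a)))

def demo(seed=1):
    """Honest opening, the relaxed opening (m, r, f e, f) with f = 1 + x (f^{-1}(f e) = e),
    a wrong message, and an f of degree n/2 (outside the set of valid openings)."""
    rng = random.Random(seed)
    pk = kgen(rng)
    c, (m, r, e, one) = commit(pk, [rng.randrange(Q) for _ in range(N)], rng)
    f = [1, 1] + [0] * (N - 2)
    fe = [poly_mul(f, ei, Q) for ei in e]
    m_wrong = [(m[0] + 1) % Q] + m[1:]
    f_big = [0] * (N // 2) + [1] + [0] * (N // 2 - 1)
    return {"params": params_ok(N, Q, K, GAMMA),
            "honest": verify(pk, c, m, r, e, one),
            "relaxed": verify(pk, c, m, r, fe, f),
            "wrong_msg": verify(pk, c, m_wrong, r, e, one),
            "bad_f": verify(pk, c, m, r, e, f_big)}
```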

Theorem 3.1

Let \(\gamma >6\) and \(q,k\) be polynomial in n such that the following is satisfied:

$$\begin{aligned} q\ge n^\gamma \ge n^6 \quad \text {and} \quad k>\frac{18\gamma }{3\gamma -16}. \end{aligned}$$
(1)

Then, under the \(\mathsf{RLWE}\)-assumption, the above scheme is a computationally hiding and perfectly binding commitment scheme with overwhelming probability over the choices of the public commitment key.

Proof

Correctness is trivial to see.

Computational Hiding. First note that by, e.g., [Lyu12, Lemma 4.4], the probability that \({\varvec{e}}\mathop {\leftarrow }\limits ^{{\tiny \$}}D_{\sigma _e}^k\) has \(\Vert {\varvec{e}}\Vert _\infty >n\) is negligible, and thus the conditional distribution of \({\varvec{e}}\) in \(\mathsf{Com}\) is statistically close to a discrete Normal distribution. Now, by the \(\mathsf{RLWE}\)-assumption, \({\varvec{b}}r+{\varvec{e}}\) is pseudorandom, and thus so is \({\varvec{c}}\).

Binding. For the binding property, we have to show that

$$\begin{aligned} {\varvec{c}}= {\varvec{a}}m' + {\varvec{b}}r' + f'^{-1}{\varvec{e}}' = {\varvec{a}}m'' + {\varvec{b}}r'' + f''^{-1}{\varvec{e}}'' \end{aligned}$$

implies that \(m'=m''\), if \(\Vert {\varvec{e}}'\Vert _\infty ,\Vert {\varvec{e}}''\Vert _\infty < n^{4/3}/2\), \(\Vert f'\Vert _\infty ,\Vert f''\Vert _\infty \le 1\), and \(\deg f',\deg f''<n/2\), or, alternatively, that

$$\begin{aligned} {\varvec{a}}m + {\varvec{b}}r = f'^{-1}{\varvec{e}}' - f''^{-1}{\varvec{e}}'' \end{aligned}$$

implies that \(m=0\) with overwhelming probability over the choices of \({\varvec{a}},{\varvec{b}}\).

Assume by contradiction that this holds for some fixed \(m,r,{\varvec{e}}',{\varvec{e}}'',f',f''\) with \(m\ne 0\) and \({\varvec{e}}',{\varvec{e}}'',f',f''\) being sufficiently small. Because of the assumption on n and q, we have that \(x^n+1\) splits into two irreducible factors \(\alpha (x),\beta (x)\) [SSTX09, Lemma 3]. Now, since \(m\ne 0\text { mod }(x^n+1)\), we also have that \(m\ne 0\text { mod }\alpha (x)\) or \(m\ne 0\text { mod }\beta (x)\), and thus \({\varvec{a}}_i m\) takes at least \(q^{n/2}\) different values. We then have that

$$\begin{aligned} \mathsf{Pr}\left[ \begin{pmatrix} {\varvec{a}}_1m+{\varvec{b}}_1r \\ \vdots \\ {\varvec{a}}_km+{\varvec{b}}_kr \end{pmatrix} = \begin{pmatrix} f'^{-1}{\varvec{e}}'_1-f''^{-1}{\varvec{e}}''_1\\ \vdots \\ f'^{-1}{\varvec{e}}'_k-f''^{-1}{\varvec{e}}''_k \end{pmatrix} :{\varvec{a}},{\varvec{b}}\mathop {\leftarrow }\limits ^{{\tiny \$}}(\mathbb {Z}_q[x]/\langle x^n+1\rangle )^k\right] \le \frac{1}{q^{kn/2}}. \end{aligned}$$

Now, taking a union bound over all \(m,r,{\varvec{e}}',{\varvec{e}}'',f',f''\) we get that the overall probability that there exists such an \(m\ne 0\) is at most

$$\begin{aligned} \frac{q^{2n}(n^{4/3})^{2kn}3^{2n/2}}{q^{kn/2}} \le \frac{q^{2n}(q^{4/(3\gamma )})^{2kn}3^{2n/2}}{q^{kn/2}} = 3^n q^{(2 + (\frac{8}{3\gamma } - \frac{1}{2})k)n}. \end{aligned}$$

This is negligible in n if \(3q^{2+(8/(3\gamma )-1/2)k} \le 1/2\), which holds if the requirements from (1) are satisfied.    \(\square \)

4 Zero-Knowledge Proofs of Knowledge

In this section we first present a protocol for proving knowledge of valid openings of commitments as defined in the previous section. We then give protocols which allow one to prove that the messages \(m_1,m_2,m_3\) contained in commitments \({\varvec{c}}_1,{\varvec{c}}_2,{\varvec{c}}_3\) satisfy \(m_3=m_1+m_2\) or \(m_3=m_1m_2\), respectively. Together this allows one to prove knowledge of arbitrary algebraic circuits.

In this entire section we let \((\mathsf{aKGen},\mathsf{aCom},\mathsf{aVer})\) be an arbitrary auxiliary string commitment scheme. For simplicity, the reader may think of it as the scheme from Sect. 3, or as well just as a random oracle. We write \((c_\mathsf{aux},d_\mathsf{aux})=\mathsf{aCom}(s)\), where \(c_\mathsf{aux}\) is the commitment and \(d_\mathsf{aux}\) is the opening of \(c_\mathsf{aux}\).

4.1 Preimage Proofs

Protocol 4.1 is a \(\varSigma _2'\)-protocol for showing knowledge of a valid opening for a single commitment. It is honest-verifier zero-knowledge whenever the commitment was honestly computed, and is sound with respect to valid openings. In particular, whenever a potentially malicious prover can make the verifier accept with more than negligible probability, it must know a valid opening of \({\varvec{c}}\). We stress that this gap between the zero-knowledge and the soundness property is in line with previous protocols, e.g., for discrete logarithms in groups of hidden order [DF02], where the prover is also guaranteed security only for a subset of valid openings. However, this gap is meaningful, as our commitment scheme is still perfectly binding also for the larger set of valid openings, and so the proof still guarantees knowledge of the unique valid opening of \({\varvec{c}}\).

[Figure omitted in this extraction: Protocol 4.1.]

Theorem 4.2

If the auxiliary commitment scheme is perfectly binding, then Protocol 4.1 is an honest-verifier zero-knowledge proof of knowledge with knowledge error \(1/\left( {\begin{array}{c}n/2\\ \kappa \end{array}}\right) \) for the following relations:

$$\begin{aligned} \mathcal {R}_{LWE}= & {} \left\{ \left( ({\varvec{a}},{\varvec{b}},{\varvec{c}}),(m,r,{\varvec{e}})\right) \,:\,{\varvec{c}}={\varvec{a}}m + {\varvec{b}}r + {\varvec{e}}\ \wedge \ \Vert {\varvec{e}}\Vert _\infty \le n\right\} \, \text{ and }\\ \mathcal {R}_{LWE}'= & {} \Big \{\left( ({\varvec{a}},{\varvec{b}},{\varvec{c}}),(m,r,{\varvec{e}},f)\right) :\,{\varvec{c}}={\varvec{a}}m + {\varvec{b}}r + f^{-1}{\varvec{e}}\ \wedge \ \Vert {\varvec{e}}\Vert _\infty \le \lfloor n^{4/3}/2\rfloor ,\\&\qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \Vert f\Vert _{\infty }\le 1, \deg f<\frac{n}{2}\Big \}. \end{aligned}$$

Proof

The theorem is proved by showing that the protocol is a \(\varSigma _2'\)-protocol for the given relation. The claim then follows directly from the discussion in Sect. 2.2.

The 3-move-form is obvious.

Completeness. An honest prover responds (rather than aborting) with probability close to \(\frac{1}{M}\). In this case we get:

$$\begin{aligned} {\varvec{t}}+d{\varvec{c}}= & {} {\varvec{a}}\mu +{\varvec{b}}\rho +\varvec{\eta }+d{\varvec{a}}m+d{\varvec{b}}r+d{\varvec{e}}\\= & {} {\varvec{a}}(\mu +dm)+{\varvec{b}}(\rho +dr)+(\varvec{\eta }+d{\varvec{e}}) = {\varvec{a}}s_m + {\varvec{b}}s_r + s_{{\varvec{e}}}. \end{aligned}$$

Furthermore, we have that with overwhelming probability

$$\begin{aligned} \Vert s_{{\varvec{e}}}\Vert _\infty = \Vert \varvec{\eta }+d{\varvec{e}}\Vert _\infty \le \Vert \varvec{\eta }\Vert _\infty +\kappa \Vert {\varvec{e}}\Vert _\infty \le \lfloor n^{4/3}/4\rfloor , \end{aligned}$$

as the standard deviations of \(D_{\sigma _e},D_{\sigma _\eta }\) are significantly smaller than \(n^{4/3}\).

Special Soundness. Let the extractor \(\mathsf{E}\) be given two accepting protocol transcripts \((c_\mathsf{aux},d',(d_\mathsf{aux}',{\varvec{t}}',s_m',s_r',s_{{\varvec{e}}}'))\) and \((c_\mathsf{aux},d'',(d_\mathsf{aux}'',{\varvec{t}}'',s_m'',s_r'',s_{{\varvec{e}}}''))\), where \(d'\ne d''\). By the perfect binding property of \(\mathsf{aCom}\) we get that \({\varvec{t}}'={\varvec{t}}''={\varvec{t}}\). By subtracting the verification equations performed by the verifier we then obtain:

$$\begin{aligned} \varDelta _d{\varvec{c}}= {\varvec{a}}\varDelta _m + {\varvec{b}}\varDelta _r + \varDelta _{{\varvec{e}}}, \end{aligned}$$

where we set \(\varDelta _d=d'-d''\), \(\varDelta _m=s_m'-s_m''\), \(\varDelta _r=s_r'-s_r''\) and \(\varDelta _{{\varvec{e}}}=s_{{\varvec{e}}}'-s_{{\varvec{e}}}''\). As \(\deg \varDelta _d<n/2\), we also have that \(\varDelta _d\) is invertible in \(R_q\). We get the witness \((\varDelta _d^{-1}\varDelta _m,\varDelta _d^{-1}\varDelta _r,\varDelta _d,\varDelta _{{\varvec{e}}})\), where \(\Vert \varDelta _d\Vert _\infty \le 1\) and \(\Vert \varDelta _{{\varvec{e}}}\Vert _\infty \le \lfloor n^{4/3}/2\rfloor \).

Honest-Verifier Zero-Knowledge. Taking a challenge d as an input, the simulator first draws uniformly random elements \(s_m',s_r'\mathop {\leftarrow }\limits ^{{\tiny \$}}\mathbb {Z}_q[x]/\langle x^n+1\rangle \), and \(s_{{\varvec{e}}}'\) to be \(\bot \) with probability \(1-1/M\) and distributed according to \(D_{\sigma _\eta }\) with probability 1/M. If \(s_{{\varvec{e}}}'\ne \bot \), it computes \((c_\mathsf{aux}',d_\mathsf{aux}')=\mathsf{aCom}({\varvec{t}}'={\varvec{a}}s_m'+{\varvec{b}}s_r' + s_{{\varvec{e}}}' - d{\varvec{c}})\) and outputs \((c_\mathsf{aux}', d, (d_\mathsf{aux}',{\varvec{t}}',s_m',s_r',s_{{\varvec{e}}}'))\). (Note that \(s_i'\) and d uniquely determine \({\varvec{t}}'\) in the protocol and in the simulation.) Otherwise the simulator sets \((c_\mathsf{aux}',d_\mathsf{aux}')=\mathsf{aCom}(0)\) and outputs \((c_\mathsf{aux}',d,\bot )\).

It follows from Theorem 2.5 that the distribution conditioned on the prover not outputting \(\bot \) is indistinguishable from real protocol runs. From the same theorem, it follows that aborts occur with probability \(1-1/M\) for every value of \(d{\varvec{e}}\). In case of an abort, the indistinguishability follows from the hiding property of \(\mathsf{aCom}\) and the fact that for every d, there is an equal chance of an abort happening.    \(\square \)

Lemma 4.3

If the auxiliary commitment scheme is a trapdoor commitment scheme, then Protocol 4.1 is a concurrently secure zero-knowledge argument of knowledge with knowledge error \(1/\left( {\begin{array}{c}n/2\\ \kappa \end{array}}\right) \) for the relation specified in Theorem 4.2.

The proof is similar to that of Damgård [Dam00], who gives a generic construction to achieve concurrent ZK for any \(\varSigma \)-protocol. However, our technique had a slightly different origin, as our protocols are inherently based on the auxiliary commitment scheme in order to achieve honest-verifier zero-knowledge. The lemma also applies verbatim to the subsequent protocols.

On the Abort Probability. From Theorem 2.5 and [Lyu12] it follows that the probability that the prover does not abort is exponentially close to \(\frac{1}{M}\), where \(M\in \mathcal {O}(\exp (\frac{\Vert d{\varvec{e}}\Vert }{\sigma _\eta }))\). Thus, on average M repetitions of the protocol are required. By choosing \(\sigma _\eta \) sufficiently large, M can be made arbitrarily small at the cost of requiring larger parameters, see also Lyubashevsky [Lyu12].

Number of Rounds. By nesting the executions, the expected number of rounds until a successful protocol run is about 2M. Alternatively, when only aiming for arguments of knowledge, one can also use the idea of Damgård et al. [DPSZ12], who compute many independent first messages and send a Merkle-tree commitment of those in the first step. While on average requiring more computation on the prover side, this approach gives a constant 3-round protocol.

4.2 Proving Linear Relations

Protocol 4.4 allows one to prove knowledge of messages \(m_1,m_2,m_3\) contained in \({\varvec{c}}_1,{\varvec{c}}_2,{\varvec{c}}_3\), where the \(m_i\) additionally satisfy a linear relation of the form \(m_3=x_1m_1+x_2m_2\) for arbitrary public \(x_i\in \mathbb {Z}_q[x]/\langle x^n+1\rangle \). The construction uses a standard technique: Three instances of Protocol 4.1 are run in parallel for \(m_1,m_2,m_3\) using the same challenge, but instead of choosing the randomness \(\mu _3\) for \(m_3\) in the prover’s first step at random, it is computed such that \(\mu _1,\mu _2,\mu _3\) satisfy the claimed linear relation. Verifying now whether the \(s_{m_i}\) also satisfy that linear relation is enough for the verifier to be guaranteed that the supplied messages have the correct form.

[Figure: Protocol 4.4 (proving linear relations); the protocol figure is not reproduced here.]

Theorem 4.5

If the auxiliary commitment scheme is perfectly binding, then Protocol 4.4 is an honest-verifier zero-knowledge proof of knowledge with knowledge error \(1/\left( {\begin{array}{c}n/2\\ \kappa \end{array}}\right) \) for the following relations:

$$\begin{aligned} \mathcal {R}_{LLWE}= & {} \Bigg \{\left( ({\varvec{a}},{\varvec{b}},x_1,x_2,{\varvec{c}}_1,{\varvec{c}}_2,{\varvec{c}}_3),(m_1,m_2,m_3,r_1,r_2,r_3,{\varvec{e}}_1,{\varvec{e}}_2,{\varvec{e}}_3)\right) \,:\\&\bigwedge _{i=1}^3\left( {\varvec{c}}_i={\varvec{a}}m_i + {\varvec{b}}r_i + {\varvec{e}}_i \ \wedge \ \Vert {\varvec{e}}_i\Vert _\infty \le n\right) \ \wedge \ m_3=x_1m_1+x_2m_2 \Bigg \}\,, \end{aligned}$$

and \(\mathcal {R}'_{LLWE}\) is defined accordingly.

Proving Inhomogeneous Relations. As for, e.g., DLOG based protocols, inhomogeneous relations like \(m_3=x_1m_1+x_2m_2+x_3\) can be proved by first removing the inhomogeneity: If \({\varvec{c}}_i\) is a commitment to \(m_i\), both parties first compute \({\varvec{c}}_3'={\varvec{c}}_3-{\varvec{a}}x_3\), and the prover sets \(m_3'=m_3-x_3\). The parties then perform Protocol 4.4 for \({\varvec{c}}_1,{\varvec{c}}_2,{\varvec{c}}_3'\) and \(m_1,m_2,m_3'\) and the homogeneous linear relation \(m_3'=x_1m_1+x_2m_2\).

4.3 Proving Multiplicative Relations

In this section we show how one can prove knowledge of \(m_i,r_i,{\varvec{e}}_i\), \(i=1,2,3\) such that \({\varvec{c}}_i = {\varvec{a}}m_i + {\varvec{b}}r_i + {\varvec{e}}_i\), and additionally \(m_3=m_1\cdot m_2\). We begin by giving the intuition behind the protocol.

(i) The prover first proves knowledge of the contents of \({\varvec{c}}_1,{\varvec{c}}_2,{\varvec{c}}_3\) by running 3 instances of Protocol 4.1 in parallel.

(ii) Similar to Protocol 4.4, the verifier will check the multiplicative relation by combining the responses for \(m_1,m_2,m_3\) accordingly. Unfortunately, in contrast to linear proofs where we have \(s_{m_1}+s_{m_2}=s_{m_3}\) for an honest prover, we have that \(s_{m_1}s_{m_2}\ne s_{m_3}\). We tackle this problem by letting the prover commit to the arising cross-terms \(\mu _1 m_2+\mu _2 m_1\) and \(\mu _1\mu _2\) in a second part. The corresponding commitments are denoted by \({\varvec{c}}_+\) and \({\varvec{c}}_\times \). Using two further instances of Protocol 4.1, the prover now proves that it knows the openings of those two commitments.

(iii) The third part of the proof now establishes the multiplicative relation. It is based on the following observation: from (i) and (ii) it follows that:

$$\begin{aligned} \tilde{{\varvec{c}}} =&\ {\varvec{a}}s_{m_1}s_{m_2} - d^2{\varvec{c}}_3 - {\varvec{c}}_\times - d{\varvec{c}}_+ \\ =&\ \ \ {\varvec{a}}\left( \mu _1\mu _2 - m_\times + d(\mu _1 m_2+\mu _2 m_1 - m_+) + d^2(m_1m_2-m_3)\right) \\&+ {\varvec{b}}(-d^2r_3 - r_\times - dr_+) + (-d^2{\varvec{e}}_3 - {\varvec{e}}_\times - d{\varvec{e}}_+), \end{aligned}$$

for some \(m_\times ,m_+\). Note here that the error term \((-d^2{\varvec{e}}_3 - {\varvec{e}}_\times - d{\varvec{e}}_+)\) of \(\tilde{{\varvec{c}}}\) has small norm, because \({\varvec{e}}_3,{\varvec{e}}_\times ,{\varvec{e}}_+\) have small norm and \(\Vert d\Vert _1\le \kappa \).

Now, for an honest prover it can easily be seen that \(\tilde{{\varvec{c}}}={\varvec{b}}\tilde{r} + \tilde{{\varvec{e}}}\) for \(\tilde{r}\) and \(\tilde{{\varvec{e}}}\) as defined in the protocol, i.e., \(\tilde{{\varvec{c}}}\) is a commitment to 0. On the other hand, if a prover can prove this for at least three different challenges d, the multiplicative relation follows. This can be seen as follows. If

$$\begin{aligned} \mu _1\mu _2 - m_\times + d(\mu _1 m_2+\mu _2 m_1 - m_+) + d^2(m_1m_2-m_3) = 0, \end{aligned}$$

for three different values of d, this coefficient must be the zero-polynomial (in the indeterminate d), and thus \(m_3=m_1m_2\). This is because a quadratic polynomial in \(R_q\) can only have at most two distinct roots in \(\mathcal {C}\). The proof of this claim is straightforward and thus omitted.
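The following Python script is an added worked example and not code from the paper. It walks through the algebra of Protocol 4.1 (the completeness identity \({\varvec{t}}+d{\varvec{c}}={\varvec{a}}s_m+{\varvec{b}}s_r+s_{{\varvec{e}}}\) and the special-soundness extraction from two transcripts that share \({\varvec{t}}\)), the forced \(\mu _3\) of Protocol 4.4, and the cross-term commitments and the \(\tilde{{\varvec{c}}}\) identity of Sect. 4.3, over a constructed toy ring. The parameters \(n=8\), \(q=1019\), \(\kappa =2\) and the noise bounds are chosen for readability only and are nowhere near secure; \(q\equiv 3 \pmod 8\) is my assumption about the parameter condition behind the invertibility claim in the special-soundness proof (it makes \(x^n+1\) split into two irreducible factors of degree \(n/2\) modulo q, so every nonzero element of degree \(<n/2\) is a unit), which the page itself does not state. The auxiliary commitment \(\mathsf{aCom}\) and the rejection-sampling step are omitted, and the opening \((\tilde{r},\tilde{{\varvec{e}}})\) of \(\tilde{{\varvec{c}}}\) is checked directly instead of being proved with a further instance of Protocol 4.1. All function names are mine.

```python
"""Toy walk-through of the commitment c = a*m + b*r + e over R_q = Z_q[x]/<x^n+1> and of
the checks behind Protocols 4.1, 4.4 and 4.7 (constructed example, tiny insecure parameters)."""
import random

N, Q = 8, 1019                           # toy n and q (q = 3 mod 8, see lead-in); NOT secure
KAPPA, E_BOUND, ETA_BOUND = 2, 1, 10     # toy challenge weight and noise bounds
S_E_BOUND = ETA_BOUND + KAPPA * E_BOUND  # verifier's bound on ||s_e||_inf (toy stand-in for n^{4/3}/4)

def add(f, g): return [(x + y) % Q for x, y in zip(f, g)]
def sub(f, g): return [(x - y) % Q for x, y in zip(f, g)]
def neg(f): return [(-x) % Q for x in f]

def mul(f, g):
    """Schoolbook product reduced modulo x^N + 1 (x^N = -1) and modulo Q."""
    out = [0] * N
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            k, sign = (i + j, 1) if i + j < N else (i + j - N, -1)
            out[k] = (out[k] + sign * fi * gj) % Q
    return out

def inf_norm(f):
    """||f||_inf with coefficients read in (-Q/2, Q/2]."""
    return max(abs(x - Q if x > Q // 2 else x) for x in f)

def rand_poly(): return [random.randrange(Q) for _ in range(N)]
def small_poly(bound): return [random.randint(-bound, bound) % Q for _ in range(N)]

def challenge():
    """d in C: 0/1 coefficients, exactly KAPPA ones, degree < N/2 (|C| = binom(N/2, KAPPA))."""
    d = [0] * N
    for i in random.sample(range(N // 2), KAPPA):
        d[i] = 1
    return d

def commit(a, b, m, r, e): return add(add(mul(a, m), mul(b, r)), e)

# Protocol 4.1 (aCom wrapper and rejection sampling omitted); mu may be forced for Protocol 4.4.
def first_message(a, b, mu=None):
    state = (rand_poly() if mu is None else mu, rand_poly(), small_poly(ETA_BOUND))
    return state, commit(a, b, *state)                       # t = a*mu + b*rho + eta

def respond(state, d, m, r, e):
    mu, rho, eta = state                                     # s_m, s_r, s_e
    return add(mu, mul(d, m)), add(rho, mul(d, r)), add(eta, mul(d, e))

def verify_open(a, b, c, t, d, resp):
    s_m, s_r, s_e = resp                                     # t + d*c == a*s_m + b*s_r + s_e
    return add(t, mul(d, c)) == commit(a, b, s_m, s_r, s_e) and inf_norm(s_e) <= S_E_BOUND

def extract(a, b, c, d1, resp1, d2, resp2):
    """Special soundness: two transcripts with the same t and d1 != d2 satisfy
    Delta_d*c = a*Delta_m + b*Delta_r + Delta_e, a witness for the relaxed relation R'_LWE."""
    dd = sub(d1, d2)
    dm, dr, de = (sub(x, y) for x, y in zip(resp1, resp2))
    return mul(dd, c) == commit(a, b, dm, dr, de) and inf_norm(dd) <= 1 and inf_norm(de) <= 2 * S_E_BOUND

def run_demo(seed=1):
    random.seed(seed)
    a, b, m1, m2 = rand_poly(), rand_poly(), rand_poly(), rand_poly()
    m3 = mul(m1, m2)                                         # honest multiplicative relation
    r = [rand_poly() for _ in range(3)]
    e = [small_poly(E_BOUND) for _ in range(3)]
    c = [commit(a, b, m, ri, ei) for m, ri, ei in zip((m1, m2, m3), r, e)]
    # part (i): Protocol 4.1 three times with a shared challenge
    states, ts = zip(*[first_message(a, b) for _ in range(3)])
    mu1, mu2 = states[0][0], states[1][0]
    d = challenge()
    resps = [respond(st, d, m, ri, ei) for st, m, ri, ei in zip(states, (m1, m2, m3), r, e)]
    opens_ok = all(verify_open(a, b, ci, ti, d, re) for ci, ti, re in zip(c, ts, resps))
    # special soundness: a second challenge answered from the same first message t_1
    d2 = challenge()
    while d2 == d: d2 = challenge()
    extract_ok = extract(a, b, c[0], d, resps[0], d2, respond(states[0], d2, m1, r[0], e[0]))
    # Protocol 4.4: m3' = x1*m1 + x2*m2 with mu3 forced to x1*mu1 + x2*mu2, then s_m3 = x1*s_m1 + x2*s_m2
    x1, x2 = rand_poly(), rand_poly()
    m_lin = add(mul(x1, m1), mul(x2, m2))
    st_lin, t_lin = first_message(a, b, add(mul(x1, mu1), mul(x2, mu2)))
    s_lin = respond(st_lin, d, m_lin, r[2], e[2])
    lin_ok = (verify_open(a, b, commit(a, b, m_lin, r[2], e[2]), t_lin, d, s_lin)
              and s_lin[0] == add(mul(x1, resps[0][0]), mul(x2, resps[1][0])))
    # part (ii): commit to the cross terms m_+ = mu1*m2 + mu2*m1 and m_x = mu1*mu2
    m_plus, m_times = add(mul(mu1, m2), mul(mu2, m1)), mul(mu1, mu2)
    r_plus, r_times, e_plus, e_times = rand_poly(), rand_poly(), small_poly(E_BOUND), small_poly(E_BOUND)
    c_plus, c_times = commit(a, b, m_plus, r_plus, e_plus), commit(a, b, m_times, r_times, e_times)
    # part (iii): c~ = a*s_m1*s_m2 - d^2*c_3 - c_x - d*c_+ must open to 0 with r~ = -d^2 r3 - r_x - d r_+,
    # e~ = -d^2 e3 - e_x - d e_+ ; the norm bound on e~ is KAPPA^2 + 1 + KAPPA times E_BOUND
    dd = mul(d, d)
    def c_tilde(c3):
        return sub(sub(sub(mul(a, mul(resps[0][0], resps[1][0])), mul(dd, c3)), c_times), mul(d, c_plus))
    r_t = neg(add(add(mul(dd, r[2]), r_times), mul(d, r_plus)))
    e_t = neg(add(add(mul(dd, e[2]), e_times), mul(d, e_plus)))
    zero = [0] * N
    mult_ok = c_tilde(c[2]) == commit(a, b, zero, r_t, e_t) and inf_norm(e_t) <= (KAPPA**2 + 1 + KAPPA) * E_BOUND
    # a prover who committed to m3 + 1 instead of m1*m2 is left with c~ = -a*d^2 + b*r~ + e~, so the
    # honest opening (r~, e~) no longer fits (d is a unit here, so a*d^2 != 0 for any a != 0)
    c3_bad = commit(a, b, add(m3, [1] + [0] * (N - 1)), r[2], e[2])
    cheat_ok = c_tilde(c3_bad) == commit(a, b, zero, r_t, e_t)
    return {"open": opens_ok, "extract": extract_ok, "linear": lin_ok, "mult": mult_ok, "cheat": cheat_ok}

if __name__ == "__main__":
    print(run_demo())
```

Running the script prints a dictionary in which every honest check is True and only the `cheat` entry is False. The verifier never learns \(m_1,m_2,m_3\): it only recombines the public commitments with the responses \(s_{m_1},s_{m_2}\) and the challenge, which is exactly what makes the three-challenge argument in (iii) go through, since the only term of \(\tilde{{\varvec{c}}}\) that depends on the prover's honesty is the coefficient of \({\varvec{a}}\).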

Theorem 4.6

If the auxiliary commitment scheme is perfectly binding, then Protocol 4.7 is an honest-verifier zero-knowledge proof of knowledge with knowledge error \(2/\left( {\begin{array}{c}n/2\\ \kappa \end{array}}\right) \) for the following relations:

$$\begin{aligned} \mathcal {R}_{MLWE}= & {} \Bigg \{\left( ({\varvec{a}},{\varvec{b}},x_1,x_2,{\varvec{c}}_1,{\varvec{c}}_2,{\varvec{c}}_3),(m_1,m_2,m_3,r_1,r_2,r_3,{\varvec{e}}_1,{\varvec{e}}_2,{\varvec{e}}_3)\right) :\\&\bigwedge _{i=1}^3\left( {\varvec{c}}_i={\varvec{a}}m_i + {\varvec{b}}r_i + {\varvec{e}}_i \ \wedge \ \Vert {\varvec{e}}_i\Vert _\infty \le n\right) \ \wedge \ m_3=m_1m_2 \Bigg \}, \end{aligned}$$

and \(\mathcal {R}'_{MLWE}\) is defined accordingly.

[Figure: Protocol 4.7 (proving multiplicative relations); the protocol figure is not reproduced here.]

5 Conclusion

We presented a simple and efficient string commitment scheme whose security is based on the hardness of the \(\mathsf{RLWE} \)-problem, or, equivalently, on the hardness of solving certain problems on ideal lattices. Additionally we gave constructions for zero-knowledge proofs of knowledge of valid openings of such commitments, and for proving arbitrary relations among such messages. By achieving a negligible knowledge error in our protocols, we solve an open problem stated in previous work, e.g., Jain et al. [JKPT12].