International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Paper: A non-PCP Approach to Succinct Quantum-Safe Zero-Knowledge

Authors:
Jonathan Bootle , IBM Research - Zurich
Vadim Lyubashevsky , IBM Research - Zurich
Ngoc Khanh Nguyen , IBM Research - Zurich
Gregor Seiler , IBM Research - Zurich and ETH
Download:
DOI: http://dx.doi.org/10.1007/978-3-030-56880-1_16 (login may be required)
Search ePrint
Search Google
Conference: CRYPTO 2020
Abstract: Today's most compact zero-knowledge arguments are based on the hardness of the discrete logarithm problem and related classical assumptions. If one is interested in quantum-safe solutions, then all of the known techniques stem from the PCP-based framework of Kilian (STOC 92) which can be instantiated based on the hardness of any collision-resistant hash function. Both approaches produce asymptotically logarithmic sized arguments but, by exploiting extra algebraic structure, the discrete logarithm arguments are a few orders of magnitude more compact in practice than the generic constructions.\\ In this work, we present the first (poly)-logarithmic \emph{post-quantum} zero-knowledge arguments that deviate from the PCP approach. At the core of succinct zero-knowledge proofs are succinct commitment schemes (in which the commitment and the opening proof are sub-linear in the message size), and we propose two such constructions based on the hardness of the (Ring)-Short Integer Solution (Ring-SIS) problem, each having certain trade-offs. For commitments to $N$ secret values, the communication complexity of our first scheme is $\tilde{O}(N^{1/c})$ for any positive integer $c$, and $O(\log^2 N)$ for the second. %Both of our protocols have somewhat large \emph{slack}, which in lattice constructions is the ratio of the norm of the extracted secrets to the norm of the secrets that the honest prover uses in the proof. The lower this factor, the smaller we can choose the practical parameters. For a fixed value of this factor, our $\tilde{O}(N^{1/c})$-argument actually achieves lower communication complexity. Both of these are a significant theoretical improvement over the previously best lattice construction by Bootle et al. (CRYPTO 2018) which gave $O(\sqrt{N})$-sized proofs.
Video from CRYPTO 2020
BibTeX
@inproceedings{crypto-2020-30405,
  title={A non-PCP Approach to Succinct Quantum-Safe Zero-Knowledge},
  publisher={Springer-Verlag},
  doi={http://dx.doi.org/10.1007/978-3-030-56880-1_16},
  author={Jonathan Bootle and Vadim Lyubashevsky and Ngoc Khanh Nguyen and Gregor Seiler},
  year=2020
}