Abstract
Non-interactive zero-knowledge (\(\mathsf {NIZK}\)) is a fundamental primitive that is widely used in the construction of cryptographic schemes and protocols. Our main result is a reduction from constructing \(\mathsf {NIZK}\) proof systems for all of \(\mathbf {NP}\) based on \(\mathsf {LWE}\), to constructing a \(\mathsf {NIZK}\) proof system for a particular computational problem on lattices, namely a decisional variant of the bounded distance decoding (\(\mathsf {BDD}\)) problem. That is, we show that assuming \(\mathsf {LWE}\), every language \(L \in \mathbf {NP}\) has a \(\mathsf {NIZK}\) proof system if (and only if) the decisional \(\mathsf {BDD}\) problem has a \(\mathsf {NIZK}\) proof system. This (almost) confirms a conjecture of Peikert and Vaikuntanathan (CRYPTO, 2008). To construct our \(\mathsf {NIZK}\) proof system, we introduce a new notion that we call prover-assisted oblivious ciphertext sampling (\(\mathsf {POCS}\)), which we believe to be of independent interest. This notion extends the idea of oblivious ciphertext sampling, which allows one to sample ciphertexts without knowing the underlying plaintext. Specifically, we augment the oblivious ciphertext sampler with access to an (untrusted) prover to help it accomplish this task. We show that the existence of encryption schemes with a \(\mathsf {POCS}\) procedure, as well as some additional natural requirements, suffices for obtaining \(\mathsf {NIZK}\) proofs for \(\mathbf {NP}\). We further show that such encryption schemes can be instantiated based on \(\mathsf {LWE}\), assuming the existence of a \(\mathsf {NIZK}\) proof system for the decisional \(\mathsf {BDD}\) problem.
Similar content being viewed by others
Notes
In particular, the naive algorithm that chooses at random \(b \in \{0,1\}\) and outputs \(E_{\mathsf {pk}}(b)\) is not oblivious since its random coins fully reveal b.
For simplicity, we focus for now on schemes with perfect correctness.
Further related issues were recently uncovered by Canetti and Lichtenberg [17].
Actually, it is important for us to also establish that \(\mathbf {s}\) is unique. We enforce this by having the matrix \(\mathbf {A}\) be specified as part of the CRS (rather than by the prover). Indeed, it is not too difficult to show that a lattice spanned by a random matrix \(\mathbf {A}\) does not have short vectors and therefore \(\mathbf {b}\) cannot be close to two different lattice points.
In the literature, typically \(\mathbf {B}\) is defined as a set of column vectors. However, for our applications it is more convenient to use row vectors.
Note that in the actual definition we only require the latter to hold with high probability over the choice of the public randomness for every valid public key. The notion of encryption schemes with public randomness is discussed in Sect. 2.1.
Jumping ahead, we note that for our final \(\mathsf {NIZK}\) protocol, achieving standard soundness, we will need to repeat steps 3–6 for \(\ell = \mathrm{poly}(\kappa )\) times for the same \(\mathsf {pk}\) to amplify soundness.
Here we are utilizing the fact that the hidden-bits proof-system has perfect completeness to save us the effort of arguing that the hidden bits are indeed (sufficiently) unbiased.
The argument here resembles the standard argument for obtaining adaptively sound \(\mathsf {NIZK}\)s from \(\mathsf {NIZK}\)s that only have non-adaptive soundness.
From Lemma 2.16 this happens with overwhelming probability.
Since the complementary event happens with negligible probability in \(\kappa \), in case it does happen we choose the public-keys to have zero noise.
Again, the complementary event happens with negligible probability, in which case we can output a ciphertext with zero noise.
Alternatively, we could reduce the bias to be negligible using Von Neumann’s trick [65] for transforming a biased source to an almost unbiased source.
More precisely, the output of \(\mathsf {Sample}\) is a ciphertext of the secret-key variant of Regev’s encryption scheme, whereas the output of \(\mathsf {EncryptAndExplain}\) is a ciphertext of the public-key version. Still, under the (decisional) \(\mathsf {LWE}\) assumption, these ciphertexts are both indistinguishable from random and therefore also from each other.
References
B. Applebaum, D. Cash, C. Peikert, and A. Sahai. Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In CRYPTO, 2009.
S. Agrawal, D.M. Freeman, and V. Vaikuntanathan. Functional encryption for inner product predicates from learning with errors. In ASIACRYPT, 2011.
N. Alamati, C. Peikert, and N. Stephens-Davidowitz. New (and old) proof systems for lattice problems. Cryptology ePrint Archive, Report 2017/1226, 2017.
M. Blum, A. De Santis, S. Micali, and G. Persiano. Noninteractive zero-knowledge. SIAM Journal on Computing, 20(6):1084–1118, 1991.
M. Blum, P. Feldman, and S. Micali. Non-interactive zero-knowledge and its applications (extended abstract). In STOC, 1988.
A. Bender, J. Katz, and R. Morselli. Ring signatures: Stronger definitions, and constructions without random oracles. In TCC. Springer, 2006.
M. Bellare, D. Micciancio, and B. Warinschi. Foundations of group signatures: Formal definitions, simplified requirements, and a construction based on general assumptions. In EUROCRYPT, 2003.
N. Bitansky and O. Paneth. Zaps and non-interactive witness indistinguishability from indistinguishability obfuscation. In TCC, 2015.
M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In CCS, 1993.
I. Berman, R.D. Rothblum, and V. Vaikuntanathan. Zero-knowledge proofs of proximity. IACR Cryptology ePrint Archive, 2017:114, 2017.
Z. Brakerski and V. Vaikuntanathan. Efficient fully homomorphic encryption from (standard) LWE. SIAM J. Comput., 43(2):831–871, 2014.
M. Bellare and M. Yung. Certifying permutations: Noninteractive zero-knowledge based on any trapdoor permutation. J. Cryptology, 9(3):149–166, 1996.
R. Canetti, Y. Chen, J. Holmgren, A. Lombardi, G.N. Rothblum, R.D. Rothblum, and D. Wichs. Fiat-Shamir: from practice to theory. In STOC, 2019.
R. Canetti, Y. Chen, L. Reyzin, and R.D. Rothblum. Fiat-Shamir and correlation intractability from strong kdm-secure encryption. Cryptology ePrint Archive, Report 2018/131, 2018.
R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. J. ACM, 51(4):557–594, 2004.
G. Couteau and D. Hofheinz. Designated-verifier pseudorandom generators, and their applications. In EUROCRYPT, 2019.
R. Canetti and A. Lichtenberg. Certifying trapdoor permutations, revisited. IACR Cryptology ePrint Archive, 2017:631, 2017.
D. Dolev, C. Dwork, and M. Naor. Nonmalleable cryptography. SIAM Review, 45(4):727–784, 2003.
C. Dwork and M. Naor. Zaps and their applications. SIAM J. Comput., 36(6):1513–1543, 2007.
R. del Pino and V. Lyubashevsky. Amortization with fewer equations for proving knowledge of small secrets. In CRYPTO, 2017.
U. Feige, D. Lapidot, and A. Shamir. Multiple noninteractive zero knowledge proofs under general assumptions. SIAM J. Comput., 29(1):1–28, 1999.
A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In CRYPTO, 1986.
O. Goldreich and S. Goldwasser. On the limits of nonapproximability of lattice problems. J. Comput. Syst. Sci., 60(3):540–563, 2000.
S. Goldwasser and Y.T. Kalai. On the (in)security of the fiat-shamir paradigm. In FOCS, 2003.
S. Goldwasser and D. Kharchenko. Proof of plaintext knowledge for the ajtai-dwork cryptosystem. In TCC, 2005.
Y. Gertner, S. Kannan, T. Malkin, O. Reingold, and M. Viswanathan. The relationship between public key encryption and oblivious transfer. In FOCS, 2000.
S. Goldwasser, Y. Kalai, R.A. Popa, V. Vaikuntanathan, and N. Zeldovich. Reusable garbled circuits and succinct functional encryption. In STOC, 2013.
R. Goyal, V. Koppula, and B. Waters. Lockable obfuscation. IACR Cryptology ePrint Archive, 2017:274, 2017.
S. Goldwasser and S. Micali. Probabilistic encryption. J. Comput. Syst. Sci., 28(2):270–299, 1984.
O. Goldreich. The Foundations of Cryptography - Volume 1, Basic Techniques. Cambridge University Press, 2001.
O. Goldreich. The Foundations of Cryptography - Volume 2, Basic Applications. Cambridge University Press, 2004.
O. Goldreich. Basing non-interactive zero-knowledge on (enhanced) trapdoor permutations: The state of the art. In Studies in Complexity and Cryptography. Springer Berlin Heidelberg, 2011.
J. Groth, R. Ostrovsky, and A. Sahai. New techniques for noninteractive zero-knowledge. J. ACM, 59(3):11:1–11:35, 2012.
O. Goldreich and R.D. Rothblum. Enhancements of trapdoor permutations. J. Cryptology, 26(3):484–512, 2013.
J. Groth. Short pairing-based non-interactive zero-knowledge arguments. In ASIACRYPT, 2010.
J. Groth and A. Sahai. Efficient non-interactive proof systems for bilinear groups. In EUROCRYPT, 2008.
S. Gorbunov, V. Vaikuntanathan, and H. Wee. Predicate encryption for circuits from lwe. In CRYPTO. Springer, 2015.
S. Katsumata, R. Nishimaki, S. Yamada, and T. Yamakawa. Designated verifier/prover and preprocessing nizks from diffie-hellman assumptions. In EUROCRYPT, 2019.
Y.T. Kalai, G.N. Rothblum, and R.D. Rothblum. From obfuscation to the security of fiat-shamir for proofs. In CRYPTO, 2017.
A. Kawachi, K. Tanaka, and K. Xagawa. Concurrently secure identification schemes based on the worst-case hardness of lattice problems. In ASIACRYPT, 2008.
S. Kim and D.J. Wu. Multi-theorem preprocessing nizks from lattices. In CRYPTO, 2018.
B. Libert, S. Ling, F. Mouhartem, K. Nguyen, and H. Wang. Signature schemes with efficient protocols and dynamic group signatures from lattice assumptions. In ASIACRYPT, 2016.
V. Lyubashevsky and D. Micciancio. On bounded distance decoding, unique shortest vectors, and the minimum distance problem. In CRYPTO, 2009.
S. Ling, K. Nguyen, D. Stehlé, and H. Wang. Improved zero-knowledge proofs of knowledge for the ISIS problem, and applications. In PKC, 2013.
A. Lombardi, W. Quach, R.D. Rothblum, D. Wichs, and D.J. Wu. New constructions of reusable designated-verifier nizks. IACR Cryptology ePrint Archive, 2019:242, 2019.
V. Lyubashevsky. Lattice-based identification schemes secure under active attacks. In PKC, 2008.
D. Micciancio and S. Vadhan. Statistical zero-knowledge proofs with efficient provers: Lattice problems and more. CRYPTO, 2003.
P. Mukherjee and D. Wichs. Two round multiparty computation via multi-key FHE. In EUROCRYPT, 2016.
M. Naor. On cryptographic assumptions and challenges. In CRYPTO, 2003.
M. Naor and M. Yung. Public-key cryptosystems provably secure against chosen ciphertext attacks. In STOC, 1990.
C. Peikert. Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In STOC, 2009.
C. Peikert and S. Shiehian. Noninteractive zero knowledge for NP from (plain) learning with errors. IACR Cryptology ePrint Archive, 2019:158, 2019.
C. Peikert and V. Vaikuntanathan. Noninteractive statistical zero-knowledge proofs for lattice problems. In CRYPTO, 2008.
C. Peikert, V. Vaikuntanathan, and B. Waters. A framework for efficient and composable oblivious transfer. In CRYPTO, 2008.
C. Peikert and B. Waters. Lossy trapdoor functions and their applications. In STOC, 2008.
W. Quach, R.D. Rothblum, and D. Wichs. Reusable designated-verifier nizks for all NP from CDH. In EUROCRYPT, 2019.
M.O. Rabin. Digitalized Signatures and Public-key Functions as Intractable as Factorization. Laboratory for Computer Science. Massachusetts Institute of Technology, Laboratory for Computer Science, 1979.
O. Regev. On lattices, learning with errors, random linear codes, and cryptography. J. ACM, 56(6):34:1–34:40, 2009.
R.D. Rothblum, A. Sealfon, and K. Sotiraki. Towards non-interactive zero-knowledge for np from lwe. In D. Lin and K. Sako, editors, Public-Key Cryptography – PKC 2019, pages 472–503, Cham, 2019. Springer International Publishing.
A. Sahai. Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security. In FOCS, 1999.
P.W. Shor. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Review, 41(2):303–332, 1999.
J. Stern. A new paradigm for public key identification. IEEE Trans. Information Theory, 42(6):1757–1768, 1996.
A. Sahai and B. Waters. How to use indistinguishability obfuscation: deniable encryption, and more. In STOC, 2014.
S.P. Vadhan. A Study of Statistical Zero-Knowledge Proofs. PhD thesis, Massachusetts Institute of Technology, Cambridge, MA, USA, 1999.
J. Von Neumann. Various techniques used in connection with random digits, paper no. 13 in “Monte Carlo method”. NBS Applied Mathematics Series, 1961.
D. Wichs and G. Zirdelis. Obfuscating compute-and-compare programs under LWE. IACR Cryptology ePrint Archive, 2017:276, 2017.
Acknowledgements
We thank Akshay Degwekar, Shafi Goldwasser and Vinod Vaikuntanathan for illuminating conversations. We also thank the anonymous reviewers for useful comments.
Author information
Authors and Affiliations
Corresponding author
Additional information
Communicated by Jonathan Katz.
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
A preliminary version of this work appeared in PKC 2019 [59].
Ron D. Rothblum: This research was conducted in part while the author was at MIT and Northeastern University. Research supported in part by the Israeli Science Foundation (Grant No. 1262/18). Research also supported in part by NSF Grants CNS-1413920 and CNS-1350619, by the Defense Advanced Research Projects Agency (DARPA) and the U.S. Army Research Office under contracts W911NF-15-C-0226 and W911NF-15-C-0236, the Simons Investigator award agreement dated 6-5-12 and the Cybersecurity and Privacy Institute at Northeastern University.
Adam Sealfon: This research was conducted in part while the author was at MIT. Research supported in part by a DOE CSGF fellowship, NSF MACS CNS-1413920, DARPA/NJIT Palisade 491512803, Sloan/NJIT 996698, MIT/IBM W1771646, NSF Center for Science of Information (CSoI) CCF-0939370, and the Simons Investigator award agreement dated 6-5-12.
Katerina Sotiraki: This research was conducted in part while the author was at MIT. Research supported in part by NSF Grants CNS-1350619, CNS-1718161, CNS-1414119.
Rights and permissions
About this article
Cite this article
Rothblum, R.D., Sealfon, A. & Sotiraki, K. Toward Non-interactive Zero-Knowledge Proofs for NP from LWE. J Cryptol 34, 3 (2021). https://doi.org/10.1007/s00145-020-09365-w
Received:
Revised:
Accepted:
Published:
DOI: https://doi.org/10.1007/s00145-020-09365-w