Hi everyone, my name is Khanh. I'm a PhD student at IBM Research Zürich and ETH Zürich, and today I'm going to talk about shorter lattice-based zero-knowledge proofs via one-time commitments. This is joint work with Vadim Lyubashevsky and Gregor Seiler.

In this area of lattice-based zero-knowledge proofs, the statements are usually of the following form: we want to prove knowledge of a vector s which has small coefficients, for example binary or ternary, and we want to prove some linear relation about it. So given a public matrix A and a public vector u, we want to prove that As = u. The underlying ring can be the integers modulo a prime q or some polynomial ring.

There have been many recent works which use lattice commitments to prove such statements, and they mostly consider practical statements which can be directly applied to construct cryptographic primitives like group signatures or ring signatures. In this setting, the security of these schemes relies on quantum-safe assumptions, namely Module-LWE and Module-SIS, and the runtime is pretty fast: they can be implemented efficiently because one can exploit the algebraic structure of the underlying polynomial ring, for example using the NTT. In terms of concrete proof size, the proofs can still be pretty small, but asymptotically the proof size is linear in the number of commitments, i.e. in the size of the witness. So if the statement or the witness gets bigger, the proof size blows up.

Then there are more generic approaches, for example PCP-based ones, where the proof size becomes sublinear or even logarithmic. They rely on collision-resistant hash functions, which are also quantum-safe, but the runtime is pretty slow compared to the lattice-based schemes, especially the part where you have to hash a lot. This can be very important if we want to implement these protocols on constrained devices: we want protocols that can be implemented efficiently and have small proof size. There have also been a few recent papers which consider sublinear constructions using lattice commitments, so this is a very active area of current research. In terms of concrete sizes they might still not be as good as the linear ones, but this shows that there is still room to improve.

Now, if we look at all these solutions using lattice commitments, then in order to ensure the zero-knowledge property they make use of rejection sampling, so let us briefly recall what that is. Suppose, as in the example, we want to prove knowledge of an s such that As = u over some ring, using a simple Schnorr-like protocol. We have the prover, who knows s as well as A and u, and the verifier, who knows A and u. (Actually, nowadays they should wear masks, but let's assume they are quite far apart and outdoors, so they don't.) The prover generates a masking vector y; in this case we use Gaussian rejection sampling, so y is chosen from a discrete Gaussian of the appropriate dimension with standard deviation sigma. The prover computes w = Ay and sends w. The verifier then generates a challenge c and sends it to the prover, and the prover replies with z = y + c*s.
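As a minimal sketch of this exchange (including the verifier's check described next), here is some illustrative Python. The modulus, dimensions, scalar challenge, norm bound, and the rounded-continuous-Gaussian sampling are my own simplifications; they are not the paper's parameters, and the polynomial-ring structure and the rejection step are omitted here.

```python
import numpy as np

# Toy Schnorr-like proof of knowledge of a short s with A*s = u (mod q).
q = 8380417
n, m = 4, 8
sigma = 100.0
rng = np.random.default_rng(0)

A = rng.integers(0, q, size=(n, m))                      # public matrix
s = rng.integers(-1, 2, size=m)                          # short (ternary) secret
u = (A @ s) % q                                          # public vector

# Prover: sample a Gaussian mask y and send w = A*y.
y = np.rint(rng.normal(0, sigma, size=m)).astype(int)    # rounded Gaussian as a stand-in
w = (A @ y) % q

# Verifier: send a small challenge c.
c = int(rng.integers(1, 16))

# Prover: respond with z = y + c*s (rejection sampling omitted in this sketch).
z = y + c * s

# Verifier: check that z is short and that A*z = w + c*u (mod q),
# which holds because A*z = A*y + c*A*s.
assert np.linalg.norm(z) <= 6 * sigma * np.sqrt(m)       # loose illustrative bound
assert np.array_equal((A @ z) % q, (w + c * u) % q)
print("verified")
```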
Then the verifier checks that z is small and that Az = w + c*u. We observe that the distribution of z depends on the secret s. The main idea of rejection sampling is to force the distribution of z to be independent of the secret. In this case, the distribution of z is a shifted discrete Gaussian centered at c*s, and the idea is to force it to be a discrete Gaussian centered at zero, because if we can force it that way, then we can simulate the transcripts without knowing the secret.

So let's look at the following rejection sampling algorithm, which is basically what the prover does. We sample y, and we sample v, which plays the role of the secret-dependent part (in our case v = c*s), from some distribution h, and we set z = y + v. Then we output (z, v) with probability min(1, D_sigma(z) / (M * D_{sigma,v}(z))), that is, the probability of getting z from the discrete Gaussian centered at zero divided by M times the probability of getting z from the shifted discrete Gaussian centered at v. We also have the simulation algorithm, where we sample v as before, sample z from a discrete Gaussian centered at zero, and output (z, v) with probability 1/M. This parameter M we call the repetition rate, which basically means that after about M runs the algorithm should accept.

The result by Lyubashevsky says that these two distributions are very close. What do we mean by close, i.e. what is the distance between these two algorithms? The distance basically depends on how often the term D_sigma(z) / (M * D_{sigma,v}(z)) is at most one. If we choose M so that it is at most one for all z, then the distributions are identical; in practice, as we will see from how M is usually chosen, this happens with overwhelming probability, and that is why the two distributions are statistically close.

So how is M chosen? We look at the maximum over z of the probability of getting z from the discrete Gaussian centered at zero divided by the probability of getting z from the shifted discrete Gaussian, and if we do the math, we end up with max_z exp((-2*<z, v> + ||v||^2) / (2*sigma^2)). Now we use the tail bound inequality, which says that if z is chosen from a discrete Gaussian, then |<z, v>| <= 12 * sigma * ||v|| with probability at least 1 - 2^(-100). So we set M to that expression, M = exp((24*sigma*||v|| + ||v||^2) / (2*sigma^2)). Concretely, if we want the repetition rate to be three, meaning we most likely repeat only about three times, one sets the standard deviation to sigma = 11 * ||v||. A small sketch of this step is given right below.

So now the question is whether we can do better. The main idea of this paper is the observation: what happens if we force the inner product <z, v> to be greater than or equal to zero, so that we don't have to rely on the tail bound? What do we mean by that?
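Before turning to the modification, here is a small sketch of the standard rejection sampling step and the choice of M just described, under the same simplifications as in the previous snippet (rounded continuous Gaussian, hypothetical parameters).

```python
import numpy as np

rng = np.random.default_rng(1)

def rej_sample(v, sigma, M):
    """Output z = y + v with probability min(1, D_sigma(z) / (M * D_{sigma,v}(z)))."""
    y = np.rint(rng.normal(0, sigma, size=len(v)))
    z = y + v
    # D_sigma(z) / D_{sigma,v}(z) = exp((-2*<z,v> + ||v||^2) / (2*sigma^2))
    ratio = np.exp((-2 * np.dot(z, v) + np.dot(v, v)) / (2 * sigma**2))
    return z if rng.random() < min(1.0, ratio / M) else None   # None = abort and repeat

# Choice of M via the tail bound |<z,v>| <= 12*sigma*||v||, with sigma = 11*||v||:
norm_v = 1.0
sigma = 11 * norm_v
M = np.exp((24 * sigma * norm_v + norm_v**2) / (2 * sigma**2))
print(M)   # ~ 3, i.e. a repetition rate of about three

# Example run with a made-up v standing in for c*s.
v = np.full(8, 0.5)
print(rej_sample(v, 11 * np.linalg.norm(v), M))
```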
So this means that in the rejection sampling algorithm we have an additional step which says: if the inner product <z, v> is less than zero, we reject. And similarly, in the simulation algorithm, if the inner product is less than zero, we also reject. Then we have two results. In terms of the proof technique they are very similar to the paper by Lyubashevsky, but basically: if we choose M so that the fraction D_sigma(z) / (M * D_{sigma,v}(z)) is always at most one, which it will be, as we show on the next slide, then these two distributions are identical; and the probability that the rejection sampling algorithm outputs something is at least 1/(2M). Why 1/(2M) and not 1/M as before? The idea is that if z is chosen from a discrete Gaussian centered at zero, then by symmetry the probability that <z, v> >= 0 is at least one half, and that is where the factor one half in result 1(b) comes from. So the repetition rate is now 2M.

Okay, so if we force the inner product to be greater than or equal to zero, then we can use that in the inequality from before and bound the term by exp(||v||^2 / (2*sigma^2)), and this is how we pick M. If we now set M = 1.5, then we set the standard deviation to about sigma = 1.11 * ||v||, and the repetition rate, which is now 2M, is three. Using the previous method, for the same rate we obtained sigma = 11 * ||v||, so we manage to decrease the standard deviation by a factor of about 10. (A small sketch of this modified step appears a bit further below.)

So let's go back to the protocol. What happens here is that apart from the standard rejection sampling, we want to force the inner product of z and c*s to be greater than or equal to zero: if it is less than zero, we abort; otherwise we do the rejection sampling step as before and send z. But some people might notice that there is something fishy going on here. When the verifier gets z, they learn that the inner product of z and c*s is greater than or equal to zero. In some settings this is not really secure: for example, if you want to construct a signature scheme from this, one might learn a lot of information about the secret key just by collecting many signatures, because the verifier knows z and c and the sign of the inner product of z and c*s. So this already sounds fishy if you want to construct signature schemes from it.

That is why the title contains the phrase one-time commitments. So let's see. There are a few previous works which develop a framework for proving linear and multiplicative relations between committed messages, and it is very efficient. These protocols look basically as follows. The prover wants to prove some relations between the committed messages, so it generates fresh randomness r and sends the commitments t to the messages under the randomness r. These previous works use the BDLOP commitment scheme, and in between there is some fancy machinery for proving the linear and multiplicative relations, which is not really relevant to this talk.
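Going back to the modified rejection sampling from a moment ago, here is the corresponding sketch with the extra sign check and the new choice of sigma. As before, the parameters are illustrative and the discrete Gaussian is approximated by rounding a continuous one.

```python
import numpy as np

rng = np.random.default_rng(2)

def rej_sample_one_bit(v, sigma, M):
    """As before, but additionally reject whenever <z, v> < 0."""
    y = np.rint(rng.normal(0, sigma, size=len(v)))
    z = y + v
    if np.dot(z, v) < 0:                      # new step: reject on a negative inner product
        return None
    ratio = np.exp((-2 * np.dot(z, v) + np.dot(v, v)) / (2 * sigma**2))
    return z if rng.random() < min(1.0, ratio / M) else None

# With <z,v> >= 0 the ratio is at most exp(||v||^2 / (2*sigma^2)), so M is set to that.
# For M = 1.5 this gives sigma ~ 1.11 * ||v||, and the repetition rate is 2*M = 3,
# i.e. the same rate as before with a roughly 10x smaller standard deviation.
norm_v = 1.0
sigma = norm_v / np.sqrt(2 * np.log(1.5))
print(sigma)                                  # ~ 1.11
print(np.exp(norm_v**2 / (2 * sigma**2)))     # = 1.5 = M

# Example run with a made-up v standing in for c*s.
v = np.full(8, 0.5)
print(rej_sample_one_bit(v, 1.11 * np.linalg.norm(v), 1.5))
```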
And then, in the end, the prover wants to prove that they know an opening for these commitments; this is the opening proof. The verifier sends the challenge c at the end, the prover computes z = y + c*r and does the rejection sampling; if it aborts, we abort, otherwise we send z and the verifier checks the verification equations. What's new here is that we also force the inner product of z and c*r to be greater than or equal to zero: if it is less than zero, we abort. Then the same argument applies, meaning the verifier can say: I know the sign, i.e. that the inner product of z and c*r is greater than or equal to zero. But that is actually okay, because in the proof we only use r once; if we want to run a new proof, we generate fresh randomness. So the problem with the signature scheme doesn't really arise here.

So how do we prove zero knowledge in this case? Previous works like ALS, ENS and LNS prove the honest-verifier zero-knowledge property by reducing it to the Module-LWE assumption. In our setting, where we reveal that one bit, we reduce the property to the hardness of the so-called extended Module-LWE, which is very similar to standard Module-LWE but with some hints. We have the matrix A, and we want to distinguish A times r from some uniform u, and now we also have hints: we have the challenge c, we have the vector z, and the hint is that we also know the sign of the inner product of z and c*r. (A toy sketch of this distinguisher's view is given after the concrete numbers below.)

Okay, so the last question is why this is a reliable assumption. First of all, we notice that the non-algebraic version of our assumption is very similar to the extended-LWE problem defined in the paper by Alperin-Sheriff and Peikert, and using essentially the same techniques as in that paper, we prove that our non-algebraic version can be reduced to plain LWE. Next, the hardness of Ring/Module-LWE is often analyzed as a plain LWE problem, because so far the best attacks do not really use the algebraic structure of the polynomial ring. And in terms of concrete analysis, solving search LWE is actually more efficient than solving the decisional version of LWE. So if we look at our problem as the search version, then revealing one bit about r shouldn't really make much difference, because the randomness vector r has high enough entropy. That is why we believe our assumption makes sense and is reliable.

Okay, so in terms of concrete improvements, we take three examples from previous works. For the proof of knowledge of an LWE sample, the previous works obtained a 47 kilobyte proof, and here we reduce it to a little more than 33 kilobytes. For the integer addition proof with 128-bit integers, from around 25 kilobytes we end up with around 17, and for 128-bit integer multiplication, from 40 kilobytes we end up with around 28 kilobytes. This comparison is a bit unfair because the previous works use uniform rejection sampling, but we also checked how they perform with Gaussian rejection sampling, and the improvement is still around 20 to 30%.
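Finally, here is the toy sketch of the distinguisher's view in the extended (Module-)LWE-style assumption mentioned above. This is only an illustration over plain integers with made-up parameters; the actual assumption is stated over the polynomial ring, and both worlds come with the same kind of hint about r.

```python
import numpy as np

# Extended-LWE-style view: besides A and t (either A*r or uniform), the
# distinguisher also sees a challenge c, a masked vector z, and the single
# hint bit sign(<z, c*r>).  Toy parameters, integers instead of ring elements.
q = 3329
n, m = 4, 8
sigma = 50.0
rng = np.random.default_rng(3)

A = rng.integers(0, q, size=(n, m))
r = rng.integers(-1, 2, size=m)                   # one-time commitment randomness
t_real = (A @ r) % q                              # "real" world
t_rand = rng.integers(0, q, size=n)               # "uniform" world

c = int(rng.integers(1, 16))                      # challenge
y = np.rint(rng.normal(0, sigma, size=m)).astype(int)
z = y + c * r
hint = int(np.dot(z, c * r) >= 0)                 # the one revealed bit

# The assumption: (A, t_real, c, z, hint) is hard to distinguish from (A, t_rand, c, z, hint).
print(hint)
```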
If you've reached the end, thanks very much for watching. And here is the link to the full version of the paper. Thanks. Bye.