eprint.iacr.org will be offline for approximately an hour for routine maintenance again at 10pm UTC on Wednesday, April 17.

Paper 2019/057

Short Discrete Log Proofs for FHE and Ring-LWE Ciphertexts

Rafael del Pino, Vadim Lyubashevsky, and Gregor Seiler


In applications of fully-homomorphic encryption (FHE) that involve computation on encryptions produced by several users, it is important that each user proves that her input is indeed well-formed. This may simply mean that the inputs are valid FHE ciphertexts or, more generally, that the plaintexts $m$ additionally satisfy $f(m)=1$ for some public function $f$. The most efficient FHE schemes are based on the hardness of the Ring-LWE problem and so a natural solution would be to use lattice-based zero-knowledge proofs for proving properties about the ciphertext. Such methods, however, require larger-than-necessary parameters and result in rather long proofs, especially when proving general relationships. In this paper, we show that one can get much shorter proofs (roughly $1.25$KB) by first creating a Pedersen commitment from the vector corresponding to the randomness and plaintext of the FHE ciphertext. To prove validity of the ciphertext, one can then prove that this commitment is indeed to the message and randomness and these values are in the correct range. Our protocol utilizes a connection between polynomial operations in the lattice scheme and inner product proofs for Pedersen commitments of Bünz et al. (S&P 2018). Furthermore, our proof of equality between the ciphertext and the commitment is very amenable to amortization -- proving the equivalence of $k$ ciphertext / commitment pairs only requires an additive factor of $O(\log{k})$ extra space than for one such proof. For proving additional properties of the plaintext(s), one can then directly use the logarithmic-space proofs of Bootle et al. (Eurocrypt 2016) and Bünz et al. (IEEE S&P 2018) for proving arbitrary relations of discrete log commitment. Our technique is not restricted to FHE ciphertexts and can be applied to proving many other relations that arise in lattice-based cryptography. For example, we can create very efficient verifiable encryption / decryption schemes with short proofs in which confidentiality is based on the hardness of Ring-LWE while the soundness is based on the discrete logarithm problem. While such proofs are not fully post-quantum, they are adequate in scenarios where secrecy needs to be future-proofed, but one only needs to be convinced of the validity of the proof in the pre-quantum era. We furthermore show that our zero-knowledge protocol can be easily modified to have the property that breaking soundness implies solving discrete log in a short amount of time. Since building quantum computers capable of solving discrete logarithm in seconds requires overcoming many more fundamental challenges, such proofs may even remain valid in the post-quantum era.

Available format(s)
Publication info
Published by the IACR in PKC 2019
Zero-Knowledge ProofsBulletproofsFHEVerifiable EncryptionRing-LWE Encryption
Contact author(s)
Rafael Del Pino @ ens fr
vadim lyubash @ gmail com
gseiler @ inf ethz ch
2019-01-25: received
Short URL
Creative Commons Attribution


      author = {Rafael del Pino and Vadim Lyubashevsky and Gregor Seiler},
      title = {Short Discrete Log Proofs for FHE and Ring-LWE Ciphertexts},
      howpublished = {Cryptology ePrint Archive, Paper 2019/057},
      year = {2019},
      note = {\url{https://eprint.iacr.org/2019/057}},
      url = {https://eprint.iacr.org/2019/057}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.