**Algebraic Techniques for Short(er) Exact Lattice-Based Zero-Knowledge Proofs**

*Jonathan Bootle and Vadim Lyubashevsky and Gregor Seiler*

**Abstract: **A key component of many lattice-based protocols is a zero-knowledge proof of knowledge of a vector $\vec{s}$ with small coefficients satisfying $A\vec{s}=\vec{u}\bmod\,q$. While there exist fairly efficient proofs for a relaxed version of this equation which prove the knowledge of $\vec{s}'$ and $c$ satisfying $A\vec{s}'=\vec{u}c$ where $\|\vec{s}'\|\gg\|\vec{s}\|$ and $c$ is some small element in the ring over which the proof is performed, the proofs for the exact version of the equation are considerably less practical. The best such proof technique is an adaptation of Stern's protocol (Crypto '93), for proving knowledge of nearby codewords, to larger moduli. The scheme is a $\Sigma$-protocol, each of whose iterations has soundness error $2/3$, and thus requires over $200$ repetitions to obtain soundness error of $2^{-128}$, which is the main culprit behind the large size of the proofs produced.

In this paper, we propose the first lattice-based proof system that significantly outperforms Stern-type proofs for proving knowledge of a short $\vec{s}$ satisfying $A\vec{s}=\vec{u}\bmod\,q$. Unlike Stern's proof, which is combinatorial in nature, our proof is more algebraic and uses various relaxed zero-knowledge proofs as sub-routines. The main savings in our proof system comes from the fact that each round has soundness error of $1/n$, where $n$ is the number of columns of $A$. For typical applications, $n$ is a few thousand, and therefore our proof needs to be repeated around $10$ times to achieve a soundness error of $2^{-128}$. For concrete parameters, it produces proofs that are around an order of magnitude smaller than those produced using Stern's approach.

**Category / Keywords: **public-key cryptography / Lattices, Zero-Knowledge Proofs, Commitments

**Original Publication**** (in the same form): **IACR-CRYPTO-2019

**Date: **received 2 Jun 2019, last revised 28 Jun 2019

**Contact author: **jbt at zurich ibm com,vad@zurich ibm com,gregor seiler@inf ethz ch

**Available format(s): **PDF | BibTeX Citation

**Note: **Added acknowledgements.

**Version: **20190628:082525 (All versions of this report)

**Short URL: **ia.cr/2019/642

[ Cryptology ePrint archive ]