Paper 2019/808

2-Message Publicly Verifiable WI from (Subexponential) LWE

Alex Lombardi, Vinod Vaikuntanathan, and Daniel Wichs


We construct a 2-message publicly verifiable witness indistinguishable argument system for NP assuming that the Learning with Errors (LWE) problem is subexponentially hard. Moreover, the protocol is ``delayed input''; that is, the verifier message in this protocol does not depend on the instance. This means that a single verifier message can be reused many times. We construct two variants of this argument system: one variant is adaptively sound, while the other is public-coin (but only non-adaptively sound). We obtain our result via a generic transformation showing that the correlation intractable hash families constructed by Canetti et al. (STOC 2019) and Peikert and Shiehian (CRYPTO 2019) suffice to construct such 2-message WI arguments when combined with an appropriately chosen ``trapdoor Sigma-protocol.'' Our construction can be seen as an adaptation of the Dwork-Naor ``reverse randomization'' paradigm (FOCS '00) for constructing ZAPs to the setting of computational soundness rather than statistical soundness. Our adaptation of the Dwork-Naor transformation crucially relies on complexity leveraging to prove that soundness is preserved.

Available format(s)
Publication info
Preprint. Minor revision.
Contact author(s)
alexjl @ mit edu
2019-07-14: received
Short URL
Creative Commons Attribution


      author = {Alex Lombardi and Vinod Vaikuntanathan and Daniel Wichs},
      title = {2-Message Publicly Verifiable WI from (Subexponential) LWE},
      howpublished = {Cryptology ePrint Archive, Paper 2019/808},
      year = {2019},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.