Cryptology ePrint Archive: Report 2020/517

Practical Product Proofs for Lattice Commitments

Thomas Attema and Vadim Lyubashevsky and Gregor Seiler

Abstract: We construct a practical lattice-based zero-knowledge argument for proving multiplicative relations between committed values. The underlying commitment scheme that we use is the currently most efficient one of Baum et al. (SCN 2018), and the size of our multiplicative proof ($9$KB) is only slightly larger than the $7$KB required for just proving knowledge of the committed values. We additionally expand on the work of Lyubashevsky and Seiler (Eurocrypt 2018) by showing that the above-mentioned result can also apply when working over rings $\mathbb{Z}_q[X]/(X^d+1)$ where $X^d+1$ splits into low-degree factors, which is a desirable property for many applications (e.g. range proofs, multiplications over $\mathbb{Z}_q$) that take advantage of packing multiple integers into the NTT coefficients of the committed polynomial.

Category / Keywords: cryptographic protocols / lattice-based, zero-knowledge, commitments

Original Publication (in the same form): IACR-CRYPTO-2020

Date: received 4 May 2020, last revised 25 Jun 2020

Contact author: gseiler at inf ethz ch

Available format(s): PDF | BibTeX Citation

Note: Full version of the Crypto paper

Version: 20200625:153030 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]