**A non-PCP Approach to Succinct Quantum-Safe Zero-Knowledge**

*Jonathan Bootle and Vadim Lyubashevsky and Ngoc Khanh Nguyen and Gregor Seiler*

**Abstract: **Today's most compact zero-knowledge arguments are based on the hardness of the discrete logarithm problem and related classical assumptions. If one is interested in quantum-safe solutions, then all of the known techniques stem from the PCP-based framework of Kilian (STOC 92) which can be instantiated based on the hardness of any collision-resistant hash function. Both approaches produce asymptotically logarithmic sized arguments but, by exploiting extra algebraic structure, the discrete logarithm arguments are a few orders of magnitude more compact in practice than the generic constructions.

In this work, we present the first (poly)-logarithmic, potentially post-quantum zero-knowledge arguments that deviate from the PCP approach. At the core of succinct zero-knowledge proofs are succinct commitment schemes (in which the commitment and the opening proof are sub-linear in the message size), and we propose two such constructions based on the hardness of the (Ring)-Short Integer Solution (Ring-SIS) problem, each having certain trade-offs. For commitments to $N$ secret values, the communication complexity of our first scheme is $\tilde{O}(N^{1/c})$ for any positive integer $c$, and $O(\log^2 N)$ for the second. Both of these are a significant theoretical improvement over the previously best lattice construction by Bootle et al. (CRYPTO 2018) which gave $O(\sqrt{N})$-sized proofs.

**Category / Keywords: **public-key cryptography / Lattices, Zero-Knowledge Proofs, SNARKS

**Original Publication**** (with major differences): **IACR-CRYPTO-2020

**Date: **received 17 Jun 2020

**Contact author: **jonathan bootle at berkeley edu,vad@zurich ibm com,nkn@zurich ibm com,gseiler@inf ethz ch

**Available format(s): **PDF | BibTeX Citation

**Version: **20200618:154911 (All versions of this report)

**Short URL: **ia.cr/2020/737

[ Cryptology ePrint archive ]