**A Compressed $\Sigma$-Protocol Theory for Lattices**

*Thomas Attema and Ronald Cramer and Lisa Kohl*

**Abstract: **We show a lattice-based solution for commit-and-prove transparent circuit zero-knowledge (ZK) with polylog-communication, the first not depending on PCPs.

We start from compressed $\Sigma$-protocol theory (CRYPTO 2020), which is built around basic $\Sigma$-protocols for opening an arbitrary linear form on a long secret vector that is compactly committed to. These protocols are first compressed using a recursive ``folding-technique'' adapted from Bulletproofs, at the expense of logarithmic rounds. Proving in ZK that the secret vector satisfies a given constraint -- captured by a circuit -- is then by (blackbox) reduction to the linear case, via arithmetic secret-sharing techniques adapted from MPC. Commit-and-prove is also facilitated, i.e., when commitment(s) to the secret vector are created ahead of any circuit-ZK proof. On several platforms (incl.\ DL) this leads to logarithmic communication. Non-interactive versions follow from Fiat-Shamir.

This abstract modular theory strongly suggests that it should somehow be supported by a lattice-platform as well. However, when going through the motions and trying to establish low communication (on an SIS-platform), a certain significant lack in current understanding of multi-round protocols is exposed.

Namely, as opposed to the DL-case, the basic $\Sigma$-protocol in question typically has poly-small challenge space. Taking into account the compression-step -- which yields non-constant rounds -- and the necessity for parallelization to reduce error, there is no known tight result that the compound protocol admits an efficient knowledge extractor. We resolve the state of affairs here by a combination of two novel results which are fully general and of independent interest. The first gives a tight analysis of efficient knowledge extraction in case of non-constant rounds combined with poly-small challenge space, whereas the second shows that parallel repetition indeed forces rapid decrease of knowledge error.

Moreover, in our present context, arithmetic secret sharing is not defined over a large finite field but over a quotient of a number ring and this forces our careful adaptation of how the linearization techniques are deployed.

We develop our protocols in an abstract framework that is conceptually simple and can be flexibly instantiated. In particular, the framework applies to arbitrary rings and norms.

**Category / Keywords: **cryptographic protocols / Zero Knowledge, Circuit ZK, Lattices, Sigma-Protocols, Compression, Short Integer Solution Problem

**Date: **received 8 Mar 2021, last revised 14 Oct 2021

**Contact author: **thomas attema at tno nl, cramer at cwi nl, lisa kohl at cwi nl

**Available format(s): **PDF | BibTeX Citation

**Note: **Change log w.r.t. Version 2 - March 13, 2021: Minor (local) correction of the proof of Lemma 5. More precisely, adjusted the conditioning in the expected value of the run time random variable.

**Version: **20211014:112406 (All versions of this report)

**Short URL: **ia.cr/2021/307

[ Cryptology ePrint archive ]