Paper 2022/1690
LUNA: Quasi-Optimally Succinct Designated-Verifier Zero-Knowledge Arguments from Lattices
Abstract
We introduce the first candidate Lattice-based designated verifier (DV) zero knowledge sUccinct Non-interactive Argument (ZK-SNARG) protocol, LUNA, with quasi-optimal proof length (quasi-linear in the security/privacy parameter). By simply relying on mildly stronger security assumptions, LUNA is also a candidate ZK-SNARK (i.e. argument of knowledge). LUNA achieves significant improvements in concrete proof sizes, reaching below 6 KB (compared to >32 KB in prior work) for 128-bit security/privacy level. To achieve our quasi-optimal succinct LUNA, we give a new regularity result for 'private' re-randomization of Module LWE (MLWE) samples using discrete Gaussian randomization vectors, also known as a lattice-based leftover hash lemma with leakage, which applies with a discrete Gaussian re-randomization parameter that is polynomial in the statistical privacy parameter (avoiding exponential smudging), and hides the coset of the re-randomization vector support set. Along the way, we derive bounds on the smoothing parameter of the intersection of short integer solution (SIS), gadget, and Gaussian perp module lattices over the power of 2 cyclotomic rings. We then introduce a new candidate linear-only homomorphic encryption scheme called Module Half-GSW (HGSW), and apply our regularity theorem to provide smudging-free circuit-private homomorphic linear operations for Module HGSW. Our implementation and experimental performance evaluation show that, for typical instance sizes, Module HGSW provides favourable performance for ZK-SNARG applications involving lightweight verifiers. It enables significantly (around 5x) shorter proof lengths while speeding up CRS generation and encryption time by 4-16x and speeding up decryption time by 4.3x, while incurring just 1.2-2x time overhead in linear homomorphic proof generation operations, compared to a Regev encryption used in prior work in the ZK-SNARG context.
We believe our techniques are of independent interest and will find application in other privacy-preserving applications of lattice-based cryptography.
Note: Compared to the prior version, the paper went through significant updates including title/author changes, improvements in the technical analyses, better parameter setting and performance results, new implementation results, etc. Please refer to the latest version.
Metadata
- Category: Cryptographic protocols
- Publication info: Published elsewhere. Major revision. ACM CCS 2024
- Keywords: Lattice, Zero-Knowledge Proof, Post-Quantum, SNARK, Leftover Hash
- Contact author(s):
  ron steinfeld @ monash edu
  amin sakzad @ monash edu
  muhammed esgin @ monash edu
  vkuchta @ fau edu
  mert yassi @ monash edu
  raymond zhao @ data61 csiro au
- History:
  2024-06-05: revised
  2022-12-06: received
- Short URL: https://ia.cr/2022/1690
- License: CC BY
BibTeX
@misc{cryptoeprint:2022/1690,
  author = {Ron Steinfeld and Amin Sakzad and Muhammed F. Esgin and Veronika Kuchta and Mert Yassi and Raymond K. Zhao},
  title = {{LUNA}: Quasi-Optimally Succinct Designated-Verifier Zero-Knowledge Arguments from Lattices},
  howpublished = {Cryptology {ePrint} Archive, Paper 2022/1690},
  year = {2022},
  url = {https://eprint.iacr.org/2022/1690}
}