### Zero-Knowledge Protocols for the Subset Sum Problem from MPC-in-the-Head with Rejection

##### Abstract

We propose zero-knowledge arguments for the modular subset sum problem. Given a set of integers, this problem asks whether a subset adds up to a given integer $t$ modulo a given integer $q$. This NP-complete problem is considered since the 1980s as an interesting alternative in cryptography to hardness assumptions based on number theory and it is in particular believed to provide post-quantum security. Previous combinatorial approaches, notably one due to Shamir, yield arguments with cubic communication complexity (in the security parameter). More recent methods, based on the MPC-in-the-head technique, also produce arguments with cubic communication complexity. We improve this approach by using a secret-sharing over small integers (rather than modulo $q$) to reduce the size of the arguments and remove the prime modulus restriction. Since this sharing may reveal information on the secret subset, we introduce the idea of rejection to the MPC-in-the-head paradigm. Special care has to be taken to balance completeness and soundness and preserve zero-knowledge of our arguments. We combine this idea with two techniques to prove that the secret vector (which selects the subset) is well made of binary coordinates. Our new techniques have the significant advantage to result in arguments of size independent of the modulus $q$. Our new protocols for the subset sum problem achieve an asymptotic improvement by producing arguments of quadratic size (against cubic size for previous proposals). This improvement is also practical: for a 256-bit modulus $q$, the best variant of our protocols yields 13KB arguments while previous proposals gave 1180KB arguments, for the best general protocol, and 122KB, for the best protocol restricted to prime modulus. Our techniques can also be applied to vectorial variants of the subset sum problem and in particular the inhomogeneous short integer solution (ISIS) problem for which they provide an efficient alternative to state-of-the-art protocols when the underlying ring is not small and NTT-friendly. We also show the application of our protocol to build efficient zero-knowledge arguments of plaintext and/or key knowledge in the context of fully-homomorphic encryption. When applied to the TFHE scheme, the obtained arguments are more than 20 times smaller than those obtained with previous protocols. Eventually, we use our technique to construct an efficient digital signature scheme based on a pseudo-random function due to Boneh-Halevi-Howgrave-Graham.

Note: This version presents a new digital signature scheme based on the pseudo-random function due to Boneh-Halevi-Howgrave-Graham.

Available format(s)
Category
Cryptographic protocols
Publication info
A major revision of an IACR publication in ASIACRYPT 2022
Keywords
zero-knowledge subset sum post-quantum cryptography
Contact author(s)
damien vergnaud @ lip6 fr
History
2022-11-23: revised
See all versions
Short URL
https://ia.cr/2022/223

CC BY

BibTeX

@misc{cryptoeprint:2022/223,
author = {Thibauld Feneuil and Jules Maire and Matthieu Rivain and Damien Vergnaud},
title = {Zero-Knowledge Protocols for the Subset Sum Problem from MPC-in-the-Head with Rejection},
howpublished = {Cryptology ePrint Archive, Paper 2022/223},
year = {2022},
note = {\url{https://eprint.iacr.org/2022/223}},
url = {https://eprint.iacr.org/2022/223}
}

Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.