Paper 2023/150

More Efficient Zero-Knowledge Protocols over ${\mathbb{Z}}_{2^k}$ via Galois Rings

Abstract

A recent line of works on zero-knowledge (ZK) protocols with a vector oblivious linear function evaluation (VOLE)-based offline phase provides a new paradigm for scalable ZK protocols featuring fast proving and small prover memory. Very recently, Baum et al. (Crypto'23) proposed the VOLE-in-the-head technique, allowing such protocols to become publicly verifiable. Many practically efficient protocols for proving circuit satisfiability over any Galois field are implemented, while protocols over rings $$ are significantly lagging behind, with only a proof-of-concept pioneering work called Appenzeller to Brie (CCS'21) and a first proposal called Moz$$arella (Crypto'22). The ring $$ or $$, though highly important (it captures computation in real-life programming and the computer architectures such as CPU words), presents non-trivial difficulties because, for example, unlike Galois fields $$, the fraction of units in $$ is $$. In this work, we first construct ZK protocols over a high degree Galois ring extension of $$ (fraction of units close to $$) and then convert them to $$ efficiently using amortization techniques. Our results greatly change the landscape of ZK protocols over~$$. (1) We propose a competing ZK protocol that has many advantages over the state-of-the-art Moz$$arella. We remove the undesirable dependence of communication complexity on the security parameter, and achieve communication complexity {\em strictly} linear in the circuit size. Furthermore, our protocol has better concrete efficiency. For $$ bits soundness on circuits over $$ and $$, we offer $$--$$ improvements in communication. (2) Inspired by the recently proposed interactive message authentication code technique (Weng et al., CCS'22), we construct a constant round ZK protocol over $$ with sublinear (in the circuit size) communication complexity, which was previously achieved only over fields. (3) We show that the pseudorandom correlation generator approach can be adapted to efficiently implement VOLE over Galois rings, with analysis of the hardness of underlying LPN assumptions over Galois rings. (4) We adapt the VOLE-in-the-head technique to make it work for $$, yielding {\em publicly verifiable} non-interactive ZK protocols over $$ which preserve most of the efficiency metrics of the VOLE-based ZK protocols.