1 Introduction

Due to the significant progress in building quantum computers by various industry leaders, e.g. IBM and Google, there has been a tremendous amount of interest in post-quantum cryptography. This is highly evidenced by the NIST PQC Competition for standardising quantum-safe key encapsulation mechanisms and signatures, where the vast majority of the selected algorithms are based on algebraic lattices. Indeed, not only do the lattice-based constructions offer relatively small key and signature sizes [28, 42, 48], but they are also renowned for their very fast implementation [71, 78]. Consequently, lattices seem to be a natural candidate to build more complex quantum-safe primitives, such as non-interactive zero-knowledge proofs (NIZKs).

The last several years have seen enormous progress in constructing practically efficient NIZKs for lattice relations [12, 44, 68] which can produce proofs of size a few dozen kilobytes. This has led to rather compact and practical constructions of privacy-preserving primitives, such as ring signatures [67], blind signatures [1] and anonymous credentials [27, 56]. Unfortunately, the aforementioned protocols suffer from the following limitation: both the proof size and the verification time are linear in the length of the witness. Hence, for proving more complex statements, efficient NIZKs with succinct proof size and verification complexity are desired, i.e. zero-knowledge succinct non-interactive arguments of knowledge (zk-SNARKs).

Polynomial commitment schemes [58] have been receiving more and more attention in the SNARK community. The main reason is that, in combination with Polynomial Interactive Oracle Proofs (PIOPs) [31, 37], this cryptographic primitive can be used to obtain succinct arguments with concrete efficiency (see e.g. [23, 51, 79]). In a polynomial commitment scheme, one can commit to any polynomial \(f{:}{=} \sum ^d_{i=0} f_i\textsf {X} ^i\) of bounded degree d over a ring R, and then later prove that f evaluated at some public point \(u \in R\) is equal to a public image \(z \in R\), i.e.

$$\begin{aligned} f(u) = z \hspace{5.0pt}. \end{aligned}$$
(1)

In the context of PIOPs, we require both the proof \(\pi \) and the verification time to be succinct (i.e. polylogarithmic in the degree d), even if the evaluation point is chosen adaptively by a verifier. Further, to obtain a SNARK, we need \(\pi \) to be a proof of knowledge; thus we call such a polynomial commitment extractable.

Recently, various lattice-based polynomial commitments [3, 13, 35, 76, 83] were introduced (footnote 1), mainly as a direct application of functional commitments [64] over standard cyclotomic rings \(R{:}{=} \mathbb {Z}_q[X]/(X^N+1)\) where N is a power of two. Indeed, (1) can be seen as a degree-one multivariate polynomial

$$\begin{aligned} \begin{bmatrix} 1&u&u^2&\cdots&u^d\end{bmatrix} \begin{bmatrix} f_0 \\ f_1 \\ \vdots \\ f_d \end{bmatrix} = z \hspace{5.0pt}. \end{aligned}$$
(2)

Unfortunately, the aforementioned constructions suffer from several limitations when applied in the context of PIOPs. Firstly, succinct verification requires a preprocessing step, meaning that the evaluation point u must be known when the public parameters are generated and cannot be chosen adaptively. Further, only [3, 13] offer extractable polynomial commitments, which unfortunately suffer from the following limitations: (i) they rely on a knowledge assumption, which now seems to be at least “morally” broken [82], (ii) the message space can only consist of short vectors, and (iii) they only support linear functions with short coefficients. This makes proving relations as in (2) cumbersome for large degrees d. Even though one of these issues was circumvented by a promising recent work of Wee and Wu [83], which allows committing to vectors with arbitrarily large coefficients, their knowledge soundness analysis is left for future work. Therefore, constructing extractable polynomial commitments with succinct verification from lattices still remains an open problem.

1.1 Our Contributions

In this work we propose a lattice-based PIOP-friendly polynomial commitment scheme. Concretely, our construction supports committing to arbitrary polynomials \(f \in R[\textsf {X} ]\) of bounded degree d over R, and proving evaluations for any point \(u \in R\) with no preprocessing necessary. Extractability holds in the random oracle model via the Fiat–Shamir transformation [46] under a variant of the \(\textsf {BASIS} \) assumption defined recently by Wee and Wu [83], which we call \(\textsf {PowerBASIS} \).

At the core of our construction lie two split-and-fold interactive protocols for proving polynomial evaluations. The first one, which resembles lattice Bulletproofs [5, 8, 26], enjoys proof size and verification complexity polylogarithmic in the degree d. Unfortunately, due to certain restrictions on the challenge space, which are inherited from the aforementioned works, the protocol achieves only \(1/\textsf {poly} (\lambda )\) knowledge soundness error. Even though soundness can be amplified via parallel repetition [9] for the interactive protocol, this is not necessarily the case in the non-interactive setting when applying the Fiat–Shamir transformation, as discussed in [10]. To this end, we propose the second protocol, which achieves negligible soundness error in one shot at the cost of quasi-polylogarithmic \(d^{O\left( 1/\log \log d\right) }\) proof size and verification runtime. Furthermore, the non-interactive version of the scheme can be proven secure in the random oracle model using the framework by Attema et al. [10]. Last but not least, we show how to upgrade the evaluation proof to achieve zero-knowledge using the standard Fiat–Shamir-with-aborts paradigm [29, 65, 66]. As a downside, our constructions (i) require a trusted setup, with the common reference string (\(\textsf {crs} \)) size being quadratic in the degree d, and (ii) have committing time that is also \(O(d^2)\). We summarise the efficiency of both schemes in Table 1.

Table 1 Efficiency overview of our polynomial commitment scheme

As a direct application, we combine our polynomial commitment scheme, which includes batch evaluation proofs, with the \(\textsf{Marlin}\) Polynomial IOP [37] to obtain a trusted-setup (zero-knowledge) succinct non-interactive argument of knowledge for Rank-1 Constraint Systems (R1CS). Practically, for \(\approx 2^{20}\) constraints our construction achieves proofs of size \(17\)MB, which is around \(15\)X smaller than the only concretely instantiated lattice-based proof system with succinct verification by Albrecht et al. [3]. Moreover, we obtain a square-root improvement over [3] in terms of the prover runtime. In comparison with other lattice-based arguments which admit linear verification time, our scheme produces proofs comparable to the recent “square-root” protocol by Nguyen and Seiler [75] for bigger R1CS instances, such as \(2^{30}\) constraints, but still more than two orders of magnitude larger than the current state-of-the-art by Beullens and Seiler [20]. We refer to Table 2 for a full comparison and to Sect. 6 for more details on sizes.

Table 2 Comparison of lattice-based publicly verifiable proof systems for \(\textsf{NP}\) relations of size \(\ell \) with sublinear communication complexity

1.2 Technical Overview

We provide a brief overview of our techniques. Let \(\lambda \) be a security parameter, q be an odd prime, and N be a power-of-two. Define the polynomial rings \(\mathcal {R}{:}{=} \mathbb {Z}[X]/(X^N+1)\) and \(\mathcal {R}_q{:}{=} \mathbb {Z}_q[X]/(X^N+1)\). Let \(\mathcal {R}_q^\times \) be the set of invertible elements in \(\mathcal {R}_q\). For a base \(\delta \ge 2\) and \(n\ge 1\), we define the gadget matrix as \({\textbf {G}} _n {:}{=} \begin{bmatrix} 1&\delta&\cdots&\delta ^{\tilde{q}}\end{bmatrix} \otimes {\textbf {I}} _n \in \mathcal {R}_q^{n \times n{\tilde{q}}}\) where \({\tilde{q}}{:}{=} \lfloor \log _{\delta } q \rfloor + 1\). For simplicity, we omit the subscript n and write \({\textbf {G}} {:}{=} {\textbf {G}} _n\) when it is clear from the context. Further, for a fixed matrix \({\textbf {T}} \in \mathcal {R}_q^{n \times k}\) and matrix \({\textbf {A}} \in \mathcal {R}_q^{n \times m}\), we denote by \({\textbf {S}} \leftarrow {\textbf {A}} ^{-1}_\sigma ({\textbf {T}} )\) sampling \({\textbf {S}} \in \mathcal {R}_q^{m \times k}\) from the discrete Gaussian distribution with Gaussian parameter \(\sigma >0\) conditioned on \({\textbf {A}} {\textbf {S}} = {\textbf {T}} \) over \(\mathcal {R}_q\).

1.2.1 BASIS Commitment Scheme

Until recently, lattice-based commitment schemes were split into two disjoint classes: Hashed-Message Commitments [2] and Unbounded-Message Commitments [15]. The former has the property that the size of a commitment is almost independent of the size of the committed value, and thus the commitments are compressing. This comes at the cost of a restricted message space consisting only of vectors of small norm. On the other hand, the main characteristic of the latter class is the unbounded message space, but the commitment size is linear in the size of the message.

Recently, Wee and Wu [83] proposed the first lattice-based commitment scheme which is compressing and simultaneously supports arbitrarily large messages over \(\mathcal {R}_q\). The downside of the construction is that it requires a trusted setup, which was not necessary in prior works, and that the committing time is quadratic in the message length. In the following, we describe the main intuition behind the construction by Wee and Wu. To this end, we recall the \(\textsf {BASIS} \) assumption (footnote 2), which lies at the core of the binding property of the commitment.

\(\textsf {BASIS} \) assumption. As in the (Module-)SIS problem [61], the adversary’s final goal is to find a non-zero vector \({\textbf {s}} \) of small norm such that \({\textbf {A}} {\textbf {s}} = \textbf{0}\) for a uniformly random matrix \({\textbf {A}} \leftarrow \mathcal {R}_q^{n \times m}\). However, in the \(\textsf {BASIS} \) setting the adversary is given more information. Namely, let \(({\textbf {B}} ,\textsf {aux} ) \leftarrow \textsf{Samp}({\textbf {A}} )\) be an efficient algorithm which, given the matrix \({\textbf {A}} \) as input, outputs another matrix \({\textbf {B}} \in \mathcal {R}_q^{n' \times m'}\) along with some auxiliary information \(\textsf {aux} \). Then, in addition to the challenge matrix \({\textbf {A}} \), the adversary is given a tuple \(({\textbf {B}} ,\textsf {aux} ,{\textbf {T}} )\), where \({\textbf {T}} \) is a trapdoor (footnote 3) for \({\textbf {B}} \). In particular, \({\textbf {T}} \) can be used to efficiently emulate sampling from \({\textbf {B}} ^{-1}_\sigma ({\textbf {t}} )\) for any image \({\textbf {t}} \in \mathcal {R}_q^{n'}\) under certain conditions on the parameter \(\sigma >0\).

Note that hardness of the \(\textsf {BASIS} \) assumption heavily depends on the \(\textsf {Samp} \) algorithm. For instance, if \(\textsf {Samp} ({\textbf {A}} )\) is an identity function and simply outputs \({\textbf {B}} {:}{=} {\textbf {A}} \), then using the trapdoor \({\textbf {T}} \) we can find a short non-zero solution to \({\textbf {A}} \) by sampling \({\textbf {s}} \leftarrow {\textbf {B}} ^{-1}_\sigma (\textbf{0})\). In this paper, we consider the following three instantiations of the \(\textsf {Samp} \) algorithm:

\(\blacksquare \) \(\textsf{StructBASIS}\): The sampling algorithm \(\textsf {Samp} ({\textbf {A}} )\) first generates a row \({\textbf {a}} ^\intercal \leftarrow \mathcal {R}_q^{\ell }\) and sets

$$\begin{aligned} \mathbf {A^{\!\star }} {:}{=} \begin{bmatrix} {\textbf {a}} ^\intercal \\ {\textbf {A}} \end{bmatrix} \in \mathcal {R}_q^{(n+1) \times \ell } \hspace{5.0pt}. \end{aligned}$$
(3)

Next, it samples square matrices \({\textbf {W}} _1,\ldots ,{\textbf {W}} _\ell \in \mathcal {R}_q^{(n+1) \times (n+1)}\) and outputs

$$\begin{aligned} {\textbf {B}} _\ell {:}{=} \left[ \begin{array}{@{}ccc|c@{}} {\textbf {W}} _1\mathbf {A^{\!\star }} &{} &{} &{} -{\textbf {G}} _{n+1} \\ &{} \ddots &{} &{} \vdots \\ &{} &{} {\textbf {W}} _\ell \mathbf {A^{\!\star }} &{} -{\textbf {G}} _{n+1} \end{array}\right] \quad \text {and} \quad \textsf {aux} {:}{=} ({\textbf {W}} _1,\ldots ,{\textbf {W}} _\ell ) \hspace{5.0pt}. \end{aligned}$$

\(\blacksquare \) \(\textsf{PowerBASIS}\): \(\textsf {Samp} ({\textbf {A}} )\) generates a row \({\textbf {a}} ^\intercal \leftarrow \mathcal {R}_q^{\ell }\) and sets \(\mathbf {A^{\!\star }}\) as in (3). Then, it samples a single square matrix \({\textbf {W}} \leftarrow \mathcal {R}_q^{(n+1) \times (n+1)}\) and outputs

$$\begin{aligned} {\textbf {B}} _\ell {:}{=} \left[ \begin{array}{@{}ccc|c@{}} {\textbf {W}} ^0\mathbf {A^{\!\star }} &{} &{} &{} -{\textbf {G}} _{n+1} \\ &{} \ddots &{} &{} \vdots \\ &{} &{} {\textbf {W}} ^{\ell -1} \mathbf {A^{\!\star }} &{} -{\textbf {G}} _{n+1} \end{array}\right] \quad \text {and} \quad \textsf {aux} {:}{=} {\textbf {W}} \hspace{5.0pt}. \end{aligned}$$
(4)

\(\blacksquare \) \(\textsf{PRISIS}\) (footnote 4): \(\textsf {Samp} ({\textbf {A}} )\) samples a row \({\textbf {a}} ^\intercal \leftarrow \mathcal {R}_q^{\ell }\) and sets \(\mathbf {A^{\!\star }}\) as in (3). Then, it samples a uniformly random polynomial \(w \leftarrow \mathcal {R}_q\) and outputs

$$\begin{aligned} {\textbf {B}} _\ell {:}{=} \left[ \begin{array}{@{}ccc|c@{}} w^0\mathbf {A^{\!\star }} &{} &{} &{} -{\textbf {G}} _{n+1} \\ &{} \ddots &{} &{} \vdots \\ &{} &{} w^{\ell -1} \mathbf {A^{\!\star }} &{} -{\textbf {G}} _{n+1} \end{array}\right] \quad \text {and} \quad \textsf {aux} {:}{=} w \hspace{5.0pt}. \end{aligned}$$

Observe that the only difference between these variants is how the square matrices \({\textbf {W}} _1,\ldots ,{\textbf {W}} _{\ell }\) are generated. For \(\textsf{StructBASIS}\) they are picked independently and uniformly at random, while for \(\textsf {PowerBASIS} \) (resp. \(\textsf{PRISIS}\)) each matrix \({\textbf {W}} _i\) is defined as \({\textbf {W}} _i {:}{=} {\textbf {W}} ^{i-1}\) for \(i \in [\ell ]\), where \({\textbf {W}} \leftarrow \mathcal {R}_q^{(n+1) \times (n+1)}\) (resp. \({\textbf {W}} {:}{=} w \cdot {\textbf {I}} _{n+1}\) for \(w \leftarrow \mathcal {R}_q\)). We also note that the functional commitment from [83] can be built on top of all three \(\textsf {BASIS} \) instantiations (footnote 5).

In this work, we analyse hardness of the three newly introduced assumptions for \(\ell = 2\). Concretely, we prove that under a certain parameter selection

Unfortunately, the techniques do not translate well for larger values of \(\ell \), as we argue in Sect. 3.2. Therefore, hardness of the \(\textsf {BASIS} \) assumption for \(\ell > 2\) is left as an open problem.

Commitment construction. We describe a commitment scheme based on the \(\textsf {PowerBASIS} \) assumption. Trivial modifications can be made in order to make the scheme secure under the \(\textsf{StructBASIS}\) or \(\textsf{PRISIS}\) assumptions.

Consider a message space of arbitrary vectors in \(\mathcal {R}_q^{d+1}\) of length \(d+1\). The setup algorithm generates a (pseudo-)random matrix \({\textbf {A}} \in \mathcal {R}_q^{n \times m}\), along with a uniformly random invertible matrix \({\textbf {W}} \in \mathcal {R}_q^{n \times n}\). Further, it computes a trapdoor \({\textbf {T}} \) for the matrix

$$\begin{aligned} {\textbf {B}} {:}{=} \left[ \begin{array}{@{}ccc|c@{}} {\textbf {W}} ^0{\textbf {A}} &{} &{} &{} -{\textbf {G}} \\ &{} \ddots &{} &{} \vdots \\ &{} &{} {\textbf {W}} ^{d} {\textbf {A}} &{} -{\textbf {G}} \end{array}\right] \hspace{5.0pt}. \end{aligned}$$
(5)

Then, the common reference string is \(\textsf {crs} {:}{=} ({\textbf {A}} ,{\textbf {W}} ,{\textbf {T}} )\).

In order to commit to a vector \({\textbf {f}} =(f_0,f_1,\ldots ,f_d) \in \mathcal {R}_q^{d+1}\), one uses the trapdoor \({\textbf {T}} \) to sample short \({\textbf {s}} _0,\ldots ,{\textbf {s}} _{d} \in \mathcal {R}_q^{m}\) and \(\hat{{\textbf {t}} } \in \mathcal {R}_q^{n{\tilde{q}}}\) as follows:

$$\begin{aligned} \begin{bmatrix} {\textbf {s}} _0 \\ \vdots \\ {\textbf {s}} _d \\ \hat{{\textbf {t}} } \end{bmatrix} \leftarrow {\textbf {B}} ^{-1}_\sigma \left( \begin{bmatrix} -f_0 {\textbf {W}} ^0{\textbf {e}} _1 \\ -f_1 {\textbf {W}} ^1{\textbf {e}} _1 \\ \vdots \\ -f_d {\textbf {W}} ^d {\textbf {e}} _1 \end{bmatrix}\right) \end{aligned}$$

where \({\textbf {e}} _1 {:}{=} (1,0,\ldots ,0)^\intercal \in \mathcal {R}_q^{n}\). The commitment becomes \({\textbf {t}} {:}{=} {\textbf {G}} \hat{{\textbf {t}} }\), and the opening consists of \(({\textbf {s}} _i)_{i \in [0,d]}\). The opening algorithm, given the common reference string \(\textsf {crs} \), commitment \({\textbf {t}} \in \mathcal {R}_q^n\) and openings \(({\textbf {s}} _i)_{i \in [0,d]}\) as input, checks whether for all \(i=0,1,\ldots ,d\):

$$\begin{aligned} {\textbf {A}} {\textbf {s}} _i + f_i{\textbf {e}} _1 = {\textbf {W}} ^{-i}{\textbf {t}} \quad \text {and} \quad \Vert {\textbf {s}} _i\Vert \le \beta \end{aligned}$$

for some norm parameter \(\beta >0\).

Security properties. In this paper, we consider the notion of relaxed binding [12]. Namely, we say that a relaxed opening for a commitment \({\textbf {t}} \) consists of (i) a vector of openings \({\textbf {s}} = ({\textbf {s}} _0,\ldots ,{\textbf {s}} _d)\), (ii) a message \({\textbf {f}} = (f_0,\ldots ,f_d) \in \mathcal {R}_q^{d+1}\), and (iii) a vector of relaxation factors \({\textbf {c}} {:}{=} (c_0,\ldots ,c_d) \in \mathcal {R}_q^{d+1}\), which together satisfy:

$$\begin{aligned} {\textbf {A}} {\textbf {s}} _i + f_i{\textbf {e}} _1 = {\textbf {W}} ^{-i}{\textbf {t}} , \quad \Vert c_i \cdot {\textbf {s}} _i\Vert \le \beta , \quad \Vert c_i\Vert _1 \le \kappa \quad \text {and} \quad c_i \in \mathcal {R}_q^\times \end{aligned}$$

for \(i=0,1,\ldots ,d\) and some \(\kappa \ge 1\). In particular, vectors \({\textbf {s}} _i\) do not need to be short.

Now, we show that the commitment scheme is binding w.r.t. relaxed openings under the \(\textsf {PowerBASIS} \) assumption. Indeed, let \(\mathcal {B}\) be the following adversary for the \(\textsf {PowerBASIS} \) security game, which is given as input a tuple \(({\textbf {A}} ,{\textbf {B}} ,{\textbf {W}} ,{\textbf {T}} )\) from the challenger, where \({\textbf {B}} \) is defined as in (4) for \(\ell = d+1\), and \(\mathbf {A^{\!\star }}\) is constructed as in (3). First, \(\mathcal {B}\) aborts if \({\textbf {W}} \) is not invertible (footnote 6). Otherwise, \(\mathcal {B}\) passes \(\textsf {crs} {:}{=} (\mathbf {A^{\!\star }},{\textbf {W}} ,{\textbf {T}} )\) to the adversary \(\mathcal {A}\) against the relaxed binding game. Suppose \(\mathcal {A}\) comes up with two relaxed openings \(({\textbf {s}} ,{\textbf {f}} ,{\textbf {c}} )\) and \(({\textbf {s}} ',{\textbf {f}} ',{\textbf {c}} ')\) for the same commitment \({\textbf {t}} \) and \({\textbf {f}} \ne {\textbf {f}} '\). Thus, for some index i we have \(f_i \ne f'_i\). Then, by definition of relaxed openings we have

$$\begin{aligned} \mathbf {A^{\!\star }}({\textbf {s}} _i - {\textbf {s}} '_i) + (f_i - f'_i){\textbf {e}} _1 = \textbf{0} \hspace{5.0pt}. \end{aligned}$$

Since \(f_i - f'_i \ne 0\), we must have \( \bar{{\textbf {s}} }_i {:}{=} {\textbf {s}} _i - {\textbf {s}} '_i \ne 0\). Hence by definition of \(\mathbf {A^{\!\star }}\), \( \bar{{\textbf {s}} }_i\) is a non-zero solution for the matrix \({\textbf {A}} \), but not necessarily a short one. To conclude the proof, note that \(c_ic'_i\bar{{\textbf {s}} }_i\) is still a non-zero vector, due to the invertibility property of \(c_i,c'_i\), and at the same time:

$$\begin{aligned} \Vert c_ic'_i\bar{{\textbf {s}} }_i\Vert \le \Vert c'_i(c_i{\textbf {s}} _i)\Vert + \Vert c_i(c'_i{\textbf {s}} '_i)\Vert \le 2\kappa \beta \hspace{5.0pt}. \end{aligned}$$
(6)

Thus, \(c_ic'_i\bar{{\textbf {s}} }_i\) is a valid solution for the \(\textsf {PowerBASIS} \) problem.

Finally, the statistical hiding property is directly inherited from the original construction of the \(\textsf {BASIS} \) commitment by Wee and Wu [83].

1.2.2 Framework for Proving Polynomial Evaluations

We use the construction above to build our polynomial commitment scheme. Namely, given a polynomial \(f \in \mathcal {R}_q[\textsf {X} ]\) of degree at most d over \(\mathcal {R}_q\), we commit to f by committing to its coefficient vector \({\textbf {f}} = (f_0,f_1,\ldots ,f_d) \in \mathcal {R}_q^{d+1}\), as described in Sect. 1.2.1, to obtain a commitment \({\textbf {t}} \in \mathcal {R}_q^n\) along with a short opening \(({\textbf {s}} _0,{\textbf {s}} _1,\ldots ,{\textbf {s}} _d)\), where each \({\textbf {s}} _i \in \mathcal {R}_q^m\).

An essential property of polynomial commitments is being able to prove that the committed polynomial was evaluated correctly, i.e. \(f(u) = z\) for public u and z in \(\mathcal {R}_q\). In the setting of our commitment scheme, we are interested in the following ternary relation (footnote 7):

$$\begin{aligned} \textsf{R}_{d,\beta }&{:}{=} \left\{ \left( ({\textbf {A}} ,{\textbf {W}} ,{\textbf {T}} ),({\textbf {t}} ,u,z),(f,({\textbf {s}} _i)_{0\le i\le d})\right) \right. \nonumber \\&\qquad \qquad \left. \bigg | \begin{array}{c} \forall 0\le i \le d, {\textbf {A}} {\textbf {s}} _i + f_i{\textbf {e}} _1 = {\textbf {W}} ^{-i}{\textbf {t}} \wedge \Vert {\textbf {s}} _i\Vert \le \beta \\ \wedge \; f(u) = z \end{array} \right\} \hspace{5.0pt}. \end{aligned}$$
(7)

The key ingredient for proving such relations efficiently will be the compressed \(\Sigma \)-protocol in Fig. 1, which we will use recursively.

Fig. 1 Compressed \(\Sigma \)-protocol for the relation \(\textsf{R}_{d,\beta }\) from (7). Here, \(\textsf {crs} = ({\textbf {A}} ,{\textbf {W}} ,{\textbf {T}} )\) is the common reference string for our polynomial commitment scheme and \(d +1 = k^h\). We denote by \(d'{:}{=} (d+1)/k-1\) the degree of the polynomial g, and \(\text {w}{:}{=} \max _{\varvec{\alpha }\in \mathcal {C}} \Vert \varvec{\alpha }\Vert _1\).

We take inspiration from a common split-and-fold technique used by prior works, e.g. FRI [17] and DARK [31]. Concretely, take \(k \in \mathbb {N}\) and suppose \(d+1 = k^h\) for some \(h \in \mathbb {N}\). Let us write the polynomial \(f(\textsf {X} ) = \sum ^d_{i=0} f_i \textsf {X} ^i\) as

$$\begin{aligned} f(\textsf {X} ) = \sum ^k_{t=1} f_t(\textsf {X} ^k)\textsf {X} ^{t-1}, \quad \text {where } f_t(\textsf {X} ) {:}{=} \sum ^{\frac{d+1}{k}-1}_{i=0} f_{ki + t - 1}\textsf {X} ^i \quad \text {for } t =1,2,\ldots ,k \hspace{5.0pt}. \end{aligned}$$

Then, we want to prove that \(f(u) = \sum ^k_{t=1}f_t(u^k)u^{t-1} = z\). To this end, we let the prover send the partial evaluations \(z_t {:}{=} f_t(u^k)\) for \(t \in [k]\), and the verifier directly checks whether

$$\begin{aligned} \sum ^k_{t=1} z_t u^{t-1} = z \hspace{5.0pt}. \end{aligned}$$
(8)

Further, the verifier returns a challenge \(\varvec{\alpha }{:}{=} (\alpha _1,\ldots ,\alpha _k)\) from a challenge space \(\mathcal {C}\subseteq \mathcal {R}_q^k\). We denote \(\text {w}{:}{=} \max _{\varvec{\alpha }\in \mathcal {C}} \Vert \varvec{\alpha }\Vert _1\). Later we will discuss concrete instantiations for \(\mathcal {C}\).

Now, consider the folded polynomial \(g(\textsf {X} ) = \sum ^k_{t=1} \alpha _t f_t(\textsf {X} )\) which is of degree at most \(d' {:}{=} (d+1)/k - 1 = k^{h-1} - 1\). The crucial observation here is that using the structure of the \(\textsf {PowerBASIS} \) commitment (footnote 8) from Sect. 1.2.1 we get for every \(i=0,1,\ldots ,d'\):

$$\begin{aligned} ({\textbf {W}} ^{k})^{-i}\left( \sum ^k_{t=1}\alpha _t{\textbf {W}} ^{-(t-1)}\right) {\textbf {t}}&= \sum ^k_{t=1} \alpha _t {\textbf {W}} ^{-(ki+t-1)}{\textbf {t}} \\&= {\textbf {A}} \left( \sum ^k_{t=1}\alpha _t{\textbf {s}} _{ki+t-1}\right) + \left( \sum ^k_{t=1}\alpha _tf_{ki+t-1}\right) {\textbf {e}} _1 \\&= {\textbf {A}} {\textbf {z}} _i + g_i{\textbf {e}} _1 \end{aligned}$$

where \({\textbf {z}} _i {:}{=} \sum ^k_{t=1}\alpha _t{\textbf {s}} _{ki+t-1}\) satisfies \(\Vert {\textbf {z}} _i\Vert \le \beta ' {:}{=} \text {w}\beta \). In other words, \({\textbf {t}} ' {:}{=} (\sum ^k_{t=1}\alpha _t{\textbf {W}} ^{-(t-1)}) \cdot {\textbf {t}} \), which can be computed by the verifier in time O(k), is a commitment to the polynomial g with the opening \(({\textbf {z}} _j)_{j \in [0,d']}\) w.r.t. the new common reference string \(\textsf {crs} ' {:}{=} ({\textbf {A}} ,{\textbf {W}} ^k,{\textbf {T}} )\). Further, by definition of g:

$$\begin{aligned} g(u^k) = \sum ^k_{t=1} \alpha _t f_t(u^k) = \sum ^k_{t=1} \alpha _t z_t \hspace{5.0pt}. \end{aligned}$$

Thus, we can conclude that:

$$\begin{aligned} \left( ({\textbf {A}} ,{\textbf {W}} ^k,{\textbf {T}} ),\left( \sum ^k_{t=1}\alpha _t{\textbf {W}} ^{-(t-1)}{\textbf {t}} ,u^k, \sum ^k_{t=1} \alpha _t z_t\right) ,\left( g,({\textbf {z}} _i)_{i \in [0,d']}\right) \right) \in \textsf{R}_{d',\text {w}\beta } \hspace{5.0pt}. \end{aligned}$$
(9)

In our \(\Sigma \)-protocol, the prover directly outputs \(\left( g,({\textbf {z}} _i)_{i \in [0,d']}\right) \) to the verifier, who checks Eqs. (9) and (8). To achieve succinct proofs and verification, we let the prover recursively run the \(\Sigma \)-protocol on the new instance tuple (9) until the degree of the folded polynomial is zero (footnote 9). Overall, the protocol has \(2h+1\) rounds and the last prover message is a pair of the form \((g,{\textbf {z}} ) \in \mathcal {R}_q\times \mathcal {R}_q^{m}\), where \(\Vert {\textbf {z}} \Vert \le \beta ' {:}{=} \text {w}^h \beta \). Performance-wise (excluding the \(\textsf {poly} (\lambda )\) factors), the prover sends O(hk) elements in \(\mathcal {R}_q\), while the verifier performs in total O(hk) operations in \(\mathcal {R}_q\).

We now focus on knowledge soundness. As common in the lattice setting, we aim to extract a witness with respect to the relaxed relation:

$$\begin{aligned} \tilde{\textsf{R}}_{d,\beta ,\kappa }&{:}{=} \left\{ \left( ({\textbf {A}} ,{\textbf {W}} ,{\textbf {T}} ),({\textbf {t}} ,u,z),(f,({\textbf {s}} _i)_{0\le i\le d},(c_i)_{0\le i\le d})\right) \right. \\&\qquad \qquad \left. \Bigg | \begin{array}{c} \forall 0\le i \le d, {\textbf {A}} {\textbf {s}} _i + f_i{\textbf {e}} _1 = {\textbf {W}} ^{-i}{\textbf {t}} \\ \wedge \Vert c_i \cdot {\textbf {s}} _i\Vert \le \beta \wedge \Vert c_i\Vert _1 \le \kappa \\ \wedge c_i \in \mathcal {R}_q^\times \wedge f(u) = z \end{array} \right\} \hspace{5.0pt}. \end{aligned}$$

In other words, the witness is now a relaxed opening for the commitment \({\textbf {t}} \). Note that the relation is still meaningful as long as the commitment scheme is binding w.r.t. relaxed openings.

The knowledge extraction strategy for \(\tilde{\textsf{R}}_{d,\beta ,\kappa }\) will strongly depend on the instantiation of the challenge space \(\mathcal {C}\). In this work, we consider the two variants described below.

Construction 1: Monomial protocol. As the name suggests, we will make use of certain invertibility properties of the set of signed monomials in \(\mathcal {R}_q\), following the approach from lattice Bulletproofs [5, 8, 26]. Namely, we set \((k,h) = (2,\log (d+1))\) and define the challenge space

$$\begin{aligned} \mathcal {C}{:}{=} \left\{ (1,X^i) : i \in \mathbb {Z}\right\} \subseteq \mathcal {R}_q^k \hspace{5.0pt}. \end{aligned}$$

By construction, \(\text {w}= 2\) and \(|\mathcal {C}| = 2N\). Now, we show that for the challenge space \(\mathcal {C}\) above, the \(\Sigma \)-protocol in Fig. 1 is special sound w.r.t. the relaxed relation \(\tilde{\textsf{R}}\). The methodology can then be extended to show that our recursive protocol is \((2,\ldots ,2)\)-special sound. Thus, the general parallel repetition results [9], as well as security of the Fiat–Shamir transformation in the random oracle model [10] would directly apply here.

To this end, suppose we are given two transcripts

$$\begin{aligned} \textsf {tr} _j {:}{=} ((z_1,z_2), (1,\alpha _j) , (g_j,({\textbf {z}} _{j,i})_{i \in [0,d']})) \quad \text {for } j=0,1 \end{aligned}$$

with the same first message \((z_1,z_2)\) and two distinct challenges \((1,\alpha _0) \ne (1,\alpha _1)\) in \(\mathcal {C}\) such that

$$\begin{aligned} {\left\{ \begin{array}{ll} \left( ({\textbf {A}} ,{\textbf {W}} ^2,{\textbf {T}} ),\left( ({\textbf {I}} _n + \alpha _j{\textbf {W}} ^{-1}){\textbf {t}} ,u^2, z_1 + \alpha _j z_2 \right) ,\left( g_j,({\textbf {z}} _{j,i})_{i \in [0,d']}\right) \right) \in \textsf{R}_{d',\beta '}\\ z_1 + uz_2 = z \end{array}\right. } \end{aligned}$$

where \(\beta ' {:}{=} \text {w}\beta = 2\beta \). Observing that \(\alpha _0 - \alpha _1 \in \mathcal {R}_q^\times \), we define for \(i=0,1,\ldots ,d' {:}{=} (d-1)/2\)

$$\begin{aligned} \bar{f}_{2i+1} {:}{=} \frac{g_{0,i} - g_{1,i}}{\alpha _0 - \alpha _1}, \quad \bar{f}_{2i} {:}{=} \frac{\alpha _1g_{0,i} - \alpha _0 g_{1,i}}{\alpha _1 - \alpha _0} \end{aligned}$$
(10)

and similarly

$$\begin{aligned} \bar{{\textbf {s}} }_{2i+1} {:}{=} \frac{{\textbf {z}} _{0,i} - {\textbf {z}} _{1,i}}{\alpha _0 - \alpha _1}, \quad \bar{{\textbf {s}} }_{2i} {:}{=} \frac{\alpha _1{\textbf {z}} _{0,i} - \alpha _0 {\textbf {z}} _{1,i}}{\alpha _1 - \alpha _0} \hspace{5.0pt}. \end{aligned}$$

Denote \(\textbf{2} {:}{=} (2,\ldots ,2) \in \mathcal {R}_q^{d+1}\). We claim that

$$\begin{aligned} \left( ({\textbf {A}} ,{\textbf {W}} ,{\textbf {T}} ),\left( {\textbf {t}} ,u,z\right) ,\left( \bar{f},(\bar{{\textbf {s}} }_i)_{i\in [0,d]},\textbf{2}\right) \right) \in \tilde{\textsf{R}}_{d,2N\beta ',2} \hspace{5.0pt}. \end{aligned}$$

Let us start with proving correctness of the relaxed opening. By careful inspection:

$$\begin{aligned} {\textbf {A}} \bar{{\textbf {s}} }_{2i+1} + \bar{f}_{2i+1} {\textbf {e}} _1&= \frac{1}{\alpha _0 - \alpha _1} \left( ({\textbf {A}} {\textbf {z}} _{0,i} + g_{0,i}{\textbf {e}} _1) - ({\textbf {A}} {\textbf {z}} _{1,i} + g_{1,i}{\textbf {e}} _1)\right) \\&= \frac{{\textbf {W}} ^{-2i}}{\alpha _0 - \alpha _1} \left( ({\textbf {I}} _n + \alpha _0{\textbf {W}} ^{-1}){\textbf {t}} - ({\textbf {I}} _n + \alpha _1{\textbf {W}} ^{-1}){\textbf {t}} \right) \\&= {\textbf {W}} ^{-(2i+1)}{\textbf {t}} \end{aligned}$$

and similarly \({\textbf {A}} \bar{{\textbf {s}} }_{2i} + \bar{f}_{2i} {\textbf {e}} _1 = {\textbf {W}} ^{-2i}{\textbf {t}} \). As for shortness, we use the result from [19] which says that \(\Vert \frac{2}{\alpha _0 - \alpha _1}\Vert _\infty = 1\) for any distinct \(\alpha _0,\alpha _1 \in \{ X^i : i \in \mathbb {Z}\}\). Thus, for any \(i \in [0,d']\) we have

$$\begin{aligned} \Vert 2 \cdot \bar{{\textbf {s}} }_{2i+1}\Vert \le \left\| \frac{2}{\alpha _0 - \alpha _1} \cdot ({\textbf {z}} _{0,i} - {\textbf {z}} _{1,i}) \right\| \le \left\| \frac{2}{\alpha _0 - \alpha _1} \right\| _1 \cdot \left\| {\textbf {z}} _{0,i} - {\textbf {z}} _{1,i} \right\| \le 2N\beta ' \end{aligned}$$

and similarly

$$\begin{aligned} \Vert 2 \cdot \bar{{\textbf {s}} }_{2i}\Vert \le \left\| \frac{2}{\alpha _1 - \alpha _0} \cdot (\alpha _1{\textbf {z}} _{0,i} - \alpha _0{\textbf {z}} _{1,i}) \right\| \le \left\| \frac{2}{\alpha _1 - \alpha _0} \right\| _1 \cdot \left\| \alpha _1{\textbf {z}} _{0,i} - \alpha _0{\textbf {z}} _{1,i} \right\| \le 2N\beta '. \end{aligned}$$

Finally, we need to prove that the extracted polynomial \(\bar{f}\) satisfies \(\bar{f}(u) = z\). From the verification equations we know that \(g_0(u^2) = z_1 + \alpha _0 z_2\) and \(g_1(u^2) = z_1 + \alpha _1 z_2\). Hence,

$$\begin{aligned} \bar{f}(u)&= \sum ^{d'}_{i=0} \bar{f}_{2i} u^{2i} + \sum ^{d'}_{i=0} \bar{f}_{2i+1} u^{2i+1} \\&=\sum ^{d'}_{i=0}\frac{\alpha _1g_{0,i} - \alpha _0g_{1,i}}{\alpha _1 - \alpha _0} \cdot u^{2i} + \sum ^{d'}_{i=0} \frac{g_{0,i} - g_{1,i}}{\alpha _0 - \alpha _1} \cdot u^{2i+1} \\ {}&= \frac{\alpha _1g_0(u^2) - \alpha _0g_1(u^2)}{\alpha _1 - \alpha _0} + \frac{g_0(u^2) - g_1(u^2)}{\alpha _0 - \alpha _1} \cdot u \\&= z_1 + uz_2 \\&= z \end{aligned}$$

which concludes the proof of the claim.

An almost identical strategy can be applied to our recursive protocol when given a general \((2,\ldots ,2)\)-tree of transcripts [8]. In this case, we can extract a relaxed opening \((\bar{f},(\bar{{\textbf {s}} }_i)_{i \in [0,d]}, \mathbf {2^h})\) to the commitment \({\textbf {t}} \) which satisfies

$$\begin{aligned} \left( ({\textbf {A}} ,{\textbf {W}} ,{\textbf {T}} ),\left( {\textbf {t}} ,u,z\right) ,\left( \bar{f},(\bar{{\textbf {s}} }_i)_{i\in [0,d]},\mathbf {2^h}\right) \right) \in \tilde{\textsf{R}}_{d,(2N)^h\beta ',2^h} \end{aligned}$$

where \(\beta ' {:}{=} 2^h\beta \) and \(\mathbf {2^h} {:}{=} (2^h,\ldots ,2^h)\). In terms of performance, the communication complexity and the verifier runtime (in terms of operations in \(\mathcal {R}_q\)) are \(O(\log d)\).

Using the knowledge soundness result from [8], we deduce that the soundness error for our protocol is \(h/|\mathcal {C}| = h/(2N)\). Since \(N = \textsf {poly} (\lambda )\), we only manage to obtain an inverse-polynomial soundness error. Even though this can be further reduced via parallel repetition in the interactive case [9], such amplification does not combine with the Fiat–Shamir transformation [10]. Our second construction circumvents this issue by achieving negligible soundness error in one-shot.

Construction 2: Large sampling set protocol. In this scenario, we define the challenge space as

$$\begin{aligned} \mathcal {C}{:}{=} \left\{ (\alpha _1,\ldots ,\alpha _k) : \forall i \in [k], \Vert \alpha _i\Vert _\infty \le \beta _\mathcal {C}\right\} \end{aligned}$$

for some suitable parameter \(\beta _\mathcal {C}\ge 1\). Hence, by construction \(\text {w}\le k\beta _\mathcal {C}N\).

One could naively adapt the strategy from Construction 1 to prove knowledge soundness of the \(\Sigma \)-protocol as follows. To begin with, we aim to extract k accepting transcripts with k pairwise distinct challenges \(\varvec{\alpha }_j \in \mathcal {C}\) for \(j=1,\ldots ,k\). Further, we compute the extracted polynomial f by inverting the \(k \times k\) matrix \({\textbf {C}} \), where the j-th row corresponds to the challenge \(\varvec{\alpha }_j\) in the j-th transcript. Unfortunately, this approach contains a few critical issues. Firstly, it is unclear whether the matrix \({\textbf {C}} \) is invertible. But even if it is, the resulting polynomial f may contain large coefficients, or in the context of relaxed openings, there might be no sufficiently short element \(v \in \mathcal {R}_q\) such that \(v \cdot f_i\) is short for all coefficients \(f_i\).

We propose an alternative approach which relies on a notion called coordinate-wise special soundness (CWSS). As in special soundness, it says that given \(k+1\) valid transcripts \(\textsf {tr} _j = (\textsf{a},\varvec{\alpha }_j,\textsf{z}_j) \text { for } j=0,1,\ldots ,k\), such that \(\varvec{\alpha }_0,\ldots ,\varvec{\alpha }_k \in \mathcal {C}\) satisfy a certain relation, one can extract the witness. The relation is defined as follows: for every \(j \in [k]\), the vectors \(\varvec{\alpha }_0 = (\alpha _{0,1},\ldots ,\alpha _{0,k})\) and \(\varvec{\alpha }_j = (\alpha _{j,1},\ldots ,\alpha _{j,k})\) differ exactly in the j-th coordinate, i.e. \(\forall i \in [k]\backslash \{j\}, \alpha _{j,i} = \alpha _{0,i}\) and \(\alpha _{j,j} \ne \alpha _{0,j}\) (see Fig. 2 for a visualisation). We prove that for multi-round protocols, CWSS implies knowledge soundness both in the interactive and in the non-interactive setting where the Fiat–Shamir transformation is applied.

Fig. 2

Visualisation of the notion of coordinate-wise special soundness (CWSS) for \(k=4\) coordinates. Here, \(\alpha ^\star _i \ne \alpha _i\) for all \(i \in [4]\)

In the following, we show that our \(\Sigma \)-protocol satisfies CWSS. Suppose we are given \(k+1\) valid transcripts

$$\begin{aligned} \textsf {tr} _j {:}{=} \left( (z_1,\ldots ,z_k), \varvec{\alpha }_j = (\alpha _{j,1},\ldots ,\alpha _{j,k}) , (g_j,({\textbf {z}} _{j,i})_{i \in [0,d']})\right) \quad \text {for } j=0,1,\ldots ,k \hspace{5.0pt}. \end{aligned}$$

Let us fix \(j \in [k]\) and consider the transcripts \(\textsf {tr} _0\) and \(\textsf {tr} _j\). From the verification equations we have for \(i=0,\ldots ,d'\):

$$\begin{aligned} {\textbf {A}} {\textbf {z}} _{0,i} + g_{0,i}{\textbf {e}} _1&= {\textbf {W}} ^{-ki}\left( \sum ^k_{t=1} \alpha _{0,t} {\textbf {W}} ^{-(t-1)}\right) {\textbf {t}} \\ {\textbf {A}} {\textbf {z}} _{j,i} + g_{j,i}{\textbf {e}} _1&= {\textbf {W}} ^{-ki}\left( \sum ^k_{t=1} \alpha _{j,t} {\textbf {W}} ^{-(t-1)}\right) {\textbf {t}} . \end{aligned}$$

Since \(\varvec{\alpha }_0\) and \(\varvec{\alpha }_j\) are the same in all coordinates apart from the j-th one, by subtracting the two equations we obtain

$$\begin{aligned} {\textbf {A}} ({\textbf {z}} _{0,i} - {\textbf {z}} _{j,i}) + (g_{0,i} - g_{j,i}){\textbf {e}} _1 = (\alpha _{0,j} - \alpha _{j,j}){\textbf {W}} ^{-(ki+j-1)}{\textbf {t}} \hspace{5.0pt}. \end{aligned}$$

Now, by choosing parameters \(q,N,\beta _\mathcal {C}\) appropriately, and using the result by Lyubashevsky and Seiler that short elements in \(\mathcal {R}_q\) are invertible [70], we deduce that \(\alpha _{0,j} - \alpha _{j,j} \in \mathcal {R}_q^\times \) and thus can define the extracted openings

$$\begin{aligned} \bar{{\textbf {s}} }_{ki+j-1} {:}{=} \frac{{\textbf {z}} _{0,i} -{\textbf {z}} _{j,i}}{\alpha _{0,j} - \alpha _{j,j}} \quad \text {and} \quad \bar{f}_{ki+j-1} {:}{=} \frac{g_{0,i} - g_{j,i}}{\alpha _{0,j} - \alpha _{j,j}} \end{aligned}$$

and the partial vector of relaxation factors \({\textbf {c}} _j {:}{=} (\alpha _{0,j}-\alpha _{j,j},\ldots ,\alpha _{0,j}-\alpha _{j,j}) \in \mathcal {R}_q^{d'+1}\). Then, by construction we have \({\textbf {A}} \bar{{\textbf {s}} }_{ki+j-1} + \bar{f}_{ki+j-1}{\textbf {e}} _1 = {\textbf {W}} ^{-(ki+j-1)}{\textbf {t}} \), and further

$$\begin{aligned} \Vert (\alpha _{0,j} - \alpha _{j,j}) \cdot \bar{{\textbf {s}} }_{ki+j-1}\Vert \le 2\text {w}\beta \quad \text {and} \quad \Vert \alpha _{0,j} - \alpha _{j,j}\Vert \le 2\beta _\mathcal {C}N \hspace{5.0pt}. \end{aligned}$$

From the other verification checks we similarly conclude that \(\sum ^{d'}_{i=0} \bar{f}_{ki+j-1}u^{ki} = z_j\).

Eventually, by running the argument above for \(j=1,2,\ldots ,k\), we reconstruct a polynomial \(\bar{f} \in \mathcal {R}_q^{\le d}[\textsf {X} ]\), along with \((\bar{{\textbf {s}} }_i)_{i \in [0,d]}\), and the vector \({\textbf {c}} {:}{=} ({\textbf {c}} _1,\ldots ,{\textbf {c}} _k)\) of relaxation factors so that

$$\begin{aligned} \left( ({\textbf {A}} ,{\textbf {W}} ,{\textbf {T}} ),\left( {\textbf {t}} ,u,z\right) ,\left( \bar{f},(\bar{{\textbf {s}} }_i)_{i\in [0,d]},{\textbf {c}} \right) \right) \in \tilde{\textsf{R}}_{d,2\text {w}\beta ,2\beta _\mathcal {C}N} \hspace{5.0pt}. \end{aligned}$$

In terms of security, we show that the knowledge soundness error of our \(\Sigma \)-protocol is bounded by \(k/(2\beta _\mathcal {C}+1)^N\), where \((2\beta _\mathcal {C}+1)^N\) is the number of all possible choices for a single coordinate in \(\mathcal {C}\). Consequently, by picking \(k,\beta _\mathcal {C}\ge 1\) and \(N=\textsf {poly} (\lambda )\) appropriately, we achieve negligible soundness error in one-shot.

This strategy can be further applied in our recursive protocol. That is, analogously as for special soundness, we first generalise the notion of coordinate-wise special soundness in the multi-round setting, and then prove that our protocol satisfies CWSS as above. By following the methodology from [8, 10], we obtain the knowledge soundness error equal to \(hk/(2\beta _\mathcal {C}+1)^N\), while the knowledge extractor runs the prover expected \((k+1)^h\) times, and outputs a relaxed opening \((\bar{f},(\bar{{\textbf {s}} }_i)_{i \in [0,d]},{\textbf {c}} )\) such that

$$\begin{aligned} \left( ({\textbf {A}} ,{\textbf {W}} ,{\textbf {T}} ),\left( {\textbf {t}} ,u,z\right) ,\left( \bar{f},(\bar{{\textbf {s}} }_i)_{i\in [0,d]},{\textbf {c}} \right) \right) \in \tilde{\textsf{R}}_{d,\gamma , \xi } \end{aligned}$$

where \(\gamma {:}{=} (2^h (2\beta _\mathcal {C}N)^{2^h - h - 1}\text {w}^h) \cdot \beta \) and \(\xi {:}{=} 2\beta _\mathcal {C}(2\beta _\mathcal {C}N)^{2^h -2}N\). We highlight that the norm blow-up is much larger here than in the monomial case due to certain technical differences. As a result, we cannot pick \(k=2\) and \(h = O(\log d)\), since then one would require \(\log q = O(d)\) for relaxed binding to hold (cf. Eq. (6)), thus making the proof size and verifier time polynomial in d. Instead, we instantiate the protocol by choosing \(k = O\left( d^{\frac{1}{\log \log d}}\right) \) and \(h = O(\log \log d)\). In this case, \(\log q = \textsf{polylog}(d)\), and the proof size and verifier complexity, in terms of operations over \(\mathcal {R}_q\), become \(O(d^{\frac{1}{\log \log d}}\log \log d) = d^{O(1/\log \log d)}\).
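To see why this choice of k and h keeps the modulus polylogarithmic, here is the calculation carried through with the parameters above (an added worked example, not part of the paper). Take \(h = \log \log d\) and \(k = d^{1/h}\), so that \(k^h = d\), \(2^h = \log d\) and \(\log k = \log d/\log \log d\). Using \(\text {w}\le k\beta _\mathcal {C}N\) and \(\log (2\beta _\mathcal {C}N) \ge 1\),

$$\begin{aligned} \log \gamma&= h + (2^h - h - 1)\log (2\beta _\mathcal {C}N) + h \log \text {w}+ \log \beta \\&\le \log d \cdot \log (2\beta _\mathcal {C}N) + \log d + \log \log d \cdot \log (\beta _\mathcal {C}N) + \log \beta \\&= O\left( \log d \cdot \log (\beta _\mathcal {C}N) + \log \beta \right) , \\ \log \xi&= \log (2\beta _\mathcal {C}) + (2^h - 2)\log (2\beta _\mathcal {C}N) + \log N = O\left( \log d \cdot \log (\beta _\mathcal {C}N)\right) . \end{aligned}$$

Since \(N,\beta _\mathcal {C},\beta = \textsf {poly} (\lambda )\), both quantities are \(O(\log d \cdot \log \lambda )\), so a modulus with \(\log q = \textsf{polylog}(d)\) suffices for relaxed binding. By contrast, \(k=2\) and \(h = \log d\) give \(2^h = d\) and hence \(\log \gamma \ge (d - \log d - 1)\log (2\beta _\mathcal {C}N)\), which is linear in d. With k ring elements per folding level and h levels, the former choice yields the stated \(O(kh) = O(d^{\frac{1}{\log \log d}}\log \log d)\) proof size.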

1.2.3 Polynomial Commitments over Finite Fields

Until now, we were focusing on polynomial commitments over the ring \(\mathcal {R}_q{:}{=} \mathbb {Z}_q[X]/ (X^N+1)\). Here, we sketch how to obtain a polynomial commitment over a finite field, which is required by Polynomial IOPs [31, 37] to compile into succinct arguments. The key ingredient that allows us to do this is the ability to commit to arbitrarily large elements in \(\mathcal {R}_q\).

Let \(l\) be a divisor of N with \(1 \le l \le N/2\). It is a well-known fact [70] that if \(q \equiv 2N/l +1 \pmod {4N/l}\), then \(X^N+1\) splits modulo q into N/l irreducible factors of degree l, and hence there exists a ring isomorphism \(\varphi \) from \(\mathbb {F}^{N/l}\) to \(\mathcal {R}_q\), where \(\mathbb {F}\) is a finite field of size \(q^l\) (our setting \(q \equiv 5 \pmod 8\) is the case \(N/l = 2\)). Thus, we define a map \(\varphi _\mathbb {F}: \mathbb {F}\rightarrow \mathcal {R}_q\) as \(x \mapsto \varphi (x,0,\ldots ,0)\), and denote the image of \(\varphi _\mathbb {F}\) as \(\mathcal {S}_q\). We will make use of the fact that \(\mathcal {S}_q\) is an ideal of \(\mathcal {R}_q\).

Suppose we want to commit to a polynomial \(F \in \mathbb {F}^{\le d}[\textsf {X} ]\) and prove that \(F(x) = y\) for \(x,y \in \mathbb {F}\). Using the homomorphic property of \(\varphi _\mathbb {F}\), it is easy to see that this is equivalent to proving \(f(u) = z\) over \(\mathcal {R}_q\), where \(f[\textsf {X} ] {:}{=} \sum ^d_{i=0} \varphi _\mathbb {F}(F_i)\textsf {X} ^i \in \mathcal {S}_q[\textsf {X} ]\), \(u = \varphi _\mathbb {F}(x) \in \mathcal {S}_q\) and \(z = \varphi _\mathbb {F}(y) \in \mathcal {S}_q\). Therefore, we commit to the polynomial \(f \in \mathcal {R}_q[\textsf {X} ]\) and prove that f evaluates to z at the point u, as before.

What we need to take care of is proving that all coefficients of f indeed lie in \(\mathcal {S}_q\). This allows us to extract the polynomial \(\bar{F} \in \mathbb {F}[\textsf {X} ]\) by taking the inverse of \(\varphi _\mathbb {F}\) coefficient-wise. Looking at our underlying \(\Sigma \)-protocol in Fig. 1, the additional proof comes without any change on the prover’s side, while the verifier also checks whether \(g \in \mathcal {S}_q[\textsf {X} ]\), which holds for an honest prover since \(\mathcal {S}_q\) is an ideal. To see why this modification is sufficient, consider the extraction strategy in Eq. (10). Since now \(g_{0,i}, g_{1,i} \in \mathcal {S}_q\), we again use the fact that \(\mathcal {S}_q\) is an ideal and conclude that \(\bar{f}_{2i+1} = (g_{0,i}-g_{1,i})/(\alpha _0 - \alpha _1)\) also lies in \(\mathcal {S}_q\). Identical reasoning applies to both Constructions 1 and 2.
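An added example (not from the paper) of the splitting used in this section, with the toy parameters \(N = 8\), \(l = 4\) (so \(N/l = 2\)) and \(q = 13 \equiv 5 \pmod 8\), which are assumptions for illustration. The script factors \(X^N+1\) as \(\prod _i (X^l - r_i)\) over the roots \(r_i^{N/l} = -1\), realises \(\varphi _\mathbb {F}\) through the CRT idempotent of the first slot, checks that \(\mathcal {S}_q\) is an ideal, and reproduces the extraction step: with \(g_0, g_1 \in \mathcal {S}_q\) and distinct monomial challenges, \((g_0 - g_1)/(\alpha _0 - \alpha _1)\) stays in \(\mathcal {S}_q\). The inverse of \(\alpha _0 - \alpha _1\) is computed slot-wise by Fermat's little theorem in \(\mathbb {F}_{q^l}\), a generic method chosen for the example rather than anything the paper prescribes; the function names and the sample coefficients are ours.

```python
import random

N, l, q = 8, 4, 13            # assumed toy parameters: d = N/l = 2, q = 2d+1 (mod 4d)
d = N // l
assert q % (4 * d) == 2 * d + 1

def mul_q(u, v):
    """Product in R_q = Z_q[X]/(X^N + 1)."""
    out = [0] * N
    for i, ui in enumerate(u):
        for j, vj in enumerate(v):
            if i + j < N:
                out[i + j] = (out[i + j] + ui * vj) % q
            else:
                out[i + j - N] = (out[i + j - N] - ui * vj) % q   # X^N = -1
    return out

# X^N + 1 = prod_i (X^l - r_i) mod q, where the r_i are the d elements with r_i^d = -1.
ROOTS = [r for r in range(1, q) if pow(r, d, q) == q - 1]
assert len(ROOTS) == d

def slot(f, r):
    """f mod (X^l - r): fold X^(a*l+b) -> r^a X^b, i.e. project onto F_{q^l}."""
    out = [0] * l
    for idx, c in enumerate(f):
        a, b = divmod(idx, l)
        out[b] = (out[b] + c * pow(r, a, q)) % q
    return out

def lift(s):
    return list(s) + [0] * (N - len(s))      # read low coefficients as an R_q element

def in_S(f):
    """S_q = image of phi_F: the elements whose slots 2, ..., d are all zero."""
    return all(slot(f, r) == [0] * l for r in ROOTS[1:])

def idempotent(i):
    """e_i = prod_{j != i} (X^l - r_j)/(r_i - r_j): 1 in slot i and 0 in every other slot."""
    e = lift([1])
    for j, rj in enumerate(ROOTS):
        if j != i:
            factor = lift([(-rj) % q] + [0] * (l - 1) + [1])       # X^l - r_j
            inv = pow((ROOTS[i] - rj) % q, q - 2, q)
            e = mul_q(e, [(c * inv) % q for c in factor])
    return e

def phi_F(F):
    """phi_F(x) = phi(x, 0, ..., 0): place F (degree < l) into the first slot only."""
    return mul_q(idempotent(0), lift(F))

def slot_pow(s, e, r):
    """s^e in F_{q^l} = Z_q[X]/(X^l - r): multiply in R_q, then reduce with slot()."""
    acc, base = [1] + [0] * (l - 1), list(s)
    while e:
        if e & 1:
            acc = slot(mul_q(lift(acc), lift(base)), r)
        base = slot(mul_q(lift(base), lift(base)), r)
        e >>= 1
    return acc

def inverse(a):
    """Inverse of a unit of R_q: invert each slot by Fermat in F_{q^l}, recombine via CRT."""
    out = [0] * N
    for i, r in enumerate(ROOTS):
        s = slot(a, r)
        assert s != [0] * l, "not a unit: some slot is zero"
        part = mul_q(idempotent(i), lift(slot_pow(s, q ** l - 2, r)))
        out = [(x + y) % q for x, y in zip(out, part)]
    return out

def crt_ok():
    """Idempotents sum to 1, and phi_F lands in S_q with the right first slot."""
    total = [0] * N
    for i in range(d):
        total = [(x + y) % q for x, y in zip(total, idempotent(i))]
    F = [3, 1, 4, 1]                                   # constructed sample field element
    return total == lift([1]) and slot(phi_F(F), ROOTS[0]) == F and in_S(phi_F(F))

def ideal_ok(trials=50, seed=1):
    """S_q is an ideal: an R_q multiple of an element of S_q stays in S_q."""
    rng = random.Random(seed)
    for _ in range(trials):
        s = phi_F([rng.randrange(q) for _ in range(l)])
        a = [rng.randrange(q) for _ in range(N)]
        if not in_S(mul_q(a, s)):
            return False
    return True

def extraction_stays_in_S(seed=2):
    """g0, g1 in S_q and challenges X^3, X^9 (X^9 = -X): (g0 - g1)/(X^3 - X^9) lies in S_q."""
    rng = random.Random(seed)
    g0 = phi_F([rng.randrange(q) for _ in range(l)])
    g1 = phi_F([rng.randrange(q) for _ in range(l)])
    diff_g = [(x - y) % q for x, y in zip(g0, g1)]
    diff_a = lift([0, 1, 0, 1])                         # X^3 - X^9 = X^3 + X in R_q
    f_bar = mul_q(diff_g, inverse(diff_a))
    assert mul_q(f_bar, diff_a) == diff_g               # the division is exact in R_q
    return in_S(f_bar)
```

The membership test `in_S` is exactly the extra verifier check of this section: reducing g modulo the other \(N/l - 1\) factors costs a handful of additions per coefficient, which is why the check is cheap relative to the rest of verification. Note that `inverse` relies on every slot of its input being non-zero; for a difference of two distinct monomials that is always the case, which is the invertibility the extraction needs.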

1.3 Related Works

The first lattice-based interactive proof with sublinear communication complexity for arithmetic \(\ell \)-gate circuit satisfiability was formally proposed by Baum et al. [14], where the authors achieve \(O(\sqrt{\ell })\) size proofs.

The construction was later generalised by Bootle et al. [26] who define so-called “levelled commitments” and give \(O(\ell ^{1/k})\) size proofs for proving knowledge of a commitment opening with \(k = O(1)\) levels. The main drawback of the scheme is that the modulus for the proof system increases exponentially in k and thus considering more than 2-3 levels seems impractical. Recently, Nguyen and Seiler [75] combined the square-root approach from [14] with the CRT-packing technique from [44] to obtain a practically efficient square-root NIZK, with 6MB proofs for circuits of size \(\ell =2^{20}\).

Bootle et al. [26] also proposed the first lattice adaptation of the Bulletproofs protocol [22, 30] over polynomial rings \(\mathcal {R}_q= \mathbb {Z}_q[X]/(X^N+1)\) which offers \(\text {polylog}(\ell )\) proof sizes. This approach was later improved independently by Attema et al. [8] and Albrecht and Lai [5] in terms of tighter soundness analysis, and also generalised to a more abstract setting by Bootle et al. [24]. While the split-and-fold strategy from Bulletproofs is very attractive in the discrete logarithm setting and keeps asymptotic efficiency in the lattice scenario, it does not mix well with the shortness condition required in lattice-based cryptography. Consequently, this leads to a concrete blow-up of the parameters as well as the proof size. Roughly speaking, for the knowledge soundness argument it must be possible to invert the folding in the extraction such that the extracted solution vector is still short. To this end, one needs the challenge space of the underlying compressed \(\Sigma \)-protocol to have the property that (a scaled) inverse of a difference of any two distinct challenges is still short; such sets are called subtractive. Hence, Bootle et al. [26] picked the challenge space to consist of monomial challenges \(\mathcal {C}{:}{=} \{ X^i : i \in \mathbb {Z}\} \subseteq \mathcal {R}_q\), which is indeed subtractive as shown in [19]. Since the \(\Sigma \)-protocol is 3-special sound, the norm of the extracted solution vector grows by a factor of \(O(N^3)\) for every level of folding. Then, the parameters must be chosen such that Module-SIS is hard with respect to the norm of the extracted solution vector, resulting in the need for a huge modulus q. Note that a similar issue occurs in our Construction 1 (cf. Sect. 5.2). However, since our underlying compressed \(\Sigma \)-protocol is only 2-special sound, the norm of the extracted vector grows only by a factor of O(N) for each folding level (but at the price of having a trusted setup).

In addition to the norm growth of the extracted witness, the restriction on the challenges has a negative impact on the soundness error. Indeed, since the challenge space \(\mathcal {C}\) in [26] has size 2N, the soundness error becomes only \(1/\textsf {poly} (\lambda )\). Furthermore, it was proven by Albrecht and Lai [5] that all subtractive sets over \(\mathcal {R}_q\) have size O(N). This becomes problematic especially in the non-interactive setting due to the result by Attema et al. [10], who showed that the Fiat–Shamir transformation of a parallel repetition of special sound protocols does not necessarily decrease the soundness error. A promising solution to circumvent this limitation was recently proposed by Bünz and Fisch [32], who suggested a new knowledge extraction strategy, i.e. the notion of almost special soundness, which does not require subtractive sets. Instead, the challenges are picked from the exponential-sized set of integers \([0,2^{\lambda -1})\). Unfortunately, the former issue with the norm growth for each folding level is still present in [32].

Recently, Beullens and Seiler [20] showed that by combining a split-and-fold approach with algebraic techniques introduced in linear-sized lattice-based NIZKs [68], it is possible to achieve negligible soundness error whilst controlling the norm growth. This is evidenced with impressive 50KB proofs for circuits of size \(\ell =2^{20}\).

A major downside of all the aforementioned works is a linear verification time, which can be the main efficiency bottleneck when proving satisfiability of large circuits. Until now, the only lattice-based publicly verifiable succinct argument of knowledge with efficient verification (excluding the preprocessing step) was proposed by Albrecht et al. [3]. The construction is obtained as a direct application of functional commitments [64] and soundness holds under a knowledge assumption. However, similar to our scheme, a trusted setup is required, and more importantly, the prover algorithm runs in time \(O(\ell ^4\log \ell )\) which makes it unappealing to implement in practice. Even more worryingly, the underlying assumption has recently been (at least morally) broken [82].

Prior to [3], all lattice-based zk-SNARKs were in the designated-verifier setting [49, 55, 81]. The constructions use the Linear-PCP compiler [21] to transform into succinct arguments. Notably, the most recent work by Steinfeld et al. [81] achieves proofs of size 6KB for \(\ell = 2^{20}\) constraints at the cost of a very large \(\textsf {crs} \) (in the order of tens of gigabytes).

Naturally, there is a line of research focusing on the security of lattice-based zero-knowledge proofs against quantum adversaries [41, 59, 60]. Particularly, Lai et al. [60] show that any multi-round protocol, which satisfies special soundness and collapsing, is knowledge sound in the post-quantum setting. As a special case, they demonstrate that the lattice Bulletproofs protocol [26] is knowledge sound against quantum provers. Since our constructions not only satisfy (coordinate-wise) special soundness but also follow the split-and-fold strategy from [26], we believe that the general result from [60] can be adapted to our setting.

Interestingly, lattice assumptions are not only used to build lattice-based commitments, but also to construct non-interactive arguments in the standard model, i.e. without the random oracle. For instance, there is a line of works [33, 53, 54] which focuses on instantiating the Fiat–Shamir transformation with a correlation intractable hash function [34], that itself can be built from the Learning with Errors (LWE) problem [53]. Following this template, Choudhuri, Jain and Jin [38] built a SNARG for languages in P based only on the LWE problem with polynomial modulus. Moreover, the LWE assumption can be used to construct non-interactive succinct (and batched) arguments without the Fiat–Shamir transformation, but via somewhere extractable hash functions [40, 57]. We believe that, since they rely on stronger assumptions, constructions in the random oracle model should naturally perform much better in terms of concrete efficiency.

1.4 Concurrent and Subsequent Works

Recently, Bootle et al. [25] and Cini et al. [39] independently proposed variants of the lattice Bulletproofs protocol that achieve polylogarithmic verification time. The former work proposes a new delegation algorithm inspired by [62], which requires an additional pre-processing step. The latter one introduces more (power-like) structure on the Ajtai commitment [2] which allows for fast verification, at the cost of relying on a new assumption called Vanishing-SIS (vSIS). We note that there is a close similarity between vSIS and \(\textsf{PRISIS}\), and we leave the concrete relationship between the two for future work. Nevertheless, both of the aforementioned works inherit the issue from the original construction [26] that the soundness error is non-negligible and parallel repetitions are required.

Fisch et al. [47] recently presented a polynomial commitment scheme, as an application of their linear functional commitment. Following the work of [3], the construction relies on the knowledge k-M-ISIS assumption, which appears to be morally invalidated in [82].

As a subsequent work, Albrecht et al. [4] proposed a new polynomial commitment scheme with polylogarithmic communication and verification complexity under standard assumptions. To this end, the authors construct a new commitment scheme that combines our \(\textsf {PowerBASIS} \) construction together with the Merkle tree paradigm. Consequently, the committing runtime becomes quasilinear in the length of the message, while the size of the \(\textsf {crs} \) shrinks to only polylogarithmic. The binding property of the commitment relies on a “multi-instance” version of the \(\textsf{PRISIS}\) assumption. Finally, using the exact strategy from Lemma 3.7, security of the aforementioned assumption is further reduced to Module-SIS.

2 Preliminaries

Notation. We denote the security parameter by \(\lambda \), which is implicitly given to all algorithms unless specified otherwise. Further, we write \(\textsf {negl} (\lambda )\) (resp. \(\textsf {poly} (\lambda )\)) to denote an unspecified negligible function (resp. polynomial) in \(\lambda \). In this work, we implicitly assume that the vast majority of the key parameters, e.g. the ring dimension, and the dimensions of matrices and vectors, are \(\textsf {poly} (\lambda )\). However, the modulus used in this work may be super-polynomial in \(\lambda \).

For \(a, b \in \mathbb {N}\) with \(a < b\), write \([a, b] {:}{=} \{ a, a+1, \dots , b \}, [a] {:}{=} [1, a]\). For \(q \in \mathbb {N}\) write \(\mathbb {Z}_q\) for the integers modulo q. We denote vectors with lowercase boldface (i.e. \({\textbf {u}} , {\textbf {v}} \)) and matrices with uppercase boldface (i.e. \({\textbf {A}} , {\textbf {B}} \)). For a vector \({\textbf {x}} \) we write \(x_i\) or \({\textbf {x}} [i]\) for its i-th entry.

Norms. We define the \(\ell _p\) norm on \(\mathbb {C}^n\) as \(\left\| {\textbf {x}} \right\| _p = \left( \sum _i |x_i|^p\right) ^{1/p}\) for \(p < \infty \) and \(\left\Vert {{\textbf {x}} }\right\Vert _\infty {:}{=} \max _i |x_i|\). Unless otherwise specified, we use \(\left\| \cdot \right\| \) for the \(\ell _2\) norm. We let the norm of a matrix be defined as the norm taken over the concatenation of columns of the matrix.

Linear algebra. We let \({\textbf {e}} _i\) be the vector with 1 in its i-th entry, 0 everywhere else. For \({\textbf {B}} \in \mathbb {R}^{n \times m}\) we let \(s_1({\textbf {B}} ) = \sup \{ \left\| {\textbf {B}} {\textbf {v}} \right\| : {\textbf {v}} \in \mathbb {R}^m \wedge \left\| {\textbf {v}} \right\| = 1 \}\) be the spectral norm of \({\textbf {B}} \). We also denote by \(\tilde{{\textbf {B}} }\) the Gram-Schmidt orthogonalization of \({\textbf {B}} \) (the columns are made orthogonal but not normalised). The Gram-Schmidt norm of \({\textbf {B}} \) is defined as

$$\begin{aligned} \Vert \tilde{{\textbf {B}} } \Vert {:}{=} \max _{i \in [m]} \Vert \tilde{{\textbf {b}} }_i\Vert \end{aligned}$$

where \(\tilde{{\textbf {b}} }_i\) is the i-th column of \(\tilde{{\textbf {B}} }\).

For a ring R, we define \(\textsf {GL} (n,R)\) to be the group of \(n\times n\) invertible matrices over R.

2.1 Lattices

A subset \(\Lambda \subseteq \mathbb {R}^m\) is a lattice if the following conditions hold:

  • \(\textbf{0}\in \Lambda \), and for \({\textbf {x}} , {\textbf {y}} \in \Lambda \), \({\textbf {x}} + {\textbf {y}} \in \Lambda \).

  • For every \({\textbf {x}} \in \Lambda \), there exists \(\epsilon > 0\) such that \(\{ {\textbf {y}} \in \mathbb {R}^m : \left\| {\textbf {x}} - {\textbf {y}} \right\| < \epsilon \} \cap \Lambda = \{ {\textbf {x}} \}\).

We say \({\textbf {B}} \in \mathbb {R}^{m \times k}\) is a basis for \(\Lambda \) if its columns are linearly independent and \(\Lambda = \mathcal {L}({\textbf {B}} ) {:}{=} \{ {\textbf {B}} {\textbf {z}} : {\textbf {z}} \in \mathbb {Z}^k \}\). If \(k = m\) then we say that \(\Lambda \) is full-rank. The linear span (as a vector space) of a basis of \(\Lambda \) is called the span of the lattice and is denoted \(\text {Span}(\Lambda )\). We also let \(\Lambda ^*\) be the dual lattice defined as \(\Lambda ^* = \{ {\textbf {w}} \in \text {Span}(\Lambda ) : \langle \Lambda , {\textbf {w}} \rangle \subseteq \mathbb {Z}\}\). If \(\Lambda \subseteq \mathbb {Z}^m\), we call it an integral lattice. For I an ideal of \(\mathbb {R}^m\), we let \(I \cdot \Lambda = \{ i \cdot {\textbf {x}} : i \in I, {\textbf {x}} \in \Lambda \}\), which is also a lattice. For a lattice \(\Lambda \) we denote

$$\begin{aligned} \lambda _1(\Lambda ) {:}{=} \min _{0 \ne {\textbf {x}} \in \Lambda } \left\| {\textbf {x}} \right\| \quad \text {and} \quad \lambda _1^\infty (\Lambda ) {:}{=} \min _{0 \ne {\textbf {x}} \in \Lambda } \left\Vert {{\textbf {x}} }\right\Vert _\infty \hspace{5.0pt}. \end{aligned}$$

For \({\textbf {t}} \in \text {Span}(\Lambda )\), we also define the shifted lattice \({\textbf {t}} + \Lambda {:}{=} \{ {\textbf {t}} + {\textbf {x}} : {\textbf {x}} \in \Lambda \}\). We also consider q-ary lattices, namely those with \(q\mathbb {Z}^m \subseteq \Lambda \). For an arbitrary \({\textbf {A}} \in \mathbb {Z}_q^{n \times m}\) we define the full-rank q-ary lattices

$$\begin{aligned} \Lambda ^\perp ({\textbf {A}} )&= \{ {\textbf {z}} \in \mathbb {Z}^m : {\textbf {A}} {\textbf {z}} = 0 \pmod q \} \\ \Lambda ({\textbf {A}} )&= \{ {\textbf {z}} \in \mathbb {Z}^m : \exists {\textbf {s}} \in \mathbb {Z}_q^n, {\textbf {A}} ^\top {\textbf {s}} = {\textbf {z}} \pmod q \} \end{aligned}$$

For any \({\textbf {u}} \in \mathbb {Z}_q^n\) such that there exists \({\textbf {x}} \) with \({\textbf {A}} {\textbf {x}} = {\textbf {u}} \), we define \(\Lambda ^\perp _{{\textbf {u}} }({\textbf {A}} ) {:}{=} \{ {\textbf {z}} \in \mathbb {Z}^m : {\textbf {A}} {\textbf {z}} = {\textbf {u}} \pmod q \} = \Lambda ^\perp ({\textbf {A}} ) + {\textbf {x}} \).

2.2 Power-of-Two Cyclotomic Rings

Let N be a power-of-two and \(\mathcal {K}= \mathbb {Q}[X]/(X^N+1)\) be the 2N-th cyclotomic field. Denote \(\mathcal {R}=\mathbb {Z}[X]/(X^{N}+1)\) to be the ring of integers of \(\mathcal {K}\). For an odd prime q, we write \(\mathcal {R}_q{:}{=} \mathcal {R}/(q)\). We denote \(\mathcal {R}_q^\times \) to be the set of invertible elements in \(\mathcal {R}_q\).

We recall the following well-known inequality, which allows us to bound norms of products in the ring \(\mathcal {R}\).

Lemma 2.1

Let \(u,v \in \mathcal {R}\). Then \(\Vert uv\Vert \le \Vert u\Vert _1 \cdot \Vert v\Vert \).

Proof

Let \(u {:=} u_0 + u_1X +\cdots + u_{N-1}X^{N-1} \in \mathcal {R}\). Then, by the triangle inequality we get

$$\begin{aligned} \Vert uv\Vert \le \sum ^{N-1}_{i=0} \Vert u_iv \cdot X^i \Vert = \sum ^{N-1}_{i=0} \Vert u_iv \Vert = \sum ^{N-1}_{i=0} | u_i| \cdot \Vert v\Vert = \Vert u\Vert _1 \cdot \Vert v\Vert \hspace{5.0pt}. \end{aligned}$$

\(\square \)

Coefficient embedding . For \(x \in \mathcal {K}\), we can consider the additive group isomorphism

$$\begin{aligned} \textsf {vec} : \mathcal {K}&\rightarrow \mathbb {Q}^N \\ a_0 + a_1 X + \cdots + a_{N-1} X^{N-1}&\mapsto (a_0, \dots , a_{N-1})^\top \end{aligned}$$

and we refer to this as the coefficient embedding of \(\mathcal {K}\). Note that, for \(f, g \in \mathcal {K}\), \(\langle f, g \rangle = \langle \textsf {vec} (f), \textsf {vec} (g) \rangle \) and thus \(\left\| \textsf {vec} (f)\right\| = \left\| f\right\| \). Furthermore, \(\textsf {vec} \) restricts to isomorphisms \(\mathcal {R}\cong \mathbb {Z}^N\) and \(\mathcal {R}_q\cong \mathbb {Z}_q^N\). We also extend this to a mapping \(\mathcal {K}^m \rightarrow \mathbb {Q}^{mN}\) by applying it component-wise. For \(f \in \mathcal {K}\), we let

$$\begin{aligned} \textsf {rot} (f) {:}{=} (\textsf {vec} (f), \textsf {vec} (X \cdot f), \dots , \textsf {vec} (X^{N-1} \cdot f)) \in \mathbb {Q}^{N \times N}\hspace{5.0pt}, \end{aligned}$$

noting that \(\textsf {rot} (f) \textsf {vec} (g) = \textsf {vec} (f g)\) and \(\textsf {rot} (f) \textsf {rot} (g) = \textsf {rot} (f g)\). We extend this to matrices \({\textbf {B}} \in \mathcal {K}^{m \times n}\) by writing

$$\begin{aligned} \textsf {rot} ({\textbf {B}} ) {:}{=} \begin{bmatrix} \textsf {rot} (b_{1,1}) &{} \dots &{} \textsf {rot} (b_{1, n}) \\ \vdots &{} \ddots &{} \vdots \\ \textsf {rot} (b_{m,1}) &{} \dots &{} \textsf {rot} (b_{m, n}) \\ \end{bmatrix} \in \mathbb {Q}^{mN \times nN} \hspace{5.0pt}. \end{aligned}$$

Module lattices. For \({\textbf {A}} \in \mathcal {R}_q^{n \times m}\), \({\textbf {x}} \in \mathcal {R}_q^{m}\), \({\textbf {u}} = {\textbf {A}} {\textbf {x}} \), define

$$\begin{aligned} \Lambda ^\perp ({\textbf {A}} )&{:}{=} \{ {\textbf {z}} \in \mathcal {R}^m : {\textbf {A}} {\textbf {z}} = \textbf{0} \bmod q \} \\ \Lambda _{\textbf {u}} ^\perp ({\textbf {A}} )&{:}{=} \{ {\textbf {z}} \in \mathcal {R}^m : {\textbf {A}} {\textbf {z}} = {\textbf {u}} \bmod q \} = \Lambda ^\perp ({\textbf {A}} ) + {\textbf {x}} \hspace{5.0pt}. \\ \end{aligned}$$

Then, \(\Lambda ^\perp ({\textbf {A}} ) = \textsf {vec} ^{-1}(\Lambda ^\perp (\textsf {rot} ({\textbf {A}} )))\) and \(\Lambda _{\textbf {u}} ^\perp ({\textbf {A}} ) = \textsf {vec} ^{-1}(\Lambda _{\textsf {vec} ({\textbf {u}} )}^\perp (\textsf {rot} ({\textbf {A}} )))\).

Spectral norm. Let \(s_1({\textbf {R}} ) {:}{=} \sup \{ \left\| {\textbf {R}} {\textbf {v}} \right\| : {\textbf {v}} \in \mathcal {K}^{w} \wedge \left\| {\textbf {v}} \right\| = 1\}\) be the spectral norm of \({\textbf {R}} \in \mathcal {R}^{m \times w}\). Clearly, \(s_1(\textsf {rot} ({\textbf {R}} )) = s_1({\textbf {R}} )\), where the spectral norm of the left-hand side is over \(\mathbb {R}\). Here, we recall a simple bound.

Lemma 2.2

Let \({\textbf {R}} \in \mathcal {R}_q^{m \times t}\). Then \(s_1({\textbf {R}} ) \le \sqrt{N} \cdot \left\| {\textbf {R}} \right\| \).

Proof

Let \({\textbf {r}} _1, \dots , {\textbf {r}} _m\) be the rows of \({\textbf {R}} \), and let \({\textbf {u}} = (u_1,\ldots ,u_t)\) with \(\left\| {\textbf {u}} \right\| = 1\). By the triangle inequality, the bound \(\Vert ab\Vert \le \Vert a\Vert _1 \cdot \Vert b\Vert \le \sqrt{N} \Vert a\Vert \cdot \Vert b\Vert \) from Lemma 2.1, and the Cauchy–Schwarz inequality, we have

$$\begin{aligned} \left\| \langle {\textbf {r}} _i, {\textbf {u}} \rangle \right\| ^2 \le \left( \sum _{j \in [t]} \Vert r_{i,j}u_j\Vert \right) ^2 \le N\left( \sum _{j \in [t]} \Vert r_{i,j}\Vert \cdot \Vert u_j\Vert \right) ^2 \le N \Vert {\textbf {r}} _i\Vert ^2 \cdot \Vert {\textbf {u}} \Vert ^2 \le N \Vert {\textbf {r}} _i\Vert ^2\hspace{5.0pt}. \end{aligned}$$

Thus, \(\Vert {\textbf {R}} {\textbf {u}} \Vert ^2 \le N\Vert {\textbf {R}} \Vert ^2\) which concludes the proof. \(\square \)

In this work we will work with \(q \equiv 5 \pmod 8\). In this setting, the probability that a uniformly random matrix is full-rank is overwhelming.

Lemma 2.3

(Appendix C.3 of [29]). Let \(q \equiv 5 \pmod 8\) be prime, \(N = O(\lambda )\) and \(m \ge n \ge 1\). Then, for a uniformly random matrix \({\textbf {A}} \leftarrow \mathcal {R}_q^{n \times m}\), the probability that \({\textbf {A}} \) is not full-rank is \(\textsf {negl} (\lambda )\).

2.3 Discrete Gaussian Distributions

Let \(\sigma > 0\) be a parameter and \(\Lambda \) be an m-dimensional lattice. We then define the discrete Gaussian distribution \(\mathcal {D}_{\sigma , {\textbf {c}} , \Lambda }\) over a lattice coset \({\textbf {c}} + \Lambda \) as follows.

$$\begin{aligned} \rho _{\sigma , {\textbf {c}} }({\textbf {z}} ) {:}{=} \exp \left( - \frac{\pi \left\| {\textbf {z}} - {\textbf {c}} \right\| ^2}{\sigma ^2} \right) \text { and } \mathcal {D}_{\sigma , {\textbf {c}} , \Lambda }({\textbf {z}} ) {:}{=} \frac{\rho _{\sigma , {\textbf {c}} }({\textbf {z}} )}{\sum _{{\textbf {x}} \in \Lambda } \rho _{\sigma , {\textbf {c}} }({\textbf {x}} )} \hspace{5.0pt}. \end{aligned}$$

When \({\textbf {c}} = \textbf{0}\) or \(\Lambda = \mathbb {Z}^m\), we will omit it from the notation. We naturally extend this notion for lattices over the ring of integers \(\mathcal {R}\), and for matrices by sampling column-wise.

Smoothing parameter. The smoothing parameter \(\eta _\epsilon (\Lambda )\) of a lattice is the smallest \(s > 0\) such that \(\rho _{1/s}(\Lambda ^*) \le 1 + \epsilon \). Below we recall the standard upper-bounds on the smoothing parameter [50, 73].

Lemma 2.4

Let \(\Lambda \subseteq \mathbb {R}^m\) be a lattice, and let \(\epsilon > 0\). Then,

$$\begin{aligned} \eta _{\epsilon }(\Lambda ) \le \frac{1}{\lambda ^\infty _1(\Lambda ^*)} \cdot \sqrt{\frac{\ln (2m(1 + 1/\epsilon ))}{\pi }} \end{aligned}$$

and in fact, for every basis \({\textbf {B}} \) of \(\Lambda \),

$$\begin{aligned} \eta _{\epsilon }(\Lambda ) \le \tilde{\left\| {\textbf {B}} \right\| } \cdot \sqrt{\frac{\ln (2m(1 + 1/\epsilon ))}{\pi }} \hspace{5.0pt}. \end{aligned}$$

We also recall the bound from [50, Lemma 5.3] and [83, Lemma 2.5] for block-diagonal matrices. Here, we consider the ring setting, which is easily adapted from the aforementioned results.

Lemma 2.5

Let \(\ell , \delta > 1\) and suppose q is prime and \(m \ge 2n \log _\delta q\). Then, there exists a negligible function \(\varepsilon \) such that for all \({\textbf {A}} _2,\ldots ,{\textbf {A}} _\ell \in \mathcal {R}_q^{n \times m}\):

$$\begin{aligned} \Pr \left[ \eta _\varepsilon (\Lambda ^\perp (\textsf{diag} ({\textbf {A}} _1,{\textbf {A}} _2,\ldots ,{\textbf {A}} _\ell )) \le \delta \cdot \log (\ell m N) : {\textbf {A}} _1 \leftarrow \mathcal {R}_q^{n \times m } \right] \ge 1 - q^{-nN} \hspace{5.0pt}. \end{aligned}$$

Further, we recall the regularity lemma from [69].

Lemma 2.6

(Regularity Lemma). Let \(q \equiv 5 \pmod 8\) be a prime, \(N = \textsf {poly} (\lambda )\) and \(m, n\) be positive integers such that \(\textsf {poly} (\lambda )\ge m \ge n \). Take \(\mathfrak {s}> 2N \cdot q^{n/m + 2/(Nm)}\). Then, the following distributions are statistically close:

$$\begin{aligned} \left\{ ({\textbf {A}} , {\textbf {A}} {\textbf {x}} ) \Bigg | \begin{matrix} {\textbf {A}} \leftarrow \mathcal {R}_q^{n \times m} \\ {\textbf {x}} \leftarrow \mathcal {D}^{mN}_\mathfrak {s}\\ \end{matrix} \right\} \text { and } \left\{ ({\textbf {A}} ,{\textbf {u}} ) \Bigg | \begin{matrix} {\textbf {A}} \leftarrow \mathcal {R}_q^{n \times m} \\ {\textbf {u}} \leftarrow \mathcal {R}_q^n \end{matrix} \right\} \hspace{5.0pt}. \end{aligned}$$

This is slightly modified from the original result in [69, Corollary 7.5] and [29, Lemma 4.2] in the sense that \({\textbf {A}} \) might not be full-rank. However, Lemma 2.3 ensures that this event happens with negligible probability.

Tail bounds. When sampling over a sufficiently wide discrete Gaussian distribution, a small portion of the probability mass will be in the tail of the distribution, and thus with overwhelming probability the sampled lattice elements will have short norm. The following lemma from [73] formalises this intuition.

Lemma 2.7

For any \(0< \epsilon < 1\), lattice \(\Lambda \subseteq \mathbb {R}^m\), center \({\textbf {c}} \in \text {Span}(\Lambda )\) and \(\sigma > \eta _\epsilon (\Lambda )\),

$$\begin{aligned} \Pr \left[ \left\| {\textbf {z}} \right\| \ge \sigma \cdot \sqrt{m} : {\textbf {z}} \leftarrow \mathcal {D}_{\sigma , {\textbf {c}} , \Lambda } \right] \le \frac{1 + \epsilon }{1 - \epsilon } 2^{-m} \hspace{5.0pt}. \end{aligned}$$

We also recall the tail bounds for the regular discrete Gaussian distribution over integers [66].

Lemma 2.8

Let \({\textbf {z}} \leftarrow \mathcal {D}^{m}_\mathfrak {s}\). Then \(\Pr \left[{\Vert {\textbf {z}} \Vert > t\cdot \mathfrak {s}\sqrt{\frac{m}{2\pi }}}\right] < \left( te^{\frac{1-t^2}{2}}\right) ^{m}.\)

By setting \(t = \sqrt{2\pi }\), the right-hand side can be upper-bounded by \(2^{-2m}\).

Preimage sampling for module lattices. Let \({\textbf {A}} \in \mathcal {R}_q^{n \times m}\) be a matrix over \(\mathcal {R}_q\) and take any \({\textbf {u}} \in \mathcal {R}_q^n\). We write \({\textbf {s}} \leftarrow {\textbf {A}} ^{-1}_\sigma ({\textbf {u}} )\) to denote sampling \({\textbf {s}} \leftarrow \mathcal {D}^{mN}_{\sigma }\) conditioned on \({\textbf {A}} {\textbf {s}} = {\textbf {u}} \). Assuming there is some \({\textbf {x}} \in \mathcal {R}_q^m\) which satisfies \({\textbf {A}} {\textbf {x}} = {\textbf {u}} \), this is the same as sampling \({\textbf {s}} \leftarrow \mathcal {D}_{\sigma , {\textbf {x}} , \Lambda ^\bot ({\textbf {A}} )}\).

We will need the following lemma from [83, Lemma 2.7] for proving the hiding property of the commitment scheme.

Lemma 2.9

Let \(n,m,q>0\). Take any matrices \({\textbf {A}} \in \mathcal {R}_q^{n \times m}, {\textbf {B}} \in \mathcal {R}_q^{n \times \ell }\) where \(\ell = \textsf{poly}(n,\log q)\). Suppose the columns of \({\textbf {A}} \) generate \(\mathcal {R}_q^n\) and let \({\textbf {C}} {:}{=} [{\textbf {A}} \text { }|\text { }{\textbf {B}} ]\). Then, for every target vector \({\textbf {t}} \in \mathcal {R}_q^n\) and any \(\sigma \ge \eta _\epsilon (\Lambda ^\perp ({\textbf {A}} ))\) for some \(\epsilon =\textsf {negl} (\lambda )\), the following distributions are statistically close:

$$\begin{aligned} \left\{ {\textbf {v}} \Bigg | \begin{matrix} {\textbf {v}} \leftarrow {\textbf {C}} ^{-1}_\sigma ({\textbf {t}} ) \end{matrix} \right\} \text { and } \left\{ \begin{bmatrix} {\textbf {v}} _1 \\ {\textbf {v}} _2 \end{bmatrix} \Bigg | {\textbf {v}} _2 \leftarrow \mathcal {D}^{\ell N}_\sigma , {\textbf {v}} _1 \leftarrow {\textbf {A}} ^{-1}_\sigma ({\textbf {t}} - {\textbf {B}} {\textbf {v}} _2) \right\} . \end{aligned}$$

Module-SIS. We recall the standard lattice-based Module-SIS assumption [61].

Definition 2.10

(Module-SIS). Let \(q = q(\lambda )\), \(n = n(\lambda )\), \(m = m(\lambda )\), \(\beta = \beta (\lambda )\) and \(N = N(\lambda )\). We say that the \(\textsf {MSIS} _{n,m,N,q,\beta }\) assumption holds if for any PPT adversary \({\varvec{\mathcal {A}}}\), the following holds:

$$\begin{aligned} \Pr \left[{ \begin{array}{c} {\textbf {A}} {\textbf {s}} = \textbf{0}\wedge 0 < \left\| {\textbf {s}} \right\| \le \beta \end{array} }\,\Bigg \vert \,{ \begin{array}{c} {\textbf {A}} \leftarrow \mathcal {R}_q^{n \times m}\\ {\textbf {s}} \leftarrow {\varvec{\mathcal {A}}}({\textbf {A}} ) \end{array} }\right] \le \textsf {negl} (\lambda )\hspace{5.0pt}. \end{aligned}$$

2.4 NTRU Lattices

As defined before, let N be a power of two, q a positive integer and \(h \in \mathcal {R}_q\). The NTRU lattice associated to h is defined as

$$\begin{aligned} \Lambda _{h} {:}{=} \{(u,v) \in \mathcal {R}^2 : u + vh = 0 \bmod q \} \hspace{5.0pt}. \end{aligned}$$

Recall that there is an efficient algorithm \(\textsf {NTRU.TrapGen} \) [43, 48, 52, 80] which, given the modulus q, the ring dimension N and the parameter \(\mathfrak {s}\), outputs \(h \in \mathcal {R}_q\) and a short basis of \(\Lambda _{h}\). Below, we assume that \(X^N+1\) splits into two factors modulo q and we apply the main result of Stehlé and Steinfeld [80].

Lemma 2.11

(NTRU Trapdoor). Let \(q = \omega (N)\) be a prime such that \(q \equiv 5 \pmod {8}\). Take \(\epsilon \in (0,1/3)\) and \(\mathfrak {s}\ge \max (\sqrt{N\ln (8Nq)}\cdot q^{1/2 + \epsilon }, \omega (N^{3/2}\ln ^{3/2}N))\). Then, there is a PPT algorithm \(\textsf {NTRU.TrapGen} (q,N,\mathfrak {s})\) which with an overwhelming probability outputs \(h \in \mathcal {R}_q\) and a basis \({\textbf {T}} _\textsf {NTRU} \) of \(\Lambda _{h}\) such that \(\Vert \tilde{{\textbf {T}} }_\textsf {NTRU} \Vert \le N\mathfrak {s}\). Further, the statistical distance between the distribution of h and uniform over \(\mathcal {R}_q^\times \) is at most \(2^{10N}q^{-\lfloor \epsilon N \rfloor }\).

2.5 Gadget Trapdoors

In this section, we recall the notion of gadget trapdoors as in [72], reformulate them for the module setting and state the key results on efficiently sampling preimages using trapdoors.

We say that a matrix \({\textbf {G}} \in \mathcal {R}_q^{n \times t}\) is primitive if its columns generate \(\mathcal {R}_q^n\), i.e. if \({\textbf {G}} \cdot \mathcal {R}^t = \mathcal {R}_q^n\). Note that if \({\textbf {G}} \) is primitive, then \(\textsf {rot} ({\textbf {G}} )\) is also primitive w.r.t. \(\mathbb {Z}^{nN}_q\) (i.e. \(\textsf {rot} ({\textbf {G}} )\mathbb {Z}^{tN} = \mathbb {Z}_q^{nN}\)). We also recall the notion of a gadget trapdoor.

Definition 2.12

Let \({\textbf {A}} \in \mathcal {R}_q^{n \times m}, {\textbf {H}} \in \mathcal {R}_q^{n \times n}, {\textbf {G}} \in \mathcal {R}_q^{n \times t}\) with \(t \ge n\) and \({\textbf {H}} \) invertible over \(\mathcal {R}_q\). A \({\textbf {G}} \)-trapdoor for \({\textbf {A}} \) with tag \({\textbf {H}} \) is a matrix \({\textbf {R}} \in \mathcal {R}_q^{m \times t}\) with \({\textbf {A}} {\textbf {R}} = {\textbf {H}} {\textbf {G}} \). The quality of a trapdoor is \(s_1({\textbf {R}} )\).

When not specified, we set the tag \({\textbf {H}} {:}{=} {\textbf {I}} \). In fact, all the theorems in this section can be generalised with a tag.

In this work, we consider one particular primitive matrix that naturally represents base-\(\delta \) decomposition, which we call the gadget matrix.

Definition 2.13

(Gadget Matrix). Let \(\delta \ge 2\). We set \({\tilde{q}}{:}{=} \lfloor \log _\delta q \rfloor + 1\), and \({\textbf {g}} ^\top = [1, \delta , \dots , \delta ^{{\tilde{q}}- 1}] \in \mathcal {R}_q^{1 \times {\tilde{q}}}\) and \({\textbf {G}} _n {:}{=} {\textbf {I}} _n \otimes {\textbf {g}} ^\top \in \mathcal {R}_q^{n \times n{\tilde{q}}}\). When the dimensions are clear from context we simply write \({\textbf {G}} \). Write \({\textbf {G}} ^{-1}_n: \mathcal {R}_q^{n \times t} \rightarrow \mathcal {R}_q^{n{\tilde{q}}\times t}\) for the inverse function that takes a matrix of entries in \(\mathcal {R}_q\), and decomposes each entry w.r.t. the base \(\delta \). We also write \({\textbf {g}} ^{-1}\) for \({\textbf {G}} _1^{-1}\).

[72, Lemma 5.3] says that having a \({\textbf {G}} \)-trapdoor for some matrix \({\textbf {A}} \) makes it possible to translate any nice basis of \({\textbf {G}} \)’s induced lattice into one for \({\textbf {A}} \)’s, whose shortness is proportional to the quality of the trapdoor.

Lemma 2.14

Let \({\textbf {A}} \in \mathcal {R}_q^{n \times m}\), \({\textbf {G}} \in \mathcal {R}_q^{n \times t}\) be the gadget matrix with decomposition base \(\delta \), and suppose there exists a \({\textbf {G}} \)-trapdoor \({\textbf {R}} \) for \({\textbf {A}} \). Then, there is a basis \({\textbf {S}} _{\textbf {A}} \) of \(\Lambda ^\perp ({\textbf {A}} )\) which satisfies \(\left\| \tilde{{\textbf {S}} }_{\textbf {A}} \right\| \le (s_1({\textbf {R}} ) + 1)\sqrt{\delta ^2+1}\). In particular, if \(\left\| {\textbf {R}} \right\| \le \beta \) then for \(\epsilon = \textsf {negl} (\lambda )\):

$$\begin{aligned} \eta _{\epsilon }(\Lambda ^\perp ({\textbf {A}} )) \le \beta \delta \cdot \omega (\sqrt{N\log (mN)}) \hspace{5.0pt}. \end{aligned}$$

We now recall the key properties of the trapdoor generation from [72].

Lemma 2.15

(Trapdoor Generation). Let \(q \equiv 5 \pmod 8\) be a prime, \(N,n>0, t = n{\tilde{q}}\) and \({\textbf {G}} _n \in \mathcal {R}_q^{n \times t}\) be the gadget matrix. Take \( m > t + n\). Then, there is a PPT algorithm \(\textsf {TrapGen} (n, m)\) that with an overwhelming probability returns two matrices \(({\textbf {A}} , {\textbf {R}} ) \in \mathcal {R}_q^{n \times m} \times \mathcal {R}_q^{m \times t}\) such that \({\textbf {A}} {\textbf {R}} = {\textbf {G}} _n\) and \(\Vert {\textbf {R}} \Vert \le \mathfrak {s}\sqrt{2t(m-t)N}\) where \(\mathfrak {s}> 2N \cdot q^{\frac{n}{m-t} + \frac{2}{N(m-t)}}\). Moreover, \({\textbf {A}} \) is statistically close to a uniformly random matrix in \(\mathcal {R}_q^{n \times m}\).

Proof

Let \(m' = m - t\). Consider the following algorithm [72, Alg 1]:

  1. Sample \(\bar{{\textbf {A}} } \leftarrow \mathcal {R}_q^{n \times m'}\).

  2. Sample a matrix \(\bar{{\textbf {R}} } \leftarrow \mathcal {D}^{m'N \times tN}_\mathfrak {s}\) from a discrete Gaussian distribution.

  3. Return \({\textbf {A}} {:}{=} [\bar{{\textbf {A}} } | {\textbf {G}} _n - \bar{{\textbf {A}} }\bar{{\textbf {R}} }]\) and \({\textbf {R}} {:}{=} \begin{bmatrix} \bar{{\textbf {R}} } \\ {\textbf {I}} _{t} \end{bmatrix}\).

First, \({\textbf {A}} {\textbf {R}} = {\textbf {G}} \) as desired and \(\Vert {\textbf {R}} \Vert \le \sqrt{t(\mathfrak {s}^2m'N +1)} \le \mathfrak {s}\sqrt{2t(m-t)N}\) with an overwhelming probability by Lemma 2.8 applied with its parameter \(t = \sqrt{2\pi }\) (not to be confused with the dimension t). To argue pseudorandomness, we apply Lemma 2.6 and a hybrid argument to get that \(\bar{{\textbf {A}} }\bar{{\textbf {R}} }\) is statistically close to uniform over \(\mathcal {R}_q^{n \times t}\), and thus so is \({\textbf {A}} \). \(\square \)
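Worked example, added here and not part of the paper or of [72]: a toy implementation of the gadget matrix \({\textbf {G}} _n\) and its decomposition \({\textbf {G}} ^{-1}_n\) (Definition 2.13) together with the three steps of the trapdoor generation above, followed by a check that \({\textbf {A}} {\textbf {R}} = {\textbf {G}} _n\) and that \(\Vert {\textbf {R}} \Vert \) satisfies the bound of Lemma 2.15. The parameters \(N = 4\), \(q = 13\), \(\delta = 2\) and \(\mathfrak {s}= 2\) are assumptions chosen to keep the arithmetic small; \(\mathfrak {s}\) is far below the bound of Lemma 2.6, so the example does not show that \({\textbf {A}} \) is close to uniform.

```python
import math
import random

# Toy instance of R_q = Z_q[X]/(X^N + 1) with q = 13 = 5 (mod 8).  Sizes are deliberately
# tiny and s is far below the bound of Lemma 2.6, so A is NOT close to uniform here.
N, Q, DELTA = 4, 13, 2

def gadget_len(q=Q, delta=DELTA):
    """q~ = floor(log_delta q) + 1, computed with integers only."""
    k, p = 0, 1
    while p * delta <= q:
        p, k = p * delta, k + 1
    return k + 1

QT = gadget_len()                      # 4 for q = 13, delta = 2

def const(c):
    """Constant polynomial c as an element of R_q (list of N coefficients in [0, q))."""
    return [c % Q] + [0] * (N - 1)

def pmul(a, b):
    """Product in R_q, reducing by X^N = -1 and modulo q."""
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < N:
                res[k] = (res[k] + ai * bj) % Q
            else:
                res[k - N] = (res[k - N] - ai * bj) % Q
    return res

def padd(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def psub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]

def mat_mul(A, B):
    """Matrix product over R_q; a matrix is a list of rows, a row a list of polynomials."""
    C = [[const(0) for _ in B[0]] for _ in A]
    for i, row in enumerate(A):
        for j in range(len(B[0])):
            for k, a_ik in enumerate(row):
                C[i][j] = padd(C[i][j], pmul(a_ik, B[k][j]))
    return C

def gadget_matrix(n):
    """G_n = I_n (x) g^T with g^T = [1, delta, ..., delta^(q~-1)] (Definition 2.13)."""
    G = [[const(0) for _ in range(n * QT)] for _ in range(n)]
    for i in range(n):
        for j in range(QT):
            G[i][i * QT + j] = const(DELTA ** j)
    return G

def g_inv(v):
    """G_n^{-1}: base-delta digits of every coefficient of every entry of v in R_q^n,
    arranged as a column in R_q^{n q~} so that G_n * g_inv(v) = v."""
    out = []
    for poly in v:
        digits = [[0] * N for _ in range(QT)]
        for idx, c in enumerate(poly):
            c %= Q
            for j in range(QT):
                digits[j][idx], c = c % DELTA, c // DELTA
        out.extend(digits)
    return out

def sample_dgauss(s, rng):
    """Rejection sampler for the discrete Gaussian D_s over Z, mass ~ exp(-pi z^2 / s^2)."""
    bound = math.ceil(6 * s)           # tail cut, far beyond the mass of the toy parameter
    while True:
        z = rng.randint(-bound, bound)
        if rng.random() < math.exp(-math.pi * z * z / (s * s)):
            return z

def trapgen(n, m, s, rng):
    """[72, Alg 1] as in the proof of Lemma 2.15: A = [A_bar | G_n - A_bar R_bar] and
    R = [R_bar ; I_t], so that A R = G_n.  R_bar keeps its signed (short) coefficients."""
    t = n * QT
    mp = m - t
    assert mp > n, "need m > t + n"
    A_bar = [[[rng.randrange(Q) for _ in range(N)] for _ in range(mp)] for _ in range(n)]
    R_bar = [[[sample_dgauss(s, rng) for _ in range(N)] for _ in range(t)] for _ in range(mp)]
    G = gadget_matrix(n)
    AR = mat_mul(A_bar, R_bar)
    A = [A_bar[i] + [psub(G[i][j], AR[i][j]) for j in range(t)] for i in range(n)]
    R = R_bar + [[const(1 if i == j else 0) for j in range(t)] for i in range(t)]
    return A, R

def frob_norm(M):
    """Euclidean norm over all coefficients of M (used for the ||R|| bound of Lemma 2.15)."""
    return math.sqrt(sum(c * c for row in M for poly in row for c in poly))

def trapdoor_is_valid(A, R, n, m, s):
    """Check A R = G_n and ||R|| <= s * sqrt(2 t (m - t) N) as stated in Lemma 2.15."""
    t = n * QT
    return mat_mul(A, R) == gadget_matrix(n) and frob_norm(R) <= s * math.sqrt(2 * t * (m - t) * N)

def demo(seed=2024, n=1, m=6, s=2.0):
    """Generate a trapdoor with a seeded RNG and report whether it satisfies Lemma 2.15."""
    A, R = trapgen(n, m, s, random.Random(seed))
    return trapdoor_is_valid(A, R, n, m, s)
```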

The next lemma states that given a short \({\textbf {G}} \)-trapdoor matrix \({\textbf {R}} \) for \({\textbf {A}} \), one can efficiently sample preimages of \({\textbf {A}} \) according to the discrete Gaussian distribution.

Lemma 2.16

(Preimage Sampling). Let \(N,n,m>0\) and \(t = n{\tilde{q}}\). Then, there exists a PPT algorithm \(\textsf {SamplePre} ({\textbf {A}} ,{\textbf {R}} ,{\textbf {v}} ,\sigma )\) that takes as input a matrix \({\textbf {A}} \in \mathcal {R}_q^{n \times m}\), a \({\textbf {G}} _n\)-trapdoor \({\textbf {R}} \in \mathcal {R}_q^{m \times t}\) for \({\textbf {A}} \) with a tag \({\textbf {H}} \), a target vector \({\textbf {v}} \in \mathcal {R}_q^n\) in the column-span of \({\textbf {A}} \), and a Gaussian parameter \(\sigma \), and outputs a vector \({\textbf {s}} \in \mathcal {R}_q^m\) such that \({\textbf {A}} {\textbf {s}} ={\textbf {v}} \). Further, if \(\sigma \ge \delta s_1({\textbf {R}} ) \cdot \omega (\sqrt{\log nN})\), then the statistical distance between the following distributions is negligible:

$$\begin{aligned} \left\{ {\textbf {s}} \leftarrow \textsf {SamplePre} ({\textbf {A}} ,{\textbf {R}} ,{\textbf {v}} ,\sigma ) \right\} \text { and } \left\{ {\textbf {s}} \leftarrow {\textbf {A}} ^{-1}_\sigma ({\textbf {v}} ) \right\} \hspace{5.0pt}. \end{aligned}$$

We extend this algorithm for matrices, i.e. for a matrix \({\textbf {V}} \in \mathcal {R}_q^{n \times \ell }\) with columns \({\textbf {v}} _1,\ldots ,{\textbf {v}} _\ell \), we define \(\textsf {SamplePre} ({\textbf {A}} ,{\textbf {R}} ,{\textbf {V}} ,\sigma )\) to be the algorithm which returns a matrix \({\textbf {S}} \in \mathcal {R}_q^{m \times \ell }\), where the i-th column is the output of \(\textsf {SamplePre} ({\textbf {A}} ,{\textbf {R}} ,{\textbf {v}} _i,\sigma )\).

Subtractive sets for monomials. We recall the following widely-used result from [19], which says that the (scaled) inverse of the difference of two distinct monomials in \(\mathcal {R}\) has coefficients in \(\{-1,0,1\}\).

Lemma 2.17

Let \(\mathcal {C}{:}{=} \{X^i: i\in \mathbb {Z}\} \subseteq \mathcal {R}\). Then, for any two distinct \(x,y \in \mathcal {C}\), we have \(\Vert \frac{2}{x-y}\Vert _\infty = 1\).
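Added example (not code from the paper or from [19]): an explicit construction of \(2/(x-y)\) for monomials \(x = X^i\), \(y = X^j\) in \(\mathcal {R}= \mathbb {Z}[X]/(X^N+1)\), with an exhaustive check of Lemma 2.17 for small N. It assumes, as the paper does, that N is a power of two; the telescoping-sum derivation in the docstring is ours and is not the proof given in [19].

```python
from math import gcd

def mono_mul(p, e):
    """Multiply p in R = Z[X]/(X^N + 1) by X^e (e may be negative), using X^N = -1."""
    n = len(p)
    e %= 2 * n                          # X has multiplicative order 2N in R
    sign = -1 if e >= n else 1          # X^e = -X^(e-N) when N <= e < 2N
    e %= n
    out = [0] * n
    for i, c in enumerate(p):
        k = i + e
        out[k % n] += sign * c if k < n else -sign * c   # wrapping past X^N flips the sign
    return out

def monomial(e, n):
    """X^e as an element of R = Z[X]/(X^N + 1) with N = n."""
    return mono_mul([1] + [0] * (n - 1), e)

def scaled_monomial_inverse(i, j, n):
    """Return y in R with (X^i - X^j) * y = 2, for distinct monomials X^i != X^j in R.

    Write X^i - X^j = X^i (1 - X^d) with d = j - i mod 2N and g = gcd(d, 2N).  For N a power
    of two, d/g is odd, hence X^(N d/g) = (X^N)^(d/g) = -1, and the telescoping sum
    y0 = 1 + X^d + ... + X^((N/g - 1) d) gives (1 - X^d) y0 = 1 - X^(N d/g) = 2.
    The monomials of y0 are distinct modulo X^N + 1, so y0 is ternary, and so is the
    signed rotation y = X^(-i) y0.  (Our derivation, constructed for this example.)"""
    d = (j - i) % (2 * n)
    if d == 0:
        raise ValueError("X^i and X^j coincide in R")
    g = gcd(d, 2 * n)
    y0 = [0] * n
    for t in range(n // g):
        y0 = [a + b for a, b in zip(y0, monomial(t * d, n))]
    return mono_mul(y0, -i)

def check_lemma_2_17(i, j, n):
    """Return (whether (X^i - X^j) * y == 2 in R, infinity norm of y) for y = 2/(X^i - X^j)."""
    y = scaled_monomial_inverse(i, j, n)
    prod = [a - b for a, b in zip(mono_mul(y, i), mono_mul(y, j))]   # (X^i - X^j) * y
    return prod == [2] + [0] * (n - 1), max(abs(c) for c in y)

def lemma_holds_for_all_pairs(n):
    """Exhaustively verify Lemma 2.17 over every pair of distinct monomials for N = n."""
    return all(check_lemma_2_17(i, j, n) == (True, 1)
               for i in range(2 * n) for j in range(2 * n) if i != j)
```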

Short elements are invertible. For \(\kappa >0\), we define \(S_\kappa {:}{=} \{ x \in \mathcal {R}_q: \Vert x\Vert _\infty \le \kappa \}\) to be the set of ring elements in \(\mathcal {R}_q\) with infinity norm at most \(\kappa \). We recall the following invertibility result by Lyubashevsky and Seiler [70].

Lemma 2.18

Let \(1\le l<N\) be a power of two and suppose \(q \equiv 2N/l + 1 \pmod {4N/l}\). Then, every non-zero element in \(S_\kappa \) is invertible over \(\mathcal {R}_q\) as long as \(\kappa <\sqrt{l/N} \cdot q^{l/N}\).

We will use this lemma for \(q \equiv 5 \pmod 8\) and thus \(l = N/2\).

Rejection sampling. A crucial component in proving the zero-knowledge property of lattice-based (non-interactive) arguments is a rejection sampling procedure [66]. We recall the generalised version introduced recently by Boschini et al. [29] (specifically, [29, Lemma 3.1] for \(t{:}{=}\alpha /\pi \)) for discrete Gaussians over arbitrary lattices (here we omit the case of ellipsoidal Gaussians).

Fig. 3. Rejection sampling [29]

Lemma 2.19

(Rejection Sampling [29]). Take any \(\alpha , T>0\) and \(\varepsilon \le 1/2\). Let \(\Lambda \subseteq \mathcal {R}^m\) be a lattice over \(\mathcal {R}\) and \(\sigma \ge \max (\alpha T, \eta _{\varepsilon }(\Lambda ))\) be a parameter. Let \(h: \mathcal {R}^m \times \mathcal {R}^m \rightarrow [0,1]\) be a probability distribution which returns \(({\textbf {u}} ,{\textbf {v}} )\) where the vector \({\textbf {v}} \) satisfies \(\Vert {\textbf {v}} \Vert \le T\). Further, define \(M {:}{=} \exp (\frac{\pi }{\alpha ^2} + 1)\) and \(\epsilon {:}{=} 2\frac{1+\varepsilon }{1-\varepsilon }\exp (-\alpha ^2 \cdot \frac{\pi -1}{\pi ^2})\). Then, the statistical distance between distributions \(\textsf{RejSamp}\) and \(\textsf{SimRS}\) defined in Fig. 3 is at most \(\frac{\epsilon }{2M} + \frac{2\varepsilon }{M}\). Moreover, the probability that \(\textsf{RejSamp}\) outputs something is at least \(\frac{1-\epsilon }{M}\left( 1-\frac{4\varepsilon }{(1+\varepsilon )^2}\right) \).

2.6 Commitment Scheme

We recall the notion of a commitment scheme, which is a crucial component of various proof systems. As is folklore in lattice-based cryptography, we introduce a slack space, which plays a role in the binding property.

Definition 2.20

Let \(\textsf {CM} = (\textsf {Setup} , \textsf {Commit} , \textsf {Open} )\) be a triple of PPT algorithms. We say that \(\textsf {CM} \) is a commitment scheme over \(\mathcal {M}\) with slack space \(\mathcal {S}\) if it has the following syntax:

  • \(\textsf {Setup} (1^{\lambda }) \rightarrow \textsf {crs} \) takes a security parameter \(\lambda \) (specified in unary) and outputs a common reference string \(\textsf {crs} \).

  • \(\textsf {Commit} (\textsf {crs} , m) \rightarrow (C, \textsf {st} )\) takes a common reference string \(\textsf {crs} \) and a message \(m \in \mathcal {M}\) and outputs a commitment C and decommitment state \(\textsf {st} \).

  • \(\textsf {Open} (\textsf {crs} , C, m, \textsf {st} , c)\) takes a common reference string \(\textsf {crs} \), a commitment C, a message \(m \in \mathcal {M}\), a decommitment state \(\textsf {st} \) and a relaxation factor \(c \in \mathcal {S}\) and outputs a bit indicating whether C is a valid commitment to m under \(\textsf {crs} \).

We define the key properties of the commitment scheme: completeness, (relaxed) binding and hiding. In the following, we denote the message space as \(\mathcal {M}\) and the slack space as \(\mathcal {S}\).

Definition 2.21

(Completeness). We say that a commitment scheme \(\textsf {CM} = (\textsf {Setup} , \textsf {Commit} , \textsf {Open} )\) satisfies completeness if there exists a global relaxation factor \(c^* \in \mathcal {S}\) such that for every \(m \in \mathcal {M}\):

$$\begin{aligned} \Pr \left[ \textsf {Open} (\textsf {crs} , C, m, \textsf {st} , c^*) = 1 \Bigg | \begin{array}{c} \textsf {crs} \leftarrow \textsf {Setup} (1^{\lambda }) \\ C, \textsf {st} \leftarrow \textsf {Commit} (\textsf {crs} , m) \\ \end{array} \right] \ge 1 - \textsf {negl} (\lambda )\hspace{5.0pt}. \end{aligned}$$

Definition 2.22

(Relaxed Binding). A commitment scheme \(\textsf {CM} = (\textsf {Setup} , \textsf {Commit} , \textsf {Open} )\) satisfies relaxed binding if for every PPT adversary \({\varvec{\mathcal {A}}}\):

$$\begin{aligned} \Pr \left[ \begin{array}{c} m \ne m' \wedge m,m' \in \mathcal {M}\wedge \\ \textsf {Open} (\textsf {crs} , C, m, \textsf {st} , c) = 1 \; \wedge \\ \textsf {Open} (\textsf {crs} , C, m', \textsf {st} ', c') = 1 \end{array} \Bigg | \begin{array}{c} \textsf {crs} \leftarrow \textsf {Setup} (1^{\lambda }) \\ \left( C, \begin{array}{c} (m, \textsf {st} ,c), \\ (m', \textsf {st} ',c') \end{array}\right) \leftarrow {\varvec{\mathcal {A}}}(\textsf {crs} ) \\ \end{array} \right] = \textsf {negl} (\lambda )\hspace{5.0pt}. \end{aligned}$$

Definition 2.23

(Hiding). A commitment scheme \(\textsf {CM} = (\textsf {Setup} , \textsf {Commit} , \textsf {Open} )\) satisfies hiding if for every (stateful) PPT adversary \({\varvec{\mathcal {A}}}\):

$$\begin{aligned} \Pr \left[ b' = b \; \Bigg | \begin{array}{c} \textsf {crs} \leftarrow \textsf {Setup} (1^{\lambda }), (m_0,m_1) \leftarrow \mathcal {A}(\textsf {crs} ) \\ b \leftarrow \{0,1\} \\ C, \textsf {st} \leftarrow \textsf {Commit} (\textsf {crs} , m_b) \\ b' \leftarrow \mathcal {A}(C) \end{array} \right] \le \frac{1}{2} + \textsf {negl} (\lambda )\hspace{5.0pt}. \end{aligned}$$

2.7 Polynomial Commitment Scheme

We also recall the notion of polynomial commitment schemes [58]. Polynomial commitment schemes extend commitments with the ability to prove evaluations of the committed polynomial.

Definition 2.24

Let \(\textsf {PC} = (\textsf {Setup} , \textsf {Commit} , \textsf {Open} , \textsf {Eval} , \textsf {Verify} )\) be a tuple of algorithms. \(\textsf {PC} \) is a polynomial commitment scheme over a ring R with degree bound d and slack space \(\mathcal {S}\) if:

  • \((\textsf {Setup} , \textsf {Commit} , \textsf {Open} )\) is a commitment scheme over

    $$\begin{aligned} \mathcal {M}{:}{=} \left\{ (f_0,f_1,\ldots ,f_d) \in R^{d+1} : \sum ^d_{i=0} f_i \textsf {X} ^i \in R[\textsf {X} ] \right\} \end{aligned}$$

    with slack space \(\mathcal {S}\).

  • \(\textsf {Eval} (\textsf {crs} , C, u, \textsf {st} ) \rightarrow \pi \) takes a common reference string \(\textsf {crs} \), a commitment C, an evaluation point \(u \in R\), auxiliary state \(\textsf {st} \) and outputs an evaluation proof \(\pi \).

  • \(\textsf {Verify} (\textsf {crs} , C, u, z, \pi ) \rightarrow 0/1\) takes a common reference string \(\textsf {crs} \), a commitment C, an evaluation point \(u \in R\), a claimed image \(z \in R\), an evaluation proof \(\pi \), and outputs a bit indicating whether \(\pi \) is a valid evaluation proof that the polynomial committed to in C evaluates to z at the point u.

We also consider a setting in which \(\textsf {Eval} \) and \(\textsf {Verify} \) are replaced with an interactive two-party protocol between a prover and a verifier, and refer to that setting as an interactive polynomial commitment scheme.

Additionally, we require that the evaluation procedure satisfies some further properties, which we detail next. For simplicity, we give these definitions for non-interactive polynomial commitments; the interactive variant follows similarly.

Definition 2.25

(Evaluation Completeness). We say that a polynomial commitment scheme \(\textsf {PC} = (\textsf {Setup} , \textsf {Commit} , \textsf {Open} , \textsf {Eval} , \textsf {Verify} )\) satisfies completeness if for every polynomial \(f \in R^{\le d}[\textsf {X} ]\) and any evaluation point \(u \in R\):

$$\begin{aligned} \Pr \left[ \begin{array}{c} \textsf {Verify} (\textsf {crs} , C, u, f(u), \pi ) = 0 \end{array} \Bigg | \begin{array}{c} \textsf {crs} \leftarrow \textsf {Setup} (1^{\lambda }) \\ C, \textsf {st} \leftarrow \textsf {Commit} (\textsf {crs} , f) \\ \pi \leftarrow \textsf {Eval} (\textsf {crs} , C, u, \textsf {st} ) \\ \end{array} \right] = \textsf {negl} (\lambda )\hspace{5.0pt}. \end{aligned}$$

Definition 2.26

(Knowledge Soundness). We say that a polynomial commitment scheme \(\textsf {PC} = (\textsf {Setup} , \textsf {Commit} , \textsf {Open} , \textsf {Eval} , \textsf {Verify} )\) is knowledge sound with knowledge error \(\kappa \) if for all stateful PPT adversaries \(\mathcal {P}^*\), there exists an expected PPT extractor \(\mathcal {E}\) such that

$$\begin{aligned} \Pr \left[ b = 1 \wedge \left( \begin{array}{c} \textsf {Open} (\textsf {crs} , C, f, \textsf {st} , c) \ne 1 \vee \\ f(u) \ne z \\ \end{array} \right) \Bigg | \begin{array}{c} \textsf {crs} \leftarrow \textsf {Setup} (1^{\lambda }) \\ (C, u, z, \pi ) \leftarrow \mathcal {P}^*(\textsf {crs} ) \\ b = \textsf {Verify} (\textsf {crs} , C, u, z, \pi ) \\ (f, \textsf {st} , c) \leftarrow \mathcal {E}^{\mathcal {P}^*}(\textsf {crs} , C, u, z, \pi ) \\ \end{array} \right] \le \kappa (\lambda ) \hspace{5.0pt}. \end{aligned}$$

Here, the extractor \(\mathcal {E}\) has a black-box oracle access to the (malicious) prover \(\mathcal {P}^*\) and can rewind it to any point in the interaction.

2.8 Interactive Proofs

Let \( \textsf {R} \subseteq \{0,1\}^* \times \{0,1\}^* \times \{0,1\}^*\) be a ternary relation. If \((\mathbb {i},\mathbb {x},\mathbb {w}) \in \textsf {R} \), we say that \(\mathbb {i}\) is an index, \(\mathbb {x}\) is a statement and \(\mathbb {w}\) is a witness for \(\mathbb {x}\). We denote \( \textsf {R} (\mathbb {i},\mathbb {x}) = \{\mathbb {w}: \textsf {R} (\mathbb {i},\mathbb {x},\mathbb {w})=1\}\). In this work, we only consider NP relations \( \textsf {R} \) for which a witness \(\mathbb {w}\) can be verified in time \(\textsf{poly}(|\mathbb {i}|,|\mathbb {x}|)\) for all \((\mathbb {i},\mathbb {x},\mathbb {w}) \in \textsf {R} \).

A proof system \(\Pi = (\textsf {Setup} ,\mathcal {P},\mathcal {V})\) for relation \(\textsf {R} \) consists of three PPT algorithms: the \(\textsf {Setup} \) algorithm, the prover \(\mathcal {P}\), and the verifier \(\mathcal {V}\). The latter two are interactive and stateful. We write \((tr,b) \leftarrow \langle \mathcal {P}(\mathbb {i},\mathbb {x},\mathbb {w}), \mathcal {V}(\mathbb {i},\mathbb {x})\rangle \) for running \(\mathcal {P}\) and \(\mathcal {V}\) on inputs \(\mathbb {i}, \mathbb {x},\mathbb {w}\) and \(\mathbb {i},\mathbb {x}\) respectively and getting the communication transcript tr and the verifier’s decision bit b. We use the convention that \(b=0\) means reject and \(b=1\) means accept the prover’s claim of knowing \(\mathbb {w}\) such that \((\mathbb {i},\mathbb {x},\mathbb {w}) \in \textsf {R} \). If tr contains a \(\bot \) then we say that \(\mathcal {P}\) aborts. Unless stated otherwise, we will assume that the first and the last message are sent by the prover. Hence, the protocol between \(\mathcal {P}\) and \(\mathcal {V}\) has an odd number of rounds. A \(\Sigma \)-protocol is a three-round protocol. Further, we say a protocol is public coin if the verifier’s challenges are chosen uniformly at random, independently of the prover’s messages.

We recall a few basic properties of interactive proof systems: completeness and knowledge soundness.

Definition 2.27

(Completeness). A proof system \(\Pi = (\textsf {Setup} ,\mathcal {P},\mathcal {V})\) for the relation \(\textsf {R} \) has statistical completeness with correctness error \(\epsilon \) if for all adversaries \({\varvec{\mathcal {A}}}\),

$$\begin{aligned} \Pr \left[ b = 0 \wedge (\mathbb {i},\mathbb {x},\mathbb {w}) \in \textsf {R} \Bigg | \begin{array}{c} \mathbb {i}\leftarrow \textsf {Setup} (1^{\lambda }) \\ (\mathbb {x},\mathbb {w}) \leftarrow \mathcal {A}(\mathbb {i}) \\ (tr,b) \leftarrow \langle \mathcal {P}(\mathbb {i},\mathbb {x},\mathbb {w}), \mathcal {V}(\mathbb {i},\mathbb {x})\rangle \end{array} \right] \le \epsilon (\lambda ) \hspace{5.0pt}. \end{aligned}$$

Definition 2.28

(Knowledge Soundness). A proof system \(\Pi = (\textsf {Setup} ,\mathcal {P},\mathcal {V})\) for the relation \(\textsf {R} \) is knowledge sound with knowledge error \(\kappa \) if there exists an expected PPT extractor \(\mathcal {E}\) such that for any stateful PPT adversary \(\mathcal {P}^*\):

$$\begin{aligned} \Pr \left[ b = 1 \wedge (\mathbb {i},\mathbb {x},\mathbb {w}) \not \in \textsf {R} \Bigg | \begin{array}{c} \mathbb {i}\leftarrow \textsf {Setup} (1^{\lambda }) \\ (\mathbb {x},\textsf {st} ) \leftarrow \mathcal {P}^*(\mathbb {i}) \\ (tr,b) \leftarrow \langle \mathcal {P}^*(\mathbb {i},\mathbb {x},\textsf {st} ), \mathcal {V}(\mathbb {i},\mathbb {x})\rangle \\ \mathbb {w}\leftarrow \mathcal {E}^{\mathcal {P}^*}(\mathbb {i},\mathbb {x}) \end{array} \right] \le \kappa (\lambda ) \hspace{5.0pt}. \end{aligned}$$

Here, the extractor \(\mathcal {E}\) has a black-box oracle access to the (malicious) prover \(\mathcal {P}^*\) and can rewind it to any point in the interaction.

2.9 Coordinate-Wise Special Soundness

We generalise the notion of special soundness in the following way. Let S be a set and \(\ell ,k \in \mathbb {N}\). Take two vectors \({\textbf {x}} {:}{=} (x_1,\ldots ,x_\ell ), {\textbf {y}} {:}{=} (y_1,\ldots ,y_\ell ) \in S^\ell \). Then, we define the following relation “\(\equiv _i\)” for fixed \(i \in [\ell ]\) as:

$$\begin{aligned} {\textbf {x}} \equiv _i {\textbf {y}} \iff x_i \ne y_i \wedge \forall j \in [\ell ] \backslash \{i\}, x_j = y_j \hspace{5.0pt}. \end{aligned}$$

That is, vectors \({\textbf {x}} \) and \({\textbf {y}} \) have the same values in all coordinates apart from the i-th one. For \(\ell = 1\), the relation boils down to checking whether two elements are distinct. Further, we can define the set

$$\begin{aligned} \textsf{SS}(S,\ell , k) {:}{=} \left\{ \left\{ {\textbf {x}} _1,\ldots ,{\textbf {x}} _{K}\right\} \subseteq (S^\ell )^{K} : \begin{array}{l} \exists e \in [K],\forall i \in [\ell ],\\ \exists J=\left\{ j_1,\ldots ,j_{k-1}\right\} \subseteq [K] \setminus \{e\},\\ \forall j\in J, {\textbf {x}} _e \equiv _i {\textbf {x}} _j \end{array} \right\} \hspace{5.0pt}, \end{aligned}$$

where \(K{:}{=} \ell (k-1) + 1\). To develop an intuition of the meaning of \(\textsf{SS}(S,\ell , k)\), consider a set \(X = \{{\textbf {x}} _1,\ldots ,{\textbf {x}} _{K}\} \in \textsf{SS}(S,\ell , k)\). There is a “central” vector \({\textbf {x}} _e \in X\) such that for each coordinate of \({\textbf {x}} _e\), there are \(k-1\) other vectors in X that differ from \({\textbf {x}} _e\) only in that coordinate. In other words, for each coordinate, there are k vectors in X that differ from each other only in that coordinate, and \({\textbf {x}} _e\) is always one of them. As a simple example,

$$\begin{aligned} \left\{ (2,0,0),(0,1,0),(0,0,0),(0,0,5),(0,0,4),(0,2,0),(3,0,0)\right\} \in \textsf{SS}(\mathbb {Z}_7,3,3) \end{aligned}$$

– the “central” vector (0, 0, 0) differs in, and only in, each coordinate from two other vectors in the set. Note that \(\textsf{SS}(S,1,k)\) simply contains k-sets of distinct elements in S.
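Added example (not code from the paper): a membership test for \(\textsf{SS}(S,\ell , k)\) that also returns the index of the “central” vector, run on the set above from the paper and on a constructed set that fails the condition. The last function checks the input condition of Definition 2.29 on a list of \((a, {\textbf {c}} , z)\) transcripts; representing a transcript as a Python triple is our assumption.

```python
def equiv_at(x, y, i):
    """x ≡_i y: x and y differ in coordinate i and agree in every other coordinate."""
    return x[i] != y[i] and all(x[j] == y[j] for j in range(len(x)) if j != i)

def central_index(vectors, ell, k):
    """Index e of a 'central' vector x_e witnessing {x_1, ..., x_K} ∈ SS(S, ell, k), or None.

    vectors: K = ell*(k-1)+1 distinct length-ell tuples over S (S itself is left implicit).
    For each coordinate i we need k-1 other vectors differing from x_e in coordinate i only.
    Partner sets for different coordinates are automatically disjoint, which is why
    K = ell*(k-1)+1 vectors are exactly enough."""
    K = ell * (k - 1) + 1
    if len(vectors) != K or len(set(vectors)) != K or any(len(v) != ell for v in vectors):
        return None
    for e, xe in enumerate(vectors):
        if all(sum(1 for j, xj in enumerate(vectors) if j != e and equiv_at(xe, xj, i)) >= k - 1
               for i in range(ell)):
            return e
    return None

def in_ss(vectors, ell, k):
    """Membership test for the set SS(S, ell, k)."""
    return central_index(vectors, ell, k) is not None

# The set from the paper: a 7-element subset of (Z_7)^3 lying in SS(Z_7, 3, 3).
PAPER_EXAMPLE = [(2, 0, 0), (0, 1, 0), (0, 0, 0), (0, 0, 5), (0, 0, 4), (0, 2, 0), (3, 0, 0)]

# Constructed counter-example: (3,0,0) replaced by (0,0,6).  The first coordinate of
# (0,0,0) now has only one partner, and no other vector can serve as the centre.
NOT_IN_SS = [(2, 0, 0), (0, 1, 0), (0, 0, 0), (0, 0, 5), (0, 0, 4), (0, 2, 0), (0, 0, 6)]

def extractor_precondition(transcripts, ell, k):
    """Input condition of Definition 2.29: transcripts (a, c, z) share the first message a and
    their challenge vectors c form a set in SS(S, ell, k).  That every transcript is
    accepting is assumed to have been checked by the caller."""
    if not transcripts:
        return False
    a0 = transcripts[0][0]
    challenges = [tuple(c) for (_a, c, _z) in transcripts]
    return all(a == a0 for (a, _c, _z) in transcripts) and in_ss(challenges, ell, k)
```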

We are ready to define the notion of coordinate-wise special soundness. We start with the case for \(\Sigma \)-protocols.

Definition 2.29

(CWSS for \(\Sigma \)-protocols). Let \(\Pi = (\textsf {Setup} ,\mathcal {P},\mathcal {V})\) be a public-coin three-round interactive proof system for relation \(\textsf {R} \), and suppose the challenge space of \(\mathcal {V}\) is \(\mathcal {C}= S^\ell \). We say that \(\Pi \) is \(\ell \)-coordinate-wise k-special sound if there exists a polynomial time algorithm that on input an index \(\mathbb {i}\), statement \(\mathbb {x}\) and \(\ell (k-1)+1\) accepting transcripts \((a,{\textbf {c}} _i, z_i)_{i \in [\ell (k-1)+1]}\), with \(\{{\textbf {c}} _1,\ldots ,{\textbf {c}} _{\ell (k-1)+1}\} \in \textsf{SS}(S,\ell ,k)\) and common first message a, outputs a witness \(\mathbb {w}\in \textsf {R} (\mathbb {i},\mathbb {x})\).

Clearly, we obtain the standard k-special soundness property if \(\ell = 1\). Next, we extend this notion to multi-round protocols via a tree of transcripts. For simplicity, we assume that in each round the verifier picks a challenge uniformly at random from the same challenge space \(S^\ell \), which will be the case for most of our protocols.

Definition 2.30

(CWSS for Multi-Round Protocols). Let \(\Pi = (\textsf {Setup} ,\mathcal {P},\mathcal {V})\) be a public-coin \((2\mu +1)\)-round interactive proof system for relation \(\textsf {R} \), where in each round the verifier picks a uniformly random challenge from \(S^\ell \). A tree of transcripts is a set of \(K = (\ell (k-1)+1)^\mu \) transcripts arranged in the following tree structure. The nodes in the tree correspond to the prover’s messages and the edges correspond to the verifier’s challenges. Each node at depth i has exactly \(\ell (k-1)+1\) children corresponding to \(\ell (k-1)+1\) distinct challenges which, as a set of vectors, lie in \(\textsf{SS}(S,\ell ,k)\). Every transcript corresponds to exactly one path from the root to a leaf node.

We say that \(\Pi \) is \(\ell \)-coordinate-wise k-special sound if there is a polynomial time algorithm that given an index \(\mathbb {i}\), statement \(\mathbb {x}\) and the tree of transcripts, outputs a witness \(\mathbb {w}\in \textsf {R} (\mathbb {i},\mathbb {x})\).

In this paper, we only focus on \(\ell \)-coordinate-wise 2-special sound protocols, which we will call \(\ell \)-coordinate-wise special sound.

We prove in Sect. 7 that coordinate-wise special soundness implies knowledge soundness in the interactive setting.

Lemma 2.31

Let \(\Pi = (\textsf {Setup} ,\mathcal {P},\mathcal {V})\) be a public-coin \((2\mu +1)\)-round interactive proof system for relation \(\textsf {R} \) and suppose the challenge space of \(\mathcal {V}\) in each round is \(S^\ell \). If \(\Pi \) is \(\ell \)-coordinate-wise k-special sound and \((\ell (k-1))^\mu = \textsf {poly} (\lambda )\), then it is knowledge sound with knowledge error \(\mu \ell (k-1) /|S|\).

The resulting knowledge extractor runs the malicious prover \((\ell (k-1)+1)^\mu \) times in expectation. Hence, in order to keep the knowledge extractor expected PPT, we need \((\ell (k-1))^\mu = \textsf {poly} (\lambda )\).

The result can be easily extended to the case where in each i-th round the challenges from the verifier are picked from \(S^{\ell _i}\) for \(\ell _i > 0\). Then, the knowledge error becomes \((\ell _1+\ldots +\ell _\mu )(k-1)/|S|\) and the extractor runs the malicious prover at most \(\prod ^\mu _{i=1}(\ell _i(k-1)+1)\) times.

Finally, using the exact methodology as in [10], in Sect. 8 we show that coordinate-wise special soundness implies (adaptive) knowledge soundness of the Fiat–Shamir transformed protocol in the random oracle model.

Lemma 2.32

(Informal). Let \(\Pi = (\textsf {Setup} ,\mathcal {P},\mathcal {V})\) be a public-coin \((2\mu +1)\)-round interactive proof system for relation \(\textsf {R} \) and suppose the challenge space of \(\mathcal {V}\) in each round is \(S^\ell \). If \(\Pi \) is \(\ell \)-coordinate-wise k-special sound and \((\ell (k-1))^\mu = \textsf {poly} (\lambda )\), then the Fiat–Shamir transformation of \(\Pi \) is knowledge sound in the random oracle model with knowledge error \((Q+1)\mu \ell (k-1)/|S|\), where Q is the number of random oracle queries made by an adversary.

3 Power-BASIS Assumption

Our construction of the polynomial commitment will rely on a new lattice-based assumption \(\textsf {PowerBASIS} \) which is a special case of the \(\textsf {BASIS} \) assumption introduced by Wee and Wu [83]. We begin by adapting the latter assumption to the ring setting. Recall that \({\textbf {G}} _n\) is a gadget matrix with base \(\delta \) as in Definition 2.13 and N is the ring dimension of \(\mathcal {R}\). We fix the prime modulus \(q \equiv 5 \pmod 8\) and set \({\tilde{q}}{:}{=} \lfloor \log _\delta q \rfloor +1\).

Definition 3.1

(BASIS). Let \(q,n,m,n',m',\ell ,N,\sigma ,\beta \) be lattice parameters. Let \(\textsf {Samp} \) be a PPT algorithm, which given a matrix \({\textbf {A}} \in \mathcal {R}_q^{n \times m}\), outputs a matrix \({\textbf {B}} \in \mathcal {R}_q^{n'\times m'}\) along with auxiliary information \(\textsf {aux} \). We say the \(\textsf {BASIS} _{n, m, n',m', N, q, \ell , \sigma , \beta }\) assumption holds w.r.t. \(\textsf {Samp} \) if for any PPT adversary \({\varvec{\mathcal {A}}}\):

$$\begin{aligned} \Pr \left[{ \begin{array}{c} {\textbf {A}} {\textbf {s}} = \textbf{0}\\ 0 < \left\| {\textbf {s}} \right\| \le \beta \end{array} }\,\Bigg \vert \,{ \begin{array}{c} {\textbf {A}} \leftarrow \mathcal {R}_q^{n \times m}, ({\textbf {B}} ,\textsf {aux} ) \leftarrow \textsf {Samp} ({\textbf {A}} ) \\ {\textbf {T}} \leftarrow {\textbf {B}} ^{-1}_{\sigma }({\textbf {G}} _{n'}) \\ {\textbf {s}} \leftarrow {\varvec{\mathcal {A}}}({\textbf {A}} , {\textbf {B}} , {\textbf {T}} , \textsf {aux} ) \end{array} }\right] \le \textsf {negl} (\lambda )\hspace{5.0pt}. \end{aligned}$$

Intuitively, the \(\textsf {BASIS} \) assumption says that it is hard to find a short solution for \({\textbf {A}} \), even when given a trapdoor for a matrix \({\textbf {B}} \) related to \({\textbf {A}} \). The trapdoor allows the adversary to sample preimages of \({\textbf {B}} \), and thus it is easy to break the assumption if \({\textbf {B}} \) contains too much information about \({\textbf {A}} \), e.g. when \({\textbf {B}} = {\textbf {A}} \).

Furthermore, we provide three concrete instantiations of the sampling algorithm \(\textsf {Samp} \).

Definition 3.2

(BASIS Instantiations). We consider three concrete instantiations of the \(\textsf {BASIS} \) assumption:

  • \(\textsf{StructBASIS}_{n, m, N, q, \ell , \sigma , \beta }\): The sampling algorithm \(\textsf {Samp} ({\textbf {A}} )\) first generates a row \({\textbf {a}} ^\intercal \leftarrow \mathcal {R}_q^{m}\) and sets

    $$\begin{aligned} \mathbf {A^{\!\star }} {:}{=} \begin{bmatrix} {\textbf {a}} ^\intercal \\ {\textbf {A}} \end{bmatrix} \in \mathcal {R}_q^{(n+1) \times m} \hspace{5.0pt}. \end{aligned}$$
    (11)

    Further, it samples \({\textbf {W}} _i \leftarrow \textsf {GL} (n+1,\mathcal {R}_q)\) for all \(i \in [\ell ]\), and outputs

    $$\begin{aligned} {\textbf {B}} _\ell {:}{=} \left[ \begin{array}{@{}ccc|c@{}} {\textbf {W}} _1\mathbf {A^{\!\star }} &{} &{} &{} -{\textbf {G}} _{n+1} \\ &{} \ddots &{} &{} \vdots \\ &{} &{} {\textbf {W}} _\ell \mathbf {A^{\!\star }} &{} -{\textbf {G}} _{n+1} \end{array}\right] \quad \text {and} \quad \textsf {aux} {:}{=} ({\textbf {W}} _1,\ldots ,{\textbf {W}} _\ell ) \hspace{5.0pt}. \end{aligned}$$
  • \(\textsf{PowerBASIS}_{n, m, N, q, \ell , \sigma , \beta }\): Here, \(\textsf {Samp} ({\textbf {A}} )\) generates a row \({\textbf {a}} ^\intercal \leftarrow \mathcal {R}_q^{m}\) and sets \(\mathbf {A^{\!\star }}\) as in (11). Then, it samples \({\textbf {W}} \leftarrow \textsf {GL} (n+1,\mathcal {R}_q)\), and outputs

    $$\begin{aligned} {\textbf {B}} _\ell {:}{=} \left[ \begin{array}{@{}ccc|c@{}} {\textbf {W}} ^0\mathbf {A^{\!\star }} &{} &{} &{} -{\textbf {G}} _{n+1} \\ &{} \ddots &{} &{} \vdots \\ &{} &{} {\textbf {W}} ^{\ell -1} \mathbf {A^{\!\star }} &{} -{\textbf {G}} _{n+1} \end{array}\right] \quad \text {and} \quad \textsf {aux} {:}{=} {\textbf {W}} \hspace{5.0pt}. \end{aligned}$$
  • \(\textsf{PRISIS}_{n, m, N, q, \ell , \sigma , \beta }\): \(\textsf {Samp} ({\textbf {A}} )\) samples a row \({\textbf {a}} ^\intercal \leftarrow \mathcal {R}_q^{m}\) and sets \(\mathbf {A^{\!\star }}\) as in (11). Then, it samples \(w \leftarrow \textsf {GL} (1,\mathcal {R}_q)\), and outputs

    $$\begin{aligned} {\textbf {B}} _\ell {:}{=} \left[ \begin{array}{@{}ccc|c@{}} w^0\mathbf {A^{\!\star }} &{} &{} &{} -{\textbf {G}} _{n+1} \\ &{} \ddots &{} &{} \vdots \\ &{} &{} w^{\ell -1} \mathbf {A^{\!\star }} &{} -{\textbf {G}} _{n+1} \end{array}\right] \quad \text {and} \quad \textsf {aux} {:}{=} w \hspace{5.0pt}. \end{aligned}$$

Informally, the \(\textsf{StructBASIS}\) variant corresponds to the structured version of the \(\textsf {BASIS} \) assumption used to build functional commitments [83]. \(\textsf{PowerBASIS}\) is the special case, where instead of picking \(\ell \) uniformly random invertible matrices \({\textbf {W}} _i\), one takes a single invertible matrix, and sets \({\textbf {W}} _i {:}{=} {\textbf {W}} ^{i-1}\) for \(i \in [\ell ]\). Finally, \(\textsf{PRISIS}\) is the instance where each \({\textbf {W}} _i {:}{=} w^{i-1}{\textbf {I}} _{n+1}\) for \(i \in [\ell ]\) and \(w \in \mathcal {R}_q\) is an invertible element.

Intuitively, \(\textsf{StructBASIS}\) seems to be the hardest of the three variants to break, since it carries the least structure. \(\textsf{PowerBASIS}\) should then be an easier problem due to the very specific relation between the matrices \({\textbf {W}} _i\). Finally, \(\textsf{PRISIS}\) carries a lot of structure, since it introduces commutativity between the matrices \({\textbf {W}} _i\) and \(\mathbf {A^{\!\star }}\), i.e. \(w^{i-1}\mathbf {A^{\!\star }} = \mathbf {A^{\!\star }} (w^{i-1} \cdot {\textbf {I}} _{m})\), which might be useful for an adversary trying to break the assumption.

Remark 3.3

To simplify reductions in the paper, we explicitly require the matrices \({\textbf {W}} _i\) to be invertible (unlike in [83]). Note that this condition can be dropped by arguing that, depending on the parameters q and N, with overwhelming probability a uniformly random matrix \({\textbf {W}} \) is invertible over \(\mathcal {R}_q\) (cf. Lemma 2.3).

Remark 3.4

In the \(\textsf {PowerBASIS} \) assumption, an adversary is given a trapdoor to the structured matrix \({\textbf {B}} _\ell \). The most intuitive and standard way to attack lattice problems is to perform certain linear operations. In one way or another, here we would end up obtaining (many) short solutions \({\textbf {s}} _1,\ldots ,{\textbf {s}} _\ell \) such that \({\textbf {W}} ^{0}\mathbf {A^{\!\star }}{\textbf {s}} _1 + \ldots + {\textbf {W}} ^{\ell -1}\mathbf {A^{\!\star }} {\textbf {s}} _\ell = 0\). The intuition why this should not help to find a short non-zero solution to \(\mathbf {A^{\!\star }}\) (or \({\textbf {A}} \)) is two-fold. Firstly, since \({\textbf {W}} \) is an invertible matrix, the adversary is not able to use any commutative properties, e.g. \({\textbf {W}} \mathbf {A^{\!\star }} = \mathbf {A^{\!\star }}{\textbf {W}} \), thus limiting the adversary's algebraic capabilities to find short solutions to \(\mathbf {A^{\!\star }}\). Secondly, even if commutativity does hold (as in \(\textsf{PRISIS}\)), the matrix \({\textbf {W}} \) contains arbitrarily large \(\mathcal {R}_q\) elements. Hence, obtaining a short non-zero solution to \(\mathbf {A^{\!\star }}\) which involves \({\textbf {W}} \) seems unlikely.

Falsifiable version of \(\textsf {PowerBASIS} \). Note that the challenger in the \(\textsf {PowerBASIS} \) game from Sect. 3 is not efficient since it needs to sample a random trapdoor \({\textbf {T}} \) according to a discrete Gaussian distribution. In order to make the assumption falsifiable, one could let the challenger sample efficiently using the \(\textsf {SamplePre} \) algorithm, e.g. as in the \(\textsf {Setup} \) algorithm of Fig. 4. Further, for efficiency we can ensure that the sampled matrix \({\textbf {A}} \) from \(({\textbf {A}} ,{\textbf {R}} ) \leftarrow \textsf {TrapGen} (n,m)\) is computationally indistinguishable from random.

3.1 Hardness of BASIS for Low Dimensions

We analyse the relationship between the three newly introduced instantiations for the dimension \(\ell = 2\). To this end, we first prove the following technical lemma which will be used in all results of this section. Intuitively, it says that if one can find a short solution to a specific linear equation, then one can also build a \(\textsf {BASIS} \) trapdoor.

Lemma 3.5

Let \(n,m, N> 0\) and \(\alpha \ge 1\). Denote \(t = n{\tilde{q}}\). Then, there exists an efficient deterministic algorithm that, given as input a matrix \(\mathbf {A^{\!\star }}\in \mathcal {R}_q^{n \times m}\), invertible \({\textbf {W}} _1,{\textbf {W}} _2,{\textbf {H}} \in \textsf {GL} (n,\mathcal {R}_q)\) and two matrices \({\textbf {T}} _1,{\textbf {T}} _2 \in \mathcal {R}_q^{m \times t}\) which satisfy \(\Vert ({\textbf {T}} _1,{\textbf {T}} _2)\Vert \le \alpha \) and

$$\begin{aligned} {\textbf {W}} _1\mathbf {A^{\!\star }}{\textbf {T}} _1 - {\textbf {W}} _2 \mathbf {A^{\!\star }}{\textbf {T}} _2 = {\textbf {H}} {\textbf {G}} _n \hspace{5.0pt}, \end{aligned}$$

outputs a tag \({\textbf {H}} ^*\in \textsf {GL} (2n,\mathcal {R}_q)\) and a \({\textbf {G}} _{2n}\)-trapdoor \({\textbf {S}} \) for the matrix \({\textbf {B}} \) defined as:

$$\begin{aligned} {\textbf {B}} {:}{=} \begin{bmatrix} {\textbf {W}} _1\mathbf {A^{\!\star }}&{} \textbf{0} &{} -{\textbf {G}} \\ \textbf{0} &{} {\textbf {W}} _2\mathbf {A^{\!\star }}&{} -{\textbf {G}} \\ \end{bmatrix} \end{aligned}$$

with a tag \({\textbf {H}} ^*\), where \(\Vert {\textbf {S}} \Vert \le \sqrt{2(\alpha ^2 + t^2N)}\).

Proof

Define the following matrices:

$$\begin{aligned}&{\textbf {S}} _{1,3} {:}{=} {\textbf {G}} ^{-1}({\textbf {W}} _1 \mathbf {A^{\!\star }}{\textbf {T}} _1 - {\textbf {H}} {\textbf {G}} _n) = {\textbf {G}} ^{-1}({\textbf {W}} _2 \mathbf {A^{\!\star }}{\textbf {T}} _2) \\&{\textbf {S}} _{2,3} {:}{=} {\textbf {G}} ^{-1}( -{\textbf {W}} _2 \mathbf {A^{\!\star }}{\textbf {T}} _2 - {\textbf {H}} {\textbf {G}} _n) = {\textbf {G}} ^{-1}(-{\textbf {W}} _1 \mathbf {A^{\!\star }}{\textbf {T}} _1). \end{aligned}$$

Then, by construction we get:

$$\begin{aligned} \begin{bmatrix} {\textbf {W}} _1\mathbf {A^{\!\star }}&{} \textbf{0} &{} -{\textbf {G}} \\ \textbf{0} &{} {\textbf {W}} _2\mathbf {A^{\!\star }}&{} -{\textbf {G}} \\ \end{bmatrix} \begin{bmatrix} {\textbf {T}} _{1} &{} -{\textbf {T}} _1 \\ {\textbf {T}} _{2} &{} -{\textbf {T}} _2 \\ {\textbf {S}} _{1,3} &{} {\textbf {S}} _{2,3} \\ \end{bmatrix} = \begin{bmatrix} {\textbf {H}} {\textbf {G}} &{}\textbf{0} \\ \textbf{0} &{} {\textbf {H}} {\textbf {G}} \\ \end{bmatrix} = \begin{bmatrix} {\textbf {H}} &{}\textbf{0} \\ \textbf{0} &{} {\textbf {H}} \\ \end{bmatrix} \cdot \begin{bmatrix} {\textbf {G}} &{}\textbf{0} \\ \textbf{0} &{} {\textbf {G}} \\ \end{bmatrix}. \end{aligned}$$

By setting

$$\begin{aligned} {\textbf {S}} {:}{=} \begin{bmatrix} {\textbf {T}} _{1} &{} -{\textbf {T}} _1 \\ {\textbf {T}} _{2} &{} -{\textbf {T}} _2 \\ {\textbf {S}} _{1,3} &{} {\textbf {S}} _{2,3} \\ \end{bmatrix} \quad \text {and} \quad {\textbf {H}} ^* {:}{=} \begin{bmatrix} {\textbf {H}} &{}\textbf{0} \\ \textbf{0} &{} {\textbf {H}} \\ \end{bmatrix} \hspace{5.0pt}, \end{aligned}$$

we observe that \({\textbf {S}} \) is a \({\textbf {G}} _{2n}\)-trapdoor for \({\textbf {B}} \) with a tag \({\textbf {H}} ^*\) and \(\Vert {\textbf {S}} \Vert ^2 \le 2\alpha ^2 + 2t^2N\), which concludes the proof. \(\square \)
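To make the algebra of Lemma 3.5 concrete, the following Python script (an added example, not code from the paper) instantiates the construction over \(\mathbb {Z}_q\), i.e. ring dimension \(N = 1\), with \(n = 1\) and gadget base \(\delta = 2\). It builds a toy instance that satisfies the hypothesis \({\textbf {W}} _1\mathbf {A^{\!\star }}{\textbf {T}} _1 - {\textbf {W}} _2 \mathbf {A^{\!\star }}{\textbf {T}} _2 = {\textbf {H}} {\textbf {G}} _n\), runs the deterministic construction from the proof, and checks both \({\textbf {B}} {\textbf {S}} = {\textbf {H}} ^* {\textbf {G}} _{2n} \bmod q\) and the norm bound. Two assumptions are made: the matrix norm is taken to be the largest Euclidean column norm of the centred representatives, and the toy instance puts the gadget row as the first block of \(\mathbf {A^{\!\star }}\) so that a short \({\textbf {T}} _1\) is obtained by plain gadget decomposition; this makes it a correctness check of the identity, not a hard instance.

```python
# Added example: Lemma 3.5 trapdoor construction over Z_q (ring dimension N = 1).
# Not code from the paper. Pure-Python integer matrices, everything reduced mod q.
import math
import random


def gadget_len(q, delta):
    """q~ = floor(log_delta q) + 1, i.e. the least k with delta^k > q."""
    k, p = 0, 1
    while p <= q:
        p, k = p * delta, k + 1
    return k


def gadget(n, q, delta):
    """G_n = I_n (x) (1, delta, ..., delta^{q~-1}) as an n x (n*q~) matrix mod q."""
    qt = gadget_len(q, delta)
    G = [[0] * (n * qt) for _ in range(n)]
    for i in range(n):
        for j in range(qt):
            G[i][i * qt + j] = pow(delta, j) % q
    return G


def gadget_inverse(M, q, delta):
    """G^{-1}(M): base-delta digits (least significant first) of each entry, stacked
    so that G_n * gadget_inverse(M) == M mod q. All entries lie in [0, delta)."""
    qt = gadget_len(q, delta)
    out = [[0] * len(M[0]) for _ in range(len(M) * qt)]
    for i, row in enumerate(M):
        for j, v in enumerate(row):
            x = v % q
            for k in range(qt):
                out[i * qt + k][j], x = x % delta, x // delta
    return out


def matmul(X, Y, q):
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) % q
             for j in range(len(Y[0]))] for i in range(len(X))]

def neg(X, q): return [[(-v) % q for v in row] for row in X]
def add(X, Y, q): return [[(a + b) % q for a, b in zip(r, s)] for r, s in zip(X, Y)]
def hstack(*Ms): return [sum((M[i] for M in Ms), []) for i in range(len(Ms[0]))]
def vstack(*Ms): return [row[:] for M in Ms for row in M]
def zeros(r, c): return [[0] * c for _ in range(r)]


def max_col_norm(M, q):
    """Assumed norm convention: max Euclidean column norm of centred representatives."""
    cen = lambda v: (v % q) - q if (v % q) > q // 2 else v % q
    return max(math.sqrt(sum(cen(M[i][j]) ** 2 for i in range(len(M))))
               for j in range(len(M[0])))


def precondition_holds(A, W1, W2, H, T1, T2, q, delta):
    """Hypothesis of Lemma 3.5: W1 A T1 - W2 A T2 == H G_n (mod q)."""
    lhs = add(matmul(matmul(W1, A, q), T1, q), neg(matmul(matmul(W2, A, q), T2, q), q), q)
    return lhs == matmul(H, gadget(len(A), q, delta), q)


def lemma35_trapdoor(A, W1, W2, H, T1, T2, q, delta):
    """Deterministic construction from the proof: returns (B, S, H*) with B S = H* G_{2n}."""
    if not precondition_holds(A, W1, W2, H, T1, T2, q, delta):
        raise ValueError("inputs do not satisfy W1 A T1 - W2 A T2 = H G")
    n, m = len(A), len(A[0])
    G = gadget(n, q, delta)
    W1A, W2A = matmul(W1, A, q), matmul(W2, A, q)
    S13 = gadget_inverse(matmul(W2A, T2, q), q, delta)         # G^{-1}(W2 A T2)
    S23 = gadget_inverse(neg(matmul(W1A, T1, q), q), q, delta)  # G^{-1}(-W1 A T1)
    B = vstack(hstack(W1A, zeros(n, m), neg(G, q)), hstack(zeros(n, m), W2A, neg(G, q)))
    S = vstack(hstack(T1, neg(T1, q)), hstack(T2, neg(T2, q)), hstack(S13, S23))
    Hstar = vstack(hstack(H, zeros(n, n)), hstack(zeros(n, n), H))
    return B, S, Hstar


def is_trapdoor(B, S, Hstar, n, q, delta):
    """S is a G_{2n}-trapdoor for B with tag H* iff B S == H* G_{2n} (mod q)."""
    return matmul(B, S, q) == matmul(Hstar, gadget(2 * n, q, delta), q)


def build_instance(q, delta, w1, w2, h, m, seed=0):
    """Constructed toy instance, n = 1, scalars w1, w2, h invertible mod prime q.
    The gadget row is the first block of A*, so T1 = G^{-1}(w1^{-1}(h G + w2 A T2))
    padded with zero rows satisfies the hypothesis; easy by design, not a hard instance."""
    rng = random.Random(seed)
    G = gadget(1, q, delta)
    t = len(G[0])
    A = hstack(G, [[rng.randrange(q) for _ in range(m - t)]])            # 1 x m
    T2 = [[rng.choice((-1, 0, 1)) % q for _ in range(t)] for _ in range(m)]  # short, m x t
    rhs = add([[h * v % q for v in G[0]]], [[w2 * v % q for v in matmul(A, T2, q)[0]]], q)
    rhs = [[pow(w1, -1, q) * v % q for v in rhs[0]]]
    T1 = vstack(gadget_inverse(rhs, q, delta), zeros(m - t, t))          # short, m x t
    return A, [[w1]], [[w2]], [[h]], T1, T2


def norm_bound_holds(S, T1, T2, q):
    """||S|| <= sqrt(2 (alpha^2 + t^2 N)) with alpha = ||(T1, T2)||, N = 1, t = #columns."""
    t, alpha = len(T1[0]), max_col_norm(vstack(T1, T2), q)
    return max_col_norm(S, q) <= math.sqrt(2 * (alpha ** 2 + t ** 2))


def demo(q=13, delta=2):
    """q = 13 satisfies q = 5 mod 8 and q~ = 4; returns the two checks of the lemma."""
    A, W1, W2, H, T1, T2 = build_instance(q, delta, w1=3, w2=5, h=7, m=6)
    B, S, Hstar = lemma35_trapdoor(A, W1, W2, H, T1, T2, q, delta)
    return {"trapdoor": is_trapdoor(B, S, Hstar, 1, q, delta),
            "norm_bound": norm_bound_holds(S, T1, T2, q),
            "dims": (len(B), len(B[0]), len(S), len(S[0]))}
```

Running `demo()` reports that the \(2 \times 16\) matrix \({\textbf {B}} \) times the \(16 \times 8\) matrix \({\textbf {S}} \) equals \({\textbf {H}} ^*{\textbf {G}} _2\) modulo 13 and that the column norm of \({\textbf {S}} \) stays within \(\sqrt{2(\alpha ^2 + t^2)}\); replacing \({\textbf {H}} \) by a different scalar makes `lemma35_trapdoor` raise, since the hypothesis is checked before anything is built.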

Our first result says that \(\textsf{StructBASIS}\) and \(\textsf {PowerBASIS} \) are equivalent for the dimension \(\ell = 2\).

Lemma 3.6

(\(\textsf{StructBASIS} \iff \textsf {PowerBASIS} \)). Let \(n, N, \beta \ge 1\) and \(t {:}{=} (n+1){\tilde{q}}\). Suppose \(m > t + n \) and \(\mathfrak {s}> 2N \cdot q^{\frac{n+1}{m-t} + \frac{2}{N(m-t)}}\). If \(\sigma _0,\sigma _1\) satisfy the following inequalities:

$$\begin{aligned} \sigma _0 \ge \delta \mathfrak {s}N \cdot \omega (\sqrt{t(m-t)\log (mN)}), \quad \sigma _1 \ge \delta \sqrt{2tN( \sigma ^2_0 m' + t)} N \cdot \omega (\sqrt{\log nN}), \end{aligned}$$

where \(m' = 2m+t\), then the following statements are true:

  1. The \(\textsf{StructBASIS}_{n,m,N,q,2,\sigma _0,\beta }\) assumption holds under the \(\textsf {PowerBASIS} _{n,m,N,q,2,\sigma _1,\beta }\) assumption.

  2. The \(\textsf{PowerBASIS}_{n,m,N,q,2,\sigma _0,\beta }\) assumption holds under the \(\textsf{StructBASIS}_{n,m,N,q,2,\sigma _1,\beta }\) assumption.

Proof

We only show the first statement since the other direction follows identically. Let \(\mathcal {A}\) be a PPT adversary for the \(\textsf{StructBASIS}_{n,m,N,q,2,\sigma ,\beta }\) problem and suppose it wins with probability \(\epsilon \). We provide a PPT algorithm \(\mathcal {B}\) for solving \(\textsf {PowerBASIS} _{n,m,N,q,2,\sigma ,\beta }\) which does the following. First, \(\mathcal {B}\) is given a tuple \(({\textbf {A}} ,{\textbf {B}} , {\textbf {T}} , {\textbf {W}} )\) where

$$\begin{aligned} {\textbf {B}} {:}{=} \begin{bmatrix} \mathbf {A^{\!\star }} &{} \textbf{0} &{} -{\textbf {G}} \\ \textbf{0} &{} {\textbf {W}} \mathbf {A^{\!\star }} &{} -{\textbf {G}} \\ \end{bmatrix} \quad \text {and} \quad {\textbf {T}} {:}{=} \begin{bmatrix} {\textbf {T}} _{1,1} &{} {\textbf {T}} _{1,2} \\ {\textbf {T}} _{2,1} &{} {\textbf {T}} _{2,2} \\ {\textbf {T}} _{3,1} &{} {\textbf {T}} _{3,2} \\ \end{bmatrix}. \end{aligned}$$

We claim that the following probability is negligible:

$$\begin{aligned} \epsilon _{\textsf{smooth}} {:}{=} \Pr \left[ \sigma _0 < \eta _\epsilon (\Lambda ^\perp ({\textbf {B}} )) \bigg | \mathbf {A^{\!\star }} \leftarrow \mathcal {R}_q^{(n+1)\times m}\right] \hspace{5.0pt}. \end{aligned}$$

Indeed, note that by Lemma 2.15 we obtain:

$$\begin{aligned} \Pr \left[ \sigma _0 < \eta _\epsilon (\Lambda ^\perp ({\textbf {B}} )) \bigg | (\mathbf {A^{\!\star }},{\textbf {R}} ) \leftarrow \textsf {TrapGen} (n+1,m)\right] \ge \epsilon _{\textsf{smooth}} - \textsf {negl} (\lambda )\hspace{5.0pt}. \end{aligned}$$

If \((\mathbf {A^{\!\star }},{\textbf {R}} ) \leftarrow \textsf {TrapGen} (n+1,m)\) then the following matrix \({\textbf {R}} ^*\) is a \({\textbf {G}} _{2n}\)-trapdoor for \({\textbf {B}} \) with a tag \({\textbf {H}} ^*\), where:

$$\begin{aligned} {\textbf {R}} ^* {:}{=} \begin{bmatrix} {\textbf {R}} &{} \textbf{0} \\ \textbf{0} &{} {\textbf {R}} \\ \textbf{0} &{} \textbf{0} \\ \end{bmatrix} \quad \text {and} \quad {\textbf {H}} ^* {:}{=} \begin{bmatrix} {\textbf {I}} _{n+1} &{} \textbf{0} \\ \textbf{0} &{} {\textbf {W}} \end{bmatrix} \hspace{5.0pt}. \end{aligned}$$

Moreover, \(\Vert {\textbf {R}} ^* \Vert \le 2\mathfrak {s}\sqrt{t(m-t)N}\) with an overwhelming probability (cf. Lemma 2.7). If this is the case then by assumption \(\sigma _0 \ge \delta \cdot \Vert {\textbf {R}} ^*\Vert \cdot \omega (\sqrt{t(m-t)\log (mN)})\). Then, by combining Lemma 2.14 with Lemma 2.2, we obtain

$$\begin{aligned} \textsf {negl} (\lambda )= \Pr \left[ \sigma _0 < \eta _\epsilon (\Lambda ^\perp ({\textbf {B}} )) \bigg | (\mathbf {A^{\!\star }},{\textbf {R}} ) \leftarrow \textsf {TrapGen} (n+1,m)\right] \ge \epsilon _{\textsf{smooth}} - \textsf {negl} (\lambda )\end{aligned}$$

and thus \(\sigma _0 \ge \eta _\epsilon (\Lambda ^\perp ({\textbf {B}} ))\) with an overwhelming probability, where \({\textbf {B}} \) is the matrix received by \(\mathcal {B}\). Thus, we can apply Lemma 2.7 to deduce that with an overwhelming probability

$$\begin{aligned} \left\| \begin{bmatrix} {\textbf {T}} _{1,1} \\ {\textbf {T}} _{2,1} \end{bmatrix}\right\| \le \alpha {:}{=} \sigma _0 \sqrt{m'tN} \hspace{5.0pt}. \end{aligned}$$

Further, reading off the first block column of \({\textbf {B}} {\textbf {T}} = {\textbf {G}} _{2(n+1)}\) (that is, \(\mathbf {A^{\!\star }}{\textbf {T}} _{1,1} - {\textbf {G}} {\textbf {T}} _{3,1} = {\textbf {G}} \) and \({\textbf {W}} \mathbf {A^{\!\star }}{\textbf {T}} _{2,1} - {\textbf {G}} {\textbf {T}} _{3,1} = \textbf{0}\)) and subtracting, we deduce that

$$\begin{aligned} \mathbf {A^{\!\star }}{\textbf {T}} _{1,1} - {\textbf {W}} \mathbf {A^{\!\star }} {\textbf {T}} _{2,1} = {\textbf {G}} \hspace{5.0pt}. \end{aligned}$$

The reduction \(\mathcal {B}\) now samples a uniformly random \({\textbf {W}} _1 \leftarrow \textsf {GL} (n+1,\mathcal {R}_q)\) and defines \({\textbf {W}} _2 {:}{=} {\textbf {W}} _1{\textbf {W}} \). Thus

$$\begin{aligned} {\textbf {W}} _1\mathbf {A^{\!\star }} {\textbf {T}} _{1,1} - {\textbf {W}} _2\mathbf {A^{\!\star }} {\textbf {T}} _{2,1} = {\textbf {W}} _1{\textbf {G}} \hspace{5.0pt}. \end{aligned}$$

By applying Lemma 3.5, \(\mathcal {B}\) can obtain a \({\textbf {G}} _{2(n+1)}\)-trapdoor \({\textbf {S}} \) for

$$\begin{aligned} {\textbf {B}} ' {:}{=} \begin{bmatrix} {\textbf {W}} _1\mathbf {A^{\!\star }} &{} \textbf{0} &{} -{\textbf {G}} \\ \textbf{0} &{} {\textbf {W}} _2\mathbf {A^{\!\star }} &{} -{\textbf {G}} \\ \end{bmatrix} \end{aligned}$$

with the tag \({\textbf {H}} ^* {:}{=} {\textbf {I}} _2 \otimes {\textbf {W}} _1\) where \(\Vert {\textbf {S}} \Vert \le \sqrt{2(\alpha ^2 + t^2N)} \le \sqrt{2tN( \sigma ^2_0 m' + t)}\). Then, the algorithm \(\mathcal {B}\) runs \({\textbf {T}} ' \leftarrow \textsf {SamplePre} ({\textbf {B}} ',{\textbf {S}} ,{\textbf {G}} _{2(n+1)},\sigma _1)\). Finally, \(\mathcal {B}\) sends \(({\textbf {A}} ,{\textbf {B}} ',{\textbf {T}} ',\textsf {aux} ' {:}{=} ({\textbf {W}} _1,{\textbf {W}} _2))\) to \(\mathcal {A}\) and returns what \(\mathcal {A}\) outputs.

To argue correctness of the reduction, first note that \(\textsf {aux} '\) and \({\textbf {B}} '\) are correctly generated. Further, by assumption we have \(\sigma _1 \ge \delta \Vert {\textbf {S}} \Vert \cdot \omega (\sqrt{N\log nN})\) and thus by Lemma 2.16, the distribution of \(\textsf {SamplePre} ({\textbf {B}} ',{\textbf {S}} ,{\textbf {G}} _{2(n+1)},\sigma _1)\) is statistically close to \({\textbf {B}} '^{-1}_{\sigma _1} ({\textbf {G}} _{2(n+1)})\). Consequently, \(\mathcal {A}\) outputs a valid answer to \(\mathcal {B}\) with probability \(\epsilon - \textsf {negl} (\lambda )\). Finally, a valid solution for \(\textsf{StructBASIS}\) implies a valid solution for \(\textsf{PowerBASIS}\), which concludes the proof. \(\square \)

The next result focuses on the \(\textsf{PRISIS}\) variant. It turns out that the commutative property of the assumption allows us to reduce it to standard assumptions.

Lemma 3.7

(\(\textsf{PRISIS} \implies \textsf {MSIS} \)). Let \(n >0, m \ge n\) and denote \(t = (n+1){\tilde{q}}\). Let \(q = \omega (N)\). Take \(\epsilon \in (0,1/3)\) and \(\mathfrak {s}\ge \max (\sqrt{N\ln (8Nq)}\cdot q^{1/2 + \epsilon }, \omega (N^{3/2}\ln ^{3/2}N))\) such that \(2^{10N}q^{-\lfloor \epsilon N \rfloor }\) is negligible. Let

$$\begin{aligned} \sigma \ge \delta \sqrt{tN\cdot (N^2 \mathfrak {s}^2m + 2t)} \cdot \omega (\sqrt{N\log n N}). \end{aligned}$$

Then, \(\textsf{PRISIS}_{n,m,N,q,2,\sigma ,\beta }\) is hard under the \(\textsf {MSIS} _{n,m,N,q,\beta }\) assumption.

Proof

Suppose there is a PPT algorithm \(\mathcal {A}\) which wins \(\textsf{PRISIS}_{n,m,N,q,2,\sigma ,\beta }\) with probability \(\epsilon \). We revisit the \(\textsf{PRISIS}\) security game and introduce a single game hop. The purpose of the hybrid argument will be to plug in the NTRU trapdoor inside the auxiliary information w. We define \(\varepsilon _i\) to be the probability that \(\mathcal {A}\) wins \(\textsf{Game}\) i.

Game 1: This is the standard \(\textsf{PRISIS}\) security game. To recall, the challenger samples \({\textbf {a}} \leftarrow \mathcal {R}_q^{m}\), \({\textbf {A}} \leftarrow \mathcal {R}_q^{n \times m}\) and sets \(\mathbf {A^{\!\star }}\) as in (11). Then, it generates an invertible element \(w \leftarrow \mathcal {R}_q^\times \) and computes the matrix:

$$\begin{aligned} {\textbf {B}} {:}{=} \begin{bmatrix} \mathbf {A^{\!\star }} &{} \textbf{0} &{} -{\textbf {G}} \\ \textbf{0} &{} {\textbf {W}} \mathbf {A^{\!\star }} &{} -{\textbf {G}} \\ \end{bmatrix} \hspace{5.0pt}, \end{aligned}$$

where \({\textbf {W}} {:}{=} w \cdot {\textbf {I}} _{n+1}\). Then, it samples \({\textbf {T}} \leftarrow {\textbf {B}} ^{-1}_{\sigma }({\textbf {G}} _{2(n+1)})\) and outputs \(({\textbf {A}} ,{\textbf {B}} ,{\textbf {T}} ,w)\) to the adversary \(\mathcal {A}\). By definition, \(\varepsilon _1 = \epsilon \).

Game 2: In this game, we obtain w by running the \((w,{\textbf {T}} _\textsf {NTRU} ) \leftarrow \textsf {NTRU.TrapGen} (q,N,\mathfrak {s})\) algorithm. By Lemma 2.11, \(\varepsilon _2 \ge \varepsilon _1 - 2^{10N}q^{- \lfloor \epsilon N \rfloor }\).

Suppose there is an adversary which wins \(\textsf{Game}_2\). We now show how to build a \(\textsf{PRISIS}\) trapdoor \({\textbf {T}} \) given the Module-SIS matrix \({\textbf {A}} \) and the NTRU trapdoor \({\textbf {T}} _\textsf {NTRU} \). To this end, we will show how to find short matrices \({\textbf {S}} _1,{\textbf {S}} _2\) such that:

$$\begin{aligned} \mathbf {A^{\!\star }}{\textbf {S}} _1 - w\mathbf {A^{\!\star }}{\textbf {S}} _2 = {\textbf {G}} \hspace{5.0pt}. \end{aligned}$$

Let \({\textbf {g}} _i\) be the i-th column of \({\textbf {G}} \). Assuming that \(\mathbf {A^{\!\star }}\) is full-rank (cf. Lemma 2.3) and using linear algebra, we can find a (possibly large) vector \({\textbf {t}} \) such that \(\mathbf {A^{\!\star }}{\textbf {t}} = {\textbf {g}} _i\). Now, using the NTRU trapdoor \({\textbf {T}} _{\textsf {NTRU} }\) (such that \(\Vert \tilde{{\textbf {T}} }_{\textsf {NTRU} }\Vert \le N \mathfrak {s}\) by Lemma 2.11) and the nearest plane algorithm [63], we can find vectors \(({\textbf {s}} _{1,i},{\textbf {s}} _{2,i}) \in \mathcal {R}_q^{m} \times \mathcal {R}_q^{m}\) such that:

$$\begin{aligned} {\textbf {s}} _{1,i} - w{\textbf {s}} _{2,i} = {\textbf {t}} \text { and } \Vert ({\textbf {s}} _{1,i},{\textbf {s}} _{2,i})\Vert \le N\mathfrak {s}\sqrt{mN/2}. \end{aligned}$$

Therefore

$$\begin{aligned} \mathbf {A^{\!\star }}{\textbf {s}} _{1,i} - w\mathbf {A^{\!\star }}{\textbf {s}} _{2,i} = \mathbf {A^{\!\star }}({\textbf {s}} _{1,i} - w{\textbf {s}} _{2,i}) = \mathbf {A^{\!\star }}{\textbf {t}} = {\textbf {g}} _i \hspace{5.0pt}. \end{aligned}$$

Thus, we obtain the matrices \({\textbf {S}} _1,{\textbf {S}} _2\) by concatenation where

$$\begin{aligned} \left\| \begin{bmatrix}{\textbf {S}} _1 \\ {\textbf {S}} _2 \end{bmatrix}\right\| \le \alpha {:}{=} N\mathfrak {s}\sqrt{mtN/2} \hspace{5.0pt}. \end{aligned}$$

Consequently, by Lemma 3.5, we can build a \({\textbf {G}} _{2(n+1)}\)-trapdoor \({\textbf {S}} \) for \({\textbf {B}} \) such that

$$\begin{aligned} \Vert {\textbf {S}} \Vert \le \sqrt{2(\alpha ^2 + t^2N)} = \sqrt{tN\cdot (N^2 \mathfrak {s}^2m + 2t)} \hspace{5.0pt}. \end{aligned}$$

Hence, the reduction \(\mathcal {B}\) can construct the trapdoor \({\textbf {S}} \) as above and then randomise the trapdoor for \({\textbf {B}} \) by running \({\textbf {T}} \leftarrow \textsf {SamplePre} ({\textbf {B}} ,{\textbf {S}} ,{\textbf {G}} _{2(n+1)},\sigma )\). Finally it sends the tuple to \(\mathcal {A}\) and returns what it outputs. By Lemma 2.16, \(\mathcal {B}\) wins the Module-SIS game with probability at least \(\varepsilon _2 - \textsf {negl} (\lambda )\), which concludes the proof. \(\square \)

3.2 Higher Dimensions

One could hope that the techniques to analyse hardness of the \(\textsf {BASIS} \) assumption can be translated to higher dimensions. This could be promising especially for the \(\textsf{PRISIS}\) assumption, which we managed to reduce to standard lattice assumptions for the \(\ell = 2\) case. Unfortunately, the reduction falls flat when considering higher dimensions.

We showcase this for \(\ell = 3\). Following the approach for the smaller dimension, the goal is to find short matrices \({\textbf {S}} _1,{\textbf {S}} _2,{\textbf {S}} _3\) such that

$$\begin{aligned} \mathbf {A^{\!\star }} {\textbf {S}} _1 - w\mathbf {A^{\!\star }}{\textbf {S}} _2&= {\textbf {Z}} _1\nonumber \\ \mathbf {A^{\!\star }}{\textbf {S}} _2 - w \mathbf {A^{\!\star }}{\textbf {S}} _3&= {\textbf {Z}} _2 \end{aligned}$$
(12)

for any \({\textbf {Z}} _1,{\textbf {Z}} _2\) given the NTRU trapdoor for w. If this is possible, we could set \({\textbf {Z}} _1 = {\textbf {G}} \) and \({\textbf {Z}} _2 = \textbf{0}\) which would give us:

$$\begin{aligned} \mathbf {A^{\!\star }} {\textbf {S}} _1 - w\mathbf {A^{\!\star }}{\textbf {S}} _2&= {\textbf {G}} \\ w\mathbf {A^{\!\star }}{\textbf {S}} _2 - w^2 \mathbf {A^{\!\star }}{\textbf {S}} _3&= \textbf{0}. \end{aligned}$$

Set \({\textbf {S}} _4 {:}{=} {\textbf {G}} ^{-1}(\mathbf {A^{\!\star }}{\textbf {S}} _1 - {\textbf {G}} )\). Then, we have:

$$\begin{aligned} \begin{bmatrix} \mathbf {A^{\!\star }} &{} \textbf{0} &{} \textbf{0} &{} -{\textbf {G}} \\ \textbf{0} &{} w\mathbf {A^{\!\star }} &{} \textbf{0} &{} -{\textbf {G}} \\ \textbf{0} &{} \textbf{0} &{} w^2\mathbf {A^{\!\star }} &{} -{\textbf {G}} \\ \end{bmatrix} \begin{bmatrix} {\textbf {S}} _1 \\ {\textbf {S}} _2 \\ {\textbf {S}} _3 \\ {\textbf {S}} _4 \\ \end{bmatrix} = \begin{bmatrix} {\textbf {G}} \\ \textbf{0} \\ \textbf{0} \end{bmatrix} \hspace{5.0pt}. \end{aligned}$$

We proceed similarly for

$$\begin{aligned} ({\textbf {Z}} _1,{\textbf {Z}} _2) = (-{\textbf {G}} ,w^{-1}{\textbf {G}} ) \quad \text {and} \quad ({\textbf {Z}} _1,{\textbf {Z}} _2) = (\textbf{0},-w^{-1}{\textbf {G}} )\hspace{5.0pt}. \end{aligned}$$

Thus, we managed to build a \({\textbf {G}} _{3(n+1)}\)-trapdoor for \({\textbf {B}} \). What is left to do is to produce short \({\textbf {S}} _1,{\textbf {S}} _2,{\textbf {S}} _3\) which satisfy (12). To this end, consider the q-ary lattice

$$\begin{aligned} \Lambda = \left\{ (s_1,s_2,s_3) : \begin{bmatrix}1 &{} - w &{} 0 \\ 0 &{} w &{} -w^2 \end{bmatrix}\begin{bmatrix} s_1 \\ s_2 \\ s_3 \end{bmatrix} = \textbf{0} \bmod q \right\} \hspace{5.0pt}. \end{aligned}$$

Suppose we can build a short basis for \(\Lambda \) given the NTRU trapdoor for w. Let \({\textbf {z}} _{1,i},{\textbf {z}} _{2,i}\) be the i-th column of \({\textbf {Z}} _1\) and \({\textbf {Z}} _2\). Now, assuming that \(\mathbf {A^{\!\star }}\) is full-rank, we can find (possibly large) \({\textbf {t}} _1\) and \({\textbf {t}} _2\) such that \(\mathbf {A^{\!\star }}{\textbf {t}} _j = {\textbf {z}} _{j,i}\) for \(j=1,2\). Now, using the short basis for \(\Lambda \), we can sample short vectors \({\textbf {s}} _{1,i}, {\textbf {s}} _{2,i}, {\textbf {s}} _{3,i}\) such that:

$$\begin{aligned} {\textbf {s}} _{1,i} - w{\textbf {s}} _{2,i}&= {\textbf {t}} _1 \\ {\textbf {s}} _{2,i} - w{\textbf {s}} _{3,i}&= {\textbf {t}} _2. \end{aligned}$$

Hence,

$$\begin{aligned} \mathbf {A^{\!\star }}{\textbf {s}} _{1,i} - w\mathbf {A^{\!\star }}{\textbf {s}} _{2,i}&= \mathbf {A^{\!\star }}({\textbf {s}} _{1,i} - w{\textbf {s}} _{2,i}) = \mathbf {A^{\!\star }} {\textbf {t}} _1 = {\textbf {z}} _{1,i} \\ \mathbf {A^{\!\star }}{\textbf {s}} _{2,i} - w\mathbf {A^{\!\star }}{\textbf {s}} _{3,i}&= \mathbf {A^{\!\star }}({\textbf {s}} _{2,i} - w{\textbf {s}} _{3,i})= \mathbf {A^{\!\star }}{\textbf {t}} _2 = {\textbf {z}} _{2,i}. \end{aligned}$$

Therefore, we obtain the matrices \({\textbf {S}} _1,{\textbf {S}} _2,{\textbf {S}} _3\) by concatenation.

Unfortunately, we are only aware of the following two bases of \(\Lambda \):

$$\begin{aligned} \begin{bmatrix} w^2 &{} w &{} 1 \\ q &{} 0 &{} 0 \\ 0 &{} q &{} 0 \\ \end{bmatrix} \quad \text {and} \quad \begin{bmatrix} u^2 &{} uv &{} v^2 \\ \bar{u}^2 &{} \bar{u}\bar{v} &{} \bar{v}^2 \\ \bar{u}u &{} \bar{u}v &{} \bar{v}v \\ \end{bmatrix} \hspace{5.0pt}, \end{aligned}$$

where \({\textbf {T}} _\textsf {NTRU} {:}{=} ((u,v),(\bar{u},\bar{v}))\) is the short NTRU basis. Since \(\Vert u\Vert ,\Vert v\Vert \approx \sqrt{q}\), the latter basis cannot have short coefficients. We leave further analysis of this approach for future work.

4 Power-BASIS Commitment Scheme

In this section we define a compressing commitment scheme which stems from the vector commitment construction of Wee and Wu [83]. We inherit a crucial property from the aforementioned work, namely that we support committing to arbitrarily large ring elements. Let \(\ell {:}{=} d+1\) be the length of the committed vectors over \(\mathcal {R}_q\). Thus, the message space is \(\mathcal {M}{:}{=} \mathcal {R}_q^{d+1}\). We let \(\gamma , \beta _s \) be the parameters controlling the norm of various vectors. Further, we define the slack space as the set of vectors of short polynomials:

$$\begin{aligned} \mathcal {S}{:}{=} \{ (c_0,\ldots ,c_{d}) : \forall i\in [0,d], c_i \in \mathcal {R}_q^\times \wedge \Vert c_i\Vert _1 \le \beta _s \} \hspace{5.0pt}. \end{aligned}$$

Informally, we say that a slack is a single element \(c \in \mathcal {R}_q\) if \((c,\ldots ,c) \in \mathcal {S}\). Finally, we define \(t = n{\tilde{q}}\) and \({\textbf {G}} {:}{=} {\textbf {G}} _n \in \mathcal {R}_q^{n \times t}\).

Fig. 4

\(\textsf {PowerBASIS} \) commitment scheme for arbitrary messages in the message space \(\mathcal {M}= \mathcal {R}_q^{d+1}\) with the slack space \(\mathcal {S}{:}{=} \{ (c_0,\ldots ,c_{d}) : \forall i\in [0,d], c_i \in \mathcal {R}_q^\times \wedge \Vert c_i\Vert _\infty \le \beta _s \}\). Here, \({\textbf {G}} \in \mathcal {R}_q^{n \times n{\tilde{q}}}\) is the gadget matrix of height n

We now give intuition on the construction, and provide a formal description in Fig. 4. The setup algorithm uses the \(\textsf {TrapGen} \) and \(\textsf {SamplePre} \) algorithms defined in Sect. 2.5. Namely, it first generates the two matrices \(({\textbf {A}} ,{\textbf {R}} ) \leftarrow \textsf {TrapGen} (n,m)\) along with a uniformly random invertible \({\textbf {W}} \leftarrow \textsf {GL} (n,\mathcal {R}_q)\). Then, \({\textbf {A}} {\textbf {R}} = {\textbf {G}} \), where \(\Vert {\textbf {R}} \Vert \le \mathfrak {s}\sqrt{2t(m-t)N}\) and \(\mathfrak {s}> 2N \cdot q^{\frac{n}{m-t} + \frac{2}{N(m-t)}}\) (cf. Lemma 2.15). Further, it computes \({\textbf {R}} _i {:}{=} {\textbf {R}} {\textbf {G}} ^{-1}({\textbf {W}} ^{-i}{\textbf {G}} )\) for \(i=0,1,\ldots ,d\). Note that

$$\begin{aligned} {\textbf {W}} ^{i}{\textbf {A}} {\textbf {R}} _i = {\textbf {W}} ^i{\textbf {A}} {\textbf {R}} {\textbf {G}} ^{-1}({\textbf {W}} ^{-i}{\textbf {G}} ) = {\textbf {W}} ^i{\textbf {G}} {\textbf {G}} ^{-1}({\textbf {W}} ^{-i}{\textbf {G}} ) = {\textbf {G}} \end{aligned}$$

and thus \({\textbf {R}} _i\) is a \({\textbf {G}} \)-trapdoor for \({\textbf {W}} ^i{\textbf {A}} \) and by Lemma 2.2:

$$\begin{aligned} \Vert {\textbf {R}} _i\Vert \le \Vert {\textbf {R}} \Vert \cdot N\sqrt{nt} \le \mathfrak {s}Nt \sqrt{2n(m-t)N}. \end{aligned}$$

Then, the algorithm computes the \(\textsf {PowerBASIS} \) matrix along with its trapdoor:

$$\begin{aligned} {\textbf {B}} {:}{=} \left[ \begin{array}{@{}ccc|c@{}} {\textbf {A}} &{} &{} &{} -{\textbf {G}} \\ &{} \ddots &{} &{} \vdots \\ &{} &{} {\textbf {W}} ^{d} {\textbf {A}} &{} -{\textbf {G}} \end{array}\right] , \quad \tilde{{\textbf {R}} } {:}{=} \begin{bmatrix} {\textbf {R}} _{0} &{} &{} \\ &{} \ddots &{} \\ &{} &{} {\textbf {R}} _{d} \\ \hline &{} \textbf{0}&{} \end{bmatrix}\hspace{5.0pt}. \end{aligned}$$
(13)

Indeed, one can check that \({\textbf {B}} \tilde{{\textbf {R}} } = {\textbf {G}} _{n(d+1)}\) and \(\Vert \tilde{{\textbf {R}} }\Vert \le \mathfrak {s}Nt \sqrt{2(d+1)n(m-t)N}\). Finally, the setup algorithm re-randomises the trapdoor \(\tilde{{\textbf {R}} }\) by running

$$\begin{aligned} {\textbf {T}} \leftarrow \textsf {SamplePre} ({\textbf {B}} ,\tilde{{\textbf {R}} },{\textbf {G}} _{n(d+1)},\sigma _0)\hspace{5.0pt}, \end{aligned}$$

and thus \({\textbf {B}} {\textbf {T}} = {\textbf {G}} _{n(d+1)}\). Finally, the public parameters \(\textsf {crs} {:}{=} ({\textbf {A}} ,{\textbf {W}} ,{\textbf {T}} )\) are returned.

Suppose we want to commit to a vector \((f_0,f_1,\ldots ,f_d)\) of length \(d+1\). To this end, we use \(\textsf {crs} \) to compute

$$\begin{aligned} \begin{bmatrix} {\textbf {s}} _0 \\ \vdots \\ {\textbf {s}} _d \\ \hat{{\textbf {t}} } \end{bmatrix} \leftarrow \textsf {SamplePre} \left( \left[ \begin{array}{@{}ccc|c@{}} {\textbf {A}} &{} &{} &{} -{\textbf {G}} \\ &{} \ddots &{} &{} \vdots \\ &{} &{} {\textbf {W}} ^{d} {\textbf {A}} &{} -{\textbf {G}} \end{array}\right] , \begin{bmatrix} -f_0 {\textbf {W}} ^0 {\textbf {e}} _1 \\ \vdots \\ -f_d {\textbf {W}} ^d {\textbf {e}} _1 \end{bmatrix}, {\textbf {T}} , \sigma _1\right) \hspace{5.0pt}. \end{aligned}$$

By definition, this means that \({\textbf {s}} _0,{\textbf {s}} _1,\ldots ,{\textbf {s}} _d \in \mathcal {R}_q^{m}\) and \({\textbf {t}} {:}{=} {\textbf {G}} \hat{{\textbf {t}} }\) satisfy:

$$\begin{aligned} {\textbf {A}} {\textbf {s}} _i + f_i{\textbf {e}} _1 = {\textbf {W}} ^{-i}{\textbf {t}} \quad \text {for } i=0,1,\ldots ,d \hspace{5.0pt}. \end{aligned}$$
(14)

The commitment and the decommitment state are \(C{:}{=} {\textbf {t}} \) and \(\textsf {st} {:}{=} ({\textbf {s}} _i)_{i \in [0,d]}\).

Finally, the opening function takes the public parameters \(\textsf {crs} \), the commitment \({\textbf {t}} \), a message vector \({\textbf {f}} {:}{=} (f_0,\ldots ,f_d)\), the decommitment state \(({\textbf {s}} _i)_{i \in [0,d]}\) and a relaxation factor \((c_0,\ldots ,c_d) \in \mathcal {S}\), and accepts if and only if (14) holds and \(\Vert c_i{\textbf {s}} _i\Vert \le \gamma \) for all \(i=0,1,\ldots ,d\).

4.1 Security Analysis

In the following, we show that the \(\textsf {PowerBASIS} \) commitment scheme satisfies completeness, relaxed binding and hiding. As before, we assume \(q \equiv 5 \pmod 8\) is a prime.

Lemma 4.1

(Completeness). Suppose \(n,N,\beta _s \ge 1\) and denote \(t{:}{=} n{\tilde{q}}\). Let \( m > t + n\), \(m' {:}{=} m(d+1)+n{\tilde{q}}\), \(n' {:}{=} n{\tilde{q}}(d+1)\) and \(t' {:}{=} \max (n',m')\). Take \(\mathfrak {s}> 2N \cdot q^{\frac{n}{m-t} + \frac{2}{N(m-t)}}\),

$$\begin{aligned} \sigma _0 \ge \delta \mathfrak {s}Nt \omega (\sqrt{2(d+1)n(m-t)N\log t'N}) \quad \text {and} \quad \sigma _1 \ge \delta \sigma _0N \cdot \omega (\sqrt{m'n'\log t'N}) \hspace{5.0pt}. \end{aligned}$$

If \(\gamma \ge \sigma _1 \sqrt{m'N}\) then the \(\textsf {PowerBASIS} \) commitment scheme satisfies completeness.

Proof

In the discussion above, we already showed that Eq. (14) is true. We will show that \(\Vert {\textbf {s}} _i\Vert \le \gamma \) for all i, and thus we can pick the global relaxation to be \((1,\ldots ,1) \in \mathcal {S}\).

First, note that the matrix \(\tilde{{\textbf {R}} } \in \mathcal {R}_q^{m' \times n'}\) satisfies \(\Vert \tilde{{\textbf {R}} }\Vert \le \mathfrak {s}Nt \sqrt{2(d+1)n(m-t)N}\) with high probability by Lemma 2.8. Hence \(\sigma _0 \ge \delta \Vert \tilde{{\textbf {R}} }\Vert \cdot \omega (\sqrt{N\log t'N})\) for \(t' =\max (n',m')\) and thus we can apply both Lemma 2.16 and Lemma 2.7 to deduce that with an overwhelming probability \(\Vert {\textbf {T}} \Vert \le \sigma _0 \sqrt{m'n'N}\). Similarly, we have \(\sigma _1 \ge \delta \Vert {\textbf {T}} \Vert \cdot \omega (\sqrt{N\log t'N})\) and thus \(\Vert {\textbf {s}} _i\Vert \le \sigma _1 \sqrt{m'N} \le \gamma \) with an overwhelming probability for all \(i=0,1,\ldots ,d\), which concludes the proof. \(\square \)

Based on the parameters above, we would require \(\sigma _0 = \tilde{O}(\sqrt{d})\) and \(\sigma _1 = \tilde{O}(d^{3/2})\), ignoring the polynomial factors related to the security parameter.

Lemma 4.2

(Relaxed Binding). Let \(t = n{\tilde{q}}\), \(m > t + n \) and \(n' = n{\tilde{q}}(d+1)\). Take \(\mathfrak {s}> 2N \cdot q^{\frac{n}{m-t} + \frac{2}{N(m-t)}}\). If \(\sigma _0 \ge \delta \mathfrak {s}Nt \omega (\sqrt{2(d+1)n(m-t)N\log n'N}) \) then under the \(\textsf {PowerBASIS} _{n-1,m,N,q,d+1,\sigma _0,2\beta _s\gamma }\) assumption, \(\textsf {PowerBASIS} \) commitment scheme satisfies relaxed binding.

Proof

Let \(\mathcal {A}\) be an adversary for the relaxed binding game which succeeds with probability \(\epsilon \). We prove the statement using a hybrid argument. We define \(\varepsilon _i\) to be the probability that \(\mathcal {A}\) wins \(\textsf{Game}\) i.

Game 0: This is the standard relaxed binding game. By definition \(\varepsilon _0 = \epsilon \).

Game 1: Here, we swap the \(\textsf {SamplePre} \) algorithm with sampling truly from a discrete Gaussian distribution. Since \(\sigma _0 \ge \delta \mathfrak {s}Nt \omega (\sqrt{2(d+1)n(m-t)N\log n'N})\), we can argue as in Lemma 4.1 that \(\varepsilon _1 \ge \varepsilon _0 - \textsf {negl} (\lambda )\).

Game 2: In this game we do not run \(\textsf {TrapGen} \) anymore, but instead the matrix \({\textbf {A}} \leftarrow \mathcal {R}_q^{n \times m}\) is selected uniformly at random. By Lemma 2.6, we deduce that \(\varepsilon _2 \ge \varepsilon _1 - \textsf {negl} (\lambda )\).

We claim that \(\varepsilon _2 = \textsf {negl} (\lambda )\) under the \(\textsf {PowerBASIS} \) assumption. First, by definition of the \(\textsf {PowerBASIS} \) assumption, our goal is to extract a short non-zero solution for the matrix \({\textbf {A}} ^*\), where

$$\begin{aligned} {\textbf {A}} {:}{=} \begin{bmatrix} {\textbf {a}} ^\top \\ \hline {\textbf {A}} ^* \end{bmatrix} \hspace{5.0pt}. \end{aligned}$$

Denote the tuple \(\mathcal {A}\) outputs as:

$$\begin{aligned} {\textbf {t}} , ({\textbf {f}} , ({\textbf {v}} _0, \ldots , {\textbf {v}} _d), (c_0,\ldots ,c_d)),({\textbf {f}} ', ({\textbf {v}} '_0, \ldots , {\textbf {v}} '_d), (c'_0,\ldots ,c'_d)). \end{aligned}$$

By definition, whenever \(\mathcal {A}\) wins, it must be that both openings are valid and \({\textbf {f}} \ne {\textbf {f}} '\), which implies there is at least one index \(j\) with \(f_j\ne f'_j\). Thus, by subtracting the two verification equations for index j, we have that

$$\begin{aligned} {\textbf {A}} ({\textbf {v}} _{j} - {\textbf {v}} '_{j}) = \begin{bmatrix} f'_j- f_j\\ 0 \\ \vdots \\ 0 \end{bmatrix} \hspace{5.0pt}. \end{aligned}$$

Since \(f'_j- f_j\ne 0\), this implies that \(\bar{{\textbf {v}} } {:}{=} ({\textbf {v}} _{j} - {\textbf {v}} '_{j}) \ne \textbf{0}\). Consequently, \({\textbf {A}} ^* \bar{{\textbf {v}} } = \textbf{0}\). Now, \(\bar{{\textbf {v}} }\) might not be short. Hence, we consider \(c_jc'_j\bar{{\textbf {v}} }\) instead. Clearly, this is still a non-zero solution for \({\textbf {A}} ^*\) since \(c_j,c'_j\) are invertible. Further,

$$\begin{aligned} \Vert c_jc'_j\bar{{\textbf {v}} }\Vert \le \Vert c'_j(c_j{\textbf {v}} )\Vert +\Vert c_j(c'_j{\textbf {v}} ')\Vert \le 2\beta _s\gamma \hspace{5.0pt}. \end{aligned}$$

Therefore, \(c_jc'_j\bar{{\textbf {v}} }\) is a valid solution to \(\textsf {PowerBASIS} \). \(\square \)

Lemma 4.3

(Hiding). Suppose \(n,N \ge 1\) and denote \(t{:}{=} n{\tilde{q}}\). Let \(m > t + n \), \(m' {:}{=} m(d+1)+n{\tilde{q}}\), \(n' {:}{=} n{\tilde{q}}(d+1)\) and \(t' {:}{=} \max (n',m')\). Take

$$\begin{aligned} \sigma _0&\ge \delta \mathfrak {s}Nt \omega (\sqrt{2(d+1)n(m-t)N\log t'N}), \\ \sigma _1&\ge \delta \cdot \max \left( \log ((d+1)mN),\sigma _0N \cdot \omega (\sqrt{m'n'\log t'N})\right) . \end{aligned}$$

Then, the \(\textsf {PowerBASIS} \) commitment scheme satisfies hiding.

Proof

Take an unbounded adversary \(\mathcal {A}\) which wins the hiding game with probability \(\epsilon \). We prove the statement via a sequence of games, where in each game we change the algorithm of \( \textsf {Commit} \). Let \(\epsilon _i\) be the advantage of the adversary against \(\textsf{Game}\) i.

Game 1: This is the original hiding game where \(\textsf {Commit} \) is defined in Fig. 4. For the purpose of the proof, we assume \(\textsf {Commit} \) does not output \(\textsf {st} \). Then, by definition \(\epsilon _1 = \epsilon \).

Game 2: In this game, \(\textsf {Commit} \) (inefficiently) samples

$$\begin{aligned} \begin{bmatrix} {\textbf {s}} _0 \\ \vdots \\ {\textbf {s}} _d \\ \hat{{\textbf {t}} } \end{bmatrix} \leftarrow {\textbf {B}} ^{-1}_{\sigma _1}\left( \begin{bmatrix} -f_0 {\textbf {W}} ^0 {\textbf {e}} _1 \\ \vdots \\ -f_d {\textbf {W}} ^d {\textbf {e}} _1 \end{bmatrix}\right) \end{aligned}$$

and outputs \({\textbf {t}} {:}{=} {\textbf {G}} \hat{{\textbf {t}} }\). By our assumption on \(\sigma _0,\sigma _1\) we can argue similarly as in Lemma 4.1 to deduce that \(|\epsilon _2 - \epsilon _1| = \textsf {negl} (\lambda )\).

Game 3: Here we make use of the fact that \({\textbf {B}} {:}{=} [{\textbf {E}} \text { } | \text { } {\textbf {F}} ]\) where

$$\begin{aligned} {\textbf {E}} {:}{=} \left[ \begin{array}{@{}cccc@{}} {\textbf {A}} &{} &{} &{} \\ &{} \ddots &{} &{} \\ &{} &{} &{} {\textbf {W}} ^{d} {\textbf {A}} \end{array}\right] \quad \text {and} \quad {\textbf {F}} {:}{=} \begin{bmatrix} -{\textbf {G}} \\ \vdots \\ -{\textbf {G}} \end{bmatrix} \end{aligned}$$

Concretely, the \(\textsf {Commit} \) algorithm first samples \(\hat{{\textbf {t}} } \leftarrow \mathcal {D}^{tN}_{\sigma _1}\), sets

$$\begin{aligned} \begin{bmatrix} {\textbf {t}} \\ \vdots \\ {\textbf {t}} \end{bmatrix} {:}{=} {\textbf {F}} \hat{{\textbf {t}} } \end{aligned}$$

and then generates

$$\begin{aligned} \begin{bmatrix} {\textbf {s}} _0 \\ \vdots \\ {\textbf {s}} _d \end{bmatrix} \leftarrow {\textbf {E}} ^{-1}_{\sigma _1}\left( \begin{bmatrix} -f_0 {\textbf {W}} ^0 {\textbf {e}} _1 \\ \vdots \\ -f_d {\textbf {W}} ^d {\textbf {e}} _1 \end{bmatrix} - \begin{bmatrix} {\textbf {t}} \\ \vdots \\ {\textbf {t}} \end{bmatrix} \right) . \end{aligned}$$

Finally, the algorithm outputs \({\textbf {t}} \).

By Lemma 2.5, there is a negligible function \(\varepsilon \) such that \(\sigma _1 \ge \eta _\varepsilon (\Lambda ^\perp ({\textbf {E}} ))\). Further, by Lemma 2.3 the matrix \({\textbf {A}} \) is full-rank (and so is \({\textbf {E}} \)) with an overwhelming probability. Hence, we can apply Lemma 2.9 to conclude \(|\epsilon _3 - \epsilon _2| = \textsf {negl} (\lambda )\).

Game 4: The \(\textsf {Commit} \) algorithm simply samples \(\hat{{\textbf {t}} } \leftarrow \mathcal {D}^{tN}_{\sigma _1}\) and outputs \({\textbf {t}} {:}{=} {\textbf {G}} \hat{{\textbf {t}} }\). Clearly, there is no difference between the outputs of Game 3 and 4, thus \(\epsilon _4 = \epsilon _3\).

Finally, the output of \(\textsf {Commit} \) in Game 4 does not depend on the challenge messages \(m_0,m_1\) from \(\mathcal {A}\). Hence, we get that \(\epsilon _4 = 1/2\). By the hybrid argument we obtain \(\epsilon = 1/2 + \textsf {negl} (\lambda )\), which concludes the proof. \(\square \)

Efficiency. The main bottleneck of the \(\textsf {Commit} \) algorithm is the trapdoor sampling procedure, which asymptotically takes \(O(d^2)\) operations over \(\mathcal {R}_q\). On the other hand, the opening algorithm makes O(d) operations in \(\mathcal {R}_q\).

Remark 4.4

Wee and Wu [83] proposed an alternative approach, which allows for linear-time commitment generation. This comes at the cost of (i) losing the hiding property, and (ii) the message space inherently must only contain short vectors. Since both properties are important in our polynomial commitment scheme, we do not describe the more efficient method in this work and refer to [83, Remark 4.12] for more details.

5 Efficient Proofs of Polynomial Evaluation

In this section we illustrate how to prove evaluations of a polynomial that is committed using the \(\textsf {PowerBASIS} \) commitment scheme from Fig. 4. We start by presenting a general framework for proving polynomial evaluations in Sect. 5.1, and then we describe two distinct instantiations in Sects. 5.2 and 5.3. For clarity, we give an overview of frequently used parameters in Table 3. We implicitly assume that lattice dimension parameters, such as n, m, N, are \(\textsf {poly} (\lambda )\).

Table 3 Overview of parameters and notation

5.1 Framework for Proving Evaluations

The main intuition can be described as follows. We design a relation that captures statements of the form: “the commitment \({\textbf {t}} \) has an opening \(f \in \mathcal {R}_q^{d+1}\) (with respect to a given \(\textsf {crs} \)) such that \(f(u) = v\), where \(f \in \mathcal {R}_q^{\le d}[\textsf {X} ]\) is now interpreted as polynomial”. The core observation is that there exists a \(\varSigma \)-protocol that interactively reduces an instance of that relation to a related one, in which the size of the committed polynomial is decreased. This new relation is with respect to a different common reference string, that can be efficiently computed from the previous one. We then exploit this recursion to shrink to a commitment with a constant-size opening.

We formalise this discussion by introducing the opening relation below

$$\begin{aligned} \textsf {R} _{d, \beta } {:}{=} \left\{ \left( ({\textbf {A}} , {\textbf {W}} ),({\textbf {t}} , u, z),(f,({\textbf {s}} _i)_i) \right) \bigg | \begin{array}{c} f(u) = z \\ \forall i \in [0, d], {\textbf {A}} {\textbf {s}} _i + f_i{\textbf {e}} _1 = {\textbf {W}} ^{-i}{\textbf {t}} \\ \wedge \left\| {\textbf {s}} _i\right\| \le \beta \end{array} \right\} \hspace{5.0pt}. \end{aligned}$$
(15)

We describe the \(\varSigma \)-protocol, upon which our main evaluation protocol is built, in Fig. 5. Roughly speaking, the prover divides the initial polynomial f of degree at most d into k polynomials \(g_1,\ldots ,g_k\) of degree at most \(d' {:}{=} (d+1)/k -1\) by writing

$$\begin{aligned} f(\textsf {X} ) {:}{=} \sum _{t \in [k]} \textsf {X} ^{t-1} g_t(\textsf {X} ^k) \hspace{5.0pt}. \end{aligned}$$
(16)

Then, it “commits” to the partial polynomials by providing their evaluations at the point u, say \(z_i {:}{=} g_i(u^k)\). Thus, by construction

$$\begin{aligned} z = f(u) = \sum _{t \in [k]} u^{t-1} g_t(u^k) = \sum ^k_{t=1} z_tu^{t-1} \hspace{5.0pt}. \end{aligned}$$
(17)

Next, the verifier outputs a challenge \((\alpha _1,\ldots ,\alpha _k) \leftarrow \mathcal {C}\subseteq \mathcal {R}_q^k\). Note that by considering the folded polynomial \(g = \sum ^k_{t=1} \alpha _tg_t\) of degree at most \(d'\), we obtain a new polynomial evaluation statement about g:

$$\begin{aligned} g(u^k) = \sum ^k_{t=1} \alpha _tz_t \hspace{5.0pt}. \end{aligned}$$
(18)

The main strength of the \(\textsf {PowerBASIS} \) commitment from Fig. 4 is that the commitment (resp. openings) to g can be efficiently computed from the commitment \({\textbf {t}} \) (resp. openings \({\textbf {s}} _i\)) of f given \(\alpha _1,\ldots ,\alpha _k\) in time O(k). This is the key idea for achieving succinct verification. Hence, the prover outputs the polynomial g in the clear, along with its opening vectors. The verifier eventually checks correctness of the openings with respect to the message g, as well as (17) and (18).

Fig. 5

The \(\varSigma \)-protocol \(\varSigma [d, k, \mathcal {C}, \beta ]\) for relation \(\textsf {R} _{d, \beta }\) in Equation (15). Here, \(d' {:}{=} (d+1)/k - 1\), \(\text {w}{:}{=} \max _{\varvec{\alpha }\in \mathcal {C}} \left\| \varvec{\alpha }\right\| _1\) and \({\textbf {s}} _{t,i} {:}{=} {\textbf {s}} _{ki+t-1}\) for \(i \in [0,d']\) and \(t \in [k]\)

We first prove that this protocol transforms an instance of \(\textsf {R} _{d, \beta }\) into a smaller one of \(\textsf {R} _{d', \beta '}\).

Lemma 5.1

(Completeness for \(\varSigma \)). Let \(\Pi {:}{=} \varSigma [d, k, \mathcal {C}, \beta ]\) as in Fig. 5. Then, \(\Pi \) is an interactive protocol with perfect completeness for \(\textsf {R} _{d, \beta }\).

Proof

Let \((\mathbb {i}, \mathbb {x}, \mathbb {w}) = (({\textbf {A}} , {\textbf {W}} ), ({\textbf {t}} , u, z), (f, ({\textbf {s}} _i)_{i \in [0, d]})) \in \textsf {R} _{d, \beta }\). Since \(f(u) = z\), the first verification check always succeeds by Equation (17). We are left to show that the new instance is valid. First, \(g(u^k) = \sum _{t \in [k]} \alpha _t g_t(u^k) = \sum _{t \in [k]} \alpha _t z_t\). Further, recall that for \(i \in [0, d']\) and \(t \in [k]\) we have

$$\begin{aligned} {\textbf {s}} _{t,i} = {\textbf {s}} _{ki+t-1} \quad \text {and} \quad g_{t,i} = f_{ki+t-1} \hspace{5.0pt}, \end{aligned}$$

where \(g_{t,i}\) is the i-th coefficient of the polynomial \(g_t\). Hence, the i-th coefficient of g satisfies \(g_i = \sum _{t \in [k]} \alpha _tg_{t,i} = \sum _{t \in [k]} \alpha _t f_{ki+t-1}\). Therefore,

$$\begin{aligned} {\textbf {A}} {\textbf {z}} _i + g_i {\textbf {e}} _1&= {\textbf {A}} \left( \sum _{t \in [k]} \alpha _t {\textbf {s}} _{t, i} \right) + \left( \sum _{t \in [k]} \alpha _t f_{ki+t-1} \right) \cdot {\textbf {e}} _1 \\&= \sum _{t \in [k]} \alpha _t \left( {\textbf {A}} {\textbf {s}} _{ki+t-1} + f_{ki+t-1} {\textbf {e}} _1 \right) \\&= \sum _{t \in [k]} \alpha _t \left( {\textbf {W}} ^{-(ki + t -1)} {\textbf {t}} \right) \\&= \left( \sum _{t \in [k]} \alpha _t {\textbf {W}} ^{-(ki + t -1)} \right) \cdot {\textbf {t}} \\&= ({\textbf {W}} ^{k})^{-i} \left( \sum _{t \in [k]}\alpha _t {\textbf {W}} ^{-(t-1)}\right) \cdot {\textbf {t}} . \end{aligned}$$

Finally, by Lemma 2.1 for \(\varvec{\alpha }\in \mathcal {C}\), \(\left\| {\textbf {z}} _i\right\| \le \sum _{t \in [k]} \left\| \alpha _t {\textbf {s}} _{t, i}\right\| \le \sum _{t \in [k]} \left\| \alpha _t\right\| _1 \cdot \beta \le \text {w}\beta \) where \(\text {w}{:}{=} \max _{\varvec{\alpha }\in \mathcal {C}} \left\| \varvec{\alpha }\right\| _1\). This shows that the new instance is in \(\textsf {R} _{d', \beta '}\), and thus the verifier accepts. \(\square \)
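The split, evaluation identity and fold of Eqs. (16)-(18), together with the folded commitment \(({\textbf {W}} ^k, (\sum _t \alpha _t {\textbf {W}} ^{-(t-1)}){\textbf {t}} )\) and openings \({\textbf {z}} _i\) from the proof of Lemma 5.1, as an added worked example; this is not code from the paper. It replaces \(\mathcal {R}_q\) by the toy ring \(\mathbb {Z}_q\) for a constructed prime q (the identities use only commutativity and linearity, so they carry over), leaves out \(\textsf {TrapGen} \), \(\textsf {SamplePre} \) and the norm bound \(\beta \) (only the algebraic relations of (15) are checked), and builds an instance with \({\textbf {A}} = [{\textbf {I}} _n \mid \text {random}]\) so that opening vectors can be solved for directly. All function and variable names are the example's own.

```python
"""Folding step of the Sigma-protocol of Fig. 5, worked over the toy ring Z_q.

Added example, not code from the paper: elements of R_q are replaced by integers
modulo a prime q, the trapdoor machinery and the shortness of openings are left
out, and only the algebra of Eqs. (16)-(18) and of the proof of Lemma 5.1 is run.
"""
import random

Q = 7919  # constructed toy modulus (a prime): every non-zero scalar is invertible


def poly_eval(f, u):
    """Horner evaluation of the coefficient list f (lowest degree first) at u mod Q."""
    acc = 0
    for c in reversed(f):
        acc = (acc * u + c) % Q
    return acc


def split(f, k):
    """Eq. (16): f(X) = sum_{t in [k]} X^{t-1} g_t(X^k); g_t takes the coefficients f_{ki+t-1}."""
    assert len(f) % k == 0, "d+1 must be divisible by k"
    return [f[t::k] for t in range(k)]


def fold(vectors, alphas):
    """sum_t alpha_t * vectors[t], coordinate-wise mod Q (used for polynomials and openings)."""
    return [sum(a * v[i] for a, v in zip(alphas, vectors)) % Q for i in range(len(vectors[0]))]


def matmul(X, Y):
    return [[sum(X[i][l] * Y[l][j] for l in range(len(Y))) % Q for j in range(len(Y[0]))]
            for i in range(len(X))]


def matvec(X, v):
    return [sum(X[i][l] * v[l] for l in range(len(v))) % Q for i in range(len(X))]


def matinv(M):
    """Gauss-Jordan inverse modulo the prime Q; returns None if M is singular."""
    n = len(M)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        piv = next((r for r in range(c, n) if aug[r][c]), None)
        if piv is None:
            return None
        aug[c], aug[piv] = aug[piv], aug[c]
        inv = pow(aug[c][c], -1, Q)
        aug[c] = [x * inv % Q for x in aug[c]]
        for r in range(n):
            if r != c and aug[r][c]:
                fac = aug[r][c]
                aug[r] = [(x - fac * y) % Q for x, y in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]


def honest_instance(rng, n, m, d):
    """Constructed instance of relation (15), shortness ignored: A = [I_n | random], so
    A s = b is solved by s = (b, 0); W is a random invertible n x n matrix."""
    A = [[int(i == j) for j in range(n)] + [rng.randrange(Q) for _ in range(m - n)]
         for i in range(n)]
    W = Winv = None
    while Winv is None:
        W = [[rng.randrange(Q) for _ in range(n)] for _ in range(n)]
        Winv = matinv(W)
    f = [rng.randrange(Q) for _ in range(d + 1)]
    s = [[rng.randrange(Q) for _ in range(m)]]
    t = matvec(A, s[0])
    t[0] = (t[0] + f[0]) % Q                          # t = A s_0 + f_0 e_1
    b = t
    for i in range(1, d + 1):                         # s_i with A s_i + f_i e_1 = W^{-i} t
        b = matvec(Winv, b)
        s.append([(b[0] - f[i]) % Q] + b[1:] + [0] * (m - n))
    return A, W, f, t, s


def opens(A, W, t, f, s):
    """Commitment checks of relation (15): A s_i + f_i e_1 = W^{-i} t for all i in [0, d]."""
    Winv, b = matinv(W), t
    for i, (fi, si) in enumerate(zip(f, s)):
        if i:
            b = matvec(Winv, b)
        lhs = matvec(A, si)
        lhs[0] = (lhs[0] + fi) % Q
        if lhs != b:
            return False
    return True


def fold_round(A, W, t, f, s, u, alphas):
    """One round of Fig. 5 with k = len(alphas): checks Eqs. (17) and (18), then returns the
    folded instance (W^k, t', u^k, z') and the prover's folded witness (g, (z_i)_i)."""
    k = len(alphas)
    gs = split(f, k)
    uk = pow(u, k, Q)
    zs = [poly_eval(g, uk) for g in gs]                                   # first message
    assert poly_eval(f, u) == sum(zt * pow(u, i, Q) for i, zt in enumerate(zs)) % Q  # (17)
    g = fold(gs, alphas)
    z_new = sum(a * zt for a, zt in zip(alphas, zs)) % Q
    assert poly_eval(g, uk) == z_new                                      # (18)
    s_new = [fold([s[k * i + tt] for tt in range(k)], alphas) for i in range(len(g))]
    Winv, v, t_new = matinv(W), t, [0] * len(t)       # t' = sum_t alpha_t W^{-(t-1)} t
    for a in alphas:
        t_new = [(x + a * y) % Q for x, y in zip(t_new, v)]
        v = matvec(Winv, v)
    Wk = W
    for _ in range(k - 1):
        Wk = matmul(Wk, W)
    return Wk, t_new, uk, z_new, g, s_new


def demo(seed=1, n=2, m=4, d=7, k=2):
    """Fold an honest instance once; True iff the folded witness opens the folded commitment."""
    rng = random.Random(seed)
    A, W, f, t, s = honest_instance(rng, n, m, d)
    assert opens(A, W, t, f, s)
    u = rng.randrange(1, Q)
    alphas = [rng.randrange(Q) for _ in range(k)]     # toy challenge from Z_q^k
    Wk, t_new, uk, z_new, g, s_new = fold_round(A, W, t, f, s, u, alphas)
    return len(g) == (d + 1) // k and poly_eval(g, uk) == z_new and opens(A, Wk, t_new, g, s_new)
```

`demo()` performs one round: the prover sends the k evaluations, the verifier checks (17), both sides fold, and `opens` confirms that the O(k) update of the commitment and of the opening vectors yields a valid instance for the folded polynomial g of degree \(d'\). The same function with `k=4` exercises the general fold; the verification equation is exactly the last line of the computation in the proof of Lemma 5.1.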

We now apply the \(\varSigma \)-protocol recursively h times, reducing the final opening size to \((d+1)/k^h\), while increasing the final norm for verification by a factor \(\text {w}^h\).

Construction 5.2

Let k, h be integers, and let \(\mathcal {C}\subseteq \mathcal {R}_q^{k}\). We let \(\textsf {Eval} [d, k, h, \mathcal {C}, \beta ] {:}{=} (\mathcal {P}, \mathcal {V})\) be the protocol that we describe in Fig. 6.

Fig. 6

The protocol \(\textsf {Eval} [d, k, h, \mathcal {C}, \beta ]\) for \(\textsf {R} _{d, \beta }\). As before, we denote \(\text {w}{:}{=} \max _{\varvec{\alpha }\in \mathcal {C}} \left\| \varvec{\alpha }\right\| _1\)

Completeness of the protocol is easily shown by applying Lemma 5.1 h times.

Lemma 5.3

(Completeness for \(\textsf {Eval} \)). Let \(\Pi {:}{=} \textsf {Eval} [d, k, h, \mathcal {C}, \beta ]\). Then, \(\Pi \) is an interactive protocol with perfect completeness for \(\textsf {R} _{d, \beta }\).

Proof

Denote by \((\mathbb {i}_r, \mathbb {x}_r, \mathbb {w}_r) {:}{=} (({\textbf {A}} , {\textbf {W}} _r), ({\textbf {t}} _r, u_r, z_r), (f_r, ({\textbf {s}} _{r, i})_{i \in [d_r]}))\) for \(r \in [h]\). By Lemma 5.1, \((\mathbb {i}_r, \mathbb {x}_r, \mathbb {w}_r) \in \textsf {R} _{d_r, \beta _r}\) implies \((\mathbb {i}_{r+1}, \mathbb {x}_{r+1}, \mathbb {w}_{r+1}) \in \textsf {R} _{d_{r+1}, \beta _{r+1}}\) with probability 1. Since \((\mathbb {i}_0, \mathbb {x}_0, \mathbb {w}_0) \in \textsf {R} _{d, \beta _0}\), we get \((\mathbb {i}_h, \mathbb {x}_h, \mathbb {w}_h) \in \textsf {R} _{d_h, \beta _h}\), and thus the verifier's final checks accept. \(\square \)

Remark 5.4

The protocol that we have described uses the same folding factor k in every round of interaction. In fact, we can gain more flexibility by allowing each round to use a different folding factor. This can be beneficial, for example, to obtain a constant polynomial in the last round of the protocol when the original degree is not an h-th power.

We analyse the communication complexity of \(\textsf {Eval} [d, k, h, \mathcal {C}, \beta ]\) in the next lemma.

Lemma 5.5

(Efficiency for \(\textsf {Eval} \)). The total communication complexity of \(\textsf {Eval} [d, k, h, \mathcal {C}, \beta ]\) (in bits) can be bounded by

$$\begin{aligned} h \cdot (k N \lceil \log q \rceil + \lceil \log |\mathcal {C}| \rceil ) + \frac{d+1}{k^h}N \lceil \log q \rceil + \left( \frac{d+1}{k^h}+1\right) m N \lceil \log (2\text {w}^h \beta ) \rceil \hspace{5.0pt}. \end{aligned}$$

Further, the prover makes O(md) operations in \(\mathcal {R}_q\) while the verifier makes \(O\left( (n+m)^2\right. \left. (h k + d/k^h)\right) \) operations in \(\mathcal {R}_q\).

Proof

In each round the prover sends k elements of \(\mathcal {R}_q\) to the verifier, and the verifier sends 1 element of \(\mathcal {C}\). In the final round, the prover sends a polynomial with \(d_h = (d+1)/k^h\) coefficients, and \(d_h+1\) opening vectors, each of which has norm at most \(\beta _h\).

We turn to the prover complexity and first consider Step 2. In each round \(r \in [h]\), the prover makes \(O(mkd_r ) = O(md_{r-1})\) operations in \(\mathcal {R}_q\). Since \(d_0 = O(d)\) and in general \(d_r = O(d/k^r)\), the total runtime of the prover can be bounded by

$$\begin{aligned} O\left( \sum ^{h-1}_{r=0} m d_{r} \right) = O\left( m \sum ^{h-1}_{r=0} d/k^r \right) = O\left( md \cdot \frac{1-1/k^h}{1-1/k}\right) = O(md) \hspace{5.0pt}. \end{aligned}$$

We move to the verifier analysis. In Step 2, for every round \(r \in [h]\), the verifier makes at most \(O(kn^2)\) operations. Hence, the total cost of Step 2 is \(O(h k n^2)\). The rest of the algorithm takes \(O(d_h (nm + n^2))\) steps. Thus, the total runtime can be bounded by \(O\left( (n+m)^2(h k + d/k^h)\right) \) ring operations. \(\square \)

Next, we provide two instantiations of the protocol in Fig. 6 which will differ in the selection of the challenge space \(\mathcal {C}\). This has direct impact on the knowledge extraction strategy.

5.2 Monomial Protocol

In the following, we describe a so-called monomial variant of the protocol, where the name comes from the description of the challenge space \(\mathcal {C}\). Fix \(k {:}{=} 2\), and \(\mathcal {C}{:}{=} \{ 1 \} \times \{ X^i : i \in \mathbb {Z}\}\). Note that by definition \(\text {w}= 2\), and \(\varvec{\alpha }, \varvec{\alpha }' \in \mathcal {C}\) with \(\varvec{\alpha }\ne \varvec{\alpha }'\) implies that \(\alpha _2 - \alpha _2' \in \mathcal {R}_q^\times \). In this section, we also assume that \(2 \in \mathcal {R}_q^\times \) (which can be enforced if \(\gcd (2, q) = 1\)).

We aim to show that \(\Pi {:}{=} \textsf {Eval} [d, 2, h, \mathcal {C}, \beta ]\) is 2-special sound. In fact, we will not be able to show this exactly, as the extraction will introduce some slack. Rather we show that \(\Pi \) is special sound for the relaxed opening relation that we describe next:

$$\begin{aligned} \tilde{\textsf {R} }_{d, c, \gamma } {:}{=} \left\{ \left( ({\textbf {A}} , {\textbf {W}} ),({\textbf {t}} , u, z),(f,({\textbf {s}} _i)_{i \in [0, d]})\right) \bigg | \begin{array}{c} \forall i \in [0, d], {\textbf {A}} {\textbf {s}} _i + f_i{\textbf {e}} _1 = {\textbf {W}} ^{-i}{\textbf {t}} \; \wedge \\ \wedge \; c \in \mathcal {R}_q^\times \wedge \; \left\| c \cdot {\textbf {s}} _i\right\| \le \gamma \\ \wedge \; f(u) = z \end{array} \right\} \hspace{5.0pt}. \end{aligned}$$
(19)

We will directly show that \(\textsf {Eval} \) is special sound, which also implies special soundness of the \(\varSigma \)-protocol by noting that the two protocols are equivalent when \(h = 1\). To argue soundness we will first prove that there exists an extractor that is able to extract witnesses of the higher layer of the transcript tree from the children.

Lemma 5.6

(Special Soundness for \(\Sigma \)). Let \(c \in \mathcal {R}_q^\times \), and let \(\mathbb {i}= ({\textbf {A}} , {\textbf {W}} )\), \(\mathbb {x}= ({\textbf {t}} , u, z)\). There exists an algorithm that, given two accepting transcripts \(\textsf {tr} _j\) of the following form

$$\begin{aligned} \textsf {tr} _j {:}{=} \left( (z_1, z_2), \varvec{\alpha }_j {:}{=} (1,\alpha _j) \in \mathcal {C}, \mathbb {w}'_j {:}{=} (g_j, ({\textbf {z}} _{j, i})_i) \right) \quad \text {for } j = 0,1 \end{aligned}$$

where \(\alpha _0 \ne \alpha _1\), outputs \(\mathbb {w}{:}{=} (\bar{f}, (\bar{{\textbf {s}} }_i)_i)\). Furthermore, let \(d', \mathbb {i}'\), \(\mathbb {x}'_0, \mathbb {x}'_1\) be obtained as in Fig. 5. If, for \(i \in \{0,1\}\), \((\mathbb {i}', \mathbb {x}'_i, \mathbb {w}'_i) \in \tilde{\textsf {R} }_{d', c, \beta }\), and \(z = z_1 + u z_2\), then \((\mathbb {i}, \mathbb {x}, \mathbb {w}) \in \tilde{\textsf {R} }_{d, 2c, \gamma }\) where \(\gamma {:}{=} 2N \beta \).

Remark 5.7

We highlight that the \(g_j\) contained in \(\mathbb {w}'_j\) from the statement above are different from the polynomials \(g_1,g_2\) defined in Fig. 5.

Proof

Consider the following algorithm:

  • \(\underline{\mathcal {E}(\textsf {tr} _0, \textsf {tr} _1)}\):

    1. Set \(\bar{{\textbf {s}} }_{2i} {:}{=} \frac{\alpha _1 {\textbf {z}} _{0, i} - \alpha _0 {\textbf {z}} _{1,i}}{\alpha _1 - \alpha _0}\), \(\bar{{\textbf {s}} }_{2i+1} {:}{=} \frac{{\textbf {z}} _{0,i} - {\textbf {z}} _{1,i}}{\alpha _0 - \alpha _1}\) for \(i \in [0, (d-1)/2]\).

    2. Set \(\bar{f}_{1} {:}{=} \frac{\alpha _1 g_{0} - \alpha _0 g_{1}}{\alpha _1 - \alpha _0}\), \(\bar{f}_{2} {:}{=} \frac{g_{0} - g_{1}}{\alpha _0 - \alpha _1}\).

    3. Set \(\bar{f} {:}{=} \bar{f}_1(\textsf {X} ^2) + \textsf {X} \bar{f}_2(\textsf {X} ^2)\).

    4. Return \(\bar{f}, (\bar{{\textbf {s}} }_i)_{i \in [0, d]}\).

Let now \((\bar{f}, (\bar{{\textbf {s}} }_i)_i) \leftarrow \mathcal {E}(\textsf {tr} _0, \textsf {tr} _1)\). Since both transcripts are accepting, subtracting and recombining their verification equations as in Step 1 gives

$$\begin{aligned} {\textbf {A}} \bar{{\textbf {s}} }_{2i} + \bar{f}_{2i} {\textbf {e}} _1&= {\textbf {W}} ^{-2i} {\textbf {t}} \\ {\textbf {A}} \bar{{\textbf {s}} }_{2i+1} + \bar{f}_{2i+1} {\textbf {e}} _1&= {\textbf {W}} ^{-(2i+1)} {\textbf {t}} \hspace{5.0pt}. \end{aligned}$$

Now, we have that:

$$\begin{aligned} \bar{f}(u)&= \bar{f}_1(u^2) + u \bar{f}_2(u^2) \\&= \frac{\alpha _1 g_0(u^2) - \alpha _0 g_1(u^2)}{\alpha _1 - \alpha _0} + u \frac{g_0(u^2) - g_1(u^2)}{\alpha _0 - \alpha _1} \\&= z_1 + u z_2 \\&= z \hspace{5.0pt}. \end{aligned}$$

Finally, we set \(c^* {:}{=} 2 c\). First, note that \(c^* \in \mathcal {R}_q^\times \) since \(2 \in \mathcal {R}_q^\times \). Now, for \(i \in [0, d']\), we have:

$$\begin{aligned} \left\| c^* \cdot \bar{{\textbf {s}} }_{2i}\right\|&= \left\| \frac{2}{\alpha _1 - \alpha _0} \cdot c \cdot (\alpha _1 {\textbf {z}} _{0, i} - \alpha _0 {\textbf {z}} _{1, i})\right\| \\&\le \left\Vert {\frac{2}{\alpha _1 - \alpha _0}}\right\Vert _\infty \left\| c (\alpha _1 {\textbf {z}} _{0, i} - \alpha _0 {\textbf {z}} _{1, i})\right\| _1 \\&= \left\| c (\alpha _1 {\textbf {z}} _{0, i} - \alpha _0 {\textbf {z}} _{1,i})\right\| _1 \\&\le \sqrt{N} (\left\| c \alpha _1 {\textbf {z}} _{0,i}\right\| + \left\| c \alpha _0 {\textbf {z}} _{1, i}\right\| ) \\&\le N (\left\| \alpha _1\right\| \cdot \left\| c {\textbf {z}} _{0,i}\right\| + \left\| \alpha _0\right\| \cdot \left\| c {\textbf {z}} _{1,i}\right\| ) \\&\le 2N\beta = \gamma \end{aligned}$$

where the second equality follows by Lemma 2.17 and the last inequality by \(\left\| \alpha \right\| = 1\) for \((1,\alpha ) \in \mathcal {C}\). Similarly, \(\left\| c^* \cdot \bar{{\textbf {s}} }_{2i+1}\right\| \le \gamma \). \(\square \)

Using this extractor, we show that \(\Pi \) is \((2, \dots , 2)\)-special sound. The new extractor will start from the leaves of the tree of transcripts, applying the extractor described in Lemma 5.6 to obtain witnesses for the upper layer.

Lemma 5.8

(Special Soundness for \(\textsf {Eval} \)). Let \(\mathcal {C}{:}{=} \{1\} \times \{ X^i : i \in \mathbb {Z}\}\) and let \(\Pi {:}{=} \textsf {Eval} [d, 2, h, \mathcal {C}, \beta ]\) be as in Construction 5.2. Set \(\gamma {:}{=} (2N)^{ h} \cdot \beta _h\). Then \(\Pi \) is a special sound proof system for \(\tilde{\textsf {R} }_{d, 2^h, \gamma }\).

Proof

Let \(\textsf {tr} \) be a tree of transcripts, which we index as follows.

  • \(\alpha _{(r, j)}\) for \((r, j) \in [h] \times [2^{r}]\) is the j-th challenge in the r-th layer of the transcript.

  • \((z_{(r, j), 1}, z_{(r, j), 2})\) for \((r, j) \in [0, h-1] \times [2^r]\) is the j-th response in the r-th layer of the transcript.

  • \((\bar{f}_{(h, j)}, (\bar{{\textbf {s}} }_{(h, j), i})_i)\) for \(j \in [2^h]\) is the final message sent by the prover.

We introduce the following notation as in the verifier algorithm:

  • \(d_0 {:}{=} d\), \(d_r {:}{=} d_{r-1}/2\) for \(r \in [h]\)

  • \({\textbf {W}} _0 {:}{=} {\textbf {W}} \), \({\textbf {W}} _r {:}{=} {\textbf {W}} _{r-1}^2\) for \(r \in [h]\).

  • \({\textbf {t}} _{(0, 1)} {:}{=} {\textbf {t}} \), \({\textbf {t}} _{(r, 2j-1)} {:}{=} (1 + \alpha _{(r, 2j-1)}{\textbf {W}} ^{-1}_{r-1}) {\textbf {t}} _{(r-1, j)}\), \({\textbf {t}} _{(r, 2j)} {:}{=} (1 + \alpha _{(r, 2j)} {\textbf {W}} ^{-1}_{r-1}) {\textbf {t}} _{(r-1, j)}\) for \((r, j) \in [h] \times [2^r]\).

  • \(\beta _0 {:}{=} \beta \), \(\beta _r {:}{=} 2 N \cdot \beta _{r-1}\) for \(r \in [h]\).

  • \(u_0 {:}{=} u\), \(u_r {:}{=} u^2_{r-1}\) for \(r \in [h]\).

  • \(z_{(r, 2j-1)} {:}{=} z_{(r-1, j), 1} + \alpha _{(r, 2j-1)} z_{(r-1, j), 2}\), \(z_{(r, 2j)} {:}{=} z_{(r-1, j), 1} + \alpha _{(r, 2j)} z_{(r-1, j), 2}\) for \((r, j) \in [h] \times [2^{r-1}]\).

Denote with \(\mathcal {E}^{(1)}\) the extractor of Lemma 5.6.

  • \(\underline{\mathcal {E}(\textsf {tr} )}\):

    1. Set \(d_0 {:}{=} d\), \(d_r {:}{=} d_{r-1}/2\) for \(r \in [h]\).

    2. For \(r {:}{=} h, \dots , 1\):

      (a) Set, for \(j \in [2^{r-1}]\),

        $$\begin{aligned} \textsf {tr} _{(r-1, j)} {:}{=} \left( (z_{(r-1, j),1}, z_{(r-1, j),2}), \begin{array}{c} \alpha _{(r, 2j-1)}, (\bar{f}_{(r, 2j-1)}, (\bar{{\textbf {s}} }_{(r, 2j-1), i})_i) \\ \alpha _{(r, 2j)}, (\bar{f}_{(r, 2j)}, (\bar{{\textbf {s}} }_{(r, 2j), i})_i) \end{array} \right) \hspace{5.0pt}. \end{aligned}$$

      (b) Compute \(\bar{f}_{(r - 1, j)}, (\bar{{\textbf {s}} }_{(r - 1, j), i})_{i \in [0, d_{r-1}]} \leftarrow \mathcal {E}^{(1)}(\textsf {tr} _{(r-1, j)})\) for \(j \in [2^{r - 1}]\).

    3. Return \(\bar{f}_{(0, 1)}, (\bar{{\textbf {s}} }_{(0, 1), i})_{i \in [d]}\).

We prove that this extractor yields a valid witness by induction on r. First note that, by the verifier checks, for \((r, j) \in [h] \times [2^r]\)

$$\begin{aligned} z_{(r-1, j)} = z_{(r-1, j), 1} + u_{r-1} z_{(r-1, j), 2} \hspace{5.0pt}. \end{aligned}$$

Write \(\mathbb {i}_{(r, j)} {:}{=} ({\textbf {A}} , {\textbf {W}} _r)\), \(\mathbb {x}_{(r, j)} {:}{=} ({\textbf {t}} _{(r, j)}, u_r, z_{(r, j)})\), \(\mathbb {w}_{(r, j)} {:}{=} (\bar{f}_{(r, j)}, (\bar{{\textbf {s}} }_{(r, j), i})_i)\) for \((r, j) \in [h] \times [2^r]\). For \(r = h\), since the transcripts are accepting, \((\mathbb {i}_{(h, j)}, \mathbb {x}_{(h, j)}, \mathbb {w}_{(h, j)}) \in \textsf {R} _{d_h, \beta _h} = \tilde{\textsf {R} }_{d_h, 1, \beta _h}\) for \(j \in [2^h]\). Thus, by Lemma 5.6, \((\mathbb {i}_{(h-1, j)}, \mathbb {x}_{(h-1, j)}, \mathbb {w}_{(h-1, j)}) \in \tilde{\textsf {R} }_{d_{h-1}, 2, 2N \beta _h}\).

We can continue with the induction, and this yields that for the extracted witness \(\mathbb {w}_{(0, 1)} {:}{=} (\bar{f}_{(0, 1)}, (\bar{{\textbf {s}} }_{(0, 1),i})_{i \in [d]})\) we have that:

$$\begin{aligned} (\mathbb {i}_{(0, 1)}, \mathbb {x}_{(0, 1)}, \mathbb {w}_{(0, 1)}) \in \tilde{\textsf {R} }_{d, 2^h, (2N)^h \beta _h} \hspace{5.0pt}. \end{aligned}$$

Setting \(\gamma {:}{=} (2N)^h \beta _h\), and noting that \(2^h \in \mathcal {R}_q^\times \), this concludes our proof. \(\square \)
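The one-level extractor \(\mathcal {E}^{(1)}\) of Lemma 5.6 and the leaf-to-root recursion of Lemma 5.8, as an added worked example for both proofs; this is not code from the paper. It works over the toy ring \(\mathbb {Z}_q\) for a constructed prime q, where any non-zero difference \(\alpha _1 - \alpha _0\) is invertible (the role played by the monomial challenge set \(\{1\} \times \{X^i\}\) in \(\mathcal {R}_q\)); the lattice side of the relation (\({\textbf {A}} {\textbf {s}} _i + f_i {\textbf {e}} _1 = {\textbf {W}} ^{-i}{\textbf {t}} \) and the bound \(\gamma \)) is not modelled, so the opening vectors are just constructed coordinate lists that get folded and unfolded. The tree of transcripts is produced by rewinding an honest prover with two distinct challenges at every node. Function and variable names are the example's own.

```python
"""Extractors of Lemma 5.6 (one level, k = 2) and Lemma 5.8 (tree), over the toy ring Z_q.

Added example, not code from the paper. Elements of R_q are integers modulo a
prime q; the commitment equations and norm bounds are left out, so the example
only runs the algebra that rebuilds (f_bar, (s_bar_i)_i) from two responses to
distinct challenges, and the recursion that applies it from the leaves upward.
"""
import random

Q = 7919  # constructed toy modulus (a prime)


def poly_eval(f, u):
    """Horner evaluation of the coefficient list f (lowest degree first) at u mod Q."""
    acc = 0
    for c in reversed(f):
        acc = (acc * u + c) % Q
    return acc


def fold2(a, b, alpha):
    """a + alpha * b coordinate-wise mod Q: one Fig. 5 round with k = 2 and challenge (1, alpha)."""
    return [(x + alpha * y) % Q for x, y in zip(a, b)]


def prover_round(f, s, u, alpha):
    """Honest prover for one round: first message (z_1, z_2) = (g_1(u^2), g_2(u^2)), then the
    folded polynomial g = g_1 + alpha g_2 with openings z_i = s_{2i} + alpha s_{2i+1}."""
    g1, g2 = f[0::2], f[1::2]                          # f = g_1(X^2) + X g_2(X^2), Eq. (16)
    u2 = u * u % Q
    first = (poly_eval(g1, u2), poly_eval(g2, u2))
    g = fold2(g1, g2, alpha)
    z = [fold2(s[2 * i], s[2 * i + 1], alpha) for i in range(len(g))]
    return first, g, z


def extract_one(a0, w0, a1, w1):
    """E(tr_0, tr_1) of Lemma 5.6: w_j = (g_j, (z_{j,i})_i) is the response to challenge
    (1, alpha_j); returns (f_bar, (s_bar_i)_i) with twice as many coefficients/vectors."""
    if a0 == a1:
        raise ValueError("the two transcripts must carry distinct challenges")
    inv = pow((a1 - a0) % Q, -1, Q)                    # 1/(alpha_1 - alpha_0), exists in Z_q
    even = lambda x, y: (a1 * x - a0 * y) * inv % Q    # (alpha_1 x - alpha_0 y)/(alpha_1 - alpha_0)
    odd = lambda x, y: (y - x) * inv % Q               # (x - y)/(alpha_0 - alpha_1)
    g0, zv0 = w0
    g1, zv1 = w1
    fbar = [c for x, y in zip(g0, g1) for c in (even(x, y), odd(x, y))]  # f_bar_1(X^2) + X f_bar_2(X^2)
    sbar = []
    for v0, v1 in zip(zv0, zv1):
        sbar.append([even(x, y) for x, y in zip(v0, v1)])               # s_bar_{2i}
        sbar.append([odd(x, y) for x, y in zip(v0, v1)])                # s_bar_{2i+1}
    return fbar, sbar


def transcript_tree(rng, f, s, u, h):
    """Constructed (2,...,2)-tree of accepting transcripts: at every node the honest prover is
    rewound and answers two distinct challenges; leaves hold the final (f, (s_i)_i)."""
    if h == 0:
        return ("leaf", (f, s))
    a0, a1 = rng.sample(range(Q), 2)                   # two distinct challenges
    children = []
    for a in (a0, a1):
        first, g, z = transcript_round = prover_round(f, s, u, a)
        assert poly_eval(f, u) == (first[0] + u * first[1]) % Q   # verifier check z = z_1 + u z_2
        children.append((a, transcript_tree(rng, g, z, u * u % Q, h - 1)))
    return ("node", first, children)


def extract_tree(node):
    """E(tr) of Lemma 5.8: recover both children's witnesses first, then apply Lemma 5.6."""
    if node[0] == "leaf":
        return node[1]
    (a0, c0), (a1, c1) = node[2]
    return extract_one(a0, extract_tree(c0), a1, extract_tree(c1))


def demo(seed=3, d=7, m=4, h=3):
    """True iff the tree extractor returns exactly the honest witness and f_bar(u) = z."""
    rng = random.Random(seed)
    f = [rng.randrange(Q) for _ in range(d + 1)]
    s = [[rng.randrange(Q) for _ in range(m)] for _ in range(d + 1)]   # constructed openings
    u = rng.randrange(1, Q)
    fbar, sbar = extract_tree(transcript_tree(rng, f, s, u, h))
    return fbar == f and sbar == s and poly_eval(fbar, u) == poly_eval(f, u)
```

With `d=7` and `h=3` the tree has eight leaves holding constant polynomials, and `extract_tree` climbs three levels back to a degree-7 witness. Over a field the extracted \(\bar{f}\) and \(\bar{{\textbf {s}} }_i\) coincide with the honest prover's; over \(\mathcal {R}_q\) the division by \(\alpha _1 - \alpha _0\) is what introduces the slack factor \(2c\) and the growth \(\gamma = (2N)^h\beta _h\) tracked in the lemmas.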

We can use \(\textsf {Eval} \) to construct a polynomial commitment scheme. We detail the construction in Theorem 5.9 and summarise the parameters and efficiency features in Table 4.

Table 4 Parameters for the interactive polynomial commitment scheme obtained from Fig. 4 and running the \(\ell \)-parallel repetition of \(\textsf {Eval} [d, 2, h, \mathcal {C}, \beta ]\) for proofs of evaluation

Theorem 5.9

Let \(\textsf {PC} = (\textsf {Setup} , \textsf {Commit} , \textsf {Open} , \mathcal {P}^\ell , \mathcal {V}^\ell )\) where \(\textsf {Setup} \), \(\textsf {Commit} \), \(\textsf {Open} \) are as in Fig. 4 and \(\mathcal {P}^\ell , \mathcal {V}^\ell \) are the \(\ell \)-parallel repetitions of the prover and verifier of \(\textsf {Eval} \). Then \(\textsf {PC} \) is an interactive polynomial commitment scheme with the efficiency properties and parameters shown in Table 4. In particular, when \(h = O(\log d)\) and \(\ell > \frac{\lambda }{\log N + 1 - \log h}\) we obtain an interactive polynomial commitment scheme with negligible knowledge soundness error, polylogarithmic communication complexity, and polylogarithmic verifier time.

Proof

Completeness and relaxed binding follow from Lemmata 4.1 and 4.2. Perfect evaluation completeness follows from Lemma 5.1. For evaluation knowledge soundness, we apply [9, Theorem 4] to Lemma 5.8. Communication complexity follows from Lemma 5.5. Additionally, claims about the prover and verifier runtime hold by Lemma 5.5 and the fact that both \(\log q\) and N are polynomial in \(\lambda \). \(\square \)

5.3 Large Sampling Set

We present a second instantiation which allows us to obtain negligible knowledge soundness error without parallel repetition, using coordinate-wise special soundness (cf. Sect. 2.9) and a large challenge space. We let \(t, k \in \mathbb {N}\). Fix also \(\beta _\mathcal {C}> 0\). Recall that \(S_\kappa {:}{=} \{ \alpha \in \mathcal {R}_q: \Vert \alpha \Vert _\infty \le \kappa \}\). We define the challenge space and the slack space as

$$\begin{aligned} \mathcal {C}{:}{=} S^k_{\beta _\mathcal {C}} \quad \text {and} \quad \mathcal {S}_{t} {:}{=} \left\{ \prod _{i \in [t]} \alpha _{i} - \alpha _{i}' : \alpha _i, \alpha '_i \in S_{\beta _\mathcal {C}}, \alpha _i \ne \alpha '_i \right\} \hspace{5.0pt}. \end{aligned}$$

Note that \(|\mathcal {C}| = (2\beta _\mathcal {C}+1)^{kN}\) and \(\text {w}\le \beta _\mathcal {C}kN \). We also let \(\beta _{s, t} {:}{=} \max _{c \in \mathcal {S}_t} \left\Vert {c}\right\Vert _\infty \). Note that, for \(c \in \mathcal {S}_t\),

$$\begin{aligned} \left\Vert {c}\right\Vert _\infty \le \left\Vert {\prod _{i} (\alpha _i - \alpha _i')}\right\Vert _\infty \le \left\Vert {\alpha _1 - \alpha '_1}\right\Vert _\infty \cdot \prod _{i\ne 1} \left\| \alpha _i - \alpha _i'\right\| _1 \le 2\beta _{\mathcal {C}} \cdot (2\beta _{\mathcal {C}}N)^{t-1} \hspace{5.0pt}, \end{aligned}$$

and thus \(\left\| c\right\| _1 \le (2\beta _{\mathcal {C}}N)^{t}\).

We show a simple invertibility result that will be useful in the proof of soundness.

Lemma 5.10

Let \(1 \le l < N\) be a power of two, and suppose that \(q \equiv 2N/l + 1 \pmod {4N/l}\). If \(2 \beta _\mathcal {C}< \sqrt{l/N} q^{l/N}\), then for any \(t \ge 1\), \(\mathcal {S}_t \subseteq {\mathcal {R}_q^\times }\).

Proof

Let \(\alpha \ne \alpha ' \in S_{\beta _\mathcal {C}}\). Then, \(\alpha - \alpha ' \ne 0\), and \(\left\Vert {\alpha - \alpha '}\right\Vert _\infty \le 2 \beta _\mathcal {C}\). Thus, by Lemma 2.18, \(\alpha - \alpha ' \in \mathcal {R}_q^\times \). Elements of \(\mathcal {S}_t\) are products of elements of that form, and since the product of invertible elements is itself invertible, the result follows. \(\square \)

We will assume hereafter that we are in the regime in which Lemma 2.18 holds (as in Table 3).

We again aim to show that \(\textsf {Eval} [d, k, h, \mathcal {C}, \beta ]\) is knowledge sound. As before, we define an opening relation, which will differ from Equation (19) in that the relaxation factors will not be the same across openings, but rather will be included as part of the witness. This will reflect the fact that the extracted opening will have different slack derived from the challenges.

$$\begin{aligned} \tilde{\textsf {R} }_{d, \beta , t} {:}{=} \left\{ \left( ({\textbf {A}} , {\textbf {W}} ),({\textbf {t}} , u, z),(f,({\textbf {s}} _i)_i, (c_i)_i)\right) \Bigg | \begin{array}{c} \forall i \in [0, d], {\textbf {A}} {\textbf {s}} _i + f_i{\textbf {e}} _1 = {\textbf {W}} ^{-i}{\textbf {t}} \; \wedge \\ c_i \in \mathcal {S}_t \wedge \left\| c_i \cdot {\textbf {s}} _i\right\| \le \beta \\ \wedge \; f(u) = z \end{array} \right\} \hspace{5.0pt}. \end{aligned}$$
(20)

As before, to argue that the protocol is knowledge sound, we will first show an extractor to be used to move between layers of the transcript tree. In this case however, we will argue using coordinate-wise special soundness instead of special soundness.

Lemma 5.11

(Coordinate-Wise Special Soundness for \(\Sigma \)). Let \(c \in \mathcal {R}_q^\times \), and let \(\mathbb {i}= ({\textbf {A}} , {\textbf {W}} )\), \(\mathbb {x}= ({\textbf {t}} , u, z)\). There exists an algorithm that, given \(k+1\) transcripts \((\textsf {tr} _j)_{j \in [0, k]}\) of the following form:

$$\begin{aligned} \textsf {tr} _j {:}{=} \left( \begin{array}{c} (z_1, \dots , z_k) \\ \varvec{\alpha }_j \\ (g_j, ({\textbf {z}} _{j, i})_{i \in [0,d']}) \end{array}\right) \text { with } (\varvec{\alpha }_j)_j \in \textsf{SS}(S_{\beta _\mathcal {C}}, 2, k) \hspace{5.0pt}, \end{aligned}$$

and slack \((c_{j, i})_{j, i}\), outputs \(\mathbb {w}{:}{=} (\bar{f}, (\bar{{\textbf {s}} }_i)_i, (\bar{c}_i)_i)\). Furthermore, let \(\mathbb {i}'\), \((\mathbb {x}'_j)_{j \in [0, k]}\) be obtained as in Fig. 5 (where \(\mathbb {x}'_j\) is obtained from the j-th leaf of the transcript) and \(\mathbb {w}'_j {:}{=} (g_j, ({\textbf {z}} _{j, i})_i, (c_{j, i})_i)\). If, for \(j \in [0, k]\), \((\mathbb {i}', \mathbb {x}'_j, \mathbb {w}'_j) \in \tilde{\textsf {R} }_{d', \beta , t}\), and \(z = \sum _{t \in [k]} u^{t-1} z_t\), then \((\mathbb {i}, \mathbb {x}, \mathbb {w}) \in \tilde{\textsf {R} }_{d, \gamma , 2t + 1}\) where \(\gamma {:}{=} 2\beta \) if \(t=0\) and \(\gamma {:}{=} 2 N \beta _{s,t} \beta \) otherwise.

Proof

Assume, without loss of generality, that the transcripts are arranged so that, for \(j \in [k]\), \(\varvec{\alpha }_0 \equiv _j \varvec{\alpha }_j\). We can thus write \(\varvec{\alpha }_0 = (\alpha _1, \dots , \alpha _k)\) and \(\varvec{\alpha }_j {:}{=} (\alpha _1, \dots , \alpha '_j, \dots , \alpha _k)\) with \(\alpha _j \ne \alpha '_j\). Consider the extractor

  • \(\underline{\mathcal {E}(\textsf {tr} = (\textsf {tr} _0,\ldots ,\textsf {tr} _k), (c_{j, i})_{j, i})}\):

    1. For \(j \in [k]\):

      (a) Set \(\bar{f}_j {:}{=} \frac{g_{0} - g_{j}}{\alpha _j - \alpha '_j}\).

      (b) For \(i \in [0, d']\):

        i. Set \(\bar{{\textbf {s}} }_{ki + j - 1} {:}{=} \frac{{\textbf {z}} _{0, i} - {\textbf {z}} _{j, i}}{\alpha _j - \alpha '_j}\).

        ii. Set \(\bar{c}_{ki + j - 1} {:}{=} (\alpha _j - \alpha '_j) c_{0, i} c_{j, i}\).

    2. Set \(\bar{f} {:}{=} \sum _{j \in [k]} \textsf {X} ^{j-1} \bar{f}_j(\textsf {X} ^k)\).

    3. Return \((\bar{f}, (\bar{{\textbf {s}} }_i)_{i \in [0, d]}, (\bar{c}_i)_{i \in [0, d]})\).

Since the transcript is accepting, for \(j \in [0, k], i \in [0, d']\) we have that

$$\begin{aligned} {\textbf {A}} {\textbf {z}} _{j, i} + g_{j, i} {\textbf {e}} _1 = ({\textbf {W}} ^k)^{-i} \left( \sum _{t \in [k]} \alpha _{j, t} {\textbf {W}} ^{-(t - 1)} \right) {\textbf {t}} \hspace{5.0pt}. \end{aligned}$$

Subtracting the equation for \(j = 0\) from the equation for \(j \in [k]\) yields that, for \(i \in [0, d']\):

$$\begin{aligned} {\textbf {A}} \left( \frac{{\textbf {z}} _{0, i} - {\textbf {z}} _{j, i}}{\alpha _j - \alpha '_j} \right) + \left( \frac{g_{0, i} - g_{j , i}}{\alpha _j - \alpha '_j}\right) {\textbf {e}} _1 = {\textbf {W}} ^{-(ki + j -1)} {\textbf {t}} \hspace{5.0pt}. \end{aligned}$$

To show that the extracted \(\bar{f}\) evaluates to z at u, note that:

$$\begin{aligned} \bar{f}(u)&= \sum _{j \in [k]} u^{j-1} \bar{f}_j(u^k) \\&= \sum _{j \in [k]} u^{j-1} \frac{g_{0}(u^k) - g_j(u^k)}{\alpha _j - \alpha '_j} \\&= \sum _{j \in [k]} u^{j-1} \frac{\sum _{t \in [k]} (\alpha _{0, t} - \alpha _{j, t}) z_t}{\alpha _j - \alpha '_j} \\&= \sum _{j \in [k]} u^{j-1} z_j = z \hspace{5.0pt}, \end{aligned}$$

where in the third equality we have used that the verifier check accepts, and for the fourth \(\sum _{t \in [k]} (\alpha _{0, t} - \alpha _{j, t}) z_t = (\alpha _j - \alpha '_j) z_j\). We argue that the extracted \(\bar{{\textbf {s}} }_i\) are (relaxed) short:

$$\begin{aligned} \left\| \bar{c}_{ki + j - 1} \cdot \bar{{\textbf {s}} }_{ki + j - 1}\right\|&= \left\| (\alpha _j - \alpha '_j) c_{0, i} c_{j, i} \frac{{\textbf {z}} _{0, i} - {\textbf {z}} _{j, i}}{\alpha _j - \alpha '_j}\right\| \\&= \left\| c_{0, i} c_{j, i} ({\textbf {z}} _{0, i} - {\textbf {z}} _{j, i})\right\| \\&\le \left\| c_{j, i} c_{0, i} {\textbf {z}} _{0, i}\right\| + \left\| c_{0, i} c_{j, i} {\textbf {z}} _{j, i}\right\| \\&\le \sqrt{N} \beta _{s,t} (\left\| c_{0, i} {\textbf {z}} _{0, i}\right\| _1 + \left\| c_{j, i} {\textbf {z}} _{j, i}\right\| _1) \\&\le 2 N \beta _{s,t} \beta = \gamma \hspace{5.0pt}. \end{aligned}$$

If \(t=0\), then the slacks must have been 1, and thus \(\left\| \bar{c}_{ki + j - 1} \bar{{\textbf {s}} }_{ki + j - 1}\right\| \le \left\| {\textbf {z}} _{0, i} - {\textbf {z}} _{j, i}\right\| \le 2 \beta \) as desired. Finally, what is left to show is that the new slack lies in the prescribed slack space. This is easy to see: each of the two previous slacks is a product of t differences of challenges, and we multiply them by one new difference, giving a product of \(2 t + 1\) differences of challenges. Lemma 5.10 guarantees that this new slack is invertible as long as \(\beta _\mathcal {C}\) is small enough. \(\square \)
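The extraction step of this proof can be exercised on a toy instance. The following Python code is an added example, not the paper's own code; it assumes polynomial coefficients in \(\mathbb {Z}_q\) for a prime q in place of \(\mathcal {R}_q\) (so every nonzero challenge difference is invertible) and omits the lattice part of the witness, keeping only the identity \(f(u) = z\). It builds the \(k+1\) transcripts that differ in a single challenge coordinate, once from an honest prover (the extractor recovers f itself) and once from a prover who knows only consistent values \(z_j\) (the extracted \(\bar{f}\) still satisfies \(\bar{f}(u) = z\), as argued above).

```python
"""Toy version of the extractor of Lemma 5.11 (added example, not the paper's code).

Assumptions of this example: polynomial coefficients live in Z_q for a prime q
instead of the ring R_q, so any nonzero challenge difference alpha_j - alpha'_j
is invertible; the lattice part of the witness (A, W, t, s_i, slack c_i) is left
out and only the identity f(u) = z is tracked.
"""
import random

Q = 2**61 - 1  # constructed prime modulus of the toy field Z_q

def poly_eval(f, u):
    """Horner evaluation of coefficient list f (lowest degree first) at u, mod Q."""
    acc = 0
    for c in reversed(f):
        acc = (acc * u + c) % Q
    return acc

def split(f, k):
    """Decompose f(X) = sum_j X^{j-1} f_j(X^k) into (f_1, ..., f_k); needs k | (deg f + 1)."""
    assert len(f) % k == 0
    return [f[j::k] for j in range(k)]

def merge(parts):
    """Inverse of split: interleave (f_1, ..., f_k) back into one coefficient list."""
    k = len(parts)
    out = [0] * (k * len(parts[0]))
    for j, fj in enumerate(parts):
        for i, c in enumerate(fj):
            out[k * i + j] = c
    return out

def honest_response(f, u, k, alpha):
    """Folding round of an honest prover: z_j = f_j(u^k) and g = sum_j alpha_j f_j."""
    parts = split(f, k)
    uk = pow(u, k, Q)
    zs = [poly_eval(fj, uk) for fj in parts]
    g = [sum(a * fj[i] for a, fj in zip(alpha, parts)) % Q for i in range(len(parts[0]))]
    return zs, g

def cheating_response(u, k, zs, alpha, dprime, rng):
    """Prover holding no f: a random g of degree d' whose constant term is fixed so
    that g(u^k) = sum_j alpha_j z_j, which is all the verifier checks about g."""
    g = [rng.randrange(Q) for _ in range(dprime + 1)]
    target = sum(a * zj for a, zj in zip(alpha, zs)) % Q
    g[0] = (g[0] + target - poly_eval(g, pow(u, k, Q))) % Q
    return g

def verifier_accepts(u, z, k, zs, alpha, g):
    """Folding-round checks: z = sum_j u^{j-1} z_j and g(u^k) = sum_j alpha_j z_j."""
    folded = sum(pow(u, j, Q) * zj for j, zj in enumerate(zs)) % Q
    rhs = sum(a * zj for a, zj in zip(alpha, zs)) % Q
    return folded == z and poly_eval(g, pow(u, k, Q)) == rhs

def extract(alpha0, g0, others):
    """Lemma 5.11: f_bar_j = (g_0 - g_j)/(alpha_j - alpha'_j) coefficient-wise, then
    f_bar = sum_j X^{j-1} f_bar_j(X^k); others[j] = (alpha'_j, g_j) differs in coordinate j."""
    parts = []
    for j, (alpha_prime, gj) in enumerate(others):
        inv = pow((alpha0[j] - alpha_prime) % Q, -1, Q)  # nonzero in Z_q, hence invertible
        parts.append([((a - b) * inv) % Q for a, b in zip(g0, gj)])
    return merge(parts)

def sample_challenges(k, beta_c, rng):
    """alpha_0 in S_{beta_c}^k plus k neighbours, the j-th differing from alpha_0
    in coordinate j only (the k+1 challenges coordinate-wise special soundness uses)."""
    alpha0 = [rng.randint(-beta_c, beta_c) for _ in range(k)]
    neighbours = []
    for j in range(k):
        other = rng.choice([x for x in range(-beta_c, beta_c + 1) if x != alpha0[j]])
        neighbours.append(alpha0[:j] + [other] + alpha0[j + 1:])
    return alpha0, neighbours

def run(seed=1, d=11, k=3, beta_c=2, honest=True):
    """Produce k+1 accepting transcripts for the claim f(u) = z, run the extractor
    and report (all_accepted, f_bar_evaluates_to_z, f_bar_equals_f)."""
    rng = random.Random(seed)
    f = [rng.randrange(Q) for _ in range(d + 1)]
    u = rng.randrange(1, Q)
    z = poly_eval(f, u)
    alpha0, neighbours = sample_challenges(k, beta_c, rng)
    challenges = [alpha0] + neighbours
    if honest:
        transcripts = [honest_response(f, u, k, a) for a in challenges]
    else:
        # cheating prover: arbitrary z_j, then force sum_j u^{j-1} z_j = z
        zs = [rng.randrange(Q) for _ in range(k)]
        zs[0] = (zs[0] + z - sum(pow(u, j, Q) * zj for j, zj in enumerate(zs))) % Q
        dprime = (d + 1) // k - 1
        transcripts = [(zs, cheating_response(u, k, zs, a, dprime, rng)) for a in challenges]
    accepted = all(verifier_accepts(u, z, k, zs_, a, g)
                   for a, (zs_, g) in zip(challenges, transcripts))
    others = [(a[j], transcripts[j + 1][1]) for j, a in enumerate(neighbours)]
    f_bar = extract(alpha0, transcripts[0][1], others)
    return accepted, poly_eval(f_bar, u) == z, f_bar == f
```

In the cheating run the transcripts are accepting and the extracted polynomial differs from f, yet it still evaluates to z at u, which is exactly the guarantee of the relaxed relation.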

We then use this extractor recursively to show that \(\textsf {Eval} \) is coordinate-wise special sound.

Lemma 5.12

(Coordinate-Wise Special Soundness for \(\textsf {Eval} \)). Let \(k, h \in \mathbb {N}\), \(\beta _\mathcal {C}> 0\). Let \(\Pi {:}{=} \textsf {Eval} [d, k, h, \mathcal {C}, \beta ]\) be as in Construction 5.2. Then, \(\Pi \) is a k-coordinate-wise special sound proof system for the relation \(\tilde{\textsf {R} }_{d, \gamma , t}\) where

$$\begin{aligned} \gamma&{:}{=} 2^h \cdot (2 \beta _\mathcal {C}N)^{2^h - h - 1} \cdot \beta _h \\ t&{:}{=} 2^h - 1 \hspace{5.0pt}. \end{aligned}$$

Proof

We index the transcript as in Lemma 5.8. Denote by \(\mathcal {E}^{(1)}\) the extractor of Lemma 5.11. Consider the new extractor

  • \(\underline{\mathcal {E}(\textsf {tr} )}\):

    1. Set \(\bar{c}_{(h, j)} = 1\) for \(j \in [(k+1)^h]\).

    2. For \(r {:}{=} h, \dots , 1\):

      (a) Set, for \(j \in [(k+1)^{r-1}]\),

        $$\begin{aligned}&\textsf {tr} _{(r-1, j)} \\&\quad {:}{=} \left( (z_{(r-1, j), t})_{t \in [k]}, \begin{array}{c} (\varvec{\alpha }_{(r, (j-1)(k+1) + 1)}, (\bar{f}_{(r, (j-1)(k+1) + 1)}, (\bar{{\textbf {s}} }_{(r, (j-1)(k+1) + 1), i})_{i})) \\ \vdots \\ (\varvec{\alpha }_{(r, j(k+1))}, (\bar{f}_{(r, j(k+1))}, (\bar{{\textbf {s}} }_{(r, j(k+1)), i})_{i})) \\ \end{array}\right) \hspace{5.0pt}. \end{aligned}$$

      (b) Compute \((\bar{f}_{(r - 1, j)}, (\bar{{\textbf {s}} }_{(r-1, j), i})_i, (\bar{c}_{(r-1, j), i})_i) \leftarrow \mathcal {E}^{(1)}(\textsf {tr} _{(r-1, j)}, (\bar{c}_{(r, (j-1)(k+1) + t), i})_{t, i})\).

    3. Return \(\bar{f}_{(0, 1)}, (\bar{{\textbf {s}} }_{(0, 1), t})_t, (\bar{c}_{(0, 1), t})_t\).

We argue that the extractor yields a valid witness inductively. We again note that for \((r, j) \in [h] \times [(k+1)^r]\), since the transcripts are accepting,

$$\begin{aligned} z_{(r-1, j)} = \sum _{t \in [k]} u^{t-1}_{r-1} z_{(r-1, j), t} \hspace{5.0pt}. \end{aligned}$$

Write \(\mathbb {i}_{(r, j)} {:}{=} ({\textbf {A}} , {\textbf {W}} _r)\), \(\mathbb {x}_{(r, j)} {:}{=} ({\textbf {t}} _{(r, j)}, u_r, (z_{(r, j), i})_i)\) and \(\mathbb {w}_{(r, j)} {:}{=} (\bar{f}_{(r, j)}, (\bar{{\textbf {s}} }_{(r, j), i})_i, (\bar{c}_{(r, j), i})_i)\). Since the leaves are accepting (and the relaxed relation is equivalent to the exact one when the relaxation factors are one), \((\mathbb {i}_{(h, j)}, \mathbb {x}_{(h, j)}, \mathbb {w}_{(h, j)}) \in \tilde{\textsf {R} }_{d_h, \beta _h, 0}\). Thus, Lemma 5.11 (in the case \(t = 0\)) implies that \((\mathbb {i}_{(h-1, j)}, \mathbb {x}_{(h-1, j)}, \mathbb {w}_{(h-1, j)}) \in \tilde{\textsf {R} }_{d_{h-1}, 2\beta _h, 1}\). Now, we define the recurrence relations:

$$\begin{aligned} t_r {:}{=} {\left\{ \begin{array}{ll} 1 &{}\text {if } r = 1 \\ 2t_{r-1} + 1 &{}\text {otherwise} \end{array}\right. } \text { and } \gamma _r {:}{=} {\left\{ \begin{array}{ll} 2\beta _h &{}\text {if } r = 1 \\ 2N \beta _{s, t_{r-1}} \gamma _{r-1} &{}\text {otherwise} \end{array}\right. } \hspace{5.0pt}. \end{aligned}$$

Lemma 5.11 implies exactly that, if \((\mathbb {i}_{(h - r, j)}, \mathbb {x}_{(h - r, j)}, \mathbb {w}_{(h - r, j)}) \in \tilde{\textsf {R} }_{d_{h - r}, \gamma _r, t_r}\) for all j, then the witnesses extracted one layer up satisfy \((\mathbb {i}_{(h - r - 1, j)}, \mathbb {x}_{(h - r - 1, j)}, \mathbb {w}_{(h - r - 1, j)}) \in \tilde{\textsf {R} }_{d_{h - r - 1}, \gamma _{r+1}, t_{r+1}}\). Unfolding the recurrence relations, we note that \(t_r = 2^{r} - 1\) and

$$\begin{aligned} \gamma _r&= 2^{r} N^{r-1} \left( \prod _{i = 1}^{r-1} \beta _{s, t_i}\right) \beta _h \\&\le 2^{r} N^{r-1} \left( \prod _{i = 1}^{r-1} 2\beta _{\mathcal {C}}(2\beta _\mathcal {C}N)^{2^{i}- 2}\right) \beta _h \\&= 2^{r} N^{r-1} (2\beta _{\mathcal {C}})^{r-1} (2\beta _\mathcal {C}N)^{\sum _{i=1}^{r-1} (2^{i}- 2)} \cdot \beta _h \\&= 2^{r} N^{r-1} (2\beta _{\mathcal {C}})^{r-1} (2\beta _\mathcal {C}N)^{2^r -2r} \cdot \beta _h \\&= 2^{r} (2\beta _\mathcal {C}N)^{2^r -r - 1} \cdot \beta _h \hspace{5.0pt}. \end{aligned}$$

Taking this to its natural conclusion:

$$\begin{aligned} (\mathbb {i}_{(0, 1)}, \mathbb {x}_{(0, 1)}, \mathbb {w}_{(0, 1)}) \in \tilde{\textsf {R} }_{d, \gamma _h, t_h} \hspace{5.0pt}, \end{aligned}$$

and setting \(\gamma {:}{=} \gamma _h\), \(t {:}{=} t_h\) implies the result. \(\square \)

Again, we can use \(\textsf {Eval} \) to construct a polynomial commitment scheme.

Table 5 Parameters for the polynomial commitment scheme obtained from Fig. 4 and the Fiat–Shamir transform of \(\textsf {Eval} [d, k, h, \mathcal {C}, \beta ]\) for proofs of evaluation

Theorem 5.13

Let \(\textsf {PC} = (\textsf {Setup} , \textsf {Commit} , \textsf {Open} , \textsf {Eval} , \textsf {Verify} )\) where \(\textsf {Setup} , \textsf {Commit} , \textsf {Open} \) are as in Fig. 4 and \(\textsf {Eval} , \textsf {Verify} \) are obtained by applying the Fiat–Shamir transform to \(\textsf {Eval} [d, k, h, \mathcal {C}, \beta ]\) when \(k^h = \textsf {poly} (\lambda )[d]\). Then, \(\textsf {PC} \) is a polynomial commitment scheme with the efficiency properties and parameters shown in Table 5.

Proof

Completeness and relaxed binding follow from Lemmata 4.1 and 4.2. Perfect evaluation completeness follows from Lemma 5.1. Communication complexity and runtimes follow from Lemma 5.5. Knowledge soundness follows from Lemma 2.31 and Lemma 5.12, noting that \(k^h = \textsf {poly} (\lambda )[d]\) and thus the extractor runs in expected polynomial time. \(\square \)

At this point, one might be tempted to instantiate the scheme in Theorem 5.13 with \(h = O(\log d)\) and \(k = O(1)\) to obtain a protocol with logarithmic communication complexity, as in Theorem 5.9, and small soundness error. Unfortunately, this does not succeed: the extracted norm in this case grows as \(\exp (d)\), and thus \(\log q \ge \text {poly}(d)\). The resulting protocol would communicate logarithmically many elements of \(\mathcal {R}_q\), but the overall communication complexity would thus be polynomial in d. Hence, h must be at most \(O(\log \log d)\). In fact, let \(0< \epsilon < 1\) be a constant and set \(h = 1/\epsilon = O(1)\), \(k = d^{\epsilon }\). It is easy to see from Table 5 that the communication complexity is then \(O(d^{\epsilon })\) elements of \(\mathcal {R}_q\), and we can set \(\log q = \text {polylog}(d)\) to obtain overall sublinear communication complexity. Accordingly, the verifier time will also be sublinear. In fact, we can improve on this further. Set now \(h \approx \log \log d\) and \(k \approx d^{1/\log \log d}\). It can be easily verified that in this case we obtain

$$\begin{aligned} \log q = O\left( \frac{\log ^2 d}{\log \log d}\right) , \end{aligned}$$

and in terms of communication complexity: \(O((\log \log d) \cdot d^{1/\log \log d})\) elements of \(\mathcal {R}_q\) or \(\text {polylog}(d) \cdot d^{1/\log \log d}\) bits (similarly for the verifier complexity). As such, we can conclude that Theorem 5.13 gives rise to a quasi-polylogarithmic non-interactive polynomial commitment scheme from lattice assumptions.

5.4 Batching Evaluations

5.4.1 Multiple Evaluations at a Single Point

We show a simple approach to amortise the cost of proving evaluations of multiple polynomials at a single point. More concretely, we have a list of (committed) polynomials \(f_1, \dots , f_r\) and want to show that \(f_i(u) = z_i\). First we define the corresponding relation, namely:

$$\begin{aligned} \textsf {R} ^r_{d, \beta }&{:}{=} \left\{ ({\textbf {A}} , {\textbf {W}} ), (({\textbf {t}} _j)_j, u, (z_j)_j), ((f_j)_j, ({\textbf {s}} _{j,i})_{j, i}) \right. \\&\qquad \qquad \left. \Bigg | \begin{array}{c} \forall j \in [r], \\ (({\textbf {A}} , {\textbf {W}} ), ({\textbf {t}} _j, u, z_j), (f_j, ({\textbf {s}} _{j, i})_i)) \in \textsf {R} _{d, \beta } \end{array} \right\} \hspace{5.0pt}. \end{aligned}$$

The intuition of the protocol that we design is to take a random linear combination of the polynomials \(f_1, \dots , f_r\), and prove that its evaluation at u is equal to the same linear combination of the claimed evaluations. The protocol that we describe in Fig. 7 takes this idea and combines it with one round of Fig. 5, which is useful for better concrete efficiency.

Fig. 7

The protocol \(\textsf {multiEval} [d, r, k, \mathcal {C}, \beta ]\) for proving evaluations of r polynomials at a single point. In the above \(\text {w}{:}{=} \max _{\alpha \in \mathcal {C}} \left\| \alpha \right\| _1\). As before, we define \(d' {:}{=} (d+1)/k -1\) and \({\textbf {s}} _{\iota ,t, i} {:}{=} {\textbf {s}} _{\iota , ki+t-1}\) for \(\iota \in [r]\)

Lemma 5.14

(Completeness for \(\textsf {multiEval} \)). Let \(\Pi {:}{=} \textsf {multiEval} [d, r, k, \mathcal {C}, \beta ]\) be the protocol in Fig. 7. Then, \(\Pi \) is a \(\varSigma \)-protocol with perfect completeness for \(\textsf {R} ^r_{d, \beta }\).

Proof

It is easy to see that \(g(u^k) = \sum _{\iota , t} \alpha _{\iota , t} g_{\iota , t}(u^k) = \sum \alpha _{\iota , t} z_{\iota , t}\). Also, for \(i \in [0, d']\),

$$\begin{aligned} {\textbf {A}} {\textbf {z}} _i + g_i {\textbf {e}} _1&= \sum _{\iota ,t \in [r] \times [k]} \alpha _{\iota , t} \left( {\textbf {A}} {\textbf {s}} _{\iota , t, i} + g_{\iota , t, i}{\textbf {e}} _1\right) \\&= \sum _{\iota ,t \in [r] \times [k]} \alpha _{\iota , t} \left( {\textbf {A}} {\textbf {s}} _{\iota , ki+t-1} + g_{\iota , ki+t-1}{\textbf {e}} _1\right) \\&= \sum _{\iota , t \in [r] \times [k]} \alpha _{\iota , t} {\textbf {W}} ^{-(ki+t-1)} {\textbf {t}} _\iota . \end{aligned}$$

Finally, \(\left\| {\textbf {z}} _i\right\| = \left\| \sum _{\iota , t} \alpha _{\iota , t} {\textbf {s}} _{\iota ,t,i}\right\| \le \text {w}\beta = \beta '\) as desired. \(\square \)

As before, we define a relaxed opening relation (we use the definition of \(\tilde{\textsf {R} }\) from Equation (20)):

$$\begin{aligned} \tilde{\textsf {R} }^r_{d, \beta , t}&{:}{=} \left\{ \left( \begin{array}{c} ({\textbf {A}} , {\textbf {W}} ),\\ (({\textbf {t}} _\iota )_\iota , u, (z_\iota )_\iota ), \\ ((f_\iota )_\iota , ({\textbf {s}} _{\iota ,i})_{\iota , i}, (c_{\iota ,i})_{\iota , i})\\ \end{array}\right) \right. \\&\qquad \qquad \left. \Bigg | \begin{array}{c} \forall \iota \in [r], \\ (({\textbf {A}} , {\textbf {W}} ), ({\textbf {t}} _\iota , u, z_\iota ), (f_\iota , ({\textbf {s}} _{\iota , i})_i, (c_{\iota , i})_i)) \in \tilde{\textsf {R} }_{d, \beta , t} \end{array} \right\} \hspace{5.0pt}. \end{aligned}$$

We now prove coordinate-wise special soundness for the set \(\mathcal {C}{:}{=} S^{rk}_{\beta _\mathcal {C}} \subseteq \mathcal {R}_q^{rk}\), where each element has rk coordinates. Then, it is easy to show (e.g. using the composition results as in [20, Section 3]) that composing \(\textsf {multiEval} \) with \(\textsf {Eval} \) yields a knowledge sound protocol for this relaxed relation.

Lemma 5.15

(Coordinate-Wise Special Soundness for \(\textsf {multiEval} \)). Let \(\Pi {:}{=} \textsf {multiEval} [d, r, k, \mathcal {C}, \beta ]\) be the protocol in Fig. 7. Let \(\mathbb {i}{:}{=} ({\textbf {A}} , {\textbf {W}} )\), \(\mathbb {x}{:}{=} (({\textbf {t}} _\iota )_\iota , u, (z_\iota )_\iota )\). There exists an algorithm that, given \(rk+1\) transcripts \((\textsf {tr} _j)_{j \in [0,rk]}\) of the following form:

$$\begin{aligned} \textsf {tr} _j {:}{=} \left( \begin{array}{c} (z_{\iota , t})_{\iota , t} \\ \varvec{\alpha }_j \\ (g_j, ({\textbf {z}} _{j, i})_{i \in [0, d]}) \end{array}\right) \text { with } (\varvec{\alpha }_j)_j \in \textsf{SS}(S_{\beta _\mathcal {C}}, rk) \hspace{5.0pt}, \end{aligned}$$

and relaxation factors \((c_{j, i})_{j, i}\), outputs \(\mathbb {w}{:}{=} ((\bar{f}_\iota )_{\iota }, (\bar{{\textbf {s}} }_{\iota , i})_{\iota , i}, (\bar{c}_{\iota , i})_{\iota , i})\). Now, set \(\mathbb {i}' {:}{=} ({\textbf {A}} , {\textbf {W}} ^k)\), \(\mathbb {x}_j {:}{=} (\sum _{\iota , t} \alpha _{j, \iota , t} {\textbf {t}} _\iota , u^k, \sum _{\iota , t} \alpha _{j, \iota , t} z_{\iota , t})\), \(\mathbb {w}_j {:}{=} (g_j, ({\textbf {z}} _{j, i})_{i}, (c_{j, i})_i)\). If for \(j \in [0, rk]\), \((\mathbb {i}', \mathbb {x}_j, \mathbb {w}_j) \in \tilde{\textsf {R} }_{d, \beta , t}\), and \(z_\iota = \sum _{t \in [k]} u^{t-1} z_{\iota , t}\) for \(\iota \in [r]\), then \((\mathbb {i}, \mathbb {x}, \mathbb {w}) \in \tilde{\textsf {R} }^r_{d, \gamma , t'}\) where \(\gamma {:}{=} 2N\beta _{s,t} \beta \), \(t' {:}{=} 2 t + 1\).

Proof

Again, assume without loss of generality that \(\varvec{\alpha }_0 \equiv _j \varvec{\alpha }_j\) for \(j \in [rk]\). Now, reindex \(\varvec{\alpha }_1, \dots , \varvec{\alpha }_{rk}\) into an \(r \times k\) matrix \(\varvec{\alpha }_{1,1}, \dots , \varvec{\alpha }_{r,k}\). We write \(\varvec{\alpha }_0 = (\alpha ^*_{1,1}, \dots , \alpha ^*_{r,k})\) and thus assume that \(\varvec{\alpha }_{v, w} = (\alpha ^*_{1,1}, \dots , \alpha '_{v, w}, \dots , \alpha ^*_{r,k} )\) with \(\alpha '_{v, w} \ne \alpha ^*_{v, w}\). We also reindex \((g_j)_j, ({\textbf {z}} _{j, i})\) accordingly so that \(g_{v, w}\) corresponds to the \(\varvec{\alpha }_{v, w}\) challenge (note that we skip the 0-th challenge \(\varvec{\alpha }_0\)).

With these conventions, we let the extractor be the following.

  • \(\underline{\mathcal {E}(\textsf {tr} )}\):

    1. For \(\iota \in [r], t \in [k]\):

      (a) Let \(\bar{f}_{\iota , t} {:}{=} \frac{g_0 - g_{\iota , t}}{\alpha ^*_{\iota , t} - \alpha '_{\iota , t}}\).

      (b) Let \(\bar{{\textbf {s}} }_{\iota , ki + t - 1} {:}{=} \frac{{\textbf {z}} _{0, i} - {\textbf {z}} _{\iota , t, i}}{\alpha ^*_{\iota , t} - \alpha '_{\iota , t}}\) for \(i \in [0, d']\).

      (c) Let \(\bar{c}_{\iota , ki + t - 1} {:}{=} (\alpha ^*_{\iota , t} - \alpha '_{\iota , t}) c_{0, i} c_{\iota , t, i}\) for \(i \in [0, d']\).

    2. Set \(\bar{f}_\iota {:}{=} \sum _{t \in [k]} \textsf {X} ^{t-1} \bar{f}_{\iota , t}(\textsf {X} ^k)\) for \(\iota \in [r]\).

    3. Return \((\bar{f}_\iota )_\iota , ((\bar{{\textbf {s}} }_{\iota , i})_i)_\iota , ((\bar{c}_{\iota , i})_i)_\iota \).

First note that by assumption, \(g_0(u^k) = \sum _{\iota , t} \alpha ^*_{\iota , t} z_{\iota , t}\) and \(g_{v, w}(u^k) = \alpha '_{v, w} z_{v, w} + \sum _{(\iota , t) \ne (v, w)} \alpha ^*_{\iota , t} z_{\iota , t}\). Thus, \(\bar{f}_{v, w}(u^k) = \frac{g_0 - g_{v, w}}{\alpha ^*_{v, w} - \alpha '_{v, w}}(u^k) = z_{v, w}\). Thus, for \(\iota \in [r]\):

$$\begin{aligned} \bar{f}_\iota (u) = \sum _{t \in [k]} u^{t-1} \bar{f}_{\iota , t}(u^k) = \sum _{t \in [k]} u^{t-1} \frac{g_0 - g_{\iota , t}}{\alpha ^*_{\iota , t} - \alpha '_{\iota , t}}(u^k) = \sum _{t \in [k]} u^{t-1} z_{\iota , t} = z_\iota \hspace{5.0pt}. \end{aligned}$$

Now, also by assumption:

$$\begin{aligned} {\textbf {A}} {\textbf {z}} _{0, i} + g_{0, i} {\textbf {e}} _1&= {\textbf {W}} ^{-i} \left( \sum _{(\iota , t)} \alpha ^*_{\iota , t} {\textbf {t}} _{\iota } \right) \\ {\textbf {A}} {\textbf {z}} _{v, w, i} + g_{v, w, i} {\textbf {e}} _1&= {\textbf {W}} ^{-i} \left( \alpha '_{v, w} {\textbf {t}} _v + \sum _{(\iota , t) \ne (v, w)} \alpha ^*_{\iota , t} {\textbf {t}} _{\iota } \right) \\&\Downarrow \\ {\textbf {A}} \left( \frac{{\textbf {z}} _{0, i} - {\textbf {z}} _{v, w, i}}{\alpha ^*_{v, w} - \alpha '_{v, w}} \right) + \left( \frac{g_{0, i} - g_{v, w, i}}{\alpha ^*_{v, w} - \alpha '_{v, w}} \right) \cdot {\textbf {e}} _1&= {\textbf {W}} ^{-(ki + w - 1)} {\textbf {t}} _v \\&\Downarrow \\ {\textbf {A}} \bar{{\textbf {s}} }_{v, ki + w - 1} + \bar{f}_{v, ki + w - 1}{\textbf {e}} _1&= {\textbf {W}} ^{-(ki + w - 1)} {\textbf {t}} _v \hspace{5.0pt}. \end{aligned}$$

Finally, note that \(\left\| \bar{c}_{\iota , i} \bar{{\textbf {s}} }_{\iota , i}\right\| \le 2 N \beta _{s, t} \beta \) by exactly the same reasoning as in Lemma 5.11. \(\square \)

5.4.2 Multiple Evaluations at Distinct Points

Next, we consider the dual problem, namely amortising proving many statements of the form \(f_\iota (u_\iota ) = z_\iota \) for \(\iota \in [r]\) where \(u_1,\ldots ,u_r\) can be potentially distinct. Looking at Lemma 5.5, a large part of the communication complexity is represented by the last round, where the prover has to send openings \({\textbf {s}} _0, \dots , {\textbf {s}} _{d_h}\). We amortise this by taking a random linear combination of these openings. As before, for concrete efficiency reasons, we integrate this within a round of compression.

The relation that we consider is the following:

$$\begin{aligned} \textsf {R} ^r_{d, \beta } {:}{=} \left\{ \left( \begin{array}{c} ({\textbf {A}} , {\textbf {W}} ), \\ ({\textbf {t}} _\iota , u_\iota , z_\iota )_\iota \\ (f_\iota , {\textbf {s}} _{\iota , i})_{\iota , i} \end{array}\right) \Bigg | \begin{array}{c} \forall \iota \in [r] \\ (({\textbf {A}} , {\textbf {W}} ), ({\textbf {t}} _\iota , u_\iota , z_\iota ), (f_\iota , ({\textbf {s}} _{\iota , i})_{i})) \in \textsf {R} _{d, \beta } \end{array} \right\} \hspace{5.0pt}. \end{aligned}$$

The protocol is then described in Fig. 8. We now show that \(\textsf {evalMulti} \) has perfect completeness.

Fig. 8

The protocol \(\textsf {evalMulti} [d, r, k, \mathcal {C}, \beta ]\) for proving evaluations of multiple polynomials at multiple points. In the above \(\text {w}{:}{=} \max _{\varvec{\alpha }\in \mathcal {C}} \left\| \varvec{\alpha }\right\| _1\) and \(d' {:}{=} (d+1)/k -1\)

Lemma 5.16

(Completeness for \(\textsf {evalMulti} \)). Let \(\Pi {:}{=} \textsf {evalMulti} [d, r, k, \mathcal {C}, \beta ]\). Then \(\Pi \) is a \(\varSigma \)-protocol with perfect completeness for \(\textsf {R} ^r_{d, \beta }\).

Proof

For the first verifier check,

$$\begin{aligned} z_\iota = f_\iota (u_\iota ) = \sum _{t \in [k]} u_\iota ^{t-1} h_{\iota , t}(u_\iota ^k) = \sum _{t \in [k]} u_\iota ^{t-1} z_{\iota , t} \hspace{5.0pt}. \end{aligned}$$

Next, we check that \(g_\iota \) evaluates to the correct value.

$$\begin{aligned} g_\iota (u_\iota ^k) = \sum _{t \in [k]} \alpha _{\iota , t} h_{\iota , t}(u_\iota ^k) = \sum _{t \in [k]} \alpha _{\iota , t} z_{\iota , t} \hspace{5.0pt}. \end{aligned}$$

Checking validity of the openings is similarly straightforward:

$$\begin{aligned} {\textbf {A}} {\textbf {z}} _{i} + \left( \sum _{\iota } g_{\iota , i} \right) {\textbf {e}} _1&= {\textbf {A}} \left( \sum _{\iota , t} \alpha _{\iota , t} {\textbf {s}} _{\iota , t, i} \right) + \left( \sum _{\iota , t} \alpha _{\iota , t} h_{\iota , t, i} \right) {\textbf {e}} _1 \\&= \sum _{\iota , t} \alpha _{\iota , t} \left( {\textbf {A}} {\textbf {s}} _{\iota , t, i} + h_{\iota , t, i} {\textbf {e}} _1 \right) \\&= \sum _{\iota , t} \alpha _{\iota , t} \left( {\textbf {A}} {\textbf {s}} _{\iota , ki + t - 1} + f_{\iota , ki + t - 1} {\textbf {e}} _1 \right) \\&= \sum _{\iota , t} \alpha _{\iota , t} \left( {\textbf {W}} ^{-(ki + t - 1)} {\textbf {t}} _\iota \right) \\&= ({\textbf {W}} ^{k})^{-i} \cdot \left( \sum _{\iota , t} \alpha _{\iota , t} {\textbf {W}} ^{-(t - 1)} {\textbf {t}} _\iota \right) \hspace{5.0pt}. \end{aligned}$$

Finally, \(\left\| {\textbf {z}} _i\right\| = \left\| \sum _{\iota , t} \alpha _{\iota , t} {\textbf {s}} _{\iota , t, i}\right\| \le \text {w}\beta \). \(\square \)

For knowledge soundness, we again define a relaxed opening relation, namely:

$$\begin{aligned} \tilde{\textsf {R} }^r_{d, \beta } {:}{=} \left\{ \left( \begin{array}{c} ({\textbf {A}} , {\textbf {W}} ), \\ ({\textbf {t}} _\iota , u_\iota , z_\iota )_\iota \\ (f_\iota , {\textbf {s}} _{\iota , i}, c_{\iota , i})_{\iota , i} \end{array}\right) \Bigg | \begin{array}{c} \forall \iota \in [r] \\ (({\textbf {A}} , {\textbf {W}} ), ({\textbf {t}} _\iota , u_\iota , z_\iota ), (f_\iota , {\textbf {s}} _{\iota , i}, c_{\iota , i})_{\iota ,i}) \in \tilde{\textsf {R} }_{d, \beta , 1} \end{array} \right\} \hspace{5.0pt}. \end{aligned}$$

Lemma 5.17

(Coordinate-Wise Special Soundness for \(\textsf {evalMulti} \)). Let \(\Pi {:}{=} \textsf {evalMulti} [d, r, k, \mathcal {C}, \beta ]\) be the protocol in Fig. 8. Then, \(\Pi \) is an rk-coordinate-wise knowledge sound proof system for \(\tilde{\textsf {R} }^r_{d, 2\beta }\).

Proof

For \(j \in [0, rk]\), consider transcripts of the following form:

$$\begin{aligned} \textsf {tr} _j {:}{=} \left( \begin{array}{c} (z_{\iota , t})_{\iota , t} \\ \varvec{\alpha }_j \\ ((g_{j, \iota })_\iota , ({\textbf {z}} _{j, i})_i) \end{array}\right) \text { with } (\varvec{\alpha }_j)_j \in \textsf{SS}(S_{\beta _\mathcal {C}}, rk) \hspace{5.0pt}, \end{aligned}$$

and again assume, without loss of generality, that the transcripts are arranged so that, for \(j \in [rk]\), \(\varvec{\alpha }_0 \equiv _j \varvec{\alpha }_j\). Reindex and arrange the challenges as in the proof of Lemma 5.15.

Consider the following extractor:

  • \(\underline{\mathcal {E}(\textsf {tr} _0, \dots , \textsf {tr} _{rk})}\):

    1. For \(\iota \in [r], t \in [k]\):

      (a) Set \(\bar{f}_{\iota , t} {:}{=} \frac{g_{0, \iota } - g_{\iota , t, \iota }}{\alpha ^*_{\iota , t} - \alpha '_{\iota , t}}\).

      (b) Set \(\bar{{\textbf {s}} }_{\iota , ki + t - 1} {:}{=} \frac{{\textbf {z}} _{0, i} - {\textbf {z}} _{\iota , t, i}}{\alpha ^*_{\iota , t} - \alpha '_{\iota , t}}\) for \(i \in [0, d']\).

      (c) Set \(\bar{c}_{\iota , ki + t - 1} {:}{=} \alpha ^*_{\iota , t} - \alpha '_{\iota , t}\) for \(i \in [0, d']\).

    2. Set \(\bar{f}_\iota {:}{=} \sum _{t \in [k]} \textsf {X} ^{t-1} \bar{f}_{\iota , t}(\textsf {X} ^k)\) for \(\iota \in [r]\).

    3. Return \((\bar{f}_\iota )_\iota , (\bar{{\textbf {s}} }_{\iota , i})_{\iota , i}, (\bar{c}_{\iota , i})_{\iota , i}\).

Since the transcripts are accepting, we have that \(z_\iota = \sum _{t \in [k]} u_\iota ^{t-1} z_{\iota , t}\) for \(\iota \in [r]\). Also, \(g_{0, \iota }(u_\iota ^k) = \sum _{t \in [k]} \alpha ^*_{\iota , t} z_{\iota , t}\) for \(\iota \in [r]\), and \(g_{v, w, v}(u_v^k) = \alpha '_{v, w} z_{v, w} + \sum _{t \ne w} \alpha ^*_{v, t} z_{v, t}\). Thus, \(\frac{g_{0, v} - g_{v, w, v}}{\alpha ^*_{v, w} - \alpha '_{v,w}}(u_v^k) = z_{v, w}\). Now,

$$\begin{aligned} \bar{f}_\iota (u_\iota ) = \sum _{t \in [k]} u_\iota ^{t-1} \bar{f}_{\iota , t}(u_\iota ^k) = \sum _{t \in [k]} u_\iota ^{t-1} \frac{g_{0} - g_{\iota , t}}{\alpha ^*_{\iota , t} - \alpha '_{\iota , t}}(u_\iota ^k) = \sum _{t \in [k]} u_\iota ^{t-1} z_{\iota , t} = z_\iota \hspace{5.0pt}. \end{aligned}$$

We also have that

$$\begin{aligned} {\textbf {A}} {\textbf {z}} _{0, i} + \left( \sum _{\iota } g_{0, \iota , i}\right) {\textbf {e}} _1&= {\textbf {W}} ^{-ki} \left( \sum _{\iota , t} \alpha ^*_{\iota , t} {\textbf {W}} ^{-(t-1)} {\textbf {t}} _\iota \right) \\ {\textbf {A}} {\textbf {z}} _{v, w, i} + \left( \sum _{\iota } g_{v, w, \iota , i}\right) {\textbf {e}} _1&= {\textbf {W}} ^{-ki} \left( \alpha '_{v, w} {\textbf {W}} ^{-(w-1)} {\textbf {t}} _v + \sum _{\iota , t \ne (v, w)} \alpha ^*_{\iota , t} {\textbf {W}} ^{-(t-1)} {\textbf {t}} _\iota \right) \\&\Downarrow \\ {\textbf {A}} \left( \frac{{\textbf {z}} _{0, i} - {\textbf {z}} _{v, w, i}}{\alpha ^*_{v, w} - \alpha '_{v, w}} \right) + \bar{f}_{v, w, i}{\textbf {e}} _1&= {\textbf {W}} ^{-ki} \left( {\textbf {W}} ^{-(w-1)} {\textbf {t}} _v \right) \\&\Downarrow \\ {\textbf {A}} \bar{{\textbf {s}} }_{v, ki + w - 1} + \bar{f}_{v, ki + w - 1}{\textbf {e}} _1&= {\textbf {W}} ^{-(ki + w - 1)} {\textbf {t}} _v \hspace{5.0pt}. \end{aligned}$$

Finally, \(\left\| \bar{c}_{\iota , ki + t - 1} \bar{{\textbf {s}} }_{\iota , ki + t - 1}\right\| \le \left\| {\textbf {z}} _{0, i}\right\| + \left\| {\textbf {z}} _{\iota , t, i}\right\| \le 2\beta \) as desired. \(\square \)

We can combine these two newly presented protocols with \(\textsf {Eval} \) to obtain a protocol for multiple evaluations. Let \(u_1, \dots , u_r \in \mathcal {R}_q\), and suppose we want to show that \(f_{\iota , m}(u_\iota ) = z_{\iota , m}\) for \(\iota \in [r], m \in [r_\iota ]\) for committed polynomials \((f_{\iota , m})_{\iota , m}\). Write \(\text {w}_s {:}{=} \max _{\varvec{\alpha }\leftarrow S^s_{\beta _\mathcal {C}}} \left\| \varvec{\alpha }\right\| _1\). The combined protocol runs (in parallel) \(\textsf {multiEval} [d, r_\iota , k , S_{\beta _\mathcal {C}}^{r_\iota \cdot k}, \beta ]\) with input \((f_{\iota , m})_{m \in [r_\iota ]}\) for \(\iota \in [r]\). This outputs r claims, which we handle by running \(\textsf {Eval} [d/k, k, S_{\beta _\mathcal {C}}^k, \text {w}_{r_\iota k} \cdot \beta ]\) r times in parallel. Finally, we run a single instance of \(\textsf {multiEval} [d/k^{h+1}, r, k, S_{\beta _\mathcal {C}}^{r k}, (\max _\iota \text {w}_{r_\iota k}) \cdot \text {w}_k^{h}\beta ]\). The final complexity of this protocol is summarised in Table 6.

Table 6 Parameters and complexity of the multi-evaluation protocol

5.5 Honest-Verifier Zero-Knowledge

We provide a linear-sized \(\Sigma \)-protocol for the relation \(\textsf {R} _{d,\beta }\) (c.f. Equation (15)) which satisfies honest-verifier zero-knowledge. Combined with the recursive methodology described above, we can achieve zero-knowledge succinct proofs of polynomial evaluation. The strategy applies identically when proving knowledge of multiple polynomials at the same query point, which resembles [14].

Recall that we want to prove knowledge of the polynomial \(f \in \mathcal {R}_q[\textsf {X} ]\) of degree at most d, and the openings \(({\textbf {s}} _i)_{i \in [0,d]}\) such that \(f(u) = z\) and \({\textbf {A}} {\textbf {s}} _i + f_i{\textbf {e}} _1 = {\textbf {W}} ^{-i}{\textbf {t}} \) and \(\Vert {\textbf {s}} _i\Vert \le \beta \) for \(i=0,1,\ldots ,d\). In addition to the public matrices \(({\textbf {A}} \in \mathcal {R}_q^{n \times m},{\textbf {W}} \in \mathcal {R}_q^{n \times n})\), this time the index \(\mathbb {i}\) contains a short basis \({\textbf {T}} \) such that \({\textbf {B}} {\textbf {T}} = {\textbf {G}} _{n(d+1)}\) where

$$\begin{aligned} {\textbf {B}} {:}{=} \left[ \begin{array}{@{}ccc|c@{}} {\textbf {A}} &{} &{} &{} -{\textbf {G}} \\ &{} \ddots &{} &{} \vdots \\ &{} &{} {\textbf {W}} ^{d} {\textbf {A}} &{} -{\textbf {G}} \end{array}\right] \quad \text {and} \quad \Vert {\textbf {T}} \Vert \le \beta _T \hspace{5.0pt}. \end{aligned}$$
(21)

This is the case when generating the \(\textsf {PowerBASIS} \) commitment in Sect. 4 since the public parameters are indeed of the form \(\textsf {crs} {:}{=} ({\textbf {A}} ,{\textbf {W}} ,{\textbf {T}} )\).

We present the protocol in Fig. 9. The strategy follows the Fiat–Shamir with Aborts paradigm [65] using the generalised rejection sampling from [29]. That is, the prover starts by sampling a uniformly random masking vector \({\textbf {g}} {:}{=} (g_0,\ldots ,g_d) \leftarrow \mathcal {R}_q^{d+1}\), which corresponds to the coefficients of a uniformly random polynomial \(g \in \mathcal {R}_q[\textsf {X} ]\) of degree at most d. Then, the prover runs the \(\textsf {PowerBASIS} \) commitment algorithm for \({\textbf {g}} \) (c.f. Fig. 4). Namely, it samples

$$\begin{aligned} \begin{bmatrix} {\textbf {y}} _0 \\ \vdots \\ {\textbf {y}} _d \\ \hat{{\textbf {t}} }_y \end{bmatrix} \leftarrow \textsf {SamplePre} ({\textbf {B}} , {\textbf {u}} , {\textbf {T}} , \sigma ), \quad \text {where } {\textbf {u}} {:}{=} \begin{bmatrix} -g_0 {\textbf {W}} ^0 {\textbf {e}} _1 \\ \vdots \\ -g_d {\textbf {W}} ^d {\textbf {e}} _1 \end{bmatrix} \hspace{5.0pt}, \end{aligned}$$

and sets \({\textbf {t}} _y {:}{=} {\textbf {G}} \hat{{\textbf {t}} }_y\). The first message sent by the prover is \(({\textbf {t}} _y , v)\) where \(v {:}{=} \sum ^d_{i=0} g_i u^i\) is the evaluation of g at the point u. Then, the verifier picks a challenge \(\alpha \) from the challenge space \(\mathcal {C}{:}{=} S_{\beta _\mathcal {C}}\) of short polynomials of infinity norm at most \(\beta _\mathcal {C}\).

Next, given a challenge \(\alpha \leftarrow \mathcal {C}\) from the verifier, the prover computes

$$\begin{aligned} {\textbf {z}} _i {:}{=} {\textbf {y}} _i + \alpha {\textbf {s}} _i \quad \text {and} \quad h_i {:}{=} g_i + \alpha f_i \quad \text {for } i=0,1,\ldots ,d \hspace{5.0pt}, \end{aligned}$$

and outputs \(({\textbf {z}} _i,h_i)\) after performing the rejection sampling procedure. Note that the distribution of \({\textbf {z}} _i\) can be written alternatively as:

$$\begin{aligned} \begin{bmatrix} {\textbf {z}} _0 \\ \vdots \\ {\textbf {z}} _d \\ \hat{{\textbf {t}} }_z \end{bmatrix} = \begin{bmatrix} {\textbf {y}} _0 \\ \vdots \\ {\textbf {y}} _d \\ \hat{{\textbf {t}} }_y \end{bmatrix} + \alpha \begin{bmatrix} {\textbf {s}} _0 \\ \vdots \\ {\textbf {s}} _d \\ \hat{{\textbf {t}} } \end{bmatrix} \end{aligned}$$
(22)

where

$$\begin{aligned} \begin{bmatrix} {\textbf {y}} _0 \\ \vdots \\ {\textbf {y}} _d \\ \hat{{\textbf {t}} }_y \end{bmatrix} \leftarrow \textsf {SamplePre} \left( \left[ \begin{array}{@{}ccc|c@{}} {\textbf {A}} &{} &{} &{} -{\textbf {G}} \\ &{} \ddots &{} &{} \vdots \\ &{} &{} {\textbf {W}} ^{d} {\textbf {A}} &{} -{\textbf {G}} \end{array}\right] , \begin{bmatrix} -g_0 {\textbf {W}} ^0 {\textbf {e}} _1 \\ \vdots \\ -g_d {\textbf {W}} ^d {\textbf {e}} _1 \end{bmatrix}, {\textbf {T}} , \sigma \right) \end{aligned}$$
(23)

and \(\hat{{\textbf {t}} } = {\textbf {G}} ^{-1}({\textbf {t}} )\). Hence, this vector comes from a shifted discrete Gaussian distribution (over a coset of \(\Lambda ^\perp ({\textbf {B}} )\)), where the norm of the shifted vector can be bounded by:

$$\begin{aligned} \left\| \alpha \begin{bmatrix} {\textbf {s}} _0 \\ \vdots \\ {\textbf {s}} _d \\ \hat{{\textbf {t}} } \end{bmatrix} \right\| \le \beta _\mathcal {C}N \cdot \sqrt{(d+1)\beta ^2 + n{\tilde{q}}N} \hspace{5.0pt}. \end{aligned}$$
(24)

This interpretation will be useful when analysing the rejection sampling algorithm.

Finally, the verifier checks whether

$$\begin{aligned}&{\textbf {A}} {\textbf {z}} _i + h_i {\textbf {e}} _1 = {\textbf {W}} ^{-i}({\textbf {t}} _y + \alpha {\textbf {t}} ) \quad \text {for } i=0,1,\ldots ,d \\&\left\| {\textbf {z}} _i\right\| \le \beta _z \quad \text {for } i=0,1,\ldots ,d \\&\sum ^d_{i=0} h_i u^i = v + \alpha z. \end{aligned}$$

In the following, we give a brief reasoning about completeness, special soundness and honest-verifier zero-knowledge.

Fig. 9 The honest-verifier zero-knowledge \(\varSigma \)-protocol for \(\textsf {R} _{d, \beta }\). Here, \(m' {:}{=} (d+1)m + n{\tilde{q}}\) is the width of the matrix \({\textbf {B}} \) in (21)

Completeness. By careful inspection, we can deduce from the third verification check:

$$\begin{aligned} \sum ^d_{i=0} h_i u^i = \sum ^d_{i=0} g_i u^i + \alpha \sum ^d_{i=0} f_i u^i = v + \alpha z \hspace{5.0pt}, \end{aligned}$$

and from the second verification check:

$$\begin{aligned} {\textbf {A}} {\textbf {z}} _i + h_i{\textbf {e}} _1 = {\textbf {A}} {\textbf {y}} _i + g_i{\textbf {e}} _1 + \alpha ({\textbf {A}} {\textbf {s}} _i + f_i{\textbf {e}} _1) = {\textbf {W}} ^{-i}{\textbf {t}} _y + \alpha {\textbf {W}} ^{-i}{\textbf {t}} = {\textbf {W}} ^{-i}({\textbf {t}} _y + \alpha {\textbf {t}} ). \end{aligned}$$

What we have left to show is shortness of \({\textbf {z}} _i\). Take the standard deviation

$$\begin{aligned} \sigma \ge \max \left( O(\sqrt{\lambda }) \cdot \beta _\mathcal {C}N \cdot \sqrt{(d+1)\beta ^2 + n{\tilde{q}}N}, \beta _T \cdot \omega (\sqrt{N\log tN})\right) \end{aligned}$$
(25)

where \(t = \max (n,m)\). By Lemma 2.16, we can replace the \(\textsf {SamplePre} \) algorithm with sampling directly from a discrete Gaussian. Further, since \(\sigma \) is larger than the norm of the shifted vector in (24) by a factor of \(O(\sqrt{\lambda })\), using rejection sampling (c.f. Lemma 2.19) we force the distribution of \(({\textbf {z}} _0,\ldots ,{\textbf {z}} _d,\hat{{\textbf {t}} }_z)\) from (22) to be a discrete Gaussian on \(\Lambda ^\perp _{\textbf {u}} ({\textbf {B}} )\) where

$$\begin{aligned} {\textbf {u}} {:}{=} \begin{bmatrix} -(g_0 + \alpha f_0) {\textbf {W}} ^0 {\textbf {e}} _1 \\ \vdots \\ -(g_d + \alpha f_d) {\textbf {W}} ^d {\textbf {e}} _1 \end{bmatrix} \hspace{5.0pt}. \end{aligned}$$

Thus, by Lemma 2.8, we can set \(\beta _z {:}{=} \sigma \sqrt{(d+1)mN + n{\tilde{q}}N}\). The correctness error becomes \( \approx 1/M\).

Special soundness. Given two valid transcripts \(({\textbf {t}} _y,v,\alpha ,(z_i,h_i)),({\textbf {t}} _y,v,\alpha ',(z'_i,h'_i))\) with distinct challenges \(\alpha ,\alpha ' \in \mathcal {C}\), we can define

$$\begin{aligned} \bar{{\textbf {s}} }_i {:}{=} \frac{{\textbf {z}} _i - {\textbf {z}} '_i}{\alpha - \alpha '} \quad \text {and} \quad \bar{f}_i {:}{=} \frac{h_i - h'_i}{\alpha - \alpha '} \quad \text {for } i=0,1,\ldots ,d \hspace{5.0pt}. \end{aligned}$$

Note that \(\Vert \alpha - \alpha '\Vert _\infty \le 2\beta _\mathcal {C}\). If \(\beta _\mathcal {C}\) is chosen according to Lemma 2.18 then we deduce that the difference is invertible over \(\mathcal {R}_q\). Further, by construction

$$\begin{aligned} \bar{f}(u) = \sum ^d_{i=0} \bar{f}_i u^i = \frac{1}{\alpha - \alpha '}\sum ^d_{i=0} (h_i - h'_i)u^i = \frac{\alpha z -\alpha ' z }{\alpha - \alpha '} = z \hspace{5.0pt}. \end{aligned}$$

Furthermore, for \(i=0,1,\ldots ,d\) we have \(\Vert (\alpha -\alpha ')\bar{{\textbf {s}} }_i\Vert \le 2\beta _z\) and

$$\begin{aligned} {\textbf {A}} \bar{{\textbf {s}} }_i + \bar{f}_i{\textbf {e}} _1= & {} \frac{1}{\alpha - \alpha '} \left( {\textbf {A}} {\textbf {z}} _i + h_i{\textbf {e}} _1 - ({\textbf {A}} {\textbf {z}} '_i + h'_i{\textbf {e}} _1)\right) \\= & {} \frac{1}{\alpha - \alpha '} \left( \alpha {\textbf {W}} ^{-i}{\textbf {t}} - \alpha '{\textbf {W}} ^{-i}{\textbf {t}} \right) = {\textbf {W}} ^{-i}{\textbf {t}} \hspace{5.0pt}. \end{aligned}$$

Thus, \((\bar{{\textbf {s}} }_0,\ldots ,\bar{{\textbf {s}} }_d)\) along with the message \((\bar{f}_0,\ldots ,\bar{f}_d)\) is a relaxed opening for the \(\textsf {PowerBASIS} \) commitment \({\textbf {t}} \) with the relaxation factor \(\alpha - \alpha '\). Hence, we can extract the witness for the relaxed relation \(\tilde{\textsf {R} }_{d, 2\beta _z,1}\) in (20).

Honest-verifier zero-knowledge. We show how to simulate the transcripts when the verifier behaves honestly. To this end, we prove the following lemma which is almost analogous to [29, Lemma B.8].

Fig. 10 Simulating the transcripts from the \(\Sigma \)-protocol described in Fig. 10

Lemma 5.18

(Honest-Verifier Zero-Knowledge). Let \(\sigma \) be chosen as in (25) where \(t = \max (n,m)\). Then, the output distributions of \(\mathcal {T}\) and \(\mathcal {S}\) in Fig. 10 are statistically indistinguishable.

Proof

We prove the statement via a standard hybrid argument.

  • \(\textsf{Hyb}_0\) is identical to \(\mathcal {T}\) as in Fig. 10.

  • \(\textsf{Hyb}_1\) is identical to \(\textsf{Hyb}_0\), but now we define \(\hat{{\textbf {t}} }_z {:}{=} \hat{{\textbf {t}} }_y + \alpha \hat{{\textbf {t}} }\), where \(\hat{{\textbf {t}} } {:}{=} {\textbf {G}} ^{-1}({\textbf {t}} )\), and compute \({\textbf {t}} _y {:}{=} {\textbf {G}} \hat{{\textbf {t}} }_z - \alpha {\textbf {t}} \). By construction, the output distribution of \(\textsf{Hyb}_1\) is identical to \(\textsf{Hyb}_0\) and

    $$\begin{aligned}{} & {} \begin{bmatrix} {\textbf {z}} _0 \\ \vdots \\ {\textbf {z}} _d \\ \hat{{\textbf {t}} }_z \end{bmatrix} = \begin{bmatrix} {\textbf {y}} _0 \\ \vdots \\ {\textbf {y}} _d \\ \hat{{\textbf {t}} }_y \end{bmatrix} + \alpha \begin{bmatrix} {\textbf {s}} _0 \\ \vdots \\ {\textbf {s}} _d \\ \hat{{\textbf {t}} } \end{bmatrix} \quad \text {where } \begin{bmatrix} {\textbf {y}} _0 \\ \vdots \\ {\textbf {y}} _d \\ \hat{{\textbf {t}} }_y \end{bmatrix}\\{} & {} \quad \leftarrow \textsf {SamplePre} \left( \left[ \begin{array}{@{}ccc|c@{}} {\textbf {A}} &{} &{} &{} -{\textbf {G}} \\ &{} \ddots &{} &{} \vdots \\ &{} &{} {\textbf {W}} ^{d} {\textbf {A}} &{} -{\textbf {G}} \end{array}\right] , \begin{bmatrix} -g_0 {\textbf {W}} ^0 {\textbf {e}} _1 \\ \vdots \\ -g_d {\textbf {W}} ^d {\textbf {e}} _1 \end{bmatrix}, {\textbf {T}} , \sigma \right) \hspace{5.0pt}. \end{aligned}$$

  • \(\textsf{Hyb}_2\) is identical to \(\textsf{Hyb}_1\), but now we compute

    $$\begin{aligned}{} & {} \begin{bmatrix} {\textbf {z}} _0 \\ \vdots \\ {\textbf {z}} _d \\ \hat{{\textbf {t}} }_z \end{bmatrix} = \begin{bmatrix} {\textbf {y}} _0 \\ \vdots \\ {\textbf {y}} _d \\ \hat{{\textbf {t}} }_y \end{bmatrix} + \alpha \begin{bmatrix} {\textbf {s}} _0 \\ \vdots \\ {\textbf {s}} _d \\ \hat{{\textbf {t}} } \end{bmatrix} \quad \text {where } \begin{bmatrix} {\textbf {y}} _0 \\ \vdots \\ {\textbf {y}} _d \\ \hat{{\textbf {t}} }_y \end{bmatrix} \\{} & {} \quad \leftarrow \left[ \begin{array}{@{}ccc|c@{}} {\textbf {A}} &{} &{} &{} -{\textbf {G}} \\ &{} \ddots &{} &{} \vdots \\ &{} &{} {\textbf {W}} ^{d} {\textbf {A}} &{} -{\textbf {G}} \end{array}\right] ^{-1}_\sigma \left( \begin{bmatrix} -g_0 {\textbf {W}} ^0 {\textbf {e}} _1 \\ \vdots \\ -g_d {\textbf {W}} ^d {\textbf {e}} _1 \end{bmatrix}\right) \hspace{5.0pt}. \end{aligned}$$

    By Lemma 2.16, \(\textsf{Hyb}_1\) and \(\textsf{Hyb}_2\) are statistically close.

  • \(\textsf{Hyb}_3\) is identical to \(\textsf{Hyb}_2\), but here we directly sample

    $$\begin{aligned} \begin{bmatrix} {\textbf {z}} _0 \\ \vdots \\ {\textbf {z}} _d \\ \hat{{\textbf {t}} }_z \end{bmatrix} \leftarrow \left[ \begin{array}{@{}ccc|c@{}} {\textbf {A}} &{} &{} &{} -{\textbf {G}} \\ &{} \ddots &{} &{} \vdots \\ &{} &{} {\textbf {W}} ^{d} {\textbf {A}} &{} -{\textbf {G}} \end{array}\right] ^{-1}_\sigma \left( \begin{bmatrix} -(g_0+ \alpha f_0) {\textbf {W}} ^0 {\textbf {e}} _1 \\ \vdots \\ -(g_d+ \alpha f_d) {\textbf {W}} ^d {\textbf {e}} _1 \end{bmatrix}\right) \end{aligned}$$

    and with probability \(1-1/M\) we output \({\textbf {z}} {:}{=} \bot \). By the generalised rejection sampling (c.f. Lemma 2.19), \(\textsf{Hyb}_3\) and \(\textsf{Hyb}_2\) are statistically close.

  • \(\textsf{Hyb}_4\) is identical to \(\textsf{Hyb}_3\), except now we efficiently sample:

    $$\begin{aligned} \begin{bmatrix} {\textbf {z}} _0 \\ \vdots \\ {\textbf {z}} _d \\ \hat{{\textbf {t}} }_z \end{bmatrix} \leftarrow \textsf {SamplePre} \left( \left[ \begin{array}{@{}ccc|c@{}} {\textbf {A}} &{} &{} &{} -{\textbf {G}} \\ &{} \ddots &{} &{} \vdots \\ &{} &{} {\textbf {W}} ^{d} {\textbf {A}} &{} -{\textbf {G}} \end{array}\right] , \begin{bmatrix} -(g_0+ \alpha f_0) {\textbf {W}} ^0 {\textbf {e}} _1 \\ \vdots \\ -(g_d+ \alpha f_d) {\textbf {W}} ^d {\textbf {e}} _1 \end{bmatrix}, {\textbf {T}} , \sigma \right) \hspace{5.0pt}. \end{aligned}$$

    As before, by Lemma 2.16 we deduce that \(\textsf{Hyb}_4\) and \(\textsf{Hyb}_3\) are statistically close.

  • \(\textsf{Hyb}_5\) is identical to \(\textsf{Hyb}_4\), except now we define \(h_i {:}{=} g_i + \alpha f_i\) for \(i=0,1,\ldots ,d\). Thus,

    $$\begin{aligned} \begin{bmatrix} {\textbf {z}} _0 \\ \vdots \\ {\textbf {z}} _d \\ \hat{{\textbf {t}} }_z \end{bmatrix} \leftarrow \textsf {SamplePre} \left( \left[ \begin{array}{@{}ccc|c@{}} {\textbf {A}} &{} &{} &{} -{\textbf {G}} \\ &{} \ddots &{} &{} \vdots \\ &{} &{} {\textbf {W}} ^{d} {\textbf {A}} &{} -{\textbf {G}} \end{array}\right] , \begin{bmatrix} -h_0 {\textbf {W}} ^0 {\textbf {e}} _1 \\ \vdots \\ -h_d {\textbf {W}} ^d {\textbf {e}} _1 \end{bmatrix}, {\textbf {T}} , \sigma \right) \hspace{5.0pt}. \end{aligned}$$

    Furthermore, we set \(v {:}{=} h(u) - \alpha z\). Clearly, the output distributions of \(\textsf{Hyb}_5\) and \(\textsf{Hyb}_4\) are identical.

  • \(\textsf{Hyb}_6\) is identical to \(\textsf{Hyb}_5\), but now we sample each \(h_i \leftarrow \mathcal {R}_q\) uniformly at random. Since in \(\textsf{Hyb}_5\) each \(g_i\) was sampled uniformly at random from \(\mathcal {R}_q\), we conclude that the output distributions of \(\textsf{Hyb}_6\) and \(\textsf{Hyb}_5\) are identical.

Finally, the output distribution of \(\textsf{Hyb}_6\) is identical to the one by \(\mathcal {S}\) which ends the proof. \(\square \)

Remark 5.19

We obtain a succinct zero-knowledge proof of evaluation by modifying the \(\Sigma \)-protocol from Fig. 9, where instead of sending the last message \((z_i,h_i)_{i \in [0,d]}\) in the clear, we prove knowledge of the last message which satisfies the verification equations of the aforementioned protocol using the methodology from Sect. 5.1.

Remark 5.20

As in Sect. 5.4, we can combine the HVZK protocol with one round of folding to minimise the total round complexity, and thus the extracted norm growth. This yields a protocol almost identical to that in [14].

5.6 Polynomial Commitments over Finite Fields

So far we have shown how to commit to and prove evaluations of polynomials over the cyclotomic ring \(\mathcal {R}_q\). We now present how to build polynomial commitments over finite fields of a specific form. This will be useful when combining with Polynomial IOPs to obtain succinct arguments of knowledge.

Suppose q is a prime which satisfies \(q \equiv 2N/l+1 \pmod {4N/l}\) for some positive divisor l of N. Then by [70, Corollary 1.2], the polynomial \(X^N+1\) factors as:

$$\begin{aligned} X^N + 1 \equiv \prod ^{N/l}_{i=1} (X^{l} - r_i) \pmod {q} \end{aligned}$$

for distinct \(r_i \in \mathbb {Z}_q^*\) where all \(X^{l}-r_i\) are irreducible in the ring \(\mathbb {Z}_q[X]\). Further, by the Chinese Remainder Theorem, there exists a ring isomorphism \(\varphi : \mathbb {F}^{N/l} \rightarrow \mathcal {R}_q\) where \(\mathbb {F}\) is a finite field of size \(q^{l}\). Consider the restricted function:

$$\begin{aligned} \varphi _\mathbb {F}: \mathbb {F}&\rightarrow \mathcal {R}_q\\ x&\mapsto \varphi (x,0,\ldots ,0). \end{aligned}$$

By construction, the image of \(\varphi _\mathbb {F}\) can be described as

$$\begin{aligned} \mathcal {S}_q {:}{=} \textsf{Im}(\varphi _\mathbb {F}) = \{\varphi (x,0,\ldots ,0) : x \in \mathbb {F}\} \hspace{5.0pt}. \end{aligned}$$

The following simple lemma states that \(\mathcal {S}_q\) is an ideal of \(\mathcal {R}_q\).

Lemma 5.21

The set \(\mathcal {S}_q \subseteq \mathcal {R}_q\) defined above is an ideal.

Proof

The fact that \(\mathcal {S}_q\) is an additive subgroup of \(\mathcal {R}_q\) follows directly from the additively homomorphic properties of \(\varphi \). Now let \(a \in \mathcal {S}_q\), i.e. \(\varphi (x,0,\ldots ,0) = a\) for some \(x \in \mathbb {F}\). Further, take arbitrary \(\gamma \in \mathcal {R}_q\) and let \((\gamma _1,\ldots ,\gamma _{N/l}) {:}{=} \varphi ^{-1}(\gamma )\). Then, by the multiplicative homomorphism of \(\varphi \) we get

$$\begin{aligned} \gamma \cdot a = \varphi (\gamma _1,\ldots ,\gamma _{N/l}) \cdot \varphi (x,0,\ldots ,0) = \varphi (\gamma _1 x,0,\ldots ,0) = \varphi _\mathbb {F}(\gamma _1 x) \in \mathcal {S}_q \hspace{5.0pt}, \end{aligned}$$

which concludes the proof. \(\square \)

Suppose we want to commit to a polynomial \(F {:}{=} \sum ^d_{i=0} F_i\textsf {X} ^i \in \mathbb {F}[\textsf {X} ]\) of degree at most d, and prove evaluation \(F(x)=y\) for \(x,y \in \mathbb {F}\). By the homomorphic property of \(\varphi _\mathbb {F}\), this is equivalent to proving \(f(u) = z\) over \(\mathcal {R}_q\) where

$$\begin{aligned} {\left\{ \begin{array}{ll} f[\textsf {X} ] = \sum ^d_{i=0} \varphi _\mathbb {F}(F_i) \textsf {X} ^i \in \mathcal {S}_q[\textsf {X} ] \\ u = \varphi _\mathbb {F}(x) \in \mathcal {S}_q \\ z = \varphi _\mathbb {F}(y) \in \mathcal {S}_q \end{array}\right. }\hspace{5.0pt}. \end{aligned}$$

Hence, we can commit to the polynomial \(f \in \mathcal {R}_q[\textsf {X} ]\) and prove that f evaluates to z at the point u as before. What is new is that we additionally need to prove that the coefficients of f indeed lie in \(\mathcal {S}_q\). Therefore, we are interested in a stronger relation:

$$\begin{aligned} \left\{ \left( ({\textbf {A}} , {\textbf {W}} ),({\textbf {t}} , u, z),(f,({\textbf {s}} _i)_i) \right) \bigg | \begin{array}{c} f(u) = z \wedge f \in \mathcal {S}_q[\textsf {X} ]\\ \forall i \in [0, d], {\textbf {A}} {\textbf {s}} _i + f_i{\textbf {e}} _1 = {\textbf {W}} ^{-i}{\textbf {t}} \\ \wedge \left\| {\textbf {s}} _i\right\| \le \beta \end{array} \right\} \hspace{5.0pt}. \end{aligned}$$
(26)
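To make the embedding concrete, here is an added Python example (not code from the paper) using the constructed toy parameters N = 8, l = 4, q = 13, for which \(X^8 + 1 \equiv (X^4 - 5)(X^4 - 8) \pmod {13}\) and \(\mathbb {F} = \mathbb {F}_{13^4}\). It builds \(\varphi \) and \(\varphi ^{-1}\) from CRT idempotents, checks the ideal property of Lemma 5.21, and lifts an evaluation \(F(x) = y\) over \(\mathbb {F}\) to \(f(u) = z\) over \(\mathcal {R}_q\) as in (26); all sample coefficients below are constructed.

```python
# Added example (not from the paper): a toy instance of the CRT embedding of Sect. 5.6.
# Constructed parameters: N = 8, l = 4, q = 13, so q = 5 mod 8 = 2N/l + 1 mod 4N/l,
# X^8 + 1 = (X^4 - 5)(X^4 - 8) mod 13, and F = F_q[X]/(X^4 - r_1) is the field F_{13^4}.
N, L, Q = 8, 4, 13

def reduce_mod_xn_plus_1(coeffs):
    """Reduce an integer coefficient list modulo X^N + 1 and q (an element of R_q)."""
    out = [0] * N
    for j, c in enumerate(coeffs):
        k, e = divmod(j, N)
        out[e] = (out[e] + (-1) ** k * c) % Q
    return out

def reduce_mod_xl_minus_r(coeffs, r):
    """Reduce modulo (X^l - r) by substituting X^l -> r (an element of F_q[X]/(X^l - r))."""
    out = [0] * L
    for j, c in enumerate(coeffs):
        k, e = divmod(j, L)
        out[e] = (out[e] + pow(r, k, Q) * c) % Q
    return out

def poly_mul(a, b, reduce_fn):
    prod = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] += ai * bj
    return reduce_fn(prod)

def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

# The r_i are the roots of X^{N/l} + 1 mod q, i.e. r_i^{N/l} = -1.  Here ROOTS == [5, 8].
ROOTS = [r for r in range(Q) if pow(r, N // L, Q) == Q - 1]

def ring_mul(a, b):               # multiplication in R_q
    return poly_mul(a, b, reduce_mod_xn_plus_1)

def field_mul(a, b, r=ROOTS[0]):  # multiplication in F, realised in the first CRT slot
    return poly_mul(a, b, lambda p: reduce_mod_xl_minus_r(p, r))

def phi_inverse(a):
    """CRT decomposition R_q -> F^{N/l}: slot i is a mod (X^l - r_i)."""
    return [reduce_mod_xl_minus_r(a, r) for r in ROOTS]

def _idempotents():
    """e_i = prod_{j!=i}(X^l - r_j) / prod_{j!=i}(r_i - r_j): equals 1 in slot i, 0 elsewhere."""
    idem = []
    for i, ri in enumerate(ROOTS):
        num, denom = [1], 1
        for j, rj in enumerate(ROOTS):
            if j != i:
                num = ring_mul(num, [(-rj) % Q] + [0] * (L - 1) + [1])  # times (X^l - r_j)
                denom = denom * (ri - rj) % Q
        idem.append([c * pow(denom, -1, Q) % Q for c in num])
    return idem

IDEMPOTENTS = _idempotents()

def phi(slots):
    """CRT recombination F^{N/l} -> R_q, the inverse of phi_inverse."""
    acc = [0] * N
    for slot, e in zip(slots, IDEMPOTENTS):
        acc = poly_add(acc, ring_mul(slot, e))
    return acc

def phi_F(x):
    """phi_F(x) = phi(x, 0, ..., 0); its image is the ideal S_q of Lemma 5.21."""
    return phi([x] + [[0] * L] * (N // L - 1))

def in_S_q(a):
    """Membership test for S_q: every CRT slot except the first is zero."""
    return all(c == 0 for slot in phi_inverse(a)[1:] for c in slot)

def horner(coeffs, point, mul, zero):
    acc = zero
    for c in reversed(coeffs):
        acc = poly_add(mul(acc, point), c)
    return acc

def lifted_evaluation_matches(F_coeffs, x):
    """Lift F in F[X] and x in F to f, u as in (26); check f(u) = phi_F(F(x)) and f in S_q[X]."""
    f = [phi_F(c) for c in F_coeffs]
    u = phi_F(x)
    z = horner(f, u, ring_mul, [0] * N)          # f(u) over R_q
    y = horner(F_coeffs, x, field_mul, [0] * L)  # F(x) over F
    return z == phi_F(y) and all(in_S_q(c) for c in f)

def ideal_property_holds(gamma, x):
    """Lemma 5.21: gamma * phi_F(x) = phi_F(gamma_1 * x) lies in S_q for arbitrary gamma in R_q."""
    gamma_1 = phi_inverse(gamma)[0]
    prod = ring_mul(gamma, phi_F(x))
    return in_S_q(prod) and prod == phi_F(field_mul(gamma_1, x))
```

The verifier-side check added in this section is exactly `in_S_q` applied to each coefficient the prover sends.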

We show how to modify the protocol in Fig. 6 to accommodate this change. Actually, the interaction between the prover and the verifier stays the same, but the verifier additionally checks whether the final polynomial \(f_h \in \mathcal {R}_q[\textsf {X} ]\) sent by the prover has coefficients in \(\mathcal {S}_q\).

Completeness follows by induction. We start with the initial polynomial \(f_0 {:}{=} f \in \mathcal {S}_q[\textsf {X} ]\). Then for each \(r \in [h]\), the prover computes the polynomial \(f_r \in \mathcal {R}_q[\textsf {X} ]\) as a linear combination of “partial terms” of \(f_{r-1}\):

$$\begin{aligned} f_r {:}{=} \sum _{t \in [k]} \alpha _{r, t} f_{r-1, t} \hspace{5.0pt}. \end{aligned}$$

If \(f_{r-1} \in \mathcal {S}_q[\textsf {X} ]\), then by Lemma 5.21 we deduce that \(f_{r} \in \mathcal {S}_q[\textsf {X} ]\).

To argue (coordinate-wise) special soundness, consider the extractor in the proof of Lemma 5.6. The coefficients of the extracted polynomial f are computed as

$$\begin{aligned} f_{2i} {:}{=} \frac{\alpha _1 g_{0, i} - \alpha _0 g_{1, i}}{\alpha _1 - \alpha _0},\quad f_{2i+1} {:}{=} \frac{g_{0, i} - g_{1, i}}{\alpha _0 - \alpha _1} \quad \text {for } i \in [0, d/2] \hspace{5.0pt}. \end{aligned}$$

If the polynomials \(g_0\) and \(g_1\) have coefficients in \(\mathcal {S}_q\), then again by Lemma 5.21 we can deduce that \(f \in \mathcal {S}_q[\textsf {X} ]\). An identical argument holds when analysing Lemma 5.11.

Finally, to support honest-verifier zero-knowledge in Fig. 9, we let the prover pick uniformly random elements \(g_i\) from \(\mathcal {S}_q\) instead of \(\mathcal {R}_q\) in order to fully mask the coefficients \(f_i\). Thus, by construction and Lemma 5.21, \(h_i = g_i + \alpha f_i \in \mathcal {S}_q\) for all \(i=0,\ldots ,d\). Hence, the verifier additionally performs the check whether coefficients \(h_i\) lie in \(\mathcal {S}_q\).

Remark 5.22

This technique can be extended to simultaneously prove \(N/\ell \) polynomial evaluations and it was recently used in [25, Section 7].

6 Concrete Instantiation and Applications to Marlin

As described in Sect. 2, we pick a prime modulus \(q \equiv 5 \pmod 8\), and thus \(\ell = N/2\).

Hardness of \(\textsf {PowerBASIS} \). In parameter selection, we make a heuristic assumption that \(\textsf {PowerBASIS} \) is exactly as hard as \(\textsf {MSIS} \). Hence, one should treat our computed sizes only as intuition on how practical the polynomial commitment is.

In the literature, the hardness of \(\textsf {MSIS} \) problems is often analysed in the same way as plain SIS since, so far, the best known attacks do not make use of the algebraic structure of the polynomial ring [6]. We follow the methodology from Dilithium [42, Appendix C]. That is, \(\textsf {MSIS} _{n,m,N,q,\beta }\) for matrix \({\textbf {A}} \) is equivalent to finding a non-trivial vector of norm smaller than \(\beta \) in the lattice \(\Lambda {:}{=} \Lambda ^\perp ({\textbf {A}} )\). In order to find short non-trivial vectors in \(\Lambda \), we apply the Block-Korkine-Zolotarev algorithm (BKZ) [36, 77]. As a subroutine, BKZ uses an algorithm for the shortest vector problem (SVP) in lattices of dimension b, where b is called the block size. If we apply the best known algorithm for solving SVP with no memory constraints by Becker et al. [16], the time required by BKZ to run on the mN-dimensional lattice \(\Lambda \) with block size b is given by \(8mN\cdot 2^{0.292b+16.4}\) (one also considers a more conservative variant with runtime \(2^{0.292b}\)). The algorithm outputs a vector of norm \(\delta ^{mN}_{\textsf{rhf}}\det (\Lambda )^{\frac{1}{mN}}\) where \(\delta _{\textsf{rhf}}\) is the root Hermite factor, given by

$$\begin{aligned} \delta _{\textsf{rhf}} = \left( \frac{b(\pi b)^{1/b}}{2\pi e}\right) ^{\frac{1}{2(b-1)}} \hspace{5.0pt}. \end{aligned}$$
(27)

For our usual parameter selection, the probability that a random matrix \({\textbf {A}} \in \mathcal {R}_q^{n\times m}\) is of full rank is overwhelming (see [45, Appendix C]) and thus \(\det (\Lambda ) = q^{nN}.\) Next, Micciancio and Regev [74] show that

$$\begin{aligned} \delta ^{mN}_{\textsf{rhf}}\det (\Lambda )^{\frac{1}{mN}} = \delta ^{mN}_{\textsf{rhf}}q^{\frac{nN}{mN}} \ge 2^{2\sqrt{nN \log q \log \delta }} \end{aligned}$$

and the equality holds when \(mN = \sqrt{nN\log q/\log \delta }\). Hence, given a bound \(\beta < q\) we compute \(\delta _{\textsf{rhf}}\) from the equation \(\beta = 2^{2\sqrt{nN \log q \log \delta }}\). Next, we calculate the minimum block size b from Equation (27), and thus we get the total time for BKZ to solve \(\textsf{MSIS}_{n,m,N,q,\beta }\). Hereafter, we will refer to the “aggressive strategy” to set \(\textsf {PowerBASIS} \) as the one using the estimate from Becker et al. [16], and to the “conservative strategy” as the one using \(2^{0.292b}\).
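The estimate just described, carried out step by step as an added Python example (not the paper's own script): \(\log \delta \) is solved from \(\beta = 2^{2\sqrt{nN \log q \log \delta }}\), the minimum block size from (27), and both the aggressive and the conservative BKZ costs are returned as bit-security. The search range for b (the formula (27) is only decreasing for block sizes above roughly 40) and the sample parameters in the test are assumptions, not values from the paper's tables.

```python
# Added example (not from the paper): MSIS cost estimate following the Dilithium methodology
# quoted above.  All logarithms are base 2; beta is the l2-norm bound of the MSIS instance.
import math

def root_hermite_factor(b):
    """Equation (27): delta_rhf as a function of the BKZ block size b."""
    return (b * (math.pi * b) ** (1.0 / b) / (2 * math.pi * math.e)) ** (1.0 / (2 * (b - 1)))

def target_delta(n, N, q, beta):
    """Solve beta = 2^{2 sqrt(nN log q log delta)} for delta; requires beta < q."""
    if beta >= q:
        raise ValueError("beta must be smaller than q (otherwise q*e_1 is a trivial solution)")
    log_delta = math.log2(beta) ** 2 / (4 * n * N * math.log2(q))
    return 2.0 ** log_delta

def optimal_dimension(n, N, q, delta):
    """The lattice dimension mN at which the Micciancio-Regev bound is tight."""
    return math.sqrt(n * N * math.log2(q) / math.log2(delta))

# Assumption: (27) is monotonically decreasing only from about b = 40 onwards, so we search
# above that; B_MAX merely bounds the binary search.
B_MIN, B_MAX = 50, 1 << 20

def min_block_size(delta):
    """Smallest block size b with delta_rhf(b) <= delta, by binary search on (27)."""
    if root_hermite_factor(B_MIN) <= delta:
        return B_MIN  # the bound is so loose that the instance is broken by tiny block sizes
    if root_hermite_factor(B_MAX) > delta:
        raise ValueError("target delta not reachable with block size <= B_MAX")
    lo, hi = B_MIN, B_MAX  # invariant: rhf(lo) > delta >= rhf(hi)
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if root_hermite_factor(mid) <= delta:
            hi = mid
        else:
            lo = mid
    return hi

def msis_security_bits(n, m, N, q, beta, conservative=False):
    """log2 of the BKZ cost for MSIS_{n,m,N,q,beta} on the mN-dimensional lattice Lambda^perp(A)."""
    b = min_block_size(target_delta(n, N, q, beta))
    if conservative:  # "conservative strategy": 2^{0.292 b}
        return 0.292 * b
    # "aggressive strategy": 8mN * 2^{0.292 b + 16.4} (Becker et al. sieving estimate)
    return math.log2(8 * m * N) + 0.292 * b + 16.4

if __name__ == "__main__":
    # Constructed sample instance, not a parameter set from the paper.
    n, m, N, q, beta = 1, 4, 256, 2 ** 32, 15900
    delta = target_delta(n, N, q, beta)
    print(f"delta_rhf target = {delta:.6f}, block size = {min_block_size(delta)}, "
          f"optimal dim = {optimal_dimension(n, N, q, delta):.0f}")
    print(f"aggressive: {msis_security_bits(n, m, N, q, beta):.1f} bits, "
          f"conservative: {msis_security_bits(n, m, N, q, beta, True):.1f} bits")
```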

Parameters. Using a combination of randomised and exhaustive search, we found parameters for the schemes in Theorem 5.9 and Theorem 5.13. In Table 7 we detail the parameters obtained for the scheme presented in Theorem 5.13 and in Table 8 for that in Theorem 5.9. We also make use of the techniques in [4, Sec 5.5, Sec 6] to further optimise the parameters. Namely, we use the transformation therein to convert our polynomial commitment scheme to one that supports prime order fields, and we use deterministic preimage sampling (since in this section we are not concerned with zero-knowledge). All the tables use the “aggressive strategy” to set parameters. We stress that these parameters are presented to give the reader an indication of the concrete efficiency of the scheme. The commitments have sizes on the order of hundreds of kilobytes, while evaluation proofs are on the order of a few megabytes, and so are larger than desirable in most applications. We also emphasise that the assumption that \(\textsf {PowerBASIS} \) is as hard as \(\textsf {MSIS} \) is a heuristic, and thus, until this heuristic is backed or disproved by sufficient cryptanalysis, the sizes should be considered as an optimistic lower bound.

Table 7 Parameters and concrete sizes for the polynomial commitment described in Theorem 5.13
Table 8 Parameters and concrete sizes for the interactive polynomial commitment in Theorem 5.9

Applications to Polynomial IOPs. Marlin [37] is a widely deployed preprocessing zkSNARK. Like many modern constructions, Marlin is built by combining two ingredients:

  • a polynomial interactive oracle proof (PIOP) (therein an algebraic holographic proof);

  • and a polynomial commitment scheme.

An interactive oracle proof (IOP) is a generalisation of both probabilistically checkable proofs and interactive proofs. Informally, they are interactive protocols between a prover and a verifier, in which the prover sends oracle messages, which the verifier is allowed to not read in their entirety. A PIOP is simply an IOP where the prover messages are guaranteed to be (low degree) polynomials. IOPs and PIOPs are information-theoretic objects, and as such inherit a number of efficiency limitations (for example, IOP proof lengths are required to be at least linear in the size of the instance), but can be compiled using cryptography (see [18]) to obtain arguments that are both asymptotically and concretely efficient. Informally, to compile a PIOP into an interactive argument, the prover can commit to each polynomial oracle using a polynomial commitment scheme, and then prove to the verifier that the evaluations (at points chosen by the verifier) are as claimed. Then, to obtain a NARK, we can apply the Fiat–Shamir transformation to this interactive protocol. We can thus aim to use our polynomial commitment scheme in Theorem 5.13 as an ingredient of Marlin to obtain a zkSNARK for R1CS. Let d denote the size of the R1CS instance that we aim to prove. As detailed in [37, Section 9], Marlin after compilation has commitments to 19 total polynomials of degree at most 6d. The prover then has to produce 19 evaluation proofs for these polynomials, at three distinct points. We can thus apply the techniques in Sect. 5.4 to batch evaluations together and amortise the cost of the last round. In Table 9 we compute parameters for Marlin instantiated using our polynomial commitment scheme and the PIOP therein described. Again, these sizes are meant to give a rough estimate of the concrete efficiency of the scheme, and the same caveats apply as with the polynomial commitment scheme. We also note that Marlin operates over fields with a large multiplicative (or additive) subgroup with smooth order, which imposes an additional requirement on the size of q. Since our moduli are again quite large, this additional requirement is immaterial.

Table 9 Parameters and concrete sizes for Marlin when instantiated with the commitment described in Theorem 5.13 with amortisation as in Table 6

7 Coordinate-Wise Special Soundness Implies Knowledge Soundness

In this section we show that coordinate-wise special soundness implies knowledge soundness for multi-round protocols by extending the techniques presented in [7, 8] (cf. Lemma 2.31). We also show that our knowledge extractor is exponentially more efficient than the generic extractor introduced by Attema et al. [11]. The intuition behind this efficiency is that the extractor samples challenges in a certain way that is the most plausible for having a monotone structure. For reference, we will use the same terminology as in [7, Section 6.4]. We always use \(\ell \) to denote the number of coordinates, and we define a challenge space \(\mathcal {C}{:}{=} S^\ell \) for this and the following section.

7.1 \(\Sigma \)-Protocols

We start by considering three-round public coin interactive proofs, i.e. \(\Sigma \)-protocols. Namely, let \(\mathcal {A}: \mathcal {C}\rightarrow \{0,1\}^*\) be an arbitrary (probabilistic) algorithm, and \(V: \mathcal {C}\times \{0,1\}^* \rightarrow \{0,1\}\) be the verification function. Then, \(\mathcal {A}\) has a naturally defined success probability:

$$\begin{aligned} \epsilon ^V(\mathcal {A}) {:}{=} \Pr _{{\textbf {c}} \leftarrow \mathcal {C}}[V({\textbf {c}} ,\mathcal {A}({\textbf {c}} )) = 1]. \end{aligned}$$

The standard interpretation is that \(\mathcal {A}\) is a malicious prover, which tries to convince the verifier of the underlying \(\Sigma \)-protocol.

The following lemma describes how to extract from CWSS \(\Sigma \)-protocols. The proof methodology is identical to [7, Lemma 6.5].

Lemma 7.1

Let \(k,\ell \in \mathbb {N}\), and S be a finite set of cardinality N. Define \(\mathcal {C}{:}{=} S^\ell \) and take any verification function \(V: \mathcal {C}\times \{0,1\}^* \rightarrow \{0,1\}\). Then there exists an oracle algorithm \(\mathcal {E}\) with the following properties: the algorithm \(\mathcal {E}^\mathcal {A}\), given oracle access to a (probabilistic) algorithm \(\mathcal {A}: \mathcal {C}\rightarrow \{0,1\}^*\), requires an expected number of at most \(\ell (k-1)+1\) queries to \(\mathcal {A}\) and with probability at least

$$\begin{aligned} \epsilon ^V(\mathcal {A}) - \frac{\ell (k-1)}{N} \end{aligned}$$

outputs \(\ell (k-1)+1\) pairs \(({\textbf {c}} _0,y_0),\ldots ,({\textbf {c}} _{\ell (k-1)},y_{\ell (k-1)})\) such that \(V({\textbf {c}} _i,y_i)=1\) for all \(i \in [0,\ell (k-1)]\) and \(\{{\textbf {c}} _0,\ldots ,{\textbf {c}} _{\ell (k-1)}\} \in \textsf{SS}(S,\ell ,k)\).

Proof

The extractor \(\mathcal {E}^\mathcal {A}\) is defined in Fig. 11. We denote by \({\textbf {C}} _0{:}{=} (C_{0,1},\ldots ,C_{0,\ell })\) the random variable for the first challenge sampled by \(\mathcal {E}\). Also, we denote \(\Gamma = V({\textbf {C}} _0,\mathcal {A}({\textbf {C}} _0))\). In particular, \(\Pr [\Gamma = 1] = \epsilon ^V(\mathcal {A})\).

Fig. 11 Knowledge extractor for the proof of Lemma 7.1

Let T be the number of \(\mathcal {A}\)-queries made by \(\mathcal {E}\). For \(i \in [\ell ]\), define \(T_i\) to be the number of queries made during the i-th iteration of the loop. By linearity of expectation, we have \(\mathbb {E}\left[{T}\right] = 1 + \sum ^\ell _{i=1} \mathbb {E}\left[{T_i}\right]\). Also, if \(\Gamma = 0\) then \(T_i = 0\). Moreover, to bound \(\mathbb {E}\left[{T_i}\right]\), we reuse the results from [7] and write \(\mathbb {E}\left[{T_i}\right] \le k - 1\). Therefore, \(\mathbb {E}\left[{T}\right] \le 1 + \ell (k-1)\).

We now move to the success probability of \(\mathcal {E}^\mathcal {A}\). Define the random variable \(X_i {:}{=} | \{x \in S : V({\textbf {C}} _i(x), \mathcal {A}({\textbf {C}} _i(x))) = 1\}|\), where \({\textbf {C}} _i(x) {:}{=} (C_{0,1},\ldots ,C_{0,i-1},x,C_{0,i+1},\ldots ,C_{0,\ell })\). Note that the extractor succeeds with probability \( \Pr [\Gamma = 1 \wedge (\wedge ^\ell _{i=1} X_i \ge k)]\). Now, by the union bound we have

$$\begin{aligned} \Pr [\Gamma = 1 \wedge (\wedge ^\ell _{i=1} X_i \ge k)]&= \Pr [\Gamma =1] - \Pr [\Gamma =1 \wedge (\vee ^\ell _{i=1} X_i \le k-1)] \\&\ge \Pr [\Gamma =1] - \sum ^\ell _{i=1} \Pr [\Gamma = 1 \wedge X_i \le k-1] \\&\ge \Pr [\Gamma =1] - \sum ^\ell _{i=1} \Pr \left[{\Gamma = 1}\,\Bigg \vert \,{X_i \le k-1}\right]\cdot \Pr \left[{X_i \le k - 1}\right] \\&\ge \Pr [\Gamma =1] - \frac{\ell (k-1)}{N}. \end{aligned}$$

The statement follows by recalling that \(\Pr [\Gamma = 1] = \epsilon ^V(\mathcal {A})\). \(\square \)

7.2 Multi-Round Protocols

Next, we move on to \((2\mu +1)\)-round interactive proofs. To this end, we consider an arbitrary probabilistic algorithm \(\mathcal {A}: \mathcal {C}\times \cdots \times \mathcal {C}\rightarrow \{0,1\}^*\), and a verification function \(V : \mathcal {C}\times \cdots \times \mathcal {C}\times \{0,1\}^* \rightarrow \{0,1\}\). Similarly as before, we define

$$\begin{aligned} \epsilon ^V(\mathcal {A}) {:}{=} \Pr \left[ V(\bar{{\textbf {c}} },\mathcal {A}(\bar{{\textbf {c}} })) = 1\right] , \end{aligned}$$

where \(\bar{{\textbf {c}} } \leftarrow \mathcal {C}^\mu \).

Now, the goal of the extractor is, given oracle access to \(\mathcal {A}\), to efficiently extract a tree of transcripts, as in Definition 2.30. We will follow the footsteps of [7, Lemma 6.6] and recursively use Lemma 7.1 for the \(\Sigma \)-protocol case.

Lemma 7.2

Let \(k, \ell , \mu \in \mathbb {N}\), and S be a finite set of cardinality N. Define \(\mathcal {C}{:}{=} S^\ell \) and take any verification function \(V: \mathcal {C}\times \cdots \times \mathcal {C}\times \{0,1\}^* \rightarrow \{0,1\}\). Then there exists an oracle algorithm \(\mathcal {E}\) with the following properties: the algorithm \(\mathcal {E}^\mathcal {A}\), given oracle access to a (probabilistic) algorithm \(\mathcal {A}: \mathcal {C}\times \cdots \times \mathcal {C}\rightarrow \{0,1\}^*\), requires an expected number of at most \(K {:}{=} (\ell (k-1)+1)^\mu \) queries to \(\mathcal {A}\) and with probability at least

$$\begin{aligned} \epsilon ^V(\mathcal {A}) - \mu \cdot \frac{\ell (k-1)}{N} \end{aligned}$$

outputs K pairs \(({\textbf {c}} _i,y_i)_{i \in [K]}\) such that \(V({\textbf {c}} _i,y_i)=1\) for all \(i \in [K]\) and \(({\textbf {c}} _i)_{i \in [K]}\) form a tree of challenges as described in Definition 2.30.

Proof

We prove the statement by induction on \(\mu \ge 1\). For \(\mu =1\), we can apply Lemma 7.1. Hence, assume the lemma holds for \(\mu = M \ge 1\) and focus on the case \(\mu = M+1\).

For \({\textbf {c}} \in \mathcal {C}\), we define \(\mathcal {A}_{\textbf {c}} \) to be the algorithm, which takes input \(({\textbf {c}} ^{(2)},\ldots ,{\textbf {c}} ^{(\mu )}) \in \mathcal {C}^{\mu -1}\), and outputs \(\mathcal {A}({\textbf {c}} ,{\textbf {c}} ^{(2)},\ldots ,{\textbf {c}} ^{(\mu )})\). We similarly define a verification function \(V_{\textbf {c}} \) as \(V_{\textbf {c}} ({\textbf {c}} ^{(2)},\ldots ,{\textbf {c}} ^{(\mu )},y) {:}{=} V({\textbf {c}} ,{\textbf {c}} ^{(2)},\ldots ,{\textbf {c}} ^{(\mu )},y)\). By the induction hypothesis, there exists an extractor \(\mathcal {E}^{\mathcal {A}_{\textbf {c}} }_{\mu -1}\), that given oracle access to \(\mathcal {A}_{\textbf {c}} \), outputs a set \(\mathcal {Y}\) of \(K' {:}{=} (\ell (k-1)+1)^{\mu -1}\) pairs \(({\textbf {c}} _i,y_i) \in \mathcal {C}^{\mu -1} \times \{0,1\}^*\), such that \(V_{\textbf {c}} ({\textbf {c}} _i,y_i) = 1\) for all \(i \in [K']\) and \(({\textbf {c}} _i)_{i \in [K']}\) form a tree of challenge vectors of level \(\mu -1\), with probability at least

$$\begin{aligned} \epsilon ^{V_{\textbf {c}} }(\mathcal {A}_{\textbf {c}} ) - (\mu -1) \cdot \frac{\ell (k-1)}{N}, \end{aligned}$$

and makes at most \(K'\) queries to \(\mathcal {A}_{\textbf {c}} \). Now, we define \(W : \mathcal {C}\times \{0,1\}^* \rightarrow \{0,1\}\) as \(W({\textbf {c}} ,\mathcal {Y})=1\) if and only if \(\mathcal {Y}\) satisfies all the properties above. Further, define \(\mathcal {B}^\mathcal {A}: \mathcal {C}\rightarrow \{0,1\}^*\) to be the algorithm, which takes as input \({\textbf {c}} \in \mathcal {C}\), and runs \(\mathcal {E}^{\mathcal {A}_{\textbf {c}} }_{\mu -1}\). By Lemma 7.1, there is an extractor \(\mathcal {E}^{\mathcal {B}^\mathcal {A}}_1\) that aims to output \(\ell (k-1)+1\) pairs \(({\textbf {c}} ^{(1)}_0,\mathcal {Y}_0), \ldots , ({\textbf {c}} ^{(1)}_{\ell (k-1)},\mathcal {Y}_{\ell (k-1)})\) such that \(W({\textbf {c}} ^{(1)}_i,\mathcal {Y}_i)=1\) for \(i \in [0,\ell (k-1)]\) and \(({\textbf {c}} ^{(1)}_i)_{i \in [0,\ell (k-1)]} \in \textsf{SS}(S,\ell ,k)\). Note that such a set of \(\ell (k-1)+1\) trees of challenges is also a tree of challenges of level \(\mu \). Thus, we define the extractor \(\mathcal {E}^\mathcal {A}\) to simply run \(\mathcal {E}^{\mathcal {B}^\mathcal {A}}_1\).

We first discuss the expected number of queries to \(\mathcal {A}\) made by \(\mathcal {E}\). By Lemma 7.1, \(\mathcal {E}^{\mathcal {B}^\mathcal {A}}_1\) makes at most \(\ell (k-1)+1\) queries to \(\mathcal {B}^\mathcal {A}\) in expectation. Then, by the induction hypothesis, each call to \(\mathcal {B}^\mathcal {A}\) makes at most \(K'\) calls to \(\mathcal {A}\) in expectation. Hence, the total expected number of \(\mathcal {A}\)-queries is at most \((\ell (k-1)+1)K' = (\ell (k-1)+1)^\mu \). As for the success probability, we know from Lemma 7.1 and the induction hypothesis that \(\mathcal {E}^{\mathcal {B}^\mathcal {A}}_1\) succeeds with probability at least \(\epsilon '\) where

$$\begin{aligned} \epsilon '&\ge \epsilon ^W(\mathcal {B}^\mathcal {A}) - \frac{\ell (k-1)}{N} \\&\ge \mathbb {E}_{\textbf {c}} \left[ \Pr [\mathcal {E}^{\mathcal {A}_{\textbf {c}} }_{\mu -1} \ne \bot ]\right] - \frac{\ell (k-1)}{N} \\&\ge \mathbb {E}_{\textbf {c}} \left[ \epsilon ^{V_{\textbf {c}} }(\mathcal {A}_{\textbf {c}} ) - (\mu -1)\frac{\ell (k-1)}{N}\right] - \frac{\ell (k-1)}{N} \\&\ge \epsilon ^{V}(\mathcal {A}) - \mu \frac{\ell (k-1)}{N}, \end{aligned}$$

which concludes the proof. \(\square \)

Finally, Lemma 2.31 follows straightforwardly from Lemma 7.2.

7.3 Comparison with the Generic Extractor

The notion of coordinate-wise special soundness is a specific case of the general notion of \(\varGamma \)-out-of-\(\mathcal {C}\) special soundness introduced by Attema et al. [11]. We follow their notation and definitions in this section. In their work, a generic knowledge extractor for \(\varGamma \)-out-of-\(\mathcal {C}\) special-sound protocols is presented. As they note, as long as the expected runtime of the generic knowledge extractor is polynomial, \(\varGamma \)-out-of-\(\mathcal {C}\) special soundness implies knowledge soundness. Although the generic extractor is useful in many settings, we show that, for a set S and \(\ell ,k \in \mathbb {N}\) with \(\ell > 1\), when the generic extractor is run to obtain a set of accepting challenges \(C \in \varGamma \subseteq 2^{\mathcal {C}}\), where the challenge set is \(\mathcal {C}{:}{=} S^\ell \) and

$$\begin{aligned} \varGamma {:}{=} \left\{ C :\exists X \in \textsf{SS}(S,\ell ,k), X \subseteq C \right\} \hspace{5.0pt}, \end{aligned}$$

it is not guaranteed that the generic extractor can output the witness in expected polynomial time. Notice that \(\varGamma \) denotes the monotone structure here.

To that end, let us first recall two crucial definitions from [11]: the set of useful elements and the t-value. Then, we prove a lower bound on the t-value, which shows that the upper bound on the expected runtime of the generic extractor is not useful for proving knowledge soundness in our setting.

Definition 7.3

(Useful Elements, [11]). For a monotone structure \((\varGamma , \mathcal {C})\), we define the following function:

$$\begin{aligned} U_\varGamma :2^\mathcal {C}\rightarrow 2^\mathcal {C}, X \mapsto \left\{ c \in \mathcal {C}\setminus X :\exists A \in \varGamma \;s.t.\; X \subset A \wedge A \setminus \left\{ c\right\} \notin \varGamma \right\} \hspace{5.0pt}. \end{aligned}$$

Definition 7.4

(t-value, [11]). Let \((\varGamma , \mathcal {C})\) be a monotone structure and \(X\subseteq \mathcal {C}\). Then

$$\begin{aligned} t_\varGamma (X) {:}{=} \max \left\{ t \in \mathbb {N}_0 :\begin{array}{c} \exists c_1,\ldots ,c_t \in \mathcal {C}\; s.t.\\ \forall i, c_i \in U_\varGamma (X \cup \left\{ c_1,\ldots ,c_{i-1}\right\} ) \end{array} \right\} \hspace{5.0pt}. \end{aligned}$$

Further,

$$\begin{aligned} t_\varGamma {:}{=} t_\varGamma (\emptyset )\hspace{5.0pt}. \end{aligned}$$

We aim to find a bound for \(t_\varGamma \) since Lemma 5 from [11] states that the expected runtime of the generic extractor is upper bounded by \(2t_\varGamma - 1\). For simplicity, let \(k=2\). We claim that \(t_\varGamma \ge |S|^{\ell - 1} + 1\).

For \(d, d'\in S, d\ne d',\) and \({\textbf {v}} = (v_2, \ldots , v_\ell ) \in S^{\ell -1}\), consider the sets

$$\begin{aligned} \mathcal {A}_d {:}{=} \left\{ d\right\} \times S^{\ell - 1} \text { and } \mathcal {B}_{d',{\textbf {v}} } {:}{=} \left\{ (d', {\textbf {v}} )\right\} \hspace{5.0pt}. \end{aligned}$$

Although \(\mathcal {B}_{d',{\textbf {v}} }\) has only one member, it is convenient for our proof to use set notation. Now, notice that \(t_\varGamma \) is defined on the longest possible sequence of challenges such that each challenge is in the set of useful elements of all the previous ones. We argue that, for \(d, d'\in S, d\ne d',\) and \({\textbf {v}} = (v_2, \ldots , v_\ell ) \in S^{\ell -1}\), the challenge sequence

$$\begin{aligned} {\textbf {c}} _1, \ldots , {\textbf {c}} _t, \quad \forall i \in [t-1], \; {\textbf {c}} _i \in \mathcal {A}_d, \quad {\textbf {c}} _t \in \mathcal {B}_{d',{\textbf {v}} }, \end{aligned}$$

fulfills the mentioned conditions, where \(t {:}{=} |\mathcal {A}_d| + 1 \). This implies that \(t_\varGamma \ge |\mathcal {A}_d| + 1 = |S|^{\ell - 1} + 1 \ge \frac{|\mathcal {C}|}{|S|}\). We are left to prove that the specified sequence meets the constraint in the definition of \(t_\varGamma \). First, observe that,

$$\begin{aligned} \forall d,d'\in S, d\ne d', \forall (d, {\textbf {v}} ) \in \mathcal {A}_d \implies \mathcal {A}_d \cup \mathcal {B}_{d',{\textbf {v}} } \in \varGamma \wedge \mathcal {A}_d \cup \mathcal {B}_{d',{\textbf {v}} } \setminus \{(d, {\textbf {v}} )\} \notin \varGamma \hspace{5.0pt}. \end{aligned}$$

Hence, \(\mathcal {A}_d \subseteq U_\varGamma (\emptyset )\). Similarly, for any \(T \subseteq \mathcal {A}_d\),

$$\begin{aligned} \forall d,d'\in S, d\ne d', \forall (d, {\textbf {v}} ) \in \mathcal {A}_d \setminus T \implies \mathcal {A}_d \cup \mathcal {B}_{d',{\textbf {v}} } \in \varGamma \wedge \mathcal {A}_d \cup \mathcal {B}_{d',{\textbf {v}} } \setminus \{(d, {\textbf {v}} )\} \notin \varGamma \hspace{5.0pt}. \end{aligned}$$

So, \(\mathcal {A}_d\setminus T \subseteq U_\varGamma (T)\). Finally, given that \(|\mathcal {B}_{d',{\textbf {v}} }| = 1\), for any \({\textbf {v}} \in S^{\ell -1}\),

$$\begin{aligned} \forall d,d'\in S, d\ne d', \forall {\textbf {v}} \in S^{\ell -1} \implies \mathcal {A}_d \cup \mathcal {B}_{d',{\textbf {v}} } \in \varGamma \wedge \mathcal {A}_d \notin \varGamma \hspace{5.0pt}. \end{aligned}$$

Therefore, \(\mathcal {B}_{d',{\textbf {v}} } \subseteq U_\varGamma (\mathcal {A}_d)\). So, a sequence of all members of \(\mathcal {A}_d\) (with any order) followed by the only member of \(\mathcal {B}_{d',{\textbf {v}} }\) is a valid sequence for \(t_\varGamma \).

In summary, we proved that the expected runtime of the generic extractor can be almost as big as the challenge space for a coordinate-wise special-sound protocol (and thus it could be super-polynomial in the security parameter). Consequently, we cannot argue knowledge soundness for the protocol by leveraging \(\varGamma \)-out-of-\(\mathcal {C}\) special soundness and the generic extractor.
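The following is an added example, not code from the paper, that works through two objects of this section on a toy challenge space: the coordinate-wise extractor of Lemma 7.1 and the t-value of Definitions 7.3 and 7.4. Two assumptions are made explicit because the page does not fix them: Fig. 11 is not reproduced here, so `cwss_extract` follows the description in the proof of Lemma 7.1 (one initial challenge, then, for each coordinate in turn, resampling that coordinate without replacement until k-1 further accepting transcripts are found); and \(\textsf{SS}(S,\ell ,k)\) is taken to be the family of sets consisting of a base vector plus, for every coordinate i, k-1 vectors that differ from the base only in coordinate i, which is the structure the random variables \(X_i\) in that proof count. The toy prover `adv`, the function names and the brute-force `t_value` are all illustrative; `t_value` enumerates useful sequences literally as in Definition 7.4, so it is only feasible for tiny \(S^\ell \). For \(S=\{0,1\}\), \(\ell =2\), \(k=2\) it returns 3, matching the bound \(|S|^{\ell -1}+1\) of Sect. 7.3 with equality.

```python
"""Added example: coordinate-wise special soundness on a toy challenge space.
Not code from the paper; see the lead-in for the two assumptions made."""
import functools
import itertools
import random


def make_structure(S, ell):
    """Index C = S^ell as bits 0..n-1.  lines[j][i] is the bitmask of the
    challenges that differ from C[j] only in coordinate i."""
    C = list(itertools.product(S, repeat=ell))
    idx = {c: j for j, c in enumerate(C)}
    lines = [[sum(1 << idx[b[:i] + (x,) + b[i + 1:]] for x in S if x != b[i])
              for i in range(ell)] for b in C]
    return C, idx, lines


def in_gamma(mask, lines, k):
    """mask is in Gamma, i.e. contains an SS(S, ell, k) set: some member b of
    mask has at least k-1 members of mask on each of its ell coordinate lines."""
    return any(mask >> j & 1 and all(bin(mask & m).count("1") >= k - 1 for m in row)
               for j, row in enumerate(lines))


def is_ss(chals, S, ell, k):
    """Exact membership in SS(S, ell, k) under the assumed definition."""
    _, idx, lines = make_structure(S, ell)
    mask = 0
    for c in chals:
        mask |= 1 << idx[c]
    return len(set(chals)) == ell * (k - 1) + 1 and in_gamma(mask, lines, k)


def cwss_extract(adv, S, ell, k, rng):
    """Reconstruction of the Lemma 7.1 extractor (assumption, Fig. 11 is not on
    the page).  adv(c) -> (accept, y).  Returns (pairs, queries); pairs is None
    when extraction fails (first challenge rejected, or a line has < k accepts)."""
    c0 = tuple(rng.choice(S) for _ in range(ell))
    acc, y0 = adv(c0)
    queries = 1
    if not acc:
        return None, queries
    pairs = [(c0, y0)]
    for i in range(ell):
        others = [x for x in S if x != c0[i]]
        rng.shuffle(others)                      # sampling without replacement
        found = 0
        for x in others:
            if found == k - 1:
                break
            c = c0[:i] + (x,) + c0[i + 1:]
            acc, y = adv(c)
            queries += 1
            if acc:
                pairs.append((c, y))
                found += 1
        if found < k - 1:
            return None, queries
    return pairs, queries


def useful(X, c, n, lines, k):
    """c in U_Gamma(X) (Definition 7.3): some A in Gamma with X a proper subset
    of A, c in A, and A minus {c} not in Gamma.  c must lie in A, since otherwise
    A minus {c} equals A and is in Gamma."""
    base = X | 1 << c
    rest = ((1 << n) - 1) & ~base
    sub = rest
    while True:                                  # every A = base | sub, sub within rest
        A = base | sub
        if in_gamma(A, lines, k) and not in_gamma(A & ~(1 << c), lines, k):
            return True
        if sub == 0:
            return False
        sub = (sub - 1) & rest


def t_value(S, ell, k):
    """t_Gamma = t_Gamma(empty set) of Definition 7.4 by exhaustive search."""
    C, _, lines = make_structure(S, ell)
    n = len(C)

    @functools.lru_cache(maxsize=None)
    def longest(X):
        if in_gamma(X, lines, k):                # nothing is useful once X is in Gamma
            return 0
        return max((1 + longest(X | 1 << c) for c in range(n)
                    if not X >> c & 1 and useful(X, c, n, lines, k)), default=0)

    return longest(0)


if __name__ == "__main__":
    S, ell, k = list(range(5)), 2, 3
    adv = lambda c: (c[0] != c[1], f"response to {c}")   # toy prover, accepts 4/5 of C
    pairs, q = cwss_extract(adv, S, ell, k, random.Random(1))
    print("extracted:", pairs is not None and is_ss([c for c, _ in pairs], S, ell, k),
          "queries:", q)
    print("t_Gamma for S={0,1}, ell=2, k=2:", t_value([0, 1], 2, 2), "bound:", 2 ** 1 + 1)
```

The toy prover accepts every challenge whose two coordinates differ, so whenever the first challenge is accepted every coordinate line still carries three accepting challenges and extraction succeeds with exactly \(\ell (k-1)+1 = 5\) transcripts; the query count stays at most \(\ell (N-1)+1\), in line with the expected bound of Lemma 7.1. In `t_value`, the recursion stops as soon as the accumulated set lies in \(\varGamma \), since then \(A \setminus \{c\} \supseteq X \in \varGamma \) for every candidate, which is the same observation that makes the sequence in Sect. 7.3 end with the single element of \(\mathcal {B}_{d',{\textbf {v}}}\).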

8 Knowledge Soundness of a Fiat–Shamir-Transformed Coordinate-Wise Special-Sound Multi-round Protocol

In this section, we show that there is an efficient knowledge extractor for the non-interactive protocol obtained by applying the Fiat–Shamir transformation to an \(\ell \)-coordinate-wise k-special-sound multi-round protocol.

In the following, we leverage the approach presented by Attema et al. [10]. Namely, we define and analyze an abstract sampling game where the extractor plays the role of a sampler who tries to find “good” entries. In the meantime, we elaborate on how this game relates to knowledge extraction. For reference, we use notation from [10]. Furthermore, we prove a slightly different version of Lemmata 2 and 5 from [10] for our specific reprogramming of the random oracle. As Lemmata 3 and 6 from [10] are independent of how the random oracle gets reprogrammed, we only use them as they are.

8.1 Analysis of the Abstract Sampling Game

Figure 12 shows the sampling game. Similar to [10], the sequence \(j_1,\ldots , j_U \in \{1,\ldots ,N\}^\ell \) specifies the function table of the random oracle. Notice that the cardinality of the input space of the random oracle is U. Each entry of M determines which first message the deterministic prover would choose and whether the resulting transcript would be accepting. For a given sequence \(j_1,\ldots ,j_U\), we can extract when the following happens. First, \(M(j_1,\ldots ,j_U) = (1, i)\) for some \(i \in \{1,\ldots ,U\}\), and second, reprogramming \(j_i\) to some \(j'_i\) (which differs from \(j_i\) coordinate-wise) sufficiently many times yields \(M(j_1,\ldots ,j'_i,\ldots ,j_U)=(1,i)\). In other words, the prover chooses the same first message when given each of these different function tables of the random oracle, and by coordinate-wise special soundness, it is feasible to extract.

Fig. 12 Abstract sampling game

Similar to [10], we define the functions \(a_{i}, a_{i,l}: \left( \{1,\ldots ,N\}^\ell \right) ^U \rightarrow \mathbb {N}_{\ge 0}\) where

$$\begin{aligned} a_{i,l}&: j \mapsto \left| \left\{ j': \left( \forall (i',l')\in [U]\times [\ell ]\setminus \{(i,l)\}, j'_{i',l'} = j_{i',l'}\right) \wedge M(j') = (1,i) \right\} \right| \hspace{5.0pt}\text {and} \end{aligned}$$
(28)
$$\begin{aligned} a_{i}&: j \mapsto \left| \left\{ j': \left( \forall (i',l')\in [U]\times [\ell ],i'\ne i, j'_{i',l'} = j_{i',l'}\right) \wedge M(j') = (1,i) \right\} \right| \hspace{5.0pt}. \end{aligned}$$
(29)

The value of \(a_{i,l}(j)\) shows how many “good” entries there are on the 1-dimensional subarray of M where only \(j_{i,l}\) is not fixed. Similarly, \(a_{i}(j)\) determines how many “good” entries there are on the \(\ell \)-dimensional subarray of M where the entire tuple \(j_i\) is not fixed. Having these two functions, in the following lemma we establish two essential properties of this game: the probability of “success” and the expected runtime (i.e. the number of samples).

Remark 8.1

We essentially reuse the techniques from [10]. As it is not trivial how one can plug those techniques in, Lemmata 8.2 and 8.3 try to reduce the problem to the problems tackled in [10].

Lemma 8.2

(Abstract Sampling Game). Consider the game in Fig. 12. Let \(J = \left( J_1,...,J_U\right) \) be uniformly distributed in \(\left( \{1,\ldots ,N\}^\ell \right) ^U\), indicating the first entry sampled, and let \((V,I) = M(J_1,\ldots ,J_U)\). Further, for all \(1 \le i \le U\) and \(1 \le l \le \ell \), let \(A_{i,l} = a_{i,l}(J)\) and \(A_{i} = a_{i}(J)\). Moreover, let X be the number of entries of the form (1, i) with \(i=I\) sampled (including the first one), and let \(\varLambda \) be the total number of entries sampled in this game. Then,

$$\begin{aligned} \mathbb {E}\left[{\varLambda }\right]\le & {} 1 + \ell (k - 1) P \;\;\; \text {and}\\ \Pr \left[{X=k}\right]\ge & {} \frac{N}{N-k+1} \left( \Pr \left[{V=1}\right] - P\cdot \frac{\ell (k-1)}{N}\right) \hspace{5.0pt}, \end{aligned}$$

where \(P = \sum _{i=1}^U \Pr \left[{A_i > 0}\right]\).

Proof (of Lemma 8.2)

Expected Number of Samples. Let us first derive the upper bound on the expected value of \(\varLambda \). To this end, let \(X_l'\) be the number of sampled entries of the form (1, i) with \(i=I\) in the \(l^{th}\) iteration of the for loop. Similarly, let \(Y_l'\) denote the number of sampled entries of the form (v, i) with \(v=0\) or \(i\ne I\), again in the \(l^{th}\) iteration. Then \(\varLambda = 1 + \sum _{l=1}^\ell X_l' + \sum _{l=1}^\ell Y_l'\) and for all \(1\le l \le \ell \)

$$\begin{aligned} \Pr \left[{X_l' = 0}\,\Bigg \vert \,{V=0}\right] = \Pr \left[{Y_l'=0}\,\Bigg \vert \,{V=0}\right] = 1\hspace{5.0pt}. \end{aligned}$$

Hence, for all \(1\le l \le \ell \), \(\mathbb {E}\left[{X_l'}\,\Bigg \vert \,{V=0}\right] = \mathbb {E}\left[{Y_l'}\,\Bigg \vert \,{V=0}\right] = 0\). Let us consider the expected value \(\mathbb {E}\left[{Y_l'}\,\Bigg \vert \,{V=1}\right]\) for any \(1\le l \le \ell \). Notice that, conditioned on the event \(V=1 \wedge I=i \wedge A_{i,l} = a\) with \(a > 0\), \(Y_l'\) follows a negative hypergeometric distribution with parameters \(N-1\), \(a-1\), and \(k-1\). Hence, using Lemma 1 from [10],

$$\begin{aligned} \mathbb {E}\left[{Y_l'}\,\Bigg \vert \,{V=1 \wedge I =i \wedge A_{i,l} = a}\right] \le (k-1)\frac{N-a}{a}\hspace{5.0pt}, \end{aligned}$$

and thus, using that \(\Pr \left[{X_l' \le k-1 \vert V=1}\right] = 1\),

$$\begin{aligned} \mathbb {E}\left[{X_l' + Y_l'}\,\Bigg \vert \,{V =1 \wedge I =i \wedge A_{i,l} = a}\right] \le (k-1) + (k-1)\frac{N-a}{a} = (k-1)\frac{N}{a}\hspace{5.0pt}. \end{aligned}$$

On the other hand,

$$\begin{aligned} \Pr \left[{V=1 \wedge I = i}\,\Bigg \vert \,{A_{i,l} = a}\right] = \frac{a}{N}\hspace{5.0pt}, \end{aligned}$$

and thus,

$$\begin{aligned} \Pr \left[{V=1 \wedge I =i \wedge A_{i,l} = a}\right] = \Pr \left[{A_{i,l} = a}\right] \frac{a}{N}\hspace{5.0pt}. \end{aligned}$$
(30)

Since \(\Pr \left[{V=1 \wedge I=i \wedge A_{i,l} = 0}\right] = 0,\) we write

$$\begin{aligned} \Pr \left[{V=1}\right]\cdot \mathbb {E}\left[{X_l'+Y_l'}\,\Bigg \vert \,{V=1}\right]&= \sum _{i=1}^U\sum _{a=1}^N \Pr \left[{V=1 \wedge I = i \wedge A_{i,l} = a}\right] \\&\qquad \qquad \cdot \mathbb {E}\left[{X_l'+Y_l'}\,\Bigg \vert \,{V=1 \wedge I=i \wedge A_{i,l}=a}\right]\\&\le \sum _{i=1}^U\sum _{a=1}^N \Pr \left[{A_{i,l} = a}\right](k-1)\\&= (k-1)\sum _{i=1}^U\Pr \left[{A_{i,l} > 0}\right]\hspace{5.0pt}. \end{aligned}$$

Consequently,

$$\begin{aligned} \mathbb {E}\left[{\varLambda }\right]&= \mathbb {E}\left[{1+\sum _{l=1}^\ell (X_l'+Y_l')}\right]\\&= 1 + \sum _{l=1}^\ell \left( \Pr \left[{V=0}\right]\cdot \mathbb {E}\left[{X_l'+Y_l'}\,\Bigg \vert \,{V=0}\right]+ \Pr \left[{V=1}\right]\cdot \mathbb {E}\left[{X_l'+Y_l'}\,\Bigg \vert \,{V=1}\right]\right) \\&\le 1 + (k-1)\sum _{l=1}^\ell \sum _{i=1}^U\Pr \left[{A_{i,l}> 0}\right]\\&\le 1 + \ell (k-1) \sum _{i=1}^U\Pr \left[{A_{i} > 0}\right]\\&\le 1 + \ell (k-1)P\hspace{5.0pt}, \end{aligned}$$

where we used the fact that for all \(1\le l \le \ell \), \(\Pr \left[{A_{i,l}> 0}\right] \le \Pr \left[{A_{i} > 0}\right]\). Hence, the claimed upper bound on \(\mathbb {E}\left[{\varLambda }\right]\) is proven.

Success Probability. Success happens when for all \(1\le l \le \ell ,\) we have \(X_l'=k-1\). For all \(1\le l \le \ell \), let \(X_l\) be the number of sampled entries of the form (1, i) with \(i = I\) in the \(l^{th}\) iteration of the for loop, plus the single entry sampled outside the loop. Notice that if \(V=1\), for all \(1\le l \le \ell ,\) we have \(X_l \ge 1\) even if we do not sample any other entries of the form (1, i) in the for loop. We are interested in finding a lower bound for \(\Pr \left[{\bigwedge _{l=1}^\ell X_l=k}\right]\).

For all \(1\le l \le \ell \), \(V=0\) implies \(X_l = 0\). Therefore, using \(k>0\), for all \(1\le l \le \ell \), we write \(\Pr \left[{X_l=k}\right] = \Pr \left[{X_l=k \wedge V=1}\right]\) and \(\Pr \left[{\bigwedge _{l=1}^\ell X_l=k}\right] = \Pr \left[{\bigwedge _{l=1}^\ell X_l=k \wedge V=1}\right]\). Therefore, we have

$$\begin{aligned} \Pr \left[{\bigwedge _{l=1}^\ell X_l=k}\,\Bigg \vert \,{V=1}\right]&= \frac{\Pr \left[{\bigwedge _{l=1}^\ell X_l=k}\right]}{\Pr \left[{V=1}\right]} \qquad \text {and}\nonumber \\ \Pr \left[{X_l = k}\,\Bigg \vert \,{V = 1}\right]&= \frac{\Pr \left[{X_l = k}\right]}{\Pr \left[{V=1}\right]}\hspace{5.0pt}. \end{aligned}$$
(31)

Furthermore, since we sample at most \(k-1\) entries of the form (1, i) in each iteration, we can write

$$\begin{aligned} \Pr \left[{\bigwedge _{l=1}^\ell X_l=k}\,\Bigg \vert \,{V=1}\right]&= \left( 1 - \Pr \left[{\bigvee _{l=1}^\ell X_l<k}\,\Bigg \vert \,{V=1}\right]\right) \nonumber \\&\ge \left( 1 - \sum _{l=1}^\ell \Pr \left[{X_l < k}\,\Bigg \vert \,{V=1}\right]\right) \nonumber \\&=\left( 1 - \sum _{l=1}^\ell \left( 1 - \Pr \left[{X_l = k}\,\Bigg \vert \,{V=1}\right]\right) \right) \nonumber \\&= \left( 1 - \sum _{l=1}^\ell \left( 1 - \frac{\Pr \left[{X_l = k}\right]}{\Pr \left[{V=1}\right]}\right) \right) \hspace{5.0pt}, \end{aligned}$$
(32)

where we obtain the first inequality by using a union bound. We need to find a lower bound on \(\Pr \left[{X_l = k}\right]\) for all \(1\le l \le \ell \). Since we have Equation (30), we can reuse the bound shown by Attema et al. [10]. Hence,

$$\begin{aligned} \Pr \left[{X_l=k}\right] \ge \frac{N}{N-k+1}\left( \Pr \left[{V=1}\right] - P_l\cdot \frac{k-1}{N}\right) \hspace{5.0pt}, \end{aligned}$$

where \(P_l = \sum _{i=1}^U\Pr \left[{A_{i,l} > 0}\right]\). By putting this bound back into Equation (32), we obtain

$$\begin{aligned} \Pr \left[{\bigwedge _{l=1}^\ell X_l=k}\,\Bigg \vert \,{V=1}\right]&\ge \left( 1 - \sum _{l=1}^\ell \left( \frac{P_l\cdot (k-1)}{\Pr \left[{V=1}\right]\cdot (N-k+1)} - \frac{k-1}{N-k+1}\right) \right) \\&\ge \left( \frac{N+(\ell -1)(k-1)}{N-k+1} - \frac{\ell \cdot P\cdot (k-1)}{\Pr \left[{V=1}\right]\cdot (N-k+1)}\right) \\&\ge \left( \frac{N}{N-k+1} - \frac{\ell \cdot P\cdot (k-1)}{\Pr \left[{V=1}\right]\cdot (N-k+1)}\right) \\&\ge \frac{N}{N-k+1}\left( 1 - P\frac{\ell (k-1)}{\Pr \left[{V=1}\right]\cdot N}\right) \hspace{5.0pt}, \end{aligned}$$

where \(P = \sum _{i=1}^U\Pr \left[{A_{i} > 0}\right]\). To get the second inequality, we use that for all \(1\le l \le \ell \), \(\Pr \left[{A_{i,l}> 0}\right] \le \Pr \left[{A_{i} > 0}\right]\), and consequently, \(P_l \le P\). Also, \((\ell -1)(k-1) \ge 0\) leads us to the third inequality. Using Equation (31), we have

$$\begin{aligned} \Pr \left[{\bigwedge _{l=1}^\ell X_l=k}\right] \ge \frac{N}{N-k+1}\left( \Pr \left[{V=1}\right] - P\frac{\ell (k-1)}{N}\right) \hspace{5.0pt}, \end{aligned}$$

which completes the proof. \(\square \)
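As an added example, not code from the paper, the script below evaluates the abstract sampling game exactly on a small constructed table M and checks both inequalities of Lemma 8.2 against the exact values. Since Fig. 12 is not reproduced on the page, the game is taken as described above: sample \(J\) uniformly; if \(M(J) = (1, I)\), resample each of the \(\ell \) coordinates of \(J_I\) in turn, without replacement, until \(k-1\) further entries of the form \((1, I)\) are found or that coordinate is exhausted. The table M is generated from a seeded PRNG, with the "prover's" index \(i\) derived from its first oracle answer only so that the two subarrays behave differently; this rule and the accept rate are arbitrary choices for the illustration. Rather than simulating, the script uses the exact mean of the negative hypergeometric draw count, \((k-1)N/a\) when \(a \ge k\) and \(N-1\) otherwise, which is the quantity bounded by \((k-1)N/a\) in the proof, so the comparison is deterministic.

```python
"""Added example: Lemma 8.2 checked exactly on a constructed table M.
Not code from the paper; the table, the index rule and the accept rate are
constructed for the illustration (see lead-in)."""
from fractions import Fraction
from itertools import product
import random


def random_table(N, ell, U, seed, accept_rate):
    """Constructed stand-in for M: maps j = (j_1, ..., j_U), j_i in [N]^ell,
    to (v, i).  The 'prover' picks i from its first oracle answer j_1 only
    (arbitrary rule); v is accepting with the given rate (seeded PRNG)."""
    rng = random.Random(seed)
    coords = list(product(range(1, N + 1), repeat=ell))
    M = {}
    for j in product(coords, repeat=U):
        i = 1 + (sum(j[0]) % U)
        M[j] = (int(rng.random() < accept_rate), i)
    return M


def with_block(j, pos, block):
    """Replace the 0-based block `pos` of j by `block`."""
    return j[:pos] + (block,) + j[pos + 1:]


def a_i(M, j, i, N, ell):
    """Equation (29): entries (1, i) on the ell-dimensional subarray where the
    whole block j_i varies (i is 1-based, as in the text)."""
    return sum(M[with_block(j, i - 1, b)] == (1, i)
               for b in product(range(1, N + 1), repeat=ell))


def a_il(M, j, i, l, N):
    """Equation (28): entries (1, i) on the line where only j_{i,l} varies."""
    blk = j[i - 1]
    return sum(M[with_block(j, i - 1, blk[:l - 1] + (x,) + blk[l:])] == (1, i)
               for x in range(1, N + 1))


def exact_cost(a, N, k):
    """Exact expected number of draws on one line holding a good entries, the
    first of which was already hit: negative hypergeometric mean (k-1)N/a when
    a >= k, otherwise the whole remaining line of N-1 entries is drawn."""
    return Fraction((k - 1) * N, a) if a >= k else Fraction(N - 1)


def analyse(M, N, ell, U, k):
    """Exact Pr[V=1], P, E[Lambda], Pr[success] and the two Lemma 8.2 bounds."""
    n = len(M)
    pv1 = Fraction(sum(v for v, _ in M.values()), n)
    P = sum(Fraction(sum(a_i(M, j, i, N, ell) > 0 for j in M), n)
            for i in range(1, U + 1))
    e_lambda, succ = Fraction(1), Fraction(0)
    for j, (v, i) in M.items():
        if v != 1:                       # rejected first sample: game ends after 1 draw
            continue
        line_counts = [a_il(M, j, i, l, N) for l in range(1, ell + 1)]
        e_lambda += sum(exact_cost(a, N, k) for a in line_counts) / n
        succ += Fraction(int(all(a >= k for a in line_counts)), n)
    return {
        "Pr[V=1]": pv1,
        "P": P,
        "E[Lambda]": e_lambda,
        "E[Lambda] bound": 1 + ell * (k - 1) * P,
        "Pr[success]": succ,
        "Pr[success] bound": Fraction(N, N - k + 1) * (pv1 - P * Fraction(ell * (k - 1), N)),
    }


if __name__ == "__main__":
    N, ell, U, k = 5, 2, 2, 2
    M = random_table(N, ell, U, seed=7, accept_rate=0.9)
    for name, val in analyse(M, N, ell, U, k).items():
        print(f"{name:18} = {float(val):.4f}")
```

Success is exactly the event \(V=1\) and \(a_{I,l}(J) \ge k\) for every \(l\), because sampling without replacement exhausts a line before giving up, so the extractor finds \(k-1\) further good entries on a line if and only if the line holds at least \(k\) of them. With \(N=5\), \(k=2\) the success bound carries the factor \(N/(N-k+1) = 5/4\), and for small tables with large P the right-hand side can be negative, in which case the lemma says nothing about that table; the script reports the exact values so that this can be seen directly.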

Lemma 8.2 states bounds that are sufficient for bounding the knowledge error and the runtime of the knowledge extractor in the case of a Fiat–Shamir-transformed \(\varSigma \)-protocol. However, as noted by Attema et al. [10], to show the knowledge extractor of a Fiat–Shamir-transformed multi-round protocol runs in expected polynomial time, we need a refined analysis of expected runtime of the game. The sub-tree knowledge extractor may have an expensive runtime \(\varGamma \) or a cheap runtime \(\gamma \). We now prove a better bound on runtime for the weighted version of this game which models the cost of sub-tree extractors.

Lemma 8.3

(Abstract Sampling Game - Weighted Version). Consider the game in Fig. 12, as well as a cost function \(\varGamma : \left( \{1,\ldots ,N\}^\ell \right) ^U \rightarrow \mathbb {R}_{\ge 0}\) and a constant cost \(\gamma \in \mathbb {R}_{\ge 0}\). Let \(J = \left( J_1,...,J_U\right) \) be uniformly distributed in \(\left( \{1,\ldots ,N\}^\ell \right) ^U\), indicating the first entry sampled, and let \((V,I) = M(J)\). Further, for all \(1 \le i \le U\), let \(A_i = a_i(J)\), where the function \(a_i\) is as defined in Equation (29).

We define the cost of sampling an entry \(M(j) = (v,i)\) with \(i=I\) to be \(\varGamma (j)\) and the cost of an entry \(M(j) = (v,i)\) with \(i\ne I\) to be \(\gamma \). Let \(\varDelta \) be the total cost of playing this game. Then

$$\begin{aligned} \mathbb {E}\left[{\varDelta }\right] \le \left( 1 + \ell (k-1)\right) \cdot \mathbb {E}\left[{\varGamma (J)}\right] + \ell (k-1)\cdot T\cdot \gamma \hspace{5.0pt}, \end{aligned}$$

where \(T = \sum _{i=1}^U \Pr \left[{I\ne i \wedge A_i > 0}\right] \le P\).

Proof

Let us break the cost \(\varDelta \) down into \(\varDelta _{1}\), \(\varDelta _{2}\), and \(\varDelta _{3}\), defined as follows. \(\varDelta _{1}\) denotes the cost of sampling entries of the form (1, i) with \(i=I\), and \(X_l\) denotes the number of such entries in the \(l^{th}\) iteration. Similarly, \(\varDelta _{2}\) denotes the cost of sampling entries of the form (0, i) with \(i=I\), and \(Y_l\) denotes the number of such entries in the \(l^{th}\) iteration. Finally, \(\varDelta _{3}\) denotes the cost of sampling entries of the form (v, i) with \(i\ne I\), and \(Z_l\) denotes the number of such entries in the \(l^{th}\) iteration. We use \(\varDelta '_{1,l}\) (resp. \(\varDelta '_{2,l}\)) to denote the part of \(\varDelta _{1}\) (resp. \(\varDelta _{2}\)) that is added during the \(l^{th}\) iteration. Clearly, \(\varDelta = \varDelta _1 + \varDelta _2 + \varDelta _3\).

For \(1 \le i \le U\) and \(1 \le l \le \ell \), let us write

$$\begin{aligned} J_{i}^* = \left( J_1, \ldots , J_{i-1}, J_{i+1},\ldots ,J_U\right) \text { and }J_{i,l}^\dag = \left( J_{i,1}, \ldots , J_{i,l-1}, J_{i,l+1},\ldots ,J_{i,\ell }\right) \hspace{5.0pt}, \end{aligned}$$

which are respectively uniformly random with support \(\{1,\ldots ,N\}^{(U-1)\ell }\) and \(\{1,\ldots , N\}^{\ell -1}\). Moreover, for all \(1 \le i \le U\), \(1\le l\le \ell \),

$$\begin{aligned} j^*&= (j_1^*, \ldots , j_{i-1}^*, j_{i+1}^*,\ldots ,j_U^*) \in \{1,\ldots ,N\}^{(U-1)\ell }\hspace{5.0pt}, \text { and}\\ j^\dag&= (j_1^\dag , \ldots , j_{l-1}^\dag , j_{l+1}^\dag ,\ldots ,j_\ell ^\dag ) \in \{1,\ldots ,N\}^{\ell -1}\hspace{5.0pt}, \end{aligned}$$

let \(\varLambda (i,j^*)\) denote the event

$$\begin{aligned} \varLambda (i,j^*)= [I=i\wedge J_{i}^*=j^*] \end{aligned}$$

and \(\varTheta (i,j^*,j^\dag )\) denote the event

$$\begin{aligned} \varTheta (i,j^*,j^\dag )= [\varLambda (i,j^*)\wedge J^\dag _{i,l} = j^\dag ]\hspace{5.0pt}. \end{aligned}$$

Notice that conditioned on the event \(\varLambda (i,j^*),\) all samples are picked from subarray

$$\begin{aligned} M\left( j_1^*, \ldots , j_{i-1}^*, \cdot , j_{i+1}^*,\ldots ,j_U^*\right) \hspace{5.0pt}; \end{aligned}$$

the first one uniformly at random subject to the index I being i, and the remaining ones (if \(V=1\)) uniformly at random (without replacement) for each coordinate. Similarly, conditioned on the event \(\varTheta (i,j^*,j^\dag ),\) the sampling process follows the same criteria, with samples drawn from subarray

$$\begin{aligned} M\left( j_1^*, \ldots , j_{i-1}^*, \left( j_1^\dag , \ldots , j_{l-1}^\dag ,\cdot , j_{l+1}^\dag ,\ldots ,j_\ell ^\dag \right) , j_{i+1}^*,\ldots ,j_U^*\right) \hspace{5.0pt}. \end{aligned}$$

Let us first look into \(\mathbb {E}\left[{\varDelta _{1}}\,\Bigg \vert \,{\varLambda (i,j^*)}\right]\). We notice that for all i,  and \(j^*\) with \(\Pr \left[{\varLambda (i,j^*)}\right] > 0\),

$$\begin{aligned} \mathbb {E}\left[{\varDelta _1}\,\Bigg \vert \,{\varLambda (i,j^*)}\right]&= \Pr \left[{V=1}\,\Bigg \vert \,{\varLambda (i,j^*)}\right]\cdot \mathbb {E}\left[{\varDelta _1}\,\Bigg \vert \,{\varLambda (i,j^*)\wedge V=1}\right] \nonumber \\&\quad + \Pr \left[{V=0}\,\Bigg \vert \,{\varLambda (i,j^*)}\right]\cdot \mathbb {E}\left[{\varDelta _1}\,\Bigg \vert \,{\varLambda (i,j^*)\wedge V=0}\right]\nonumber \\&= \Pr \left[{V=1}\,\Bigg \vert \,{\varLambda (i,j^*)}\right]\cdot \mathbb {E}\left[{\varDelta _1}\,\Bigg \vert \,{\varLambda (i,j^*)\wedge V=1}\right]\nonumber \\&=\Pr \left[{V=1}\,\Bigg \vert \,{\varLambda (i,j^*)}\right]\cdot \mathbb {E}\left[{\sum _l \varDelta '_{1,l}}\,\Bigg \vert \,{\varLambda (i,j^*)\wedge V=1}\right]\nonumber \\&\quad +\Pr \left[{V=1}\,\Bigg \vert \,{\varLambda (i,j^*)}\right]\cdot \mathbb {E}\left[{\varGamma (J)}\,\Bigg \vert \,{\varLambda (i,j^*)\wedge V=1}\right]\nonumber \\&=\sum _l \left( \Pr \left[{V=1}\,\Bigg \vert \,{\varLambda (i,j^*)}\right]\cdot \mathbb {E}\left[{ \varDelta '_{1,l}}\,\Bigg \vert \,{\varLambda (i,j^*)\wedge V=1}\right]\right) \nonumber \\&\quad +\Pr \left[{V=1}\,\Bigg \vert \,{\varLambda (i,j^*)}\right]\cdot \mathbb {E}\left[{\varGamma (J)}\,\Bigg \vert \,{\varLambda (i,j^*)\wedge V=1}\right]\nonumber \\&=\sum _l \mathbb {E}\left[{ \varDelta '_{1,l}}\,\Bigg \vert \,{\varLambda (i,j^*)}\right]\nonumber \\&\quad +\Pr \left[{V=1}\,\Bigg \vert \,{\varLambda (i,j^*)}\right]\cdot \mathbb {E}\left[{\varGamma (J)}\,\Bigg \vert \,{\varLambda (i,j^*)\wedge V=1}\right]\hspace{5.0pt}. \end{aligned}$$
(33)

In the above, we use linearity of expectation and \(\mathbb {E}\left[{ \varDelta '_{1,l}}\,\Bigg \vert \,{\varLambda (i,j^*)\wedge V=0}\right] = 0.\) Moreover, by conditioning on the value of \(X_l\), we have

$$\begin{aligned} \mathbb {E}\left[{ \varDelta '_{1,l}}\,\Bigg \vert \,{\varLambda (i,j^*)}\right] = \sum _{x_l=0}^{N-1}\Pr \left[{X_l=x_l}\,\Bigg \vert \,{\varLambda (i,j^*)}\right]\cdot \mathbb {E}\left[{ \varDelta '_{1,l}}\,\Bigg \vert \,{\varLambda (i,j^*)\wedge X_l=x_l}\right]\hspace{5.0pt}. \end{aligned}$$
(34)

Also,

$$\begin{aligned}&\mathbb {E}\left[{ \varDelta '_{1,l}}\,\Bigg \vert \,{\varLambda (i,j^*)\wedge X_l=x_l}\right] \nonumber \\&\quad =\sum _{j^\dag }\Pr \left[{J_{i,l}^\dag = j^\dag }\,\Bigg \vert \,{\varLambda (i,j^*)\wedge X_l=x_l}\right]\cdot \mathbb {E}\left[{ \varDelta '_{1,l}}\,\Bigg \vert \,{\varTheta (i,j^*,j^\dag )\wedge X_l=x_l}\right]\hspace{5.0pt}. \end{aligned}$$
(35)

Let us try to understand \(\mathbb {E}\left[{ \varDelta '_{1,l}}\,\Bigg \vert \,{\varTheta (i,j^*,j^\dag )\wedge X_l=x_l}\right]\). The condition means that we are sampling only on coordinate l: the rest of the tuple is fixed to \(j^\dag \), and we sample \(x_l\) entries of the form (1, i). In other words, we are looking for a subset of entries of the form (1, i) of size \(x_l\), and since J is not fixed, the sampling process is uniform among such entries. Notice that the probability of choosing any of them is \(x_l\) times larger than the probability of choosing the same entry when the subset had size one. Therefore, the expected total cost is \(x_l\) times the expected cost of sampling only one such entry. We can write the expected cost of sampling only one such entry as \(\mathbb {E}\left[{\varGamma (J)}\,\Bigg \vert \,{\varTheta (i,j^*,j^\dag )\wedge V=1}\right]\). So, we have

$$\begin{aligned} \mathbb {E}\left[{ \varDelta '_{1,l}}\,\Bigg \vert \,{\varTheta (i,j^*,j^\dag )\wedge X_l=x_l}\right] = \mathbb {E}\left[{\varGamma (J)}\,\Bigg \vert \,{\varTheta (i,j^*,j^\dag )\wedge V=1}\right] \cdot x_l \hspace{5.0pt}. \end{aligned}$$

Putting this expression back into Equation (35) and Equation (34), we get

$$\begin{aligned} \mathbb {E}\left[{ \varDelta '_{1,l}}\,\Bigg \vert \,{\varLambda (i,j^*)}\right] = \mathbb {E}\left[{X_l}\,\Bigg \vert \,{\varLambda (i,j^*)}\right]\cdot \mathbb {E}\left[{\varGamma (J)}\,\Bigg \vert \,{\varLambda (i,j^*)\wedge V=1}\right]\hspace{5.0pt}. \end{aligned}$$
(36)

Similarly, for \(\varDelta _2\), we have

$$\begin{aligned} \mathbb {E}\left[{\varDelta _2}\,\Bigg \vert \,{\varLambda (i,j^*)}\right]&=\sum _l \mathbb {E}\left[{\varDelta '_{2,l}}\,\Bigg \vert \,{\varLambda (i,j^*)}\right]\nonumber \\&\quad +\Pr \left[{V=0}\,\Bigg \vert \,{\varLambda (i,j^*)}\right]\cdot \mathbb {E}\left[{\varGamma (J)}\,\Bigg \vert \,{\varLambda (i,j^*)\wedge V=0}\right]\quad \text {and} \end{aligned}$$
(37)
$$\begin{aligned} \mathbb {E}\left[{ \varDelta '_{2,l}}\,\Bigg \vert \,{\varLambda (i,j^*)}\right]&= \mathbb {E}\left[{Y_l}\,\Bigg \vert \,{\varLambda (i,j^*)}\right]\cdot \mathbb {E}\left[{\varGamma (J)}\,\Bigg \vert \,{\varLambda (i,j^*)\wedge V=0}\right]\hspace{5.0pt}. \end{aligned}$$
(38)

Now, our goal is to upper bound \(\mathbb {E}\left[{X_l}\,\Bigg \vert \,{\varLambda (i,j^*)}\right]\) and \(\mathbb {E}\left[{Y_l}\,\Bigg \vert \,{\varLambda (i,j^*)}\right]\). Knowing that \(V=0\) implies \(X_l=0\) and \(V=1\) implies \(X_l \le k\), we write

$$\begin{aligned} \mathbb {E}\left[{X_l}\,\Bigg \vert \,{\varLambda (i,j^*)}\right]&= \Pr \left[{V=0}\,\Bigg \vert \,{\varLambda (i,j^*)}\right]\cdot \mathbb {E}\left[{X_l}\,\Bigg \vert \,{\varLambda (i,j^*)\wedge V=0}\right]\\&\quad +\Pr \left[{V=1}\,\Bigg \vert \,{\varLambda (i,j^*)}\right]\cdot \mathbb {E}\left[{X_l}\,\Bigg \vert \,{\varLambda (i,j^*)\wedge V=1}\right]\\&\le (k-1)\cdot \Pr \left[{V=1}\,\Bigg \vert \,{\varLambda (i,j^*)}\right]\hspace{5.0pt}. \end{aligned}$$

Hence, and using Equation (33) and Equation (36), we have

$$\begin{aligned} \mathbb {E}\left[{\varDelta _1}\,\Bigg \vert \,{\varLambda (i,j^*)}\right]&\le \sum _l (k-1)\cdot \Pr \left[{V=1}\,\Bigg \vert \,{\varLambda (i,j^*)}\right]\cdot \mathbb {E}\left[{\varGamma (J)}\,\Bigg \vert \,{\varLambda (i,j^*)\wedge V=1}\right]\nonumber \\&\quad +\Pr \left[{V=1}\,\Bigg \vert \,{\varLambda (i,j^*)}\right]\cdot \mathbb {E}\left[{\varGamma (J)}\,\Bigg \vert \,{\varLambda (i,j^*)\wedge V=1}\right]\nonumber \\&\le (1+\ell (k-1))\cdot \Pr \left[{V=1}\,\Bigg \vert \,{\varLambda (i,j^*)}\right]\cdot \mathbb {E}\left[{\varGamma (J)}\,\Bigg \vert \,{\varLambda (i,j^*)\wedge V=1}\right]\hspace{5.0pt}. \end{aligned}$$
(39)

Bounding \(\mathbb {E}\left[{Y_l}\,\Bigg \vert \,{\varLambda (i,j^*)}\right]\) is more involved and we need to leverage the functions defined in Equation (28) and Equation (29). For the fixed choice of the index \(1\le i \le U\) and of \(j^* = (j_1^*,\ldots ,j_{i-1}^*,j_{i+1}^*,\ldots , j_{U}^*) \in \{1,\ldots ,N\}^{\ell (U-1)}\), and for all \(1\le l \le \ell \) and \(j^\dag \in \{1,\dots , N\}^{\ell -1}\), we define new parameters

$$\begin{aligned} a&{:}{=} \left| \left\{ j:(v_j,i_j)=M(j_1^*, \ldots , j_{i-1}^*, j,j_{i+1}^*,\ldots ,j_U^*)=(1,i)\right\} \right| \hspace{5.0pt},\nonumber \\ b&{:}{=} \left| \left\{ j:(v_j,i_j)=M(j_1^*, \ldots , j_{i-1}^*, j,j_{i+1}^*,\ldots ,j_U^*)=(0,i)\right\} \right| \hspace{5.0pt},\nonumber \\ a_{l,j^\dag }&{:}{=} \left| \left\{ j:(v_j,i_j)=M\left( \begin{array}{l} j_1^*, \ldots , j_{i-1}^*,\\ \left( \begin{array}{l} j^\dag _1,\ldots ,j^\dag _{l-1},\\ j,\\ j^\dag _{l+1},\ldots ,j^\dag _{\ell } \end{array}\right) \\ ,j_{i+1}^*,\ldots ,j_U^* \end{array}\right) =(1,i)\right\} \right| \hspace{5.0pt}, \text { and}\nonumber \\ b_{l,j^\dag }&{:}{=} \left| \left\{ j:(v_j,i_j)=M\left( \begin{array}{l} j_1^*, \ldots , j_{i-1}^*,\\ \left( \begin{array}{l} j^\dag _1,\ldots ,j^\dag _{l-1},\\ j,\\ j^\dag _{l+1},\ldots ,j^\dag _{\ell } \end{array}\right) \\ ,j_{i+1}^*,\ldots ,j_U^* \end{array}\right) =(0,i)\right\} \right| \hspace{5.0pt}. \end{aligned}$$
(40)

Notice that \(\Pr \left[{V=1}\,\Bigg \vert \,{\varLambda (i,j^*)}\right] = \frac{a}{a+b}\) and \(\Pr \left[{V=0}\,\Bigg \vert \,{\varLambda (i,j^*)}\right] = \frac{b}{a+b}\) for all i and \(j^*\) with \(\Pr \left[{\varLambda (i,j^*)}\right] > 0\). Observe that if we condition on the event \(V=1 \wedge \varLambda (i,j^*)\) (resp. \(V=1 \wedge \varTheta (i,j^*,j^\dag )\)), we implicitly assume that \(a >0\) (resp. \(a_{l,j^\dag } > 0\)). Moreover, \(\sum _{j^\dag } a_{l,j^\dag } = a\) and \(\sum _{j^\dag } b_{l,j^\dag } = b\). Using the fact that \(\mathbb {E}\left[{Y_l}\,\Bigg \vert \,{V=0 \wedge \varLambda (i,j^*)}\right] = 0,\) we have

$$\begin{aligned} \mathbb {E}\left[{Y_l}\,\Bigg \vert \,{\varLambda (i,j^*)}\right] = \frac{a}{a+b}\cdot \mathbb {E}\left[{Y_l}\,\Bigg \vert \,{V=1 \wedge \varLambda (i,j^*)}\right]\hspace{5.0pt}. \end{aligned}$$

Conditioned on \(V=1\wedge \varTheta (i,j^*,j^\dag )\), \(Y_l\) follows a negative hypergeometric distribution with parameters \(a+b-1\), \(a-1\), and \(k-1\). We write

$$\begin{aligned} \mathbb {E}\left[{Y_l}\,\Bigg \vert \,{V=1 \wedge \varLambda (i,j^*)}\right]&= \sum _{j^\dag } \Pr \left[{J^\dag _{i,l}=j^\dag }\,\Bigg \vert \,{V=1 \wedge \varLambda (i,j^*)}\right]\\&\quad \cdot \mathbb {E}\left[{Y_l}\,\Bigg \vert \,{V=1\wedge \varTheta (i,j^*,j^\dag )}\right]\\&=\sum _{j^\dag } \frac{a_{l,j^\dag }}{a}\cdot \mathbb {E}\left[{Y_l}\,\Bigg \vert \,{V=1\wedge \varTheta (i,j^*,j^\dag )}\right]\\&\le \sum _{j^\dag } \frac{a_{l,j^\dag }}{a}\cdot (k-1)\frac{b_{l,j^\dag }}{a_{l,j^\dag }}\hspace{5.0pt}\text {(by [10, Lemma 1])}\\&=(k-1)\frac{b}{a}\hspace{5.0pt}. \end{aligned}$$

This implies that

$$\begin{aligned} \mathbb {E}\left[{Y_l}\,\Bigg \vert \,{\varLambda (i,j^*)}\right] \le (k-1)\cdot \Pr \left[{V=0}\,\Bigg \vert \,{\varLambda (i,j^*)}\right]\hspace{5.0pt}. \end{aligned}$$

Using Equation (37) and Equation (38), we have

$$\begin{aligned} \mathbb {E}\left[{\varDelta _2}\,\Bigg \vert \,{\varLambda (i,j^*)}\right]&\le \sum _l (k-1)\cdot \Pr \left[{V=0}\,\Bigg \vert \,{\varLambda (i,j^*)}\right]\cdot \mathbb {E}\left[{\varGamma (J)}\,\Bigg \vert \,{\varLambda (i,j^*)\wedge V=0}\right]\\&\quad +\Pr \left[{V=0}\,\Bigg \vert \,{\varLambda (i,j^*)}\right]\cdot \mathbb {E}\left[{\varGamma (J)}\,\Bigg \vert \,{\varLambda (i,j^*)\wedge V=0}\right]\\&\le (1+\ell (k-1))\cdot \Pr \left[{V=0}\,\Bigg \vert \,{\varLambda (i,j^*)}\right]\cdot \mathbb {E}\left[{\varGamma (J)}\,\Bigg \vert \,{\varLambda (i,j^*)\wedge V=0}\right]. \end{aligned}$$

Combining with Equation (39), we have

$$\begin{aligned} \mathbb {E}\left[{\varDelta _{1} + \varDelta _{2}}\,\Bigg \vert \,{\varLambda (i,j^*)}\right] \le (1+\ell (k-1))\cdot \mathbb {E}\left[{\varGamma (J)}\,\Bigg \vert \,{\varLambda (i,j^*)}\right]\hspace{5.0pt}. \end{aligned}$$

We can remove the condition \(\varLambda (i,j^*)\) since this inequality holds for all i and \(j^*\) with \(\Pr \left[{\varLambda (i,j^*)}\right] > 0\). Therefore,

$$\begin{aligned} \mathbb {E}\left[{\varDelta _{1} + \varDelta _{2}}\right] \le \left( 1+\ell (k-1)\right) \cdot \mathbb {E}\left[{\varGamma (J)}\right]\hspace{5.0pt}. \end{aligned}$$

The final step is to show \(\mathbb {E}\left[{\varDelta _3}\right] \le \ell (k-1) T \gamma \), or equivalently, \(\mathbb {E}\left[{Z}\right] \le \ell (k-1) T\), where \(Z = \sum _l Z_l\). Again, we follow the approach used previously. We fix a choice of i and \(j^*\) and set the parameters \(a,b,a_{l,j^\dag },\) and \(b_{l,j^\dag }\) as defined in Equation (40). Consequently, conditioned on the event \(V=1\wedge \varTheta (i,j^*,j^\dag )\), \(Z_l\) follows a negative hypergeometric distribution with parameters \(N-b-1\), \(a-1\), and \(k-1\). Therefore, using the bound in Lemma 1 from [10], we have

$$\begin{aligned}&\mathbb {E}\left[{Z_l}\,\Bigg \vert \,{V=1 \wedge \varLambda (i,j^*)}\right] \\&\quad =\sum _{j^\dag } \Pr \left[{J^\dag _{i,l}=j^\dag }\,\Bigg \vert \,{V=1 \wedge \varLambda (i,j^*)}\right] \cdot \mathbb {E}\left[{Z_l}\,\Bigg \vert \,{V=1\wedge \varTheta (i,j^*,j^\dag )}\right]\\&\quad =\sum _{j^\dag } \frac{a_{l,j^\dag }}{a}\cdot \mathbb {E}\left[{Z_l}\,\Bigg \vert \,{V=1\wedge \varTheta (i,j^*,j^\dag )}\right]\\&\quad \le \sum _{j^\dag } \frac{a_{l,j^\dag }}{a}\cdot (k-1)\frac{N-a_{l,j^\dag }-b_{l,j^\dag }}{a_{l,j^\dag }}\\&\quad =(k-1)\frac{N-a-b}{a}\hspace{5.0pt}. \end{aligned}$$

Also, since \(\mathbb {E}\left[{Z_l}\,\Bigg \vert \,{V=0 \wedge \varLambda (i,j^*)}\right] = 0,\) we write

$$\begin{aligned} \mathbb {E}\left[{Z_l}\,\Bigg \vert \,{\varLambda (i,j^*)}\right] \le \frac{a}{a+b}\cdot \mathbb {E}\left[{Z_l}\,\Bigg \vert \,{V=1 \wedge \varLambda (i,j^*)}\right] = (k-1)\frac{N-a-b}{a+b}\hspace{5.0pt}. \end{aligned}$$

Using \(\Pr \left[{I=i}\,\Bigg \vert \,{J_i^*=j^*}\right] = \frac{a+b}{N},\) we have

$$\begin{aligned} \mathbb {E}\left[{Z_l}\,\Bigg \vert \,{\varLambda (i,j^*)}\right] \le (k-1)\cdot \left( \frac{\Pr \left[{I\ne i\wedge J_i^* = j^*}\right]}{\Pr \left[{\varLambda (i,j^*)}\right]}\right) \hspace{5.0pt}, \end{aligned}$$

and since \(Z = \sum _l Z_l\),

$$\begin{aligned} \mathbb {E}\left[{\varDelta _3}\,\Bigg \vert \,{\varLambda (i,j^*)}\right] \le \ell (k-1)\gamma \cdot \left( \frac{\Pr \left[{I\ne i\wedge J_i^* = j^*}\right]}{\Pr \left[{\varLambda (i,j^*)}\right]}\right) \hspace{5.0pt}. \end{aligned}$$

From this point, using exactly the same argument as Attema et al. [10, Lemma 5], we have \(\mathbb {E}\left[{\varDelta _3}\right] \le \ell (k-1)\cdot \gamma \cdot T,\) and the proof is complete. \(\square \)
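
The two negative hypergeometric bounds used above, \(\mathbb {E}\left[{Y_l}\,\Bigg \vert \,{V=1\wedge \varTheta (i,j^*,j^\dag )}\right] \le (k-1)\,b_{l,j^\dag }/a_{l,j^\dag }\) and \(\mathbb {E}\left[{Z_l}\,\Bigg \vert \,{V=1\wedge \varTheta (i,j^*,j^\dag )}\right] \le (k-1)(N-a_{l,j^\dag }-b_{l,j^\dag })/a_{l,j^\dag }\), together with the telescoping over \(j^\dag \) that turns them into \((k-1)\,b/a\) and \((k-1)(N-a-b)/a\), can be checked exactly with a short computation. The following Python script is an added example and is not part of the paper or of [10]: it computes the expectation of a negative hypergeometric variable by recursion on the remaining population, compares it with the standard closed form \(r\,F/(S+1)\) (a population with \(S\) successes and \(F\) failures, counting failures drawn before the \(r\)-th success), and evaluates the mixture over \(j^\dag \) on constructed values of \(a_{l,j^\dag }\) and \(b_{l,j^\dag }\). The function names and the sample values are our own; the constructed values satisfy \(a_{l,j^\dag } \ge k\) so that every conditional expectation is defined.

```python
from fractions import Fraction
from functools import lru_cache


@lru_cache(maxsize=None)
def expected_failures(successes: int, failures: int, needed: int) -> Fraction:
    """Exact expectation of a negative hypergeometric variable: the number of
    'failure' entries drawn uniformly without replacement before the
    `needed`-th 'success' entry appears, from a population holding
    `successes` good and `failures` bad entries.  Requires 0 <= needed <= successes."""
    if needed == 0:
        return Fraction(0)
    if needed > successes:
        raise ValueError("cannot collect more successes than the population holds")
    total = successes + failures
    # Next draw is a success: one fewer success left and one fewer still needed.
    result = Fraction(successes, total) * expected_failures(successes - 1, failures, needed - 1)
    # Next draw is a failure: it costs one and removes one bad entry.
    if failures > 0:
        result += Fraction(failures, total) * (1 + expected_failures(successes, failures - 1, needed))
    return result


def closed_form(successes: int, failures: int, needed: int) -> Fraction:
    """Closed form E[X] = needed * failures / (successes + 1) for the same variable."""
    return Fraction(needed * failures, successes + 1)


def y_l_given_theta(a_j: int, b_j: int, k: int) -> Fraction:
    """E[Y_l | V=1 and Theta(i,j*,j^dag)] with parameters (a_j+b_j-1, a_j-1, k-1):
    a_j-1 remaining entries of the form (1,i), b_j entries of the form (0,i),
    and we stop after k-1 further (1,i) entries.  Expected value (k-1)*b_j/a_j."""
    return expected_failures(a_j - 1, b_j, k - 1)


def z_l_given_theta(N: int, a_j: int, b_j: int, k: int) -> Fraction:
    """E[Z_l | V=1 and Theta(i,j*,j^dag)] with parameters (N-b_j-1, a_j-1, k-1):
    the N-a_j-b_j entries not of the form (., i) play the role of failures.
    Expected value (k-1)*(N-a_j-b_j)/a_j."""
    return expected_failures(a_j - 1, N - a_j - b_j, k - 1)


def y_l_given_v1(pairs, k: int) -> Fraction:
    """E[Y_l | V=1 and Lambda(i,j*)]: mixture over j^dag with weights a_j/a,
    exactly as in the proof.  `pairs` lists constructed (a_{l,j^dag}, b_{l,j^dag}).
    The sum telescopes to (k-1)*b/a."""
    a = sum(a_j for a_j, _ in pairs)
    return sum(Fraction(a_j, a) * y_l_given_theta(a_j, b_j, k) for a_j, b_j in pairs)


def y_l_unconditional(pairs, k: int) -> Fraction:
    """E[Y_l | Lambda(i,j*)] = a/(a+b) * E[Y_l | V=1 and Lambda(i,j*)],
    which the proof bounds by (k-1)*b/(a+b) = (k-1)*Pr[V=0 | Lambda(i,j*)]."""
    a = sum(a_j for a_j, _ in pairs)
    b = sum(b_j for _, b_j in pairs)
    return Fraction(a, a + b) * y_l_given_v1(pairs, k)


if __name__ == "__main__":
    # Constructed sample: three values of j^dag with (a_{l,j^dag}, b_{l,j^dag}) = (3,2), (5,1), (4,4),
    # so a = 12, b = 7, and k = 3 (every a_j >= k).
    pairs = [(3, 2), (5, 1), (4, 4)]
    k = 3
    a, b = sum(p[0] for p in pairs), sum(p[1] for p in pairs)
    for a_j, b_j in pairs:
        assert y_l_given_theta(a_j, b_j, k) == closed_form(a_j - 1, b_j, k - 1)
    print("E[Y_l | V=1, Lambda] =", y_l_given_v1(pairs, k), "  (k-1)*b/a =", Fraction((k - 1) * b, a))
    print("E[Y_l | Lambda]      =", y_l_unconditional(pairs, k), "  (k-1)*b/(a+b) =", Fraction((k - 1) * b, a + b))
    print("E[Z_l | V=1, Theta] for N=20, a_j=5, b_j=3:", z_l_given_theta(20, 5, 3, k))
```

For these parameters the recursion and the closed form agree, so the inequalities quoted from [10, Lemma 1] hold with equality: \(Y_l\) has expectation exactly \((k-1)\,b_{l,j^\dag }/a_{l,j^\dag }\) and \(Z_l\) exactly \((k-1)(N-a_{l,j^\dag }-b_{l,j^\dag })/a_{l,j^\dag }\). The mixture function makes the telescoping step visible: the weights \(a_{l,j^\dag }/a\) cancel the denominators, leaving \((k-1)\,b/a\) regardless of how the \(a\) entries of the form (1, i) are spread over the choices of \(j^\dag \).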

Now, the analysis of the game is complete, and we move forward to knowledge extraction.

8.2 The Knowledge Extractor

This section introduces our knowledge extractor for a Fiat–Shamir-transformed \(\ell \)-coordinate-wise k-special-sound \(\varSigma \)-protocol. One can generalize this extractor to multi-round protocols as done by Attema et al. [10, Section 6]. In the following, we use the notation of Section 4 of [10]. Figure 13 shows our knowledge extractor \(\mathcal {E}\). Instead of answering the query on the first message with, for example, a fresh random value in \(\mathcal {C}{:}{=} S^\ell \), \(\mathcal {E}\) uses new values coordinate by coordinate. Notice that this manner of answering the query on the first message is analogous to our abstract sampling game in Fig. 12.

Fig. 13: Knowledge Extractor \(\mathcal {E}\)

With Lemmata 8.2 and 8.3 and [10, Lemmata 3 and 6] at hand, and using the bounds in Sect. 7, we deduce that the knowledge error and the expected runtime of the extractor for an \(\ell \)-coordinate-wise k-special-sound multi-round protocol degrade by a factor of \(Q+1\) after applying the Fiat–Shamir transformation, and that this factor is independent of the number of rounds.

We note that one can easily generalize this conclusion for a \((\ell _1,\ldots ,\ell _\mu )\)-coordinate-wise \((k_1,\ldots ,k_\mu )\)-special-sound \((2\mu +1)\)-move protocol and the corresponding Fiat–Shamir-transformed protocol. We omit the details here because they do not contain any novel aspects.