Commitments with Efficient Zero-Knowledge Arguments from Subset Sum Problems

Abstract

We present a cryptographic string commitment scheme that is computationally hiding and binding based on (modular) subset sum problems. It is believed that these NP-complete problems provide post-quantum security contrary to the number theory assumptions currently used in cryptography. Using techniques recently introduced by Feneuil, Maire, Rivain and Vergnaud, this simple commitment scheme enables an efficient zero-knowledge proof of knowledge for committed values as well as proofs showing Boolean relations amongst the committed bits. In particular, one can prove that committed bits \(m_0, m_1, ..., m_\ell \) satisfy \(m_0 = C(m_1, ..., m_\ell )\) for any Boolean circuit C (without revealing any information on those bits). The proof system achieves good communication and computational complexity since for a security parameter \(\lambda \), the protocol’s communication complexity is \(\tilde{O}(|C| \lambda + \lambda ^2)\) (compared to \(\tilde{O}(|C| \lambda ^2)\) for the best code-based protocol due to Jain, Krenn, Pietrzak and Tentes).

1 Introduction

A commitment scheme [7] is a cryptographic protocol that enables one party to commit to a value (or set of values) without revealing it, while ensuring that this value cannot be modified. In constructing sophisticated cryptographic protocols, it can be necessary to prove some property of a committed message without revealing anything more than the property itself. This is usually achieved through the use of zero-knowledge proofs of knowledge [14]. This commit-and-prove paradigm [11, 20] is used in many areas of applied cryptography (anonymous credentials, blockchains, electronic voting, ...).

In 1994, Shor [26] introduced a quantum algorithm that could break cryptosystems based on the hardness of factoring large integers or solving discrete logarithm problems. This has emphasized the need for new cryptographic systems, leading to the emergence of a new field, known as post-quantum cryptography, which focuses on creating cryptographic algorithms that are secure against quantum (and classical) computers.

The (modular) subset sum problem is to find, given integers t and q, a subset of given integers \(\gamma _1,\dots ,\gamma _n\), whose sum is t modulo q. This NP-complete problem was used in the 1980 s, following [22], for the construction of several public-key encryption schemes. The majority of those schemes were broken using lattice-based techniques (see [23]), but the problem itself remains unsolvable for specific parameters and is even thought to be intractable for quantum computers. A plethora of cryptographic constructions have been proposed whose security is based on the difficulty of the subset sum problem [1, 15, 21]. In a celebrated paper, Impagliazzo and Naor [15] presented in particular a pseudo-random generator and an elegant bit commitment scheme. We extend the latter to a simple string commitment scheme and provide efficient zero-knowledge proofs for any relation amongst committed values using the recent zero-knowledge proof system proposed by Feneuil, Maire, Rivain, and Vergnaud and based on the MPC-in-the-head paradigm.

Contributions of the Paper

Commitment scheme. We first present a modified version of the bit-commitment based on the subset sum problem proposed in [15]. This new scheme enables commitments to bit-strings and is related to the one from [15] in a similar manner to how the well-known Pedersen commitment scheme [24] is related to preliminary discrete-logarithm based bit-commitments from [9, 10].

The design principle is simple but seems to have been overlooked for more than 30 years (even if similar ideas have been used in lattice-based cryptography). For a security level \(\lambda \in \mathbb {N}\) (i.e. against an adversary making \(2^\lambda \) bit-operations using a \(2^{\lambda /2}\)-bits memory), it enables to commit to bit-strings of length \(\ell \le 2\lambda \) using a \(2\lambda \)-bits modulus q and \((\ell + 2\lambda )\) integers smaller than q. The setup thus requires \(O(\lambda ^2)\) random or pseudo-random bits that can be generated easily using a so-called extendable-output function (XOF). A commitment is a sum of a (randomized) subset of these integers modulo q; therefore, it is of optimal bit-length \(2\lambda \) and can be computed in \(O(\lambda ^2)\) binary operations. The hiding property (i.e. one cannot learn anything about the committed message from the commitment) relies on the hardness of the subset-sum problem, while its binding property (i.e. one cannot open a commitment to two different messages) relies on the hardness of the related weighted knapsack problem. With the proposed parameters, both problems are believed to be resistant to a quantum adversary that makes at most \(2^{\lambda /2}\) qubits operations.

Zero-Knowledge Protocols. Very recently, Feneuil, Maire, Rivain, and Vergnaud [13] proposed zero-knowledge arguments for the subset sum problem. They introduced the idea of artificial abort to the so-called MPC-in-the-head paradigm [16] and achieved an asymptotic improvement by producing arguments of size \(O(\lambda ^2)\). Their protocol readily gives a way to prove knowledge of the committed bit-string without revealing anything about it.

We extend their work to prove that a committed triple \((b_1,b_2,b_3) \in \{0,1\}^3\) satisfy a Boolean relation (e.g. \(b_1 \wedge b_2 = b_3\) or \(b_1 \oplus b_2 = b_3\)) without revealing any additional information about them. The bits can be in arbitrary positions in the same or in different commitments and the proof of the Boolean relation does not add any overhead compared to the basic opening proof. This flexibility allows proving that committed bits \(m_0, m_1, ..., m_\ell \) satisfy \(m_0 = C(m_1, ..., m_\ell )\) for any Boolean circuit C with good communication and computational complexity. Indeed, by packing the commitments of bits on the circuit wires, we obtain a protocol with communication complexity \(\tilde{O}(|C| \lambda + \lambda ^2)\) where \(\vert C \vert \) denotes the number of AND/XOR gates of C. This has to be compared with the code-based protocol due to Jain, Krenn, Pietrzak, and Tentes [17]. They provide a commitment scheme with zero-knowledge proofs from the LPN-assumption (or hardness of decoding a random linear code). This scheme has \(\tilde{O}(|C| \lambda ^2)\) communication complexity and allows only proving Boolean relations bit-wise on binary strings (which may result in a large overhead depending on the circuit considered). There also exist lattice-based constructions of commitment schemes with zero-knowledge proofs [2, 3, 6] but the messages committed are small integers. They can be used to prove the satisfiability of arithmetic circuits but proving the satisfiability of a Boolean circuit with these schemes results in an important overhead in communication and computation.

2 Preliminaries

2.1 Notations

All logarithms are in base 2. We denote the security parameter by \(\lambda \), which is given to all algorithms in the unary form \(1^\lambda \). Unless otherwise stated, algorithms are randomized, and “PPT” stands for “probabilistic polynomial-time” in the security parameter. Random sampling from a finite set X according to the uniform distribution is denoted by \(x \xleftarrow {\$} X\). The symbol \(\xleftarrow {\$}\) is also used for assignments from randomized algorithms, and the symbol \(\leftarrow \) is used for assignments from deterministic algorithms and calculations. For the sake of simplicity, we denote the set of integers \(\{1,\dots ,N\}\) by [1, N].

We denote integer vectors in bold print. A vector composed only of 1’s or 0’s is denoted as \(\boldsymbol{1}\) or \(\boldsymbol{0}\) respectively (its length will be clear within the context). Given two integer vectors of the same length \(\boldsymbol{\gamma }\) and \(\boldsymbol{x}\), \(\langle \boldsymbol{\gamma },\boldsymbol{x} \rangle \) denotes their inner-product. For two bit-strings \(\boldsymbol{x} \in \{0,1\}^n\) and \(\boldsymbol{y} \in \{0,1\}^m\), \((\boldsymbol{x} \Vert \boldsymbol{y}) \in \{0,1\}^{n+m}\) denotes the concatenation of \(\boldsymbol{x}\) and \(\boldsymbol{y}\), and \(\boldsymbol{x}\cdot \boldsymbol{y}\) denotes the component-wise product.

Two distributions \(\{D_\lambda \}_\lambda \) and \(\{\tilde{D}_\lambda \}_\lambda \) are deemed \((t,\epsilon )\)-indistinguishable if, for any algorithm \(\mathcal {A}\) running in time at most \(t(\lambda )\), we have

$$ |\text {Pr}[\mathcal {A}(1^\lambda ,x) = 1 \; | \; x \xleftarrow {\$} D_\lambda ] - \text {Pr}[\mathcal {A}(1^\lambda ,x) = 1 \; | \; x \xleftarrow {\$} \tilde{D}_\lambda ]| \le \epsilon (\lambda ).$$

A \((\ell ,t,\epsilon )\)-pseudo-random generator (PRG) is a deterministic algorithm G that, for all \(\lambda \in \mathbb {N}\), on input a bit-string \(\boldsymbol{x} \in \{0,1\}^\lambda \) outputs \(G(\boldsymbol{x}) \in \{0,1\}^{\ell (\lambda )}\) with \(\ell (\lambda )>\lambda \) such that the distributions \(\{G(\boldsymbol{x}) \; | \; x \xleftarrow {\$}\{0,1\}^\lambda \}_\lambda \) and \(\{\boldsymbol{r} \;| \; \boldsymbol{r} \xleftarrow {\$} \{0,1\}^{\ell (\lambda )}\}_\lambda \) are \((t,\epsilon )\)-indistinguishable. From such a generator, with \(\ell (\lambda ) = 2 \lambda \), it is possible to construct a tree PRG [19], which takes a root \(\boldsymbol{x} \in \{0,1\}^\lambda \) as input and generates \(N = 2^t\) pseudo-random \(\lambda \)-bit strings in a structured fashion as follows: \(\boldsymbol{x}\) is the label of the root of a depth-t complete binary tree in which the right/left child of each node is labeled with the \(\lambda \) most/least significant bits of the output of the PRG applied to the root label. This structure allows revealing \(N-1\) pseudo-random values of the leaves by revealing only \(\log (N)\) labels of the tree (by revealing the labels on the siblings of the paths from the root to this leaf).

2.2 Commitments

Definition 1

(Commitment scheme). A commitment scheme is a triple of PPT algorithms \((\textsf {Setup}, \textsf {Com}, \textsf {Ver})\) such that:

• Setup\((1^\lambda ) \rightarrow \textsf {pp}\). On input \(\lambda \), the setup algorithm outputs the public parameters \(\textsf {pp}\) containing a description of the message space \(\mathcal {M}\).

• \(\textsf {Com}(\textsf {pp},m)\rightarrow (c,\textsf {aux})\). On input \(\textsf {pp}\) and \(m \in \mathcal {M}\), the commit algorithm outputs a commitment-opening pair \((c,\textsf {aux})\).

• \(\textsf {Ver}(\textsf {pp},m,c,\textsf {aux}) \rightarrow b \in \{0,1\}\). On input \(\textsf {pp}\), \(m \in \mathcal {M}\) and \((c,\textsf {aux})\), the verifying (or opening) algorithm outputs a bit \(b \in \{0,1\}\).

Moreover, it satisfies the following correctness property: we have for all \(\lambda \in \mathbb {N}\),

$$\Pr [\textsf {Ver}(\textsf {pp},m,c,\textsf {aux}) = 1 \, \vert \, \textsf {pp} \xleftarrow {\$}\textsf {Setup}(1^\lambda ), m \xleftarrow {\$}\mathcal {M}, (c,\textsf {aux}) \xleftarrow {\$}\textsf {Com}(\textsf {pp},m) ] = 1.$$

There are two security notions underlying a commitment scheme.

Definition 2

Let \(t : \mathbb {N} \rightarrow \mathbb {N}\) and \(\epsilon : \mathbb {N} \rightarrow [0,1]\). A commitment scheme \((\textsf {Setup}, \textsf {Com}, \textsf {Ver})\) is said:

• \((t,\epsilon )\)-computationally hiding if for all two-phases algorithm \(\mathcal {A} = (\mathcal {A}_1,\mathcal {A}_2)\), we have for all \(\lambda \in \mathbb {N}\):

  $$ \Pr \left[ b = b' \, \left| \, \begin{array}{l} \textsf {pp} \xleftarrow {\$}\textsf {Setup}(1^\lambda ), (m_0,m_1,s) \xleftarrow {\$}\mathcal {A}_1(\textsf {pp}), b \xleftarrow {\$}\{0,1\} \\ (c,\textsf {aux}) \xleftarrow {\$}\textsf {Com}(\textsf {pp},m_b), b' \xleftarrow {\$}\mathcal {A}_2(c,s) \end{array} \right. \right] \le \frac{1}{2} + \epsilon (\lambda ) $$

  when \(\mathcal {A}\) runs in time at most \(t(\lambda )\) in this probabilistic computational game.

• \((t,\epsilon )\)-computationally binding if for all algorithm \(\mathcal {A}\), we have for all \(\lambda \in \mathbb {N}\):

  $$ \Pr \left[ \begin{array}{c} m_1 \ne m_2 \\ \textsf {Ver}(pp,m_1,c,aux_1)=1 \\ \textsf {Ver}(pp,m_2,c,aux_2)=1 \end{array} \, \left| \, \begin{array}{l} \textsf {pp} \xleftarrow {\$}\textsf {Setup}(1^\lambda ), \\ (m_1,m_2,\mathsf {aux_1},\mathsf {aux_2},c) \xleftarrow {\$}\mathcal {A}(1^\lambda ,\textsf{pp})\}\end{array} \right. \right] \le \epsilon (\lambda ) $$

  when \(\mathcal {A}\) runs in time at most \(t(\lambda )\) in this probabilistic computational game.

2.3 Zero-Knowledge Arguments

A zero-knowledge protocol for a polynomial-time decidable binary relation \(\mathcal {R}\) is defined by two interactive algorithms, a prover \(\mathcal {P}\) and a verifier \(\mathcal {V}\). Both algorithms are given a common input x, and \(\mathcal {P}\) is given an additional witness w such that \((x,w) \in \mathcal {R}\). The two algorithms then exchange messages until \(\mathcal {V}\) outputs a bit b, with \(b=1\) meaning \(\mathcal {V}\) accepts \(\mathcal {P}\)’s claim and \(b=0\) meaning \(\mathcal {V}\) rejects it. This sequence of messages and the answer b is referred to as a transcript and denoted \(\textrm{View}(\mathcal {P}(x,w),\tilde{\mathcal {V}}(x))\). In this paper, we consider zero-knowledge argument of knowledge which are protocols that allow a PPT prover to convince a PPT verifier that they knows a witness w. There are three security notions underlying a zero-knowledge argument of knowledge.

Definition 3

Let \(t : \mathbb {N} \rightarrow \mathbb {N}\), \(\epsilon ,\alpha , \zeta : \mathbb {N} \rightarrow [0,1]\), and \(\mathcal {R}\) be a polynomial-time decidable binary relation. A zero-knowledge argument \((\mathcal {P},\mathcal {V})\) for \(\mathcal {R}\) achieves:

• \(\alpha \)-completeness, if for all \(\lambda \in \mathbb {N}\) and all \((x,w) \in \mathcal {R}\), with \(x \in \{0,1\}^\lambda \), \(\Pr [\textrm{View}(\mathcal {P}(x,w),\mathcal {V}(x))=1] \ge 1 - \alpha (\lambda )\) (i.e. \(\mathcal {P}\) succeeds in convincing \(\mathcal {V}\), except with probability \(\alpha \)).

• \(\epsilon \)-(special) soundness, if for all PPT algorithm \(\tilde{\mathcal {P}}\) such that for all \(\lambda \in \mathbb {N}\) and all \(x \in \{0,1\}^\lambda \), \(\tilde{\epsilon }(\lambda ):=\text { Pr }[\textrm{View}(\tilde{\mathcal {P}}(x),\mathcal {V}(x))=1]>\epsilon (\lambda ),\) there exists a PPT algorithm \(\mathcal {E}\) (called the extractor) which, given rewindable black-box access to \(\tilde{\mathcal {P}}\) outputs a witness w such that \((x,w) \in \mathcal {R}\) in time \( \textsf {poly}(\lambda , (\tilde{\epsilon }-\epsilon )^{-1})\) with probability at least 1/2.

• \((t,\zeta )\)-zero-knowledge, if for every PPT algorithm \(\tilde{\mathcal {V}}\), there exists a PPT algorithm \(\mathcal {S}\) (called the simulator) which, given the input statement \(x \in \{0,1\}^\lambda \) and rewindable black-box access to \(\tilde{\mathcal {V}}\), outputs a simulated transcript whose distribution is \((t,\zeta )\)-indistinguishable from \(\textrm{View}(\mathcal {P}(x,w),\tilde{\mathcal {V}}(x))\).

2.4 Subset Sum Problems

We define hereafter two variants of the subset sum problem on which the security of our commitment scheme relies. The first one is the standard subset sum problem mentioned in the introduction, while the second one is a slightly stronger assumption that has already been used in cryptography (see, e.g. [5, 27]).

Definition 4

Let \(t : \mathbb {N} \rightarrow \mathbb {N}\) and \(\epsilon : \mathbb {N} \rightarrow [0,1]\). Let \(\ell , m: \mathbb {N} \rightarrow \mathbb {N}\) and \(\textsf {modulus}\) be an algorithm which given \(\lambda \in \mathbb {N}\) outputs an integer q of bit-length \(m(\lambda )\). We consider the two following assumptions:

• \((t,\epsilon )\)-(decision) subset-sum assumption for \((\ell ,m,\textsf {modulus})\): for every algorithm \(\mathcal {A}\), we have for all \(\lambda \in \mathbb {N}\):

  $$ \Pr \left[ \begin{array}{c} b = b' \end{array} \, \left| \, \begin{array}{l} q \xleftarrow {\$}\textsf {modulus}(1^\lambda ), \boldsymbol{\gamma } \xleftarrow {\$}[0,q-1]^{\ell (\lambda )}, \boldsymbol{x} \xleftarrow {\$}\{0,1\}^{\ell (\lambda )}, \\ t_0 = \langle \boldsymbol{\gamma }, \boldsymbol{x} \rangle \bmod q, t_1 \xleftarrow {\$}[0,q-1], b \xleftarrow {\$}\{0,1\}, \\ b' \xleftarrow {\$}\mathcal {A}(1^\lambda ,q,\boldsymbol{\gamma },t_b) \end{array} \right. \right] \le \frac{1}{2} + \epsilon (\lambda ) $$

  when \(\mathcal {A}\) runs in time at most \(t(\lambda )\) in this probabilistic computational game.

• \((t,\epsilon )\)-weighted knapsack assumption for \((\ell ,m,\textsf {modulus})\): for every algorithm \(\mathcal {A}\), we have for all \(\lambda \in \mathbb {N}\):

  $$ \Pr \left[ \begin{array}{c} \langle \boldsymbol{\gamma },\boldsymbol{y} \rangle = 0 \bmod q \\ \boldsymbol{y} \ne \boldsymbol{0} \in \{-1,0,1\}^{\ell (\lambda )} \end{array} \, \left| \, \begin{array}{l} q \xleftarrow {\$}\textsf {modulus}(1^\lambda ), \boldsymbol{\gamma } \xleftarrow {\$}[0,q-1]^{\ell (\lambda )}, \\ \boldsymbol{y} \xleftarrow {\$}\mathcal {A}(1^\lambda ,q,\boldsymbol{\gamma }) \end{array} \right. \right] \le \epsilon (\lambda ) $$

  when \(\mathcal {A}\) runs in time at most \(t(\lambda )\) in this probabilistic computational game.

The search version of the subset sum assumption is polynomial-time equivalent to the decision version stated above. The hardness of these problems depends greatly on the density defined as \(d(\lambda ) = \ell (\lambda )/m(\lambda ).\) If the density is too small (e.g. \(d(\lambda ) < 1/\ell (\lambda )\)) or too large (e.g. \(d(\lambda ) > \ell (\lambda )\)) then both problems can be solved in polynomial time (see e.g. [12] and references therein). Coster, Joux, LaMacchia, Odlyzko, Schnorr, and Stern [12] proved that the subset sum problem can be solved in polynomial-time with a single call to an oracle that can find the shortest vector in a special lattice of dimension \(\ell (\lambda )+1\) if \(d(\lambda ) < 0.9408\) and Li and Ma proved a similar result for the weighted knapsack problem if \(d(\lambda ) < 0.488\). It is worth mentioning that these results do not break the assumptions in polynomial time since the best algorithm for finding the shortest vector in these lattices has computational complexity \(2^{\varTheta (\ell (\lambda ))}\) (and cryptographic protocols relying on these problems with much smaller densities have been proposed, e.g. [21]).

In our construction, we will consider instances of these problems with density \(d(\lambda ) \simeq 1\) (i.e. \(q \simeq 2^{\ell (\lambda )}\)) for the subset sum problem since they are arguably the hardest ones [15]. This will result in instances for the weighted knapsack problem with density \(d(\lambda ) > 1\) and for conservative security, we will restrict ourselves to \(d(\lambda ) \le 2\). In this case, lattice-based algorithms do not work and the best-known algorithms use very clever time-memory tradeoffs with the best algorithm due to Bonnetain, Bricout, Schrottenloher, and Shen [8] having time and memory complexities \(\tilde{O}(2^{0.283 \ell (\lambda )})\). These algorithms neglect the cost to access an exponential memory but even with this optimistic assumption, for \(\ell (\lambda )=256\), all known algorithms require at least a time complexity lower-bounded by \(2^{128}\) operations or a memory of size at least \(2^{64}\) bits. There also exists a vast literature on quantum algorithms for solving these problems (see [8] and references therein) and for \(\ell (\lambda )=256\), the best quantum algorithm requires about \(2^{64}\) quantum operations and quantum memory.

3 String Commitments from Subset Sum Problems

3.1 Design Principle

In this section, we present our modified version of the bit-commitment based on the subset sum problem proposed in [15]. This new scheme enables commitments to bit-strings.

In [10], Brassard, Chaum, and Crépeau introduced the notion of blob, which is very similar to bit commitment, and presented an elegant construction based on the discrete-logarithm problem in groups of known prime order q (see also [9]). The commitment of a single bit consists of a group element (see Fig. 1 (a) for an equivalent form of their commitment). Shortly afterward, Pedersen [24] introduced his celebrated commitment scheme that enables committing to an integer in \(\mathbb {Z}_{q}\) with a single group element (see Fig. 1 (c)). Impagliazzo and Naor [15] proposed a bit-commitment whose hiding and binding security properties rely on the subset sum problem. It has many similarities with the discrete-logarithm-based blob from [9, 10] (see Fig. 1 (b)).

Fig. 1.

Illustration of the Similarities between Commitment Schemes

To build our string commitment scheme, we push this analogy and propose a variant of Pedersen’s protocol based on the subset sum (see Fig. 1 (d)). The design principle is simple and maybe folklore but does not seem to have been published in this form (even if similar ideas have been used in lattice-based cryptography).

3.2 Formal Description and Security Analysis

Let \(\ell , n,m: \mathbb {N} \rightarrow \mathbb {N}\) and let \(\textsf {modulus}\) be an algorithm which given \(\lambda \in \mathbb {N}\) outputs an integer q of bit-length \(m(\lambda )\). Typically, \(\textsf {modulus}\) outputs a random \(m(\lambda )\)-bit prime number or the unique integer \(q=2^{m(\lambda )-1}\). The function \(\ell \) defines the message length while the function n defines the randomness length.

• Setup\((1^\lambda ) \rightarrow \textsf {pp}\). On input \(\lambda \), the setup algorithm generates a modulus q by running \(\textsf {modulus}(1^\lambda )\) and picks uniformly at random \(\boldsymbol{w} \in \mathbb {Z}_{q}^{\ell (\lambda )}\) and \(\boldsymbol{s} \in \mathbb {Z}_{q}^{n(\lambda )}\). It outputs the public parameters \(\textsf {pp} = (q,\boldsymbol{w},\boldsymbol{s})\) and the message space is \(\mathcal {M} = \{0,1\}^{\ell (\lambda )}\).

• \(\textsf {Com}(\textsf {pp},m)\rightarrow (c,\textsf {aux})\). On input \(\textsf {pp}\) and \(\boldsymbol{m} \in \mathcal {M}\), the commit algorithm picks \(\textsf {aux} = \boldsymbol{r} \in \{0,1\}^{n(\lambda )}\) uniformly at random, computes \(c\!=\!\langle \boldsymbol{w},\boldsymbol{m} \rangle \!+\!\langle \boldsymbol{s},\boldsymbol{r} \rangle \!\bmod \!q\) and outputs \((c,\textsf {aux})\).

• \(\textsf {Ver}(\textsf {pp},\boldsymbol{m},c,\textsf {aux}) \rightarrow b \in \{0,1\}\). On input \(\textsf {pp}\), \(\boldsymbol{m} \in \mathcal {M}\) and \((c,\textsf {aux})\), the verifier outputs 1 if \(c = \langle \boldsymbol{w},\boldsymbol{m} \rangle + \langle \boldsymbol{s},\boldsymbol{r} \rangle \bmod q\) where \( \boldsymbol{r} = \textsf {aux} \in \{0,1\}^{n(\lambda )}\), and 0 otherwise.

We prove that our commitment scheme is hiding and binding assuming the hardness of the subset sum and the weighted knapsack problems (respectively) for different lengths in the subset sum problems.

Theorem 1

Let \(\ell , n,m: \mathbb {N} \rightarrow \mathbb {N}\) and let \(\textsf {modulus}\) be an algorithm which given \(\lambda \in \mathbb {N}\) outputs an integer of bit-length \(m(\lambda )\). This commitment scheme above is:

1. 1.

   \((t,\epsilon )\)-computationally hiding if the \((t+O(\ell (\lambda ) m(\lambda )),\epsilon )\)- subset-sum assumption holds for \((\ell ,m,\textsf {modulus})\);

2. 2.

   \((t,\epsilon )\)-computationally binding if the \((t+O(\ell (\lambda )+n(\lambda )),\epsilon )\)-weighted knapsack assumption holds for \((\ell +n,m,\textsf {modulus})\).

Proof

Both security reductions are simple.

1. 1.

   Let \(\mathcal {A}\) be a \((t,\epsilon )\)-adversary against the hiding property of the commitment scheme. We construct a \((t+O(\ell (\lambda ) m(\lambda )),\epsilon )\) adversary \(\mathcal {B}\) breaking the decision subset sum assumption as follows. The algorithm \(\mathcal {B}\) is given as inputs \((q,\boldsymbol{\gamma },t)\) where \(\boldsymbol{\gamma } \in \mathbb {Z}_{q}^{n(\lambda )}\). The algorithm \(\mathcal {B}\) picks uniformly at random \(\boldsymbol{w} \in \mathbb {Z}_{q}^{\ell (\lambda )}\), sets \(\boldsymbol{s} = \boldsymbol{\gamma }\), and runs \(\mathcal {A}_1\) on input \(\textsf {pp} = (q,\boldsymbol{w},\boldsymbol{s})\). When \(\mathcal {A}_1\) outputs two messages \(\boldsymbol{m_0},\boldsymbol{m_1} \in \{0,1\}^{\ell (\lambda )}\) and some state information s, the algorithm \(\mathcal {B}\) picks uniformly at random a bit \(b \in \{0,1\}\) and runs \(\mathcal {A}_2\) on \(c = \langle \boldsymbol{w},\boldsymbol{m_b}\rangle + t \bmod q\) and s. Eventually, when \(\mathcal {A}_2\) outputs some bit \(b'\), \(\mathcal {B}\) outputs 0 if \(b' = b\) and 1 otherwise. A routine argument shows that the advantage of \(\mathcal {B}\) for the decision subset sum problem is identical to the one of \(\mathcal {A}\) for breaking the hiding property.

2. 2.

   Let \(\mathcal {A}\) be a \((t,\epsilon )\)-adversary against the binding property of the commitment scheme. We construct a \((t+O(\ell (\lambda )+n(\lambda )),\epsilon )\) adversary \(\mathcal {B}\) breaking the weighted knapsack assumption as follows. The algorithm \(\mathcal {B}\) is given as inputs \((q,\boldsymbol{\gamma })\) where \(\boldsymbol{\gamma } \in \mathbb {Z}_{q}^{\ell (\lambda )+n(\lambda )}\). It sets \(\boldsymbol{w} = (\gamma _1,\dots ,\gamma _{\ell (\lambda )}) \in \mathbb {Z}_{q}^{\ell (\lambda )}\) and \(\boldsymbol{s} = (\gamma _{\ell (\lambda )+1},\dots ,\gamma _{\ell (\lambda )+n(\lambda )}) \in \mathbb {Z}_{q}^{n(\lambda )}\) and runs \(\mathcal {A}\) on input \(\textsf {pp} = (q,\boldsymbol{w},\boldsymbol{s})\). When \(\mathcal {A}\) outputs \((\boldsymbol{m_1},\boldsymbol{m_2},\mathsf {aux_1},\mathsf {aux_2},c)\), we have \(\boldsymbol{m_1} \ne \boldsymbol{m_2} \) and \(\textsf {Ver}(pp,m_1,c,aux_1)=\textsf {Ver}(pp,m_2,c,aux_2)=1\) with probability \(\epsilon (\lambda )\). In this case, since \(\boldsymbol{m_1} \ne \boldsymbol{m_2}\) and \((\boldsymbol{m_1},\mathsf {aux_1}), (\boldsymbol{m_2},\mathsf {aux_2}),\in \{0,1\}^{\ell (\lambda )+n(\lambda )}\), if \(\mathcal {B}\) outputs the vector \(\boldsymbol{y} = (\boldsymbol{m_1},\mathsf {aux_1}) - (\boldsymbol{m_2},\mathsf {aux_2})\) (where the substraction is done coordinate-wise), it belongs to \(\{-1,0,1\}^{\ell (\lambda )+n(\lambda )}\), is non-zero and satisfies \(\langle \boldsymbol{\gamma },\boldsymbol{y} \rangle = 0 \bmod q\) (and is thus a solution to the weighted knapsack problem \((q,\boldsymbol{\gamma })\)).

   \(\square \)

The hiding property thus relies on the hardness of the subset sum problem with density \(n(\lambda )/m(\lambda )\) while its binding property on the hardness of the weighted knapsack problem with density \((\ell (\lambda )+n(\lambda ))/m(\lambda )\). In the following, to simplify the protocols, we consider the case where \(n(\lambda ) = m(\lambda )\) (i.e. density 1 subset sum) and \( \ell (\lambda ) = n(\lambda )\) (i.e. density 2 weighted knapsack). To lighten the notations, we henceforth denote \(n = n(\lambda ) = \ell (\lambda )\).

3.3 Zero-Knowledge Arguments for Our Commitment

In this section, we present a zero-knowledge argument of knowledge for our string commitment. We apply readily the protocol recently proposed by Feneuil et al. [13] for the subset sum problem. It is based on the MPC-in-the-Head paradigm and is described in Protocol 1. We provide an explicit description of the protocol as we use it in the following sections but refer to [13] for details and precise security analysis.

Context. We consider the binary relation \(\mathcal {R} = \{(q,\boldsymbol{w},\boldsymbol{s},t),(\boldsymbol{m},\boldsymbol{r})) \, \vert \, \langle \boldsymbol{w},\boldsymbol{m} \rangle + \langle \boldsymbol{s},\boldsymbol{r} \rangle = t \bmod q \}\) where \(q \in \mathbb {N}\), \(\boldsymbol{w},\boldsymbol{s} \in \mathbb {Z}_{q}^n\), \(t \in \mathbb {Z}_{q}\), and \(\boldsymbol{m},\boldsymbol{r} \in \{0,1\}^n\). Both the prover \(\mathcal {P}\) and the verifier \(\mathcal {V}\) know \((q,\boldsymbol{w},\boldsymbol{s},t)\) and \(\mathcal {P}\) knows \((\boldsymbol{m},\boldsymbol{r})\) and wants to convince the verifier of this fact. The protocol makes use of a PRG, a tree PRG [19], a commitment scheme \((\textsf {Setup}, \textsf {Com}, \textsf {Ver})\) (the one proposed in the previous section or any other efficient scheme) and two collision-resistant hash functions \(\mathcal {H}_1\) and \(\mathcal {H}_2\). The protocol involves two integer parameters A and a prime \(q'\) (that depends on n) that are known by \(\mathcal {P}\) and \(\mathcal {V}\).

MPC-in-the-Head. Feneuil et al.’s protocol [13] relies on the MPC-in-the-head paradigm [16]. The binary relation \(\mathcal {R}\) defines an NP language and the membership of \((q,\boldsymbol{w},\boldsymbol{s},t)\) can be checked easily thanks to the knowledge of \((\boldsymbol{m},\boldsymbol{r})\) by verifying the relations (1) \(\langle \boldsymbol{w},\boldsymbol{m} \rangle + \langle \boldsymbol{s},\boldsymbol{r} \rangle = t \bmod q\) and (2) \(\boldsymbol{m},\boldsymbol{r} \in \{0,1\}^n\). To convince \(\mathcal {V}\), \(\mathcal {P}\) emulates “in their head” a \((N-1)\)-private multi-party computation (MPC) protocol with N parties for the relations (1) and (2) where the witness \((\boldsymbol{m},\boldsymbol{r})\) is shared among the N parties (for some parameter \(N \in \mathbb {N}\)).

To shorten the communication, shares and random coins used in the protocol are generated using the Tree PRG: \(\mathcal {P}\) randomly and uniformly chooses a master seed mseed and constructs a tree of depth \(\lceil \log N \rceil \) by expanding mseed into N subseeds as explained in Sect. 2. From these N subseeds \(\textsf {seed}_1,\dots ,\textsf {seed}_N\), \(\mathcal {P}\) constructs some additive integer secret sharing with shares in \([0,A-1]\) denoted as \(\llbracket \cdot \rrbracket \) for the sharing itself and \(\llbracket \cdot \rrbracket _i\) for the share of the i-th virtual player (i.e. a secret integer x is shared as \(\llbracket x\rrbracket = (\llbracket x\rrbracket _1,\dots ,\llbracket x\rrbracket _N) \in [0,A-1]^N\) such that \(\llbracket x\rrbracket _1 + \cdots + \llbracket x\rrbracket _N = x\)). Computation is done over \(\mathbb {Z}_{q'}\) where \(q'\) is the smallest prime larger than A.

The verifier \(\mathcal {V}\) challenges \(\mathcal {P}\) to reveal the views of a random subset of \((N-1)\) parties by sending a challenge \(i^* \in [1,N]\) to \(\mathcal {P}\) who reveals all-but-one subseeds corresponding to parties \(i \ne i^*\). In Feneuil et al.’s protocol [13], the integer secret sharing may reveal information and to avoid this \(\mathcal {P}\) may abort but with probability at most \((1-1/A)^n\) (when sharing a n-coordinates vector). The size of A (and thus of \(q'\)) has to be properly chosen to make this probability small in practice. Eventually, \(\mathcal {V}\) recomputes the MPC protocol to check the views of the parties \(i \ne i^*\) and the commitments. If all tests pass, \(\mathcal {V}\) accepts the proof and the soundness error is close to 1/N. To decrease it to a soundness error less than \(2^{-\lambda }\), the protocol is simply repeated about \(\tau \approx \lambda /\log (N)\) times.

The verification of (1) is linear modulo \(q'\) and is therefore free but proving (2) requires performing some multiplications in the MPC protocol (using the simple fact that \(x \in \{0,1\}\) if and only if \(x (1-x) = 0 \mod q'\)). The verification of these multiplications can be realized following [4]. This implies a communication cost of \(2 \log (q')\) bits to prove one multiplication. Using a batched version of this verification protocol [18], one gets a communication cost of \((n+1)\log _2 q'\) for n multiplications. The soundness error of this protocol follows from the Schwartz-Zippel Lemma [25, 28].

Security analysis. The following theorem from [13] states the completeness, soundness and zero-knowledge of Protocol 1.

Theorem 2

(Protocol 1). Let the PRG used in Protocol 1 be \((t,\varepsilon _\text {PRG})\)-secure and the commitment scheme \(\textsf {Com}\) be \((t,\varepsilon _\text {Com})\)-hiding. Protocol 1 is a zero-knowledge proof of knowledge for the relation \(\mathcal {R}\) with \(\left( 1-1/A\right) ^{2n}\)-completeness, \(1/q' + 1/N - 1/Nq'\) soundness and \((t,\varepsilon _\text {PRG}+\varepsilon _\text {Com})\)-zero-knowledge.

Communication complexity. The communication cost (in bits) of the Protocol 1 with \(\tau \) repetitions is

$$ 4\lambda + \tau \left[ 2n(\log _2(A-1)+\log _2(q'))+ \log _2(q') + \lambda \log _2 N + 2\lambda \right] .$$

Since the rejection rate after \(\tau \) repetitions (i.e. that any of the \(\tau \) repetition aborts) is given by \(1-(1-1/A)^{2n\tau } \simeq 2n\tau /A\) where the approximation is tight when A is sufficiently large. Thus by taking \(A=\varTheta (n\tau )\), we get a (small) constant rejection probability.

Remark 1

Feneuil et al.’s [13] proposed a second approach to prove (2) using “cut-and-choose”. It can be used to prove the knowledge of a commitment opening but does not adapt well for proving Boolean relations of committed values.

Remark 2

It is worth mentioning that our commitment and argument of knowledge of opening can be easily generalized to a proof of partial opening by revealing bits of the committed message, modifying the value of the commitment accordingly and proving the knowledge of the remaining hidden bits. This enables to provide a range proof of the committed message at no additional cost.

4 Zero-Knowledge Arguments for Boolean Relations

Using a batched version of the verification protocol [4, 18] for multiplications of the form \(xy=c\) with \(x,y,c \in \mathbb {Z}_{q'}\) and c a public value, one gets a communication cost of \((n+1)\log _2 q'\) bits for n multiplications. In the following, we deal with multiplications of the form \(xy=z\), where z is a linear combination of shared elements, and the communication cost remains \((n+1)\log _2 q'\) bits for n multiplications.

4.1 AND Gate

Coordinate-wise AND Gates. We first consider the case where three n-bits vectors \(\boldsymbol{m^1},\boldsymbol{m^2},\boldsymbol{m^3}\) are committed and \(\mathcal {P}\) wants to prove that \(\boldsymbol{m^1} \cdot \boldsymbol{m^2}=\boldsymbol{m^3}\). Note that proving that \(\boldsymbol{m^1}\) and \(\boldsymbol{m^2}\) are binary and that \(\boldsymbol{m^1} \cdot \boldsymbol{m^2}=\boldsymbol{m^3} \mod q'\) implies that \(\boldsymbol{m^3}\) is binary and \(\boldsymbol{m^1} \cdot \boldsymbol{m^2} = \boldsymbol{m^3}\). In addition, \(\mathcal {P}\) has to prove that the three random vectors \(\boldsymbol{r^1},\boldsymbol{r^2},\boldsymbol{r^3}\) used in the commitment are all binary (since no relation is proved between them). Using this approach, \(\mathcal {P}\) has to prove 6n multiplications and therefore the argument requires sending \(6n+1\) integers in \(\mathbb {Z}_{q'}\) via [4, 18].

Actually, it is possible to batch some verification equations and reduce this number from \(6n+1\) to \(5n+1\). Indeed, checking \(\boldsymbol{m^1} \cdot \boldsymbol{m^2}=\boldsymbol{m^3} \mod q'\) and (for instance) the binarity of \(\boldsymbol{m^2}\) is equivalent (with a small soundness error coming from the Schwartz-Zippel Lemma) to check that

$$\begin{aligned} \lambda _1 \boldsymbol{m^2} \cdot (\boldsymbol{1}-\boldsymbol{m^2}) + \lambda _2 \boldsymbol{m^1}\cdot \boldsymbol{m^2} =\lambda _2 \boldsymbol{m^3} \mod q' \end{aligned}$$

(1)

for \(\lambda _1,\lambda _2 \in \mathbb {Z}_{q'}\) random elements chosen by \(\mathcal {V}\). Hence, we can batch all the multiplications checking by verifying the component-wise product

$$\begin{aligned} (\boldsymbol{m^1}||\boldsymbol{r^1}||\boldsymbol{r^2}||\boldsymbol{r^3}||\boldsymbol{m^2})\cdot ((\boldsymbol{1}-(\boldsymbol{m^1}||\boldsymbol{r^1}||\boldsymbol{r^2}||\boldsymbol{r^3}))||\lambda _1(\boldsymbol{1}-\boldsymbol{m^2})+\lambda _2\boldsymbol{m^1}) =(\boldsymbol{0}||\lambda _2\boldsymbol{m^3}) \end{aligned}$$

and obtain Protocol 2.

Arbitrary AND Gates. Protocol 2 is similar to the protocols from [2, 3, 6, 17] since it can be used only to prove multiplication coordinate-wise. We generalize it to obtain a more flexible protocol able to prove relations such as \(m^1_i \wedge m^2_j = m^3_k\) for arbitrary coordinates \(i,j,k \in [1,n]\).

Assume \(\mathcal {P}\) has to prove the satisfiability of \(K \ge 1\) AND gates with components belonging to \(L \ge 1\) committed vectors \(\{\boldsymbol{m^\ell }\}_{1 \le \ell ^ \le L}\in \{0,1\}^n\). Suppose that there are \(M\le K\) AND gates such that each of them has at least one coordinate of a fixed committed vector \(\boldsymbol{m^\ell }\) as input (for some \(\ell \in [1,L]\)). Assume these M gates are of the form \(m_{x_k}^\ell \wedge m_{y_k}^{\ell _k}=m_{z_k}^{\ell '_k}\) for \(k \in [1,M], \ell _k,\ell _k' \in [1,L], x_k,y_k,z_k \in [1,n]\) (again, we fix the vector \(\boldsymbol{m^\ell }\)). Moreover, as seen previously to check that \(\boldsymbol{m^\ell }\) is binary, \(\mathcal {V}\) can verify \(\boldsymbol{m^\ell }\circ (\boldsymbol{1}-\boldsymbol{m^\ell }) = 0 \mod q'\). Then we can batch these verifications as

$$\begin{aligned} \boldsymbol{m^\ell } \cdot [-\lambda _0 \boldsymbol{m^\ell } + \sum _{k=1}^{M} \lambda _k m_{y_k}^{\ell _k}\boldsymbol{e_{x_k}}] = -\lambda _0 \boldsymbol{m^\ell } + \sum _{k=1}^{M} \lambda _k m_{z_k}^{\ell '_k}\boldsymbol{e_{x_k}} \mod q' \end{aligned}$$

(2)

where \(\boldsymbol{e_{i}}\) is the i-th vector of the canonical basis of \(\mathbb {Z}_{q'}^n\) and \(\{\lambda _k\}_{0 \le k \le M} \in \mathbb {Z}_{q'}\) are random elements chosen by \(\mathcal {V}\). Thus, \(\mathcal {P}\) can batch all the gates’ evaluation checking satisfying that at least one input for each of these gates belongs to the same committed vector. This batching can include the binary verification of this specific vector. In other words, the number of equations does not depend anymore on the number of gates (i.e. is independent of the distribution of AND gates over the committed bits). We obtain the generalized Protocol 3 as a direct extension of Protocol 2 (essentially the batching part is slightly different) which can be found in Appendix A.

Security analysis. The following theorems state the completeness, soundness, and zero-knowledge of Protocol 2 and Protocol 3. The proofs are similar to those in [13] and are omitted due to lack of space.

Theorem 3

(Protocol 2). Let the PRG used in Protocol 1 be \((t,\varepsilon _\text {PRG})\)-secure and the commitment scheme \(\textsf {Com}\) be \((t,\varepsilon _\text {Com})\)-hiding. Protocol 2 is a zero-knowledge proof of knowledge for the relation \(\mathcal {R}\) with \(\left( 1-1/A\right) ^{6n}\)-completeness, \(1/q' + 1/N - 1/Nq'\) soundness and \((t,\varepsilon _\text {PRG}+\varepsilon _\text {Com})\)-zero-knowledge.

Theorem 4

(Protocol 3). Let the PRG used in Protocol 1 be \((t,\varepsilon _\text {PRG})\)-secure and the commitment scheme \(\textsf {Com}\) be \((t,\varepsilon _\text {Com})\)-hiding. Protocol 3 is a zero-knowledge proof of knowledge for the relation \(\mathcal {R}\) with \(\left( 1-1/A\right) ^{2L n}\)-completeness, \(1/q' + 1/N - 1/Nq'\) soundness and \((t,\varepsilon _\text {PRG}+\varepsilon _\text {Com})\)-zero-knowledge.

Remark 3

Note that Protocol 2 and 3 have the same soundness as Protocol 1. This follows from the Schwartz-Zippel Lemma, since the underlying multinomial still has the same degree after batching, and so it does not impact the soundness error.

The communication cost (in bits) of Protocols 2 and 3 are respectively:

$$ 4\lambda + \tau \left[ n(6\log _2(A-1)+5\log _2(q')) + \log _2(q') + \lambda \log _2 N + 2\lambda \right] , $$

$$ 4\lambda + \tau \left[ 2L n(\log _2(A-1)+\log _2(q')) + \log _2(q') + \lambda \log _2 N + 2\lambda \right] . $$

We notice that it does not depend on the number K of AND gates to prove.

4.2 XOR Gate

Coordinate-wise XOR Gates. We first consider, as above, the case where three n-bits vectors \(\boldsymbol{m^1},\boldsymbol{m^2},\boldsymbol{m^3}\) are committed and \(\mathcal {P}\) wants to prove that \(\boldsymbol{m^1} \oplus \boldsymbol{m^2}=\boldsymbol{m^3}\) (coordinate-wise).

Let f be the polynomial \(f(x)=2x-x^2\) defined over \(\mathbb {Z}_{q'}\) with \(q' \ge 3\) a prime number. One can easily check that if \(\boldsymbol{m^1}\) and \(\boldsymbol{m^2}\) are binary vectors, then \(f(\boldsymbol{m^1}+\boldsymbol{m^2}) \bmod q'=\boldsymbol{m^1} \oplus \boldsymbol{m^2} \in \{0,1\}\). Thus, proving that \(f(\boldsymbol{m^1}+\boldsymbol{m^2})=\boldsymbol{m^3} \mod q'\) in conjunction with the argument of knowledge of opening of the corresponding commitments, implies \(\boldsymbol{m^1} \oplus \boldsymbol{m^2} = \boldsymbol{m^3}\).

Arbitrary XOR Gates. Again, this protocol is not enough flexible and can not be used to prove relations such as \(m^1_i \oplus m^2_j = m^3_k\) for arbitrary \(i,j,k \in [1,n]\), but we outline how to generalize it.

Assume that \(\mathcal {P}\) has to prove the satisfiability of K XOR gates with inputs/output belonging to L committed vectors \(\{\boldsymbol{m^\ell }\}_{1 \le \ell ^ \le L}\in \{0,1\}^n\). As for the AND gates, suppose that there are \(M\le K\) gates of the form \(m_{x_k}^\ell \oplus m_{y_k}^{\ell _k}=m_{z_k}^{\ell '_k}\) for \(k \in [1,M]\), \(\ell _k,\ell _k' \in [1,L], x_k,y_k,z_k \in [1,n]\). We assume the binarity of each committed vector is checked during the protocol, so that

$$f(m_{x_k}^\ell + m_{y_k}^{\ell _k})= 2(m_{x_k}^\ell + m_{y_k}^{\ell _k}) - (m_{x_k}^\ell + m_{y_k}^{\ell _k})^2 =m_{x_k}^\ell \oplus m_{y_k}^{\ell _k}=m_{z_k}^{\ell '_k} \mod q'.$$

Moreover, as seen previously, to check that \(\boldsymbol{m^\ell }\) is binary, \(\mathcal {V}\) can verify \(\boldsymbol{m^\ell }\cdot (\boldsymbol{1}-\boldsymbol{m^\ell }) = 0 \mod q'\). If the binarity of \(\boldsymbol{m^{\ell _k}}\) and \(\boldsymbol{m^\ell }\) is proven elsewhere, \(\mathcal {V}\) is convinced that \(m_{y_k}^{\ell _k} m_{y_k}^{\ell _k} = m_{y_k}^{\ell _k} \bmod q'\) and \(m_{x_k}^{\ell } m_{x_k}^{\ell } = m_{x_k}^{\ell } \bmod q'\). Hence, the batching equation becomes

$$\begin{aligned} &\boldsymbol{m^\ell } \cdot [-\lambda _0 \boldsymbol{m^\ell } - 2\sum _{k=1}^{M} \lambda _k m^{\ell _k}_{y_k} \boldsymbol{e_{x_k}}] \nonumber \\ &\qquad \qquad \qquad \qquad = -\lambda _0 \boldsymbol{m^\ell } + \sum _{k=1}^{M} \lambda _k \left( m_{z_k}^{\ell '_k}-m_{y_k}^{\ell _k}-m_{x_k}^\ell \right) \boldsymbol{e_{x_k}} \mod q', \end{aligned}$$

(3)

where \(\boldsymbol{e_{i}}\) is the i-th vector of the canonical basis of \(\mathbb {Z}_{q'}^n\) and \(\{\lambda _k\}_{0 \le k \le M} \in \mathbb {Z}_{q'}\) are random elements chosen by \(\mathcal {V}\).

Security analysis. The theorems stating the completeness, soundness and zero-knowledge of the protocol for the bit-wise XOR and its generalization are the same as Theorems 3 and 4 (respectively). This follows directly from Remark 3.

The communication complexity (in bits) of the protocol for arbitrary XOR gates with \(\tau \) repetitions is:

$$ 4\lambda + \tau \left[ 2L n(\log _2(A-1)+\log _2(q')) + \log _2(q') + \lambda \log _2 N + 2\lambda \right] , $$

while the one for the bit-wise XOR is a subcase when \(L=3\). We notice that the size is the same as Protocol 3 and is independent of K.

4.3 Instantiation and Performances

We present sets of parameters for an instantiation of our commitment scheme with \(m(\lambda ) = \ell (\lambda ) = n(\lambda ) = 256\) (i.e. with security based on density 1 subset-sum and density 2 weighted knapsack). We present performances for the component-wise protocols for AND and XOR gates. To decrease the rejection rate, we use a strategy introduced in [13] that consists in allowing \(\mathcal {P}\) to abort in \(0 \le \eta < \tau \) out of the \(\tau \) iterations and \(\mathcal {V}\) accepts the proof if the prover can answer to \(\tau -\eta \) challenges among the \(\tau \) iterations. This relaxed proof has a significantly lower rejection rate (at the cost of a small increase of the soundness error) (Table 1).

Table 1. Comparison of performances with \(n=256\) and \(q \approx 2^{256}\).

5 Verification of Circuit Evaluation

Let C be a Boolean circuit with \(\vert C \vert \) gates (AND or XOR) and T input bits. Let \(\boldsymbol{m}\in \{0,1\}^T\) and \(v_1,\dots ,v_{|C|}\in \{0,1\}\) be committed elements such that \(\boldsymbol{m}\) is an input that satisfy C and the v’s are the outputs of each gates of C when evaluated on \(\boldsymbol{m}\), i.e. \(C(m_1,\dots ,m_T)=v_{|C|}=1\). The prover \(\mathcal {P}\) wants to prove that \(\boldsymbol{m}\) indeed satisfies C. For this purpose, we will use protocols that have been presented in the previous sections. For simplicity, we assume without loss of generality that \(T \le n\). Since n bits can be committed via the same commitment (n is the size of the subset-sum instance), we need \(|C|/n+1\) string commitments. We introduce the following notation to simplify the batching equation: for \(k\in [0,|C|/n]\), \(\boldsymbol{v^0} = (\boldsymbol{m}||v_1||\dots ||v_{n-T}), \dots , \boldsymbol{v^{|C|/n}} = (v_{|C|-T+1}||\dots ||v_{|C|}||\boldsymbol{0}).\) Following the batching from Equation (12) and Equation (3), we can set \(\boldsymbol{x},\boldsymbol{y},\boldsymbol{z}\) as follows so that the circuit satisfiability verification consists in checking that \(\boldsymbol{x}\cdot \boldsymbol{y} = \boldsymbol{z}\):

$$\boldsymbol{y}=(\boldsymbol{v^0}||\dots ||\boldsymbol{v^{|C|/n}}||\boldsymbol{r^0}||\dots ||\boldsymbol{r^{|C|/n}}),$$

$$\begin{aligned} &\boldsymbol{x}=\left( -\lambda _0 \boldsymbol{v^0}+\sum _{i=1}^n\sum _{j=0}^{|C|/n}\sum _{k=1}^n \lambda _{v^j_k} \left( \delta _{0,i,j,k} v^j_k -2\zeta _{0,i,j,k} v^j_k \right) \boldsymbol{e_i} || \dots \right. \\ &\qquad || -\lambda _{|C|/n} \boldsymbol{v^{|C|/n}}+\sum _{i=1}^n\sum _{j=0}^{|C|/n}\sum _{k=1}^n \lambda _{v^j_k} \left( \delta _{|C|/n,i,j,k} v^j_k -2\zeta _{|C|/n,i,j,k} v^j_k \right) \boldsymbol{e_i} \\ &\qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad || \boldsymbol{1}-\boldsymbol{r^1}||\dots ||\boldsymbol{1}-\boldsymbol{r^{|C|/n}}\Big ) \end{aligned}$$

where \(\boldsymbol{r^0},\dots ,\boldsymbol{r^{|C|/n}}\) is the randomness used in the commitment and the vector \(\boldsymbol{z}\) can be computed as a linear combination of \(\boldsymbol{v^0},\dots ,\boldsymbol{v^{|C|/n}}\). As above, \(\boldsymbol{e_i}\) is the i-th vector of the canonical basis of \(\mathbb {Z}_{q'}^n\), \(\lambda \)’s are random public values chosen by the verifier \(\mathcal {V}\), and the binary elements \(\zeta \) and \(\delta \) depend on the circuit structure, i.e. \(\delta _{\ell ,i,j,k}=1\) if and only if \(v^\ell _i \wedge v^j_k = v^u_p\) for some \(u \in [0, |C|/n]\) and \(v \in [1,n]\) (and \(\zeta _{\ell ,i,j,k}=1\) if and only if \(v^\ell _i \oplus v^j_k = v^u_p\)). Hence, \(\mathcal {V}\) has to check \(\boldsymbol{x}\cdot \boldsymbol{y} = \boldsymbol{z}\) to be convinced of the binarity of the vectors, and of the satisfiability of the circuit. The full protocol is given as Protocol 4 in Appendix A.

Theorem 5

(Protocol 4). Let the PRG used in Protocol 4 be \((t,\varepsilon _\text {PRG})\)-secure and the commitment scheme \(\textsf {Com}\) be \((t,\varepsilon _\text {Com})\)-hiding. The protocol 4 is a zero-knowledge proof of knowledge for the relation \(\mathcal {R}\) with \(\left( 1-1/A\right) ^{2(|C|+n)}\)-completeness, \(1/q' + 1/N - 1/Nq'\) soundness and \((t,\varepsilon _\text {PRG}+\varepsilon _\text {Com})\)-zero-knowledge.

The communication cost (in bits) of Protocol 4 with \(\tau \) repetitions is:

$$ 4 \lambda + \tau \left[ 2(|C|+n)(\log (A-1)+\log (q')) + \log (q') + \lambda \log N + 2\lambda \right] . $$

With \(n = 2\lambda \) and \(A=\varTheta ((|C|+n)\tau )\) (for a small constant rejection probability), its asymptotic complexity is \(\varTheta \left( \frac{\lambda (|C|+\lambda )}{\log N}\log \left( \frac{\lambda (|C|+\lambda )}{\log N}\right) +\lambda ^2\right) \). With \(N = \varTheta (\lambda )\) to minimize, we get asymptotic complexity \(\tilde{\varTheta }(\lambda |C|+\lambda ^2)\) to be compared with \(\tilde{\varTheta }(|C|\lambda ^2)\) in [17] (which can only prove Boolean relations bit-wise on binary strings and may result in a large overhead depending on the circuit considered).

A Description of Protocols 3 and 4

In order to describe the circuit during Protocol 3, we set \(S \leftarrow \emptyset \). Then construct S as follows: if \(m_{x_k}^\ell \wedge m_{y_k}^{\ell _k}=m_{z_k}^{\ell '_k}\) for \(k \in [1,M], \{\ell ,\ell _k,\ell _k'\} \in [1,L]^3, \{x_k,y_k,z_k\} \in [1,n]^3\), then \(S=S\cup \{(\ell ,x_k;\ell _k,y_k;\ell '_k,z_k)\}\).