Algebraic Techniques for Short(er) Exact Lattice-Based Zero-Knowledge Proofs

A key component of many lattice-based protocols is a zeroknowledge proof of knowledge of a vector (s) over right arrow with small coefficients satisfying A (s) over right arrow = (u) over right arrow mod q. While there exist fairly efficient proofs for a relaxed version of this equation which prove the knowledge of (s) over right arrow' and c satisfying A (s) over right arrow' = (u) over right arrowc where parallel to(s) over right arrow'parallel to >> parallel to(s) over right arrow parallel to and c is some small element in the ring over which the proof is performed, the proofs for the exact version of the equation are considerably less practical. The best such proof technique is an adaptation of Stern's protocol (Crypto '93), for proving knowledge of nearby codewords, to larger moduli. The scheme is a Sigma-protocol, each of whose iterations has soundness error 2/3, and thus requires over 200 repetitions to obtain soundness error of 2(-128), which is the main culprit behind the large size of the proofs produced. In this paper, we propose the first lattice-based proof system that significantly outperforms Stern-type proofs for proving knowledge of a short (s) over right arrow satisfying A (s) over right arrow = (u) over right arrow mod q. Unlike Stern's proof, which is combinatorial in nature, our proof is more algebraic and uses various relaxed zero-knowledge proofs as sub-routines. The main savings in our proof system comes from the fact that each round has soundness error of 1/n, where n is the number of columns of A. For typical applications, n is a few thousand, and therefore our proof needs to be repeated around 10 times to achieve a soundness error of 2(-128). For concrete parameters, it produces proofs that are around an order of magnitude smaller than those produced using Stern's approach.