We provide lattice-based protocols allowing to prove relations among committed integers. While the most general zero-knowledge proof techniques can handle arithmetic circuits in the lattice setting, adapting them to prove statements over the integers is non-trivial, at least if we want to handle exponentially large integers while working with a polynomial-size modulus q. For a polynomial L, we provide zero-knowledge arguments allowing a prover to convince a verifier that committed L-bit bitstrings x, y and z are the binary representations of integers X, Y and Z satisfying Z = X + Y over Z. The complexity of our arguments is only linear in L. Using them, we construct arguments allowing to prove inequalities X < Z among committed integers, as well as arguments showing that a committed X belongs to a public interval [α, β], where α and β can be arbitrarily large. Our range arguments have logarithmic cost (i.e., linear in L) in the maximal range magnitude. Using these tools, we obtain zero-knowledge arguments showing that a committed element X does not belong to a public set S using O(n · log |S|) bits of communication, where n is the security parameter. We finally give a protocol allowing to argue that committed L-bit integers X, Y and Z satisfy multiplicative relations Z = XY over the integers, with communication cost subquadratic in L. To this end, we use our protocol for integer addition to prove the correct recursive execution of Karat-suba's multiplication algorithm. The security of our protocols relies on standard lattice assumptions with polynomial modulus and polynomial approximation factor.
展开▼
机译:我们提供基于格的协议,可以证明承诺的整数之间的关系。尽管最通用的零知识证明技术可以处理晶格设置中的算术电路,但至少要在处理多项式大小模数q时要处理指数大的整数时,才能使它们适应整数的证明并非易事。 。对于多项式L,我们提供零知识参数,使证明者可以说服验证者证明提交的L位比特串x,y和z是整数X,Y和Z的二进制表示形式,满足Z = X + Y超过Z.我们的参数的复杂度仅在L中是线性的。使用它们,我们构造了可以证明承诺整数之间的不等式X 展开▼
