Amortization with Fewer Equations for Proving Knowledge of Small Secrets

For a linear function f , a vector x with small coefficients, and a vector y = f(x), we would like to be able to give a zero-knowledge proof for the knowledge of an x′ with small coefficients that satisfies f(x′) = y. This is a common scenario in lattice-based cryptography, and there is currently no satisfactory solution for this problem. All known protocols are built via the repetition of a basic protocol that only has constant (1/2 or 2/3) soundness error. This implies that the communication complexity of the final protocol will be at least a factor of k larger than that of the basic one, where k is the security parameter. One can do better if one considers simultaneously proving the knowledge of many instances of the above linear equation. The protocol that has the smallest amortized communication complexity while achieving close-to-optimal slack (i.e. the ratio between the coefficients in the secret and those that can be extracted from the proof) is due to Cramer et al. (Eurocrypt ’17) which builds on an earlier work of Baum et al. (Crypto ’16). The main downside of this protocol is that the amortization only kicks in when the number of equations is rather large – 4k. This means that for k = 128, it is only truly optimal when one has more than 2 equations to prove. The aforementioned work of Cramer et al. also shows how to achieve a protocol requiring o(k) samples, but it is only applicable for much larger values of k. The main result of our work is reducing the concrete minimal number of equations required for the amortization, while keeping the communication complexity almost unchanged. The cost of this is an increase in the running time of the zero-knowledge proof. More specifically, we show that one can decrease the required number of equations by a factor of Ω(log α) at the cost of increasing the running time by a factor of Ω(α). For example, increasing the running time by a factor of 8 allows us to decrease the required number of samples from 69000 to 4500 – a factor of 15. As a side benefit, the slack of our protocol decreases by a factor of logα as well. We also show that in the case that f is a function over the polynomial ring Z[X]/(X + 1) and we would like to give a proof of knowledge of an x′ with small coefficients such that f(x′) = 2y, then the number of samples needed for amortization is even lower. Without any trade-offs in the running time, our algorithm requires around 2200 samples, and for the same factor 8 increase in the running time, the requirement goes down to 850.