Lattice-Based Non-Interactive Argument Systems
Total Page:16
File Type:pdf, Size:1020Kb
LATTICE-BASED NON-INTERACTIVE ARGUMENT SYSTEMS A DISSERTATION SUBMITTED TO THE DEPARTMENT OF COMPUTER SCIENCE AND THE COMMITTEE ON GRADUATE STUDIES OF STANFORD UNIVERSITY IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY David J. Wu August 2018 c Copyright by David J. Wu 2018 All Rights Reserved ii I certify that I have read this dissertation and that, in my opinion, it is fully adequate in scope and quality as a dissertation for the degree of Doctor of Philosophy. (Dan Boneh) Principal Adviser I certify that I have read this dissertation and that, in my opinion, it is fully adequate in scope and quality as a dissertation for the degree of Doctor of Philosophy. (Omer Reingold) I certify that I have read this dissertation and that, in my opinion, it is fully adequate in scope and quality as a dissertation for the degree of Doctor of Philosophy. (Mary Wootters) Approved for the Stanford University Committee on Graduate Studies iii Abstract Non-interactive argument systems are an important building block in many cryptographic protocols. In this work, we begin by studying non-interactive zero-knowledge (NIZK) arguments for general NP languages. In a NIZK argument system, a prover can convince a verifier that a statement is true without revealing anything more about the statement. Today, NIZK arguments can be instantiated from random oracles, or, in the common reference string (CRS) model, from trapdoor permutations, pairings, or indistinguishability obfuscation. Notably absent from this list are constructions from lattice assumptions, and realizing NIZKs (for general NP languages) from lattices has been a long- standing open problem. In this work, we make progress on this problem by giving the first construction of a multi-theorem NIZK argument from standard lattice assumptions in a relaxed model called the preprocessing model, where we additionally assume the existence of a trusted setup algorithm that generates a proving key (used to construct proofs) and a verification key (used to verify proofs). Moreover, by basing hardness on lattice assumptions, our construction gives the first candidate that plausibly resists quantum attacks. We then turn our attention to constructing succinct non-interactive arguments (SNARGs) for general NP languages. SNARGs enable verifying computations with substantially lower complexity than that required for classic NP verification. Prior to this work, all SNARG constructions relied on random oracles, pairings, or indistinguishability obfuscation. This work gives the first lattice- based SNARG candidates. In fact, we show that one of our new candidates satisfy an appealing property called \quasi-optimality," which means that the SNARG simultaneously minimizes both the prover complexity and the proof size (up to polylogarithmic factors). This is the first quasi-optimal SNARG from any concrete cryptographic assumption. Again, because of our reliance on lattice-based techniques, all of our new candidates resist quantum attacks (in contrast to existing pairing-based constructions). iv Acknowledgments Neither my journey into cryptography nor this thesis would have happened without the support and mentoring of my advisor, Dan Boneh. Six years ago, while I was still a starry-eyed undergrad at Stanford, I had the fortune of taking Dan's Introduction to Cryptography course. Dan's boundless energy and infectious enthusiasm for not only cryptography, but also research and life, was what first drew me into this field. Over the years, I can say without doubt that Dan has shown by example the sheer excitement and joy of research. As I now prepare for the next step of my own academic journey, I will strive to emulate the qualities of the ideal researcher that Dan so brilliantly exemplifies. I would like to say a special word of thanks to Yuval Ishai and Amit Sahai for all of the insights, advice, and guidance they have provided me in the last few years. I can easily say that my three visits to UCLA in the last two years have been some of the most exciting (and productive!) weeks of my PhD, and I am grateful to both of them for being such wonderful and generous hosts. It has been an absolute pleasure and privilege to collaborate with them on multiple projects (several of which are featured in this thesis), and I look forward to many more. The numerous discussions we had have certainly shaped how I think about and approach research. Over the years, I have also had the luxury of working with and learning from all of the students in the Stanford Applied Crypto group. I would like to thank all of them for patiently hearing out my half-baked ideas, kindly critiquing my papers, and sharing with me their cool ideas. I consider myself very lucky to be in the company of such a talented group of researchers. I especially would like to thank all of my student co-authors: Henry Corrigan-Gibbs, Sam Kim, Kevin Lewi, Hart Montgomery, and Joe Zimmerman. I thank Joe for teaching me how to reason precisely about abstract concepts and how to communicate my ideas with technical rigor. I thank Kevin for introducing me to the marvelous world of theoretical cryptography and for keeping me motivated and optimistic through all the times we got stuck on problems. I thank Hart for always being willing to share his ideas and for providing a healthy dose of skepticism for my ill-contrived constructions. I thank Henry for not only being an amazing officemate, but also for being so willing to share with me his deep insights into both cryptography and computer security; I am always impressed by the breadth of his knowledge and the depth of his intuition. Finally, I thank Sam for our many fruitful collaborations in the last few years. I cannot count how many hours we have now spent talking about cryptography and life. v And of course, I thank him for patiently bringing me up to speed on lattice-based cryptography. It has truly been an honor and a pleasure. One of the greatest joys of research is having the opportunity to collaborate with brilliant individuals spanning a wide range of disciplines (and time zones). I would like to thank all of my wonderful collaborators from the last five years: Shashank Agrawal, Gill Bejerano, Bonnie Berger, Johannes Birgmeier, Dan Boneh, Nathan Chenette, Hyunghoon Cho, Henry Corrigan-Gibbs, Tony Feng, Yuval Ishai, Karthik Jagadeesh, Sam Kim, Kristin Lauter, Kevin Lewi, Avradip Mandal, John Mitchell, Hart Montgomery, Michael Naehrig, Alain Passel`egue,J´er´emy Planul, Arnab Roy, Amit Sahai, Asim Shankar, Ankur Taly, Steve Weis, and Joe Zimmerman. I thank them for making my time in grad school so enjoyable and for always reminding me why I chose to pursue research. I would also like to thank the members of my thesis committee for all of the helpful feedback they have provided to improve this work: Dan Boneh, Moses Charikar, Brian Conrad, Omer Reingold, and Mary Wootters. Finally, I would like to thank my friends and family who have stood with me over all these years. I will forever be grateful for their support and encouragement. After all, this quixotic quest for truth and understanding would be a lot less exciting if I could not share the joy with all of them. This work was supported in part by an NSF Graduate Research Fellowship. vi Contents Abstract iv Acknowledgments v 1 Introduction 1 1.1 Non-Interactive Zero-Knowledge Arguments.......................2 1.2 Succinct Non-Interactive Arguments...........................4 1.3 Why Lattices?.......................................5 1.4 Works Contained in this Thesis..............................7 2 Preliminaries 8 2.1 Background on Lattice-Based Cryptography....................... 10 3 Non-Interactive Zero-Knowledge Arguments 14 3.1 Construction Overview................................... 14 3.1.1 Additional Related Work............................. 18 3.2 Homomorphic Signatures................................. 19 3.2.1 Selectively-Secure Homomorphic Signatures................... 28 3.2.2 From Selective Security to Adaptive Security.................. 31 3.3 Preprocessing NIZKs from Homomorphic Signatures.................. 35 3.4 Blind Homomorphic Signatures.............................. 42 3.4.1 The Universal Composability Framework.................... 42 3.4.2 The Blind Homomorphic Signature Functionality................ 46 3.4.3 Constructing Blind Homomorphic Signatures.................. 49 3.5 Universally-Composable Preprocessing NIZKs...................... 53 3.5.1 Applications to MPC............................... 55 3.6 Proofs from this Chapter................................. 59 3.6.1 Proof of Theorem 3.26............................... 59 3.6.2 Proof of Theorem 3.36............................... 62 vii 3.6.3 Proof of Theorem 3.40............................... 78 3.7 Chapter Summary..................................... 85 4 Succinct Non-Interactive Arguments (SNARGs) 86 4.1 Summary of Results and Technical Overview...................... 88 4.2 Succinct Non-Interactive Arguments........................... 90 4.3 Linear PCPs........................................ 92 4.3.1 Constructing Linear PCPs with Strong Soundness............... 94 4.4 SNARGs from Linear-Only Vector Encryption...................... 97 4.4.1 Linear-Only Vector Encryption.......................... 98 4.4.2 From Linear-Only Vector Encryption to Preprocessing SNARGs....... 100 4.4.3 Multi-Theorem Designated-Verifier SNARGs.................. 102 4.5 Constructing Lattice-Based SNARGs........................... 103 4.5.1 The Peikert-Vaikuntanathan-Waters Encryption Scheme...........