Zero-Knowledge Interactive Proof Systems for New Lattice Problems

Zero-Knowledge Interactive Proof Systems for

New Lattice Problems

Claude Cr´epeau? _{and Raza Ali Kazmi}? McGiLL University

[email protected],[email protected]

Abstract. In this work we introduce a new hard problem in lattices calledIsometric Lattice Problem(ILP) and reduceLinear Code Equivalenceover prime fields andGraph Isomorphismto this prob-lem. We also show that this problem has an (efficient prover) perfect zero-knowledge interactive proof; this is the only hard problem in lattices that is known to have this property (with respect to malicious verifiers). Under the assumption that the polynomial hierarchy does not collapse, we also show thatILPcannot beNP-complete. We finally introduce a variant ofILPover the rationals radicands and provide similar results for this new problem.

1

Introduction

Zero-Knowledge interactive proof systemsZKIP[6] have numerous applications in cryptography such as Identification Schemes, Authentication Schemes, Mul-tiparty Computations, etc. Appart from cryptographic applications these proof systems play an important part in the study of complexity theory. The first IP

for lattice problems (coGapCVP_γ,coGapSVP_γ) was presented by Goldreich and Goldwasser [13]. However, these proofs are onlyhonest-verifierPerfect Zero-Knowledge and known to haveinefficient provers. Micciancio and Vadhan [10] presented Interactive Proofs forGapCVPγ and GapSVPγ. These proofs are Statistical Zero-Knowledge and have efficient provers1 as well. In this paper we introduce a new hard problem calledISOMETRIC LATTICE PROBLEM

(ILP). We present IP systems for the ILP. These proof systems are Perfect

Zero-Knowledge and haveefficientprovers. We show that a variant ofILPover the integers is at least as hard asGraph Isomorphism(GI) [4, 5] andLinear Code Equivalence(LCE) [7, 5]. This is the only hard problem problem known in lattices that have a (malicious-verifier) Perfect Zero-Knowledge IP system with anefficientprover. We also show thatILPis unlikely to beNP-complete. Finally we also introduce another variant ofILPover the rational-radicands and provide similar results for this problem.

?_{Supported in part by Qu´ebec’s FRQNT, Canada’s NSERC and CIFAR.}

1

2

Notations

For any matrixA, we denote its transpose byAt_{. Let O(n,}

R) ={Q∈Rn×n :

Q·Qt_{=I} denote the group ofn×northogonal matrices over}

R. LetGLk(Z)

denote the group ofk×kinvertible (unimodular) matrices over_Z. LetGLk(Fq) denote the set ofk×kinvertible matrices over the finite field_Fq. LetPn denote the set of n×n permutation matrices. Let σn be the set of all permutations of {1, . . . , n}. Forπ ∈σn, we denotePπ the correspondingn×npermutation matrix. P(n,Fq) denotes the set of n×n monomial matrices (there is exactly one nonzero entry in each row and each column) overFq.Dnis the set of diag-onal matricesD=diag(1, . . . , n), i =±1 fori= 1, . . . , n. For a real vector

v = (v1, . . . , vn) we denote its Euclidean norm by kvk = p

v2

1+· · ·+vn2 and max-norm kvk∞=maxni=1|vi| and for any matrix B= [b1|b2|. . .|bk]∈Rn×k

we define its norm by kBk=maxn_i=1kbik. For any ordered set of linearly inde-pendent vectors{b1,b2, . . . ,bk},we denote{˜b1,˜b2, . . . ,b˜k},its Gram-Schmidt orthogonalization.

2.1 Lattices

LetRn be ann-dimensional Euclidean space and letB∈Rn×k be a matrix of

rankk. A latticeL(B) is the set of all vectors

L(B) =

Bx:x∈Zk .

The integer n and k are called the dimension and rank of L(B). A lattice is called full dimensional ifk=n. Two latticesL(B1) andL(B2) are equivalent if

and only if there exists a unimodular matrixU∈_Zk×k _{such thatB1=UB2.}

2.2 q-ary Lattices

A lattice L is called q-ary, if it satisfies qZn ⊆ L ⊆ Zn for a positive integer

q. In other words, the membership of a vector v ∈ Lis given by vmodq. Let

G= [g1|. . .|gk]∈Zqn×kbe an×kmatrix of rankkoverZn×kq . We define below two important families ofq-ary lattices used in cryptography

Λq(G) ={y∈Zn:y≡G·s (modq),for some vectors∈Zk}

Λ>_q(G) ={y∈Zn :y·G≡0 (modq)}.

A basisBof Λq(G) is

B= [g1|. . .|gk|bk+1|. . .|bn]∈Zn×n

wherebj= (0, ..., q, ...,0)∈Znis a vector with itsj-th coordinate equal toqand

2.3 Discrete Gaussian distribution on Lattices

For anys >0,c∈Rn, we define a Gaussian function onRn centered atcwith

parameters.

∀x∈Rn, ρs,c(x) =e

−πkx−ck

s2 .

LetL be anyn dimensional lattice and ρs,c(L) = X

y∈L

ρs,c(y). We define a

Discrete Gaussiandistribution onL

∀x∈ L, Ds,c,L(x) =

ρs,c(x)

ρs,c(L)

.

Theorem 1 Given a basisB= [b1|. . .|bk]∈Rn×k of an n-dimensional lattice

L, a parameters≥ kB˜k ·ω(√logn)and a centerc∈Rn,the algorithmSampleD

([2], section 4.2 page 14)outputs a sample from a distribution that is statistically close to Ds,c,L.

Theorem 2 There is a deterministic polynomial-time algorithm that, given an arbitrary basis {b1, . . . ,bk} of an n-dimensional lattice L and a set of linearly

independent lattice vectors S= [s1|s2. . .|sk]∈ L with ordering ks1k ≤ ks2k ≤

· · · ≤ kskk,outputs a basis {r1. . .rk} ofL such thatk˜rik ≤ k˜sik for1≤i≤k.

2.4 Orthogonal Matrices and Givens Rotations

A Givens rotation is an orthogonaln×nmatrix of the form

G(i,j,θ)=



           

1· · · 0· · · 0 · · · 0 ..

. . .. ... ... ... 0· · · c· · · −s· · · 0 ..

. ... . .. ... ... 0· · · s· · · c · · · 0 ..

. ... ... . .. ... 0· · · 0· · · 0 · · · 1 

           

, i6=j

The non-zero elements of a Givens matrixG(i,j,θ)are given by gk,k= 1 fork6=i, j andgi,i=gj,j =c

gi,j=s=−gj,i fori < j wherec= cos(θ) ands= sin(θ).

The productG(i,j,θ)·vrepresents a counter-clockwise rotation of the vector v in the (i, j) plane by angle θ. Moreover, only the i-th and j-th entries of v

can be written as a product of n(n−₂ 1) Givens matrices and a diagonal matrix

D∈ Dn

Q=D G(1,2,θ1,2)· · · ·G(1,n,θ1,n)

· G(2,3,θ2,3)· · ·G(2,n,θ2,n)

· · · G(n−1,n,θn−1,n)

.

The anglesθi,j∈[0,2π],1≤i < j≤nare called angles of rotation.

2.5 Properties of Givens Matrices

1. Additivity: For anglesθ, φ∈[0,2π] and any vectorv∈Rn

G(i,j,φ)·G(i,j,θ)v=G(i,j,φ+θ)v.

2. Commutativity: For angles θi,j, θj,i, θy,z ∈[0,2π] and {i, j} ∩ {y, z}=∅ or

{i, j}={y, z}.

G(i,j,θi,j)·G(j,i,θj,i)v=G(j,i,θj,i)·G(i,j,θi,j)v

G(i,j,θi,j)·G(y,z,θy,z)v=G(y,z,θy,z)·G(i,j,θi,j)v. 3. Linearity: For any Givens matrix G(i,j,θi,j), any vector v ∈ R

n _{and any} permutationπ∈σn

G_{(π(i),π(j),θπ(i),π(j))}Pπ·v=PπG(i,j,θi,j)·v

Pπ is the corresponding permutation matrix ofπ.

2.6 The Set R

Computationally it is not possible to work over arbitrary real numbers as they require infinite precision. However, there are reals that can be represented finitely and one can add and multiply them without losing any precision. For example we can represent numbers √7 and √4

5 as <2,7> and<4,5>. In, general, a real numberrthat has the following form

r=a1

n11 r

x11+ n21

q

x21+· · ·+ nk1

√

xk1 + a2

n12 r

x12+ n22

q

x22+· · ·+ nk2

√

xk2

+· · ·+al n_1l

r

x1l+ n2l q

x2l+· · ·+ nkl

√

xkl. whereaj’s, nij’s∈Q, xij’s∈Q

+_{∪ {0}andl, k}

1· · ·kl∈N; can be represented as

r=a1< n11, x11+< n21, x21+· · ·+< nk1, xk1>>· · ·>+ a2< n12, x12+< n22, x22+· · ·+< nk2, xk2>>· · ·>+

· · ·+al< n1l, x1l+< n2l, x2l+· · ·+< nkl, xkl>>· · ·> .

We call such numbers rational radicands and denote the set of all rational radicands R.2

2

2.7 The Set O(n,R)

LetO(n,R) denote a set ofn×northogonal matrices overR. In this sub-section we will define a subsetO(n,R)⊂O(n,R) that has the following properties:

– Any orthogonal matrixQ∈O(n,R) has finite representation.

– IfQ∈O(n,R),thenQt_∈O(n,R).

– O(n,R) is a finite set.

Let P be any desired publicly known positive polynomial in the size of the input bases B1,B2 ∈ O(n,R) and δ = ₂πP. We denote the set of anglesC =

{0, δ,2δ, . . . , θ, . . . ,2π−δ}. We denoteO(n,R) to be the set ofn×northogonal matrices corresponding to C that can be written as a product of commuting Givens rotations. More, precisely

O(n,R) ={G(1,2,θ1)·G(3,4,θ2)· · ·G(x−1,x,θx/2):θi ∈C,1≤i≤x}.

where x=n ifn is even, otherwise x=n−1. Clearly O(n,R) is a finite set, sinceCis a finite set. Furthermore for any integer P ≥2,

sin ₂πP

=1₂<2,2−<2,2 +· · ·+<2,2>>· · ·>

| {z }

P−1

cos ₂πP

=1₂<2,2+<2,2 +· · ·+<2,2>>· · ·>

| {z }

P−1

.

For any integer 0≤ N ≤ 2P+1 _sin(N π

2P) and cos(N π₂P) can be computed in O(P) time (see appendix A). Let Q∈O(n,R),

Q=G(1,2,θ1)·G(3,4,θ2)· · ·G(x−1,x,θx/2)for someθ1, ..., θi, ..., θx/2∈C.

We will show thatQt_{∈O(n,R). Let}

Q0=G(1,2,2π−θ1)·G(3,4,2π−θ2)· · ·G(x−1,x,2π−θx/2).

Clearly ifθi∈C,then 2π−θi∈C. Therefore, it follows that Q0∈O(n,R).

Q·Q0= G(1,2,θ1)G(1,2,2π−θ1)

· G(3,4,θ2)G(3,4,2π−θ2)

· · ·G(x−1,x,θx/2)G(x−1,x,2π−θx/2)

=G(1,2,θ1+2π−θ1)·G(3,4,θ2+2π−θ2)· · ·G(x−1,x,θx/2+2π−θx/2) =G(1,2,2π)·G(3,4,2π)· · ·G(x−1,x,2π)

3

Isometric Lattices

Definition 1 LetB1,B2∈Rn×kbe two bases of rankk. We say that two lattices

L(B1)∼=L(B2)are isometric if there exists a matrixU ∈GLk(Z)and a matrix

Q∈O(n,R)such that B2=QB1U.

Decision Problem ILP: Given two matrices B1,B2 ∈Rn×k,decide whether

L(B1)∼=L(B2).

3.1 Variants of ILP

Let S(B1,B2) = {B ∈ R

n×k _{: L(B)} ∼_{= L(B1)} ∼_{= L(B2)} be the set of bases}

that are isometric to B1 and B2. The ILP seems to be very similar to LCE

[7, 5]. Therefore, it is natural to ask if one can obtain a PZKIP for ILP by mimicking theLCEproof system.3_{However, if we try to mimic the proof system}

for LCE we are faced with following problems. Recall that a proof system is zero-knowledge if there exists a probabilistic polynomial time simulator that can forge transcripts that are distributed identically (or statistically close to) real transcripts.

– In the LCE proof system the prover picks uniformly and independently invertible matrices fromFk×kq . In comparison the corresponding set (GLk(Z))

inILPis countably infinite. Therefore there exists no uniform distribution onGLk(Z).

– Computationally it is not possible to work over reals as they required infinite precision and almost all elements in O(n,_R), have infinite representation. Whereas in LCE every element in the corresponding set P(n,Fq) can be represented withO(n2_{logq) bits. Note that in theory the uniform}

distribu-tion exists onO(n,R) [14–16], but computationally it is not possible to pick

uniformly fromO(n,R) as this would require infinite computational power.

A natural solution would be to define some finite subsetsGLk(Z), O(n,R) of

GLk(Z), O(n,R) and pick uniformly from GLk(Z) and O(n,R). However, this

solution may not preserve the zero-knowledge property of the proof system. To see this letB2=QB1U ,be two isometric bases that can be represented finitely, whereQ∈O(n,R) andU ∈GLk(Z).

[B1] =nQ0B1U0:Q0∈O(n,R) andU0∈GLk(Z)

o

[B2] =nQ0B2U0 :Q0∈O(n,R) andU0∈GLk(Z)

o .

1. The prover picks uniformlyi∈ {1,2}.

2. The prover picks uniformlyB∈[Bi] and sendsBto the receiver. 3. The verifier uniformly picks j∈ {1,2} and sendsj to the prover.

3

Note that the zero-knowledge property requires that from B the verifier should not be able to learniexcept with probability1₂(for perfect zero-knowledge) or 1₂+negl (for statistical zero-knowledge). This implies that [B1] = [B2] (for

perfect zero-knowledge) or |[B1]∪[B2]| − |[B1]∩[B2]| = negl (for statistical zero-knowledge). Note that any B ∈ [B1] can only be in [B2] if and only if

Q0·Qt ∈ O(n,R) and U−

1

·U0 ∈ GLk(Z). Similarly, any B ∈ [B2] can only

be in [B1] if and only if Q0 ·Q ∈ O(n,R) and U ·U−1 ∈ GLk(Z). Therefore

setsO(n,R) andGLk(Z) must be a group under multiplication. But this seems

unlikely to happen in general. To see this lets try to construct a finite subgroup

O(n,Q)≤O(n,Q).

– LetQ∈O(n,Q). We addQinO(n,Q),thereforeO(n,Q)←O(n,Q)∪ {Q}.

– SinceO(n,Q) has to be a multiplicative group, we must addQ·Q andQt

to it. HenceO(n,Q)←O(n,Q)∪ {Q·Q} ∪ {Qt}.

– By the same argumentQ·Q·QandQt_·Qt _{must also be added toO(n,}

Q).

Hence, this process may never end andO(n,_Q) will become an infinite set. Similarly if we try to construct a finite subgroupGLk(Z)≤GLk(Z) we will

face the same problem.

In order to deal with these issues we will present two variants of isometric lattice problems. We will show that one of the variant are at least hard as GI

andLCE. We further show that both variants are unlikely to beNP-complete

unless the polynomial hierarchy collapses [18, 19].

3.2 Isometric Lattices over Z

Definition 2 LetB1,B2∈Zn×k be two bases of rankk. We say that two lattices

L(B1)∼=_ZL(B2)are isometric over integers if there exists a matrixU ∈GLk(Z)

and a matrixQ∈O(n,Z) such thatB2=QB1U.

Decision Problem ILP_Z: Given two matricesB1,B2∈Zn×k,decide whether

L(B1)∼=ZL(B2).

3.3 Isometric Lattices over R ⊂_R

Definition 3 Let B1,B2 ∈ Rn×k be two bases of rank k. We say that two

lattices L(B1) ∼=R L(B2) are isometric over R if there exists a matrix U ∈ GLk(Z)and a matrixQ∈O(n,R)such that B2=QB1U.

Decision Problem ILPR: Given two matricesB1,B2∈ Rn×k,decide whether

4

Interactive Proof System for ILP

The set ofn×northogonal matrices over integersO(n,Z) is finite and of

cardi-nality 2n·n!. In fact the set O(n,Z) is exactly equal to the set ofn×nsigned

permutation matrices. Therefore, any element Q ∈ O(n,Z) can be written as

a product Q = D·P for some D ∈ Dn and P ∈ Pn. Furthermore, for any matrixB∈Zk×n the Hermite normal formHNF(B) only depends on the

lat-tice L(B) generated by B and not on a particular lattice basis. Moreover, one can compute HNF(B0) from any basisB0 of L in polynomial time [17]. Since

HNF(B) =HNF(B0),the Hermite normal form does not give any information about the input basis. This will completely bypass the need for picking random elements from the setGLk(Z).

An Interactive Proof for ILP_Z – InputB1,B2∈Zn×k.

1. Repeat for l:=poly(kB1k+kB2k) rounds.

(a) Prover picks uniformly an orthogonal matrix Q0 ∈O(n,Z).

(b) Prover computesH←HNF(Q0B1) and sends it to the verifier. (c) Verifier randomly picks c∈ {1,2} and sends it to the prover. (d) Prover sends the verifier an orthogonal matrixP ∈O(n,Z).

i. ifc= 1 thenP =Q0. ii. ifc= 2 thenP =Q0Qt.

2. Verifier will accept the proof if for all lrounds H=HNF(PBc).

Theorem 3 The proof system for ILP_Z is a malicious verifier perfect-zero knowledge interactive proof with an efficient prover.

Proof:

Completeness: Clearly, if L(B1) and L(B2) are isometric lattices over the integers, then the prover will never fail convincing the verifier.

Soundness: IfL(B1) andL(B2) are not isometric over integers, then the only way for the prover to cheat is to guessccorrectly in each round. Since,cis chosen uniformly and independently from{1,2},the probability of prover guessingcin all round is 2−l. Note that verifier’s computations are done in polynomial time.

Efficient Prover: The steps 1a and 1d can be done efficiently. The Hermite normal forms can be computed in polynomial time using the algorithm presented in [17]. Therefore the expected running time of the prover is polynomial.

Zero-Knowledge: LetV∗ _{be any probabilistic polynomial time (possiblly} ma-licious) verifier. Let T(V∗_{) denote the set of all possible transcripts that could} be produced as a result of the prover P and V∗ carrying out the interactive proof with a yes instance (B1,B2) ofILPZ. LetS denote the simulator, which will produce the possible set of forged transcripts T(S). We denote PrV∗(T)

We will show that:

1. The expected running time ofS is polynomial.

2. PrV∗(T) =Pr_S(T) i.e. the two distributions are identical.

Input:B1,B2∈Zn×k such thatL(B1)∼=ZL(B2). 1. T = (B1,B2).

2. forj= 1to l=poly(kB1k+kB2k)do

(a) old state←state(V∗) (b) repeat

i. Pick uniformlyi∈ {1,2}. ii. Pick uniformlyQ0_j fromO(n,Z).

iii. ComputeH0

j ←HNF(Q0jBi). iv. CallV∗ with inputH0_j and obtainc0.

v. ifi=c0 then

– Concatenate H0_j, i, Q0_j

to the end ofT.

else

– Set state(V∗)←old state. vi. untili=c0

SimulatorS forILP_Z.

SinceV∗ runs in polynomial time and that the probabilityi=c0 is 1/2, on averageS will generate two triples H0

j, i, Q0j

for every triple it concatenates to the transcriptT and hence, the average running time ofS is polynomial .

Using induction we will show thatPrV∗(T) =Pr_S(T). LetPr_V∗(T_j) and PrS(Tj) denote the probability distributions on the partial set of transcripts that could occur at the end of thej-th round.

Base case: Ifj = 0,then in both caseT = (H1,H2),hence both probabilities are identical.

Inductive Step: Suppose both distributionsPrV∗(T_j−1) andPr_S(T_j−1) are

identical for somej≥1.

Now let’s go back and see what happens at thej-th round of our interactive proof forILP_Z. The probability that at this roundV∗picksc= 1 is some number 0≤p≤1 and the probability thatc= 2 is 1−p. Moreover, the prover picks an orthogonal matrixQ0 _{with probability} 1

2n_n!. This probability is independent of how the verifier picksc∈ {1,2}. Therefore the probability that at thej-th round

H0_j, i, Q0_j

is on the transcript of theIP ifc= 1 is ₂np_n! and ifc= 2 is

1−p

2n_n! The simulatorS in any round will pick an orthogonal matrixQ0

j with prob-ability ₂n1_n!. The probability thati= 1 and c0= 1 is

p

2

and the probabilityi= 2 andc0= 2 is 1−p₂ . In both cases the corresponding triple H0_j, i, Q0_j

H0_j,1, Q0_j

is written on the transcript in the j-th round is

p

2×(2n_n!)+

p

22_×(2n_n!)+...+

p

2m_×(2n_n!)+...

= p

2×(2n_n!)

1 +1 2 +

1 4 +...+

1

2m−1 +....

= p

2n_n!. Similarly the total probability that H0_j,2, Q0_j

is written on the transcript in thej-th round is ₂1n−p_n!. Hence, by induction, the two probability distributions are identicalPrV∗(T) =Pr_S(T).

5

Sampling a Lattice Basis in Zero-Knowledge and ILP

SupposeB∈Rn×k is a basis of some lattice L(B). Recall that B0 is a basis of

L(B) if and only ifB0 ∈ {BU :U ∈GLk(Z)}and that the algorithm SampleD [2]

takes an input basisB= [b1|b2|. . .|bk]∈Rn×k, an appropriate parameterss∈ Randc∈Rnand outputs a lattices pointv∈ L(B) that is distributed according

to the discrete Gaussian distributionDs,c,L [2]. SampleD is zero-knowledge in a sense that the output pointvleaks almost no information about the input basis

B except the bound s with overwhelming probability [2]. Furthermore, for an

n dimensional L if we pick V ={v1,v2, . . . ,vn2} lattice points independently according to Ds,L, then V contain a subset of k linearly independent vectors, except withnegl(n) probability ([12], Corollary 3.16).

LetB={b1,· · · ,bk}be a basis of a latticeLand supposeS={s1,· · · ,sk} is a set of linearly independent vectors that belong to L. There exists a deter-ministic polynomial time algorithm that will output a basisT={t1,· · ·,tk}of

Lsuch that ||ti||2≤ ||si||2for 1≤i≤k([1], page 129).

Using the above two algorithms we will present a probabilistic polynomial time algorithm SampleLthat will take an input basisB={b1, . . . ,bk}of some latticeL,c∈_Rn_{,a parameters≥ω(}√_{logn)· ||}

e

B||and outputs a basisT, such thatTleaks no information about the basisB, excepts(the bound on the norm ofB) with overwhelming probability.

Protocol 1 SampleL

Input B∈RnR×k, k, n, s

1. Sample V = {v1,v2, . . . ,vn2} points independently using the algorithm SampleD(B,0, s)).

2. PickS={s1,s2, . . . ,sk} ⊂V,such thatSis a set of linearly independent vectors.

3. Using the deterministic algorithm output the basisT, such thatL(T) =L(B).

It is easy to see that if B ∈ Rn×kR then so T ∈ R n×k

R . Since T and B are bases of the same lattice, there exists aU ∈GLk(Z) such that

6

An Interactive Proof for ILP

– InputB1,B2∈ Rn×k such thatL(B1)∼=R L(B2).

1. Prover set s= logn·max{kB1e k,kB2e k}. 2. fori= 1 tol=poly(kB1k+kB2k) rounds do.

(a) Prover picks uniformly an orthogonal matrix Q0_j ←O(n,R). (b) Prover picksB0_j←SampleL Q0_jB1, k, n, s

. (c) Prover sends the basisB0_j to the verifier.

(d) Verifier randomly pickscj ∈ {1,2}and sends it to the prover. (e) Prover sends the verifier an orthogonal matrixPj ∈O(n,R).

i. ifcj = 1,thenPj=Q0j.

ii. ifcj = 2 thenPj =Q0jQt, whereQ∈O(n,R) is such that

L(B2) =L(QB1).

3. Verifier will accept the proof if for all lrounds L(B) =L(PjBcj).

Theorem 4 The proof system forILPR is a statistical zero-knowledge

interac-tive proof with an efficient prover.

Proof:

Completeness: If L(B1) and L(B2) are isometric lattices, then B2 =QB1U

for someQ∈O(n,R) andU ∈GLk(Z). Clearly,

L(Q0jB1) =L(B) =L(Q0jQ t

B2)

sinceB0_j =Q0_jB1Uj0 and B0j =Q0jQtB2U Uj0 for someUj0 ∈GLk(Z). Therefore,

the prover will always be able to convince the verifier.

Soundness: IfL(B1) andL(B2) are not isometric overR, then the only way for the prover to deceive the verifier is for him to guess correctlycj in each round. Since cj is chosen uniformly from{1,2}, the probability of the prover guessing

cj in all rounds is 2−l. Hence, the protocol is sound.

Efficient Prover: Clearly the prover can perform steps 1, 2a,2cand 2ein ex-pected polynomial-time. In step 2bthe prover picks a lattice basis using SampleL,

which runs in expected polynomial time. Hence the total expected running time of the prover is polynomial.

Zero-Knowledge: Let V∗ _{be any probabilistic polynomial time (possibly} ma-licious) verifier. Let T(V∗_{) denote the set of all possible transcripts that could} be produced as a result ofP andV∗carrying out the interactive proof on ayes

instance (B1,B2) of ILPR. Let SR denote the simulator, which will produce the possible set of forged transcriptsT(SR). We denotePrV∗(T) the

probabil-ity distribution on T(V∗) and we denotePrSR(T) the probability distribution

onT(SR). We will prove that:

1. SR is polynomial.

Input:B1,B2∈ Rn×k _{such that L(B1)}∼₌

RL(B2). 1. Sets= logn·max{kB1e k,kB2e k}.

2. T = (B1,B2).

3. forj= 1to l=poly(kB1k+kB2k)do

(a) old state←state(V∗₎ (b) repeat

i. Pick uniformlyij∈ {1,2}.

ii. Pick uniformlyQ0_j from∈O(n,R). iii. ComputeH0

j ←SampleL Q0jBij, k, n, s

. iv. CallV∗ withH0_j and obtaini0.

v. ifij =i0 then

– Concatenate H0_j, ij, Q0j

to the end ofT.

else

– Set state(V∗)←old state. vi. untilij =i0.

SimulatorSR forILPR.

Running time of the simulator : What is the probability thatij =i0? In other words, on average how many triples H0_j, ij, Q0j

will the simulatorSR generate for every triple it concatenates toT? We note that Q0Qt _andQ0 _{are uniformly} distributed overO(n,R), andL(Q0B1) =L(Q0QtB2) therefore the probability

that the lattice L(H0_j) is obtained by rotating the lattice L(B1) is equal to the probability that it is obtain by rotatingL(B2). Furthermore the algorithm SampleLensures that as far as the parameters are chosen appropriately,H0_j will leak almost no information (apart from the bounds) about the input basis except with negligible probability. Hence, on the average the simulator will generate roughly 2 triples for every triple it adds to T. Therefore the expected running time of SR is roughly twice the running time of V∗. By definition V∗ runs in probabilistic polynomial time. Hence the running time of SR is also expected polynomial time.

We will prove that the two probability distributionsPrV∗(T) andPr_SR(T)

are statistically close as follows. We first prove that the two distributions are statistically close for one round (l= 1). Then we will invoke the sequential com-position lemma 4.3.11 on page 216 of [9], which implies that an interactive proof which is zero-knowledge for one round remains zero-knowledge for polynomially many rounds.

Case l = 1: Let (B0₁, c1, P₁0) denote a transcript produced as a result of an interactive proof and (H0₁, i1, Q0₁) denote a transcript produced by the simulator. In the interactive proofP picks uniformlyP₁0 overO(n,R) andSRalso picksQ01

uniformly overO(n,R). Hence bothP₁0 andQ0₁ are identically distributed. Also

B0₁ and H0₁ are computed by SampleL. Therefore they are almost identically distributed toDs,c,L and thus to each other.

howV∗ picksi0. Also givenH0₁,the probability that V∗ can guess the indexi1

is at most 1₂+negl. Therefore probability thatV∗ picksi0 = 1 is nearlypand

i0 = 2 is nearly 1−p respectively. This means thati1 and c1 have nearly the

same distributions.

Therefore, it follows that (B0₁, c1, P10) and (H01, i1, Q01) are statistically close.

Hence for one round the two distributions are statistically close. Hence, by lemma 4.3.11 for any polynomially many rounds we havePrV∗(T)∼Pr_S

R(T).

7

Isometric Lattice Problem is not Easy

In this section we will show thatILP_Z is at least as hard as Linear Code Equiv-alence problem over prime fieldsFp and Graph Isomorphism.

Theorem 5 ILP_Z is at least as hard as LCE(Linear Code Equivalence prob-lem)over prime fields_Fp.

Proof LetG= [g1|. . .|gk]∈Fn×kp be a basis of some [k, n] linear code C

ψ:C−→Λ2(G); G−→B

where Λ2(G) be the correspondingp-ary lattice. Recall from section 2 thatB=

[g1|. . .|gk|bk+1|. . .|bn]∈Zn×nis a basis ofΛp(G). Wherebj= (0, ..., p, ...,0)∈

Zn and the j-th coordinate is equal top, fork+ 1 ≤j ≤n. Clearly the map

ψ can be computed in polynomial time. Let G1 = [g11|. . .|g1k] ∈ Fn×kp and

G2= [g21|. . .|g2k]∈Fn×kp be two code generators.

=⇒SupposeG1andG2generate linearly equivalent codes i.eG2=PG1M

forM ∈GLk(Fp) and monomial matrixP0∈ P(n,Fq). Note that we can write

P0 as a product of a permutation matrix P ∈ Pn and an invertible diagonal matrixD ∈Fn×kp . Write G2 =PG01M, where G01 =DG1 and let Λp(G01) and

Λp(G2) be corresponding lattices.

For anyv∈Λp(G2)⇐⇒v≡G2·s (modp), for some s∈Zk

=⇒v≡PG0

1M·s (mod p)≡PG01·s0 (mod p),s0=Ms∈Zk

=⇒v∈Λp(PG01)

Hence, Λp(G2)⊆Λp(PG10). Since,PG01 =G2M−1, by the same argument

Λp(PG01) ⊆ Λp(G2), we have Λp(PG01) = Λp(G2). Therefore, there exists a

U ∈GLk(Z) such that

ψ(G2) =ψ(PG0₁)U =P ψ(G0₁)U

⇐= Now supposeG1andG2are not linearly equivalent and supposeψ(G2) = Qψ(G1)U forQ∈O(n,Z) andU ∈GLk(Z). Note we can write anyQ∈O(n,Z)

as Q = P D, for some D ∈ Dn and P ∈ Pn. But P

0 _{= P D}

(modp) is a monomial matrix. Further U is also non-singular over_Fp. Therefore, ψ(G2) =

G2=P0(G1)M modpfor some M ∈GLk(Fp) andM ≡U (mod p) This contradicts the assumption thatG1andG2are not linearly equivalent.

ThereforeILP_Z is at least as hard asLCE.

Theorem 6 ILP_Z is at least as hard as theGI(Graph Isomorphism)problem.

Proof Petrank and Roth [20] reducedGItoPCE(Permutation Code Equiv-alence). More precisely they provided a polynomial time mappingφfrom the set of all graphs to the set of generator matrices overF2 such that two graphsG1

and G2 are isomorphic if and only if φ(G1) andφ(G2) are permutation equiv-alent codes. We will prove thatILPis at least as hard asGI, by reducing the

PCE over F2 to ILP. Let G = [g1|. . .|gk] ∈ Fn×k2 be a basis of some [k, n]

linear codeC

ψ:C−→Λ2(G); G−→B

where Λ2(G) is the corresponding 2-ary lattice. Recall from section 2 thatB=

[g1|. . .|gk|bk+1|. . .|bn]∈Zn×nis a basis of Λ2(G). Wherebj= (0, ...,2, ...,0)∈

Zn and the j-th coordinate is equal to 2, fork+ 1 ≤j ≤n. Clearly the map

ψ can be computed in polynomial time. Let G1 = [g11|. . .|g1k] ∈ Fn×k2 and G2= [g21|. . .|g2k]∈Fn×k2 be two code generators and Λ2(G1) and Λ2(G2) be

corresponding lattices.

=⇒) SupposeG1 andG2 are permutation equivalent i.e. G2 =PG1M for

M ∈GLk(F2) andP∈ Pn. LetG01=PG1. Therefore we can writeG2=G01M.

By definition for anyv∈Λ2(G2),there exists ans∈Zk such that

v≡G2·s≡G01M ·s (mod 2).

=⇒v≡PG1·s0 (mod 2), wheres0=M·s∈Zk=⇒v∈Λ2(PG1).

Hence, Λ2(G2)⊆Λ2(PG1). Since,PtG2M−1=G1 by the same argument Λ2(PG1)⊆Λ2(G2). Hence, there exist aU ∈GLk(Z) such that

ψ(G2) =ψ(PG1)U =⇒B2=PB1U

⇐=) Now suppose G1 andG2 are not permutation equivalent and suppose

ψ(G2) = Qψ(G1)U for Q ∈ O(n,Z) and U ∈ GLk(Z). Note that Q ≡ P

(mod 2),for someP ∈ Pn. For everyv∈Λ2(G2) we have v≡G2u (mod 2) for someu∈Zk.

Since, Λ2(QG1) = Λ2(G2), we also have v ≡(QG1)u≡ (PG1)u (mod 2) for

some u∈_Zk_{. This means thatPG1 andG2 have the same span over}

F2. This

7.1 ILP is unlikely to be NP-complete

In this sub-section we show that ILP_S is unlikely to be NP-complete (where

S=Z orS =R see section 3.1). We do this by constructing a constant round

interactive proof for theNon-Isometric Lattice problem(co-ILP_S), i.e. the complementary problem ofILP_S. Then we invoke results from the field of com-plexity theory, implying that if the complement of a problemΠ has a constant round interactive proof and Π is NP-complete then the polynomial hierarchy collapses [18, 19]. It is widely believed that the polynomial hierarchy does not collapse, therefore we end up with the conclusion that ILP is unlikely to be NP-complete.

Constant Round IP for co-ILP_S – InputB1,B2∈Sn×k bases such that L(B1)SL(B2).

1. Verifier setsl=poly(|B1|+|B2|).

2. Verifier picks uniformlyj1, . . . , jl∈ {1,2}.

3. If S = Z then the verifier picks independent random orthogonal

matrices

Q1, . . . , Ql ∈O(n,Z).

Else verifier picks independently random orthogonal matrices

Q1, . . . , Ql∈O(n,R). 4. For 1≤i≤l,verifier computes a basisH0

ifor the latticeL(QiBji). If_S=_Z,thenH0

i←HNF(QiBji),otherwiseH 0

iis computed using algorithm SampleLfrom section 5.

5. For 1 ≤i ≤l,the all-powerful prover computes and sends j_i0 such that H0_i andBj0

i are isometric.

6. Verifier accepts the proof if ji=ji0 for all 1≤i≤l.

Completeness: Clearly, ifL(B1) andL(B2) are non-isometric lattices then the

prover will never fail convincing the verifier.

Soundness: Suppose L(B1) and L(B2) are isometric lattices. The probability that prover can guess (i1, ..., il) given (H01, ...,Hl0) is 2−lifS=Zand 2−l+negl ifS=R.

8

Conclusion and Acknowledgement

We conclude with an open problem related to our work. Construct a Malicious verifier statistical zero-knowledge proof system with an efficient prover for the Isometric Lattice Problem over rationals ILP_Q. We would also like to thank Professor Chris Peikert, for his help and patience, who always took time out of his busy schedule to answer our questions.

References

2. Craig Gentry, Chris Peikert and Vinod Vaikuntanathan.How to Use a Short Basis: Trapdoors for Hard Lattices and New Cryptographic Constructions. In STOC, pages 197 – 206 (2008).

3. David Cash, Dennis Hofheinz, Eike Kiltz and Chris Peikert.Bonsai trees, or how to delegate a lattice basis. In EUROCRYPT, pages 523 – 552 (2010).

4. Michael R. Garey and David S. Johnson.Computers and Intractability: A Guide to the Theory of NP-Completeness. W. H. Freeman & Company, 1990.

5. Raza Ali Kazmi Cryptography from Post-Quantum Assumptions. PhD Thesis, School of Computer Science, McGill University, 2015. Supervised by Claude Cr´epeau. https://eprint.iacr.org/2015/376.

6. Shafi Goldwasser, Silvio Micali and Charles Rackoff.The knowledge Complexity of Interactive Proof Systems. SIAM Journal on Computing, volume 18, issue 1, pages 186 – 208 (1989).

7. Nicolas Sendrier and Dimitris E. Simos.The Hardness of Code Equivalence overFq

and Its Application to Code-Based Cryptography. In Post-Quantum Cryptography, volume 7932 of LNCS, pages 203-216. Springer, 2013.

8. Oded Goldreich, Silvio Micali, and Avi Wigderson. How to play any mental game or a completeness theorem for protocols with honest majority. In STOC, pages 218 – 229 (1987).

9. Oded Goldreich.Foundations of Cryptography. Volume I & II. Cambridge Univer-sity Press, 2001 – 2004.

10. Daniele Micciancio and Salil P. Vadhan. Statistical Zero-Knowledge Proofs with Efficient Provers: Lattice Problems and More. In CRYPTO, pages 282 – 298 (2003). 11. Christopher Peikert and Vinod Vaikuntanathan. Noninteractive Statistical

Zero-Knowledge Proofs for Lattice Problems. In CRYPTO, pages 17 – 21 (2008). 12. Oded Regev.On lattices, learning with errors, random linear codes, and

cryptog-raphy. In STOC, pages 84 – 93 (2005).

13. Oded Goldreich and Shafi Goldwasser.On the Limits of Non-Approximability of Lattice Problems. In STOC, pages 23 – 26 (1998).

14. G.W. Stewart.The Efficient Generation of Random Orthogonal Matrices with an Application to Condition. SIAM Journal on Numerical Analysis, volume 17 Number 3 (1980).

15. George Marsaglia.Choosing a Point from the Surface of a Sphere. Annals of Math-ematical Statistics, volume 43, number 2, pages 645 – 647 (1972).

16. Eric Schmutz. Rational points on the unit sphere. Central European Journal of Mathematics, volume 6, issue 3, pages 482 – 487 (2008).

17. Cl´ement Pernet and William Stein.Fast Computation of Hermite Normal Forms of Random Integer Matrices. Journal of Number Theory, volume 130, issue 7, pages 1675 – 1683 (2010).

18. Shafi Goldwasser and Michael Sipser.Private coins versus public coins in interac-tive proof systems. In STOC, pages 59 – 68 (1986).

19. Ravi B. Boppana, Johan H˚astad and Stathis Zachos.Does co-NP have short inter-active proofs?Journal of Information Processing Letters, volume 25, issue 2, pages 127 – 132 (1987).

20. Erez Petrank and Ron M. Roth.Is code equivalence easy to decide?IEEE Trans-actions on Information Theory, volume 43, issue 5, pages 1602 – 1604 (1997). 21. Davis Cash, Dennis Hofheinz, Eike Kiltz and Christopher Peikert. Bonsai Trees,

or How to Delegate a Lattice Basis. In EUROCRYPT, pages 523 – 553 (2010). 22. Daniele Micciancio and Christopher Peikert. Trapdoors for Lattices: Simpler,

23. Oded Goldreich, Amit Sahai and Salil Vadhan. Honest-verifier statistical zero-knowledge equals general statistical zero-zero-knowledge. In STOC, pages 399 – 408 (1998).

24. Tanner and Thisted.Applied Statistics, pages 199 – 206 (1982).

25. Hans Liebeck and Anthony Osborne. The generation of all rational orthogonal matrices. American Mathematical Monthly, volume 98, issue 2, pages 131 – 133 (1991).

26. Daniel J Bernstein, Johannes A. Buchmann and Erik Dahmen. Post-Quantum Cryptography. Number Theory and Discrete Mathematics, Springer, ISBN 978-3-540-88701-0 (2008).

27. Michael Garey and David S. Johnson.Computers and Intractability: A Guide to the Theory of NP-Completeness. W. H. Freeman & Co, ISBN 0-7167-1045-5 (1990). 28. Robert J. McEliece. A public-key cryptosystem based on algebraic coding theory.

Technical memo, California Institute of Technology (1978).

A

Computing sine and cosine efficiently

Letp(n) be any desired publicly known positive polynomial. Recall that

sin π 2p(n)

= 1

2< 1 2,2−<

1

2,2 +· · ·+< 1

2,2>>· · ·>

| {z }

p(n)−1

cos π 2p(n)

= 1

2< 1 2,2+<

1

2,2 +· · ·+< 1

2,2>>· · ·>

| {z }

p(n)−1

.

Suppose we have to compute sin ₂p(n)l·π

for some 0≤l≤2p(n)_.

sin(α+β) = sin(α) cos(β) + sin(β) cos(α) cos(α+β) = cos(α) cos(β)−sin(α) sin(β)

Writel=Pk

i=0xi·2i, xi∈ {0,1}andk≤p(n). WLOG we can assume thatl is not even.

sin ₂l·πp(n)

= sin ₂p(n)π−k+· · ·+ π

2p(n)

= sin π

2p(n)−k

cos

[Pk−1 i=0xi2i]π

2p(n)

+ sin

[Pk−1 i=0xi2i]π

2p(n)

cos π

2p(n)−k

.

Note that sin ₂p(n)π−k

and cos ₂p(n)π−k

can be computed directly. Now we

can recursively compute cos

[Pk−1 i=0xi2i]π

2p(n)

and sin

[Pk−1 i=0xi2i]π

2p(n)

. But since

sin(θ)2_{= 1−cos}2_{(θ),in recursion we will only have to compute either cos}

[Pk−1

i=0xi2i]π

2p(n)

or sin

[Pk−1 i=0xi2i]π

2p(n)

.

Clearly depth of the recursion isk≤p(n) and for each recursive step we will have four values, with each value is of sizeO(p(n)). Hence in total running time is at most O(p(n)) operations. Similarly, one can show that cos ₂l·πp(n)