MozZ2karella: Efficient Vector-OLE and Zero-Knowledge Proofs over Z2k

Carsten Baum; Lennart Braun; Alexander Munch-Hansen; Peter Scholl

doi:10.1007/978-3-031-15985-5_12

MozZ2karella: Efficient Vector-OLE and Zero-Knowledge Proofs over Z2k

Carsten Baum, Lennart Braun^*, Alexander Munch-Hansen, Peter Scholl

^*Corresponding author for this work

Department of Computer Science

Research output: Contribution to book/anthology/report/proceeding › Article in proceedings › Research › peer-review

15 Citations (Scopus)

Abstract

Zero-knowledge proof systems are usually designed to support computations for circuits over $\mathbb{F}_2$ or $\mathbb{F}_p$ for large $p$, but not for computations over $\mathbb{Z}_{2^k}$, which all modern CPUs operate on. Although $\mathbb{Z}_{2^k}$-arithmetic can be emulated using prime moduli, this comes with an unavoidable overhead. Recently, Baum et al.\ (CCS 2021) suggested a candidate construction for a designated-verifier zero-knowledge proof system that natively runs over $\mathbb{Z}_{2^k}$. Unfortunately, their construction requires preprocessed random vector oblivious linear evaluation (VOLE) to be instantiated over $\mathbb{Z}_{2^k}$. Currently, it is not known how to efficiently generate such random VOLE in large quantities.

In this work, we present a maliciously secure, VOLE extension protocol that can turn a short seed-VOLE over $\mathbb{Z}_{2^k}$ into a much longer, pseudorandom VOLE over the same ring. Our construction borrows ideas from recent protocols over finite fields, which we non-trivially adapt to work over $\mathbb{Z}_{2^k}$. Moreover, we show that the approach taken by the QuickSilver zero-knowledge proof system (Yang et al.\ CCS 2021) can be generalized to support computations over $\mathbb{Z}_{2^k}$. This new VOLE-based proof system, which we call \Quarksilver, yields better efficiency than the previous zero-knowledge protocols suggested by Baum et al. Furthermore, we implement both our VOLE extension and our zero-knowledge proof system, and show that they can generate \numrange[range-phrase=--]{13}{50} million VOLEs per second for \SIrange{64}{256}{\bit} rings, and evaluate \num{1.3}~million \SI{64}{\bit} multiplications per second in zero-knowledge.

Original language	English
Title of host publication	Advances in Cryptology – CRYPTO 2022 - 42nd Annual International Cryptology Conference, CRYPTO 2022, Proceedings
Editors	Yevgeniy Dodis, Thomas Shrimpton
Number of pages	30
Publisher	Springer
Publication date	Oct 2022
Pages	329-358
ISBN (Print)	978-3-031-15984-8
ISBN (Electronic)	978-3-031-15985-5
DOIs	https://doi.org/10.1007/978-3-031-15985-5_12
Publication status	Published - Oct 2022
Event	42nd Annual International Cryptology Conference, CRYPTO 2022 - Santa Barbara, United States Duration: 15 Aug 2022 → 18 Aug 2022

Conference

Conference	42nd Annual International Cryptology Conference, CRYPTO 2022
Country/Territory	United States
City	Santa Barbara
Period	15/08/2022 → 18/08/2022

Series	Lecture Notes in Computer Science
Volume	13510
ISSN	0302-9743

Keywords

zero-knowledge
vector ole

Access to Document

10.1007/978-3-031-15985-5_12

https://eprint.iacr.org/2022/819Licence: CC BY

Library access?

Check availability with the Royal Danish Library

Cite this

Baum, Carsten ; Braun, Lennart ; Munch-Hansen, Alexander et al. / MozZ2karella : Efficient Vector-OLE and Zero-Knowledge Proofs over Z2k. Advances in Cryptology – CRYPTO 2022 - 42nd Annual International Cryptology Conference, CRYPTO 2022, Proceedings. editor / Yevgeniy Dodis ; Thomas Shrimpton. Springer, 2022. pp. 329-358 (Lecture Notes in Computer Science, Vol. 13510).

@inproceedings{47e39ea035eb4cdb85bac2c1f0243eb2,

title = "MozZ2karella: Efficient Vector-OLE and Zero-Knowledge Proofs over Z2k",

abstract = "Zero-knowledge proof systems are usually designed to support computations for circuits over \$\textbackslash{}mathbb\{F\}\_2\$ or \$\textbackslash{}mathbb\{F\}\_p\$ for large \$p\$, but not for computations over \$\textbackslash{}mathbb\{Z\}\_\{2\textasciicircum{}k\}\$, which all modern CPUs operate on. Although \$\textbackslash{}mathbb\{Z\}\_\{2\textasciicircum{}k\}\$-arithmetic can be emulated using prime moduli, this comes with an unavoidable overhead. Recently, Baum et al.\textbackslash{} (CCS 2021) suggested a candidate construction for a designated-verifier zero-knowledge proof system that natively runs over \$\textbackslash{}mathbb\{Z\}\_\{2\textasciicircum{}k\}\$. Unfortunately, their construction requires preprocessed random vector oblivious linear evaluation (VOLE) to be instantiated over \$\textbackslash{}mathbb\{Z\}\_\{2\textasciicircum{}k\}\$. Currently, it is not known how to efficiently generate such random VOLE in large quantities. In this work, we present a maliciously secure, VOLE extension protocol that can turn a short seed-VOLE over \$\textbackslash{}mathbb\{Z\}\_\{2\textasciicircum{}k\}\$ into a much longer, pseudorandom VOLE over the same ring. Our construction borrows ideas from recent protocols over finite fields, which we non-trivially adapt to work over \$\textbackslash{}mathbb\{Z\}\_\{2\textasciicircum{}k\}\$. Moreover, we show that the approach taken by the QuickSilver zero-knowledge proof system (Yang et al.\textbackslash{} CCS 2021) can be generalized to support computations over \$\textbackslash{}mathbb\{Z\}\_\{2\textasciicircum{}k\}\$. This new VOLE-based proof system, which we call \textbackslash{}Quarksilver, yields better efficiency than the previous zero-knowledge protocols suggested by Baum et al. Furthermore, we implement both our VOLE extension and our zero-knowledge proof system, and show that they can generate \textbackslash{}numrange[range-phrase=--]\{13\}\{50\} million VOLEs per second for \textbackslash{}SIrange\{64\}\{256\}\{\textbackslash{}bit\} rings, and evaluate \textbackslash{}num\{1.3\}\textasciitilde{}million \textbackslash{}SI\{64\}\{\textbackslash{}bit\} multiplications per second in zero-knowledge.",

keywords = "zero-knowledge, vector ole",

author = "Carsten Baum and Lennart Braun and Alexander Munch-Hansen and Peter Scholl",

year = "2022",

month = oct,

doi = "10.1007/978-3-031-15985-5\_12",

language = "English",

isbn = "978-3-031-15984-8",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "329--358",

editor = "Yevgeniy Dodis and Thomas Shrimpton",

booktitle = "Advances in Cryptology – CRYPTO 2022 - 42nd Annual International Cryptology Conference, CRYPTO 2022, Proceedings",

address = "Netherlands",

note = "42nd Annual International Cryptology Conference, CRYPTO 2022 ; Conference date: 15-08-2022 Through 18-08-2022",

}

Baum, C, Braun, L, Munch-Hansen, A & Scholl, P 2022, MozZ2karella: Efficient Vector-OLE and Zero-Knowledge Proofs over Z2k. in Y Dodis & T Shrimpton (eds), Advances in Cryptology – CRYPTO 2022 - 42nd Annual International Cryptology Conference, CRYPTO 2022, Proceedings. Springer, Lecture Notes in Computer Science, vol. 13510, pp. 329-358, 42nd Annual International Cryptology Conference, CRYPTO 2022, Santa Barbara, United States, 15/08/2022. https://doi.org/10.1007/978-3-031-15985-5_12

MozZ2karella: Efficient Vector-OLE and Zero-Knowledge Proofs over Z2k. / Baum, Carsten; Braun, Lennart; Munch-Hansen, Alexander et al.
Advances in Cryptology – CRYPTO 2022 - 42nd Annual International Cryptology Conference, CRYPTO 2022, Proceedings. ed. / Yevgeniy Dodis; Thomas Shrimpton. Springer, 2022. p. 329-358 (Lecture Notes in Computer Science, Vol. 13510).

Research output: Contribution to book/anthology/report/proceeding › Article in proceedings › Research › peer-review

TY - GEN

T1 - MozZ2karella

T2 - 42nd Annual International Cryptology Conference, CRYPTO 2022

AU - Baum, Carsten

AU - Braun, Lennart

AU - Munch-Hansen, Alexander

AU - Scholl, Peter

PY - 2022/10

Y1 - 2022/10

N2 - Zero-knowledge proof systems are usually designed to support computations for circuits over $\mathbb{F}_2$ or $\mathbb{F}_p$ for large $p$, but not for computations over $\mathbb{Z}_{2^k}$, which all modern CPUs operate on. Although $\mathbb{Z}_{2^k}$-arithmetic can be emulated using prime moduli, this comes with an unavoidable overhead. Recently, Baum et al.\ (CCS 2021) suggested a candidate construction for a designated-verifier zero-knowledge proof system that natively runs over $\mathbb{Z}_{2^k}$. Unfortunately, their construction requires preprocessed random vector oblivious linear evaluation (VOLE) to be instantiated over $\mathbb{Z}_{2^k}$. Currently, it is not known how to efficiently generate such random VOLE in large quantities. In this work, we present a maliciously secure, VOLE extension protocol that can turn a short seed-VOLE over $\mathbb{Z}_{2^k}$ into a much longer, pseudorandom VOLE over the same ring. Our construction borrows ideas from recent protocols over finite fields, which we non-trivially adapt to work over $\mathbb{Z}_{2^k}$. Moreover, we show that the approach taken by the QuickSilver zero-knowledge proof system (Yang et al.\ CCS 2021) can be generalized to support computations over $\mathbb{Z}_{2^k}$. This new VOLE-based proof system, which we call \Quarksilver, yields better efficiency than the previous zero-knowledge protocols suggested by Baum et al. Furthermore, we implement both our VOLE extension and our zero-knowledge proof system, and show that they can generate \numrange[range-phrase=--]{13}{50} million VOLEs per second for \SIrange{64}{256}{\bit} rings, and evaluate \num{1.3}~million \SI{64}{\bit} multiplications per second in zero-knowledge.

AB - Zero-knowledge proof systems are usually designed to support computations for circuits over $\mathbb{F}_2$ or $\mathbb{F}_p$ for large $p$, but not for computations over $\mathbb{Z}_{2^k}$, which all modern CPUs operate on. Although $\mathbb{Z}_{2^k}$-arithmetic can be emulated using prime moduli, this comes with an unavoidable overhead. Recently, Baum et al.\ (CCS 2021) suggested a candidate construction for a designated-verifier zero-knowledge proof system that natively runs over $\mathbb{Z}_{2^k}$. Unfortunately, their construction requires preprocessed random vector oblivious linear evaluation (VOLE) to be instantiated over $\mathbb{Z}_{2^k}$. Currently, it is not known how to efficiently generate such random VOLE in large quantities. In this work, we present a maliciously secure, VOLE extension protocol that can turn a short seed-VOLE over $\mathbb{Z}_{2^k}$ into a much longer, pseudorandom VOLE over the same ring. Our construction borrows ideas from recent protocols over finite fields, which we non-trivially adapt to work over $\mathbb{Z}_{2^k}$. Moreover, we show that the approach taken by the QuickSilver zero-knowledge proof system (Yang et al.\ CCS 2021) can be generalized to support computations over $\mathbb{Z}_{2^k}$. This new VOLE-based proof system, which we call \Quarksilver, yields better efficiency than the previous zero-knowledge protocols suggested by Baum et al. Furthermore, we implement both our VOLE extension and our zero-knowledge proof system, and show that they can generate \numrange[range-phrase=--]{13}{50} million VOLEs per second for \SIrange{64}{256}{\bit} rings, and evaluate \num{1.3}~million \SI{64}{\bit} multiplications per second in zero-knowledge.

KW - zero-knowledge

KW - vector ole

U2 - 10.1007/978-3-031-15985-5_12

DO - 10.1007/978-3-031-15985-5_12

M3 - Article in proceedings

SN - 978-3-031-15984-8

T3 - Lecture Notes in Computer Science

SP - 329

EP - 358

BT - Advances in Cryptology – CRYPTO 2022 - 42nd Annual International Cryptology Conference, CRYPTO 2022, Proceedings

A2 - Dodis, Yevgeniy

A2 - Shrimpton, Thomas

PB - Springer

Y2 - 15 August 2022 through 18 August 2022

ER -

Baum C, Braun L, Munch-Hansen A, Scholl P. MozZ2karella: Efficient Vector-OLE and Zero-Knowledge Proofs over Z2k. In Dodis Y, Shrimpton T, editors, Advances in Cryptology – CRYPTO 2022 - 42nd Annual International Cryptology Conference, CRYPTO 2022, Proceedings. Springer. 2022. p. 329-358. (Lecture Notes in Computer Science, Vol. 13510). doi: 10.1007/978-3-031-15985-5_12