Abstract. We construct a practical lattice-based zero-knowledge argument for proving multiplicative
relations between committed values. The underlying commitment scheme that we use is the currently
most efficient one of Baum et al. (SCN 2018), and the size of our multiplicative proof (9KB) is only
slightly larger than the 7KB required for just proving knowledge of the committed values. We additionally expand on the work of Lyubashevsky and Seiler (Eurocrypt 2018) by showing that the
above-mentioned result can also apply when working over rings Zq[X]=(X
d + 1) where X
d + 1 splits
into low-degree factors, which is a desirable property for many applications (e.g. range proofs, multiplications over Zq) that take advantage of packing multiple integers into the NTT coefficients of the
committed polynomial
标签:Product,knowledge,over,proving,Practical,Lattice,2018,committed,into From: https://blog.51cto.com/u_14897897/8379828