Decreasing Proof Size of BLS Scheme

Abstract

Abstract Bootle et al. in CRYPTO 2019 proposed a zero knowledge proof for an $\mathrm{ISIS}_{m,n,q,\beta }$ instance $A\vec{s} = \vec{u} \bmod q$ with $\|\vec{s}\|_{\infty }\leq \beta $ (BLS scheme). It was implemented by transforming the instance into the form $A^{\prime }\vec{s}^{\prime } =\vec{u}\bmod q$, where the coefficients of $\vec{s}^{\prime}$ are in $\{0,1,2\}$, and proved the latter in an exact way. With the concrete parameters $m=1024,n=2048,\beta =1,q\approx 2^{32}$, their proof is of length 384.03KB. In this paper, we decrease the proof size of BLS scheme by two techniques. The first one takes effect on some special parameters. For these parameters, using the binary basic set instead of the ternary one results in a shorter proof. The second one deals with the repetition of the lower half in BLS scheme. Observing that what the lower half proves is of form $\mathbf{B}\vec{\mathbf{r}}=\vec{\mathbf{t}}$ with a short vector $\vec{\mathbf{r}}$ of polynomials, a variant of parallel repetition can be used to shorten the proof size. Combining these two techniques together, the proof size of the above-mentioned instance can be reduced to 220.01KB, only 57.3$\%$ of BLS scheme.