Non-interactive zero-knowledge proof scheme from RLWE-based key exchange

Shaofen Xie; Wang Yao; Faguo Wu; Zhiming Zheng

doi:10.1371/journal.pone.0256372

Abstract

Lattice-based non-interactive zero-knowledge proof has been widely used in one-way communication and can be effectively applied to resist quantum attacks. However, lattice-based non-interactive zero-knowledge proof schemes have long faced and paid more attention to some efficiency issues, such as proof size and verification time. In this paper, we propose the non-interactive zero-knowledge proof schemes from RLWE-based key exchange by making use of the Hash function and public-key encryption. We then show how to apply the proposed schemes to achieve the fixed proof size and rapid public verification. Compared with previous approaches, our schemes can realize better effectiveness in proof size and verification time. In addition, the proposed schemes are secure from completeness, soundness, and zero-knowledge.

Citation: Xie S, Yao W, Wu F, Zheng Z (2021) Non-interactive zero-knowledge proof scheme from RLWE-based key exchange. PLoS ONE 16(8): e0256372. https://doi.org/10.1371/journal.pone.0256372

Editor: Hua Wang, Victoria University, AUSTRALIA

Received: May 10, 2021; Accepted: August 4, 2021; Published: August 20, 2021

Copyright: © 2021 Xie et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.

Data Availability: All relevant data are within the manuscript and its Supporting information files.

Funding: This work was supported by the National Key Research and Development Program of China under Grant 2020YFB1005702 and the Science and Technology Innovation 2030-Key Project under Grant 2020AAA0108200. https://service.most.gov.cn/.

Competing interests: The authors have declared that no competing interests exist.

Introduction

With the development of information networks, the concern about privacy of personal data is growing. Users tend to communicate on the Internet without revealing individual data [1–7], such as users’ passwords, personal assets information, personal health condition, and so on. According to cryptography theory, the zero-knowledge(ZK) proof [8] is an essential technique for preserving information protection. In the 1880s, Goldwasser et al. proposed the interactive zero-knowledge proof for the first time. Subsequently, Blum et al. [9] first proposed the non-interactive zero-knowledge proof, which is characterized by only one-time communication between the prover and the verifier. Andre et al. [10] designed the protocol which was based on the public-key cryptosystem RSA-encryption for the proof of ownership. Siamak et al. pointed that the significance of credential ownership proofs and gave the proof by the RSA signature scheme [11]. Over the past three decades, extensive research has been conducted on zero-knowledge proofs in terms of algorithm safety and operational efficiency [12–14]. And it is used in various fields such as authentication, ownership, etc. [15–17].

Since the non-interactive zero-knowledge proof is suitable for offline operations, it will have more application scenarios. Usually, there are two methods for interactive zero-knowledge proof to achieve non-interactive zero-knowledge proof: Fiat-Shamir heuristic and CRS(Common Reference Strings) model. For the Fiat-Shamir heuristic, it demands to include a random oracle to generate a uniformly random output. For the CRS model, it needs to rely on a trusted third-party or secure multi-party computing to obtain the common reference string. There has been a series of corresponding studies using the Fiat-Shamir heuristic. Lindell et al. [18] and Ciampi et al. [19] have redesigned the scheme to improve security and efficiency based on Fiat-Shamir transform. With the rapid application of cryptocurrency, after Groth [20] proposed the scheme of constant-size proofs, the first zero-knowledge succinct non-interactive argument of knowledge (ZK-SNARK) based on the assumption of a trusted third-party has also been widely studied. The zero-knowledge proof schemes of traditional encryption have been widely used. And they have made great contributions in efficiency, security, and so on. However, researchers have paid less attention to zero-knowledge proof schemes that can resist quantum attacks.

With the surprising development of quantum computers, a series of post-quantum cryptographic algorithms have been studied [21]. The lattice-based cryptographic algorithm could effectively resist quantum attacks. After Ajtai et al. [22] introduced lattice cryptography and gave strict proof from the average case to the worst case for the first time. Due to the security and applicability of lattice-based cryptographic algorithms, extensive research has been conducted. In 2010, RLWE(Ring Learning with Errors), proposed by Lyubashevsky et al. [23], significantly shortened the key length and improved the efficiency of the signature. Lattice-based cryptography theories have also begun extensive research and application. Subsequently, lattice-based zero-knowledge proofs have begun to develop gradually.

Related works

In 2012, Vadim Lyubashevsky used Fiat-Shamir with Aborts technology to design a zero-knowledge proof scheme [24], which proves that s satisfies As = t mod q without revealing the secret value s. The signature size is 16500 bits which can be modified to shorten using the compression technique, where the scheme relies on SIS(Small Integer Solution) problem and LWE(Learning with Errors) problem. The scheme was then applied and extended by Vadim Lyubashevsky and Gregory Neven to a ciphertext-verifiable scheme [25]. At the same time, Fabrice Benhamouda et al. [26] used zero-knowledge to prove that the secret value s satisfies p = as + e and was used in group signature authentication to protect the anonymity of group members. However, the security is based on a lattice-based assumption and the discrete-logarithm problem. Then we should consider how to construct an effective zero-knowledge proof system in terms of the proof size and the security to promote its application.

Most studies on commitment schemes are quite effective practice for zero-knowledge proof, such as [27–33]. Fabrice Benhamouda et al. [27] constructed a simple efficient string commitment scheme based on RLWE and the zero-knowledge proofs of knowledge for linear relations and multiplicative relations, where the communication complexity is . In order to achieve a negligible soundness error, the protocol demands run M rounds. Vadim Lyubashevsky et al. [28] proposed splitting the polynomial into multiple factors. This method can improve the computation and more information will be hidden. Baum et al. [29] constructed a novel zero-knowledge proof of preimages scheme which would become a tool against malicious adversaries. Muhammed et al. [30] used the one-shot proof technique for non-linear polynomial relations to improve computing and communication performance. Baum et al. designed the zero-knowledge argument based on the short integer solution assumption for specific languages. The communication complexity of this scheme is , where m is the number of gates [31]. The proof size of Bootle et al. proposed scheme [32] is better than that of Stern type proof, but the efficiency of verification time still needs to be improved. Baum et al. [33] constructed a practical zero-knowledge proof of opening knowledge which is an improvement of the scheme of Fabrice Benhamouda et al. [27]. It has shown that prover does not need to send more proof for part of the calculation process. Obviously, the disadvantage of all these previous commitment schemes is that the commitments also consume calculation and communication in the interactive. Meanwhile, considering that the interactive property and the proof size, the commitment schemes are no longer suitable for the publicly-verifiable scheme. We would adopt non-interactive zero-knowledge proof to design a publicly-verifiable scheme with more short proof size and verification time.

Subsequently, related research has also improved in terms of efficiency and safety [34, 35]. Among them, Rafael et al. [34] proposed a scheme that could reduce the proof size. The main idea of this method is to reduce the number of equations in the protocol by increasing the running time of the proof. It is also an interactive scheme that is different from the non-interactive that we would discuss. The non-interactive zero-knowledge proof of LWE based on the SSP (Square Span Programs) in ZK-SNARKs was proposed by Rosario Gennaro et al. [35] and is considered post-quantum secure, and which would be used in the anonymous cryptocurrency Zerocash. The proof size of this scheme is constant which just consists of 5 LWE encodings. Rosario Gennaro et. al. mainly focused on designated-verifier proofs, but we would study the publicly-verifiable proofs. Ding has used the signal function from the RLWE key exchange to design an effective interactive zero-knowledge authentication protocol [36]. They pointed out that the design of the RLWE-based non-interactive zero-knowledge authentication scheme will be future work. Based on the above comparative analysis, we would construct the new non-interactive zero-knowledge proof protocols that can prove ownership with small proof size and high efficiency.

Motivation

Your protected private data can be used in a variety of scenarios, for example, you have a private key, or you have enough money to pay for the transaction, or you know the solution to the problem. In other words, prover should generate the proof for the verifier to prove the secret value for ownership, account balance, Sudoku, etc. Because of the convenience of one-time communication, we study the lattice-based non-interactive zero-knowledge proof against quantum attacks. Considering the wide application of scenarios, the scheme is extended from designated-verifier verification to publicly-verifiable. Because we do not completely trust the trusted third-party, and we want nobody to know our secret value. Therefore, we introduce the semi-trusted third-party assumption, that is, the third-party can only prove the secret value but know nothing about it. This assumption can further enhance the protection of the secret and ensure the security of the scheme.

Contributions

The main contributions in this paper are as follows:

We design a non-interactive zero-knowledge proof scheme to ensure that the proof size is constant for the designated-verifier. Then, we prove that this scheme is secure in terms of completeness, soundness, and zero-knowledge.
In order to satisfy the fixed proof size and improve verification efficiency, we combine public-key encryption with a semi-trusted third-party assumption to construct a publicly-verifiable scheme and prove the security of the scheme.
Compared with the previous scheme with efficiency advantage, we achieve better effectiveness schemes in zero-knowledge proof size and verification time.

Organization

The rest of this paper is organized as follows. In Section 2, we show the essential preliminary for the schemes. In Section 3, we construct a zero-knowledge proof scheme based on key-exchange in designated-verifier and provide the security analysis of the scheme. In Section 4, we construct the non-interactive zero-knowledge proof for publicly-verifiable and also give the security analysis. In Section 5, we compare the efficiency of our schemes with the previous existing protocols. In Section 6, we give a summary of this paper.

Preliminaries

Notations

Throughout the paper, following notations would be used in Table 1.

Download:

Table 1. Description of notations.

https://doi.org/10.1371/journal.pone.0256372.t001

Non-interactive zero-knowledge proof

Definition 1 Non-Interactive Zero-Knowledge Proof: (P,V) is a non-Interactive zero-knowledge proof system for a language L, where s is secret value, should satisfy the following properties [9]:

Completeness.

If the statement is true, the honest verifier will be convinced of this fact by an honest prover. That means, for , if the prover has the secret value s, then

Soundness.

If the statement is false, none prover as the adversary can convince the honest verifier that it is true, except with negligible probability. That means, for , if the prover has no secret value s, then

Zero-knowledge.

If the statement is true, the verifier will learn nothing about the secret but the fact that the statement is true.

That is, there is a polynomial-time simulator, for all and secret value s, the following two distributions are computationally indistinguishable, where Exp_ZK−real = 1 represents the algorithm of the real system and [Exp_ZK−sim = 1] represents the algorithm of the simulation system.

Non-interactive.

The prover only has one-way communication to the verifiers during the proof phase.

Ring learning with error

Here, we recall informally the Ring Learning with Error assumption, which is a classical hard problem on lattice defined by Regev [37]. And the security of our quantum-resistant schemes rely on the hardness assumption that has been previously used in the literature as follows.

Definition 2 Discrete Gaussian: For , the center of Discrete Gaussian Distribution c, and defined as the N-dimensional Gaussian function: Then the Discrete Gaussian Distribution can be defined as .

Lemma 1 ([38]). Let , for any a, b ∈ R, we have and ‖a ⋅ b‖_∞ ≤ ‖a‖_∞ ⋅ ‖b‖_∞.

Lemma 2 ([39]). For any , then we have Definition 3 RLWE Problem [36, 37]: Let be a power of 2 and q be positive integers, and let χ_α be the Discrete Gaussian distribution onR_q. For a uniformly chosen element s of the polynomial ring R_q, let be the distribution of the pair (a, as + 2e) ∈ R_q × R_q, where a ← R_q is uniformly chosen and e ← χ_α is independent of a. Then the is computationally indistinguishable from the uniform distribution on R_q × R_q for any probabilistic polynomial time(PPT).

Assumption 1 [36] The security of our schemes rely on the Ring-LWE assumption stating that the distribution of (h_i, h_i s + e_i), where h_i is random in R_q and s, e_i are small polynomials, is indistinguishable from uniform. The search version of Ring-LWE is to modify the above definition by requiring the PPT algorithm to find s rather than distinguish the two distributions.

Signal function

Given is , we introduce the signal function [38] to eliminate the errors caused by Mod₂ function in R_q.

Definition 4 Signal Function Let and , then the signal function as the following: Definition 5 The function was defined as Lemma 3 ([40]). Let q > 8 and be an odd prime, such that and a = Char(x). Then Proof 0.1 Known , let x = y + 2ε, , Note that . From the Char function as we defined, , because , , Perform mod₂ on both sides of the above equation, then .

Then, signal function and mod₂ function were extended to polynomial ring x ∈ R_q by applying them for each coefficient . Clearly, the result in Lemma 3 still holds when extending to polynomial ring elements. In the following, we use the extend signal function and mod₂ function in the polynomial ring .

As far as we know, Ding et al. [41] in 2017 pointed out that signal function may leak the secret key when RLWE public-key is reused for the long term. But it does not mean that the signal function cannot be used forever. Gao et al. [42] used a key reuse mode by adding the user ID and a fresh public error against this attack in 2018.

Designated-verifier non-interactive zero-knowledge Proof based on RLWE key exchange

DVNIZK scheme

Firstly, we describe the designated-verifier non-interactive zero-knowledge proof scheme (DVNIZK) which is based on RLWE key exchange. As we know, only the designated-verifier can effectively check the proof in the DVNIZK scheme. This scheme is just a one-time proof. That is to say, a new session will be built for the different designated-verifier. At the same time, the prover will generate fresh errors for different verifiers. Therefore, this scheme can against signal function leakage attacks.

This scheme involves two objects: prover and verifier. Prover generates the proof for the verifier to prove the user of secret value for ownership, account balance, Sudoku, etc, which is illustrated in Fig 1.

Download:

Fig 1. The designated-verifier scheme architecture.

https://doi.org/10.1371/journal.pone.0256372.g001

In the first scheme, we provide the security model for the designated-verifier non-interactive zero-knowledge proof using the random oracle model, similar to the security model proposed in [36]. Our first scheme is composed of three algorithms: Setup, Proof, Verify. Specifically, we demonstrate it as follows, shown in Fig 2.

Download:

Fig 2. Designated-verifier non-interactive zero-knowledge based on RLWE key exchange.

https://doi.org/10.1371/journal.pone.0256372.g002

1.Setup:

The public parameters q, n, α be generated, where q > 8 is prime.
Let M be a uniformly random matrix .
Let H: {0, 1}^{n × n} → {0, 1}ⁿ be a random oracle.
P has P_A = M ⋅ S_A + 2e_A mod q where S_A is secret information and S_A, e_A ← χ_α are n × n dimensional. Namely, S_A consists of n elements in a polynomial ring (i.e. S_A = (S₁, S₂, ⋯, S_n)^T, where S_i = (s_i1, s_i2, ⋯, s_in)∈R_q, , which i and j range from 1 to n). s_ij is sampled from the Discrete Gaussian distribution with parameter σ. Clearly, S_A can be expressed as a n × n dimensional matrix. And e_A is the same as above S_A. It is stated here that all the multiplication operations of the elements in the polynomial ring must undergo modulo q and modulo the irreducible polynomial xⁿ + 1 operations.
V has P_B = M ⋅ S_B + 2e_B mod q where S_B, e_B ← χ_α are also n × n dimensional. S_B and e_B are also same as above S_A.

2.Proof:

Let , P computes ω = Char(x) and W ← Mod₂(x, ω) as the zero-knowledge proof.
P computes K = H(W).
P sends K, ω to V.

3.Verify:

Upon receiving K, ω, only verifier could do the following:
Let , V computes J ← Mod₂(y, ω) firstly.
V checks if . Accept if K = H(J), otherwise reject.

Security analysis

Security is the most important factor of the zero-knowledge proof schemes. The first scheme for designated-verifier only can be used as the one-time proof. It satisfies the properties of the zero-knowledge proof: Completeness, Soundness, Zero-knowledge. We will supply a simple security analysis in the following.

Lemma 4 Let q > 16σ² n^α3/2, then Mod₂(x, ω) = Mod₂(y, ω), except with negligible probability.

Proof 0.2 Firstly, we know that and .

Considering that , then we just show that by Lemma 3, where i, j ∈ {1, ⋯, q}. After simplification, combining with Lemma 1 and Lemma 2, we have that By lemma 3, we obtain .

Then, q > 16σ² n^α3/2 with probability 1 − 2⁻ⁿ.

1) Completeness.

The form of the proof is shown as follows:

As we know K = H(W), where W = Mod₂(x, ω).

The verifier owns S_B, P_A, K, ω after receiving the proof, it will follow from straightforward calculations H(J) where J = Mod₂(y, ω).

If S_A is true, by the lemma 4, Mod₂(x, ω) = Mod₂(y, ω). That means W = J. Finally, K = H(W) will be equal to H(J). Then the verifier will be convinced that the prover owns the secret.

2) Soundness.

Assuming that P would be a adversary and as an oracle that generate the valid proof for the honest verifier with non-negligible probability in the following.

Game₀: this game is the original scheme. According to the scheme, P_A = M ⋅ S_A + 2e_A mod q, P_B = M^T ⋅ S_B + 2e_B mod q, then W, ω, K, J is generated, and output b_d which is the determination of the verifier. Among which b_d = 1 means the verifier accepts and b_d = 0 respects he rejects.

Game₁: this game is equal to Game₀ except that P_A is chosen uniformly. cannot generate the valid proofs for the chosen uniform P_A with negligible probability.

Lemma 5 If prover as the adversary who could generate a valid proof for P_A = M ⋅ S_A + 2e_A mod q without the secret of S_A to convince the honest verifier with non-negligible probability, then there is a distinguisher for P_A from uniform with the same probability.

Proof 0.3 Assuming that be a RLWE distinguisher. Considering that interaction between and as the role of honest verifier. When sends the challenge (M, P_A) from the RLWE challenger to , would do the following. If P_A = M ⋅ S_A + 2e_A mod q, the interaction between and is equal to Game₀, then outputs 1. If P_A is chosen uniformly, the interaction between and is equal to Game₁, then outputs 0.

Suppose can generate a valid proof for the chosen uniform P_A with non-negligible probability, then would not be successful from the above defined. That means the adversary can solve the search version of the Ring-LWE problem with the same probability. Suppose can generate K and ω which are accepted by the honest verifier for P_A without the secret of S_A. In our first scheme, the crucial verify are J = Mod₂(y, ω). It means that the valid proof only could be obtained by guessed or correctly calculated Char(y) and Mod₂(y, Char(y)).

On the one hand, the valid proof that the probability of being brutally guessed is negligible. On the other hand, the adversary wants to calculate Char(y) and Mod₂(y, Char(y)) correctly. Considering that this scheme is used as a one-time proof, there is no sign function leakage attack that makes the secret value leak. Therefore, in order to calculate the correct Char(y) and Mod₂(y, Char(y)), needs to know the secret value S_B. However, if knows the secret value S_B, it means that it can solve the search version of the Ring-LWE problem. In fact, the search version of Ring-LWE is to modify the above definition by requiring the PPT algorithm to find s rather than distinguish the two distributions in Assumption 1. Therefore, the adversary can generate a valid proof for the chosen uniform P_A and would be accepted by the designated-verifier with the same probability which can solve the search version of the Ring-LWE problem.

In summary, in DVNIZK-KE Scheme, the adversary cannot convince the verifier to believe him with negligible probability without knowing the secret value. Then the soundness error of our is negligible.

3) Honest-verifier zero-knowledge.

Lemma 6 Honest-verifier Zero-knowledge [26] means that there be a probabilistic polynomial-time simulator taking P_A and as input, that outputs (K′, ω′) is indistinguishable from an accepting protocol transcript generated by a real scheme run.

Proof 0.4 Then we assume a probabilistic polynomial-time simulator would access to the random oracle . Then we construct Exp_ZK−sim to make zero-knowledge proof in the random oracle model. Let Exp_ZK−real = 1 denotes the output of the interactive scheme between the real prover and the designated-verifier. Exp_ZK−sim = 1 means the simulator’s output. The simulator for our first scheme described in Fig 1 is constructed: query the random oracle with input and output which .

According to the construction, we claim that the outputs from a probabilistic polynomial-time simulator are indistinguishable from an accepting protocol transcript generated by a real scheme run.

Considering the scheme of expandability, the prover would send K = H(W) and ω encrypted with a symmetric key K_PV between prover and verifier. So no one can get the proof and the secret from the proof, except for the designated-verifier. At the same time, the verifier cannot obtain secret information except proof. We send K = H(W) and ω with encryption in security communication for resisting the replay attack and man-in-the-middle attack.

Publicly-verifiable non-interactive zero-knowledge proof based on RLWE key exchange

Syntax

We consider zero-knowledge proof in publicly-verifiable scenario for ownership with three participants: the third-party(T) who is curious-but-honest, prover(P) who provides the proof without revealing the secret, verifier(V) who verifies the prove in Fig 3.

Download:

Fig 3. The publicly-verifiable scheme architecture.

https://doi.org/10.1371/journal.pone.0256372.g003

A non-interactive zero-knowledge scheme based key exchange from lattice includes a set of five polynomial-time algorithms(Setup, Register, Proof, Verify, Update). Then we briefly describe the process followed by five polynomial-time algorithms, shown in Fig 4.

Setup (1^p) → P: The setup algorithms takes as the security parameters p, everyone could choose uniformly random matrix M and obtain the secret vector S which is satisfying Discrete Gaussian Distribution, and outputs the public key P.
Register (M, P_A, P_C)→(I, J): The register algorithm takes as input the parameters M, public key of P is P_A, public key of T for P is P_B, the corresponding public key P_C, signal function ω and υ for eliminating the errors, and outputs I, W and J. T would save P_A, I, W and open P_A, J and ID_P which is the identity of prover.
Proof (S_A, P_B, P_C, ω) → K: Given S_A, P_B, P_C, ω, P would obtain the zero-knowledge proof K. Then P should send the public key P_A and the zero-knowledge proof K to verifier without encryption.
Verify (K)→{0, 1}: After receiving the proof, V would find J by P_A from the third-party. Then V would verify if H(K) is equal to J.
Update J → J, J₁: Given the P_A, I₁, P_D, ω₁, T should verify whether I₁ is equal to I or not firstly. If they were equal, then T would open P_A, J, J₁, ID_P and .

Download:

Fig 4. Publicly-verifiable non-interactive zero-knowledge based on key exchange.

https://doi.org/10.1371/journal.pone.0256372.g004

Security model

In this subsection, we provide the security model for the publicly-verifiable non-interactive zero-knowledge proof Although the definition of non-interactive zero-knowledge remains unchanged, a semi-trusted third-party is introduced. Our security model is based on the curious-but-honest model and a random oracle model in federated learning [36, 43]. The semi-trusted third-party is curious-but-honest which means it does not deviate from the defined but tends to obtain all possible information from the legitimately received messages. In other words, the semi-trusted third-party only attempts to know the secret key of the prover, but he will not deceive other users with the proof he knows. Therefore, we can divide potential adversaries into the following:

An external adversary who is able to obtain public information. He attempts to give valid proof before the semi-trusted party issue.
The semi-trusted party as an internal adversary not only obtain the information from the phase of Register and Proof, but also possess the update key for all signers in the system.

In our second scheme, for the prover, he cannot forge an effective proof to deceive the semi-trusted third party and verifiers. For a semi-trusted third-party, he cannot obtain the secret key of the prover. For the verifier, he can neither obtain the secret key nor forge the proof of the secret value. Through the above analysis, it is clear that the security can be guaranteed if and only if the scheme satisfies the definition of zero-knowledge.

The scheme in detail

The system first generates the public parameters q, n, α, where q > 8 is an odd prime. Let M be a uniformly random matrix . Let H₁: {0, 1}^n×n → {0, 1}ⁿ and H₂: {0, 1}^n×n → {0, 1}ⁿ be random oracles. The secret information owner P has P_A = M ⋅ S_A + 2e_A mod q where S_A, e_A ← χ_α are n × n dimensional same as above mentioned and S_A is secret information. Meanwhile, its public key is P_C = M ⋅ S_C + 2e_C mod q where S_C, e_C ← χ_α are n × n dimensional and S_B is its secret key. Similarly for the third-party T, its public key for P is P_B = M^T ⋅ S_B + 2e_B mod q while S_B is its secret key. P_A, S_A, P_B, S_B, P_C, S_C are used to create the zero-knowledge proof for verifiers V. Otherwise, T has a list for public and a symmetric key K_PT between prover and verifier.

The second scheme is composed of four algorithms except Setup algorithm: Register, Proof, Verify and Update. We specify it in full detail:

1.Register:

The secret information owner P does the following:

Let , P computes , where ω = Char(x) and υ = Char(x).
P sends C to T.

Upon receiving C, T does the following:

T computes .
T checks if P_A ∈ list, reject. If P_A ∉ list and P is a certified legal user by T, T adds it to the list.
Let , T computes I ← Mod₂(y, υ) and W ← H₁(Mod₂(Y, ω)).
T computes J ← H₂(W).
T saves (P_A, I, W) and opens (P_A, P_B, J, ID_P) Where ID_P is the identity of prover.

2.Proof:

T computes K ← H₁(Mod₂(X, ω)) as the zero-knowledge proof. In fact, Mod₂(X, ω) could be computed in the Register algorithm. The Proof algorithm only needs to calculate a hash operation.
T opens (P_A, K).

3.Verify:

Upon receiving (P_A, K, J), everyone could do the following especially verifiers:

After checking information is issued by ID_P, then it computes H₂(K) firstly.
V checks if . Accept if H₂(K) = J, otherwise reject.

4.Update:

The secret information owner P₁ does the following:

P computes .
P samples S_D, e_D ← χ_α and computes P_D = M ⋅ S_D + 2e_D mod q.
Let , P computes ω₁ = Char(X₁) and .
P sends C₁ to T.

Upon receiving C₁, T does the following:

T computes .
Let , T checks if I′ is equal to I. If they are equal, then it outputs W₁ ← H₁(Mod₂(Y₁, ω)) and J₁ ← H₂(W₁).
T saves (P_A, I, W, W₁) and opens .