On squares of cyclic codes
The square of a linear error correcting code is the linear code
spanned by the component-wise products of every pair of (non-necessarily
distinct) words in . Squares of codes have gained attention for several
applications mainly in the area of cryptography, and typically in those
applications one is concerned about some of the parameters (dimension, minimum
distance) of both and . In this paper, motivated mostly by the
study of this problem in the case of linear codes defined over the binary
field, squares of cyclic codes are considered. General results on the minimum
distance of the squares of cyclic codes are obtained and constructions of
cyclic codes with relatively large dimension of and minimum distance of
the square are discussed. In some cases, the constructions lead to
codes such that both and simultaneously have the largest
possible minimum distances for their length and dimensions.
Comment: Accepted at IEEE Transactions on Information Theory. IEEE early access version available at https://ieeexplore.ieee.org/document/8451926
Squares of matrix-product codes
The component-wise or Schur product of two linear error-correcting codes and over a certain finite field is the linear code spanned by all component-wise products of a codeword in with a codeword in . When , we call the product the square of and denote it . Motivated by several applications of squares of linear codes in the area of cryptography, in this paper we study squares of so-called matrix-product codes, a general construction that allows one to obtain new, longer codes from several "constituent" codes. We show that in many cases we can relate the square of a matrix-product code to the squares and products of its constituent codes, which allows us to give bounds on, or even determine, its minimum distance. We consider the well-known -construction, or Plotkin sum (which is a special case of a matrix-product code), and determine which parameters we can obtain when the constituent codes are certain cyclic codes. In addition, we use the same techniques to study the squares of other matrix-product codes, for example when the defining matrix is Vandermonde (where the minimum distance is in a certain sense maximal with respect to matrix-product codes).
This work is supported by the Danish Council for Independent Research: grant DFF-4002-00367, the Spanish Ministry of Economy/FEDER: grant RYC-2016-20208 (AEI/FSE/UE), the Spanish Ministry of Science/FEDER: grant PGC2018-096446-B-C21, and Junta de CyL (Spain): grant VA166G
Torsion Limits and Riemann-Roch Systems for Function Fields and Applications
The Ihara limit (or -constant) has been a central problem of study in
the asymptotic theory of global function fields (or equivalently, algebraic
curves over finite fields). It addresses global function fields with many
rational points and, so far, most applications of this theory do not require
additional properties. Motivated by recent applications, we require global
function fields with the additional property that their zero class divisor
groups contain at most a small number of -torsion points. We capture this by
the torsion limit, a new asymptotic quantity for global function fields. It
seems that it is even harder to determine values of this new quantity than the
Ihara constant. Nevertheless, some non-trivial lower and upper bounds are
derived. Apart from this new asymptotic quantity and bounds on it, we also
introduce Riemann-Roch systems of equations. It turns out that this type of
equation system plays an important role in the study of several other problems
in areas such as coding theory, arithmetic secret sharing and multiplication
complexity of finite fields, etc. Finally, we show how our new asymptotic
quantity, our bounds on it and Riemann-Roch systems can be used to improve
results in these areas.
Comment: Accepted for publication in IEEE Transactions on Information Theory.
This is an extended version of our paper in Proceedings of 31st Annual IACR
CRYPTO, Santa Barbara, Ca., USA, 2011. The results in Sections 5 and 6 did
not appear in that paper. A first version of this paper has been widely
circulated since November 200
Improved Bounds on the Threshold Gap in Ramp Secret Sharing
In this paper we consider linear secret sharing schemes over a finite field F_q, where the secret is a vector in F_q^ℓ and each of the n shares is a single element of F_q. We obtain lower bounds on the so-called threshold gap g of such schemes, defined as the quantity r−t, where r is the smallest number such that any subset of r shares uniquely determines the secret and t is the largest number such that any subset of t shares provides no information about the secret. Our main result establishes a family of bounds which are tighter than previously known bounds for ℓ≥2. Furthermore, we also provide bounds, in terms of n and q, on the partial reconstruction and privacy thresholds, a more fine-grained notion that considers the amount of information about the secret that can be contained in a set of shares of a given size. Finally, we compare our lower bounds with known upper bounds in the asymptotic setting.
Danish Council for Independent Research (grant DFF-4002-00367), Ministerio de Economía, Industria y Competitividad (grants MTM2015-65764-C3-2-P / MTM2015-69138-REDT), RYC-2016-20208 (AEI/FSE/UE), Junta de Castilla y León (grant VA166G18
On Interactive Oracle Proofs for Boolean R1CS Statements
The framework of interactive oracle proofs (IOP) has been used with great success to construct a number of efficient transparent zk-SNARKs in recent years. However, these constructions are based on Reed-Solomon codes and can only be applied directly to statements given in the form of arithmetic circuits or R1CS over large fields since their soundness error is at least .
This motivates the question of what is the best way to apply these IOPs to statements that are naturally written as R1CS over small fields, and more concretely, the binary field . While one can just see the system as one over an extension field containing , this seems wasteful, as it uses bits to encode just one "information" bit. In fact, the recent BooLigero has devised a way to apply the well-known Ligero while being able to encode bits into one element of .
In this paper, we introduce a new protocol for -R1CS which, among other things, relies on a more efficient embedding which (for practical parameters) allows one to encode bits into an element of . Our protocol then makes black-box use of lincheck and rowcheck protocols for the larger field. Using the lincheck and rowcheck introduced in Aurora and Ligero respectively, we obtain smaller proofs for Aurora and for Ligero. We also estimate the reduction of prover time by a factor of for Aurora and between for Ligero without interactive repetitions.
Our methodology uses the notion of reverse multiplication friendly embeddings introduced in the area of secure multiparty computation, combined with a new IOPP to test linear statements modulo a subspace, which may be of independent interest.
Publicly Verifiable Secret Sharing over Class Groups and Applications to DKG and YOSO
Publicly Verifiable Secret Sharing (PVSS) allows a dealer to publish encrypted shares of a secret so that parties holding the corresponding decryption keys may later reconstruct it. Both dealing and reconstruction are non-interactive and any verifier can check their validity. PVSS finds applications in randomness beacons, distributed key generation (DKG) and in YOSO MPC (Gentry et al. CRYPTO'21), when endowed with suitable publicly verifiable re-sharing as in YOLO YOSO (Cascudo et al. ASIACRYPT'22).
We introduce a PVSS scheme over class groups that achieves similar efficiency to state-of-the-art schemes that only allow for reconstructing a function of the secret, while our scheme allows the reconstruction of the original secret. Our construction generalizes the DDH-based scheme of YOLO YOSO to operate over class groups, which poses technical challenges in adapting the necessary NIZKs in face of the unknown group order and the fact that efficient NIZKs of knowledge are not as simple to construct in this setting.
Building on our PVSS scheme's ability to recover the original secret, we propose two DKG protocols for discrete logarithm key pairs: a biasable 1-round protocol, which improves on the concrete communication/computational complexities of previous works; and a 2-round unbiasable protocol, which improves on the round complexity of previous works. We also add publicly verifiable resharing towards anonymous committees to our PVSS, so that it can be used to efficiently transfer state among committees in the YOSO setting. Together with a recent construction of MPC in the YOSO model based on class groups (Braun et al. CRYPTO'23), this results in the most efficient full realization (i.e., without assuming receiver anonymous channels) of YOSO MPC based on the CDN framework with transparent setup.
On Sigma-Protocols and (packed) Black-Box Secret Sharing Schemes
-protocols are a widely utilized, relatively simple and well understood type of zero-knowledge proof. However, the well-known Schnorr -protocol for proving knowledge of a discrete logarithm in a cyclic group of known prime order, and similar protocols working over this type of group, are hard to generalize to other groups, in particular hidden-order groups, due to the inability of the knowledge extractor to invert elements modulo the order.
In this paper, we introduce a universal construction of -protocols designed to prove knowledge of preimages of group homomorphisms for any abelian finite group. In order to do this, we first establish a general construction of a -protocol for -module homomorphism given only a linear secret sharing scheme over the ring , where zero knowledge and special soundness can be related to the privacy and reconstruction properties of the secret sharing scheme. Then, we introduce a new construction of 2-out-of- packed black-box secret sharing scheme capable of sharing elements of an arbitrary (abelian, finite) group where each share consists of group elements.
From these two elements we obtain a generic "batch" -protocol for proving knowledge of preimages of elements via the same group homomorphism, which communicates elements of the group to achieve knowledge error.
For the case of class groups, we show that our -protocol improves in several aspects on existing proofs for knowledge of discrete logarithm and other related statements that have been used in a number of works.
Finally, we extend our constructions from group homomorphisms to the case of ZK-ready functions, introduced by Cramer and Damgård in Crypto 09, which in particular include the case of proofs of knowledge of plaintext (and randomness) for some linearly homomorphic encryption schemes such as Joye-Libert encryption. However, in the case of Joye-Libert, we show an even better alternative, using Shamir secret sharing over Galois rings, which achieves knowledge soundness by communicating ciphertexts to prove statements.