5 research outputs found

    Short, Invertible Elements in Partially Splitting Cyclotomic Rings and Applications to Lattice-Based Zero-Knowledge Proofs

    When constructing practical zero-knowledge proofs based on the hardness of the Ring-LWE or the Ring-SIS problems over polynomial rings $Z_p[X]/(X^n+1)$, it is often necessary that the challenges come from a set $\mathcal{C}$ that satisfies three properties: the set should be large (around $2^{256}$), the elements in it should have small norms, and all the non-zero elements in the difference set $\mathcal{C}-\mathcal{C}$ should be invertible. The first two properties are straightforward to satisfy, while the third one requires us to make efficiency compromises. We can either work over rings where the polynomial $X^n+1$ only splits into two irreducible factors modulo $p$, which makes the speed of the multiplication operation in the ring sub-optimal; or we can limit our challenge set to polynomials of smaller degree, which requires them to have (much) larger norms. In this work we show that one can use the optimal challenge sets $\mathcal{C}$ and still have the polynomial $X^n+1$ split into more than two factors. This comes as a direct application of our more general result that states that all non-zero polynomials with "small" coefficients in the cyclotomic ring $Z_p[X]/(\Phi_m(X))$ are invertible (where "small" depends on the size of $p$ and how many irreducible factors the $m$-th cyclotomic polynomial $\Phi_m(X)$ splits into). We furthermore establish sufficient conditions for $p$ under which $\Phi_m(X)$ will split in such fashion. For the purposes of implementation, if the polynomial $X^n+1$ splits into $k$ factors, we can run FFT for $\log k$ levels until switching to Karatsuba multiplication. Experimentally, we show that increasing the number of levels from one to three or four results in a speedup by a factor of $\approx 2$ to $3$. We point out that this improvement comes completely for free simply by choosing a modulus $p$ that has certain algebraic properties.
    In addition to the speed improvement, having the polynomial split into many factors has other applications: e.g. when one embeds information into the Chinese Remainder representation of the ring elements, the more the polynomial splits, the more information one can embed into an element.
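The splitting condition, the partial CRT (the "FFT for log k levels") and the short-element invertibility bound that the abstract refers to, worked through as an added Python example. This is not code from the paper or its authors; it assumes the statement of the result for $n \ge k > 1$ powers of two, $p \equiv 2k+1 \pmod{4k}$ and the $\infty$-norm bound $p^{1/k}/\sqrt{k}$, and every parameter value in it ($n = 8$, $k = 4$, $p = 41$, the polynomial `bad`, $p = 281$) is constructed for illustration.

```python
"""Added example (not from the paper): splitting of X^n + 1 over Z_p into k factors
X^{n/k} - r_i, the partial CRT map onto those factors, and the invertibility
guarantee for short elements of R_p = Z_p[X]/(X^n + 1), n and k powers of two.

Assumed statement (Lyubashevsky-Seiler, EUROCRYPT 2018):
  * X^n + 1 = prod_{i<k} (X^{n/k} - r_i) mod p, each factor irreducible, when
    p = 2k+1 (mod 4k);
  * every y != 0 with ||y||_inf < p^{1/k} / sqrt(k) is then invertible in R_p.
All concrete parameters below are toy values chosen for illustration.
"""
import itertools
import math


def is_prime(p):
    return p >= 2 and all(p % q for q in range(2, math.isqrt(p) + 1))


def splits_into_k_factors(p, k):
    """Condition for X^n+1 to split into k irreducible factors X^{n/k} - r_i over Z_p."""
    return p % (4 * k) == 2 * k + 1


def roots_of_minus_one(p, k):
    """The k values r in Z_p with r^k = -1; these are the r_i of the factorisation."""
    return [r for r in range(1, p) if pow(r, k, p) == p - 1]


def reduce_mod(f, d, r, p):
    """f mod (X^d - r): fold coefficient of X^j onto X^{j mod d} times r^{j div d}.
    This is what log2(k) levels of NTT butterflies compute for each of the k factors."""
    out = [0] * d
    for j, c in enumerate(f):
        out[j % d] = (out[j % d] + c * pow(r, j // d, p)) % p
    return out


def crt_components(f, n, p, k):
    """Image of f under R_p -> prod_i Z_p[X]/(X^{n/k} - r_i)."""
    d = n // k
    return [reduce_mod(f, d, r, p) for r in roots_of_minus_one(p, k)]


def is_invertible(f, n, p, k):
    """Each Z_p[X]/(X^d - r_i) is a field, so f is a unit iff no component is zero."""
    return all(any(comp) for comp in crt_components(f, n, p, k))


def inf_norm_bound(p, k):
    """Short elements with ||y||_inf strictly below this value are guaranteed invertible."""
    return p ** (1 / k) / math.sqrt(k)


def all_short_elements_invertible(n, p, k, B):
    """Exhaustive check over every non-zero f with coefficients in [-B, B].
    Exponential in n: only meant for toy sizes."""
    for coeffs in itertools.product(range(-B, B + 1), repeat=n):
        if any(coeffs) and not is_invertible(list(coeffs), n, p, k):
            return False
    return True


def smallest_modulus(k, B):
    """Smallest prime p = 2k+1 (mod 4k) with B < p^{1/k}/sqrt(k), i.e. p > B^k * k^{k/2}
    (k a power of two, so k^{k/2} is an integer). With B = 2 this makes every non-zero
    difference of two challenges with ternary coefficients invertible."""
    p = B ** k * k ** (k // 2) + 1
    while not (is_prime(p) and splits_into_k_factors(p, k)):
        p += 1
    return p


if __name__ == "__main__":
    n, k, p = 8, 4, 41  # 41 = 9 (mod 16): X^8 + 1 = prod (X^2 - r_i) over Z_41
    print("r_i with r^4 = -1 mod 41:", roots_of_minus_one(p, k))
    print("bound p^(1/k)/sqrt(k):", round(inf_norm_bound(p, k), 3))
    print("all ternary f invertible:", all_short_elements_invertible(n, p, k, 1))
    # Just past the bound the guarantee no longer holds: X^6 + 2X^4 - X^2 - 1
    # (coefficients listed from X^0 upward) vanishes mod (X^2 - 3), since -1 - 3 + 18 + 27 = 41.
    bad = [-1, 0, -1, 0, 2, 0, 1, 0]
    print("first component of bad:", crt_components(bad, n, p, k)[0],
          "invertible mod 41:", is_invertible(bad, n, p, k))
    # Choosing p large enough for B = 2 (differences of ternary challenges) restores it.
    p2 = smallest_modulus(k, 2)
    print("smallest p for k=4, B=2:", p2, "bad invertible mod", p2, ":", is_invertible(bad, n, p2, k))
```

The point to take from the run: with $p = 41$ every polynomial with coefficients in $\{-1, 0, 1\}$ is a unit, but the difference of two such challenges can have a coefficient $2$ and then may fall into one of the $X^2 - r_i$ ideals; raising the modulus to $281$ (still $\equiv 9 \pmod{16}$, so still four factors) pushes the bound above $2$ without giving up any of the $\log_2 4 = 2$ NTT levels.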

    On ARX-like cipher systems based on different encodings of non-abelian regular 2-groups with a cyclic subgroup of index 2

    In most block cipher systems the key-mixing operations are described by transformations from the additive group (V_m, +) of the vector space over GF(2), the additive group (Z_{2^m}, +) of the residue ring Z_{2^m}, or a combination of the two. ARX-type cipher systems use transformations of three types at once, with the cyclic shift operation added. This paper discusses the possibility of using non-abelian groups for these purposes. We consider the permutation properties of non-abelian 2-groups with a cyclic subgroup of index 2, i.e. groups close to the permutation representation of (Z_{2^m}, +) and promising from the point of view of block cipher synthesis. To reduce the number of distinct groups used in one cipher system, it is reasonable to use, together with a group, its various variations (natural encodings of the elements, right and left regular representations). We describe the properties of the groups generated by such variations, including conditions for their imprimitivity and for their coincidence with the symmetric group. For developing techniques for building and analysing new symmetric-key block ciphers, we study the group properties of m-bit ARX-like ciphers based on the regular group generated by the cycle (0, 1, ..., 2^m − 1) and on different encodings of permutation representations of non-abelian 2-groups with a cyclic subgroup of index 2. There are exactly four isomorphism classes of such groups: the dihedral group D_{2^m}, the generalized quaternion group Q_{2^m}, the quasidihedral group SD_{2^m} and the modular maximal-cyclic group M_{2^m}.
    For these groups we obtain imprimitivity criteria and give conditions on the encodings under which the group of the ARX-like cipher equals the symmetric group S_{2^m}. We also provide examples of three natural encodings and their group properties.

    Post-quantum lattice-based electronic voting with multiple candidates

    In recent years many efficient lattice-based cryptographic schemes have appeared, among which (fully) homomorphic encryption and multi-party computation protocols deserve mention. Such lattice-based schemes are interesting because they are resistant to attacks by a quantum computer. In this paper an electronic voting scheme is implemented that efficiently supports multiple candidates to vote for. Two voting options are possible: a vote for a single candidate, or votes for any subset of the candidates. The scheme has multiple authorities, and vote privacy is preserved as long as at least one authority remains honest.
    The scheme is aimed at vote privacy and verifiability of the results; other commonly considered security properties of electronic voting are covered by assumptions, e.g. that each authority has the public keys of all admitted voters. The scheme is built on zero-knowledge proofs and an additively homomorphic commitment scheme. Thanks to the zero-knowledge proofs, any participant of the scheme can verify the voting results.

    Accountable Tracing Signatures from Lattices

    Group signatures allow users of a group to sign messages anonymously in the name of the group, while incorporating a tracing mechanism to revoke anonymity and identify the signer of any message. Since their introduction by Chaum and van Heyst (EUROCRYPT 1991), numerous proposals have been put forward, yielding various improvements in security, efficiency and functionality. However, a drawback of traditional group signatures is that the opening authority is given too much power: it can indiscriminately revoke anonymity, and there is no mechanism to keep it accountable. To overcome this problem, Kohlweiss and Miers (PoPETs 2015) introduced the notion of accountable tracing signatures (ATS), an enhanced group signature variant in which the opening authority is kept accountable for its actions. Kohlweiss and Miers demonstrated a generic construction of ATS and put forward a concrete instantiation based on number-theoretic assumptions. To the best of our knowledge, no other ATS scheme has been known, and the problem of instantiating ATS under post-quantum assumptions, e.g., lattices, remains open to date. In this work, we provide the first lattice-based accountable tracing signature scheme. The scheme satisfies the security requirements suggested by Kohlweiss and Miers, assuming the hardness of the Ring Short Integer Solution (RSIS) and the Ring Learning With Errors (RLWE) problems. At the heart of our construction are a lattice-based key-oblivious encryption scheme and a zero-knowledge argument system that allows one to prove that a given ciphertext is a valid RLWE encryption under some hidden yet certified key. These technical building blocks may be of independent interest, e.g., they can be useful for the design of other lattice-based privacy-preserving protocols.
    Comment: CT-RSA 201