Short, Invertible Elements in Partially Splitting Cyclotomic Rings and Applications to Lattice-Based Zero-Knowledge Proofs

When constructing practical zero-knowledge proofs based on the hardness of the Ring-LWE or the Ring-SIS problems over polynomial rings $Z_p[X]/(X^n+1)$, it is often necessary that the challenges come from a set $\mathcal{C}$ that satisfies three properties: the set should be large (around $2^{256}$), the elements in it should have small norms, and all the non-zero elements in the difference set $\mathcal{C}-\mathcal{C}$ should be invertible. The first two properties are straightforward to satisfy, while the third one requires us to make efficiency compromises. We can either work over rings where the polynomial $X^n+1$ only splits into two irreducible factors modulo $p$, which makes the speed of the multiplication operation in the ring sub-optimal; or we can limit our challenge set to polynomials of smaller degree, which requires them to have (much) larger norms. In this work we show that one can use the optimal challenge sets $\mathcal{C}$ and still have the polynomial $X^n+1$ split into more than two factors. This comes as a direct application of our more general result that states that all non-zero polynomials with ``small\u27\u27 coefficients in the cyclotomic ring $Z_p[X]/(\Phi_m(X))$ are invertible (where ``small\u27\u27 depends on the size of $p$ and how many irreducible factors the $m^{th}$ cyclotomic polynomial $\Phi_m(X)$ splits into). We furthermore establish sufficient conditions for $p$ under which $\Phi_m(X)$ will split in such fashion. For the purposes of implementation, if the polynomial $X^n+1$ splits into $k$ factors, we can run FFT for $\log{k}$ levels until switching to Karatsuba multiplication. Experimentally, we show that increasing the number of levels from one to three or four results in a speedup by a factor of $\approx 2$ -- $3$. We point out that this improvement comes completely for free simply by choosing a modulus $p$ that has certain algebraic properties. In addition to the speed improvement, having the polynomial split into many factors has other applications -- e.g. when one embeds information into the Chinese Remainder representation of the ring elements, the more the polynomial splits, the more information one can embed into an element

A note on short invertible ring elements and applications to cyclotomic and trinomials number fields

Ring-SIS based $\Sigma$-protocols require a challenge set $\mathcal{C}$ in some ring $R$, usually an order in a number field $L$. These $\Sigma$-protocols impose various requirements on the subset $\mathcal{C}$, and finding a good, or even optimal, challenge set is a non-trivial task that involves making various trade-offs. Ring-SIS based $\Sigma$-protocols require a challenge set $\mathcal{C}$ in some ring $R$, usually an order in a number field $L$. These $\Sigma$-protocols impose various requirements on the subset $\mathcal{C}$, and finding a good, or even optimal, challenge set is a non-trivial task that involves making various trade-offs. In particular, (1) the set $\mathcal{C}$ should be `large', (2) elements in $\mathcal{C}$ should be `small', and (3) differences of distinct elements in $\mathcal{C}$ should be invertible modulo a rational prime $p$. Moreover, for efficiency purposes, it is desirable that (4) the prime $p$ is small, and that (5) it splits in many factors in the number field $L$. These requirements on $\mathcal{C}$ are subject to certain trade-offs, e.g., between the splitting behavior of the prime $p$ and its size. Lyubashevsky and Seiler (Eurocrypt 2018) have studied these trade-offs for subrings of cyclotomic number fields. Cyclotomic number fields possess convenient properties and as a result most Ring-SIS based protocols are defined over these specific fields. However, recent attacks have shown that, in certain protocols, these convenient properties can be exploited by adversaries, thereby weakening or even breaking the cryptographic protocols. In this work, we revisit the results of Lyubashevsky and Seiler and show that they follow from standard Galois theory, thereby simplifying their proofs. Subsequently, this approach leads to a natural generalization from cyclotomic to arbitrary number fields. We apply the generalized results to construct challenge sets in trinomial number fields of the form $\mathbb{Q}[X]/(f)$ with $f=X^n+aX^k+b \in \mathbb{Z}[X]$ irreducible. Along the way we prove a conjectured result on the practical applicability for cyclotomic number fields and prove the optimality of certain constructions. Finally, we find a new construction for challenge sets resulting in smaller prime sizes at the cost of slightly increasing the $\ell_2$-norm of the challenges

Lattice-Based Group Signatures and Zero-Knowledge Proofs of Automorphism Stability

We present a group signature scheme, based on the hardness of lattice problems, whose outputs are more than an order of magnitude smaller than the currently most efficient schemes in the literature. Since lattice-based schemes are also usually non-trivial to efficiently implement, we additionally provide the first experimental implementation of lattice-based group signatures demonstrating that our construction is indeed practical -- all operations take less than half a second on a standard laptop. A key component of our construction is a new zero-knowledge proof system for proving that a committed value belongs to a particular set of small size. The sets for which our proofs are applicable are exactly those that contain elements that remain stable under Galois automorphisms of the underlying cyclotomic number field of our lattice-based protocol. We believe that these proofs will find applications in other settings as well. The motivation of the new zero-knowledge proof in our construction is to allow the efficient use of the selectively-secure signature scheme (i.e. a signature scheme in which the adversary declares the forgery message before seeing the public key) of Agrawal et al. (Eurocrypt 2010) in constructions of lattice-based group signatures and other privacy protocols. For selectively-secure schemes to be meaningfully converted to standard signature schemes, it is crucial that the size of the message space is not too large. Using our zero-knowledge proofs, we can strategically pick small sets for which we can provide efficient zero-knowledge proofs of membership

On the Non-Existence of Short Vectors in Random Module Lattices

Recently, Lyubashevsky & Seiler (Eurocrypt 2018) showed that small polynomials in the cyclotomic ring $Z_q[X]/(X^n+1)$, where $n$ is a power of two, are invertible under special congruence conditions on prime modulus $q$. This result has been used to prove certain security properties of lattice-based constructions against unbounded adversaries. Unfortunately, due to the special conditions, working over the corresponding cyclotomic ring does not allow for efficient use of the Number Theoretic Transform (NTT) algorithm for fast multiplication of polynomials and hence, the schemes become less practical. In this paper, we present how to overcome this limitation by analysing zeroes in the Chinese Remainder (or NTT) representation of small polynomials. Concretely, we follow the proof techniques from Stehlé and Steinfeld (Eprint 2013/004) and provide upper bounds on the probabilities related to the (non)-existence of a short vector in a random module lattice with no assumptions on the prime modulus. Then, we apply these results, along with the generic framework by Kiltz et al. (Eurocrypt 2018), to a number of lattice-based Fiat-Shamir signatures so they can both enjoy tight security in the quantum random oracle model and support fast multiplication algorithms (at the cost of slightly larger public keys and signatures), such as the Bai-Galbraith signature scheme (CT-RSA 2014), Dilithium-QROM (Kiltz et al., Eurocrypt 2018) and qTESLA (Alkim et al., PQCrypto 2017). These techniques can also be applied to prove that recent commitment schemes by Baum et al. (SCN 2018) are statistically binding with no additional assumptions on $q$

Round-optimal Verifiable Oblivious Pseudorandom Functions from Ideal Lattices

timestamp: Fri, 07 May 2021 15:40:46 +0200 biburl: https://dblp.org/rec/conf/pkc/AlbrechtDDS21.bib bibsource: dblp computer science bibliography, https://dblp.orgstatus: publishe

Aggregating Falcon Signatures with LaBRADOR

Several prior works have suggested to use non-interactive arguments of knowledge with short proofs to aggregate signatures of Falcon, which is part of the first post-quantum signatures selected for standardization by NIST. Especially LaBRADOR, based on standard structured lattice assumptions and published at CRYPTO’23, seems promising to realize this task. However, no prior work has tackled this idea in a rigorous way. In this paper, we thoroughly prove how to aggregate Falcon signatures using LaBRADOR. First, we improve LaBRADOR by moving from a low-splitting to a high-splitting ring, allowing for faster computations. This modification leads to some additional technical challenges for proving the knowledge soundness of LaBRADOR. Moreover, we provide the first complete knowledge soundness analysis for the non-interactive version of LaBRADOR. Here, the multi-round and recursive nature of LaBRADOR requires a complex and thorough analysis. For this purpose, we introduce the notion of predicate special soundness (PSS). This is a general framework for evaluating the knowledge error of complex Fiat-Shamir arguments of knowledge protocols in a modular fashion, which we believe to be of independent interest. Lastly, we explain the exact steps to take in order to adapt the LaBRADOR proof system for aggregating Falcon signatures and provide concrete estimates for proof sizes. Additionally, we formalize the folklore approach of obtaining aggregate signatures from the class of hash-then-sign signatures through arguments of knowledge

Lattice-Based Succinct Arguments for NP with Polylogarithmic-Time Verification

Succinct arguments that rely on the Merkle-tree paradigm introduced by Kilian (STOC 92) suffer from larger proof sizes in practice due to the use of generic cryptographic primitives. In contrast, succinct arguments with the smallest proof sizes in practice exploit homomorphic commitments. However these latter are quantum insecure, unlike succinct arguments based on the Merkle-tree paradigm. A recent line of works seeks to address this limitation, by constructing quantum-safe succinct arguments that exploit lattice-based commitments. The eventual goal is smaller proof sizes than those achieved via the Merkle-tree paradigm. Alas, known constructions lack succinct verification. In this paper, we construct the first interactive argument system for NP with succinct verification that, departing from the Merkle-tree paradigm, exploits the homomorphic properties of lattice-based commitments. For an arithmetic circuit with N gates, our construction achieves verification time polylog(N) based on the hardness of the Ring Short-Integer-Solution (RSIS) problem. The core technique in our construction is a delegation protocol built from commitment schemes based on leveled bilinear modules, a new notion that we deem of independent interest. We show that leveled bilinear modules can be realized from pre-quantum and from post-quantum cryptographic assumptions

Practical product proofs for lattice commitments

We construct a practical lattice-based zero-knowledge argument for proving multiplicative relations between committed values. The underlying commitment scheme that we use is the currently most efficient one of Baum et al. (SCN 2018), and the size of our multiplicative proof (9 KB) is only slightly larger than the 7 KB required for just proving knowledge of the committed values. We additionally expand on the work of Lyubashevsky and Seiler (Eurocrypt 2018) by showing that the above-mentioned result can also apply when working over rings Zq[X]/(Xd+1) where Xd+1 splits into low-degree factors, which is a desirable property for many applications (e.g. range proofs, multiplications over

Improved Lattice-Based Mix-Nets for Electronic Voting

Mix-networks were first proposed by Chaum in the late 1970s -- early 1980s as a general tool for building anonymous communication systems. Classical mix-net implementations rely on standard public key primitives (e.g. ElGamal encryption) that will become vulnerable when a sufficiently powerful quantum computer will be built. Thus, there is a need to develop quantum-resistant mix-nets. This paper focuses on the application case of electronic voting where the number of votes to be mixed may reach hundreds of thousands or even millions. We propose an improved architecture for lattice-based post-quantum mix-nets featuring more efficient zero-knowledge proofs while maintaining established security assumptions. Our current implementation scales up to 100000 votes, still leaving a lot of room for future optimisation