16 research outputs found

    Compressed Sigma-Protocols for bilinear circuits and applications to logarithmic-sized transparent Threshold Signature Schemes

    Recently, there has been a great development in communication-efficient zero-knowledge (ZK) protocols for arithmetic circuit relations. Since any relation can be translated into an arithmetic circuit relation, these primitives are extremely powerful and widely applied. However, this translation often comes at the cost of losing conceptual simplicity and modularity in cryptographic protocol design. For this reason, Lai et al. (CCS 2019) show how Bulletproof’s communication-efficient circuit zero-knowledge protocol (Bootle et al., EUROCRYPT 2016 and Bünz et al., S&P 2018) can be generalized to work for bilinear group arithmetic circuits directly, without requiring these circuits to be translated into arithmetic circuits. For many natural relations their approach is actually more efficient than the indirect circuit ZK approach. We take a different approach and show that the arithmetic circuit model can be generalized to any circuit model in which (a) all wires take values in (possibly different) Z_q-modules and (b) all gates have fan-in 2 and are either linear or bilinear mappings. We follow a straightforward generalization of Compressed Σ-Protocol Theory (CRYPTO 2020). We compress the communication complexity of a basic Σ-protocol for proving linear statements down to logarithmic. Then, we describe a linearization strategy to handle non-linearities. Besides its conceptual simplicity, our approach also has practical advantages; we reduce the constant of the logarithmic component in the communication complexity of the CCS 2019 approach from 16 down to 6 and that of the linear component from 3 down to 1. Moreover, the generalized commitment scheme required for bilinear circuit relations is also advantageous to standard arithmetic circuit ZK protocols, since its application immediately results in a square root reduction of public parameter size.
The implications of this improvement can be significant, because many application scenarios result in very large sets of public parameters. As an application of our compressed protocol for proving linear statements, we construct the first k-out-of-n threshold signature scheme (TSS) with both transparent setup and threshold signatures of size O(κ log(n)) bits for security parameter κ. Each individual signature is of a so-called BLS type, the threshold signature hides the identities of the k signers, and the threshold k can be dynamically chosen at aggregation time. Prior TSSs either result in sub-linear size signatures at the cost of requiring a trusted setup, or the cost of the transparent setup amounts to linear (in k) size signatures.

    Brief announcement: Malicious security comes for free in consensus with leaders

    We consider consensus protocols in the model that is most commonly considered for use in state machine replication, as initiated by Dwork-Lynch-Stockmeyer, then by Castro-Liskov in 1999 with "PBFT." Such protocols guarantee, assuming n players out of which t < n/3 are maliciously corrupted, that the honest players output the same valid value within a finite number of messages, after the (unknown) point in time where both: the network becomes synchronous, and a designated player (the leader) is honest. The state of the art (Hotstuff, PODC'19) achieves linear communication complexity, but at the cost of additional latency, due to one more round-trip with the leader. Furthermore, it relies on constant-size threshold signature schemes (TSS), for which all prior-known constructions require a costly interactive (or trusted) setup. We remove all of these limitations. The communication bottleneck of PBFT lies in the subprotocol, denoted as "view change," in which the leader forwards 2t+1 signed messages to each player. Then, each player checks that these 2t+1 messages satisfy some predicate, which we denote "non-supermajority". We replace this with a responsive subprotocol, with linear communication complexity, that enables players to check this predicate. Its construction is elementary, since it requires only black-box use of any TSS. In the full version of our paper [malicious2] we achieve three things. Firstly, we further optimize this subprotocol from succinct arguments of many signed messages, which we instantiate from Attema-Cramer-Rambaud [ACR20, 2021-3-9 version]. As an introduction to these methods, we discuss here the simplest case, which is the construction in [ACR20] of the first logarithmic-sized TSS with transparent setup. Second, we also address another complexity challenge pointed out in Hotstuff, namely, that protocols with fast termination in favorable runs have so far had quadratic complexity, due to an even more complex view change.
Third, we enable halting in finite time with (amortized) linear complexity, which was an unsolved question so far when external validity is required.

    Asymptotically Good Multiplicative LSSS over Galois Rings and Applications to MPC over Z/p^kZ

    We study information-theoretic multiparty computation (MPC) protocols over rings Z/p^kZ that have good asymptotic communication complexity for a large number of players. An important ingredient for such protocols is arithmetic secret sharing, i.e., linear secret-sharing schemes with multiplicative properties. The standard way to obtain these over fields is with a family of linear codes C, such that C, C⊥ and C^2 are asymptotically good (strongly multiplicative). For our purposes here it suffices if the square code C^2 is not the whole space, i.e., has codimension at least 1 (multiplicative). Our approach is to lift such a family of codes defined over a finite field F to a Galois ring, which is a local ring that has F as its residue field and that contains Z/p^kZ as a subring, and thus enables arithmetic that is compatible with both structures. Although arbitrary lifts preserve the distance and dual distance of a code, as we demonstrate with a counterexample, the multiplicative property is not preserved. We work around this issue by showing a dedicated lift that preserves self-orthogonality (as well as distance and dual distance), for p ≥ 3. Self-orthogonal codes are multiplicative, therefore we can use existing results on asymptotically good self-dual codes over fields to obtain arithmetic secret sharing over Galois rings. For p = 2 we obtain multiplicativity by using existing techniques of secret sharing using both C and C⊥, incurring a constant overhead. As a result, we obtain asymptotically good arithmetic secret-sharing schemes over Galois rings. With these schemes in hand, we extend existing field-based MPC protocols to obtain MPC over Z/p^kZ, in the setting of a submaximal adversary corrupting less than a fraction 1/2 - ε of the players, where ε > 0 is arbitrarily small. We consider 3 different corruption models. For passive and active security with abort, our protocols communicate O(n) bits per multiplication.
For full security with guaranteed output delivery we use a preprocessing model and get O(n) bits per multiplication in the online phase and O(n log n) bits per multiplication in the offline phase. Thus, we obtain true linear bit complexities, without the common assumption that the ring size depends on the number of players.

    Asymptotically-good arithmetic secret sharing over Z/p^ℓZ with strong multiplication and its applications to efficient MPC

    This paper studies information-theoretically secure multiparty computation (MPC) over rings Z/p^ℓZ. In the work of [Abs+19a, TCC’19], a protocol based on Shamir secret sharing over Z/p^ℓZ was presented. As in the field case, its limitation is that the share size grows as the number of players increases. Then several MPC protocols were developed in [Abs+20, Asiacrypt’20] to overcome this limitation. However, (i) their offline multiplication gate has super-linear communication complexity in the number of players; (ii) the share size is doubled for the most important case, namely over Z/2^ℓZ, due to the infeasible lifting of self-orthogonal codes from fields to rings; (iii) most importantly, the BGW model could not be applied via the secret sharing given in [Abs+20, Asiacrypt’20] due to the lack of strong multiplication. In this paper we overcome all the drawbacks mentioned above. Of independent interest, we establish an arithmetic secret sharing with strong multiplication, which is the most important primitive in the BGW model. Incidentally, our solution to (i) has some advantages over the concurrent one of [PS21, EC’21], since it is direct, is only one page long, and furthermore carries over to Z/p^ℓZ. Finally, we lift Reverse Multiplication Friendly Embeddings (RMFE) from fields to rings, with the same (linear) complexity. Note that RMFE has become a standard technique for communication complexity in MPC in the regime over many instances of the same circuit, as in [Cas+18, Crypto’18] and [DLN19, Crypto’19]. We thus recover the same amortized complexity of MPC over Z/2^ℓZ as over fields. To obtain our theoretical results, we use the existence of lifts of curves over rings, then use the known results stating that Riemann-Roch spaces are free modules. To make our scheme practical, we start from good algebraic geometry codes over finite fields obtained from existing computational techniques.
Then we present, and implement, an efficient algorithm to Hensel-lift the generating matrix of the code, such that the multiplicative conditions are preserved over rings. On the other hand, a random lifting of codes over rings does not preserve multiplicativity in general. Finally we provide efficient methods for sharing and reconstruction over rings.

    Compressed Σ-Protocols for bilinear group arithmetic circuits and application to logarithmic transparent threshold signatures

    Lai et al. (CCS 2019) have shown how Bulletproof’s arithmetic circuit zero-knowledge protocol (Bootle et al., EUROCRYPT 2016 and Bünz et al., S&P 2018) can be generalized to work for bilinear group arithmetic circuits directly, i.e., without requiring these circuits to be translated into arithmetic circuits. In a nutshell, a bilinear group arithmetic circuit is a standard arithmetic circuit augmented with special gates capturing group exponentiations or pairings. Such circuits are highly relevant, e.g., in the context of zero-knowledge statements over pairing-based languages. As expressing these special gates in terms of a standard arithmetic circuit results in a significant overhead in circuit size, an approach to zero-knowledge via standard arithmetic circuits may incur substantial additional costs. The approach due to Lai et al. shows how to avoid this by integrating additional zero-knowledge techniques into the Bulletproof framework so as to handle the special gates very efficiently. We take a different approach by generalizing Compressed Σ-Protocol Theory (CRYPTO 2020) from arithmetic circuit relations to bilinear group arithmetic circuit relations. Besides its conceptual simplicity, our approach has the practical advantage of reducing the communication costs of Lai et al.’s protocol by roughly a multiplicative factor of 3. Finally, we show an application of our results which may be of independent interest. We construct the first k-out-of-n threshold signature scheme (TSS) that allows for transparent setup and that yields threshold signatures of size logarithmic in n. The threshold signature hides the identities of the k signers and the threshold k can be dynamically chosen at aggregation time.

    Optical modelling and analysis of the Q and U bolometric interferometer for cosmology

    Remnant radiation from the early universe, known as the Cosmic Microwave Background (CMB), has been redshifted and cooled, and today has a blackbody spectrum peaking at millimetre wavelengths. The QUBIC (Q&U Bolometric Interferometer for Cosmology) instrument is designed to map the very faint polarisation structure in the CMB. QUBIC is based on the novel concept of bolometric interferometry in conjunction with synthetic imaging. It will have a large array of input feedhorns, which creates a large number of interferometric baselines. The beam from each feedhorn is passed through an optical combiner, with an off-axis compensated Gregorian design, to allow the generation of the synthetic image. The optical combiner will operate in two frequency bands (150 and 220 GHz with 25% and 18.2% bandwidth respectively) while cryogenically cooled TES bolometers provide the sensitivity required at the image plane. The QUBIC Technical Demonstrator (TD), a proof-of-technology instrument that contains 64 input feed-horns, is currently being built and will be installed in the Alto Chorrillos region of Argentina. The plan is then for the full QUBIC instrument (400 feed-horns) to be deployed in Argentina and obtain cosmologically significant results. In this paper we will examine the output of the manufactured feed-horns in comparison to the nominal design. We will show the results of optical modelling that has been performed in anticipation of alignment and calibration of the TD in Paris, in particular testing the validity of real laboratory environments. We show the output of large calibrator sources (50° full width half max Gaussian beams) and the importance of accurate mirror definitions when modelling large beams. Finally we describe the tolerance on errors of the position and orientation of mirrors in the optical combiner.

    Thermal architecture for the QUBIC cryogenic receiver

    QUBIC, the QU Bolometric Interferometer for Cosmology, is a novel forthcoming instrument to measure the B-mode polarization anisotropy of the Cosmic Microwave Background. The detection of the B-mode signal will be extremely challenging; QUBIC has been designed to address this with a novel approach, namely bolometric interferometry. The receiver cryostat is exceptionally large and cools complex optical and detector stages to 40 K, 4 K, 1 K and 350 mK using two pulse tube coolers, a novel ⁴He sorption cooler and a double-stage ³He/⁴He sorption cooler. We discuss the thermal and mechanical design of the cryostat, modelling and thermal analysis, and laboratory cryogenic testing.

    QUBIC: the Q and U bolometric interferometer for cosmology

    QUBIC, the Q & U Bolometric Interferometer for Cosmology, is a novel ground-based instrument that has been designed to measure the extremely faint B-mode polarisation anisotropy of the cosmic microwave background at intermediate angular scales (multipoles o

    Simulations and performance of the QUBIC optical beam combiner

    QUBIC, the Q & U Bolometric Interferometer for Cosmology, is a novel ground-based instrument that aims to measure the extremely faint B-mode polarisation anisotropy of the cosmic microwave background at intermediate angular scales (multipoles o

    Performance of NbSi transition-edge sensors readout with a 128 MUX factor for the QUBIC experiment

    QUBIC (the Q and U Bolometric Interferometer for Cosmology) is a ground-based experiment which seeks to improve the current constraints on the amplitude of primordial gravitational waves. It exploits the unique technique, among Cosmic Microwave Background experiments, of bolometric interferometry, combining the sensitivity of bolometric detectors with the control of systematic effects typical of interferometers. QUBIC will perform sky observations in polarization, in two frequency bands centered at 150 and 220 GHz, with two kilo-pixel focal plane arrays of NbSi Transition-Edge Sensors (TES) cooled down to 350 mK. A subset of the QUBIC instrument, the so-called QUBIC Technological Demonstrator (TD), with a reduced number of detectors with respect to the full instrument, will be deployed and commissioned before the end of 2018. The voltage-biased TES are read out with Time Domain Multiplexing and an unprecedented multiplexing (MUX) factor equal to 128. This MUX factor is reached with two-stage multiplexing: a traditional one exploiting Superconducting QUantum Interference Devices (SQUIDs) at 1 K and a novel SiGe Application-Specific Integrated Circuit (ASIC) at 60 K. The former provides a MUX factor of 32, while the latter provides a further 4. Each TES array is composed of 256 detectors and read out with four modules of 32 SQUIDs and two ASICs. A custom software synchronizes and manages the readout and detector operation, while the TES are sampled at 780 Hz (100 kHz / 128 MUX rate). In this work we present the experimental characterization of the QUBIC TES arrays and their multiplexing readout chain, including time constant, critical temperature, and noise properties.