Short, Invertible Elements in Partially Splitting Cyclotomic Rings - PowerPoint PPT Presentation

Short, Invertible Elements in Partially Splitting Cyclotomic Rings and Applications to Lattice-Based Zero-Knowledge Proofs Vadim Lyubashevsky Gregor Seiler IBM Research – Zurich April 30, 2018

Motivation: Lattice-Based Zero-Knowledge Proofs Want to prove knowledge of a short vector s ∈ R k such that � �� � � � A s = t where A ∈ R m × k , t ∈ R m are public

Motivation: Lattice-Based Zero-Knowledge Proofs Want to prove knowledge of a short vector s ∈ R k such that � �� � � � A s = t where A ∈ R m × k , t ∈ R m are public Unfortunately, we don’t know how to do this efficiently for a single equation

Approximate Proofs Prover: Verifier: w = Ay y ← S c c ← C z z = y + c s Az ? = w + c t

Approximate Proofs Prover: Verifier: w = Ay y ← S c c ← C z z = y + c s Az ? = w + c t Soundness: Subtracting equations for two different challenges gives approximate solution A¯ z = ¯ c t Need large challenge set for small soundness error

Approximate Proofs Prover: Verifier: w = Ay y ← S c c ← C z z = y + c s Az ? = w + c t Soundness: Subtracting equations for two different challenges gives approximate solution A¯ z = ¯ c t Need large challenge set for small soundness error Zero-knowledge: z becomes statistically independent of s through rejection sampling [Lyu09] Need small challenges for low rejection rate

Applications of Approximate Proofs Why is it useful to prove A¯ z = ¯ c t ?

Applications of Approximate Proofs Why is it useful to prove A¯ z = ¯ c t ? In Fiat-Shamir signatures: Approximate solution gives a SIS solution in rank +1 � � �� � ¯ z � A � − t = 0 � ¯ c �

More Applications More applications possible if ¯ c is invertible

More Applications More applications possible if ¯ c is invertible c − 1 ¯ c − 1 ¯ Caveat: If ¯ c is invertible, A ¯ z = t but we can not assume ¯ z to be short

More Applications More applications possible if ¯ c is invertible c − 1 ¯ c − 1 ¯ Caveat: If ¯ c is invertible, A ¯ z = t but we can not assume ¯ z to be short Commitment Schemes: Still binding [BDLPO16] Voting Schemes: Approximate proofs from the voters can be combined with exact amortized proofs from the authorities [PLNS17] Verifiable encryption [LN17]

The Optimal Challenge Set To summarize, we need a large set of small polynomials such that all differences of two elements are invertible; ideally C ⊂ { c ∈ R | � c � ∞ = 1 }

The Optimal Challenge Set To summarize, we need a large set of small polynomials such that all differences of two elements are invertible; ideally C ⊂ { c ∈ R | � c � ∞ = 1 } Goal: Prove that � ¯ c � ∞ ≤ 2 � c � ∞ = 2 = ⇒ ¯ c is invertible

Computational Setting We work in a cyclotomic ring modulo a prime number: R = Z q [ X ] / (Φ m ( X )) Φ m is the m -th cyclotomic polynomial of degree n = ϕ ( m )

Computational Setting We work in a cyclotomic ring modulo a prime number: R = Z q [ X ] / (Φ m ( X )) Φ m is the m -th cyclotomic polynomial of degree n = ϕ ( m ) In this talk only power-of-two cyclotomics R = Z q [ X ] / ( X n + 1)

Splitting of Primes Suppose X n + 1 factors modulo q as X n + 1 ≡ T 1 ( X ) . . . T k ( X ) (mod q ) Then, from the Chinese Remainder Theorem, R = Z q [ X ] / ( X n + 1) = Z q [ X ] / ( T 1 ( X )) × · · · × Z q [ X ] / ( T k ( X ))

Splitting of Primes Suppose X n + 1 factors modulo q as X n + 1 ≡ T 1 ( X ) . . . T k ( X ) (mod q ) Then, from the Chinese Remainder Theorem, R = Z q [ X ] / ( X n + 1) = Z q [ X ] / ( T 1 ( X )) × · · · × Z q [ X ] / ( T k ( X )) An element of R is invertible if and only if it is non-zero modulo all the factors of X n + 1

FFT-Multiplication Counting argument: Challenge sets can have at most q n / k elements, otherwise there is a collision modulo one of the factors of X n + 1 of degree n / k

FFT-Multiplication Counting argument: Challenge sets can have at most q n / k elements, otherwise there is a collision modulo one of the factors of X n + 1 of degree n / k We want to let X n + 1 split into as many factors as possible in order to take advantage of FFT-based multiplication

Main Result in the Power-of-Two Case Theorem Let 1 < k ≤ n be powers of two and q a prime number such that q ≡ 1 + 2 k (mod 4 k ) . Then k X n + 1 ≡ ( X n / k − r i ) � (mod q ) i =1 and any y ∈ R \ { 0 } is invertible if either 1 q 1 / k � y � ∞ < √ k or � y � 2 < q 1 / k

Main Result in the Power-of-Two Case Theorem Let 1 < k ≤ n be powers of two and q a prime number such that q ≡ 1 + 2 k (mod 4 k ) . Then k X n + 1 ≡ ( X n / k − r i ) � (mod q ) i =1 and any y ∈ R \ { 0 } is invertible if either 1 q 1 / k � y � ∞ < √ k or � y � 2 < q 1 / k √ n q 1 / k = 1 ⇒ � y � 2 < q 1 / k Note: � y � ∞ <

Interpretation Recall the infinity norm condition 1 q 1 / k = √ � y � ∞ < ⇒ y is invertible k

Interpretation Recall the infinity norm condition 1 q 1 / k = √ � y � ∞ < ⇒ y is invertible k For k = 8 and q > 2 20 1 q 1 / k > 2 √ k and all ¯ c are invertible since � ¯ c � ∞ ≤ 2 We can let X n + 1 split into 8 factors for standard parameters in zero-knowledge proof systems

Previous Works Previously two approaches: Challenges of degree < n k and consequently larger coefficients [BKLP15] Optimal challenge set but X n + 1 only splitting into two factors [LN17]

Proof Method for l2-Norm Suppose y ∈ R \ { 0 } is not invertible. Then it lies in an ideal lattice x ∈ Z [ X ] / ( X n + 1) (mod X n / k − r , q ) � x ≡ 0 � � � q =

Proof Method for l2-Norm Suppose y ∈ R \ { 0 } is not invertible. Then it lies in an ideal lattice x ∈ Z [ X ] / ( X n + 1) (mod X n / k − r , q ) � x ≡ 0 � � � q = This lattice has determinant det( q ) = q n / k and we have for the l2-length of the shortest non-zero vectors λ n 1 ≥ det( q ) = q n / k

Proof Method for l2-Norm Suppose y ∈ R \ { 0 } is not invertible. Then it lies in an ideal lattice x ∈ Z [ X ] / ( X n + 1) (mod X n / k − r , q ) � x ≡ 0 � � � q = This lattice has determinant det( q ) = q n / k and we have for the l2-length of the shortest non-zero vectors λ n 1 ≥ det( q ) = q n / k Hence, � y � 2 ≥ q 1 / k

Proof Idea for Infinity Norm Express y in basis over subring of degree k

Proof Idea for Infinity Norm Express y in basis over subring of degree k q splits completely in this subring

Proof Idea for Infinity Norm Express y in basis over subring of degree k q splits completely in this subring The reduction of y modulo X n / k − r is nonzero if coefficients evaluated at r are nonzero

Proof Idea for Infinity Norm Express y in basis over subring of degree k q splits completely in this subring The reduction of y modulo X n / k − r is nonzero if coefficients evaluated at r are nonzero It follows from analysis in the subring that this is the case

The General Case Cyclotomic polynomial also splits into binomial polynomials modulo certain primes Necessary to use the embedding norm Going from l2-norm to embedding norm introduces singular value of the Vandermonde matrix

The General Case Cyclotomic polynomial also splits into binomial polynomials modulo certain primes Necessary to use the embedding norm Going from l2-norm to embedding norm introduces singular value of the Vandermonde matrix Norm condition: 1 s 1 ( V z ) q 1 /ϕ ( z ) = � y � ∞ < ⇒ y is invertible

Vandermonde Matrix ζ k − 1 ζ 2   1 ζ 1 . . . 1 1 ζ 2 ζ k − 1 1 ζ 2 . . .   2 2 V z =  . . . .  . . . .   . . . .   ζ 2 ζ k − 1 1 ζ k . . . k k For prime power cyclotomics where z = p e �� z z even � 2 s 1 ( V z ) = τ ( z ) = √ z m odd

Vandermonde Matrix ζ k − 1 ζ 2   1 ζ 1 . . . 1 1 ζ 2 ζ k − 1 1 ζ 2 . . .   2 2 V z =  . . . .  . . . .   . . . .   ζ 2 ζ k − 1 1 ζ k . . . k k For prime power cyclotomics where z = p e �� z z even � 2 s 1 ( V z ) = τ ( z ) = √ z m odd We found experimentally for all cyclotomic rings relevant in practice � s 1 ( V z ) ≤ τ ( z ) We would be interested if someone knows if this true in general!

Questions?

Descending, Properly Suppose y ∈ R is not invertible. Write y ( X ) = y 0 ( X n / k ) + y 1 ( X n / k ) X + · · · + y n / k − 1 ( X n / k ) X n / k − 1

Descending, Properly Suppose y ∈ R is not invertible. Write y ( X ) = y 0 ( X n / k ) + y 1 ( X n / k ) X + · · · + y n / k − 1 ( X n / k ) X n / k − 1 By setting Y = X n / k it follows from y ≡ 0 (mod X n / k − r ) that y i ( Y ) ≡ 0 (mod Y − r )

Descending, Properly Suppose y ∈ R is not invertible. Write y ( X ) = y 0 ( X n / k ) + y 1 ( X n / k ) X + · · · + y n / k − 1 ( X n / k ) X n / k − 1 By setting Y = X n / k it follows from y ≡ 0 (mod X n / k − r ) that y i ( Y ) ≡ 0 (mod Y − r ) y i is a non-invertible element in a cyclotomic ring of degree k where q splits completely. Now, 1 1 q 1 / k � y � ∞ ≥ � y i � ∞ ≥ √ � y i � 2 ≥ √ k k