Short, Invertible Elements in Partially Splitting Cyclotomic Rings - - PowerPoint PPT Presentation

Short, Invertible Elements in Partially Splitting Cyclotomic Rings and Applications to Lattice-Based Zero-Knowledge Proofs

Vadim Lyubashevsky Gregor Seiler

IBM Research – Zurich

April 30, 2018

Motivation: Lattice-Based Zero-Knowledge Proofs

Want to prove knowledge of a short vector s ∈ Rk such that

• A
• s
• =
• t
• where A ∈ Rm×k, t ∈ Rm are public

Motivation: Lattice-Based Zero-Knowledge Proofs

Want to prove knowledge of a short vector s ∈ Rk such that

• A
• s
• =
• t
• where A ∈ Rm×k, t ∈ Rm are public

Unfortunately, we don’t know how to do this efficiently for a single equation

Approximate Proofs

Prover: Verifier: y ← S w = Ay c ← C c z = y + cs z Az ? = w + ct

Approximate Proofs

Prover: Verifier: y ← S w = Ay c ← C c z = y + cs z Az ? = w + ct Soundness: Subtracting equations for two different challenges gives approximate solution A¯ z = ¯ ct Need large challenge set for small soundness error

Approximate Proofs

Prover: Verifier: y ← S w = Ay c ← C c z = y + cs z Az ? = w + ct Soundness: Subtracting equations for two different challenges gives approximate solution A¯ z = ¯ ct Need large challenge set for small soundness error Zero-knowledge: z becomes statistically independent of s through rejection sampling [Lyu09] Need small challenges for low rejection rate

Applications of Approximate Proofs

Why is it useful to prove A¯ z = ¯ ct?

Applications of Approximate Proofs

Why is it useful to prove A¯ z = ¯ ct? In Fiat-Shamir signatures: Approximate solution gives a SIS solution in rank +1

• A
• − t
• ¯

z ¯ c

• = 0

More Applications

More applications possible if ¯ c is invertible

More Applications

More applications possible if ¯ c is invertible Caveat: If ¯ c is invertible, A¯ c−1¯ z = t but we can not assume ¯ c−1¯ z to be short

More Applications

More applications possible if ¯ c is invertible Caveat: If ¯ c is invertible, A¯ c−1¯ z = t but we can not assume ¯ c−1¯ z to be short Commitment Schemes: Still binding [BDLPO16] Voting Schemes: Approximate proofs from the voters can be combined with exact amortized proofs from the authorities [PLNS17] Verifiable encryption [LN17]

The Optimal Challenge Set

To summarize, we need a large set of small polynomials such that all differences of two elements are invertible; ideally C ⊂ {c ∈ R | c∞ = 1}

The Optimal Challenge Set

To summarize, we need a large set of small polynomials such that all differences of two elements are invertible; ideally C ⊂ {c ∈ R | c∞ = 1} Goal: Prove that ¯ c∞ ≤ 2c∞ = 2 = ⇒ ¯ c is invertible

Computational Setting

We work in a cyclotomic ring modulo a prime number: R = Zq[X]/(Φm(X)) Φm is the m-th cyclotomic polynomial of degree n = ϕ(m)

Computational Setting

We work in a cyclotomic ring modulo a prime number: R = Zq[X]/(Φm(X)) Φm is the m-th cyclotomic polynomial of degree n = ϕ(m) In this talk only power-of-two cyclotomics R = Zq[X]/(X n + 1)

Splitting of Primes

Suppose X n + 1 factors modulo q as X n + 1 ≡ T1(X) . . . Tk(X) (mod q) Then, from the Chinese Remainder Theorem, R = Zq[X]/(X n + 1) = Zq[X]/(T1(X)) × · · · × Zq[X]/(Tk(X))

Splitting of Primes

Suppose X n + 1 factors modulo q as X n + 1 ≡ T1(X) . . . Tk(X) (mod q) Then, from the Chinese Remainder Theorem, R = Zq[X]/(X n + 1) = Zq[X]/(T1(X)) × · · · × Zq[X]/(Tk(X)) An element of R is invertible if and only if it is non-zero modulo all the factors of X n + 1

FFT-Multiplication

Counting argument: Challenge sets can have at most qn/k elements, otherwise there is a collision modulo one of the factors of X n + 1 of degree n/k

FFT-Multiplication

Counting argument: Challenge sets can have at most qn/k elements, otherwise there is a collision modulo one of the factors of X n + 1 of degree n/k We want to let X n + 1 split into as many factors as possible in order to take advantage

• f FFT-based multiplication

Main Result in the Power-of-Two Case

Theorem Let 1 < k ≤ n be powers of two and q a prime number such that q ≡ 1 + 2k (mod 4k). Then X n + 1 ≡

k

• i=1

(X n/k − ri) (mod q) and any y ∈ R \ {0} is invertible if either y∞ < 1 √ k q1/k

• r

y2 < q1/k

Main Result in the Power-of-Two Case

Theorem Let 1 < k ≤ n be powers of two and q a prime number such that q ≡ 1 + 2k (mod 4k). Then X n + 1 ≡

k

• i=1

(X n/k − ri) (mod q) and any y ∈ R \ {0} is invertible if either y∞ < 1 √ k q1/k

• r

y2 < q1/k Note: y∞ <

1 √nq1/k =

⇒ y2 < q1/k

Interpretation

Recall the infinity norm condition y∞ < 1 √ k q1/k = ⇒ y is invertible

Interpretation

Recall the infinity norm condition y∞ < 1 √ k q1/k = ⇒ y is invertible For k = 8 and q > 220 1 √ k q1/k > 2 and all ¯ c are invertible since ¯ c∞ ≤ 2 We can let X n + 1 split into 8 factors for standard parameters in zero-knowledge proof systems

Previous Works

Previously two approaches: Challenges of degree < n

k and consequently larger coefficients [BKLP15]

Optimal challenge set but X n + 1 only splitting into two factors [LN17]

Proof Method for l2-Norm

Suppose y ∈ R \ {0} is not invertible. Then it lies in an ideal lattice q =

• x ∈ Z[X]/(X n + 1)
• x ≡ 0

(mod X n/k − r, q)

Proof Method for l2-Norm

Suppose y ∈ R \ {0} is not invertible. Then it lies in an ideal lattice q =

• x ∈ Z[X]/(X n + 1)
• x ≡ 0

(mod X n/k − r, q)

• This lattice has determinant det(q) = qn/k and we have for the l2-length of the shortest

non-zero vectors λn

1 ≥ det(q) = qn/k

Proof Method for l2-Norm

Suppose y ∈ R \ {0} is not invertible. Then it lies in an ideal lattice q =

• x ∈ Z[X]/(X n + 1)
• x ≡ 0

(mod X n/k − r, q)

• This lattice has determinant det(q) = qn/k and we have for the l2-length of the shortest

non-zero vectors λn

1 ≥ det(q) = qn/k

Hence, y2 ≥ q1/k

Proof Idea for Infinity Norm

Express y in basis over subring of degree k

Proof Idea for Infinity Norm

Express y in basis over subring of degree k q splits completely in this subring

Proof Idea for Infinity Norm

Express y in basis over subring of degree k q splits completely in this subring The reduction of y modulo X n/k − r is nonzero if coefficients evaluated at r are nonzero

Proof Idea for Infinity Norm

Express y in basis over subring of degree k q splits completely in this subring The reduction of y modulo X n/k − r is nonzero if coefficients evaluated at r are nonzero It follows from analysis in the subring that this is the case

The General Case

Cyclotomic polynomial also splits into binomial polynomials modulo certain primes Necessary to use the embedding norm Going from l2-norm to embedding norm introduces singular value of the Vandermonde matrix

The General Case

Cyclotomic polynomial also splits into binomial polynomials modulo certain primes Necessary to use the embedding norm Going from l2-norm to embedding norm introduces singular value of the Vandermonde matrix Norm condition: y∞ < 1 s1(Vz)q1/ϕ(z) = ⇒ y is invertible

Vandermonde Matrix

Vz =      1 ζ1 ζ2

1

. . . ζk−1

1

1 ζ2 ζ2

2

. . . ζk−1

2

. . . . . . . . . . . . 1 ζk ζ2

k

. . . ζk−1

k

     For prime power cyclotomics where z = pe s1(Vz) =

• τ(z) =

z

2

z even √z m odd

Vandermonde Matrix

Vz =      1 ζ1 ζ2

1

. . . ζk−1

1

1 ζ2 ζ2

2

. . . ζk−1

2

. . . . . . . . . . . . 1 ζk ζ2

k

. . . ζk−1

k

     For prime power cyclotomics where z = pe s1(Vz) =

• τ(z) =

z

2

z even √z m odd We found experimentally for all cyclotomic rings relevant in practice s1(Vz) ≤

• τ(z)

We would be interested if someone knows if this true in general!

Questions?

Descending, Properly

Suppose y ∈ R is not invertible. Write y(X) = y0(X n/k) + y1(X n/k)X + · · · + yn/k−1(X n/k)X n/k−1

Descending, Properly

Suppose y ∈ R is not invertible. Write y(X) = y0(X n/k) + y1(X n/k)X + · · · + yn/k−1(X n/k)X n/k−1 By setting Y = X n/k it follows from y ≡ 0 (mod X n/k − r) that yi(Y ) ≡ 0 (mod Y − r)

Descending, Properly

Suppose y ∈ R is not invertible. Write y(X) = y0(X n/k) + y1(X n/k)X + · · · + yn/k−1(X n/k)X n/k−1 By setting Y = X n/k it follows from y ≡ 0 (mod X n/k − r) that yi(Y ) ≡ 0 (mod Y − r) yi is a non-invertible element in a cyclotomic ring of degree k where q splits completely. Now, y∞ ≥ yi∞ ≥ 1 √ k yi2 ≥ 1 √ k q1/k

Main Result

Theorem Let m =

i pei i

and z =

i pfi i with 1 ≤ fi ≤ ei. Let q be a prime number such that

q ≡ 1 (mod z) and ordm(q) = m/z. Then Φm factors as Φm(X) ≡

ϕ(z)

• i=1

(X m/z − ri) (mod q) and any y ∈ R is invertible if either y∞ < 1 s1(z)q1/ϕ(z)

• r

y2 < √n s1(m)q1/ϕ(z)

Counting Argument

Challenge sets can have at most qn/k elements, otherwise there is a collision modulo one

• f the factors of X n + 1

Counting Argument

Challenge sets can have at most qn/k elements, otherwise there is a collision modulo one

• f the factors of X n + 1

There are 3n polynomials c such that c∞ ≤ 1. Therefore we must have q1/k ≥ 3