diff --git a/chap-ZK.tex b/chap-ZK.tex index 38efa4c..e3c937d 100644 --- a/chap-ZK.tex +++ b/chap-ZK.tex @@ -188,7 +188,7 @@ For the sake of completeness, we can also mention $\NIZK$ in the standard model, \label{fig:schnorr-dlog} \end{figure} -Schnorr's methodology to construct proofs are based on the $\Sigma$-protocol technique to design zero-knowledge proofs. +Schnorr's methodology to construct proofs is based on the $\Sigma$-protocol technique to design zero-knowledge proofs. It has been introduced in order to prove the knowledge of a discrete logarithm (which can bee seen at the relation $R_{\mathsf{dlog}} = \{ (h, a) \in \GG \times \ZZ_p \mid h = g^a \}$ with $\GG = \langle g \rangle$ be a cyclic group of prime order $p\geq 2$) and is described in Figure~\ref{fig:schnorr-dlog}. This methodology can be interpreted as follows. Given a commitment scheme $(\Setup, \Commit, \Verify)$, where the randomness $r$ used in $\Commit$ is made explicit, the first move of the prover $P$ consists in fixing the randomness used in the commitment scheme $r$ \emph{via} $\rho$, then the verifier asks the prover to commit to a challenge message $c$ using the randomness carried by $\rho$, and the prover sends the opening for this commitment $\open$. Finally, the verifier accepts if and only if $\Verify(\param, \com, \open, c) = 1$. 
@@ -197,7 +197,10 @@ In the protocol described in Figure~\ref{fig:schnorr-dlog}, the underlying commi Given its effiency, Schnorr's protocol is used along with Fiat-Shamir heuristic in the pairing-based group signature described in~\cref{ch:sigmasig}. -This methodology has also been adapted in the ideal lattice-setting by Lyubashevsky~\cite{Lyu08, Lyu09} along with a technique called \textit{rejection sampling} in order to construct zero-knowledge proofs from ideal lattice assumptions and is described in Figure~\ref{fig:schnorr-lwe}. In this description $D_y$ and $D_c$ are the distributions from which $\mathbf y_1, \mathbf y_2$ and $\mathbf c$ have to be sampled respectively, and $G$ describes the set of \textit{good} responses $\mathbf z_1, \mathbf z_2$ in order not to leak informations about $\mathbf s_1, \mathbf s_2$. +This methodology has also been adapted in the ideal lattice-setting by Lyubashevsky~\cite{Lyu08, Lyu09} along with a technique called \textit{rejection sampling} in order to construct zero-knowledge proofs from ideal lattice assumptions and is described in Figure~\ref{fig:schnorr-lwe}. +In this description $D_y$ and $D_c$ are the distributions from which $\mathbf y_1, \mathbf y_2$ and $\mathbf c$ have to be sampled respectively, and $G$ describes the set of \textit{good} responses $\mathbf z_1, \mathbf z_2$ in order not to leak informations about $\mathbf s_1, \mathbf s_2$. +The part under square braces is called the \textit{rejection} phase, and ensure that the transmitted $\mathbf z_1, \mathbf z_2$ will not leak any information about $\mathbf s_1, \mathbf s_2$ to V. +This part induced a noticeable error-rate where the prover aborts the proof. As the protocol is proven \textit{witness indistinguishable}~\cite{Lyu09}, one can run the protocol multiple times in parallel and hope that one of them will not abort~\cite{FS90}. 
\begin{figure} \textbf{Common input:} A public element $\mathbf a \in R$ where $R = \ZZ_p[\mathbf x]/\langle \mathbf x^n + 1 \rangle$. 
@@ -230,15 +233,9 @@ One can notice that this is not \textit{stricly} a $\Sigma$-protocol as the know However, this method suffers from \textit{expressivity} issues: the relations that can be proved with this proof system are limited to be knowledge of a Ring-SIS secret, which is not sufficient to prove for instance the knowledge of a signature for a committed message. Moreover, the gap in the extraction makes it hard, yet possible, to prove that an underlying message under an encryption is binary~\cite{dPLNS17}. + \section{Stern-like Proofs} \addcontentsline{tof}{section}{\protect\numberline{\thesection} Preuves à la Stern} \label{sse:stern} -On the other hand, Stern's protocol has been originally introduced in the context of code-base cryptography~\cite{Ste96}. -\index{Syndrome Decoding Problem} -Initially, it was introduced for Syndrome Decoding Problem (\SDP): given a matrix $\mathbf P \in \FF_2^{n \times m}$ and a syndrome $\mathbf v \in \FF_2^n$, the goal is to find a binary vector $\mathbf x$ with fixed hamming weight $w$ such that $\mathbf P \cdot \mathbf x = \mathbf v \bmod 2$. - -This problem shows similarities with the $\ISIS$ problem defined in \cref{de:sis} where the constraints on the norm of $\mathbf x$ is a constraint on Hamming weight, and operations are in $\FF_2$ instead of $\Zq$. - -After the first works of Kawachi, Tanaka and Xagawa~\cite{KTX08} that extended Stern's proofs to statements $\bmod q$, the work of Ling, Nguyen, Stehlé and Wang~\cite{LNSW13} enables the use of Stern's protocol to prove general $\SIS$ or $\LWE$ statements (meaning the knowledge of a solution to these problems). -This advance in the expressivity of Stern-like protocols has been used to further improve it and therefore enable privacy-based primitives for which no constructions existed in the post-quantum world, such as dynamic group signatures~\cite{LLM+16}, group encryption~\cite{LLM+16a}, e-cash~\cite{LLNW17}, +\input sec-stern 
diff --git a/sec-lattices.tex b/sec-lattices.tex index ac6dca5..96c23cb 100644 --- a/sec-lattices.tex +++ b/sec-lattices.tex @@ -54,7 +54,8 @@ For any lattice~$\Lambda \subseteq \RR^{n}_{}$ and positive real number~$\sigma> $\Pr_{\mathbf{b} \sample D_{\Lambda,\sigma}} \left[ \|\mathbf{b}\| \leq \sigma \sqrt{n} \right] \geq 1-2^{-\Omega(n)}.$ \end{lemma} -In order to work with lattices in cryptography, hard lattice problems have to be defined. In the following we state the \textit{Shortest Independent Vectors Problem}~($\SIVP$). +In order to work with lattices in cryptography, hard lattice problems have to be defined~\cite{Ajt96}. +In the following we state the \textit{Shortest Independent Vectors Problem}~($\SIVP$). This problem reduces to the \textit{Learning With Errors}~($\LWE$) problems and the Short Integer Solution~($\SIS$) problem as explained later in \cref{le:sis-hard} and~\ref{le:lwe-hard}. These links are important as those are ``worst-case to average-case'' reductions. diff --git a/sec-stern.tex b/sec-stern.tex new file mode 100644 index 0000000..fa83906 --- /dev/null +++ b/sec-stern.tex 
@@ -0,0 +1,113 @@ +% \section{Stern-like Proofs} +% \addcontentsline{tof}{section}{\protect\numberline{\thesection} Preuves à la Stern} +% \label{sse:stern} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +On the other hand, Stern's protocol has been originally introduced in the context of code-base cryptography~\cite{Ste96}. +\index{Syndrome Decoding Problem} +Initially, it was introduced for Syndrome Decoding Problem (\SDP): given a matrix $\mathbf P \in \FF_2^{n \times m}$ and a syndrome $\mathbf v \in \FF_2^n$, the goal is to find a binary vector $\mathbf x \in \FF_2^m$ with fixed hamming weight $w$ such that $\mathbf P \cdot \mathbf x = \mathbf v \bmod 2$. + +The proof is mainly combinatorial and relies on the fact that applying a permutation on a binary vector leaves its Hamming weight invariant. +% TODO + +This problem shows similarities with the $\ISIS$ problem defined in \cref{de:sis} where the constraints on the norm of $\mathbf x$ is a constraint on Hamming weight, and operations are in $\FF_2$ instead of $\Zq$. + +After the first works of Kawachi, Tanaka and Xagawa~\cite{KTX08} that extended Stern's proofs to statements $\bmod q$, the work of Ling, Nguyen, Stehlé and Wang~\cite{LNSW13} enables the use of Stern's protocol to prove general $\SIS$ or $\LWE$ statements (meaning the knowledge of a solution to these problems). +These advances in the expressivity of Stern-like protocols has been used to further improve it and therefore enable privacy-based primitives for which no constructions existed in the post-quantum world, such as dynamic group signatures~\cite{LLM+16}, group encryption~\cite{LLM+16a}, electronic cash~\cite{LLNW17}, etc. + +In this Section, we describe in a high-level view how Stern's protocol works, and then we detail it. 
+ +\subsection{Abstraction of Stern's Protocol} +\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Abstraction du protocole de Stern} + +%%%% TODO + + +Let $K$, $D$, $q$ be positive integers with $D \geq K$ and $q \geq 2$, and let $\mathsf{VALID}$ be a subset of $\mathbb{Z}^D$. Suppose that $\mathcal{S}$ is a finite set such that every $\phi \in \mathcal{S}$ can be associated with a permutation $\Gamma_\phi$ of $D$ elements satisfying the following conditions: +\begin{eqnarray}\label{eq:zk-equivalence} +\begin{cases} +\mathbf{w} \in \mathsf{VALID} \hspace*{2.5pt} \Longleftrightarrow \hspace*{2.5pt} \Gamma_\phi(\mathbf{w}) \in \mathsf{VALID}, \\ +\text{If } \mathbf{w} \in \mathsf{VALID} \text{ and } \phi \text{ is uniform in } \mathcal{S}, \text{ then } \Gamma_\phi(\mathbf{w}) \text{ is uniform in } \mathsf{VALID}.~~~~~ +\end{cases} +\end{eqnarray} +We aim to construct a statistical \textsf{ZKAoK} for the following abstract relation: +\begin{eqnarray*} +\mathrm{R_{abstract}} = \big\{ \big((\mathbf{M}, \mathbf{v}), \mathbf{w} \big) \in \mathbb{Z}_q^{K \times D} \times \mathbb{Z}_q^D \times \mathsf{VALID}: \mathbf{M}\cdot \mathbf{w} = \mathbf{v} \bmod q.\big\} +\end{eqnarray*} + +Note that, Stern's original protocol corresponds to the special case when $\mathsf{VALID} = \{ +\mathbf{w} \in \{0,1\}^D: \mathsf{wt}(\mathbf{w}) = k\}$, where $\mathsf{wt}(\cdot)$ denotes the Hamming weight and $k < D$ is a given integer, $\mathcal{S} = \mathcal{S}_D$ is the set of all permutations of~$D$ elements and $\Gamma_{\phi}(\mathbf{w}) = \phi(\mathbf{w})$. + +The conditions in \eqref{eq:zk-equivalence} play a crucial role in proving in \textsf{ZK} that $\mathbf{w} \in \mathsf{VALID}$. To this end, the prover samples a random $\phi \hookleftarrow U(\mathcal{S})$ and lets the verifier check that $\Gamma_\phi(\mathbf{w}) \in \mathsf{VALID}$ without learning any additional information about $\mathbf{w}$ due to the randomness of $\phi$. 
Furthermore, to prove in a zero-knowledge manner that the linear equation is satisfied, the prover samples a masking vector $\mathbf{r}_w \hookleftarrow U(\mathbb{Z}_q^D)$, and convinces the verifier instead that $\mathbf{M}\cdot (\mathbf{w} + \mathbf{r}_w) = \mathbf{M}\cdot \mathbf{r}_w + \mathbf{v} \bmod q.$ + + +The interaction between prover $\mathcal{P}$ and verifier $\mathcal{V}$ is described in Figure~\ref{Figure:Interactive-Protocol}. The protocol uses a statistically hiding and computationally binding string commitment scheme \textsf{COM} (e.g., the \textsf{SIS}-based scheme from~\cite{KTX08}). + + +\begin{figure}[!htbp] + + \small + \begin{enumerate} + \item \textbf{Commitment:} Prover samples $\mathbf{r}_w \leftarrow U(\mathbb{Z}_q^D)$, $\phi \leftarrow U(\mathcal{S})$ and randomnesses $\rho_1, \rho_2, \rho_3$ for $\mathsf{COM}$. + Then he sends $\mathrm{CMT}= \big(C_1, C_2, C_3\big)$ to the verifier, where + \begin{gather*} + C_1 = \mathsf{COM}(\phi, \mathbf{M}\cdot \mathbf{r}_w \bmod q; \rho_1), \hspace*{5pt} + C_2 = \mathsf{COM}(\Gamma_{\phi}(\mathbf{r}_w); \rho_2), \\ + C_3 = \mathsf{COM}(\Gamma_{\phi}(\mathbf{w} + \mathbf{r}_w \bmod q); \rho_3). + \end{gather*} + + \item \textbf{Challenge:} The verifier sends a challenge $Ch \leftarrow U(\{1,2,3\})$ to the prover. + \item \textbf{Response:} Depending on $Ch$, the prover sends $\mathrm{RSP}$ computed as follows: + \smallskip + \begin{itemize} + \item $Ch = 1$: Let $\mathbf{t}_{w} = \Gamma_{\phi}(\mathbf{w})$, $\mathbf{t}_{r} = \Gamma_{\phi}(\mathbf{r}_w)$, and $\mathrm{RSP} = (\mathbf{t}_w, \mathbf{t}_r, \rho_2, \rho_3)$. \smallskip + + \item $Ch = 2$: Let $\phi_2 = \phi$, $\mathbf{w}_2 = \mathbf{w} + \mathbf{r}_w \bmod q$, and + $\mathrm{RSP} = (\phi_2, \mathbf{w}_2, \rho_1, \rho_3)$. \smallskip + \item $Ch = 3$: Let $\phi_3 = \phi$, $\mathbf{w}_3 = \mathbf{r}_w$, and + $\mathrm{RSP} = (\phi_3, \mathbf{w}_3, \rho_1, \rho_2)$. 
+ \end{itemize} + \end{enumerate} + \textbf{Verification:} Receiving $\mathrm{RSP}$, the verifier proceeds as follows: + \smallskip +%\vspace{-0.25cm} + \begin{itemize}%[leftmargin=0.2cm,itemindent=.2cm,labelwidth=\itemindent,labelsep=0.2cm,align=left] + \item $Ch = 1$: Check that + \begin{gather*} + \mathbf{t}_w \in \mathsf{VALID},\\ + C_2 = \mathsf{COM}(\mathbf{t}_r; \rho_2), \qquad + {C}_3 = \mathsf{COM}(\mathbf{t}_w + \mathbf{t}_r \bmod q; \rho_3). + \end{gather*} + + \item $Ch = 2$: Check that + \[ + C_1 = \mathsf{COM}(\phi_2, \mathbf{M}\cdot \mathbf{w}_2 - \mathbf{v} \bmod q; \rho_1),\qquad + {C}_3 = \mathsf{COM}(\Gamma_{\phi_2}(\mathbf{w}_2); \rho_3). + \] + + \item $Ch = 3$: Check that + \[ + C_1 = \mathsf{COM}(\phi_3, \mathbf{M}\cdot \mathbf{w}_3; \rho_1), \qquad + C_2 = \mathsf{COM}(\Gamma_{\phi_3}(\mathbf{w}_3); \rho_2). + \] + + \end{itemize} + In each case, the verifier outputs $1$ if and only if all the conditions hold. +%\rule{0pt}{3ex} + \caption{Stern-like \textsf{ZKAoK} for the relation $\mathrm{R_{abstract}}$.} + \label{Figure:Interactive-Protocol} +\end{figure} +%The properties of the given protocol are summarized in Theorem~\ref{Theorem:zk-protocol}. + +\begin{theorem}\label{Theorem:zk-protocol} +The protocol in Figure~\ref{Figure:Interactive-Protocol} is a statistical \emph{\textsf{ZKAoK}} with perfect completeness, soundness error~$2/3$, and communication cost~$\mathcal{O}(D\log q)$. Namely: +\begin{itemize} +\item There exists a polynomial-time simulator that, on input $(\mathbf{M}, \mathbf{v})$, outputs an accepted transcript statistically close to that produced by the real prover. 
+\item There exists a polynomial-time knowledge extractor that, on input a commitment $\mathrm{CMT}$ and $3$ valid responses $(\mathrm{RSP}_1,\mathrm{RSP}_2,\mathrm{RSP}_3)$ to all $3$ possible values of the challenge $Ch$, outputs $\mathbf{w}' \in \mathsf{VALID}$ such that $\mathbf{M}\cdot \mathbf{w}' = \mathbf{v} \bmod q.$ +\end{itemize} +\end{theorem} +The proof of the theorem relies on standard simulation and extraction techniques for Stern-like protocols~\cite{KTX08,LNSW13,LLM+16}. +\vspace{-0.1 cm} + + +%%%% END TODO
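Review bot: in the `@@ -188,7 +188,7 @@` hunk of chap-ZK.tex the subject-verb fix (`methodology ... is based`) is right, but the same sentence on the unchanged context line still carries two typos worth fixing in the same commit: `which can bee seen at the relation` should read `which can be seen as the relation`, and `with $\GG = \langle g \rangle$ be a cyclic group` should read `where $\GG = \langle g \rangle$ is a cyclic group`.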
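Review bot: grammar in the three sentences added by the `@@ -197,7 +197,10 @@` hunk of chap-ZK.tex: `and ensure that the transmitted` should be `and ensures that`, `This part induced a noticeable error-rate` should be present tense (`induces`) since it describes the protocol rather than a past event, and `leak informations` should be `leak information`. While here, `square braces` is normally `square brackets`, and `effiency` on the context line above is `efficiency`.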
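Review bot: in the `@@ -230,15 +233,9 @@` hunk, `+\input sec-stern` uses the TeX primitive form without braces; it compiles, but `\input{sec-stern}` is the conventional LaTeX form and is the one tooling that looks for braced `\input` arguments recognises. Since `\section{Stern-like Proofs}`, its `\addcontentsline` and `\label{sse:stern}` stay in chap-ZK.tex, the commented-out copies of those three lines at the top of the new sec-stern.tex are dead weight and could be dropped to avoid the two drifting apart.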
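Review bot: the `@@ -54,7 +54,8 @@` hunk of sec-lattices.tex only splits a sentence and adds `\cite{Ajt96}`, which is fine; the unchanged context line right after it mixes `\cref{le:sis-hard}` with `~\ref{le:lwe-hard}`, so the two references render inconsistently; `\cref{le:sis-hard,le:lwe-hard}` gives a single consistent reference. In the same line, `\textit{Learning With Errors}~($\LWE$) problems` should be singular to match `the Short Integer Solution~($\SIS$) problem`.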
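Review bot: in the new sec-stern.tex, the definition of $\mathrm{R_{abstract}}$ has a stray period inside the set braces (`\mathbf{M}\cdot \mathbf{w} = \mathbf{v} \bmod q.\big\}`), and the $Ch = 3$ verification checks `C_1 = \mathsf{COM}(\phi_3, \mathbf{M}\cdot \mathbf{w}_3; \rho_1)` without the `\bmod q` that both the commitment phase (`C_1 = \mathsf{COM}(\phi, \mathbf{M}\cdot \mathbf{r}_w \bmod q; \rho_1)`) and the $Ch = 2$ check carry; add it so the three occurrences agree. The file also lands with `% TODO`, `%%%% TODO` and `%%%% END TODO` markers, and the sentence `The proof is mainly combinatorial and relies on the fact that applying a permutation on a binary vector leaves its Hamming weight invariant.` is followed by a bare `% TODO`, so either finish that paragraph or remove the marker before merging. `\begin{eqnarray}` wrapping a single `cases` block (padded with a trailing `~~~~~`) would be cleaner as `\begin{equation}`, since amsmath deprecates eqnarray. Minor wording: `code-base cryptography` should be `code-based`, `fixed hamming weight` should be `Hamming`, `These advances ... has been used` should be `have been used`, `the constraints on the norm of $\mathbf x$ is a constraint` should be singular, and `In this Section` needs no capital.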