Continue Stern part

2018-04-10 09:20:19 +02:00 · 2018-04-10 09:20:19 +02:00 · 3b2ad6a2fd
commit 3b2ad6a2fd
parent dd7b3a5fde
3 changed files with 57 additions and 34 deletions
--- a/macros.tex
+++ b/macros.tex
@ -20,7 +20,7 @@
 %% Common
 \newcommand{\Setup}{\ensuremath{\mathsf{Setup}}\xspace}
 \newcommand{\Keygen}{\ensuremath{\mathsf{Keygen}}\xspace}
-  \newcommand{\param}{\ensuremath{\mathsf{par}}\xspace}
+\newcommand{\param}{\ensuremath{\mathsf{par}}\xspace}
 %% ZK
 \newcommand{\trans}{\textsf{trans}\xspace}
 \newcommand{\cmt}{\textsf{cmt}\xspace}
@ -73,6 +73,8 @@
 \newcommand{\QQ}{\xspace\ensuremath{\mathbb{Q}}\xspace}
 \newcommand{\Zq}{\xspace\ensuremath{\mathbb{Z}_q}\xspace}
 \newcommand{\bit}{\xspace\ensuremath{\{0,1\}}\xspace}
 \newcommand{\nbit}{\xspace\ensuremath{\{-1,0,1\}}\xspace}
 \newcommand{\permutations}{\ensuremath{\mathfrak S}\xspace}
 %% Pairings
 \newcommand{\Zp}{\xspace\ensuremath{\mathbb{Z}_p}\xspace}
 \newcommand{\GG}{\xspace\ensuremath{\mathbb{G}}\xspace}
--- a/sec-stern.tex
+++ b/sec-stern.tex
@ -7,44 +7,27 @@ On the other hand, Stern's protocol has been originally introduced in the contex
 \index{Syndrome Decoding Problem}
 Initially, it was introduced for Syndrome Decoding Problem (\SDP): given a matrix $\mathbf P \in \FF_2^{n \times m}$ and a syndrome $\mathbf v \in \FF_2^n$, the goal is to find a binary vector $\mathbf x \in \FF_2^m$ with fixed hamming weight $w$ such that $\mathbf P \cdot \mathbf x = \mathbf v \bmod 2$.
 The proof is mainly combinatorial and relies on the fact that applying a permutation on a binary vector leaves its Hamming weight invariant.
 % TODO
 This problem shows similarities with the $\ISIS$ problem defined in \cref{de:sis} where the constraints on the norm of $\mathbf x$ is a constraint on Hamming weight, and operations are in $\FF_2$ instead of $\Zq$.
 After the first works of Kawachi, Tanaka and Xagawa~\cite{KTX08} that extended Stern's proofs to statements $\bmod q$, the work of Ling, Nguyen, Stehlé and Wang~\cite{LNSW13} enables the use of Stern's protocol to prove general $\SIS$ or $\LWE$ statements (meaning the knowledge of a solution to these problems).
 These advances in the expressivity of Stern-like protocols has been used to further improve it and therefore enable privacy-based primitives for which no constructions existed in the post-quantum world, such as dynamic group signatures~\cite{LLM+16}, group encryption~\cite{LLM+16a}, electronic cash~\cite{LLNW17}, etc.
 Unlike the Schnorr-like proof we saw in the previous section, Stern's proof is mainly combinatorial and relies on the fact that every permutation on a binary vector $\mathbf x \in \bit^m_{}$ leaves its Hamming weight $w$ invariant. As a consequence, for $\pi \in \permutations_m$, $\mathbf x$ satisfies these conditions if and only if $\pi(\mathbf x)$ also does.
 Therefore, the randomness of $\pi$ is used to verify these two constraints (being binary and the hamming weight) in a zero-knowledge fashion.
 We can notice that this can be extended to vectors $\mathbf x \in \nbit^m$ of fixed numbers of $-1$ and $1$ that allowed~\cite{LNSW13} to propose the generalization of this protocol to any $\ISIS_{n,m,q,\beta}$ statements.
 In \cref{sse:stern-abstraction}, we describes these permutations while abstracting the set of ZK-provable statements as the set $\mathsf{VALID}$ that satisfies conditions~\eqref{eq:zk-equivalence}.
 It is worth noticing that this argument on knowledge does not form a $\Sigma$-protocol, as the challenge space is ternary as described in \cref{sse:stern-abstraction}.
 Thus standard theorems on $\Sigma$-protocols has to be adapted in this setting.
 In this Section, we describe in a high-level view how Stern's protocol works, and then we detail it.
-\subsection{Abstraction of Stern's Protocol}
+
 \subsection{Abstraction of Stern's Protocol} \label{sse:stern-abstraction}
 \addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Abstraction du protocole de Stern}
 %%%% TODO
-
+\begin{figure}[t]
 Let $K$, $D$, $q$ be positive integers with $D \geq K$ and $q \geq 2$, and let $\mathsf{VALID}$ be a subset of $\mathbb{Z}^D$. Suppose that $\mathcal{S}$ is a finite set such that   every $\phi \in \mathcal{S}$ can be associated with a permutation $\Gamma_\phi$ of $D$ elements  satisfying the following conditions:
 \begin{eqnarray}\label{eq:zk-equivalence}
 \begin{cases}
 \mathbf{w} \in \mathsf{VALID} \hspace*{2.5pt} \Longleftrightarrow \hspace*{2.5pt} \Gamma_\phi(\mathbf{w}) \in \mathsf{VALID}, \\
 \text{If } \mathbf{w} \in \mathsf{VALID} \text{ and } \phi \text{ is uniform in } \mathcal{S}, \text{ then }  \Gamma_\phi(\mathbf{w}) \text{ is uniform in } \mathsf{VALID}.~~~~~
 \end{cases}
 \end{eqnarray}
 We aim to construct a statistical \textsf{ZKAoK} for the following abstract relation:
 \begin{eqnarray*}
 \mathrm{R_{abstract}} = \big\{ \big((\mathbf{M}, \mathbf{v}), \mathbf{w} \big) \in \mathbb{Z}_q^{K \times D} \times \mathbb{Z}_q^D \times \mathsf{VALID}: \mathbf{M}\cdot \mathbf{w} = \mathbf{v} \bmod q.\big\}
 \end{eqnarray*}
 Note that, Stern's original protocol corresponds to the special case when $\mathsf{VALID} = \{
 \mathbf{w} \in \{0,1\}^D: \mathsf{wt}(\mathbf{w}) = k\}$, where $\mathsf{wt}(\cdot)$ denotes the Hamming weight and $k < D$ is a given integer, $\mathcal{S} = \mathcal{S}_D$ is  the set of all permutations of~$D$ elements and $\Gamma_{\phi}(\mathbf{w}) = \phi(\mathbf{w})$.
 The conditions in \eqref{eq:zk-equivalence} play a crucial role in proving in \textsf{ZK} that $\mathbf{w} \in \mathsf{VALID}$. To this end, the prover samples a random $\phi \hookleftarrow U(\mathcal{S})$ and lets the verifier check that $\Gamma_\phi(\mathbf{w}) \in \mathsf{VALID}$ without learning any additional information about $\mathbf{w}$ due to the randomness of $\phi$. Furthermore, to prove in a zero-knowledge manner that the linear equation is satisfied, the prover samples a masking vector $\mathbf{r}_w \hookleftarrow U(\mathbb{Z}_q^D)$, and convinces the verifier instead that $\mathbf{M}\cdot (\mathbf{w} + \mathbf{r}_w) = \mathbf{M}\cdot \mathbf{r}_w + \mathbf{v} \bmod q.$
 The interaction between prover $\mathcal{P}$ and verifier $\mathcal{V}$ is described in Figure~\ref{Figure:Interactive-Protocol}. The protocol uses a statistically hiding and computationally binding string commitment scheme \textsf{COM} (e.g., the \textsf{SIS}-based scheme from~\cite{KTX08}).
 \begin{figure}[!htbp]
  \small
  \begin{enumerate}
@ -70,8 +53,7 @@ The interaction between prover $\mathcal{P}$ and verifier $\mathcal{V}$ is descr
  \end{enumerate}
  \textbf{Verification:}  Receiving $\mathrm{RSP}$, the verifier proceeds as follows:
  \smallskip
-%\vspace{-0.25cm}
+  \begin{itemize}
  \begin{itemize}%[leftmargin=0.2cm,itemindent=.2cm,labelwidth=\itemindent,labelsep=0.2cm,align=left]
    \item $Ch = 1$: Check that
      \begin{gather*}
        \mathbf{t}_w \in \mathsf{VALID},\\
@ -93,11 +75,31 @@ The interaction between prover $\mathcal{P}$ and verifier $\mathcal{V}$ is descr
  \end{itemize}
  In each case, the verifier outputs $1$ if and only if all the conditions hold.
 %\rule{0pt}{3ex}
  \caption{Stern-like \textsf{ZKAoK} for the relation $\mathrm{R_{abstract}}$.}
  \label{Figure:Interactive-Protocol}
 \end{figure}
-%The properties of the given protocol are summarized in Theorem~\ref{Theorem:zk-protocol}.
+
 Let $K$, $D$, $q$ be positive integers with $D \geq K$ and $q \geq 2$, and let $\mathsf{VALID}$ be a subset of $\mathbb{Z}^D$. Suppose that $\mathcal{S}$ is a finite set such that   every $\phi \in \mathcal{S}$ can be associated with a permutation $\Gamma_\phi \in \permutations_D$ satisfying the following conditions:
 \begin{eqnarray}\label{eq:zk-equivalence}
 \begin{cases}
 \mathbf{w} \in \mathsf{VALID} ~ \iff ~ \Gamma_\phi(\mathbf{w}) \in \mathsf{VALID}, \\
 \text{If } \mathbf{w} \in \mathsf{VALID} \text{ and } \phi \text{ is uniform in } \mathcal{S}, \text{ then }  \Gamma_\phi(\mathbf{w}) \text{ is uniform in } \mathsf{VALID}. \quad
 \end{cases}
 \end{eqnarray}
 We aim to construct a statistical Zero-Knowledge Argument of Knowledge (\textsf{ZKAoK}) for the following abstract relation:
 \begin{eqnarray*}
 \mathrm{R_{abstract}} = \big\{ \big((\mathbf{M}, \mathbf{v}), \mathbf{w} \big) \in \mathbb{Z}_q^{K \times D} \times \mathbb{Z}_q^D \times \mathsf{VALID}: \mathbf{M}\cdot \mathbf{w} = \mathbf{v} \bmod q.\big\}
 \end{eqnarray*}
 Note that, Stern's original protocol corresponds to the special case when the set
 $\mathsf{VALID} = \{
 \mathbf{w} \in \{0,1\}^D: \mathsf{wt}(\mathbf{w}) = k\}$, where $\mathsf{wt}(\cdot)$ denotes the Hamming weight and $k < D$ is a given integer, $\mathcal{S} = \mathcal{S}_D$ is  the set of all permutations of~$D$ elements and $\Gamma_{\phi}(\mathbf{w}) = \phi(\mathbf{w})$.
 The conditions in \eqref{eq:zk-equivalence} play a crucial role in proving in \textsf{ZK} that $\mathbf{w} \in \mathsf{VALID}$. To this end, the prover samples a random $\phi \hookleftarrow U(\mathcal{S})$ and lets the verifier check that $\Gamma_\phi(\mathbf{w}) \in \mathsf{VALID}$ without learning any additional information about $\mathbf{w}$ due to the randomness of $\phi$. Furthermore, to prove in a zero-knowledge manner that the linear equation is satisfied, the prover samples a masking vector $\mathbf{r}_w \hookleftarrow U(\mathbb{Z}_q^D)$, and convinces the verifier instead that $\mathbf{M}\cdot (\mathbf{w} + \mathbf{r}_w) = \mathbf{M}\cdot \mathbf{r}_w + \mathbf{v} \bmod q.$
 The interaction between prover $\mathcal{P}$ and verifier $\mathcal{V}$ is described in Figure~\ref{Figure:Interactive-Protocol}. The protocol uses a statistically hiding and computationally binding string commitment scheme \textsf{COM} (e.g., the \textsf{SIS}-based scheme from~\cite{KTX08}).
 \begin{theorem}\label{Theorem:zk-protocol}
 The protocol in Figure~\ref{Figure:Interactive-Protocol} is a statistical \emph{\textsf{ZKAoK}} with perfect completeness, soundness error~$2/3$, and communication cost~$\mathcal{O}(D\log q)$. Namely:
@ -111,3 +113,21 @@ The proof of the theorem relies on standard simulation and extraction techniques
 %%%% END TODO
 %%%%%%%%%%%%%%%%%%%%%
 %%%% Recap Table %%%%
 %%%%%%%%%%%%%%%%%%%%%
 \begin{figure}
  \begin{itemize}
    \item $\mathsf B^{2}_{\mathfrak m}$: the set of vectors in $\bit^{2\mathfrak m}$ with Hamming weight $\mathfrak m$.
    \item $\mathsf B^{3}_{\mathfrak m}$: the set of vectors in $\nbit^{3\mathfrak m}$ which has exactly $\mathfrak m$ coordinates equal to $j$ for each $j \in \nbit$.
  \end{itemize}
  \caption{Notations for Stern-like protocols.}
  \label{fig:stern-notations}
 \end{figure}
 \subsection{The Decomposition-Extension Framework}
 \addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Méthode de décomposition-extension}
 A method used in~\cite{LNSW13} to prove knowledge of an \ISIS preimage consists in first \textit{decomposing} the secret $\mathbf{x} = (x_1, \ldots, x_m)  \in [-B,B]^m$ into a vector $\tilde{\mathbf x}$ of $\nbit^{m \delta_B}$ such that $\tilde{\mathbf x} = [ \tilde{\mathbf u}_1^{T} \mid \cdots \mid \tilde{\mathbf u}_{\delta_B}^T]^T$ and for all $j \in \{1, \ldots, m\}$, $(1, 2, \ldots, 2^{\delta_B - 1})^T \cdot \tilde{\mathbf u}_j^{} = x_j$.
 Once that is done, we fix the hamming weight of the resulting vector by \textit{extending} its components $\tilde{\mathbf u}_j^{}$ into $\mathbf u_j \in \mathsf B^3_{m}$.
--- a/symbols.tex
+++ b/symbols.tex
@ -8,8 +8,9 @@
  $\ppt$     & Probabilistic Polynomial Time            \\
  $\epsilon$ & empty word                               \\
  $\mathbf A$ & bold uppercase letters represent matrices\\
-  $\mathbf b$ & bold lowercase letters represent vectors\\
+  $\mathbf b$ & bold lowercase letters represent column vectors\\
  $\widetilde{\mathbf A}$ & Gram-Schmidt orthogonalization of matrix $\mathbf A$\\
  $\mathbf{A}^T_{}, \mathbf{u}^T_{}$ & the transpose of a matrix or a vector respectively\\
  [1ex] \multicolumn{2}{l}{\scbf{Usual sets}}           \\
  $\QQ$      & the set of rational numbers              \\
  $\RR$      & the set of real numbers                  \\