Stern
This commit is contained in:
parent
26dd440889
commit
5b9cdfdd1b
186
sec-stern.tex
@ -5,16 +5,16 @@
|
|||||||
|
|
||||||
On the other hand, Stern's protocol has been originally introduced in the context of code-base cryptography~\cite{Ste96}.
|
On the other hand, Stern's protocol has been originally introduced in the context of code-base cryptography~\cite{Ste96}.
|
||||||
\index{Syndrome Decoding Problem}
|
\index{Syndrome Decoding Problem}
|
||||||
Initially, it was introduced for Syndrome Decoding Problem (\SDP): given a matrix $\mathbf P \in \FF_2^{n \times m}$ and a syndrome $\mathbf v \in \FF_2^n$, the goal is to find a binary vector $\mathbf x \in \FF_2^m$ with fixed hamming weight $w$ such that $\mathbf P \cdot \mathbf x = \mathbf v \bmod 2$.
|
Initially, it was introduced for Syndrome Decoding Problem (\SDP): given a matrix $\mathbf M \in \FF_2^{n \times m}$ and a syndrome $\mathbf v \in \FF_2^n$, the goal is to find a binary vector $\mathbf w \in \FF_2^m$ with fixed hamming weight $w$ such that $\mathbf M \cdot \mathbf w = \mathbf v \bmod 2$.
|
||||||
|
|
||||||
This problem shows similarities with the $\ISIS$ problem defined in \cref{de:sis} where the constraints on the norm of $\mathbf x$ is a constraint on Hamming weight, and operations are in $\FF_2$ instead of $\Zq$.
|
This problem shows similarities with the $\ISIS$ problem defined in \cref{de:sis} where the constraints on the norm of $\mathbf x$ is a constraint on Hamming weight, and operations are in $\FF_2$ instead of $\Zq$.
|
||||||
|
|
||||||
After the first works of Kawachi, Tanaka and Xagawa~\cite{KTX08} that extended Stern's proofs to statements $\bmod q$, the work of Ling, Nguyen, Stehlé and Wang~\cite{LNSW13} enables the use of Stern's protocol to prove general $\SIS$ or $\LWE$ statements (meaning the knowledge of a solution to these problems).
|
After the first works of Kawachi, Tanaka and Xagawa~\cite{KTX08} that extended Stern's proofs to statements $\bmod q$, the work of Ling, Nguyen, Stehlé and Wang~\cite{LNSW13} enables the use of Stern's protocol to prove general $\SIS$ or $\LWE$ statements (meaning the knowledge of a solution to these problems).
|
||||||
These advances in the expressivity of Stern-like protocols has been used to further improve it and therefore enable privacy-based primitives for which no constructions existed in the post-quantum world, such as dynamic group signatures~\cite{LLM+16}, group encryption~\cite{LLM+16a}, electronic cash~\cite{LLNW17}, etc.
|
These advances in the expressivity of Stern-like protocols has been used to further improve it and therefore enable privacy-based primitives for which no constructions existed in the post-quantum world, such as dynamic group signatures~\cite{LLM+16}, group encryption~\cite{LLM+16a}, electronic cash~\cite{LLNW17}, etc.
|
||||||
|
|
||||||
Unlike the Schnorr-like proof we saw in the previous section, Stern's proof is mainly combinatorial and relies on the fact that every permutation on a binary vector $\mathbf x \in \bit^m_{}$ leaves its Hamming weight $w$ invariant. As a consequence, for $\pi \in \permutations_m$, $\mathbf x$ satisfies these conditions if and only if $\pi(\mathbf x)$ also does.
|
Unlike the Schnorr-like proof we saw in the previous section, Stern's proof is mainly combinatorial and relies on the fact that every permutation on a binary vector $\mathbf w \in \bit^m_{}$ leaves its Hamming weight $w$ invariant. As a consequence, for $\pi \in \permutations_m$, $\mathbf w$ satisfies these conditions if and only if $\pi(\mathbf x)$ also does.
|
||||||
Therefore, the randomness of $\pi$ is used to verify these two constraints (being binary and the hamming weight) in a zero-knowledge fashion.
|
Therefore, the randomness of $\pi$ is used to verify these two constraints (being binary and the hamming weight) in a zero-knowledge fashion.
|
||||||
We can notice that this can be extended to vectors $\mathbf x \in \nbit^m$ of fixed numbers of $-1$ and $1$ that allowed~\cite{LNSW13} to propose the generalization of this protocol to any $\ISIS_{n,m,q,\beta}$ statements.
|
We can notice that this can be extended to vectors $\mathbf w \in \nbit^m$ of fixed numbers of $-1$ and $1$ that allowed~\cite{LNSW13} to propose the generalization of this protocol to any $\ISIS_{n,m,q,\beta}$ statements.
|
||||||
In \cref{sse:stern-abstraction}, we describes these permutations while abstracting the set of ZK-provable statements as the set $\mathsf{VALID}$ that satisfies conditions~\eqref{eq:zk-equivalence}.
|
In \cref{sse:stern-abstraction}, we describes these permutations while abstracting the set of ZK-provable statements as the set $\mathsf{VALID}$ that satisfies conditions~\eqref{eq:zk-equivalence}.
|
||||||
|
|
||||||
It is worth noticing that this argument on knowledge does not form a $\Sigma$-protocol, as the challenge space is ternary as described in \cref{sse:stern-abstraction}.
|
It is worth noticing that this argument on knowledge does not form a $\Sigma$-protocol, as the challenge space is ternary as described in \cref{sse:stern-abstraction}.
|
||||||
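Review bot: the $\mathbf x \to \mathbf w$ rename is incomplete in the paragraph contrasting Stern with Schnorr: the new line still ends with `if and only if $\pi(\mathbf x)$ also does`, so $\mathbf x$ is now undefined there; it should read `$\pi(\mathbf w)$`. The same sentence now uses $\mathbf w$ for the vector and $w$ for its Hamming weight, which is easy to misread in print; the abstraction later writes $\mathsf{wt}(\mathbf w) = k$, so $k$ would be a better weight symbol here. The unchanged context line `where the constraints on the norm of $\mathbf x$ is a constraint on Hamming weight` also still refers to $\mathbf x`. While touching these lines: `code-base cryptography` should be `code-based`, `hamming weight` should be `Hamming weight` (twice), `Stern-like protocols has been used` should be `have been used`, `argument on knowledge` should be `argument of knowledge`, and `we describes` should be `we describe`.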
@ -23,15 +23,56 @@ Thus standard theorems on $\Sigma$-protocols has to be adapted in this setting.
|
|||||||
In this Section, we describe in a high-level view how Stern's protocol works, and then we detail it.
|
In this Section, we describe in a high-level view how Stern's protocol works, and then we detail it.
|
||||||
|
|
||||||
|
|
||||||
|
\subsection{The Decomposition-Extension Framework} \label{sse:stern-dec-ext}
|
||||||
|
\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Méthode de décomposition-extension}
|
||||||
|
|
||||||
|
%%%%%%%%%%%%%%%%%%%%%
|
||||||
|
%%%% Recap Table %%%%
|
||||||
|
%%%%%%%%%%%%%%%%%%%%%
|
||||||
|
\begin{figure}[h]
|
||||||
|
\begin{itemize}
|
||||||
|
\item $\mathsf B^{2}_{\mathfrak m}$: the set of vectors in $\bit^{2\mathfrak m}$ with Hamming weight $\mathfrak m$.
|
||||||
|
\item $\mathsf B^{3}_{\mathfrak m}$: the set of vectors in $\nbit^{3\mathfrak m}$ which has exactly $\mathfrak m$ coordinates equal to $j$ for each $j \in \nbit$.
|
||||||
|
\end{itemize}
|
||||||
|
\caption{Notations for Stern-like protocols.}
|
||||||
|
\label{fig:stern-notations}
|
||||||
|
\end{figure}
|
||||||
|
|
||||||
|
The original Stern protocol was designed to prove knowledge of a SDP preimage. That is, to prove the knowledge of a vector $\mathbf{w} \in \bit^m$ that verifies
|
||||||
|
\begin{equation} \label{eq:sdp-statement}
|
||||||
|
\mathbf M \cdot \mathbf{w} = \mathbf v \bmod 2.
|
||||||
|
\end{equation}
|
||||||
|
|
||||||
|
A first improvement by~\cite{KTX08} was to extend this protocol using a statistically hiding SIS-based commitment scheme as described in~\ref{fig:Interactive-Protocol} to prove in (statistical) zero-knowledge that
|
||||||
|
\begin{equation} \label{eq:isis-stern-relation}
|
||||||
|
\mathbf{M} \cdot \mathbf{w} = \mathbf{v} \bmod q.
|
||||||
|
\end{equation}
|
||||||
|
|
||||||
|
The details of this proof is given in \cref{sse:stern-abstraction}, but it can be summarized in the following Lemma.
|
||||||
|
|
||||||
|
\begin{lemma}[{\cite[Se. 4]{KTX08}}] \label{le:zk-ktx}
|
||||||
|
There exists a statistical \textsf{ZKAoK} with perfect completeness and soundness error 2/3 to prove the knowledge of a secret vector $\mathbf{w} \in \bit^m$ that verifies relation~\eqref{eq:isis-stern-relation} for public input $(\mathbf M, \mathbf v) \in \Zq^{n \times m} \times \Zq^{n}$.
|
||||||
|
\end{lemma}
|
||||||
|
|
||||||
|
Ling, Nguyen, Stehlé and Wang~\cite{LNSW13} noticed that the \textsf{ZKAoK} of \cref{le:zk-ktx} straightforwardly works to prove knowledge of a vector in $\nbit^m$.
|
||||||
|
|
||||||
|
A technique to relax the constraints on the \textsf{ZKAoK} of \cref{le:zk-ktx} is the so-called ``Decomposition-Extension'' technique~\cite{LNSW13}\cite{LSS14,ELL+15,LLNW16} as explained in the introduction of this Section (\ref{sse:stern}).
|
||||||
|
|
||||||
|
To prove the knowledge of an \ISIS preimage, i.e.
|
||||||
|
the knowledge of a bounded vector $\mathbf{w} \in [-B,B]^m$ that satisfies relation~\eqref{eq:isis-stern-relation}, the goal is to rewrite $\mathbf w$ as $\bar{\mathbf w} = \mathbf K \cdot \mathbf w \bmod q$ with a public transfer matrix $\mathbf K$ such that $\bar{\mathbf w} \in \nbit^{m'}$ and of known numbers of elements equal to $j$ for $j \in \nbit$.
|
||||||
|
This reduces to use \cref{le:zk-ktx} to prove the knowledge of $\bar{\mathbf w} \in \nbit^{m'}$ for public input $(\mathbf M \cdot \mathbf K, \mathbf v)$.
|
||||||
|
|
||||||
|
To construct such a transfer matrix $\mathbf K$, \cite{LNSW13} showed that \textit{decomposing} a vector $\mathbf x \in [-B,B]^m$ as a vector $\tilde{\mathbf x} \in \nbit^{m \cdot \delta_B}$ and \textit{extending} the resulting vector into $\bar{\mathbf x} \in \mathsf B^3_{m \delta_B}$ leads to a new statement that can be proven using the~\cite{KTX08} variant of Stern's protocol.
|
||||||
|
The resulting matrix $\mathbf{K}= \left[\mathbf{K}_{m,B}^{} \mid \mathbf 0^{m \times 2m\delta_B}\right] \in \ZZ^{m \times 3m\delta_B}$, where $\mathbf{K}_{m,B}^{}$ is the \nbit-decomposition matrix $\mathbf{K}_{m,B} = \mathbf I_m \otimes \left[B_1 \mid \cdots \mid B_{\delta_B} \right]$ with $B_j^{} = \left\lfloor \frac{B + 2^{j-1}}{2^j} \right\rfloor$ for all $j \in \{1,\ldots,j\}$ can be computed from public parameters.
|
||||||
|
|
||||||
|
|
||||||
\subsection{Abstraction of Stern's Protocol} \label{sse:stern-abstraction}
|
\subsection{Abstraction of Stern's Protocol} \label{sse:stern-abstraction}
|
||||||
\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Abstraction du protocole de Stern}
|
\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Abstraction du protocole de Stern}
|
||||||
|
|
||||||
%%%% TODO
|
|
||||||
\begin{figure}[t]
|
\begin{figure}[t]
|
||||||
|
|
||||||
\small
|
\small
|
||||||
\begin{enumerate}
|
\begin{enumerate}
|
||||||
\item \textbf{Commitment:} Prover samples $\mathbf{r}_w \leftarrow U(\mathbb{Z}_q^D)$, $\phi \leftarrow U(\mathcal{S})$ and randomnesses $\rho_1, \rho_2, \rho_3$ for $\mathsf{COM}$.
|
\item \textbf{Commitment:} Prover samples $\mathbf{r}_w \leftarrow \U(\mathbb{Z}_q^D)$, $\phi \leftarrow \U(\mathcal{S})$ and randomnesses $\rho_1, \rho_2, \rho_3$ for $\mathsf{COM}$.
|
||||||
Then he sends $\mathrm{CMT}= \big(C_1, C_2, C_3\big)$ to the verifier, where
|
Then he sends $\mathrm{CMT}= \big(C_1, C_2, C_3\big)$ to the verifier, where
|
||||||
\begin{gather*}
|
\begin{gather*}
|
||||||
C_1 = \mathsf{COM}(\phi, \mathbf{M}\cdot \mathbf{r}_w \bmod q; \rho_1), \hspace*{5pt}
|
C_1 = \mathsf{COM}(\phi, \mathbf{M}\cdot \mathbf{r}_w \bmod q; \rho_1), \hspace*{5pt}
|
||||||
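Review bot: the index set in the definition of the decomposition matrix is wrong: `with $B_j^{} = \left\lfloor \frac{B + 2^{j-1}}{2^j} \right\rfloor$ for all $j \in \{1,\ldots,j\}$` should be `$j \in \{1,\ldots,\delta_B\}$`, since the block is $\left[B_1 \mid \cdots \mid B_{\delta_B}\right]$; $\delta_B$ itself is never defined in this hunk, so either define it here or reference where it is. Naming is also inconsistent with the rename in the first hunk: the preceding sentence uses $\mathbf w$ and $\bar{\mathbf w}$ for the bounded vector and its decomposed-extended form, while `decomposing a vector $\mathbf x \in [-B,B]^m$ as a vector $\tilde{\mathbf x}$ ... into $\bar{\mathbf x}$` switches back to $\mathbf x$. Smaller points: `~\cite{LNSW13}\cite{LSS14,ELL+15,LLNW16}` should be a single `\cite{LNSW13,LSS14,ELL+15,LLNW16}`; `as described in~\ref{fig:Interactive-Protocol}` and `(\ref{sse:stern})` should use `\cref` like the rest of the file; `a SDP preimage` should be `an SDP preimage`; `The details of this proof is given` should be `are given`; and in the notations figure `which has exactly $\mathfrak m$ coordinates` should be `which have`.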
@ -39,7 +80,7 @@ In this Section, we describe in a high-level view how Stern's protocol works, an
|
|||||||
C_3 = \mathsf{COM}(\Gamma_{\phi}(\mathbf{w} + \mathbf{r}_w \bmod q); \rho_3).
|
C_3 = \mathsf{COM}(\Gamma_{\phi}(\mathbf{w} + \mathbf{r}_w \bmod q); \rho_3).
|
||||||
\end{gather*}
|
\end{gather*}
|
||||||
|
|
||||||
\item \textbf{Challenge:} The verifier sends a challenge $Ch \leftarrow U(\{1,2,3\})$ to the prover.
|
\item \textbf{Challenge:} The verifier sends a challenge $Ch \leftarrow \U(\{1,2,3\})$ to the prover.
|
||||||
\item \textbf{Response:} Depending on $Ch$, the prover sends $\mathrm{RSP}$ computed as follows:
|
\item \textbf{Response:} Depending on $Ch$, the prover sends $\mathrm{RSP}$ computed as follows:
|
||||||
\smallskip
|
\smallskip
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
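Review bot: the `U` to `\U` change on the challenge line matches the commitment line of the same figure, but the figure draws samples with `\leftarrow` (`$Ch \leftarrow \U(\{1,2,3\})$`, `$\mathbf{r}_w \leftarrow \U(\mathbb{Z}_q^D)$`) while the body text and the new proof write the same operation with `\hookleftarrow` (`$\phi \hookleftarrow \U(\mathcal{S})$`); pick one arrow for the whole section. Also confirm that `\U` is defined in the preamble, since every earlier occurrence in this file was the plain `U`.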
@ -76,11 +117,11 @@ In this Section, we describe in a high-level view how Stern's protocol works, an
|
|||||||
\end{itemize}
|
\end{itemize}
|
||||||
In each case, the verifier outputs $1$ if and only if all the conditions hold.
|
In each case, the verifier outputs $1$ if and only if all the conditions hold.
|
||||||
\caption{Stern-like \textsf{ZKAoK} for the relation $\mathrm{R_{abstract}}$.}
|
\caption{Stern-like \textsf{ZKAoK} for the relation $\mathrm{R_{abstract}}$.}
|
||||||
\label{Figure:Interactive-Protocol}
|
\label{fig:Interactive-Protocol}
|
||||||
\end{figure}
|
\end{figure}
|
||||||
|
|
||||||
|
|
||||||
Let $K$, $D$, $q$ be positive integers with $D \geq K$ and $q \geq 2$, and let $\mathsf{VALID}$ be a subset of $\mathbb{Z}^D$. Suppose that $\mathcal{S}$ is a finite set such that every $\phi \in \mathcal{S}$ can be associated with a permutation $\Gamma_\phi \in \permutations_D$ satisfying the following conditions:
|
Let $K$, $D$, $q$ be positive integers with $D \geq K$ and $q \geq 2$, and let $\mathsf{VALID}$ be a subset of $\mathbb{Z}^D$. Suppose that $\mathcal{S}$ is a finite set such that every element $\phi \in \mathcal{S}$ can be associated with a permutation $\Gamma_\phi \in \permutations_D$ satisfying the following conditions:
|
||||||
\begin{eqnarray}\label{eq:zk-equivalence}
|
\begin{eqnarray}\label{eq:zk-equivalence}
|
||||||
\begin{cases}
|
\begin{cases}
|
||||||
\mathbf{w} \in \mathsf{VALID} ~ \iff ~ \Gamma_\phi(\mathbf{w}) \in \mathsf{VALID}, \\
|
\mathbf{w} \in \mathsf{VALID} ~ \iff ~ \Gamma_\phi(\mathbf{w}) \in \mathsf{VALID}, \\
|
||||||
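Review bot: the label rename `Figure:Interactive-Protocol` to `fig:Interactive-Protocol` is consistent with the two `Figure~\ref{...}` updates in the last hunk and with the new `\ref` in the Decomposition-Extension subsection, but it leaves `\label{Theorem:zk-protocol}` with the old capitalized prefix; rename it in the same commit so the file keeps one labelling convention (`fig:`, `eq:`, `le:`, `sse:`). Style: `\begin{eqnarray}\label{eq:zk-equivalence}` wraps a single `\begin{cases}` block, which is what `\begin{equation}` is for; `eqnarray` is deprecated in favour of `equation`/`align`. The `every element $\phi \in \mathcal{S}$` wording change is fine.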
@ -89,45 +130,132 @@ Let $K$, $D$, $q$ be positive integers with $D \geq K$ and $q \geq 2$, and let $
|
|||||||
\end{eqnarray}
|
\end{eqnarray}
|
||||||
We aim to construct a statistical Zero-Knowledge Argument of Knowledge (\textsf{ZKAoK}) for the following abstract relation:
|
We aim to construct a statistical Zero-Knowledge Argument of Knowledge (\textsf{ZKAoK}) for the following abstract relation:
|
||||||
\begin{eqnarray*}
|
\begin{eqnarray*}
|
||||||
\mathrm{R_{abstract}} = \big\{ \big((\mathbf{M}, \mathbf{v}), \mathbf{w} \big) \in \mathbb{Z}_q^{K \times D} \times \mathbb{Z}_q^D \times \mathsf{VALID}: \mathbf{M}\cdot \mathbf{w} = \mathbf{v} \bmod q.\big\}
|
\mathrm{R_{abstract}} = \big\{ \big((\mathbf{M}, \mathbf{v}), \mathbf{w} \big) \in \mathbb{Z}_q^{K \times D} \times \mathbb{Z}_q^K \times \mathsf{VALID}: \mathbf{M}\cdot \mathbf{w} = \mathbf{v} \bmod q.\big\}
|
||||||
\end{eqnarray*}
|
\end{eqnarray*}
|
||||||
|
|
||||||
Note that, Stern's original protocol corresponds to the special case when the set
|
Note that, Stern's original protocol corresponds to the special case when the set
|
||||||
$\mathsf{VALID} = \{
|
$\mathsf{VALID} = \{
|
||||||
\mathbf{w} \in \{0,1\}^D: \mathsf{wt}(\mathbf{w}) = k\}$, where $\mathsf{wt}(\cdot)$ denotes the Hamming weight and $k < D$ is a given integer, $\mathcal{S} = \mathcal{S}_D$ is the set of all permutations of~$D$ elements and $\Gamma_{\phi}(\mathbf{w}) = \phi(\mathbf{w})$.
|
\mathbf{w} \in \bit^D: \mathsf{wt}(\mathbf{w}) = k\}$, where $\mathsf{wt}(\cdot)$ denotes the Hamming weight and $k < D$ is a given integer, $\mathcal{S} = \permutations_D$ is the set of all permutations of~$D$ elements and $\Gamma_{\phi}(\mathbf{w}) = \phi(\mathbf{w})$.
|
||||||
|
|
||||||
The conditions in \eqref{eq:zk-equivalence} play a crucial role in proving in \textsf{ZK} that $\mathbf{w} \in \mathsf{VALID}$. To this end, the prover samples a random $\phi \hookleftarrow U(\mathcal{S})$ and lets the verifier check that $\Gamma_\phi(\mathbf{w}) \in \mathsf{VALID}$ without learning any additional information about $\mathbf{w}$ due to the randomness of $\phi$. Furthermore, to prove in a zero-knowledge manner that the linear equation is satisfied, the prover samples a masking vector $\mathbf{r}_w \hookleftarrow U(\mathbb{Z}_q^D)$, and convinces the verifier instead that $\mathbf{M}\cdot (\mathbf{w} + \mathbf{r}_w) = \mathbf{M}\cdot \mathbf{r}_w + \mathbf{v} \bmod q.$
|
The conditions in \eqref{eq:zk-equivalence} play a crucial role in proving in \textsf{ZK} that $\mathbf{w} \in \mathsf{VALID}$. To this end, the prover samples a random $\phi \hookleftarrow \U(\mathcal{S})$ and lets the verifier check that $\Gamma_\phi(\mathbf{w}) \in \mathsf{VALID}$ without learning any additional information about $\mathbf{w}$ due to the randomness of $\phi$. Furthermore, to prove in a zero-knowledge manner that the linear equation is satisfied, the prover samples a masking vector $\mathbf{r}_w \hookleftarrow \U(\mathbb{Z}_q^D)$, and convinces the verifier instead that $\mathbf{M}\cdot (\mathbf{w} + \mathbf{r}_w) = \mathbf{M}\cdot \mathbf{r}_w + \mathbf{v} \bmod q.$
|
||||||
|
|
||||||
|
|
||||||
The interaction between prover $\mathcal{P}$ and verifier $\mathcal{V}$ is described in Figure~\ref{Figure:Interactive-Protocol}. The protocol uses a statistically hiding and computationally binding string commitment scheme \textsf{COM} (e.g., the \textsf{SIS}-based scheme from~\cite{KTX08}).
|
The interaction between prover $\mathcal{P}$ and verifier $\mathcal{V}$ is described in Figure~\ref{fig:Interactive-Protocol}. The protocol uses a statistically hiding and computationally binding string commitment scheme \textsf{COM} (e.g., the \textsf{SIS}-based scheme from~\cite{KTX08}).
|
||||||
|
|
||||||
\begin{theorem}\label{Theorem:zk-protocol}
|
\begin{theorem}\label{Theorem:zk-protocol}
|
||||||
The protocol in Figure~\ref{Figure:Interactive-Protocol} is a statistical \emph{\textsf{ZKAoK}} with perfect completeness, soundness error~$2/3$, and communication cost~$\mathcal{O}(D\log q)$. Namely:
|
The protocol in Figure~\ref{fig:Interactive-Protocol} is a statistical \emph{\textsf{ZKAoK}} with perfect completeness, soundness error~$2/3$, and communication cost~$\mathcal{O}(D \cdot \log q)$. Namely:
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item There exists a polynomial-time simulator that, on input $(\mathbf{M}, \mathbf{v})$, outputs an accepted transcript statistically close to that produced by the real prover.
|
\item There exists a polynomial-time simulator that, on input $(\mathbf{M}, \mathbf{v})$, outputs an accepted transcript statistically close to that produced by the real prover.
|
||||||
\item There exists a polynomial-time knowledge extractor that, on input a commitment $\mathrm{CMT}$ and $3$ valid responses $(\mathrm{RSP}_1,\mathrm{RSP}_2,\mathrm{RSP}_3)$ to all $3$ possible values of the challenge $Ch$, outputs $\mathbf{w}' \in \mathsf{VALID}$ such that $\mathbf{M}\cdot \mathbf{w}' = \mathbf{v} \bmod q.$
|
\item There exists a polynomial-time knowledge extractor that, on input a commitment $\mathrm{CMT}$ and $3$ valid responses $(\mathrm{RSP}_1,\mathrm{RSP}_2,\mathrm{RSP}_3)$ to all $3$ possible values of the challenge $Ch$, outputs $\mathbf{w}' \in \mathsf{VALID}$ such that $\mathbf{M}\cdot \mathbf{w}' = \mathbf{v} \bmod q.$
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\end{theorem}
|
\end{theorem}
|
||||||
The proof of the theorem relies on standard simulation and extraction techniques for Stern-like protocols~\cite{KTX08,LNSW13,LLM+16}.
|
The proof of the theorem relies on standard simulation and extraction techniques for Stern-like protocols~\cite{KTX08,LNSW13,LLM+16}.
|
||||||
\vspace{-0.1 cm}
|
|
||||||
|
\begin{proof}
|
||||||
|
Note that, by construction, the protocol is perfectly complete: if an honest prover follows the protocol, then he always gets accepted by the verifier. It is also easy to see that the communication cost is bounded by $\widetilde{\mathcal{O}}(D \cdot \log q)$.
|
||||||
|
|
||||||
|
|
||||||
%%%% END TODO
|
We now will prove that the protocol is a statistical zero-knowledge argument of knowledge for the relation $\mathrm{R_{abstract}}$ and is given below.
|
||||||
|
|
||||||
%%%%%%%%%%%%%%%%%%%%%
|
\smallskip
|
||||||
%%%% Recap Table %%%%
|
\noindent
|
||||||
%%%%%%%%%%%%%%%%%%%%%
|
\scbf{Zero-Knowledge Property. } We construct a \textsf{PPT} simulator $\mathsf{SIM}$ interacting with a (possibly dishonest) verifier $\widehat{\mathcal{V}}$, such that, given only the public input, $\mathsf{SIM}$ outputs with probability negligibly close to $2/3$ a simulated transcript that is statistically close to the one produced by the honest prover in the real interaction.
|
||||||
\begin{figure}
|
|
||||||
|
The simulator first chooses a random $\overline{Ch} \in \{1,2,3\}$. This is a prediction of the challenge value that $\widehat{\mathcal{V}}$ will \emph{not} choose.
|
||||||
|
\smallskip
|
||||||
|
|
||||||
|
\noindent
|
||||||
|
\begin{description}
|
||||||
|
\item[\textsf{Case} $\overline{Ch}=1$]: Using basic linear algebra over $\mathbb{Z}_q$, $\mathsf{SIM}$ computes a vector $\mathbf{w}' \in \mathbb{Z}_q^D$ such that $\mathbf{M}\cdot \mathbf{w}' = \mathbf{v} \bmod q.$
|
||||||
|
Next, it samples $\mathbf{r} \hookleftarrow \U(\mathbb{Z}_q^D)$, $\pi \hookleftarrow \U(\mathcal{S})$, and randomnesses $\rho_1, \rho_2, \rho_3$ for $\mathsf{COM}$.
|
||||||
|
|
||||||
|
Then it sends the commitment $\mathrm{CMT}= \big(C'_1, C'_2, C'_3\big)$ to $\widehat{\mathcal{V}}$, where
|
||||||
|
\begin{gather*}
|
||||||
|
C'_1 = \mathsf{COM}(\pi, \mathbf{M}\cdot \mathbf{r}; \rho_1), \qquad
|
||||||
|
C'_2 = \mathsf{COM}(\Gamma_{\pi}(\mathbf{r}); \rho_2), \\
|
||||||
|
C'_3 = \mathsf{COM}(\Gamma_{\pi}(\mathbf{w}' + \mathbf{r}); \rho_3).
|
||||||
|
\end{gather*}
|
||||||
|
Receiving a challenge $Ch$ from $\widehat{\mathcal{V}}$, the simulator responds as follows:
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item $\mathsf B^{2}_{\mathfrak m}$: the set of vectors in $\bit^{2\mathfrak m}$ with Hamming weight $\mathfrak m$.
|
\item If $Ch=1$: Output $\bot$ and abort.
|
||||||
\item $\mathsf B^{3}_{\mathfrak m}$: the set of vectors in $\nbit^{3\mathfrak m}$ which has exactly $\mathfrak m$ coordinates equal to $j$ for each $j \in \nbit$.
|
\item If $Ch=2$: Send $\mathrm{RSP} = \big(\pi, \mathbf{w}' + \mathbf{r}, \rho_1, \rho_3 \big)$.
|
||||||
|
\item If $Ch=3$: Send $\mathrm{RSP} = \big(\pi, \mathbf{r}, \rho_1, \rho_2\big)$.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\caption{Notations for Stern-like protocols.}
|
|
||||||
\label{fig:stern-notations}
|
|
||||||
\end{figure}
|
|
||||||
|
|
||||||
\subsection{The Decomposition-Extension Framework}
|
|
||||||
\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Méthode de décomposition-extension}
|
|
||||||
|
|
||||||
A method used in~\cite{LNSW13} to prove knowledge of an \ISIS preimage consists in first \textit{decomposing} the secret $\mathbf{x} = (x_1, \ldots, x_m) \in [-B,B]^m$ into a vector $\tilde{\mathbf x}$ of $\nbit^{m \delta_B}$ such that $\tilde{\mathbf x} = [ \tilde{\mathbf u}_1^{T} \mid \cdots \mid \tilde{\mathbf u}_{\delta_B}^T]^T$ and for all $j \in \{1, \ldots, m\}$, $(1, 2, \ldots, 2^{\delta_B - 1})^T \cdot \tilde{\mathbf u}_j^{} = x_j$.
|
\smallskip
|
||||||
Once that is done, we fix the hamming weight of the resulting vector by \textit{extending} its components $\tilde{\mathbf u}_j^{}$ into $\mathbf u_j \in \mathsf B^3_{m}$.
|
|
||||||
|
\noindent
|
||||||
|
\item[\textsf{Case} $\overline{Ch}=2$:] $\mathsf{SIM}$ samples $\mathbf{w}' \hookleftarrow \U(\mathsf{VALID})$, $\mathbf{r} \hookleftarrow \U(\mathbb{Z}_q^D)$, $\pi \hookleftarrow \U(\mathcal{S})$, and randomnesses $\rho_1, \rho_2, \rho_3$ for $\mathsf{COM}$.
|
||||||
|
|
||||||
|
Then it sends the commitment $\mathrm{CMT}= \big(C'_1, C'_2, C'_3\big)$ to $\widehat{\mathcal{V}}$, where
|
||||||
|
\begin{gather*}
|
||||||
|
C'_1 = \mathsf{COM}(\pi, \mathbf{M}\cdot \mathbf{r}; \rho_1), \qquad
|
||||||
|
C'_2 = \mathsf{COM}(\Gamma_{\pi}(\mathbf{r}); \rho_2), \\
|
||||||
|
C'_3 = \mathsf{COM}(\Gamma_{\pi}(\mathbf{w}' + \mathbf{r}); \rho_3)
|
||||||
|
\end{gather*}
|
||||||
|
as previously.
|
||||||
|
|
||||||
|
Receiving a challenge $Ch$ from $\widehat{\mathcal{V}}$, the simulator responds as follows:
|
||||||
|
\begin{itemize}
|
||||||
|
\item If $Ch=1$: Send $\mathrm{RSP} = \big(\Gamma_\pi(\mathbf{w}'), \Gamma_\pi(\mathbf{r}), \rho_2, \rho_3\big)$.
|
||||||
|
\item If $Ch=2$: Output $\bot$ and abort.
|
||||||
|
\item If $Ch=3$: Send $\mathrm{RSP} = \big(\pi, \mathbf{r}, \rho_1, \rho_2\big)$.
|
||||||
|
\end{itemize}
|
||||||
|
|
||||||
|
\smallskip
|
||||||
|
|
||||||
|
\noindent
|
||||||
|
\item[Case $\overline{Ch}=3$:] $\mathsf{SIM}$ samples $\mathbf{w}' \hookleftarrow \U(\mathsf{VALID})$, $\mathbf{r} \hookleftarrow \U(\mathbb{Z}_q^D)$, $\pi \hookleftarrow \U(\mathcal{S})$, and randomnesses $\rho_1, \rho_2, \rho_3$ for $\mathsf{COM}$.
|
||||||
|
|
||||||
|
Then it sends the commitment $\mathrm{CMT}= \big(C'_1, C'_2, C'_3\big)$ to $\widehat{\mathcal{V}}$, where
|
||||||
|
\[ C'_2 = \mathsf{COM}(\Gamma_{\pi}(\mathbf{r}); \rho_2), \qquad C'_3 = \mathsf{COM}(\Gamma_{\pi}(\mathbf{w}' + \mathbf{r}); \rho_3)\]
|
||||||
|
as in the previous two cases, while
|
||||||
|
\begin{eqnarray*}
|
||||||
|
C'_1 = \mathsf{COM}(\pi, \mathbf{M}\cdot (\mathbf{w}'+ \mathbf{r}) - \mathbf{v}; \rho_1), \hspace*{5pt}
|
||||||
|
\end{eqnarray*}
|
||||||
|
Receiving a challenge $Ch$ from $\widehat{\mathcal{V}}$, it responds as follows:
|
||||||
|
\begin{itemize}
|
||||||
|
\item If $Ch=1$: Send $\mathrm{RSP}$ computed as in the case $(\overline{Ch}=2, Ch=1)$.
|
||||||
|
\item If $Ch=2$: Send $\mathrm{RSP}$ computed as in the case $(\overline{Ch}=1, Ch=2)$.
|
||||||
|
\item If $Ch=3$: Output $\bot$ and abort.
|
||||||
|
\end{itemize}
|
||||||
|
\end{description}
|
||||||
|
\smallskip
|
||||||
|
|
||||||
|
\noindent
|
||||||
|
We observe that, in all the above cases, since $\mathsf{COM}$ is statistically hiding, the distribution of the commitment $\mathrm{CMT}$ and the distribution of the challenge~$Ch$ from~$\widehat{\mathcal{V}}$ are statistically close to those in the real interaction. Hence, the probability that the simulator outputs~$\bot$ is negligibly close to~$1/3$. Moreover, one can check that whenever the simulator does not halt, it will provide an accepted transcript, the distribution of which is statistically close to that of the prover in the real interaction. In other words, we have designed a simulator that can successfully emulate the honest prover with probability negligibly far from~$2/3$.
|
||||||
|
|
||||||
|
\medskip
|
||||||
|
|
||||||
|
\noindent
|
||||||
|
\scbf{Argument of Knowledge.} Let us assume that
|
||||||
|
\begin{gather*}
|
||||||
|
\mathrm{RSP}_1 = (\mathbf{t}_x, \mathbf{t}_r, \rho_{2}^{(1)}, \rho_{3}^{(1)}), \qquad
|
||||||
|
\mathrm{RSP}_2 = (\phi_2, \mathbf{y}, \rho_{1}^{(2)}, \rho_{3}^{(2)}),\\
|
||||||
|
\mbox{and }\mathrm{RSP}_3 = (\phi_3, \mathbf{w}_3, \rho_{1}^{(3)}, \rho_{2}^{(3)})
|
||||||
|
\end{gather*}
|
||||||
|
are $3$ valid responses to the same commitment $\mathrm{CMT} = (C_1, C_2, C_3)$, with respect to all $3$ possible values of the challenge. The validity of these responses implies that:
|
||||||
|
\[
|
||||||
|
\begin{cases}
|
||||||
|
\mathbf{t}_x \in \mathsf{VALID}; \\[2.5pt]
|
||||||
|
C_1 = \mathsf{COM}(\phi_2, \mathbf{M}\cdot \mathbf{w}_2 - \mathbf{v}; \rho_1^{(2)}) = \mathsf{COM}(\phi_3, \mathbf{M}\cdot \mathbf{w}_3; \rho_1^{(3)}); \\[2.5pt]
|
||||||
|
C_2 = \mathsf{COM}(\mathbf{t}_r; \rho_2^{(1)}) = \mathsf{COM}(\Gamma_{\phi_3}(\mathbf{w}_3); \rho_2^{(3)}); \\[2.5pt]
|
||||||
|
{C}_3 = \mathsf{COM}(\mathbf{t}_x + \mathbf{t}_r; \rho_3^{(1)}) = \mathsf{COM}(\Gamma_{\phi_2}(\mathbf{w}_2); \rho_3^{(2)}).
|
||||||
|
\end{cases}
|
||||||
|
\]
|
||||||
|
Since \textsf{COM} is computationally binding, we can deduce that:
|
||||||
|
\[
|
||||||
|
\begin{cases}
|
||||||
|
\mathbf{t}_x \in \mathsf{VALID}; \\
|
||||||
|
\phi_2 = \phi_3; \\
|
||||||
|
\mathbf{t}_r = \Gamma_{\phi_3}(\mathbf{w}_3);\\
|
||||||
|
\mathbf{t}_x + \mathbf{t}_r = \Gamma_{\phi_2}(\mathbf{w}_2); \\
|
||||||
|
\mathbf{M}\cdot \mathbf{w}_2 - \mathbf{v} = \mathbf{M}\cdot \mathbf{w}_3 \bmod q.
|
||||||
|
\end{cases}
|
||||||
|
\]
|
||||||
|
Let $\mathbf{w}' = \mathbf{w}_2 - \mathbf{w}_3$, then we have $\Gamma_{\phi_2}(\mathbf{w}') = \mathbf{t}_x \in \mathsf{VALID}$ which implies that $\mathbf{w}' \in \mathsf{VALID}$. Furthermore, we have $\mathbf{M}\cdot \mathbf{w}' = \mathbf{M}\cdot (\mathbf{w}_2 - \mathbf{w}_3) = \mathbf{v} \bmod q.$
|
||||||
|
|
||||||
|
This concludes the proof.
|
||||||
|
\end{proof}
|
||||||
|
|
||||||
|