Add sigmasig
This commit is contained in:
@ -5,16 +5,16 @@
|
||||
|
||||
On the other hand, Stern's protocol has been originally introduced in the context of code-base cryptography~\cite{Ste96}.
|
||||
\index{Syndrome Decoding Problem}
|
||||
Initially, it was introduced for Syndrome Decoding Problem (\SDP): given a matrix $\mathbf M \in \FF_2^{n \times m}$ and a syndrome $\mathbf v \in \FF_2^n$, the goal is to find a binary vector $\mathbf w \in \FF_2^m$ with fixed hamming weight $w$ such that $\mathbf M \cdot \mathbf w = \mathbf v \bmod 2$.
|
||||
Initially, it was introduced for Syndrome Decoding Problem (\SDP): given a matrix $\mathbf{M} \in \FF_2^{n \times m}$ and a syndrome $\mathbf{v} \in \FF_2^n$, the goal is to find a binary vector $\mathbf{w} \in \FF_2^m$ with fixed hamming weight $w$ such that $\mathbf{M} \cdot \mathbf{w} = \mathbf{v} \bmod 2$.
|
||||
|
||||
This problem shows similarities with the $\ISIS$ problem defined in \cref{de:sis} where the constraints on the norm of $\mathbf x$ is a constraint on Hamming weight, and operations are in $\FF_2$ instead of $\Zq$.
|
||||
This problem shows similarities with the $\ISIS$ problem defined in \cref{de:sis} where the constraints on the norm of $\mathbf{x}$ is a constraint on Hamming weight, and operations are in $\FF_2$ instead of $\Zq$.
|
||||
|
||||
After the first works of Kawachi, Tanaka and Xagawa~\cite{KTX08} that extended Stern's proofs to statements $\bmod q$, the work of Ling, Nguyen, Stehlé and Wang~\cite{LNSW13} enables the use of Stern's protocol to prove general $\SIS$ or $\LWE$ statements (meaning the knowledge of a solution to these problems).
|
||||
These advances in the expressivity of Stern-like protocols has been used to further improve it and therefore enable privacy-based primitives for which no constructions existed in the post-quantum world, such as dynamic group signatures~\cite{LLM+16}, group encryption~\cite{LLM+16a}, electronic cash~\cite{LLNW17}, etc.
|
||||
|
||||
Unlike the Schnorr-like proof we saw in the previous section, Stern's proof is mainly combinatorial and relies on the fact that every permutation on a binary vector $\mathbf w \in \bit^m_{}$ leaves its Hamming weight $w$ invariant. As a consequence, for $\pi \in \permutations_m$, $\mathbf w$ satisfies these conditions if and only if $\pi(\mathbf x)$ also does.
|
||||
Unlike the Schnorr-like proof we saw in the previous section, Stern's proof is mainly combinatorial and relies on the fact that every permutation on a binary vector $\mathbf{w} \in \bit^m_{}$ leaves its Hamming weight $w$ invariant. As a consequence, for $\pi \in \permutations_m$, $\mathbf{w}$ satisfies these conditions if and only if $\pi(\mathbf{x})$ also does.
|
||||
Therefore, the randomness of $\pi$ is used to verify these two constraints (being binary and the hamming weight) in a zero-knowledge fashion.
|
||||
We can notice that this can be extended to vectors $\mathbf w \in \nbit^m$ of fixed numbers of $-1$ and $1$ that allowed~\cite{LNSW13} to propose the generalization of this protocol to any $\ISIS_{n,m,q,\beta}$ statements.
|
||||
We can notice that this can be extended to vectors $\mathbf{w} \in \nbit^m$ of fixed numbers of $-1$ and $1$ that allowed~\cite{LNSW13} to propose the generalization of this protocol to any $\ISIS_{n,m,q,\beta}$ statements.
|
||||
In \cref{sse:stern-abstraction}, we describes these permutations while abstracting the set of ZK-provable statements as the set $\mathsf{VALID}$ that satisfies conditions~\eqref{eq:zk-equivalence}.
|
||||
|
||||
It is worth noticing that this argument on knowledge does not form a $\Sigma$-protocol, as the challenge space is ternary as described in \cref{sse:stern-abstraction}.
|
||||
@ -31,8 +31,8 @@ In this Section, we describe in a high-level view how Stern's protocol works, an
|
||||
%%%%%%%%%%%%%%%%%%%%%
|
||||
\begin{figure}[h]
|
||||
\begin{itemize}
|
||||
\item $\mathsf B^{2}_{\mathfrak m}$: the set of vectors in $\bit^{2\mathfrak m}$ with Hamming weight $\mathfrak m$.
|
||||
\item $\mathsf B^{3}_{\mathfrak m}$: the set of vectors in $\nbit^{3\mathfrak m}$ which has exactly $\mathfrak m$ coordinates equal to $j$ for each $j \in \nbit$.
|
||||
\item $\mathsf{B}^{2}_{\mathfrak m}$: the set of vectors in $\bit^{2\mathfrak m}$ with Hamming weight $\mathfrak m$.
|
||||
\item $\mathsf{B}^{3}_{\mathfrak m}$: the set of vectors in $\nbit^{3\mathfrak m}$ which has exactly $\mathfrak m$ coordinates equal to $j$ for each $j \in \nbit$.
|
||||
\end{itemize}
|
||||
\caption{Notations for Stern-like protocols.}
|
||||
\label{fig:stern-notations}
|
||||
@ -40,7 +40,7 @@ In this Section, we describe in a high-level view how Stern's protocol works, an
|
||||
|
||||
The original Stern protocol was designed to prove knowledge of a SDP preimage. That is, to prove the knowledge of a vector $\mathbf{w} \in \bit^m$ that verifies
|
||||
\begin{equation} \label{eq:sdp-statement}
|
||||
\mathbf M \cdot \mathbf{w} = \mathbf v \bmod 2.
|
||||
\mathbf{M} \cdot \mathbf{w} = \mathbf{v} \bmod 2.
|
||||
\end{equation}
|
||||
|
||||
A first improvement by~\cite{KTX08} was to extend this protocol using a statistically hiding SIS-based commitment scheme as described in~\ref{fig:Interactive-Protocol} to prove in (statistical) zero-knowledge that
|
||||
@ -51,7 +51,7 @@ A first improvement by~\cite{KTX08} was to extend this protocol using a statisti
|
||||
The details of this proof is given in \cref{sse:stern-abstraction}, but it can be summarized in the following Lemma.
|
||||
|
||||
\begin{lemma}[{\cite[Se. 4]{KTX08}}] \label{le:zk-ktx}
|
||||
There exists a statistical \textsf{ZKAoK} with perfect completeness and soundness error 2/3 to prove the knowledge of a secret vector $\mathbf{w} \in \bit^m$ that verifies relation~\eqref{eq:isis-stern-relation} for public input $(\mathbf M, \mathbf v) \in \Zq^{n \times m} \times \Zq^{n}$.
|
||||
There exists a statistical \textsf{ZKAoK} with perfect completeness and soundness error 2/3 to prove the knowledge of a secret vector $\mathbf{w} \in \bit^m$ that verifies relation~\eqref{eq:isis-stern-relation} for public input $(\mathbf{M}, \mathbf{v}) \in \Zq^{n \times m} \times \Zq^{n}$.
|
||||
\end{lemma}
|
||||
|
||||
Ling, Nguyen, Stehlé and Wang~\cite{LNSW13} noticed that the \textsf{ZKAoK} of \cref{le:zk-ktx} straightforwardly works to prove knowledge of a vector in $\nbit^m$.
|
||||
@ -59,12 +59,12 @@ Ling, Nguyen, Stehlé and Wang~\cite{LNSW13} noticed that the \textsf{ZKAoK} of
|
||||
A technique to relax the constraints on the \textsf{ZKAoK} of \cref{le:zk-ktx} is the so-called ``Decomposition-Extension'' technique~\cite{LNSW13}\cite{LSS14,ELL+15,LLNW16} as explained in the introduction of this Section (\ref{sse:stern}).
|
||||
|
||||
\index{Lattices!Inhomogeneous \SIS}
|
||||
To prove the knowledge of an \ISIS preimage, i.e.
|
||||
the knowledge of a bounded vector $\mathbf{w} \in [-B,B]^m$ that satisfies relation~\eqref{eq:isis-stern-relation}, the goal is to rewrite $\mathbf w$ as $\bar{\mathbf w} = \mathbf K \cdot \mathbf w \bmod q$ with a public transfer matrix $\mathbf K$ such that $\bar{\mathbf w} \in \nbit^{m'}$ and of known numbers of elements equal to $j$ for $j \in \nbit$.
|
||||
This reduces to use \cref{le:zk-ktx} to prove the knowledge of $\bar{\mathbf w} \in \nbit^{m'}$ for public input $(\mathbf M \cdot \mathbf K, \mathbf v)$.
|
||||
To prove the knowledge of an \ISIS preimage, i.e.
|
||||
the knowledge of a bounded vector $\mathbf{w} \in [-B,B]^m$ that satisfies relation~\eqref{eq:isis-stern-relation}, the goal is to rewrite $\mathbf{w}$ as $\bar{\mathbf{w}} = \mathbf{K} \cdot \mathbf{w} \bmod q$ with a public transfer matrix $\mathbf{K}$ such that $\bar{\mathbf{w}} \in \nbit^{m'}$ and of known numbers of elements equal to $j$ for $j \in \nbit$.
|
||||
This reduces to use \cref{le:zk-ktx} to prove the knowledge of $\bar{\mathbf{w}} \in \nbit^{m'}$ for public input $(\mathbf{M} \cdot \mathbf{K}, \mathbf{v})$.
|
||||
|
||||
To construct such a transfer matrix $\mathbf K$, \cite{LNSW13} showed that \textit{decomposing} a vector $\mathbf x \in [-B,B]^m$ as a vector $\tilde{\mathbf x} \in \nbit^{m \cdot \delta_B}$ and \textit{extending} the resulting vector into $\bar{\mathbf x} \in \mathsf B^3_{m \delta_B}$ leads to a new statement that can be proven using the~\cite{KTX08} variant of Stern's protocol.
|
||||
The resulting matrix $\mathbf{K}= \left[\mathbf{K}_{m,B}^{} \mid \mathbf 0^{m \times 2m\delta_B}\right] \in \ZZ^{m \times 3m\delta_B}$, where $\mathbf{K}_{m,B}^{}$ is the \nbit-decomposition matrix $\mathbf{K}_{m,B} = \mathbf I_m \otimes \left[B_1 \mid \cdots \mid B_{\delta_B} \right]$ with $B_j^{} = \left\lfloor \frac{B + 2^{j-1}}{2^j} \right\rfloor$ for all $j \in \{1,\ldots,j\}$ can be computed from public parameters.
|
||||
To construct such a transfer matrix $\mathbf{K}$, \cite{LNSW13} showed that \textit{decomposing} a vector $\mathbf{x} \in [-B,B]^m$ as a vector $\tilde{\mathbf{x}} \in \nbit^{m \cdot \delta_B}$ and \textit{extending} the resulting vector into $\bar{\mathbf{x}} \in \mathsf{B}^3_{m \delta_B}$ leads to a new statement that can be proven using the~\cite{KTX08} variant of Stern's protocol.
|
||||
The resulting matrix $\mathbf{K}= \left[\mathbf{K}_{m,B}^{} \mid \mathbf 0^{m \times 2m\delta_B}\right] \in \ZZ^{m \times 3m\delta_B}$, where $\mathbf{K}_{m,B}^{}$ is the \nbit-decomposition matrix $\mathbf{K}_{m,B} = \mathbf{I}_m \otimes \left[B_1 \mid \cdots \mid B_{\delta_B} \right]$ with $B_j^{} = \left\lfloor \frac{B + 2^{j-1}}{2^j} \right\rfloor$ for all $j \in \{1,\ldots,j\}$ can be computed from public parameters.
|
||||
|
||||
|
||||
\subsection{Abstraction of Stern's Protocol} \label{sse:stern-abstraction}
|
||||
@ -189,7 +189,7 @@ The proof of the theorem relies on standard simulation and extraction techniques
|
||||
|
||||
\noindent
|
||||
\item[\textsf{Case} $\overline{Ch}=2$:] $\mathsf{SIM}$ samples $\mathbf{w}' \hookleftarrow \U(\mathsf{VALID})$, $\mathbf{r} \hookleftarrow \U(\mathbb{Z}_q^D)$, $\pi \hookleftarrow \U(\mathcal{S})$, and randomnesses $\rho_1, \rho_2, \rho_3$ for $\mathsf{COM}$.
|
||||
|
||||
|
||||
Then it sends the commitment $\mathrm{CMT}= \big(C'_1, C'_2, C'_3\big)$ to $\widehat{\mathcal{V}}$, where
|
||||
\begin{gather*}
|
||||
C'_1 = \mathsf{COM}(\pi, \mathbf{M}\cdot \mathbf{r}; \rho_1), \qquad
|
||||
@ -209,7 +209,7 @@ The proof of the theorem relies on standard simulation and extraction techniques
|
||||
|
||||
\noindent
|
||||
\item[Case $\overline{Ch}=3$:] $\mathsf{SIM}$ samples $\mathbf{w}' \hookleftarrow \U(\mathsf{VALID})$, $\mathbf{r} \hookleftarrow \U(\mathbb{Z}_q^D)$, $\pi \hookleftarrow \U(\mathcal{S})$, and randomnesses $\rho_1, \rho_2, \rho_3$ for $\mathsf{COM}$.
|
||||
|
||||
|
||||
Then it sends the commitment $\mathrm{CMT}= \big(C'_1, C'_2, C'_3\big)$ to $\widehat{\mathcal{V}}$, where
|
||||
\[ C'_2 = \mathsf{COM}(\Gamma_{\pi}(\mathbf{r}); \rho_2), \qquad C'_3 = \mathsf{COM}(\Gamma_{\pi}(\mathbf{w}' + \mathbf{r}); \rho_3)\]
|
||||
as in the previous two cases, while
|
||||
@ -231,7 +231,7 @@ The proof of the theorem relies on standard simulation and extraction techniques
|
||||
\medskip
|
||||
|
||||
\noindent
|
||||
\scbf{Argument of Knowledge.} Let us assume that
|
||||
\scbf{Argument of Knowledge.} Let us assume that
|
||||
\begin{gather*}
|
||||
\mathrm{RSP}_1 = (\mathbf{t}_x, \mathbf{t}_r, \rho_{2}^{(1)}, \rho_{3}^{(1)}), \qquad
|
||||
\mathrm{RSP}_2 = (\phi_2, \mathbf{y}, \rho_{1}^{(2)}, \rho_{3}^{(2)}),\\
|
||||
|
||||
Reference in New Issue
Block a user