Corrections stern

Fabrice Mouhartem 2018-06-12 17:46:42 +02:00
parent 214d48cc40
commit bafc4d2420
1 changed file with 25 additions and 24 deletions


@ -3,24 +3,25 @@
% \label{sse:stern}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
On the other hand, Stern's protocol has been originally introduced in the context of code-base cryptography~\cite{Ste96}.
Stern's protocol has originally been introduced in the context of code-base cryptography~\cite{Ste96}.
\index{Syndrome Decoding Problem}
Initially, it was introduced for Syndrome Decoding Problem (\SDP): given a matrix $\mathbf{M} \in \FF_2^{n \times m}$ and a syndrome $\mathbf{v} \in \FF_2^n$, the goal is to find a binary vector $\mathbf{w} \in \FF_2^m$ with fixed hamming weight $w$ such that $\mathbf{M} \cdot \mathbf{w} = \mathbf{v} \bmod 2$.
Initially, it was designed for Syndrome Decoding Problem (\SDP): given a matrix $\mathbf{M} \in \FF_2^{n \times m}$ and a syndrome $\mathbf{v} \in \FF_2^n$, the goal is to find a binary vector $\mathbf{w} \in \FF_2^m$ with fixed hamming weight $w$ such that $\mathbf{M} \cdot \mathbf{w} = \mathbf{v} \bmod 2$.
This problem shows similarities with the $\ISIS$ problem defined in \cref{de:sis} where the constraints on the norm of $\mathbf{x}$ is a constraint on Hamming weight, and operations are in $\FF_2$ instead of $\Zq$.
This problem bears similarities with the $\ISIS$ problem defined in \cref{de:sis} where the constraint on the norm of $\mathbf{x}$ is replaced by a constraint on Hamming weight, and operations are in $\FF_2$ instead of $\Zq$.
After the first works of Kawachi, Tanaka and Xagawa~\cite{KTX08} that extended Stern's proofs to statements $\bmod q$, the work of Ling, Nguyen, Stehlé and Wang~\cite{LNSW13} enables the use of Stern's protocol to prove general $\SIS$ or $\LWE$ statements (meaning the knowledge of a solution to these problems).
These advances in the expressivity of Stern-like protocols has been used to further improve it and therefore enable privacy-based primitives for which no constructions existed in the post-quantum world, such as dynamic group signatures~\cite{LLM+16}, group encryption~\cite{LLM+16a}, electronic cash~\cite{LLNW17}, etc.
After the first work of Kawachi, Tanaka and Xagawa~\cite{KTX08} that extended Stern's proofs to statements $\bmod q$, the results of Ling, Nguyen, Stehlé and Wang~\cite{LNSW13} enable the use of Stern's protocol to prove general $\SIS$ or $\LWE$ statements (meaning proving knowledge of a solution to these problems).
These advances in the expressiveness of Stern-like protocols has been used to further improve them and therefore enable privacy-based primitives for which no constructions previously existed in the post-quantum world, such as dynamic group signatures~\cite{LLM+16}, group encryption~\cite{LLM+16a}, electronic cash~\cite{LLNW17}, etc.
Unlike the Schnorr-like proof we saw in the previous section, Stern's proof is mainly combinatorial and relies on the fact that every permutation on a binary vector $\mathbf{w} \in \bit^m_{}$ leaves its Hamming weight $w$ invariant. As a consequence, for $\pi \in \permutations_m$, $\mathbf{w}$ satisfies these conditions if and only if $\pi(\mathbf{x})$ also does.
Therefore, the randomness of $\pi$ is used to verify these two constraints (being binary and the hamming weight) in a zero-knowledge fashion.
We can notice that this can be extended to vectors $\mathbf{w} \in \nbit^m$ of fixed numbers of $-1$ and $1$ that allowed~\cite{LNSW13} to propose the generalization of this protocol to any $\ISIS_{n,m,q,\beta}$ statements.
Unlike Schnorr-like proofs that we described in the previous section, Stern-like proofs are mainly combinatorial and rely on the fact that every permutation on a binary vector $\mathbf{w} \in \bit^m_{}$ leaves its Hamming weight $w$ invariant. As a consequence, for $\pi \in \permutations_m$, $\mathbf{w}$ satisfies these conditions if and only if $\pi(\mathbf{x})$ also does.
Therefore, the randomness of $\pi$ is used to verify these two constraints (being binary and having fixed Hamming weight) in a zero-knowledge fashion.
We can notice that this can be extended to vectors $\mathbf{w} \in \nbit^m$ having fixed numbers of $-1$ and $1$.
This property allowed~\cite{LNSW13} to propose the generalization of this protocol to any $\ISIS_{n,m,q,\beta}$ statements.
In \cref{sse:stern-abstraction}, we describes these permutations while abstracting the set of ZK-provable statements as the set $\mathsf{VALID}$ that satisfies conditions~\eqref{eq:zk-equivalence}.
It is worth noticing that this argument on knowledge does not form a $\Sigma$-protocol, as the challenge space is ternary as described in \cref{sse:stern-abstraction}.
Thus standard theorems on $\Sigma$-protocols has to be adapted in this setting.
It is worth noticing that this argument on knowledge does not strictly follow the definition of a $\Sigma$-protocol in~\cref{de:sigma-protocol}. The challenge space is ternary as described in \cref{sse:stern-abstraction}, hence the protocol verifies $3$-special soundness.
Thus, standard theorems on $\Sigma$-protocols have to be adapted in this setting.
In this Section, we describe in a high-level view how Stern's protocol works, and then we detail it.
In this Section, we describe in a high-level manner the behavior of Stern-like protocols before detailing it.
\subsection{The Decomposition-Extension Framework} \label{sse:stern-dec-ext}
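Review bot: the rewritten sentence "for $\pi \in \permutations_m$, $\mathbf{w}$ satisfies these conditions if and only if $\pi(\mathbf{x})$ also does" applies the permutation to a vector $\mathbf{x}$ that is never introduced; it should be $\pi(\mathbf{w})$, and since "these conditions" (binary entries, fixed Hamming weight) are only named in the sentence after it, naming them here would make the invariance argument self-contained. Several of the errors this commit set out to fix survive in the new lines: "code-base cryptography" should be "code-based", "for Syndrome Decoding Problem" lacks "the", "hamming weight" should be capitalised as it is in the permutation paragraph, and "These advances in the expressiveness of Stern-like protocols has been used" needs "have". In the $\Sigma$-protocol remark, "argument on knowledge" should be "argument of knowledge" and "the protocol verifies $3$-special soundness" reads better as "satisfies $3$-special soundness"; it is also the place to say that this is why a single run has the soundness error $2/3$ quoted in the lemma of the next section, and so why the protocol has to be repeated to drive that error down. Finally, "before detailing it" should be "before detailing them" to agree with "Stern-like protocols", and the unchanged context line "we describes these permutations" could be fixed in the same commit.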
@ -54,17 +55,17 @@ The details of this proof is given in \cref{sse:stern-abstraction}, but it can b
There exists a statistical \textsf{ZKAoK} with perfect completeness and soundness error 2/3 to prove the knowledge of a secret vector $\mathbf{w} \in \bit^m$ that verifies relation~\eqref{eq:isis-stern-relation} for public input $(\mathbf{M}, \mathbf{v}) \in \Zq^{n \times m} \times \Zq^{n}$.
\end{lemma}
Ling, Nguyen, Stehlé and Wang~\cite{LNSW13} noticed that the \textsf{ZKAoK} of \cref{le:zk-ktx} straightforwardly works to prove knowledge of a vector in $\nbit^m$.
Ling, Nguyen, Stehlé and Wang~\cite{LNSW13} noticed that the \textsf{ZKAoK} of \cref{le:zk-ktx} works in a straightforward manner to prove knowledge of a vector in $\nbit^m$.
%A method to relax the constraints on the \textsf{ZKAoK} of \cref{le:zk-ktx} is the so-called ``Decomposition-Extension'' technique~\cite{LNSW13,LSS14,ELL+15,LLNW16} as explained in the introduction of this Section (\cref{sse:stern}).
\index{Lattices!Inhomogeneous \SIS}
To prove the knowledge of an \ISIS preimage, i.e.
the knowledge of a bounded vector $\mathbf{w} \in [-B,B]^m$ that satisfies relation~\eqref{eq:isis-stern-relation}, the goal is to rewrite $\mathbf{w}$ as $\bar{\mathbf{w}} = \mathbf{K} \cdot \mathbf{w} \bmod q$ with a public transfer matrix $\mathbf{K}$ such that $\bar{\mathbf{w}} \in \nbit^{m'}$ and of known numbers of elements equal to $j$ for $j \in \nbit$.
the knowledge of a bounded vector $\mathbf{w} \in [-B,B]^m$ that satisfies relation~\eqref{eq:isis-stern-relation}, the goal is to rewrite $\mathbf{w}$ as $\bar{\mathbf{w}} = \mathbf{K} \cdot \mathbf{w} \bmod q$ with a public transformation matrix $\mathbf{K}$ such that $\bar{\mathbf{w}} \in \nbit^{m'}$ and of known numbers of elements equal to $j$ for each $j \in \nbit$.
This reduces to use \cref{le:zk-ktx} to prove the knowledge of $\bar{\mathbf{w}} \in \nbit^{m'}$ for public input $(\mathbf{M} \cdot \mathbf{K}, \mathbf{v})$.
To construct such a transfer matrix $\mathbf{K}$, \cite{LNSW13} showed that \textit{decomposing} a vector $\mathbf{x} \in [-B,B]^m$ as a vector $\tilde{\mathbf{x}} \in \nbit^{m \cdot \delta_B}$ and \textit{extending} the resulting vector into $\bar{\mathbf{x}} \in \mathsf{B}^3_{m \delta_B}$ leads to a new statement that can be proven using the~\cite{KTX08} variant of Stern's protocol.
The resulting matrix $\mathbf{K}= \left[\mathbf{K}_{m,B}^{} \mid \mathbf{0}^{m \times 2m\delta_B}\right] \in \ZZ^{m \times 3m\delta_B}$, where $\mathbf{K}_{m,B}^{}$ is the \nbit-decomposition matrix $\mathbf{K}_{m,B} = \mathbf{I}_m \otimes \left[B_1 \mid \cdots \mid B_{\delta_B} \right]$ with $B_j^{} = \left\lfloor \frac{B + 2^{j-1}}{2^j} \right\rfloor$ for all $j \in \{1,\ldots,j\}$ can be computed from public parameters.
To construct such a transfer matrix $\mathbf{K}$, \cite{LNSW13} showed that \textit{decomposing} a vector $\mathbf{x} \in [-B,B]^m$ as a vector $\tilde{\mathbf{x}} \in \nbit^{m \cdot \delta_B}$ and \textit{extending} the resulting vector into $\bar{\mathbf{x}} \in \mathsf{B}^3_{m \delta_B}$ leads to a new statement that can be proven using the variant of Stern's protocol described in~\cite{KTX08}.
The resulting matrix $\mathbf{K}= \left[\mathbf{K}_{m,B}^{} \mid \mathbf{0}^{m \times 2m\delta_B}\right] \in \ZZ^{m \times 3m\delta_B}$, where $\mathbf{K}_{m,B}^{}$ is the \nbit-decomposition matrix $\mathbf{K}_{m,B} = \mathbf{I}_m \otimes \left[B_1 \mid \cdots \mid B_{\delta_B} \right]$ with $B_j^{} = \left\lfloor \frac{B + 2^{j-1}}{2^j} \right\rfloor$, for all $j \in \{1,\ldots,j\}$, can be computed from public parameters.
\subsection{Abstraction of Stern's Protocol} \label{sse:stern-abstraction}
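Review bot: the direction of the transformation in the rewritten sentence is wrong and the commit leaves it as is: "$\bar{\mathbf{w}} = \mathbf{K} \cdot \mathbf{w} \bmod q$" cannot typecheck, because two lines later $\mathbf{K} \in \ZZ^{m \times 3m\delta_B}$ while $\mathbf{w} \in [-B,B]^m$, and the reduction that follows runs the protocol on public input $(\mathbf{M} \cdot \mathbf{K}, \mathbf{v})$ with witness $\bar{\mathbf{w}}$, which proves $\mathbf{M} \cdot \mathbf{w} = \mathbf{v} \bmod q$ only if $\mathbf{w} = \mathbf{K} \cdot \bar{\mathbf{w}}$. Suggest "rewrite $\mathbf{w}$ as $\mathbf{w} = \mathbf{K} \cdot \bar{\mathbf{w}}$ for a public matrix $\mathbf{K}$ and a vector $\bar{\mathbf{w}} \in \nbit^{m'}$ with known numbers of entries equal to each $j \in \nbit$", which also makes clear that the prover, not the verifier, performs the decomposition. Two inconsistencies introduced or kept by this hunk: "transfer matrix" is renamed "transformation matrix" in one sentence but stays "transfer matrix" two lines below, and the index range "$j \in \{1,\ldots,j\}$" in the definition of $B_j$ uses $j$ for both the running index and its bound; it should be $\{1,\ldots,\delta_B\}$, matching the $\delta_B$ blocks of $\mathbf{K}_{m,B} = \mathbf{I}_m \otimes [B_1 \mid \cdots \mid B_{\delta_B}]$. The decomposition sentence also switches from $\mathbf{w}$ to $\mathbf{x}$ for the same vector.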
@ -74,14 +75,14 @@ The resulting matrix $\mathbf{K}= \left[\mathbf{K}_{m,B}^{} \mid \mathbf{0}^{m \
\small
\begin{enumerate}
\item \textbf{Commitment:} Prover samples $\mathbf{r}_w \leftarrow \U(\mathbb{Z}_q^D)$, $\phi \leftarrow \U(\mathcal{S})$ and randomnesses $\rho_1, \rho_2, \rho_3$ for $\mathsf{COM}$.
Then he sends $\mathrm{CMT}= \big(C_1, C_2, C_3\big)$ to the verifier, where
Then, he sends $\mathrm{CMT}= \big(C_1, C_2, C_3\big)$ to the verifier, where
\begin{gather*}
C_1 = \mathsf{COM}(\phi, \mathbf{M}\cdot \mathbf{r}_w \bmod q; \rho_1), \hspace*{5pt}
C_2 = \mathsf{COM}(\Gamma_{\phi}(\mathbf{r}_w); \rho_2), \\
C_3 = \mathsf{COM}(\Gamma_{\phi}(\mathbf{w} + \mathbf{r}_w \bmod q); \rho_3).
\end{gather*}
\item \textbf{Challenge:} The verifier sends a challenge $Ch \leftarrow \U(\{1,2,3\})$ to the prover.
\item \textbf{Challenge:} The verifier sends a challenge $Ch \sample \U(\{1,2,3\})$ to the prover.
\item \textbf{Response:} Depending on $Ch$, the prover sends $\mathrm{RSP}$ computed as follows:
\smallskip
\begin{itemize}
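Review bot: changing the challenge step to $Ch \sample \U(\{1,2,3\})$ leaves the figure with three different sampling arrows, since the commitment step two lines above still writes $\mathbf{r}_w \leftarrow \U(\mathbb{Z}_q^D)$ and $\phi \leftarrow \U(\mathcal{S})$, and the abstraction paragraph and every simulator case in the later hunks use $\hookleftarrow$; pick one macro and apply it to every sampling in the file, otherwise a reader will assume the arrows mean different things. In the same step, "randomnesses $\rho_1, \rho_2, \rho_3$ for $\mathsf{COM}$" would be clearer as "random coins $\rho_1, \rho_2, \rho_3$ for $\mathsf{COM}$", and "Then, he sends" could use "the prover" (or "it") consistently with the "$\mathsf{SIM}$ ... it sends" wording used for the simulator.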
@ -139,7 +140,7 @@ Note that, Stern's original protocol corresponds to the special case when the se
$\mathsf{VALID} = \{
\mathbf{w} \in \bit^D: \mathsf{wt}(\mathbf{w}) = k\}$, where $\mathsf{wt}(\cdot)$ denotes the Hamming weight and $k < D$ is a given integer, $\mathcal{S} = \permutations_D$ is the set of all permutations of~$D$ elements and $\Gamma_{\phi}(\mathbf{w}) = \phi(\mathbf{w})$.
The conditions in \eqref{eq:zk-equivalence} play a crucial role in proving in \textsf{ZK} that $\mathbf{w} \in \mathsf{VALID}$. To this end, the prover samples a random $\phi \hookleftarrow \U(\mathcal{S})$ and lets the verifier check that $\Gamma_\phi(\mathbf{w}) \in \mathsf{VALID}$ without learning any additional information about $\mathbf{w}$ due to the randomness of $\phi$. Furthermore, to prove in a zero-knowledge manner that the linear equation is satisfied, the prover samples a masking vector $\mathbf{r}_w \hookleftarrow \U(\mathbb{Z}_q^D)$, and convinces the verifier instead that $\mathbf{M}\cdot (\mathbf{w} + \mathbf{r}_w) = \mathbf{M}\cdot \mathbf{r}_w + \mathbf{v} \bmod q.$
The conditions in \eqref{eq:zk-equivalence} play a crucial role to prove in zero-knowledge that $\mathbf{w} \in \mathsf{VALID}$. To this end, the prover samples a random $\phi \hookleftarrow \U(\mathcal{S})$ and lets the verifier check that $\Gamma_\phi(\mathbf{w}) \in \mathsf{VALID}$ without learning any additional information about $\mathbf{w}$ due to the randomness of $\phi$. Furthermore, to prove in a zero-knowledge manner that the linear equation is satisfied, the prover samples a masking vector $\mathbf{r}_w \hookleftarrow \U(\mathbb{Z}_q^D)$, and convinces the verifier instead that $\mathbf{M}\cdot (\mathbf{w} + \mathbf{r}_w) = \mathbf{M}\cdot \mathbf{r}_w + \mathbf{v} \bmod q.$
The interaction between prover $\mathcal{P}$ and verifier $\mathcal{V}$ is described in Figure~\ref{fig:Interactive-Protocol}. The protocol uses a statistically hiding and computationally binding string commitment scheme \textsf{COM} (e.g., the \textsf{SIS}-based scheme from~\cite{KTX08} described in~\cref{de:sis-commitment}).
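Review bot: the rewording "play a crucial role to prove in zero-knowledge that $\mathbf{w} \in \mathsf{VALID}$" is less grammatical than the line it replaces; "play a crucial role in proving in zero-knowledge that" keeps the original meaning and reads correctly. Two precision points in the otherwise unchanged paragraph are worth a word while it is being edited: "lets the verifier check that $\Gamma_\phi(\mathbf{w}) \in \mathsf{VALID}$" happens only in the response branch that reveals $\Gamma_\phi(\mathbf{w})$, not unconditionally, and the masking identity $\mathbf{M}\cdot (\mathbf{w} + \mathbf{r}_w) = \mathbf{M}\cdot \mathbf{r}_w + \mathbf{v} \bmod q$ hides $\mathbf{w}$ only because $\mathbf{r}_w$ is uniform over $\mathbb{Z}_q^D$ (so $\mathbf{w} + \mathbf{r}_w$ is itself uniform), which is the property the figure relies on and the sentence could state.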
@ -157,10 +158,10 @@ The proof of the theorem relies on standard simulation and extraction techniques
Note that, by construction, the protocol is perfectly complete: if an honest prover follows the protocol, then he always gets accepted by the verifier. It is also easy to see that the communication cost is bounded by $\widetilde{\mathcal{O}}(D \cdot \log q)$.
We now will prove that the protocol is a statistical zero-knowledge argument of knowledge for the relation $\mathrm{R_{abstract}}$ and is given below.
We will now prove that the protocol is a statistical zero-knowledge argument of knowledge for the relation $\mathrm{R_{abstract}}$ and is given below.
\smallskip
\scbf{Zero-Knowledge Property. } We construct a \textsf{PPT} simulator $\mathsf{SIM}$ interacting with a (possibly dishonest) verifier $\widehat{\mathcal{V}}$, such that, given only the public input, $\mathsf{SIM}$ outputs with probability negligibly close to $2/3$ a simulated transcript that is statistically close to the one produced by the honest prover in the real interaction.
\scbf{Zero-Knowledge Property. } We construct a \textsf{PPT} simulator $\mathsf{SIM}$ interacting with a (possibly dishonest) verifier $\widehat{\mathcal{V}}$ such that, given only the public input, $\mathsf{SIM}$ outputs with probability negligibly close to $2/3$ a simulated transcript that is statistically close to the one produced by the honest prover in the real interaction.
The simulator first chooses a random $\overline{Ch} \in \{1,2,3\}$. This is a prediction of the challenge value that $\widehat{\mathcal{V}}$ will \emph{not} choose.
\smallskip
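Review bot: the rewritten sentence "We will now prove that the protocol is a statistical zero-knowledge argument of knowledge for the relation $\mathrm{R_{abstract}}$ and is given below" keeps the dangling clause from the old line: "is given below" has no sensible subject (the proof follows, the relation was defined earlier), so either drop "and is given below" or write "for the relation $\mathrm{R_{abstract}}$; the proof is given below." In the zero-knowledge paragraph, "a simulated transcript that is statistically close to the one produced by the honest prover" should speak of distributions, e.g. "whose distribution is statistically close to that of the honest prover's transcripts", since closeness between two individual transcripts is not meaningful; and the "probability negligibly close to $2/3$" claim is exactly the probability that the uniformly chosen $\overline{Ch}$ differs from the challenge $\widehat{\mathcal{V}}$ picks, which the next sentence sets up, so a half-sentence linking the two (and mentioning that a full simulator reruns $\mathsf{SIM}$ until it does not abort) would complete the argument.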
@ -169,7 +170,7 @@ The proof of the theorem relies on standard simulation and extraction techniques
\item[\textsf{Case} $\overline{Ch}=1$]: Using basic linear algebra over $\mathbb{Z}_q$, $\mathsf{SIM}$ computes a vector $\mathbf{w}' \in \mathbb{Z}_q^D$ such that $\mathbf{M}\cdot \mathbf{w}' = \mathbf{v} \bmod q.$
Next, it samples $\mathbf{r} \hookleftarrow \U(\mathbb{Z}_q^D)$, $\pi \hookleftarrow \U(\mathcal{S})$, and randomnesses $\rho_1, \rho_2, \rho_3$ for $\mathsf{COM}$.
Then it sends the commitment $\mathrm{CMT}= \big(C'_1, C'_2, C'_3\big)$ to $\widehat{\mathcal{V}}$, where
Then, it sends the commitment $\mathrm{CMT}= \big(C'_1, C'_2, C'_3\big)$ to $\widehat{\mathcal{V}}$, where
\begin{gather*}
C'_1 = \mathsf{COM}(\pi, \mathbf{M}\cdot \mathbf{r}; \rho_1), \qquad
C'_2 = \mathsf{COM}(\Gamma_{\pi}(\mathbf{r}); \rho_2), \\
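Review bot: the only change in this hunk is a comma, but the simulator's commitments in Case $\overline{Ch}=1$ drop the reductions the real prover's commitments carry: $C'_1 = \mathsf{COM}(\pi, \mathbf{M}\cdot \mathbf{r}; \rho_1)$ should be $\mathsf{COM}(\pi, \mathbf{M}\cdot \mathbf{r} \bmod q; \rho_1)$ to match $C_1$ in the protocol figure, and the same $\bmod q$ is missing inside the $\Gamma_\pi(\mathbf{w}' + \mathbf{r})$ arguments of the other cases; without it the simulated and real commitments are to syntactically different strings, which undercuts the statistical-closeness claim as written. The first step, "Using basic linear algebra over $\mathbb{Z}_q$, $\mathsf{SIM}$ computes $\mathbf{w}'$ with $\mathbf{M}\cdot \mathbf{w}' = \mathbf{v} \bmod q$", silently assumes the system is solvable, which is true whenever the statement is, the only case zero-knowledge has to cover; saying so, and that $\mathbf{w}' \in \mathsf{VALID}$ is deliberately not required here because $\overline{Ch}=1$ is the challenge $\mathsf{SIM}$ bets will not be asked, would spare the reader a double take.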
@ -187,7 +188,7 @@ The proof of the theorem relies on standard simulation and extraction techniques
\item[\textsf{Case} $\overline{Ch}=2$:] $\mathsf{SIM}$ samples $\mathbf{w}' \hookleftarrow \U(\mathsf{VALID})$, $\mathbf{r} \hookleftarrow \U(\mathbb{Z}_q^D)$, $\pi \hookleftarrow \U(\mathcal{S})$, and randomnesses $\rho_1, \rho_2, \rho_3$ for $\mathsf{COM}$.
Then it sends the commitment $\mathrm{CMT}= \big(C'_1, C'_2, C'_3\big)$ to $\widehat{\mathcal{V}}$, where
Then, it sends the commitment $\mathrm{CMT}= \big(C'_1, C'_2, C'_3\big)$ to $\widehat{\mathcal{V}}$, where
\begin{gather*}
C'_1 = \mathsf{COM}(\pi, \mathbf{M}\cdot \mathbf{r}; \rho_1), \qquad
C'_2 = \mathsf{COM}(\Gamma_{\pi}(\mathbf{r}); \rho_2), \\
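Review bot: Case $\overline{Ch}=2$ samples $\mathbf{w}' \hookleftarrow \U(\mathsf{VALID})$, which requires $\mathsf{VALID}$ to be efficiently and uniformly sampleable; that holds for the instantiation given in the earlier hunk (binary vectors of length $D$ and weight $k$) but is an extra requirement on the abstract set that the conditions in \eqref{eq:zk-equivalence} do not state, so it should be listed with them or noted at this point. As in Case 1, $C'_1$ and $C'_3$ omit the $\bmod q$ that the honest prover's $C_1$ and $C_3$ carry. Otherwise the change is a comma only.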
@ -206,7 +207,7 @@ The proof of the theorem relies on standard simulation and extraction techniques
\item[Case $\overline{Ch}=3$:] $\mathsf{SIM}$ samples $\mathbf{w}' \hookleftarrow \U(\mathsf{VALID})$, $\mathbf{r} \hookleftarrow \U(\mathbb{Z}_q^D)$, $\pi \hookleftarrow \U(\mathcal{S})$, and randomnesses $\rho_1, \rho_2, \rho_3$ for $\mathsf{COM}$.
Then it sends the commitment $\mathrm{CMT}= \big(C'_1, C'_2, C'_3\big)$ to $\widehat{\mathcal{V}}$, where
Then, it sends the commitment $\mathrm{CMT}= \big(C'_1, C'_2, C'_3\big)$ to $\widehat{\mathcal{V}}$, where
\[ C'_2 = \mathsf{COM}(\Gamma_{\pi}(\mathbf{r}); \rho_2), \qquad C'_3 = \mathsf{COM}(\Gamma_{\pi}(\mathbf{w}' + \mathbf{r}); \rho_3)\]
as in the previous two cases, while
\begin{eqnarray*}
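Review bot: the label "Case $\overline{Ch}=3$" is not set in \textsf like "\textsf{Case} $\overline{Ch}=1$" and "\textsf{Case} $\overline{Ch}=2$", and the colon sits inside the brackets here and in Case 2 but outside them in Case 1; since the commit touches the very next line, it should normalise all three labels in one go. The eqnarray* environment that follows "as in the previous two cases, while" is the only one in this proof, the other displays use gather*; switching it to align* (or gather*) from amsmath, which the file already loads for gather*, keeps spacing consistent and avoids the known deficiencies of eqnarray.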
@ -221,7 +222,7 @@ The proof of the theorem relies on standard simulation and extraction techniques
\end{description}
\smallskip
We observe that, in all the above cases, since $\mathsf{COM}$ is statistically hiding, the distribution of the commitment $\mathrm{CMT}$ and the distribution of the challenge~$Ch$ from~$\widehat{\mathcal{V}}$ are statistically close to those in the real interaction. Hence, the probability that the simulator outputs~$\bot$ is negligibly close to~$1/3$. Moreover, one can check that whenever the simulator does not halt, it will provide an accepted transcript, the distribution of which is statistically close to that of the prover in the real interaction. In other words, we have designed a simulator that can successfully emulate the honest prover with probability negligibly far from~$2/3$.
We observe that, in all the above cases, since $\mathsf{COM}$ is statistically hiding, the distribution of the commitment $\mathrm{CMT}$ and the distribution of the challenge~$Ch$ from~$\widehat{\mathcal{V}}$ are statistically close to those in the real interaction. Hence, the probability that the simulator outputs~$\bot$ is negligibly close to~$1/3$. Moreover, one can check that whenever the simulator does not halt, it provides an accepted transcript, the distribution of which is statistically close to that of the prover in the real interaction. In other words, we have designed a simulator that can successfully emulate the honest prover with probability negligibly far from~$2/3$.
\medskip
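Review bot: the concluding sentence mixes "negligibly close to $1/3$" for the abort probability with "negligibly far from $2/3$" for the success probability; "negligibly far from" says the opposite of what is meant, so it should read "negligibly close to $2/3$", as in the opening of the zero-knowledge paragraph. The argument itself rests on two facts the sentence states: $\mathrm{CMT}$ is distributed as in the real interaction because $\mathsf{COM}$ is statistically hiding, and therefore $\overline{Ch}$ is statistically hidden from $\widehat{\mathcal{V}}$, so a dishonest verifier cannot steer $Ch$ to equal $\overline{Ch}$; the second point is the one that matters against a malicious $\widehat{\mathcal{V}}$ and deserves an explicit clause, since "statistically close to those in the real interaction" alone does not convey it.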