Martin has written a gentle introduction of the k-R-ISIS (of Knowledge) assumptions, and Aravind has written about cool things that one could do with our lattice-based SNARKs. In this post, I want to walk you through the construction of our lattice-based SNARKs.

A succinct non-interactive argument of knowledge (SNARK) allows a prover to convince a verifier of the truth of statements in an NP-complete language by writing down very short proofs. Our NP-complete language of choice is the satisfiability of systems of quadratic (constant-degree in general) equations with bounded coefficients and bounded solutions over a certain ring . More formally, the language is of the form

where is a tuple of degree- multivariate homogeneous (i.e. no constant term) polynomials with small coefficients in , and is a short vector over . For concreteness, think of as the ring of integers of some cyclotomic field.

Instead of building a SNARK directly, we build something even more powerful — a vector commitment (VC) scheme with openings to quadratic polynomials, also known as a functional commitment. Such a VC scheme allows the prover to produce a succinct commitment to , and to “open” it to any tuple of quadratic polynomials by producing a short proof . Given , , , and , the verifier can be convinced that whatever is committed in satisfies . The tuple is thus a SNARK proof for . More on the precise security requirements of the VC later.

In the following, we construct a basic VC which supports openings to a single polynomial (instead of a tuple).

First, a trusted setup generates random vectors and over for some modulus , together with a SIS trapdoor for . Such a trapdoor allows the setup to further generate short vectors over satisfying , for all rational functions in some set which will be specified later. The setup then publishes , , and the ‘s as public parameters.

To commit to a short vector over which has the same dimension as , the prover simply computes and outputs the inner product .

Before describing the opening algorithm, we first look at the verification algorithm instead. All we need to know about an opening proof for now is that it is a short vector over which has the same dimension as .

To verify against , the verifier defines a quadratic polynomial as follows:

- Parse as .
- Define .

Then, it checks that are indeed short and satisfy .

From the verification equation, we can reverse engineer that the opening proof should be computed as

where the rational functions and are contained in . (Hence we have specified .) Since the coefficients of , the vector , and the vectors are short, the opening proof is also short, as desired.

We show that the above basic construction satisfies a security notion called weak binding, meaning that it is infeasible for a prover to produce valid opening proofs for and for , based on the following kRISIS assumption: Given , , and generated as in the setup, it is hard to find a short vector and a short element satisfying .

To see why this is the case, suppose an efficient adversary produces valid opening proofs satisfying for . Setting and , we have . Since are short, and are also short. We thus have an efficient algorithm for the above kRISIS problem, which we assumed to be hard.

As the name suggests, the weak binding property is weak. In particular, it is insufficient to give a SNARK. What we need instead is extractability, meaning that if a prover is able to produce a valid opening proof of against , then it is guaranteed that the prover must “know” a satisfying such that is a commitment of and . To achieve extractability, we augment the basic construction as follows.

- Setup: The setup further generates another random vector over together with its SIS trapdoor, as well as a random element such that the ideal generated by has exponentially many elements yet only covers a negligible fraction of . Using the trapdoor of , the setup generates short vectors satisfying for each entry of . The public parameters now further consist of , , and the ‘s.
- Commit: Unchanged.
- Open: The prover further outputs .
- Verify: The verifier further checks that is short and satisfies .

We show that the modified construction satisfies extractability based on the following knowledge kRISIS assumption: Given , , , and the ‘s generated as in the setup, if an efficient algorithm is able to produce a short vector satisfying for some , then the algorithm is guaranteed to “know” a short vector such that .

Clearly, by the above knowledge kRISIS assumption, if a prover is able to produce a valid opening proof of against , then it must know a short vector such that is a commitment of . Now suppose that . We can run the opening algorithm to produce a valid opening proof of against . However, this means we can obtain valid opening proofs of against both and , which contradicts weak binding.

It remains to further upgrade the construction so as to support opening to not only one but a tuple of polynomials. For this, we further modify our construction as follows.

- Setup: Pick a moderate-size modulus which is small compared to but still large compared to “short” vectors. The public parameters additionally contain a random vector over whose dimension is equal to the number of polynomials to be opened.
- Commit: Unchanged.
- Open: To open to , define and and run the previous opening algorithm to open to .
- Verify: To verify an opening proof against , define and and run the previous verification algorithm to verify .

We show that the third construction remains extractable based on the SIS assumption over . To recall, the SIS assumption states that for a random it is hard to find a short non-zero vector such that .

Suppose a prover is able to produce a valid opening proof of against . Define and . By the extractability of the second scheme, the prover must know a short vector satisfying . Expanding the expression and reducing modulo gives . Note that is short for all . Therefore, if for some , we obtain a short non-zero vector such that , violating the SIS assumption.
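To make the batching step of the third construction and its SIS reduction concrete, here is an added toy example in Python (mine, not the paper's or the authors' code). It works over the plain integers rather than the cyclotomic ring, treats "short" as small absolute value, and represents each homogeneous quadratic polynomial by a small integer matrix; the moderate modulus is called `q2` (standing in for the post's second modulus), and all numbers below are constructed sample values.

```python
import itertools

# Constructed toy setting: t homogeneous quadratic polynomials f_i(x) = x^T A_i x
# over the integers, a small "short" witness x, and the batching modulus q2
# (the post's moderate-size modulus; the name q2 is this example's own).

def quad(A, x):
    """Evaluate the homogeneous quadratic form f_A(x) = x^T A x over the integers."""
    n = len(x)
    return sum(A[i][j] * x[i] * x[j] for i in range(n) for j in range(n))

def batch(As, ys, r, q2):
    """Fold (f_1..f_t), (y_1..y_t) into one pair: f = sum_i r_i f_i mod q2, y = sum_i r_i y_i mod q2."""
    n = len(As[0])
    t = len(As)
    A = [[sum(r[i] * As[i][a][b] for i in range(t)) % q2 for b in range(n)] for a in range(n)]
    y = sum(ri * yi for ri, yi in zip(r, ys)) % q2
    return A, y

def batched_check(As, ys, r, q2, x):
    """The single check the verifier runs on the batched polynomial: f(x) = y (mod q2)."""
    A, y = batch(As, ys, r, q2)
    return quad(A, x) % q2 == y

def sis_solution_from_cheat(As, ys, r, q2, x):
    """Reduction step of the proof: if x passes the batched check but violates some
    individual equation, z = (f_i(x) - y_i)_i is short, non-zero, and <r, z> = 0 mod q2,
    i.e. an SIS solution for the challenge vector r. Returns None if x is honest."""
    z = [quad(A, x) - y for A, y in zip(As, ys)]
    if all(zi == 0 for zi in z):
        return None
    assert batched_check(As, ys, r, q2, x), "x did not pass the batched check"
    assert sum(ri * zi for ri, zi in zip(r, z)) % q2 == 0
    # q2 must be large compared to the short entries of z, otherwise z could vanish mod q2
    # and the reduction would output the zero vector (this is why q2 is "large compared to short").
    assert any(zi % q2 != 0 for zi in z), "z is zero modulo q2; q2 too small for these bounds"
    return z

def count_fooling_challenges(As, ys, q2, x):
    """Exhaustively count challenge vectors r in Z_q2^t for which x passes the batched check.
    For a cheating x this is q2^(t-1) (one linear condition on r), i.e. probability 1/q2."""
    t = len(As)
    return sum(1 for r in itertools.product(range(q2), repeat=t)
               if batched_check(As, ys, r, q2, x))

# Constructed sample: f_1 = x1^2 + x2^2, f_2 = x1*x2, honest witness x = (1, -1).
AS = [[[1, 0], [0, 1]], [[0, 1], [0, 0]]]
X_HONEST = [1, -1]
YS = [quad(A, X_HONEST) for A in AS]          # (2, -1)
X_CHEAT = [1, 1]                               # satisfies f_1 only

if __name__ == "__main__":
    print("honest passes for r=(3,5):", batched_check(AS, YS, (3, 5), 7, X_HONEST))
    print("challenges fooled by cheater:", count_fooling_challenges(AS, YS, 7, X_CHEAT), "of", 7 ** 2)
    print("SIS solution extracted:", sis_solution_from_cheat(AS, YS, (3, 0), 7, X_CHEAT))
```

The exhaustive count makes the soundness loss of batching visible: a witness that misses one of the equations only passes for the challenge vectors lying on one hyperplane of , and for every such challenge the extracted difference vector is exactly the short SIS solution the proof in the text produces.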

Last Updated on 21/07/2022.

Year | Scheme | Size | Trans | Preproc | Algebraic | PQ | Published | Reference | Note |
---|---|---|---|---|---|---|---|---|---|
2018 | Bulletproof (Group) | polylog | Yes | No | No | No | SP18 | link | |
2020 | Lakonia | polylog | Yes | No | No | No | – | link | |
2019 | Sonic | 1 | No | Yes | No | No | CCS19 | link | Universal updatable CRS |
2020 | Marlin | 1 | No | Yes | No | No | EC20 | link | Universal updatable CRS |
2020 | Spartan | sqrt | Yes | Yes | No | No | C20 | link | |
2020 | SuperSonic | polylog | Yes | Yes | No | No | EC20 | link | |
2020 | Kopis | polylog | Yes | Yes | No | No | – | link | |
2020 | Xiphos | polylog | Yes | Yes | No | No | – | link | |
2016 | Groth16 | 1 | No | Yes | Yes | No | EC16 | link | |
2018 | GKMMM18 | 1 | No | Yes | Yes | No | C18 | link | Universal updatable CRS |
2020 | Bulletproof (Lattice) | polylog | Yes | No | No | Yes | C20,C21 | BLNS20,AL21,ACK21 | |
2017 | Ligero | sqrt | Yes | No | No | Yes | CCS17 | link | |
2019 | Aurora | polylog | Yes | No | No | Yes | EC19 | link | |
2021 | Brakedown | sqrt | Yes | Yes | No | Yes | – | link | |
2021 | Shockwave | sqrt | Yes | Yes | No | Yes | – | link | |
2020 | Fractal | polylog | Yes | Yes | No | Yes | EC20 | link | |

Size: Proof size as a function of statement size, fixed multiplicative factor polynomial in security parameter omitted

Trans: Transparent setup, i.e. lack of a trusted setup

Preproc: Verifier can preprocess the statement to make verification time sublinear in statement size

Algebraic: Only uses low-degree algebraic operations over the underlying group/ring/field, does not use random oracles or hash functions (which could be seen as high-degree operations)

PQ: Post-quantum in the most liberal sense, i.e. as long as it is not based on groups

Last Updated on 11/07/2022.

In group-based cryptography, we often find ourselves working over the ring where is most often a prime or a product of a few large primes (in the setting of composite-order groups). Either way, most elements in the ring are invertible — a fact that is quite convenient for constructing knowledge extractors in -protocols and for performing polynomial interpolation.

In lattice-based cryptography, however, our playground has been switched to , the ring of integers of the -th cyclotomic field, which we call a cyclotomic ring for short. After some experimentation, one is easily convinced that most elements of are not invertible over , i.e. they are not units. Furthermore, even if we pick a modulus such that most elements in are invertible over , the inverses of short elements are often not short. This issue makes many techniques that we take for granted in group-based cryptography inapplicable in the lattice setting.

Long story short, suppose we have a set , which could be the challenge set of a -protocol or the set of evaluation points of a Shamir secret sharing scheme. Let be any -subset of . It would be great if we could solve the following (dual) Vandermonde systems

over for some given and a vector . Here, the matrix is the Vandermonde matrix defined by the set . That is, if , then

The element in the above equations, called the slack, is a measure of how good the solution is (if it exists). On one hand, we want (the norm of) to be as close to as possible. On the other hand, we would like the size to be as large as possible, since it is inversely proportional to the soundness error of the -protocol using as a challenge set, and equals the number of parties with whom we can share our secret. (We might want to be large for secret sharing as well, as it corresponds to the recovery threshold.)

Motivated by the above, we define the notion of -subtractive set as a sufficient condition of the solvability of the above (dual) Vandermonde systems. We say that a set is -subtractive, if for any -subset , it holds that for all . It is a sufficient condition in the sense that, if a set is -subtractive, then any (dual) Vandermonde system defined by the slack , any target vector , and any -subset is solvable over .

Note that in the special case where is invertible over for any distinct , is a -subtractive set for any . In this case we simply call a subtractive set.

In the above definition of -subtractive sets, the notation denotes the ideal generated by the element . That is, . Another way of seeing is that it contains all the elements in which are divisible by . So, saying that is the same as saying that is divisible by .

Many of the results presented in this work are ultimately due to the presence or absence of certain ideals in . To get a more concrete feeling for the ideals in , the following observation might be useful.

We observe that, over , the ring of rational integers, the element is one of the two smallest primes (with the other being ). Another way of saying this is that is the “smallest” prime ideal, where the “smallness” is measured by the algebraic norm which measures the number of cosets of , which is . Since is a rational prime, it would be hopeless to find a large -subtractive set over , since only a handful of elements, and , divide .

The situation is quite different in when is a power of . There, the ideal is not prime but actually splits completely into factors. Indeed, we have

That is to say, there are quite a lot of elements in that divide , which is a good start.

Unlike in the paper, we first deal with the easy case. That is, we present subtractive sets over prime-power cyclotomic rings, i.e. where is a power of a prime . These sets are simply

where . Note that is of size , and is therefore most interesting when and .

Although the proof of the above claim is straightforward, I find it somewhat cute and plausibly insightful. Therefore I decided to include it here.

First, we notice that for , the element

is a unit. Indeed, it is called a cyclotomic unit and its inverse is given by

where .

Next, we notice that can be written as a prefix sum of the sequence of powers of . Consequently, for , we have

which is invertible.

If all the world cared about were prime-power cyclotomic rings, we would be done. However, power-of- cyclotomic rings are preferable in implementations due to convenient tools such as the number theoretic transform (NTT). To be clear, these rings are where is a power of .

For the purpose of constructing lattice-based Bulletproofs over power-of- cyclotomic rings, we are interested in constructing large -subtractive sets over . In this blog post, we pick as an example, and prove that

is -subtractive. Note that in the above I wrote for .

First, we note that we get the element in the set for free, since all other elements are units. It therefore suffices to prove that

is -subtractive. To this end, consider any -subset

where we assume without loss of generality that

We want to show that

To do this, we first note that

since is a unit. Next, by some routine calculation, we can see that

where denotes the even part of , i.e. the largest power of which divides . To proceed, we perform some more routine calculation to be convinced that

Finally, we observe that and therefore
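Since the ideal-membership arguments above are easy to get wrong by hand, here is an added Python checker (my own example, not code from the paper or the post) that tests the (k, slack)-subtractive property by brute force in small cyclotomic rings, and also verifies the cyclotomic-unit inverse used in the prime-power proof. It represents Z[X]/(F(X)) by coefficient lists for a monic F, decides whether the slack lies in the ideal generated by a product of differences by computing the exact inverse over Q and checking integrality, and covers both the prime-power sets (the prefix sums 1 + X + ... + X^{i-1}, here for m = 5) and the power-of-two case (m = 8). The power-of-two candidate set tested, {0} ∪ {X^i : 0 ≤ i < m/2}, is this example's own choice, consistent with the shape of the set in the post (zero plus a run of powers of X) but not taken verbatim from it; the set of all 2m powers of X is included as a contrast that needs a larger slack.

```python
from fractions import Fraction
from itertools import combinations

# Ring R = Z[X]/(F) with F a monic integer polynomial given as a coefficient list
# [f_0, ..., f_n] (f_n == 1). Elements are coefficient lists of length n (Fractions,
# so that we can also compute inverses over Q[X]/(F) and test integrality).

def poly_mod(coeffs, F):
    """Reduce a coefficient list modulo the monic polynomial F; returns length deg F."""
    n = len(F) - 1
    a = list(coeffs)
    for d in range(len(a) - 1, n - 1, -1):       # kill the leading term X^d, d >= n
        c = a[d]
        if c:
            for i in range(n + 1):
                a[d - n + i] -= c * F[i]
    a = a[:n] + [0] * (n - len(a))
    return [Fraction(x) for x in a]

def mul(a, b, F):
    prod = [Fraction(0)] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] += x * y
    return poly_mod(prod, F)

def sub(a, b):
    return [x - y for x, y in zip(a, b)]

def const(c, F):
    return poly_mod([c], F)

def X_pow(i, F):
    return poly_mod([0] * i + [1], F)

def inverse(f, F):
    """Inverse of f in Q[X]/(F) via Gauss-Jordan on the multiplication-by-f matrix; None if f == 0."""
    n = len(F) - 1
    cols = [mul(f, X_pow(j, F), F) for j in range(n)]            # column j = f * X^j
    M = [[cols[j][i] for j in range(n)] + [Fraction(int(i == 0))] for i in range(n)]
    for c in range(n):
        piv = next((r for r in range(c, n) if M[r][c] != 0), None)
        if piv is None:
            return None
        M[c], M[piv] = M[piv], M[c]
        M[c] = [x / M[c][c] for x in M[c]]
        for r in range(n):
            if r != c and M[r][c] != 0:
                M[r] = [x - M[r][c] * y for x, y in zip(M[r], M[c])]
    return [M[i][n] for i in range(n)]

def in_ideal(a, g, F):
    """True iff a lies in the ideal <g> of Z[X]/(F), i.e. a/g has integer coefficients.
    (Valid because Z[X]/(Phi_m) is the full ring of integers of the cyclotomic field.)"""
    ginv = inverse(g, F)
    if ginv is None:
        return all(x == 0 for x in a)
    return all(x.denominator == 1 for x in mul(a, ginv, F))

def is_subtractive(S, k, slack, F):
    """(k, slack)-subtractive: for every k-subset T and every a in T,
    slack is in the ideal generated by prod_{b in T, b != a} (a - b)."""
    for T in combinations(S, k):
        for i, a in enumerate(T):
            g = const(1, F)
            for j, b in enumerate(T):
                if j != i:
                    g = mul(g, sub(a, b), F)
            if not in_ideal(slack, g, F):
                return False
    return True

def power_of_two_ring(n):            # Z[X]/(X^n + 1), n a power of two, m = 2n
    return [1] + [0] * (n - 1) + [1]

def prime_cyclotomic_ring(p):        # Z[X]/(1 + X + ... + X^{p-1}), m = p prime
    return [1] * p

def cyclotomic_unit(i, F):
    """zeta_i = 1 + X + ... + X^{i-1}; a unit of Z[X]/(Phi_m) whenever gcd(i, m) = 1 (zeta_0 = 0)."""
    return poly_mod([1] * i, F)

def cyclotomic_unit_inverse(i, m, F):
    """(1 - X)/(1 - X^i) = 1 + X^i + ... + X^{i(j-1)} with i*j = 1 (mod m); assumes gcd(i, m) = 1."""
    j = pow(i, -1, m)
    coeffs = [0] * (i * (j - 1) + 1)
    for t in range(j):
        coeffs[i * t] = 1
    return poly_mod(coeffs, F)

if __name__ == "__main__":
    F8 = power_of_two_ring(4)                                   # m = 8
    S_half = [const(0, F8)] + [X_pow(i, F8) for i in range(4)]
    S_full = [const(0, F8)] + [X_pow(i, F8) for i in range(8)]
    print("(3,2)-subtractive, half powers:", is_subtractive(S_half, 3, const(2, F8), F8))
    print("(3,2)-subtractive, all powers: ", is_subtractive(S_full, 3, const(2, F8), F8))
    F5 = prime_cyclotomic_ring(5)                               # m = 5
    S5 = [cyclotomic_unit(i, F5) for i in range(5)]
    print("subtractive (slack 1), m = 5:   ", is_subtractive(S5, 5, const(1, F5), F5))
```

Everything is exact rational arithmetic, so a `True` from `is_subtractive` is a proof for that particular ring and set, not a numerical estimate; the check that the all-powers set fails with slack 2 but passes with slack 4 illustrates the role the even part of the exponent difference plays in the proof sketch above.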

We conclude this blog post by showing that one cannot find -subtractive sets that are much better than those constructed above.

For the impossibility result, it would be convenient to introduce the notion of weak -subtractive sets, which are sets such that, for any -subset , it holds that . Here, the set is defined as

and is the ideal generated by the elements in the set . From the definitions of (weak) -subtractive sets, one can immediately see that an -subtractive set is also weakly -subtractive. Therefore, if we can rule out the existence of certain weakly -subtractive sets, we would also be able to rule out the existence of certain -subtractive sets.

We first consider power-of- cyclotomic rings where is a power of . Suppose that is a prime (called a Fermat prime; the known examples are , , , ). Then splits into factors each having algebraic norm . That is, each factor of has cosets.

Fix one of these factors . Suppose is a weakly -subtractive set of size greater than . We can partition such that each subset contains elements belonging to the same coset of , with one of the subsets containing at least elements by the pigeonhole principle. However, since all elements in belong to the same coset of , we have . Since is weakly -subtractive, we have and hence . This, however, is a contradiction because is clearly not in (since the latter has norm , which is coprime with ).

From the above, we conclude that, for any , it is impossible to construct a family (parameterised by ) of -subtractive sets each of size greater than . We note that, however, this result only rules out families of constructions but not individual constructions. That is, it might still happen that there exists a -subtractive set of size in the -th cyclotomic ring.

We finish by considering prime-power cyclotomic rings where is a power of a prime . Here, we notice that the ideal has algebraic norm — it has cosets — and . Thus, by the same argument as above, we can conclude that there is no subtractive set of size greater than over prime-power cyclotomic rings. In other words, the constructions that we gave above are in a sense optimal.

Last Updated on 11/07/2022.
