Polytopes in the Fiat-Shamir with Aborts Paradigm

Henry Bambury; Hugo Beguinet; Thomas Ricosset; Eric Sageloli

Paper 2024/411

Polytopes in the Fiat-Shamir with Aborts Paradigm

Henry Bambury, École Normale Supérieure - PSL, French Institute for Research in Computer Science and Automation, Direction Générale de l'Armement, Centre National de la Recherche Scientifique

Hugo Beguinet, École Normale Supérieure - PSL, Thales (France), Centre National de la Recherche Scientifique, French Institute for Research in Computer Science and Automation

Thomas Ricosset

, Thales (France)

Eric Sageloli

, École Normale Supérieure - PSL, Thales (France), French Institute for Research in Computer Science and Automation, Centre National de la Recherche Scientifique, École Polytechnique

Abstract

The Fiat-Shamir with Aborts paradigm (FSwA) uses rejection sampling to remove a secret’s dependency on a given source distribution. Recent results revealed that unlike the uniform distribution in the hypercube, both the continuous Gaussian and the uniform distribution within the hypersphere minimise the rejection rate and the size of the proof of knowledge. However, in practice both these distributions suffer from the complexity of their sampler. So far, those three distributions are the only available alternatives, but none of them offer the best of all worlds: competitive proof of knowledge size and rejection rate with a simple sampler. We introduce a new generic framework for FSwA using polytope based rejection sampling to enable a wider variety of constructions. As a matter of fact, this framework is the first to generalise these results to integral distributions. To complement the lack of alternatives, we also propose a new polytope construction, whose uniform sampler approaches in simplicity that of the hypercube. At the same time, it provides competitive proof of knowledge size compared to that obtained from the Gaussian distribution. Concurrently, we share some experimental improvements of our construction to further reduce the proof size. Finally, we propose a signature based on the FSwA paradigm using both our framework and construction. We prove it to be competitive with Haetae in signature size and with Dilithium on sampler simplicity.

Note: - small corrections. - tighter signature proof.

Metadata

Available format(s): PDF
Category: Public-key cryptography
Publication info: Preprint.
Keywords: Zero-Knowledge Proofs Lattice-based Cryptography Fiat-Shamir with Aborts Rejection Sampling
Contact author(s): henry bambury @ ens fr
hugo beguinet @ gmail com
thomas ricosset @ thalesgroup com
eric sageloli @ thalesgroup com
History: 2024-04-05: revised; 2024-03-07: received; See all versions
Short URL: https://ia.cr/2024/411
License: CC BY

BibTeX

@misc{cryptoeprint:2024/411,
      author = {Henry Bambury and Hugo Beguinet and Thomas Ricosset and Eric Sageloli},
      title = {Polytopes in the Fiat-Shamir with Aborts Paradigm},
      howpublished = {Cryptology ePrint Archive, Paper 2024/411},
      year = {2024},
      note = {\url{https://eprint.iacr.org/2024/411}},
      url = {https://eprint.iacr.org/2024/411}
}