Paper 2024/1972

RoK, Paper, SISsors – Toolkit for Lattice-based Succinct Arguments

Michael Klooß, ETH Zurich
Russell W. F. Lai, Aalto University
Ngoc Khanh Nguyen, King's College London
Michał Osadnik, Aalto University
Abstract

Lattice-based succinct arguments allow one to prove bounded-norm satisfiability of relations, such as $f(\vec{s}) = \vec{t} \bmod q$ and $\|\vec{s}\|\leq \beta$, over specific cyclotomic rings $\mathcal{O}_\mathcal{K}$, with proof size polylogarithmic in the witness size. However, state-of-the-art protocols require either 1) a super-polynomial size modulus $q$ due to a soundness gap in the security argument, or 2) a verifier which runs in time linear in the witness size. Furthermore, construction techniques often rely on specific choices of $\mathcal{K}$ which are not mutually compatible. In this work, we exhibit a diverse toolkit for constructing efficient lattice-based succinct arguments: (i) We identify new subtractive sets for general cyclotomic fields $\mathcal{K}$ and their maximal real subfields $\mathcal{K}^+$, which are useful as challenge sets, e.g. in arguments for exact norm bounds. (ii) We construct modular, verifier-succinct reductions of knowledge for the bounded-norm satisfiability of structured-linear/inner-product relations, without any soundness gap, under the vanishing SIS assumption, over any $\mathcal{K}$ which admits polynomial-size subtractive sets. (iii) We propose a framework to use twisted trace maps, i.e. maps of the form $\tau(z) = \frac{1}{N} \cdot \mathsf{Trace}_{\mathcal{K}/\mathbb{Q}}( \alpha \cdot z )$, to embed $\mathbb{Z}$-inner-products as $\mathcal{R}$-inner-products for some structured subrings $\mathcal{R} \subseteq \mathcal{O}_\mathcal{K}$ whenever the conductor has a square-free odd part. (iv) We present a simple extension of our reductions of knowledge for proving the consistency between the coefficient embedding and the Chinese Remainder Transform (CRT) encoding of $\vec{s}$ over any cyclotomic field $\mathcal{K}$ with a smooth conductor, based on a succinct decomposition of the CRT map into automorphisms, and a new, simple succinct argument for proving automorphism relations.
Combining all techniques, we obtain, for example, verifier-succinct arguments for proving that $\vec{s}$ satisfying $f(\vec{s}) = \vec{t} \bmod q$ has binary coefficients, without soundness gap and with polynomial-size modulus $q$.
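As an added illustration of item (iii), written for this page and not taken from the paper: in the simplest admissible case, a power-of-two conductor $2N$ (odd part $1$, trivially square-free), the untwisted map with $\alpha = 1$, i.e. $\tau(z) = \frac{1}{N}\mathsf{Trace}_{\mathcal{K}/\mathbb{Q}}(z)$ on $\mathcal{R} = \mathcal{O}_\mathcal{K} = \mathbb{Z}[X]/(X^N+1)$, already turns a ring product into a $\mathbb{Z}$-inner-product: $\langle \vec a, \vec b\rangle_{\mathbb{Z}} = \tau(a \cdot \sigma_{-1}(b))$ where $\sigma_{-1}: X \mapsto X^{-1}$ is the conjugation automorphism. The code computes the trace honestly as the sum over all $N$ Galois conjugates $\sigma_j$, $j$ odd, rather than reading off the constant coefficient, so the cancellation that makes $\tau$ land in $\mathbb{Z}$ is actually checked. Assumptions: polynomials are length-$N$ coefficient lists, $N$ is a power of two, the sample vectors are constructed, and the paper's general twisted construction for other conductors is not reproduced.

```python
"""Added example (not from the paper): the untwisted trace map tau(z) =
Trace_{K/Q}(z) / N on R = Z[X]/(X^N + 1), N a power of two, and how it
recovers the Z-inner-product of coefficient vectors from a ring product."""


def _check(N):
    # Assumption of this example: N is a power of two, so K = Q(zeta_{2N})
    # has degree N and the Galois group is {sigma_j : j odd, 1 <= j < 2N}.
    if N < 1 or N & (N - 1):
        raise ValueError("N must be a power of two")


def poly_mul(a, b, N):
    """Product in Z[X]/(X^N + 1): negacyclic convolution, since X^N = -1."""
    _check(N)
    out = [0] * N
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for k, bk in enumerate(b):
            e = i + k
            if e < N:
                out[e] += ai * bk
            else:
                out[e - N] -= ai * bk
    return out


def automorphism(a, j, N):
    """sigma_j: X -> X^j for odd j.  Exponents are reduced with X^{2N} = 1
    and X^N = -1, so X^e with N <= e < 2N becomes -X^{e-N}."""
    _check(N)
    if j % 2 == 0:
        raise ValueError("only odd j gives an automorphism of Z[X]/(X^N+1)")
    out = [0] * N
    for i, ai in enumerate(a):
        e = (i * j) % (2 * N)
        if e < N:
            out[e] += ai
        else:
            out[e - N] -= ai
    return out


def trace(a, N):
    """Trace_{K/Q}(a) as the sum of all N Galois conjugates sigma_j(a).
    The sum is Galois-invariant, hence a rational integer: every
    non-constant coefficient must cancel, and the code checks that."""
    _check(N)
    s = [0] * N
    for j in range(1, 2 * N, 2):
        for k, c in enumerate(automorphism(a, j, N)):
            s[k] += c
    if any(s[1:]):
        raise ArithmeticError("trace did not land in Z: conjugates are wrong")
    return s[0]


def tau(a, N):
    """tau(z) = (1/N) Trace(z) with twist alpha = 1.  In the power-of-two
    case Trace(X^i) = 0 for 0 < i < N and Trace(1) = N, so the division
    is exact and tau is the constant coefficient of z."""
    t = trace(a, N)
    if t % N:
        raise ArithmeticError("trace not divisible by N")
    return t // N


def conj(b, N):
    """sigma_{-1}: X -> X^{-1}.  Because X^N = -1, X^{-1} = -X^{N-1} = X^{2N-1}."""
    return automorphism(b, 2 * N - 1, N)


def inner_product_via_tau(a, b, N):
    """<a, b>_Z read off the ring element a * conj(b): its expansion
    sum_{i,k} a_i b_k X^{i-k} has constant term exactly sum_i a_i b_i,
    since |i - k| < N means no other term reduces to a constant."""
    return tau(poly_mul(a, conj(b, N), N), N)


def inner_product_Z(a, b):
    return sum(x * y for x, y in zip(a, b))


def demo():
    # Constructed sample vectors (arbitrary small integers, not from the paper).
    N = 8
    a = [1, -2, 3, 0, 5, -1, 2, 4]
    b = [2, 1, 0, -3, 1, 1, -2, 3]
    return inner_product_Z(a, b), inner_product_via_tau(a, b, N)


if __name__ == "__main__":
    print(demo())  # (12, 12)
```

The conjugation step is what makes the ring product encode the inner product; $\tau(a \cdot b)$ without it yields $a_0 b_0 - \sum_{i+k=N} a_i b_k$ instead. The twist $\alpha$ in the paper's $\tau(z) = \frac{1}{N}\mathsf{Trace}(\alpha z)$ is needed beyond the power-of-two case because traces of non-trivial roots of unity then no longer vanish (for conductor $3$, $\mathsf{Trace}(\zeta_3) = -1$), so the plain trace does not act as a coefficient projection; that general framework is the paper's contribution and is not reproduced by this example.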

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
A major revision of an IACR publication in ASIACRYPT 2024
Keywords
lattice-based cryptography, succinct argument
Contact author(s)
klooss @ mail informatik kit edu
russell lai @ aalto fi
ngoc_khanh nguyen @ kcl ac uk
michal osadnik @ aalto fi
History
2024-12-13: last of 2 revisions
2024-12-05: received
See all versions
Short URL
https://ia.cr/2024/1972
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/1972,
      author = {Michael Klooß and Russell W. F. Lai and Ngoc Khanh Nguyen and Michał Osadnik},
      title = {{RoK}, Paper, {SISsors} – Toolkit for Lattice-based Succinct Arguments},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1972},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1972}
}