Aggregating Falcon Signatures with LaBRADOR Documentation #47
mattsuffern wants to merge 8 commits into
| $$\lVert (\mathbf{s}\_{i1}, \mathbf{s}\_{i2}) \rVert_{2} \leq \beta$$ | ||
| Where $H()$ is a hash function, $\mathbf{h}$ is the public key, and $r \in \\{0, 1\\}^{320}$ is a random salt. | ||
| It's important to notice these equations are valid mod $q$, which means they may not be valid mod $q'$. So, in order to make an equivalent version of these constraints but in the LaBRADOR ring, we will find an equivalent restriction over $\mathcal{R}$. Since the validity of a restriction being equal to zero in $\mathcal{R}$ should still hold under some modulus wrapping in $\mathcal{R}\_{q^{'}}$. In order for the restrictions to hold in $\mathcal{R}$, we would like intuitively that $(\mathbf{s}\_{i1}, \mathbf{s}\_{i2})$ will be "small enough" that they would not wrap around over the $q'$ modulus. Since we are not in control of the size of $(\mathbf{s}\_{i1}, \mathbf{s}\_{i2})$, the main idea behind this will be to slightly modify the restrictions from Falcon so that we can guarantee that for a large enough $q'$, they will still be valid over this new ring. |
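Review bot: the "small enough" condition in the last paragraph should be made quantitative: an equality that holds in $\mathcal{R}_{q'}$ implies the same equality in $\mathcal{R}$ only when every coefficient of the left-hand side, computed over the integers, is smaller than $q'/2$ in absolute value, so state the bound on $(\mathbf{s}_{i1}, \mathbf{s}_{i2})$ (the $\beta$ from the norm check above) together with the size of the public terms and derive the resulting lower bound on $q'$ from them. Also, "Since the validity of a restriction being equal to zero in $\mathcal{R}$ should still hold under some modulus wrapping in $\mathcal{R}_{q'}$." is a sentence fragment; merge it with the preceding sentence.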
we would like intuitively that $(\mathbf{s}_{i1}, \mathbf{s}_{i2})$ will be "small enough" that they would not wrap around over the $q'$ modulus
Explain this a bit better
| Because all dot product constraints in LaBRADOR are of the form: | ||
| $$ | ||
| f(\mathbf{\bar{\mathbf{s}}})=0 \text{ or } ct(f(\mathbf{\bar{\mathbf{s}}})) = 0 |
| For the first restriction, we know from Falcon that it must be valid in $\mathcal{R}\_{q}$. This isn't necessarily valid in $\mathcal{R}$. In order to force it to be valid, we will add an extra witness $v_{i} \in \mathcal{R}\_{q'}$, leaving us with this restriction over $\mathcal{R}$: | ||
| $$\mathbf{s}\_{i1}+\mathbf{hs}\_{i2}+qv_{i} - H(r,m) = 0$$ | ||
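Review bot: $v_{i}$ is introduced as an element of $\mathcal{R}_{q'}$ but is then used in an equation stated over $\mathcal{R}$; define $v_{i}$ over $\mathcal{R}$ (it is the integer quotient of $\mathbf{s}_{i1}+\mathbf{hs}_{i2}-H(r,m)$ by $q$, which is what makes the displayed equation hold exactly) and give it a norm bound, since the LaBRADOR constraint $f(\bar{\mathbf{s}})=0$ only forces the relation over the integers when the whole witness vector $(\mathbf{s}_{i1}, \mathbf{s}_{i2}, v_{i})$ is bounded. It would also help to say explicitly that $\bar{\mathbf{s}}$ in the dot-product form now includes $v_{i}$.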
| Since adding multiples of $q$ to the restriction doesn't affect the original formulation $\mod q$, then this restriction continues to be valid in $\mathcal{R}\_{q}$. In order to answer how big $q'$ needs to be so that the witness vectors (including the new one) don't wrap around, we need to prove that the witnesses are small enough. |
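Review bot: the question "how big $q'$ needs to be" is raised here but left open; close it with the explicit inequality, namely $q'$ larger than twice the largest absolute coefficient of $\mathbf{s}_{i1}+\mathbf{hs}_{i2}+qv_{i}-H(r,m)$ taken over the integers, so that a residue that is zero mod $q'$ is zero in $\mathcal{R}$. The bound has to cover the public term $\mathbf{hs}_{i2}$, whose coefficients are of the order of $d \cdot q \cdot \lVert \mathbf{s}_{i2} \rVert_{\infty}$ because $\mathbf{h}$ is a public key reduced mod $q$, and the term $qv_{i}$, not only the small vectors $(\mathbf{s}_{i1}, \mathbf{s}_{i2})$.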
I would say be more specific about how big q' needs to be.
To prevent a wrap-around we need to ensure that the coeffs in Rq remain small enough that their norms and sums don't exceed q/2. Basically this is the reason that Falcon chooses beta such that
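The reviewer's point about how large $q'$ must be, worked through as an added example; this is not code from the PR, from the LaBRADOR documentation or from the project. It uses a toy ring of degree 8 instead of Falcon's 512 or 1024, the Falcon modulus $q = 12289$, reduction modulo $x^d + 1$ (Falcon's ring; the document writes $x^d - 1$, and the `negacyclic` flag switches between the two), the infinity norm in place of the $\ell_2$ bound $\beta$, and a target $H(r,m)$ modelled as an arbitrary element of $\mathcal{R}_q$ constructed so that the Falcon relation holds. All names (`lift_witness`, `coefficient_bound`, `min_qprime`, `identity_forced_over_integers`) are assumptions of this example.

```python
"""Lifting the Falcon verification identity from R_q to the integers.

Constructed toy check: given small (s1, s2), public key h and target
t = H(r, m) with s1 + h*s2 = t (mod q), compute the extra witness v with
s1 + h*s2 + q*v - t = 0 over Z, and decide how large the LaBRADOR modulus
q' must be so that this identity holding mod q' forces it to hold over Z.
"""
import random

D = 8              # toy ring degree (assumption; Falcon uses 512 or 1024)
Q = 12289          # Falcon modulus q
NEGACYCLIC = True  # assumption: reduce mod x^D + 1 (Falcon's ring); the doc writes x^d - 1


def poly_mul(a, b, negacyclic=NEGACYCLIC):
    """Schoolbook product of two coefficient lists modulo x^d + 1 (or x^d - 1)."""
    d = len(a)
    out = [0] * d
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < d:
                out[k] += ai * bj
            else:
                # x^d folds to -1 in the negacyclic ring and to +1 in the cyclic one
                out[k - d] += -ai * bj if negacyclic else ai * bj
    return out


def inf_norm(*polys):
    """Largest absolute coefficient over all given polynomials."""
    return max(abs(c) for p in polys for c in p)


def lift_witness(s1, s2, h, target, q):
    """Return v such that s1 + h*s2 + q*v - target == 0 over Z.

    Raises ValueError when s1 + h*s2 != target (mod q), i.e. the Falcon
    relation itself fails, so no such v exists.
    """
    t = [a + b - c for a, b, c in zip(s1, poly_mul(h, s2), target)]
    if any(c % q for c in t):
        raise ValueError("s1 + h*s2 != H(r,m) (mod q)")
    return [-(c // q) for c in t]   # exact division: every c is a multiple of q


def lifted_lhs(s1, s2, v, h, target, q):
    """Coefficients of s1 + h*s2 + q*v - target computed over Z (no reduction)."""
    return [a + b + q * c - t for a, b, c, t in zip(s1, poly_mul(h, s2), v, target)]


def coefficient_bound(s1, s2, v, h, target, q):
    """Triangle-inequality bound on |coeff| of the lifted lhs, from the
    infinity norms of the witnesses (s1, s2, v) and the public h and target.
    The h*s2 term dominates: h is only reduced mod q, so it is not small."""
    d = len(s1)
    return inf_norm(s1) + d * inf_norm(h) * inf_norm(s2) + q * inf_norm(v) + inf_norm(target)


def min_qprime(bound):
    """Smallest odd q' with bound < q'/2, so a lhs that is 0 mod q' is 0 over Z."""
    return 2 * bound + 1


def identity_forced_over_integers(s1, s2, v, h, target, q, qprime):
    """True iff the lhs vanishes mod q' AND q' is large enough that this
    cannot be a wrap-around, i.e. the identity genuinely holds over Z."""
    lhs = lifted_lhs(s1, s2, v, h, target, q)
    zero_mod_qprime = all(c % qprime == 0 for c in lhs)
    no_wrap = 2 * coefficient_bound(s1, s2, v, h, target, q) < qprime
    return zero_mod_qprime and no_wrap


def random_instance(seed=0, d=D, q=Q, small=3):
    """Constructed toy instance: random public h, small s1, s2, and a target
    defined so that the Falcon relation holds mod q (not a real signature)."""
    rng = random.Random(seed)
    h = [rng.randrange(q) for _ in range(d)]
    s1 = [rng.randint(-small, small) for _ in range(d)]
    s2 = [rng.randint(-small, small) for _ in range(d)]
    target = [(a + b) % q for a, b in zip(s1, poly_mul(h, s2))]
    return s1, s2, h, target


if __name__ == "__main__":
    s1, s2, h, target = random_instance()
    v = lift_witness(s1, s2, h, target, Q)
    bound = coefficient_bound(s1, s2, v, h, target, Q)
    print("lhs over Z:", lifted_lhs(s1, s2, v, h, target, Q))
    print("need q' >=", min_qprime(bound), "for this instance")
    print("q' = q ok?", identity_forced_over_integers(s1, s2, v, h, target, Q, Q))
    print("q' = bound-derived ok?",
          identity_forced_over_integers(s1, s2, v, h, target, Q, min_qprime(bound)))
```

Running the script shows the effect the reviewer describes: with the wrong witness `v = 0` the lifted expression equals a multiple of $q$, which is still zero mod $q' = q$ but not over the integers, and the check rejects it because the coefficient bound exceeds $q'/2$; only a modulus above the bound turns the mod-$q'$ identity into an integer identity.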
| @@ -0,0 +1,38 @@ | |||
| # Changing the Modulus & Norm Checks | |||
| Although Falcon and LaBRADOR were designed over a similar structure of a polynomial ring $\mathcal{R}\_{q} = Z_{q}\[ x \]/(x^{d}-1)$ of degree $d$ and modulus $q$, they both use different moduli. We will denote $q$ as the Falcon modulus and $q' > q$ as the LaBRADOR one. When using Falcon to sign a message $m$, the signer uses its secret key to obtain two small lattice vectors $(\mathbf{s}\_{i1}, \mathbf{s}\_{i2})$ such that: | |||
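Review bot: the ring on this line is written as $Z_{q}[x]/(x^{d}-1)$, but Falcon is specified over the cyclotomic ring $Z_{q}[x]/(x^{d}+1)$ with $d$ a power of two; confirm which polynomial is intended, because the later wrap-around argument depends on how the top coefficients fold (reduction by $x^{d}+1$ negates them, by $x^{d}-1$ it does not). The index $i$ in $(\mathbf{s}_{i1}, \mathbf{s}_{i2})$ is also never introduced in this file; say that it numbers the signatures being aggregated.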
What does
Originally, I used the
Since our implementation likely requires this
| $$\mathbf{s}\_{i1}+\mathbf{hs}\_{i2} = H(r,m) \mod q$$ | ||
| $$\lVert (\mathbf{s}\_{i1}, \mathbf{s}\_{i2}) \rVert_{2} \leq \beta$$ |
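Review bot: the norm check should say which object the $\ell_2$ norm is taken over (the concatenated vector $(\mathbf{s}_{i1}, \mathbf{s}_{i2})$ read as $2d$ integers, with coefficients in their centred representation mod $q$); without that, "$\leq \beta$" is ambiguous, and the later bound on $q'$ rests on this very quantity. A pointer to where $\beta$ comes from in the Falcon parameter set would make the two displayed conditions self-contained.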
- I suggest adding $\beta \ll q$.
- These two could be separated by a comma for better visualization.
| @@ -0,0 +1,38 @@ | |||
| # Changing the Modulus & Norm Checks | |||
| Although Falcon and LaBRADOR were designed over a similar structure of a polynomial ring $\mathcal{R}\_{q} = Z_{q}\[ x \]/(x^{d}-1)$ of degree $d$ and modulus $q$, they both use different moduli. We will denote $q$ as the Falcon modulus and $q' > q$ as the LaBRADOR one. When using Falcon to sign a message $m$, the signer uses its secret key to obtain two small lattice vectors $(\mathbf{s}\_{i1}, \mathbf{s}\_{i2})$ such that: | |||
I suggest adding some explanation about why
NiDimi left a comment
Latest changes look good
Documentation
This is the documentation for Aggregating Falcon Signatures with LaBRADOR.
Main Changes
`labrador_docs` for all LaBRADOR related documentation and `falcon_labrador_docs` for the new documentation. (closes Documentation for Aggregating Falcon Signatures with LaBRADOR #28)