From c87b8be1705119e2cc569ff71df87873b83b7822 Mon Sep 17 00:00:00 2001
From: mattsuffern
Date: Wed, 2 Apr 2025 14:19:14 -0300
Subject: [PATCH 1/8] rebasing on main
---
Cargo.lock | 4 ++
Cargo.toml | 3 +-
.../Changing-Modulus-Norm-Checks.md | 38 +++++++++++++++++++
doc/falcon_labrador_docs/mainpage-doc.md | 20 ++++++++++
.../reformulating-constraints.md | 18 +++++++++
.../doc => doc/labrador_docs}/aggregation.md | 0
.../labrador_docs}/ajtai_commitment.md | 0
.../doc => doc/labrador_docs}/amortization.md | 0
.../arithmetic_circuit_translation.md | 0
.../labrador_docs}/hierarchical_commitment.md | 0
.../doc => doc/labrador_docs}/mainpage-doc.md | 0
.../doc => doc/labrador_docs}/projections.md | 0
falcon_labrador/Cargo.toml | 9 +++++
falcon_labrador/src/lib.rs | 25 ++++++++++++
labrador/src/lib.rs | 14 +++---
15 files changed, 123 insertions(+), 8 deletions(-)
create mode 100644 doc/falcon_labrador_docs/Changing-Modulus-Norm-Checks.md
create mode 100644 doc/falcon_labrador_docs/mainpage-doc.md
create mode 100644 doc/falcon_labrador_docs/reformulating-constraints.md
rename {labrador/doc => doc/labrador_docs}/aggregation.md (100%)
rename {labrador/doc => doc/labrador_docs}/ajtai_commitment.md (100%)
rename {labrador/doc => doc/labrador_docs}/amortization.md (100%)
rename {labrador/doc => doc/labrador_docs}/arithmetic_circuit_translation.md (100%)
rename {labrador/doc => doc/labrador_docs}/hierarchical_commitment.md (100%)
rename {labrador/doc => doc/labrador_docs}/mainpage-doc.md (100%)
rename {labrador/doc => doc/labrador_docs}/projections.md (100%)
create mode 100644 falcon_labrador/Cargo.toml
create mode 100644 falcon_labrador/src/lib.rs
diff --git a/Cargo.lock b/Cargo.lock
index 9f3d49d..d4dec01 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -26,6 +26,10 @@ version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
+[[package]]
+name = "falcon_labrador"
+version = "0.1.0"
+
 [[package]]
 name = "getrandom"
 version = "0.3.1"
diff --git a/Cargo.toml b/Cargo.toml
index 6286f33..3b8b926 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -5,8 +5,9 @@ repository = "https://github.com/NethermindEth/LaBRADOR-rs"
 license = "Apache-2.0"
 [workspace]
-members = [
+members = [
     "labrador",
+    "falcon_labrador",
 ]
 resolver = "2"
 default-members = ["labrador"]
diff --git a/doc/falcon_labrador_docs/Changing-Modulus-Norm-Checks.md b/doc/falcon_labrador_docs/Changing-Modulus-Norm-Checks.md
new file mode 100644
index 0000000..2177dc1
--- /dev/null
+++ b/doc/falcon_labrador_docs/Changing-Modulus-Norm-Checks.md
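Review bot: `default-members = ["labrador"]`, the last context line of the Cargo.toml hunk, is left as it was, so a bare `cargo build`, `cargo test` or `cargo clippy` at the workspace root still builds only `labrador`; the new `falcon_labrador` member is compiled only with `--workspace` or `-p falcon_labrador`. If CI runs the bare commands, the new crate and its lints get no coverage at all; either extend the list, `default-members = ["labrador", "falcon_labrador"]`, or drop the key so every member is built by default. The `-members = [` / `+members = [` pair differs only in whitespace, presumably a trailing space; worth confirming it is intentional so the line does not churn again in a later patch.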
@@ -0,0 +1,38 @@ +# Changing the Modulus & Norm Checks + +Although Falcon and LaBRADOR were designed over a similar structure of a polynomial ring $\mathcal{R}\_{q} = Z_{q}\[ x \]/(x^{d}-1)$ of degree $d$ and modulus $q$, they both use different moduli. We will denote $q$ as the Falcon modulus and $q' > q$ as the LaBRADOR one. When using Falcon to sign a message $m$, the signer uses its secret key to obtain two small lattice vectors $(s_{1}, s_{2})$ such that: +$$s_{1}+hs_{2} = H(r,m) \mod q$$ +$$\lVert (s_{1}, s_{2}) \rVert_{2} \leq \beta$$ +Where $H()$ is a hash function, $h$ is the public key, and $r \in \\{0, 1\\}^{320}$ is a random salt. + +It's important to notice these equations are valid $\mod q$, which means they may not be valid $\mod q'$. So, in order to make an equivalent version of these constraints but in the LaBRADOR ring, we will find an equivalent restriction over $\mathcal{R}$. Since the validity of a restriction being equal to zero in $\mathcal{R}$ should still hold under some modulus wrapping in $\mathcal{R}\_{q^{'}}$. In order for the restrictions to hold in $\mathcal{R}$, we would like intuitively that $(s_{1}, s_{2})$ will be "small enough" that they would not wrap around over the $q'$ modulus. Since we are not in control of the size of $(s_{1}, s_{2})$, the main idea behind this will be to slightly modify the restrictions from Falcon so that we can guarantee that for a large enough $q'$, they will still be valid over this new ring. + +For the first restriction, we know from Falcon that it must be valid in $\mathcal{R}\_{q}$. This isn't necessarily valid in $\mathcal{R}$. In order to force it to be valid, we will add an extra witness $v_{i} \in \mathcal{R}\_{q'}$, leaving us with this restriction over $\mathcal{R}$: +$$s_{1}+hs_{2}+qv_{i} - H(r,m) = 0$$ + +Since adding multiples of $q$ to the restriction doesn't affect the original formulation $\mod q$, then this restriction continues to be valid in $\mathcal{R}\_{q}$. 
In order to answer how big $q'$ needs to be so that the witness vectors (including the new one) don't wrap around, we need to prove that the witnesses are small enough. + +Now, in order to find an equivalent restriction for the restriction on the size of the witnesses, we will rewrite $\lVert (s_{1}, s_{2}) \rVert_{2} \leq \beta$ as: +$$\lVert s_{1}\rVert^{2}+ \lVert s_{2}\rVert^{2} \leq \beta^{2}$$ +Where $\lVert . \rVert$ is still the Euclidean norm. Because we know that $\beta^{2} - \lVert s_{1}\rVert^{2} - \lVert s_{2}\rVert^{2}$ is non-negative, we can use Lagrange’s four-square theorem to rewrite it as a sum of four squared numbers $\epsilon_{0}^{2}, \epsilon_{1}^{2}, \epsilon_{2}^{2}, \epsilon_{3}^{2}$. + +Because all dot product constraints in LaBRADOR are of the form: +$$ +f(\mathbf{\bar{s}})=0 \text{ or } ct(f(\mathbf{\bar{s}})) = 0 +$$ +we can rewrite now the restriction on the size of the witnesses in the accepted format by writing $\epsilon_{0}, \epsilon_{1}X, \epsilon_{2}X^{2}, \epsilon_{3}X^{3} = \epsilon$ and: +$$ ct(\sigma_{-1}(\epsilon)\epsilon - (\beta^{2}-\sigma_{-1}(s_{1})s_{1}-\sigma_{-1}(s_{2})s_{2})) = 0 \mod q' $$ +where $\sigma_{-1}$ is the conjugation automorphism. The validity of this dot constraint over $q'$ tells us the bound is valid since the existence of the polynomial $\epsilon$ that follows such constraints implies that $\beta^{2} - \lVert s_{1}\rVert^{2} - \lVert s_{2}\rVert^{2}$ is non-negative. + +Besides this new dot constraint, in order to show that both the automorphisms and the epsilon polynomial were correctly calculated inside the constraint, we will need to add small extra dot product constraints. + +For the conjugated automorphism, since it involves a permutation of the polynomial's coefficients and a change of sign, it will suffice to check for each element that the permutation was done correctly as well as the sign change. 
In the case of the epsilon polynomial, one would only need to check the degree is at most $4$ by checking all other coefficients $\epsilon_{4} \dots \epsilon_{d-1}$ to be zero. For both cases, checking an element of a polynomial is equal to some element $b$ or to some element from another polynomial $c$ can be written as a dot product in this way: + +$$ct(\sigma_{-1}(X^{j})a -b) = 0 \mod q'$$ +$$ct(\sigma_{-1}(X^{j})a -\sigma_{-1}(X^{k})c) = 0 \mod q'$$ + + + + + + diff --git a/doc/falcon_labrador_docs/mainpage-doc.md b/doc/falcon_labrador_docs/mainpage-doc.md new file mode 100644 index 0000000..dfbc550 --- /dev/null +++ b/doc/falcon_labrador_docs/mainpage-doc.md 
@@ -0,0 +1,20 @@ +# Aggregating Falcon Signatures with LaBRADOR + +This is the code implementation of "Aggregating Falcon Signatures with LaBRADOR." A non-interactive version of LaBRADOR, utilizing the Fiat-Shamir heuristic, that allows for a significant reduction in proof sizes within a signature aggregation scheme, compared to a basic concatenation procedure, while still relying on the security of standard lattice problems. + +These notes serve as a friendly introduction to the protocol and a prototype for the documentation. They are based on the assumption that one has already implemented Falcon and the original interactive version of LaBRADOR. + +The main idea is to define a signature aggregation scheme (AS) for Falcon based on the use of a succinct non-interactive argument of knowledge (SNARK), where we can set the signatures as witnesses and the messages and public keys as statements. This would allow for a non-sequential signature aggregation scheme, allowing zero interaction between signers. Additionally, the succinctness of the SNARK is perfect for bandwidth bottleneck situations, such as in blockchain. This code is an adaptation of LaBRADOR to function with Falcon for AS. + +## Overview + +The implemented changes consist of the following steps: +- Changing the Modulus & Norm Checks +- Reformulating Constraints +- Working over Subring + + + + +## Notation +We will use an upper bar $\bar{s}$ for vectors, lowercase $s$ for scalars, uppercase $S$ for matrices, and boldface letters for elements $\mathbf{s} \in \mathbb{Z}_q\[x\] / (x^d + 1)$, unless explicitly noted. diff --git a/doc/falcon_labrador_docs/reformulating-constraints.md b/doc/falcon_labrador_docs/reformulating-constraints.md new file mode 100644 index 0000000..4499821 --- /dev/null +++ b/doc/falcon_labrador_docs/reformulating-constraints.md 
@@ -0,0 +1,18 @@ +# Reformulating Constraints +In order to achieve an improvement in computational complexity, witnesses will be rewritten via a padding scheme. This new format, although increasing both in size and in the number of dot product constraints that are required, will significantly reduce the need for garbage polynomials, thereby providing a general increase in speed. + +## Padding Scheme +In this padding scheme, witness elements $w_{1} \dots w_{N}$ $\in \mathcal{R}_{q\^{'}}$ along with other elements $w_{1}^{'} \dots w_{N}^{'} \in \mathcal{R}_{q\^{'}}$ are such that $\lVert w_{i} \rVert_{2}^{2} = ct(w_{i}' w_{i})$ + +(An example of $w_{i}'$ being the conjugate automorphism of $w_{i}$) can be rewritten as vectors of the form $\vec{u}_{1}, \dots, \vec{u}_{\lceil N/\rho \rceil} \in \mathcal{R}_{q'}^{N}$ and $\vec{u}_{1}', \dots, \vec{u}_{\lceil N/\rho \rceil}' \in \mathcal{R}_{q'}^{N}$ respectively, where $\rho = \lfloor \sqrt{N} \rfloor$. + +After following the padding equations described in the paper, we can think of each vector $\vec{u}_{i}$ as a vector filled with zeros except for some locations where the original witness polynomials will be located: $[0, 0, 0, \dots, w_{2\rho +1}, \dots, w_{3\rho}, \dots, 0, 0]$. We can access each old witness polynomial using the index functions of the form: +$$ index(i) = \lceil i/\rho \rceil $$ +$$ index'(i) = ((i-1) \mod \rho) + 1 $$ + +for $u_{i}$ and $u_{i}'$ respectively. From this, it follows that we can write $\lVert w_{i} \rVert_{2}^{2} = ct(w_{i}'w_{i}) = ct(\langle \vec{u}_{index'(i)}', \vec{u}_{index(i)} \rangle)$. + +Beyond adding dot product restrictions to check each zero element of the new witness vectors, we will also rewrite all the restrictions using the new witnesses as well as the index function. 
In order to rewrite the constraints, there will be extensive use of $\delta_{i} \in \mathcal{R}_{q'}^{N}$, the vector with the $i$-th entry as $1$ (the identity of the ring) and all other elements as $0$. +As an example, we can rewrite Falcon's restrictions as: +$$ \langle \delta_{i}, \vec{u}_{index(i)} \rangle + \langle h_{i} \delta_{i}, \vec{u}_{index(i)} \rangle + \langle q \delta_{i}, v \rangle - t_{i} = 0 $$ + diff --git a/labrador/doc/aggregation.md b/doc/labrador_docs/aggregation.md similarity index 100% rename from labrador/doc/aggregation.md rename to doc/labrador_docs/aggregation.md diff --git a/labrador/doc/ajtai_commitment.md b/doc/labrador_docs/ajtai_commitment.md similarity index 100% rename from labrador/doc/ajtai_commitment.md rename to doc/labrador_docs/ajtai_commitment.md diff --git a/labrador/doc/amortization.md b/doc/labrador_docs/amortization.md similarity index 100% rename from labrador/doc/amortization.md rename to doc/labrador_docs/amortization.md diff --git a/labrador/doc/arithmetic_circuit_translation.md b/doc/labrador_docs/arithmetic_circuit_translation.md similarity index 100% rename from labrador/doc/arithmetic_circuit_translation.md rename to doc/labrador_docs/arithmetic_circuit_translation.md diff --git a/labrador/doc/hierarchical_commitment.md b/doc/labrador_docs/hierarchical_commitment.md similarity index 100% rename from labrador/doc/hierarchical_commitment.md rename to doc/labrador_docs/hierarchical_commitment.md diff --git a/labrador/doc/mainpage-doc.md b/doc/labrador_docs/mainpage-doc.md similarity index 100% rename from labrador/doc/mainpage-doc.md rename to doc/labrador_docs/mainpage-doc.md diff --git a/labrador/doc/projections.md b/doc/labrador_docs/projections.md similarity index 100% rename from labrador/doc/projections.md rename to doc/labrador_docs/projections.md diff --git a/falcon_labrador/Cargo.toml b/falcon_labrador/Cargo.toml new file mode 100644 index 0000000..312e940 --- /dev/null +++ b/falcon_labrador/Cargo.toml 
@@ -0,0 +1,9 @@
+[package]
+name = "falcon_labrador"
+version.workspace = true
+edition.workspace = true
+repository.workspace = true
+license.workspace = true
+
+[dependencies]
+
diff --git a/falcon_labrador/src/lib.rs b/falcon_labrador/src/lib.rs
new file mode 100644
index 0000000..60bd388
--- /dev/null
+++ b/falcon_labrador/src/lib.rs
@@ -0,0 +1,25 @@
+// Documentation
+
+// Main Introduction
+
+#![forbid(unsafe_code)]
+#![deny(clippy::as_conversions)]
+#![doc = include_str!("../../doc/falcon_labrador_docs/mainpage-doc.md")]
+#![doc = include_str!("../../doc/falcon_labrador_docs/Changing-Modulus-Norm-Checks.md")]
+#![doc = include_str!("../../doc/falcon_labrador_docs/reformulating-constraints.md")]
+
+///Example function
+pub fn add(left: u64, right: u64) -> u64 {
+    left + right
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn it_works() {
+        let result = add(2, 2);
+        assert_eq!(result, 4);
+    }
+}
diff --git a/labrador/src/lib.rs b/labrador/src/lib.rs
index 525f7f1..2bd2616 100644
--- a/labrador/src/lib.rs
+++ b/labrador/src/lib.rs
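Review bot: The `#![doc = include_str!("../../doc/falcon_labrador_docs/...")]` attributes reach two directories above the crate root, so `cargo package` / `cargo publish`, which only bundle files under the package directory, would fail at the verification build for this crate; the path rewrite in the `labrador/src/lib.rs` hunk that follows has the same problem. If either crate is ever meant to be published, keep its pages under the crate directory (the `labrador/doc` layout this series moves away from) or state in the README that the crates build only inside the workspace. Separately, the included `mainpage-doc.md` lists three steps but only the first two chapters are included here; `working_over_subring.md`, created later in the series, is not added to this include list in any visible patch, so the crate docs will advertise a section they do not contain. Once that file exists, add `#![doc = include_str!("../../doc/falcon_labrador_docs/working_over_subring.md")]` after the `reformulating-constraints.md` line.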
@@ -3,19 +3,19 @@
 // Main Introduction
 #![forbid(unsafe_code)]
 #![deny(clippy::as_conversions)]
-#![doc = include_str!("../doc/mainpage-doc.md")]
+#![doc = include_str!("../../doc/labrador_docs/mainpage-doc.md")]
 // Arithmetic Circuit Translation
-#![doc = include_str!("../doc/arithmetic_circuit_translation.md")]
+#![doc = include_str!("../../doc/labrador_docs/arithmetic_circuit_translation.md")]
 // Ajtai Commitment
-#![doc = include_str!("../doc/ajtai_commitment.md")]
+#![doc = include_str!("../../doc/labrador_docs/ajtai_commitment.md")]
 // Hierarchical Commitment
-#![doc = include_str!("../doc/hierarchical_commitment.md")]
+#![doc = include_str!("../../doc/labrador_docs/hierarchical_commitment.md")]
 // Projections
-#![doc = include_str!("../doc/projections.md")]
+#![doc = include_str!("../../doc/labrador_docs/projections.md")]
 // Aggregation
-#![doc = include_str!("../doc/aggregation.md")]
+#![doc = include_str!("../../doc/labrador_docs/aggregation.md")]
 // Amortization
-#![doc = include_str!("../doc/amortization.md")]
+#![doc = include_str!("../../doc/labrador_docs/amortization.md")]
 pub mod rq;
From 2ac6c592bba5f76c3d20b4e0a0e54ab8668265fe Mon Sep 17 00:00:00 2001
From: mattsuffern
Date: Wed, 2 Apr 2025 18:09:05 -0300
Subject: [PATCH 2/8] latex fixed
---
.../Changing-Modulus-Norm-Checks.md | 24 +++++++++----------
.../reformulating-constraints.md | 14 +++++------
2 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/doc/falcon_labrador_docs/Changing-Modulus-Norm-Checks.md b/doc/falcon_labrador_docs/Changing-Modulus-Norm-Checks.md
index 2177dc1..7683b4f 100644
--- a/doc/falcon_labrador_docs/Changing-Modulus-Norm-Checks.md
+++ b/doc/falcon_labrador_docs/Changing-Modulus-Norm-Checks.md
@@ -1,28 +1,28 @@ # Changing the Modulus & Norm Checks -Although Falcon and LaBRADOR were designed over a similar structure of a polynomial ring $\mathcal{R}\_{q} = Z_{q}\[ x \]/(x^{d}-1)$ of degree $d$ and modulus $q$, they both use different moduli. We will denote $q$ as the Falcon modulus and $q' > q$ as the LaBRADOR one. When using Falcon to sign a message $m$, the signer uses its secret key to obtain two small lattice vectors $(s_{1}, s_{2})$ such that: -$$s_{1}+hs_{2} = H(r,m) \mod q$$ -$$\lVert (s_{1}, s_{2}) \rVert_{2} \leq \beta$$ -Where $H()$ is a hash function, $h$ is the public key, and $r \in \\{0, 1\\}^{320}$ is a random salt. +Although Falcon and LaBRADOR were designed over a similar structure of a polynomial ring $\mathcal{R}\_{q} = Z_{q}\[ x \]/(x^{d}-1)$ of degree $d$ and modulus $q$, they both use different moduli. We will denote $q$ as the Falcon modulus and $q' > q$ as the LaBRADOR one. When using Falcon to sign a message $m$, the signer uses its secret key to obtain two small lattice vectors $(\mathbf{s}\_{i1}, \mathbf{s}\_{i2})$ such that: +$$\mathbf{s}\_{i1}+\mathbf{hs}\_{i2} = H(r,m) \mod q$$ +$$\lVert (\mathbf{s}\_{i1}, \mathbf{s}\_{i2}) \rVert_{2} \leq \beta$$ +Where $H()$ is a hash function, $\mathbf{h}$ is the public key, and $r \in \\{0, 1\\}^{320}$ is a random salt. -It's important to notice these equations are valid $\mod q$, which means they may not be valid $\mod q'$. So, in order to make an equivalent version of these constraints but in the LaBRADOR ring, we will find an equivalent restriction over $\mathcal{R}$. Since the validity of a restriction being equal to zero in $\mathcal{R}$ should still hold under some modulus wrapping in $\mathcal{R}\_{q^{'}}$. In order for the restrictions to hold in $\mathcal{R}$, we would like intuitively that $(s_{1}, s_{2})$ will be "small enough" that they would not wrap around over the $q'$ modulus. 
Since we are not in control of the size of $(s_{1}, s_{2})$, the main idea behind this will be to slightly modify the restrictions from Falcon so that we can guarantee that for a large enough $q'$, they will still be valid over this new ring. +It's important to notice these equations are valid mod $q$, which means they may not be valid mod $q'$. So, in order to make an equivalent version of these constraints but in the LaBRADOR ring, we will find an equivalent restriction over $\mathcal{R}$. Since the validity of a restriction being equal to zero in $\mathcal{R}$ should still hold under some modulus wrapping in $\mathcal{R}\_{q^{'}}$. In order for the restrictions to hold in $\mathcal{R}$, we would like intuitively that $(\mathbf{s}\_{i1}, \mathbf{s}\_{i2})$ will be "small enough" that they would not wrap around over the $q'$ modulus. Since we are not in control of the size of $(\mathbf{s}\_{i1}, \mathbf{s}\_{i2})$, the main idea behind this will be to slightly modify the restrictions from Falcon so that we can guarantee that for a large enough $q'$, they will still be valid over this new ring. For the first restriction, we know from Falcon that it must be valid in $\mathcal{R}\_{q}$. This isn't necessarily valid in $\mathcal{R}$. In order to force it to be valid, we will add an extra witness $v_{i} \in \mathcal{R}\_{q'}$, leaving us with this restriction over $\mathcal{R}$: -$$s_{1}+hs_{2}+qv_{i} - H(r,m) = 0$$ +$$\mathbf{s}\_{i1}+\mathbf{hs}\_{i2}+qv_{i} - H(r,m) = 0$$ Since adding multiples of $q$ to the restriction doesn't affect the original formulation $\mod q$, then this restriction continues to be valid in $\mathcal{R}\_{q}$. In order to answer how big $q'$ needs to be so that the witness vectors (including the new one) don't wrap around, we need to prove that the witnesses are small enough. 
-Now, in order to find an equivalent restriction for the restriction on the size of the witnesses, we will rewrite $\lVert (s_{1}, s_{2}) \rVert_{2} \leq \beta$ as: -$$\lVert s_{1}\rVert^{2}+ \lVert s_{2}\rVert^{2} \leq \beta^{2}$$ -Where $\lVert . \rVert$ is still the Euclidean norm. Because we know that $\beta^{2} - \lVert s_{1}\rVert^{2} - \lVert s_{2}\rVert^{2}$ is non-negative, we can use Lagrange’s four-square theorem to rewrite it as a sum of four squared numbers $\epsilon_{0}^{2}, \epsilon_{1}^{2}, \epsilon_{2}^{2}, \epsilon_{3}^{2}$. +Now, in order to find an equivalent restriction for the restriction on the size of the witnesses, we will rewrite $\lVert (\mathbf{s}\_{i1}, \mathbf{s}\_{i2}) \rVert_{2} \leq \beta$ as: +$$\lVert \mathbf{s}\_{i1}\rVert^{2}+ \lVert \mathbf{s}\_{2}\rVert^{2} \leq \beta^{2}$$ +Where $\lVert . \rVert$ is still the Euclidean norm. Because we know that $\beta^{2} - \lVert \mathbf{s}\_{i1}\rVert^{2} - \lVert \mathbf{s}\_{i2}\rVert^{2}$ is non-negative, we can use Lagrange’s four-square theorem to rewrite it as a sum of four squared numbers $\epsilon_{0}^{2}, \epsilon_{1}^{2}, \epsilon_{2}^{2}, \epsilon_{3}^{2}$. Because all dot product constraints in LaBRADOR are of the form: $$ -f(\mathbf{\bar{s}})=0 \text{ or } ct(f(\mathbf{\bar{s}})) = 0 +f(\mathbf{\bar{\mathbf{s}}})=0 \text{ or } ct(f(\mathbf{\bar{\mathbf{s}}})) = 0 $$ we can rewrite now the restriction on the size of the witnesses in the accepted format by writing $\epsilon_{0}, \epsilon_{1}X, \epsilon_{2}X^{2}, \epsilon_{3}X^{3} = \epsilon$ and: -$$ ct(\sigma_{-1}(\epsilon)\epsilon - (\beta^{2}-\sigma_{-1}(s_{1})s_{1}-\sigma_{-1}(s_{2})s_{2})) = 0 \mod q' $$ -where $\sigma_{-1}$ is the conjugation automorphism. The validity of this dot constraint over $q'$ tells us the bound is valid since the existence of the polynomial $\epsilon$ that follows such constraints implies that $\beta^{2} - \lVert s_{1}\rVert^{2} - \lVert s_{2}\rVert^{2}$ is non-negative. 
+$$ ct(\sigma_{-1}(\epsilon)\epsilon - (\beta^{2}-\sigma_{-1}(\mathbf{s}\_{i1})\mathbf{s}\_{i1}-\sigma_{-1}(\mathbf{s}\_{i2})\mathbf{s}\_{i2})) = 0 \mod q' $$ +where $\sigma_{-1}$ is the conjugation automorphism. The validity of this dot constraint over $q'$ tells us the bound is valid since the existence of the polynomial $\epsilon$ that follows such constraints implies that $\beta^{2} - \lVert \mathbf{s}\_{i1}\rVert^{2} - \lVert \mathbf{s}\_{i2}\rVert^{2}$ is non-negative. Besides this new dot constraint, in order to show that both the automorphisms and the epsilon polynomial were correctly calculated inside the constraint, we will need to add small extra dot product constraints. diff --git a/doc/falcon_labrador_docs/reformulating-constraints.md b/doc/falcon_labrador_docs/reformulating-constraints.md index 4499821..bde83cb 100644 --- a/doc/falcon_labrador_docs/reformulating-constraints.md +++ b/doc/falcon_labrador_docs/reformulating-constraints.md 
@@ -2,17 +2,17 @@ In order to achieve an improvement in computational complexity, witnesses will be rewritten via a padding scheme. This new format, although increasing both in size and in the number of dot product constraints that are required, will significantly reduce the need for garbage polynomials, thereby providing a general increase in speed. ## Padding Scheme -In this padding scheme, witness elements $w_{1} \dots w_{N}$ $\in \mathcal{R}_{q\^{'}}$ along with other elements $w_{1}^{'} \dots w_{N}^{'} \in \mathcal{R}_{q\^{'}}$ are such that $\lVert w_{i} \rVert_{2}^{2} = ct(w_{i}' w_{i})$ +In this padding scheme, witness elements $w\_{1} \dots w\_{N}$ $\in \mathcal{R}\_{q\^{'}}$ along with other elements $w\_{1}\^{'} \dots w\_{N}\^{'} \in \mathcal{R}\_{q\^{'}}$ are such that $\lVert w\_{i} \rVert\_{2}\^{2} = ct(w\_{i}' w\_{i})$. -(An example of $w_{i}'$ being the conjugate automorphism of $w_{i}$) can be rewritten as vectors of the form $\vec{u}_{1}, \dots, \vec{u}_{\lceil N/\rho \rceil} \in \mathcal{R}_{q'}^{N}$ and $\vec{u}_{1}', \dots, \vec{u}_{\lceil N/\rho \rceil}' \in \mathcal{R}_{q'}^{N}$ respectively, where $\rho = \lfloor \sqrt{N} \rfloor$. +(An example of $w\_{i}'$ being the conjugate automorphism of $w\_{i}$) can be rewritten as vectors of the form $\vec{u}\_{1}, \dots, \vec{u}\_{\lceil N \rho \rceil} \in \mathcal{R}\_{q'}\^{N}$ and $\vec{u}\_{1}', \dots, \vec{u}\_{\lceil N \rho \rceil}' \in \mathcal{R}\_{q'}\^{N}$ respectively, where $\rho = \lfloor \sqrt{N} \rfloor$. -After following the padding equations described in the paper, we can think of each vector $\vec{u}_{i}$ as a vector filled with zeros except for some locations where the original witness polynomials will be located: $[0, 0, 0, \dots, w_{2\rho +1}, \dots, w_{3\rho}, \dots, 0, 0]$. 
We can access each old witness polynomial using the index functions of the form: -$$ index(i) = \lceil i/\rho \rceil $$ +After following the padding equations described in the paper, we can think of each vector $\vec{u}\_{i}$ as a vector filled with zeros except for some locations where the original witness polynomials will be located: $\[0, 0, 0, \dots, w_{2\rho +1}, \dots, w_{3\rho}, \dots, 0, 0\]$. We can access each old witness polynomial using the index functions of the form: +$$ index(i) = \lceil i \rho \rceil $$ $$ index'(i) = ((i-1) \mod \rho) + 1 $$ -for $u_{i}$ and $u_{i}'$ respectively. From this, it follows that we can write $\lVert w_{i} \rVert_{2}^{2} = ct(w_{i}'w_{i}) = ct(\langle \vec{u}_{index'(i)}', \vec{u}_{index(i)} \rangle)$. +for $u\_{i}$ and $u\_{i}'$ respectively. From this, it follows that we can write $\lVert w\_{i} \rVert\_{2}\^{2} = ct(w\_{i}'w\_{i}) = ct(\langle \vec{u}\_{index'(i)}', \vec{u}\_{index(i)} \rangle)$. -Beyond adding dot product restrictions to check each zero element of the new witness vectors, we will also rewrite all the restrictions using the new witnesses as well as the index function. In order to rewrite the constraints, there will be extensive use of $\delta_{i} \in \mathcal{R}_{q'}^{N}$, the vector with the $i$-th entry as $1$ (the identity of the ring) and all other elements as $0$. +Beyond adding dot product restrictions to check each zero element of the new witness vectors, we will also rewrite all the restrictions using the new witnesses as well as the index function. In order to rewrite the constraints, there will be extensive use of $\delta\_{i} \in \mathcal{R}\_{q'}\^{N}$, the vector with the $i$-th entry as $1$ (the identity of the ring) and all other elements as $0$. 
As an example, we can rewrite Falcon's restrictions as: -$$ \langle \delta_{i}, \vec{u}_{index(i)} \rangle + \langle h_{i} \delta_{i}, \vec{u}_{index(i)} \rangle + \langle q \delta_{i}, v \rangle - t_{i} = 0 $$ +$$ \langle \delta\_{i}, \vec{u}\_{index(i)} \rangle + \langle h\_{i} \delta\_{i}, \vec{u}\_{index(i)} \rangle + \langle q \delta\_{i}, v \rangle - t\_{i} = 0 $$ From f8acacbe8d47291814736dbd82dfb05f07c8a19e Mon Sep 17 00:00:00 2001 From: mattsuffern Date: Wed, 2 Apr 2025 19:13:43 -0300 Subject: [PATCH 3/8] latex space errors fixed --- doc/falcon_labrador_docs/Changing-Modulus-Norm-Checks.md | 2 +- doc/falcon_labrador_docs/reformulating-constraints.md | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/falcon_labrador_docs/Changing-Modulus-Norm-Checks.md b/doc/falcon_labrador_docs/Changing-Modulus-Norm-Checks.md index 7683b4f..5bac284 100644 --- a/doc/falcon_labrador_docs/Changing-Modulus-Norm-Checks.md +++ b/doc/falcon_labrador_docs/Changing-Modulus-Norm-Checks.md 
@@ -21,7 +21,7 @@ $$ f(\mathbf{\bar{\mathbf{s}}})=0 \text{ or } ct(f(\mathbf{\bar{\mathbf{s}}})) = 0 $$ we can rewrite now the restriction on the size of the witnesses in the accepted format by writing $\epsilon_{0}, \epsilon_{1}X, \epsilon_{2}X^{2}, \epsilon_{3}X^{3} = \epsilon$ and: -$$ ct(\sigma_{-1}(\epsilon)\epsilon - (\beta^{2}-\sigma_{-1}(\mathbf{s}\_{i1})\mathbf{s}\_{i1}-\sigma_{-1}(\mathbf{s}\_{i2})\mathbf{s}\_{i2})) = 0 \mod q' $$ +$$ct(\sigma_{-1}(\epsilon)\epsilon - (\beta^{2}-\sigma_{-1}(\mathbf{s}\_{i1})\mathbf{s}\_{i1}-\sigma_{-1}(\mathbf{s}\_{i2})\mathbf{s}\_{i2})) = 0 \mod q'$$ where $\sigma_{-1}$ is the conjugation automorphism. The validity of this dot constraint over $q'$ tells us the bound is valid since the existence of the polynomial $\epsilon$ that follows such constraints implies that $\beta^{2} - \lVert \mathbf{s}\_{i1}\rVert^{2} - \lVert \mathbf{s}\_{i2}\rVert^{2}$ is non-negative. Besides this new dot constraint, in order to show that both the automorphisms and the epsilon polynomial were correctly calculated inside the constraint, we will need to add small extra dot product constraints. diff --git a/doc/falcon_labrador_docs/reformulating-constraints.md b/doc/falcon_labrador_docs/reformulating-constraints.md index bde83cb..6232a4d 100644 --- a/doc/falcon_labrador_docs/reformulating-constraints.md +++ b/doc/falcon_labrador_docs/reformulating-constraints.md 
@@ -7,12 +7,12 @@ In this padding scheme, witness elements $w\_{1} \dots w\_{N}$ $\in \mathcal{R}\ (An example of $w\_{i}'$ being the conjugate automorphism of $w\_{i}$) can be rewritten as vectors of the form $\vec{u}\_{1}, \dots, \vec{u}\_{\lceil N \rho \rceil} \in \mathcal{R}\_{q'}\^{N}$ and $\vec{u}\_{1}', \dots, \vec{u}\_{\lceil N \rho \rceil}' \in \mathcal{R}\_{q'}\^{N}$ respectively, where $\rho = \lfloor \sqrt{N} \rfloor$. After following the padding equations described in the paper, we can think of each vector $\vec{u}\_{i}$ as a vector filled with zeros except for some locations where the original witness polynomials will be located: $\[0, 0, 0, \dots, w_{2\rho +1}, \dots, w_{3\rho}, \dots, 0, 0\]$. We can access each old witness polynomial using the index functions of the form: -$$ index(i) = \lceil i \rho \rceil $$ -$$ index'(i) = ((i-1) \mod \rho) + 1 $$ +$$index(i) = \lceil i \rho \rceil$$ +$$index'(i) = ((i-1) \mod \rho) + 1$$ for $u\_{i}$ and $u\_{i}'$ respectively. From this, it follows that we can write $\lVert w\_{i} \rVert\_{2}\^{2} = ct(w\_{i}'w\_{i}) = ct(\langle \vec{u}\_{index'(i)}', \vec{u}\_{index(i)} \rangle)$. Beyond adding dot product restrictions to check each zero element of the new witness vectors, we will also rewrite all the restrictions using the new witnesses as well as the index function. In order to rewrite the constraints, there will be extensive use of $\delta\_{i} \in \mathcal{R}\_{q'}\^{N}$, the vector with the $i$-th entry as $1$ (the identity of the ring) and all other elements as $0$. As an example, we can rewrite Falcon's restrictions as: -$$ \langle \delta\_{i}, \vec{u}\_{index(i)} \rangle + \langle h\_{i} \delta\_{i}, \vec{u}\_{index(i)} \rangle + \langle q \delta\_{i}, v \rangle - t\_{i} = 0 $$ +$$\langle \delta\_{i}, \vec{u}\_{index(i)} \rangle + \langle h\_{i} \delta\_{i}, \vec{u}\_{index(i)} \rangle + \langle q \delta\_{i}, v \rangle - t\_{i} = 0$$ 
From 80f6c785a39f4b1c5807ac246a0de8be82cdd5b5 Mon Sep 17 00:00:00 2001
From: mattsuffern
Date: Fri, 4 Apr 2025 11:33:42 -0300
Subject: [PATCH 4/8] new markdown for working over subrings
---
doc/falcon_labrador_docs/reformulating-constraints.md | 4 +---
doc/falcon_labrador_docs/working_over_subring.md | 3 +++
2 files changed, 4 insertions(+), 3 deletions(-)
create mode 100644 doc/falcon_labrador_docs/working_over_subring.md
diff --git a/doc/falcon_labrador_docs/reformulating-constraints.md b/doc/falcon_labrador_docs/reformulating-constraints.md
index 6232a4d..6e0b484 100644
--- a/doc/falcon_labrador_docs/reformulating-constraints.md
+++ b/doc/falcon_labrador_docs/reformulating-constraints.md
@@ -2,9 +2,7 @@ In order to achieve an improvement in computational complexity, witnesses will be rewritten via a padding scheme. This new format, although increasing both in size and in the number of dot product constraints that are required, will significantly reduce the need for garbage polynomials, thereby providing a general increase in speed. ## Padding Scheme -In this padding scheme, witness elements $w\_{1} \dots w\_{N}$ $\in \mathcal{R}\_{q\^{'}}$ along with other elements $w\_{1}\^{'} \dots w\_{N}\^{'} \in \mathcal{R}\_{q\^{'}}$ are such that $\lVert w\_{i} \rVert\_{2}\^{2} = ct(w\_{i}' w\_{i})$. - -(An example of $w\_{i}'$ being the conjugate automorphism of $w\_{i}$) can be rewritten as vectors of the form $\vec{u}\_{1}, \dots, \vec{u}\_{\lceil N \rho \rceil} \in \mathcal{R}\_{q'}\^{N}$ and $\vec{u}\_{1}', \dots, \vec{u}\_{\lceil N \rho \rceil}' \in \mathcal{R}\_{q'}\^{N}$ respectively, where $\rho = \lfloor \sqrt{N} \rfloor$. +In this padding scheme, witness elements $w\_{1} \dots w\_{N}$ $\in \mathcal{R}\_{q\^{'}}$ along with other elements $w\_{1}\^{'} \dots w\_{N}\^{'} \in \mathcal{R}\_{q\^{'}}$ are such that $\lVert w\_{i} \rVert\_{2}\^{2} = ct(w\_{i}' w\_{i})$ (An example of $w\_{i}'$ being the conjugate automorphism of $w\_{i}$) can be rewritten as vectors of the form $\vec{u}\_{1}, \dots, \vec{u}\_{\lceil N \rho \rceil} \in \mathcal{R}\_{q'}\^{N}$ and $\vec{u}\_{1}', \dots, \vec{u}\_{\lceil N \rho \rceil}' \in \mathcal{R}\_{q'}\^{N}$ respectively, where $\rho = \lfloor \sqrt{N} \rfloor$. After following the padding equations described in the paper, we can think of each vector $\vec{u}\_{i}$ as a vector filled with zeros except for some locations where the original witness polynomials will be located: $\[0, 0, 0, \dots, w_{2\rho +1}, \dots, w_{3\rho}, \dots, 0, 0\]$. We can access each old witness polynomial using the index functions of the form: $$index(i) = \lceil i \rho \rceil$$ 
diff --git a/doc/falcon_labrador_docs/working_over_subring.md b/doc/falcon_labrador_docs/working_over_subring.md new file mode 100644 index 0000000..58998d5 --- /dev/null +++ b/doc/falcon_labrador_docs/working_over_subring.md @@ -0,0 +1,3 @@ +# Working over Subring + +In order to improve proof sizes even more, we will re formualte our constrains over a subring of smaller degree $d' = \frac{d}{c}$ for some appropiate $c$. We will call this subspace as $\mathbf(S)$. From f9a577f3320c33f1cbc375f72916d037cbd2e574 Mon Sep 17 00:00:00 2001 From: mattsuffern Date: Mon, 7 Apr 2025 22:10:40 -0300 Subject: [PATCH 5/8] Readme and typo fixed --- README.md | 8 +++++++- .../Changing-Modulus-Norm-Checks.md | 2 +- falcon_labrador/src/lib.rs | 16 ---------------- 3 files changed, 8 insertions(+), 18 deletions(-) diff --git a/README.md b/README.md index 6bf1dde..e6bf76a 100644 --- a/README.md +++ b/README.md @@ -39,7 +39,13 @@ Docs for `labrador`: ```sh RUSTDOCFLAGS="--html-in-header katex-header.html" cargo doc --no-deps -p labrador --open ``` +Docs for `falcon aggregation with labrador`: + +```sh +RUSTDOCFLAGS="--html-in-header katex-header.html" cargo doc --no-deps -p falcon_labrador --open +``` + ## License -Apache 2.0 \ No newline at end of file +Apache 2.0 diff --git a/doc/falcon_labrador_docs/Changing-Modulus-Norm-Checks.md b/doc/falcon_labrador_docs/Changing-Modulus-Norm-Checks.md index 5bac284..b48d296 100644 --- a/doc/falcon_labrador_docs/Changing-Modulus-Norm-Checks.md +++ b/doc/falcon_labrador_docs/Changing-Modulus-Norm-Checks.md 
@@ -13,7 +13,7 @@ $$\mathbf{s}\_{i1}+\mathbf{hs}\_{i2}+qv_{i} - H(r,m) = 0$$ Since adding multiples of $q$ to the restriction doesn't affect the original formulation $\mod q$, then this restriction continues to be valid in $\mathcal{R}\_{q}$. In order to answer how big $q'$ needs to be so that the witness vectors (including the new one) don't wrap around, we need to prove that the witnesses are small enough. Now, in order to find an equivalent restriction for the restriction on the size of the witnesses, we will rewrite $\lVert (\mathbf{s}\_{i1}, \mathbf{s}\_{i2}) \rVert_{2} \leq \beta$ as: -$$\lVert \mathbf{s}\_{i1}\rVert^{2}+ \lVert \mathbf{s}\_{2}\rVert^{2} \leq \beta^{2}$$ +$$\lVert \mathbf{s}\_{i1}\rVert^{2}+ \lVert \mathbf{s}\_{i2}\rVert^{2} \leq \beta^{2}$$ Where $\lVert . \rVert$ is still the Euclidean norm. Because we know that $\beta^{2} - \lVert \mathbf{s}\_{i1}\rVert^{2} - \lVert \mathbf{s}\_{i2}\rVert^{2}$ is non-negative, we can use Lagrange’s four-square theorem to rewrite it as a sum of four squared numbers $\epsilon_{0}^{2}, \epsilon_{1}^{2}, \epsilon_{2}^{2}, \epsilon_{3}^{2}$. Because all dot product constraints in LaBRADOR are of the form: diff --git a/falcon_labrador/src/lib.rs b/falcon_labrador/src/lib.rs index 60bd388..f4e5d87 100644 --- a/falcon_labrador/src/lib.rs +++ b/falcon_labrador/src/lib.rs @@ -7,19 +7,3 @@ #![doc = include_str!("../../doc/falcon_labrador_docs/mainpage-doc.md")] #![doc = include_str!("../../doc/falcon_labrador_docs/Changing-Modulus-Norm-Checks.md")] #![doc = include_str!("../../doc/falcon_labrador_docs/reformulating-constraints.md")] - -///Example function -pub fn add(left: u64, right: u64) -> u64 { - left + right -} - -#[cfg(test)] -mod tests { - use super::*; - - #[test] - fn it_works() { - let result = add(2, 2); - assert_eq!(result, 4); - } -} From 8542442edd26ec89bd5dc35bf281469685e54490 Mon Sep 17 00:00:00 2001 
From: mattsuffern Date: Mon, 7 Apr 2025 22:13:30 -0300 Subject: [PATCH 6/8] deleted working over subring part --- doc/falcon_labrador_docs/working_over_subring.md | 3 --- 1 file changed, 3 deletions(-) delete mode 100644 doc/falcon_labrador_docs/working_over_subring.md diff --git a/doc/falcon_labrador_docs/working_over_subring.md b/doc/falcon_labrador_docs/working_over_subring.md deleted file mode 100644 index 58998d5..0000000 --- a/doc/falcon_labrador_docs/working_over_subring.md +++ /dev/null @@ -1,3 +0,0 @@ -# Working over Subring - -In order to improve proof sizes even more, we will re formualte our constrains over a subring of smaller degree $d' = \frac{d}{c}$ for some appropiate $c$. We will call this subspace as $\mathbf(S)$. From be2f4f784baab6ab9cc8bf4374c178869c41cc42 Mon Sep 17 00:00:00 2001 From: Omid Bodaghi Date: Wed, 16 Apr 2025 17:27:30 -0700 Subject: [PATCH 7/8] Revise mainpage and changeing-modulus-norm-checks sections --- .../Changing-Modulus-Norm-Checks.md | 70 +++++++++++++------ doc/falcon_labrador_docs/mainpage-doc.md | 30 +++++--- 2 files changed, 72 insertions(+), 28 deletions(-) diff --git a/doc/falcon_labrador_docs/Changing-Modulus-Norm-Checks.md b/doc/falcon_labrador_docs/Changing-Modulus-Norm-Checks.md index b48d296..8b0a7d9 100644 --- a/doc/falcon_labrador_docs/Changing-Modulus-Norm-Checks.md +++ b/doc/falcon_labrador_docs/Changing-Modulus-Norm-Checks.md 
@@ -1,35 +1,65 @@ # Changing the Modulus & Norm Checks -Although Falcon and LaBRADOR were designed over a similar structure of a polynomial ring $\mathcal{R}\_{q} = Z_{q}\[ x \]/(x^{d}-1)$ of degree $d$ and modulus $q$, they both use different moduli. We will denote $q$ as the Falcon modulus and $q' > q$ as the LaBRADOR one. When using Falcon to sign a message $m$, the signer uses its secret key to obtain two small lattice vectors $(\mathbf{s}\_{i1}, \mathbf{s}\_{i2})$ such that: -$$\mathbf{s}\_{i1}+\mathbf{hs}\_{i2} = H(r,m) \mod q$$ -$$\lVert (\mathbf{s}\_{i1}, \mathbf{s}\_{i2}) \rVert_{2} \leq \beta$$ -Where $H()$ is a hash function, $\mathbf{h}$ is the public key, and $r \in \\{0, 1\\}^{320}$ is a random salt. +## Different Modulos +While Falcon and LaBRADOR are designed over a similar structure of a polynomial rings $\mathcal{R}\_{q} = Z_{q}[ x ]/(x^{d}-1)$, they use different modulies. Falcon uses modulo $q$ and LaBRADOR uses modulo $q'$, while $q' > q$. The reason is that nighther of the parameter sets of Falcon satisfy the condition for Johnson-Lindenstrauss projection of LaBRADOR. So we need to use a larger modulo. -It's important to notice these equations are valid mod $q$, which means they may not be valid mod $q'$. So, in order to make an equivalent version of these constraints but in the LaBRADOR ring, we will find an equivalent restriction over $\mathcal{R}$. Since the validity of a restriction being equal to zero in $\mathcal{R}$ should still hold under some modulus wrapping in $\mathcal{R}\_{q^{'}}$. In order for the restrictions to hold in $\mathcal{R}$, we would like intuitively that $(\mathbf{s}\_{i1}, \mathbf{s}\_{i2})$ will be "small enough" that they would not wrap around over the $q'$ modulus. 
Since we are not in control of the size of $(\mathbf{s}\_{i1}, \mathbf{s}\_{i2})$, the main idea behind this will be to slightly modify the restrictions from Falcon so that we can guarantee that for a large enough $q'$, they will still be valid over this new ring. +#### Modulo in Falcon Signature Scheme +To sign a message $m$ in Falcon, the signer uses its secret key to obtain two small polynomials $(\mathbf{s}_{i_1}, \mathbf{s}_{i_2})$ such that: +$$\mathbf{s}_{i_1}+\mathbf{hs}_{i_2} = H(r,m) = \mathbf{t}_i \mod q \qquad (1)$$ -For the first restriction, we know from Falcon that it must be valid in $\mathcal{R}\_{q}$. This isn't necessarily valid in $\mathcal{R}$. In order to force it to be valid, we will add an extra witness $v_{i} \in \mathcal{R}\_{q'}$, leaving us with this restriction over $\mathcal{R}$: -$$\mathbf{s}\_{i1}+\mathbf{hs}\_{i2}+qv_{i} - H(r,m) = 0$$ +$$\qquad \| (\mathbf{s}_{i_1}, \mathbf{s}_{i_2}) \|_{2} \leq \beta, \qquad (2)$$ +Where $H()$ is a hash function, $\mathbf{h}$ is the public key, and $r \in \{0, 1\}^{320}$ is a random salt. -Since adding multiples of $q$ to the restriction doesn't affect the original formulation $\mod q$, then this restriction continues to be valid in $\mathcal{R}\_{q}$. In order to answer how big $q'$ needs to be so that the witness vectors (including the new one) don't wrap around, we need to prove that the witnesses are small enough. +It is important to notice these equations are valid mod $q$, and they are not neccesarily valid mod $q'$. -Now, in order to find an equivalent restriction for the restriction on the size of the witnesses, we will rewrite $\lVert (\mathbf{s}\_{i1}, \mathbf{s}\_{i2}) \rVert_{2} \leq \beta$ as: -$$\lVert \mathbf{s}\_{i1}\rVert^{2}+ \lVert \mathbf{s}\_{i2}\rVert^{2} \leq \beta^{2}$$ -Where $\lVert . \rVert$ is still the Euclidean norm. 
Because we know that $\beta^{2} - \lVert \mathbf{s}\_{i1}\rVert^{2} - \lVert \mathbf{s}\_{i2}\rVert^{2}$ is non-negative, we can use Lagrange’s four-square theorem to rewrite it as a sum of four squared numbers $\epsilon_{0}^{2}, \epsilon_{1}^{2}, \epsilon_{2}^{2}, \epsilon_{3}^{2}$. +#### Falcon Verification in LaBRADOR Modulo +To work with LaBRADOR, we need to work modulo $q'$, so we need to define an equivalent formula of Falcon signauture verification (equation (1)), but in moulo $q'$. -Because all dot product constraints in LaBRADOR are of the form: -$$ -f(\mathbf{\bar{\mathbf{s}}})=0 \text{ or } ct(f(\mathbf{\bar{\mathbf{s}}})) = 0 +However, equation (1) is not neccessarily valid in $\mathcal{R}$ or $\mathcal{R}_{q'}$. We know that is an equation is valid in $\mathcal{R}$, it is clearly valid in $\mathcal{R}_{q}$ and $\mathcal{R}_{q'}$, but it is not correct for the other side. + +The idea to resolve this issue is that, first convert the equation (1) to a valid equation holds in $\mathcal{R}$, then, by forcing small norms, there would be no wrap-around modulo $q'$, and the equation can bw represented in $\mathcal{R}_{q'}$. + +First, (1) is not neccesarily valid in $\mathcal{R}$. In order to force it to be valid, we will add an extra witness $v_i \in \mathcal{R}_{q'}$, and rewrite formula (1) as follow, which holds for any ring $\mathcal{R}$: +$$ \mathbf{s}_{i_1}+\mathbf{hs}_{i_2} + q\mathbf{v}_i - \mathbf{t}_i = \mathbf{0} \in \mathcal{R} \qquad (3) $$ + +LaBRADOR constraints are defined over $\mathcal{R}_{q'}$, and equation (3) is not neccesarily valid in $\mathcal{R}_{q'}$. +However, if these polynomial functions are so small that could never cause a wrap-around modulo $q'$, we can write (3) as: +$$ \mathbf{s}_{i_1}+\mathbf{hs}_{i_2} + q\mathbf{v}_i - \mathbf{t}_i = \mathbf{0} \in \mathcal{R}_{q'} \qquad (4) $$ + + +### Norm Checks +We need to show that: +1. norm check in (2) is satisfied, +2. 
Witnesses $\mathbf{s}_{i_1}, \mathbf{hs}_{i_2}, \mathbf{v}_{i}$ have small norms so that (3) and (4) are equivalent for these norms. + +So we proceed as follow: +1. we can rewrite $\| (\mathbf{s}_{i_1}, \mathbf{s}_{i_2}) \|_{2} \leq \beta$ as: +$$\| \mathbf{s}_{i_1}\|^{2}+ \| \mathbf{s}_{i_2}\|^{2} \leq \beta^{2} \implies \beta^{2} - \| \mathbf{s}_{i_1}\|^{2} - \| \mathbf{s}_{i_2}\|^{2}\ge 0$$ +Where $\| . \|$ is still the Euclidean norm. + +According to Lagrange's four-square theorem, any non-negative number can be written as sum of four square integers. +Therefore, as $\beta^{2} - \| \mathbf{s}_{i_1}\|^{2} - \| \mathbf{s}_{i_2}\|^{2} \ge 0$ , we can use Lagrange’s four-square theorem to rewrite it as a sum of four squared integers $\epsilon_{0}^{2}, \epsilon_{1}^{2}, \epsilon_{2}^{2}, \epsilon_{3}^{2}$: +$$\beta^{2} - \| \mathbf{s}_{i_1}\|^{2} - \| \mathbf{s}_{i_2}\|^{2} = \epsilon_{0}^{2} + \epsilon_{1}^{2} + \epsilon_{2}^{2} + \epsilon_{3}^{2} \qquad (5)$$ + +Let $$\epsilon_i = \epsilon_{0}^{2}+ \epsilon_{1}^{2}X + \epsilon_{2}^{2}X^2 + \epsilon_{3}^{2}X^3$$ + +To make them compatible with LaBRADOR's constraints, which are of the form: $$ -we can rewrite now the restriction on the size of the witnesses in the accepted format by writing $\epsilon_{0}, \epsilon_{1}X, \epsilon_{2}X^{2}, \epsilon_{3}X^{3} = \epsilon$ and: -$$ct(\sigma_{-1}(\epsilon)\epsilon - (\beta^{2}-\sigma_{-1}(\mathbf{s}\_{i1})\mathbf{s}\_{i1}-\sigma_{-1}(\mathbf{s}\_{i2})\mathbf{s}\_{i2})) = 0 \mod q'$$ -where $\sigma_{-1}$ is the conjugation automorphism. The validity of this dot constraint over $q'$ tells us the bound is valid since the existence of the polynomial $\epsilon$ that follows such constraints implies that $\beta^{2} - \lVert \mathbf{s}\_{i1}\rVert^{2} - \lVert \mathbf{s}\_{i2}\rVert^{2}$ is non-negative. 
+f(\mathbf{\bar{\mathbf{s}}})=0 \text{ or } ct(f(\mathbf{\bar{\mathbf{s}}})) = 0,$$ +we can rewrite (5) as: +$$ct(\sigma_{-1}(\epsilon_i)\epsilon_i - (\beta^{2}-\sigma_{-1}(\mathbf{s}_{i_1})\mathbf{s}_{i_1}-\sigma_{-1}(\mathbf{s}_{i_2})\mathbf{s}_{i_2})) = 0 \mod q' \qquad (9)$$ +where $\sigma_{-1}$ is the conjugation automorphism. The validity of this dot constraint over $q'$ tells us the bound is valid since the existence of the polynomial $\epsilon$ that follows such constraints implies that $\beta^{2} - \| \mathbf{s}_{i_1}\|^{2} - \| \mathbf{s}_{i_2}\|^{2}$ is non-negative. -Besides this new dot constraint, in order to show that both the automorphisms and the epsilon polynomial were correctly calculated inside the constraint, we will need to add small extra dot product constraints. +Besides this new dot constraint, in order to show that both the automorphisms and the epsilon polynomial were correctly calculated inside the constraint, we will need to add almost $4dn$ extra dot product constraints ($n$ signatures, $d$ coefficients, and 4 functions $\epsilon_i, \sigma_{-1}(\epsilon_i), \sigma_{-1}(\mathbf{s}_{i_1}), \sigma_{-1}(\mathbf{s}_{i_2})$). For the conjugated automorphism, since it involves a permutation of the polynomial's coefficients and a change of sign, it will suffice to check for each element that the permutation was done correctly as well as the sign change. In the case of the epsilon polynomial, one would only need to check the degree is at most $4$ by checking all other coefficients $\epsilon_{4} \dots \epsilon_{d-1}$ to be zero. For both cases, checking an element of a polynomial is equal to some element $b$ or to some element from another polynomial $c$ can be written as a dot product in this way: -$$ct(\sigma_{-1}(X^{j})a -b) = 0 \mod q'$$ -$$ct(\sigma_{-1}(X^{j})a -\sigma_{-1}(X^{k})c) = 0 \mod q'$$ +$$ct(\sigma_{-1}(X^{j})\mathbf{a} -b) = 0 \mod q'$$ + +$$ct(\sigma_{-1}(X^{j})\mathbf{a} -\sigma_{-1}(X^{k})\mathbf{c}) = 0 \mod q'$$ + + + 
diff --git a/doc/falcon_labrador_docs/mainpage-doc.md b/doc/falcon_labrador_docs/mainpage-doc.md index dfbc550..3960a47 100644 --- a/doc/falcon_labrador_docs/mainpage-doc.md +++ b/doc/falcon_labrador_docs/mainpage-doc.md 
@@ -1,20 +1,34 @@ # Aggregating Falcon Signatures with LaBRADOR +This repository contains the implementation of *[Aggregating Falcon Signatures with LaBRADOR](https://eprint.iacr.org/2024/311.pdf)*. -This is the code implementation of "Aggregating Falcon Signatures with LaBRADOR." A non-interactive version of LaBRADOR, utilizing the Fiat-Shamir heuristic, that allows for a significant reduction in proof sizes within a signature aggregation scheme, compared to a basic concatenation procedure, while still relying on the security of standard lattice problems. +The main goal of the paper—and of this implementation—is to aggregate Falcon signatures using a **non‑interactive** (via the Fiat–Shamir heuristic) version of LaBRADOR, a post‑quantum lattice‑based argument‑of‑knowledge scheme with short proofs. +The approach is to define a signature‑aggregation scheme (AS) for Falcon that relies on a LaBRADOR‑based succinct non‑interactive argument of knowledge (SNARK). +In this SNARK we treat the signatures as **witnesses** and the messages and public keys as **statements**. +The result is a non‑sequential aggregation scheme that requires zero interaction between signers, and, thanks to the succinct proofs, the scheme is well suited to bandwidth‑constrained settings such as blockchains. -These notes serve as a friendly introduction to the protocol and a prototype for the documentation. They are based on the assumption that one has already implemented Falcon and the original interactive version of LaBRADOR. - -The main idea is to define a signature aggregation scheme (AS) for Falcon based on the use of a succinct non-interactive argument of knowledge (SNARK), where we can set the signatures as witnesses and the messages and public keys as statements. This would allow for a non-sequential signature aggregation scheme, allowing zero interaction between signers. Additionally, the succinctness of the SNARK is perfect for bandwidth bottleneck situations, such as in blockchain. 
This code is an adaptation of LaBRADOR to function with Falcon for AS. +These notes serve as a friendly introduction to the protocol and a prototype for the documentation. +This implementation assumes Falcon signature scheme and interactive version of LaBRADOR are implemented. ## Overview - -The implemented changes consist of the following steps: +The implemented changes to LaBRADOR consist of the following steps: - Changing the Modulus & Norm Checks - Reformulating Constraints - Working over Subring +## Notation +Throughout this documentation let $q$ denote the modulus, and let $\mathbb{Z}_q$ be the ring of integers modulo $q$. +Define the polynomial rings $\mathcal{R} = \mathbb{Z}[X]/(X^d + 1)$ and $\mathcal{R}_q = \mathbb{Z}_q[X]/(X^d + 1).$ +We use the following conventions. +- **Non‑bold letters** (elements in $\mathbb{Z}_q$) + - $s \in \mathbb{Z}_q$: scalar + - $\vec{s} \in \mathbb{Z}_q^n$: vector of length $n$ + - $A \in \mathbb{Z}_q^{m \times n}$: matrix with $m$ rows and $n$ columns -## Notation -We will use an upper bar $\bar{s}$ for vectors, lowercase $s$ for scalars, uppercase $S$ for matrices, and boldface letters for elements $\mathbf{s} \in \mathbb{Z}_q\[x\] / (x^d + 1)$, unless explicitly noted. +- **Bold letters** (polynomial functions in $\mathcal{R}$ or $\mathcal{R}_q$) + - $\mathbf{s} \in \mathcal{R}$ or $\mathcal{R}_q$ + - $\vec{\mathbf{s}} \in (\mathcal{R}_q)^n$: vector of polynomials with length $n$ + - $\mathbf{A} \in (\mathcal{R}_q)^{m \times n}$: matrix of polynomials with $m$ rows and $n$ columns + +- $ct(\mathbf{f})$ denotes the constant term of the polynomial function $\mathbf{f} = a_0 + a_1X + \cdots + a_{d-1}X^{d-1},$ i.e. $ct(\mathbf{f}) = a_0$. From a8b0290067f908d9a9d057607b15fe2ef8ad2872 Mon Sep 17 00:00:00 2001 
From: Omid Bodaghi Date: Fri, 18 Apr 2025 12:18:17 -0700 Subject: [PATCH 8/8] Revise mainpage and changing modulus documentations --- .../Changing-Modulus-Norm-Checks.md | 127 ++++++++++++------ doc/falcon_labrador_docs/mainpage-doc.md | 4 + 2 files changed, 91 insertions(+), 40 deletions(-) diff --git a/doc/falcon_labrador_docs/Changing-Modulus-Norm-Checks.md b/doc/falcon_labrador_docs/Changing-Modulus-Norm-Checks.md index 8b0a7d9..c266054 100644 --- a/doc/falcon_labrador_docs/Changing-Modulus-Norm-Checks.md +++ b/doc/falcon_labrador_docs/Changing-Modulus-Norm-Checks.md 
@@ -1,68 +1,115 @@ # Changing the Modulus & Norm Checks +This document clarifies handling different moduli and verifying norm constraints in the process of adapting Falcon signatures for aggregation within the LaBRADOR proof system. -## Different Modulos -While Falcon and LaBRADOR are designed over a similar structure of a polynomial rings $\mathcal{R}\_{q} = Z_{q}[ x ]/(x^{d}-1)$, they use different modulies. Falcon uses modulo $q$ and LaBRADOR uses modulo $q'$, while $q' > q$. The reason is that nighther of the parameter sets of Falcon satisfy the condition for Johnson-Lindenstrauss projection of LaBRADOR. So we need to use a larger modulo. -#### Modulo in Falcon Signature Scheme -To sign a message $m$ in Falcon, the signer uses its secret key to obtain two small polynomials $(\mathbf{s}_{i_1}, \mathbf{s}_{i_2})$ such that: -$$\mathbf{s}_{i_1}+\mathbf{hs}_{i_2} = H(r,m) = \mathbf{t}_i \mod q \qquad (1)$$ +## Different Moduli +Falcon and LaBRADOR both operate over polynomial rings of the form $\mathcal{R}\_q = \mathbb{Z}\_q[X]/(X^d + 1)$, but they use different moduli: Falcon uses a smaller modulus $q$, while LaBRADOR requires a larger modulus $q' > q$. This difference arises because Falcon’s standard parameter sets do not meet the conditions for the Johnson-Lindenstrauss projection used in LaBRADOR. Therefore, we must lift Falcon signatures verification into a larger ring modulo $q'$, while ensuring compatibility and security. -$$\qquad \| (\mathbf{s}_{i_1}, \mathbf{s}_{i_2}) \|_{2} \leq \beta, \qquad (2)$$ -Where $H()$ is a hash function, $\mathbf{h}$ is the public key, and $r \in \{0, 1\}^{320}$ is a random salt. -It is important to notice these equations are valid mod $q$, and they are not neccesarily valid mod $q'$. +## Falcon Signature Scheme +In Falcon, a signer uses their secret key to generate a signature consisting of two small polynomials $\mathbf{s}\_{i\_1}, \mathbf{s}\_{i\_2} \in \mathcal{R}\_q$ for a message $m\_i$. 
For verification, the signature must satisfy two conditions: +1. Verification Equation: -#### Falcon Verification in LaBRADOR Modulo -To work with LaBRADOR, we need to work modulo $q'$, so we need to define an equivalent formula of Falcon signauture verification (equation (1)), but in moulo $q'$. +$$\mathbf{s}\_{i\_1} + \mathbf{h}\_i \mathbf{s}\_{i\_2} = \mathbf{t}\_i \mod q \qquad (1)$$ + +Here, $\mathbf{h}\_i$ is the public key (a polynomial in $\mathcal{R}\_q$), $\mathbf{t}\_i = H(r\_i, m\_i)$ is the hash of the message $m\_i$ and a random salt $r\_i \in \\{0, 1\\}^{320}$, and $H$ is a cryptographic hash function. -However, equation (1) is not neccessarily valid in $\mathcal{R}$ or $\mathcal{R}_{q'}$. We know that is an equation is valid in $\mathcal{R}$, it is clearly valid in $\mathcal{R}_{q}$ and $\mathcal{R}_{q'}$, but it is not correct for the other side. +2. Norm Bound: + +$$\\|(\mathbf{s}\_{i\_1}, \mathbf{s}\_{i\_2}) \\|\_2 = \sqrt{\\| \mathbf{s}\_{i\_1} \|\_2^2 + \\| \mathbf{s}\_{i\_2} \\|\_2^2} \leq \beta \ll q \qquad (2)$$ -The idea to resolve this issue is that, first convert the equation (1) to a valid equation holds in $\mathcal{R}$, then, by forcing small norms, there would be no wrap-around modulo $q'$, and the equation can bw represented in $\mathcal{R}_{q'}$. +The $\ell\_2$-norm bound $\beta$ ensures the signature is small, a critical property for Falcon’s security. -First, (1) is not neccesarily valid in $\mathcal{R}$. In order to force it to be valid, we will add an extra witness $v_i \in \mathcal{R}_{q'}$, and rewrite formula (1) as follow, which holds for any ring $\mathcal{R}$: -$$ \mathbf{s}_{i_1}+\mathbf{hs}_{i_2} + q\mathbf{v}_i - \mathbf{t}_i = \mathbf{0} \in \mathcal{R} \qquad (3) $$ +Note that (1) and (2) hold modulo $q$, but not necessarily modulo $q'$ or over the integers ($\mathcal{R}$). -LaBRADOR constraints are defined over $\mathcal{R}_{q'}$, and equation (3) is not neccesarily valid in $\mathcal{R}_{q'}$. 
-However, if these polynomial functions are so small that could never cause a wrap-around modulo $q'$, we can write (3) as: -$$ \mathbf{s}_{i_1}+\mathbf{hs}_{i_2} + q\mathbf{v}_i - \mathbf{t}_i = \mathbf{0} \in \mathcal{R}_{q'} \qquad (4) $$ +## Falcon Verification in LaBRADOR +To aggregate Falcon signatures in LaBRADOR, we need to adapt the verification process to work over $\mathcal{R}\_{q'} = \mathbb{Z}\_{q'}[X]/(X^d + 1)$. Since equation (1) is defined modulo $q$, we must rewrite it to be compatible with $q'$ while ensuring no wrap-around occurs. -### Norm Checks -We need to show that: -1. norm check in (2) is satisfied, -2. Witnesses $\mathbf{s}_{i_1}, \mathbf{hs}_{i_2}, \mathbf{v}_{i}$ have small norms so that (3) and (4) are equivalent for these norms. +### Rewriting Equation (1) for Modulo $q'$ +Equation (1) does not naturally hold over the integers $( \mathcal{R} )$ or modulo $q'$. To address this, we introduce an additional witness polynomial $\mathbf{v}\_i \in \mathcal{R}\_{q'}$ and reformulate (1) as: -So we proceed as follow: -1. we can rewrite $\| (\mathbf{s}_{i_1}, \mathbf{s}_{i_2}) \|_{2} \leq \beta$ as: -$$\| \mathbf{s}_{i_1}\|^{2}+ \| \mathbf{s}_{i_2}\|^{2} \leq \beta^{2} \implies \beta^{2} - \| \mathbf{s}_{i_1}\|^{2} - \| \mathbf{s}_{i_2}\|^{2}\ge 0$$ -Where $\| . \|$ is still the Euclidean norm. +$$\mathbf{s}\_{i\_1} + \mathbf{h}\_i \mathbf{s}\_{i\_2} + q \mathbf{v}\_i - \mathbf{t}\_i = \mathbf{0} \in \mathcal{R} \qquad (3) $$ -According to Lagrange's four-square theorem, any non-negative number can be written as sum of four square integers. 
-Therefore, as $\beta^{2} - \| \mathbf{s}_{i_1}\|^{2} - \| \mathbf{s}_{i_2}\|^{2} \ge 0$ , we can use Lagrange’s four-square theorem to rewrite it as a sum of four squared integers $\epsilon_{0}^{2}, \epsilon_{1}^{2}, \epsilon_{2}^{2}, \epsilon_{3}^{2}$: -$$\beta^{2} - \| \mathbf{s}_{i_1}\|^{2} - \| \mathbf{s}_{i_2}\|^{2} = \epsilon_{0}^{2} + \epsilon_{1}^{2} + \epsilon_{2}^{2} + \epsilon_{3}^{2} \qquad (5)$$ +This equation holds over the integers by construction, as $q \mathbf{v}\_i$ accounts for the difference modulo $q$. However, LaBRADOR operates over $\mathcal{R}\_{q'}$, so we need: -Let $$\epsilon_i = \epsilon_{0}^{2}+ \epsilon_{1}^{2}X + \epsilon_{2}^{2}X^2 + \epsilon_{3}^{2}X^3$$ +$$\mathbf{s}\_{i\_1} + \mathbf{h}\_i \mathbf{s}\_{i\_2} + q \mathbf{v}\_i - \mathbf{t}\_i = \mathbf{0} \in \mathcal{R}\_{q'} \qquad (4)$$ -To make them compatible with LaBRADOR's constraints, which are of the form: -$$ -f(\mathbf{\bar{\mathbf{s}}})=0 \text{ or } ct(f(\mathbf{\bar{\mathbf{s}}})) = 0,$$ -we can rewrite (5) as: -$$ct(\sigma_{-1}(\epsilon_i)\epsilon_i - (\beta^{2}-\sigma_{-1}(\mathbf{s}_{i_1})\mathbf{s}_{i_1}-\sigma_{-1}(\mathbf{s}_{i_2})\mathbf{s}_{i_2})) = 0 \mod q' \qquad (9)$$ -where $\sigma_{-1}$ is the conjugation automorphism. The validity of this dot constraint over $q'$ tells us the bound is valid since the existence of the polynomial $\epsilon$ that follows such constraints implies that $\beta^{2} - \| \mathbf{s}_{i_1}\|^{2} - \| \mathbf{s}_{i_2}\|^{2}$ is non-negative. +For (4) to be equivalent to (3), the coefficients of the left-hand side must not wrap around modulo $q'$. 
This requires the infinity norm of the sum to be less than $q'/2$: -Besides this new dot constraint, in order to show that both the automorphisms and the epsilon polynomial were correctly calculated inside the constraint, we will need to add almost $4dn$ extra dot product constraints ($n$ signatures, $d$ coefficients, and 4 functions $\epsilon_i, \sigma_{-1}(\epsilon_i), \sigma_{-1}(\mathbf{s}_{i_1}), \sigma_{-1}(\mathbf{s}_{i_2})$). +$$\\| \mathbf{s}\_{i\_1} + \mathbf{h}\_i \mathbf{s}\_{i\_2} + q \mathbf{v}\_i - \mathbf{t}\_i \\|\_\infty < \frac{q'}{2} $$ -For the conjugated automorphism, since it involves a permutation of the polynomial's coefficients and a change of sign, it will suffice to check for each element that the permutation was done correctly as well as the sign change. In the case of the epsilon polynomial, one would only need to check the degree is at most $4$ by checking all other coefficients $\epsilon_{4} \dots \epsilon_{d-1}$ to be zero. For both cases, checking an element of a polynomial is equal to some element $b$ or to some element from another polynomial $c$ can be written as a dot product in this way: +To ensure this, we impose bounds on each term: -$$ct(\sigma_{-1}(X^{j})\mathbf{a} -b) = 0 \mod q'$$ +$$\\| \mathbf{s}\_{i\_1} \\|\_\infty < \frac{q'}{6} \qquad +\\| \mathbf{h}\_i \mathbf{s}\_{i\_2} \\|\_\infty < \frac{q'}{6} \qquad +\\| q \mathbf{v}\_i \\|\_\infty < \frac{q'}{6}$$ -$$ct(\sigma_{-1}(X^{j})\mathbf{a} -\sigma_{-1}(X^{k})\mathbf{c}) = 0 \mod q'$$ +This implies +$$\\| \mathbf{s}\_{i\_1} \\|\_\infty < \frac{q'}{6} \qquad +\\| \mathbf{s}\_{i\_2} \\|\_\infty < \frac{q'}{6qd} \qquad +\\| q \mathbf{v}\_i \\|\_\infty < \frac{q'}{6q}$$ +These bounds ensure the total sum stays within $\frac{q'}{2}$, preventing wrap-around. In LaBRADOR, $\mathbf{s}\_{i\_1}, \mathbf{s}\_{i\_2}, \mathbf{v}\_i$ are witnesses, and we prove (4) holds. 
+## Verifying the Norm Bound in LaBRADOR +Falcon’s norm condition (2) must also be proven in LaBRADOR without revealing $\mathbf{s}\_{i\_1}$ or $\mathbf{s}\_{i\_2}$. We rewrite: +$$ \beta^2 - \\| \mathbf{s}\_{i\_1} \\|\_2^2 - \\| \mathbf{s}\_{i\_2} \\|\_2^2 \geq 0 $$ +By Lagrange’s four-square theorem, any non-negative integer is the sum of four squares. Thus, we introduce four integer witnesses $\epsilon\_{i,0}, \epsilon\_{i,1}, \epsilon\_{i,2}, \epsilon\_{i,3}$ such that: - +$$ \beta^2 - \\| \mathbf{s}\_{i\_1} \\|\_2^2 - \\| \mathbf{s}\_{i\_2} \\|\_2^2 = \epsilon\_{i,0}^2 + \epsilon\_{i,1}^2 + \epsilon\_{i,2}^2 + \epsilon\_{i,3}^2 \qquad (5)$$ +To fit LaBRADOR’s polynomial constraints, we represent each $\epsilon\_{i,j}$ as a polynomial of degree at most 3 + +$$ \mathbf{\epsilon}\_i = \epsilon\_{i,0} + \epsilon\_{i,1} X + \epsilon\_{i,2} X^2 + \epsilon\_{i,3} X^3 $$ + +The norm squared is computed using the conjugation automorphism $\sigma\_{-1}$, where $\\| \mathbf{v} \\|\_2^2 = \sigma\_{-1}(\mathbf{v}) \mathbf{v}$. We rewrite (5) as: + +$$ \sigma\_{-1}(\mathbf{\epsilon}\_i) \mathbf{\epsilon}\_i = \beta^2 - \sigma\_{-1}(\mathbf{s}\_{i\_1}) \mathbf{s}\_{i\_1} - \sigma\_{-1}(\mathbf{s}\_{i\_2}) \mathbf{s}\_{i\_2} \in \mathcal{R} $$ + +In LaBRADOR, this must hold modulo $q'$: + +$$ \sigma\_{-1}(\mathbf{\epsilon}\_i) \mathbf{\epsilon}\_i - (\beta^2 - \sigma\_{-1}(\mathbf{s}\_{i\_1}) \mathbf{s}\_{i\_1} - \sigma\_{-1}(\mathbf{s}\_{i\_2}) \mathbf{s}\_{i\_2}) = 0 \mod q' \qquad (6) $$ + +To avoid wrap-around, the infinity norm of the left-hand side must be less than $q'/2$: + +$$ \\| \sigma\_{-1}(\mathbf{\epsilon}\_i) \mathbf{\epsilon}\_i - (\beta^2 - \sigma\_{-1}(\mathbf{s}\_{i\_1}) \mathbf{s}\_{i\_1} - \sigma\_{-1}(\mathbf{s}\_{i\_2}) \mathbf{s}\_{i\_2}) \\|\_\infty < \frac{q'}{2} $$ + +This involves $2d + 4$ coefficients ( $2d$ from $\mathbf{s}\_{i\_1}$, $\mathbf{s}\_{i\_2}$, and 4 from $\mathbf{\epsilon}\_i $). 
Bounding each coefficient’s $\ell\_\infty$-norm by $\sqrt{\frac{q'}{2(2d + 4)}}$ ensures the sum stays within $q'/2$. + + +### Conjugation Automorphism Checks + +For a polynomial $\mathbf{f}(X) = a\_0 + a\_1 X + \cdots + a\_{d-1} X^{d-1}$, the conjugation automorphism is $\sigma\_{-1}(\mathbf{f}) = a\_0 + a\_1 X^{-1} + \cdots + a\_{d-1} X^{-(d-1)}$. In $\mathcal{R}\_{q'}$, $X^{-t}$ is computed modulo $X^d + 1$. We verify coefficients using dot product constraints: +1. Check the $j$-th coefficient equals a value $b$: + +$$ \sigma\_{-1}(X^j) \mathbf{a} = b \mod q'$$ + + +2. Check two coefficients $a\_j, c\_k$ match: + +$$ \sigma\_{-1}(X^j) \mathbf{a} = \sigma\_{-1}(X^k) \mathbf{c} \mod q'$$ + +For $\mathbf{\epsilon}\_i$, we ensure the degree is at most 3 by setting coefficients $\epsilon\_{i,4}, \ldots, \epsilon\_{i,d-1}$ to zero. For $\mathbf{s}\_{i\_1}, \mathbf{s}\_{i\_2}, \mathbf{\epsilon}\_i$, we verify the conjugation and coefficients match in (6). This requires approximately $4d n$ extra constraints for $n$ signatures. + + + +## Choosing the Modulus $q'$ +To satisfy all constraints, $q'$ must be sufficiently large. After computations for soundness and completeness: + +$$ q' > \frac{1024}{15} (d + 2) \beta^2 N$$ + +- Falcon-512: $q' > 2^{40.12} N$ +- Falcon-1024: $q' > 2^{42.16} N$ + +For $N = 2^{20}$ signatures: +- Falcon-512: $q' > 2^{60.12}$, so a 61-bit modulus suffices. +- Falcon-1024: $q' > 2^{62.16}$, so a 63-bit modulus is needed. + + +## Conclusion +This guide clarifies how to adapt Falcon signatures for LaBRADOR by changing the modulus and verifying norms. By rewriting the verification equation, introducing witnesses, and enforcing norm bounds, developers can implement a secure and correct aggregation system. \ No newline at end of file diff --git a/doc/falcon_labrador_docs/mainpage-doc.md b/doc/falcon_labrador_docs/mainpage-doc.md index 3960a47..6514827 100644 --- a/doc/falcon_labrador_docs/mainpage-doc.md 
+++ b/doc/falcon_labrador_docs/mainpage-doc.md @@ -15,6 +15,10 @@ The implemented changes to LaBRADOR consist of the following steps: - Reformulating Constraints - Working over Subring +## Assumption +We assume a user aims to aggregate $N$ signatures, with $i$ indexing each signature, message, and public key. +For instance, $m\_i$ denotes the $i$-th message to be signed, $(\mathbf{s}\_{i\_1}, \mathbf{s}\_{i\_2})$ represents its signatures, and $pk\_i$ is the corresponding public key. + ## Notation Throughout this documentation let $q$ denote the modulus, and let $\mathbb{Z}_q$ be the ring of integers modulo $q$.