shockingly simple crystals-dilithium zk proofs

⚓ General 📅 2025-01-17 👤 chance 👁️ 114

Warning

This post was published 75 days ago. The information described in this article may have changed.

Considerations when implementing zk proofs of crystals-dilithium signatures.

crystals-dilithium simplified

We’ll consider only the simplified scheme as described above. Discussion should be applicable to the full scheme.

Proving signature

With crystals-dilithium we must contend with a variable length signing procedure. Specifically we have to rejection sample based on the value of $y$ , and generate a ball polynomial $c$ based on a hash. Both of these operations are non-deterministic. e.g. it’s expected that they must be retried (specifically the authors target 4-7 iterations).

Inside a zk circuit we can avoid variable length execution by doing the rejection sampling at witness generation time and providing a suitable $y$ as an input. The circuit does not need to range check the $z$ value inside the proof. Outputting a value outside the range leaks the secret key, so it’s important that the witness calculation function operates correctly. In fact, we don’t need to constrain the calculation of the $c$ value either.

The verification procedure is robust and allows us to constrain relatively little of the signing procedure. Specifically we can take $c$ , $y$ , and $s_{1}$ as inputs directly.

We must constrain only the following:

$z = y + c s_{1}$ ( $ℓ$ polynomial additions and $ℓ$ polynomial multiplications) ( $ℓ \approx 5$ )

unconstrained $w_{1}$ and $c$ calculation

The verifier calculates $A z - c t$ . We can substitute $z$ and $t$ in this equation to get

$A (y + c s_{1}) - c (A s_{1} + s_{2}) = A y + A c s_{1} - A c s_{1} - c s_{2}$

The middle terms cancel leaving $A y - c s_{2}$

$c$ and $s_{2}$ are both of small norm and are filtered out by decomposing into the high bits of the coefficients yielding ${w^{'}}_{1}$ . Because the verifier calculates the ${w^{'}}_{1}$ value, it’s able to ensure that $c$ was hashed appropriately even without explicit constraints in the zk circuit.

misc notes

Polynomials are in a ring with modulus $X^{256} + 1$ with coefficients in a field with scalar modulus $\approx 2^{23}$ .

Depending on the architecture of the execution system we can do lazy reduction for the scalar operations. This is a compiler level optimization that is particularly relevant in systems with large native types (e.g. $\approx 2^{256}$ ) that can’t efficiently support montgomery/crt representation.

🏷️ lattice, zk, signature

👍 󠁮󠁮󠁮󠁮 1 👎 󠁮󠁮󠁮󠁮

chance 2025-01-17 👍 1 👎 [op]

hackmd link with proper bold characters in formulas

CPerezz 2025-01-24 👍 👎

Have to take a deeper look to this. Please @chance forward this to the PQ team!! You should also check in with Antonio Sanso from EF.

On a sidenote, the high-bits/low-bits split happens, you need to be sure that the distribution is randomly sampled. Otherwise, you’re at the risk of a significant security drop. At least this happens with regular ZKP world schemes.

Proving signature

unconstrained w1 and c calculation

misc notes

unconstrained $w_{1}$ and $c$ calculation