Hello, I'm Russell Lai. Welcome to my talk on Subtractive Sets over Cyclotomic Rings: Limits of Schnorr-like Arguments over Lattices. This is a joint work with Martin Albrecht. This work is about the relationship between the mathematical objects called subtractive sets and lattice-based Schnorr-like arguments. Since you are watching this video, you are probably interested in lattice-based Schnorr-like arguments in general. Therefore, I recommend checking out these concurrent works, which are also appearing in this year's Crypto. Let me begin with the slide that every other lattice talk needs, that is, the slide about the short integer solution problem, or the SIS problem. The SIS problem is parametrized by a modulus q and a norm bound beta, and a problem instance is given by a matrix A and a vector y, and it asks us to find a short vector x such that A times x equals y modulo q, and the norm of x is bounded by beta. Usually, the SIS problem is considered over the integer ring, that is, the matrix A and the vectors y and x are all matrices and vectors over the ring of rational integers. But in this work, we are considering the SIS problem over a general ring R, that is, a mathematical object that allows you to perform addition, subtraction and multiplication, but not always division. The motivating problem of this work is that of proving knowledge of an SIS witness x. To be more concrete, let me introduce this generalized SIS relation, which is parametrized by a ring element s, a norm bound beta, and also the modulus q, which is omitted. The relation takes as input a statement, which is specified by a matrix A and a vector y, and also another vector, a witness vector x, and checks whether A times x equals s times y modulo q, and the norm of x is bounded by beta. Notice that the vector x doesn't necessarily satisfy A x equals y exactly, but instead there is an element s here, called the slack.
If the slack s equals 1, then we say that the witness x satisfies the statement (A, y) with no slack; otherwise we say that the vector x satisfies the statement (A, y) with slack s. Generally speaking, an argument system for proving the SIS relation involves two entities, the prover and the verifier. The prover inputs the SIS relation (A, y) as well as the witness x, while the verifier only inputs the statement (A, y). The prover and the verifier may interact for several rounds, and eventually the verifier will output a bit b, which is either 0 or 1, deciding whether or not it believes that the prover P knows a witness x that satisfies (A, y). An argument system could satisfy several properties, and in this work we are going to focus on the completeness property and the soundness property. We say that the argument system is complete for the relation R_{1,beta} if, whenever the witness x satisfies the statement (A, y) with no slack, the prover is able to convince the verifier to output 1. On the other hand, we say that the argument system has kappa knowledge soundness for the relation R_{s,beta'}, where kappa here is known as the knowledge error, if there exists an efficient knowledge extractor E such that, if the prover convinces V to accept the statement (A, y) with some probability rho which is strictly greater than kappa, then the extractor, when given oracle access to the prover, extracts some kind of witness x tilde that satisfies the relation R_{s,beta'} with probability rho minus kappa. A recurring challenge when designing argument systems for the SIS relation is to design the prover and the verifier such that the knowledge error kappa and the slack s are both minimized. Of course, one would also like to minimize the difference between beta prime and beta, which we call the stretch in this work, but I will not go into detail in this talk. With this background, let me overview the existing argument systems for the SIS relation.
Prior to the year 2019, there were basically three types of argument systems for the SIS relation. The first kind of systems are based on PCPs, or probabilistically checkable proofs, which are a kind of information-theoretic proof system. These constructions usually start from a PCP for proving statements from a certain NP-complete language, such as R1CS, and compile it with a commitment scheme into an argument system. These constructions typically achieve logarithmic proof size and can prove the SIS relation without any slack and stretch. However, to achieve negligible knowledge error, a super-polynomial-size modulus q is usually needed, which impacts efficiency. The second type of argument systems for the SIS relation are called Stern-like systems. These are combinatorial systems based on the classic cut-and-choose technique. Like the PCP-based proof systems, these Stern-like systems can prove the SIS relation without any slack and stretch. However, due to their combinatorial nature, they often require linear-size proofs and can only achieve constant knowledge error, which means that the argument needs to be repeated lambda times, where lambda is the security parameter, to achieve negligible knowledge error. Finally, the third type of arguments are Schnorr-like arguments. These are algebraic arguments which can achieve inverse-polynomial knowledge error, and therefore only lambda over log lambda repetitions are needed to achieve negligible knowledge error. A distinctive feature of the Schnorr-like systems is their linearity, which could be exploited for recursive composition using a technique called Bulletproof folding to achieve logarithmic-size proofs. On the negative side, Schnorr-like systems could only prove the SIS relation with both slack and stretch, which is significant because these get amplified when performing recursive composition.
After the year 2019, there was an effort to combine the best of both the Stern and Schnorr worlds by introducing extra nonlinear constraints to the Schnorr-like systems. Like the Schnorr-like systems, these new systems can achieve inverse-polynomial knowledge error, and like the Stern-like systems, they can prove the SIS relation without slack and stretch. However, due to the extra nonlinear constraints, these new systems are no longer compatible with the Bulletproof folding technique, and therefore it is unclear how to produce logarithmic-size proofs from them. Given this state of affairs, a natural question is therefore: can we keep the linearity and inverse-polynomial knowledge error of Schnorr-like systems, but at the same time reduce the slack and stretch? To answer this question, let us take a closer look at some existing Schnorr-like systems. Our first example is the lattice analog of the textbook Schnorr protocol for proving discrete logarithms. In this protocol, the prover first samples a short vector u and computes a vector v, which is equal to A times u, and sends v over to the verifier. In turn, the verifier samples a challenge c from the challenge set C, and sends c over to the prover. Finally, the prover computes the vector x hat, which is equal to u plus c times x, and the verifier checks that x hat is indeed computed correctly. A point to note from this simple protocol is that the knowledge error kappa is inversely proportional to the size of the challenge set. Therefore, to achieve inverse-polynomial knowledge error, we would need to instantiate this protocol with a polynomial-size challenge set. Next, let us examine how a knowledge extractor could be constructed for this Schnorr-like argument. First, we recall the verification equation, which looks like this.
We construct an extractor that runs the prover twice on two different challenges, c0 and c1, to get two different communication transcripts, both of which satisfy the verification equation. In matrix form, they can be written as shown on the screen right now. Next, the extractor would try to solve the following dual-Vandermonde system for a vector z over the ring R. I call this a dual-Vandermonde system because this system of linear equations is defined by the transpose of a Vandermonde system defined by c0 and c1. Suppose the extractor is successful in solving the dual-Vandermonde system for the vector z; then it can compute the extracted witness like this. Let us look at the second example of Schnorr-like arguments, which is the lattice Bulletproof system proposed at Crypto '20. For this system, we make additional structural assumptions about the statement (A, y) and the vector x, so that the matrix A can be split into two parts A0 and A1 of equal dimensions. Similarly, the witness x can be split into two parts x0 and x1 of equal dimensions. In this way, if the vector x indeed satisfies the statement (A, y) with no slack, then y can be written as A x, which is equal to A0 times x0 plus A1 times x1 modulo q. Given these assumptions, the lattice Bulletproof system goes as follows. First, the prover computes the cross terms between the matrix A and the vector x. That is, it computes the vector y01, which is equal to A0 times x1, and the vector y10, which is equal to A1 times x0. After receiving the vectors y01 and y10, the verifier would again sample a challenge c from the challenge set C, and send this challenge to the prover. Finally, the prover would respond with x hat, which is computed as a linear combination of x0 and x1. Notice that the set of verification equations checked by the verifier is nothing but another SIS relation. But here, the witness x hat is of dimension half that of the original witness x.
Therefore, by recursively composing this protocol a logarithmic number of times, one would obtain an argument system for the SIS relation with only logarithmic communication cost. Like in the first example, we notice that the knowledge error of this protocol is again inversely proportional to the size of the challenge set. Therefore, if we want to achieve inverse-polynomial knowledge error, we again want to use a polynomial-size challenge set. As before, let us look at how a knowledge extractor can be constructed for the lattice Bulletproof. First, recall the verification equation shown on the screen right now. This time, our knowledge extractor would run the prover P three times instead of two, on three different challenges c0, c1 and c2, to obtain three different accepting communication transcripts. In matrix form, these communication transcripts would satisfy the verification equation shown on the screen right now. Then the knowledge extractor would try to solve the following three-dimensional dual-Vandermonde system, again for a vector z over the ring R. If it is successful in finding such a vector z, it can compute the extracted witness as shown on the screen now. You might have already observed a pattern: the knowledge extractor is always going to solve a dual-Vandermonde system of a certain dimension. Therefore, a natural question to ask is, for what challenges c0 up to c_{t-1} and slack s is the following dual-Vandermonde system solvable over the ring R? Our observation is that, if for all i from 0 to t minus 1, the slack s is divisible by the product of ci minus cj over all j not equal to i, then the dual-Vandermonde system is solvable over R. This motivates us to define the notion of an (s,t)-subtractive set. We say that a set C, which is a subset of the ring, is (s,t)-subtractive if the following holds.
For any t-subset T, which is equal to {c0, ..., c_{t-1}}, it holds that, for all i from 0 to t minus 1, the slack s is divisible by the product of ci minus cj, with j running from 0 to t minus 1 except for i. Furthermore, if the slack s equals 1, we simply say that the set C is subtractive. Before I move on, let me say a few things about the relationship between subtractive sets and secret sharing. We notice that if C is an (s,t)-subtractive set, then for any t-subset T of C, not only is the dual-Vandermonde system defined by T solvable over R, but so is the Vandermonde system, which is exactly the system of linear equations that one would solve when performing polynomial interpolation. Therefore, it is natural to see that if the set C is (s,t)-subtractive, then one can use C as a set of evaluation points when constructing t-out-of-n secret sharing over the ring R. To summarize, here are some sample implications of (s,t)-subtractive sets. First, if we have an (s,3)-subtractive set of size n, then we can construct a lattice Bulletproof with slack s and knowledge error 2 over n. On the other hand, if we have an (s,t)-subtractive set of size n, then we could construct lattice-based t-out-of-n threshold primitives. At this point, hopefully you are convinced that (s,t)-subtractive sets are useful objects. Therefore, the remaining challenge is to construct large (s,t)-subtractive sets, and by large I mean polynomial size, with small slack s over some interesting ring R. For example, in lattice-based cryptography, a popular choice of R would be a cyclotomic ring, which is the ring of rational integers Z adjoined with a primitive m-th root of unity, zeta_m, where m is of polynomial size. To sum up, here are our results on subtractive sets over cyclotomic rings. First, for power-of-two cyclotomic rings, that is, when m is a power of two, we can construct a family of (s,t)-subtractive sets of size n for a wide range of s, t and n.
For example, we can construct (2,3)-subtractive sets of size m over two plus one, which yield a Bulletproof with slack two. On the negative side, we show that it is impossible to construct a family of (2,t)-subtractive sets, where the family is parametrized by m, such that the m-th set, C_m, is of size strictly greater than m plus one. Moving over to prime-power cyclotomic rings, that is, when m is equal to a power of a prime p, we can construct a family of subtractive sets without slack of size p, which yields Bulletproofs with no slack. On the negative side, we prove a matching impossibility result, which says that there is no subtractive set C of size strictly greater than p. If we instantiate the lattice Bulletproof system with the (s,t)-subtractive sets constructed above, we obtain lattice Bulletproofs with better parameters. The improved parameters are partly due to the use of better subtractive sets and partly due to a more careful analysis. On the negative side, we show that for Schnorr-like protocols, it is impossible to have both small knowledge error and small slack. We see this as a technical barrier for constructing better lattice-based argument systems. Finally, we also demonstrate how (s,t)-subtractive sets can be used to construct threshold primitives, using distributed pseudorandom functions as an example. Before going into the technical details, let me lay down some mathematical background and intuition. In essence, the results in this paper critically rely on the presence and absence of ideals in the ring R, and therefore I should briefly talk about ideals. For a ring element c, the ideal generated by c, written as (c), is the set of all ring elements which can be written as a product between c and another ring element. In other words, the ideal generated by c is the set of all ring elements divisible by c. Using the language of ideals, the definition of (s,t)-subtractive sets can be rewritten as follows. We say that a set C is (s,t)-subtractive if the following holds.
For any t-subset T of C and any element c in T, the slack s belongs to the ideal generated by the product of the differences between c and c prime, over all c prime in T which are different from c. Let us think intuitively about how hard it is to construct large (s,t)-subtractive sets for a small slack s. Notice that to construct such a set, we want lots of elements to divide the small slack s. Suppose our ring R is the ring of rational integers Z; then it is going to be difficult because of the following observations. For example, if s is equal to 1, we notice that the only invertible elements in Z are negative 1 and 1. These are the only elements that divide s, which is 1. Suppose that s is slightly bigger, namely that s is equal to 2; still, the only factors of 2 are negative 2, negative 1, 1 and 2. Over a cyclotomic ring, however, the situation is a little bit different. For example, in a power-of-2 cyclotomic ring of order 2 to the l, the element 1 minus zeta to the power k is a factor of 2 whenever 2 to the l does not divide k. Similarly, over a prime-power cyclotomic ring of order p to the l, the element (1 minus zeta to the k) over (1 minus zeta) is invertible whenever p and k are coprime. With these observations, we see that it is quite a bit easier to construct (s,t)-subtractive sets over a cyclotomic ring than in the ring of rational integers. With these intuitions, let me present to you a flavor of our technical results. We first focus on the simpler setting of prime-power cyclotomic rings, that is, when the order of the ring is p to the l. Consider the ring element mu_k, which is defined by (1 minus zeta to the power k) over (1 minus zeta), as introduced in the previous slide. We show that the set C, which consists of mu_0, mu_1 up to mu_{p-1}, is subtractive. To see this, let us recall that the element mu_k is invertible over the ring R whenever p and k are coprime.
Next, we realize that for i smaller than j, the difference between mu_j and mu_i can be written as zeta to the power i times mu_{j-i}. Since both zeta and mu_{j-i} are invertible over R, their product is also invertible over R. On the negative side, we show that there is no subtractive set C of size strictly greater than p. To see this, we first realize that the ideal generated by 1 minus zeta has p cosets and the element 1 does not belong to this ideal. Suppose there exists a subtractive set C of size strictly greater than p; then by the pigeonhole principle, there must exist distinct c0 and c1 in the set C such that the difference between c0 and c1 belongs to the ideal generated by 1 minus zeta. However, by assumption, we know that C is subtractive, which means that c0 minus c1 is invertible, which implies that the element 1 belongs to the ideal generated by 1 minus zeta, which is a contradiction. Next, we move to the setting of power-of-two cyclotomic rings, where I would like to show you the following theorem. But since there are too many variables to worry about, let us consider the following special case, which says that the following set C is (2,3)-subtractive, where the set C consists of the elements 0, 1, zeta, zeta squared, up to zeta to the power Euler phi of m minus 1, and since m is a power of 2, Euler phi of m is simply m over 2. To prove this theorem, we first notice that the element 0 is given to us for free, because all the other elements in the set C are invertible, and therefore the differences between them and 0 are invertible as well. Next, without loss of generality, let us consider a set T of 3 elements, which can be written as zeta to the A, zeta to the B, and zeta to the C, where A is smaller than B and B is smaller than C. Next, we want to show that the element 2 belongs to the ideal generated by the product (zeta to the A minus zeta to the B) times (zeta to the A minus zeta to the C). For convenience, we call this ideal I.
First, we notice that zeta to the A is invertible, and therefore the ideal I is equal to the ideal generated by the product (1 minus zeta to the B minus A) times (1 minus zeta to the C minus A). Next, by some routine calculation, we show that the exponents B minus A and C minus A can be taken out, so that the ideal I is equal to the ideal generated by 1 minus zeta to the power of the even part of B minus A plus the even part of C minus A, where the even part of B minus A is the largest power of 2 which divides B minus A. Finally, we make two observations. The first is that the element 2 belongs to the ideal generated by 1 minus zeta to the power phi of m. And second, the sum of the even parts of B minus A and C minus A is at most phi of m. Therefore the ideal that the element 2 belongs to is just a subset of the ideal I, and we conclude that 2 is also in the ideal I. As the final result in this talk, let me show you that there is no family of (2,t)-subtractive sets parametrized by m such that the m-th set is of size strictly greater than m plus 1. To show that there is no such family, it suffices to find one single m such that there is no (2,t)-subtractive set of size strictly greater than m plus 1. For this purpose, let m be a power of 2 greater than 4 such that m plus 1 is a prime. These primes are called Fermat primes, and currently known examples include 517, 257 and 65537. For any of these m, we notice that any factor ideal I of the ideal generated by m plus 1 has exactly m plus 1 cosets, and the element 2 does not belong to the ideal I. Suppose that C is a (2,t)-subtractive set and the size of C is strictly greater than m plus 1. Then by the pigeonhole principle again, there must exist two distinct elements c0 and c1 of C such that the difference between c0 and c1 belongs to the ideal I.
However, by assumption, we have that C is (2,t)-subtractive, and therefore the element 2 is divisible by the difference between c0 and c1, which means that 2 belongs to the ideal I, which is a contradiction. To conclude, in this work, we formalized the notion of (s,t)-subtractive sets. We applied them to Schnorr-like arguments and threshold secret sharing. We constructed polynomial-size (s,t)-subtractive sets over cyclotomic rings with almost matching impossibility results. We obtained improved lattice Bulletproofs by instantiating the construction with better (s,t)-subtractive sets, and finally we showed that there is a trade-off between knowledge error and slack for Schnorr-like arguments. For the full technical details of our results, I encourage you to check out our paper, which is available on ePrint, or, if you find the paper a bit too overwhelming, you can also check out the blog post.
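To make the constructions and bounds from the talk concrete, here is an added example (my own code, not part of the talk or the paper) that implements arithmetic in R = Z[zeta_m] = Z[x]/(Phi_m(x)) for prime-power m and brute-forces the (s,t)-subtractive definition: it checks that {mu_0, mu_1, mu_2} is subtractive over Z[zeta_9] while adding mu_3 (size p + 1) breaks this, and that {0, 1, zeta, ..., zeta^7} over Z[zeta_16] is (2,3)-subtractive but not subtractive with slack 1. All function names are mine; membership of s in the ideal (d) is decided by solving d times z = s over the rationals and checking that z has integer coefficients, which relies on Phi_m being irreducible so that R is an integral domain.

```python
from fractions import Fraction
from itertools import combinations

def phi_prime_power(p, l):
    # Phi_{p^l}(x) = sum_{i<p} x^(i * p^(l-1)); coefficients listed low degree first.
    n = p ** (l - 1)
    return [1 if i % n == 0 else 0 for i in range((p - 1) * n + 1)]

def reduce_mod(a, mod):
    # Remainder of the polynomial a modulo the monic polynomial mod,
    # returned as exactly deg(mod) Fraction coefficients (a ring element of R).
    deg = len(mod) - 1
    a = [Fraction(c) for c in a] + [Fraction(0)] * (deg + 1)
    for i in range(len(a) - 1, deg - 1, -1):
        for j in range(deg + 1):
            a[i - deg + j] -= a[i] * mod[j]
    return a[:deg]

def mul(a, b, mod):
    out = [Fraction(0)] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return reduce_mod(out, mod)

def divides(d, s, mod):
    # Is s in the ideal (d)?  Solve d*z = s over Q via the multiplication-by-d
    # matrix (Gauss-Jordan) and test whether the unique solution z is integral.
    n = len(mod) - 1
    cols = [mul(d, [0] * j + [1], mod) for j in range(n)]          # column j = d * x^j
    M = [[cols[j][i] for j in range(n)] + [s[i]] for i in range(n)]
    for c in range(n):
        piv = next(r for r in range(c, n) if M[r][c] != 0)         # exists since d != 0
        M[c], M[piv] = M[piv], M[c]
        M[c] = [v / M[c][c] for v in M[c]]
        for r in range(n):
            if r != c and M[r][c] != 0:
                M[r] = [x - M[r][c] * y for x, y in zip(M[r], M[c])]
    return all(M[i][n].denominator == 1 for i in range(n))

def is_st_subtractive(C, s, t, mod):
    # Definition from the talk: for every t-subset T of C and every c in T,
    # s must be divisible by the product of (c - c') over the other c' in T.
    s_elem, one = reduce_mod([s], mod), reduce_mod([1], mod)
    for T in combinations(C, t):
        for i, c in enumerate(T):
            d = one
            for j, cp in enumerate(T):
                if j != i:
                    d = mul(d, [x - y for x, y in zip(c, cp)], mod)
            if not divides(d, s_elem, mod):
                return False
    return True

def power_of_two_example():
    # m = 16, R = Z[x]/(x^8 + 1): {1, zeta, ..., zeta^7, 0} (size phi(m) + 1 = 9)
    # is (2,3)-subtractive but not subtractive with slack 1 (1 - zeta is not a unit).
    mod = phi_prime_power(2, 4)
    C = [reduce_mod([0] * k + [1], mod) for k in range(8)] + [reduce_mod([0], mod)]
    return is_st_subtractive(C, 2, 3, mod), is_st_subtractive(C, 1, 2, mod)

def prime_power_example():
    # m = 9, R = Z[x]/(x^6 + x^3 + 1): {mu_0, mu_1, mu_2} with mu_k = 1 + zeta + ... + zeta^(k-1)
    # is subtractive; adding mu_3 gives size p + 1 = 4, which the talk shows is impossible.
    mod = phi_prime_power(3, 2)
    mu = [reduce_mod([1] * k or [0], mod) for k in range(4)]
    return is_st_subtractive(mu[:3], 1, 2, mod), is_st_subtractive(mu, 1, 2, mod)
```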