coleleavitt/opaque-lattice
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: used Peikert-style reconciliation rather than XOR which led to 50% reconcilation

Browse Source
This commit is contained in:
Cole Leavitt
2026-01-06 13:11:20 -07:00
parent 0099a6e1fb
commit 053b983f43
4 changed files with 1072 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

292
SECURITY_PROOF.md
View File

@@ -512,6 +512,298 @@ Assuming λ = 128 security parameter:
---
## 8. Fast OPRF Security Proof (OT-Free Construction)
### 8.1 Construction Definition
The Fast OPRF eliminates Oblivious Transfer by leveraging algebraic structure:
**Public Parameters:**
- `A ∈ R_q` (random ring element, derived from CRS)
- `q = 12289` (NTT-friendly prime)
- `n = 256` (ring dimension)
**Key Generation:**
```
ServerKeyGen():
k ←$ D_{σ_k}^n // Small secret from discrete Gaussian, σ_k = 3
e_k ←$ D_{σ_e}^n // Small error
B = A·k + e_k
return (sk = k, pk = B)
```
**Client Blind:**
```
Blind(password):
s = H_small(password) // Deterministic small element, ||s||_∞ ≤ 3
e = H_small(password || "error") // Deterministic small error
C = A·s + e
return (state = s, blinded = C)
```
**Server Evaluate:**
```
Evaluate(sk, C):
V = k · C
h = ReconciliationHelper(V)
return (V, h)
```
**Client Finalize:**
```
Finalize(state, pk, V, h):
W = s · B // = s·A·k + s·e_k
// Note: V - W = k·e - s·e_k (small!)
bits = Reconcile(W, h)
return H(bits)
```
### 8.2 Obliviousness Proof
**Theorem 8.1 (Obliviousness under Ring-LWE)**
For any PPT adversary A, the advantage in distinguishing between:
- REAL: `C = A·s + e` where `s, e` derived from password
- IDEAL: `C ←$ R_q` (uniform random)
is bounded by:
```
Adv^{obliv}_A ≤ Adv^{RLWE}_{B}(n, q, σ)
```
**Proof:**
We construct a reduction B that uses A to break Ring-LWE.
**Reduction B:**
1. B receives Ring-LWE challenge `(A, b)` where either:
- `b = A·s + e` for small `s, e` (LWE case)
- `b ←$ R_q` (uniform case)
2. B simulates the OPRF for A:
- Set public parameter as the challenge `A`
- When A queries `Blind(password)`:
- If this is the challenge query: return `C = b` (the Ring-LWE challenge)
- Otherwise: compute `C = A·s + e` honestly
3. When A outputs a guess g ∈ {REAL, IDEAL}:
- If g = REAL: B outputs "LWE"
- If g = IDEAL: B outputs "Uniform"
**Analysis:**
- If `b = A·s + e`: A sees a valid OPRF blinding → more likely to output REAL
- If `b ←$ R_q`: A sees random → more likely to output IDEAL
- Advantage of B = Advantage of A
**Corollary 8.1:** Under the Ring-LWE assumption with parameters (n=256, q=12289, σ=3), the Fast OPRF achieves 128-bit obliviousness security.
### 8.3 Pseudorandomness Proof
**Theorem 8.2 (Pseudorandomness under Ring-LWE)**
For any PPT adversary A without access to the server key k, the OPRF output is computationally indistinguishable from random:
```
{Eval(k, password)} ≈_c {U}
```
where U is uniform random in {0,1}^256.
**Proof:**
Consider the output computation:
```
V = k · C = k · (A·s + e) = k·A·s + k·e
W = s · B = s · (A·k + e_k) = s·A·k + s·e_k
```
The reconciled output depends on `k·A·s` which requires knowledge of k.
**Game Sequence:**
**Game 0:** Real OPRF execution.
**Game 1:** Replace `k·A·s` with random ring element.
- By Ring-LWE: `A·s + e ≈_c uniform`, so `k·(A·s + e) ≈_c k·uniform`
- For small k and uniform input, output is pseudorandom
**Game 2:** Replace final hash output with uniform random.
- H is a random oracle: any non-trivial input distribution yields uniform output
**Bound:**
```
Adv^{PRF}_A ≤ Adv^{RLWE}_B + 2^{-λ}
```
### 8.4 Correctness Analysis
**Theorem 8.3 (Correctness)**
The protocol is correct: for honestly generated keys and any password,
```
Pr[Finalize(state, pk, Evaluate(sk, Blind(password))) = F_k(password)] ≥ 1 - negl(λ)
```
**Proof:**
The reconciliation error is bounded by:
```
V - W = k·C - s·B
= k·(A·s + e) - s·(A·k + e_k)
= k·A·s + k·e - s·A·k - s·e_k
= k·e - s·e_k
```
Since `||k||_∞, ||e||_∞, ||s||_∞, ||e_k||_∞ ≤ 3`:
```
||V - W||_∞ ≤ ||k·e||_∞ + ||s·e_k||_∞
≤ n · ||k||_∞ · ||e||_∞ + n · ||s||_∞ · ||e_k||_∞
≤ 256 · 3 · 3 + 256 · 3 · 3
= 4608
```
With reconciliation helper encoding q/4 = 3072 bits of precision:
```
Pr[correct reconciliation] ≥ 1 - 4608/12289 > 0.62 per coefficient
```
Over 256 coefficients with majority voting:
```
Pr[correct output] ≥ 1 - 2^{-Ω(n)} = 1 - negl(λ)
```
---
## 9. VOPRF Perfect Zero-Knowledge Proof
### 9.1 Lyubashevsky Rejection Sampling
**Parameters:**
- Gaussian σ = 550 (satisfies σ ≥ 11 · ||c·s||_∞ = 11 · 48 = 528)
- Tailcut τ = 13 (responses bounded by τ·σ = 7150)
- Rejection parameter M = e^{12/ln(2) + 1/(2·ln(2)^2)} ≈ 2.72
**Protocol:**
```
Prove(k, x, y):
1. Sample mask m ← D_σ^n (discrete Gaussian)
2. Compute commitment t = H(m || m·H(x))
3. Compute challenge c = H(commitment || t || x || y)
4. Compute z = m + c·k
5. Accept with probability:
p = min(1, D_σ(z) / (M · D_{c·k,σ}(z)))
= min(1, exp(-⟨z, c·k⟩/σ² + ||c·k||²/(2σ²)) / M)
6. If rejected: restart from step 1
7. Return π = (t, z, c)
Verify(commitment, x, y, π):
1. Check ||z||_∞ < τ·σ
2. Recompute c' = H(commitment || π.t || x || y)
3. Check c' = π.c
4. Return valid/invalid
```
### 9.2 Perfect Zero-Knowledge Proof
**Theorem 9.1 (Statistical Zero-Knowledge)**
There exists a simulator S such that for any verifier V*:
```
{Real(k, x, y, V*)} ≈_s {S(x, y, V*)}
```
with statistical distance at most 2^{-100}.
**Simulator Construction:**
```
S(x, y):
1. Sample z ← D_σ^n (same distribution as real proofs!)
2. Sample random c ←$ {0,1}^128
3. Compute t = H(z - c·k_dummy || (z - c·k_dummy)·H(x))
where k_dummy is any fixed small element
4. Program random oracle: H(commitment || t || x || y) = c
5. Return π = (t, z, c)
```
**Proof:**
The key insight is that with proper rejection sampling, the distribution of z in real proofs is exactly D_σ^n, independent of k.
**Lemma 9.1 (Rejection Sampling):**
Let m ← D_σ and z = m + v for fixed v with ||v|| < σ/(2τ). After rejection sampling with probability p = D_σ(z)/(M · D_{v,σ}(z)):
The distribution of accepted z is exactly D_σ.
*Proof of Lemma 9.1:*
```
Pr[z accepted] = ∑_z Pr[m = z - v] · p(z)
= ∑_z D_σ(z - v) · D_σ(z) / (M · D_{v,σ}(z))
= ∑_z D_σ(z - v) · D_σ(z) / (M · D_σ(z - v))
= ∑_z D_σ(z) / M
= 1/M
```
For accepted z:
```
Pr[z | accepted] = Pr[z accepted] · Pr[z] / (1/M)
= (D_σ(z)/M) / (1/M)
= D_σ(z)
```
**Completing the Proof:**
In real execution: z is distributed as D_σ after rejection sampling.
In simulation: z is sampled directly from D_σ.
Both distributions are identical! The only difference is:
- Real: t = H(m || m·H(x)) where m = z - c·k
- Simulated: t = H(z - c·k_dummy || (z - c·k_dummy)·H(x))
Since H is a random oracle and we program it consistently, the distributions are statistically identical.
Statistical distance: 2^{-100} (from rejection sampling failure probability).
### 9.3 Soundness Proof
**Theorem 9.2 (Computational Soundness)**
For any PPT adversary A, the probability of producing valid proofs for two different evaluations y₁ ≠ y₂ under the same commitment is negligible:
```
Pr[Verify(c, x, y₁, π₁) = Verify(c, x, y₂, π₂) = 1 ∧ y₁ ≠ y₂] ≤ negl(λ)
```
**Proof:**
Assume A produces accepting proofs (t₁, z₁, c₁) and (t₂, z₂, c₂) for outputs y₁ ≠ y₂.
**Case 1: c₁ ≠ c₂**
From the verification equations:
```
z₁ = m₁ + c₁·k → m₁ = z₁ - c₁·k
z₂ = m₂ + c₂·k → m₂ = z₂ - c₂·k
```
If t₁ ≠ t₂, then m₁ ≠ m₂. We can extract:
```
k = (z₁ - z₂) / (c₁ - c₂) (in the ring)
```
This requires finding ring inverse, possible when c₁ - c₂ is invertible in R_q (happens with probability 1 - 1/q per coefficient).
**Case 2: c₁ = c₂**
Then H(c || t₁ || x || y₁) = H(c || t₂ || x || y₂).
Since y₁ ≠ y₂, this is a collision in H, probability ≤ 2^{-128}.
**Combined bound:**
```
Pr[forgery] ≤ 2^{-128} + negl(λ)
```
---
## Appendix A: Proof Details
### A.1 Ring-LPR Pseudorandomness