Subtractive Sets over Cyclotomic Rings Limits of Schnorr-Like Arguments over Lattices

We study when (dual) Vandermonde systems of the form V-T((T)) . z = s . w admit a solution z over a ring R, where V-T is the Vandermonde matrix defined by a set T and where the "slack" s is a measure of the quality of solutions. To this end, we propose the notion of (s, t)-subtractive sets over a ring R, with the property that if S is (s, t)-subtractive then the above (dual) Vandermonde systems defined by any t-subset T subset of S are solvable over R. The challenge is then to find large sets S while minimising (the norm of) s when given a ring R. By constructing families of (s, t)-subtractive sets S of size n = poly(lambda) over cyclotomic rings R = Z[zeta(pl)] for prime p, we construct Schnorr-like lattice-based proofs of knowledge for the SIS relation A . x = s . y mod q with O(1/n) knowledge error, and s = 1 in case p = poly(lambda). Our technique slots naturally into the lattice Bulletproof framework from Crypto'20, producing lattice-based succinct arguments for NP with better parameters. We then give matching impossibility results constraining n relative to s, which suggest that our Bulletproof-compatible protocols are optimal unless fundamentally new techniques are discovered. Noting that the knowledge error of lattice Bulletproofs is Omega(log k/n) for witnesses in R-k and subtractive set size n, our result represents a barrier to practically efficient lattice-based succinct arguments in the Bulletproof framework. Beyond these main results, the concept of (s, t)-subtractive sets bridges group-based threshold cryptography to lattice settings, which we demonstrate by relating it to distributed pseudorandom functions.