thesis/sec-lattices.tex

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% \section{Lattice-Based Cryptography} %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\subsection{Lattices and Hard Lattice Problems}

A (full-rank) lattice~$L$ is defined as the set of all integer linear
combinations of some linearly independent basis
vectors~$(\mathbf{b}_i)_{i\leq n}$ belonging to some~$\RR^n$. We work with $q$-ary lattices, for some prime $q$.
\begin{definition} \label{de:qary-lattices}
  Let~$m \geq n \geq 1$, a prime~$q \geq 2$, $\mathbf{A} \in \ZZ_q^{n \times m}$ and   $\mathbf{u} \in \ZZ_q^n$, define
$\Lambda_q(\mathbf{A}) := \{ \mathbf{e} \in \ZZ^m \mid \exists \mathbf{s} \in \ZZ_q^n ~\text{ s.t. }~\mathbf{A}^T \cdot \mathbf{s} = \mathbf{e} \bmod q \}$ as well as
\begin{align*}
  \Lambda_q^{\perp} (\mathbf{A}) &:= \{\mathbf{e} \in \ZZ^m \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{0}^n \bmod q \},&
  \Lambda_q^{\mathbf{u}} (\mathbf{A}) &:=  \{\mathbf{e} \in \ZZ^m \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{u} \bmod q \}
\end{align*}
For any $\mathbf{t} \in \Lambda_q^{\mathbf{u}} (\mathbf{A})$,  $\Lambda_q^{\mathbf{u}}(\mathbf{A})=\Lambda_q^{\perp}(\mathbf{A}) + \mathbf{t}$ so that $\Lambda_q^{\mathbf{u}} (\mathbf{A}) $
is a shift of   $\Lambda_q^{\perp} (\mathbf{A})$.
\end{definition}


\noindent For a lattice~$L$, a vector $\mathbf{c} \in \RR^n$ and a real~$\sigma>0$, define the function
$\rho_{\sigma,\mathbf{c}}(\mathbf{x}) = \exp(-\pi\|\mathbf{x}- \mathbf{c} \|^2/\sigma^2)$.
The discrete Gaussian distribution of support~$L$, parameter~$\sigma$ and center $\mathbf{c}$ is defined as
 $D_{L,\sigma,\mathbf{c}}(\mathbf{y}) = \rho_{\sigma,\mathbf{c}}(\mathbf{y})/\rho_{\sigma,\mathbf{c}}(L)$ for any $\mathbf{y} \in L$.
We denote by  $D_{L,\sigma }(\mathbf{y}) $ the distribution centered in $\mathbf{c}=\mathbf{0}$.
We will extensively use the fact that samples
from~$D_{L,\sigma}$ are short with overwhelming probability.

\begin{lemma}[{\cite[Le.~1.5]{Bana93}}]
\label{le:small}
For any lattice~$L \subseteq
  \RR^n$ and positive real number~$\sigma>0$,
  we have  $\Pr_{\mathbf{b} \sample D_{L,\sigma}} [\|\mathbf{b}\|
    \leq \sqrt{n} \sigma] \geq 1-2^{-\Omega(n)}.$
\end{lemma}

\subsection{Lattice Trapdoors}

\noindent As shown by Gentry {\em et al.}~\cite{GPV08}, Gaussian
distributions with lattice support can be sampled efficiently
given a sufficiently short basis of the lattice.

\begin{lemma}[{\cite[Le.~2.3]{BLPRS13}}]
\label{le:GPV}
There exists a $\PPT$ (probabilistic polynomial-time) algorithm $\textsf{GPVSample}$ that takes as inputs a
basis~$\mathbf{B}$ of a lattice~$L \subseteq \ZZ^n$ and a
rational~$\sigma \geq  \|\widetilde{\mathbf{B}}\| \cdot \Omega(\sqrt{\log n})$,
and outputs vectors~$\mathbf{b} \in L$ with distribution~$D_{L,\sigma}$.
\end{lemma}

%We
%use an algorithm that jointly samples a uniform~$\mathbf{A}$ and a short
%basis of~$\Lambda_q^{\perp}(\mathbf{A})$.

\begin{lemma}[{\cite[Th.~3.2]{AlPe09}}]
\label{le:TrapGen}
There exists a $\PPT$ algorithm $\TrapGen$ that takes as inputs $1^n$,
$1^m$ and an integer~$q \geq 2$ with~$m \geq \Omega(n \log q)$, and
outputs a matrix~$\mathbf{A} \in \ZZ_q^{n \times m}$ and a
basis~$\mathbf{T}_{\mathbf{A}}$ of~$\Lambda_q^{\perp}(\mathbf{A})$ such
that~$\mathbf{A}$ is within statistical distance~$2^{-\Omega(n)}$
to~$U(\ZZ_q^{n \times m})$, and~$\|\widetilde{\mathbf{T}_{\mathbf{A}}}\| \leq
\bigO(\sqrt{n \log q})$.
\end{lemma}

\noindent Lemma~\ref{le:TrapGen} is often combined with the sampler from Lemma~\ref{le:GPV}. Micciancio and Peikert~\cite{MiPe12} recently proposed a more efficient
approach for this combined task, which should be preferred in practice but, for the sake of simplicity, we present our schemes using~$\TrapGen$.

We also make use of an algorithm that extends a trapdoor for~$\mathbf{A} \in \ZZ_q^{n \times m}$ to a trapdoor of any~$\mathbf{B} \in \ZZ_q^{n \times m'}$ whose left~$n \times m$
submatrix is~$\mathbf{A}$.

\begin{lemma}[{\cite[Le.~3.2]{CaHoKiPe10}}]\label{lem:extbasis}
  There exists a $\PPT$ algorithm $\ExtBasis$ that takes as inputs a
  matrix~$\mathbf{B} \in \ZZ_q^{n \times m' }$ whose first~$m$ columns
  span~$\ZZ_q^n$, and a basis~$\mathbf{T}_{\mathbf{A}}$
  of~$\Lambda_q^{\perp}(\mathbf{A})$ where~$\mathbf{A}$ is the left~$n \times
  m$ submatrix of~$\mathbf{B}$, and outputs a basis~$\mathbf{T}_{\mathbf{B}}$
  of~$\Lambda_q^{\perp}(\mathbf{B})$ with~$\|\widetilde{\mathbf{T}_{\mathbf{B}}}\|
  \leq \|\widetilde{\mathbf{T}_{\mathbf{A}}}\|$.
\end{lemma}

\noindent In our security proofs, analogously to \cite{Boy10,BHJKS15} we also use a technique due to Agrawal, Boneh and Boyen~\cite{ABB1} that implements
an all-but-one trapdoor mechanism (akin to the one of Boneh and Boyen \cite{BB04}) in the lattice setting.
%In other words we need the following algorithm:

\begin{lemma}[{\cite[Th.~19]{ABB1}}]\label{lem:sampler}
  There exists a $\PPT$ algorithm $\SampleR$ that takes as inputs matrices $\mathbf A, \mathbf C \in \ZZ_q^{n \times m}$, a low-norm matrix $\mathbf R \in \ZZ^{m \times m}$,
  a short basis $\mathbf{T_C} \in \ZZ^{m \times m}$ of $\Lambda_q^{\perp}(\mathbf{C})$, a vector $\mathbf u \in \ZZ_q^{n}$ and a rational $\sigma$ such that $\sigma \geq \|
  \widetilde{\mathbf{T_C}}\| \cdot \Omega(\sqrt{\log n})$, and outputs a short vector $\mathbf{b} \in \ZZ^{2m}$ such that $\left[ \begin{array}{c|c} \mathbf A ~ &~ \mathbf A
  \cdot \mathbf R + \mathbf C \end{array} \right]\cdot \mathbf b = \mathbf u \bmod q$ and with distribution statistically close to $D_{L,\sigma}$ where $L$ denotes the shifted
  lattice $\Lambda^\mathbf{u}_q \left( \left[ \begin{array}{c|c} \mathbf A ~&~ \mathbf A \cdot \mathbf R + \mathbf C \end{array} \right] \right)$.
  %$\{ \mathbf x \in \ZZ^{2 m} : \left[ \begin{array}{c|c} \mathbf A ~&~ \mathbf A \cdot \mathbf R + \mathbf C \end{array} \right] \cdot \mathbf x = \mathbf u \bmod q \}$.
\end{lemma}