fmouhart/thesis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Modifications

Browse Source
This commit is contained in:
Fabrice Mouhartem
2018-01-27 21:27:06 +01:00
parent 2b0f6ddf53
commit 0598c398ad
6 changed files with 64 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
sec-lattices.tex
View File

@ -2,6 +2,12 @@
% \section{Lattice-Based Cryptography} %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
During the last decade, lattice-based cryptography has emerged as a promising candidate for post-quantum cryptography.
For example, on the first round of the NIST post-quantum competition, there are 28 out of 82 submissions from lattice-based cryptography~\cite{NIS17}. Lattice-based cryptography takes advantage of a simple mathematical structure (the lattices) in order to provide beyond encryption and signature cryptography. For instance, fully homomorphic encryption~\cite{Gen09,GSW13} are only possible in the lattice-based world for now.
In the context of provable security, lattice assumptions benefits from a worst-case to average-case reduction~\cite{Reg05,GPV08,MP12}
have been extensively studied~\cite{ADRS15,HK17}
\subsection{Lattices and Hard Lattice Problems}
\label{sse:lattice-problems}
@ -21,8 +27,8 @@
}
\draw[very thick, green!80!black, ->] (v-9-4) -- (v-8-4);
\draw[very thick, green!80!black, ->] (v-9-4) -- (v-9-5);
\draw[very thick, red!80!black, ->] (v-9-4) -- (v-15-5);
\draw[very thick, red!80!black, ->] (v-9-4) -- (v-18-3);
\draw[very thick, red!80!black, ->] (v-9-4) -- (v-19-2);
\draw[very thick, red!80!black, ->] (v-9-4) -- (v-18-2);
\foreach \i in {0,1,...,10} {
\draw[dotted, color=black!70] (v-0-\i) -- (v-20-\i);
}
@ -41,9 +47,9 @@ In the following, we work with $q$-ary lattices, for some prime $q$.
\begin{definition} \label{de:qary-lattices}
Let~$m \geq n \geq 1$, a prime~$q \geq 2$, $\mathbf{A} \in \ZZ_q^{n \times m}$ and $\mathbf{u} \in \ZZ_q^n$, define
\begin{align*}
\Lambda_q(\mathbf{A}) &\triangleq \{ \mathbf{e} \in \ZZ^m \mid \exists \mathbf{s} \in \ZZ_q^n ~\text{ s.t. }~\mathbf{A}^T \cdot \mathbf{s} = \mathbf{e} \bmod q \} \text{ as well as}\\
\Lambda_q^{\perp} (\mathbf{A}) &\triangleq \{\mathbf{e} \in \ZZ^m \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{0}^n \bmod q \} \text{, and}\\
\Lambda_q^{\mathbf{u}} (\mathbf{A}) &\triangleq \{\mathbf{e} \in \ZZ^m \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{u} \bmod q \}.
\Lambda_q(\mathbf{A}) & \triangleq \{ \mathbf{e} \in \ZZ^m \mid \exists \mathbf{s} \in \ZZ_q^n ~\text{ s.t. }~\mathbf{A}^T \cdot \mathbf{s} = \mathbf{e} \bmod q \} \text{ as well as}\\
\Lambda_q^{\perp} (\mathbf{A}) & \triangleq \{\mathbf{e} \in \ZZ^m \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{0}^n \bmod q \} \text{, and}\\
\Lambda_q^{\mathbf{u}} (\mathbf{A}) & \triangleq \{\mathbf{e} \in \ZZ^m \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{u} \bmod q \}.
\end{align*}
For any lattice point $\mathbf{t} \in \Lambda_q^{\mathbf{u}} (\mathbf{A})$, it holds that $\Lambda_q^{\mathbf{u}}(\mathbf{A})=\Lambda_q^{\perp}(\mathbf{A}) + \mathbf{t}$. Meaning that $\Lambda_q^{\mathbf{u}} (\mathbf{A}) $
@ -56,7 +62,7 @@ The discrete Gaussian distribution of support~$L$, parameter~$\sigma$ and center
$D_{L,\sigma,\mathbf{c}}(\mathbf{y}) = \rho_{\sigma,\mathbf{c}}(\mathbf{y})/\rho_{\sigma,\mathbf{c}}(L)$ for any $\mathbf{y} \in L$.
We denote by $D_{L,\sigma }(\mathbf{y}) $ the distribution centered in $\mathbf{c}=\mathbf{0}$.
In order to work with lattices in cryptography, it is useful to define hard lattice problems. In the following we define the shortest Independent Vectors Problem ($\SIVP$). This problem reduces to the Learning With Errors ($\LWE$) problems and the Short Integer Solution ($\SIS$) problem as explained later. These links are important because those are ``wost-case to average-case'' reductions. In other words, the $\SIVP$ assumption by itself is not very handy to manipulate in order to build new cryptographic designs, while the $\LWE$ and $\SIS$ assumptions are ``average-case'' assumptions, are are more suitable to design cryptographic schemes.
In order to work with lattices in cryptography, it is useful to define hard lattice problems. In the following we define the shortest Independent Vectors Problem~($\SIVP$). This problem reduces to the Learning With Errors ($\LWE$) problems and the Short Integer Solution~($\SIS$) problem as explained later. These links are important because those are ``wost-case to average-case'' reductions. In other words, the $\SIVP$ assumption by itself is not very handy to manipulate in order to build new cryptographic designs, while the $\LWE$ and $\SIS$ assumptions are ``average-case'' assumptions, are more suitable to design cryptographic schemes.
In order to define the $\SIVP$ problem and assumption, let us first define the successive minima of a lattice, a generalization of the minimum of a lattice (the length of a shortest non-zero vector in a lattice).