fmouhart/thesis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Lattices and pairings

Browse Source
This commit is contained in:
Fabrice Mouhartem 2018-01-23 15:34:23 +01:00
parent 95c0b5d407
commit 0e434c1e98
2 changed files with 100 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

113
sec-lattices.tex
View File

@ -3,37 +3,94 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\subsection{Lattices and Hard Lattice Problems} \subsection{Lattices and Hard Lattice Problems}
\label{sse:lattice-problems}
\begin{figure}
\centering
\begin{tikzpicture}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Comment or uncomment crop %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\clip[use as bounding box]
%\draw[thick, black]
(2,3) rectangle (10,8);
\foreach \i in {0,1,...,20} {
\foreach \j in {0,1,..., 10} {
\draw[fill=black] (.2*\j + .5*\i, \j + .1*\i) circle (1pt) coordinate (v-\i-\j);
}
}
\draw[very thick, green!80!black, ->] (v-9-4) -- (v-8-4);
\draw[very thick, green!80!black, ->] (v-9-4) -- (v-9-5);
\draw[very thick, red!80!black, ->] (v-9-4) -- (v-15-5);
\draw[very thick, red!80!black, ->] (v-9-4) -- (v-18-3);
\foreach \i in {0,1,...,10} {
\draw[dotted, color=black!70] (v-0-\i) -- (v-20-\i);
}
\foreach \i in {0,1,...,20} {
\draw[dotted, color=black!70] (v-\i-0) -- (v-\i-10);
}
\end{tikzpicture}
\caption{A lattice $\Lambda$ with two different basis.}
\label{fig:lattice-basis}
\end{figure}
A (full-rank) lattice~$\Lambda$ is defined as the set of all integer linear combinations of some linearly independent basis vectors~$(\mathbf{b}_i)_{i\leq n}$ belonging to some~$\RR^n$.
We can notice that this basis is not unique, as illustrated in Figure~\ref{fig:lattice-basis}.
In the following, we work with $q$-ary lattices, for some prime $q$.
A (full-rank) lattice~$L$ is defined as the set of all integer linear
combinations of some linearly independent basis
vectors~$(\mathbf{b}_i)_{i\leq n}$ belonging to some~$\RR^n$. We work with $q$-ary lattices, for some prime $q$.
\begin{definition} \label{de:qary-lattices} \begin{definition} \label{de:qary-lattices}
Let~$m \geq n \geq 1$, a prime~$q \geq 2$, $\mathbf{A} \in \ZZ_q^{n \times m}$ and $\mathbf{u} \in \ZZ_q^n$, define Let~$m \geq n \geq 1$, a prime~$q \geq 2$, $\mathbf{A} \in \ZZ_q^{n \times m}$ and $\mathbf{u} \in \ZZ_q^n$, define
$\Lambda_q(\mathbf{A}) := \{ \mathbf{e} \in \ZZ^m \mid \exists \mathbf{s} \in \ZZ_q^n ~\text{ s.t. }~\mathbf{A}^T \cdot \mathbf{s} = \mathbf{e} \bmod q \}$ as well as
\begin{align*} \begin{align*}
\Lambda_q^{\perp} (\mathbf{A}) &:= \{\mathbf{e} \in \ZZ^m \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{0}^n \bmod q \},& \Lambda_q(\mathbf{A}) &\triangleq \{ \mathbf{e} \in \ZZ^m \mid \exists \mathbf{s} \in \ZZ_q^n ~\text{ s.t. }~\mathbf{A}^T \cdot \mathbf{s} = \mathbf{e} \bmod q \} \text{ as well as}\\
\Lambda_q^{\mathbf{u}} (\mathbf{A}) &:= \{\mathbf{e} \in \ZZ^m \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{u} \bmod q \} \Lambda_q^{\perp} (\mathbf{A}) &\triangleq \{\mathbf{e} \in \ZZ^m \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{0}^n \bmod q \} \text{, and}\\
\Lambda_q^{\mathbf{u}} (\mathbf{A}) &\triangleq \{\mathbf{e} \in \ZZ^m \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{u} \bmod q \}.
\end{align*} \end{align*}
For any $\mathbf{t} \in \Lambda_q^{\mathbf{u}} (\mathbf{A})$, $\Lambda_q^{\mathbf{u}}(\mathbf{A})=\Lambda_q^{\perp}(\mathbf{A}) + \mathbf{t}$ so that $\Lambda_q^{\mathbf{u}} (\mathbf{A}) $
For any lattice point $\mathbf{t} \in \Lambda_q^{\mathbf{u}} (\mathbf{A})$, it holds that $\Lambda_q^{\mathbf{u}}(\mathbf{A})=\Lambda_q^{\perp}(\mathbf{A}) + \mathbf{t}$. Meaning that $\Lambda_q^{\mathbf{u}} (\mathbf{A}) $
is a shift of $\Lambda_q^{\perp} (\mathbf{A})$. is a shift of $\Lambda_q^{\perp} (\mathbf{A})$.
\end{definition} \end{definition}
\noindent For a lattice~$\Lambda$, a vector $\mathbf{c} \in \RR^n$ and a real~$\sigma>0$, define the distribution function
\noindent For a lattice~$L$, a vector $\mathbf{c} \in \RR^n$ and a real~$\sigma>0$, define the function $\rho_{\sigma,\mathbf{c}}(\mathbf{x}) \triangleq \exp(-\pi\|\mathbf{x}- \mathbf{c} \|^2/\sigma^2)$.
$\rho_{\sigma,\mathbf{c}}(\mathbf{x}) = \exp(-\pi\|\mathbf{x}- \mathbf{c} \|^2/\sigma^2)$.
The discrete Gaussian distribution of support~$L$, parameter~$\sigma$ and center $\mathbf{c}$ is defined as The discrete Gaussian distribution of support~$L$, parameter~$\sigma$ and center $\mathbf{c}$ is defined as
$D_{L,\sigma,\mathbf{c}}(\mathbf{y}) = \rho_{\sigma,\mathbf{c}}(\mathbf{y})/\rho_{\sigma,\mathbf{c}}(L)$ for any $\mathbf{y} \in L$. $D_{L,\sigma,\mathbf{c}}(\mathbf{y}) = \rho_{\sigma,\mathbf{c}}(\mathbf{y})/\rho_{\sigma,\mathbf{c}}(L)$ for any $\mathbf{y} \in L$.
We denote by $D_{L,\sigma }(\mathbf{y}) $ the distribution centered in $\mathbf{c}=\mathbf{0}$. We denote by $D_{L,\sigma }(\mathbf{y}) $ the distribution centered in $\mathbf{c}=\mathbf{0}$.
We will extensively use the fact that samples
from~$D_{L,\sigma}$ are short with overwhelming probability.
\begin{lemma}[{\cite[Le.~1.5]{Bana93}}] In order to work with lattices in cryptography, it is useful to define hard lattice problems. In the following we define the shortest Independent Vectors Problem ($\SIVP$). This problem reduces to the Learning With Errors ($\LWE$) problems and the Short Integer Solution ($\SIS$) problem as explained later. These links are important because those are ``wost-case to average-case'' reductions. In other words, the $\SIVP$ assumption by itself is not very handy to manipulate in order to build new cryptographic designs, while the $\LWE$ and $\SIS$ assumptions are ``average-case'' assumptions, are are more suitable to design cryptographic schemes.
\label{le:small}
For any lattice~$L \subseteq In order to define the $\SIVP$ problem and assumption, let us first define the successive minima of a lattice, a generalization of the minimum of a lattice (the length of a shortest non-zero vector in a lattice).
\RR^n$ and positive real number~$\sigma>0$,
we have $\Pr_{\mathbf{b} \sample D_{L,\sigma}} [\|\mathbf{b}\| \begin{definition}[Successive minima] \label{de:lattice-lambda}
\leq \sqrt{n} \sigma] \geq 1-2^{-\Omega(n)}.$ For a lattice $\Lambda$ of dimension $n$, let us define for $i \in \{1,\ldots,n\}$ the $i$-th successive minimum as
\end{lemma} \[ \lambda_i(\Lambda) = \inf \bigl\{ r \mid \dim \left( \Span\left(\lambda \cap \mathcal B\left(\mathbf 0, r \right) \right) \right) \geq i \bigr\}, \]
where $\mathcal B(\mathbf c, r)$ denotes the ball of radius $r$ centered in $\mathbf c$.
\end{definition}
Which lead us to the $\SIVP$ problem, which is finding a set of sufficiently short linearly independent vectors given a lattice basis.
\begin{definition}[$\SIVP$] \label{de:sivp}
For a dimension $n$ lattice described by a basis $\mathbf B \in \RR^{n \times m}$, and a parameter $\gamma > 0$, the shortest independent vectors problem is to find $n$ linearly independent vectors $v_1, \ldots, v_n$ such that $\| v_1 \| \leq \| v_2 \| \leq \ldots \leq \| v_n \|$ and $\|v_n\| \leq \gamma \cdot \lambda_n(\mathbf B)$.
\end{definition}
As explained before, we will rely on the assumption that both algorithmic problems below are hard. Meaning that no (probabilistic) polynomial time algorithms can solve them with non-negligible probability and non-negligible advantage, respectively.
\begin{definition}[The SIS problem]
Let~$m,q,\beta$ be functions of~$n \in \mathbb{N}$. The Short Integer
Solution problem $\SIS_{n,m,q,\beta}$ is, given~$\mathbf{A} \sample
U(\Zq^{n \times m})$, find~$\mathbf{x} \in \Lambda_q^{\perp}(\mathbf{A})$
with~$0 < \|\mathbf{x}\| \leq \beta$.
\end{definition}
If~$q \geq \sqrt{n} \beta$ and~$m,\beta \leq \mathsf{poly}(n)$, then $\SIS_{n,m,q,\beta}$ is at least as hard as
standard worst-case lattice problem $\mathsf{SIVP}_\gamma$ with~$\gamma = \softO(\beta\sqrt{n})$
(see, e.g., \cite[Se.~9]{GPV08}).
\begin{definition}[The LWE problem]
Let $n,m \geq 1$, $q \geq 2$, and let $\chi$ be a probability distribution on~$\mathbb{Z}$. For $\mathbf{s} \in \mathbb{Z}_q^n$, let $A_{\mathbf{s}, \chi}$ be the distribution obtained by sampling $\mathbf{a} \hookleftarrow U(\mathbb{Z}_q^n)$ and $e \hookleftarrow \chi$, and outputting $(\mathbf{a}, \mathbf{a}^T\cdot\mathbf{s} + e) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$. The Learning With Errors problem $\mathsf{LWE}_{n,q,\chi}$ asks to distinguish~$m$ samples chosen according to $\mathcal{A}_{\mathbf{s},\chi}$ (for $\mathbf{s} \hookleftarrow U(\mathbb{Z}_q^n)$) and $m$ samples chosen according to $U(\mathbb{Z}_q^n \times \mathbb{Z}_q)$.
\end{definition}
If $q$ is a prime power, $B \geq \sqrt{n}\omega(\log n)$, $\gamma= \widetilde{\mathcal{O}}(nq/B)$, then there exists an efficient sampleable $B$-bounded distribution~$\chi$ ({i.e.}, $\chi$ outputs samples with norm at most $B$ with overwhelming probability) such that $\mathsf{LWE}_{n,q,\chi}$ is as least as hard as $\mathsf{SIVP}_{\gamma}$ (see, e.g., \cite{Reg05,Pei09,BLP+13}).
% (see~\cite{Pei09,BLPRS13} for classical analogues).
\subsection{Lattice Trapdoors} \subsection{Lattice Trapdoors}
@ -41,9 +98,9 @@ For any lattice~$L \subseteq
distributions with lattice support can be sampled efficiently distributions with lattice support can be sampled efficiently
given a sufficiently short basis of the lattice. given a sufficiently short basis of the lattice.
\begin{lemma}[{\cite[Le.~2.3]{BLPRS13}}] \begin{lemma}[{\cite[Le.~2.3]{BLP+13}}]
\label{le:GPV} \label{le:GPV}
There exists a $\PPT$ (probabilistic polynomial-time) algorithm $\textsf{GPVSample}$ that takes as inputs a There exists a $\PPT$ (probabilistic polynomial-time) algorithm $\GPVSample$ that takes as inputs a
basis~$\mathbf{B}$ of a lattice~$L \subseteq \ZZ^n$ and a basis~$\mathbf{B}$ of a lattice~$L \subseteq \ZZ^n$ and a
rational~$\sigma \geq \|\widetilde{\mathbf{B}}\| \cdot \Omega(\sqrt{\log n})$, rational~$\sigma \geq \|\widetilde{\mathbf{B}}\| \cdot \Omega(\sqrt{\log n})$,
and outputs vectors~$\mathbf{b} \in L$ with distribution~$D_{L,\sigma}$. and outputs vectors~$\mathbf{b} \in L$ with distribution~$D_{L,\sigma}$.
@ -53,7 +110,7 @@ and outputs vectors~$\mathbf{b} \in L$ with distribution~$D_{L,\sigma}$.
%use an algorithm that jointly samples a uniform~$\mathbf{A}$ and a short %use an algorithm that jointly samples a uniform~$\mathbf{A}$ and a short
%basis of~$\Lambda_q^{\perp}(\mathbf{A})$. %basis of~$\Lambda_q^{\perp}(\mathbf{A})$.
\begin{lemma}[{\cite[Th.~3.2]{AlPe09}}] \begin{lemma}[{\cite[Th.~3.2]{AP09}}]
\label{le:TrapGen} \label{le:TrapGen}
There exists a $\PPT$ algorithm $\TrapGen$ that takes as inputs $1^n$, There exists a $\PPT$ algorithm $\TrapGen$ that takes as inputs $1^n$,
$1^m$ and an integer~$q \geq 2$ with~$m \geq \Omega(n \log q)$, and $1^m$ and an integer~$q \geq 2$ with~$m \geq \Omega(n \log q)$, and
@ -64,13 +121,14 @@ to~$U(\ZZ_q^{n \times m})$, and~$\|\widetilde{\mathbf{T}_{\mathbf{A}}}\| \leq
\bigO(\sqrt{n \log q})$. \bigO(\sqrt{n \log q})$.
\end{lemma} \end{lemma}
\noindent Lemma~\ref{le:TrapGen} is often combined with the sampler from Lemma~\ref{le:GPV}. Micciancio and Peikert~\cite{MiPe12} recently proposed a more efficient \noindent Lemma~\ref{le:TrapGen} is often combined with the sampler from Lemma~\ref{le:GPV}. Micciancio and Peikert~\cite{MP12} proposed a more efficient
approach for this combined task, which should be preferred in practice but, for the sake of simplicity, we present our schemes using~$\TrapGen$. approach for this combined task, which should be preferred in practice but, for the sake of simplicity,
schemes are presented using~$\TrapGen$ in this thesis.
We also make use of an algorithm that extends a trapdoor for~$\mathbf{A} \in \ZZ_q^{n \times m}$ to a trapdoor of any~$\mathbf{B} \in \ZZ_q^{n \times m'}$ whose left~$n \times m$ We also make use of an algorithm that extends a trapdoor for~$\mathbf{A} \in \ZZ_q^{n \times m}$ to a trapdoor of any~$\mathbf{B} \in \ZZ_q^{n \times m'}$ whose left~$n \times m$
submatrix is~$\mathbf{A}$. submatrix is~$\mathbf{A}$.
\begin{lemma}[{\cite[Le.~3.2]{CaHoKiPe10}}]\label{lem:extbasis} \begin{lemma}[{\cite[Le.~3.2]{CHKP10}}]\label{lem:extbasis}
There exists a $\PPT$ algorithm $\ExtBasis$ that takes as inputs a There exists a $\PPT$ algorithm $\ExtBasis$ that takes as inputs a
matrix~$\mathbf{B} \in \ZZ_q^{n \times m' }$ whose first~$m$ columns matrix~$\mathbf{B} \in \ZZ_q^{n \times m' }$ whose first~$m$ columns
span~$\ZZ_q^n$, and a basis~$\mathbf{T}_{\mathbf{A}}$ span~$\ZZ_q^n$, and a basis~$\mathbf{T}_{\mathbf{A}}$
@ -80,11 +138,10 @@ submatrix is~$\mathbf{A}$.
\leq \|\widetilde{\mathbf{T}_{\mathbf{A}}}\|$. \leq \|\widetilde{\mathbf{T}_{\mathbf{A}}}\|$.
\end{lemma} \end{lemma}
\noindent In our security proofs, analogously to \cite{Boy10,BHJKS15} we also use a technique due to Agrawal, Boneh and Boyen~\cite{ABB1} that implements \noindent In our security proofs, analogously to \cite{Boy10,BHJ+15} we also use a technique due to Agrawal, Boneh and Boyen~\cite{ABB10} that implements
an all-but-one trapdoor mechanism (akin to the one of Boneh and Boyen \cite{BB04}) in the lattice setting. an all-but-one trapdoor mechanism (akin to the one of Boneh and Boyen \cite{BB04}) in the lattice setting.
%In other words we need the following algorithm:
\begin{lemma}[{\cite[Th.~19]{ABB1}}]\label{lem:sampler} \begin{lemma}[{\cite[Th.~19]{ABB10}}]\label{lem:sampler}
There exists a $\PPT$ algorithm $\SampleR$ that takes as inputs matrices $\mathbf A, \mathbf C \in \ZZ_q^{n \times m}$, a low-norm matrix $\mathbf R \in \ZZ^{m \times m}$, There exists a $\PPT$ algorithm $\SampleR$ that takes as inputs matrices $\mathbf A, \mathbf C \in \ZZ_q^{n \times m}$, a low-norm matrix $\mathbf R \in \ZZ^{m \times m}$,
a short basis $\mathbf{T_C} \in \ZZ^{m \times m}$ of $\Lambda_q^{\perp}(\mathbf{C})$, a vector $\mathbf u \in \ZZ_q^{n}$ and a rational $\sigma$ such that $\sigma \geq \| a short basis $\mathbf{T_C} \in \ZZ^{m \times m}$ of $\Lambda_q^{\perp}(\mathbf{C})$, a vector $\mathbf u \in \ZZ_q^{n}$ and a rational $\sigma$ such that $\sigma \geq \|
\widetilde{\mathbf{T_C}}\| \cdot \Omega(\sqrt{\log n})$, and outputs a short vector $\mathbf{b} \in \ZZ^{2m}$ such that $\left[ \begin{array}{c|c} \mathbf A ~ &~ \mathbf A \widetilde{\mathbf{T_C}}\| \cdot \Omega(\sqrt{\log n})$, and outputs a short vector $\mathbf{b} \in \ZZ^{2m}$ such that $\left[ \begin{array}{c|c} \mathbf A ~ &~ \mathbf A

15
sec-pairings.tex Normal file
View File

@ -0,0 +1,15 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% \section{Pairing-Based Cryptography} %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\subsection{Bilinear maps}
\begin{definition}[Pairings~\cite{BSS05}] \label{de:pairings}
A pairing is a map $e: \GG \times \Gh \to \GT$ over cyclic groups of order $p$ that verifies the following properties for any $g \in \GG, \hat{g} \in \Gh$:
\begin{enumerate}[\quad (i)]
\item bilinearity: for any $a, b \in \Zp$, we have $e(g^a, \hat{g}^b) = e(g^b, \hat{g}^a) = e(g, \hat{g})^{ab}$.
\item non-degeneracy: $e(g,\hat{g}) = 1_{\GT} \iff g = 1_{\GG}$ or $\hat{g} = 1_{\Gh}$.
\item the map is computable in polynomial time in the size of the input.
\end{enumerate}
\end{definition}
In practice, pairings are computed over