Add French TOC and ZK part
@ -14,6 +14,7 @@ This gives us a good confidence in the lattice-based assumptions (given the \emp
\subsection{Lattices and Hard Lattice Problems}
\label{sse:lattice-problems}
\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Réseaux euclidiens et problèmes difficiles}
\begin{figure}
\centering
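Review bot: The `\addcontentsline{tof}{subsection}{...}` line added after `\label{sse:lattice-problems}` hand-copies the French title next to the English `\subsection`, and the same `\protect\numberline{\thesubsection}` boilerplate is repeated in the Lattice Trapdoors hunk, so the two tables of contents can drift apart silently. A small wrapper macro that takes the English and French titles together would keep them in one place; it is also worth confirming that the `tof` list is actually opened somewhere in the preamble, since nothing in this diff does so.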
@ -57,7 +58,7 @@ In order to work with lattices in cryptography, hard lattice problems have to be
This problem reduces to the \textit{Learning With Errors}~($\LWE$) problems and the Short Integer Solution~($\SIS$) problem as explained later.
These links are important as those are ``worst-case to average-case'' reductions.
In other words, the $\SIVP$ assumption by itself is not very handy to manipulate in order to build new cryptographic designs.
In other words, the $\SIVP$ assumption by itself is not very handy to manipulate in order to construct new cryptographic designs.
On the other hand, the $\LWE$ and $\SIS$ assumptions ---\,which are ``average-case'' assumptions\,--- are more suitable to design cryptographic schemes.
In order to define the $\SIVP$ problem and assumption, let us first define the successive minima of a lattice, a generalization of the minimum of a lattice (the length of a shortest non-zero vector in a lattice).
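Review bot: In the rewritten sentence, swapping `build` for `construct` leaves the weaker parts untouched: `In other words` does not restate the preceding line about worst-case to average-case reductions, and `not very handy to manipulate` is informal for this text. Consider something like `However, the $\SIVP$ assumption is not convenient to use directly when constructing new cryptographic designs.` The unchanged line above also writes `problems` in the plural after `($\LWE$)`, although it names a single problem there.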
@ -74,7 +75,7 @@ This leads us to the $\SIVP$ problem, which is finding a set of sufficiently sho
For a dimension $n$ lattice described by a basis $\mathbf B \in \RR^{n \times m}$, and a parameter $\gamma > 0$, the shortest independent vectors problem is to find $n$ linearly independent vectors $v_1, \ldots, v_n$ such that $\| v_1 \| \leq \| v_2 \| \leq \ldots \leq \| v_n \|$ and $\|v_n\| \leq \gamma \cdot \lambda_n(\mathbf B)$.
\end{definition}
As explained before, the hardness of this assumption for worst-case lattices implies the hardness of the following two assumptions in their average-case setting.
As explained before, the hardness of this assumption for worst-case lattices implies the hardness of the following two assumptions in their average-case setting, which are illustrated in Figure~\ref{fig:lwe-sis}.
In other words, it means that no polynomial time algorithms can solve those problems with non-negligible probability and non-negligible advantage given that $\SIVP$ is hard.
%As explained before, we will rely on the assumption that both algorithmic problems below are hard. Meaning that no (probabilistic) polynomial time algorithms can solve them with non-negligible probability and non-negligible advantage, respectively.
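Review bot: The added clause uses a hard-coded `Figure~\ref{fig:lwe-sis}` while the rest of the file relies on `\cref` (for example `\cref{le:GPV}`); `\cref{fig:lwe-sis}` would keep reference formatting consistent. The clause also says the figure illustrates the two assumptions, whereas the caption added in the next hunk says it illustrates the problems; pick one wording.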
@ -93,6 +94,13 @@ For $\mathbf{s} \in \mathbb{Z}_q^n$, let $A_{\mathbf{s}, \chi}$ be the distribut
The Learning With Errors problem $\mathsf{LWE}_{n,q,\chi}$ asks to distinguish~$m$ samples chosen according to $\mathcal{A}_{\mathbf{s},\chi}$ (for $\mathbf{s} \hookleftarrow U(\mathbb{Z}_q^n)$) and $m$ samples chosen according to $U(\mathbb{Z}_q^n \times \mathbb{Z}_q)$.
\end{definition}
\begin{figure}
\centering
\input fig-lwe-sis
\caption{Illustration of the LWE and SIS problems.}
\label{fig:lwe-sis}
\end{figure}
If $q$ is a prime power, $B \geq \sqrt{n}\omega(\log n)$, $\gamma= \widetilde{\mathcal{O}}(nq/B)$, then there exists an efficient sampleable $B$-bounded distribution~$\chi$ ({i.e.}, $\chi$ outputs samples with norm at most $B$ with overwhelming probability) such that $\mathsf{LWE}_{n,q,\chi}$ is as least as hard as $\mathsf{SIVP}_{\gamma}$ (see, e.g., \cite{Reg05,Pei09,BLP+13}).
% (see~\cite{Pei09,BLPRS13} for classical analogues).
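Review bot: The caption `Illustration of the LWE and SIS problems.` spells the problem names in plain text while the surrounding body uses the `$\LWE$` and `$\SIS$` macros; using the macros in the caption keeps the typography consistent. `\input fig-lwe-sis` works, but the braced form `\input{fig-lwe-sis}` is the usual LaTeX spelling and delimits the file name explicitly. While here, the unchanged line below the figure has a typo: `as least as hard` should be `at least as hard`.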
@ -101,17 +109,18 @@ If $q$ is a prime power, $B \geq \sqrt{n}\omega(\log n)$, $\gamma= \widetilde{\m
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\subsection{Lattice Trapdoors}
\label{sse:lattice-trapdoors}
\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Trappes d'un réseau euclidien}
In this section, we state the different algorithms that use ``\textit{lattice trapdoors}''.
A trapdoor for lattice $\Lambda$ is a \textit{short} basis of this lattice.
The knowledge of such a basis allows to sample elements in $D_{\Lambda, \sigma}$ within some restrictions given in~\cref{le:GPV}.
The existence of this sampler permits to solve hard lattice problems such as $\SIS$, which is assumed to be intractable in polynomial time.
Indeed,~\cref{le:TrapGen} shows that it is possible to sample a (close to) uniform matrix $\mathbf{A} \in \ZZ_q^{n \times m}$ along with a short basis for $\Lambda^\perp_{q}(\mathbf{A})$.
Indeed,~\cref{le:TrapGen} shows that it is possible to sample a (statistically close to) uniform matrix $\mathbf{A} \in \ZZ_q^{n \times m}$ along with a short basis for $\Lambda^\perp_{q}(\mathbf{A})$.
Thus, a vector sampled in $D_{\Lambda^\perp_{q}(\mathbf{A}), \sigma}$, which is short with overwhelming probabilities according to~\cref{le:small}, is a solution to $\SIS_{n,m,q,\sigma \sqrt{n}}$.
Gentry {\em et al.}~\cite{GPV08} showed that Gaussian distributions with lattice support can be sampled efficiently given a sufficiently short basis of the lattice.
\scbf{Notation.} Given a matrix $\mathbf{A}$, let $\widetilde{\mathbf{A}}$ be the Gram-Schmidt orthogonalization of $\mathbf{A}$.
\scbf{Recall.} Given a matrix $\mathbf{A}$, $\widetilde{\mathbf{A}}$ denotes the Gram-Schmidt orthogonalization of $\mathbf{A}$.
\begin{lemma}[{\cite[Le.~2.3]{BLP+13}}]
\label{le:GPV}
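Review bot: Renaming `\scbf{Notation.}` to `\scbf{Recall.}` presumes that $\widetilde{\mathbf{A}}$ was already introduced earlier, which this diff does not show; a `\cref` to that earlier definition would help, otherwise the original definitional wording is the safer one. In the unchanged sentence that cites `\cref{le:small}`, the bound `\sigma \sqrt{n}` deserves a check against that lemma, since $\mathbf{A} \in \ZZ_q^{n \times m}$ means the sampled vectors have $m$ coordinates. In the same sentence, `overwhelming probabilities` should be singular.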