diff --git a/sec-lattices.tex b/sec-lattices.tex index f3bbdc3..ac6dca5 100644 --- a/sec-lattices.tex +++ b/sec-lattices.tex @@ -55,7 +55,7 @@ $\Pr_{\mathbf{b} \sample D_{\Lambda,\sigma}} \left[ \|\mathbf{b}\| \leq \sigma \ \end{lemma} In order to work with lattices in cryptography, hard lattice problems have to be defined. In the following we state the \textit{Shortest Independent Vectors Problem}~($\SIVP$). -This problem reduces to the \textit{Learning With Errors}~($\LWE$) problems and the Short Integer Solution~($\SIS$) problem as explained later. +This problem reduces to the \textit{Learning With Errors}~($\LWE$) problems and the Short Integer Solution~($\SIS$) problem as explained later in \cref{le:sis-hard} and~\ref{le:lwe-hard}. These links are important as those are ``worst-case to average-case'' reductions. In other words, the $\SIVP$ assumption by itself is not very handy to manipulate in order to construct new cryptographic designs. @@ -79,19 +79,24 @@ As explained before, the hardness of this assumption for worst-case lattices imp In other words, it means that no polynomial time algorithms can solve those problems with non-negligible probability and non-negligible advantage given that $\SIVP$ is hard. %As explained before, we will rely on the assumption that both algorithmic problems below are hard. Meaning that no (probabilistic) polynomial time algorithms can solve them with non-negligible probability and non-negligible advantage, respectively. -\begin{definition}[The $\SIS$ problem] \label{de:sis} \index{Lattices!Short Integer Solution} +\begin{definition}[The $\SIS$ and $\ISIS$ problem] \label{de:sis} \index{Lattices!Short Integer Solution} \index{Lattices!Inhomogeneous \SIS} Let~$m,q,\beta$ be functions of~$n \in \mathbb{N}$. - The Short Integer Solution problem $\SIS_{n,m,q,\beta}$ is, given~$\mathbf{A} \sample U(\Zq^{n \times m})$, find~$\mathbf{x} \in \Lambda_q^{\perp}(\mathbf{A})$ with~$0 < \|\mathbf{x}\| \leq \beta$. + The \textit{Short Integer Solution} problem $\SIS_{n,m,q,\beta}$ is, given~$\mathbf{A} \sample U(\Zq^{n \times m})$, find~$\mathbf{x} \in \Lambda_q^{\perp}(\mathbf{A})$ with~$0 < \|\mathbf{x}\| \leq \beta$. + + The \textit{Inhomogeneous Short Integer Solution}~$\ISIS_{n,m,q,\beta}$ problem is, given~$\mathbf{A} \sample U(\Zq^{n \times m})$ and $\mathbf u \in \Zq^n$, find~$\mathbf{x} \in \Lambda_q^{\mathbf u}(\mathbf A)$ with~$0 < \| \mathbf x \| \leq \beta$. \end{definition} -If~$q \geq \sqrt{n} \beta$ and~$m,\beta \leq \mathsf{poly}(n)$, then $\SIS_{n,m,q,\beta}$ is at least as hard as -standard worst-case lattice problem $\mathsf{SIVP}_\gamma$ with~$\gamma = \softO(\beta\sqrt{n})$ -(see, e.g., \cite[Se.~9]{GPV08}). +Evidences of the hardness of the $\SIS$ and $\ISIS$ assumptions are given by the following Lemma, which reduced these problems from $\SIVP$. + +\begin{lemma}[{\cite[Se.~9]{GPV08}}] \label{le:sis-hard} + If~$q \geq \sqrt{n} \beta$ and~$m,\beta \leq \mathsf{poly}(n)$, then $\SIS_{n,m,q,\beta}$ and $\ISIS_{n,m,q,\beta}$ problems are both at least as hard as + standard worst-case lattice problem $\mathsf{SIVP}_\gamma$ with~$\gamma = \softO(\beta\sqrt{n})$. +\end{lemma} \begin{definition}[The $\LWE$ problem] \label{de:lwe} \index{Lattices!Learning With Errors} -Let $n,m \geq 1$, $q \geq 2$, and let $\chi$ be a probability distribution on~$\mathbb{Z}$. -For $\mathbf{s} \in \mathbb{Z}_q^n$, let $A_{\mathbf{s}, \chi}$ be the distribution obtained by sampling $\mathbf{a} \hookleftarrow U(\mathbb{Z}_q^n)$ and $e \hookleftarrow \chi$, and outputting $(\mathbf{a}, \mathbf{a}^T\cdot\mathbf{s} + e) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$. -The Learning With Errors problem $\mathsf{LWE}_{n,q,\chi}$ asks to distinguish~$m$ samples chosen according to $\mathcal{A}_{\mathbf{s},\chi}$ (for $\mathbf{s} \hookleftarrow U(\mathbb{Z}_q^n)$) and $m$ samples chosen according to $U(\mathbb{Z}_q^n \times \mathbb{Z}_q)$. + Let $n,m \geq 1$, $q \geq 2$, and let $\chi$ be a probability distribution on~$\mathbb{Z}$. + For $\mathbf{s} \in \mathbb{Z}_q^n$, let $A_{\mathbf{s}, \chi}$ be the distribution obtained by sampling $\mathbf{a} \hookleftarrow U(\mathbb{Z}_q^n)$ and $e \hookleftarrow \chi$, and outputting $(\mathbf{a}, \mathbf{a}^T\cdot\mathbf{s} + e) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$. + The Learning With Errors problem $\mathsf{LWE}_{n,q,\chi}$ asks to distinguish~$m$ samples chosen according to $\mathcal{A}_{\mathbf{s},\chi}$ (for $\mathbf{s} \hookleftarrow U(\mathbb{Z}_q^n)$) and $m$ samples chosen according to $U(\mathbb{Z}_q^n \times \mathbb{Z}_q)$. \end{definition} \begin{figure} @@ -101,7 +106,11 @@ The Learning With Errors problem $\mathsf{LWE}_{n,q,\chi}$ asks to distinguish~$ \label{fig:lwe-sis} \end{figure} -If $q$ is a prime power, $B \geq \sqrt{n}\omega(\log n)$, $\gamma= \widetilde{\mathcal{O}}(nq/B)$, then there exists an efficient sampleable $B$-bounded distribution~$\chi$ ({i.e.}, $\chi$ outputs samples with norm at most $B$ with overwhelming probability) such that $\mathsf{LWE}_{n,q,\chi}$ is as least as hard as $\mathsf{SIVP}_{\gamma}$ (see, e.g., \cite{Reg05,Pei09,BLP+13}). +The worst-case to average-case reduction for $\LWE$ is stated by the following Lemma. + +\begin{lemma}[{\cite{Reg05,Pei09,BLP+13}}] \label{le:lwe-hard} + If $q$ is a prime power, $B \geq \sqrt{n}\omega(\log n)$, $\gamma= \widetilde{\mathcal{O}}(nq/B)$, then there exists an efficient sampleable $B$-bounded distribution~$\chi$ ({i.e.}, $\chi$ outputs samples with norm at most $B$ with overwhelming probability) such that $\mathsf{LWE}_{n,q,\chi}$ is as least as hard as $\mathsf{SIVP}_{\gamma}$. +\end{lemma} % (see~\cite{Pei09,BLPRS13} for classical analogues). %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%