Updates

sec-lattices.tex

@@ -10,7 +10,7 @@ For instance, fully homomorphic encryption~\cite{Gen09,GSW13} is only known to b
 In the context of provable security, lattice assumptions benefit from a worst-case-to-average-case reduction~\cite{Reg05,GPV08,MP12,AFG14}.
 Concurrently, worst-case lattice problems have been extensively analyzed in the last decade~\cite{ADS15,ADRS15,HK17}, both classically and quantumly.
 
-This gives us a good confidence in lattice assumptions (given the \emph{caveats} of Chapter~\ref{ch:proofs}) such as Learning-with-Errors ($\LWE$) and Short Integer Solutions ($\SIS$) which are defined in Section~\ref{sse:lattice-problems}. The rest of this section will describe some useful tools that rely on \emph{lattice trapdoors}.
+This gives us a good confidence in lattice assumptions (given the \emph{caveats} of \cref{ch:proofs}) such as Learning-with-Errors ($\LWE$) and Short Integer Solutions ($\SIS$) which are defined in Section~\ref{sse:lattice-problems}. The rest of this section will describe some useful tools that rely on \emph{lattice trapdoors}.
 
 \subsection{Lattices and Hard Lattice Problems}
 \label{sse:lattice-problems}
@@ -134,6 +134,7 @@ Gentry {\em et al.}~\cite{GPV08} showed that Gaussian distributions with lattice
 \scbf{Recall.} Given a matrix $\mathbf{A}$, $\widetilde{\mathbf{A}}$ denotes the Gram-Schmidt orthogonalization of $\mathbf{A}$.
 
 \begin{lemma}[{\cite[Le.~2.3]{BLP+13}}]
+  \index{Lattice Trapdoors!\GPVSample}
 \label{le:GPV}
 There exists a $\ppt$ (probabilistic polynomial-time) algorithm $\GPVSample$ that inputs a
 basis~$\mathbf{B}$ of a lattice~$\Lambda \subseteq \ZZ^n$ and a
@@ -149,6 +150,8 @@ The following Lemma states that it is possible to efficiently compute a statisti
 
 \begin{lemma}[{\cite[Th.~3.2]{AP09}}]
 \label{le:TrapGen}
+  \index{Lattice Trapdoors!\TrapGen}
+\label{le:GPV}
 There exists a $\ppt$ algorithm $\TrapGen$ that takes as inputs $1^n$, $1^m$ and an integer~$q \geq 2$ with~$m \geq \Omega(n \log q)$, and outputs a matrix~$\mathbf{A} \in \ZZ_q^{n \times m}$ and a basis~$\mathbf{T}_{\mathbf{A}}$ of~$\Lambda_q^{\perp}(\mathbf{A})$ such that~$\mathbf{A}$ is within statistical distance~$2^{-\Omega(n)}$ to~$\U(\ZZ_q^{n \times m})$, and~$\|\widetilde{\mathbf{T}_{\mathbf{A}}}\| \leq \bigO(\sqrt{n \log q})$.
 \end{lemma}
 
@@ -157,6 +160,7 @@ There exists a $\ppt$ algorithm $\TrapGen$ that takes as inputs $1^n$, $1^m$ and
 We also make use of an algorithm that extends a trapdoor for~$\mathbf{A} \in \ZZ_q^{n \times m}$ to a trapdoor of any~$\mathbf{B} \in \ZZ_q^{n \times m'}$ for which a $m$-subset of its columns is $\mathbf{A}$. For the sake of simplicity we will consider the case where~$\mathbf{A}$ is the left~$n \times m$ submatrix of~$\mathbf{B}$.
 
 \begin{lemma}[{\cite[Le.~3.2]{CHKP10}}]\label{lem:extbasis}
+  \index{Lattice Trapdoors!\ExtBasis}
   There exists a $\ppt$ algorithm $\ExtBasis$ that takes as inputs a
   matrix~$\mathbf{B} \in \ZZ_q^{n \times m' }$ whose first~$m$ columns
   span~$\ZZ_q^n$, and a basis~$\mathbf{T}_{\mathbf{A}}$
@@ -169,6 +173,7 @@ We also make use of an algorithm that extends a trapdoor for~$\mathbf{A} \in \ZZ
 In some of our security proofs, analogously to \cite{Boy10,BHJ+15}, we also use a technique due to Agrawal, Boneh and Boyen~\cite{ABB10} that implements an all-but-one trapdoor mechanism (akin to the one of Boneh and Boyen \cite{BB04}) in the lattice setting.
 
 \begin{lemma}[{\cite[Th.~19]{ABB10}}]\label{lem:sampler}
+  \index{Lattice Trapdoors!\SampleR}
   There exists a $\ppt$ algorithm $\SampleR$ that takes as inputs matrices $\mathbf{A}, \mathbf{C} \in \ZZ_q^{n \times m}$, a low-norm matrix $\mathbf{R} \in \ZZ^{m \times m}$,
   a short basis $\mathbf{T_C} \in \ZZ^{m \times m}$ of $\Lambda_q^{\perp}(\mathbf{C})$, a vector $\mathbf{u} \in \ZZ_q^{n}$ and a rational $\sigma$ such that $\sigma \geq \|
   \widetilde{\mathbf{T_C}}\| \cdot \Omega(\sqrt{\log n})$, and outputs a short vector $\mathbf{b} \in \ZZ^{2m}$ such that $\left[ \begin{array}{c|c} \mathbf{A} ~ &~ \mathbf{A}