Intro Lattice Trapdoors
This commit is contained in:
parent
021b6f1d6a
commit
b419c65bf1
|
|
@ -47,12 +47,12 @@ In the following, we work with $q$-ary lattices, for some prime number $q$, defi
|
|||
We denote by $D_{\Lambda,\sigma}(\mathbf{y}) $ the distribution centered in $\mathbf{c}=\mathbf{0}$.
|
||||
\end{definition}
|
||||
|
||||
In order to work with lattices in cryptography, hard lattice problems have to be defined. In the following we state the shortest Independent Vectors Problem~($\SIVP$).
|
||||
This problem reduces to the Learning With Errors ($\LWE$) problems and the Short Integer Solution~($\SIS$) problem as explained later.
|
||||
In order to work with lattices in cryptography, hard lattice problems have to be defined. In the following we state the \textit{Shortest Independent Vectors Problem}~($\SIVP$).
|
||||
This problem reduces to the \textit{Learning With Errors}~($\LWE$) problems and the Short Integer Solution~($\SIS$) problem as explained later.
|
||||
These links are important as those are ``worst-case to average-case'' reductions.
|
||||
|
||||
In other words, the $\SIVP$ assumption by itself is not very handy to manipulate in order to build new cryptographic designs.
|
||||
On the other hand, the $\LWE$ and $\SIS$ assumptions ---\,which are ``average-case'' assumptions\,--- are more suitable for designing cryptographic schemes.
|
||||
On the other hand, the $\LWE$ and $\SIS$ assumptions ---\,which are ``average-case'' assumptions\,--- are more suitable to design cryptographic schemes.
|
||||
|
||||
In order to define the $\SIVP$ problem and assumption, let us first define the successive minima of a lattice, a generalization of the minimum of a lattice (the length of a shortest non-zero vector in a lattice).
|
||||
|
||||
|
|
@ -82,7 +82,9 @@ standard worst-case lattice problem $\mathsf{SIVP}_\gamma$ with~$\gamma = \softO
|
|||
(see, e.g., \cite[Se.~9]{GPV08}).
|
||||
|
||||
\begin{definition}[The $\LWE$ problem] \label{de:lwe} \index{Lattices!Learning With Errors}
|
||||
Let $n,m \geq 1$, $q \geq 2$, and let $\chi$ be a probability distribution on~$\mathbb{Z}$. For $\mathbf{s} \in \mathbb{Z}_q^n$, let $A_{\mathbf{s}, \chi}$ be the distribution obtained by sampling $\mathbf{a} \hookleftarrow U(\mathbb{Z}_q^n)$ and $e \hookleftarrow \chi$, and outputting $(\mathbf{a}, \mathbf{a}^T\cdot\mathbf{s} + e) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$. The Learning With Errors problem $\mathsf{LWE}_{n,q,\chi}$ asks to distinguish~$m$ samples chosen according to $\mathcal{A}_{\mathbf{s},\chi}$ (for $\mathbf{s} \hookleftarrow U(\mathbb{Z}_q^n)$) and $m$ samples chosen according to $U(\mathbb{Z}_q^n \times \mathbb{Z}_q)$.
|
||||
Let $n,m \geq 1$, $q \geq 2$, and let $\chi$ be a probability distribution on~$\mathbb{Z}$.
|
||||
For $\mathbf{s} \in \mathbb{Z}_q^n$, let $A_{\mathbf{s}, \chi}$ be the distribution obtained by sampling $\mathbf{a} \hookleftarrow U(\mathbb{Z}_q^n)$ and $e \hookleftarrow \chi$, and outputting $(\mathbf{a}, \mathbf{a}^T\cdot\mathbf{s} + e) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$.
|
||||
The Learning With Errors problem $\mathsf{LWE}_{n,q,\chi}$ asks to distinguish~$m$ samples chosen according to $\mathcal{A}_{\mathbf{s},\chi}$ (for $\mathbf{s} \hookleftarrow U(\mathbb{Z}_q^n)$) and $m$ samples chosen according to $U(\mathbb{Z}_q^n \times \mathbb{Z}_q)$.
|
||||
\end{definition}
|
||||
|
||||
If $q$ is a prime power, $B \geq \sqrt{n}\omega(\log n)$, $\gamma= \widetilde{\mathcal{O}}(nq/B)$, then there exists an efficient sampleable $B$-bounded distribution~$\chi$ ({i.e.}, $\chi$ outputs samples with norm at most $B$ with overwhelming probability) such that $\mathsf{LWE}_{n,q,\chi}$ is as least as hard as $\mathsf{SIVP}_{\gamma}$ (see, e.g., \cite{Reg05,Pei09,BLP+13}).
|
||||
|
|
@ -91,9 +93,9 @@ If $q$ is a prime power, $B \geq \sqrt{n}\omega(\log n)$, $\gamma= \widetilde{\m
|
|||
|
||||
\subsection{Lattice Trapdoors}
|
||||
|
||||
\noindent As shown by Gentry {\em et al.}~\cite{GPV08}, Gaussian
|
||||
distributions with lattice support can be sampled efficiently
|
||||
given a sufficiently short basis of the lattice.
|
||||
As shown by Gentry {\em et al.}~\cite{GPV08}, Gaussian distributions with lattice support can be sampled efficiently given a sufficiently short basis of the lattice.
|
||||
|
||||
We saw in the previous section that vectors sampled from a Gaussian distribution have bounded norm with overwhelming probability.
|
||||
|
||||
\begin{lemma}[{\cite[Le.~2.3]{BLP+13}}]
|
||||
\label{le:GPV}
|
||||
|
|
@ -109,18 +111,10 @@ and outputs vectors~$\mathbf{b} \in L$ with distribution~$D_{L,\sigma}$.
|
|||
|
||||
\begin{lemma}[{\cite[Th.~3.2]{AP09}}]
|
||||
\label{le:TrapGen}
|
||||
There exists a $\ppt$ algorithm $\TrapGen$ that takes as inputs $1^n$,
|
||||
$1^m$ and an integer~$q \geq 2$ with~$m \geq \Omega(n \log q)$, and
|
||||
outputs a matrix~$\mathbf{A} \in \ZZ_q^{n \times m}$ and a
|
||||
basis~$\mathbf{T}_{\mathbf{A}}$ of~$\Lambda_q^{\perp}(\mathbf{A})$ such
|
||||
that~$\mathbf{A}$ is within statistical distance~$2^{-\Omega(n)}$
|
||||
to~$U(\ZZ_q^{n \times m})$, and~$\|\widetilde{\mathbf{T}_{\mathbf{A}}}\| \leq
|
||||
\bigO(\sqrt{n \log q})$.
|
||||
There exists a $\ppt$ algorithm $\TrapGen$ that takes as inputs $1^n$, $1^m$ and an integer~$q \geq 2$ with~$m \geq \Omega(n \log q)$, and outputs a matrix~$\mathbf{A} \in \ZZ_q^{n \times m}$ and a basis~$\mathbf{T}_{\mathbf{A}}$ of~$\Lambda_q^{\perp}(\mathbf{A})$ such that~$\mathbf{A}$ is within statistical distance~$2^{-\Omega(n)}$ to~$U(\ZZ_q^{n \times m})$, and~$\|\widetilde{\mathbf{T}_{\mathbf{A}}}\| \leq \bigO(\sqrt{n \log q})$.
|
||||
\end{lemma}
|
||||
|
||||
\noindent Lemma~\ref{le:TrapGen} is often combined with the sampler from Lemma~\ref{le:GPV}. Micciancio and Peikert~\cite{MP12} proposed a more efficient
|
||||
approach for this combined task, which is to be be preferred in practice but, for the sake of simplicity,
|
||||
schemes are presented using~$\TrapGen$ in this thesis.
|
||||
\noindent Lemma~\ref{le:TrapGen} is often combined with the sampler from Lemma~\ref{le:GPV}. Micciancio and Peikert~\cite{MP12} proposed a more efficient approach for this combined task, which is to be be preferred in practice but, for the sake of simplicity, schemes are presented using~$\TrapGen$ in this thesis.
|
||||
|
||||
We also make use of an algorithm that extends a trapdoor for~$\mathbf{A} \in \ZZ_q^{n \times m}$ to a trapdoor of any~$\mathbf{B} \in \ZZ_q^{n \times m'}$ whose left~$n \times m$
|
||||
submatrix is~$\mathbf{A}$.
|
||||
|
|
@ -130,7 +124,7 @@ submatrix is~$\mathbf{A}$.
|
|||
matrix~$\mathbf{B} \in \ZZ_q^{n \times m' }$ whose first~$m$ columns
|
||||
span~$\ZZ_q^n$, and a basis~$\mathbf{T}_{\mathbf{A}}$
|
||||
of~$\Lambda_q^{\perp}(\mathbf{A})$ where~$\mathbf{A}$ is the left~$n \times
|
||||
m$ submatrix of~$\mathbf{B}$, and outputs a basis~$\mathbf{T}_{\mathbf{B}}$
|
||||
m$ submatrix of~~$\mathbf{B}$, and outputs a basis~$\mathbf{T}_{\mathbf{B}}$
|
||||
of~$\Lambda_q^{\perp}(\mathbf{B})$ with~$\|\widetilde{\mathbf{T}_{\mathbf{B}}}\|
|
||||
\leq \|\widetilde{\mathbf{T}_{\mathbf{A}}}\|$.
|
||||
\end{lemma}
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user