From b419c65bf1b524c0b1ecdde9228c5b4af62e112d Mon Sep 17 00:00:00 2001 From: Fabrice Mouhartem Date: Fri, 16 Mar 2018 14:08:04 +0100 Subject: [PATCH] Intro Lattice Trapdoors --- sec-lattices.tex | 30 ++++++++++++------------------ 1 file changed, 12 insertions(+), 18 deletions(-) diff --git a/sec-lattices.tex b/sec-lattices.tex index e280bdc..02f159c 100644 --- a/sec-lattices.tex +++ b/sec-lattices.tex @@ -47,12 +47,12 @@ In the following, we work with $q$-ary lattices, for some prime number $q$, defi We denote by $D_{\Lambda,\sigma}(\mathbf{y}) $ the distribution centered in $\mathbf{c}=\mathbf{0}$. \end{definition} -In order to work with lattices in cryptography, hard lattice problems have to be defined. In the following we state the shortest Independent Vectors Problem~($\SIVP$). -This problem reduces to the Learning With Errors ($\LWE$) problems and the Short Integer Solution~($\SIS$) problem as explained later. +In order to work with lattices in cryptography, hard lattice problems have to be defined. In the following we state the \textit{Shortest Independent Vectors Problem}~($\SIVP$). +This problem reduces to the \textit{Learning With Errors}~($\LWE$) problems and the Short Integer Solution~($\SIS$) problem as explained later. These links are important as those are ``worst-case to average-case'' reductions. In other words, the $\SIVP$ assumption by itself is not very handy to manipulate in order to build new cryptographic designs. -On the other hand, the $\LWE$ and $\SIS$ assumptions ---\,which are ``average-case'' assumptions\,--- are more suitable for designing cryptographic schemes. +On the other hand, the $\LWE$ and $\SIS$ assumptions ---\,which are ``average-case'' assumptions\,--- are more suitable to design cryptographic schemes. In order to define the $\SIVP$ problem and assumption, let us first define the successive minima of a lattice, a generalization of the minimum of a lattice (the length of a shortest non-zero vector in a lattice). 
@@ -82,7 +82,9 @@ standard worst-case lattice problem $\mathsf{SIVP}_\gamma$ with~$\gamma = \softO (see, e.g., \cite[Se.~9]{GPV08}). \begin{definition}[The $\LWE$ problem] \label{de:lwe} \index{Lattices!Learning With Errors} -Let $n,m \geq 1$, $q \geq 2$, and let $\chi$ be a probability distribution on~$\mathbb{Z}$. For $\mathbf{s} \in \mathbb{Z}_q^n$, let $A_{\mathbf{s}, \chi}$ be the distribution obtained by sampling $\mathbf{a} \hookleftarrow U(\mathbb{Z}_q^n)$ and $e \hookleftarrow \chi$, and outputting $(\mathbf{a}, \mathbf{a}^T\cdot\mathbf{s} + e) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$. The Learning With Errors problem $\mathsf{LWE}_{n,q,\chi}$ asks to distinguish~$m$ samples chosen according to $\mathcal{A}_{\mathbf{s},\chi}$ (for $\mathbf{s} \hookleftarrow U(\mathbb{Z}_q^n)$) and $m$ samples chosen according to $U(\mathbb{Z}_q^n \times \mathbb{Z}_q)$. +Let $n,m \geq 1$, $q \geq 2$, and let $\chi$ be a probability distribution on~$\mathbb{Z}$. +For $\mathbf{s} \in \mathbb{Z}_q^n$, let $A_{\mathbf{s}, \chi}$ be the distribution obtained by sampling $\mathbf{a} \hookleftarrow U(\mathbb{Z}_q^n)$ and $e \hookleftarrow \chi$, and outputting $(\mathbf{a}, \mathbf{a}^T\cdot\mathbf{s} + e) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$. +The Learning With Errors problem $\mathsf{LWE}_{n,q,\chi}$ asks to distinguish~$m$ samples chosen according to $\mathcal{A}_{\mathbf{s},\chi}$ (for $\mathbf{s} \hookleftarrow U(\mathbb{Z}_q^n)$) and $m$ samples chosen according to $U(\mathbb{Z}_q^n \times \mathbb{Z}_q)$. \end{definition} If $q$ is a prime power, $B \geq \sqrt{n}\omega(\log n)$, $\gamma= \widetilde{\mathcal{O}}(nq/B)$, then there exists an efficient sampleable $B$-bounded distribution~$\chi$ ({i.e.}, $\chi$ outputs samples with norm at most $B$ with overwhelming probability) such that $\mathsf{LWE}_{n,q,\chi}$ is as least as hard as $\mathsf{SIVP}_{\gamma}$ (see, e.g., \cite{Reg05,Pei09,BLP+13}). 
@@ -91,9 +93,9 @@ If $q$ is a prime power, $B \geq \sqrt{n}\omega(\log n)$, $\gamma= \widetilde{\m \subsection{Lattice Trapdoors} -\noindent As shown by Gentry {\em et al.}~\cite{GPV08}, Gaussian -distributions with lattice support can be sampled efficiently -given a sufficiently short basis of the lattice. +As shown by Gentry {\em et al.}~\cite{GPV08}, Gaussian distributions with lattice support can be sampled efficiently given a sufficiently short basis of the lattice. + +We saw in the previous section that vectors sampled from a Gaussian distribution have bounded norm with overwhelming probability. \begin{lemma}[{\cite[Le.~2.3]{BLP+13}}] \label{le:GPV} 
@@ -109,18 +111,10 @@ and outputs vectors~$\mathbf{b} \in L$ with distribution~$D_{L,\sigma}$. \begin{lemma}[{\cite[Th.~3.2]{AP09}}] \label{le:TrapGen} -There exists a $\ppt$ algorithm $\TrapGen$ that takes as inputs $1^n$, -$1^m$ and an integer~$q \geq 2$ with~$m \geq \Omega(n \log q)$, and -outputs a matrix~$\mathbf{A} \in \ZZ_q^{n \times m}$ and a -basis~$\mathbf{T}_{\mathbf{A}}$ of~$\Lambda_q^{\perp}(\mathbf{A})$ such -that~$\mathbf{A}$ is within statistical distance~$2^{-\Omega(n)}$ -to~$U(\ZZ_q^{n \times m})$, and~$\|\widetilde{\mathbf{T}_{\mathbf{A}}}\| \leq -\bigO(\sqrt{n \log q})$. +There exists a $\ppt$ algorithm $\TrapGen$ that takes as inputs $1^n$, $1^m$ and an integer~$q \geq 2$ with~$m \geq \Omega(n \log q)$, and outputs a matrix~$\mathbf{A} \in \ZZ_q^{n \times m}$ and a basis~$\mathbf{T}_{\mathbf{A}}$ of~$\Lambda_q^{\perp}(\mathbf{A})$ such that~$\mathbf{A}$ is within statistical distance~$2^{-\Omega(n)}$ to~$U(\ZZ_q^{n \times m})$, and~$\|\widetilde{\mathbf{T}_{\mathbf{A}}}\| \leq \bigO(\sqrt{n \log q})$. \end{lemma} -\noindent Lemma~\ref{le:TrapGen} is often combined with the sampler from Lemma~\ref{le:GPV}. Micciancio and Peikert~\cite{MP12} proposed a more efficient -approach for this combined task, which is to be be preferred in practice but, for the sake of simplicity, -schemes are presented using~$\TrapGen$ in this thesis. +\noindent Lemma~\ref{le:TrapGen} is often combined with the sampler from Lemma~\ref{le:GPV}. Micciancio and Peikert~\cite{MP12} proposed a more efficient approach for this combined task, which is to be be preferred in practice but, for the sake of simplicity, schemes are presented using~$\TrapGen$ in this thesis. We also make use of an algorithm that extends a trapdoor for~$\mathbf{A} \in \ZZ_q^{n \times m}$ to a trapdoor of any~$\mathbf{B} \in \ZZ_q^{n \times m'}$ whose left~$n \times m$ submatrix is~$\mathbf{A}$. 
@@ -130,7 +124,7 @@ submatrix is~$\mathbf{A}$. matrix~$\mathbf{B} \in \ZZ_q^{n \times m' }$ whose first~$m$ columns span~$\ZZ_q^n$, and a basis~$\mathbf{T}_{\mathbf{A}}$ of~$\Lambda_q^{\perp}(\mathbf{A})$ where~$\mathbf{A}$ is the left~$n \times - m$ submatrix of~$\mathbf{B}$, and outputs a basis~$\mathbf{T}_{\mathbf{B}}$ + m$ submatrix of~~$\mathbf{B}$, and outputs a basis~$\mathbf{T}_{\mathbf{B}}$ of~$\Lambda_q^{\perp}(\mathbf{B})$ with~$\|\widetilde{\mathbf{T}_{\mathbf{B}}}\| \leq \|\widetilde{\mathbf{T}_{\mathbf{A}}}\|$. \end{lemma}
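Review bot: in the first hunk (@@ -47,12) the \textit{} emphasis is applied inconsistently: \textit{Shortest Independent Vectors Problem} and \textit{Learning With Errors} get it, but "Short Integer Solution" on the same line does not, and "$\LWE$ problems" stays plural while the other two problems are singular. Suggest `the \textit{Learning With Errors}~($\LWE$) problem and the \textit{Short Integer Solution}~($\SIS$) problem`. The last changed line of that hunk also replaces the idiomatic "more suitable for designing cryptographic schemes" with "more suitable to design cryptographic schemes", which reads worse; keep the original wording there.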
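Review bot: the reflowed LWE definition (@@ -82,7) keeps two different symbols for the same distribution: it is introduced as $A_{\mathbf{s}, \chi}$ on the second added line and then referred to as $\mathcal{A}_{\mathbf{s},\chi}$ on the third. Since these lines are being rewritten anyway, pick one form (the calligraphic one used in the problem statement) so the definition and the problem statement agree. The unchanged context line right below, "is as least as hard as $\mathsf{SIVP}_{\gamma}$", should read "at least"; that is outside this commit's changes but worth a follow-up.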
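Review bot: the new sentence in @@ -91,9, "We saw in the previous section that vectors sampled from a Gaussian distribution have bounded norm with overwhelming probability", stands as its own paragraph between the GPV remark and Lemma~\ref{le:GPV} without saying why it matters here, so the reader has to guess the link. Suggest folding it into the preceding paragraph and stating the point, e.g. "...given a sufficiently short basis of the lattice. Since such vectors have bounded norm with overwhelming probability (see the previous section), the short basis acts as a trapdoor: it lets its holder produce short lattice vectors from the Gaussian distribution." Also replace "the previous section" with a \ref{} to that section's label so the cross-reference survives reordering, and note that this hunk drops the \noindent while the paragraph after Lemma~\ref{le:TrapGen} keeps it; pick one convention.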
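Review bot: the reflowed paragraph after Lemma~\ref{le:TrapGen} (@@ -109,18) still carries the doubled word in "which is to be be preferred in practice"; as the line is rewritten in this commit, fix it to "which is to be preferred in practice". The reflow of the lemma statement itself is a pure whitespace change and looks fine.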
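Review bot: the only change in the last hunk (@@ -130,7) turns "submatrix of~$\mathbf{B}$" into "submatrix of~~$\mathbf{B}$"; the doubled tie yields two non-breaking spaces before $\mathbf{B}$ in the typeset output and is presumably accidental. Revert to a single "~".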