Index
This commit is contained in:
parent
664fa6ccd8
commit
d6adc217eb
|
|
@ -22,7 +22,7 @@ A (full-rank) lattice~$\Lambda$ is defined as the set of all integer linear comb
|
|||
We can notice that this basis is not unique, as illustrated in Figure~\ref{fig:lattice-basis}.
|
||||
In the following, we work with $q$-ary lattices, for some prime $q$.
|
||||
|
||||
\begin{definition} \label{de:qary-lattices}
|
||||
\begin{definition} \label{de:qary-lattices} \index{Lattices}
|
||||
Let~$m \geq n \geq 1$, a prime~$q \geq 2$, $\mathbf{A} \in \ZZ_q^{n \times m}$ and $\mathbf{u} \in \ZZ_q^n$, define
|
||||
\begin{align*}
|
||||
\Lambda_q(\mathbf{A}) & \triangleq \{ \mathbf{e} \in \ZZ^m \mid \exists \mathbf{s} \in \ZZ_q^n ~\text{ s.t. }~\mathbf{A}^T \cdot \mathbf{s} = \mathbf{e} \bmod q \} \text{ as well as}\\
|
||||
|
|
@ -58,7 +58,7 @@ Which lead us to the $\SIVP$ problem, which is finding a set of sufficiently sho
|
|||
|
||||
As explained before, we will rely on the assumption that both algorithmic problems below are hard. Meaning that no (probabilistic) polynomial time algorithms can solve them with non-negligible probability and non-negligible advantage, respectively.
|
||||
|
||||
\begin{definition}[The SIS problem]
|
||||
\begin{definition}[The SIS problem] \label{de:sis} \index{Lattices!Short Integer Solution}
|
||||
Let~$m,q,\beta$ be functions of~$n \in \mathbb{N}$. The Short Integer
|
||||
Solution problem $\SIS_{n,m,q,\beta}$ is, given~$\mathbf{A} \sample
|
||||
U(\Zq^{n \times m})$, find~$\mathbf{x} \in \Lambda_q^{\perp}(\mathbf{A})$
|
||||
|
|
@ -68,7 +68,8 @@ As explained before, we will rely on the assumption that both algorithmic proble
|
|||
If~$q \geq \sqrt{n} \beta$ and~$m,\beta \leq \mathsf{poly}(n)$, then $\SIS_{n,m,q,\beta}$ is at least as hard as
|
||||
standard worst-case lattice problem $\mathsf{SIVP}_\gamma$ with~$\gamma = \softO(\beta\sqrt{n})$
|
||||
(see, e.g., \cite[Se.~9]{GPV08}).
|
||||
\begin{definition}[The LWE problem]
|
||||
|
||||
\begin{definition}[The LWE problem] \label{de:lwe} \index{Lattices!Learning With Errors}
|
||||
Let $n,m \geq 1$, $q \geq 2$, and let $\chi$ be a probability distribution on~$\mathbb{Z}$. For $\mathbf{s} \in \mathbb{Z}_q^n$, let $A_{\mathbf{s}, \chi}$ be the distribution obtained by sampling $\mathbf{a} \hookleftarrow U(\mathbb{Z}_q^n)$ and $e \hookleftarrow \chi$, and outputting $(\mathbf{a}, \mathbf{a}^T\cdot\mathbf{s} + e) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$. The Learning With Errors problem $\mathsf{LWE}_{n,q,\chi}$ asks to distinguish~$m$ samples chosen according to $\mathcal{A}_{\mathbf{s},\chi}$ (for $\mathbf{s} \hookleftarrow U(\mathbb{Z}_q^n)$) and $m$ samples chosen according to $U(\mathbb{Z}_q^n \times \mathbb{Z}_q)$.
|
||||
\end{definition}
|
||||
|
||||
|
|
@ -84,7 +85,7 @@ given a sufficiently short basis of the lattice.
|
|||
|
||||
\begin{lemma}[{\cite[Le.~2.3]{BLP+13}}]
|
||||
\label{le:GPV}
|
||||
There exists a $\PPT$ (probabilistic polynomial-time) algorithm $\GPVSample$ that takes as inputs a
|
||||
There exists a $\ppt$ (probabilistic polynomial-time) algorithm $\GPVSample$ that takes as inputs a
|
||||
basis~$\mathbf{B}$ of a lattice~$\Lambda \subseteq \ZZ^n$ and a
|
||||
rational~$\sigma \geq \|\widetilde{\mathbf{B}}\| \cdot \Omega(\sqrt{\log n})$,
|
||||
and outputs vectors~$\mathbf{b} \in L$ with distribution~$D_{L,\sigma}$.
|
||||
|
|
@ -96,7 +97,7 @@ and outputs vectors~$\mathbf{b} \in L$ with distribution~$D_{L,\sigma}$.
|
|||
|
||||
\begin{lemma}[{\cite[Th.~3.2]{AP09}}]
|
||||
\label{le:TrapGen}
|
||||
There exists a $\PPT$ algorithm $\TrapGen$ that takes as inputs $1^n$,
|
||||
There exists a $\ppt$ algorithm $\TrapGen$ that takes as inputs $1^n$,
|
||||
$1^m$ and an integer~$q \geq 2$ with~$m \geq \Omega(n \log q)$, and
|
||||
outputs a matrix~$\mathbf{A} \in \ZZ_q^{n \times m}$ and a
|
||||
basis~$\mathbf{T}_{\mathbf{A}}$ of~$\Lambda_q^{\perp}(\mathbf{A})$ such
|
||||
|
|
@ -113,7 +114,7 @@ We also make use of an algorithm that extends a trapdoor for~$\mathbf{A} \in \ZZ
|
|||
submatrix is~$\mathbf{A}$.
|
||||
|
||||
\begin{lemma}[{\cite[Le.~3.2]{CHKP10}}]\label{lem:extbasis}
|
||||
There exists a $\PPT$ algorithm $\ExtBasis$ that takes as inputs a
|
||||
There exists a $\ppt$ algorithm $\ExtBasis$ that takes as inputs a
|
||||
matrix~$\mathbf{B} \in \ZZ_q^{n \times m' }$ whose first~$m$ columns
|
||||
span~$\ZZ_q^n$, and a basis~$\mathbf{T}_{\mathbf{A}}$
|
||||
of~$\Lambda_q^{\perp}(\mathbf{A})$ where~$\mathbf{A}$ is the left~$n \times
|
||||
|
|
@ -126,7 +127,7 @@ submatrix is~$\mathbf{A}$.
|
|||
an all-but-one trapdoor mechanism (akin to the one of Boneh and Boyen \cite{BB04}) in the lattice setting.
|
||||
|
||||
\begin{lemma}[{\cite[Th.~19]{ABB10}}]\label{lem:sampler}
|
||||
There exists a $\PPT$ algorithm $\SampleR$ that takes as inputs matrices $\mathbf A, \mathbf C \in \ZZ_q^{n \times m}$, a low-norm matrix $\mathbf R \in \ZZ^{m \times m}$,
|
||||
There exists a $\ppt$ algorithm $\SampleR$ that takes as inputs matrices $\mathbf A, \mathbf C \in \ZZ_q^{n \times m}$, a low-norm matrix $\mathbf R \in \ZZ^{m \times m}$,
|
||||
a short basis $\mathbf{T_C} \in \ZZ^{m \times m}$ of $\Lambda_q^{\perp}(\mathbf{C})$, a vector $\mathbf u \in \ZZ_q^{n}$ and a rational $\sigma$ such that $\sigma \geq \|
|
||||
\widetilde{\mathbf{T_C}}\| \cdot \Omega(\sqrt{\log n})$, and outputs a short vector $\mathbf{b} \in \ZZ^{2m}$ such that $\left[ \begin{array}{c|c} \mathbf A ~ &~ \mathbf A
|
||||
\cdot \mathbf R + \mathbf C \end{array} \right]\cdot \mathbf b = \mathbf u \bmod q$ and with distribution statistically close to $D_{L,\sigma}$ where $L$ denotes the shifted
|
||||
|
|
|
|||
|
|
@ -5,13 +5,13 @@
|
|||
Pairing-based cryptography was introduced by Antoine Joux~\cite{Jou00} to generalize Diffie-Hellman key exchange to three users in one round.
|
||||
Since then, many constructions have been proposed for cryptographic constructions, such as identity-based encryption~\cite{BF01,Wat05} or group signature~\cite{ACJT00,BBS04}.
|
||||
Multiple constructions and parameter sets coexist for pairings.
|
||||
Real-world implementation are based on elliptic curves~\cite{BN06, KSS08}, but recent advances in cryptanalysis makes it hard to evaluate the security level of pairing-based cryptography~\cite{KB16,BD17}.
|
||||
Real-world implementation are based on elliptic curves~\cite{BN06, KSS08}, but recent advances in cryptanalysis makes it hard to evaluate the security level of pairing-based cryptography~\cite{KB16,MSS17,BD18}.
|
||||
|
||||
In the following, we rely on the black-box definition of cryptographic pairings as bilinear maps, and on the assumed hardness of a classical assumption over pairings, namely $\SXDH$.
|
||||
|
||||
|
||||
%\subsection{Bilinear maps}
|
||||
\begin{definition}[Pairings~\cite{BSS05}] \label{de:pairings}
|
||||
\begin{definition}[Pairings~\cite{BSS05}] \label{de:pairings} \index{Pairings}
|
||||
A pairing is a map $e: \GG \times \Gh \to \GT$ over cyclic groups of order $p$ that verifies the following properties for any $g \in \GG, \hat{g} \in \Gh$:
|
||||
\begin{enumerate}[\quad (i)]
|
||||
\item bilinearity: for any $a, b \in \Zp$, we have $e(g^a, \hat{g}^b) = e(g^b, \hat{g}^a) = e(g, \hat{g})^{ab}$.
|
||||
|
|
@ -22,17 +22,24 @@ In the following, we rely on the black-box definition of cryptographic pairings
|
|||
|
||||
For cryptographic purpose, pairings are usually defined over elliptic curves, hence $\GT$ is a multiplicative subgroup of the multiplicative group of a finite field.
|
||||
|
||||
Most standard assumptions over pairings are derived from the equivalent of the Diffie-Hellman assumptions from cyclic groups.
|
||||
Most standard assumptions over pairings are derived from the equivalent of the Diffie-Hellman assumptions from cyclic groups,
|
||||
%defined in Definition~\ref{de:DDH}.
|
||||
defined as follows.
|
||||
|
||||
\begin{definition}[$\DDH$] \label{de:DDH}
|
||||
\begin{definition}[$\DDH$] \label{de:DDH} \index{Discrete Logarithm!Decisional Diffie-Hellman}
|
||||
Let $\GG$ be a cyclic group of order $p$. The \emph{decisional Diffie-Hellman} ($\DDH$) problem is the following.
|
||||
Given $(g, g^a, g^b, g^c) \in \GG^4$, the goal is to decide if $c = ab$ or if $c$ is sampled uniformly in $\GG$.
|
||||
The DDH assumption is the intractability of the problem for any $\PPT$ algorithm.
|
||||
|
||||
The DDH assumption is the intractability of the problem for any $\ppt$ algorithm.
|
||||
|
||||
Let us now define the $\DDH$ language as
|
||||
$L_\DDH = \bigl\{ (g, g^a, g^b, g^{c}) \in \GG^4 \mid c = a \cdot b \bigr\}.$
|
||||
Thus the $\DDH$ problem is equivalently the question of whether $L_\DDH \in \mathsf{PP}$ or not.
|
||||
\end{definition}
|
||||
|
||||
This hypothesis, from which the Diffie-Hellman key exchange relies its security on, is then used to defined the $\SXDH$ assumption.
|
||||
|
||||
\begin{definition}[{$\SXDH$~\cite[As.~1]{BGdMM05}}]
|
||||
\begin{definition}[{$\SXDH$~\cite[As.~1]{BGdMM05}}] \index{Pairings!Symmetric external Diffie-Hellman (SXDH)}
|
||||
The \emph{Symmetric eXternal Diffie-Hellman} ($\SXDH$) assumption holds if the $\DDH$ assumption holds both in $\GG$ and $\Gh$.
|
||||
\end{definition}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user