@ -22,7 +22,7 @@ A (full-rank) lattice~$\Lambda$ is defined as the set of all integer linear comb
|
||||
We can notice that this basis is not unique, as illustrated in Figure~\ref{fig:lattice-basis}.
|
||||
In the following, we work with $q$-ary lattices, for some prime $q$.
|
||||
|
||||
\begin{definition} \label{de:qary-lattices}
|
||||
\begin{definition} \label{de:qary-lattices} \index{Lattices}
|
||||
Let~$m \geq n \geq 1$, a prime~$q \geq 2$, $\mathbf{A} \in \ZZ_q^{n \times m}$ and $\mathbf{u} \in \ZZ_q^n$, define
|
||||
\begin{align*}
|
||||
\Lambda_q(\mathbf{A}) & \triangleq \{ \mathbf{e} \in \ZZ^m \mid \exists \mathbf{s} \in \ZZ_q^n ~\text{ s.t. }~\mathbf{A}^T \cdot \mathbf{s} = \mathbf{e} \bmod q \} \text{ as well as}\\
|
||||
@ -58,7 +58,7 @@ Which lead us to the $\SIVP$ problem, which is finding a set of sufficiently sho
|
||||
|
||||
As explained before, we will rely on the assumption that both algorithmic problems below are hard. Meaning that no (probabilistic) polynomial time algorithms can solve them with non-negligible probability and non-negligible advantage, respectively.
|
||||
|
||||
\begin{definition}[The SIS problem]
|
||||
\begin{definition}[The SIS problem] \label{de:sis} \index{Lattices!Short Integer Solution}
|
||||
Let~$m,q,\beta$ be functions of~$n \in \mathbb{N}$. The Short Integer
|
||||
Solution problem $\SIS_{n,m,q,\beta}$ is, given~$\mathbf{A} \sample
|
||||
U(\Zq^{n \times m})$, find~$\mathbf{x} \in \Lambda_q^{\perp}(\mathbf{A})$
|
||||
@ -68,7 +68,8 @@ As explained before, we will rely on the assumption that both algorithmic proble
|
||||
If~$q \geq \sqrt{n} \beta$ and~$m,\beta \leq \mathsf{poly}(n)$, then $\SIS_{n,m,q,\beta}$ is at least as hard as
|
||||
standard worst-case lattice problem $\mathsf{SIVP}_\gamma$ with~$\gamma = \softO(\beta\sqrt{n})$
|
||||
(see, e.g., \cite[Se.~9]{GPV08}).
|
||||
\begin{definition}[The LWE problem]
|
||||
|
||||
\begin{definition}[The LWE problem] \label{de:lwe} \index{Lattices!Learning With Errors}
|
||||
Let $n,m \geq 1$, $q \geq 2$, and let $\chi$ be a probability distribution on~$\mathbb{Z}$. For $\mathbf{s} \in \mathbb{Z}_q^n$, let $A_{\mathbf{s}, \chi}$ be the distribution obtained by sampling $\mathbf{a} \hookleftarrow U(\mathbb{Z}_q^n)$ and $e \hookleftarrow \chi$, and outputting $(\mathbf{a}, \mathbf{a}^T\cdot\mathbf{s} + e) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$. The Learning With Errors problem $\mathsf{LWE}_{n,q,\chi}$ asks to distinguish~$m$ samples chosen according to $\mathcal{A}_{\mathbf{s},\chi}$ (for $\mathbf{s} \hookleftarrow U(\mathbb{Z}_q^n)$) and $m$ samples chosen according to $U(\mathbb{Z}_q^n \times \mathbb{Z}_q)$.
|
||||
\end{definition}
|
||||
|
||||
@ -84,7 +85,7 @@ given a sufficiently short basis of the lattice.
|
||||
|
||||
\begin{lemma}[{\cite[Le.~2.3]{BLP+13}}]
|
||||
\label{le:GPV}
|
||||
There exists a $\PPT$ (probabilistic polynomial-time) algorithm $\GPVSample$ that takes as inputs a
|
||||
There exists a $\ppt$ (probabilistic polynomial-time) algorithm $\GPVSample$ that takes as inputs a
|
||||
basis~$\mathbf{B}$ of a lattice~$\Lambda \subseteq \ZZ^n$ and a
|
||||
rational~$\sigma \geq \|\widetilde{\mathbf{B}}\| \cdot \Omega(\sqrt{\log n})$,
|
||||
and outputs vectors~$\mathbf{b} \in L$ with distribution~$D_{L,\sigma}$.
|
||||
@ -96,7 +97,7 @@ and outputs vectors~$\mathbf{b} \in L$ with distribution~$D_{L,\sigma}$.
|
||||
|
||||
\begin{lemma}[{\cite[Th.~3.2]{AP09}}]
|
||||
\label{le:TrapGen}
|
||||
There exists a $\PPT$ algorithm $\TrapGen$ that takes as inputs $1^n$,
|
||||
There exists a $\ppt$ algorithm $\TrapGen$ that takes as inputs $1^n$,
|
||||
$1^m$ and an integer~$q \geq 2$ with~$m \geq \Omega(n \log q)$, and
|
||||
outputs a matrix~$\mathbf{A} \in \ZZ_q^{n \times m}$ and a
|
||||
basis~$\mathbf{T}_{\mathbf{A}}$ of~$\Lambda_q^{\perp}(\mathbf{A})$ such
|
||||
@ -113,7 +114,7 @@ We also make use of an algorithm that extends a trapdoor for~$\mathbf{A} \in \ZZ
|
||||
submatrix is~$\mathbf{A}$.
|
||||
|
||||
\begin{lemma}[{\cite[Le.~3.2]{CHKP10}}]\label{lem:extbasis}
|
||||
There exists a $\PPT$ algorithm $\ExtBasis$ that takes as inputs a
|
||||
There exists a $\ppt$ algorithm $\ExtBasis$ that takes as inputs a
|
||||
matrix~$\mathbf{B} \in \ZZ_q^{n \times m' }$ whose first~$m$ columns
|
||||
span~$\ZZ_q^n$, and a basis~$\mathbf{T}_{\mathbf{A}}$
|
||||
of~$\Lambda_q^{\perp}(\mathbf{A})$ where~$\mathbf{A}$ is the left~$n \times
|
||||
@ -126,7 +127,7 @@ submatrix is~$\mathbf{A}$.
|
||||
an all-but-one trapdoor mechanism (akin to the one of Boneh and Boyen \cite{BB04}) in the lattice setting.
|
||||
|
||||
\begin{lemma}[{\cite[Th.~19]{ABB10}}]\label{lem:sampler}
|
||||
There exists a $\PPT$ algorithm $\SampleR$ that takes as inputs matrices $\mathbf A, \mathbf C \in \ZZ_q^{n \times m}$, a low-norm matrix $\mathbf R \in \ZZ^{m \times m}$,
|
||||
There exists a $\ppt$ algorithm $\SampleR$ that takes as inputs matrices $\mathbf A, \mathbf C \in \ZZ_q^{n \times m}$, a low-norm matrix $\mathbf R \in \ZZ^{m \times m}$,
|
||||
a short basis $\mathbf{T_C} \in \ZZ^{m \times m}$ of $\Lambda_q^{\perp}(\mathbf{C})$, a vector $\mathbf u \in \ZZ_q^{n}$ and a rational $\sigma$ such that $\sigma \geq \|
|
||||
\widetilde{\mathbf{T_C}}\| \cdot \Omega(\sqrt{\log n})$, and outputs a short vector $\mathbf{b} \in \ZZ^{2m}$ such that $\left[ \begin{array}{c|c} \mathbf A ~ &~ \mathbf A
|
||||
\cdot \mathbf R + \mathbf C \end{array} \right]\cdot \mathbf b = \mathbf u \bmod q$ and with distribution statistically close to $D_{L,\sigma}$ where $L$ denotes the shifted
|
||||
|