Fabrice Mouhartem 2018-02-02 16:09:02 +01:00
parent 664fa6ccd8
commit d6adc217eb
2 changed files with 21 additions and 13 deletions


@ -22,7 +22,7 @@ A (full-rank) lattice~$\Lambda$ is defined as the set of all integer linear comb
We can notice that this basis is not unique, as illustrated in Figure~\ref{fig:lattice-basis}.
In the following, we work with $q$-ary lattices, for some prime $q$.
\begin{definition} \label{de:qary-lattices}
\begin{definition} \label{de:qary-lattices} \index{Lattices}
Let~$m \geq n \geq 1$, a prime~$q \geq 2$, $\mathbf{A} \in \ZZ_q^{n \times m}$ and $\mathbf{u} \in \ZZ_q^n$, define
\begin{align*}
\Lambda_q(\mathbf{A}) & \triangleq \{ \mathbf{e} \in \ZZ^m \mid \exists \mathbf{s} \in \ZZ_q^n ~\text{ s.t. }~\mathbf{A}^T \cdot \mathbf{s} = \mathbf{e} \bmod q \} \text{ as well as}\\
@ -58,7 +58,7 @@ Which lead us to the $\SIVP$ problem, which is finding a set of sufficiently sho
As explained before, we will rely on the assumption that both algorithmic problems below are hard. Meaning that no (probabilistic) polynomial time algorithms can solve them with non-negligible probability and non-negligible advantage, respectively.
\begin{definition}[The SIS problem]
\begin{definition}[The SIS problem] \label{de:sis} \index{Lattices!Short Integer Solution}
Let~$m,q,\beta$ be functions of~$n \in \mathbb{N}$. The Short Integer
Solution problem $\SIS_{n,m,q,\beta}$ is, given~$\mathbf{A} \sample
U(\Zq^{n \times m})$, find~$\mathbf{x} \in \Lambda_q^{\perp}(\mathbf{A})$
@ -68,7 +68,8 @@ As explained before, we will rely on the assumption that both algorithmic proble
If~$q \geq \sqrt{n} \beta$ and~$m,\beta \leq \mathsf{poly}(n)$, then $\SIS_{n,m,q,\beta}$ is at least as hard as
standard worst-case lattice problem $\mathsf{SIVP}_\gamma$ with~$\gamma = \softO(\beta\sqrt{n})$
(see, e.g., \cite[Se.~9]{GPV08}).
\begin{definition}[The LWE problem]
\begin{definition}[The LWE problem] \label{de:lwe} \index{Lattices!Learning With Errors}
Let $n,m \geq 1$, $q \geq 2$, and let $\chi$ be a probability distribution on~$\mathbb{Z}$. For $\mathbf{s} \in \mathbb{Z}_q^n$, let $A_{\mathbf{s}, \chi}$ be the distribution obtained by sampling $\mathbf{a} \hookleftarrow U(\mathbb{Z}_q^n)$ and $e \hookleftarrow \chi$, and outputting $(\mathbf{a}, \mathbf{a}^T\cdot\mathbf{s} + e) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$. The Learning With Errors problem $\mathsf{LWE}_{n,q,\chi}$ asks to distinguish~$m$ samples chosen according to $\mathcal{A}_{\mathbf{s},\chi}$ (for $\mathbf{s} \hookleftarrow U(\mathbb{Z}_q^n)$) and $m$ samples chosen according to $U(\mathbb{Z}_q^n \times \mathbb{Z}_q)$.
\end{definition}
@ -84,7 +85,7 @@ given a sufficiently short basis of the lattice.
\begin{lemma}[{\cite[Le.~2.3]{BLP+13}}]
\label{le:GPV}
There exists a $\PPT$ (probabilistic polynomial-time) algorithm $\GPVSample$ that takes as inputs a
There exists a $\ppt$ (probabilistic polynomial-time) algorithm $\GPVSample$ that takes as inputs a
basis~$\mathbf{B}$ of a lattice~$\Lambda \subseteq \ZZ^n$ and a
rational~$\sigma \geq \|\widetilde{\mathbf{B}}\| \cdot \Omega(\sqrt{\log n})$,
and outputs vectors~$\mathbf{b} \in L$ with distribution~$D_{L,\sigma}$.
@ -96,7 +97,7 @@ and outputs vectors~$\mathbf{b} \in L$ with distribution~$D_{L,\sigma}$.
\begin{lemma}[{\cite[Th.~3.2]{AP09}}]
\label{le:TrapGen}
There exists a $\PPT$ algorithm $\TrapGen$ that takes as inputs $1^n$,
There exists a $\ppt$ algorithm $\TrapGen$ that takes as inputs $1^n$,
$1^m$ and an integer~$q \geq 2$ with~$m \geq \Omega(n \log q)$, and
outputs a matrix~$\mathbf{A} \in \ZZ_q^{n \times m}$ and a
basis~$\mathbf{T}_{\mathbf{A}}$ of~$\Lambda_q^{\perp}(\mathbf{A})$ such
@ -113,7 +114,7 @@ We also make use of an algorithm that extends a trapdoor for~$\mathbf{A} \in \ZZ
submatrix is~$\mathbf{A}$.
\begin{lemma}[{\cite[Le.~3.2]{CHKP10}}]\label{lem:extbasis}
There exists a $\PPT$ algorithm $\ExtBasis$ that takes as inputs a
There exists a $\ppt$ algorithm $\ExtBasis$ that takes as inputs a
matrix~$\mathbf{B} \in \ZZ_q^{n \times m' }$ whose first~$m$ columns
span~$\ZZ_q^n$, and a basis~$\mathbf{T}_{\mathbf{A}}$
of~$\Lambda_q^{\perp}(\mathbf{A})$ where~$\mathbf{A}$ is the left~$n \times
@ -126,7 +127,7 @@ submatrix is~$\mathbf{A}$.
an all-but-one trapdoor mechanism (akin to the one of Boneh and Boyen \cite{BB04}) in the lattice setting.
\begin{lemma}[{\cite[Th.~19]{ABB10}}]\label{lem:sampler}
There exists a $\PPT$ algorithm $\SampleR$ that takes as inputs matrices $\mathbf A, \mathbf C \in \ZZ_q^{n \times m}$, a low-norm matrix $\mathbf R \in \ZZ^{m \times m}$,
There exists a $\ppt$ algorithm $\SampleR$ that takes as inputs matrices $\mathbf A, \mathbf C \in \ZZ_q^{n \times m}$, a low-norm matrix $\mathbf R \in \ZZ^{m \times m}$,
a short basis $\mathbf{T_C} \in \ZZ^{m \times m}$ of $\Lambda_q^{\perp}(\mathbf{C})$, a vector $\mathbf u \in \ZZ_q^{n}$ and a rational $\sigma$ such that $\sigma \geq \|
\widetilde{\mathbf{T_C}}\| \cdot \Omega(\sqrt{\log n})$, and outputs a short vector $\mathbf{b} \in \ZZ^{2m}$ such that $\left[ \begin{array}{c|c} \mathbf A ~ &~ \mathbf A
\cdot \mathbf R + \mathbf C \end{array} \right]\cdot \mathbf b = \mathbf u \bmod q$ and with distribution statistically close to $D_{L,\sigma}$ where $L$ denotes the shifted
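Review bot: In the LWE definition (hunk @ -68,7 +68,8, now labelled `de:lwe`), the distribution is introduced as `$A_{\mathbf{s}, \chi}$` but the problem statement then refers to `$\mathcal{A}_{\mathbf{s},\chi}$`, so the two symbols typeset differently and the reference does not match what was defined; write `$\mathcal{A}_{\mathbf{s}, \chi}$` in both places. The same line also hand-writes `\mathbb{Z}_q` and `\mathsf{LWE}` while the adjacent SIS definition uses the `\ZZ_q`/`\Zq` and `\SIS` macros, and the hardness remark above it writes `\mathsf{SIVP}_\gamma` where the hunk at @ -58 uses `\SIVP`; since this commit already touches these definition headers for the index, it is a good moment to make the notation uniform (an LWE macro in the style of `\SIS` would do, if the preamble does not already define one — I cannot see it from here).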


@ -5,13 +5,13 @@
Pairing-based cryptography was introduced by Antoine Joux~\cite{Jou00} to generalize Diffie-Hellman key exchange to three users in one round.
Since then, many constructions have been proposed for cryptographic constructions, such as identity-based encryption~\cite{BF01,Wat05} or group signature~\cite{ACJT00,BBS04}.
Multiple constructions and parameter sets coexist for pairings.
Real-world implementation are based on elliptic curves~\cite{BN06, KSS08}, but recent advances in cryptanalysis makes it hard to evaluate the security level of pairing-based cryptography~\cite{KB16,BD17}.
Real-world implementation are based on elliptic curves~\cite{BN06, KSS08}, but recent advances in cryptanalysis makes it hard to evaluate the security level of pairing-based cryptography~\cite{KB16,MSS17,BD18}.
In the following, we rely on the black-box definition of cryptographic pairings as bilinear maps, and on the assumed hardness of a classical assumption over pairings, namely $\SXDH$.
%\subsection{Bilinear maps}
\begin{definition}[Pairings~\cite{BSS05}] \label{de:pairings}
\begin{definition}[Pairings~\cite{BSS05}] \label{de:pairings} \index{Pairings}
A pairing is a map $e: \GG \times \Gh \to \GT$ over cyclic groups of order $p$ that verifies the following properties for any $g \in \GG, \hat{g} \in \Gh$:
\begin{enumerate}[\quad (i)]
\item bilinearity: for any $a, b \in \Zp$, we have $e(g^a, \hat{g}^b) = e(g^b, \hat{g}^a) = e(g, \hat{g})^{ab}$.
@ -22,17 +22,24 @@ In the following, we rely on the black-box definition of cryptographic pairings
For cryptographic purpose, pairings are usually defined over elliptic curves, hence $\GT$ is a multiplicative subgroup of the multiplicative group of a finite field.
Most standard assumptions over pairings are derived from the equivalent of the Diffie-Hellman assumptions from cyclic groups.
Most standard assumptions over pairings are derived from the equivalent of the Diffie-Hellman assumptions from cyclic groups,
%defined in Definition~\ref{de:DDH}.
defined as follows.
\begin{definition}[$\DDH$] \label{de:DDH}
\begin{definition}[$\DDH$] \label{de:DDH} \index{Discrete Logarithm!Decisional Diffie-Hellman}
Let $\GG$ be a cyclic group of order $p$. The \emph{decisional Diffie-Hellman} ($\DDH$) problem is the following.
Given $(g, g^a, g^b, g^c) \in \GG^4$, the goal is to decide if $c = ab$ or if $c$ is sampled uniformly in $\GG$.
The DDH assumption is the intractability of the problem for any $\PPT$ algorithm.
The DDH assumption is the intractability of the problem for any $\ppt$ algorithm.
Let us now define the $\DDH$ language as
$L_\DDH = \bigl\{ (g, g^a, g^b, g^{c}) \in \GG^4 \mid c = a \cdot b \bigr\}.$
Thus the $\DDH$ problem is equivalently the question of whether $L_\DDH \in \mathsf{PP}$ or not.
\end{definition}
This hypothesis, from which the Diffie-Hellman key exchange relies its security on, is then used to defined the $\SXDH$ assumption.
\begin{definition}[{$\SXDH$~\cite[As.~1]{BGdMM05}}]
\begin{definition}[{$\SXDH$~\cite[As.~1]{BGdMM05}}] \index{Pairings!Symmetric external Diffie-Hellman (SXDH)}
The \emph{Symmetric eXternal Diffie-Hellman} ($\SXDH$) assumption holds if the $\DDH$ assumption holds both in $\GG$ and $\Gh$.
\end{definition}