Rewriting
This commit is contained in:
parent
79cc6c5806
commit
d74450ebac
@ -23,11 +23,12 @@ This gives us a good confidence in the lattice-based assumptions (given the \emp
|
|||||||
\end{figure}
|
\end{figure}
|
||||||
|
|
||||||
A (full-rank) lattice~$\Lambda$ is defined as the set of all integer linear combinations of some linearly independent basis vectors~$(\mathbf{b}_i^{})^{}_{1\leq i \leq n}$ belonging to some~$\RR^n_{}$.
|
A (full-rank) lattice~$\Lambda$ is defined as the set of all integer linear combinations of some linearly independent basis vectors~$(\mathbf{b}_i^{})^{}_{1\leq i \leq n}$ belonging to some~$\RR^n_{}$.
|
||||||
A lattice's basis is not unique, as illustrated in Figure~\ref{fig:lattice-basis}.
|
The integer~$n$ denotes the \emph{dimension} of the lattice.
|
||||||
In the following, we work with $q$-ary lattices, for some prime $q$.
|
A lattice basis is not unique, as illustrated in Figure~\ref{fig:lattice-basis} with a dimension $2$ lattice.
|
||||||
|
In the following, we work with $q$-ary lattices, for some prime number $q$, defined as follows.
|
||||||
|
|
||||||
\begin{definition} \label{de:qary-lattices} \index{Lattices}
|
\begin{definition}[$q$-ary lattices] \label{de:qary-lattices} \index{Lattices}
|
||||||
Let~$m \geq n \geq 1$, a prime~$q \geq 2$, $\mathbf{A} \in \ZZ_q^{n \times m}$ and $\mathbf{u} \in \ZZ_q^n$, define
|
Let two integers~$m \geq n \geq 1$, a prime~$q \geq 2$, a matrix $\mathbf{A} \in \ZZ_q^{n \times m}$ and a vector~$\mathbf{u} \in \ZZ_q^n$, define
|
||||||
\begin{align*}
|
\begin{align*}
|
||||||
\Lambda_q^{}(\mathbf{A}) & \triangleq \{ \mathbf{e} \in \ZZ^m_{} \mid \exists \mathbf{s} \in \ZZ_q^n ~\text{ s.t. }~\mathbf{A}^T_{} \cdot \mathbf{s} = \mathbf{e} \bmod q \} \text{ as well as}\\
|
\Lambda_q^{}(\mathbf{A}) & \triangleq \{ \mathbf{e} \in \ZZ^m_{} \mid \exists \mathbf{s} \in \ZZ_q^n ~\text{ s.t. }~\mathbf{A}^T_{} \cdot \mathbf{s} = \mathbf{e} \bmod q \} \text{ as well as}\\
|
||||||
\Lambda_q^{\perp} (\mathbf{A}) & \triangleq \{\mathbf{e} \in \ZZ^m_{} \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{0}^n \bmod q \} \text{, and}\\
|
\Lambda_q^{\perp} (\mathbf{A}) & \triangleq \{\mathbf{e} \in \ZZ^m_{} \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{0}^n \bmod q \} \text{, and}\\
|
||||||
@ -38,13 +39,20 @@ For any lattice point $\mathbf{t} \in \Lambda_q^{\mathbf{u}} (\mathbf{A})$, it h
|
|||||||
is a shift of $\Lambda_q^{\perp} (\mathbf{A})$.
|
is a shift of $\Lambda_q^{\perp} (\mathbf{A})$.
|
||||||
\end{definition}
|
\end{definition}
|
||||||
|
|
||||||
\noindent For a lattice~$\Lambda$, a vector $\mathbf{c} \in \RR^n$ and a real~$\sigma>0$, define the distribution function
|
\begin{definition}[Gaussian distribution over a lattice] \index{Lattices!Gaussian distribution}
|
||||||
|
For a lattice~$\Lambda$, a vector $\mathbf{c} \in \RR^n$ and a real~$\sigma>0$, define the distribution function
|
||||||
$\rho_{\sigma,\mathbf{c}}(\mathbf{x}) \triangleq \exp(-\pi\|\mathbf{x}- \mathbf{c} \|^2/\sigma^2)$.
|
$\rho_{\sigma,\mathbf{c}}(\mathbf{x}) \triangleq \exp(-\pi\|\mathbf{x}- \mathbf{c} \|^2/\sigma^2)$.
|
||||||
The discrete Gaussian distribution of support~$L$, parameter~$\sigma$ and center $\mathbf{c}$ is defined as
|
The discrete Gaussian distribution of support~$\Lambda$, parameter~$\sigma$ and center $\mathbf{c}$ is defined as
|
||||||
$D_{L,\sigma,\mathbf{c}}(\mathbf{y}) = \rho_{\sigma,\mathbf{c}}(\mathbf{y})/\rho_{\sigma,\mathbf{c}}(L)$ for any $\mathbf{y} \in L$.
|
$D_{\Lambda,\sigma,\mathbf{c}}(\mathbf{y}) = \rho_{\sigma,\mathbf{c}}(\mathbf{y})/\rho_{\sigma,\mathbf{c}}(\Lambda)$ for any $\mathbf{y} \in \Lambda$.
|
||||||
We denote by $D_{L,\sigma }(\mathbf{y}) $ the distribution centered in $\mathbf{c}=\mathbf{0}$.
|
We denote by $D_{\Lambda,\sigma}(\mathbf{y}) $ the distribution centered in $\mathbf{c}=\mathbf{0}$.
|
||||||
|
\end{definition}
|
||||||
|
|
||||||
In order to work with lattices in cryptography, it is useful to define hard lattice problems. In the following we define the shortest Independent Vectors Problem~($\SIVP$). This problem reduces to the Learning With Errors ($\LWE$) problems and the Short Integer Solution~($\SIS$) problem as explained later. These links are important because those are ``worst-case to average-case'' reductions. In other words, the $\SIVP$ assumption by itself is not very handy to manipulate in order to build new cryptographic designs, while the $\LWE$ and $\SIS$ assumptions are ``average-case'' assumptions, are more suitable to design cryptographic schemes.
|
In order to work with lattices in cryptography, hard lattice problems have to be defined. In the following we state the shortest Independent Vectors Problem~($\SIVP$).
|
||||||
|
This problem reduces to the Learning With Errors ($\LWE$) problems and the Short Integer Solution~($\SIS$) problem as explained later.
|
||||||
|
These links are important as those are ``worst-case to average-case'' reductions.
|
||||||
|
|
||||||
|
In other words, the $\SIVP$ assumption by itself is not very handy to manipulate in order to build new cryptographic designs.
|
||||||
|
On the other hand, the $\LWE$ and $\SIS$ assumptions ---\,which are ``average-case'' assumptions\,--- are more suitable for designing cryptographic schemes.
|
||||||
|
|
||||||
In order to define the $\SIVP$ problem and assumption, let us first define the successive minima of a lattice, a generalization of the minimum of a lattice (the length of a shortest non-zero vector in a lattice).
|
In order to define the $\SIVP$ problem and assumption, let us first define the successive minima of a lattice, a generalization of the minimum of a lattice (the length of a shortest non-zero vector in a lattice).
|
||||||
|
|
||||||
@ -54,15 +62,17 @@ In order to define the $\SIVP$ problem and assumption, let us first define the s
|
|||||||
where $\mathcal B(\mathbf c, r)$ denotes the ball of radius $r$ centered in $\mathbf c$.
|
where $\mathcal B(\mathbf c, r)$ denotes the ball of radius $r$ centered in $\mathbf c$.
|
||||||
\end{definition}
|
\end{definition}
|
||||||
|
|
||||||
Which lead us to the $\SIVP$ problem, which is finding a set of sufficiently short linearly independent vectors given a lattice basis.
|
Which leads us to the $\SIVP$ problem, which is finding a set of sufficiently short linearly independent vectors given a lattice basis.
|
||||||
|
|
||||||
\begin{definition}[$\SIVP$] \label{de:sivp}
|
\begin{definition}[$\SIVP$] \label{de:sivp}
|
||||||
For a dimension $n$ lattice described by a basis $\mathbf B \in \RR^{n \times m}$, and a parameter $\gamma > 0$, the shortest independent vectors problem is to find $n$ linearly independent vectors $v_1, \ldots, v_n$ such that $\| v_1 \| \leq \| v_2 \| \leq \ldots \leq \| v_n \|$ and $\|v_n\| \leq \gamma \cdot \lambda_n(\mathbf B)$.
|
For a dimension $n$ lattice described by a basis $\mathbf B \in \RR^{n \times m}$, and a parameter $\gamma > 0$, the shortest independent vectors problem is to find $n$ linearly independent vectors $v_1, \ldots, v_n$ such that $\| v_1 \| \leq \| v_2 \| \leq \ldots \leq \| v_n \|$ and $\|v_n\| \leq \gamma \cdot \lambda_n(\mathbf B)$.
|
||||||
\end{definition}
|
\end{definition}
|
||||||
|
|
||||||
As explained before, we will rely on the assumption that both algorithmic problems below are hard. Meaning that no (probabilistic) polynomial time algorithms can solve them with non-negligible probability and non-negligible advantage, respectively.
|
As explained before, the hardness of this assumption for worst-case lattices implies the hardness of the following two assumptions in their average-case setting.
|
||||||
|
In other words, it means that no polynomial time algorithms can solve those problems with non-negligible probability and non-negligible advantage given that $\SIVP$ is hard.
|
||||||
|
%As explained before, we will rely on the assumption that both algorithmic problems below are hard. Meaning that no (probabilistic) polynomial time algorithms can solve them with non-negligible probability and non-negligible advantage, respectively.
|
||||||
|
|
||||||
\begin{definition}[The SIS problem] \label{de:sis} \index{Lattices!Short Integer Solution}
|
\begin{definition}[The $\SIS$ problem] \label{de:sis} \index{Lattices!Short Integer Solution}
|
||||||
Let~$m,q,\beta$ be functions of~$n \in \mathbb{N}$. The Short Integer
|
Let~$m,q,\beta$ be functions of~$n \in \mathbb{N}$. The Short Integer
|
||||||
Solution problem $\SIS_{n,m,q,\beta}$ is, given~$\mathbf{A} \sample
|
Solution problem $\SIS_{n,m,q,\beta}$ is, given~$\mathbf{A} \sample
|
||||||
U(\Zq^{n \times m})$, find~$\mathbf{x} \in \Lambda_q^{\perp}(\mathbf{A})$
|
U(\Zq^{n \times m})$, find~$\mathbf{x} \in \Lambda_q^{\perp}(\mathbf{A})$
|
||||||
@ -73,7 +83,7 @@ If~$q \geq \sqrt{n} \beta$ and~$m,\beta \leq \mathsf{poly}(n)$, then $\SIS_{n,m,
|
|||||||
standard worst-case lattice problem $\mathsf{SIVP}_\gamma$ with~$\gamma = \softO(\beta\sqrt{n})$
|
standard worst-case lattice problem $\mathsf{SIVP}_\gamma$ with~$\gamma = \softO(\beta\sqrt{n})$
|
||||||
(see, e.g., \cite[Se.~9]{GPV08}).
|
(see, e.g., \cite[Se.~9]{GPV08}).
|
||||||
|
|
||||||
\begin{definition}[The LWE problem] \label{de:lwe} \index{Lattices!Learning With Errors}
|
\begin{definition}[The $\LWE$ problem] \label{de:lwe} \index{Lattices!Learning With Errors}
|
||||||
Let $n,m \geq 1$, $q \geq 2$, and let $\chi$ be a probability distribution on~$\mathbb{Z}$. For $\mathbf{s} \in \mathbb{Z}_q^n$, let $A_{\mathbf{s}, \chi}$ be the distribution obtained by sampling $\mathbf{a} \hookleftarrow U(\mathbb{Z}_q^n)$ and $e \hookleftarrow \chi$, and outputting $(\mathbf{a}, \mathbf{a}^T\cdot\mathbf{s} + e) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$. The Learning With Errors problem $\mathsf{LWE}_{n,q,\chi}$ asks to distinguish~$m$ samples chosen according to $\mathcal{A}_{\mathbf{s},\chi}$ (for $\mathbf{s} \hookleftarrow U(\mathbb{Z}_q^n)$) and $m$ samples chosen according to $U(\mathbb{Z}_q^n \times \mathbb{Z}_q)$.
|
Let $n,m \geq 1$, $q \geq 2$, and let $\chi$ be a probability distribution on~$\mathbb{Z}$. For $\mathbf{s} \in \mathbb{Z}_q^n$, let $A_{\mathbf{s}, \chi}$ be the distribution obtained by sampling $\mathbf{a} \hookleftarrow U(\mathbb{Z}_q^n)$ and $e \hookleftarrow \chi$, and outputting $(\mathbf{a}, \mathbf{a}^T\cdot\mathbf{s} + e) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$. The Learning With Errors problem $\mathsf{LWE}_{n,q,\chi}$ asks to distinguish~$m$ samples chosen according to $\mathcal{A}_{\mathbf{s},\chi}$ (for $\mathbf{s} \hookleftarrow U(\mathbb{Z}_q^n)$) and $m$ samples chosen according to $U(\mathbb{Z}_q^n \times \mathbb{Z}_q)$.
|
||||||
\end{definition}
|
\end{definition}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user