Rewriting

This commit is contained in:
Fabrice Mouhartem 2018-02-28 18:02:30 +01:00
parent 79cc6c5806
commit d74450ebac

View File

@ -23,28 +23,36 @@ This gives us a good confidence in the lattice-based assumptions (given the \emp
\end{figure} \end{figure}
A (full-rank) lattice~$\Lambda$ is defined as the set of all integer linear combinations of some linearly independent basis vectors~$(\mathbf{b}_i^{})^{}_{1\leq i \leq n}$ belonging to some~$\RR^n_{}$. A (full-rank) lattice~$\Lambda$ is defined as the set of all integer linear combinations of some linearly independent basis vectors~$(\mathbf{b}_i^{})^{}_{1\leq i \leq n}$ belonging to some~$\RR^n_{}$.
A lattice's basis is not unique, as illustrated in Figure~\ref{fig:lattice-basis}. The integer~$n$ denotes the \emph{dimension} of the lattice.
In the following, we work with $q$-ary lattices, for some prime $q$. A lattice basis is not unique, as illustrated in Figure~\ref{fig:lattice-basis} with a dimension $2$ lattice.
In the following, we work with $q$-ary lattices, for some prime number $q$, defined as follows.
\begin{definition} \label{de:qary-lattices} \index{Lattices} \begin{definition}[$q$-ary lattices] \label{de:qary-lattices} \index{Lattices}
Let~$m \geq n \geq 1$, a prime~$q \geq 2$, $\mathbf{A} \in \ZZ_q^{n \times m}$ and $\mathbf{u} \in \ZZ_q^n$, define Let two integers~$m \geq n \geq 1$, a prime~$q \geq 2$, a matrix $\mathbf{A} \in \ZZ_q^{n \times m}$ and a vector~$\mathbf{u} \in \ZZ_q^n$, define
\begin{align*} \begin{align*}
\Lambda_q^{}(\mathbf{A}) & \triangleq \{ \mathbf{e} \in \ZZ^m_{} \mid \exists \mathbf{s} \in \ZZ_q^n ~\text{ s.t. }~\mathbf{A}^T_{} \cdot \mathbf{s} = \mathbf{e} \bmod q \} \text{ as well as}\\ \Lambda_q^{}(\mathbf{A}) & \triangleq \{ \mathbf{e} \in \ZZ^m_{} \mid \exists \mathbf{s} \in \ZZ_q^n ~\text{ s.t. }~\mathbf{A}^T_{} \cdot \mathbf{s} = \mathbf{e} \bmod q \} \text{ as well as}\\
\Lambda_q^{\perp} (\mathbf{A}) & \triangleq \{\mathbf{e} \in \ZZ^m_{} \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{0}^n \bmod q \} \text{, and}\\ \Lambda_q^{\perp} (\mathbf{A}) & \triangleq \{\mathbf{e} \in \ZZ^m_{} \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{0}^n \bmod q \} \text{, and}\\
\Lambda_q^{\mathbf{u}} (\mathbf{A}) & \triangleq \{\mathbf{e} \in \ZZ^m_{} \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{u} \bmod q \}. \Lambda_q^{\mathbf{u}} (\mathbf{A}) & \triangleq \{\mathbf{e} \in \ZZ^m_{} \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{u} \bmod q \}.
\end{align*} \end{align*}
For any lattice point $\mathbf{t} \in \Lambda_q^{\mathbf{u}} (\mathbf{A})$, it holds that $\Lambda_q^{\mathbf{u}}(\mathbf{A})=\Lambda_q^{\perp}(\mathbf{A}) + \mathbf{t}$. Meaning that $\Lambda_q^{\mathbf{u}} (\mathbf{A}) $ For any lattice point $\mathbf{t} \in \Lambda_q^{\mathbf{u}} (\mathbf{A})$, it holds that $\Lambda_q^{\mathbf{u}}(\mathbf{A})=\Lambda_q^{\perp}(\mathbf{A}) + \mathbf{t}$. Meaning that $\Lambda_q^{\mathbf{u}} (\mathbf{A}) $
is a shift of $\Lambda_q^{\perp} (\mathbf{A})$. is a shift of $\Lambda_q^{\perp} (\mathbf{A})$.
\end{definition} \end{definition}
\noindent For a lattice~$\Lambda$, a vector $\mathbf{c} \in \RR^n$ and a real~$\sigma>0$, define the distribution function \begin{definition}[Gaussian distribution over a lattice] \index{Lattices!Gaussian distribution}
$\rho_{\sigma,\mathbf{c}}(\mathbf{x}) \triangleq \exp(-\pi\|\mathbf{x}- \mathbf{c} \|^2/\sigma^2)$. For a lattice~$\Lambda$, a vector $\mathbf{c} \in \RR^n$ and a real~$\sigma>0$, define the distribution function
The discrete Gaussian distribution of support~$L$, parameter~$\sigma$ and center $\mathbf{c}$ is defined as $\rho_{\sigma,\mathbf{c}}(\mathbf{x}) \triangleq \exp(-\pi\|\mathbf{x}- \mathbf{c} \|^2/\sigma^2)$.
$D_{L,\sigma,\mathbf{c}}(\mathbf{y}) = \rho_{\sigma,\mathbf{c}}(\mathbf{y})/\rho_{\sigma,\mathbf{c}}(L)$ for any $\mathbf{y} \in L$. The discrete Gaussian distribution of support~$\Lambda$, parameter~$\sigma$ and center $\mathbf{c}$ is defined as
We denote by $D_{L,\sigma }(\mathbf{y}) $ the distribution centered in $\mathbf{c}=\mathbf{0}$. $D_{\Lambda,\sigma,\mathbf{c}}(\mathbf{y}) = \rho_{\sigma,\mathbf{c}}(\mathbf{y})/\rho_{\sigma,\mathbf{c}}(\Lambda)$ for any $\mathbf{y} \in \Lambda$.
We denote by $D_{\Lambda,\sigma}(\mathbf{y}) $ the distribution centered in $\mathbf{c}=\mathbf{0}$.
\end{definition}
In order to work with lattices in cryptography, it is useful to define hard lattice problems. In the following we define the shortest Independent Vectors Problem~($\SIVP$). This problem reduces to the Learning With Errors ($\LWE$) problems and the Short Integer Solution~($\SIS$) problem as explained later. These links are important because those are ``worst-case to average-case'' reductions. In other words, the $\SIVP$ assumption by itself is not very handy to manipulate in order to build new cryptographic designs, while the $\LWE$ and $\SIS$ assumptions are ``average-case'' assumptions, are more suitable to design cryptographic schemes. In order to work with lattices in cryptography, hard lattice problems have to be defined. In the following we state the shortest Independent Vectors Problem~($\SIVP$).
This problem reduces to the Learning With Errors ($\LWE$) problems and the Short Integer Solution~($\SIS$) problem as explained later.
These links are important as those are ``worst-case to average-case'' reductions.
In other words, the $\SIVP$ assumption by itself is not very handy to manipulate in order to build new cryptographic designs.
On the other hand, the $\LWE$ and $\SIS$ assumptions ---\,which are ``average-case'' assumptions\,--- are more suitable for designing cryptographic schemes.
In order to define the $\SIVP$ problem and assumption, let us first define the successive minima of a lattice, a generalization of the minimum of a lattice (the length of a shortest non-zero vector in a lattice). In order to define the $\SIVP$ problem and assumption, let us first define the successive minima of a lattice, a generalization of the minimum of a lattice (the length of a shortest non-zero vector in a lattice).
@ -54,15 +62,17 @@ In order to define the $\SIVP$ problem and assumption, let us first define the s
where $\mathcal B(\mathbf c, r)$ denotes the ball of radius $r$ centered in $\mathbf c$. where $\mathcal B(\mathbf c, r)$ denotes the ball of radius $r$ centered in $\mathbf c$.
\end{definition} \end{definition}
Which lead us to the $\SIVP$ problem, which is finding a set of sufficiently short linearly independent vectors given a lattice basis. Which leads us to the $\SIVP$ problem, which is finding a set of sufficiently short linearly independent vectors given a lattice basis.
\begin{definition}[$\SIVP$] \label{de:sivp} \begin{definition}[$\SIVP$] \label{de:sivp}
For a dimension $n$ lattice described by a basis $\mathbf B \in \RR^{n \times m}$, and a parameter $\gamma > 0$, the shortest independent vectors problem is to find $n$ linearly independent vectors $v_1, \ldots, v_n$ such that $\| v_1 \| \leq \| v_2 \| \leq \ldots \leq \| v_n \|$ and $\|v_n\| \leq \gamma \cdot \lambda_n(\mathbf B)$. For a dimension $n$ lattice described by a basis $\mathbf B \in \RR^{n \times m}$, and a parameter $\gamma > 0$, the shortest independent vectors problem is to find $n$ linearly independent vectors $v_1, \ldots, v_n$ such that $\| v_1 \| \leq \| v_2 \| \leq \ldots \leq \| v_n \|$ and $\|v_n\| \leq \gamma \cdot \lambda_n(\mathbf B)$.
\end{definition} \end{definition}
As explained before, we will rely on the assumption that both algorithmic problems below are hard. Meaning that no (probabilistic) polynomial time algorithms can solve them with non-negligible probability and non-negligible advantage, respectively. As explained before, the hardness of this assumption for worst-case lattices implies the hardness of the following two assumptions in their average-case setting.
In other words, it means that no polynomial time algorithms can solve those problems with non-negligible probability and non-negligible advantage given that $\SIVP$ is hard.
%As explained before, we will rely on the assumption that both algorithmic problems below are hard. Meaning that no (probabilistic) polynomial time algorithms can solve them with non-negligible probability and non-negligible advantage, respectively.
\begin{definition}[The SIS problem] \label{de:sis} \index{Lattices!Short Integer Solution} \begin{definition}[The $\SIS$ problem] \label{de:sis} \index{Lattices!Short Integer Solution}
Let~$m,q,\beta$ be functions of~$n \in \mathbb{N}$. The Short Integer Let~$m,q,\beta$ be functions of~$n \in \mathbb{N}$. The Short Integer
Solution problem $\SIS_{n,m,q,\beta}$ is, given~$\mathbf{A} \sample Solution problem $\SIS_{n,m,q,\beta}$ is, given~$\mathbf{A} \sample
U(\Zq^{n \times m})$, find~$\mathbf{x} \in \Lambda_q^{\perp}(\mathbf{A})$ U(\Zq^{n \times m})$, find~$\mathbf{x} \in \Lambda_q^{\perp}(\mathbf{A})$
@ -73,7 +83,7 @@ If~$q \geq \sqrt{n} \beta$ and~$m,\beta \leq \mathsf{poly}(n)$, then $\SIS_{n,m,
standard worst-case lattice problem $\mathsf{SIVP}_\gamma$ with~$\gamma = \softO(\beta\sqrt{n})$ standard worst-case lattice problem $\mathsf{SIVP}_\gamma$ with~$\gamma = \softO(\beta\sqrt{n})$
(see, e.g., \cite[Se.~9]{GPV08}). (see, e.g., \cite[Se.~9]{GPV08}).
\begin{definition}[The LWE problem] \label{de:lwe} \index{Lattices!Learning With Errors} \begin{definition}[The $\LWE$ problem] \label{de:lwe} \index{Lattices!Learning With Errors}
Let $n,m \geq 1$, $q \geq 2$, and let $\chi$ be a probability distribution on~$\mathbb{Z}$. For $\mathbf{s} \in \mathbb{Z}_q^n$, let $A_{\mathbf{s}, \chi}$ be the distribution obtained by sampling $\mathbf{a} \hookleftarrow U(\mathbb{Z}_q^n)$ and $e \hookleftarrow \chi$, and outputting $(\mathbf{a}, \mathbf{a}^T\cdot\mathbf{s} + e) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$. The Learning With Errors problem $\mathsf{LWE}_{n,q,\chi}$ asks to distinguish~$m$ samples chosen according to $\mathcal{A}_{\mathbf{s},\chi}$ (for $\mathbf{s} \hookleftarrow U(\mathbb{Z}_q^n)$) and $m$ samples chosen according to $U(\mathbb{Z}_q^n \times \mathbb{Z}_q)$. Let $n,m \geq 1$, $q \geq 2$, and let $\chi$ be a probability distribution on~$\mathbb{Z}$. For $\mathbf{s} \in \mathbb{Z}_q^n$, let $A_{\mathbf{s}, \chi}$ be the distribution obtained by sampling $\mathbf{a} \hookleftarrow U(\mathbb{Z}_q^n)$ and $e \hookleftarrow \chi$, and outputting $(\mathbf{a}, \mathbf{a}^T\cdot\mathbf{s} + e) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$. The Learning With Errors problem $\mathsf{LWE}_{n,q,\chi}$ asks to distinguish~$m$ samples chosen according to $\mathcal{A}_{\mathbf{s},\chi}$ (for $\mathbf{s} \hookleftarrow U(\mathbb{Z}_q^n)$) and $m$ samples chosen according to $U(\mathbb{Z}_q^n \times \mathbb{Z}_q)$.
\end{definition} \end{definition}