From df47d3b441978b00332a98ded697b370839c110c Mon Sep 17 00:00:00 2001 From: Fabrice Mouhartem Date: Fri, 16 Feb 2018 15:54:03 +0100 Subject: [PATCH] chap: -> ch: --- chap-proofs.tex | 4 ++-- chap-structures.tex | 2 +- sec-lattices.tex | 16 ++++++++++------ 3 files changed, 13 insertions(+), 9 deletions(-) diff --git a/chap-proofs.tex b/chap-proofs.tex index 45eeea6..aa203af 100644 --- a/chap-proofs.tex +++ b/chap-proofs.tex @@ -1,4 +1,4 @@ -\chapter{Security Proofs in Cryptography} \label{chap:proofs} +\chapter{Security Proofs in Cryptography} \label{ch:proofs} Provable security is a subfield of cryptography where constructions are proven secure with regards to a security model. To illustrate this notion, let us take the example of public-key encryption schemes. @@ -111,7 +111,7 @@ an attack is successful if the probability that it succeed is noticeable. Once that we define the notions related to the core of the proof, we have to define the objects on what we work on. Namely, defining what we want to prove, and the hypotheses on which we rely, also called ``hardness assumption''. -The details of the hardness assumptions we use are given in Chapter~\ref{chap:structures}. +The details of the hardness assumptions we use are given in Chapter~\ref{ch:structures}. Nevertheless, some notions are common to these and are evoked here. The confidence one can put in a hardness assumption depends on many criteria. diff --git a/chap-structures.tex b/chap-structures.tex index 51e468d..522c36b 100644 --- a/chap-structures.tex +++ b/chap-structures.tex @@ -1,5 +1,5 @@ \chapter{Underlying Structures} -\label{chap:structures} +\label{ch:structures} In the previous chapter, we saw that theoretical cryptography has to rely on \emph{computational hardness assumptions}. Beside \emph{information theory-base cryptography}, most hardness assumptions are built on top of algebraic structures. diff --git a/sec-lattices.tex b/sec-lattices.tex index ad5488b..62160ed 100644 
--- a/sec-lattices.tex +++ b/sec-lattices.tex 
@@ -3,10 +3,14 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% During the last decade, lattice-based cryptography has emerged as a promising candidate for post-quantum cryptography. -For example, on the first round of the NIST post-quantum competition, there are 28 out of 82 submissions from lattice-based cryptography~\cite{NIS17}. Lattice-based cryptography takes advantage of a simple mathematical structure (the lattices) in order to provide beyond encryption and signature cryptography. For instance, fully homomorphic encryption~\cite{Gen09,GSW13} are only possible in the lattice-based world for now. +For example, on the first round of the NIST post-quantum competition, there are 28 out of 82 submissions from lattice-based cryptography~\cite{NIS17}. +Lattice-based cryptography takes advantage of a simple mathematical structure, the so-called lattices, in order to provide beyond encryption and signature cryptography. +For instance, fully homomorphic encryption~\cite{Gen09,GSW13} are only possible in the lattice-based world for now. -In the context of provable security, lattice assumptions benefits from a worst-case to average-case reduction~\cite{Reg05,GPV08,MP12}. -Worst-case lattice problems have been extensively studied in the last past years~\cite{ADRS15,HK17}. +In the context of provable security, lattice assumptions benefits from a worst-case to average-case reduction~\cite{Reg05,GPV08,MP12,AFG14}. +Concurrently, worst-case lattice problems have been extensively analysed in the last decade~\cite{ADS15,ADRS15,HK17}, both classically and quantumly. + +This gives us a good confidence in the lattice-based assumptions (given the \emph{caveats} of Chapter~\ref{ch:proofs}) such as Learning with Errors ($\LWE$) and Short Integer Solutions ($\SIS$) that are defined in Section~\ref{sse:lattice-problems}. The rest of this section will describe some useful algorithms that relies on \emph{lattice trapdoors}. 
\subsection{Lattices and Hard Lattice Problems} \label{sse:lattice-problems} @@ -18,8 +22,8 @@ Worst-case lattice problems have been extensively studied in the last past years \label{fig:lattice-basis} \end{figure} -A (full-rank) lattice~$\Lambda$ is defined as the set of all integer linear combinations of some linearly independent basis vectors~$(\mathbf{b}_i)_{i\leq n}$ belonging to some~$\RR^n_{}$. -We can notice that this basis is not unique, as illustrated in Figure~\ref{fig:lattice-basis}. +A (full-rank) lattice~$\Lambda$ is defined as the set of all integer linear combinations of some linearly independent basis vectors~$(\mathbf{b}_i^{})^{}_{1\leq i \leq n}$ belonging to some~$\RR^n_{}$. +A lattice's basis is not unique, as illustrated in Figure~\ref{fig:lattice-basis}. In the following, we work with $q$-ary lattices, for some prime $q$. \begin{definition} \label{de:qary-lattices} \index{Lattices} 
@@ -40,7 +44,7 @@ The discrete Gaussian distribution of support~$L$, parameter~$\sigma$ and center $D_{L,\sigma,\mathbf{c}}(\mathbf{y}) = \rho_{\sigma,\mathbf{c}}(\mathbf{y})/\rho_{\sigma,\mathbf{c}}(L)$ for any $\mathbf{y} \in L$. We denote by $D_{L,\sigma }(\mathbf{y}) $ the distribution centered in $\mathbf{c}=\mathbf{0}$. -In order to work with lattices in cryptography, it is useful to define hard lattice problems. In the following we define the shortest Independent Vectors Problem~($\SIVP$). This problem reduces to the Learning With Errors ($\LWE$) problems and the Short Integer Solution~($\SIS$) problem as explained later. These links are important because those are ``wost-case to average-case'' reductions. In other words, the $\SIVP$ assumption by itself is not very handy to manipulate in order to build new cryptographic designs, while the $\LWE$ and $\SIS$ assumptions are ``average-case'' assumptions, are more suitable to design cryptographic schemes. +In order to work with lattices in cryptography, it is useful to define hard lattice problems. In the following we define the shortest Independent Vectors Problem~($\SIVP$). This problem reduces to the Learning With Errors ($\LWE$) problems and the Short Integer Solution~($\SIS$) problem as explained later. These links are important because those are ``worst-case to average-case'' reductions. In other words, the $\SIVP$ assumption by itself is not very handy to manipulate in order to build new cryptographic designs, while the $\LWE$ and $\SIS$ assumptions are ``average-case'' assumptions, are more suitable to design cryptographic schemes. In order to define the $\SIVP$ problem and assumption, let us first define the successive minima of a lattice, a generalization of the minimum of a lattice (the length of a shortest non-zero vector in a lattice).
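Review bot: in chap-proofs.tex and chap-structures.tex the labels change from chap:proofs and chap:structures to ch:proofs and ch:structures, but the only existing \ref updated in this patch is \ref{chap:structures} in the second chap-proofs.tex hunk. The diffstat covers three files, so a \ref{chap:proofs} or \ref{chap:structures} in any other file would now be an undefined reference. Search the tree for "chap:" and check the LaTeX log for undefined-reference warnings before merging. Only these two labels are visibly renamed here, so if other chapters keep the chap: prefix the naming convention ends up mixed.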
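Review bot: the added lines of the first sec-lattices.tex hunk (@@ -3,10 +3,14 @@) cite two new keys, AFG14 and ADS15, and no bibliography file appears in the diffstat. If those entries are not already in the .bib, both citations will come out undefined. The hunk also rewrites the introduction and adds a paragraph, which the subject "chap: -> ch:" does not describe, so consider moving these content changes into their own commit. In the new paragraph "algorithms that relies on" should be "algorithms that rely on", and the lines being re-added keep the same agreement errors in "lattice assumptions benefits" and "fully homomorphic encryption ... are only possible".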
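Review bot: in the second sec-lattices.tex hunk (@@ -18,8 +22,8 @@) the new basis notation $(\mathbf{b}_i^{})^{}_{1\leq i \leq n}$ carries two empty superscript groups whose purpose is not evident from the source. If they are there for vertical alignment, a short comment or a macro would make that explicit; otherwise $(\mathbf{b}_i)_{1\leq i \leq n}$ reads more cleanly. Making the lower bound on $i$ explicit is a good change.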
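Review bot: the third sec-lattices.tex hunk (@@ -40,7 +44,7 @@) corrects "wost-case" but leaves other errors on the same line that are worth fixing in the same edit. The phrase "are ``average-case'' assumptions, are more suitable" has a doubled verb, "shortest Independent Vectors Problem" is capitalized inconsistently, and "Learning With Errors ($\LWE$) problems" is plural where the $\SIS$ problem is singular. The names also disagree with the paragraph added in the first hunk, which writes "Learning with Errors" and "Short Integer Solutions"; choose one spelling for each and use it throughout.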