From efc1b73feddf9f1c64261554a3f4ce9a5ae0e9b0 Mon Sep 17 00:00:00 2001
From: Fabrice Mouhartem
Date: Mon, 19 Mar 2018 17:30:35 +0100
Subject: [PATCH] Explanations

---
 sec-lattices.tex | 29 ++++++++++++++++++++---------
 1 file changed, 20 insertions(+), 9 deletions(-)

diff --git a/sec-lattices.tex b/sec-lattices.tex
index 02f159c..4d112a8 100644
--- a/sec-lattices.tex
+++ b/sec-lattices.tex
@@ -30,7 +30,7 @@ In the following, we work with $q$-ary lattices, for some prime number $q$, defi
 \begin{definition}[$q$-ary lattices] \label{de:qary-lattices} \index{Lattices}
 Let two integers~$m \geq n \geq 1$, a prime~$q \geq 2$, a matrix $\mathbf{A} \in \ZZ_q^{n \times m}$ and a vector~$\mathbf{u} \in \ZZ_q^n$, define
 \begin{align*}
- \Lambda_q^{}(\mathbf{A}) & \triangleq \{ \mathbf{e} \in \ZZ^m_{} \mid \exists \mathbf{s} \in \ZZ_q^n ~\text{ s.t. }~\mathbf{A}^T_{} \cdot \mathbf{s} = \mathbf{e} \bmod q \} \text{ as well as}\\
+ \Lambda_q^{}(\mathbf{A}) & \triangleq \{ \mathbf{e} \in \ZZ^m_{} \mid \exists~\mathbf{s} \in \ZZ_q^n ~\text{ s.t. }~\mathbf{A}^T_{} \cdot \mathbf{s} = \mathbf{e} \bmod q \} \text{ as well as}\\
 \Lambda_q^{\perp} (\mathbf{A}) & \triangleq \{\mathbf{e} \in \ZZ^m_{} \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{0}^n \bmod q \} \text{, and}\\
 \Lambda_q^{\mathbf{u}} (\mathbf{A}) & \triangleq \{\mathbf{e} \in \ZZ^m_{} \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{u} \bmod q \}.
 \end{align*}
@@ -47,6 +47,12 @@ In the following, we work with $q$-ary lattices, for some prime number $q$, defi
 We denote by $D_{\Lambda,\sigma}(\mathbf{y}) $ the distribution centered in $\mathbf{c}=\mathbf{0}$.
 \end{definition}
+\begin{lemma}[{\cite[Le.~1.5]{Ban93}}]
+\label{le:small}
+For any lattice~$\Lambda \subseteq \RR^{n}_{}$ and positive real number~$\sigma>0$, we have
+$\Pr_{\mathbf{b} \sample D_{\Lambda,\sigma}} \left[ \|\mathbf{b}\| \leq \sigma \sqrt{n} \right] \geq 1-2^{-\Omega(n)}.$
+\end{lemma}
+
 In order to work with lattices in cryptography, hard lattice problems have to be defined. In the following we state the \textit{Shortest Independent Vectors Problem}~($\SIVP$). This problem reduces to the \textit{Learning With Errors}~($\LWE$) problems and the Short Integer Solution~($\SIS$) problem as explained later. These links are important as those are ``worst-case to average-case'' reductions.
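Review bot: The new Lemma's bound `\|\mathbf{b}\| \leq \sigma \sqrt{n}` is Banaszczyk's tail bound in the normalisation `\rho_\sigma(\mathbf{x}) = \exp(-\pi \|\mathbf{x}\|^2 / \sigma^2)`; the definition of `D_{\Lambda,\sigma}` that precedes this hunk is not visible here, so please check that it uses the same normalisation, since with `\exp(-\|\mathbf{x}\|^2 / 2\sigma^2)` the constant in front of `\sqrt{n}` differs. The statement is a full display written as inline `$…$`; amsmath style would be `\lVert \mathbf{b} \rVert` and `\bigl[ … \bigr]` (or plain `\Pr[ … ]`) rather than `\|` with `\left[ … \right]`, which also avoids auto-sized brackets in running text. `\RR` and `\sample` are not introduced by this commit, so they must already be defined in the preamble.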
@@ -93,18 +99,25 @@ If $q$ is a prime power, $B \geq \sqrt{n}\omega(\log n)$, $\gamma= \widetilde{\m
 \subsection{Lattice Trapdoors}
-As shown by Gentry {\em et al.}~\cite{GPV08}, Gaussian distributions with lattice support can be sampled efficiently given a sufficiently short basis of the lattice.
+In this section, we state the different algorithms that use ``\textit{lattice trapdoors}''.
+A trapdoor for lattice $\Lambda$ is a \textit{short} basis of this lattice.
+The knowledge of such a basis allows to sample elements in $D_{\Lambda, \sigma}$ within some restrictions given in~\cref{le:GPV}.
+The existence of this sampler permits to solve hard lattice problems such as $\SIS$, which is assumed to be intractable in polynomial time.
+Indeed,~\cref{le:TrapGen} shows that it is possible to sample a (close to) uniform matrix $\mathbf{A} \in \ZZ_q^{n \times m}$ along with a short basis for $\Lambda^\perp_{q}(\mathbf{A})$.
+Thus, a vector sampled in $D_{\Lambda^\perp_{q}(\mathbf{A}), \sigma}$, which is short with overwhelming probabilities according to~\cref{le:small}, is a solution to $\SIS_{n,m,q,\sigma \sqrt{n}}$.
 
-We saw in the previous section that vectors sampled from a Gaussian distribution have bounded norm with overwhelming probability.
+Gentry {\em et al.}~\cite{GPV08} showed that Gaussian distributions with lattice support can be sampled efficiently given a sufficiently short basis of the lattice.
 \begin{lemma}[{\cite[Le.~2.3]{BLP+13}}]
 \label{le:GPV}
 There exists a $\ppt$ (probabilistic polynomial-time) algorithm $\GPVSample$ that takes as inputs a basis~$\mathbf{B}$ of a lattice~$\Lambda \subseteq \ZZ^n$ and a rational~$\sigma \geq \|\widetilde{\mathbf{B}}\| \cdot \Omega(\sqrt{\log n})$,
-and outputs vectors~$\mathbf{b} \in L$ with distribution~$D_{L,\sigma}$.
+and outputs vectors~$\mathbf{b} \in \Lambda$ with distribution~$D_{\Lambda,\sigma}$.
 \end{lemma}
+The following Lemma states that it is possible to efficiently compute a uniform~$\mathbf{A}$ along with a short basis of its orthogonal lattice $\Lambda^{\perp}_q(\mathbf{A})$.
+
 %We
 %use an algorithm that jointly samples a uniform~$\mathbf{A}$ and a short
 %basis of~$\Lambda_q^{\perp}(\mathbf{A})$.
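Review bot: The added sentence `Thus, a vector sampled in $D_{\Lambda^\perp_{q}(\mathbf{A}), \sigma}$ … is a solution to $\SIS_{n,m,q,\sigma \sqrt{n}}$` uses the wrong dimension: `\Lambda^\perp_q(\mathbf{A})` is a lattice in `\ZZ^m` (Definition `de:qary-lattices`), so Lemma `le:small` applied to it bounds the norm by `\sigma \sqrt{m}`, and the target should read `is a solution to $\SIS_{n,m,q,\sigma \sqrt{m}}$`. The same argument also needs the sampled vector to be nonzero, which SIS requires; under the `\GPVSample` constraint `\sigma \geq \|\widetilde{\mathbf{B}}\| \cdot \Omega(\sqrt{\log n})` this presumably holds with overwhelming probability, but the text should say so rather than rely on `within some restrictions`. Wording: `overwhelming probabilities` → `overwhelming probability`, `allows to sample` → `allows one to sample`, `permits to solve` → `makes it possible to solve`, and `The following Lemma` → `The following lemma`. Style: the re-added `{\em et al.}` is the obsolete font-switch form; `\emph{et al.}` is the semantic equivalent, and `\emph{lattice trapdoors}` would fit better than `\textit` inside the quotes.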
@@ -114,10 +127,9 @@ and outputs vectors~$\mathbf{b} \in L$ with distribution~$D_{L,\sigma}$.
 There exists a $\ppt$ algorithm $\TrapGen$ that takes as inputs $1^n$, $1^m$ and an integer~$q \geq 2$ with~$m \geq \Omega(n \log q)$, and outputs a matrix~$\mathbf{A} \in \ZZ_q^{n \times m}$ and a basis~$\mathbf{T}_{\mathbf{A}}$ of~$\Lambda_q^{\perp}(\mathbf{A})$ such that~$\mathbf{A}$ is within statistical distance~$2^{-\Omega(n)}$ to~$U(\ZZ_q^{n \times m})$, and~$\|\widetilde{\mathbf{T}_{\mathbf{A}}}\| \leq \bigO(\sqrt{n \log q})$.
 \end{lemma}
-\noindent Lemma~\ref{le:TrapGen} is often combined with the sampler from Lemma~\ref{le:GPV}. Micciancio and Peikert~\cite{MP12} proposed a more efficient approach for this combined task, which is to be be preferred in practice but, for the sake of simplicity, schemes are presented using~$\TrapGen$ in this thesis.
+\noindent Lemma~\ref{le:TrapGen} is often combined with the sampler from Lemma~\ref{le:GPV}. Micciancio and Peikert~\cite{MP12} proposed a more efficient approach for this combined task, which is to be be preferred in practice but, for the sake of simplicity, schemes are presented using $\TrapGen$ and $\GPVSample$ in this thesis.
 
-We also make use of an algorithm that extends a trapdoor for~$\mathbf{A} \in \ZZ_q^{n \times m}$ to a trapdoor of any~$\mathbf{B} \in \ZZ_q^{n \times m'}$ whose left~$n \times m$
-submatrix is~$\mathbf{A}$.
+We also make use of an algorithm that extends a trapdoor for~$\mathbf{A} \in \ZZ_q^{n \times m}$ to a trapdoor of any~$\mathbf{B} \in \ZZ_q^{n \times m'}$ whose left~$n \times m$ submatrix is~$\mathbf{A}$.
 \begin{lemma}[{\cite[Le.~3.2]{CHKP10}}]\label{lem:extbasis}
 There exists a $\ppt$ algorithm $\ExtBasis$ that takes as inputs a
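Review bot: The rewritten sentence keeps the doubled `be` from the old line: `which is to be be preferred in practice` should read `which is to be preferred in practice`. The same line refers to the lemmas as `Lemma~\ref{le:TrapGen}` and `Lemma~\ref{le:GPV}` while the new text added earlier in this commit uses `\cref{le:TrapGen}`; using `\cref` here too keeps the lemma naming consistent. The `\noindent` at the start of the paragraph is a layout override; if the intent is that the paragraph continues the lemma's discussion it is fine, otherwise it can be dropped.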
@@ -129,8 +141,7 @@ submatrix is~$\mathbf{A}$.
 \leq \|\widetilde{\mathbf{T}_{\mathbf{A}}}\|$.
 \end{lemma}
-\noindent In our security proofs, analogously to \cite{Boy10,BHJ+15} we also use a technique due to Agrawal, Boneh and Boyen~\cite{ABB10} that implements
-an all-but-one trapdoor mechanism (akin to the one of Boneh and Boyen \cite{BB04}) in the lattice setting.
+In some of our security proofs, analogously to \cite{Boy10,BHJ+15} we also use a technique due to Agrawal, Boneh and Boyen~\cite{ABB10} that implements an all-but-one trapdoor mechanism (akin to the one of Boneh and Boyen \cite{BB04}) in the lattice setting.
 \begin{lemma}[{\cite[Th.~19]{ABB10}}]\label{lem:sampler}
 There exists a $\ppt$ algorithm $\SampleR$ that takes as inputs matrices $\mathbf A, \mathbf C \in \ZZ_q^{n \times m}$, a low-norm matrix $\mathbf R \in \ZZ^{m \times m}$,
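Review bot: In the rewritten sentence the citations `analogously to \cite{Boy10,BHJ+15}` and `Boneh and Boyen \cite{BB04}` are separated from the preceding word by a breakable space, while the same line writes `Boyen~\cite{ABB10}`; a `~` before each `\cite` keeps the citation from being pushed to the start of a line. A comma after the citation, `analogously to~\cite{Boy10,BHJ+15}, we also use`, would also make the parenthetical clearer.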