Explanations

This commit is contained in:
Fabrice Mouhartem 2018-03-19 17:30:35 +01:00
parent b419c65bf1
commit efc1b73fed


@ -30,7 +30,7 @@ In the following, we work with $q$-ary lattices, for some prime number $q$, defi
\begin{definition}[$q$-ary lattices] \label{de:qary-lattices} \index{Lattices} \begin{definition}[$q$-ary lattices] \label{de:qary-lattices} \index{Lattices}
Let two integers~$m \geq n \geq 1$, a prime~$q \geq 2$, a matrix $\mathbf{A} \in \ZZ_q^{n \times m}$ and a vector~$\mathbf{u} \in \ZZ_q^n$, define Let two integers~$m \geq n \geq 1$, a prime~$q \geq 2$, a matrix $\mathbf{A} \in \ZZ_q^{n \times m}$ and a vector~$\mathbf{u} \in \ZZ_q^n$, define
\begin{align*} \begin{align*}
\Lambda_q^{}(\mathbf{A}) & \triangleq \{ \mathbf{e} \in \ZZ^m_{} \mid \exists \mathbf{s} \in \ZZ_q^n ~\text{ s.t. }~\mathbf{A}^T_{} \cdot \mathbf{s} = \mathbf{e} \bmod q \} \text{ as well as}\\ \Lambda_q^{}(\mathbf{A}) & \triangleq \{ \mathbf{e} \in \ZZ^m_{} \mid \exists~\mathbf{s} \in \ZZ_q^n ~\text{ s.t. }~\mathbf{A}^T_{} \cdot \mathbf{s} = \mathbf{e} \bmod q \} \text{ as well as}\\
\Lambda_q^{\perp} (\mathbf{A}) & \triangleq \{\mathbf{e} \in \ZZ^m_{} \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{0}^n \bmod q \} \text{, and}\\ \Lambda_q^{\perp} (\mathbf{A}) & \triangleq \{\mathbf{e} \in \ZZ^m_{} \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{0}^n \bmod q \} \text{, and}\\
\Lambda_q^{\mathbf{u}} (\mathbf{A}) & \triangleq \{\mathbf{e} \in \ZZ^m_{} \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{u} \bmod q \}. \Lambda_q^{\mathbf{u}} (\mathbf{A}) & \triangleq \{\mathbf{e} \in \ZZ^m_{} \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{u} \bmod q \}.
\end{align*} \end{align*}
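Review bot: the only change in this hunk is the tie after \exists in the first line of the align* block, which is fine; while this definition is being touched, the unchanged lead-in sentence "Let two integers~$m \geq n \geq 1$, a prime~$q \geq 2$, a matrix ... and a vector ..., define" has no verb for the objects it introduces and would read better as "Let $m \geq n \geq 1$ be integers, $q \geq 2$ a prime, $\mathbf{A} \in \ZZ_q^{n \times m}$ a matrix and $\mathbf{u} \in \ZZ_q^n$ a vector, and define".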
@ -47,6 +47,12 @@ In the following, we work with $q$-ary lattices, for some prime number $q$, defi
We denote by $D_{\Lambda,\sigma}(\mathbf{y}) $ the distribution centered in $\mathbf{c}=\mathbf{0}$. We denote by $D_{\Lambda,\sigma}(\mathbf{y}) $ the distribution centered in $\mathbf{c}=\mathbf{0}$.
\end{definition} \end{definition}
\begin{lemma}[{\cite[Le.~1.5]{Ban93}}]
\label{le:small}
For any lattice~$\Lambda \subseteq \RR^{n}_{}$ and positive real number~$\sigma>0$, we have
$\Pr_{\mathbf{b} \sample D_{\Lambda,\sigma}} \left[ \|\mathbf{b}\| \leq \sigma \sqrt{n} \right] \geq 1-2^{-\Omega(n)}.$
\end{lemma}
In order to work with lattices in cryptography, hard lattice problems have to be defined. In the following we state the \textit{Shortest Independent Vectors Problem}~($\SIVP$). In order to work with lattices in cryptography, hard lattice problems have to be defined. In the following we state the \textit{Shortest Independent Vectors Problem}~($\SIVP$).
This problem reduces to the \textit{Learning With Errors}~($\LWE$) problems and the Short Integer Solution~($\SIS$) problem as explained later. This problem reduces to the \textit{Learning With Errors}~($\LWE$) problems and the Short Integer Solution~($\SIS$) problem as explained later.
These links are important as those are ``worst-case to average-case'' reductions. These links are important as those are ``worst-case to average-case'' reductions.
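Review bot: the new Lemma le:small is stated for any $\sigma > 0$ with the bound $\|\mathbf{b}\| \leq \sigma\sqrt{n}$, which is only correct for one normalisation of the discrete Gaussian; the definition of $D_{\Lambda,\sigma}$ just above should say whether $\sigma$ is the parameter in $\exp(-\pi\|\mathbf{x}\|^2/\sigma^2)$ or the standard deviation, because with the latter the expected squared norm is already $n\sigma^2$ and the stated $1-2^{-\Omega(n)}$ probability does not hold. Also, the lemma is inserted directly after \end{definition} with no blank line or connecting sentence, unlike the other statements in this section; a one-line lead-in such as "Vectors drawn from a discrete Gaussian are short with overwhelming probability:" would match the surrounding style.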
@ -93,18 +99,25 @@ If $q$ is a prime power, $B \geq \sqrt{n}\omega(\log n)$, $\gamma= \widetilde{\m
\subsection{Lattice Trapdoors} \subsection{Lattice Trapdoors}
As shown by Gentry {\em et al.}~\cite{GPV08}, Gaussian distributions with lattice support can be sampled efficiently given a sufficiently short basis of the lattice. In this section, we state the different algorithms that use ``\textit{lattice trapdoors}''.
A trapdoor for lattice $\Lambda$ is a \textit{short} basis of this lattice.
The knowledge of such a basis allows to sample elements in $D_{\Lambda, \sigma}$ within some restrictions given in~\cref{le:GPV}.
The existence of this sampler permits to solve hard lattice problems such as $\SIS$, which is assumed to be intractable in polynomial time.
Indeed,~\cref{le:TrapGen} shows that it is possible to sample a (close to) uniform matrix $\mathbf{A} \in \ZZ_q^{n \times m}$ along with a short basis for $\Lambda^\perp_{q}(\mathbf{A})$.
Thus, a vector sampled in $D_{\Lambda^\perp_{q}(\mathbf{A}), \sigma}$, which is short with overwhelming probabilities according to~\cref{le:small}, is a solution to $\SIS_{n,m,q,\sigma \sqrt{n}}$.
We saw in the previous section that vectors sampled from a Gaussian distribution have bounded norm with overwhelming probability. Gentry {\em et al.}~\cite{GPV08} showed that Gaussian distributions with lattice support can be sampled efficiently given a sufficiently short basis of the lattice.
\begin{lemma}[{\cite[Le.~2.3]{BLP+13}}] \begin{lemma}[{\cite[Le.~2.3]{BLP+13}}]
\label{le:GPV} \label{le:GPV}
There exists a $\ppt$ (probabilistic polynomial-time) algorithm $\GPVSample$ that takes as inputs a There exists a $\ppt$ (probabilistic polynomial-time) algorithm $\GPVSample$ that takes as inputs a
basis~$\mathbf{B}$ of a lattice~$\Lambda \subseteq \ZZ^n$ and a basis~$\mathbf{B}$ of a lattice~$\Lambda \subseteq \ZZ^n$ and a
rational~$\sigma \geq \|\widetilde{\mathbf{B}}\| \cdot \Omega(\sqrt{\log n})$, rational~$\sigma \geq \|\widetilde{\mathbf{B}}\| \cdot \Omega(\sqrt{\log n})$,
and outputs vectors~$\mathbf{b} \in L$ with distribution~$D_{L,\sigma}$. and outputs vectors~$\mathbf{b} \in \Lambda$ with distribution~$D_{\Lambda,\sigma}$.
\end{lemma} \end{lemma}
The following Lemma states that it is possible to efficiently compute a uniform~$\mathbf{A}$ along with a short basis of its orthogonal lattice $\Lambda^{\perp}_q(\mathbf{A})$.
%We %We
%use an algorithm that jointly samples a uniform~$\mathbf{A}$ and a short %use an algorithm that jointly samples a uniform~$\mathbf{A}$ and a short
%basis of~$\Lambda_q^{\perp}(\mathbf{A})$. %basis of~$\Lambda_q^{\perp}(\mathbf{A})$.
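Review bot: the sentence "a vector sampled in $D_{\Lambda^\perp_{q}(\mathbf{A}), \sigma}$ ... is a solution to $\SIS_{n,m,q,\sigma \sqrt{n}}$" in the new opening paragraph omits that $\SIS$ asks for a nonzero vector; the sample is nonzero with overwhelming probability, but the text should say so or exclude $\mathbf{0}$ explicitly. In the same paragraph, "which is assumed to be intractable in polynomial time" reads as if the sampler contradicts the assumption; "assumed to be intractable without the trapdoor" states the intended point. Minor wording: "allows to sample" and "permits to solve" are not idiomatic ("makes it possible to sample/solve"), "with overwhelming probabilities" should be singular, and "We saw in the previous section" refers to Lemma le:small, which this commit adds earlier in the same file, so a \cref{le:small} is more robust than a prose pointer. The replacement of $L$ by $\Lambda$ in Lemma le:GPV is correct and removes a symbol that was never defined.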
@ -114,10 +127,9 @@ and outputs vectors~$\mathbf{b} \in L$ with distribution~$D_{L,\sigma}$.
There exists a $\ppt$ algorithm $\TrapGen$ that takes as inputs $1^n$, $1^m$ and an integer~$q \geq 2$ with~$m \geq \Omega(n \log q)$, and outputs a matrix~$\mathbf{A} \in \ZZ_q^{n \times m}$ and a basis~$\mathbf{T}_{\mathbf{A}}$ of~$\Lambda_q^{\perp}(\mathbf{A})$ such that~$\mathbf{A}$ is within statistical distance~$2^{-\Omega(n)}$ to~$U(\ZZ_q^{n \times m})$, and~$\|\widetilde{\mathbf{T}_{\mathbf{A}}}\| \leq \bigO(\sqrt{n \log q})$. There exists a $\ppt$ algorithm $\TrapGen$ that takes as inputs $1^n$, $1^m$ and an integer~$q \geq 2$ with~$m \geq \Omega(n \log q)$, and outputs a matrix~$\mathbf{A} \in \ZZ_q^{n \times m}$ and a basis~$\mathbf{T}_{\mathbf{A}}$ of~$\Lambda_q^{\perp}(\mathbf{A})$ such that~$\mathbf{A}$ is within statistical distance~$2^{-\Omega(n)}$ to~$U(\ZZ_q^{n \times m})$, and~$\|\widetilde{\mathbf{T}_{\mathbf{A}}}\| \leq \bigO(\sqrt{n \log q})$.
\end{lemma} \end{lemma}
\noindent Lemma~\ref{le:TrapGen} is often combined with the sampler from Lemma~\ref{le:GPV}. Micciancio and Peikert~\cite{MP12} proposed a more efficient approach for this combined task, which is to be be preferred in practice but, for the sake of simplicity, schemes are presented using~$\TrapGen$ in this thesis. \noindent Lemma~\ref{le:TrapGen} is often combined with the sampler from Lemma~\ref{le:GPV}. Micciancio and Peikert~\cite{MP12} proposed a more efficient approach for this combined task, which is to be be preferred in practice but, for the sake of simplicity, schemes are presented using $\TrapGen$ and $\GPVSample$ in this thesis.
We also make use of an algorithm that extends a trapdoor for~$\mathbf{A} \in \ZZ_q^{n \times m}$ to a trapdoor of any~$\mathbf{B} \in \ZZ_q^{n \times m'}$ whose left~$n \times m$ We also make use of an algorithm that extends a trapdoor for~$\mathbf{A} \in \ZZ_q^{n \times m}$ to a trapdoor of any~$\mathbf{B} \in \ZZ_q^{n \times m'}$ whose left~$n \times m$ submatrix is~$\mathbf{A}$.
submatrix is~$\mathbf{A}$.
\begin{lemma}[{\cite[Le.~3.2]{CHKP10}}]\label{lem:extbasis} \begin{lemma}[{\cite[Le.~3.2]{CHKP10}}]\label{lem:extbasis}
There exists a $\ppt$ algorithm $\ExtBasis$ that takes as inputs a There exists a $\ppt$ algorithm $\ExtBasis$ that takes as inputs a
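Review bot: the duplicated word in "which is to be be preferred in practice" (the \noindent paragraph after \end{lemma}) survives on the new side and should read "which is to be preferred". The rest of the hunk, naming $\GPVSample$ alongside $\TrapGen$ and joining the split sentence about the trapdoor extension, is fine.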
@ -129,8 +141,7 @@ submatrix is~$\mathbf{A}$.
\leq \|\widetilde{\mathbf{T}_{\mathbf{A}}}\|$. \leq \|\widetilde{\mathbf{T}_{\mathbf{A}}}\|$.
\end{lemma} \end{lemma}
\noindent In our security proofs, analogously to \cite{Boy10,BHJ+15} we also use a technique due to Agrawal, Boneh and Boyen~\cite{ABB10} that implements In some of our security proofs, analogously to \cite{Boy10,BHJ+15} we also use a technique due to Agrawal, Boneh and Boyen~\cite{ABB10} that implements an all-but-one trapdoor mechanism (akin to the one of Boneh and Boyen \cite{BB04}) in the lattice setting.
an all-but-one trapdoor mechanism (akin to the one of Boneh and Boyen \cite{BB04}) in the lattice setting.
\begin{lemma}[{\cite[Th.~19]{ABB10}}]\label{lem:sampler} \begin{lemma}[{\cite[Th.~19]{ABB10}}]\label{lem:sampler}
There exists a $\ppt$ algorithm $\SampleR$ that takes as inputs matrices $\mathbf A, \mathbf C \in \ZZ_q^{n \times m}$, a low-norm matrix $\mathbf R \in \ZZ^{m \times m}$, There exists a $\ppt$ algorithm $\SampleR$ that takes as inputs matrices $\mathbf A, \mathbf C \in \ZZ_q^{n \times m}$, a low-norm matrix $\mathbf R \in \ZZ^{m \times m}$,
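Review bot: dropping \noindent before "In some of our security proofs" is inconsistent with the paragraph after Lemma le:TrapGen in the previous hunk, which keeps \noindent after \end{lemma}; either keep it here or drop it in both places so the spacing after lemmas is uniform. The wording change to "In some of our security proofs" and the joining of the two lines are fine.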