%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% % \section{Lattice-Based Cryptography} % %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \subsection{Lattices and Hard Lattice Problems} A (full-rank) lattice~$L$ is defined as the set of all integer linear combinations of some linearly independent basis vectors~$(\mathbf{b}_i)_{i\leq n}$ belonging to some~$\RR^n$. We work with $q$-ary lattices, for some prime $q$. \begin{definition} \label{de:qary-lattices} Let~$m \geq n \geq 1$, a prime~$q \geq 2$, $\mathbf{A} \in \ZZ_q^{n \times m}$ and $\mathbf{u} \in \ZZ_q^n$, define $\Lambda_q(\mathbf{A}) := \{ \mathbf{e} \in \ZZ^m \mid \exists \mathbf{s} \in \ZZ_q^n ~\text{ s.t. }~\mathbf{A}^T \cdot \mathbf{s} = \mathbf{e} \bmod q \}$ as well as \begin{align*} \Lambda_q^{\perp} (\mathbf{A}) &:= \{\mathbf{e} \in \ZZ^m \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{0}^n \bmod q \},& \Lambda_q^{\mathbf{u}} (\mathbf{A}) &:= \{\mathbf{e} \in \ZZ^m \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{u} \bmod q \} \end{align*} For any $\mathbf{t} \in \Lambda_q^{\mathbf{u}} (\mathbf{A})$, $\Lambda_q^{\mathbf{u}}(\mathbf{A})=\Lambda_q^{\perp}(\mathbf{A}) + \mathbf{t}$ so that $\Lambda_q^{\mathbf{u}} (\mathbf{A}) $ is a shift of $\Lambda_q^{\perp} (\mathbf{A})$. \end{definition} \noindent For a lattice~$L$, a vector $\mathbf{c} \in \RR^n$ and a real~$\sigma>0$, define the function $\rho_{\sigma,\mathbf{c}}(\mathbf{x}) = \exp(-\pi\|\mathbf{x}- \mathbf{c} \|^2/\sigma^2)$. The discrete Gaussian distribution of support~$L$, parameter~$\sigma$ and center $\mathbf{c}$ is defined as $D_{L,\sigma,\mathbf{c}}(\mathbf{y}) = \rho_{\sigma,\mathbf{c}}(\mathbf{y})/\rho_{\sigma,\mathbf{c}}(L)$ for any $\mathbf{y} \in L$. We denote by $D_{L,\sigma }(\mathbf{y}) $ the distribution centered in $\mathbf{c}=\mathbf{0}$. We will extensively use the fact that samples from~$D_{L,\sigma}$ are short with overwhelming probability. \begin{lemma}[{\cite[Le.~1.5]{Bana93}}] \label{le:small} For any lattice~$L \subseteq \RR^n$ and positive real number~$\sigma>0$, we have $\Pr_{\mathbf{b} \sample D_{L,\sigma}} [\|\mathbf{b}\| \leq \sqrt{n} \sigma] \geq 1-2^{-\Omega(n)}.$ \end{lemma} \subsection{Lattice Trapdoors} \noindent As shown by Gentry {\em et al.}~\cite{GPV08}, Gaussian distributions with lattice support can be sampled efficiently given a sufficiently short basis of the lattice. \begin{lemma}[{\cite[Le.~2.3]{BLPRS13}}] \label{le:GPV} There exists a $\PPT$ (probabilistic polynomial-time) algorithm $\textsf{GPVSample}$ that takes as inputs a basis~$\mathbf{B}$ of a lattice~$L \subseteq \ZZ^n$ and a rational~$\sigma \geq \|\widetilde{\mathbf{B}}\| \cdot \Omega(\sqrt{\log n})$, and outputs vectors~$\mathbf{b} \in L$ with distribution~$D_{L,\sigma}$. \end{lemma} %We %use an algorithm that jointly samples a uniform~$\mathbf{A}$ and a short %basis of~$\Lambda_q^{\perp}(\mathbf{A})$. \begin{lemma}[{\cite[Th.~3.2]{AlPe09}}] \label{le:TrapGen} There exists a $\PPT$ algorithm $\TrapGen$ that takes as inputs $1^n$, $1^m$ and an integer~$q \geq 2$ with~$m \geq \Omega(n \log q)$, and outputs a matrix~$\mathbf{A} \in \ZZ_q^{n \times m}$ and a basis~$\mathbf{T}_{\mathbf{A}}$ of~$\Lambda_q^{\perp}(\mathbf{A})$ such that~$\mathbf{A}$ is within statistical distance~$2^{-\Omega(n)}$ to~$U(\ZZ_q^{n \times m})$, and~$\|\widetilde{\mathbf{T}_{\mathbf{A}}}\| \leq \bigO(\sqrt{n \log q})$. \end{lemma} \noindent Lemma~\ref{le:TrapGen} is often combined with the sampler from Lemma~\ref{le:GPV}. Micciancio and Peikert~\cite{MiPe12} recently proposed a more efficient approach for this combined task, which should be preferred in practice but, for the sake of simplicity, we present our schemes using~$\TrapGen$. We also make use of an algorithm that extends a trapdoor for~$\mathbf{A} \in \ZZ_q^{n \times m}$ to a trapdoor of any~$\mathbf{B} \in \ZZ_q^{n \times m'}$ whose left~$n \times m$ submatrix is~$\mathbf{A}$. \begin{lemma}[{\cite[Le.~3.2]{CaHoKiPe10}}]\label{lem:extbasis} There exists a $\PPT$ algorithm $\ExtBasis$ that takes as inputs a matrix~$\mathbf{B} \in \ZZ_q^{n \times m' }$ whose first~$m$ columns span~$\ZZ_q^n$, and a basis~$\mathbf{T}_{\mathbf{A}}$ of~$\Lambda_q^{\perp}(\mathbf{A})$ where~$\mathbf{A}$ is the left~$n \times m$ submatrix of~$\mathbf{B}$, and outputs a basis~$\mathbf{T}_{\mathbf{B}}$ of~$\Lambda_q^{\perp}(\mathbf{B})$ with~$\|\widetilde{\mathbf{T}_{\mathbf{B}}}\| \leq \|\widetilde{\mathbf{T}_{\mathbf{A}}}\|$. \end{lemma} \noindent In our security proofs, analogously to \cite{Boy10,BHJKS15} we also use a technique due to Agrawal, Boneh and Boyen~\cite{ABB1} that implements an all-but-one trapdoor mechanism (akin to the one of Boneh and Boyen \cite{BB04}) in the lattice setting. %In other words we need the following algorithm: \begin{lemma}[{\cite[Th.~19]{ABB1}}]\label{lem:sampler} There exists a $\PPT$ algorithm $\SampleR$ that takes as inputs matrices $\mathbf A, \mathbf C \in \ZZ_q^{n \times m}$, a low-norm matrix $\mathbf R \in \ZZ^{m \times m}$, a short basis $\mathbf{T_C} \in \ZZ^{m \times m}$ of $\Lambda_q^{\perp}(\mathbf{C})$, a vector $\mathbf u \in \ZZ_q^{n}$ and a rational $\sigma$ such that $\sigma \geq \| \widetilde{\mathbf{T_C}}\| \cdot \Omega(\sqrt{\log n})$, and outputs a short vector $\mathbf{b} \in \ZZ^{2m}$ such that $\left[ \begin{array}{c|c} \mathbf A ~ &~ \mathbf A \cdot \mathbf R + \mathbf C \end{array} \right]\cdot \mathbf b = \mathbf u \bmod q$ and with distribution statistically close to $D_{L,\sigma}$ where $L$ denotes the shifted lattice $\Lambda^\mathbf{u}_q \left( \left[ \begin{array}{c|c} \mathbf A ~&~ \mathbf A \cdot \mathbf R + \mathbf C \end{array} \right] \right)$. %$\{ \mathbf x \in \ZZ^{2 m} : \left[ \begin{array}{c|c} \mathbf A ~&~ \mathbf A \cdot \mathbf R + \mathbf C \end{array} \right] \cdot \mathbf x = \mathbf u \bmod q \}$. \end{lemma}