Upload
denton-buck
View
20
Download
2
Embed Size (px)
DESCRIPTION
Cryptosystems from unique-SVP lattices Ajtai-Dwork’97/07, Regev’03. Many slides borrowed from Oded Regev, denoted by. Shai Halevi, MIT, August 2009. . 1. f(n). . f(n)-unique-SVP. Promise: the shortest vector u is shorter by a factor of f(n) - PowerPoint PPT Presentation
Citation preview
11
Cryptosystems from Cryptosystems from unique-SVP latticesunique-SVP latticesAjtai-Dwork’97/07, Regev’03Ajtai-Dwork’97/07, Regev’03
Many slides borrowed from Oded Regev, denoted byMany slides borrowed from Oded Regev, denoted by
Shai Halevi, MIT, August 2009Shai Halevi, MIT, August 2009
22
Promise: the shortest Promise: the shortest vector u is shorter by a vector u is shorter by a factor of f(n) factor of f(n)
Algorithm for 2Algorithm for 2nn-unique -unique SVP [LLL82,Schnorr87]SVP [LLL82,Schnorr87]
Believed to be hard for Believed to be hard for any polynomial nany polynomial ncc
f(n)-unique-SVPf(n)-unique-SVP
1 f(n)
1 2n
believed hard easy
nc
33
“Worst-caseDistinguisher”
Wavy-vs-Uniform
Worst-caseDecisionu-SVP
BasicIntuition
AD97 PKEbit-by-bit
n-dimensional
Leftover hash lemma
Worst-caseSearchu-SVP
Regev03:“Hensel lifting”
AD97:Geometric
Ajtai-Dwork & Regev’03 PKEsAjtai-Dwork & Regev’03 PKEs
AD07 PKEO(n)-bits
n-dimensional
Regev03 PKEbit-by-bit
1-dimensional
Projectingto a line
Amortizing byadding dimensions
Nea
rly-t
rivia
lw
orst
-cas
e/av
erag
e-ca
sere
duct
ions
44
n-dimensional n-dimensional distributionsdistributions
?
Wavy Uniform
Distinguish between the distributions:Distinguish between the distributions:
(In a random direction)
55
Given a lattice L, the dual lattice is Given a lattice L, the dual lattice is LL* * = { x | = { x | for all for all yyL, <x,y>L, <x,y>Z }Z }
Dual LatticeDual Lattice
0
1/5
L L*
0
5
66
LL** - the dual of L - the dual of L
0
L
0
n1/n
n
L*
0
n
Case 1
Case 2
77
Input: a basis B* for L*Input: a basis B* for L* Produce a distribution that is:Produce a distribution that is:
Wavy if L has unique shortest vector (|u|Wavy if L has unique shortest vector (|u|1/n)1/n) Uniform (on P(B*)) if Uniform (on P(B*)) if 11(L) > (L) > nn
Choose a point from a Gaussian of radius Choose a point from a Gaussian of radius n, and reduce mod P(B*)n, and reduce mod P(B*) Conceptually, a “random L* point” with a Conceptually, a “random L* point” with a
Gaussian(Gaussian(n) perturbationn) perturbation
ReductionReduction
88
Creating the DistributionCreating the DistributionL*
0
n
L*+ perturb
Case 1
Case 2
99
Theorem: (using [Banaszczyk’93])Theorem: (using [Banaszczyk’93])The distribution obtained above depends only The distribution obtained above depends only on the points in L of distance on the points in L of distance n from the n from the originorigin
(up to an exponentially small error)(up to an exponentially small error)
Therefore, Therefore, Case 1: Determined by Case 1: Determined by multiples of umultiples of u
wavywavy on hyperplanes orthogonal to on hyperplanes orthogonal to u u
Case 2: Determined by Case 2: Determined by the originthe origin
uniformuniform
Analyzing the DistributionAnalyzing the Distribution
1010
For a set A in RFor a set A in Rnn,, define:define:
Poisson Summation Formula implies:Poisson Summation Formula implies:
Banaszczyk’s theorem:Banaszczyk’s theorem:
For any lattice L,For any lattice L,
Proof of TheoremProof of Theorem
Ax
xeA2
)(
Lx
yxi xeLdLyLPy })({)()(),( ,2**
)(2)( )(n
nn BnLBnL
1111
In Case 2, the distribution obtained is In Case 2, the distribution obtained is very close to uniform:very close to uniform:
Because:Because:
Proof of Theorem (cont.)Proof of Theorem (cont.)
Lx
yxi xeLdLyLPy })({)()(),( ,2**
)(})({1)(}0{
,2 LdxeLdLx
yxi
}0{}0{
,2 })({})({LxLx
yxi xxe
)(})0{( nBnLL )()( 2)(2 n
nn BnL
1212
next“Worst-case
Distinguisher”Wavy-vs-Uniform
Worst-caseDecisionu-SVP
BasicIntuition
Worst-caseSearchu-SVP
Regev03:“Hensel lifting”
AD97:Geometric
Ajtai-Dwork & Regev’03 PKEsAjtai-Dwork & Regev’03 PKEs
1313
Reminder: L* lives in hyperplanesReminder: L* lives in hyperplanes
We want to identify u We want to identify u Using an oracle that distinguishes wavy Using an oracle that distinguishes wavy
distributions from uniform in P(B*)distributions from uniform in P(B*)
u
H0
H1
H-1
DistinguishDistinguishSearch, AD97Search, AD97
1414
The planThe plan
1.1. Use the oracle to distinguish points close Use the oracle to distinguish points close to Hto H00 from points close to H from points close to H11
2.2. Then grow very long vectors that are Then grow very long vectors that are rather close to Hrather close to H00
3.3. This gives a very good approximationThis gives a very good approximationfor u, then we use it to find u exactlyfor u, then we use it to find u exactly
1515
Distinguishing HDistinguishing H00 from H from H11
Input: basis B* for L*, ~length of u, point xInput: basis B* for L*, ~length of u, point x And access to wavy/uniform distinguisherAnd access to wavy/uniform distinguisher
Decision: Decision: Is x 1/poly(n) close to HIs x 1/poly(n) close to H00 or to H or to H11??
Choose y from a wavy distribution near L*Choose y from a wavy distribution near L* y = Gaussian(y = Gaussian()* with )* with < 1/2|u| < 1/2|u|
Pick Pick RR[0,1], set z = [0,1], set z = x + y mod P(B*)x + y mod P(B*)
Ask oracle if z is drawn from wavy or Ask oracle if z is drawn from wavy or uniform distributionuniform distribution
* Gaussian(): variance 2 in each coordinate
1616
Distinguishing HDistinguishing H00 from H from H11 (cont.) (cont.)
x
Case 1: x close to HCase 1: x close to H00
x also close to Hx also close to H0 0
x + y mod P(B*) close to L*, wavyx + y mod P(B*) close to L*, wavy
H0
1717
Distinguishing HDistinguishing H00 from H from H11 (cont.) (cont.)
x
Case 2: x close to HCase 2: x close to H11
x “in the middle” between Hx “in the middle” between H0 0 and Hand H11
Nearly uniform component in the u directionNearly uniform component in the u direction x + y mod P(B*) nearly uniform in P(B*)x + y mod P(B*) nearly uniform in P(B*)
H0
H1
1818
Repeat poly(n) times, take majorityRepeat poly(n) times, take majority Boost the advantage to near-certaintyBoost the advantage to near-certainty
Below we assume a “perfect distinguisher”Below we assume a “perfect distinguisher” Close to HClose to H0 0 always says NO always says NO
Close to HClose to H1 1 always says YES always says YES Otherwise, there are no guaranteesOtherwise, there are no guarantees
• Except halting in polynomial timeExcept halting in polynomial time
Distinguishing HDistinguishing H00 from H from H11 (cont.) (cont.)
1919
Growing Large VectorsGrowing Large Vectors
Start from some xStart from some x00 between H between H-1-1 and H and H+1+1
e.g. a random vector of length 1/|u|e.g. a random vector of length 1/|u|
In each step, choose xIn each step, choose xii s.t. s.t. |x|xii| ~ 2|x| ~ 2|xi-1i-1||
xxii is somewhere between H is somewhere between H-1-1 and H and H+1+1
Keep going for poly(n) stepsKeep going for poly(n) steps Result is x* between HResult is x* between H11 with |x*|=N/|u| with |x*|=N/|u|
Very large N, e.g., N=2Very large N, e.g., N=2nn
we’ll see how in a minute
2
2020
From xFrom xi-1i-1 to x to xii
Try poly(n) many candidates:Try poly(n) many candidates: Candidate w = 2xCandidate w = 2xi-1 i-1 + Gaussian(1/|u|)+ Gaussian(1/|u|)
For j = 1,…, m=poly(n)For j = 1,…, m=poly(n) wwjj = j/m · w = j/m · w
Check if wCheck if wjj is near H is near H00 or near H or near H11
If none of the wIf none of the wjj’s is near H’s is near H1 1 then accept w then accept w
and set xand set xii = w = w
Else try another candidate Else try another candidate
w=wm
w1
w2
2121
From xFrom xi-1i-1 to x to xii: Analysis: Analysis
xxi-1i-1 between H between H11 w is between H w is between Hnn
Except with exponentially small probabilityExcept with exponentially small probability
w is NOT between Hw is NOT between H11 some w some wjj near H near H11
So w will be rejectedSo w will be rejected So if we make progress, we know that we So if we make progress, we know that we
are on the right trackare on the right track
2222
From xFrom xi-1i-1 to x to xii: Analysis (cont.): Analysis (cont.)
With probability 1/poly(n), w is close to HWith probability 1/poly(n), w is close to H00
The component in the u direction is GaussianThe component in the u direction is Gaussianwith mean < 2/|u| and variance 1/|u|with mean < 2/|u| and variance 1/|u|22
2xi-1
H0
H1
noise
2323
From xFrom xi-1i-1 to x to xii: Analysis (cont.): Analysis (cont.)
With probability 1/poly, w is close to HWith probability 1/poly, w is close to H00
The component in the u direction is GaussianThe component in the u direction is Gaussianwith mean < 2/|u| and standard deviation 1/|u|with mean < 2/|u| and standard deviation 1/|u|
w is close to Hw is close to H00, all w, all wjj’s are close to H’s are close to H00
So w will be acceptedSo w will be accepted After polynomially many candidates, we After polynomially many candidates, we
will make progress whpwill make progress whp
2424
Finding uFinding u
Find n-1 x*’sFind n-1 x*’s x*x*t+1t+1 is chosen orthogonal to x* is chosen orthogonal to x*11,…,x*,…,x*tt
By choosing the Gaussians in that subspace By choosing the Gaussians in that subspace
Compute uCompute u’’ {x* {x*11,…,x*,…,x*n-1n-1}, with |u}, with |u’’|=1|=1 uu’ ’ is exponentially close to u/|u|is exponentially close to u/|u|
• u/|u| = (uu/|u| = (u’’+e), |e|=1/N+e), |e|=1/N• Can make N Can make N 2 2n n (e.g., N=2(e.g., N=2n n ))
Diophantine approximation to solve for uDiophantine approximation to solve for u
2
(slide 60)
2525
“Worst-caseDistinguisher”
Wavy-vs-Uniform
Worst-caseDecisionu-SVP
BasicIntuition
AD97 PKEbit-by-bit
n-dimensional
Worst-case/average-case+leftover hash lemma
Worst-caseSearchu-SVP
Regev03:“Hensel lifting”
AD97:Geometric
Ajtai-Dwork & Regev’03 PKEsAjtai-Dwork & Regev’03 PKEs
next
(slide 36)
2626
Average-case DistinguisherAverage-case Distinguisher Intuition: lattice only matters via the direction of uIntuition: lattice only matters via the direction of u Security parameter n, other parameters N,Security parameter n, other parameters N, A random u in n-dim. unit sphere defines A random u in n-dim. unit sphere defines DDuu(N,(N,))
= disceret-Gaussian(N) in one dimension= disceret-Gaussian(N) in one dimension• Defines a vector x=Defines a vector x=·u/<u,u>, namely x·u/<u,u>, namely xu and <x,u>=u and <x,u>=
y = Gaussian(N) in the other n-1 dimensionsy = Gaussian(N) in the other n-1 dimensions e = Gaussian(e = Gaussian() in all n dimensions) in all n dimensions Output x+y+eOutput x+y+e
The average-case problemThe average-case problem Distinguish Distinguish DDuu(N,(N,) from ) from GG(N,(N,)=Gaussian(N)+Gaussian()=Gaussian(N)+Gaussian()) For a noticeable fraction of u’sFor a noticeable fraction of u’s
2727
Worst-case/average-case (cont.)Worst-case/average-case (cont.)
Thm: Distinguishing Thm: Distinguishing DDuu(N,(N,) from Uniform ) from Uniform
Distinguishing Wavy Distinguishing WavyB* B* from Uniformfrom UniformB*B* for all B* for all B* When L(B) is unique-SVP, we know When L(B) is unique-SVP, we know 11(L(B)) upto (L(B)) upto
(1+1/poly(n)(1+1/poly(n)-factor, for params N = 2-factor, for params N = 2(n)(n), , =n=n-4-4
Pf: Given B*, scale it s.t. Pf: Given B*, scale it s.t. 11(L(B)) (L(B)) [1,1+1/poly) [1,1+1/poly)
Also apply random rotationAlso apply random rotation Given samples x (from UniformGiven samples x (from UniformB*B* / Wavy / WavyB*B*))
Sample y=discrete-GaussianSample y=discrete-GaussianB*B*(N)(N)• Can do this for large enough NCan do this for large enough N
Output z=x+yOutput z=x+y
““Clearly” z is close to Clearly” z is close to GG(N)(N) //DDuu(N)(N) respectivelyrespectively
2828
The AD97 CryptosystemThe AD97 Cryptosystem
Secret key: a random u Secret key: a random u unit sphere unit sphere Public key: n+m+1 vectors (m=8n log n)Public key: n+m+1 vectors (m=8n log n)
bb11,…b,…bnn DDuu(2(2nn,n,n-4-4), v), v00,v,v11,…,v,…,vm m DDuu(n2(n2nn,n,n-3-3))
• So <bSo <bii,u>, <v,u>, <vii,u> ~ integer,u> ~ integer
• We insist on <vWe insist on <v00,u> ~ odd integer,u> ~ odd integer
Will use P(bWill use P(b11,…b,…bnn) for encryption) for encryption Need P(bNeed P(b11,…b,…bnn) with “width” > 2) with “width” > 2nn/n/n
2929
The AD97 Cryptosystem (cont.)The AD97 Cryptosystem (cont.)
Encryption(Encryption():): cc’’ random-subset-sum(v random-subset-sum(v11,…v,…vmm) + ) + vv00/2/2
output c = (coutput c = (c’’+Gaussian(n+Gaussian(n-4-4)) mod P(B))) mod P(B)
Decryption(c)Decryption(c):: If <u,c> is closer than ¼ to integer say 0, If <u,c> is closer than ¼ to integer say 0,
else say 1else say 1
Correctness due to <bCorrectness due to <bii,u>,<v,u>,<vjj,u>~integer,u>~integer and width of P(B)and width of P(B)
3030
AD97 SecurityAD97 Security
The bThe bii’s, v’s, vii’s chosen from ’s chosen from DDuu(something)(something)
By hardness assumption, can’t distinguish By hardness assumption, can’t distinguish from from GGuu(something)(something)
Claim: if they were from Claim: if they were from GGuu(something), (something),
c would have no information on the bit c would have no information on the bit Proven by leftover hash lemma + smoothingProven by leftover hash lemma + smoothing
Note: vNote: vii’s have variance n’s have variance n22 larger than b larger than bii’s’s
In the In the GGuu case v case vii mod P(B) is nearly uniform mod P(B) is nearly uniform
3131
AD97 Security (cont.)AD97 Security (cont.)
Partition P(B) to qPartition P(B) to qnn cells, q~n cells, q~n77
For each point vFor each point v ii, consider, considerthe cell where it liesthe cell where it lies rrii is the corner of that cell is the corner of that cell
SSvvii mod P(B) = mod P(B) = SSrrii mod P(B) + n mod P(B) + n-5-5 “error” “error” S is our random subsetS is our random subset
SSrrii mod P(B) is a nearly-random cell mod P(B) is a nearly-random cell We’ll show this using leftover hashWe’ll show this using leftover hash
The Gaussian(nThe Gaussian(n-4-4) in c drowns the error term) in c drowns the error term
q
q
3232
Leftover HashingLeftover Hashing
Consider hash function HConsider hash function HRR:{0,1}:{0,1}mm [q] [q]nn The key is R=[rThe key is R=[r11,…,r,…,rmm]] [q] [q]nnmm
The input is a bit vector b=[The input is a bit vector b=[11,…,,…,mm]]TT{0,1}{0,1}mm
HHRR(b) = Rb mod q(b) = Rb mod q H is “pairwise independent” (well, almost..)H is “pairwise independent” (well, almost..)
Yay, let’s use the leftover hash lemmaYay, let’s use the leftover hash lemma <R,H<R,HRR(b)>, <R,(b)>, <R,UU> statistically close> statistically close
For random RFor random R [q] [q]nnmm, b, b{0,1}{0,1}mm, , UU[q][q]n n
Assuming m Assuming m n log q n log q
3333
AD97 Security (cont.)AD97 Security (cont.) We proved We proved SSrrii mod P(B) is nearly-random mod P(B) is nearly-random
Recall:Recall: cc00 = = SSrrii + error(n + error(n-5-5) + Gaussian(n) + Gaussian(n-4-4) mod P(B)) mod P(B)
For any x and error e, |e|~nFor any x and error e, |e|~n-5-5, the distr. , the distr. x+e+Gaussian(nx+e+Gaussian(n-5-5), x+Gaussian(n), x+Gaussian(n-4-4) are ) are statistically closestatistically close
So cSo c00 ~ ~ SSrrii + Gaussian(n + Gaussian(n-3-3) mod P(B)) mod P(B) Which is close to uniform in P(B)Which is close to uniform in P(B) Also cAlso c11 = c = c00 + v + v00/2 mod P(B) close to uniform/2 mod P(B) close to uniform
3434
Average-caseDecision
Wavy-vs-Uniform
Worst-caseDecisionu-SVP
BasicIntuition
AD97 PKEbit-by-bit
n-dimensional
Leftover hash lemma
Worst-caseSearchu-SVP
Regev03:“Hensel lifting”
AD97:Geometric
Ajtai-Dwork & Regev’03 PKEsAjtai-Dwork & Regev’03 PKEs
AD07 PKEO(n)-bits
n-dimensional
Regev03 PKEbit-by-bit
1-dimensional
Projectingto a line
Amortizing byadding dimensions
Nottoday
(slide 49)
3535
Backup SlidesBackup Slides
1.1. Regev’s Decision-to-Search uSVPRegev’s Decision-to-Search uSVP
2.2. Regev’s dimension reductionRegev’s dimension reduction
3.3. Diophantine ApproximationDiophantine Approximation
3636
uSVP DecisionuSVP DecisionSearchSearch
Search-uSVP
Decision mod-pproblem
Decision-uSVP
3737
Reduction from:Reduction from:Decision mod-pDecision mod-p
Given a basis (vGiven a basis (v11…v…vnn) for n) for n1.51.5-unique -unique lattice, and a prime p>nlattice, and a prime p>n1.51.5
Assume the shortest vector is:Assume the shortest vector is:
u = au = a11vv11+a+a22vv22+…+a+…+annvvnn
Decide whether Decide whether aa1 1 is divisible by pis divisible by p
3838
Reduction to:Reduction to:Decision uSVPDecision uSVP
Given a lattice, distinguish between:Given a lattice, distinguish between:Case 1. Shortest vector is of length 1/n and all Case 1. Shortest vector is of length 1/n and all
non-parallel vectors are of length more than non-parallel vectors are of length more than nn
Case 2. Shortest vector is of length more than Case 2. Shortest vector is of length more than nn
3939
The reductionThe reduction
Input: a basis (vInput: a basis (v11,…,v,…,vnn) of a n) of a n1.51.5 unique unique latticelattice
Scale the lattice so that the shortest Scale the lattice so that the shortest vector is of length 1/nvector is of length 1/n
Replace vReplace v1 1 by pvby pv11. Let M be the resulting . Let M be the resulting latticelattice
If p | aIf p | a1 1 then M has shortest vector 1/n then M has shortest vector 1/n and all non-parallel vectors more than and all non-parallel vectors more than n n
If p aIf p a1 1 then M has shortest vector more then M has shortest vector more than than nn
|
4040
The input lattice LThe input lattice L
0
n
1/nL
u2u
-u
4141
The lattice MThe lattice M
0n
1/n
The lattice M is spanned by pvThe lattice M is spanned by pv11,v,v22,…,v,…,vnn::
If p|aIf p|a11, then u = (a, then u = (a11/p)•pv/p)•pv1 1 + a+ a22vv2 2 +…+ +…+ aannvvnn M :M :
M
u
4242
The lattice MThe lattice M
0n
The lattice M is spanned by pvThe lattice M is spanned by pv11,v,v22,…,v,…,vnn::
If p aIf p a11, then u, then uM:M:
M
|
pu
-pu
4343
Search-uSVP
Decision mod-pproblem
Decision-uSVP
uSVP DecisionuSVP DecisionSearchSearch
4444
Reduction from:Reduction from:Decision mod-pDecision mod-p
Given a basis (vGiven a basis (v11…v…vnn) for n) for n1.51.5-unique -unique lattice, and a prime p>nlattice, and a prime p>n1.51.5
Assume the shortest vector is:Assume the shortest vector is:
u = au = a11vv11+a+a22vv22+…+a+…+annvvnn
Decide whether Decide whether aa1 1 is divisible by pis divisible by p
4545
The ReductionThe Reduction Idea: decrease the coefficients of the Idea: decrease the coefficients of the
shortest vectorshortest vector
If we find out that p|aIf we find out that p|a11 then we can then we can replace the basis with replace the basis with pvpv11,v,v22,…,v,…,vn n . .
u is still in the new lattice:u is still in the new lattice:
u = (u = (aa11/p/p)•pv)•pv1 1 + + aa22vv2 2 + … + + … + aannvvnn
The same can be done whenever p|aThe same can be done whenever p|a i i for for some isome i
4646
The ReductionThe Reduction But what if p aBut what if p aii for all i ? for all i ?
Consider the basis Consider the basis vv11,v,v22-v-v11,v,v33,…,v,…,vnn
The shortest vector isThe shortest vector is
u = u = (a(a11+a+a22))vv1 1 + + aa22(v(v22-v-v11)) + + aa33vv3 3 ++ … + … + aannvvnn
The first coefficient is aThe first coefficient is a11+a+a22
Similarly, we can set it to Similarly, we can set it to
aa11--bbp/2p/2ccaa2 2 ,…, a,…, a11-a-a2 2 , a, a1 1 , a, a11+a+a2 2 , … , , … , aa11++bbp/2p/2ccaa22
One of them is divisible by p, so we choose it One of them is divisible by p, so we choose it and continueand continue
|
4747
The ReductionThe Reduction Repeating this process decreases Repeating this process decreases
the coefficients of u are by a factor the coefficients of u are by a factor of p at a timeof p at a time The basis that we started from had The basis that we started from had
coefficients coefficients 2 22n2n
The coefficients are integersThe coefficients are integers
After After 2n 2n22 steps, all the coefficient steps, all the coefficient but one must be zerobut one must be zero
The last vector standing must be The last vector standing must be uu
4848
Regev’s dimension Regev’s dimension reductionreduction
4949
Distinguish between the 1-Distinguish between the 1-dimensional distributions:dimensional distributions:
0
0 R-1
R-1
Uniform:
Wavy:
Reducing from n to 1-dimensionReducing from n to 1-dimension
5050
Reducing from n to 1-Reducing from n to 1-dimensiondimension
First attempt: sample and project to a lineFirst attempt: sample and project to a line
5151
Reducing from n to 1-Reducing from n to 1-dimensiondimension
But then we lose the wavy structure!But then we lose the wavy structure! We should project only from points very We should project only from points very
close to the lineclose to the line
5252
The solutionThe solution
Use the periodicity of the distributionUse the periodicity of the distribution Project on a ‘dense line’ :Project on a ‘dense line’ :
5353
The solutionThe solution
5454
The solutionThe solution
We choose the line that connects the We choose the line that connects the origin to eorigin to e11+Ke+Ke22+K+K22ee33…+K…+Kn-1n-1eenn
where K is where K is large enoughlarge enough
The distance between hyperplanes is nThe distance between hyperplanes is n The sides are of length 2The sides are of length 2nn
Therefore, we choose K=2Therefore, we choose K=2O(n)O(n) Hence, d<O(KHence, d<O(Knn)=2^(O(n)=2^(O(n22))))
5555
So far: a problem that is hard in the So far: a problem that is hard in the worst-case: distinguish between uniform worst-case: distinguish between uniform and d,γ-wavy distributions for and d,γ-wavy distributions for allall integers integers d<2^(nd<2^(n22) )
For cryptographic applications, we would For cryptographic applications, we would like to have a problem that is hard on the like to have a problem that is hard on the average: distinguish between uniform average: distinguish between uniform and d,γ-wavy distributions for and d,γ-wavy distributions for a non-a non-negligible fractionnegligible fraction of d in [2^(nof d in [2^(n22), ), 22••2^(n2^(n22)])]
Worst-case vs. Average-Worst-case vs. Average-casecase
5656
The following procedure transforms d,γ-The following procedure transforms d,γ-wavy into 2d,γ-wavy for all integer d:wavy into 2d,γ-wavy for all integer d: Sample Sample aa from the distribution from the distribution Return either Return either a/2a/2 or or (a+R)/2(a+R)/2 with probability ½ with probability ½
In general, for any real In general, for any real 1,1,we can we can compresscompress d,γ-wavy into d,γ-wavy into d,γ-wavyd,γ-wavy
Notice that compressing preserves the Notice that compressing preserves the uniform distributionuniform distribution
We show a reduction from worst-case to We show a reduction from worst-case to average-caseaverage-case
CompressingCompressing
5757
Assume there exists a distinguisher between Assume there exists a distinguisher between uniform and d,γ-wavy distribution for some non-uniform and d,γ-wavy distribution for some non-negligible fraction of d in [2^(nnegligible fraction of d in [2^(n22), 2), 2••2^(n2^(n22)])]
Given either a uniform or a d,γ-wavy Given either a uniform or a d,γ-wavy distribution for some integer d<2^(ndistribution for some integer d<2^(n22) repeat ) repeat the following:the following: Choose Choose in {1,…,2in {1,…,22^(n2^(n22)} according to a certain )} according to a certain
distributiondistribution Compress the distribution by Compress the distribution by Check the distinguisher’s acceptance probabilityCheck the distinguisher’s acceptance probability
If for some If for some the acceptance probability differs the acceptance probability differs from that of uniform sequences, return ‘wavy’; from that of uniform sequences, return ‘wavy’; otherwise, return ‘uniform’otherwise, return ‘uniform’
ReductionReduction
5858
…1
d
2^(n2)…
22^(n2)
Distribution is uniform:Distribution is uniform: After compression it is still uniformAfter compression it is still uniform Hence, the distinguisher’s acceptance Hence, the distinguisher’s acceptance
probability equals that of uniform sequences probability equals that of uniform sequences for all for all
Distribution is d,γ-wavy:Distribution is d,γ-wavy: After compression it is in the good range with After compression it is in the good range with
some probabilitysome probability Hence, for some Hence, for some , the distinguisher’s , the distinguisher’s
acceptance probability differs from that of acceptance probability differs from that of uniform sequencesuniform sequences
ReductionReduction
5959
Diophantine Diophantine ApproximationApproximation
6060
Solving for uSolving for u(from slide 24)(from slide 24)
Recall: We have B=(bRecall: We have B=(b11,…b,…bnn) and u) and u’’
Shortest vector uShortest vector uL(B) is u = L(B) is u = iibbii, |, |ii| < 2| < 2nn
• Because the basis B is LLL reducedBecause the basis B is LLL reduced uu’ ’ is very very close to u/|u|is very very close to u/|u|
• u/|u| = (uu/|u| = (u’’+e), |e|=1/N, N +e), |e|=1/N, N 2 2n n (e.g., N=2(e.g., N=2n n ))
Express uExpress u’’ = = iibbii ( (ii‘s are reals)‘s are reals)
Set Set ii = = ii//nn for i=1,…,n-1 for i=1,…,n-1 ii very very close to very very close to ii//n n ( ( ii··nn = = ii+O(+O(nn/N) )/N) )
2
6161
Diophantine ApproximationDiophantine Approximation
Look for Look for nn<2<2nn s.t. for all i, s.t. for all i, ii··nn is 2 is 2nn/N away /N away
from an integer (for Nfrom an integer (for N = 2= 2nn ) )
z is the uniquez is the uniqueshortest in L(M)shortest in L(M)by a factor~N/2by a factor~N/2nn
Use LLL to find itUse LLL to find it
Compute the Compute the ii’s and u’s and u
2
1 –11
1 –22
… 1 –n-1n-1
1/1/NN
1
2
…
n
O(2n/N)O(2n/N)
...O(2n/N)O(2n/N)
=
basis M integer
vector
short lattice point
z
6262
Why is z unique-shortest?Why is z unique-shortest? Assume we have another short vector yAssume we have another short vector yL(M)L(M)
nn not much larger than 2 not much larger than 2nn, also the other , also the other ii’s’s Every small yEvery small yL(M) corresponds to vL(M) corresponds to vL(B) L(B)
such that v/|v| very very close to u’such that v/|v| very very close to u’ So also v/|v| very very close to u/|u| (~2So also v/|v| very very close to u/|u| (~2nn/N)/N) Smallish coefficient Smallish coefficient v not too long (~2 v not too long (~22n2n)) v very close to its projection on u (~2v very close to its projection on u (~23n3n/N)/N) s.t. (v–s.t. (v–u)u)L(B) is shortL(B) is short
• Of length Of length 2 23n3n/N + /N + 11/2 < /2 < 11
v must be a multiple of uv must be a multiple of u
u
~2n/N
v
|v|~
22n
~23n/N