the geometry of lattice cryptography - uniurb · 2011. 10. 25. · point lattices lattice...
The Geometry of Lattice Cryptography
Daniele Micciancio
Department of Computer Science and Engineering
University of California, San Diego
August 29-30, 2011 (FOSAD ’11 – Bertinoro, Italy)

Cryptography, Complexity and Lattices

Cryptography: exploiting hard computational problems to build computer systems that are hard to break.

Good news
There are plenty of hard computational problems in computer science.

Bad news
Finding cryptographically useful hard problems seems hard.

Cryptography requires problems that
- are very hard to solve: solution should take enormous time
- are hard to solve on average, even with small probability
- have extra features, e.g., trapdoors, regularity, etc.

Point Lattices and Cryptography

Lattice problems
- appear to be very hard (solution takes exponential time),
- have been widely studied by mathematicians since the 19th century (Lagrange, Gauss, Dirichlet, ...),
- provably yield hard-on-average problems, from worst-case complexity assumptions.

Lattice-related constructions and cryptographic functions
- have many useful features (linearity, trapdoors, etc.),
- are efficient and easy to implement, typically involving only simple arithmetic operations on small numbers.
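
Ajtai’s function

Definition (Ajtai’s function)
$f_A(x) = Ax \bmod q$ where $A \in \mathbb{Z}_q^{n \times m}$ and $x \in \{0,1\}^m$

Example with $q = 10$ ($A$ has $n$ rows and $m$ columns):

$$x = (0, 1, 1, 0, 1, 0, 0)^T \in \{0,1\}^m$$

$$A = \begin{pmatrix} 1 & 4 & 5 & 9 & 3 & 0 & 2 \\ 4 & 2 & 8 & 6 & 2 & 4 & 3 \\ 7 & 5 & 5 & 4 & 7 & 8 & 0 \\ 2 & 7 & 0 & 1 & 4 & 6 & 9 \end{pmatrix} \in \mathbb{Z}_q^{n \times m}$$

$$y = Ax = (2, 2, 7, 1)^T \in \mathbb{Z}_q^n$$

Security (One-wayness)
Given $A$ and $y$, it is hard to find $x \in \{0,1\}^m$ s.t. $f_A(x) = y$.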
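
The slide's toy instance, worked in Python as an added example (not part of the original slides): it evaluates $f_A$, checks the linearity mentioned earlier, and inverts by exhaustive search over all $2^m$ inputs, which is the only generic strategy shown here and is feasible only because $m = 7$. The helper names `ajtai`, `add_mod`, `preimages` and `compresses` are assumptions of this example.

```python
from itertools import product

# Toy instance copied from the slide: q = 10, A has n = 4 rows and m = 7 columns.
Q = 10
A = [
    [1, 4, 5, 9, 3, 0, 2],
    [4, 2, 8, 6, 2, 4, 3],
    [7, 5, 5, 4, 7, 8, 0],
    [2, 7, 0, 1, 4, 6, 9],
]
X = (0, 1, 1, 0, 1, 0, 0)


def ajtai(A, x, q):
    """Evaluate f_A(x) = A x mod q for a binary vector x in {0,1}^m."""
    if any(len(row) != len(x) for row in A):
        raise ValueError("x needs one entry per column of A")
    if any(bit not in (0, 1) for bit in x):
        raise ValueError("x must be a 0/1 vector")
    return tuple(sum(a * b for a, b in zip(row, x)) % q for row in A)


def add_mod(u, v, q):
    """Component-wise addition in Z_q^n."""
    return tuple((a + b) % q for a, b in zip(u, v))


def preimages(A, y, q):
    """Invert f_A by exhaustive search: tries all 2^m binary inputs."""
    m = len(A[0])
    return [x for x in product((0, 1), repeat=m) if ajtai(A, x, q) == tuple(y)]


def compresses(n, m, q):
    """True when there are more inputs (2^m) than outputs (q^n),
    so that distinct inputs with equal output must exist."""
    return 2 ** m > q ** n


def demo():
    y = ajtai(A, X, Q)
    # Linearity: x1 and x2 have disjoint support and x1 + x2 = X,
    # so f_A(x1) + f_A(x2) = f_A(X) in Z_q^n.
    x1 = (0, 1, 0, 0, 0, 0, 0)
    x2 = (0, 0, 1, 0, 1, 0, 0)
    linear = add_mod(ajtai(A, x1, Q), ajtai(A, x2, Q), Q) == y
    found = preimages(A, y, Q)  # 2^7 = 128 evaluations
    return y, linear, found


if __name__ == "__main__":
    y, linear, found = demo()
    print("y =", y)
    print("linearity holds:", linear)
    print("preimages found by brute force:", found)
    print("toy instance compresses:", compresses(len(A), len(A[0]), Q))
```

The search cost doubles with every extra column of $A$, so the same loop is useless once $m$ is in the hundreds.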

Outline

1. Point Lattices
   - Computational Problems
   - The dual lattice
2. Lattice Cryptography
   - Average Case Hardness
   - Random Lattices
   - Cryptographic functions
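
Point Lattices

The simplest example of a lattice is $\mathbb{Z}^n = \{(x_1, \ldots, x_n) : x_i \in \mathbb{Z}\}$.
Other lattices are obtained by applying a linear transformation

$$B : x = (x_1, \ldots, x_n) \mapsto Bx = x_1 \cdot b_1 + \cdots + x_n \cdot b_n$$

[Figure: the transformation $B$ and the vectors $b_1$, $b_2$]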
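
Lattices and Bases

A lattice is the set of all integer linear combinations of (linearly independent) basis vectors $B = \{b_1, \ldots, b_n\} \subset \mathbb{R}^n$:

$$\mathcal{L} = \sum_{i=1}^{n} b_i \cdot \mathbb{Z} = \{Bx : x \in \mathbb{Z}^n\}$$

The same lattice has many bases

$$\mathcal{L} = \sum_{i=1}^{n} c_i \cdot \mathbb{Z}$$

Definition (Lattice)
A discrete additive subgroup of $\mathbb{R}^n$

[Figure: a lattice with basis vectors $b_1$, $b_2$]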
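
Minimum Distance and Successive Minima

Minimum distance

$$\lambda_1 = \min_{x, y \in \mathcal{L},\, x \neq y} \|x - y\| = \min_{x \in \mathcal{L},\, x \neq 0} \|x\|$$

Successive minima ($i = 1, \ldots, n$)

$$\lambda_i = \min\{r : \dim \operatorname{span}(\mathcal{B}(r) \cap \mathcal{L}) \geq i\}$$

Examples
- $\mathbb{Z}^n$: $\lambda_1 = \lambda_2 = \ldots = \lambda_n = 1$
- Always: $\lambda_1 \leq \lambda_2 \leq \ldots \leq \lambda_n$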
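
Distance Function and Covering Radius

Distance function

$$\mu(t, \mathcal{L}) = \min_{x \in \mathcal{L}} \|t - x\|$$

Covering radius

$$\mu(\mathcal{L}) = \max_{t \in \operatorname{span}(\mathcal{L})} \mu(t, \mathcal{L})$$

Spheres of radius $\mu(\mathcal{L})$ centered around all lattice points cover the whole space.

[Figure: a point $t$ and the distance $\mu$]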
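
Bounding the covering radius

- Let $V = [v_1, \ldots, v_n]$ be linearly independent, $\|v_i\| \leq \lambda_n$
- Tile $\mathbb{R}^n$ with copies of $\mathcal{P}(V) = V[0, 1)^n$
- If $t \in x + \mathcal{P}(V)$, then

$$\|t - x\| \leq \sum_i \|v_i\| \leq n\lambda_n.$$

This proves $\mu(\mathcal{L}) \leq n\lambda_n(\mathcal{L})$, and can be further improved:

Theorem
For any lattice $\mathcal{L}$, $\mu(\mathcal{L}) \leq \frac{\sqrt{n}}{2} \lambda_n(\mathcal{L})$

[Figure: the vectors $v_1$, $v_2$]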
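
Bounding the successive minima

- Let $\|b_1\| = \lambda_1(\mathcal{L})$
- Let $t = \frac{1}{2} b_1$
- Then $\mu(t, \mathcal{L}) \geq \lambda_1 / 2$

This proves $\lambda_1(\mathcal{L}) \leq 2\mu(\mathcal{L})$, and can be further improved:

Theorem
For any lattice $\mathcal{L}$, $\lambda_n(\mathcal{L}) \leq 2\mu(\mathcal{L})$

[Figure: the basis vectors $b_1$, $b_2$]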
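
Relations among lattice parameters

Theorem
For any lattice $\mathcal{L}$, $\lambda_1 \leq \lambda_2 \leq \ldots \leq \lambda_n \leq 2\mu \leq \sqrt{n}\,\lambda_n$

Remarks:
1. $\mu \approx \lambda_n$ (up to $\sqrt{n}$ factors)
2. For some lattices $\lambda_1 \ll \lambda_2 \ll \ldots \ll \lambda_n$
3. For some lattices $\lambda_1 = \lambda_2 = \ldots = \lambda_n$ and $2\mu = \sqrt{n}\,\lambda_n$
4. For some lattices $\lambda_1 = \lambda_2 = \ldots = \lambda_n$ and $\mu \leq 2\lambda_n$

Problem
Give an explicit construction of a lattice satisfying $\mu \leq 2\lambda_1$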
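
The parameters defined on the preceding slides, computed by brute force for two-dimensional integer lattices as an added example (not part of the original slides). It checks that two different bases generate the same lattice, computes $\lambda_1, \lambda_2$ by enumeration, estimates $\mu$ from below on a grid over $\mathcal{P}(B)$, and tests the chain $\lambda_1 \leq \lambda_2 \leq 2\mu \leq \sqrt{n}\,\lambda_n$. Function names, the enumeration bound and the grid size are assumptions of this example, chosen large enough for the small bases used.

```python
import math
from fractions import Fraction
from itertools import product


def points(B, bound=6):
    """Lattice points x1*b1 + x2*b2 with |x1|, |x2| <= bound (rows of B are b1, b2)."""
    (a, b), (c, d) = B
    return [(x1 * a + x2 * c, x1 * b + x2 * d)
            for x1, x2 in product(range(-bound, bound + 1), repeat=2)]


def same_lattice(B, C):
    """True iff C = U B for an integer matrix U with det U = +1 or -1."""
    (a, b), (c, d) = B
    det = a * d - b * c
    if det == 0:
        raise ValueError("basis vectors must be linearly independent")
    # Exact inverse of B, then U = C * B^{-1}.
    inv = [[Fraction(d, det), Fraction(-b, det)],
           [Fraction(-c, det), Fraction(a, det)]]
    U = [[r[0] * inv[0][k] + r[1] * inv[1][k] for k in range(2)] for r in C]
    if any(u.denominator != 1 for row in U for u in row):
        return False
    return abs(U[0][0] * U[1][1] - U[0][1] * U[1][0]) == 1


def successive_minima(B, bound=6):
    """(lambda_1, lambda_2): shortest nonzero vector, then the shortest
    vector linearly independent from it."""
    nonzero = sorted((p for p in points(B, bound) if p != (0, 0)),
                     key=lambda p: p[0] ** 2 + p[1] ** 2)
    v1 = nonzero[0]
    v2 = next(p for p in nonzero if v1[0] * p[1] - v1[1] * p[0] != 0)
    return math.hypot(*v1), math.hypot(*v2)


def distance(t, pts):
    """mu(t, L), minimised over the enumerated lattice points."""
    return min(math.hypot(t[0] - p[0], t[1] - p[1]) for p in pts)


def covering_radius(B, bound=6, steps=20):
    """Lower estimate of mu(L): the largest mu(t, L) over a grid of
    targets t in the fundamental parallelepiped P(B) = B[0,1)^2."""
    (a, b), (c, d) = B
    pts = points(B, bound)
    best = 0.0
    for i, j in product(range(steps), repeat=2):
        u, v = i / steps, j / steps
        best = max(best, distance((u * a + v * c, u * b + v * d), pts))
    return best


def relations_hold(B, tol=1e-9):
    """Check lambda_1 <= lambda_2 <= 2*mu <= sqrt(n)*lambda_n for n = 2."""
    l1, l2 = successive_minima(B)
    mu = covering_radius(B)
    return l1 <= l2 <= 2 * mu + tol and 2 * mu <= math.sqrt(2) * l2 + tol


if __name__ == "__main__":
    Z2 = [(1, 0), (0, 1)]      # Z^2 with the standard basis
    C = [(2, 1), (1, 1)]       # another basis of Z^2 (constructed)
    SKEW = [(1, 0), (0, 5)]    # constructed lattice with lambda_1 < lambda_2
    print("same lattice:", same_lattice(Z2, C))
    for name, B in (("Z2", Z2), ("C", C), ("SKEW", SKEW)):
        print(name, successive_minima(B), round(covering_radius(B), 4),
              relations_hold(B))
```

For $\mathbb{Z}^2$ the estimate hits the deep hole $(1/2, 1/2)$ exactly, giving $2\mu = \sqrt{2} = \sqrt{n}\,\lambda_n$, the equality case of remark 3.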
Point LatticesLattice Cryptography
Computational ProblemsThe dual lattice
Relations among lattice parameters
Theorem
For any lattice L, λ1 ≤ λ2 ≤ . . . ≤ λn ≤ 2µ ≤√
nλn
Remarks:
1 µ ≈ λn (up to√
n factors)
2 For some lattices λ1 λ2 . . . λn3 For some lattices λ1 = λ2 = . . . = λn and 2µ =
√nλn
4 For some lattices λ1 = λ2 = . . . = λn and µ ≤ 2λn
Problem
Give an explicit construction of a lattice satisfying µ ≤ 2λ1
Daniele Micciancio The Geometry of Lattice Cryptography
![Page 49: The Geometry of Lattice Cryptography - UniUrb · 2011. 10. 25. · Point Lattices Lattice Cryptography The Geometry of Lattice Cryptography Daniele Micciancio Department of Computer](https://reader036.vdocument.in/reader036/viewer/2022070220/61333c26dfd10f4dd73af4ea/html5/thumbnails/49.jpg)
Point LatticesLattice Cryptography
Computational ProblemsThe dual lattice
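Relations among lattice parameters

Theorem
For any lattice $L$, $\lambda_1 \le \lambda_2 \le \ldots \le \lambda_n \le 2\mu \le \sqrt{n}\,\lambda_n$

Remarks:
1. $\mu \approx \lambda_n$ (up to $\sqrt{n}$ factors)
2. For some lattices $\lambda_1$ $\lambda_2$ $\ldots$ $\lambda_n$
3. For some lattices $\lambda_1 = \lambda_2 = \ldots = \lambda_n$ and $2\mu = \sqrt{n}\,\lambda_n$
4. For some lattices $\lambda_1 = \lambda_2 = \ldots = \lambda_n$ and $\mu \le 2\lambda_n$

Problem
Give an explicit construction of a lattice satisfying $\mu \le 2\lambda_1$
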
Determinant

Definition (Determinant)
$\det(L)$ = volume of the fundamental region $P = \sum_i b_i \cdot [0, 1)$

Different bases define different fundamental regions
All fundamental regions have the same volume
The determinant of a lattice can be efficiently computed from any basis.

[Figure: fundamental region $P$ of the basis $b_1$, $b_2$, together with a second basis $c_1$, $c_2$]

Density estimates

Definition (Centered Fundamental Parallelepiped)
$P = \sum_i b_i \cdot [-1/2, 1/2)$

$\mathrm{vol}(P(B)) = \det(L)$
$\{x + P(B) \mid x \in L\}$ partitions $\mathbb{R}^n$
For all sufficiently large $S \subseteq \mathbb{R}^n$, $|S \cap L| \approx \mathrm{vol}(S)/\det(L)$

Minkowski’s convex body theorem

Theorem (Convex Body)
Let $C \subset \mathbb{R}^n$ be a symmetric convex body. If $\mathrm{vol}(C) > 2^n$, then $C$ contains a nonzero integer vector

Let $L = B\mathbb{Z}^n$ and $r = \det(L)^{1/n}$. Then,
$C = B^{-1}[-r, r]^n$ has volume $\det(B)^{-1}(2r)^n = 2^n$
$C$ contains $x \in \mathbb{Z}^n \setminus \{0\}$
$BC = [-r, r]^n$ contains $Bx$
$\lambda_1(L) \le \sqrt{n}\, r = \sqrt{n}\,\det(L)^{1/n}$

Minkowski’s second theorem

Theorem (Minkowski)
$\lambda_1(L) \le \left(\prod_i \lambda_i(L)\right)^{1/n} \le \sqrt{n}\,\det(L)^{1/n}$

For $\mathbb{Z}^n$, $\lambda_1 = (\prod_i \lambda_i)^{1/n} = 1$ is smaller than Minkowski’s bound by $\sqrt{n}$
$\lambda_1(L)$ can be arbitrarily smaller than Minkowski’s bound
$(\prod_i \lambda_i(L))^{1/n}$ is never smaller than Minkowski’s bound by more than $\sqrt{n}$
Can you find lattices with $(\prod_i \lambda_i(L))^{1/n} \ge \Omega(\sqrt{n})\,\det(L)^{1/n}$ within a constant from Minkowski’s bound?

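An added worked example, not part of the original slides: it computes $\det(L)$, $\lambda_1$, $\lambda_2$ and the covering radius $\mu$ of small 2-dimensional lattices by exhaustive enumeration, then checks the chain $\lambda_1 \le \lambda_n \le 2\mu \le \sqrt{n}\,\lambda_n$ and Minkowski's bounds in exact arithmetic. The sample bases and all function names are constructed for illustration.

```python
from fractions import Fraction
from itertools import product

# Constructed sample bases (not from the slides); each basis is [b1, b2].
Z2_STANDARD = [(1, 0), (0, 1)]
Z2_SKEWED = [(2, 1), (1, 1)]      # a different basis of the same lattice Z^2
RECTANGULAR = [(1, 0), (0, 5)]    # lambda_1 is much smaller than lambda_2


def det(B):
    """det(L): area of the fundamental region, computed from any basis."""
    (a, b), (c, d) = B
    return abs(a * d - b * c)


def norm2(v):
    """Squared Euclidean norm (kept as an integer to avoid rounding)."""
    return v[0] * v[0] + v[1] * v[1]


def lattice_points(B, scale=1):
    """A finite set containing every lattice vector of norm <= scale * M,
    where M = max ||b_i||. By Cramer's rule v = x1*b1 + x2*b2 satisfies
    |x_i| <= ||v|| * M / det(L), so |x_i| <= scale * M^2 / det(L) suffices."""
    (a, b), (c, d) = B
    m2 = max(norm2(B[0]), norm2(B[1]))
    k = scale * m2 // det(B) + 1
    rng = range(-k, k + 1)
    return [(x1 * a + x2 * c, x1 * b + x2 * d) for x1, x2 in product(rng, rng)]


def successive_minima_sq(B):
    """(lambda_1^2, lambda_2^2): shortest nonzero vector, then the shortest
    vector linearly independent from it. lambda_2 <= M, so scale=1 is enough."""
    pts = sorted((p for p in lattice_points(B) if p != (0, 0)), key=norm2)
    v1 = pts[0]
    v2 = next(p for p in pts if v1[0] * p[1] - v1[1] * p[0] != 0)
    return norm2(v1), norm2(v2)


def covering_radius_sq(B, g=12):
    """max over grid targets t = (i/g)*b1 + (j/g)*b2 of dist(t, L)^2.

    Everything is scaled by g to stay in integers. In general this is a lower
    bound on mu^2; it equals mu^2 when a deepest hole has basis coordinates
    that are multiples of 1/g, which holds for the sample bases above.
    Since 0 is a lattice point, the closest point v to t has
    ||v|| <= 2*||t|| <= 4*M, hence scale=4."""
    (a, b), (c, d) = B
    pts = lattice_points(B, scale=4)
    worst = 0
    for i, j in product(range(g), repeat=2):
        T = (i * a + j * c, i * b + j * d)            # g * t
        best = min(norm2((g * p[0] - T[0], g * p[1] - T[1])) for p in pts)
        worst = max(worst, best)
    return Fraction(worst, g * g)


def check_bounds(B):
    """Evaluate the slides' inequalities for L(B) with n = 2, squared (or
    raised to the 4th power) so that every comparison is exact."""
    n = 2
    l1, l2 = successive_minima_sq(B)
    mu2 = covering_radius_sq(B)
    d = det(B)
    return {
        "lambda1_sq": l1, "lambda2_sq": l2, "mu_sq": mu2, "det": d,
        # lambda_1 <= lambda_2 <= 2*mu <= sqrt(n)*lambda_n, squared
        "chain": l1 <= l2 <= 4 * mu2 <= n * l2,
        # lambda_1 <= (lambda_1*lambda_2)^(1/2) <= sqrt(n)*det^(1/2), 4th power
        "minkowski": l1 * l1 <= l1 * l2 <= (n * d) ** 2,
    }


if __name__ == "__main__":
    for name, B in [("Z^2 standard", Z2_STANDARD), ("Z^2 skewed", Z2_SKEWED),
                    ("rectangular", RECTANGULAR)]:
        print(name, check_bounds(B))
```

Both bases of $\mathbb{Z}^2$ give the same determinant and minima, and $\mathbb{Z}^2$ meets $2\mu = \sqrt{n}\,\lambda_n$ with equality, as in remark 3 of the relations slide.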
Outline

1 Point Lattices
  Computational Problems
  The dual lattice
2 Lattice Cryptography
  Average Case Hardness
  Random Lattices
  Cryptographic functions

Shortest Vector Problem

Definition (Shortest Vector Problem, SVP)
Given a lattice $L(B)$, find a (nonzero) lattice vector $Bx$ (with $x \in \mathbb{Z}^k$) of length (at most) $\|Bx\| \le \lambda_1$

Definition (Shortest Vector Problem, SVP$_\gamma$)
Given a lattice $L(B)$, find a (nonzero) lattice vector $Bx$ (with $x \in \mathbb{Z}^k$) of length (at most) $\|Bx\| \le \gamma\lambda_1$

[Figure labels: $b_1$, $b_2$, $\lambda_1$, $2\lambda_1$, $Bx = 5b_1 - 2b_2$]

Shortest Independent Vectors Problem

Definition (Shortest Independent Vectors Problem, SIVP)
Given a lattice $L(B)$, find $n$ linearly independent lattice vectors $Bx_1, \ldots, Bx_n$ of length (at most) $\max_i \|Bx_i\| \le \lambda_n$

Definition (Shortest Independent Vectors Problem, SIVP$_\gamma$)
Given a lattice $L(B)$, find $n$ linearly independent lattice vectors $Bx_1, \ldots, Bx_n$ of length (at most) $\max_i \|Bx_i\| \le \gamma\lambda_n$

[Figure labels: $b_1$, $b_2$, $Bx_1$, $Bx_2$, $\lambda_2$, $2\lambda_2$]

Closest Vector Problem

Definition (Closest Vector Problem, CVP)
Given a lattice $L(B)$ and a target point $t$, find a lattice vector $Bx$ within distance $\|Bx - t\| \le \mu$ from the target

Definition (Closest Vector Problem, CVP$_\gamma$)
Given a lattice $L(B)$ and a target point $t$, find a lattice vector $Bx$ within distance $\|Bx - t\| \le \gamma\mu$ from the target

[Figure labels: $t$, $\mu$, $2\mu$, $b_1$, $b_2$, $Bx$]

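NP-hardness of CVP

Definition (Subset Sum)
Given $a_1, \ldots, a_n, b \in \mathbb{Z}$ find $S \subseteq \{1, \ldots, n\}$ s.t. $\sum_{i \in S} a_i = b$

$$
B = \begin{bmatrix} a_1 & \cdots & a_n \\ 2 & 0 & 0 \\ 0 & \ddots & 0 \\ 0 & 0 & 2 \end{bmatrix}
\qquad
t = \begin{bmatrix} b \\ 1 \\ \vdots \\ 1 \end{bmatrix}
\qquad
Bx - t = \begin{bmatrix} \sum_i a_i x_i - b \\ 2x_1 - 1 \\ \vdots \\ 2x_n - 1 \end{bmatrix}
$$

Theorem
$\|Bx - t\| \le \sqrt{n}$ if and only if $x \in \{0, 1\}^n$ and $\sum_{x_i = 1} a_i = b$.
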
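An added worked example, not part of the original slides: it builds the matrix $B$ and target $t$ of the reduction above from a subset-sum instance, then checks the theorem by enumerating coefficient vectors $x$, including non-binary ones to exercise the "only if" direction. The instance, the enumeration range and the function names are constructed for illustration.

```python
from itertools import product

# Constructed subset-sum instance (not from the slides).
SAMPLE_A = [3, 34, 4, 12, 5, 2]


def subset_sum_to_cvp(a, b):
    """Return (B, t) as on the slide: B has the row (a_1 .. a_n) on top of
    2*I_n, and t = (b, 1, ..., 1). B is stored as a list of rows."""
    n = len(a)
    B = [list(a)] + [[2 if i == j else 0 for j in range(n)] for i in range(n)]
    t = [b] + [1] * n
    return B, t


def residual(B, x, t):
    """Bx - t = (sum_i a_i x_i - b, 2x_1 - 1, ..., 2x_n - 1)."""
    return [sum(r * xi for r, xi in zip(row, x)) - ti for row, ti in zip(B, t)]


def close_vectors(a, b, coeff_range=range(-1, 3)):
    """All x in coeff_range^n with ||Bx - t||^2 <= n, i.e. within sqrt(n)
    of the target. Squared norms keep the comparison exact."""
    B, t = subset_sum_to_cvp(a, b)
    n = len(a)
    return [x for x in product(coeff_range, repeat=n)
            if sum(c * c for c in residual(B, x, t)) <= n]


def solve_subset_sum_via_cvp(a, b):
    """Decode every close vector into S = {i : x_i = 1} (1-based indices)."""
    return [{i + 1 for i, xi in enumerate(x) if xi == 1}
            for x in close_vectors(a, b)]


def theorem_holds(a, b, coeff_range=range(-1, 3)):
    """For every enumerated x, check
         ||Bx - t|| <= sqrt(n)  <=>  x in {0,1}^n and sum_{x_i=1} a_i = b.
    Each 2x_i - 1 is odd, so its square is 1 for x_i in {0,1} and at least 9
    otherwise; that is why only exact binary solutions reach norm^2 = n."""
    B, t = subset_sum_to_cvp(a, b)
    n = len(a)
    for x in product(coeff_range, repeat=n):
        close = sum(c * c for c in residual(B, x, t)) <= n
        is_solution = (set(x) <= {0, 1}
                       and sum(ai for ai, xi in zip(a, x) if xi == 1) == b)
        if close != is_solution:
            return False
    return True


if __name__ == "__main__":
    for b in (9, 1):
        print("b =", b,
              "subsets:", solve_subset_sum_via_cvp(SAMPLE_A, b),
              "theorem holds:", theorem_holds(SAMPLE_A, b))
```

For $b = 9$ the close vectors decode to the index sets $\{3, 5\}$ and $\{1, 3, 6\}$; for $b = 1$ no lattice vector lies within $\sqrt{n}$ of $t$, so the instance has no solution.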
Complexity of CVP, SVP, SIVP

[Figure: axis of approximation factors $\gamma$ marked at $1$, $n^{o(1)}$, $\sqrt{n}$, $2^n$, with the labels NPC, coNP/coAM, P/RP and Cryptography]

Best algorithm for exact solution takes time $2^n$ [MV10]
(Almost) NP-hard for factors up to $\gamma = n^{1/\log\log n}$. [Ajtai96, . . . , HR07]
Polynomial time for slightly subexponential $\gamma$ [Schnorr93+AKS01, GN08+MV10]
Unlikely to be NP-hard for $\gamma \ge \sqrt{n/\log n}$ [GG01, AR04]

CVP and lattice cosets
0
tev
Bx
t′
ev
Lattice Λ, target t
CVP: Find v such thate = t− v is shortest possible
t′ = t + Bx
v = v′ − Bx
Definition (Coset CVP)
Given a lattice coset t + L, findthe (approximately) shortestelement of t + L.
Daniele Micciancio The Geometry of Lattice Cryptography
![Page 94: The Geometry of Lattice Cryptography - UniUrb · 2011. 10. 25. · Point Lattices Lattice Cryptography The Geometry of Lattice Cryptography Daniele Micciancio Department of Computer](https://reader036.vdocument.in/reader036/viewer/2022070220/61333c26dfd10f4dd73af4ea/html5/thumbnails/94.jpg)
Point LatticesLattice Cryptography
Computational ProblemsThe dual lattice
CVP and lattice cosets
0
tev
Bx
t′
v’
eve
Lattice Λ, target t
CVP: Find v such thate = t− v is shortest possible
t′ = t + Bx
v = v′ − Bx
Definition (Coset CVP)
Given a lattice coset t + L, findthe (approximately) shortestelement of t + L.
Daniele Micciancio The Geometry of Lattice Cryptography
![Page 95: The Geometry of Lattice Cryptography - UniUrb · 2011. 10. 25. · Point Lattices Lattice Cryptography The Geometry of Lattice Cryptography Daniele Micciancio Department of Computer](https://reader036.vdocument.in/reader036/viewer/2022070220/61333c26dfd10f4dd73af4ea/html5/thumbnails/95.jpg)
Point LatticesLattice Cryptography
Computational ProblemsThe dual lattice
CVP and lattice cosets
0
tev
Bx
t′
v’
eve
Lattice Λ, target t
CVP: Find v such thate = t− v is shortest possible
t′ = t + Bx
v = v′ − Bx
Definition (Coset CVP)
Given a lattice coset t + L, findthe (approximately) shortestelement of t + L.
Daniele Micciancio The Geometry of Lattice Cryptography
![Page 96: The Geometry of Lattice Cryptography - UniUrb · 2011. 10. 25. · Point Lattices Lattice Cryptography The Geometry of Lattice Cryptography Daniele Micciancio Department of Computer](https://reader036.vdocument.in/reader036/viewer/2022070220/61333c26dfd10f4dd73af4ea/html5/thumbnails/96.jpg)
Point LatticesLattice Cryptography
Computational ProblemsThe dual lattice
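Working modulo a lattice
Definition (Fundamental Region)
$D \subset \mathbb{R}^n$ is a fundamental region for $L$ if $\{D + x \mid x \in L\}$ is a partition of $\mathbb{R}^n$.
$(L, +)$ is a subgroup of $(\mathbb{R}^n, +)$
One can form the quotient group $\mathbb{R}^n/L$
Elements of $\mathbb{R}^n/L$ are cosets $t + L$
Any fundamental region $D$ gives a set of standard representatives
$P = \sum_i b_i \cdot [0, 1) \equiv \mathbb{R}^n/L$
[Figure: lattice with the fundamental parallelepiped P of the basis vectors b1, b2; vectors c1, c2 are also marked]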
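Interlude: CVP One-way Function?
Candidate OWF
Key: a hard lattice $L$
Input: $x$, $\|x\| \le \beta$
Output: $f_L(x) = x \bmod L$
$\beta < \lambda_1/2$: $f_L$ is injective
$\beta > \lambda_1/2$: $f_L$ is not injective
$\beta \ge \mu$: $g_L$ is surjective
β µ: $g_L(x)$ is almost uniform
Question
Is $f_L$ hard to invert?
[Figure: an input x and its image under f_L, drawn in the lattice with basis vectors b1, b2 and origin 0]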
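The injectivity threshold on this slide can be checked exactly on a toy lattice. The following is an added example, not part of the original slides: the basis b1 = (4, 0), b2 = (1, 3), the half-integer input grid and all function names are assumptions made for illustration, with "x mod L" taken as reduction into the fundamental parallelepiped P.

```python
from fractions import Fraction as F
from itertools import product
from math import floor, isqrt

# Constructed 2-D basis (assumption of this example, not from the slides).
B1, B2 = (F(4), F(0)), (F(1), F(3))

def coords(x):
    """Coefficients (c1, c2) with x = c1*b1 + c2*b2, by Cramer's rule."""
    det = B1[0] * B2[1] - B2[0] * B1[1]
    c1 = (x[0] * B2[1] - B2[0] * x[1]) / det
    c2 = (B1[0] * x[1] - x[0] * B1[1]) / det
    return c1, c2

def f_L(x):
    """x mod L: the representative of the coset x + L inside P = b1*[0,1) + b2*[0,1)."""
    c1, c2 = coords(x)
    r1, r2 = c1 - floor(c1), c2 - floor(c2)   # fractional parts of the coefficients
    return (r1 * B1[0] + r2 * B2[0], r1 * B1[1] + r2 * B2[1])

def in_lattice(x):
    """True if x is an integer combination of b1 and b2."""
    c1, c2 = coords(x)
    return c1.denominator == 1 and c2.denominator == 1

def lambda1_sq(bound=3):
    """Squared length of a shortest nonzero lattice vector (brute force, toy sizes only)."""
    best = None
    for a1, a2 in product(range(-bound, bound + 1), repeat=2):
        if (a1, a2) != (0, 0):
            v = (a1 * B1[0] + a2 * B2[0], a1 * B1[1] + a2 * B2[1])
            n = v[0] ** 2 + v[1] ** 2
            best = n if best is None or n < best else best
    return best

def inputs(beta_sq, denom=2):
    """All grid points x in (1/denom)*Z^2 with ||x||^2 <= beta_sq."""
    r = isqrt(int(beta_sq * denom * denom)) + 1
    pts = []
    for k1, k2 in product(range(-r, r + 1), repeat=2):
        x = (F(k1, denom), F(k2, denom))
        if x[0] ** 2 + x[1] ** 2 <= beta_sq:
            pts.append(x)
    return pts

def collisions(beta_sq):
    """Pairs of distinct inputs of norm <= beta that f_L maps to the same point."""
    seen, out = {}, []
    for x in inputs(beta_sq):
        y = f_L(x)
        if y in seen:
            out.append((seen[y], x))
        else:
            seen[y] = x
    return out

if __name__ == "__main__":
    print("lambda_1^2 =", lambda1_sq())                         # threshold is lambda_1^2 / 4
    print("collisions for beta^2 = 2:", collisions(2))          # below the threshold
    print("collisions for beta^2 = 3:", collisions(3))          # above the threshold
```

Any colliding pair differs by a nonzero lattice vector, which is why no collision can exist while 2β stays below λ1.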
Outline
1 Point Lattices
Computational Problems
The dual lattice
2 Lattice Cryptography
Average Case Hardness
Random Lattices
Cryptographic functions
The Dual
A vector space over $\mathbb{R}$ is a set of vectors $V$ with
a vector addition operation $x + y \in V$
a scalar multiplication $a \cdot x \in V$
The dual of a vector space $V$ is the set $V^* = \mathrm{Hom}(V, \mathbb{R})$ of linear functions $\varphi : V \to \mathbb{R}$, typically represented as vectors $x \in V$, where $\varphi_x(y) = \langle x, y \rangle$
The dual of a lattice Λ is defined similarly as the set of linear functions $\varphi_x : \Lambda \to \mathbb{Z}$ represented as vectors $x \in \mathrm{span}(\Lambda)$.
Definition (Dual lattice)
The dual of a lattice Λ is the set of all vectors $x \in \mathrm{span}(\Lambda)$ such that $\langle x, v \rangle \in \mathbb{Z}$ for all $v \in \Lambda$
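Dual lattice: Examples
Integer lattice: $(\mathbb{Z}^n)^* = \mathbb{Z}^n$
Rotating: $(R\Lambda)^* = R(\Lambda^*)$
Scaling: $(\frac{1}{q} \cdot \Lambda)^* = q \cdot \Lambda^*$
Properties of dual:
$\Lambda_1 \subseteq \Lambda_2 \iff \Lambda_1^* \supseteq \Lambda_2^*$
$(\Lambda^*)^* = \Lambda$
Operations on $x \in \Lambda$ and $y \in \Lambda^*$:
$\langle x, y \rangle \in \mathbb{Z}$
but $x + y$ has no geometric meaning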
Lattice Layers
Each dual vector $v \in L^*$ partitions the lattice $L$ into layers orthogonal to $v$
$L_i = \{x \in L \mid x \cdot v = i\}$
Layers are at distance $1/\|v\|$
$\rho(L) \ge \frac{1}{2\|v\|}$
If $\lambda_1(L^*)$ is small, then $\rho(L)$ is large.
Transference Theorems
Theorem (Banaszczyk)
For any lattice $L$
$1 \le 2\lambda_1(L) \cdot \rho(L^*) \le n.$
Theorem (Banaszczyk)
For every $i$, $1 \le \lambda_i(L) \cdot \lambda_{n-i+1}(L^*) \le n.$
Approximating $\lambda_1(L)$ within a factor $n$ is in NP ∩ coNP
Same is true for $\lambda_i, \dots, \lambda_n$ and $\rho$.
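CVP and dual lattice
[Figure: lattice Λ with origin 0, target t, lattice vector v and error vector e]
Lattice Λ, target $t = v + e$
Dual lattice $\Lambda^* = L(D)$.
Syndrome of $t$:
$$\begin{aligned} s &= \langle D, t \rangle \bmod 1 \\ &= \langle D, v \rangle + \langle D, e \rangle \bmod 1 \\ &= \langle D, e \rangle \bmod 1. \end{aligned}$$
All vectors in a coset $t + L$ have the same syndrome.
Definition (Syndrome CVP)
Find shortest $e$ such that $\langle D, e \rangle = s \bmod 1$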
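The syndrome computation above, carried through on a toy lattice, shows that the lattice part v vanishes from s and that Syndrome CVP is Coset CVP on the coset that s names. This is an added example, not code from the slides: the basis, the target t = v + e, the enumeration radius and the function names are assumptions made for illustration.

```python
from fractions import Fraction as F
from itertools import product
from math import floor

# Constructed example lattice (assumption): basis vectors b1, b2 of a 2-D lattice.
B = [(F(4), F(0)), (F(1), F(3))]

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def dual_basis(B):
    """Basis D of the dual lattice, defined by <d_i, b_j> = 1 if i == j else 0 (2-D case)."""
    (a, c), (b, d) = B                       # b1 = (a, c), b2 = (b, d)
    det = a * d - b * c
    return [(d / det, -b / det), (-c / det, a / det)]

D = dual_basis(B)

def syndrome(t):
    """s = <D, t> mod 1: one inner product per dual basis vector, reduced to [0, 1)."""
    out = []
    for d in D:
        ip = dot(d, t)
        out.append(ip - floor(ip))
    return tuple(out)

def shortest_in_coset(s, radius=3):
    """Syndrome CVP by enumeration: the shortest e with <D, e> = s mod 1.

    rep = s1*b1 + s2*b2 has syndrome s, so the solutions are exactly rep + L;
    the search covers rep - (a1*b1 + a2*b2) for |a1|, |a2| <= radius (toy sizes only).
    """
    rep = tuple(s[0] * B[0][k] + s[1] * B[1][k] for k in range(2))
    best = None
    for a1, a2 in product(range(-radius, radius + 1), repeat=2):
        e = tuple(rep[k] - a1 * B[0][k] - a2 * B[1][k] for k in range(2))
        if best is None or dot(e, e) < dot(best, best):
            best = e
    return best

# Constructed instance: lattice vector v = 2*b1 - b2 plus a short error e.
V = (F(7), F(-3))
E = (F(1, 2), F(-1, 3))
T = (V[0] + E[0], V[1] + E[1])

if __name__ == "__main__":
    s = syndrome(T)
    print("syndrome of t:", s)
    print("syndrome of e:", syndrome(E))         # equal: the lattice part v drops out
    e = shortest_in_coset(s)
    print("recovered e:", e, "so v =", (T[0] - e[0], T[1] - e[1]))
```

Only the syndrome is needed to recover e here, because ‖e‖ is below λ1/2 for this lattice and the shortest element of the coset is therefore unique.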
Average Case Hardness · Random Lattices · Cryptographic functions
Back to CVP One-way function
Candidate OWF
Key: a hard lattice $L(D)^*$
Input: $x$, $\|x\| \le \beta$
Output: $f_D(x) = Dx \bmod 1$
$\beta < \lambda_1/2$: $f_L$ is injective
$\beta \ge \mu$: $g_L$ is surjective
[Figure: illustration of the map f_D]
Special Versions of CVP
Definition (Decisional CVP)
Given $(L, t, d)$, with $\mu(t, L) \le d$, find a lattice point within distance $d$ from $t$.
If $d$ is arbitrary, then one can find the closest lattice vector by binary search on $d$.
Bounded Distance Decoding, BDD: If $d < \lambda_1(L)/2$, then there is at most one solution. Solution is the closest lattice vector.
Absolute Distance Decoding, ADD: If $d \ge \rho(L)$, then there is always at least one solution. Solution may not be closest lattice vector.
ADD reduces to SIVP
ADD input: L and arbitrary t
Compute short vectors V = SIVP(L)
Use $V$ to find a lattice vector within distance $\sum_i \frac{1}{2}\|v_i\| \le (n/2)\lambda_n \le n\rho$ from $t$
BDD reduces to SIVP
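BDD input: $t$ close to $L$
Compute $V = \mathrm{SIVP}(L^*)$
For each $v_i \in L^*$, find the layer $L_i = \{x \mid x \cdot v_i = c_i\}$ closest to $t$
Output $L_1 \cap L_2 \cap \cdots \cap L_n$
Output is correct as long as
$\mu(t, L) \le \frac{\lambda_1}{2n} \le \frac{1}{2\lambda_n^*} \le \frac{1}{2\|v_i\|}$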
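The ADD and BDD reductions above, run on a constructed 2-dimensional lattice (an added example, not from the slides): `add_decode` rounds the coordinates of t with respect to short independent vectors V, and `bdd_decode` rounds t · v_i for short dual vectors and intersects the resulting layers. The basis, the vectors standing in for the SIVP oracle's output, the targets and all function names are assumptions made for the illustration.

```python
from fractions import Fraction
from math import sqrt

def solve(M, b):
    """Solve the square system M x = b exactly (Gauss-Jordan over the rationals)."""
    n = len(M)
    rows = [[Fraction(v) for v in M[i]] + [Fraction(b[i])] for i in range(n)]
    for col in range(n):
        # Raises StopIteration if M is singular (vectors not independent).
        pivot = next(r for r in range(col, n) if rows[r][col] != 0)
        rows[col], rows[pivot] = rows[pivot], rows[col]
        rows[col] = [v / rows[col][col] for v in rows[col]]
        for r in range(n):
            if r != col and rows[r][col] != 0:
                factor = rows[r][col]
                rows[r] = [a - factor * p for a, p in zip(rows[r], rows[col])]
    return [rows[i][n] for i in range(n)]

def transpose(M):
    return [list(col) for col in zip(*M)]

def dot(u, v):
    return sum(Fraction(a) * Fraction(b) for a, b in zip(u, v))

def norm(v):
    return sqrt(float(dot(v, v)))

def dist(u, v):
    return norm([Fraction(a) - Fraction(b) for a, b in zip(u, v)])

def dual_basis(B):
    """Rows d_j with b_i . d_j = 1 if i == j else 0: a basis of the dual lattice."""
    n = len(B)
    return [solve(B, [1 if i == j else 0 for i in range(n)]) for j in range(n)]

def add_decode(V, t):
    """ADD: write t = sum a_i v_i, round every a_i, return sum round(a_i) v_i."""
    a = solve(transpose(V), t)
    k = [round(ai) for ai in a]
    return [sum(ki * vi[j] for ki, vi in zip(k, V)) for j in range(len(t))]

def add_bound(V):
    """Distance guarantee of add_decode: sum_i ||v_i|| / 2."""
    return sum(norm(v) for v in V) / 2

def bdd_decode(W, t):
    """BDD: c_i = round(t . w_i) selects the layer {x : x . w_i = c_i}; intersect them."""
    c = [round(dot(t, w)) for w in W]
    return solve(W, c)

def bdd_radius(W):
    """The layers are the right ones whenever mu(t, L) < 1 / (2 ||w_i||) for all i."""
    return 1 / (2 * max(norm(w) for w in W))

# Constructed sample data (not from the slides).
B = [[5, 1], [1, 4]]                 # basis of L, rows are basis vectors
V = [[1, 4], [4, -3]]                # short independent vectors of L, as SIVP(L) would return
D = dual_basis(B)
W = [D[0], [a + b for a, b in zip(D[0], D[1])]]   # short vectors of L*, as SIVP(L*) would return

T_ADD = [Fraction(73, 10), Fraction(13, 5)]       # arbitrary target for ADD
T_NEAR = [Fraction(14), Fraction(-31, 5)]         # (13, -5) plus an error of length ~1.56
T_FAR = [Fraction(71, 5), Fraction(-17, 5)]       # (13, -5) plus an error of length 2

if __name__ == "__main__":
    x = add_decode(V, T_ADD)
    print("ADD:", x, "distance", dist(x, T_ADD), "bound", add_bound(V))
    print("BDD radius:", bdd_radius(W))
    print("BDD near:", bdd_decode(W, T_NEAR))
    print("BDD far: ", bdd_decode(W, T_FAR))
```

`T_FAR` is within λ1/2 of the lattice (here λ1 = √17) but outside 1/(2‖v_i‖), so the layer method returns a neighbouring lattice point rather than the closest one: the reduction covers only the smaller radius stated on the slide.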
Special Versions of SVP and SIVP
GapSVP: compute (or approximate) the value $\lambda_1$ without necessarily finding a short vector
GapSIVP: compute (or approximate) the value $\lambda_n$ without necessarily finding short linearly independent vectors
Transference Theorem $\lambda_1 \approx 1/\lambda_n^*$: GapSVP can be (approximately) solved by solving GapSIVP in the dual lattice, and vice versa
Problems
Exercise: Computing $\lambda_1$ (or $\lambda_n$) exactly is as hard as SVP (or SIVP)
Open Problem: Reduce approximate SVP (or SIVP) to approximate GapSVP (or GapSIVP)
Relations among lattice problems
SIVP ≈ ADD [MG’01]
SVP ≤ CVP [GMSS’99]
SIVP ≤ CVP [M’08]
BDD ≲ SIVP
CVP ≲ SVP [L’87]
GapSVP ≈ GapSIVP [LLS’91, B’93]
GapSVP ≲ BDD [LM’09]
[Diagram: reductions among GapSVP, GapSIVP, BDD, SIVP, ADD, SVP and CVP]
Provable security (from average case hardness)
Example 1: (Rabin) modular squaring
$f_N(x) = x^2 \bmod N$, where $N = p \cdot q$
Inverting $f_N$ is at least as hard as factoring $N$
Theorem
$f_N$ is cryptographically hard to invert, provided most $N = p \cdot q$ are hard to factor
[Figure: hard $N$'s among all $N$'s; hard $f_N$'s among all $f_N$'s]
Provable security (from average case hardness)
Example 2: CVP function
$f_D(x) = Dx \bmod 1$
Inverting $f_D$ is as hard as ADD/BDD in $L(D)^*$
Theorem
$f_D$ is one-way provided ADD/BDD is hard for most $L(D)^*$
[Figure: hard $D$'s among all $D$'s; hard $f_D$'s among all $f_D$'s]
Average-case Complexity
Average-case complexity depends on input distribution
Example (Factoring problem)
Given a number N, output a, b > 1 such that N = ab
Factoring can be easy on average
if $N$ is uniformly random, then $N = 2 \cdot \frac{N}{2}$ with probability 50%!
Factoring $N = pq$ is believed to be hard when $p, q$ are randomly chosen primes
How do we know $L(D)^*$ is a hard distribution for ADD/BDD?
Provable security (from worst case hardness)
There is a probability distribution on D such that
Any fixed lattice L is mapped to a random D
Breaking $f_D$ allows one to solve ADD/BDD on $L$.
$D$ is also very easy to sample
[Figure: all lattices, a fixed lattice $L$, and the hard $f_D$'s]
Random lattices in Cryptography
Cryptography typically uses (random) lattices $\Lambda$ such that
$\Lambda \subseteq \mathbb{Z}^d$ is an integer lattice
$q\mathbb{Z}^d \subseteq \Lambda$ is periodic modulo a small integer $q$.
Cryptographic functions based on q-ary lattices involve only arithmetic modulo $q$.
Definition (q-ary lattice)
$\Lambda$ is a q-ary lattice if $q\mathbb{Z}^n \subseteq \Lambda \subseteq \mathbb{Z}^n$
Examples of q-ary lattices
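Examples (for any $A \in \mathbb{Z}_q^{n \times d}$)
$\Lambda_q(A) = \{x \mid x \bmod q \in A^T \mathbb{Z}_q^n\} \subseteq \mathbb{Z}^d$
$\Lambda_q^\perp(A) = \{x \mid Ax = 0 \bmod q\} \subseteq \mathbb{Z}^d$
Theorem
For any lattice $\Lambda$ the following conditions are equivalent:
$q\mathbb{Z}^d \subseteq \Lambda \subseteq \mathbb{Z}^d$
$\Lambda = \Lambda_q(A)$ for some $A$
$\Lambda = \Lambda_q^\perp(A)$ for some $A$
For any fixed $A$, the lattices $\Lambda_q(A)$ and $\Lambda_q^\perp(A)$ are different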
Duality of q-ary lattices
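The q-ary lattices associated to $A$ are dual (up to scaling)
$\Lambda_q^\perp(A) = q \cdot \Lambda_q(A)^*$
$\Lambda_q(A) = q \cdot \Lambda_q^\perp(A)^*$
In particular, $\det(\Lambda_q(A)) \cdot \det(\Lambda_q^\perp(A)) = q^n$
$\det(\Lambda_q^\perp(A)) \le q^k$
$\det(\Lambda_q(A)) \ge q^{n-k}$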
Non-degenerate Matrices
Definition
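$M_{k,n} = \{A \in \mathbb{Z}_q^{k \times n} \mid A\mathbb{Z}_q^n = \mathbb{Z}_q^k\}$
$\Pr\{A \in M_{k,n}\} \ge 1 - \frac{1}{q^{n-k}}$
$\Lambda_q^\perp(M_{k,n}) \equiv \Lambda_q(M_{n-k,n})$ are the same distribution
$\det(\Lambda_q^\perp(M_{k,n})) = \det(\Lambda_q(M_{n-k,n})) = q^k$
Minkowski's bound $\lambda_1 \le \sqrt{n}\, q^{k/n}$
Theorem
Almost every lattice in $\Lambda_q^\perp(M_{k,n}) \equiv \Lambda_q(M_{n-k,n})$ satisfies
$\lambda_1, \ldots, \lambda_n, \rho = \Theta(\sqrt{n}\, q^{k/n})$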
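The q-ary definitions, the determinant identities from the duality slide and the non-degeneracy condition above, checked by exhaustive enumeration modulo q (an added example, not from the slides). It follows the k × n convention of the Non-degenerate Matrices slide; q = 7, the two matrices and all function names are constructed for the illustration, and enumerating q^n residues is only feasible at toy sizes.

```python
from itertools import product
from math import sqrt

def perp_residues(A, q):
    """Residues x in Z_q^n with A x = 0 mod q: Lambda_q^perp(A) taken modulo q."""
    n = len(A[0])
    return {x for x in product(range(q), repeat=n)
            if all(sum(a * xi for a, xi in zip(row, x)) % q == 0 for row in A)}

def image_residues(A, q):
    """Residues A^T s mod q for s in Z_q^k: Lambda_q(A) taken modulo q."""
    k, n = len(A), len(A[0])
    return {tuple(sum(s[i] * A[i][j] for i in range(k)) % q for j in range(n))
            for s in product(range(q), repeat=k)}

def det_from_residues(residues, q, n):
    """q Z^n <= Lambda <= Z^n, so det(Lambda) = [Z^n : Lambda] = q^n / |Lambda mod q|."""
    return q ** n // len(residues)

def lambda1(residues, q):
    """Shortest nonzero vector: the best centred representative, or q (from q * e_i)."""
    best = q * q
    for x in residues:
        if any(x):
            centred = [xi - q if xi > q // 2 else xi for xi in x]
            best = min(best, sum(c * c for c in centred))
    return sqrt(best)

def is_nondegenerate(A, q):
    """A is in M_{k,n} when A Z_q^n = Z_q^k, i.e. the map x -> A x hits all q^k values."""
    k, n = len(A), len(A[0])
    image = {tuple(sum(a * xi for a, xi in zip(row, x)) % q for row in A)
             for x in product(range(q), repeat=n)}
    return len(image) == q ** k

def scaled_dual_check(A, q):
    """x . y = 0 mod q for all x in Lambda_q^perp(A), y in Lambda_q(A).

    This is the inclusion Lambda_q^perp(A) <= q * Lambda_q(A)^*; together with
    det(Lambda_q) * det(Lambda_q^perp) = q^n it gives equality.
    """
    return all(sum(a * b for a, b in zip(x, y)) % q == 0
               for x in perp_residues(A, q) for y in image_residues(A, q))

def qary_report(A, q):
    k, n = len(A), len(A[0])
    perp, image = perp_residues(A, q), image_residues(A, q)
    return {
        "nondegenerate": is_nondegenerate(A, q),
        "det_perp": det_from_residues(perp, q, n),     # <= q^k, = q^k if nondegenerate
        "det_image": det_from_residues(image, q, n),   # >= q^(n-k)
        "lambda1_perp": lambda1(perp, q),
        "minkowski": sqrt(n) * q ** (k / n),           # bound from the slide
    }

# Constructed sample matrices over Z_7 with k = 2, n = 3 (not from the slides).
Q = 7
A_GOOD = [[1, 2, 3], [0, 1, 5]]    # rows independent mod 7: non-degenerate
A_BAD = [[1, 2, 3], [2, 4, 6]]     # second row is twice the first: degenerate

if __name__ == "__main__":
    for name, A in (("A_GOOD", A_GOOD), ("A_BAD", A_BAD)):
        print(name, qary_report(A, Q), "dual check:", scaled_dual_check(A, Q))
```

For the degenerate matrix both determinant inequalities are strict (7 < q^k and 49 > q^(n-k)), while the product is still q^n.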
Daniele Micciancio The Geometry of Lattice Cryptography
![Page 177: The Geometry of Lattice Cryptography - UniUrb · 2011. 10. 25. · Point Lattices Lattice Cryptography The Geometry of Lattice Cryptography Daniele Micciancio Department of Computer](https://reader036.vdocument.in/reader036/viewer/2022070220/61333c26dfd10f4dd73af4ea/html5/thumbnails/177.jpg)
Point LatticesLattice Cryptography
Average Case HardnessRandom LatticesCryptographic functions
Non-degenerate Matrices
Definition
Mk,n = A ∈ Zk×nq | AZn
q = Zkq
PrA ∈Mk,n ≥ 1− 1qn−k
Λ⊥q (Mk,n) ≡ Λq(Mn−k,n) are the same distribution
det(Λ⊥q (Mk,n)) = det(Λq(Mn−k,n)) = qk
Minkowki’s bound λ1 ≤√
nqk/n
Theorem
Almost every lattice in Λ⊥q (Mk,n) ≡ Λq(Mn−k,n) satisfies
λ1, . . . , λn, ρ = Θ(√
nqk,n)
Daniele Micciancio The Geometry of Lattice Cryptography
![Page 182: The Geometry of Lattice Cryptography - UniUrb · 2011. 10. 25. · Point Lattices Lattice Cryptography The Geometry of Lattice Cryptography Daniele Micciancio Department of Computer](https://reader036.vdocument.in/reader036/viewer/2022070220/61333c26dfd10f4dd73af4ea/html5/thumbnails/182.jpg)
Are q-ary lattices hard?
Question
Are lattice problems on random q-ary lattices hard on average?
GapSVP and GapSIVP are easy!
Why? Just output Minkowski's bound $\sqrt{n}\, q^{k/n}$!
What about BDD? (Remember BDD ≤ GapSVP.)
BDD may still be hard! Reduction from BDD to GapSVP requires a worst-case GapSVP oracle.
Are ADD, SIVP, SVP, CVP hard?
![Page 188: The Geometry of Lattice Cryptography - UniUrb · 2011. 10. 25. · Point Lattices Lattice Cryptography The Geometry of Lattice Cryptography Daniele Micciancio Department of Computer](https://reader036.vdocument.in/reader036/viewer/2022070220/61333c26dfd10f4dd73af4ea/html5/thumbnails/188.jpg)
Ajtai’s function
Definition (Ajtai’s function)
Keyed function family
$f_A(x) = Ax \bmod q$
where $A \in \mathbb{Z}_q^{n \times m}$ and $x \in \{0,1\}^m$.
Example (A has n rows and m columns):
$x \in \{0,1\}^m$: $x = (0, 1, 1, 0, 1, 0, 0)$
$A \in \mathbb{Z}_q^{n \times m}$:
$$A = \begin{pmatrix} 1 & 4 & 5 & 9 & 3 & 0 & 2 \\ 4 & 2 & 8 & 6 & 2 & 4 & 3 \\ 7 & 5 & 5 & 4 & 7 & 8 & 0 \\ 2 & 7 & 0 & 1 & 4 & 6 & 9 \end{pmatrix}$$
$Ax \in \mathbb{Z}_q^n$: $Ax = (2, 2, 7, 1)$
![Page 189: The Geometry of Lattice Cryptography - UniUrb · 2011. 10. 25. · Point Lattices Lattice Cryptography The Geometry of Lattice Cryptography Daniele Micciancio Department of Computer](https://reader036.vdocument.in/reader036/viewer/2022070220/61333c26dfd10f4dd73af4ea/html5/thumbnails/189.jpg)
Ajtai’s function and q-ary lattices
$f_A(x) = Ax \bmod q$, where x is short
The output of $f_A(x)$ is the syndrome of x
Inverting $f_A(x)$ is the same as CVP in its syndrome decoding formulation with lattice $\Lambda_q^\perp(A)$ and target $t \in x + \Lambda_q^\perp(A)$
The q-ary lattice $\Lambda_q^\perp(A)$ is the kernel of $f_A$
Finding collisions $f_A(x) = f_A(y)$ is equivalent to finding short vectors $x - y \in \Lambda_q^\perp(A)$
![Page 190: The Geometry of Lattice Cryptography - UniUrb · 2011. 10. 25. · Point Lattices Lattice Cryptography The Geometry of Lattice Cryptography Daniele Micciancio Department of Computer](https://reader036.vdocument.in/reader036/viewer/2022070220/61333c26dfd10f4dd73af4ea/html5/thumbnails/190.jpg)
Parameters
Parameters:
n: main security parameter
$q = n^2 = n^{O(1)}$: small modulus
$m = 2n \log_2 q = O(n \log n)$
e.g., $n = 256$, $q = 2^{16}$, $m = 8192$
$f_A$ is a compression function
It maps m bits to $n \log_2 q < m$ bits (e.g., 8192 → 4096)
There exist collisions $f_A(x) = f_A(y)$
[Figure: matrix diagram with labels m, n, 0/1 and 1 … q]
Question
Is $f_A$ collision resistant when $A \in \mathbb{Z}_q^{n \times m}$ is chosen at random?
![Page 194: The Geometry of Lattice Cryptography - UniUrb · 2011. 10. 25. · Point Lattices Lattice Cryptography The Geometry of Lattice Cryptography Daniele Micciancio Department of Computer](https://reader036.vdocument.in/reader036/viewer/2022070220/61333c26dfd10f4dd73af4ea/html5/thumbnails/194.jpg)
Efficiency issues
$q = n^{O(1)}$, $m = 2n \log_2 q$
Let’s lower $n = 64$, $q = 2^8$, $m = 1024$
$f_A$ maps 1024 bits to 512.
Key size: $nm \log q = O(n^2 \log^2 n) = 2^{19}$ = 64KB
Runtime: $nm = O(n^2 \log n) = 2^{16}$ arithmetic operations
Still inefficient because of quadratic dependency in n
[Figure: matrix diagram with labels m, n, 0/1 and 1 … q]
![Page 198: The Geometry of Lattice Cryptography - UniUrb · 2011. 10. 25. · Point Lattices Lattice Cryptography The Geometry of Lattice Cryptography Daniele Micciancio Department of Computer](https://reader036.vdocument.in/reader036/viewer/2022070220/61333c26dfd10f4dd73af4ea/html5/thumbnails/198.jpg)
Efficient lattice based hashing
Idea
Use structured matrix
$A = [A^{(1)} \mid \dots \mid A^{(m/n)}]$
where $A^{(i)} \in \mathbb{Z}_q^{n \times n}$ is circulant
$$A^{(i)} = \begin{pmatrix} a_1^{(i)} & a_n^{(i)} & \cdots & a_2^{(i)} \\ a_2^{(i)} & a_1^{(i)} & \cdots & a_3^{(i)} \\ \vdots & \vdots & \ddots & \vdots \\ a_n^{(i)} & a_{n-1}^{(i)} & \cdots & a_1^{(i)} \end{pmatrix}$$
Proposed by [M02], where it is proved that $f_A$ is one-way under plausible complexity assumptions
Similar idea first used by NTRU public key cryptosystem (1998), but with no proof of security
Wishful thinking: finding short vectors in $\Lambda_q^\perp(A)$ is hard, and therefore $f_A$ is collision resistant
![Page 202: The Geometry of Lattice Cryptography - UniUrb · 2011. 10. 25. · Point Lattices Lattice Cryptography The Geometry of Lattice Cryptography Daniele Micciancio Department of Computer](https://reader036.vdocument.in/reader036/viewer/2022070220/61333c26dfd10f4dd73af4ea/html5/thumbnails/202.jpg)
Can you find a collision?
$$A = \left(\begin{array}{cccc|cccc|cccc|cccc} 1 & 4 & 3 & 8 & 6 & 4 & 9 & 0 & 2 & 6 & 4 & 5 & 3 & 2 & 7 & 1 \\ 8 & 1 & 4 & 3 & 0 & 6 & 4 & 9 & 5 & 2 & 6 & 4 & 1 & 3 & 2 & 7 \\ 3 & 8 & 1 & 4 & 9 & 0 & 6 & 4 & 4 & 5 & 2 & 6 & 7 & 1 & 3 & 2 \\ 4 & 3 & 8 & 1 & 4 & 9 & 0 & 6 & 6 & 4 & 5 & 2 & 2 & 7 & 1 & 3 \end{array}\right)$$
Input $x = (1, 0, 0, -1, -1, 1, 1, 0, 0, 0, 1, 1, 1, 0, -1, 0)$, output $(5, 4, 8, 6)$
Input $x = (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)$, output $(0, 0, 0, 0)$
Input $x = (1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1)$
Input $x = (1, 1, 1, 1, -1, -1, -1, -1, 0, 0, 0, 0, 1, 1, 1, 1)$, output $(0, 0, 0, 0)$
Block by block: $+1 \times (6,6,6,6) - 1 \times (9,9,9,9) + 0 \times (7,7,7,7) + 1 \times (3,3,3,3)$
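The "Ajtai's function" and "Can you find a collision?" slides, worked through in Python as an added example (not code from the lecture). It evaluates $f_A$ on the slides' own matrices and shows how the circulant structure shrinks the collision search to one coefficient per block; the modulus q = 10 and all function names are assumptions, with q inferred from the printed outputs.

```python
"""Ajtai's function f_A(x) = A x mod q and collisions under a block-circulant key.

The matrices and vectors are the ones printed on the slides. Q = 10 is an
assumption: the slides do not state the modulus, but it reproduces their outputs.
"""
from itertools import product

Q = 10  # assumed modulus (inferred from the slide outputs, not stated there)

# 4 x 7 example from the "Ajtai's function" slide.
SLIDE_A = [
    [1, 4, 5, 9, 3, 0, 2],
    [4, 2, 8, 6, 2, 4, 3],
    [7, 5, 5, 4, 7, 8, 0],
    [2, 7, 0, 1, 4, 6, 9],
]
SLIDE_X = (0, 1, 1, 0, 1, 0, 0)

# First columns of the four circulant blocks on the "collision" slide.
FIRST_COLUMNS = [(1, 8, 3, 4), (6, 0, 9, 4), (2, 5, 4, 6), (3, 1, 7, 2)]


def f(A, x, q=Q):
    """Ajtai's function: the syndrome A x mod q of the vector x."""
    if any(len(row) != len(x) for row in A):
        raise ValueError("dimension mismatch between A and x")
    return tuple(sum(a * xi for a, xi in zip(row, x)) % q for row in A)


def circulant(first_col):
    """n x n circulant block: column c is first_col rotated down by c."""
    n = len(first_col)
    return [[first_col[(r - c) % n] for c in range(n)] for r in range(n)]


def block_circulant(first_cols):
    """A = [A(1) | ... | A(m/n)] with every block circulant."""
    blocks = [circulant(col) for col in first_cols]
    n = len(first_cols[0])
    return [[v for block in blocks for v in block[r]] for r in range(n)]


def structured_collisions(A, q=Q):
    """Short vectors of the kernel lattice that are constant on each block.

    A circulant block maps the all-ones vector to (s, ..., s), where s is the
    sum of the block's first column. So it is enough to find coefficients
    c_i in {-1, 0, 1}, not all zero, with sum(c_i * s_i) = 0 mod q: that is
    3^(m/n) candidates instead of 3^m.
    """
    n = len(A)
    k = len(A[0]) // n
    sums = [sum(A[r][b * n] for r in range(n)) % q for b in range(k)]
    found = []
    for c in product((-1, 0, 1), repeat=k):
        if any(c) and sum(ci * si for ci, si in zip(c, sums)) % q == 0:
            found.append(tuple(ci for ci in c for _ in range(n)))
    return sums, found


def to_collision(z):
    """Split a {-1,0,1} kernel vector z into binary x, y with x - y = z."""
    x = tuple(1 if v == 1 else 0 for v in z)
    y = tuple(1 if v == -1 else 0 for v in z)
    return x, y


A_BLOCK = block_circulant(FIRST_COLUMNS)

if __name__ == "__main__":
    print("slide example:", f(SLIDE_A, SLIDE_X))
    sums, found = structured_collisions(A_BLOCK)
    print("block sums mod q:", sums)
    for z in found:
        x, y = to_collision(z)
        print(z, "->", f(A_BLOCK, x), "==", f(A_BLOCK, y))
```
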
![Page 207: The Geometry of Lattice Cryptography - UniUrb · 2011. 10. 25. · Point Lattices Lattice Cryptography The Geometry of Lattice Cryptography Daniele Micciancio Department of Computer](https://reader036.vdocument.in/reader036/viewer/2022070220/61333c26dfd10f4dd73af4ea/html5/thumbnails/207.jpg)
Remarks about proofs of security
This function is essentially the compression function of hash function LASH, modeled after NTRU
You can still “prove” security based on average case assumption: Breaking the above hash function is as hard as finding short vectors in a random lattice $\Lambda([A^{(1)} \mid \dots \mid A^{(m/n)}])$
. . . but we know the function is broken: The underlying random lattice distribution is weak!
Conclusion: Assuming that a problem is hard on average-case is a really tricky business!
![Page 211: The Geometry of Lattice Cryptography - UniUrb · 2011. 10. 25. · Point Lattices Lattice Cryptography The Geometry of Lattice Cryptography Daniele Micciancio Department of Computer](https://reader036.vdocument.in/reader036/viewer/2022070220/61333c26dfd10f4dd73af4ea/html5/thumbnails/211.jpg)
Back to general lattices
Finding short vectors in $\Lambda_q^\perp(A)$ when A is a random “block circulant” matrix is easy
What about unstructured random $A \in \mathbb{Z}_q^{k \times n}$?
Question
Is $f_A$ collision resistant when $A \in \mathbb{Z}_q^{k \times n}$ is random?
Yes, provided SIVP/ADD/BDD are hard in the worst-case! [Ajtai96, ..., MR04]
We will give an oversimplified proof sketch, where $A \in \mathbb{R}^{k \times n}$
![Page 215: The Geometry of Lattice Cryptography - UniUrb · 2011. 10. 25. · Point Lattices Lattice Cryptography The Geometry of Lattice Cryptography Daniele Micciancio Department of Computer](https://reader036.vdocument.in/reader036/viewer/2022070220/61333c26dfd10f4dd73af4ea/html5/thumbnails/215.jpg)
Blurring a lattice
Consider an arbitrary lattice, and add noise to each lattice point until the entire space is covered. Increase the noise until the space is uniformly covered.
How much noise is needed? [MR]
$\|r\| \le (\log n) \cdot \sqrt{n} \cdot \lambda_n / 2$
Each point $a \in \mathbb{R}^n$ can be written $a = v + r$ where $v \in L$ and $\|r\| \approx \sqrt{n}\, \lambda_n$.
$a \in \mathbb{R}^n$ is uniformly distributed.
![Page 221: The Geometry of Lattice Cryptography - UniUrb · 2011. 10. 25. · Point Lattices Lattice Cryptography The Geometry of Lattice Cryptography Daniele Micciancio Department of Computer](https://reader036.vdocument.in/reader036/viewer/2022070220/61333c26dfd10f4dd73af4ea/html5/thumbnails/221.jpg)
Point LatticesLattice Cryptography
Average Case HardnessRandom LatticesCryptographic functions
Blurring a lattice
Consider an arbitrary lattice, and addnoise to each lattice point until the en-tire space is covered. Increase the noiseuntil the space is uniformly covered.
How much noise is needed? [MR]
‖r‖ ≤ (log n) ·√
n · λn/2
Each point in a ∈ Rn can bewritten a = v + r where v ∈ L and‖r‖ ≈
√nλn.
a ∈ Rn is uniformly distributed.
vr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
a
Daniele Micciancio The Geometry of Lattice Cryptography
![Page 222: The Geometry of Lattice Cryptography - UniUrb · 2011. 10. 25. · Point Lattices Lattice Cryptography The Geometry of Lattice Cryptography Daniele Micciancio Department of Computer](https://reader036.vdocument.in/reader036/viewer/2022070220/61333c26dfd10f4dd73af4ea/html5/thumbnails/222.jpg)
Point LatticesLattice Cryptography
Average Case HardnessRandom LatticesCryptographic functions
Blurring a lattice
Consider an arbitrary lattice, and addnoise to each lattice point until the en-tire space is covered. Increase the noiseuntil the space is uniformly covered.
How much noise is needed? [MR]
‖r‖ ≤ (log n) ·√
n · λn/2
Each point in a ∈ Rn can bewritten a = v + r where v ∈ L and‖r‖ ≈
√nλn.
a ∈ Rn is uniformly distributed.
vr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
a
Daniele Micciancio The Geometry of Lattice Cryptography
![Page 223: The Geometry of Lattice Cryptography - UniUrb · 2011. 10. 25. · Point Lattices Lattice Cryptography The Geometry of Lattice Cryptography Daniele Micciancio Department of Computer](https://reader036.vdocument.in/reader036/viewer/2022070220/61333c26dfd10f4dd73af4ea/html5/thumbnails/223.jpg)
Point LatticesLattice Cryptography
Average Case HardnessRandom LatticesCryptographic functions
Blurring a lattice
Consider an arbitrary lattice, and addnoise to each lattice point until the en-tire space is covered. Increase the noiseuntil the space is uniformly covered.
How much noise is needed? [MR]
‖r‖ ≤ (log n) ·√
n · λn/2
Each point in a ∈ Rn can bewritten a = v + r where v ∈ L and‖r‖ ≈
√nλn.
a ∈ Rn is uniformly distributed.
vr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
a
Daniele Micciancio The Geometry of Lattice Cryptography
![Page 224: The Geometry of Lattice Cryptography - UniUrb · 2011. 10. 25. · Point Lattices Lattice Cryptography The Geometry of Lattice Cryptography Daniele Micciancio Department of Computer](https://reader036.vdocument.in/reader036/viewer/2022070220/61333c26dfd10f4dd73af4ea/html5/thumbnails/224.jpg)
Point LatticesLattice Cryptography
Average Case HardnessRandom LatticesCryptographic functions
Blurring a lattice
Consider an arbitrary lattice, and addnoise to each lattice point until the en-tire space is covered. Increase the noiseuntil the space is uniformly covered.
How much noise is needed? [MR]
‖r‖ ≤ (log n) ·√
n · λn/2
Each point in a ∈ Rn can bewritten a = v + r where v ∈ L and‖r‖ ≈
√nλn.
a ∈ Rn is uniformly distributed.
vr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
a
Daniele Micciancio The Geometry of Lattice Cryptography
![Page 225: The Geometry of Lattice Cryptography - UniUrb · 2011. 10. 25. · Point Lattices Lattice Cryptography The Geometry of Lattice Cryptography Daniele Micciancio Department of Computer](https://reader036.vdocument.in/reader036/viewer/2022070220/61333c26dfd10f4dd73af4ea/html5/thumbnails/225.jpg)
Point LatticesLattice Cryptography
Average Case HardnessRandom LatticesCryptographic functions
Security proof (sketch)
Generate random points $a_i = v_i + r_i$, where
$v_i$ is a random lattice point
$r_i$ is a random error vector of length $\|r_i\| \approx \sqrt{n}\,\lambda_n$
$A = [a_1, \ldots, a_m]$ is distributed almost uniformly at random in $\mathbb{R}^{n \times m}$, so if we can break Ajtai's function $f_A$, then we can find a vector $z \in \{-1, 0, 1\}^m$ such that
$\sum_i (v_i + r_i) z_i = \sum_i a_i z_i = 0$
Rearranging the terms yields a lattice vector
$\sum_i v_i z_i = -\sum_i r_i z_i$
of length at most $\|\sum_i r_i z_i\| \approx \sqrt{n} \cdot \max_i \|r_i\| \approx n \cdot \lambda_n$
What about efficiency
? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
1 -4 -3 -8 6 -4 -9 -0 2 -6 -4 -5 3 -2 -7 -1
8 1 -4 -3 0 6 -4 -9 5 2 -6 -4 1 3 -2 -7
3 8 1 -4 9 0 6 -4 4 5 2 -6 7 1 3 -2
4 3 8 1 4 9 0 6 6 4 5 2 2 7 1 3
Theorem (trivial)
Finding collisions on the average is at least as hard as finding short vectors in the corresponding random lattices
Theorem (LM’07)
Provably collision resistant, assuming the worst case hardness of approximating SVP and SIVP over ideal lattices.
Efficiency of anti-cyclic hashing
Key size: $(m/n) \cdot n \log q = m \cdot \log q = \tilde{O}(n)$ bits
Anti-cyclic matrix-vector multiplication can be computed in quasi-linear time $\tilde{O}(n)$ using FFT
The resulting hash function can also be computed in $\tilde{O}(n)$ time
For an appropriate choice of parameters, this can be very practical (SWIFFT [LMPR])
The hash function is linear: $A(x + y) = Ax + Ay$
We will see that this can be a feature rather than a weakness
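The following added example (not code from the slides) evaluates the anti-cyclic hash two ways: with the dense matrix shown earlier, and with an FFT over Z_q that stores only one column per block. The modulus q = 257, the generator 3 and all function names are assumptions made for the illustration; the key columns are the first columns of the four blocks on the slide.

```python
# Added example: anti-cyclic (negacyclic) hashing, dense vs. FFT-style evaluation.
Q = 257  # assumed modulus: prime with 2n | Q-1; the slides give no q for this matrix
# First column of each 4x4 block of the matrix shown on the slide (the whole key).
KEY = [[1, 8, 3, 4], [6, 0, 9, 4], [2, 5, 4, 6], [3, 1, 7, 2]]


def anticyclic_matrix(col):
    """Expand one key column into its n x n anti-cyclic block.

    Column j is column 0 rotated down j places; entries that wrap around
    past the top row are negated.
    """
    n = len(col)
    return [[col[(i - j) % n] if i >= j else -col[(i - j) % n]
             for j in range(n)] for i in range(n)]


def hash_dense(key, x, q=Q):
    """Reference evaluation: f_A(x) = A x mod q with A = [B_1 | ... | B_{m/n}]."""
    n = len(key[0])
    out = [0] * n
    for b, col in enumerate(key):
        block = anticyclic_matrix(col)
        for i in range(n):
            out[i] = (out[i] + sum(block[i][j] * x[b * n + j] for j in range(n))) % q
    return out


def ntt(a, omega, q):
    """Recursive radix-2 number-theoretic transform (an FFT over Z_q)."""
    n = len(a)
    if n == 1:
        return list(a)
    w2 = omega * omega % q
    even, odd = ntt(a[0::2], w2, q), ntt(a[1::2], w2, q)
    out, w = [0] * n, 1
    for k in range(n // 2):
        t = w * odd[k] % q
        out[k] = (even[k] + t) % q
        out[k + n // 2] = (even[k] - t) % q
        w = w * omega % q
    return out


def hash_ntt(key, x, q=Q):
    """Same function, computed as sum_b key_b(X) * x_b(X) mod (X^n + 1, q)."""
    n = len(key[0])
    psi = pow(3, (q - 1) // (2 * n), q)   # 3 generates Z_257^*, so psi^n = -1
    omega = psi * psi % q                 # primitive n-th root of unity
    twist = [pow(psi, j, q) for j in range(n)]
    acc = [0] * n
    for b, col in enumerate(key):
        fa = ntt([col[j] * twist[j] % q for j in range(n)], omega, q)
        fx = ntt([x[b * n + j] * twist[j] % q for j in range(n)], omega, q)
        # Linearity lets the block products be summed in the transform domain,
        # so a single inverse transform is needed at the end.
        acc = [(acc[k] + fa[k] * fx[k]) % q for k in range(n)]
    back = ntt(acc, pow(omega, q - 2, q), q)
    n_inv = pow(n, q - 2, q)
    return [back[j] * n_inv * pow(twist[j], q - 2, q) % q for j in range(n)]


if __name__ == "__main__":
    x = [1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, 0]  # constructed input
    print(hash_dense(KEY, x), hash_ntt(KEY, x))
```

The key holds m = 16 numbers instead of the n·m = 64 entries of the dense matrix, which is the key-size saving stated above.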
Outline
1 Point Lattices: Computational Problems, The dual lattice
2 Lattice Cryptography: Average Case Hardness, Random Lattices, Cryptographic functions
Hard Random Lattices
Theorem (Ajtai, MR04)
$f_A$ is collision resistant, under the assumption that SIVP is hard to approximate in the worst case within a factor $\gamma \approx n$.
Equivalently, ...
Theorem
If ADD is hard to approximate in the worst case within $\gamma \approx n$, then ADD is hard on average for input distribution $\Lambda_q^{\perp}(\mathbb{Z}_q^{n \times m})$.
Theorem (R05)
If ADD/SIVP is hard to approximate in the worst case within $\gamma \approx n$ even by quantum algorithms, then BDD is hard on average for input distribution $\Lambda_q^{\perp}(\mathbb{Z}_q^{n \times m})$.
One-time signatures
OTS: digital signature scheme that allows signing a single message (faster than a full-fledged signature scheme)
Global parameters: q-ary lattice A
Secret key: short error vectors S
Public key: syndromes P = AS (hash of the secret key under a homomorphic hash function)
Message: short vector m
Signature: σ = Sm
Verify: check that σ is short and Pm = Aσ
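The scheme above as an added example (not code from the slides), including the reason the verifier must check that σ is short: adding q to one coordinate leaves Aσ mod q unchanged, so the linear equation alone would accept it. The toy sizes, the {-1, 0, 1} entries of S, the 0/1 messages and the infinity-norm bound K are assumptions made for the illustration.

```python
# Added example: one-time signature from a linear hash, sigma = S m, P m = A sigma.
import random

Q, N, M, K = 257, 8, 32, 16  # assumed toy sizes: A is N x M, S is M x K


def matmul(X, Y, q=None):
    """Matrix product; reduced mod q when q is given, over the integers otherwise."""
    rows = [[sum(a * b for a, b in zip(row, col)) for col in zip(*Y)] for row in X]
    return [[v % q for v in r] for r in rows] if q else rows


def keygen(rng):
    A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]        # global parameter
    S = [[rng.choice((-1, 0, 1)) for _ in range(K)] for _ in range(M)]  # secret, short
    P = matmul(A, S, Q)                                                 # public syndromes
    return A, S, P


def sign(S, msg):
    """sigma = S m over the integers (msg is a 0/1 vector of length K)."""
    return [row[0] for row in matmul(S, [[b] for b in msg])]


def syndrome_matches(A, P, msg, sigma):
    """The linear half of verification: P m = A sigma (mod q)."""
    lhs = matmul(P, [[b] for b in msg], Q)
    rhs = matmul(A, [[v] for v in sigma], Q)
    return lhs == rhs


def is_short(sigma, bound=K):
    """The norm half: entries of S m are at most K in absolute value."""
    return max(abs(v) for v in sigma) <= bound


def verify(A, P, msg, sigma):
    return (all(b in (0, 1) for b in msg)
            and is_short(sigma)
            and syndrome_matches(A, P, msg, sigma))


if __name__ == "__main__":
    rng = random.Random(2011)                      # constructed, reproducible run
    A, S, P = keygen(rng)
    msg = [rng.randrange(2) for _ in range(K)]
    sigma = sign(S, msg)
    print("genuine signature accepted:", verify(A, P, msg, sigma))
    long_sigma = [sigma[0] + Q] + sigma[1:]        # same syndrome, not short
    print("long vector, equation holds:", syndrome_matches(A, P, msg, long_sigma))
    print("long vector accepted:", verify(A, P, msg, long_sigma))
```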
OTS security
Assume there is an attack on the one-time signature scheme. Then we can find collisions for the hash function $f_A$ as follows.
Generate A, S, P = AS
Sign σ = Sm as requested by attacker
Attacker produces a forgery (m′, σ′)
(Sm′, σ′) is a collision: ASm′ = Pm′ = Aσ′
Note: Adversary cannot output σ′ = Sm′ because A, P, σ do not reveal enough information about S.
Note: This scheme [LM08] can be very efficient when implemented with ideal lattices.
Regev (LWE) cryptosystem
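[Figure: diagram relating A (m × n), s, e, p and r, u, c]
Parameters: $m, n, q \in \mathbb{Z}$, $A \in \mathbb{Z}_q^{m \times n}$
Secret key: $s \in \mathbb{Z}_q^n$, $e \in E^m$
Public key: $p = As + e \approx_c \mathbb{Z}_q^m$
$\mathrm{Encrypt}_p(m; (r))$:
$u = r^T A$
$c = r^T p + m - r_0$
$\mathrm{Decrypt}_s(u, c) = c - u \cdot s \approx m$.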
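An added example (not code from the slides) of the key generation, encryption and decryption equations above, showing when "≈ m" actually recovers the message: decryption is exact as long as the accumulated noise r·e − r_0 stays below q/4, and fails once the error range is too wide. Assumptions for the illustration: toy parameters, r drawn from {0,1}^m, a one-bit message encoded as bit·⌊q/2⌋, and r_0 read as one more small noise value.

```python
# Added example: Regev-style LWE encryption of one bit and its correctness condition.
import random

N, M, Q = 16, 64, 3329   # assumed toy parameters: A is M x N over Z_Q


def keygen(rng, err):
    """Public key p = A s + e, every entry of e drawn from [-err, err]."""
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    s = [rng.randrange(Q) for _ in range(N)]
    e = [rng.randint(-err, err) for _ in range(M)]
    p = [(sum(a * b for a, b in zip(row, s)) + ei) % Q for row, ei in zip(A, e)]
    return A, p, s


def encrypt(A, p, bit, rng):
    """u = r^T A, c = r^T p + encode(bit) - r0, with r in {0,1}^M (assumed)."""
    r = [rng.randrange(2) for _ in range(M)]
    r0 = rng.randint(-1, 1)                      # assumed: small extra noise
    u = [sum(ri * row[j] for ri, row in zip(r, A)) % Q for j in range(N)]
    c = (sum(ri * pi for ri, pi in zip(r, p)) + bit * (Q // 2) - r0) % Q
    return u, c


def decrypt(s, u, c):
    """c - u.s = encode(bit) + r.e - r0 (mod Q); round to the nearer of 0 and Q/2."""
    d = (c - sum(a * b for a, b in zip(u, s))) % Q
    return int(min(d, Q - d) > Q // 4)


def noise_bound(err):
    """Worst case of |r.e - r0| for r in {0,1}^M and |r0| <= 1."""
    return M * err + 1


def failures(err, trials, seed):
    """Number of wrong decryptions over `trials` encryptions under one key."""
    rng = random.Random(seed)
    A, p, s = keygen(rng, err)
    bad = 0
    for t in range(trials):
        bit = t & 1
        u, c = encrypt(A, p, bit, rng)
        bad += decrypt(s, u, c) != bit
    return bad


if __name__ == "__main__":
    for err in (2, 1000):                        # constructed error ranges
        ok = noise_bound(err) < Q // 4
        print(f"err={err}: bound {noise_bound(err)} < {Q // 4}? {ok}; "
              f"failures in 200 trials: {failures(err, 200, seed=1)}")
```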
The geometry of LWE encryption
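[Diagram: the matrix $A$ (dimensions $m$, $n$) with the vectors $s^T$, $r$, $e$, $p$, $u$ and the value $c$]
Public key: $p = As + e \approx_c \mathbb{Z}_q^m$
$[A \mid p]$: random $q$-ary lattice with a planted short vector $e$
Encryption: $(u, c) = [A \mid p]^T r$ is the syndrome of $r + \Lambda_q^{\perp}([A \mid p])$
Decryption: use short dual vector $e$ to solve BDD problem
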
GPV (dual LWE) cryptosystem
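[Diagram: the matrix $A$ (dimensions $n$, $m$) with $s^T$, $r$, $e$, $p$, $u$, $e_0$ and $c$, combined by $\otimes$ and $\oplus$]
Parameters: $m, n, q \in \mathbb{Z}$, $A \in \mathbb{Z}_q^{m \times n}$
Secret key: $r \in E^m$
Public key: $u = r^T A \approx_s \mathbb{Z}_q^m$
$\mathrm{Encrypt}_u(m; e)$:
$p = As + e$
$c = u \cdot s + e_0 + m$
$\mathrm{Decrypt}_r(p, c) = c - r^T p \approx m$.
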
Comparing Regev and GPV encryption
Regev (LWE): [diagram of $s^T$, $r$, $A$, $e$, $p$, $u$, $c$]
GPV (dual LWE): [diagram of $s^T$, $r$, $A$, $e$, $p$, $u$, $c$]
Regev and GPV cryptosystems use the same mathematical objects $A, s, r, e, p, u, c$, but operate on them in different roles:
Public key generation ⇐⇒ Encryption
Secret key ⇐⇒ Encryption randomness
Public key ⇐⇒ Ciphertext

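The role swap between the two schemes, as a runnable toy (an added example, not code from the slides). Assumptions: the set $E$ is modelled as entries in {-1, 0, 1}, a message bit is encoded as bit · ⌊q/2⌋, $r_0$ and $e_0$ are treated as small noise terms, and the parameters used in practice here (m = 16, n = 8, q = 257) are far too small to give any security.

```python
import random

def short(k, rng):
    # Constructed stand-in for the slides' set E: entries in {-1, 0, 1}.
    return [rng.randint(-1, 1) for _ in range(k)]

def uniform(k, q, rng):
    return [rng.randrange(q) for _ in range(k)]

def lwe(A, s, e, q):
    # p = A s + e (mod q); A has m rows and n columns.
    return [(sum(a * x for a, x in zip(row, s)) + ei) % q
            for row, ei in zip(A, e)]

def left_mul(r, A, q):
    # u = r^T A (mod q)
    return [sum(ri * row[j] for ri, row in zip(r, A)) % q
            for j in range(len(A[0]))]

def dot(x, y):
    return sum(a * b for a, b in zip(x, y))

def decode(v, q):
    # Assumed encoding: bit b is sent as b * (q // 2); round to the nearer one.
    return 1 if q // 4 <= v % q < 3 * q // 4 else 0

def regev_roundtrip(bit, m, n, q, rng):
    A = [uniform(n, q, rng) for _ in range(m)]
    s, e = uniform(n, q, rng), short(m, rng)       # secret key
    p = lwe(A, s, e, q)                            # public key
    r, r0 = short(m, rng), rng.randint(-1, 1)      # encryption randomness
    u = left_mul(r, A, q)                          # ciphertext, first part
    c = (dot(r, p) + bit * (q // 2) - r0) % q      # ciphertext, second part
    return decode(c - dot(u, s), q)                # c - u.s = m + r^T e - r0

def gpv_roundtrip(bit, m, n, q, rng):
    A = [uniform(n, q, rng) for _ in range(m)]
    r = short(m, rng)                              # secret key
    u = left_mul(r, A, q)                          # public key
    s, e = uniform(n, q, rng), short(m, rng)       # encryption randomness
    e0 = rng.randint(-1, 1)
    p = lwe(A, s, e, q)                            # ciphertext, first part
    c = (dot(u, s) + e0 + bit * (q // 2)) % q      # ciphertext, second part
    return decode(c - dot(r, p), q)                # c - r^T p = m + e0 - r^T e

def max_noise(m):
    # Worst case of |r^T e| plus one extra noise unit; must stay below q // 4.
    return m + 1
```

Decryption is exact only while `max_noise(m)` stays below `q // 4`; past that bound the "≈ m" on the slides can round to the wrong bit.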
Naive interpretation
The schemes are syntactically similar: Regev and GPV cryptosystems operate on the same mathematical objects $A, s, r, e, p, u, c$.
The schemes are semantically different:
Common parameters $A$ ⇐⇒ $A$ Common parameters
secret key $s, e$ ⇐⇒ $s, e$ encryption randomness
encryption randomness $r$ ⇐⇒ $r$ secret key
public key $p$ ⇐⇒ $p$ ciphertext
ciphertext $u$ ⇐⇒ $u$ public key

The true answer: Lattices and Duality
The schemes are syntactically different: The symbols $A, s, r, e, p, u, c$ in Regev and GPV cryptosystems represent different mathematical objects
The two schemes are semantically equivalent:
Common parameters $A$ ⇐⇒ $A'$ Common parameters
secret key $s, e$ ⇐⇒ $r'$ secret key
encryption randomness $r$ ⇐⇒ $s', e'$ encryption randomness
public key $p$ ⇐⇒ $u'$ public key
ciphertext $u$ ⇐⇒ $p'$ ciphertext

Trapdoor functions
Theorem (A99, AP09, MP11)
There is an algorithm to efficiently generate a random $A \in \mathbb{Z}_q^{n \times m}$ together with a short basis $S \in \mathbb{Z}^{m \times m}$ of $\Lambda_q^{\perp}(A)$.
Trapdoor function:
Inverting $f_A$ is a BDD problem
BDD can be solved with a short dual basis
$S$ can be used as an inversion trapdoor
Injective trapdoor functions can be used for the construction of a wide range of other more complex cryptographic primitives.

Conclusion
Lattice cryptography allows building a wide range of other cryptographic primitives (hierarchical identity-based encryption, fully homomorphic encryption, and much more)
It has great potential for fast implementation due to simple operations and high parallelizability
Most primitives can be described and explained in terms of a handful of basic geometric concepts
Everything that can be done with number-theoretic schemes can be done with lattice cryptography as well
Currently the only method known to build fully homomorphic encryption
Not quite ready for use in practice, but moving fast in that direction
Open problems: concrete efficiency, security evaluation, etc.