Lecture 6: Lattice Trapdoor Constructions

Transcription

1 Homomorphic Encryption and Lattices, Spring 0 Instructor: Shai Halevi Lecture 6: Lattice Trapdoor Constructions April 7, 0 Scribe: Nir Bitansky This lecture is based on the trapdoor constructions due to Ajtai [Ajt99], Alwen-Peikert[AP], and Micciancio-Peikert [MP]. In previous lectures, we have seen that, given a random matrix A R Z n m q with q polyn and m n log q, finding a short vector v such that A v = 0 mod q is at least as hard as obtaining a good SIVP approximation algorithm. Where short means of size O m and good means up to poly factors. We would like to generate A together with a short basis S for the lattice Λ q A def = { x Z m : A x = 0 mod q} Such a short basis can then be used to construct various cryptographic schemes, such as signatures, encryption, identity-based encryption and more. We first note that det Λ q A q n. Proof sketch. For any u [q ] n Consider the co-set u + Λ q A = { x Z m : A x = u mod q} Then, det Λ q A is the number of such distinct co-sets, which is at most q n and exactly q n if A is of full rank. Therefore, by Minkowski, there exist vectors in Λ q A of size at most mq n m. Our goal is to obtain a short basis S Z m m, where all vectors are of size O mq n m. We would also like m to be as small as possible, preferably On log q. Easy exercise: Generate A with a single short vector v Λ q A. For this purpose, we can simply choose a random short vector v {0, } m, and then choose a random A such that A v = 0 mod q. Equivalently, choose the first m columns of A at random, and the last column to be a random subset sum of the first columns. By the left over hash lemma LOHL, A is statistically close to random, so long that m > 3n log q. Still easy: Generate A with t short vectors v,..., v t Λ q A. Choose a random A R Z n m, where m = m t. Then choose A = A R, where R R {0, } m t. By LOHL, A is still statistically close to random, so long that m > 3n log q. In general, using this naive method, we will always be Ωn log q vectors short. Starting with A Z n m, can we add a single dimension and obtain two short vectors? This is actually almost as hard as finding a short vector for the initial A. Indeed, assume we add a, and obtain short u, u = v, γ, v, γ such that A a v v γ γ = 0 mod q

2 Then, A γ v γ v = 0 mod q, and the vector γ v γ v is short and non-zero since u, u are independent. This still does not mean that we can not extend A to obtain a short basis; namely, it is possible that if we add t dimensions we might obtain even more than t short vectors. The Alwen-Peikert Construction Let m + m = m. As a first step, let us try to extend a given A Z n m to A A Z n m together with a short basis S Z m m, allowing A Z n m not to be random. We require that V W A A = 0 mod q For now we shall work with W = 0. After seeing that I does not suffice, we will slightly augment the choice of U, while keeping it invertible. In what follows all equalities are done modulo q. To obtain A V +A 0 we need A = A V U. Let G = V U. To obtain A W +A P = 0 we need A GP = 0. Let H = GP. We wish to obtain: GU 0 S = such that U, GU, P are small i.e., with small entries and H = GP Λ q A. Since we can not find short vectors in Λ q A, H will be large. Adding the fact that P should be small, we deduce that G must also be large. That is, we are interested in finding small U and large G, such that GU is small. First attempt: Consider then g... g t g g g... g t g t This is not good enough since any column of G is a subset sum of columns in GU, implying that G t GU, and hence GU has large entries. Second attempt: Consider then g... g t g g g... g t g t Now we can have g i+ g i and GU can still potentially be small. Our final U will be based on the above. Let us for now denote by T l a matrix such as the above of dimension l l. For a given vector h, let l = log h the maximum bit size of entries in h. We define: G[ h] def = l... 4

3 Note that: G[ h]t l = l i h i+ Which is just the binary representation of h. Similarly, for a matrix H =... ht, define: G[H] = G[ h ]... G[ h t ] Then, for l i = log h i, we set T l... The corresponding G[H] U is a zero-one matrix. Recall that for a given H, we would like to get GP = H, where P is also small. We thus set G = G[H], and choose P to be a block-diagonal zeroone matrix, which selects the rightmost column of every block G[ h i ]. That is, for p i = 0,..., 0, T of dimension i, set: P = p l... T lt So that G[H] P = p lt G[ h ] p l... G[ h t ] p lt =... ht To satisfy H = GP Λ q A, we choose H to be any basis of Λ q A e.g. H = HNFΛ q A. Now, set A = A G[H], and get: G[H] U 0 A A S = A A So what did we achieve so far? = A G A GU A GP = 0 mod q At this point, given A Z n m, we can extend it with A Z n m and find a small S {, 0, } m m, such that A A S = 0 mod q. However, A is completely determined by A, can we get back to A = A R, for a random R, so that A will be close to random given A? Randomizing the matrix. Instead of setting A = A G, let us set A = A G + R, where R is random. This already guarantees by LOHL that A A is close to random. Now, we adapt the rest of the construction accordingly. We require that G + RU W A A = 0 mod q Which already zeros out the left part of the product. For the right part, we should zero out A W + A P = A W A G + RP Choosing G and P as before, it holds that A GP = 0, and hence to zero out the above, it suffices to set W = RP. It is left to check: a S is still small; b S is indeed a basis. The first check follows easily. Indeed, since R is a zero-one matrix and P simply selects a subset of its columns, then W is also a zero-one matrix. In addition, G + R GU + RU is also small, since GU is small as before, and RU has entries of magnitude at most 3. We now show the second. Claim. S is a basis of Λ q A iff H is a basis of Λ q A. 3

4 Proof. Using linear-algebraic facts regarding the determinant of block matrices, we get for an invertible U: V W det S = det = det U det V U P W = det G + RP W = det GP = det H Now since both A and A have full rank n, then det Λ q A = det Λ q A = q n. Hence, S is a basis for Λ q A iff det S = q n iff det H = q n iff H is a basis for Λ q A. Parameters. We started with A Z n m, where m = Ωn log q allowing use of LOHL. H has entries as large as q and so the number of columns in G[H] is m m log q = On log q. Consequently, m = m + m = On log q. The entries of S are all bounded by a constant and hence all vectors in S are of size O m. Variants.. Instead of setting GP = H Λ q A in the above construction, set GP = H for some fixed, and use G[H ] rather than G[H]. Like the original construction, this construction can also be shown to satisfy our requirements. It turns out that for some choices of e.g. = I result in improved parameters.. Alwen-Peikert also show a slightly different technique that achieves m = On log q. Their idea is to represent rows of H rather than columns, and use the fact that H has many small rows. The Miccancio-Peikert Construction Generate a random A with a trapdoor T that allows sampling random short vectors x such that A x = u mod q for any given u. This is done in two steps: start from a special lattice G Z n m, for which the above sampling is possible; Use the trapdoor to translate the random A to the special G. For a matrix B Z n m, denote f B x = A x mod q. Our goal is to generate A with a trapdoor T that allows sampling short pre-images of a given u under f A. Step : In homework. Yields G Z m q, where m = n log q. Step : Choose A R Z n m q, where m = 3n log q. Set A = A R + G mod q for R R {0, } m m. Output the matrix and trapdoor A = I R A A T = 0 I Sampling: given u Z n q, do the following:. Sample a short z Z m e.g. from a sphere or Gaussian.. Set v = u A z mod q. 3. Sample a short pre-image z of u under f G. w z z + R z 4. Output w = = T = w z z 4

5 z, z are short by construction, and so is R; hence, w is short. In addition, A w = A G A R I R z = A 0 I z G z z A z + G z = A z + v = A z + u A z = u mod q = Remark: If z, z are chosen from a spherical distribution, w is chosen from a skewed distribution, due to the effect of T which can be fixed with some extra effort. References [Ajt99] Miklós Ajtai. Generating hard instances of the short basis problem. In ICALP 99, volume 644 of Lecture Notes in Computer Science, pages 9. Springer, 999. [AP] Joël Alwen and Chris Peikert. Generating shorter bases for hard random lattices. Theory Comput. Syst., 483: , 0. [MP] Daniele Micciancio and Chris Peikert. smaller. In manuscript, 0. Trapdoors for lattices: Simpler, tighter, faster, 5