cryptosystems from unique-svp lattices ajtai-dwork’97/07, regev’03

11

Cryptosystems from Cryptosystems from unique-SVP latticesunique-SVP latticesAjtai-Dwork’97/07, Regev’03Ajtai-Dwork’97/07, Regev’03

Many slides borrowed from Oded Regev, denoted byMany slides borrowed from Oded Regev, denoted by

Shai Halevi, MIT, August 2009Shai Halevi, MIT, August 2009

22

Promise: the shortest Promise: the shortest vector u is shorter by a vector u is shorter by a factor of f(n) factor of f(n)

Algorithm for 2Algorithm for 2nn-unique -unique SVP [LLL82,Schnorr87]SVP [LLL82,Schnorr87]

Believed to be hard for Believed to be hard for any polynomial nany polynomial ncc

f(n)-unique-SVPf(n)-unique-SVP

1 f(n)

1 2n

believed hard easy

nc

33

“Worst-caseDistinguisher”

Wavy-vs-Uniform

Worst-caseDecisionu-SVP

BasicIntuition

AD97 PKEbit-by-bit

n-dimensional

Leftover hash lemma

Worst-caseSearchu-SVP

Regev03:“Hensel lifting”

AD97:Geometric

Ajtai-Dwork & Regev’03 PKEsAjtai-Dwork & Regev’03 PKEs

AD07 PKEO(n)-bits

n-dimensional

Regev03 PKEbit-by-bit

1-dimensional

Projectingto a line

Amortizing byadding dimensions

Nea

rly-t

rivia

lw

orst

-cas

e/av

erag

e-ca

sere

duct

ions

44

n-dimensional n-dimensional distributionsdistributions

?

Wavy Uniform

Distinguish between the distributions:Distinguish between the distributions:

(In a random direction)

55

Given a lattice L, the dual lattice is Given a lattice L, the dual lattice is LL* * = { x | = { x | for all for all yyL, <x,y>L, <x,y>Z }Z }

Dual LatticeDual Lattice

0

1/5

L L*

0

5

66

LL** - the dual of L - the dual of L

0

L

0

n1/n

n

L*

0

n

Case 1

Case 2

77

Input: a basis B* for L*Input: a basis B* for L* Produce a distribution that is:Produce a distribution that is:

Wavy if L has unique shortest vector (|u|Wavy if L has unique shortest vector (|u|1/n)1/n) Uniform (on P(B*)) if Uniform (on P(B*)) if 11(L) > (L) > nn

Choose a point from a Gaussian of radius Choose a point from a Gaussian of radius n, and reduce mod P(B*)n, and reduce mod P(B*) Conceptually, a “random L* point” with a Conceptually, a “random L* point” with a

Gaussian(Gaussian(n) perturbationn) perturbation

ReductionReduction

88

Creating the DistributionCreating the DistributionL*

0

n

L*+ perturb

Case 1

Case 2

99

Theorem: (using [Banaszczyk’93])Theorem: (using [Banaszczyk’93])The distribution obtained above depends only The distribution obtained above depends only on the points in L of distance on the points in L of distance n from the n from the originorigin

(up to an exponentially small error)(up to an exponentially small error)

Therefore, Therefore, Case 1: Determined by Case 1: Determined by multiples of umultiples of u

wavywavy on hyperplanes orthogonal to on hyperplanes orthogonal to u u

Case 2: Determined by Case 2: Determined by the originthe origin

uniformuniform

Analyzing the DistributionAnalyzing the Distribution

1010

For a set A in RFor a set A in Rnn,, define:define:

Poisson Summation Formula implies:Poisson Summation Formula implies:

Banaszczyk’s theorem:Banaszczyk’s theorem:

For any lattice L,For any lattice L,

Proof of TheoremProof of Theorem

Ax

xeA2

)(

Lx

yxi xeLdLyLPy })({)()(),( ,2**

)(2)( )(n

nn BnLBnL

1111

In Case 2, the distribution obtained is In Case 2, the distribution obtained is very close to uniform:very close to uniform:

Because:Because:

Proof of Theorem (cont.)Proof of Theorem (cont.)

Lx

yxi xeLdLyLPy })({)()(),( ,2**

)(})({1)(}0{

,2 LdxeLdLx

yxi

}0{}0{

,2 })({})({LxLx

yxi xxe

)(})0{( nBnLL )()( 2)(2 n

nn BnL

1212

next“Worst-case

Distinguisher”Wavy-vs-Uniform


BasicIntuition



AD97:Geometric


1313

Reminder: L* lives in hyperplanesReminder: L* lives in hyperplanes

We want to identify u We want to identify u Using an oracle that distinguishes wavy Using an oracle that distinguishes wavy

distributions from uniform in P(B*)distributions from uniform in P(B*)

u

H0

H1

H-1

DistinguishDistinguishSearch, AD97Search, AD97

1414

The planThe plan

1.1. Use the oracle to distinguish points close Use the oracle to distinguish points close to Hto H00 from points close to H from points close to H11

2.2. Then grow very long vectors that are Then grow very long vectors that are rather close to Hrather close to H00

3.3. This gives a very good approximationThis gives a very good approximationfor u, then we use it to find u exactlyfor u, then we use it to find u exactly

1515

Distinguishing HDistinguishing H00 from H from H11

Input: basis B* for L*, ~length of u, point xInput: basis B* for L*, ~length of u, point x And access to wavy/uniform distinguisherAnd access to wavy/uniform distinguisher

Decision: Decision: Is x 1/poly(n) close to HIs x 1/poly(n) close to H00 or to H or to H11??

Choose y from a wavy distribution near L*Choose y from a wavy distribution near L* y = Gaussian(y = Gaussian()* with )* with < 1/2|u| < 1/2|u|

Pick Pick RR[0,1], set z = [0,1], set z = x + y mod P(B*)x + y mod P(B*)

Ask oracle if z is drawn from wavy or Ask oracle if z is drawn from wavy or uniform distributionuniform distribution

* Gaussian(): variance 2 in each coordinate

1616

Distinguishing HDistinguishing H00 from H from H11 (cont.) (cont.)

x

Case 1: x close to HCase 1: x close to H00

x also close to Hx also close to H0 0

x + y mod P(B*) close to L*, wavyx + y mod P(B*) close to L*, wavy

H0

1717


x

Case 2: x close to HCase 2: x close to H11

x “in the middle” between Hx “in the middle” between H0 0 and Hand H11

Nearly uniform component in the u directionNearly uniform component in the u direction x + y mod P(B*) nearly uniform in P(B*)x + y mod P(B*) nearly uniform in P(B*)

H0

H1

1818

Repeat poly(n) times, take majorityRepeat poly(n) times, take majority Boost the advantage to near-certaintyBoost the advantage to near-certainty

Below we assume a “perfect distinguisher”Below we assume a “perfect distinguisher” Close to HClose to H0 0 always says NO always says NO

Close to HClose to H1 1 always says YES always says YES Otherwise, there are no guaranteesOtherwise, there are no guarantees

• Except halting in polynomial timeExcept halting in polynomial time


1919

Growing Large VectorsGrowing Large Vectors

Start from some xStart from some x00 between H between H-1-1 and H and H+1+1

e.g. a random vector of length 1/|u|e.g. a random vector of length 1/|u|

In each step, choose xIn each step, choose xii s.t. s.t. |x|xii| ~ 2|x| ~ 2|xi-1i-1||

xxii is somewhere between H is somewhere between H-1-1 and H and H+1+1

Keep going for poly(n) stepsKeep going for poly(n) steps Result is x* between HResult is x* between H11 with |x*|=N/|u| with |x*|=N/|u|

Very large N, e.g., N=2Very large N, e.g., N=2nn

we’ll see how in a minute

2

2020

From xFrom xi-1i-1 to x to xii

Try poly(n) many candidates:Try poly(n) many candidates: Candidate w = 2xCandidate w = 2xi-1 i-1 + Gaussian(1/|u|)+ Gaussian(1/|u|)

For j = 1,…, m=poly(n)For j = 1,…, m=poly(n) wwjj = j/m · w = j/m · w

Check if wCheck if wjj is near H is near H00 or near H or near H11

If none of the wIf none of the wjj’s is near H’s is near H1 1 then accept w then accept w

and set xand set xii = w = w

Else try another candidate Else try another candidate

w=wm

w1

w2

2121

From xFrom xi-1i-1 to x to xii: Analysis: Analysis

xxi-1i-1 between H between H11 w is between H w is between Hnn

Except with exponentially small probabilityExcept with exponentially small probability

w is NOT between Hw is NOT between H11 some w some wjj near H near H11

So w will be rejectedSo w will be rejected So if we make progress, we know that we So if we make progress, we know that we

are on the right trackare on the right track

2222

From xFrom xi-1i-1 to x to xii: Analysis (cont.): Analysis (cont.)

With probability 1/poly(n), w is close to HWith probability 1/poly(n), w is close to H00

The component in the u direction is GaussianThe component in the u direction is Gaussianwith mean < 2/|u| and variance 1/|u|with mean < 2/|u| and variance 1/|u|22

2xi-1

H0

H1

noise

2323

From xFrom xi-1i-1 to x to xii: Analysis (cont.): Analysis (cont.)

With probability 1/poly, w is close to HWith probability 1/poly, w is close to H00

The component in the u direction is GaussianThe component in the u direction is Gaussianwith mean < 2/|u| and standard deviation 1/|u|with mean < 2/|u| and standard deviation 1/|u|

w is close to Hw is close to H00, all w, all wjj’s are close to H’s are close to H00

So w will be acceptedSo w will be accepted After polynomially many candidates, we After polynomially many candidates, we

will make progress whpwill make progress whp

2424

Finding uFinding u

Find n-1 x*’sFind n-1 x*’s x*x*t+1t+1 is chosen orthogonal to x* is chosen orthogonal to x*11,…,x*,…,x*tt

By choosing the Gaussians in that subspace By choosing the Gaussians in that subspace

Compute uCompute u’’ {x* {x*11,…,x*,…,x*n-1n-1}, with |u}, with |u’’|=1|=1 uu’ ’ is exponentially close to u/|u|is exponentially close to u/|u|

• u/|u| = (uu/|u| = (u’’+e), |e|=1/N+e), |e|=1/N• Can make N Can make N 2 2n n (e.g., N=2(e.g., N=2n n ))

Diophantine approximation to solve for uDiophantine approximation to solve for u

2

(slide 60)

2525

“Worst-caseDistinguisher”

Wavy-vs-Uniform


BasicIntuition

AD97 PKEbit-by-bit

n-dimensional

Worst-case/average-case+leftover hash lemma



AD97:Geometric


next

(slide 36)

2626

Average-case DistinguisherAverage-case Distinguisher Intuition: lattice only matters via the direction of uIntuition: lattice only matters via the direction of u Security parameter n, other parameters N,Security parameter n, other parameters N, A random u in n-dim. unit sphere defines A random u in n-dim. unit sphere defines DDuu(N,(N,))

= disceret-Gaussian(N) in one dimension= disceret-Gaussian(N) in one dimension• Defines a vector x=Defines a vector x=·u/<u,u>, namely x·u/<u,u>, namely xu and <x,u>=u and <x,u>=

y = Gaussian(N) in the other n-1 dimensionsy = Gaussian(N) in the other n-1 dimensions e = Gaussian(e = Gaussian() in all n dimensions) in all n dimensions Output x+y+eOutput x+y+e

The average-case problemThe average-case problem Distinguish Distinguish DDuu(N,(N,) from ) from GG(N,(N,)=Gaussian(N)+Gaussian()=Gaussian(N)+Gaussian()) For a noticeable fraction of u’sFor a noticeable fraction of u’s

2727

Worst-case/average-case (cont.)Worst-case/average-case (cont.)

Thm: Distinguishing Thm: Distinguishing DDuu(N,(N,) from Uniform ) from Uniform

Distinguishing Wavy Distinguishing WavyB* B* from Uniformfrom UniformB*B* for all B* for all B* When L(B) is unique-SVP, we know When L(B) is unique-SVP, we know 11(L(B)) upto (L(B)) upto

(1+1/poly(n)(1+1/poly(n)-factor, for params N = 2-factor, for params N = 2(n)(n), , =n=n-4-4

Pf: Given B*, scale it s.t. Pf: Given B*, scale it s.t. 11(L(B)) (L(B)) [1,1+1/poly) [1,1+1/poly)

Also apply random rotationAlso apply random rotation Given samples x (from UniformGiven samples x (from UniformB*B* / Wavy / WavyB*B*))

Sample y=discrete-GaussianSample y=discrete-GaussianB*B*(N)(N)• Can do this for large enough NCan do this for large enough N

Output z=x+yOutput z=x+y

““Clearly” z is close to Clearly” z is close to GG(N)(N) //DDuu(N)(N) respectivelyrespectively

2828

The AD97 CryptosystemThe AD97 Cryptosystem

Secret key: a random u Secret key: a random u unit sphere unit sphere Public key: n+m+1 vectors (m=8n log n)Public key: n+m+1 vectors (m=8n log n)

bb11,…b,…bnn DDuu(2(2nn,n,n-4-4), v), v00,v,v11,…,v,…,vm m DDuu(n2(n2nn,n,n-3-3))

• So <bSo <bii,u>, <v,u>, <vii,u> ~ integer,u> ~ integer

• We insist on <vWe insist on <v00,u> ~ odd integer,u> ~ odd integer

Will use P(bWill use P(b11,…b,…bnn) for encryption) for encryption Need P(bNeed P(b11,…b,…bnn) with “width” > 2) with “width” > 2nn/n/n

2929

The AD97 Cryptosystem (cont.)The AD97 Cryptosystem (cont.)

Encryption(Encryption():): cc’’ random-subset-sum(v random-subset-sum(v11,…v,…vmm) + ) + vv00/2/2

output c = (coutput c = (c’’+Gaussian(n+Gaussian(n-4-4)) mod P(B))) mod P(B)

Decryption(c)Decryption(c):: If <u,c> is closer than ¼ to integer say 0, If <u,c> is closer than ¼ to integer say 0,

else say 1else say 1

Correctness due to <bCorrectness due to <bii,u>,<v,u>,<vjj,u>~integer,u>~integer and width of P(B)and width of P(B)

3030

AD97 SecurityAD97 Security

The bThe bii’s, v’s, vii’s chosen from ’s chosen from DDuu(something)(something)

By hardness assumption, can’t distinguish By hardness assumption, can’t distinguish from from GGuu(something)(something)

Claim: if they were from Claim: if they were from GGuu(something), (something),

c would have no information on the bit c would have no information on the bit Proven by leftover hash lemma + smoothingProven by leftover hash lemma + smoothing

Note: vNote: vii’s have variance n’s have variance n22 larger than b larger than bii’s’s

In the In the GGuu case v case vii mod P(B) is nearly uniform mod P(B) is nearly uniform

3131

AD97 Security (cont.)AD97 Security (cont.)

Partition P(B) to qPartition P(B) to qnn cells, q~n cells, q~n77

For each point vFor each point v ii, consider, considerthe cell where it liesthe cell where it lies rrii is the corner of that cell is the corner of that cell

SSvvii mod P(B) = mod P(B) = SSrrii mod P(B) + n mod P(B) + n-5-5 “error” “error” S is our random subsetS is our random subset

SSrrii mod P(B) is a nearly-random cell mod P(B) is a nearly-random cell We’ll show this using leftover hashWe’ll show this using leftover hash

The Gaussian(nThe Gaussian(n-4-4) in c drowns the error term) in c drowns the error term

q

q

3232

Leftover HashingLeftover Hashing

Consider hash function HConsider hash function HRR:{0,1}:{0,1}mm [q] [q]nn The key is R=[rThe key is R=[r11,…,r,…,rmm]] [q] [q]nnmm

The input is a bit vector b=[The input is a bit vector b=[11,…,,…,mm]]TT{0,1}{0,1}mm

HHRR(b) = Rb mod q(b) = Rb mod q H is “pairwise independent” (well, almost..)H is “pairwise independent” (well, almost..)

Yay, let’s use the leftover hash lemmaYay, let’s use the leftover hash lemma <R,H<R,HRR(b)>, <R,(b)>, <R,UU> statistically close> statistically close

For random RFor random R [q] [q]nnmm, b, b{0,1}{0,1}mm, , UU[q][q]n n

Assuming m Assuming m n log q n log q

3333

AD97 Security (cont.)AD97 Security (cont.) We proved We proved SSrrii mod P(B) is nearly-random mod P(B) is nearly-random

Recall:Recall: cc00 = = SSrrii + error(n + error(n-5-5) + Gaussian(n) + Gaussian(n-4-4) mod P(B)) mod P(B)

For any x and error e, |e|~nFor any x and error e, |e|~n-5-5, the distr. , the distr. x+e+Gaussian(nx+e+Gaussian(n-5-5), x+Gaussian(n), x+Gaussian(n-4-4) are ) are statistically closestatistically close

So cSo c00 ~ ~ SSrrii + Gaussian(n + Gaussian(n-3-3) mod P(B)) mod P(B) Which is close to uniform in P(B)Which is close to uniform in P(B) Also cAlso c11 = c = c00 + v + v00/2 mod P(B) close to uniform/2 mod P(B) close to uniform

3434

Average-caseDecision

Wavy-vs-Uniform


BasicIntuition

AD97 PKEbit-by-bit

n-dimensional

Leftover hash lemma



AD97:Geometric


AD07 PKEO(n)-bits

n-dimensional

Regev03 PKEbit-by-bit

1-dimensional

Projectingto a line

Amortizing byadding dimensions

Nottoday

(slide 49)

3535

Backup SlidesBackup Slides

1.1. Regev’s Decision-to-Search uSVPRegev’s Decision-to-Search uSVP

2.2. Regev’s dimension reductionRegev’s dimension reduction

3.3. Diophantine ApproximationDiophantine Approximation

3636

uSVP DecisionuSVP DecisionSearchSearch

Search-uSVP

Decision mod-pproblem

Decision-uSVP

3737

Reduction from:Reduction from:Decision mod-pDecision mod-p

Given a basis (vGiven a basis (v11…v…vnn) for n) for n1.51.5-unique -unique lattice, and a prime p>nlattice, and a prime p>n1.51.5

Assume the shortest vector is:Assume the shortest vector is:

u = au = a11vv11+a+a22vv22+…+a+…+annvvnn

Decide whether Decide whether aa1 1 is divisible by pis divisible by p

3838

Reduction to:Reduction to:Decision uSVPDecision uSVP

Given a lattice, distinguish between:Given a lattice, distinguish between:Case 1. Shortest vector is of length 1/n and all Case 1. Shortest vector is of length 1/n and all

non-parallel vectors are of length more than non-parallel vectors are of length more than nn

Case 2. Shortest vector is of length more than Case 2. Shortest vector is of length more than nn

3939

The reductionThe reduction

Input: a basis (vInput: a basis (v11,…,v,…,vnn) of a n) of a n1.51.5 unique unique latticelattice

Scale the lattice so that the shortest Scale the lattice so that the shortest vector is of length 1/nvector is of length 1/n

Replace vReplace v1 1 by pvby pv11. Let M be the resulting . Let M be the resulting latticelattice

If p | aIf p | a1 1 then M has shortest vector 1/n then M has shortest vector 1/n and all non-parallel vectors more than and all non-parallel vectors more than n n

If p aIf p a1 1 then M has shortest vector more then M has shortest vector more than than nn

|

4040

The input lattice LThe input lattice L

0

n

1/nL

u2u

-u

4141

The lattice MThe lattice M

0n

1/n

The lattice M is spanned by pvThe lattice M is spanned by pv11,v,v22,…,v,…,vnn::

If p|aIf p|a11, then u = (a, then u = (a11/p)•pv/p)•pv1 1 + a+ a22vv2 2 +…+ +…+ aannvvnn M :M :

M

u

4242

The lattice MThe lattice M

0n

The lattice M is spanned by pvThe lattice M is spanned by pv11,v,v22,…,v,…,vnn::

If p aIf p a11, then u, then uM:M:

M

|

pu

-pu

4343

Search-uSVP

Decision mod-pproblem

Decision-uSVP

uSVP DecisionuSVP DecisionSearchSearch

4444

Reduction from:Reduction from:Decision mod-pDecision mod-p

Given a basis (vGiven a basis (v11…v…vnn) for n) for n1.51.5-unique -unique lattice, and a prime p>nlattice, and a prime p>n1.51.5

Assume the shortest vector is:Assume the shortest vector is:

u = au = a11vv11+a+a22vv22+…+a+…+annvvnn

Decide whether Decide whether aa1 1 is divisible by pis divisible by p

4545

The ReductionThe Reduction Idea: decrease the coefficients of the Idea: decrease the coefficients of the

shortest vectorshortest vector

If we find out that p|aIf we find out that p|a11 then we can then we can replace the basis with replace the basis with pvpv11,v,v22,…,v,…,vn n . .

u is still in the new lattice:u is still in the new lattice:

u = (u = (aa11/p/p)•pv)•pv1 1 + + aa22vv2 2 + … + + … + aannvvnn

The same can be done whenever p|aThe same can be done whenever p|a i i for for some isome i

4646

The ReductionThe Reduction But what if p aBut what if p aii for all i ? for all i ?

Consider the basis Consider the basis vv11,v,v22-v-v11,v,v33,…,v,…,vnn

The shortest vector isThe shortest vector is

u = u = (a(a11+a+a22))vv1 1 + + aa22(v(v22-v-v11)) + + aa33vv3 3 ++ … + … + aannvvnn

The first coefficient is aThe first coefficient is a11+a+a22

Similarly, we can set it to Similarly, we can set it to

aa11--bbp/2p/2ccaa2 2 ,…, a,…, a11-a-a2 2 , a, a1 1 , a, a11+a+a2 2 , … , , … , aa11++bbp/2p/2ccaa22

One of them is divisible by p, so we choose it One of them is divisible by p, so we choose it and continueand continue

|

4747

The ReductionThe Reduction Repeating this process decreases Repeating this process decreases

the coefficients of u are by a factor the coefficients of u are by a factor of p at a timeof p at a time The basis that we started from had The basis that we started from had

coefficients coefficients 2 22n2n

The coefficients are integersThe coefficients are integers

After After 2n 2n22 steps, all the coefficient steps, all the coefficient but one must be zerobut one must be zero

The last vector standing must be The last vector standing must be uu

4848

Regev’s dimension Regev’s dimension reductionreduction

4949

Distinguish between the 1-Distinguish between the 1-dimensional distributions:dimensional distributions:

0

0 R-1

R-1

Uniform:

Wavy:

Reducing from n to 1-dimensionReducing from n to 1-dimension

5050

Reducing from n to 1-Reducing from n to 1-dimensiondimension

First attempt: sample and project to a lineFirst attempt: sample and project to a line

5151

Reducing from n to 1-Reducing from n to 1-dimensiondimension

But then we lose the wavy structure!But then we lose the wavy structure! We should project only from points very We should project only from points very

close to the lineclose to the line

5252

The solutionThe solution

Use the periodicity of the distributionUse the periodicity of the distribution Project on a ‘dense line’ :Project on a ‘dense line’ :

5353


5454


We choose the line that connects the We choose the line that connects the origin to eorigin to e11+Ke+Ke22+K+K22ee33…+K…+Kn-1n-1eenn

where K is where K is large enoughlarge enough

The distance between hyperplanes is nThe distance between hyperplanes is n The sides are of length 2The sides are of length 2nn

Therefore, we choose K=2Therefore, we choose K=2O(n)O(n) Hence, d<O(KHence, d<O(Knn)=2^(O(n)=2^(O(n22))))

5555

So far: a problem that is hard in the So far: a problem that is hard in the worst-case: distinguish between uniform worst-case: distinguish between uniform and d,γ-wavy distributions for and d,γ-wavy distributions for allall integers integers d<2^(nd<2^(n22) )

For cryptographic applications, we would For cryptographic applications, we would like to have a problem that is hard on the like to have a problem that is hard on the average: distinguish between uniform average: distinguish between uniform and d,γ-wavy distributions for and d,γ-wavy distributions for a non-a non-negligible fractionnegligible fraction of d in [2^(nof d in [2^(n22), ), 22••2^(n2^(n22)])]

Worst-case vs. Average-Worst-case vs. Average-casecase

5656

The following procedure transforms d,γ-The following procedure transforms d,γ-wavy into 2d,γ-wavy for all integer d:wavy into 2d,γ-wavy for all integer d: Sample Sample aa from the distribution from the distribution Return either Return either a/2a/2 or or (a+R)/2(a+R)/2 with probability ½ with probability ½

In general, for any real In general, for any real 1,1,we can we can compresscompress d,γ-wavy into d,γ-wavy into d,γ-wavyd,γ-wavy

Notice that compressing preserves the Notice that compressing preserves the uniform distributionuniform distribution

We show a reduction from worst-case to We show a reduction from worst-case to average-caseaverage-case

CompressingCompressing

5757

Assume there exists a distinguisher between Assume there exists a distinguisher between uniform and d,γ-wavy distribution for some non-uniform and d,γ-wavy distribution for some non-negligible fraction of d in [2^(nnegligible fraction of d in [2^(n22), 2), 2••2^(n2^(n22)])]

Given either a uniform or a d,γ-wavy Given either a uniform or a d,γ-wavy distribution for some integer d<2^(ndistribution for some integer d<2^(n22) repeat ) repeat the following:the following: Choose Choose in {1,…,2in {1,…,22^(n2^(n22)} according to a certain )} according to a certain

distributiondistribution Compress the distribution by Compress the distribution by Check the distinguisher’s acceptance probabilityCheck the distinguisher’s acceptance probability

If for some If for some the acceptance probability differs the acceptance probability differs from that of uniform sequences, return ‘wavy’; from that of uniform sequences, return ‘wavy’; otherwise, return ‘uniform’otherwise, return ‘uniform’

ReductionReduction

5858

…1

d

2^(n2)…

22^(n2)

Distribution is uniform:Distribution is uniform: After compression it is still uniformAfter compression it is still uniform Hence, the distinguisher’s acceptance Hence, the distinguisher’s acceptance

probability equals that of uniform sequences probability equals that of uniform sequences for all for all

Distribution is d,γ-wavy:Distribution is d,γ-wavy: After compression it is in the good range with After compression it is in the good range with

some probabilitysome probability Hence, for some Hence, for some , the distinguisher’s , the distinguisher’s

acceptance probability differs from that of acceptance probability differs from that of uniform sequencesuniform sequences

ReductionReduction

5959

Diophantine Diophantine ApproximationApproximation

6060

Solving for uSolving for u(from slide 24)(from slide 24)

Recall: We have B=(bRecall: We have B=(b11,…b,…bnn) and u) and u’’

Shortest vector uShortest vector uL(B) is u = L(B) is u = iibbii, |, |ii| < 2| < 2nn

• Because the basis B is LLL reducedBecause the basis B is LLL reduced uu’ ’ is very very close to u/|u|is very very close to u/|u|

• u/|u| = (uu/|u| = (u’’+e), |e|=1/N, N +e), |e|=1/N, N 2 2n n (e.g., N=2(e.g., N=2n n ))

Express uExpress u’’ = = iibbii ( (ii‘s are reals)‘s are reals)

Set Set ii = = ii//nn for i=1,…,n-1 for i=1,…,n-1 ii very very close to very very close to ii//n n ( ( ii··nn = = ii+O(+O(nn/N) )/N) )

2

6161

Diophantine ApproximationDiophantine Approximation

Look for Look for nn<2<2nn s.t. for all i, s.t. for all i, ii··nn is 2 is 2nn/N away /N away

from an integer (for Nfrom an integer (for N = 2= 2nn ) )

z is the uniquez is the uniqueshortest in L(M)shortest in L(M)by a factor~N/2by a factor~N/2nn

Use LLL to find itUse LLL to find it

Compute the Compute the ii’s and u’s and u

2

1 –11

1 –22

… 1 –n-1n-1

1/1/NN

1

2

…

n

O(2n/N)O(2n/N)

...O(2n/N)O(2n/N)

=

basis M integer

vector

short lattice point

z

6262

Why is z unique-shortest?Why is z unique-shortest? Assume we have another short vector yAssume we have another short vector yL(M)L(M)

nn not much larger than 2 not much larger than 2nn, also the other , also the other ii’s’s Every small yEvery small yL(M) corresponds to vL(M) corresponds to vL(B) L(B)

such that v/|v| very very close to u’such that v/|v| very very close to u’ So also v/|v| very very close to u/|u| (~2So also v/|v| very very close to u/|u| (~2nn/N)/N) Smallish coefficient Smallish coefficient v not too long (~2 v not too long (~22n2n)) v very close to its projection on u (~2v very close to its projection on u (~23n3n/N)/N) s.t. (v–s.t. (v–u)u)L(B) is shortL(B) is short

• Of length Of length 2 23n3n/N + /N + 11/2 < /2 < 11

v must be a multiple of uv must be a multiple of u

u

~2n/N

v

|v|~

22n

~23n/N

cryptosystems from unique-svp lattices ajtai-dwork’97/07, regev’03

Documents