Presentation is loading. Please wait.

Presentation is loading. Please wait.

Simple Lattice Trapdoor Sampling from a Broad Class of Distributions Vadim Lyubashevsky and Daniel Wichs.

Published byAdela Stevenson Modified over 8 years ago

Similar presentations

Presentation on theme: "Simple Lattice Trapdoor Sampling from a Broad Class of Distributions Vadim Lyubashevsky and Daniel Wichs."— Presentation transcript:

1 Simple Lattice Trapdoor Sampling from a Broad Class of Distributions Vadim Lyubashevsky and Daniel Wichs

2 Trapdoor Sampling A t s = Given: a random matrix A and vector t Find: vector s with small coefficients such that As=t Without a “trapdoor” for A, this is a very hard problem When sampling in a protocol, want to make sure s is independent of the trapdoor mod p

3 Trapdoor Sampling First algorithm: Gentry, Peikert, Vaikuntanathan (2008) Very “geometric” The distribution of s is a discrete Gaussian Agrawal, Boneh, Boyen (2010) + Micciancio, Peikert (2012) More “algebraic” (you don’t even see the lattices) Still s needs to be a discrete Gaussian Are Gaussians “fundamental” to trapdoor sampling?

4 Constructing a Trapdoor A s t =mod p

5 Constructing a Trapdoor A1A1 t s1s1 =mod p A2A2 s2s2

6 A1A1 R G + Random matrix Random matrix with small coefficients Special matrix that is easy to invert A1A1 Constructing a Trapdoor A =

7 A1A1 R G + Random matrix Random matrix with small coefficients Special matrix that is easy to invert A1A1 Constructing a Trapdoor A = H Invertible matrix H that is used as a “tag” in many advanced constructions

8 Easily-Invertible Matrix Matrix G has the property that for any t, you can find a 0/1 vector s 2 such that Gs 2 =t (a bijection between integer vectors and {0,1} * ) 1 2 4 8 … q/2...... 1 2 4 8 … q/2 G =

9 Example 1 2 4 8 1011001010110010 13 4 =

10 Inverting with a Trapdoor A = [A 1 | A 2 ] = [A 1 | A 1 R+G] Want to find a small s such that As=t s = (s 1,s 2 ) t = As = A 1 s 1 +(A 1 R+G)s 2 = A 1 (s 1 +Rs 2 ) + Gs 2 t = Gs 2 s 1 = - Rs 2 set to 0 Reveals R Bad

11 Inverting with a Trapdoor A = [A 1 | A 2 ] = [A 1 | A 1 R+G] Want to find a small s such that As=t s = (s 1,s 2 ) t = As = A 1 s 1 +(A 1 R+G)s 2 = A 1 (s 1 +Rs 2 ) + Gs 2 t - A 1 y = Gs 2 s 1 = y - Rs 2 small y Intuition: y helps to hide R

12 The Distribution we Hope to Get t = A 1 (s 1 +Rs 2 ) + Gs 2 t - A 1 y = Gs 2 s 1 = y - Rs 2 s 2  D 2 s 1  D 1 | A 1 s 1 + (A 1 R+G)s 2 = t Output s = (s 1,s 2 ) small y (but enough entropy) uniformly random (leftover hash lemma) random bit string (because of the shape of G) Depends on R, s 2, and y

13 Rejection Sampling Make sure it’s at most 1

14 Removing the Dependence on R Assume R and s 2 are fixed s 1 = y - Rs 2 If y  D y then Pr[s 1 ] = Pr[y=s 1 +Rs 2 ] We want Pr[s 1 ] to be exactly D 1 (s 1 ) (conditioned on As=t) So sample y and output s 1 =y - Rs 2 with probability D 1 (s 1 ) / (c∙D y (s 1 +Rs 2 )) s 2  D 2 s 1  D 1 | A 1 s 1 + (A 1 R+G)s 2 = t Output s = (s 1,s 2 )

15 The Real Distribution y  D y s 2  G -1 (t - A 1 y) s 1  y - Rs 2 Output s=(s 1,s 2 ) with probability D 1 (s 1 )/(c∙D y (s 1 +Rs 2 )) s 2  D 2 s 1  D 1 | A 1 s 1 + (A 1 R+G)s 2 = t Output s = (s 1,s 2 ) Real DistributionTarget Distribution the shift Rs 2 depends on y (what’s the distribution of s 1 ??)

16 Equivalence of Distributions y  D y s 2  G -1 (t - A 1 y) s 1  y - Rs 2 Output s=(s 1,s 2 ) with probability D 1 (s 1 )/(c∙D y (s 1 +Rs 2 )) s 2  D 2 s 1  D 1 | A 1 s 1 + (A 1 R+G)s 2 = t Output s = (s 1,s 2 ) Real DistributionTarget Distribution 1.For (almost) all s=(s 1,s 2 ) in the support of TD, D 1 (s 1 )/(c∙D y (s 1 +Rs 2 )) ≤ 1 2.D 2 is uniformly random and G is a 1-1 and onto function between the support of D 2 and Z p n 3.For x  D 1 and x  D y, Δ(A 1 x, U(Z p n )) < 2 -(n logp+λ) ≈ λc∙2 -λ (2) and (3) break the dependency between s 2 and y and (1) allows rejection sampling

17 Our “Unbalanced” Result A1A1 t s1s1 =mod p A2A2 s2s2 n Has entropy greater than nlogp Binary vector

18 Is the Gaussian Distribution “Fundamental” to Lattices My opinion To lattices – YES A Gaussian distribution centered at any point in space is uniform over R n / L for any “small-enough” lattice L To lattice cryptography – NO We usually work with random lattices of a special form Can use the leftover hash lemma to argue uniformity But … Gaussians are often an optimization

19 What Distribution to use in Practice? Gaussians are often (always?) the “optimal” distribution to use for minimizing the parameters But … Sampling Gaussians requires high(er) precision so maybe too costly in low-power devices Try to use the distribution that minimizes parameters try to improve the efficiency later

Download ppt "Simple Lattice Trapdoor Sampling from a Broad Class of Distributions Vadim Lyubashevsky and Daniel Wichs."

Similar presentations

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.
Shortest Vector In A Lattice is NP-Hard to approximate

Shortest Vector In A Lattice is NP-Hard to approximate
Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)

Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)
Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function Lecturer:

Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function Lecturer:
Enumerative Lattice Algorithms in any Norm via M-Ellipsoid Coverings Daniel Dadush (CWI) Joint with Chris Peikert and Santosh Vempala.

Enumerative Lattice Algorithms in any Norm via M-Ellipsoid Coverings Daniel Dadush (CWI) Joint with Chris Peikert and Santosh Vempala.
Discrete Gaussian Leftover Hash Lemma Shweta Agrawal IIT Delhi With Craig Gentry, Shai Halevi, Amit Sahai.

Discrete Gaussian Leftover Hash Lemma Shweta Agrawal IIT Delhi With Craig Gentry, Shai Halevi, Amit Sahai.
The Many Entropies of One-Way Functions Thomas Holenstein Iftach Haitner Salil VadhanHoeteck Wee Joint With Omer Reingold.

The Many Entropies of One-Way Functions Thomas Holenstein Iftach Haitner Salil VadhanHoeteck Wee Joint With Omer Reingold.
P ROBABILITY T HEORY APPENDIX C P ROBABILITY T HEORY you can never know too much probability theory. If you are well grounded in probability theory, you.

P ROBABILITY T HEORY APPENDIX C P ROBABILITY T HEORY you can never know too much probability theory. If you are well grounded in probability theory, you.
NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.

NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.
Quantum Spectrum Testing Ryan O’Donnell John Wright (CMU)

Quantum Spectrum Testing Ryan O’Donnell John Wright (CMU)
The Learning With Errors Problem Oded Regev Tel Aviv University (for more details, see the survey paper in the proceedings) Cambridge, 2010/6/11.

The Learning With Errors Problem Oded Regev Tel Aviv University (for more details, see the survey paper in the proceedings) Cambridge, 2010/6/11.
CSC321: 2011 Introduction to Neural Networks and Machine Learning Lecture 10: The Bayesian way to fit models Geoffrey Hinton.

CSC321: 2011 Introduction to Neural Networks and Machine Learning Lecture 10: The Bayesian way to fit models Geoffrey Hinton.
New Lattice Based Cryptographic Constructions

New Lattice Based Cryptographic Constructions
Lattice-Based Cryptography. Cryptographic Hardness Assumptions Factoring is hard Discrete Log Problem is hard  Diffie-Hellman problem is hard  Decisional.

Lattice-Based Cryptography. Cryptographic Hardness Assumptions Factoring is hard Discrete Log Problem is hard  Diffie-Hellman problem is hard  Decisional.
Simulation Where real stuff starts. ToC 1.What, transience, stationarity 2.How, discrete event, recurrence 3.Accuracy of output 4.Monte Carlo 5.Random.

Simulation Where real stuff starts. ToC 1.What, transience, stationarity 2.How, discrete event, recurrence 3.Accuracy of output 4.Monte Carlo 5.Random.
Random-Variate Generation. Need for Random-Variates We, usually, model uncertainty and unpredictability with statistical distributions Thereby, in order.

Random-Variate Generation. Need for Random-Variates We, usually, model uncertainty and unpredictability with statistical distributions Thereby, in order.
ACT1 Slides by Vera Asodi & Tomer Naveh. Updated by : Avi Ben-Aroya & Alon Brook Adapted from Oded Goldreich’s course lecture notes by Sergey Benditkis,

ACT1 Slides by Vera Asodi & Tomer Naveh. Updated by : Avi Ben-Aroya & Alon Brook Adapted from Oded Goldreich’s course lecture notes by Sergey Benditkis,
Dimensional reduction, PCA

Dimensional reduction, PCA
Tirgul 8 Universal Hashing Remarks on Programming Exercise 1 Solution to question 2 in theoretical homework 2.

Tirgul 8 Universal Hashing Remarks on Programming Exercise 1 Solution to question 2 in theoretical homework 2.
1 Analysis of the Linux Random Number Generator Zvi Gutterman, Benny Pinkas, and Tzachy Reinman.

1 Analysis of the Linux Random Number Generator Zvi Gutterman, Benny Pinkas, and Tzachy Reinman.

Similar presentations

Ads by Google