
Trapdoor Lattices with Arbitrary Modulus Nicholas Genise Daniele - PowerPoint PPT Presentation



  1. Faster Gaussian Sampling for Trapdoor Lattices with Arbitrary Modulus. Nicholas Genise, Daniele Micciancio (UCSD)

  2. Overview of the Talk
     • Part 1: Background
     • Part 2: Our solution for arbitrary modulus G-lattice sampling
     • Part 3: Our solution for perturbation sampling in the ring setting

  3. Part 1: Background

  4. Lattices
     • A lattice is a discrete subgroup of Euclidean space: ℒ ⊂ ℝ^n.
     • A lattice is represented by a basis: B = (b_1, …, b_n) ∈ ℝ^{n×n}, ℒ = ℒ(B) = Bℤ^n.
     • The Gram-Schmidt orthogonalization (GSO) is b_i* = b_i ⊥ span(b_1, …, b_{i−1}), the component of b_i orthogonal to the span of the previous basis vectors.

  5. Discrete Gaussians
     • Since lattices are countably infinite, we cannot simply sample the uniform distribution over a lattice.
     • Instead, we will sample a gaussian distribution over the lattice (or a coset): Pr[X = a] ∝ exp(−π‖a − c‖² / s²).
     • The generic algorithm given a basis as input takes time O(n³). This is for gaussian width s larger than the GSO length.
     • The sum of two independent DG random vectors is also a DG.

  6. (In)SIS Problem
     • A is a uniformly random matrix mod q with more columns than rows: A ∈ ℤ_q^{n×m}.
     • For short integer vector inputs, f_A is a CR (collision-resistant) compression function: f_A : {x ∈ ℤ^m : x is "short"} → ℤ_q^n, f_A(x) = Ax mod q = u ∈ ℤ_q^n.
     • Inverting f_A can be seen as picking a short element in a coset (u ∈ ℤ_q^n) of Λ_q^⊥(A) = {x ∈ ℤ^m | Ax = 0 mod q}.

  7. Lattice Trapdoors (MP12)
     • We generate A with a trapdoor T: A = (Ā | G − ĀT), where Ā is truly random and T is a matrix with small entries (G is public).
     • Using the trapdoor as a linear transformation, we can reduce the problem of sampling short vectors in cosets of Λ_q^⊥(A) to sampling short vectors in cosets of Λ_q^⊥(G).
     • Notice: A · [T; I] = G mod q.
     • Mapping the cosets of Λ_q^⊥(G) to cosets of Λ_q^⊥(A) with T leaks information about the trapdoor. We convolve with a perturbation on an arbitrary lattice to hide the trapdoor statistically.
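As an added illustration of the MP12 identity A · [T; I] = G mod q from slide 7 (example code written for this page, not the authors' implementation): a toy trapdoor over small constructed parameters, using plain binary decomposition in place of Gaussian G-lattice sampling and omitting the perturbation step.

```python
import random

def gadget_matrix(n, q):
    """G = I_n (x) g_t with g_t = (1, 2, ..., 2^(k-1)) and k = ceil(log2 q): n rows, nk columns."""
    k = (q - 1).bit_length()
    return [[(1 << (c % k)) if c // k == r else 0 for c in range(n * k)] for r in range(n)]

def matmul(X, Y, q=None):
    """Plain integer matrix product, optionally reduced mod q."""
    Z = [[sum(X[i][t] * Y[t][j] for t in range(len(Y))) for j in range(len(Y[0]))] for i in range(len(X))]
    return [[v % q for v in row] for row in Z] if q is not None else Z

def gen_trapdoor(n, m_bar, q, rng):
    """MP12 trapdoor generation: A = [A_bar | G - A_bar*T] mod q, with A_bar uniform and T a
    small-entry secret (here entries in {-1, 0, 1}); G is public."""
    G = gadget_matrix(n, q)
    w = len(G[0])
    A_bar = [[rng.randrange(q) for _ in range(m_bar)] for _ in range(n)]
    T = [[rng.choice((-1, 0, 1)) for _ in range(w)] for _ in range(m_bar)]
    A_bar_T = matmul(A_bar, T)
    A = [A_bar[r] + [(G[r][c] - A_bar_T[r][c]) % q for c in range(w)] for r in range(n)]
    return A, T

def g_preimage(u, q):
    """Short x in {0,1}^k with g_t . x = u (mod q): plain binary decomposition, standing in here
    for the Gaussian coset sampler over Lambda_q^perp(g_t) that the talk is about."""
    k = (q - 1).bit_length()
    return [(u >> i) & 1 for i in range(k)]

def trapdoor_preimage(T, q, u):
    """Lift a short G-preimage x of u to a short A-preimage y = [T; I] x, valid because
    A [T; I] = A_bar T + G - A_bar T = G (mod q). The lower block of y is x itself and the upper
    block is T x: that dependence on T is the leakage the (omitted) perturbation step hides."""
    x = [bit for ui in u for bit in g_preimage(ui % q, q)]
    top = [sum(T[r][c] * x[c] for c in range(len(x))) for r in range(len(T))]
    return top + x

def is_preimage(A, q, u, y):
    """True iff A y = u (mod q), i.e. y inverts the SIS function f_A at u."""
    return [sum(A[r][c] * y[c] for c in range(len(y))) % q for r in range(len(A))] == [ui % q for ui in u]

def demo(n=2, m_bar=3, q=13, seed=7):
    """Constructed toy parameters (not from the talk); returns (preimage correct?, max |y_i|)."""
    rng = random.Random(seed)
    A, T = gen_trapdoor(n, m_bar, q, rng)
    u = [rng.randrange(q) for _ in range(n)]
    y = trapdoor_preimage(T, q, u)
    return is_preimage(A, q, u, y), max(abs(v) for v in y)
```

Because x has entries in {0, 1} and T has entries in {−1, 0, 1}, every coordinate of y is bounded by nk, which is what makes y a "short" preimage in the sense of slide 6.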

  8. Applications for Lattice Trapdoors
     • ABE
     • IBE
     • CH-PRFs
     • Digital Signatures
     • Group Signatures
     • ⋮

  9. Part 2: Our Solution to Efficient G-lattice Sampling

  10. G-Lattices
     • G has a simple structure: G = I_n ⊗ g_t = [g_t ⋯ 0; ⋮ ⋱ ⋮; 0 ⋯ g_t], block diagonal with g_t repeated n times.
     • g_t = (1, 2, …, 2^{k−1}) where k = ⌈log q⌉.
     • This reduces sampling the cosets of Λ_q^⊥(G) to sampling the cosets of the k-dimensional lattice Λ_q^⊥(g_t).
     • The basis for Λ_q^⊥(g_t) is always sparse, but its GSO is generally dense.
     • The GSO is only sparse when q is a power of 2 (triangular basis).
     • Otherwise, the basis is almost triangular, but sampling still takes time k³ because of the density of the GSO.

  11. Our Solution
     • Sample a different lattice!
     • For any modulus q, the basis B_q of ℒ(B_q) = Λ_q^⊥(g_t) factors as B_q = BD, where B and D are sparse, triangular matrices.
     • Now we can sample the lattice generated by D in time O(k) and apply B as a linear transformation.
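An added worked example of the basis factorization B_q = BD from slides 10 and 11 (editor's code, not the authors' implementation): the sparse triangular factors are derived here by forward substitution, so their exact form is an assumption consistent with the slide rather than the paper's own matrices; entries are kept as exact rationals so the check is exact.

```python
from fractions import Fraction

def gadget_basis(q):
    """Basis B_q of Lambda_q^perp(g_t), g_t = (1, 2, ..., 2^(k-1)), k = ceil(log2 q): columns
    2e_i - e_{i+1} for i < k and a last column t with g_t . t = q (the binary digits of q, or
    2e_k when q is a power of two). Every column c has g_t . c = 0 mod q."""
    k = (q - 1).bit_length()
    t = [2 * (i == k - 1) for i in range(k)] if q == 1 << k else [(q >> i) & 1 for i in range(k)]
    B_q = [[0] * k for _ in range(k)]
    for i in range(k - 1):
        B_q[i][i], B_q[i + 1][i] = 2, -1
    for i in range(k):
        B_q[i][k - 1] = t[i]
    return B_q

def factor_gadget_basis(q):
    """Sparse triangular factorization B_q = B D (derived here; the talk only states that such a
    factorization exists). B is lower-bidiagonal with 2 on the diagonal and -1 below it; D is
    the identity except for a last column d solving B d = t by forward substitution, so the
    columns of D are e_1, ..., e_{k-1}, d and its GSO is (e_1, ..., e_{k-1}, d_k e_k): sampling
    a coset of L(D) is k independent one-dimensional samples, i.e. time O(k)."""
    B_q = gadget_basis(q)
    k = len(B_q)
    B = [[2 if i == j else -1 if i == j + 1 else 0 for j in range(k)] for i in range(k)]
    D = [[Fraction(int(i == j)) for j in range(k)] for i in range(k)]
    prev = Fraction(0)
    for i in range(k):
        prev = (B_q[i][k - 1] + prev) / 2   # row i of B d = t:  -d_{i-1} + 2 d_i = t_i
        D[i][k - 1] = prev
    return B, D

def matmul(X, Y):
    return [[sum(X[i][t] * Y[t][j] for t in range(len(Y))) for j in range(len(Y[0]))] for i in range(len(X))]

def in_gadget_lattice(q, M):
    """True iff every column c of M satisfies g_t . c = 0 (mod q)."""
    return all(sum((1 << i) * M[i][j] for i in range(len(M))) % q == 0 for j in range(len(M[0])))

def check_factorization(q):
    """Verify B D == B_q exactly, that B_q lies in the G-lattice, and det(B_q) = 2^k d_k = q
    (Lambda_q^perp(g_t) has index q in Z^k, so this confirms B_q is a basis of it)."""
    B, D = factor_gadget_basis(q)
    B_q = gadget_basis(q)
    k = len(B_q)
    return matmul(B, D) == B_q and in_gadget_lattice(q, B_q) and (2 ** k) * D[k - 1][k - 1] == q
```

For q = 13 the last column of D is (1/2, 1/4, 5/8, 13/16); for q = 16 it collapses to e_4 and B_q = B is the triangular power-of-two basis of slide 10.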

  12. Our Solution Cont.
     • Since applying B as a linear transformation warps the distribution on Λ_q^⊥(g_t), we apply a perturbation to get a spherical DG. This is also done in linear time.
     • We order the operations in the algorithm to minimize the number of floating point operations (mostly in the perturbation).
     • We use the max-log metric on distributions for the tightest analysis. Our analysis suggests double precision floating point numbers are sufficient for most applications.

  13. Implementation

  14. Part 3: Algebraic Perturbations

  15. Trapdoors in the Ring Setting
     • In the ring setting we replace numbers in ℤ (and ℤ_q) with polynomials in R_n = ℤ[x]/(x^n + 1) (and ℤ_q[x]/(x^n + 1)). Let F_n = ℝ[x]/(x^n + 1).
     • The trapdoor matrix is now a block matrix with anti-cyclic matrices. Each anti-cyclic block represents multiplication in R.
     • Problem: with how few resources can we sample a perturbation (on any lattice) with a structured covariance Cov_p = s²I − [TTᵗ, T; Tᵗ, I]?

  16. Our Solution
     • First we use the sparsity of the covariance to efficiently reduce to sampling a 2n-dimensional perturbation with covariance TTᵗ ∈ R_n^{2×2}.
     • Then we use a convolution to reduce this to sampling two perturbations in R_n with covariance in F_n.
     • With a change of basis and another convolution, we reduce sampling an n-dimensional structured perturbation to sampling two perturbations in R_{n/2} with covariances in F_{n/2}. (FFO by Ducas and Prest)
     • Recurse until we are sampling a discrete gaussian over ℤ.

  17. Solution Cont.
     • Once we start recursing on smaller rings, our algorithm can be seen as a version of FFO where we compute the matrix factorization on the fly.
     • This leads to a logarithmic savings in memory (O(n) vs. O(n log n)).
     • We prove a simpler convolution lemma for cleaner analysis, geared towards our matrix decompositions.
     • The end result is a simple O(n log n log q)-time perturbation algorithm.

  18. Conclusions
     • Improved G-lattice sampling from time O(nk³) to time O(nk).
     • Perturbation sampling in the ring setting with less memory, O(n) versus O(n log n).

  19. Future Directions
     • Can we perform linear time sampling of G-lattices directly in the CRT form of ℤ_q for a composite q?
     • Can we use an FFO-like technique for faster SVP, CVP, or basis reduction algorithms?

  20. Questions?
