Trapdoor Lattices with Arbitrary Modulus Nicholas Genise Daniele - - PowerPoint PPT Presentation



SLIDE 1

Faster Gaussian Sampling for Trapdoor Lattices with Arbitrary Modulus

Nicholas Genise, Daniele Micciancio (UCSD)

SLIDE 2

Overview of the Talk

  • Part 1: Background
  • Part 2: Our solution for arbitrary modulus G-lattice sampling
  • Part 3: Our solution for perturbation sampling in the ring setting


SLIDE 3

Part 1: Background


SLIDE 4

Lattices

  • A lattice is a discrete subgroup of Euclidean space: ℒ ⊂ ℝ^n.
  • A lattice is represented by a basis: B = (b_1, …, b_n) ∈ ℝ^{n×n}.

    ℒ = ℒ(B) = Bℤ^n

  • The Gram-Schmidt orthogonalization (GSO) is b_i* = b_i ⊥ span(b_1, …, b_{i−1}), the component of b_i orthogonal to the earlier basis vectors.

SLIDE 5

Discrete Gaussians

  • Since lattices are countably infinite, we cannot simply sample the uniform distribution over a lattice.
  • Instead, we sample a Gaussian distribution over the lattice (or a coset):

    Pr[X = a] ∝ exp(−π‖a − c‖²/s²)

  • The generic algorithm, given a basis as input, runs in time O(n³). This requires the Gaussian width s to be larger than the GSO length.
  • The sum of two independent discrete Gaussian (DG) random vectors is also a DG.

SLIDE 6

(In)SIS Problem

  • A is a uniformly random matrix mod q with more columns than rows: A ∈ ℤ_q^{n×m}.
  • For short integer vector inputs, f_A is a CR (collision-resistant) compression function:

    f_A : {x ∈ ℤ^m : x is "short"} → ℤ_q^n
    f_A(x) = Ax mod q = u ∈ ℤ_q^n

  • Inverting f_A can be seen as picking a short element in a coset (u ∈ ℤ_q^n) of

    Λ_q^⊥(A) = {x ∈ ℤ^m | Ax = 0 mod q}.

SLIDE 7

Lattice Trapdoors (MP12)

  • We generate A with a trapdoor R: A = (Ā | G − ĀR), where Ā is truly random and R is a matrix with small entries (G is public).
  • Using the trapdoor as a linear transformation, we can reduce the problem of sampling short vectors in cosets of Λ_q^⊥(A) to sampling short vectors in the cosets of Λ_q^⊥(G).
  • Notice: A · [R; I] = G mod q (R stacked on top of the identity I).
  • Mapping the cosets of Λ_q^⊥(G) to cosets of Λ_q^⊥(A) with R leaks information about the trapdoor. We convolve with a perturbation on an arbitrary lattice to hide the trapdoor statistically.

SLIDE 8

Applications for Lattice Trapdoors

  • IBE
  • Digital signatures
  • Group signatures
  • ABE
  • CH-PRFs
  • …

SLIDE 9

Part 2, Our Solution to Efficient G-lattice Sampling


SLIDE 10

G-Lattices

  • G has a simple structure: G = I_n ⊗ g^t, a block-diagonal matrix with g^t repeated on the diagonal:

    G = [ g^t           ]
        [      ⋱        ]
        [           g^t ]

  • g^t = (1, 2, …, 2^{k−1}), where k = ceil(log q).
  • This reduces sampling the cosets of Λ_q^⊥(G) to sampling the cosets of the k-dimensional lattice Λ_q^⊥(g^t).
  • The basis for Λ_q^⊥(g^t) is always sparse, but its GSO is generally dense.
  • The GSO is only sparse when q is a power of 2 (triangular basis).
  • Otherwise, the basis is almost triangular, but sampling still takes time O(k³) because the GSO is dense.

SLIDE 11

Our Solution

  • Sample a different lattice!
  • For any modulus q, the basis B_q of ℒ(B_q) = Λ_q^⊥(g^t) factors as B_q = BD, where B and D are sparse, triangular matrices.
  • Now we can sample the lattice generated by D in time O(k) and apply B as a linear transformation.

SLIDE 12

Our Solution Cont.

  • Since applying B as a linear transformation warps the distribution on Λ_q^⊥(g^t), we apply a perturbation to get a spherical DG. This is also done in linear time.
  • We order the operations in the algorithm to minimize the number of floating point operations (mostly in the perturbation).
  • We use the max-log metric on distributions for the tightest analysis. Our analysis suggests double-precision floating point numbers are sufficient for most applications.
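The following added example (not the authors' code) implements the approach of slides 10 to 12 in Python for one block Λ_q^⊥(g^t): it builds the sparse basis B_q, factors it as B_q = BD with B the bidiagonal power-of-two basis and D = I apart from a rational last column, samples ℒ(D) with a linear-time randomized nearest plane, and adds a perturbation of covariance σ²I − r²BB^t so that the output is spherical. The split r = σ/√10, the 12·s rejection window, the use of bit_length(q) as k (one coordinate more than ceil(log q) when q is a power of two), and the requirement that σ be large enough for r to exceed the smoothing parameter of ℤ are this example's own assumptions.

```python
import math, random
from fractions import Fraction

def sample_z(s, c):
    """Discrete Gaussian on Z, density ~ exp(-pi (z - c)^2 / s^2), by rejection on a 12*s window (demo only, not constant-time)."""
    lo, hi = math.floor(c - 12 * s), math.ceil(c + 12 * s)
    while True:
        z = random.randint(lo, hi)
        if random.random() < math.exp(-math.pi * (z - c) ** 2 / s ** 2):
            return z

def g_basis(q):
    """Columns of the MP12 basis B_q of {x in Z^k : sum_i 2^i x_i = 0 mod q}, k = bit length of q:
    b_i = 2 e_i - e_{i+1} for i < k-1, and the last column holds the bits of q."""
    k = q.bit_length()
    cols = [[0] * k for _ in range(k)]
    for i in range(k - 1):
        cols[i][i], cols[i][i + 1] = 2, -1
    cols[k - 1] = [(q >> i) & 1 for i in range(k)]
    return cols

def factor_d(q, k):
    """B_q = B D: B is the bidiagonal power-of-2 basis (2 on, -1 below the diagonal), D = I except for last column d = B^{-1} bits(q)."""
    return [Fraction(q % (1 << (i + 1)), 1 << (i + 1)) for i in range(k)]

def sample_g(u, q, sigma):
    """x in Z^k with <g, x> = u (mod q), near-spherical discrete Gaussian of parameter sigma (sigma^2 I = Sigma_2 + r^2 B B^t)."""
    k = q.bit_length()
    d = factor_d(q, k)
    r = sigma / math.sqrt(10)  # assumed split; by Gershgorin, Sigma_2 = sigma^2 I - r^2 B B^t is then positive definite
    # B B^t is tridiagonal (diagonal 4, 5, 5, ...; off-diagonal -2), so Sigma_2 has a bidiagonal Cholesky factor L, in O(k)
    l_diag, l_sub = [math.sqrt(sigma ** 2 - 4 * r ** 2)], [0.0]
    for i in range(1, k):
        l_sub.append(2 * r ** 2 / l_diag[-1])
        l_diag.append(math.sqrt(sigma ** 2 - 5 * r ** 2 - l_sub[-1] ** 2))
    y = [random.gauss(0.0, 1.0 / math.sqrt(2 * math.pi)) for _ in range(k)]  # continuous Gaussian of parameter 1
    p = [l_diag[i] * y[i] + l_sub[i] * (y[i - 1] if i else 0.0) for i in range(k)]  # p = L y has covariance Sigma_2
    bits = [((u % q) >> i) & 1 for i in range(k)]  # u' = bits of u mod q, a fixed representative of the target coset
    c = []  # centre c = B^{-1}(p - u') by forward substitution on the bidiagonal B
    for i in range(k):
        c.append((p[i] - bits[i] + (c[i - 1] if i else 0.0)) / 2)
    # Randomized nearest plane over L(D): its GSO is e_0, ..., e_{k-2}, d_{k-1} e_{k-1}, so this step is O(k)
    z = [0] * k
    z[k - 1] = sample_z(r / float(d[k - 1]), c[k - 1] / float(d[k - 1]))
    for i in range(k - 1):
        z[i] = sample_z(r, c[i] - float(d[i]) * z[k - 1])
    cols = g_basis(q)  # x = u' + B_q z = u' + B (D z): integral, in the coset, and p + (x - p) has covariance sigma^2 I
    return [bits[i] + sum(cols[j][i] * z[j] for j in range(k)) for i in range(k)]
```

For the full G = I_n ⊗ g^t the n blocks are independent, so sample_g is simply called once per block with the corresponding coordinate of the target u.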


SLIDE 13

Implementation

SLIDE 14

Part 3, Algebraic Perturbations


SLIDE 15

Trapdoors in the Ring Setting

  • In the ring setting we replace numbers in ℤ (and ℤ_q) with polynomials in R_n = ℤ[x]/(x^n + 1) (and ℤ_q[x]/(x^n + 1)). Let K_n = ℝ[x]/(x^n + 1).
  • The trapdoor matrix is now a block matrix with anti-cyclic matrices. Each anti-cyclic block represents multiplication in R.
  • Problem: with how few resources can we sample a perturbation (on any lattice) with a structured covariance

    Cov(p) = s²I − [ RR^t  R ]
                   [ R^t   I ]  ?

SLIDE 16

Our Solution

  • First we use the sparsity of the covariance to efficiently reduce to sampling a 2n-dimensional perturbation with covariance RR^t ∈ R_n^{2×2}.
  • Then we use a convolution to reduce this to sampling two perturbations in R_n with covariance in K_n.
  • With a change of basis and another convolution, we reduce sampling an n-dimensional structured perturbation to sampling two perturbations in R_{n/2} with covariances in K_{n/2}. (FFO by Ducas and Prest.)
  • Recurse until we are sampling a discrete Gaussian over ℤ.
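As an added illustration (not the talk's code), this Python block makes the change of basis of slide 16 concrete for K_n = ℝ[x]/(x^n + 1): writing f = f_e(x²) + x f_o(x²) turns multiplication by f into a 2×2 matrix over K_{n/2}, and a self-adjoint covariance becomes a Hermitian 2×2 block, which is what the convolution step then splits into two K_{n/2} covariances. The ring element r with entries in {−1, 0, 1}, the constructed covariance s² − rr* and all helper names are assumptions of this example; the even/odd split follows the FFO of Ducas and Prest as described on the slide.

```python
import random

def mul(a, b):
    """Product in K_n = R[x]/(x^n + 1) on coefficient lists of length n: x^n wraps around as -1."""
    n, out = len(a), [0.0] * len(a)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[(i + j) % n] += ai * bj if i + j < n else -ai * bj
    return out

def add(a, b):
    return [x + y for x, y in zip(a, b)]
def conj(f):
    """The adjoint f(x^-1) in K_n, using x^-i = -x^(n-i) for i > 0; a covariance is a self-adjoint element."""
    n = len(f)
    return [f[0]] + [-f[n - i] for i in range(1, n)]

def split(f):
    """Change of basis: f(x) = f_e(x^2) + x f_o(x^2) with f_e, f_o in K_{n/2} (variable y = x^2, y^{n/2} = -1)."""
    return f[0::2], f[1::2]

def merge(fe, fo):
    out = [0.0] * (2 * len(fe))
    out[0::2], out[1::2] = fe, fo
    return out
def times_y(g):
    """Multiply by y = x^2 inside K_{n/2}; in K_1 = R[y]/(y + 1) this is negation."""
    return [-g[0]] if len(g) == 1 else mul([0.0, 1.0] + [0.0] * (len(g) - 2), g)

def block_matrix(f):
    """Multiplication by f in K_n, in the split basis, is the 2x2 matrix [[f_e, y f_o], [f_o, f_e]] over K_{n/2}."""
    fe, fo = split(f)
    return [[fe, times_y(fo)], [fo, fe]]

def apply_block(m, a):
    ae, ao = split(a)
    return merge(add(mul(m[0][0], ae), mul(m[0][1], ao)), add(mul(m[1][0], ae), mul(m[1][1], ao)))
def close(a, b, eps=1e-9):
    return len(a) == len(b) and all(abs(x - y) < eps for x, y in zip(a, b))

def check_split(n, s=4.0, seed=0):
    """Constructed instance: r in {-1,0,1}^n stands in for a trapdoor ring element and sigma = s^2 - r r* for its covariance."""
    rng = random.Random(seed)
    r = [float(rng.choice([-1, 0, 1])) for _ in range(n)]
    a = [rng.gauss(0.0, 1.0) for _ in range(n)]
    sigma = add([s * s] + [0.0] * (n - 1), [-v for v in mul(r, conj(r))])
    m = block_matrix(sigma)
    # sigma = sigma* in K_n is the same as sigma_e = sigma_e* and sigma_o* = y sigma_o, i.e. the block matrix is Hermitian
    hermitian = close(conj(sigma), sigma) and close(conj(m[0][0]), m[0][0]) and close(conj(m[1][0]), m[0][1])
    return hermitian and close(apply_block(block_matrix(r), a), mul(r, a))
```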


SLIDE 17

Solution Cont.

  • Once we start recursing on smaller rings, our algorithm can be seen as a version of FFO where we compute the matrix factorization on the fly.
  • This leads to a logarithmic savings in memory (O(n) vs. O(n log n)).
  • We prove a simpler convolution lemma for cleaner analysis, geared towards our matrix decompositions.
  • The end result is a simple O(n log n log q)-time perturbation algorithm.

SLIDE 18

Conclusions

  • Improved G-lattice sampling from time O(nk³) to time O(nk).
  • Perturbation sampling in the ring setting with less memory, O(n) versus O(n log n).

SLIDE 19

Future Directions

  • Can we perform linear-time sampling of G-lattices directly in the CRT form of ℤ_q for a composite q?
  • Can we use an FFO-like technique for faster SVP, CVP, or basis reduction algorithms?

SLIDE 20

Questions?
