Difference between revisions of "Lattice based cryptography"

PROBLEM. ${\displaystyle {\textbf {SVP}}}$ – The Shortest Vector Problem

Given a basis ${\displaystyle B}$ of a lattice ${\displaystyle {\mathcal {L}}}$
Goal. Find the shortest vector ${\displaystyle y}$ in ${\displaystyle {\mathcal {L}}}$ such that ${\displaystyle \lVert y\rVert =\lambda _{1}({\mathcal {L}})}$.

PROBLEM. ${\displaystyle {\textbf {SVP}}_{\gamma }}$– The Approximate Shortest Vector Problem

Given a basis ${\displaystyle B}$ of a lattice ${\displaystyle {\mathcal {L}}}$
Goal. Find the shortest vector ${\displaystyle y}$ in ${\displaystyle {\mathcal {L}}}$ such that ${\displaystyle \lVert y\rVert =\gamma \lambda _{1}({\mathcal {L}})}$.

PROBLEM. ${\displaystyle {\text{CVP}}-}$The Closest Vector Problem

Given a basis ${\displaystyle B}$ of a lattice ${\displaystyle {\mathcal {L}}}$, a target vector ${\displaystyle t\in \mathbb {R} ^{n}}$.
Goal. Find the closest vector ${\displaystyle x}$ in ${\displaystyle {\mathcal {L}}}$ such that ${\displaystyle \lVert t-x\rVert \leq {\text{dist}}(t,{\mathcal {L}})}$.

PROBLEM. ${\displaystyle {\text{CVP}}_{\gamma }-}$The Approximate Closest Vector Problem

Given a basis ${\displaystyle B}$ of a lattice ${\displaystyle {\mathcal {L}}}$, a target vector ${\displaystyle t\in \mathbb {R} ^{n}}$.
Goal. Find the closest vector ${\displaystyle x}$ in ${\displaystyle {\mathcal {L}}}$ such that ${\displaystyle \lVert t-x\rVert \leq \gamma {\text{dist}}(t,{\mathcal {L}})}$.

PROBLEM. Search - LWE Problem

Goal. Find the secret ${\displaystyle s}$ given access to many independent samples LWE ${\displaystyle (a,\langle a,s\rangle +e)}$.

PROBLEM. Decisional - LWE Problem

Goal. Distinguish between an unifomrly instance ${\displaystyle (a,{\mathcal {U}}(\mathbb {Z} _{q}^{n}))}$ and a sample from LWE oracle ${\displaystyle (a,\langle a,s\rangle +e)}$.

PROBLEM. Search - RLWE Problem

Let ${\displaystyle {\mathcal {\psi }}}$ be a damily of distribution over ${\displaystyle K_{\mathbb {R} }}$.
Goal. Find the secret ${\displaystyle s}$ given access to many independent samples ${\displaystyle (a,\langle a,s\rangle +e)}$ where ${\displaystyle s\in R_{q}^{V}}$ and ${\displaystyle \chi \in {\mathcal {\psi }}}$.

PROBLEM. Decisional - RLWE Problem

Let ${\displaystyle {\mathcal {\tau }}}$ be a family of distribution over ${\displaystyle K_{\mathbb {R} }}$.
Goal. The average-case decision version of the ring-LWE problem is to distinguish with non-negligible advantage between arbitrarily many independent samples from ${\displaystyle (a,{\mathcal {U}}_{n})}$ for a random choice of ${\displaystyle (s,\psi )\to U(R_{q}^{V})\times {\mathcal {\tau }}}$, and the same number of uniformly random and independent samples from ${\displaystyle R_{q}\times \mathbb {T} }$.

PROBLEM. Search - MLWE Problem

Let ${\displaystyle {\mathcal {\psi }}}$ be a family of distribution over ${\displaystyle K_{\mathbb {R} }}$
Goal. Find the secret ${\displaystyle s}$ given access to many independent samples ${\displaystyle (a,\langle a,s\rangle +e)}$ where ${\displaystyle s\in R_{q}^{V}}$ and Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle \chi \in \mathcal{\psi}} .

PROBLEM. Decisional - MLWE Problem

Let Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle \mathcal{\psi} } be a family of distribution over Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle K_{\mathbb{R}}}
Goal. Distinguish the following two distributions: in the first distribution, one samples ${\displaystyle (a,\langle a,s\rangle +e)}$ from MLWE oracle; in the second distribution, one samples uniformly a pair of Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle (a, \mathcal{U}(R_q))} .

PROBLEM. Decisional - PLWE Problem

Goal. The decision version of the PLWE problem is to distinguish the following two distributions: in the first distribution, one samples ${\displaystyle (a,\langle a,s\rangle +e)}$ from PLWE oracle; in the second distribution, one samples uniformly a pair of ${\displaystyle (a,{\mathcal {U}}(R_{q}))}$.

PROBLEM. SIS – Small Integer Solutions

Given a modulus Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle p} , a set Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle B \subset \mathbb{Z}} that contains Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle {0,1}} or ${\displaystyle {-1,0,1}}$, a Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle n \times m} matrix Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle A} , and a column vector ${\displaystyle s}$ in Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle \mathbb{Z}_q^n}
Goal. Find a non-zero vector Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle x} in ${\displaystyle B^{m}}$ such that Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle A x = 0 \text{ mod } q} .

PROBLEM. Ring SIS - Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle \text{RSIS}_{n,m,q,\beta}}

Let ${\displaystyle R=\mathbb {Z} [X]/(X^{n}+1)}$ and Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle R_q=R/qR} , where Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle n} is a power of Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle 2} and Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle q = 1 mod 2n} . Given a uniformaly random matrix ${\displaystyle A\in R_{q}^{1\times m}}$.
Goal. Find a non-zero vector Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle x\in R^m} such that Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle ||x||_{\infty} \le \beta} and Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle A\cdot x = 0 } .

PROBLEM. MSIS – Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle \text{Module-SIS}_{q,m,\beta}}

Let ${\displaystyle R=\mathbb {Z} [X]/(X^{n}+1)}$ and Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle R_q=R/qR} . Given a uniformaly random matrix Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle A \in R_q^{d \times m}} .
Goal. Find a non-zero vector Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle x\in R^m} such that Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle ||x||_{\infty} \le \beta} and Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle [I|A] \cdot x = 0 } .