Slide 1

Simple Lattice Trapdoor Sampling from a Broad Class of Distributions Vadim Lyubashevsky and Daniel Wichs

Slide 2

Trapdoor Sampling A t s = Given: a random matrix A and vector t Find: vector s with small coefficients such that As=t Without a trapdoor for A, this is a very hard problem When sampling in a protocol, want to make sure s is independent of the trapdoor mod p

Slide 3

Trapdoor Sampling First algorithm: Gentry, Peikert, Vaikuntanathan (2008) Very geometric The distribution of s is a discrete Gaussian Agrawal, Boneh, Boyen (2010) + Micciancio, Peikert (2012) More algebraic (you dont even see the lattices) Still s needs to be a discrete Gaussian Are Gaussians fundamental to trapdoor sampling?

Slide 4

Constructing a Trapdoor A s t =mod p

Slide 5

Constructing a Trapdoor A1A1 t s1s1 =mod p A2A2 s2s2

Slide 6

A1A1 R G + Random matrix Random matrix with small coefficients Special matrix that is easy to invert A1A1 Constructing a Trapdoor A =

Slide 7

A1A1 R G + Random matrix Random matrix with small coefficients Special matrix that is easy to invert A1A1 Constructing a Trapdoor A = H Invertible matrix H that is used as a tag in many advanced constructions

Slide 8

Easily-Invertible Matrix Matrix G has the property that for any t, you can find a 0/1 vector s 2 such that Gs 2 =t (a bijection between integer vectors and {0,1} * ) 1 2 4 8 q/2...... 1 2 4 8 q/2 G =

Slide 9

Example 1 2 4 8 1011001010110010 13 4 =

Slide 10

Inverting with a Trapdoor A = [A 1 | A 2 ] = [A 1 | A 1 R+G] Want to find a small s such that As=t s = (s 1,s 2 ) t = As = A 1 s 1 +(A 1 R+G)s 2 = A 1 (s 1 +Rs 2 ) + Gs 2 t = Gs 2 s 1 = - Rs 2 set to 0 Reveals R Bad

Slide 11

Inverting with a Trapdoor A = [A 1 | A 2 ] = [A 1 | A 1 R+G] Want to find a small s such that As=t s = (s 1,s 2 ) t = As = A 1 s 1 +(A 1 R+G)s 2 = A 1 (s 1 +Rs 2 ) + Gs 2 t - A 1 y = Gs 2 s 1 = y - Rs 2 small y Intuition: y helps to hide R

Slide 12

The Distribution we Hope to Get t = A 1 (s 1 +Rs 2 ) + Gs 2 t - A 1 y = Gs 2 s 1 = y - Rs 2 s 2 D 2 s 1 D 1 | A 1 s 1 + (A 1 R+G)s 2 = t Output s = (s 1,s 2 ) small y (but enough entropy) uniformly random (leftover hash lemma) random bit string (because of the shape of G) Depends on R, s 2, and y

Slide 13

Rejection Sampling Make sure its at most 1

Slide 14

Removing the Dependence on R Assume R and s 2 are fixed s 1 = y - Rs 2 If y D y then Pr[s 1 ] = Pr[y=s 1 +Rs 2 ] We want Pr[s 1 ] to be exactly D 1 (s 1 ) (conditioned on As=t) So sample y and output s 1 =y - Rs 2 with probability D 1 (s 1 ) / (cD y (s 1 +Rs 2 )) s 2 D 2 s 1 D 1 | A 1 s 1 + (A 1 R+G)s 2 = t Output s = (s 1,s 2 )

Slide 15

The Real Distribution y D y s 2 G -1 (t - A 1 y) s 1 y - Rs 2 Output s=(s 1,s 2 ) with probability D 1 (s 1 )/(cD y (s 1 +Rs 2 )) s 2 D 2 s 1 D 1 | A 1 s 1 + (A 1 R+G)s 2 = t Output s = (s 1,s 2 ) Real DistributionTarget Distribution the shift Rs 2 depends on y (whats the distribution of s 1 ??)

Slide 16

Equivalence of Distributions y D y s 2 G -1 (t - A 1 y) s 1 y - Rs 2 Output s=(s 1,s 2 ) with probability D 1 (s 1 )/(cD y (s 1 +Rs 2 )) s 2 D 2 s 1 D 1 | A 1 s 1 + (A 1 R+G)s 2 = t Output s = (s 1,s 2 ) Real DistributionTarget Distribution 1.For (almost) all s=(s 1,s 2 ) in the support of TD, D 1 (s 1 )/(cD y (s 1 +Rs 2 )) 1 2.D 2 is uniformly random and G is a 1-1 and onto function between the support of D 2 and Z p n 3.For x D 1 and x D y, (A 1 x, U(Z p n )) < 2 -(n logp+) c2 - (2) and (3) break the dependency between s 2 and y and (1) allows rejection sampling

Slide 17

Our Unbalanced Result A1A1 t s1s1 =mod p A2A2 s2s2 n Has entropy greater than nlogp Binary vector

Slide 18

Is the Gaussian Distribution Fundamental to Lattices My opinion To lattices YES A Gaussian distribution centered at any point in space is uniform over R n / L for any small-enough lattice L To lattice cryptography NO We usually work with random lattices of a special form Can use the leftover hash lemma to argue uniformity But Gaussians are often an optimization

Slide 19

What Distribution to use in Practice? Gaussians are often (always?) the optimal distribution to use for minimizing the parameters But Sampling Gaussians requires high(er) precision so maybe too costly in low-power devices Try to use the distribution that minimizes parameters try to improve the efficiency later