Open Access, Book Chapter

Discrete Gaussian Leftover Hash Lemma over Infinite Domains

TLDR
This work proves a "lattice world" analog of LHL over infinite domains, proving that certain "generalized subset sum" distributions are statistically close to well behaved discrete Gaussian distributions, even without any modular reduction.
Abstract
The classic Leftover Hash Lemma (LHL) is often used to argue that certain distributions arising from modular subset-sums are close to uniform over their finite domain. Though very powerful, the applicability of the leftover hash lemma to lattice-based cryptography is limited for two reasons. First, typically the distributions we care about in lattice-based cryptography are discrete Gaussians, not uniform. Second, the elements chosen from these discrete Gaussian distributions lie in an infinite domain: a lattice rather than a finite field. In this work we prove a "lattice world" analog of LHL over infinite domains, proving that certain "generalized subset sum" distributions are statistically close to well behaved discrete Gaussian distributions, even without any modular reduction. Specifically, given many vectors $\{\vec x_i\}_{i=1}^m$ from some lattice $L \subset \mathbb{R}^n$, we analyze the probability distribution $\sum_{i=1}^m z_i \vec x_i$ where the integer vector $\vec z \in \mathbb{Z}^m$ is chosen from a discrete Gaussian distribution. We show that when the $\vec x_i$'s are "random enough" and the Gaussian from which the $\vec z$'s are chosen is "wide enough", then the resulting distribution is statistically close to a near-spherical discrete Gaussian over the lattice $L$. Beyond being interesting in its own right, this "lattice-world" analog of LHL has applications for the new construction of multilinear maps [5], where it is used to sample discrete Gaussians obliviously. Specifically, given encodings of the $\vec x_i$'s, it is used to produce an encoding of a near-spherical Gaussian distribution over the lattice. We believe that our new lemma will have other applications, and sketch some plausible ones in this work.


Citations
Book Chapter

Practical Multilinear Maps over the Integers

TL;DR: A different construction that works over the integers instead of ideal lattices, similar to the DGHV fully homomorphic encryption scheme, and a different technique for proving the full randomization of encodings, using the classical leftover hash lemma over a quotient lattice.
Book

Advances in cryptology -- EUROCRYPT 2010 : 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, French Riviera, May 30-June 3, 2010 : proceedings

Henri Gilbert
TL;DR: Cryptosystems I and II: Cryptography between Wonderland and Underland as discussed by the authors, a simple BGN-type Cryptosystem from LWE, or Bonsai Trees, or how to delegate a Lattice Basis.
Book Chapter

Graph-Induced Multilinear Maps from Lattices

TL;DR: In this article, a graph-induced multilinear encoding scheme from lattices was proposed, in which the arithmetic operations that are allowed are restricted through an explicitly defined directed graph (somewhat similar to the asymmetric variant of previous schemes).
Book

Advances in cryptology : Eurocrypt 2011 : 30th annual international conference on the theory and applications of cryptographic techniques, Tallinn, Estonia, May 15-19, 2011 : proceedings

TL;DR: This book constitutes the refereed proceedings of the 30th Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2011, held in Tallinn, Estonia, in May 2011, and contains 31 papers, presented together with 2 invited talks.
Book Chapter

GGHLite: More Efficient Multilinear Maps from Ideal Lattices

TL;DR: In this paper, the security analysis of the re-randomization process in the GGH construction has been improved by applying the Renyi divergence instead of the conventional statistical distance as a measure of distance between distributions.
References
Proceedings Article

On lattices, learning with errors, random linear codes, and cryptography

TL;DR: A public-key cryptosystem whose hardness is based on the worst-case quantum hardness of SVP and SIVP, and an efficient solution to the learning problem implies a quantum, which can be made classical.
Proceedings Article

Trapdoors for hard lattices and new cryptographic constructions

TL;DR: In this article, the authors show how to construct a variety of "trapdoor" cryptographic tools assuming the worst-case hardness of standard lattice problems (such as approximating the length of the shortest nonzero vector to within certain polynomial factors).
Journal Article

On lattices, learning with errors, random linear codes, and cryptography

TL;DR: A (classical) public-key cryptosystem whose security is based on the hardness of the learning problem, which is a reduction from worst-case lattice problems such as GapSVP and SIVP to a certain learning problem that is quantum.
Book Chapter

Fully homomorphic encryption over the integers

TL;DR: A fully homomorphic encryption scheme, using only elementary modular arithmetic, that reduces the security of the scheme to finding an approximate integer gcd, and investigates the hardness of this task, building on earlier work of Howgrave-Graham.
Journal Article

Trapdoors for Hard Lattices and New Cryptographic Constructions.

TL;DR: In this article, the authors show how to construct a variety of "trapdoor" cryptographic tools assuming the worst-case hardness of standard lattice problems (such as approximating the length of the shortest nonzero vector to within certain polynomial factors).