Discrete Gaussian Leftover Hash Lemma over Infinite Domains
Authors
Abstract
The classic Leftover Hash Lemma (LHL) is often used to argue that certain distributions arising from modular subset-sums are close to uniform over their finite domain. Though very powerful, the applicability of the leftover hash lemma to lattice-based cryptography is limited for two reasons. First, the distributions we typically care about in lattice-based cryptography are discrete Gaussians, not uniform. Second, the elements chosen from these discrete Gaussian distributions lie in an infinite domain: a lattice rather than a finite field. In this work we prove a "lattice world" analog of LHL over infinite domains, proving that certain "generalized subset sum" distributions are statistically close to well-behaved discrete Gaussian distributions, even without any modular reduction. Specifically, given many vectors $\{x_i\}_{i=1}^m$ from some lattice $L \subset \mathbb{R}^n$, we analyze the probability distribution of $\sum_{i=1}^m z_i x_i$ where the integer vector $z \in \mathbb{Z}^m$ is chosen from a discrete Gaussian distribution. We show that when the $x_i$'s are "random enough" and the Gaussian from which the $z$'s are chosen is "wide enough", the resulting distribution is statistically close to a near-spherical discrete Gaussian over the lattice $L$. Beyond being interesting in its own right, this "lattice-world" analog of LHL has applications to the new construction of multilinear maps [5], where it is used to sample discrete Gaussians obliviously. Specifically, given encodings of the $x_i$'s, it is used to produce an encoding of a near-spherical Gaussian distribution over the lattice. We believe that our new lemma will have other applications, and we sketch some plausible ones in this work.
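As an added illustration (not part of the paper's abstract), the covariance calculation behind the "near-spherical" claim, assuming the Gaussian normalization $\rho_s(x) = \exp(-\pi \|x\|^2 / s^2)$ and writing the $x_i$'s as the columns of a matrix $X$:

$$
X = [\,x_1 \mid \cdots \mid x_m\,] \in \mathbb{R}^{n \times m}, \qquad z \leftarrow D_{\mathbb{Z}^m, s}, \qquad y = \sum_{i=1}^m z_i x_i = Xz .
$$

When $s$ is large enough that $D_{\mathbb{Z}^m,s}$ behaves like its continuous counterpart, $\mathbb{E}[z] = 0$ and $\mathbb{E}[z z^\top] \approx \frac{s^2}{2\pi} I_m$, hence

$$
\mathbb{E}[y y^\top] = X\, \mathbb{E}[z z^\top]\, X^\top \approx \frac{s^2}{2\pi}\, X X^\top = \frac{s^2}{2\pi} \sum_{i=1}^m x_i x_i^\top .
$$

So the output is an ellipsoidal Gaussian over $L$ whose shape is $\sum_i x_i x_i^\top$; it is near-spherical exactly when $\sum_i x_i x_i^\top \approx c \cdot I_n$, which is what "random enough" $x_i$'s provide, while "wide enough" $s$ is what makes the discrete sum track this continuous heuristic (the paper quantifies both conditions).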
Similar resources
Lecture 4 : Leftover Hash Lemma and One Way Functions
We recall some definitions and a claim proved in our previous lecture. These will be required to finish the proof for the Leftover Hash Lemma. Definition 1: $H_\infty(X) = -\log\left(\max_x \Pr[X = x]\right)$. Definition 2: A function $\mathrm{Ext} : \mathcal{U} \times \mathcal{S} \to \mathcal{V}$ is a $(k, \varepsilon)$ extractor if for all random variables $X$ with $H_\infty(X) \ge k$, we have $\mathrm{SD}\left[(S, \mathrm{Ext}(X, S)),\ (S, V)\right] \le \varepsilon$, where $S$ is uniformly distributed over $\mathcal{S}$ and $V$ is uniformly...
Universal hash families and the leftover hash lemma, and applications to cryptography and computing
This paper is an expository treatment of the leftover hash lemma and some of its applications in cryptography and complexity theory.
FHE Circuit Privacy Almost for Free
Circuit privacy is an important property for many applications of fully homomorphic encryption. Prior approaches for achieving circuit privacy rely on superpolynomial noise flooding or on bootstrapping. In this work, we present a conceptually different approach to circuit privacy based on a novel characterization of the noise growth amidst homomorphic evaluation. In particular, we show that a v...
Wiretap Channels: Nonasymptotic Fundamental Limits
This paper investigates the maximal secret communication rate over a wiretap channel subject to reliability and secrecy constraints at a given blocklength. New achievability and converse bounds are derived, which are uniformly tighter than existing bounds, and lead to the tightest bounds on the second-order coding rate for discrete memoryless and Gaussian wiretap channels. The exact second-order...
Secret Key Agreement from Correlated Gaussian Sources by Rate Limited Public Communication
We investigate secret key agreement from correlated Gaussian sources in which the legitimate parties can use public communication with a limited rate. For the class of protocols with one-way public communication, we show a closed-form expression for the optimal trade-off between the rate of key generation and the rate of public communication. Our results clarify an essential differ...