SVP\gamma
\gamma=nc
c>0
Average case problems are the problems that are hard to be solved for some randomly selected instances. For cryptography applications, worst case complexity is not sufficient, and we need to guarantee cryptographic construction are hard based on average case complexity.
A full rank lattice
ak{L}\subset\Rn
n
\{b1,\ldots,bn\}
ak{L}(b1,\ldots,bn)=\left\{
| n | |
| \sum | |
| i=1 |
zibi:zi\in\Z\right\}=\{B\boldsymbol{z}:\boldsymbol{z}\in\Zn\}
where
B\in\Rn x
Remark: Given
B1,B2
ak{L}
U1
B1=B2U
| -1 | |
| 1 |
,B2=B1U1
Definition: Rotational shift operator on
\Rn(n\geq2)
\operatorname{rot}
\forall\boldsymbol{x}=(x1,\ldots,xn-1,xn)\in\Rn:\operatorname{rot}(x1,\ldots,xn-1,xn)=(xn,x1,\ldots,xn-1)
Micciancio introduced cyclic lattices in his work in generalizing the compact knapsack problem to arbitrary rings.[2] A cyclic lattice is a lattice that is closed under rotational shift operator. Formally, cyclic lattices are defined as follows:
Definition: A lattice
ak{L}\subseteq\Zn
\forall\boldsymbol{x}\inak{L}:\operatorname{rot}(\boldsymbol{x})\inak{L}
Examples:[3]
\Zn
R=\Z[x]/(xn-1)
R=\Z[x]/(xn-1)
p(x)
R
p(x)=
| n-1 | |
| \sum | |
| i=0 |
| i | |
| a | |
| ix |
ai\in\Z
i=0,\ldots,n-1
Define the embedding coefficient
\Z
\rho
\begin{align} \rho:R& → \Zn\\[4pt] p(x)=
| n-1 | |
| \sum | |
| i=0 |
| i | |
| a | |
| ix |
&\mapsto(a0,\ldots,an-1) \end{align}
Let
I\subsetR
I\subsetR
ak{L}I
\Zn
ak{L}I:=\rho(I)=\left\{(a0,\ldots,an-1)\mid
| n-1 | |
| \sum | |
| i=0 |
| i | |
| a | |
| ix |
\inI\right\}\subset\Zn.
Theorem:
ak{L}\subset\Zn
ak{L}
I
R=\Z[x]/(xn-1)
proof:
\Leftarrow)
ak{L}=ak{L}I:=\rho(I)=\left\{(a0,\ldots,an-1)\mid
| n-1 | |
| \sum | |
| i=0 |
| i | |
| a | |
| ix |
\inI\right\}
Let
(a0,\ldots,an-1)
ak{L}
p(x)=
| n-1 | |
| \sum | |
| i=0 |
| i | |
| a | |
| ix |
\inI
I
xp(x)\inI
\rho(xp(x))\inak{L}I
\rho(xp(x))=\operatorname{rot}(a0,\ldots,an-1)\inak{L}I
ak{L}
⇒ )
Let
ak{L}\subset\Zn
\forall(a0,\ldots,an-1)\inak{L}:\operatorname{rot}(a0,\ldots,an-1)\inak{L}
Define the set of polynomials
I:=\left\{
| n-1 | |
| \sum | |
| i=0 |
| i | |
| a | |
| ix |
\mid(a0,\ldots,an-1)\inak{L}\right\}
ak{L}
\Zn
I\subsetR
R
ak{L}
\forallp(x)\inI:xp(x)\inI
Hence,
I\subsetR
ak{L}=ak{L}I
Let
f(x)\in\Z[x]
n
f(x)
f(x)
(f(x)):=f(x) ⋅ \Z[x]=\{f(x)g(x):\forallg(x)\in\Z[x]\}.
The quotient polynomial ring
R=\Z[x]/(f(x))
\Z[x]
n-1
R=\Z[x]/(f(x))=\left\{
| n-1 | |
| \sum | |
| i=0 |
| i: | |
| a | |
| ix |
ai\in\Z\right\}
f(x)
Consider the embedding coefficient
\Z
\rho
R
\Zn
Definition:
ak{L}I
I
R=\Z[x]/(p(x))
(p(x))
n
p(x)\in\Z[x]
ak{L}I
\Zn
ak{L}I:=\rho(I)=\left\{(a0,\ldots,an-1)\mid
| n-1 | |
| \sum | |
| i=0 |
aixi\inI\right\}\subset\Zn.
Remark:[5]
GapSVP\gamma
\gamma=\operatorname{poly(n)}
n
SVP\gamma
SIVP\gamma
SVP\gamma
SIVP\gamma
The Short Integer Solution (SIS) problem is an average case problem that is used in lattice-based cryptography constructions. Lattice-based cryptography began in 1996 from a seminal work by Ajtai[1] who presented a family of one-way functions based on the SIS problem. He showed that it is secure in an average case if
SVP\gamma
\gamma=nc
c>0
Let
A\in
| n x m | |
| \Z | |
| q |
n x m
\Zq
m
\boldsymbol{ai}\in
| n | |
| \Z | |
| q |
A=[\boldsymbol{a1}| … |\boldsymbol{am}]
\boldsymbol{x}\in\Zm
\| ⋅ \|
0<\|\boldsymbol{x}\|\leq\beta
fA(\boldsymbol{x}):=A\boldsymbol{x}=\boldsymbol{0}\in
| n | |
| \Z | |
| q |
A solution to SIS without the required constraint on the length of the solution (
\|\boldsymbol{x}\|\leq\beta
\beta<q
\boldsymbol{x}=(q,0,\ldots,0)\in\Zm
fA(\boldsymbol{x})
\beta\geq\sqrt{nlogq}
m\geqnlogq
Theorem: For any
m=\operatorname{poly}(n)
\beta>0
q\geq\betanc
c>0
\operatorname{SIS}n,m,q,\beta
\operatorname{GapSVP}\gamma
\operatorname{SIVP}\gamma
\gamma=\beta ⋅ O(\sqrt{n})
The SIS problem solved over an ideal ring is also called the Ring-SIS or R-SIS problem.[2] [9] This problem considers a quotient polynomial ring
Rq=\Zq[x]/(f(x))
f(x)=xn-1
n
\| ⋅ \|
k
n=2k
We then define the problem as follows:
Select
m
ai\inRq
\vec{\boldsymbol{a}}:=(a1,\ldots,am)\in
| m | |
| R | |
| q |
\vec{\boldsymbol{z}}:=(z1,\ldots,zm)\inRm
0<\|\vec{\boldsymbol{z}}\|\leq\beta
f\vec{\boldsymbol{a
Recall that to guarantee existence of a solution to SIS problem, we require
m ≈ nlogq
m ≈ logq
Definition: The nega-circulant matrix of
b
for b=
| n-1 | |
| \sum | |
| i=0 |
| i | |
| b | |
| ix |
\inR, \operatorname{rot}(b):=\begin{bmatrix} b0&-bn-1&\ldots&-b1\\[0.3em] b1&b0&\ldots&-b2\\[0.3em] \vdots&\vdots&\ddots&\vdots\\[0.3em] bn-1&bn-2&\ldots&b0 \end{bmatrix}
When the quotient polynomial ring is
R=\Z[x]/(xn+1)
n=2k
ai.pi
\operatorname{rot}(ai)
ai
\operatorname{rot}(ai)
\rho(pi(x))\inZn
pi
\sigma(pi(x))\inZn
Moreover, R-SIS problem is a special case of SIS problem where the matrix
A
A=[\operatorname{rot}(a1)| … |\operatorname{rot}(am)]
The SIS problem solved over a module lattice is also called the Module-SIS or M-SIS problem. Like R-SIS, this problem considers the quotient polynomial ring
R=\Z[x]/(f(x))
Rq=\Zq[x]/(f(x))
f(x)=xn-1
n
M
d
M\subseteqRd
\| ⋅ \|
| m | |
| R | |
| q |
We then define the problem as follows:
Select
m
ai\in
| d | |
| R | |
| q |
\vec{\boldsymbol{a}}:=(a1,\ldots,am)\in
| d x m | |
| R | |
| q |
\vec{\boldsymbol{z}}:=(z1,\ldots,zm)\inRm
0<\|\vec{\boldsymbol{z}}\|\leq\beta
f\vec{\boldsymbol{a
While M-SIS is a less compact variant of SIS than R-SIS, the M-SIS problem is asymptotically at least as hard as R-SIS and therefore gives a tighter bound on the hardness assumption of SIS. This makes assuming the hardness of M-SIS a safer, but less efficient underlying assumption when compared to R-SIS.