
For a matrix $\mathbf{A} \in \mathbb{Z}_q^{n\times m}$ I will use $\mathbf{A}^{-1}_\sigma (\mathbf{v})$ to denote a vector $\mathbf{u}$ sampled from a discrete Gaussian over $\mathbb{Z}^m$ with standard deviation $\sigma$ conditioned on $\mathbf{A}\mathbf{u} = \mathbf{v}$, which naturally extends to matrices by sampling each column.

Some recent lattice-based cryptography protocols are based on Short Integer Solution (SIS) or Learning With Errors (LWE) with additional hints. For instance, Wee24 introduced the $\ell$-succinct SIS assumption, which states that it is hard to solve SIS with respect to a matrix $\mathbf{A}$ even when the adversary is given matrices $\mathbf{W}$ and $\mathbf{T}$ such that $[\mathbf{I}_{\ell} \otimes \mathbf{A}\mid \mathbf{W}]\cdot \mathbf{T} = \mathbf{I}_\ell\otimes \mathbf{G}$, where $\mathbf{G}$ is the gadget matrix that contains powers of two on its diagonal, $\mathbf{I}_\ell$ is the identity matrix of $\ell \times \ell$ dimension, $\mathbf{W}$ is a random matrix, $\otimes$ is the Kronecker product, and $\mathbf{T}\gets [\mathbf{I}_{\ell} \otimes \mathbf{A}\mid \mathbf{W}]^{-1}_{\sigma_0} (\mathbf{G})$.

In constructions where the $\ell$-succinct SIS assumption is used, the proof generally follows this series of hybrids:

  • Hybrid 0: $\mathbf{A}$ is generated with a trapdoor $\mathbf{T}_\mathbf{A}$ that allows one to execute an algorithm $\mathsf{SamplePre}$ that efficiently samples from the distribution $\mathbf{A}^{-1}_{\sigma}(*)$ for a sufficiently large $\sigma>0$, and $\mathbf{T}$ is generated by executing $\mathsf{SamplePre}$.
  • Hybrid 1: $\mathbf{A}$ is generated with a trapdoor $\mathbf{T}_\mathbf{A}$, but instead of using $\mathsf{SamplePre}$ to sample $\mathbf{T}$, we sample $\mathbf{T}$ directly from $[ \mathbf{I}_\ell \otimes \mathbf{A}\mid \mathbf{W}]^{-1}_{\sigma} (\mathbf{G})$.
  • Hybrid 2: $\mathbf{A}$ is sampled uniformly at random and $\mathbf{T}$ directly from $[ \mathbf{I}_\ell \otimes \mathbf{A}\mid \mathbf{W}]^{-1}_{\sigma} (\mathbf{G})$ (this is exactly an instance given by an $\ell$-succinct challenger).

Given that we generally want the reduction to be polytime, does that mean, in Hybrid 1, the reduction can "efficiently" sample from $[ \mathbf{I}_\ell \otimes \mathbf{A}\mid \mathbf{W}]^{-1}_{\sigma} (\mathbf{G})$? If so, wouldn't that mean the reduction could "efficiently" sample from $\mathbf{A}^{-1}_{\sigma}(\mathbf{0})$, and therefore solve SIS on its own without the help of the adversary?

This approach also occurs in works that rely on the structured Basis Augmented SIS (struct BASIS) assumption introduced by Wee-Wu23, which states that it is hard to solve SIS for a matrix $\mathbf{A}$ even when the adversary is given $\mathbf{W}$ and $\mathbf{T} \gets [\mathbf{I}_\ell \otimes \mathbf{A} \mid \mathbf{W} \mathbf{\bar{G}}]^{-1}_{\sigma}(\mathsf{diag}(\mathbf{W}_1^{-1}\mathbf{G}, \dots, \mathbf{W}_\ell^{-1}\mathbf{G}))$, where $\mathbf{W} = [\mathbf{W}_1^\top\mid \dots \mid\mathbf{W}_\ell^\top]^{\top}$ and $\mathbf{\bar{G}} = [1^\ell \otimes \mathbf{G}]$.

Hence, what is the reasoning behind allowing the reduction/challenger to sample directly from $\mathbf{\bar{A}}^{-1}_\sigma(*)$ for some matrix $\mathbf{\bar{A}}$ during a hybrid?

vxek

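The following is an added toy illustration of the objects in the question; it is not part of the post and not code from Wee24 or Wee-Wu23. It uses a deterministic MP12-style gadget trapdoor $\mathbf{A} = [\bar{\mathbf{A}} \mid \mathbf{G} - \bar{\mathbf{A}}\mathbf{R}]$ as a stand-in for $\mathsf{SamplePre}$ (bit decomposition instead of a discrete Gaussian, so it says nothing about the distribution of $\mathbf{T}$, which is what the hybrid argument is about) with small constructed parameters ($q = 16$, $n = 2$, $\ell = 2$; all names are assumptions). It checks two things the question relies on: that a trapdoor for $\mathbf{A}$ alone suffices to build a $\mathbf{T}$ with $[\mathbf{I}_\ell \otimes \mathbf{A} \mid \mathbf{W}]\,\mathbf{T} = \mathbf{I}_\ell \otimes \mathbf{G}$, and that the same trapdoor directly yields a short nonzero kernel vector of $\mathbf{A}$, i.e. the SIS solution the question worries about.

```python
import random

# Constructed toy parameters (assumptions, not from the question): q = 2^k.
Q, K, N, M_BAR, ELL, W_COLS = 16, 4, 2, 3, 2, 3


def identity(n):
    return [[1 if i == j else 0 for j in range(n)] for i in range(n)]


def matmul(A, B, q=Q):
    """Matrix product over Z_q; matrices are lists of rows."""
    return [[sum(A[i][t] * B[t][j] for t in range(len(B))) % q
             for j in range(len(B[0]))] for i in range(len(A))]


def mat_vec(A, u, q=Q):
    return [sum(A[i][j] * u[j] for j in range(len(u))) % q for i in range(len(A))]


def kron(A, B):
    """Kronecker product A (x) B."""
    return [[a * b for a in row_a for b in row_b] for row_a in A for row_b in B]


def gadget(n, k=K):
    """Gadget matrix G = I_n (x) (1, 2, ..., 2^(k-1)), size n x nk."""
    return kron(identity(n), [[2 ** i for i in range(k)]])


def gadget_inverse(v, k=K, q=Q):
    """Bit-decompose v so that G x = v mod q with x in {0,1}^{nk}."""
    x = []
    for entry in v:
        x.extend(((entry % q) >> i) & 1 for i in range(k))
    return x


def gen_trapdoor(seed=0, n=N, m_bar=M_BAR, k=K, q=Q):
    """A = [A_bar | G - A_bar R] with small R in {-1,0,1}^{m_bar x nk} as trapdoor."""
    rng = random.Random(seed)
    A_bar = [[rng.randrange(q) for _ in range(m_bar)] for _ in range(n)]
    R = [[rng.choice((-1, 0, 1)) for _ in range(n * k)] for _ in range(m_bar)]
    G, AR = gadget(n, k), matmul(A_bar, R, q)
    A = [A_bar[i] + [(G[i][j] - AR[i][j]) % q for j in range(n * k)] for i in range(n)]
    return A, A_bar, R


def sample_pre(A_bar, R, v):
    """Deterministic stand-in for SamplePre: short u with A u = v (mod q).
    x = G^{-1}(v), u = [R x ; x]:  A u = A_bar R x + (G - A_bar R) x = G x = v."""
    x = gadget_inverse(v)
    top = [sum(R[i][j] * x[j] for j in range(len(x))) for i in range(len(R))]
    return top + x


def succinct_hint(A, A_bar, R, W, ell=ELL):
    """Toy T with [I_ell (x) A | W] T = I_ell (x) G.  The target is block-diagonal,
    so every column splits into ell blocks preimaged independently under A; the
    rows of T belonging to W are simply set to zero (a Gaussian sampler would not)."""
    n = len(A)
    target = kron(identity(ell), gadget(n))
    cols = []
    for j in range(len(target[0])):
        v = [target[i][j] for i in range(len(target))]
        u = []
        for b in range(ell):
            u += sample_pre(A_bar, R, v[b * n:(b + 1) * n])
        cols.append(u + [0] * len(W[0]))
    T = [[cols[j][i] for j in range(len(cols))] for i in range(len(cols[0]))]
    return T, target


def sis_solution_from_trapdoor(A_bar, R):
    """Short nonzero u with A u = 0: pick s with G s = 0 (s = (2,-1,0,...) in the
    first gadget block, since 1*2 + 2*(-1) = 0) and set u = [R s ; s]."""
    s = [0] * len(R[0])
    s[0], s[1] = 2, -1
    top = [sum(R[i][j] * s[j] for j in range(len(s))) for i in range(len(R))]
    return top + s


def check(seed=0):
    """Returns (hint relation holds, trapdoor gives a short nonzero SIS solution)."""
    A, A_bar, R = gen_trapdoor(seed)
    rng = random.Random(seed + 1)
    W = [[rng.randrange(Q) for _ in range(W_COLS)] for _ in range(ELL * N)]
    T, target = succinct_hint(A, A_bar, R, W)
    lhs = [ra + rw for ra, rw in zip(kron(identity(ELL), A), W)]
    hint_ok = matmul(lhs, T) == target
    u = sis_solution_from_trapdoor(A_bar, R)
    sis_ok = mat_vec(A, u) == [0] * N and any(u) and max(abs(e) for e in u) <= 3
    return hint_ok, sis_ok


if __name__ == "__main__":
    print(check())
```

Because the stand-in sampler is deterministic, `sample_pre` on the zero target returns the zero vector; `sis_solution_from_trapdoor` shows that the trapdoor nonetheless gives a short kernel vector, which is exactly why the question's Hybrid 1 cannot be read as "the reduction runs a preimage sampler without $\mathbf{T}_\mathbf{A}$".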