Questions tagged [reduction]

Reduction is a technique for proving the security of a cryptosystem.

A reduction is the argument inside a security proof that turns any efficient adversary breaking a primitive or scheme into an efficient algorithm for a problem assumed to be hard (factoring, discrete logarithm, LWE, SIS, ...). If that problem really is hard, no such adversary can exist, so the scheme is secure; the loss in running time and success probability incurred by the conversion is what makes a reduction tight or loose.

43 questions
11
votes
1 answer

Relationship between LWE, SIS, and ISIS

Suppose I have a short-secret LWE instance $As+e=b\mod q$. If I treat this as a single matrix, it becomes an ISIS problem: $$ \begin{pmatrix} I &A\end{pmatrix}\begin{pmatrix} e \\ s\end{pmatrix}=b\mod q$$ Any short solution to this problem solves my…
Sam Jaques
  • 1,808
  • 9
  • 13
11
votes
1 answer

What does 'a reduction is tight' mean rigorously?

As far as I know, when someone says 'a reduction is tight', it means that given that there is an adversary $A$ with advantage $\epsilon$ and running time $t$ and another adversary $B$ utilizing $A$ to solve a problem $P$, the advantage and running…
Lee Seungwoo
  • 373
  • 1
  • 8
5
votes
1 answer

Is $F(k,k) \oplus F(k,x)$ a pseudorandom permutation?

Suppose that $F: \{0,1\}^n\times \{0,1\}^n\rightarrow \{0,1\}^n$ is a strongly pseudorandom permutation. Let $\hat{F}(k,x):=F(k,k)\oplus F(k,x)$. I know that $\hat{F}$ can't be a strongly pseudorandom permutation. How to prove that $\hat{F}$ is a…
YirongHu
  • 91
  • 6
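The strong-PRP failure the question above takes as given, written out as an added Python example (not from the question or any answer). F is a toy 4-round Feistel permutation on 16-bit blocks with a 16-bit key, standing in for the strong PRP the question assumes; the lazily sampled random permutation and the seeds are constructed for the demo. The block only shows the inverse-query distinguisher against $\hat F$; the separate question of proving $\hat F$ is a (forward-only) PRF is not addressed here.

```python
"""Why \\hat F(k,x) = F(k,k) xor F(k,x) is not a *strong* PRP (added example).

F is a toy 4-round Feistel permutation on 16-bit blocks with a 16-bit key,
standing in for the strong PRP assumed in the question; it is constructed for
this demo and is not claimed to be secure beyond it.
"""
import hashlib
import random

N = 16                      # block and key length in bits (assumed toy size)


def _round(k: int, i: int, half: int) -> int:
    """Keyed round function on an 8-bit half, derived from SHA-256."""
    return hashlib.sha256(bytes([k >> 8, k & 0xFF, i, half])).digest()[0]


def F(k: int, x: int) -> int:
    """Forward permutation F(k, x): four Feistel rounds."""
    l, r = x >> 8, x & 0xFF
    for i in range(4):
        l, r = r, l ^ _round(k, i, r)
    return (l << 8) | r


def F_inv(k: int, y: int) -> int:
    """Inverse permutation: undo the rounds in reverse order."""
    l, r = y >> 8, y & 0xFF
    for i in reversed(range(4)):
        l, r = r ^ _round(k, i, l), l
    return (l << 8) | r


def Fhat(k: int, x: int) -> int:
    """The construction from the question: F(k,k) xor F(k,x)."""
    return F(k, k) ^ F(k, x)


def Fhat_inv(k: int, y: int) -> int:
    return F_inv(k, y ^ F(k, k))


class RandomPerm:
    """Lazily sampled uniformly random permutation of {0,1}^N, both directions."""

    def __init__(self, seed: int):
        self.rng = random.Random(seed)
        self.fwd_tab, self.inv_tab = {}, {}

    def _bind(self, x: int, y: int) -> None:
        self.fwd_tab[x], self.inv_tab[y] = y, x

    def fwd(self, x: int) -> int:
        if x not in self.fwd_tab:
            y = self.rng.randrange(1 << N)
            while y in self.inv_tab:          # keep it a bijection
                y = self.rng.randrange(1 << N)
            self._bind(x, y)
        return self.fwd_tab[x]

    def inv(self, y: int) -> int:
        if y not in self.inv_tab:
            x = self.rng.randrange(1 << N)
            while x in self.fwd_tab:
                x = self.rng.randrange(1 << N)
            self._bind(x, y)
        return self.inv_tab[y]


def distinguish(fwd, inv) -> bool:
    """Two-query distinguisher with oracle access to both directions.

    Since \\hat F(k, k) = F(k,k) xor F(k,k) = 0, asking the inverse oracle for
    the preimage of 0 returns the key itself; one forward query on any other
    point confirms the guess.  Returns True for '\\hat F', False for 'random'.
    Against a random permutation the check succeeds with probability ~2^-N.
    """
    k_guess = inv(0)
    probe = k_guess ^ 1                 # any point other than k_guess works
    return fwd(probe) == Fhat(k_guess, probe)
```

Run stand-alone, `distinguish` answers True whenever it is wired to `Fhat`/`Fhat_inv` under any key and False (except with probability about 2^-16) when wired to a `RandomPerm`. The inverse oracle is essential: the attack needs the preimage of 0, which a forward-only PRF adversary cannot request.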
5
votes
1 answer

The rigorous proof in the commitment based on CRHF

I'm reading the lecture notes of Yevgeniy Dodis. His lecture 14, section 2.3.2, gives a commitment construction based on a CRHF, but the proof of hiding is high-level. I want to know the rigorous proof of why, even subject to $u(x)=m$, the still…
5
votes
2 answers

Security reduction seems to wrongly show that a non-PRF is a PRF

This is a well-known exercise that has already even been posted here. I understand both arguments to prove and disprove that $F'$ and $\bar{F}$ are PRFs, as I explain below, however, it seems that the proof also applies to the case where $\bar{F}$…
Marcellus
  • 274
  • 1
  • 6
4
votes
0 answers

polynomial time reduction from SIS to decisional-LWE?

Is the claim "If there is an efficient algorithm that solves SIS, then there is an efficient algorithm that solves decisional LWE" sufficient? Or is the claim above equivalent to the fact that an instance of SIS is a polynomial-time reduction…
DP2040
  • 83
  • 6
4
votes
2 answers

Confusion in proof details of General Forking Lemma in paper [BN06]

In ACM CCS 2006, Mihir Bellare and Gregory Neven gave an elegant proof of the General Forking Lemma [https://doi.org/10.1145/1180405.1180453]. However, it makes me really confused about the steps to prove $\Pr[I'=I \land I \geq 1]\geq acc(x)^2/q$ on page 11…
4
votes
1 answer

Reducing exact SVP to exact SIVP

In "Efficient reductions among lattice problems" by Micciancio (2007) it is said that SVP reduces to SIVP in their exact versions. I did not find anything about this fact; is the reduction that trivial? Does the same hold for their approximation…
user108492
  • 41
  • 2
4
votes
1 answer

In the reduction from search LWE to decision LWE, why does sampling need to be repeated a polynomial number of times?

I've been reading through MIT's lecture notes on learning with errors here, and I'm trying to understand the reduction from Search LWE to Decision LWE, as described there in Section 2.7, "Algorithm 1". I cannot seem to understand why we need to…
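The search-to-decision reduction the question above asks about, as an added toy Python example (not the notes' Algorithm 1 and not from the question). The modulus q, dimension n, error bound and secret are constructed for the demo, and the decision oracle is idealised: it knows s and accepts exactly when every sample has small error, standing in for the distinguisher the reduction assumes. The last function measures how often a wrong guess for s_i is accepted as a function of how many transformed samples the oracle sees, which is where the polynomial number of samples comes from.

```python
"""Search-to-decision LWE, toy version (added example, not the notes' algorithm).

q, n, ERR and the secrets below are assumed demo values.  The decision oracle
is idealised (it knows s); it stands in for the distinguisher the reduction
assumes and lets the transformation itself be checked.
"""
import random

q, n = 97, 4            # prime modulus and secret dimension (assumed)
ERR = 2                 # errors are drawn uniformly from [-ERR, ERR]
rng = random.Random(7)  # fixed seed so the demo is reproducible


def inner(a, s):
    return sum(ai * si for ai, si in zip(a, s)) % q


def centered(x):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def lwe_samples(s, count):
    """count samples (a, <a,s> + e mod q) with a uniform and |e| <= ERR."""
    out = []
    for _ in range(count):
        a = [rng.randrange(q) for _ in range(n)]
        out.append((a, (inner(a, s) + rng.randint(-ERR, ERR)) % q))
    return out


def make_decision_oracle(s):
    """Idealised decision-LWE oracle: True iff every sample is LWE w.r.t. s."""
    def D(samples):
        return all(abs(centered(b - inner(a, s))) <= ERR for a, b in samples)
    return D


def shift(samples, i, k):
    """The reduction's transformation for the guess 'k == s_i':
    (a, b) -> (a + r*e_i, b + r*k) with a fresh uniform r per sample.
    Then b' - <a', s> = e + r*(k - s_i) mod q, so the output is LWE-distributed
    iff k == s_i and uniform otherwise (q prime, r uniform)."""
    out = []
    for a, b in samples:
        r = rng.randrange(q)
        a2 = list(a)
        a2[i] = (a2[i] + r) % q
        out.append((a2, (b + r * k) % q))
    return out


def search_from_decision(samples, D):
    """Recover s coordinate by coordinate: q guesses per coordinate, one D query each."""
    return [next((k for k in range(n * 0 + q) if D(shift(samples, i, k))), None)
            for i in range(n)]


def wrong_guess_accept_rate(num_samples, trials=2000):
    """Empirical probability that D accepts a *wrong* guess from num_samples
    transformed samples.  With one sample the shifted error e + r*(k - s_i) lands
    back in [-ERR, ERR] with probability (2*ERR+1)/q, about 5% here, so a single
    sample cannot separate right from wrong; the rate drops exponentially in
    num_samples, which is why the reduction needs polynomially many of them."""
    s = [rng.randrange(q) for _ in range(n)]
    D = make_decision_oracle(s)
    hits = 0
    for _ in range(trials):
        i = rng.randrange(n)
        k = (s[i] + rng.randrange(1, q)) % q      # guaranteed wrong guess
        if D(shift(lwe_samples(s, num_samples), i, k)):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    secret = [3, 51, 96, 20]
    D = make_decision_oracle(secret)
    print("recovered:", search_from_decision(lwe_samples(secret, 40), D))
    for m in (1, 3, 10):
        print(f"m={m}: wrong guesses accepted {wrong_guess_accept_rate(m):.3f}")
```

With 40 samples the four coordinates are recovered exactly; with one sample roughly one wrong guess in twenty is accepted, and the reduction would output garbage. A real distinguisher with only non-negligible advantage adds a second source of repetition on top of this, since each of its answers must also be amplified by majority vote.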
3
votes
1 answer

What's wrong with the obvious reduction of factoring to DLOG?

Suppose you can solve DLOG in arbitrary groups. Then I give you the challenge of solving DLOG$(a,1)$ over the group $\mathbb{Z}_n^*$, where $a$ is some arbitrary integer and $n$ is some integer to be factored. Your answer gives me the order of $a$,…
Sam Jaques
  • 1,808
  • 9
  • 13
3
votes
2 answers

Reduction to the DDH problem

I am struggling with a specific reduction as a part of a question I am solving and I was wondering if I can get some advice. Assume we have Adversary A that can distinguish with high probability between the following distributions: $(G, q, g, g^x,…
IVRODB
  • 111
  • 1
3
votes
1 answer

Resources for simple MPC proofs

Could anyone direct me to literature regarding privacy proofs in the MPC setting? For example, how can one prove the following simple problem: suppose a setting in which $n$ parties $S_1, \ldots, S_n$ wish to compute an additive sharing of $0$, so…
3
votes
1 answer

How do the lengths of the Gram-Schmidt orthogonal basis of a lattice basis change after LLL reduction?

Assuming there is a lattice basis $B=\{b_1,...,b_n\}$, we use $B^*=\{b_1^*,...,b_n^*\}$ to denote the Gram-Schmidt orthogonal basis, where $b_i^*=\pi_i(b_i)$ and $\pi_i(b_i)$ denotes the projection of $b_i$ on the orthogonal complement of the space…
kangli
  • 75
  • 5
3
votes
0 answers

What breaks with "usual" classical security reductions in the quantum setting?

OK, so I know that this is somewhat really basic in "post-quantum discourse", but unfortunately I did not find any textbooks/entry-level papers specific to the topic of reductions in the quantum setting. It seems that there are two main caveats…
Kirill Tsar.
  • 609
  • 4
  • 13
2
votes
1 answer

Meta Reduction in Fiat Shamir Transformation

What is meant by meta reduction? What does it achieve and how is it different from the normal reduction technique?
Crypto_Research
  • 719
  • 3
  • 10