Cryptography Stack Exchange
Cryptography Stack Exchange

Questions tagged [sis]

For questions involving/related to the Short Integer Solutions(SIS) problem.

Short integer solution (SIS) and ring-SIS problems are two average-case problems that are used in lattice-based cryptography constructions.

Lattice-based cryptography began in 1996 from a seminal work by Ajtai who presented a family of one-way functions based on SIS problem. He showed that it is secure in an average case if the shortest vector problem $\operatorname{SVP}_\gamma$ (where $\gamma = n^c$ for some constant $c > 0$ is hard in a worst-case scenario.

51 questions
11
votes
1 answer

Relationship between LWE, SIS, and ISIS

Suppose I have a short-secret LWE instance $As+e=b\mod q$. If I treat this as a single matrix, it becomes an ISIS problem: $$ \begin{pmatrix} I &A\end{pmatrix}\begin{pmatrix} e \\ s\end{pmatrix}=b\mod q$$ Any short solution to this problem solves my…
Sam Jaques
  • 1,808
  • 9
  • 13
10
votes
2 answers

Concrete evidence for the asymptotics of $\lambda_1(\Lambda^\perp(A))$?

A recent eprint paper claims to bound $\lambda_1(\Lambda^\perp(\mathbf{A}))$ for $\mathbf{A}\in\mathbb{Z}^{n\times m}$, a uniformly random matrix, by $O(1)$, specifically by $4$. This has applications to solving $\mathsf{SIS}_{n,m,q,4}$ in…
Mark Schultz-Wu
  • 15,089
  • 1
  • 22
  • 53
10
votes
1 answer

Relation between decisional SIS and leftover hash lemma in lattices

The semantic security of Regev's cryptosystem [Reg05] is based on the LWE assumption and leftover hash lemma. This lemma implies that because $m \approx (n+1)\log q$ is large enough, so for uniform $A\in \mathbb{Z}_q^{(n+1)\times m}$ and uniformly…
Hamidreza
  • 1,049
  • 7
  • 19
10
votes
1 answer

Can lattice cryptography problems (ISIS, LWE, etc) be reduced to HSP?

I'm aware that RSA and ECC can be reduced to the Abelian Hidden Subgroup Problem (HSP), which is what makes them vulnerable to Shor's algorithm. I'm curious whether similar reductions exist for lattice-based cryptographic problems such as the…
beep
  • 201
  • 1
7
votes
1 answer

Is LPN not as important as LWE and SVP?

I've been learning about lattice cryptography and have noticed that most resources such as this survey by Chris Peikart, the Winter School on Lattice Cryptography etc don't include material on LPN, and typically only discuss SIS and LWE. According…
fraiser
  • 448
  • 3
  • 8
7
votes
1 answer

Hardness of Short Interger Solution in Lattices

Short Integer Solution ($SIS_{n,m,q,\beta}$) is defined as: Given a matrix $A \in \mathbb{Z}_{q}^{n \times m}$, find a non-zero vector $x \in \mathbb{Z}^{m}$ such that $A \cdot x = 0\mod q$ and $||x|| \le \beta $. In the paper Trapdoors for hard…
preethi
  • 951
  • 7
  • 24
7
votes
1 answer

How to estimate the hardness of SIS instances?

The Short Integer Solution (SIS) problem is to find, given a matrix $A \in \mathbb{F}_q^{n \times m}$ with uniformly random coefficients, a vector $\mathbf{x} \in \mathbb{Z}^m \backslash \{\mathbf{0}\}$ such that $A\mathbf{x} = \mathbf{0} \mod q$…
Alan
  • 1,505
  • 9
  • 10
6
votes
1 answer

The equivalence of SIS and ISIS(Inhomogeneous SIS)

I would like to know whether these two problems are equivalent or not, namely: $SIS_\alpha$: Given $A \in \mathbb{Z}_q^{n\times m}$ find $ e \in \mathbb{Z}_q^{m}$ such that $ Ae = 0$ and and $\|e\| \le \alpha$. $ISIS_\alpha$: Given $A \in…
crypton00b
  • 63
  • 4
6
votes
1 answer

Parameters for high density SIS

I am considering the SIS problem of finding $x\in \mathbb{Z}^m$ such that for random $A\in\mathbb{Z}_q^{n\times m}$, $Ax=0$ and $\lVert x\rVert < \beta$ for some $p$-norm and bound $\beta < q$. High density is when $n\log_2(q) \ll m$, or more…
Joseph Johnston
  • 357
  • 1
  • 9
6
votes
2 answers

ZK Proof for SIS

Let $A x = 0 \bmod q$ with $\Vert x \Vert < \beta$ as part of a lattice SIS problem. Does there exist an efficient zero knowledge proof of knowledge for such a solution? My idea is to use it for an authentication protocol. But all ZK protocols I've…
user27950
5
votes
1 answer

When does the SIS (Short Integer Solution) Lattice-problem start becoming easy (According to the parameters size)?

SIS (Short Integer Solution) Problem : Given $m$ uniformly random vectors $a \in Z_q^n$, grouped as the columns of a matrix $A \in Z_q^{n.m}$, find a nonzero integer vector $z \in Z^m$ with $||z|| \leq \beta \lt q$, such that $Az = 0 \mod…
abdul rahman taleb
  • 363
  • 1
  • 9
5
votes
1 answer

ISIS problem in the case of $m=n$

The Inhomogeneous Short Integer Solution (ISIS) problem is as follows: given an integer $q$, a matrix $A\in \mathbb{Z}^{n\times m}_q$, a vector $b\in \mathbb{Z}^{n}_q$, and a real $\beta$, find an integer vector $e\in\mathbb{Z}^m$ such that…
Don Freecs
  • 617
  • 5
  • 16
4
votes
0 answers

polynomial time reduction from SIS to decisional-LWE?

Is the claim "If there is an efficient algorithm that solves SIS, then there is an efficient algorithm that solves decisional LWE" is sufficient? or, Is the claim above is equivalent to the fact that an instance of SIS is a polynomial-time reduction…
DP2040
  • 83
  • 6
4
votes
0 answers

Size of $q$ in reductions from lattice problems to R-SIS

The Short integer solution problem is parameterized by four values: $n$, the dimension of the vectors that must be added $m$, the number of samples (dimension of the solution) $\beta$, upper-bound for the length of the solution $q$, the modulus…
Hilder Vitor Lima Pereira
  • 7,476
  • 1
  • 25
  • 45
4
votes
1 answer

Is there any reduction from Short Integer Solution to $\textrm{SIVP}_\gamma$

Short Integer Solution (SIS) is proved to be hard by reducing $\textrm{SIVP}_\gamma$ to SIS, i.e., if we solve SIS, then we can solve $\textrm{SIVP}_\gamma$. Is there any way to reduce an instance of SIS to an instance of $\textrm{SIVP}_\gamma$?
preethi
  • 951
  • 7
  • 24
1
2 3 4