ISISf: Difference between revisions

Latest revision as of 13:29, 27 August 2025

The ISIS_f assumption was introduced by Bootle, Lyubashevsky, Nguyen, and Sorniotti in 2023.^[1] It introduces a function $f$ that removes the requirement of a static target vector and passes additional hints to the adversary.

Formal Definition

ISIS_f

Let $(n, m, d, q, β, k, s, N)$ be public parameters, matrix $𝐀 \in ℛ_{q}^{n \times m}$ be chosen uniformly at random and $f$ be a specified function $f : [N] \to ℛ_{q}^{n}$ . The challenger generates $k$ hints $(x_{i}, 𝐬_{i})$ in the following way.

$x_{i} \leftarrow [N]$
$𝐬_{i} \leftarrow 𝐀_{s}^{- 1} (f (x_{i}))$

Given the matrix $𝐀$ , the function $f$ , and the set of hints ${(x_{i}, 𝐬_{i})}_{i \in [k]}$ , the adversary is asked to find a new tuple $(x^{*}, 𝐬^{*}) \in [N] \times ℛ^{m}$ satisfying $𝐀 \cdot 𝐬^{*} = f (x^{*}) mod q \land 0 < ‖ 𝐬^{*} ‖ \leq β \land (x^{*}, 𝐬^{*}) \notin {(x_{i}, 𝐬_{i})_{i \in [k]}} .$

Intuition. ISIS_f essentially expects the adversary to either successfully solve ISIS or compute a preimage of the function $f$ . Thus, the hardness of ISIS_f depends on the choice of $f$ . We list few examples for insecure choices of $f$ .

Additively homomorphic functions imply trivial solutions by adding or subtracting two hints.
Any efficiently invertible function using public information enables choosing $𝐬^{*} \in ℛ^{m}$ short and finding a preimage of $𝐀 \cdot 𝐬^{*}$ .
Assume $f$ is a linear function and the domain of $f$ was mapped to $ℤ_{N}$ . Then, any hint $(x_{i}, 𝐬_{i})$ can be used to generate a valid ISIS_f solution $(- x_{i}, - 𝐬_{i})$ .

Interactive ISIS_f

Let $(n, m, d, ℓ_{m}, ℓ_{r}, q, β_{s}, β_{m}, s, N)$ be public parameters, matrices $𝐀 \in ℛ_{q}^{n \times m}, 𝐂 \in ℛ_{q}^{n \times (ℓ_{m} + ℓ_{r})}$ be chosen uniformly at random, $f$ be a specified function $f : [N] \to ℛ_{q}^{n}$ , and $ℳ = \emptyset$ . Given the matrices $𝐀, 𝐂$ , and the function $f$ , an adversary is able to query an oracle $O_{pre}$ adaptively, which on input $𝐦 \in ℛ^{ℓ_{m}}, 𝐫 \in ℛ^{ℓ_{r}}$ proceeds as follows.

if $‖ (𝐦, 𝐫) ‖ > β_{m}$ then return $⊥$
$x \leftarrow [N]$
$𝐬 \leftarrow 𝐀_{s}^{- 1} (f (x) + 𝐂 \cdot [\begin{matrix} 𝐦 \\ 𝐫 \end{matrix}])$
$ℳ \leftarrow ℳ \cup {𝐦}$
return $(x, 𝐬)$

An adversary is asked to find a new tuple $(x^{*}, 𝐬^{*}, 𝐦^{*}, 𝐫^{*})$ satisfying $𝐦^{*} \notin ℳ \land 𝐀 \cdot 𝐬^{*} = f (x^{*}) + 𝐂 \cdot [\begin{matrix} 𝐦 \\ 𝐫 \end{matrix}] \land 0 < ‖ 𝐬^{*} ‖ \leq β_{s} \land ‖ (𝐦^{*}, 𝐫^{*}) ‖ \leq β_{m} .$

Intuition. The interactive version expands ISIS_f by an Ajtai commitment and enables adaptive queries, where an adversary controls the input to the Ajtai commitment. Notice that the adversary is not capable of influencing the choice of $x \in [N]$ , which can be thought of as salt in the context of a signature whereas $𝐬 \in ℛ^{m}$ is the signature.

Hardness of ISIS_f and its interactive version

If $f$ is a random oracle then the problem, in the ROM, is at least as hard as SIS.^[2]

Bootle et al.^[1] set $f$ to be $f (x) = 𝐁 \cdot bin (x)$ , where $bin : [N] \to ℤ^{⌈ \log (N) ⌉}$ outputs the binary encoding of $x \in [N]$ . They call this problem ISIS_bin. The authors analyse direct lattice reduction as well as exploiting relations on the image space for ISIS_bin.

In Theorem 3.3, Bootle et al.^[1] show that interactive ISIS_f is at least as hard as ISIS_f. The reduction uses $𝐂 = 𝐀 \cdot 𝐑$ for a uniformly chosen $𝐑 \leftarrow {0, 1}^{m \times (ℓ_{m} + ℓ_{r})}$ , rejection sampling, the entropy that $x \in [N]$ and $𝐬 \in ℛ^{m}$ are sampled with and introduces a polynomial loss factor depending on the number of allowed queries to $O_{pre}$ .

Constructions based on ISIS_f

Bootle et al.^[1] provide a framework to generically build the following constructions from any interactive ISIS_f instance.

Signatures^[1]
Group signatures^[1]
Blind signatures^[1]^[3]
Anonymous credentials^[1]^[3]

Related Assumptions

References

↑ ^1.0 ^1.1 ^1.2 ^1.3 ^1.4 ^1.5 ^1.6 ^1.7 Bootle, J., Lyubashevsky, V., Nguyen, N.K. and Sorniotti, A. A framework for practical anonymous credentials from lattices. Annual International Cryptology Conference. Cham: Springer Nature Switzerland, 2023.
↑ Gentry, Craig, Chris Peikert, and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. Proceedings of the fortieth annual ACM symposium on Theory of computing. 2008.
↑ ^3.0 ^3.1 Lyubashevsky, Vadim, Gregor Seiler, and Patrick Steuer. The LaZer library: Lattice-based zero knowledge and succinct proofs for quantum-safe privacy. Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security. 2024.

[:0-1] 1.0 ^1.1 ^1.2 ^1.3 ^1.4 ^1.5 ^1.6 ^1.7 Bootle, J., Lyubashevsky, V., Nguyen, N.K. and Sorniotti, A. A framework for practical anonymous credentials from lattices. Annual International Cryptology Conference. Cham: Springer Nature Switzerland, 2023.

[2] Gentry, Craig, Chris Peikert, and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. Proceedings of the fortieth annual ACM symposium on Theory of computing. 2008.

[:1-3] 3.0 ^3.1 Lyubashevsky, Vadim, Gregor Seiler, and Patrick Steuer. The LaZer library: Lattice-based zero knowledge and succinct proofs for quantum-safe privacy. Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security. 2024.

[1]

[2]

[3]

@@ Line 1: / Line 1: @@
-The ISIS<sub>f</sub>  assumption was introduced by Bootle, Lyubashevsky, Nguyen, and Sorniotti in 2023.<ref name=":0">Bootle, Jonathan, et al. [https://eprint.iacr.org/2023/560.pdf A framework for practical anonymous credentials from lattices]. ''Annual International Cryptology Conference''. Cham: Springer Nature Switzerland, 2023.</ref> It introduces a function <math>f</math> that removes the requirement of a static target vector and passes additional hints to the adversary.
+The ISIS<sub>f</sub>  assumption was introduced by Bootle, Lyubashevsky, Nguyen, and Sorniotti in 2023.<ref name=":0">Bootle, J., Lyubashevsky, V., Nguyen, N.K. and Sorniotti, A. [https://eprint.iacr.org/2023/560.pdf A framework for practical anonymous credentials from lattices]. ''Annual International Cryptology Conference''. Cham: Springer Nature Switzerland, 2023.</ref> It introduces a function <math>f</math> that removes the requirement of a static target vector and passes additional hints to the adversary.
 == Formal Definition ==
@@ Line 47: / Line 47: @@
 == Related Assumptions ==
-* Generalised ISIS<sub>f</sub>
+* [[Generalised ISISf|Generalised ISIS<sub>f</sub>]]
-* One-More-ISIS
+* [[One-More-ISIS]]
-* Randomised One-More-ISIS
+* [[Randomised One-More-ISIS]]
 == References ==
 <references />

Latest revision as of 13:29, 27 August 2025

Formal Definition

ISISf

Interactive ISISf

Hardness of ISISf and its interactive version

Constructions based on ISISf