ISISf: Difference between revisions

The ISIS_f assumption was introduced by Bootle, Lyubashevsky, Nguyen, and Sorniotti in 2023.^[1] It introduces a function ${\displaystyle f}$ that removes the requirement of a static target vector and passes additional hints to the adversary.

Formal Definition

ISIS_f

Let ${\displaystyle (n,m,d,q,\beta ,k,s,N)}$ be public parameters, matrix ${\displaystyle \mathbf{𝐀}\in {{ℛ}}_q^{n\times m}}$ be chosen uniformly at random and ${\displaystyle f}$ be a specified function ${\displaystyle f:[N]\to {{ℛ}}_q^n}$. The challenger generates ${\displaystyle k}$ hints ${\displaystyle (x_i,{\mathbf{𝐬}}_i)}$ in the following way.

• ${\displaystyle x_i\leftarrow [N]}$
• ${\displaystyle {\mathbf{𝐬}}_i\leftarrow {\mathbf{𝐀}}_s^{-1}(f(x_i))}$

Given the matrix ${\displaystyle \mathbf{𝐀}}$, the function ${\displaystyle f}$, and the set of hints ${\displaystyle \{(x_i,{\mathbf{𝐬}}_i){\}}_{i\in [k]}}$, the adversary is asked to find a new tuple ${\displaystyle (x^{*},{\mathbf{𝐬}}^{*})\in [N]\times {{ℛ}}^m}$ satisfying ${\displaystyle \mathbf{𝐀}\cdot {\mathbf{𝐬}}^{*}=f\left(x^{*}\right)modq\wedge 0<\Vert {\mathbf{𝐬}}^{*}\Vert \le \beta \wedge (x^{*},{\mathbf{𝐬}}^{*})\notin \{(x_i,{\mathbf{𝐬}}_i{)}_{i\in [k]}\}.}$

Intuition. ISIS_f essentially expects the adversary to either successfully solve ISIS or compute a preimage of the function ${\displaystyle f}$. Thus, the hardness of ISIS_f depends on the choice of ${\displaystyle f}$. We list few examples for insecure choices of ${\displaystyle f}$.

• Additively homomorphic functions imply trivial solutions by adding or subtracting two hints.
• Any efficiently invertible function using public information enables choosing ${\displaystyle {\mathbf{𝐬}}^{*}\in {{ℛ}}^m}$ short and finding a preimage of ${\displaystyle \mathbf{𝐀}\cdot {\mathbf{𝐬}}^{*}}$.
• Assume ${\displaystyle f}$ is a linear function and the domain of ${\displaystyle f}$ was mapped to ${\displaystyle {\mathbb{\mathbb{Z}}}_N}$. Then, any hint ${\displaystyle (x_i,{\mathbf{𝐬}}_i)}$ can be used to generate a valid ISIS_f solution ${\displaystyle (-x_i,-{\mathbf{𝐬}}_i)}$.

Interactive ISIS_f

Let ${\displaystyle (n,m,d,{\ell }_m,{\ell }_r,q,{\beta }_s,{\beta }_m,s,N)}$ be public parameters, matrices ${\displaystyle \mathbf{𝐀}\in {{ℛ}}_q^{n\times m},\mathbf{𝐂}\in {{ℛ}}_q^{n\times ({\ell }_m+{\ell }_r)}}$ be chosen uniformly at random, ${\displaystyle f}$ be a specified function ${\displaystyle f:[N]\to {{ℛ}}_q^n}$, and ${\displaystyle {ℳ}=\mathrm{\varnothing }}$. Given the matrices ${\displaystyle \mathbf{𝐀},\mathbf{𝐂}}$, and the function ${\displaystyle f}$, an adversary is able to query an oracle ${\displaystyle O_{\text{pre}}}$ adaptively, which on input ${\displaystyle \mathbf{𝐦}\in {{ℛ}}^{{\ell }_m},\mathbf{𝐫}\in {{ℛ}}^{{\ell }_r}}$ proceeds as follows.

1. if ${\displaystyle \Vert (\mathbf{𝐦},\mathbf{𝐫})\Vert >{\beta }_m}$ then return ${\displaystyle \perp }$
2. ${\displaystyle x\leftarrow [N]}$
3. ${\displaystyle \mathbf{𝐬}\leftarrow {\mathbf{𝐀}}_s^{-1}(f(x)+\mathbf{𝐂}\cdot \left[\begin{array}{c}\mathbf{𝐦}\\ \mathbf{𝐫}\end{array}\right])}$
4. ${\displaystyle {ℳ}\leftarrow {ℳ}\cup \{\mathbf{𝐦}\}}$
5. return ${\displaystyle (x,\mathbf{𝐬})}$

An adversary is asked to find a new tuple ${\displaystyle (x^{*},{\mathbf{𝐬}}^{*},{\mathbf{𝐦}}^{*},{\mathbf{𝐫}}^{*})}$ satisfying ${\displaystyle {\mathbf{𝐦}}^{*}\notin {ℳ}\wedge \mathbf{𝐀}\cdot {\mathbf{𝐬}}^{*}=f(x^{*})+\mathbf{𝐂}\cdot \left[\begin{array}{c}\mathbf{𝐦}\\ \mathbf{𝐫}\end{array}\right]\wedge 0<\Vert {\mathbf{𝐬}}^{*}\Vert \le {\beta }_s\wedge \Vert ({\mathbf{𝐦}}^{*},{\mathbf{𝐫}}^{*})\Vert \le {\beta }_m.}$

Intuition. The interactive version expands ISIS_f by an Ajtai commitment and enables adaptive queries, where an adversary controls the input to the Ajtai commitment. Notice that the adversary is not capable of influencing the choice of ${\displaystyle x\in [N]}$, which can be thought of as salt in the context of a signature whereas ${\displaystyle \mathbf{𝐬}\in {{ℛ}}^m}$ is the signature.

Hardness of ISIS_f and its interactive version

If ${\displaystyle f}$ is a random oracle then the problem, in the ROM, is at least as hard as SIS.^[2]

Bootle et al.^[1] set ${\displaystyle f}$ to be ${\displaystyle f(x)=\mathbf{𝐁}\cdot \text{bin}(x)}$, where ${\displaystyle \text{bin}:[N]\to {\mathbb{\mathbb{Z}}}^{\lceil \log (N)\rceil }}$ outputs the binary encoding of ${\displaystyle x\in [N]}$. They call this problem ISIS_bin. The authors analyse direct lattice reduction as well as exploiting relations on the image space for ISIS_bin.

In Theorem 3.3, Bootle et al.^[1] show that interactive ISIS_f is at least as hard as ISIS_f. The reduction uses ${\displaystyle \mathbf{𝐂}=\mathbf{𝐀}\cdot \mathbf{𝐑}}$ for a uniformly chosen ${\displaystyle \mathbf{𝐑}\leftarrow \{0,1{\}}^{m\times ({\ell }_m+{\ell }_r)}}$, rejection sampling, the entropy that ${\displaystyle x\in [N]}$ and ${\displaystyle \mathbf{𝐬}\in {{ℛ}}^m}$ are sampled with and introduces a polynomial loss factor depending on the number of allowed queries to ${\displaystyle O_{\text{pre}}}$.

Constructions based on ISIS_f

Bootle et al.^[1] provide a framework to generically build the following constructions from any interactive ISIS_f instance.

• Signatures^[1]
• Group signatures^[1]
• Blind signatures^[1][3]
• Anonymous credentials^[1][3]

Related Assumptions

• Generalised ISIS_f
• One-More-ISIS
• Randomised One-More-ISIS

References