One-More-ISIS: Difference between revisions

One-More-ISIS was introduced in 2022 by Agrawal, Kirshanova, Stehlé, and Yadav.^[1] The assumption states that, given an ISIS solver, it remains hard to compute an additional preimage for a polynomial number of possible ISIS targets.

Formal Definition

One-More-ISIS_n,m,q,β,s

Let matrix ${\displaystyle \mathbf{𝐀}\in {\mathbb{\mathbb{Z}}}_q^{n\times m}}$ and ${\displaystyle T\subset {\mathbb{\mathbb{Z}}}_q^n}$ be chosen uniformly at random. Given the challenge matrix ${\displaystyle \mathbf{𝐀}}$ and the set of target vectors ${\displaystyle T}$, an adversary can query a preimage oracle ${\displaystyle O_{\text{pre}}}$ adaptively, which on input ${\displaystyle \widehat{\mathbf{𝐭}}\in {\mathbb{\mathbb{Z}}}_q^n}$ outputs a preimage ${\displaystyle \widehat{\mathbf{𝐬}}\leftarrow {\mathbf{𝐀}}_s^{-1}(\widehat{\mathbf{𝐭}})}$. Let ${\displaystyle k\in {\mathbb{\mathbb{N}}}_0}$ denote the number of times ${\displaystyle O_{\text{pre}}}$ was queried. Then, an adversary is asked to output a set ${\displaystyle \{{\mathbf{𝐬}}_i{\}}_{i\in [k+1]}}$ of ${\displaystyle k+1}$ short preimages of target vectors in ${\displaystyle T}$ satisfying ${\displaystyle \mathrm{\forall }i\in [k+1]:\mathbf{𝐀}\cdot {\mathbf{𝐬}}_i\in T\wedge \Vert {\mathbf{𝐬}}_i\Vert \le \beta .}$

Hardness of One-More-ISIS

The hardness of One-More-ISIS is analysed using direct cryptanalysis in the original paper^[1]. The authors give a combinatorial attack and a lattice attack.

Combinatorial Attack. The adversary requests ${\displaystyle n\cdot q}$ preimages for all ${\displaystyle \{a\cdot {\mathbf{𝐞}}_i:a\in {\mathbb{\mathbb{Z}}}_q{\}}_{i\in [n]}}$. Then, the adversary can compute preimages for any image by adding up at most n preimages. As the length of the preimages returned by the  challenger is ${\displaystyle s\sqrt{m}}$, it allows to solve the One-more-ISIS  problem if ${\displaystyle s\cdot \sqrt{n}\cdot m\le \beta }$. The attack can be adapted to smaller and larger sets of preimages, increasing and decreasing the output norm, respectively.

Lattice Attack. The adversary requests more than ${\displaystyle m}$ preimages of zero. Then, the adversary can produce a short basis trapdoor for ${\displaystyle \mathbf{𝐀}}$. This trapdoor is of degraded quality relative to the trapdoor used by the challenger. They explore further options to improve the quality of the short basis trapdoor.

Constructions based on One-More-ISIS

• Blind signature^[1]

Related Assumptions

• Randomised One-More-ISIS
• One-More-RSA^[2]
• ISIS_f
• Generalised ISIS_f

Further reading suggestions

• Blog article on the cryptanalytic target One-More-ISIS by Martin Albrecht

References