Short Integer Solution: Difference between revisions

Revision as of 11:09, 24 July 2025

Short Integer Solution (SIS) is an average-case problem, which was introduced in 1996 by Miklós Ajtai.^[1] He introduced a family of one-way functions based on SIS and showed that SIS is hard to solve on average if a version of the shortest vector problem is hard in a worst-case scenario.

Formal Definition

SIS_n,m,q,β `STANDARD`

Let matrix $𝐀 \in ℤ_{q}^{n \times m}$ be chosen uniformly at random. An adversary is asked to find a short non-zero vector $𝐬 \in ℤ^{m}$ satisfying $𝐀 \cdot 𝐬 = 𝟎 mod q \land 0 < ‖ 𝐬 ‖ \leq β$ .

A solution to SIS without the condition $‖ 𝐬 ‖ \leq β$ can be found using Gaussian elimination. Thus, the condition $β < q$ is required as otherwise $(q, 0, \dots, 0) \in ℤ^{m}$ is a trivial solution.

Versions of SIS

ISIS_n,m,q,β - Inhomogeneous SIS `EQUIVALENT`

Let matrix $𝐀 \in ℤ_{q}^{n \times m}$ and target vector $𝐭 \in ℤ_{q}^{n}$ be chosen uniformly at random. An adversary is asked to find a short vector $𝐬 \in ℤ^{m}$ satisfying $𝐀 \cdot 𝐬 = 𝐭 mod q \land ‖ 𝐬 ‖ \leq β$ .

The inhomogeneous version of SIS introduces a target vector $𝐭 \in ℤ_{q}^{n}$ , which is chosen uniformly at random. The probability of ending up in the homogeneous case with $𝐭 = 𝟎$ happens with probability $q^{- n}$ , which allows removing the condition of $𝐬$ being non-zero.

ISIS is as hard as SIS. A SIS instance can be reduced to ISIS using the last column of $𝐀$ as target vector for ISIS. Any solution $𝐬 \in ℤ^{m - 1}$ to the ISIS instance with challenge matrix $𝐀_{[1 : m - 1]}$ and target vector $𝐚_{m}$ yields a valid SIS solution $(𝐬^{T}, - 1) \in ℤ^{m}$ of slightly larger norm. The reduction from ISIS to SIS requires index guessing a non-zero entry in the SIS solution and embedding the target vector at this position in the challenge matrix $𝐀$ .

NFSIS_n,m,q,β - Normal Form SIS `EQUIVALENT`

Let matrix $\bar{𝐀} \in ℤ_{q}^{n \times m - n}$ be chosen uniformly at random and define $𝐀 = [\begin{matrix} 𝐈_{n} & \bar{𝐀} \end{matrix}]$ . An adversary is asked to find a short non-zero vector $𝐬 \in ℤ^{m}$ satisfying $𝐀 \cdot 𝐬 = 𝐭 mod q \land 0 < ‖ 𝐬 ‖ \leq β$ .

Normal Form SIS is related to the Hermite normal form of a uniformly random matrix $𝐀 \in ℤ_{q}^{n \times m}$ . The normal form version of SIS is often used to reduce public key sizes by size $n$ as the static part of the matrix, the identity matrix $𝐈_{n}$ , can be omitted for data transmission.

A SIS instance can be reduced to a NFSIS instance if the first $n$ columns of its challenge matrix $𝐀$ are invertible over $ℤ_{q}$ . Assuming this is the case, denote the first $n$ columns of $𝐀$ by $𝐀_{0}$ and define the NFSIS challenge matrix by $𝐀_{0}^{- 1} \cdot 𝐀$ . Then, any solution of the NFSIS instance is a solution of the SIS instance and vice versa.

Further versions

SIS with infinity norm^[2]
Decision SIS^[2]

Analysis of Assumption

The initial hardness results of Ajtai^[1] in 1996 were later refined by a series of works^[3]^[4]^[5]. All results follow are instances of the following theorem.

Theorem^[6] For any m = poly(n), any β > 0, and any sufficiently large q ≥ β · poly(n), solving SIS_n,m,,q,β with non-negligible probability is at least as hard as solving the decisional approximate shortest vector problem GapSVP_γ and the approximate shortest independent vectors problems SIVP_γ (among others) on arbitrary n-dimensional lattices (i.e., in the worst case) with overwhelming probability, for some γ = β · poly(n).

Constructions based on SIS

This is a non-exhaustive list of constructions, whose security is or can be based on SIS (or R-SIS and M-SIS).

One-way function^[1]
Collision-resistant hash function
Preimage Sampleable Function^[4]
Signatures^[2]^[4]^[7]
Commitments^[8]^[9]
Vector and Functional Commitments^[10]

Related Assumptions

Approximate SIS
Learning with Errors

References

↑ ^1.0 ^1.1 ^1.2 Ajtai, Miklós. Generating hard instances of lattice problems. Proceedings of the twenty-eighth annual ACM symposium on Theory of computing. 1996.
↑ ^2.0 ^2.1 ^2.2 Lyubashevsky, Vadim. Lattice signatures without trapdoors. Annual International Conference on the Theory and Applications of Cryptographic Techniques. Berlin, Heidelberg: Springer Berlin Heidelberg, 2012.
↑ Micciancio, Daniele, and Oded Regev. Worst-case to average-case reductions based on Gaussian measures. SIAM journal on computing 37.1 (2007): 267-302.
↑ ^4.0 ^4.1 ^4.2 Gentry, Craig, Chris Peikert, and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. Proceedings of the fortieth annual ACM symposium on Theory of computing. 2008.
↑ Micciancio, Daniele, and Chris Peikert. Hardness of SIS and LWE with small parameters. Annual cryptology conference. Berlin, Heidelberg: Springer Berlin Heidelberg, 2013.
↑ ^6.0 ^6.1 Peikert, Chris. A decade of lattice cryptography. Foundations and trends® in theoretical computer science 10.4 (2016): 283-424.
↑ Boyen, Xavier. Lattice mixing and vanishing trapdoors: A framework for fully secure short signatures and more. International workshop on public key cryptography. Berlin, Heidelberg: Springer Berlin Heidelberg, 2010.
↑ Baum, Carsten, et al. More efficient commitments from structured lattice assumptions. International conference on security and cryptography for networks. Cham: Springer International Publishing, 2018.
↑ Lyubashevsky, Vadim, Ngoc Khanh Nguyen, and Maxime Plançon. Lattice-based zero-knowledge proofs and applications: shorter, simpler, and more general. Annual International Cryptology Conference. Cham: Springer Nature Switzerland, 2022.
↑ Peikert, Chris, Zachary Pepin, and Chad Sharp. Vector and functional commitments from lattices. Theory of Cryptography Conference. Cham: Springer International Publishing, 2021.

[:0-1] 1.0 ^1.1 ^1.2 Ajtai, Miklós. Generating hard instances of lattice problems. Proceedings of the twenty-eighth annual ACM symposium on Theory of computing. 1996.

[:1-2] 2.0 ^2.1 ^2.2 Lyubashevsky, Vadim. Lattice signatures without trapdoors. Annual International Conference on the Theory and Applications of Cryptographic Techniques. Berlin, Heidelberg: Springer Berlin Heidelberg, 2012.

[3] Micciancio, Daniele, and Oded Regev. Worst-case to average-case reductions based on Gaussian measures. SIAM journal on computing 37.1 (2007): 267-302.

[:2-4] 4.0 ^4.1 ^4.2 Gentry, Craig, Chris Peikert, and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. Proceedings of the fortieth annual ACM symposium on Theory of computing. 2008.

[5] Micciancio, Daniele, and Chris Peikert. Hardness of SIS and LWE with small parameters. Annual cryptology conference. Berlin, Heidelberg: Springer Berlin Heidelberg, 2013.

[:3-6] 6.0 ^6.1 Peikert, Chris. A decade of lattice cryptography. Foundations and trends® in theoretical computer science 10.4 (2016): 283-424.

[7] Boyen, Xavier. Lattice mixing and vanishing trapdoors: A framework for fully secure short signatures and more. International workshop on public key cryptography. Berlin, Heidelberg: Springer Berlin Heidelberg, 2010.

[8] Baum, Carsten, et al. More efficient commitments from structured lattice assumptions. International conference on security and cryptography for networks. Cham: Springer International Publishing, 2018.

[9] Lyubashevsky, Vadim, Ngoc Khanh Nguyen, and Maxime Plançon. Lattice-based zero-knowledge proofs and applications: shorter, simpler, and more general. Annual International Cryptology Conference. Cham: Springer Nature Switzerland, 2022.

[10] Peikert, Chris, Zachary Pepin, and Chad Sharp. Vector and functional commitments from lattices. Theory of Cryptography Conference. Cham: Springer International Publishing, 2021.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

@@ Line 1: / Line 1: @@
-Short Integer Solution (SIS) is an average-case problem, which was introduced in 1996 by Miklós Ajtai.<ref>Ajtai, Miklós. [https://dl.acm.org/doi/pdf/10.1145/237814.237838 Generating hard instances of lattice problems]. ''Proceedings of the twenty-eighth annual ACM symposium on Theory of computing''. 1996.</ref> He introduced a family of one-way functions based on SIS and showed that SIS is hard to solve on average if a version of the [[wikipedia:Lattice_problem#Shortest_vector_problem_(SVP)|shortest vector problem]] is hard in a worst-case scenario.
+Short Integer Solution (SIS) is an average-case problem, which was introduced in 1996 by Miklós Ajtai.<ref name=":0">Ajtai, Miklós. [https://dl.acm.org/doi/pdf/10.1145/237814.237838 Generating hard instances of lattice problems]. ''Proceedings of the twenty-eighth annual ACM symposium on Theory of computing''. 1996.</ref> He introduced a family of one-way functions based on SIS and showed that SIS is hard to solve on average if a version of the [[wikipedia:Lattice_problem#Shortest_vector_problem_(SVP)|shortest vector problem]] is hard in a worst-case scenario.
 == Formal Definition ==
@@ Line 6: / Line 6: @@
 Let matrix <math>\mathbf{A} \in \mathbb{Z}_q^{n \times m}</math> be chosen uniformly at random. An adversary is asked to find a short non-zero vector <math>\mathbf{s} \in \mathbb{Z}^m</math>satisfying <math>\mathbf{A} \cdot \mathbf{s} = \mathbf{0} \bmod q \land 0 < \lVert \mathbf{s} \rVert \leq \beta</math>.
-A solution to SIS without the condition <math>\lVert \mathbf{s} \rVert \leq \beta</math> can be found using Gaussian elimination. Thus, the condition <math>\beta < q</math> is required as otherwise <math>(q, 0,\dots,0) \in \mathbb{Z}^m</math> is a trivial solution.
+A solution to SIS without the condition <math>\lVert \mathbf{s} \rVert \leq \beta</math> can be found using [[wikipedia:Gaussian_elimination|Gaussian elimination]]. Thus, the condition <math>\beta < q</math> is required as otherwise <math>(q, 0,\dots,0) \in \mathbb{Z}^m</math> is a trivial solution.
+== Versions of SIS ==
 === ISIS<sub>n,m,q,β</sub> - Inhomogeneous SIS <code>EQUIVALENT</code> ===
@@ Line 18: / Line 20: @@
 Let matrix <math>\bar{\mathbf{A}} \in \mathbb{Z}_q^{n \times m-n}</math> be chosen uniformly at random and define <math>\mathbf{A} = \begin{bmatrix} \mathbf{I}_n &\bar{\mathbf{A}} \end{bmatrix}</math>. An adversary is asked to find a short non-zero vector <math>\mathbf{s} \in \mathbb{Z}^m</math>satisfying <math>\mathbf{A} \cdot \mathbf{s} = \mathbf{t} \bmod q \land 0 < \lVert \mathbf{s} \rVert \leq \beta</math>.
-TODO
+Normal Form SIS is related to the Hermite normal form of a uniformly random matrix <math>\mathbf{A} \in \mathbb{Z}_q^{n \times m}</math>. The normal form version of SIS is often used to reduce public key sizes by size <math>n</math> as the static part of the matrix, the identity matrix <math>\mathbf{I}_n</math>, can be omitted for data transmission.
+A SIS instance can be reduced to a NFSIS instance if the first <math>n
+</math> columns of its challenge matrix <math>\mathbf{A}</math> are invertible over <math>\mathbb{Z}_q</math>. Assuming this is the case, denote the first <math>n</math> columns of <math>\mathbf{A}</math> by <math>\mathbf{A}_0</math> and define the NFSIS challenge matrix by <math>\mathbf{A}_0^{-1} \cdot \mathbf{A}</math>. Then, any solution of the NFSIS instance is a solution of the SIS instance and vice versa.
+=== Further versions ===
+* SIS with infinity norm<ref name=":1">Lyubashevsky, Vadim. [https://eprint.iacr.org/2011/537.pdf Lattice signatures without trapdoors]. ''Annual International Conference on the Theory and Applications of Cryptographic Techniques''. Berlin, Heidelberg: Springer Berlin Heidelberg, 2012.</ref>
+* Decision SIS<ref name=":1" />
 == Analysis of Assumption ==
-List of Reductions from other problems as well as cryptanalysis performed on SIS. Answer: Why is this problem hard to solve for a (quantum) computer / why should anyone believe that it is hard?
+The initial hardness results of Ajtai<ref name=":0" /> in 1996 were later refined by a series of works<ref>Micciancio, Daniele, and Oded Regev. [https://doi.org/10.1137/S0097539705447360 Worst-case to average-case reductions based on Gaussian measures]. ''SIAM journal on computing'' 37.1 (2007): 267-302.</ref><ref name=":2">Gentry, Craig, Chris Peikert, and Vinod Vaikuntanathan. [https://eprint.iacr.org/2007/432.pdf Trapdoors for hard lattices and new cryptographic constructions]. ''Proceedings of the fortieth annual ACM symposium on Theory of computing''. 2008.</ref><ref>Micciancio, Daniele, and Chris Peikert. [https://eprint.iacr.org/2013/069.pdf Hardness of SIS and LWE with small parameters]. ''Annual cryptology conference''. Berlin, Heidelberg: Springer Berlin Heidelberg, 2013.</ref>. All results follow are instances of the following theorem.
+'''Theorem'''<ref name=":3">Peikert, Chris. [https://eprint.iacr.org/2015/939.pdf A decade of lattice cryptography]. ''Foundations and trends® in theoretical computer science'' 10.4 (2016): 283-424.</ref> For any m = poly(n), any β > 0, and any sufficiently large q ≥ β · poly(n), solving SIS<sub>n,m,,q,β</sub>  with non-negligible probability is at least as hard as solving the decisional approximate shortest vector problem GapSVP<sub>γ</sub> and the approximate shortest independent vectors problems SIVP<sub>γ</sub> (among others) on arbitrary n-dimensional lattices (i.e., in the worst case) with overwhelming probability, for some γ = β · poly(n).
 == Constructions based on SIS ==
-List of constructions built from SIS (with non-extensive list of citations)
+This is a non-exhaustive list of constructions, whose security is or can be based on SIS (or R-SIS and M-SIS).
-* Signatures
+* One-way function<ref name=":0" />
-* (Vector) Commitments
+* Collision-resistant hash function
+* Preimage Sampleable Function<ref name=":2" />
+* Signatures<ref name=":1" /><ref name=":2" /><ref>Boyen, Xavier. [https://link.springer.com/chapter/10.1007/978-3-642-13013-7_29 Lattice mixing and vanishing trapdoors: A framework for fully secure short signatures and more]. ''International workshop on public key cryptography''. Berlin, Heidelberg: Springer Berlin Heidelberg, 2010.</ref>
+* Commitments<ref>Baum, Carsten, et al. [https://eprint.iacr.org/2016/997.pdf More efficient commitments from structured lattice assumptions]. ''International conference on security and cryptography for networks''. Cham: Springer International Publishing, 2018.</ref><ref>Lyubashevsky, Vadim, Ngoc Khanh Nguyen, and Maxime Plançon. [https://eprint.iacr.org/2022/284.pdf Lattice-based zero-knowledge proofs and applications: shorter, simpler, and more general]. ''Annual International Cryptology Conference''. Cham: Springer Nature Switzerland, 2022.</ref>
+* Vector and Functional Commitments<ref>Peikert, Chris, Zachary Pepin, and Chad Sharp. [https://eprint.iacr.org/2021/1254.pdf Vector and functional commitments from lattices]. ''Theory of Cryptography Conference''. Cham: Springer International Publishing, 2021.</ref>
 == Related Assumptions ==
-* k-SIS
+* Approximate SIS
-* List of closely related assumptions - either because there is a reduction from
+* Learning with Errors
-== See also ==
+== Further reading suggestions ==
-* Space to list links which should be of further interest for people interested in SIS
+* [https://eprint.iacr.org/2015/939.pdf#page=20 Section 4.1] in "A decade of lattice cryptography"<ref name=":3" /> can help providing an intuition about SIS
+* TODO - Discussion about NFSIS
 == References ==