ISISf

The ISIS_f assumption was introduced by Bootle, Lyubashevsky, Nguyen, and Sorniotti in 2023.^[1] It introduces a function $f$ that removes the requirement of a static target vector and passes additional hints to the adversary.

Formal Definition

ISIS_f

Let $(n, m, d, q, β, k, s, N)$ be public parameters, matrix $𝐀 \in ℛ_{q}^{n \times m}$ be chosen uniformly at random and $f$ be a specified function $f : [N] \to ℛ_{q}^{n}$ . The challenger generates $k$ hints $(x_{i}, 𝐬_{i})$ in the following way.

$x_{i} \leftarrow [N]$
$𝐬_{i} \leftarrow 𝐀_{s}^{- 1} (f (x_{i}))$

Given the matrix $𝐀$ , the function $f$ , and the set of hints ${(x_{i}, 𝐬_{i})}_{i \in [k]}$ , the adversary is asked to find a new tuple $(x^{*}, 𝐬^{*}) \in [N] \times ℛ^{m}$ satisfying $𝐀 \cdot 𝐬^{*} = f (x^{*}) mod q \land 0 < ‖ 𝐬^{*} ‖ \leq β \land (x^{*}, 𝐬^{*}) \in {(x_{i}, 𝐬_{i})_{i \in [k]}} .$

Intuition. ISIS_f essentially expects the adversary to either successfully solve ISIS or compute a preimage of the function $f$ . Thus, the hardness of ISIS_f depends on the choice of $f$ . We list few examples for insecure choices of $f$ .

Additively homomorphic functions imply trivial solutions by adding or subtracting two hints.
Any efficiently invertible function using public information enables choosing $𝐬^{*} \in ℛ^{m}$ short and finding a preimage of $𝐀 \cdot 𝐬^{*}$ .
Assume $f$ is a linear function and the domain of $f$ was mapped to $ℤ_{N}$ . Then, any hint $(x_{i}, 𝐬_{i})$ can be used to generate a valid ISIS_f solution $(- x_{i}, - 𝐬_{i})$ .

Interactive ISIS_f

TODO

Hardness of ISIS_f and its interactive version

TODO

Constructions based on ISIS_f

Bootle et al.^[1] provide a framework to generically build the following constructions from any ISIS_f instance.

Signatures^[1]
Group signatures^[1]
Blind signatures^[1]^[2]
Anonymous credentials^[1]^[2]

Related Assumptions

Generalised ISIS_f
One-More-ISIS
Randomised One-More-ISIS

References

↑ ^1.0 ^1.1 ^1.2 ^1.3 ^1.4 ^1.5 Bootle, Jonathan, et al. A framework for practical anonymous credentials from lattices. Annual International Cryptology Conference. Cham: Springer Nature Switzerland, 2023.
↑ ^2.0 ^2.1 Lyubashevsky, Vadim, Gregor Seiler, and Patrick Steuer. The LaZer library: Lattice-based zero knowledge and succinct proofs for quantum-safe privacy. Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security. 2024.

[:0-1] 1.0 ^1.1 ^1.2 ^1.3 ^1.4 ^1.5 Bootle, Jonathan, et al. A framework for practical anonymous credentials from lattices. Annual International Cryptology Conference. Cham: Springer Nature Switzerland, 2023.

[:1-2] 2.0 ^2.1 Lyubashevsky, Vadim, Gregor Seiler, and Patrick Steuer. The LaZer library: Lattice-based zero knowledge and succinct proofs for quantum-safe privacy. Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security. 2024.

[1]

[2]