k-SIS

The k-SIS assumption was introduced in 2011 by Boneh and Freeman^[1]. The assumption hands out ${\displaystyle k}$ hints additionally to the SIS challenge matrix restricting the solution space by any linear combination of these hints.

Formal Definition

k-SIS_n,m,d,q,β,s

Let matrix ${\displaystyle \mathbf{𝐀}\in {{ℛ}}_q^{n\times m}}$ be chosen uniformly at random and ${\displaystyle k}$ hint vectors ${\displaystyle {\mathbf{𝐬}}_i}$ from ${\displaystyle D_{{\mathrm{\Lambda }}_q^{\perp }(\mathbf{𝐀}),s}}$ with ${\displaystyle \Vert {\mathbf{𝐬}}_i\Vert }$. Given ${\displaystyle \mathbf{𝐀}}$ and ${\displaystyle \{{\mathbf{𝐬}}_i{\}}_{i\in [k]}}$, an adversary is asked to find a new short non-zero vector ${\displaystyle {\mathbf{𝐬}}^{*}\in {{ℛ}}^m}$ satisfying ${\displaystyle {𝒜}\cdot {\mathbf{𝐬}}^{*}=\mathbf{𝟎}modq\wedge \Vert {\mathbf{𝐬}}^{*}\Vert \le \beta \wedge {\mathbf{𝐬}}^{*}\notin {𝒦}-\text{span}(\{{\mathbf{𝐬}}_i{\}}_{i\in [k]}).}$

The provided definition is the module-variant, which was defined by Albrecht et al.^[2] The original version can be recovered by setting ${\displaystyle {ℛ}=\mathbb{\mathbb{Z}}}$ and ${\displaystyle {𝒦}=\mathbb{\mathbb{Q}}}$.

Intuitively, k-SIS asks for a SIS solution that is not a linear combination of the provided hints.

Hardness of k-SIS

k-SIS (over ${\displaystyle \mathbb{\mathbb{Z}}}$) is at least as hard as SIS. Boneh and Freeman^[1] proved this result for constant ${\displaystyle k\in {𝒪}(1)}$ and Ling et al.^[3] improved this result to ${\displaystyle k\in {𝒪}(m)}$.

TODO - Provide intuition of reduction

Constructions based on k-SIS

• Linearly homomorphic signatures^[1]

Related Assumptions

• k-LWE

References