<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
	<id>http://70.231.62.181/index.php?action=history&amp;feed=atom&amp;title=Short_integer_solution_problem</id>
	<title>Short integer solution problem - Revision history</title>
	<link rel="self" type="application/atom+xml" href="http://70.231.62.181/index.php?action=history&amp;feed=atom&amp;title=Short_integer_solution_problem"/>
	<link rel="alternate" type="text/html" href="http://70.231.62.181/index.php?title=Short_integer_solution_problem&amp;action=history"/>
	<updated>2026-07-04T19:01:49Z</updated>
	<subtitle>Revision history for this page on the wiki</subtitle>
	<generator>MediaWiki 1.45.1</generator>
	<entry>
		<id>http://70.231.62.181/index.php?title=Short_integer_solution_problem&amp;diff=2640335&amp;oldid=prev</id>
		<title>imported&gt;Antonissimo: /* top */ more convenient syntax</title>
		<link rel="alternate" type="text/html" href="http://70.231.62.181/index.php?title=Short_integer_solution_problem&amp;diff=2640335&amp;oldid=prev"/>
		<updated>2025-11-30T04:55:53Z</updated>

		<summary type="html">&lt;p&gt;&lt;span class=&quot;autocomment&quot;&gt;top: &lt;/span&gt; more convenient syntax&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;{{Short description|Computational problem used in cryptography}}&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;Short integer solution (SIS)&amp;#039;&amp;#039;&amp;#039; and &amp;#039;&amp;#039;&amp;#039;ring-SIS&amp;#039;&amp;#039;&amp;#039; problems are two &amp;#039;&amp;#039;average&amp;#039;&amp;#039;-case problems that are used in [[lattice-based cryptography]] constructions. Lattice-based cryptography began in 1996 from a seminal work by [[Miklós Ajtai]]&amp;lt;ref name=&amp;quot;Ajtai, Miklós 1996&amp;quot;&amp;gt;Ajtai, Miklós. [Generating hard instances of lattice problems.] Proceedings of the twenty-eighth annual ACM symposium on Theory of computing. ACM, 1996.&amp;lt;/ref&amp;gt; who presented a family of [[one-way function]]s based on SIS problem. He showed that it is secure in an average case if the [[shortest vector problem]] &amp;lt;math&amp;gt;\mathrm{SVP}_\gamma&amp;lt;/math&amp;gt; (where &amp;lt;math&amp;gt;\gamma = n^c&amp;lt;/math&amp;gt; for some constant &amp;lt;math&amp;gt;c&amp;gt;0&amp;lt;/math&amp;gt;) is hard in the worst case.&lt;br /&gt;
&lt;br /&gt;
Average case problems are the problems that are hard to be solved for some randomly selected instances. For cryptography applications, worst case complexity is not sufficient, and we need to guarantee cryptographic construction are hard based on average case complexity.&lt;br /&gt;
&lt;br /&gt;
==Lattices==&lt;br /&gt;
A &amp;#039;&amp;#039;full rank [[Lattice (group)|lattice]]&amp;#039;&amp;#039; &amp;lt;math&amp;gt; \mathfrak{L} \subset \R^n &amp;lt;/math&amp;gt; is a set of integer linear combinations of &amp;lt;math&amp;gt; n &amp;lt;/math&amp;gt; linearly independent vectors &amp;lt;math&amp;gt; \{b_1,\ldots,b_n\} &amp;lt;/math&amp;gt;, named &amp;#039;&amp;#039;basis&amp;#039;&amp;#039;:&lt;br /&gt;
&lt;br /&gt;
: &amp;lt;math&amp;gt;&lt;br /&gt;
    \mathfrak{L}(b_1,\ldots,b_n) = \left\{ \sum_{i=1}^n z_i b_i: z_i \in \Z \right\} = \{ B\boldsymbol{z}: \boldsymbol{z} \in \Z^n \}&lt;br /&gt;
&amp;lt;/math&amp;gt;&lt;br /&gt;
&lt;br /&gt;
where &amp;lt;math&amp;gt; B \in \R ^{n\times n} &amp;lt;/math&amp;gt; is a matrix having basis vectors in its columns.&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;Remark:&amp;#039;&amp;#039;&amp;#039; Given &amp;lt;math&amp;gt; B_1,B_2 &amp;lt;/math&amp;gt; two bases for lattice &amp;lt;math&amp;gt; \mathfrak{L} &amp;lt;/math&amp;gt;, there exist unimodular matrices &amp;lt;math&amp;gt; U_1 &amp;lt;/math&amp;gt; such that &amp;lt;math&amp;gt; B_1 = B_2U_1^{-1}, B_2 = B_1U_1 &amp;lt;/math&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
==Ideal lattice==&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;Definition:&amp;#039;&amp;#039;&amp;#039; Rotational [[shift operator]] on &amp;lt;math&amp;gt; \R^n (n \geq 2) &amp;lt;/math&amp;gt; is denoted by &amp;lt;math&amp;gt; \operatorname{rot} &amp;lt;/math&amp;gt;, and is defined as:&lt;br /&gt;
&lt;br /&gt;
: &amp;lt;math&amp;gt;&lt;br /&gt;
    \forall \boldsymbol{x} = (x_1,\ldots,x_{n-1},x_n) \in \R^n: \operatorname{rot}(x_1,\ldots,x_{n-1},x_n) = (x_n,x_1,\ldots,x_{n-1})&lt;br /&gt;
&amp;lt;/math&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Cyclic lattices===&lt;br /&gt;
Micciancio introduced &amp;#039;&amp;#039;cyclic lattices&amp;#039;&amp;#039; in his work in generalizing the compact [[knapsack problem]] to arbitrary rings.&amp;lt;ref name=&amp;quot;micciancio2002generalized&amp;quot;&amp;gt;Micciancio, Daniele. [Generalized compact knapsacks, cyclic lattices, and efficient one-way functions from worst-case complexity assumptions.] Foundations of Computer Science, 2002. Proceedings. The 43rd Annual IEEE Symposium on. IEEE, 2002.&amp;lt;/ref&amp;gt; A cyclic lattice is a lattice that is closed under rotational shift operator. Formally, cyclic lattices are defined as follows:&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;Definition:&amp;#039;&amp;#039;&amp;#039; A lattice &amp;lt;math&amp;gt; \mathfrak{L} \subseteq \Z^n &amp;lt;/math&amp;gt; is cyclic if &amp;lt;math&amp;gt; \forall \boldsymbol{x} \in \mathfrak{L}: \operatorname{rot}(\boldsymbol{x}) \in \mathfrak{L} &amp;lt;/math&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;Examples:&amp;#039;&amp;#039;&amp;#039;&amp;lt;ref&amp;gt;Fukshansky, Lenny, and Xun Sun. [On the geometry of cyclic lattices.] Discrete &amp;amp; Computational Geometry 52.2 (2014): 240–259.&amp;lt;/ref&amp;gt;&lt;br /&gt;
# &amp;lt;math&amp;gt; \Z^n &amp;lt;/math&amp;gt; itself is a cyclic lattice.&lt;br /&gt;
# Lattices corresponding to any ideal in the quotient polynomial ring &amp;lt;math&amp;gt; R = \Z[x]/(x^n-1) &amp;lt;/math&amp;gt; are cyclic: &lt;br /&gt;
consider the quotient polynomial ring &amp;lt;math&amp;gt; R = \Z[x]/(x^n-1) &amp;lt;/math&amp;gt;, and let &amp;lt;math&amp;gt; p(x) &amp;lt;/math&amp;gt; be some polynomial in &amp;lt;math&amp;gt; R &amp;lt;/math&amp;gt;, i.e. &amp;lt;math&amp;gt; p(x) = \sum_{i=0}^{n-1}a_ix^i &amp;lt;/math&amp;gt; where &amp;lt;math&amp;gt; a_i \in \Z &amp;lt;/math&amp;gt; for &amp;lt;math&amp;gt; i = 0,\ldots, n-1 &amp;lt;/math&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
Define the embedding coefficient &amp;lt;math&amp;gt; \Z &amp;lt;/math&amp;gt;-module isomorphism &amp;lt;math&amp;gt; \rho &amp;lt;/math&amp;gt; as:&lt;br /&gt;
&lt;br /&gt;
: &amp;lt;math&amp;gt;&lt;br /&gt;
    \begin{align}&lt;br /&gt;
        \quad \rho: R &amp;amp; \rightarrow \Z^n \\[4pt]&lt;br /&gt;
         p(x) = \sum_{i=0}^{n-1}a_ix^i &amp;amp; \mapsto (a_0,\ldots,a_{n-1})&lt;br /&gt;
    \end{align}&lt;br /&gt;
&amp;lt;/math&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Let &amp;lt;math&amp;gt; I \subset R &amp;lt;/math&amp;gt; be an ideal. The lattice corresponding to ideal &amp;lt;math&amp;gt; I \subset R &amp;lt;/math&amp;gt;, denoted by &amp;lt;math&amp;gt; \mathfrak{L}_I &amp;lt;/math&amp;gt;, is a sublattice of &amp;lt;math&amp;gt; \Z^n &amp;lt;/math&amp;gt;, and is defined as&lt;br /&gt;
&lt;br /&gt;
: &amp;lt;math&amp;gt; \mathfrak{L}_I := \rho(I) = \left\{ (a_0,\ldots,a_{n-1}) \mid \sum_{i=0}^{n-1}a_ix^i \in I \right\} \subset \Z^n. &amp;lt;/math&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;Theorem:&amp;#039;&amp;#039;&amp;#039; &amp;lt;math&amp;gt; \mathfrak{L} \subset \Z^n &amp;lt;/math&amp;gt; is cyclic if and only if &amp;lt;math&amp;gt; \mathfrak{L} &amp;lt;/math&amp;gt; corresponds to some ideal &amp;lt;math&amp;gt; I &amp;lt;/math&amp;gt; in the quotient polynomial ring &amp;lt;math&amp;gt; R = \Z[x]/(x^n-1) &amp;lt;/math&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;proof:&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
&amp;lt;math&amp;gt; \Leftarrow)&amp;lt;/math&amp;gt; We have:&lt;br /&gt;
: &amp;lt;math&amp;gt;&lt;br /&gt;
    \mathfrak{L} = \mathfrak{L}_I := \rho(I) = \left\{ (a_0,\ldots,a_{n-1}) \mid \sum_{i=0}^{n-1}a_ix^i \in I\right\}&lt;br /&gt;
&amp;lt;/math&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Let &amp;lt;math&amp;gt; (a_0,\ldots,a_{n-1}) &amp;lt;/math&amp;gt; be an arbitrary element in &amp;lt;math&amp;gt; \mathfrak{L} &amp;lt;/math&amp;gt;. Then, define &amp;lt;math&amp;gt; p(x) = \sum_{i=0}^{n-1}a_ix^i \in I &amp;lt;/math&amp;gt;. But since &amp;lt;math&amp;gt; I &amp;lt;/math&amp;gt; is an ideal, we have &amp;lt;math&amp;gt; xp(x) \in I &amp;lt;/math&amp;gt;. Then, &amp;lt;math&amp;gt; \rho(xp(x)) \in \mathfrak{L}_I &amp;lt;/math&amp;gt;. But, &amp;lt;math&amp;gt; \rho(xp(x)) = \operatorname{rot}(a_0,\ldots,a_{n-1}) \in \mathfrak{L}_I &amp;lt;/math&amp;gt;. Hence, &amp;lt;math&amp;gt; \mathfrak{L} &amp;lt;/math&amp;gt; is cyclic.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;math&amp;gt; \Rightarrow)&amp;lt;/math&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Let &amp;lt;math&amp;gt; \mathfrak{L} \subset \Z^n &amp;lt;/math&amp;gt; be a cyclic lattice. Hence &amp;lt;math&amp;gt; \forall (a_0,\ldots,a_{n-1}) \in \mathfrak{L}: \operatorname{rot}(a_0,\ldots,a_{n-1}) \in \mathfrak{L} &amp;lt;/math&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
Define the set of polynomials &amp;lt;math&amp;gt; I: = \left\{ \sum_{i=0}^{n-1}a_ix^i \mid (a_0,\ldots,a_{n-1}) \in \mathfrak{L} \right\} &amp;lt;/math&amp;gt;:&lt;br /&gt;
&lt;br /&gt;
# Since &amp;lt;math&amp;gt; \mathfrak{L} &amp;lt;/math&amp;gt; a lattice and hence an additive subgroup of &amp;lt;math&amp;gt; \Z^n &amp;lt;/math&amp;gt;, &amp;lt;math&amp;gt; I \subset R &amp;lt;/math&amp;gt; is an additive subgroup of &amp;lt;math&amp;gt; R &amp;lt;/math&amp;gt;.&lt;br /&gt;
# Since &amp;lt;math&amp;gt; \mathfrak{L} &amp;lt;/math&amp;gt; is cyclic, &amp;lt;math&amp;gt; \forall p(x) \in I: xp(x) \in I &amp;lt;/math&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
Hence, &amp;lt;math&amp;gt; I \subset R &amp;lt;/math&amp;gt; is an ideal, and consequently, &amp;lt;math&amp;gt; \mathfrak{L} = \mathfrak{L}_I &amp;lt;/math&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
===Ideal lattices ===&lt;br /&gt;
Source:&amp;lt;ref&amp;gt;Craig Gentry. [http://portal.acm.org/citation.cfm?id=1536414.1536440 Fully Homomorphic Encryption Using Ideal Lattices]. In &amp;#039;&amp;#039;the 41st ACM Symposium on Theory of Computing (STOC)&amp;#039;&amp;#039;, 2009.&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Let &amp;lt;math&amp;gt; f(x) \in \Z[x] &amp;lt;/math&amp;gt; be a [[monic polynomial]] of degree &amp;lt;math&amp;gt; n &amp;lt;/math&amp;gt;. For cryptographic applications, &amp;lt;math&amp;gt; f(x) &amp;lt;/math&amp;gt; is usually selected to be irreducible. The ideal generated by &amp;lt;math&amp;gt; f(x) &amp;lt;/math&amp;gt; is:&lt;br /&gt;
&lt;br /&gt;
: &amp;lt;math&amp;gt;&lt;br /&gt;
    (f(x)) := f(x) \cdot\Z[x] = \{ f(x)g(x): \forall g(x) \in \Z[x] \}.&lt;br /&gt;
&amp;lt;/math&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The quotient polynomial ring &amp;lt;math&amp;gt;R = \Z[x]/(f(x))&amp;lt;/math&amp;gt; partitions &amp;lt;math&amp;gt;\Z[x]&amp;lt;/math&amp;gt; into equivalence classes of polynomials of degree at most &amp;lt;math&amp;gt;n-1&amp;lt;/math&amp;gt;:&lt;br /&gt;
&lt;br /&gt;
: &amp;lt;math&amp;gt;&lt;br /&gt;
    R = \Z[x]/(f(x)) = \left\{ \sum_{i=0}^{n-1}a_ix^i: a_i \in \Z \right\}&lt;br /&gt;
&amp;lt;/math&amp;gt;&lt;br /&gt;
where addition and multiplication are reduced modulo &amp;lt;math&amp;gt;f(x)&amp;lt;/math&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
Consider the embedding coefficient &amp;lt;math&amp;gt;\Z&amp;lt;/math&amp;gt;-module isomorphism &amp;lt;math&amp;gt;\rho&amp;lt;/math&amp;gt;. Then, each ideal in &amp;lt;math&amp;gt;R&amp;lt;/math&amp;gt; defines a sublattice of &amp;lt;math&amp;gt;\Z^n&amp;lt;/math&amp;gt; called [[Ideal lattice cryptography|ideal lattice]].&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;Definition:&amp;#039;&amp;#039;&amp;#039; &amp;lt;math&amp;gt;\mathfrak{L}_I&amp;lt;/math&amp;gt;, the lattice corresponding to an ideal &amp;lt;math&amp;gt;I&amp;lt;/math&amp;gt;, is called ideal lattice. More precisely, consider a quotient polynomial ring &amp;lt;math&amp;gt;R = \Z[x]/(p(x))&amp;lt;/math&amp;gt;, where &amp;lt;math&amp;gt;(p(x))&amp;lt;/math&amp;gt; is the ideal generated by a degree &amp;lt;math&amp;gt;n&amp;lt;/math&amp;gt; polynomial &amp;lt;math&amp;gt;p(x) \in \Z[x]&amp;lt;/math&amp;gt;.  &amp;lt;math&amp;gt;\mathfrak{L}_I&amp;lt;/math&amp;gt;, is a sublattice of &amp;lt;math&amp;gt;\Z^n&amp;lt;/math&amp;gt;, and is defined as:&lt;br /&gt;
&lt;br /&gt;
: &amp;lt;math&amp;gt;&lt;br /&gt;
    \mathfrak{L}_I := \rho(I) = \left\{ (a_0,\ldots,a_{n-1}) \mid \sum_{i=0}^{n-1}a_i x^i \in I \right\} \subset \Z^n.&lt;br /&gt;
&amp;lt;/math&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;Remark:&amp;lt;ref&amp;gt;Peikert, Chris. [A decade of lattice cryptography.] Cryptology ePrint Archive, Report 2015/939, 2015.&amp;lt;/ref&amp;gt;&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
# It turns out that [[Lattice problem|&amp;lt;math&amp;gt;\text{GapSVP}_\gamma&amp;lt;/math&amp;gt;]] for even small &amp;lt;math&amp;gt;\gamma = \operatorname{poly(n)}&amp;lt;/math&amp;gt; is typically easy on ideal lattices. The intuition is that the algebraic symmetries causes the minimum distance of an ideal to lie within a narrow, easily computable range. &lt;br /&gt;
# By exploiting the provided algebraic symmetries in ideal lattices, one can convert a short nonzero vector into &amp;lt;math&amp;gt;n&amp;lt;/math&amp;gt; linearly independent ones of (nearly) the same length. Therefore, on ideal lattices, [[Shortest vector problem|&amp;lt;math&amp;gt;\mathrm{SVP}_\gamma&amp;lt;/math&amp;gt;]] and [[Lattice problem|&amp;lt;math&amp;gt;\mathrm{SIVP}_\gamma&amp;lt;/math&amp;gt;]] are equivalent with a small loss.&amp;lt;ref&amp;gt;Peikert, Chris, and Alon Rosen. [Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices.] Theory of Cryptography. Springer Berlin Heidelberg, 2006. 145–166.&amp;lt;/ref&amp;gt; Furthermore, even for [[Quantum algorithm|quantum algorithms]], [[Shortest vector problem|&amp;lt;math&amp;gt;\mathrm{SVP}_\gamma&amp;lt;/math&amp;gt;]] and [[Lattice problem|&amp;lt;math&amp;gt;\mathrm{SIVP}_\gamma&amp;lt;/math&amp;gt;]] are believed to be very hard in the worst-case scenario.&lt;br /&gt;
&lt;br /&gt;
==Short integer solution problem==&lt;br /&gt;
The Short Integer Solution (SIS) problem is an &amp;#039;&amp;#039;average&amp;#039;&amp;#039; case problem that is used in lattice-based cryptography constructions. Lattice-based cryptography began in 1996 from a seminal work by Ajtai&amp;lt;ref name=&amp;quot;Ajtai, Miklós 1996&amp;quot;/&amp;gt; who presented a family of one-way functions based on the SIS problem. He showed that it is secure in an average case if &amp;lt;math&amp;gt;\mathrm{SVP}_{\gamma}&amp;lt;/math&amp;gt; (where &amp;lt;math&amp;gt;\gamma = n^c&amp;lt;/math&amp;gt; for some constant &amp;lt;math&amp;gt;c&amp;gt;0&amp;lt;/math&amp;gt;) is hard in a worst-case scenario. Along with applications in classical cryptography, the SIS problem and its variants are utilized in several post-quantum security schemes including [[Lattice-based cryptography|CRYSTALS-Dilithium]] and [[Lattice-based cryptography|Falcon]].&amp;lt;ref name=&amp;quot;Crystals-Dilithium&amp;quot;&amp;gt;{{cite web|url=https://pq-crystals.org/dilithium/data/dilithium-specification-round3.pdf|title=CRYSTALS-Dilithium:Algorithm Specifications and Supporting Documentation|last1=Bai|first1=Shi|last2=Ducas|first2=Léo|last3=Kiltz|first3=Eike|last4=Lepoint|first4= Tancrède|last5=Lyubashevsky|first5=Vadim|last6=Schwabe|first6=Peter|last7=Seiler|first7=Grego4|last8=Stehlé|first8=Damien|date=October 1, 2020|access-date=November 13, 2023|website=PQ-Crystals.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;FALCON&amp;quot;&amp;gt;{{cite web|url=https://falcon-sign.info|title=Falcon: Fast-Fourier Lattice-based Compact Signatures over NTRU|first1=Pierre-Alain|last1=Fouque|first2=Jeffrey|last2=Hoffstein|first3=Paul|last3=Kirchner|first4=Vadim|last4=Lyubashevsky|first5=Thomas|last5=Pornin|first6=Thomas|last6=Prest|first7=Thomas|last7=Ricosset|first8=Gregor|last8=Seiler|first9=William|last9=Whyte|first10=Zhenfei|last10=Zhang|date=October 1, 2020|access-date=November 13, 2023}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===SIS&amp;lt;sub&amp;gt;&amp;#039;&amp;#039;q&amp;#039;&amp;#039;,&amp;#039;&amp;#039;n&amp;#039;&amp;#039;,&amp;#039;&amp;#039;m&amp;#039;&amp;#039;,&amp;#039;&amp;#039;&amp;amp;beta;&amp;#039;&amp;#039;&amp;lt;/sub&amp;gt;===&lt;br /&gt;
Let &amp;lt;math&amp;gt;A \in \Z^{n\times m}_q&amp;lt;/math&amp;gt; be an &amp;lt;math&amp;gt;n\times m&amp;lt;/math&amp;gt; matrix with entries in &amp;lt;math&amp;gt;\Z_q&amp;lt;/math&amp;gt; that consists of &amp;lt;math&amp;gt;m&amp;lt;/math&amp;gt; uniformly random vectors &amp;lt;math&amp;gt;\boldsymbol{a_i} \in \Z^n_q&amp;lt;/math&amp;gt;: &amp;lt;math&amp;gt;A = [\boldsymbol{a_1}|\cdots|\boldsymbol{a_m}]&amp;lt;/math&amp;gt;. Find a nonzero vector &amp;lt;math&amp;gt;\boldsymbol{x} \in \Z^m&amp;lt;/math&amp;gt; such that for some norm &amp;lt;math&amp;gt;\|\cdot\|&amp;lt;/math&amp;gt;:&lt;br /&gt;
* &amp;lt;math&amp;gt; 0 &amp;lt; \|\boldsymbol{x}\| \leq \beta&amp;lt;/math&amp;gt;,&lt;br /&gt;
* &amp;lt;math&amp;gt;f_A(\boldsymbol{x}) := A\boldsymbol{x} = \boldsymbol{0} \in \Z^n_q&amp;lt;/math&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
A solution to SIS without the required constraint on the length of the solution (&amp;lt;math&amp;gt;\|\boldsymbol{x}\| \leq \beta&amp;lt;/math&amp;gt;) is easy to compute by using &amp;#039;&amp;#039;Gaussian elimination&amp;#039;&amp;#039; technique. We also require &amp;lt;math&amp;gt;\beta &amp;lt; q&amp;lt;/math&amp;gt;, otherwise &amp;lt;math&amp;gt;\boldsymbol{x} = (q,0,\ldots,0) \in \Z^m&amp;lt;/math&amp;gt; is a trivial solution.&lt;br /&gt;
 &lt;br /&gt;
In order to guarantee &amp;lt;math&amp;gt;f_A(\boldsymbol{x})&amp;lt;/math&amp;gt; has non-trivial, short solution, we require:&lt;br /&gt;
* &amp;lt;math&amp;gt;\beta \geq \sqrt{n\log q}&amp;lt;/math&amp;gt;, and&lt;br /&gt;
* &amp;lt;math&amp;gt;m \geq n\log q&amp;lt;/math&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;Theorem:&amp;#039;&amp;#039;&amp;#039; For any &amp;lt;math&amp;gt;m = \operatorname{poly}(n)&amp;lt;/math&amp;gt;, any  &amp;lt;math&amp;gt;\beta &amp;gt; 0&amp;lt;/math&amp;gt;, and any sufficiently large &amp;lt;math&amp;gt;q \geq \beta n^c&amp;lt;/math&amp;gt; (for any constant &amp;lt;math&amp;gt;c &amp;gt;0&amp;lt;/math&amp;gt;), solving &amp;lt;math&amp;gt;\operatorname{SIS}_{n,m,q,\beta}&amp;lt;/math&amp;gt; with nonnegligible probability is at least as hard as solving the &amp;lt;math&amp;gt;\operatorname{GapSVP}_\gamma&amp;lt;/math&amp;gt; and &amp;lt;math&amp;gt;\operatorname{SIVP}_\gamma&amp;lt;/math&amp;gt; for some &amp;lt;math&amp;gt;\gamma = \beta \cdot O(\sqrt{n})&amp;lt;/math&amp;gt; with a high probability in the worst-case scenario.&lt;br /&gt;
&lt;br /&gt;
===R-SIS&amp;lt;sub&amp;gt;&amp;#039;&amp;#039;q&amp;#039;&amp;#039;,&amp;#039;&amp;#039;n&amp;#039;&amp;#039;,&amp;#039;&amp;#039;m&amp;#039;&amp;#039;,&amp;#039;&amp;#039;&amp;amp;beta;&amp;#039;&amp;#039;&amp;lt;/sub&amp;gt;===&lt;br /&gt;
The SIS problem solved over an ideal ring is also called the Ring-SIS or R-SIS problem.&amp;lt;ref name=&amp;quot;micciancio2002generalized&amp;quot;/&amp;gt;&amp;lt;ref&amp;gt;Lyubashevsky, Vadim, et al. [SWIFFT: A modest proposal for FFT hashing.] Fast Software Encryption. Springer Berlin Heidelberg, 2008.&amp;lt;/ref&amp;gt; This problem considers a quotient polynomial ring &amp;lt;math&amp;gt;R_q = \Z_q[x]/(f(x))&amp;lt;/math&amp;gt; with &amp;lt;math&amp;gt;f(x) = x^n-1&amp;lt;/math&amp;gt; for some integer &amp;lt;math&amp;gt;n&amp;lt;/math&amp;gt; and with some norm &amp;lt;math&amp;gt;\|\cdot\|&amp;lt;/math&amp;gt;. Of particular interest are cases where there exists integer &amp;lt;math&amp;gt;k&amp;lt;/math&amp;gt; such that &amp;lt;math&amp;gt;n=2^k&amp;lt;/math&amp;gt; as this restricts the quotient to cyclotomic polynomials.&amp;lt;ref name=LangloisStehle2015&amp;gt;Langlois, Adeline, and Damien Stehlé. [Worst-case to average-case reductions for module lattices.] Designs, Codes and Cryptography 75.3 (2015): 565–599.&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
We then define the problem as follows:&lt;br /&gt;
&lt;br /&gt;
Select &amp;lt;math&amp;gt;m&amp;lt;/math&amp;gt; independent uniformly random elements &amp;lt;math&amp;gt;a_i \in R_q&amp;lt;/math&amp;gt;. Define vector &amp;lt;math&amp;gt;\vec{\boldsymbol{a}}:=(a_1,\ldots,a_m) \in R_q^m&amp;lt;/math&amp;gt;. Find a nonzero vector &amp;lt;math&amp;gt;\vec{\boldsymbol{z}}:=(z_1,\ldots,z_m) \in R^m&amp;lt;/math&amp;gt; such that:&lt;br /&gt;
* &amp;lt;math&amp;gt; 0&amp;lt;\|\vec{\boldsymbol{z}}\| \leq \beta&amp;lt;/math&amp;gt;,&lt;br /&gt;
* &amp;lt;math&amp;gt;f_{\vec{\boldsymbol{a}}}(\vec{\boldsymbol{z}}) := \vec{\boldsymbol{a}}^{T}.\vec{\boldsymbol{z}} = \sum_{i=1}^m a_i.z_i = 0 \in R_q&amp;lt;/math&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
Recall that to guarantee existence of a solution to SIS problem, we require &amp;lt;math&amp;gt;m \approx n\log q&amp;lt;/math&amp;gt;. However, Ring-SIS problem provide us with more compactness and efficacy: to guarantee existence of a solution to Ring-SIS problem, we require &amp;lt;math&amp;gt;m \approx \log q&amp;lt;/math&amp;gt; .&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;Definition:&amp;#039;&amp;#039;&amp;#039; The &amp;#039;&amp;#039;nega-circulant matrix&amp;#039;&amp;#039; of &amp;lt;math&amp;gt;b&amp;lt;/math&amp;gt; is defined as:&lt;br /&gt;
&lt;br /&gt;
: &amp;lt;math&amp;gt;&lt;br /&gt;
\text{for} \quad b = \sum_{i=0}^{n-1}b_ix^i \in R, \quad &lt;br /&gt;
    \operatorname{rot}(b) := \begin{bmatrix}&lt;br /&gt;
       b_0 &amp;amp; -b_{n-1} &amp;amp; \ldots &amp;amp; -b_1  \\[0.3em]&lt;br /&gt;
       b_1 &amp;amp; b_0 &amp;amp; \ldots &amp;amp; -b_2 \\[0.3em]&lt;br /&gt;
       \vdots &amp;amp; \vdots &amp;amp; \ddots &amp;amp; \vdots \\[0.3em]&lt;br /&gt;
       b_{n-1} &amp;amp; b_{n-2} &amp;amp; \ldots &amp;amp; b_0&lt;br /&gt;
     \end{bmatrix}&lt;br /&gt;
&amp;lt;/math&amp;gt;&lt;br /&gt;
&lt;br /&gt;
When the quotient [[polynomial ring]] is &amp;lt;math&amp;gt;R = \Z[x]/(x^n+1)&amp;lt;/math&amp;gt; for &amp;lt;math&amp;gt;n = 2^k&amp;lt;/math&amp;gt;, the ring multiplication &amp;lt;math&amp;gt;a_i.p_i&amp;lt;/math&amp;gt; can be efficiently computed by first forming &amp;lt;math&amp;gt;\operatorname{rot}(a_i)&amp;lt;/math&amp;gt;, the nega-circulant matrix of &amp;lt;math&amp;gt;a_i&amp;lt;/math&amp;gt;, and then multiplying &amp;lt;math&amp;gt;\operatorname{rot}(a_i)&amp;lt;/math&amp;gt; with &amp;lt;math&amp;gt;\rho(p_i(x)) \in Z^n&amp;lt;/math&amp;gt;, the embedding coefficient vector of &amp;lt;math&amp;gt;p_i&amp;lt;/math&amp;gt; (or, alternatively with &amp;lt;math&amp;gt;\sigma(p_i(x)) \in Z^n&amp;lt;/math&amp;gt;, the canonical coefficient vector.&lt;br /&gt;
&lt;br /&gt;
Moreover, R-SIS problem is a special case of SIS problem where the matrix &amp;lt;math&amp;gt;A&amp;lt;/math&amp;gt; in the SIS problem is restricted to negacirculant blocks: &amp;lt;math&amp;gt;A = [\operatorname{rot}(a_1)|\cdots|\operatorname{rot}(a_m)]&amp;lt;/math&amp;gt;.&amp;lt;ref name=LangloisStehle2015 /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===M-SIS&amp;lt;sub&amp;gt;&amp;#039;&amp;#039;q&amp;#039;&amp;#039;,&amp;#039;&amp;#039;n&amp;#039;&amp;#039;,&amp;#039;&amp;#039;d&amp;#039;&amp;#039;,&amp;#039;&amp;#039;m&amp;#039;&amp;#039;,&amp;#039;&amp;#039;&amp;amp;beta;&amp;#039;&amp;#039;&amp;lt;/sub&amp;gt;===&lt;br /&gt;
The SIS problem solved over a module lattice is also called the Module-SIS or M-SIS problem. Like R-SIS, this problem considers the quotient polynomial ring &amp;lt;math&amp;gt;R = \Z[x]/(f(x))&amp;lt;/math&amp;gt; and &amp;lt;math&amp;gt;R_q = \Z_q[x]/(f(x))&amp;lt;/math&amp;gt; for &amp;lt;math&amp;gt;f(x) = x^n-1&amp;lt;/math&amp;gt; with a special interest in cases where &amp;lt;math&amp;gt;n&amp;lt;/math&amp;gt; is a power of 2. Then, let &amp;lt;math&amp;gt;M&amp;lt;/math&amp;gt; be a module of rank &amp;lt;math&amp;gt;d&amp;lt;/math&amp;gt; such that &amp;lt;math&amp;gt;M\subseteq R^d&amp;lt;/math&amp;gt; and let &amp;lt;math&amp;gt;\|\cdot\|&amp;lt;/math&amp;gt; be an arbitrary norm over &amp;lt;math&amp;gt;R_q^{m}&amp;lt;/math&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
We then define the problem as follows:&lt;br /&gt;
&lt;br /&gt;
Select &amp;lt;math&amp;gt;m&amp;lt;/math&amp;gt; independent uniformly random elements &amp;lt;math&amp;gt;a_i \in R_q^d&amp;lt;/math&amp;gt;. Define vector &amp;lt;math&amp;gt;\vec{\boldsymbol{a}}:=(a_1,\ldots,a_m) \in R_q^{d\times m}&amp;lt;/math&amp;gt;. Find a nonzero vector &amp;lt;math&amp;gt;\vec{\boldsymbol{z}}:=(z_1,\ldots,z_m) \in R^m&amp;lt;/math&amp;gt; such that:&lt;br /&gt;
* &amp;lt;math&amp;gt; 0 &amp;lt;\|\vec{\boldsymbol{z}}\| \leq \beta&amp;lt;/math&amp;gt;,&lt;br /&gt;
* &amp;lt;math&amp;gt;f_{\vec{\boldsymbol{a}}}(\vec{\boldsymbol{z}}) := \vec{\boldsymbol{a}}^{T}.\vec{\boldsymbol{z}} = \sum_{i=1}^m a_i.z_i = 0 \in R_q^d&amp;lt;/math&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
While M-SIS is a less compact variant of SIS than R-SIS, the M-SIS problem is asymptotically at least as hard as R-SIS and therefore gives a tighter bound on the hardness assumption of SIS. This makes assuming the hardness of M-SIS a safer, but less efficient underlying assumption when compared to R-SIS.&amp;lt;ref name=LangloisStehle2015 /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[Lattice-based cryptography]]&lt;br /&gt;
*[[Homomorphic encryption]]&lt;br /&gt;
*[[Ring learning with errors key exchange]]&lt;br /&gt;
*[[Post-quantum cryptography]]&lt;br /&gt;
*[[Lattice problem]]&lt;br /&gt;
*{{slink|TFNP#PPP}}&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{{Computational hardness assumptions}}&lt;br /&gt;
&lt;br /&gt;
[[Category:Number theory]]&lt;br /&gt;
[[Category:Lattice-based cryptography]]&lt;br /&gt;
[[Category:Post-quantum cryptography]]&lt;br /&gt;
[[Category:Computational problems]]&lt;br /&gt;
[[Category:Computational hardness assumptions]]&lt;/div&gt;</summary>
		<author><name>imported&gt;Antonissimo</name></author>
	</entry>
</feed>