Short integer solution problem

Micciancio introduced cyclic lattices in his work in generalizing the compact knapsack problem to arbitrary rings.[2] A cyclic lattice is a lattice that is closed under rotational shift operator. Formally, cyclic lattices are defined as follows:

Definition: A lattice ${\displaystyle {\mathfrak {L}}\subseteq \mathbb {Z} ^{n}}$ is cyclic if ${\displaystyle \forall {\boldsymbol {x}}\in {\mathfrak {L}}:\operatorname {rot} ({\boldsymbol {x}})\in {\mathfrak {L}}}$.

Examples: [3]

1. ${\displaystyle \mathbb {Z} ^{n}}$ itself is a cyclic lattice.
2. Lattices corresponding to any ideal in the quotient polynomial ring ${\displaystyle R=\mathbb {Z} [x]/(x^{n}-1)}$ are cyclic:

consider the quotient polynomial ring ${\displaystyle R=\mathbb {Z} [x]/(x^{n}-1)}$, and let ${\displaystyle p(x)}$ be some polynomial in ${\displaystyle R}$, i.e. ${\displaystyle p(x)=\sum _{i=0}^{n-1}a_{i}x^{i}}$ where ${\displaystyle a_{i}\in \mathbb {Z} }$ for ${\displaystyle i=0,\ldots ,n-1}$.

Define the embedding coefficient ${\displaystyle \mathbb {Z} }$-module isomorphism ${\displaystyle \rho }$ as:

${\displaystyle {\begin{aligned}\quad \rho :R&\rightarrow \mathbb {Z} ^{n}\\[4pt]\rho (x)=\sum _{i=0}^{n-1}a_{i}x^{i}&\mapsto (a_{0},\ldots ,a_{n-1})\end{aligned}}}$

Let ${\displaystyle I\subset R}$ be an ideal. The lattice corresponding to ideal ${\displaystyle I\subset R}$, denoted by ${\displaystyle {\mathfrak {L}}_{I}}$, is a sublattice of ${\displaystyle \mathbb {Z} ^{n}}$, and is defined as

${\displaystyle {\mathfrak {L}}_{I}:=\rho (I)=\left\{(a_{0},\ldots ,a_{n-1})\mid \sum _{i=0}^{n-1}a_{i}x^{i}\in I\right\}\subset \mathbb {Z} ^{n}.}$

Theorem: ${\displaystyle {\mathfrak {L}}\subset \mathbb {Z} ^{n}}$ is cyclic if and only if ${\displaystyle {\mathfrak {L}}}$ corresponds to some ideal ${\displaystyle I}$ in the quotient polynomial ring ${\displaystyle R=\mathbb {Z} [x]/(x^{n}-1)}$.

proof: ${\displaystyle \Leftarrow )}$ We have:

${\displaystyle {\mathfrak {L}}={\mathfrak {L}}_{I}:=\rho (I)=\left\{(a_{0},\ldots ,a_{n-1})\mid \sum _{i=0}^{n-1}a_{i}x^{i}\in I\right\}}$

Let ${\displaystyle (a_{0},\ldots ,a_{n-1})}$ be an arbitrary element in ${\displaystyle {\mathfrak {L}}}$. Then, define ${\displaystyle p(x)=\sum _{i=0}^{n-1}a_{i}x^{i}\in I}$. But since ${\displaystyle I}$ is an ideal, we have ${\displaystyle xp(x)\in I}$. Then, ${\displaystyle \rho (xp(x))\in {\mathfrak {L}}_{I}}$. But, ${\displaystyle \rho (xp(x))=\operatorname {rot} (a_{0},\ldots ,a_{n-1})\in {\mathfrak {L}}_{I}}$. Hence, ${\displaystyle {\mathfrak {L}}}$ is cyclic.

${\displaystyle \Rightarrow )}$

Let ${\displaystyle {\mathfrak {L}}\subset \mathbb {Z} ^{n}}$ be a cyclic lattice. Hence ${\displaystyle \forall (a_{0},\ldots ,a_{n-1})\in {\mathfrak {L}}:\operatorname {rot} (a_{0},\ldots ,a_{n-1})\in {\mathfrak {L}}}$.

Define the set of polynomials ${\displaystyle I:=\left\{\sum _{i=0}^{n-1}a_{i}x^{i}\mid (a_{0},\ldots ,a_{n-1})\in {\mathfrak {L}}\right\}}$:

1. Since ${\displaystyle {\mathfrak {L}}}$ a lattice and hence an additive subgroup of ${\displaystyle \mathbb {Z} ^{n}}$, ${\displaystyle I\subset R}$ is an additive subgroup of ${\displaystyle R}$.
2. Since ${\displaystyle {\mathfrak {L}}}$ is cyclic, ${\displaystyle \forall p(x)\in I:xp(x)\in I}$.

Hence, ${\displaystyle I\subset R}$ is an ideal, and consequently, ${\displaystyle {\mathfrak {L}}={\mathfrak {L}}_{I}}$.

Let ${\displaystyle f(x)\in \mathbb {Z} [x]}$ be a monic polynomial of degree ${\displaystyle n}$. For cryptographic applications, ${\displaystyle f(x)}$ is usually selected to be irreducible. The ideal generated by ${\displaystyle f(x)}$ is:

${\displaystyle (f(x)):=f(x)\cdot \mathbb {Z} [x]=\{f(x)g(x):\forall g(x)\in \mathbb {Z} [x]\}.}$

The quotient polynomial ring ${\displaystyle R=\mathbb {Z} [x]/(f(x))}$ partitions ${\displaystyle \mathbb {Z} [x]}$ into equivalence classes of polynomials of degree at most ${\displaystyle n-1}$:

${\displaystyle R=\mathbb {Z} [x]/(f(x))=\left\{\sum _{i=0}^{n-1}a_{i}x^{i}:a_{i}\in \mathbb {Z} \right\}}$

where addition and multiplication are reduced modulo ${\displaystyle f(x)}$.

Consider the embedding coefficient ${\displaystyle \mathbb {Z} }$-module isomorphism ${\displaystyle \rho }$. Then, each ideal in ${\displaystyle R}$ defines a sublattice of ${\displaystyle \mathbb {Z} ^{n}}$ called ideal lattice.

Definition: ${\displaystyle {\mathfrak {L}}_{I}}$, the lattice corresponding to an ideal ${\displaystyle I}$, is called ideal lattice. More precisely, consider a quotient polynomial ring ${\displaystyle R=\mathbb {Z} [x]/(p(x))}$, where ${\displaystyle (p(x))}$ is the ideal generated by a degree ${\displaystyle n}$ polynomial ${\displaystyle p(x)\in \mathbb {Z} [x]}$. ${\displaystyle {\mathfrak {L}}_{I}}$, is a sublattice of ${\displaystyle \mathbb {Z} ^{n}}$, and is defined as:

${\displaystyle {\mathfrak {L}}_{I}:=\rho (I)=\left\{(a_{0},\ldots ,a_{n-1})\mid \sum _{i=0}^{n-1}a_{i}x^{i}\in I\right\}\subset \mathbb {Z} ^{n}.}$

Remark:[6]

1. It turns out that ${\displaystyle {\text{GapSVP}}_{\gamma }}$ for even small ${\displaystyle \gamma =\operatorname {poly(n)} }$ is typically easy on ideal lattices. The intuition is that the algebraic symmetries causes the minimum distance of an ideal to lie within a narrow, easily computable range.
2. By exploiting the provided algebraic symmetries in ideal lattices, one can convert a short nonzero vector into ${\displaystyle n}$ linearly independent ones of (nearly) the same length. Therefore, on ideal lattices, ${\displaystyle \mathrm {SVP} _{\gamma }}$ and ${\displaystyle \mathrm {SIVP} _{\gamma }}$ are equivalent with a small loss.[7] Furthermore, even for quantum algorithms, ${\displaystyle \mathrm {SVP} _{\gamma }}$ and ${\displaystyle \mathrm {SIVP} _{\gamma }}$ are very hard in the worst-case scenario.

Let ${\displaystyle A\in \mathbb {Z} _{q}^{n\times m}}$ be an ${\displaystyle n\times m}$ matrix with entries in ${\displaystyle \mathbb {Z} _{q}}$ that consists of ${\displaystyle m}$ uniformly random vectors ${\displaystyle {\boldsymbol {a_{i}}}\in \mathbb {Z} _{q}^{n}}$: ${\displaystyle A=[{\boldsymbol {a_{1}}}|\cdots |{\boldsymbol {a_{m}}}]}$. Find a nonzero vector ${\displaystyle {\boldsymbol {x}}\in \mathbb {Z} ^{m}}$ such that:

• ${\displaystyle \|{\boldsymbol {x}}\|\leq \beta }$
• ${\displaystyle f_{A}({\boldsymbol {x}}):=A{\boldsymbol {x}}={\boldsymbol {0}}\in \mathbb {Z} _{q}^{n}}$

A solution to SIS without the required constraint on the length of the solution (${\displaystyle \|{\boldsymbol {x}}\|\leq \beta }$) is easy to compute by using Gaussian elimination technique. We also require ${\displaystyle \beta <q}$, otherwise ${\displaystyle {\boldsymbol {x}}=(q,0,\ldots ,0)\in \mathbb {Z} ^{m}}$ is a trivial solution.

In order to guarantee ${\displaystyle f_{A}({\boldsymbol {x}})}$ has non-trivial, short solution, we require:

• ${\displaystyle \beta \geq {\sqrt {n\log q}}}$, and
• ${\displaystyle m\geq n\log q}$

Theorem: For any ${\displaystyle m=\operatorname {poly} (n)}$, any ${\displaystyle \beta >0}$, and any sufficiently large ${\displaystyle q\geq \beta n^{c}}$ (for any constant ${\displaystyle c>0}$), solving ${\displaystyle \operatorname {SIS} _{n,m,q,\beta }}$ with nonnegligible probability is at least as hard as solving the ${\displaystyle \operatorname {GapSVP} _{\gamma }}$ and ${\displaystyle \operatorname {SIVP} _{\gamma }}$ for some ${\displaystyle \gamma =\beta \cdot O({\sqrt {n}})}$ with a high probability in the worst-case scenario.

Ring-SIS problem, a compact ring-based analogue of SIS problem, was studied in.[2][8] They consider quotient polynomial ring ${\displaystyle R=\mathbb {Z} [x]/(f(x))}$ with ${\displaystyle f(x)=x^{n}-1}$ and ${\displaystyle x^{2^{k}}+1}$, respectively, and extend the definition of norm on vectors in ${\displaystyle \mathbb {R} ^{n}}$ to vectors in ${\displaystyle R^{m}}$ as follows:

Given a vector ${\displaystyle {\vec {\boldsymbol {z}}}=(p_{1},\ldots ,p_{m})\in R^{m}}$ where ${\displaystyle p_{i}(x)}$ are some polynomial in ${\displaystyle R}$. Consider the embedding coefficient ${\displaystyle \mathbb {Z} }$-module isomorphism ${\displaystyle \rho }$:

${\displaystyle {\begin{aligned}&\rho :R\rightarrow \mathbb {Z} ^{n}\\[3pt]\rho (x)&=\sum _{i=0}^{n-1}a_{i}x^{i}\mapsto (a_{0},\ldots ,a_{n-1})\end{aligned}}}$

Let ${\displaystyle {\boldsymbol {z_{i}}}=\rho (p_{i}(x))\in Z^{n}}$. Define norm ${\displaystyle {\vec {\boldsymbol {z}}}}$ as:

${\displaystyle \|{\vec {\boldsymbol {z}}}\|:={\sqrt {\sum _{i=1}^{m}\|{\boldsymbol {z_{i}}}\|^{2}}}}$

Alternatively, a better notion for norm is achieved by exploiting the canonical embedding. The canonical embedding is defined as:

${\displaystyle {\begin{aligned}\sigma :R=\mathbb {Z} /(f(x))&\rightarrow \mathbb {C} ^{n}\\p(x)&\mapsto (p(\alpha _{1}),\ldots ,p(\alpha _{n})\end{aligned}}}$

where ${\displaystyle \alpha _{i}}$ is the ${\displaystyle i^{th}}$ complex root of ${\displaystyle f(x)}$ for ${\displaystyle i=1,\ldots ,n}$.

Given the quotient polynomial ring ${\displaystyle R=\mathbb {Z} /(f(x))}$, define

${\displaystyle R_{q}:=R/qR=\mathbb {Z} _{q}[x]/(f(x))}$. Select ${\displaystyle m}$ independent uniformly random elements ${\displaystyle a_{i}\in R_{q}}$. Define vector ${\displaystyle {\vec {\boldsymbol {a}}}:=(a_{1},\ldots ,a_{m})\in R_{q}^{m}}$. Find a nonzero vector ${\displaystyle {\vec {\boldsymbol {z}}}:=(p_{1},\ldots ,p_{m})\in R^{m}}$ such that:

• ${\displaystyle \|{\vec {\boldsymbol {z}}}\|\leq \beta }$
• ${\displaystyle f_{\vec {\boldsymbol {a}}}({\vec {\boldsymbol {z}}}):={\vec {\boldsymbol {a}}}^{\,t}.{\vec {\boldsymbol {z}}}=\sum _{i=1}^{m}a_{i}.p_{i}=0\in R_{q}}$

Recall that to guarantee existence of a solution to SIS problem, we require ${\displaystyle m\approx n\log q}$. However, Ring-SIS problem provide us with more compactness and efficacy: to guarantee existence of a solution to Ring-SIS problem, we require ${\displaystyle m\approx \log q}$.

Definition: The nega-circulant matrix of ${\displaystyle b}$ is defined as:

${\displaystyle {\text{for}}\quad b=\sum _{i=0}^{n-1}b_{i}x^{i}\in R,\quad \operatorname {rot} (b):={\begin{bmatrix}b_{0}&-b_{n-1}&\ldots &-b_{1}\\[0.3em]b_{1}&b_{0}&\ldots &-b_{2}\\[0.3em]\vdots &\vdots &\ddots &\vdots \\[0.3em]b_{n-1}&b_{n-2}&\ldots &b_{0}\end{bmatrix}}}$

When the quotient polynomial ring is ${\displaystyle R=\mathbb {Z} /(x^{n}+1)}$ for ${\displaystyle n=2^{k}}$, the ring multiplication ${\displaystyle a_{i}.p_{i}}$ can be efficiently computed by first forming ${\displaystyle \operatorname {rot} (a_{i})}$, the nega-circulant matrix of ${\displaystyle a_{i}}$, and then multiplying ${\displaystyle \operatorname {rot} (a_{i})}$ with ${\displaystyle \rho (p_{i}(x))\in Z^{n}}$, the embedding coefficient vector of ${\displaystyle p_{i}}$ (or, alternatively with ${\displaystyle \sigma (p_{i}(x))\in Z^{n}}$, the canonical coefficient vector).

Moreover, R-SIS problem is a special case of SIS problem where the matrix ${\displaystyle A}$ in the SIS problem is restricted to negacirculant blocks: ${\displaystyle A=[\operatorname {rot} (a_{1})|\cdots |\operatorname {rot} (a_{m})]}$.[9]