Appendix: Lattice problems

A quick primer to essential notions useful in post-quantum cryptography. While this aims to be precise, it cannot and will not be exhaustive; please check out the wealth of resources available to students of cryptography1.

SIS problem

(Inhomogenous) Short Integer Solutions problem 2

Given

  • \(A \overset{R}{\leftarrow}\mathbb{Z}_q^{n\times m}\), an \((n\times m)\) matrix with random entries in \(\mathbb{Z}_q\),
  • \(b \overset{R}{\leftarrow}\mathbb{Z}_q^{m}\), an \((m \times 1)\) vector with random entries in \(\mathbb{Z}_q\),

find \(z \in\mathbb{Z}^{m}\) such that \(Az=b\pmod{q}\) and \(z\in[-B,B]^m\).


Parameters

  • If \(n>m\), no solution exists.
  • If \((2B+1)^m \gg q^n\) i.e., \(m \gg (n \log q)/\log(2B + 1)\), a solution is likely to exist.

Equivalence: SIS

Inhomogeneous indicates that \(b\neq 0\). The SIS problem with \(b=0\) is of equivalent difficulty.

LWE problem

Learning With Errors problem 3

Let

  • \(s \overset{R}{\leftarrow}\mathbb{Z}_q^{n}\) a vector with random entries in \(\mathbb{Z}_q\) – a secret;
  • \(e \overset{R}{\leftarrow} [-B,B]^m\) with \(B \ll q/2\) – a small error.

Given

  • \(A \overset{R}{\leftarrow}\mathbb{Z}_q^{m\times n}\) an \(m\times n\) matrix with random entries in \(\mathbb{Z}_q\),
  • \(b = As+e \pmod{q}\),

find \(s\).


Parameters

  • If \(e=0\) (\(B=0\)), a solution is easy to find.
  • If \(B=(q-1)/2\), a solution is impossible to find; assume \(B<q/4\).
  • If \(m\gg n\), an unique solution is likely to exist.
    • However, if also \(B\ll\sqrt{n}\), a solution can be easy to find.

Equivalence: DLWE, ss-LWE

The difficulty of solving the LWE problem has been proved equivalent to:

  • the Decisional LWE (DLWE) problem: distinguish whether a given \(\tilde{b}\) is a solution to an LWE instance or a random vector in \(\mathbb{Z}_q^{m}\);
  • the short-secret LWE (ss-LWE) problem: same as LWE but with smaller coefficients in \(s\), more precisely \(s \overset{R}{\leftarrow}[-B,B]^m\) a vector with random entries in \([-B,B]^m\) rather than \(\mathbb{Z}_q\).

References

  1. Menezes, A. J. (2024). Cryptography 101. https://cryptography101.ca/↩︎

  2. Ajtai, M. (1996). Generating hard instances of lattice problems (extended abstract). STOC 96, 99–108. https://doi.org/10.1145/237814.237838 ↩︎

  3. Regev, O. (2005). On lattices, learning with errors, random linear codes, and cryptography. STOC 96, 84–93. https://doi.org/10.1145/1060590.1060603 ↩︎

Last updated on