After a “lattice-assumptions winter”
(there, I coined it now!) because “knapsack”, the last few years have seen the introduction of a bunch of newfangled SIS-like assumptions along the lines of:
Given
s.t.
, with
short, it is hard to find a short
s.t.
.
s.t. 
, with 
short, it is hard to find a short 
s.t. 
. That is, in some shape or form, these assumptions posit that some variant of SIS or ISIS remains hard even if you hand out some short preimages of some specially selected targets. There’s quite some variety here: BASIS instead hands out a trapdoor for a bigger related matrix, one-more-ISIS allows the adversary to pick the targets but has tight norm constraints etc.
I’ve started to track these new assumptions in the SIS with Hints Zoo, with the hope of encouraging cryptanalysis, reductions and/or re-use of existing assumptions. That page has been up for a little while. I’m blogging about it now, because it now has a few “non-trivial” entries, that you might have missed and that illustrate well that cryptanalysis and reductions are fruitful endeavours here:
- Knowledge k-R-ISIS is false
- Knowledge (I’m good with words like that!) of this break has been circulating a while, but since the paper breaking it is finally out, it is time to amplify the message: The knowledge version of the k-R-ISIS assumption from https://eprint.iacr.org/2022/941 is (at least morally) false. It thus gets a “BROKEN” tag.
- Twin k-R-ISIS is no easier than k-R-ISIS
- In Appendix A of https://eprint.iacr.org/2023/1469 we show that if you can solve Twin k-R-ISIS you can also solve k-R-ISIS (under parameters etc). It thus gets an “EQUIVALENT” tag.
-PRISIS is hard
- under the M-SIS assumption and for degree
, as was shown in https://eprint.iacr.org/2023/846. That
is useful is established in https://eprint.iacr.org/2023/1469. It thus gets a “STANDARD” tag.
-PRISIS is hard
, as was shown in If your (favourite) assumption is missing or is misrepresented, please get in touch: PRs welcome, too.