SIS on Dillithium

Question

I was reading the Dillithium spec : https://pq-crystals.org/dilithium/data/dilithium-specification-round3-20210208.pdf#equation.6.13

And in the specification, they mention using LWE for key recovery and SIS for forgery. From my understanding, the difference between LWE and SIS is that SIS corresponds to a high-density setting, while LWE can be seen as a low-density SIS instance.

Given this, why does the SIS instance in Equation 13 of Section 6.2.1 look very similar to an LWE instance? Yet in the appendix, it is analyzed as a SIS problem rather than an LWE problem.

Let me know if you'd like me to clarify this further!

score 2 · Accepted Answer · answered Jan 14 '25 at 13:35

In learning with errors there is no constraint on the size of the secret vector $\mathbf s$ to be recovered (though in most cases of cryptopgraphic interest, it is small). The problem however is to recover the particular $\mathbf s$ used to construct the samples rather than any other possible solution that could have produced the samples within some likelihood.

In short integer solution the solution does is constrained in size, but there is no requirement to recover a particular solution (nor a priori a guarantee that a solution exists).

For Dilithium key recovery, there is a specific value (i.e. the actual secret key) that must be recovered (which is size constrained), making it a LWE instance. For forgery, any legitimate short integer solution will be accepted (though one may not exist) which is an SIS instance.

score 1 · Answer 2 · answered Jan 15 '25 at 17:30

1

if $z$ and $u'$ are short then you can write equation (13) as $$\begin{bmatrix} A & ||Id \end{bmatrix}\cdot\begin{bmatrix} z \\u' \end{bmatrix} = t'\mod q $$ which is an ISIS instance.

answered Jan 15 '25 at 17:30

Don Freecs

617
5
16

SIS on Dillithium

2 Answers2