
Journal of Information Security and Applications 58 (2021) 102782


A comprehensive review on collision-resistant hash functions on lattices


Nimish Mishra a, SK Hafizul Islam a,∗, Sherali Zeadally b
a Department of Computer Science and Engineering, Indian Institute of Information Technology Kalyani, West Bengal 741235, India
b College of Communication and Information, University of Kentucky, Lexington, KY, 40506, USA

ARTICLE INFO

Keywords: Closest vector problem; Hash function; Lattice; Shortest vector problem; Worst-case hardness assumption

ABSTRACT

Hash functions have always attracted a lot of attention in modern cryptography because of their hard-to-invert nature. However, the widely deployed constructions of cryptographic primitives whose security rests on integer factorization or discrete logarithms face the threat of being broken by recent advances in quantum technology. The focus has thus shifted to developing cryptographic primitives on mathematical structures such as lattices, for which no efficient quantum algorithms are known. We review the computational problems defined on lattices and their respective hardness, and discuss constructions of hash function families based on both integer and ideal lattices whose security depends on these computational problems. We provide a comparative analysis of the theoretical security and the concrete instantiations claimed by the different hash function families. Finally, we review the techniques used in the reductions for the security proofs of the different hash function families.

∗ Corresponding author.
E-mail addresses: neelam.nimish@gmail.com (N. Mishra), hafi786@gmail.com (S.H. Islam), szeadally@uky.edu (S. Zeadally).
https://doi.org/10.1016/j.jisa.2021.102782
Available online 11 February 2021
2214-2126/© 2021 Elsevier Ltd. All rights reserved.

1. Introduction

In the past few years, steady advances in quantum algorithms and quantum hardware have produced several quantum algorithms that exploit superposition, entanglement and other quantum phenomena to solve certain problems faster than any known classical algorithm; for integer factorization and discrete logarithms the speedup is exponential, which is what puts conventional public-key cryptography at risk. Therefore, several efforts have focused on the design of post-quantum cryptographic primitives, for instance on lattices, that remain secure against quantum attacks. The use of lattices as a base for constructing cryptographic primitives has received huge interest since the publication of Ajtai's seminal paper [1], which describes how to establish the security of lattice-based primitives.

Lattices have been studied extensively, and cryptographic primitives based on them are attractive for a variety of reasons. First, the core operation they require is matrix–vector multiplication modulo a small integer (the modulus fits in a processor register), which is cheaper than the group operations of conventional, pre-quantum cryptography. Second, no efficient algorithm is known that exactly solves the standard lattice problems, which is evidence of their hardness. Approximation algorithms do exist: the Lenstra–Lenstra–Lovász (LLL) algorithm [2] and its improved versions apply lattice reduction and achieve approximation factors exponential in the dimension while running in polynomial time. However, no polynomial-time algorithm is known that approximates these problems on high-rank lattices to within polynomial factors, which is what makes lattices so promising for cryptography. Lattice-based constructions, however, carry less algebraic structure than their number-theoretic counterparts. For instance, lattice-based hash functions have domains that are subsets of rings and are not closed under addition or multiplication, whereas number-theoretic hash functions have rings as domains. While this constrained structure prevents the adaptation of the quantum algorithms for integer factorization (IF) and discrete logarithm (DL) to lattices, it also makes lattice-based primitives harder to develop.

Ajtai's work [1] was the first step in basing the security of cryptographic primitives on the worst-case intractability of lattice problems. Theoretically, assuming worst-case hardness is safer than assuming average-case hardness: there is experimental evidence that algorithms sometimes perform better on certain random instances of a problem that is provably secure in the average case, so extreme caution is needed to rule out parameter choices that make the average-case construction tractable. Worst-case hardness assumes that every instance of the problem is intractable and is therefore the stronger guarantee. Thus, when Ajtai [1] gave a reduction from worst-case lattice problems to the average-case problem of breaking the cryptographic construction, interest from the research community increased.

We have entered an exciting phase where post-quantum cryptography is gaining increased attention from the research community which, in fact, mirrors the advances and predictions the quantum computing community places on large-scale quantum computers. The motivation is to migrate sensitive infrastructure from conventional cryptography to post-quantum cryptography. NIST's ongoing
post-quantum standardization procedure aims to bring people together to propose schemes and critically analyze others' constructions, hoping to reach consensus on secure post-quantum constructions. Although NIST requires its standards to be efficiently implementable on constrained devices such as Cortex microcontrollers, lattice-based cryptography still has a long way to go before being practical. Not all lattice-based primitives and constructions are efficient; problems include (but are not limited to) large key sizes, large communication costs (related to parameterization in general), the difficulty of sampling from the intended distribution, theoretical security proofs in the random oracle model (an idealization that does not hold in realistic settings), the question of whether parameterization weakens the security guarantee (i.e. whether constraining the scheme to a concrete set of parameters makes it easier to break than the theoretical security proofs claim), and so on. Additionally, cryptanalysis efforts on lattice-based primitives have been few so far and more attention is needed in this direction. For instance, the reader can find secure constructions among the NIST finalists [3]. However, some side-channel attacks have been proposed recently which shed doubt on the practicality of such schemes (in a few cases, electromagnetic emanation reveals a major portion of the secret key).

There is reason for hope though. Cryptography is a never-ending cycle of building better constructions in response to more advanced attacks and to the increasing use of constrained devices. Lattice-based schemes have shown promise on constrained devices and we argue that stronger and practical constructions will emerge in the future.

1.1. Motivation

Hash functions are one of the most basic cryptographic primitives and have always received widespread attention from the cryptographic community. Upon establishing the hardness of several lattice-based problems, the community quickly turned its attention to designing lattice-based primitives, hash functions being among the earliest designs to emerge.

We argue that we need a review of lattice-based hash functions for the following reasons. First, hash functions find application in many other cryptographic primitives such as digital signatures, public key encryption (PKE) schemes, key encapsulation mechanisms (KEMs), searchable encryption schemes, the Fujisaki–Okamoto transform (which converts a PKE/KEM that is secure under chosen-plaintext attack into one secure under the more powerful threat model of chosen-ciphertext attack), and so on. In such schemes, hash functions are used as sub-routines, and it is imperative to make them post-quantum too.

Second, the analysis of hash functions' theoretical security gives insight into a range of techniques which can be of independent interest to the reader. This is the main reason for the authors to focus on summarizing the core theoretical proofs while discussing the hash functions. Finally, another important motivation behind this work is to compare different lattice-based hash functions based on their approximation factors, the security assumption they rely on, the time taken, and the class of lattice used (which gives insight into the structure of the lattice and the storage the hash function needs to operate).

1.2. Objectives and research contributions

The main objectives of this review are:

• We review the core design principles used when constructing lattice-based hash functions. The design choices include the class of lattice used (general or cyclic), the hardness assumption used (i.e. which problem from Section 2.5 is used in the security reduction for the hash function), the choice of reduction proofs and the tightness of the reduction, collision resistance, and the time and space required to break the construction.
• We review the literature on recently developed algorithms aimed at solving or approximating (as the case may be) the lattice problems. This not only introduces the reader to the general techniques developed so far to solve such problems along with their time and space requirements, but also drives home the confidence in the hardness of lattice problems (which, even after much study, have not yielded time and space requirements below exponential for the approximation factors of interest to us).
• We compare different hash functions based on their theoretical and practical characteristics. It is our hope that this may help readers in choosing better designs for other cryptographic primitives.
• In this review, we focus solely on hash functions, thereby separating them from the other cryptographic primitives in which they usually occur (such as digital signatures), and view/compare them independently.

This work contributes the following:

• We study hash functions that are resistant to collisions and secure under worst-case assumptions.
• We review the literature on lattice-based hash functions and briefly discuss correctness, underlying hard problems, optimal parameter choices, weaknesses, and the reduction techniques applied.
• We provide a comparative analysis of the various hash functions and compare them based on their general security, the underlying hard problems and performance for concrete instantiations.

1.3. Organization

We organize the rest of the paper as follows. Section 2 briefly discusses the concept of lattices and computational problems on them. Section 3 discusses the literature on hash functions, with Sections 3.1 and 3.2 discussing constructions on integer and cyclic lattices respectively. Section 4 discusses some recent ideas on hash functions. Section 5 presents a comparative study of the hash functions described in the paper and their concrete instantiations in C++. Section 6 makes some concluding remarks.

2. Preliminaries

Here, we review different lattices and the computational problems on them. Table 1 presents the notations used in this paper.

Table 1
Notations used in the paper.

Notation      Description
ℕ / ℝ / ℤ     Set of natural numbers / real numbers / integers
R             Ring
L(𝐁)          Lattice of dimension n and rank m
𝐁             Basis matrix of L(𝐁)
ℝ^n           Euclidean space of dimension n
H             A hash function family
q             Security parameter (the modulus of the q-ary lattices of Section 2.2)
det(𝐀)        Determinant of the matrix 𝐀

2.1. Integer lattice

Integer lattices are discrete subsets of the n-dimensional Euclidean space ℝ^n. Formally, given m linearly independent vectors {𝐛_1, 𝐛_2, …, 𝐛_m} in ℝ^n arranged as the columns of a matrix 𝐁 = [𝐛_1, 𝐛_2, …, 𝐛_m] ∈ ℝ^{n×m}, the lattice L(𝐁) ⊆ ℝ^n is given by $L(\mathbf{B}) = \{\sum_{i=1}^{m} x_i \mathbf{b}_i : x_i \in \mathbb{Z}\}$, or equivalently $L(\mathbf{B}) = \{\mathbf{B}\mathbf{x} : \mathbf{x} \in \mathbb{Z}^{m}\}$ for the usual matrix–vector multiplication. The matrix 𝐁 is called a basis of the lattice. The underlying assumption is that 𝐁 has rational coordinates and can be converted to an integer


matrix by scaling with a suitable factor. Without loss of generality, integer matrices are thus considered as the basis matrices throughout the paper. The integers m and n are the rank and the dimension of the lattice, and if m = n the lattice is called full rank.

Definition 1 (Half-open Parallelepiped). Given a basis matrix 𝐁 ∈ ℤ^{n×m}, the half-open parallelepiped of the lattice L(𝐁) is $P(\mathbf{B}) = \{\mathbf{B}\mathbf{x} : 0 \le x_i < 1\}$.

P(𝐁) is the fundamental region of the lattice: its translates by the lattice points tile span(𝐁) without overlap, which is what gives the lattice its periodic structure.

Lemma 1. A matrix 𝐁 ∈ ℤ^{n×m} whose columns lie in a lattice L is a basis of L iff P(𝐁) contains no lattice point of L other than the origin.

Lattices are infinite, but their bases give a concise, finite description. An integer lattice can have several bases, each of which creates a different fundamental parallelepiped while generating the same set of discrete lattice points. Lattices and vector spaces share a common finite description, namely a basis, but differ in the way the linearly independent basis vectors are combined: vector spaces allow arbitrary (real) combinations of the basis vectors, whereas lattices allow only integral combinations, forcing a discrete structure. Every lattice basis is also a basis of the continuous vector space span(𝐁). The converse is not true in general: a basis of span(𝐁) need not generate the discrete, infinite lattice L(𝐁).

Definition 2 (Equivalent Bases). Two distinct bases 𝐁, 𝐁′ ∈ ℤ^{n×m} are equivalent (generate the same lattice) iff there exists a matrix 𝐔 ∈ ℤ^{m×m} with det(𝐔) = ±1 (𝐔 is termed unimodular) such that 𝐁′ = 𝐁𝐔. The elementary integral column operations that take 𝐁 to 𝐁′ are [4]:

• Swap two columns.
• Multiply a column by −1.
• Add an integer multiple of one column to another column (only integral scalars are allowed).

The determinant of L(𝐁) is the volume of P(𝐁) for any basis 𝐁; for a full-rank lattice it equals |det(𝐁)|, and in general $\det(L(\mathbf{B})) = \sqrt{\det(\mathbf{B}^{T}\mathbf{B})}$. Under a change to an equivalent basis only the shape of the half-open parallelepiped changes, not its volume (since det(𝐔) = ±1), so the determinant is invariant under change of basis. Geometrically, the determinant is the inverse of the density of lattice points.

Definition 3 (Norm). Given an n-dimensional vector 𝐱 = (x_1, x_2, …, x_n), the l_p norm for p ≥ 1 is $\|\mathbf{x}\|_p = (|x_1|^{p} + |x_2|^{p} + \cdots + |x_n|^{p})^{1/p}$. The value of p can be infinite; l_∞ is then the max-norm $\|\mathbf{x}\|_\infty = \max\{|x_1|, |x_2|, \ldots, |x_n|\}$.

Definition 4 (Open Ball). An n-dimensional open ball of radius r and center 𝐱 is $B(\mathbf{x}, r) = \{\mathbf{y} \in \mathbb{R}^{n} : \|\mathbf{x} - \mathbf{y}\| < r\}$.

Definition 5 (Successive Minima). The successive minima of a lattice L(𝐁) in the l_p norm, p ≥ 1, are $\lambda_i(L(\mathbf{B})) = \min\{r : \dim \mathrm{span}(L(\mathbf{B}) \cap B(\mathbf{0}, r)) \ge i\}$.

Informally, the ith successive minimum is the smallest radius r such that a ball of radius r centered at the origin contains at least i linearly independent lattice vectors. Several upper bounds on λ_i(L(𝐁)) can be expressed in terms of the determinant of the lattice; the best known is Minkowski's theorem.

Theorem 1 (Minkowski's Theorem). For any lattice L(𝐁) of rank n,
$\left(\prod_{i=1}^{n} \lambda_i(L(\mathbf{B}))\right)^{1/n} \le \sqrt{\gamma_n}\,\det(L(\mathbf{B}))^{1/n}$,
where γ_n is Hermite's constant, which satisfies γ_n ≤ n. Minkowski's theorem helps to upper bound λ_i(L(𝐁)). This provides a convenient mathematical tool to upper bound λ_1 and λ_n, which appear in computational problems such as SVP and SIVP (Section 2.5 provides more details).

2.2. q-ary lattices

Given an integer q, a lattice L ⊆ ℤ^n is q-ary if qℤ^n ⊆ L ⊆ ℤ^n. Every integer lattice is q-ary for some integer q (any multiple of its determinant works). There is a one-to-one correspondence between q-ary lattices of dimension n and subgroups of ℤ_q^n: whether a vector 𝐱 ∈ ℤ^n belongs to a q-ary lattice depends only on 𝐱 mod q.

Definition 6. Let 𝐀 ∈ ℤ_q^{n×m} be an integer matrix modulo q. The following q-ary lattices are defined:
$\Lambda_q^{\perp}(\mathbf{A}) = \{\mathbf{t} \in \mathbb{Z}^{m} : \mathbf{A}\mathbf{t} \equiv \mathbf{0} \pmod q\}$
$\Lambda_q(\mathbf{A}) = \{\mathbf{t} \in \mathbb{Z}^{m} : \mathbf{t} \equiv \mathbf{A}^{T}\mathbf{u} \pmod q \text{ for some } \mathbf{u} \in \mathbb{Z}^{n}\}$

The main advantage of q-ary lattices is that they allow cryptographic primitives to be based on the SIS and LWE problems, which are known to be at least as hard as conventional worst-case lattice problems. For instance, given the definitions of SIS and SVP (Section 2.5), SIS is exactly the problem of finding a short (norm at most β) non-zero vector in the q-ary lattice Λ_q^⊥(𝐀), i.e. a bounded-norm short vector problem on Λ_q^⊥(𝐀).

2.3. Dual lattice

Definition 7 (Dual Lattice). For a basis 𝐁 ∈ ℤ^{n×m} of the lattice L(𝐁), the dual lattice is $L^{*} = \{\mathbf{x} \in \mathrm{span}(\mathbf{B}) : \langle \mathbf{x}, \mathbf{y} \rangle \in \mathbb{Z}\ \ \forall\, \mathbf{y} \in L(\mathbf{B})\}$. Some identities on dual lattices:

• For a full-rank lattice a basis of the dual is $\mathbf{B}^{*} = (\mathbf{B}^{T})^{-1}$, i.e. the dual basis is obtained by inverting the transpose of the original basis.
• $\det(L^{*}) = 1/\det(L)$, because transposition leaves the determinant of the basis matrix unchanged and inversion takes its reciprocal.

Lemma 2. The lattice L(𝐁*) with basis $\mathbf{B}^{*} = \mathbf{B}(\mathbf{B}^{T}\mathbf{B})^{-1}$ is the dual of L(𝐁); for a full-rank lattice this reduces to $\mathbf{B}^{*} = \mathbf{B}^{-T}$.

The dual lattice is the lattice analogue of the dual space from the theory of vector spaces. By definition it is in general not a sublattice of L(𝐁); the dual of an integer lattice need not even have integer coordinates. Dual lattices manifest themselves in transference theorems linking fundamental lattice parameters. Building on det(L*) = 1/det(L), transference theorems connect, through an approximate inverse relation, the covering radius ρ(L) of a lattice (Definition 20) and the length λ_1(L*) of the shortest vector of its dual (Definition 11), for instance $1 \le 2\rho(L)\,\lambda_1(L^{*}) \le n$.

2.4. Cyclic and ideal lattices

Definition 8 (Rotation Shift Operation). For an arbitrary vector 𝐱 = (x_1, x_2, …, x_n) ∈ ℝ^n, the rotation shift operator 𝐑𝐨𝐭(𝐱) is defined as 𝐑𝐨𝐭(𝐱) = (x_n, x_1, x_2, …, x_{n−1}). Repeated application is written as a whole-number exponent on 𝐑𝐨𝐭, such as 𝐑𝐨𝐭^0(𝐱) = 𝐱, 𝐑𝐨𝐭^1(𝐱), or 𝐑𝐨𝐭^k(𝐱).

Definition 9 (Cyclic Lattice). The lattice L(𝐁) for a given basis 𝐁 ∈ ℤ^{n×m} is cyclic iff for every 𝐱 ∈ L(𝐁) and every positive integer k, 𝐑𝐨𝐭^k(𝐱) ∈ L(𝐁).

For the usual definitions of rings, isomorphisms and polynomials, ideal lattices are isomorphic to ideals in quotient polynomial rings ℤ[x]/⟨f(x)⟩ for a monic, irreducible f(x) ∈ ℤ[x]; cyclic lattices are the special case f(x) = x^n − 1, where 𝐑𝐨𝐭 corresponds to multiplication by x.


Definition 10 (Ideal Lattice). An ideal lattice L(𝐁) ⊆ ℤ^n is an integer lattice with basis 𝐁 ∈ ℤ^{n×m} such that L(𝐁) = {g(x) mod f(x) : g(x) ∈ I} for an ideal I of ℤ[x]/⟨f(x)⟩, where f(x) is a monic polynomial of degree n and each residue polynomial is identified with its coefficient vector in ℤ^n. The multivariate extension uses $\mathbb{Z}[x_1, x_2, \ldots, x_k]/\langle x_1^{r_1} - 1, x_2^{r_2} - 1, \ldots, x_k^{r_k} - 1\rangle$ with $r_1 \cdot r_2 \cdots r_k = n$.

For cryptographic primitives on general lattices it is worth noting the large storage requirement: every entry of the basis has to be stored. Cyclic lattices became popular because they drastically reduce this requirement: one stores just one column and computes the other columns through the operator of Definition 8. Cyclic lattices also have interesting properties. For instance, Peikert et al. [5] gave a tighter reduction from SIVP to SVP (Section 2.5 gives the exact formulation of these problems) on cyclic lattices than the earlier reductions on general lattices. We present the literature on hash functions built solely on cyclic lattices to introduce the reader to this special class of lattices.

2.5. Computational problems

Computational problems can be defined in a search, an optimization, or a decision version. The search version requires finding a solution among all possibilities, the optimization version requires a solution that optimizes a certain criterion, and the decision version requires a binary answer on whether a specified property is met. For the usual meaning of the complexity classes P and NP, reducing a problem A to a problem B means converting any instance of A into an instance of B whose solution yields a solution of the original instance. Given oracle access to B, A can thus be solved, so A is no harder than B. A polynomial-time reduction between decision problems A and B is a polynomial-time computable function f such that x ∈ A iff f(x) ∈ B.

Definition 11 (Minimum Distance). The minimum distance of a lattice L(𝐁) is $d_{min}(L) = \min_{\mathbf{v} \in L \setminus \{\mathbf{0}\}} \|\mathbf{v}\|$, which equals λ_1(L).

Definition 12 (Shortest Vector Problem (SVP)). For any lattice L(𝐁) with basis 𝐁 ∈ ℤ^{n×m}, SVP is to find a non-zero vector 𝐯 ∈ L(𝐁) with ‖𝐯‖ = d_min(L).

Definition 13 (Approximate SVP). For any lattice L(𝐁) with basis 𝐁 ∈ ℤ^{n×m} and an approximation factor γ ≥ 1, the approximate versions of SVP are:

• Search SVP_γ: find a non-zero vector 𝐯 ∈ L(𝐁) such that ‖𝐯‖_2 ≤ γ · λ_1(L(𝐁)).
• Optimization SVP_γ (OptSVP_γ): find d such that d ≤ λ_1(L(𝐁)) < γ · d.
• Decisional SVP_γ (GapSVP_γ): given a positive rational number r, decide whether λ_1(L(𝐁)) ≤ r or λ_1(L(𝐁)) > γ · r.

For approximation factors γ exponential in the lattice dimension n, polynomial-time algorithms such as LLL [2] exist; the hardness required by cryptography comes from small (polynomial) values of γ. A less accurate but faster variant of LLL using deep insertions was introduced by Schnorr et al. [6]. Moreover, the block Korkin–Zolotarev (BKZ) reduction algorithm proposed by Schnorr et al. [6] was improved by Chen et al. [7] and can be used efficiently to attack poorly instantiated schemes relying on the approximate version of SVP. The only downside of BKZ is that it requires an exact SVP solver in low dimension (the block size), which is easier than the problem given to BKZ but still exponential in the block size.

For exact SVP and small γ, where no polynomial-time algorithm is known, several exponential-time techniques have been developed. One of them is enumeration, due to Fincke et al. [8], where the lattice points inside a suitable ellipsoid around the origin are enumerated instead of the entire lattice. Kannan [9] uses a similar idea but introduces preprocessing that reduces the run-time to $2^{O(n \log_2 n)}$. Both Pohst et al. [10] and Fincke et al. [8] run in time $2^{O(n^2)}$ on a basis that has undergone LLL reduction. Although much better than naive SVP solvers, enumeration is highly inefficient in general and is inferior to the sieving methods first proposed by Ajtai et al. [11], which achieve a running time of $2^{O(n)}$ at the cost of exponential space, because sieving stores a list of lattice vectors whereas enumeration needs only space polynomial in the dimension. The sieve is applied iteratively to a pre-determined list of vectors and halts when the list contains vectors of length close to λ_1(L(𝐁)). Micciancio et al. [12] addressed the problem the other way round, starting from an empty list and adding vectors as the algorithm iterates. Pujol et al. [13] used the sieving methods described above to solve SVP in time $2^{2.465n + o(n)}$ and space $2^{1.233n + o(n)}$. Wang et al. [14] proposed a two-level sieve improving on the one-level sieve of Nguyen–Vidick [15] to achieve time and space complexity of $2^{0.3836n}$ and $2^{0.2557n}$, respectively. This two-level sieve was extended to a three-level sieve by Zhang et al. [16], which achieves time and space complexity $2^{0.3778n + o(n)}$ and $2^{0.2833n + o(n)}$, respectively. A slightly different approach was taken by Micciancio et al. [17], who addressed the problem through Voronoi cells (we delve deeper into the subject of Voronoi cells in Definition 26 and the discussion thereafter); however, their time ($O(2^{2n})$) and space ($O(2^{n})$) requirements are not acceptable. In contrast to all these approaches, the quantum search algorithm of Laarhoven et al. [18] provably finds a shortest vector in $2^{1.799n + o(n)}$ and heuristically finds an almost shortest vector in $2^{0.384n + o(n)}$. Aggarwal et al. [19] proposed a randomized algorithm for the discrete Gaussian sampling problem (sampling lattice vectors according to a Gaussian distribution centered at a lattice point with some standard deviation) which solves SVP in time and space $2^{n + o(n)}$.

For all the algorithms discussed so far, an efficient implementation is needed to keep the lower-order term o(n) in the exponent as small as possible. Other techniques such as parallelism [20,21] may also be employed to speed up implementations.

Definition 14 (Closest Vector Problem (CVP)). For any lattice L(𝐁) with basis 𝐁 ∈ ℤ^{n×m} and a target 𝐮 ∈ span(𝐁), CVP is to find 𝐯 ∈ L(𝐁) such that ‖𝐮 − 𝐯‖ = dist(𝐮, L(𝐁)).

Definition 15 (Approximate CVP). Given a lattice basis 𝐁 ∈ ℤ^{n×m}, a target vector 𝐭 ∈ ℝ^n, and an approximation factor γ, the approximate versions of CVP are:

• Search CVP_γ: find a vector 𝐯 ∈ L(𝐁) such that ‖𝐭 − 𝐯‖_2 ≤ γ · dist(𝐭, L(𝐁)), where dist(𝐭, L(𝐁)) is the distance of 𝐭 from L(𝐁).
• Optimization CVP_γ (OptCVP_γ): find d such that d ≤ dist(𝐭, L(𝐁)) < γ · d.
• Decisional CVP_γ (GapCVP_γ): given a positive rational number r, distinguish between dist(𝐭, L(𝐁)) ≤ r and dist(𝐭, L(𝐁)) > γ · r.

CVP is considered a hard problem for reasonable parameters, even when unbounded pre-processing of the lattice is allowed [22–24]. SVP was the first lattice problem to gain widespread attention; it is only natural that the community tried to adapt SVP algorithms to solving CVP. Sieving has been successful in solving SVP. Becker et al. [25] and Becker et al. [26] proposed heuristic algorithms to solve CVP in time $2^{0.3774n}$ and space $2^{0.2925n}$. Laarhoven et al. [27] improved upon previous work by proposing algorithms that address a single instance of CVP in time $2^{0.292n + o(n)}$ as well as multiple instances of CVP on the same lattice (albeit with more preprocessing). The main advantage of sieving is that it generates many more vectors than just the vector closest to a target, and this information can be reused for other instances on the same lattice. However, this costs memory, because a list of vectors has to be stored (as opposed to a single vector in enumeration methods).
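The two algorithms named most often in this section are easy to state but rarely shown end to end. The following is an added example (not code from the paper, and not a substitute for a real reduction library): a textbook LLL reduction for approximate SVP (Definitions 12 and 13) followed by Babai's nearest-plane rounding on the reduced basis for approximate CVP (Definitions 14 and 15), with a Gram-determinant check that the reduction is a unimodular change of basis (Definition 2 and the determinant invariance of Section 2.1). Lattice vectors are rows of `basis` here (the paper uses columns); the 3-dimensional basis and target are constructed.

```python
"""LLL reduction (approximate SVP) and Babai's nearest plane (approximate CVP).

Added example, not code from the paper. Exact arithmetic with fractions.Fraction
keeps the Gram-Schmidt data correct on small integer bases; the goal is to show the
mechanics behind Definitions 12-15, not to compete with a real solver.
"""
from fractions import Fraction
from typing import List, Tuple

Vec = List[Fraction]

def dot(u: Vec, v: Vec) -> Fraction:
    return sum((a * b for a, b in zip(u, v)), Fraction(0))

def gram_schmidt(B: List[Vec]) -> Tuple[List[Vec], List[List[Fraction]]]:
    """Orthogonalised vectors b*_i and coefficients mu[i][j] = <b_i, b*_j> / <b*_j, b*_j>."""
    n = len(B)
    Bs: List[Vec] = []
    mu = [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        v = list(B[i])
        for j in range(i):
            mu[i][j] = dot(B[i], Bs[j]) / dot(Bs[j], Bs[j])
            v = [vi - mu[i][j] * bj for vi, bj in zip(v, Bs[j])]
        Bs.append(v)
    return Bs, mu

def lll(basis: List[List[int]], delta: Fraction = Fraction(3, 4)) -> List[List[int]]:
    """Textbook LLL [2] with Lovasz parameter delta (1/4 < delta < 1). The output is an
    equivalent basis (unimodular change of basis) that is size-reduced (|mu_ij| <= 1/2)
    and satisfies the Lovasz condition, so for delta = 3/4 its first vector is within a
    factor 2^{(n-1)/2} of lambda_1 (an exponential approximation factor, as in the text)."""
    B = [[Fraction(x) for x in row] for row in basis]
    n = len(B)
    Bs, mu = gram_schmidt(B)
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):                 # size-reduce b_k against b_j
            q = round(mu[k][j])                          # nearest integer (Fraction -> int)
            if q:
                B[k] = [bk - q * bj for bk, bj in zip(B[k], B[j])]
                Bs, mu = gram_schmidt(B)
        if dot(Bs[k], Bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(Bs[k - 1], Bs[k - 1]):
            k += 1                                       # Lovasz condition holds
        else:
            B[k], B[k - 1] = B[k - 1], B[k]              # swap and step back
            Bs, mu = gram_schmidt(B)
            k = max(k - 1, 1)
    return [[int(x) for x in row] for row in B]

def babai_nearest_plane(reduced: List[List[int]], target: List[int]) -> List[int]:
    """Babai's nearest-plane algorithm on an LLL-reduced basis: from the last basis vector
    down, round the target onto the nearest translate of span(b_1..b_{i-1}). Returns a
    lattice vector whose distance to the target is within an exponential factor of
    dist(t, L) (approximate search CVP)."""
    B = [[Fraction(x) for x in row] for row in reduced]
    Bs, _ = gram_schmidt(B)
    t = [Fraction(x) for x in target]
    v = [Fraction(0)] * len(t)
    for i in range(len(B) - 1, -1, -1):
        c = round(dot(t, Bs[i]) / dot(Bs[i], Bs[i]))
        t = [ti - c * bi for ti, bi in zip(t, B[i])]
        v = [vi + c * bi for vi, bi in zip(v, B[i])]
    return [int(x) for x in v]

def gram_det(basis: List[List[int]]) -> Fraction:
    """Determinant of the Gram matrix (<b_i, b_j>)_ij = det(L)^2, the squared volume of
    P(B). Equivalent bases give the same value, a cheap check that a reduction kept the
    lattice intact."""
    B = [[Fraction(x) for x in row] for row in basis]
    G = [[dot(u, v) for v in B] for u in B]
    n, d = len(G), Fraction(1)
    for i in range(n):                                   # Gaussian elimination
        p = next((r for r in range(i, n) if G[r][i] != 0), None)
        if p is None:
            return Fraction(0)
        if p != i:
            G[i], G[p], d = G[p], G[i], -d
        d *= G[i][i]
        for r in range(i + 1, n):
            f = G[r][i] / G[i][i]
            G[r] = [a - f * b for a, b in zip(G[r], G[i])]
    return d

def dist_sq(u: List[int], v: List[int]) -> int:
    return sum((a - b) ** 2 for a, b in zip(u, v))

if __name__ == "__main__":
    basis = [[1, 1, 1], [-1, 0, 2], [3, 5, 6]]           # constructed 3-dimensional basis
    red = lll(basis)                                     # [[0, 1, 0], [1, 0, 1], [-1, 0, 2]]
    print("LLL-reduced rows:", red, "det^2 preserved:", gram_det(basis) == gram_det(red))
    t = [1, 7, 5]                                        # constructed target vector
    print("Babai closest vector:", babai_nearest_plane(red, t))
```

Note that Babai's output is only guaranteed to be close, not closest: on this toy basis it returns a lattice vector at distance 1 from the target, which happens to be optimal, but in high dimension the gap to dist(𝐭, L) can grow exponentially, which is why the exponential-time enumeration and sieving methods above are needed for exact CVP.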


In a different vein, the idea of Voronoi cells proposed by Micciancio • Search CRP𝛾 ): No known problem formulation whose solution is
et al. [28] can be applied in this context to achieve a O(22𝑛 )-time verifiable in polynomial time [33].
and O(2𝑛 )-space algorithm for solving approximate CVP. Doulgerakis • Decisional CRP𝛾 (GapCRP𝛾 ): Given additionally a positive ratio-
et al. [29] also use Voronoi cells with some more applications as nal number 𝑟, distinguish between 𝜌(L(𝐁)) ≤𝑟 and 𝜌(L(𝐁)) > 𝛾⋅𝑟
compared to faster enumeration solvers, when dealing with several where 𝜌 is the covering radius.
instances of CVP from the same lattice. Aggarwal et al. [30] provided
a 2𝑛+O(𝑛) algorithm to solve the exact version of CVP by devising To date, CRP has not received widespread attention with respect
solutions for discrete Gaussian sampling and then adapting them for to constructing algorithms to solve it. Guruswami et al. [34] pro-
CVP (a similar idea as in Aggarwal et al. [19]). As an intermediate posed a probabilistic polynomial time algorithm for GapCRP𝛾 for 𝛾 =
result, they also provide a 2𝑛+O(𝑛) approximation algorithm with an 2O(𝑛log2 log2 𝑛∕log2 𝑛) and a deterministic polynomial time algorithm for
𝛾 = 2O(𝑛(log2 log2 log2 𝑛) ∕log2 𝑛) . The abysmal approximation factors
1 2
approximation factor 𝛾 = 1 + . Some of the recently devel-
2O(𝑛log2 𝑛)
obtained has increased interests in this problem.
oped solutions solving CVP on specific problems are described now.
McCormick et al. [31] proposed a polynomial time algorithm to solve
Definition 22 (Approximate Unique Shortest Vector Problem (u-SVP)).
CVP in specialized lattices whose Voronoi cells are projections of a
Given a basis matrix 𝐁 of L(𝐁), the promise that 𝜆2 (𝐁) > 𝛾 ⋅𝜆1 (𝐁), and an
regular cube. Blomqvist et al. [32] extended the classic Babai’s nearest
approximation factor 𝛾, approximate search version of 𝑢-SVP is given
plane algorithm to develop a double-plane algorithm that performs well
if a good quality lattice is provided as input. as:

• Search u-SVP𝛾 : Find a non-zero vector 𝐯 ∈ L(𝐁) such that ‖𝐯‖2 ≤


Definition 16 (Shortest Independent Vectors Problem (SIVP)). For a 𝛾 ⋅ 𝜆1 (𝐁)
lattice L(𝐁) of dimension 𝑛 with basis 𝐁 = [𝐛𝟏 , 𝐛𝟐 , 𝐛𝟑 , ⋯, 𝐛𝐦 ], SIVP is
to find 𝑛 linearly independent vectors 𝐯1 , 𝐯2 , ⋯, 𝐯𝑛 so that 𝐌𝐚𝐱‖𝐯𝑖 ‖ ≤ Definition 23 (Approximate Guaranteed Distance Decoding Problem
𝐌𝐚𝐱𝐁 ‖𝐛𝑖 ‖.
(GDD)). Given a basis matrix 𝐁 of L(𝐁), a target vector 𝐭 ∈ 𝐬𝐩𝐚𝐧(𝐁),
and an approximation factor 𝛾, approximate search version of GDD is
Definition 17 (Approximate SIVP). Given a lattice basis 𝐁 ∈ Z𝑛×𝑚
𝑞 , and given as:
an approximation factor 𝛾, approximate versions of SIVP are given as:
• Search GDD𝛾 : Find a vector 𝐯 ∈ L(𝐁) such that dist(𝐭, 𝐯) ≤
• Search SIVP𝛾 (SIVP𝛾 ): Find 𝑛 linearly independent vectors 𝐯1 , 𝐯2 ,
𝛾 ⋅ 𝜌(L(𝐁)), where 𝜌 is the covering radius ofL(𝐁).
… , 𝐯𝑛 ∈ L(𝐁) of length 𝐌𝐚𝐱‖𝐯𝑖 ‖2 ≤ 𝛾 ⋅ 𝜆𝑛 (L(𝐁)).
• Optimization SIVP𝛾 (OptSIVP𝛾 ): Find 𝑑 such that 𝑑 ≤ 𝜆𝑛 ⋅ Micciancio et al. [35] proposed a trivial combination of LLL-basis
(L(𝐁)) < 𝛾⋅𝑑. reduction [2] and nearest-plane algorithm [33] to yield a solution

• Decisional SIVP𝛾 (GapSIVP𝛾 ): Given additionally a positive ra- to GDD for approximation factors 𝑛2𝑛 . The techniques proposed in
tional number $r$, distinguish between $\lambda_n(L(\mathbf{B})) \le r$ or $\lambda_n(L(\mathbf{B})) > \gamma \cdot r$.

SIVP can be solved through the LLL algorithm [2] by reducing any arbitrary basis $\mathbf{B}$ to an LLL-reduced basis that satisfies $\|\mathbf{B}\| \le \gamma\,\lambda_n(L(\mathbf{B}))$ for $\gamma = 2^n$. No polynomial time algorithm exists that solves SIVP to within $n^{O(1)}$ factors.

Definition 18 (Short Integer Solutions Problem (SIS)). Given a lattice basis $\mathbf{B} \in \mathbb{Z}_q^{n \times m}$ and a constant $\beta$, the SIS problem is to find a non-zero vector $\mathbf{x} \in \mathbb{Z}_q^m$ with $\|\mathbf{x}\| \le \beta$ and $\mathbf{B}\mathbf{x} = \mathbf{0} \pmod{q}$.

Definition 19 (Inhomogeneous Short Integer Solutions Problem (ISIS)). Given a lattice basis $\mathbf{B} \in \mathbb{Z}_q^{n \times m}$, a vector $\mathbf{y} \in \mathbb{Z}_q^n$, and a constant $\beta$, the ISIS problem is to find a non-zero vector $\mathbf{x} \in \mathbb{Z}_q^m$ with $\|\mathbf{x}\| \le \beta$ and $\mathbf{B}\mathbf{x} = \mathbf{y} \pmod{q}$.

The hardness of the SIS problem depends upon the constant $\beta$: if $\beta$ is too small, the problem would be intractable; if $\beta$ is too large, the problem is trivial. For appropriate parameters, the SIS problem has an average-case to worst-case reduction to the standard lattice problems described above. This makes SIS an interesting problem on which to base a cryptographic primitive's security. The ISIS problem can be thought of as a coset version of the SIS problem, and has similar hardness proofs. No known algorithm can tractably solve the SIS and ISIS problems yet.

Definition 20 (Covering Radius). The covering radius in the $l_p$ norm of a full-rank lattice $L(\mathbf{B}) \subset \mathbb{R}^n$ is defined as
$$\rho(L(\mathbf{B})) = \max_{\mathbf{x} \in \mathbb{R}^n} \mathrm{dist}(\mathbf{x}, L(\mathbf{B})).$$

Definition 21 (Approximate Covering Radius Problem). Given a lattice basis $\mathbf{B}$, and an approximation factor $\gamma$, approximate versions of CRP are given as:

[11,36] can achieve better approximation factors: $2^{O(n \log_2 \log_2 n / \log_2 n)}$ for GDD.

Several years of research have strengthened the belief that achieving polynomial approximation factors $\gamma$ with polynomial time algorithms is intractable, allowing these problems to be the basis of security of various lattice-based cryptographic primitives.

Definition 24 (Negligible Function). A function $\epsilon(k) : \mathbb{N} \to \mathbb{R}$ is said to be negligible if, for every integer $v > 0$, there exists an integer $u$ such that $\epsilon(k) \le 1/k^v$ holds for all $k \ge u$.

3. Discussion on collision-free hash function

Theoretically, breaking cryptographic schemes is not intractable for an adversary with unlimited computational capacity. Practically, however, all adversaries are limited by the computational capacity they have. A cryptographic scheme is considered secure if an adversary cannot break it efficiently.

Definition 25 (Collision-free Hash Function (CRHF)). A CRHF $h(\cdot)$ is a keyed function $h : \{0,1\}^a \to \{0,1\}^b$ satisfying:

(1) Compression: $a > b$.

(2) Collision resistance: for any value of the security parameter $n \in \mathbb{N}$, there exists a negligible function $\epsilon(n)$ such that
$$\Pr[x, y \leftarrow_R \{0,1\}^a : x \ne y \text{ and } h(x) = h(y)] \le \epsilon(n),$$
where $x \leftarrow_R \{0,1\}^a$ represents uniformly random sampling.

Concretely, the collision resistance property is required on the family $\mathcal{H}$ so that a non-uniform adversary $\mathcal{A}$ cannot efficiently find collisions for some $h \in \mathcal{H}$.

N. Mishra et al. Journal of Information Security and Applications 58 (2021) 102782

3.1. Collision-free hash functions proposed by [37] and associated improvements

The first breakthrough in constructing lattice-based primitives was Ajtai's seminal work [1,38], which used the $n^c$-approximate SVP (for $c > 0$) to propose one-way functions. Inverting such a function with non-negligible probability means solving any instance of approximate SVP. Goldreich et al. [37] modified Ajtai's proposal [1] to construct two similar hash function families based on modular linear equations. To reduce from the average case to problems in the worst case, a sampling procedure is adopted wherein a large space is considered and divided into sub-regions ensuring an almost uniform distribution of lattice points, such that sampling from such sub-regions yields useful short vectors while being almost uniformly distributed over the concerned group, usually $\mathbb{Z}_q^n$.

Given security parameter $n$, a uniformly random matrix $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$ is chosen, where $m$ and $n$ are such that $n \log_2 q < m < q/(2n^4)$ and $q = O(n^c)$ for $c > 0$ (for instance, $m = O(n^2)$, $q = O(n^7)$). The hash function family $h_{\mathbf{A}} : \{0,1\}^m \to \mathbb{Z}_q^n$ is defined for a binary message $\mathbf{x} = (x_1, x_2, \dots, x_m) \in \{0,1\}^m$ as $h_{\mathbf{A}}(\mathbf{x}) = \mathbf{A}\mathbf{x} \pmod q$. Since $m > n \log_2 q$, collisions exist in $h_{\mathbf{A}}$. To find collisions for distinct inputs, say $\mathbf{a}$ and $\mathbf{b}$ so that $\mathbf{x} = \mathbf{a} - \mathbf{b}$, Ajtai considered $\{\mathbf{x} \in \mathbb{Z}_q^m : \|\mathbf{x}\|_2 < n;\ \mathbf{A}\mathbf{x} \equiv \mathbf{0} \pmod q\}$. However, Goldreich et al. [37] consider $\mathbf{x}$ to be strictly from $\{-1, 0, 1\}^m$, a harder constraint on the length of the vector, which is now $O(\sqrt{m})$. Goldreich et al. [37] also define another construction $h_{\mathbf{A},\mathbf{r}}(\mathbf{x}) = \mathbf{A}\mathbf{x} + \mathbf{r}$ for some random $\mathbf{r} \in \mathbb{Z}_q^n$. This ensures $h_{\mathbf{A},\mathbf{r}}$ is universal: any two images are spread uniformly over the range in a pairwise independent manner. Both constructions in Goldreich et al. [37] are collision resistant due to the constraint on the size of the input vector.

Remark. The constant $c$ in Ajtai [1] and Goldreich et al. [37] was tightened further in Cai et al. [39] and Cai et al. [40], reducing $c > 8$ to $c = 4 + \epsilon$. Micciancio [41] tightened the bound further, with hardness still based on $n^c$-approximate SVP, reducing the approximation factor to $O(\tau n^3 \log_2 n)$ with $\tau \in [1, \sqrt{n}]$, or roughly to a factor of $3 + \epsilon$ ($\tau$ is the ratio of the CR to the PR of the lattice, where CR = covering radius and PR = packing radius). This improvement is based on the covering radius problem (Definition 21) and the reductions that follow therein. CRP is conjectured to be $\Pi_2$-hard [28]. Concretely, for the security parameter $n$, CRP can be approximated by a deterministic polynomial-time algorithm for approximation factor $\log_2 n$ but not for $\Omega(\log_2 \log_2 n)$ unless there exist simulations of NP in deterministic $n^{O(\log_2 \log_2 \log_2 n)}$ time [34]. CRP is probably harder than SVP and other well-studied lattice-based problems, and a construction based on CRP can be considered secure.

Micciancio [41] considers the output of a hash function $h_{\mathbf{A}}(\mathbf{x})$ to be in $\mathbb{Z}_q^n$ for some integer $q$. This is a finite abelian group equivalent to the quotient group $\mathbb{Z}^n / q\mathbb{Z}^n$. $q\mathbb{Z}^n$ is naturally partitioned into $q^n$ hypercubes, each hypercube corresponding to some element in $\mathbb{Z}^n / q\mathbb{Z}^n$ and thus to some element in $\mathbb{Z}_q^n$. Consider a lattice $L(\mathbf{B})$ and let each hypercube of $q\mathbb{Z}^n$ contain roughly the same number of lattice points. The idea is to connect the hardness of estimating the number of points in each hypercube with the intractability of finding collisions in the hash function. The main improvement in the approximation factor in Micciancio's work [41] comes from replacing the hypercubes with Voronoi cells. For the lattices considered in [41], Voronoi cells are almost spherical, thereby giving an efficient partition of space.

Definition 26 (Voronoi Cell). A Voronoi cell for a lattice point $\mathbf{x} \in L(\mathbf{B})$ is given as $V(\mathbf{x}, L) = \{\mathbf{z} \in \mathrm{span}(L) : \forall \mathbf{y} \in L(\mathbf{B}),\ \|\mathbf{z} - \mathbf{x}\|_2 \le \|\mathbf{z} - \mathbf{y}\|_2\}$. The main property of Voronoi cells is
$$\text{sphere of radius } \tfrac{\lambda_1}{2} \subset V(\mathbf{x}, L) \subset \text{sphere of radius } \rho,$$
where $\rho$ and $\lambda_1/2$ are the covering radius and packing radius of $L(\mathbf{B})$, respectively, for the usual definition of $\lambda_1$ (see Definition 13). When $\tau$ is balanced, the packing and covering radii are almost equal, implying the $V(\mathbf{x}, L)$ are almost spherical. To construct the hash function, for an arbitrary lattice $\mathbf{A}$ and a scaling factor $\alpha$, a sub-lattice $L(\mathbf{M}) \subset \mathbf{A}$ is given as $\mathbf{M} = \alpha\rho(\mathbf{A})\mathbf{I} + \mathbf{R}$, with $\mathbf{I}$ the identity matrix and $\mathbf{R}$ a random matrix such that the lengths of the columns of $\mathbf{R}$ are upper-bounded by $\rho(\mathbf{A})$, i.e., lattice points in $L(\mathbf{M})$ are within distance $\rho(\mathbf{A})$ of lattice points in $\mathbf{A}$. Then a finite abelian group $G = \mathbf{A}/L(\mathbf{M})$ is defined, with its elements represented in $\log_2 |G|$ bits. The hash function is then given as $h_{\mathbf{a}} : \{0,1\}^m \to G$,
$$h_{\mathbf{a}}(\mathbf{x}) = \sum_{i=1}^{m} a_i x_i,$$
for an input binary string $\mathbf{x}$ of length $m$ and key $\mathbf{a} \in G^m$. The following relation holds: $\log_2 |G| < n(\log_2 n + \log_2 \alpha)$, and collisions exist for $m > \log_2 |G|$. For the parameter $\alpha$ chosen asymptotically similar to $n$, $n(\log_2 n + \log_2 \alpha)$ reduces to $O(n \log_2 n)$ and gives an upper bound for $|G|$. Finally, the hardness of finding collisions for any uniformly random key $\mathbf{a}$ from $G^m$ is connected to the hardness of approximating the covering radius of any lattice up to factors of $\gamma$, thereby establishing security.

Remark. Micciancio and Regev [42] further reduced the approximation factors to linear in $n$ using Gaussian measures and improved on the assumptions in Regev's work [43], where the hardness is based on unique-SVP, which is, for small approximation factors, not known to be NP-hard. Micciancio and Regev's work [42] is important in many ways: connecting the hardness of hash functions with the worst-case hardness of CRP, SIVP, and SVP for approximation factors up to $\tilde{O}(n)$, introducing a general procedure for reductions, and introducing Gaussian techniques that help in reductions among lattice problems. These may be of independent interest to the reader.

Micciancio and Regev [42] give the hash function $h_{\mathbf{a}}$ such that $h_{\mathbf{a}}(\mathbf{x}) = \mathbf{A}\mathbf{x} \bmod q$ for $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$, $\mathbf{x} \in \{0,1\}^m$, $q = n^{O(1)}$ and $m > n \log_2 q$ for collisions to exist. For distinct input vectors $\mathbf{a}$ and $\mathbf{b}$, the existence of a collision implies $\mathbf{A}\mathbf{a} - \mathbf{A}\mathbf{b} \equiv \mathbf{0} \pmod q$, i.e., $\mathbf{A}\mathbf{z} \equiv \mathbf{0} \pmod q$ with $\mathbf{z} \ne \mathbf{0}$ and $\|\mathbf{z}\|_\infty = 1$ because the input domain is $\{0,1\}^m$. Finding collisions is thus reduced to finding short integer solutions to the homogeneous equation, which is intractable in polynomial time. The requirement in the entire setup is that $\mathbf{A}$ must be uniformly random from $\mathbb{Z}_q^{n \times m}$. Micciancio and Regev's work [42] is also interesting for its general take on approaches to worst-case to average-case reductions. Almost all the previous works [1,37,39,43,44] follow a similar approach, abstracted here. The outputs of the hash function are usually in $\mathbb{Z}_q^n$. The idea is to search for a sampling procedure, running in time polynomial in the size of the problem, that samples group elements and offset vectors (the offset vector does not need to be in the lattice defined). If this offset vector (compare with $\mathbf{z} = \mathbf{a} - \mathbf{b}$) is the solution of the homogeneous modular linear equation, it implies that the offset vector maps to an actual lattice point. Depending on the norm of the sampled vector (compare with the norms of $\mathbf{a}$ and $\mathbf{b}$), the offset vector can be considered short, implying it maps to a short vector in the lattice.

The difference between works is the sampling procedure. As opposed to [1,37,39,43,44] (described in the previous paragraph), Micciancio and Regev [42] described a method of dividing a large hypercube into smaller hypercubes such that each hypercube corresponds to some element of $\mathbb{Z}_q^n$. For every sample from $L(\mathbf{B}) \cap q\mathbb{Z}^n$, there is a corresponding smaller hypercube $C$ wherein that sample lies and an offset vector corresponding to the center of $C$. Hypercube $C$ is small enough that the offset vectors are small, and large enough that an almost equal number of lattice points in $L(\mathbf{B})$ lie in each of the smaller hypercubes, ensuring a uniformly random distribution over $\mathbb{Z}_q^n$. The reader is also referred to Micciancio's work [41] for a similar sampling procedure wherein Voronoi cells are considered instead of smaller hypercubes, and the lattice $L(\mathbf{B})$ is chosen such that the cells are almost spherical, ensuring tighter packing (and thus even shorter offset vectors), better approximation factors and improved security. The sampling procedure from [42] is primarily responsible for the efficient approximation factors: [42] takes a random lattice point and a random


Gaussian vector and reduces the noise vector modulo the basis such that a uniform distribution is obtained over the fundamental parallelepiped. This fundamental parallelepiped is divided into $q^n$ sub-regions corresponding to the group elements in $\mathbb{Z}_q^n$; the reduced noise vector then induces an almost uniform distribution over $\mathbb{Z}_q^n$. Such addition of Gaussian blur to smooth a discrete lattice into an (almost) uniform distribution is also seen in Regev [43].

Regev [43] considers the $n^c$-uSVP problem (Definition 22) and introduces the idea of Fourier analysis in lattice-based constructions. Earlier indirect applications of Fourier analysis were through transference theorems in Cai et al. [40]. The hash function family considered in Regev's work [43] is the modular subset sum function, also appearing independently in Impagliazzo's work [45] involving an average-case to average-case reduction. The modular subset sum problem is a specialized version of the subset sum problem with the constraint that the subset sum is taken modulo some positive integer. It was noted in [1] that results on hash functions based on random lattices can be extended to modular subset sum functions, thus connecting Regev's work [43] with past constructions of hash functions. The proposal from Regev [43] requires a series of four reductions from the $O(n^{1.5})$-uSVP lattice problem to the problem of distinguishing two distributions (the uniform distribution and a special distribution concentrated around integral multiples of $1/h$, where $h$ is large and unknown and functionally related to the shortest vector in the lattice). The main reduction involves four reductions and contains ideas about making the lattice sparse without losing the shortest vector, and using this sparse lattice to ensure that if there exists a short vector of length $1/n$, then all vectors non-parallel to this short vector are of length at least $n^{1.5}/n = \sqrt{n}$. The third step uses an idea of Ajtai et al. [46] (based on a lemma from Banaszczyk [47]) that combines a random lattice point from the dual lattice with a Gaussian of radius $n$ to produce two $n$-dimensional distributions: the uniform and the specialized distributions. The last reduction transforms these distributions to one-dimensional distributions and completes the initial distinguishability problem described. Here, $n$-dimensional distributions are random vectors whose $n$ components are random variables. An algorithm able to distinguish between these distributions for a non-negligible fraction of values of $h$ can distinguish them for all values of $h$, thereby making the proofs simpler.

Hash functions on the modular subset sum problem are formulated as
$$f(\mathbf{b}) = \sum_{i=1}^{m} b_i a_i \bmod N,$$
where $\mathbf{b}$ denotes the binary vector to be hashed ($b_i \in \{0,1\}$ for $i = 1, 2, 3, \dots, m$), $m = O(\log_2 N)$, and $a_i$ denotes the components of the key used. A collision finding algorithm needs to search, with non-negligible probability, for a non-zero vector $\mathbf{d}$ such that $\|\mathbf{d}\|_2 \le \sqrt{m}$ (a sufficiently short vector) and $\sum_{i=1}^{m} d_i a_i \equiv 0 \pmod N$. This algorithm then has a solution to $n^c$-uSVP.

3.2. Collision-free hash function on cyclic and ideal lattices

For schemes on integer lattices, while the representation of hash function parameters is feasible with current memory constraints, the size of the key is a major bottleneck: the key $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$ is such that when $n$ grows, $m$ also increases. By imposing special structures on the lattice used, efficient schemes could be designed, for instance by not choosing the key $\mathbf{A}$ at random but with a special cyclic structure. The key would contain $m/n$ blocks $\mathbf{A}_i \in \mathbb{Z}_q^{n \times n}$ that are circulant. Two improvements follow: reduced storage size, since only the first column needs to be stored (the remaining columns are simply cyclic permutations of the first column), and the running time of the matrix–vector product is reduced to asymptotically linear time (the Fast Fourier Transform (FFT) is applicable due to the cyclic structure). However, this structure invalidates the proofs of security established by Cai et al. [39], Micciancio [41] and Micciancio et al. [42], because they assume a uniform distribution of the key $\mathbf{A}$ over $\mathbb{Z}_q^{n \times m}$. One proof of security was given by Micciancio [35], who showed the average-case hardness of inverting hash functions built on the circulant property, but only for a few classes of lattices. Finding collisions, however, was not difficult [5,48]. In a way, these results demonstrate the importance of concrete theoretical security proofs for collision resistance whenever modifications are made. Collision resistance was addressed by Lyubashevsky et al. [48] and Peikert et al. [5]. Both works consider collision-resistant hash function families built on the generalized knapsack function on ideal lattices; Lyubashevsky et al. [48] take a more generalized approach than Peikert et al. [5] in that they consider general monic polynomials in the definition of the ideals, instead of the specific polynomial $(\alpha^n - 1)$ taken in the latter. This improves upon the scheme in Peikert et al. [5] because some choices of the polynomial other than $(\alpha^n - 1)$ lead to better hash function families. The security assumption is the lack of polynomial-time algorithms to attack lattice problems on ideal lattices, partly motivated by the fact that algorithms attacking lattice problems have been unable to take advantage of the cyclic structure of lattices. Generalized knapsack functions have attacks described in [49–51], but these attacks are useless against knapsacks based on ideal lattices. The collision-resistant hash family $\mathcal{H}(R, D, m)$ from message domain $D^m$ to output domain $R$ is defined for $R = \mathbb{Z}_p[\alpha]/\langle f \rangle$, where $\alpha$ is the variable, $D = \{g \in R : \|g\|_f \le d\}$ for some positive integer $d$, $\|g\|_f$ is the polynomial modulo norm [48], and $m$ is the rank of the lattice. The conditions for collision resistance need $f$ to be irreducible over the polynomial ring and a certain ratio called the expansion factor to be as low as possible.

Lyubashevsky and Micciancio [48] define the problem called the approximate shortest polynomial problem to establish the hardness of their hash function family. The infinity norm of a set $S$ is given as $\lambda_1^\infty(S) = \min\{\|\mathbf{x}\|_\infty : \mathbf{x} \in S\}$. Given a monic polynomial $f$ of degree $n$ and an ideal $I \subseteq \mathbb{Z}[\alpha]/\langle f \rangle$, the problem is to find a non-zero $g \in I$ such that $\|g\|_f \le \gamma\,\lambda_1^\infty(I)$ for some approximation factor $\gamma$. Lyubashevsky et al. [48] provide a proof of polynomial-time reduction from this problem to finding collisions, thereby establishing security. The hash function is given as
$$h_{\mathbf{a}}(\mathbf{b}) = \sum_{i=1}^{m} a_i b_i$$
for key $\mathbf{a} \in R^m$ and input $\mathbf{b} \in D^m$, where $h$ is uniformly random from $\mathcal{H}$. Collisions are inevitable for $m > \log_2 p / \log_2 2d$, since $|D^m| = (2d+1)^{nm}$ and $p$ is such that $|R| = p^n$. The size of the key is $O(n \log_2 n)$ and hashing of the message is done in $O(n \log_2 n \log_2 \log_2 n)$.

The work in Peikert et al. [5] assumes a stronger worst-case assumption than Micciancio [35] about the hardness of SVP in cyclic lattices for all sufficiently large prime dimensions. Peikert et al. [5] formulate the proof using a chain of reductions, thereby introducing several interesting generalized problems. Since cyclic lattices are isomorphic to ideals in $\mathbb{Z}[\alpha]/(\alpha^n - 1)$, $(\alpha^n - 1)$ can be represented in terms of the product of cyclotomic polynomials. A cyclotomic polynomial $\Phi_k(\alpha)$ is the minimal polynomial of the $k$th primitive root of unity $\zeta$,
$$\Phi_k(\alpha) = \prod_{j \in [1,k];\ \gcd(j,k) = 1} (\alpha - \zeta^j),$$
such that the $\Phi_k(\alpha)$ are irreducible over $\mathbb{Z}[\alpha]$ and $(\alpha^n - 1)$ can be represented as their product. For any vector $\mathbf{x}$ belonging to a field $F$, $x(\alpha) \in F[\alpha]$ is the polynomial in $\alpha$ whose coefficients are the components of $\mathbf{x}$. Then, the cyclotomic subspace $H_\Phi$ is defined as the linear subspace of $\mathbb{R}^n$: $H_\Phi = \{\mathbf{x} \in \mathbb{R}^n : \Phi(\alpha) \text{ divides } x(\alpha) \text{ over } \mathbb{R}[\alpha]\}$, where $\Phi(\alpha)$ is the product of $\Phi_k(\alpha)$ for some values of $k$. It is not necessary that $\Phi(\alpha) = (\alpha^n - 1)$. The cyclotomic versions of problems on cyclic lattices are subSIVP and subSVP. Both of these problems require the lattice basis $\mathbf{B}$ to be full rank and the polynomial $\Phi(\alpha)$ to be not equal to $(\alpha^n - 1)$ but dividing the latter. Given these conditions, subSIVP asks for a set of vectors $S$ such that $\|S\| \le \gamma(n) \cdot \zeta(D)$ and subSVP asks for a single vector $\mathbf{m}$ such that $\|\mathbf{m}\| \le \gamma(n) \cdot \zeta(D)$. Here $D$ is the domain under consideration (the entire lattice or $H_\Phi$) and $\zeta$ is an arbitrary function (the $n$th successive minimum or any other function defined on lattices). There exist worst-case to worst-case reductions among these problems.

Peikert and Rosen [5] base their hash functions on the generalized knapsack function given as
$$f_{\mathbf{a}}(\mathbf{x}) = \sum_{i=1}^{m} a_i x_i$$
for some $a_i \in R$ and $\mathbf{x} \in S \subseteq R$. The security parameter is $n$ as in $R = (\mathbb{Z}_p^n, +, \times)$. $S$ is chosen to be $[0, p^{\Theta(1)}]$. Such a choice leads to efficient implementation


of the hash function: convolution and addition in $O(n \log_2 n)$. The generalized knapsack function is linear: $f_{\mathbf{a}}(\mathbf{d}) + f_{\mathbf{a}}(\mathbf{d}') = f_{\mathbf{a}}(\mathbf{d} + \mathbf{d}')$. For $f_{\mathbf{a}}(\mathbf{d}') = 0$, a collision is detected. Thus, given a fixed $\mathbf{d} \in S$, we need to find $\mathbf{d}'$ such that the condition is satisfied. We note, however, a condition on $\mathbf{d}$: $\|\mathbf{d}\|_\infty < p^{\Theta(1)}$, leading to the relations $\|\mathbf{d}\| \le \sqrt{n}\,\|\mathbf{d}\|_\infty < p^{\Theta(1)}$ and $\|\mathbf{d}'\|_\infty = 1$, implying we are trying to find relatively short vectors. For an efficient hash function, the security parameter $n$ is chosen as prime and $\Phi(\alpha) = \alpha - 1$; the hash function has outputs compressed by factors of $m \log_2(p^{\Theta(1)}) / \log_2 p$. Security is established by a worst-case reduction from an incremental version of subSVP where $\zeta = \eta_\epsilon$ to finding collisions ($\eta_\epsilon$ is described as the lattice function tasked with finding the value of the smoothing parameter for the given lattice, or informally, finding the radius of the Gaussian noise whose uniform samples, when added to the lattice, transform it into a near-uniform distribution, i.e. loss of discreteness due to the added blur). Hardness is therefore established by further reduction from SVP to the above chosen cyclotomic version. For instance, for prime $n$, $m = \Theta(\log_2 n)$ and $p = n^{2.5 + \Theta(1)}$, finding collisions is as hard as solving SVP up to factors of $n \cdot \mathrm{poly}(\log_2 n)$ with non-negligible probability.

Despite the security guarantee, there exist trade-offs between the provable security of hash functions and their efficient implementation. SWIFFT is one proposal that is provably secure and practically efficient. Lyubashevsky et al. [52] introduced SWIFFT as an extension of Micciancio's work [35], as a hash function scheme that is collision resistant, secure based on worst-case problems on cyclic lattices, and with performance comparable to modern ad-hoc hash functions. SWIFFT arranges the input binary string of length $mn$ as a block matrix in $\{0,1\}^{m \times n}$. The efficient implementation of this scheme is achieved by using a column FFT on the matrix. The computation is parallelizable and connected to well-studied cryptographic problems. Formally, the function is described as
$$h_{\mathbf{a}}(\mathbf{x}) = \sum_{i=1}^{n} a_i x_i,$$
where $a_i$ is sampled uniformly at random from the ring $R = \mathbb{Z}_p[x]/\langle x^n + 1 \rangle$ and the $x_i$ are sampled from ideals in $R$. The use of the FFT eases the implementation of the polynomial products implicit in the function definition. Security considerations are based on the irreducible nature of $x^n + 1$ over the defined ring, the fact that $p$ should be prime and $p - 1$ should be a multiple of $2n$ (which leads to an optimized running time for the FFT), and the uniform distribution of $a_i$ over the ring. Further improvements include storing the initial computation of the FFT on binary vectors in lookup tables and taking better advantage of the parallelism offered by modern processors.

Table 2
Comparative analysis of running times of various hash functions.

| Ref. | Lattice used | Parameters | Setup time (msec) | Hashing time (msec) |
|---|---|---|---|---|
| [1] | Integer lattice | $n = 500$; $m = O(n^2)$; $q$ is prime and $q = O(n^7)$ | 4069.23 | 308.36 |
| [37] | Integer lattice | $n = 500$; $m = O(n^2)$; $q$ is prime and $q = O(n^7)$ | 3994.13 | 345.11 |
| [41] | Integer lattice | $n = 50$; $m = O(2n)$; $q = O(n^7)$; $\alpha = O(n^{1.5} \log_2 n)$ | 106 293.06 | 7288.10 |
| [43] | Integer lattice | $n = 2.80624304008$; $N = 2^{8 \times n^2}$; $m = O(n^2)$ | 17 779.21 × 10⁻³ | 2786.59 × 10⁻³ |
| [48] | Cyclic lattice | $n = 257$; $p = 2^{25}$; $f = x^{256} + 1$ | 20 063.724 | 8276 × 10⁻³ |

Table 3
Comparative analysis of the various hash function constructions discussed in the paper.

| Ref. | Security | Lattice used | Hardness assumption | Approximation factor |
|---|---|---|---|---|
| [1] | One-way | Integer lattice | SVP | $\gamma = O(n^c)$; $c > 8$ |
| [37] | One-way and CR | Integer lattice | SVP | $\gamma = O(n^c)$; $c > 8$ |
| [39] | One-way and CR | Integer lattice | SVP | $\gamma = O(n^{4+\epsilon})$ |
| [41] | One-way and CR | Integer lattice | SVP | $\gamma = O(n^{3+\epsilon})$ |
| [42] | One-way and CR | Integer lattice | SVP, SIVP, CRP | $\gamma = \tilde{O}(n)$ |
| [43] | One-way and CR | Integer lattice | Unique-SVP | $\gamma = O(n^{1.5})$ |
| [35] | One-way | Cyclic lattice | GDD | $\gamma = \tilde{O}(n^{1+\epsilon})$ |
| [48] | One-way and CR | Cyclic lattice | SPP | $\gamma = \tilde{O}(n)\epsilon^2$ |
| [5] | One-way and CR | Cyclic lattice | SVP | $\gamma = \tilde{O}(n)$ |

CR: Collision-resistant; SVP: Shortest Vector Problem; CRP: Covering Radius Problem; SIVP: Shortest Independent Vectors Problem; GDD: Guaranteed Distance Decoding Problem; SPP: Shortest Polynomial Problem.

4. Recent advances on collision-free hash function

4.1. Programmable Hash Function (PHF)

Zhang et al. [53] proposed a construction, called programmable hash functions, originally introduced by Hofheinz et al. [54] for achieving short signature schemes over bilinear maps. Other works on PHFs include Hofheinz et al. [54], Yamada et al. [55], Hofheinz et al. [56], Freire et al. [57], and Catalano et al. [58], which base the constructions on the hardness of the discrete logarithm problem. Formally, PHFs are keyed group hash functions over a finite group $\mathbb{G}$ that operate in two statistically indistinguishable modes based on the mode of key generation: a normal mode such that $h : \{0,1\}^m \to \mathbb{G}$, and a trapdoor mode where additional information $a, b \in \mathbb{Z}$ is obtained such that for pre-fixed $g, h \in \mathbb{G}$, the hash of an input in $\{0,1\}^m$ equals $g^a \cdot h^b$.

Zhang et al. [53] derived lattice-based PHFs that are collision resistant under the hardness assumption of the Inhomogeneous Small Integer Solutions (ISIS) problem. Such hash functions are not group based, but retain the statistically indistinguishable operations. On lattices, the normal operation is given as $h(\mathbf{x}) \in \mathbb{Z}_q^{n \times m}$. The trapdoor operation involves outputting trapdoors $\mathbf{A}$ and $\mathbf{B}$ such that, for any generators $\mathbf{P} \in \mathbb{Z}_q^{n \times p}$ and $\mathbf{Q} \in \mathbb{Z}_q^{n \times m}$, $h(\mathbf{x}) = \mathbf{P}\mathbf{A} + \mathbf{B}\mathbf{Q}$, where $\mathbf{A} \in \mathbb{Z}_q^{p \times m}$ and $\mathbf{B} \in \mathbb{Z}_q^{n \times n}$. The generator $\mathbf{P}$ embeds the ISIS problem whereas the generator $\mathbf{Q}$ embeds a variant of the SVP.

4.2. On Gröbner bases and ideal lattices

Francis and Dukkipati [59] proposed hash functions on Gröbner bases and multivariate ideal lattices with hardness based on the Smallest Polynomial Problem (SPP). In the univariate case, SPP is reducible to the Shortest Conjugate Problem (SCP). In the multivariate case, however, Francis et al. [59] introduced a problem called the Smallest Substitution Problem (SSP). SCP can be polynomially reduced to SSP, thereby establishing the hardness of SPP (SCP and SSP are based on the isomorphism of number fields and function fields, respectively). The hash function constructions are defined as $\mathcal{H}(R, D, m)$, where $R = \mathbb{Z}_p[x_1, x_2, \dots, x_n]/I$ and $p$ is of the order $n^2$. $D$ is the subset of $R$ consisting of those $g \in R$ whose norm with respect to the ideal $I$ is upper bounded by a parameter $d$. The theoretical security requires the ideal $I$ in the finitely generated residue class polynomial ring $\mathbb{Z}[x_1, x_2, \dots, x_n]/I$ to be a prime ideal, which forces the generated multivariate lattice to be full rank (this is exactly like the full rank requirement of univariate lattices that helps in preventing the development of collision attacks against them). For the parameter $m \ge \log_2 p / \log_2 2d$, the hash function has collisions, and an algorithm to find such collisions is equivalent to solving approximate-SPP. The earlier discussion on reductions of these problems establishes the security of such constructions.

4.3. Chameleon hash functions

Mohassel et al. [60] proposed chameleon hash functions, which depend on certain probability distributions, have a key pair, and are collision resistant. A chameleon hash function satisfies three properties: (i) it is computable using the public key, (ii) collision resistance without the trapdoor, and (iii) collisions are easy to find with the trapdoor. Generalized chameleon hash functions are sets of three algorithms (say $\mathit{Gen}$, $h$, and $h^{-1}$). $\mathit{Gen}$ generates the key pair: the public key $k_{\mathit{public}}$ and the


Table 4
Comparative analysis of the strengths and weaknesses of various hash function constructions discussed in this paper.

| Ref. | Strengths | Weaknesses |
|---|---|---|
| [1] | Simple to implement (modular matrix–vector arithmetic); forms the basis for future hash functions that will be developed; simpler sampling distribution (i.e. uniform) when compared to other works | Being one-way, the construction is not secure; the length of the solution vector is not as constrained as in [37], which leads to not-so-short solutions; large approximation factors |
| [37] | Collision resistant construction; universal construction: any two images are spread uniformly over the range in a pairwise independent manner | Large approximation factors; the function core being integer lattices, storage problems arise (esp. storing the hash function key) |
| [41] | Tighter bound on approximation factors; introduces the idea of Voronoi cells, which are of interest because of their geometrical properties | Sampling is complex (using an abelian group in key sampling); requires approximating the covering radius and shortest vector if the implementation checks for almost perfect lattices |
| [43] | Bases security on unique-SVP, a new problem; the function belongs to a modular subset sum family, which is probably the first instance of this version of subset sum; introduces the idea of Fourier analysis in constructions | Unique-SVP is not known to be NP-hard for small approximation factors; the construction is thus insecure for desirable approximation factors |
| [35] | Based on cyclic lattices and thus requires less storage space; application of the FFT speeds up implementation | Construction is not collision resistant |
| [48] | Uses general monic polynomials (we note that [5] uses a specific monic polynomial); attacks on lattice-based constructions have been unable to take advantage of cyclic lattices | Polynomial sampling can be problematic and requires careful implementation |
| [5] | Other than the properties of cyclic lattices, this introduces problems on cyclotomic polynomials which may be of independent interest to the reader | Bases its construction on a single monic polynomial; polynomial rings and their sub-domains may be tricky to implement and to ensure ideal sampling from them |

[39] and [40] tighten the bounds on approximation factors; they do not propose a different construction, so we do not make a separate entry. [42] proposes several results of theoretical interest and tighter reductions. Its integer-lattice-based modular matrix–vector implementation is not much different from previous works, so we do not make a separate entry in the table.

trapdoor 𝑘𝑡𝑟𝑎𝑝 . ℎ converts a given message 𝑚 to its hash: output ℎ𝑎𝑠ℎ = as defined in Section 3.1, creating the key, and hashing. The shortest
ℎ(𝑚, 𝑘𝑝𝑢𝑏𝑙𝑖𝑐 , 𝑟), where 𝑟 is drawn from some probability distribution 𝑃 vector was approximated using Lemma 2.8 and Theorem 10 in Miccian-
over set 𝑆. Finally, ℎ−1 outputs 𝑟′ over 𝑆 given ℎ−1 (𝑚, 𝑚′ , 𝑘𝑡𝑟𝑎𝑝 , 𝑟) such cio et al. [33] while the covering radius was approximated using the
that for distinct messages 𝑚 and 𝑚′ and 𝑟 ∈ 𝑆 as discussed before, ideas described in Micciancio et al. [33]. Concretely, to approximate
ℎ(𝑚, 𝑘𝑝𝑢𝑏𝑙𝑖𝑐 , 𝑟) = ℎ(𝑚′ , 𝑘𝑝𝑢𝑏𝑙𝑖𝑐 , 𝑟′ ). Lattice-based chameleon hash functions the covering radius, we choose a target vector as far away from the
can be constructed in similar ways. For the security parameter 𝑘, define lattice as possible; the distance of the target vector from the lattice
𝑘×𝑚 𝑘×𝑚
𝐀 ∈ Z𝑞 1 and 𝐁 ∈ Z𝑞 2 as well as the message domain 𝑀 = becomes the covering radius. 𝐺 is formed by reducing the arbitrary
𝑚
{𝐱 ∈ Z𝑞 1 ∶ ‖𝐱‖2 ≤ 𝛽1 } and randomness domain (discrete Gaussian) vector in the span of 𝐀 with respect to the lattice 𝐌 by using the vector-
𝑚
𝑅 = {𝐱 ∈ Z𝑞 2 ∶ ‖𝐱‖2 ≤ 𝛽2 }. Here 𝛽1 and 𝛽2 are parameters that modulo-basis reduction as described in Micciancio et al. [62]. Table 3
directly affect the length of such domains. The hash function is given presents a comparative analysis of theoretical security (comparison is
as h(m, r) = Am + Br, where m ∈ M and r ∈ R, with output y ∈ Z_p^k. The hardness of h(m, r) rests on the assumed worst-case hardness of the SIS problem. The trapdoor is a short basis for the lattice that has the matrix B (used in h(m, r)) as its parity-check matrix. A good choice of parameters takes q to be an odd prime of size poly(k); m1 and m2 (the dimensions of the spaces from which A and B are sampled) are of order O(k log2 q).

5. Comparative theoretical security and performance analysis

Table 2 presents a comparative analysis of the execution costs of the hash functions discussed so far. The implementations use FLINT [61] in C++ on a MacBook Air with a 1.8 GHz Intel Core i5 processor, 8 GB 1600 MHz DDR3 RAM and Intel HD Graphics 6000 with 1536 MB of graphics memory, running macOS High Sierra (version 10.13.6). The times reported in Table 2 are means over 100 independent iterations. Setup time (in milliseconds) covers any pre-processing that must be done before hashing can begin, such as key generation or enforcing pre-conditions on the structure of the lattice. Hashing time (in milliseconds) is the time taken, given a key, to hash a message whose length is linear in the parameter m. The parameters and their values in Table 2 are taken from the concrete instantiations in the respective papers that proposed the hash functions. The cyclic-lattice-based hash function of Peikert and Rosen [5] is similar to that of Lyubashevsky and Micciancio [48] (Section 3.2). In Table 2, the implementation of Goldreich et al. [37] is h_{A,r}(x) = Ax + r (as defined in Section 3.1). The implementation of Micciancio's scheme [41] proceeds in the following stages: beginning with a random full-rank matrix, checking whether it is almost perfect, forming the group G

based on security, run-time, approximation factors, geometry, and the hardness assumption). All hardness assumptions are the approximate versions, where γ denotes the approximation factor of the respective problem(s). Ajtai [1] and Micciancio [35] both proposed constructions that are one-way; their collision-resistant versions are given in Goldreich et al. [37] and in Lyubashevsky and Micciancio [48] and Peikert and Rosen [5], respectively. Table 4 presents the strengths and weaknesses of the hash function constructions discussed in this paper.

6. Conclusion

In this review, we described the computational problems on lattices and discussed hash function families based on lattices, along with the underlying reductions and secure concrete instantiations. We also gave a comparative theoretical and experimental analysis of the different instantiations of the hash function families. These advances have come a long way in bridging the gap between theoretically secure schemes and practical implementations. One good example is SWIFFT (Section 3.2), which balances the trade-off between the implementation constraints imposed by computing resources and theoretical security. The schemes discussed in this review provide a base for richer cryptographic primitives while improving our understanding of computational problems, suggesting ways to manipulate lattices for establishing security, providing tighter bounds on approximations of lattice problems, and enriching the independent field of lattices in general.
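The trapdoor hash h(m, r) = Am + Br (mod q) of Section 4 and the Section 5 timing methodology, as an added worked example that is not part of the paper or of any of the cited implementations. It is pure Python with tiny illustrative parameters that give no security, and it does not implement the trapdoor itself (the short basis for the lattice with parity-check matrix B). What it does show is the reduction the security argument relies on, namely that any collision of h yields a short nonzero z with [A | B] z = 0 (mod q), i.e. an SIS solution; it finds such a collision on a toy instance by exhaustive search (the pigeonhole argument), and it measures setup time and hashing time as the mean over 100 iterations with m1, m2 of order k log2 q. The function names keygen, hash_mr, collision_to_sis, find_collision_bruteforce, benchmark and toy_instance are my own.

```python
# Added example (not from the paper): toy instance of h(m, r) = A m + B r (mod q),
# the collision -> SIS reduction behind its security argument, and the Section 5
# timing methodology. Parameters are illustrative only and give no security.
# The trapdoor (short basis for the lattice with parity-check matrix B) is not
# implemented here.
import itertools
import math
import random
import time


def matvec(M, v, q):
    """M v mod q for an integer matrix M (list of rows) and vector v."""
    return [sum(a * b for a, b in zip(row, v)) % q for row in M]


def keygen(k, m1, m2, q, rng):
    """Public key: uniformly random A in Z_q^{k x m1} and B in Z_q^{k x m2}."""
    A = [[rng.randrange(q) for _ in range(m1)] for _ in range(k)]
    B = [[rng.randrange(q) for _ in range(m2)] for _ in range(k)]
    return A, B


def toy_instance(seed=1, k=2, m1=3, m2=3, q=5):
    """Deterministic toy key; 2^(m1+m2) = 64 binary inputs map into q^k = 25 outputs."""
    return keygen(k, m1, m2, q, random.Random(seed))


def hash_mr(A, B, q, m, r):
    """h(m, r) = A m + B r mod q, output in Z_q^k."""
    Am = matvec(A, m, q)
    Br = matvec(B, r, q)
    return [(x + y) % q for x, y in zip(Am, Br)]


def collision_to_sis(A, B, q, m, r, m2, r2, beta):
    """Collision (m, r) != (m2, r2) of h  ->  z = (m - m2 | r - r2), a nonzero
    vector with [A | B] z = 0 mod q and ||z||_inf <= beta (the SIS solution)."""
    if (m, r) == (m2, r2) or hash_mr(A, B, q, m, r) != hash_mr(A, B, q, m2, r2):
        raise ValueError("not a collision")
    z = [a - b for a, b in zip(m + r, m2 + r2)]
    AB = [ra + rb for ra, rb in zip(A, B)]          # [A | B]
    if any(matvec(AB, z, q)) or max(abs(c) for c in z) > beta:
        raise ValueError("not a valid SIS solution")
    return z


def find_collision_bruteforce(A, B, q):
    """Pigeonhole: with binary inputs and 2^(m1+m2) > q^k a collision must exist.
    Exhaustive search finds one on toy parameters; at real sizes this is exactly
    what the SIS assumption says is infeasible."""
    m1, m2 = len(A[0]), len(B[0])
    seen = {}
    for bits in itertools.product((0, 1), repeat=m1 + m2):
        m, r = list(bits[:m1]), list(bits[m1:])
        y = tuple(hash_mr(A, B, q, m, r))
        if y in seen:
            return seen[y], (m, r)
        seen[y] = (m, r)
    return None


def benchmark(k, q, iterations=100, seed=0):
    """Section 5 methodology: mean setup (key generation) time and mean hashing
    time in milliseconds over `iterations` runs, with m1 = m2 = k * ceil(log2 q)
    so the message length is linear in m."""
    rng = random.Random(seed)
    m1 = m2 = k * math.ceil(math.log2(q))
    setup_ms = hash_ms = 0.0
    for _ in range(iterations):
        t0 = time.perf_counter()
        A, B = keygen(k, m1, m2, q, rng)
        t1 = time.perf_counter()
        m = [rng.randrange(2) for _ in range(m1)]
        r = [rng.randrange(2) for _ in range(m2)]
        t2 = time.perf_counter()
        hash_mr(A, B, q, m, r)
        t3 = time.perf_counter()
        setup_ms += (t1 - t0) * 1000.0
        hash_ms += (t3 - t2) * 1000.0
    return {"k": k, "q": q, "m1": m1, "m2": m2,
            "setup_ms": setup_ms / iterations, "hash_ms": hash_ms / iterations}


if __name__ == "__main__":
    A, B = toy_instance()
    (m, r), (m2, r2) = find_collision_bruteforce(A, B, 5)
    print("collision:", (m, r), (m2, r2))
    print("SIS solution z =", collision_to_sis(A, B, 5, m, r, m2, r2, beta=1))
    print(benchmark(k=8, q=97))
```

Running the file prints a toy collision, the short vector z it yields (entries in {-1, 0, 1}, so ||z||_inf <= 1), and the two mean timings for k = 8, q = 97. The timings are for the same two quantities Table 2 reports, but in pure Python rather than FLINT/C++, so only their ratio, not their absolute value, is comparable with the table.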

CRediT authorship contribution statement

Nimish Mishra: Conceptualization, Investigation, Methodology, Validation, Formal analysis, Writing - review & editing, Visualization, Data curation. SK Hafizul Islam: Supervision, Conceptualization, Investigation, Methodology, Validation, Formal analysis, Writing - review & editing, Visualization. Sherali Zeadally: Supervision, Conceptualization, Investigation, Methodology, Validation, Formal analysis, Writing - review & editing, Visualization.

Declaration of competing interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgments

We thank the anonymous reviewers for their valuable comments, which helped us improve the organization, content, and presentation of this paper.

Ethical approval

This article does not contain any studies with human participants performed by any of the authors.

References

[1] Ajtai M. Generating hard instances of lattice problems (extended abstract). In: Proceedings of the 28th Annual ACM Symposium on Theory of Computing (STOC '96). New York, NY, USA: Association for Computing Machinery; 1996, p. 99–108. http://dx.doi.org/10.1145/237814.237838.
[2] Lenstra AK, Lenstra HW, Lovász L. Factoring polynomials with rational coefficients. Math Ann 1982;261:515–34.
[3] NIST. PQC standardization process: Third round candidate announcement. 2020, https://csrc.nist.gov/News/2020/pqc-third-round-candidate-announcement (accessed January 12, 2020).
[4] Micciancio D. Introduction to lattices. CSE 206A: Lattice algorithms and applications. 2012.
[5] Peikert C, Rosen A. Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: Theory of Cryptography Conference. Springer; 2006, p. 145–66.
[6] Schnorr C-P, Euchner M. Lattice basis reduction: Improved practical algorithms and solving subset sum problems. In: International Symposium on Fundamentals of Computation Theory. Springer; 1991, p. 68–85.
[7] Chen Y, Nguyen PQ. BKZ 2.0: Better lattice security estimates. In: International Conference on the Theory and Application of Cryptology and Information Security. Springer; 2011, p. 1–20.
[8] Fincke U, Pohst M. Improved methods for calculating vectors of short length in a lattice, including a complexity analysis. Math Comput 1985;44(170):463–71.
[9] Kannan R. Improved algorithms for integer programming and related lattice problems. In: Proceedings of the 15th Annual ACM Symposium on Theory of Computing. 1983, p. 193–206.
[10] Pohst M. On the computation of lattice vectors of minimal length, successive minima and reduced bases with applications. ACM SIGSAM Bull 1981;15(1):37–44.
[11] Ajtai M, Kumar R, Sivakumar D. A sieve algorithm for the shortest lattice vector problem. In: Proceedings of the 33rd Annual ACM Symposium on Theory of Computing. 2001, p. 601–10.
[12] Micciancio D, Voulgaris P. Faster exponential time algorithms for the shortest vector problem. In: Proceedings of the 21st Annual ACM-SIAM Symposium on Discrete Algorithms. SIAM; 2010, p. 1468–80.
[13] Pujol X, Stehlé D. Solving the shortest lattice vector problem in time 2^{2.465n}. IACR Cryptol ePrint Arch 2009;2009:605.
[14] Wang X, Liu M, Tian C, Bi J. Improved Nguyen–Vidick heuristic sieve algorithm for shortest vector problem. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security. 2011, p. 1–9.
[15] Nguyen PQ, Vidick T. Sieve algorithms for the shortest vector problem are practical. J Math Cryptol 2008;2(2):181–207.
[16] Zhang F, Pan Y, Hu G. A three-level sieve algorithm for the shortest vector problem. In: International Conference on Selected Areas in Cryptography. Springer; 2013, p. 29–47.
[17] Micciancio D, Voulgaris P. A deterministic single exponential time algorithm for most lattice problems based on Voronoi cell computations. SIAM J Comput 2013;42(3):1364–91.
[18] Laarhoven T, Mosca M, van de Pol J. Solving the shortest vector problem in lattices faster using quantum search. In: International Workshop on Post-Quantum Cryptography. Springer; 2013, p. 83–101.
[19] Aggarwal D, Dadush D, Regev O, Stephens-Davidowitz N. Solving the shortest vector problem in 2^n time using discrete Gaussian sampling. In: Proceedings of the 47th Annual ACM Symposium on Theory of Computing. 2015, p. 733–42.
[20] Milde B, Schneider M. A parallel implementation of GaussSieve for the shortest vector problem in lattices. In: International Conference on Parallel Computing Technologies. Springer; 2011, p. 452–8.
[21] Teruya T, Kashiwabara K, Hanaoka G. Fast lattice basis reduction suitable for massive parallelization and its application to the shortest vector problem. In: IACR International Workshop on Public Key Cryptography. Springer; 2018, p. 437–60.
[22] Micciancio D. The hardness of the closest vector problem with preprocessing. IEEE Trans Inform Theory 2001;47(3):1212–5.
[23] Alekhnovich M, Khot SA, Kindler G, Vishnoi NK. Hardness of approximating the closest vector problem with pre-processing. In: 46th Annual IEEE Symposium on Foundations of Computer Science (FOCS'05). IEEE; 2005, p. 216–25.
[24] Chen W, Meng J. The hardness of the closest vector problem with preprocessing over ℓ∞ norm. IEEE Trans Inform Theory 2006;52(10):4603–6.
[25] Becker A, Gama N, Joux A. A sieve algorithm based on overlattices. LMS J Comput Math 2014;17(A):49–70.
[26] Becker A, Gama N, Joux A. Solving shortest and closest vector problems: The decomposition approach. IACR Cryptol ePrint Arch 2013;2013:685.
[27] Laarhoven T. Sieving for closest lattice vectors (with preprocessing). In: International Conference on Selected Areas in Cryptography. Springer; 2016, p. 523–42.
[28] Micciancio D, Voulgaris P. A deterministic single exponential time algorithm for most lattice problems based on Voronoi cell computations. SIAM J Comput 2013;42(3):1364–91.
[29] Doulgerakis E, Laarhoven T, de Weger B. Finding closest lattice vectors using approximate Voronoi cells. In: International Conference on Post-Quantum Cryptography. Springer; 2019, p. 3–22.
[30] Aggarwal D, Dadush D, Stephens-Davidowitz N. Solving the closest vector problem in 2^n time: The discrete Gaussian strikes again! In: 2015 IEEE 56th Annual Symposium on Foundations of Computer Science. IEEE; 2015, p. 563–82.
[31] McCormick ST, Peis B, Scheidweiler R, Vallentin F. A polynomial time algorithm for solving the closest vector problem in zonotopal lattices. 2020, arXiv preprint arXiv:2004.07574.
[32] Blomqvist F, Greferath M. The double-plane algorithm: A simple algorithm for the closest vector problem. In: 2018 International Symposium on Information Theory and Its Applications (ISITA). IEEE; 2018, p. 193–7.
[33] Micciancio D, Goldwasser S. Complexity of lattice problems: A cryptographic perspective, Vol. 671. Springer Science & Business Media; 2012.
[34] Guruswami V, Micciancio D, Regev O. The complexity of the covering radius problem. Comput Complexity 2005;14(2):90–121.
[35] Micciancio D. Generalized compact knapsacks, cyclic lattices, and efficient one-way functions. Comput Complexity 2007;16(4):365–411.
[36] Schnorr C-P. A hierarchy of polynomial time lattice basis reduction algorithms. Theor Comput Sci 1987;53(2–3):201–24.
[37] Goldreich O, Goldwasser S, Halevi S. Collision-free hashing from lattice problems. IACR Cryptol ePrint Arch 1996;1996:9.
[38] Bernstein D, Buchmann J, Goldwasser S. Post-Quantum Cryptography. Springer; 2000.
[39] Cai J-Y, Nerurkar AP. An improved worst-case to average-case connection for lattice problems. In: Proceedings of the 38th Annual Symposium on Foundations of Computer Science. IEEE; 1997, p. 468–77.
[40] Cai J-Y. Applications of a new transference theorem to Ajtai's connection factor. In: Proceedings of the 14th Annual IEEE Conference on Computational Complexity (formerly Structure in Complexity Theory Conference) (Cat. No. 99CB36317). IEEE; 1999, p. 205–14.
[41] Micciancio D. Improved cryptographic hash functions with worst-case/average-case connection. In: Proceedings of the 34th Annual ACM Symposium on Theory of Computing. 2002, p. 609–18.
[42] Micciancio D, Regev O. Worst-case to average-case reductions based on Gaussian measures. SIAM J Comput 2007;37(1):267–302.
[43] Regev O. New lattice-based cryptographic constructions. J ACM 2004;51(6):899–942.
[44] Micciancio D. Almost perfect lattices, the covering radius problem, and applications to Ajtai's connection factor. SIAM J Comput 2004;34(1):118–69.
[45] Impagliazzo R, Naor M. Efficient cryptographic schemes provably as secure as subset sum. J Cryptol 1996;9(4):199–216.
[46] Ajtai M, Dwork C. A public-key cryptosystem with worst-case/average-case equivalence. In: Proceedings of the 29th Annual ACM Symposium on Theory of Computing. 1997, p. 284–93.
[47] Banaszczyk W. New bounds in some transference theorems in the geometry of numbers. Math Ann 1993;296(1):625–35.

[48] Lyubashevsky V, Micciancio D. Generalized compact knapsacks are collision resistant. In: International Colloquium on Automata, Languages, and Programming. Springer; 2006, p. 144–55.
[49] Joux A, Granboulan L. A practical attack against knapsack based hash functions. In: Workshop on the Theory and Application of Cryptographic Techniques. Springer; 1994, p. 58–66.
[50] Shamir A. A polynomial time algorithm for breaking the basic Merkle–Hellman cryptosystem. In: 23rd Annual Symposium on Foundations of Computer Science (SFCS 1982). IEEE; 1982, p. 145–52.
[51] Vaudenay S. Cryptanalysis of the Chor–Rivest cryptosystem. J Cryptol 2001;14(2):87–100.
[52] Lyubashevsky V, Micciancio D, Peikert C, Rosen A. SWIFFT: A modest proposal for FFT hashing. In: International Workshop on Fast Software Encryption. Springer; 2008, p. 54–72.
[53] Zhang J, Chen Y, Zhang Z. Programmable hash functions from lattices: Short signatures and IBEs with small key sizes. In: Annual International Cryptology Conference. Springer; 2016, p. 303–32.
[54] Hofheinz D, Kiltz E. Programmable hash functions and their applications. In: Annual International Cryptology Conference. Springer; 2008, p. 21–38.
[55] Yamada S, Hanaoka G, Kunihiro N. Two-dimensional representation of cover free families and its applications: Short signatures and more. In: Cryptographers' Track at the RSA Conference. Springer; 2012, p. 260–77.
[56] Hofheinz D, Kiltz E. Programmable hash functions and their applications. J Cryptol 2012;25(3):484–527.
[57] Freire ES, Hofheinz D, Paterson KG, Striecks C. Programmable hash functions in the multilinear setting. In: Annual Cryptology Conference. Springer; 2013, p. 513–30.
[58] Catalano D, Fiore D, Nizzardo L. Programmable hash functions go private: Constructions and applications to (homomorphic) signatures with shorter public keys. In: Annual Cryptology Conference. Springer; 2015, p. 254–74.
[59] Francis M, Dukkipati A. On ideal lattices, Gröbner bases and generalized hash functions. J Algebra Appl 2018;17(06):1850112.
[60] Mohassel P. One-time signatures and chameleon hash functions. In: International Workshop on Selected Areas in Cryptography. Springer; 2010, p. 302–19.
[61] Hart WB. Fast Library for Number Theory: An introduction. In: Proceedings of the Third International Congress on Mathematical Software (ICMS'10). Berlin, Heidelberg: Springer-Verlag; 2010, p. 88–91. http://flintlib.org.
[62] Micciancio D. Cryptographic functions from worst-case complexity assumptions. In: The LLL Algorithm. Springer; 2009, p. 427–52.
