For example, in the first round of the NIST post-quantum competition, 28 out of the 82 submissions were lattice-based~\cite{NIS17}.
Lattice-based cryptography takes advantage of a simple mathematical structure, the so-called lattices, in order to provide cryptographic functionality that goes beyond encryption and signatures.
For instance, fully homomorphic encryption~\cite{Gen09,GSW13} is, for now, only possible in the lattice-based world.
In the context of provable security, lattice assumptions benefit from a worst-case to average-case reduction~\cite{Reg05,GPV08,MP12,AFG14}.
Concurrently, worst-case lattice problems have been extensively analysed in the last decade~\cite{ADS15,ADRS15,HK17}, both classically and quantumly.
This gives us good confidence in lattice-based assumptions (given the \emph{caveats} of Chapter~\ref{ch:proofs}) such as Learning with Errors ($\LWE$) and Short Integer Solutions ($\SIS$), which are defined in Section~\ref{sse:lattice-problems}. The rest of this section describes some useful algorithms that rely on \emph{lattice trapdoors}.
A (full-rank) lattice~$\Lambda$ is defined as the set of all integer linear combinations of some linearly independent basis vectors~$(\mathbf{b}_i)_{1\leq i \leq n}$ belonging to some~$\RR^n$.
A lattice's basis is not unique, as illustrated in Figure~\ref{fig:lattice-basis}.
For any lattice point $\mathbf{t}\in\Lambda_q^{\mathbf{u}}(\mathbf{A})$, it holds that $\Lambda_q^{\mathbf{u}}(\mathbf{A})=\Lambda_q^{\perp}(\mathbf{A})+\mathbf{t}$. Meaning that $\Lambda_q^{\mathbf{u}}(\mathbf{A})$
In order to work with lattices in cryptography, it is useful to define hard lattice problems. In the following we define the Shortest Independent Vectors Problem~($\SIVP$). This problem reduces to the Learning With Errors ($\LWE$) problem and to the Short Integer Solution~($\SIS$) problem, as explained later. These links are important because they are ``worst-case to average-case'' reductions. In other words, the $\SIVP$ assumption by itself is not very handy to manipulate in order to build new cryptographic designs, while the $\LWE$ and $\SIS$ assumptions, which are ``average-case'' assumptions, are more suitable for designing cryptographic schemes.
In order to define the $\SIVP$ problem and assumption, let us first define the successive minima of a lattice, a generalization of the minimum of a lattice (the length of a shortest non-zero vector in a lattice).
For a lattice $\Lambda$ of dimension $n$, let us define for $i \in\{1,\ldots,n\}$ the $i$-th successive minimum as
\[\lambda_i(\Lambda)=\inf\bigl\{ r \mid\dim\left(\Span\left(\Lambda\cap\mathcal B\left(\mathbf0, r \right)\right)\right)\geq i \bigr\}, \]
where $\mathcal B(\mathbf c, r)$ denotes the ball of radius $r$ centered at $\mathbf c$.
\end{definition}
This leads us to the $\SIVP$ problem, which consists in finding a set of sufficiently short linearly independent lattice vectors given a lattice basis.
\begin{definition}[$\SIVP$] \label{de:sivp}
For a lattice of dimension $n$ described by a basis $\mathbf B \in\RR^{n \times m}$, and a parameter $\gamma > 0$, the shortest independent vectors problem is to find $n$ linearly independent lattice vectors $\mathbf v_1, \ldots, \mathbf v_n$ such that $\| \mathbf v_1\|\leq\| \mathbf v_2\|\leq\ldots\leq\| \mathbf v_n \|$ and $\|\mathbf v_n\|\leq\gamma\cdot\lambda_n(\mathbf B)$.
\end{definition}
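As an added illustration (not part of the thesis), the following Python code computes the successive minima of Definition~\ref{de:sivp}'s underlying notion by brute force on a constructed toy basis: it enumerates lattice points in a coefficient box, sorts them by norm and greedily keeps linearly independent ones, so the kept vectors are an exact ($\gamma=1$) $\SIVP$ solution. The enumeration is exponential in the dimension and is only meant for very small examples.

```python
import itertools
import math
from fractions import Fraction


def independent(vecs):
    """Exact linear-independence test over the rationals (Gaussian elimination)."""
    rows = [[Fraction(x) for x in v] for v in vecs]
    rank = 0
    for col in range(len(rows[0])):
        pivot = next((r for r in range(rank, len(rows)) if rows[r][col] != 0), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for r in range(len(rows)):
            if r != rank and rows[r][col] != 0:
                f = rows[r][col] / rows[rank][col]
                rows[r] = [a - f * b for a, b in zip(rows[r], rows[rank])]
        rank += 1
    return rank == len(vecs)


def successive_minima(basis, bound):
    """Brute-force lambda_1, ..., lambda_n of the lattice spanned by `basis`.

    Every non-zero integer combination with coefficients in [-bound, bound] is
    sorted by Euclidean norm; the shortest vectors that stay linearly independent
    of the ones already kept are retained, so the i-th kept norm is lambda_i
    (exact as long as the box contains a vector achieving each minimum).
    Returns (minima, vectors); `vectors` is an exact (gamma = 1) SIVP solution.
    """
    n, dim = len(basis), len(basis[0])
    points = []
    for coeffs in itertools.product(range(-bound, bound + 1), repeat=n):
        if any(coeffs):
            v = [sum(c * b[j] for c, b in zip(coeffs, basis)) for j in range(dim)]
            points.append((math.sqrt(sum(x * x for x in v)), v))
    points.sort(key=lambda p: p[0])
    minima, chosen = [], []
    for norm, v in points:
        if independent(chosen + [v]):
            chosen.append(v)
            minima.append(norm)
            if len(chosen) == n:
                break
    return minima, chosen
```

For the constructed basis $\{(2,0),(1,3)\}$ the minima are $2$ and $\sqrt{10}$, while $\{(3,2),(2,1)\}$ generates $\ZZ^2$ (determinant $-1$) and yields $1,1$ although neither basis vector is short.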
As explained before, we will rely on the assumption that both algorithmic problems below are hard, meaning that no (probabilistic) polynomial-time algorithm can solve them with non-negligible probability and non-negligible advantage, respectively.
Let $n,m \geq1$, $q \geq2$, and let $\chi$ be a probability distribution on~$\mathbb{Z}$. For $\mathbf{s}\in\mathbb{Z}_q^n$, let $\mathcal{A}_{\mathbf{s}, \chi}$ be the distribution obtained by sampling $\mathbf{a}\hookleftarrow U(\mathbb{Z}_q^n)$ and $e \hookleftarrow\chi$, and outputting $(\mathbf{a}, \mathbf{a}^T\cdot\mathbf{s}+ e)\in\mathbb{Z}_q^n \times\mathbb{Z}_q$. The Learning With Errors problem $\mathsf{LWE}_{n,q,\chi}$ asks to distinguish~$m$ samples chosen according to $\mathcal{A}_{\mathbf{s},\chi}$ (for $\mathbf{s}\hookleftarrow U(\mathbb{Z}_q^n)$) from $m$ samples chosen according to $U(\mathbb{Z}_q^n \times\mathbb{Z}_q)$.
\end{definition}
If $q$ is a prime power, $B \geq\sqrt{n}\,\omega(\log n)$, and $\gamma=\widetilde{\mathcal{O}}(nq/B)$, then there exists an efficiently sampleable $B$-bounded distribution~$\chi$ (i.e., $\chi$ outputs samples of norm at most $B$ with overwhelming probability) such that $\mathsf{LWE}_{n,q,\chi}$ is at least as hard as $\mathsf{SIVP}_{\gamma}$ (see, e.g., \cite{Reg05,Pei09,BLP+13}).
% (see~\cite{Pei09,BLPRS13} for classical analogues).
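As an added illustration (not from the thesis), the following Python code samples from $\mathcal{A}_{\mathbf{s},\chi}$ and from $U(\mathbb{Z}_q^n\times\mathbb{Z}_q)$ with constructed toy parameters and shows the one distinguisher that trivially works: the holder of $\mathbf{s}$ recovers the $B$-bounded errors, whereas the $\LWE$ assumption states that nobody without $\mathbf{s}$ can tell the two distributions apart. The uniform error on $\{-B,\ldots,B\}$ is a stand-in for the discrete Gaussian of the reduction, and the parameters are far too small to be secure.

```python
import random


def bounded_chi(B):
    """Constructed B-bounded error distribution: uniform on {-B, ..., B}
    (stand-in for the discrete Gaussian used in the actual reduction)."""
    return lambda rng: rng.randint(-B, B)


def centered(x, q):
    """Representative of x mod q in the interval (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def lwe_samples(n, q, m, s, chi, rng):
    """m samples from A_{s,chi}: (a, <a,s> + e mod q), a uniform in Z_q^n, e <- chi.
    The errors are returned too so the demo can check what a secret holder recovers."""
    samples, errors = [], []
    for _ in range(m):
        a = [rng.randrange(q) for _ in range(n)]
        e = chi(rng)
        samples.append((a, (sum(ai * si for ai, si in zip(a, s)) + e) % q))
        errors.append(e)
    return samples, errors


def uniform_samples(n, q, m, rng):
    """m samples from U(Z_q^n x Z_q), the distribution LWE must be told apart from."""
    return [([rng.randrange(q) for _ in range(n)], rng.randrange(q)) for _ in range(m)]


def residuals(samples, s, q):
    """b - <a,s> mod q, centered; equals the error e for a genuine LWE sample."""
    return [centered(b - sum(ai * si for ai, si in zip(a, s)), q) for a, b in samples]


def looks_like_lwe(samples, s, q, B):
    """Distinguisher that knows s: accept iff every residual is B-bounded.
    A uniform sample passes with probability only (2B+1)/q, so m samples separate
    the two distributions easily *with* s; without s this check is unavailable."""
    return all(abs(r) <= B for r in residuals(samples, s, q))


def demo(seed, n=8, q=97, m=20, B=2):
    """Toy run; returns (lwe_recognised, errors_recovered, uniform_recognised)."""
    rng = random.Random(seed)
    s = [rng.randrange(q) for _ in range(n)]
    lwe, errs = lwe_samples(n, q, m, s, bounded_chi(B), rng)
    return (looks_like_lwe(lwe, s, q, B), residuals(lwe, s, q) == errs,
            looks_like_lwe(uniform_samples(n, q, m, rng), s, q, B))
```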
\noindent Lemma~\ref{le:TrapGen} is often combined with the sampler from Lemma~\ref{le:GPV}. Micciancio and Peikert~\cite{MP12} proposed a more efficient
We also make use of an algorithm that extends a trapdoor for~$\mathbf{A}\in\ZZ_q^{n \times m}$ to a trapdoor of any~$\mathbf{B}\in\ZZ_q^{n \times m'}$ whose left~$n \times m$
\noindent In our security proofs, analogously to \cite{Boy10,BHJ+15} we also use a technique due to Agrawal, Boneh and Boyen~\cite{ABB10} that implements
There exists a $\ppt$ algorithm $\SampleR$ that takes as inputs matrices $\mathbf A, \mathbf C \in\ZZ_q^{n \times m}$, a low-norm matrix $\mathbf R \in\ZZ^{m \times m}$,
a short basis $\mathbf{T_C}\in\ZZ^{m \times m}$ of $\Lambda_q^{\perp}(\mathbf{C})$, a vector $\mathbf u \in\ZZ_q^{n}$ and a rational $\sigma$ such that $\sigma\geq\|
\widetilde{\mathbf{T_C}}\|\cdot\Omega(\sqrt{\log n})$, and outputs a short vector $\mathbf{b}\in\ZZ^{2m}$ such that $\left[ \begin{array}{c|c}\mathbf A ~ &~ \mathbf A
\cdot\mathbf R + \mathbf C \end{array}\right]\cdot\mathbf b = \mathbf u \bmod q$ and with distribution statistically close to $D_{L,\sigma}$ where $L$ denotes the shifted
lattice $\Lambda^\mathbf{u}_q \left(\left[\begin{array}{c|c}\mathbf A ~&~ \mathbf A \cdot\mathbf R +\mathbf C \end{array}\right]\right)$.
%$\{ \mathbf x \in \ZZ^{2 m} : \left[ \begin{array}{c|c} \mathbf A ~&~ \mathbf A \cdot \mathbf R + \mathbf C \end{array} \right] \cdot \mathbf x = \mathbf u \bmod q \}$.