For example, in the first round of the NIST post-quantum competition, 28 out of 82 submissions stem from lattice-based cryptography~\cite{NIS17}.
Lattice-based cryptography takes advantage of a simple mathematical structure in order to realize advanced functionalities, beyond encryption and signature schemes.
For instance, fully homomorphic encryption~\cite{Gen09,GSW13} is only known to be possible in the lattice-based world for now.
This gives us good confidence in lattice assumptions (given the \emph{caveats} of \cref{ch:proofs}) such as Learning-with-Errors ($\LWE$) and Short Integer Solutions ($\SIS$), which are defined in Section~\ref{sse:lattice-problems}. The rest of this section describes some useful tools that rely on \emph{lattice trapdoors}.
A (full-rank) lattice~$\Lambda$ is defined as the set of all integer linear combinations of some linearly independent basis vectors~$(\mathbf{b}_i)_{1\leq i \leq n}$ of~$\RR^n$.
For any lattice point $\mathbf{t}\in\Lambda_q^{\mathbf{u}}(\mathbf{A})$, it holds that $\Lambda_q^{\mathbf{u}}(\mathbf{A})=\Lambda_q^{\perp}(\mathbf{A})+\mathbf{t}$, meaning that $\Lambda_q^{\mathbf{u}}(\mathbf{A})$
$D_{\Lambda,\sigma,\mathbf{c}}(\mathbf{y})=\rho_{\sigma,\mathbf{c}}(\mathbf{y})/\rho_{\sigma,\mathbf{c}}(\Lambda)$ for any $\mathbf{y}\in\Lambda$, where $\rho_{\sigma, \mathbf{c}}(\Lambda)\triangleq\sum_{\mathbf x \in\Lambda}\rho_{\sigma, \mathbf{c}}(\mathbf{x})$.
This problem reduces to the \textit{Learning-with-Errors}~($\LWE$) problem and the Short Integer Solution~($\SIS$) problem, as explained later in \cref{le:sis-hard} and~\cref{le:lwe-hard}.
These links are important as those are ``worst-case-to-average-case'' reductions.
In order to define the $\SIVP$ problem and assumption, let us first define the successive minima of a lattice, a generalization of the minimum of a lattice (i.e., the length of a shortest non-zero vector in a lattice).
For a dimension-$n$ lattice described by a basis $\mathbf{B}\in\RR^{n \times m}$, and a parameter $\gamma > 0$, the shortest independent vectors problem $\SIVP_\gamma$ is to find $n$ linearly independent vectors $\mathbf{v}_1, \ldots, \mathbf{v}_n$ such that $\| \mathbf{v}_1\|\leq\| \mathbf{v}_2\|\leq\ldots\leq\| \mathbf{v}_n \|$ and $\|\mathbf{v}_n\|\leq\gamma\cdot\lambda_n(\mathbf{B})$.
As explained before, the hardness of this assumption for worst-case lattices implies the hardness of the following two assumptions in their average-case setting, which are illustrated in Figure~\ref{fig:lwe-sis}.
In particular, it means that, if $\SIVP$ is hard, no polynomial-time algorithm can solve those problems with non-negligible probability or non-negligible advantage, respectively.
%As explained before, we will rely on the assumption that both algorithmic problems below are hard. Meaning that no (probabilistic) polynomial time algorithms can solve them with non-negligible probability and non-negligible advantage, respectively.
The \textit{Short Integer Solution} problem $\SIS_{n,m,q,\beta}$ is, given~$\mathbf{A}\sample\U(\Zq^{n \times m})$, find~$\mathbf{x}\in\Lambda_q^{\perp}(\mathbf{A})$ with~$0 < \|\mathbf{x}\|\leq\beta$.
The \textit{Inhomogeneous Short Integer Solution}~$\ISIS_{n,m,q,\beta}$ problem is, given~$\mathbf{A}\sample\U(\Zq^{n \times m})$ and $\mathbf{u}\in\Zq^n$, find~$\mathbf{x}\in\Lambda_q^{\mathbf{u}}(\mathbf{A})$ with~$0 < \|\mathbf{x}\|\leq\beta$.
For a fixed $\mathbf{s}\in\mathbb{Z}_q^n$, let $\mathcal{A}_{\mathbf{s}, \chi}$ be the distribution obtained by sampling $\mathbf{a}\hookleftarrow\U(\mathbb{Z}_q^n)$ and $e \hookleftarrow\chi$, and outputting $(\mathbf{a}, \mathbf{a}^T\cdot\mathbf{s}+ e)\in\mathbb{Z}_q^n \times\mathbb{Z}_q$.
The \emph{Learning-with-Errors} problem $\mathsf{LWE}_{n,q,\chi}$ asks to distinguish~$m$ samples chosen according to $\mathcal{A}_{\mathbf{s},\chi}$ (for $\mathbf{s}\hookleftarrow\U(\mathbb{Z}_q^n)$) from $m$ samples chosen according to $\U(\mathbb{Z}_q^n \times\mathbb{Z}_q)$.
If $q$ is a prime power, $B \geq\sqrt{n}\omega(\log n)$ and $\gamma=\widetilde{\mathcal{O}}(nq/B)$, then there exists an efficiently sampleable $B$-bounded distribution~$\chi$ (i.e., $\chi$ outputs samples with norm at most $B$ with overwhelming probability) such that $\mathsf{LWE}_{n,q,\chi}$ is at least as hard as $\mathsf{SIVP}_{\gamma}$.
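As an added illustration (not part of the thesis) of why the error distribution~$\chi$ is what makes $\LWE$ hard: with $e=0$ the secret~$\mathbf{s}$ follows from $m\geq n$ samples by Gaussian elimination over~$\mathbb{Z}_q$, while errors of magnitude one already make the same elimination return a wrong vector. The functions \texttt{lwe\_samples}, \texttt{solve\_mod\_q}, \texttt{recover\_secret} and the toy parameters ($n=8$, $m=12$, $q=97$, seeded randomness) are my own choices.

```python
import random

def lwe_samples(n, m, q, secret, err, rng):
    """Constructed LWE instance: m samples (a, <a, s> + e mod q).
    err(rng) draws one error term; err = lambda r: 0 is the noiseless case."""
    A, b = [], []
    for _ in range(m):
        a = [rng.randrange(q) for _ in range(n)]
        A.append(a)
        b.append((sum(ai * si for ai, si in zip(a, secret)) + err(rng)) % q)
    return A, b

def solve_mod_q(A, b, q):
    """Gaussian elimination over Z_q (q prime). Returns the solution of the n
    pivot equations, or None if A does not have full column rank. Rows that are
    never chosen as pivots are not checked, so for a noisy (inconsistent)
    system the result is just what those n equations imply."""
    n = len(A[0])
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for col in range(n):
        piv = next((r for r in range(col, len(M)) if M[r][col] % q), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, q)            # modular inverse, Python >= 3.8
        M[col] = [x * inv % q for x in M[col]]
        for r in range(len(M)):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(x - f * y) % q for x, y in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]

def recover_secret(n, m, q, noisy, seed=1):
    """Returns (true secret, secret recovered by plain linear algebra)."""
    rng = random.Random(seed)
    secret = [rng.randrange(q) for _ in range(n)]
    err = (lambda r: r.choice([-1, 1])) if noisy else (lambda r: 0)
    A, b = lwe_samples(n, m, q, secret, err, rng)
    return secret, solve_mod_q(A, b, q)

if __name__ == "__main__":
    s, s_hat = recover_secret(n=8, m=12, q=97, noisy=False)
    print("noiseless: recovered =", s == s_hat)    # True: m >= n samples leak s
    s, s_hat = recover_secret(n=8, m=12, q=97, noisy=True)
    print("with errors: recovered =", s == s_hat)  # False: errors break elimination
```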
Indeed,~\cref{le:TrapGen} shows that it is possible to sample a (statistically close to) uniform matrix $\mathbf{A}\in\ZZ_q^{n \times m}$ along with a short basis for $\Lambda^\perp_{q}(\mathbf{A})$.
Thus, a vector sampled from $D_{\Lambda^\perp_{q}(\mathbf{A}), \sigma}$, which is short with overwhelming probability according to~\cref{le:small}, is a solution to $\SIS_{n,m,q,\sigma\sqrt{n}}$.
Gentry {\em et al.}~\cite{GPV08} showed that Gaussian distributions with lattice support can be sampled efficiently given a sufficiently short basis of the lattice.
The following Lemma states that it is possible to efficiently compute a statistically uniform~$\mathbf{A}$ along with a short basis of its orthogonal lattice $\Lambda^{\perp}_q(\mathbf{A})$.
There exists a $\ppt$ algorithm $\TrapGen$ that takes as inputs $1^n$, $1^m$ and an integer~$q \geq2$ with~$m \geq\Omega(n \log q)$, and outputs a matrix~$\mathbf{A}\in\ZZ_q^{n \times m}$ and a basis~$\mathbf{T}_{\mathbf{A}}$ of~$\Lambda_q^{\perp}(\mathbf{A})$ such that~$\mathbf{A}$ is within statistical distance~$2^{-\Omega(n)}$ to~$\U(\ZZ_q^{n \times m})$, and~$\|\widetilde{\mathbf{T}_{\mathbf{A}}}\|\leq\bigO(\sqrt{n \log q})$.
\noindent Lemma~\ref{le:TrapGen} is often combined with the sampler from Lemma~\ref{le:GPV}. Micciancio and Peikert~\cite{MP12} proposed a more efficient approach for this combined task, which is to be preferred in practice but, for the sake of simplicity, schemes are presented using $\TrapGen$ and $\GPVSample$ in this thesis.
We also make use of an algorithm that extends a trapdoor for~$\mathbf{A}\in\ZZ_q^{n \times m}$ to a trapdoor of any~$\mathbf{B}\in\ZZ_q^{n \times m'}$ for which an $m$-subset of its columns is $\mathbf{A}$. For the sake of simplicity we will consider the case where~$\mathbf{A}$ is the left~$n \times m$ submatrix of~$\mathbf{B}$.
In some of our security proofs, analogously to \cite{Boy10,BHJ+15}, we also use a technique due to Agrawal, Boneh and Boyen~\cite{ABB10} that implements an all-but-one trapdoor mechanism (akin to the one of Boneh and Boyen \cite{BB04}) in the lattice setting.
There exists a $\ppt$ algorithm $\SampleR$ that takes as inputs matrices $\mathbf{A}, \mathbf{C}\in\ZZ_q^{n \times m}$, a low-norm matrix $\mathbf{R}\in\ZZ^{m \times m}$,
a short basis $\mathbf{T}_{\mathbf{C}}\in\ZZ^{m \times m}$ of $\Lambda_q^{\perp}(\mathbf{C})$, a vector $\mathbf{u}\in\ZZ_q^{n}$ and a rational $\sigma$ such that $\sigma\geq\|\widetilde{\mathbf{T}_{\mathbf{C}}}\|\cdot\Omega(\sqrt{\log n})$,
and outputs a short vector $\mathbf{b}\in\ZZ^{2m}$ such that $\left[ \begin{array}{c|c}\mathbf{A} ~ &~ \mathbf{A}\cdot\mathbf{R} + \mathbf{C}\end{array}\right]\cdot\mathbf{b} = \mathbf{u}\bmod q$
and with distribution statistically close to $D_{L,\sigma}$ where $L$ denotes the shifted
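The all-but-one mechanism behind $\SampleR$ and the coset relation $\Lambda_q^{\mathbf{u}}(\mathbf{A})=\Lambda_q^{\perp}(\mathbf{A})+\mathbf{t}$ stated earlier, worked through in an added Python example that is not code from the thesis or from \cite{ABB10}: it replaces the Gaussian sampler and the short basis $\mathbf{T}_{\mathbf{C}}$ by the gadget matrix $\mathbf{G}$ of Micciancio and Peikert with $q=2^k$ and bit decomposition, so the output is short but is not distributed as $D_{L,\sigma}$. The names \texttt{gadget}, \texttt{sample\_right}, \texttt{in\_coset}, \texttt{demo} and the seeded toy parameters are assumptions.

```python
import random

def gadget(n, k):
    """G = I_n (x) (1, 2, ..., 2^(k-1)) in Z_q^{n x nk}, q = 2^k. G stands in for C:
    G x = u has the explicit short solution x = bits of u, so no basis is needed."""
    G = [[0] * (n * k) for _ in range(n)]
    for i in range(n):
        for j in range(k):
            G[i][i * k + j] = 1 << j
    return G

def matvec(M, x, q):
    return [sum(mij * xj for mij, xj in zip(row, x)) % q for row in M]

def matmul(M, N, q):
    return [[sum(a * b for a, b in zip(row, col)) % q for col in zip(*N)] for row in M]

def sample_right(A, R, G, u, q, k):
    """Deterministic stand-in for SampleR: b = (-R b2 | b2) with G b2 = u, so
    [A | A R + G] b = -A R b2 + A R b2 + G b2 = u (mod q). A is never inverted."""
    m = len(A[0])
    b2 = [(ui >> j) & 1 for ui in u for j in range(k)]          # bits of u
    b1 = [-sum(R[i][j] * b2[j] for j in range(m)) for i in range(m)]
    return b1 + b2

def in_coset(F, x, u, q):
    """x in Lambda_q^u(F) iff F x = u (mod q); u = 0 gives Lambda_q^perp(F)."""
    return matvec(F, x, q) == [ui % q for ui in u]

def demo(n=4, k=8, seed=7):
    """Build F = [A | A R + G] and solve F b = u for two targets u, v. Returns
    (b_u in coset u, b_v in coset v, b_u - b_v in coset u - v, max |b_u[i]|)."""
    q, m = 1 << k, n * k
    rng = random.Random(seed)                                   # constructed toy instance
    A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    R = [[rng.choice([-1, 0, 1]) for _ in range(m)] for _ in range(m)]   # low norm
    G = gadget(n, k)
    AR = matmul(A, R, q)
    F = [a + [(x + g) % q for x, g in zip(ar, gr)] for a, ar, gr in zip(A, AR, G)]
    u = [rng.randrange(q) for _ in range(n)]
    v = [rng.randrange(q) for _ in range(n)]
    bu, bv = sample_right(A, R, G, u, q, k), sample_right(A, R, G, v, q, k)
    diff = [x - y for x, y in zip(bu, bv)]
    return (in_coset(F, bu, u, q), in_coset(F, bv, v, q),
            in_coset(F, diff, [x - y for x, y in zip(u, v)], q),
            max(abs(x) for x in bu))

if __name__ == "__main__":
    print(demo())   # -> (True, True, True, r) with r <= m = 32
```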