Improved Reduction Between SIS Problems Over Structured Lattices

Many lattice-based cryptographic schemes are constructed based on hard problems on an algebraic structured lattice, such as the short integer solution (SIS) problems. These problems are called ring-SIS (R-SIS) and its generalized version, module-SIS (M-SIS). Generally, it has been considered that problems defined on the module lattice are more difficult than the problems defined on the ideal lattice. However, Koo, No, and Kim showed that R-SIS is more difficult than M-SIS under some norm constraints of R-SIS. However, this reduction has problems in that the rank of the module is limited to about half of the instances of R-SIS, and the comparison is not performed through the same modulus of R-SIS and M-SIS. In this paper, we propose the three reductions. First, we show that R-SIS is more difficult than M-SIS with the same modulus and ring dimension under some constraints of R-SIS. Also, we show that through the reduction from M-SIS to R-SIS with the same modulus, the rank of the module is extended as much as the number of instances of R-SIS from half of the number of instances of R-SIS compared to the previous work. Second, we show that R-SIS is more difficult than M-SIS under some constraints, which is tighter than the M-SIS in the previous work. Finally, we propose that M-SIS with the modulus prime <inline-formula> <tex-math notation="LaTeX">$q^{k}$ </tex-math></inline-formula> is more difficult than M-SIS with the composite modulus <inline-formula> <tex-math notation="LaTeX">$c$ </tex-math></inline-formula>, such that <inline-formula> <tex-math notation="LaTeX">$c$ </tex-math></inline-formula> is divided by <inline-formula> <tex-math notation="LaTeX">$q$ </tex-math></inline-formula>. Through the three reductions, we conclude that R-SIS with the modulus <inline-formula> <tex-math notation="LaTeX">$q$ </tex-math></inline-formula> is more difficult than M-SIS with the composite modulus <inline-formula> <tex-math notation="LaTeX">$c$ </tex-math></inline-formula>.


I. INTRODUCTION
Many cryptographic schemes are based on problems that are difficult to solve on computers, including the RSA based on prime factor decomposition and the elliptic curve cryptographic (ECC) scheme based on the discrete logarithm problem (DLP). Since the prime factor decomposition problem and DLP take a long time to solve on computers, cryptographic schemes based on these problems have been considered secure. However, due to the quantum computer's development, it is known that many cryptographic schemes can be broken using quantum algorithms operated on quantum computers [1]. Therefore, candidates of cryptographic schemes that are resistant to quantum computers have been actively researched. The representative candidates are lattice-based cryptography, code-based cryptography, multivariate polynomial-based cryptography, isogeny-based The associate editor coordinating the review of this manuscript and approving it for publication was Neetesh Saxena . cryptography. Among them, the diverse forms of latticebased cryptography such as public-key cryptographic schemes, signature schemes, and key encapsulation mechanisms are submitted in NIST post-quantum cryptography (PQC) standardization competition for the advantages of small-sized key and efficiency as well as security [2].
Lattice-based cryptographic schemes are based on hard problems such as the shortest independent vector problem (SIVP), which is known to reduce to short integer solution (SIS) problem and learning with error (LWE) problem. The SIS problem introduced by Ajtai [3] has been used to construct many lattice-based cryptographic schemes. The SIS problem is defined as follows: Let Z and R denote the sets of integers and real numbers, respectively. Let Z q denote the set of integers modulo q. For any positive integers m, n, given positive real number β ∈ R, and positive integer q, the SIS problem is to find solution z ∈ Z m such that A · z = 0 mod q and 0 < z ≤ β for uniformly random matrix A ∈ Z n×m q . A one-way function can be constructed from the VOLUME 9, 2021 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ SIS problem [7], and then many cryptographic schemes can be constructed from one-way function [4]- [6]. However, cryptographic schemes based on SIS are inefficient since the size of the key of the signature scheme or commitment scheme is too large. Many cryptographic schemes based on structured lattices such as the ideal and module lattices have been proposed to overcome this problem. The ideal lattice is defined on the lattice with a polynomial ring structure, and the module lattice is defined on a module structure, which is an algebraic structure that generalizes ring structure and vector space. Then we can define the SIS problem over the structured lattices. The SIS problem defined over an ideal lattice is said to be ring-SIS (R-SIS) [8], and the SIS problem defined over a module lattice is said to be module-SIS (M-SIS) [9]. It is shown that R-SIS and M-SIS are as hard as SIVP defined on the ideal lattice and the module-lattice, respectively [9], [10].

A. PREVIOUS WORKS
Generally, it has been considered that M-SIS is a more difficult problem than R-SIS in the polynomial ring. For example, suppose that there is an algorithm A for solving M-SIS. The instances of R-SIS can be embedded in M-SIS since the polynomial ring defining R-SIS is considered the module with rank one. Then the algorithm A can be used to find the solution of R-SIS. Thus, in lattice-based cryptographic schemes [11]- [13], [14], M-SIS is preferred due to the fundamental difficulty as well as the reduced key-size and thus, we do not work on the existence of an algorithm to solve the R-SIS.
However, the problems over the module lattice are not always more difficult than the problems over the ideal lattice. In the case of SIS over structured lattices, Koo, No, and Kim showed that the R-SIS problem is more difficult than M-SIS for some specific parameters [15]. In other words, there exists a reduction from M-SIS q k ,m k ,β to R-SIS q,m,β , where β = m k 2 (d−1) β k(2d−1) . To show this, they assign a specific constraint to the upper bound of the norm of the solution of R-SIS. In particular, due to this constraint, the possible range of module rank that can be reduced to R-SIS is limited to d < m+1 2 for sufficiently large modulus q. Also, this reduction showed the relationship between R-SIS with m instances and modulus q and M-SIS with m k instances and modulus q k for some k > 1. In other words, this reduction cannot be said to be established for the same modulus and the same instances. Also, we can infer tight rank-modulus trade-off reduction from R-SIS to M-SIS through [18]- [20]. First, let nd be a ring-dimension defining R-SIS. Reference [19] proposed that there exists a quantum reduction from R-SIS to R-LWE. Since [18] proposed a tight rankmodulus trade-off reduction from R-LWE to M-LWE with ring dimension n and module-rank d. Finally, we use the dual attack reduction [20] from M-LWE to M-SIS, preserving rank and ring dimension. All these steps preserve the modulus q. However, this reduction does not preserve the ring dimension, that is, not the same ring.

B. CONTRIBUTIONS
In this paper, we propose the improved reduction from M-SIS to R-SIS compared to the previous work [15]. Similar to the previous work, the proposed reduction considers some conditions of the upper bound β on the norm of the solution of R-SIS. However, there are three differences between the previous work and the proposed reduction.
First, we propose a new method to find m distinct solutions of instances of R-SIS q,m,β . Using this method, we obtain the reduction from M-SIS q,m,β 1 to R-SIS q,m,β , where β 1 = (t · √ m) d−1 β d in Theorem 3 and t is a positive integer. This reduction preserves the modulus q and ring-dimension n. In particular, we can see that the possible range of module rank that allows the reduction from M-SIS to R-SIS is doubled compared to that in the previous work [15].
Second, we propose that M-SIS q,m,β 1 is more difficult than To show this, first, we show the reduction from M-SIS q k ,m k ,β k to M-SIS q,m,β in Theorem 4, where there is no constraint on β; that is, β can be t · √ m · β as in Fig. 1. From this reduction, the modulus and the number of instances of M-SIS q k ,m k ,β 2 are matched with M-SIS q k ,m k ,β 3 as in Fig. 1. Then, we show a reduction from M-SIS q k ,m k ,β 3 to M-SIS q,m,β 2 for some k ≥ 1 by comparing the upper bound of M-SIS solutions in Theorem 5.
Third, we propose a reduction between M-SIS problems with different modulus. There is a reduction from M-SIS c,m k ,γ to M-SIS q k ,m k ,β 2 , where c is a composite integer with a factor q k and γ = c q k β 2 for some k ≥ 1 in Theorem 6. Thus, as the modulus of M-SIS becomes large, M-SIS becomes less secure. Combining three reductions, that is, Theorems 3, 4, and 6, we propose the following main result, Theorem 7 (See Subsection IV-C for details): Main Result 1 (Theorem 7): Let m be a positive integer. Let t be positive integers and q be a prime such that Let c be a composite integer such that c is divided by q k for some k ≥ 1. Choose a module rank d ∈ Z >0 such that Let a positive real number β be an upper bound on the norm of the solution of R-SIS q,m,β such that Assume that an algorithm A exists for solving R-SIS q,m,β . Then there exists an algorithm B for solving M-SIS c,m k ,γ , where γ = c q k (t · √ m) k(d−1) β kd . As mentioned in [15], when constructing M-SIS based cryptographic scheme, the algorithm for solving R-SIS for certain parameters should be considered. When we construct the cryptographic scheme based on M-SIS, through the proposed work, it means that we need to consider the tighter parameters compared to the previous work [15]. For example, we assume that M-SIS q,m,β 1 , where m = 10, n = 2 8 , log(q) ≈ 40, log(β 1 ) ≈ 50, d = 3, and consider the collision-hash function defined over the module as follows: it is difficult to find a solution z ≤ β 1 . If we assume that there exists an algorithm for solving R-SIS q,m,β , where β ≈ 10, a solution of M-SIS q,m,β 1 could not be found through previous work [15]. However, due to the tighter parameters of the proposed work, we may be able to find a solution of M-SIS q,m,β 1 for the same case.

C. ORGANIZATION
The remainder of this paper is organized as follows: In Section II, SIS problems on ideal and module lattices and the results of the previous works are introduced. In Section III, we propose a new method to find m distinct solutions for R-SIS. Using this method, we derive the reduction from M-SIS q,m,(t· √ m) d−1 β d to R-SIS q,m,β . Also, we show the possible range of module rank of the proposed reduction. And it shows the comparison with the range in [15]. Section IV proposes the various reductions among the M-SIS problems, which lead to the reduction from M-SIS c,m k , c to R-SIS q,m,β for the modulus c such that q k |c for some k ≥ 1. Finally, the conclusion and suggested future works are provided in Section V.

A. STRUCTURED LATTICES 1) NOTATIONS
Let D be a distribution over some finite set S, and then x ← D means that x is chosen from the distribution D. Let A be an algorithm, and then x → A means that A inputs x and y ← A means that A outputs y.

2) IDEALS AND MODULES
Let (X ) be a monic irreducible polynomial of degree n and Q be the set of rational numbers. We use the 2n-th cyclotomic polynomial (X ) = X n + 1 with n = 2 s for some positive integer s because many lattice-based cryptosystems use the 2n-th cyclotomic polynomial (X ). Let K be a number field as Q[X ]/ (X ) and define R as the ring Z[X ]/ (X ) . Conveniently, we refer to R as the polynomial ring. A nonempty set I ⊆ R is an ideal of R if I is an additive subgroup of R and for all r ∈ R and all x ∈ I , r · x ∈ I . The quotient ring R/I is the set of equivalence classes r + I of R modulo I . Let q be the positive integer and define R q = R/qR. Define M ⊆ K d as an R-module, where R is the ring of integers of K and K is a number field if M is closed under addition and under scalar multiplication by elements of R. It is known that M /qM is isomorphic to R d q [9]. The element of R d q is denoted by the vector a, whose entry is an element of the polynomial ring, that is, a = (a 1 (X ), . . . , a d (X )) ∈ R d q . A matrix is denoted by an uppercase letter in bold.

3) CANONICAL EMBEDDING
In [9], the canonical embeddings are the n ring homomorphisms σ j : K → C for all j = 1, . . . , n, where C is the set of the complex numbers. They are defined by σ j (X ) = ξ j , where ξ is the solution of X n + 1 for any j ∈ Z × 2n with n = 2 r for some positive integer r, where Z × 2n denotes the set of integer j module 2n such that gcd(j, 2n) = 1. We define the canonical embedding vector as the ring homomorphism σ C : K → C n as σ C (x) = (σ j (x)) j∈Z × 2n under component-wise addition and multiplication. For any a ∈ K , we define the norm of a as Also, for any a = (a 1 , . . . , a d ) ∈ K d , we define the norm of a as

B. SHORT INTEGER SOLUTION PROBLEMS
First, we define the short integer solution (SIS) problem over the lattice used in many lattice-based cryptographic schemes such as signature schemes and commitment schemes. This problem was first defined by Ajtai [3].
This problem is extended to the structured lattices, which are ideal lattices and module lattices. Since the instances of R-SIS are polynomial, the key size of the signature scheme based on R-SIS can be smaller than that of a signature scheme based on SIS. The module structure is a generalized structure of the ring, and the R-SIS problem can be extended to the problem over module lattice, termed M-SIS. These problems are defined as follows: Definition 1 ( [8], [9], [16]): The problem R-SIS q,m,β is defined as follows: Given a 1 , . . . , a m ∈ R q chosen independently from the uniform distribution, the R-SIS problem is to find [9]): Similarly, the problem M-SIS q,m,β is defined as follows: Given a 1 , . . . , a m ∈ R d q chosen independently from the uniform distribution, the M-SIS problem is to find we find the solution of the instance of R-SIS. However, Koo, et al., showed that R-SIS is more difficult than M-SIS under norm constraints of R-SIS [15]. To show the reduction from M-SIS to R-SIS, Koo, et al., showed it in two steps. The first step is that there exists a reduction from R-SIS q k ,m k ,β k to R-SIS q,m,β as follows: Theorem 1 [15]: Let m be a positive integer and q be a prime. Choose the upper bound of the norm, β ∈ R such that β ≥ √ n · m · q 1 m and q ≥ β √ nω(log n). Assume that there exists an algorithm A for solving the R-SIS q,m,β problem. Then there exists an algorithm A for solving the R-SIS q k ,m k ,β k for any integer k ≥ 1, which corresponds to the reduction from R-SIS q k ,m k ,β k to R-SIS q,m,β .
In the second step, we need to find as many distinct solutions as the number of instances for the same instances of R-SIS. However, finding distinct solutions for the same instances of R-SIS is not straightforward since details of the algorithms' process for solving R-SIS are unknown. To resolve this problem, we use the following lemma.
Lemma 1 [15]: Let m and k > 1 be positive integers, and q be a prime. Let β be a real number such that max(q, √ n · m· q k m ) ≤ β. Assume that an algorithm A exists for solving R-SIS q k ,m,β such that A outputs a solution z ∈ R m with gcd(z, q) = 1. Let a 1 , . . . , a m ∈ R q k be instances of R-SIS q k ,m,β . Then we can find m distinct solutionsz ( The following theorem shows the second step: a reduction from M-SIS q k ,m,β to R-SIS q k ,m,β using Lemma 1.
Theorem 2 [15]: Let m be a fixed positive integer. Let k > 1 be a positive integer and q be a prime. Choose a module rank d ∈ Z such that max(q, Let a positive real number β be an upper bound of the norm of the solution of R-SIS q k ,m,β such that 1) . Assume that an algorithm A exists for solving the R-SIS q k ,m,β problem such that A outputs a solution z ∈ R m with gcd(z, q) = 1. Then an algorithm A exists for solving the M-SIS q k ,m,β problem with module rank d, where β = m 1 2 (d−1) β (2d−1) ; that is, there exists a reduction from M-SIS q k ,m,β to R-SIS q k ,m,β .
Combining Theorems 1 and 2, we can show that there exists the reduction from M-SIS q k ,m k ,β to R-SIS q,m,β with β = m k 2 (d−1) β k(2d−1) as in the following corollary.
Corollary 1 [15]: Let m be a fixed positive integer. Let k > 1 be a positive integer and q be a prime. Choose a module Let a positive real number β be an upper bound on the norm of the solution of R-SIS q,m,β such that 1) . Assume that an algorithm A exists for solving the R-SIS q,m,β problem. Then an algorithm A exists for solving M-SIS q k ,m k ,β problem with module −1) ; that is, there exists a reduction from M-SIS q k ,m k ,β to R-SIS q,m,β .

D. RANGE OF MODULE RANK FOR PREVIOUS WORK
The module rank d is determined by (1) in Corollary 1. Since n is the dimension of the polynomial ring R and m is the number of instances of R-SIS, these parameters are fixed. Thus, the module rank d depends only on the modulus prime q, with fixed parameters n and m. By modifying (1), we have the range of module rank, where the reduction in Corollary 1 is possible, as follows: Then we have d < m + 1 2 for sufficiently large q [15]. Thus, the possible module rank d which enables the reduction from M-SIS q k ,m k ,β to R-SIS q,m,β is upper bounded by m+1 2 for sufficiently large q, where β = m k 2 (d−1) β k(2d−1) .

III. IMPROVED REDUCTION FROM M-SIS TO R-SIS
In this section, we propose a new method to find m distinct solutions for instances of R-SIS. In particular, the m distinct solutions are linearly independent over R q . Using m distinct solutions, we obtain the solution for instances of M-SIS. Similar to the previous work [15], there is a range of module rank that allows the reduction from M-SIS to R-SIS. However, the proposed work shows that the range of module rank is doubled compared to the previous work.

A. IMPROVED REDUCTION FROM M-SIS TO R-SIS FOR THE SAME MODULUS AND THE NUMBER OF INSTANCES
We propose a new method of finding m distinct solutions of instances of R-SIS. Finding distinct solutions for the same instances of R-SIS is difficult since details of the algorithms' process for solving R-SIS are not known. For example, if the algorithm A for solving R-SIS is deterministic, then this algorithm outputs the same solution for the same instance. To overcome this problem, we devise a method to add randomness before using the algorithm for solving R-SIS.

Lemma 2:
Let m be a positive integer and let t be a positive integer. Choose a prime q such that √ n · m · q 1 m < q t .

Choose a real number β such that
Suppose that there exists an algorithm A for solving R-SIS q,m,β . Let a = (a 1 , . . . , a m ) ∈ R m q be chosen independently from uniform distribution. Then there exist m linearly independent solutionsz (j) = (z . Then a (1) is uniform and we can consider a (1) as an instance of R-SIS q,m,β . Using the algorithm A for solving R-SIS q,m,β , we obtain a non-trivial solution z (1) = (1) is a non-trivial solution of (a 1 , . . . , a m ) with z (1) ≤ t ·β since z (1) is a non-trivial solution in R m and there is a non-zero r (1) i in R. Since t · β is less than q, we consider r (2) ≤ t and let a (2) = (a 1 · r 1 , . . . , a m · r (2) m ). Then a (2) is uniform and we can consider a (2) as an instance of R-SIS q,m,β . Through the above process, we obtain a non-trivial solutionz (2) = (r 1 · z 1 , . . . , r m · z (2) m ) ∈ R m with z (2) ≤ t · β. Also, we consider r (2) i , z (2) i ∈ R as r (2) i , z (2) i ∈ R q for all i = 1, . . . , m.

then we repeat
Step 3 untilz (1) ,z (2) , . . . ,z (j) are linearly independent, which is also possible from |S j−1 | |T j−1 |. If we repeat this process m times, then we can find m linearly independent solutions The above solutions are not exact solutions of R-SIS q,m,β , but we can use these solutions to find the solution of M-SIS. Now, we prove the reduction from M-SIS to R-SIS using Lemma 2. The proof of the following theorem is the same as that of Theorem 2. However, the upper bound of the solution of R-SIS is changed since we use Lemma 2. Also, the condition for β is changed as in the following theorem, where the reduction from M-SIS to R-SIS is satisfied.
Theorem 3: Let m, t be positive integers and q be chosen as in Lemma 2. Choose a module rank d ∈ Z >0 such that Let a positive real number β be an upper bound on the norm of the solution of R-SIS q,m,β such that Assume that an algorithm A exists for solving R-SIS q,m,β . Then there exists an algorithm A 1 for solving M-SIS q,m,β 1 , Let a 1 , . . . , a m ∈ R d q be instances of M-SIS q,m,β , which are chosen independently from the uniform distribution, where a i = (a i1 , . . . , a id ) (a 1i , . . . , a mi ). Then the i-th row a i of A is considered as an instance of R-SIS. Consider the last row a d of A. Then there are m distinct solutionsz Then, we have where a i is an m-tuple vector. Applying the above method d − 1 times, we obtain the solution matrix Finally, applying the algorithm A to a * 1 , we find a solution z with z ≤ β such that A * · z = 0 mod q. Then, we have the solution z =Z d · · ·Z 2 · z for A. Then A · z = 0 mod q and From (3), we have that the upper bound β 1 = (t · √ m) d−1 · β d on the norm of the solution of M-SIS q,m,β 1 is less than q since Thus, we find a non-trivial solution of M-SIS q,m,β 1 and show that there exists a reduction from M-SIS q,m,β 1 to

B. THE POSSIBLE RANGE OF MODULE RANK FOR M-SIS
Similar to the previous work [15], the possible range of module rank of M-SIS that satisfies the reduction from M-SIS q,m,β 1 to R-SIS q,m,β depends on (3) in Theorem 3, where β 1 = (t √ m) d−1 β d . Moreover, n and m are fixed since n and m are the dimension of the polynomial ring R and the number of instances of R-SIS, respectively. Also, given t, the module rank d depends on the modulus q. In this paper,  2m log q + m log m + 2m log t m log n + 2m log m + 2 log q + 2m log t .
Then, for sufficiently large q, we obtain the range of module rank as This result is twice as large as the range of module rank of the reduction from M-SIS to R-SIS [15]. Fig. 2 shows the possible module ranks with the different parameters and log 2 q for n = 2 16 , t = 10. In the case of Fig. 2(a), the bits of modulus q vary from 0 to 100. In the case of Fig. 2(b), the bits of modulus q vary from 0 to 10 5 . As log 2 q increases, the possible range of module rank d approaches the number of instances m as in Fig. 2(b). Also, as m increases, the possible range of module rank d becomes even wider.
The possible range of module rank is doubled compared to that of the previous result in (2). Also, the previous work considered the case that the modulus exponent k is larger than one, but in this work, we propose the reduction for the case of k = 1. Fig. 3 shows the comparison of the possible ranges of module ranks of the previous work [15] and the proposed work for n = 2 16 , t = 10. In the case of Fig. 3(a), the bits of modulus q vary from 0 to 100. The range of module rank of the previous work is larger than that of the proposed work in the range 0 to 10, but, in the range 10 to 100, the range of the proposed work is larger than that of previous work. Also, the previous reduction is possible when the exponent k of the modulus of M-SIS is larger than one, but the proposed reduction is also possible when the exponent of k of that of M-SIS is equal to one. In the case of Fig. 3(b), the bits of modulus q vary from 0 to 10 5 , and it shows the convergence values of (2) and (4). (2) converges to half of the number of instances of R-SIS, which is the maximum module rank. However, (4) converges to the same number of instances of R-SIS, which is the maximum module rank.

IV. REDUCTION FROM VARIOUS M-SIS PROBLEMS TO R-SIS PROBLEM
In this section, we derive several reductions among the M-SIS problems, which lead to the reduction from M-SIS c,m k , c q k (t· √ m) k(d−1) β kd to R-SIS q,m,β for the modulus c such that q k |c.

A. REDUCTION BETWEEN M-SIS PROBLEMS WITH INCREASED MODULUS
First, we derive the reduction from M-SIS q k ,m k ,β k to M-SIS q,m,β as in the following theorem, where its proof is the same as that of Theorem 1 in the previous work [15]. Theorem 4: Let m be a positive integer and q be a prime. Let d be a positive integer such that d define a rank of module defining M-SIS q,m,β and M-SIS q k ,m k ,β k . Assume that there exists an algorithm A 1 for solving the M-SIS q,m,β problem. Then there exists an algorithm A 2 for solving the M-SIS q k ,m k ,β k for any integer k ≥ 1, which corresponds to the reduction from M-SIS q k ,m k ,β k to M-SIS q,m,β .
Proof: Assume that there exists an algorithm A 1 for solving M-SIS q,m,β . Assume that a 1 , . . . , a m k ∈ R d q k are chosen independently from uniform distribution over R d q . We can write A = (a 1 , . . . , a m k ) = (ā 1 , . . . ,ā m k−1 ), wherē a i is an m tuple vector. Using the algorithm A 1 , we obtain the solution z i ∈ R m such thatā i · z i = 0 mod q and z i ≤ β. Since β < q and q is a prime, gcd(z i , q) = 1. Thus,ā i · z i = q · a i and a i =ā i · z i /q ∈ R d q k−1 for some a i ∈ R d . Set A = (a 1 , . . . , a m k−1 ) and use the induction on k. Then we find a solution z = (z 1 , . . . , = q · A · z = 0 mod q k and z ≤ z · max i z i ≤ β k . Thus, M-SIS q,m,β is more difficult than M-SIS q k ,m k ,β k . Using Theorem 4, we can obtain the following reduction. Corollary 2: There exists the reduction from M-SIS q k ,m k ,β 2 to M-SIS q,m,β 1 , where β 1 = (t · √ m) d−1 β d and β 2 = β k 1 as in Fig. 1.

B. REDUCTION BETWEEN M-SIS PROBLEMS WITH CHANGED NORM BOUND
In order to derive the reduction from M-SIS q k ,m k ,β 3 to M-SIS q,m,β 1 in Fig. 1, we use the reduction from M-SIS q k ,m k ,β 3 to M-SIS q k ,m k ,β 2 , where and k ≥ 1. To derive the reduction, we need to know the following remark.
Assume that there exists an algorithm A for solving R-SIS q,m,β . Then there exists an algorithm A for solving R-SIS q,m,β . Similarly, assume that there exists an algorithm A for solving M-SIS q,m,β . Then there exists an algorithm A for solving M-SIS q,m,β with the same module rank.
Thus, we derive the reduction from M-SIS q k ,m k ,β 3 to M-SIS q k ,m k ,β 2 as in the following theorem.
Theorem 5: Let m be a positive integer. Let t be positive integers and q a prime such that Choose a module rank d ∈ Z >0 such that Let β be a positive real number such that Then M-SIS q k ,m k ,β 2 is harder than M-SIS q k ,m k ,β 3 , where Proof: Assume that there exists an algorithm A 2 for solving M-SIS q k ,m k ,β 2 , where β 2 = t · √ m k(d−1) β kd . Then we need to compare β 2 and β 3 as , which is larger than one if t ≤ √ n · m · q 1 m . Thus, we obtain . From Theorems 3, 5, and Corollary 2, we can derive the reduction from M-SIS q k ,m k ,β 3 to R-SIS q,m,β , where β 3 = m k 2 (d−1) β k(2d−1) for k ≥ 1, where Corollary 1 in the previous work [15] derived the same reduction for k > 1.

C. REDUCTION FROM M-SIS WITH COMPOSITE NUMBER AS MODULUS TO R-SIS
In this subsection, we observe the relationship between M-SIS with modulus q k for prime q and k ≥ 1 and M-SIS with modulus c as a composite number. In particular, composite number c is divided by prime q k . The following theorem shows the relationship between two problems.
Theorem 6: Let m, t, and q be chosen as in Theorem 5. Let k ≥ 1 be a positive integer. Let c be a composite integer such that q k divides c. Assume that there exists an algorithm A for solving M-SIS q k ,m k ,β 2 . Then there exists an algorithm B for solving M-SIS c,m k ,γ , where γ = c q k β 2 and β 2 = (t · √ m) k(d−1) β kd for k ≥ 1. Proof: Let a 1 , . . . , a m k ∈ R d c be chosen independently from uniform distribution, where a i = (a i1 , . . . , a id ) for all i = 1, . . . , m k . For i = 1, . . . , m k and j = 1, . . . , d, a ij = a (0) ij + q k a (1) ij + · · · + q ks a (s) ij for some integer s and thus we write a i = a (0) i + q k a (1) i + · · · + q ks a (s) i . Thus, a i ≡ a (0) i mod q k . From the algorithm A for solving M-SIS q k ,m k ,β 2 , we can find the solution z 1 , . . . , z m k ∈ R such that a (0) Thus, m k i=1 a i · z i = q k · α for some α ∈ R and we have = c · α = 0 mod c. Since c q k is an integer, c q k z i is in R for all i = 1, . . . , m k . And we obtain c q k z = c q k z ≤ c q k β 2 . Thus, c q k z is a solution of the instance of M-SIS c,m k ,γ , where γ = c q k β 2 and β 2 = (t · √ m) k(d−1) β kd for k ≥ 1. Using Theorems 3, 6, and Corollary 2, we obtain the reduction from M-SIS c,m k ,γ to R-SIS q,m,β , when γ = c q k (t · √ m) k(d−1) β kd as in the following theorem. Theorem 7: Let m, t, and q be chosen as in Theorem 5. Let c be a composite integer such that c is divided by q k for some k ≥ 1. Choose a module rank d ∈ Z >0 such that Let a positive real number β be an upper bound on the norm of the solution of R-SIS q,m,β such that Assume that an algorithm A exists for solving R-SIS q,m,β . Then there exists an algorithm B for solving M-SIS c,m k ,γ , where γ = c q k (t · √ m) k(d−1) β kd .

V. CONCLUSION AND FUTURE WORKS
In this paper, we derived the reduction from M-SIS c,m k ,γ to R-SIS q,m,β , where γ = c q k (t √ m) k(d−1) β kd and c is a composite integer that has a factor q k for some k ≥ 1. To show this reduction, we proposed the three reductions. First, we proposed the reduction from M-SIS q,m,β 1 to R-SIS q,m,β , where β 1 = (t √ m) d−1 β d . To show this reduction, we devised the new method to find m distinct solutions of R-SIS q,m,β . This new method is to add randomness to the algorithm for solving R-SIS q,m,β . Thus, we can devise an algorithm that gives m distinct solutions to the same instances of R-SIS. Compared to the previous work [15], this reduction is preserved the same modulus and ring dimension. Also, the possible range of module rank for reduction from M-SIS q,m,β to R-SIS q,m,β could be doubled compared to [15].
Second, we proposed the reduction from M-SIS q k ,m k ,β 2 to R-SIS q,m,β , where β 2 = β k 1 = (t √ m) k(d−1) β kd . To show this reduction, we derived the method extending the reduction from R-SIS q k ,m k ,β k to R-SIS q,m,β shown in [15] to the reduction from M-SIS q k ,m k ,β 2 to M-SIS q,m,β 1 , where β 2 = β k 1 = (t √ m) k(d−1) β kd . Also, we showed that M-SIS q k ,m k ,β 2 is more difficult than M-SIS q k ,m k ,β 3 defined in the previous work [15], where β 3 = m k 2 (d−1) β k(2d−1) for k ≥ 1 using the fact that M-SIS becomes more difficult when the upper bound of M-SIS is tighter. This means that R-SIS is more difficult than M-SIS, which is tighter than the M-SIS in the previous work [15].
Finally, we showed that M-SIS q k ,m k ,γ is more difficult than M-SIS c,m k ,β 2 , where c is a composite integer with a factor q k and γ = c q k β 2 = c q k (t √ m) k(d−1) β kd . In the previous work [15], all reductions depend on the prime modulus q. However, we proposed the reductions between the M-SIS problems with the different modulus. Combining three reductions, we obtained the reduction from M-SIS c,m k ,γ to R-SIS q,m,β .
As a future work, it is crucial to handle the upper bound of the solution of R-SIS and M-SIS because this upper bound determines the rank of the module. Also, since we showed the results for R-SIS and M-SIS related to only one prime q, we need to derive the relationship between R-SIS and M-SIS with different primes p and q as the modulus.