I am new to lattice cryptography. May I ask why, if one has a trapdoor for SIS, i.e., can compute a short $x$ that satisfies $Ax=0$, then one can have a trapdoor for $Ax_{2}=y$? TIA
1 Answer
A vector $x$ such that $Ax = 0 \pmod q$ is not a “trapdoor” by itself, it's just one solution to the SIS problem. Equivalently, it is a single short vector of the SIS lattice. Having this $x$ is not sufficient to solve arbitrary inhomogeneous SIS (ISIS) instances $Ax' = y \pmod q$.
If, instead, you have a short basis of the SIS lattice, then that does give you a trapdoor, and lets you solve ISIS instances, with the caveat that there is a gap (usually $\Omega(\sqrt{n})$) between the size of the short basis vectors and the size of the ISIS solutions.