
No exponential quantum speedup for $\mathrm{SIS}^\infty$ anymore

Published 8 Oct 2025 in quant-ph, cs.CC, cs.CR, and cs.DS | (2510.07515v1)

Abstract: In 2021, Chen, Liu, and Zhandry presented an efficient quantum algorithm for the average-case $\ell_\infty$-Short Integer Solution ($\mathrm{SIS}^\infty$) problem, in a parameter range outside the normal range of cryptographic interest, but still with no known efficient classical algorithm. This was particularly exciting since $\mathrm{SIS}^\infty$ is a simple problem without structure, and their algorithmic techniques were different from those used in prior exponential quantum speedups. We present efficient classical algorithms for all of the $\mathrm{SIS}^\infty$ and (more general) Constrained Integer Solution problems studied in their paper, showing there is no exponential quantum speedup anymore.

Summary

  • The paper demonstrates that classical algorithms decisively refute the exponential quantum speedup for average-case $\mathrm{SIS}^\infty$ by matching and surpassing earlier quantum bounds.
  • It introduces deterministic, polynomial-time methods using combinatorial and linear-algebraic reductions that improve efficiency and parameter flexibility.
  • The work redefines cryptographic security assumptions and highlights practical limits to quantum advantage in post-quantum cryptography.

No Exponential Quantum Speedup for $\mathrm{SIS}^\infty$ Anymore

Overview and Motivation

The paper rigorously addresses the computational complexity of the average-case $\ell_\infty$-Short Integer Solution ($\mathrm{SIS}^\infty$) problem and its generalizations, which were previously believed to admit exponential quantum speedups over classical algorithms in certain parameter regimes. The 2021 work of Chen, Liu, and Zhandry (CLZ) introduced a quantum algorithm for $\mathrm{SIS}^\infty$ in a regime with no known efficient classical solution, leveraging quantum reductions and techniques distinct from those used in hidden subgroup or simulation-based quantum speedups. This result was notable because $\mathrm{SIS}^\infty$ is structurally simple and underpins the security of several post-quantum cryptographic schemes.

The present work demonstrates that, contrary to prior belief, there is no exponential quantum speedup for $\mathrm{SIS}^\infty$ in these regimes. The authors construct efficient classical algorithms for all the $\mathrm{SIS}^\infty$ and Constrained Integer Solution (CIS) problems considered by CLZ, and in fact, their classical algorithms outperform the quantum ones in both asymptotic complexity and parameter flexibility.

Problem Definitions and Prior Quantum Algorithms

The $\mathrm{SIS}^\infty$ problem is defined as follows: Given $H \in \mathbb{F}_q^{n \times m}$, find a nonzero $x \in \mathbb{F}_q^m$ such that $Hx = 0$ and $\|x\|_\infty \leq s$ for some $s < q/2$. The CIS generalization restricts the entries of $x$ to a subset $A \subseteq \mathbb{F}_q$.

CLZ's quantum algorithm, based on Regev's reduction, solves average-case $\mathrm{SIS}^\infty$ for $m \geq C q^4 \log q \cdot n^k$ and $s = (q-k)/2$, with $k$ constant and $q$ prime. The algorithm also extends to CIS with $|A| = q-k+1$.
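An added example, not taken from the paper or from this summary: a checker for the $\mathrm{SIS}^\infty$ and CIS definitions above, together with the easy baseline where plain Gaussian elimination suffices, since for odd $q$ every nonzero kernel vector already has $\|x\|_\infty \leq (q-1)/2$. It assumes the norm is taken over centered representatives mod $q$; all function names and the toy instance are constructed for illustration, and the paper's own algorithms are not implemented here.

```python
# Added example; names and the toy instance are constructed, not from the paper.
def centered(a, q):
    """Representative of a mod q in (-q/2, q/2]."""
    a %= q
    return a - q if a > q // 2 else a

def linf_norm(x, q):
    return max(abs(centered(a, q)) for a in x)

def in_kernel(H, x, q):
    return len(x) == len(H[0]) and not any(
        sum(h * a for h, a in zip(row, x)) % q for row in H)

def is_sis_solution(H, x, q, s):
    """Nonzero x with Hx = 0 (mod q) and ||x||_inf <= s; definition needs s < q/2."""
    if 2 * s >= q:
        raise ValueError("s must be < q/2")
    return any(a % q for a in x) and in_kernel(H, x, q) and linf_norm(x, q) <= s

def is_cis_solution(H, x, q, allowed):
    """CIS: same kernel condition, entries restricted to the set A (mod q)."""
    A = {a % q for a in allowed}
    return any(a % q for a in x) and in_kernel(H, x, q) and all(a % q in A for a in x)

def kernel_vector(H, q):
    """Gauss-Jordan over F_q (q prime): one nonzero kernel vector, or None."""
    rows, m, pivots = [[a % q for a in r] for r in H], len(H[0]), []
    for c in range(m):
        r = len(pivots)
        p = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if p is None:
            continue
        rows[r], rows[p] = rows[p], rows[r]
        inv = pow(rows[r][c], -1, q)          # modular inverse, Python 3.8+
        rows[r] = [a * inv % q for a in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                f = rows[i][c]
                rows[i] = [(a - f * b) % q for a, b in zip(rows[i], rows[r])]
        pivots.append(c)
    free = next((c for c in range(m) if c not in pivots), None)
    if free is None:
        return None
    x = [0] * m
    x[free] = 1                                # set one free variable, solve the pivots
    for i, c in enumerate(pivots):
        x[c] = -rows[i][free] % q
    return x

Q_DEMO = 13                                    # constructed toy instance, n = 2, m = 4
H_DEMO = [[1, 2, 3, 7], [3, 1, 10, 11]]
SHORT_DEMO = [-3, -2, 0, 1]                    # constructed short solution, norm 3
```

On the toy instance, the kernel vector returned by elimination has norm 6 and passes only at $s = (q-1)/2 = 6$; at $s = \lfloor q/4 \rfloor = 3$ it fails while `SHORT_DEMO` passes, which is the gap an algorithm for small $s$ has to close.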

Classical Algorithmic Contributions

The authors present deterministic, polynomial-time classical algorithms for both worst-case and average-case instances, with several key improvements:

  • Parameter Regimes: The classical algorithms work for $m \geq C n^k$ (removing the $q^4 \log q$ factor), and for $s = \lfloor q/(2k) \rfloor$, which is a much stricter notion of "shortness" than in the quantum regime.
  • Generalization: The algorithms handle CIS for arbitrary allowed sets $A$, not just intervals, and work for both average-case and worst-case $H$.
  • Efficiency: The running time is $\mathrm{poly}(m, \log q)$, even when $q$ is exponentially large in $n$.
  • Determinism and Robustness: The algorithms are deterministic and do not rely on random oracles or probabilistic reductions.

Technical Approach

The core technical innovation is a suite of combinatorial and linear-algebraic reductions that dequantize the quantum filtering and decoding techniques. The authors introduce a "halving trick" and generalizations thereof, which iteratively reduce the allowed coefficient set for solutions, enabling the construction of short zero-sum vectors with polynomial sample complexity. The approach leverages:

  • Sparse Zero-Sum Construction: Efficient algorithms for finding sparse zero-sum vectors in $\mathbb{F}_q^n$ using combinatorial partitioning and dimension reduction.
  • General Reducibility: Definitions and constructions of reducible vectors that allow for recursive reduction of the solution space.
  • Arithmetic Progression Arguments: Use of arithmetic combinatorics to guarantee the existence of long arithmetic progressions in allowed sets, facilitating the CIS reductions.
  • Fast Linear Algebra: Application of fast matrix multiplication algorithms to optimize the runtime of basis search and projection steps.

Strong Numerical Results and Contradictory Claims

The paper establishes several strong results that directly contradict the previously held belief in exponential quantum speedup for these problems:

  • For $\mathrm{SIS}^\infty$, a classical algorithm finds a nonzero $x$ with $\|x\|_\infty \leq \lfloor q/(2k) \rfloor$ in time $\mathrm{poly}(m, \log q)$ for $m \geq C n^k$, outperforming the quantum algorithm's $m \geq C q^4 \log q \cdot n^k$ and $s = (q-k)/2$.
  • For CIS with $|A| = q-k+1$, the classical algorithm works for $m \geq C \log q \cdot n^2$ when $q > 4^{k-1}$, and $m \geq C \log q \cdot n^{k-1}$ for $k \geq 3$, strictly improving the quantum bounds.
  • For $\mathbb{F}_q^n$-Subset-Sum, the classical algorithm achieves $m \geq C n^{q/2 + o(1)}$ in the average case, compared to the quantum $m \geq C n^{q-1}$.

These results are robust across a wide range of parameters, including exponentially large $q$, and apply to both average-case and worst-case instances.

Implications for Cryptography and Quantum Algorithms

The findings have significant implications for post-quantum cryptography and the search for quantum advantage:

  • Cryptographic Hardness: The parameter regimes where quantum algorithms were previously thought to threaten the hardness of $\mathrm{SIS}^\infty$-based cryptosystems (e.g., Dilithium, Wave) are now shown to be efficiently solvable classically for $m \gg n$, undermining the basis for quantum speedup in these settings.
  • Quantum Algorithm Design: The techniques used in CLZ and related works (Yamakawa-Zhandry, DQI) do not yield exponential speedup for natural, structureless problems in the regimes considered. The only remaining candidates for exponential quantum speedup are highly structured or black-box problems with $m = O(n)$, which are not covered by the present dequantization.
  • Complexity Theory: The results reinforce the scarcity of natural problems admitting exponential quantum speedup outside the hidden subgroup and simulation domains, and highlight the power of combinatorial and algebraic methods in dequantizing quantum algorithms.

Theoretical and Practical Extensions

The paper discusses several avenues for further optimization and generalization:

  • Sample Complexity: Potential improvements in the dependence on $q$ and $k$ for sample complexity, and the possibility of matching the $O(n^k)$ bound for all $k$.
  • General Finite Fields and Rings: Extension of the algorithms to non-prime fields and rings, with minor modifications.
  • Targeted Sums and Closest-Vector Problems: Adaptation of the techniques to targeted sum problems and more general CIS instances with per-coordinate constraints.
  • Subexponential Regimes: Investigation of subexponential-time tradeoffs for $m = n^{c}$ with $1 < c < 2$, relevant for cryptographic applications.

Conclusion

This work decisively refutes the existence of exponential quantum speedup for the average-case $\mathrm{SIS}^\infty$ and related CIS problems in the parameter regimes previously considered intractable for classical algorithms. The authors' classical algorithms not only match but surpass the efficiency of quantum approaches, with improved parameter flexibility and deterministic guarantees. The results have direct consequences for cryptographic security assumptions and the landscape of quantum algorithmic advantage, and they underscore the importance of combinatorial and algebraic techniques in complexity theory and algorithm design. Future research may focus on further optimizing sample complexity, extending the framework to broader algebraic settings, and exploring the boundaries of quantum-classical separations in structured and black-box problem domains.
