SelfTargetMSIS in Lattice Cryptography

Updated 13 April 2026
  • SelfTargetMSIS is a self-targeting variant of MSIS that serves as a core security assumption for CRYSTALS-Dilithium, extending a classical lattice problem into a form whose hardness can be argued against quantum adversaries.
  • The reduction from MLWE to SelfTargetMSIS employs measure-and-reprogram and quantum rewinding techniques, transforming a forger into an MLWE adversary under the QROM.
  • Optimized parameter choices in SelfTargetMSIS enable native NTT performance and provable post-quantum security, though at the cost of increased key and signature sizes.

SelfTargetMSIS is a computational problem within module lattice-based cryptography, introduced as a central security assumption in the analysis of CRYSTALS-Dilithium digital signatures. It extends the traditional Module Short Integer Solution (MSIS) problem to a “self-targeting” variant, forming the basis for the first quantum reduction from Module Learning With Errors (MLWE) to Dilithium’s signature security in the Quantum Random Oracle Model (QROM). This problem and its reduction underpin the provable post-quantum security of Dilithium instantiated in rings with moduli q ≡ 1 mod 2n, enabling practical use of the fastest Number Theoretic Transform (NTT) algorithms in implementation (Jackson et al., 2023).

1. Definition and Formalization

Let $q$ be an odd prime, $n$ a power of 2, and $R_q = \mathbb{Z}_q[X]/(X^n+1)$. Consider integer parameters $m, k, \gamma, \tau$ and a hash function $H\colon \{0,1\}^* \to B_\tau$, where $B_\tau \subset R_q$ is the set of ring elements with exactly $\tau$ nonzero coefficients, each in $\{\pm 1\}$. A quantum adversary $\mathcal{A}$ is given quantum query access to $H$ and a uniformly random input matrix over $R_q$.

Success in SelfTargetMSIS is defined as the adversary producing a pair such that

nn3

where the product is the canonical matrix–vector product over $R_q$, the identity block is the identity of the appropriate dimension, and the final map selects the last coordinate of the solution vector. Formally,

Rq=Zq[X]/(Xn+1)R_q = \mathbb{Z}_q[X]/(X^n+1)0

This formulation captures the challenge of finding a "self-targeted" preimage whose last component matches the hash output, even when $H$ is accessible only as a quantum random oracle (Jackson et al., 2023).
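The definition above, as an added toy example (this is not code from Jackson et al. or from the Dilithium implementation). It builds the ring $R_q$, the challenge set $B_\tau$, a hash into $B_\tau$, and a checker for the SelfTargetMSIS success condition. Assumptions not fixed by the page: the instance matrix is $A \in R_q^{m \times k}$, a candidate solution is $y \in R_q^{m+k}$ evaluated as $[I_m \mid A]\,y$, shortness is the infinity norm bound $\|y\|_\infty \le \gamma$, and $H$ is SHAKE-256 rejection-sampled into $B_\tau$. The parameters are deliberately tiny so that a brute-force search over the eight elements of $B_\tau$ finds a solution and shows what "self-targeting" means: the last coordinate must equal a hash that itself depends on that coordinate.

```python
"""Toy SelfTargetMSIS instance (added example; not from Jackson et al. or Dilithium).
Assumptions: A in R_q^{M x K}, solutions y in R_q^{M+K} checked as [I_M | A] * y,
infinity-norm bound GAMMA, and H = SHAKE-256 rejection-sampled into B_TAU."""
import hashlib
import random

# Constructed toy parameters: far too small for any security, chosen so that
# |B_TAU| = 2 * N = 8 and the search below finishes instantly.
N, Q, M, K, GAMMA, TAU = 4, 17, 2, 2, 3, 1


def poly_mul(a, b):
    """Schoolbook product in R_q = Z_q[X]/(X^N + 1); X^N wraps with a sign flip."""
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                res[i + j] = (res[i + j] + ai * bj) % Q
            else:
                res[i + j - N] = (res[i + j - N] - ai * bj) % Q
    return res


def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]


def matvec(A, y):
    """Compute [I_M | A] * y over R_q: row i is y_i plus sum_j A[i][j] * y_{M+j}."""
    out = []
    for i in range(M):
        acc = list(y[i])                      # identity block contributes y_i
        for j in range(K):
            acc = poly_add(acc, poly_mul(A[i][j], y[M + j]))
        out.append(acc)
    return out


def hash_to_ball(msg: bytes, w):
    """H: {0,1}^* -> B_TAU.  Expands SHAKE-256(msg || w) into exactly TAU nonzero
    coefficients in {+1, -1}; -1 is stored as Q - 1.  Rejection keeps exactly TAU."""
    enc = msg + b"|" + b",".join(str(c).encode() for p in w for c in p)
    stream = hashlib.shake_256(enc).digest(8 * N * TAU + 64)
    c, placed, pos = [0] * N, 0, 0
    while placed < TAU:
        idx, sign = stream[pos] % N, stream[pos + 1] & 1
        pos += 2
        if c[idx] == 0:
            c[idx] = 1 if sign else Q - 1
            placed += 1
    return c


def inf_norm(y):
    """Infinity norm with coefficients read in the centred range."""
    return max(min(c, Q - c) for p in y for c in p)


def is_solution(A, mu: bytes, y) -> bool:
    """SelfTargetMSIS success: y is short and H(mu, [I|A]y) equals y's last coordinate."""
    return inf_norm(y) <= GAMMA and hash_to_ball(mu, matvec(A, y)) == y[-1]


def random_matrix(seed: int = 0):
    """Uniform instance matrix A in R_q^{M x K} (constructed from a fixed seed)."""
    rng = random.Random(seed)
    return [[[rng.randrange(Q) for _ in range(N)] for _ in range(K)] for _ in range(M)]


def all_challenges():
    """Enumerate B_TAU for the toy TAU = 1: one coefficient equal to +1 or -1."""
    for idx in range(N):
        for val in (1, Q - 1):
            c = [0] * N
            c[idx] = val
            yield c


def toy_search(A, mu: bytes, seed: int = 1):
    """Fix the first M+K-1 coordinates at random short values, then try every
    challenge as the last coordinate.  Only feasible because |B_TAU| = 8 here;
    real parameters make B_TAU astronomically large, which is the whole point."""
    rng = random.Random(seed)
    for _ in range(10_000):
        head = [[rng.randint(-GAMMA, GAMMA) % Q for _ in range(N)] for _ in range(M + K - 1)]
        for c in all_challenges():
            y = head + [c]
            if is_solution(A, mu, y):
                return y
    return None


if __name__ == "__main__":
    A = random_matrix(0)
    y = toy_search(A, b"constructed message")
    print("toy solution:", y, "valid:", is_solution(A, b"constructed message", y))
```

The size of $B_\tau$ is $\binom{n}{\tau} 2^\tau$; the search above succeeds because that number is 8, and the same loop becomes hopeless once $\tau$ is set as in Dilithium, which is exactly what the hardness assumption asserts.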

2. Relationship to Classical MSIS and MLWE

SelfTargetMSIS is a structural extension of the MSIS problem. In MSIS, the adversary, given a uniformly random matrix over $R_q$, finds a nonzero vector of bounded norm that the matrix maps to zero.

Connections:

  • MSIS $\le_{\mathrm{ROM}}$ SelfTargetMSIS: Classically, given two distinct SelfTargetMSIS solutions for the same matrix that differ in their last (hash-determined) coordinate, their difference is a short nonzero MSIS solution.
  • MLWE to SelfTargetMSIS (quantum): The sEUF security reduction for Dilithium in the QROM decomposes a forger into three parts: one attacking MLWE, one attacking SelfTargetMSIS, and one attacking MSIS. Demonstrating the quantum hardness of SelfTargetMSIS therefore underpins the security of Dilithium in the QROM (Jackson et al., 2023).

3. Quantum Reduction: MLWE to SelfTargetMSIS

The key technical contribution is a quantum reduction from MLWE to SelfTargetMSIS. The reduction follows four main steps:

  • Plain→SelfTargetMSIS: Ensures the input matrix is in row-echelon form (with a leading identity block, as in the definition), so a solver for the "Plain" problem yields a SelfTargetMSIS solver, modulo negligible loss.
  • Plain→CCB (Chosen-Coordinate Binding): Applies the Liu–Zhandry "measure-and-reprogram" lemma, converting any query-bounded SelfTargetMSIS adversary into a query-free solver for a CCB experiment, at the cost of an advantage loss quadratic in the number of hash queries.
  • CCB→Collapse (Collapsing Test): Uses quantum rewinding techniques (Unruh) to show that a successful CCB adversary yields a solution to the collapsing-test experiment, with success probability squared (minus a statistical offset).
  • Collapse→MLWE: Uses identity-vs-measurement distinguishing (following Liu–Montgomery–Zhandry) to show that any successful Collapse adversary can be turned into an MLWE distinguisher, given appropriate constraints on the parameters.

The result is that, under these conditions, any quantum adversary with non-negligible advantage against SelfTargetMSIS can be converted into an MLWE adversary with comparable runtime and an advantage that is polynomially related to it (Jackson et al., 2023).

4. Collapsing Hash Functions and Security in the QROM

The analysis requires that the MSIS-derived hash function is collapsing in the sense of Unruh. This property ensures that, in the QROM, hash outputs appear classical to any quantum adversary, enabling the Fiat–Shamir with aborts paradigm for signature security to go through with negligible loss.

The collapsing property is established through a sequence of projection-based arguments connecting the ability to win the Chosen-Coordinate Binding game to violating the collapsing condition. Specifically, if an adversary can produce two distinct valid preimages with different last coordinates, then the hash cannot be collapsing. This property is critical for extending the sEUF–CMA (strong Existential Unforgeability under Chosen Message Attack) proof for Dilithium from the classical ROM to the QROM (Jackson et al., 2023).

5. Integration in Dilithium Security Proofs

With these reductions and hash function properties, security proofs for CRYSTALS-Dilithium under the native condition $q \equiv 1 \bmod 2n$ in the QROM are achieved under standard MLWE and MSIS assumptions. Specifically, for any forger making a bounded number of quantum hash queries, the existential unforgeability advantage is bounded by:

H ⁣:{0,1}BτH\colon \{0,1\}^* \to B_\tau3

Given the reduction from MLWE to SelfTargetMSIS, every Dilithium forger with non-negligible advantage yields a non-negligible MLWE or MSIS solver (Jackson et al., 2023).

6. Parameter Choices and Practical Implications

The quantum reduction introduces a multiplicative loss that grows polynomially with the number of hash queries, requiring larger parameters for concrete instantiations. For NIST Level 3 security (target 128-bit quantum SVP cost), Jackson et al. propose:

  • H ⁣:{0,1}BτH\colon \{0,1\}^* \to B_\tau6, H ⁣:{0,1}BτH\colon \{0,1\}^* \to B_\tau7, H ⁣:{0,1}BτH\colon \{0,1\}^* \to B_\tau8, H ⁣:{0,1}BτH\colon \{0,1\}^* \to B_\tau9, BτRqB_\tau \subset R_q0, BτRqB_\tau \subset R_q1, BτRqB_\tau \subset R_q2, BτRqB_\tau \subset R_q3, BτRqB_\tau \subset R_q4
  • Public key size: 18,592 bytes
  • Signature size: 13,490 bytes

Compared to standard Dilithium at Level 3, these settings have a substantially larger signature and public key. However, they are the first settings for which sEUF in the QROM is provably reduced to MLWE/MSIS while exploiting native NTT ("fast ring") structures. Additionally, the ring arithmetic is faster than the hybrid-NTT instantiations previously needed to avoid the $q \equiv 1 \bmod 2n$ case (Jackson et al., 2023).

Security Level    MLWE (bits)   SelfTargetMSIS (bits)   Public Key Size (B)   Signature Size (B)
Level 3 (128Q)    400           100                     18,592                13,490
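The "native NTT" point in this section, as an added example (not code from Jackson et al. or the Dilithium reference implementation): when $q \equiv 1 \bmod 2n$ a primitive $2n$-th root of unity $\psi$ exists modulo $q$, so $X^n+1$ splits into the $n$ linear factors $X - \psi^{2i+1}$ and ring multiplication becomes a pointwise product of evaluations. The block checks that condition, computes the degree of the irreducible factors of $X^n+1$ over $\mathbb{Z}_q$ (1 only in the fully splitting case; larger degrees are what force a hybrid NTT), and verifies a negacyclic NTT multiplication against schoolbook arithmetic. The moduli 17 and 13 with $n = 8$ are constructed toy values; `DILITHIUM_Q` and `DILITHIUM_N` are the published Dilithium parameters, included from general knowledge rather than from this page. The transform is written as direct evaluation for clarity; production code uses $O(n \log n)$ butterflies over the same roots.

```python
"""Negacyclic NTT over Z_q[X]/(X^n + 1) (added example; not from Jackson et al. or
the Dilithium reference code).  Shows what q = 1 (mod 2n) buys: full splitting."""

# Published Dilithium parameters (known values, not taken from the page):
# q - 1 = 2^13 * 1023, so q = 1 mod 512 = 2n for n = 256.
DILITHIUM_Q, DILITHIUM_N = 8380417, 256


def splitting_degree(n, q):
    """Degree of the irreducible factors of X^n + 1 over Z_q for an odd prime q:
    the multiplicative order of q modulo 2n.  Degree 1 means q = 1 mod 2n and a
    fully splitting (native) NTT; larger degrees need a hybrid NTT."""
    assert q % 2 == 1, "q must be odd so that it is invertible modulo 2n"
    order, acc = 1, q % (2 * n)
    while acc != 1:
        acc = (acc * q) % (2 * n)
        order += 1
    return order


def primitive_2n_root(n, q):
    """Return a primitive 2n-th root of unity psi mod q (n a power of two), or
    None when q != 1 mod 2n, in which case no such root exists."""
    if (q - 1) % (2 * n) != 0:
        return None
    for g in range(2, q):
        psi = pow(g, (q - 1) // (2 * n), q)
        if pow(psi, n, q) == q - 1:   # psi^(2n) = 1 always; psi^n = -1 means order exactly 2n
            return psi
    return None


def ntt(a, psi, q):
    """CRT map Z_q[X]/(X^n+1) -> Z_q^n: evaluate a at the odd powers psi^(2i+1)."""
    n = len(a)
    return [sum(a[j] * pow(psi, (2 * i + 1) * j, q) for j in range(n)) % q
            for i in range(n)]


def intt(ahat, psi, q):
    """Inverse of ntt: interpolate the n coefficients from the n evaluations."""
    n = len(ahat)
    n_inv, psi_inv = pow(n, -1, q), pow(psi, -1, q)
    return [(n_inv * sum(ahat[i] * pow(psi_inv, (2 * i + 1) * j, q) for i in range(n))) % q
            for j in range(n)]


def mul_schoolbook(a, b, q):
    """Reference negacyclic product: X^n reduces to -1."""
    n = len(a)
    res = [0] * n
    for i in range(n):
        for j in range(n):
            if i + j < n:
                res[i + j] = (res[i + j] + a[i] * b[j]) % q
            else:
                res[i + j - n] = (res[i + j - n] - a[i] * b[j]) % q
    return res


def mul_ntt(a, b, psi, q):
    """Ring product via pointwise multiplication in the NTT domain."""
    fa, fb = ntt(a, psi, q), ntt(b, psi, q)
    return intt([(x * y) % q for x, y in zip(fa, fb)], psi, q)


if __name__ == "__main__":
    for n, q in ((8, 17), (8, 13), (DILITHIUM_N, DILITHIUM_Q)):
        print(f"n={n} q={q}: factor degree {splitting_degree(n, q)}, "
              f"primitive 2n-th root {'exists' if primitive_2n_root(n, q) else 'absent'}")
    psi = primitive_2n_root(8, 17)
    a, b = [1, 2, 3, 4, 5, 6, 7, 8], [8, 7, 6, 5, 4, 3, 2, 1]
    print("NTT product matches schoolbook:", mul_ntt(a, b, psi, 17) == mul_schoolbook(a, b, 17))
```

For $q = 13$ and $n = 8$ the order of $q$ modulo 16 is 4, so $X^8+1$ only splits into quartics and `primitive_2n_root` returns `None`: arithmetic there must multiply in degree-4 residue rings, which is the slower hybrid structure the page contrasts with the native case.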

7. Significance and Ongoing Research

SelfTargetMSIS enables the first quantum-sound security proof for CRYSTALS-Dilithium in its natural parameter regime, without requiring restrictive modulus choices or inefficient hybrid structures. The quantum reduction and collapsing hash analysis close prior gaps in the QROM, providing a solid foundation for Dilithium as a post-quantum standard with native NTT performance. A plausible implication is ongoing optimization of parameter sizes and better bounds for SelfTargetMSIS hardness, as this directly impacts key and signature efficiency in practice (Jackson et al., 2023).
