Short Integer Solution (SIS) Overview

• Short Integer Solution (SIS) is a core lattice problem defined by finding a short nonzero vector in the kernel of an integer matrix modulo q, serving as the security basis for many post-quantum schemes.
• Variants like SIS∞ and MultiSIS adjust norm constraints and problem structure, enabling their use in diverse cryptographic protocols including signature schemes and commitment designs.
• Recent algorithmic improvements, such as combinatorial halving techniques and k-partition methods, refine hardness assumptions and inform secure parameter selection in cryptographic applications.

The Short Integer Solution (SIS) problem is a foundational lattice problem with direct cryptographic significance, worst-to-average-case equivalence, and serves as the security basis for diverse post-quantum schemes. Given an integer matrix modulo $q$, SIS asks for a nontrivial short integral vector (with norm bounded by parameter $\beta$ or $B$), lying in the kernel modulo $q$. Variants include imposing infinity norm (SIS$^\infty$), demanding multiple solutions (MultiSIS), or requiring the solution vector to be in a specific structured set.

1. Formal Definitions and Variants

The standard SIS problem, denoted $\mathrm{SIS}_{n,m,q,\beta}$, is defined as follows. For integers $n,\ m,\ q$, and a norm bound $\beta$, given $A \in \mathbb{Z}_q^{m \times n}$ sampled uniformly at random, the goal is to find $x \in \mathbb{Z}^n \backslash \{0\}$ such that $A x \equiv 0 \pmod{q}$ and $\|x\| \leq \beta$, with $\|\cdot\|$ typically the Euclidean norm (Blömer et al., 12 Sep 2025, Semaev, 2020).

The SIS$^\infty$ ($\ell_\infty$-SIS) variant, central to recent advances, demands $\|x\|_\infty \leq B$ for some $B \leq \lfloor q/2 \rfloor$ (Kothari et al., 8 Oct 2025, Ducas et al., 29 Mar 2025). The standard setting for post-quantum cryptography uses parameters $m \approx n \log n$, $q = n^{O(1)}$, $\beta = O(\sqrt{n}) q^{1/n}$.

SIS also generalizes to A-Constrained Integer Solution (A-CIS), MultiSIS, and inhomogeneous SIS (target $a \in \mathbb{Z}_q^n$, requiring $A x \equiv a \pmod{q}$).

2. Parameter Regimes and Worst-to-Average-Case Reductions

SIS’s cryptographic relevance derives from its tight worst-to-average-case reductions. Ajtai’s seminal construction and later Micciancio–Regev establish that solving average-case SIS (random $A$) with $\beta = \mathrm{poly}(n)$ and $q = \mathrm{poly}(n)$ is as hard as approximating the Shortest Independent Vector Problem (SIVP) or Shortest Vector Problem (SVP) on arbitrary lattices in $n$ dimensions to within polynomial factors (Blömer et al., 12 Sep 2025).

For SIS$^\infty$, cryptographic parameters select $m = O(n)$, $B = q/4$ or smaller, and polynomial $q$. In this regime, no known polynomial-time algorithm (classical or quantum) exists (Kothari et al., 8 Oct 2025). Quantum algorithmic separations were recently studied in wider parameter spaces (large $m$, looser $B$) for SIS$^\infty$.

SIS Variant	Norm Bound	Typical $m$	Regime of Interest
SIS (Euclidean)	$\|x\| \leq \beta$	$n \cdot \mathrm{polylog}(n)$	Cryptographic hardness
SIS$^\infty$	$\|x\|_\infty \leq B$	$O(n)$ to $\gg n^2$	Parameter separations
MultiSIS	Several solutions	$m$ as above	Signature schemes, SV

3. Classical and Quantum Algorithms for SIS

Early algorithms for SIS, including exhaustive search and lattice basis reduction (e.g. BKZ), have exponential time complexity in $m$ or $n$ (Semaev, 2020). Notably, Semaev introduced a sorting-based combinatorial method for SIS and MultiSIS with sub-exponential complexity for a broad parameter range, specifically $T = \exp(O((\log n)^2))$ for $\beta = \mathrm{poly}(n),\ q = n^{O(1)}$, greatly improving over the $2^{O(m)}$ cost of previous methods (Semaev, 2020). The approach recursively combines “short vector” solutions by pairwise matching and does not rely on basis reduction.

For SIS$^\infty$, Wagner’s generalized birthday algorithm, adapted with discrete Gaussian techniques, achieves sub-exponential time $\exp(O(n / \log\log n))$ for width parameters $B = q / \mathrm{polylog}(n)$, with an explicit, provable algorithmic analysis (Ducas et al., 29 Mar 2025). This methodology underpins the security of NIST PQC schemes such as Dilithium. However, while the asymptotic runtime is subexponential, concrete attacks remain infeasible for recommended parameters due to prohibitive list sizes (e.g., $N \approx 2^{270}$ for level 2 Dilithium) (Ducas et al., 29 Mar 2025).

Recently, a claimed quantum exponential speedup for average-case SIS$^\infty$ by Chen–Liu–Zhandry (CLZ) was refuted: classical deterministic algorithms based on combinatorial halving tricks and interval partitioning now efficiently solve these cases in polytime for $m \gg n^2$, entirely eliminating the previously observed quantum-classical gap (Kothari et al., 8 Oct 2025).

4. Algorithmic Frameworks for SIS$^\infty$: Recent Developments

The main algorithmic advances for SIS$^\infty$ (Kothari et al., 8 Oct 2025) center on two frameworks:

• Halving Trick: Given “large-norm” zero-sums in the kernel, one recursively reduces the problem to smaller bounds by pairing solutions, at the cost of increasing the sample size quadratically per step. After $k$ iterations, one solves SIS$^\infty$ with $B \approx q/(2^k)$ using $m \approx (n+1)^k$ samples and runtime $\tilde{O}(k n^{\omega-1} (n+1)^k)$.
• $k$-Partition Forest: The solution interval $\{ -B, ..., B \}$ is partitioned into $k+1$ intervals, and a recursive multilevel construction combines solutions to directly reach a solution with minimal target bound. This method achieves $B = \lfloor q/(2k) \rfloor$ with $m = O((n+k)^{k+1} k^{k(k-1)/2})$ and similar runtime.

Additionally, reductions handle average-case subset-sum ($B=1$) and general A-CIS subclasses by translation/dilation, supporting arbitrary “almost full” sets $A \subseteq \mathbb{F}_q$.

Summary Table: Recent SIS$^\infty$ Algorithmic Results (Kothari et al., 8 Oct 2025, Ducas et al., 29 Mar 2025)

Method	Regime	Running Time	Main Bound
Halving Trick	$m \geq C n^k$	Poly($m$, $\log q$)	$B \approx q/(2^k)$
$k$-Partition	$m \geq O((n+k)^{k+1})$	Poly($m$, $\log q$)	$B \approx q/(2k)$
Wagner/BKW	$m \geq n + o(n)$	$\exp(O(n / \log\log n))$	$B \approx q / \mathrm{polylog}(n)$

These classical results now fully subsume previously known quantum speedups in SIS$^\infty$ regimes.

5. Cryptographic Implications

SIS and SIS$^\infty$ are pillars of post-quantum cryptography, serving as the security backbone for hash functions, commitment schemes, authentication protocols, and signature schemes, notably including CRYSTALS-Dilithium. The hardness of SIS for suitable parameters is directly reducible to worst-case hard lattice problems such as SIVP and SVP (Blömer et al., 12 Sep 2025), upholding its suitability for cryptographic use.

However, recent algorithmic breakthroughs have sharply delineated the secure parameter envelope. For SIS$^\infty$ and related A-CIS problems with $m \gg n^2$, polynomial-time classical algorithms now exist (Kothari et al., 8 Oct 2025), precluding cryptographic constructions relying on the hardness of SIS$^\infty$ in these parameter ranges. The concrete security of recommended cryptographic parameters (e.g., $m = \Theta(n)$, $B \approx q/4$ for signatures) remains strong, as no polynomial or subexponential algorithms are known in these regimes (Ducas et al., 29 Mar 2025, Kothari et al., 8 Oct 2025). Some schemes must, however, scrutinize their parameter settings to avoid being inadvertently positioned in classically tractable domains.

6. Structured SIS, Lattice Constructions, and Applications in Coding

Beyond foundational cryptographic use, SIS lattices and their ring/module extensions (R-SIS, M-SIS) yield concise, efficient constructions in other areas. Notably, explicit randomized constructions of symplectic lattices from SIS or R-SIS matrices enable the design of Gottesman–Kitaev–Preskill (GKP) quantum codes (Blömer et al., 12 Sep 2025). These codes achieve nearly optimal minimum distance $d \approx \sqrt{n/\pi e}$ with efficient randomized decoding algorithms, running in time $\tilde O(n^2)$ (SIS), $\tilde O(n)$ (R-SIS), or $\tilde O(k n)$ (M-SIS for rank $k$). Unlike earlier approaches that relied on trapdoor constructions, these codes are trapdoor-free and perform comparably to, or even outperform, NTRU-based codes for certain parameters.

7. Perspectives and Open Problems

While worst-case/average-case equivalence, abundant applications, and robust security reductions position SIS as a cryptographic cornerstone, numerous research directions remain. Open problems include rigorous security reductions for newly proposed combinatorial algorithms (Semaev, 2020), precise numerical analyses for moderate-size instances, parameter selection for cryptographic deployment resilient to current and future algorithms, and further study of highly structured variants and their reductions to classic SIS/LWE problems. Recent “dequantizations” of SIS$^\infty$, quantum linear-system solvers, and recommendation-system speedups emphasize the need for dynamic re-examination of quantum-classical separations across computational lattice problems (Kothari et al., 8 Oct 2025).