
SIS Problem in Lattice Cryptography

Updated 27 May 2026
  • The Short Integer Solution (SIS) problem is a computational challenge in lattice-based cryptography defined by norm constraints over modular and non-modular integer matrices.
  • It underpins modern cryptographic schemes by enabling worst-case to average-case hardness reductions and secure designs for hash functions and digital signatures.
  • Recent advances like Semaev’s bucketing and Wagner’s rounding methods offer subexponential solutions under relaxed parameters that lie outside the cryptographic regime, so deployed parameter sets remain secure.

The Short Integer Solution (SIS) problem is a foundational computational problem in lattice-based cryptography, algorithmic number theory, and complexity theory. It is central to the security of several post-quantum cryptographic primitives, provides a concrete basis for worst-case to average-case hardness reductions, and serves as a testbed in the study of lattice algorithms and quantum/classical complexity separation. SIS comes in several variants, notably modular SIS (over $\mathbb{Z}_q$), non-modular integer SIS (over $\mathbb{Z}$), and norm-constrained versions (e.g., $\ell_2$, $\ell_\infty$), each capturing distinct cryptographic and algorithmic phenomena.

1. Problem Definition and Variants

The classical SIS problem is parameterized by integers $n, m$, modulus $q$, and norm bound $v$. Given an integer matrix $A \in \mathbb{Z}_q^{m \times n}$ of rank $n$ modulo $q$, the homogeneous SIS problem asks for a nonzero integer vector Z\mathbb{Z}0 such that: Z\mathbb{Z}1 where Z\mathbb{Z}2 is typically the Euclidean norm, but variants using the Z\mathbb{Z}3 norm (Z\mathbb{Z}4) and other convex norms are prevalent, especially in cryptographic contexts and quantum complexity studies (Semaev, 2020, Ducas et al., 29 Mar 2025, Kothari et al., 8 Oct 2025).

A non-modular version (over $\mathbb{Z}$), denoted Z\mathbb{Z}6, is defined similarly, except that Z\mathbb{Z}7 and solutions satisfy Z\mathbb{Z}8 in Z\mathbb{Z}9 without modular reduction, with the further constraint ℓ2\ell_20 for a small ℓ2\ell_21 (Draziotis et al., 7 Mar 2026).

The MultiSIS problem generalizes classical SIS to require ℓ2\ell_22 linearly independent, distinct solutions satisfying the norm bound (Semaev, 2020).

A common constraint is ℓ2\ell_23, and ℓ2\ell_24 are chosen so nontrivial solutions exist yet are hard to find.

2. Algorithmic Landscape and Parameter Regimes

The SIS problem is challenging because in the cryptographically relevant regime (ℓ2\ell_25, ℓ2\ell_26 mildly super-polynomial in ℓ2\ell_27), it is conjectured to require exponential time to solve. For larger ℓ2\ell_28 or ℓ2\ell_29, trivial solutions abound (by the pigeonhole principle or Siegel's lemma), and for small ℓ∞\ell_\infty0 or ℓ∞\ell_\infty1, solutions may not exist or are uniquely determined.
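As an added example (not code from the page or from the cited papers), the following Python builds a toy modular SIS instance, checks candidate solutions against the norm-bounded definition of Section 1, and runs a one-stage collision (bucketing) search that finds a {-1, 0, 1} solution whenever 2^m > q^n, the pigeonhole regime described above. The random matrix, the parameters and all function names are constructed for illustration.

```python
# Added example (not from the page or the cited papers): a toy modular SIS
# instance, a checker for the l2 / l_inf norm bounds of Section 1, and a
# one-stage collision search showing why 2^m > q^n makes short solutions
# trivial (the pigeonhole regime of Section 2). Toy parameters, not real ones.
import random
from itertools import product

def syndrome(A, z, q):
    """Row-combination form used on this page: z*A mod q, A in Z_q^{m x n}."""
    m, n = len(A), len(A[0])
    return tuple(sum(z[i] * A[i][j] for i in range(m)) % q for j in range(n))

def is_sis_solution(A, z, q, v, norm="l2"):
    """True iff z is nonzero, z*A == 0 (mod q) and ||z|| <= v in the chosen norm."""
    if all(c == 0 for c in z):
        return False                      # the zero vector is excluded by definition
    if any(s != 0 for s in syndrome(A, z, q)):
        return False
    if norm == "l2":
        return sum(c * c for c in z) <= v * v   # compare squares, stay in integers
    if norm == "linf":
        return max(abs(c) for c in z) <= v
    raise ValueError("norm must be 'l2' or 'linf'")

def pigeonhole_guaranteed(m, n, q):
    """A collision among the 2^m vectors in {0,1}^m is forced once 2^m > q^n."""
    return 2 ** m > q ** n

def collision_solution(A, q):
    """One bucketing/merge stage: hash {0,1}-vectors by syndrome; a collision
    x != y yields z = x - y in {-1,0,1}^m with z*A == 0 mod q, ||z||_inf <= 1."""
    seen = {}
    for x in product((0, 1), repeat=len(A)):
        s = syndrome(A, x, q)
        if s in seen:
            return [a - b for a, b in zip(x, seen[s])]
        seen[s] = x
    return None                          # can only happen when 2^m <= q^n

def random_instance(m, n, q, seed=0):
    """Constructed toy instance: uniformly random A in Z_q^{m x n}."""
    rng = random.Random(seed)
    return [[rng.randrange(q) for _ in range(n)] for _ in range(m)]

if __name__ == "__main__":
    m, n, q = 12, 2, 13                  # 2^12 = 4096 > 13^2 = 169: easy regime
    A = random_instance(m, n, q)
    z = collision_solution(A, q)
    print(z, is_sis_solution(A, z, q, v=1, norm="linf"))
```

At cryptographic sizes the same search needs about q^(n/2) list entries, which is exactly the exponential wall that the multistage bucketing of Semaev and Wagner tries to lower.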

Classical lattice enumeration methods, such as sphere enumeration or BKZ-reduction followed by enumeration, incur exponential cost ℓ∞\ell_\infty2 in the lattice dimension (Semaev, 2020). Combinatorial algorithms, including ℓ∞\ell_\infty3-sum reductions and birthday-paradox–style list merging, have not broken this exponential barrier for cryptographic parameters.

Recent advances include:

  • Semaev’s iterative bucketing/subexponential algorithm: Semaev introduced a multi-stage collision-based combinatorial strategy, wherein at each of ℓ∞\ell_\infty4 stages, short linear combinations of rows of ℓ∞\ell_\infty5 are merged via sorting/hashing to find collisions, ultimately yielding a collection of short (ℓ∞\ell_\infty6) vectors solving ℓ∞\ell_\infty7. For regimes where ℓ∞\ell_\infty8 and ℓ∞\ell_\infty9, the total run-time n,mn,m0 satisfies n,mn,m1 for some n,mn,m2—thus, subexponential in n,mn,m3 (Semaev, 2020). This algorithm is heuristic, and its success is predicated on independent collision events and the Gaussian heuristic for ball counts in high-dimensional integer spaces.
  • Wagner’s Algorithm for n,mn,m4: A provable subexponential algorithm for the n,mn,m5 version combines list bucketing and merging with discrete Gaussian randomized rounding (GPV-style). By interpreting bucketing as progressing backwards through a chain of projected n,mn,m6-ary lattices and superlattices, and carefully balancing block sizes and rounding moduli, this method achieves complexity n,mn,m7 for norm bound n,mn,m8 and n,mn,m9 (Ducas et al., 29 Mar 2025). This procedure also serves as an approximate discrete-Gaussian sampler over the SIS lattice.
  • Dequantization of Quantum Algorithms: The previously observed exponential quantum speedup for average-case qq0 (CLZ algorithm) in wide-matrix/high-norm regimes has been removed by the development of classical polynomial-time methods that apply whenever qq1 for fixed qq2 and norm bound qq3 (Kothari et al., 8 Oct 2025). Through recursive combinatorial reductions (e.g., halving and qq4-partition tricks), these classical algorithms subsume quantum advantages in the high-qq5 regime, but require qq6, which is not cryptographically practical.

3. Complexity, Hardness, and Average-Case Reductions

The complexity of SIS is intimately tied to the structure of integer lattices and worst-case lattice problems.

  • The modular SIS problem, for appropriate parameters, admits a worst-case to average-case reduction: an average-case SIS solver implies a worst-case approximating algorithm for the Shortest Independent Vectors Problem (SIVP) to within qq7 factors [Ajtai template, referenced in (Draziotis et al., 7 Mar 2026)]. For non-modular qq8, a similar reduction yields a qq9-approximation to SIVP in polynomial time, highlighting the slightly looser hardness guarantee in the non-modular variant (Draziotis et al., 7 Mar 2026). These reductions are realized by sampling lattice points via smoothed Gaussians, discretization, and rounding, and then invoking the SIS oracle.
  • Key technical parameters include the smoothing parameter vv0 of the target lattice, the ball-count (Gaussian heuristic) for the number of short vectors, and precise norm/rounding error bounds derived from high-dimensional probability and combinatorics.
  • The cryptographic window is governed by vv1, vv2, where no known classical or quantum algorithm is convincingly subexponential (Semaev, 2020, Ducas et al., 29 Mar 2025, Kothari et al., 8 Oct 2025). Increasing vv3 or vv4 beyond cryptographic thresholds transitions SIS to the combinatorially "easy" regime, where efficient (even polynomial time) algorithms are known.

4. Combinatorial and Lattice Algorithms

A range of algorithmic strategies appear in the literature:

  • Bucketing/Merging (Wagner, Semaev): Multistage partitioning (bucketing) of variable blocks, hash collisions, and recursive merges reduce the solution norm at each stage, at the cost of exponential or subexponential list sizes at intermediate steps. Success probability is estimated using heuristic independence and collision models (Semaev, 2020, Ducas et al., 29 Mar 2025).
  • Recursive Coefficient Reduction: The halving trick, vv5-partition combinatorics, and layered construction of zero-sum certificates enable efficient reduction of coefficient norms for dense solution spaces; these methods are essential in dequantizing quantum speedups for high-dimensional, loose-norm instances (Kothari et al., 8 Oct 2025).
  • Sample Precision and Gaussian Rounding: For norm-constrained targets and cryptographic applications demanding discrete Gaussian samplers, algorithmic precision is governed by how well the sampler approximates discrete Gaussian distributions over vv6-ary lattices. Wagner’s algorithm with Gaussian randomized rounding maintains statistical closeness to ideal Gaussian outputs, an essential primitive for trapdoor-based constructions (Ducas et al., 29 Mar 2025).

The table below summarizes complexity in selected regimes:

| Parameter regime | Best-known algorithm | Complexity | Practical relevance |
|---|---|---|---|
| vv7, cryptographic vv8 | Lattice enumeration/BKZ | vv9 | Cryptographically secure |
| A∈Zqm×nA \in \mathbb{Z}_q^{m \times n}0, large A∈Zqm×nA \in \mathbb{Z}_q^{m \times n}1 | Classical A∈Zqm×nA \in \mathbb{Z}_q^{m \times n}2-partition | A∈Zqm×nA \in \mathbb{Z}_q^{m \times n}3 | Not cryptographically secure |
| A∈Zqm×nA \in \mathbb{Z}_q^{m \times n}4, A∈Zqm×nA \in \mathbb{Z}_q^{m \times n}5 | Wagner’s with Gaussian rounding | A∈Zqm×nA \in \mathbb{Z}_q^{m \times n}6 | Above practical parameter sets |
| SISA∈Zqm×nA \in \mathbb{Z}_q^{m \times n}7, A∈Zqm×nA \in \mathbb{Z}_q^{m \times n}8, A∈Zqm×nA \in \mathbb{Z}_q^{m \times n}9, nn0 | Oracle reduction to SIVP | Reduces to SIVP | Theoretical hardness result |

5. Cryptographic Impact and Parameter Selection

SIS underpins designs for hash functions, digital signatures (notably the NIST standard Dilithium), and encryption schemes. Security proofs and implementations rely on the conjectured exponential hardness for parameters bounding nn1 and nn2 near minimal thresholds to avoid trivial solutions and feasible attacks:

  • For modular SIS, the guidelines for parameter selection are nn3 (with small nn4) and nn5 near the Gaussian heuristic (e.g., nn6). If nn7 or nn8 are boosted significantly, Semaev’s subexponential algorithm implies that cryptanalytic feasibility increases rapidly (Semaev, 2020).
  • Wagner’s algorithm for nn9-SIS achieves subexponential complexity at width qq0 only when qq1 exceeds qq2 by qq3, a regime outside all deployed cryptosystems. For concrete parameter sets, such as those in Dilithium (qq4, qq5, qq6–qq7), the list sizes and runtime exceed qq8, keeping these attacks infeasible (Ducas et al., 29 Mar 2025).
  • The dequantization of quantum speedups establishes that exponential quantum advantage for SIS is absent outside the exceedingly wide-matrix regime—thereby shifting focus to classical subexponential attacks as the limiting threat in practice (Kothari et al., 8 Oct 2025).
  • For SIS over qq9, provable average-case/worst-case equivalence lends cryptographic confidence, albeit with a looser Z\mathbb{Z}00 reduction factor compared to modular SIS, due to rounding and discretization constraints intrinsic to the non-modular setting (Draziotis et al., 7 Mar 2026).

6. Open Questions, Limitations, and Future Directions

Several fronts remain active for research:

  • Intermediate Regimes and Fine-grained Complexity: There is ongoing investigation into the complexity transition between the polynomial-time tractable regime (Z\mathbb{Z}01) and the conjecturally exponential regime (Z\mathbb{Z}02). Interpolating subexponential algorithms for Z\mathbb{Z}03, as well as pushing dequantization and combinatorial methods toward practical parameter sizes, are open avenues (Kothari et al., 8 Oct 2025).
  • Norm Variants and Structural Constraints: While the Z\mathbb{Z}04 and Z\mathbb{Z}05 variants of SIS are well studied, the landscape of combinatorial and statistical algorithms under more general norms and constraint sets (e.g., subset sum, boolean) continues to evolve. The extension of combinatorial reducibility to these settings, or the existence of analogous average-case hardness results, is under exploration (Draziotis et al., 7 Mar 2026, Kothari et al., 8 Oct 2025).
  • Quantum Algorithms and Black-box Separations: While polynomial-time quantum/classical separation is eliminated in high-matrix SIS regimes, quantum speedups for other related problems (e.g., certain black-box SIS-related primitives, OPI problems) remain a target for dequantization, adaptation, or formal reduction (Kothari et al., 8 Oct 2025).
  • Heuristic versus Rigorous Algorithmics: The Semaev algorithm and several subexponential combinatorial strategies rely on unproven independence and collision heuristics. Formalizing or replacing these analyses with provable high-dimensional probabilistic and combinatorial bounds, or demonstrating limitations in actual random instance distributions, is an open technical challenge (Semaev, 2020).

A plausible implication is that practical cryptosystems should tightly control Z\mathbb{Z}06 and Z\mathbb{Z}07, maintaining proximity to parameters where SIS is conjectured hard, and continually monitor progress in both combinatorial and lattice algorithms to ensure robust security margins. There is no evidence—classical or quantum—that the SIS problem is tractable at cryptographic parameter sets currently in use.

