
Short Integer Solution (SIS) Overview

Updated 14 January 2026
  • Short Integer Solution (SIS) is a core lattice problem defined by finding a short nonzero vector in the kernel of an integer matrix modulo q, serving as the security basis for many post-quantum schemes.
  • Variants like SIS∞ and MultiSIS adjust norm constraints and problem structure, enabling their use in diverse cryptographic protocols including signature schemes and commitment designs.
  • Recent algorithmic improvements, such as combinatorial halving techniques and k-partition methods, refine hardness assumptions and inform secure parameter selection in cryptographic applications.

The Short Integer Solution (SIS) problem is a foundational lattice problem with direct cryptographic significance and worst-to-average-case equivalence, and it serves as the security basis for diverse post-quantum schemes. Given an integer matrix modulo $q$, SIS asks for a nontrivial short integral vector (with norm bounded by a parameter $\beta$ or $B$) lying in the kernel modulo $q$. Variants include imposing the infinity norm (SIS$^\infty$), demanding multiple solutions (MultiSIS), or requiring the solution vector to lie in a specific structured set.

1. Formal Definitions and Variants

The standard SIS problem, denoted $\mathrm{SIS}_{n,m,q,\beta}$, is defined as follows. For integers $n,\ m,\ q$ and a norm bound $\beta$, given $A \in \mathbb{Z}_q^{m \times n}$ sampled uniformly at random, the goal is to find $x \in \mathbb{Z}^n \backslash \{0\}$ such that β\beta0 and β\beta1, with β\beta2 typically the Euclidean norm (Blömer et al., 12 Sep 2025, Semaev, 2020).

The SISβ\beta3 (β\beta4-SIS) variant, central to recent advances, demands β\beta5 for some β\beta6 (Kothari et al., 8 Oct 2025, Ducas et al., 29 Mar 2025). The standard setting for post-quantum cryptography uses parameters β\beta7, β\beta8, β\beta9.

SIS also generalizes to A-Constrained Integer Solution (A-CIS), MultiSIS, and inhomogeneous SIS (target BB0, requiring BB1).
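The following is an added example, not code from the page or from the cited papers. It checks the standard SIS conditions (nonzero $x$, $Ax \equiv 0 \pmod q$, norm at most $\beta$) on a toy instance and shows why a collision in the hash $z \mapsto Az \bmod q$ on binary inputs yields a SIS solution with infinity norm 1. The function names, the parameters $m=2$, $n=8$, $q=7$ and the seeded matrix are assumptions constructed for illustration.

```python
import itertools
import random

def is_sis_solution(A, x, q, beta, norm="l2"):
    """True iff x is nonzero, A*x = 0 (mod q), and ||x|| <= beta."""
    if not any(x):
        return False                      # the zero vector is excluded
    if any(sum(a * v for a, v in zip(row, x)) % q for row in A):
        return False                      # x is not in the kernel mod q
    if norm == "linf":
        return max(abs(v) for v in x) <= beta
    return sum(v * v for v in x) <= beta * beta

def ajtai_hash(A, z, q):
    """h_A(z) = A*z mod q for a binary input z."""
    return tuple(sum(a * v for a, v in zip(row, z)) % q for row in A)

def collision_to_sis(A, q):
    """Enumerate {0,1}^n until two inputs collide; return their difference."""
    seen = {}
    for z in itertools.product((0, 1), repeat=len(A[0])):
        h = ajtai_hash(A, z, q)
        if h in seen:
            # A*z1 = A*z2 (mod q)  =>  A*(z1 - z2) = 0 (mod q), entries in {-1,0,1}
            return tuple(a - b for a, b in zip(z, seen[h]))
        seen[h] = z
    return None  # only possible when 2^n <= q^m

def demo():
    m, n, q = 2, 8, 7            # toy sizes; 2^8 > 7^2 forces a collision
    rng = random.Random(0)       # constructed sample matrix, not real parameters
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    x = collision_to_sis(A, q)
    trivial = (q,) + (0,) * (n - 1)   # in the kernel mod q, but not short
    return A, x, q, trivial

if __name__ == "__main__":
    A, x, q, trivial = demo()
    print("x =", x, "valid:", is_sis_solution(A, x, q, 1, "linf"))
    print("trivial valid:", is_sis_solution(A, trivial, q, 1, "linf"))
```

The vector $(q, 0, \dots, 0)$ always lies in the kernel modulo $q$, which is why the norm bound, not kernel membership alone, carries the hardness.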

2. Parameter Regimes and Worst-to-Average-Case Reductions

SIS’s cryptographic relevance derives from its tight worst-to-average-case reductions. Ajtai’s seminal construction and later Micciancio–Regev establish that solving average-case SIS (random BB2) with BB3 and BB4 is as hard as approximating the Shortest Independent Vector Problem (SIVP) or Shortest Vector Problem (SVP) on arbitrary lattices in BB5 dimensions to within polynomial factors (Blömer et al., 12 Sep 2025).

For SISBB6, cryptographic parameters select BB7, BB8 or smaller, and polynomial BB9. In this regime, no known polynomial-time algorithm (classical or quantum) exists (Kothari et al., 8 Oct 2025). Quantum algorithmic separations were recently studied in wider parameter spaces (large qq0, looser qq1) for SISqq2.

SIS Variant | Norm Bound | Typical qq3 | Regime of Interest
SIS (Euclidean) | qq4 | qq5 | Cryptographic hardness
SISqq6 | qq7 | qq8 to qq9 | Parameter separations
MultiSIS | Several solutions | ^\infty0 as above | Signature schemes, SV

3. Classical and Quantum Algorithms for SIS

Early algorithms for SIS, including exhaustive search and lattice basis reduction (e.g. BKZ), have exponential time complexity in ^\infty1 or ^\infty2 (Semaev, 2020). Notably, Semaev introduced a sorting-based combinatorial method for SIS and MultiSIS with sub-exponential complexity for a broad parameter range, specifically ^\infty3 for ^\infty4, greatly improving over the ^\infty5 cost of previous methods (Semaev, 2020). The approach recursively combines “short vector” solutions by pairwise matching and does not rely on basis reduction.

For SIS^\infty6, Wagner’s generalized birthday algorithm, adapted with discrete Gaussian techniques, achieves sub-exponential time ^\infty7 for width parameters ^\infty8, with an explicit, provable algorithmic analysis (Ducas et al., 29 Mar 2025). This methodology underpins the security of NIST PQC schemes such as Dilithium. However, while the asymptotic runtime is subexponential, concrete attacks remain infeasible for recommended parameters due to prohibitive list sizes (e.g., ^\infty9 for level 2 Dilithium) (Ducas et al., 29 Mar 2025).

Recently, a claimed quantum exponential speedup for average-case SISSISn,m,q,β\mathrm{SIS}_{n,m,q,\beta}0 by Chen–Liu–Zhandry (CLZ) was refuted: classical deterministic algorithms based on combinatorial halving tricks and interval partitioning now efficiently solve these cases in polytime for SISn,m,q,β\mathrm{SIS}_{n,m,q,\beta}1, entirely eliminating the previously observed quantum-classical gap (Kothari et al., 8 Oct 2025).

4. Algorithmic Frameworks for SISSISn,m,q,β\mathrm{SIS}_{n,m,q,\beta}2: Recent Developments

The main algorithmic advances for SISSISn,m,q,β\mathrm{SIS}_{n,m,q,\beta}3 (Kothari et al., 8 Oct 2025) center on two frameworks:

  • Halving Trick: Given “large-norm” zero-sums in the kernel, one recursively reduces the problem to smaller bounds by pairing solutions, at the cost of increasing the sample size quadratically per step. After SISn,m,q,β\mathrm{SIS}_{n,m,q,\beta}4 iterations, one solves SISSISn,m,q,β\mathrm{SIS}_{n,m,q,\beta}5 with SISn,m,q,β\mathrm{SIS}_{n,m,q,\beta}6 using SISn,m,q,β\mathrm{SIS}_{n,m,q,\beta}7 samples and runtime SISn,m,q,β\mathrm{SIS}_{n,m,q,\beta}8.
  • SISn,m,q,β\mathrm{SIS}_{n,m,q,\beta}9-Partition Forest: The solution interval n, m, qn,\ m,\ q0 is partitioned into n, m, qn,\ m,\ q1 intervals, and a recursive multilevel construction combines solutions to directly reach a solution with minimal target bound. This method achieves n, m, qn,\ m,\ q2 with n, m, qn,\ m,\ q3 and similar runtime.

Additionally, reductions handle average-case subset-sum (n, m, qn,\ m,\ q4) and general A-CIS subclasses by translation/dilation, supporting arbitrary “almost full” sets n, m, qn,\ m,\ q5.

Summary Table: Recent SISn, m, qn,\ m,\ q6 Algorithmic Results (Kothari et al., 8 Oct 2025, Ducas et al., 29 Mar 2025)

Method | Regime | Running Time | Main Bound
Halving Trick | n, m, qn,\ m,\ q7 | Poly(n, m, qn,\ m,\ q8, n, m, qn,\ m,\ q9) | β\beta0
β\beta1-Partition | β\beta2 | Poly(β\beta3, β\beta4) | β\beta5
Wagner/BKW | β\beta6 | β\beta7 | β\beta8

These classical results now fully subsume previously known quantum speedups in SISβ\beta9 regimes.

5. Cryptographic Implications

SIS and SISAZqm×nA \in \mathbb{Z}_q^{m \times n}0 are pillars of post-quantum cryptography, serving as the security backbone for hash functions, commitment schemes, authentication protocols, and signature schemes, notably including CRYSTALS-Dilithium. The hardness of SIS for suitable parameters is directly reducible to worst-case hard lattice problems such as SIVP and SVP (Blömer et al., 12 Sep 2025), upholding its suitability for cryptographic use.

However, recent algorithmic breakthroughs have sharply delineated the secure parameter envelope. For SISAZqm×nA \in \mathbb{Z}_q^{m \times n}1 and related A-CIS problems with AZqm×nA \in \mathbb{Z}_q^{m \times n}2, polynomial-time classical algorithms now exist (Kothari et al., 8 Oct 2025), precluding cryptographic constructions relying on the hardness of SISAZqm×nA \in \mathbb{Z}_q^{m \times n}3 in these parameter ranges. The concrete security of recommended cryptographic parameters (e.g., AZqm×nA \in \mathbb{Z}_q^{m \times n}4, AZqm×nA \in \mathbb{Z}_q^{m \times n}5 for signatures) remains strong, as no polynomial or subexponential algorithms are known in these regimes (Ducas et al., 29 Mar 2025, Kothari et al., 8 Oct 2025). Some schemes must, however, scrutinize their parameter settings to avoid being inadvertently positioned in classically tractable domains.

6. Structured SIS, Lattice Constructions, and Applications in Coding

Beyond foundational cryptographic use, SIS lattices and their ring/module extensions (R-SIS, M-SIS) yield concise, efficient constructions in other areas. Notably, explicit randomized constructions of symplectic lattices from SIS or R-SIS matrices enable the design of Gottesman–Kitaev–Preskill (GKP) quantum codes (Blömer et al., 12 Sep 2025). These codes achieve nearly optimal minimum distance AZqm×nA \in \mathbb{Z}_q^{m \times n}6 with efficient randomized decoding algorithms, running in time AZqm×nA \in \mathbb{Z}_q^{m \times n}7 (SIS), AZqm×nA \in \mathbb{Z}_q^{m \times n}8 (R-SIS), or AZqm×nA \in \mathbb{Z}_q^{m \times n}9 (M-SIS for rank xZn\{0}x \in \mathbb{Z}^n \backslash \{0\}0). Unlike earlier approaches that relied on trapdoor constructions, these codes are trapdoor-free and perform comparably to, or even outperform, NTRU-based codes for certain parameters.

7. Perspectives and Open Problems

While worst-case/average-case equivalence, abundant applications, and robust security reductions position SIS as a cryptographic cornerstone, numerous research directions remain. Open problems include rigorous security reductions for newly proposed combinatorial algorithms (Semaev, 2020), precise numerical analyses for moderate-size instances, parameter selection for cryptographic deployment resilient to current and future algorithms, and further study of highly structured variants and their reductions to classic SIS/LWE problems. Recent “dequantizations” of SISxZn\{0}x \in \mathbb{Z}^n \backslash \{0\}1, quantum linear-system solvers, and recommendation-system speedups emphasize the need for dynamic re-examination of quantum-classical separations across computational lattice problems (Kothari et al., 8 Oct 2025).
