Wagner's Algorithm Provably Runs in Subexponential Time for SIS$^\infty$
Léo Ducas, Lynn Engelberts, Johanna Loyer
TL;DR
This work shows that a variant of Wagner's algorithm solves the Short Integer Solution (SIS) problem with an infinity-norm bound in subexponential time, specifically $\mathrm{SIS}^\infty_{n,m,q,\beta}$ with $q=\mathrm{poly}(n)$ and $\beta = q/\mathrm{polylog}(n)$ when $m=n+\omega(n/\log\log n)$. The authors achieve this by reframing Wagner's method as a backward walk through a hierarchy of projected lattices, augmented with discrete Gaussian sampling and randomized rounding to keep probabilistic control over the intermediate vectors, and they provide a rigorous Gaussian sampler (via DGLift and bucket-and-combine) with smoothing-aware parameter choices. They also extend the technique to subexponential-time results for ISIS and SIS$^\times$ under $\ell_2$-norm bounds, and analyze the concrete security implications for Dilithium, concluding that the subexponential attack does not pose an immediate threat to its practical security. The work contributes a new, provable framework for lattice-based attacks that blends a Wagner-style construction with modern Gaussian techniques, clarifying the delicate interplay between parameter regimes, sampling accuracy, and lattice geometry. Overall, the paper advances the understanding of the hardness landscape for SIS/LWE variants and informs parameter selection in post-quantum cryptography.
Abstract
At CRYPTO 2015, Kirchner and Fouque claimed that a carefully tuned variant of the Blum-Kalai-Wasserman (BKW) algorithm (JACM 2003) should solve the Learning with Errors problem (LWE) in slightly subexponential time for modulus $q=\mathrm{poly}(n)$ and narrow error distribution, when given enough LWE samples. Taking a modular view, one may regard BKW as a combination of Wagner's algorithm (CRYPTO 2002), run over the corresponding dual problem, and the Aharonov-Regev distinguisher (JACM 2005). Hence the subexponential Wagner step alone should be of interest for solving this dual problem - namely, the Short Integer Solution problem (SIS) - but this appears to be undocumented so far. We re-interpret this Wagner step as walking backward through a chain of projected lattices, zigzagging through some auxiliary superlattices. We further randomize the bucketing step using Gaussian randomized rounding to exploit the powerful discrete Gaussian machinery. This approach avoids sample amplification and turns Wagner's algorithm into an approximate discrete Gaussian sampler for $q$-ary lattices. For an SIS lattice with $n$ equations modulo $q$, this algorithm runs in subexponential time $\exp(O(n/\log \log n))$ to reach a Gaussian width parameter $s = q/\mathrm{polylog}(n)$ only requiring $m = n + \omega(n/\log \log n)$ many SIS variables. This directly provides a provable algorithm for solving the Short Integer Solution problem in the infinity norm ($\mathrm{SIS}^\infty$) for norm bounds $\beta = q/\mathrm{polylog}(n)$. This variant of SIS underlies the security of the NIST post-quantum cryptography standard Dilithium. Despite its subexponential complexity, Wagner's algorithm does not appear to threaten Dilithium's concrete security.
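As an added illustration, not code from the paper, here is the plain Wagner step the abstract starts from, applied to $\mathrm{SIS}^\infty$: the columns of $A$ are bucketed on one block of $b$ coordinates per round and paired up by subtraction until all $n$ coordinates are cancelled, which yields $x \in \{-1,0,1\}^m$ with $Ax \equiv 0 \pmod q$. It exhibits the sample hunger the paper removes: with exact bucketing on $q^b$ values per round, $m$ must be far larger than $n$ (here $m=400$ for $n=6$), whereas the paper's Gaussian randomized rounding works with $m = n + \omega(n/\log \log n)$ at the cost of a larger bound $\beta$; the instance and the parameters $q$, $n$, $m$, $b$ are constructed for the demo.

```python
import random

def wagner_sis_inf(A, q, b, seed=0):
    """Classical Wagner (k-tree / BKW-style) step over an SIS^inf instance.

    A is an n x m matrix mod q given as n rows; its columns are the samples a_j.
    Round r pairs combinations that agree exactly on the r-th block of b
    coordinates and subtracts them, zeroing that block. Pairs form a matching,
    so supports stay disjoint: coefficients remain in {-1,0,1}, the support
    doubles each round, and the zero vector can never be produced.
    Returns x with A x = 0 (mod q), or None if a list runs dry (too few samples).
    """
    rng = random.Random(seed)
    n, m = len(A), len(A[0])
    assert n % b == 0, "block size must divide n"
    vecs = [[A[i][j] % q for i in range(n)] for j in range(m)]          # column a_j
    coefs = [[1 if k == j else 0 for k in range(m)] for j in range(m)]  # unit vector e_j
    for r in range(n // b):
        lo, hi = r * b, (r + 1) * b
        buckets = {}
        idx = list(range(len(vecs)))
        rng.shuffle(idx)                     # random matching inside each bucket
        for i in idx:
            buckets.setdefault(tuple(vecs[i][lo:hi]), []).append(i)
        new_vecs, new_coefs = [], []
        for members in buckets.values():
            for i, j in zip(members[::2], members[1::2]):
                new_vecs.append([(u - v) % q for u, v in zip(vecs[i], vecs[j])])
                new_coefs.append([u - v for u, v in zip(coefs[i], coefs[j])])
        if not new_vecs:
            return None                      # about q^b/2 vectors are lost per round
        vecs, coefs = new_vecs, new_coefs
    return coefs[0]                          # vecs[0] is now 0 mod q in every coordinate

def is_sis_inf_solution(A, x, q, beta):
    """Check x != 0, A x = 0 (mod q) and ||x||_inf <= beta."""
    exact = all(sum(a * xi for a, xi in zip(row, x)) % q == 0 for row in A)
    return any(x) and exact and max(abs(xi) for xi in x) <= beta

def demo(seed=0):
    """Constructed random instance: q=5, n=6, m=400, b=2 (three rounds)."""
    q, n, m, b = 5, 6, 400, 2
    rng = random.Random(seed)
    A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    x = wagner_sis_inf(A, q, b, seed)
    if x is None:
        return None
    return {"valid": is_sis_inf_solution(A, x, q, 1),
            "support": sum(abs(v) for v in x), "rounds": n // b}

if __name__ == "__main__":
    print(demo())
```

With three rounds the returned solution has exactly $2^3 = 8$ nonzero entries, all $\pm 1$; lowering $m$ toward $n$ makes the lists die out, which is the regime the paper's Gaussian variant is designed for.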
