No exponential quantum speedup for $\mathrm{SIS}^\infty$ anymore
Robin Kothari, Ryan O'Donnell, Kewen Wu
TL;DR
This work dequantizes SIS$^{\infty}$ and CIS by constructing efficient deterministic classical algorithms that solve these problems in broad parameter regimes, including worst-case inputs and average-case settings with exponentially large field sizes. The authors develop a suite of reductions anchored by a generalized halving trick, zero-sum theory, and dimension-reduction techniques to produce reducible vectors and recover zero-sums with reduced weight, achieving poly-time runtimes in $m$ and $\log q$ and favorable dependence on $n$, $q$, and $k$. They extend these methods to $\,\mathbb{F}_q^n$-Subset-Sum and CIS, improving prior quantum bounds across many regimes and even handling cases where $q$ is exponentially large in $n$. The results imply there is no exponential quantum speedup for SIS$^{\infty}$ in a wide range of practical settings and have implications for post-quantum cryptography by enhancing classical attack capabilities. Overall, the paper provides a comprehensive framework that unifies SIS$^{\infty}$, CIS, and related problems under classical algorithms with strengthened performance guarantees, challenging prior expectations of quantum advantage.
Abstract
In 2021, Chen, Liu, and Zhandry presented an efficient quantum algorithm for the average-case $\ell_\infty$-Short Integer Solution ($\mathrm{SIS}^\infty$) problem, in a parameter range outside the normal range of cryptographic interest, but still with no known efficient classical algorithm. This was particularly exciting since $\mathrm{SIS}^\infty$ is a simple problem without structure, and their algorithmic techniques were different from those used in prior exponential quantum speedups. We present efficient classical algorithms for all of the $\mathrm{SIS}^\infty$ and (more general) Constrained Integer Solution problems studied in their paper, showing there is no exponential quantum speedup anymore.