Solving Random Subset Sum Problem by lp-norm SVP Oracle

It is well known, by a result of Lagarias and Odlyzko, that almost all random subset sum instances with density less than 0.6463... can be solved with an $l_2$-norm SVP oracle. Later, Coster et al. improved the bound to 0.9408... by using a different lattice. In this paper, we generalize this classical result to the $l_p$-norm. More precisely, we show that for $p \in \mathbb{Z}^+$, an $l_p$-norm SVP oracle can be used to solve almost all random subset sum instances with density bounded by $\delta_p$, where $\delta_1 = 0.5761$ and $\delta_p = 1 / \left( \frac{1}{2^p}\log_2(2^{p+1}-2) + \log_2\left(1+\frac{1}{(2^p-1)\left(1-\left(\frac{1}{2^{p+1}-2}\right)^{2^p-1}\right)}\right) \right)$ for $p \geq 3$ (asymptotically, $\delta_p \approx 2^p/(p+2)$). Since $\delta_p$ increases to infinity as $p$ tends to infinity, it can be concluded that an $l_p$-norm SVP oracle with bigger $p$ can solve more subset sum instances. An interesting phenomenon is that an $l_p$-norm SVP oracle with $p \geq 3$ can help solve almost all random subset sum instances with density one, which are thought to be the most difficult instances.
