Solving Low-Density Subset Sum Problems

The subset sum problem is to decide whether or not the 0-1 integer programming problem Σi=1n aixi = M; all xi = 0 or 1; has a solution, where the ai and M are given positive integers. This problem is NP-complete, and the difficulty of solving it is the basis of public key cryptosystems of knapsack type. We propose an algorithm which when given an instance of the subset sum problem searches for a solution. This algorithm always halts in polynomial time, but does not always find a solution when one exists. It converts the problem to one of finding a particular short vector v in a lattice, and then uses a lattice basis reduction algorithm due to A. K. Lenstra, H. W. Lenstra, Jr., and L. Lovasz to attempt to find v. We analyze the performance of the proposed algorithm. Let the density d of a subset sum problem be defined by d=n/log2(maxi ai). Then for "almost all" problems of density d ≪ .645 the vector v we are searching for is the shortest nonzero vector in the lattice. We prove that for "almost all" problems of density d ≪ 1/n the lattice basis reduction algorithm locates v. Extensive computational tests of the algorithm suggest that it works for densities d ≪ dc (n), where dc (n) is a cutoff value that is substantially larger than 1/n. This method gives a polynomial time attack on knapsack public key cryptosystems that can be expected to break them if they transmit information at rates below dc (n), as n → ∞.

[1]  Erich Kaltofen,et al.  On the complexity of finding short vectors in integer lattices , 1983, EUROCAL.

[2]  Leonard M. Adleman,et al.  On breaking generalized knapsack public key cryptosystems , 1983, STOC.

[3]  Wen-Ch'ing Winnie Li,et al.  Barnes' identities and representations of GL (2). I. Finite field case. , 1983 .

[4]  László Lovász,et al.  Factoring polynomials with rational coefficients , 1982 .

[5]  Andrew M. Odlyzko,et al.  Cryptanalytic attacks on the multiplicative knapsack cryptosystem and on Shamir's fast signature scheme , 1984, IEEE Trans. Inf. Theory.

[6]  David S. Johnson,et al.  Computers and Intractability: A Guide to the Theory of NP-Completeness , 1978 .

[7]  Adi Shamir Embedding Cryptographic Trapdoors in Arbitrary Knapsack Systems , 1983, Inf. Process. Lett..

[8]  A. Brentjes,et al.  Multi-dimensional continued fraction algorithms , 1981 .

[9]  U. Dieter,et al.  How to calculate shortest vectors in a lattice , 1975 .

[10]  Richard P. Brent,et al.  Recent technical reports , 1977, SIGA.

[11]  Herbert S. Wilf,et al.  Backtrack: An O(1) Expected Time Algorithm for the Graph Coloring Problem , 1984, Inf. Process. Lett..

[12]  Abraham Lempel,et al.  Cryptology in Transition , 1979, CSUR.

[13]  Lothar Afflerbach Minkowskische Reduktionsbedingungen für positiv definite quadratische Formen in 5 Variablen , 1982 .

[14]  Martin E. Hellman,et al.  Hiding information and signatures in trapdoor knapsacks , 1978, IEEE Trans. Inf. Theory.