Coster M. et al, "Improved Low-Density Subset Sum Algorithms". Computational Complexity 2 (1992), pp. 111-128.  Home/Search   Document Details and Download   Summary   Related Articles   Check

....precondition of gaining generalizable knowledge is a well defined problem class on which algorithms can be compared [4] For the purpose of this paper we use the subset sum problem as an example. It is an NP hard combinatorial optimization problem. Besides, it is known where the hard instances lie [1]. In the subset sum problem we are given a set of positive integers and a positive integer . The task is to find a # such that the sum of the elements in is closest to, without exceeding, For this problem it is possible to define a problem ....

M. J. Coster, A. Joux, B. A. LaMacchia, A. M. Odlyzko, C.-P. Schnorr, and J. Stern. An improved low-density subset sum algorithm. Computational Complexity, 2:111--128, 1992.

.... 00 that the resulting scheme was still insecure. Indeed, he presented an e#cient lattice based multiround passive attack, which was successful (in practice) against many choices of the parameters. Merkle s paper [10] included an analysis of the attack, inspired by well known lattice based methods [5] to solve the subset sum problem. However, the analysis was rather technical and not exactly correct (it assumed a distribution of the parameters which was not the one induced by the protocol) We present a simple analysis of a slight variant of Merkle s attack, which enables to explain ....

....expected: they often return a shortest lattice vector, provided that the lattice dimension is not too large. Hence, it is useful to predict what can be achieved e#ciently if an SVP oracle (that is, an algorithm which solves SVP) is available. For instance, this was done for the subset sum problem [5]. However, unless the lattice dimension is extremely small, it is hard to predict beforehand whether an SVP instance is solvable in practice, which means that experiments are always necessary in this case. 3 An Analysis of Merkle s Multi round Attack 3.1 Merkle s Attack The attack of Merkle ....

[Article contains additional citation context not shown here]

M.J. Coster, A. Joux, B.A. LaMacchia, A.M. Odlyzko, C.-P. Schnorr, and J. Stern, `Improved low-density subset sum algorithms', Comput. Complexity , 2 (1992), 111--128.

.... almost all subset sum problem instances with n= log 2 (max j a j ) 0:9408 finds a feasible vector. The algorithm uses the above basis as input. For further details on finding feasible solutions to subset sum problems arising in cryptography we refer to the above references and to the papers [6], 16] and [9] A recent application in cryptography is due to Coppersmith [3] who uses basis reduction to find small integer solutions to a polynomial in a single variable modulo N , and to a polynomial in two variables over the integers. This has applications to some RSA based cryptographic ....

M.J. Coster, A. Joux, B.A. LaMacchia, A.M. Odlyzko, C.P. Schnorr (1992). Improved low-density subset sum algorithms. Computational Complexity 2, 111--128.

....based on basis reduction for finding a decomposition into irreducible factors of a non zero polynomial in one variable with rational coefficients. In cryptography, basis reduction has been used to solve subset sum problems arising in connection with certain cryptosystems, see for instance [4], 8] 14] 15] A recent application in cryptography is due to Coppersmith [2] who uses basis reduction to find small integer solutions to a polynomial in a single variable modulo N , and to a polynomial in two variables over the integers. This has applications to some RSA based cryptographic ....

M.J. Coster, A. Joux, B.A. LaMacchia, A.M. Odlyzko, C.P. Schnorr (1992). Improved low-density subset sum algorithms. Computational Complexity 2, 111--128.

....compute the shortest vector in the lattice L a;a 0 . Lagarias and Odlyzko also prove that the algorithm SV actually nds a solution to almost all feasible subset sum problems (49) having density d(a) 2 ) log( for any xed 0. Coster, Joux, LaMacchia, Odlyzko, Schnorr, Stern [24] proposed two ways of improving Theorem 2.5. They showed that almost all subset sum problems (49) having density d(a) 0:9408 can be solved in polynomial time in presence of an oracle that nds the shortest vector in certain lattices. Both ways of improving the bound on the density involve some ....

....1 j n, then the vector (w j ) 1 j n solves the subset sum problem (49) By shifting the feasible region to be symmetric about the origin we now look for vectors of shorter Euclidean length. Coster et al. prove the following theorem that is analogous to Theorem 2.5. 26 Theorem 2.6. [24]. Let A be a natural number, and let a 1 ; a n be random integers such that 1 a j A, for 1 j n. Let x = x 1 ; x n ) x j 2 f0; 1g, be xed, and let j=1 a j x j . If the density d(a) 0:9408, then the subset sum problem (49) de ned by a 1 ; a n can almost ....

M. J. Coster, A. Joux, B. A. LaMacchia, A. M. Odlyzko, C. P. Schnorr and J. Stern (1992), Improved low-density subset sum algorithms, Computational Complexity 2, 111-128.

....exists for this problem, it says little about the hardness of a random instance. Many NP Complete problems are known to have polynomial average case algorithms. The subset problem under the assumption that the inputs are chosen uniformly at random has been investigated in a number of papers [8, 12, 15, 27, 32]. For the case l(n) n Lagarias and Odlyzko [32] and Brickell [8] have shown a feasible algorithm which solves this problem for almost all instances of these dimensions. The Lagarias Odlyzko [32] and Brickell [8] algorithms mentioned above transform the subset sum problem into a shortest ....

....is that if (n) 1:5472 Delta n then with high probability (over the choices of the subset problem of these dimensions) the vector corresponding to the solution to the subset sum problem is the shortest in the lattice. This was improved very recently by Coster, LaMacchia, Odlyzko and Schnorr [12] and Joux and Stern [27] who showed a different transformation that has the property that the vector corresponding to the solution is the shortest whenever (n) 1:0629 Delta n. 12] also contains some evidence showing the limitation of this method. The above mentioned papers suggest as a ....

[Article contains additional citation context not shown here]

M. J. Coster, B. A. LaMacchia, A. M. Odlyzko and C. P. Schnorr, An improved low-density subset sum algorithm, Proc. Advances in Cryptology - Eurocrypt'91, Springer Verlag, 1991, pp. 54--67.

....a new, even simpler, proof of the same NPhardness result. The new proof will be used to derive a new hardness result for the closest vector problem with preprocessing. Our proof is by reduction from the subset sum problem, and it is related to (a variant of) the Lagiarias Odlyzko algorithm [23] [24] (see section V for further discussion) Given a subset sum instance (a1 ; an ; s) we de ne a lattice basis B with one row b i for each subset sum coecient a i . Then we associate a target vector y to the sum s. Vectors b i and y are de ned as follows: b i = a i ; i 1 z 0; ....

....solution if and only if CVP instance (B; y; t) has a solution. Moreover, the lattice B depends only on the dimension k of m. V. Discussion The reduction we gave from SS to CVP has obvious connections to the Lagarias Odlyzko algorithm to solve subset sum (or more precisely the improved version in [24]) The (improved) Lagarias Odlyzko algorithm works as follows: given a subset sum instance (a; s) build a lattice 2 6 6 6 4 c a1 2 0 0 . 0 . 0 c an 0 0 2 c s 1 1 3 7 7 7 5 where c is a suciently large constant, and look for a short non zero vector in the ....

Matthijs J. Coster, Antoine Joux, Brian A. LaMacchia, Andrew M. Odlyzko, Claus-Peter Schnorr, and Jacques Stern, \Improved low-density subset sum algorithms," Computational Complexity, vol. 2, no. 2, pp. 111{ 128, 1992.

....low exponents, and some future applications appear to require large exponents [3, 7] We analyze the generation schemes using standard assumptions. 9 1. 3 Lattice attacks on subset sum problems Subset sum constructions have been so successfully attacked by lattice reduction [16] based methods [5, 15, 8] that it is often considered risky to base cryptographic constructions on them. Our experiments show that the L 3 algorithm can be expected to solve subset sum problems up to about n = 40, where n is the size of the set from which subset sums are formed. Let be the length of the integers in ....

M. J. Coster, A. Joux, B. A. LaMacchia, A. M. Odlyzko, C. P. Schnorr, and J. Stern. Improved low-density subset sum algorithms. In Computational Complexity 2, pages 111--128. Birkhauser-Verlag, Basel, 1992. 37

....shortest vector in the lattice L a,a0 . Lagarias and Odlyzko also prove that the algorithm SV actually finds a solution to almost all feasible subset sum problems (49) having density d(a) 2 #) log( 4 3 ) 1 n 1 for any fixed # 0. Coster, Joux, LaMacchia, Odlyzko, Schnorr, Stern [24] proposed two ways of improving Theorem 2.5. They showed that almost all subset sum problems (49) having density d(a) 0.9408 can be solved in polynomial time in presence of an oracle that finds the shortest vector in certain lattices. Both ways of improving the bound on the density involve ....

....j # n, then the vector (w j 1 2 ) 1 # j # n solves the subset sum problem (49) By shifting the feasible region to be symmetric about the origin we now look for vectors of shorter Euclidean length. Coster et al. prove the following theorem that is analogous to Theorem 2.5. Theorem 2.6. [24]. Let A be a natural number, and let a 1 , a n be random integers such that 1 # a j # A, for 1 # j # n. Let x = x 1 , x n ) x j # 0, 1 , be fixed, and let a 0 = # n j=1 a j x j . If the density d(a) 0.9408, then the subset sum problem (49) defined by a 1 , ....

M. J. Coster, A. Joux, B. A. LaMacchia, A. M. Odlyzko, C. P. Schnorr and J. Stern (1992), Improved low-density subset sum algorithms, Computational Complexity 2, 111--128.

....system is the same as that of compact knapsack cryptosystems. Lagarias and Odlyzko [5] proposed a polynomial time algorithm to attack original knapsack cryptosystems and showed that original knapsack problems with d 0:645 can be solved using this algorithm with high probability. Coster et al. [1] showed that a simple modification of this algorithm solves original knapsack problems with d 0:940 with high probability. Cusick s attack [2] breaks the LCL system completely, but it does not seem to work even for simple modifications of the LCL system. We extend the algorithm in [5] to compact ....

....the solution of a knapsack is not the shortest vector in the lattice generated from that knapsack. Then we show that the probability that Algorithm SV 0 fails is very small. Finally we give an attack example. For the special case b = 1, the performance of the low density attack was proved in [1], 3] and [5] and our proof of Theorem 1 is a generalization of [1] Our assumption that b AE log 2 n 10 in Theorem 1 makes sense, because we use compact knapsacks to reduce n while keeping a system s security [8] Before we prove Theorem 1, we define some notations. The Euclidean norm kvk of ....

[Article contains additional citation context not shown here]

M. J. Coster, B. A. LaMacchia, A. M. Odlyzko, and C. P. Schnorr. An Improved Low-Density Subset Sum Algorithm. In D. W. Davies, editor, Advances in Cryptology EUROCRYPT '91, volume 547 of Lecture Notes in Computer Science, pages 54--67. Springer--Verlag, 1991.

....exists for this problem, it says little about the hardness of a random instance. Many NP Complete problems are known to have polynomial average case algorithms. The subset problem under the assumption that the inputs are chosen uniformly at random has been investigated in a number of papers [8, 11, 14, 25, 28]. For the case l(n) n 2 , Lagarias and Odlyzko [28] and Brickell [8] have shown a feasible algorithm which solves this problem for almost all instances of these dimensions. The Lagarias Odlyzko [28] and Brickell [8] algorithms mentioned above transform the subset sum problem into a shortest ....

....is that if (n) 1:5472 Delta n then with high probability (over the choices of the subset problem of these dimensions) the vector corresponding to the solution to the subset 4 sum problem is the shortest in the lattice. This was improved very recently by Coster, LaMacchia, Odlyzko and Schnorr [11] and Joux and Stern [25] who showed a different transformation that has the property that the vector corresponding to the solution is the shortest whenever (n) 1:0629 Delta n. 11] also contains some evidence showing the limitation of this method. The above mentioned papers suggest as a ....

[Article contains additional citation context not shown here]

M. J. Coster, B. A. LaMacchia, A. M. Odlyzko and C. P. Schnorr, An improved low-density subset sum algorithm, Proc. Advances in Cryptology - Eurocrypt'91, Springer Verlag, 1991, pp. 54--67.

....This heuristic bound turns out to be not too far away from the truth. Indeed, one can show that the target vector (x 1 Gamma 1=2; xn Gamma 1=2; 1) is with high probability (over the choice of the a i s) the shortest vector in the embedding lattice, when the density d 0:9408 : see [41] who used a slightly different lattice, but the proof carries through) This is done by enumerating all possible short vectors, and using bounds on the number of integral points in high dimensional spheres [93] The result improved the earlier bound of 0:6463 : from Lagarias and Odlyzko [85] ....

M.J. Coster, A. Joux, B.A. LaMacchia, A.M. Odlyzko, C.-P. Schnorr, and J. Stern. Improved low-density subset sum algorithms. Comput. Complexity, 2:111--128, 1992.

No context found.

M. J. Coster, A. Joux, B. A. LaMacchia, A. Odlyzko, C.-P. Schnorr, and J. Stern. Improved low-density subset sum algorithms. Computational Complexity, 2:11--28, 1992.

....the weight constraint is replaced by the constraint that the secret solution s to the equation H(s) i consists entirely of zeros and ones. Thus the underlying difficult problem is a modular knapsack. Although it is known that knapsacks can be attacked by methods based on lattice reduction (see [8, 3]) it is clear also that these methods do not apply to the modular case, at least when the modulus m is very small. Possible values for the scheme are (with the same notations as above) One round of the protocol is performed as follows: 1. The prover picks a random vector y with coefficients ....

M. J. Coster, A. Joux, B. A. LaMacchia, A. M. Odlyzko, C. P. Schnorr and J. Stern, Improved low-density subset sum algorithms, Computational Complexity, to appear.

No context found.

M. J. Coster, A. Joux, B. A. LaMacchia, A. Odlyzko, C.-P. Schnorr, and J. Stern. Improved low-density subset sum algorithms. Computational Complexity, 2:11--28, 1992. 20

....: 85 vii viii LIST OF FIGURES Introduction In 1985 Lagarias and Odlyzko [26] developed a general attack on knapsack cryptosystems which reduces solving subset sum problems to the problem of finding the Euclidean norm shortest nonzero vector in a point lattice. Recent improvements to this attack [12, 19] have stimulated interest in finding lattice basis reduction algorithms well suited to the lattices associated with subset sum problems. This thesis studies a new approach to lattice basis reduction originally developed by M. Seysen [38] Seysen s reduction algorithm was initially developed to ....

....message quickly. However, there have been two independent attacks, one due to Brickell [6] and one due to Lagarias and Odlyzko [26] which attempt to solve all subset sum problems of a certain type, independent of the method in which the weights were chosen. These methods (and the newer result in [12]) depend in theory only on the density of the subset sum problem to be solved. In practice, however, the success rate of these methods is bounded by the performance of the basis reduction technique used in the attack. Section 3.2 below outlines currently known methods for solving subset sum ....

[Article contains additional citation context not shown here]

M. J. Coster, B. A. LaMacchia, A. M. Odlyzko and C. P. Schnorr, An improved low-density subset sum algorithm, Advances in Cryptology: Proceedings of Eurocrypt '91, D. Davies, ed., to appear.

....of L(a 1 ; an ; s) with high probability over the choice of the a i s. The proof relies on bounds [77] on the number of integer points in n dimensional balls. Thus, if one has access to an SVP oracle, one can solve most subset sum problems of density d 0:6463: Coster et al. [34] later improved the connection between SVP and the knapsack problem. By using a simple variant of L(a 1 ; an ; s) they showed that if d 0:9408 : the knapsack problem can be reduced to a lattice shortest vector problem (in dimension n) with high probability. In a different context ....

M.J. Coster, A. Joux, B.A. LaMacchia, A.M. Odlyzko, C.-P. Schnorr, and J. Stern. Improved low-density subset sum algorithms. Comput. Complexity, 2:111--128, 1992.

No context found.

Coster M. et al, "Improved Low-Density Subset Sum Algorithms". Computational Complexity 2 (1992), pp. 111-128.

No context found.

M. J. Coster, A. Joux, B. A. LaMacchia, A. M. Odlyzko, C.-P. Schnorr, and J. Stern. Improved low-density subset sum algorithms. Computational Complexity, 2(2):111-128, 1992.

No context found.

M. J. Coster, A. Joux, B. A. LaMacchia, A. M. Odlyzko, C.-P. Schnorr, and J. Stern. Improved low-density subset sum algorithms. Computational Complexity, 2(2):111--128, 1992.

No context found.

Matthijs J. Coster, Antoine Joux, Brian A. LaMacchia, Andrew M. Odlyzko, Claus-Peter Schnorr, and Jacques Stern. Improved lowdensity subset sum algorithms. Comput. Complex., 2(2):111--128, 1992.

No context found.

M. Coster, A. Joux, B. LaMacchia, A. Odlyzko, C. P. Schnorr, J. Stern. Improved Low-Density Subset Sum Algorithms. Journal of Computational Complexity, 111--128, 1992.

No context found.

Matthijs J. Coster, Antoine Joux, Brian A. LaMacchia, Andrew M. Odlyzko, Claus-Peter Schnorr, and Jacques Stern. Improved low-density subset sum algorithms. Computational Complexity, 2:111-128, 1992.

No context found.

Coster, M. J., Joux, A., LaMacchia, B A.and Odlyzko, A. M., Schnorr, C. P., and Stern, J. Improved low-density subset sum algorithms. Computational Complexity 2 (1992), 111--128.

No context found.

Matthijs J. Coster, Antoine Joux, Brian A. LaMacchia, Andrew M. Odlyzko, Claus-Peter Schnorr, and Jacques Stern. Improved low-density subset sum algorithms. Computational Complexity, 2:111--128, 1992.

First 50 documents

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC