A. M. Frieze. On the Lagarias-Odlyzko algorithm for the subset sum problem. SIAM J. Comput., 15(2):536--539, May 1986.  Home/Search   Document Not in Database   Summary   Related Articles   Check

.... the knapsack problem to CVP (this reduction appeared in [100] with a slightly different lattice) One can derive from this reduction a provable method to solve the knapsack problem in polynomial time with high probability when the knapsack density defined as d = n= max 1in log 2 a i is low (see [85, 51, 54]) Indeed, if kx Gamma yk = n=4 is strictly less than 2 kLk, then by applying Babai s nearest plane CVP approximation algorithm to L and y, one obtains z 2 L such that kz Gamma yk 2 kx Gamma yk kLk=2, and thus kz Gamma xk kLk where z Gamma x 2 L, which implies that z = x, ....

....d 2=n. This volume argument can be made rigorous because the probability that a fixed non zero vector belongs to L is less than 1=A when the a i s are chosen uniformly at random from [0; A] One deduces that most knapsacks of density roughly less than 2=n are solvable in polynomial time (see [85, 51, 54]) One does not know how to provably solve the knapsack problem in polynomial time when the density lies between 2=n and 1, which is typically the case for cryptographic knapsacks (where the density should be less than 1, otherwise heuristically, there would be several solutions, causing ....

A. M. Frieze. On the Lagarias-Odlyzko algorithm for the subset sum problem. SIAM J. Comput, 15(2):536--539, 1986.

....(e 1 ; e 2 ; e n ; 0) the solution vector to the subset sum problem, since e = e i b i Gamma b n 1 : Let P denote the probability that there exists another vector x 2 L such that kxk kek and x 62 f0; e; Gammaeg. The simplified analysis of the Lagarias Odlyzko attack presented in [14] shows that this probability is bounded: P n ; for c 0 = 1:54724 : 3.3) Thus, if the bound on the size of the weights A = 2 cn with c c 0 , lim n 1 P = 0. If the density of a subset sum problem is less than 0:6463 : then 0:6463 : max a i 2 ....

....1 i n. Then ke n independent of the number of e i s which are equal to 1. Using lattice L we are now interested in the probability P that there exists a vector x such that: kx k ke k n; x 62 f0; e ; Gammae g: 3. 4) Utilizing similar techniques to those in [14, 26, 28], 12] shows that the probability P is bounded above by: n c 0 n for c 0 = 1:0628 : 3.5) This bound is similar to that in Equation 3.3 above. Since 1=c 0 = 0:9408 : any subset sum problem with density d 0:9408 : may be solved in polynomial time, given the ....

A. M. Frieze, On the Lagarias-Odlyzko algorithm for the subset sum problem, SIAM J. Comput. 15(2) (May 1986), 536-539.

....for certain subset sums. Recall that LLL is an SVP oracle when the lattice gap is exponential in the lattice dimension. For lattices used in knapsack reductions, the gap increases as the knapsack density decreases, however the gap can be proved to be large enough only in extremely low density (see [42, 43]) Hence, lattice methods to solve the subset sum problem are very heuristic. And lattice attacks against knapsack cryptosystems are somehow even more heuristic, because the reductions from knapsack to SVP assume some (natural) property on the distribution of the weights a i s, which is in ....

A. M. Frieze. On the lagarias-odlyzko algorithm for the subset sum problem. SIAM J. Comput, 15(2):536--539, 1986.

....is at most an exponential times the length of the shortest non zero vector in that lattice. If one uses that algorithm, the Lagarias Odlyzko method can be shown rigorously to solve almost all subset sum problems of density c=n for large n and for a fixed constant c, as is done in [11] See [7] for a simplified analysis of the algorithm. Using more recent algorithms of Schnorr [19] one can improve the cutoff bound to c 0 =n for arbitrarily small constants c 0 0, but at the cost of increasing the degree of the polynomial that bounds the running time. Finding short vectors in ....

..... Empirical tests show that this modification also leads to dramatic improvement in the performance of practical algorithms. We present some results on this in Section 4. More data and fuller comparisons will be given in [12] In Section 2 we derive the Lagarias Odlyzko bound using the approach in [7]. We show in Section 3 that this bound may be increased to 0:9408 : using a simple modification of the Lagarias Odlyzko attack. Finally, Section 4 discusses possible improvements on the new bound and practical results. 2. Previous results In [11] Lagarias and Odlyzko show that if the density ....

[Article contains additional citation context not shown here]

A. M. Frieze, On the Lagarias-Odlyzko algorithm for the subset sum problem, SIAM J. Comput. 15(2) (May 1986), 536-539.

....solution of a knapsack is not the shortest vector in the lattice generated from that knapsack. Then we show that the probability that Algorithm SV 0 fails is very small. Finally we give an attack example. For the special case b = 1, the performance of the low density attack was proved in [1] [3], and [5] and our proof of Theorem 1 is a generalization of [1] Our assumption that b AE log 2 n 10 in Theorem 1 makes sense, because we use compact knapsacks to reduce n while keeping a system s security [8] Before we prove Theorem 1, we define some notations. The Euclidean norm kvk of a ....

.... P Pr(9x; y satisfying (23) 24) and (25) jfx : kxk kekgj Theta jfy : jyj 2 p ngj Theta Pr(ys = P n i=1 a i x i for fixed x; y satisfying (23) and (24) 26) Our task is now to estimate each factor of the righthand side of (26) First we estimate the third factor of (26) According to [3], we assume that the weights a 1 ; a 2 ; a n are randomly chosen, and we get Pr(ys = P n i=1 a i x i for fixed x; y satisfying (23) and (24) 1=A; 27) where A = maxfa 1 ; a 2 ; a n g. The second factor is jfy : jyj 2 p ngj = 4 p n 1: 28) Since e satisfies kek (2 b ....

A. M. Frieze. On the Lagarias-Odlyzko algorithm for the subset sum problem. SIAM J. Comput., 15(2):536--539, 1986.

....of the two parameters. Nevertheless, Kabanets has proven the following [Rac98] Theorem 49 For n 2 m n, for some c constant, and for all 0 SS(m;m 1 ) av SS(cn log n; cn log n) The proof involves obtaining a lattice with a n d unique shortest vector, using results from [LO85, Fri86] and finding this vector, using results from [Ajt96] 4.2 Decoding of Linear Codes 4.2.1 Conclusion For each of the four theorems for Average case DLC, we have found a reduction with probability of success poly Gamma p m Delta . These theorems imply two hardness theorems. In all ....

A. M. Frieze. On the lagarias-odlyzko algorithm for the subset sum problem. SIAM Journal of Computation, 15(2):536--539, 1986.

....for certain subset sums. Recall that LLL is an SVP oracle when the lattice gap is exponential in the lattice dimension. For lattices used in knapsack reductions, the gap increases as the knapsack density decreases, however the gap can be proved to be large enough only in extremely low density (see [42, 43]) Hence, lattice methods to solve the subset sum problem are very heuristic. And lattice attacks against knapsack cryptosystems are somehow even more 8 heuristic, because the reductions from knapsack to SVP assume some (natural) property on the distribution of the weights a i s, which is in ....

A. M. Frieze. On the lagarias-odlyzko algorithm for the subset sum problem. SIAM J. Comput, 15(2):536--539, 1986.

.... polynomials over the rationals [59, 57, 72] finite fields [56] and algebraic number fields [58] disprove century old conjectures in mathematics [65] break the Merkle Hellman crypto system [74, 2, 11, 50, 51, 63] check the solvability by radicals [55] solve low density subset sum problems [54, 24, 20], heuristically factor integers [70, 18] and solve many other Diophantine and cryptanalysis problems (e.g. 52, 19, 35, 25, 10] The first and preeminent reason to study the computational complexity of lattice problems is therefore the wide applicability of lattice based techniques to solve a ....

A. M. Frieze. On the Lagarias-Odlyzko algorithm for the subset sum problem. SIAM J. Comput., 15(2):536--539, May 1986.

....proof. 1. Introduction The Shortest Vector Problem (SVP) is a famous problem in mathematics that underlies the solution of many other important optimization and combinatorial problems, such as integer programming [19, 18, 14] polynomial factorization [18, 16, 20, 17] low density subset sum [15, 10, 8], cryptanalisys [21, 7, 13, 11, 5] just to say a few. In this paper we show that approximating the shortest vector in a lattice within any constant factor less than p 2 is NP hard for randomized reductions. We also give a deterministic reduction based on a number theoretic conjecture concerning ....

A. M. Frieze. On the Lagarias-Odlyzko algorithm for the subset sum problem. SIAM J. Comput., 15(2):536--539, May 1986.

....results. Afterwards, similar problems turned up in connection with an algorithm for solving low density subset sum problems [9] where a crucial role in evaluating the performance of the algorithm is played by an estimate for N( 0 , 0) n , a) This same estimate is also used in [6], which presents a simplified analysis of the algorithm of [9] 2. Main results and proofs We define f (s , y) k = S e s(k y) 2 , y R , s C , Re (s) 0 . 2.1) Our results will be phrased in terms of f (s , y) In the standard terminology of theta functions [2,14] we have f (s ....

A. M. Frieze, On the Lagarias-Odlyzko algorithm for the subset sum problem, SIAM J. Comp. 15 (1986), 536-539.

....[5] They assumed the w i to be drawn from a uniform distribution over f1; 2 bn 2 g and c equal to the sum of items in a randomly chosen subset. Their algorithm solves almost all such instances for the case b 1. The proof was considerably simplified and extended to b 1=2 by Frieze [3]. A so called bounded version of (SSP ) was investigated from a probabilistic point of view by Tinhofer and Schreck [9] D Atri and Puech [2] introduced the following simple greedy heuristic which will be treated also in this paper. We give a slightly modified presentation. The set of selected ....

A. M. Frieze, "On the Lagarias--Odlyzko Algorithm for the subset sum problem", SIAM Journal on Computing 15, (1986), 536-- 539.

....that is at most an exponential times the length of the shortest non zero vector in that lattice. If one uses that algorithm, the Lagarias Odlyzko method can be shown rigorously to solve almost all subset sum problems of density c=n for large n and for a fixed constant c, as is done in [13] See [8] for a simplified analysis of the algorithm. Using more recent algorithms of Schnorr [21] one can improve the cutoff bound to c 0 =n for arbitrarily small constants c 0 0, but at the cost of increasing the degree of the polynomial that bounds the running time. Finding short vectors in ....

....: Empirical tests show that these modifications also lead to dramatic improvements in the performance of practical algorithms. We present some results on this in Section 5. More data and fuller comparisons are given in [14] In Section 2 we derive the Lagarias Odlyzko bound using the approach in [8]. We show in Section 3 that this bound may be increased to 0:9408 : using a simple modification of the Lagarias Odlyzko attack. Section 4 sketches the other modification, which appears to be quite different, but which yields the same bound, and its analysis reduces to essentially the same ....

[Article contains additional citation context not shown here]

A. M. Frieze, On the Lagarias-Odlyzko algorithm for the subset sum problem, SIAM J. Comput. 15(2) (1986), 536-539.

....that is at most an exponential times the length of the shortest non zero vector in that lattice. If one uses that algorithm, the Lagarias Odlyzko method can be shown rigorously to solve almost all subset sum problems of density c=n for large n and for a fixed constant c, as is done in [13] See [8] for a simplified analysis of the algorithm. Using more recent algorithms of Schnorr [21] one can improve the cutoff bound to c 0 =n for arbitrarily small constants c 0 0, but at the cost of increasing the degree of the polynomial that bounds the running time. Finding short vectors in ....

....: Empirical tests show that these modifications also lead to dramatic improvements in the performance of practical algorithms. We present some results on this in Section 5. More data and fuller comparisons are given in [14] In Section 2 we derive the Lagarias Odlyzko bound using the approach in [8]. We show in Section 3 that this bound may be increased to 0:9408 : using a simple modification of the Lagarias Odlyzko attack. Section 4 sketches the other modification, which appears to be quite different, but which yields the same bound, and its analysis reduces to essentially the same ....

[Article contains additional citation context not shown here]

A. M. Frieze, On the Lagarias-Odlyzko algorithm for the subset sum problem, SIAM J. Comput. 15(2) (1986), 536-539.

....with the use of tools from the area of diophantine approximation. The paper [6] contains a survey of many of the systems that have been broken as well as descriptions of some of the attacks. For full details, the reader is advised to consult [6] and many of the references contained there, such as [3,4,5,8,11,16,17,18,22,26]. The remainder of this paper is devoted to a description of one each of the two kinds of basic attacks that have been used. Section 2 describes the attack on the singly iterated Merkle Hellman cryptosystem. This attack allows the cryptanalyst to read encrypted messages just about as fast as ....

....If the a j are chosen at random with a j 2 bn , 1 j n , where b is any constant 1.54725 (the precise definition of the critical constant is complicated and is given in [18] then the vector (3. 3) is the shortest non zero vector in most of these lattices, as is shown in [18] Frieze [11] has obtained a simplified proof of this result. Also, the claim above is valid only for S x j n 2, but it is easy to reduce the general problem to this case. Thus if we could efficiently find shortest non zero vectors in lattices, we could solve most low density knapsacks. The rigorous ....

[Article contains additional citation context not shown here]

A. M. Frieze, "On the Lagarias-Odlyzko Algorithm for the Subset Sum Problem," SIAM J. Comp., vol. 15, no. 2, May 1986, pp. 536-539.

No context found.

A. M. Frieze. On the Lagarias-Odlyzko algorithm for the subset sum problem. SIAM J. Comput., 15(2):536--539, May 1986.

No context found.

Alan Frieze. On the Lagarias-Odlyzko algorithm for the subset sum problem. SIAM J. Comput., 15(2):536--539, 1986.

No context found.

A. M. Frieze. On the Lagarias-Odlyzko algorithm for the Subset-Sum Problem. SIAM J. Comput. 15(2), 536-539, 1986.

No context found.

A. M. Frieze. On the Lagarias-Odlyzko algorithm for the Subset-Sum Problem. SIAM J. Comput. 15(2), 536539, 1986.

No context found.

A. M. Frieze. On the Lagarias-Odlyzko algorithm for the subset sum problems. SIAM J. Comput., 15(2):536--539, 1986.

No context found.

A. M Frieze, On the Lagarias Odlyzko algorithm for the subset sum problem, SIAM J. Comput., vol 15, 1986, pp. 536--539.

No context found.

A. M Frieze, On the Lagarias Odlyzko algorithm for the subset sum problem, SIAM J. Comput., vol 15, 1986, pp. 536--539. 16

No context found.

A. M. Frieze. On the Lagarias-Odlyzko algorithm for the subset sum problems. SIAM J. Comput., 15(2):536--539, 1986.

No context found.

A. M Frieze, On the Lagarias Odlyzko algorithm for the subset sum problem, SIAM J. Comput., vol 15, 1986, pp. 536--539.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC