"Subexponential algorithm for the subset-sum problem"
Monday, April 27th, 2015, 2:00 pm
EBU3B, Room 4258
We study the low-density randomized subset-sum problem, where given n uniform integers between 0 and 2^(nd), and the sum of any subset, the goal is to recover the subset. d=o(1) is called the density and we will show how to solve the problem in subexponential time 2^(n/(2-o(1))/ln(1/d)), while lattice reduction based achieve a complexity of 2^O(nd log(nd)).
The first step is to remark that we can embed the problem in a bounded distance decoding problem over a lattice, where the decoded point is in the fundamental parallelepiped of a known matrix.
The second step is a reduction of this problem into a learning with errors problem with binary secret (Binary-LWE).
The final step, our contribution, is to show a subexponential algorithm for this problem. The algorithm is a modification of the algorithm of Blum, Kalai, Wasserman, where we partially reduce each chunk (of variable size) of the vectors.
This result has a lot of cryptographic applications (e.g. NTRU, BLISS, public-key cryptosystems based on LWE) and also gives the first subexponential algorithm for restricted classical problems with polynomial approximation factors (GapSVP, UniqueSVP, BDD).