computational complexity, Volume 2, Issue 2, pp 111–128

Improved low-density subset sum algorithms

  • Matthijs J. Coster
  • Antoine Joux
  • Brian A. LaMacchia
  • Andrew M. Odlyzko
  • Claus-Peter Schnorr
  • Jacques Stern


The general subset sum problem is NP-complete. However, there are two algorithms, one due to Brickell and the other to Lagarias and Odlyzko, which in polynomial time solve almost all subset sum problems of sufficiently low density. Both methods rely on basis reduction algorithms to find short non-zero vectors in special lattices. The Lagarias-Odlyzko algorithm would solve almost all subset sum problems of density < 0.6463... in polynomial time if it could invoke a polynomial-time algorithm for finding the shortest non-zero vector in a lattice. This paper presents two modifications of that algorithm, either one of which would solve almost all problems of density < 0.9408... if it could find shortest non-zero vectors in lattices. These modifications also yield dramatic improvements in practice when they are combined with known lattice basis reduction algorithms.
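As an added example (not code from the paper), the following computes an instance's density against the two thresholds quoted in the abstract and builds the lattice whose short vector encodes the solution. The density formula d = n / log2(max a_i), the basis rows and the half-integer last row are the usual statements of these constructions and are assumptions here, since the abstract does not spell them out; the weights are constructed sample data.

```python
import math
from fractions import Fraction

LO_BOUND, IMPROVED_BOUND = 0.6463, 0.9408   # thresholds quoted in the abstract

def density(weights):
    # Usual definition (assumed, not given on this page): d = n / log2(max a_i).
    return len(weights) / math.log2(max(weights))

def classify(weights):
    d = density(weights)
    if d < LO_BOUND:
        return "below Lagarias-Odlyzko bound"
    if d < IMPROVED_BOUND:
        return "below improved bound only"
    return "above both bounds"

def basis(weights, target, modified):
    # Rows b_i = (e_i, N*a_i); the last row is (0,...,0, N*s) in the original
    # lattice and (1/2,...,1/2, N*s) in the modified one (assumed construction).
    n = len(weights)
    N = math.isqrt(n) + 1                   # multiplier N > sqrt(n)
    fill = Fraction(1, 2) if modified else Fraction(0)
    rows = [[Fraction(int(i == j)) for j in range(n)] + [Fraction(N * a)]
            for i, a in enumerate(weights)]
    rows.append([fill] * n + [Fraction(N * target)])
    return rows

def solution_vector(rows, bits):
    # Lattice vector sum(e_i * b_i) - b_{n+1}; its last coordinate is 0
    # exactly when the bits select a subset summing to the target.
    coeffs = list(bits) + [-1]
    return [sum(c * r[k] for c, r in zip(coeffs, rows)) for k in range(len(rows[0]))]

def norm_sq(v):
    return sum(x * x for x in v)

# Constructed sample instance: 8 weights of about 16 bits, density ~0.50.
WEIGHTS = [41993, 28557, 60311, 12987, 50649, 33021, 64007, 19853]
BITS = [1, 0, 1, 1, 0, 1, 1, 0]
TARGET = sum(a for a, e in zip(WEIGHTS, BITS) if e)

if __name__ == "__main__":
    print(f"density = {density(WEIGHTS):.4f} ({classify(WEIGHTS)})")
    for modified in (False, True):
        v = solution_vector(basis(WEIGHTS, TARGET, modified), BITS)
        print("modified" if modified else "original", [str(x) for x in v], norm_sq(v))
```

In the modified lattice the solution vector has squared length n/4 however many weights are selected, while in the original lattice its squared length equals the number of selected weights.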

Key words

subset sum problems; knapsack cryptosystems; lattices; lattice basis reduction

Subject classifications






Copyright information

© Birkhäuser Verlag 1992

Authors and Affiliations

  • Matthijs J. Coster (1)
  • Antoine Joux (3)
  • Brian A. LaMacchia (1)
  • Andrew M. Odlyzko (1)
  • Claus-Peter Schnorr (2)
  • Jacques Stern (3)

  1. AT&T Bell Laboratories, Murray Hill, USA
  2. Fachbereich Mathematik/Informatik, Universität Frankfurt, Frankfurt am Main, Germany
  3. Ecole Normale Supérieure, Paris Cedex 05, France
