The Hardness of the Hidden Subset Sum Problem and Its Cryptographic Implications

  • Phong Nguyen
  • Jacques Stern
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1666)


At Eurocrypt'98, Boyko, Peinado and Venkatesan presented simple and very fast methods for generating randomly distributed pairs of the form (x, g^x mod p) using precomputation. The security of these methods relied on the potential hardness of a new problem, the so-called hidden subset sum problem. Surprisingly, apart from exhaustive search, no algorithm to solve this problem was known. In this paper, we exhibit a security criterion for the hidden subset sum problem, and discuss its implications on the practicability of the precomputation schemes. Our results are twofold. On the one hand, we present an efficient lattice-based attack which is expected to succeed if and only if the parameters satisfy a particular condition that we make explicit. Experiments have validated the theoretical analysis, and show the limitations of the precomputation methods. For instance, any realistic smart-card implementation of Schnorr's identification scheme using these precomputation methods is either vulnerable to the attack, or less efficient than with traditional precomputation methods. On the other hand, we show that, when another condition is satisfied, the pseudo-random generator based on the hidden subset sum problem is strong in some precise sense which includes attacks via lattice reduction. Namely, using the discrete Fourier transform, we prove that the distribution of the generator's output is indistinguishable from the uniform distribution. The two conditions complement each other quite well, and therefore form a convincing picture of the security level.
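The precomputation generator and the problem named in the abstract, as an added illustration (this is not code from the paper, nor from Boyko, Peinado and Venkatesan). A table of n random exponents alpha_j with beta_j = g^alpha_j is computed offline; each output pair takes k table entries and combines them by addition modulo q and multiplication modulo p, so no online exponentiation is needed. The hidden subset sum problem, in the formulation this paper studies, is: given b_1, ..., b_m in Z_q, find alpha_1, ..., alpha_n such that every b_i is a subset sum of the alpha_j modulo q. The instance below is built from the generator's exponents under the assumption that an attacker obtains them; the toy group parameters P, Q, G and all function names are assumptions of the example. The lattice attack itself is not reproduced.

```python
"""Added example: a BPV-style precomputation generator for pairs (x, G^x mod P)
and the hidden subset sum instance its exponents define. The toy group below is
an assumption for illustration and is far too small for any real use."""
import secrets

# Assumed toy Schnorr group: P = 2*Q + 1, both prime; G = 2^2 mod P is a
# quadratic residue, so it generates the subgroup of prime order Q.
P = 2039
Q = 1019
G = 4

_RNG = secrets.SystemRandom()


def bpv_precompute(n, rng=_RNG):
    """Offline table: n random exponents alpha_j in [1, Q) and beta_j = G^alpha_j mod P."""
    alphas = [rng.randrange(1, Q) for _ in range(n)]
    betas = [pow(G, a, P) for a in alphas]
    return alphas, betas


def bpv_generate(alphas, betas, k, rng=_RNG):
    """Online step: choose k distinct table entries, then
       x = sum of the chosen alpha_j (mod Q),  X = product of the chosen beta_j (mod P).
    X == G^x mod P holds because G has order Q, but no exponentiation is done here,
    which is the point of the precomputation. Returns (x, X, chosen)."""
    chosen = sorted(rng.sample(range(len(alphas)), k))
    x = sum(alphas[j] for j in chosen) % Q
    X = 1
    for j in chosen:
        X = X * betas[j] % P
    return x, X, chosen


def hidden_subset_sum_instance(alphas, betas, k, m, rng=_RNG):
    """The hidden subset sum instance behind m generator outputs, under the
    assumption that the attacker learns the exponents: b_i = x_i is a subset sum
    modulo Q of the hidden alpha_j. The 0/1 selection rows are returned only so a
    caller can check a solution; the attacker does not see them."""
    b, rows = [], []
    for _ in range(m):
        x, _X, chosen = bpv_generate(alphas, betas, k, rng)
        b.append(x)
        rows.append([1 if j in chosen else 0 for j in range(len(alphas))])
    return b, rows


def is_hss_solution(b, alphas, rows, modulus=Q):
    """True iff b_i == sum_j rows[i][j] * alphas[j] (mod modulus) for every i,
    i.e. (alphas, rows) solves the hidden subset sum instance b."""
    return all(
        sum(r * a for r, a in zip(row, alphas)) % modulus == b_i
        for b_i, row in zip(b, rows)
    )


if __name__ == "__main__":
    table = bpv_precompute(n=16)
    x, X, chosen = bpv_generate(*table, k=4)
    print(f"x = {x}, X = {X}, G^x mod P = {pow(G, x, P)}, entries {chosen}")
    b, rows = hidden_subset_sum_instance(*table, k=4, m=10)
    print("instance b =", b)
    print("true table solves it:", is_hss_solution(b, table[0], rows))
```

The quantities the paper's condition is expressed over are visible here: the table size n, the number of observed outputs m, and the size of the modulus q. The abstract states that the lattice attack succeeds exactly when those parameters satisfy a condition made explicit in the paper, and that a complementary condition makes the output provably close to uniform; this example only sets up the instance and checks a candidate solution, it does not decide either condition.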


  1. M. Ajtai. Generating hard instances of lattice problems. In Proc. 28th ACM STOC, pages 99–108, 1996. Extended version at
  2. V. Boyko, M. Peinado, and R. Venkatesan. Speeding up discrete log and factoring based schemes via precomputations. In Proc. of Eurocrypt'98, volume 1403 of LNCS, pages 221–235. Springer-Verlag, 1998.
  3. E. Brickell, D.M. Gordon, K.S. McCurley, and D. Wilson. Fast exponentiation with precomputation. In Proc. of Eurocrypt'92, volume 658 of LNCS, pages 200–207. Springer-Verlag, 1993.
  4. E.F. Brickell and K.S. McCurley. An interactive identification scheme based on discrete logarithms and factoring. Journal of Cryptology, 5(1):29–39, 1992.
  5. M.J. Coster, A. Joux, B.A. LaMacchia, A.M. Odlyzko, C.-P. Schnorr, and J. Stern. Improved low-density subset sum algorithms. Computational Complexity, 2:111–128, 1992.
  6. P. de Rooij. On the security of the Schnorr scheme using preprocessing. In Proc. of Eurocrypt'91, volume 547 of LNCS, pages 71–80. Springer-Verlag, 1991.
  7. P. de Rooij. Efficient exponentiation using precomputation and vector addition chains. In Proc. of Eurocrypt'94, volume 950 of LNCS, pages 389–399. Springer-Verlag, 1995.
  8. P. de Rooij. On Schnorr's preprocessing for digital signature schemes. Journal of Cryptology, 10(1):1–16, 1997.
  9. T. El Gamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inform. Theory, 31:469–472, 1985.
  10. R. Impagliazzo and M. Naor. Efficient cryptographic schemes provably as secure as subset sum. Journal of Cryptology, 9(4):199–216, 1996.
  11. A.K. Lenstra, H.W. Lenstra, and L. Lovász. Factoring polynomials with rational coefficients. Math. Ann., 261:515–534, 1982.
  12. C.H. Lim and P.J. Lee. More flexible exponentiation with precomputation. In Proc. of Crypto'94, volume 839 of LNCS, pages 95–107. Springer-Verlag, 1994.
  13. National Institute of Standards and Technology (NIST). FIPS Publication 186: Digital Signature Standard, May 1994.
  14. P. Nguyen and J. Stern. Merkle-Hellman revisited: a cryptanalysis of the Qu-Vanstone cryptosystem based on group factorizations. In Proc. of Crypto'97, volume 1294 of LNCS, pages 198–212. Springer-Verlag, 1997.
  15. P. Nguyen and J. Stern. Cryptanalysis of a fast public key cryptosystem presented at SAC'97. In Proc. of SAC'98, LNCS. Springer-Verlag, 1998.
  16. P. Nguyen and J. Stern. The Béguin-Quisquater server-aided RSA protocol from Crypto'95 is not secure. In Proc. of Asiacrypt'98, volume 1514 of LNCS, pages 372–379. Springer-Verlag, 1998.
  17. C.-P. Schnorr. A hierarchy of polynomial lattice basis reduction algorithms. Theoretical Computer Science, 53:201–224, 1987.
  18. C.-P. Schnorr. Efficient identification and signatures for smart cards. In Proc. of Crypto'89, volume 435 of LNCS, pages 239–252. Springer-Verlag, 1990.
  19. C.-P. Schnorr. Efficient signature generation by smart cards. Journal of Cryptology, 4:161–174, 1991.
  20. C.-P. Schnorr and H.H. Hörner. Attacking the Chor-Rivest cryptosystem by improved lattice reduction. In Proc. of Eurocrypt'95, volume 921 of LNCS, pages 1–12. Springer-Verlag, 1995.
  21. V. Shoup. Number Theory C++ Library (NTL) version 3.6. Can be obtained at

Copyright information

© Springer-Verlag Berlin Heidelberg 1999

Authors and Affiliations

  • Phong Nguyen (1)
  • Jacques Stern (1)

  1. École Normale Supérieure, Laboratoire d'Informatique, Paris Cedex 05, France