A Polynomial-Time Algorithm for Solving the Hidden Subset Sum Problem
Abstract
At Crypto ’99, Nguyen and Stern described a lattice-based algorithm for solving the hidden subset sum problem, a variant of the classical subset sum problem in which the n weights are also hidden. While the Nguyen-Stern algorithm works quite well in practice for moderate values of n, we argue that its complexity is actually exponential in n: in the final step one must recover a very short basis of an n-dimensional lattice, which takes exponential time in n, as one must apply BKZ reduction with increasingly large block sizes.
In this paper, we describe a variant of the Nguyen-Stern algorithm that runs in polynomial time. The first step is the same orthogonal lattice attack with LLL as in the original algorithm. In the second step, instead of applying BKZ, we use a multivariate technique that recovers the short lattice vectors, and finally the hidden secrets, in polynomial time. Our algorithm works quite well in practice, as we can reach \(n \simeq 250\) in a few hours on a single PC.
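As an added illustration, not code from the paper, the following Python script builds a toy hidden subset sum instance and runs the first step of the Nguyen-Stern attack referred to above: it LLL-reduces the lattice of integer vectors orthogonal to the public vector h modulo M and checks that the m - n shortest reduced vectors are orthogonal to every hidden 0/1 vector x_j (the columns of the secret matrix), while the remaining n reduced vectors are not. The parameters n = 3, m = 8 and M = 2^61 - 1 (a Mersenne prime, chosen so that h_1 is invertible), the pure-rational LLL and all function names are assumptions made for this example; the paper's own parameter sizes and its polynomial-time second step (the multivariate technique that replaces BKZ) are not reproduced.

```python
"""Toy hidden subset sum instance and step one of the Nguyen-Stern attack.
Added example, not code from the Coron-Gini paper; parameters and names are
assumptions made here: n = 3 hidden weights, m = 8 samples, M = 2^61 - 1."""
from fractions import Fraction
import random

M = 2**61 - 1   # modulus; a Mersenne prime, so any nonzero h_1 is invertible mod M
N_WEIGHTS = 3   # n: hidden weights alpha_j (toy size; the paper reaches n ~ 250)
N_SAMPLES = 8   # m: published sums h_i


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def rank(rows):
    """Rank over Q by Gaussian elimination (exact, via Fractions)."""
    a = [[Fraction(x) for x in r] for r in rows]
    r = 0
    for c in range(len(a[0])):
        piv = next((i for i in range(r, len(a)) if a[i][c] != 0), None)
        if piv is None:
            continue
        a[r], a[piv] = a[piv], a[r]
        for i in range(len(a)):
            if i != r and a[i][c] != 0:
                f = a[i][c] / a[r][c]
                a[i] = [x - f * y for x, y in zip(a[i], a[r])]
        r += 1
    return r


def make_instance(seed=1):
    """Hidden alpha, secret 0/1 matrix X (m rows, n cols), public h_i = sum_j X[i][j]*alpha_j mod M."""
    rng = random.Random(seed)
    while True:
        alpha = [rng.randrange(1, M) for _ in range(N_WEIGHTS)]
        X = [[rng.randrange(2) for _ in range(N_WEIGHTS)] for _ in range(N_SAMPLES)]
        h = [dot(row, alpha) % M for row in X]
        cols = [[row[j] for row in X] for j in range(N_WEIGHTS)]
        if h[0] != 0 and rank(cols) == N_WEIGHTS:   # keep the secret vectors independent
            return alpha, X, h


def orthogonal_lattice_basis(h):
    """Basis of L = {u in Z^m : <u, h> = 0 mod M}: rows M*e_1 and e_i - (h_i/h_1)*e_1."""
    m, inv = len(h), pow(h[0], -1, M)
    basis = [[M] + [0] * (m - 1)]
    for i in range(1, m):
        row = [0] * m
        row[0], row[i] = -(h[i] * inv) % M, 1
        basis.append(row)
    return basis


def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL over exact rationals; fine at dimension 8, hopeless at the paper's sizes."""
    b = [[Fraction(x) for x in row] for row in basis]
    n = len(b)

    def gram_schmidt():
        bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = b[i][:]
            for j in range(i):
                mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
                v = [x - mu[i][j] * y for x, y in zip(v, bstar[j])]
            mu[i][i] = Fraction(1)
            bstar.append(v)
        return bstar, mu

    bstar, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):      # size reduction; b* is unchanged by it
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                for i in range(j + 1):
                    mu[k][i] -= q * mu[j][i]
        if dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1]):
            k += 1                          # Lovasz condition holds, move on
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = gram_schmidt()
            k = max(k - 1, 1)
    return [[int(x) for x in row] for row in b]


def attack_step_one(X, h):
    """LLL on L_h^perp. Returns (m-n short vectors kill every secret x_j, the n long ones do not)."""
    reduced = lll(orthogonal_lattice_basis(h))
    cols = [[row[j] for row in X] for j in range(N_WEIGHTS)]
    short, long_ = reduced[:N_SAMPLES - N_WEIGHTS], reduced[N_SAMPLES - N_WEIGHTS:]
    short_ok = rank(short) == N_SAMPLES - N_WEIGHTS and all(
        dot(u, x) == 0 for u in short for x in cols)
    long_ok = all(any(dot(u, x) != 0 for x in cols) for u in long_)
    return short_ok, long_ok


if __name__ == "__main__":
    _, X, h = make_instance()
    print(attack_step_one(X, h))
```

The reason the short vectors must be orthogonal to the x_j is the standard Nguyen-Stern argument: if u is orthogonal to h modulo M then the n integers u·x_j satisfy a linear relation with the random weights alpha_j modulo M, and a nonzero relation with coefficients far smaller than M^(1/n) has negligible probability, so for short u all of them vanish. The n-dimensional lattice orthogonal to those m - n vectors therefore contains the secret x_j; extracting binary vectors from it is the second step, which is where the original algorithm resorts to BKZ and the paper substitutes its multivariate technique.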
References
- [Bab86] Babai, L.: On Lovász’ lattice reduction and the nearest lattice point problem. Combinatorica 6(1), 1–13 (1986)
- [BNNT11] Brier, É., Naccache, D., Nguyen, P.Q., Tibouchi, M.: Modulus fault attacks against RSA-CRT signatures. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 192–206. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23951-9_13
- [BPV98] Boyko, V., Peinado, M., Venkatesan, R.: Speeding up discrete log and factoring based schemes via precomputations. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 221–235. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054129
- [CG20] Coron, J.-S., Gini, A.: A polynomial-time algorithm for solving the hidden subset sum problem. Full version of this paper. Cryptology ePrint Archive, Report 2020/461 (2020). https://eprint.iacr.org/2020/461
- [CJL+92] Coster, M.J., Joux, A., LaMacchia, B.A., Odlyzko, A.M., Schnorr, C.-P., Stern, J.: Improved low-density subset sum algorithms. Comput. Complex. 2, 111–128 (1992)
- [CKPS00] Courtois, N., Klimov, A., Patarin, J., Shamir, A.: Efficient algorithms for solving overdefined systems of multivariate polynomial equations. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 392–407. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_27
- [CLO05] Cox, D.A., Little, J., O’Shea, D.: Using Algebraic Geometry. Springer, New York (2005). https://doi.org/10.1007/b138611
- [CLT13] Coron, J.-S., Lepoint, T., Tibouchi, M.: Practical multilinear maps over the integers. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 476–493. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_26
- [CN11] Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_1
- [CN19] Coron, J.-S., Notarnicola, L.: Cryptanalysis of CLT13 multilinear maps with independent slots. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019, Part II. LNCS, vol. 11922, pp. 356–385. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34621-8_13
- [CNT10] Coron, J.-S., Naccache, D., Tibouchi, M.: Fault attacks against EMV signatures. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 208–220. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11925-5_15
- [CP19] Coron, J.-S., Pereira, H.V.L.: On Kilian’s randomization of multilinear map encodings. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019, Part II. LNCS, vol. 11922, pp. 325–355. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34621-8_12
- [FLLT15] Fouque, P.-A., Lee, M.S., Lepoint, T., Tibouchi, M.: Cryptanalysis of the Co-ACD assumption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part I. LNCS, vol. 9215, pp. 561–580. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_27
- [fpl16] The FPLLL development team: FPLLL, a lattice reduction library (2016). https://github.com/fplll/fplll
- [HPS11] Hanrot, G., Pujol, X., Stehlé, D.: Analyzing blockwise lattice algorithms using dynamical systems. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 447–464. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_25
- [LLL82] Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 515–534 (1982). https://doi.org/10.1007/BF01457454
- [LO85] Lagarias, J.C., Odlyzko, A.M.: Solving low-density subset sum problems. J. ACM 32(1), 229–246 (1985)
- [LT15] Lepoint, T., Tibouchi, M.: Cryptanalysis of a (somewhat) additively homomorphic encryption scheme used in PIR. In: Brenner, M., Christin, N., Johnson, B., Rohloff, K. (eds.) FC 2015. LNCS, vol. 8976, pp. 184–193. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48051-9_14
- [NS97] Nguyen, P., Stern, J.: Merkle-Hellman revisited: a cryptanalysis of the Qu-Vanstone cryptosystem based on group factorizations. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 198–212. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052236
- [NS98a] Nguyen, P., Stern, J.: The Béguin-Quisquater server-aided RSA protocol from Crypto ’95 is not secure. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 372–379. Springer, Heidelberg (1998). https://doi.org/10.1007/3-540-49649-1_29
- [NS98b] Nguyen, P., Stern, J.: Cryptanalysis of the Ajtai-Dwork cryptosystem. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 223–242. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055731
- [NS99] Nguyen, P., Stern, J.: The hardness of the hidden subset sum problem and its cryptographic implications. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 31–46. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_3
- [NS09] Nguyen, P.Q., Stehlé, D.: An LLL algorithm with quadratic complexity. SIAM J. Comput. 39(3), 874–903 (2009)
- [NSS04] Naccache, D., Smart, N.P., Stern, J.: Projective coordinates leak. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 257–267. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_16
- [Sag19] The Sage Developers: SageMath, the Sage Mathematics Software System (Version 8.9) (2019). https://www.sagemath.org
- [Sch87] Schnorr, C.-P.: A hierarchy of polynomial time lattice basis reduction algorithms. Theor. Comput. Sci. 53, 201–224 (1987)
- [Sho] Shoup, V.: Number Theory C++ Library (NTL), version 3.6. http://www.shoup.net/ntl/
- [vDGHV10] van Dijk, M., Gentry, C., Halevi, S., Vaikuntanathan, V.: Fully homomorphic encryption over the integers. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 24–43. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_2