A Polynomial-Time Algorithm for Solving the Hidden Subset Sum Problem

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12171)


At Crypto ’99, Nguyen and Stern described a lattice based algorithm for solving the hidden subset sum problem, a variant of the classical subset sum problem where the n weights are also hidden. While the Nguyen-Stern algorithm works quite well in practice for moderate values of n, we argue that its complexity is actually exponential in n; namely in the final step one must recover a very short basis of a n-dimensional lattice, which takes exponential-time in n, as one must apply BKZ reduction with increasingly large block-sizes.

In this paper, we describe a variant of the Nguyen-Stern algorithm that works in polynomial-time. The first step is the same orthogonal lattice attack with LLL as in the original algorithm. In the second step, instead of applying BKZ, we use a multivariate technique that recovers the short lattice vectors and finally the hidden secrets in polynomial time. Our algorithm works quite well in practice, as we can reach \(n \simeq 250\) in a few hours on a single PC.


  1. [Bab86]
    Babai, L.: On Lovász’ lattice reduction and the nearest lattice point problem. Combinatorica 6(1), 1–13 (1986)MathSciNetCrossRefGoogle Scholar
  2. [BNNT11]
    Brier, É., Naccache, D., Nguyen, P.Q., Tibouchi, M.: Modulus fault attacks against RSA-CRT signatures. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 192–206. Springer, Heidelberg (2011). Scholar
  3. [BPV98]
    Boyko, V., Peinado, M., Venkatesan, R.: Speeding up discrete log and factoring based schemes via precomputations. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 221–235. Springer, Heidelberg (1998). Scholar
  4. [CG20]
    Coron, J.-S., Gini, A.: A polynomial-time algorithm for solving the hidden subset sum problem. Full version of this paper. Cryptology ePrint Archive, Report 2020/461 (2020).
  5. [CJL+92]
    Coster, M.J., Joux, A., LaMacchia, B.A., Odlyzko, A.M., Schnorr, C.-P., Stern, J.: Improved low-density subset sum algorithms. Comput. Complex. 2, 111–128 (1992)MathSciNetCrossRefGoogle Scholar
  6. [CKPS00]
    Courtois, N., Klimov, A., Patarin, J., Shamir, A.: Efficient algorithms for solving overdefined systems of multivariate polynomial equations. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 392–407. Springer, Heidelberg (2000). Scholar
  7. [CLO05]
    Cox, D.A., Little, J., Oshea, D.: Using Algebraic Geometry. Springer, New York (2005). Scholar
  8. [CLT13]
    Coron, J.-S., Lepoint, T., Tibouchi, M.: Practical multilinear maps over the integers. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 476–493. Springer, Heidelberg (2013). Scholar
  9. [CN11]
    Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011). Scholar
  10. [CN19]
    Coron, J.-S., Notarnicola, L.: Cryptanalysis of CLT13 multilinear maps with independent slots. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019, Part II. LNCS, vol. 11922, pp. 356–385. Springer, Cham (2019). Scholar
  11. [CNT10]
    Coron, J.-S., Naccache, D., Tibouchi, M.: Fault attacks against emv signatures. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 208–220. Springer, Heidelberg (2010). Scholar
  12. [CP19]
    Coron, J.-S., Pereira, H.V.L.: On Kilian’s randomization of multilinear map encodings. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019, Part II. LNCS, vol. 11922, pp. 325–355. Springer, Cham (2019). Scholar
  13. [FLLT15]
    Fouque, P.-A., Lee, M.S., Lepoint, T., Tibouchi, M.: Cryptanalysis of the Co-ACD assumption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part I. LNCS, vol. 9215, pp. 561–580. Springer, Heidelberg (2015). Scholar
  14. [fpl16]
    The FPLLL development team. FPLLL, a lattice reduction library (2016).
  15. [HPS11]
    Hanrot, G., Pujol, X., Stehlé, D.: Analyzing blockwise lattice algorithms using dynamical systems. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 447–464. Springer, Heidelberg (2011). Scholar
  16. [LLL82]
    Lenstra, A.K., Lenstra, H.W., Lovasz, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 515–534 (1982). Scholar
  17. [LO85]
    Lagarias, J.C., Odlyzko, A.M.: Solving low-density subset sum problems. J. ACM 32(1), 229–246 (1985)MathSciNetCrossRefGoogle Scholar
  18. [LT15]
    Lepoint, T., Tibouchi, M.: Cryptanalysis of a (somewhat) additively homomorphic encryption scheme used in PIR. In: Brenner, M., Christin, N., Johnson, B., Rohloff, K. (eds.) FC 2015. LNCS, vol. 8976, pp. 184–193. Springer, Heidelberg (2015). Scholar
  19. [NS97]
    Nguyen, P., Stern, J.: Merkle-Hellman revisited: a cryptanalysis of the Qu-Vanstone cryptosystem based on group factorizations. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 198–212. Springer, Heidelberg (1997). Scholar
  20. [NS98a]
    Nguyen, P., Stern, J.: The Béguin-Quisquater server-aided RSA protocol from Crypto ’95 is not secure. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 372–379. Springer, Heidelberg (1998). Scholar
  21. [NS98b]
    Nguyen, P., Stern, J.: Cryptanalysis of the Ajtai-Dwork cryptosystem. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 223–242. Springer, Heidelberg (1998). Scholar
  22. [NS99]
    Nguyen, P., Stern, J.: The hardness of the hidden subset sum problem and its cryptographic implications. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 31–46. Springer, Heidelberg (1999). Scholar
  23. [NS09]
    Nguyen, P.Q., Stehlé, D.: An LLL algorithm with quadratic complexity. SIAM J. Comput. 39(3), 874–903 (2009)MathSciNetCrossRefGoogle Scholar
  24. [NSS04]
    Naccache, D., Smart, N.P., Stern, J.: Projective coordinates leak. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 257–267. Springer, Heidelberg (2004). Scholar
  25. [Sag19]
    The Sage Developers. Sagemath, the Sage Mathematics Software System (Version 8.9) (2019).
  26. [Sch87]
    Schnorr, C.-P.: A hierarchy of polynomial time lattice basis reduction algorithms. Theor. Comput. Sci. 53, 201–224 (1987)MathSciNetCrossRefGoogle Scholar
  27. [Sho]
    Shoup, V.: Number theory C++ library (NTL) version 3.6.
  28. [vDGHV10]
    van Dijk, M., Gentry, C., Halevi, S., Vaikuntanathan, V.: Fully homomorphic encryption over the integers. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 24–43. Springer, Heidelberg (2010). Scholar

Copyright information

© International Association for Cryptologic Research 2020

Authors and Affiliations

  1. 1.University of LuxembourgEsch-sur-AlzetteLuxembourg

Personalised recommendations