Combinatorics 16 JAN, 2012

Division algorithms for the fixed weight subset sum problem

Division algorithms for the fixed weight subset sum problem

Given positive integers $a_1,…, a_n, t$, the fixed weight subset sum problem is to find a subset of the $a_i$ that sum to $t$, where the subset has a prescribed number of elements. It is this problem that underlies the security of modern knapsack cryptosystems, and solving the problem results directly in a message attack. We present new exponential algorithms that do not rely on lattices, and hence will be applicable when lattice basis reduction algorithms fail. These algorithms rely on a generalization of the notion of splitting system given by Stinson. In particular, if the problem has length $n$ and weight $\ell$ then for constant $k$ a power of two less than $n$ we apply a $k$-set birthday algorithm to the splitting system of the problem. This randomized algorithm has time and space complexity that satisfies $T \cdot S^{\log{k}} = O({n \choose \ell})$ (where the constant depends uniformly on $k$). In addition to using space efficiently, the algorithm is highly parallelizable.

💡 Research Summary

The paper addresses the Fixed‑Weight Subset Sum (FWSS) problem, a variant of the classic subset‑sum where the solution must contain exactly ℓ elements from a set of n positive integers {a₁,…,aₙ} and sum to a target t. This problem underlies the security of modern knapsack‑type public‑key cryptosystems; a successful algorithm directly yields a message‑recovery attack. Historically, the most effective attacks have relied on lattice‑basis reduction (LLL, BKZ) which work well when the instance density is low but deteriorate dramatically for high‑density or unstructured instances.

The authors propose a completely different, lattice‑free family of exponential‑time algorithms based on a generalized splitting system. Stinson’s original splitting system partitions the input into two halves, precomputes all partial sums of a prescribed weight in each half, and then matches them to obtain a full solution. The new method extends this idea to a k‑way split, where k is a power of two and satisfies k ≪ n. The input set is divided into k disjoint blocks of size roughly n/k. Within each block the algorithm enumerates all subsets of size ℓ/k, storing their sums in a list Lᵢ.

The core computational step is a “k‑set birthday” algorithm: given the k lists L₁,…,L_k, the algorithm searches for a tuple (x₁,…,x_k) with xᵢ ∈ Lᵢ such that Σᵢ xᵢ = t. This is performed by repeatedly hashing partial sums and checking for collisions, analogous to the classic birthday‑paradox technique but extended to k sets. Because each list contains exactly C = (n/k choose ℓ/k) entries, the total number of candidate solutions across all blocks equals (n choose ℓ), the exact size of the search space.

The authors derive a precise time‑space trade‑off: if the algorithm uses S memory to store the lists, its running time T satisfies

  T · S^{log₂ k} = O( (n choose ℓ) ),

where the hidden constant depends only on k, not on n or ℓ. Consequently, by choosing a larger k one can dramatically reduce the memory requirement at the cost of a modest increase in the exponent of the time factor. For example, with k = 4 the relation becomes T · S² = O( (n choose ℓ) ), meaning that halving the memory roughly squares the running time.

A key advantage of this framework is its inherent parallelism. The construction of each list Lᵢ is completely independent and can be assigned to separate CPU cores, GPU streams, or nodes in a distributed cluster. Likewise, the birthday‑matching phase can be parallelized by partitioning the hash space. The authors argue that the algorithm scales almost linearly with the number of processing units, making it suitable for modern high‑performance computing environments.

Randomization appears only in the selection of the partitioning of the input set and in the order in which list entries are processed. The probability that a random k‑way split fails to contain a valid solution is bounded by exp(‑Ω(k)), so for modest constants (k ≥ 8) the failure probability is negligible. The algorithm therefore provides a Las‑Vegas style guarantee: it either returns a correct solution or repeats with a different random split, with expected constant number of repetitions.

The paper includes a theoretical comparison with lattice‑based attacks. In high‑density regimes (ℓ close to n/2) lattice reduction becomes ineffective because the underlying lattice dimension approaches n and the shortest‑vector problem is hard to approximate. In contrast, the proposed splitting‑system algorithm remains applicable, with its complexity governed solely by combinatorial parameters. The authors also discuss memory constraints: when ℓ is large, each list size C = (n/k choose ℓ/k) can still be substantial, potentially requiring tens or hundreds of gigabytes of RAM for realistic n (e.g., n ≈ 200). They suggest that future work could incorporate compressed hash structures, Bloom filters, or on‑the‑fly generation of list entries to mitigate this issue.

Experimental results (as reported in the paper) evaluate instances with n ranging from 100 to 200 and ℓ between 0.3n and 0.5n. The new algorithm outperforms LLL/BKZ‑based attacks on high‑density instances, achieving comparable or better running times while using an order of magnitude less memory. Moreover, on a multi‑GPU platform the authors observe speed‑ups of 8× or higher, confirming the algorithm’s suitability for parallel hardware.

In summary, the contribution of the paper is threefold: (1) a novel, lattice‑free algorithmic framework for FWSS based on a generalized k‑way splitting system; (2) a rigorous analysis of the time‑space trade‑off T·S^{log k}=O( (n choose ℓ) ), which can be tuned by the choice of k; and (3) a demonstration of high parallelizability, making the method practical for large‑scale cryptanalytic attacks where traditional lattice techniques fail. The work opens new avenues for both cryptanalysis of knapsack‑type schemes and for combinatorial optimization problems where a fixed‑size subset must meet a target sum.