-
Improving Lagarias-Odlyzko Algorithm For Average-Case Subset Sum: Modular Arithmetic Approach
Authors:
Antoine Joux,
Karol Węgrzycki
Abstract:
Lagarias and Odlyzko (J.~ACM~1985) proposed a polynomial time algorithm for solving ``\emph{almost all}'' instances of the Subset Sum problem with $n$ integers of size $Ω(Γ_{\text{LO}})$, where $\log_2(Γ_{\text{LO}}) > n^2 \log_2(γ)$ and $γ$ is a parameter of the lattice basis reduction ($γ> \sqrt{4/3}$ for LLL). The algorithm of Lagarias and Odlyzko is a cornerstone result in cryptography. Howeve…
▽ More
Lagarias and Odlyzko (J.~ACM~1985) proposed a polynomial time algorithm for solving ``\emph{almost all}'' instances of the Subset Sum problem with $n$ integers of size $Ω(Γ_{\text{LO}})$, where $\log_2(Γ_{\text{LO}}) > n^2 \log_2(γ)$ and $γ$ is a parameter of the lattice basis reduction ($γ> \sqrt{4/3}$ for LLL). The algorithm of Lagarias and Odlyzko is a cornerstone result in cryptography. However, the theoretical guarantee on the density of feasible instances has remained unimproved for almost 40 years.
In this paper, we propose an algorithm to solve ``almost all'' instances of Subset Sum with integers of size $Ω(\sqrt{Γ_{\text{LO}}})$ after a single call to the lattice reduction. Additionally, our argument allows us to solve the Subset Sum problem for multiple targets while the previous approach could only answer one target per call to lattice basis reduction. We introduce a modular arithmetic approach to the Subset Sum problem. The idea is to use the lattice reduction to solve a linear system modulo a suitably large prime. We show that density guarantees can be improved, by analysing the lengths of the LLL reduced basis vectors, of both the primal and the dual lattices simultaneously.
△ Less
Submitted 28 August, 2024;
originally announced August 2024.
-
Polynomial Time Algorithms for Integer Programming and Unbounded Subset Sum in the Total Regime
Authors:
Divesh Aggarwal,
Antoine Joux,
Miklos Santha,
Karol Węgrzycki
Abstract:
The Unbounded Subset Sum (USS) problem is an NP-hard computational problem where the goal is to decide whether there exist non-negative integers $x_1, \ldots, x_n$ such that $x_1 a_1 + \ldots + x_n a_n = b$, where $a_1 < \cdots < a_n < b$ are distinct positive integers with $\text{gcd}(a_1, \ldots, a_n)$ dividing $b$. The problem can be solved in pseudopolynomial time, while specialized cases, suc…
▽ More
The Unbounded Subset Sum (USS) problem is an NP-hard computational problem where the goal is to decide whether there exist non-negative integers $x_1, \ldots, x_n$ such that $x_1 a_1 + \ldots + x_n a_n = b$, where $a_1 < \cdots < a_n < b$ are distinct positive integers with $\text{gcd}(a_1, \ldots, a_n)$ dividing $b$. The problem can be solved in pseudopolynomial time, while specialized cases, such as when $b$ exceeds the Frobenius number of $a_1, \ldots, a_n$ simplify to a total problem where a solution always exists.
This paper explores the concept of totality in USS. The challenge in this setting is to actually find a solution, even though we know its existence is guaranteed. We focus on the instances of USS where solutions are guaranteed for large $b$. We show that when $b$ is slightly greater than the Frobenius number, we can find the solution to USS in polynomial time.
We then show how our results extend to Integer Programming with Equalities (ILPE), highlighting conditions under which ILPE becomes total. We investigate the diagonal Frobenius number, which is the appropriate generalization of the Frobenius number to this context. In this setting, we give a polynomial-time algorithm to find a solution of ILPE. The bound obtained from our algorithmic procedure for finding a solution almost matches the recent existential bound of Bach, Eisenbrand, Rothvoss, and Weismantel (2024).
△ Less
Submitted 11 July, 2024; v1 submitted 7 July, 2024;
originally announced July 2024.
-
Elliptic curves over Hasse pairs
Authors:
Eleni Agathocleous,
Antoine Joux,
Daniele Taufer
Abstract:
We call a pair of distinct prime powers $(q_1,q_2) = (p_1^{a_1},p_2^{a_2})$ a Hasse pair if $|\sqrt{q_1}-\sqrt{q_2}| \leq 1$. For such pairs, we study the relation between the set $\mathcal{E}_1$ of isomorphism classes of elliptic curves defined over $\mathbb{F}_{q_1}$ with $q_2$ points, and the set $\mathcal{E}_2$ of isomorphism classes of elliptic curves over $\mathbb{F}_{q_2}$ with $q_1$ points…
▽ More
We call a pair of distinct prime powers $(q_1,q_2) = (p_1^{a_1},p_2^{a_2})$ a Hasse pair if $|\sqrt{q_1}-\sqrt{q_2}| \leq 1$. For such pairs, we study the relation between the set $\mathcal{E}_1$ of isomorphism classes of elliptic curves defined over $\mathbb{F}_{q_1}$ with $q_2$ points, and the set $\mathcal{E}_2$ of isomorphism classes of elliptic curves over $\mathbb{F}_{q_2}$ with $q_1$ points. When both families $\mathcal{E}_i$ contain only ordinary elliptic curves, we prove that their isogeny graphs are isomorphic. When supersingular curves are involved, we describe which curves might belong to these sets. We also show that if both the $q_i$'s are odd and $\mathcal{E}_1 \cup \mathcal{E}_2 \neq \emptyset$, then $\mathcal{E}_1 \cup \mathcal{E}_2$ always contains an ordinary elliptic curve. Conversely, if $q_1$ is even, then $\mathcal{E}_1 \cup \mathcal{E}_2$ may contain only supersingular curves precisely when $q_2$ is a given power of a Fermat or a Mersenne prime. In the case of odd Hasse pairs, we could not rule out the possibility of an empty union $\mathcal{E}_1 \cup \mathcal{E}_2$, but we give necessary conditions for such a case to exist. In an appendix, Moree and Sofos consider how frequently Hasse pairs occur using analytic number theory, making a connection with Andrica's conjecture on the difference between consecutive primes.
△ Less
Submitted 5 June, 2024;
originally announced June 2024.
-
RYDE: A Digital Signature Scheme based on Rank-Syndrome-Decoding Problem with MPCitH Paradigm
Authors:
Loïc Bidoux,
Jesús-Javier Chi-Domínguez,
Thibauld Feneuil,
Philippe Gaborit,
Antoine Joux,
Matthieu Rivain,
Adrien Vinçotte
Abstract:
We present a signature scheme based on the Syndrome-Decoding problem in rank metric. It is a construction from multi-party computation (MPC), using a MPC protocol which is a slight improvement of the linearized-polynomial protocol used in [Fen22], allowing to obtain a zero-knowledge proof thanks to the MPCitH paradigm. We design two different zero-knowledge proofs exploiting this paradigm: the fir…
▽ More
We present a signature scheme based on the Syndrome-Decoding problem in rank metric. It is a construction from multi-party computation (MPC), using a MPC protocol which is a slight improvement of the linearized-polynomial protocol used in [Fen22], allowing to obtain a zero-knowledge proof thanks to the MPCitH paradigm. We design two different zero-knowledge proofs exploiting this paradigm: the first, which reaches the lower communication costs, relies on additive secret sharings and uses the hypercube technique [AMGH+22]; and the second relies on low-threshold linear secret sharings as proposed in [FR22]. These proofs of knowledge are transformed into signature schemes thanks to the Fiat-Shamir heuristic [FS86].
△ Less
Submitted 6 December, 2023; v1 submitted 17 July, 2023;
originally announced July 2023.
-
Classical and Quantum Algorithms for Variants of Subset-Sum via Dynamic Programming
Authors:
Jonathan Allcock,
Yassine Hamoudi,
Antoine Joux,
Felix Klingelhöfer,
Miklos Santha
Abstract:
Subset-Sum is an NP-complete problem where one must decide if a multiset of $n$ integers contains a subset whose elements sum to a target value $m$. The best-known classical and quantum algorithms run in time $\tilde{O}(2^{n/2})$ and $\tilde{O}(2^{n/3})$, respectively, based on the well-known meet-in-the-middle technique. Here we introduce a novel classical dynamic-programming-based data structure…
▽ More
Subset-Sum is an NP-complete problem where one must decide if a multiset of $n$ integers contains a subset whose elements sum to a target value $m$. The best-known classical and quantum algorithms run in time $\tilde{O}(2^{n/2})$ and $\tilde{O}(2^{n/3})$, respectively, based on the well-known meet-in-the-middle technique. Here we introduce a novel classical dynamic-programming-based data structure with applications to Subset-Sum and a number of variants, including Equal-Sums (where one seeks two disjoint subsets with the same sum), 2-Subset-Sum (a relaxed version of Subset-Sum where each item in the input set can be used twice in the summation), and Shifted-Sums, a generalization of both of these variants, where one seeks two disjoint subsets whose sums differ by some specified value.
Given any modulus $p$, our data structure can be constructed in time $O(n^2p)$, after which queries can be made in time $O(n^2)$ to the lists of subsets summing to any value modulo $p$. We use this data structure in combination with variable-time amplitude amplification and a new quantum pair finding algorithm, extending the quantum claw finding algorithm to the multiple solutions case, to give an $O(2^{0.504n})$ quantum algorithm for Shifted-Sums, an improvement on the best-known $O(2^{0.773n})$ classical running time. Incidentally, we obtain new $\tilde{O}(2^{n/2})$ and $\tilde{O}(2^{n/3})$ classical and quantum algorithms for Subset-Sum, not based on the seminal meet-in-the-middle method. We also study Pigeonhole Equal-Sums and Pigeonhole Modular Equal-Sums, where the existence of a solution is guaranteed by the pigeonhole principle. For the former problem, we give faster classical and quantum algorithms with running time $\tilde{O}(2^{n/2})$ and $\tilde{O}(2^{2n/5})$, respectively. For the more general modular problem, we give a classical algorithm that also runs in time $\tilde{O}(2^{n/2})$.
△ Less
Submitted 22 July, 2022; v1 submitted 13 November, 2021;
originally announced November 2021.
-
Discrete logarithm and Diffie-Hellman problems in identity black-box groups
Authors:
Gabor Ivanyos,
Antoine Joux,
Miklos Santha
Abstract:
We investigate the computational complexity of the discrete logarithm, the computational Diffie-Hellman and the decisional Diffie-Hellman problems in some identity black-box groups G_{p,t}, where p is a prime number and t is a positive integer. These are defined as quotient groups of vector space Z_p^{t+1} by a hyperplane H given through an identity oracle. While in general black-box groups with u…
▽ More
We investigate the computational complexity of the discrete logarithm, the computational Diffie-Hellman and the decisional Diffie-Hellman problems in some identity black-box groups G_{p,t}, where p is a prime number and t is a positive integer. These are defined as quotient groups of vector space Z_p^{t+1} by a hyperplane H given through an identity oracle. While in general black-box groups with unique encoding these computational problems are classically all hard and quantumly all easy, we find that in the groups G_{p,t} the situation is more contrasted. We prove that while there is a polynomial time probabilistic algorithm to solve the decisional Diffie-Hellman problem in $G_{p,1}$, the probabilistic query complexity of all the other problems is Omega(p), and their quantum query complexity is Omega(sqrt(p)). Our results therefore provide a new example of a group where the computational and the decisional Diffie-Hellman problems have widely different complexity.
△ Less
Submitted 19 May, 2021; v1 submitted 5 November, 2019;
originally announced November 2019.
-
Algorithmic aspects of elliptic bases in finite field discrete logarithm algorithms
Authors:
Antoine Joux,
Cecile Pierrot
Abstract:
Elliptic bases, introduced by Couveignes and Lercier in 2009, give an elegant way of representing finite field extensions. A natural question which seems to have been considered independently by several groups is to use this representation as a starting point for small characteristic finite field discrete logarithm algorithms. This idea has been recently proposed by two groups working on it, in or…
▽ More
Elliptic bases, introduced by Couveignes and Lercier in 2009, give an elegant way of representing finite field extensions. A natural question which seems to have been considered independently by several groups is to use this representation as a starting point for small characteristic finite field discrete logarithm algorithms. This idea has been recently proposed by two groups working on it, in order to achieve provable quasi-polynomial time for discrete logarithms in small characteristic finite fields. In this paper, we don't try to achieve a provable algorithm but, instead, investigate the practicality of heuristic algorithms based on elliptic bases. Our key idea, is to use a different model of the elliptic curve used for the elliptic basis that allows for a relatively simple adaptation of the techniques used with former Frobenius representation algorithms. We haven't performed any record computation with this new method but our experiments with the field F 3 1345 indicate that switching to elliptic representations might be possible with performances comparable to the current best practical methods.
△ Less
Submitted 5 July, 2019;
originally announced July 2019.
-
Certified lattice reduction
Authors:
Thomas Espitau,
Antoine Joux
Abstract:
Quadratic form reduction and lattice reduction are fundamental tools in computational number theory and in computer science, especially in cryptography. The celebrated Lenstra-Lenstra-Lovász reduction algorithm (so-called LLL) has been improved in many ways through the past decades and remains one of the central methods used for reducing integral lattice basis. In particular, its floating-point va…
▽ More
Quadratic form reduction and lattice reduction are fundamental tools in computational number theory and in computer science, especially in cryptography. The celebrated Lenstra-Lenstra-Lovász reduction algorithm (so-called LLL) has been improved in many ways through the past decades and remains one of the central methods used for reducing integral lattice basis. In particular, its floating-point variants-where the rational arithmetic required by Gram-Schmidt orthogonalization is replaced by floating-point arithmetic-are now the fastest known. However, the systematic study of the reduction theory of real quadratic forms or, more generally, of real lattices is not widely represented in the literature. When the problem arises, the lattice is usually replaced by an integral approximation of (a multiple of) the original lattice, which is then reduced. While practically useful and proven in some special cases, this method doesn't offer any guarantee of success in general. In this work, we present an adaptive-precision version of a generalized LLL algorithm that covers this case in all generality. In particular, we replace floating-point arithmetic by Interval Arithmetic to certify the behavior of the algorithm. We conclude by giving a typical application of the result in algebraic number theory for the reduction of ideal lattices in number fields.
△ Less
Submitted 28 May, 2019;
originally announced May 2019.
-
A quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic
Authors:
Razvan Barbulescu,
Pierrick Gaudry,
Antoine Joux,
Emmanuel Thomé
Abstract:
In the present work, we present a new discrete logarithm algorithm, in the same vein as in recent works by Joux, using an asymptotically more efficient descent approach. The main result gives a quasi-polynomial heuristic complexity for the discrete logarithm problem in finite field of small characteristic. By quasi-polynomial, we mean a complexity of type $n^{O(\log n)}$ where $n$ is the bit-size…
▽ More
In the present work, we present a new discrete logarithm algorithm, in the same vein as in recent works by Joux, using an asymptotically more efficient descent approach. The main result gives a quasi-polynomial heuristic complexity for the discrete logarithm problem in finite field of small characteristic. By quasi-polynomial, we mean a complexity of type $n^{O(\log n)}$ where $n$ is the bit-size of the cardinality of the finite field. Such a complexity is smaller than any $L(\varepsilon)$ for $ε>0$. It remains super-polynomial in the size of the input, but offers a major asymptotic improvement compared to $L(1/4+o(1))$.
△ Less
Submitted 26 November, 2013; v1 submitted 18 June, 2013;
originally announced June 2013.
