
Subset Sum from Lattice Reduction

Vadim's talk at the 2nd BIU winter school gives a good introduction to why we can use LLL for subset sum in theory; this note focuses on the "how exactly" in practice for engineers, as my digest of various related works and why they make sense.

Here's the implementation of this SSP solver in python.

Recall that the goal of lattice reduction algorithms is to find a nice basis (short and nearly orthogonal vectors; a truly orthonormal basis generally doesn't exist in a lattice) given an arbitrary basis of the lattice. More technically, they obtain a basis whose Gram-Schmidt vectors do not decrease too quickly (which implies that the basis vectors are somewhat orthogonal to each other).

*(figure omitted: illustration from Regev's lecture notes[1])*

  • Theorem[1]: the vector $b_1$ in an LLL-reduced basis is short: it has length at most $2^{(n-1)/2} \lambda_1(\mathcal{L}(B))$.

For now, we treat a lattice reduction algorithm like LLL as an oracle that returns a short basis of a lattice; in practice it often even finds the shortest non-zero vector in the lattice in polynomial time.
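To make this oracle concrete, here is a minimal textbook LLL sketch in pure Python with exact rational arithmetic (function names and structure are mine, not from the linked solver; a real solver would call a mature implementation such as fpylll's `LLL.reduction`, which is far faster):

```python
from fractions import Fraction

def gram_schmidt(B):
    """Exact Gram-Schmidt orthogonalization: returns (B*, mu)."""
    n = len(B)
    Bs = [[Fraction(x) for x in row] for row in B]
    mu = [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        for j in range(i):
            mu[i][j] = (sum(Fraction(B[i][k]) * Bs[j][k] for k in range(len(B[i])))
                        / sum(x * x for x in Bs[j]))
            Bs[i] = [Bs[i][k] - mu[i][j] * Bs[j][k] for k in range(len(Bs[i]))]
    return Bs, mu

def lll(B, delta=Fraction(3, 4)):
    """Textbook LLL on an integer row basis; recomputes the GSO eagerly
    after every row operation (slow but simple and exact)."""
    B = [list(row) for row in B]
    n = len(B)
    Bs, mu = gram_schmidt(B)
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):              # size reduction
            q = round(mu[k][j])
            if q:
                B[k] = [B[k][i] - q * B[j][i] for i in range(len(B[k]))]
                Bs, mu = gram_schmidt(B)
        norm2 = lambda v: sum(x * x for x in v)
        if norm2(Bs[k]) >= (delta - mu[k][k - 1] ** 2) * norm2(Bs[k - 1]):
            k += 1                                  # Lovász condition holds
        else:
            B[k], B[k - 1] = B[k - 1], B[k]          # swap and step back
            Bs, mu = gram_schmidt(B)
            k = max(k - 1, 1)
    return B
```

For example, `lll([[1, 1, 1], [-1, 0, 2], [3, 5, 6]])` returns an equivalent basis whose first vector has squared norm at most 4, as guaranteed by the theorem above (this lattice contains a vector of norm 1).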

Recall the Subset Sum Problem (SSP):

  • [SSP]: Given a multiset $\{a_i\}_{i=1}^n$ and a target $S = \sum_{i=1}^n a_i x_i$ where $x_i \in \{0, 1\}$, find a subset that sums to $S$.
    • Brickell and Lagarias & Odlyzko showed that almost all low-density subset sum instances can be solved in poly time, where the density is $d = n / \log_2 \max_i a_i$; $d > 1$ generally means many subsets share the same target sum, and we are interested in $d \le 1$.
    • SSP doesn't constrain $\|x\|$ since it is tasked to find a solution, not "the" solution.

Utilizing LLL to solve SSP is essentially reducing the latter to the former. Here are some attempts that gradually build towards the one reduction that we'll use. At the center, we need to construct a problem instance $B^t = [b_1 | b_2 | \cdots | b_d]$, given the SSP set $\{a_i\}$, to feed into the LLL oracle, such that the returned $b_1$ from the reduced basis corresponds to the SSP solution.

  • note: $d \le n$; $d$ is called the lattice dimension, $n$ is called the embedding dimension. In most cases in cryptography, people consider square, full-rank matrices. When we only use the $n$ subscript, we are implicitly using a full-rank $B$.
  • notation: by convention (and in Python), $B$ is a row matrix whose first row is $b_1$, but in lattice crypto the convention is taking a column matrix as input, which we denote $B^t$.

First Attempt

$$B = \begin{bmatrix} I & a \\ 0 & S \end{bmatrix} = \begin{bmatrix} b_1 := (1, 0, \cdots, 0, a_1) \\ b_2 := (0, 1, \cdots, 0, a_2) \\ \vdots \\ b_n := (0, 0, \cdots, 1, a_n) \\ b_{n+1} := (0, 0, \cdots, 0, S) \end{bmatrix}_{(n+1) \times (n+1)}$$

Now, any lattice point in $\mathcal{L}(B^t)$ can be expressed as an integer linear combination of the row vectors. Let's denote the combination coefficients $\{c_i\}$:

$$z = [z_1, \ldots, z_{n+1}] = \Big[c_1, c_2, \ldots, c_n,\ \sum_{i=1}^n c_i a_i + c_{n+1} S\Big] \in \mathcal{L}(B^t)$$

It's not hard to verify that the actual solution $x$ embeds as a short vector in the lattice: take coefficients $c = (x_1, \ldots, x_n, -1)$, which gives $z = (x_1, \ldots, x_n, 0)$. Thus we can hope that our LLL oracle finds it, and we can check this condition on the reduced $b_1$: $z_i \in \{0, 1\}$ for $i \in [n]$ and $z_{n+1} = 0$, then output $(z_i)_{i \in [n]}$ as the solution. Voilà!
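Concretely, the embedding can be sketched as follows (helper names are mine; I use the sign convention where the intended solution takes coefficient $-1$ on the last row, so that $z_{n+1}$ vanishes):

```python
def first_attempt_basis(a, S):
    """Rows (e_i | a_i) for each element, plus the target row (0, ..., 0, S)."""
    n = len(a)
    B = [[int(j == i) for j in range(n)] + [a[i]] for i in range(n)]
    B.append([0] * n + [S])
    return B

def lattice_point(c, B):
    """z = c . B: the lattice point with integer coefficient vector c."""
    return [sum(ci * row[j] for ci, row in zip(c, B)) for j in range(len(B[0]))]

a, x = [3, 7, 11, 15], [1, 0, 1, 1]
S = sum(ai * xi for ai, xi in zip(a, x))               # 29
z = lattice_point(x + [-1], first_attempt_basis(a, S))  # the solution embeds as (x, 0)
```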

Unfortunately, there's a problem: there could be shorter vectors than $x$ in the lattice, and the lattice oracle might return them instead!

  1. If any one of the $a_i$ is small, then that row itself is already a short vector.
  2. If any two inputs are close, $a_i \approx a_j$, then the difference (i.e. $\text{row}_i - \text{row}_j$) is a short vector.
     1. More generally, if $\beta_i a_i \approx \beta_j a_j$ for any small integer coefficients $\beta_i, \beta_j$, then $z := \beta_i \, \text{row}_i - \beta_j \, \text{row}_j$ is a short vector.

In short, all of the above cases present a high probability of our lattice oracle failing to produce the intended SSP solution, and since we don't have prior knowledge of or constraints on the values of $\{a_i\}$, we need to modify our $B$ to avoid these possibilities.

Second Attempt

Both cases above can be solved with one simple trick: scale the last column by some value $N > \sqrt{n}$ (don't worry about the bound, just think of a big number like 1000)!

$$B = \begin{bmatrix} I & Na \\ 0 & NS \end{bmatrix} = \begin{bmatrix} 1 & 0 & \cdots & 0 & N a_1 \\ 0 & 1 & \cdots & 0 & N a_2 \\ \vdots & & \ddots & & \vdots \\ 0 & 0 & \cdots & 1 & N a_n \\ 0 & 0 & \cdots & 0 & N S \end{bmatrix}_{(n+1) \times (n+1)}$$

Each row is no longer a short vector, and LLL needs to do more work to find an actually smaller vector in this lattice. The second concern is also mitigated, since the delta $\beta_i N a_i - \beta_j N a_j$ is also scaled up, and is thus unlikely to be a shorter vector than our intended solution $x$ anymore.

  • note: if $a_i = a_j$, then the second concern still stands; we will discuss this towards the end.

This version is essentially Lagarias and Odlyzko’s reduction in their work “Solving low-density subset sum problems”.
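The scaled basis is a one-line change from the previous sketch; the toy check below (names are mine) confirms that, with two close elements, the scaled difference vector is no longer competitive with the embedded solution:

```python
def lo_basis(a, S, N):
    """Lagarias-Odlyzko style basis: identity block, last column scaled by N."""
    n = len(a)
    B = [[int(j == i) for j in range(n)] + [N * a[i]] for i in range(n)]
    B.append([0] * n + [N * S])
    return B

def norm_sq(v):
    return sum(x * x for x in v)

a, x, N = [100, 101, 57], [1, 0, 1], 1000    # a_1 and a_2 are close
B = lo_basis(a, 157, N)
diff = [u - v for u, v in zip(B[0], B[1])]   # row_1 - row_2 = [1, -1, 0, -1000]
embedded = x + [0]                           # the intended solution, squared norm 2
```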

There are still some unsatisfactory limitations:

  1. The success probability is bounded: based on the analysis in LO'85, this reduction only works for SSP with density $d < 0.6463$ (another detailed analysis is on p. 58 of LaMacchia's "Basis Reduction Algorithms and Subset Sum Problems").

  2. Observe the entry $z_{n+1} := N(\sum_{i=1}^n c_i a_i + c_{n+1} S)$: what if $c_1 a_1 + c_2 a_2 = k S$ for some coefficients $c_1, c_2, k > 1$ (take $c_{n+1} = -k$)? Then there are more competing short vectors again.

     (e.g.) $[0, 0, 2, 0, 1, 0, 0]$ v.s. $x = [1, 1, 0, 1, 1, 1, 0]$, where $2 a_3 + a_5 = 5 S$ and $a_1 + a_2 + a_4 + a_5 + a_6 = S$: the former is at least as short as the embedded solution and may be returned by the LLL oracle instead, but it is not what we wanted.

In short, the lesson is that we want to add even more constraints on the coefficients $\{c_i\}$ that contribute to the term $z_{n+1}$, so that constraining $z_{n+1} = 0$ actually leads to $(z_i)_{i \in [n]} = x$ without many competing/alternative short vectors.

Final Reduction

To improve the theoretical bound issue in limitation 1 above, "An Improved Low-density Subset Sum Algorithm" [CLOS'91] proposed to use:

$$B = \begin{bmatrix} I & Na \\ 1/2 & NS \end{bmatrix} = \begin{bmatrix} 1 & 0 & \cdots & 0 & N a_1 \\ 0 & 1 & \cdots & 0 & N a_2 \\ \vdots & & \ddots & & \vdots \\ 0 & 0 & \cdots & 1 & N a_n \\ 1/2 & 1/2 & \cdots & 1/2 & N S \end{bmatrix}_{(n+1) \times (n+1)}$$

This slightly modified reduction increases the range of SSP instances we can solve to any $d < 0.9408$. But we skip the analysis, as it's non-essential to us, and take it as given.

To address concern 2 above, [Schnorr'93] ("Lattice Basis Reduction: Improved Practical Algorithms and Solving Subset Sum Problems", Sec. 7) builds on top of [CLOS'91], adding an extra column (the second-to-last column below) to control and constrain the value playing the role of $c_{n+1}$ in our previous attempt.

$$B = \begin{bmatrix} 2I & 0 & Na \\ 1 & 1 & NS \end{bmatrix} = \begin{bmatrix} 2 & 0 & \cdots & 0 & 0 & N a_1 \\ 0 & 2 & \cdots & 0 & 0 & N a_2 \\ \vdots & & \ddots & & \vdots & \vdots \\ 0 & 0 & \cdots & 2 & 0 & N a_n \\ 1 & 1 & \cdots & 1 & 1 & N S \end{bmatrix}_{(n+1) \times (n+2)}$$

The condition to check becomes:

$$|z_{n+1}| = 1 \;\wedge\; z_{n+2} = 0 \;\wedge\; z_1, \ldots, z_n \in \{\pm 1\}$$

It's not hard to verify that the foregoing condition guarantees $(|z_i - z_{n+1}|/2)_{i \in [n]} = x$ with overwhelming probability (since we avoid all of the caveats above).

Say $z_{n+1} = -1$: then $c_{n+1} = -1$, and $z_{n+2} = N(\sum_i c_i a_i + c_{n+1} S) = 0$ gives $\sum_i c_i a_i = S$. Since $(z_i := 2 c_i - 1)_{i \in [n]} \in \{\pm 1\} \Rightarrow c_i \in \{0, 1\}$, we get $|z_i - z_{n+1}|/2 = c_i \in \{0, 1\}$, which is exactly the solution bit $x_i$. Voilà! You can easily double-check the other case, when $z_{n+1} = 1$.

Higher-dimension SSP

Up until now, we have only considered the $a_i$ as scalars. What if they are vectors of higher dimension themselves, say $a_i = (a_{i,1}, \ldots, a_{i,m})$ and $S = (S_1, \ldots, S_m) \in \mathbb{R}^m$? We could flatten out all the $m$ dimensions and use the same argument, inflating the embedding dimension but keeping the same lattice dimension for $B^t$. Concretely:

$$B = \begin{bmatrix} 2I & 0 & Na \\ 1 & 1 & NS \end{bmatrix} = \begin{bmatrix} 2 & 0 & \cdots & 0 & 0 & N a_{1,1} & N a_{1,2} & \cdots & N a_{1,m} \\ 0 & 2 & \cdots & 0 & 0 & N a_{2,1} & N a_{2,2} & \cdots & N a_{2,m} \\ \vdots & & \ddots & & \vdots & \vdots & & & \vdots \\ 0 & 0 & \cdots & 2 & 0 & N a_{n,1} & N a_{n,2} & \cdots & N a_{n,m} \\ 1 & 1 & \cdots & 1 & 1 & N S_1 & N S_2 & \cdots & N S_m \end{bmatrix}_{(n+1) \times (n+m+1)}$$

The condition check becomes:

$$|z_{n+1}| = 1 \;\wedge\; z_{n+2}, \ldots, z_{n+m+1} = 0 \;\wedge\; z_1, \ldots, z_n \in \{\pm 1\}$$
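The flattening is mechanical; a sketch of the vector-valued basis builder (names are mine, following the same sign convention as before, where the intended solution takes coefficient $-1$ on the last row):

```python
def schnorr_basis_vec(a, S, N):
    """Vector-valued SSP: each a_i and S is a length-m vector, flattened
    into m separate N-scaled sum columns."""
    n = len(a)
    B = [[2 * int(j == i) for j in range(n)] + [0] + [N * v for v in a[i]]
         for i in range(n)]
    B.append([1] * (n + 1) + [N * s for s in S])
    return B

def lattice_point(c, B):
    return [sum(ci * row[j] for ci, row in zip(c, B)) for j in range(len(B[0]))]

a = [[3, 1], [7, 2], [11, 5], [15, 4]]   # n = 4 elements, m = 2 dimensions
x = [1, 0, 1, 1]
S = [3 + 11 + 15, 1 + 5 + 4]             # component-wise target sums
B = schnorr_basis_vec(a, S, 1000)        # shape (n+1) x (n+m+1) = 5 x 7
z = lattice_point(x + [-1], B)
```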

TODO: add more analysis on the success rate or density bound?

Modular SSP

Sometimes, we are asked to solve the modular variant of SSP, where values and summations are carried out $\bmod\ q$ instead of in $\mathbb{R}$.

TODO: add adaptation here.

One more thing

Recall the edge case where some $a_i = a_j$, which falls outside the scope of the classical definition of an SSP instance and may cause competing short vectors.

If there aren't too many (say a constant number) of these duplicates, then we can simply remove $a_j$ and feed both $(\{a_i\} \setminus \{a_j\},\ S - a_j)$ and $(\{a_i\} \setminus \{a_j\},\ S)$ to the current subset sum solver. Note that the two instances correspond to the original $c_j = 1$ and $c_j = 0$ respectively. Since our reduction in the final attempt gives a poly-time solver, we end up with a poly-time solver here too. Effectively, we are guessing $c_j$ and trading off run-time against success probability.

This approach also works if there are a logarithmic number of duplicates: guessing all possible combinations means enumerating the power set of those duplicates, and logarithmically many duplicates lead to $O(n)$ tries, which still ends up a poly-time solver.

However, if we go beyond a logarithmic number of duplicates, then in practice, instead of suffering a super-polynomial runtime, we might choose to accept a slightly higher failure probability from the subset solver instead. Additionally, we can check more than just $b_1$: also the first few reduced basis vectors, since the first reduced vector might be the shortest competing vector while the second corresponds to our subset solution. In terms of bounds and guarantees, it's beyond my depth for now, but some empirical statistical evaluation might enlighten us.


  1. Both the screenshot and the theorem are excerpted from Regev's lecture notes. ↩︎