IEICE TRANS. FUNDAMENTALS, VOL.E95–A, NO.5 MAY 2012 903 PAPER On the Hardness of Subset Sum Problem from Different Intervals Jun KOGURE †a) , Noboru KUNIHIRO †† , Members, and Hirosuke YAMAMOTO †† , Fellow SUMMARY The subset sum problem, which is often called as the knapsack problem, is known as an NP-hard problem, and there are sev- eral cryptosystems based on the problem. Assuming an oracle for shortest vector problem of lattice, the low-density attack algorithm by Lagarias and Odlyzko and its variants solve the subset sum problem efficiently, when the “density” of the given problem is smaller than some threshold. When we define the density in the context of knapsack-type cryptosystems, weights are usually assumed to be chosen uniformly at random from the same in- terval. In this paper, we focus on general subset sum problems, where this assumption may not hold. We assume that weights are chosen from differ- ent intervals, and make analysis of the effect on the success probability of above algorithms both theoretically and experimentally. Possible applica- tion of our result in the context of knapsack cryptosystems is the security analysis when we reduce the data size of public keys. key words: subset sum problem, knapsack problem, low-density attack, lattice reduction 1. Introduction When a set of positive integers (weights) S = {a 1 ,..., a n } (a i  a j ) and a positive integer s are given, find- ing a vector e = (e 1 ,..., e n ) ∈{0, 1} n satisfying ∑ n i=1 a i e i = s, is called the subset sum problem (or the knapsack prob- lem), and is known as an NP-hard problem in general (see, e.g., [4]). Lagarias-Odlyzko [8] and Brickell [1] indepen- dently found an algorithm (LO algorithm, hereafter) that solves subset sum problems, using lattice reduction algo- rithm. Both methods almost always solve the problem in polynomial time if we assume a shortest vector oracle of a lattice and if the density of the subset sum problem is less than 0.6463 ... , where the density d is defined by d = n/(log 2 max i a i ). (1) Coster, Joux, LaMacchia, Odlyzko, Schnorr, and Stern raised the critical density up to 0.9408 ... (CJLOSS algo- rithm, hereafter) [2]. They assumed that all a i ’s are chosen uniformly at random from an interval (0, A] for some integer A, and the density was defined as d = n/(log 2 A). (2) Since these algorithms are effective against subset sum problems with relatively low densities, they are sometimes Manuscript received September 26, 2011. † The author is with Fujitsu Laboratories Ltd., Kawasaki-shi, 211-8588 Japan. †† The authors are with The University of Tokyo, Kashiwa-shi, 277-8561 Japan. a) E-mail: kogure@jp.fujitsu.com DOI: 10.1587/transfun.E95.A.903 called the “low-density attack” in the context of breaking knapsack-type cryptosystems. However, in general density cases, the subset sum problem is still hard. In the LO al- gorithm, the subset sum problem is reduced to the Shortest Vector Problem (SVP) of a lattice constructed from the given problem, and one or two SVP oracle calls are admitted. Al- though no polynomial-time algorithms that solve Shortest Vector problem are known, the polynomial-time algorithm by Lenstra, Lenstra & Lov´ asz (LLL algorithm) [7] solves it with some approximation factor and works relatively bet- ter in practice than in theory. One can also use the block Korkine-Zolotarev(BKZ) algorithm [11] (as in [12]), which provides better approximation factor but may not work in polynomial-time, if its block length parameter gets larger. There have been proposed several public key cryp- tosystems whose security is based on the hardness of the subset sum problem. For example, Chor-Rivest proposed a cryptosystem that can use subset sum problems with rela- tively high densities [3]. Though the system was attacked by an algebraic approach [13], the attack may not be valid in general cases. Okamoto-Tanaka-Uchiyama proposed an- other cryptosystem OTU, in an attempt to resist adversaries that can run quantum computers [10]. In these cryptosystems the Hamming weight of solu- tions is bounded by βn for a small constant β ≤ 1/2. In general cases, we can take β = 1/2. In cases β is relatively small, Coster et al. [2] give improvements on their CJLOSS algorithm, which we refer as CJLOSS+ algorithm in this paper. Our Motivation and Contributions: In the context of knapsack-type cryptosystems, public key a i ’s are often generated by taking the value mod A for some integer A. Hence it would be reasonable to adapt the follow- ing assumption: Assumption 1. a i ’s are chosen uniformly at random from the same interval (0, A]. In this case, the density can be defined as Eq. (2), and the effectiveness of LO algorithm is well analyzed. On the other hand, in general subset sum problems, this assumption may not always hold and the effectiveness of LO algorithm is not well known. In this paper, we focus on gen- eral subset sum problems and analyze its hardness, mainly from theoretical interests. As LO algorithm can be applied to general subset sum problems and often works efficiently, analyzing its effectiveness is very important in order to an- Copyright c  2012 The Institute of Electronics, Information and Communication Engineers