Combinatorial Algorithms for Subset Sum Problems Dissertation an der Fakult¨atf¨urMathematik der Ruhr-Universit¨atBochum vorgelegt von Ilya Ozerov Erstgutachter: Prof. Dr. Alexander May Zweitgutachter: Prof. Dr. Gregor Leander Tag der m¨undlichen Pr¨ufung:05.02.2016 Contents 1 Introduction 1 2 Consistency Problem 5 2.1 High-Level Idea . .6 2.1.1 NN Problem . .6 2.1.2 zeroAND Problem . .9 2.1.3 A Joint Solution . 12 2.2 Consistency Problem . 15 2.2.1 Preliminaries . 15 2.2.2 Problem and Algorithm . 18 2.2.3 Analysis . 21 2.3 Weight Match Problem . 25 2.3.1 General Case . 25 2.3.2 Random Weight Match Problem . 27 2.4 Nearest Neighbor Problem . 28 2.4.1 Analysis . 29 3 Subset Sum Problem 33 3.1 Generalized Problem . 34 3.1.1 Brute Force . 34 3.1.2 Meet-in-the-Middle . 35 3.2 Random Subset Sum Problem . 36 3.2.1 Tools . 37 3.3 Known Results . 41 3.3.1 Meet-in-the-Middle Resivited . 41 3.3.2 Classical Representations . 42 3.4 Consistent Representations . 51 3.4.1 Group Weight Match Problem . 52 3.4.2 Algorithm . 54 4 Binary Subset Sum Problem 59 4.1 Known Results . 60 4.1.1 Meet-in-the-Middle . 60 4.1.2 Representations I . 60 4.1.3 Representations II . 64 4.2 Novel Results . 68 iv CONTENTS 4.2.1 Consistent Representations I . 68 4.2.2 Consistent Representations II . 71 4.3 Results in Special Groups . 74 4.3.1 Algorithms . 74 5 Knapsack Problem 79 5.1 Results . 80 6 Decoding Problem 81 6.1 Classical Algorithms . 83 6.1.1 Prange's Information Set Decoding . 83 6.1.2 Stern's Decoding . 86 6.1.3 MMT . 89 6.1.4 BJMM . 91 6.2 Application of the Nearest Neighbor Technique . 95 6.2.1 Basic Approach . 95 6.2.2 Using Representations . 98 6.2.3 Nearest Neighbor with MMT . 100 6.2.4 Nearest Neighbor with BJMM . 102 6.3 Conclusion . 106 7 Discrete Logarithm Problem 107 7.1 Known Generic Algorithm . 109 7.2 New Generic Algorithm . 109 7.3 Optimal Splitting . 114 Es werden neue Algorithmen f¨urdiese Klasse von Problemen entwickelt, indem ein sogenanntes Konsistenzproblem untersucht wird, was zu besseren Algorithmen f¨urdas zeroAND Problem und das Nearest Neighbor Prob- lem f¨uhrt.Dies impliziert die bestbekannten Algorithmen f¨urdas Knapsack Problem mit einer Komplexit¨atvon 20:287n und das Dekodierproblem mit Laufzeit 20:097n. Es wird gezeigt, dass die verwendeten Techniken ebenfalls in einem Spezialfall des Diskreten Logarithmusproblems angewandt werden k¨onnen. Summary In this thesis, we present a generalized framework for the study of combinatorial problems, so-called Subset Sum Problems. In this framework, we improve the best known technique for solving this class of problems by identifying a Consistency Problem. We present a more efficient algorithm for this problem, which leads to algorithms for the special cases of the zeroAND Problem and the Nearest Neighbor Problem. This implies the best known algorithm for the Knapsack Problem with time complexity 20:287n and the Decoding Problem with time complexity 20:097n. We show that the studied combinatorial techniques can also be applied to a special case of the Discrete Logarithm Problem. Chapter 1 Introduction The results by Cook [Coo71], Karp [Kar72], and Levin [Lev73] on NP-completeness identify a large class of problems that are equally hard, i.e. once there is an efficient algorithm for only one of these problems, it directly implies an efficient algorithm for all the problems from the class. An algorithm for a problem is called efficient if it runs in time polynomially in the input size for all instances of the problem. An unsolved question \P =? NP" in computer science is, if there either exist efficient algorithms for this class of problems, or if it can be shown that there are none. NP-hard problems are a larger class of problems that are at least as hard as NP-complete problems. A decision problem simply asks if a problem instance is solvable or not, whereas a computational problem also asks to find a solution. In this thesis, we want to concentrate on two NP-hard computational problems, the Knapsack Problem [Kar72] and the Decoding Problem [BMvT78]. The Knapsack Problem asks to find a subset of n given integers a1; : : : ; an 2 Z that sums to a target integer s 2 Z. The Decoding Problem asks to find a closest codeword of a linear code C to a given vector x. Notice that even though there might be instances of NP-hard problems that are indeed difficult to solve, this is clearly not true for all instances. An important task for the field of cryptography is therefore to identify a certain subset of hard instances. Ideally, one would like to link the worst-case hardness (i.e. the hardness of the hardest instance) to some average- case hardness, which is the hardness of an instance chosen from some distribution. Indeed, Ajtai [Ajt96] was able to show a reduction between the average-case and the worst-case of a so-called Unique Shortest Vector Problem (USVP). That is, if one is able to break a certain average-case instance (e.g. an instance of a cryptographic scheme like [AD97]) efficiently, one is able to solve any and, therefore, also the hardest instance of the USVP efficiently. However, Ajtai wasn't able to show that the USVP is NP-hard, which is only provable for the Shortest Vector Problem. This indicates that it doesn't seem to be possible to link the average-case hardness and the worst-case hardness of NP-hard problems. However, even if such a link could be established, it is still unclear how fast the problems can be solved for practical instances. Therefore, one has to rely on identifying instances that are practically hard to solve by analyzing the best algorithms for these instances.
