New Time-Memory Trade-Offs for Subset Sum – Improving ISD in Theory and Practice

Abstract

We propose new time-memory trade-offs for the random subset sum problem defined on \((a_1,\ldots ,a_n,t)\) over \(\mathbb {Z}_{2^n}\). Our trade-offs yield significant running time improvements for every fixed memory limit \(M\ge 2^{0.091n}\). Furthermore, we interpolate to the running times of the fastest known algorithms when memory is not limited. Technically, our design introduces a pruning strategy to the construction by Becker-Coron-Joux (BCJ) that allows for an exponentially small success probability. We compensate for this reduced probability by multiple randomized executions. Our main improvement stems from the clever reuse of parts of the computation in subsequent executions to reduce the time complexity per iteration.

As an application of our construction, we derive the first non-trivial time-memory trade-offs for Information Set Decoding (ISD) algorithms. Our new algorithms improve on previous (implicit) trade-offs asymptotically as well as practically. Moreover, our optimized implementation also improves on running time, due to reduced memory access costs. We demonstrate this by obtaining a new record computation in decoding quasi-cyclic codes (QC-3138). Using our newly obtained data points we then extrapolate the hardness of suggested parameter sets for the NIST PQC fourth round candidates McEliece, BIKE and HQC, lowering previous estimates by up to 6 bits and further increasing their reliability.

Funded by BMBF under Industrial Blockchain-iBlockchain.

A Generalization to Arbitrary Depth d

Note that in general we have

$$ \mathcal {L}_{i+1}=\frac{(q_i\cdot \mathcal {L}_i)^2}{2^{\ell _i}}, $$

where \(\ell _i\) is the additional bitwise constraint introduced on level i. The time and memory complexity are then given as before. The saturation constraints extend to

$$ q_i\cdot \mathcal {L}_i \le \frac{|D_i|}{2^{\ell _1+\ldots +\ell _i}}\text { for }i=2,\ldots , d-1, $$

where d is the depth of the tree. Together with the definition of the filtering probability given in Eq. (4), we can rewrite the saturation constraints for each level i as

$$ \sum _{j=1}^i (2^{i-j}-1)\ell _j \ge \sum _{j=1}^i 2^{i-j}\cdot r_j \text { for } i=1,\ldots d-2, $$

where there exist \(2^{r_j}\) different representations of any element from \(D_{j+1}\) as a sum of two elements from \(D_j\). Finally, the requirement of finding one representation of the solution in the final list is expressed via the condition

$$ q_d \cdot \mathcal {L}_d = 1, $$

which similar to the saturation constraints rewrites to

$$\begin{aligned} \sum _{j=1}^{d-1} (2^{d-j}-1)\ell _j = \sum _{j=1}^{d-1} 2^{d-j-1}\cdot r_j. \end{aligned}$$

(8)