Solving subset sum with small space – Handling cryptanalytic Big Data

摘要

Big Data applications are characterized by processing an amount of data too huge to be stored. Cryptographic protocols are by construction supposed to define huge data spaces that cannot be handled by any attacker. Nevertheless, the task of protocol cryptanalysis is to properly select cryptographic parameter lengths that guarantee both efficiency and security. This requires to break cryptographic protocols and their underlying hardness assumptions for mid-sized parameters. But even for mid-sized parameters cryptographic search spaces are way too huge to be stored. This asks for technical solutions that traverse the search space without storing elements. As an appealingly simple example, we address the subset sum problem which lies at the heart of many modern cryptographic protocols designed to offer security even against quantum computers. In the subset sum problem, one obtains integers a1,…,an{a_{1}},dots ,{a_{n}} and an integer target t, and has to find a subset of the ai{a_{i}}’s that exactly sums to t. A trivial memory-less algorithm tests for all 2n{2^{n}} subsets, whether their sum equals t. It may come as a surprise that there exist memory-less algorithms significantly faster than 2n{2^{n}}. We give a survey on recent memory-less techniques, that apply but are not limited to the subset sum problem. We start by describing a general collision finding technique that was introduced in 1994 in the seminal work of van Oorschot and Wiener. Applied to subset sum the van Oorschot-Wiener technique leads to a 20.75n{2^{0.75n}}-algorithm. This was improved in 2011 by Becker, Coron and Joux to 20.72n{2^{0.72n}} using the representation technique. Recently, Esser and May presented a memory-less algorithm achieving 20.65n{2^{0.65n}} using two-layered collision finding. These running times have to be compared to the optimal 20.5n{2^{0.5n}} lower bound for collision finding algorithms.