Published by De Gruyter Oldenbourg March 10, 2020

Solving subset sum with small space – Handling cryptanalytic Big Data

Alexander May


Big Data applications are characterized by processing an amount of data too huge to be stored. Cryptographic protocols are by construction supposed to define huge data spaces that cannot be handled by any attacker. Nevertheless, the task of protocol cryptanalysis is to properly select cryptographic parameter lengths that guarantee both efficiency and security. This requires breaking cryptographic protocols and their underlying hardness assumptions for mid-sized parameters. But even for mid-sized parameters, cryptographic search spaces are far too large to be stored. This calls for technical solutions that traverse the search space without storing elements. As an appealingly simple example, we address the subset sum problem, which lies at the heart of many modern cryptographic protocols designed to offer security even against quantum computers. In the subset sum problem, one obtains integers $a_1, \ldots, a_n$ and an integer target $t$, and has to find a subset of the $a_i$'s that sums exactly to $t$. A trivial memory-less algorithm tests, for all $2^n$ subsets, whether their sum equals $t$. It may come as a surprise that there exist memory-less algorithms significantly faster than $2^n$. We give a survey of recent memory-less techniques that apply to, but are not limited to, the subset sum problem. We start by describing a general collision finding technique that was introduced in 1994 in the seminal work of van Oorschot and Wiener. Applied to subset sum, the van Oorschot-Wiener technique leads to a $2^{0.75n}$-algorithm. This was improved in 2011 by Becker, Coron and Joux to $2^{0.72n}$ using the representation technique. Recently, Esser and May presented a memory-less algorithm achieving $2^{0.65n}$ using two-layered collision finding. These running times have to be compared to the optimal $2^{0.5n}$ lower bound for collision finding algorithms.
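The following is an added illustration, not code from the article: a toy memory-less collision search for subset sum using Floyd cycle finding on a pseudo-random walk. The split into two halves, the modulus $2^{n/2}$, the hash-based walk and all names (`solve`, `h`, the instance `A`, `T`) are assumptions of this sketch.

```python
import hashlib
from itertools import count

# Constructed toy instance (not from the article): 14 weights, planted solution.
A = [41203, 17389, 52711, 9466, 60127, 33854, 24591,
     58013, 12977, 47620, 36245, 5831, 29408, 63179]
T = sum(A[i] for i in (0, 3, 4, 8, 9, 13))

def h(flavor, tag, v, bits):
    """Keyed hash to `bits` bits; stands in for a random function."""
    d = hashlib.blake2b(f"{flavor}:{tag}:{v}".encode(), digest_size=8).digest()
    return int.from_bytes(d, "big") % (1 << bits)

def solve(a, t):
    """Return a bitmask of indices whose weights sum to t, storing O(1) values."""
    m = len(a) // 2                      # each half has m weights (len(a) even)
    mod = 1 << m
    def half(z, off):                    # sum of a[off+i] over the set bits i of z
        return sum(a[off + i] for i in range(m) if z >> i & 1)
    for flavor in count():               # fresh pseudo-random walk per flavor
        def side(z):                     # 0: z picks from left half, 1: right half
            return h(flavor, "sel", z, 1)
        def step(z):                     # left sum, or t minus right sum, mod 2^m
            v = half(z, 0) if side(z) == 0 else t - half(z, m)
            return h(flavor, "mix", v % mod, m)
        start = h(flavor, "start", 0, m)
        tort, hare = step(start), step(step(start))
        while tort != hare:              # Floyd phase 1: meet inside the cycle
            tort, hare = step(tort), step(step(hare))
        if hare == start:                # walk has no tail, hence no collision
            continue
        tort = start
        while step(tort) != step(hare):  # phase 2: stop one step before merging
            tort, hare = step(tort), step(hare)
        for x, y in ((tort, hare), (hare, tort)):
            # A collision only matches mod 2^m; confirm it over the integers.
            if side(x) == 0 and side(y) == 1 and half(x, 0) + half(y, m) == t:
                return x | (y << m)

if __name__ == "__main__":
    mask = solve(A, T)
    print([A[i] for i in range(len(A)) if mask >> i & 1])
```

Heuristically, each walk costs about $2^{n/4}$ steps and about $2^{n/2}$ collisions must be inspected before the useful one appears, which matches the $2^{0.75n}$ running time quoted above.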


Funding statement: This work was funded by DFG under Germany’s Excellence Strategy - EXC 2092 CASA - 390781972.


The author wants to thank the anonymous reviewers for their constructive comments.


1. M. Alekhnovich. More on average case vs approximation complexity. In: 44th Annual IEEE Symposium on Foundations of Computer Science, IEEE Proceedings, pp. 298–307, 2003.

2. N. Bansal, S. Garg, J. Nederlof, N. Vyas. Faster space-efficient algorithms for subset sum, k-sum, and related problems. SIAM Journal on Computing 47(5):1755–1777, 2018. doi:10.1137/17M1158203

3. A. Becker, J. S. Coron, A. Joux. Improved generic algorithms for hard knapsacks. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques (Eurocrypt), pp. 364–385. Springer, Berlin, Heidelberg, 2011. doi:10.1007/978-3-642-20465-4_21

4. A. Esser and A. May. Low Weight Discrete Logarithms and Subset Sum in $2^{0.65n}$ with Polynomial Memory, Cryptology ePrint Archive, Report 2019/931, to appear at: Annual International Conference on the Theory and Applications of Cryptographic Techniques (Eurocrypt), 2020.

5. E. Horowitz, S. Sahni. Computing partitions with applications to the knapsack problem. Journal of the ACM 21(2):277–292, 1974. doi:10.1145/321812.321823

6. N. Howgrave-Graham, A. Joux. New generic algorithms for hard knapsacks. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques (Eurocrypt), pp. 235–256. Springer, Berlin, Heidelberg, 2010. doi:10.1007/978-3-642-13190-5_12

7. R. Impagliazzo, M. Naor. Efficient cryptographic schemes provably as secure as subset sum. Journal of Cryptology 9(4):199–216, 1996. doi:10.1109/SFCS.1989.63484

8. T. Kleinjung, K. Aoki, J. Franke, A. K. Lenstra, E. Thomé, J. W. Bos, P. Gaudry, A. Kruppa, P. L. Montgomery, D. A. Osvik, H. Te Riele. Factorization of a 768-bit RSA modulus. In: Annual Cryptology Conference, pp. 333–350. Springer, Berlin, Heidelberg, 2010. doi:10.1007/978-3-642-14623-7_18

9. A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. In: International Workshop on Public Key Cryptography. Springer, Berlin, Heidelberg, 2000. doi:10.1007/978-3-540-46588-1_30

10. J. M. Pollard. A Monte Carlo method for factorization. BIT Numerical Mathematics 15(3):331–334, 1975. doi:10.1007/BF01933667

11. O. Regev. On lattices, learning with errors, random linear codes, and cryptography. Journal of the ACM 56(6):34, 2009. doi:10.1145/1060590.1060603

12. J. A. Silva, E. R. Faria, R. C. Barros, E. R. Hruschka, A. C. De Carvalho, J. Gama. Data stream clustering: A survey. ACM Computing Surveys 46(1):13, 2013. doi:10.1145/2522968.2522981

13. P. W. Shor. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Review 41(2):303–332, 1999. doi:10.1137/S0036144598347011

14. P. C. van Oorschot, M. J. Wiener. Parallel collision search with cryptanalytic applications. Journal of Cryptology 12(1):1–28, 1999. doi:10.1007/PL00003816

15. D. E. Knuth. The art of computer programming 2: Seminumerical algorithms. Addison Wesley Publishing Company, 1969.

Received: 2019-10-08
Revised: 2020-02-19
Accepted: 2020-02-23
Published Online: 2020-03-10
Published in Print: 2020-05-27

© 2020 Walter de Gruyter GmbH, Berlin/Boston