 Welcome and thank you for watching this video. I am Agnese and I will present our polynomial time algorithm for solving the hidden subset sum problem. This is joint work with Jean-Sébastien Coron. Well, our main goal is to solve the hidden subset sum problem, so let me introduce it first. The hidden subset sum problem is closely related to the subset sum problem, which has been widely studied over the years, and essentially in the subset sum problem we have an integer h and a set of integers alpha 1, ..., alpha n, and we know that h is the sum of a subset of these integers. The problem then is to identify such a subset. Well, usually this problem is formulated by using binary coefficients in the sum, in the way that you can see in this slide, so that the problem becomes to determine such binary coefficients given h and the weights alpha i's. In the hidden subset sum problem we have many subset sums with respect to the same weights alpha i's, and the problem is, given these sums h1, ..., hm, to recover both the binary coefficients and the weights. So in this case, in the hidden subset sum problem, the weights are hidden too. And notice that this fact implies that the standard lattice attacks for the subset sum problem are not applicable in this case. In general, it is convenient to state this problem in a more compact manner. Indeed, we can rewrite this modular system using vectors in this way, and then more formally in the hidden subset sum problem we consider n integers alpha 1, ..., alpha n defined mod q and n binary vectors x1, ..., xn which have length m. We then call h the samples vector satisfying this vectorial equation. And the problem is the following: given the modulus q and the samples vector h, recover both the hidden weights alpha i's and the binary vectors xi's. In this talk I will usually consider the vectors as row vectors and denote by capital X the matrix whose rows are the xi's. Then X is a binary matrix. A bit of history.
Well, at Eurocrypt '98 Boyko, Peinado and Venkatesan presented a fast generator of DLP random pairs whose security relies on the hardness of the hidden subset sum problem. And then the following year at Crypto, Crypto '99, Nguyen and Stern described a lattice-based algorithm for solving the hidden subset sum problem and also its impact on cryptography. Well, although for small n their algorithm is efficient, they were not able to break the problem for n greater than 90. Then in our paper we provide a rigorous analysis of their algorithm and we justify such practical behavior. In addition we provide a variant of the Nguyen-Stern algorithm which works in heuristic polynomial time. So in this talk I will first present the Nguyen-Stern attack, secondly I will describe our algorithm for solving the hidden subset sum problem. Then I will also introduce the affine variant of the hidden subset sum problem, which has some cryptographic applications, and I will explain how both the algorithms, ours and the Nguyen-Stern algorithm, are applicable to this variant too. And finally I will conclude with some final remarks and open questions. So let's describe the Nguyen-Stern attack. Remember that as input we have only the modulus and the samples vector h. And we want to recover the hidden weights alpha and the binary vectors xi's. And we also know that this equation in the box relates them. The nice idea behind the Nguyen-Stern attack is then the following. If a vector u is orthogonal to h mod q, using this equation we have that the vector of projections pu, which is defined in this slide, must be in the orthogonal to alpha mod q. Well, then clearly if pu is shorter than the shortest vector of such lattice, the lattice of vectors orthogonal to alpha mod q, then pu must be 0, but pu equal to 0 implies, I mean it is equivalent to, u orthogonal to the lattice generated by the xi's, by the binary vectors.
So in other words, if q is sufficiently large, it is possible to recover the orthogonal of the lattice generated by the xi's from the lattice of vectors orthogonal to h mod q, and h and q are the inputs of the algorithm. So this was the Nguyen-Stern idea: using an orthogonal lattice attack to solve the hidden subset sum problem. So following this intuition the Nguyen-Stern attack is divided into two main steps. First, from h this algorithm computes a matrix C satisfying a similar equation, but the point is that C may not be binary. Then in a second step from C it computes the binary matrix X and consequently alpha, the vector containing the weights. So more precisely, following the idea I just described, if Lx is the lattice generated by the xi's, the binary vectors, the first step of the algorithm computes the completion of Lx, namely it first computes the orthogonal lattice of Lx from h and q and then it computes the orthogonal again of this lattice, finding the completion. So the matrix C is actually a basis of this lattice Lx bar, which is the orthogonal of the orthogonal. Then we have that Lx is a full rank sublattice of its completion and the xi's are short, thus the second step uses a lattice reduction strategy to recover the xi's. In our paper we analyzed this algorithm. Regarding step one, well, we just say that step one of the Nguyen-Stern attack recovers a basis of the completion when q, the modulus, is sufficiently large. We rigorously proved that with good probability this happens if the logarithm of the modulus is at least 2mn log m, where m is the number of samples and n is the number of weights, and also this happens in polynomial time. In the Nguyen-Stern paper the suggested number of samples is 2n, hence linear in n. Indeed, in our paper we proved that this is optimal, this value is optimal in terms of complexity. We also observed that heuristically the minimal subset sum density for which the attack is polynomial can be actually dropped to 1 over n.
Regarding the second step, in our paper we describe a simple model showing that the xi's are very short vectors of Lx, and for this reason in order to recover them one has to use BKZ with very large block size. So this implies that the asymptotic time complexity cannot be polynomial, and you can read in this slide the expected time complexity. So the bottleneck of the Nguyen-Stern attack is the second step, and the reason is that it uses a lattice reduction algorithm to find very short vectors. In our paper we solve this issue by introducing a new approach. Okay, let's see our polynomial time algorithm. Well, our attack is a variant of the attack I've just discussed. Indeed, we have the same overall structure in two steps, but our second step is completely different as it doesn't involve any notion of lattice reduction. However, to obtain a polynomial time complexity we require the length of the input vector h, which is the number of samples m, to be quadratic in n instead of linear as in the Nguyen-Stern attack. And I will explain why later. So our algorithm has two steps as the previous one. The first one is actually an improvement of the Nguyen-Stern first step. More specifically, m is larger, then we need to generate more orthogonal vectors, and in the paper we describe a method to do it with the same asymptotic cost. The second step is an algorithm to recover binary vectors using a multivariate approach. So in our second step we don't use lattice reduction but we use a multivariate approach to find the xi's. In the next slides I will describe the idea of our second step and I invite you to read the full version of the paper for all the details of the algorithm. Okay, let's describe now our new second step with a multivariate approach. There are two crucial observations. The first is that Lx is a full rank sublattice of its completion. Then there exists an integer invertible matrix W such that X is equal to WC. Remember that C is the output of the first step.
It's the basis of the completion. The latter observation is that being binary is an algebraic condition. And here I mean that a number is 0 or 1 if and only if it satisfies this quadratic equation. Now we have to mix these two ingredients. So each xi, each binary vector, is the product of a row of W, that here is denoted by wi, and the matrix C. More precisely, the jth component of xi, which is xij, is wi times the jth column of C. And since xij is also binary, it must satisfy the quadratic equation which was in the previous slides. So this implies that for each column of C we have a quadratic equation in the components of wi. Therefore the rows of W are solutions of this multivariate quadratic polynomial system with n variables and m equations; m like the number of samples and n like the number of hidden weights. And this leads us to the condition n quadratic in m. And before explaining this last statement I just want to underline that what follows also implies that it isn't necessary to work with the system explicitly. We never have to write the system with the variables in our algorithm. Indeed, the coefficients of the monomials of this system depend only on C. So we can construct first the matrix R corresponding to the coefficients of the monomials of degree 2. Subsequently, augmenting it by minus C, we obtain a matrix E which is the matrix of the coefficients of the full system. In this way we obtain a representation of the system from C directly. And the key point is that from such a representation we can compute the target vectors via linear algebra, by using linear algebra only. In fact, in the paper we describe a method to recover the rows of W by computing eigenspaces of certain submatrices of a specific basis of the kernel of E. This is a bit technical but all the details are in the paper. The important fact is that in our second step we just use linear algebra to output the target vectors.
Moreover, using the notation that is introduced in this slide, we can finally state the rigorous condition under which this strategy, this second step, succeeds. Namely, if the matrix R of the degree 2 coefficients has rank n squared plus n over 2, then the vectors xi's, the binary vectors, can be recovered in n to the power of 6 arithmetic operations. And notice that this hypothesis can be verified only if m is greater than n squared plus n over 2. And here is where the condition m quadratic in n comes from. Well, in practice it is convenient to work modulo small odd primes, since X is binary, and we observe that p equal to 3 is always sufficient. Moreover, we notice that heuristically this condition is always verified for m approximately n squared plus n over 2, and this holds also mod 3. And for this reason we expect to recover the xi's for such a value of m. And this explains why for m quadratic in n we have a heuristic polynomial time algorithm. So summarizing, we presented both the Nguyen and Stern algorithm and our variant. In the second step we used a multivariate approach instead of lattice reduction, and thanks to this new approach we obtain a polynomial algorithm when the number of samples is quadratic in n. Nevertheless, with our improved step 1 we don't have to increase the size of the modulus, nor does the asymptotic time complexity of the first step change. And actually in our algorithm the time complexity is dominated by the first step running time. We also performed some practical experiments which confirmed this analysis. Before concluding I want to briefly present also the affine variant of the hidden subset sum problem. The affine hidden subset sum problem is, as I said, a variant of the hidden subset sum problem having cryptographic applications too, like the cryptanalysis of the DLP generator in the Schnorr signature. In the affine hidden subset sum problem we have an additional input vector e and an additional hidden coefficient s.
And we have this equation satisfied. So in the Nguyen-Stern paper it is observed that it is possible to modify the original attack in order to solve this further problem. And in particular the modification is made in the first step, and so the noise vector is involved only in this part of the algorithm. This implies that our second step is applicable directly also to this variant, and it implies also that we obtain a polynomial time algorithm for this problem too. So as a conclusion, in our paper we analysed the Nguyen and Stern attack for solving the hidden subset sum problem and we argued that asymptotically the Nguyen and Stern attack is not polynomial time. So it isn't polynomial time. Indeed, we identified the bottleneck and we proposed a new and completely different approach to recover the short binary vectors. Moreover, we observed that asymptotically the heuristic time complexity of our full algorithm is of the order of n to the power of 9. Well, the main open questions are whether it is possible to further reduce the number of samples and the size of the modulus. Well, in the full version of the paper we provide two methods to slightly reduce m. However, in both cases we still need a quadratic number of samples to have a polynomial running time. That's it. Thank you for your attention and I encourage you to read the full version of the paper, where you can find all the details and the results of the practical experiments, and our code is also available online. Thank you again for watching this video and enjoy the conference.
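
The quadratic system behind the multivariate second step described in the talk, as an added example that is not taken from the talk or from the authors' published code: it builds R and E = [R | -C^T] from a non-binary basis C and checks mod 3 that the rows of W lie in the kernel of E and that R meets the rank condition. The matrices X, U, W and all function names are constructed for illustration; the eigenspace computation that recovers W from the kernel is not implemented here.

```python
from itertools import combinations_with_replacement

P = 3  # small odd prime, as suggested in the talk
# Constructed sample: n = 3 hidden binary vectors (rows of X), m = 8 samples.
X = [[1, 0, 0, 1, 1, 0, 1, 0],
     [0, 1, 0, 1, 0, 1, 1, 0],
     [0, 0, 1, 0, 1, 1, 1, 0]]
# Constructed unimodular U with inverse W: C = U*X is non-binary, X = W*C.
U = [[1, 2, 0], [0, 1, 3], [0, 0, 1]]
W = [[1, -2, 6], [0, 1, -3], [0, 0, 1]]
def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]

def build_R_E(C, p=P):
    # Row j holds the coefficients of (w.c_j)^2 - (w.c_j) = 0 for column c_j of C.
    pairs = list(combinations_with_replacement(range(len(C)), 2))
    R, E = [], []
    for col in zip(*C):
        quad = [col[k] * col[l] * (1 if k == l else 2) % p for k, l in pairs]
        R.append(quad)
        E.append(quad + [(-c) % p for c in col])  # E = [R | -C^T]
    return R, E

def lift(w, p=P):
    # Monomial vector (w_k*w_l for k <= l) followed by w itself.
    pairs = combinations_with_replacement(range(len(w)), 2)
    return [w[k] * w[l] % p for k, l in pairs] + [x % p for x in w]

def in_kernel(E, v, p=P):
    return all(sum(a * b for a, b in zip(row, v)) % p == 0 for row in E)

def rank_mod_p(M, p=P):
    M, rank = [row[:] for row in M], 0
    for c in range(len(M[0])):
        piv = next((r for r in range(rank, len(M)) if M[r][c] % p), None)
        if piv is None:
            continue
        M[rank], M[piv] = M[piv], M[rank]
        inv = pow(M[rank][c], -1, p)
        M[rank] = [x * inv % p for x in M[rank]]
        for r in range(len(M)):
            if r != rank and M[r][c] % p:
                f = M[r][c]
                M[r] = [(a - f * b) % p for a, b in zip(M[r], M[rank])]
        rank += 1
    return rank

C = matmul(U, X)
R, E = build_R_E(C)
```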