Improving Lagarias-Odlyzko Algorithm For Average-Case Subset Sum: Modular Arithmetic Approach

Lagarias and Odlyzko (J.~ACM~1985) proposed a polynomial time algorithm for solving ``\emph{almost all}'' instances of the Subset Sum problem with $n$ integers of size $\Omega(\Gamma_{\text{LO}})$, where $\log_2(\Gamma_{\text{LO}}) > n^2 \log_2(\gamma)$ and $\gamma$ is a parameter of the lattice basis reduction ($\gamma > \sqrt{4/3}$ for LLL). The algorithm of Lagarias and Odlyzko is a cornerstone result in cryptography. However, the theoretical guarantee on the density of feasible instances has remained unimproved for almost 40 years. In this paper, we propose an algorithm to solve ``almost all'' instances of Subset Sum with integers of size $\Omega(\sqrt{\Gamma_{\text{LO}}})$ after a single call to the lattice reduction. Additionally, our argument allows us to solve the Subset Sum problem for multiple targets while the previous approach could only answer one target per call to lattice basis reduction. We introduce a modular arithmetic approach to the Subset Sum problem. The idea is to use the lattice reduction to solve a linear system modulo a suitably large prime. We show that density guarantees can be improved, by analysing the lengths of the LLL reduced basis vectors, of both the primal and the dual lattices simultaneously.