Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

On Wagner's k-Tree Algorithm Over Integers

Haoxing Lin, Prashant Nalini Vasudevan

TL;DR

A broader rigorous analysis of the k-Tree algorithm, showing upper and lower bounds on its success probability and complexity for any size of the input lists, and confirming Wagner's heuristic conclusions.

Abstract

The k-Tree algorithm [Wagner 02] is a non-trivial algorithm for the average-case k-SUM problem that has found widespread use in cryptanalysis. Its input consists of k lists, each containing n integers from a range of size m. Wagner's original heuristic analysis suggested that this algorithm succeeds with constant probability if n = m^{1/(\log{k}+1)}, and that in this case it runs in time O(kn). Subsequent rigorous analysis of the algorithm [Lyubashevsky 05, Shallue 08, Joux-Kippen-Loss 24] has shown that it succeeds with high probability if the input list sizes are significantly larger than this. We present a broader rigorous analysis of the k-Tree algorithm, showing upper and lower bounds on its success probability and complexity for any size of the input lists. Our results confirm Wagner's heuristic conclusions, and also give meaningful bounds for a wide range of list sizes that are not covered by existing analyses. We present analytical bounds that are asymptotically tight, as well as an efficient algorithm that computes (provably correct) bounds for a wide range of concrete parameter settings. We also do the same for the k-Tree algorithm over Z_m. Finally, we present experimental evaluation of the tightness of our results.

On Wagner's k-Tree Algorithm Over Integers

TL;DR

A broader rigorous analysis of the k-Tree algorithm, showing upper and lower bounds on its success probability and complexity for any size of the input lists, and confirming Wagner's heuristic conclusions.

Abstract

The k-Tree algorithm [Wagner 02] is a non-trivial algorithm for the average-case k-SUM problem that has found widespread use in cryptanalysis. Its input consists of k lists, each containing n integers from a range of size m. Wagner's original heuristic analysis suggested that this algorithm succeeds with constant probability if n = m^{1/(\log{k}+1)}, and that in this case it runs in time O(kn). Subsequent rigorous analysis of the algorithm [Lyubashevsky 05, Shallue 08, Joux-Kippen-Loss 24] has shown that it succeeds with high probability if the input list sizes are significantly larger than this. We present a broader rigorous analysis of the k-Tree algorithm, showing upper and lower bounds on its success probability and complexity for any size of the input lists. Our results confirm Wagner's heuristic conclusions, and also give meaningful bounds for a wide range of list sizes that are not covered by existing analyses. We present analytical bounds that are asymptotically tight, as well as an efficient algorithm that computes (provably correct) bounds for a wide range of concrete parameter settings. We also do the same for the k-Tree algorithm over Z_m. Finally, we present experimental evaluation of the tightness of our results.

Paper Structure

This paper contains 51 sections, 23 theorems, 177 equations, 9 figures, 21 algorithms.

Table of Contents

  1. Introduction
  2. Paper Outline.
  3. Our Results
  4. Analytical Bounds.
  5. Computational Bounds.
  6. Using Our Bounds.
  7. Experimental Evaluation.
  8. Technical Overview
  9. Setup.
  10. Heuristic Analysis.
  11. Relaxing the Assumptions.
  12. Computing the Expectation.
  13. Concentration.
  14. Computing the Second Moment.
  15. Computing the Lower Bound.
  16. ...and 36 more sections

Key Result

Theorem 1

Consider any $k, n, m\in \mathbb{N}$, where $k \geq 4$ is a power of $2$ and $m > 30^{\log{k}+1}$. Set $p = m^{\frac{-1}{\log{k}+1}}$ and $c = n / m^{\frac{1}{\log{k}+1}}$. The probability of success of the $k$-Tree algorithm is bounded as: Its complexity is bounded as follows:

Figures (9)

  • Figure 1: The $k$-Tree algorithm over Integers
  • Figure 2: Plot of upper and lower bounds on success probabilities against the input list size $n$. Bounds from both \ref{['infthm:ktree', 'infthm:program']} are represented. The quantity $c$ is defined to be the ratio $n/m^{1/(\log{k}+1)}$. Labels on the x-axis are $\log_2(n)$, with the corresponding value of $c$ in square brackets.
  • Figure 3: Plots of the complexity of the $k$-Tree algorithm that is sufficient to provably achieve success probability of $0.01$, against $k$. Input list size in each case is chosen so that the lower bound on success probability is slightly larger than $0.01$. Computed using \ref{['infthm:program']}.
  • Figure 4: Comparison of bounds produced by \ref{['infthm:program']} with those of Shallue08 and JKL24. For the other papers, we plot the minimum complexity of $k$-Tree for which they show non-trivial lower bounds on success probability (usually close to $1$). In our case, we plot the smallest complexity of $k$-Tree for which the lower bound on success probability produced by \ref{['infthm:program']} is at least $0.5$.
  • Figure 5: The $k$-Tree algorithm over Integers
  • ...and 4 more figures

Theorems & Definitions (61)

  • Theorem 1
  • Corollary 1.1
  • Theorem 2
  • Remark 1.2: Simple Optimizations
  • Remark 1.3: Measure of Complexity
  • Remark 1.4: Integers vs. $\mathbb{Z}_m$
  • Theorem 2.1
  • Corollary 2.2
  • Proposition 2.3
  • Proposition 2.4
  • ...and 51 more