Random Fixed-Size Subset Sum

• RFSS is a combinatorial problem that asks for a k-element subset from n elements whose sum meets a target, with relevance to cryptanalysis and neural network design.
• Advanced splitting systems and the k-set birthday collision method are key to managing the prohibitive time and space costs in exploring all possible subsets.
• Probabilistic threshold analyses and time–space trade-offs provide practical insights, guiding implementations in cryptographic security and sparse neural network expressivity.

The Random Fixed-Size Subset Sum (RFSS) problem asks, for a collection of $n$ elements (either as integers or i.i.d. random variables), about the existence or enumeration of $k$-element subsets whose sum achieves a prescribed target. Appearing both as a core component of cryptanalytic attacks on knapsack-type schemes and as an analytic tool in recent results on neural network expressivity, the RFSS blends extremal combinatorics, additive probability, and algorithmic number theory. The fixed-size constraint introduces nontrivial combinatorial dependencies, contrasting with unrestricted subset sum and fundamentally changing both algorithmic strategies and probabilistic thresholds.

1. Formal Definitions and Problem Variants

Let $a_1,\dots,a_n$ be elements of an abelian group (for cryptographic applications, typically positive integers or elements of $\mathbb{Z}/m\mathbb{Z}$; for probabilistic/statistical applications, they are usually i.i.d. random variables). For a fixed integer $k$ and target $t$, the RFSS problem requires finding a subset $Y\subseteq\{1,\dots,n\}$ of size $|Y| = k$ such that

$\sum_{i \in Y} a_i = t.$

In vector notation, one seeks $x \in \{0,1\}^n$ with $||x||_1 = k$ and $\sum_{i=1}^n a_i x_i = t$. In the modular variant, $a_i$ are drawn uniformly from $\mathbb{Z}/m\mathbb{Z}$, and equality is taken modulo $m$; in the integer variant, $a_i$ are positive integers. In analysis motivated by neural network theory, $a_i$ are often i.i.d. real random variables with mean zero and unit variance, and the focus shifts to the approximation of an arbitrary $z$ in an interval by a sum of $k$ of the $a_i$ up to some $\varepsilon$.

The brute-force approach requires checking all $\binom{n}{k}$ subsets, incurring prohibitive time and space costs for large $n,k$.

2. Algorithmic Approaches: Generalized Splitting and $k$-Set Birthday Collision

For the modular RFSS, division algorithms proceed by partitioning the $n$-element index set into $k=2^r$ blocks, each of roughly $n/k$ elements, via an $(n,k,k)$-splitting system. Each division $D\in\mathcal{D}$ partitions $X=\{1,\dots,n\}$ into $(I_1,\dots,I_k)$ so that any $k$-element subset $Y$ aligns with some division, such that $|Y\cap I_j|$ matches a prescribed splitting according to $k$ and $n$.

Stinson's original “2-set splitting” is generalized to arbitrary $k=2^r$, with the guarantee that the family $\mathcal{D}$ of divisions has size $O(n^{k-1})$ and that for every $k$-subset $Y$ there exists at least one division with the desired block intersection property. Selecting a random division ensures that, with probability $\Omega(k^{(1-k)/2})$, the division is "good" for the unknown solution.

On each block, one enumerates the modular sums of all possible size-$k$ subsets, collecting lists $L_1,\dots,L_k$ (of length $N \sim m^{1/(r+1)}$). The $k$-set birthday method, originally due to Wagner and adapted to subset sum by Lyubashevsky, is used to find, via a multi-stage merging process over $\log_2 k$ rounds, a combination $(s_1,\dots,s_k)$ with $s_j \in L_j$ and $\sum_j s_j \equiv t \pmod{m}$. Each merge is constrained to a progressively smaller interval, dramatically improving collision rates and thus efficiency.

For the integer RFSS, this modular algorithm is lifted by repeatedly applying the birthday collision process and checking—by direct evaluation—whether the identified modular solution corresponds to an integer solution. The expected number of oracle calls until success is $\Theta\left(\frac{\binom{n}{k}}{m}\right)$, yielding the central time–space trade-off: $T \cdot S^{\log_2 k} = O\left(\binom{n}{k}\right).$

3. Probabilistic Thresholds and Sparsity Guarantees

When $a_i$ are i.i.d. random variables, the RFSS asks: for fixed $k$ and $\varepsilon>0$, what is the minimum $n$ such that, with high probability, for every target $z \in [-\sqrt{k},\sqrt{k}]$, there exists a $k$-element subset whose sum $\varepsilon$-approximates $z$? The main theorem in (Natale et al., 2024) shows that if the distribution of $a_i$ (“sum-bounded” as defined by constants $c_\ell, c_u$, satisfied by Gaussian and Uniform$[-1,1]$) has sufficiently regular convolution densities, then there are absolute $c_{\mathrm{hyp}},c_{\mathrm{thm}}$ such that

$$n \geq c_{\mathrm{hyp}}\,\frac{\log_2(k/\varepsilon)}{H_2(k/n)}$$

guarantees, for every $z$, a $k$-subset sum within $\varepsilon$ of $z$ with probability at least $c_{\mathrm{thm}}$. For simultaneous coverage of all $z$, an extra square-log factor suffices: $$n \geq c_{\mathrm{amp}}\,\frac{(\log_2(k/\varepsilon))^2}{H_2(k/n)}.$$ Here, $H_2(p)$ denotes binary entropy. This threshold is shown to be tight up to absolute constants: if $n$ falls below this, coverage for even a single $z$ fails. The proof employs the second-moment (Paley–Zygmund) method, analyzing the overlap structure among $k$-subsets and the anti-concentration properties of sum-bounded $X_i$.

4. Time–Space Trade-offs, Parallelization, and Regimes

For integer and modular RFSS, the running time/space behavior is summarized as: $$T = O\left( m^{1/(\log k + 1)} \cdot \frac{\binom{n}{k}}{m} \right)$$

$S = O\left(m^{1/(\log k + 1)}\right)$

which rearranges to

$T \cdot S^{\log_2 k} = O(\binom{n}{k}).$

Selecting $k$ to balance time and space, small $k$ (e.g., $k=2$) yields the standard baby-step/giant-step curve $T S^2 = O(\binom{n}{k})$ (square-root time, quarter-root space); larger $k$ raises the exponent, e.g., $k=4$ yields $T S^4=O(\binom{n}{k})$. The choice of modulus $m$ and list sizes $N$ is fine-tuned to ensure collision likelihood and independence of the modular oracles. Each trial is embarrassingly parallel, and the expected time drops roughly linearly with $P$ processors until space limits dominate.

A table summarizing the time–space trade-off regimes follows:

$k$	Trade-off curve	Space cost per trial
2	$T S^2 = O(\binom{n}{k})$	$S = O(m^{1/2})$
$2^r$	$T S^r = O(\binom{n}{k})$	$S = O(m^{1/(r+1)})$
Large $k$	$T S^{\log_2 k}=O(\binom{n}{k})$	$S = O(m^{1/(\log k + 1)})$

5. Limitations, Robustness, and Comparison to Lattice Attacks

Classical lattice-based attacks apply to low-density subset sum instances, converting the problem to CVP or SVP in high-dimensional lattices, with practical performance when the information density $n/\log A \lesssim 1$. For cryptographic schemes using fixed-weight subset sums, the bit-security can be packed into larger $n$ at higher density (as measured by $\log \binom{n}{k}/\log A$), exceeding the critical threshold and causing lattice reduction methods to fail. Division algorithms for RFSS, by contrast, are agnostic to the density and work for arbitrarily high densities provided the combinatorics of the splitting and list-filling steps are feasible.

Regarding the probabilistic variant (random RFSS with i.i.d. variables), the sum-boundedness condition is essential. The bounds are shown to be essentially tight: coverage fails below the stated threshold for $n$. A plausible implication is that further improvements would require either relaxing the subset-size constraint or assuming additional structure in the distribution of $a_i$.

6. Applications to Cryptography and Neural Network Expressivity

In cryptography, RFSS forms the security core of modern knapsack-based systems: a solution to the RFSS for the public key sequence and the ciphertext results directly in a message attack. The time–space trade-off of division algorithms delineates the security margin, especially at high densities unreached by lattice methods.

Recent work on neural network expressivity, notably the Strong Lottery Ticket Hypothesis (SLTH) (Natale et al., 2024), identifies the RFSS as a technical bottleneck. Achieving sparse winning tickets in random neural networks requires constructing, for every target weight, a realization as a sum of exactly $k$ random weights with prescribed approximation error. By applying the RFSS bounds, one can fix the sparsity level (i.e., exact $k$) and guarantee that, after pruning, only $k$ edges per target remain, establishing the first nontrivial density–overparameterization relationship for the existence of sparse subnetworks approximating arbitrary targets in deep nets. The scaling

$$n^* \sim \frac{(\log_2(2\ell d_{i-1} d_i n_i^*/\varepsilon))^2}{H_2(k/n_i^*)}$$

captures, for each layer, the overparameterization needed to guarantee that every target weight can be constructed via $k$ random active connections with the prescribed error.

7. Empirical Results and Observed Scaling

Experiments conducted for moderate $n$ (e.g., $n=24$), integer density $0.9$, and several modular densities verify the predicted scaling laws. For each $k$–set algorithm (e.g., $k=2,4,8$), the observed number of modular oracle solutions until an integer hit aligns with the theoretical expectation $\binom{n}{k}/m$ up to moderate variance. As $k$ increases, the success rate per trial drops and runtime grows, reflecting the underlying $T S^{\log_2 k} = O(\binom{n}{k})$ trade-off. Parallel implementation is straightforward, yielding nearly linear improvement with increased processor count until the space constraint dominates.

$d_m$	2-set $N_o$/th.	4-set $N_o$/th.	8-set $N_o$/th.
1.5	209/256	168/256	265/256
2.0	1955/4096	5436/4096	1831/4096
4.0	$3.5 \times 10^5$/ $2.6 \times 10^5$	$2.6 \times 10^5$/ $2.6 \times 10^5$	$3.3 \times 10^5$/ $2.6 \times 10^5$

This data confirms the essential correctness and practical scalability of the division algorithm and associated trade-off, as well as the presence of moderate variance around the mean.

---

In summary, the Random Fixed-Size Subset Sum problem serves as a central object in both cryptanalytic and expressive-combinatorial settings. Division algorithms, $k$-set splitting systems, and probabilistic threshold analyses together provide rigorous, tight bounds on the time–space, sparsity–overparameterization, and success probability trade-offs. These techniques remain effective beyond the reach of classical lattice methods, and provide a foundation for guarantees in the existence and construction of sparse approximators in overparameterized systems.