In the average-case $k$-SUM problem, given $r$ integers chosen uniformly at random from $\{0,\dots,M-1\}$, the objective is to find a "solution" set of $k$ numbers that sum to $0$ modulo $M$. In the dense regime of $M \leq r^k$, where solutions exist with high probability, the complexity of these problems is well understood. Much less is known in the sparse regime of $M\gg r^k$, where solutions are unlikely to exist. In this work, we initiate the study of the sparse regime for $k$-SUM and its variant $k$-XOR, especially their planted versions, where a random solution is planted in a randomly generated instance and has to be recovered. We provide evidence for the hardness of these problems and suggest new applications to cryptography.

Complexity. First we study the complexity of these problems in the sparse regime and show:

- Conditional Lower Bounds. Assuming established conjectures about the hardness of average-case (non-planted) $k$-SUM/$k$-XOR when $M = r^k$, we provide non-trivial lower bounds on the running time of algorithms for planted $k$-SUM when $r^k\leq M\leq r^{2k}$.
- Hardness Amplification. We show that for any $M \geq r^k$, if an algorithm running in time $T$ solves planted $k$-SUM/$k$-XOR with success probability $\Omega(1/\text{polylog}(r))$, then there is an algorithm running in time $\tilde{O}(T)$ that solves it with probability $(1-o(1))$.
- New Reductions and Algorithms. We provide reductions for $k$-SUM/$k$-XOR from search to decision, as well as worst-case and average-case reductions to the Subset Sum problem from $k$-SUM, as well as a new algorithm for average-case $k$-XOR at low densities.

Cryptography. We show that by additionally assuming mild hardness of $k$-XOR, we can construct Public Key Encryption (PKE) from a weaker variant of the Learning Parity with Noise (LPN) problem than was known before.
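The planted $k$-SUM problem defined above, as an added Python example that is not taken from the paper: it samples a planted instance and recovers the solution with the textbook meet-in-the-middle search (about $r^{\lceil k/2\rceil}$ time), which is a standard baseline and not one of the paper's algorithms. The function names, the planting procedure (fix $k-1$ values, set the last to cancel the sum) and the parameters $r=40$, $k=4$ are assumptions chosen for illustration.

```python
import random
from itertools import combinations

def planted_ksum(r, k, M, rng):
    """Sample r uniform values mod M, then plant k of them summing to 0 mod M."""
    xs = [rng.randrange(M) for _ in range(r)]
    planted = sorted(rng.sample(range(r), k))
    # Assumed planting procedure: keep k-1 planted values uniform and
    # overwrite the last one so that the planted sum is 0 mod M.
    *head, last = planted
    xs[last] = (-sum(xs[i] for i in head)) % M
    return xs, planted

def solve_ksum(xs, k, M):
    """Meet-in-the-middle: all k-subsets of indices whose values sum to 0 mod M."""
    a, b = k // 2, k - k // 2
    table = {}
    for left in combinations(range(len(xs)), a):
        table.setdefault(sum(xs[i] for i in left) % M, []).append(left)
    found = set()
    for right in combinations(range(len(xs)), b):
        need = (-sum(xs[i] for i in right)) % M
        for left in table.get(need, ()):
            if set(left).isdisjoint(right):  # a solution uses k distinct indices
                found.add(tuple(sorted(left + right)))
    return sorted(found)

def recover(r, k, M, seed=1):
    """Build a constructed planted instance and return (planted, all solutions)."""
    rng = random.Random(seed)
    xs, planted = planted_ksum(r, k, M, rng)
    return tuple(planted), solve_ksum(xs, k, M)

if __name__ == "__main__":
    r, k = 40, 4
    # Sparse: M = r^(2k), so the planted set is almost surely the only solution.
    # Dense: M = 1000 <= r^k, so the planted set hides among many random solutions.
    for label, M in (("sparse M=r^(2k)", r ** (2 * k)), ("dense M=1000", 1000)):
        planted, sols = recover(r, k, M)
        print(label, "| planted:", planted, "| solutions found:", len(sols))
```

In the sparse run the search returns exactly the planted index set, while in the dense run the planted set is one of many solutions, which is why recovery is only a meaningful task in the sparse regime.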