The k-Tree algorithm [Wagner 02] is a non-trivial algorithm for the average-case k-SUM problem that has found widespread use in cryptanalysis. Its input consists of k lists, each containing n integers from a range of size m. Wagner's original heuristic analysis suggested that this algorithm succeeds with constant probability if $n = m^{1/(\log{k}+1)}$, and that in this case it runs in time O(kn). Subsequent rigorous analysis of the algorithm [Lyubashevsky 05, Shallue 08, Joux-Kippen-Loss 24] has shown that it succeeds with high probability if the input list sizes are significantly larger than this. We present a broader rigorous analysis of the k-Tree algorithm, showing upper and lower bounds on its success probability and complexity for any size of the input lists. Our results confirm Wagner's heuristic conclusions, and also give meaningful bounds for a wide range of list sizes that are not covered by existing analyses. We present analytical bounds that are asymptotically tight, as well as an efficient algorithm that computes (provably correct) bounds for a wide range of concrete parameter settings. We also do the same for the k-Tree algorithm over Z_m. Finally, we present an experimental evaluation of the tightness of our results.
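To make the success-probability question concrete, here is a small k-Tree implementation over Z_m with an empirical success-rate estimator. It is an added example, not code from the paper. It assumes m = 2^bits, k a power of two, and the usual merge rule of clearing low-order bits level by level; the names `merge`, `k_tree` and `success_rate` are chosen here.

```python
import random
from collections import defaultdict

def merge(A, B, mod, m):
    """Join two lists of (value, witness): keep pairs whose sum is 0 modulo `mod`."""
    index = defaultdict(list)
    for vb, wb in B:
        index[(-vb) % mod].append((vb, wb))
    return [((va + vb) % m, wa + wb)
            for va, wa in A for vb, wb in index.get(va % mod, ())]

def k_tree(lists, bits):
    """Return tuples (x_1..x_k), x_i taken from lists[i], summing to 0 mod 2**bits.

    Only solutions whose partial sums pass every intermediate filter are found,
    so an empty result does not prove that no solution exists.
    """
    k, m = len(lists), 1 << bits
    assert k >= 2 and k & (k - 1) == 0, "k must be a power of two"
    levels = k.bit_length() - 1          # log2(k) merge levels
    ell = bits // (levels + 1)           # low bits cleared per inner level
    layer = [[(x % m, (x,)) for x in L] for L in lists]
    for j in range(1, levels + 1):
        # Inner levels clear ell more low bits; the last level demands 0 mod m.
        mod = m if j == levels else 1 << (j * ell)
        layer = [merge(layer[i], layer[i + 1], mod, m)
                 for i in range(0, len(layer), 2)]
    return [w for _, w in layer[0]]

def success_rate(k, bits, n, trials, seed=0):
    """Fraction of uniformly random instances on which k_tree finds a solution."""
    rng, m = random.Random(seed), 1 << bits
    hits = 0
    for _ in range(trials):
        lists = [[rng.randrange(m) for _ in range(n)] for _ in range(k)]
        hits += bool(k_tree(lists, bits))
    return hits / trials

if __name__ == "__main__":
    bits, k = 12, 4                      # constructed toy parameters
    n0 = 1 << (bits // 3)                # n = m^(1/(log k + 1)) for k = 4
    for n in (n0 // 2, n0, 2 * n0, 4 * n0):
        print(f"n={n:3d}  empirical success rate={success_rate(k, bits, n, 200):.2f}")
```

Running the script sweeps list sizes around Wagner's threshold, showing how the empirical success rate changes with n.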