Knapsack Cryptosystems

Dinara Barshevich, JASS’05, St. Petersburg.

Presentation Transcript


  1. Knapsack Cryptosystems. Dinara Barshevich, JASS’05, St. Petersburg

  2. Brief historical background
     • 1976: Diffie & Hellman – Public Key Cryptosystem
     • 1977: RSA – the first incarnation of such a system
     • 1978: Merkle–Hellman Cryptosystem
     • 1980s: attacks on MH

  3. Agenda
     • Idea of Public-Key Cryptosystems
     • Knapsack problem: setting, complexity and basic analyses
     • Knapsack Public-Key Cryptosystems
     • Algorithm of Merkle–Hellman
     • Attacks on the Merkle–Hellman Cryptosystem
     • What next?

  4. Public key cryptosystems
     • Key generation (receiver): public key K1, private key K2
     • Encryption (sender): E(M, K1) = C, where M is the plaintext and C the ciphertext
     • Decryption (receiver): D(C, K2) = M, the original plaintext

  5. The Knapsack problem – closely related to the subset-sum problem.

  6. Some observations on Knapsack
     • The general knapsack problem is known to be NP-complete
     • An efficient algorithm for the feasibility form of the problem helps to find such a solution easily.
     • Assuming that the {ai} are not too large, the trivial algorithm for solving knapsack needs O(2ⁿ) steps

  7. A better algorithm for Knapsack
     • Compute:
     • Sort them, and scan for a common member:
     • using O(n·2^(n/2)) time + O(2^(n/2)) storage space.
     • It’s the fastest algorithm!

  8. Easy-solvable knapsacks:

  9. Knapsacks with super-increasing sequence
     • A sequence {ai} is called a super-increasing sequence if
     • O(n) algorithm for Knapsack with super-increasing weights:
         for j = n downto 1 {
             if s ≥ aj then { xj = 1; s = s - aj; }
             else xj = 0;
         }
         return (x1, x2, ..., xn).
     • The solution, if it exists, is unique!

  10. Basic idea
      [Diagram: Alice publishes {A1,…,An} (public key, hard knapsack) and keeps {B1,…,Bn} (private key, easy knapsack). Bob encodes X1,…,Xn as S = ∑AiXi; Alice decodes X1,…,Xn from C = ∑BiXi. Charlie is the third party in the diagram.]

  11. MH system: key generation
      • Start with a super-increasing knapsack {b1,…, bn} such that:
      • Choose M and W such that:

  12. MH system (cont.)
      • Compute

  13. MH system: encryption

  14. MH system: decryption
      • The {b1,…, bn} are super-increasing ⇒ easy to solve

  15. Two variants of Merkle-Hellman cryptosystem
      • singly-iterated Merkle-Hellman cryptosystem
      • multiply-iterated Merkle-Hellman cryptosystem

  16. Multiply-iterated MH cryptosystem

  17. MH vs. RSA
      • MH is about 100 times faster than RSA (MH: n ~ 100, RSA: m ~ 500 bits)
      • MH: n bits are encoded in 2n bits; RSA: n bits are encoded in n bits
      • MH’s public key is of size 2n² ~ 20,000 for n ~ 100, and RSA’s is 2m ~ 1000 for m ~ 500 bits
      • MH assumes P ≠ NP, while RSA assumes factorization is in NP (≠ P)

  18. Security of MH cryptosystem: general doubts
      • What if P = NP?
      • What if most instances of knapsack used by MH are easy to solve?
      • What if one can deduce from the public Knapsack what the construction method is?

  19. Security of MH cryptosystem: special doubts
      • Result of Brassard: if breaking a cryptosystem is NP-hard, then NP = Co-NP.
      • If NP ≠ Co-NP, then breaking the MH cannot be NP-hard!
      • Linearity of MH equation: e.g. provides a single bit of information about plaintext (as we may assume: not all the ai are even)

  20. Parameters choice
      • If some bj is large we get inefficient knapsack
      • If, say, b1 = 1 then aj = W for some j
      • One can try all aj as a candidate for W

  21. Parameters choice – cont’d

  22. Attacks on MH Cryptosystem
      • modular multiplication does not disguise enough the easy knapsack
      [Diagram labels: B1,…,Bn (easy); A1,…,An (general); C1,…,Cn (easy); Alice, using the private key; Charlie, using the attack method.]

  23. Attacks on MH Cryptosystem
      • try to solve the general knapsack problem, when the ai are large enough
      [Diagram labels: B1,…,Bn (easy); A1,…,An (general but large enough); Alice, using the private key.]

  24. Attacks on MH knapsack cryptosystem
      • Rely on the fact that the modular multiplication does not disguise enough the easy knapsack:
        1. Shamir’s polynomial algorithm for the singly-iterated Merkle-Hellman, 1982
        2. Brickell’s attack on the multiply-iterated Merkle-Hellman, 1985

  25. Shamir’s attack on basic MH system

  26. This means that all of the kj/aj are close to U/M
      • In MH: b1,…, bq ~ 2ⁿ; q – small enough
      • Let
      • We obtain
      • Subtracting i=1 term:
      • That implies:

  27. kji aj1 is on the order of 2^(4n), then the kj and aj should be of very special structure
      • In most cases the kji, 1 ≤ i ≤ q, are determined uniquely by this equation
      • Invoking H. W. Lenstra’s theorem: the integer programming problem in a fixed number of variables can be solved in polynomial time!
      • This yields the kji, 1 ≤ i ≤ q

  28. Now we have the kji, 1 ≤ i ≤ q
      • We can construct a pair (U´, M´), with U´/M´ close to U/M, such that if we compute the weights cj by – they form a super-increasing sequence when arranged in increasing order
      • The cj can be used to decrypt the message!

  29. But how to find j1,…, jq?
      • As the permutation π is secret, we do not have j1,…, jq
      • The solution is easy: the cryptanalyst considers all possible choices of them, and still remains in polynomial time!

  30. Difficulties of Shamir’s method
      • The crucial tool in the attack was Lenstra’s result on integer programming in a fixed number of variables
      • The running time of Lenstra’s algorithm is given by a high-degree polynomial – never implemented!
      • Continued fractions can be used instead of Lenstra’s result, but when the bj are large enough, this fails

  31. Attacks on low-density general knapsack problems
      • try to solve the general knapsack problem, when the ai are large enough
      • 2 famous attacks:
        - Lagarias and Odlyzko, 1983
        - Brickell low-density attack, 1984

  32. On integer lattices
      • An integer lattice is an additive subgroup of Zⁿ that contains n linearly independent vectors over Rⁿ
      • A basis (v1,…, vn) of L is a set of elements of L such that L = {z1 v1 +…+ zn vn : zi – integer}
      • Input: (v1,…, vn) – basis of the lattice L
      • SVL: Find the shortest non-zero vector of L
      • quite hard problem – yet not proved!

  33. Lovasz-reduced basis
      • Lovasz’ polynomial-time algorithm:
      • given a basis for a lattice, constructs a Lovasz-reduced basis (v1,…, vn):

  34. The low-density attack itself
      • Given the ai and s, form the (n+1)-dimensional lattice with basis

  35. And the miracle is
      • If {xj | j = 1..n} solve the knapsack problem, then
      • Since the xj are 0 or 1, this vector is very short
      • The basic attack:
        1. run the Lovasz lattice basis reduction algorithm on the basis V
        2. check if the resulting reduced basis contains a vector that is a solution or not

  36. How it works:
      • If the {aj} are large, most vectors in the lattice are large. So the vector X corresponding to our solution might be the shortest:
      • If aj ~ 2^(βn) where β > 1.54725, then X is the shortest in most lattices
      • So: if we could efficiently solve SVL, we could solve most low-density knapsacks

  37. How we solve SVL
      • Proved: we can solve knapsacks with aj ~ 2^(n^2) – extremely large! In practice: much better

  38. Summary:
      • MH algorithm itself
      • Attack by revealing an easy knapsack from the public key
      • Attack using solvability of low-density knapsacks

  39. In conclusion:
      • Both of the two main fears were borne out.
      • A few knapsack-based cryptosystems still remain unbroken: e.g. Chor–Rivest, 1988
      • Since
        1) high speed
        2) factorization and logarithm procedures can turn out efficiently solvable someday
        3) elegance of the algorithm
        the search is going on…

  40. Example – exercise
      • Make a private key with n = 6: (2, 3, 6, 13, 27, 52)
      • M = 105, W = 31
      • aj: (62, 93, 81, 88, 102, 37)

  41. Encryption
      • Let Mes = 011000110101101110
      • Shift it:
        011000 – 93 + 81 = 174
        110101 – 62 + 93 + 88 + 37 = 280
        101110 – 62 + 81 + 88 + 102 = 333
      • Cipher = (174, 280, 333)

  42. Decryption
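
The exercise on slides 40 to 42, worked end to end as an added example (not code from the presentation): key generation, encryption, and decryption using the O(n) greedy solver of slide 9. The key-generation conditions M > Σbj and gcd(W, M) = 1 are the standard Merkle-Hellman ones and are assumed here, since the formulas on slides 11 to 14 did not survive in the transcript; all function names are illustrative.

```python
from math import gcd

B = (2, 3, 6, 13, 27, 52)   # private super-increasing knapsack (slide 40)
M, W = 105, 31              # private modulus and multiplier (slide 40)

def is_superincreasing(seq):
    """Each weight must exceed the sum of all earlier weights."""
    total = 0
    for w in seq:
        if w <= total:
            return False
        total += w
    return True

def public_key(b, m, w):
    """a_j = W * b_j mod M (assumed conditions: M > sum(b), gcd(W, M) = 1)."""
    if not is_superincreasing(b) or m <= sum(b) or gcd(w, m) != 1:
        raise ValueError("invalid private key")
    return tuple(w * bj % m for bj in b)

def encrypt(bits, a):
    """Split the bit string into n-bit blocks; each block becomes one subset sum."""
    n = len(a)
    if len(bits) % n:
        raise ValueError("message length must be a multiple of n")
    return tuple(sum(aj for aj, x in zip(a, bits[i:i + n]) if x == "1")
                 for i in range(0, len(bits), n))

def solve_superincreasing(s, b):
    """Greedy solver from slide 9; returns None when s is not a subset sum."""
    x = []
    for bj in reversed(b):          # j = n downto 1
        take = s >= bj
        x.append("1" if take else "0")
        s -= bj if take else 0
    return "".join(reversed(x)) if s == 0 else None

def decrypt(cipher, b, m, w):
    """Multiply by W^-1 mod M to get back an easy knapsack, then solve it."""
    w_inv = pow(w, -1, m)           # modular inverse, Python 3.8+
    blocks = [solve_superincreasing(c * w_inv % m, b) for c in cipher]
    if None in blocks:
        raise ValueError("ciphertext is not valid for this key")
    return "".join(blocks)
```

For the slide's ciphertext, W⁻¹ mod 105 is 61, and the three blocks map to the easy-knapsack targets 9, 70 and 48 before the greedy step recovers the bits.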
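
The sort-and-scan algorithm of slide 7, as an added example that is not part of the presentation: it is written as the standard meet-in-the-middle subset-sum search (an assumption, since the slide's formulas are missing from the transcript) and run on the public weights of slide 40. At n = 6 the two tables hold only 8 sums each; the same tables at n ~ 100 would hold 2^50 entries, which is the cost the slide's bound describes.

```python
A = (62, 93, 81, 88, 102, 37)   # public weights a_j from slide 40


def subset_sums(weights):
    """All (sum, mask) pairs over the 2^len(weights) subsets of weights."""
    sums = [(0, 0)]
    for i, w in enumerate(weights):
        sums += [(t + w, mask | 1 << i) for t, mask in sums]
    return sums


def meet_in_the_middle(a, s):
    """Return the 0/1 tuple x with sum(a_i * x_i) == s, or None if there is none.

    Time O(n * 2^(n/2)) for the sorts, storage O(2^(n/2)) for the tables.
    """
    half = len(a) // 2
    left, right = a[:half], a[half:]
    # Table 1: sums over the first half. Table 2: s minus sums over the second half.
    lhs = sorted(subset_sums(left))
    rhs = sorted((s - t, mask) for t, mask in subset_sums(right))
    i = j = 0
    while i < len(lhs) and j < len(rhs):   # linear scan for a common member
        if lhs[i][0] == rhs[j][0]:
            lmask, rmask = lhs[i][1], rhs[j][1]
            return tuple([lmask >> k & 1 for k in range(len(left))] +
                         [rmask >> k & 1 for k in range(len(right))])
        if lhs[i][0] < rhs[j][0]:
            i += 1
        else:
            j += 1
    return None
```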
