
Poking Holes in Knapsack Cryptosystems

Poking Holes in Knapsack Cryptosystems. Grayson Myers. Knapsack (Subset Sum) Problem. Given integers $a_1,\dots,a_n$ and a target sum $S$ (“knapsack”), determine if there exists a subset of the integers that sums to $S$. In other words, find binary $x_1,\dots,x_n$ so that $S = \sum x_i a_i$. NP-complete.


Presentation Transcript


  1. Poking Holes in Knapsack Cryptosystems
     Grayson Myers

  2. Knapsack (Subset Sum) Problem
     • Given integers $a_1,\dots,a_n$
     • Given a target sum $S$ (“knapsack”).
     • Determine if there exists a subset of the integers that sums to $S$.
     • In other words, find binary $x_1,\dots,x_n$ so that:
       $S = \sum x_i a_i$
     • NP-complete

  3. Merkle-Hellman (1978)
     • Public-key cryptosystem based on the knapsack problem
     • Choose large, relatively prime integers $M$ and $W$
     • Create a superincreasing sequence $b_1,\dots,b_n$
     • Private key is $M$, $W$, and the $b$'s.
     • Public key is the sequence $a_1,\dots,a_n$ such that:
       $a_i = b_i W \bmod M$
     • Suggestion: $n = 100$, $M$ is 202 bits

  4. Merkle-Hellman (cont.)
     • To encrypt an $n$-bit message $x_1,\dots,x_n$:
       • Compute $S = \sum x_i a_i$
     • To decrypt:
       • Compute $S' = W^{-1} S \bmod M$
       • Solve $S' = \sum x_i b_i$ for the $x_i$
       • Easy because the $b$'s are superincreasing
     • Works as long as $\sum b_i < M$.

  5. Shamir’s Attack (1982)
     • Exploits structure in the $a_i$ sequence to find $M$ and $W^{-1}$
     • Results in some superincreasing sequence that allows the message to be recovered

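  6. Lagarias and Odlyzko (1983)
     • Solve low-density subset sum problems directly
     • Do lattice basis reduction on the following basis:
       $$\begin{aligned}
       v_1 &= (1, 0, \dots, 0, -a_1) \\
       v_2 &= (0, 1, \dots, 0, -a_2) \\
       &\;\;\vdots \\
       v_n &= (0, 0, \dots, 1, -a_n) \\
       v_{n+1} &= (0, 0, \dots, 0, S)
       \end{aligned}$$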

  7. Lagarias and Odlyzko (cont.)
     • Vectors in the lattice $L$ look like:
       $z_1 v_1 + z_2 v_2 + \dots + z_n v_n + z_{n+1} v_{n+1}$
     • In particular, this vector is in $L$:
       $x = (x_1, x_2, \dots, x_n, 0)$
     • $x$ is very short, therefore likely to appear in the reduced basis
     • Works when the density of the subset sum is low
       • Defined as $n$ / (# of bits in $S$)

  8. Summary
     • Knapsack cryptosystems:
       • Elegant
       • Fast
       • Insecure
     • Subset sum problem is NP-complete, but there are too many easy cases.
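
Slides 3 and 4 (key generation, encryption, decryption) as runnable Python, together with the density measure from slide 7. This is an added example, not part of the original presentation; the 8-element key (B, M, W) is a small constructed toy value, far below the suggested n = 100, and the function names are chosen here for illustration.

```python
from math import gcd

# Constructed toy private key (illustration only, far too small for real use).
B = [2, 7, 11, 21, 42, 89, 180, 354]   # superincreasing sequence b_1..b_n
M, W = 881, 588                         # modulus and multiplier, gcd(M, W) = 1

def keygen(b, M, W):
    """Return the public sequence a_i = b_i * W mod M, enforcing the slides' conditions."""
    if any(b[i] <= sum(b[:i]) for i in range(len(b))):
        raise ValueError("b is not superincreasing")
    if sum(b) >= M:
        raise ValueError("need sum(b) < M, otherwise decryption is ambiguous")
    if gcd(M, W) != 1:
        raise ValueError("M and W must be relatively prime")
    return [(bi * W) % M for bi in b]

def encrypt(bits, a):
    """S = sum of x_i * a_i over the message bits x_i."""
    return sum(x * ai for x, ai in zip(bits, a))

def decrypt(S, b, M, W):
    """Compute S' = W^-1 * S mod M, then solve the superincreasing knapsack greedily."""
    s = (pow(W, -1, M) * S) % M
    bits = [0] * len(b)
    for i in reversed(range(len(b))):   # largest b_i first
        if s >= b[i]:
            bits[i] = 1
            s -= b[i]
    if s != 0:
        raise ValueError("S is not a valid ciphertext for this key")
    return bits

def density(a, S):
    """Density as defined on slide 7: n / (number of bits in S)."""
    return len(a) / S.bit_length()

if __name__ == "__main__":
    a = keygen(B, M, W)
    msg = [0, 1, 1, 0, 0, 0, 0, 1]
    S = encrypt(msg, a)
    print("public key:", a)
    print("ciphertext:", S, "density:", round(density(a, S), 3))
    print("decrypted :", decrypt(S, B, M, W))
```

The greedy loop in `decrypt` is the "easy case" the private key exposes; an attacker holding only the public sequence faces the general subset sum instance unless its structure or low density gives it away.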
