1 / 33

540 likes | 1.73k Views

Knapsack Cryptosystems. Behdad Esfahbod December 2001. Agenda. Knapsack problem and it ’ s computation complexity Knapsack as a public key cryptosystem The Merkle-Hellman knapsack cryptosystem Shamir ’ s attack to basic Merkle-Hellman Knapsack cryptosystem

Download Presentation
## Knapsack Cryptosystems

**An Image/Link below is provided (as is) to download presentation**
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.
Content is provided to you AS IS for your information and personal use only.
Download presentation by click this link.
While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

**Knapsack Cryptosystems**Behdad Esfahbod December 2001 Knapsack Cryptosystems**Agenda**• Knapsack problem and it’s computation complexity • Knapsack as a public key cryptosystem • The Merkle-Hellman knapsack cryptosystem • Shamir’s attack to basic Merkle-Hellman Knapsack cryptosystem • Lagarias and Odlyzko’s attack for solving low-density knapsack cryptosystems • The Chor-Rivest knapsack Knapsack Cryptosystems**Overview**• Knapsack rose as a public key cryptosystem, because of it’s computational complexity and efficiency • Many knapsack cryptosystems were broken in late 1970’s • Final fall of knapsack cryptosystem dated to Shamir’s announcement in the spring of 1982 of a polynomial time attack on the singly-iterated Merkle-Hellman cryptosystem Knapsack Cryptosystems**The Knapsack problem**The knapsack or subset-sum problem is to determine, given positive integers (or weights) and a[1], …, a[n], and s, whether there is a subset of the a[j]’s that sums to s. That is: Knapsack Cryptosystems**Algorithmic view on knapsack**• If we have a good algorithm to find if there is a solution to knapsack, we can find such a solution easily too • The general knapsack problem is known to be NP-complete • Assuming that a[i]’s are not too large, the trivial algorithm for solving knapsack, needs O(2^n) steps Knapsack Cryptosystems**A better algorithm for knapsack**• Just compute these sets: • Sort them, and scan for a common member • This will take O(n2^(n/2))=O(2^(n.lg(n)/2)) • It needs O(2^(n/2)) storage space • Surprisingly enough, this is still the fastest algorithm known for the general knapsack problem! Knapsack Cryptosystems**Knapsacks withsuper-increasing sequence**• A sequence a[i] is called a super-increasing sequence if • A knapsack problem with super-increasing set of weights is easy to solve: Other x[i]’s can be found recursively Knapsack Cryptosystems**Basic idea behind all public key knapsack cryptosystems**• Start with a knapsack b[1], …, b[n] that is easy to solve • Transform it into the public knapsack a[1], …, a[n] by a process that conceals the structure of the knapsack • With the hope that knapsack a[1], …, a[n] is hard to solve • The designer is in the position to reverse the concealing transformation and solve the easy knapsack Knapsack Cryptosystems**Merkle-Hellman system**• Used by Merkle and Hellman in 1978 • Based on modular multiplication • Start with a super-increasing knapsack b[1], …, b[n] with: • Choose M and W with: Knapsack Cryptosystems**Merkle-Hellman system (cont.)**• Compute • Select permutation p[i] of {1, …, n} • Define • Public key: a[j], 1<= j <= n • Private key: M, W, b[j], 1<= j <=n • A message (x[1], …, x[n]) is encoded as: Knapsack Cryptosystems**Merkle-Hellman system (decrypt)**The b[i] are super-increasing Easy to solve Knapsack Cryptosystems**Multiply-iterated Merkle-Hellman cryptosystem**• The algorithm mentioned is called basic of singly-iterated Merkle-Hellman cryptosystem • A multiply-iterated Merkle-Hellman cryptosystem is the same method, with more than one different (M[k], W[k])s with (M[k], W[k]) = 1 applied in a chain Knapsack Cryptosystems**Merkle-Hellman vs. RSA**• MH is about 100 times faster than RSA (MH: n ~ 100, RSA: m ~ 500bits) • MH needs twice communication capacity, RSA needs same capacity as the input • MH’s public key is of size 2.n^2 = 20,000 RSA’s is 2.m = 1000 • MH assumes P <> NP, while RSA assumes factorization is in NP (<> P) Knapsack Cryptosystems**Security of MH cryptosystem**• What if P = NP? • What if most instances of knapsack, or MH are easy to solve? • How many information do MH public key leak? • As an example, the equation of knapsack modulo 2, provides a single bit of information about them (as not all the a[i] can be even) Knapsack Cryptosystems**Brassard’s note on complexity of cryptography applied to**MH • The interesting result of Brassard says essentially that if breaking a cryptosystem is NP-hard, then NP = Co-NP, that is a surprising complexity theory result • If NP <> Co-NP, then breaking the MH cannot be NP-hard, and so is likely to be easier than solving the general knapsack problem Knapsack Cryptosystems**Attacks on Merkle-Hellman knapsack cryptosystem**• These attacks rely on the fact that the modular multiplication does not disguise enough the easy knapsack: • Shamir’s polynomial algorithm for the singly-iterated Merkle-Hellman, 1982 • Brickell’s attack on the multiply-iterated Merkle-Hellman, 1985 Knapsack Cryptosystems**Shamir’s attack on basic Merkle-Hellman system**• Let • Then • Means that for some integers k[j] • Hence • That is an interesting result as we will see Knapsack Cryptosystems**This means that all of the k[j]/a[j] are close to U/M**• We know that b[1], …, b[5] ~ 2^n • Let • We obtain • Subtracting i=1 term: • That implies: Knapsack Cryptosystems**k[j[i]].a[j[1]] is on the order of 2^4n, then the a[i], k[i]**should be of very special structure • In most cases k[j[i]], 1 <= i <= 5 are determined uniquely by this equation • Shamir’s main contribution was to notice that this could be done in polynomial time by invoking H. W. Lenstra’s theorem that the integer programming problem in a fixed number of variables can be solved in polynomial time • This yields the k[j[i]], 1 <= I <= 5 Knapsack Cryptosystems**Now we have the k[j[i]], 1<= i <=5**• Once the k[j[i]] are found, one obtains an approximation to U/M • From the approximation of U/M, constructs a pair (U’, M’) with U’/M’ close to U/M such that: • The weights c[j] obtained by form a super-increasing sequence when arranged in increasing order • The c[j] can be used to decrypt the message! Knapsack Cryptosystems**But how to find j[1], …, j[5]?**• As permutation p[i] is secret, we do not have j[1], …, j[5] • The solution is easy, the cryptanalyst considers all possible choices of them, and still remains in polynomial time! Knapsack Cryptosystems**Difficulties of Shamir’s method**• The crucial tool in the attack was Lenstra’s result on integer programming in a fixed number of variables • Continued fraction can be used instead of Lenstra’s result, but when the b[i] are too large, it fails • Lenstra’s result is powerful, but is of mostly theoretical interest, since its running time is given by a high degree polynomial, and so it has never been implemented Knapsack Cryptosystems**Attacks to low-density general knapsack problems**• Low-density attacks try to solve the general knapsack problem, when the a[i] are large enough • There are two known approaches to solve general low-density knapsacks: • One due to Lagarias and Odlyzko, 1983 • Brickell low-density attack, 1984 Knapsack Cryptosystems**On integer lattices**• An integer lattice is an additive subgroup of Z^n that contains n linearly independent vectors over R^n • A basis (v[1],…,v[n]) of L is a set of elements of L such that L = z[1]v[1] + … + z[n]v[n] • Bases are not unique, but exist all the time • Finding the shortest non-zero vector of a lattice, given its basis, is a very important, and quite hard problem, although there is no proof that it is • We will show a basis with a matrix which its rows are the vectors of basis Knapsack Cryptosystems**Lovasz-reduced basis**• Lovasz found a polynomial time algorithm that, given a basis for a lattice, produces a reduced basis. • The first vector in a Lovasz-reduced basis is not too long • If v[1], …, v[n] is a Lovasz-reduced basis of a lattice, then: Knapsack Cryptosystems**The low-density attack itself**• Given the a[i] and s, we form the (n+1)-dimensional lattice with basis Knapsack Cryptosystems**And the miracle is**• If v[1], …, v[n+1] are the rows of V, and the x[j] solve the knapsack problem, then • Since the x[j] are 0 or 1, this vector is very short • The basic attack consists of running the Lovasz lattice basis reduction algorithm on the basis V and checking whether the resulting reduced basis contains a vector that is a solution or not Knapsack Cryptosystems**The Chor-Rivest knapsack**• The Chor-Rivest cryptosystem, developed in 1985, is one of the few knapsack systems that have not been broken, and among the most attractive ones • Based on arithmetic in finite fields that computing discrete logarithms is fairy easy Knapsack Cryptosystems**The Chor-Rivest cryptosystem**• Let GF(p^h) be a finite field such that p^h - 1 has only moderate prime factors, so that it’s easy to compute discrete logarithms in GF(p^h) [one possible choice is p=197, h=24] • Let f(x) be a monic irreducible polynomial of degree h over GF(p), so that GF(p^h) can be represented as GF(p)[x]/f(x) • Let t be the residue class of x modulo f(x), so that t is an element of GF(p^h) and f(t)=0 • Let g be a generator of the multiplicative group of GF(p^h) Knapsack Cryptosystems**Chor-Rivest (public-key)**• For alpha in GF(p), let a[alpha] be an integer such that • Let pi be a one-to-one map from {0, 1, …, p-1} to GF(p) • Choose an integer d and define • c[0], c[1], …, c[p-1] are the public key Knapsack Cryptosystems**Chor-Rivest (encryption)**• Messages to be encoded are first transformed into p-vectors (m[0], …, m[p-1]) of non-negative integers such that • The cipher-text that is transmitted is then Knapsack Cryptosystems**Chor-Rivest (decryption)**• First compute • Then we have • And • Now we can recover the m[i] by factoring G+f(x)! Knapsack Cryptosystems**?**Any questions Knapsack Cryptosystems

More Related