Create Presentation
Download Presentation

Download Presentation
## Knapsack Cryptosystems

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -

**Knapsack Cryptosystems**Behdad Esfahbod December 2001 Knapsack Cryptosystems**Agenda**• Knapsack problem and it’s computation complexity • Knapsack as a public key cryptosystem • The Merkle-Hellman knapsack cryptosystem • Shamir’s attack to basic Merkle-Hellman Knapsack cryptosystem • Lagarias and Odlyzko’s attack for solving low-density knapsack cryptosystems • The Chor-Rivest knapsack Knapsack Cryptosystems**Overview**• Knapsack rose as a public key cryptosystem, because of it’s computational complexity and efficiency • Many knapsack cryptosystems were broken in late 1970’s • Final fall of knapsack cryptosystem dated to Shamir’s announcement in the spring of 1982 of a polynomial time attack on the singly-iterated Merkle-Hellman cryptosystem Knapsack Cryptosystems**The Knapsack problem**The knapsack or subset-sum problem is to determine, given positive integers (or weights) and a[1], …, a[n], and s, whether there is a subset of the a[j]’s that sums to s. That is: Knapsack Cryptosystems**Algorithmic view on knapsack**• If we have a good algorithm to find if there is a solution to knapsack, we can find such a solution easily too • The general knapsack problem is known to be NP-complete • Assuming that a[i]’s are not too large, the trivial algorithm for solving knapsack, needs O(2^n) steps Knapsack Cryptosystems**A better algorithm for knapsack**• Just compute these sets: • Sort them, and scan for a common member • This will take O(n2^(n/2))=O(2^(n.lg(n)/2)) • It needs O(2^(n/2)) storage space • Surprisingly enough, this is still the fastest algorithm known for the general knapsack problem! Knapsack Cryptosystems**Knapsacks withsuper-increasing sequence**• A sequence a[i] is called a super-increasing sequence if • A knapsack problem with super-increasing set of weights is easy to solve: Other x[i]’s can be found recursively Knapsack Cryptosystems**Basic idea behind all public key knapsack cryptosystems**• Start with a knapsack b[1], …, b[n] that is easy to solve • Transform it into the public knapsack a[1], …, a[n] by a process that conceals the structure of the knapsack • With the hope that knapsack a[1], …, a[n] is hard to solve • The designer is in the position to reverse the concealing transformation and solve the easy knapsack Knapsack Cryptosystems**Merkle-Hellman system**• Used by Merkle and Hellman in 1978 • Based on modular multiplication • Start with a super-increasing knapsack b[1], …, b[n] with: • Choose M and W with: Knapsack Cryptosystems**Merkle-Hellman system (cont.)**• Compute • Select permutation p[i] of {1, …, n} • Define • Public key: a[j], 1<= j <= n • Private key: M, W, b[j], 1<= j <=n • A message (x[1], …, x[n]) is encoded as: Knapsack Cryptosystems**Merkle-Hellman system (decrypt)**The b[i] are super-increasing Easy to solve Knapsack Cryptosystems**Multiply-iterated Merkle-Hellman cryptosystem**• The algorithm mentioned is called basic of singly-iterated Merkle-Hellman cryptosystem • A multiply-iterated Merkle-Hellman cryptosystem is the same method, with more than one different (M[k], W[k])s with (M[k], W[k]) = 1 applied in a chain Knapsack Cryptosystems**Merkle-Hellman vs. RSA**• MH is about 100 times faster than RSA (MH: n ~ 100, RSA: m ~ 500bits) • MH needs twice communication capacity, RSA needs same capacity as the input • MH’s public key is of size 2.n^2 = 20,000 RSA’s is 2.m = 1000 • MH assumes P <> NP, while RSA assumes factorization is in NP (<> P) Knapsack Cryptosystems**Security of MH cryptosystem**• What if P = NP? • What if most instances of knapsack, or MH are easy to solve? • How many information do MH public key leak? • As an example, the equation of knapsack modulo 2, provides a single bit of information about them (as not all the a[i] can be even) Knapsack Cryptosystems**Brassard’s note on complexity of cryptography applied to**MH • The interesting result of Brassard says essentially that if breaking a cryptosystem is NP-hard, then NP = Co-NP, that is a surprising complexity theory result • If NP <> Co-NP, then breaking the MH cannot be NP-hard, and so is likely to be easier than solving the general knapsack problem Knapsack Cryptosystems**Attacks on Merkle-Hellman knapsack cryptosystem**• These attacks rely on the fact that the modular multiplication does not disguise enough the easy knapsack: • Shamir’s polynomial algorithm for the singly-iterated Merkle-Hellman, 1982 • Brickell’s attack on the multiply-iterated Merkle-Hellman, 1985 Knapsack Cryptosystems**Shamir’s attack on basic Merkle-Hellman system**• Let • Then • Means that for some integers k[j] • Hence • That is an interesting result as we will see Knapsack Cryptosystems**This means that all of the k[j]/a[j] are close to U/M**• We know that b[1], …, b[5] ~ 2^n • Let • We obtain • Subtracting i=1 term: • That implies: Knapsack Cryptosystems**k[j[i]].a[j[1]] is on the order of 2^4n, then the a[i], k[i]**should be of very special structure • In most cases k[j[i]], 1 <= i <= 5 are determined uniquely by this equation • Shamir’s main contribution was to notice that this could be done in polynomial time by invoking H. W. Lenstra’s theorem that the integer programming problem in a fixed number of variables can be solved in polynomial time • This yields the k[j[i]], 1 <= I <= 5 Knapsack Cryptosystems**Now we have the k[j[i]], 1<= i <=5**• Once the k[j[i]] are found, one obtains an approximation to U/M • From the approximation of U/M, constructs a pair (U’, M’) with U’/M’ close to U/M such that: • The weights c[j] obtained by form a super-increasing sequence when arranged in increasing order • The c[j] can be used to decrypt the message! Knapsack Cryptosystems**But how to find j[1], …, j[5]?**• As permutation p[i] is secret, we do not have j[1], …, j[5] • The solution is easy, the cryptanalyst considers all possible choices of them, and still remains in polynomial time! Knapsack Cryptosystems**Difficulties of Shamir’s method**• The crucial tool in the attack was Lenstra’s result on integer programming in a fixed number of variables • Continued fraction can be used instead of Lenstra’s result, but when the b[i] are too large, it fails • Lenstra’s result is powerful, but is of mostly theoretical interest, since its running time is given by a high degree polynomial, and so it has never been implemented Knapsack Cryptosystems**Attacks to low-density general knapsack problems**• Low-density attacks try to solve the general knapsack problem, when the a[i] are large enough • There are two known approaches to solve general low-density knapsacks: • One due to Lagarias and Odlyzko, 1983 • Brickell low-density attack, 1984 Knapsack Cryptosystems**On integer lattices**• An integer lattice is an additive subgroup of Z^n that contains n linearly independent vectors over R^n • A basis (v[1],…,v[n]) of L is a set of elements of L such that L = z[1]v[1] + … + z[n]v[n] • Bases are not unique, but exist all the time • Finding the shortest non-zero vector of a lattice, given its basis, is a very important, and quite hard problem, although there is no proof that it is • We will show a basis with a matrix which its rows are the vectors of basis Knapsack Cryptosystems**Lovasz-reduced basis**• Lovasz found a polynomial time algorithm that, given a basis for a lattice, produces a reduced basis. • The first vector in a Lovasz-reduced basis is not too long • If v[1], …, v[n] is a Lovasz-reduced basis of a lattice, then: Knapsack Cryptosystems**The low-density attack itself**• Given the a[i] and s, we form the (n+1)-dimensional lattice with basis Knapsack Cryptosystems**And the miracle is**• If v[1], …, v[n+1] are the rows of V, and the x[j] solve the knapsack problem, then • Since the x[j] are 0 or 1, this vector is very short • The basic attack consists of running the Lovasz lattice basis reduction algorithm on the basis V and checking whether the resulting reduced basis contains a vector that is a solution or not Knapsack Cryptosystems**The Chor-Rivest knapsack**• The Chor-Rivest cryptosystem, developed in 1985, is one of the few knapsack systems that have not been broken, and among the most attractive ones • Based on arithmetic in finite fields that computing discrete logarithms is fairy easy Knapsack Cryptosystems**The Chor-Rivest cryptosystem**• Let GF(p^h) be a finite field such that p^h - 1 has only moderate prime factors, so that it’s easy to compute discrete logarithms in GF(p^h) [one possible choice is p=197, h=24] • Let f(x) be a monic irreducible polynomial of degree h over GF(p), so that GF(p^h) can be represented as GF(p)[x]/f(x) • Let t be the residue class of x modulo f(x), so that t is an element of GF(p^h) and f(t)=0 • Let g be a generator of the multiplicative group of GF(p^h) Knapsack Cryptosystems**Chor-Rivest (public-key)**• For alpha in GF(p), let a[alpha] be an integer such that • Let pi be a one-to-one map from {0, 1, …, p-1} to GF(p) • Choose an integer d and define • c[0], c[1], …, c[p-1] are the public key Knapsack Cryptosystems**Chor-Rivest (encryption)**• Messages to be encoded are first transformed into p-vectors (m[0], …, m[p-1]) of non-negative integers such that • The cipher-text that is transmitted is then Knapsack Cryptosystems**Chor-Rivest (decryption)**• First compute • Then we have • And • Now we can recover the m[i] by factoring G+f(x)! Knapsack Cryptosystems**?**Any questions Knapsack Cryptosystems