Knapsack Cryptosystems
Behdad Esfahbod
December 2001
Agenda
• Knapsack problem and its computational complexity
• Knapsack as a public key cryptosystem
• The Merkle-Hellman knapsack cryptosystem
• Shamir's attack on the basic Merkle-Hellman knapsack cryptosystem
• Lagarias and Odlyzko's attack for solving low-density knapsack cryptosystems
• The Chor-Rivest knapsack
Overview
• Knapsack rose as a public key cryptosystem because of its computational complexity and efficiency
• Many knapsack cryptosystems were broken in the late 1970's
• The final fall of the knapsack cryptosystem is dated to Shamir's announcement in the spring of 1982 of a polynomial time attack on the singly-iterated Merkle-Hellman cryptosystem
The Knapsack problem
The knapsack or subset-sum problem is to determine, given positive integers (or weights) a[1], …, a[n] and a target s, whether there is a subset of the a[j]'s that sums to s. That is:
Algorithmic view on knapsack
• If we have a good algorithm to decide whether a knapsack instance has a solution, we can find such a solution easily too
• The general knapsack problem is known to be NP-complete
• Assuming the a[i]'s are not too large, the trivial algorithm for solving knapsack needs O(2^n) steps
A better algorithm for knapsack
• Just compute these sets:
• Sort them, and scan for a common member
• This takes O(n·2^(n/2)) = O(2^(n/2 + lg(n))) time
• It needs O(2^(n/2)) storage space
• Surprisingly enough, this is still the fastest algorithm known for the general knapsack problem!
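The meet-in-the-middle algorithm of this slide, written out as an added example (this is illustrative code, not part of the original slides): the weights are split into two halves, all 2^(n/2) subset sums of each half are enumerated, one side is sorted, and the other side is scanned with a binary search for the complementary sum. The sample instance at the bottom is constructed for the demo.

```python
import bisect


def subset_sums(weights):
    """Enumerate every subset of `weights` as (sum, bitmask): 2^len(weights) entries."""
    sums = [(0, 0)]
    for i, w in enumerate(weights):
        sums += [(s + w, mask | (1 << i)) for s, mask in sums]
    return sums


def solve_knapsack_mitm(weights, target):
    """Meet-in-the-middle subset sum.

    Split the weights into two halves, enumerate the 2^(n/2) subset sums of each
    half, sort one side, and for every sum s of the other side binary-search for
    target - s.  Time O(n 2^(n/2)), space O(2^(n/2)).
    Returns a 0/1 vector x with sum(x[i] * weights[i]) == target, or None.
    """
    n = len(weights)
    half = n // 2
    left = subset_sums(weights[:half])
    right = subset_sums(weights[half:])
    right.sort()                         # sorted by sum; masks travel with their sums
    right_sums = [s for s, _ in right]
    for s, lmask in left:
        need = target - s
        idx = bisect.bisect_left(right_sums, need)
        if idx < len(right_sums) and right_sums[idx] == need:
            rmask = right[idx][1]
            # unpack the two bitmasks back into one 0/1 selection vector
            return ([(lmask >> i) & 1 for i in range(half)]
                    + [(rmask >> i) & 1 for i in range(n - half)])
    return None


def is_solution(weights, x, target):
    """Independent check that x really selects a subset summing to target."""
    return x is not None and sum(w * xi for w, xi in zip(weights, x)) == target


if __name__ == "__main__":
    # constructed sample instance
    ws = [3, 34, 4, 12, 5, 2]
    x = solve_knapsack_mitm(ws, 9)
    print(x, is_solution(ws, x, 9))
```

For n = 40 this touches about 2^20 sums per half, which is comfortable; the trivial 2^n search is not.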
Knapsacks with super-increasing sequences
• A sequence a[i] is called super-increasing if
• A knapsack problem with a super-increasing set of weights is easy to solve:
• The other x[i]'s can be found recursively
Basic idea behind all public key knapsack cryptosystems
• Start with a knapsack b[1], …, b[n] that is easy to solve
• Transform it into the public knapsack a[1], …, a[n] by a process that conceals the structure of the easy knapsack
• The hope is that the knapsack a[1], …, a[n] is hard to solve
• The designer is in a position to reverse the concealing transformation and solve the easy knapsack
Merkle-Hellman system
• Introduced by Merkle and Hellman in 1978
• Based on modular multiplication
• Start with a super-increasing knapsack b[1], …, b[n] with:
• Choose M and W with:
Merkle-Hellman system (cont.)
• Compute
• Select a permutation p[i] of {1, …, n}
• Define
• Public key: a[j], 1 <= j <= n
• Private key: M, W, b[j], 1 <= j <= n
• A message (x[1], …, x[n]) is encoded as:
Merkle-Hellman system (decrypt)
• The b[i] are super-increasing
• Easy to solve
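The singly-iterated Merkle-Hellman system of the preceding slides, together with the greedy decoder for super-increasing knapsacks, as an added example (this is not the authors' code and not a reference implementation). It follows the slides' structure: the private knapsack b is super-increasing (each b[i] exceeds the sum of all earlier ones), M exceeds the sum of the b[i], W is invertible mod M, the public weights are W·b[p[j]] mod M under a secret permutation p, and decryption multiplies the ciphertext by W^(-1) mod M and decodes the easy knapsack. The exact ranges from which b[i] and M are drawn (within 2^n of the running sum) and the `seed` parameter are choices of this demo, not of the slides.

```python
import math
import random


def solve_superincreasing(b, s):
    """Decode target s against a super-increasing knapsack b.

    Because each b[i] is larger than the sum of all earlier weights, scanning
    from the largest weight down, b[i] is in the subset exactly when it still
    fits into the remaining sum.  The answer is unique and found in O(n).
    """
    x = [0] * len(b)
    for i in range(len(b) - 1, -1, -1):
        if b[i] <= s:
            x[i] = 1
            s -= b[i]
    if s != 0:
        raise ValueError("target is not a subset sum of this knapsack")
    return x


def keygen(n, seed=None):
    """Singly-iterated Merkle-Hellman key generation.

    Returns (public, private): public = [a[0], ..., a[n-1]],
    private = (b, M, W, perm).  `seed` is for reproducible demos only.
    """
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    b, total = [], 0
    for _ in range(n):
        bi = total + 1 + rng.randrange(2 ** n)   # strictly exceeds sum of earlier b's
        b.append(bi)
        total += bi
    M = total + 1 + rng.randrange(2 ** n)        # modulus larger than sum of all b[i]
    while True:
        W = rng.randrange(2, M)
        if math.gcd(W, M) == 1:                  # W must be invertible mod M
            break
    perm = list(range(n))
    rng.shuffle(perm)                            # secret permutation of the weights
    public = [(W * b[perm[j]]) % M for j in range(n)]
    return public, (b, M, W, perm)


def encrypt(public, bits):
    """Ciphertext = plain (non-modular) knapsack sum of the public weights selected
    by the message bits; it is below n*M, i.e. roughly twice the message length."""
    return sum(a for a, x in zip(public, bits) if x)


def decrypt(private, s):
    """Undo the modular multiplication with U = W^-1 mod M, then solve the easy knapsack."""
    b, M, W, perm = private
    U = pow(W, -1, M)
    t = (U * s) % M            # equals sum of the selected b[perm[j]], as that sum is < M
    y = solve_superincreasing(b, t)
    return [y[perm[j]] for j in range(len(b))]   # map back through the permutation


def roundtrip(n=16, seed=1978):
    """Self-check: encrypt a random n-bit message and confirm decryption recovers it."""
    rng = random.Random(seed)
    public, private = keygen(n, seed)
    msg = [rng.randrange(2) for _ in range(n)]
    return decrypt(private, encrypt(public, msg)) == msg


if __name__ == "__main__":
    print(roundtrip())
```

With n = 100 the public key is 100 integers of about 200 bits each, which matches the 2·n^2 figure quoted later against RSA.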
Multiply-iterated Merkle-Hellman cryptosystem
• The algorithm described above is called the basic or singly-iterated Merkle-Hellman cryptosystem
• A multiply-iterated Merkle-Hellman cryptosystem is the same method with several different pairs (M[k], W[k]), each with gcd(M[k], W[k]) = 1, applied in a chain
Merkle-Hellman vs. RSA
• MH is about 100 times faster than RSA (MH: n ~ 100, RSA: m ~ 500 bits)
• MH needs twice the communication capacity of the input, RSA needs the same capacity as the input
• MH's public key is of size 2·n^2 = 20,000 bits, RSA's is 2·m = 1000 bits
• MH assumes P <> NP, while RSA assumes factorization is in NP but not in P
Security of the MH cryptosystem
• What if P = NP?
• What if most instances of knapsack, or of MH, are easy to solve?
• How much information does the MH public key leak?
• As an example, the knapsack equation taken modulo 2 provides a single bit of information about the message bits (since not all of the a[i] can be even)
Brassard's note on the complexity of cryptography, applied to MH
• Brassard's interesting result says essentially that if breaking a cryptosystem is NP-hard, then NP = co-NP, which would be a surprising complexity-theoretic result
• So if NP <> co-NP, then breaking MH cannot be NP-hard, and is therefore likely to be easier than solving the general knapsack problem
Attacks on the Merkle-Hellman knapsack cryptosystem
• These attacks rely on the fact that the modular multiplication does not disguise the easy knapsack well enough:
• Shamir's polynomial-time algorithm for the singly-iterated Merkle-Hellman, 1982
• Brickell's attack on the multiply-iterated Merkle-Hellman, 1985
Shamir's attack on the basic Merkle-Hellman system
• Let
• Then
• This means that for some integers k[j]
• Hence
• That is an interesting result, as we will see
Shamir's attack on the basic Merkle-Hellman system (cont.)
• This means that all of the k[j]/a[j] are close to U/M
• We know that b[1], …, b[5] ~ 2^n
• Let
• We obtain
• Subtracting the i = 1 term:
• That implies:
Shamir's attack on the basic Merkle-Hellman system (cont.)
• k[j[i]]·a[j[1]] is on the order of 2^(4n), so the a[i] and k[i] must have a very special structure
• In most cases the k[j[i]], 1 <= i <= 5, are determined uniquely by this equation
• Shamir's main contribution was to notice that this could be done in polynomial time by invoking H. W. Lenstra's theorem that the integer programming problem in a fixed number of variables can be solved in polynomial time
• This yields the k[j[i]], 1 <= i <= 5
Now we have the k[j[i]], 1 <= i <= 5
• Once the k[j[i]] are found, one obtains an approximation to U/M
• From the approximation of U/M, construct a pair (U', M') with U'/M' close to U/M such that:
• The weights c[j] obtained from (U', M') form a super-increasing sequence when arranged in increasing order
• The c[j] can be used to decrypt the message!
But how to find j[1], …, j[5]?
• As the permutation p[i] is secret, we do not know j[1], …, j[5]
• The solution is easy: the cryptanalyst tries all possible choices of them, and still remains in polynomial time!
Difficulties of Shamir's method
• The crucial tool in the attack was Lenstra's result on integer programming in a fixed number of variables
• Continued fractions can be used instead of Lenstra's result, but when the b[i] are too large this fails
• Lenstra's result is powerful but of mostly theoretical interest, since its running time is a high-degree polynomial, and so it has never been implemented
Attacks on low-density general knapsack problems
• Low-density attacks try to solve the general knapsack problem when the a[i] are large enough
• There are two known approaches to solving general low-density knapsacks:
• One due to Lagarias and Odlyzko, 1983
• Brickell's low-density attack, 1984
On integer lattices
• An integer lattice is an additive subgroup of Z^n that contains n vectors linearly independent over R^n
• A basis (v[1], …, v[n]) of L is a set of elements of L such that every element of L can be written as z[1]v[1] + … + z[n]v[n] with integers z[i]
• Bases are not unique, but always exist
• Finding the shortest non-zero vector of a lattice, given a basis, is a very important and apparently quite hard problem, although there is no proof that it is hard
• We will represent a basis by a matrix whose rows are the basis vectors
Lovasz-reduced basis
• Lovasz found a polynomial time algorithm that, given a basis for a lattice, produces a reduced basis
• The first vector in a Lovasz-reduced basis is not too long
• If v[1], …, v[n] is a Lovasz-reduced basis of a lattice, then:
The low-density attack itself
• Given the a[i] and s, we form the (n+1)-dimensional lattice with basis
And the miracle is
• If v[1], …, v[n+1] are the rows of V, and the x[j] solve the knapsack problem, then
• Since the x[j] are 0 or 1, this vector is very short
• The basic attack consists of running the Lovasz lattice basis reduction algorithm on the basis V and checking whether the resulting reduced basis contains a vector that is a solution
The Chor-Rivest knapsack
• The Chor-Rivest cryptosystem, developed in 1985, is one of the few knapsack systems that have not been broken, and among the most attractive ones
• Based on arithmetic in finite fields in which computing discrete logarithms is fairly easy
The Chor-Rivest cryptosystem
• Let GF(p^h) be a finite field such that p^h - 1 has only moderate prime factors, so that it is easy to compute discrete logarithms in GF(p^h) [one possible choice is p = 197, h = 24]
• Let f(x) be a monic irreducible polynomial of degree h over GF(p), so that GF(p^h) can be represented as GF(p)[x]/f(x)
• Let t be the residue class of x modulo f(x), so that t is an element of GF(p^h) and f(t) = 0
• Let g be a generator of the multiplicative group of GF(p^h)
Chor-Rivest (public key)
• For alpha in GF(p), let a[alpha] be an integer such that
• Let pi be a one-to-one map from {0, 1, …, p-1} to GF(p)
• Choose an integer d and define
• c[0], c[1], …, c[p-1] are the public key
Chor-Rivest (encryption)
• Messages to be encoded are first transformed into p-vectors (m[0], …, m[p-1]) of non-negative integers such that
• The ciphertext that is transmitted is then
Chor-Rivest (decryption)
• First compute
• Then we have
• And
• Now we can recover the m[i] by factoring G + f(x)!
Any questions?