Knapsack Cryptosystems


Knapsack Cryptosystems
Behdad Esfahbod, December 2001
9/22/2018 Knapsack Cryptosystems

Agenda
The knapsack problem and its computational complexity
Knapsack as a public key cryptosystem
The Merkle-Hellman knapsack cryptosystem
Shamir's attack on the basic Merkle-Hellman knapsack cryptosystem
Lagarias and Odlyzko's attack for solving low-density knapsack cryptosystems
The Chor-Rivest knapsack

Overview
The knapsack problem attracted interest as the basis of public key cryptosystems because of its computational complexity and the efficiency of the resulting schemes.
Many knapsack cryptosystems were broken in the late 1970s.
The final fall of knapsack cryptosystems dates to Shamir's announcement, in the spring of 1982, of a polynomial-time attack on the singly-iterated Merkle-Hellman cryptosystem.

The knapsack problem
The knapsack or subset-sum problem is to determine, given positive integers (weights) a[1], …, a[n] and a target s, whether there is a subset of the a[j] that sums to s. That is:

Algorithmic view of knapsack
If we have a good algorithm for deciding whether a knapsack instance has a solution, we can also find such a solution easily.
The general knapsack problem is known to be NP-complete.
Assuming the a[i] are not too large, the trivial algorithm for solving knapsack needs O(2^n) steps.

A better algorithm for knapsack
Just compute these sets:
Sort them, and scan for a common member.
This takes O(n·2^(n/2)) = O(2^(n/2 + lg n)) time.
It needs O(2^(n/2)) storage space.
Surprisingly enough, this is still the fastest algorithm known for the general knapsack problem!
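The two-list algorithm of this slide, as an added Python example that is not part of the original deck: the subset sums of the first half and the values s minus the subset sums of the second half are both sorted, and one merge-style scan looks for a common member. The weights and target below are constructed for the demonstration.

```python
def subset_sums(weights):
    """Every subset sum of `weights`, paired with the bitmask of the chosen items."""
    sums = [(0, 0)]
    for i, w in enumerate(weights):
        sums += [(t + w, mask | (1 << i)) for t, mask in sums]
    return sums                      # 2^len(weights) entries


def mask_to_bits(mask, n):
    return [(mask >> i) & 1 for i in range(n)]


def knapsack_mitm(a, s):
    """Return x in {0,1}^n with sum(x[i]*a[i]) == s, or None.
    Time O(n * 2^(n/2)) for the sorts, space O(2^(n/2)) for the two lists."""
    n, h = len(a), len(a) // 2
    left = sorted(subset_sums(a[:h]))                                  # sums of first half
    right = sorted((s - t, mask) for t, mask in subset_sums(a[h:]))    # s minus sums of second half
    i = j = 0
    while i < len(left) and j < len(right):                            # single scan for a common value
        if left[i][0] == right[j][0]:
            return mask_to_bits(left[i][1], h) + mask_to_bits(right[j][1], n - h)
        if left[i][0] < right[j][0]:
            i += 1
        else:
            j += 1
    return None


# Constructed instance: eight weights and a target reachable by one subset.
WEIGHTS = [23, 41, 7, 66, 12, 58, 35, 90]
TARGET = 41 + 66 + 58 + 35          # = 200
```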

Knapsacks with a super-increasing sequence
A sequence a[i] is called super-increasing if
A knapsack problem with a super-increasing set of weights is easy to solve:
The other x[i] can be found recursively.

Basic idea behind all public key knapsack cryptosystems
Start with a knapsack b[1], …, b[n] that is easy to solve.
Transform it into the public knapsack a[1], …, a[n] by a process that conceals the structure of the knapsack, in the hope that the knapsack a[1], …, a[n] is hard to solve.
The designer is in a position to reverse the concealing transformation and solve the easy knapsack.

Merkle-Hellman system
Proposed by Merkle and Hellman in 1978.
Based on modular multiplication.
Start with a super-increasing knapsack b[1], …, b[n] with:
Choose M and W with:

Merkle-Hellman system (cont.)
Compute
Select a permutation p[i] of {1, …, n}.
Define
Public key: a[j], 1 <= j <= n.
Private key: M, W, b[j], 1 <= j <= n.
A message (x[1], …, x[n]) is encoded as:

Merkle-Hellman system (decrypt)
The b[i] are super-increasing, so the resulting knapsack is easy to solve.
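The three preceding slides (easy super-increasing knapsack, key generation with M, W and the permutation p, encryption, and decryption by undoing the modular multiplication) carried through in Python as an added example; this is not code from the original deck, and the private knapsack, M = 491, W = 41 and the permutation are constructed toy values, far too small for real use.

```python
from math import gcd

# Constructed toy private key: super-increasing weights, M > sum(b), gcd(W, M) = 1.
B_PRIVATE = [2, 3, 7, 14, 30, 57, 120, 251]   # each b[i] exceeds the sum of the earlier ones
M, W = 491, 41                                  # 491 > 484 = sum(B_PRIVATE); 491 is prime
PERM = [3, 0, 6, 1, 7, 4, 2, 5]                 # secret permutation p of the indices 0..7


def is_superincreasing(b):
    total = 0
    for w in b:
        if w <= total:
            return False
        total += w
    return True


def solve_superincreasing(b, s):
    """Greedy solution of the easy knapsack: take each weight, largest first, if it fits."""
    x = [0] * len(b)
    for i in range(len(b) - 1, -1, -1):
        if b[i] <= s:
            x[i], s = 1, s - b[i]
    return x if s == 0 else None


def public_key(b=B_PRIVATE, m=M, w=W, perm=PERM):
    assert is_superincreasing(b) and m > sum(b) and gcd(w, m) == 1
    return [(w * b[perm[j]]) % m for j in range(len(b))]   # a[j] = W * b[p(j)] mod M


def encrypt(bits, a):
    return sum(x * aj for x, aj in zip(bits, a))          # ciphertext s = sum x[j] a[j]


def decrypt(s, b=B_PRIVATE, m=M, w=W, perm=PERM):
    t = (pow(w, -1, m) * s) % m          # W^-1 * s mod M = sum x[j] b[p(j)], since that sum < M
    y = solve_superincreasing(b, t)      # y[i] is the bit that multiplies b[i]
    return None if y is None else [y[perm[j]] for j in range(len(b))]  # undo the permutation


MESSAGE = [1, 0, 1, 1, 0, 0, 1, 0]       # constructed 8-bit plaintext
```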

Multiply-iterated Merkle-Hellman cryptosystem
The algorithm just described is called the basic or singly-iterated Merkle-Hellman cryptosystem.
A multiply-iterated Merkle-Hellman cryptosystem is the same method with more than one pair (M[k], W[k]), each with gcd(M[k], W[k]) = 1, applied in a chain.

Merkle-Hellman vs. RSA
MH is about 100 times faster than RSA (MH: n ~ 100, RSA: m ~ 500 bits).
MH needs twice the communication capacity of the input; RSA needs the same capacity as the input.
MH's public key is of size 2·n^2 = 20,000 bits; RSA's is 2·m = 1000 bits.
MH assumes P <> NP, while RSA assumes factorization is in NP but not in P.

Security of the MH cryptosystem
What if P = NP?
What if most instances of knapsack, or of MH, are easy to solve?
How much information does the MH public key leak?
As an example, the knapsack equation taken modulo 2 provides a single bit of information about the message bits x[i] (as not all the a[i] can be even).

Brassard's note on the complexity of cryptography, applied to MH
Brassard's interesting result says essentially that if breaking a cryptosystem is NP-hard, then NP = co-NP, which would be a surprising complexity-theoretic result.
If NP <> co-NP, then breaking MH cannot be NP-hard, and so is likely to be easier than solving the general knapsack problem.

Attacks on the Merkle-Hellman knapsack cryptosystem
These attacks rely on the fact that modular multiplication does not disguise the easy knapsack well enough:
Shamir's polynomial-time algorithm for the singly-iterated Merkle-Hellman, 1982
Brickell's attack on the multiply-iterated Merkle-Hellman, 1985

Shamir's attack on the basic Merkle-Hellman system
Let
Then
This means that for some integers k[j]
Hence
This is an interesting result, as we will see.

This means that all of the k[j]/a[j] are close to U/M.
We know that b[1], …, b[5] ~ 2^n.
Let
We obtain
Subtracting the i=1 term:
That implies:

Since k[j[i]]·a[j[1]] is on the order of 2^(4n), the a[i] and k[i] must have a very special structure.
In most cases the k[j[i]], 1 <= i <= 5, are determined uniquely by this equation.
Shamir's main contribution was to notice that this could be done in polynomial time by invoking H. W. Lenstra's theorem that the integer programming problem in a fixed number of variables can be solved in polynomial time.
This yields the k[j[i]], 1 <= i <= 5.

Now we have the k[j[i]], 1 <= i <= 5
Once the k[j[i]] are found, one obtains an approximation to U/M.
From the approximation to U/M, construct a pair (U', M') with U'/M' close to U/M such that:
The weights c[j] obtained by
form a super-increasing sequence when arranged in increasing order.
The c[j] can be used to decrypt the message!

But how to find j[1], …, j[5]?
As the permutation p[i] is secret, we do not know j[1], …, j[5].
The solution is easy: the cryptanalyst considers all possible choices of them (at most n^5), and still remains in polynomial time!

Difficulties of Shamir's method
The crucial tool in the attack was Lenstra's result on integer programming in a fixed number of variables.
Continued fractions can be used instead of Lenstra's result, but when the b[i] are too large, this fails.
Lenstra's result is powerful, but of mostly theoretical interest, since its running time is given by a high-degree polynomial, and so it has never been implemented.

Attacks on low-density general knapsack problems
Low-density attacks try to solve the general knapsack problem when the a[i] are large enough.
There are two known approaches to solving general low-density knapsacks:
One due to Lagarias and Odlyzko, 1983
Brickell's low-density attack, 1984

On integer lattices
An integer lattice is an additive subgroup of Z^n that contains n vectors linearly independent over R^n.
A basis (v[1], …, v[n]) of L is a set of elements of L such that L = { z[1]v[1] + … + z[n]v[n] : z[i] integers }.
Bases are not unique, but always exist.
Finding the shortest non-zero vector of a lattice, given a basis, is a very important and apparently quite hard problem, although there is no proof that it is hard.
We will write a basis as a matrix whose rows are the basis vectors.

Lovász-reduced basis
Lovász found a polynomial-time algorithm that, given a basis for a lattice, produces a reduced basis.
The first vector of a Lovász-reduced basis is not too long: if v[1], …, v[n] is a Lovász-reduced basis of a lattice, then:

The low-density attack itself
Given the a[i] and s, we form the (n+1)-dimensional lattice with basis

And the miracle is
If v[1], …, v[n+1] are the rows of V and the x[j] solve the knapsack problem, then
Since the x[j] are 0 or 1, this vector is very short.
The basic attack consists of running the Lovász lattice basis reduction algorithm on the basis V and checking whether the resulting reduced basis contains a vector that is a solution.
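The lattice attack of the last three slides as an added Python example, not code from the original deck: a textbook LLL (Lovász) reduction over exact fractions, the basis V with rows (e_i, a_i) and (0, …, 0, -s), and a scan of the reduced basis for a vector of the form (x, 0) with x in {0,1}^n. One assumption beyond the slides: the last column is multiplied by a constant N (the usual weighting), which makes every vector with a non-zero last coordinate long. The six-weight instance is constructed for the demonstration.

```python
from fractions import Fraction

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def lll_reduce(basis, delta=Fraction(3, 4)):
    """Textbook LLL on integer rows; Gram-Schmidt is recomputed after each change (fine for 7 dims)."""
    B = [[Fraction(x) for x in row] for row in basis]
    n = len(B)
    def gram_schmidt():
        Bs, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = B[i][:]
            for j in range(i):
                mu[i][j] = dot(B[i], Bs[j]) / dot(Bs[j], Bs[j])
                v = [vi - mu[i][j] * bj for vi, bj in zip(v, Bs[j])]
            Bs.append(v)
        return Bs, mu
    Bs, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):                 # size-reduce row k against earlier rows
            q = round(mu[k][j])
            if q:
                B[k] = [bk - q * bj for bk, bj in zip(B[k], B[j])]
                Bs, mu = gram_schmidt()
        if dot(Bs[k], Bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(Bs[k - 1], Bs[k - 1]):
            k += 1                                     # Lovasz condition holds, move on
        else:
            B[k], B[k - 1] = B[k - 1], B[k]            # swap and step back
            Bs, mu = gram_schmidt()
            k = max(k - 1, 1)
    return [[int(x) for x in row] for row in B]

def low_density_attack(a, s, scale=100):
    """Rows (e_i, N*a_i) and (0,...,0,-N*s); a solution x appears as the short vector (x, 0)."""
    n = len(a)
    rows = [[int(i == j) for j in range(n)] + [scale * a[i]] for i in range(n)]
    rows.append([0] * n + [-scale * s])
    for v in lll_reduce(rows):
        if v[n] == 0 and (all(c in (0, 1) for c in v[:n]) or all(c in (0, -1) for c in v[:n])):
            x = [abs(c) for c in v[:n]]               # accept the vector or its negation
            if dot(x, a) == s:                         # verify against the public knapsack
                return x
    return None

# Constructed low-density instance (density about 6/24): six 24-bit weights and a hidden x.
WEIGHTS = [11938471, 14205883, 9877621, 12660937, 15412209, 10391557]
SECRET_X = [1, 0, 1, 1, 0, 1]
S = dot(SECRET_X, WEIGHTS)                             # the ciphertext an attacker sees
```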

The Chor-Rivest knapsack
The Chor-Rivest cryptosystem, developed in 1985, is one of the few knapsack systems that have not been broken, and among the most attractive ones.
It is based on arithmetic in finite fields in which computing discrete logarithms is fairly easy.

The Chor-Rivest cryptosystem
Let GF(p^h) be a finite field such that p^h - 1 has only moderate prime factors, so that it is easy to compute discrete logarithms in GF(p^h) [one possible choice is p=197, h=24].
Let f(x) be a monic irreducible polynomial of degree h over GF(p), so that GF(p^h) can be represented as GF(p)[x]/f(x).
Let t be the residue class of x modulo f(x), so that t is an element of GF(p^h) and f(t)=0.
Let g be a generator of the multiplicative group of GF(p^h).

Chor-Rivest (public key)
For alpha in GF(p), let a[alpha] be an integer such that
Let pi be a one-to-one map from {0, 1, …, p-1} to GF(p).
Choose an integer d and define
c[0], c[1], …, c[p-1] are the public key.

Chor-Rivest (encryption)
Messages to be encoded are first transformed into p-vectors (m[0], …, m[p-1]) of non-negative integers such that
The ciphertext that is transmitted is then

Chor-Rivest (decryption)
First compute
Then we have
And
Now we can recover the m[i] by factoring G + f(x)!

Any questions?