Poking Holes in Knapsack Cryptosystems Grayson Myers

Knapsack (Subset Sum) Problem Given integers a1,…,an Given a target sum S (“knapsack”). Determine if there exists a subset of the integers that sums to S. In other words, find binary x1,…,xn so: S = ∑ xi*ai NP-complete

Merkle-Hellman (1978) Public-key cryptosystem based on the knapsack problem Choose large, relatively-prime integers M and W Create a superincreasing sequence b1,…,bn Private key is M, W, and the b’s. Public key is sequence a1,…,an, s.t. ai = bi*W mod M Suggestion: n = 100, M is 202 bits

Merkle-Hellman (cont.) To encrypt an n-bit message x1,…,xn: Compute S = ∑ xi*ai To decrypt: Compute S’ = W-1*S mod M Solve S’ = ∑ xi*bi for xi Easy because b’s are superincreasing Works as long as ∑ bi < M.

Shamir’s Attack (1982) Exploits structure in the ai sequence to find M and W-1 Results in some superincreasing sequence that allows the message to be recovered

Lagarias and Odlyzko (1983) Solve low-density subset sum problems directly Do lattice basis reduction on the following basis: V1= 1 0 … 0 -a1 0 1 … 0 -a2 V2= … Vn= 0 0 … 1 -an Vn+1= 0 0 … 0 S

Lagarias and Odlyzko (Cont.) Vectors in L look like: z1(v1) + z2(v2) + … + zn(vn) + zn+1(vn+1) In particular, this vector is in L: x = (x1, x2,…, xn, 0) x is very short, therefore likely to appear in the reduced basis Works when density of subset sum is low Defined as n/(# of bits in S)

Summary Knapsack cryptosystems: Elegant Fast Insecure Subset sum problem is NP-complete, but there are too many easy cases.