Download presentation
Presentation is loading. Please wait.
1
Knapsack Cryptosystems
1 Dinara Barshevich JASS’05 St. Petersburg 9/22/2018 Knapsack Cryptosystems
2
Brief historical background
1976, Diffie & Hellman – Public Key Cryptosystem 1977 RSA – the first incarnation of such system 1978 Merkle – Hellman Cryptosystem 1980s years: attacks to MH 9/22/2018 Knapsack Cryptosystems
3
Knapsack Cryptosystems
Agenda Idea of Public-Key Cryptosystems Knapsack problem: setting, comlexity and basic analyses Knapsack Public-Key Cryptosystems Algorithm of Merkle – Hellman Attacks to Merkle – Hellman Cryptosystem What next? 9/22/2018 Knapsack Cryptosystems
4
Public key cryptosystems
M - plaintext Receiver Encryption: sender Key generation E(M, K1) = C - cyphertext C - ciphertext Public key - K1 Private key - K2 Decryption: receiver D(C, K2) = M - original M - plaintext 9/22/2018 Knapsack Cryptosystems
5
The Knapsack problem – closely related to subset-sum problem.
9/22/2018 Knapsack Cryptosystems
6
Some observations on Knapsack
The general knapsack problem is known to be NP-complete Efficient algorithm of the feasibility form of the problem helps to find such a solution easily. Assuming that {ai } are not too large, the trivial algorithm for solving knapsack needs O(2ⁿ) steps 9/22/2018 Knapsack Cryptosystems
7
A better algorithm for Knapsack
Compute: Sort them, and scan for a common member: using O(n2^(n/2)) time+ O(2^(n/2)) storage space. It’s the fastest algorithm! 9/22/2018 Knapsack Cryptosystems
8
Easy-solvable knapsacks:
9/22/2018 Knapsack Cryptosystems
9
Knapsacks with super-increasing sequence
A sequence {ai} is called a super-increasing sequence if O(n) - algorithm for Knapsack with super-increasing weights: for j = n downto 1 { If s ai then { xi = 1; s = s - ai; } else xi = 0; } return (x1, x2,..., xn). Solution if exists is unique! 9/22/2018 Knapsack Cryptosystems
10
Knapsack Cryptosystems
Basic idea: Public key Private {A1,.An} {B1,.,Bn} Alice Alice Bob Public Private Bob:encoding Alice:decoding X1,..Xn C=∑BiXi Alice X1,..Xn S=∑AiXi Charlie Hard knapsack Easy knapsack 9/22/2018 Knapsack Cryptosystems
11
MH system: key generation
Start with a super-increasing knapsack {b1,…, bn} such that: Choose M and W such that: 9/22/2018 Knapsack Cryptosystems
12
Knapsack Cryptosystems
MH system (cont.) Compute 9/22/2018 Knapsack Cryptosystems
13
Knapsack Cryptosystems
MH system: encryption 9/22/2018 Knapsack Cryptosystems
14
The {b1,…, bn} are super-increasing Easy to solve
MH system: decryption The {b1,…, bn} are super-increasing Easy to solve 9/22/2018 Knapsack Cryptosystems
15
Two variants of Merkle-Hellman cryptosystem
singly-iterated Merkle-Hellman cryptosystem multiply-iterated Merkle-Hellman cryptosystem 9/22/2018 Knapsack Cryptosystems
16
Multiply-iterated MH cryptosystem
9/22/2018 Knapsack Cryptosystems
17
Knapsack Cryptosystems
MH vs. RSA MH is about 100 times faster than RSA (MH: n ~ 100, RSA: m ~ 500bits) MH : n bits are encoded in 2n bits, RSA: n bits are encoded in n bits MH’s public key is of size 2n² ~ 20,000 for n ~ 100 and RSA’s is 2m ~ 1000 for m ~ 500bits MH assumes P <> NP, while RSA assumes factorization is in NP (<> P) 9/22/2018 Knapsack Cryptosystems
18
Security of MH cryptosystem:general doubts.
What if P = NP? What if most instances of knapsack used by MH are easy to solve? What if one can deduce from the public Knapsack what the construction method is? 9/22/2018 Knapsack Cryptosystems
19
Security of MH cryptosystem:special doubts.
Result of Brassard: if breaking a cryptosystem is NP-hard, then NP = Co-NP. If NP <> Co-NP, then breaking the MH cannot be NP-hard! Linearity of MH equation: e.g. provides a single bit of information about plaintext (as we may assume:not all the ai are even) 9/22/2018 Knapsack Cryptosystems
20
Knapsack Cryptosystems
Parameters choice If some bj is large we get inefficient knapsack If, say, b1 = 1 then aj = W for some j One can try all aj as a candidate for W 9/22/2018 Knapsack Cryptosystems
21
Parameters choice – cont’d
9/22/2018 Knapsack Cryptosystems
22
Attacks on MH Cryptosystem
modular multiplication does not disguise enough the easy knapsack using Private Key Attack method B1,…Bn Easy A1,…An General C1,…Cn Easy Alice Charlie 9/22/2018 Knapsack Cryptosystems
23
Attacks on MH Cryptosystem
try to solve the general knapsack problem, when the ai are large enough using Private Key A1,…An General but large enough B1,…Bn Easy Alice 9/22/2018 Knapsack Cryptosystems
24
Attacks on MH knapsack cryptosystem
Rely on the fact that the modular multiplication does not disguise enough the easy knapsack: 1. Shamir’s polynomial algorithm for the singly-iterated Merkle-Hellman, 1982 2. Brickell’s attack on the multiply-iterated Merkle-Hellman, 1985 9/22/2018 Knapsack Cryptosystems
25
Shamir’s attack on basic MH system
9/22/2018 Knapsack Cryptosystems
26
Knapsack Cryptosystems
This means that all of the kj /aj are close to U/M In MH: b1,…, bq ~ 2ⁿ: q – small enough Let We obtain Subtracting i=1 term: That implies: 9/22/2018 Knapsack Cryptosystems
27
Knapsack Cryptosystems
kji aj1 is on the order of 2^4n, then the kj,and aj should be of very special structure In most cases the kji ,1≤ i ≤ q are determined uniquely by this equation invoking H. W. Lenstra’s theorem: the integer programming problem in a fixed number of variables can be solved in polynomial time! This yields the kji ,1≤ i ≤ q 9/22/2018 Knapsack Cryptosystems
28
Knapsack Cryptosystems
Now we have the kji ,1≤ i ≤ q we can construct a pair (U´, M´): U´/M´ close to U/M such that: if compute the weights cj by - form a super-increasing sequence when arranged in increasing order The cj can be used to decrypt the message! 9/22/2018 Knapsack Cryptosystems
29
Knapsack Cryptosystems
But how to find j1,…, jq ? As permutation π is secret, we do not have j1,…, jq The solution is easy: the cryptanalyst considers all possible choices of them, and still remains in polynomial time! 9/22/2018 Knapsack Cryptosystems
30
Difficulties of Shamir’s method
The crucial tool in the attack was Lenstra’s result on integer programming in a fixed number of variables Lenstra’s algorithm running time is given by a high degree polynomial – never implemented! Continued fraction can be used instead of Lenstra’s result, but when the bj are large enough, it fails 9/22/2018 Knapsack Cryptosystems
31
Attacks to low-density general knapsack problems
try to solve the general knapsack problem, when the ai are large enough 2 famous attacks: - Lagarias and Odlyzko, 1983 - Brickell low-density attack, 1984 9/22/2018 Knapsack Cryptosystems
32
Knapsack Cryptosystems
On integer lattices An integer lattice is an additive subgroup of Zⁿ that contains n linearly independent vectors over Rⁿ A basis (v1 ,…, vn ) of L is a set of elements of L such that L = {z1 v1 +…+ zn vn : zi – integer} Input: (v1 ,…, vn ) – basis of L - lattice SVL: Find the shortest non-zero vector of L quite hard problem – yet not proved! 9/22/2018 Knapsack Cryptosystems
33
Knapsack Cryptosystems
Lovasz-reduced basis Lovasz’ polynomial-time algorithm: given a basis for a lattice, constructs Lovasz- reduced basis (v1 ,…, vn ): 9/22/2018 Knapsack Cryptosystems
34
The low-density attack itself
Given the ai and s, form the (n+1)-dimensional lattice with basis 9/22/2018 Knapsack Cryptosystems
35
Knapsack Cryptosystems
And the miracle is If {xj | j = 1..n} solve the knapsack problem, then Since the xj are 0 or 1, this vector is very short The basic attack: 1. run the Lovasz lattice basis reduction algorithm on the basis V 2. check if the resulting reduced basis contains a vector that is a solution or not 9/22/2018 Knapsack Cryptosystems
36
Knapsack Cryptosystems
How it works: If {aj} are large: most vectors in the lattice are large. So the vector X corresponding to our solution might be the shortest: If aj ~ 2^(βn) where β> then X is the shortest in most lattices So: if we could efficiently solve SVL – we can solve most low-density knapsacks 9/22/2018 Knapsack Cryptosystems
37
Knapsack Cryptosystems
How we solve SVL Proved: we can solve knapsacks with aj ~ 2^(n^2) – extremely large! In practice: much better 9/22/2018 Knapsack Cryptosystems
38
Knapsack Cryptosystems
Summary: MH algorithm itself Attack using revealing an easy knapsack from public Attack using solvability of low-density knapsacks 9/22/2018 Knapsack Cryptosystems
39
Knapsack Cryptosystems
In conclusion: Both of two main fears were borne out. A few knapsack-based Cryptosystems still remain unbroken: e.g. Chor – Rivest 1988 Since 1) high speed 2) factorization and logarithm procedures can turn out efficiently solvable someday 3) elegance of the algorithm search is going on… 9/22/2018 Knapsack Cryptosystems
40
Knapsack Cryptosystems
Example - exercise Make a private key: with n = 6 (2, 3, 6, 13, 27,52) M = 105, W = 31 aj : (62, 93, 81, 88, 102, 37) 9/22/2018 Knapsack Cryptosystems
41
Knapsack Cryptosystems
Encryption Let Mes = Shift it: – = 174 – = 280 – = 333 Cipher = (174, 280, 333) 9/22/2018 Knapsack Cryptosystems
42
Knapsack Cryptosystems
Decryption 9/22/2018 Knapsack Cryptosystems
Similar presentations
