Poking Holes in Knapsack Cryptosystems
Grayson Myers


Knapsack (Subset Sum) Problem
  • Given integers a_1, …, a_n
  • Given a target sum S (“knapsack”).
  • Determine if there exists a subset of the integers that sums to S.
  • In other words, find binary x_1, …, x_n so:
      S = ∑ x_i*a_i
  • NP-complete

Merkle-Hellman (1978)
Public-key cryptosystem based on the knapsack problem
  • Choose large, relatively-prime integers M and W
  • Create a superincreasing sequence b_1, …, b_n
  • Private key is M, W, and the b’s.
  • Public key is sequence a_1, …, a_n, s.t.
      a_i = b_i*W mod M
  • Suggestion: n = 100, M is 202 bits

Merkle-Hellman (cont.)
  • To encrypt an n-bit message x_1, …, x_n:
      • Compute S = ∑ x_i*a_i
  • To decrypt:
      • Compute S’ = W^-1*S mod M
      • Solve S’ = ∑ x_i*b_i for x_i
      • Easy because b’s are superincreasing
      • Works as long as ∑ b_i < M.

Shamir’s Attack (1982)
  • Exploits structure in the a_i sequence to find M and W^-1
  • Results in some superincreasing sequence that allows the message to be recovered

Lagarias and Odlyzko (1983)
Solve low-density subset sum problems directly
  • Do lattice basis reduction on the following basis:
      v_1     = (1, 0, …, 0, -a_1)
      v_2     = (0, 1, …, 0, -a_2)
      …
      v_n     = (0, 0, …, 1, -a_n)
      v_{n+1} = (0, 0, …, 0, S)

Lagarias and Odlyzko (cont.)
  • Vectors in L look like:
      • z_1(v_1) + z_2(v_2) + … + z_n(v_n) + z_{n+1}(v_{n+1})
  • In particular, this vector is in L:
      • x = (x_1, x_2, …, x_n, 0)
  • x is very short, therefore likely to appear in the reduced basis
  • Works when density of subset sum is low
      • Defined as n/(# of bits in S)

Summary
  • Knapsack cryptosystems:
      • Elegant
      • Fast
      • Insecure
  • Subset sum problem is NP-complete, but there are too many easy cases.