Behdad Esfahbod - PowerPoint PPT Presentation

About This Presentation
Title:

Behdad Esfahbod

Description:

Knapsack Cryptosystems Behdad Esfahbod December 2001 Agenda Knapsack problem and it s computation complexity Knapsack as a public key cryptosystem The Merkle ... – PowerPoint PPT presentation

Number of Views:44
Avg rating:3.0/5.0
Slides: 34
Provided by: behdadOrg
Learn more at: https://behdad.org
Category:

less

Transcript and Presenter's Notes

Title: Behdad Esfahbod


1
Knapsack Cryptosystems
  • Behdad Esfahbod
  • December 2001

2
Agenda
  • Knapsack problem and its computation complexity
  • Knapsack as a public key cryptosystem
  • The Merkle-Hellman knapsack cryptosystem
  • Shamirs attack to basic Merkle-Hellman Knapsack
    cryptosystem
  • Lagarias and Odlyzkos attack for solving
    low-density knapsack cryptosystems
  • The Chor-Rivest knapsack

3
Overview
  • Knapsack rose as a public key cryptosystem,
    because of its computational complexity and
    efficiency
  • Many knapsack cryptosystems were broken in late
    1970s
  • Final fall of knapsack cryptosystem dated to
    Shamirs announcement in the spring of 1982 of a
    polynomial time attack on the singly-iterated
    Merkle-Hellman cryptosystem


4
The Knapsack problem
  • The knapsack or subset-sum problem is to
    determine, given positive integers (or weights)
    and a1, , an, and s, whether there is a
    subset of the ajs that sums to s. That is

5
Algorithmic view on knapsack
  • If we have a good algorithm to find if there is a
    solution to knapsack, we can find such a solution
    easily too
  • The general knapsack problem is known to be
    NP-complete
  • Assuming that ais are not too large, the
    trivial algorithm for solving knapsack, needs
    O(2n) steps

6
A better algorithm for knapsack
  • Just compute these sets
  • Sort them, and scan for a common member
  • This will take O(n2(n/2))O(2(n.lg(n)/2))
  • It needs O(2(n/2)) storage space
  • Surprisingly enough, this is still the fastest
    algorithm known for the general knapsack problem!

7
Knapsacks withsuper-increasing sequence
  • A sequence ai is called a super-increasing
    sequence if
  • A knapsack problem with super-increasing set of
    weights is easy to solve
  • Other xis can be found recursively

8
Basic idea behind all public key knapsack
cryptosystems
  • Start with a knapsack b1, , bn that is easy
    to solve
  • Transform it into the public knapsack a1, ,
    an by a process that conceals the structure of
    the knapsack
  • With the hope that knapsack a1, , an is hard
    to solve
  • The designer is in the position to reverse the
    concealing transformation and solve the easy
    knapsack

9
Merkle-Hellman system
  • Used by Merkle and Hellman in 1978
  • Based on modular multiplication
  • Start with a super-increasing knapsack b1, ,
    bn with
  • Choose M and W with

10
Merkle-Hellman system (cont.)
  • Compute
  • Select permutation pi of 1, , n
  • Define
  • Public key aj, 1lt j lt n
  • Private key M, W, bj, 1lt j ltn
  • A message (x1, , xn) is encoded as

11
Merkle-Hellman system (decrypt)
  • The bi are super-increasing ? Easy to solve

12
Multiply-iterated Merkle-Hellman cryptosystem
  • The algorithm mentioned is called basic of
    singly-iterated Merkle-Hellman cryptosystem
  • A multiply-iterated Merkle-Hellman cryptosystem
    is the same method, with more than one different
    (Mk, Wk)s with (Mk, Wk) 1 applied in a
    chain

13
Merkle-Hellman vs. RSA
  • MH is about 100 times faster than RSA (MH n
    100, RSA m 500bits)
  • MH needs twice communication capacity, RSA needs
    same capacity as the input
  • MHs public key is of size 2.n2 20,000 RSAs
    is 2.m 1000
  • MH assumes P ltgt NP, while RSA assumes
    factorization is in NP (ltgt P)

14
Security of MH cryptosystem
  • What if P NP?
  • What if most instances of knapsack, or MH are
    easy to solve?
  • How many information do MH public key leak?
  • As an example, the equation of knapsack modulo 2,
    provides a single bit of information about them
    (as not all the ai can be even)

15
Brassards note on complexity of cryptography
applied to MH
  • The interesting result of Brassard says
    essentially that if breaking a cryptosystem is
    NP-hard, then NP Co-NP, that is a surprising
    complexity theory result
  • If NP ltgt Co-NP, then breaking the MH cannot be
    NP-hard, and so is likely to be easier than
    solving the general knapsack problem

16
Attacks on Merkle-Hellman knapsack cryptosystem
  • These attacks rely on the fact that the modular
    multiplication does not disguise enough the easy
    knapsack
  • Shamirs polynomial algorithm for the
    singly-iterated Merkle-Hellman, 1982
  • Brickells attack on the multiply-iterated
    Merkle-Hellman, 1985

17
Shamirs attack on basic Merkle-Hellman system
  • Let
  • Then
  • Means that for some integers kj
  • Hence
  • That is an interesting result as we will see

18
  • This means that all of the kj/aj are close to
    U/M
  • We know that b1, , b5 2n
  • Let
  • We obtain
  • Subtracting i1 term
  • That implies

19
  • kji.aj1 is on the order of 24n, then the
    ai, ki should be of very special structure
  • In most cases kji, 1 lt i lt 5 are determined
    uniquely by this equation
  • Shamirs main contribution was to notice that
    this could be done in polynomial time by invoking
    H. W. Lenstras theorem that the integer
    programming problem in a fixed number of
    variables can be solved in polynomial time
  • This yields the kji, 1 lt I lt 5

20
Now we have the kji, 1lt i lt5
  • Once the kji are found, one obtains an
    approximation to U/M
  • From the approximation of U/M, constructs a pair
    (U, M) with U/M close to U/M such that
  • The weights cj obtained by
  • form a super-increasing sequence when
    arranged in increasing order
  • The cj can be used to decrypt the message!

21
But how to find j1, , j5?
  • As permutation pi is secret, we do not have
    j1, , j5
  • The solution is easy, the cryptanalyst considers
    all possible choices of them, and still remains
    in polynomial time!

22
Difficulties of Shamirs method
  • The crucial tool in the attack was Lenstras
    result on integer programming in a fixed number
    of variables
  • Continued fraction can be used instead of
    Lenstras result, but when the bi are too
    large, it fails
  • Lenstras result is powerful, but is of mostly
    theoretical interest, since its running time is
    given by a high degree polynomial, and so it has
    never been implemented

23
Attacks to low-density general knapsack problems
  • Low-density attacks try to solve the general
    knapsack problem, when the ai are large enough
  • There are two known approaches to solve general
    low-density knapsacks
  • One due to Lagarias and Odlyzko, 1983
  • Brickell low-density attack, 1984

24
On integer lattices
  • An integer lattice is an additive subgroup of Zn
    that contains n linearly independent vectors over
    Rn
  • A basis (v1,,vn) of L is a set of elements
    of L such that
  • L z1v1 znvn
  • Bases are not unique, but exist all the time
  • Finding the shortest non-zero vector of a
    lattice, given its basis, is a very important,
    and quite hard problem, although there is no
    proof that it is
  • We will show a basis with a matrix which its rows
    are the vectors of basis

25
Lovasz-reduced basis
  • Lovasz found a polynomial time algorithm that,
    given a basis for a lattice, produces a reduced
    basis.
  • The first vector in a Lovasz-reduced basis is not
    too long
  • If v1, , vn is a Lovasz-reduced basis of a
    lattice, then

26
The low-density attack itself
  • Given the ai and s, we form the
    (n1)-dimensional lattice with basis

27
And the miracle is
  • If v1, , vn1 are the rows of V, and the
    xj solve the knapsack problem, then
  • Since the xj are 0 or 1, this vector is very
    short
  • The basic attack consists of running the Lovasz
    lattice basis reduction algorithm on the basis V
    and checking whether the resulting reduced basis
    contains a vector that is a solution or not

28
The Chor-Rivest knapsack
  • The Chor-Rivest cryptosystem, developed in 1985,
    is one of the few knapsack systems that have not
    been broken, and among the most attractive ones
  • Based on arithmetic in finite fields that
    computing discrete logarithms is fairy easy

29
The Chor-Rivest cryptosystem
  • Let GF(ph) be a finite field such that ph - 1
    has only moderate prime factors, so that its
    easy to compute discrete logarithms in GF(ph)
    one possible choice is p197, h24
  • Let f(x) be a monic irreducible polynomial of
    degree h over GF(p), so that GF(ph) can be
    represented as GF(p)x/f(x)
  • Let t be the residue class of x modulo f(x), so
    that t is an element of GF(ph) and f(t)0
  • Let g be a generator of the multiplicative group
    of GF(ph)

30
Chor-Rivest (public-key)
  • For alpha in GF(p), let aalpha be an integer
    such that
  • Let pi be a one-to-one map from 0, 1, , p-1 to
    GF(p)
  • Choose an integer d and define
  • c0, c1, , cp-1 are the public key

31
Chor-Rivest (encryption)
  • Messages to be encoded are first transformed into
    p-vectors (m0, , mp-1) of non-negative
    integers such that
  • The cipher-text that is transmitted is then

32
Chor-Rivest (decryption)
  • First compute
  • Then we have
  • And
  • Now we can recover the mi by factoring Gf(x)!

33
?
  • Any questions
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Behdad Esfahbod" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!