This text examines the knapsack problem, specifically in the context of cryptography. The knapsack problem involves finding a subset of integers that sum up to a target value, a problem known to be NP-complete. The Merkle-Hellman cryptosystem employs this problem using large, relatively prime integers to create public and private keys based on superincreasing sequences. Despite its elegance and speed, the system is vulnerable to attacks, such as Shamir's method, which can exploit weaknesses in the structure of keys. Techniques to solve low-density subset-sum problems further illuminate the cryptographic landscape.
Poking Holes in Knapsack Cryptosystems
Grayson Myers
Knapsack (Subset Sum) Problem
• Given integers a1,…,an
• Given a target sum S (“knapsack”).
• Determine if there exists a subset of the integers that sums to S.
• In other words, find binary x1,…,xn so:
  • S = ∑ xi*ai
• NP-complete
Merkle-Hellman (1978)
• Public-key cryptosystem based on the knapsack problem
• Choose large, relatively-prime integers M and W
• Create a superincreasing sequence b1,…,bn
• Private key is M, W, and the b’s.
• Public key is sequence a1,…,an, s.t.
  • ai = bi*W mod M
• Suggestion: n = 100, M is 202 bits
Merkle-Hellman (cont.)
• To encrypt an n-bit message x1,…,xn:
  • Compute S = ∑ xi*ai
• To decrypt:
  • Compute S’ = W^-1*S mod M
  • Solve S’ = ∑ xi*bi for xi
  • Easy because b’s are superincreasing
• Works as long as ∑ bi < M.
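The key generation, encryption and decryption steps from the two Merkle-Hellman slides above, written out as an added Python example (not part of the original slides). The function names and the small default n = 16 are assumptions made for illustration.

```python
import math
import secrets

def keygen(n=16):
    """Return (private, public) with private = (b, M, W) and public = a."""
    if n < 2:
        raise ValueError("n must be at least 2")
    b, total = [], 0
    for _ in range(n):
        # Superincreasing: each b_i exceeds the sum of all earlier terms.
        nxt = total + 1 + secrets.randbelow(total + 2)
        b.append(nxt)
        total += nxt
    M = total + 1 + secrets.randbelow(total)   # enforces sum(b) < M
    while True:
        W = 2 + secrets.randbelow(M - 2)
        if math.gcd(W, M) == 1:                # W must be invertible mod M
            break
    a = [(bi * W) % M for bi in b]             # a_i = b_i * W mod M
    return (b, M, W), a

def encrypt(bits, a):
    """S = sum of x_i * a_i over the message bits x_i."""
    return sum(x * ai for x, ai in zip(bits, a))

def decrypt(S, private):
    """Undo the multiplier, then solve the superincreasing knapsack greedily."""
    b, M, W = private
    s = (pow(W, -1, M) * S) % M                # S' = W^-1 * S mod M
    bits = [0] * len(b)
    for i in reversed(range(len(b))):          # largest b_i first
        if b[i] <= s:
            bits[i] = 1
            s -= b[i]
    if s != 0:
        raise ValueError("S' is not a subset sum of b (is sum(b) < M?)")
    return bits

if __name__ == "__main__":
    private, public = keygen()
    message = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1]  # constructed
    S = encrypt(message, public)
    print("ciphertext S =", S)
    print("round trip ok:", decrypt(S, private) == message)
```

With the constructed key b = [2, 3, 7, 14, 30], W = 17 and M = 41, which violates ∑ bi < M, the all-ones message no longer decrypts and `decrypt` raises `ValueError`.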
Shamir’s Attack (1982)
• Exploits structure in the ai sequence to find M and W^-1
• Results in some superincreasing sequence that allows the message to be recovered
Lagarias and Odlyzko (1983)
• Solve low-density subset sum problems directly
• Do lattice basis reduction on the following basis:

    v1   = ( 1  0  …  0  -a1 )
    v2   = ( 0  1  …  0  -a2 )
      …
    vn   = ( 0  0  …  1  -an )
    vn+1 = ( 0  0  …  0   S  )
Lagarias and Odlyzko (Cont.)
• Vectors in L look like:
  • z1(v1) + z2(v2) + … + zn(vn) + zn+1(vn+1)
• In particular, this vector is in L:
  • x = (x1, x2,…, xn, 0)
• x is very short, therefore likely to appear in the reduced basis
• Works when density of subset sum is low
  • Defined as n/(# of bits in S)
Summary
• Knapsack cryptosystems:
  • Elegant
  • Fast
  • Insecure
• Subset sum problem is NP-complete, but there are too many easy cases.