Adapting Density Attacks to Low-Weight Knapsacks

Cryptosystems based on the knapsack problem were among the first public-key systems to be invented. Their high encryption/ decryption rate attracted considerable interest until it was noticed that the underlying knapsacks often had a low density, which made them vulnerable to lattice attacks, both in theory and practice. To prevent low-density attacks, several designers found a subtle way to increase the density beyond the critical density by decreasing the weight of the knapsack, and possibly allowing non-binary coefficients. This approach is actually a bit misleading: we show that low-weight knapsacks do not prevent efficient reductions to lattice problems like the shortest vector problem, they even make reductions more likely. To measure the resistance of low-weight knapsacks, we introduce the novel notion of pseudo-density, and we apply the new notion to the Okamoto-Tanaka-Uchiyama (OTU) cryptosystem from Crypto ’00. We do not claim to break OTU and we actually believe that this system may be secure with an appropriate choice of the parameters. However, our research indicates that, in its current form, OTU cannot be supported by an argument based on density. Our results also explain why Schnorr and Horner were able to solve at Eurocrypt ’95 certain high-density knapsacks related to the Chor-Rivest cryptosystem, using lattice reduction.

[1]  Damien Stehlé,et al.  Floating-Point LLL Revisited , 2005, EUROCRYPT.

[2]  Hendrik W. Lenstra On the Chor—Rivest knapsack cryptosystem , 2004, Journal of Cryptology.

[3]  Andrew Odlyzko,et al.  The Rise and Fall of Knapsack Cryptosystems , 1998 .

[4]  Serge Vaudenay,et al.  Cryptanalysis of the Chor-Rivest Cryptosystem , 1998, CRYPTO.

[5]  Jeffrey C. Lagarias,et al.  Solving low density subset sum problems , 1983, 24th Annual Symposium on Foundations of Computer Science (sfcs 1983).

[6]  Joseph H. Silverman,et al.  Dimension Reduction Methods for Convolution Modular Lattices , 2001, CaLC.

[7]  Phong Q. Nguyen,et al.  Noisy Polynomial Interpolation and Noisy Chinese Remaindering , 2000, EUROCRYPT.

[8]  Claus-Peter Schnorr,et al.  Attacking the Chor-Rivest Cryptosystem by Improved Lattice Reduction , 1995, EUROCRYPT.

[9]  Joseph H. Silverman,et al.  NTRU: A Ring-Based Public Key Cryptosystem , 1998, ANTS.

[10]  Igor E. Shparlinski,et al.  The Insecurity of the Digital Signature Algorithm with Partially Known Nonces , 2002, Journal of Cryptology.

[11]  Jacques Stern,et al.  The Two Faces of Lattices in Cryptology , 2001, CaLC.

[12]  Keisuke Tanaka,et al.  Density Attack to the Knapsack Cryptosystems with Enumerative Source Encoding , 2004 .

[13]  Ravi Kannan,et al.  Minkowski's Convex Body Theorem and Integer Programming , 1987, Math. Oper. Res..

[14]  A. Odlyzko,et al.  Lattice points in high-dimensional spheres , 1990 .

[15]  Jacques Stern,et al.  Merkle-Hellman Revisited: A Cryptanalysis of the Qu-Vanstone Cryptosystem Based on Group Factorizations , 1997, CRYPTO.

[16]  Ronald L. Rivest,et al.  A knapsack-type public key cryptosystem based on arithmetic in finite fields , 1988, IEEE Trans. Inf. Theory.

[17]  Phong Q. Nguyen Cryptanalysis of the Goldreich-Goldwasser-Halevi Cryptosystem from Crypto '97 , 1999, CRYPTO.

[18]  Martin E. Hellman,et al.  Hiding information and signatures in trapdoor knapsacks , 1978, IEEE Trans. Inf. Theory.

[19]  Antoine Joux,et al.  Improved low-density subset sum algorithms , 1992, computational complexity.

[20]  Daniele Micciancio,et al.  The hardness of the closest vector problem with preprocessing , 2001, IEEE Trans. Inf. Theory.

[21]  Shafi Goldwasser,et al.  Complexity of lattice problems , 2002 .

[22]  Keisuke Tanaka,et al.  Quantum Public-Key Cryptosystems , 2000, CRYPTO.