Cryptanalysis of a New Knapsack Type Public-Key Cryptosystem
Rooh allah Rastaghi 1 1Electrical Engineering Department, Aeronautical University of Since & Technology (Shahid Sattari), Tehran, Iran [email protected]
quantum computers. Therefore, traditional public key Abstract —In [5], a new knapsack type public key cryptosystem cryptosystem based on the two problems cannot be used to is introduced. In this cryptosystem, Hwang et al. used a new provide privacy protections any longer, and public key algorithm called Permutation Combination Algorithm. By exploiting cryptosystems secure in quantum computing environments are this algorithm, they attempt to increase the density of knapsack to needed to be developed. The knapsack problem is NP- avoid the low-density attack [2], [6]. complete. Hence, we can design cryptosystems based on the We show that this cryptosystem is insecure, since this knapsack problem in order to resist quantum attacks. On the cryptosystem is based on basic Merkel-Hellman [9] knapsack cryptosystem, and because of the superincreasing structure, we can other hand, Although the underlying problem is NP-complete, use the Shamir’s attack on basic Merkle-Hellman knapsack [7], [14] but some of the knapsack cryptosystem such as Merkle- to break this cryptosystem. Hellman [14], Chor-Rivest [16], … was broken due to the special structure of the private key and the mathematical way Keywords — Public key cryptosystem, Knapsack problem, that public key (public knapsack) was built from the private Shamir attack, Cryptanalysis. key. In this paper, we Analysis the knapsack PKC Based on I. INTRODUCTION Permutation Combination Algorithm was presented by Hwang N 1976, Diffie and Hellman [3] introduced the public key et al . and show that Because of the identical structure, in key Icryptosystem (PKC). Most public key cryptosystems fall generation stage, with the basic Merkel-Hellman knapsack into one of the two categories below [1]: cryptosystem, we can use the Shamir’s attack for this • Public key cryptosystems based on hard number- cryptosystem and obtain equivalent private keys theoretic problems: e.g., RSA [13], ElGamal [4] and …. (superincreasing sequence). The rest of this paper is organized • Public key cryptosystems based on subset sum or subset as follows. In the following section, we explain the subset sum product problems: e.g., Merkle-Hellman [9], Chor- problem and the basic Merkle-Hellman cryptosystem briefly.
Rivest [1], Morri-Kasahara [11], Naccache-Stern Then, in Section 3, we review the Shamir’s attack. Hwang et [12],… . al.’s knapsack cryptosystem will be present in Section 4 and Unlike hard number-theoretic problems, the knapsack the cryptanalysis of this system will be discussed in Section 5. problem has been proven to be NP-complete [10]. That is to say, there is no polynomial algorithm will be invented to solve II. THE SUBSET SUM PROBLEM AND THE BASIC MERKLE - HELLMAN CRYPTOSYSTEM the knapsack problem. Since its Merkle-Hellman proposal, knapsack public key The subset sum problem is stated as follows: given a set of cryptosystem had been widely studied, and many knapsack positive integers and positive integer . public key cryptosystems were developed. However, almost Whether there is a {� subset�, ��, . of . . , �the�} that sums to . That � is all knapsack cryptosystem were shown insecure in that they equivalent to determine whether�� there are � variables are vulnerable to some known attacks, such as low density such that attack [2], [6], Shamir’s attack [14], and Diophantine (�� , ��, . . . , ��) approximation attacks [17]. There is no question that knapsack � public key cryptosystems still warrant continuous researches, as a result of the NP-completeness nature, the faster speed, � = � �� �� , ��� {0, 1}, 1 ≤ � ≤ � and a desire to have a wide variety of available cryptosystems. ��� Nowadays, we reconsider knapsack public key cryptography if the set of positive integers is a also because Shor [15] showed that integer factorization and superincreasing�= sequence, {��,��,. . . , ��} discrete logarithm problems can be easily solved by using e.g.
� ��� �� > � �� , � ≥ 2 � = � ���� , ���{0,1} ��� ��� Then the knapsack problem is solvable in polynomial time. can be solved in polynomial time. This approach originates The basic Merkel-Hellman knapsack cryptosystem, use a with Shamir [14] although we follow the presentation of superincreasing sequence as a private key. This cryptosystem Lagarias [7]. is as follows: Such as Hwang et al.’s knapsack cryptosystem, we assume Key generation: The designer choose a superincreasing that no permutation is used. Hence equation (1) can be written sequence and two large positive integers as follows: and , �such = (�that�,� �, . . . , ��) � � �� = �. �� ��� � , . Let where . We have � �� � > ∑��� �� ���(�, �) = 1 � = � (��� �) 1 ≤ � < � He selects a permutation of and then transforms the easily solved knapsack� {1,2,...,�} into a trapdoor �� = ��� ��� � knapsack via the relation � This means that for , there exists some integers � such that 1 ≤ � ≤ � . (1) �� �� = �. ��(�) ��� � ��� − ��� = �� The public key is and the private key is and . Hence, � � � =. (� �, ��, . . . , ��) 0 ≤ � < � . (2) {(� �, ��, . . . , ��), �, �, �} Encryption: to encrypt the binary message 0 ≤ �/� − ��/�� = ��/��� Since the are superincreasing we have and so , we compute: ��� � � � = (��, ��, … , ��) � � < �/2 . � ��� 0 ≤ �/� − ��/�� < 1/��2 � � In particular, the right side of is � = � � � ��� ��� very small. Hence we can assume�/� − ��/�� <. 1/(� �2 ) And send it to the receiver. We now observe that to break�/� the ≈ basic ��/� Merkle-Hellman� Decryption: To recover plaintext from ciphertext , the knapsack it is sufficient to find any pair of positive receiver should do the following � � integers such that is a superincreasing(�′, �′) sequence 1) Compute (or similar enough �′�to a� ��� �′superincreasing sequence that one can solve the subset sum problem). We show that if is close enough to , then . ��/�� �� � = �� ��� � Subtracting�/� the case(�′, �′) = of (� � equation, ��) (2) from the -th 2) With his private key, solve a gives � = 1 � superincreasing subset sum problem(��, � �,. and . . , � find�), integers such that
( ��, ��, . . . , ��), ��� {0, 1} �� �� �� �� ���� − ���� − = − = � � � � � � � � � � � � � � � � and so, for , � = � ���� ��� � 2 ≤ � ≤ � ��� (3) Note that since hence . |���������| ���� � � � | � � � �| � ����� 3) The message bits� >are∑ ��� �� � = ∑��� ���� � � − � � = � < � = 2� < � Taking and then is very close to a superincreasing�′ = �� sequence.�′ = �� �′�� ��� �′ �� = ��(�) , �=1,2,…,� Since is public, It remains to compute the integer such III. SHAMIR ATTACK ON BASIC MERKLE -HELLMAN that equation�� (3) holds, given only the integers �� . KNAPSACK CRYPTOSYSTEM Another way to write equation (3) is ��, ��, . . . , ��
In 1982, Adi Shamir [14] shows that modular multiplication can’t hide the superincreasing sequence (private key) and �� �� � hence all the equation of the form � − � = ����� �� �� ����2
and one sees that the problem is precisely simultaneous . diophantine approximation. We can use lattice based reduction �� = {��, ����, ����, … , ��, ��,��, ��, ��} for solving simultaneous diophantine approximation. 2) Recombine all the elements of the original sequence Perfoming lattice basis reduction one obtains a guess for . which obtain sequences . The�� We now set and and computes �� � (�!��) � sequences (�! − 1) are �defined,. . . , � as follows: for �. This= �� is a superincreasing�′ = �� sequence.�′� � We ��� �′ then ��(� = 1, 2, … , �! − 1) compute2 ≤ � ≤ � for any challenge ciphertext that is decrypted�′� (��� �′) using the superincreasing sequence, and therefore� �� = {��,����, ����, … , ��, ��, ��, ��, ��} message is recovered. �� = {��,����, ����, … , ��, ��, ��, ��, ��} �� = {��, ����, ����, … , ��, ��,��, ��, ��}
IV. DESCRIPTION OF HWANG ET AL.’ S CRYPTOSYSTEM �� = {��, ����, ����, … , ��, ��,��, ��, ��} Hwang’s cryptosystem is based on the Merkle-Hellman �� = {��,����, ����, … , ��, ��, ��, ��, ��} cryptosystem. In the key generation stage, each user chooses a �� = {��,����, ����, … , ��, ��, ��, ��, ��} superincreasing sequence as secret ⋮ key. i.e. � = {��,�� , … , ����� } ��!�� = {��, ��,����, … , ����, ����, �� } 3) Suppose we can compute for . can ��� be written as �� 1 ≤ � ≤ �! − 1 � � � � > � � (� = 1, 2, … , 1360) � ��� and are secret modular multipliers such that � = � ��(� − �)! , 0 ≤ �� ≤ � � �′ ��� , and . each sequence has an own corresponding value called the ���� � factorial carry value . Using the ��� (�, �) = 1 � > ∑��� �� � × � = 1 ��� � Each user transfers superincreasing sequence factorial carry value, {� we�, � can��� , … efficiently . , ��, ��} obtain any into a pseudorandom sequence sequence. Let and we want determine the sequence � = {��,�� , … , ����� } as follows: . We can write� = 6 � � = {��, �� , … , ����� } � (4) So6 the = factorials 0 × (� − carry 1)!+⋯+1×3!+0×2!+0×1!+0 value of is: �� = �� .� ��� � , (1 ≤ � ≤ 1360) ��
Further, each user chooses a random 170× 256 binary matrix 4) With { the��, ���� knowledge, … . , ��, � �} of= {0, the 0, … original, 0, 1, 0, 0, 0} sequence H, a vector and a vector and the factorial � � = (�� to, � �satisfy, … , ���� the) following equation: {carry��, � ��� value, � ���, … , ��, ��, ��, �� ,of �� } , we can compute � �� = (ℎ��, ℎ��, … , ℎ���� ) sequence {0,0,0, as follows: . . , 0,1,0,0,0} �� �� �. � = �� ��� � Get by introducing . Here, the remaining elements�� in � the� = 0 sequence are ��� . ℎ�,� ⋯ ℎ�,��� �� ��� Get{���� , ���� by, … introducing , ��, ��, ��, ��,��} . Here, the remaining � ⋮ ⋱ ⋮ � . � ⋮ � = � ⋮ � ��� � ��� elements���� in the sequence are���� = 0 . ℎ���,� ⋯ ℎ���,��� � ℎ���� {����, … , ��, ��, ��, ��, ��} � � Get⋮ by introducing . Here, the remaining � � elements� in the sequence are� . = � ⋮ � ��� � � � = 0 ���� Get by introducing {��1., � � Here,, ��, � �} the remaining elements�� in the sequence are�� = . ��� Get by introducing { � . � Here,�} the remaining ��� � , � , � ℎ�� = 2 = � ℎ�,��� ��� � (� = 1, 2, … , 170) elements�� in the sequence are�� = 0 . ��� Get by introducing {��, �. �} Here, the remaining Let be a one-way hash function. elements�� in the sequence are�� = 0. The H(. public ) key is and the private key is Get by introducing {. ��} . (�, �) Therefore,� the sequence � is: � � � = 0 (�,They �, �, present � , �) a permutation combination algorithm and �� want this algorithm to ensure the security of the cryptosystem. . The permutation algorithm is as follows: {��, ����, ����, … , ��,��, ��, ��, ��} Encryption: The sender executes the following steps to
1) Define an original sequence generate the ciphertext of theA message . � �
1) Compute the digest of as �. � 3) Recombine each subset public key vector using 2) Compute� = ����� (�) � by means of the Permutation 3) Compute the factorial carry value � = � ��� 170! �Combination = {��, ��, … Algorithm. , ���� } B chooses each subset public of where � = {��, ��, … , ���� } key vector in the first 128 elements. Then, will obtain
�′ 1024 elements � . However
� ��� = {�� ��, �� �� is , … still , �� a����� superincreasing} � � ��� � = � × 169! + � × 168! + ⋯ + � × 0! sequence.�� �� �� ����� � = {�� ,�� , … , �� } 4) Divide B’s public key vector 4) Divide into . Each is into 8 subset public key vectors.� Each�� subset�� public����� key � = {� , � , … , � } a 1024-bit� ciphertext.� = {� �, . . . , ��} �� (� = 1, 2, … , �) vector has 170 elements.
5) Compute the recombine message , which is given as
the product of and ��� � . �� = {(���, ��� , … , ����� ), � �� � (� = 1, 2, … , �) (����� , ����� , … , ����� ), � ���� = �� × � ��� � ⋮ . ���� � = ∑��� (���� × ��,�) × � ��� � (������ , ������ , … , ������ )} ���� � ∑��� �� �,� 5) Recombine each subset public key vector using = (�� × � × � )× � ��� � by means of the Permutation ���� = ∑��� ���� × ��,� ��� � �Combination = {��, ��, … Algorithm. , ���� } chooses each subset public key vector in the first 128� elements. Then, will obtain So the receiver solves this superincreasing knapsack problem 1024 elements � . and then obtains the message . 6) is divided ��� = {�� into��, �� ��, … , �� ����� } . Each Obviously, there is no difference� between the cryptosystem � is a 1024-bit {�message.�,��,… , ��} above and the original Merkle-Hellman except the omission of the permutation in the key generation stage. � � (� = 1, 2, … , �) � V. ATTACKING ON THE CRYPTOSYSTEM �� = {��,�, … , ��,���� } 7) The corresponding ciphertext is given as the product of As mentioned in section IV, Hwang et al. suppose that and . �� superincreasing sequence is private � �� �� (� =1,2,…,�) key and produce public key �from = {�equation�,�� , … , (4): ����� }
���� . �� = � ���� × ��,� �� = ��.� ��� �, 1 ≤ � ≤ 1360 ��� Let . We have �� The ciphertext is . sends to � = � ��� � � through the insecure channel.� = {�� , . . . , ��} � (�, � ) � �� = ��. � ��� � , 1 ≤ � ≤ 1360 Decryption: After receiving and , executes the We can use Shamir’s (or Lagarias) method, as described in following steps to derive from � : �′ � section III, and find a pair of integers such that � � � (�, � ) is close to . With this pairs, we can( �′,now �′ compute) integers� /�′ 1) Compute the factorial carry value �/� of where � � ��� � = {� , � , … , � } � � �′ �′� = ��. � ��� � , 1 ≤ � ≤ 1360 which form a superincreasing sequence. This sequence can � � = �� × 169! + �� × 168! + ⋯ , ���� × 0 then be used in place of to secret key vector 2) Divide his secret key vector . into 8 subset public key vectors. � �� �� ����� � =On (� the�,� � other, … , � ���� hand,) we can eavesdrop pair from � = {� , � , … , � } � insecure channel and hence we can compute factorial(� , �) carry value of where �� = {(���, ��� , … , ����� ), � = {��, ��, … , ���� } �′ ���� ���� ���� (� , � ,… , � ), � (����� , ����� ,… , ����� ), � = �� × 169! + �� × 168! + ⋯ + ���� × 0! (����� , ����� ,… , ����� ), Then we divide recovered similar secret key vector ′ ⋮ . ′ ′ ′ into 8 subset public key vectors: (������ , ������ , … , ������ )} � = {� �, � �, … , � ���� }
(ICALP) , Lecture Notes in Computer Science, vol. 172, pp. 312-323, ′ ′ ′ Springer-Verlag, Berlin, 1984. ′ [8] K. Lenstra, H. W. Lenstra Jr., and L. Lovász, “Factoring Polynomials � = {(� �′ , � �, …′ , � ���′ ), with rational coefficients”, Muth. Ann., vol.261, pp. 515-534, 1982.
( � ��� , � �,… , � ��� ), [9] R. Merkle and M. E. Hellman, “Hiding information and signatures in trapdoor knapsack,” IEEE Trans. Inform. Theory , vol. IT-24, pp. 525– ′ ⋮ ′ ′ . 530, Sept 1978. (� ���� , � �,… , � ���� )} [10] R. Michael, and S. David, Computers and Intractability: A guide to the And recombine each subset public key vector using theory of NP-completeness . W. H. Freeman & Co., San Francisco, 1979. [11] M. Morii, M. Kasahara, “New public key cryptosystem using discrete by means of the Permutation logarithm over GF(p),” IEICE Transactions , vol. J71-D, pp. 448-453, �Combination = {��, ��, … Algorithm. , ���� } We choose each subset public key 1988 vector in the first 128 elements. Then, we will obtain 1024 [12] D. Naccache and J. Stern, “A new public-key cryptosystem,” Advances in Cryptology, euro crypt '97, Lecture Notes in computer Science , vol. elements . 1233, pp 27-36. Springer-Verlag, 1997. Divide �′� = into {�′� �,�′��, … , �′����� and} with computed pair [13] R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining ′ ′ we� can compute:� = {� �, . . . , ��} digital signatures and public key Cryptosystems,” Communications of the ACM , vol. 21, pp. 120–126, Feb. 1978. (� , � ) [14] A. Shamir, “A Polynomial-time Algorithm for Breaking the Basic ′ ′ Merkle-Hellman Cryptosystem,” Proceedings of the IEEE Symposium ���� = �� × � ��� � on Foundations of Computer Science, New York , pp. 145-152, 1982. ′ ′ [15] P.W. Shor, “Polynomial-time algorithms for prime factorization and ���� = ∑��� (��� × ��,�)� ��� � discrete logarithms on a quantum computer,” SIAM Journal of ′ ′ Computing , vol. 26, pp. 1484-1509, 1997. ���� = ∑��� (� �� × ��,�) ��� � [16] S. Vaudenay, “Cryptanalysis of the Chor-Rivest cryptosystem,” Note that ′ ′ ′ . Advances in Cryptology CRYPTO 98, Lecture Notes in computer Since � � is a superincreasing Science, vol. 1462, pp. 243-256, Springer- Verlag, Berlin, 1998. �� × � ��� � = � � [17] B. Wang and Y. Hu, “Diophantine approximation attack on a fast public sequence, {�′� we � can, �′� solve�, … , �′� this���� easy} knapsack problem for key cryptosystem,” ISPEC 2006 , Lecture Notes in computer Science, and therefore we can obtain the message vol.3903, pp. 25-32, Springer-Verlag, Berlin, 2006. . [18] W. Zhang, B. Wang and Y. Hu, “A New Knapsack Public-Key 1 ≤ � ≤ � Cryptosystem,” IEEE, Fifth International Conference on Information � = {��,��,… , ��} Assurance and Security , pp.53-56, 2009. VI. CONCLUSION We considered a new knapsack PKC cryptosystem. This system uses a combination permutation algorithm in the encryption phase to avoid the low density attack by keeping the density high. This system is vulnerable, since like Merkle- Hellman cryptosystem use a superincreasing sequence and attempt to hide this sequence with modular multiplication. But as Shamir showed, the modular multiplication can’t hide the superincreasing sequence. To avoid this attack we can choose another easy knapsack problem for example, like this presented in [18] or we don’t use modular multiplication for produce the public key.
REFERENCES [1] B. Chor and R.L. Rivest, “A knapsack-type public key cryptosystem based on arithmetic in finite fields”, IEEE Trans. Inform. Theory , vol. 34, pp. 901–909, September 1988. [2] M. J. Coster, B. A. LaMacchia, A. M. Odlyzko, and C. P. Schnorr, “An improved low-density subset sum algorithm, in Advances in Cryptology”, EUROCRYPT’91, Lecture Notes in Computer Science , vol. 547, pp. 54–67, 1991. [3] W. Diffiee, M. Hellman, “New Directions in Cryptography ”, IEEE Transaction on Information Theory, IT-22 (6), pp. 644-654, 1976. [4] T. ElGamal, “A public-key cryptosystem and a signature scheme based on discrete logarithms”, IEEE Transactions on Information Theory , vol. IT-31, pp. 469–472, July 1985. [5] M. S. Hwang, C. C. Lee, and S. F. Tzeng, “A New Knapsack Public- Key Cryptosystem Based on Permutation Combination Algorithm”, International Journal of Applied Mathematics and Computer Sciences vol. 5; 1, pp. 33-38, Winter 2009. [6] J. C. Lagarias and A. M. Odlyzko, “Solving low-density subset sum problems”, J. Ass. Comput. Much. vol. 32, no. 1, pp. 229-246. Jan. 1985. [7] J. C. Lagarias, “Performance Analysis of Shamir’s Attack on the Basic Merkle-Hellman Knapsack Public Key Cryptosystem”, Proc. 11th Intern. Colloquium on Automata, Languages and Programming