
Cryptanalysis of a New Knapsack Type Public-Key Cryptosystem

Roohollah Rastaghi
Department of Electrical Engineering, Aeronautical University of Science & Technology, Tehran, Iran
[email protected]

Abstract — Recently, Hwang et al. introduced a knapsack-type public-key cryptosystem. They proposed a new algorithm, called the permutation combination algorithm, and use it to increase the density of the knapsack in order to avoid the low-density attack. We show that this cryptosystem is not secure: it is built on the basic Merkle-Hellman knapsack cryptosystem, and because of the superincreasing structure of the private key, Shamir's attack on the basic Merkle-Hellman knapsack breaks it.

Keywords — Public-key cryptosystem, Knapsack problem, Shamir's attack, Cryptanalysis.

I. INTRODUCTION

In 1976, Diffie and Hellman [3] introduced the notion of public-key cryptography. Since then, most public-key cryptosystems (PKC) fall into one of the two categories below [1]:

• Public-key cryptosystems based on hard number-theoretic problems, e.g., RSA [13], ElGamal [4], etc.
• Public-key cryptosystems based on subset sum or subset product problems, e.g., Merkle-Hellman [9], Chor-Rivest [1], Morii-Kasahara [11], Naccache-Stern [12], etc.

Unlike the number-theoretic problems, the general knapsack problem has been proven to be NP-complete [10]; that is, unless P = NP, no polynomial-time algorithm solves it in the worst case. Since the Merkle-Hellman proposal, knapsack PKCs have been widely studied and many knapsack-based PKCs have been developed. Knapsack PKCs still warrant research because of the NP-completeness of the underlying problem, their speed, and the desire for a wide variety of available cryptosystems. Nowadays, researchers also reconsider knapsack public-key cryptography because Shor [15] showed that the integer factorization and discrete logarithm problems can be solved efficiently on a quantum computer. Therefore, traditional PKC schemes based on these two problems cannot be used to provide privacy protection any longer, and PKC schemes secure in a quantum computing environment need to be developed.

Although the underlying problem is NP-complete, almost all knapsack cryptosystems have been shown to be insecure, being vulnerable to known attacks such as the low-density attack [2,6], Shamir's attack [14] and the diophantine approximation attack [17]. NP-completeness is a worst-case notion; the weakness lies in the special structure of the private key and in the mathematical method by which the public key (the public knapsack) is built from the private key.

In this paper, we analyze the security of the Hwang et al. cryptosystem [5]. We show that, due to the similarity of their key generation algorithm with that of the basic Merkle-Hellman cryptosystem, Shamir's attack can be used to obtain equivalent private keys.

The rest of this paper is organized as follows. In the next section, we briefly explain the subset sum problem and the basic Merkle-Hellman cryptosystem. In Section 3, we review Shamir's attack. Hwang et al.'s knapsack cryptosystem is presented in Section 4 and its cryptanalysis is given in Section 5.

II. THE SUBSET SUM PROBLEM AND THE BASIC MERKLE-HELLMAN CRYPTOSYSTEM

The subset sum problem is stated as follows: given a set of positive integers $(a_1, \ldots, a_n)$ and a positive integer $s$, decide whether there is a subset of the $a_i$ that sums to $s$. Equivalently, decide whether there are variables $(x_1, \ldots, x_n)$ such that

$$s = \sum_{i=1}^{n} a_i x_i, \qquad x_i \in \{0,1\},\ 1 \le i \le n.$$

If the set of positive integers $(b_1, \ldots, b_n)$ is a superincreasing sequence, i.e.

$$b_i > \sum_{j=1}^{i-1} b_j, \qquad i \ge 2,$$

then the knapsack problem is solvable in polynomial time: scanning from $b_n$ down to $b_1$ and taking every element that does not exceed the remaining target yields the unique solution.

The basic Merkle-Hellman knapsack cryptosystem uses a superincreasing sequence as the private key. The cryptosystem is as follows.

Key generation. The designer chooses a superincreasing sequence $(b_1, \ldots, b_n)$ and two large positive integers $w$ and $p$ such that

$$p > \sum_{i=1}^{n} b_i, \qquad \gcd(w, p) = 1.$$

He also selects a permutation $\pi$ of $\{1, 2, \ldots, n\}$ and transforms the easily solved knapsack $B$ into the trapdoor knapsack $(a_1, \ldots, a_n)$ via the relation

$$a_i = w \cdot b_{\pi(i)} \bmod p. \tag{1}$$

The public key is $(a_1, \ldots, a_n)$ and the private key is $\{(b_1, b_2, \ldots, b_n), w, p, \pi\}$.

Encryption. To encrypt the message $m = (m_1, \ldots, m_n)$, $m_i \in \{0,1\}$, the sender computes

$$c = \sum_{i=1}^{n} a_i m_i$$

and sends it to the receiver.

Decryption. To recover the plaintext $m$ from the ciphertext $c$, the receiver performs the following steps.

1) Compute $d = c \, w^{-1} \bmod p$.
2) With the private key $(b_1, \ldots, b_n)$, solve the superincreasing subset sum problem and find integers $(r_1, \ldots, r_n)$, $r_i \in \{0,1\}$, such that $d = \sum_{i=1}^{n} b_i r_i \bmod p$.
3) The message bits are $m_i = r_{\pi(i)}$, $i = 1, 2, \ldots, n$.

This works because $d \equiv \sum_{i} m_i b_{\pi(i)} \pmod p$ and that sum is smaller than $p$, so no modular reduction takes place and the superincreasing solution is unique.

III. SHAMIR'S ATTACK ON THE BASIC MERKLE-HELLMAN KNAPSACK CRYPTOSYSTEM

In 1982, Adi Shamir [14] showed that modular multiplication cannot perfectly hide the superincreasing sequence (the private key), and hence that every equation of the form

$$c = \sum_{i=1}^{n} x_i a_i, \qquad x_i \in \{0,1\},$$

where $(a_1, \ldots, a_n)$ is a Merkle-Hellman public key, can be solved in polynomial time. The approach originates with Shamir [14], although we follow the presentation of Lagarias [7].

As in Hwang et al.'s knapsack cryptosystem [5], we assume that no permutation is used. Hence equation (1) can be written as

$$a_i = w \cdot b_i \bmod p.$$

Let $U = w^{-1} \bmod p$, where $1 \le U < p$. We have $b_i = U a_i \bmod p$. This means that for $1 \le i \le n$ there exist integers $k_i$ such that

$$a_i U - k_i p = b_i$$

and $0 \le k_i < a_i$. Hence

$$0 \le \frac{U}{p} - \frac{k_i}{a_i} = \frac{b_i}{a_i p}. \tag{2}$$

Since the $b_i$ are superincreasing and $p > \sum_i b_i$, we have $b_i < p / 2^{n-i}$, and so

$$0 \le \frac{U}{p} - \frac{k_i}{a_i} < \frac{1}{a_i 2^{n-i}}.$$

In particular, the right-hand side of $U/p - k_1/a_1 < 1/(a_1 2^{n-1})$ is very small. Hence we can assume $U/p \approx k_1/a_1$.

We now observe that to break the basic Merkle-Hellman knapsack it is sufficient to find any pair of positive integers $(U', p')$ such that $U' a_i \bmod p'$ is a superincreasing sequence whose sum is less than $p'$ (or similar enough to a superincreasing sequence that one can solve the subset sum problem); the private key itself is not needed. We show that if $k_1/a_1$ is close enough to $U/p$, then $(U', p') = (k_1, a_1)$ is such a pair. Subtracting the case $i = 1$ of equation (2) from the $i$-th case gives

$$\frac{k_1}{a_1} - \frac{k_i}{a_i} = \frac{b_i}{a_i p} - \frac{b_1}{a_1 p} = \frac{a_1 b_i - a_i b_1}{a_1 a_i p},$$

and so, for $2 \le i \le n$,

$$|a_i k_1 - a_1 k_i| = \frac{|a_1 b_i - a_i b_1|}{p} < \frac{a_1 b_i}{p} + \frac{a_i b_1}{p} < b_i + b_1 < 2 b_i < \frac{p}{2^{n-i-1}}. \tag{3}$$

Note that $a_1, a_i < p$ gives the third inequality, $b_1 < b_i$ gives the fourth, and the last one follows from $b_i < p/2^{n-i}$.

Taking $p' = a_1$ and $U' = k_1$, the sequence $U' a_i \bmod p'$ is therefore very close to a superincreasing sequence. Since $a_1$ is public, it remains to compute the integer $k_1$ such that equation (3) holds, given only the integers $a_1, \ldots, a_n$. Another way to write equation (3) is

$$\left| \frac{a_i}{a_1} - \frac{k_i}{k_1} \right| < \frac{p}{a_1 k_1 2^{n-i-1}},$$

and one sees that the problem is precisely one of simultaneous diophantine approximation: find a multiplier $k_1$ such that all the rationals $k_1 a_i / a_1$ are simultaneously close to integers $k_i$. Lattice basis reduction solves such problems, and performing it yields a guess for $k_1$. We then set $U' = k_1$, $p' = a_1$ and compute $U' a_i \bmod p'$ for $2 \le i \le n$ (for $i = 1$ the value is $a_1 k_1 \bmod a_1 = 0$, so $m_1$ is read off afterwards from $c - \sum_{i \ge 2} m_i a_i \in \{0, a_1\}$). This sequence is (close to) superincreasing. For any challenge ciphertext $c$ we compute $U' c \bmod p'$, decrypt it using the superincreasing sequence, and so recover the message.

IV. DESCRIPTION OF HWANG ET AL.'S CRYPTOSYSTEM

Hwang's cryptosystem is based on the Merkle-Hellman cryptosystem. In the key generation stage, each user chooses a superincreasing sequence $B = \{b_1, \ldots, b_{1360}\}$ as the secret key, i.e.

$$b_i > \sum_{j=1}^{i-1} b_j \qquad (i = 1, 2, \ldots, 1360).$$

$W$ and $W'$ are secret modular multipliers such that

$$\gcd(P, W) = 1, \qquad P > \sum_{i=1}^{1360} b_i, \qquad W \times W' = 1 \bmod P.$$

Each user transforms the superincreasing sequence $B = \{b_1, \ldots, b_{1360}\}$ into a pseudorandom sequence $A = \{a_1, \ldots, a_{1360}\}$ as follows:

$$a_i = b_i \cdot W \bmod P \qquad (1 \le i \le 1360). \tag{4}$$

Further, each user chooses a random $170 \times 256$ binary matrix $H$, a vector $R = (r_1, \ldots, r_{256})$ and a vector $HR = (hr_1, \ldots, hr_{170})$ satisfying

$$H \cdot R = HR \bmod n,$$

that is,

$$\begin{pmatrix} h_{1,1} & \cdots & h_{1,256} \\ \vdots & \ddots & \vdots \\ h_{170,1} & \cdots & h_{170,256} \end{pmatrix} \begin{pmatrix} r_1 \\ \vdots \\ r_{256} \end{pmatrix} = \begin{pmatrix} hr_1 \\ \vdots \\ hr_{170} \end{pmatrix} \bmod n,$$

with

$$hr_i = 2^{i-1} = \sum_{j=1}^{256} h_{i,j} r_j \bmod n \qquad (i = 1, 2, \ldots, 170).$$

The description of the permutation combination algorithm survives only partially on this page; the text resumes mid-sentence:

… i.e. $D_{n!-1} = \{E_1, E_2, E_3, E_4, \ldots, E_{n-2}, E_{n-1}, E_n\}$.

3) Suppose we want to compute $D_m$ for $1 \le m \le n! - 1$. $m$ can be written as

$$m = \sum_{i=1}^{n} F_i (n-i)!, \qquad 0 \le F_i \le n - i,$$

and each sequence has its own corresponding value, called the factorial carry value $\{F_n, F_{n-1}, \ldots, F_2, F_1\}$. Using the factorial carry value, we can efficiently obtain any sequence. Let $m = 6$ and suppose we want to determine the sequence $D_6$. We can write

$$6 = 0 \times (n-1)! + \cdots + 1 \times 3! + 0 \times 2! + 0 \times 1! + 0.$$

So the factorial carry value of $D_6$ is $\{F_n, F_{n-1}, \ldots, F_2, F_1\} = \{0, 0, \ldots, 0, 1, 0, 0, 0\}$.

4) With the knowledge of the original sequence $\{E_n, E_{n-1}, E_{n-2}, \ldots, E_5, E_4, E_3, E_2, E_1\}$ and the factorial carry value $\{0, 0, 0, \ldots, 0, 1, 0, 0, 0\}$ of $D_6$, we can compute the sequence $D_6$ as follows (each carry selects, by zero-based position, one element among those not yet used):

Get $E_n$ by introducing $F_n = 0$. Here, the remaining elements in the sequence are $\{E_{n-1}, E_{n-2}, \ldots, E_5, E_4, E_3, E_2, E_1\}$.
Get $E_{n-1}$ by introducing $F_{n-1} = 0$. Here, the remaining elements in the sequence are $\{E_{n-2}, \ldots, E_5, E_4, E_3, E_2, E_1\}$.
⋮
Get $E_5$ by introducing $F_5 = 0$. Here, the remaining elements in the sequence are $\{E_4, E_3, E_2, E_1\}$.
Get $E_3$ by introducing $F_4 = 1$. Here, the remaining elements in the sequence are $\{E_4, E_2, E_1\}$.
Get $E_4$ by introducing $F_3 = 0$. Here, the remaining
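The following is an added example (not code from the paper or from Hwang et al.) covering Sections II and III: a toy Merkle-Hellman instance without permutation, the integers $k_i$ with the integer forms of inequalities (2) and (3), and the "equivalent trapdoor" observation of Section III. The private key, modulus and multiplier are constructed here for illustration and are far too small to be secure. With $n = 4$ the candidate $(k_1, a_1)$ of Section III is not yet superincreasing (the bound $1/(a_1 2^{n-1})$ is too loose at this size), so the lattice step is replaced by an exhaustive search for any pair $(U', p')$ satisfying the sufficiency condition; this search is only feasible for toy sizes and stands in for the polynomial-time diophantine-approximation step.

```python
"""Toy Merkle-Hellman instance and the facts behind Shamir's attack.
Added example with a constructed toy key; not the paper's own code."""
from math import gcd

# Constructed toy private key (no permutation, as assumed in Section III).
B_SECRET = [2, 3, 6, 13]   # superincreasing: each term > sum of the earlier ones
P_SECRET = 31              # p > 2 + 3 + 6 + 13 = 24
W_SECRET = 7               # gcd(7, 31) = 1


def is_superincreasing(seq):
    """Strictly superincreasing (implies every term is positive)."""
    total = 0
    for x in seq:
        if x <= total:
            return False
        total += x
    return True


def keygen(b, w, p):
    """Public knapsack a_i = w * b_i mod p (equation (1) without permutation)."""
    assert is_superincreasing(b) and p > sum(b) and gcd(w, p) == 1
    return [(w * bi) % p for bi in b]


def encrypt(a, bits):
    return sum(ai for ai, m in zip(a, bits) if m)


def solve_superincreasing(s, target):
    """Greedy subset sum on a superincreasing sequence; None if unsolvable."""
    bits = [0] * len(s)
    for i in range(len(s) - 1, -1, -1):
        if s[i] <= target:
            bits[i] = 1
            target -= s[i]
    return bits if target == 0 else None


def decrypt(b, w, p, c):
    """Legitimate receiver: d = c * w^-1 mod p, then greedy on b."""
    return solve_superincreasing(b, (c * pow(w, -1, p)) % p)


def shamir_relations(a, b, w, p):
    """U = w^-1 mod p and the k_i with a_i*U - k_i*p = b_i; then check the
    integer forms of (2): 0 <= k_i < a_i and b_i * 2^(n-i) < p,
    and of (3): |a_i k_1 - a_1 k_i| < 2 b_i for i >= 2."""
    n = len(a)
    U = pow(w, -1, p)
    k = [(ai * U - bi) // p for ai, bi in zip(a, b)]
    assert all(ai * U - ki * p == bi for ai, ki, bi in zip(a, k, b))
    eq2 = all(0 <= k[i] < a[i] and b[i] * 2 ** (n - 1 - i) < p for i in range(n))
    eq3 = all(abs(a[i] * k[0] - a[0] * k[i]) < 2 * b[i] for i in range(1, n))
    return U, k, eq2 and eq3


def candidate_from_k1(a, k1):
    """Section III candidate (U', p') = (k_1, a_1): s_i = k_1 * a_i mod a_1.
    s_1 is always 0; for large n the rest is close to superincreasing."""
    return [(k1 * ai) % a[0] for ai in a]


def find_equivalent_key(a, p_max):
    """Exhaustive stand-in for the lattice step: any (U', p') with p' > max(a)
    such that s_i = U'*a_i mod p' is superincreasing and sum(s) < p'.
    The true (U, p) always qualifies, so the search succeeds if p <= p_max."""
    for p2 in range(max(a) + 1, p_max + 1):
        for U2 in range(1, p2):
            s = [(U2 * ai) % p2 for ai in a]
            if sum(s) < p2 and is_superincreasing(s):
                return U2, p2
    return None


def decrypt_with_equivalent(a, U2, p2, c):
    """Attacker's decryption. U'*c mod p' equals sum(m_i * s_i) exactly because
    sum(s) < p' rules out wrap-around, so the greedy solution is the plaintext."""
    s = [(U2 * ai) % p2 for ai in a]
    return solve_superincreasing(s, (U2 * c) % p2)


if __name__ == "__main__":
    a = keygen(B_SECRET, W_SECRET, P_SECRET)
    U, k, ok = shamir_relations(a, B_SECRET, W_SECRET, P_SECRET)
    print("public key", a, "U =", U, "k =", k, "(2) and (3) hold:", ok)
    print("(k_1, a_1) candidate sequence:", candidate_from_k1(a, k[0]))
    key = find_equivalent_key(a, 2 * max(a))
    print("equivalent key (U', p') =", key)
    for m in ([1, 0, 1, 1], [0, 1, 1, 0]):
        c = encrypt(a, m)
        print(m, "->", c, "->", decrypt_with_equivalent(a, key[0], key[1], c))
```

The point a practitioner should take from `find_equivalent_key` is that the attacker never needs $(w, p)$: any modulus and multiplier that turn the public knapsack into a small superincreasing sequence decrypt every ciphertext, which is exactly what makes the extra key material of Hwang et al. irrelevant once $a_i = b_i W \bmod P$ is exposed.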
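The following is an added example (not code from the paper or from Hwang et al.) of the factorial-carry step of Section IV. It follows the worked $m = 6$ walk-through: $F_n$ is consumed first and each $F_i$ is a zero-based position among the elements not yet taken, so $F_i$ ranges over $0 \ldots i-1$ with weight $(i-1)!$; the displayed formula on the page writes the weights as $(n-i)!$, which does not match that walk-through, and this code follows the walk-through. The base sequence $\{E_5, \ldots, E_1\}$ and the element names are assumptions for the demonstration.

```python
"""Permutation combination step (factorial carry value -> sequence D_m).
Added example following the page's m = 6 walk-through; names are assumed."""
from math import factorial


def factorial_carry(m, n):
    """Return [F_n, F_{n-1}, ..., F_1] with m = sum_i F_i * (i-1)!, 0 <= F_i <= i-1."""
    if not 0 <= m < factorial(n):
        raise ValueError("rank out of range")
    carries = []
    for i in range(n, 0, -1):          # F_n has weight (n-1)!, ..., F_1 has weight 0!
        weight = factorial(i - 1)
        carries.append(m // weight)
        m %= weight
    return carries


def permutation_from_carry(base, carries):
    """Carry F_i picks position F_i among the elements not yet taken
    (the walk-through's "get E_j by introducing F_i")."""
    remaining = list(base)
    return [remaining.pop(f) for f in carries]


def sequence_D(base, m):
    """D_m for the base sequence {E_n, ..., E_1} given as a Python list."""
    return permutation_from_carry(base, factorial_carry(m, len(base)))


def rank_of(base, perm):
    """Inverse map: recover m from a permutation, to check the bijection."""
    remaining = list(base)
    m = 0
    for idx, e in enumerate(perm):
        pos = remaining.index(e)
        m += pos * factorial(len(base) - 1 - idx)
        remaining.pop(pos)
    return m


if __name__ == "__main__":
    base = ["E5", "E4", "E3", "E2", "E1"]   # assumed {E_n, ..., E_1} with n = 5
    print(factorial_carry(6, 5))           # carries F_5 .. F_1 for m = 6
    print(sequence_D(base, 6))             # D_6 as in the walk-through
    print(sequence_D(base, factorial(5) - 1))  # D_{n!-1} = {E_1, ..., E_n}
```

Note that $D_{n!-1}$ comes out as $\{E_1, \ldots, E_n\}$, matching the page, and that `rank_of` inverts `sequence_D` for every $m$, so the carry value indexes the $n!$ orderings bijectively.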