
Cryptanalysis of a New Knapsack Type Public-Key Cryptosystem

Rooh allah Rastaghi
Electrical Engineering Department, Aeronautical University of Science & Technology (Shahid Sattari), Tehran, Iran
[email protected]

Abstract — In [5], a new knapsack type public key cryptosystem is introduced. In this cryptosystem, Hwang et al. used a new algorithm called the Permutation Combination Algorithm. By exploiting this algorithm, they attempt to increase the density of the knapsack in order to avoid the low-density attack [2], [6]. We show that this cryptosystem is insecure: it is based on the basic Merkle-Hellman [9] knapsack cryptosystem, and because of the superincreasing structure we can use Shamir's attack on the basic Merkle-Hellman knapsack [7], [14] to break it.

Keywords — Public key cryptosystem, Knapsack problem, Shamir attack, Cryptanalysis.

I. INTRODUCTION

In 1976, Diffie and Hellman [3] introduced the public key cryptosystem (PKC). Most public key cryptosystems fall into one of the two categories below [1]:
• Public key cryptosystems based on hard number-theoretic problems: e.g., RSA [13], ElGamal [4] and ….
• Public key cryptosystems based on subset sum or subset product problems: e.g., Merkle-Hellman [9], Chor-Rivest [1], Morii-Kasahara [11], Naccache-Stern [12], ….

Unlike hard number-theoretic problems, the knapsack problem has been proven to be NP-complete [10]. That is to say, no polynomial-time algorithm is expected to be found for the knapsack problem. Since the Merkle-Hellman proposal, knapsack public key cryptosystems have been widely studied, and many knapsack public key cryptosystems were developed. However, almost all knapsack cryptosystems were shown to be insecure in that they are vulnerable to some known attacks, such as the low-density attack [2], [6], Shamir's attack [14], and Diophantine approximation attacks [17]. There is no question that knapsack public key cryptosystems still warrant continuous research, as a result of their NP-completeness nature, their faster speed, and a desire to have a wide variety of available cryptosystems. Nowadays, we reconsider knapsack public key cryptography also because Shor [15] showed that the integer factorization and discrete logarithm problems can be easily solved by using quantum computers. Therefore, traditional public key cryptosystems based on these two problems cannot be used to provide privacy protection any longer, and public key cryptosystems secure in quantum computing environments need to be developed. The knapsack problem is NP-complete. Hence, we can design cryptosystems based on the knapsack problem in order to resist quantum attacks. On the other hand, although the underlying problem is NP-complete, some of the knapsack cryptosystems such as Merkle-Hellman [14], Chor-Rivest [16], … were broken due to the special structure of the private key and the mathematical way in which the public key (public knapsack) was built from the private key.

In this paper, we analyze the knapsack PKC based on the Permutation Combination Algorithm presented by Hwang et al. and show that, because its key generation stage has the identical structure to the basic Merkle-Hellman knapsack cryptosystem, we can use Shamir's attack on this cryptosystem and obtain equivalent private keys (a superincreasing sequence). The rest of this paper is organized as follows. In the following section, we explain the subset sum problem and the basic Merkle-Hellman cryptosystem briefly. Then, in Section 3, we review Shamir's attack. Hwang et al.'s knapsack cryptosystem will be presented in Section 4 and the cryptanalysis of this system will be discussed in Section 5.

II. THE SUBSET SUM PROBLEM AND THE BASIC MERKLE-HELLMAN CRYPTOSYSTEM

The subset sum problem is stated as follows: given a set of positive integers $\{a_1, a_2, \dots, a_n\}$ and a positive integer $s$, decide whether there is a subset of the $a_i$ that sums to $s$. That is equivalent to determining whether there are variables $(x_1, x_2, \dots, x_n)$ such that

$$s = \sum_{i=1}^{n} a_i x_i, \quad x_i \in \{0, 1\}, \quad 1 \le i \le n.$$

If the set of positive integers $B = \{b_1, b_2, \dots, b_n\}$ is a superincreasing sequence, i.e.

$$b_i > \sum_{j=1}^{i-1} b_j, \quad i \ge 2,$$

then the knapsack problem

$$c = \sum_{i=1}^{n} x_i b_i, \quad x_i \in \{0, 1\}$$

is solvable in polynomial time.

The basic Merkle-Hellman knapsack cryptosystem uses a superincreasing sequence as the private key. This cryptosystem is as follows:

Key generation: The designer chooses a superincreasing sequence $B = (b_1, b_2, \dots, b_n)$ and two large positive integers $W$ and $P$ such that $P > \sum_{i=1}^{n} b_i$ and $\gcd(W, P) = 1$. He selects a permutation $\pi$ of $\{1, 2, \dots, n\}$ and then transforms the easily solved knapsack $B$ into a trapdoor knapsack $A$ via the relation

$$a_i = W \cdot b_{\pi(i)} \bmod P, \quad 1 \le i \le n. \qquad (1)$$

The public key is $A = (a_1, a_2, \dots, a_n)$ and the private key is $\{(b_1, b_2, \dots, b_n), W, P, \pi\}$.

Encryption: To encrypt the binary message $M = (m_1, m_2, \dots, m_n)$, we compute

$$c = \sum_{i=1}^{n} a_i m_i$$

and send it to the receiver.

Decryption: To recover the plaintext $M$ from the ciphertext $c$, the receiver should do the following:
1) Compute $d = c W^{-1} \bmod P$.
2) With his private key $(b_1, b_2, \dots, b_n)$, solve a superincreasing subset sum problem and find integers $(r_1, r_2, \dots, r_n)$, $r_i \in \{0, 1\}$, such that $d = \sum_{i=1}^{n} b_i r_i \bmod P$. Note that since $P > \sum_{i=1}^{n} b_i$, hence $d = \sum_{i=1}^{n} b_i r_i$.
3) The message bits are $m_i = r_{\pi(i)}$, $i = 1, 2, \dots, n$.

III. SHAMIR ATTACK ON BASIC MERKLE-HELLMAN KNAPSACK CRYPTOSYSTEM

In 1982, Adi Shamir [14] showed that modular multiplication cannot hide the superincreasing sequence (private key), and hence the basic Merkle-Hellman knapsack can be solved in polynomial time. This approach originates with Shamir [14], although we follow the presentation of Lagarias [7].

As in Hwang et al.'s knapsack cryptosystem, we assume that no permutation is used. Hence equation (1) can be written as follows:

$$a_i = W \cdot b_i \bmod P.$$

Let $U = W^{-1} \pmod P$, where $1 \le U < P$. We have $b_i = U a_i \bmod P$. This means that for $1 \le i \le n$ there exist integers $k_i$ such that

$$a_i U - k_i P = b_i, \quad 0 \le k_i < a_i. \qquad (2)$$

Hence $0 \le U/P - k_i/a_i = b_i/(a_i P)$. Since the $b_i$ are superincreasing we have $b_i < P/2^{n-i}$, and so

$$0 \le U/P - k_i/a_i < 1/(a_i 2^{n-i}).$$

In particular, the right side of $U/P - k_1/a_1 < 1/(a_1 2^{n-1})$ is very small. Hence we can assume $U/P \approx k_1/a_1$.

We now observe that to break the basic Merkle-Hellman knapsack it is sufficient to find any pair of positive integers $(U', P')$ such that $U' a_i \bmod P'$ is a superincreasing sequence (or similar enough to a superincreasing sequence that one can solve the subset sum problem). We show that if $k_1/a_1$ is close enough to $U/P$, then $(U', P') = (k_1, a_1)$ is such a pair. Subtracting the case $i = 1$ of equation (2) from the $i$-th case gives

$$\frac{k_1}{a_1} - \frac{k_i}{a_i} = \frac{b_i}{a_i P} - \frac{b_1}{a_1 P} = \frac{a_1 b_i - a_i b_1}{a_1 a_i P},$$

and so, for $2 \le i \le n$,

$$|a_i k_1 - a_1 k_i| = \frac{|a_1 b_i - a_i b_1|}{P} < 2 b_i < \frac{P}{2^{n-i-1}}. \qquad (3)$$

Note that the middle inequality holds since $a_1, a_i < P$ and $b_1 < b_i$ for $i \ge 2$. Taking $P' = a_1$ and $U' = k_1$, the sequence $U' a_i \bmod P'$ is then very close to a superincreasing sequence.

Since $a_1$ is public, it remains to compute the integer $k_1$ such that equation (3) holds, given only the integers $a_1, a_2, \dots, a_n$. Another way to write equation (3) is

$$\left| \frac{a_i}{a_1} - \frac{k_i}{k_1} \right| < \frac{P}{a_1 k_1 2^{n-i-1}},$$

and one sees that the problem is precisely simultaneous Diophantine approximation. We can use lattice basis reduction for solving simultaneous Diophantine approximation. Performing lattice basis reduction, one obtains a guess for $k_1$. We now set $U' = k_1$ and $P' = a_1$ and compute $U' a_i \bmod P'$ for $2 \le i \le n$. This is a superincreasing sequence. We then compute $U' c \pmod{P'}$ for any challenge ciphertext $c$, which is decrypted using the superincreasing sequence, and therefore the message is recovered.

IV. DESCRIPTION OF HWANG ET AL.'S CRYPTOSYSTEM

Hwang's cryptosystem is based on the Merkle-Hellman cryptosystem. In the key generation stage, each user chooses a superincreasing sequence as secret key, i.e. $B = \{b_1, b_2, \dots, b_{1360}\}$ with

$$b_i > \sum_{j=1}^{i-1} b_j \quad (i = 1, 2, \dots, 1360),$$

and $W$ and $W'$ are secret modular multipliers such that $\gcd(P, W) = 1$, $P > \sum_{i=1}^{1360} b_i$ and $W \times W' = 1 \bmod P$. Each user transfers the superincreasing sequence $B = \{b_1, b_2, \dots, b_{1360}\}$ into a pseudorandom sequence $A = \{a_1, a_2, \dots, a_{1360}\}$ as follows:

$$a_i = b_i \cdot W \bmod P, \quad (1 \le i \le 1360). \qquad (4)$$

Further, each user chooses a random $170 \times 256$ binary matrix $H$, a vector $R = (r_1, r_2, \dots, r_{256})$ and a vector $HR = (h_{r1}, h_{r2}, \dots, h_{r170})$ to satisfy the following equation:

The permutation combination algorithm starts from the original sequence $D_0 = \{E_n, E_{n-1}, E_{n-2}, \dots, E_5, E_4, E_3, E_2, E_1\}$.
2) Recombine all the elements of the original sequence $D_0$, which yields $(n! - 1)$ sequences $D_1, \dots, D_{n!-1}$. The sequences $D_i$ $(i = 1, 2, \dots, n! - 1)$ are defined as follows:

$D_0 = \{E_n, E_{n-1}, E_{n-2}, \dots, E_5, E_4, E_3, E_2, E_1\}$
$D_1 = \{E_n, E_{n-1}, E_{n-2}, \dots, E_5, E_4, E_3, E_1, E_2\}$
$D_2 = \{E_n, E_{n-1}, E_{n-2}, \dots, E_5, E_4, E_2, E_3, E_1\}$
$D_3 = \{E_n, E_{n-1}, E_{n-2}, \dots, E_5, E_4, E_2, E_1, E_3\}$
$D_4 = \{E_n, E_{n-1}, E_{n-2}, \dots, E_5, E_4, E_1, E_3, E_2\}$
$D_5 = \{E_n, E_{n-1}, E_{n-2}, \dots, E_5, E_4, E_1, E_2, E_3\}$
⋮
$D_{n!-1} = \{E_1, E_2, E_3, E_4, \dots, E_{n-2}, E_{n-1}, E_n\}$

3) Suppose we want to compute $D_m$ for $1 \le m \le n! - 1$. $m$ can be written as

$$m = \sum_{i=1}^{n} F_i (n - i)!, \quad 0 \le F_i \le n - i.$$

Each sequence has its own corresponding value, called the factorial carry value $\{F_n, F_{n-1}, \dots, F_2, F_1\}$. Using the factorial carry value, we can efficiently obtain any sequence. Let $m = 6$ and suppose we want to determine the sequence $D_6$. We can write $6 = 0 \times (n - 1)! + \dots + 1 \times 3! + 0 \times 2! + 0 \times 1! + 0$. So the factorial carry value of $D_6$ is $\{F_n, F_{n-1}, \dots, F_2, F_1\} = \{0, 0, \dots, 0, 1, 0, 0, 0\}$.
4) With the knowledge of the original sequence $\{E_n, E_{n-1}, E_{n-2}, \dots, E_5, E_4, E_3, E_2, E_1\}$ and the factorial carry value $\{0, 0, \dots, 0, 1, 0, 0, 0\}$ of $D_6$, we can compute the sequence $D_6$ as follows:
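Added example, not from the paper: a toy Python instance of the permutation-free Merkle-Hellman key generation shared by Hwang et al.'s equation (4), which checks the bound of equation (3) numerically and then decrypts ciphertexts using only the public knapsack and the equivalent pair $(U', P') = (k_1, a_1)$ from Section III. As a labelled shortcut, $k_1$ is derived from the private key here instead of by the lattice reduction the paper describes; all parameters are constructed toy values.

```python
# Toy basic Merkle-Hellman knapsack with no permutation (the form shared by
# eq. (4) of Hwang et al.), and the Section III observation that the pair
# (U', P') = (k_1, a_1) decrypts without the private key. Constructed values.

B = [2, 5, 11, 23, 47]            # private superincreasing sequence b_i
P = 97                            # modulus, P > sum(B) = 88
W = 35                            # secret multiplier, gcd(W, P) = 1
A = [(W * b) % P for b in B]      # public knapsack: [70, 78, 94, 29, 93]

def is_superincreasing(seq):
    """Every term exceeds the sum of all earlier terms."""
    return all(seq[i] > sum(seq[:i]) for i in range(1, len(seq)))

def solve_superincreasing(seq, target):
    """Greedy subset-sum solve (zero terms are skipped); None if no solution."""
    bits = [0] * len(seq)
    for i in range(len(seq) - 1, -1, -1):
        if 0 < seq[i] <= target:
            bits[i], target = 1, target - seq[i]
    return bits if target == 0 else None

def encrypt(bits):
    return sum(a * m for a, m in zip(A, bits))

def decrypt(c):
    """Legitimate decryption: d = c * W^-1 mod P, then solve over B."""
    return solve_superincreasing(B, (c * pow(W, -1, P)) % P)

def k_values():
    """The integers k_i = floor(a_i * U / P) of eq. (2): a_i*U - k_i*P = b_i.
    Derived from the private key here only to illustrate the bound (3); the
    attack obtains k_1 by lattice reduction over the public a_i alone."""
    U = pow(W, -1, P)
    return [(a * U) // P for a in A]          # -> [44, 49, 59, 18, 58]

def decrypt_with_equivalent_key(c, u_prime, p_prime):
    """Decrypt using only the public A and (U', P') = (k_1, a_1).
    U'*a_i mod P' is 0 for i = 1 and superincreasing for i >= 2, so the
    greedy solve yields m_2..m_n and m_1 follows from the exact integer c."""
    b_prime = [(u_prime * a) % p_prime for a in A]   # -> [0, 2, 6, 16, 32]
    if not is_superincreasing(b_prime[1:]):
        return None
    bits = solve_superincreasing(b_prime, (u_prime * c) % p_prime)
    if bits is None:
        return None
    rest = sum(a * m for a, m in zip(A[1:], bits[1:]))
    if (c - rest) % A[0] or (c - rest) // A[0] not in (0, 1):
        return None
    bits[0] = (c - rest) // A[0]
    return bits
```

With these values every one of the 32 possible messages is recovered by `decrypt_with_equivalent_key(c, 44, 70)`, while $W$, $P$ and $B$ are never used in that path.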