Knapsack cryptosystems built on NP-hard instances

Author: Laurent Evain (laurent.evain@univ-angers.fr)

Abstract: We construct three public key knapsack cryptosystems. Standard knapsack cryptosystems hide easy instances of the knapsack problem and have been broken. The systems considered in the article face this problem: they hide a random (possibly hard) instance of the knapsack problem. We provide both complexity results (size of the key, time needed to encypher/decypher, ...) and experimental results. Security results are given for the second cryptosystem (the fastest one and the one with the shortest key). Probabilistic polynomial reductions show that finding the private key is as difficult as factorizing a product of two primes. We also consider heuristic attacks. First, the density of the cryptosystem can be chosen arbitrarily close to one, discarding low density attacks. Finally, we consider explicit heuristic attacks based on the LLL algorithm and we prove that with respect to these attacks, the public key is as secure as a random key.

Introduction

The principle

It is natural to build cryptosystems relying on NP-complete problems since NP-complete problems are presumably difficult to solve. There are several versions of knapsack problems, all of them being NP-complete. Several cryptosystems relying on knapsack problems have been introduced in the eighties [9]. We are interested in the bounded version of the knapsack problem. Let $s, M, v, v_1, \dots, v_s \in \mathbb{N}$. The problem is to determine whether there are integers $\epsilon_i$, $0 \le \epsilon_i < M$, such that $\sum_{i=1}^{s} \epsilon_i v_i = v$. In case $M = 2$, the problem is to fill a knapsack of volume $v$ with objects of volume $v_i$. Knapsack cryptosystems are built on knapsack problems. Alice constructs integers $v_i$ (using some private key $q$) such that the cyphering map $C$ is injective: $C : \{0, \dots, M-1\}^s \to \mathbb{N}$, $(\epsilon_i) \mapsto \sum \epsilon_i v_i$.
The sequence $v_i$ is the public key. When Bob has a plaintext message $m \in \{0, \dots, M-1\}^s$ for Alice, he sends the ciphertext $C(m)$. Alice decodes using her private key.

Strength and weakness of knapsack cryptosystems

The main advantage of knapsack cryptosystems is the speed. These systems attain very high encryption and decryption rates. The knapsack cryptosystem proposed by Merkle-Hellman [7] seemed to be 100 times faster than RSA for the same level of security at the time it was introduced [9]. The main weakness of knapsack cryptosystems is security. All standard knapsack cryptosystems have been broken: the Merkle-Hellman cryptosystem by Shamir and Adleman [11], the iterated Merkle-Hellman by Brickell [3], the Chor-Rivest cryptosystem by Vaudenay in 1997 [12] ... Two main reasons explain the fragility of knapsack cryptosystems. First, most of these cryptosystems start with an easy instance. The knapsack problem is NP-complete and no fast algorithm to solve it is known in general. However, the knapsack problem is easy to solve for some instances $(v_i)_{i \le s}$: if $(v_i)$ is a superincreasing sequence in the sense that $v_i > \sum_{j<i} v_j$ ...

... $> 0$, it is possible to factorise $n = pq$ in polynomial time with a probability of success at least $1 - \eta$ (theorem 22). In fact, our result is a little more precise. The private key $q$ is an integer with suitable properties. One could use a "pseudo-key" $q'$, i.e. an integer with the same properties as $q$, to cryptanalyse the system. Our result says that finding a pseudo-key $q'$ with the help of some extra information is as difficult as factorising a product of primes (i.e. there is a polynomial probabilistic reduction as above). Moreover, the system is more secure if $q$ is the only integer with the required properties.
We give evidence in section 4.1 that one can construct with high probability a cryptosystem with $q$ as the only pseudo-key. The above results express that it is difficult to find a pseudo-key. But the cryptosystem could still be attacked by heuristic attacks. Since most heuristic attacks rely on the LLL algorithm and its improvements, we consider the standard attack relying on the LLL algorithm and the embedding method. NP-completeness and many experiments lead to the conclusion that the knapsack problem is not solvable for a random instance $x_0 = (v_1, \dots, v_s)$ in high dimension $s$. The public key is not a random instance $x_0$ but a slight deformation $x_1$ of $x_0$. A weakness appears if the heuristic attacks perform better when the random $x_0$ is replaced by $x_1$. Our result (theorem 29) says in substance that, if $x_0$ is very general, replacing $x_0$ by a suitable $x_1$ is not dangerous: both the number of steps to perform the algorithm and the probability of success are unchanged. In other terms, with respect to LLL attacks, the system is as secure if the message is cyphered with $x_0$ or with a suitable $x_1$.

Acknowledgments

Nice surveys on knapsack cryptosystems made the subject accessible to me. I am in particular grateful to the authors of [8], [9] and [2].

1 First system

1.1 Description of the system

We denote by $M_{p \times q}(A)$ the set of $p \times q$ matrices with coefficients in the set $A$.

• List of parameters: $M, s \in \mathbb{N}$, $\epsilon \in M_{s \times s}(\mathbb{N})$, $p_1, \dots, p_s, q_1, \dots, q_s \in \mathbb{N}$, $x_0 \in M_{1 \times s}(\mathbb{N})$.
• Message to be transmitted: a column vector $m \in \{0, 1, \dots, M-1\}^s = M_{s \times 1}(\{0, \dots, M-1\})$.
• Private key:
  • An invertible matrix $\epsilon \in M_{s \times s}(\mathbb{N})$ with rows $\epsilon_1, \dots, \epsilon_s$. We let $\|\epsilon_i\|_1 = \sum_{j=1}^{s} \epsilon_{ij}$ be the norm of the $i$th row.
  • An $s$-tuple of positive rational numbers $\lambda_i = p_i / q_i$, $i = 1, \dots, s$, such that $(M-1) \lambda_i \|\epsilon_i\|_1 < 1$.
  • Recursive construction: choose a random row vector $x_0 \in \mathbb{N}^s$. Define the row vectors $x_i$, $i = 1, \dots, s$, by $x_i = q_i x_{i-1} + p_i \epsilon_i$.
• Public key: $x_s$.
• Cyphered message: $x_s m \in \mathbb{N}$.

Notation 4. We denote by $C$ the cyphering function $\{0, 1, \dots, M-1\}^s \to \mathbb{N}$, $m \mapsto N_s = x_s . m$.

Proposition 5. The function $C$ is injective.

It suffices to explain how to decypher to prove the proposition. We define $N_i$, $0 \le i \le s$, and $O_i$, $1 \le i \le s$, by decreasing induction:
• $N_s = C(m) = x_s m$
• $N_{i-1} = [N_i / q_i]$, where $[\,.\,]$ denotes the integer part
• $O_i = (N_i - q_i N_{i-1}) / p_i$.
• Let $N \in M_{(s+1) \times 1}(\mathbb{N})$ be the column vector with entries $N_0, \dots, N_s$.
• Let $O \in M_{s \times 1}(\mathbb{Q})$ be the column vector with entries $O_1, \dots, O_s$.
• Let $X \in M_{(s+1) \times s}(\mathbb{N})$ be the matrix with rows $x_0, \dots, x_s$.

Proposition 6. The message $m$ verifies $Xm = N$, $\epsilon m = O$. In particular, the coefficients of $O$ are integers.

Proof. We prove that $x_i m = N_i$ by decreasing induction on $i$. The case $i = s$ is true by definition. If $x_i m = N_i$, then $(x_{i-1} + \lambda_i \epsilon_i) m = N_i / q_i$. Since $x_{i-1} m \in \mathbb{N}$ and $0 < \lambda_i \epsilon_i m \le \lambda_i \|\epsilon_i\|_1 (M-1) < 1$ by hypothesis, we obtain $x_{i-1} m = [N_i / q_i] = N_{i-1}$, as expected. Thus $\epsilon_i m = (x_i - q_i x_{i-1}) m / p_i = (N_i - q_i N_{i-1}) / p_i = O_i$.

Corollary 7. To decypher the message,
• compute $N_{s-1}, \dots, N_1$ with the formula $N_{i-1} = [N_i / q_i]$;
• compute $O_i = (N_i - q_i N_{i-1}) / p_i$;
• solve the system $\epsilon m = O$.

1.2 Analysis of the system

The underlying one way function

We make a quick analysis of the system. The couple $(q_s, \epsilon_s)$ in the private key satisfies $x_s = q_s x_{s-1} + p_s \epsilon_s$ with $q_s > p_s \|\epsilon_s\|_1 (M-1)$. Componentwise, $p_s \epsilon_{si}$ is the rest of the division of $x_{si}$ by $q_s$. These rests are small.
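The first system of section 1.1, as an added Python example that is not part of the paper: key generation with the matrix $\epsilon(s, x) = M_\sigma L U N M_\tau$ of proposition 8 below and the parameters of section 1.3 ($M = 2$, $p_i = 1$, $q_i \in [p+1, 2p]$, $x_0 \in [0, 2^s]$), encryption, and the decryption of corollary 7, where $\epsilon m = O$ is solved by undoing $M_\sigma$, $L$, $U$, $N$ and $M_\tau$ in turn instead of calling a general linear solver. Indices are 0-based in the code; the function names and the parameter sizes in demo() are this example's choices.

```python
import random


def matmul(A, B):
    """Exact integer matrix product; dimensions are small, so clarity beats speed."""
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]


def perm_matrix(perm):
    """Permutation matrix M_sigma of the paper: entry (i, sigma(i)) is 1, all others 0."""
    s = len(perm)
    return [[1 if j == perm[i] else 0 for j in range(s)] for i in range(s)]


def build_epsilon(s, x, sigma, tau, rng):
    """eps(s, x) = M_sigma L U N M_tau of proposition 8; every entry lies in 0..4x."""
    # U upper triangular with u_ij in {1..x} for i <= j; a non-zero diagonal keeps U invertible
    U = [[rng.randint(1, x) if i <= j else 0 for j in range(s)] for i in range(s)]
    L = [[1 if (i == j or j == 0) else 0 for j in range(s)] for i in range(s)]      # L_ii = L_i1 = 1
    N = [[1 if (i == j or i == s - 1) else 0 for j in range(s)] for i in range(s)]  # N_ii = N_si = 1
    eps = matmul(matmul(matmul(matmul(perm_matrix(sigma), L), U), N), perm_matrix(tau))
    return eps, U


def keygen(s, p, rng):
    """Section 1.3 parameters: M = 2, p_i = 1, q_i uniform in [p+1, 2p], x_0 uniform in [0, 2^s]."""
    x = p // (4 * s)
    assert x >= 1, "need p >= 4s so that eps(s, [p/4s]) is defined"
    sigma, tau = list(range(s)), list(range(s))
    rng.shuffle(sigma)
    rng.shuffle(tau)
    eps, U = build_epsilon(s, x, sigma, tau, rng)
    q = [rng.randint(p + 1, 2 * p) for _ in range(s)]
    x_i = [rng.randint(0, 2 ** s) for _ in range(s)]          # x_0
    for i in range(s):                                         # x_i = q_i x_{i-1} + p_i eps_i
        # hypothesis (M-1) lambda_i ||eps_i||_1 < 1 reads ||eps_i||_1 < q_i here; 4sx <= p < q_i
        assert sum(eps[i]) < q[i]
        x_i = [q[i] * a + b for a, b in zip(x_i, eps[i])]
    return x_i, {"U": U, "sigma": sigma, "tau": tau, "q": q, "eps": eps}


def encrypt(public, m):
    """Cyphered message N_s = x_s . m for a 0/1 message vector m."""
    assert len(m) == len(public) and all(b in (0, 1) for b in m)
    return sum(a * b for a, b in zip(public, m))


def decrypt(private, N_s):
    """Corollary 7: recover O_1..O_s, then solve eps m = O layer by layer."""
    q, U, sigma, tau = private["q"], private["U"], private["sigma"], private["tau"]
    s = len(q)
    O = [0] * s
    N_i = N_s
    for i in reversed(range(s)):        # N_{i-1} = [N_i / q_i], O_i = N_i - q_i N_{i-1} (p_i = 1)
        N_i, O[i] = divmod(N_i, q[i])
    y = [0] * s
    for i in range(s):                  # M_sigma y = O  <=>  y[sigma(i)] = O[i]
        y[sigma[i]] = O[i]
    z = [y[0]] + [y[i] - y[0] for i in range(1, s)]            # L^{-1}: rows i > 0 had row 0 added
    t = [0] * s
    for i in reversed(range(s)):                               # U^{-1} by back substitution
        num = z[i] - sum(U[i][j] * t[j] for j in range(i + 1, s))
        t[i], rem = divmod(num, U[i][i])
        assert rem == 0, "non-integer solution: not a valid ciphertext"
    w = t[:-1] + [t[-1] - sum(t[:-1])]                         # N^{-1}: last row was the sum of all rows
    m = [0] * s
    for i in range(s):                  # M_tau m = w  <=>  w[i] = m[tau(i)]
        m[tau[i]] = w[i]
    return m


def demo(s=8, p=10_000, seed=2024):
    """Round-trips random messages; returns True when every one decrypts correctly."""
    rng = random.Random(seed)
    public, private = keygen(s, p, rng)
    assert max(max(row) for row in private["eps"]) <= 4 * (p // (4 * s))   # bound of proposition 8
    for _ in range(20):
        m = [rng.randint(0, 1) for _ in range(s)]
        if decrypt(private, encrypt(public, m)) != m:
            return False
    return True


if __name__ == "__main__":
    print("round trip ok:", demo())
```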
The rest of the division of $x_{si}$ by $q_s$ is at most $q_s$, and the sum of the rests $p_s \epsilon_{si}$ for $1 \le i \le s$ is at most $s q_s$ in general. In the present situation, the sum $\sum_i p_s \epsilon_{si} = p_s \|\epsilon_s\|_1$ of all the rests is at most $q_s / (M-1)$. In other words, an eavesdropper who tries to break the system looks for an integer $q_s$ such that the rests of the divisions of the $x_{si}$ by $q_s$ are unusually small: the sum of the $s$ rests is at most $q_s / (M-1)$. There is hopefully a one way function here. It is easy to construct a couple of integers $(x, q)$ such that the rest of the division of $x$ by $q$ is small. But once $x$ is given, it is not easy to find back an integer $q$ such that the rest of the division of $x$ by $q$ is small. For instance, to obtain a rest which is at most $\frac{1}{10^n}$ of the divisor $q$, choose any $y, q \in \mathbb{N}$, $0 \le \epsilon \le q / 10^n$, and put $x = qy + \epsilon$. As a function of $q$, the number of operations to compute $x$ is $O(\log_2(q))$. If $x$ is given and Eve knows that there is a $q$ satisfying $x = qy + \epsilon$, $10^n \epsilon < q$, trying successively all possible divisors $1, \dots, q$ requires $O(q)$ operations. Thus, in the absence of a quick algorithm to find $q$, there is a gain of an exponential factor here. In our choice of parameters, the numbers $q_i$ will be large to make the most of this advantage.

Construction of the matrix $\epsilon$

The matrix $\epsilon$ of the private key should be quickly invertible, for instance triangular, to facilitate decryption (see corollary 7). But a triangular matrix $\epsilon$, or any matrix with a lot of null coefficients, would be a bad choice. Indeed, if $\epsilon$ is sparse, there are two components $c, c'$ of $x_s = q_s x_{s-1} + p_s \epsilon_s = (\dots, c, \dots, c', \dots)$ whose gcd is a multiple of $q_s$, or $q_s$ itself. After several attempts, the eavesdropper could find $q_s$. The same problem occurs if the components of $\epsilon_s$ are too small or well localised by a law of repartition. If $x_s = (\dots, c, \dots, c', \dots)$, there is a natural attempt to find $q_s$: test for the gcd of $(c - \epsilon', c' - \epsilon'')$ for several values of $\epsilon', \epsilon''$. Summing up, the matrix $\epsilon$ should satisfy the two following conditions:
• its coefficients are difficult to localize,
• solving $\epsilon m = O$ is fast.

If the coefficients of the matrix $\epsilon$ are chosen randomly, it takes time to solve $\epsilon m = O$. If we choose a lower triangular matrix $L$, an upper triangular matrix $U$ with random uniform coefficients, and choose $\epsilon = LU$, then it is easy to solve the system but the coefficients of $\epsilon$ are not random uniform and this non-uniformity could be used to cryptanalyse the system as explained above. Thus there is a compromise to find between the amount of time required to compute and invert $\epsilon$ and the uniformity of the coefficients of $\epsilon$. Our approach to find the compromise is to consider an upper triangular matrix $U$ with random coefficients and to deform it using elementary operations (proposition 8).

Let $L, N \in M_{s \times s}(\mathbb{N})$ be the lower triangular matrices defined by $L_{ii} = N_{ii} = 1$, $L_{i,1} = 1$, $N_{s,i} = 1$ and all other coefficients equal to zero. If $\sigma$ is a permutation of $\{1, \dots, s\}$, we denote by $M_\sigma$ the permutation matrix defined by $M_{i,\sigma(i)} = 1$ and $M_{ij} = 0$ otherwise.

Proposition 8. Let $U \in M_{s \times s}(\mathbb{N})$ be an upper invertible triangular matrix with coefficients $u_{ij}$, $i \le j$, chosen randomly in $\{1, \dots, x\}$ and $\sigma, \tau$ be permutations of $\{1, \dots, s\}$. Then every entry $e$ of the matrix $\epsilon(s, x) = M_\sigma L U N M_\tau$ verifies $0 \le e \le 4x$. In particular, the norms of the lines $\epsilon_i$ satisfy $\|\epsilon_i\|_1 \le 4sx$.

Proof. The action of the permutations $\sigma, \tau$ permutes the coefficients of $LUN$, so one can suppose $\sigma = \tau = \mathrm{Identity}$. An entry in $U$ is in $\{0, \dots, x\}$. The left multiplication with $L$ replaces a line $L_i$, $i > 1$, with $L_i + L_1$. The right multiplication with $N$ replaces a column $C_i$, $i < s$, with $C_i + C_s$.
Thus an entry of $LUN$ is in $\{0, \dots, 4x\}$.

1.3 Suggested choice for the parameters

In this section, suggestions for our list of parameters $M, s \in \mathbb{N}$, $\epsilon \in M_{s \times s}(\mathbb{N})$, $p_1, \dots, p_s, q_1, \dots, q_s \in \mathbb{N}$, $x_0 \in M_{1 \times s}(\mathbb{N})$ are given. We fix two integers $s, p$ as base parameters. The other parameters are constants or functions of $s$ and $p$. The level of security depends on the size of $s$ and $p$. To give an idea of the size of the numbers involved, $s > 300$ and $p > 10^6$ are sensible choices.

Suggested choice for the parameters as constants or functions of $s, p$:
• $M = 2$
• $\epsilon = \epsilon(s, [p / 4s])$ is the random matrix considered in proposition 8.
• $p_i = 1$, $q_i$ chosen randomly in $[p + 1, 2p]$ (uniform law)
• $x_0$ has entries chosen randomly in $[0, 2^s]$ (uniform law)

Comments on the choices. The choice $M = 2$ is to make the system as simple as possible. Moreover, Shamir has shown that compact knapsack cryptosystems (i.e. those with messages in $\{0, \dots, M-1\}^s$ and small $M$) tend to be more secure [10]. The reason for the choice of the matrix $\epsilon$ has been given before proposition 8 (compromise between randomness and invertibility). Note that the required condition $(M-1) \|\epsilon_i\| \lambda_i < 1$ is satisfied by proposition 8. As to the choice of $\lambda_i = p_i / q_i$, we have explained that $q_i$ is large to make the most of the one way function. Looking at the recursive definition of $x_i$, it appears that the $x_i$'s are large when $p_i$ is large. Thus we take $p_i = 1$ to limit the size of the key. The entries of the initial vector $x_0$ are chosen randomly in $[0, 2^s]$ so that the density of the knapsack cryptosystem associated to $x_0$ is expected close to one. If the density is lower, there could be a low density attack on $x_0$, and maybe an attack on $x_s$ as $x_s$ is a modification of $x_0$. On the other hand, it is not clear that a higher density is dangerous.
It could even be a better choice. Experiments are needed to decide. Thus we propose a variant of higher density.

Variant for the choice of parameters
• $x_0$ has entries chosen randomly in $\{0, \dots, s^5\}$.
• All other parameters are chosen as before.

1.4 Complexity results

The complexity of the cryptosystem is described in the following theorem, using the first variant for the choice of parameters (i.e. $x_0$ has entries in $\{0, \dots, 2^s\}$). We denote by $size(A)$ the number of bits needed to store an element $A$ and by $time(A)$ the number of elementary operations needed to compute $A$. Recall that, for all $\epsilon > 0$, computing a multiplication of two integers $p$ and $q$ takes $time(pq) = O((size(p) + size(q))^{1+\epsilon})$ elementary operations [5]. Moreover, the complexity of a division is the same as the complexity of a multiplication.

Theorem 9. Suppose that $s = o(p)$. Then:
• Size of the public key $x_s$: $O(s^2 \log_2(p))$
• Size of the private key $\epsilon, q_i, \sigma, \tau$: $O(s^2 \log_2(p))$
• Encryption time: $O(s^2 \log_2(p))$
• Decryption time: $O((s^2 \log_2(p))^{1+\epsilon})$
• Creation time of the public key: $O(s^3 \log_2(p)^{1+\epsilon})$
• Density of the knapsack associated with $x_s$: $1 / \log_2(p)$.

Proof.
• $\|\epsilon_i\|_\infty \le p$
• $size(\|\epsilon_i\|_\infty) = O(\log_2(p))$
• $size(\epsilon_i) \le s \cdot size(\|\epsilon_i\|_\infty) = O(s \log_2(p))$
• $size(\epsilon) = \sum_i size(\epsilon_i) = O(s^2 \log_2(p))$
• $size(q_1, \dots, q_s) = O(s \log_2(p))$
• $size(\sigma) = size(\tau) = time(\sigma) = time(\tau) = O(s \log_2(s))$
• $size(\text{private key}) = size(\epsilon, q_1, \dots, q_s, \sigma, \tau) = O(s^2 \log_2(p))$
• $\|x_i\|_\infty = \|q_i x_{i-1} + \epsilon_i\|_\infty \le |q_i| \, \|x_{i-1}\|_\infty + \|\epsilon_i\|_\infty \le 2p \|x_{i-1}\|_\infty + p$, thus $\|x_i\|_\infty \le 3^i p^i \|x_0\|_\infty$.
• $size(\|x_i\|_\infty) = O(i \log_2(p) + size(\|x_0\|_\infty)) = O(i \log_2(p) + s)$
• $size(x_i) \le s \cdot size(\|x_i\|_\infty) = O(is \log_2(p) + s^2)$
• $size(\text{public key}) = size(x_s) = O(s^2 \log_2(p))$
• encryption time $= size(\text{public key}) = O(s^2 \log_2(p))$
• $time(x_i) = O(size(q_i)^{1+\epsilon} + size(x_{i-1})^{1+\epsilon} + size(\epsilon_i)) = O(size(x_{i-1})^{1+\epsilon}) = O((is \log_2(p) + s^2)^{1+\epsilon}) \le O((s^2 \log_2(p))^{1+\epsilon})$
• $time(\text{public key}) = \sum time(x_i) = O((s^3 \log_2(p))^{1+\epsilon})$
• $time(N_i = [N_{i+1} / q_i]) = O(size(q_i)^{1+\epsilon} + size(N_{i+1})^{1+\epsilon}) = O(\log_2(p)^{1+\epsilon} + size(x_{i+1} m)^{1+\epsilon}) \le O(\log_2(p)^{1+\epsilon} + size(s \|x_{i+1}\|_\infty)^{1+\epsilon}) = O((i \log_2(p) + s)^{1+\epsilon}) \le O((s \log_2(p))^{1+\epsilon})$
• $time(N_0, \dots, N_s) = O((\log_2(p) s^2)^{1+\epsilon})$.
• $time(O_i = N_i - q_i N_{i-1}) = O(time(N_i))$
• $time(N_0, \dots, N_s, O_1, \dots, O_s) = time(N_0, \dots, N_s) = O((\log_2(p) s^2)^{1+\epsilon})$

To solve the linear system $\epsilon m = O$ with $\epsilon = M_\sigma L U N M_\tau$, we first suppose that $\epsilon = U$ (i.e. $M_\sigma = L = N = M_\tau = Id$). The entries $e$ in $\epsilon$ and $O$ satisfy $size(e) = O(\log_2(p))$. Since $\epsilon = U$ is triangular, solving the system takes a time $\tau = O((s^2 \log_2(p))^{1+\epsilon})$. We have $time(\text{decryption}) = time(N_1, \dots, N_s, O_1, \dots, O_s, \text{solving}(\epsilon . m = O))$, thus the decryption takes $O((s^2 \log_2(p))^{1+\epsilon})$ operations. Since inverting $M_\sigma, L, N, M_\tau$ requires $O(s^2)$ operations, replacing $\epsilon = U$ by $\epsilon = M_\sigma L U N M_\tau$ does not change the complexity.

Remark 10. These theoretical results are consistent with the experimental results of the introduction.

2 Second system

2.1 Description of the system

Since the size of the key is a bit large, we propose a second system to reduce the size of the key. The implicit one way function is the same as before.
We only change the private key and take a superincreasing sequence instead of an invertible matrix.

• List of parameters: $M, s \in \mathbb{N}$, $\epsilon \in \mathbb{N}^s$, $p_1, q_1 \in \mathbb{N}$, $x_0 \in M_{1 \times s}(\mathbb{N})$, a permutation $\sigma$ of $\{1, \dots, s\}$.
• Message to be transmitted: a column vector $m \in \{0, 1, \dots, M-1\}^s$.
• Private key:
  • A permutation $\sigma$ of $\{1, \dots, s\}$.
  • A row matrix $\epsilon \in M_{1 \times s}(\mathbb{N})$ such that the sequence $\epsilon_{\sigma(1)}, \dots, \epsilon_{\sigma(s)}$ is a superincreasing sequence.
  • A positive rational number $\lambda_1 = p_1 / q_1$ such that $(M-1) \lambda_1 \|\epsilon\|_1 < 1$.
  • Construction: choose a random row vector $x_0 \in \mathbb{N}^s$. Define the row vector $x_1$ by $x_1 = q_1 x_0 + p_1 \epsilon$.
• Public key: $x_1$.
• Cyphered message: $x_1 m \in \mathbb{N}$.

Notation 11. We denote by $C$ the cyphering function $\{0, 1, \dots, M-1\}^s \to \mathbb{N}$, $m \mapsto C(m) = x_1 . m$.

Proposition 12. The function $C$ is injective.

It suffices to explain how to decypher to prove the proposition. We define $N_1$, $N_0$ and $O$ as follows:
• $N_1 = C(m) = x_1 m$
• $N_0 = [N_1 / q_1]$
• $O = (N_1 - q_1 N_0) / p_1$.
• Let $N$ be the column vector with entries $N_0, N_1$.
• Let $X$ be the matrix with rows $x_0, x_1$.

The same proof as for proposition 6 shows:

Proposition 13. The initial message $m$ verifies $Xm = N$, $\epsilon m = O$.

Now, since $\epsilon_{\sigma(i)}$ is a superincreasing sequence, the map $m \mapsto \epsilon m$ is injective and the formula to decypher $m$ expresses $m_{\sigma(i)}$ by decreasing induction on $i \le s$.

Proposition 14.
• $m_{\sigma(s)} = 1$ if $O \ge \epsilon_{\sigma(s)}$ and $m_{\sigma(s)} = 0$ otherwise;
• $m_{\sigma(i)} = 1$ if $O - \sum_{j > i} \epsilon_{\sigma(j)} m_{\sigma(j)} \ge \epsilon_{\sigma(i)}$ and $0$ otherwise.

2.2 Suggestion for the choice of the parameters

The parameters $s$ and $p$ depend on the required level of security and the other parameters are constants or functions of $s$ and $p$.

Variant 1. Choose:
• $\epsilon_{\sigma(1)} \in [0, p[$, $\epsilon_{\sigma(2)} \in [p, 2p[$, ..., $\epsilon_{\sigma(s)} \in [(2^{s-1} - 1) p, 2^{s-1} p[$ (uniform law)
• $x_0$ in $[0, p]$ (uniform law)
• $p_1 = 1$, $M = 2$
• $q_1 \in [2^s p, 2^{s+1} p]$ (uniform law)

Variant 2. Choose:
• $x_0$ in $[0, 2^s]$ (uniform law)
• the other parameters as above.

2.3 Complexity results

As before, we suppose that the parameters $s$ and $p$ satisfy $s = o(p)$. For the parameters chosen as in variant 1, we have:

Theorem 15.
• Size of the public key $x_1$: $O(s^2 + s \log_2(p))$
• Size of the private key: $O(s^2 + s \log_2(p))$
• Encryption time: $O(s^2 + s \log_2(p))$
• Decryption time: $O(s^2 + \log_2(p)^{1+\epsilon})$
• Time to create the public key: $O(s^2 + \log_2(p)^{1+\epsilon})$
• Density of the knapsack associated with $x_s$: $\dfrac{1}{1 + \frac{2}{s} + \frac{2 \log_2(p)}{s}}$.

For the parameters chosen as in variant 2, we have:

Theorem 16.
• Size of the public key $x_1$: $O(s^2 \log_2(p))$
• Size of the private key: $O(s^2 + s \log_2(p))$
• Encryption time: $O(s^2 + s \log_2(p))$
• Decryption time: $O(s^2 + \log_2(p)^{1+\epsilon})$
• Time needed to create the public key: $O(s^2 + s \log_2(p))$
• Density of the knapsack associated with $x_s$: $\dfrac{1}{2 + \frac{2}{s} + \frac{\log_2(p)}{s}}$.

For brevity, we include the proof only for variant 1.

Proof (for variant 1).
• $\|x_1\|_\infty = \|q_1 x_0 + \epsilon\|_\infty \le 2^{s+1} p \|x_0\|_\infty + \|\epsilon\|_\infty \le 2^{s+1} p^2 + 2^{s-1} p < 2^{s+2} p^2$
• $size(\text{public key}) = size(x_1) \le s \cdot size(\|x_1\|_\infty) = O(s^2 + s \log_2(p))$.
• $size(\epsilon) \le s \log_2(p) + 1 + 2 + \dots + (s-1) = O(s^2 + s \log_2(p))$.
• $size(q_1) = O(s + \log_2(p))$
• $size(x_0) = O(\log_2(p))$
• $size(\sigma) = O(s \log_2(s))$
• $size(\text{private key}) = size(x_0, q_1, \epsilon, \sigma) = O(s^2 + s \log_2(p))$.
• encryption time $= size(\text{public key}) = O(s^2 + s \log_2(p))$
• $size(N_1) \le \log_2(s \|x_1\|_\infty) = O(s + \log_2(p))$.
• $time(N_0) \le O(size(N_1)^{1+\epsilon} + size(q_1)^{1+\epsilon}) = O(s^{1+\epsilon} + \log_2(p)^{1+\epsilon})$
• $N_0 \le N_1 / q_1 \le \dfrac{2^{s+2} s p^2}{2^s p} = 4sp$
• $size(N_0) = O(\log_2(s) + \log_2(p))$.
• $time(O) = O(size(N_1) + size(q_1)^{1+\epsilon} + size(N_0)^{1+\epsilon}) = O(s^{1+\epsilon} + \log_2(p)^{1+\epsilon})$ since $s \le p$.
• $O - \sum_{j > i} \epsilon_{\sigma(j)} m_{\sigma(j)} \le \sum_{j \le i} \epsilon_{\sigma(j)} \le p + 2p + \dots + 2^{i-1} p < 2^i p$.
• $time(m_{\sigma(i)} \text{ in proposition 14}) = size(O - \sum_{j > i} \epsilon_{\sigma(j)} m_{\sigma(j)}) = O(i + \log_2(p))$
• $time(m) = \sum_{i=1}^{s} time(m_{\sigma(i)}) = O(s \log_2(p) + 1 + 2 + \dots + s) = O(s \log_2(p) + s^2)$.
• decryption time $= time(N_0, O, m) = O(s^2 + \log_2(p)^{1+\epsilon})$.
• $time(\text{public key}) = time(q_1 x_0 + \epsilon) = O(time(\epsilon) + time(q_1) + time(x_0) + size(q_1)^{1+\epsilon} + size(x_0)^{1+\epsilon} + size(\epsilon)) = O(size(q_1)^{1+\epsilon} + size(x_0)^{1+\epsilon} + size(\epsilon))$ since $time(\epsilon) = O(size(\epsilon))$ and similarly for $q_1$ and $x_0$. Thus $time(\text{public key}) = O(s^2 + \log_2(p)^{1+\epsilon})$.
• $density(\text{knapsack}) = \dfrac{s}{\log_2(\|x_1\|_\infty)} > \dfrac{s}{s + 2 + 2 \log_2(p)} = \dfrac{1}{1 + \frac{2}{s} + \frac{2 \log_2(p)}{s}}$.

3 Third system

Two cryptosystems have been constructed so far. In the second system, the key is shorter than in the first one, but the system could be less secure because of the superincreasing sequence. This section presents a hybrid system, a compromise between the two previous systems. We still use a superincreasing sequence to shorten the key as in the second system, but the matrix $\epsilon$ has several lines as in the first system to hide more carefully the superincreasing sequence. Hopefully, this is a good compromise between security and length of the key.

• List of parameters: $M, s \in \mathbb{N}$, $\epsilon \in M_{2 \times s}(\mathbb{N})$, $p_1, q_1, p_2, q_2 \in \mathbb{N}$, $x_0 \in M_{1 \times s}(\mathbb{N})$, $\sigma$ a permutation of $\{1, \dots, s\}$.
• Message to be transmitted: a column vector $m \in \{0, 1, \dots, M-1\}^s$.
• Private key:
  • A permutation $\sigma$ of $\{1, \dots, s\}$.
  • An invertible $2 \times s$ matrix $\epsilon$ with entries in $\mathbb{N}$ such that the row $\mu = \epsilon_2 - \epsilon_1$ is a superincreasing sequence with respect to the permutation $\sigma$, i.e. $\mu_{\sigma(1)}, \dots, \mu_{\sigma(s)}$ is a superincreasing sequence.
  • Two positive rational numbers $\lambda_i = p_i / q_i$ such that $(M-1) \lambda_i \|\epsilon_i\| < 1$.
  • Construction: choose a random row vector $x_0 \in \mathbb{N}^s$. Define the row vectors $x_1, x_2$ by $x_1 = q_1 x_0 + p_1 \epsilon_1$, $x_2 = q_2 x_1 + p_2 \epsilon_2$.
• Public key: $x_2$.
• Cyphered message: $N_2 = x_2 m \in \mathbb{N}$.

To decypher, we define $N_1, N_0$ and $O_2, O_1$ as before, and $\omega = O_2 - O_1$:
• Compute $N_1$ and $N_0$ with the formula $N_{i-1} = [N_i / q_i]$.
• Compute $O_i = (N_i - q_i N_{i-1}) / p_i$.
• Compute $\omega = O_2 - O_1$.
• Let $N = (N_0, N_1, N_2)^T \in M_{3 \times 1}(\mathbb{N})$ and let $X \in M_{3 \times s}(\mathbb{N})$ be the matrix with rows $x_0, x_1, x_2$.

The same proof as for proposition 6 shows:

Proposition 17. The initial message $m$ verifies $Xm = N$, $\epsilon m = O$, $\mu m = \omega$.

Now, since $\mu$ is a superincreasing sequence, the map $m \mapsto \mu m$ is injective and the formula to decypher is as in proposition 14.

4 Security results

In this section, we analyse the security of the second cryptographic system (section 2). We concentrate our attention on this system because it is the easiest system to attack: the key is short and no special effort has been made to hide the superincreasing sequence. We recall the notations. The private key is $q, \epsilon_1, \dots, \epsilon_s, x_0, \sigma$ where $x_0 = (v_1, \dots, v_s)$, $\epsilon_{\sigma(i)}$ is a superincreasing sequence and $\sum_{i=1}^{s} \epsilon_i < q$. The public key is $x_1 = (w_1, \dots, w_s)$ where $w_i = q v_i + \epsilon_i$. Obviously, $\epsilon_i = w_i - q [w_i / q]$, and $\sigma$ is determined by $\epsilon$. In other words, the whole private key is determined by $q$. We thus call $q$ the private key.

4.1 Unicity of the pseudo-key

It is not necessary to find the private key $q$ to cryptanalyse. Any number $q'$ with the same properties as $q$ would do the job.
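The second system of section 2 with the variant 2 parameters, as an added Python example that is not from the paper: the decoding of proposition 14, the observation just above that $q$ determines the whole private key ($\epsilon_i = w_i - q[w_i/q]$, $\sigma$ from the order of $\epsilon$), and the pseudo-key condition defined just below. Function names, the small parameters in demo() and the exclusion of the value $0$ for the first term of $\epsilon$ are this example's assumptions.

```python
import random


def keygen(s, p, rng):
    """Variant 2 of section 2.2 (0-based indices): M = 2, p_1 = 1,
    eps_{sigma(i)} in [(2^i - 1) p, 2^i p[, q_1 in [2^s p, 2^(s+1) p], x_0 in [0, 2^s]."""
    sigma = list(range(s))
    rng.shuffle(sigma)
    eps = [0] * s
    for i in range(s):
        # max(1, ...) excludes the 0 that the paper's interval [0, p[ allows for the first term:
        # a zero entry would make m -> eps.m non-injective (this example's choice)
        eps[sigma[i]] = rng.randrange(max(1, (2 ** i - 1) * p), 2 ** i * p)
    q = rng.randint(2 ** s * p, 2 ** (s + 1) * p)
    assert sum(eps) < q                       # (M-1) lambda_1 ||eps||_1 < 1 with p_1 = 1
    x0 = [rng.randint(0, 2 ** s) for _ in range(s)]
    w = [q * v + e for v, e in zip(x0, eps)]  # public key x_1 = q_1 x_0 + p_1 eps
    return w, {"q": q, "eps": eps, "sigma": sigma}


def encrypt(w, m):
    """Cyphered message N_1 = x_1 . m for a 0/1 message vector m."""
    return sum(a * b for a, b in zip(w, m))


def solve_superincreasing(eps, sigma, O):
    """Proposition 14: decode O = eps.m greedily along sigma, largest term first."""
    m = [0] * len(eps)
    rest = O
    for i in reversed(range(len(eps))):
        if rest >= eps[sigma[i]]:
            m[sigma[i]] = 1
            rest -= eps[sigma[i]]
    if rest != 0:
        raise ValueError("O is not a subset sum of eps: invalid ciphertext")
    return m


def decrypt(private, N1):
    """N_0 = [N_1 / q_1], O = N_1 - q_1 N_0 (p_1 = 1); then eps.m = O by proposition 13."""
    N0, O = divmod(N1, private["q"])
    return solve_superincreasing(private["eps"], private["sigma"], O)


def private_from_q(w, q):
    """Section 4: eps_i = w_i - q[w_i/q] and sigma is the order sorting eps,
    so the integer q alone determines the whole private key."""
    eps = [wi % q for wi in w]
    sigma = sorted(range(len(w)), key=lambda i: eps[i])
    return {"q": q, "eps": eps, "sigma": sigma}


def is_pseudo_key(w, q_prime):
    """Pseudo-key test of section 4.1: the rests r_i = w_i mod q' sum to less than q' and
    form a superincreasing sequence up to permutation (strictly, so a rest of 0 is rejected)."""
    rests = sorted(wi % q_prime for wi in w)
    if sum(rests) >= q_prime:
        return False
    total = 0
    for r in rests:
        if r <= total:
            return False
        total += r
    return True


def demo(s=10, p=1000, seed=7):
    """Checks that q determines the key, that q is a pseudo-key, and that decryption round-trips."""
    rng = random.Random(seed)
    w, private = keygen(s, p, rng)
    assert private_from_q(w, private["q"]) == private
    assert is_pseudo_key(w, private["q"])
    for _ in range(20):
        m = [rng.randint(0, 1) for _ in range(s)]
        if decrypt(private, encrypt(w, m)) != m:
            return False
    return True


if __name__ == "__main__":
    print("round trip ok:", demo())
```

Note that any $q' > \sum w_i$ passes is_pseudo_key whenever $w$ itself is superincreasing up to permutation (the rests are then the $w_i$ themselves), so a count of pseudo-keys such as the one in proposition 18 has to bound the range of $q'$ it examines.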
We call such a number a pseudo-key. Explicitly, in our context, a pseudo-key is an integer $q'$ such that the numbers $v'_i, r_i$ defined by the euclidean divisions $w_i = q' v'_i + r_i$ verify $\sum_{i=1}^{s} r_i < q'$ and $(r_i)$ is a superincreasing sequence up to permutation. If there are many pseudo-keys, it is easier to attack the system. For instance, in the Merkle-Hellman modular knapsack cryptanalysed by Shamir-Adleman, there were many pseudo-keys. The strategy of Shamir was to find a pseudo-key. The experiments made on our cryptosystem show that usually the pseudo-key is unique. We chose random instances of the parameters and we counted the percentage of cases where the pseudo-key is unique. Those results suggest that when $s > 200$, which are the cases considered in practice, the pseudo-key should be unique and equal to the private key with high probability.

Proposition 18. Consider the second cryptosystem, variant 2. The results of the experiments are as follows.
• $s = 5$, $20 < p < 35$: the pseudo-key is unique in 2 % of the cases.
• $s = 6$, $30 < p < 45$: the pseudo-key is unique in 46 % of the cases.
• $s = 7$, $30 < p < 45$: the pseudo-key is unique in 79 % of the cases.
• $s = 8$, $40 < p < 55$: the pseudo-key is unique in 96 % of the cases.

Besides this computation, we want to explain why we expect a unique pseudo-key when $s$ is large enough. For a fixed $q'$, the rests $r_i = w_i \bmod q'$ are numbers between $0$ and $q' - 1$. In the absence of a relation between $w_i$ and $q'$, these rests are expected to follow a uniform law of repartition in $\{0, \dots, q' - 1\}$. Of course the exact law of $r_i = w_i \bmod q'$ depends on the law of $w_i$ (hence on the law of $q, v_i, \epsilon_i$ as $w_i = q v_i + \epsilon_i$) and on the choice of $q'$, but a uniform law is an approximation for the law of $r_i$.
If one accepts this approximation, the next proposition is an estimation of the probability to find a $q$ such that the sum of the rests is bounded by $q$, as required for a pseudo-key.

Proposition 19. Let $q \ge 2$. Consider the rests $r_1(q), \dots, r_s(q)$ where $r_i(q) = w_i \bmod q$. Suppose that $r_1(q), \dots, r_s(q)$ follow independent uniform laws with values in $\{0, \dots, q-1\}$. The probability $P$ that $\sum_{i=1}^{s} r_i(q) \le q - 1$ satisfies $P \le (3/4)^{s-1}$.

Lemma 20. Let $a_1 \ge a_2 \ge \dots \ge a_n$ and $p_1 \le p_2 \le \dots \le p_n$. Then $n \sum_{i=1}^{n} a_i p_i \le (\sum_{i=1}^{n} a_i)(\sum_{i=1}^{n} p_i)$.

Proof of the lemma. $(\sum_{i=1}^{n} a_i)(\sum_{i=1}^{n} p_i) - n \sum_{i=1}^{n} a_i p_i = \sum_{i=1}^{n} a_i p_i + \sum_{i=1}^{n} a_i \sum_{k=1, k \ne i}^{n} p_k - \sum_{i=1}^{n} a_i p_i - (n-1) \sum_{i=1}^{n} a_i p_i = \sum_{i=1}^{n} \sum_{k=1, k \ne i}^{n} a_i (p_k - p_i) = \sum_{1 \le i < \ldots}$ ...

... $> s$. Let $S_{st}$ be the number of superincreasing sequences $r_1, \dots, r_s$ with sum $t$ and $C_{st}$ the number of sequences with sum $t$. Then $S_{st} / C_{st}$ is asymptotically equal to $\dfrac{1}{2^{s(s-1)/2}}$ when $t$ tends to infinity.

Proof. The number of sequences $r_1, \dots, r_s$ with sum $t$ is $\binom{t+s-1}{s-1}$ and is equivalent to $\dfrac{t^{s-1}}{(s-1)!}$. Remark that $S_{st} = \sum_{i=1}^{[p/2]} S_{s-1, i}$. By induction on $s$, $S_{st}$ is equivalent to $\dfrac{t^{s-1}}{(s-1)! \, 2^{s(s-1)/2}}$.

Summing up the situation, a number $q$ is a pseudo-key if the sum of the rests $r_i(q)$ is less than $q$ and if these rests form a superincreasing sequence. By proposition 19, the probability for the first condition is less than $(3/4)^{s-1}$. And by proposition 21, the probability that the second condition is satisfied is around $1 / 2^{s(s-1)/2}$. In particular we expect a unique pseudo-key $q$ when the number of possible values for $q$ is asymptotically dominated by $(4/3)^{s-1} \, 2^{s(s-1)/2}$.
This is the case for the second system we have constructed with the suggested choices of parameters and this gives an explanation to the results of proposition 18.

This is only a heuristic argument (there could be obvious pseudo-keys associated to the private key $q$, for instance $q - 1$, $q + 1$ or $2q$). However, the general picture is that the unicity of the pseudo-key verified empirically in proposition 18 should be easy to reproduce with other families and other choices of parameters.

4.2 Finding a pseudo-key is as difficult as factorising an integer

In this section, we show that the problem of finding the exact value of the private key $q$ is as difficult as factorizing an integer $n$, product of two primes. More precisely, we show that an easier problem (finding a pseudo-key with the help of some extra information) is as difficult as the factorisation of $n$, in the sense of a probabilistic reduction. There are several problems, depending on whether one wants to compute one key or all keys, and depending on the information given as input.

• Input of problem 1: the public key $w_1, \dots, w_s$. Problem 1: compute all the pseudo-keys $q$.
• Input of problem 2: the public key $w_1, \dots, w_s$. Problem 2: compute one pseudo-key $q$.
• Input of problem 3: the public key $w_1, \dots, w_s$, integers $r_1 < \dots < r_{s-1}$ and a range $[a, b]$. Problem 3: compute all pseudo-keys $q$ such that the rests of the divisions $w_i = q v_i + \epsilon_i$ satisfy $\epsilon_i = r_i$ for $0 < i < s$ and $\epsilon_s \in [a, b]$.
• Input of problem 4: the public key $w_1, \dots, w_s$, integers $r_1 < \dots < r_{s-1}$ and a range $[a, b]$. Problem 4: compute one pseudo-key $q$ such that the rests of the divisions $w_i = q v_i + \epsilon_i$ satisfy $\epsilon_i = r_i$ for $0 < i < s$ and $\epsilon_s \in [a, b]$.
Obviously, it is more difficult to find all the keys than to find one key, and the problem is easier when more information is given as input, as long as the definition of "more difficult" is sensible (polynomial time reduction, probabilistic polynomial time reduction, ...). In particular, if $>$ stands for "more difficult" then problem 1 $>$ problem 2, and problem 1 $>$ problem 3 $>$ problem 4 in the above list. There is no proven relation between problem 2 and problem 4. However, when the pseudo-key is unique, then problem 1 = problem 2 and the easiest problem in the list is problem 4. The previous section explained why the pseudo-key is unique for many cryptosystems. Thus the security of the system relies on the difficulty to solve problem 4. We show that solving problem 4 is as difficult as factorising a product of two primes.

• Input of problem 5: an integer $n$ which is a product of two primes. Problem 5: find the factors $p, q$ of $n$.

Theorem 22. If it is possible to solve problem 4 in polynomial time (with respect to the length of the input data), then for all $\eta > 0$ it is possible to solve problem 5 in polynomial time with a probability of success at least $1 - \eta$.

Proof. Let $n$ be an integer. We make a polynomial time probabilistic reduction to problem 4 to get the factorisation of $n = pq$. Choose any superincreasing sequence $0 < r_1 < \dots < r_{s-1}$. First, try to divide $n$ by all elements $q$ with $1 < q \le 3 \sum_{i=1}^{s-1} r_i$. If this doesn't succeed, then all the divisors $q$ of $n$ satisfy $q > 3 \sum_{i=1}^{s-1} r_i$. Let $w_i = n + r_i$ for $1 \le i \le s-1$. Let $r$ be an integer such that $(2/3)^r < \eta$. Let $w_{s1}, \dots, w_{sr}$ be integers chosen randomly in the range $]n/2, n[$. With these $r$ numbers, we consider $r$ problems $P_1, \dots, P_r$. The problem $P_k$ is problem 4 with input $w_1, \dots, w_{s-1}, w_{sk}, r_1, \dots, r_{s-1}$, $a = 0$, $b = [n/2]$.
Let $q$ be a proper divisor of $n = pq$. It satisfies $q > 3\sum_{i=1}^{s-1} r_i$. Thus, for each $k$, there is a probability $x > 1/3$ that $w_{sk} \bmod q$ satisfies $\sum_{i=1}^{s-1} r_i < w_{sk} \bmod q < q$. Remark that $(1-x)^r < (2/3)^r < \eta$. Then, with probability at least $1 - \eta$, among the $r$ random choices $w_{s1}, \dots, w_{sr}$ for $w_s$, one of them, $w_{sk}$, satisfies $\sum_{i=1}^{s-1} r_i < w_{sk} \bmod q < q$. We denote by $(*)$ this condition. To conclude, it suffices to show that one can find a factorisation of $n$ in polynomial time when $(*)$ is satisfied.

We thus suppose that one problem $P_k$ in the list $P_1, \dots, P_r$ satisfies the condition $(*)$. Since $r_i < q$, the equality $w_i = qp + r_i$ is the Euclidean division of $w_i$ by $q$ when $0 < i < s$. Since the remainder $\epsilon_{sk}$ of the division $w_{sk} = q[w_{sk}/q] + \epsilon_{sk}$ satisfies $\epsilon_{sk} > \sum_{i=1}^{s-1} r_i$ and $\epsilon_{sk} < q \le n/2$, it follows that a proper divisor $q$ of $n$ is a solution to problem $P_k$. Reciprocally, a solution $q$ of $P_k$ is a divisor of $n$ different from 1, since $w_1 \bmod q = r_1$ and $w_1 - r_1 = n$. This divisor of $n$ is not $n$ since the condition $\epsilon_{sk} \in [a, b]$ is not satisfied for $q = n$. Thus a polynomial time algorithm that solves Problem 4 returns a strict divisor $q$ of $n$ when applied to $P_k$. Hence the factorisation of $n$ in polynomial time. A priori, we do not know which problem $P_k$ satisfies $(*)$ in the list $P_1, \dots, P_r$. We thus run a multi-threaded algorithm which tries to solve the problems $P_1, \dots, P_r$ in parallel and which stops as soon as it finds a solution for one of them.

4.3 Comparing LLL attacks on $x_0$ and $x_1$

The previous sections have explored the security of the key. It remains to analyse the security of the system with respect to heuristic attacks. As most heuristic attacks on knapsack cryptosystems rely on variants of the LLL algorithm, we analyse the security of the system for LLL-based heuristic attacks.
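Before turning to LLL attacks, here is the reduction of Theorem 22 run on toy numbers, as an added worked example (this is not code from the paper). The hypothetical polynomial-time solver for Problem 4 is replaced by an exhaustive search, which is only a stand-in so that the reduction can be exercised; the functions `trial_divide`, `build_instances`, `factor_via_problem4`, `star_frequency` and the constants `R` and `N` are assumptions of this example. The block builds the instances $P_k$ exactly as in the proof ($w_i = n + r_i$ for $i < s$, a random $w_s \in\ ]n/2, n[$, $a = 0$, $b = [n/2]$, and $t$ instances with $(2/3)^t < \eta$), checks that whatever the solver returns is a proper divisor of $n$, and estimates empirically how often condition $(*)$ holds.

```python
import random


def trial_divide(n, bound):
    """First step of the reduction: return a divisor of n in [2, bound], or None.
    When it returns None, every divisor q > 1 of n satisfies q > bound."""
    for q in range(2, bound + 1):
        if n % q == 0:
            return q
    return None


def problem4_bruteforce(w, r, a, b):
    """Stand-in for the hypothetical polynomial-time Problem 4 solver: return one
    q such that the remainders of the Euclidean divisions w_i = q*v_i + eps_i
    satisfy eps_i = r_i for i < s and a <= eps_s <= b.  Exhaustive search, so it
    only runs on toy sizes; the reduction itself does not depend on how q is found."""
    s = len(w)
    for q in range(2, w[0] + 1):
        if all(w[i] % q == r[i] for i in range(s - 1)) and a <= w[s - 1] % q <= b:
            return q
    return None


def build_instances(n, r, eta, seed):
    """Instances P_1..P_t of Problem 4 from the proof of Theorem 22: w_i = n + r_i
    for i < s, w_s drawn uniformly from ]n/2, n[, a = 0, b = [n/2], and t chosen
    so that (2/3)^t < eta.  r must be superincreasing (constructed by the caller)."""
    rng = random.Random(seed)
    t = 1
    while (2 / 3) ** t >= eta:
        t += 1
    w = [n + ri for ri in r]
    return [(w + [rng.randrange(n // 2 + 1, n)], list(r), 0, n // 2) for _ in range(t)]


def star_holds(ws, q, r):
    """Condition (*) of the proof: sum(r) < (w_s mod q) < q."""
    return sum(r) < ws % q < q


def star_frequency(n, q, r, trials, seed):
    """Empirical probability that (*) holds for a random w_s in ]n/2, n[ and a
    proper divisor q of n; the proof only needs it to exceed 1/3."""
    rng = random.Random(seed)
    hits = sum(star_holds(rng.randrange(n // 2 + 1, n), q, r) for _ in range(trials))
    return hits / trials


def factor_via_problem4(n, r, eta, seed, oracle=problem4_bruteforce):
    """Return a proper divisor of n = p*q using an oracle for Problem 4, failing
    with probability below eta (the probabilistic reduction of Theorem 22)."""
    d = trial_divide(n, 3 * sum(r))
    if d is not None:
        return d
    for w, rr, a, b in build_instances(n, r, eta, seed):
        q = oracle(w, rr, a, b)
        if q is not None:
            # Any solution divides n: w_1 - r_1 = n and w_1 mod q = r_1 force q | n,
            # and q != n because w_s mod n = w_s > n/2 = b.
            assert n % q == 0 and 1 < q < n
            return q
    return None


# Constructed toy parameters: a superincreasing r_1..r_{s-1} and n = p*q with
# both primes above 3 * sum(R) = 123, so the trial-division step does not finish the job.
R = [2, 5, 11, 23]
N = 211 * 223
```

`factor_via_problem4(N, R, 0.01, seed=1)` returns 211 and `star_frequency(N, 211, R, 2000, seed=1)` is around 0.8. The assertion inside `factor_via_problem4` never fires because $w_1 - r_1 = n$ and $w_1 \bmod q = r_1$ force $q \mid n$; the search bound $3\sum r_i$ of the first step is what guarantees $q > r_i$ for every $i$, so that the $r_i$ really are Euclidean remainders.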
The knapsack problem is NP-complete and experiments show that the heuristic attacks fail when the encryption is done with a well chosen general key $x_0$. In our system, the encryption is realised with a key $x_1 = q x_0 + \epsilon$ which is a modification of $x_0$, and it could happen that the key $x_1$ is less secure than $x_0$. Thus we look for a security result asserting that the key $x_1$ is as secure as $x_0$ for LLL attacks. The key $x_1$ could be weaker than $x_0$ for two reasons:

• the heuristic algorithm used to break the system could perform faster on a message encrypted with $x_1$ than on the same message encrypted with $x_0$;
• the heuristic could fail for a message encrypted with $x_0$ but succeed for the same message encrypted with $x_1$.

We fix an algorithm to attack the ciphertexts. To measure the speed of the algorithm, we denote by $n(N)$ the number of steps of the algorithm when the attack is run on the ciphertext $N$. To measure the probability of success of the algorithm, we introduce the symbol $R(N)$ for the result of the attack ($R(N) = m$ if the attack succeeds and recovers the plaintext message $m$, $R(N) = \mathrm{FAILURE}$ otherwise). As the algorithm depends on a matrix $M$ chosen randomly in the unit ball $B(1)$, the precise notations are $n_M(N)$ and $R_M(N)$. The two keys $x_0$ and $x_1$ yield two ciphertexts $N_0$ and $N_1$. The following theorem says that the key $x_1 = q x_0 + \epsilon$ is as secure as $x_0$, both with respect to the speed and to the probability of success of the attack. Both the number of steps $n$ and the returned message $R$ are unchanged when replacing $x_0$ with $x_1$, provided that two conditions are satisfied: the matrix $M$ must live in a dense open subset and $\|\epsilon\| / |q|$ must be small enough.
These two conditions are compatible with the practice: $M$ is chosen randomly and falls with high probability in a dense open subset, and $\|\epsilon\| / |q|$ is small by the very construction of our cryptosystem.

Theorem 23. For all $m$ and all $x_0$, there exist a dense open subset $V \subset B(1)$ and $\eta > 0$ such that for all $M \in V$ and all $x_1 = q x_0 + \epsilon$ with $\|\epsilon\| / |q| < \eta$:
• $n_M(N_0) = n_M(N_1)$;
• $R_M(N_0) = R_M(N_1)$.

The key arguments of our proof are as follows:
• the elements $x_1$ and $x_0$ are close as points of the projective space;
• the LLL algorithm can be factorised to give an action at the projective level;
• the number of steps of the algorithm and the result of the algorithm are functions of the input which are locally constant on a dense open subset. In particular, replacing $x_0$ with $x_1$ does not change the number of steps and the result when $x_0$ and $x_1$ are sufficiently close.

Though the algorithm required for the attack is fixed, its precise form is not important. The key point is that it relies on the LLL algorithm and that the additional data $M$ required to run the algorithm is chosen randomly. Similar theorems can be obtained with other heuristics relying on the LLL algorithm. Thus, besides the precise attack considered, our theorem suggests that replacing the public key $x_0$ with $x_1$ does not expose our system to LLL-based attacks.

4.3.1 The LLL algorithm

This section shows that the output of the LLL algorithm depends continuously on the input when the input takes values in a dense open subset. This is not clear a priori, since the operations performed during the LLL algorithm include non-continuous functions (integer parts). We introduce a class of algorithms that we call analytic. The LLL algorithm is an analytic algorithm.
Analytic algorithms can include non-continuous functions in the process, but their output depends continuously (in fact analytically) on the input when the input is general enough. Recall that the LLL algorithm takes as input a basis $(b_1, \dots, b_n)$ of a lattice $L \subset \mathbb{R}^m$ and computes a reduced basis $(c_1, \dots, c_n)$. We refer to [6] for details.

Definition 24. Consider an algorithm which performs operations on a datum $D \in U$, where $U \subset \mathbb{R}^n$ is an open set (each step of the algorithm is a modification of the value of the datum $D$). Suppose that the algorithm is defined by a number of states $0, 1, \dots, s$ and, for each state $i$, by:
• a function $f_i : U \to \mathbb{R}$;
• two functions $T_i^+ : U \to U$ and $T_i^- : U \to U$;
• two integers $i^+$ and $i^-$ in $\{0, \dots, s\}$.
The algorithm starts in state 1 with datum $D$ the input of the algorithm. If the algorithm is in state $i$, the datum is $D$ and $f_i(D) > 0$ (resp. $f_i(D) \le 0$), then it goes to state $i^+$ (resp. $i^-$) with the datum $T_i^+(D)$ (resp. $T_i^-(D)$). The algorithm terminates in state 0 and returns the value of the datum $D$ when it terminates. By convention, we put $0^+ = 0^- = 0$, $T_0^+ = T_0^- = \mathrm{Identity}_U$, $f_0 = 1$. The algorithm is called analytic if:
• the test functions $f_i : U \to \mathbb{R}$ are analytic;
• the transformation functions $T_i^+ : U \to U$ and $T_i^- : U \to U$ are analytic on a dense open subset $U_i \subset U$ such that $V_i = U \setminus U_i$ is a closed analytic subset;
• for every $D$ in $U$, the algorithm terminates.

Proposition 25. The LLL algorithm is analytic.

Proof. We use the description of the algorithm given in [6], page 119. The datum $D$ handled by the algorithm is a basis $(b_1, \dots, b_n)$ of a lattice $L$. It takes values in the open subset $U \subset (\mathbb{R}^m)^n$ parametrising the $n$-tuples of linearly independent vectors. All the test functions $f_i$ which appear in the algorithm of [6] are analytic (they are even algebraic functions on $U$).
All the functions involved in the handling of the basis $b_i$ (which correspond to our functions $T_i^+$ and $T_i^-$) are algebraic too, except for an integer part $[x]$, which is analytic (locally constant) on the dense open set $x \notin \mathbb{Z}$.

Theorem 26. Let $A : U \to U$ be the output function associated with an analytic algorithm, i.e. for $D \in U$, the value $A(D)$ is the output of the analytic algorithm with input $D$. Then there exists a dense open subset $V \subset U$ such that
• $A : V \to U$ is analytic;
• the number of steps to compute the output $A(D)$ is locally constant for $D \in V$.

Proof. We keep the notations of Definition 24. In particular, the algorithm starts in state 1 and ends in state 0. A sign function $\epsilon$ of length $\mathrm{length}(\epsilon) = k$ is by definition a function $\epsilon : \{1, \dots, k\} \to \{+, -\}$. We associate to any sign function of length $k$ a finite sequence $n_0(\epsilon), \dots, n_k(\epsilon)$ constructed with the integers $i^+$ and $i^-$ of the analytic algorithm. Explicitly, $n_0(\epsilon) = 1$, $n_1(\epsilon) = n_0(\epsilon)^{\epsilon(1)}, \dots, n_k(\epsilon) = n_{k-1}(\epsilon)^{\epsilon(k)}$. We use below the notation $n_i$ instead of $n_i(\epsilon)$ to shorten the notation. Let $A_\epsilon : U \to U$, $A_\epsilon = T^{\epsilon(k)}_{n_{k-1}} \circ \dots \circ T^{\epsilon(2)}_{n_1} \circ T^{\epsilon(1)}_{n_0}$. Let $g_\epsilon : U \to \mathbb{R}$, $g_\epsilon = f_{n_k} \circ A_\epsilon$. We define by induction on $k = \mathrm{length}(\epsilon)$ a set $W_\epsilon$ such that
• $W_\epsilon \subset U$ is an open inclusion;
• $A_\epsilon : W_\epsilon \to U$ is analytic;
• $D \in W_\epsilon$ implies that the successive states $s_0, \dots, s_k$ of the algorithm $A$ applied with input $D$ are $s_0 = n_0(\epsilon) = 1$, $s_1 = n_1(\epsilon), \dots, s_k = n_k(\epsilon)$. Moreover, the value of the datum after the algorithm arrives in state $n_k(\epsilon)$ is $A_\epsilon(D)$;
• $\bigcup_{\mathrm{length}(\epsilon) = k} W_\epsilon$ is dense in $U$.

We start the induction with $k = 0$, using the convention that there is a unique function $\epsilon$ defined on a set with $k = 0$ elements and that $A_\epsilon = \mathrm{Id}$. Then $W_\epsilon = U$ obviously satisfies the list of required conditions. Let now $k > 0$. Let $\tau : \{1, \dots, k-1\} \to \{+, -\}$ be the restriction of $\epsilon$ to $\{1, \dots, k-1\}$. Let $W_\tau^+ = W_\tau \cap \{D \in U,\ g_\tau(D) > 0\} \cap (A_\tau)^{-1}(U_{n_{k-1}})$, where $U_{n_{k-1}}$ is the open subset of $U$ where $T^+_{n_{k-1}}$ and $T^-_{n_{k-1}}$ are analytic. Similarly, let $W_\tau^- = W_\tau \cap \{D \in U,\ g_\tau(D) < 0\} \cap (A_\tau)^{-1}(U_{n_{k-1}})$. The disjoint union $W_\tau^+ \sqcup W_\tau^-$ is dense in $W_\tau$ since the difference is included in the closed analytic subset $(g_\tau = 0) \cup A_\tau^{-1}(U \setminus U_{n_{k-1}})$. Let $W_\epsilon = W_\tau^+$ if $\epsilon(k) = +$ and $W_\epsilon = W_\tau^-$ if $\epsilon(k) = -$. Since $W_\tau^+ \cup W_\tau^-$ is dense in $W_\tau$ and since $\bigcup_{\mathrm{length}(\tau) = k-1} W_\tau$ is dense in $U$ by induction, we obtain the density of $\bigcup_{\mathrm{length}(\epsilon) = k} W_\epsilon$ in $U$. The other claims of the list are satisfied by construction. Let $W_k = \bigcup_{\epsilon \text{ of length } k} W_\epsilon$. The intersection $V = \bigcap_{k \ge 0} W_k$ is equal to the disjoint union $\bigsqcup_{k,\, \epsilon,\ \mathrm{length}(\epsilon) = k,\ n_k = 0,\ n_{k-1} \ne 0} W_\epsilon$. The set $V$ is open as a union of open sets, and it is dense in $U$ by Baire's theorem. On each open subset $W_\epsilon$ appearing in the disjoint union, the algorithm applied to $D$ returns $A_\epsilon(D)$, which is analytic, and the number of steps of the algorithm is $\mathrm{length}(\epsilon)$; thus it is constant on each open set of the disjoint union.

Proposition 27. Let $b_1, \dots, b_n$ be a basis of a lattice $L \subset \mathbb{R}^m$, $m \ge n$. Let $(c_1, \dots, c_n) = \mathrm{LLL}(b_1, \dots, b_n)$ be the reduced basis computed by the LLL algorithm. There exists a dense open subset $U \subset (\mathbb{R}^m)^n$ such that
• $U \to (\mathbb{R}^m)^n$, $(b_i) \mapsto (c_i)$ is continuous;
• $U \to \mathbb{N}$, $(b_i) \mapsto$ number of steps of the LLL algorithm, is locally constant.

Proof. Follows from Proposition 25 and Theorem 26.

Corollary 28. Let $\psi : U \to GL_n(\mathbb{Z})$, $(b_1, \dots, b_n) \mapsto M$ be the change-of-basis map, where $M$ is the integer matrix of determinant $\pm 1$ such that
$$\begin{pmatrix} c_1 \\ \vdots \\ c_n \end{pmatrix} = M \begin{pmatrix} b_1 \\ \vdots \\ b_n \end{pmatrix}.$$
Then $\psi$ is locally constant.

Proof. The map is continuous with values in a discrete set.

4.3.2 The heuristic attack

Let $w_1, \dots, w_s \in \mathbb{N}$ be a public key.
Let $m \in \{0, 1\}^s$ be a plaintext message and $N = \sum_{i=1}^s m_i w_i$ the associated ciphertext. The following attack is well known.

Heuristic Attack 1.
• Choose $\lambda = 2^{-2s} \min(w_i)$.
• Apply the LLL algorithm to the lattice generated by the rows $b_i$ of the matrix
$$D = \begin{pmatrix} \lambda & 0 & \cdots & 0 & w_1 \\ 0 & \lambda & \cdots & 0 & w_2 \\ \vdots & \vdots & \ddots & \vdots & \vdots \\ 0 & 0 & \cdots & \lambda & w_s \\ 0 & 0 & \cdots & 0 & N \end{pmatrix}.$$
Any vector $c_i$ of the reduced basis is a linear combination $c_i = \sum_{j=1}^{s+1} r_{ij} b_j$.
• For each vector $c_i$ of the reduced basis, check whether $(r_{ij})_{j \le s}$ (or $(-r_{ij})_{j \le s}$) is equal to $m$, i.e. check whether every $r_{ij}$ is 0 or 1 and $\sum_{j=1}^{s} r_{ij} w_j = N$.

In the above attack, the precise value of the coefficients of the matrix $D$ is not important. The precise shape of $D$ has been chosen to speed up the computations and simplify the presentation, but is not required by theoretical considerations. The attack could start with any invertible matrix whose $s$ first columns contain small numbers and whose last column is close to the last column of $D$. Thus the following attack is more general and natural.

Heuristic Attack 2.
• Choose $\lambda = 2^{-2s} \min(w_i)$.
• Choose coefficients $m_{ij}$, $i, j \le s+1$, with $|m_{ij}| \le 1$. Let $M = (m_{ij})$ be the corresponding matrix.
• Let
$$X = \begin{pmatrix} 0 & 0 & \cdots & 0 & w_1 \\ 0 & 0 & \cdots & 0 & w_2 \\ \vdots & \vdots & & \vdots & \vdots \\ 0 & 0 & \cdots & 0 & w_s \\ 0 & 0 & \cdots & 0 & N \end{pmatrix}.$$
Apply the LLL algorithm to the lattice generated by the rows $b_i$ of the matrix
$$D = X + \lambda M = \begin{pmatrix} \lambda m_{11} & \cdots & \lambda m_{1s} & w_1 + \lambda m_{1,s+1} \\ \lambda m_{21} & \cdots & \lambda m_{2s} & w_2 + \lambda m_{2,s+1} \\ \vdots & & \vdots & \vdots \\ \lambda m_{s1} & \cdots & \lambda m_{ss} & w_s + \lambda m_{s,s+1} \\ \lambda m_{s+1,1} & \cdots & \lambda m_{s+1,s} & N + \lambda m_{s+1,s+1} \end{pmatrix}.$$
Any vector $c_i$ of the reduced basis is a linear combination $c_i = \sum_{j=1}^{s+1} r_{ij} b_j$, and the coefficients $r_{ij}$ can be computed during the LLL algorithm.
• For each vector $c_i$ of the reduced basis, check whether $(r_{ij})_{j \le s}$ or $(-r_{ij})_{j \le s}$ is equal to $m$.

4.3.3 Proof of the theorem

Consider a plaintext message $m$.
It can be encrypted with the generic key $x_0 = (v_1, \dots, v_s)$ or with the key $x_1 = q x_0 + \epsilon = (w_1, \dots, w_s)$. The two ciphertexts associated with the keys $x_0$ and $x_1$ are denoted by $N_0$ and $N_1$. We compare below how these two encryptions resist "Heuristic Attack 2" presented above. For this algorithm, we need a random matrix $M$ in the unit ball $B(1)$. Recall that we called $n_M(N)$ the number of steps of the algorithm when the attack is run on the ciphertext $N$. Similarly, we defined $R_M(N)$ to be the result of the attack ($R_M(N) = m$ if the attack recovers the plaintext message $m$ and $R_M(N) = \mathrm{FAILURE}$ otherwise).

Theorem 29. For all $m$ and all $x_0$, there exist a dense open subset $V \subset B(1)$ and $\eta > 0$ such that for all $M \in V$ and all $x_1 = q x_0 + \epsilon$ with $\|\epsilon\| / |q| < \eta$:
• $n_M(N_0) = n_M(N_1)$;
• $R_M(N_0) = R_M(N_1)$.

Proof. We keep the notations $X$, $\lambda$, $D = X + \lambda M$ introduced in the description of the attack. These data depend on the public key $x = (w_i)$. We denote by $X_0, \lambda_0, D_0$ and $X_1, \lambda_1, D_1$ these data for the keys $x_0$ and $x_1$. If $C(\epsilon, q)$ is the matrix defined by $X_1 = q(X_0 + C(\epsilon, q))$, then $C(\epsilon, q) \to 0$ when $\|\epsilon\| / |q| \to 0$. If $M$ is a matrix with rows $b_1, \dots, b_s$, and if $(c_1, \dots, c_s) = \mathrm{LLL}(b_1, \dots, b_s)$ is the reduced basis computed by the LLL algorithm, we adopt a matrix notation and denote by $\mathrm{LLL}(M)$ the matrix with rows $c_1, \dots, c_s$. We denote by $\psi(M)$ the matrix that gives the change of basis, i.e. $\mathrm{LLL}(M) = \psi(M) \cdot M$. Finally, we denote by $n(M)$ the number of steps needed to perform the LLL algorithm on the rows of $M$. According to Proposition 27 and Corollary 28, there exists a dense open subset $U$ where $\mathrm{LLL}$ is continuous and where $n$ and $\psi$ are locally constant. Let $V = \frac{U - X_0}{\lambda_0} \cap B(1)$. Thus $V$ is a dense open subset of $B(1)$ where the map $\psi_0 : M \mapsto \psi(D_0(M))$ is continuous.
Moreover, the number of steps of the algorithm which computes $\psi_0$ is locally constant on $V$. The analysis of the LLL algorithm given in [6] shows that it is a "projective algorithm", i.e., in symbols: if $\rho \in \mathbb{R}$, $\rho \ne 0$, we have $\mathrm{LLL}(\rho M) = \rho\, \mathrm{LLL}(M)$, $\psi(\rho M) = \psi(M)$ and $n(\rho M) = n(M)$. By definition of the attack considered, the result $R_M(N_i)$ of the attack is a function of the coefficients $r_{ij}$ which appear in the matrix $\psi(D_i(M))$. In particular, if $\psi(D_0(M)) = \psi(D_1(M))$, then $R_M(N_0) = R_M(N_1)$. Now
$$\psi(D_1(M)) = \psi\big(q(X_0 + C(\epsilon, q)) + \lambda_1 M\big) = \psi\Big(X_0 + C(\epsilon, q) + \frac{\lambda_1 M}{q}\Big) = \psi\Big(X_0 + \lambda_0\Big(\frac{\lambda_1 M}{q \lambda_0} + \frac{C(\epsilon, q)}{\lambda_0}\Big)\Big) = \psi_0\Big(\frac{\lambda_1 M}{q \lambda_0} + \frac{C(\epsilon, q)}{\lambda_0}\Big).$$
When $\|\epsilon\| / |q| \to 0$, the argument of $\psi_0$ tends to $M$. Since $M$ is in the open set of continuity of $\psi_0$, and since $\psi_0$ is locally constant, $\psi_0\big(\frac{\lambda_1 M}{q \lambda_0} + \frac{C(\epsilon, q)}{\lambda_0}\big) = \psi_0(M) = \psi(D_0(M))$ if $\|\epsilon\| / |q|$ is small enough. Since $n$ is locally constant too, the same reasoning with $n$ instead of $\psi$ shows that $n_M(N_0) = n(D_0(M)) = n(D_1(M)) = n_M(N_1)$.

References

[1] L. Babai. On Lovász' lattice reduction and the nearest lattice point problem. Combinatorica, 6(1):1–13, 1986.
[2] E. F. Brickell and A. M. Odlyzko. Cryptanalysis: a survey of recent results. In Contemporary cryptology, pages 501–540. IEEE, New York, 1992.
[3] Ernest F. Brickell. Breaking iterated knapsacks. In Advances in cryptology (Santa Barbara, Calif., 1984), volume 196 of Lecture Notes in Comput. Sci., pages 342–358. Springer, Berlin, 1985.
[4] Oded Goldreich, Shafi Goldwasser, and Shai Halevi. Public-key cryptosystems from lattice reduction problems. In Advances in cryptology—CRYPTO '97 (Santa Barbara, CA, 1997), volume 1294 of Lecture Notes in Comput. Sci., pages 112–131. Springer, Berlin, 1997.
[5] Donald E. Knuth. The art of computer programming. Vol. 2: Seminumerical algorithms. Addison-Wesley Publishing Co., Reading, Mass.-London-Don Mills, Ont., 1969.
[6] Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of applied cryptography. CRC Press Series on Discrete Mathematics and its Applications. CRC Press, Boca Raton, FL, 1997. With a foreword by Ronald L. Rivest.
[7] Ralph C. Merkle and Martin E. Hellman. Hiding information and signatures in trapdoor knapsacks. In Secure communications and asymmetric cryptosystems, volume 69 of AAAS Sel. Sympos. Ser., pages 197–215. Westview, Boulder, CO, 1982.
[8] Phong Q. Nguyen and Jacques Stern. The two faces of lattices in cryptology. In Cryptography and lattices (Providence, RI, 2001), volume 2146 of Lecture Notes in Comput. Sci., pages 146–180. Springer, Berlin, 2001.
[9] A. M. Odlyzko. The rise and fall of knapsack cryptosystems. In Cryptology and computational number theory (Boulder, CO, 1989), volume 42 of Proc. Sympos. Appl. Math., pages 75–88. Amer. Math. Soc., Providence, RI, 1990.
[10] Adi Shamir. On the cryptocomplexity of knapsack systems. In Conference Record of the Eleventh Annual ACM Symposium on Theory of Computing (Atlanta, Ga., 1979), pages 118–129. ACM, New York, 1979.
[11] Adi Shamir. A polynomial time algorithm for breaking the basic Merkle-Hellman cryptosystem. In 23rd annual symposium on foundations of computer science (Chicago, Ill., 1982), pages 145–152. IEEE, New York, 1982.
[12] Serge Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. In Advances in cryptology—CRYPTO '98 (Santa Barbara, CA, 1998), volume 1462 of Lecture Notes in Comput. Sci., pages 243–256. Springer, Berlin, 1998.
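Added worked example for Sections 4.3.2 and 4.3.3 (this is not the paper's code): Heuristic Attack 1 implemented over exact rationals with a textbook LLL that also tracks the change-of-basis matrix $\psi$ of Corollary 28 and the step count $n(M)$, then run against the same plaintext encrypted with a generic key $x_0$ and with $x_1 = q x_0 + \epsilon$, as in Theorem 29. The toy key `V0`, multiplier `Q`, perturbation `EPS`, plaintext `PLAINTEXT` and all function names are constructed here. The paper takes $\lambda = 2^{-2s} \min(w_i)$; this block keeps $\lambda$ proportional to $\min(w_i)$, which is what the proof of the theorem uses, but exposes the exponent as the parameter `shift`, set to the bit length of the toy key so that the identity part of $D$ stays small next to the weights.

```python
from fractions import Fraction

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def gram_schmidt(b):
    """Exact Gram-Schmidt orthogonalisation: returns b* and mu[i][j] for j < i."""
    n = len(b)
    bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        v = list(b[i])
        for j in range(i):
            mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
            v = [x - mu[i][j] * y for x, y in zip(v, bstar[j])]
        bstar.append(v)
    return bstar, mu

def lll(rows, delta=Fraction(3, 4)):
    """Textbook LLL on the rows of `rows` in exact rational arithmetic.
    Returns (reduced rows, psi, steps): psi is the integer change-of-basis
    matrix with reduced = psi * rows (the map of Corollary 28) and steps is
    the number of iterations of the main loop (the n(M) of Section 4.3)."""
    b = [[Fraction(x) for x in row] for row in rows]
    n = len(b)
    psi = [[int(i == j) for j in range(n)] for i in range(n)]
    k, steps = 1, 0
    while k < n:
        steps += 1
        bstar, mu = gram_schmidt(b)
        for j in range(k - 1, -1, -1):  # size reduction; round() is the integer-part step
            c = round(mu[k][j])
            if c:
                b[k] = [x - c * y for x, y in zip(b[k], b[j])]
                psi[k] = [x - c * y for x, y in zip(psi[k], psi[j])]
                mu[k][j] -= c
                for l in range(j):
                    mu[k][l] -= c * mu[j][l]
        if dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1]):
            k += 1  # Lovasz condition holds
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            psi[k], psi[k - 1] = psi[k - 1], psi[k]
            k = max(k - 1, 1)
    return b, psi, steps

def det(mat):
    """Exact determinant by Gaussian elimination (checks that psi is unimodular)."""
    a = [[Fraction(x) for x in row] for row in mat]
    d = Fraction(1)
    for i in range(len(a)):
        p = next((r for r in range(i, len(a)) if a[r][i] != 0), None)
        if p is None:
            return Fraction(0)
        if p != i:
            a[i], a[p], d = a[p], a[i], -d
        d *= a[i][i]
        for r in range(i + 1, len(a)):
            f = a[r][i] / a[i][i]
            a[r] = [x - f * y for x, y in zip(a[r], a[i])]
    return d

def attack_lattice(w, cipher, lam):
    """Rows b_1, ..., b_{s+1} of the matrix D of Heuristic Attack 1."""
    s = len(w)
    rows = [[lam * int(i == j) for j in range(s)] + [Fraction(w[i])] for i in range(s)]
    rows.append([Fraction(0)] * s + [Fraction(cipher)])
    return rows

def heuristic_attack(w, cipher, shift):
    """Heuristic Attack 1 with lambda = min(w) / 2**shift.
    Returns (R, psi, steps) with R the recovered plaintext or None (FAILURE)."""
    s = len(w)
    _, psi, steps = lll(attack_lattice(w, cipher, Fraction(min(w), 2 ** shift)))
    for r in psi:  # the r_ij of the paper are the entries of a row of psi
        for cand in (r[:s], [-x for x in r[:s]]):
            if all(x in (0, 1) for x in cand) and sum(x * wi for x, wi in zip(cand, w)) == cipher:
                return cand, psi, steps
    return None, psi, steps

def compare_keys(v, q, eps, m, shift):
    """Encrypt m with x0 = v and with x1 = q*v + eps, attack both ciphertexts with
    the same lambda rule and report the quantities Theorem 29 says must agree."""
    w = [q * vi + ei for vi, ei in zip(v, eps)]
    n0 = sum(mi * vi for mi, vi in zip(m, v))
    n1 = sum(mi * wi for mi, wi in zip(m, w))
    r0, psi0, steps0 = heuristic_attack(v, n0, shift)
    r1, psi1, steps1 = heuristic_attack(w, n1, shift)
    return {"R0": r0, "R1": r1, "steps0": steps0, "steps1": steps1,
            "same_psi": psi0 == psi1, "unimodular": abs(det(psi0)) == 1}

# Constructed toy data (not from the paper): a 6-element generic key x0 of about
# 62 bits, a private multiplier q, a small perturbation eps and a plaintext m.
V0 = [0x1a7f3c9e2b5d8e41, 0x2e9b1d7c4a6f0e23, 0x13c5e8a97f2d4b05,
      0x2b6d0f3a8c1e7d47, 0x1f4e7a2c9d3b6109, 0x27a3c5e1f8b4d2ab]
Q = 1_000_003
EPS = [3, 7, 1, 11, 5, 2]
PLAINTEXT = [1, 0, 1, 1, 0, 1]
```

`compare_keys(V0, Q, EPS, PLAINTEXT, shift=62)` recovers the plaintext from both ciphertexts, and the step counts and the matrices $\psi(D_0(M))$ and $\psi(D_1(M))$ coincide, as Theorem 29 predicts; `det` confirms that the change of basis is unimodular. Exact `Fraction` arithmetic is deliberate: the comparison concerns the test functions of Definition 24 evaluated away from their zero sets, and floating-point rounding would introduce discontinuities of its own.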