A.M. Odlyzko, "The rise and fall of knapsack cryptosystems", in Cryptology and Computational Number Theory, Proc. Symp. Appl. Math. 42, Amer. Math. Soc., 1990, 75-88  Home/Search   Document Details and Download   Summary   Related Articles   Check

.... notably by Schnorr [121, 122] Those algorithms have proved invaluable in many areas of mathematics and computer science (see [91, 78, 132, 64, 36, 84] In particular, their relevance to cryptology was immediately understood, and they were used to break schemes based on the knapsack problem (see [119, 29]) which were early alternatives to the RSA cryptosystem [120] The success of reduction algorithms at breaking various cryptographic schemes over the past twenty years (see [75] have arguably established lattice reduction techniques as the most popular tool in public key cryptanalysis. As a ....

....Despite the failure of Merkle Hellman cryptosystems, researchers continued to search for knapsack cryptosystems because such systems are very easy to implement and can attain very high encryption decryption rates. But basically, all knapsack cryptosystems have been broken (for a survey, see [119]) either by specific (often lattice based) attacks or by the low density attacks. The last significant candidate to survive was the Chor Rivest cryptosystem [35] broken by Vaudenay [135] in 1997 with algebraic (not lattice) methods. 3.2 Low density attacks on knapsacks We only describe the ....

A. M. Odlyzko. The rise and fall of knapsack cryptosystems. In Cryptology and Computational Number Theory, volume 42 of Proc. of Symposia in Applied Mathematics, pages 75--88. A.M.S., 1990.

.... and computer science (see [75, 64, 109, 52, 30, 69] In particular, their relevance to The technique is however polynomial time for fixed dimension, which was enough in [74] cryptology was immediately understood, and they were used to break schemes based on the knapsack problem (see [99, 23]) which were early alternatives to the RSA cryptosystem [100] The success of reduction algorithms at breaking various cryptographic schemes over the past twenty years (see [61] have arguably established lattice reduction techniques as the most popular tool in public key cryptanalysis. As a ....

....running time, for instance using the blocksize k = log d= log log d in [101] Note that there exist simple counter examples (see for instance [81] implement and can attain very high encryption decryption rates. But basically, all knapsack cryptosystems have been broken (for a survey, see [99]) either by specific (often lattice based) attacks or by the low density attacks. The last significant candidate to survive was the Chor Rivest cryptosystem [29] broken by Vaudenay [112] in 1997 with algebraic (not lattice) methods. 3.1 Low density attacks We only mention some of the links ....

A. M. Odlyzko. The rise and fall of knapsack cryptosystems. In Cryptology and Computational Number Theory, volume 42 of Proc. of Symposia in Applied Mathematics, pages 75--88. A.M.S., 1990.

....a subset of the numbers whose sum is T . Many schemes were suggested that use this problem as the basis for public key encryption. However, none of these schemes have been proven to be as secure as subset sum, and, in fact, most of them have been broken. See Brickell and Odlyzko [9] and Odlyzko [41] for a survey. The first to suggest using subset sum were Merkle and Hellman [36] and the only method for using subset sum in a public key protocol that has not been broken is Chor and Rivest s [11] The approach taken here is different in two ways. We are less ambitious, and are not attempting ....

A. M. Odlyzko, The rise and fall of knapsack cryptosystems, in Cryptology and Computational Number Theory, C. Pomerance ed., AMS Proc. Symp. Appl. Math, vol 42, 1990, pp. 75--88.

....a subset of the numbers whose sum is T . Many schemes were suggested that use this problem as the basis for public key encryption. However, none of these schemes have been proven to be as secure as subset sum, and, in fact, most of them have been broken. See Brickell and Odlyzko [9] and Odlyzko [37] for a survey. The first to suggest using it were Merkle and Hellman [32] and the only method that has not been broken is Chor and Rivest s [10] The approach taken here is different in two ways. We are less ambitious, and are not attempting to construct a public key cryptosystem. Many important ....

A. M. Odlyzko, The rise and fall of knapsack cryptosystems, in Cryptology and Computational Number Theory, C. Pomerance ed., AMS Proc. Symp. Appl. Math, vol 42, 1990, pp. 75--88.

....of Section 1.1 were taken from [LP98, Section 7.4] and [Gol98, Chapter 2] Other complexity theory references are [vLe90, Volume A] HU79] and [Pap94] Another cryptography reference is [Lub96] Parts of [Gol98] can also be found as [Gol99] Some parts of Section 1. 2 borrowed ideas from [Odl90] The greater part of the discussion of the solved instances of SS in Section 1.2.2 was taken from [IN96] A proof of Section 1.3.2 s Lemma 17 can be found in [TV91, p. 77] It can be proven similarly to the Gilbert Varshamov Bound [PW72, Section 4.1] An alternate discussion can be found in ....

A. M. Odlyzko. The rise and fall of knapsack cryptosystems, in cryptology and computational number theory. AMS Proc. Symp. Appl. Math, 42:75--88, 1990.

.... and computer science (see [75, 64, 109, 52, 30, 69] In particular, their relevance to 1 The technique is however polynomial time for fixed dimension, which was enough in [74] 2 cryptology was immediately understood, and they were used to break schemes based on the knapsack problem (see [99, 23]) which were early alternatives to the RSA cryptosystem [100] The success of reduction algorithms at breaking various cryptographic schemes over the past twenty years (see [61] have arguably established lattice reduction techniques as the most popular tool in public key cryptanalysis. As a ....

....running time, for instance using the blocksize k = log d= log log d in [101] 4 Note that there exist simple counter examples (see for instance [81] 7 implement and can attain very high encryption decryption rates. But basically, all knapsack cryptosystems have been broken (for a survey, see [99]) either by specific (often lattice based) attacks or by the low density attacks. The last significant candidate to survive was the Chor Rivest cryptosystem [29] broken by Vaudenay [112] in 1997 with algebraic (not lattice) methods. 3.1 Low density attacks We only mention some of the links ....

A. M. Odlyzko. The rise and fall of knapsack cryptosystems. In Cryptology and Computational Number Theory, volume 42 of Proc. of Symposia in Applied Mathematics, pages 75--88. A.M.S., 1990.

....have almost without exception been built on the assumed hardness of one of the three following problems: knapsacks, discrete logarithms in some groups, and integer factorization. Despite the NPcompleteness of the knapsack problem, all knapsack based systems have been broken (see the survey [24]) mainly due to the connection between lattice problems and knapsacks arising from cryptography. The narrowness of the remaining options has often been cited as a potential fragility of public key cryptography. Recently, Ajtai [1] found a surprising worst case average case connection for certain ....

A. M. Odlyzko. The rise and fall of knapsack cryptosystems. In Cryptology and Computational Number Theory, volume 42 of Proceedings of Symposia in Applied Mathematics, pages 75--88. A.M.S., 1990.

....Here the LLL algorithm comes into play: it looks for short vectors by shortening the basis vectors. The LLL based approach is the most famous and well known approach to solving the Subset Sum problem. In fact it was one of the reasons for the fall of Subset Sum based public key cryptosystems. See [9] and [1] for surveys in this field) Almost all of these cryptosystems have been shown to be insecure. The majority of the attacks exploited specific constructions of the relevant cryptosystems. In addition, two independent algorithms have been proposed, one by Brickell [2] and the other by ....

A.M. Odlyzko, "The rise and fall of knapsack cryptosystems", in Cryptology and Computational Number Theory, Proc. Symp. Appl. Math. 42, Amer. Math. Soc., 1990, 75-88

....failure of Merkle Hellman cryptosystems, researchers continued to search for knapsack like cryptosystems because such systems are very easy to implement and can attain very high encryption decryption rates. But most of the proposed knapsack like cryptosystems have been broken (for a survey, see [12]) either by specific attacks or by the so called low density attacks. The density of a knapsack S = fa 1 ; a 2 ; an g is defined to be d = n N where N = max 1in log 2 a i . When the density is small (namely, less than 0:94: one can prove the knapsack problem can be solved using ....

A. M. Odlyzko. The rise and fall of knapsack cryptosystems. In Cryptology and Computational Number Theory, volume 42 of Proceedings of Symposia in Applied Mathematics, pages 75--88. A.M.S., 1990.

....a subset of the numbers whose sum is T . Many schemes were suggested that use this problem as the basis for public key encryption. However, none of these schemes have been proven to be as secure as subset sum, and, in fact, most of them have been broken. See Brickell and Odlyzko [9] and Odlyzko [40] for a survey. The first to suggest using subset sum were Merkle and Hellman [35] and the only method for using subset sum in a public key protocol that has not been broken is Chor and Rivest s [11] The approach taken here is different in two ways. We are less ambitious, and are not attempting ....

A. M. Odlyzko, The rise and fall of knapsack cryptosystems, in Cryptology and Computational Number Theory, C. Pomerance ed., AMS Proc. Symp. Appl. Math, vol 42, 1990, pp. 75--88.

....in cryptography by Merkle and Hellman to implement public key encryption. Unfortunately, breaking the resulting scheme is not as hard as solving general SS, and in fact their scheme has been broken. A number of modifications have been made to their system in the hopes of making it more secure (see [Odly90] for a survey) and most of these systems have also been broken. Currently the popular consensus is that SS based public key encryption schemes are not to be trusted. Impagliazzo and Naor [ImNa89] have used SS in a less ambitious way. They have shown how to use SS to implement pseudorandom ....

A. Odlyzko, "The Rise and Fall of Knapsack Cryptosystems," in Cryptology and Computational Number Theory, in Cryptology and Computational Number Theory, Proceedings of Symposia in Applied Mathematics, Vol. 42, pp.75-88, 1990.

....problem is known to be NP complete [10] in its feasibility recognition form) and so is thought to be very hard in general. This has led to the invention of several public key cryptosystems based on the knapsack problem. 2 Coster et al. Almost all of these have been broken by now, however. See [2, 3, 6, 17] for surveys of this field. Most of the attacks exploited specific constructions of the relevant cryptosystems. In addition, two algorithms have been proposed, one by Brickell [1] and the other by Lagarias and Odlyzko [13] which show that almost all low density subset sum problems can be solved ....

A. M. Odlyzko, The rise and fall of knapsack cryptosystems, in Cryptology and Computational Number Theory, C. Pomerance, ed., Proc. Symp. Appl. Math. 42, Amer. Math. Soc., Providence, 1990, 75-88.

....i = s: 1.1) This problem is known to be NP complete [10] in its feasibility recognition form) and so is thought to be very hard in general. This has led to the invention of several public key cryptosystems based on the knapsack problem. Almost all of these have been broken by now, however. See [2, 3, 6, 17] for surveys of this field. Most of the attacks exploited specific constructions of the relevant cryptosystems. In addition, two algorithms have been proposed, one by Brickell [1] and the other by Lagarias and Odlyzko [13] which show that 2 Coster et al. almost all low density subset sum ....

A. M. Odlyzko, The rise and fall of knapsack cryptosystems, in Cryptology and Computational Number Theory, C. Pomerance, ed., Proc. Symp. Appl. Math. 42, Amer. Math. Soc., Providence, 1990, 75-88.

No context found.

A.M. Odlyzko, "The rise and fall of knapsack cryptosystems", in Cryptology and Computational Number Theory, Proc. Symp. Appl. Math. 42, Amer. Math. Soc., 1990, 75-88

No context found.

A.M. Odlyzko, "The rise and fall of knapsack cryptosystems", in Cryptology and Computational Number Theory, Proc. Symp. Appl. Math. 42, Amer. Math. Soc., 1990, 75-88

No context found.

A. M. Odlyzko. The rise and fall of knapsack cryptosystems. In C. Pomerance, editor, Cryptology and computational number theory, volume 42 of Procedings of Symposia in Applied Mathematics, pages 75-88, Boulder, Colorado, 1989. AMS.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC