E. F. Brickell, "Solving low density knapsacks", in Advances in Cryptology, Proceedings of Crypto '83, Plenum Press, New York, 1984, 25-37  Home/Search   Document Not in Database   Summary   Related Articles   Check

....to RSA until 1982, when Shamir [126] proposed a (heuristic) attack against the simplest version of the Merkle Hellman scheme. Shamir used Lenstra s integer programming algorithm [89, 90] but, the same year, Adleman [1] showed how to use LLL instead, making experiments much easier. Brickell [27, 28] later extended the attacks to the more general iterated Merkle Hellman scheme, and showed that MerkleHellman was insecure for all realistic parameters. The cryptanalysis of MerkleHellman schemes was the first application of lattice reduction in cryptology. Despite the failure of Merkle Hellman ....

E. F. Brickell. Solving low density knapsacks. In Proc. of Crypto '83. Plenum Press, 1984.

....to RSA. Shamir used Lenstra s integer programming algorithm but, the same year, Adleman ( Adl83] extended Shamir s work by treating the cryptographic problem as a lattice problem rather than a linear programming problem. Further improvements of these methods were obtained by Brickell ( Bri84, Bri85] by Lagarias and Odlyzko ( LO85] and, more recently by Coster, La Macchia, Odlyzko, Schnorr and the authors ( CJL 92] Lattice reduction has also been applied successfully in various other cryptographic contexts: against a version of Blum s protocol for exchanging secrets ( FHK ....

E. F. Brickell. Solving low density knapsacks. In D. C. Chaum, editor, Proceedings of CRYPTO 83, pages 25--37. Plenum Press, New York, 1984.

....system which has not yet been broken. The majority of the attacks on knapsack based cryptosystems have involved discovering the secret information hidden in the weights which allows the receiver A to decrypt the message quickly. However, there have been two independent attacks, one due to Brickell [6] and one due to Lagarias and Odlyzko [26] which attempt to solve all subset sum problems of a certain type, independent of the method in which the weights were chosen. These methods (and the newer result in [12] depend in theory only on the density of the subset sum problem to be solved. In ....

....majority of attacks on knapsack based cryptosystems exploit the specific constructions of the cryptosystems. Two algorithms have been proposed, however, which depend only on the properties of the subset sum problem and not on any specific method of construction. These algorithms, one by Brickell [6] and one by Lagarias and Odlyzko [26] show that almost all low density subset sum problem may be solved in polynomial time. The density d of a set of weights a 1 ; a n is defined by d = 3.2) For d 1 there will in general be many subsets of weight with the same sum s, so from an ....

E. F. Brickell, Solving low density knapsacks, Advances in Cryptology, Proceedings of Crypto '83, Plenum Press, New York (1984), 25-37.

....the unique alternative to RSA until 1982, when Shamir [106] proposed an attack against the simplest version of the MerkleHellman scheme. Shamir used Lenstra s integer programming algorithm [74] but, the same year, Adleman [1] showed how to use LLL instead, making experiments much easier. Brickell [21, 22] later extended the attacks to the more general iterated Merkle Hellman scheme, and showed that Merkle Hellman was insecure for all realistic parameters. The cryptanalysis of Merkle Hellman schemes was the first application of lattice reduction in cryptology. Despite the failure of ....

E. F. Brickell. Solving low density knapsacks. In Proc. of Crypto '83. Plenum Press, 1984.

....exists for this problem, it says little about the hardness of a random instance. Many NP Complete problems are known to have polynomial average case algorithms. The subset problem under the assumption that the inputs are chosen uniformly at random has been investigated in a number of papers [8, 12, 15, 27, 32]. For the case l(n) n Lagarias and Odlyzko [32] and Brickell [8] have shown a feasible algorithm which solves this problem for almost all instances of these dimensions. The Lagarias Odlyzko [32] and Brickell [8] algorithms mentioned above transform the subset sum problem into a shortest ....

....Many NP Complete problems are known to have polynomial average case algorithms. The subset problem under the assumption that the inputs are chosen uniformly at random has been investigated in a number of papers [8, 12, 15, 27, 32] For the case l(n) n Lagarias and Odlyzko [32] and Brickell [8] have shown a feasible algorithm which solves this problem for almost all instances of these dimensions. The Lagarias Odlyzko [32] and Brickell [8] algorithms mentioned above transform the subset sum problem into a shortest vector in lattice problem. A shortest vector in a lattice problem is: ....

[Article contains additional citation context not shown here]

E. F. Brickell, Solving low density knapsacks, Proc. Crypto 83, pp 25-37.

....cryptosystems based on the knapsack problem. Almost all of these have been broken by now, however. See [2, 3, 5, 15] for surveys of this field. Most of the attacks exploited specific constructions of the relevant cryptosystems. In addition, two algorithms have been proposed, one by Brickell [1] and the other by Lagarias and Odlyzko [11] which show that almost all low density subset sum problems can be solved in polynomial time. The density of a set of weights a 1 ; a n is defined by d = n log 2 max 1in a i : 2) The interesting case is d 1, since for d 1 there will in ....

....algorithms act like such an oracle. The analysis of [11] showed that availability of such an oracle would let the Lagarias Odlyzko algorithm solve almost all subset sum problems of density 0:6463 : but not higher than that. Similar analyses are not available for the Brickell algorithm [1], although it seems to require even lower densities. See also [8] In this note we analyze a simple modification of the part of the Lagarias Odlyzko algorithm that reduces the subset sum problem to a short vector in a lattice problem. We show that with this modification, a single call to a ....

E. F. Brickell, Solving low density knapsacks. Advances in Cryptology, Proceedings of Crypto '83, Plenum Press, New York (1984), 25-37.

....low exponents, and some future applications appear to require large exponents [3, 7] We analyze the generation schemes using standard assumptions. 9 1. 3 Lattice attacks on subset sum problems Subset sum constructions have been so successfully attacked by lattice reduction [16] based methods [5, 15, 8] that it is often considered risky to base cryptographic constructions on them. Our experiments show that the L 3 algorithm can be expected to solve subset sum problems up to about n = 40, where n is the size of the set from which subset sums are formed. Let be the length of the integers in ....

E. Brickell. Solving low density knapsacks. In Proceedings of CRYPTO '83, pages 25--37, New York, 1984. Plenum Press.

....exists for this problem, it says little about the hardness of a random instance. Many NP Complete problems are known to have polynomial average case algorithms. The subset problem under the assumption that the inputs are chosen uniformly at random has been investigated in a number of papers [8, 11, 14, 25, 28]. For the case l(n) n 2 , Lagarias and Odlyzko [28] and Brickell [8] have shown a feasible algorithm which solves this problem for almost all instances of these dimensions. The Lagarias Odlyzko [28] and Brickell [8] algorithms mentioned above transform the subset sum problem into a shortest ....

....Many NP Complete problems are known to have polynomial average case algorithms. The subset problem under the assumption that the inputs are chosen uniformly at random has been investigated in a number of papers [8, 11, 14, 25, 28] For the case l(n) n 2 , Lagarias and Odlyzko [28] and Brickell [8] have shown a feasible algorithm which solves this problem for almost all instances of these dimensions. The Lagarias Odlyzko [28] and Brickell [8] algorithms mentioned above transform the subset sum problem into a shortest vector in lattice problem. A shortest vector in a lattice problem is: ....

[Article contains additional citation context not shown here]

E. F. Brickell, Solving low density knapsacks, Proc. Crypto 83, pp 25-37.

....structure. Chapter 1. Introduction 6 The problem is said to have low density , if m n. Informally, if m 2 Omega Gamma n 2 ) there is an polynomial time algorithm solving Average case SS(n; m) with high probability [CJL 92] It is an improvement over the algorithms in [LO85] and [Bri83] All such algorithms use a reduction of SS into a shortest vector in a lattice approximation problem. The problem is said to have high density , if m n. For very small m, that is, informally for m 2 O(log n) there is a dynamic programming algorithm for Worst case SS(n; m) that runs in time ....

E. F. Brickell. Solving low density knapsacks. Proceedings Crypto '83, pages 25--37, 1983.

....the unique alternative to RSA until 1982, when Shamir [106] proposed an attack against the simplest version of the MerkleHellman scheme. Shamir used Lenstra s integer programming algorithm [74] but, the same year, Adleman [1] showed how to use LLL instead, making experiments much easier. Brickell [21, 22] later extended the attacks to the more general iterated Merkle Hellman scheme, and showed that Merkle Hellman was insecure for all realistic parameters. The cryptanalysis of Merkle Hellman schemes was the first application of lattice reduction in cryptology. Despite the failure of ....

E. F. Brickell. Solving low density knapsacks. In Proc. of Crypto '83. Plenum Press, 1984.

....cryptosystems. See [9] and [1] for surveys in this field) Almost all of these cryptosystems have been shown to be insecure. The majority of the attacks exploited specific constructions of the relevant cryptosystems. In addition, two independent algorithms have been proposed, one by Brickell [2] and the other by Lagarias and Odlyzko [6] which show that almost all Subset Sum problems of low density can be solved in polynomial time, where density is defined as the ratio between the size of the set, and the bit size of the largest of the set elements. The Brickell and Lagarias Odlyzko ....

E. F. Brickell, "Solving low density knapsacks", in Advances in Cryptology, Proceedings of Crypto '83, Plenum Press, New York, 1984, 25-37

....exploit low exponents, and some future applications appear to require large exponents [3, 7] We analyze the generation schemes using standard assumptions. Lattice attacks on subset sum problems: Subset sum constructions have been so successfully attacked by lattice reduction [18] based methods [4, 17, 8] that it is often considered risky to base cryptographic constructions on them. Our experiments show that the L 3 algorithm can be expected to solve subset sum problems up to about n = 40, where n is the size of the set from which subset sums are formed. Let be the length of the integers in ....

E. Brickell. Solving low density knapsacks. In Proceedings of Crypto'83, pages 25--37, New York, 1984. Plenum Press.

....scheme and on the multiply iterated Merkle Hellman system. Adleman s attack on the general multiply iterated knapsack systems does not seem to succeed [3,7] but other attacks on the doubly iterated knapsack schemes have been proposed by Adleman and Lagarias (see [7,14] Furthermore, Brickell [6] and Lagarias and the author [15] have developed attacks on low density knapsack cryptosystems. This paper develops attacks on several other public key cryptosystems. We show that it is easy to break the Shamir fast signature public key scheme [24] which is related to the Merkle Hellman additive ....

....log M) This problem is known to be NP complete [24] and so is presumed to be hard, at least in the worst case. There is some empirical evidence, backed by heuristics and in some cases by theoretical analyses, which indicates that many instances of this problem may be solvable in polynomial time [6,15]. In order to have a usable cryptosystem, however, it is necessary that the intended user should be able to utilize it, which means that he must be able to rapidly decode messages or sign them (in a signature scheme) In order to make this possible, the designers of the systems mentioned above ....

[Article contains additional citation context not shown here]

E. F. Brickell, Solving low density knapsacks, to appear in Proceedings of Crypto 83, to be published by Plenum Press.

....based on the knapsack problem. 2 Coster et al. Almost all of these have been broken by now, however. See [2, 3, 6, 17] for surveys of this field. Most of the attacks exploited specific constructions of the relevant cryptosystems. In addition, two algorithms have been proposed, one by Brickell [1] and the other by Lagarias and Odlyzko [13] which show that almost all low density subset sum problems can be solved in polynomial time. The density of a set of weights a 1 ; a n is defined by d = n log 2 max 1in a i : 1.2) The interesting case is d 1, since for d 1 there will in ....

....algorithms act like such an oracle. The analysis of [13] showed that availability of such an oracle would let the Lagarias Odlyzko algorithm solve almost all subset sum problems of density 0:6463 : but not higher than that. Similar analyses are not available for the Brickell algorithm [1], although it seems to require even lower densities. See also [9] In this note we analyze two simple modifications of the part of the LagariasOdlyzko algorithm that reduces the subset sum problem to a short vector in a lattice problem. We show that with either of these modifications, a single ....

E. F. Brickell, Solving low density knapsacks, in Advances in Cryptology, Proceedings of Crypto '83, Plenum Press, New York, 1984, 25-37. 16 Coster et al.

....breaking such a knapsack is no longer related to the P = NP question. Cryptography: Lecture Notes 73 In fact, history has not been kind to knapsack schemes; most of them have been broken by extremely clever analysis and the use of the powerful L 3 algorithm [114] for working in lattices. See [125, 163, 165, 2, 167, 110, 40, 134]. Some knapsack or knapsack like schemes are still unbroken. The Chor Rivest scheme [52] and the multiplicative versions of the knapsack [125] are examples. McEliece has a knapsack like public key cryptosystem based on error correcting codes [122] This scheme has not been broken, and was the ....

E. F. Brickell. Solving low density knapsacks. In D. Chaum, editor, Proc. CRYPTO 83, pages 25--37, New York, 1984. Plenum Press.

....cryptosystems based on the knapsack problem. Almost all of these have been broken by now, however. See [2, 3, 6, 17] for surveys of this field. Most of the attacks exploited specific constructions of the relevant cryptosystems. In addition, two algorithms have been proposed, one by Brickell [1] and the other by Lagarias and Odlyzko [13] which show that 2 Coster et al. almost all low density subset sum problems can be solved in polynomial time. The density of a set of weights a 1 ; a n is defined by d = n log 2 max 1in a i : 1.2) The interesting case is d 1, since for d ....

....an oracle. The analysis of [13] showed that availability of such an Subset Sum Algorithms 3 oracle would let the Lagarias Odlyzko algorithm solve almost all subset sum problems of density 0:6463 : but not higher than that. Similar analyses are not available for the Brickell algorithm [1], although it seems to require even lower densities. See also [9] In this note we analyze two simple modifications of the part of the LagariasOdlyzko algorithm that reduces the subset sum problem to a short vector in a lattice problem. We show that with either of these modifications, a single ....

E. F. Brickell, Solving low density knapsacks, in Advances in Cryptology, Proceedings of Crypto '83, Plenum Press, New York, 1984, 25-37.

....construction. In addition to the attacks on specific knapsack systems that have been developed, there are two attacks on so called low density knapsacks, namely those in which the weights a j are large. These attacks do not assume any particular structure in the knapsack. They are due to Brickell [3] and Lagarias and Odlyzko [18] respectively. As a result, both of the two basic fears about knapsack cryptosystems have been borne out; their constructions can often be unraveled, and in addition, many cases of the general knapsack problem can be solved efficiently. A large variety of knapsack ....

....with the use of tools from the area of diophantine approximation. The paper [6] contains a survey of many of the systems that have been broken as well as descriptions of some of the attacks. For full details, the reader is advised to consult [6] and many of the references contained there, such as [3,4,5,8,11,16,17,18,22,26]. The remainder of this paper is devoted to a description of one each of the two kinds of basic attacks that have been used. Section 2 describes the attack on the singly iterated Merkle Hellman cryptosystem. This attack allows the cryptanalyst to read encrypted messages just about as fast as ....

[Article contains additional citation context not shown here]

E. F. Brickell, "Solving low density knapsacks," Advances in Cryptology-Proc. Crypto 83, Plenum Press, New York, 1984, pp. 25-37.

....exists for this problem, it says little about the hardness of a random instance. Many NP Complete problems are known to have polynomial average case algorithms. The subset problem under the assumption that the inputs are chosen uniformly at random has been investigated in a number of papers [8, 12, 15, 27, 31]. For the case l(n) n 2 , Lagarias and Odlyzko [31] and Brickell [8] have shown a feasible algorithm which solves this problem for almost all instances of these dimensions. The Lagarias Odlyzko [31] and Brickell [8] algorithms mentioned above transform the subset sum problem into a shortest ....

....Many NP Complete problems are known to have polynomial average case algorithms. The subset problem under the assumption that the inputs are chosen uniformly at random has been investigated in a number of papers [8, 12, 15, 27, 31] For the case l(n) n 2 , Lagarias and Odlyzko [31] and Brickell [8] have shown a feasible algorithm which solves this problem for almost all instances of these dimensions. The Lagarias Odlyzko [31] and Brickell [8] algorithms mentioned above transform the subset sum problem into a shortest vector in lattice problem. A shortest vector in a lattice problem is: ....

[Article contains additional citation context not shown here]

E. F. Brickell, Solving low density knapsacks, Proc. Crypto 83, pp 25-37.

No context found.

E. F. Brickell, "Solving low density knapsacks", in Advances in Cryptology, Proceedings of Crypto '83, Plenum Press, New York, 1984, 25-37

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC