16 citations found.
E. F. Brickell. Breaking iterated knapsacks. In G. R. Blakley and D. Chaum, editors, Advances in cryptology - Proceedings of CRYPTO '84, volume 196 of Lecture Notes in Computer Science, pages 342-358, Santa Barbara, California, USA, Aug. 1984. Springer-Verlag.


This paper is cited in the following contexts:
The Two Faces of Lattices in Cryptology - Nguyen, Stern (2001)   (7 citations)

....to RSA until 1982, when Shamir [126] proposed a (heuristic) attack against the simplest version of the Merkle-Hellman scheme. Shamir used Lenstra's integer programming algorithm [89, 90] but, the same year, Adleman [1] showed how to use LLL instead, making experiments much easier. Brickell [27, 28] later extended the attacks to the more general iterated Merkle-Hellman scheme, and showed that Merkle-Hellman was insecure for all realistic parameters. The cryptanalysis of Merkle-Hellman schemes was the first application of lattice reduction in cryptology. Despite the failure of Merkle-Hellman ....

E. F. Brickell. Breaking iterated knapsacks. In Proc. of Crypto '84, volume 196 of LNCS. Springer-Verlag, 1985.


Lattices and Cryptography: an Overview - Stern (1998)   (2 citations)

....to RSA. Shamir used Lenstra's integer programming algorithm but, the same year, Adleman [Adl83] extended Shamir's work by treating the cryptographic problem as a lattice problem rather than a linear programming problem. Further improvements of these methods were obtained by Brickell [Bri84, Bri85], by Lagarias and Odlyzko [LO85] and, more recently, by Coster, La Macchia, Odlyzko, Schnorr and the authors [CJL 92]. Lattice reduction has also been applied successfully in various other cryptographic contexts: against a version of Blum's protocol for exchanging secrets [FHK 88] ....

E. F. Brickell. Breaking iterated knapsacks. In G. R. Blakley and D. C. Chaum, editors, Proceedings CRYPTO 84, pages 342--358. Springer, 1985. Lecture Notes in Computer Science No. 196.


Lattice Reduction: a Toolbox for the Cryptanalyst - Joux, Stern (1994)   (20 citations)

....integer programming algorithm but, the same year, Adleman [Adl83] extended Shamir's work by treating the cryptographic problem as a lattice problem rather than a linear programming problem. Further improvements of these methods were obtained by Lagarias and Odlyzko [LO83], by Brickell [Bri85] and, more recently, by Coster, La Macchia, Odlyzko, Schnorr and the authors 92]. Lattice reduction has also been applied successfully in various other cryptographic contexts: against a version of Blum's protocol for exchanging secrets [FHK 88], against truncated linear congruential ....

E. F. Brickell. Breaking iterated knapsacks. In G. R. Blakley and D. C. Chaum, editors, Proceedings CRYPTO 84, pages 342--358. Springer, 1985. Lecture Notes in Computer Science No. 196.


Lattice Reduction in Cryptology: An Update - Nguyen, Stern (2000)   (12 citations)

....the unique alternative to RSA until 1982, when Shamir [106] proposed an attack against the simplest version of the Merkle-Hellman scheme. Shamir used Lenstra's integer programming algorithm [74] but, the same year, Adleman [1] showed how to use LLL instead, making experiments much easier. Brickell [21, 22] later extended the attacks to the more general iterated Merkle-Hellman scheme, and showed that Merkle-Hellman was insecure for all realistic parameters. The cryptanalysis of Merkle-Hellman schemes was the first application of lattice reduction in cryptology. Despite the failure of ....

E. F. Brickell. Breaking iterated knapsacks. In Proc. of Crypto '84, volume 196 of LNCS. Springer-Verlag, 1985.


New Public-key Cryptosystem Using Braid Groups - Ko, Lee, Cheon, Han, Kang, Park   (26 citations)

....based on number theory. The first attempt was to use NP-hard problems in combinatorics like Merkle-Hellman Knapsack [24] and its modifications. Though many cryptographers have been pessimistic about combinatorial cryptography after the breakdown of the Knapsack-type PKCs by Shamir [30], Brickell [9], Lagarias [22], Odlyzko [26], Vaudenay [35] and others, and after the appearance of Brassard theorem [8], there may still be some hopes as Koblitz has noted in [21]. The other systems that are worth mentioning are the quantum cryptography proposed by Bennet and Brassard [4] and the lattice ....

E. F. Brickell, Breaking iterated knapsacks, Advances in Cryptology, Proceedings of Crypto '84, Lecture Notes in Computer Science 196, ed. G. R. Blakley and D. Chaum, Springer-Verlag (1985), 342--358.


Cryptology - Rivest

....so that the difficulty of breaking such a knapsack is no longer related to the P = NP question. In fact, history has not been kind to knapsack schemes; most of them have been broken by extremely clever analysis and the use of the powerful $L^3$ algorithm [104] for working in lattices. See [114, 140, 142, 1, 144, 100, 32, 122]. Some knapsack or knapsack-like schemes are still unbroken. The Chor-Rivest scheme [39] and the multiplicative versions of the knapsack [114] are examples. McEliece has a knapsack-like public-key cryptosystem based on error correcting codes [113]. This scheme has not been broken, and was the ....

E. F. Brickell. Breaking iterated knapsacks. In G. R. Blakley and D. C. Chaum, editors, Proceedings CRYPTO 84, pages 342-358, Springer, 1985. Lecture Notes in Computer Science No. 196.


Analysis of a Subset Sum Randomizer - Gemmell, Johnston (2001)

....the random subset sum problem is NP-complete, specific cases of the subset sum problem have been shown to be weak and easily broken. For example, Brickell broke the Merkle-Hellman subset-sum-based public key encryption protocol using the Lenstra-Lenstra-Lovász lattice basis reduction algorithm [3]. However the Merkle-Hellman protocol uses subset sum problems of density 1 2 and $L^3$ appears to work only on low density (less than .93) problems. Impagliazzo and Naor [5] argue that if subset sum is hard then it can be used for pseudo-random generation. They suggest also that the functions ....

E. F. Brickell, Breaking iterated knapsacks, in Advances in Cryptology: Proceedings of Crypto '84, G. R. Blakley and D. Chaum, eds., Berlin, 1985, Springer-Verlag, pp. 342--358. Lecture Notes in Computer Science Volume 196.


Lattice Reduction in Cryptology: An Update - Nguyen, Stern (2000)   (12 citations)

....the unique alternative to RSA until 1982, when Shamir [106] proposed an attack against the simplest version of the Merkle-Hellman scheme. Shamir used Lenstra's integer programming algorithm [74] but, the same year, Adleman [1] showed how to use LLL instead, making experiments much easier. Brickell [21, 22] later extended the attacks to the more general iterated Merkle-Hellman scheme, and showed that Merkle-Hellman was insecure for all realistic parameters. The cryptanalysis of Merkle-Hellman schemes was the first application of lattice reduction in cryptology. Despite the failure of ....

E. F. Brickell. Breaking iterated knapsacks. In Proc. of Crypto '84, volume 196 of LNCS. Springer-Verlag, 1985.


Cryptanalysis of the Ajtai-Dwork Cryptosystem - Nguyen, Stern (1998)   (6 citations)

....on the computational hardness of the problem on which it is based, but also on the performances that it displays in terms of speed, key size, expansion rate, etc. It is also related to the fact that, so far, use of lattices in cryptography has been directed at successfully breaking schemes [1, 22, 7, 17, 10, 24, 16, 9]: experiments have shown that lattice reduction algorithms behave surprisingly well and can provide much better approximations to SVP or CVP than expected. At this point, it was natural to ask whether or not the security level offered by the Ajtai-Dwork cryptosystem is exactly measured by the ....

E. Brickell. Breaking iterated knapsacks. In Proc. CRYPTO'84, volume 196 of LNCS, pages 342--358, 1985.


Lattice Reduction: a Toolbox for the Cryptanalyst - Joux, Stern (1994)   (20 citations)

....integer programming algorithm but, the same year, Adleman [Adl83] extended Shamir's work by treating the cryptographic problem as a lattice problem rather than a linear programming problem. Further improvements of these methods were obtained by Lagarias and Odlyzko [LO83], by Brickell [Bri85] and, more recently, by Coster, La Macchia, Odlyzko, Schnorr and the authors [CJL 92]. Lattice reduction has also been applied successfully in various other cryptographic contexts: against a version of Blum's protocol for exchanging secrets [FHK 88], against truncated linear ....

E. F. Brickell. Breaking iterated knapsacks. In G. R. Blakley and D. C. Chaum, editors, Proceedings CRYPTO 84, pages 342--358. Springer, 1985. Lecture Notes in Computer Science No. 196.


Generating Hard Instances of Lattice Problems (Extended Abstract) - Ajtai (1996)

....by $(1+\epsilon)^n$ for any fixed $\epsilon > 0$. These algorithms naturally give an estimate on sh(L) up to a factor of $2^{(n-1)/2}$ resp. $(1+\epsilon)^n$. The $L^3$ algorithm was used in successful attacks on different knapsack cryptosystems (cf. Adleman [Ad], Lagarias and Odlyzko [LaOd], Brickell [Br]). Lattices, where the shortest vector is unique in a sense similar to that of (P2), play an important role (see [LaOd]). The polynomial factor of (P2) is substituted by an exponential one. The definition of the random class. Since a lattice is an infinite set we have to fix a finite ....

E.F. Brickell, "Breaking iterated knapsacks", in: Advances in Cryptology, Proceedings of CRYPTO 84, Springer, Berlin, 1985


Cryptology - Rivest (1990)

....so that the difficulty of breaking such a knapsack is no longer related to the P = NP question. In fact, history has not been kind to knapsack schemes; most of them have been broken by extremely clever analysis and the use of the powerful $L^3$ algorithm [104] for working in lattices. See [114, 140, 142, 1, 144, 100, 32, 122]. Some knapsack or knapsack-like schemes are still unbroken. The Chor-Rivest scheme [39] and the multiplicative versions of the knapsack [114] are examples. McEliece has a knapsack-like public-key cryptosystem based on error correcting codes [113]. This scheme has not been broken, and was the ....

E. F. Brickell. Breaking iterated knapsacks. In G. R. Blakley and D. C. Chaum, editors, Proceedings CRYPTO 84, pages 342--358, Springer, 1985. Lecture Notes in Computer Science No. 196.


Stream Ciphers - Robshaw (1995)   (1 citation)

....arithmetic. Finally bits are chosen from this sum and output as part of the keystream. The sequences produced have good period and linear complexity properties. However, it seems that the bad name acquired by other specific knapsack-based systems during the early days of public key cryptography [124, 14] makes many people wary of any knapsack-based system. There do not appear to be, however, any results in the literature on the successful cryptanalysis of this generator. 7.4.3 PKZIP. PKZIP is a widely used compression function that has an option allowing stream cipher ....

E.F. Brickell. Breaking iterated knapsacks. In G.R. Blakley and D. Chaum, editors, Advances in Cryptology --- Crypto '84, pages 342--358, Springer-Verlag, New York, 1985.


The Rise and Fall of Knapsack Cryptosystems - Odlyzko (1990)   (14 citations)

....dated to Shamir's announcement in the spring of 1982 of a polynomial time attack on the singly iterated Merkle-Hellman cryptosystem [26]. This was quickly followed by a string of attacks on other knapsack cryptosystems, culminating in Brickell's attack on the multiply iterated Merkle-Hellman system [4]. These attacks relied on the fact that the modular multiplication method does not disguise completely the easy knapsack that is the basis of the construction. In addition to the attacks on specific knapsack systems that have been developed, there are two attacks on so-called low density ....

....with the use of tools from the area of diophantine approximation. The paper [6] contains a survey of many of the systems that have been broken as well as descriptions of some of the attacks. For full details, the reader is advised to consult [6] and many of the references contained there, such as [3,4,5,8,11,16,17,18,22,26]. The remainder of this paper is devoted to a description of one each of the two kinds of basic attacks that have been used. Section 2 describes the attack on the singly iterated Merkle-Hellman cryptosystem. This attack allows the cryptanalyst to read encrypted messages just about as fast as ....

E. F. Brickell, "Breaking Iterated Knapsacks," Advances in Cryptology-Proc. Crypto 84, Springer-Verlag, Berlin, 1985, pp. 342-358.


Generalized Compact Knapsacks, Cyclic Lattices, and Efficient.. - Micciancio (2004)

No context found.

E. F. Brickell. Breaking iterated knapsacks. In G. R. Blakley and D. Chaum, editors, Advances in cryptology - Proceedings of CRYPTO '84, volume 196 of Lecture Notes in Computer Science, pages 342-358, Santa Barbara, California, USA, Aug. 1984. Springer-Verlag.


Density Attack on the Knapsack Cryptosystems - With Enumerative Source

No context found.

Brickell, E. F. Breaking iterated knapsacks. In Advances in Cryptology: Proceedings of Crypto '84 (1985), Springer, pp. 342--358.
