A Differential Knapsack Scheme with No Trapdoor ...

Viewer
Transcript

SCIS 2011 The 2011 Symposium on Cryptography and Information Security Kokura, Japan, Jan. 25-28, 2011 The Institute of Electronics, Information and Communication Engineers

All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to SCIS 2011 does not prevent future submissions to any journals or conferences with proceedings.

A Diﬀerential Knapsack Scheme with No Trapdoor Sequence. Yasuyuki Murakami

∗

Masao Kasahara

†

Abstract— The present authors made an attempt to use as few trapdoor as possible in the secret sequence by using a probabilistic encryption. In this paper, by further pursuing this course, we present a probabilistic diﬀerential knapsack PKC with no trapdoor in the secret sequence. We also discuss on the security of the proposed scheme and show that the proposed scheme is secure against the low-density attack and the attack of computing secret key. Furthermore, we give challenge problems of the proposed scheme. We also upload challenge problems on https://sites.google.com/site/cryptochallege/. Keywords: knapsack public-key cryptosystem, diﬀerential knapsack scheme, probabilistic encryption, no trapdoor sequence, low-density attack.

1

Introduction

encryption. We shall also discuss on the security of the proposed scheme. Furthermore, we shall give challenge problems of the proposed scheme.

The security of most of the public-key cryptosystem depends on the diﬃculty of the factoring problem, the discrete logarithm problem or the elliptic curve discrete logarithm problem. It is shown that the quantum computer can solve these problems in polynomial time[1]. However, it is believed that the quantum computer cannot solve NP-hard problems. For this reason, it is desired to investigate another class of PKC’s that is based on the diﬃculty of an NP-hard problem. The subset sum problem is to ﬁnd the solution (x1 , x2 , . . . , xn ) ∈ {0, 1}n such that C = a1 x1 + a2 x2 + · · · + an xn for given positive integers a1 , a2 , . . . , an and C which is the sum of a subset of the ai . This problem is known to be NP-hard. Thus, the subset sum problem is expected to be one of the diﬃcult problems against the quantum computer. The public-key cryptosystem using the subset sum problem will be referred to as the knapsack scheme. In 1978, the ﬁrst knapsack PKC was proposed by Merkle and Hellman(MH)[2]. Unfortunately MH scheme was broken by Shamir’s attack[3, 4] and the Low-Density Attack (LDA)[5, 6, 7]. Although MH scheme was broken, the idea of using a super-increasing sequence as the trapdoor is very simple and interesting. It is relatively easy to avoid LDA by letting the density high. However, it is rather diﬃcult to avoid the attack of computing secret key from the public key, because some kind of the trapdoor sequence is required. The present authors made an attempt to use as few trapdoor as possible in the secret sequence[8] by using a probabilistic encryption. In this paper, we shall present a diﬀerential knapsack PKC with no trapdoor in the secret sequence by using the method of the probabilistic ∗ †

2

Subset Sum Problem

The subset sum problem (SSP) is described as follows: Problem 1 (SSP) Find the solution (x1 , x2 , . . . , xn ) ∈ {0, 1}n such that C = a1 x1 +a2 x2 +· · ·+an xn for given positive integers a1 , a2 , . . . , an and C. It is shown that SSP is NP-hard. Deﬁnition 1 (Density) The density d of SSP is deﬁned by d=

n . log2 max ai

(1)

Assumption 1 It is diﬃcult to solve SSP of the density d > 1. We deﬁne the double subset sum problem (DSSP) as follows: Problem 2 (DSSP) Find the solution (x1 , x2 , . . . , xn ) ∈ {0, 1}n such that C = a1 x1 + a2 x2 + · · · + an xn and C 0 = a01 x1 + a02 x2 + · · · + a0n xn for given positive integers a1 , a2 , . . . , an , a01 , a02 , . . . , a0n , C and C 0 . Deﬁnition 2 (Density) The density D of DSSP is deﬁned by D=

n . log2 max ai + log2 max bi

(2)

Assumption 2 It is diﬃcult to solve DSSP of the density D > 1.

Osaka Electro-Communication University, 18-8, Hatsu-cho, Neyagawa-shi, Osaka, 572-8530, [email protected] Osaka Gakuin University, 2-36-1, Kishibe Minami, Suita-shi, Osaka, 564-8511, [email protected]

1

3

Proposed Scheme

3.1

3.4

Let the intermediate messages M and M 0 be deﬁned by

Preliminaries

List of the symbols: p, q v, w si , tj ai , bj , cj mi rj (C1 , C2 )

Decryption

: Secret prime moduli. : Secret positive integers. : Secret random u-bit positive integers. : Public key. : Message sequence. mi ∈ {0, 1} : Random binary sequence. rj ∈ {0, 1} : Ciphertext.

M=

n ∑

si mi .

(10)

i=1

M0 =

n ∑

si mi +

k ∑

tj rj .

(11)

j=1

i=1

Let the intermediate noise message N be deﬁned by

for i = 1, 2, . . . , n and j = 1, 2, . . . , k.

N=

3.2 Key Generation

k ∑

tj rj .

(12)

j=1

Since M 0 = v −1 C1 mod p and N = w−1 C2 mod q holds Public key : ai , bj , cj from Eqs.(3) and (4), M can be obtained by the legiti(i = 1, 2, . . . , n, j = 1, 2, . . . , k). mate receiver as M = M 0 − N . The message sequence Secret key : si , tj , v, p, w, q mi can be recovered by solving the subset sum prob(i = 1, 2, . . . , n, j = 1, 2, . . . , k). lem of Eq.(10). It should be noted that any attacking method for knapsack schemes or any solving method of the subset sum problem can be used for this purpose. We shall give some examples of the decryption below. Step 1: Decide parameters k, n and u such that n < u < n + k and n k. It is recommended that 3.4.1 Decryption with Exhaustive Search n ≤ 60 for decrypting the message. The exhaustive search is usually used for attack by Step 2: Generate u-bit positive integers si at random searching plaintext at all possibilities. However, we can for i = 1, 2, . . . , n. use the exhaustive search for decryption. It is recommended that n ≤ 32 in order to use the exhaustive Step 3: Generate u-bit positive integers tj at random search to decrypt the message in a practical time. for j = 1, 2, . . . , k. 3.4.2 Decryption with Space-Time Trade-oﬀ AtStep 4: Generate a prime number p such that tack k n ∑ ∑ In general, the computation time can be reduced by tj > p/2. (3) si + p> increasing the memory use. This type of attacks is j=1 i=1 called the space-time trade-oﬀ attack. We can reasonably assume that the time complexity of√O(N ) can be Step 5: Generate an odd number 0 < v < p. divided into the time complexity of O( N ) and the √ Step 6: Generate a prime number q such that space complexity of O( N ). In the proposed scheme, we can also use this attack k ∑ for decryption. We recommend that n ≤ 64 in order tj > q/2. (4) q> to decrypt the message with the space-time trade-oﬀ j=1 attack. Step 7: Generate an odd number 0 < w < q. 3.4.3 Decryption with LDA Step 8: Compute ai , bj , cj as follows: We also use LDA in order to decrypt the message. The plaintext message can be decrypted with LDA for ai = vsi mod p i = 1, 2, . . . , n; (5) the lattice spanned by the following row matrix: bj = vtj mod p j = 1, 2, . . . , k; (6)   1 −λs1 cj = wtj mod q j = 1, 2, . . . , k. (7)   ..  . −λs2    3.3 Encryption  ..  .. ,  . .   The ciphertext (C1 , C2 ) is given by  1 −λsn  k n −1/2 · · · · · · −1/2 λM ∑ ∑ bj rj , (8) ai mi + C1 = √ where λ is an appropriate integer such that λ > n. j=1 i=1 In this case, the density dM is given by k ∑ cj rj . (9) C2 = n dM = ' δ, j=1 log2 max(s1 , s2 , . . . , sn )

O

O

2

5

where we let δ = n/u. It is known that the knapsack schemes of low-density can be broken with LDA. This means that LDA can be used for decryption when the parameter δ is conﬁgured to be suﬃciently low.

4

Security considerations

In this section, we shall discuss on the security of the proposed scheme. 5.1

Toy Example

Security based on SSP

It is seen that the security of the proposed scheme is based on SSP or DSSP under the following assumption.

In this section, we present a toy example. Let n = 4, k = 12 and u = 6.

Assumption 3 Let s1 , s2 , . . . , sn are random ∑n positive integers. Let ai = vsi mod p where p > i=1 si and v is a random positive integer such that gcd(v, p) = 1. Then the sequence a1 , a2 , . . . , an is indistinguishable from a random sequence of the same size.

[Secret Key]

s = (60, 57, 62, 63) t = (40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51)

5.2

(v, p) = (702, 797) (w, q) = (217, 547) [Public Key]

a = (469, 326, 33, 612) b = (47, 626, 408, 190, 769, 551, 333, 115, 694, 476, 258, 40) c = (303, 461, 72, 230, 388, 546, 157, 315, 473, 84, 242, 400)

Security against LDA

In the knapsack schemes, the density d is given by n , d = log2 max(a1 , a2 , . . . , an ) ∑n when the ciphertext C is given by C = i=1 ai mi . It is known that the knapsack schemes of d < 0.9408 can be broken with LDA for the lattice spanned by the following row matrix[7] :   1 −λa1   ..  . −λa2     ..  .. ,  . .     1 −λan  −1/2 · · · · · · −1/2 λC √ where λ is an appropriate integer such that λ > n.

O

O

[Encryption]

m = (1, 0, 1, 1) r = (0, 0, 0, 1, 1, 1, 0, 0, 1, 1, 0, 0) C1 = 1 · 469 + 0 · 326 + 1 · 33 + 1 · 612 + 0 · 47 + 0 · 626 + 0 · 408 + 1 · 190 + 1 · 769 + 1 · 551 + 0 · 333 + 0 · 115 + 1 · 694 + 1 · 476 + 0 · 258 + 0 · 40 = 2188 C2 = 0 · 303 + 0 · 461 + 0 · 72 + 1 · 230 + 1 · 388 + 1 · 546 + 0 · 157 + 0 · 315 + 1 · 473 + 1 · 84 + 0 · 242 + 0 · 400 = 933

5.2.1 Security against conventional LDA In the proposed scheme, log2 p and log2 q can be estimated by log2 p ' u + log2 (n + k) and log2 q ' u+dlog2 ke, respectively. Therefore, log2 ai , log2 bi and log2 ci can be estimated by log2 ai ' u + log2 (n + k); log2 bi ' u + log2 (n + k); log2 ci ' u + log2 k,

(13) (14) (15)

respectively. Let the densities of the subset sum problem of Eqs. (8) and (9) be d1 and d2 , respectively. In order to solve the subset sum problem of Eq.(8), we can consider the following matrix:   1 −λa1  ..  ..  . .     −λan     −λb1  .    . . .. ..      1 −λbk  −1/2 · · · · · · · · · −1/2 λC1

[Decryption] M 0 = 2188 · 579−1 mod 797 = 319

O

N = 933 · 158−1 mod 547 = 134 M = M 0 − N = 319 − 134 = 185

O

M = 185 = 1 · 60 + 0 · 57 + 1 · 62 + 1 · 63 m = (1, 0, 1, 1)

Thus, the density d1 can be estimated by d1 3

=

n+k . u + log2 (n + k)

From the condition of the parameters, it is seen that d1 > 1 can be realized. Similarly, in order to solve the subset sum problem of Eq.(9), we can consider the following matrix:   −λc1 1   ..  . −λc2     ..  .. .  . .     1 −λck  −1/2 · · · · · · −1/2 λC2

If this problem is diﬃcult, the secret key is considered to be secure. We would like to oﬀer this problem as the open problem.

Thus, the density d2 can be estimated by

5.4

Problem 3 Find the sequence sj from given two sequences bj and cj such that bj = vsj mod p; cj = wsj mod q,

O

for j = 1, 2, . . . , k, where p and q are prime numbers and v and w are random positive integers.

O

d2

=

5.5

5.2.2 Security against LDA for DSSP LDA for knapsack PKC based on DSSP uses the following matrix:   1 −λa1 0  .. ..  ..  . . .      −λa 0 n     −λb −λc 1 1 ,    . . . .. .. ..      1 −λbk −λck  −1/2 · · · · · · · · · −1/2 λC1 λC2

O

6

Conclusion

In this paper, we have proposed a diﬀerential knapsack PKC with no trapdoor in the secret sequence. We have also discussed on the security of the proposed scheme and shown that the proposed scheme is secure against the low-density attack and the attack of computing secret key. In Appendix A, we have given challenge problems of the proposed scheme.

Thus, the density D of this problem can be estimated by n+k . 2(u + log2 (n + k))

From the condition of the parameters, it is seen that D > 1 can be realized when n + k > 2(u + log2 (n + k)).

Acknowledgement

5.2.3 Secure parameters against LDA In the proposed scheme, the densities can be made higher as one desires. From k n, it is seen that d1 > d2 > D holds. Thus, it is necessary that D > 1 in order to be secure against the LDAs under Assumptions 1 and 2. For practical use, we can reasonably assume that n+ k < 1024. In this case, D > 1 can be achieved when k ≥ 2u and n > 20. We recommend that k ≥ 3n, u = k/2 as the secure parameters. For example, n = 32, u = 48, k = 96 as small parameters, n = 48, u = 72, k = 144 as middle parameters and n = 64, u = 96, k = 192 as large parameters. We thus see that our scheme would be secure against the low-density attack. 5.3

Security against Space-Time Trade-oﬀ Attack

In general, the computation time can be reduced by increasing the memory use. This type of attacks is called the space-time trade-oﬀ attack. We can reasonably assume that the time complexity of√O(N ) can be divided into the time √ complexity of O( N ) and the space complexity of O( N ). Thus, we strongly recommend that k ≥ 160 in order to be secure against the space-time trade-oﬀ attack.

O

=

Security against Exhaustive Search

The exhaustive search is an attack by searching plaintext at all possibilities. It requires a great investment of time to search for 80 bits even by the latest computers. We strongly recommend that k ≥ 80 in order to be secure against the exhaustive search.

k . u + log2 k

From the condition of the parameters, it is seen that d2 > 1 can be realized.

D

(16) (17)

This work was supported by SCOPE (Strategic Information and Communications R&D Promotion Programme) from the Ministry of Internal Aﬀairs and Communications of Japan.

References [1] W.P. Shor, “Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer,” IEEE Computer Society Press, 1994. [2] R.C. Merkle and M.E. Hellman, “Hiding information and signatures in trapdoor knapsacks,” IEEE Trans. Inf. Theory, IT-24(5), pp.525–530, 1978. [3] A. Shamir, “A polynomial-time algorithm for breaking the basic Merkle-Hellman cryptosystem,” Proc. Crypto’82, LNCS, pp.279–288, Springer-Verlag, Berlin, 1982.

Security on Secret Sequence

It is seen that the security on secret sequence sj is based on the following problem: 4

[4] A. Shamir, “A polynomial-time algorithm for breaking the basic Merkle-Hellman cryptosystem,” IEEE Trans. Inf. Theory, IT-30, pp.699– 704, 1984.

b = (83620310010, 223614853339, 226003214335, 186359051986, 13496315590, 130548976725, 104598480243, 209141559072, 217314437730, 43483209137, 238610604132, 120159482351, 186572495170, 35170767658, 249342922184, 161760828350, 190129139886, 30881767533, 13779145084, 34409297518, 45110170249, 194738962627, 155610621774, 78723472639, 148124998742, 237752146260, 56053951064, 9309488386, 159311771721, 222170038604, 118163137547, 15119998671, 242567083346, 70907295680, 47827499800, 106023804218, 132452241743, 11606571931, 191828534939, 202759668108, 145471078549, 142056041974, 224463426455, 47195801912, 223703503119,

[5] E.F. Brickell, “Solving low density knapsacks,” Proc. Crypto’83, LNCS, pp.25–37, SpringerVerlag, Berlin, 1984. [6] J.C. Lagarias and A.M. Odlyzko, “Solving Low Density Subset Sum Problems,” J. Assoc. Comp. Math., vol.32, pp.229–246, Preliminary version in Proc. 24th IEEE, 1985. [7] M.J. Coster, B.A. LaMacchia, A.M. Odlyzko and C.P. Schnorr, “An Improved Low-Density Subset Sum Algorithm,” Advances in Cryptology Proc. EUROCRYPT’91, LNCS, pp.54–67. Springer-Verlag, Berlin, 1991. [8] Y. Murakami, M. Kasahara, “A probabilistic knapsack public-key cryptosystem,” SITA2010, 30 2.pdf, pp.615–618, Nov. 2010.

A

183832562858, 220712788837, 15589650540, 191679796891, 188136169029, 225313189507,

Challenge Problems

In this appendix, let us summarize the challenge problems that are uploaded in https://sites.google.com/ site/cryptochallege/. A.1

248643194300, 197531508900, 60292630773, 30164994189, 191684386615, 140143693644, 48727844607, 44414672342, 107018727121, 113097415122, 46557287177, 50589776541, 121786573481)

Tiny Challenge Problem c = (121241627057, 86597823605, 100744354525, 38943664179, 111300798756, 201876799958, 163721328201, 22826233702, 181782526821, 132933677244, 17087847953, 89262025545, 55172703731, 158680774212, 100674136055, 112620885471, 112700299377, 102093694665, 8980623695, 11065240966, 146548959346, 129148141811, 151692311883, 30056293536, 179388708367, 65287068151, 68003819847, 45882987758, 81518242999, 71829102672, 121593788798, 122914902622, 90958036169, 117809803435, 32700424065, 173032984713, 8240146575, 142963350638, 110823365953, 73913823283, 112068285511, 113629865395, 166668364561, 23473765585, 165347896199, 153820775881, 30729236452, 154314815042, 8452163877, 32448123349, 85750032480, 157550059434, 3976873238, 56510086266, 55712604854, 135085766541, 190566810997, 147293219444, 41613054193, 96510534756, 137911800028, 75141970430, 81058892244, 71951067077)

The parameters: n = 16, k = 64, u = 32. (C1 , C2 ) = (4666937316375, 2796590903058) a = (125250452749, 152977162396, 96491863167, 171210345469, 22364367078, 134113003897, 121819833438, 240796076848, 186905184873, 46182814006, 210911468724, 89835991865, 61879153605, 181526825784, 28821334820, 212898734153)

5

A.2

Challenge Problem

c= (14548483284277665, 19835384523669892, 9044238839289195,

The parameters: n = 32, k = 96, u = 48.

17491872409524378, 18927643152027183, 3974263875651325, 12570520606656469, 13951103574035736, 3912765679875295,

(C1 , C2 ) = (871877717413279796, 491703444026800858)

10030944228504111, 19100459329359336, 13096161948832399, 13069673181861236, 18040412685780966, 16768248009947137,

a=

8227787515674791, 8839222933077223, 19176368612783325,

(18959749290241378, 10042556243492864, 11605847068757366, 15936251986284755, 6003095662976770, 15918510339773819, 25299676590075619, 11104293890690754, 18210818453175349, 5742824780313451, 21325932050319610, 5463773980017019,

16319447956362720, 1562196069041652, 14419049771019785, 6421634244534403, 2599039458466331, 8948460106472617, 14197975672816058, 3303819341811120, 17721053717535832, 11490665639579187, 9701509495011789, 12922890274353640,

3035469351990936, 24830099620770435, 10657422783841804, 6073211150636535, 17227068487696348, 21166333486312883, 849778776151226, 17507600901157720, 15047324848242902,

7984489589210731, 62455671491922, 8039521161220329, 5698838934902128, 5694957074225226, 18353317018773447, 3871416555474831, 7373932835567758, 183013472101433,

5483721704311020, 23332300550933603, 14507318643995269, 19531552487076590, 23272112740968675, 12424662740618038, 19810654579291588, 3752089204752660, 10896890134224410, 22917778394639693, 15280555157670829)

7704245097422064, 5971827815019252, 596088599898088, 19207142111003030, 8507085480697361, 1026958909269349, 1085293032471752, 13268812886683805, 4537328201121126, 13475266255212677, 10979009661975300, 7837017996274956, 11101081750198831, 7384376993631473, 5451489040566797,

b=

13569284531083019, 5595205676901933, 5269795762388898,

(534696213823797, 8398925396165147, 712594429943906,

20030952204274990, 3993206997462717, 19270759312243688,

24329447094977168, 4370842427211515, 5198419173850416, 15812485266176409, 18971133895691522, 2499089748722255, 12923788407431827, 17709682070579570, 6239664265813409, 20537833567357433, 14755241316445866, 15960984643819605, 15732928373706127, 14290354633899441, 25288933666670271, 19792808043963170, 18927636430674610, 16209389720609034, 12471446974012867, 9974762297855813, 19208943505931794, 3116008122915085, 15198101026151700, 5111444477810440,

10435731167403560, 18799358976284635, 105700150118439, 20025159598328256, 3797521255403524, 14191752519270401, 10674621166193094, 20202215779460477, 8550526473656954, 16439980887936603, 18329884943220666, 1840321248226978, 10496403375920417, 10628079441749853, 920669289013461, 185034718439532, 17352140534532621, 14211513831254308, 11461687206276897, 13210977992930593, 15388230979434434, 18158791657939038, 5654894452097607, 15897560675933941,

9833964343298884, 7205488414330492, 5168109019409490, 15538237221113052, 24327597993569936, 15905659099233193, 24668373872238736, 26220466538765368, 26862991650019226, 1723091137894689, 20323284969011637, 19389110276281156, 18618848902646060, 24484533454494569, 5890063723936499, 20653090258305191, 5421017428085112, 8495338441207195, 20353702388991227, 4353467037263218, 12700830093576023, 20030381463509765, 10958528253484272, 18723637900807504, 10807574574936634, 23701327561068750, 24762783714552317, 10441839217081041, 1563260874038310, 11876907301911481, 16431074588579909, 13483541833195496, 8704873089812025, 2621303685753001, 5451555017156420, 24050429623361330, 13648432742069066, 1751998750451837, 25125536828569821, 25806248996443285, 21501378284467855, 5693815673480496, 18145471448519064, 22592630870191026, 24220799443088512, 19890400377991569, 7974338846902584, 8467347034832646, 12561889982131253, 16569662926917420, 4313918087206621, 2855493803421102, 26582923585725631, 9193334305625713, 5474160349760342, 14686196890303112, 21927057233651373, 24861836593635589, 4008863840643522, 22883289869694420, 24507390003101894, 20133770883766296, 6311383274592623, 1185340288268660, 4507015016452662, 3222806030608972, 8433081593938151, 76728092111580, 11613266510038963)

6

12377687536275535, 16571562352397156, 9805767088646245, 1725996988104218, 17914072294974268, 16959729441547404, 868422763247512, 16203528472589264, 2215592730305578, 20138939009207270, 9251435126151301, 8972747244154664)