Generalized Compact Knapsacks Are Collision Resistant

  • Vadim Lyubashevsky
  • Daniele Micciancio
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4052)


In (Micciancio, FOCS 2002), it was proved that solving the generalized compact knapsack problem on the average is as hard as solving certain worst-case problems for cyclic lattices. This result immediately yielded very efficient one-way functions whose security was based on worst-case hardness assumptions. In this work, we show that, while the function proposed by Micciancio is not collision resistant, it can be easily modified to achieve collision resistance under essentially the same complexity assumptions on cyclic lattices. Our modified function is obtained as a special case of a more general result, which yields efficient collision-resistant hash functions based on the worst-case hardness of various new problems. These include new problems from algebraic number theory as well as classic lattice problems (e.g., the shortest vector problem) over ideal lattices, a class of lattices that includes cyclic lattices as a special case.
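As an added illustration (not code from the paper or its authors), the toy below implements a hash of the generalized compact knapsack form h_a(x_1, ..., x_m) = sum_i a_i * x_i over the ring Z_p[x]/(f(x)), with inputs restricted to {0,1} coefficients, and contrasts two choices of the modulus polynomial f. That the cyclic ring Z_p[x]/(x^n - 1) is the setting of cyclic lattices follows from the abstract; that the collision-resistant variant works with an irreducible modulus such as x^n + 1 is taken from the full paper and is an assumption here, as are the tiny parameters, the seeded key generation and the collision-finding routine, which are all constructed for the demo.

```python
# Added example (not from the paper): a toy "generalized compact knapsack"
# hash h_a(x_1,...,x_m) = sum_i a_i * x_i over the ring Z_p[x]/(f(x)), with
# every x_i restricted to {0,1} coefficients.  It shows why the modulus f
# matters: for the cyclic ring f = x^n - 1 (assumed here to be the ring behind
# the original cyclic-lattice function) structured inputs collapse the output
# onto one line and collisions fall out by pigeonhole, while for the
# irreducible choice f = x^n + 1 (assumed from the full paper) the same inputs
# do not collide.  Parameters are tiny and constructed; they carry no security.
import itertools
import random


def modulus(n, constant, p):
    """Coefficients (low to high) of the monic polynomial x^n + constant mod p."""
    return [constant % p] + [0] * (n - 1) + [1]


def poly_mulmod(a, b, f, p):
    """Multiply polynomials a and b (coefficient lists of length n) in Z_p[x]/(f)."""
    n = len(f) - 1
    prod = [0] * (2 * n - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % p
    # Reduce by the monic f from the top degree down: x^k = x^(k-n) * x^n and
    # x^n = -(f_0 + ... + f_{n-1} x^{n-1}), so subtract prod[k] * x^(k-n) * f.
    for k in range(2 * n - 2, n - 1, -1):
        c = prod[k]
        if c:
            for t in range(n + 1):
                prod[k - n + t] = (prod[k - n + t] - c * f[t]) % p
    return prod[:n]


def knapsack_hash(key, xs, f, p):
    """h_key(xs) = sum_i key[i] * xs[i] in Z_p[x]/(f); returns n coefficients."""
    n = len(f) - 1
    acc = [0] * n
    for a, x in zip(key, xs):
        acc = [(u + v) % p for u, v in zip(acc, poly_mulmod(a, x, f, p))]
    return acc


def random_key(m, n, p, seed=0):
    """m uniformly random ring elements; seeded so the demo is reproducible."""
    rng = random.Random(seed)
    return [[rng.randrange(p) for _ in range(n)] for _ in range(m)]


def find_collision_cyclic(key, p):
    """Collision for f = x^n - 1 using inputs x_i = c_i * u, u = 1 + x + ... + x^(n-1).

    In Z_p[x]/(x^n - 1) we have x * u = u, hence a * u = s(a) * u where s(a) is
    the coefficient sum of a.  The hash of (c_1 u, ..., c_m u) is therefore
    (sum_i c_i s(a_i) mod p) * u: a one-dimensional subset sum modulo p.  With
    2^m > p two bit vectors must share a sum, and p is small, so enumerate.
    Returns a pair of distinct inputs with equal hash, or None if no pair is found.
    """
    m, n = len(key), len(key[0])
    sums = [sum(a) % p for a in key]
    seen = {}
    for bits in itertools.product((0, 1), repeat=m):
        t = sum(c * s for c, s in zip(bits, sums)) % p
        if t in seen:
            return ([[c] * n for c in seen[t]], [[c] * n for c in bits])
        seen[t] = bits
    return None


if __name__ == "__main__":
    p, n, m = 17, 8, 6          # 2^m = 64 > p, so the cyclic collision must exist
    key = random_key(m, n, p)
    xs, ys = find_collision_cyclic(key, p)
    cyc, neg = modulus(n, -1, p), modulus(n, 1, p)
    print("collide under x^n - 1:", knapsack_hash(key, xs, cyc, p) == knapsack_hash(key, ys, cyc, p))
    print("collide under x^n + 1:", knapsack_hash(key, xs, neg, p) == knapsack_hash(key, ys, neg, p))
```

The point of the contrast is structural: over x^n - 1 the all-ones polynomial u is a zero divisor (u * (x - 1) = 0), so the m-fold ring product degenerates to a subset sum over Z_p on inputs proportional to u, and with p polynomial in n that subset sum is solved by enumeration or dynamic programming. Over x^n + 1 with p odd, u is invertible (u * (x - 1) = -2), so the same inputs collide only if the corresponding combination of key elements is itself zero.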


Keywords: Hash Function, Expansion Factor, Ideal Lattice, Algebraic Number Theory, Cyclic Lattice




References

  1. Aharonov, D., Regev, O.: Lattice problems in NP ∩ coNP. Journal of the ACM 52(5), 749–765 (2005)
  2. Ajtai, M.: Generating hard instances of lattice problems. In: STOC, pp. 99–108 (1996)
  3. Ajtai, M., Kumar, R., Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In: STOC, pp. 601–610 (2001)
  4. Biham, E., Chen, R., Joux, A., Carribault, P., Jalby, W., Lemuet, C.: Collisions of SHA-0 and reduced SHA-1. In: EUROCRYPT (2005)
  5. Cai, J., Nerurkar, A.: An improved worst-case to average-case connection for lattice problems. In: FOCS, pp. 468–477 (1997)
  6. Chor, B., Rivest, R.L.: A knapsack type public-key cryptosystem based on arithmetic in finite fields. IEEE Trans. Inform. Theory 34(5), 901–909 (1988)
  7. Damgård, I.: A design principle for hash functions. In: CRYPTO 1989, pp. 416–427 (1989)
  8. Dinur, I.: Approximating SVP_∞ to within almost-polynomial factors is NP-hard. Theor. Comput. Sci. 285(1), 55–71 (2002)
  9. Goldreich, O., Goldwasser, S.: On the limits of nonapproximability of lattice problems. J. Comput. Syst. Sci. 60(3) (2000)
  10. Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: A ring-based public key cryptosystem. In: ANTS, pp. 267–288 (1998)
  11. Joux, A., Granboulan, L.: A practical attack against knapsack based hash functions. In: EUROCRYPT 1994, pp. 58–66 (1994)
  12. Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261, 513–534 (1982)
  13. Merkle, R.C., Hellman, M.E.: Hiding information and signatures in trapdoor knapsacks. IEEE Transactions on Information Theory IT-24, 525–530 (1978)
  14. Micciancio, D.: Generalized compact knapsacks, cyclic lattices, and efficient one-way functions from worst-case complexity assumptions. Computational Complexity (to appear; preliminary version in FOCS 2002)
  15. Micciancio, D.: Almost perfect lattices, the covering radius problem, and applications to Ajtai's connection factor. SIAM J. on Computing 34(1), 118–169 (2004)
  16. Micciancio, D., Goldwasser, S.: Complexity of Lattice Problems: A Cryptographic Perspective. Kluwer Academic Publishers, Dordrecht (2002)
  17. Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. SIAM J. on Computing (to appear; preliminary version in FOCS 2004)
  18. Peikert, C., Rosen, A.: Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: TCC (2006)
  19. Prasolov, V.V.: Polynomials. Algorithms and Computation in Mathematics, vol. 11. Springer, Heidelberg (2004)
  20. Schnorr, C.P.: A hierarchy of polynomial time basis reduction algorithms. Theoretical Computer Science 53, 201–224 (1987)
  21. Shamir, A.: A polynomial time algorithm for breaking the basic Merkle-Hellman cryptosystem. IEEE Transactions on Information Theory IT-30(5), 699–704 (1984)
  22. Vaudenay, S.: Cryptanalysis of the Chor–Rivest cryptosystem. Journal of Cryptology 14(2), 87–100 (2001)
  23. Wang, X., Lai, X., Feng, D., Chen, H., Yu, X.: Cryptanalysis for hash functions MD4 and RIPEMD. In: EUROCRYPT (2005)
  24. Wang, X., Yu, H.: How to break MD5 and other hash functions. In: EUROCRYPT (2005)

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Vadim Lyubashevsky, University of California, San Diego, USA
  • Daniele Micciancio, University of California, San Diego, USA
