The Hardness of the Hidden Subset Sum Problem and Its Cryptographic Implications
At Eurocrypt’98, Boyko, Peinado and Venkatesan presented simple and very fast methods for generating randomly distributed pairs of the form (x; g x mod p) using precomputation. The security of these methods relied on the potential hardness of a new problem, the so-called hidden subset sum problem. Surprisingly, apart from exhaustive search, no algorithm to solve this problem was known. In this paper, we exhibit a security criterion for the hidden subset sum problem, and discuss its implications on the practicability of the precomputation schemes. Our results are twofold. On the one hand, we present an efficient lattice-based attack which is expected to succeed if and only if the parameters satisfy a particular condition that we make explicit. Experiments have validated the theoretical analysis, and show the limitations of the precomputation methods. For instance, any realistic smart-card implementation of Schnorr’s identification scheme using these precomputations methods is either vulnerable to the attack, or less efficient than with traditional precomputation methods. On the other hand, we show that, when another condition is satisfied, the pseudo-random generator based on the hidden subset sum problem is strong in some precise sense which includes attacks via lattice reduction. Namely, using the discrete Fourier transform, we prove that the distribution of the generator’s output is indistinguishable from the uniform distribution. The two conditions complement each other quite well, and therefore form a convincing picture of the security level.
- 1.M. Ajtai. Generating hard instances of lattice problems. In Proc. 28th ACM STOC, pages 99–108, 1996. Extended version at http://www.eccc.uni-trier.de/eccc/.
- 2.V. Boyko, M. Peinado, and R. Venkatesan. Speeding up discrete log and factoring based schemes via precomputations. In Proc. of Eurocrypt’ 98, volume 1403 of LNCS, pages 221–235. Springer-Verlag, 1998.Google Scholar
- 3.E. Brickell, D.M. Gordon, K.S. McCurley, and D. Wilson. Fast exponentiation with precomputation. In Proc. of Eurocrypt’92, volume 658 of Lecture Notes in Computer Science, pages 200–207. Springer-Verlag, 1993.Google Scholar
- 6.P. de Rooij. On the security of the Schnorr scheme using preprocessing. In Proc. of Eurocrypt’91, volume 547 of LNCS, pages 71–80. Springer-Verlag, 1991.Google Scholar
- 7.P. de Rooij. Efficient exponentiation using precomputation and vector addition chains. In Proc. of Eurocrypt’94, volume 950 of Lecture Notes in Computer Science, pages 389–399. Springer-Verlag, 1995.Google Scholar
- 12.C.H. Lim and P.J. Lee. More flexible exponentiation with precomputation. In Proc. of Crypto’94, volume 839 of Lecture Notes in Computer Science, pages 95–107. Springer-Verlag, 1994.Google Scholar
- 13.National Institute of Standards and Technology (NIST). FIPS Publication 186: Digital Signature Standard, May 1994.Google Scholar
- 14.P. Nguyen and J. Stern. Merkle-Hellman revisited: a cryptanalysis of the QuVanstone cryptosystem based on group factorizations. In Proc. of Crypto’97, volume 1294 of LNCS, pages 198–212. Springer-Verlag, 1997.Google Scholar
- 15.P. Nguyen and J. Stern. Cryptanalysis of a fast public key cryptosystem presented at SAC’ 97. In Proc. of SAC’ 98, LNCS. Springer-Verlag, 1998.Google Scholar
- 16.P. Nguyen and J. Stern. The Béguin-Quisquater server-aided RSA protocol from Crypto’ 95 is not secure. In Proc. of Asiacrypt’ 98, volume 1514 of LNCS, pages 372–379. Springer-Verlag, 1998.Google Scholar
- 20.C.P. Schnorr and H.H. Horner. Attacking the Chor-Rivest cryptosystem by improved lattice reduction. In Proc. of Eurocrypt’95, volume 921 of LNCS, pages 1–12. Springer-Verlag, 1995.Google Scholar
- 21.V. Shoup. Number Theory C++ Library (NTL) version 3.6. Can be obtained at http://www.shoup.net/ntl/.