New Generic Algorithms for Hard Knapsacks

  • Nick Howgrave-Graham
  • Antoine Joux
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6110)


In this paper, we study the complexity of solving hard knapsack problems, i.e., knapsacks with a density close to 1 where lattice-based low density attacks are not an option. For such knapsacks, the current state-of-the-art is a 31-year old algorithm by Schroeppel and Shamir which is based on birthday paradox techniques and yields a running time of \(\tilde{O}(2^{n/2})\) for knapsacks of n elements and uses \(\tilde{O}(2^{n/4})\) storage. We propose here two new algorithms which improve on this bound, finally lowering the running time down to either \(\tilde{O} (2^{0.385\, n})\) or \(\tilde{O} (2^{0.3113\, n})\) under a reasonable heuristic. We also demonstrate the practicality of these algorithms with an implementation.


Knapsack Problem Priority Queue Lattice Reduction Memory Complexity Early Abort 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Ajtai, M.: The shortest vector problem in L2 is NP-hard for randomized reductions (extended abstract). In: 30th ACM STOC, Dallas, Texas, USA, May 23–26, pp. 10–19. ACM Press, New York (1998)Google Scholar
  2. 2.
    Camion, P., Patarin, J.: The Knapsack hash function proposed at Crypto’89 can be broken. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 39–53. Springer, Heidelberg (1991)Google Scholar
  3. 3.
    Chose, P., Joux, A., Mitton, M.: Fast correlation attacks: An algorithmic point of view. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 209–221. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  4. 4.
    Coster, M.J., Joux, A., LaMacchia, B.A., Odlyzko, A.M., Schnorr, C.-P., Stern, J.: Improved low-density subset sum algorithms. Computational Complexity 2, 111–128 (1992)zbMATHCrossRefMathSciNetGoogle Scholar
  5. 5.
    Damgård, I.: A design principle for hash functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg (1990)Google Scholar
  6. 6.
    Open problem garden,
  7. 7.
    Garey, M.R., Johnson, D.S.: Computers and Intractability: A Guide to the Theory of NP-Completeness. Freeman, San Francisco (1979)zbMATHGoogle Scholar
  8. 8.
    Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Mitzenmacher, M. (ed.) 41st ACM STOC, Bethesda, MD, USA, May 2009, pp. 169–178. ACM Press, New York (2009)Google Scholar
  9. 9.
    Hirschorn, P.S., Hoffstein, J., Howgrave-Graham, N., Whyte, W.: Choosing NTRUEncrypt parameters in light of combined lattice reduction and MITM approaches. In: Abdalla, M., Pointcheval, D., Fouque, P.-A., Vergnaud, D. (eds.) ACNS 2009. LNCS, vol. 5536, pp. 437–455. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  10. 10.
    Horowitz, E., Sahni, S.: Computing partitions with applications to the knapsack problem. J. Assoc. Comp. Mach. 21(2), 277–292 (1974)zbMATHMathSciNetGoogle Scholar
  11. 11.
    Howgrave-Graham, N.: A hybrid lattice-reduction and meet-in-the-middle attack against NTRU. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 150–169. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  12. 12.
    Howgrave-Graham, N., Joux, A.: New generic algorithms for hard knapsacks, or
  13. 13.
    Impagliazzo, R., Naor, M.: Efficient cryptographic schemes provably as secure as subset sum. Journal of Cryptology 9(4), 199–216 (1996)zbMATHCrossRefMathSciNetGoogle Scholar
  14. 14.
    Joux, A., Granboulan, L.: A practical attack against knapsack based hash functions (extended abstract). In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 58–66. Springer, Heidelberg (1994)CrossRefGoogle Scholar
  15. 15.
    Lagarias, J.C., Odlyzko, A.M.: Solving low-density subset sum problems. J. Assoc. Comp. Mach. 32(1), 229–246 (1985)zbMATHMathSciNetGoogle Scholar
  16. 16.
    Lenstra, A.K., Lenstra Jr., H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 515–534 (1982)zbMATHCrossRefMathSciNetGoogle Scholar
  17. 17.
    Lyubashevsky, V., Micciancio, D., Peikert, C., Rosen, A.: Swifft: A modest proposal for fft hashing. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 54–72. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  18. 18.
    Merkle, R., Hellman, M.: Hiding information and signatures in trapdoor knapsacks. IEEE Trans. Information Theory 24(5), 525–530 (1978)CrossRefGoogle Scholar
  19. 19.
    Nguyen, P.Q., Shparlinski, I.E., Stern, J.: Distribution of modular sums and the security of the server aided exponentiation. Progress in Computer Science and Applied Logic 20, 331–342 (2001); Final Proceedings of Cryptography and Computational Number Theory workshop, Singapore (1999)MathSciNetGoogle Scholar
  20. 20.
    Schnorr, C.-P.: A hierarchy of polynomial time lattice basis reduction algorithms. Theoretical Computer Science 53, 201–224 (1987)zbMATHCrossRefMathSciNetGoogle Scholar
  21. 21.
    Schroeppel, R., Shamir, A.: A T = O(2n/2), S = O(2n/4) algorithm for certain NP-complete problems. In: FOCS, pp. 328–336 (1979)Google Scholar
  22. 22.
    Schroeppel, R., Shamir, A.: A T = O(2n/2), S = O(2n/4) algorithm for certain NP-complete problems. SIAM Journal on Computing 10(3), 456–464 (1981)zbMATHCrossRefMathSciNetGoogle Scholar
  23. 23.
    Shamir, A.: A polynomial time algorithm for breaking the basic Merkle-Hellman cryptosystem. In: Chaum, D., Rivest, R.L., Sherman, A.T. (eds.) Advances in Cryptology – CRYPTO 1982, Santa Barbara, CA, USA, pp. 279–288. Plenum Press, New York (1983)Google Scholar
  24. 24.
    Stinson, D.R.: Some baby-step giant-step algorithms for the low hamming weight discrete logarithm problem. Math. Comput. 71(237), 379–391 (2002)zbMATHMathSciNetGoogle Scholar
  25. 25.
    Wagner, D.: A generalized birthday problem. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 288–303. Springer, Heidelberg (2002)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Nick Howgrave-Graham
    • 1
  • Antoine Joux
    • 2
  1. 1. Arlington
  2. 2.DGA and Université de Versailles Saint-Quentin-en-Yvelines, UVSQ PRISMVersailles cedexFrance

Personalised recommendations