New Generic Algorithms for Hard Knapsacks

  • Nick Howgrave-Graham
  • Antoine Joux
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6110)


In this paper, we study the complexity of solving hard knapsack problems, i.e., knapsacks with a density close to 1, where lattice-based low-density attacks are not an option. For such knapsacks, the current state of the art is a 31-year-old algorithm by Schroeppel and Shamir, which is based on birthday paradox techniques, yields a running time of \(\tilde{O}(2^{n/2})\) for knapsacks of \(n\) elements, and uses \(\tilde{O}(2^{n/4})\) storage. We propose here two new algorithms which improve on this bound, finally lowering the running time down to either \(\tilde{O} (2^{0.385\, n})\) or \(\tilde{O} (2^{0.3113\, n})\) under a reasonable heuristic. We also demonstrate the practicality of these algorithms with an implementation.
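The Schroeppel-Shamir baseline that the abstract measures against, written out as an added example (it is not code from the paper or the authors' implementation, and it does not implement the two new algorithms). It splits the weights into four blocks and uses two heaps to stream the left sums upward and the right sums downward, which gives roughly \(2^{n/2}\) time with only \(2^{n/4}\) stored entries; the `demo` instance, its seed and \(n = 24\) are constructed assumptions.

```python
import heapq
import random

def subset_sums(weights):
    """All (sum, bitmask) pairs over one block of weights."""
    out = [(0, 0)]
    for i, w in enumerate(weights):
        out += [(s + w, m | (1 << i)) for s, m in out]
    return out

def schroeppel_shamir(a, target):
    """Return a 0/1 list x with sum(a[i]*x[i]) == target, or None."""
    n = len(a)
    q = [0, n // 4, n // 2, 3 * n // 4, n]   # four block boundaries
    S = [subset_sums(a[q[b]:q[b + 1]]) for b in range(4)]
    S[1].sort()                # ascending
    S[3].sort(reverse=True)    # descending
    # One heap entry per element of S[0] / S[2]: O(2^(n/4)) memory, never
    # the full 2^(n/2) lists of a plain meet-in-the-middle.
    left = [(s + S[1][0][0], i, 0) for i, (s, _) in enumerate(S[0])]
    right = [(-(s + S[3][0][0]), k, 0) for k, (s, _) in enumerate(S[2])]
    heapq.heapify(left)        # min-heap: left sums come out increasing
    heapq.heapify(right)       # negated keys: right sums come out decreasing
    while left and right:
        lo, i, j = left[0]
        neg_hi, k, l = right[0]
        if lo - neg_hi == target:
            x = []
            for b, m in enumerate((S[0][i][1], S[1][j][1], S[2][k][1], S[3][l][1])):
                x += [(m >> t) & 1 for t in range(q[b + 1] - q[b])]
            return x
        if lo - neg_hi < target:   # left sum too small: advance it
            heapq.heappop(left)
            if j + 1 < len(S[1]):
                heapq.heappush(left, (S[0][i][0] + S[1][j + 1][0], i, j + 1))
        else:                      # right sum too large: advance it
            heapq.heappop(right)
            if l + 1 < len(S[3]):
                heapq.heappush(right, (-(S[2][k][0] + S[3][l + 1][0]), k, l + 1))
    return None

def demo(n=24, seed=1):
    """Constructed instance: n random n-bit weights, so density n/log2(max a) is about 1."""
    rng = random.Random(seed)
    a = [rng.getrandbits(n) | (1 << (n - 1)) for _ in range(n)]
    secret = [rng.randint(0, 1) for _ in range(n)]
    target = sum(w * b for w, b in zip(a, secret))
    return a, target, schroeppel_shamir(a, target)
```

At density close to 1 a target can have more than one preimage, so the returned vector is checked against the target sum rather than against the planted secret.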



Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Nick Howgrave-Graham (1)
  • Antoine Joux (2)

  1. Arlington
  2. DGA and Université de Versailles Saint-Quentin-en-Yvelines, UVSQ PRISM, Versailles cedex, France
