Adapting Density Attacks to Low-Weight Knapsacks

  • Phong Q. Nguyễn
  • Jacques Stern
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3788)


Cryptosystems based on the knapsack problem were among the first public-key systems to be invented. Their high encryption/ decryption rate attracted considerable interest until it was noticed that the underlying knapsacks often had a low density, which made them vulnerable to lattice attacks, both in theory and practice. To prevent low-density attacks, several designers found a subtle way to increase the density beyond the critical density by decreasing the weight of the knapsack, and possibly allowing non-binary coefficients. This approach is actually a bit misleading: we show that low-weight knapsacks do not prevent efficient reductions to lattice problems like the shortest vector problem, they even make reductions more likely. To measure the resistance of low-weight knapsacks, we introduce the novel notion of pseudo-density, and we apply the new notion to the Okamoto-Tanaka-Uchiyama (OTU) cryptosystem from Crypto ’00. We do not claim to break OTU and we actually believe that this system may be secure with an appropriate choice of the parameters. However, our research indicates that, in its current form, OTU cannot be supported by an argument based on density. Our results also explain why Schnorr and Hörner were able to solve at Eurocrypt ’95 certain high-density knapsacks related to the Chor-Rivest cryptosystem, using lattice reduction.


Knapsack Subset Sum Lattices Public-Key Cryptanalysis 


  1. 1.
    Bleichenbacher, D., Nguyên, P.Q.: Noisy polynomial interpolation and noisy Chinese remaindering. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, p. 53. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  2. 2.
    Chor, B., Rivest, R.L.: A knapsack-type public key cryptosystem based on arithmetic in finite fields. IEEE Trans. Inform. Theory 34 (1988)Google Scholar
  3. 3.
    Coster, M.J., Joux, A., LaMacchia, B.A., Odlyzko, A.M., Schnorr, C.-P., Stern, J.: Improved low-density subset sum algorithms. Comput. Complexity 2, 111–128 (1992)zbMATHCrossRefMathSciNetGoogle Scholar
  4. 4.
    Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998); Additional information and updates at
  5. 5.
    Kannan, R.: Minkowski’s convex body theorem and integer programming. Math. Oper. Res. 12(3), 415–440 (1987)zbMATHCrossRefMathSciNetGoogle Scholar
  6. 6.
    Lagarias, J.C., Odlyzko, A.M.: Solving low-density subset sum problems. Journal of the Association for Computing Machinery (January 1985)Google Scholar
  7. 7.
    Lenstra Jr., H.W.: On the Chor-Rivest knapsack cryptosystem. J. of Cryptology 3, 149–155 (1991)zbMATHCrossRefMathSciNetGoogle Scholar
  8. 8.
    May, A., Silverman, J.: Dimension Reduction Methods for Convolution Modular Lattices. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, p. 110. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  9. 9.
    Mazo, J.E., Odlyzko, A.M.: Lattice points in high-dimensional spheres. Monatsh. Math. 110, 47–61 (1990)zbMATHCrossRefMathSciNetGoogle Scholar
  10. 10.
    Merkle, R., Hellman, M.: Hiding information and signatures in trapdoor knapsacks. IEEE Trans. Inform. Theory IT-24, 525–530 (1978)Google Scholar
  11. 11.
    Micciancio, D.: The hardness of the closest vector problem with preprocessing. IEEE Trans. Inform. Theory 47(3), 1212–1215 (2001)zbMATHCrossRefMathSciNetGoogle Scholar
  12. 12.
    Micciancio, D., Goldwasser, S.: Complexity of lattice problems: A cryptographic perspective. Kluwer Academic Publishers, Boston (2002)zbMATHGoogle Scholar
  13. 13.
    Nguyên, P.Q.: Cryptanalysis of the Goldreich-Goldwasser-Halevi cryptosystem from Crypto 1997. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 288–304. Springer, Heidelberg (1999)Google Scholar
  14. 14.
    Nguyên, P.Q., Shparlinski, I.E.: The Insecurity of the Digital Signature Algorithm with Partially Known Nonces. Journal of Cryptology 15(3), 151–176 (2002)zbMATHCrossRefMathSciNetGoogle Scholar
  15. 15.
    Nguyên, P.Q., Stehlé, D.: Floating-Point LLL Revisited. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 215–233. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  16. 16.
    Nguyên, P.Q., Stern, J.: Merkle-Hellman revisited: a cryptanalysis of the Qu-Vanstone cryptosystem based on group factorizations. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 198–212. Springer, Heidelberg (1997)Google Scholar
  17. 17.
    Nguyên, P.Q., Stern, J.: The two faces of lattices in cryptology. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, p. 146. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  18. 18.
    Odlyzko, A.M.: The rise and fall of knapsack cryptosystems. In: Cryptology and Computational Number Theory. Proc. of Symposia in Applied Mathematics, vol. 42, pp. 75–88. A.M.S (1990)Google Scholar
  19. 19.
    Okamoto, T., Tanaka, K., Uchiyama, S.: Quantum Public-Key Cryptosystems. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, p. 147. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  20. 20.
    Omura, K., Tanaka, K.: Density Attack to the Knapsack Cryptosystems with Enumerative Source Encoding. IEICE Trans. Fundamentals E84-A(1) (January 2001)Google Scholar
  21. 21.
    Schnorr, C.P., Hörner, H.H.: Attacking the Chor-Rivest cryptosystem by improved lattice reduction. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 1–12. Springer, Heidelberg (1995)Google Scholar
  22. 22.
    Vaudenay Cryptanalysis, S.: of the Chor-Rivest Cryptosystem. Journal of Cryptology 14, 87–100 (2001)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Phong Q. Nguyễn
    • 1
  • Jacques Stern
    • 2
  1. 1.CNRS & École normale supérieure, DIParisFrance
  2. 2.École normale supérieure, DIParisFrance

Personalised recommendations