Naccache–Stern knapsack cryptosystem
The Naccache–Stern Knapsack cryptosystem is an atypical public-key cryptosystem developed by David Naccache and Jacques Stern in 1997. This cryptosystem is deterministic, and hence is not semantically secure. While unbroken to date, this system also lacks provable security.
System overview
[edit]This system is based on a type of knapsack problem. Specifically, the underlying problem is this: given integers c,n,p and v0,...,vn, find a vector such that
The idea here is that when the vi are relatively prime and much smaller than the modulus p this problem can be solved easily. It is this observation which allows decryption.
Key Generation
[edit]To generate a public/private key pair
- Pick a large prime modulus p.
- Pick a positive integer n and for i from 0 to n, set pi to be the ith prime, starting with p0 = 2 and such that Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "http://localhost:6011/en.wikipedia.org/v1/":): {\displaystyle \prod_{i=0}^np_i < p} .
- Pick a secret integer s < p-1, such that gcd(p-1,s) = 1.
- Set .
The public key is then p,n and v0,...,vn. The private key is s.
Encryption
[edit]To encrypt an n-bit long message m, calculate
where mi is the ith bit of the message m.
Decryption
[edit]To decrypt a message c, calculate
This works because the fraction
is 0 or 1 depending on whether pi divides cs mod p.
Security
[edit]The security of the trapdoor function relies on the difficulty of the following multiplicative knapsack problem: given recover the . Unlike additive knapsack-based cryptosystems, such as Merkle-Hellman, techniques like Euclidean lattice reduction do not apply to this problem.
The best known generic attack consists of solving the discrete logarithm problem to recover from , which is considered difficult for a classical computer. However, the quantum algorithm of Shor efficiently solves this problem. Furthermore, currently (2023), there is no proof that the Naccache-Stern knapsack reduces to the discrete logarithm problem.
The best known specific attack (in 2018) uses the birthday theorem to partially invert the function without knowing the trapdoor, assuming that the message has a very low Hamming weight.[1]
References
[edit]- ^ Anastasiadis, M.; Chatzis, N.; Draziotis, K.A. (October 2018). "Birthday type attacks to the Naccache–Stern knapsack cryptosystem". Information Processing Letters. 138: 39–43. doi:10.1016/j.ipl.2018.06.002.