The basic Merkle-Hellman additive trapdoor knapsack public-key cryptosystem was recently shown to be insecure, and attacks have also been developed on stronger variants of it, such as the Graham-Shamir system and the iterated knapsack cryptosystem. This paper shows that some simple variants of another Merkle-Hellman system, the multiplicative knapsack cryptosystem, are insecure. It is also shown that the Shamir fast signature scheme can be broken quickly. Similar attacks can also be used to break the Scho .. bi-Massey authentication scheme. These attacks have not been rigorously proved to succeed, but heuristic arguments and empirical evidence indicate that they work on systems of practical size. Cryptanalytic attacks on the multiplicative knapsack cryptosystem and on Shamir's fast signature scheme A. M. Odlyzko AT&T Bell Laboratories Murray Hill, New Jersey 07974 1. Introduction One of the best-known public-key cryptosystems, the basic Merkle-Hellman additive trapdoor knapsack sys...

An n-dimensional lattice is the set of all integral linear combinations of n linearly independent vectors in R^m. One of the most studied algorithmic problems on lattices is the shortest vector problem (SVP): given a lattice, find the shortest non-zero vector in it. We prove that the shortest vector problem is NP-hard (for randomized reductions) to approximate within some constant factor greater than 1 in any norm l_p (p>1). In particular, we prove the NP-hardness of approximating SVP in the Euclidean norm within any factor less than sqrt 2. The same NP-hardness results hold for deterministic non-uniform reductions. A deterministic uniform reduction is also given under a reasonable number theoretic conjecture concerning the distribution of smooth numbers. In proving the NP-hardness of SVP we develop a number of technical tools that might be of independent interest. In particular, a lattice packing is constructed with the property that the number of unit spheres contained in an n-dimensional ball of radius greater then 1 + (sqrt 2) grows exponentially in n, a new constructive version of Sauer's lemma(a combinatorial result somehow related to the notion of VC-dimension) is presented, considerably simplifying all previously known constructions.

Abstract not found

We develop a general theory for representing information as sums of elements in a subset of the basic set A of numbers of cardinality n, often refered to as a "knapsack vector". How many numbers can be represented in this way depends heavily on A. The lower, resp. upper, bound for the cardinality of the set of representable numbers is quadratic, resp. exponential, in terms of n. We give an algorithm for the construction of a knapsack vector of any prescribed expressiveness (that is, the cardinality of the set of representable numbers), provided it falls within the range possible for expressiveness. Keywords: subset-sum, knapsack vector, expressiveness, injectivity Introduction Consider a finite set A of positive integers. Actually we need only the assumption that a commutative and an associative operation + is defined on A. Then each subset SA of A represents a number, namely, the sum of the elements of SA . If A has n elements, then at most 2 n numbers can be represented i...

Nous 6tudions ici la paral161isation de l’algorithme.L3 pour la r6duction des bases de u.%eaux. Sous le mod~le des architectures parallbles ~ m6moires distributes, l’algorithme propos6