Results 1 - 10 of 29
Efficient Cryptographic Schemes Provably as Secure as Subset Sum
Journal of Cryptology, 1993
Cited by 69 (8 self)
We show very efficient constructions for a pseudo-random generator and for a universal one-way hash function based on the intractability of the subset sum problem for certain dimensions. (Pseudo-random generators can be used for private key encryption and universal one-way hash functions for signature schemes.) The increase in efficiency in our construction is due to the fact that many bits can be generated/hashed with one application of the assumed one-way function. All our constructions can be implemented in NC using an optimal number of processors. Part of this work was done while both authors were at UC Berkeley and part when the second author was at the IBM Almaden Research Center. Research supported by NSF grant CCR 88-13632. A preliminary version of this paper appeared in Proc. of the 30th Symp. on Foundations of Computer Science, 1989. 1 Introduction Many cryptosystems are based on the intractability of number theoretic problems such as factoring and discrete logarit...
Improved Low-Density Subset Sum Algorithms
Computational Complexity, 1991
Cited by 60 (12 self)
The general subset sum problem is NP-complete. However, there are two algorithms, one due to Brickell and the other to Lagarias and Odlyzko, which in polynomial time solve almost all subset sum problems of sufficiently low density. Both methods rely on basis reduction algorithms to find short non-zero vectors in special lattices. The Lagarias-Odlyzko algorithm would solve almost all subset sum problems of density < 0.6463... in polynomial time if it could invoke a polynomial-time algorithm for finding the shortest non-zero vector in a lattice. This paper presents two modifications of that algorithm, either one of which would solve almost all problems of density < 0.9408... if it could find shortest non-zero vectors in lattices. These modifications also yield dramatic improvements in practice when they are combined with known lattice basis reduction algorithms. Key words. subset sum problems; knapsack cryptosystems; lattices; lattice basis reduction. Subject classifications. 1...
The Two Faces of Lattices in Cryptology
2001
Cited by 54 (13 self)
Lattices are regular arrangements of points in n-dimensional space, whose study appeared in the 19th century in both number theory and crystallography. Since the appearance of the celebrated Lenstra-Lenstra-Lovász lattice basis reduction algorithm twenty years ago, lattices have had surprising applications in cryptology. Until recently, the applications of lattices to cryptology were only negative, as lattices were used to break various cryptographic schemes. Paradoxically, several positive cryptographic applications of lattices have emerged in the past five years: there now exist public-key cryptosystems based on the hardness of lattice problems, and lattices play a crucial role in a few security proofs.
Lattice Reduction in Cryptology: An Update
Lect. Notes in Comp. Sci., 2000
Cited by 34 (7 self)
Lattices are regular arrangements of points in space, whose study appeared in the 19th century in both number theory and crystallography.
Cryptanalysis of the Goldreich-Goldwasser-Halevi Cryptosystem from Crypto '97
1999
Cited by 30 (4 self)
Recent results of Ajtai on the hardness of lattice problems have inspired several cryptographic protocols. At Crypto '97, Goldreich, Goldwasser and Halevi proposed a public-key cryptosystem based on the closest vector problem in a lattice, which is known to be NP-hard. We show that there is a major flaw in the design of the scheme which has two implications: any ciphertext leaks information on the plaintext, and the problem of decrypting ciphertexts can be reduced to a special closest vector problem which is much easier than the general problem. As an application, we solved four out of the five numerical challenges proposed on the Internet by the authors of the cryptosystem. At least two of those four challenges were conjectured to be intractable. We discuss ways to prevent the flaw, but conclude that, even modified, the scheme cannot provide sufficient security without being impractical.
LLL on the Average
2006
Cited by 25 (6 self)
Despite their popularity, lattice reduction algorithms remain mysterious in many ways. It has been widely reported that they behave much more nicely than what was expected from the worst-case proved bounds, both in terms of the running time and the output quality. In this article, we investigate this puzzling statement by trying to model the average case of lattice reduction algorithms, starting with the celebrated Lenstra-Lenstra-Lovász algorithm (L³). We discuss what is meant by lattice reduction on the average, and we present extensive experiments on the average case behavior of L³, in order to give a clearer picture of the differences/similarities between the average and worst cases. Our work is intended to clarify the practical behavior of L³ and to raise theoretical questions on its average behavior.
Merkle-Hellman Revisited: A Cryptanalysis of the Qu-Vanstone Cryptosystem Based on Group Factorizations
In Proc. of Crypto '97, volume 1294 of LNCS, 1997
Cited by 17 (11 self)
Cryptosystems based on the knapsack problem were among the first public key systems to be invented and for a while were considered quite promising. Basically all knapsack cryptosystems that have been proposed so far have been broken, mainly by means of lattice reduction techniques. However, a few knapsack-like cryptosystems have withstood cryptanalysis, among which the Chor-Rivest scheme [2], even if this is debatable (see [16]), and the Qu-Vanstone scheme proposed at the Dagstuhl'93 workshop [13] and published in [14]. The Qu-Vanstone scheme is a public key scheme based on group factorizations in the additive group of integers modulo n that generalizes Merkle-Hellman cryptosystems. In this paper, we present a novel use of lattice reduction, which is of independent interest, exploiting in a systematic manner the notion of an orthogonal lattice. Using the new technique, we successfully attack the Qu-Vanstone cryptosystem. Namely, we show how to recover the private key from the public k...
Protecting data privacy through hard-to-reverse negative databases
In Proceedings of the 9th Information Security Conference (ISC'06), Springer LNCS, 2006
Cited by 11 (4 self)
The paper extends the idea of negative representations of information for enhancing privacy. Simply put, a set DB of data elements can be represented in terms of its complement set. That is, all the elements not in DB are depicted and DB itself is not explicitly stored. We review the negative database (NDB) representation scheme for storing a negative image compactly and propose a design for depicting a multiple-record DB using a collection of NDBs, in contrast to the single-NDB approach of previous work. Finally, we present a method for creating negative databases that are hard to reverse in practice, i.e., from which it is hard to obtain DB, by adapting a technique for generating 3-SAT formulas.
A Lattice-Based Public-Key Cryptosystem (Extended Abstract)
Information and Computation, 1999
Cited by 10 (1 self)
Ajtai recently found a random class of lattices of integer points for which he could prove the following worst-case/average-case equivalence result: If there is a probabilistic polynomial time algorithm which finds a short vector in a random lattice from the class, then there is also a probabilistic polynomial time algorithm which solves several problems related to the shortest lattice vector problem (SVP) in any n-dimensional lattice. Ajtai and Dwork then designed a public-key cryptosystem which is provably secure unless the worst case of a version of the SVP can be solved in probabilistic polynomial time. However, their cryptosystem suffers from massive data expansion because it encrypts data bit-by-bit. Here we present a public-key cryptosystem based on similar ideas, but with much less data expansion.
Enhancing privacy through negative representations of data
2004
Cited by 10 (7 self)
The paper introduces the concept of a negative database, in which a set of records DB is represented by its complement set. That is, all the records not in DB are represented, and DB itself is not explicitly stored. After introducing the concept, several results are given regarding the feasibility of such a scheme and its potential for enhancing privacy. It is shown that a database consisting of n l-bit records can be represented negatively using only O(ln) records. It is also shown that membership queries for DB can be processed against the negative representation in time no worse than linear in its size, and that reconstructing the database DB represented by a negative database NDB given as input is an NP-hard problem when time complexity is measured as a function of the size of NDB.

