## The rise and fall of knapsack cryptosystems (1990)

Venue: | In Cryptology and Computational Number Theory |

Citations: | 50 - 1 self |

### BibTeX

@INPROCEEDINGS{Odlyzko90therise,

author = {A. M. Odlyzko},

title = {The rise and fall of knapsack cryptosystems},

booktitle = {In Cryptology and Computational Number Theory},

year = {1990},

pages = {75--88},

publisher = {A.M.S}

}

### Years of Citing Articles

### OpenURL

### Abstract

### Citations

712 | Factoring polynomials with rational coefficients - Lenstra, Lenstra, et al. - 1982 |

239 | Integer Programming with a Fixed Number of Variables
- Lenstra
- 1981
(Show Context)
Citation Context ...ution was to notice that this could be done in polynomial time by invoking H. W. Lenstra's theorem that the integer programming problem in a fixed number of variables can be solved in polynomial time =-=[20]-=-. This yields the k j i , 1sis5. Once the k j are found, one obtains an approximation to U/M froms- (2.6), and that lets one construct a pair (Us, Ms) with Us/Msclose to U/M such that the weights c j ... |

152 | Hiding Information and Signatures in Trapdoor Knapsacks
- Merkle, Hellman
- 1978
(Show Context)
Citation Context ...l only have to solve the easy knapsack. The most famous transformation of an easy secret knapsack into a seemingly more complicated public one is the modular multiplication used by Merkle and Hellman =-=[21]-=- in their basic knapsack cryptosystem. The receiver, who constructs the system to allow others to send information to her, starts with a superincreasing knapsack b 1 , ... , b n with b 1 ~ ~ 2 n , b j... |

117 |
A Hierarchy of Polynomial Time Lattice Basis Reduction Algorithms
- Schnorr
- 1987
(Show Context)
Citation Context ... than the worst-case bounds that have been proved for it. Furthermore, some improvements have been suggested, both in the way it is implemented [18, 23] and in the basic construction of the algorithm =-=[24, 25]-=-, which yield significant advantages in either speed or success in finding short vectors.s- Furthermore, these improvements suggest very strongly that one can obtain even better algorithms. Thus in ju... |

81 | Efficient cryptographic schemes provably as secure as subset sum
- Impagliazzo, Naor
- 1989
(Show Context)
Citation Context ...ractive of these is the Chor-Rivest system [7], which involves a combination of number theory ideas and knapsacks. It is described briefly in Section 4. Other recent applications of knapsacks include =-=[15]-=-. The search for secure knapsacks continues both because of the attractively high speed that knapsack systems offer, and because of the desire to have a wide variety of cryptosystems available. After ... |

64 |
A polynomial time algorithm for breaking the basic Merkle-Hellman cryptosystem
- Shamir
- 1983
(Show Context)
Citation Context ... in the late 1970's. The final fall of knapsack cryptosystems can be dated to Shamir's announcement in the spring of 1982 of a polynomial time attack on the singly-iterated MerkleHellman cryptosystem =-=[26]-=-. This was quickly followed by a string of attacks on other knapsack cryptosystems, culminating in Brickell's attack on the multiply-iterated Merkle-Hellman system [4]. These attacks relied on the fac... |

44 |
Cryptanalysis: A Survey of Recent Results
- Brickell, Odlyzko
- 1992
(Show Context)
Citation Context ... knapsack problem can be solved efficiently. A large variety of knapsack cryptosystems have been shown to be insecure, most with the use of tools from the area of diophantine approximation. The paper =-=[6]-=- contains a survey of many of the systems that have been broken as well as descriptions of some of the attacks. For full details, the reader is advised to consult [6] and many of the references contai... |

41 | R.L.: A knapsack-type public key cryptosystem based on aritmethic in finite fields
- Chor, Rivest
- 1988
(Show Context)
Citation Context ...t just the cryptographic ones. While most knapsack cryptosystems have been broken, there are a few that so far have resisted all attacks. One of the most attractive of these is the Chor-Rivest system =-=[7]-=-, which involves a combination of number theory ideas and knapsacks. It is described briefly in Section 4. Other recent applications of knapsacks include [15]. The search for secure knapsacks continue... |

39 |
A more efficient algorithm for lattice basis reduction
- Schnorr
- 1988
(Show Context)
Citation Context ... than the worst-case bounds that have been proved for it. Furthermore, some improvements have been suggested, both in the way it is implemented [18, 23] and in the basic construction of the algorithm =-=[24, 25]-=-, which yield significant advantages in either speed or success in finding short vectors.s- Furthermore, these improvements suggest very strongly that one can obtain even better algorithms. Thus in ju... |

33 |
Breaking Iterated Knapsacks
- Brickell
- 1985
(Show Context)
Citation Context ...ated MerkleHellman cryptosystem [26]. This was quickly followed by a string of attacks on other knapsack cryptosystems, culminating in Brickell's attack on the multiply-iterated Merkle-Hellman system =-=[4]-=-. These attacks relied on the fact that the modular multiplication method does not disguise completely the easy knapsack that is the basis of the construction. In addition to the attacks on specific k... |

32 |
Solving Low Density Knapsacks
- Brickell
- 1984
(Show Context)
Citation Context ...ere are two attacks on so-called low-density knapsacks, namely those in which the weights a j are large. These attacks do not assume any particular structure in the knapsack. They are due to Brickell =-=[3]-=- and Lagarias and Odlyzko [18], respectively. As a result, both of the two basic fears about knapsack cryptosystems have been borne out; their constructions can often be unraveled, and in addition, ma... |

32 |
On the lagarias-odlyzko algorithm for the subset sum problem
- Frieze
- 1986
(Show Context)
Citation Context ...of many of the systems that have been broken as well as descriptions of some of the attacks. For full details, the reader is advised to consult [6] and many of the references contained there, such as =-=[3,4,5,8,11,16,17,18,22,26]-=-. The remainder of this paper is devoted to a description of one each of the two kinds of basic attacks that have been used. Section 2 describes the attack on the singly-iterated Merkle-Hellman crypto... |

26 | On Breaking Generalized Knapsack Public Key Cryptosystems - Adleman - 1983 |

25 |
A Note on the Complexity of Cryptography
- Brassard
- 1979
(Show Context)
Citation Context ...above, several other doubts were raised that applied specifically to knapsacks and other systems based on NP-complete problems. On the very abstract level, there was an interesting result of Brassard =-=[2]-=- which says essentially that if breaking a cryptosystem is NP-hard, then NP = Co-NP, which would be a very surprising complexity theory result. Thus if NPsCo-NP, then breaking the Merkle-Hellman crypt... |

22 |
Solving Low Density Subset Sum Problems
- Lagarias, Odlyzko
- 1985
(Show Context)
Citation Context ...led low-density knapsacks, namely those in which the weights a j are large. These attacks do not assume any particular structure in the knapsack. They are due to Brickell [3] and Lagarias and Odlyzko =-=[18]-=-, respectively. As a result, both of the two basic fears about knapsack cryptosystems have been borne out; their constructions can often be unraveled, and in addition, many cases of the general knapsa... |

20 | Knapsack-type public key cryptosystems and Diophantine approximation, (Extended Abstract
- Lagarias
- 1984
(Show Context)
Citation Context ...of many of the systems that have been broken as well as descriptions of some of the attacks. For full details, the reader is advised to consult [6] and many of the references contained there, such as =-=[3,4,5,8,11,16,17,18,22,26]-=-. The remainder of this paper is devoted to a description of one each of the two kinds of basic attacks that have been used. Section 2 describes the attack on the singly-iterated Merkle-Hellman crypto... |

16 | Cryptanalytic attacks on the multiplicative knapsack cryptosystem and on Shamir’s fast signature scheme
- Odlyzko
(Show Context)
Citation Context ...of many of the systems that have been broken as well as descriptions of some of the attacks. For full details, the reader is advised to consult [6] and many of the references contained there, such as =-=[3,4,5,8,11,16,17,18,22,26]-=-. The remainder of this paper is devoted to a description of one each of the two kinds of basic attacks that have been used. Section 2 describes the attack on the singly-iterated Merkle-Hellman crypto... |

15 | Succinct certificates for almost all subset sum problems - Furst, Kannan - 1989 |

9 |
The Cryptanalysis of Knapsack Cryptosystems," Applications of Discrete
- Brickell
- 1988
(Show Context)
Citation Context |

9 |
What Happened with Knapsack Cryptographic Schemes" Performance Limits
- Desmedt
- 1988
(Show Context)
Citation Context |

9 | Performance analysis of Shamir’s attack on the basic MerkleHellman knapsack public key cryptosystem, (Extended Abstract
- Lagarias
- 1984
(Show Context)
Citation Context |

7 |
Solving subset sum problems with the L algorithm
- Radziszowski, Kreher
- 1988
(Show Context)
Citation Context ...tice, however, the Lovasz algorithm performs much better than the worst-case bounds that have been proved for it. Furthermore, some improvements have been suggested, both in the way it is implemented =-=[18, 23]-=- and in the basic construction of the algorithm [24, 25], which yield significant advantages in either speed or success in finding short vectors.s- Furthermore, these improvements suggest very strongl... |

6 |
Johnson,"Computers and Intractability: A Guide to the Theory of NP - Completeness
- Garey
- 1979
(Show Context)
Citation Context ...original problem. Once x 1 is determined, we can go on and determine x 2 , x 3 , ..., one by one, and thus find at least one solution to (1.1). The general knapsack problem is known to be NP-complete =-=[13]-=-, and so it is thought to be quite hard. Being NP-complete means that if a polynomial time algorithm existed, there would also be polynomial time algorithms for all problems in the computational compl... |

5 |
Backtrack: An O(1) Expected Time Graph Coloring Algorithm
- Wilf
- 1984
(Show Context)
Citation Context ...easy to solve? Since the theory of NP-completeness deals with the worst-case situation, there is nothing to forbid this from happening, and many NP-complete problems are easy to solve on average, cf. =-=[27]-=-. Even if most instances of the general knapsack problem are hard, how can one be certain that the cryptanalyst will not be able to deduce from the public knapsack what the construction method was? In... |

3 |
Solving subset sum problems with the L 3 algorithm
- Radziszowski, Kreher
- 1988
(Show Context)
Citation Context ...e, however, the Lova sz ´ algorithm performs much better than the worst-case bounds that have been proved for it. Furthermore, some improvements have been suggested, both in the way it is implemented =-=[18, 23]-=- and in the basic construction of the algorithm [24, 25], which yield significant advantages in either speed or success in finding short vectors.s- 16 - Furthermore, these improvements suggest very st... |

2 |
Govaerts," "A Critical Analysis of the Security of Knapsack Public Key Algorithms
- Desmedt, Vandewalle, et al.
- 1984
(Show Context)
Citation Context ... due to A. Shamir [26]. Many of the crucial observations about the weaknesses of the basic Merkle-Hellman system had been made earlier by Eier and Lagger [10] and by Desmedt, Vandewalle, and Govaerts =-=[9]-=-. Before describing the Shamir attack, we will say a few words about the choice of parameters (1.4). If some of the b i , and therefore also M, are large, then the knapsack will be inefficient, since ... |

1 |
Trapdoors in Knapsack Cryptosystems," Cryptography
- Eier, Lagger
(Show Context)
Citation Context ...king of numerous other knapsack systems. It is due to A. Shamir [26]. Many of the crucial observations about the weaknesses of the basic Merkle-Hellman system had been made earlier by Eier and Lagger =-=[10]-=- and by Desmedt, Vandewalle, and Govaerts [9]. Before describing the Shamir attack, we will say a few words about the choice of parameters (1.4). If some of the b i , and therefore also M, are large, ... |

1 |
Fast Implementation of the Knapsack Cipher
- Henry
- 1981
(Show Context)
Citation Context ...d this would break the system. Other approaches have also been preposed. For example, one could take b i = 2 i - 1 , but hide this structure by a double iteration of the modular multiplication method =-=[14]-=-. This construction, however, which is more secure than what was presented above, was shown to be insecure by the author (unpublished) by the use of continued fractions. The moral to be drawn from the... |

1 | sz, ´ "Factoring Polynomials with Rational Coefficients," Mathematische Annalen 261 - Lenstra, Lenstra, et al. - 1982 |

1 |
Backtrack: An O( 1 ) Expected Time Graph Coloring Algorithm
- Wilf
- 1984
(Show Context)
Citation Context ...easy to solve? Since the theory of NP-completeness deals with the worst-case situation, there is nothing to forbid this from happening, and many NP-complete problems are easy to solve on average, cf. =-=[27]-=-. Even if most instances of the general knapsack problem are hard, how can one be certain that the cryptanalyst will not be able to deduce from the public knapsack what the construction method was? In... |