|
 ABSTRACT
The subset sum problem is to decide whether or not the 0-l integer programming problem &Sgr;ni=l aixi = M, ∀I, xI = 0 or 1, has a solution, where the ai and M are given positive integers. This problem is NP-complete, and the difficulty of solving it is the basis of public-key cryptosystems of knapsack type. An algorithm is proposed that searches for a solution when given an instance of the subset sum problem. This algorithm always halts in polynomial time but does not always find a solution when one exists. It converts the problem to one of finding a particular short vector v in a lattice, and then uses a lattice basis reduction algorithm due to A. K. Lenstra, H. W. Lenstra, Jr., and L. Lovasz to attempt to find v. The performance of the proposed algorithm is analyzed. Let the density d of a subset sum problem be defined by d = n/log2(maxi ai). Then for “almost all” problems of density d < 0.645, the vector v we searched for is the shortest nonzero vector in the lattice. For “almost all” problems of density d < 1/n, it is proved that the lattice basis reduction algorithm locates v. Extensive computational tests of the algorithm suggest that it works for densities d < dc(n), where dc(n) is a cutoff value that is substantially larger than 1/n. This method gives a polynomial time attack on knapsack public-key cryptosystems that can be expected to break them if they transmit information at rates below dc(n), as n → ∞.
REFERENCES
Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.
 |
1
|
|
| |
2
|
AFFLERBACH, U Minkowskische Reduktionsbedingungen fiir positiv definite quadratische Formen in 5 Variabeln. Monatsh. Math. 94 (1982), 1-8.
|
| |
3
|
|
| |
4
|
BRENTJES, A.J. Multi-dimensional continued fraction algorithms. Mathematical Centre Tract No. 145, Matematisch Centrum, Amsterdam, The Netherlands, 1981.
|
| |
5
|
BRICKELL, E. Are most low density knapsacks solvable in polynomial time? In Proceedings of the 14th Southeastern Conference on Combinatorics, Graph Theory, and Computing, 1983. Congressus Numerantium, Vol. 39, 1983, pp. 145-156.
|
| |
6
|
DIETER, U.How to calculate shortest vectors in a lattice. Math. Comput. 29 (1975), 827-833.
|
| |
7
|
FERGUSON, H. R. P., AND FORCADE, R. W.Multidimensional Euclidean algorithms. J. reine angew. Math. 344 (1982), 171-181.
|
| |
8
|
|
| |
9
|
|
| |
10
|
|
| |
11
|
LAGARIAS, J.C.Knapsack-type public key cryptosystems and Diophantine approximation, (Extended Abstract). In Advances in Cryptology, Proceedings of CRYPTO-83 (Santa Barbara, Aug.), D. Chaum, Ed. Plenum, New York, 1984, pp. 3-24.
|
| |
12
|
|
| |
13
|
LENSTRA, A.K., I.ENSTRA, H.W., JR., AND LOVASZ, L.Factoring polynomials with rational coefficients. Math. Annalen 261 (1982), 515-534.
|
| |
14
|
MAZO, J.E., AND ODLYZKO, A.M.Lattice points in high-dimensional spheres, paper in preparation.
|
| |
15
|
MERKLE, R.C., AND HELLMAN, M.E.Hiding information and signatures in trap-door knapsacks. IEEE Trans. Inf. Theory IT-24 (1978), 525-530.
|
| |
16
|
ODLYZKO, A.M.Cryptanalytic attacks on the multiplicative knapsack cryptosystem and on Shamir's fast signature scheme. IEEE Trans. Inf. Theory IT-30, 4 (July I984), 584-601.
|
| |
17
|
SHAMIR, A.A polynomial time algorithm for breaking the Merkle-Hellman cryptosystem. In Proceedings of the 23rd IEEE Symposium on Foundations of Computer Science. IEEE, New York, 1982, pp. 145-152.
|
| |
18
|
SHAMIR, A.Embedding cryptographic trapdoors in arbitrary knapsack systems. Inf. Proc. Lett. 17 (1983), 77-79.
|
| |
19
|
WILF, H.S.Backtrack: An O( 1 ) expected time algorithm for the graph coloring problem. Inf. Proc. Lett. 18 (1984), 11'9-121.
|
REVIEW
"Eugene D. Denman : Reviewer"
This paper discusses the subset sum problem: :9I where ai and M
are integers. This problem is NP-complete and is related to the public-key
cryptosystem of the knapsack type. The authors
more...
|
Adobe Acrobat
QuickTime
Windows Media Player
Real Player
Pdf
G.1