The Knapsack Hash Function proposed at Crypto’89 can be broken

Abstract: Ivan Damgkd [4] suggested at Crypto'89 concrete examples of hash functions among which a knapsack scheme. We will here show that a probabilistic algorithm can break this scheme with a number in the region of Z3' computations. That number of operations is feasible in realistic time with modern computers. Thus the proposed hash function is not very secure. Among those computations a substantial number can be performed once for all. A faster result can be obtained since parallelism is easy. Moreover, ways to exte… Show more

“…Thus, to solve the knapsack problem, we construct the set S (1) containing all possible sums of the first n/2 elements and S (2) be the set obtained by subtracting from the target S any of the possible sums of the last n/2 elements. Searching for collisions between the two sets, we discover all the solutions of the knapsack problem.…”

“…This can be done in time and memoryÕ(2 n/2 ) by fully computing the two sets, sorting them and looking up for collisions. In [21,22], Schroeppel and Shamir show that, in order to find these collisions, it is not necessary to store the full sets S (1) and S (2) . Instead, they generate them on the fly using priority queues (based either on heaps or a Adelson-Velsky and Landis trees), requiring memoryÕ(2 n/4 ).…”

“…L is the set of ( q3 i=q2+1 i a i , q2+1···q3 ) with q2+1···q3 ∈ {0, 1} q3−q2 ; -S (2) R is the set of ( n i=q3+1 i a i , q3+1···n ) with q3+1···n ∈ {0, 1} n−q3 . With these notations, solving the knapsack problem amounts to finding four elements σ (…”

“…A similar idea was previously used by Camion and Patarin in [2] to attack the knapsack based hash function of [5]. In this paper, we introduce two new algorithms that improve upon the algorithm of Schroeppel and Shamir to solve knapsack problems.…”

New Generic Algorithms for Hard Knapsacks

“…Thus, to solve the knapsack problem, we construct the set S (1) containing all possible sums of the first n/2 elements and S (2) be the set obtained by subtracting from the target S any of the possible sums of the last n/2 elements. Searching for collisions between the two sets, we discover all the solutions of the knapsack problem.…”

“…This can be done in time and memoryÕ(2 n/2 ) by fully computing the two sets, sorting them and looking up for collisions. In [21,22], Schroeppel and Shamir show that, in order to find these collisions, it is not necessary to store the full sets S (1) and S (2) . Instead, they generate them on the fly using priority queues (based either on heaps or a Adelson-Velsky and Landis trees), requiring memoryÕ(2 n/4 ).…”

“…L is the set of ( q3 i=q2+1 i a i , q2+1···q3 ) with q2+1···q3 ∈ {0, 1} q3−q2 ; -S (2) R is the set of ( n i=q3+1 i a i , q3+1···n ) with q3+1···n ∈ {0, 1} n−q3 . With these notations, solving the knapsack problem amounts to finding four elements σ (…”

“…A similar idea was previously used by Camion and Patarin in [2] to attack the knapsack based hash function of [5]. In this paper, we introduce two new algorithms that improve upon the algorithm of Schroeppel and Shamir to solve knapsack problems.…”

New Generic Algorithms for Hard Knapsacks

“…Impagliazzo and Naor summarize the state of the art in [50]. A different class of attacks are the algebraic attacks proposed by Camion and Patarin [14] and optimized by Patarin in [66]; these attacks tend to work better when n (n). The scheme of Damgård [26] has been broken both using LLL [52] and using algebraic techniques [66].…”

The State of Cryptographic Hash Functions

References