9

Can the knapsack be used in cryptography in a secure sense (described below)?

Knapsack problem: Given some number $X$ and a set $W$ of weights $w_1, w_2, \dots, w_n$, find a subset $S$ of $W$ (if it exists) whose weights sum to $X$.

Even though this problem is NP-hard, there exist "pseudo-polynomial-time" algorithms for it and the average-case hardness is questionable. So I am not sure how secure the knapsack is in reality.

I want to use the knapsack in a symmetric key sense (like a hash function), and NOT in a public key scheme, so there are no restrictions on $X$ and $W$. Uniqueness of solution is also not required. The only requirement is that finding any such $S$ should be hard. So my questions are:

  • Is there a strategy for choosing $W$ and $X$ that makes the problem hard?
  • What are the practical values of $W$ and $X$ that make the problem hard?

EDIT: I don't need the strategy to also give me a solution $S$. The solution is never needed. The use-case requires finding any solution to be hard. The person generating the problem need not know the solution. Additionally, given the problem, it should not be easy for anyone to decide if a solution exists or not.

Mike Edward Moras
Jus12

1 Answer

5

It may be possible to use the knapsack problem to build a secure cryptosystem, though experience suggests it is tricky and delicate. There are many known algorithms for attacking the knapsack problem, which may or may not work, depending upon the specific parameters you choose. Therefore, the security of the scheme will depend on the specific parameter values you use (e.g., the exact strategy you use for choosing all values, and the sizes of each value).

If you choose the weights $w_1,\dots,w_n$ independently and uniformly at random from a large enough space, and if $n$ is large enough, and if $S$ is chosen at random, then I suspect this should be secure (it'll probably be computationally infeasible to find $S$). But I couldn't tell you exactly what parameter choices you'd need to make. You'd need to read up on all known attacks on knapsack problems, including LLL-based algorithms and generalized birthday-based methods. At minimum, I expect you need the weights to be (say) at least 256 bits long and $n \ge 160$, but I don't know if that is sufficient for security.

Are you using this only for one-wayness? Can you use a standard one-way function (e.g., SHA256) instead, in lieu of the knapsack problem? Or are you taking advantage of the special structure of the knapsack problem?

D.W.
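A parameter sanity check for the random-instance approach discussed in the answer above, as an added example that is not part of the original question or answer. It generates a random subset-sum instance and reports its density $n / \log_2(\max_i w_i)$ against the published 0.9408 low-density bound for lattice attacks (Coster et al., which assumes a shortest-vector oracle), plus rough work factors for the pseudo-polynomial table and a meet-in-the-middle search; the function names `make_instance` and `assess` are hypothetical, and the figures flag a parameter regime rather than prove security or a break.

```python
import math
import secrets

# Published bound (Coster et al.): below this density, lattice reduction
# with a shortest-vector oracle solves almost all random instances.
LOW_DENSITY_BOUND = 0.9408


def make_instance(n, bits):
    """Random instance: n weights uniform in [1, 2^bits), target = sum of a random subset."""
    weights = [secrets.randbelow(2**bits - 1) + 1 for _ in range(n)]
    chosen = [secrets.randbits(1) for _ in range(n)]
    target = sum(w for w, c in zip(weights, chosen) if c)
    return weights, target


def assess(weights, target):
    """Rough work-factor estimates (log2 of operation counts) for generic methods."""
    n = len(weights)
    density = n / math.log2(max(weights))
    return {
        "density": density,
        # True means the instance sits in the regime LLL-style attacks target.
        "low_density": density < LOW_DENSITY_BOUND,
        # Pseudo-polynomial dynamic programming fills an n-by-X table.
        "dp_log2_ops": math.log2(n) + math.log2(max(target, 1)),
        # Meet-in-the-middle enumerates two halves of 2^(n/2) subsets each.
        "mitm_log2_ops": n / 2,
    }


if __name__ == "__main__":
    # The answer's suggested minimum: 256-bit weights, n = 160.
    for n, bits in [(160, 256), (160, 160), (20, 16)]:
        w, x = make_instance(n, bits)
        r = assess(w, x)
        print(f"n={n:4d} bits={bits:4d} density={r['density']:.3f} "
              f"low_density={r['low_density']} "
              f"dp=2^{r['dp_log2_ops']:.0f} mitm=2^{r['mitm_log2_ops']:.0f}")
```

With 256-bit weights and $n = 160$ the density is about 0.63, so the table and meet-in-the-middle costs are out of reach but the instance falls in the low-density regime, which is why the lattice literature the answer points to matters when picking sizes.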