Solving low-density subset sum problems
Journal of the ACM (JACM)
A knapsack type public key cryptosystem based on arithmetic in finite fields
Proceedings of CRYPTO 84 on Advances in cryptology
Elements of information theory
Elements of information theory
Improved low-density subset sum algorithms
Computational Complexity
The shortest vector problem in L2 is NP-hard for randomized reductions (extended abstract)
STOC '98 Proceedings of the thirtieth annual ACM symposium on Theory of computing
Some baby-step giant-step algorithms for the low hamming weight discrete logarithm problem
Mathematics of Computation
Designs, Codes and Cryptography
Algorithms for quantum computation: discrete logarithms and factoring
SFCS '94 Proceedings of the 35th Annual Symposium on Foundations of Computer Science
Attacking the Chor-Rivest cryptosystem by improved lattice reduction
EUROCRYPT'95 Proceedings of the 14th annual international conference on Theory and application of cryptographic techniques
Adapting density attacks to low-weight knapsacks
ASIACRYPT'05 Proceedings of the 11th international conference on Theory and Application of Cryptology and Information Security
Cryptanalysis of a knapsack-based probabilistic encryption scheme
Information Sciences: an International Journal
Relationship between weight of plaintext and successful attacks in knapsack cryptosystems
Proceedings of the 2nd International Conference on Interaction Sciences: Information Technology, Culture and Human
Quadratic compact knapsack public-key cryptosystem
Computers & Mathematics with Applications
Hi-index | 0.00 |
Many knapsack cryptosystems have been proposed but almost all the schemes are vulnerable to lattice attack because of its low density. To prevent the lattice attack, Chor and Rivest proposed a low weight knapsack scheme, which made the density higher than critical density. In Asiacrypt2005, Nguyen and Stern introduced pseudodensity and proved that if the pseudo-density is low enough (even if the usual density is not low enough), the knapsack scheme can be broken by a single call of SVP/CVP oracle. However, the usual density and the pseudodensity are not sufficient to measure the resistance to the lattice attack individually. In this paper, we first introduce a new notion of density D, which naturally unifies the previous two densities. Next, we derive conditions for our density so that a knapsack scheme is vulnerable to lattice attack. We obtain a critical bound of density which depends only on the ratio of the message length and its Hamming weight. Furthermore, we show that if D