Naccache–Stern knapsack cryptosystem

The Naccache–Stern Knapsack cryptosystem is an atypical public-key cryptosystem developed by David Naccache and Jacques Stern in 1997. This cryptosystem is deterministic, and hence is not semantically secure. While unbroken to date, this system also lacks provable security.

System Overview

This system is based on a type of knapsack problem. Specifically, the underlying problem is this: given integers ''c'',''n'',''p'' and ''v''₀,...,''v''_''n'', find a vector $x \in \^n$ such that
:$c \equiv \prod_^n v_i^ \mod p$

The idea here is that when the ''v''_''i'' are relatively prime and much smaller than the modulus ''p'' this problem can be solved easily. It is this observation which allows decryption.

Key Generation

To generate a public/private key pair

*Pick a large prime modulus ''p''.
*Pick a positive integer ''n'' and for ''i'' from 0 to ''n'', set ''p''_''i'' to be the ''i''th prime, starting with ''p''₀ = 2 and such that $\prod_^np_i < p$.
*Pick a secret integer ''s'' < ''p''-1, such that gcd(''p''-1,''s'') = 1.
*Set v_i = \sqrt \mod p.

The public key is then ''p'',''n'' and ''v''₀,...,''v''_''n''. The private key is ''s''.

Encryption

To encrypt an ''n''-bit long message ''m'', calculate

:$c = \prod_^n v_i^ \mod p$

where ''m''_''i'' is the ''i''th bit of the message ''m''.

Decryption

To decrypt a message ''c'', calculate

:$m = \sum_^n \frac \times \left( \gcd(p_i,c^s \mod p) -1 \right)$

This works because the fraction

:$\frac$

is 0 or 1 depending on whether ''p''_''i'' divides ''c''^''s'' mod ''p''.

See also

*Merkle–Hellman knapsack cryptosystem
* Graham–Shamir knapsack cryptosystem

References

Original PaperRecent bandwidth improvement

{{DEFAULTSORT:Naccache-Stern knapsack cryptosystem
Public-key encryption schemes