8.6. Knapsack Ciphers8.6. Knapsack Ciphers

The ConceptThe Concept At the core of the Knapsack cipher is the At the core of the Knapsack cipher is the

Knapsack problemKnapsack problem: :

Given positive integers aGiven positive integers a11, a, a22,…,a,…,ann & S, & S,

which of the awhich of the aii integers add up to S. integers add up to S.

As an equation, solve for As an equation, solve for xxii either either 11 or or 00: :

S = aS = a11 x x11 + a + a22 x x22 + … + a + … + ann x xnn

Example: aExample: a11 = 2, a = 2, a22=3, a=3, a33=4, a=4, a44=7, a=7, a55=11, a=11, a66=13, a=13, a77=16 and S=18 =16 and S=18 Solutions: 16+2, 13+3+2, 11+4+3, 11+7, thusSolutions: 16+2, 13+3+2, 11+4+3, 11+7, thus (1,0,0,0,0,0,1); (1,1,0,0,0,1,0); (0,1,1,0,1,0,0); (0,0,0,1,1,0,0)(1,0,0,0,0,0,1); (1,1,0,0,0,1,0); (0,1,1,0,1,0,0); (0,0,0,1,1,0,0)

S = aS = a11 x x11 + a + a22 x x22 + … + a + … + ann x xn n

complexitycomplexity Good vs. Bad Good vs. Bad Difficult Calculations when n is large:Difficult Calculations when n is large:

Trial and Error Trial and Error 2 2nn possibilities for (x possibilities for (x11,x,x22,…,x,…,xnn))

infeasible to find all the infeasible to find all the solutions when n=100 or more solutions when n=100 or more

Easier to find solution for certain aEasier to find solution for certain a11, a, a22,…,a,…,ann::

aajj=2=2J-1J-1 SS = a= a11 x x11 + a + a22 x x22 + … + a + … + ann x xnn

= 2= 200 x x11 + + 2211 x x22 + … + + … + 22n-1n-1 x xnn

= x= xnn … x … x2 2 xx11 on binary form (base 2)on binary form (base 2)

Thus for the solution is:Thus for the solution is:

write S in the binary form! write S in the binary form!

Super Increasing SequencesSuper Increasing Sequences A type of sequence aA type of sequence a11, a, a22,…,a,…,ann for which it is for which it is

easier but not trivial to solve knapsack problemseasier but not trivial to solve knapsack problems super increasing sequence if super increasing sequence if

jjthth term > sum of the preceding values term > sum of the preceding values

ΣΣkk

(j-1) (j-1) aakk < a < aj j

forfor j = 2,3,…,nj = 2,3,…,n

Example1: Example1: (2, 3, 7, 13, 28) is super increasing (2, 3, 7, 13, 28) is super increasing(2, 3, 4, 7, 11, 13, 16) is not(2, 3, 4, 7, 11, 13, 16) is not

Example2 (pb 3): Example2 (pb 3): aaj+1j+1 > 2a > 2ajj super increasing sequence super increasing sequence Example3 (pb 2): Example3 (pb 2): aajj < 2 < 2j-1j-1 NOT NOT super increasing sequencesuper increasing sequence

Example of solving Knapsack problem Example of solving Knapsack problem for super increasing sequencefor super increasing sequence

((aa11=2, a=2, a22=3, a=3, a33=7, a=7, a44=13, a=13, a55=28) and S=40=28) and S=40 S≥ aS≥ a55 xx55 = 1 = 1 since asince a11+a+a22+a+a33+a+a44< a< a55=28=28

S- xS- x5 5 aa5 5 = 12 < a= 12 < a44 =13 =13 xx4 4 =0=0

S- (xS- (x5 5 aa5 5 + x+ x4 4 aa4 4 )=12 ≥ a)=12 ≥ a33 xx33 = 1 = 1

S- (xS- (x5 5 aa5 5 + x+ x4 4 aa4+ 4+ xx3 3 aa3 3 )=5 ≥ a)=5 ≥ a22 xx22 = 1 = 1

S- (xS- (x5 5 aa5 5 + x+ x4 4 aa44+x+x3 3 aa3 3 + x+ x3 3 aa3 3 )=2 ≥ a)=2 ≥ a11 xx11 = 1 = 1

Solution: (1,1,1,0,1)Solution: (1,1,1,0,1)

Super Increasing AlgorithmSuper Increasing Algorithm

SS = a= a11 x x11 + a + a22 x x22 + … + a + … + ann x xnn

n

nn aSif

aSifx

0

1

j

n

jkkk

j

n

jkkk

j

aaxSif

aaxSif

x

1

1

0

1

Public cryptosystem: Knapsack Ciphers Public cryptosystem: Knapsack Ciphers based on super increasing sequencesbased on super increasing sequences

Merkle and Hellman [MeHe78]. Merkle and Hellman [MeHe78]. Based on a transformed not super increasing sequence Based on a transformed not super increasing sequence

bb11, b, b22,…,b,…,bnn

from a simple super increasing from a simple super increasing

aa11, a, a22,…,a,…,ann

GivenGiven m> 2 a m> 2 ann andand ( (ωω,m)=1 ,m)=1 findfind ώώ

ώ ωώ ω ≡1(mod m) ≡1(mod m) ώ ώ ≡≡ ω ωΦΦ(m)-1 (m)-1 (mod m) (mod m)

Then Find Then Find bbjj

bbjj ≡ ≡ ωω a ajj (mod m) (mod m) aajj ≡ ≡ ώώ b bjj (mod m) (mod m)

ObservationsObservations IF S= bIF S= b11 x x11 + b + b22 x x22 + … + b + … + bnn x xnn ThenThen

ώώ S S ≡ ≡ ώώ b b11 x x1 1 + …+ + …+ ώώ b bnn x xnn

≡ ≡ aa11 xx1 1 + …+ a+ …+ ann xxnn (mod m)(mod m)

bb11, b, b22,…,b,…,bnn is not super increasing is not super increasing not easy to solve not easy to solve S= bS= b11 x x11 + +

bb22 x x22 + … + b + … + bnn x xnn

aa11, a, a22,…,a,…,ann is super increasing is super increasing easy to solve easy to solve

SS00= a= a11 x x11 + a + a22 x x22 + … + a + … + ann x xnn

wherewhere ώώ S S ≡ S≡ S00(mod m)(mod m)

One needs to know One needs to know m, m, ωω & & ώώ

Knapsack Cipher MethodKnapsack Cipher Method ChooseChoose a a11, a, a22,…,a,…,aN N along with along with

values for values for mm with with m>2am>2aNN, ,

and and ωω with ( with (ω, mω, m)=1)=1 ((bb11,…, b,…, bNN) is made public. ) is made public. Plaintext Plaintext PP is transformed into is transformed into

binary equivalentbinary equivalent using the using the table on the left (page 319).table on the left (page 319).

PP in binary is in binary is splitsplit into into segments of lensegments of length gth NN (if not (if not divisible by N, add 1s)divisible by N, add 1s)

Each segment will play the Each segment will play the role of role of (x(x11,x,x22,…,x,…,xNN))

Knapsack Cipher Method (cont.)Knapsack Cipher Method (cont.) For each segment For each segment (x(x11,x,x22,…,x,…,xNN) ) inin P, P, compute compute

S= bS= b11 x x11 + b + b22 x x22 + … + b + … + bNN x xNN CC= Ciphertext = Ciphertext

= the set of = the set of SS generated from each generated from each (x(x11,x,x22,…,x,…,xNN) ) inin P P

= difficult to find (x= difficult to find (x11,x,x22,…,x,…,xNN) from S) from S

Decryption when Decryption when mm & & ωω (thus (thus ώώ) are known) are known::

easy to solve for easy to solve for (x(x11,x,x22,…,x,…,xNN) ) with with

SS00= a= a11 x x11 + a + a22 x x22 + … + a + … + ann x xnn

wherewhere ώώ S S ≡ S≡ S00(mod m)(mod m)

ExampleExample P=BUY NOW=P=BUY NOW=000010000110100101001100011000011010110101110011101011010110 A=(3,5,9,20,44); m=89; A=(3,5,9,20,44); m=89; ωω=67=67 P= ([P= ([0,0,0,0,1],[0,0,0,0,1],[1,0,1,0,0],[1,0,1,0,0],[1,1,0,0,0],[1,1,0,0,0],[0,1,1,0,1],[0,1,1,0,1],[0,1,1,1,0],[0,1,1,1,0],[1,0,1,1,0])1,0,1,1,0])

= matrix notation= matrix notation

Encryption Encryption (B(BTT = transpose of B = Vertical vector B) = transpose of B = Vertical vector B) B≡B≡ ω ω A (mod 89) = (23,68,69,5,11) A (mod 89) = (23,68,69,5,11) C= PBC= PBTT = (11, 92,91,148,142,97 ) = (11, 92,91,148,142,97 )

Decryption:Decryption: ώ ώ ≡≡ ω ωΦΦ(m)-1 (m)-1 (mod m) =67(mod m) =678787= 4 (mod 89)= 4 (mod 89) SS00 ≡ ≡ ώώ S (mod m) S (mod m) ≡ 4*C = (44, 368, 364, 592, 568, 388)≡ 4*C = (44, 368, 364, 592, 568, 388)

≡ ≡ [44, 12, 8, 58, 34, 32] [44, 12, 8, 58, 34, 32] (mod 89) (mod 89) Use Knapsack algorithm to solve SUse Knapsack algorithm to solve S00= a= a11 x x11 + a + a22 x x22 + … + a + … + ann x xnn

For example: For example: 44= 44(1) 44= 44(1) 00001 00001 B B

12=9 (1) + 3(1)12=9 (1) + 3(1) 1010010100 U U

8= 3(1)+ 5 (1) 8= 3(1)+ 5 (1) 11000 11000 Y Y

CryptanalysisCryptanalysis Knapsack Ciphers were a popular form of public key Knapsack Ciphers were a popular form of public key

cryptography.cryptography. In 1982, Shamir (see [Sh84] & [Od 90]) In 1982, Shamir (see [Sh84] & [Od 90]) efficient efficient

method to solve method to solve S= bS= b11 x x11 + b + b22 x x22 + … + b + … + bNN x xNN, , thus find thus find xx11xx22…x…xNN from the from the transformedtransformed public key public key bb11bb22 …b …bNN

There exists an algorithmto find the solution using There exists an algorithmto find the solution using O(P(n)) O(P(n)) bit operations where bit operations where PP is a polynomial instead of is a polynomial instead of the exponential time the exponential time

Adjustments can be made to protect it from such Adjustments can be made to protect it from such weaknesses, such as using several successive weaknesses, such as using several successive transformations with transformations with (ω(ωii,m,mii) ) to form to form bb11bb22 …b …bNN