Transcript
Page 1: Security in Computing Chapter 12, Cryptography Explained Part 5

Security in Computing Chapter 12, Cryptography Explained

Part 5

Summary created by Kirk Scott

• This set of overheads corresponds to the first portion of section 12.3 in the book

• The overheads for Chapter 12 roughly track the topics in the chapter

• Keep this in mind though:

• On some topics I simply go over the book’s material

• On other topics I expand on the book’s material in a significant way

• You are responsible not just for what’s in the book, but also what’s in the overheads that’s not in the book

The Knapsack Problem and Merkle-Hellman Encryption

The Knapsack Problem and Superincreasing Knapsacks

• Given some set S = {a1, a2, a3, …, an}, ai >= 0,

• Given some target sum T

• Is there a vector V = (v1, v2, v3, …, vn) where vi is either 0 or 1, such that:

$$\sum_{i=1}^{n} a_i v_i = T$$

• Given no additional information about S and T, the problem is NP-complete.

• The knapsack problem might serve as the basis of a sound encryption system.

• The idea is to have some particular S

• Let the plaintext consist of a sequence of binary digits and let it play the role of V

• And encode the plaintext as T, the vector product of S and V.

• Finding the vector V, the original plaintext, that led to the sum T, the encryption, would be an NP-complete problem.

• This will not work if the intended receiver has to solve the NP-complete problem in order to read the message.

• The question is how to turn this into a public key encryption system.

• Accomplishing this involves choosing a special kind of set, S, and doing a transformation on S and T.

• First, here is an example illustrating encryption:

• Let the set, or knapsack, be: (1, 2, 5, 9, 20, 43)

• Let the plaintext be: (1, 0, 1, 0, 0, 1)

• Then the elements of the sum would be: 1, 5, 43

• And the encryption would be: T = 49

• The knapsack: (1, 2, 5, 9, 20, 43)

• Observe that the knapsack has a special characteristic.

• Every element of the knapsack is greater than the sum of all prior elements of the knapsack.

• Mathematically:

$$a_k > \sum_{i=1}^{k-1} a_i$$

• A knapsack with this particular characteristic makes the solution of the decryption problem extremely easy.

• In other words, if the knapsack has this characteristic, finding V given T is not an NP-complete problem.

• Finding the vector V that corresponds to some sum T can be accomplished by working through S from the largest element to the smallest.

• If an element s of S is less than or equal to the current value of T, s has to be in the solution.

• This means that there is a corresponding 1 in the solution vector.

• You update T by subtracting s from it and going to the next smaller element of S.

• The fact that S is superincreasing makes this approach work.

• If s is less than or equal to T, s has to be in the solution because the sum of the remaining elements of S is even less than s.

• The decryption process for the example given above is shown on the following overhead.

• S = (1, 2, 5, 9, 20, 43)

• T = 49

• 43 is less than 49, so 43 is in the solution.

• 49 – 43 = 6.

• 20 and 9 are bigger than 6, so they are not in the solution.

• 5 is less than 6, so 5 is in the solution.

• 6 – 5 = 1.

• 2 is bigger than 1, so it’s not in the solution.

• 1 = 1, so the knapsack has a solution, 1 is in it, and the process is complete.

• The vector corresponding to the values in the sum is (1, 0, 1, 0, 0, 1).

• It is true that there are values for T which would not have a solution.

• For example, you could find no V which gave 24 as a solution.

• However, this is not a problem because that implies that no plaintext V would ever result in 24 when multiplied by S.

2. Modular Arithmetic and Transforming Superincreasing Knapsacks

• Superincreasing knapsacks are also known as simple knapsacks because the solution to the knapsack problem using them is simple.

• For cryptographic purposes it is necessary to transform the knapsack so that it is not superincreasing.

• Such a knapsack is known as a hard knapsack because the general solution to the decryption problem is then NP-complete.

• In order for this to work, the transformation has to be invertible so that the intended receiver can convert the problem back to the simple one for decoding purposes.

• The Merkle-Hellman approach is to convert the knapsack using modular arithmetic.

• The math needed in order to do this will not be proven in this set of notes.

• Instead, it will just be introduced in the form of observations as needed along the way.

• Observation 1:

• Given some set of superincreasing values, and given values w and n:

• Multiplying the elements of the set by w mod n in general does not give back a superincreasing set of values.

• For example:

• S = (1, 3, 6), w = 5, n = 11

• Transforming S by taking each element times 5 mod 11 gives:

• (5, 4, 8)

• This is clearly not a superincreasing sequence.

• It would be possible to pose such questions as:

• Can such a transformation ever give back a superincreasing sequence?

• Do the resulting sequences have other special properties even though they’re not superincreasing?

• It is not our purpose to try and answer these questions.

• It is sufficient to know that in general, it is probably possible to pick values for w and n that transform a knapsack into something non-superincreasing.

• Observation 2:

• Even though we don’t have the details yet on how to go back and forth between encryption and decryption and a hard knapsack and a simple knapsack, the claim was made that we’ll need the transformation to be invertible.

• If n is composite, then not all elements of the modular ring base n are invertible.

• If n and w are relatively prime, then w is invertible.

• If n is prime, then the modular structure is a field and all of its elements except 0 are invertible.

• In choosing w and n, it is sufficient simply to choose n prime, and it follows that multiplication by w in the modular field, no matter what w is, is invertible.

• Observation 3:

• The general plan of action for implementing this encryption is the following:

• Encryption:

• The transformed, hard knapsack is distributed as a public key.

• Messages encoded in them result in sequences of integers.

• To an outsider, the task of decoding the integers is NP-complete.

• Decryption:

• The corresponding simple knapsack and the values w and n are held as the private key.

• The intended receiver transforms the integers of the encrypted message using w and n, and decrypts against the simple knapsack, which is not an NP-complete problem.

• It should be noted that the book emphasizes the simple knapsack as the private key.

• In fact, it’s w and n that are fundamental, because given the hard knapsack and w and n, you can obtain the simple knapsack.

• Also it is not possible to decode without having w and n, because the message itself has to be transformed using w and n before solving the knapsack problem.

• Finally, it is not possible to decode, in fact, without having the inverse of w, $w^{-1}$.

• This can be derived from w and n, and in effect is also part of the “key” to the cipher.

• The book makes a comment that might be helpful in understanding how an NP-complete problem can be the basis for an encryption scheme.

• You might say that Merkle-Hellman knapsacks have an intentional trapdoor.

• Although the knapsack problem is NP-complete in general, knowledge of w and n allows decryption.

• The trapdoor, w and n, is not a fault that an outsider might capitalize on.

• It’s an intentional part of the system that is the basis for decryption.

• Observation 4:

• We still have the problem of choosing w and n.

• We have established that n prime will suit our purposes.

• That means that w will be any value less than n, but not 0 or 1.

• We hope that our choice will result in a non-superincreasing knapsack.

• If it doesn’t, we should choose again.

• (It’s unlikely that that will ever be necessary.)

• What other characteristics of w and n are necessary?

• n has to be greater than the largest element in S.

• If this is to be an invertible transformation in a modular field, it would not be possible to have a starting element which is not in the field.

• The book states without explanation that n should actually be greater than the sum of the elements of S.

• It is not clear to me why this additional constraint is necessary, but we will follow along and all examples will conform to this requirement, rather than the simpler requirement that n be larger than the largest element in S.

3. An Example

• This example gives an illustration of how to use Merkle-Hellman knapsacks for encoding.

• It also illustrates the use of inverses.

• Start with the example already given above:

• Plaintext: (1, 0, 1, 0, 0, 1)

• S: (1, 2, 5, 9, 20, 43)

• We need a prime number n larger than the sum of the elements of S.

• The smallest prime number that meets that requirement is 83.

• We also need some w.

• In order to make the multiplications easy, take w = 10 for example.

• Then transform the knapsack by multiplying each element by 10 mod 83.

• The hard knapsack is:

• H: (10, 20, 50, 7, 34, 15)

• Observe that without taking special care in choosing w, the new knapsack is not superincreasing.

• This characteristic is necessary.

• The hard knapsack is the public key.

• Encode the plaintext using this knapsack:

• Let the plaintext be: (1, 0, 1, 0, 0, 1)

• Let the knapsack be: (10, 20, 50, 7, 34, 15)

• Then the elements of the sum would be: 10, 50, 15

• And the encryption would be: T = 75

• In order to go any further and illustrate decryption you need the inverse of w in the modular field base n.

• By Fermat’s theorem, $w^{-1} = w^{n-2} \bmod n = 10^{81} \bmod 83$.

• This is unpleasant from a computational point of view.

• Presumably, the extended Euclidean algorithm would be better.

• Luckily, simple searching quickly yields an inverse.

• Observe that 3 * 83 = 249 while 10 * 25 = 250. In other words:

• 10 * 25 = 3 * 83 + 1, or 10 * 25 mod 83 = 1.

• In other words, the product of 10 and 25 gives the multiplicative identity in the field.

• By definition, then, 10 and 25 are inverses in the field.
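
Added example (not part of the book or the original overheads): the inverse found above by searching, computed with the extended Euclidean algorithm and checked against the Fermat formula, plus a listing of the nonzero residues that have no inverse when the modulus is composite. The function names are assumptions of this sketch, and 84 is a constructed composite modulus.

```python
def extended_gcd(a, b):
    """Return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y


def mod_inverse(w, n):
    """Inverse of w modulo n, or None when w and n are not relatively prime."""
    g, x, _ = extended_gcd(w % n, n)
    if g != 1:
        return None
    return x % n


def non_invertible(n):
    """Nonzero residues modulo n that have no multiplicative inverse."""
    return [w for w in range(1, n) if mod_inverse(w, n) is None]


if __name__ == "__main__":
    w, n = 10, 83                                   # values from the overheads
    inv = mod_inverse(w, n)
    print("extended Euclid:     ", inv)
    print("Fermat, w^(n-2) mod n:", pow(w, n - 2, n))
    print("w * inverse mod n:   ", (w * inv) % n)
    print("no inverse mod 83:", non_invertible(83))  # prime modulus: empty list
    print("no inverse mod 84:", non_invertible(84))  # composite modulus (constructed)
```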

• The message was created using the hard knapsack.

• To decrypt the message using the simple knapsack, it’s necessary to invert the ciphertext in the modular field.

• This is the first step in decryption.

• 75 * 25 mod 83 = 49.

• Strictly speaking you don’t have to retrieve the original knapsack S by inverting the elements of the public key.

• You just assume that you kept a copy.

• You now decrypt T = 49 against this superincreasing knapsack—a non NP-complete task.

• What’s shown on the following overhead is simply a repetition of the illustration of section 1 of these overheads.

• S = (1, 2, 5, 9, 20, 43)

• T = 49

• 43 is less than 49, so 43 is in the solution.

• 49 – 43 = 6.

• 20 and 9 are bigger than 6, so they are not in the solution.

• 5 is less than 6, so 5 is in the solution.

• 6 – 5 = 1.

• 2 is bigger than 1, so it’s not in the solution.

• 1 = 1, so the knapsack has a solution, 1 is in it, and the process is complete.

• The vector corresponding to the values in the sum is (1, 0, 1, 0, 0, 1).
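
Added example (not from the book or the original overheads): the greedy solution of the simple knapsack from section 1 and the full encrypt/decrypt round trip of this section, using the S, w and n given above. Function names are assumptions of this sketch; the last case, with n = 47, is constructed to show what happens when n exceeds the largest element of S but not the sum of its elements, so that the true sum 49 is only recovered modulo n.

```python
S = [1, 2, 5, 9, 20, 43]        # simple knapsack from the overheads
W, N = 10, 83                   # multiplier and prime modulus from the overheads


def is_superincreasing(s):
    """True if every element exceeds the sum of all earlier elements."""
    total = 0
    for a in s:
        if a <= total:
            return False
        total += a
    return True


def solve_simple(s, t):
    """Greedy solve, largest element first; None if t has no solution."""
    bits = [0] * len(s)
    for i in reversed(range(len(s))):
        if s[i] <= t:
            bits[i], t = 1, t - s[i]
    return bits if t == 0 else None


def transform(s, w, n):
    """Multiply each element by w mod n (no parameter checks)."""
    return [(a * w) % n for a in s]


def encrypt(bits, knapsack):
    """Ciphertext is the sum of the knapsack elements selected by the 1 bits."""
    return sum(a for a, v in zip(knapsack, bits) if v)


def decrypt(t, s, w, n):
    """Undo the multiplication by w, then solve against the simple knapsack."""
    return solve_simple(s, (t * pow(w, -1, n)) % n)   # pow(w, -1, n): Python 3.8+


if __name__ == "__main__":
    plain = [1, 0, 1, 0, 0, 1]
    hard = transform(S, W, N)
    t = encrypt(plain, hard)
    print("hard knapsack:", hard, "superincreasing:", is_superincreasing(hard))
    print("ciphertext:", t, "decrypts to:", decrypt(t, S, W, N))
    print("T = 24 against S:", solve_simple(S, 24))
    # Constructed case: 47 is prime and larger than 43, but smaller than sum(S) = 80.
    # The true sum 49 wraps around modulo 47, so the recovered plaintext is wrong.
    t47 = encrypt(plain, transform(S, W, 47))
    print("with n = 47:", decrypt(t47, S, W, 47))
```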

• It’s clear that with only 6 elements in the knapsack and a value of n that is still relatively small, solving the NP-complete problem would be possible.

• The book discusses the magnitude of choices for the various parameters of the encryption scheme which make it resistant to attack.

• For example, if the knapsack contained in the vicinity of 200 elements, and the value of n required in the vicinity of 200 binary digits to express, this would not be a trivial problem.

• The book also discusses the possible weaknesses of this scheme.

• I do not propose to try and wade through the book’s explanation.

• It can be summarized in this way, however.

• As noted before, just because a scheme is based on an NP-complete problem, that doesn’t mean that the cryptanalyst is limited to brute force attacks.

• The real private key in this case consists of the values w and n with n known to be prime, and the length of the knapsack known.

• Coming up with an informed scheme for guessing n and w might be a fruitful approach to breaking the code.

• As a matter of fact, Merkle-Hellman encryption is essentially considered to be “broken” now.

• Cryptanalytic techniques have been developed which essentially mean it’s a step-by-step process of bounded complexity to eventually find the key.

• Although Merkle-Hellman knapsacks would baffle amateurs, no commercial grade system would now be implemented using them.

• Even without going through the details of the cryptanalysis, it’s a good example of how even schemes built on hard problems contain patterns or weaknesses that can be exploited.

The End

