Knapsack public-key encryption
Introduction
• In 1976, the idea of public key cryptography was introduced by Diffie and
Hellman;
• Later, other implementations of public-key cryptosystems were introduced, and these implementations can be put into two categories
– Public key cryptosystems based on hard number theoretic problems
– Public key cryptosystems related to knapsack problem.
PKC related to knapsack problems
• Merkle-Hellman system
• Graham-Shamir cryptosystem
• Morii-Kasahara cryptosystem
Knapsack type cryptosystem
• Are based on finding a solution to S=Σ xi ai, where ai is an element of a set A={ai | 0≤ai≤n-1}, S is a non-negative integer, and xi is a non-negative integer such that weight Σxi
Merkle-Hellman knapsack cryptosystem
• Find a binary n-vector x such that S=x*a, if x exists.
• A solution to the problem can be checked in at most n additions
• But finding a solution requires a number of operations that grows exponentially in n.
• The best published method for solving the problem requires 2^(n/2) complexity both in memory and time.
• The degree of difficulty of the problem is crucially dependent on the choice of a
• If a = (1, 2, 4, …, 2^(n-1)), then solving for x is equivalent to finding the binary representation of S.
• For all i x is also easily found
• xn = 1 iff S ≥ an, and for i=n-1,n-2,…,1 xi=1 iff
• Choosing ai independently and uniformly from the integers
between [1 ,2^n] generates a difficult problem with
probability tending to one as n tends to infinity
• A trapdoor knapsack is a very careful choice of a that lets the publisher easily solve for any x, and prevents others from finding the solution.
• Ex.
The user K generates a trapdoor knapsack vector a(K) and places it in a public file with his name and address. If someone wishes to send him the information x, then that person sends S=x*a(K).
• Then receiver will find x from S, and no one else can find
Trapdoor knapsack construction
• Designer will choose m and w, s.t. w is invertible modulo m (gcd(m,w)=1), then
• Select a’ that will allow solution of S’=a’*x
• To get a trapdoor knapsack transform a’ into:
As the ai are pseudo-randomly distributed, it will be difficult to solve the problem without knowing w and m, even if a is public.
Designer will compute as:
When m> Σai’
Example
• n=5; m=8443;
• a’= (171, 196, 457, 1191, 2410)
• w=2550, w^(-1) = 3950
• Then the designer will find a=(5457, 1663, 216, 6013, 7439), given S=1663+6013+7439=15115
• Using = 3950*15115 mod 8443 = 3797
• As S’>a’5, designer determines x5=1;
• Using x4=1, x3=0, x2=1, x1=0;
• Which is also the correct solution for S=a*x;
• It is good to use n=100, because it is the bottom end of the usable range for a secure system.
• It is good to choose
• m uniformly between 2^201+1 and 2^202-1;
• a’1 uniformly from the range [1, 2^100];
• a’2 uniformly from [2^100+1, 2*2^100];
• a’3 uniformly from [3*2^100+1, 4*2^100]
• a’i uniformly from [(2^(i-1)-1)*2^100+1, 2^(i-1)*2^100];
• a’100 uniformly from [(2^99-1)*2^100+1, 2^99*2^100];
• w’ uniformly from [2, m-2] and then divided by gcd(w’,m) to get w
• The main reason for choosing these numbers is that an attacker has at least 2^100 possibilities for each of these parameters.
• ai will be distributed pseudo-randomly between 1 and m-1, and will require a 202-bit representation.
• S also requires a 202-bit representation, which results in a 2.09:1 data expansion from x to S
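The trapdoor construction and the n=5, m=8443 example above, as a runnable sketch. This is an added example, not code from the original slides; the function names are hypothetical, and the key transform a_i = w*a'_i mod m is inferred from the example's numbers.

```python
from math import gcd

def is_superincreasing(seq):
    """True when every weight exceeds the sum of all earlier weights."""
    total = 0
    for v in seq:
        if v <= total:
            return False
        total += v
    return True

def make_public_key(a_easy, m, w):
    """Hide the easy knapsack a' as a_i = w * a'_i mod m."""
    if not is_superincreasing(a_easy):
        raise ValueError("a' must be superincreasing")
    if m <= sum(a_easy):
        raise ValueError("m must exceed sum(a') or decryption is ambiguous")
    if gcd(m, w) != 1:
        raise ValueError("w must be invertible modulo m")
    return [(w * ai) % m for ai in a_easy]

def encrypt(x_bits, a_pub):
    """S = x * a, computed from the public vector only."""
    if len(x_bits) != len(a_pub) or any(b not in (0, 1) for b in x_bits):
        raise ValueError("x must be a binary vector of length n")
    return sum(b * ai for b, ai in zip(x_bits, a_pub))

def decrypt(S, a_easy, m, w):
    """S' = w^-1 * S mod m, then solve the easy knapsack from a'_n down."""
    s_easy = (pow(w, -1, m) * S) % m
    x = [0] * len(a_easy)
    for i in reversed(range(len(a_easy))):
        if s_easy >= a_easy[i]:
            x[i] = 1
            s_easy -= a_easy[i]
    if s_easy != 0:
        raise ValueError("S is not a valid ciphertext for this key")
    return x

# Values from the n=5 example on this page.
A_EASY, M, W = [171, 196, 457, 1191, 2410], 8443, 2550
A_PUB = make_public_key(A_EASY, M, W)

if __name__ == "__main__":
    S = encrypt([0, 1, 0, 1, 1], A_PUB)
    print(A_PUB, S, decrypt(S, A_EASY, M, W))
```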
Multiplicative trapdoor knapsack (Naccache-Stern cryptosystem)
• n=4, m=257, a’=(2,3,5,7), base of the log b=131;
a=(80,183,81,195) => 131^80 = 2 mod 257, 131^183 = 3 mod 257
If S=183+81=264, and we need to find the solution to S=a*x,
S’=131^264 mod 257 = 15 = (2^0)*(3^1)*(5^1)*(7^0)
This implies that x= (0, 1, 1, 0)
• it is necessary that
It will be hard for an attacker to solve the problem knowing only the public information a and not the trapdoor information m, a’, b
• To ensure that the system is secure, n=100, a’i is a random 100-bit prime number and m is ≈10 000 bits long
Attackers
• Shamir was the first one who successfully broke the Merkle-Hellman system.
• Brickell also found a way to attack this system
• Odlyzko broke the cryptosystem when the multiplicative knapsack was used
This cryptosystem is not suitable for generating digital
signatures.
Graham-Shamir cryptosystem
• Purpose: To eliminate the potential weaknesses of the Merkle-Hellman cryptosystem represented by the small values of the easy knapsack vector weights;
• Idea: To use structured numbers, where the low-order parts are a super increasing sequence and the high-order parts are strings of random bits;
Example
• ai = (2,3,6)
• binary representation: 2=010; 3=011; 6=110;
• b1=101 010 = 42; 101 -> randomly chosen
• b2=011 011 = 27; 011 -> randomly chosen
• b3=111 110 = 62; 111 -> randomly chosen
Knapsack (42, 27, 111) is larger than (2,3,6) and the super increasing sequence is hidden, which is why the new knapsack is more secure.
• This cryptosystem was broken by Adleman, who used lattice
reduction;
Morii-Kasahara Cryptosystem
• Very similar to Merkle-Hellman’s multiplicative knapsack scheme;
• But whereas the Merkle-Hellman version uses a multiplicative knapsack as the easy knapsack and an additive one as the hard knapsack, Morii-Kasahara uses only a multiplicative knapsack.
• Uses the discrete log problem in its construction;
Morii-Kasahara Cryptosystem
• Secret keys:
– vector a=(a1,a2,..,am) where gcd(ai,aj)=1;
– Encryption key e where gcd(p-1, e) =1;
– Decryption key d where e*d= 1 mod (p-1);
• Public keys:
– Prime modulus p where p>Πai
– Vector c where c=a^e mod p;
Morii-Kasahara Cryptosystem
• Encryption:
where x=(x1,x2,…,xm) is a message;
• Decryption:
Example
• a=(2, 3, 5, 7); m=211; where m>Πai=2*3*5*7=210;
• pick p=211 and e=19 such that gcd(p-1,e)=1 mod(p-1);
• compute d=199
• Transform easy knapsack to hard knapsack by c=a^e mod p,
c=(164,39,114,85)
• Assuming that x=(1, 1, 0, 1) and using the encryption formula
S= 164^1 * 39^1 * 114^0 * 85^1 = 124 (mod 211);
• To decipher, transform S to S’=S^d (mod p) = 124^199 mod 211 = 42
• Easy knapsack 2^(x1) * 3^(x2) * 5^(x3) * 7^(x4) = 42;
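The key setup and the p=211, e=19 example above, as a runnable sketch. This is an added example, not code from the original slides; the function names are hypothetical, and the encryption and decryption steps follow the worked numbers (S = Π ci^xi mod p, then S’ = S^d mod p read off by divisibility).

```python
from math import gcd, prod

def keygen(a, p, e):
    """Return (public vector c, private exponent d) for secret a, e and modulus p."""
    if any(gcd(a[i], a[j]) != 1 for i in range(len(a)) for j in range(i)):
        raise ValueError("secret weights must be pairwise coprime")
    if p <= prod(a):
        raise ValueError("p must exceed the product of all a_i")
    if gcd(p - 1, e) != 1:
        raise ValueError("e must be invertible modulo p-1")
    d = pow(e, -1, p - 1)               # e*d = 1 mod (p-1)
    c = [pow(ai, e, p) for ai in a]     # hard knapsack c = a^e mod p
    return c, d

def encrypt(x_bits, c, p):
    """S = prod(c_i ^ x_i) mod p for a binary message x."""
    if len(x_bits) != len(c) or any(b not in (0, 1) for b in x_bits):
        raise ValueError("x must be a binary vector matching the key length")
    S = 1
    for b, ci in zip(x_bits, c):
        if b:
            S = (S * ci) % p
    return S

def decrypt(S, a, d, p):
    """S' = S^d mod p equals prod(a_i ^ x_i); x_i = 1 iff a_i divides S'."""
    s_easy = pow(S, d, p)
    x = [1 if s_easy % ai == 0 else 0 for ai in a]
    # Reject values that are not a product of distinct secret weights.
    if prod(ai for ai, b in zip(a, x) if b) != s_easy:
        raise ValueError("S is not a valid ciphertext for this key")
    return x, s_easy

# Values from the example on this page.
A_SECRET, P, E = [2, 3, 5, 7], 211, 19
C_PUB, D = keygen(A_SECRET, P, E)

if __name__ == "__main__":
    S = encrypt([1, 1, 0, 1], C_PUB, P)
    print(C_PUB, D, S, decrypt(S, A_SECRET, D, P))
```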
Evaluation of knapsack cryptosystem
• Most knapsack cryptosystems were broken.
• Knapsack is an NP-complete problem; if someone creates a knapsack cryptosystem that matches the difficulty of the knapsack problem, it will be better than those based on integer factorization and discrete logarithm.
• This cryptosystem offers high speed. Ex. when weight n=100, the Merkle-Hellman system is >100 times faster than RSA
Quiz
• 1. Who invented the idea of knapsack cryptosystem?
• 2. What does “Super increasing sequence” mean?
• 3. What is the main reason in Merkle-Hellman’s system for choosing n=100?
• 4. What is the formula for encrypting a plaintext message in a knapsack type cryptosystem?
• 5. Who was the first person who broke Merkle and Hellman’s scheme?