Merkle offered 100 award for breaking singly iterated knapsack Singlyiterated Merkle Hellman KC was broken by Adi Shamir in 1982 At the CRYPTO 83 conference Adleman used an Apple II computer to demonstrate Shamirs method ID: 326950
Download Presentation The PPT/PDF document "Merkle-Hellman Knapsack Cryptosystem" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Merkle-Hellman Knapsack Cryptosystem
Merkle offered $100 award for breaking singly - iterated knapsack
Singly-iterated Merkle - Hellman KC was broken by Adi Shamir in 1982
At the CRYPTO ’83 conference, Adleman used an Apple II computer to demonstrate Shamir’s method
Merkle offered $1000 award for breaking multiply-iterated knapsack
Multiply-iterated Merkle-Hellman knapsack was broken by Brickell in 1985Slide2
Classical Knapsack Problem
General 0-1 knapsack problem: given
n
items of different values
v
i
and weights
w
i
, find the most valuable subset of the items while the overall weight does not exceed a given capacity WSlide3
Subset-Sum Problem
Subset – Sum problem is a special case of knapsack problem when a value of each item is equal to its weight
Input: set of positive integers:
A
= {
a
1
,
a
2
, …
a
n
} and the positive integer
S
Output:
TRUE, if there is a subset of
A
that sums to
S
and the subset itself
FALSE otherwise.
The subset-sum problem is NP-hardSlide4
Easy Knapsack Problem
An easy knapsack problem is one in which set
A
= {
a
1
,
a
2
, …
a
n
} is a super-increasing sequence
A super-increasing sequence is one in which the next term of the sequence is greater than the sum of all preceding terms:
a
2
>
a
1
,
a
3
>
a
1
+
a
2
,….,
a
n
>
a
1
+
a
2
+…+
a
n
-1
Example: A= {1, 2, 4, 8, …2
n-
1
} is super-increasing sequenceSlide5
Polynomial Time Algorithm for Easy Knapsack Problem
Input:
A
= {
a
1
, …
a
n
} is super-increasing sequence, and
S >
0
Output: TRUE and
P
– binary array of n elements,
P
[
i
] =1 means:
a
i
belongs to subset of
A
that sums to
S
,
P
[0] = 0 otherwise.
The algorithm returns FALSE if the subset doesn’t exist
for
i
n
to
1
if
S
a
i
then
P
[
i
]
1
and
S
S
-
a
i
else
P
[
i
]
0
if
S
!= 0
then return
(FALSE – no solution)
else return
(
P
[1],
P
[2], …
P
[
n
]). Slide6
Example
Input: A= {1, 2, 4, 8}, S = 11
Solution:
i = 4, S = 11 >= A[4] = 8, P[4]=1, S= S-A[4]=11-8=3
i=3, S=3 < A[3]=4, P[3]=0
i=2, S=3 >= A[2]=2, P[2]=1, S=S-A[2]=3-2=1
i=1, S=1 >= A[1]=1 P[1]=1, S=S-A[1]=1-1=0
Final answer: P[1]P[2]P[3]P[4]=1101Slide7
Merkle-Hellman Additive Knapsack Cryptosystem
Alice:
1. Constructs the Knapsack cryptosystem
2. Publishes the public key
3. Receives the ciphertext
4. Decrypts the ciphertext using private key
Bob:
Encrypts the plaintext using public key
Sends the plaintext to AliceSlide8
Alice Knapsack Cryptosystem Construction
Chooses
A
= {
a
1
, …
a
n
} super-increasing sequence,
A
is a private (easy) knapsack
a
1
+ …+
a
n
= E
Chooses
M
- the next prime larger than
E
.
Chooses
W
that satisfies 2
W
<
M
and
(
W
,
M
) = 1(W is relatively prime with M)
Computes Public (hard) knapsack
B
= {
b
1
, ….
b
n
}, where
b
i
= Wa
i
(
mod
M),
1
i n
Keeps Private Key:
A, W, M
Publishes Public key
: BSlide9
Example: ALICE creates Public and Private Keys
Alice Private Key:
A
= {1, 2, 4, 8} – super increasing
E =
1+2+4+8
=
15 and
M
= 17 first prime > 15
W
= 7, 2
W
< 17, and (7, 17) = 1
Public Key:
(
1*7) mod 17 = 7
(2*7) mod 17 = 14
(4*7) mod 17 = 28 mod 17 = 11
(8*7) mod 17= 56 mod 17 = 5
Public Key: B = {7, 14, 11, 5}Slide10
Bob – Encryption Process
Binary Plaintext
P
breaks up into sets of
n
elements long:
P
= {
P
1
, …
P
k
}
For each set
Pi
compute
C
i
is the ciphertext that corresponds to plaintext
P
i
C = {C1, …Ck) is ciphertext that corresponds to the plaintext PC is sent to AliceSlide11
Example Continue: Bob Encryption
Bob Encryption:
Plaintext: 1101 0101 1110
Bob breaks the plaintext into blocks of 4 digits (since the public key has 4 numbers)
P={(1101), (0101), (1110)}={P1, P2, P3}
Ciphertext:
For P1 you take 1101 and multiply by public key:
C1= 1*7 + 1*14 + 0*11 + 1*5 = 26
For P2 and P3 do the similar
C2 = 0*7 + 1*14 + 0*11 + 1*5 = 19
C3 = 1*7 +1*14 +1*11 + 0*5 = 32
Bob Sends Alice the following ciphertext:
C={26, 19, 32}Slide12
Alice – Decryption Process
Computes
w
, the multiplicative inverse of
W
mod
M
:
wW
1 (mod
M
)
The connection between easy and hard knapsacks:
Wa
i
=
b
i
(mod
M
) or
wbi = ai (mod M
)
1
i n
For each Ci computes: Si = wCi (mod M)Plaintext Pi could be found using polynomial time algorithm for easy knapsackSlide13
Example continue: Alice Decryption:
w
= 5 – multiplicative inverse of 7 (mod 17)
5*26 (mod 17) = 11
5*19 (mod 17) = 10
5* 32 (mod 17) = 7
Plaintext:
P1 = 1101 (11 = 1*1 + 1*2 +0*4 + 1*8)
P2 = 0101 (10 = 0*1 + 1*2 + 0*4 + 1*8)
P3 = 1110 (7 = 1*1 + 1*2 + 1*4 + 0*8)Slide14
Final Project
For final project you will implement the additive knapsack cryptosystem encryption, decryption and cryptanalysis.
The project will be divided into 3 parts
Part I: Encryption and
Decryption– 80
% of the grade
Part II: Dynamic Programming Algorithm Implementation of Cryptanalysis (without backtracking)
–– 10
% of the grade
Part III: Dynamic Programming Algorithm Backtracking
––
10% of the
grade
Testing quiz will be done in class on Thursday, June 27
If you have difficulties to implement Part II or/and Part III you can receive up
to 3.5
points for each part for solving testing quiz by hand.Slide15
Part I – Encryption and Decryption
Write a program that can do either encryption or decryption. The program must take two inputs.
The first input must be either 1 or 2, with 1 signaling encryption and 2 signaling decryption.
The second input depends on the first input.
In case of encryption, the second input - plaintext - is a binary string – sequence of 0’s and 1’s. You can assume that plaintext string's length is equal to public key sequence length and the maximal length of the string is 16 bits.
In case of decryption, the second input - ciphertext - is a decimal number.
Your program should generate the private key and the public key based on the knapsack cryptosystem algorithm.
Your program should output the private and public keys as well as encrypted or decrypted message accordingly. Also, print all intermediate important results to test your program for correctness.Slide16
PART II: Ciphertext
Only Cryptanalytic Attack on
Merkle
-Hellman Knapsack: Dynamic Programming Algorithm
Input:
B
={b
1
, b
2
, … b
n
} – public key,
C - ciphertext
Output:
The binary array P – plaintext
Algorithm:
Let
Q
[
i, j] be TRUE if there is a subset of first i elements of B that sums to j, 0 ≤ i ≤ n , 0 ≤ j ≤ C
Step 1: Computation of P
Q
[0][0]
TRUEfor j = 1 to C do: Q[0][j] FALSE for i = 1 to n do: for j = 0 to C do: if (j – B
[
i
] < 0): Q[
i
][
j
] = Q[
i
-1][
j
]
else: Q[
i
][
j
] = Q[
i
-1][
j
-B[
i
]]
or
Q[
i
-1][
j
]
Slide17
Step 2: Backtracking
Let
P
be an array of
n
+ 1 elements initialized to 0
i
n
,
j
C
while i > 0:
if (j –
B
[i]) ≥ 0):
if (
Q[i-1][j-B[i]] is True): P[i] P[i] + 1
j
j –
B
[i] i i – 1 else: i i – 1Output: array P, elements of P that equal to 1 construct a desired subset of B that sums to CSlide18
EXAMPLE
Input: B={1, 4, 5, 2}, C =3
Q[i-1][j-B[i]]
or
Q[i-1][j]
j = 0
j = 1
j = 2
j = 3
i = 0
TRUE
FALSE
FALSE
FALSE
i = 1
B[1] =1
TRUE
TRUE
Element is taken
FALSE
FALSE
i = 2
B[2] = 4
TRUE
TRUE
FALSE
FALSE
i = 3
B[3] = 5
TRUE
TRUE
FALSE
FALSE
i = 4
B[4] = 2
TRUE
TRUE
TRUE
TRUE
Element is takenSlide19
Part I Bonus
BONUS – 10 points: plaintext string's length is an exact multiple of the public key sequence length
BONUS – 10 points: the plaintext is the string of lower case letters. In this case your program first will find the binary equivalent for each letter and after that will use the regular algorithm.