MerkleHellman Knapsack Cryptosystem n Merkle offered 100 award

Merkle-Hellman Knapsack Cryptosystem n Merkle offered $100 award for breaking singly - iterated knapsack n Singly-iterated Merkle - Hellman KC was broken by Adi Shamir in 1982 n At the CRYPTO ’ 83 conference, Adleman used an Apple II computer to demonstrate Shamir’s method n Merkle offered $1000 award for breaking multiply -iterated knapsack n Multiply-iterated Merkle-Hellman knapsack was broken by Brickell in 1985

Classical Knapsack Problem n General 0 -1 knapsack problem: given n items of different values vi and weights wi, find the most valuable subset of the items while the overall weight does not exceed a given capacity W

Subset-Sum Problem n Subset – Sum problem is a special case of knapsack problem when a value of each item is equal to its weight n Input: set of positive integers: A = {a 1, a 2, …an} and the positive integer S n Output: TRUE, if there is a subset of A that sums to S and the subset itself n FALSE otherwise. n n The subset-sum problem is NP-hard

Easy Knapsack Problem n An easy knapsack problem is one in which set A = {a 1, a 2, …an} is a super-increasing sequence n A super-increasing sequence is one in which the next term of the sequence is greater than the sum of all preceding terms: a 2 > a 1, a 3 > a 1 + a 2, …. , an > a 1 + a 2 +…+ an-1 n Example: A= {1, 2, 4, 8, … 2 n-1} is super-increasing sequence

Polynomial Time Algorithm for Easy Knapsack Problem n Input: A = {a 1, …an} is super-increasing sequence, and S >0 n Output: TRUE and P – binary array of n elements, P[i] =1 means: ai belongs to subset of A that sums to S, P[0] = 0 otherwise. The algorithm returns FALSE if the subset doesn’t exist for i n to 1 if S ai then P[i] 1 and S S - ai else P[i] 0 if S != 0 then return (FALSE – no solution) else return (P[1], P[2], …P[n]).

Example n Input: A= {1, 2, 4, 8}, S = 11 n Solution: n i = 4, S = 11 >= A[4] = 8, P[4]=1, S= S-A[4]=11 -8=3 n i=3, S=3 < A[3]=4, P[3]=0 n i=2, S=3 >= A[2]=2, P[2]=1, S=S-A[2]=3 -2=1 n i=1, S=1 >= A[1]=1 P[1]=1, S=S-A[1]=1 -1=0 n Final answer: P[1]P[2]P[3]P[4]=1101

Merkle-Hellman Additive Knapsack Cryptosystem Alice: 1. Constructs the Knapsack cryptosystem 2. Publishes the public key 3. Receives the ciphertext 4. Decrypts the ciphertext using private key Bob: 1. Encrypts the plaintext using public key 2. Sends the plaintext to Alice

Alice Knapsack Cryptosystem Construction n Chooses A = {a 1, …an} super-increasing sequence, A is a private (easy) knapsack a 1+ …+ an = E n Chooses M - the next prime larger than E. n Chooses W that satisfies 2 W < M and (W, M) = 1(W is relatively prime with M) n Computes Public (hard) knapsack B = {b 1, …. bn}, where bi = Wai (mod M), 1 i n n Keeps Private Key: A, W, M n Publishes Public key: B

Example: ALICE creates Public and Private Keys n Alice Private Key: n A= {1, 2, 4, 8} – super increasing n E = 1+2+4+8 = 15 and M = 17 first prime > 15 n W = 7, 2 W < 17, and (7, 17) = 1 n Public Key: (1*7) mod 17 = 7 (2*7) mod 17 = 14 (4*7) mod 17 = 28 mod 17 = 11 (8*7) mod 17= 56 mod 17 = 5 Public Key: B = {7, 14, 11, 5}

Bob – Encryption Process n Binary Plaintext P breaks up into sets of n elements long: P = {P 1, …Pk} n For each set Pi compute n Ci is the ciphertext that corresponds to plaintext Pi n C = {C 1, …Ck) is ciphertext that corresponds to the plaintext P n C is sent to Alice

Example Continue: Bob Encryption n Bob Encryption: n Plaintext: 1101 0101 1110 n Bob breaks the plaintext into blocks of 4 digits (since the public key has 4 numbers) n P={(1101), (0101), (1110)}={P 1, P 2, P 3} n Ciphertext: n For P 1 you take 1101 and multiply by public key: n C 1= 1*7 + 1*14 + 0*11 + 1*5 = 26 n For P 2 and P 3 do the similar n C 2 = 0*7 + 1*14 + 0*11 + 1*5 = 19 n C 3 = 1*7 +1*14 +1*11 + 0*5 = 32 n Bob Sends Alice the following ciphertext: n C={26, 19, 32}

Alice – Decryption Process n Computes w, the multiplicative inverse of W mod M: w. W 1 (mod M) n The connection between easy and hard knapsacks: Wai = bi (mod M) or wbi = ai (mod M) 1 i n n For each Ci computes: Si = w. Ci (mod M) n Plaintext Pi could be found using polynomial time algorithm for easy knapsack

Example continue: Alice Decryption: w = 5 – multiplicative inverse of 7 (mod 17) n 5*26 (mod 17) = 11 n 5*19 (mod 17) = 10 n 5* 32 (mod 17) = 7 n Plaintext: n P 1 = 1101 (11 = 1*1 + 1*2 +0*4 + 1*8) n P 2 = 0101 (10 = 0*1 + 1*2 + 0*4 + 1*8) n P 3 = 1110 (7 = 1*1 + 1*2 + 1*4 + 0*8) n

Final Project n For final project you will implement the additive knapsack cryptosystem encryption, decryption and cryptanalysis. n The project will be divided into 3 parts n n n Part I: Encryption and Decryption– 80% of the grade Part II: Dynamic Programming Algorithm Implementation of Cryptanalysis (without backtracking) –– 10% of the grade Part III: Dynamic Programming Algorithm Backtracking –– 10% of the grade n Testing quiz will be done in class on Thursday, June 27 n If you have difficulties to implement Part II or/and Part III you can receive up to 3. 5 points for each part for solving testing quiz by hand.

Part I – Encryption and Decryption n Write a program that can do either encryption or decryption. The n n n program must take two inputs. The first input must be either 1 or 2, with 1 signaling encryption and 2 signaling decryption. The second input depends on the first input. In case of encryption, the second input - plaintext - is a binary string – sequence of 0’s and 1’s. You can assume that plaintext string's length is equal to public key sequence length and the maximal length of the string is 16 bits. In case of decryption, the second input - ciphertext - is a decimal number. Your program should generate the private key and the public key based on the knapsack cryptosystem algorithm. Your program should output the private and public keys as well as encrypted or decrypted message accordingly. Also, print all intermediate important results to test your program for correctness.

PART II: Ciphertext Only Cryptanalytic Attack on Merkle-Hellman Knapsack: Dynamic Programming Algorithm n Input: B={b 1, b 2, … bn} – public key, C - ciphertext n Output: The binary array P – plaintext n Algorithm: Let Q[i, j] be TRUE if there is a subset of first i elements of B that sums to j, 0 ≤ i ≤ n , 0 ≤ j ≤ C Step 1: Computation of P Q[0][0] TRUE for j = 1 to C do: Q[0][j] FALSE for i = 1 to n do: for j = 0 to C do: if (j – B[i] < 0): Q[i][j] = Q[i-1][j] else: Q[i][j] = Q[i-1][j-B[i]] or Q[i-1][j]

Step 2: Backtracking Let P be an array of n + 1 elements initialized to 0 i n, j C while i > 0: if (j – B[i]) ≥ 0): if (Q[i-1][j-B[i]] is True): P[i] + 1 j j – B[i] i i– 1 else: i i – 1 Output: array P, elements of P that equal to 1 construct a desired subset of B that sums to C

EXAMPLE Input: B={1, 4, 5, 2}, C =3 j=0 j=1 j=2 j=3 i=0 TRUE FALSE i=1 B[1] =1 TRUE FALSE i=2 B[2] = 4 TRUE FALSE i=3 B[3] = 5 TRUE FALSE i=4 B[4] = 2 TRUE Element is taken Q[i-1][j-B[i]] or Q[i-1][j]

Part I Bonus n BONUS – 10 points: plaintext string's length is an exact multiple of the public key sequence length n BONUS – 10 points: the plaintext is the string of lower case letters. In this case your program first will find the binary equivalent for each letter and after that will use the regular algorithm.