King Mongkut’s University of Technology Faculty of Information Technology Report: Knapsack Algorithm Prof. Reuven Aviv: Network Security (Winter 2008-9) Member Jarutorn Laokietkul (IMMIS) 50-7038-0-117 Sineenut Tonsaiphetch (IMMIS) 50-7038-0-026 Introduction Merkel and Hellman developed and encryption algorithm based on the knapsack problem. The knapsack problem suggests about a set of positive integers and a target sum, with the goal of finding a subset of the integers that summed to the target. The knapsack problem is NP-complete; implying that to solve it probably requires time exponential to the size of the problem The idea behind the Merkel-Hellman knapsack scheme is to encode a binary message as a solution to a knapsack problem, reducing the ciphertext to the target sum obtained by adding terms corresponding to 1s in the plaintext. That is, we convert blocks of plaintext to a knapsack sum by adding into the sum the terms that match with 1 bit in the plaintext. Knapsack Techniques In this section, we conclude about the detail of Merkel-Hellman techniques. 1. General Knapsacks Given a set of n weights W0, W1,…,Wn-1 and A target sum S. Then find a0,a1,…,an-1 where each ai ∑ {0,1} , so that Sum S= a0W0+a1W1+…+an-1Wn-1 For example Suppose that the weight are 85,13,9,7,47,27,99,86 and the desired sum is S=172. The problem is to find which of integers to select for the sum - Then a solution to solve the problem is given by a = (a0,a1,a2,a3,a4,a5,a6,a7) = (11001100) Weight a Selected Values 85 1 85 13 1 13 9 0 7 0 47 1 47 27 1 27 99 0 - With this solution, we can solve the problem by 85+13+47+27=172 86 0 Sum S=172 2. A superincreasing knapsacks It is similar to the general knapsacks except that when the weights are rearranged from least to greatest, each weight is greater than the sum of all preceding weights. For example, 3,6,11,25,46,95,200,411 It is a superincreasing knapsack. Solving a superincreasing knapsack problem is easy. Suppose we are given the set of weights and the sum S = 309. Solve: First, start with the largest weight and work toward the smallest to recover ai in linear time. Sum S Private Key Compare an Sum 309 411 S < 411 a7=0 309 309 200 S > 200 a6=1 309-200 = 109 109 95 S >95 a5=1 109-95 = 14 14 46 S < 46 a4=0 14 14 25 S < 25 a3=0 14 14 11 S > 11 a2=1 14-11 = 3 3 6 S<6 a1=0 3 3 3 S=3 a0=1 0 So, we find a=10100110 which can solve the problem by 200+95+11+3=309 Steps of Work The steps to construct a knapsack cryptosystem can conclude as follow, 1. Generate a superincreasing knapsack. 2. Convert the superincreasing knapsack into a general knapsack. 3. The public key is the general knapsack. 4. The private key is the superincreasing knapsack together with the conversion factors. For example 1. Choose the superincreasing knapsack. (2, 3, 7, 14, 30, 57, 120, 251) 2. Convert superincreasing into general knapsack, we use (a*m) mod n, a=member of superincreasing knapsack. m,n= relatively prime, in this example we choose m=41,n=491. n = greater than the sum of all elements in the superincreasing knapsack. The general knapsack is computed from the superincreasing knapsack by modular multiplication: Superincreasing(a) m n (a*m) mod n 2 41 491 82 3 41 491 123 7 41 491 287 14 41 491 83 30 41 491 248 57 41 491 373 120 41 491 10 251 41 491 471 The resulting general knapsack is (82, 123, 287, 83, 248, 373, 10, 471) 3. The public key is the general knapsack Public key: (82, 123, 287, 83, 248, 373, 10, 471). 4. The private key is the superincreasing knapsack together with the modular inverse of the conversion factor m, that is Private key: (2, 3, 7, 14, 30, 57, 120, 251) Then find inverse of m for doing decrypt the message m−1 mod n = 41−1 mod 491 = 12. From these equation, x=ap-2modp ;a=41,p=491 41x=1mod491 41*12=491+1 So inverse of m is 12 Encrypting a Message For example, Alice wants to encrypt Message M=150 for Bob then Alice convert it into binary message, so that we can get binary message like this, 150=1001 0110 Then Alice has a Bob’s public key (82, 123, 287, 83, 248, 373, 10, 471). Alice uses the 1 bits to select the elements of the general knapsack that are summed to give the ciphertext. In this case, Alice finds C=82+83+373+10=548 Decrypting a Message After that Bob gets a ciphertext C=548 from Alice and then uses his private key (2, 3, 7, 14, 30, 57, 120, 251) to decrypt Alice’s message. Cm-1 mod n=548*12 mod 491=193 Sum=193 (Doing Superincreasing) Sum S Private Key Compare an(Binary message) Sum 193 251 S<251 a7=0 193 193 120 S>120 a6=1 193-120=73 73 57 S>57 a5=1 73-57=16 16 30 S<30 a4=0 16 16 14 S>14 a3=1 16-14=2 2 7 S<7 a2=0 2 2 3 S<3 a1=0 2 2 2 S=2 a0=1 0 Binary Message that already doing decryption in this table is equal to 1001 0110 Then, Bob solves the superincreasing knapsack for 193 as in the table. Public Key 471 82 123 287 83 248 373 10 Private Key 3 7 2 14 30 57 120 251 Sum=2+14+57+120150 =193 Binary message 0 0 0 0 1 1 1 1 This is an easy problem from which Bob recovers the original message in binary 1001 0110 or, in decimal M=150. Advantage and Disadvantage • Efficient algorithm of the feasibility form of the problems helps to find such a solution easily • Easy to attack. Security of Knapsack - First, knapsack technique has been broken already by cryptanalysis but that not brute-force. - Public keys can reconstruct by use the superincreasing knapsack and found by Shamir and Zippel. - Many Knapsack variants also have been totally broken, it seems that Knapsack concept is not secure any more.