Knapsack Cipher

0-1 knapsack problem Given a positive integer C and a vector A=(a 1,...,a n ) of positive integers, find a subset of the elements of A that sum to C; that is, find a binary vector M=(m 1,...,m n ) such that C=AM, or

Example of 0-1 knapsack problem Let n=5, C =14, and A=(1,10,5,22,3). Then M=(1,1,0,0,1) is a solution. The knapsack problem is an NP- complete problem. The best known algorithms for solving arbitrary instances of size n required O(2 n/2 ) time and O(2 n/4 ) space.

Special class of knapsack problem a special class of knapsack problems, referred to as simple knapsack, that can be solved in linear time. In a simple knapsack, the elements a i (i=1,...,n) are super increasing so that This implies that

Example of simple knapsack problem A’=(1,3,5,10,22) A’ is a simple vector snap(14, A’) gives the solution (1,1,0,1,0).

Algorithm for simple knapsack

Introduction Merkle and Hellman proposed a scheme whose security depends on the difficulty of solving the 0-1 knapsack problem. Merkle and Hellman show how to convert a simple knapsack into a trapdoor knapsack that is hard to solve without additional information.

Algorithm First, a simple knapsack vector A’=(a 1 ’,...a n ’) is selected. This allows an easy solution to a problem C’=A’M. Next, an integer u is chosen such that

Algorithm Then an integer w is chosen such that gcd(u,w)=1, and the inverse w -1 of w mod u is computed using w -1 =inv(w,u). Finally, the vector A’ is transformed into a hard knapsack vector A=wA’ mod u; that is a 1 =w*a i ’ mod u. Now, solving C=AM is difficult.

Algorithm With the knowledge of the trapdoor information w-1 and u, the problem can be transformed into the easy problem: C’=w -1 C mod u = w -1 AM mod u = w -1 (wA)M mod u =A’ M’ mod u = A’ M.

Public-Key system public-key: A secret-key: A’ trapdoor information u and w -1 A’=w -1 A mod u E A, D A denote the enciphering and deciphering; C=E A (M)=AM D A (C)=snap(w -1 C mod u, A’)=M.

Example Let A’=(1,3,5,10), u=20, and w=7. Then w -1 =3. The simple vector A’ is transformed into the “hard” vector A=(7*1 mod 20, 7*3 mod 20, 7*5 mod 20, 7*10 mod 20)=(7,1,15,10) Let M=13, which is the binary vector (1,1,0,1) （二進位表示法） Then C=E A (M)=7+1+10=18 D A (C)=D A (18)=snap(3*18 mod 20, A’) =snap(14, A’)=(1,1,0,1)=13.

length of N Merkle and Hellman originally suggested that using n=100 or more. The best known algorithms for solving arbitrary instances of size n required O(2 n/2 ) time and O(2 n/4 ) space. For n=100, 2 50 =10 15 For n=200, =10 30

Example of

Graham-Shamir Knapsacks Graham and Shamir independently discovered a way of obscuring the super increasing property of trapdoor knapsacks. A Graham-Shamir trapdoor knapsack vector A’(a1’,...,an’) has the property that each aji has the following binary representation: aj’=(R j, I j, S j ) where Rj and Sj are long random bit strings, I j is a bit string of length n such that the jth high- order bits is 1 and the remaining n-1 bits are 0.

Graham-Shamir Knapsacks Each random bit string S j has log 2 n 0’s in its high-order bit position so that summing does not cause them to overflow into the area of the I j ’s. Thus, a sum C’=A’M has the binary representation: C’ =(R, M, S),where Notice that the vector of bit strings(( I n, S n ),...,(I 1,S 1 ))

Example of Graham-Shamir

Graham-Shamir A trapdoor knapsack vector A’ is converted to a hard knapsack vector A as in the MerKle-Hellamn scheme;(by picking u and w and computing A=wA’ mod u). A message M is enciphered by computing C’=E A (M)=AM. C is deciphered by computing C’= w -1 C mod u and extracting from C’ the bits representing M.