Public Key Systems 1 Merkle-Hellman Knapsack Public Key Systems 2 Merkle-Hellman Knapsack  One of first public key systems  Based on NP-complete problem.

Slides:



Advertisements
Similar presentations
Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.
Advertisements

Public Key Cryptosystem
Example: Given a matrix defining a linear mapping Find a basis for the null space and a basis for the range Pamela Leutwyler.
Data Security 1 El_Gamal Cryptography. Data Security2 Introduction El_Gamal is a public-key cryptosystem technique El_Gamal is a public-key cryptosystem.
Section 4.1: Primes, Factorization, and the Euclidean Algorithm Practice HW (not to hand in) From Barr Text p. 160 # 6, 7, 8, 11, 12, 13.
22C:19 Discrete Structures Integers and Modular Arithmetic
22C:19 Discrete Math Integers and Modular Arithmetic Fall 2010 Sukumar Ghosh.
7. Asymmetric encryption-
1 The RSA Algorithm Supplementary Notes Prepared by Raymond Wong Presented by Raymond Wong.
Computational problems, algorithms, runtime, hardness
Announcements: 1. Term project groups and topics due tomorrow midnight Waiting for posts from most of you. Questions? This week: Primality testing, factoring.
RSA ( Rivest, Shamir, Adleman) Public Key Cryptosystem
Factoring 1 Factoring Factoring 2 Factoring  Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and.
Public Key Systems Public Key Systems 1.
Oded Regev Tel-Aviv University On Lattices, Learning with Errors, Learning with Errors, Random Linear Codes, Random Linear Codes, and Cryptography and.
Orthogonality and Least Squares
Chapter 3 Encryption Algorithms & Systems (Part B)
6 6.3 © 2012 Pearson Education, Inc. Orthogonality and Least Squares ORTHOGONAL PROJECTIONS.
Introduction to Computer and Network Security Iliano Cervesato 26 August 2008 – Modern Cryptography.
CMEA 1 CMEA. CMEA 2 CMEA  Cellular Message Encryption Algorithm  Designed for use with cell phones o To protect confidentiality of called number o For.
ORYX 1 ORYX ORYX 2 ORYX  ORYX not an acronym, but upper case  Designed for use with cell phones o To protect confidentiality of voice/data o For “data.
1 NTRU: A Ring-Based Public Key Cryptosystem Jeffrey Hoffstein, Jill Pipher, Joseph H. Silverman LNCS 1423, 1998.
Public Key Encryption and the RSA Public Key Algorithm CSCI 5857: Encoding and Encryption.
Lecture 5 Overview Does DES Work? Differential Cryptanalysis Idea – Use two plaintext that barely differ – Study the difference in the corresponding.
1 CIS 5371 Cryptography 8. Asymmetric encryption-.
CSCI 398 Research Topics in Computer Science Yana Kortsarts Computer Science Department Widener University Chester, PA.
8. Data Integrity Techniques
CS5204 – Fall Cryptographic Security Presenter: Hamid Al-Hamadi October 13, 2009.
The RSA Algorithm Rocky K. C. Chang, March
Lecture 15 Lecture’s outline Public algorithms (usually) that are each other’s inverse.
AL-MAAREFA COLLEGE FOR SCIENCE AND TECHNOLOGY COMP 425: Information Security CHAPTER 8 Public Key Crypto (Chapter 4 in the textbook) INFORMATION SECURITY.
Section 2.2: Affine Ciphers; More Modular Arithmetic Practice HW (not to hand in) From Barr Textbook p. 80 # 2a, 3e, 3f, 4, 5a, 7, 8 9, 10 (Use affinecipherbreaker.
10.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 10 Symmetric-Key Cryptography.
Section 4.3: Fermat’s Little Theorem Practice HW (not to hand in) From Barr Text p. 284 # 1, 2.
Computer System Security CSE 5339/7339
Merkle-Hellman Knapsack Cryptosystem Merkle offered $100 award for breaking singly - iterated knapsack Singly-iterated Merkle - Hellman KC was broken by.
RSA Ramki Thurimella.
Section 2.1: Shift Ciphers and Modular Arithmetic The purpose of this section is to learn about modular arithmetic, which is one of the fundamental mathematical.
4.1 Vector Spaces and Subspaces 4.2 Null Spaces, Column Spaces, and Linear Transformations 4.3 Linearly Independent Sets; Bases 4.4 Coordinate systems.
Chapter 4: Public Key Cryptography
Linear Equations in Linear Algebra
AN ORTHOGONAL PROJECTION
Section 2.1: Shift Ciphers and Modular Arithmetic Practice HW from Barr Textbook (not to hand in) p.66 # 1, 2, 3-6, 9-12, 13, 15.
1 1.3 © 2012 Pearson Education, Inc. Linear Equations in Linear Algebra VECTOR EQUATIONS.
Modular Arithmetic with Applications to Cryptography Lecture 47 Section 10.4 Wed, Apr 13, 2005.
8.6. Knapsack Ciphers. The Concept At the core of the Knapsack cipher is the Knapsack problem: At the core of the Knapsack cipher is the Knapsack problem:
Merkle-Hellman Knapsack Cryptosystem
22C:19 Discrete Structures Integers and Modular Arithmetic Fall 2014 Sukumar Ghosh.
1 Network and Computer Security (CS 475) Modular Arithmetic and the RSA Public Key Cryptosystem Jeremy R. Johnson.
Hard Problems Some problems are hard to solve.  No polynomial time algorithm is known.  E.g., NP-hard problems such as machine scheduling, bin packing,
Attacking RSA Brian Winant Reference “Twenty Years of Attacks on the RSA Cryptosystem” By Dan Boneh In Notices of the American Mathematical.
Hard Problems Sanghyun Park Fall 2002 CSE, POSTECH.
1 Section Congruences In short, a congruence relation is an equivalence relation on the carrier of an algebra such that the operations of the algebra.
CPS Computational problems, algorithms, runtime, hardness (a ridiculously brief introduction to theoretical computer science) Vincent Conitzer.
Introduction to Pubic Key Encryption CSCI 5857: Encoding and Encryption.
Introduction to Elliptic Curve Cryptography CSCI 5857: Encoding and Encryption.
RSA Pubic Key Encryption CSCI 5857: Encoding and Encryption.
Public Key Cryptosystem In Symmetric or Private Key cryptosystems the encryption and decryption keys are either the same or can be easily found from each.
CS/COE 1501 Recitation RSA Encryption/Decryption Extended Euclidean Algorithm Digital Signatures.
1 The RSA Algorithm Rocky K. C. Chang February 23, 2007.
Key Exchange in Systems VPN usually has two phases –Handshake protocol: key exchange between parties sets symmetric keys –Traffic protocol: communication.
Hard Problems Some problems are hard to solve.  No polynomial time algorithm is known.  E.g., NP-hard problems such as machine scheduling, bin packing,
Revision. Cryptography depends on some properties of prime numbers. One of these is that it is rather easy to generate large prime numbers, but much harder.
Knapsack Cryptosystems
Knapsack Cryptosystems
Background: Lattices and the Learning-with-Errors problem
Input: A={a1, a2, … an} – public key, S - ciphertext
Poking Holes in Knapsack Cryptosystems
Public-Key (Asymmetric) Ciphers Part 2
Presentation transcript:

Public Key Systems 1 Merkle-Hellman Knapsack

Public Key Systems 2 Merkle-Hellman Knapsack  One of first public key systems  Based on NP-complete problem  Original algorithm is weak o Lattice reduction attack  Newer knapsacks are more secure o But nobody uses them… o Once bitten, twice shy

Public Key Systems 3 Knapsack Problem  Given a set of n weights W 0,W 1,...,W n-1 and a sum S, is it possible to find a i  {0,1} so that S = a 0 W 0 +a 1 W a n-1 W n-1 (technically, this is “subset sum” problem)  Example o Weights (62,93,26,52,166,48,91,141) o Problem: Find subset that sums to S = 302 o Answer: = 302  The (general) knapsack is NP-complete

Public Key Systems 4 Knapsack Problem  General knapsack (GK) is hard to solve  But superincreasing knapsack (SIK) is easy  In SIK each weight greater than the sum of all previous weights  Example o Weights (2,3,7,14,30,57,120,251) o Problem: Find subset that sums to S = 186 o Work from largest to smallest weight o Answer: = 186

Public Key Systems 5 Knapsack Cryptosystem 1. Generate superincreasing knapsack (SIK) 2. Convert SIK into “general” knapsack (GK) 3. Public Key: GK 4. Private Key: SIK plus conversion factors  Easy to encrypt with GK  With private key, easy to decrypt (convert ciphertext to SIK)  Without private key, must solve GK ?

Public Key Systems 6 Knapsack Cryptosystem  Let (2,3,7,14,30,57,120,251) be the SIK  Choose m = 41 and n = 491 with m and n relatively prime, n > sum of SIK elements  General knapsack 2  41 (mod 491) = 82 3  41 (mod 491) =  41 (mod 491) =  41 (mod 491) =  41 (mod 491) =  41 (mod 491) =  41 (mod 491) =  41 (mod 491) = 471  General knapsack: (82,123,287,83,248,373,10,471)

Public Key Systems 7 Knapsack Example  Private key: (2,3,7,14,30,57,120,251) m  1 mod n = 41  1 (mod 491) = 12  Public key: (82,123,287,83,248,373,10,471), n=491  Example: Encrypt = 548  To decrypt, o 548 · 12 = 193 (mod 491) o Solve (easy) SIK with S = 193 o Obtain plaintext

Public Key Systems 8 Knapsack Weakness  Trapdoor: Convert SIK into “general” knapsack using modular arithmetic  One-way: General knapsack easy to encrypt, hard to solve; SIK easy to solve  This knapsack cryptosystem is insecure o Broken in 1983 with Apple II computer o The attack uses lattice reduction  “General knapsack” is not general enough!  This special knapsack is easy to solve

Public Key Systems 9 Lattice Reduction  Many problems can be solved by finding a “short” vector in a lattice  Let b 1,b 2,…,b n be vectors in  m  All  1 b 1 +  2 b 2 +…+  n b n, each  i is an integer is a discrete set of points

Public Key Systems 10 What is a Lattice?  Suppose b 1 =[1,3] T and b 2 =[  2,1] T  Then any point in the plane can be written as  1 b 1 +  2 b 2 for some  1,  2   o Since b 1 and b 2 are linearly independent  We say the plane  2 is spanned by (b 1,b 2 )  If  1,  2 are restricted to integers, the resulting span is a lattice  Then a lattice is a discrete set of points

Public Key Systems 11 Lattice Example  Suppose b 1 =[1,3] T and b 2 =[  2,1] T  The lattice spanned by (b 1,b 2 ) is pictured to the right

Public Key Systems 12 Exact Cover  Exact cover  given a set S and a collection of subsets of S, find a collection of these subsets with each element of S is in exactly one subset  Exact Cover is a combinatorial problems that can be solved by finding a “short” vector in lattice

Public Key Systems 13 Exact Cover Example  Set S = {0,1,2,3,4,5,6}  Spse m = 7 elements and n = 13 subsets Subset: Elements:  Find a collection of these subsets with each element of S in exactly one subset  Could try all 2 13 possibilities  If problem is too big, try heuristic search  Many different heuristic search techniques

Public Key Systems 14 Exact Cover Solution  Exact cover in matrix form o Set S = {0,1,2,3,4,5,6} o Spse m = 7 elements and n = 13 subsets Subset: Elements: Solve: AU = B where u i  {0,1} subsets elementselements Solution: U = [ ] T m x 1 n x 1 m x n

Public Key Systems 15 Example  We can restate AU = B as MV = W where  The desired solution is U o Columns of M are linearly independent  Let c 0,c 1,c 2,…,c n be the columns of M  Let v 0,v 1,v 2,…,v n be the elements of V  Then W = v 0 c 0 + v 1 c 1 + … + v n c n Matrix M Vector W Vector V

Public Key Systems 16 Example  Let L be the lattice spanned by c 0,c 1,c 2,…,c n (c i are the columns of M)  Recall MV = W o Where W = [U,0] T and we want to find U o But if we find W, we have also solved it!  Note W is in lattice L since all v i are integers and W = v 0 c 0 + v 1 c 1 + … + v n c n

Public Key Systems 17 Facts  W = [u 0,u 1,…,u n-1,0,0,…,0]  L, each u i  {0,1}  The length of a vector Y   N is ||Y|| = sqrt(y 0 2 +y 1 2 +…+y N-1 2 )  Then the length of W is ||W|| = sqrt(u 0 2 +u 1 2 +…+u n-1 2 )  sqrt(n)  So W is a very short vector in L where o First n entries of W all 0 or 1 o Last m elements of W are all 0  Can we use these facts to find U ?

Public Key Systems 18 Lattice Reduction  If we can find a short vector in L, with first n entries all 0 or 1 and last m entries all 0, then we might have found U o Easy to test putative solution  LLL lattice reduction algorithm will efficiently find short vectors in a lattice  Less than 30 lines of pseudo-code for LLL!  No guarantee LLL will find a specific vector  But probability of success is often good

Public Key Systems 19 Knapsack Example  What does lattice reduction have to do with the knapsack cryptosystem?  Suppose we have o Superincreasing knapsack S = [2,3,7,14,30,57,120,251] o Suppose m = 41, n = 491  m  1 = 12 (mod n) o Public knapsack: t i = 41  s i (mod 491) T = [82,123,287,83,248,373,10,471]  Public key: T Private key: (S,m  1,n)

Public Key Systems 20 Knapsack Example  Public key: T Private key: (S,m  1,n) S = [2,3,7,14,30,57,120,251] T = [82,123,287,83,248,373,10,471] n = 491, m  1 = 12  Example: is encrypted as = 548  Then receiver computes 548  12 = 193 (mod 491) and uses S to solve for

Public Key Systems 21 Knapsack LLL Attack  Attacker knows public key T = [82,123,287,83,248,373,10,471]  Attacker knows ciphertext: 548  Attacker wants to find u i  {0,1} s.t. 82u u u 2 +83u u u 5 +10u u 7 = 548  This can be written as a matrix equation (dot product): T  U = 548

Public Key Systems 22 Knapsack LLL Attack  Attacker knows: T = [82,123,287,83,248,373,10,471]  Wants to solve: T  U = 548 where each u i  {0,1} o Same form as AU = B on previous slides o We can rewrite problem as MV = W where  LLL gives us short vectors in the lattice spanned by the columns of M

Public Key Systems 23 LLL Result  LLL finds short vectors in lattice of M  Matrix M ’ is result of applying LLL to M   Column marked with “  ” has the right form  Possible solution: U = [1,0,0,1,0,1,1,0] T  Easy to verify this is the plaintext!

Public Key Systems 24 Bottom Line  Lattice reduction is a surprising method of attack on knapsack  A cryptosystem is only secure as long as nobody has found an attack  Lesson: Advances in mathematics can break cryptosystems

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.