Skip to main content

Section 10 Knapsack cryptosystems

The Knapsack problem is as follows. Given a collection of objects having both a weight and a kind of usefulness. Our goal is to fill a bag maximizing the usefulness of the items contained while restricted to an upper weight limit. General knapsack problems are difficult to solve, there is no known polynomial-time algorithm to handle these computations. However, in case of certain families the problem is easy to solve. Given objects with weights \(\omega_1,\omega_2,\ldots,\omega_n\) it is our goal to find binary variables \(v_1,v_2,\ldots,v_n\) such that

\begin{equation*} \sum_{i=1}^n v_i\omega_i=S, \end{equation*}

where \(S\) is the weight limit to reach. A super-increasing weight system satisfies the following inequalities

\begin{equation*} \sum_{i=1}^{k-1}\omega_i<\omega_{k}\mbox{ for }k=2,\ldots,n. \end{equation*}

For example if we take \(\omega_i=2^{i-1}\) for \(i=1,2,\ldots,n,\) then we obtain a super-increasing sequence. A greedy type algorithm is provided below implemented in SageMath.

Figure 10.1. Super-increasing knapsack

Here we obtain that \(89=1\cdot 1+0\cdot 2+0\cdot 4+1\cdot 8+1\cdot 16+0\cdot 32+1\cdot 64.\)

Subsection 10.1 Merkle–Hellman cryptosystem

The super-increasing knapsack is easy and general knapsacks are difficult that suggested the idea behind the Merkle-Hellman knapsack encryption. Let us see the details of this cryptosystem.

  • Alice chooses a super-increasing sequence \(\omega_1,\omega_2,\ldots,\omega_n\) and a prime \(p\) such that

    \begin{equation*} p>\sum_{i=1}^{n}\omega_i. \end{equation*}

    She also fix an integer \(1<r<p.\)

  • The public weights \(\Omega_1,\Omega_2,\ldots,\Omega_n\) are computed by the formula

    \begin{equation*} \Omega_i\equiv r\cdot\omega_i\pmod{p}. \end{equation*}

  • Bob only knows the general knapsack weights \(\Omega_1,\Omega_2,\ldots,\Omega_n\) and he wants to send the (binary) message \([b_1,b_2,\ldots,b_n].\) He computes

    \begin{equation*} M=\sum_{i=1}^n b_i\Omega_i, \end{equation*}

    that is the encrypted message. To encrypt longer messages, multiple blocks are encrypted.

  • Alice receives \(M\) and she can easily compute \(r^{-1} \pmod{p}\) by means of the extended Euclidean algorithm. She determines \(r^{-1}M\) and solves the super-increasing knapsack problem.

A SageMath implementation of the above procedure is as follows.

Figure 10.2. MerkleHellman

It creates a random super-increasing sequences and an appropriate prime number \(p\) and an integer \(1<r<p.\) A random binary message is also composed and the corresponding encrypted message is computed.

Subsection 10.2 Attack based on the LLL-algorithm

Unfortunately, the knapsack cryptosystem that has been introduced is not secure against cryptanalysis attacks as pointed out by Shamir. The problem can be reduced to find short vectors in lattices. The purpose of the Lenstra-Lenstra-Lovász (LLL) algorithm is exactly this. Let us consider the example given above. We define vectors in the following form

\begin{equation*} \begin{aligned} V_1&=&( 1, 0, 0, 0, 0, 0, 0, 0, 78),\\ V_2&=&( 0, 1 , 0, 0 , 0 , 0 , 0 , 0 , 136),\\ V_3&=&( 0, 0 , 1 , 0 , 0 , 0 , 0, 0 , 283),\\ V_4&=&( 0 , 0 , 0 , 1 , 0 , 0 , 0 , 0 , 899),\\ V_5&=&( 0 , 0 , 0 , 0 , 1 , 0 , 0 , 0 , 2533),\\ V_6&=&( 0 , 0 , 0 , 0 , 0 , 1 , 0 , 0, 7588),\\ V_7&=&( 0 , 0 , 0 , 0 , 0 , 0 , 1 , 0 , 22503),\\ V_8&=&( 0 , 0 , 0 , 0 , 0 , 0 , 0 , 1, 40389),\\ V_9&=&( 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0, -25036).\end{aligned} \end{equation*}

Our lattice is given by

\begin{equation*} \left\{V:\quad V=\sum_{i=1}^9 z_iV_i, z_i\in\mathbb{Z}\right\}. \end{equation*}

If we have a solution of the knapsack problem, then there exists a vector in the lattice having coordinates from the set \(\{0,1\},\) that is a short vector. Let us see a SageMath code to apply the LLL-algorithm to the knapsack problem.

Figure 10.3. LLLKnapsack

In the first row of the second matrix we see the binary message appearing.

Subsection 10.3 Chor-Rivest cryptosystem

Cryptosystems based on knapsack problems used to be popular in public key cryptography, however many variants have been shown insecure by lattice reduction techniques. The Chor-Rivest cryptosystem is one of the exceptions. We consider a finite field \(\mathbb{F}_q,\) where \(q=p^h\) for some prime number \(p\) and positive integer \(h\leq p.\) To represent elements of \(\mathbb{F}_q\) we fix a monic irreducible polynomial \(f(x)\) of degree \(h\) over \(\mathbb{F}_p.\) The polynomials of degree at most \(h-1\) over \(\mathbb{F}_p\) are the elements of \(\mathbb{F}_q.\) The product of two elements \(f_1(x)\) and \(f_2(x)\) is the polynomial \(f_1(x)f_2(x)\pmod{f(x)}\) of degree less than \(h.\) We determine a generator \(g(x)\) of \(\mathbb{F}_q.\) We compute certain discrete logarithms of the form

\begin{equation*} a_i=\log_{g(x)}(x+i), \end{equation*}

where \(i\in\mathbb{F}_p.\) We also take a random permutation \(\pi\) of the set \(\{0,1,\ldots,p-1\}\) and a random integer \(d\) for which \(0\leq d\leq p^h-2.\) We compute

\begin{equation*} c_i\equiv (a_{\pi(i)}+d)\pmod{p^h-1},\mbox{ where }0\leq i\leq p-1. \end{equation*}

The private key of Alice is given by \((f(x),g(x),d,\pi)\) and the public key is \((p,h,(c_0,c_1,\ldots,c_{p-1})).\) Let us describe the encryption.

  • Bob would like to send to Alice a binary message \(M = (M_0 , M_1 , \ldots , M_{p-1} )\) containing exactly \(h\) ones.

  • He computes

    \begin{equation*} c=\sum_{i=0}^{p-1}M_ic_i. \end{equation*}

    The ciphertext is \(c.\)

Alice receives \(c\) and follows the decryption algorithm given below.

  • She determines \(r\equiv (c-hd)\pmod{p^h-1}.\)

  • She computes \(s(x)\equiv g(x)^r\pmod{f(x)}.\)

  • She takes the monic polynomial \(t(x)=f(x)+s(x)\) of degree \(h.\)

  • She factors the polynomial \(t(x),\) let say she has

    \begin{equation*} t(x)=\prod_{j=1}^h (x+t_j). \end{equation*}

  • She applies the inverse of the permutation \(\pi\) to recover the positions of the ones in \(M.\)

This algorithm indeed will yield the original binary vector. This fact follows from the steps given below. We have that

\begin{equation*} \begin{aligned} s(x) & \equiv & g(x)^r\pmod{f(x)}\equiv \\ g(x)^{c-hd} & \equiv & g(x)^{\sum_{i=0}^{p-1}M_ic_i-hd} \equiv \\ g(x)^{\sum_{i=0}^{p-1}M_i( (a_{\pi(i)}+d))-hd} & \equiv & g(x)^{\sum_{i=0}^{p-1}M_ia_{\pi(i)}}\equiv\\ \prod_{i=0}^{p-1}\left(g(x)^{a_{\pi(i)}}\right)^{M_i}&\equiv &\prod_{i=0}^{p-1}(x+\pi(i))^{M_i}\pmod{f(x)}.\end{aligned} \end{equation*}

We obtain that

\begin{equation*} t(x)=s(x)+f(x)=\prod_{i=0}^{p-1}(x+\pi(i))^{M_i} \end{equation*}

and applying the inverse of \(\pi\) to the roots of \(t(x)\) gives the coordinates of \(M\) that are 1.

SageMath summary.
augment()

Returns a new matrix formed by appending the given matrix.

identity_matrix()

Returns the identity matrix of a given size.

Exercises 10.4 Exercises

1.

Generate a superincreasing sequence \(\{w_1,w_2,\ldots,w_6\}\) such that \(w_i\leq 2^i-2^{i-1}.\)

2.

We have the superincreasing sequence \(\{1, 2, 4, 10, 20, 40\}.\) Pack a knapsack weighing 53.

3.

Given a superincreasing sequence \(S=\{2,3,7,14,30,57,120,251\}.\) Transform \(S\) into a general knapsack with \(r=41\) and \(p=491.\) Encrypt the message \(m=10110111.\)

4.

We have the general knapsack \(\{82,123,287,83,248,373,10,471\}\) and a ciphertext is 548. Apply the LLL-algorithm to recover the original message.

5.

Alice and Bob use the Chor-Rivest cryptosystem with \(p=13,h=4,f(x)=x^4 + 3x^2 + 12x + 2\) and \(g(x)=x,d=3118.\) The private permutation is given by \(\pi=[1, 5, 6, 9, 0, 10, 11, 3, 2, 7, 8, 4, 12].\) Determine \((c_0,c_1,\ldots,c_{p-1})\) and encrypt the message \(M=(1,0,0,0,1,0,1,0,0,0,1,0,0).\)

6.

Decrypt the ciphertext obtained in the previous exercise.