440 likes | 554 Views
Security in Computing Chapter 12, Cryptography Explained Part 5. Summary created by Kirk Scott. This set of overheads corresponds to the first portion of section 12.3 in the book The overheads for Chapter 12 roughly track the topics in the chapter Keep this in mind though:
E N D
Security in ComputingChapter 12, Cryptography ExplainedPart 5 Summary created by Kirk Scott
This set of overheads corresponds to the first portion of section 12.3 in the book • The overheads for Chapter 12 roughly track the topics in the chapter • Keep this in mind though: • On some topics I simply go over the book’s material • On other topics I expand on the book’s material in a significant way • You are responsible not just for what’s in the book, but also what’s in the overheads that’s not in the book
The Knapsack Problem and Superincreasing Knapsacks • Given some set S = {a1, a2, a3, …, an}, ai >= 0, • Given some target sum T • Is there a vector V = (vi, v2, v3, …, vn) where vi is either 0 or 1, such that: • Given no additional information about S and T, the problem is NP complete.
The knapsack problem might serve as the basis of a sound encryption system. • The idea is to have some particular S • Let the plaintext consist of a sequence of binary digits and let it play the role of V • And encode the plaintext as T, the vector product of S and V. • Finding the vector V, the original plaintext, that led to the sum T, the encryption, would be an NP-complete problem.
This will not work if the intended receiver has to solve the NP complete problem in order to read the message. • The question is how to turn this into a public key encryption system. • Accomplishing this involves choosing a special kind of set, S, and doing a transformation on S and T.
First, here is an example illustrating encryption: • Let the set, or knapsack, be: (1, 2, 5, 9, 20, 43) • Let the plaintext be: (1, 0, 1, 0, 0, 1) • Then the elements of the sum would be: 1, 5, 43 • And the encryption would be: T = 49
The knapsack: (1, 2, 5, 9, 20, 43) • Observe that the knapsack has a special characteristic. • Every element of the knapsack is greater than the sum of all prior elements of the knapsack. • Mathematically:
A knapsack with this particular characteristic makes the solution of the decryption problem extremely easy. • In other words, if the knapsack has this characteristic, finding V given T is not an NP-complete problem.
Finding the vector V that corresponds to some sum T can be accomplished by working through S from the largest element to the smallest. • If an element s of S is less than or equal to the current value of T, s has to be in the solution. • This means that there is a corresponding 1 in the solution vector. • You update T by subtracting s from it and going to the next smaller element of S.
The fact that S is superincreasing makes this approach work. • If s is less than T, s has to be in T because the sum of the remaining elements of S is even less than s. • The decryption process for the example given above is shown on the following overhead.
S = (1, 2, 5, 9, 20, 43) • T = 49 • 43 is less than 49, so 43 is in the solution. • 49 – 43 = 6. • 20 and 9 are bigger than 6, so they are not in the solution. • 5 is less than 6, so 5 is in the solution. • 6 – 5 = 1. • 2 is bigger than 1, so it’s not in the solution. • 1 = 1, so the knapsack has a solution, 1 is in it, and the process is complete. • The vector corresponding to the values in the sum is (1, 0, 1, 0, 0, 1).
It is true that are values for T which would not have a solution. • For example, you could find no V which gave 24 as a solution. • However, this is not a problem because that implies that no plaintext V would ever result in 24 when multiplied by S.
2. Modular Arithmetic and Transforming Superincreasing Knapsacks • Superincreasing knapsacks are also known as simple knapsacks because the solution to the knapsack problem using them is simple. • For cryptographic purposes it is necessary to transform the knapsack so that it is not superincreasing. • Such a knapsack is known as a hard knapsack because the general solution to the decryption problem is then NP-complete.
In order for this to work, the transformation has to be invertible so that the intended receiver can convert the problem back to the simple one for decoding purposes. • The Merkle-Hellman approach is to convert the knapsack using modular arithmetic. • The math needed in order to do this will not be proven in this set of notes. • Instead, it will just be introduced in the form of observations as needed along the way.
Observation 1: • Given some set of superincreasing values, and given values w and n: • Multiplying the elements of the set by w mod n in general does not give back a superincreasing set of values. • For example: • S = (1, 3, 6), w = 5, n = 11 • Transforming S by taking each element times 5 mod 11 gives: • (5, 4, 8) • This is clearly not a superincreasing sequence.
It would be possible to pose such questions as: • Can such a transformation ever give back a superincreasing sequence? • Do the resulting sequences have other special properties even though they’re not superincreasing?
It is not our purpose to try and answer these questions. • It is sufficient to know that in general, it is probably possible to pick values for w and n that transform a knapsack into something non-superincreasing.
Observation 2: • Even though we don’t have the details yet on how to go back and forth between encryption and decryption and a hard knapsack and a simple knapsack, the claim was made that we’ll need the transformation to be invertible. • If n is composite, then not all elements of the modular ring base n are invertible.
If n and w are relatively prime, then w is invertible. • If n is prime, then the modular structure is a field and all of its elements except 0 are invertible. • In choosing w and n, it is sufficient simply to choose n prime, and it follows that multiplication by w in the modular field, no matter what w is, is invertible.
Observation 3: • The general plan of action for implementing this encryption is the following: • Encryption: • The transformed, hard knapsack is distributed as a public key. • Messages encoded in them result in sequences of integers. • To an outsider, the task of decoding the integers is NP-complete.
Decryption: • The corresponding simple knapsack and the values w and n are held as the private key. • The intended receiver transforms the integers of the encrypted message using w and n, and decrypts against the simple knapsack, which is not an NP-complete problem.
It should be noted that the book emphasizes the simple knapsack as the private key. • In fact, it’s w and n that are fundamental, because given the hard knapsack and w and n, you can obtain the simple knapsack.
Also it is not possible to decode without having w and n, because the message itself has to be transformed using w and n before solving the knapsack problem. • Finally, it is not possible to decode, in fact, without having the inverse of w, w-1. • This can be derived from w and n, and in effect is also part of the “key” to the cipher.
The book makes a comment that might be helpful in understanding how an NP-complete problem can be the basis for an encryption scheme. • You might say that Merkle-Hellman knapsacks have an intentional trapdoor.
Although the knapsack problem is NP-complete in general, knowledge of w and n allow decryption. • The trapdoor, w and n, is not a fault that an outsider might capitalize on • It’s an intentional part of the system that is the basis for decryption.
Observation 4: • We still have the problem of choosing w and n. • We have established that n prime will suit our purposes. • That means that w will be any value less than n, but not 0 or 1. • We hope that our choice will result in a non-superincreasing knapsack. • If it doesn’t, we should choose again. • (It’s unlikely that that will ever be necessary.)
What other characteristics of w and n are necessary? • n has to be greater than the largest element in S. • If this is to be an invertible transformation in a modular field, it would not be possible to have a starting element which is not in the field.
The book states without explanation that n should actually be greater than the sum of the elements of S. • It is not clear to me why this additional constraint is necessary, but we will follow along and all examples will conform to this requirement, rather than the simpler requirement that n be larger than the largest element in S.
3. An Example • This example gives an illustration of how to use Merkle-Hellman knapsacks for encoding. • It also illustrates the use of inverses. • Start with the example already given above: • Plaintext: (1, 0, 1, 0, 0, 1) • S: (1, 2, 5, 9, 20, 43)
We need a prime number n larger than the sum of the elements of S. • The smallest prime number that meets that requirement is 83. • We also need some w. • In order to make the multiplications easy, take w = 10 for example.
Then transform the knapsack by multiplying each element by 10 mod 83. • The hard knapsack is: • H: (10, 20, 50, 7, 34, 15) • Observe that without taking special care in choosing w, the new knapsack is not superincreasing. • This characteristic is necessary. • The hard knapsack is the public key.
Encode the plaintext using this knapsack: • Let the plaintext be: (1, 0, 1, 0, 0, 1) • Let the knapsack be: (10, 20, 50, 7, 34, 15) • Then the elements of the sum would be: 10, 50, 15 • And the encryption would be: T = 75
In order to go any further and illustrate decryption you need the inverse of win the modular field base n. • By Fermat’s theorem, w-1 = wn-2 mod n = 1081 mod 83. • This is unpleasant from a computational point of view. • Presumably, the extended Euclidean algorithm would be better.
Luckily, simple searching quickly yields an inverse. • Observe that 3 * 83 = 249 while 10 * 25 = 250. In other words: • 10 * 25 = 3 * 83 + 1, or 10 * 25 mod 83 = 1. • In other words, the product of 10 and 25 gives the multiplicative identity in the field. • By definition, then, 10 and 25 are inverses in the field.
The message was created using the hard knapsack. • To decrypt the message using the simple knapsack, it’s necessary to invert the ciphertext in the modular field. • This is the first step in decryption. • 75 * 25 mod 83 = 49.
Strictly speaking you don’t have to retrieve the original knapsack S by inverting the elements of the public key. • You just assume that you kept a copy. • You now decrypt T = 49 against this superincreasing knapsack—a non NP-complete task. • What’s shown on the following overhead is simply a repetition of the illustration of section 1 of these overheads.
S = (1, 2, 5, 9, 20, 43) • T = 49 • 43 is less than 49, so 43 is in the solution. • 49 – 43 = 6. • 20 and 9 are bigger than 6, so they are not in the solution. • 5 is less than 6, so 5 is in the solution. • 6 – 5 = 1. • 2 is bigger than 1, so it’s not in the solution. • 1 = 1, so the knapsack has a solution, 1 is in it, and the process is complete. • The vector corresponding to the values in the sum is (1, 0, 1, 0, 0, 1).
It’s clear that with only 6 elements in the knapsack and a value of n that is still relatively small, solving the NP-complete problem would be possible. • The book discusses the magnitude of choices for the various parameters of the encryption scheme which make it resistant to attack. • For example, if the knapsack contained in the vicinity of 200 elements, and the value of n required in the vicinity of 200 binary digits to express, this would not be a trivial problem.
The book also discusses the possible weaknesses of this scheme. • I do not propose to try and wade through the book’s explanation. • It can be summarized in this way, however. • As noted before, just because a scheme is based on an NP-complete problem, that doesn’t mean that the cryptanalyst is limited to brute force attacks.
The real private key in this case consists of the values w and n with n known to be prime, and the length of the knapsack known. • Coming up with an informed scheme for guessing n and w might be a fruitful approach to breaking the code.
As a matter of fact, Merkle-Hellman encryption is essentially considered to be “broken” now. • Cryptanalytic techniques have been developed which essentially mean it’s a step-by-step process of bounded complexity to eventually find the key.
Although Merkle-Hellman knapsacks would baffle amateurs, no commercial grade system would now be implemented using them. • Even without going through the details of the cryptanalysis, it’s a good example of how even schemes built on hard problems contain patterns or weaknesses that can be exploited.