merkle-hellman knapsack

Download Merkle-Hellman Knapsack

Post on 01-Jan-2016




1 download

Embed Size (px)


Merkle-Hellman Knapsack. Merkle-Hellman Knapsack. One of first public key systems Based on NP-complete problem Original algorithm is weak Lattice reduction attack Newer knapsacks are more secure But nobody uses them… Once bitten, twice shy. Knapsack Problem. - PowerPoint PPT Presentation



Public Key Systems 1Merkle-Hellman KnapsackPublic Key Systems 2Merkle-Hellman KnapsackOne of first public key systemsBased on NP-complete problemOriginal algorithm is weakLattice reduction attackNewer knapsacks are more secureBut nobody uses themOnce bitten, twice shyPublic Key Systems 3Knapsack ProblemGiven a set of n weights W0,W1,...,Wn-1 and a sum S, is it possible to find ai {0,1} so thatS = a0W0+a1W1 +...+ an-1Wn-1(technically, this is subset sum problem)Example Weights (62,93,26,52,166,48,91,141)Problem: Find subset that sums to S = 302Answer: 62+26+166+48 = 302The (general) knapsack is NP-completePublic Key Systems 4Knapsack ProblemGeneral knapsack (GK) is hard to solveBut superincreasing knapsack (SIK) is easyIn SIK each weight greater than the sum of all previous weightsExampleWeights (2,3,7,14,30,57,120,251) Problem: Find subset that sums to S = 186Work from largest to smallest weight Answer: 120+57+7+2 = 186Public Key Systems 5Knapsack Cryptosystem Generate superincreasing knapsack (SIK) Convert SIK into general knapsack (GK) Public Key: GK Private Key: SIK plus conversion factors Easy to encrypt with GKWith private key, easy to decrypt (convert ciphertext to SIK)Without private key, must solve GK ?Public Key Systems 6Knapsack CryptosystemLet(2,3,7,14,30,57,120,251) be the SIKChoose m = 41 and n = 491 with m and n relatively prime, n > sum of SIK elementsGeneral knapsack2 41 (mod 491) = 823 41 (mod 491) = 1237 41 (mod 491) = 28714 41 (mod 491) = 8330 41 (mod 491) = 24857 41 (mod 491) = 373120 41 (mod 491) = 10251 41 (mod 491) = 471 General knapsack: (82,123,287,83,248,373,10,471)Public Key Systems 7Knapsack ExamplePrivate key: (2,3,7,14,30,57,120,251) m1 mod n = 411 (mod 491) = 12Public key: (82,123,287,83,248,373,10,471), n=491Example: Encrypt 10010110 82 + 83 + 373 + 10 = 548To decrypt, 548 12 = 193 (mod 491)Solve (easy) SIK with S = 193Obtain plaintext 10010110Public Key Systems 8Knapsack WeaknessTrapdoor: Convert SIK into general knapsack using modular arithmeticOne-way: General knapsack easy to encrypt, hard to solve; SIK easy to solveThis knapsack cryptosystem is insecureBroken in 1983 with Apple II computerThe attack uses lattice reductionGeneral knapsack is not general enough!This special knapsack is easy to solvePublic Key Systems 9Lattice ReductionMany problems can be solved by finding a short vector in a latticeLet b1,b2,,bn be vectors in m All 1b1+2b2++nbn, each i is an integer is a discrete set of pointsPublic Key Systems 10What is a Lattice?Suppose b1=[1,3]T and b2=[2,1]TThen any point in the plane can be written as 1b1+2b2 for some 1,2 Since b1 and b2 are linearly independentWe say the plane 2 is spanned by (b1,b2)If 1,2 are restricted to integers, the resulting span is a latticeThen a lattice is a discrete set of pointsPublic Key Systems 11Lattice ExampleSuppose b1=[1,3]T and b2=[2,1]T The lattice spanned by (b1,b2) is pictured to the right

Public Key Systems 12Exact CoverExact cover given a set S and a collection of subsets of S, find a collection of these subsets with each element of S is in exactly one subsetExact Cover is a combinatorial problems that can be solved by finding a short vector in latticePublic Key Systems 13Exact Cover ExampleSet S = {0,1,2,3,4,5,6}Spse m = 7 elements and n = 13 subsetsSubset: 0 1 2 3 4 5 6 7 8 9 10 11 12Elements: 013 015 024 025 036 124 126 135 146 1 256 345 346Find a collection of these subsets with each element of S in exactly one subsetCould try all 213 possibilitiesIf problem is too big, try heuristic searchMany different heuristic search techniquesPublic Key Systems 14

Exact Cover SolutionExact cover in matrix formSet S = {0,1,2,3,4,5,6}Spse m = 7 elements and n = 13 subsetsSubset: 0 1 2 3 4 5 6 7 8 9 10 11 12Elements: 013 015 024 025 036 124 126 135 146 1 256 345 346Solve: AU = Bwhere ui {0,1}subsetselementsSolution:U = [0001000001001]Tm x 1n x 1m x nPublic Key Systems 15

ExampleWe can restate AU = B as MV = W whereThe desired solution is U Columns of M are linearly independentLet c0,c1,c2,,cn be the columns of MLet v0,v1,v2,,vn be the elements of VThen W = v0c0 + v1c1 + + vncnMatrix MVector WVector VPublic Key Systems 16ExampleLet L be the lattice spanned by c0,c1,c2,,cn (ci are the columns of M)Recall MV = WWhere W = [U,0]T and we want to find UBut if we find W, we have also solved it!Note W is in lattice L since all vi are integers and W = v0c0 + v1c1 + + vncnPublic Key Systems 17FactsW = [u0,u1,,un-1,0,0,,0] L, each ui {0,1}The length of a vector Y N is||Y|| = sqrt(y02+y12++yN-12)Then the length of W is ||W|| = sqrt(u02+u12++un-12) sqrt(n)So W is a very short vector in L whereFirst n entries of W all 0 or 1Last m elements of W are all 0Can we use these facts to find U?Public Key Systems 18Lattice ReductionIf we can find a short vector in L, with first n entries all 0 or 1 and last m entries all 0, then we might have found UEasy to test putative solutionLLL lattice reduction algorithm will efficiently find short vectors in a latticeLess than 30 lines of pseudo-code for LLL!No guarantee LLL will find a specific vectorBut probability of success is often goodPublic Key Systems 19Knapsack ExampleWhat does lattice reduction have to do with the knapsack cryptosystem?Suppose we haveSuperincreasing knapsackS = [2,3,7,14,30,57,120,251]Suppose m = 41, n = 491 m1 = 12 (mod n)Public knapsack: ti = 41 si (mod 491)T = [82,123,287,83,248,373,10,471]Public key: TPrivate key: (S,m1,n) Public Key Systems 20Knapsack ExamplePublic key: TPrivate key: (S,m1,n) S = [2,3,7,14,30,57,120,251]T = [82,123,287,83,248,373,10,471]n = 491, m1 = 12Example: 10010110 is encrypted as82+83+373+10 = 548Then receiver computes 548 12 = 193 (mod 491) and uses S to solve for 10010110Public Key Systems 21Knapsack LLL AttackAttacker knows public key T = [82,123,287,83,248,373,10,471]Attacker knows ciphertext: 548Attacker wants to find ui {0,1} s.t.82u0+123u1+287u2+83u3+248u4+373u5+10u6+471u7 = 548This can be written as a matrix equation (dot product): T U = 548Public Key Systems 22

Knapsack LLL AttackAttacker knows: T = [82,123,287,83,248,373,10,471]Wants to solve: T U = 548 where each ui {0,1} Same form as AU = B on previous slidesWe can rewrite problem as MV = W whereLLL gives us short vectors in the lattice spanned by the columns of MPublic Key Systems 23LLL ResultLLL finds short vectors in lattice of MMatrix M is result of applying LLL to MColumn marked with has the right formPossible solution: U = [1,0,0,1,0,1,1,0]TEasy to verify this is the plaintext!

Public Key Systems 24Bottom LineLattice reduction is a surprising method of attack on knapsackA cryptosystem is only secure as long as nobody has found an attackLesson: Advances in mathematics can break cryptosystems