Merkle-Hellman Knapsack Cryptosystem
 Merkle offered $100 award for breaking singly -
iterated knapsack
 Singly-iterated Merkle - Hellman KC was broken
by Adi Shamir in 1982
 At the CRYPTO ’83 conference, Adleman used an
Apple II computer to demonstrate Shamir’s
method
 Merkle offered $1000 award for breaking
multiply-iterated knapsack
 Multiply-iterated Merkle-Hellman knapsack was
broken by Brickell in 1985
Classical Knapsack Problem
 General 0-1 knapsack problem: given n items of
different values vi and weights wi, find the most
valuable subset of the items while the overall
weight does not exceed a given capacity W
Subset-Sum Problem
 Subset – Sum problem is a special case of
knapsack problem when a value of each item is
equal to its weight
 Input: set of positive integers: A = {a1, a2, …an}
and the positive integer S
 Output:


TRUE, if there is a subset of A that sums to S and
the subset itself
FALSE otherwise.
 The subset-sum problem is NP-hard
Easy Knapsack Problem
 An easy knapsack problem is one in which set
A = {a1, a2, …an} is a super-increasing sequence
 A super-increasing sequence is one in which the
next term of the sequence is greater than the sum of
all preceding terms:
a2 > a1, a3 > a1 + a2,…., an > a1 + a2 +…+ an-1
 Example: A= {1, 2, 4, 8, …2n-1} is super-increasing
sequence
Polynomial Time Algorithm for Easy
Knapsack Problem
 Input: A = {a1, …an} is super-increasing sequence, and S >0
 Output: TRUE and P – binary array of n elements, P[i] =1
means: ai belongs to subset of A that sums to S, P[0] = 0
otherwise. The algorithm returns FALSE if the subset
doesn’t exist
for i  n to 1
if S  ai
then P[i]  1 and S  S - ai
else
P[i]  0
if S != 0
then return (FALSE – no solution)
else return (P[1], P[2], …P[n]).
Example
 Input: A= {1, 2, 4, 8}, S = 11
 Solution:
 i = 4, S = 11 >= A[4] = 8, P[4]=1, S= S-A[4]=11-8=3
 i=3, S=3 < A[3]=4, P[3]=0
 i=2, S=3 >= A[2]=2, P[2]=1, S=S-A[2]=3-2=1
 i=1, S=1 >= A[1]=1 P[1]=1, S=S-A[1]=1-1=0
 Final answer: P[1]P[2]P[3]P[4]=1101
Merkle-Hellman Additive Knapsack
Cryptosystem
Alice:
1. Constructs the Knapsack cryptosystem
2. Publishes the public key
3. Receives the ciphertext
4. Decrypts the ciphertext using private key
Bob:
1. Encrypts the plaintext using public key
2. Sends the plaintext to Alice
Alice
Knapsack Cryptosystem Construction
 Chooses A = {a1, …an} super-increasing sequence,
A is a private (easy) knapsack
a1+ …+ an = E
 Chooses M - the next prime larger than E.
 Chooses W that satisfies 2  W < M and
(W, M) = 1(W is relatively prime with M)
 Computes Public (hard) knapsack B = {b1, ….bn},
where bi = Wai (mod M), 1  i  n
 Keeps Private Key: A, W, M
 Publishes Public key: B
Example: ALICE creates Public and
Private Keys
 Alice Private Key:



A= {1, 2, 4, 8} – super increasing
E = 1+2+4+8 = 15 and M = 17 first prime > 15
W = 7, 2  W < 17, and (7, 17) = 1
 Public Key:
(1*7) mod 17 = 7
(2*7) mod 17 = 14
(4*7) mod 17 = 28 mod 17 = 11
(8*7) mod 17= 56 mod 17 = 5
Public Key: B = {7, 14, 11, 5}
Bob – Encryption Process
 Binary Plaintext P breaks up into sets of n elements
long: P = {P1, …Pk}
n
 For each set Pi compute
Pb
ij
j
 Ci
j 1
 Ci is the ciphertext that corresponds to plaintext Pi
 C = {C1, …Ck) is ciphertext that corresponds to the
plaintext P
 C is sent to Alice
Example Continue: Bob Encryption
 Bob Encryption:
 Plaintext: 1101 0101 1110
 Bob breaks the plaintext into blocks of 4 digits (since the
public key has 4 numbers)
 P={(1101), (0101), (1110)}={P1, P2, P3}
 Ciphertext:
 For P1 you take 1101 and multiply by public key:
 C1= 1*7 + 1*14 + 0*11 + 1*5 = 26
 For P2 and P3 do the similar
 C2 = 0*7 + 1*14 + 0*11 + 1*5 = 19
 C3 = 1*7 +1*14 +1*11 + 0*5 = 32
 Bob Sends Alice the following ciphertext:
 C={26, 19, 32}
Alice – Decryption Process
 Computes w, the multiplicative inverse of W mod M:
wW  1 (mod M)
 The connection between easy and hard knapsacks:
Wai = bi (mod M) or wbi = ai (mod M) 1  i  n
 For each Ci computes: Si = wCi (mod M)
n
n
n
j 1
j 1
j 1
Si  wCi  w Pij b j   Pij wb j   Pij a j
 Plaintext Pi could be found using polynomial time
algorithm for easy knapsack
Example continue: Alice Decryption:
w = 5 – multiplicative inverse of 7 (mod 17)
 5*26 (mod 17) = 11
 5*19 (mod 17) = 10
 5* 32 (mod 17) = 7
 Plaintext:
 P1 = 1101 (11 = 1*1 + 1*2 +0*4 + 1*8)
 P2 = 0101 (10 = 0*1 + 1*2 + 0*4 + 1*8)
 P3 = 1110 (7 = 1*1 + 1*2 + 1*4 + 0*8)

Final Project
 For final project you will implement the additive knapsack
cryptosystem encryption, decryption and cryptanalysis.
 The project will be divided into 3 parts



Part I: Encryption and Decryption – Due Day Nov 29, 2010
– 50% of the grade
Part II: Dynamic Programming Algorithm Implementation
of Cryptanalysis (without backtracking) – Due Day Friday
Dec 10, 2010 – 40% of the grade
Part III: Dynamic Programming Algorithm Backtracking –
Due Day Friday Dec 10, 2010 – 10% of the grade
Part I – Encryption and Decryption –
Due Day Nov 29, 2010
 Write a program that can do either encryption or decryption. The






program must take two inputs.
The first input must be either 1 or 2, with 1 signaling encryption and 2
signaling decryption.
The second input depends on the first input.
In case of encryption, the second input - plaintext - is a binary string –
sequence of 0’s and 1’s. You can assume that plaintext string's length is
equal to public key sequence length and the maximal length of the
string is 16 bits.
In case of decryption, the second input - ciphertext - is a decimal
number.
Your program should generate the private key and the public key based
on the knapsack cryptosystem algorithm.
Your program should output the private and public keys as well as
encrypted or decrypted message accordingly. Also, print all
intermediate important results to test your program for correctness.
Part I Bonus
 BONUS – 10 points: plaintext string's length is an
exact multiple of the public key sequence length
 BONUS – 10 points: the plaintext is the string of
lower case letters. In this case your program first
will find the binary equivalent for each letter and
after that will use the regular algorithm.
Ciphertext Only Cryptanalytic Attack on MerkleHellman Knapsack: Dynamic Programming Algorithm
 Input:
B={b1, b2, … bn} – public key, C - ciphertext
 Output:
The binary array P – plaintext
 Algorithm: Let Q[i, j] be TRUE if there is a subset of first i elements of B
that sums to j, 0 ≤ i ≤ n , 0 ≤ j ≤ C
Step 1: Computation of P
Q[0][0]  TRUE
for j = 1 to C do: Q[0][j]  FALSE
for i = 1 to n do:
for j = 0 to C do:
if (j – B[i] < 0): Q[i][j] = Q[i-1][j]
else: Q[i][j] = Q[i-1][j-B[i]] or Q[i-1][j]
Step 2: Backtracking
Let P be an array of n + 1 elements initialized to 0
i  n, j  C
while i > 0:
if (j – B[i]) ≥ 0):
if (Q[i-1][j-B[i]] is True):
P[i]  P[i] + 1
j  j – B[i]
ii–1
else: i  i – 1
Output: array P, elements of P that equal to 1 construct a
desired subset of B that sums to C
EXAMPLE
Input: B={1, 4, 5, 2}, C =3
j=0
j=1
j=2
j=3
i=0
TRUE
FALSE
FALSE
FALSE
i=1
B[1] =1
TRUE
TRUE
FALSE
FALSE
i=2
B[2] = 4
TRUE
TRUE
FALSE
FALSE
i=3
B[3] = 5
TRUE
TRUE
FALSE
FALSE
i=4
B[4] = 2
TRUE
TRUE
TRUE
TRUE
Element is taken
Element is taken
Q[i-1][j-B[i]] or Q[i-1][j]