Merkle-Hellman Knapsack Cryptosystem
Public Key Encryption Scheme

Course: Mathematical Cryptography (CS: 516)
Esha AItab
Roll # 2010-03-0013
Date:



Introduction:
The knapsack, or alternatively subset sum, problem is an important classic problem usually discussed in complexity theory. Formally, the subset sum problem can be defined as follows. Given a set of integers $A = \{a_1, a_2, \ldots, a_n\}$ and an integral value $S$, determine whether there is a subset of $A$ that sums up to $S$. Equivalently, find a set of binary values $X = (x_1, x_2, \ldots, x_n)$ such that

$$S = \sum_{i=1}^{n} a_i x_i, \qquad x_i \in \{0, 1\} \qquad (1)$$

It is a proven hard problem belonging to the NP-complete class of complexity. One needs to check the sums of all possible subsets to determine the solution, which hence requires exponential time $O(2^n)$. Note that NP-completeness is a statement about worst-case instances; the rest of this report turns on the fact that particular instances (superincreasing sequences, low-density sets) are easy.
Meet-in-the-Middle Algorithm
Another technique with improved efficiency involves making two lists and then finding an instance of collision between them. More precisely, let $S_1$ and $S_2$ be two sets defined as

$$S_1 = \Big\{ \sum_{i=1}^{n/2} a_i x_i \;:\; x_i \in \{0, 1\} \Big\}, \qquad S_2 = \Big\{ S - \sum_{i=n/2+1}^{n} a_i x_i \;:\; x_i \in \{0, 1\} \Big\}$$

Sort the two lists. Then traverse $S_1$ and $S_2$ to detect a common value satisfying the following equation

$$\sum_{i=1}^{n/2} a_i x_i = S - \sum_{i=n/2+1}^{n} a_i x_i, \qquad \text{i.e.} \qquad S = \sum_{i=1}^{n/2} a_i x_i + \sum_{i=n/2+1}^{n} a_i x_i$$

This search for common elements can be done using binary search, as our lists are sorted. Creating the lists takes $O(2^{n/2})$; sorting and binary search take $O(n 2^{n/2})$, resulting in $O(n 2^{n/2})$ time complexity. The price is $O(2^{n/2})$ memory for the stored lists, which is what limits the technique in practice.
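The meet-in-the-middle search described above, as an added Python example (this is not code from the original report): `subset_sum_mitm` builds the sorted list $S_1$ of first-half sums, then walks the second-half sums and binary-searches $S$ minus each of them in $S_1$. The sample knapsack and the two targets are constructed for the example.

```python
import bisect
from itertools import product


def half_sums(values):
    """All 2^len(values) subset sums of `values`, each paired with the 0/1 choice
    bits that produced it, sorted by the sum so that it can be binary-searched."""
    table = []
    for bits in product((0, 1), repeat=len(values)):
        total = sum(v for v, b in zip(values, bits) if b)
        table.append((total, bits))
    table.sort(key=lambda entry: entry[0])
    return table


def subset_sum_mitm(a, target):
    """Meet-in-the-middle subset sum: return a 0/1 list x with sum(a[i]*x[i]) == target,
    or None if no subset of `a` sums to `target`.
    Time O(n * 2^(n/2)); memory O(2^(n/2)) for the stored first-half list."""
    n = len(a)
    left, right = a[: n // 2], a[n // 2 :]
    s1 = half_sums(left)                      # S_1 = { sum_{i<=n/2} a_i x_i }
    s1_keys = [total for total, _ in s1]      # the sorted sums alone, for bisect
    for s2_total, bits2 in half_sums(right):  # enumerate sum_{i>n/2} a_i x_i
        want = target - s2_total              # an element of S_2; look for it in S_1
        k = bisect.bisect_left(s1_keys, want)
        if k < len(s1_keys) and s1_keys[k] == want:
            return list(s1[k][1]) + list(bits2)
    return None


# Constructed sample instance (not from the report): six weights; target 9 is
# reachable (3 + 4 + 2), target 61 exceeds the sum of all weights (60) and is not.
SAMPLE_A = [3, 34, 4, 12, 5, 2]

if __name__ == "__main__":
    for target in (9, 61):
        print(target, subset_sum_mitm(SAMPLE_A, target))
```

The split point `n // 2` and the sort on the first list are what give the $O(n 2^{n/2})$ bound; for a Merkle-Hellman public key with $n = 100$ this is still about $2^{50}$ work, which is why the lattice attack later in the report, not this search, is what broke the scheme.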


Application in Cryptograpby - WrklW-HWllman Knapsack Cryptograpby
lLs appllcaLlon ln crvpLoaraphv was lnLroduced bv 8alph Merkle and MarLln Pellman ln 1978
knapsack crvpLosvsLem was flrsL concreLe reallzaLlon of publlc kev encrvpLlon scheme
Encryption
ln a crvpLoaraphlc svsLem an lnsLance of subseL problem ls exposed as publlc kev LncrvpLlon ls
slmple procedure afLerwards blnarv valued messaae O x
1
x
2
x
o
ls encrvpLed as


1hls ls same as equaLlon (1) hence decrvpLlon ls slmplv Lhe maLLer of flndlna a soluLlon Lo
subseL sum problem Powever subseLsum problem belna ncompleLe lsn'L easv Lo solve
unless some Lrapdoor lnformaLlon ls used (a common pracLlce ln crvpLoaraphv ls Lo use
Lrapdoor/kev lnformaLlon Lo solve hard problem) 1o aaln such plece of lnformaLlon lL ls
lmporLanL plck a relaLlvelv easler lnsLance of subseLsum problem and Lhen mask lL lnLo a
harder lnsLance before publlshlna lL as a publlc kev 1hls ls where Lhe concepL of publlc kev
encrvpLlon ls used

Decryption
An easier instance of the subset sum problem is a superincreasing sequence $r_1, r_2, \ldots, r_n$ where

$$r_{i+1} \ge 2 r_i \quad \text{for all } 1 \le i \le n-1 \qquad (2)$$

$$r_n > r_{n-1} + r_{n-2} + \cdots + r_1 \qquad (3)$$

Equation (3) is an implication of equation (2) (for positive $r_1$; the same inequality then holds for every $r_i$ against the terms before it). The encrypted message using the superincreasing sequence will be

$$S = \sum_{i=1}^{n} r_i x_i, \qquad x_i \in \{0, 1\} \qquad (4)$$

What makes it easy to work out the subset sum for this set is its superincreasing nature and its implicit property that every term is greater than the sum of all previous terms. So we start comparing the sum with the terms in decreasing order and alongside build the binary set $X$ (the message). If a term is less than or equal to $S$ then it will necessarily be part of our subset, because all the lesser terms combined will not make up to $S$ due to the inequality in equation (3). So 1 is put on the corresponding position in the binary set and the term is subtracted from $S$; 0 is put otherwise. If $S$ is not exactly zero after the last term has been examined, no subset sums to $S$ and the ciphertext is invalid. The steps that are followed are given below (Solving Subset Sum Problem for superincreasing sequence).
In order to make it appear a hard problem, the architect of the cryptosystem will take two large integers $M$ and $B$ meeting the following criteria:
- $\gcd(M, B) = 1$
- $B > 2 r_n$, which implies $B > \sum_{i=1}^{n} r_i$ (by equation (3))
- $M < B$

Then she computes the new sequence $A = (a_1, a_2, \ldots, a_n)$ where

$$a_i = M r_i \bmod B \qquad (5)$$

So $A$ will not necessarily be a superincreasing sequence (depending on the choice of $M$). $A$ is published as the public key while $M$ and $B$ are the private keys. Now the message encrypted using this new key is a hard problem:

$$S' = \sum_{i=1}^{n} a_i x_i \qquad (6)$$

On receiving this encrypted message $S'$, the architect will use it and her private keys in computing the quantity derived below (after the solver for the superincreasing case).

Solving Subset Sum Problem for superincreasing sequence
Input parameters: superincreasing sequence $r_1, r_2, \ldots, r_n$ and value $S$
Initialize $X$: for $j = n$ to $1$: $x_j = 0$
For $j = n$ to $1$:
    if $r_j \le S$ then
        $S = S - r_j$
        $x_j = 1$
If $S \ne 0$ then fail ($S$ is not a subset sum of the sequence)
Return $X$
Decryption of $S'$ with the private keys $M$ and $B$:

$$\begin{aligned}
S &= M^{-1} S' \bmod B \\
  &= M^{-1} \sum_{i=1}^{n} a_i x_i \bmod B && \text{from (6)} \\
  &= M^{-1} \sum_{i=1}^{n} (M r_i) x_i \bmod B && \text{from (5)} \\
  &= \sum_{i=1}^{n} r_i x_i \bmod B \\
  &= \sum_{i=1}^{n} r_i x_i && \text{since } \sum_{i=1}^{n} r_i < B
\end{aligned}$$


This last equality follows from the property $B > 2 r_n$, and the result is the same easier subset sum problem with the superincreasing sequence as in equation (4). Additional security can be given by selecting some permutation $\pi$ of the set, $(a_{\pi(1)}, a_{\pi(2)}, \ldots, a_{\pi(n)})$, and adding it to the group of private keys. The permutation hides only the order of the superincreasing terms; the lattice attack described later works from $A$ and $S'$ alone and does not depend on that order at all.

Treating the superincreasing sequence in this way is known as the basic or singly-iterated Merkle-Hellman cryptosystem. A variation of it is the multiply-iterated Merkle-Hellman cryptosystem [1]. In a $k$ times iterated cryptosystem the set of private keys is $(M_i, B_i, \pi_i)$ where $1 \le i \le k$, $\gcd(M_i, B_i) = 1$ and

$$B_i > \sum_{j=1}^{n} a_j^{(i-1)}$$

where $a^{(i-1)}$ is the set fed as input to the $i$-th step to get the output set $a^{(i)}$ (with $a^{(0)} = r$). The output set obtained by treating $a^{(i-1)}$ with keys $(M_i, B_i, \pi_i)$ is fed as the input set to be treated by keys $(M_{i+1}, B_{i+1}, \pi_{i+1})$; decryption applies the inverses in the reverse order.
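The whole basic (singly-iterated) scheme of equations (2) to (6), including the secret permutation and the greedy solver from the box above, as an added Python example; it is not the report's code. Key sizes, the particular choice $B = 2 r_n + 1 + \text{random}$, the message length $n = 8$ and the use of `random.Random` (reproducible for a demo, not suitable for real keys) are the example's own assumptions.

```python
import math
import random


def gen_superincreasing(n, rng):
    """r_1..r_n with r_{i+1} >= 2 r_i (equation (2)); with r_1 > 0 this also gives (3)."""
    r = [rng.randrange(1, 2 ** n)]
    for _ in range(n - 1):
        r.append(2 * r[-1] + rng.randrange(0, 2 ** n))
    return r


def keygen(n, rng):
    """Return (public key A, private key (r, M, B, pi)) for an n-bit message space."""
    r = gen_superincreasing(n, rng)
    B = 2 * r[-1] + 1 + rng.randrange(0, 2 ** n)   # B > 2 r_n, hence B > sum(r)
    while True:
        M = rng.randrange(2, B)                      # 1 < M < B with gcd(M, B) = 1
        if math.gcd(M, B) == 1:
            break
    pi = list(range(n))
    rng.shuffle(pi)                                  # secret permutation of positions
    A = [(M * r[pi[i]]) % B for i in range(n)]       # a_i = M r_{pi(i)} mod B  (equation (5))
    return A, (r, M, B, pi)


def encrypt(A, bits):
    """S' = sum a_i x_i (equation (6)); bits is the message as a list of 0/1."""
    if len(bits) != len(A) or any(b not in (0, 1) for b in bits):
        raise ValueError("message must be a 0/1 list of length n")
    return sum(a * b for a, b in zip(A, bits))


def solve_superincreasing(r, S):
    """Greedy solver for the easy instance (equation (4)): scan r from the largest term down.
    Raises ValueError when S is not a subset sum of r (an invalid ciphertext)."""
    y = [0] * len(r)
    for j in range(len(r) - 1, -1, -1):
        if r[j] <= S:       # r_j must be used: the smaller terms cannot reach S (equation (3))
            y[j] = 1
            S -= r[j]
    if S != 0:
        raise ValueError("no subset of the superincreasing sequence sums to S")
    return y


def decrypt(priv, c):
    """Recover the message bits from S' = c with the trapdoor (r, M, B, pi)."""
    r, M, B, pi = priv
    S = (pow(M, -1, B) * c) % B       # M^{-1} S' mod B equals sum r_{pi(i)} x_i exactly, as sum(r) < B
    y = solve_superincreasing(r, S)   # y_j = 1 iff r_j was used
    return [y[pi[i]] for i in range(len(r))]   # x_i = y_{pi(i)}: undo the permutation


def roundtrip_ok(n, seed, trials=20):
    """Self-check: keygen with a seeded RNG, then encrypt and decrypt `trials` random messages."""
    rng = random.Random(seed)
    A, priv = keygen(n, rng)
    for _ in range(trials):
        m = [rng.randrange(2) for _ in range(n)]
        if decrypt(priv, encrypt(A, m)) != m:
            return False
    return True


if __name__ == "__main__":
    rng = random.Random(2010)          # fixed seed so the demo is reproducible
    A, priv = keygen(8, rng)
    msg = [1, 0, 1, 1, 0, 0, 1, 0]
    c = encrypt(A, msg)
    print("public key:", A)
    print("ciphertext:", c, "->", decrypt(priv, c))
```

`decrypt` refuses a value that is not a genuine subset sum of $r$ instead of returning garbage bits; the report's derivation relies on $\sum r_i < B$, which is why the modular reduction in `decrypt` returns $S$ exactly and never has to guess.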
Efficiency:
Encryption and decryption using the subset sum problem are quite efficient. For instance, encryption of a $k$-bit message will require at most $k$ additions according to equation (6), each on numbers of about $k$ bits, and thus in total an operation of $O(k^2)$ complexity. $B$ for encryption is greater than twice the largest term $r_n$, and $r_n$ itself has at least $k$ bits by equation (2), so $B$ has at least $k+1$ bits, i.e. $B \ge 2^{k+1}$ roughly. For ease we assume that $B$ can't have more bits than twice the $k$ bits, $O(2^{2k})$. Hence computing the inverse of $M \bmod B$ is the same as the Extended Euclidean algorithm, which is $O(k)$ division operations and thus approximately $O(k^2)$ time complexity. Later, solving the easy instance of the superincreasing sequence requires just $O(k)$ iterations. Hence encryption and decryption of $k$-bit numbers are operations on the order of $O(k^2)$, which are much more efficient than discrete logarithm and RSA with $O(k^3)$ encryption/decryption complexity (one modular exponentiation with a $k$-bit modulus and exponent).
Cryptanalysis of Subset-Sum Cryptosystem:
The study of vector spaces and lattices has played an important role in the cryptanalysis of the subset sum problem.
Definition
Let $v_1, v_2, \ldots, v_n \in \mathbb{R}^n$ be a set of linearly independent vectors. The lattice $L$ generated by $v_1, v_2, \ldots, v_n$ is the set of linear combinations of $v_1, v_2, \ldots, v_n$ with coefficients in $\mathbb{Z}$:

$$L = \{ a_1 v_1 + a_2 v_2 + \cdots + a_n v_n \;:\; a_1, a_2, \ldots, a_n \in \mathbb{Z} \}$$

A basis for $L$ is any set of independent vectors that generates $L$. Two bases of the same lattice are related by an integer matrix of determinant $\pm 1$, so the absolute value of the determinant of the basis matrix, $\det(L)$, is the same for every basis.


Representing subset sum as a vector matrix
Let $A = (a_1, a_2, \ldots, a_n)$ be the set (public key) from which the sum $S$ is to be found, and let $X = (x_1, x_2, \ldots, x_n)$ be the binary set (message to be encrypted). Then to represent it in vector form we write vectors $v_i \in \mathbb{R}^{n+1}$ using each $a_i$:

$$\begin{aligned}
v_1 &= (2, 0, 0, \ldots, 0, a_1) \\
v_2 &= (0, 2, 0, \ldots, 0, a_2) \\
v_3 &= (0, 0, 2, \ldots, 0, a_3) \\
&\;\;\vdots \\
v_n &= (0, 0, 0, \ldots, 2, a_n) \\
v_{n+1} &= (1, 1, 1, \ldots, 1, S)
\end{aligned}$$

The binary set $X$ is also taken as the binary vector $(x_1, x_2, \ldots, x_n)$. We take $v_1, v_2, \ldots, v_{n+1}$ as the basis of a lattice $L$. Every vector of $L$ is a linear combination $c_1 v_1 + c_2 v_2 + \cdots + c_{n+1} v_{n+1}$ with integer coefficients; the particular vector we are after uses the message bits as coefficients and subtracts $v_{n+1}$ once:

$$t = x_1 v_1 + x_2 v_2 + \cdots + x_n v_n - v_{n+1}$$

Equivalently, this can be written in matrix form. Let $V$ be the $(n+1) \times (n+1)$ matrix whose rows are the basis vectors:

$$V = \begin{pmatrix}
2 & 0 & 0 & \cdots & 0 & a_1 \\
0 & 2 & 0 & \cdots & 0 & a_2 \\
0 & 0 & 2 & \cdots & 0 & a_3 \\
\vdots & \vdots & \vdots & \ddots & \vdots & \vdots \\
0 & 0 & 0 & \cdots & 2 & a_n \\
1 & 1 & 1 & \cdots & 1 & S
\end{pmatrix} \qquad (7)$$

$$(x_1, x_2, x_3, \ldots, x_n, 0)\, V = (2x_1, 2x_2, 2x_3, \ldots, 2x_n, \; x_1 a_1 + x_2 a_2 + \cdots + x_n a_n) \qquad (8)$$

$$t = (x_1, x_2, x_3, \ldots, x_n, -1)\, V = (2x_1 - 1, 2x_2 - 1, 2x_3 - 1, \ldots, 2x_n - 1, \; 0) \qquad (9)$$

The last element is 0 because of the equality $S = \sum_{i=1}^{n} a_i x_i$. Hence, given the matrix of basis vectors $v_1, v_2, \ldots, v_n, v_{n+1}$, if somehow the vector $t$ is found then computing the binary vector $(x_1, x_2, \ldots, x_n)$ is no matter of difficulty: $x_i = (t_i + 1)/2$.


The magnitude of the vector $t$ is $\|t\| = \sqrt{n}$, which is quite short for a vector in the vector space $\mathbb{R}^{n+1}$ when the basis vectors carry last coordinates of the size of the $a_i$. We can say that the problem of finding $(x_1, x_2, \ldots, x_n)$ (equivalently the problem of solving subset sum) is reduced to the problem of finding a short vector of magnitude $\sqrt{n}$ in the lattice $L$. But that also requires finding a basis for $L$ such that all vectors in the basis also have smaller magnitudes. This process of finding a basis with vectors of reduced magnitude is called lattice reduction.

Properties of basis with vectors of smaller magnitude
Many theorems have been put forth regarding upper bounds on the magnitude of small vectors.
Hermite's Theorem: every lattice $L$ of dimension $n$ contains a nonzero vector $v$ satisfying

$$\|v\| \le \sqrt{n}\, \det(L)^{1/n} \qquad (10)$$

Further, it has also been observed that a basis with its vectors more orthogonal (making angles between $60^\circ$ and $120^\circ$ with each other) tends to have shorter magnitudes, as shown in Figure 1. That is also measured by Hadamard's ratio, sometimes called the 'orthogonality defect'.
Hadamard's ratio: it is defined for a basis $B = \{v_1, v_2, \ldots, v_n\}$ of $L \subset \mathbb{R}^n$ as

$$H(B) = \left( \frac{\det(L)}{\|v_1\| \|v_2\| \cdots \|v_n\|} \right)^{1/n}, \qquad 0 < H(B) \le 1 \qquad (11)$$

The closer this ratio is to 1, the more orthogonal the vectors are in basis $B$.

Figure 1 (source: Wikipedia)


Getting Orthogonal Vectors in $\mathbb{R}^2$

Figure: basis vectors $v_1$, $v_2$ and the more orthogonal $w_2$

In the figure, vectors $v_1$ and $v_2$ form a basis making an angle smaller than $60^\circ$ with each other. However $w_2$, being more orthogonal to $v_1$, is smaller in magnitude and can give a new basis of $v_1$ and $w_2$. So the new basis is the set $\{v_1, w_2\}$:

$$w_1 = v_1 \qquad (12)$$

$$w_2 = v_2 - \mu w_1 = v_2 - \mu v_1 \qquad (13)$$

Requiring $w_2$ to be orthogonal to $v_1$ gives

$$w_2 \cdot v_1 = 0 \;\Rightarrow\; (v_2 - \mu v_1) \cdot v_1 = 0 \;\Rightarrow\; v_2 \cdot v_1 - \mu \|v_1\|^2 = 0 \;\Rightarrow\; \mu = \frac{v_1 \cdot v_2}{\|v_1\|^2} \qquad (14)$$

Since $\mu$ from equation (14) is not necessarily an integral quantity, we need to take its integer approximation so that $w_2$ may belong to the lattice $L$. In that case the Gaussian algorithm for lattice reduction gives a much better basis with good, approximately orthogonal vectors.

Gaussian Lattice Reduction
Let $L \subset \mathbb{R}^2$ be a 2-dimensional lattice with basis vectors $v_1$ and $v_2$.
1. If $\|v_1\| > \|v_2\|$, swap $v_1$ and $v_2$.
2. Compute $m = \lfloor v_1 \cdot v_2 / \|v_1\|^2 \rceil$ (integer approximation of $\mu$ in equation (14)).
3. Replace $v_2$ by $v_2 - m v_1$. If $\|v_2\|$ is still not shorter than $\|v_1\|$, stop; otherwise repeat from step 1 (the swap makes the new, shorter $v_2$ the reference vector).

When the algorithm terminates, two conditions are fulfilled:
- $\left| v_1 \cdot v_2 / \|v_1\|^2 \right| \le 1/2$
- $\|v_1\| \le \|v_2\|$

and $v_1$ is then a shortest nonzero vector of $L$. Every pass that does not stop strictly shortens $v_2$, and squared lengths are positive integers, so the loop terminates.

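The three steps above as an added Python example (not from the report). Exact rational arithmetic is used for $m$ so that the rounding in step 2 is never subject to floating-point error. The input basis is constructed for the example by applying the unimodular matrix with rows $(7, 2)$ and $(10, 3)$ to the orthogonal basis $(3, 1), (-1, 3)$, so the reduced answer is known in advance.

```python
import math
from fractions import Fraction


def dot(u, v):
    return sum(x * y for x, y in zip(u, v))


def nearest_int(q):
    """Round a Fraction to the nearest integer (exact halves round up)."""
    return math.floor(q + Fraction(1, 2))


def gauss_reduce(v1, v2):
    """Gaussian lattice reduction of a 2-dimensional basis with integer coordinates.
    Returns (v1, v2) with ||v1|| <= ||v2|| and |v1.v2| / ||v1||^2 <= 1/2;
    v1 is then a shortest nonzero vector of the lattice."""
    v1, v2 = list(v1), list(v2)
    while True:
        if dot(v1, v1) > dot(v2, v2):        # step 1: keep the shorter vector as v1
            v1, v2 = v2, v1
        if dot(v1, v1) == 0:
            raise ValueError("vectors are linearly dependent, not a basis")
        m = nearest_int(Fraction(dot(v1, v2), dot(v1, v1)))   # step 2: integer approximation of mu (14)
        v2 = [b - m * a for a, b in zip(v1, v2)]             # step 3: v2 <- v2 - m v1
        if dot(v2, v2) >= dot(v1, v1):       # v2 no longer shorter than v1: reduced
            return v1, v2


def is_gauss_reduced(v1, v2):
    """The two termination conditions of the algorithm, checked exactly."""
    return dot(v1, v1) <= dot(v2, v2) and 2 * abs(dot(v1, v2)) <= dot(v1, v1)


# Constructed example: (19,13) = 7(3,1) + 2(-1,3) and (27,19) = 10(3,1) + 3(-1,3);
# the transform has determinant 1, so both pairs generate the same lattice.
SAMPLE_BASIS = ((19, 13), (27, 19))

if __name__ == "__main__":
    print(gauss_reduce(*SAMPLE_BASIS))
```

On the sample the loop runs three passes, swapping each time, and ends with $v_1 = (3, 1)$, $v_2 = (-1, 3)$; the determinant $10$ is preserved, as it must be for any change of basis.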

Lattice reduction in n-dimensional vector space $\mathbb{R}^n$
In an $n$-dimensional vector space the lattice 'reduction algorithm' of Lenstra, Lenstra and Lovász (LLL) gives a fairly good basis in polynomial time. It is presented below.

LLL algorithm
Input: basis $v_1, v_2, \ldots, v_n$ of $L$.
1. Gram-Schmidt: compute $v_1^*, v_2^*, \ldots, v_n^*$ and the coefficients $\mu_{i,j}$ (equations (12) to (14) are the case $n = 2$):

$$v_1^* = v_1, \quad v_2^* = v_2 - \mu_{2,1} v_1^*, \quad v_3^* = v_3 - \mu_{3,1} v_1^* - \mu_{3,2} v_2^*, \quad \ldots, \quad v_n^* = v_n - \sum_{j=1}^{n-1} \mu_{n,j} v_j^*, \qquad \mu_{i,j} = \frac{v_i \cdot v_j^*}{\|v_j^*\|^2}$$

2. Size reduction: for each $i$ and each $j < i$, replace $v_i$ by $v_i - \lfloor \mu_{i,j} \rceil v_j$ so that $|\mu_{i,j}| \le 1/2$ (the integer approximation keeps the vectors in $L$).
3. If the two conditions

$$|\mu_{i,j}| \le \frac{1}{2} \text{ for all } j < i \qquad \text{and} \qquad \|v_i^*\|^2 \ge \left( \frac{3}{4} - \mu_{i,i-1}^2 \right) \|v_{i-1}^*\|^2 \quad \text{(Lovász condition)}$$

are fulfilled for every $i$, return the reduced basis set. Otherwise do ordering (swap $v_{i-1}$ and $v_i$ at the first $i$ that fails the Lovász condition) and repeat the process from the start.

Solving Subset-sum Problem
- Input is a set $A = (a_1, a_2, \ldots, a_n)$ and sum $S$.
- Output is a binary vector $X = (x_1, x_2, \ldots, x_n)$ such that $S = \sum_{i=1}^{n} a_i x_i$.
- The matrix $V$ of basis vectors is created as in equation (7). Each row represents a vector, say $v_1, v_2, \ldots, v_n, v_{n+1}$.
- The target vector $t$ is as in equation (9): $n$ entries of $\pm 1$ followed by $0$.
- LLL lattice reduction is applied on $V$ to get the reduced basis represented by a matrix $V'$.
- For each vector $u_i = (u_1, u_2, \ldots, u_n, u_{n+1})$ in $V'$ ($i = 1$ to $n+1$):
  - If $u_j \in \{-1, 1\}$ for all $j = 1, \ldots, n$ and $u_{n+1} = 0$ (then $u_i$ is a vector of the same magnitude as the vector $t$ in equation (9)):
    - Equate $u_i$ to $t$ and extract the vector $X = (x_1, x_2, \ldots, x_n)$ with $x_j = (u_j + 1)/2$.
    - If $S = \sum_{i=1}^{n} a_i x_i$, return $X$.
    - Equate $-u_i$ to $t$ and extract the vector $X = (x_1, x_2, \ldots, x_n)$ with $x_j = (1 - u_j)/2$.
    - If $S = \sum_{i=1}^{n} a_i x_i$, return $X$.
- Return Fail.
Low Density Knapsack
Another related concept is the density of a knapsack. Given a knapsack set $A = (a_1, a_2, \ldots, a_n)$, the density of $A$ is defined to be

$$d(A) = \frac{n}{\max\{ \lg a_i : 1 \le i \le n \}}$$

Low density means that the set has relatively large $a_i$ quantities. This causes the nonzero short vector that we intend to find to become comparatively much smaller in the lattice and makes the job easier. Hence at times the set is multiplied by some large constant $C$ that makes the vectors in the matrix from equation (7) quite large, thereby reducing the density of the knapsack. Also the determinant of that matrix is multiplied by $C$, so the Hermite bound on the shortest vector, equation (10), is multiplied by $C^{1/(n+1)}$, while the target vector $t$ of equation (9) keeps its magnitude $\sqrt{n}$ (its last coordinate is $C(\sum a_i x_i - S) = 0$). This procedure enhances the chance of finding a short vector in a basis with relatively larger vectors. The lattice attack is known to succeed with high probability for densities below about $0.645$ (see [1]), and a Merkle-Hellman public key built as in equation (5) always has density below 1, since each $a_i < B$ and $B$ has more than $n$ bits.

Conclusive Remark
The knapsack cryptanalysis technique using lattices poses a real threat to the Merkle-Hellman knapsack cryptosystem and makes it insecure to be used for practical purpose cryptography.

References
[1] A. M. Odlyzko. The Rise and Fall of Knapsack Cryptosystems.
[2] Alfred J. Menezes et al. Handbook of Applied Cryptography. Pages 120, 300.
[3] J. Hoffstein et al. An Introduction to Mathematical Cryptography. Pages 363, 372, 373, 420.