Basic Merkle-Hellman

Knapsack cryptosystem
Crypto analysis by Shamir
By: Kanmogne Pekam Linda

Introduction
In 1976 the idea of public key
cryptosystem was introduced by Diffie
and Hellman
In 1978 Merkle-Hellman Knapsack public
key Cryptosystem is published
in 1982 Adi Shamir's broke the basic
Merkle-Hellman Knapsack Cryptosystem

NP-Complete
A problem Z is said to be NP-Complete if:
Z is NP: Meaning there is a
nondeterministic turing machine that can
solve the problem in polynomial time
And Z is NP-Hard: every NP problem R
can be reduced to Z.

knapsack problem
Which coins should we put in the bag such
that the total value of the bag is a big as
possible but the total weight at most 15 kg?

Knapsack problem: formal

definition
input: n items, ui and wi Z+, 1 i n, are
resp value and weight of ith item, and the
sum W Z+
Problem: if exists vector x = (x1,...,xn ) ,
xi {0,1} such that:
- Maximize uixi for i: 1,...,n
- Subject to wixi W for i: 1,...,n
This problem is known to be NP-Complete

Super increasing sequence

Vector sequence a = (a1, a2, , aj, , an) is
said to be super increasing if :
aj > ai for i: 1,, j-1, with j n.
Example:
(1, 2, 4, 6) is not super increasing
because 6 1+2+4
(1, 2, 4, 8) is super increasing
because 8 > 1+2+4

Easy and Hard Knapsack

A Knapsack problem is easy if the knapsack
vector w = (w1,...,wn) weights of the n items
form a super increasing sequence :
=> wj > wi for i: 1,, j-1, with j n.
=> wixi = W is solvable in polynomial time
The knapsack vector is hard otherwise and
then finding xi is an NP-Complete problem

Subset-sum problem
It is a particular case of Knapsack problem
Giving n items with weight vector
w = (w1, w2,, wn) , wi Z+ , for i : 1,...,n
and S Z+ the sum.
find subset wj of wi such that
S = wj for j: 1,,p (p n)
=> finding vector x = (x1,...,xn ), xi {0, 1} st:
S = wixi = w1x1+ w2x2+...+ wnxn for i: 1,...,n
if xi = 1 : wi wj, else , wi wj

Subset-Sum problem - 2
The subset-sum problem (w, S) is known to
be NP-Complete
However if the initial weight vector w has
a super increasing, the problem (w, S) can
be solved in O(n).

Solving Super increasing

knapsack
input:
- n items, super increasing weights vector
w = (w1, w2,, wn)
- Sum S Z+
Problem: find vector x = (x1,...,xn ), xi {0, 1}
such that S = wixi = w1x1+ w2x2+...+ wnxn

Solving Super increasing

knapsack
Algorithm to solve a Subst-Sum problem
with a super increasing weights vector:
for i = n downto 1
{ If S wi then { xi = 1; S = S - wi; } else xi = 0; }
return (x1, x2,..., xn).

Solution if exists is unique!

Running time: O(n)

Merkle-Hellman Knapsack
Cryptosystem: Idea
Encoded message as solution to knapsack
problem.

MH -> Key Generation

n-bit message
Choose a super increasing vector
ai : {a1, a2,, an}

Choose a number q such that q > ai for

1 i n. q is call the modulus

choose a number r such that r and q are
coprime: gcd (r,q) = 1. r is called the
multiplier.

MH -> Key generation -2

Now we compute the vector bi : (b1, b2,,
bn) such that: bi = r ai mod(q)
The keys:
Public key: is bi
Private key: is (ai, q, r)

, 0 bi < q

MH -> Encryption
n-bit message mi : { m1 , m2 ,, mn}
Public key bi : {b1, b2,, bn}
Encrypted message is: C = mi bi

(E)

for 1 i n, with 0 C < q

(E) is NP-Complete knapsack problem : bi is
a hard-Knapsack

MH -> Decryption

Private key: (ai, q, r).

Message integer C = mi bi for 1 i n.

Compute r-1 inverse of r modulo q using

the Extended Euclidean Division

MH -> Decryption -2
We compute C = C r-1 mod(q)
=> C = mi bi r-1 mod(q), with bi = r aimod(q)
=> ai = r-1 bi mod(q)
=> C = mi ai mod(q)
q > ai and mi {0,1}, mi ai < q
=> C= mi ai (E')
(E') easy to solve as ai has a super
increasing.

MH -> Example

Message "hello", n = 7 bits

ai : {3, 5, 15, 25, 54, 110, 225} i: 1,...,7
q > ai => q = 439 and r = 10
bi = ai r mod (q) => bi : {30, 50, 150, 250,
101, 222, 55)}
Encryption:
h = 1001000 => Ch= hibi = 30 + 250 = 280
e = 1100101 => Ce= eibi = 30 + 50 + 101 +
55 = 236

MH -> Example - 2
l = 1101100 => Cl= libi = 30 + 50 + 250 +
101 = 431
o = 1101111 => Cl= libi = 30 + 50 + 250 +
101 + 222 + 55 = 708
So the encrypted message is M = (280, 236,
431, 431, 708).
Decryption of Ch = 280
r-1 of r modulo q is 44 (10x44 = 1 mod(q))

MH -> Example - 3
Ch' = Ch r-1 mod (q)
=> Ch' = 280x44 mod (439) = 28
ai : {3, 5, 15, 25, 54, 110, 225}
Algo to solve the super increasing
knapsack problem:
- The largest element
for j = n downto 1
of ai Ch' is 25 => h4 = 1 { If s a then { xi = 1; s = s - ai; } else
xi = 0; }
Ch' = 28 - 25 = 3
return (x1, x2,..., xn).
a1 Ch' => h1 = 1, Ch' = 3 - 3 = 0
=> hi : 1001000
i

MH- Crypto analysis: Assumptions

n
d: expansion factor: Ratio between size of
the ciphertext over the size of the
plaintext . d > 1 is fixed
d = 2 for the Basic MH : M = 200, n = 100
q0 and bi grow linearly with n
a1 2-n+1, ai 2-n+i-1
q0 2-dn , bi < q0

MH- Crypto analysis: Trapdoor

pair
Shamir algorithm find trapdoor pair w and q,
with w = r-1 mod (q) such that given the
public key bi, we can compute a super
increasing vector si st:
si= w bi mod( q) and with q > si
There is at least one solution by
construction w0, q0!!

MH- Crypto analysis: Trapdoor

pair -2
(w, q) can be different from (w0, q0), but will
still decrypt the message.
Proof:
- encrypted message C = mi bi
- C' = C w mod (q) with si = w bi mod( q)
=> C' = mi bi w mod(q) = mi si mod (q)
=> C' = mi si (D), q > si , mi: {0,1}
(si super increasing => (D) easy to solve )

MH- Cryptanalysis: Step 1

q0 is unknown
We study the curves : w bi mod( q0), i:1..n
for real multipliers
0 w < q0 ,
w bi mod( q0) graph
has a sawtooth form

Minimum: w bi mod( q0) = 0

MH- Cryptanalysis: Step 1 - 2

The slope of the sawtooth curves is bi
Minimum is reached when biw = xq0
=> w = xq0/bi, with 0 w < q0
=> 0 x < bi-1: there is bi minima
distance between two successive minima
is q0/bi
for i = 1, wo is such that a1 = wob1mod(q0)
=> a1 = wob1 - xq0,

MH- Cryptanalysis: Step 1 - 3

=>a1/b1 = wo - xq0/b1 , a1 2dn-n , b1< q02dn
`=> wo - xq0/b1 2-n: distance between wo
and the xth closest minimum to the left wx1
of the b1 curves is at most 2-n.
wo and wx1 are closed to each other

MH- Cryptanalysis: Step 1 - 4

Similarly for i = 2, the distance between
wo and the yth closest minimum to the left
of the b2 curves wy2 is at most 2-n+1
w0 and wy2 are also really closed
=> wx1 and wy2 are also closed
=> distance factor between w0 and closest
minimum to left of the ith curves is : 2-n + i - 1
=> There is a point where all the minima at
are closed to each other.

MH- Cryptanalysis: Step 2

If we superimpose bi curves, there would an
interval (s) where all minina of bi curves are
closed to each other meaning closed to w0

MH- Cryptanalysis: Step 2 - 2

So instead of finding wo, we can compute
the accumulation points of the super
imposes bi curves
Choose l out of n curves to superimpose.
what is should be the value of l?
Shamir proved that l is not dependant on
n but instead on the factor d = M/n
l = d+2 is enough to estimate the
accumulation points

MH - Cryptanalysis : Step 3

We pick l bi curves
the pth minimum of b1 is pq0/b1,
we don't have q0
Observation: the location of accumulation
points depend on b1 and not on tq0

MH-Cryptanalysis : step 3 - 2
we can get rid of q0 by dividing the
function by q0
=> biv mod(1) with v = w/q0 , 0 v < 1
=> slope is unchanged: bi
=> the distance between two consecutives
minima : 1/bi
=> distance between wo and the bi minima
will be reduced by 2dn, => vo -vi 2-dn-n+i-1

MH-Cryptanalysis : step 3 - 3
for i=1, the pth minimum of b1 curve is an
accumulation point if it is closed enough to all other
neighboring bi minima

MH-Cryptanalysis : step 3 - 4
=> This gives the following system :
(l-1) inequalities equations
l unknow value p, q , rintegers
, : allowable deviation between pth
minimum and other minima.
2 < p/b1 q/b2 < - 2
3 < p/b1 r/b3 < - 3

1 p < b1-1, 1 q < b2-1

1 p < b1-1, 1 r < b3-1

MH-Cryptanalysis : step 3 - 5
Multiplying the inequalities by their denominators
gives:

2 < pb2 qb1 < - 2

1 p < b1-1, 1 q < b2-1

3 < pb3 rb1 < - 3

1 p < b1-1, 1 r < b3-1

Since the number of variable is fixed , We can

apply the Lenstra's algorithm to find p values.
running time is O(nF(l)), F(l) grows exponentially
with l, but l is small (l = 4 for the Basic MH) .

MH-Cryptanalysis : step 3 - 6
Using the Lenstra integer programming will
output all possible value of p, satisfying the
inequalities system
The number of accumulation points k should
not exceed 100 else the algorithm is aborted.
This condition make sure the algorithm runs in
polynomial time.
Example: all bi are similar => all minima are
accumulation points

MH-Cryptanalysis : step 4
p found in step 3:
[p/b1, (p+1)/b1]: interval between 2
successive minima of b1
v1,...,v1 : the list of coordinates of
discontinuity points of all n curves lying in
the sorted order in this interval
We divide [p/b1, (p+1)/b1] in subintervals
such as [vt, vt+1).

MH-Cryptanalysis : step 4 - 2
in [vt, vt+1), each bi curves is a line
segment.
=> the ith linear segment : vbi + Cti where Cti
: number of bi minima in (0, vt] , vt v < vt+1

MH-Cryptanalysis : step 4 - 3
v = Cti/bi
Conditions: v trapdoor ratio w/q if:
modulus Size: (vbi + Cti ) < 1 i: 1,...,n
Superincreasing: (vbi + Cti ) >(vbj + Ctj )
for i: 2,...,n and j: 1,...,i-1
The solution to this system of linear inequalities
in v, is possible non empty subinterval of
[vt, vt+1).

MH-Cryptanalysis : step 4 -4
There would be at least one non empty
subintervals by construction
The membership of w/q to this subinterval
for some p, t value is a necessary and
sufficient condition for w and q to be a
trapdoor pair.

MH-Cryptanalysis : step 5
We have the ratio (s) w/p = k, with k real
value
We need w, p
Diophantine approximation: For a given real
value k, output the rational number w/q such
that w/q is an approximated value of k.

With w, q, and bi we can compute si

The new private key is then ( si, q, w)

MH- Crypto analysis: Performance

The most consuming part of the algorithm is the
Lenstra's algorithm to find p values. running
time is polynomial time in n but exponential
in l.

Thank you for your attention!!!