
Kanp-Sack Lecture

The document discusses Merkle-Hellman knapsack cryptosystems. It describes the additive, multiplicative, and multiply-iterative variants of the Merkle-Hellman knapsack cryptosystem. It provides an example of how the additive Merkle-Hellman knapsack cryptosystem works, including how Alice generates the public and private keys and how Bob encrypts a message and sends the ciphertext to Alice for decryption. It also summarizes how the cryptosystems were eventually broken through advances in algorithms and computing power.

Uploaded by

Saikar

• Cryptology
  • Merkle-Hellman knapsack cryptosystem
    • Merkle-Hellman additive knapsack cryptosystem
    • Merkle-Hellman multiplicative knapsack cryptosystem
    • Merkle-Hellman multiply-iterated knapsack cryptosystem
  • Advanced knapsack cryptosystems
Additional Research Topics
• Data Structures and Algorithms
  • Dynamic Programming Technique
  • Bioinformatics Algorithms
  • Visualization
• Visualization of the Advanced Data Structures and Graph Algorithms
• Exploring Advanced Sorting Algorithms
  • Visualization
Public Key Cryptosystem
• In Symmetric or Private Key cryptosystems the encryption and decryption keys are either the same or can be easily found from each other.
• Public Key Cryptosystem (PKC) was introduced in 1976 by Diffie and Hellman [2]. In PKC different keys are used for encryption and decryption.

Alice:
1. Chooses secret (private) key
2. Creates and publishes public key
3. Receives ciphertext
4. Decrypts ciphertext using secret key to recover the plaintext – original message

Bob:
1. Uses Public Key to encrypt the message
2. Sends ciphertext – encrypted message to Alice
Public Key Cryptosystem
1978: First Two Implementations
• RSA: Rivest-Shamir-Adleman [3]. Based on integer factorization.
• Merkle-Hellman Knapsack Cryptosystem [1]. Based on the subset-sum problem, a variant of the knapsack problem.
  • Additive Knapsack Cryptosystem
  • Multiplicative Knapsack Cryptosystem
  • Multiply-Iterated Knapsack Cryptosystem
Merkle-Hellman Knapsack Cryptosystem Example
• Alice: Private Key
  • Private Key: A = {1, 2, 4, 8}, M = 17, W = 7, w = 5
  • Public Key: B = {7, 14, 11, 5}
• Bob: Encryption
  • Plaintext: 1101
  • Ciphertext = 7 + 14 + 5 = 26
• Alice: Decryption
  • 5*26 (mod 17) = 11
  • 11 = 1*1 + 1*2 + 0*4 + 1*8
  • Plaintext: 1101

[Diagram: Alice creates the cryptosystem (Private Key A = {1, 2, 4, 8}, M = 17, W = 7, w = 5; Public Key B = {7, 14, 11, 5}). Bob encrypts the plaintext P = 1101 using the Public Key: 1*7 + 1*14 + 0*11 + 1*5 = 26, and sends the ciphertext 26. Alice decrypts the ciphertext: 5*26 (mod 17) = 11, 11 = 1*1 + 1*2 + 0*4 + 1*8, plaintext 1101.]
Merkle-Hellman Knapsack Cryptosystem
• 1982: Single iteration Merkle-Hellman Knapsack Cryptosystem was broken by Adi Shamir [4,5,6]
• 1983: At CRYPTO ’83, Adleman used an Apple II computer to demonstrate Shamir’s method [8]
• 1985: Multiple iteration Merkle-Hellman knapsack was broken by Brickell [9]; a system of 40 iterations was broken in about an hour of Cray-1 time
Merkle-Hellman Knapsack Cryptosystem
• "History has not been kind to knapsack schemes" [11] (Lecture Notes on Cryptography, S. Goldwasser, M. Bellare)
• Merkle offered $100 award for breaking singly-iterated knapsack
• Singly-iterated Merkle-Hellman KC was broken by Adi Shamir in 1982 [4,5,6] using Hendrik W. Lenstra’s polynomial time algorithm [7] for the integer programming problem when the number of variables is fixed.
• At the CRYPTO ’83 conference, Adleman used an Apple II computer to demonstrate Shamir’s method [8]
• Merkle offered $1000 award for breaking multiply-iterated knapsack
• Multiply-iterated Merkle-Hellman knapsack was broken by Brickell in 1985 [9]
Classical Knapsack Problem
• General 0-1 knapsack problem: given n items of different values v_i and weights w_i, find the most valuable subset of the items while the overall weight does not exceed a given capacity W
• The knapsack problem is NP-hard [10]
• The knapsack problem could be solved in pseudo-polynomial time through dynamic programming
Subset-Sum Problem
• Subset-Sum problem is a special case of the knapsack problem when the value of each item is equal to its weight
• Input: set of positive integers A = {a_1, a_2, …, a_n} and the positive integer S
• Output:
  • TRUE, if there is a subset of A that sums to S, and the subset itself
  • FALSE otherwise.
• The subset-sum problem is NP-hard
Easy Knapsack Problem
• An easy knapsack problem is one in which the set A = {a_1, a_2, …, a_n} is a super-increasing sequence
• A super-increasing sequence is one in which the next term of the sequence is greater than the sum of all preceding terms:
  a_2 > a_1, a_3 > a_1 + a_2, …, a_n > a_1 + a_2 + … + a_(n-1)
• Example: A = {1, 2, 4, 8, …, 2^(n-1)} is a super-increasing sequence
Polynomial Time Algorithm for Easy Knapsack Problem
• Input: A = {a_1, …, a_n} is a super-increasing sequence, S
• Output: TRUE and P – binary array of n elements, P[i] = 1 means: a_i belongs to the subset of A that sums to S, P[i] = 0 otherwise. The algorithm returns FALSE if the subset doesn’t exist

for i ← n down to 1
    if S ≥ a_i
        then P[i] ← 1 and S ← S - a_i
        else P[i] ← 0
if S != 0
    then return (FALSE – no solution)
    else return (P[1], P[2], …, P[n])
Merkle-Hellman Additive Knapsack Cryptosystem

Alice:
1. Constructs the Knapsack cryptosystem
2. Publishes the public key
3. Receives the ciphertext
4. Decrypts the ciphertext using private key

Bob:
1. Encrypts the plaintext using public key
2. Sends the ciphertext to Alice
Alice: Knapsack Cryptosystem Construction
• Chooses A = {a_1, …, a_n}, a super-increasing sequence; A is a private (easy) knapsack, a_1 + … + a_n = E
• Chooses M - the next prime larger than E.
• Chooses W that satisfies 2 ≤ W < M and (W, M) = 1
• Computes Public (hard) knapsack B = {b_1, …, b_n}, where b_i = W a_i (mod M), 1 ≤ i ≤ n
• Keeps Private Key: A, W, M
• Publishes Public key: B
Bob – Encryption Process
• Binary Plaintext P breaks up into sets of n elements long: P = {P_1, …, P_k}
• For each set P_i compute $\sum_{j=1}^{n} P_{ij} b_j = C_i$
• C_i is the ciphertext that corresponds to plaintext P_i
• C = {C_1, …, C_k} is the ciphertext that corresponds to the plaintext P
• C is sent to Alice
Alice – Decryption Process
• Computes w, the multiplicative inverse of W mod M: $wW \equiv 1 \pmod{M}$
• The connection between easy and hard knapsacks: W a_i = b_i (mod M) or w b_i = a_i (mod M), 1 ≤ i ≤ n
• For each C_i computes: S_i = w C_i (mod M)
  $S_i = w C_i = w \sum_{j=1}^{n} P_{ij} b_j = \sum_{j=1}^{n} P_{ij} w b_j = \sum_{j=1}^{n} P_{ij} a_j$
• Plaintext P_i could be found using the polynomial time algorithm for easy knapsack
Example
• Alice Private Key:
  • A = {1, 2, 4, 8}, M = 17, W = 7, 2 ≤ W < 17, (7, 17) = 1
• Public Key:
  B = {7 mod 17, 14 mod 17, 28 mod 17, 56 mod 17} = {7, 14, 11, 5}
• Bob Encryption:
  • Plaintext: 1101
  • Ciphertext = 7 + 14 + 5 = 26
• Alice Decryption:
  • w = 5 – multiplicative inverse of 7 (mod 17)
  • 5*26 (mod 17) = 11
  • Plaintext: 1101 (11 = 1*1 + 1*2 + 0*4 + 1*8)
Ciphertext Only Cryptanalytic Attack on Merkle-Hellman Knapsack: Dynamic Programming Algorithm
• Input: B = {b_1, b_2, …, b_n} – public key, C – ciphertext
• Output: The binary array P – plaintext
• Algorithm: Let Q[i, j] be TRUE if there is a subset of the first i elements of B that sums to j, 0 ≤ i ≤ n, 0 ≤ j ≤ C

Step 1: Computation of Q

Q[0][0] ← TRUE
for j = 1 to C do: Q[0][j] ← FALSE
for i = 1 to n do:
    for j = 0 to C do:
        if (j – B[i] < 0): Q[i][j] = Q[i-1][j]
        else: Q[i][j] = Q[i-1][j-B[i]] or Q[i-1][j]

Step 2: Backtracking

Let P be an array of n + 1 elements initialized to 0
i ← n, j ← C
while i > 0:
    if (j – B[i] ≥ 0) and (Q[i-1][j-B[i]] is True):
        P[i] ← P[i] + 1
        j ← j – B[i]
    i ← i – 1

Output: array P; the elements of P that are equal to 1 construct the desired subset of B that sums to C
EXAMPLE
Input: B = {1, 4, 5, 2}, C = 3

                  j=0    j=1    j=2    j=3
i=0               TRUE   FALSE  FALSE  FALSE
i=1  (B[1] = 1)   TRUE   TRUE   FALSE  FALSE   Element is taken
i=2  (B[2] = 4)   TRUE   TRUE   FALSE  FALSE
i=3  (B[3] = 5)   TRUE   TRUE   FALSE  FALSE
i=4  (B[4] = 2)   TRUE   TRUE   TRUE   TRUE    Element is taken

Each entry is computed as Q[i-1][j-B[i]] or Q[i-1][j]
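
The table fill and backtracking described above, as an added Python example (not part of the original slides), run on the slide input B = {1, 4, 5, 2}, C = 3 and on the toy public key from the additive example. The function names are this example's own; `table_cells` shows that the work is (n + 1)(C + 1) entries, so it grows with the numeric size of the ciphertext, not only with n.

```python
def subset_sum_table(b, c):
    """Q[i][j] is True when some subset of the first i elements of b sums to j."""
    n = len(b)
    q = [[False] * (c + 1) for _ in range(n + 1)]
    q[0][0] = True
    for i in range(1, n + 1):
        w = b[i - 1]                      # slides index B from 1, Python from 0
        for j in range(c + 1):
            q[i][j] = q[i - 1][j] or (j >= w and q[i - 1][j - w])
    return q


def recover_bits(b, c):
    """Backtrack through Q; returns one 0/1 selection summing to c, or None."""
    if c < 0:
        return None
    q = subset_sum_table(b, c)
    if not q[len(b)][c]:
        return None                       # no subset of b sums to c
    bits, j = [0] * len(b), c
    for i in range(len(b), 0, -1):
        w = b[i - 1]
        if j >= w and q[i - 1][j - w]:    # element i can be part of a solution
            bits[i - 1] = 1
            j -= w
    return bits


def table_cells(b, c):
    """Number of Q entries computed: (n + 1) * (C + 1), pseudo-polynomial in C."""
    return (len(b) + 1) * (c + 1)


if __name__ == "__main__":
    print(recover_bits([1, 4, 5, 2], 3))        # slide example
    print(recover_bits([7, 14, 11, 5], 26))     # toy public key, ciphertext 26
    print(table_cells([7, 14, 11, 5], 26))
```
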
Merkle-Hellman Multiplicative Knapsack Cryptosystem
• Alice:
  • Chooses set of relatively prime numbers P = {p_1, …, p_n} – private (easy) knapsack
  • Chooses prime M > p_1 * … * p_n
  • Chooses primitive root b mod M
  • Computes the public (hard) knapsack A = {a_1, …, a_n}, where a_i is the discrete logarithm of p_i to base b, 1 ≤ a_i < M, such that:
    $p_i \equiv b^{a_i} \pmod{M}$
  • Private Key: P, M, b
  • Public Key: A
Merkle-Hellman Multiplicative Knapsack Cryptosystem - Encryption
• Binary Plaintext T breaks up into sets of n elements long: T = {T_1, …, T_k}
• For each set T_i compute $\sum_{j=1}^{n} T_{ij} a_j = C_i$
• C_i is the ciphertext that corresponds to plaintext T_i
• C = {C_1, …, C_k} is the ciphertext that corresponds to the plaintext T
• C is sent to Alice
Merkle-Hellman Multiplicative Knapsack Cryptosystem - Decryption
• For each C_i computes $S_i = b^{C_i} \pmod{M}$
• S_i is a subset product of the easy knapsack:
  $S_i = b^{C_i} = b^{\sum_{j=1}^{n} T_{ij} a_j} = \prod_{j=1}^{n} b^{T_{ij} a_j} = \prod_{j=1}^{n} (b^{a_j})^{T_{ij}} = \prod_{j=1}^{n} p_j^{T_{ij}} \pmod{M}$
• T_ij = 1 if and only if p_j divides S_i
Merkle-Hellman Multiplicative Knapsack Example
• Easy (Private) Knapsack: P = {2, 3, 5, 7}
• M = 211, b = 17
• Hard (Public) Knapsack: A = {19, 187, 198, 121}
  2 ≡ 17^19 (mod 211), 3 ≡ 17^187 (mod 211),
  5 ≡ 17^198 (mod 211), 7 ≡ 17^121 (mod 211)
• Plaintext: T = 1101
• Ciphertext: C = 327 = 19 + 187 + 121
• Decryption: S = 42 = 17^327 (mod 211)
• 42 = 2^1 * 3^1 * 5^0 * 7^1
• Plaintext: 1101
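
The multiplicative construction and the example above, as an added Python example that is not part of the original slides. The function names are this example's own, and the brute-force discrete logarithm is an assumption that only works because M = 211 is tiny.

```python
from math import gcd, prod


def discrete_log(target, base, m):
    """Brute-force a with base^a = target (mod m), 1 <= a < m. Toy moduli only."""
    value = 1
    for a in range(1, m):
        value = (value * base) % m
        if value == target:
            return a
    raise ValueError("target is not a power of base mod m")


def make_public_key(p, m, b):
    """Public knapsack A: a_i is the discrete log of p_i to base b mod M."""
    if any(gcd(x, y) != 1 for i, x in enumerate(p) for y in p[i + 1:]):
        raise ValueError("private knapsack must be pairwise relatively prime")
    if m <= prod(p):
        raise ValueError("need M > p_1 * ... * p_n")   # else S wraps mod M
    return [discrete_log(x, b, m) for x in p]


def encrypt(bits, a):
    """C = sum of T_j * a_j over one n-bit plaintext block."""
    if len(bits) != len(a):
        raise ValueError("plaintext block must be n bits")
    return sum(t * x for t, x in zip(bits, a))


def decrypt(c, p, m, b):
    """S = b^C mod M is the product of the selected p_j; T_j = 1 iff p_j divides S."""
    s = pow(b, c, m)
    return [1 if s % x == 0 else 0 for x in p]


if __name__ == "__main__":
    P, M, B = [2, 3, 5, 7], 211, 17      # private key from the slide
    A = make_public_key(P, M, B)
    C = encrypt([1, 1, 0, 1], A)
    print(A, C, pow(B, C, M), decrypt(C, P, M, B))
```
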
Multiply-Iterated Merkle-Hellman Knapsack Cryptosystem
• A = {a_1, …, a_n} super-increasing sequence, A is a private (easy) knapsack, a_1 + … + a_n = E
• For the m-times iterated knapsack cryptosystem: set of m multiplier-modulus pairs (w_i, M_i), 1 ≤ i ≤ m
• To construct a public key knapsack $B = \{b_1^m, b_2^m, \ldots, b_n^m\}$:
  $w_1 b_i^1 \equiv a_i \pmod{M_1}, \quad 1 \le i \le n, \quad M_1 > E$
  $w_2 b_i^2 \equiv b_i^1 \pmod{M_2}, \quad 1 \le i \le n, \quad M_2 > \sum_{i=1}^{n} a_i^1$
  .....
  $w_m b_i^m \equiv b_i^{m-1} \pmod{M_m}, \quad 1 \le i \le n, \quad M_m > \sum_{i=1}^{n} a_i^{m-1}$
Multiply-Iterated Merkle-Hellman Knapsack Cryptosystem Example
• A = {1, 2, 4, 8} - super-increasing sequence (easy) knapsack, m = 3 (number of iterations)
• 1st iteration: M1 = 17, W1 = 7, w1 = 5
  B1 = {7 mod 17, 14 mod 17, 28 mod 17, 56 mod 17} = {7, 14, 11, 5}
• 2nd iteration: M2 = 41, W2 = 18, w2 = 16
  B2 = {126 mod 41, 252 mod 41, 198 mod 41, 90 mod 41} = {3, 6, 34, 8}
• 3rd iteration: M3 = 53, W3 = 25, w3 = 17
  B3 = {75 mod 53, 150 mod 53, 850 mod 53, 200 mod 53} = {22, 44, 2, 41}
• Public Key: {22, 44, 2, 41}
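
The additive scheme and its multiply-iterated form, as one added Python example (not part of the original slides) covering the easy-knapsack algorithm, the single-iteration example and the three-iteration example above. It generalizes to any list of (W, M) rounds; the function names are this example's own, and it checks M > sum and gcd(W, M) = 1 rather than that M is prime.

```python
from math import gcd


def solve_easy_knapsack(a, s):
    """Greedy solver for a super-increasing knapsack; None if no subset sums to s."""
    bits = [0] * len(a)
    for i in range(len(a) - 1, -1, -1):          # from a_n down to a_1
        if s >= a[i]:
            bits[i], s = 1, s - a[i]
    return bits if s == 0 else None


def make_public_key(a, rounds):
    """Apply each (W, M) round in order; a single round is the basic scheme."""
    if any(x <= sum(a[:i]) for i, x in enumerate(a)):
        raise ValueError("private knapsack must be super-increasing")
    b = list(a)
    for w_mult, m in rounds:
        if m <= sum(b) or not 2 <= w_mult < m or gcd(w_mult, m) != 1:
            raise ValueError("each round needs M > sum, 2 <= W < M, gcd(W, M) = 1")
        b = [(w_mult * x) % m for x in b]
    return b


def encrypt(bits, b):
    """C = sum of P_j * b_j over one n-bit plaintext block."""
    if len(bits) != len(b) or any(p not in (0, 1) for p in bits):
        raise ValueError("plaintext block must be n bits")
    return sum(p * x for p, x in zip(bits, b))


def decrypt(c, a, rounds):
    """Undo the rounds last to first with w = W^-1 mod M, then solve the easy knapsack."""
    for w_mult, m in reversed(rounds):
        c = (pow(w_mult, -1, m) * c) % m         # modular inverse, Python 3.8+
    return solve_easy_knapsack(a, c)


A = [1, 2, 4, 8]                                  # private knapsack from the slides
ONE_ROUND = [(7, 17)]                             # additive example
THREE_ROUNDS = [(7, 17), (18, 41), (25, 53)]      # iterated example

if __name__ == "__main__":
    for rounds in (ONE_ROUND, THREE_ROUNDS):
        pub = make_public_key(A, rounds)
        c = encrypt([1, 1, 0, 1], pub)
        print(pub, c, decrypt(c, A, rounds))
```
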
REFERENCES
1. R. C. Merkle, M. E. Hellman, "Hiding Information and Signatures in Trapdoor Knapsacks," IEEE Transactions on Information Theory, vol. IT-24, 1978, pp. 525-530.
2. W. Diffie, M. E. Hellman, "New Directions in Cryptography," IEEE Transactions on Information Theory, vol. IT-22, no. 6, November 1976, pp. 644-654.
3. R. L. Rivest, A. Shamir, and L. M. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems," Communications of the ACM, vol. 21, no. 2, 1978, pp. 120-126.
4. Adi Shamir, "A Polynomial-time Algorithm for Breaking the Basic Merkle-Hellman Cryptosystem," Proceedings of the IEEE Symposium on Foundations of Computer Science, IEEE, New York, 1982, pp. 145-152.
5. Adi Shamir, "A Polynomial Time Algorithm for Breaking the Basic Merkle-Hellman Cryptosystem," in David Chaum, Ronald L. Rivest, Alan T. Sherman, editors, Advances in Cryptology – CRYPTO ’82, Plenum, New York, 1983.
6. Adi Shamir, "A Polynomial-time Algorithm for Breaking the Basic Merkle-Hellman Cryptosystem," IEEE Transactions on Information Theory, vol. IT-30, no. 5, September 1984, pp. 699-704.
7. Hendrik W. Lenstra Jr, "Integer Programming with a Fixed Number of Variables," Mathematics of Operations Research, vol. 8, no. 4, 1983, pp. 538-548.
8. Ming Kin Lai, Knapsack Cryptosystems: The Past and the Future, http://www.cecs.uci.edu/~mingl/knapsack.html
9. Ernest F. Brickell, "Breaking Iterated Knapsacks," in G. R. Blakley, David C. Chaum, editors, Advances in Cryptology – CRYPTO ’84, Lecture Notes in Computer Science, vol. 196, Springer, Berlin, 1985, pp. 342-358.
10. M. Garey and D. S. Johnson, Computers and Intractability: A Guide to the Theory of NP-Completeness, Freeman, 1979.
11. S. Goldwasser, M. Bellare, Lecture Notes on Cryptography.
12. J. C. Lagarias, "Performance Analysis of Shamir’s Attack on the Basic Merkle-Hellman Knapsack Cryptosystem," Proceedings of the 11th International Colloquium on Automata, Languages and Programming, Lecture Notes in Computer Science, vol. 172, Springer, Berlin, 1984.
13. A. M. Odlyzko, "The Rise and Fall of Knapsack Cryptosystems," in Carl Pomerance, editor, Cryptology and Computational Number Theory, Proceedings of Symposia in Applied Mathematics, vol. 42, American Mathematical Society, Providence, RI, 1990, pp. 75-88, http://www.dtc.umn.edu/~odlyzko/doc/complete.html
14. A. M. Odlyzko, "Cryptanalytic Attacks on the Multiplicative Knapsack Cryptosystem and on Shamir’s Fast Signature Scheme," IEEE Transactions on Information Theory, IT-30, 1984, pp. 594-601, http://www.dtc.umn.edu/~odlyzko/doc/complete.html
