Analytical Observations on Knapsack Cipher 0/255
aa r X i v : . [ c s . CR ] D ec Analytical Observations on Knapsack Cipher 0 / Ashish Jain, Narendra S. Chaudhari
Department of Computer Science and Engineering, Indian Institute of Technology Indore, India
Abstract
We observed few important facts that concerns with the new proposal of knapsack cipher 0 / N ). In this paper, we show thatthe knapsack cipher 0 /
255 can be solved in the same time that is required for solving the basic knapsack-cipher proposed by Merkleand Hellman [2]. In other words we claim that the improved version proposed by Pham [1] is technically same as the basic Merkleand Hellman Knapsack-based cryptosystem.
Keywords:
Knapsack Cipher 0 /
1. Introduction
The trapdoor knapsack used for hiding information and sig-nature is a knapsack-based cryptosystem, first proposed byMerkle and Hellman [2] in 1978. This public key encryptionproposal has been thoroughly investigated owing to a high com-putational e ffi ciency (at that time). The motivation of its designis converting superincreasing knapsack sequence into a com-putationally hard sequence. Though, the basic version was bro-ken by Shamir in 1984 [3]. Despite of failure of previous allknapsack Public Key Cryptosystems (PKC), two new knapsackPKC proposed by Wang et al [4] and Murakami et al [5] in 2007and 2008, respectively. However, very recently both has beenbroken by peng at al [6] by mounting lattice-based attack.Shor [7] showed that, the security of most PKC proposed sofar depends on the di ffi culty of integer factorization problem ordiscrete logarithm problem. However, these problems can beeasily solved using quantum computers. Knapsack problem isone that cannot be easily solved using quantum computers.Now a days there is requirement of light weight, high-speedand highly secure cryptography algorithms for electronic com-merce [8]. So, recently an improvement to the basic knapsackcryptosystem is proposed in the captioned paper “The improve-ment of the knapsack cipher” by Pham[1]. However, duringthe critical analysis of [1], it was observed that even though theauthor claimed the time complexity to be O(256 N ) for solvingtrapdoor knapsack 0 / / /
255 is described, comments on the
Email address: [email protected], [email protected] (Ashish Jain, Narendra S. Chaudhari) knapsack cipher 0 /
255 is given in Sect. 3 followed by conclu-sion in Sec. 4.
2. Description of the Knapsack cipher 0 / In any PKC system, public key is publicized by the designer(e.g. by Alice), so that using public key sender (e.g. Bob)encrypts the plaintext and sends it over a (insecure) com-munication channel. Upon receiving the encrypted message(ciphertext b ), the receiver (Alice) decrypts the ciphertext b using her own private key ( A key that is used by the designerto generate the public key). In the case of Merkle-Hellmanknapsack-based PKC, the trapdoor knapsack A = a , a , ..., a n (set of natural numbers) is publicized as the public key (Atypical value of n is 100 and a typical size of each a i is200 bits). Let, the sender have a message of length n as abit string or simply X = x , x , ..., x n { x i ∈ , } . The senderfirst compute the sum b and then sends it via the public channel.where: b = P ni = a i ∗ x i Both the receiver and the potential eavesdropper knows thepublic encryption vector A and the ciphertext b . Their task is tofind which subsets of the a i sums up to b . This is an instanceof the knapsack problem, which is known to be nondeterminis-tic polynomial time complete (NP-Complete). This problem isdi ffi cult for the eavesdropper but easy for the receiver becauseshe have the private key ( A ′ , w ′ and mod m ) i.e. easy knapsack,inverse of multiplier and modular m respectively.To achieve a compromise between speed and security, thevector A of size n can be cut to a small size by a factor of1 / f (i.e. N = n ∗ (1 / f )) without changing the size of X ( i.e.n). Since the size of A is reduced but the size of X remainsunchanged, we must allow each x i to take on values from theset { f -1 } . These modifications are possible if thedesigner performs the following steps. Preprint submitted to Elsevier January 13, 2018 . The designer chooses a superincreasing vector A ′ = ( a ′ , a ′ , ..., a ′ N ). Let, N = n ∗ (1 / f )2. Select a modular m > P Ni = a ′ i .3. Choose a multiplier w in between 1 and m -1 so that ( w , m )must be co-prime.4. Generate a vector A of size N as a , a , ..., a N (here, a i = w ∗ a ′ i mod m ).5. Publicize the vector A .It is clear from the above steps that the result of modifica-tion is a reduction in the volume of transmitted data withoutchanging the size of vector X . As a result, the time required fortransmitting data is reduced by a factor of 1 / f. However, an im-portant fact is that the complexity of solving trapdoor knapsack A is remains unchanged by allowing the above modification.If the size of vector X is 96 and f = = / =
12, thatallows each x i to take on values from the set { } .Actually, the knapsack cipher 0 /
255 is ( A ′ ) and the trapdoorknapsack is ( A ) in the captioned paper “The improvement ofthe knapsack cipher” proposed by Pham [1].
3. Comments on the Knapsack Cipher 0 / It is noteworthy that the knapsack problem is more general.In fact, the knapsack-based cryptosystem is a specific instanceof the knapsack problem that is called integer partitioning prob-lem.During critical analysis of Merkle and Hellman paper[2], weobserved an important fact in section V (Compressing the Pub-lic File). n =
100 is the bottom end of the usable range for securesystem. But, to maintain a balance between speed and security,the vector X must be 100 bits long while n can be reduced tosay 20 ( N = / x i to take on values in the set {
0, 1, 2,...,31 } insteadof { } . However, the original equation 1 must be modified toequation 2. a ′ i > i − X j = a ′ j (1) a ′ i > ∗ i − X j = a ′ j (2) Example :Transmitting 20 Kbits on a low-speed 300 bit / sec takes morethan a minute. But if the transmitted data is reduced by a factorof 8 to about 2.5 Kbits. Then, the transmission process willtakes less than 8 seconds. This is accomplished by reducing thenumber of a i to 12 elements . Since the size of vector X is 96,then for each element a i , we must reserve 8 bits in vector X i.e.each x i to take any values in 0 to 255 (2 −
1) . If the reductions in number of a i is represented by N and the size of vector X is 96. then N = / = Let n is the length of vector X .Case-I: If the length of publicized vector A keep same as thelength of the vector X { x i ∈ , } , then trapdoor knapsack A canbe solved in time O(2 n ).e.g. Let, length( X ) = length( A ) =
96 and x i ∈ { , } . Then, thetime required for searching solution exhaustively = O(2 ).Case-II: If the length of publicized vector A is reduced as(1 / f)*length( X ), then x i ∈ { , , , ..., f − } . As a result, thetrapdoor knapsack A can be solved in time O((2 f ) N ), here N = n ∗ / f .e.g. Let, length( X ) =
96 and x i ∈ { , , ..., } , then N =
12. However, the time taken for searching solutionexhaustively = O((2 ) ).From Case-I and Case-II, it is clear thatO(2 ) = O((2 ) ) = O(256 )In general: O(2 n ) = O(256 N ).where N = n /
8, i.e. the reduction in number of elements by 1 /
4. Conclusion
The author of [1] has defined a “super-increasing vectorlevel 2” as V ′ = ( v , v , ..., v n ). If we keep the length ofpublicized vector V and the vector X is the same, but, since x i ∈ { , , ..., } , such a knapsack cryptosystem is practicallynot possible. In the knapsack cipher 0 / V is reduced to a factor(1 / f), then it results in a hike for speedby a factor(f). An important fact is that even the transmissionspeed will be improved, the e ffi ciency of solving trapdoor knap-sack remains the same. We would like to add some more factsis that the first serious attack on the basic version of Merkleand Hellman cryptosystem was mounted by shamir in 1984 [3]by exploiting the special structure of the sequence of knapsack.The basic tool for analysis was sawtooth curves (function of Va i ( mod m )). In which, accumulation points of the minima of l sawtooth curves is found by dividing both coordinates of thecurve by modular m . In this way, we get the sawtooth curveof the function of Va i ( mod m and 0 ≤ V <
1, the attack is applicable to anyknapsack cipher 0 / f . References [1] Pham, T.A.. The improvement of the knapsack cipher. Computer Com-munications 2011;34(3):342–343.[2] Merkle, R., Hellman, M.. Hiding information and signatures in trapdoorknapsacks. Information Theory, IEEE Transactions on 1978;24(5):525–530.
3] Shamir, A.. A polynomial-time algorithm for breaking the basicmerkle-hellman cryptosystem. Information Theory, IEEE Transactions on1984;30(5):699–704.[4] Wang, B., Wu, Q., Hu, Y.. A knapsack-based probabilistic encryptionscheme. Information Sciences 2007;177(19):3981–3994.[5] Murakami, Y., Katayanagi, K., Kasahara, M.. A new class of cryptosys-tems based on chinese remainder theorem. In: Information Theory andIts Applications, 2008. ISITA 2008. International Symposium on. IEEE;2008, p. 1–6.[6] Peng, L., Hu, L., Xu, J., Xie, Y., Zuo, J.. Analysis of two knapsackpublic key cryptosystems. IET Communications 2013;7(15):1638–1643.[7] Shor, P.W.. Polynomial-time algorithms for prime factorization and dis-crete logarithms on a quantum computer. SIAM journal on computing1997;26(5):1484–1509.[8] Hamilton, S.. E-commerce for the 21st century. Computer 1997;30(5):44–47.3] Shamir, A.. A polynomial-time algorithm for breaking the basicmerkle-hellman cryptosystem. Information Theory, IEEE Transactions on1984;30(5):699–704.[4] Wang, B., Wu, Q., Hu, Y.. A knapsack-based probabilistic encryptionscheme. Information Sciences 2007;177(19):3981–3994.[5] Murakami, Y., Katayanagi, K., Kasahara, M.. A new class of cryptosys-tems based on chinese remainder theorem. In: Information Theory andIts Applications, 2008. ISITA 2008. International Symposium on. IEEE;2008, p. 1–6.[6] Peng, L., Hu, L., Xu, J., Xie, Y., Zuo, J.. Analysis of two knapsackpublic key cryptosystems. IET Communications 2013;7(15):1638–1643.[7] Shor, P.W.. Polynomial-time algorithms for prime factorization and dis-crete logarithms on a quantum computer. SIAM journal on computing1997;26(5):1484–1509.[8] Hamilton, S.. E-commerce for the 21st century. Computer 1997;30(5):44–47.