1 / 83

Lecture 10: Knapsack Problems and Public Key Crypto

Lecture 10: Knapsack Problems and Public Key Crypto. Wayne Patterson SYCS 654 Spring 2010. The Classical Knapsack Problem. Easily enough stated, this problem is one that turns out to be extremely difficult.

cutter
Download Presentation

Lecture 10: Knapsack Problems and Public Key Crypto

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lecture 10: Knapsack Problems and Public Key Crypto Wayne Patterson SYCS 654 Spring 2010

  2. The Classical Knapsack Problem • Easily enough stated, this problem is one that turns out to be extremely difficult. • First, in English: I have a knapsack, and I know it (or I) can carry W pounds. I have a bunch of things I would like to take on a trip that weigh w1, w2, w3, …, wn pounds. • The problem: Is there a subset of the {w2, w3, …, wn} that will add exactly to W, in other words, that will allow me to carry the maximum possible weight.

  3. Knapsack = Subset Sum • Sometimes this problem is also called the “subset sum” problem. • Sometimes we are lucky and can find a very quick solution to the problem. • For example, with knapsack weight W, and objects that weigh { 1, 2, 4, 8, 16, 32, …, 2n }, we can answer the question very easily.

  4. The “Easy” Knapsack Sets • For the example given previously, of weights { 1, 2, 4, 8, 16, 32, …, 2n }, the solution to the knapsack problem is unique. • For every 0 W  2n+1 – 1, there is a unique solution, and for W  2n+1, there is no solution.

  5. Easy Knapsacks • Proof: (Binary string argument). For W  2n+1 – 1, W has a binary representation with n+1 bits. E.g., if n+1 = 4, 2n+1 – 1 = 15, and W is represented as 1111 (binary). • For arbitrary W  2n+1 – 1, represent W as a binary --- then all the weights corresponding to a 1-bit position can exactly fit into the knapsack.

  6. Example • Suppose the knapsack set is {1, 2, 4, 8, 16, 32, 64, 128} and W = 173. (W can go up to 255.) • Express W in binary: 173 = 101011012. Then the weights corresponding to the 1-bits will add to W: 1 0 1 0 1 1 0 1 128 + 32 + 8 + 4 + 1 = 173

  7. Super-increasing Knapsack Sets • Of course, in the preceding example, there will NOT be a solution to the knapsack problem if W > 255. • There is a more general class of “easy” knapsack problems, and basically the same algorithm will apply. We will call this class of problems the “super-increasing knapsack sets”.

  8. Super-increasing … • Suppose now we have a set of weights with the property that each weight is greater than the sum of the weights of all of its predecessors in order: • w2 > w1 • w3 > w1 + w2 • w4 > w1 + w2 + w3 and so on …

  9. Solving the Super-increasing knapsack problem • Let’s take as an example a set of weights: • { 3, 7, 19, 35, 72, 155, 367, 984 } • And suppose W = 1230. • The algorithm for solution is: set x = W, process the weights in descending order, if the weight is less than or equal the current value of x, subtract it and remember the weight. After you have processed all the weights, if you have a remainder of 0, you have a solution. If the remainder is not zero, there is no solution.

  10. The Computation • x = 1230 • (984 < x, subtract it) • 984 • x = 246 • (367 > x, don’t subtract) • (155 < x, subtract it) • 155 • x = 91 • (72 < x, subtract it) • 72 • x = 19 • (35 > x, don’t subtract) • (19  x, subtract it) • 19 • x = 0, done. So the solution is: { 984, 155, 72, 19 }

  11. General Knapsacks • So we’ve looked at the easy cases, where there is a fast algorithm to determine a solution. • Unfortunately, MOST knapsack sets are not nearly so nice. Consider: • { 347, 356, 387, 401, 422, 461, 479, 521 } and W = 1635.

  12. Brute Force • Now for this small a knapsack set (with only 8 weights), we can solve the problem by brute force. This means one sum calculation for every subset of the knapsack set. Since a set with cardinality n has 2n subsets, we can solve this with 2n = 256 tries. • But if the knapsack had 200 items, our brute force approach would require an estimated • 803,469,022,129,495,137,770,981,046,170,581,301,261,101,496,891,396,417,650,688 tries.

  13. I’m Still Working on it … • Unfortunately, despite the centuries that people have thought about this problem, no better solution has been found than brute force. • If you have studied complexity theory, you would know that the knapsack problem falls into the category of the most intractable problems, the category called NP-Complete.

  14. What’s That Got to Do with PKC? • Shortly after Diffie and Hellman (1976) described the concept of Public-Key Crypto with a public and private key, • Merkle and Hellman proposed the use of the knapsack problem to create a Public Key Cryptosystem.

  15. The Merkle-Hellman Knapsack PKC • First, for my private key, I will define a super-increasing knapsack set. • To make it interesting, the knapsack set will have n numbers, n = 100. To make sure the numbers are large enough not to be guessed, define w1 to be chosen at random in the interval [2100, 2101-1]; then each successive wi will be in the interval [2100+i-1, 2100+i-1]; in this way we guarantee that the knapsack set will have the super-increasing property.

  16. More Private Key then Public • So now we have our “easy” set {w1, …, w100 }, and next we find a prime number p > 2201 (thus larger than the sum of all the wi’s, and choose at random some m < p, and also compute m-1 (mod p). • Now create a “hard” knapsack set {w1*, …, w100* } by computing • wi* = m * wi (mod p). • The public key is the “hard” knapsack set {w1*, …, w100* }

  17. Encryption and Decryption • As we well know, every user creates his or her public key and publishes it. So to send a message of length 100 bits to a user, find his or her public knapsack, and add up the numbers corresponding to the 1-bits in the message. I.e., if the message is m = b1…b100, (b for bits), the encryption is: • b1 × w1* + b2× w2* + … + b100× w100* = c • (which is just a sum of some subset …) now send c.

  18. Decryption • When I receive c, I multiply it by m-1 and reduce mod p. This gives: • m-1× (b1 × w1* + b2 × w2* + … + b100 × w100*) = • b1 × m-1 × w1* + b2 × m-1 × w2* + … + b100 × m-1 × w100* = • b1 × w1+ b2 × w2+ … + b100 × w100 • Which is now a knapsack problem in our easy set, so solve it to get the values of the bi and therefore the message

  19. Example • Easy = { 1, 3, 7, 13, 26, 65, 119, 267} • The complete sum is 501, choose p = 523 and m = 467. Then m-1 = 28. • The hard knapsack set, or public key, will be 1 × 467 (mod 523), 3 × 467 (mod 523), etc. or: • Hard = Public = {467, 355, 131, 318, 113, 21, 135, 215}

  20. Encrypt the Bitstring 01001011 • The encryption is: • c = 0 × 467 + 1 × 355 + 0 ×131 + 0 × 318 + 1 × 113 + 0 × 21 + 1 × 135 + 1 × 215 • = 355 + 113 + 135 + 215 = 818 • To decrypt, multiply c × m-1 (mod p) = 818 × 28= 415 (mod p).

  21. If That was the end of the story … • But unfortunately it isn’t. Within a few years, it was discovered that Merkle Hellman knapsack systems were eminently breakable. And not only the Merkle Hellman systems, but any knapsack approach that depended on numbers in the knapsack set growing very fast. • So the crypto community fell out of love with knapsacks.

  22. But there was one knapsack approach left standing … • Let’s just remember good old Blaise Pascal and his triangle …

  23. Excursions in Computation Wayne Patterson Professor of Computer Science Howard University (wpatterson@howard.edu) SYCS Colloquium Series, March 26, 2010

  24. Something old SOMETHING NEW SOMETHING BORROWED SOMETHING BLUE

  25. Something old Pascal SOMETHING NEW PK Crypto SOMETHING BORROWED Goldbach SOMETHING BLUE ??????

  26. Abstract • The author is reminded of the old expression: “Something old, something new; something borrowed, something blue.” Although reluctant to suggest a presentation anything like a wedding ceremony, he will look anew at some old computational concepts involving the Pascal triangle; something new (to many) in a related application revisiting a public key crypto chestnut; borrowing some ideas from what is now usually described as “experimental mathematics”. Something blue? You’ll have to wait and see.

  27. The Pascal Triangle

  28. How Is It Built? • You will recall that each row in the Pascal triangle is the sequence of coefficients in the expansion of • Starting with the 0th row, (x+y)0 = 1 • And the kth element in the nth row being

  29. Three Perspectives • Often the best mathematical insights come from an ability to visualize the same phenomenon from multiple perspectives. • To illustrate this point, I am going to describe an example wherein the same underlying principle will have three separate expressions: one in a geometric representation, one in a combinatorial representation, and one in a binary string representation.

  30. Something old

  31. The Pascal Parallelogram

  32. A Mouse! • Consider a mouse that finds itself at the cornerstone of the parallelogram. • The mouse, whose name is “One”, wishes to escape to freedom by emerging from the top. • When the mouse moves up and to the right, the number “bypassed” is added to the mouse’s value (starting at One!). • If the mouse moves up and to the left, nothing is added.

  33. The Pascal Parallelogram The sequence of moves: Lets the mouse escape with a value of 1 + 35+20 + 10 + 4 = 70.

  34. Another Example The sequence of moves: Lets the mouse escape with a value of 1 + 15+10 + 3+ 2 = 31.

  35. Alternatively … • could be written more compactly by representing an “up to the right” by a “1” and “up to the left” by “0”. • The result of this is a bitstring, and so the figure on the left becomes: • 01101100 • Since each mouse move goes up by one row, all successful paths are of length 8 • And to go out the top, the mouse must make an equal number of “up rights” and “up lefts” • So our bitstring will be always of length 8 with 4 1-bits.

  36. An Isomorphism(I’ve always loved that word) • Clearly there is a 1-1 correspondence between paths that escape through the top and bitstrings of length 8 with 4 1-bits. • How many paths? How many such bitstrings? • Each such bitstring results from picking 4 positions out of 8 • But this is the definition of

  37. Peanut Butter and Jelly • PBJ • Let P = set of all paths through the parallelogram • Let B = set of all bitstrings of length 2n with n 1-bits • Let J = subset of N, natural numbers, =

  38. A 3-way Isomorphism We just need , since then the last piece will be    P  = Use the bits to tell the mouse where to go  = Add the path values = Track the mouse movements with bits B J   

  39. But  is … • Track back through the parallelogram. (52) = 1 + 35 + 10 + 6 + 0 = 52

  40. Something new

  41. Knapsacks Revisited • Knapsacks are dead for public key crypto, or mostly dead … • As Billy Crystal said in the “Princess Bride”: “mostly dead is partly alive” … • All the knapsacks previously studied were “low-density” • Methods of Brickell, Lagarias and Odlyzko depended on this density • So here’s a knapsack modelled on the Pascal parallelogram • That can’t be attacked by the low-density methods

  42. Create a Pascal-like Parallelogram • For the first row, choose a number pseudorandomly in the interval [1,2200]. • Second row: Each element pseudorandomly between [2200+1,2201] • For each succeeding row (i), let the kth element be chosen pseudorandomly in the interval • Create 200 rows • As with traditional knapsacks, find a large prime p and a multiplier m, and multiply each element in the parallelogram by m mod p.

  43. The Public and Private Keys • The public key is the transformed parallelogram • The private key is the original parallelogram, as well as m.

  44. Something borrowed

  45. Abstract • In recent years, a number of mathematicians have worked to develop new ways of thinking about their subject. These approaches, often described as "experimental mathematics," were simply not available to earlier generations of mathematicians, because they depend upon the ability to analyze the results of computations made feasible by appropriate mathematical software tools in order to formulate previously unthinkable hypotheses.

  46. Computational Number Theory • Number Theory • Purest branch of mathematics • Open problems can be explained to a non-mathematician • Among the most difficult to solve • As Jim Arthur has said: • “Andrew Wiles’s proof of Fermat’s Last Theorem, in a way that we would not have expected, caught people’s imagination. Books like the one on John Nash, A Beautiful Mind, have also brought a good deal of attention to mathematics. And of course in movies, mathematics has been chic in the last five or ten years.”

  47. Three Examples • We will look at two of the classical computational number theoretic problems: • Goldbach conjecture • n2+1-prime conjecture

  48. 1. Goldbach Conjecture • One of the greatest remaining conjectures in elementary number theory is the Goldbach conjecture, which in its most often quoted form is: • “Every even positive integer≥4 is the sum of two prime numbers”

  49. The Less Well-known Goldfinger Conjecture • “Every prime number > 11 is the sum of two composite numbers.” • I have been able to prove the Goldfinger Conjecture!

More Related