The first problem that makes the public encryption method possible is the so called Knapsack Problem.
Mathematicians are interested in this problem even without its cryptography applications. The task is to put many different small items into a knapsack but we would like to have it as full as possible so we need an algorithmic method for deciding what to put into the knapsack.
It is clear even for the first reading that if we have many items and a large knapsack we will need long time for coming up with an optimal solution.
Formally, let be a vector containing positive integers and also a positive integer. We need to determine a set of values such that their sum is . We can surely get the result by the trial and error method so we need at most attempts. In case of 10 items it takes only 1024 checks. However, for 300 pieces we already face a “difficult” problem.
Knapsack
For cryptography applications we definitely need a case of the Knapsack Problem for which the packing is simple. We can imagine such a convenient situation.
Let each item be of such a size that the sum of the preceding items in the list fit in but does not fully fill. In this case the packing is simple. We need to take the biggest possible item that fits into the knapsack. It is clear that if we leave out this one, all the remaining can fill up only less amount of space. Then for the remaining available space we take again the biggest available item and we continue similarly. In a few steps it becomes whether an exact packing is possible or not.
In 1982 Ralph Merkle constructed a public key cipher method based on the Knapsack problem. He bet 1000 dollars that the code is unbreakable.
For the more exact treatment we need the definition of super-increasing vectors. In the followings we assume that the lowercase letters indicate positive integers.
Let the vector be super-increasing, if all elements of the vector is greater than the sum of preceeding elements, i.e.
Let’s see now the underlying idea. For the sake of simplicity we assume that we would like to encrypt the pairs of symbols and we have a super-increasing vector of size 10, .
Let symbol correspond to and to . Similarly for other symbols of the alphabet we use the 5 bit binary representation of the code number of the letter. Thus for the pair we have the
vector.
Next we calculate the dot product of and . Clearly, only those components of the super-increasing vector contribute to the product that have a corresponding 1 in the other vector. Therefore we get an integer number, from which only those could get back the encrypted message, who know which components of the vector are in the sum. Then we can give a bitvector, in which we have a 1 if the corresponding element of is in the sum, 0 otherwise. After that, reconstructing the message is just a simple decoding step.
For super-increasing vectors this task is a simple one. Following the previously mentioned method in the general case we can do the following. Given an super-increasing vector and assuming that the coded message (consisting of 0s and 1s) is exactly an dimensional rowvector. Let’s denote the value of the dot product by . Deciphering then goes this way: we check whether the inequality holds or not. If yes, then last component of the vector is a 1, if not, then that component is a 0. Then is defined by
Continuing similarly to we get the 1s and 0s. These are going to be the coded symbols. Decoding can be done easily by a lookup table.
Clearly, if the vector is public then encryption is very easy. From now on we talk about the solution of the problem when we decompose an number as a sum of the components in the vector.
The trouble is that the encryption is also very easy for the illegal user as well, and that contradicts our goals.
We have to investigate how we can “damage” the vector in a way that it does not look super-increasing any more, but we can reconstruct the original vector. This would fulfill the aim of public key coding since decomposing a number over an arbitrary number is indeed a very difficult problem, given that the components are big enough and there are sufficiently many of them.
Knapsack
These informally defined notions mean that we need to choose a vector such that selecting the components for the sum would take disproportionally long time. For the illegal user it is difficult, but for the person knowing the super-increasing vector it is very is easy to calculate the solution by using the previous method.
Let choose a natural number such that
This is obviously much bigger than any since was a super-increasing vector. Let be a natural number such that . We call the modulus and the multiplier.
From the choice of it follows that there exists a natural number such that
After these choices we calculate products and reduce them , thus we get values . The resulting vector is then a public key. is not super-increasing, therefore despite knowing the public key decryption is still troublesome.
The series of operations on the vector is called strong modular multiplication with respect to and . The secret trapdoor consists of the and values. With these the legal user can easily get the vector from . At the same time the “preimage” can also be calculated from the value yielded by the encryption process.
This then can be deciphered based on . To show the correctness and the usage of the method we have the
The Knapsack problem has at most 1 solution.
3.
If there is a solution for the problem, then it is the same as the solution for . Proof. The first statement are obvious from the algorithm given above.
For the third statement let’s suppose that there exists an -bit vector which is a solution for the problem, i.e. . Thus
Since is greater than the component sum of the inequality holds. Moreover also holds due to the definition of . Clearly follows, which means that is the same as the unique solution of the problem. This proves the second statement as well. □
Knapsack
Ralph Merkle lost the 1000 dollar bet. Adi Shamir immediately broke one version of the code, but this was not enough for winning.
Adi Shamir
In 1985 Ernest Brickell succeeded to find a quick algorithm for the Knapsack problem, therefore he succeeded to break the previously described cipher method.