2. Lecture 10: Knapsack Problems and Public Key Crypto Wayne Patterson SYCS 654 Spring 2010

3. The Classical Knapsack Problem Easily enough stated, this problem is one that turns out to be extremely difficult. First, in English: I have a knapsack, and I know it (or I) can carry W pounds. I have a bunch of things I would like to take on a trip that weigh w 1, w 2, w 3, …, w n pounds. The problem: Is there a subset of the {w 2, w 3, …, w n } that will add exactly to W, in other words, that will allow me to carry the maximum possible weight.

4. Knapsack = Subset Sum Sometimes this problem is also called the “subset sum” problem. Sometimes we are lucky and can find a very quick solution to the problem. For example, with knapsack weight W, and objects that weigh { 1, 2, 4, 8, 16, 32, …, 2 n }, we can answer the question very easily.

5. The “Easy” Knapsack Sets For the example given previously, of weights { 1, 2, 4, 8, 16, 32, …, 2 n }, the solution to the knapsack problem is unique. For every 0  W  2 n+1 – 1, there is a unique solution, and for W  2 n+1, there is no solution.

6. Easy Knapsacks Proof: (Binary string argument). For W  2 n+1 – 1, W has a binary representation with n+1 bits. E.g., if n+1 = 4, 2 n+1 – 1 = 15, and W is represented as 1111 (binary). For arbitrary W  2 n+1 – 1, represent W as a binary --- then all the weights corresponding to a 1-bit position can exactly fit into the knapsack.

7. Example Suppose the knapsack set is {1, 2, 4, 8, 16, 32, 64, 128} and W = 173. (W can go up to 255.) Express W in binary: 173 = 10101101 2. Then the weights corresponding to the 1- bits will add to W: 1 0 1 0 1 1 0 1 128 + 32 + 8 + 4 + 1 = 173

8. Super-increasing Knapsack Sets Of course, in the preceding example, there will NOT be a solution to the knapsack problem if W > 255. There is a more general class of “easy” knapsack problems, and basically the same algorithm will apply. We will call this class of problems the “super-increasing knapsack sets”.

9. Super-increasing … Suppose now we have a set of weights with the property that each weight is greater than the sum of the weights of all of its predecessors in order: w 2 > w 1 w 3 > w 1 + w 2 w 4 > w 1 + w 2 + w 3 and so on …

10. Solving the Super-increasing knapsack problem Let’s take as an example a set of weights: ◦ { 3, 7, 19, 35, 72, 155, 367, 984 } And suppose W = 1230. The algorithm for solution is: set x = W, process the weights in descending order, if the weight is less than or equal the current value of x, subtract it and remember the weight. After you have processed all the weights, if you have a remainder of 0, you have a solution. If the remainder is not zero, there is no solution.

11. The Computation x = 1230 (984 < x, subtract it) 984 x = 246 (367 > x, don’t subtract) (155 < x, subtract it) 155 x = 91 (72 < x, subtract it) 72 x = 19 (35 > x, don’t subtract) (19  x, subtract it) 19 x = 0, done. So the solution is: { 984, 155, 72, 19 }

12. General Knapsacks So we’ve looked at the easy cases, where there is a fast algorithm to determine a solution. Unfortunately, MOST knapsack sets are not nearly so nice. Consider: { 347, 356, 387, 401, 422, 461, 479, 521 } and W = 1635.

13. Brute Force Now for this small a knapsack set (with only 8 weights), we can solve the problem by brute force. This means one sum calculation for every subset of the knapsack set. Since a set with cardinality n has 2 n subsets, we can solve this with 2 n = 256 tries. But if the knapsack had 200 items, our brute force approach would require an estimated 803,469,022,129,495,137,770,981,046,170,58 1,301,261,101,496,891,396,417,650,688 tries.

14. I’m Still Working on it … Unfortunately, despite the centuries that people have thought about this problem, no better solution has been found than brute force. If you have studied complexity theory, you would know that the knapsack problem falls into the category of the most intractable problems, the category called NP-Complete.

15. What’s That Got to Do with PKC? Shortly after Diffie and Hellman (1976) described the concept of Public-Key Crypto with a public and private key, Merkle and Hellman proposed the use of the knapsack problem to create a Public Key Cryptosystem.

16. The Merkle-Hellman Knapsack PKC First, for my private key, I will define a super- increasing knapsack set. To make it interesting, the knapsack set will have n numbers, n = 100. To make sure the numbers are large enough not to be guessed, define w 1 to be chosen at random in the interval [2 100, 2 101 -1]; then each successive w i will be in the interval [2 100+i-1, 2 100+i -1]; in this way we guarantee that the knapsack set will have the super-increasing property.

17. More Private Key then Public So now we have our “easy” set {w 1, …, w 100 }, and next we find a prime number p > 2 201 (thus larger than the sum of all the w i ’s, and choose at random some m < p, and also compute m -1 (mod p). Now create a “hard” knapsack set {w 1 *, …, w 100 * } by computing w i * = m * w i (mod p). The public key is the “hard” knapsack set {w 1 *, …, w 100 * }

18. Encryption and Decryption As we well know, every user creates his or her public key and publishes it. So to send a message of length 100 bits to a user, find his or her public knapsack, and add up the numbers corresponding to the 1-bits in the message. I.e., if the message is m = b 1 …b 100, (b for bits), the encryption is: b 1 × w 1 * + b 2 × w 2 * + … + b 100 × w 100 * = c (which is just a sum of some subset …) now send c.

19. Decryption When I receive c, I multiply it by m -1 and reduce mod p. This gives: m -1 × (b 1 × w 1 * + b 2 × w 2 * + … + b 100 × w 100 *) = b 1 × m -1 × w 1 * + b 2 × m -1 × w 2 * + … + b 100 × m -1 × w 100 * = b 1 × w 1 + b 2 × w 2 + … + b 100 × w 100 Which is now a knapsack problem in our easy set, so solve it to get the values of the b i and therefore the message

20. Example Easy = { 1, 3, 7, 13, 26, 65, 119, 267} The complete sum is 501, choose p = 523 and m = 467. Then m -1 = 28. The hard knapsack set, or public key, will be 1 × 467 (mod 523), 3 × 467 (mod 523), etc. or: Hard = Public = {467, 355, 131, 318, 113, 21, 135, 215}

21. Encrypt the Bitstring 01001011 The encryption is: c = 0 × 467 + 1 × 355 + 0 ×131 + 0 × 318 + 1 × 113 + 0 × 21 + 1 × 135 + 1 × 215 = 355 + 113 + 135 + 215 = 818 To decrypt, multiply c × m -1 (mod p) = 818 × 28= 415 (mod p).

22. If That was the end of the story … But unfortunately it isn’t. Within a few years, it was discovered that Merkle Hellman knapsack systems were eminently breakable. And not only the Merkle Hellman systems, but any knapsack approach that depended on numbers in the knapsack set growing very fast. So the crypto community fell out of love with knapsacks.

23. But there was one knapsack approach left standing … Let’s just remember good old Blaise Pascal and his triangle …

25. Excursions in Computation Wayne Patterson Professor of Computer Science Howard University (wpatterson@howard.edu) SYCS Colloquium Series, March 26, 2010 24

26. 25

27. 26 Pascal PK Crypto Goldbach ??????

28. The author is reminded of the old expression: “Something old, something new; something borrowed, something blue.” Although reluctant to suggest a presentation anything like a wedding ceremony, he will look anew at some old computational concepts involving the Pascal triangle; something new (to many) in a related application revisiting a public key crypto chestnut; borrowing some ideas from what is now usually described as “experimental mathematics”. Something blue? You’ll have to wait and see. 27

29. 1 11 121 1331 14641 1510 51 1615201561 172135 2171 18285670562881

30. You will recall that each row in the Pascal triangle is the sequence of coefficients in the expansion of Starting with the 0 th row, (x+y) 0 = 1 And the kth element in the nth row being 29

31. Often the best mathematical insights come from an ability to visualize the same phenomenon from multiple perspectives. To illustrate this point, I am going to describe an example wherein the same underlying principle will have three separate expressions: one in a geometric representation, one in a combinatorial representation, and one in a binary string representation. 30

32. 31

33. 1 11 121 1331 14641 1510 51 1615201561 172135 2171 18285670562881 32

34. Consider a mouse that finds itself at the cornerstone of the parallelogram. The mouse, whose name is “One”, wishes to escape to freedom by emerging from the top. When the mouse moves up and to the right, the number “bypassed” is added to the mouse’s value (starting at One!). If the mouse moves up and to the left, nothing is added. 33

35. 1 11 121 1331 14641 1510 51 1615201561 172135 2171 18285670562881 34 The sequence of moves: Lets the mouse escape with a value of 1 + 35+20 + 10 + 4 = 70.

36. 1 11 121 1331 14641 1510 51 1615201561 172135 2171 18285670562881 35 The sequence of moves: Lets the mouse escape with a value of 1 + 15+10 + 3+ 2 = 31.

37. could be written more compactly by representing an “up to the right” by a “1” and “up to the left” by “0”. The result of this is a bitstring, and so the figure on the left becomes: 01101100 Since each mouse move goes up by one row, all successful paths are of length 8 And to go out the top, the mouse must make an equal number of “up rights” and “up lefts” So our bitstring will be always of length 8 with 4 1-bits. 36

38. Clearly there is a 1-1 correspondence between paths that escape through the top and bitstrings of length 8 with 4 1- bits. How many paths? How many such bitstrings? Each such bitstring results from picking 4 positions out of 8 But this is the definition of 37

39. PBJ Let P = set of all paths through the parallelogram Let B = set of all bitstrings of length 2n with n 1-bits Let J = subset of N, natural numbers, = 38

40. 39  = Use the bits to tell the mouse where to go  = Track the mouse move ments with bits  = Add the path value s      We just need , since then the last piece will be   

41. Track back through the parallelogram.  (52) = 40 01 11 121 1331 14641 510 5 152015 35 70 1 + 35 + 10 + 6 + 0 = 52

42. 41

43. Knapsacks are dead for public key crypto, or mostly dead … As Billy Crystal said in the “Princess Bride”: “mostly dead is partly alive” … All the knapsacks previously studied were “low-density” Methods of Brickell, Lagarias and Odlyzko depended on this density So here’s a knapsack modelled on the Pascal parallelogram That can’t be attacked by the low- density methods 42

44. For the first row, choose a number pseudorandomly in the interval [1,2 200 ]. Second row: Each element pseudorandomly between [2 200 +1,2 201 ] For each succeeding row (i), let the kth element be chosen pseudorandomly in the interval Create 200 rows As with traditional knapsacks, find a large prime p and a multiplier m, and multiply each element in the parallelogram by m mod p. 43

45. The public key is the transformed parallelogram The private key is the original parallelogram, as well as m. 44

46. 45

47. In recent years, a number of mathematicians have worked to develop new ways of thinking about their subject. These approaches, often described as "experimental mathematics," were simply not available to earlier generations of mathematicians, because they depend upon the ability to analyze the results of computations made feasible by appropriate mathematical software tools in order to formulate previously unthinkable hypotheses. 46

48. Number Theory ◦ Purest branch of mathematics ◦ Open problems can be explained to a non-mathematician ◦ Among the most difficult to solve As Jim Arthur has said: ◦ “Andrew Wiles’s proof of Fermat’s Last Theorem, in a way that we would not have expected, caught people’s imagination. Books like the one on John Nash, A Beautiful Mind, have also brought a good deal of attention to mathematics. And of course in movies, mathematics has been chic in the last five or ten years.” 47

49. We will look at two of the classical computational number theoretic problems: Goldbach conjecture n 2 +1-prime conjecture 48

50. One of the greatest remaining conjectures in elementary number theory is the Goldbach conjecture, which in its most often quoted form is: “Every even positive integer≥4 is the sum of two prime numbers” 49

51. “Every prime number > 11 is the sum of two composite numbers.” I have been able to prove the Goldfinger Conjecture! 50

52. Given any prime number p > 11, Either p  1 (mod 3) or p  2 (mod 3). If p  1 (mod 3), then p = 3k + 1 = 3(k-1) + 4 = 3*(k-1) + 2*2 If p  2 (mod 3), then p = 3k + 2 = 3(k-2) + 8 = 3*(k-2) + 2*4. Q. E. D. 51

53. (a) Patterson will be heading to Norway for the next Abel Prize ($980,000) or (b) The result will be formally announced on 01.04.2010 (European convention) 52

54. There was briefly a $1M prize for solving the Goldbach Conjecture Needless to say, it wasn’t claimed, and it’s now closing in on 200 years without solution Among the people who have recently looked at the Goldbach Conjecture is John Nash Also my Op-Ed in the Washington Post at the time of the release of “A Beautiful Mind”, regarding my interactions with him in my Princeton days, and other musings. 53

55. My interest has been to try to determine the difficulty of finding primes that add to a given, pseudo-randomly selected even number of varying magnitudes. For a given n = 4k+1, where k is odd, the first approach to the question involves testing the numbers 2k-1 and 2k+1 for primality. 54

56. maxbyexp=Table[0,{m,1,37},{n,1,2}]; Do[top=10^l; resul=Table[0,{i,1,500},{j,1,4}]; Do[od = 2*Random[Integer,{1,top/2}]+1; ev = 2*od; p = ev/2 +2;q=ev/2-2;i=1; While[(!(PrimeQ[p]&&PrimeQ[q])&&(p>0)),p=p-2;q=q+2; i=i+1]; resul[[k]]={i,ev,p,q},{k,1,500}];MatrixForm[resul];tr = Transpose[resul]; Print["For exponent ",l,", the largest i is ",Max[tr[[1]]]]; maxbyexp[[l-3]]={l,Max[tr[[1]]]},{l,4,40}]; Print[MatrixForm[maxbyexp]]; ListPlot[maxbyexp] 55

57. 56

58. 57

59. Maximum number of tests is 457 for a number of magnitude 10 96 Vs. 41,177 (for 2k-1,2k+1) and 46,317 for random odd numbers There is also a result that the maximum number of tests up to 10 14 is 735. 58

60. 59

61. Given the seeming efficiency of finding Goldbach pairs using lists of small primes, I wondered whether, given a selected interval of consecutive even numbers, the complete set of members in that interval could be covered by Goldbach pairs using the small primes And, if so, how large an interval, at what starting point, and using how large a list of small primes … 60

62. 61

63. 62

64. 63

65. 64

66. This number theoretic conjecture asserts that there are an infinite number of primes of the form n 2 +1. 1 2 + 1 = 2 2 2 + 1 = 5 4 2 + 1 = 17 6 2 + 1 = 37 10 2 + 1 = 101 14 2 + 1 = 197… 65

67. It might be noted that the first case where n 2 +1 is not prime for n even is 8 2 + 1 = 65, and that in general, n 2 + 1 will never be prime if n=2 (mod 10) or n=8 (mod 10), for n=8, since the last digit of n 2 will be 4, and the last digit of n 2 +1 will be 5. Thus we can limit ourselves to considerations for n, for n 2 +1 to be prime, to be n=0, 4, or 6 (mod 10). 66

68. As before, we selected numbers at random of varying magnitudes up to 10 500, and tested the values of n 2 +1 for primality 67

69. 68

70. Numbers of the form n 4 +1 form a proper subset of those of the form n 2 +1 Since numbers of the form n 4 +1 are more spread out along the number line than those of the form n 2 +1, it would be reasonable to expect that it would be harder to find primes of the form n 4 +1. 69

71. 1: Number of tries to find an n 2 +1- prime 2: Number of tries to find an n 4 +1- prime 3: Number of tries to find an n 8 +1- prime (abc): Least number of tries is a, second least b, most c. 70

72. Order /Test (123)(132)(213)(231)(312)(321) Total Cases 1161112291022100 21581828823100 310914251626100 415817291021100 71

73. To delve further into this, I thought selecting a specific sequence of n’s would be interesting in trying to find a sequence of primes (or composites). I was led to the sequence ◦ {10 k + 1 | k= 1, 2, …} ◦ 10000000000000 …… 0000000000000001 72

74. Observation 1: 10 k +1 is prime if k=1 or 2. Observation 2: 10 k +1 is divisible by 11 (and therefore composite) if k is positive and odd. (Use the old trick of computing the sum of the digits in the odd and even positions; if their difference is divisible by 11, so is the number.) Observation 3: 10 k +1 is composite (k>1) if k is not a power of 2. E.g. (10 14 + 1) = (10 2 + 1)(10 12 – 10 10 + 10 8 – 10 6 + 10 4 – 10 2 + 1) 73

75. In studying three well-known number- theoretic outstanding conjectures, we are able to discover some unexpected phenomena, and thus shed new light on these classical problems. Furthermore, these investigations are accessible to undergraduate mathematics students. 74

76. 75

77. This is Larry Bowa 76 He is the third-base coach for the Los Angeles Dodgers He wears blue He has a cryptosystem http://www.youtube.com/watch?v=x-S-eeInJVk&NR=1

78. An Important Cryptanalysis Financial share for World Series Winners (2008) = $18,417,358. Bowa communicates one of 9 signals to a runner or a batter: Plaintext = { Steal, Hold, StealOnOverflow, Take, Bunt, Swing, HitAndRun, RunAndHit, SqueezeBunt } 77

79. Base Coach Signals Signals have two components, typically: A number of body movements, BODY = {Belt, Clap, Hat, Leg, Nose, Shoulder, Wipe } And a “hot sign” ε [1, 10] So the key space is KEY = { (x, y) | x ε [1,10], y ε BODY } 78

80. Frequency of Occurrences in a Game 79 Situat ion/P lay StealHoldSteal OnOv erthr ow TakeBuntSwin g HitAn dRun RunA ndHit Sque eze 1 st, 2 nd, 1 st and 2nd 116 78116 3 rd, < 2 out 32 2-0, 3-0, 3-1 count s 64

81. Cryptanalysis Map succeeding signals in situation: runner on 1 st, 39% of time, or 116 times/game. Example: 80 12345678910 Shoul der BeltWipeBeltClapNoseBeltClapHatNose 12345678910 BeltWipeBeltClapShoul der HatBeltNoseWipeLeg

82. With One “Fixed Point”… Can exactly determine key with two readings. Number of messages = | KEY | = 7 10 = (6+1) 10 = 6 10 + 10 x 6 9 + 45 x 6 8 + 120 x 6 7 + … + 10 x 6 + 1 # of messages with 1 fixed point = 10 x 6 9 = 100,776,960 # of messages with ≥ 1 fixed point = 7 10 x 6 10 = 181,698,289 81

83. Probabilities Probability of exactly 1 fixed point = 0.555 Probability of more than 1 fixed point = 0.445 Probability of exactly 1 fixed point in 3 pitches = 1 – (0.445) 3 = 0.912 Probability of exactly 1 fixed point in 4 pitches = 1 – (0.445) 6 = 0.992 82

84. References Agrawal, M., N. Kayal and N. Saxena, PRIMES in P, (August 2002), http://www.cse.iitk.ac.in/users/manindra/primality.ps or http://www.cse.iitk.ac.in/news/primality.pdf. Bailey, David H. and Jonathan M. Borwein, Experimental Mathematics: Examples, Methods, and Implications, Notices of the American Mathematics Society, vol. 52, no. 5, May 2005, pp. 502-514. Brickell, E. F., "Solving low density knapsacks," Advances in Cryptology-Proc. Crypto 83, Plenum Press, New York, 1984, pp. 25-37. Chen, J.-R. and T.-Z. Wang, On the Goldbach Problem, Acta Math. Sinica 32, 1918, pp. 702-718. Cooper, Rodney H., Hunter-Duvar, Ron, and Patterson, Wayne, A More Efficient Public-Key Cryptosystem Using the Pascal Triangle, ICC `89, Boston, June 1989, pp. 1165-1169. Klamkin, M. S., Problem 63—12, SIAM Review, 5 (1963) 275-276. Lagarias, J. C. and A. M. Odlyzko, "Solving Low Density Subset Sum Problems," J. Assoc. Comp. Mach., vol. 32, 1985, pp. 229-246. Proc. 24th IEEE Symposium on Foundations of Computer Science, IEEE, 1983, pp. 1-10. Patterson, Wayne, An Exploration in ‘Experimental Mathematics’: Computing the Determinant Function, Proceedings of the Mid- Atlantic Consortium for Research in Mathematical Sciences, Ocean City, MD, 2004, to appear. Patterson, Wayne, “Experimentation in Computational Number Theory,” Proceedings of the Mid-Atlantic Consortium for Research in Mathematical Sciences, Orlando, FL, June 2005. Patterson, Wayne, Mathematical Cryptology, Rowman and Littlefield, 318 pp., 1987. Presidential Views: Interview with James Arthur, Notices of the American Mathematics Society, vol. 52, no. 3, March 2005, pp. 350-352. Richstein, J., Verifying the Goldbach Conjecture up to 4 ▪ 10 14, Math. Comp. 70:236 (2001) 1745-1749.. 83