KNAPSACK Public-Key Cryptography Algorithms FINITE DEFINITENESS INPUT/OUTPUT GENERALITY


Presentation on theme: "KNAPSACK Public-Key Cryptography Algorithms FINITE DEFINITENESS INPUT/OUTPUT GENERALITY". Presentation transcript:

1 KNAPSACK Public-Key Cryptography
Algorithms: FINITE, DEFINITENESS, INPUT/OUTPUT, GENERALITY, EFFECTIVENESS

2 NP-Complete Problems
So far no good algorithm is known that solves them in polynomial time.
Example: 0/1-Knapsack

7 0/1 Knapsack problem (sum of subset)
Given an integer C and a vector A=(a1,a2,…,an), find a subset of A whose sum is C; that is, find a binary vector M=(m1,m2,…,mn) such that C=M×A^T.
Example: N=5, C=4, and A=(1,10,5,22,3); then M=(1,1,0,0,1).

8 Simple Knapsack Problem
A special case whose solution can be found in linear time.
The elements of vector A are super-increasing, i.e.
Example: N=5, C=14, and A=(1,3,5,10,22); then
m5=0 ---- since 14<22
m4=1 ---- since 14>10
m3=0 ---- since 4<5
m2=1 ---- since 4>3
m1=1 ---- since 1=
M=(1,1,0,1,0)

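9 Merkle-Hellman Knapsack
Convert a Simple Knapsack into a general 0/1 Knapsack:
Choose a Simple Knapsack A=(a1, a2, …, an).
Choose an integer u such that u >
Choose an integer e as the encryption key, with e and u relatively prime.
Compute the decryption key d, where e × d = 1 mod u.
Transform A into a general 0/1 Knapsack A': A' = (e × A) mod u.
Public Key = A'
Trapdoor = d and u (A = dA' mod u)
Ciphertext C = M × A'^T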

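10 Merkle-Hellman Knapsack Method (continued)
Decryption steps:
Convert the ciphertext C into a value C' that can be solved as a Simple Knapsack:
C' = d × C mod u = d×M×A'^T mod u = d×M×(e×A^T) mod u = M×A^T
Since A is a Simple Knapsack, M can be found quickly.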

11 Example: Merkle-Hellman Knapsack
Let A=(1, 3, 5, 10), u=20 and e=7; then d=3 and A'=(7, 1, 15, 10).
Let M=13, written in binary as (1,1,0,1).
C = M×A'^T = 7+1+10 = 18
Decryption: C' = 3×18 mod 20 = 14

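12 Security of the Merkle-Hellman Knapsack Method
n=100 was originally suggested, but the Knapsack Problem can be solved in time T=O(2^(n/2)); for n=100, 2^50=10^15.
With one processor this takes about 11574 days, and 1000 processors can finish in 12 days, so for safety take n=200.
Merkle-Hellman suggest using several (e, d) pairs to apply the transformation A'=eA repeatedly.
Although 0/1 Knapsack is NP-complete, this does not mean that the problem obtained by transforming a Simple Knapsack is necessarily NP-complete.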

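13 Graham-Shamir Knapsack Method
Similar to the Merkle-Hellman Knapsack; only the structure of A' is slightly changed.
Aj=(Rj, Ij, Sj), written in binary.
Rj, Sj: random numbers.
Ij: the unit element whose j-th bit is 1 and whose other positions are 0.
Sj: its leading log2(n) bits are 0, to guarantee that no carry occurs.
((In, Sn), (In-1, Sn-1), …, (I1, S1)) is a Simple Knapsack.
d, e, u and A are found the same way as in the Merkle-Hellman Knapsack method.
Advantage: on decryption, M can be read directly from C.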

14 Example: Graham-Shamir Knapsacks
j Rj Ij Sj =a1 =a2 =a3 =a4 =a5
M=(0,1,0,0,1)
C'=M×A^T=a2+a5 =(R2+R5, I2+I5, S2+S5)= which is exactly the plaintext

15 Digital Signatures
‧RSA Digital Signature (R. L. Rivest, A. Shamir, and L. M. Adleman, 1978)
‧ElGamal Digital Signature (T. ElGamal, 1985)
‧Schnorr’s Digital Signature (C. P. Schnorr, 1989)
‧Blind Signature (D. Chaum, 1983)

16 Introduction
Three Basic Services of Cryptography
1. Secrecy (provided by cryptosystems)
2. Authenticity (provided by digital signature scheme)
3. Integrity (provided by digital signature scheme)
Two Famous Digital Signature Schemes
1. RSA Digital signature scheme (based on the factorization problem)
2. ElGamal digital signature scheme (based on the discrete logarithm)

17 Introduction Applications: Blind signature (for electronic commerce)

18 Introduction: The Model of Digital Signature
[Figure: model of a digital signature. Labels: Message, Sign Function, Signer’s secret key, Signature, Verification Function, Signer’s public key, Check Message =? Message]

19 RSA Public Key Cryptosystem and Digital Signature Scheme
Proposed by Rivest, Shamir, and Adleman in 1978
RSA Public Key Cryptosystem
◆ Security Basis: Factorization Problem.
◆ Construction:
1. Choose two large prime numbers P and Q, then compute N=P×Q.
2. Select an integer e such that gcd(e, φ(N))=1.
3. Compute d such that e×d mod φ(N)=1.
4. Public key = (N, e).
5. Private key = (P, Q, d).

20 RSA Public Key Cryptosystem and Digital Signature Scheme
RSA Digital Signature Scheme
Sign Function: Signature S=M^d mod N.
Verification Function: M=S^e mod N.
Example: P=11, Q=13, N=143, and φ(143)=120.
e=103, then d=7 (for 103×7 mod 120=1).
Sign for M=3: S=3^7 mod 143=42.
Verification: M= S^e mod N = mod 143=3.

21 ElGamal Public Key Cryptosystem and Digital Signature Scheme
Proposed by ElGamal in 1985
ElGamal Public Key Cryptosystem
◆ Security Basis: Discrete Logarithm Problem
1. If P is a large prime and g and y are integers, find x such that y=g^x mod P.
2. The security restriction on P: P-1 must contain a large prime factor Q.
◆ Construction:
1. Choose a large prime number P and a generator g of GF(P).
2. Private key: a random integer x between 1 and P-1.
3. Public key: y=g^x mod P.

22 ElGamal Public Key Cryptosystem and Digital Signature Scheme
ElGamal Digital Signature Scheme
Sign Function: Signature (r, s) for message M.
1. Select a random integer k between 1 and P-1 such that gcd(k, P-1)=1.
2. Compute r=g^k mod P.
3. Compute s=k^(-1)(M-xr) mod (P-1).
Verification Function: Verify by checking whether g^M mod P = (r^s)×(y^r) mod P.
(r^s)×(y^r) = g^(M-xr) × g^(xr) = g^((M-xr)+xr) = g^M mod P.

23 ElGamal Public Key Cryptosystem and Digital Signature Scheme
Example: P=23, g=5. x=3, then y=10 (for 5^3 mod 23=10).
Sign for the message M=8.
Select k=5 between 1 and 22 (P-1).
Compute r = g^k mod P = 5^5 mod 23 = 20.
Compute s = k^(-1)(M-xr) mod (P-1) = 5^(-1)(8-3×20) mod 22 = 9×14 mod 22 = 16.
Verification: g^M = 5^8 mod 23 = 16
(r^s)(y^r) mod P = 20^16 × 10^20 mod 23 = 13×3 mod 23 = 16.

24 Schnorr’s Digital Signature Scheme
Sign Function: Signature (r, s) for message M.
1. Select a random integer k between 1 and P-1.
2. Compute r = h(M, g^k mod P).
3. Compute s = k + x*r mod (P-1), where x is the secret key and the public key is y = g^(-x) mod P.
4. Send (M, r, s) to the receiver.
Verification Function: Compute g^k mod P = g^s y^r mod P.
Verify by checking whether r = h(M, g^k mod P).
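The ElGamal signature of slides 22 and 23 and the Schnorr signature of slide 24, side by side on the toy group P=23, g=5, as an added example that is not part of the original slides. The function names, the use of SHA-256 for h, the byte encoding of its inputs and the range check in elgamal_verify are assumptions of this example.

```python
import hashlib
from math import gcd

P, G, X = 23, 5, 3            # toy group and private key from slide 23

def elgamal_sign(m, k):
    """Slide 22: r = g^k mod P, s = k^-1 (M - x r) mod (P-1)."""
    if not 1 <= k <= P - 1 or gcd(k, P - 1) != 1:
        raise ValueError("k must lie in [1, P-1] and be coprime to P-1")
    r = pow(G, k, P)
    return r, (pow(k, -1, P - 1) * (m - X * r)) % (P - 1)

def elgamal_verify(m, r, s, y):
    """Accept iff g^M = r^s * y^r (mod P)."""
    if not (0 < r < P and 0 <= s < P - 1):   # added range check, not on the slide
        return False
    return pow(G, m, P) == (pow(r, s, P) * pow(y, r, P)) % P

def h(m, commitment):
    """h(M, g^k mod P) as an integer; SHA-256 is an assumed choice."""
    data = m + b"|" + str(commitment).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def schnorr_sign(m, k):
    """Slide 24: r = h(M, g^k mod P), s = k + x*r mod (P-1)."""
    if not 1 <= k <= P - 1:
        raise ValueError("k must lie in [1, P-1]")
    r = h(m, pow(G, k, P))
    return r, (k + X * r) % (P - 1)

def schnorr_verify(m, r, s, y):
    """Recompute g^k = g^s * y^r mod P with y = g^-x, then compare hashes."""
    commitment = (pow(G, s, P) * pow(y, r, P)) % P
    return r == h(m, commitment)

Y_ELGAMAL = pow(G, X, P)      # y = g^x mod P   (slide 21)
Y_SCHNORR = pow(G, -X, P)     # y = g^-x mod P  (slide 24)
```

With M=8 and k=5, elgamal_sign reproduces the slide's signature (20, 16).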

25 Blind Signature
Proposed by D. Chaum in 1983
D. Chaum’s Blind Signature Scheme
◆ It uses the RSA algorithm. Security Basis: Factorization Problem
◆ Construction: Bob has a public key, e, a private key, d, and a public modulus, N. Alice wants Bob to sign message M blindly.
1. Alice chooses a random integer k between 1 and N. Then she blinds M by computing t = M×k^e mod N.
2. Bob signs t: t^d = (M×k^e)^d mod N.
3. Alice unblinds t^d by computing s = t^d/k mod N = M^d mod N. s is the signature of message M.
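The three blind-signature steps above, run with the toy RSA key of slide 20 (N=143, e=103, d=7), as an added example that is not part of the original slides. The function names are hypothetical, and the requirement gcd(k, N)=1 is an assumption added so that the division by k in step 3 is defined.

```python
from math import gcd

N, E, D = 143, 103, 7      # Bob's toy RSA key from slide 20 (P=11, Q=13)

def blind(m, k):
    """Step 1 (Alice): t = M * k^e mod N."""
    # k=1 would leave M unblinded; k must be invertible mod N (assumed check)
    if not 1 < k < N or gcd(k, N) != 1:
        raise ValueError("k must lie in (1, N) and be coprime to N")
    return (m * pow(k, E, N)) % N

def sign_blinded(t):
    """Step 2 (Bob): t^d mod N. Bob sees only t, never M."""
    return pow(t, D, N)

def unblind(td, k):
    """Step 3 (Alice): s = t^d / k mod N = M^d mod N."""
    return (td * pow(k, -1, N)) % N

def verify(m, s):
    """Ordinary RSA verification from slide 20: M == s^e mod N."""
    return pow(s, E, N) == m % N

def blind_sign(m, k):
    """Run all three steps; return what Bob saw (t) and the signature s."""
    t = blind(m, k)
    return t, unblind(sign_blinded(t), k)
```

For M=3 the unblinded signature equals the slide 20 signature 42 whatever k is chosen, while the value t that Bob signs changes with k.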

26 Blind Signature
Property: Untraceable
Applications: Blind signature can be used in electronic cash system.
[Figure: electronic cash flow between Bank (signs coins, database), Consumer and Merchant]
1. t=SN×k^e mod N (SN: Serial #, k: random number)
2. t
3. t^d mod N
4. s=(t^d)/k mod N=SN^d mod N
5. Coin
6. Verify the signature s
7. Coin
Coin: SN+s

