References
1. Mathematical simulation of reaches of the Krasnoyarsk impoundment / V. A. Sapozhnikov [et al.] // Association of subjects of the Russian Federation and a wildlife management problem in Prienisejsky Siberia : theses and materials of reports of inter-regional scientifically-practical conference / KSU. Krasnoyarsk, 2005. P. 296-298.
2. Borodin, A. L., Raspopov V. E. Numerical identification of coefficients of mathematical model of an ecosystem of a reservoir // Joint issue. Computing technologies. T. 13. Herald of the KazSU of AL-FARABI. A series of the mathematics, the mechanics, the informatics. Vol. 3 (58). Almaty-Novosibirsk, 2008. P. 302-306.
3. Gubanov V. G. Biotic circulation and interaction of trophic links in artificial and natural biosystems : diss. dr. phys.-math. sciences. Krasnoyarsk, 2004.
4. Petrov J. S. Special-purpose software for carrying out of computing experiments at mathematical modeling of water ecosystems // YOUTH AND THE SCIENCE: the XXI-st century BEGINNING : Materials of the All-Russia scientific and technical conf. of students, postgraduate students and young scientists. In 4 p. P. 1 / SFU. Krasnoyarsk, 2009. P. 78-80.
5. Kozhevnikova N. A., Phytoplankton of a deep-water part of a Krasnoyarsk impoundment // Alkologia. № 2. 2002. P. 39-40.
6. ShChur L. A. Structure and functional characteristics of bacterial plankton and phytoplankton in ecosystems of reservoirs of different type : diss. dr. biol. sciences. Krasnoyarsk, 2006.
7. Belolipetsky V. M., Genova S. N., Gurevich K. J. Platform for research of dynamics of hydrophysical and radio ecological characteristics of river system // Computing technologies / the Siberian Branch of the Russian Academy of Science. Vol. 6, № 2. 2001. P. 14-24.
© Petrov Y. S., Raspopov V. E., 2010
V. V. Podkolzin, V. O. Osipyan Kuban State University, Russia, Krasnodar
ON PROPERTIES OF KNAPSACK SYSTEMS OF INFORMATION PROTECTION WITH THE OPEN KEY IN Zp
Properties of sequences of numbers expressed through components of a knapsack vector are investigated. Properties of isomorphic and similar knapsack systems of information protection are analyzed. Methods of increasing cryptographic security of knapsack systems of information protection with an open key are presented.
Keywords: a knapsack vector, isomorphism, cryptoanalysis, density, injectivity.
Let’s express a set of natural numbers {0, 1, ..., p-1} through Zp and a set of all numerical sets of length n with
components from Zp. through ZUp .
A knapsack problem for set w e N and vector A = (a1,
a2, ..., an), where aieN, I = 1...n, if there is an equation solution
AxT = w
has the solution in Zp
(1)
j-1
• >Y, (p -1) ai
i-1
j
2... n
(2)
A knapsack vector A = (a1, a2, ..., an) is a nondecreasing one if its components are ordered according to the rule ai-1 < a„ I = 2. n. Accordingly, the vector is increasing if its components are ordered according to the rule ai-1 <a„ I = 2. n.
Definition. Let’s call vector AA = (8 i, 82, ..., 8p) a variation of vector A = (a1, a2, ..., an) (ai e N, I = 1...n) in Zp, For its components the following correlations are carried out:
we will call vector A of equations (1) a knapsack vector.
A knapsack vector A = (a1, a2, ..., an) is an injective one if for any natural w the equation (1) has not more than one solution. A knapsack vector which has two elements ai = aj, I £ j, is not injective. Injectivity of a knapsack vector allows to speak about uniqueness of restoration of the original text according to the cryptogram. Supergrowing knapsack vectors are the simplest injective knapsack vectors from the point of view of understanding and algorithmization. For their components in Zp the following relationships are carried out:
j-1
81 - a1, 8j = aj (p - 1)a<, j = 2-n.
(3)
On the basis of vector AA it is possible to define a knapsack vector A in Zp corresponding to it:
a1 - 81, i-1 i-1
at - 8,- + (p - 1)X aj - 8,- + (p -1)£ p‘-j-18j,
j-1 j-1
I = 2-n. (4)
Let’s express a set of various values w for which equation (1) has the solution through |a (p, A). Capacity |a (p, A) does not exceed pn since the quantity of various
i-1
vectors in Z p is equal to pn. Value | , (p, A) | reaches the upper boundary, if
Vxj, x2e ZP X ^ x2 ^ Ax1T^ Ax2T. (5)
Thus, capacity , (p, A) reaches the upper boundary only when vector A is injective. Really, if vector A is injective, then correlations (5) are carried out and the
number of various values AxT(xe Z") is equal to the
From symmetry AW,pA) it follows that any we W, (p, A) can be presented in two ways:
number of various elements in Zp, i. e. pn. On the other hand, if |, (p, A)| = pn, then there is a one-to-one depentanizer between elements , (p, A) and Z", and
dp(A) =
= _j^CpiA)j_
n
S (p-l)a,.
(6)
density of a knapsack vector A in Zp.
The density defines the relation of capacity, (p, A)
n
to the length of a cut [0, S (p -1)ai ]. It is obvious that
i=1
n
V xe Z"p is a value AxT e [0, S(p -1)a,- ]. Thus,
i=1
0 <dp (A) < 1. Moreover for injective knapsack vectors the density is equal to 1 only when all components of a variation of vector A are equal to unit [1], and cryptoanalysis of such knapsack systems consists in finding p.
Wx = AxT, wx e , (p, A) corresponds to each set
x = (a1, a2, ..., an) e Z"p . We will write out the sequence
W,(p, A) = (wo, W1, w2, ..., Wk), where Wi = Ax,t,
n
xi = (a 1, a2, ..., a„), i = Saip"-', I = 1 ... k, k = pn—1.
i=1
If vector A is not injective in W, (p, A) there are two values w, = w, I4 j. We will designate sequence AW, (p, A) = (m1, m2, ..., mk), where mt = w, — w—1 (I = 1.. ,pn—1).
The sequence AW, (p, A) is symmetric with respect to the middle and can be defined recursively relative to the dimension of a knapsack vector A.
Let An = (a1, a2, ..., an) (at e N, I = 1...n) be a knapsack vector. Vector An+1 = (a1, a2, ..., an, an+1) is received fromAn by adding the component an + 1eN. Then
A W, (p, An + 1)
(AW, (p, An), Sn + 1,
A W, (p, An), Sn + 1, A W, (p, An), ., Sn + 1 A W, (p, A")),
where 8n + 1, AW, (p, An) is repeatedp— 1 times.
The sequence AW, (p, A) describes distances between the elements of sequence W, (p, A), i. e. its “sparseness”, and, hence, is the characteristic of , (p, A).
w= Saja,= S(p - 1)ak - S Pi-
j=1 k=1 i=1
(7)
hence equation (1) for any w e , (p, A) has only one solution. From the latter follows an injectivity of knapsack vector A.
Definition. Let’s call the value
where a;, Pi e Zp, I = 1. n.
Lemma 1. An = (a1, a2, ..., an) is an injective knapsack vector, where at e N, I = 1...n. A vectorAn + 1 = (a1, a2, ..., an, an+1) is received from An by adding the component
an + 1 eN, AAn + 1 = (8 1, 82, ..., Sn, 8n + 1) is a variation of vector An+1 and Sn + 1> 0. Then An + 1 = (a1, a2, ..., an, an+1) is an injective knapsack vector.
The proof.
Let’s show that V wx e, (p, An+1) equation (1) has only one solution.
As wx belongs to set , (p, An + 1) it follows that
3x = (a 1, a2, ., an, an + 1) e Z”p+1 for which wx = An + 1xT is carried out.
1. If an + 1 = 0, then wx e, (p, An) and (1) has the only solution because of injectivity of An;
2. Let 0 <an + 1 <p. As Sn + 1> 0 then any element , (p, An) is less than an+1. Thus, if there is unique an+1 and w'x e , (p, An) then wx = a n+1an + 1 + w'x and consequently equation (1) has the only solution.
From randomness wx e, (p, An + 1) it follows that An + 1 is an injective knapsack vector.
Lemma 2. An = (a1, a2, ..., an) is an injective increasing knapsack vector, where ateN, I = 1...n. Vector An + 1 = = (a1, a2, ..., an, an+1) is received from An by adding the component an+1eN, AAn+1 = (81, 82, ..., Sn, Sn+1) is a variation of vector An+1 and Sn+1 < 0.
Vector An+1 = (a1, a2, ..., an, an+1) is an injective increasing knapsack vector if the following equation is carried out:
(an (p 1)a, <Sn+1) & (| Sn+1 I ^ W , (2p-1, An)).
j=1
The proof.
First of all we will define a condition at which An + 1 will be increasing. Since An is an increasing vector, it is necessary to follow the condition
n
an < an+1 (p—1)a . + Sn+1.
j=1 j
Hence
n
an-S (p - 1)a. < Sn + 1.
j=1
Let An + 1 = (a1, a2, ..., an, an + 1) be increasing, but not injective, i. e. let there exist rax e, (p, An + 1), then the equation (1) does not have only one solution. From the injectivity of An and properties of sequences W, (p, An) and W, (p, An + 1) it follows that all such rax belong to cuts
n
[an + 1 + k an + 1, S(p-1)a ■ + k an + 1], where k = 0... p-2.
j=1 j
i=1
Also, if
nn
an+1 = S ( p - 1)a j + S n+1 <®x <S (p-1)a ■ (8)
j=1 j=1 1
j=1
®x = an+1 + Spjaj = I S(p - 1)ak + Sn+1 | + SP
j=1
jj
where PieZp, I = 1...n, 0 < a <p-1.
As rax belongs to set , (p, An) and validity (7) we have:
®x = Sy jaj = S (p-1)ak-S?.
j=1
j=1
where y, P,eZp, I = 1.n.
Thus, there is an equality:
S(p-1)ak-S<Pjaj = S(p - 1)ak + Sn
k=1 j=1 k=1
nn
+ Spjaj- Sn + 1= S(Pj + P)aj .
j=1
j=1
= Sa a ©SPa- = S
Y tai
(9)
a1 - S1, a, - Si +(p - 1)S 1
J- j-1c
b1 = S'1, bt = Si + (p -1)
j=1 i-1
p,-2s '1+S p' - j-1lSj
j=2
, I = 2. n.
Then
b1 = 81 + e , bi = Si +(p -1)
r i-1 A
i-2 . V ' i-j-1
p e + S p 1
j=1
j
v
/
and equation (1) has more than one solution for rax, then the equation (1) also has more than one solution for rax + k an + 1, where k = 0.p-2, and on the contrary.
On the basis of the above-stated information we will consider rax satisfying (8), then rax e, (p, An) and (Ox e, (p, An+1).
As ox belongs to set , (p, An+1) we have:
b1 = a1 + e, bi = ai + (p — 1) p 2 e,
I = 2...n, e = e (A, B).
And the following correlation is valid :
(10)
S (p - 1)bi = (p - 1)(a1 + e) + S (p - 1)(ai + (p -1)p -2e) = i=1 i=2
= S (p - 1)ai + (p - 1)e(1 + ^ p -2) =
i=1 i=2
j-1
j-2
= S (p - 1)ai + (p - 1)ep
On the basis of properties of sequences W
(11)
, (p, A)
and
W, (p, B) it is possible to draw a conclusion that W, (p, B) is received from W, (p, A) by “recursive scaling” on e relative to nodal values (a2, ..., an), and each value at is displaced according to (10). Sequence AW, (p, B) is received from
AW,
, (p, A)
by replacement of all occurrences S1 on S1 + e.
From the latter equality it follows that —Sn + 1 e W, (2p—1, An). Hence, for injectivity of vector An + 1, | Sn + 11 g W, (2p-1, An) is necessary.
Then we we will define an addition operation © on set , (p, A) of knapsack vector A = (a1, a2, ..., an) as follows:
Vw1, w2 e, (p,) w = w1©w2 =
where y, = (a i + P i) modp; ah P, eZp, I = 1. n.
The set ,(p, A) with an addition operation © forms an additive finite Abelian group (,(p, A), ©).
Definition. Two knapsack vectors A = (a1, a2, ..., an) and B = (b1, b2, ..., bk), whose variation vectors AA and AB differ only in the value of the first component are isomorphic ones. We will denote them as A«B if there is an isomorphismf: ,(p, A) ^,(p, B).
Two knapsack vectors can be isomorphic only when they have identical dimension and |, (p, A)| = |, (p, B)|.
Let’s consider two isomorphic knapsack vectors A = (a1, a2, ..., an) and B = (b1, b2, ..., bk). From (4) we have:
If for knapsack vectors A = (a1, a2, ..., an), B = (b1, b2, ..., bn) and C = (c1, c2, ..., cn) A«B and B«C are carried out then A«C. Really, due to bijectivity f:, (p, A)^, (p, B) and g:, (p, B)—(p, C) it follows that h = g°f: , (p, A) — , (p, C) is bijective and e (A, C) = e (A, B) + + e (B, C).
Isomorphism of knapsack vectors is an equivalence relation, and, hence, a set of isomorphic vectors forms an equivalence class. In each class there is a vector for which the coefficient of isomorphism with any other vector of this class is non-negative. Let’s call such a vector a base vector of an equivalence class.
Let © = (91, 02, ..., 9n) be a base vector of some equivalence class and A = (a1, a2, ..., an) be an arbitrary element of the same class, i. e. ©«A, e (©, A) > 0. As |, (p, A)|=|, (p, ©)| from density definition of a knapsack vector in Zp we have:
|, (p,)| = dp (A) (p -1)a, =
i=1
= dp (©) S(p -1)9i = |, (p, ©)|.
i=1
Owing to (11) it follows that:
dp (A) S (p -1)ai =dp (A) (S (p - 1)9i + e(p -1)p"-2) =
i=1 i=1
= dp (©) S (p - 1)0i.
i=1
From the latter we will express dp (©):
Let’s call value e (A, B) = 8'1 — S1 a coefficient of isomorphism of two vectors A and B.
dp (©) =dp (A)
1 +
e p
where e = e (©, A).
i=1 J
i=1
dp (©) = dp (A)(1+k e (©, A)),
where
k=^
S9i
cont.
(12)
Thus, the basic vector has the greatest density among all vectors of its equivalence class.
In case if the basic vector © is supergrowing then vector A is also supergrowing. Really from (2) and (10) we have:
S (p -1)a, = (p -1)(91 + e) + S (p -1)(9, + (p -1)p -2e) = i=1 i= 2
= S (p -1)91 + (p - 1)e(1 + S p -2) <
i=1 i=2
< 9 j + (p - 1)epJ-2 = aj, e = e (©, A).
From the latter inequality it follows that for any equivalence class with a basic supergrowing vector there is a knapsack vector from the given class for any positive coefficient of isomorphism. Generally the given statement is not true. For example, for an injective vector (15, 42, 51, 83) there is no isomorphic vector in Z2 with an isomorphism coefficient equal to 10 since vector (25, 52, 71, 123) is not injective.
Thus, KSPI with knapsack vector A is possible to transform into equivalent KSPI with a knapsack vector ©, where © is a basic vector of an equivalence class of vector A . The expediency of the given transformation is caused by smaller volume of calculations , (p, ©) and memory expenses. For example, to store each element , (2, A) of supergrowing knapsack vector A = (45, 69, 218, 415, 796, 1752, 3588, 7375, 17897, 36073) 17 bits of memory are necessary, and to store corresponding values of a basic vector © = (1, 25, 130, 239, 444, 1048, 2180, 4559, 12265, 24809) 16 bits for each are enough. If values of a knapsack vector components are great and if there is corresponding dimension then the memory capacity necessary to store elements , (p, A) can exceed the sizes of standard types of programming languages and consequently will demand additional procedures for storage and performance of operations with such “big” numbers which, naturally, causes the increase in time and memory expenses. In particular for the above-stated example to store values , (2, B) of supergrowing vector B = (444444444, 444444468, 888889016, 1777778011, 3555555988, 7111112136, 14222224356, 28444448911, 56888900969, 11377780227) belonging to the same class of equivalence already 38 bits are necessary for each.
Theorem. Let A = (a1, a2, ..., an) be an injective knapsack vector with dimension n and t f 0 be an integer value. Then, an injective knapsack vector with dimension n by means of whose components in Zp all elements of a set are expressed {w + t\w e, (p,)} does not exist.
The proof.
Let's assume that an injective knapsack vector B = (b1, b2,..., bn) exists. Then {w+^w e, (pA)} E , (p, B).
1. t > 0. Then |, (p, B)| > |, (p, A)| + 1 since zero is included in , (p, B), but is not included in {w + tw e , (p,)}. But due to injectivity of vectors A and B |, (p, B)| = |, (p, A)| is carried out. As we can see there is contradiction.
2. t < 0. Since 0 e , (pA), t e , (p, B) that contradicts b,eN, i=1, ..., n.
Thus, updating of KSPI by way of changing the numerical value of a crypto text leads to increase in the complexity of its crypto analysis.
Definition. Two knapsack vectors A = (a1, a2, ..., an) and B = (b1, b2, ..., bn) are similar, we will denote them AsB only when there is a mutually single-valued transformationf: A—B such that:
- VaeA f (Ca) = Cf (a), where Ce Z;
- Va ', a ”e A , f (a ' + a ") =f (a ') + f (a ") is carried out.
Two vectors one of which is received from another by strong modular multiplication can serve as an example of two similar injective knapsack vectors.
Let us investigate the properties of two similar injective knapsack vectors A = (a1, a2, ..., an) and B = (b1, b2, ..., bn) the transformation of which is defined by function f (x) = cx in some field where c is some constant:
f (a,) = ca,= b,, I = 1...n,
Vwa e, (p,) f (wa) = f (aiai) i=1
n n n
= Saif (a) = Sai(ca,) = Sab .
i=1 i=1 i=1
Densities of such vectors are connected by a correlation:
dp (B) =
|,p (B^ |,p (A^ |, p (A)|
» n I n
S (p-1)bi S (p -1)cai c|S (p -1)a
dp (A) = c dp (B).
(13)
Sequences W, (p, A) and W, (p, B) possess properties defined by a correlation (10). The elements of sequences AW, (p, A) and AW, (p, B) are connected as follows:
m, = chi, I = 1.n, where m, eA W, (p, b), h, eA W, (p, a)
The most widely known are systems of information protection with an open key and with a knapsack on the basis of a secret key [2] in which a vector received from a knapsack vector by strong modular multiplication by values of a secret key is used as an open key. It is possible to perform the crypto analysis of such systems by analytical or statistical methods, or by means of the analysis of an open key.
Analytical methods are based on methods of decisions of equation (1) on the basis of known values from ,(p,). Applicability of the given methods is based on volumes of done calculations. The upper boundary of a number of solutions (1) is presented in [3] and generally is a NP-full problem.
i=1
Statistical methods are based on statistical characteristics of elements of a natural language or other language of the original text and the statistics of crypto text elements. The main objective of such methods is to find a mutually single-valued correspondence between the elements of an original text and a cipher text rather than to find a knapsack vector. They are applicable only in the presence of statistical volumes of cipher texts.
Methods of crypto analysis of an open key consist in restoration of a KSPI knapsack vector according to an open key vector. In particular, for two supergrowing knapsack vectors, received one from another by means of strong modular multiplication, A. Shamir offers an algorithm of finding a knapsack vector A KSPI if vector B [2] is known.
On the basis of knapsack vectors properties described above it is possible to formulate the following results:
1. Crypto analysis of KSPI can be made not only on the basis of statistics of cipher texts elements values, but also on distribution of values. As the probability of occurrences of elements AW, (p, A) sequences of knapsack vector A = (a1, a2, ..., an) in Zp is a constant value for the set dimension n, the table of probabilities is calculated at the stage of preliminary preparation of crypto analysis. The analysis of cipher texts is made on the basis of differences between pairs of values of its elements. In this case a number of various values of a cipher text elements is more important than the volume of known cipher texts. The construction of an injective knapsack vector is carried out on the basis of properties W, (p, A) and Lemma 1.
2. The applicability of statistical methods of cipher texts analysis is based on its volume. Therefore if volumes of such information are small then the given methods are practically inapplicable. Updating KSPI with one knapsack vector into a system with dynamically generated knapsack vectors [4; 5] leads to practical inapplicability of statistical methods of cipher texts analysis.
To increase the cryptographic security of classical systems of information protection with an open key and with a knapsack it is necessary not only to use isomorphic and similar knapsack vectors, but also to change values of exits of the enciphering block of KSPI by value of some
constant. For example, having altered a classical system of information protection with an open key and with a knapsack on the basis of a secret key (m, t) [2], it is possible to raise the system cryptographic security essentially.
Let’s consider a simple example. Let A = (2, 5, 6) be an injective increasing knapsack vector. Before the definition of an open key - vector B, we will apply function f (x) = x2 — x to the elements of vector A and considering that f (2) = 2, f (5) = 20, f (6) = 30, we will receive A' = (2, 20, 30). Using pair m = 220 and t = 17 as a secret key [2] we will receive open key B = (34, 120, 70) by strong modular multiplication [2]. A crypto analysis of vector B according to A. Shamir’s algorithm can lead only to reception of a supergrowing vector A' [2] in which cipher texts w = 7 is inadmissible. Thus, the use of a secret key (m, t, f (x)) leads to the fact, that known methods of the analysis of an information protection system with an open key, in particular, those using strong modular multiplication, are inapplicable or demand additional expenses concerning transformation search fx).
References
1. Osipyan V. O. Development of methods of information transmission and security systems construction. Krasnodar, 2004.
2. Salomaa A. Cryptography with an open key. M. : World, 1995.
3. Podkolzin V. V., Osipyan V. O. Upper boundary of a number of solutions of a generalized task of a knapsack on a set point // Actual problems of information technologies safety : materials of III International theoretical and practical conf. / edited by O. N. Zhdanov, V. V. Zolotarev ; Siberian state aerospace university. Krasnoyarsk, 2009. P. 30-33.
4. Podkolzin V. V. A model of information security system with an open key on the basis of dynamic generation of a knapsack vector. M. : OPandPM, 2009. Vol. 16. Issue 5. P. 913-914.
5. Podkolzin V. V., Osipyan V. O. Of one modification of information security task with an open key on the basis of a generalized knapsack point. M. : OPandPM, 2009, Vol. 16. Issue 5. P. 905.
© Podkolzin V. V., Osipyan V. O., 2010