In [None]:
# Whole example is "heavily inspired" by http://www.math.ucsd.edu/~crypto/Projects/JenniferBakker/Math187/

# The knapsack problem comes has a criminal motivation - there is a burglar, who tries to steal goods of as much value as possible while not breaking safety rules - i.e. there is a limit of how heavy burdens is a person legally allowed to manipulate

# in the knapsack problem we are thus given items with their values and weights and a backpack, that is only capable of taking a set amount of weight before breaking (or just a weak thief)

# in general this problem is known to be hard - it is NP-complete, as such, there were attempts to use this hardness for good by utilising it for cryptosystems, before LLL, it worked rather well

# the idea is - while the problem is hard in general there are easy instances there are some, which are easy - e.g. those arising from the so called superincreaing sequences - here superincreasing means, that every term is strictly greater than the sum of all preceding ones. E.g. the powers 2^n, 3^n...

# for these backpacks, the problem can be solved by the greedy algorithm (note the similarity of writing numbers in a given base in big endian).

# but these are too easy for the attacker to break, therefore, it is necessary to mask them

# the idea is then to encode a message into items - item in backpack - 1, item not in backpack - 0

In [None]:
message = "101100111"

S = [2, 5, 9, 21, 45, 103, 215, 450, 946] # our superincreasing backpack - our secret key
p = 2003 # as is standard in cryptography, we will not work in the ring of integers, but in a ring modulo p
m = 1289 # our masking coefficient
m = randint(1,p)
m_inv = pow(m,p-2,p) # our "demasking coefficient"
print(m, m_inv)

NameError: ignored

In [None]:
T = [(s*m) % p for s in S] # the masked backpack - the public key
print(T)

C = sum([T[i] for i in range(len(T)) if message[i] == "1"])
print(C)

[575, 436, 1586, 1030, 1921, 569, 721, 1183, 1570]
6665


In [None]:
# the honest reciever of the encrypted message will know the demasking coefficient, will demask the message, and then will use the greedy algorithm to reconstruct the original message

# probably something like this:
C_hon = C
C_hon = (C*m_inv) % p

reconstructed_message = []
for i in range(len(S)-1,-1,-1):
    if C_hon >= S[i]:
        C_hon -= S[i]
        reconstructed_message.append("1")
    else:
        reconstructed_message.append("0")

reconstructed_message.reverse()

reconstructed_message = "".join(c for c in reconstructed_message)

print(message, reconstructed_message)

print(reconstructed_message == message)

101100111 101100111
True


In [None]:
# however, we are not the good guys, and we want to be able to decrypt the message even when we do not have the demasking coefficient, nor the superincreasing backpack

# actually the only thing we will have is the masked backpack and the ciphertext (just like an attacker would)

# as such we will generate a matrix in using the ciphertext and the masked backpack, and then use LLL


M = identity_matrix(len(S)).augment(vector([0]*len(S)))
last_row = vector(T + [-C])
M = M.stack(last_row, subdivide = True)
print(M.T)

In [None]:
# In the reduced matrix we are looking for a 0/1 vector - that is a vector probably encoding the original message
(M.T).LLL()

NameError: name 'M' is not defined

In [None]:
l = []
for i in range(10):
    if i%2 == 0:
        l.append(i)
print(l)

[0, 2, 4, 6, 8]


In [None]:
l = [cislo for cislo in range(10) if cislo%2 == 0]
print(l)

[0, 2, 4, 6, 8]
