A simple and efficient attack on the Merkle-Hellman knapsack cryptosystem

Abstract

The Merkle-Hellman knapsack cryptosystem was one of the two earliest public key cryptosystems, which was invented by Merkle and Hellman in 1978. One can recover the equivalent keys by using Shamir’s method. The most time-consuming part of Shamir’s attack is to recover the critical intermediate parameters by solving an integer programming problem with a fixed number of variables, whose worst-case complexity is exponential of the number of variables. In this paper, we present an improved algorithm to analyze the basic Merkle-Hellman public key cryptosystem. The main idea is to recover a partial super-increasing sequence as equivalent private key, which is the main difference from Shamir’s. More precisely, we first obtain a super-increasing sequence by invoking the LLL algorithm on a special lattice with a small dimension. We can recover most part of the plaintext from the tail by solving the super-increasing knapsack problem. Finally, we get the first part of plaintext by solving a size-reduced knapsack problem. Experimental data shows that one can recover the whole plaintext in less than 1 second on a laptop for the typical parameters of the Merkle-Hellman cryptosystem, whose time complexity is reduced by a polynomial level compared with Shamir’s algorithm.

1 Introduction

Merkle-Hellman cryptosystem, which is a kind of public key cryptosystem, was proposed by Merkle and Hellman in 1978 [1]. Its security was based on the hardness of the knapsack problem. This scheme used super-increasing sequences and modular multiplication to construct a trapdoor, making it easy to decrypt with the private key. Attacks on this cryptographic system can be divided into two main categories: one is to directly solve the knapsack problem, and the other is to find equivalent keys.

Many algorithms have been proposed to solve the knapsack problem. In 1985, Lagarias and Odlyzko proposed a direct way to use lattices to solve the subset sum problem [2]. This method does not rely on any properties of the subset sum instance and only works when the density is sufficiently small. In 1991, Coster, Joux, LaMacchia, Odlyzko, Schnorr and Stern [3]made a small adjustment to the original method, raising the upper limit of applicable density from 0.6463 to 0.9408. However, there are no efficient lattice-based methods for solving the knapsack problem with density close to 1. For this case, the state-of-the-art algorithm is proposed by Schroeppel and Shamir [4], which runs in $O(n$ $·$ 2^n/2) time and uses $O(n$ $·$ 2^n/4) bits of memory. This algorithm runs in the same time as the basic birthday-based algorithm for knapsack problem introduced by Horowitz and Sahni [5], but has much lower memory requirements. In 2010, Howgrave-Graham and Joux proposed two new algorithms that improve this bound [6], reducing the running time further with reasonable heuristics. Besides, intelligent algorithms such as genetic algorithm [7, 8] and ant colony algorithm [9] are also used to crack the Merkle-Hellman cryptosystem.

Another way to break the Merkle-Hellman cryptosystem is to solve the private key. In 1982, Shamir proposed an algorithm to break it in polynomial time [10]. Shamir noticed an "unusual" relationship between parameters, whose essence is that modular multiplication cannot perfectly hide the information of the private key. In 2019, Liu and Bi proposed an attack based on lattice [11]. They use orthogonal lattice technique as the main tool and obtain a $\mathit{\text{O}}({\mathit{\text{n}}}^7)$ speed-up compared with Shamir’s algorithm.

Currently, National Institute of Standards and Technology (NIST) is collecting post-quantum algorithms from all over the world, and knapsack ciphers are a promising class of candidate algorithms. The hardness of the knapsack problem is NP-complete and it can resist the attack of a quantum computer. Some improved knapsack algorithms have been proposed in recent years [12–15]. In this paper, we propose an improved method based on Shamir’s attack for cracking the Merkle-Hellman cryptosystem, which is helpful to the cryptanalysis of knapsack-based schemes.

1.1 Contributions

In this paper, we contribute to the body of knowledge on lattice-based attacks on the Merkle-Hellman cryptosystem by presenting an improved algorithm. Our approach differs from previous works in that we focus on recovering a partial super-increasing sequence as the equivalent private key, which is a novel way of utilizing the lattice reduction results. By invoking the LLL algorithm on a specially constructed small-dimensional lattice, we are able to bypass the most time-consuming integer programming step in Shamir’s attack, thereby achieving a significant reduction in time complexity.

Let n denote the number of the public key elements of the Merkle-Hellman cryptosystem and L is the length of input. l is the number of variables we use. In our improved method, the most time-consuming part is finding equivalent $M^{\prime }$ and $U^{\prime }$ by invoking the LLL algorithm [16]. Its complexity depends on the LLL algorithm, which is $\mathit{\text{O}}({\mathit{\text{l}}}^6{\mathit{\text{L}}}^3)$ for classical LLL and can be further reduced using ${\mathit{\text{L}}}^2$ algorithm [17]. In our attack, we choose l = 20. Note that $L=O(n)$ and $l=O(1)$, the time complexity of our attack is $\mathit{\text{O}}({\mathit{\text{n}}}^3)$, and the complexity of Shamir’s attack is $O(n^{15}n\log n)$, which means we get a $\mathit{\text{O}}({\mathit{\text{n}}}^{13})$ speed-up compared with Shamir’s algorithm.

Our work not only advances the understanding of how lattice theory can be applied to break the Merkle-Hellman cryptosystem but also provides new insights into the potential weaknesses of similar knapsack-based cryptographic schemes. The experimental results that demonstrate the efficiency of our attack further highlight the importance of considering lattice-based attacks when evaluating the security of cryptographic algorithms, especially in the context of post-quantum cryptography where the relevance of such attacks is expected to grow.

1.2 Organization

We organize the paper as follows. In Section 2, we recall the background on lattice theory, the Merkle-Hellman cryptosystem and Shamir’s attack algorithm. Section 3 shows our improved method that recovers the equivalent keys. Section 4 provides the experimental data of this method. Finally, we conclude the paper in Section 5.

2 Preliminary

2.1 Lattice

There exist n linearly independent vectors $\mathbf{\text{B}}=\{{\mathbf{\text{b}}}_1,{\mathbf{\text{b}}}_2,...,{\mathbf{\text{b}}}_n\}\subset {ℝ}^m$. A lattice generated by $\mathbf{\text{B}}$ is the set of all the integer linear combinations of the basis vectors.

$$ℒ(\mathbf{\text{B}})=\{\sum x_i{\mathbf{\text{b}}}_i:x_i\in \mathbb{Z}\}$$

A classic problem related to lattice is SVP (shortest vector problem): find a non-zero vector with the shortest Euclidean norm in lattice. The length of the shortest non-zero vector in lattice $ℒ$ is denoted by ${\lambda }_1(ℒ)$.

Definition 1 (SVP). Given a basis of a lattice $ℒ$, find a non-zero vector $𝐮\in ℒ$, such that $\parallel 𝐮\parallel \le \parallel 𝐯\parallel$ for any vector $𝐯\in ℒ⧵\{\mathbf{0}\}$.

The length of the shortest vector in the lattice is denoted by ${\lambda }_1$, and the Gaussian heuristic can be used to estimate its value. Gaussian heuristic says that in a random lattice, the length of the shortest vector is approximately:

$${\lambda }_1\approx \frac{{\Gamma (n/2+1)}^{1/n}}{\sqrt{\pi }}·{(det\left(ℒ\right))}^{1/n}\approx \sqrt{\frac{n}{2\pi e}}·{(det\left(ℒ\right))}^{1/n}$$

where $\Gamma \left(x\right)$ is the gamma function.

Given the basis $\mathbf{\text{B}}$ of lattice $ℒ$, the LLL algorithm [16] can output a set of short vectors in polynomial time, which is called LLL-reduced basis. Let $({𝐛}_1,\dots ,{𝐛}_n)$ be an LLL-reduced basis of a lattice $ℒ$. Then:

1. $\Vert {𝐛}_1\Vert \le 2^{\frac{n-1}{4}}(det(ℒ)){ }^{\frac{1}{n}}$.

2. $\Vert {𝐛}_1\Vert \le 2^{\frac{n-1}{2}}{\lambda }_1(ℒ)$.

2.2 Knapsack problem

Definition 2 (Knapsack Problem). Given a set of non-negative integers $a_1,a_2,\cdots ,a_n$, and a value sum s from a subset of the whole set, determine the subset to sum s.

Formally, the knapsack problem is given a set of non-negative integers $a_1,a_2,\cdots ,a_n$ and finds $x_1,x_2,\cdots ,x_n\in \{0,1\}$ such that ${\sum }_{i=1}^n{a}_i{x}_i=s$.

The knapsack problem is a well-known NP-complete problem. In recent years, new algorithms have been proposed to solve this problem, whose time complexity and the space complexity are all exponential of n [6, 18, 19]. However, there is one kind of easy knapsack problem we define below.

Definition 3 (Super-increasing Knapsack Problem). Given a set of non-negative integers $a_1,a_2,\cdots ,a_n$, and a value sum s from a subset of the whole set, where $a_i>{\sum }_{j=1}^{i-1}{a}_j$, determine the subset to sum s.

It is easy to solve a super-increasing knapsack. Simply take the total weight of the knapsack s and compare it with the largest weight a_n in the sequence. If s<a_n, then it is not in the knapsack, i.e.x_n = 0, otherwise, x_n = 1. Subtract a_n from the total s, and compare with the next highest number. Keep working this way until the total reaches zero.

2.3 Basic Merkle-Hellman cryptosystem

Here we have a brief introduction to the basic Merkle-Hellman cryptosystem. Alice wants to send a message m to Bob by utilizing the Merkle-Hellman cryptosystem.

Key generation:

Bob selects a super-increasing sequence $\mathbf{\text{b}}=\{b_1,b_2,...,b_n\}$, which satisfies $b_i>{\sum }_{j=1}^{i-1}{b}_j$ for any $i\in (1,n]$. Chooses integer M,W s.t. $M>{\sum }_{i=1}^n{b}_i$ and $gcd(M,W)=1$. Calculate

$$a_i\equiv b_{i}W(modM).$$

Then Bob’s public key as $\mathbf{\text{a}}=(a_1,a_2,...,a_n)$, and Bob’s private key is $(\mathbf{\text{b}},W,M)$.

Encryption:

Alice wants to send the plaintext message $\mathbf{\text{m}}=(x_1,x_2,...,x_n)\in \{0,1{\}}^n$ to Bob. Alice inquires about Bob’s public key and then encrypts the message m as follows.

$$c={\displaystyle \sum _{i=1}^n}{x}_i{a}_i.$$

The ciphertext is c.

Decryption:

Bob receives the ciphertext c, calculates $c^{\prime }=c{W}^{-1}(modM)$.

Note that

$$c^{\prime }=c{W}^{-1}(modM)={\displaystyle \sum _{i=1}^n}{x}_i{a}_i{W}^{-1}(modM)={\displaystyle \sum _{i=1}^n}{x}_i{b}_i(modM).$$

Because that $M>{\sum }_{i=1}^n{b}_i$, then one have $c^{\prime }={\sum }_{i=1}^n{x}_i{b}_i$.

Bob can recover the plaintext message m by solving the super-increasing subset sum problem, which is easy.

2.4 Shamir’s attack

The core idea of the algorithm is to discover the "unusual" relationship between the parameters. Let us first consider the size of each parameter in the cryptosystem. a_i is a dn bit number and typical values of d and n are 2 and 100, respectively, so a_i is generally 200 bits. M’s size is 200 bits and b_i is chosen as dn−n + i−1, which is n + i−1 bits in general situations.

Note that $U=W^{-1}(modM)$, so the size of U is also 200 bits. From $b_i=a_{i}U(modM)$, then there is a positive integer k_i such that

$$b_i=a_{i}U-k_{i}M$$ (1)

Compared with a_iU, the left side of the equation is a relatively small number, indicating that a_iU and k_iM are of the same order of magnitude, so k_i is also 200 bits. It can be obtained by Eq 1:

$$|\frac{U}{M}-\frac{k_i}{a_i|}=\frac{b_i}{M{a}_i}\le \frac{2^{n+i-1}}{2^{4n}}=2^{-3n+i-1}$$

We denote the number of a_i we use by l, for 1<i<l, we have

$$|\frac{k_i}{a_i}-\frac{k_1}{a_1|}\le 2^{-3n+i-1}+2^{-3n}\le 2^{-3n+l}$$

This indicates that

$$|k_i{a}_1-k_1{a}_i|\le 2^{n+l}$$ (2)

We can observe from Eq 2 that the difference between two 4n bit numbers is a less than 2n bit number, which is a very unusual thing. Shamir pointed out that when l>d + 1, the integer programming problem can be used to find several sets of solutions in polynomial time. Once we get the value of k₁, we can try to construct $(W^{\prime },M^{\prime })$ pairs such that

$$b_i^{\prime }=a_i{W}^{\prime -1}(mod{M}^{\prime }),0<b_i^{\prime }<M^{\prime },1\le i\le n$$

become a super-increasing sequence, thereby cracking the Merkle-Hellman cryptosystem. The time complexity of this attack is O(n^l + 10LlogL) [20], where L is the length of the input.

3 Cryptanalysis

3.1 Observation of short vectors

Note that $a_i=W*b_i\mathrm{mod}M,i=1,\dots ,n$, we have $b_i=W^{-1}*a_i\mathrm{mod}M,i=1,\dots ,n$. Let $k_i\in \mathbb{Z}$ be the quotient such that $b_i=W^{-1}{a}_i+M{k}_i$. The equations imply that

$$\frac{b_1{a}_2-b_2{a}_1}{M}=k_1{a}_2-k_2{a}_1$$ (3)

$$\frac{b_1{a}_i-b_i{a}_1}{M}=k_1{a}_i-k_i{a}_1,3\le i\le n.$$ (4)

Take n = 100. Consider the bit length of the first few integers of the sequence S_i, which is less than $99+i$, it is far less than the bit length of a_i, which is about 200. We try to recover the first l–1 integers $\frac{b_1{a}_i-b_i{a}_1}{M},i=2,\dots ,l$. By the right part of the above equations, we define ${\mathbf{h}}_{\mathbf{1}}=(-a_1,\dots ,0),{\mathbf{h}}_{\mathbf{2}}=(0,-a_1,\dots ,0),\dots ,{\mathbf{h}}_{\mathbf{l}\mathbf{-}\mathbf{1}}=(0,\dots ,-a_1)$, ${\mathbf{h}}_{\mathbf{l}}=(a_2,\dots ,a_l)$. Then we apply LLL algorithm on the lattice $ℒ({\mathbf{h}}_{\mathbf{1}},\dots ,{\mathbf{h}}_{\mathbf{l}})$.

Define the following matrix:

$$H=\left[\begin{array}{cccc}-a_1& 0& \cdots & 0\\ 0& -a_1& \cdots & 0\\ ⋮& ⋮& \ddots & ⋮\\ 0& 0& \cdots & -a_1\\ a_2& a_3& \cdots & a_l\end{array}\right]$$

Obviously, the rank of lattice $ℒ$ is l–1, and ${\mathbf{h}}_{\mathbf{1}},\dots ,{\mathbf{h}}_{\mathbf{l}}$ is not a basis of the lattice. Therefore, the first short vector of the output of LLL algorithm is a zero vector. Besides, the norm of vector

$$(\frac{b_1{a}_2-b_2{a}_1}{M},\frac{b_1{a}_3-b_3{a}_1}{M},\cdots ,\frac{b_1{a}_l-b_l{a}_1}{M})$$

in lattice $ℒ$ is unusually small according to Eq 2 and Eq 4. It is the second shortest vector in the output, and the other l–2 vectors are much longer than the second one. The experiment data confirms our assumption.

Define

$$S_i=a_i{k}_1-k_i{a}_1$$ (5)

From Eq 3 and Eq 4, we have

$$(k_2,k_3,...,k_l,k_1)H=(S_2,S_3,...,S_l)$$

then the vector $(S_2,S_3,...,S_l)$ is the shortest in lattice $ℒ$. Because that we choose l is small, sometimes choosing l = 10, the rank of lattice $ℒ$ is l–1, one can recover $S_i,2\le i\le l$ very quickly.

Lemma 1. Let $ℒ$ be the lattice generated by the basis matrix H. The target vector $𝐒=(S_2,\dots ,S_l)$ defined above is the shortest vector in the lattice $ℒ$ , where $S_i=a_i{k}_1-k_i{a}_1$,provided l > 3.

Proof: The target vector $𝐒=(S_2,\dots ,S_l)$ is defined as $S_i=a_i{k}_1-k_i{a}_1$ for $2\le i\le l$, where $|S_i|\le 2^{n+l}$ by Eq. (2). Its Euclidean norm satisfies:

$$\Vert 𝐒\Vert \le \sqrt{l-1}·2^{n+l}=O(2^{n+l})$$

According to the lattice basis H, the determinant of lattice $ℒ$ is calculated as:

$$det(ℒ)=a_1^{l-2}\approx {\left(2^{2n}\right)}^{l-2}=2^{2n(l-2)}$$

By the Gaussian heuristic, the expected shortest vector length in lattice $ℒ$ is:

$${\lambda }_1(ℒ)\approx \sqrt{\frac{l-1}{2\pi e}}·det(ℒ{)}^{1/(l-1)}=O\left(2^{\frac{2n(l-2)}{l-1}}\right)$$

Obviously, when l>3, $2^{n+l}<2^{\frac{2n(l-2)}{l-1}}$, and the ratio of the Gaussian heuristic-predicted shortest vector length to the target vector length exhibits a monotonic increase with growing parameter l, demonstrating asymptotic divergence behavior.

Therefore, the target vector is the shortest vector in the lattice $ℒ$ provided l > 3. $◻$

Remark 1. Note that the LLL algorithm guarantees that the first reduced basis vector ${𝐛}_1$ satisfies:$\Vert {𝐛}_1\Vert \le 2^{(l-2)/4}$ $·$ $det{(ℒ)}^{1/(l-1)}=O\left(2^{2n}\right)$. It is well-known that the LLL algorithm performs well when the dimension of the lattice is smaller than 50. From Lemma 1, one can recover the target vector S by utilizing LLL algorithm when l is not big. The gap between the length of the target vector and the expected length of Gaussian heuristic becomes larger, then LLL algorithm will recover the target vector much more easily. It is validated by the experimental data.

Our approach shares similarities with the one presented in [21], yet it differs in two aspects. Firstly, our lattice has a lower dimension. Secondly, we offer a more rigorous theoretical analysis ensuring the lattice’s ability to find the target vector.

3.2 Recover the equivalent key

We all know that one can solve the super-increasing knapsack problem in n times arithmetic operations. Shamir’s method aims to recover the whole group of the equivalent keys, and then recover the plaintext based on the equivalent keys. In this paper, we propose a method to recover the whole group of equivalent keys except the first small part of the equivalent keys, and then, we can recover most of the plaintext from the tail. After that, one can easily search for the remaining part of the plaintext, because the size of the knapsack problem is quite small.

From the last subsection, one can obtain $S_2,...,S_l$ and $k_1^{\prime },k_2^{\prime },...,k_l^{\prime }$ by using the LLL lattice reduction algorithm. Notice that $k_i^{\prime }$ may be equal to the original k_i or not, but as long as it satisfies the relationship $S_i=a_i{k}_1^{\prime }-k_i^{\prime }{a}_1$, it will not affect our successful cracking of the cryptosystem. For convenience, we will not distinguish k_i and $k_i^{\prime }$ in the following, and they will all be recorded as k_i.

Interestingly, we observe that there exists a fixed integer i₀, the sequence $S_{i_0},S_{i_0+1},...,S_n$ forms a super-increasing sequence, which is an important property of the equivalent key we are looking for. Therefore, we regard S_i as the private key b_i. The relationship between b_i and a_i is Eq 1. For S_i and a_i, we can find an equation (5) with the same structure . Therefore, we obtain the equivalent key:

$${\mathbf{\text{b}}}^{\prime }=(S_1,S_2,\cdots ,S_{i_0},\cdots ,S_n)$$

$$U^{\prime }=k_1$$

$$M^{\prime }=a_1$$

Lemma 2. In the parameters defined above, there exists an integer i₀ to be determined, such that $S_{i_0},S_{i_0+1},...,S_n$ forms a super-increasing sequence.

Proof: It can be derived from Eq 1 (5) that

$$M{S}_i=b_i{a}_1-b_1{a}_i$$

As long as it is proved that MS_i is a super-increasing sequence, we can get that S_i is also a super-increasing sequence. Let’s calculate that

$$\begin{gathered} M{S}_{i+1}-{\displaystyle \sum _{k=1}^i}M{S}_k=b_{i+1}{a}_1-b_1{a}_{i+1}-{\displaystyle \sum _{k=1}^i}(b_k{a}_1-b_1{a}_k) \\ =a_1(b_{i+1}-{\displaystyle \sum _{k=1}^i}{b}_k)+b_1({\displaystyle \sum _{k=1}^i}{a}_k-a_{i+1}) \end{gathered}$$ (6)

Note that b_i forms a super-increasing sequence, so $a_1(b_{i+1}-{\displaystyle \sum _{k=1}^i}{b}_k)>0$. For the second term, there exists an integer i₀, such that for any i>i₀,

$${\displaystyle \sum _{k=1}^i}{a}_k>a_{i+1}.$$ (7)

In the following we will prove that when $i\ge 10$, Eq 7 is true with a probability close to 1.

Consider a sequence of i independent random variables $a_1,a_2,\dots ,a_i$, where each a_k ($k=1,2,\dots ,i$) represents a random integer uniformly chosen from the discrete interval $[0,M-1]$. Let $R_i=a_1+a_2+\cdots +a_i$ denote the sum of these i random integers. Each a_k is a discrete random variable, and its expectation and variance are derived from the properties of a uniform distribution. Specifically, the expectation of a_k is given by:

$$E(a_k)=\frac{M-1}{2},$$

which is the mean of the uniform distribution over $[0,M-1]$. The variance of a_k is:

$$\text{Var}(a_k)=\frac{(M-1)M}{12}.$$

Since R_i is the sum of i independent and identically distributed random variables, the expectation and variance of R_i are:

$$E(R_i)=i·E(a_k)=i·\frac{M-1}{2},$$

and

$$\text{Var}(R_i)=i·\text{Var}(a_k)=i·\frac{(M-1)M}{12}.$$

To compute P(R_i>M), we use the Central Limit Theorem (CLT), which states that the sum of a sufficiently large number of independent and identically distributed random variables converges to a normal distribution. Consequently, R_i can be approximated as:

$$R_i~𝒩(E(R_i),\text{Var}(R_i)).$$

By standardizing R_i into the standard normal variable Z, we write:

$$Z=\frac{R_i-E(R_i)}{\sqrt{\text{Var}(R_i)}}.$$

The probability P(R_i>M) is then expressed as:

$$P(R_i>M)=P(Z>\frac{M-E(R_i)}{\sqrt{\text{Var}(R_i)}}).$$

Substituting $E(R_i)=i·\frac{M-1}{2}$ and $\text{Var}(R_i)=i·\frac{(M-1)M}{12}$, the argument of the standard normal cumulative distribution function (CDF) becomes:

$$\frac{M-i·\frac{M-1}{2}}{\sqrt{i·\frac{(M-1)M}{12}}}.$$

Finally, the probability P(R_i>M) is expressed as:

$$P(R_i>M)=1-\Phi \left(\frac{M-i·\frac{M-1}{2}}{\sqrt{i·\frac{(M-1)M}{12}}}\right),$$

where $\Phi (x)$ denotes the CDF of the standard normal distribution. This formulation provides the exact probability of the sum of the i random integers exceeding M, based on their uniform distribution over $[0,M-1]$.

For the specific case where i = 10 and M is a 200-bit integer, substituting these values into the formula gives the standardized value:

$$Z=\frac{M-10·\frac{M-1}{2}}{\sqrt{10·\frac{(M-1)M}{12}}}.$$

Numerically approximating this for M = 2²⁰⁰, we find:

$$P({\displaystyle \sum _{k=1}^i}{a}_k>a_{i+1})\ge P(R_{10}>M)\approx 0.999994.$$

It should be noted that the Central Limit Theorem is most accurate when the number of summands i is sufficiently large. For i = 10, the approximation is reasonable but not exact. Nonetheless, for practical purposes, the CLT-based approximation remains highly effective, particularly for large M, where the relative error becomes negligible.

In summary, the above analysis shows that when $i\ge 10$, ${\sum }_{k=1}^i{a}_k-a_{i+1}>0$ holds with a probability close to 1. $◻$

Remark 2. Here we use another method to give a lower bound on the probability that Eq 7 holds.If we can prove that ${\sum }_{k=1}^i{a}_k>M$, then ${\sum }_{k=1}^i{a}_k>a_{i+1}$ must be true. The necessary condition for ${\sum }_{k=1}^i{a}_k>M$ is that at least two of $a_1,a_2,...,a_i$ are greater than M/2. Since $a_i\equiv b_{i}W(modM)$ , M is very large, a can be approximately regarded as uniformly randomly selected from [0,M–1]. Then it is easy to calculate

$$P({\displaystyle \sum _{k=1}^i}{a}_k>a_{i+1})\ge 1-\frac{i+1}{2^i}.$$

According to the above analysis, this probability rises as i increases and when i = 10, the probability that Eq 7 being true is not less than 98.9%.

Based on this parameters setting, one can recover the plaintext $(m_{i_0},m_{i_0+1},\cdots ,m_n)$. For the remaining unknown part $m_1,m_2,\cdots ,m_{i_0-1}$, we can solve a knapsack problem with size i₀−1, i.e.

$${\displaystyle \sum _{i=1}^{i_0-1}}{a}_i{m}_i=c-{\displaystyle \sum _{i=i_0}^n}{a}_i{m}_i$$

This size-reduced problem can be solved easily. Because i₀ is usually not larger than 5 in the practical cryptanalysis, whose probability exceeds 96%. See the experimental section later for details.

It can be seen from Remark 2 that the probability lower bound corresponding to the constant value of i₀ is independent of n and its size is O(1), so the complexity of exhaustively enumerating $m_1,m_2,\cdots ,m_{i_0-1}$ is also O(1). According to Lemma 2 and Remark 2, the theoretical probability of $i_0\le 10$ is 99.9994%, and the probability lower bound of $i_0\le 10$ and $i_0\le 20$ is 98.9258% and 99.9938% respectively. In the experiment, the appropriate parameter setting can ensure that i₀ is all within 10, so 10 can be regarded as the "actual effective upper bound" of i₀. In Remark 2, the lower bound of the probability corresponding to i₀ decreases exponentially with its increase. Therefore, the theoretical upper bound of i₀ will be a small integer, and an exhaustive search of this scale can be easily performed.

Finally, we recover the whole plaintext of the basic Merkle-Hellman cryptosystem. The whole description of our attack is given in Algorithm 1 below.

Algorithm 1. Our algorithm for breaking basic Merkle-Hellman cryptosystem.

Require: Public key $\mathbf{\text{a}}$ and Ciphertext c.

Ensure: Message $\mathbf{\text{m}}$.

1: Construct the lattice basis matrix H mentioned in Sect.3.1.

2: Invoke the LLL algorithm to obtain a set of reduced basis.

3: Select the last coefficient corresponding to the shortest

  non-zero vector as k₁.

4: Let n be the length of public key.

5: $U^{\prime }\leftarrow k_1,M^{\prime }\leftarrow a_1$.

9: Determine i₀, such that the sequence $b_{i_0},b_{i_0+1},...,b_n$ form a

  super-increasing sequence.

10: $c^{\prime }=c·U^{\prime }mod{M}^{\prime }$.

11: Obtain $m_{i_0},m_{i_0+1},\cdots ,m_n$ by solving the super-increasing

  knapsack problem.

12: Solve the size-reduced knapsack problem

  ${\sum }_{i=1}^{i_0-1}{a}_i{m}_i=c-{\sum }_{i=i_0}^n{a}_i{m}_i$ by enumeration the

  $m_i,1\le i\le i_0-1$.

The most time-consuming part of our method is invoking the LLL algorithm to recover k₁. The lattice basis matrix H is $l\times (l-1)$, and the complexity of invoking classical LLL algorithm on lattice H is $\mathit{\text{O}}({\mathit{\text{l}}}^6{\mathit{\text{L}}}^3)$. Note that the value of l is a small integer and $L=O(n)$, so the time complexity of this attack is $\mathit{\text{O}}({\mathit{\text{n}}}^3)$.

BKZ algorithm [22] has stronger reduction capabilities than the LLL algorithm in practice. However, the dimension of our lattice is a small constant. The LLL algorithm can easily find the target vector from the lattice. The BKZ algorithm is a waste of talent here and can not bring any improvement. Therefore, we use the LLL algorithm instead of the BKZ algorithm in our method.

4 Experiments

According to Lemma 2, there exists an integer i₀, such that the sequence $S_{i_0},S_{i_0+1}\mathrm{\backslash allowbreak}...,S_n$ forms a super-increasing sequence. Experiment data validates Lemma 2. We find that the first few elements of $S_i,i<i_0$ are not always super-increasing. This will lead to incorrect decryption of the first few bits when solving this partially super-increasing knapsack problem directly. Fortunately, there is an upper limit for the number of error bits in decryption. When the size of plaintext is 100 bits, errors are usually concentrated in the first 5 bits in most cases, and rarely up to around 10 bits, which can be obtained by exhaustive methods by solving the size-reduced knapsack problem. Note that the S₁ given by our algorithm is always 0, and the ciphertext obtained when the coefficient x₁ is 0 and 1 in the subset sum problem is the same, so the first bit of plaintext can only be obtained by exhaustion.

In the experiment, we choose n = 100, $l=10,20$ and the size of the message is 100 bits. We define T as the number of message bits the algorithm successfully recovered. To check the effect of our method, we generate 1000 sets of public keys and ciphertext of Merkle-Hellman knapsack cryptosystem for each group of parameters. $prop(T\ge c)$ denotes the proportion of instances that successfully recover c bits.

Case I, we do not consider the final step of Algorithm.1, i.e. solving the size-reduced knapsack problem. The specific experiment data are shown in Table 1.When n = 100, experimental results show that the success rate of restoring 99 bits is stable at 84%, and the success rate of restoring 90 bits is up to 98.9% when l = 10. When l = 20, experimental data show that the success rate of restoring 99 bits is stable at over 85%, and the success rate of restoring 90 bits is up to 99.5%. It should be noted that when T = 99, we consider that all the plaintexts have been recovered, because the first plaintext can only be recovered by enumeration.

Table 1. Success rate of case I.

n	100		200		300
l	10	20	10	20	10	20
$prop(T\ge 90)$	98.9%	99.5%	99.4%	100%	99.7%	99.8%
$prop(T\ge 99)$	84.0%	85.0%	82.4%	86.8%	83.7%	81.3%

Moreover, we examine the performance of the algorithm when n = 200 and n = 300 in Table 1. We find that when the scale of the system becomes larger, our method can still achieve excellent results. The probability of correctly recovering the plaintext is over 99%. As we have theoretically analyzed,the dimension of lattice H will not change as n increases, so the probability of successfully cracking the private key will not change significantly.

The conclusion we can draw is that the more public key used, the more plaintext bits T can be correctly recovered. However, l = 20 is enough. At this time, the failure probability of recovering 90% of the plaintext bits is negligible. The remaining plaintext of less than 10 bits can be obtained through exhaustive search.

Case II, we run the whole Algorithm 1. For the parameters n = 100, $l=10,20$, the size of the message is 100 bits, and the success rate is $100\%$. We can recover the plaintext for each set of parameters. Experimental data show that i₀ is mostly concentrated in $1~5$ when $l=10,20$. The value of i₀ is shown in Table 2.

Table 2. Distribution of i₀.

${\mathit{i}}_{\mathbf{0}}$	1	2	3	4	5	6	7	8	9	10	$\mathbf{11}\mathit{~}\mathbf{20}$	20+
l = 10	720	0	155	51	36	11	6	7	6	0	0	8
l = 20	741	0	153	49	30	16	6	5	0	0	0	0

We can see that in 1000 sets of data, more than $96\%$ of S can form a super-increasing sequence after removing the first five digits at most no matter l is 10 or 20. The case of 20 +  indicates that the decryption failed. When l = 10, there is a probability of 8 out of 1000, and there is no failure when l = 20. Since the first element of S is 0, there is no case of i₀ = 2. The experimental data also validates Lemma 2.

We used the same computing power to run Shamir’s algorithm and our algorithm. The running time of the two algorithms is shown in Table 3. As we can see, the running time of our algorithm is very short, which is much more efficient than Shamir’s. Moreover, as the size of n increases, the running efficiency of our algorithm is very little affected. This is because the lattice dimension used to solve the intermediate variables in our algorithm does not change with the increase of n. Accordingly, the increase of n has a very small impact on the complexity of lattice basis reduction, and the running time will not change significantly. Therefore, our algorithm can still perform well when n is large.

Table 3. Comparison of running time.

n	Running time of shamir’s algorithm(h)	Running time of our algorithm(s)
100	$5.84\times {10}^6$	0.13
200	$1.01\times {10}^9$	0.16
300	$1.72\times {10}^{10}$	0.21

In summary, the more information of the public key we use, the higher the success rate should be. From Table 2, one can choose l = 20 conservatively for the typical parameters of the Merkle-Hellman cryptosystem. In this case, i₀ will be smaller than 10 for the overwhelming probability, that one can recover the whole plaintext by solving a reduced knapsack problem with size smaller than 10.

5 Conclusion

Our paper presents a novel approach to cryptanalyzing the Merkle-Hellman Knapsack Cryptosystem, one of the earliest public-key cryptosystems. Our improvement lies in an enhanced algorithm that significantly reduces the time complexity for key recovery compared to Shamir’s method. By leveraging the LLL lattice reduction algorithm on a specially constructed lattice, we efficiently identify a partial super-increasing sequence, which serves as the equivalent private key. This approach allows for the rapid decryption of the plaintext message, with experimental data indicating a recovery time of less than 1 second on a standard laptop for typical parameters of the Merkle-Hellman cryptosystem.

The significance of this work mainly lies in two aspects: it not only provides a more efficient method for analyzing the security of Merkle-Hellman cryptosystem but also contributes to the broader field of cryptanalysis by offering insights into the potential vulnerabilities of knapsack-based cryptographic schemes. This could have implications for the ongoing development of post-quantum cryptographic algorithms, as the knapsack problem’s resistance to quantum attacks makes it a promising candidate for future secure communication protocols.

For future research, we propose several directions. First, it would be beneficial to explore the application of our method to other knapsack-based schemes and assess its generalizability. Besides, further optimization of the LLL algorithm for our specific use case could lead to even more significant performance gains. Lastly, the development of new cryptographic schemes that build upon the lessons learned from attacks like ours is essential to staying ahead in the ever-evolving field of cryptography.

Supporting information

S1 File. Main code.

The experimental code of the algorithm in this paper and the environment configuration required to run the code.

(zip)

Data Availability

All relevant data are within the manuscript and its Supporting Information files.

Funding Statement

This work was supported by the National Key Research and Development Program of China (No. 2024YFB4504700, 2022YFB2902202), the National Key Laboratory of Security Communication Foundation (No. 2024,6142103042408), the Youth Science and Technology Innovation Talent Support Program Project of Beijing University of Posts and Telecommunications (No. 2023ZCJH10).