Merkle–Hellman knapsack cryptosystem explained

The Merkle–Hellman knapsack cryptosystem was one of the earliest public key cryptosystems. It was published by Ralph Merkle and Martin Hellman in 1978. A polynomial time attack was published by Adi Shamir in 1984. As a result, the cryptosystem is now considered insecure.^[1] ^[2]

History

The concept of public key cryptography was introduced by Whitfield Diffie and Martin Hellman in 1976.^[3] At that time they proposed the general concept of a "trap-door one-way function", a function whose inverse is computationally infeasible to calculate without some secret "trap-door information"; but they had not yet found a practical example of such a function. Several specific public-key cryptosystems were then proposed by other researchers over the next few years, such as RSA in 1977 and Merkle-Hellman in 1978.^[4]

Description

Merkle–Hellman is a public key cryptosystem, meaning that two keys are used, a public key for encryption and a private key for decryption. It is based on the subset sum problem (a special case of the knapsack problem).^[5] The problem is as follows: given a set of integers

and an integer

, find a subset of

which sums to

. In general, this problem is known to be NP-complete. However, if

is superincreasing, meaning that each element of the set is greater than the sum of all the numbers in the set lesser than it, the problem is "easy" and solvable in polynomial time with a simple greedy algorithm.

In Merkle–Hellman, decrypting a message requires solving an apparently "hard" knapsack problem. The private key contains a superincreasing list of numbers

, and the public key contains a non-superincreasing list of numbers

, which is actually a "disguised" version of

. The private key also contains some "trapdoor" information that can be used to transform a hard knapsack problem using

into an easy knapsack problem using

Unlike some other public key cryptosystems such as RSA, the two keys in Merkle-Hellman are not interchangeable; the private key cannot be used for encryption. Thus Merkle-Hellman is not directly usable for authentication by cryptographic signing, although Shamir published a variant that can be used for signing.^[6]

Key generation

1. Choose a block size

. Integers up to

bits in length can be encrypted with this key.

2. Choose a random superincreasing sequence of

positive integers

W=(w_1,w_2,...,w_n)

The superincreasing requirement means that

w_k>

	k-1
\sum
	i=1

w_i

, for

1<k\len

3. Choose a random integer

such that

	n
\sum
	i=1

w_i

4. Choose a random integer

such that

\gcd(r,q)=1

(that is,

and

are coprime).

5. Calculate the sequence

B=(b_1,b_2,...,b_n)

where

b_i=rw_i\bmodq

The public key is

and the private key is

(W,q,r)

Encryption

Let

be an

-bit message consisting of bits

m₁m₂...m_n

, with

m₁

the highest order bit. Select each

b_i

for which

m_i

is nonzero, and add them together. Equivalently, calculate

	n
\sum
	i=1

m_ib_i

.The ciphertext is

Decryption

To decrypt a ciphertext

, we must find the subset of

which sums to

. We do this by transforming the problem into one of finding a subset of

. That problem can be solved in polynomial time since

is superincreasing.

1. Calculate the modular inverse of

modulo

using the Extended Euclidean algorithm. The inverse will exist since

is coprime to

r':=r^-1\pmodq

The computation of

is independent of the message, and can be done just once when the private key is generated.

2. Calculate

c':=cr'\bmodq

3. Solve the subset sum problem for

using the superincreasing sequence

, by the simple greedy algorithm described below. Let

X=(x_1,x_2,...,x_k)

be the resulting list of indexes of the elements of

which sum to

. (That is,

c'=

	k
\sum
	i=1

w
	x_i

4. Construct the message

with a 1 in each

x_i

bit position and a 0 in all other bit positions:

	k
\sum
	i=1

	n-x_i
2

Solving the subset sum problem

This simple greedy algorithm finds the subset of a superincreasing sequence

which sums to

, in polynomial time:

1. Initialize

to an empty list.

2. Find the largest element in

which is less than or equal to

, say

w_j

3. Subtract:

c':=c'-w_j

4. Append

to the list

5. Remove

w_j

from the superincreasing sequence

6. If

is greater than zero, return to step 2.

Example

Key generation

Create a key to encrypt 8-bit numbers by creating a random superincreasing sequence of 8 values:

W=(2,7,11,21,42,89,180,354)

The sum of these is 706, so select a larger value for

q=881

.Choose

to be coprime to

r=588

Construct the public key

by multiplying each element in

modulo

\begin{align} &(2*588)\bmod881=295\\ &(7*588)\bmod881=592\\ &(11*588)\bmod881=301\\ &(21*588)\bmod881=14\\ &(42*588)\bmod881=28\\ &(89*588)\bmod881=353\\ &(180*588)\bmod881=120\\ &(354*588)\bmod881=236 \end{align}

Hence

B=(295,592,301,14,28,353,120,236)

Encryption

Let the 8-bit message be

m=97=01100001₂

. We multiply each bit by the corresponding number in

and add the results: 0 * 295 + 1 * 592 + 1 * 301 + 0 * 14 + 0 * 28 + 0 * 353 + 0 * 120 + 1 * 236 = 1129The ciphertext

is 1129.

Decryption

To decrypt 1129, first use the Extended Euclidean Algorithm to find the modular inverse of

mod

r'=r^-1\bmodq=588^-1\bmod881=442

Compute

c'=cr'\bmodq=1129*442\bmod881=372

Use the greedy algorithm to decompose 372 into a sum of

w_i

values:

\begin{align} c'&=372\\ &w₈=354\le372\\ c'&=372-354=18\\ &w₃=11\le18\\ c'&=18-11=7\\ &w₂=7\le7\\ c'&=7-7=0 \end{align}

Thus

372=354+11+7=w₈+w₃+w₂

, and the list of indexes is

X=(8,3,2)

. The message can now be computed as

	3
\sum
	i=1

	n-x_i
2

=2^8-8+2^8-3+2^8-2=1+32+64=97

Cryptanalysis

In 1984 Adi Shamir published an attack on the Merkle-Hellman cryptosystem which can decrypt encrypted messages in polynomial time without using the private key. ^[7] The attack analyzes the public key

B=(b_1,b_2,...,b_n)

and searches for a pair of numbers

and

such that

(ub_i\bmodm)

is a superincreasing sequence. The

(u,m)

pair found by the attack may not be equal to

(r',q)

in the private key, but like that pair it can be used to transform a hard knapsack problem using

into an easy problem using a superincreasing sequence. The attack operates solely on the public key; no access to encrypted messages is necessary.

Shamir's attack on the Merkle-Hellman cryptosystem works in polynomial time even if the numbers in the public key are randomly shuffled, a step which is usually not included in the description of the cryptosystem, but can be helpful against some more primitive attacks.

References

Book: Schneier, Bruce . 1996 . Applied Cryptography . New York . John Wiley & Sons . 0-471-12845-7.
Book: Stinson, Douglas R. . 1995 . Cryptography: Theory and Practice . Boca Raton . CRC Press . 0-8493-8521-0.
New directions in cryptography. IEEE Transactions on Information Theory . 22. 6. 644. 10.1109/TIT.1976.1055638. Whitfield Diffie. Martin Hellman. 1976. 10.1.1.37.9720.
Merkle. Ralph. Hellman. Martin. 1978. Hiding information and signatures in trapdoor knapsacks. IEEE Transactions on Information Theory. 24. 5. 525–530. 10.1109/TIT.1978.1055927.
Web site: Merkle-Hellman Knapsack Cryptosystem . 2002-03-02. William. Cherowitzo. Math 5410 - Modern Cryptology. 2019-08-18.
Adi . Shamir . A Fast Signature Scheme . July 1978 . MIT Laboratory for Computer Science Technical Memorandum . 79 . MIT/LCS/TM–107. 15240 . 1978STIN...7915240S .
Shamir. Adi. 1984. A polynomial-time algorithm for breaking the basic Merkle - Hellman cryptosystem. IEEE Transactions on Information Theory. 30. 5. 699–704. 10.1109/SFCS.1982.5.