Cryptanalysis of the Knapsack Generator

  • Simon Knellwolf
  • Willi Meier
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6733)


The knapsack generator was introduced in 1985 by Rueppel and Massey as a novel LFSR-based stream cipher construction. Its output sequence attains close to maximum linear complexity, and its relation to the knapsack problem suggests strong security. In this paper we analyze the security of practically relevant instances of this generator, such as those recommended for use in RFID systems. We describe a surprisingly effective guess-and-determine strategy, which leads to practical attacks on small instances and shows that the security margin of larger instances is smaller than expected. We also briefly discuss a variant of the knapsack generator recently proposed by von zur Gathen and Shparlinski and show that this variant should not be used for cryptographic applications.


Keywords: knapsack, stream cipher, pseudorandom generator



Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Simon Knellwolf (1)
  • Willi Meier (1)
  1. FHNW, Switzerland
