New Attacks for Knapsack Based Cryptosystems

  • Gottfried Herold
  • Alexander Meurer
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7485)


In this paper, we revisit Shamir’s well-known attack (and a variant due to Lagarias) on the basic Merkle-Hellman Knapsack cryptosystem (MH scheme). The main observation is that the superincreasing property of the secret key sequence \(\boldsymbol{\mathfrak{a}}\) used in the original MH construction is not necessary for the attack. More precisely, the attack is applicable as long as there are sufficiently many secret key elements \(\mathfrak{a}_i\) whose size is much smaller than the size of the secret modulus M.

We then exploit this observation to give practical attacks on two recently introduced MH-like cryptosystems. Both schemes are particularly designed to avoid superincreasing sequences but still provide enough structure to allow for complete recovery of (equivalent) decryption keys. Similarly to Shamir’s attack, our algorithms run in two stages and we need to solve different fixed-dimensional simultaneous Diophantine approximation problems (SDA). We implemented the attacks in Sage and heuristically solved the SDA by lattice reduction. We recovered secret keys for both schemes and various security levels in a matter of seconds.


Knapsack Cryptosystem Merkle-Hellman Shamir’s attack Diophantine approximation 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Transactions on Information Theory 22(6), 644–654 (1976)MathSciNetzbMATHCrossRefGoogle Scholar
  2. 2.
    Merkle, R.C., Hellman, M.E.: Hiding Information and Signatures in Trapdoor Knapsacks. IEEE Transactions on Information Theory IT-24(5) (September 1978)Google Scholar
  3. 3.
    Garey, M.R., Johnson, D.S.: Computers and Intractability: A Guide to the Theory of NP-CompletenessGoogle Scholar
  4. 4.
    Brickell, E.F.: Solving Low Density Knapsacks. In: Chaum, D. (ed.) Advances in Cryptology, Proceedings of CRYPTO 1983, pp. 25–37. Plenum Press, New York (1983)Google Scholar
  5. 5.
    Brickell, E.F., Lagarias, J.C., Odlyzko, A.M.: Evaluation of the Adleman Attack on Multiply Iterated Knapsack Cryptosystems. In: Chaum, D. (ed.) Advances in Cryptology, Proceedings of CRYPTO 1983, pp. 39–42. Plenum Press, New York (1983)Google Scholar
  6. 6.
    Lagarias, J.C.: Knapsack Public Key Cryptosystems and Diophantine Approximation. In: Chaum, D. (ed.) Advances in Cryptology, Proceedings of CRYPTO 1983, pp. 3–23. Plenum Press, New York (1983)Google Scholar
  7. 7.
    Lenstra, H.W.: Integer Programming with a Fixed Number of Variables. Mathematics of Operations Research 8(4) (November 1983)Google Scholar
  8. 8.
    Brickell, E.F.: Breaking Iterated Knapsacks. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 342–358. Springer, Heidelberg (1985)CrossRefGoogle Scholar
  9. 9.
    Lagarias, J.C.: Performance Analysis of Shamir’s Attack on the Basic Merkle-Hellman Knapsack Cryptosystem. In: Paredaens, J. (ed.) ICALP 1984. LNCS, vol. 172, pp. 312–323. Springer, Heidelberg (1984)CrossRefGoogle Scholar
  10. 10.
    Shamir, A.: A Polynomial-Time Algorithm for Breaking the Basic Merkle-Hellman Cryptosystem. IEEE Transactions on Information Theory IT-30(5) (September 1984)Google Scholar
  11. 11.
    Lagarias, J.C., Odlyzko, A.M.: Solving Low-Density Subset Sum Problems. Journal of the ACM 32(1), 229–246 (1985)MathSciNetzbMATHCrossRefGoogle Scholar
  12. 12.
    Brickel, E.F., Odlyzko, M.: Cryptanalysis: A Survey of Recent Results. Proceedings of the IEEE 76(5), 578–593 (1988)CrossRefGoogle Scholar
  13. 13.
    Odlyzko, A.M.: The rise and fall of knapsack cryptosystems. In: Cryptology and Computational Number Theory. Proc. Symp. Appl. Math., vol. 42, pp. 75–88. Am. Math. Soc. (1990)Google Scholar
  14. 14.
    Joux, A., Stern, J.: Improving the Critical Density of the Lagarias-Odlyzko Attack Against Subset Sum Problems. In: Budach, L. (ed.) FCT 1991. LNCS, vol. 529, pp. 258–264. Springer, Heidelberg (1991)CrossRefGoogle Scholar
  15. 15.
    Coster, M.J., Joux, A., LaMacchia, B.A., Odlyzko, A.M., Schnorr, C.-P., Stern, J.: Improved Low-Density Subset Sum Algorithms. In: Computational Complexity, vol. 2, pp. 111–128 (1992)Google Scholar
  16. 16.
    Ajtai, M., Dwork, C.: A Public-Key Cryptosystem with Worst-Case/Average-Case Equivalence. In: Proceedings of the Twenty-Ninth Annual ACM Symposium on the Theory of Computing, STOC, pp. 284–293 (1997)Google Scholar
  17. 17.
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of the 37th Annual ACM Symposium on Theory of Computing, STOC, pp. 84–93 (2005)Google Scholar
  18. 18.
    Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In: Proceedings of the 41st Annual ACM Symposium on Theory of Computing, STOC, pp. 333–342 (2009)Google Scholar
  19. 19.
    Zhang, W., Wang, B., Hu, Y.: A New Knapsack Public-Key Cryptosystem. In: 2009 International Conference on Information Assurance and Security (IAS), vol. 2, pp. 53–56 (2009)Google Scholar
  20. 20.
    Kobayashi, K., Tadaki, K., Kasahara, M., Tsujii, S.: A knapsack cryptosystem based on multiple knapsacks. In: 2010 International Symposium on Information Theory and its Applications (ISITA), pp. 428–432 (October 2010)Google Scholar
  21. 21.
    Lyubashevsky, V., Palacio, A., Segev, G.: Public-Key Cryptographic Primitives Provably as Secure as Subset Sum. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 382–400. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  22. 22.
    Herold, G., Meurer, A.: New Attacks for Knapsack Based Cryptosystems. Full Version,

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Gottfried Herold
    • 1
  • Alexander Meurer
    • 1
  1. 1.Horst Görtz Institut für IT-SicherheitRuhr-Universität BochumGermany

Personalised recommendations