Merkle-Hellman revisited: A cryptanalysis of the Qu-Vanstone cryptosystem based on group factorizations

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1294)


Cryptosystems based on the knapsack problem were among the first public key systems to be invented and for a while were considered quite promising. Basically all knapsack cryptosystems that have been proposed so far have been broken, mainly by means of lattice reduction techniques. However, a few knapsack-like cryptosystems have withstood cryptanalysis, among which are the Chor-Rivest scheme [2], even if this is debatable (see [16]), and the Qu-Vanstone scheme proposed at the Dagstuhl'93 workshop [13] and published in [14]. The Qu-Vanstone scheme is a public key scheme based on group factorizations in the additive group of integers modulo n that generalizes Merkle-Hellman cryptosystems. In this paper, we present a novel use of lattice reduction, which is of independent interest, exploiting in a systematic manner the notion of an orthogonal lattice. Using the new technique, we successfully attack the Qu-Vanstone cryptosystem. Namely, we show how to recover the private key from the public key. The attack is based on a careful study of the so-called Merkle-Hellman transformation.
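The abstract refers to the Merkle-Hellman transformation and to the view of a knapsack instance as a lattice question. The following Python toy, added here as an illustration and not taken from the paper or its authors, implements the basic Merkle-Hellman scheme of [10]: a superincreasing private sequence is disguised by modular multiplication, encryption is a subset sum over the disguised sequence, and decryption undoes the multiplication and solves the easy knapsack greedily. It also shows the simplest form of the lattice viewpoint: the plaintext vector extended by 1 is orthogonal to the public vector extended by minus the ciphertext. The key values are a small constructed textbook instance, not parameters from the paper; the function names are the example's own.

```python
"""Merkle-Hellman knapsack toy: the transformation the paper studies.

Added example, not code from the paper. The key material is a small
constructed instance chosen so that every step can be checked by hand.
"""
from math import gcd


def is_superincreasing(seq):
    """True if every element strictly exceeds the sum of all earlier elements."""
    total = 0
    for b in seq:
        if b <= total:
            return False
        total += b
    return True


def merkle_hellman_transform(private_seq, r, q):
    """Merkle-Hellman transformation: b_i = r * w_i mod q.

    Needs q > sum(private_seq) (so decryption never wraps) and gcd(r, q) == 1
    (so r is invertible modulo q).
    """
    if not is_superincreasing(private_seq):
        raise ValueError("private sequence must be superincreasing")
    if q <= sum(private_seq):
        raise ValueError("modulus must exceed the sum of the private sequence")
    if gcd(r, q) != 1:
        raise ValueError("multiplier must be invertible modulo q")
    return [(r * w) % q for w in private_seq]


def encrypt(public_seq, bits):
    """Subset sum of the public sequence selected by the message bits (0/1 list)."""
    if len(bits) != len(public_seq):
        raise ValueError("message length must match key length")
    return sum(b for b, x in zip(public_seq, bits) if x)


def solve_superincreasing(private_seq, target):
    """Greedy decomposition of target over a superincreasing sequence, largest first."""
    bits = [0] * len(private_seq)
    for i in range(len(private_seq) - 1, -1, -1):
        if private_seq[i] <= target:
            bits[i] = 1
            target -= private_seq[i]
    if target != 0:
        raise ValueError("target is not a subset sum of the private sequence")
    return bits


def decrypt(private_seq, r, q, ciphertext):
    """Undo the transformation with r^-1 mod q, then solve the easy knapsack."""
    r_inv = pow(r, -1, q)
    easy_target = (ciphertext * r_inv) % q
    return solve_superincreasing(private_seq, easy_target)


def is_orthogonal_witness(public_seq, ciphertext, bits):
    """(x, 1) . (b, -c) == 0: the plaintext vector lies in the lattice orthogonal
    to the extended public vector. This is the elementary form of the lattice
    view that the paper's orthogonal-lattice technique builds on."""
    return sum(b * x for b, x in zip(public_seq, bits)) - ciphertext == 0


# Constructed textbook instance (assumed values, not from the paper).
PRIVATE_SEQ = [2, 7, 11, 21, 42, 89, 180, 354]
MODULUS_Q = 881
MULTIPLIER_R = 588
PUBLIC_SEQ = merkle_hellman_transform(PRIVATE_SEQ, MULTIPLIER_R, MODULUS_Q)


def roundtrip(bits):
    """Encrypt then decrypt; returns (ciphertext, recovered bits)."""
    c = encrypt(PUBLIC_SEQ, bits)
    return c, decrypt(PRIVATE_SEQ, MULTIPLIER_R, MODULUS_Q, c)


if __name__ == "__main__":
    msg = [0, 1, 1, 0, 0, 0, 0, 1]  # the byte 0x61, most significant bit first
    c, recovered = roundtrip(msg)
    print("public key:", PUBLIC_SEQ)
    print("ciphertext:", c, "recovered bits:", recovered)
```

The public sequence looks like a random knapsack, but it is the image of a highly structured one under a single modular multiplication; the paper's point is that Qu-Vanstone replaces the two-element factors {0, w_i} of this construction by a more general group factorization of the integers modulo n, and that the orthogonal lattice of the public vector still exposes enough of that structure to recover the private key.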




[1] E. Brickell. Are most low density polynomial knapsacks solvable in polynomial time? In Proc. 14th Southeastern Conference on Combinatorics, Graph Theory, and Computing, 1983.
[2] B. Chor and R.L. Rivest. A knapsack-type public key cryptosystem based on arithmetic in finite fields. IEEE Trans. Inform. Theory, 34, 1988.
[3] H. Cohen. A course in computational algebraic number theory. Springer-Verlag, Berlin, 1993.
[4] M.J. Coster, A. Joux, B.A. LaMacchia, A.M. Odlyzko, C.-P. Schnorr, and J. Stern. Improved low-density subset sum algorithms. Comput. Complexity, 2:111–128, 1992.
[5] P. M. Gruber and C. G. Lekkerkerker. Geometry of numbers. North-Holland, Amsterdam, 1969.
[6] A. Joux. La réduction des réseaux en cryptographie. PhD thesis, École Polytechnique, 1993.
[7] A. Joux and J. Stern. Lattice reduction: a toolbox for the cryptanalyst. To appear in J. of Cryptology.
[8] A. K. Lenstra, H. W. Lenstra, and L. Lovász. Factoring polynomials with rational coefficients. Math. Ann., 261:515–534, 1982.
[9] J. Martinet. Les réseaux parfaits des espaces euclidiens (Perfect lattices in Euclidean spaces). Editions Masson, 1996.
[10] R. Merkle and M. Hellman. Hiding information and signatures in trapdoor knapsacks. IEEE Trans. Inform. Theory, IT-24:525–530, September 1978.
[11] P. L. Montgomery. Square roots of products of algebraic numbers. Draft of June 1995.
[12] A. M. Odlyzko. The rise and fall of knapsack cryptosystems. In Cryptology and Computational Number Theory, volume 42 of Proceedings of Symposia in Applied Mathematics, pages 75–88. A.M.S., 1990.
[13] M. Qu and S. A. Vanstone. New public-key cryptosystem based on the subset factorizations in Z_n. To appear.
[14] M. Qu and S. A. Vanstone. The knapsack problem in cryptography. In Finite Fields: Theory, Applications, and Algorithms, volume 168 of Contemporary Mathematics, pages 291–308. A.M.S., 1994.
[15] C.-P. Schnorr. A hierarchy of polynomial lattice basis reduction algorithms. Theoretical Computer Science, 53:201–224, 1987.
[16] C.-P. Schnorr and H.H. Hörner. Attacking the Chor-Rivest cryptosystem by improved lattice reduction. In Advances in Cryptology: Proceedings of Eurocrypt '95, volume 921 of LNCS, pages 1–12. Springer-Verlag, 1995.
[17] A. Shamir. A polynomial time algorithm for breaking the basic Merkle-Hellman cryptosystem. In Proceedings of the 23rd Annual Symposium on the Foundations of Computer Science (IEEE), pages 145–152, 1982.

Copyright information

© Springer-Verlag 1997

Authors and Affiliations

École Normale Supérieure, Laboratoire d'Informatique, Paris Cedex 05
