By Topic

A critical analysis of the security of knapsack public-key algorithms

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

Formats Non-Member Member
$31 $13
Learn how you can qualify for the best price for this item!
Become an IEEE Member or Subscribe to
IEEE Xplore for exclusive pricing!
close button

puzzle piece

IEEE membership options for an individual and IEEE Xplore subscriptions for an organization offer the most affordable access to essential journal articles, conference papers, standards, eBooks, and eLearning courses.

Learn more about:

IEEE membership

IEEE Xplore subscriptions

3 Author(s)

The authors claim that the security of the Merkle-Hellman algorithm is greatly exaggerated. First, any enciphering key that is obtained from a superincreasing sequence has infinitely many superincreasing deciphering keys that can decipher all messages. This follows from the fact that the conditions on the transformation ^{\ast } w \bmod m require w/m to lie in a restricted set of intervals. Second, it is claimed that iterative transformations ^{\ast } w \bmod m may not increase the security. In the example that Merkle and Hellman used for "proving" the benefits of the iterative transformation, the security is completely ruined. Third, techniques are presented to crack one bit of the plaintext. These techniques apply to sets of enciphering keys introduced in this text, which contain all the Merkle-Hellman enciphering keys. Such bit-by-bit techniques also allow the construction of new enciphering keys. Fourth, some knapsacks that allow a one-to-one deciphering cannot be obtained from easy deciphering keys, e.g., superincreasing keys, even with infinitely many transformations ^{\ast } w \bmod m! If the worst cases of nondeterministic polynomial complete knapsack problems are always of this kind, the foundation of the security of the Merkle-Hellman algorithm is nonexistent. The cryptanalysis can be reduced to a problem of simultaneous diophantine approximations. A link is made with other recent results.

Published in:

Information Theory, IEEE Transactions on  (Volume:30 ,  Issue: 4 )