Merkle–Hellman knapsack cryptosystem

The concept of public key cryptography was introduced by Whitfield Diffie and Martin Hellman in 1976.^[3] At that time they proposed the general concept of a "trap-door one-way function", a function whose inverse is computationally infeasible to calculate without some secret "trap-door information"; but they had not yet found a practical example of such a function. Several specific public-key cryptosystems were then proposed by other researchers over the next few years, such as RSA in 1977 and Merkle-Hellman in 1978.^[4]

Merkle–Hellman is a public key cryptosystem, meaning that two keys are used, a public key for encryption and a private key for decryption. It is based on the subset sum problem (a special case of the knapsack problem).^[5] The problem is as follows: given a set of integers ${\displaystyle A}$  and an integer ${\displaystyle c}$ , find a subset of ${\displaystyle A}$  which sums to ${\displaystyle c}$ . In general, this problem is known to be NP-complete. However, if ${\displaystyle A}$  is superincreasing, meaning that each element of the set is greater than the sum of all the numbers in the set lesser than it, the problem is "easy" and solvable in polynomial time with a simple greedy algorithm.

In Merkle–Hellman, decrypting a message requires solving an apparently "hard" knapsack problem. The private key contains a superincreasing list of numbers ${\displaystyle W}$ , and the public key contains a non-superincreasing list of numbers ${\displaystyle B}$ , which is actually a "disguised" version of ${\displaystyle W}$ . The private key also contains some "trapdoor" information that can be used to transform a hard knapsack problem using ${\displaystyle B}$  into an easy knapsack problem using ${\displaystyle W}$ .

Unlike some other public key cryptosystems such as RSA, the two keys in Merkle-Hellman are not interchangeable; the private key cannot be used for encryption. Thus Merkle-Hellman is not directly usable for authentication by cryptographic signing, although Shamir published a variant that can be used for signing.^[6]

1. Choose a block size ${\displaystyle n}$ . Integers up to ${\displaystyle n}$  bits in length can be encrypted with this key.
2. Choose a random superincreasing sequence of ${\displaystyle n}$  positive integers Template:Bi The superincreasing requirement means that ${\displaystyle w_{k}>\sum _{i=1}^{k-1}w_{i}}$ , for ${\displaystyle 1<k\leq n}$ .
3. Choose a random integer ${\displaystyle q}$  such that Template:Bi
4. Choose a random integer ${\displaystyle r}$  such that ${\displaystyle \gcd(r,q)=1}$  (that is, ${\displaystyle r}$  and ${\displaystyle q}$  are coprime).
5. Calculate the sequence Template:Bi where ${\displaystyle b_{i}=rw_{i}{\bmod {q}}}$ .

The public key is ${\displaystyle B}$  and the private key is ${\displaystyle (W,q,r)}$ .

Let ${\displaystyle m}$  be an ${\displaystyle n}$ -bit message consisting of bits ${\displaystyle m_{1}m_{2}\dots m_{n}}$ , with ${\displaystyle m_{1}}$  the highest order bit. Select each ${\displaystyle b_{i}}$  for which ${\displaystyle m_{i}}$  is nonzero, and add them together. Equivalently, calculate Template:Bi The ciphertext is ${\displaystyle c}$ .

To decrypt a ciphertext ${\displaystyle c}$ , we must find the subset of ${\displaystyle B}$  which sums to ${\displaystyle c}$ . We do this by transforming the problem into one of finding a subset of ${\displaystyle W}$ . That problem can be solved in polynomial time since ${\displaystyle W}$  is superincreasing.

1. Calculate the modular inverse of ${\displaystyle r}$  modulo ${\displaystyle q}$  using the Extended Euclidean algorithm. The inverse will exist since ${\displaystyle r}$  is coprime to ${\displaystyle q}$ . Template:Bi The computation of ${\displaystyle r'}$  is independent of the message, and can be done just once when the private key is generated.
2. Calculate Template:Bi
3. Solve the subset sum problem for ${\displaystyle c'}$  using the superincreasing sequence ${\displaystyle W}$ , by the simple greedy algorithm described below. Let Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle X=(x_{1},x_{2},\dots ,x_{k})} be the resulting list of indexes of the elements of Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle W} which sum to Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle c'} . (That is, Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle c'=\sum _{i=1}^{k}w_{x_{i}}} .)
4. Construct the message Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle m} with a 1 in each Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle x_{i}} bit position and a 0 in all other bit positions: Template:Bi

This simple greedy algorithm finds the subset of a superincreasing sequence Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle W} which sums to Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle c'} , in polynomial time:

1. Initialize Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle X} to an empty list.
2. Find the largest element in Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle W} which is less than or equal to Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle c'} , say Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle w_j} .
3. Subtract: Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle c' := c' - w_j} .
4. Append Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle j} to the list Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle X} .
5. Remove Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle w_j} from the superincreasing sequence Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle W}
6. If Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle c'} is greater than zero, return to step 2.

Create a key to encrypt 8-bit numbers by creating a random superincreasing sequence of 8 values: Template:Bi The sum of these is 706, so select a larger value for Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle q} : Template:Bi Choose Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle r} to be coprime to Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle q} : Template:Bi

Construct the public key Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle B} by multiplying each element in Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle W} by Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle r} modulo Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle q} :

Template:Bi

Hence Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle B = ( 295, 592, 301, 14, 28, 353, 120, 236 )} .

Let the 8-bit message be Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle m = 97 = 01100001_2} . We multiply each bit by the corresponding number in Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle B} and add the results:

  0 * 295
+ 1 * 592
+ 1 * 301
+ 0 * 14
+ 0 * 28
+ 0 * 353
+ 0 * 120
+ 1 * 236
    = 1129

The ciphertext Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle c} is 1129.

To decrypt 1129, first use the Extended Euclidean Algorithm to find the modular inverse of Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle r} mod Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle q} : Template:Bi

Compute Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle c' = c r' \bmod q = 1129*442 \bmod 881 = 372} .

Use the greedy algorithm to decompose 372 into a sum of Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle w_i} values: Template:Bi Thus Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle 372 = 354 + 11 + 7 = w_8 + w_3 + w_2} , and the list of indexes is Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle X = (8,3,2)} . The message can now be computed as Template:Bi

TemplateStyles' src attribute must not be empty.

In 1984 Adi Shamir published an attack on the Merkle-Hellman cryptosystem which can decrypt encrypted messages in polynomial time without using the private key.^[7] The attack analyzes the public key Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle B = (b_1, b_2, \dots, b_n)} and searches for a pair of numbers Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle u} and Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle m} such that Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle (u b_i \bmod m)} is a superincreasing sequence. The Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle (u,m)} pair found by the attack may not be equal to Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle (r',q)} in the private key, but like that pair it can be used to transform a hard knapsack problem using Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle B} into an easy problem using a superincreasing sequence. The attack operates solely on the public key; no access to encrypted messages is necessary.

Shamir's attack on the Merkle-Hellman cryptosystem works in polynomial time even if the numbers in the public key are randomly shuffled, a step which is usually not included in the description of the cryptosystem, but can be helpful against some more primitive attacks.

In 2025, Bi presented an improved algorithm that recovers a partial super-increasing sequence as an equivalent private key. By applying the LLL algorithm to a specially constructed small-dimension lattice, they recover the plaintext in under one second on a standard laptop. ^[8]

Template:Cryptography navbox