In this paper, we revisit Shamir's well-known attack (and a variant due to Lagarias) on the basic Merkle-Hellman Knapsack cryptosystem (MH scheme). The main observation is that the superincreasing property of the secret key sequence $\boldsymbol{\mathfrak{a}}$ used in the original MH construction is not necessary for the attack. More precisely, the attack is applicable as long as there are sufficiently many secret key elements $\mathfrak{a}_i$ whose size is much smaller than the size of the secret modulus $M$. We then exploit this observation to give practical attacks on two recently introduced MH-like cryptosystems. Both schemes are specifically designed to avoid superincreasing sequences but still provide enough structure to allow for complete recovery of (equivalent) decryption keys. As in Shamir's attack, our algorithms run in two stages, and we need to solve different fixed-dimensional simultaneous Diophantine approximation (SDA) problems. We implemented the attacks in Sage and solved the SDA instances heuristically by lattice reduction. We recovered secret keys for both schemes at various security levels in a matter of seconds.