DocumentCode
939100
Title
A critical analysis of the security of knapsack public-key algorithms
Author
Desmedt, Yvo G. ; Vandewalle, Joos P. ; Govaerts, Rene J M
Volume
30
Issue
4
fYear
1984
fDate
7/1/1984 12:00:00 AM
Firstpage
601
Lastpage
611
Abstract
The authors claim that the security of the Merkle-Hellman algorithm is greatly exaggerated. First, any enciphering key that is obtained from a superincreasing sequence has infinitely many superincreasing deciphering keys that can decipher all messages. This follows from the fact that the conditions on the transformation
require
to lie in a restricted set of intervals. Second, it is claimed that iterative transformations
may not increase the security. In the example that Merkle and Hellman used for "proving" the benefits of the iterative transformation, the security is completely ruined. Third, techniques are presented to crack one bit of the plaintext. These techniques apply to sets of enciphering keys introduced in this text, which contain all the Merkle-Hellman enciphering keys. Such bit-by-bit techniques also allow the construction of new enciphering keys. Fourth, some knapsacks that allow a one-to-one deciphering cannot be obtained from easy deciphering keys, e.g., superincreasing keys, even with infinitely many transformations
If the worst cases of nondeterministic polynomial complete knapsack problems are always of this kind, the foundation of the security of the Merkle-Hellman algorithm is nonexistent. The cryptanalysis can be reduced to a problem of simultaneous diophantine approximations. A link is made with other recent results.
Keywords
Cryptography; Algebra; Algorithm design and analysis; Computational complexity; Computer science; Digital signatures; Lattices; Mathematical programming; Public key; Public key cryptography; Security;
fLanguage
English
Journal_Title
Information Theory, IEEE Transactions on
Publisher
ieee
ISSN
0018-9448
Type
jour
DOI
10.1109/TIT.1984.1056932
Filename
1056932