Merkle-Hellman

Merkle-Hellman (MH) was one of the earliest public key cryptosystems and was invented by Ralph Merkle and Martin Hellman in 1978. [Ralph Merkle and Martin Hellman, Hiding Information and Signatures in Trapdoor Knapsacks, "IEEE Trans. Information Theory", 24(5), September 1978, pp525–530.] Although its ideas are elegant, and far simpler than RSA, it has been broken. [Adi Shamir, A Polynomial Time Algorithm for Breaking the Basic Merkle-Hellman Cryptosystem. CRYPTO 1982, pp279–288. http://dsns.csie.nctu.edu.tw/research/crypto/HTML/PDF/C82/279.PDF]

Description

Merkle-Hellman is an asymmetric-key cryptosystem, meaning that for communication, two keys are required: a public key and a private key. Furthermore, unlike RSA, it is one-way -- the public key is used only for encryption, and the private key is used only for decryption. Thus it is unusable for authentication by cryptographic signing.

The Merkle-Hellman system is based on the subset sum problem (a special case of the knapsack problem): given a list of numbers and a third number, which is the sum of a subset of these numbers, determine the subset. In general, this problem is known to be NP-complete. However, if the set of numbers (called the knapsack) is superincreasing -- that is, each element of the set is greater than the sum of all the numbers before it -- the problem is 'easy' and solvable in polynomial time with a simple greedy algorithm.

Key generation

In Merkle-Hellman, the keys are comprised of knapsacks. The public key is a 'hard' knapsack, and the private key is an 'easy', or superincreasing, knapsack, combined with two additional numbers, a multiplier and a modulus, which were used to convert the superincreasing knapsack into the hard knapsack. These same numbers are used to transform the sum of the subset of the hard knapsack into the sum of the subset of the easy knapsack, which is solvable in polynomial time.

Encryption

To encrypt a message, a subset of the hard knapsack is chosen by comparing it with a set of bits (the plaintext), equal in length to the key, and making each term in the public key that corresponds to a 1 in the plaintext an element of the subset, while ignoring the terms corresponding to 0 terms in the plaintext. The elements of this subset are added together, and the resulting sum is the ciphertext.

Decryption

Decryption is possible because the multiplier and modulus used to transform the easy, superincreasing knapsack into the public key can also be used to transform the number representing the ciphertext into the sum of the corresponding elements of the superincreasing knapsack. Then, using a simple greedy algorithm, the easy knapsack can be solved using O(n) arithmetic operations, which decrypts the message.

Mathematical Method

Key generation

To encrypt "n"-bit messages, choose a superincreasing sequence

:"w" = ("w"₁, "w"₂, ..., "w"_"n")

of "n" nonzero natural numbers. Pick a random integer "q", such that

"q">$sum\_\{i\; =\; 1\}^n\; w\_i$,

and a random integer, "r", such that gcd("r","q") = 1.

"q" is chosen this way to ensure the uniqueness of the ciphertext. If it is any smaller, more than one plaintext may encrypt to the same ciphertext. "r" must be coprime to "q" or else it will not have an inverse mod "q". The existence of the inverse of "r" is necessary so that decryption is possible.

Now calculate the sequence :β = (β₁, β₂, ..., β_"n")where :β_"i" = "rw"_"i" mod "q". The public key is β, while the private key is ("w", "q", "r").

Encryption

To encrypt an "n"-bit message

:α = (α₁, α₂, ..., α_"n"),

where α_"i" is the "i"-th bit of the message and α_"i" {0, 1}, calculate

:. The cryptogram then is "c".

Decryption

In order to decrypt a ciphertext "c" a receiver has to find the message bits α_"i" such that they satisfy:. This would be a hard problem if the β_"i" were random values because the receiver would have to solve an instance of the subset sum problem, which is known to be NP-hard. However, the values β_"i" were chosen such that decryption is easy if the private key ("w", "q", "r") is known.

The key to decryption is to find an integer "s" that is the modular inverse of "r" modulo "q". That means "s" satisfies the equation "s" "r" mod "q"=1 or equivalently there exist an integer "k" such that "sr" = "kq" + 1. Since "r" was chosen such that gcd("r","q")=1 it is possible to find "s" and "k" by using the Extended Euclidean algorithm. Next the receiver of the ciphertext "c" computes: $c\text{'}equiv\; cs\; pmod\{q\}.$Hence: Because of "rs" mod q = 1 and β_"i" = "rw"_"i" mod "q" follows: Hence : $c\text{'}\; equiv\; sum\_\{i\; =\; 1\}^n\; alpha\_i\; w\_ipmod\{q\}.$The sum of all values "w"_i is smaller than "q" and hence is also in the interval [0,"q"-1] .Thus the receiver has to solve the subset sum problem : $c\text{'}\; =\; sum\_\{i\; =\; 1\}^n\; alpha\_i\; w\_i.$This problem is easy because "w" is a super-increasing sequence. Take the largest element in "w", say "w"_"k". If "w"_"k" > "c' ", then α_"k" = 0, if "w"_"k"≤"c' ", then α_"k" = 1. Then, subtract "w"_"k"×α_"k" from "c' ", and repeat these steps until you have figured out α.

References