Merkle-Hellman

Merkle-Hellman (MH) was one ofearliest public key cryptosystems. Although its ideaselegant,far simpler than RSA,has been broken. MHbased onsubset sum problem (a special case ofknapsack problem): givenlistnumbers andthird number, which issum ofsubsetthese numbers, determinesubset. In general, this problemknownbe NP-hard; however, theresome 'easy' instances which can be solved efficiently. The Merkle-Hellmanbased on transforming an easy instance intodifficult instance,back again. It was broken by Shamir, not by attackingknapsack problem, but rather by breakingconversion from an easy knapsack tohard one. The algorithmas follows:

KEY GENERATION - To encrypt n-bit messages, choosesuperincreasing sequence

w = (w₁, w₂, ..., w_n)

of n natural numbers (excluding zero). (A superincreasing sequence issequencewhich every elementgreater thansumall previous elements.) Pickrandom integer q, such that q > w_n, andrandom integer r coprimeq. Now calculatesequence

β = (β₁, β₂, ..., β_n)

where β_i = rw_i (mod q). The public keyβ, whileprivate key(w, q, r).

ENCRYPTION - To encrypt an n-bit message

α = (α₁, α₂, ..., α_n) ,

where α_i isi-th bit ofmessage, calculate

.

The cryptogram thenc.

DECRYPTION - Calculate s = r^-1 (mod q),c' = c*s (mod q). The knapsack problem (w, c') can be solvedlinear time.

See public key cryptography