Criticism of Knapsack Encryption Scheme
In this paper, we analyze a knapsack scheme. The scheme is suggested by Su and relies on a new method called the permutation combination method. We demonstrate that this permutation method is useless to the security of the scheme. Because of the special super-increasing construction, we can break this scheme by employing the algorithm provided by Shamir. Finally, we provide an enhanced version of Su's scheme to avoid these attacks.
💡 Research Summary
The paper titled “Criticism of Knapsack Encryption Scheme” examines the public‑key cryptosystem proposed by Su, which combines an elliptic‑curve discrete logarithm problem with a knapsack (subset‑sum) construction. The authors claim that Su’s “permutation combination method” does not actually improve security and that the scheme remains vulnerable to classic attacks on knapsack‑based cryptosystems.
First, the authors review the original Merkle-Hellman (MH) scheme, emphasizing that its secret key consists of a super-increasing vector B, two integers w and p (with p > Σ b_i and gcd(w, p) = 1), and a permutation π. The public key is generated as a_i = (w·b_{π(i)} mod p). They point out that Su's construction essentially follows this pattern: a super-increasing vector v is chosen, then transformed by a permutation and modular multiplication, and finally combined with elliptic-curve parameters. Because the underlying secret structure is still super-increasing, Shamir's 1984 polynomial-time attack applies; it uses Lenstra's algorithm for integer programming in a fixed number of variables to find a trapdoor pair (u, m) for which the elements u·a_i mod m become super-increasing. The paper argues that even though the permutation π is unknown, an attacker can invoke Lenstra's algorithm n times to recover the hidden permutation and consequently reconstruct the private key. The permutation itself buys nothing: once a trapdoor pair is known, the unscaled elements are the super-increasing sequence in permuted order, and sorting them recovers π.
Second, the authors discuss low-density attacks. The density d of a knapsack is defined as d = n / log₂(max a_i). When d < 0.9408, the Coster-Joux-LaMacchia-Odlyzko-Schnorr-Stern reduction turns the subset-sum problem into finding a short vector in an associated lattice, which lattice reduction (LLL in practice) solves for almost all instances. Su's parameters lead to a lattice of dimension 1025, which is large enough to make LLL-based reduction impractical, but the authors note that the low density still makes the scheme theoretically vulnerable. They claim that for moderate n, a direct low-density attack works; for larger n, Shamir's method remains feasible.
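The two observations above (the super-increasing secret survives the permutation, and a classic MH key is low-density) are easy to see concretely. The following is an added example, not code from the paper or from Su's scheme: a toy Merkle-Hellman knapsack in the notation used above (b, w, p, π, a_i = w·b_{π(i)} mod p) with the classic parameter choice b_1 ≥ 2^n, which is an assumption here since Su's actual parameters are not given on this page. `attacker_decrypt` decrypts knowing only the public key and a trapdoor pair (w, p), which is what Shamir's attack outputs, and never needs π, and `density` computes d = n / log₂(max a_i).

```python
"""Toy Merkle-Hellman knapsack: the permutation adds no security.

Added example; not the paper's or Su's code. The b_1 >= 2**n start is the
classic MH parameter choice (assumption), chosen so the public elements
are about 2n bits long and the density lands near 0.5.
"""
import math
import random


def keygen(n, seed):
    """Return (public_key, private_key) for an n-element MH knapsack.

    private_key = (b, w, p, pi): super-increasing b, multiplier w coprime
    to the modulus p > sum(b), and a permutation pi of range(n).
    Public elements are a_i = w * b[pi[i]] mod p.
    random.Random(seed) keeps the example reproducible; a real generator
    would use a CSPRNG, but the scheme is broken regardless.
    """
    rng = random.Random(seed)
    b, total = [], 0
    for _ in range(n):
        b_i = total + 2 ** n + rng.randrange(2 ** n)  # strictly exceeds the sum so far
        b.append(b_i)
        total += b_i
    p = total + 1 + rng.randrange(2 ** n)             # p > sum(b), so no wrap-around
    while True:
        w = rng.randrange(2, p)
        if math.gcd(w, p) == 1:
            break
    pi = list(range(n))
    rng.shuffle(pi)
    a = [(w * b[pi[i]]) % p for i in range(n)]
    return a, (b, w, p, pi)


def encrypt(a, x):
    """Ciphertext is the subset sum of the public elements selected by bits x."""
    assert len(x) == len(a) and all(bit in (0, 1) for bit in x)
    return sum(ai for ai, bit in zip(a, x) if bit)


def solve_superincreasing(b, s):
    """Greedy subset sum over a super-increasing sequence; bits or None."""
    y = [0] * len(b)
    for j in range(len(b) - 1, -1, -1):
        if s >= b[j]:
            y[j] = 1
            s -= b[j]
    return y if s == 0 else None


def decrypt(priv, c):
    """Legitimate decryption: undo w, solve the easy knapsack, undo pi."""
    b, w, p, pi = priv
    y = solve_superincreasing(b, (c * pow(w, -1, p)) % p)
    return None if y is None else [y[pi[i]] for i in range(len(pi))]


def density(a):
    """Knapsack density d = n / log2(max a_i), as used by low-density attacks."""
    return len(a) / math.log2(max(a))


def _unscaled_order(a, w, p):
    """Indices of a sorted by u*a_i mod p; that order is the super-increasing b."""
    u = pow(w, -1, p)
    b_perm = [(u * ai) % p for ai in a]           # equals b[pi[i]] for each i
    return b_perm, sorted(range(len(a)), key=b_perm.__getitem__)


def recover_permutation(a, w, p):
    """pi[i] is just the rank of u*a_i mod p among the unscaled elements."""
    _, order = _unscaled_order(a, w, p)
    pi = [0] * len(a)
    for rank, i in enumerate(order):
        pi[i] = rank
    return pi


def attacker_decrypt(a, c, w, p):
    """Decrypt from the public key and a trapdoor pair (w, p) alone, no pi."""
    b_perm, order = _unscaled_order(a, w, p)
    y = solve_superincreasing([b_perm[i] for i in order], (c * pow(w, -1, p)) % p)
    if y is None:
        return None
    x = [0] * len(a)
    for rank, i in enumerate(order):
        x[i] = y[rank]
    return x


if __name__ == "__main__":
    pub, priv = keygen(32, seed=7)
    msg = [int(ch) for ch in "10110010" * 4]      # constructed 32-bit message
    c = encrypt(pub, msg)
    print("density   :", round(density(pub), 3))
    print("legitimate:", decrypt(priv, c) == msg)
    print("attacker  :", attacker_decrypt(pub, c, priv[1], priv[2]) == msg)
    print("pi found  :", recover_permutation(pub, priv[1], priv[2]) == priv[3])
```

The design point is in `attacker_decrypt`: after unscaling by w⁻¹ the public elements are b in permuted order, so a single sort restores the super-increasing sequence and the permutation falls out as the rank of each element. Any trapdoor pair that makes the elements super-increasing works, which is exactly what Shamir's algorithm searches for; Su's "permutation combination" leaves that structure untouched.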
The paper then introduces a “known z attack”. In Su’s encryption, the ciphertext contains values derived from the binary vector x (e.g., the sum of selected public‑key elements). If an adversary can recover the intermediate vector z (which corresponds to the positions where x_i = 1), equation (5.1) can be inverted to obtain the original message. Recovering z is reduced to solving a Merkle‑Hellman‑type knapsack, which the authors claim is possible using the same Shamir or low‑density techniques described earlier.
To mitigate these weaknesses, the authors propose a minor modification: when x_i = 1, the encryption routine adds an extra term before applying the permutation, thereby obscuring the direct relationship between the ciphertext and the original binary vector. They argue that this change prevents the known z attack because the attacker would need to solve an elliptic‑curve discrete logarithm problem (EC‑DL) to retrieve the missing information. However, the modification does not alter the underlying super‑increasing structure, so Shamir’s attack remains applicable.
In the conclusion, the authors reiterate that Su’s scheme overestimates its security level. By combining Shamir’s polynomial‑time attack with low‑density lattice attacks, an adversary can recover the private key and decrypt messages. The paper’s references are largely limited to classic knapsack and lattice‑reduction literature, lacking discussion of more recent developments such as quantum‑resistant knapsack designs or modern lattice‑based cryptanalysis.
Overall, the paper provides a useful survey of known attacks on knapsack‑based cryptosystems and correctly identifies that Su’s permutation does not eliminate the fundamental weaknesses of a super‑increasing secret. Nevertheless, the analysis suffers from several shortcomings: the “known z attack” is described qualitatively without concrete complexity estimates; the proposed fix is superficial and does not address the core structural flaw; experimental validation is absent; and the manuscript contains numerous typographical and notation errors that hinder readability. Consequently, while the paper reinforces the well‑known lesson that super‑increasing knapsacks are insecure, it offers limited novel insight into securing such schemes.