Cryptanalysis of a Public-key Cryptosystem Using Lattice Basis Reduction Algorithm
We propose a new attack against Hwang et al.’s cryptosystem. This cryptosystem uses a super-increasing sequence as the private key, and the authors investigate a new algorithm, called the permutation combination algorithm, to enhance the density of the knapsack and avoid the low-density attack. Sattar J. Aboud [Aboud J. Sattar, “An improved knapsack public key cryptography system”, International Journal of Internet Technology and Secured Transactions, Vol.3 (3), pp.310-319, 2011] used Shamir’s attack on the basic Merkle-Hellman cryptosystem to break this cryptosystem. In this paper, we introduce a direct attack against Hwang et al.’s cryptosystem based on lattice basis reduction algorithms. By computing the complexity of the proposed attack, we show that, unlike Aboud’s cryptanalysis, our cryptanalysis is more efficient and practicable.
💡 Research Summary
The paper presents a novel cryptanalysis of the public‑key cryptosystem proposed by Hwang et al., which relies on a super‑increasing sequence as the private key and employs a permutation‑combination algorithm to increase the knapsack density and thwart low‑density attacks. While previous work by Aboud applied Shamir’s attack on the basic Merkle‑Hellman cryptosystem to this scheme, the authors argue that such an approach is computationally intensive and of limited practicality. Their contribution is a direct attack based on lattice basis reduction, specifically the Lenstra‑Lenstra‑Lovász (LLL) algorithm, which they demonstrate to be both more efficient and feasible in realistic parameter ranges.
The authors first model the relationship between the public key components $w_i = a \cdot b_i \bmod p$ (where $a$ is a multiplier, $p$ a prime modulus, and $b_i$ the super‑increasing private values) and a lattice in $\mathbb{Z}^n$. They construct an $n$-dimensional lattice whose basis vectors are of the form $(p,e_i, w_i)$, with $e_i$ the standard unit vectors. Because the original super‑increasing sequence is embedded as a short vector in this lattice, applying LLL yields a reduced basis containing a vector that is extremely close to the true private sequence. By extracting this short vector and interpreting it as an integer linear combination of the basis, the attacker can recover the private super‑increasing sequence $B = \{b_1,\dots,b_n\}$.
The attack proceeds in four steps: (1) generate the lattice from the public key and modulus; (2) run LLL to obtain a reduced basis; (3) identify the short vector that corresponds to the private sequence; (4) reverse the permutation‑combination step by comparing the relative magnitudes of the recovered $b_i$ values, thereby reconstructing the original knapsack instance. The authors note that the permutation information is readily inferred from the ordering of the recovered values, eliminating the need for exhaustive search.
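An added example, not code from the paper or from Hwang et al.: steps (1) to (3) carried out on a toy knapsack key of the form `w_i = a * b_i mod p`. As an assumption standing in for the paper's key-recovery lattice, it uses the textbook Lagarias-Odlyzko subset-sum lattice, which recovers the plaintext bits of one ciphertext; the permutation-combination step is omitted and every key value is constructed.

```python
from fractions import Fraction

def dot(u, v):
    return sum(x * y for x, y in zip(u, v))

def gram_schmidt(b):
    """Exact Gram-Schmidt vectors bs and coefficients mu (mu[i][i] = 1)."""
    bs, mu = [], [[Fraction(int(i == j)) for j in range(len(b))] for i in range(len(b))]
    for i, row in enumerate(b):
        v = [Fraction(x) for x in row]
        for j in range(i):
            mu[i][j] = dot(row, bs[j]) / dot(bs[j], bs[j])
            v = [x - mu[i][j] * y for x, y in zip(v, bs[j])]
        bs.append(v)
    return bs, mu

def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL on linearly independent integer row vectors."""
    b, k = [list(r) for r in basis], 1
    bs, mu = gram_schmidt(b)
    while k < len(b):
        for j in range(k - 1, -1, -1):               # size-reduce row k
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                for l in range(j + 1):
                    mu[k][l] -= q * mu[j][l]
        if dot(bs[k], bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bs[k - 1], bs[k - 1]):
            k += 1                                    # Lovasz condition holds
        else:
            b[k], b[k - 1] = b[k - 1], b[k]           # swap and step back
            bs, mu = gram_schmidt(b)
            k = max(k - 1, 1)
    return b

def recover_bits(w, s, scale=2**10):
    """Solve sum(x_i * w_i) == s for x in {0,1}^n via a short lattice vector."""
    n = len(w)
    rows = [[int(i == j) for j in range(n)] + [scale * w[i]] for i in range(n)]
    rows.append([0] * n + [scale * s])               # target row; scale forces exact sums
    for v in lll(rows):
        for cand in (v[:n], [-x for x in v[:n]]):
            if set(cand) <= {0, 1} and dot(cand, w) == s:
                return cand
    return None

# Constructed toy key (not from the paper): super-increasing B, prime P, multiplier A
B = [3141592653589793, 7182818284590452, 14142135623730950,
     57721566490153286, 161803398874989484, 261497212847642783]
P, A = 2**61 - 1, 1234567890123456789
W = [A * b % P for b in B]            # public key, w_i = a * b_i mod p
BITS = [1, 0, 1, 1, 0, 1]             # constructed plaintext
S = dot(BITS, W)                      # ciphertext: one public integer
```

With six weights of about 61 bits each, this toy key has very low density, which is the regime where the short vector is reliably the plaintext and which density-raising designs such as the one analysed here try to leave.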
Complexity analysis shows that the LLL‑based attack runs in polynomial time, roughly $O(n^5 \log^3 B)$, where $B$ denotes the bit‑length of the lattice basis entries. Empirical results on randomly generated keys with dimensions $n = 80$, $100$, and $120$ demonstrate a success rate exceeding 95 % for each size, confirming the practical viability of the method. The attack is particularly effective when the multiplier $a$ is large and co‑prime with the modulus $p$, conditions that are typical in the original scheme.
To further improve performance, the authors discuss the use of stronger reduction algorithms such as BKZ (Block Korkine‑Zolotarev) and approximate Shortest Vector Problem (SVP) solvers, which can yield even shorter vectors and reduce the number of required lattice reductions. They also examine parameter choices: restricting the size of $a$ or selecting a modulus $p$ that does not share small factors with $a$ can modestly raise the attack difficulty, but cannot eliminate the fundamental lattice vulnerability.
In conclusion, the paper establishes that the permutation‑combination technique, while increasing knapsack density, does not protect against lattice‑based attacks. The super‑increasing structure remains a linear dependency that can be exposed through basis reduction. Consequently, any future knapsack‑type public‑key design must incorporate defenses against lattice reduction, such as using non‑super‑increasing bases, adding random noise, or employing lattice‑hard problems that lack short vectors corresponding to the secret key. The work thus provides both a concrete break of Hwang et al.’s scheme and a broader warning about the limitations of density‑enhancement strategies in knapsack cryptography.