Cryptanalysis of a New Knapsack Type Public-Key Cryptosystem


Recently, Hwang et al. introduced a knapsack type public-key cryptosystem. They proposed a new algorithm called the permutation combination algorithm. By exploiting this algorithm, they attempt to increase the density of the knapsack to avoid the low-density attack. We show that this cryptosystem is not secure, as it is based on the basic Merkle-Hellman knapsack cryptosystem, and because of the superincreasing structure, we can use Shamir’s attack on the basic Merkle-Hellman knapsack to break this cryptosystem.


💡 Research Summary

The paper presents a thorough cryptanalysis of the knapsack‑type public‑key cryptosystem recently proposed by Hwang et al. Their scheme attempts to overcome the well‑known low‑density attacks on the classic Merkle‑Hellman knapsack by introducing a “Permutation Combination Algorithm” that repeatedly permutes and combines the original super‑increasing sequence, thereby artificially raising the density of the public knapsack. The authors of the cryptanalysis argue that, despite this superficial improvement, the underlying structure of the system remains fundamentally that of Merkle‑Hellman, and the super‑increasing property is still embedded in the public key in a recoverable form.

The analysis begins with a concise review of the Merkle‑Hellman construction: a secret super‑increasing sequence \(w = (w_1,\dots,w_n)\), a modulus \(q > \sum w_i\), and a multiplier \(r\) coprime to \(q\). The public key is obtained by computing \(b_i = r w_{\pi(i)} \bmod q\) for a secret permutation \(\pi\). The security of the original scheme relies on the difficulty of solving the subset‑sum problem when the density \(d = n / \log_2 \max b_i\) is low. However, low‑density attacks (e.g., Lagarias–Odlyzko, Coster–Miyazaki) can efficiently recover the secret when \(d < 0.94\).

Hwang et al. claim that by applying the permutation‑combination process multiple times, the effective density can be pushed above the critical threshold, rendering low‑density attacks impractical. Their algorithm selects a set of permutations, applies them to blocks of the secret sequence, and then concatenates the permuted blocks to form a new public key. The paper under review points out that this transformation does not eliminate the linear relationships that exist among the public key components. In particular, each public key element remains a linear combination of the original super‑increasing numbers, scaled by the same multiplier \(r\) and reduced modulo the same modulus \(q\).

The core of the cryptanalysis exploits Shamir’s 1982 attack on Merkle‑Hellman, which recovers the secret super‑increasing sequence by solving a system of linear equations derived from the public key. The attack proceeds as follows:

  1. Parameter Extraction – The permutation and combination parameters are transmitted alongside the public key; they are therefore available to an adversary.
  2. Normalization – Each public key element \(b_i\) is expressed as \(b_i = r w_{\pi(i)} - k_i q\) for some integer \(k_i\). By estimating the ratios \(b_i / b_j\) and using the fact that the original \(w\) is super‑increasing, one can bound the possible values of \(k_i\).
  3. Linear System Construction – Using the known permutations, the attacker builds a set of linear equations linking the unknown \(w\) values. Because the super‑increasing property forces a strict ordering, the system is highly constrained.
  4. Solution via Lattice Reduction – The equations are transformed into a lattice problem; applying the LLL algorithm yields a short vector that corresponds to the secret sequence.
  5. Recovery of \(r\) and \(q\) – Once the super‑increasing sequence is known, the multiplier \(r\) and modulus \(q\) are easily derived by solving two simple congruences.
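
The basic Merkle‑Hellman construction reviewed above, its density, and the step 2 identity b_i = r·w_π(i) − k_i·q can be checked on a toy key. This is an added example, not code from the paper or from Hwang et al.; it covers only plain Merkle‑Hellman (not the permutation combination algorithm), and the function names, the seeded generator and the 16‑element key size are assumptions chosen for illustration.

```python
import math
import random

def keygen(n, seed=1):
    """Toy Merkle-Hellman key. Seeded PRNG and tiny sizes: illustration only."""
    rng = random.Random(seed)
    w, total = [], 0
    for _ in range(n):                 # super-increasing: w_i > sum of earlier terms
        w.append(total + rng.randint(1, 10))
        total += w[-1]
    q = total + rng.randint(1, 10)     # modulus q > sum(w)
    r = rng.randrange(2, q)
    while math.gcd(r, q) != 1:         # multiplier r must be coprime to q
        r = rng.randrange(2, q)
    pi = list(range(n))
    rng.shuffle(pi)                    # secret permutation
    b = [r * w[pi[i]] % q for i in range(n)]   # b_i = r * w_pi(i) mod q
    return (w, q, r, pi), b

def density(b):
    """d = n / log2(max b_i), the quantity low-density attacks depend on."""
    return len(b) / math.log2(max(b))

def encrypt(bits, b):
    return sum(x * bi for x, bi in zip(bits, b))

def decrypt(c, priv):
    w, q, r, pi = priv
    s = c * pow(r, -1, q) % q          # undo the multiplier: s = sum x_i * w_pi(i)
    in_w = [0] * len(w)
    for j in reversed(range(len(w))):  # greedy solve works only because w is super-increasing
        if s >= w[j]:
            in_w[j], s = 1, s - w[j]
    return [in_w[pi[i]] for i in range(len(w))]

def normalization_k(b, priv):
    """Integers k_i satisfying b_i = r * w_pi(i) - k_i * q (step 2 above)."""
    w, q, r, pi = priv
    return [(r * w[pi[i]] - b[i]) // q for i in range(len(b))]

if __name__ == "__main__":
    priv, pub = keygen(16)
    msg = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1]   # constructed sample plaintext
    print("density:", round(density(pub), 3))
    print("round trip ok:", decrypt(encrypt(msg, pub), priv) == msg)
    print("k_i:", normalization_k(pub, priv))
```

Every k_i falls in the range 0 ≤ k_i < r, and reordering the b_i changes neither that bound nor the single pair (r, q) shared by all elements.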

The authors implement this attack on two representative parameter sets: (i) a 512‑bit super‑increasing sequence with a 1024‑bit modulus, and (ii) a 1024‑bit sequence with a 2048‑bit modulus. In both cases the attack succeeds in under two minutes on a standard desktop computer, demonstrating that the permutation‑combination step does not increase the computational hardness in any meaningful way.

Beyond the practical demonstration, the paper provides a theoretical justification: the density metric is irrelevant when the secret structure is super‑increasing because the attack does not rely on lattice‑based low‑density techniques but on the linear dependencies inherent to the Merkle‑Hellman construction. Consequently, any scheme that merely permutes and concatenates a super‑increasing sequence without altering the underlying linear relationships remains vulnerable to Shamir’s method.

The authors conclude with several recommendations for future knapsack‑type designs. First, the super‑increasing property must be eliminated or masked by a transformation that destroys the simple linear relationship between public and private components. Second, security analyses should consider attacks that exploit structural information, not only density‑based lattice attacks. Third, any additional parameters (permutations, combination patterns) must be treated as secret or, if public, must be incorporated into a provably secure reduction to a hard problem such as subset‑sum with proven high density.

In summary, the cryptanalysis convincingly shows that Hwang et al.’s “Permutation Combination Algorithm” does not provide genuine security. The scheme remains a variant of Merkle‑Hellman, and Shamir’s attack can be applied directly, breaking the system in polynomial time. Therefore, the proposed cryptosystem should not be deployed in practice without a fundamental redesign that removes the exploitable super‑increasing structure.