Combinatorial-Algebraic Cryptosystems

About twenty years ago, a combinatorial cryptosystem called the Merkle-Hellman Knapsack met with a great deal of enthusiastic acclaim [Hellman and Merkle 1978]. For message transmission it was much more efficient than its main competitor at the time, which was RSA. Moreover, it was thought to be almost provably secure. Whereas the security of RSA is based on the difficulty of factoring large integers, that of Merkle-Hellman is based on the conjecturally more difficult Subset Sum problem, which is known to be NP-complete (see Definition 4.6 of Chapter 2).