Pick a knapsack size $n$ and a target ciphertext-bit budget. The applet samples a superincreasing secret sequence, picks a multiplier $r$ and modulus $m$, and publishes $a_i = r \cdot w_i \bmod m$. The density $d = n / \log_2(\max a_i)$ tells us whether the Lagarias–Odlyzko attack will succeed.
Precision warning. This applet runs LLL with floating-point Gram–Schmidt
coefficients and BigInt basis entries. For $n > 16$ the GSO floats lose precision and the
attack may produce a near-shortest vector that does not decode to ${0,1}$ bits.
For research use, run a rational LLL (fpLLL) outside the browser.
Press "Generate key" to start.
2. Run LLL on the Lagarias–Odlyzko lattice
Lagarias–Odlyzko (1985). For density $d \lesssim 0.94$, build the lattice
with basis vectors $\boldsymbol{b}_i = N \cdot e_i + a_i \cdot e_{n+1}$ for $i = 1, \ldots, n$,
and $\boldsymbol{b}_{n+1} = \tfrac{N}{2} \cdot \boldsymbol{1}_n - S \cdot e_{n+1}$, where
$N$ is a large enough integer (we take $N = \lceil \tfrac{1}{2}\sqrt{n}\rceil$).
A short vector in this lattice has the form $(\pm N(2x_i - 1), 0)$, revealing the bits.