Incoming copy pasta:

Merkle puzzles are an approach to solving the difficult problem of key-distribution over an untrusted medium.

Let’s say Bob wants to securely communicate with Alice.

Alice creates 1000 unique pairs of a unique Identifier, and a key: 1000 x (identifier, key)
Alice encrypts each pair separately with relatively weak encryption - encryption((identifier, key), randomWeakKey)
Alice then sends all 1000 encrypted blobs to Bob
Bob chooses one encrypted blob at random and brute forces every password until it is cracked
Bob is left with a unique identifier and a key. Maybe : (sausage, A3D19F)
Bob encrypts the message with the key, and then tells Alice is he using the key corresponding to the ID ‘sausage’
Alice looks up ‘sausage’ on her list, and finds the corresponding key
Alice decodes the message using the key A3D19F

For an attacker to intercept and decrypt their communications, they would require the corresponding key. Though an attacker can see the unique identifier ‘sausage’, they still don’t know which key that ID corresponds to, as each of the pairs is encrypted.

The attacker is forced to brute force all 1000 encrypted packets until they discover the packet with the unique identifier ‘sausage’. On some occasions they may be fortunate and discover the correct key on their first attempt, and on others they will be unlucky and have to brute force all 1000 packets. But on average they will decrypt the correct packet after n/2 times, or 500 packets.


From this excerpt, I would summarise the Merkle challenge like this:

  • Party A creates a collection of random identifiers are encrypted with a key, and sends this to Party B
  • Party B cracks the encryption of one of the identifier-key pairs
  • Party B sends a cracked-key-encrypted message with the cracked ID to Party A
  • Party A looks up the key corresponding to the ID, and decrypts the message

What's good

Because of the large number of ID/key pairs, it makes brute force decryption much harder.
It works well for our Party B, because they have the choice of randomly selecting a ID/key pair to use.

Third parties would have to guess that exact same ID/key pair, as well as to also crack it - to be able to get the key and read the plaintext messages. Really really really small chance (for a big big big range)

What's (not) good

This is a rudimentary way of protecting data from being read, quickly.
With enough time (or better technology), Merkle puzzles only delay the inevitable.

But then again, you could technically brute-force a public/private key pair…

I guess, there is a limit to how long something will take before it becomes futile.

One thing you could do, is to have different collections of generated ID/key pairs that will generate faster than the time it would take to crack the key.

And of course, try not to reuse keys.