Cryptanalysis of the Goldreich-Goldwasser-Halevi Cryptosystem from Crypto ’97
Recent results of Ajtai on the hardness of lattice problems have inspired several cryptographic protocols. At Crypto ’97, Goldreich, Goldwasser and Halevi proposed a public-key cryptosystem based on the closest vector problem in a lattice, which is known to be NP-hard. We show that there is a major flaw in the design of the scheme which has two implications: any ciphertext leaks information on the plaintext, and the problem of decrypting ciphertexts can be reduced to a special closest vector problem which is much easier than the general problem. As an application, we solved four out of the five numerical challenges proposed on the Internet by the authors of the cryptosystem. At least two of those four challenges were conjectured to be intractable. We discuss ways to prevent the flaw, but conclude that, even modified, the scheme cannot provide sufficient security without being impractical.
KeywordsError Vector Reduction Algorithm Lattice Reduction Vector Problem Invertible Matrice
- 1.M. Ajtai. Generating hard instances of lattice problems. In Proc. 28th ACM STOC, pages 99–108, 1996. Available at  as TR 96-007.Google Scholar
- 2.M. Ajtai. The shortest vector problem in L2 is NP-hard for randomized reductions. In Proc. 30th ACM STOC, 1998. Available at  as TR 97-047.Google Scholar
- 3.M. Ajtai and C. Dwork. A public-key cryptosystem with worst-case/average-case equivalence. In Proc. 29th ACM STOC, pages 284–293, 1997. Available at  as TR 96-065.Google Scholar
- 5.M. Bellare and D. Micciancio. A new paradigm for collision-free hashing: Incrementality at reduced cost. In Proc. of Eurocrypt’ 97, volume 1233 of LNCS. Springer-Verlag, 1997.Google Scholar
- 6.J. Blomer and J.-P. Seifert. On the complexity of computing short linearly independent vectors and short bases in a lattice. In Proc. 31th ACM STOC, 1999. To appear.Google Scholar
- 7.J.-Y. Cai and A. P. Nerurkar. An improved worst-case to average-case connection for lattice problems. In Proc. 38th IEEE FOCS, pages 468–477, 1997.Google Scholar
- 8.H. Cohen. A course in computational algebraic number theory. Springer, 1995. 2nd Edition.Google Scholar
- 9.I. Dinur, G. Kindler, and S. Safra. Approximating-CVP to within almostpolynomial factors is NP-hard. In Proc. 39th IEEE FOCS, pages 99–109, 1998. Available at  as TR 98-048.Google Scholar
- 10.ECCC. http://www.eccc.uni-trier.de/eccc/. The Electronic Colloquium on Computational Complexity.
- 11.P. van Emde Boas. Another NP-complete problem and the complexity of computing short vectors in a lattice. Technical report, Mathematische Instituut, University of Amsterdam, 1981. Report 81-04.Google Scholar
- 12.O. Goldreich. Private communication, Jan. 99.Google Scholar
- 13.O. Goldreich and S. Goldwasser. On the limits of non-approximability of lattice problems. In Proc. 30th ACM STOC, 1998. Available at  as TR97-031.Google Scholar
- 14.O. Goldreich, S. Goldwasser, and S. Halevi. Challenges for the GGH-Cryptosystem. Available at http://theory.lcs.mit.edu/~shaih/challenge.html.
- 15.O. Goldreich, S. Goldwasser, and S. Halevi. Collision-free hashing from lattice problems. Available at  as TR 96-056., 1996.Google Scholar
- 16.O. Goldreich, S. Goldwasser, and S. Halevi. Public-key cryptosystems from lattice reduction problems. In Proc. of Crypto’97, volume 1294 of LNCS, pages 112–131. Springer-Verlag, 1997. Available at  as TR96-056.Google Scholar
- 17.O. Goldreich, D. Micciancio, S. Safra, and J.-P. Seifert. Approximating shortest lattice vectors is not harder than approximating closest lattice vectors. Available at  as TR 99-002.Google Scholar
- 18.The LIDIA Group. LiDIA-a library for computational number theory. Can be obtained at http://www-jb.cs.uni-sb.de/LiDIA/linkhtml/lidia/lidia.html.
- 21.R.J. McEliece. A public-key cryptosystem based on algebraic number theory. Technical report, Jet Propulsion Laboratory, 1978. DSN Progress Report 42-44.Google Scholar
- 22.D. Micciancio. The shortest vector problem is NP-hard to approximate within some constant. In Proc. 39th IEEE FOCS, 1998. Available at  as TR98-016.Google Scholar
- 23.P. Nguyen and J. Stern. Cryptanalysis of the Ajtai-Dwork Cryptosystem. In Proc. of Crypto’ 98, volume 1462 of LNCS, pages 223–242. Springer-Verlag, 1998.Google Scholar
- 26.C-P. Schnorr, M. Fischlin, H. Koy, and A. May. Lattice attacks on GGHCryptosystem. Rump session of Crypto’ 97.Google Scholar
- 27.C.P. Schnorr and H.H. Horner. Attacking the Chor-Rivest cryptosystem by improved lattice reduction. In Proc. of Eurocrypt’95, volume 921 of LNCS, pages 1–12. Springer-Verlag, 1995.Google Scholar
- 28.V. Shoup. Number Theory C++ Library (NTL) version 3.6. Can be obtained at http://www.shoup.net/ntl/.