Cryptanalysis of the Goldreich-Goldwasser-Halevi Cryptosystem from Crypto ’97

  • Phong Nguyen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1666)


Recent results of Ajtai on the hardness of lattice problems have inspired several cryptographic protocols. At Crypto ’97, Goldreich, Goldwasser and Halevi proposed a public-key cryptosystem based on the closest vector problem in a lattice, which is known to be NP-hard. We show that there is a major flaw in the design of the scheme which has two implications: any ciphertext leaks information on the plaintext, and the problem of decrypting ciphertexts can be reduced to a special closest vector problem which is much easier than the general problem. As an application, we solved four out of the five numerical challenges proposed on the Internet by the authors of the cryptosystem. At least two of those four challenges were conjectured to be intractable. We discuss ways to prevent the flaw, but conclude that, even modified, the scheme cannot provide sufficient security without being impractical.
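The leak and the reduction the abstract refers to can be seen on a toy instance. The following is an added illustration, not code from Nguyen's paper or from the GGH authors. It relies on two facts about the GGH scheme as published: a ciphertext is c = mB + e for a public basis B, and every coordinate of the error vector e is +σ or −σ (σ = 3 in the published challenges). Adding σ to every coordinate of c therefore turns the error into a vector with entries in {0, 2σ}, so (c + σ·1)·B⁻¹ ≡ m (mod 2σ) whenever B is invertible modulo 2σ. The 3×3 basis B, the requirement that det(B) be coprime to 2σ, and the helper names are assumptions made for this example only; the general case in the paper is not reproduced here.

```python
# Toy GGH encryption and the modular leak / CVP reduction sketched in the
# abstract. Added illustration only, not code from the paper. Assumes the
# GGH error vector has entries in {-sigma, +sigma} and that the public basis
# is invertible modulo 2*sigma (constructed basis below satisfies this).
from fractions import Fraction
from math import gcd
import random

SIGMA = 3          # error magnitude of the published GGH challenges
Q = 2 * SIGMA      # modulus in which the plaintext leaks

# Constructed public basis (rows are lattice basis vectors); det(B) = 215,
# which is coprime to Q = 6, so B is invertible modulo Q.
B = [[7, 2, 1],
     [1, 5, 2],
     [3, 1, 7]]


def det(M):
    """Determinant by Laplace expansion (adequate for toy dimensions)."""
    if len(M) == 1:
        return M[0][0]
    return sum((-1) ** j * M[0][j] * det([row[:j] + row[j + 1:] for row in M[1:]])
               for j in range(len(M)))


def inverse(M):
    """Exact rational inverse of a square integer matrix (Gauss-Jordan)."""
    n = len(M)
    A = [[Fraction(x) for x in row] + [Fraction(int(i == j)) for j in range(n)]
         for i, row in enumerate(M)]
    for col in range(n):
        piv = next(r for r in range(col, n) if A[r][col] != 0)
        A[col], A[piv] = A[piv], A[col]
        p = A[col][col]
        A[col] = [x / p for x in A[col]]
        for r in range(n):
            if r != col and A[r][col] != 0:
                f = A[r][col]
                A[r] = [a - f * b for a, b in zip(A[r], A[col])]
    return [row[n:] for row in A]


def vec_mat(v, M):
    """Row vector times matrix."""
    return [sum(v[i] * M[i][j] for i in range(len(M))) for j in range(len(M[0]))]


def encrypt(m, rng):
    """GGH encryption: c = m*B + e with every e_i in {-sigma, +sigma}."""
    e = [rng.choice((-SIGMA, SIGMA)) for _ in m]
    return [a + b for a, b in zip(vec_mat(m, B), e)]


def leak(c):
    """Recover m mod 2*sigma from the ciphertext alone.

    c + sigma*(1,...,1) = m*B + (e + sigma*1), and e + sigma*1 lies in
    {0, 2*sigma}^n, so (c + sigma*1)*B^{-1} is congruent to m modulo 2*sigma.
    """
    assert gcd(det(B), Q) == 1, "this toy needs B invertible modulo 2*sigma"
    t = vec_mat([Fraction(x + SIGMA) for x in c], inverse(B))
    # Every denominator divides det(B), hence is invertible modulo Q.
    return [x.numerator * pow(x.denominator, -1, Q) % Q for x in t]


def reduce_cvp(c):
    """Turn decryption of c into an easier CVP instance.

    Writing m = m_q + Q*m' with m_q = m mod Q known from leak(), one has
    c + sigma*1 - m_q*B = Q*(m'*B + u) with u in {0,1}^n. The reduced target
    c' = (c + sigma*1 - m_q*B)/Q is at distance sqrt(n)/2 from the lattice point
    m'*B once the constant vector (1/2,...,1/2) is subtracted, instead of the
    original distance sigma*sqrt(n).
    """
    m_q = leak(c)
    shifted = [x + SIGMA - y for x, y in zip(c, vec_mat(m_q, B))]
    assert all(x % Q == 0 for x in shifted)
    return m_q, [x // Q for x in shifted]


def demo(seed=1):
    """Encrypt a random plaintext and check the leak and the reduction."""
    rng = random.Random(seed)
    n = len(B)
    m = [rng.randrange(-50, 50) for _ in range(n)]
    c = encrypt(m, rng)
    m_q, c_reduced = reduce_cvp(c)
    m_prime = [(a - b) // Q for a, b in zip(m, m_q)]
    u = [a - b for a, b in zip(c_reduced, vec_mat(m_prime, B))]  # should be 0/1
    dist2_before = n * SIGMA ** 2                       # |e|^2
    dist2_after = sum((Fraction(x) - Fraction(1, 2)) ** 2 for x in u)
    return {"m": m, "m_mod_q": m_q, "u": u,
            "dist2_before": dist2_before, "dist2_after": dist2_after}


if __name__ == "__main__":
    print(demo())
```

The squared distance of the target to the lattice drops from nσ² to n/4 in the reduced instance, which is the sense in which the abstract calls the resulting closest vector problem "much easier" than the general one: the same lattice, a far smaller error to absorb.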




References

  1. M. Ajtai. Generating hard instances of lattice problems. In Proc. 28th ACM STOC, pages 99–108, 1996. Available at [10] as TR 96-007.
  2. M. Ajtai. The shortest vector problem in L2 is NP-hard for randomized reductions. In Proc. 30th ACM STOC, 1998. Available at [10] as TR 97-047.
  3. M. Ajtai and C. Dwork. A public-key cryptosystem with worst-case/average-case equivalence. In Proc. 29th ACM STOC, pages 284–293, 1997. Available at [10] as TR 96-065.
  4. L. Babai. On Lovász lattice reduction and the nearest lattice point problem. Combinatorica, 6:1–13, 1986.
  5. M. Bellare and D. Micciancio. A new paradigm for collision-free hashing: Incrementality at reduced cost. In Proc. of Eurocrypt ’97, volume 1233 of LNCS. Springer-Verlag, 1997.
  6. J. Blömer and J.-P. Seifert. On the complexity of computing short linearly independent vectors and short bases in a lattice. In Proc. 31st ACM STOC, 1999. To appear.
  7. J.-Y. Cai and A. P. Nerurkar. An improved worst-case to average-case connection for lattice problems. In Proc. 38th IEEE FOCS, pages 468–477, 1997.
  8. H. Cohen. A Course in Computational Algebraic Number Theory. Springer, 1995. 2nd edition.
  9. I. Dinur, G. Kindler, and S. Safra. Approximating CVP to within almost-polynomial factors is NP-hard. In Proc. 39th IEEE FOCS, pages 99–109, 1998. Available at [10] as TR 98-048.
  10. ECCC. The Electronic Colloquium on Computational Complexity.
  11. P. van Emde Boas. Another NP-complete problem and the complexity of computing short vectors in a lattice. Technical Report 81-04, Mathematisch Instituut, University of Amsterdam, 1981.
  12. O. Goldreich. Private communication, Jan. 1999.
  13. O. Goldreich and S. Goldwasser. On the limits of non-approximability of lattice problems. In Proc. 30th ACM STOC, 1998. Available at [10] as TR 97-031.
  14. O. Goldreich, S. Goldwasser, and S. Halevi. Challenges for the GGH cryptosystem. Available at
  15. O. Goldreich, S. Goldwasser, and S. Halevi. Collision-free hashing from lattice problems. Available at [10] as TR 96-056, 1996.
  16. O. Goldreich, S. Goldwasser, and S. Halevi. Public-key cryptosystems from lattice reduction problems. In Proc. of Crypto ’97, volume 1294 of LNCS, pages 112–131. Springer-Verlag, 1997. Available at [10] as TR 96-056.
  17. O. Goldreich, D. Micciancio, S. Safra, and J.-P. Seifert. Approximating shortest lattice vectors is not harder than approximating closest lattice vectors. Available at [10] as TR 99-002.
  18. The LiDIA Group. LiDIA: a library for computational number theory. Can be obtained at
  19. R. Impagliazzo and M. Naor. Efficient cryptographic schemes provably as secure as subset sum. Journal of Cryptology, 9(4):199–216, 1996.
  20. A. K. Lenstra, H. W. Lenstra, and L. Lovász. Factoring polynomials with rational coefficients. Math. Ann., 261:515–534, 1982.
  21. R. J. McEliece. A public-key cryptosystem based on algebraic coding theory. Technical report, Jet Propulsion Laboratory, 1978. DSN Progress Report 42-44.
  22. D. Micciancio. The shortest vector problem is NP-hard to approximate within some constant. In Proc. 39th IEEE FOCS, 1998. Available at [10] as TR 98-016.
  23. P. Nguyen and J. Stern. Cryptanalysis of the Ajtai-Dwork cryptosystem. In Proc. of Crypto ’98, volume 1462 of LNCS, pages 223–242. Springer-Verlag, 1998.
  24. A. M. Odlyzko. The rise and fall of knapsack cryptosystems. In Cryptology and Computational Number Theory, volume 42 of Proceedings of Symposia in Applied Mathematics, pages 75–88. A.M.S., 1990.
  25. C.-P. Schnorr. A hierarchy of polynomial lattice basis reduction algorithms. Theoretical Computer Science, 53:201–224, 1987.
  26. C.-P. Schnorr, M. Fischlin, H. Koy, and A. May. Lattice attacks on the GGH cryptosystem. Rump session of Crypto ’97.
  27. C.-P. Schnorr and H. H. Hörner. Attacking the Chor-Rivest cryptosystem by improved lattice reduction. In Proc. of Eurocrypt ’95, volume 921 of LNCS, pages 1–12. Springer-Verlag, 1995.
  28. V. Shoup. NTL: Number Theory C++ Library, version 3.6. Can be obtained at

Copyright information

© Springer-Verlag Berlin Heidelberg 1999

Authors and Affiliations

  • Phong Nguyen, École Normale Supérieure, Laboratoire d’Informatique, Paris Cedex 05, France
