Attacks on the AJPS Mersenne-Based Cryptosystem

Koen de Boer, Léo Ducas, Stacey Jeffery, Ronald de Wolf

Conference paper, part of the Lecture Notes in Computer Science book series (LNCS, volume 10786)


Abstract

Aggarwal, Joux, Prakash and Santha recently introduced a new potentially quantum-safe public-key cryptosystem, and suggested that a brute-force attack is essentially optimal against it. They consider but then dismiss both Meet-in-the-Middle attacks and LLL-based attacks. Very soon after their paper appeared, Beunardeau et al. proposed a practical LLL-based technique that seemed to significantly reduce the security of the AJPS system. In this paper we do two things. First, we show that a Meet-in-the-Middle attack can also be made to work against the AJPS system, using locality-sensitive hashing to overcome the difficulty that Aggarwal et al. saw for such attacks. We also present a quantum version of this attack. Second, we give a more precise analysis of the attack of Beunardeau et al., confirming and refining their results.
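The approximate-collision idea behind the Meet-in-the-Middle attack, as an added toy example that is not code from the paper or its authors. It assumes the AJPS public key has the form H = F·G^{-1} mod p with p = 2^n − 1 a Mersenne prime and F, G of Hamming weight h, which is the description in reference [1] rather than anything stated in the abstract above, and it uses deliberately tiny constructed parameters (n = 127, h = 4) so that it runs in well under a second. The locality-sensitive hash is the plain bit-sampling LSH of Indyk and Motwani [16], standing in for the paper's own LSH construction and for its quantum variant. All function names (keygen, mitm_lsh_attack, is_valid_key, demo) are the example's own.

```python
import random
from itertools import combinations

# Constructed toy parameters, far below anything the AJPS paper proposes.
# p = 2^n - 1 must be a Mersenne prime; n = 127 gives one (assumption of the
# example, taken from the scheme description in reference [1]).
N = 127
P = (1 << N) - 1
H_WEIGHT = 4            # Hamming weight h of the secret F and G


def hw(x):
    """Hamming weight of a non-negative integer."""
    return bin(x).count("1")


def low_weight_int(positions):
    """Integer whose set bits are exactly the given positions."""
    x = 0
    for b in positions:
        x |= 1 << b
    return x


def keygen(rng, n=N, h=H_WEIGHT):
    """Toy AJPS key: public H = F * G^{-1} mod p, secret (F, G) of weight h."""
    F = low_weight_int(rng.sample(range(n), h))
    G = low_weight_int(rng.sample(range(n), h))
    return (F * pow(G, -1, P)) % P, (F, G)


def is_valid_key(H, F, G, h=H_WEIGHT):
    """Any weight-<=h pair with H*G = F (mod p) is a valid secret key.
    The attack may return a rotation (2^i F, 2^i G) mod p of the original pair,
    since multiplying both by 2^i leaves H unchanged and rotates the bits."""
    return 0 < G < P and 0 < hw(F) <= h and hw(G) <= h and (H * G) % P == F


def weight_patterns(positions, w):
    """All integers of weight w supported on the given bit positions."""
    for combo in combinations(positions, w):
        yield low_weight_int(combo)


def sample_bits(x, probe):
    """Bit-sampling LSH key: the bits of x at k randomly chosen positions."""
    return tuple((x >> b) & 1 for b in probe)


def mitm_lsh_attack(H, rng, n=N, h=H_WEIGHT, k=10, max_tables=500):
    """Split G = G1 + G2 with G1 on the low bits and G2 on the high bits.
    Then H*G1 + H*G2 = F (mod p), so A = H*G1 and B = -H*G2 differ by the
    low-weight F: a near-collision in Hamming distance, not an exact one,
    which is why an exact-match MITM table does not work and LSH is needed.
    For even h some rotation of G has exactly h/2 ones in the low half, so
    this single split loses no generality (the result may be that rotation)."""
    half = n // 2
    left = [(g1, (H * g1) % P) for g1 in weight_patterns(range(half), h // 2)]
    right = [(g2, (-H * g2) % P) for g2 in weight_patterns(range(half, n), h - h // 2)]
    for tables in range(1, max_tables + 1):
        probe = rng.sample(range(n), k)      # fresh random bit positions per table
        table = {}
        for g1, a in left:
            table.setdefault(sample_bits(a, probe), []).append((g1, a))
        for g2, b in right:
            # Only candidates agreeing on all k sampled bits are checked exactly.
            for g1, a in table.get(sample_bits(b, probe), ()):
                F = (a - b) % P              # equals H*(g1+g2) mod p
                if hw(F) <= h:
                    return F, g1 + g2, tables
    return None


def demo(seed=2018):
    """Generate a toy key and recover it; returns (H, (F, G), attack result)."""
    rng = random.Random(seed)
    H, (F, G) = keygen(rng)
    return H, (F, G), mitm_lsh_attack(H, rng)


if __name__ == "__main__":
    H, (F, G), found = demo()
    print("public key H    =", hex(H))
    print("secret F, G     =", hex(F), hex(G))
    print("recovered F, G  =", hex(found[0]), hex(found[1]))
    print("LSH tables used =", found[2])
    print("valid break     =", is_valid_key(H, found[0], found[1]))
```

In this toy setting a brute-force search over G costs C(127, 4) ≈ 1.0 × 10^7 multiplications, whereas the two MITM lists have only C(63, 2) = 1953 and C(64, 2) = 2016 entries. What the naive MITM lacks is an exact collision: A and B agree only up to the addition of F, which flips a handful of bits, so a bucket keyed on k sampled bits catches the true pair with probability roughly (1 − d/n)^k for Hamming distance d, and a few random tables suffice. The real attack replaces this bit-sampling hash with the LSH analysis of the paper and, in the quantum version, with Grover-style search over the lists.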


Keywords: Locality-sensitive hashing, MITM attack, Quantum search algorithm, Gaussian heuristic, Approximate collision



Acknowledgements

The authors wish to thank David Naccache, Antoine Joux and Marc Beunardeau for helpful discussions, and the anonymous PQCrypto reviewers for useful feedback. LD is supported by a NWO Veni Innovational Research Grant under project number 639.021.645. SJ is supported by an NWO WISE Grant and an NWO Veni Innovational Research Grant under project number 639.021.752. RdW is partially supported by ERC Consolidator Grant 61530-QPROGRESS.

References

  1. Aggarwal, D., Joux, A., Prakash, A., Santha, M.: A new public-key cryptosystem via Mersenne numbers. Cryptology ePrint Archive, Report 2017/481 (2017)
  2. Albrecht, M.R., Göpfert, F., Virdia, F., Wunderer, T.: Revisiting the expected cost of solving uSVP and applications to LWE. Cryptology ePrint Archive, Report 2017/815 (2017)
  3. Ambainis, A.: Quantum search with variable times. Theory Comput. Syst. 47(3), 786–807 (2010)
  4. Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. In: Proceedings of 27th Annual ACM-SIAM Symposium on Discrete Algorithms (SODA 2016), pp. 10–24 (2016)
  5. Bernstein, D.J., Jeffery, S., Lange, T., Meurer, A.: Quantum algorithms for the subset sum problem. In: Proceedings of 5th International Conference on Post-Quantum Cryptography (PQCrypto 2013), pp. 16–33 (2013)
  6. Beunardeau, M., Connolly, A., Géraud, R., Naccache, D.: On the hardness of the Mersenne low Hamming ratio assumption. In: Progress in Cryptology - LATINCRYPT 2017 (2017)
  7. Boyer, M., Brassard, G., Høyer, P., Tapp, A.: Tight bounds on quantum searching. Fortschr. Phys. 46(4–5), 493–505 (1998)
  8. Brassard, G., Høyer, P., Mosca, M., Tapp, A.: Quantum amplitude amplification and estimation. In: Quantum Computation and Quantum Information: A Millennium Volume. AMS Contemporary Mathematics Series, vol. 305, pp. 53–74. AMS (2002)
  9. Brassard, G., Høyer, P., Tapp, A.: Quantum algorithm for the collision problem. ACM SIGACT News 28, 14–19 (1997). arXiv:quant-ph/9705002
  10. Gama, N., Nguyen, P.Q.: Predicting lattice reduction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 31–51. Springer, Heidelberg (2008)
  11. Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of 28th Annual ACM Symposium on the Theory of Computing (STOC 1996), pp. 212–219 (1996)
  12. Hellman, M.: A cryptanalytic time-memory trade-off. IEEE Trans. Inf. Theory 26(4), 401–406 (1980)
  13. Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998)
  14. Howgrave-Graham, N.: A hybrid lattice-reduction and meet-in-the-middle attack against NTRU. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 150–169. Springer, Heidelberg (2007)
  15. Howgrave-Graham, N., Silverman, J.H., Whyte, W.: A meet-in-the-middle attack on an NTRU private key. Technical report, NTRU Cryptosystems, June 2003
  16. Indyk, P., Motwani, R.: Approximate nearest neighbors: towards removing the curse of dimensionality. In: Proceedings of 30th Symposium on Theory of Computing (STOC 1998) (1998)
  17. Laarhoven, T.: Search problems in cryptography. Ph.D. thesis, Eindhoven University of Technology (2015)
  18. Laarhoven, T.: Sieving for shortest vectors in lattices using angular locality-sensitive hashing. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 3–22. Springer, Heidelberg (2015)
  19. Laarhoven, T., Mosca, M., van de Pol, J.: Finding shortest lattice vectors faster using quantum search. Des. Codes Crypt. 77(2–3), 375–400 (2015)
  20. Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 515–534 (1982)
  21. Nguyen, P.Q.: Hermite's constant and lattice algorithms. In: Nguyen, P., Vallée, B. (eds.) The LLL Algorithm. ISC, pp. 19–69. Springer, Heidelberg (2009)
  22. Nguyen, P.Q., Stehlé, D.: LLL on the average. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 238–256. Springer, Heidelberg (2006)
  23. Wang, H., Ma, Z., Ma, C.: An efficient quantum meet-in-the-middle attack against NTRU-2005. Chin. Sci. Bull. 58, 3514–3518 (2013)

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Koen de Boer (1)
  • Léo Ducas (1)
  • Stacey Jeffery (1, 2)
  • Ronald de Wolf (1, 2, 3)

  1. CWI, Amsterdam, The Netherlands
  2. QuSoft, Amsterdam, The Netherlands
  3. University of Amsterdam, Amsterdam, The Netherlands
