Practical Cryptanalysis of a Public-Key Encryption Scheme Based on New Multivariate Quadratic Assumptions

  • Martin R. Albrecht
  • Jean-Charles Faugère
  • Robert Fitzpatrick
  • Ludovic Perret
  • Yosuke Todo
  • Keita Xagawa
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8383)


In this paper, we investigate the security of a public-key encryption scheme introduced by Huang, Liu and Yang (HLY) at PKC’12. The security of this scheme can be provably reduced to the hardness of solving a set of quadratic equations whose highest-degree coefficients are drawn from a discrete Gaussian distribution, the remaining terms being chosen uniformly at random. This problem is a variant of the classical problem of solving a system of non-linear equations (PoSSo), which is known to be hard for random systems. The main hypothesis of Huang, Liu and Yang is that their variant is no easier than solving PoSSo for random instances. In this paper, we disprove this hypothesis. To this end, we exploit the fact that the new problem proposed by Huang, Liu and Yang reduces to an easy instance of the Learning With Errors (LWE) problem. The main contribution of this paper is to show that security and efficiency are essentially incompatible for the HLY proposal: one cannot find parameters which yield a scheme that is both secure and practical. For instance, we estimate that a public key of at least \(1.03~\textnormal{GB}\) is required to achieve 80-bit security against the simplest of our attacks. As a proof of concept, we present 3 practical attacks against all the parameters proposed by Huang, Liu and Yang. With the most efficient attack, we have been able to recover the private key in roughly 5 minutes for the first challenge (i.e. Case 1) proposed by HLY and in less than 30 minutes for the second challenge (i.e. Case 2).


Keywords: Lattice Reduction, Homomorphic Encryption, Dual Lattice, Modulus Reduction, Short Vector



Copyright information

© International Association for Cryptologic Research 2014

Authors and Affiliations

  • Martin R. Albrecht (1)
  • Jean-Charles Faugère (2, 3, 4)
  • Robert Fitzpatrick (5)
  • Ludovic Perret (2, 3, 4)
  • Yosuke Todo (6)
  • Keita Xagawa (6)

  1. Technical University of Denmark, Denmark
  2. POLSYS, UMR 7606, LIP6, Sorbonne Universités, UPMC Univ Paris 06, Paris, France
  3. Paris-Rocquencourt Center, POLSYS Project, INRIA, France
  4. UMR 7606, LIP6, CNRS, Paris, France
  5. Information Security Group, Royal Holloway, University of London, Egham, United Kingdom
  6. NTT Secure Platform Laboratories, Japan
