Cryptanalysis of the Ajtai-Dwork cryptosystem

  • Phong Nguyen
  • Jacques Stern
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1462)


Recently, Ajtai discovered a fascinating connection between the worst-case complexity and the average-case complexity of some well-known lattice problems. Later, Ajtai and Dwork proposed a cryptosystem inspired by Ajtai's work, provably secure if a particular lattice problem is difficult in the worst case. We present a heuristic attack (to recover the private key) against this celebrated cryptosystem. Experiments with this attack suggest that, in order to be secure, implementations of the Ajtai-Dwork cryptosystem would require very large keys, making it impractical in a real-life environment. We also adopt a theoretical point of view: we show that there is a converse to the Ajtai-Dwork security result, by reducing the question of distinguishing encryptions of one from encryptions of zero to approximating some lattice problems. In particular, this settles the open question regarding the NP-hardness of the Ajtai-Dwork cryptosystem: combined with a recent result of Goldreich and Goldwasser, our result shows that breaking the Ajtai-Dwork cryptosystem is not NP-hard, assuming the polynomial-time hierarchy does not collapse.





Copyright information

© Springer-Verlag Berlin Heidelberg 1998

Authors and Affiliations

  • Phong Nguyen (1)
  • Jacques Stern (1)
  1. Laboratoire d'Informatique, École Normale Supérieure, Paris Cedex 05
