# Cryptanalysis of the Ajtai-Dwork cryptosystem

## Abstract

Recently, Ajtai discovered a fascinating connection between the worst-case complexity and the average-case complexity of some well-known lattice problems. Later, Ajtai and Dwork proposed a cryptosystem inspired by Ajtai's work, provably secure if a particular lattice problem is difficult in the worst case. We present a heuristic attack that recovers the private key of this celebrated cryptosystem. Experiments with this attack suggest that, in order to be secure, implementations of the Ajtai-Dwork cryptosystem would require very large keys, making it impractical in a real-life environment. We also adopt a theoretical point of view: we show that there is a converse to the Ajtai-Dwork security result, by reducing the question of distinguishing encryptions of one from encryptions of zero to approximating some lattice problems. In particular, this settles the open question regarding the NP-hardness of the Ajtai-Dwork cryptosystem: combined with a recent result of Goldreich and Goldwasser, our result shows that breaking the Ajtai-Dwork cryptosystem is not NP-hard, assuming the polynomial-time hierarchy does not collapse.
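The abstract summarises the cryptosystem without describing it. The toy model below is an added example, not code from the paper or from the original page: it models the hidden-hyperplane structure behind the Ajtai-Dwork private key and shows why recovering that key (the goal of the heuristic attack described above) turns the decryption rule into a perfect distinguisher of encryptions of 0 from encryptions of 1, while an unrelated direction learns nothing. The private key is a secret direction u; every public vector lies very close to one of the parallel hyperplanes {x : <u, x> = k} for integer k; an encryption of 0 is a subset sum of public vectors (so it also lies near such a hyperplane) and an encryption of 1 is a random point. All parameters (N, M, SCALE, NOISE), the omission of the parallelepiped reduction used by the real scheme, and every function name are assumptions of this example, and the dimension is far too small to say anything about security.

```python
import math
import random

# Parameters of this toy model (assumed for illustration only; a real
# Ajtai-Dwork key uses a far larger dimension and many more vectors).
N = 8          # dimension of the ambient space
M = 40         # number of public vectors
SCALE = 50.0   # public vectors are drawn from the cube [-SCALE, SCALE]^N
NOISE = 0.005  # maximum distance of a public vector from its hyperplane
# A sum of any subset of the M public vectors sits within M*NOISE = 0.2 < 0.25
# of an integer hyperplane, so in this toy an encryption of 0 never
# decrypts incorrectly.


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def random_unit_vector(rng):
    v = [rng.gauss(0.0, 1.0) for _ in range(N)]
    norm = math.sqrt(dot(v, v))
    return [x / norm for x in v]


def keygen(rng):
    """Private key: a hidden unit direction u.  Public key: M points, each
    within NOISE of one of the parallel hyperplanes {x : <u, x> = k}, k integer."""
    u = random_unit_vector(rng)
    pub = []
    for _ in range(M):
        x = [rng.uniform(-SCALE, SCALE) for _ in range(N)]
        t = dot(u, x)
        k = round(t)
        e = rng.uniform(-NOISE, NOISE)
        # Slide x along u until <u, v> = k + e (exact because |u| = 1).
        v = [xi - (t - k - e) * ui for xi, ui in zip(x, u)]
        pub.append(v)
    return u, pub


def max_offset(u, pub):
    """Largest distance of any public vector from its nearest hyperplane."""
    return max(abs(dot(u, v) - round(dot(u, v))) for v in pub)


def encrypt(pub, bit, rng):
    """Bit 0: the sum of a random subset of the public vectors, which stays
    near an integer hyperplane.  Bit 1: a random point of comparable size.
    (The real scheme also reduces both modulo a public parallelepiped;
    that step is omitted in this toy.)"""
    if bit == 0:
        c = [0.0] * N
        for v in pub:
            if rng.random() < 0.5:
                c = [ci + vi for ci, vi in zip(c, v)]
        return c
    return [rng.uniform(-M * SCALE / 2, M * SCALE / 2) for _ in range(N)]


def decrypt(u, c):
    """Output 0 if <u, c> is within 1/4 of an integer, else 1."""
    t = dot(u, c)
    return 0 if abs(t - round(t)) < 0.25 else 1


def zero_rate(u, pub, bit, trials, rng):
    """Fraction of fresh encryptions of `bit` that decrypt to 0 under direction u."""
    hits = sum(1 for _ in range(trials) if decrypt(u, encrypt(pub, bit, rng)) == 0)
    return hits / trials


def demo(seed=1, trials=500):
    """Seeded experiment: how well the true direction u and an unrelated
    random direction separate encryptions of 0 from encryptions of 1."""
    rng = random.Random(seed)
    u, pub = keygen(rng)
    wrong = random_unit_vector(rng)
    return {
        "max_offset": max_offset(u, pub),                        # <= NOISE by construction
        "true_key_bit0": zero_rate(u, pub, 0, trials, rng),      # 1.0: every 0 decrypts
        "true_key_bit1": zero_rate(u, pub, 1, trials, rng),      # about 0.5: half the 1s look like 0
        "wrong_key_bit0": zero_rate(wrong, pub, 0, trials, rng), # about 0.5: nothing without u
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15s} {value:.3f}")
```

With the true direction, every encryption of 0 decrypts correctly, whereas a random point (an encryption of 1) lands within 1/4 of an integer hyperplane about half the time; this is the decryption-error issue that reference 15 addresses. Without u, a subset sum of public vectors is indistinguishable from a random point in this test, which is why key recovery is a total break: the secret direction is the only thing that makes the hyperplane structure visible.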

## Keywords

Short Vector, Multinomial Formula, Close Vector Problem, Lattice Reduction Algorithm

## References

- 1. L. M. Adleman. On breaking generalized knapsack public key cryptosystems. In *Proc. 15th ACM STOC*, pages 402–412, 1983.
- 2. M. Ajtai. Generating hard instances of lattice problems. In *Proc. 28th ACM STOC*, pages 99–108, 1996. Available at [11] as TR96-007.
- 3. M. Ajtai. The shortest vector problem in *L*_{2} is NP-hard for randomized reductions. In *Proc. 30th ACM STOC*, 1998. Available at [11] as TR97-047.
- 4. M. Ajtai and C. Dwork. A public-key cryptosystem with worst-case/average-case equivalence. In *Proc. 29th ACM STOC*, pages 284–293, 1997. Available at [11] as TR96-065.
- 5. S. Arora, L. Babai, J. Stern, and Z. Sweedyk. The hardness of approximate optima in lattices, codes, and systems of linear equations. *Journal of Computer and System Sciences*, 54(2):317–331, 1997.
- 6. L. Babai. On Lovász lattice reduction and the nearest lattice point problem. *Combinatorica*, 6:1–13, 1986.
- 7. E. Brickell. Breaking iterated knapsacks. In *Proc. CRYPTO'84*, volume 196 of *LNCS*, pages 342–358, 1985.
- 8. J.-Y. Cai and A. P. Nerurkar. An improved worst-case to average-case connection for lattice problems. In *Proc. 38th IEEE FOCS*, pages 468–477, 1997.
- 9. D. Coppersmith. Small solutions to polynomial equations, and low exponent RSA vulnerabilities. *J. of Cryptology*, 10(4):233–260, 1997.
- 10. M. J. Coster, A. Joux, B. A. LaMacchia, A. M. Odlyzko, C.-P. Schnorr, and J. Stern. Improved low-density subset sum algorithms. *Computational Complexity*, 2:111–128, 1992.
- 11. ECCC. The Electronic Colloquium on Computational Complexity. http://www.eccc.uni-trier.de/eccc/.
- 12. P. van Emde Boas. Another NP-complete problem and the complexity of computing short vectors in a lattice. Technical Report 81-04, Mathematische Instituut, University of Amsterdam, 1981.
- 13. O. Goldreich. *Foundations of Cryptography (Fragments of a Book)*. Weizmann Institute of Science, 1995. Available at [11].
- 14. O. Goldreich and S. Goldwasser. On the limits of non-approximability of lattice problems. In *Proc. 30th ACM STOC*, 1998. Available at [11] as TR97-031.
- 15. O. Goldreich, S. Goldwasser, and S. Halevi. Eliminating decryption errors in the Ajtai-Dwork cryptosystem. In *Proc. of Crypto'97*, volume 1294 of *LNCS*, pages 105–111. Springer-Verlag, 1997. Available at [11] as TR97-018.
- 16. A. Joux and J. Stern. Lattice reduction: a toolbox for the cryptanalyst. To appear in *J. of Cryptology*.
- 17. J. C. Lagarias and A. M. Odlyzko. Solving low-density subset sum problems. In *Proc. 24th IEEE FOCS*, pages 1–10. IEEE, 1983.
- 18. A. K. Lenstra, H. W. Lenstra, and L. Lovász. Factoring polynomials with rational coefficients. *Math. Ann.*, 261:515–534, 1982.
- 19. P. Nguyen and J. Stern. Merkle-Hellman revisited: a cryptanalysis of the Qu-Vanstone cryptosystem based on group factorizations. In *Proc. of Crypto '97*, volume 1294 of *LNCS*, pages 198–212. Springer-Verlag, 1997.
- 20. P. Nguyen and J. Stern. A converse to the Ajtai-Dwork security proof and its cryptographic implications. Technical Report TR98-010, ECCC, 1998. Revision available at [11].
- 21. C.-P. Schnorr. A hierarchy of polynomial lattice basis reduction algorithms. *Theoretical Computer Science*, 53:201–224, 1987.
- 22. A. Shamir. A polynomial time algorithm for breaking the basic Merkle-Hellman cryptosystem. In *Proc. 23rd IEEE FOCS*, pages 145–152, 1982.
- 23. V. Shoup. Number Theory C++ Library (NTL) version 2.0. http://www.cs.wisc.edu/~shoup/ntl/.
- 24. J. Stern. Secret linear congruential generators are not cryptographically secure. In *Proc. 28th IEEE FOCS*, pages 421–426, 1987.