Attacks on the AJPS Mersenne-Based Cryptosystem
Aggarwal, Joux, Prakash and Santha recently introduced a new potentially quantum-safe public-key cryptosystem, and suggested that a brute-force attack is essentially optimal against it. They consider but then dismiss both Meet-in-the-Middle attacks and LLL-based attacks. Very soon after their paper appeared, Beunardeau et al. proposed a practical LLL-based technique that seemed to significantly reduce the security of the AJPS system. In this paper we do two things. First, we show that a Meet-in-the-Middle attack can also be made to work against the AJPS system, using locality-sensitive hashing to overcome the difficulty that Aggarwal et al. saw for such attacks. We also present a quantum version of this attack. Second, we give a more precise analysis of the attack of Beunardeau et al., confirming and refining their results.
The authors wish to thank David Naccache, Antoine Joux and Marc Beunardeau for helpful discussions, and the anonymous PQCrypto reviewers for useful feedback. LD is supported by a NWO Veni Innovational Research Grant under project number 639.021.645. SJ is supported by an NWO WISE Grant and an NWO Veni Innovational Research Grant under project number 639.021.752. RdW is partially supported by ERC Consolidator Grant 61530-QPROGRESS.
- 1.Aggarwal, D., Joux, A., Prakash, A., Santha, M.: A new public-key cryptosystem via Mersenne numbers. Cryptology ePrint Archive, Report 2017/481 (2017). http://eprint.iacr.org/2017/481
- 2.Albrecht, M.R., Göpfert, F., Virdia, F., Wunderer, T.: Revisiting the expected cost of solving uSVP and applications to LWE. Cryptology ePrint Archive, Report 2017/815 (2017). https://eprint.iacr.org/2017/815
- 4.Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. In: Proceedings of 27th Annual ACM-SIAM Symposium on Discrete Algorithms (SODA 2016), pp. 10–24 (2016)Google Scholar
- 5.Bernstein, D.J., Jeffery, S., Lange, T., Meurer, A.: Quantum algorithms for the subset sum problem. In: Proceedings of 5th International Conference on Post-Quantum Cryptography (PQCrypto 2013), pp. 16–33 (2013)Google Scholar
- 6.Beunardeau, M., Connolly, A., Géraud, R., Naccache, D.: On the hardness of the Mersenne low Hamming ratio assumption. In: Progress in Cryptology - LATINCRYPT 2017 (2017). http://eprint.iacr.org/2017/522
- 8.Brassard, G., Høyer, P., Mosca, M., Tapp, A.: Quantum amplitude amplification and estimation. In: Quantum Computation and Quantum Information: A Millennium. AMS Contemporary Mathematics Series Millennium, vol. 305, pp. 53–74. AMS (2002)Google Scholar
- 11.Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of 28th Annual ACM Symposium on the Theory of Computing (STOC 1996), pp. 212–219 (1996)Google Scholar
- 15.Howgrave-Graham, N., Silverman, J.H., Whyte, W.: A meet-in-the-middle attack on an NTRU private key. Technical report, NTRU Cryptosystems, June 2003Google Scholar
- 16.Indyk, P., Motwani, R.: Approximate nearest neighbors: towards removing the curse of dimensionality. In: Proceedings of 30th Symposium on Theory of Computing (STOC 1998) (1998)Google Scholar
- 17.Laarhoven, T.: Search problems in cryptography. Ph.D. thesis, Eindhoven University of Technology (2015). http://www.thijs.com/docs/phd-final.pdf