Practical Cryptanalysis of a Public-Key Encryption Scheme Based on Non-linear Indeterminate Equations at SAC 2017

  • Keita Xagawa
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10786)


We investigate the security of a public-key encryption scheme, the Indeterminate Equation Cryptosystem (IEC), introduced by Akiyama, Goto, Okumura, Takagi, Nuida, and Hanaoka at SAC 2017 as post-quantum cryptography. They gave two parameter sets PS1 \((n,p,\deg X,q) = (80,3,1,921601)\) and PS2 \((n,p,\deg X,q) = (80,3,2,58982400019)\).

The paper gives practical key-recovery and message-recovery attacks against those parameter sets of IEC through lattice basis-reduction algorithms. We exploit the fact that \(n = 80\) is composite and adopt the idea of Gentry’s attack against NTRU-Composite (EUROCRYPT2001) to this setting. The summary of our attacks follows:
  • On PS1, we recover 84 private keys from 100 public keys in 30–40 s per key.

  • On PS1, we recover partial information of all message from 100 ciphertexts in a second per ciphertext.

  • On PS2, we recover partial information of all message from 100 ciphertexts in 30 s per ciphertext.

Moreover, we also give message-recovery and distinguishing attacks against the parameter sets with prime n, say, \(n = 83\). We exploit another subring to reduce the dimension of lattices in our lattice-based attacks and our attack succeeds in the case of \(\deg X = 2\).

  • For PS2’ \((n,p,\deg X,q) = (83,3,2,68339982247)\), we recover 7 messages from 10 random ciphertexts within 61,000 s \(\approx \) 17 h per ciphertext.

  • Even for larger n, we can find short vectors from lattices to break the underlying assumption of IEC. In our experiment, we can found such vector within 330,000 s \(\approx \) 4 days for \(n = 113\).


Public-key encryption Indeterminate Equations Cryptosystem Post-quantum cryptography 



The author would like to thank Akiyama, Goto, Okumura, Takagi, Nuida, and Hanaoka for their kindness and fruitful discussions. The author would like to thank anonymous reviewers of PQCrypto 2018 for their valuable comments. The author finally would like to thank the XFARM Team for providing their could.

Supplementary material


  1. [ADPS16]
    Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: Holz, T., Savage, S. (eds.) USENIX Security Symposium 2016, pp. 327–343. USENIX Association (2016).
  2. [AG06]
    Akiyama, K., Goto, Y.: A public-key cryptosystem using algebraic surfaces. In: PQCrypto 2006, pp. 119–138 (2006).
  3. [AGM09]
    Akiyama, K., Goto, Y., Miyake, H.: An algebraic surface cryptosystem. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 425–442. Springer, Heidelberg (2009). Scholar
  4. [AGO+17a]
    Akiyama, K., Goto, Y., Okumura, S., Takagi, T., Nuida, K., Hanaoka, G., Shimizu, H., Ikematsu, Y.: Giophantus. Technical report, National Institute of Standards and Technology (2017).
  5. [AGO+17b]
    Akiyama, K., Goto, Y., Okumura, S., Takagi, T., Nuida, K., Hanaoka, G., Shimizu, H., Ikematsu, Y.: A public-key encryption scheme based on non-linear indeterminate equations (Giophantus). Cryptology ePrint Archive, Report 2017/1241 (2017).
  6. [AGO+18]
    Akiyama, K., Goto, Y., Okumura, S., Takagi, T., Nuida, K., Hanaoka, G.: A public-key encryption scheme based on non-linear indeterminate equations. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 215–234. Springer, Cham (2018). Scholar
  7. [AGVW17]
    Albrecht, M.R., Göpfert, F., Virdia, F., Wunderer, T.: Revisiting the expected cost of solving uSVP and applications to LWE. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 297–322. Springer, Cham (2017). Scholar
  8. [Aki17]
    Akiyama, K.: Private communication, 04 October 2017Google Scholar
  9. [BDGL15]
    Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. IACR Cryptology ePrint Archive 2015:1128 (2015)Google Scholar
  10. [Che13]
    Chen, Y.: Réduction de réseau et sécurité concrète du chiffrement complètement homomorphe. Ph.D. thesis, Thèse de doctorat dirigée par Nguyen, Phong-Quang Informatique Paris 7 (2013)Google Scholar
  11. [CS97]
    Coppersmith, D., Shamir, A.: Lattice attacks on NTRU. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 52–61. Springer, Heidelberg (1997). Scholar
  12. [Gen01]
    Gentry, C.: Key recovery and message attacks on NTRU-composite. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 182–194. Springer, Heidelberg (2001). Scholar
  13. [GPV08]
    Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Dwork, C. (ed.) STOC 2008, pp. 197–206. ACM (2008).
  14. [Sil01]
    Silverman, J.H.: Wraps, gaps, and lattice constants. Technical report 11, version 2, NTRU Cryptosystems (2001)Google Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. 1.NTT Secure Platform LaboratoriesMusashino-shiJapan

Personalised recommendations