Abstract
Recently, Ajtai discovered a fascinating connection between the worst-case complexity and the average-case complexity of some wellknown lattice problems. Later, Ajtai and Dwork proposed a cryptosystem inspired by Ajtai's work, provably secure if a particular lattice problem is difficult in the worst-case. We present a heuristic attack (to recover the private key) against this celebrated cryptosystem. Experiments with this attack suggest that in order to be secure, implementations of the Ajtai-Dwork cryptosystem would require very large keys, making it impractical in a real-life environment. We also adopt a theoretical point of view: we show that there is a converse to the Ajtai-Dwork security result, by reducing the question of distinguishing encryptions of one from encryptions of zero to approximating some lattice problems. In particular, this settles the open question regarding the NP-hardness of the Ajtai-Dwork cryptosystem: from a recent result of Goldreich and Goldwasser, our result shows that breaking the Ajtai-Dwork cryptosystem is not NP-hard, assuming the polynomial-time hierarchy does not collapse.
Chapter PDF
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
L. M. Adleman. On breaking generalized knapsack public key cryptosystems. In Proc. 15th ACMSTOC, pages 402–412, 1983.
M. Ajtai. Generating hard instances of lattice problems. In Proc. 28th ACM STOC, pages 99–108, 1996. Available at [11] as TR96-007.
M. Ajtai. The shortest vector problem in L 2 is NP-hard for randomized reductions. In Proc. 30th ACM STOC, 1998. Available at [11] as TR97-047.
M. Ajtai and C. Dwork. A public-key cryptosystem with worst-case/average-case equivalence. In Proc. 29th ACM STOC, pages 284–293, 1997. Available at [11] as TR96-065.
S. Arora, L. Babai, J. Stern, and Z. Sweedyk. The hardness of approximate optima in lattices, codes, and systems of linear equations. Journal of Computer and System Sciences, 54(2):317–331, 1997.
L. Babai. On Lovász lattice reduction and the nearest lattice point problem. Combinatorica, 6:1–13, 1986.
E. Brickell. Breaking iterated knapsacks. In Proc. CRYPTO'84, volume 196 of LNCS, pages 342–358, 1985.
J.-Y. Cai and A. P. Nerurkar. An improved worst-case to average-case connection for lattice problems. In Proc. 38th IEEE FOCS, pages 468–477, 1997.
D. Coppersmith. Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. of Cryptology, 10(4):233–260, 1997.
M.J. Coster, A. Joux, B.A. LaMacchia, A.M. Odlyzko, C.-P. Schnorr, and J. Stern. Improved low-density subset sum algorithms. Computational Complexity, 2:111–128, 1992.
ECCC. http://www.eccc.uni-trier.de/eccc/. The Electronic Colloquium on Computational Complexity.
P. van Emde Boas. Another NP-complete problem and the complexity of computing short vectors in a lattice. Technical report, Mathematische Instituut, University of Amsterdam, 1981. Report 81-04.
O. Goldreich. Foundations of Cryptography (Fragments of a Book). Weizmann Institute of Science, 1995. Available at [11].
O. Goldreich and S. Goldwasser. On the limits of non-approximability of lattice problems. In Proc. 30th ACM STOC, 1998. Available at [11] as TR97-031.
O. Goldreich, S. Goldwasser, and S. Halevi. Eliminating decryption errors in the Ajtai-Dwork cryptosystem. In Proc. of Crypto'97, volume 1294 of LNCS, pages 105–111. Springer-Verlag, 1997. Available at [11] as TR97-018.
A. Joux and J. Stern. Lattice reduction: a toolbox for the cryptanalyst. (to appear in J. of Cryptology).
J.C. Lagarias and A.M. Odlyzko. Solving low-density subset sum problems. In Proc. 24th IEEE FOCS, pages 1–10. IEEE, 1983.
A. K. Lenstra, H. W. Lenstra, and L. Lovász. Factoring polynomials with rational coefficients. Math. Ann., 261:515–534, 1982.
P. Nguyen and J. Stern. Merkle-Hellman revisited: a cryptanalysis of the Qu-Vanstone cryptosystem based on group factorizations. In Proc. of Crypto '97, volume 1294 of LNCS, pages 198–212. Springer-Verlag, 1997.
P. Nguyen and J. Stern. A converse to the Ajtai-Dwork security proof and its cryptographic implications. Technical Report TR98-010, ECCC, 1998. Revision available at [11].
C.-P. Schnorr. A hierarchy of polynomial lattice basis reduction algorithms. Theoretical Computer Science, 53:201–224, 1987.
A. Shamir. A polynomial time algorithm for breaking the basic Merkle-Hellman cryptosystem. In Proc. 23rd IEEE FOCS, pages 145–152, 1982.
V. Shoup. Number Theory C++ Library (NTL) version 2.0. Can be obtained at http://www.cs.wisc.edu/~shoup/ntl/.
J. Stern. Secret linear congruential generators are not cryptographically secure. In Proc. 28th IEEE FOCS, pages 421–426, 1987.
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 1998 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Nguyen, P., Stern, J. (1998). Cryptanalysis of the Ajtai-Dwork cryptosystem. In: Krawczyk, H. (eds) Advances in Cryptology — CRYPTO '98. CRYPTO 1998. Lecture Notes in Computer Science, vol 1462. Springer, Berlin, Heidelberg. https://doi.org/10.1007/BFb0055731
Download citation
DOI: https://doi.org/10.1007/BFb0055731
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-64892-5
Online ISBN: 978-3-540-68462-6
eBook Packages: Springer Book Archive