Abstract
Aggarwal, Joux, Prakash and Santha recently introduced a new potentially quantum-safe public-key cryptosystem, and suggested that a brute-force attack is essentially optimal against it. They consider but then dismiss both Meet-in-the-Middle attacks and LLL-based attacks. Very soon after their paper appeared, Beunardeau et al. proposed a practical LLL-based technique that seemed to significantly reduce the security of the AJPS system. In this paper we do two things. First, we show that a Meet-in-the-Middle attack can also be made to work against the AJPS system, using locality-sensitive hashing to overcome the difficulty that Aggarwal et al. saw for such attacks. We also present a quantum version of this attack. Second, we give a more precise analysis of the attack of Beunardeau et al., confirming and refining their results.
Notes
- 1.
Numbers of the form \(N = 2^n-1\) with \(n \in \mathbb {N}\) are called Mersenne numbers. If, additionally, \(N = 2^n-1\) is prime, it is called a Mersenne prime. For the purposes of the AJPS cryptosystem, N doesn’t need to be prime, but n does.
- 2.
Random variable X majorizes random variable Y, if \(\mathbb {P}[X>t]\ge \mathbb {P}[Y>t]\) for all t.
References
Aggarwal, D., Joux, A., Prakash, A., Santha, M.: A new public-key cryptosystem via Mersenne numbers. Cryptology ePrint Archive, Report 2017/481 (2017). http://eprint.iacr.org/2017/481
Albrecht, M.R., Göpfert, F., Virdia, F., Wunderer, T.: Revisiting the expected cost of solving uSVP and applications to LWE. Cryptology ePrint Archive, Report 2017/815 (2017). https://eprint.iacr.org/2017/815
Ambainis, A.: Quantum search with variable times. Theory Comput. Syst. 47(3), 786–807 (2010)
Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. In: Proceedings of 27th Annual ACM-SIAM Symposium on Discrete Algorithms (SODA 2016), pp. 10–24 (2016)
Bernstein, D.J., Jeffery, S., Lange, T., Meurer, A.: Quantum algorithms for the subset sum problem. In: Proceedings of 5th International Conference on Post-Quantum Cryptography (PQCrypto 2013), pp. 16–33 (2013)
Beunardeau, M., Connolly, A., Géraud, R., Naccache, D.: On the hardness of the Mersenne low Hamming ratio assumption. In: Progress in Cryptology - LATINCRYPT 2017 (2017). http://eprint.iacr.org/2017/522
Boyer, M., Brassard, G., Høyer, P., Tapp, A.: Tight bounds on quantum searching. Fortschr. Phys. 46(4–5), 493–505 (1998)
Brassard, G., Høyer, P., Mosca, M., Tapp, A.: Quantum amplitude amplification and estimation. In: Quantum Computation and Quantum Information: A Millennium. AMS Contemporary Mathematics Series Millennium, vol. 305, pp. 53–74. AMS (2002)
Brassard, G., Høyer, P., Tapp, A.: Quantum algorithm for the collision problem. ACM SIGACT News 28, 14–19 (1997). arXiv:quant-ph/9705002
Gama, N., Nguyen, P.Q.: Predicting lattice reduction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 31–51. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_3
Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of 28th Annual ACM Symposium on the Theory of Computing (STOC 1996), pp. 212–219 (1996)
Hellman, M.: A cryptanalytic time-memory trade-off. IEEE Trans. Inf. Theory 26(4), 401–406 (1980)
Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054868
Howgrave-Graham, N.: A hybrid lattice-reduction and meet-in-the-middle attack against NTRU. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 150–169. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_9
Howgrave-Graham, N., Silverman, J.H., Whyte, W.: A meet-in-the-middle attack on an NTRU private key. Technical report, NTRU Cryptosystems, June 2003
Indyk, P., Motwani, R.: Approximate nearest neighbors: towards removing the curse of dimensionality. In: Proceedings of 30th Symposium on Theory of Computing (STOC 1998) (1998)
Laarhoven, T.: Search problems in cryptography. Ph.D. thesis, Eindhoven University of Technology (2015). http://www.thijs.com/docs/phd-final.pdf
Laarhoven, T.: Sieving for shortest vectors in lattices using angular locality-sensitive hashing. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 3–22. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_1
Laarhoven, T., Mosca, M., van de Pol, J.: Finding shortest lattice vectors faster using quantum search. Des. Codes Crypt. 77(2–3), 375–400 (2015)
Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 515–534 (1982)
Nguyen, P.Q.: Hermite’s constant and lattice algorithms. In: Nguyen, P., Vallée, B. (eds.) The LLL Algorithm. ISC, pp. 19–69. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02295-1_2
Nguyen, P.Q., Stehlé, D.: LLL on the average. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 238–256. Springer, Heidelberg (2006). https://doi.org/10.1007/11792086_18
Wang, H., Ma, Z., Ma, C.: An efficient quantum meet-in-the-middle attack against NTRU-2005. Chin. Sci. Bull. 58, 3514–3518 (2013)
Acknowledgments
The authors wish to thank David Naccache, Antoine Joux and Marc Beunardeau for helpful discussions, and the anonymous PQCrypto reviewers for useful feedback. LD is supported by a NWO Veni Innovational Research Grant under project number 639.021.645. SJ is supported by an NWO WISE Grant and an NWO Veni Innovational Research Grant under project number 639.021.752. RdW is partially supported by ERC Consolidator Grant 61530-QPROGRESS.
A Experiments
Since our MITM attack is not fully provable, because it relies on Heuristics 1 and 2, we provide some experimental verification. The Python scripts for these experiments are available at https://github.com/lducas/MiTM-Mersenne.
One tweak in our implementation is that when w is odd, we do not split our space into two exactly equal parts. Instead we choose \(w_1 = \lfloor w/2 \rfloor \), \(w_2 = w - w_1\), and then choose \(n_1, n_2\) (with \(n_1 + n_2 = n\)) such that \(\left( {\begin{array}{c}n_1\\ w_1\end{array}}\right) \approx \left( {\begin{array}{c}n_2\\ w_2\end{array}}\right) \). We also simulate the quantum case, where we choose \(w_1 = \lceil w/3 \rceil \), \(w_2 = w - w_1\), and then choose \(n_1, n_2\) such that \(\left( {\begin{array}{c}n_1\\ w_1\end{array}}\right) ^2 \approx \left( {\begin{array}{c}n_2\\ w_2\end{array}}\right) \). In both the classical and the quantum case, we set \(B = \lfloor \log _2 \left( {\begin{array}{c}n_1\\ w_1\end{array}}\right) \rfloor \).
A.1 Verification of Heuristic 2
We recall that Heuristic 2 states that the number of collisions \( c = |\{(g_1,g_2) \in S_1\times S_2: \mathcal {H}(g_1h)=\mathcal {H}(-g_2h)\}|\) is approximately \(c' = |S_1|\cdot |S_2| \cdot 2^{-B}\). We measure the ratio \(r = c / c'\) experimentally, over 100 samples for each dimension n. Infrequently this ratio gets as large as 3, but in 90% of the experiments it was very close to 1. Figure 1 below shows the \(9^{th}\) decile of r as n grows.
A.2 Running time and success probability
In Figs. 2 and 3, we report on the practical efficiency of our attack and compare it to our heuristic prediction. Note that in the quantum regime, the success probability of this MITM attack in practice is sometimes significantly larger than the theoretical prediction. This is most likely due to the fact that our analysis is done for one particular solution, while certain rotations of the same key may be found as well if its bits are properly balanced with respect to the split \(\mathbb F_2^n = G_1 \oplus G_2\).
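The following is an added, self-contained illustration of the three points above (the balanced split of Appendix A, the collision count of Heuristic 2, and the repeated-hash search of A.2) on a toy instance; it is not the authors' script from the repository linked above. It assumes a projection-style locality-sensitive hash, namely the bits of \(x \bmod N\) at B randomly chosen positions, which collides for the genuine pair \(g_1 h = f + (-g_2 h) \bmod N\) whenever those positions avoid the support of f and the carry chains it triggers; the exact hash family of the paper is not reproduced here. The key is constructed so that the secret g splits along \(G_1 \oplus G_2\) with exactly \(w_1\) ones in the first \(n_1\) bits, which is the assumption under which the single-solution analysis applies. The parameters n = 31 (prime, as Note 1 requires) and w = 4 are chosen only so that the run finishes in seconds.

```python
import math
import random
from itertools import combinations


def hamming_weight(x):
    return bin(x).count("1")


def mitm_split(n, w, quantum=False):
    """Parameter choice of Appendix A.

    Classically w1 = floor(w/2); in the quantum simulation w1 = ceil(w/3).
    n1 (and n2 = n - n1) is chosen so that the two halves are balanced:
    C(n1,w1) ~ C(n2,w2) classically, C(n1,w1)^2 ~ C(n2,w2) quantumly
    (closest in log scale, smallest n1 on ties).  B = floor(log2 C(n1,w1)).
    """
    w1 = -(-w // 3) if quantum else w // 2
    w2 = w - w1
    exponent = 2 if quantum else 1
    best_n1, best_diff = None, None
    for n1 in range(w1, n - w2 + 1):
        diff = abs(exponent * math.log(math.comb(n1, w1))
                   - math.log(math.comb(n - n1, w2)))
        if best_diff is None or diff < best_diff:
            best_n1, best_diff = n1, diff
    B = math.comb(best_n1, w1).bit_length() - 1
    return best_n1, n - best_n1, w1, w2, B


def weight_w_elements(positions, weight):
    """All integers whose binary ones are exactly `weight` of the given positions."""
    return [sum(1 << p for p in sub) for sub in combinations(positions, weight)]


def make_toy_key(n, n1, w1, w2, rng):
    """Constructed AJPS-style key: N = 2^n - 1, f and g of weight w = w1 + w2,
    h = f * g^(-1) mod N.  Assumption of this demo: g has exactly w1 ones in
    bits 0..n1-1 and w2 ones in bits n1..n-1, so it splits along G1 + G2
    (a random key only does so with some probability, cf. the rotation remark)."""
    N = (1 << n) - 1
    while True:
        g = (sum(1 << p for p in rng.sample(range(n1), w1))
             + sum(1 << p for p in rng.sample(range(n1, n), w2)))
        if math.gcd(g, N) == 1:
            break
    f = sum(1 << p for p in rng.sample(range(n), w1 + w2))
    h = f * pow(g, -1, N) % N
    return N, h, f, g


def projection_hash(x, bit_positions):
    """Assumed LSH: the bits of x at B fixed random positions.  For the genuine
    pair, g1*h and -g2*h (mod N) differ only on supp(f) plus carry chains,
    so they collide whenever the B positions avoid those bits."""
    return tuple((x >> p) & 1 for p in bit_positions)


def mitm_attack(N, h, n, n1, w1, w2, B, rng, max_rounds=1000):
    """Meet-in-the-middle search for g of weight w with HW(g*h mod N) <= w.

    Each round draws fresh hash positions, tabulates H(g1*h) over S1, looks up
    H(-g2*h) for every g2 in S2 and tests each colliding candidate g = g1 + g2.
    Returns (g or None, rounds used, r = c / c') with c the number of collisions
    in the last round and c' = |S1| |S2| 2^-B as predicted by Heuristic 2.
    """
    w = w1 + w2
    S1 = weight_w_elements(range(n1), w1)
    S2 = weight_w_elements(range(n1, n), w2)
    c_predicted = len(S1) * len(S2) / 2 ** B
    c = 0
    for rnd in range(1, max_rounds + 1):
        pos = rng.sample(range(n), B)
        table = {}
        for g1 in S1:
            table.setdefault(projection_hash(g1 * h % N, pos), []).append(g1)
        c, found = 0, None
        for g2 in S2:
            for g1 in table.get(projection_hash(-g2 * h % N, pos), ()):
                c += 1
                g = g1 + g2
                if found is None and hamming_weight(g * h % N) <= w:
                    found = g
        if found is not None:
            return found, rnd, c / c_predicted
    return None, max_rounds, c / c_predicted


def run_experiment(n=31, w=4, seed=1, quantum=False):
    """One end-to-end run on a toy instance (seeded, so it is reproducible)."""
    n1, n2, w1, w2, B = mitm_split(n, w, quantum)
    rng = random.Random(seed)
    N, h, f, g = make_toy_key(n, n1, w1, w2, rng)
    found, rounds, r = mitm_attack(N, h, n, n1, w1, w2, B, rng)
    valid = (found is not None and hamming_weight(found) == w
             and hamming_weight(found * h % N) <= w)
    return {"n1": n1, "n2": n2, "w1": w1, "w2": w2, "B": B, "secret_g": g,
            "found_g": found, "rounds": rounds, "ratio": r, "valid": valid}


if __name__ == "__main__":
    print(run_experiment())
```

The number of rounds reported is the practical counterpart of the success probability discussed above: one round succeeds only when all B sampled positions miss the bits on which \(g_1 h\) and \(-g_2 h\) disagree, so on this toy instance roughly one round in ten finds the key, and the ratio r of the last round is what A.1 measures.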
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
Cite this paper
de Boer, K., Ducas, L., Jeffery, S., de Wolf, R. (2018). Attacks on the AJPS Mersenne-Based Cryptosystem. In: Lange, T., Steinwandt, R. (eds) Post-Quantum Cryptography. PQCrypto 2018. Lecture Notes in Computer Science, vol 10786. Springer, Cham. https://doi.org/10.1007/978-3-319-79063-3_5
DOI: https://doi.org/10.1007/978-3-319-79063-3_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-79062-6
Online ISBN: 978-3-319-79063-3