Broadcast Attacks against Lattice-Based Cryptosystems

  • Thomas Plantard
  • Willy Susilo
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5536)


In 1988, Håstad proposed the classical broadcast attack against public key cryptosystems. The scenario of a broadcast attack is as follows. The sender encrypts a single message for several recipients who hold different public keys. By observing the ciphertexts only, an attacker can derive the plaintext without any knowledge of any recipient's secret key. Håstad's attack was demonstrated on the RSA algorithm when low public exponents are used. In this paper, we consider the broadcast attack in lattice-based cryptography, which interestingly has never been studied in the literature. We present a general method to rewrite several lattice problems that share the same solution as a single, easier problem. Our method is obtained by intersecting lattices to gather the required knowledge. These problems are used in lattice-based cryptography and to model attacks on knapsack cryptosystems. In this work, we are able to present some attacks against both lattice and knapsack cryptosystems. Our attacks are heuristic. Nonetheless, these attacks are practical and extremely efficient. Interestingly, the merit of our attacks does not come from exploiting a weakness of the trapdoor, as is usually studied in the literature; we merely concentrate on the problem itself. As a result, our attacks have many security implications for most lattice-based or knapsack cryptosystems.


Keywords: Broadcast attack, lattice-based cryptosystem, knapsack cryptosystem, intersecting lattice



Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Thomas Plantard (1)
  • Willy Susilo (1)
  1. Centre for Computer and Information Security Research, School of Computer Science and Software Engineering, University of Wollongong, Australia
