At Crypto 2018, Aggarwal, Joux, Prakash and Santha (AJPS) described a new public-key encryption scheme based on Mersenne numbers. Shortly after the publication of the cryptosystem, Beunardeau et al. described an attack with complexity 𝓞(2^{2h}). In this paper, we describe an improved attack with complexity 𝓞(2^{1.75h}).

MSC 2010:
94A60

At Crypto 2018, Aggarwal, Joux, Prakash and Santha (AJPS) described a new public-key encryption scheme based on arithmetic modulo Mersenne numbers [2]. A Mersenne prime is a prime integer *p* of the form *p* = 2^{n} − 1, where *n* is a prime. The arithmetic modulo *p* has good properties, and one can establish a correspondence between integers modulo *p* and binary strings of length *n*, up to 0^{n} ∼ 1^{n}. In particular, one can define the *Hamming weight* of a number as the Hamming weight of the unique binary string associated to it, i.e. the number of ones in its binary representation. In the earliest version of their work, the authors presented a public-key encryption scheme (AJPS-1) somewhat similar to the NTRU cryptosystem, but based on a new assumption, the *Mersenne low Hamming ratio assumption*. Its security relies on the following assumption: given *H* = *F*/*G* mod *p*, where the binary representation of *F* and *G* modulo *p* has low Hamming weight, then *H* looks pseudorandom; namely, it is hard to distinguish *H* from a random integer modulo *p*.

Even though the authors claimed that the known lattice attacks against NTRU would not apply, very soon, Beunardeau et al. [3] described a lattice-based attack against the first AJPS proposal. The attack complexity is 𝓞(2^{2h}), where *h* is the Hamming weight of *F* and *G*. The attack was further analyzed in [4]; the authors also described a meet-in-the-middle attack against AJPS-1 based on locality-sensitive hash functions to obtain collisions; they showed that the lattice attack from [3] is more efficient.

Since AJPS-1 allows to encrypt only a single bit at a time, it is not very efficient. However, in a later version of the article, published at Crypto 2018 [2], Aggarwal et al. described a variant (AJPS-2) that encrypts many bits at a time, with much larger security parameters to prevent the lattice attack.

In this paper, we describe a variant of the Beunardeau et al. attack against AJPS-2, with improved complexity 𝓞(2^{1.75h}) instead of 𝓞(2^{2h}). Instead of recovering the private key, our attack only breaks the indistinguishability of ciphertexts.

In this section, we recall the two versions of the AJPS cryptosystems; see [2] for further details.

Let *p* = 2^{n} − 1 be a Mersenne prime, where *n* itself is prime. Let *h* be an integer. Let *F* and *G* be two random integers modulo *p* with Hamming weight *h* such that 4*h*^{2} < *n* ≤ 16*h*^{2}. Then the public key is pk = *H* = *F*/*G* mod *p* and the private key is sk = *G*. To encrypt, choose two random integers *A* and *B* of Hamming weight *h*. Encrypt the bit *b* as

To decrypt, compute *d* = Ham(*C* ⋅ *G*). Output 0 if *d* ≤ 2*h*^{2}; otherwise, output 1.

Decryption works because

which has Hamming weight at most 2*h*^{2} if *b* = 0, and at least *n* − 2*h*^{2} if *b* = 1. Namely, for any number *x* of Hamming weight *h*, the integer *x* ⋅ 2^{z} mod *p* for *z* ≥ 0 is a cyclic shift of *x*, and therefore its Hamming weight remains unchanged. Therefore, the Hamming weight of *A* ⋅ *F* is at most *h*^{2}, and the Hamming weight of *B* ⋅ *G* is also at most *h*^{2}; therefore, the Hamming weight of *C* ⋅ *G* is at most 2*h*^{2} for *b* = 0.

Let *n* be a positive integer such that *p* = 2^{n} − 1 be a Mersenne prime. Let *h* ∈ ℕ be such that 10*h*^{2} < *n* ≤ 16*h*^{2}. Let *F*, *G* be two random integers modulo *p* with Hamming weight *h*, and let *R* be a random integer modulo *p*. Set

To encrypt a message *m* ∈ {0, 1}^{h}, first generate three random integers *A*, *B*_{1}, *B*_{2} modulo *p*, with Hamming weight *h*. Then, using the encoding algorithm 𝓔 : {0, 1}^{h} → {0, 1}^{n} of an error correcting code (𝓔, 𝓓), compute the ciphertext

To decrypt, compute 𝓓((*F* ⋅ *C*_{1}) ⊕ *C*_{2}), where 𝓓 is the corresponding decoding algorithm.

Decryption works because

and therefore the Hamming distance between *A* ⋅ *T* + *B*_{2} and *F* ⋅ *C*_{1} is expected to be low, which enables to recover *m* with good probability.

Beunardeau et al. described an attack against AJPS-1 in [3] that recovers the private key from the public key. More precisely, they consider the following problem.

(Mersenne low Hamming ratio search problem (MLHSP)). Let *p* = 2^{n} − 1 be an *n*-bit Mersenne prime and *h* an integer. Let *F*, *G* be two *n*-bit random strings with Hamming weight *h*. Given *H* = *F*/*G* mod *p*, recover *F* and *G*.

Their basic attack is based on the following observation. With probability 2^{−2h}, we have both *F* <
*G* <
*H* = *F*/*G* mod *p*, one can recover *F* and *G* by applying LLL in dimension 2. In the original proposal [1], it was recommended to take *h* = 17 for *λ* = 120 bits of security. However, here we have an attack that recovers the private key from the public key with probability 2^{−34}; see also [4] for a detailed analysis.

More precisely, one considers the lattice 𝓛 generated by the rows of the matrix

We have that det 𝓛 = *p*; hence, by the Gaussian heuristic, it contains a vector of norm
*G*, *F*) is a short vector of the lattice. Therefore, if both *F* <
*G* <
*F* and *G*; since *F* and *G* have Hamming weight *h*, this happens with probability 2^{−2h}.

We note that a similar attack can also be applied to the encryption equation *C* = (−1)^{b} ⋅ (*A* ⋅ *H* + *B*). Namely, if both *A* <
*B* <
*A* and *B* by applying LLL in dimension 3, hence the plaintext bit *b*. Indeed, we have that only one between (*H*, *C*) and (−*H*, *C*) is an instance of the following problem.

(Mersenne low Hamming combination search problem (MLHCSP)). Let *p* = 2^{n} − 1 be an *n*-bit Mersenne prime, *h* an integer, *R* a uniformly random *n*-bit string, and let *F*, *G* have Hamming weight *h*. Given the pair (*R*, *F* ⋅ *R* + *G* mod *p*), find *F*, *G*.

Given *R* and *T* = *F* ⋅ *R* + *G* mod *p*, a variant attack recovers *F*, *G* with probability 2^{−2h}. More precisely, the attack works by considering the lattice 𝓛 of row vectors

We have that (
*F*, *G*) belongs to the lattice 𝓛. Moreover,
*F* <
*G* <
*F* and *G* by applying LLL to the lattice 𝓛.

The basic attack from [3] is only a weak-key attack that recovers the private key from the public key with probability 2^{−2h} over the set of possible public keys. Similarly, the above variant attack against the encryption equation can only decrypt a fraction 2^{−2h} of the ciphertexts. Therefore, the authors extended their attack by considering random partitions, with higher-dimensional lattices. In that case, the attack can recover the private key from any public key, solving MLHSP, with complexity 𝓞(2^{2h}). The same partition strategy can be used for the MLHCSP with the same complexity. In our improved attack in the next section, we will also use random partitions.

We describe our new attack against AJPS-2. We consider the previous encryption equation

Given the public key (*R*, *T*) and a ciphertext (*C*_{1}, *C*_{2}), our attack can distinguish between *m* = 0 and *m* ≠ 0. Assume that *m* = 0 and 𝓔(*m*) = 0. In that case, we have

We claim that if *A*, *B*_{1} and *B*_{2} are less than
*A*, *B*_{1} and *B*_{2} with LLL. Namely, we consider the lattice of row vectors

We have that
*A*, *B*_{1}, *B*_{2}). Therefore if *A*, *B*_{1} and *B*_{2} are less than
*A*, *B*_{1} and *B*_{2} by applying LLL to 𝓛.

Since *A* has Hamming weight *h*, the probability that *A* <
*B*_{1} and *B*_{2}. The success probability of the attack is therefore

which gives a slightly better success probability than the original attack with 2^{−2h}. Therefore, using the same partition technique as in [3], the attack complexity to break the indistinguishability of any ciphertext is 𝓞(2^{1.75h}) instead of 𝓞(2^{2h}).

We show that, using the same random partition technique as in [3], we can break the indistinguishability property of *any* ciphertext (*C*_{1}, *C*_{2}), whereas the basic attack above only works when *A*, *B*_{1} and *B*_{2} are less than

We consider the set [*n*] = {0, 1, …, *n* − 1}. We say that
*interval*-*like partition* if it is a partition of [*n*] such that the sets are of the form *P _{i}* = {

and letting *d _{i}* the number represented by

Consider *P*, *Q*, *S* three interval-like partitions of [*n*] of cardinality *k*, *ℓ* and *j*, respectively. Let *R*, *T*, *C*_{1}, *C*_{2}, *A*, *B*_{1}, *B*_{2} be as in AJPS-2. We define a family of embedded lattices parameterized with respect to *β*,*P*, *Q*, *S* as

for some *scaling factor**β* ∈ ℤ. The dimension of 𝓛_{β,P,Q,S} is *d* = *k* + *ℓ* + *j* + 1, and a basis of this lattice is given by rows of the matrix

We claim that we can recover *A*, *B*_{1}, *B*_{2} by using a lattice of the family {𝓛_{β,P,Q,S}}. We define the *secret vector* to be

where

We will use the notations *a* = (*a*_{1}, …, *a _{k}*),

In the following, we determine under which conditions the secret vector **s** is the unique shortest vector of the lattice 𝓛_{β,P,Q,S}. Given *A*, *B*_{1}, *B*_{2}, we say that the triple (*P*, *Q*, *S*) of partitions of [*n*] is a *lucky triple* if there exists a scaling factor *β* ∈ ℕ such that the secret vector **s** is the unique shortest vector of 𝓛_{β,P,Q,S}. In that case, 𝓛_{β,P,Q,S} will be said to be a *lucky lattice* respect to *A*, *B*_{1}, *B*_{2}. In other words, we aim to establish sufficient conditions under which a lattice 𝓛_{β,P,Q,S} is lucky given a ciphertext *C* = (*C*_{1}, *C*_{2}) such that 𝓔(*m*) = 0.

The volume of 𝓛_{β,P,Q,S} is

We write *β* = 2^{tn}; thus we have vol(𝓛_{β,P,Q,S}) ≃ 2^{(2+t)n}. By the Gaussian heuristic, we obtain the following estimate of the length of the shortest vector of 𝓛_{β,P,Q,S}:

Since the Hamming weight of *A*, *B*_{1}, *B*_{2} is the same, we take *k* = *j* = *ℓ*. We note that the lattice 𝓛_{β,P,Q,S} contains intrinsic short vectors **u** = (0, …, 0, 2^{g}, −1, 0, …, 0) whose norm is ≃ 2^{g} when *g* is of the form *p _{i}* −

In low dimensions, we can assume that LLL recovers the shortest vector **s** of the lattice. From (4.1), we must therefore ensure

where *d* = 3*k* + 1 is the lattice dimension. We expect the entries of the secret vector to be about of the same size for a lucky triple; hence we take the scaling factor *β* such that *β*=2^{tn} ≃ ∥**e**∥. Then we have approximately

which gives
*P*, *Q*, *S*) of partitions

It remains to evaluate the probability to find a lucky triple of partitions (*P*, *Q*, *S*). It is actually easier to assume that the partitions (*P*, *Q*, *S*) are fixed and the ciphertext *C* = (*C*_{1}, *C*_{2}) is random. In that case, from the bound (4.2), each of the *h* bits from the integers *A*, *B*_{1} and *B*_{2} must land in one of the subintervals of length
*k* partition intervals. For a single bit, this happens with probability roughly
^{−1.75h}. Therefore, the number of partitions to try before finding a lucky one is approximately 𝓞(2^{1.75h}) instead of 𝓞(2^{2h}) in the original attack from [3].

In the latest version of the paper, the authors recommended to take for *λ* bit of security *h* = *λ* in order to prevent possible improvements of the Beunardeau et al. attack. Then our attack does not affect the choice of parameter proposed in [2].

We have performed some practical experiments for various values of bitsize *n* and Hamming weight *h* of AJPS-2 in order to compare our new attack with the original Beunardeau et al. attack. For both attacks, since we do not know a priori the optimal size of the partition *k* to recover the secret, we perform a repeated loop over all possible 1 ≤ *k* ≤ *h*. We summarize our results in Table 1, showing that our attack indeed requires fewer partitions than the original attack.

Table 1

h |
n |
log_{2}(ȳ) |
log_{2}(Ȳ) |
---|---|---|---|

3 | 127 | 6.5 | 7.4 |

6 | 521 | 13.0 | 14.5 |

7 | 607 | 14.6 | 16.5 |

9 | 1279 | 14.9 | 16.4 |

[1] D. Aggarwal, A. Joux, A. Prakash and M. Santha, A new public-key cryptosystem via Mersenne numbers, Cryptology ePrint Archive (2017), https://eprint.iacr.org/2017/481. Search in Google Scholar

[2] D. Aggarwal, A. Joux, A. Prakash and M. Santha, A new public-key cryptosystem via Mersenne numbers, in: *Advances in Cryptology*—*CRYPTO 2018*, Lecture Notes in Comput. Sci. 10993, Springer, Berlin (2018), 459–482. Search in Google Scholar

[3] M. Beunardeau, A. Connolly, R. Géraud and D. Naccache, On the hardness of the Mersenne low Hamming ratio assumption, Cryptology ePrint Archive (2017), https://eprint.iacr.org/2017/522. Search in Google Scholar

[4] K. de Boer, L. Ducas, S. Jeffery and R. de Wolf, Attacks on the AJPS Mersenne-based cryptosystem, in: *Post*-*Quantum Cryptography*—*PQCrypto 2018*, Lecture Notes in Comput. Sci. 10786, Springer, Cham (2018), 101–120. Search in Google Scholar

© 2020 Jean-Sébastien Coron, Agnese Gini, published by De Gruyter

This work is licensed under the Creative Commons Attribution 4.0 International License.