Abstract
In a recent paper [1], Aggarwal, Joux, Prakash, and Santha (AJPS) describe an ingenious public-key cryptosystem mimicking NTRU over the integers. This algorithm relies on the properties of Mersenne primes rather than polynomial rings. The security of the AJPS cryptosystem relies on the conjectured hardness of the Mersenne Low Hamming Ratio Assumption, defined in [1].
This work shows that AJPS’ security estimates are too optimistic and describes an algorithm allowing to recover the secret key from the public key much faster than foreseen in [1].
In particular, our algorithm is experimentally practical (within the reach of the computational capabilities of a large organization), at least for the parameter choice \(\{n=1279,h=17\}\) conjectured in [1] as corresponding to a \(2^{120}\) security level. The algorithm is fully parallelizable.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
That is, the length of a number, once its leading zeros are discarded.
- 2.
\(1279-\sigma (1279,17)\approx 75\) bits.
- 3.
Since n is odd, we must accept a ± 1 excess.
- 4.
There is room for improvement here as well, since rejection sampling is a very inefficient approach. Nevertheless it will be sufficient for our discussion, and any approach to generating such partitions would work without impacting the analysis.
- 5.
We ignore the fact that we sample without replacement here, as \(h \ll n\). Under this conservative approximation, all the bits are sampled uniformly and independently, and may fall with probably 1/2 either in a type 0 or a type 1 block.
- 6.
Other implementations are of course possible and do not affect the analysis. For other classical sampling without replacement algorithms, the reader may consult [5].
- 7.
Experiments with random partitions show that this number is quite variable and follows a Poisson distribution, with a correct partition being typically found earlier, with an average of \(2^{17}\) tries.
References
Aggarwal, D., Joux, A., Prakash, A., Santha, M.: A new public-key cryptosystem via Mersenne numbers. Cryptology ePrint Archive, Report 2017/481 (2017). http://eprint.iacr.org/2017/481
Joux, A.: Algorithmic Cryptanalysis. CRC Press, Boca Raton (2009)
Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261(4), 515–534 (1982)
Nguyen, P.Q., Stern, J.: The two faces of lattices in cryptology. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 146–180. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44670-2_12
Stanton, D., White, D.: Constructive Combinatorics. Springer Science & Business Media, Berlin (2012)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Beunardeau, M., Connolly, A., Géraud, R., Naccache, D. (2019). On the Hardness of the Mersenne Low Hamming Ratio Assumption. In: Lange, T., Dunkelman, O. (eds) Progress in Cryptology – LATINCRYPT 2017. LATINCRYPT 2017. Lecture Notes in Computer Science(), vol 11368. Springer, Cham. https://doi.org/10.1007/978-3-030-25283-0_9
Download citation
DOI: https://doi.org/10.1007/978-3-030-25283-0_9
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-25282-3
Online ISBN: 978-3-030-25283-0
eBook Packages: Computer ScienceComputer Science (R0)