Cryptanalysis of the Ajtai - Dwork

Recently, Ajtai discovered a fascinating connection between the worst-case complexity and the average-case complexity of some well-known lattice problems. Later, Ajtai and Dwork proposed a cryptosystem inspired by Ajtai's work, provably secure if a particular lattice problem is diicult in the worst-case. We present a heuristic attack (to recover the private key) against this celebrated cryptosystem. Experiments with this attack suggest that in order to be secure, implementations of the Ajtai-Dwork cryptosystem would require very large keys, making it impractical in a real-life environment. We also adopt a theoretical point of view: we show that there is a converse to the Ajtai-Dwork security result , by reducing the question of distinguishing encryptions of one from encryptions of zero to approximating some lattice problems. In particular , this settles the open question regarding the NP-hardness of the Ajtai-Dwork cryptosystem: from a recent result of Goldreich and Gold-wasser, our result shows that breaking the Ajtai-Dwork cryptosystem is not NP-hard, assuming the polynomial-time hierarchy does not collapse.