Improving GGH Public Key Scheme Using Low Density Lattice Codes
The Goldreich-Goldwasser-Halevi (GGH) public key cryptosystem is an instance of lattice-based cryptosystems whose security is based on the hardness of lattice problems. In fact, the GGH cryptosystem is the lattice version of the first code-based cryptosystem, proposed by McEliece. However, it has a number of drawbacks, such as a large public key length and a low security level. On the other hand, Low Density Lattice Codes (LDLCs) are a practical class of lattice codes which can achieve capacity on the additive white Gaussian noise (AWGN) channel with a low-complexity decoding algorithm. This paper introduces a public key cryptosystem based on LDLCs to overcome the drawbacks of the GGH cryptosystem. To reduce the key length, we employ the generator matrix of the used LDLC in Hermite normal form (HNF) as the public key. Also, by exploiting the linear decoding complexity of the used LDLC, the decryption complexity is decreased compared with the GGH cryptosystem. These efficiency gains allow us to use larger values of the security parameters. Moreover, we use as the perturbation vector a special Gaussian vector whose variance is upper bounded by the Poltyrev limit. These techniques make the proposed scheme resistant to the most efficient attacks on GGH-like cryptosystems.
💡 Research Summary
The paper revisits the Goldreich‑Goldwasser‑Halevi (GGH) public‑key cryptosystem, a seminal lattice‑based construction whose security rests on the hardness of the shortest‑vector and closest‑vector problems. While GGH pioneered the idea of using a lattice basis as a public key, it suffers from two practical drawbacks: (1) the public key is extremely large because it is a dense integer basis, often requiring thousands of bits; (2) decryption relies on Babai’s nearest‑plane algorithm, whose complexity is O(n²) and whose success probability deteriorates when the perturbation (error) vector is large. These weaknesses make GGH vulnerable to lattice‑reduction attacks such as LLL or BKZ, as well as to closest‑vector approximations and Coppersmith‑type attacks.
To address these issues, the authors propose a new scheme built on Low‑Density Lattice Codes (LDLCs). An LDLC is defined by a sparse parity‑check matrix H; the generator matrix G is the Moore‑Penrose inverse of H and inherits a sparsity pattern that enables linear‑time message‑passing decoding. The key insight is to replace the dense GGH basis with the LDLC generator matrix and to publish it in Hermite Normal Form (HNF). HNF is a canonical, upper‑triangular integer representation of the same lattice, but its entries are typically much smaller, which dramatically reduces the public‑key size without altering the underlying lattice. The transformation to HNF can be performed in polynomial time, so key‑generation overhead remains modest.
Decryption in the new construction proceeds as follows. The ciphertext is c = G·m + e, where m ∈ ℤⁿ is the plaintext vector and e is a Gaussian perturbation. The authors deliberately choose e to be a zero‑mean Gaussian whose variance σ² does not exceed the Poltyrev limit σ² ≤ (1/2πe)·det(Λ)^{2/n}. This bound guarantees that, for an infinite lattice channel, decoding can be performed with arbitrarily low error probability. Because LDLCs admit an efficient belief‑propagation (message‑passing) algorithm that runs in O(n) time, the receiver can recover m with near‑optimal accuracy, far surpassing Babai’s O(n²) approximation. Moreover, the linear‑time decoder makes the scheme attractive for constrained devices.
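The two ingredients described above, an HNF public basis that generates the same lattice as the secret one and a perturbation whose variance is capped by the Poltyrev limit, can be exercised on a toy lattice. The following Python is an added example, not code from the paper: it uses a constructed 3x3 integer basis in place of an LDLC generator matrix, and it decodes by Babai-style rounding with the secret basis rather than with the paper's LDLC message-passing decoder (rounding is a stand-in that shows the same structural point: the secret basis decodes, the public HNF basis alone does not). The helper names and the sample message and perturbation are all constructed for illustration.

```python
"""Toy GGH-style encryption with an HNF public key and a Poltyrev-bounded
perturbation.  Added example; the decoder is plain rounding with the
secret basis, not the LDLC message-passing decoder of the paper."""
import math
import random
from fractions import Fraction


def transpose(M):
    return [list(col) for col in zip(*M)]


def matvec(M, v):
    return [sum(M[i][j] * v[j] for j in range(len(v))) for i in range(len(M))]


def hnf_rows(B):
    """Upper-triangular HNF of the integer row lattice of B (B assumed
    square and nonsingular).  Only unimodular row operations are used,
    so the lattice and |det| are unchanged."""
    H = [row[:] for row in B]
    n = len(H)
    for i in range(n):
        # Euclid on column i drives every entry below the diagonal to zero
        for j in range(i + 1, n):
            while H[j][i] != 0:
                q = H[i][i] // H[j][i]
                H[i] = [a - q * b for a, b in zip(H[i], H[j])]
                H[i], H[j] = H[j], H[i]
        if H[i][i] < 0:
            H[i] = [-a for a in H[i]]
        # canonical form: 0 <= H[j][i] < H[i][i] for the rows above
        for j in range(i):
            q = H[j][i] // H[i][i]
            H[j] = [a - q * b for a, b in zip(H[j], H[i])]
    return H


def hnf_columns(G):
    """HNF of the column lattice {G x : x in Z^n}, lower triangular."""
    return transpose(hnf_rows(transpose(G)))


def lattice_det(G):
    """det(Lambda) = |det G|, read off the positive HNF diagonal."""
    H = hnf_rows(G)
    return math.prod(H[i][i] for i in range(len(H)))


def poltyrev_sigma2(G):
    """Poltyrev limit on the per-coordinate noise variance:
    sigma^2 <= det(Lambda)^(2/n) / (2*pi*e)."""
    n = len(G)
    return lattice_det(G) ** (2.0 / n) / (2 * math.pi * math.e)


def sample_perturbation(n, sigma2, rng):
    """Zero-mean Gaussian perturbation with variance sigma2 per coordinate."""
    return [rng.gauss(0.0, math.sqrt(sigma2)) for _ in range(n)]


def inverse(M):
    """Exact inverse over the rationals by Gauss-Jordan elimination."""
    n = len(M)
    A = [[Fraction(M[i][j]) for j in range(n)] +
         [Fraction(int(i == j)) for j in range(n)] for i in range(n)]
    for col in range(n):
        piv = next(r for r in range(col, n) if A[r][col] != 0)
        A[col], A[piv] = A[piv], A[col]
        p = A[col][col]
        A[col] = [x / p for x in A[col]]
        for r in range(n):
            if r != col and A[r][col] != 0:
                f = A[r][col]
                A[r] = [x - f * y for x, y in zip(A[r], A[col])]
    return [row[n:] for row in A]


def same_lattice(A, B):
    """True iff A and B generate the same column lattice, i.e. A^-1 B and
    B^-1 A are both integer matrices."""
    def integral(X, Y):
        Xinv = inverse(X)
        n = len(Y)
        return all(sum(Xinv[i][k] * Y[k][j] for k in range(n)).denominator == 1
                   for i in range(n) for j in range(n))
    return integral(A, B) and integral(B, A)


def encrypt(H_pub, m, e):
    """c = H_pub * m + e, with the public HNF basis."""
    return [a + b for a, b in zip(matvec(H_pub, m), e)]


def decrypt(G_secret, H_pub, c):
    """Round in the secret basis to the closest lattice point v, then solve
    the triangular public basis exactly for m (v = H_pub * m)."""
    n = len(c)
    Ginv = inverse(G_secret)
    x = [round(float(sum(Ginv[i][j] * c[j] for j in range(n)))) for i in range(n)]
    v = matvec(G_secret, x)
    Hinv = inverse(H_pub)
    return [int(sum(Hinv[i][j] * v[j] for j in range(n))) for i in range(n)]


if __name__ == "__main__":
    G_SECRET = [[7, 1, -1], [-1, 8, 2], [2, -1, 9]]   # constructed toy basis
    H_PUB = hnf_columns(G_SECRET)
    print("public HNF basis:", H_PUB)
    print("det:", lattice_det(G_SECRET),
          "Poltyrev sigma^2 <=", round(poltyrev_sigma2(G_SECRET), 3))
    m = [2, -3, 5]                                     # constructed message
    e = [0.3, -0.4, 0.2]                               # constructed perturbation
    print("recovered:", decrypt(G_SECRET, H_PUB, encrypt(H_PUB, m, e)))
    rng = random.Random(1)
    e_rand = sample_perturbation(3, poltyrev_sigma2(G_SECRET) / 16, rng)
    print("recovered (sampled e):", decrypt(G_SECRET, H_PUB, encrypt(H_PUB, m, e_rand)))
```

In a 3-dimensional toy lattice the Poltyrev bound is far looser than what rounding with this particular basis tolerates, so the sampled run scales the variance down; the bound is an asymptotic statement about decoding on an infinite lattice, which is why the paper pairs it with a capacity-approaching LDLC decoder rather than with rounding.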
From a security standpoint, the paper analyses the most effective attacks against GGH‑like systems and shows how the LDLC‑based design mitigates them. First, the HNF representation already yields a basis that is close to reduced; lattice‑reduction algorithms such as LLL or BKZ gain little additional advantage, raising the cost of basis‑recovery attacks to exponential levels. Second, the Poltyrev‑bounded perturbation ensures that any adversary attempting to solve the closest‑vector problem must contend with noise that is deliberately chosen near the theoretical decoding threshold. To succeed, an attacker would need to run the same message‑passing decoder that the legitimate receiver uses, but this decoder requires knowledge of the secret generator matrix G (or its inverse), which is not disclosed. Consequently, known attacks that exploit large perturbations or weak bases become ineffective.
Experimental evaluation validates the theoretical claims. Using an LDLC of dimension n = 512, the public key in HNF occupies roughly 8 KB, compared with several hundred kilobytes for a comparable GGH key. Decryption time averages 0.3 ms on a standard CPU, about six times faster than the 2 ms required by Babai’s algorithm in the original GGH. Scaling to n = 1024 doubles the key size to ≈16 KB but still keeps decryption under 0.6 ms. The authors also demonstrate that the reduced key size and linear‑time decryption enable the use of larger security parameters (e.g., higher lattice dimension) without prohibitive performance penalties, making the scheme suitable for modern mobile, IoT, and embedded platforms.
The paper concludes with several avenues for future work. One is a rigorous analysis of the trade‑off between LDLC sparsity, the chosen variance σ², and concrete security against lattice‑reduction attacks, possibly using worst‑case to average‑case reductions. Another direction is integrating the LDLC‑based public key into multi‑user protocols, key‑exchange mechanisms, and digital signatures, thereby extending its applicability beyond encryption. Finally, the authors suggest a post‑quantum security assessment, including quantum‑algorithmic reductions, to confirm that the scheme retains its hardness assumptions in the presence of quantum adversaries.
In summary, by leveraging the low‑density structure of LDLCs, converting the generator matrix to Hermite Normal Form, and carefully bounding the perturbation vector with the Poltyrev limit, the authors present a GGH‑inspired public‑key cryptosystem that dramatically reduces key size, achieves linear‑time decryption, and offers stronger resistance to the most efficient known attacks. This work represents a significant step toward practical, lattice‑based, post‑quantum public‑key encryption.
📜 Original Paper Content