Revisiting Lattice Attacks on Overstretched NTRU Parameters
P. Kirchner & P.-A. Fouque, Université de Rennes 1, France
EUROCRYPT 2017 – 05/01/17
Plan
1. Background on NTRU and Previous Attacks
2. A New Subring Attack
3. Simplification and Generalization
4. Prediction of our Attacks
NTRUEncrypt
Key Generation: $R = \mathbb{Z}[X]/(X^n + 1)$, modulus $q$, width $\sigma$
▶ Sample $f \leftarrow D_{R,\sigma}$ (invertible mod $q$)
▶ Sample $g \leftarrow D_{R,\sigma}$
▶ Publish $h = [g/f]_q$
Encrypt $m \in \{0, 1\}$
▶ Sample $s \leftarrow D_{R,\chi}$, $e \leftarrow D_{R,\chi}$
▶ Return $c = 2(h \cdot s + e) + m$
Decrypt $c \in R_q$
▶ $m' = f \cdot c = 2(g \cdot s + f \cdot e) + f \cdot m$
▶ Return $m' \bmod 2 = f \cdot m \bmod 2$
Recovering the secret key from the public key $h$
NTRU lattice $\Lambda_q(h)$ with basis $A = \begin{pmatrix} I_n & M_h \\ 0 & qI_n \end{pmatrix}$
▶ The lattice $\Lambda_q(h)$ defined by $A$ for an NTRU instance with parameters $R, q, \sigma$ has dimension $2n$ and volume $q^n$
▶ If $h$ were uniformly random, the Gaussian heuristic predicts that the shortest vectors of $\Lambda_q(h)$ have norm $\approx \sqrt{nq}$
▶ While $\|f\| \approx \|g\| \approx \sqrt{n}\,\sigma \ll \sqrt{nq}$
▶ Unusually short vectors: the $n$ rotations $(x^i f, x^i g)$ of $(f, g)$
SS11: for $\sigma \approx \sqrt{q}$, $h$ is statistically indistinguishable from uniform, but NTRU chooses $f, g \in \{-1, 0, 1\}^n$!
NTRU Assumptions and Applications
Definition (NTRU Assumption): it is hard to find a short vector in the $R$-module $\Lambda_q(h) = \{(x, y) \in R^2 \text{ s.t. } hx - y = 0 \bmod q\}$, $R = \mathbb{Z}[X]/(P(X))$, given the promise that a short solution $(f, g)$ exists.
The NTRU assumption has been used for
▶ signature scheme: BLISS (Ducas, Durmus, Lepoint, Lyubashevsky), based on IBE (Ducas, Prest, Lyubashevsky)
▶ fully homomorphic encryption: LTV (Lopez-Alt, Tromer and Vaikuntanathan), YASHE (Bos, Lauter, Loftus, Naehrig)
▶ multilinear maps from ideal lattices: GGH13
With a very large modulus $q$ compared to NTRUEncrypt!
Current Attacks on NTRU to recover the secret key
▶ Recovering a short enough vector larger than $(f, g)$ is sufficient
▶ Finding an $o(q)$ vector would break many applications such as encryption
▶ Previous lattice attacks:
1. Direct approach: we need a strong lattice reduction, and NTRU is still secure
2. May increases $\lambda_1(L)/\lambda_2(L)$ by avoiding the rotated vectors and reduces the dimension by projecting the lattice
3. Howgrave-Graham combines lattice reduction and MITM: first reduces a submatrix in the middle of the lattice $L$
Asymptotically, BKW variant: heuristic complexity of $2^{\Theta(n / \log \log q)}$
Subfield Attack
▶ Lattice reduction in a subfield to attack the NTRU assumption for large moduli $q$ and $\sigma < q^{1/4}$
▶ Strategy: reducing the dimension allows faster algorithms
1. Map an NTRU instance to the chosen subfield (dim. $n/2$)
2. Apply lattice reduction
3. Lift the solution to the full field
▶ Albrecht, Bai, Ducas rediscovered this attack, already sketched by Gentry, Szydlo, Jonsson, Nguyen and Stern
▶ Cheon, Jeong and Lee discovered a variant using the Trace instead of the Norm
▶ Works with any coefficient of the characteristic polynomial
Cyclotomic Number Field
▶ $K = \mathbb{Q}[\omega_n] \simeq \mathbb{Q}[X]/(\Phi_n(X))$ where $\omega_n = \exp(2i\pi/n)$
▶ $L = \mathbb{Q}(\omega_n + \bar{\omega}_n)$: maximal real subfield of $K$ of dim. $(n-1)/2$
▶ Conjugate: $\bar{a} = a_0 + \sum_{i=1}^{\phi(n)-1} a_i X^{\phi(n)-i}$ for $a = \sum_{i=0}^{\phi(n)-1} a_i X^i$
▶ $N_{K/L}(a) = a\bar{a} \in L$
▶ More generally, if $L$ is a subfield of $K$ of dim. $m$ and $r = n/m$, $N_{K/L}(a) = \prod_{\sigma \in H} \sigma(a)$ for $H$ fixing $L$
▶ Ring of integers: $\mathcal{O}_K = \mathbb{Z}[\omega_n] = \{a \in K : f_a^{\mathbb{Q}} \in \mathbb{Z}[X]\}$ where $f_a^{\mathbb{Q}}$ is the monic irreducible minimal polynomial of $a$ over $\mathbb{Q}$
▶ The ideal $g\mathcal{O}_K$ can be represented by a lattice: the multiplication matrix by $g$ in $\mathcal{O}_K$