## 1 Introduction

NTRU is a public key cryptosystem [11] that serves as a basis for many cryptographic protocols (e.g. [9, 10, 14]) and is believed to remain secure in the presence of quantum computers. See the survey [23] for a complete description of the NTRU cryptosystem and its applications. In this paper, we consider the *overstretched* NTRU variant in the cyclotomic field *K* = ℚ[*x*]/(*x*^{n} + 1), with *n* a power of 2. Let *R* = ℤ[*x*]/(*x*^{n} + 1) be the ring of integers in *K*, and let *R*_{q} = ℤ_{q}[*x*]/(*x*^{n} + 1) for some integer *q* that is super-polynomial in *n*. The private key consists of two polynomials **f**, **g** ∈ *R*_{q}, with **f** invertible. The public key **h** is defined by **h** := **g** **f**^{–1}. The coefficients of **f** and **g** are chosen to be small from a given distribution, most commonly the uniform distribution over {–1, 0, 1}. The (general) NTRU key recovery problem is to recover **a**, **b** ∈ *R*_{q} with “sufficiently small” coefficients such that **h** = **b** **a**^{–1}.

**Cryptanalyses of NTRU**. Coppersmith and Shamir [5] presented a lattice attack on NTRU. The lattice has dimension 2*n*, and in the context of this paper the attack works over the full field *K*. Later variants of this attack decrease the lattice dimension, resulting in feasible computations for larger parameters. The first cryptanalyses of overstretched NTRU were given independently by Albrecht et al. [1] and Cheon et al. [4]. These works present *subfield attacks* that exploit subfields in *K*. Their main result is that if *q* is exponentially large, the dimension can be much smaller and the attack runs in polynomial time.

Kirchner and Fouque [12] presented a *subring attack* against overstretched NTRU. This attack allows more flexibility in choosing different (larger) dimensions. Moreover, they proved that despite the larger dimension, the “full field” attack does not perform worse than the subfield and subring attacks.

Experimentally, the subring and subfield attacks are significantly faster than the full field attack. Kirchner and Fouque [12] compare their results to the experiments in [1] and conclude that if one wishes to minimize the ratio between *n* and *q* then the subring attack “performs better” than the subfield attack. Subsequent work by Duong et al. [8] concludes that for different choices of subfields, the subfield attack is not worse than the subring attack. These comparisons are mainly experimental and not analytic.

However, these works directly compare lattices of different dimensions and observe that the attack succeeds on a smaller modulus *q* for a given degree *n* using larger-dimension lattices. The benefit of this comparison is questionable, as it follows from [12] that the full field, which has the largest dimension, is expected to achieve the lowest ratio between *n* and *q* among all these lattice attacks. Furthermore, the point of the subfield and subring attacks is to decrease the dimension, so increasing the dimension is in opposition to the goal of the attack construction. While lattice dimension is not the only parameter that affects the running time or approximation factor of lattice basis reduction algorithms, in all of our experiments, as in the reported experiments of previous works, lattice dimension seems to play a crucial role in the actual running time.

**Our results**. The main goal of our work is to resolve the conflicting claims in previous work. We formally analyze the relative performance, focusing on the lattice dimension, and use experiments to validate our analysis. Our focus on the lattice dimension follows our claim that this is the correct metric for comparison.

- We formally justify the projection technique of May [17] and May and Silverman [18], which is key to the subring attack. We formalize its necessary conditions, and explain its relation to standard assumptions on NTRU. This analysis fills a theoretical gap in prior work on the subring attack.
- We show that the subring lattice is expected to contain shorter vectors than the subfield lattice, which resolves the incompatible claims in prior work. In short, if this is the case, for fixed *n* and *q*, the subring attack can use projection to discard more equations and obtain a lower dimension lattice. Thus, for a given degree *n* and fixed lattice dimension, the subring attack is expected to succeed on a smaller modulus *q*.

**Main result** (Informal). *Consider the NTRU problem with polynomial degree n. Let L be a subfield of K such that* [*K* : *L*] = *r*, *and let n*′ = *n*/*r*. *Then, for sufficiently large n, we have the following.*

*For a lattice dimension* 2*n*′, *the subring lattice is expected to contain shorter vectors than the subfield lattice, and to solve the NTRU problem for smaller modulus. The ratio of the Euclidean norm of the respective vectors is approximately* $\sqrt{2r/(r+1)}$. *If these are the shortest vectors, then the ratio of the smallest feasible moduli for each attack approaches* 2 *as r increases. For a modulus q, if we decrease the lattice dimension below* 2*n*′ *using projection, the subring attack is expected to solve the NTRU problem with a smaller dimension lattice and a smaller block size for the BKZ algorithm than the subfield attack, by finding a non-zero integral multiple of the desired vectors.*

Our analysis does not show that these desired vectors are the shortest vectors in the corresponding lattices. Thus, our bounds may not be tight. We present experimental evidence suggesting that these bounds are conservative. Our result focuses on the structure of the lattices more than actual implementations of the attacks. In particular, we fix the subfield index and analyze the asymptotics of the length of short vectors in the lattices. Implementations of the attacks would try to optimize the choice of the subfield with respect to the degree of the field. An analysis of such an optimization seems challenging.

## 2 Preliminaries

We denote the ring representation of an element by **a** ∈ *R*, and the vector representation by *a* ∈ ℤ^{n}; ||**f**|| is the norm of the corresponding vector consisting of the polynomial coefficients, i.e. ||*f*||. We use [*x*]_{q} to denote *x* mod *q*.

A *number field* is a finite field extension of ℚ. Its degree is [*K* : ℚ]. The ring of integers 𝓞 of a number field *K* is the set of algebraic integers contained in *K*. For any field *K* and subfield *L* of *K*, we define *r* = [*K* : *L*] to be the index of the subfield we consider. If *n*′ = [*L* : ℚ] and *n* = [*K* : ℚ], then *r* = *n*/*n*′.

Let *ζ*_{m} be a primitive *m*^{th} root of unity. Let the *m*^{th} *cyclotomic field* be *K* = ℚ(*ζ*_{m}), and *m* a power of 2. The *m*^{th} cyclotomic polynomial is *x*^{n} + 1, where *n* = *ϕ*(*m*) and *ϕ* is Euler’s phi function, and *K* ≅ ℚ[*x*]/(*x*^{n} + 1).

Let *K* be a number field and *L* a subfield of *K*. Consider the map *m*_{a} : *x* ↦ *ax*, for an element *a* ∈ *K* and *x* ∈ *L*. The trace of *a* ∈ *K*, denoted *Tr*_{K/L}(*a*), is the trace of *m*_{a}. The relative norm of *a* ∈ *K*, denoted *N*_{K/L}(*a*), is the determinant of *m*_{a}. The trace is additive and the norm is multiplicative. In particular, if *K* is a Galois extension of ℚ and we define *G* = *Gal*(*K*/*L*), then *Tr*_{K/L}(*a*) = ∑_{σ∈G} *σ*(*a*) and *N*_{K/L}(*a*) = ∏_{σ∈G} *σ*(*a*). The embeddings *σ* ∈ *G* permute or conjugate the coefficients of *x* ∈ *K* in the canonical embedding. Hence, ∀ *σ* ∈ *G*, ||*σ*(*x*)|| = ||*x*||. Let *K* be a number field and *L* a subfield of index *r*. When we enumerate the embeddings, we set *σ*_{1} = Id. To prevent confusion, while we use canonical embeddings, the norms are taken with respect to the coefficients.

A *lattice* is a discrete additive subgroup of ℝ^{n}. We will represent an *n*-dimensional lattice as an *n* × *n* matrix where the rows are given by the basis vectors *b*_{i}, and write 𝓛(*B*) for the lattice generated by basis matrix *B*.

## 3 Characterization of NTRU attacks

We give a short presentation of the different attacks on NTRU. A comprehensive characterization of the attacks appears in the full version of this paper [6].

### 3.1 The full field attack

Coppersmith and Shamir [5] considered the following 2*n* × 2*n* matrix

where **I**_{n} is the *n*-dimensional identity matrix and 𝓜_{h} represents multiplication in *R* by the public key **h**. The lattice generated by *A*_{full}, which we call 𝓛(*A*_{full}), contains the vector (*f*, *g*) = (*f*_{0}, …, *f*_{n–1}, *g*_{0}, …, *g*_{n–1}), because (*f*_{0}, …, *f*_{n–1})𝓜_{h} (mod *q*) ≡ (*g*_{0}, …, *g*_{n–1}). The vector (*f*, *g*) has relatively small Euclidean norm, and is most likely a vector of the smallest non-zero length in the lattice 𝓛(*A*_{full}). Thus, the NTRU problem can be reduced to computing short vectors in 𝓛(*A*_{full}).

Coppersmith and Shamir [5] note that one can derive useful information to recover the secret key even when a multiple of (**f**, **g**) is found, for multiples of relatively small norm (yet larger than (**f**, **g**)). See [5] for more details. In fact, one can focus on finding a small multiple of **f**, since given *α***f**, a small multiple of **g** can be found by computing *α***g** = *α***fh**. The different attacks exploit this fact, and aim to recover (a small multiple of) *N*_{K/L}(**f**), for a subfield *L* ⊆ *K*, which can be shown to have a relatively small Euclidean norm.

In the following descriptions, we use the term “*f* part” for the part of the vector corresponding to the identity matrix, and “*g* part” for the part corresponding to multiplication by **h** (or by *N*_{K/L}(**h**) in the subfield lattice).

**The subfield attacks [1, 4]** The *norm* attack [1] uses the lattice generated by the rows of the 2*n*′ × 2*n*′ matrix

where *n*′ is the degree of the subfield *L* and 𝓜_{NK/L(h)} is the *n*′ × *n*′ matrix representing multiplication by *N*_{K/L}(**h**) in *L*. This lattice contains the short vector (*N*_{K/L}(**f**), *N*_{K/L}(**g**)) = (∏_{σ∈G}*σ*(**f**), ∏_{σ∈G}*σ*(**g**)).

In the *trace* attack [4] one replaces 𝓜_{NK/L(h)} with 𝓜_{TrK/L(h)}, the matrix representing multiplication by *Tr*_{K/L}(**h**) in *L*. We focus on the norm attack because it performs slightly better when the polynomials are *balanced* (that is, the polynomials **f** and **g** have approximately the same number of non-zero coefficients).

**The subring attack [12]** The subring attack can be divided into two steps. First, consider the following (*n*′ + *n*) × (*n*′ + *n*) matrix

where the upper right quadrant is the *n*′ × *n* matrix representing multiplication by **h** in *L*. This lattice contains the short vector (*N*_{K/L}(**f**), *N*_{K/L}(**f**)**h**) = (**f**∏_{σ∈G∖{Id}}*σ*(**f**), **g**∏_{σ∈G∖{Id}}*σ*(**f**)).

The dimension *n*′ + *n* is larger than 2*n*′, the subfield attack lattice dimension. The second step “projects” the lattice, i.e., deletes right-most columns of the matrix, so that the lattice dimension can be reduced towards 2*n*′ while the correspondingly truncated vector (*N*_{K/L}(**f**), *N*_{K/L}(**f**)**h**) remains in it.
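As an added worked example (my code, not the paper's or Sage's), the following Python builds the objects of Sections 1 to 3 for a toy instance: arithmetic in *R*_{q} = ℤ_{q}[*x*]/(*x*^{n} + 1), a key pair with **h** = **g** **f**^{–1}, the index-2 automorphism *σ*_{2} : *x* ↦ –*x* and the relative norm *N*_{K/L}(**a**) = **a***σ*_{2}(**a**), and then checks the three relations that place the short vectors in the full field, subfield and subring lattices: **f** **h** = **g**, *N*_{K/L}(**f**) *N*_{K/L}(**h**) = *N*_{K/L}(**g**) and *N*_{K/L}(**f**)**h** = **g***σ*_{2}(**f**) (all in *R*_{q}), plus the fact that *N*_{K/L}(**f**) has only even-degree coefficients, i.e. lies in *L*. The parameters *n* = 8 and *q* = 257 are constructed toy values, the inversion routine assumes *q* prime, and all function names are mine.

```python
# Added example, not code from the paper: toy NTRU keys in R_q = Z_q[x]/(x^n + 1)
# and the index-2 subfield norm N_{K/L}(a) = a * sigma_2(a) with sigma_2(a)(x) = a(-x).
# Assumptions: q is prime (so inversion runs in GF(q)[x]); n, q below are toy values.
import random

def negacyclic_mul(a, b, q=None):
    """Product of coefficient lists (low degree first) in Z[x]/(x^n + 1); mod q if given."""
    n = len(a)
    res = [0] * n
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            if i + j < n:
                res[i + j] += x * y
            else:
                res[i + j - n] -= x * y          # x^n = -1
    return [c % q for c in res] if q is not None else res

def sigma2(a):
    """The automorphism x -> -x of K: negate odd-degree coefficients."""
    return [(-c if i % 2 else c) for i, c in enumerate(a)]

def subfield_norm(a):
    """N_{K/L}(a) = a * sigma_2(a); only even-degree terms survive, i.e. it lies in L = Q(x^2)."""
    return negacyclic_mul(a, sigma2(a))

def _trim(p):                                    # drop leading zero coefficients in place
    while len(p) > 1 and p[-1] == 0:
        p.pop()
    return p

def _pmul(a, b, q):                              # plain product in GF(q)[x]
    res = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            res[i + j] = (res[i + j] + x * y) % q
    return _trim(res)

def _psub(a, b, q):                              # difference in GF(q)[x]
    m = max(len(a), len(b))
    a, b = a + [0] * (m - len(a)), b + [0] * (m - len(b))
    return _trim([(x - y) % q for x, y in zip(a, b)])

def _pdivmod(a, b, q):
    """Quotient and remainder in GF(q)[x]; b must be non-zero."""
    a, b = _trim(a[:]), _trim(b[:])
    inv_lead = pow(b[-1], -1, q)
    quot = [0] * max(1, len(a) - len(b) + 1)
    while a != [0] and len(a) >= len(b):
        shift, coef = len(a) - len(b), (a[-1] * inv_lead) % q
        quot[shift] = coef
        for i, bi in enumerate(b):
            a[shift + i] = (a[shift + i] - coef * bi) % q
        _trim(a)
    return _trim(quot), a

def invert_mod(f, q):
    """f^{-1} in Z_q[x]/(x^n + 1) by the extended Euclidean algorithm; ValueError if none."""
    n = len(f)
    r0, r1 = [1] + [0] * (n - 1) + [1], _trim([c % q for c in f])   # x^n + 1, then f
    s0, s1 = [0], [1]                 # invariant: s_i * f == r_i  (mod x^n + 1)
    while r1 != [0]:
        quo, rem = _pdivmod(r0, r1, q)
        r0, r1 = r1, rem
        s0, s1 = s1, _psub(s0, _pmul(quo, s1, q), q)
    if len(r0) != 1:                  # gcd has positive degree: f is a zero divisor
        raise ValueError("f is not invertible modulo (q, x^n + 1)")
    c = pow(r0[0], -1, q)
    inv = [(x * c) % q for x in s0]
    return inv + [0] * (n - len(inv))

def keygen(n, q, rng):
    """Ternary f, g (resampled until f is invertible) and h = g * f^{-1} mod q."""
    while True:
        f = [rng.choice((-1, 0, 1)) for _ in range(n)]
        g = [rng.choice((-1, 0, 1)) for _ in range(n)]
        try:
            f_inv = invert_mod(f, q)
        except ValueError:
            continue
        return f, g, negacyclic_mul(g, f_inv, q)

def toy_key(n=8, q=257, seed=1):
    """A constructed, seeded toy key pair used by the checks below."""
    return keygen(n, q, random.Random(seed))

def check_attack_vectors(f, g, h, q):
    """The relations behind the short vectors of Section 3 (index-2 subfield):
    full field f*h = g, subfield N(f)*N(h) = N(g), subring N(f)*h = g*sigma_2(f)."""
    n = len(f)
    N_f, N_g = subfield_norm(f), subfield_norm(g)
    N_h = negacyclic_mul(h, sigma2(h), q)
    return {
        "full":      negacyclic_mul(f, h, q) == [c % q for c in g],
        "subfield":  negacyclic_mul(N_f, N_h, q) == [c % q for c in N_g],
        "subring":   negacyclic_mul(N_f, h, q) == negacyclic_mul(g, sigma2(f), q),
        "norm_in_L": all(N_f[k] == 0 for k in range(1, n, 2)),
    }

if __name__ == "__main__":
    f, g, h = toy_key()
    print(check_attack_vectors(f, g, h, 257))
```

The subring relation is the one the projection step relies on: *N*_{K/L}(**f**)**h** equals the small element **g***σ*_{2}(**f**) in *R*_{q}, so the pair (*N*_{K/L}(**f**), **g***σ*_{2}(**f**)) is a genuinely short lattice vector, and any subset of its *g*-part coordinates stays small when columns are deleted.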

**Previous comparison of the attacks**. The size of the modulus *q* causes a tension between applications and security. Many applications, such as fully homomorphic encryption, need a relatively large modulus, but NTRU with a very large modulus can be broken in polynomial time, even with the Coppersmith-Shamir attack. Hence, it is important to analyze the relation between *q* and *n* when studying the security of cryptosystems that are based on overstretched NTRU.

In [1], the experimental results focus on finding the minimal modulus *q* for which the NTRU problem can be solved with the subfield attack on a fixed *n* using the LLL algorithm. The subsequent work [8, 12] followed this approach and directly compared to these experiments, both claiming to achieve “better results”. Moreover, [12, Theorem 9] shows that under some conditions, working over a subfield of smaller index (including the full field) will not give worse results despite the increase in dimension (however, see our experimental results for the full field compared to the other attacks in Table 2).

We claim that the lattice dimension, which strongly influences the attacks’ running time, should be central to the attack comparisons. This point has been overlooked in prior work, and thus it is not clear whether the different experiments remain comparable. Table 1 gives a series of experimental “improvements” that decrease *q* by modifying the dimension. We give results from previous papers and from our own experiments. We ran the subfield and the subring attack using our implementations of these attacks and used the projection technique to reduce the dimension of the lattice. Except for the case log(*n*) = 12, these comparisons are inconclusive when dimension is taken into account. For a detailed comparison, see the full version of this paper [6].

## 4 Main results

Our main contribution is a full characterization of the various attacks on overstretched NTRU. In Section 4.1, we give a detailed analysis of the applicability of the projection technique to NTRU lattices. Having fully proven the subring attack, we compare it to the subfield attack in Section 4.2.

### 4.1 The projection technique

The key to the projection technique is that the system of equations corresponding to **f** ⋅ **h** = **g** is assumed to be overdetermined, so one can discard some of the equations. We formalize this assumption, relate it to standard assumptions on NTRU and derive concrete results. Some of these details are missing in [12, Section 3.2].

In the following, let 𝓛(*A*) be the lattice generated by any of the above attack matrices *A*, 𝓛′ be the projected lattice of dimension *n*′ + *d*, and 𝓜 the upper right quadrant of *A*. The *discrepancy* 𝓓(*Γ*) [7, 13] measures how equidistributed a sequence of points *Γ* = {*γ*_{1}, …, *γ _{n}*} in the interval [0, 1] is. Formally defined,

where *J* ranges over the subintervals of [0, 1], |*J*| is the length of *J*, and *T*(*J*, *n*) is the number of points *γ*_{i} in *J* for 1 ≤ *i* ≤ *n*. Let 𝓣 be a sequence of elements in ℤ^{n} with the dot product. 𝓣 is *Δ*-*homogenously distributed modulo q* if for any *a* ∈ ℤ^{n} with at least one coordinate coprime to *q*, the discrepancy of {[*a* ⋅ *t*]_{q}/*q*}_{t∈𝓣} is at most *Δ*. We would like to consider the columns of 𝓜 as a set of elements in 𝓣. However, this sequence is not *Δ*-homogenously distributed modulo *q* for small *Δ*: for example when 𝓜 = 𝓜_{h}, **h** ⋅ **f** = **g** does not distribute homogenously. We define the following weaker notion.

**Definition** (Weak homogenous distribution). *Let u* ∈ 𝓞, *B* > 0, *and* 𝓣 *be a sequence of elements in* ℤ^{n}. *Then* 𝓣 *is* (*B*, *u*)-*weakly Δ-homogenously distributed modulo q if for any a* ∉ 𝓞*u* *such that* ||*a*|| < *B*, *with at least one coordinate coprime to q, the discrepancy of the sequence* {[*a* ⋅ *t*]_{q}/*q*}_{t∈𝓣} *is at most Δ*.

**Theorem 1.** *For* **f**, **g** ∈ *R*_{q} *let* **h** = **g**/**f**. *Suppose the columns of* 𝓜_{h} *are* (*B*, **f**)-*weakly Δ-homogenously distributed modulo q. Let* 𝓛′ *be an* (*n* + *d*)-*dimensional lattice as above. Then with probability at least* 1 – (2*B* – 1)^{n}((2*B* + 1)/*q* + *Δ*)^{d} *over the columns of* 𝓜_{h}, *any vector* (*x*, *y*) ∈ 𝓛′ *s.t.* ||(*x*, *y*)|| < *B* *satisfies* (*x*, [*xh*]_{q}) = (*αf*, *αg*) *for some α* ∈ 𝓞. *The result follows for the* (*n*′ + *d*)-*dimensional subring lattice* 𝓛′ *with the assumption taken over* 𝓞_{L} := 𝓞 ∩ *L*.

*Proof.* Suppose 0 ≠ (*x*, *y*) ∈ 𝓛′ and *x* ∉ 𝓞*f*. Let (*xh*)_{i} denote the *i*th coefficient of [*xh*]_{q}, 0 ≤ *i* < *n*. Suppose that ||(*x*, *y*)|| < *B*, so |*x*_{i}| < *B* and |(*xh*)_{i}| < *B*. Let *P* = Pr[|(*xh*)_{i}| < *B*] for some *i*. By the assumption on **h**, *P* < *Δ*. The *d* ≤ *n* rightmost columns in 𝓛′ correspond to coefficients of multiplication by **h**, so Pr[|(*xh*)_{i}| < *B* for all the corresponding columns in 𝓛′] = *P*^{d} < ((2*B* + 1)/*q* + *Δ*)^{d}, for *d* independently chosen columns. There are (2*B* – 1)^{n} different possibilities for *x* such that |*x*_{i}| < *B*, with 0 ≤ *i* < *n*. Hence, the probability over the chosen columns of 𝓜_{h} in 𝓛′ that there exists a lattice point ||(*x*, *y*)|| < *B* with *x* ∉ 𝓞*f* is at most (2*B* – 1)^{n}*P*^{d} < (2*B* – 1)^{n}((2*B* + 1)/*q* + *Δ*)^{d}. □

Theorem 1 considers 𝓜_{h}, and thus assumes that its columns are (*B*, **f**)-weakly homogenously distributed for sufficiently small *B*. Understanding the distribution of **h** is extremely important as it underlies the security of NTRU. In general, **h** is not uniformly distributed in *R*_{q}, as can be seen from a simple information-theoretic argument. Hence, understanding the distribution of **f**^{–1} is important in order to understand the distribution of **h**. Banks and Shparlinski [2] studied how “well spread” the coefficients of **f**^{–1} are, that is, whether they “look and behave like random polynomials”. We remark that the desired property on **h** may follow from the behaviour of **f**^{–1}, but this property is not well formed.

Moreover, it is standard to assume that **h** = **g**/**f** is indistinguishable from random in *R*_{q}, see [14]. We remark that this assumption has a strong relation with the weakly homogenous distribution of 𝓜_{h}. Indeed, if the latter is not true, then one can pick a set of small polynomials *a* and analyze the distribution of {[*a* ⋅ *t*]_{q}/*q*}_{t∈𝓜h} to distinguish it from a random **h**. Thus, under the indistinguishability assumption, this set of polynomials has to be negligibly small.

We ran experiments with ternary **f**, **g** and verified that the coefficients of [**f**^{–1}]_{q} equidistribute in ℤ_{q} and that 𝓜_{h} is (*B*, **f**)-weakly homogenously distributed for sufficiently small *B*. For the rest of the paper, we rely on the following assumption.

**Assumption 1.** *The set of columns of* 𝓜_{h} *is* (*B*, **f**)-*weakly O*(*q*^{–1})-*homogenously distributed modulo q for B* ≪ *q*.

**Corollary 1.** *Let* **f**, **g** ∈ *R*_{q} *and* **h** = **g**/**f** *be NTRU private and public keys. Let* 𝓛′ *be the projected NTRU lattice of dimension n* + *d, where d* ≥ (*n* log(2*B* + 1) + 1)/log(*q*/(2*B* + 1)). *Under Assumption 1, any vector* (*x*, *y*) ∈ 𝓛′ *s.t.* ||(*x*, *y*)|| < *B* *satisfies* (*x*, [*xh*]_{q}) = (*αf*, *αg*) *for some α* ∈ 𝓞 *with probability at least* 1/2 + *O*(*q*^{–1}) *over the chosen columns of* 𝓜_{h}. *The result follows for the* (*n*′ + *d*)-*dimensional subring lattice* 𝓛′ *with the assumption taken over* 𝓞_{L} := 𝓞 ∩ *L*.

*Proof.* Using notation from Theorem 1, the probability that there exists a lattice point ||(*x*, *y*)|| < *B* with *x* ∉ 𝓞*f* is at most the bound of Theorem 1 with *Δ* = *O*(*q*^{–1}); setting *d* ≥ (*n* log(2*B* + 1) + 1)/log(*q*/(2*B* + 1)) gives the result. □

Setting *d* as required in Corollary 1, observe that the dimension of 𝓛′ is *n* + *d* ≥ (*n* log(*q*) + 1)/log(*q*/(2*B* + 1)). This is similar to the subring lattice in [12, Theorem 6]. Thus, Corollary 1 completes the missing details on the validity of the subring attack and, along with [12, Theorem 6], gives a complete analysis of the subring attack under Assumption 1. We formalize this result in the following theorem. In what follows, *β* denotes the block size in the BKZ [21] algorithm.

**Theorem 2** (Adapted from Theorem 6 in [12]). *Let* **f**, **g** ∈ *R*_{q} *and* **h** = **g**/**f** *be NTRU private and public keys satisfying Assumption 1. Let B* = ||*v*|| *where v* = (**f**, **g**) *in the full field, v* = (*N*_{K/L}(**f**), *N*_{K/L}(**g**)) *in the subfield and v* = (*N*_{K/L}(**f**), *N*_{K/L}(**f**)**h**) *in the subring. Then for*

*one can find a multiple αv for a non-zero α* ∈ 𝓞 *with probability at least* 1/2 + *O*(*q*^{–1}) *over the chosen columns of* 𝓜.

### 4.2 Comparing ||*N*_{K/L}(**g**)|| and ||*N*_{K/L}(**f**)**h**||

In Section 3, we showed that a small vector in the subfield lattice is the vector (*N*_{K/L}(**f**), *N*_{K/L}(**g**)), while in the subring lattice the vector (*N*_{K/L}(**f**), *N*_{K/L}(**f**)**h**) is small. The *f* part of these vectors is the same. Our interest is therefore in the *g* part. Moreover, we know that *N*_{K/L}(**g**) is an *n*′-dimensional vector and *N*_{K/L}(**f**)**h** is an *n*-dimensional vector. We show that these two elements have the same Euclidean norm. It then follows that on average the coefficients of *N*_{K/L}(**g**) are larger than the coefficients of *N*_{K/L}(**f**)**h**. When we truncate the latter to *n*′ coordinates, its norm becomes smaller than the norm of *N*_{K/L}(**g**). Using an assumption on the distribution of the coefficients of *N*_{K/L}(**g**), we quantify the difference in size. More precisely, Theorem 3 shows, with no further assumptions, that when [*K* : *L*] = 2, the average size of the coefficients of *N*_{K/L}(**g**) is expected to be √2 times that of *N*_{K/L}(**f**)**h**. In Theorem 4, we generalize this result for any subfield such that [*K* : *L*] = *r*, and prove that the expected ratio of the average magnitude of the coefficients is √*r*.

**Claim 1.** *Let f, g be two polynomials with coefficients chosen uniformly at random from the same set. Let f* = (*u*_{1}, …, *u*_{m}) *and g* = (*w*_{1}, …, *w*_{n}). *Then*, E[||*f*||^{2}] = E[||*g*||^{2}] *if and only if the expectation of the square of the coefficients satisfies*

In light of this result, our aim is to show that the ratio between ||*N*_{K/L}(**g**)|| and ||*N*_{K/L}(**f**)**h**|| tends to 1 as *n* increases. Then, we can conclude that the subring lattice of dimension 2*n*′ is expected to contain shorter vectors than the subfield lattice of the same dimension. We use random walks to model the coefficients of a product of two polynomials. A first case is for polynomials whose coefficients are drawn independently and uniformly from the set {–1, 0, 1}. A one-dimensional random walk over ℤ starts at 0 and at each step moves either +1 or –1 with equal probability. Let *a*_{i}, for *i* = 1, …, *n*, denote independent random variables with value either +1 or –1 with uniform probability, and let *w*_{0} = 0 and *w*_{k} = *w*_{k–1} + *a*_{k} for *k* ≥ 1. Then {*w*_{n}} defines a random walk over ℤ. The expected distance after *n* steps is on the order of √*n*. As *n* increases, the distribution of the series *w*_{n} approaches the normal distribution. A second case is for polynomials whose coefficients are drawn from a Gaussian distribution: in a Gaussian random walk, we let *a*_{i} follow the Gaussian distribution with standard deviation *σ* and mean zero. The expected distance after *n* steps is then on the order of *σ*√*n*. We first consider a subfield *L* ⊆ *K* of index 2.

**Theorem 3.** *Let* **f**, **g** ∈ *R*_{q} *be two polynomials whose coefficients are drawn independently and uniformly from* {–1, 0, 1}. *Let N*_{K/L}(**g**) = (*u*_{1}, …, *u*_{n}) *and* **g***σ*_{2}(**f**) = (*w*_{1}, …, *w*_{n}). *Then* E[*u*_{i}^{2} | *u*_{i} ≠ 0] = 8*n*/9 – 4/9 *and* E[*w*_{i}^{2}] = 4*n*/9. *Thus, as n goes to infinity the ratio between the expected magnitude of the non-zero coefficients of N*_{K/L}(**g**) *and* **g***σ*_{2}(**f**) *tends to* √2 *in absolute value and the ratio of the expected squared Euclidean norms* E[||*N*_{K/L}(**g**)||^{2}]/E[||**g***σ*_{2}(**f**)||^{2}] *tends to 1*.

*Proof.* We start by comparing the expected size of the coefficients of *N*_{K/L}(**g**) to those of **g***σ*_{2}(**f**). Let *a*_{i} ∈ {–1, 0, 1} uniformly and independently at random and consider the polynomial **g** = *a*_{n–1}*x*^{n–1} + *a*_{n–2}*x*^{n–2} + … + *a*_{1}*x* + *a*_{0} ∈ *R*_{q}. Then *σ*_{2}(**g**) = –*a*_{n–1}*x*^{n–1} + *a*_{n–2}*x*^{n–2} + … – *a*_{1}*x* + *a*_{0}. Each coefficient *u*_{k} of *N*_{K/L}(**g**) = **g***σ*_{2}(**g**) is a sum of *n* terms. For *k* odd, *u*_{k} = 0, because each of the terms *a*_{i}*a*_{j} in this sum appears twice with opposite signs. For *k* even, *a*_{i}*a*_{j} with *i* ≠ *j* appears twice with similar sign. Then, we have E[(*a*_{i}*a*_{j})^{2}] = 4/9 and for *k* even

Now, let us repeat a very similar argument for **g***σ*_{2}(**f**), where *σ*_{2}(**f**) is a polynomial of the form *σ*_{2}(**f**) = *b*_{n–1}*x*^{n–1} + *b*_{n–2}*x*^{n–2} + … + *b*_{1}*x* + *b*_{0}, with *b*_{i} ∈ {–1, 0, 1} uniformly and independently at random. Again, each coefficient *w*_{k} of **g***σ*_{2}(**f**) is a sum of *n* terms. However, unlike the case above, there are no similar terms in this sum, and we have E[*a*_{i}*b*_{j}] = 0 and E[(*a*_{i}*b*_{j})^{2}] = 4/9. As above, we compute

Thus the expected squared Euclidean norms satisfy E[||*N*_{K/L}(**g**)||^{2}] ≈ E[||**g***σ*_{2}(**f**)||^{2}] = E[∑_{i} *w*_{i}^{2}] = 4*n*^{2}/9. □
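As an added Monte Carlo check (my code, not from the paper), the script below samples ternary **f**, **g**, computes *N*_{K/L}(**g**) = **g***σ*_{2}(**g**) and *N*_{K/L}(**f**)**h** = **g***σ*_{2}(**f**) for the index-2 subfield, and estimates the quantities of Theorem 3 and its proof: the odd coefficients of the norm vanish, the mean squared non-zero coefficient of *N*_{K/L}(**g**) is about twice that of **g***σ*_{2}(**f**) (ratio of magnitudes near √2), the squared norms agree up to a factor tending to 1, and, truncating **g***σ*_{2}(**f**) to *n*′ = *n*/2 coordinates as the projection does, the squared-norm ratio of the subfield vector (*N*_{K/L}(**f**), *N*_{K/L}(**g**)) to the projected subring vector comes out near 2*r*/(*r* + 1) = 4/3, the value of the main result for *r* = 2. The parameters (*n* = 32, 800 trials, seed 0) and the function names are my choices; the estimates are finite-*n* averages, so compare them with the leading terms 8*n*/9 and 4*n*/9 rather than expecting the exact constants.

```python
# Added example, not code from the paper: Monte Carlo estimate of the Theorem 3
# quantities for the index-2 subfield L = Q(x^2) of K = Q[x]/(x^n + 1).
# n, trials and the seed are my choices; sampling follows the theorem's model.
import random

def negacyclic_mul(a, b):
    """Product of coefficient lists (low degree first) in Z[x]/(x^n + 1)."""
    n = len(a)
    res = [0] * n
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            if i + j < n:
                res[i + j] += x * y
            else:
                res[i + j - n] -= x * y       # x^n = -1
    return res

def sigma2(a):
    """The non-trivial automorphism of K over L: x -> -x."""
    return [(-c if i % 2 else c) for i, c in enumerate(a)]

def theorem3_estimates(n=32, trials=800, seed=0):
    """Sample ternary f, g; compare N(g) = g*sigma2(g) with N(f)*h = g*sigma2(f)."""
    rng = random.Random(seed)
    n2 = n // 2                                # n' = n/r with r = 2
    odd_zero = True
    u2 = w2 = 0.0                              # running sums of squared coefficients
    norm_u = norm_w = norm_f = norm_w_proj = 0.0
    for _ in range(trials):
        f = [rng.choice((-1, 0, 1)) for _ in range(n)]
        g = [rng.choice((-1, 0, 1)) for _ in range(n)]
        u = negacyclic_mul(g, sigma2(g))       # N_{K/L}(g): only even-degree terms survive
        w = negacyclic_mul(g, sigma2(f))       # N_{K/L}(f) * h with h = g/f
        nf = negacyclic_mul(f, sigma2(f))      # N_{K/L}(f): the common "f part"
        odd_zero = odd_zero and all(u[k] == 0 for k in range(1, n, 2))
        u2 += sum(u[k] ** 2 for k in range(0, n, 2))   # the n/2 non-zero positions
        w2 += sum(c * c for c in w)
        norm_u += sum(c * c for c in u)
        norm_w += sum(c * c for c in w)
        norm_f += sum(c * c for c in nf)
        norm_w_proj += sum(c * c for c in w[:n2])      # keep n' coordinates of the g part
    mean_u2 = u2 / (trials * n2)               # Theorem 3: ~ 8n/9 for large n
    mean_w2 = w2 / (trials * n)                # Theorem 3: 4n/9
    return {
        "odd_coeffs_of_norm_zero": odd_zero,
        "mean_u2_nonzero": mean_u2,
        "mean_w2": mean_w2,
        "coeff_magnitude_ratio": (mean_u2 / mean_w2) ** 0.5,   # -> sqrt(2)
        "squared_norm_ratio": norm_u / norm_w,                 # -> 1
        # (N(f), N(g)) versus (N(f), first n' coords of N(f)h): -> 2r/(r+1) = 4/3
        "subfield_over_projected_subring": (norm_f + norm_u) / (norm_f + norm_w_proj),
    }

if __name__ == "__main__":
    for key, value in theorem3_estimates().items():
        print(f"{key}: {value}")
```

Because the even coefficients of **g***σ*_{2}(**g**) are sums of doubled terms ±2*a*_{i}*a*_{j} while those of **g***σ*_{2}(**f**) are sums of single terms ±*a*_{i}*b*_{j}, the estimate reproduces the random-walk picture of the proof: half as many non-zero coordinates, each roughly twice as large in square, hence equal norms before truncation and a strictly shorter *g* part after it.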

We would like to generalize this result to *r* > 2. While the coefficients of **g***σ*_{2}(**g**) and **g***σ*_{2}(**f**) can be expressed as random walks, and thus follow a Gaussian distribution, they may not be independent.

**Assumption 2.** *For r* > 1, *the coefficients of N*_{K/L}(**g**), *N*_{K/L}(**f**) *and N*_{K/L}(**f**)**h** *behave as if they were independently chosen from a Gaussian distribution*.

This assumption seems natural and allows us to prove Theorem 4, a generalisation of Theorem 3 to any *r* > 0. We experimentally verified that as *n* grows, the ratio of the norms tends to 1, as in Theorem 4; see Figure 1. From this, we directly get that the ratio of the average coefficient tends to √*r*.

**Theorem 4.** *Let* **f**, **g** ∈ *R*_{q} *and* **h** = **g**/**f** *be NTRU private and public keys satisfying Assumption 2. For a subfield L* ⊆ *K, let N*_{K/L}(**g**) = (*u*_{1}, …, *u*_{n}) *and N*_{K/L}(**f**)**h** = (*w*_{1}, …, *w*_{n}). *Then, as n goes to infinity the ratio between the expected magnitude of the non-zero coefficients of N*_{K/L}(**g**) *and N*_{K/L}(**f**)**h** *tends to* √*r* *in absolute value. In addition, the ratio of the expected squared Euclidean norms* E[||*N*_{K/L}(**g**)||^{2}]/E[||*N*_{K/L}(**f**)**h**||^{2}] *tends to 1 as n goes to infinity*.

*Proof.* We give a proof by induction on the index *r*, where the base case is proven in Theorem 3. Suppose the claim holds for index *r*; we show that it holds for [*K* : *L*] = 2*r*. First note that for a tower of fields *L* ⊆ *E* ⊆ *K* we have *N*_{K/L}(**a**) = *N*_{E/L}(*N*_{K/E}(**a**)) for every **a** ∈ *K* (see [16, Theorem 2.29]). Consider the case [*K* : *E*] = *r*, [*E* : *L*] = 2, and denote **G** := *N*_{K/E}(**g**) and **F** := *N*_{K/E}(**f**). Then, *N*_{K/L}(**g**) = *N*_{E/L}(**G**) = **G***σ*_{2}(**G**) and *N*_{K/L}(**f**)**h** = *N*_{E/L}(**F**)**h** = **F***σ*_{2}(**F**)**h** = **G**′*σ*_{2}(**F**), where *σ*_{2} is the non-trivial element of *Gal*(*E/L*) and **G**′ = **Fh** = *N*_{K/E}(**f**)**h**. The previous case of the construction, i.e. [*K* : *E*] = *r*, shows that each (non-zero) coefficient of **F**, **G** and **G**′ follows a Gaussian distribution. Under Assumption 2 the coefficients can be considered to be independent. We can now repeat the process of Theorem 3. While **G**′ ∈ *K*, note that **F**, **G** ∈ *E* so they have *n/r* non-zero coefficients. Thus, similarly to Theorem 3, each non-zero coefficient of **G***σ*_{2}(**G**) is approximately 2 multiplied by a Gaussian random walk with *n*/2*r* steps, while each coefficient of **G**′*σ*_{2}(**F**) is a random walk with *n/r* steps. By the induction hypothesis, a coefficient of **G** is expected to be larger than coefficients of **G**′ by a factor of √*r*. The result on the coefficients follows from evaluating the expected size of the random walks and the claim on the norms follows from Claim 1. □

The following corollary compares small vectors in the subfield and subring lattices of same dimensions, without using projection in the subfield lattice.

**Corollary 2.** *Let B*_{subfield} = ||(*N*_{K/L}(**f**), *N*_{K/L}(**g**))|| *where* [*K* : *L*] = *r* = *n*/*n*′. *Let*

*where the projection keeps* 2*n*′ *coordinates. Under Assumptions 1 and 2, for sufficiently large n we expect to have*

*Moreover, suppose that B*_{subfield} *is the norm of the shortest vector in the subfield lattice, and denote by q*_{subfield} *and q*_{subring} *the modulus in the subfield and subring attacks, respectively, that the BKZ algorithm can solve NTRU with a fixed block size β. Then*

*Proof.* To simplify notation, we write coeff(*f*) to denote the average size of the coefficients of a polynomial *f*. We have *B*_{subfield}^{2} ≈ (*n*/*r*)(coeff(*N*_{K/L}(**f**))^{2} + coeff(*N*_{K/L}(**g**))^{2}), and the squared norm of the projected subring vector is ≈ (*n*/*r*)(coeff(*N*_{K/L}(**f**))^{2} + coeff(*N*_{K/L}(**f**)**h**)^{2}). We know that coeff(*N*_{K/L}(**f**))^{2} ≈ coeff(*N*_{K/L}(**g**))^{2} and from Theorem 4, we also know that coeff(*N*_{K/L}(**g**))^{2} ≈ *r* coeff(*N*_{K/L}(**f**)**h**)^{2}. BKZ is guaranteed to output a vector bounded by *β*^{2n′/β}*λ*_{1}(𝓛). The second result follows from bounding this value by

It follows that if we take the same lattice dimension in both attacks, the subring lattice contains vectors of smaller size. Therefore one can solve the NTRU problem using the subring attack with a smaller *q*. As mentioned in [1, Section 6], it is not known that *B*_{subfield} is the norm of the shortest vector (see [12, Theorem 5]). Moreover, our experiments in Table 2 show that the ratio between *q*_{subfield} and *q*_{subring} grows with *r*. One possible explanation is that in (*N*_{K/L}(**f**), *N*_{K/L}(**f**)**h**) the *f* part is much larger than the *g* part. Therefore, if there exists an integral multiple of this vector that decreases the size of the *f* part and increases the size of the *g* part so that the vector becomes balanced, the ratio between the feasible *q*s would increase.

**Table 2.** Experimentally determining the minimal *q* for each attack. For a fixed dimension, we compare the subring attack to the subfield attack without projection, and note whether the attack succeeded. In some cases the full field attack only succeeded with projection; (384;512) means we ran the full field attack in these two dimensions.

log n | Dimension (full/subfield) | log r | log q | Full field | Subring | Subfield
---|---|---|---|---|---|---
8 | (384;512)/256 | 1 | 22 | Yes;No | Yes | Yes
8 | (384;512)/256 | 1 | 21 | No | Yes | No
9 | (768;1024)/512 | 1 | 34 | Yes;No | Yes | Yes
9 | 768/512 | 1 | 32 | No | Yes | Yes
9 | 768/512 | 1 | 31 | No | No | No
9 | 1024/256 | 2 | 40 | Yes | Yes | Yes
9 | 1024/256 | 2 | 38 | Yes | Yes | No
9 | 1024/256 | 2 | 37 | Yes | No | No
9 | 1024/256 | 2 | 36 | Yes | No | No
10 | 2048/512 | 2 | 52 | - | Yes | Yes
10 | 2048/512 | 2 | 50 | - | Yes | No
10 | 2048/512 | 2 | 49 | - | No | No
11 | 4096/512 | 3 | 95 | - | Yes | Yes
11 | 4096/512 | 3 | 92 | - | Yes | No
11 | 4096/512 | 3 | 91 | - | No | No
11 | 4096/256 | 4 | 165 | - | Yes | Yes
11 | 4096/256 | 4 | 162 | - | Yes | No
11 | 4096/256 | 4 | 161 | - | No | No
12 | 4096/512 | 4 | 189 | - | Yes | Yes
12 | 4096/512 | 4 | 185 | - | Yes | No
12 | 4096/512 | 4 | 184 | - | No | No

If the systems of equations derived from the lattices given in Corollary 2 are overdetermined, we can project and get smaller lattices. Since the *g* part in the subring lattice is smaller than in the subfield one, the subring attack system is more determined than the subfield one.

The following corollary shows that one can use projection to discard more equations in the subring attack and achieve a lower dimension.

**Corollary 3.** *With the notation from Theorem 2 and Corollary 2, set B* := *B*_{subfield}. *Under Assumptions 1 and 2, for sufficiently large n, we can find a multiple αv for some non-zero α* ∈ 𝓞 *such that using BKZ with block size β on the lattice* 𝓛′ *of dimension n*′ + *d, we have the following two cases. If* 𝓛′ *is the subfield lattice, then*

*and if* 𝓛′ *is the subring lattice, then*

*and*

### 4.2.1 Experimental results

We implemented all three attacks in Sage and compared them experimentally using Sage's default LLL implementation. A success in our experiments is recovering a vector *v* such that ||*v*|| < *q*^{3/4}. As noted by [12], we either get vectors which are roughly of size *q*, or vectors of size. First, we fix (*n*, dimension, *r*) and compare the smallest modulus *q* that succeeded for each of the three attacks using LLL; details are given in Table 2. Note that we do not apply the projection technique to the subfield attack in these experiments; the analysis of the subfield attack without projection is given in Corollary 2. Then we compare the subring and subfield attacks by fixing (*n*, *q*, *r*) and comparing the smallest dimension that succeeded using LLL. For some of the lattices we used the projection technique, deleting the right-most columns until we reached the desired dimension. The observed difference is greater than our analysis predicts; details are given in Table 3, and the analysis of the subfield attack with projection is given in Corollary 3. Experiments were run on a single core of an Intel Xeon E5-2699 v3 running at 2.30 GHz, with 128 GB of RAM.
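To make the success criterion and the lattices concrete, the following is an added example and not the paper's Sage implementation: it builds a toy NTRU key over ℤ_q[x]/(x^n + 1), the full-field lattice of dimension 2n from the introduction, the projection step (deleting right-most columns) and the check ||v|| < q^{3/4}. The parameters n = 16, q = 2^31 − 1 (a prime), the seed and all function names are assumptions of this example.

```python
# Added example, not the paper's Sage code: a toy NTRU instance over Z_q[x]/(x^n + 1),
# its full-field lattice (with the projection technique) and the q^(3/4) criterion.
import math, random

def mul(a, b, n, q):  # product of coefficient lists in Z_q[x]/(x^n + 1), where x^n = -1
    c = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % n] += ai * bj if i + j < n else -ai * bj
    return [x % q for x in c]

def rot_matrix(a, n, q):  # rows a*x^i mod q: a row vector p times this matrix is p*a
    rows, cur = [], [x % q for x in a]
    for _ in range(n):
        rows.append(cur)
        cur = [(-cur[-1]) % q] + cur[:-1]
    return rows

def inverse(f, n, q):  # f^-1 by Gauss-Jordan on [M | I], M = rot_matrix(f); None if singular
    M = [r + [int(i == j) for j in range(n)] for i, r in enumerate(rot_matrix(f, n, q))]
    for c in range(n):
        p = next((r for r in range(c, n) if M[r][c]), None)
        if p is None:
            return None
        M[c], M[p] = M[p], M[c]
        inv = pow(M[c][c], -1, q)
        M[c] = [(x * inv) % q for x in M[c]]
        for r in range(n):
            if r != c and M[r][c]:
                M[r] = [(x - M[r][c] * y) % q for x, y in zip(M[r], M[c])]
    return M[0][n:]  # e_0 * M^-1 = f^-1

def keygen(n, q, seed=0):  # ternary f, g with f invertible mod q; public key h = g * f^-1
    rng = random.Random(seed)
    while True:
        f, g = [[rng.choice((-1, 0, 1)) for _ in range(n)] for _ in range(2)]
        finv = inverse(f, n, q)
        if finv is not None:
            return f, g, mul(g, finv, n, q)

def ntru_lattice(h, n, q, d=0):  # basis of {(a, b): b = a*h mod q}; d = projected-away columns
    rows = [[0] * n + [q * int(i == j) for j in range(n)] for i in range(n)]
    rows += [[int(i == j) for j in range(n)] + hr for i, hr in enumerate(rot_matrix(h, n, q))]
    return [row[:2 * n - d] for row in rows]  # deleting the d right-most columns

def in_lattice(v, h, n, q):  # (a, b) lies in the lattice iff b - a*h vanishes mod q
    return all((b - c) % q == 0 for b, c in zip(v[n:], mul(v[:n], h, n, q)))

def is_success(v, q):  # the paper's criterion: the recovered vector is shorter than q^(3/4)
    return math.sqrt(sum(x * x for x in v)) < q ** 0.75
```

No lattice reduction is run here; the block only verifies that the secret vector (f, g) lies in the lattice and passes the criterion while the trivial basis vector q·e_i (of size q) does not, which is exactly the distinction the text draws between the two kinds of vectors LLL returns.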

**Table 3. Experimentally determining the minimal dimension for each attack**. For fixed parameters log *n* and log *q*, we compare the subfield and the subring attacks applied to a lattice of the *same* dimension, using the projection technique where applicable, and note whether the attack succeeded together with the LLL reduction time.

log n | log q | log r | Dimension | Subfield | Subring | Subfield LLL time (s) | Subring LLL time (s) |
---|---|---|---|---|---|---|---|
8 | 22 | 1 | 233 | Yes | Yes | 715.4 | 577.6 |
8 | 22 | 1 | 223 | No | Yes | 454.5 | 452.3 |
8 | 22 | 1 | 222 | No | No | 456.5 | 424.3 |
9 | 70 | 3 | 122 | Yes | Yes | 132.6 | 121.1 |
9 | 70 | 3 | 117 | No | Yes | 116.2 | 117.0 |
9 | 70 | 3 | 116 | No | No | 108.7 | 108.9 |
10 | 150 | 4 | 124 | Yes | Yes | 344.8 | 325.3 |
10 | 150 | 4 | 120 | No | Yes | 298.6 | 304.1 |
10 | 150 | 4 | 119 | No | No | 290.2 | 286.5 |
11 | 165 | 4 | 254 | Yes | Yes | 15333.0 | 12423.7 |
11 | 165 | 4 | 249 | No | Yes | 12708.7 | 12072.0 |
11 | 165 | 4 | 248 | No | No | 12086.3 | 11722.8 |

We thank Shi Bai for some helpful discussions.

This material was supported by the National Science Foundation under Grants No. CNS-1513671 and CNS-1651344 and by the ONR SynCrypt project. We are grateful to Cisco for donating the Cisco UCS servers used for our experiments.

## References

- [1] M. Albrecht, S. Bai, and L. Ducas. A Subfield Lattice Attack on Overstretched NTRU Assumptions. CRYPTO 2016.
- [2] W. D. Banks and I. E. Shparlinski. Distribution of Inverses in Polynomial Rings. Indagationes Mathematicae, 12(3), 2001.
- [3] D. Boneh and R. Venkatesan. Hardness of Computing the Most Significant Bits of Secret Keys in Diffie–Hellman and Related Schemes. CRYPTO 1996.
- [4] J. H. Cheon, J. Jeong, and C. Lee. An Algorithm for NTRU Problems and Cryptanalysis of the GGH Multilinear Map without a Low-Level Encoding of Zero. LMS Journal of Computation and Mathematics, 19(A), 2016.
- [6] G. De Micheli, N. Heninger, and B. Shani. Characterizing Overstretched NTRU Attacks. ePrint 2018/630.
- [8] D. H. Duong, M. Yasuda, and T. Takagi. Choosing Parameters for the Subfield Lattice Attack Against Overstretched NTRU. Information Security 2017.
- [9] S. Garg, C. Gentry, and S. Halevi. Candidate Multilinear Maps from Ideal Lattices. EUROCRYPT 2013.
- [10] J. Hoffstein, N. Howgrave-Graham, J. Pipher, J. H. Silverman, and W. Whyte. NTRUSign: Digital Signatures Using the NTRU Lattice. CT-RSA 2003.
- [11] J. Hoffstein, J. Pipher, and J. H. Silverman. NTRU: A Ring-based Public Key Cryptosystem. Algorithmic Number Theory 1998.
- [12] P. Kirchner and P.-A. Fouque. Revisiting Lattice Attacks on Overstretched NTRU Parameters. EUROCRYPT 2017.
- [14] A. López-Alt, E. Tromer, and V. Vaikuntanathan. On-the-fly Multiparty Computation on the Cloud via Multikey Fully Homomorphic Encryption. STOC 2012.
- [18] A. May and J. H. Silverman. Dimension Reduction Methods for Convolution Modular Lattices. Cryptography and Lattices.
- [19] G. Pataki and M. Tural. On Sublattice Determinants in Reduced Bases, 2008.
- [20] P. Samuel. Algebraic Theory of Numbers. Hermann, 1970.
- [21] C. P. Schnorr. A Hierarchy of Polynomial Time Lattice Basis Reduction Algorithms. Theor. Comput. Sci., 53(2-3):201–224, August 1987.
- [22] D. Stehlé and R. Steinfeld. Making NTRU as Secure as Worst-Case Problems over Ideal Lattices. EUROCRYPT 2011.
- [23] R. Steinfeld. NTRU Cryptosystem: Recent Developments and Emerging Mathematical Problems in Finite Polynomial Rings. Walter de Gruyter, 2014.