Characterizing overstretched NTRU attacks

Gabrielle De Micheli 1 , Nadia Heninger 1  and Barak Shani 1
  • 1 University of Pennsylvania, Pennsylvania, United States of America
Gabrielle De Micheli, Nadia Heninger and Barak Shani

Abstract

Overstretched NTRU is a variant of NTRU with a large modulus. Recent lattice subfield and subring attacks have broken suggested parameters for several schemes. There are a number of conflicting claims in the literature over which attack has the best performance. These claims are typically based on experiments more than analysis. In this paper, we argue that comparisons should focus on the lattice dimension used in the attack. We give evidence, both analytically and experimentally, that the subring attack finds shorter vectors and thus is expected to succeed with a smaller dimension lattice than the subfield attack for the same problem parameters, and also to succeed with a smaller modulus when the lattice dimension is fixed.

1 Introduction

NTRU is a public key cryptosystem [11] that serves as a basis for many cryptographic protocols (e.g. [9, 10, 14]) and is believed to remain secure in the presence of quantum computers. See the survey [23] for a complete description of the NTRU cryptosystem and its applications. In this paper, we consider the overstretched NTRU variant in the cyclotomic field K = ℚ[x]/(xn + 1), with n a power of 2. Let R = ℤ[x]/(xn + 1) be the ring of integers in K, and let Rq = ℤq[x]/(xn + 1) for some integer q that is super-polynomial in n. The private key consists of two polynomials f, gRq, with f invertible. The public key h is defined by h := gf–1. The coefficients of f and g are chosen to be small from a given distribution, most commonly the uniform distribution over {–1, 0, 1}. The (general) NTRU key recovery problem is to recover a, bRq with “sufficiently small” coefficients such that h = ba–1.

Cryptanalyses of NTRU. Coppersmith and Shamir [5] presented a lattice attack on NTRU. The lattice has dimension 2n, and in the context of this paper the attack works over the full field K. Later variants of this attack decrease the lattice dimension, resulting in feasible computations for larger parameters. The first cryptanalyses of overstretched NTRU were given independently by Albrecht et al. [1] and Cheon et al. [4]. These works present subfield attacks that exploit subfields in K. Their main result is that if q is exponentially large, the dimension can be much smaller and the attack runs in polynomial time.

Kirchner and Fouque [12] presented a subring attack against overstretched NTRU. This attack allows more flexibility in choosing different (larger) dimensions. Moreover, they proved that despite the larger dimension, the “full field” attack does not perform worse than the subfield and subring attacks.

Experimentally, the subring and subfield attacks are significantly faster than the full field attack. [12] compare to the experiments in [1] and conclude that if one wishes to minimize the ratio between n and q then the subring attack “performs better” than the subfield attack. Subsequent work by Duong et al. [8] conclude that for different choices of subfields, the subfield attack is not worse than the subring attack. These comparisons are mainly experimental and not analytic.

However, these works directly compare lattices of different dimensions and observe that the attack succeeds on a smaller modulus q for a given degree n using larger-dimension lattices. The benefit of this comparison is questionable, as it follows from [12] that the full field, which has the largest dimension, is expected to achieve the lowest ratio between n and q among all these lattice attacks. Furthermore, the point of the subfield and subring attacks is to decrease the dimension, so increasing the dimension is in opposition to the goal of the attack construction. While lattice dimension is not the only parameter that affects the running time or approximation factor of lattice basis reduction algorithms, in all of our experiments, as in the reported experiments of previous works, lattice dimension seems to play a crucial role in the actual running time.

Our results. The main goal of our work is to resolve the conflicting claims in previous work. We formally analyze the relative performance, focusing on the lattice dimension and use experiments to validate our analysis. Our focus on the lattice dimension follows our claim that this is the correct metric for comparison.

  1. We formally justify the projection technique of May [17] and May and Silverman [18], which is key to the subring attack. We formalize its necessary conditions, and explain its relation to standard assumptions on NTRU. This analysis fills a theoretical gap in prior work on the subring attack.
  2. We show that the subring lattice is expected to contain shorter vectors than the subfield lattice, which resolves the incompatible claims in prior work. In short, if this is the case, for fixed n and q, the subring attack can use projection to discard more equations and obtain a lower dimension lattice. Thus, for a given degree n and fixed lattice dimension, the subring attack is expected to succeed on a smaller modulus q.

Main result (Informal). Consider the NTRU problem with polynomial degreen. LetLbe a subfield ofKsuch that [K : L] = r, and let n′ = n/r. Then, for sufficiently largen, we have the following.

  1. For a lattice dimension 2n′, the subring lattice is expected to contain shorter vectors than the subfield lattice, and to solve the NTRU problem for smaller modulus. The ratio of the Euclidean norm of the respective vectors is approximately2r/(r+1). If these are the shortest vectors, then the ratio of the smallest feasible moduli for each attack approaches 2 asrincreases.
  2. For a modulusq, if we decrease the lattice dimension below 2nusing projection, the subring attack is expected to solve the NTRU problem with a smaller dimension lattice and a smaller block size for the BKZ algorithm than the subfield attack, by finding a non-zero integral multiple of the desired vectors.

Our analysis does not show that these desired vectors are the shortest vectors in the corresponding lattices. Thus, our bounds may not be tight. We present experimental evidence suggesting that these bounds are conservative. Our result focuses on the structure of the lattices more than actual implementations of the attacks. In particular, we fix the subfield index and analyze the asymptotics of the length of short vectors in the lattices. Implementations of the attacks would try to optimize the choice of the subfield with respect to the degree of the field. An analysis of such an optimization seems challenging.

2 Preliminaries

We denote the ring representation of an element by aR, and the vector representation by aZqn. The Euclidean norm ||f|| is the norm of the corresponding vector consisting of the polynomial coefficients, i.e. ||f||. We use [x]q to denote x mod q.

A number field is a finite field extension of ℚ. Its degree is [K : ℚ]. The ring of integers 𝓞 of a number field K is the set of algebraic integers contained in K. For any field K and subfield L of K, we define r = [K : L] to be the index of the subfield we consider. If n′ = [L : ℚ] and n = [K : ℚ], then r = n/n′.

Let ζm be a primitive mth root of unity. Let the mthcyclotomic field be K = ℚ(ζm), and m a power of 2. The mth cyclotomic polynomial is xn + 1, where n = ϕ(m) and ϕ is Euler’s phi function, and K ≅ ℚ[x]/(xn + 1).

Let K be a number field and L a subfield of K. Consider the map ma : xax, for an element aK and xL. The trace of aK, denoted TrK/L(a), is the trace of ma. The relative norm of aK, denoted NK/L(a), is the determinant of ma. The trace is additive and the norm is multiplicative. In particular, if K is a Galois extension of ℚ and we define G = Gal(K/L), then TrK/L(a) = ∑σGσ(a) and NK/L(a) = ∏σGσ(a). The embeddings σG permute or conjugate the coefficients of xK in the canonical embedding. Hence, ∀σG, ||σ(x)|| = ||x||. Let K be a number field and L a subfield of index r. When we enumerate the embeddings, we set σ1 = Id. To prevent confusion, while we use canonical embeddings, the norms are taken with respect to the coefficients.

A lattice is a discrete additive subgroup of ℝn. We will represent an n-dimensional lattice as an n × n matrix where the rows are given by the basis vectors bi, and write 𝓛(B) for the lattice generated by basis matrix B.

3 Characterization of NTRU attacks

We give a short presentation of the different attacks on NTRU. A comprehensive characterization of the attacks appears in the full version of this paper [6].

3.1 The full field attack

Coppersmith and Shamir [5] considered the following 2n × 2n matrix

Afull=InMh0qIn,

where In is the n-dimensional identity matrix and 𝓜h represents multiplication in R by the public key h. The lattice generated by Afull, which we call 𝓛(Afull), contains the vector (f, g) = (f0, …, fn–1, g0, …, gn–1), because (f0, …, fn–1)𝓜h (mod q) ≡ (g0, …, gn–1). The vector (f, g) has relatively small Euclidean norm, and is most likely a vector of the smallest non-zero length in the lattice 𝓛(Afull). Thus, the NTRU problem can be reduced to computing short vectors in 𝓛(Afull).

Coppersmith and Shamir [5] note that one can derive useful information to recover the secret key even when a multiple of (f, g) is found, for multiples of relatively small norm (yet larger than (f, g)). See [5] for more details. In fact, one can focus on finding a small multiple of f, since given αf, a small multiple of g can be found by computing αfh = αg. The different attacks exploit this fact, and aim to recover (a small multiple of) NK/L(f), for a subfield LK, which can be shown to have a relatively small Euclidean norm.

In the following descriptions, we use the term “f part” for the part of the vector corresponding to the identity matrix, and “g part” for the part corresponding to multiplication by h (or by NK/L(h) in the subfield lattice).

The subfield attacks [1, 4] The norm attack [1] uses the lattice generated by the rows of the 2n′ × 2n′ matrix

Asubfield=InMNK/L(h)0qIn,

where n′ is the degree of the subfield L and MNK/L(h) is an n′ × n′ matrix representing multiplication by NK/L(h) in L. This lattice contains the short vector (NK/L(f), NK/L(g)) = (∏σGσ(f), ∏σGσ(g)).

In the trace attack [4] one replaces 𝓜NK/L(h) with 𝓜TrK/L(h), the matrix representing multiplication by TrK/L(h) in L. We focus on the norm attack because it performs slightly better when the polynomials are balanced (that is, the polynomials f and g have approximately the same number of non-zero coefficients).

The subring attack [12] The subring attack can be divided into two steps. First, consider the the following (n′ + n) × (n′ + n) matrix

Asubring=InMh0qIn,

where Mh is an n′ × n matrix representing multiplication by h in L. This lattice contains the short vector (NK/L(f), NK/L(f)h) = (fσG∖{Id}σ(f), gσG∖{Id}σ(f)).

The dimension n′ + n is larger than 2n′, the subfield attack lattice dimension. The second step “projects” the lattice, i.e., deletes columns of Mh, to reduce the dimension. We denote the projected vector (NK/L(f), NK/L(f)h). For rigorous analysis, columns should be chosen independently. This approach offers more flexibility than the subfield attack by allowing one to choose dimensions greater than 2n′.

Previous comparison of the attacks. The size of the modulus q causes a tension between applications and security. Many applications, such as fully homomorphic encryption, need a relatively large modulus, but NTRU with a very large modulus can be broken in polynomial time, even with the Coppersmith-Shamir attack. Hence, it is important to analyze the relation between q and n when studying the security of cryptosystems that are based on overstretched NTRU.

In [1], the experimental results focus on finding the minimal modulus q for which the NTRU problem can be solved with the subfield attack on a fixed n using the LLL algorithm. The subsequent work [8, 12] followed this approach and directly compared to these experiments, both claiming to achieve “better results”. Moreover, [12, Theorem 9] shows that under some conditions, working over a subfield of smaller index (including the full field) will not give worse results despite the increase in dimension (however, see our experimental results for the full field compared to the other attacks in Table 2).

We claim that the lattice dimension, which strongly influences the attacks’ running time, should be central to the attack comparisons. This point has been overlooked in prior work, and thus it is not clear whether the different experiments remain comparable. Table 1 gives a series of experimental “improvements” that decrease q by modifying the dimension. We give results from previous papers and from our own experiments. We ran the subfield and the subring attack using our implementations of these attacks and used the projection technique to reduce the dimension of the lattice. Except for the case log(n) = 12, these comparisons are inconclusive when dimension is taken into account. For a detailed comparison, see the full version of this paper [6].

Table 1

Experimental comparisons between the subfield and subring attacks.

Attacklog nlog qlog rDimension
Subfield [1]111654256
Subring [12]111154638
Subfield [1]11953512
Subring [12]11813856
Subfield (our exp.)11812856
Subfield [8]117221024
Subring [12]121574686
Subring/Subfield (our exp.) (failed)121573686

4 Main results

Our main contribution is a full characterization of the various attacks on overstretched NTRU. In Section 4.1, we give a detailed analysis of the applicability of the projection technique to NTRU lattices. Having fully proven the subring attack, we compare it to the subfield attack in Section 4.2

4.1 The projection technique

The key to the projection technique is that the system of equations corresponding to fh = g is assumed to be overdetermined, so one can discard some of the equations. We formalize this assumption, relate it to standard assumptions on NTRU and derive concrete results. Some of these details are missing in [12, Section 3.2].

In the following, let 𝓛(A) be the lattice generated by any of the above attack matrices A, 𝓛′ be the projected lattice of dimension n′ + d, and 𝓜 the upper right quadrant of A. The discrepancy 𝓓(Γ) [7, 13] measures how equidistributed a sequence of points Γ = {γ1, …, γn} in the interval [0, 1] is. Formally defined, D(Γ)=supJ[0,1]T(J,n)n|J|, where the supremum is taken over all subintervals J of [0, 1], |J| is the length of J, and T(J, n) is the number of points γi in J for 1 ≤ in. Let 𝓣 be a sequence of elements in ℤn with the dot product. 𝓣 is Δ-homogenously distributed moduloq if for any a ∈ ℤn with at least one coordinate coprime to q, the discrepancy of {[at]q/q}t∈𝓣 is at most Δ. We would like to consider the columns of 𝓜 as a set of elements in 𝓣. However, this sequence is not Δ-homogenously distributed modulo q for small Δ: for example when 𝓜 = 𝓜h, hf = g does not distribute homogenously. We define the following weaker notion.

Definition 1

(Weak homogenous distribution). Letu ∈ 𝓞, B > 0, and 𝓣 be a sequence of elements inn. Then 𝓣 is (B, u)-weakly Δ-homogenously distributed modulo qif for anya ∉ 𝓞usuch that ||a|| < B, with at least one coordinate coprime toq, the discrepancy of the sequence {[at]q/q}t∈𝓣is at mostΔ.

Theorem 1

Forf, gRqleth = g/f. Suppose the columns of 𝓜hare (B, f)-weaklyΔ-homogenously distributed moduloq. Let 𝓛′ be an (n + d)-dimensional lattice as above. Then with probability at least 1 – (2B – 1)n((2B + 1)/q + Δ)dover the columns of 𝓜h, any vector (x, y) ∈ 𝓛′ s.t. ||(x, y)|| < Bsatisfies (x, [xh]q) = (αf, αg) for someα ∈ 𝓞. The result follows for the (n′ + d)-dimensional subring lattice 𝓛′ with the assumption taken over 𝓞L := 𝓞 ∩ L.

Proof

Suppose 0 ≠ (x, y) ∈ 𝓛′ and x ∉ 𝓞f. Let (xh)i denote the ith coefficient of [xh]q, 0 ≤ i < n. Suppose that ||(x, y)|| < B, so |xi| < B and |(xh)i| < B. Let P = Pr[|(xh)i| < B] for some i. By the assumption on h, P < 2B+1q + Δ. The dn rightmost columns in 𝓛′ correspond to coefficients of multiplication by h, so Pr[|(xh)i| < B for all the corresponding columns in 𝓛′] = Pd < ((2B + 1)/q + Δ)d, for d independently chosen columns. There are (2B – 1)n different possibilities for x such that |xi| < B, with 0 ≤ i < n. Hence, the probability over the chosen columns of 𝓜h in 𝓛′ that there exists a lattice point ||(x, y)|| < B with x ∉ 𝓞f is at most (2B – 1)nPd < (2B – 1)n((2B + 1)/q + Δ)d.□

Theorem 1 considers 𝓜h, and thus also Mh, as these are the cases of interest in [12, 17] respectively. However, it can be generalized to the other matrices 𝓜 described above. In general, it is not known that the columns of 𝓜h are (B, f)-weakly homogenously distributed for sufficiently small B. Understanding the distribution of h is extremely important as it underlies the security of NTRU. In general, h is not uniformly distributed in Rq, as can be seen from a simple information-theoretic argument. Hence, understanding the distribution of f–1 is important in order to understand the distribution of h. Banks and Shparlinski [2] studied how “well spread” the coefficients of f–1 are, that is, whether they “look and behave like random polynomials”. We remark that the desired property on h may follow from the behaviour of f–1, but this property is not well formed.

Moreover, it is standard to assume that h = g/f is indistinguishable from random in Rq, see [14]. We remark that this assumption has a strong relation with the weakly homogenous distribution of 𝓜h. Indeed, if the latter is not true, then one can pick a set of small polynomials a and analyze the distribution of {[at]q/q}t∈𝓜h to distinguish it from from a random h. Thus, under the indistinguishability assumption, this set of polynomials has to be negligibly small.

We ran experiments with ternary f, g and verified that the coefficients of [f–1]q equidistribute in ℤq and that 𝓜h is (B, f)-weakly homogenously distributed for sufficiently small B. For the rest of the paper, we rely on the following assumption.

Assumption 1

The set of columns 𝓜his (B, f)-weaklyO(q–1)-homogenously distributed moduloqforBq.

Corollary 1

Letf, gRqandh = g/f be NTRU private and public keys. Let 𝓛′ be the projected NTRU lattice of dimension n + d, whered ≥ (n log(2B + 1) + 1)/log(q/(2B + 1)). Under Assumption 1, any vector (x, y) ∈ 𝓛′ s.t. ||(x, y)|| < Bsatisfies (x, [xh]q) = (αf, αg) for someα ∈ 𝓞 with probability at least 1/2 + O(q–1) over the chosen columns of 𝓜h. The result follows for the (n′ + d)-dimensional subring lattice 𝓛′ with the assumption taken over 𝓞L := 𝓞 ∩ L.

Proof

Using notation from Theorem 1, the probability that there exists a lattice point ||(x, y)|| < B with x ∉ 𝓞 f is at most (2B+1)n+dqd+O(q1)=2(n+d)(log(2B+1))2dlog(q)+O(q1). Setting d ≥ (n log(2B + 1) + 1)/log(q/(2B + 1)) gives the result.□

Setting d as required in Corollary 1, observe that the dimension of 𝓛′ is n + d ≥ (n log(q) + 1)/(log(q/(2B + 1))). This is similar to the subring lattice in [12, Theorem 6]. Thus, Corollary 1 completes the missing details on the validity of the subring attack and, along with [12, Theorem 6], gives a complete analysis of the subring attack under Assumption 1. We formalize this result in the following theorem. Now, β denotes the block size in the BKZ [21] algorithm.

Theorem 2

(Adapted from Theorem 6 in [12]). Letf, gRqandh = g/fbe NTRU private and public keys satisfying Assumption 1. LetB = ||v|| wherev = (f, g) in the full field, v = (NK/L(f), NK/L(g)) in the subfield andv = (NK/L(f), NK/L(f)h) in the subring. Then forβlogβ=2nlogqlog(q/B)2one can find a multipleαvfor a non-zeroα ∈ 𝓞 with probability at least 1/2 + O(q–1) over the chosen columns of 𝓜.

4.2 Comparing ||NK/L(g)|| and ||NK/L(f)h||

In Section 3, we showed that a small vector in the subfield lattice is the vector (NK/L(f), NK/L(g)), while in the subring lattice the vector (NK/L(f), NK/L(f)h) is small. The f part of these vectors is the same. Our interest is therefore in the g part. Moreover, we know that NK/L(g) n′-dimension vector and NK/L(f)h is n-dimensional vector. We show that these two elements have the same Euclidean norm. It then follows that on average the coefficients of NK/L(g) are larger than the coefficients of NK/L(f)h. When we truncate the latter to n′ coordinates, its norm becomes smaller than the norm of NK/L(g). Using an assumption on the distribution of the coefficients of NK/L(g), we quantify the difference in size. More precisely, Theorem 3 shows, with no further assumptions, that when [K : L] = 2, the average size of the coefficients of NK/L(g) is expected to be 2 times the average size of the coefficients of NK/L(f)h. In Theorem 4, we generalize this result for any subfield such that [K : L] = r, and prove that the expected ratio of the average magnitude of the coefficients is r under Assumption 2 below. Our main results are given in Corollaries 2 and 3.

Claim 1

Letf, gbe two polynomials with coefficients chosen uniformly at random from the same set. Letf = (u1, …, um) andg = (w1, …, wn). Then, E[||f||2] = E[||g||2] if and only if the expectation of the square of the coefficients satisfiesE[ui2]=nmE[wi2].

In light of this result, our aim is to show that the ratio between ||NK/L(g)|| and ||NK/L(f)h|| tends to 1 as n increases. Then, we can conclude that the subring lattice of dimension 2n′ is expected to contain shorter vectors than the subfield lattice of the same dimension. We use random walks to model the coefficients of a product of two polynomials. A first case is for polynomials whose coefficients are drawn independently and uniformly from the set {–1, 0, 1}. A one-dimensional random walk over ℤ starts at 0 and at each step moves either +1 or –1 with equal probability. Let ai, for i = 1, …, n, denote independent random variables with value either +1 or –1 with uniform probability, and let w0 = 0 and wn=i=1nai. The series {wn} defines a random walk over ℤ. The expected distance after n steps is on the order of n. As n increases, the distribution of the series wn approaches the normal distribution. A second case is for polynomials whose coefficients are drawn from a Gaussian distribution: in a Gaussian random walk, we let ai follow the Gaussian distribution with standard deviation σ and mean zero. The expected distance after n steps is then on the order of σn. For further background, see [15]. We now consider the specific case of subfield LK of index 2.

Theorem 3

Letf, gRqbe two polynomials whose coefficients are drawn independently and uniformly from {–1, 0, 1}. LetNK/L(g) = (u1, …, un) andgσ2(f) = (w1, …, wn). Then E[ui2 | ui ≠ 0] = 8n/9 – 4/9 and E[wi2] = 4n/9. Thus, asngoes to infinity the ratio between the expected magnitude of the non-zero coefficients ofNK/L(g) andgσ2(f) tends to2in absolute value and the ratio of the expected squared Euclidean norms E[||NK/L(g)||2]/E[||gσ2(f)||2] tends to 1.

Proof

We start by comparing the expected size of the coefficients of NK/L(g) to those of gσ2(f). Let ai ∈ {–1, 0, 1} uniformly and independently at random and consider the polynomial g = an–1xn–1 + an–2xn–2 + … + a1x + a0Rq. Then σ2(g) = –an–1xn–1 + an–2xn–2 + … –a1x + a0. Each coefficient uk of NK/L(g) = gσ2(g) is a sum of n terms. For k odd, uk = 0, because each of the terms aiaj in this sum appears twice with opposite signs. For k even, uk=2i<j,i+jkmodn±aiaj+ak/22+a(n+k)/22, since each term aiaj with ij appears twice with similar sign. Then, we have E[aiajij]=0,E[ai2]=E[ai4]=2/3, and E[(aiaj)2] = 4/9 and for k even

E[uk2]=E[(2i<j,i+jkmodn±aiaj+ak/22+a(n+k)/22)2]=8n/94/9.

Now, let us repeat a very similar argument for gσ2(f), where σ2(f) is a polynomial of the form σ2(f) = bn–1xn–1 + bn–2xn–2 + … + b1x + b0, with bi ∈ {–1, 0, 1} uniformly and independently at random. Again, each coefficient wk of gσ2(f) is a sum of n terms. However, unlike the case above, there are no similar terms in this sum, and we have E[aibj] = 0 and E[(aibj)2] = 4/9. As above, we compute

E[wk2]=E[(i+jkmodnaibj)2]=i+jkmodnE[(aibj)2]=4n/9.

Thus the expected square of the Euclidean norms E[||NK/L(g)||2]=E[iui2]=iE[ui2]=4n2/92n/9 and E[||gσ2(f)||2] = E[∑iwi2] = 4n2/9.□

We would like to generalize this result to r > 2. While the coefficients of gσ2(g) and gσ2(f) can be expressed as random walks, and thus follow a Gaussian distribution, they may not be independent.

Assumption 2

Forr > 1, the coefficients ofNK/L(g), NK/L(f) andNK/L(f)hbehave as if they were independently chosen from a Gaussian distribution.

This assumption seems natural and allows us to prove Theorem 4, a generalisation of Theorem 3 to any r > 0. We experimentally verified that as n grows, the ratio of the norms tends to 1, as in Theorem 4, see Figure 1. From this, we directly get that the ratio of the average coefficient tends to r, see Claim 1.

Figure 1
Figure 1

Experimentally verifying that the ratio of the norms converges to 1.

Citation: Journal of Mathematical Cryptology 14, 1; 10.1515/jmc-2015-0055

Theorem 4

Letf, gRqandh = g/fbe NTRU private and public keys satisfying Assumption 2. For a subfieldLK, letNK/L(g) = (u1, …, un) andNK/L(f)h = (w1, …, wn). Then, asngoes to infinity the ratio between the expected magnitude of the non-zero coefficients ofNK/L(g) andNK/L(f)htends torin absolute value. In addition, the ratio of the expected squared Euclidean norms E[||NK/L(g)||2]/E[||NK/L(f)h||2] tends to 1 asngoes to infinity.

Proof

We give a proof by induction on the index r where the base case is proven in Theorem 3. Suppose the claim holds for index r, we show that it holds for [K : L] = 2r. First note that for a tower of fields LEK we have NK/L(a) = NE/L(NK/E(a)) for every aK (see [16, Theorem 2.29]). Consider the case [K : E] = r, [E : L] = 2, and denote G := NK/E(g) and F := NK/E(f). Then, NK/L(g) = NE/L(G) = Gσ2(G) and NK/L(f)h = NE/L(F)h = Fσ2(F)h = Gσ2(F), where σ2Gal(E/L) and G’ = Fh = NK/E(f)h. The previous case of the construction, i.e. [K : E] = r, shows that each (non-zero) coefficient of F, G and G′ follows a Gaussian distribution. Under Assumption 2 the coefficients can be considered to be independent. We can now repeat the process of Theorem 3. While G′ ∈ K, note that F, GE so they have n/r non-zero coefficients. Thus, similarly to Theorem 3, each non-zero coefficient of Gσ2(G) is approximately 2 multiplied by a Gaussian random walk with n/2r steps, while each coefficient of Gσ2(F) is a random walk with n/r steps. By the induction hypothesis, a coefficient of G is expected to be larger than coefficients of G′ by a factor of r for sufficiently large n. The result on the coefficients follows from evaluating the expected size of the random walks and the claim on the norms follows from Claim 1.□

The following corollary compares small vectors in the subfield and subring lattices of same dimensions, without using projection in the subfield lattice.

Corollary 2

LetBsubfield = ||(NK/L(f), NK/L(g))|| where [K : L] = r = n/n′. LetBsubringproj=||(NK/L(f),NK/L(f)h¯)||where the projection keeps 2ncoordinates. Under Assumptions 1 and 2, for sufficiently largenwe expect to haveBsubfield2Bsubringproj22rr+1.Moreover, suppose thatBsubfieldis the norm of the shortest vector in the subfield lattice, and denote byqsubfieldandqsubringthe modulus in the subfield and subfield attacks, respectively, that the BKZ algorithm can solve NTRU with a fixed block sizeβ. Thenqsubfieldqsubring2rr+1.

Proof

To simplify notation, we write coeff(f) to denote the average size of the coefficients of a polynomial f. We have Bsubfield2 = (n/r)(coeff(NK/L(f))2 + coeff(NK/L(g))2), and Bsubringproj2 = (n/r) (coeff(NK/L(f))2 + coeff(NK/L(f)h)2). We know that coeff(NK/L(f))2 ≈ coeff(NK/L(g))2 and from Theorem 4, we also know that coeff(NK/L(g))2r coeff(NK/L(f)h)2. BKZ is guaranteed to output a vector bounded by β2n′/βλ1(𝓛). The second result follows from bounding this value by q in both lattices.□

It follows that if we take the same lattice dimension in both attacks, the subring lattice contains vectors of smaller size. Therefore one can solve the NTRU problem using the subring attack with a smaller q. As mentioned in [1, Section 6], it is not known that Bsubfield is the norm of the shortest vector (see [12, Theorem 5]). Moreover, our experiments in Table 2 show that the ratio between qsubfield and qsubring grows with r. One possible explanation is that (NK/L(f), NK/L(f)h) is unbalanced, as we show its f part is much larger than the g part. Therefore, if there exists an integral multiple of this vector that decreases the size of the f part and increases the size of the g part so that the vector becomes balanced, the ratio between the feasible qs would increase.

Table 2

Experimentally determining the minimal q for each attack. For a fixed dimension, we compare the subring attack to the subfield attack without projection, and note whether the attack succeeded. In some cases the full field attack only succeeded with projection; (384;512) means we ran the full field attack in these two dimensions.

ParametersAttacks
log nDimension (Full/subfield)log rlog qFull fieldSubringSubfield
8(384;512)/256122Yes;NoYesYes
8(384;512)/256121NoYesNo
9(768;1024)/512134Yes;NoYesYes
9768/512132NoYesYes
9768/512131NoNoNo
91024/256240YesYesYes
91024/256238YesYesNo
91024/256237YesNoNo
91024/256236YesNoNo
102048/512252-YesYes
102048/512250-YesNo
102048/512249-NoNo
114096/512395-YesYes
114096/512392-YesNo
114096/512391-NoNo
114096/2564165-YesYes
114096/2564162-YesNo
114096/2564161-NoNo
124096/5124189-YesYes
124096/5124185-YesNo
124096/5124184-NoNo

If the systems of equations derived from the lattices given in Corollary 2 are overdetermined, we can project and get smaller lattices. Since the g part in the subring lattice is smaller than in the subfield one, the subring attack system is more determined than the subfield one.

The following corollary shows that one can use projection to discard more equations in the subring attack and achieve a lower dimension.

Corollary 3

With the notation from Theorem 2 and Corollary 2, setB := Bsubfield. Under Assumptions 1 and 2, for sufficiently largen, we can find a multipleαvfor some non-zeroα ∈ 𝓞 such that using BKZ with block sizeβon the lattice 𝓛′ of dimension n′ + d, we have the following two cases. If 𝓛′ is the subfield lattice, thenn+dnlog(q)+1log(q/(2B+1))andβlogβ=2nlogq(log(q/B))2,and if 𝓛′ is the subring lattice, thenn+dnlog(q)+1log(qr/(2r+2B+r)andβlogβ=2nlogq(log(2rq/r+1B)2.

4.2.1 Experimental results

We implemented all three attacks in Sage and experimentally compared them using Sage’s default LLL implementation. A success in our experiments is recovering a vector v such that ||v|| < q3/4. As noted by [12], we either get vectors which are roughly of size q, or vectors of size q that are short integral multiples of the private key. First, we fix the parameters (n, dimension, r) and compare the smallest modulus q that succeeded for each of the three attacks using LLL. Details are given in Table 2. Note that we do not apply the projection technique to the subfield attack in these experiments. The analysis of the subfield attack without projection is given in Corollary 2. Then, we compared the subring and subfield attacks by fixing (n, q, r) and comparing the smallest dimension that succeeded using LLL. For some of the lattices we used the projection technique by deleting the right-most columns until we reached the desired dimension. The difference is greater than our analysis predicts. Details are given in Table 3. The analysis of the subfield attack with projection is given in Corollary 3. Experiments were run on a single core of an Intel Xeon E5-2699 v3 running at 2.30GHz, with 128 GB of RAM.

Table 3

Experimentally determining the minimal dimension for each attack. For fixed parameters log n and log q, we compare the subfield and the subring attacks applied to a lattice of the same dimension, using the projection technique where applicable, and note whether the attack succeeded.

ParametersAttacksLLL reduction time (s)
log nlog qlog rDimensionSubfieldSubringSubfieldSubring
8221233YesYes715.4577.6
8221223NoYes454.5452.3
8221222NoNo456.5424.3
9703122YesYes132.6121.1
9703117NoYes116.2117.0
9703116NoNo108.7108.9
101504124YesYes344.8325.3
101504120NoYes298.6304.1
101504119NoNo290.2286.5
111654254YesYes15333.012423.7
111654249NoYes12708.712072.0
111654248NoNo12086.311722.8

Acknowledgement

We thank Shi Bai for some helpful discussions.

This material supported by the National Science Foundation under Grants No. CNS-1513671 and CNS-1651344 and by the ONR SynCrypt project. We are grateful to Cisco for donating the Cisco UCS servers used for our experiments.

References

  • [1]

    M. Albrecht, S. Bai, and L. Ducas. A Subfield Lattice Attack on Overstretched NTRU Assumptions. CRYPTO 2016.

  • [2]

    W.D. Banks and I.E. Shparlinski. Distribution of Inverses in Polynomial Rings. Indagationes Mathematicae, 12(3), 2001.

  • [3]

    D. Boneh and R. Venkatesan. Hardness of Computing the Most Significant Bits of Secret Keys in Diffie–Hellman and Related Schemes. CRYPTO 1996.

  • [4]

    J. H. Cheon, J. Jeong, and C. Lee. An Algorithm for NTRU Problems and Cryptanalysis of the GGH Multilinear Map without a Low-Level Encoding of Zero. LMS Journal of Computation and Mathematics, 19(A): 2016.

  • [5]

    D. Coppersmith and A. Shamir. Lattice Attacks on NTRU. Eurocrypt ’97.

  • [6]

    G. De Micheli, N. Heninger, and B. Shani. Characterizing overstretched NTRU attacks. ePrint 2018/630

  • [7]

    M. Drmota and R. Tichy. Discrepancies and Applications.

  • [8]

    D. H. Duong, M. Yasuda, and T. Takagi. Choosing Parameters for the Subfield Lattice Attack Against Overstretched NTRU. Information Security 2017.

  • [9]

    S. Garg, C. Gentry, and S. Halevi. Candidate Multilinear Maps from Ideal Lattices. EUROCRYPT 2013.

  • [10]

    J. Hoffstein, N. Howgrave-Graham, J. Pipher, J. H. Silverman, and W. Whyte. NTRUSign: Digital Signatures Using the NTRU Lattice. CT-RSA 2003.

  • [11]

    J. Hoffstein, J. Pipher, and J. H. Silverman. NTRU: A Ring-based Public Key Cryptosystem. Algorithmic Number Theory 1998.

  • [12]

    P. Kirchner and P.-A. Fouque. Revisiting Lattice Attacks on Overstretched NTRU Parameters. EUROCRYPT 2017.

  • [13]

    R. Kuipers and H. Niederreiter. Uniform Distribution of Sequences.

  • [14]

    A. López-Alt, E. Tromer, and V. Vaikuntanathan. On-the-fly Multiparty Computation on the Cloud via Multikey Fully Homomorphic Encryption. STOC ’12.

  • [15]

    G. F. Lawler and V. Limic. Random Walk: A Modern Introduction.

  • [16]

    R. Lidl and H. Niederreiter. Finite Fields. Cambridge University Press, 1997.

  • [17]

    A. May. Cryptanalysis of NTRU, 1999.

  • [18]

    A. May and J. H. Silverman. Dimension Reduction Methods for Convolution Modular Lattices. Cryptography and Lattices.

  • [19]

    G. Pataki and M. Tural. On Sublattice Determinants in Reduced Bases, 2008.

  • [20]

    P. Samuel. Algebraic Theory of Numbers. Hermann, 1970.

  • [21]

    C. P. Schnorr. A Hierarchy of Polynomial Time Lattice Basis Reduction Algorithms. Theor. Comput. Sci., 53(2-3):201–224, August 1987.

    • Crossref
    • Export Citation
  • [22]

    D. Stehlé and R. Steinfeld. Making NTRU as Secure as Worst-Case Problems over Ideal Lattices. EUROCRYPT 2011.

  • [23]

    R. Steinfeld. NTRU Cryptosystem: Recent Developments and Emerging Mathematical Problems in Finite Polynomial Rings. Walter de Gruyter, 2014.

If the inline PDF is not rendering correctly, you can download the PDF file here.

  • [1]

    M. Albrecht, S. Bai, and L. Ducas. A Subfield Lattice Attack on Overstretched NTRU Assumptions. CRYPTO 2016.

  • [2]

    W.D. Banks and I.E. Shparlinski. Distribution of Inverses in Polynomial Rings. Indagationes Mathematicae, 12(3), 2001.

  • [3]

    D. Boneh and R. Venkatesan. Hardness of Computing the Most Significant Bits of Secret Keys in Diffie–Hellman and Related Schemes. CRYPTO 1996.

  • [4]

    J. H. Cheon, J. Jeong, and C. Lee. An Algorithm for NTRU Problems and Cryptanalysis of the GGH Multilinear Map without a Low-Level Encoding of Zero. LMS Journal of Computation and Mathematics, 19(A): 2016.

  • [5]

    D. Coppersmith and A. Shamir. Lattice Attacks on NTRU. Eurocrypt ’97.

  • [6]

    G. De Micheli, N. Heninger, and B. Shani. Characterizing overstretched NTRU attacks. ePrint 2018/630

  • [7]

    M. Drmota and R. Tichy. Discrepancies and Applications.

  • [8]

    D. H. Duong, M. Yasuda, and T. Takagi. Choosing Parameters for the Subfield Lattice Attack Against Overstretched NTRU. Information Security 2017.

  • [9]

    S. Garg, C. Gentry, and S. Halevi. Candidate Multilinear Maps from Ideal Lattices. EUROCRYPT 2013.

  • [10]

    J. Hoffstein, N. Howgrave-Graham, J. Pipher, J. H. Silverman, and W. Whyte. NTRUSign: Digital Signatures Using the NTRU Lattice. CT-RSA 2003.

  • [11]

    J. Hoffstein, J. Pipher, and J. H. Silverman. NTRU: A Ring-based Public Key Cryptosystem. Algorithmic Number Theory 1998.

  • [12]

    P. Kirchner and P.-A. Fouque. Revisiting Lattice Attacks on Overstretched NTRU Parameters. EUROCRYPT 2017.

  • [13]

    R. Kuipers and H. Niederreiter. Uniform Distribution of Sequences.

  • [14]

    A. López-Alt, E. Tromer, and V. Vaikuntanathan. On-the-fly Multiparty Computation on the Cloud via Multikey Fully Homomorphic Encryption. STOC ’12.

  • [15]

    G. F. Lawler and V. Limic. Random Walk: A Modern Introduction.

  • [16]

    R. Lidl and H. Niederreiter. Finite Fields. Cambridge University Press, 1997.

  • [17]

    A. May. Cryptanalysis of NTRU, 1999.

  • [18]

    A. May and J. H. Silverman. Dimension Reduction Methods for Convolution Modular Lattices. Cryptography and Lattices.

  • [19]

    G. Pataki and M. Tural. On Sublattice Determinants in Reduced Bases, 2008.

  • [20]

    P. Samuel. Algebraic Theory of Numbers. Hermann, 1970.

  • [21]

    C. P. Schnorr. A Hierarchy of Polynomial Time Lattice Basis Reduction Algorithms. Theor. Comput. Sci., 53(2-3):201–224, August 1987.

    • Crossref
    • Export Citation
  • [22]

    D. Stehlé and R. Steinfeld. Making NTRU as Secure as Worst-Case Problems over Ideal Lattices. EUROCRYPT 2011.

  • [23]

    R. Steinfeld. NTRU Cryptosystem: Recent Developments and Emerging Mathematical Problems in Finite Polynomial Rings. Walter de Gruyter, 2014.

OPEN ACCESS

Journal + Issues

JMC is a forum for original research articles in the area of mathematical cryptology. Works in the theory of cryptology and articles linking mathematics with cryptology are welcome. Submissions from all areas of mathematics significant for cryptology are published, including but not limited to, algebra, algebraic geometry, coding theory, combinatorics, number theory, probability and stochastic processes.

Search

  • View in gallery

    Experimentally verifying that the ratio of the norms converges to 1.