TY - GEN

T1 - Choosing Parameters for the Subfield Lattice Attack Against Overstretched NTRU

AU - Duong, Dung Hoang

AU - Yasuda, Masaya

AU - Takagi, Tsuyoshi

N1 - Funding Information:
Acknowledgments. We are grateful for the anonymous reviewers for their useful comments and suggestions. The first author would like to thank Martin Albrecht, Shi Bai and Paul Kirchner, for their kindness and helpful discussions. This work was supported by JST CREST Grant Number JPMJCR14D6, Japan. The first author thanks the Japanese Society for the Promotion of Science (JSPS) for financial support under grant KAKENHI 16K17644.
Publisher Copyright:
© 2017, Springer International Publishing AG.

PY - 2017

Y1 - 2017

N2 - Albrecht et al. [1] at Crypto 2016 and Cheon et al. [4] at ANTS 2016 independently presented a subfield attack on overstretched NTRU problem. Their idea is to map the public key down to the subfield (by norm and trace map respectively) and hence obtain a lattice of smaller dimension for which a lattice reduction algorithm is efficiently applicable. At Eurocrypt 2017, Kirchner and Fouque proposed another variant attack which exploits the presence of orthogonal bases within the cyclotomic number rings and instead of using the matrix of the public key in the subfield, they use the multiplication matrix by the public key in the full field and apply a lattice reduction algorithm to a suitable projected lattice of smaller dimension. They also showed a tight estimation of the parameters broken by lattice reduction and implementation results that their attack is better than the subfield attack. In this paper, we exploit technical results from Kirchner and Fouque [12] for the relative norm of field elements in the subfield and we use Hermite factor for estimating the output of a lattice basis reduction algorithm in order to analyze general choice of parameters for the subfield attack by Albrecht et al. [1]. As a result, we obtain the estimation for better choices of the subfields for which the attack works with smaller modulus. Our experiment results show that we can attack overstretched NTRU with modulus smaller than that of Albrecht et al. and of Kirchner and Fouque.

AB - Albrecht et al. [1] at Crypto 2016 and Cheon et al. [4] at ANTS 2016 independently presented a subfield attack on overstretched NTRU problem. Their idea is to map the public key down to the subfield (by norm and trace map respectively) and hence obtain a lattice of smaller dimension for which a lattice reduction algorithm is efficiently applicable. At Eurocrypt 2017, Kirchner and Fouque proposed another variant attack which exploits the presence of orthogonal bases within the cyclotomic number rings and instead of using the matrix of the public key in the subfield, they use the multiplication matrix by the public key in the full field and apply a lattice reduction algorithm to a suitable projected lattice of smaller dimension. They also showed a tight estimation of the parameters broken by lattice reduction and implementation results that their attack is better than the subfield attack. In this paper, we exploit technical results from Kirchner and Fouque [12] for the relative norm of field elements in the subfield and we use Hermite factor for estimating the output of a lattice basis reduction algorithm in order to analyze general choice of parameters for the subfield attack by Albrecht et al. [1]. As a result, we obtain the estimation for better choices of the subfields for which the attack works with smaller modulus. Our experiment results show that we can attack overstretched NTRU with modulus smaller than that of Albrecht et al. and of Kirchner and Fouque.

UR - http://www.scopus.com/inward/record.url?scp=85035123118&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85035123118&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-69659-1_5

DO - 10.1007/978-3-319-69659-1_5

M3 - Conference contribution

AN - SCOPUS:85035123118

SN - 9783319696584

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 79

EP - 91

BT - Information Security - 20th International Conference, ISC 2017, Proceedings

A2 - Nguyen, Phong Q.

A2 - Nguyen, Phong Q.

A2 - Zhou, Jianying

PB - Springer Verlag

T2 - 20th International Conference on Information Security, ISC 2017

Y2 - 22 November 2017 through 24 November 2017

ER -