### Abstract

Albrecht et al. [1] at Crypto 2016 and Cheon et al. [4] at ANTS 2016 independently presented a subfield attack on overstretched NTRU problem. Their idea is to map the public key down to the subfield (by norm and trace map respectively) and hence obtain a lattice of smaller dimension for which a lattice reduction algorithm is efficiently applicable. At Eurocrypt 2017, Kirchner and Fouque proposed another variant attack which exploits the presence of orthogonal bases within the cyclotomic number rings and instead of using the matrix of the public key in the subfield, they use the multiplication matrix by the public key in the full field and apply a lattice reduction algorithm to a suitable projected lattice of smaller dimension. They also showed a tight estimation of the parameters broken by lattice reduction and implementation results that their attack is better than the subfield attack. In this paper, we exploit technical results from Kirchner and Fouque [12] for the relative norm of field elements in the subfield and we use Hermite factor for estimating the output of a lattice basis reduction algorithm in order to analyze general choice of parameters for the subfield attack by Albrecht et al. [1]. As a result, we obtain the estimation for better choices of the subfields for which the attack works with smaller modulus. Our experiment results show that we can attack overstretched NTRU with modulus smaller than that of Albrecht et al. and of Kirchner and Fouque.

Original language | English |
---|---|

Title of host publication | Information Security - 20th International Conference, ISC 2017, Proceedings |

Editors | Phong Q. Nguyen, Phong Q. Nguyen, Jianying Zhou |

Publisher | Springer Verlag |

Pages | 79-91 |

Number of pages | 13 |

ISBN (Print) | 9783319696584 |

DOIs | |

Publication status | Published - Jan 1 2017 |

Event | 20th International Conference on Information Security, ISC 2017 - Ho Chi Minh City, Viet Nam Duration: Nov 22 2017 → Nov 24 2017 |

### Publication series

Name | Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) |
---|---|

Volume | 10599 LNCS |

ISSN (Print) | 0302-9743 |

ISSN (Electronic) | 1611-3349 |

### Other

Other | 20th International Conference on Information Security, ISC 2017 |
---|---|

Country | Viet Nam |

City | Ho Chi Minh City |

Period | 11/22/17 → 11/24/17 |

### Fingerprint

### All Science Journal Classification (ASJC) codes

- Theoretical Computer Science
- Computer Science(all)

### Cite this

*Information Security - 20th International Conference, ISC 2017, Proceedings*(pp. 79-91). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10599 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-319-69659-1_5

**Choosing Parameters for the Subfield Lattice Attack Against Overstretched NTRU.** / Duong, Dung Hoang; Yasuda, Masaya; Takagi, Tsuyoshi.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

*Information Security - 20th International Conference, ISC 2017, Proceedings.*Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 10599 LNCS, Springer Verlag, pp. 79-91, 20th International Conference on Information Security, ISC 2017, Ho Chi Minh City, Viet Nam, 11/22/17. https://doi.org/10.1007/978-3-319-69659-1_5

}

TY - GEN

T1 - Choosing Parameters for the Subfield Lattice Attack Against Overstretched NTRU

AU - Duong, Dung Hoang

AU - Yasuda, Masaya

AU - Takagi, Tsuyoshi

PY - 2017/1/1

Y1 - 2017/1/1

N2 - Albrecht et al. [1] at Crypto 2016 and Cheon et al. [4] at ANTS 2016 independently presented a subfield attack on overstretched NTRU problem. Their idea is to map the public key down to the subfield (by norm and trace map respectively) and hence obtain a lattice of smaller dimension for which a lattice reduction algorithm is efficiently applicable. At Eurocrypt 2017, Kirchner and Fouque proposed another variant attack which exploits the presence of orthogonal bases within the cyclotomic number rings and instead of using the matrix of the public key in the subfield, they use the multiplication matrix by the public key in the full field and apply a lattice reduction algorithm to a suitable projected lattice of smaller dimension. They also showed a tight estimation of the parameters broken by lattice reduction and implementation results that their attack is better than the subfield attack. In this paper, we exploit technical results from Kirchner and Fouque [12] for the relative norm of field elements in the subfield and we use Hermite factor for estimating the output of a lattice basis reduction algorithm in order to analyze general choice of parameters for the subfield attack by Albrecht et al. [1]. As a result, we obtain the estimation for better choices of the subfields for which the attack works with smaller modulus. Our experiment results show that we can attack overstretched NTRU with modulus smaller than that of Albrecht et al. and of Kirchner and Fouque.

AB - Albrecht et al. [1] at Crypto 2016 and Cheon et al. [4] at ANTS 2016 independently presented a subfield attack on overstretched NTRU problem. Their idea is to map the public key down to the subfield (by norm and trace map respectively) and hence obtain a lattice of smaller dimension for which a lattice reduction algorithm is efficiently applicable. At Eurocrypt 2017, Kirchner and Fouque proposed another variant attack which exploits the presence of orthogonal bases within the cyclotomic number rings and instead of using the matrix of the public key in the subfield, they use the multiplication matrix by the public key in the full field and apply a lattice reduction algorithm to a suitable projected lattice of smaller dimension. They also showed a tight estimation of the parameters broken by lattice reduction and implementation results that their attack is better than the subfield attack. In this paper, we exploit technical results from Kirchner and Fouque [12] for the relative norm of field elements in the subfield and we use Hermite factor for estimating the output of a lattice basis reduction algorithm in order to analyze general choice of parameters for the subfield attack by Albrecht et al. [1]. As a result, we obtain the estimation for better choices of the subfields for which the attack works with smaller modulus. Our experiment results show that we can attack overstretched NTRU with modulus smaller than that of Albrecht et al. and of Kirchner and Fouque.

UR - http://www.scopus.com/inward/record.url?scp=85035123118&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85035123118&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-69659-1_5

DO - 10.1007/978-3-319-69659-1_5

M3 - Conference contribution

AN - SCOPUS:85035123118

SN - 9783319696584

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 79

EP - 91

BT - Information Security - 20th International Conference, ISC 2017, Proceedings

A2 - Nguyen, Phong Q.

A2 - Nguyen, Phong Q.

A2 - Zhou, Jianying

PB - Springer Verlag

ER -