Choosing Parameters for the Subfield Lattice Attack Against Overstretched NTRU

Dung Hoang Duong, Masaya Yasuda, Tsuyoshi Takagi

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

1 Citation (Scopus)

Abstract

Albrecht et al. [1] at Crypto 2016 and Cheon et al. [4] at ANTS 2016 independently presented a subfield attack on the overstretched NTRU problem. Their idea is to map the public key down to the subfield (by the norm and trace maps, respectively) and hence obtain a lattice of smaller dimension, to which a lattice reduction algorithm can be applied efficiently. At Eurocrypt 2017, Kirchner and Fouque proposed another variant of the attack, which exploits the presence of orthogonal bases within cyclotomic number rings: instead of using the matrix of the public key in the subfield, they use the matrix of multiplication by the public key in the full field and apply a lattice reduction algorithm to a suitable projected lattice of smaller dimension. They also gave a tight estimate of the parameters broken by lattice reduction, along with implementation results showing that their attack is better than the subfield attack. In this paper, we exploit technical results from Kirchner and Fouque [12] on the relative norm of field elements in the subfield, and we use the Hermite factor to estimate the output of a lattice basis reduction algorithm, in order to analyze general choices of parameters for the subfield attack by Albrecht et al. [1]. As a result, we obtain estimates for better choices of subfield, for which the attack works with a smaller modulus. Our experimental results show that we can attack overstretched NTRU with a modulus smaller than that of Albrecht et al. and of Kirchner and Fouque.

Original language: English
Title of host publication: Information Security - 20th International Conference, ISC 2017, Proceedings
Editors: Phong Q. Nguyen, Jianying Zhou
Publisher: Springer Verlag
Pages: 79-91
Number of pages: 13
ISBN (Print): 9783319696584
DOI: https://doi.org/10.1007/978-3-319-69659-1_5
Publication status: Published - Jan 1 2017
Event: 20th International Conference on Information Security, ISC 2017 - Ho Chi Minh City, Viet Nam
Duration: Nov 22 2017 to Nov 24 2017

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 10599 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 20th International Conference on Information Security, ISC 2017
Country: Viet Nam
City: Ho Chi Minh City
Period: 11/22/17 to 11/24/17

Fingerprint

Subfield
Attack
Lattice Reduction
Public key
Modulus
Lattice Basis Reduction
Cyclotomic numbers
Norm
Orthogonal Basis
Matrix multiplication
Hermite
Trace
Experiments
Ring
Output
Experiment

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • Computer Science (all)

Cite this

Duong, D. H., Yasuda, M., & Takagi, T. (2017). Choosing Parameters for the Subfield Lattice Attack Against Overstretched NTRU. In P. Q. Nguyen, & J. Zhou (Eds.), Information Security - 20th International Conference, ISC 2017, Proceedings (pp. 79-91). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10599 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-319-69659-1_5
