A Hybrid Lattice-Reduction and Meet-in-the-Middle Attack Against NTRU

To date the NTRUEncrypt security parameters have been based on the existence of two types of attack: a meet-in-the-middle attack due to Odlyzko, and a conservative extrapolation of the running times of the best (known) lattice reduction schemes to recover the private key. We show that there is in fact a continuum of more efficient attacks between these two attacks. We show that by combining lattice reduction and a meet-in-the-middle strategy one can reduce the number of loops in attacking the NTRUEncrypt private key from 284.2 to 260.3, for the k = 80 parameter set. In practice the attack is still expensive (dependent on ones choice of cost-metric), although there are certain space/time tradeoffs that can be applied. Asymptotically our attack remains exponential in the security parameter k, but it dictates that NTRUEncrypt parameters must be chosen so that the meet-in-the-middle attack has complexity 2k even after an initial lattice basis reduction of complexity 2k.

[1]  David Pointcheval,et al.  The Impact of Decryption Failures on the Security of NTRU Encryption , 2003, CRYPTO.

[2]  Jeffrey Shallit,et al.  Algorithmic Number Theory , 1996, Lecture Notes in Computer Science.

[3]  Alfred Menezes,et al.  Topics in Cryptology – CT-RSA 2005 , 2005 .

[4]  Claus-Peter Schnorr,et al.  Lattice Reduction by Random Sampling and Birthday Methods , 2003, STACS.

[5]  William Whyte,et al.  Choosing Parameter Sets for NTRUEncrypt with NAEP and SVES-3 , 2005, IACR Cryptol. ePrint Arch..

[6]  C. A. Rogers,et al.  An Introduction to the Geometry of Numbers , 1959 .

[7]  Michael E. Pohst,et al.  On the computation of lattice vectors of minimal length, successive minima and reduced bases with applications , 1981, SIGS.

[8]  Claus-Peter Schnorr,et al.  Lattice Basis Reduction: Improved Practical Algorithms and Solving Subset Sum Problems , 1991, FCT.

[9]  Nick Howgrave-Graham,et al.  Finding Small Roots of Univariate Modular Equations Revisited , 1997, IMACC.

[10]  Walter Fumy,et al.  Advances in Cryptology — EUROCRYPT ’97 , 2001, Lecture Notes in Computer Science.

[11]  Cynthia Dwork,et al.  Advances in Cryptology – CRYPTO 2020: 40th Annual International Cryptology Conference, CRYPTO 2020, Santa Barbara, CA, USA, August 17–21, 2020, Proceedings, Part III , 2020, Annual International Cryptology Conference.

[12]  Ravi Kumar,et al.  A sieve algorithm for the shortest lattice vector problem , 2001, STOC '01.

[13]  László Babai,et al.  On Lovász’ lattice reduction and the nearest lattice point problem , 1986, Comb..

[14]  N. J. A. Sloane,et al.  Sphere Packings, Lattices and Groups , 1987, Grundlehren der mathematischen Wissenschaften.

[15]  Serge Vaudenay,et al.  Advances in Cryptology - EUROCRYPT 2006 , 2006, Lecture Notes in Computer Science.

[16]  Joseph H. Silverman,et al.  NTRU: A Ring-Based Public Key Cryptosystem , 1998, ANTS.

[17]  A. Blokhuis SPHERE PACKINGS, LATTICES AND GROUPS (Grundlehren der mathematischen Wissenschaften 290) , 1989 .

[18]  Ravi Kannan,et al.  Succinct Certificates for Almost All Subset Sum Problems , 1989, SIAM J. Comput..

[19]  Philip N. Klein,et al.  Finding the closest lattice vector when it's unusually close , 2000, SODA '00.

[20]  David A. Wagner,et al.  A Generalized Birthday Problem , 2002, CRYPTO.

[21]  Arjen K. Lenstra,et al.  Selecting Cryptographic Key Sizes , 2000, Public Key Cryptography.

[22]  Dan Boneh,et al.  Advances in Cryptology - CRYPTO 2003 , 2003, Lecture Notes in Computer Science.

[23]  Nicolas Gama,et al.  Symplectic Lattice Reduction and NTRU , 2006, EUROCRYPT.

[24]  Adi Shamir,et al.  Lattice Attacks on NTRU , 1997, EUROCRYPT.

[25]  U. Fincke,et al.  Improved methods for calculating vectors of short length in a lattice , 1985 .

[26]  Moti Yung,et al.  Advances in Cryptology — CRYPTO 2002 , 2002, Lecture Notes in Computer Science.

[27]  Ravi Kannan,et al.  Improved algorithms for integer programming and related lattice problems , 1983, STOC.

[28]  L. Mordell Review: J. W. S. Cassels, An introduction to the geometry of numbers , 1961 .

[29]  Nicholas A. Howgrave-Graham Computational mathematics inspired by RSA , 1998 .

[30]  Nicolas Gama,et al.  Rankin's Constant and Blockwise Lattice Reduction , 2006, CRYPTO.