A Subfield Lattice Attack on Overstretched NTRU Assumptions - Cryptanalysis of Some FHE and Graded Encoding Schemes

The subfield attack exploits the presence of a subfield to solve overstretched versions of the NTRU assumption: norming the public key h down to a subfield may lead to an easier lattice problem and any sufficiently good solution may be lifted to a short vector in the full NTRU-lattice. This approach was originally sketched in a paper of Gentry and Szydlo at Eurocrypt'02 and there also attributed to Jonsson, Nguyen and Stern. However, because it does not apply for small moduli and hence NTRUEncrypt, it seems to have been forgotten. In this work, we resurrect this approach, fill some gaps, analyze and generalize it to any subfields and apply it to more recent schemes. We show that for significantly larger moduli -- a case we call overstretched -- the subfield attack is applicable and asymptotically outperforms other known attacks. This directly affects the asymptotic security of the bootstrappable homomorphic encryption schemes LTV and YASHE which rely on a mildly overstretched NTRU assumption: the subfield lattice attack runs in sub-exponential time $2^{O(\lambda/\log^{1/3}\lambda)}$, invalidating the security claim of $2^{\Theta(\lambda)}$. The effect is more dramatic on GGH-like Multilinear Maps: this attack can run in polynomial time without encodings of zero nor the zero-testing parameter, yet requiring an additional quantum step to recover the secret parameters exactly. We also report on practical experiments. Running LLL in dimension 512 we obtain vectors that would have otherwise required running BKZ with block-size 130 in dimension 8192. Finally, we discuss concrete aspects of this attack, the condition on the modulus q to guarantee full immunity, discuss countermeasures and propose open questions.
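The two algebraic steps the abstract describes, norming the public key h down to a subfield and lifting a subfield solution back to the full NTRU lattice, are shown below on a toy instance. This is an added example, not code from the paper or its authors. It assumes the power-of-two cyclotomic ring R = Z[x]/(x^n + 1) and reaches subfields through a tower of index-2 steps, each given by the automorphism x -> -x, so the subfield index is r = 2**levels; the toy parameters (n = 16, q = 12289 as an "overstretched" modulus, q = 17 as a modulus that is not), the ternary keys and the modular-inversion routine are all constructed here. The lattice-reduction step of the real attack is not run: the normed-down secret N(f) stands in for the short vector that reduction of the dimension-2n/r subfield lattice would return (up to a small multiple), so the code isolates the question a parameter designer cares about, namely whether the lift (x, x*h mod q) of such a vector stays short, which happens exactly when no coefficient of g times the other conjugates of f wraps around q/2. Requires Python 3.8+ for `pow(c, -1, q)`.

```python
"""Toy norm-down and lift for an NTRU key in R = Z[x]/(x^n + 1), n a power of two.

Added example, not the paper's code. Subfields are reached through a tower of
index-2 steps (automorphism x -> -x), so the subfield index is r = 2**levels.
All parameters and keys below are constructed for illustration.
"""
import random


def negacyclic_mul(a, b, q=None):
    """Multiply coefficient lists modulo x^n + 1 (and modulo q when given)."""
    n = len(a)
    res = [0] * n
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            if i + j < n:
                res[i + j] += ai * bj
            else:                       # x^n = -1: wrap with a sign flip
                res[i + j - n] -= ai * bj
    return [c % q for c in res] if q else res


def conjugate(a):
    """Automorphism x -> -x (= x^(n+1)); it generates Gal(K/K') for the index-2 subfield."""
    return [-c if i % 2 else c for i, c in enumerate(a)]


def norm_down(a, q=None):
    """Relative norm a(x) * a(-x). Odd coefficients cancel, so the result is a
    polynomial in y = x^2, returned as an element of Z[y]/(y^(n/2) + 1)."""
    prod = negacyclic_mul(a, conjugate(a), q)
    assert all(c == 0 for c in prod[1::2])
    return prod[0::2]


def embed(a_sub):
    """Inclusion K' -> K, y -> x^2: put subfield coefficients on even degrees."""
    out = [0] * (2 * len(a_sub))
    out[0::2] = a_sub
    return out


def norm_tower(a, levels, q=None):
    """Relative norm to the subfield of index 2**levels (tower of index-2 norms)."""
    for _ in range(levels):
        a = norm_down(a, q)
    return a


def embed_tower(a_sub, levels):
    for _ in range(levels):
        a_sub = embed(a_sub)
    return a_sub


def invert_mod_q(f, q):
    """Inverse in Z_q[x]/(x^n + 1) using the same norm tower (an implementation
    choice of this example): f^-1 = f(-x) * N(f)(x^2)^-1, recursing until the
    norm is a single integer. pow raises ValueError if f is not invertible."""
    if len(f) == 1:
        return [pow(f[0] % q, -1, q)]
    n_inv = invert_mod_q(norm_down(f, q), q)
    return negacyclic_mul(conjugate(f), embed(n_inv), q)


def centered(a, q):
    """Representatives in [-q//2, q//2] (q odd)."""
    return [((c + q // 2) % q) - q // 2 for c in a]


def ntru_public_key(f, g, q):
    """h = g * f^-1 mod q."""
    return negacyclic_mul(g, invert_mod_q(f, q), q)


def lift(x_sub, h, q, levels):
    """Lift a subfield-lattice vector to the full NTRU lattice of h: x is the
    inclusion of x_sub and y = x * h mod q (centered). (x, y) is always a lattice
    vector; it is short only when the reduction mod q did not wrap."""
    x = embed_tower(x_sub, levels)
    y = centered(negacyclic_mul(x, h, q), q)
    return x, y


def lift_recovers(f, g, h, q, levels):
    """Lift the normed-down secret N(f) and test whether the lift is exactly
    (f*c, g*c), c being the product of the other conjugates of f. Because R is
    an integral domain and f != 0, that holds iff y*f == x*g over the integers."""
    x, y = lift(norm_tower(f, levels), h, q, levels)
    return negacyclic_mul(y, f) == negacyclic_mul(x, g)


def toy_key(n, moduli, seed=1):
    """Constructed ternary (f, g) with f invertible modulo every modulus in `moduli`."""
    rng = random.Random(seed)
    while True:
        f = [rng.choice((-1, 0, 1)) for _ in range(n)]
        g = [rng.choice((-1, 0, 1)) for _ in range(n)]
        if not any(g):
            continue
        try:
            for q in moduli:
                invert_mod_q(f, q)
        except ValueError:
            continue
        return f, g


if __name__ == "__main__":
    n, moduli = 16, (12289, 17)        # constructed toy sizes, not a real parameter set
    f, g = toy_key(n, moduli)
    for q in moduli:
        h = ntru_public_key(f, g, q)
        for levels in (1, 2):
            x, y = lift(norm_tower(f, levels), h, q, levels)
            print(f"q={q:5d} index r={2 ** levels}: subfield dim {n >> levels}, "
                  f"lifted |.|_inf={max(map(abs, x + y))}, "
                  f"exact={lift_recovers(f, g, h, q, levels)}")
```

With ternary f and g, the cofactor c is a product of r - 1 conjugates of f, so the lifted second component g*c has every coefficient bounded by n^(r-1); for n = 16 that is 16 for r = 2 and 4096 for r = 4, both below 12289/2, so the lift is exact for q = 12289 whatever the constructed key, while for q = 17 the same check can fail as soon as one coefficient of g*f(-x) exceeds 8 in absolute value. The same arithmetic, run over a proposed (n, q) and a deeper tower, is a quick sanity check of how much room a modulus leaves for the norm-down-and-lift route before any lattice reduction is attempted.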
