Cryptanalysis of an NTRU-based Proxy Encryption Scheme from ASIACCS'15

In ASIACCS 2015, Nu\(\tilde{\mathrm{n}}\)ez, Agudo, and Lopez proposed a proxy re-encryption scheme, NTRUReEncrypt, based on NTRU, which allows a proxy to translate ciphertext under the delegator’s public key into a re-encrypted ciphertext that can be decrypted correctly by delegatee’s private key. In addition to its potential resistance to quantum algorithm, the scheme was also considered to be efficient. However, in this paper we point out that the re-encryption process will increase the decryption error, and the increased decryption error will lead to a reaction attack that enables the proxy to recover the private key of the delegator and the delegatee. Moreover, we also propose a second attack which enables the delegatee to recover the private key of the delegator when he collects enough re-encrypted ciphertexts from a same message. We reevaluate the security of NTRUReEncrypt, and also give suggestions and discussions on potential mitigation methods.

[1]  Matt Blaze,et al.  Divertible Protocols and Atomic Proxy Cryptography , 1998, EUROCRYPT.

[2]  Aloni Cohen What about Bob? The Inadequacy of CPA Security for Proxy Reencryption , 2017, IACR Cryptol. ePrint Arch..

[3]  David Pointcheval,et al.  The Impact of Decryption Failures on the Security of NTRU Encryption , 2003, CRYPTO.

[4]  William Whyte,et al.  Choosing NTRUEncrypt Parameters in Light of Combined Lattice Reduction and MITM Approaches , 2009, ACNS.

[5]  Nick Howgrave-Graham,et al.  IEEE P1363.1 Draft 10: Draft Standard for Public Key Cryptographic Techniques Based on Hard Problems over Lattices. , 2008 .

[6]  Peter W. Shor,et al.  Algorithms for quantum computation: discrete logarithms and factoring , 1994, Proceedings 35th Annual Symposium on Foundations of Computer Science.

[7]  Peter W. Shor,et al.  Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer , 1995, SIAM Rev..

[8]  Ran Canetti,et al.  Chosen-ciphertext secure proxy re-encryption , 2007, CCS '07.

[9]  Thomas Plantard,et al.  Reaction Attack on Outsourced Computing with Fully Homomorphic Encryption Schemes , 2011, ICISC.

[10]  Joseph H. Silverman,et al.  NTRU: A Ring-Based Public Key Cryptosystem , 1998, ANTS.

[11]  Javier López,et al.  NTRUReEncrypt: An Efficient Proxy Re-Encryption Scheme Based on NTRU , 2015, AsiaCCS.

[12]  Daniel Smith-Tone,et al.  Report on Post-Quantum Cryptography , 2016 .

[13]  Xavier Boyen,et al.  Key-Private Proxy Re-encryption under LWE , 2013, INDOCRYPT.

[14]  Peter Schwabe,et al.  High-speed key encapsulation from NTRU , 2017, IACR Cryptol. ePrint Arch..

[15]  Keisuke Tanaka,et al.  Proxy Re-Encryption based on Learning with Errors (Mathematical Foundation of Algorithms and Computer Science) , 2010 .

[16]  William Whyte,et al.  Choosing Parameters for NTRUEncrypt , 2017, CT-RSA.

[17]  Tanja Lange,et al.  NTRU Prime: Reducing Attack Surface at Low Cost , 2017, SAC.

[18]  Craig Gentry,et al.  Cryptanalysis of the Revised NTRU Signature Scheme , 2002, EUROCRYPT.

[19]  Scott R. Fluhrer,et al.  Cryptanalysis of ring-LWE based key exchange with key share reuse , 2016, IACR Cryptol. ePrint Arch..