An algorithm for NTRU problems and cryptanalysis of the GGH multilinear map without a low-level encoding of zero

Let f and g be polynomials of a bounded Euclidean norm in the ring Z[X]/⟨X+1⟩. Given the polynomial [f/g]q ∈ Zq[X]/⟨X+1⟩, the NTRU problem is to find a, b ∈ Z[X]/⟨X + 1⟩ with a small Euclidean norm such that [a/b]q = [f/g]q. We propose an algorithm to solve the NTRU problem, which runs in 2 2 λ) time when ∥g∥, ∥f∥, and ∥g−1∥ are within some range. The main technique of our algorithm is the reduction of a problem on a field to one in a subfield. Recently, the GGH scheme, the first candidate of a (approximate) multilinear map, was found to be insecure by the Hu–Jia attack using low-level encodings of zero, but no polynomial-time attack was known without them. In the GGH scheme without low-level encodings of zero, our algorithm can be directly applied to attack this scheme if we have some top-level encodings of zero and a known pair of plaintext and ciphertext. Using our algorithm, we can construct a level-0 encoding of zero and utilize it to attack a security ground of this scheme in the quasi-polynomial time of its security parameter using the parameters suggested by [GGH13].

[1]  Joseph H. Silverman,et al.  NTRU: A Ring-Based Public Key Cryptosystem , 1998, ANTS.

[2]  Craig Gentry,et al.  Cryptanalysis of the Revised NTRU Signature Scheme , 2002, EUROCRYPT.

[3]  Dan Boneh,et al.  Applications of Multilinear Forms to Cryptography , 2002, IACR Cryptol. ePrint Arch..

[4]  Nick Howgrave-Graham,et al.  NTRUSIGN: Digital Signatures Using the NTRU Lattice , 2003, CT-RSA.

[5]  Damien Stehlé,et al.  Terminating BKZ , 2011, IACR Cryptol. ePrint Arch..

[6]  Vinod Vaikuntanathan,et al.  On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption , 2012, STOC '12.

[7]  Léo Ducas,et al.  Lattice Signatures and Bimodal Gaussians , 2013, IACR Cryptol. ePrint Arch..

[8]  Michael Naehrig,et al.  Improved Security for a Ring-Based Fully Homomorphic Encryption Scheme , 2013, IMACC.

[9]  Craig Gentry,et al.  Candidate Multilinear Maps from Ideal Lattices , 2013, EUROCRYPT.

[10]  Jean-Sébastien Coron,et al.  Practical Multilinear Maps over the Integers , 2013, CRYPTO.

[11]  Jung Hee Cheon,et al.  Cryptanalysis of the Multilinear Map over the Integers , 2014, EUROCRYPT.

[12]  Ron Steinfeld,et al.  GGHLite: More Efficient Multilinear Maps from Ideal Lattices , 2014, IACR Cryptol. ePrint Arch..

[13]  Mehdi Tibouchi,et al.  Cryptanalysis of GGH15 Multilinear Maps , 2016, CRYPTO.

[14]  Martin R. Albrecht,et al.  Implementing Candidate Graded Encoding Schemes from Ideal Lattices , 2015, ASIACRYPT.

[15]  Craig Gentry,et al.  Graph-Induced Multilinear Maps from Lattices , 2015, TCC.

[16]  Daniel Dadush,et al.  Solving the Shortest Vector Problem in 2n Time Using Discrete Gaussian Sampling: Extended Abstract , 2014, STOC.

[17]  Jean-Sébastien Coron,et al.  New Multilinear Maps Over the Integers , 2015, CRYPTO.

[18]  Jung Hee Cheon,et al.  Cryptanalysis of the New CLT Multilinear Maps , 2015, IACR Cryptol. ePrint Arch..

[19]  Martin R. Albrecht,et al.  A Subfield Lattice Attack on Overstretched NTRU Assumptions - Cryptanalysis of Some FHE and Graded Encoding Schemes , 2016, CRYPTO.

[20]  Brice Minaud,et al.  Cryptanalysis of the New CLT Multilinear Map over the Integers , 2016, EUROCRYPT.

[21]  Eric Miles,et al.  Annihilation Attacks for Multilinear Maps: Cryptanalysis of Indistinguishability Obfuscation over GGH13 , 2016, CRYPTO.

[22]  Yupu Hu,et al.  Cryptanalysis of GGH Map , 2016, EUROCRYPT.