An Efficient Broadcast Attack against NTRU

Transcription

1 An Efficient Broadcast Attack against NTRU Jianwei Li, Yanbin Pan, Mingjie Liu, Guizhen Zhu Institute for Advanced Study, Tsinghua University Beijing 00084, China {lijianwei0, liu-mj07, Key Laboratory of Mathematics Mechanization Academy of Mathematics and Systems Science,Chinese Academy of Sciences Beijing 0090, China November 4, 0 Abstract The NTRU cryptosystem is the most practical scheme known to date In this paper, we first discuss the ergodic-linearization algorithm against GGH, then naturally deduce a new and uniform broadcast attack against several variants of NTRU: for every recipient s ciphertext, isolate out the blinding value vector, then do derandomization directly and entirety by using inner product, afterwards by using some properties of circular matrix together with linearization we obtain three linear congruence equations of the form a T Y = s mod q with N + [ N ] variables Hence only if the number of the independent recipients ciphertexts/public-keys pairs reaches N + [ N ] can we work out these variables and recover the plaintext in O(N 3 ) arithmetic operations successfully The experiment evidence indicates that our algorithm can efficiently broadcast attack against NTRU with the highest security parameters To the best of our knowledge, this is the most efficient broadcast attack against NTRU This is an algebraic broadcast attack, which is based on the special structure of the blinding value space L r Key words: Broadcast attack, NTRU, GGH, derandomization, linerization, circular matrix Introduction In 998, Hoffstein, Pipher and Silverman [] presented a public key cryptosystem based on polynomial algebra called NTRU, denoted by NTRU-998 The security of NTRU comes from the interaction of the polynomial mixing system with the independence of reduction modulo p and q The NTRU cryptosystem is the most practical scheme known to date It features reasonably short, easily created keys, high speed, and low memory requirements In 00, Hoffstein and Silverman [] put forward another instance of NTRU, denoted by NTRU-00, by employing different parameter sets In 005, Howgrave-Graham, Silverman and Whyte [3] gave the third instance of NTRU, denoted by NTRU-005 The best attack known against NTRU is based on lattice reduction, but this does not imply that lattice reduction is necessary to break NTRU Coppersmith and Shamir [4] pointed out that the security of Supported by the National Natural Science Foundation of China (Grant No60908, and 63303) Supported in part by the National Natural Science Foundation of China (Grant No0785, and 60800) and in part by 973 Project (No0CB3040)

2 NTRU is related, but not equivalent, to the hardness of some lattice problems Jaulmes and Joux [5] showed that they are able to conduct a chosen-ciphertext attack that recovers the secret key from a few ciphertexts/cleartexts pairs with good probability This is very dangerous Most of the ciphertext-only attacks [6, 7, 8] against NTRU rely on the underlying lattice s special cyclic structure In 988, Hästad [9] proposed the first broadcast attack against public key cryptosystems The scenario of a broadcast attack is as follows A single message is encrypted by the sender directed for multiple recipients who have different public keys By observing the ciphertexts only, an attacker can derive the plaintext without requiring any knowledge of any recipient s secret key In 009, Plantard and Susilo [0] first considered the broadcast attack against the lattice-based publickey cryptosystems and also gave some heuristic attacks However, they showed that NRTU may resist their broadcast attacks, since half of its message is random Very recently, Pan and Deng [] give the first broadcast attack against NTRU using the ergodiclinearization algorithm [, 3, 4] The main idea of ergodic-linearization technique is used in practical cryptanalysis: use interpolation formula to even out the noise to derive a set of precise nonlinear equations, then introduce new variables for the monomials and obtain a linear system in the new variables And Pan and Deng [] pointed out that some other lattice-based cryptosystems, such as [5], can not resist the broadcast attack either In this paper, we find that for NTRU the inner product (r, r) = r T r is a constant, where r is a vector consisting of the coefficients of r(x) L r Hence, we eliminate the blinding value vector r directly and entirety by doing inner product Afterwards by using some properties of the circular matrix together with linearization we obtain three linear congruence equations of the form a T Y = s mod q with N +[ N ] variables from every recipient s ciphertext It can be easily used to give a very efficient broadcast attack against several variants of NTRU: NTRU-998, NTRU-00 with an odd d g, NTRU-00 with q = d r, NTRU-005 with gcd(q, d g ) = and NTRU-005 with q d r Since the number of variables is small, the experiment evidence indicates that one can efficiently broadcast attack against NTRU with the big parameters Our algorithm is based on the special structure of the blinding value space L r It s also a ciphertext-only attacks Besides, we find that the error vector in the original GGH cryptosystem and the modified error vector in GGH-009 have the same special structure Hence, we first discuss the broadcast attacks against the original GGH and GGH-009 by amending the ergodic-linearization algorithm [, 3, 4], then naturally deduce the broadcast attack against NTRU The remainder of the paper is organized as follows Section gives some preliminaries In Section 3, we describe the broadcast attack against NTRU Section 4 gives a short conclusion Preliminaries We denote the integer ring by Z and denote the residue class ring Z/qZ by Z q We use bold letters to denote vectors, in column notation If v is a vector, then we denote the i-th entry of v by v i GGH We briefly review the original GGH cryptosystem, for more details see [6] A GGH cryptosystem comprises of the following algorithms Setup: Generate a good basis R Z N N and compute a bad basis B Z N N of a lattice L, such that L(R) = L(B) Provide B as public key and keep R as private basis Encryption: To encrypt a message vector m Z N, use the bad basis to compute c = Bm + r ()

3 where r is an error vector uniformly chosen from { σ, σ} N Decryption: Use the good basis to compute m = B R R c and r = c Bm Notice that the original GGH cryptosystem is semantically insecure, because one can check if a ciphertext c corresponds to a plaintext m by computing c Bm Furthermore, it s obvious that r i = σ for i = 0,,, N and r T r = Nσ This fact can be used to discuss the broadcast attack against the original GGH cryptosystem, which differs from the general method in [0] The original GGH cryptosystem was attacked and broken severely by Nguyen in 999 [7], and Nguyen pointed out that for safety, one can choose the entries of the error vector r at random in [ σ,, σ] instead of {±σ} Afterwards the other propositions were made using the same principle [8, 9, 0] In addition, Yanbin Pan et al in [5] presented a new lattice-based public-key cryptosystem mixed with a knapsack and used the module strategy, which is also a GGH-type cryptosystem, denoted by GGH-009 It has reasonable key size and quick encryption and decryption Its decryption algorithm is: for any message m {0, } N, first we uniformly choose a vector r from {0, } N, then compute the ciphertext: c = Bm + r mod p, where p is a prime satisfying certain conditions For more details see [5] We find that the modified error vector in GGH-009 has the same special structure as that in the original GGH cryptosystem NTRU We give a simple description of the NTRU-998 cryptosystem, for more details see [] The NTRU cryptosystem depends on three integer parameters (N, p, q) and four sets L f, L g, L r, L m of polynomials of degree N with small integer coefficients, where L f, L g is called Private Key spaces, L m is called Plaintext space, L r is called Blinding Value space In addition, N must be an odd prime, otherwise the lattice attacks can be improved due to non-trivial factors of X N (see []) We choose p, q such that gcd(p, q) = and p is much smaller than q Denote the ring Z[x]/(x N ) by R and the multiplication in R by in this paper We work over the ring R Key Generation: Step Choose f L f, g L g such that there exists F q, F p R satisfying f F q = mod q and f F p = mod p Step Let h = p F q g mod q Public Key: h, p, q Private Key: f, F p Encryption: To encrypt m L m, we first choose an r L r randomly, then compute the ciphertext: Decryption: First we compute a = f c c = h r + m mod q () mod q = pg r + f m mod q then we choose the coefficients of a in the interval from q to q By the fact that all the coefficients of pg r + f m may be in the interval from q to q, we almost get a = pg r + f m 3

4 Then we recover the message m by computing m = F p a mod p Since there exists several variants of NTRU, this has made the analysis of NTRU a tricky task, as in [] However, in this paper, we give a uniform broadcast attack against NTRU Mol and Yung in [] summarized the main instantiations of NTRU in the table below: Variant q p L f L g L m L r F Ref NTRU-998 k [ N, N] 3 L(d f, d f ) L(d g, d g ) L m L(d r, d r ) - [] NTRU-00 k [ N, N] + x + p F B(d g) B B(d r ) B(d F ) [] NTRU-005 prime + p F B(d g ) B B(d r ) B(d F ) [3] where L m = {m R: m has coefficients lying between (p ) and (p )}, L(d, d ) = {F R : F has d coefficients equal, d coefficients equal, the rest 0}, B denotes the set of all polynomials with binary coefficients, B(d) = {F R : F has d coefficients equal, the rest 0} Remark : Let us focus attention on the blinding value space L r We find that the inner product r T r = r0 + r + + r N { dr f or NTRU 998; = d r f or NTRU 00 and NTRU 005 is a constant, where r = (r 0, r,, r N ) T is a vector corresponding to r(x) L r Note that increasing the number of recipient s ciphertext can t change plaintext vector m, but increases the number of blinding value vector r respectively It s is a heavy curse of recovering the plaintext vector m Hence, we should eliminate the blinding value vector or error vector r 3 The Linear Form of NTRU and Circular Matrix In NTRU, for a polynomial f R, we can represent f as It is equivalent to f = N i=0 f i x i f = ( f 0, f,, f N ) T It s easy to verify the corresponding vector of f g in R is f 0 f N f f f 0 f f N f N f 0 g 0 g g N In particular, even if f i or g j are functions about x, the formula above also holds Thus, we have the equivalent linear form of the formula () where c = Hr + m mod q (3) h 0 h N h h h 0 h H = h N h N h 0 4

5 is a circular matrix in Zq N N Obviously, H T is also a circular matrix over Zq N N As needed, we only consider the circular matrix over Zq N N For simplicity, we give the following convention: h N+i = h i, H N+i,N+ j = H i, j Clearly, if H Zq N N is a circular matrix if and only if H i, j = H N j+i+,, for i, j {,,, N} And there are the following fundamental lammas (see [3]) Lemma If H Zq N N over Zq N N is an invertible circular matrix over Zq N N, then H is also a circular matrix Lemma If G, H Zq N N are circular matrixs, then GH is also a circular matrix In particular, H T H is a symmetric circular matrix We show how to get H and H T H in O(N ) arithmetic operations respectively in Appendix A Of course, if N is taken to be large, then it might be faster to use Fast Fourier Transforms to compute products H T H in O(N log N) operations However, it doesn t impact the final complexity What s more, it s easy to prove the following theorem Theorem 3 If G, H Zq N N are circular matrixes, which are corresponding to g = N i=0 g ix i and h = N i=0 h ix i respectively, then GH = I mod q if and only if g h = over Z q [x]/(x N ), where I is an identity matrix of order N 4 The Proportion of the Matrices of Rank n in Z (n+l) n q Here, we discuss a general problem: how big is l, then the linear system L Y = S mod q only has a single solution with very high probability? Of course, the vector S Z n+l q, the (random) matrix L Z (n+l) n q and the modulus q are known and we know that there is at least one solution Clearly, that there is a single solution is equivalent to that the rank of L equals to n Now, we distinguish two cases: For the case l = 0, if the matrix L is invertible modulo q, then there is only one solution Nguyen in [7] gave the following result estimating the proportion of invertible matrices modulo q among all matrices: Theorem 4 Let q be a power of prime p Consider the ring of n n matrices with entries in Z q Then the proportion of invertible matrices (ie, with determinant coprime to q) is equal to: n ( p k ) k= For the case l = or, it s easy to obtain the following generalization of Theorem 3 in [7]: Theorem 5 Let F q be the finite field with q elements, where q is a prime power The proportion of matrices of rank n in the set of (n + l) n matrices with entries in F q is equal to: n+l k=l+ ( q k ), l =, For the sake of completeness, detailed proof is provided in Appendix B Note that the above proportions converge quickly to their limit The result of numerical experiment shows that the proportion can be considered as constant for high dimensions (higher than 50) Table gives numerical results for the case l = 0,, and 5

6 Table The proportion of the matrices of rank n in Z (n+l) n q q l = l = l = It shows that if l = 0, the random matrix L is invertible modq with non-negligible probability, and with very high probability for p > 59 And we see that for the case l =, there is a single solution with very high probability 3 The Broadcast Attacks against NTRU 3 Analyse the ergodic-linearization algorithm against GGH We first analyse the ergodic-linearization algorithm [, 3, 4] against the original GGH, which naturally deduce the broadcast attacks against NTRU For the formula (), we do the ergodic on the error set to get N ( j=0 It s equivalent to do square: N B i+, j+ m j c i σ)( N ( j=0 B i+, j+ m j c i + σ) = 0, i = 0,,, N B i+, j+ m j c i ) = σ, i = 0,,, N (3) j=0 Then we assign m 0, m 0m,, m 0 m N, m, m m,, m m N,, m N, m 0, m,, m N new variables {y i } N +3N This linearization will produce N linear equations from every recipient s ciphertext in the form of a T i Y = σ c i, i = 0,,, N, where Y = (y, y,, y N +3N ) T What s more, a 0, a,, a N are linearly independent, unless there exists c i = 0 to make them linearly dependent possibly Hence, we need at least N+3 recipients ciphertexts and the corresponding public keys to obtain a system of linear congruence equations L Y = S, where L is a N +3N N +3N matrix, and S is a constant vector And we can find m by solving the above set of linear equations over Z Another way is to take the sum of the equation (3) for i = 0,,, N, which is equivalent to do the inner product (c Bm) T (c Bm) = r T r Note that r T r = Nσ, we get m T B T Bm c T Bm = Nσ c T c (3) Then we treat (3) in the same way as above This linearization will produce one linear equation from every recipient s ciphertext in the form of a T Y = Nσ c T c Hence, we need at least N +3N recipients ciphertexts/public-keys pairs to obtain a system of linear congruence equations L Y = S Obviously, for another encoding method Br + m = c, first we get det(l(r))r = Bc Bm, 6

7 then we can do something similar For GGH-009, we modify the decryption equation to get c = Bm + r mod p Let ĉ = c (,,, ) T, ˆB = B and ˆr = r (,,, ) T, then we have ĉ = ˆBm + ˆr mod p, (33) where ˆr {, } N Then we can treat (33) in the same way as that for the original GGH Remark : Obviously, doing the inner product is worse than doing square, because the public key B has no good global property as the matrix Ĥ in NTRU, which is an invertible circular matrix Nonetheless, this method naturally deduces the broadcast attack against NTRU 3 How to do the Broadcast Attacks against NTRU According to Subsection 3, it s equivalent to consider the linear form of NTRU over Z q If H is invertible in Z N N q, obviously we can easily get the equation below from (3) Let Ĥ = H, b = H c mod q, then we have H m + r = H c mod q Ĥm + r = b mod q (34) Usually, H is invertible in Zq N N with high probability in NTRU-00 with an odd d g and NTRU-005 with gcd(q, d g ) = (the proportion of invertible elements is close to, which can be computed as in [4]) Hence, we can easily choose H which is invertible, then get an invertible circular matrix Ĥ and it requires O(N ) arithmetic operations from Lemma Another way to estimate whether H is invertible in Zq N N or not is to observe whether gcd(det(l), q) = or not However, for NTRU-00 with an even d g and NTRU-005 with q d g, H is not invertible We need some extra restrictions: q d r, to get an invertible H In addition, H is not invertible in NTRU-998 Luckily, the public key h is pseudo-invertible" modq with overwhelming probability More precisely, there is the following result [5] Lemma 3 For any public key h in NTRU-998, there exists a polynomial h R with overwhelming probability such that for any r L r h h r = r mod q It requires O(N ) arithmetic operations It also holds true for NTRU-00 with q = d r and NTRU-005 with q d r One takes NTRU-005 with q d r as an example to explain how to find h in polynomial time as follows If gcd(q, d g ) =, then H is invertible in Zq N N with high probability, as mentioned in [4] Hence, we can assume that q d g Since R q = Z q [x]/(x N ) is isomorphic to P P where P = Z q [x]/(x ) and P = Z q [x]/(x N + x N + + ), we have φ : R q P P 7

8 Since h() = 0 mod q, we have φ(h) = (0, h) (therefore h is not invertible in R q ), where h denotes the reduction of h modulo x N + x N + + Note that x N + x N + + is an irreducible polynomial, the proportion that the (random) h is invertible in P with very high probability (it s equal to q N ) We denote its inverse in P by h, then h h = over P Using Extended Euclidean Algorithm for x N + x N + + and h in Z q [x], we can get h with O(N ) arithmetic operations (see [6], pp7-7, Corollary 46) Meanwhile, using the above algorithm, we compute polynomials u and v satisfying (x N + x N + + )u + (x )v = Then the Chinese Remainder Theorem tells us that h = φ ((, h)) = (x N + x N + + )u + (x )v h = + (x )v( h ) mod(x N ) in R q and it uses O(N ) arithmetic operations Since φ(h h) = (, h)(0, h) = (0, ), we can set h h = ω(x)(x N + x N + + ) + mod q, where ω(x) satisfies Nω() + = 0 mod q Hence, together with q d r, for r B(d r ) we have Let then we have h h r ω(x) + ω(x) ω(x) ω(x) ω(x) + ω(x) = (, x,, x N ) r mod q ω(x) ω(x) ω(x) + = (, x,, x N )r = r mod q h 0 h N h h H h 0 h = h N h N h 0 H m + r = H c mod q from (3) Note that h = φ ((, h)) is the invertible element of h, then H is an invertible circular matrix from Theorem 3 Similarly, let Ĥ = H, b = H c mod q, then we also get the formula (34) With the analysis above, it s natural to get the follow theorem Theorem 3 Given a uniformly random instance of NTRU-998, NTRU-00 with an odd d g, NTRU- 00 with q = d r, NTRU-005 with gcd(q, d g ) = and NTRU-005 with q d r, ie for any message m, ciphertext c, public key H (or polynomial h) and the corresponding blinding value vector r, there exists a polynomial time algorithm that on input H or h outputs an invertible circular matrix Ĥ with very high probability, such that Ĥm + r = b mod q, where b = Ĥc mod q It requires O(N ) arithmetic operations Based on Theorem 3, we can obtain the following main theorem 8

9 Theorem 33 For the NTRU-998 (also NTRU-00 with an odd d g, NTRU-00 with q = d r, NTRU- 005 with gcd(q, d g ) = and NTRU-005 with q d r ) cryptosystem with enough (reaches O( 3N )) independent recipients ciphertexts and corresponding public keys known, there exists a polynomial time algorithm to recover the plaintext successfully Proo f Algorithm consist of three steps Step Separating r from Hr and Derandomization By the Theorem 3, we can get r = b Ĥm mod q Then, we do the inner product Note that r T r = d is a constant, we get (b Ĥm) T (b Ĥm) = r T r mod q m T Ĥ T Ĥm b T Ĥm = d b T b mod q (35) From Lemma (), Ĥ T Ĥ is a symmetric circular matrix Step Linearization We linearize the equations (35) Let d b T b = s, b T Ĥ = (w 0, w,, w N ) and a 0 a N a a Ĥ T a 0 a Ĥ = a N a N a 0 where a i = a N i, for i {0,,, N } From (35), we can get a 0 (m 0 + m + + m N ) + a (m m 0 + m m + + m 0 m N ) + + a N (m N m 0 + m 0 m + + m N m N ) w 0 m 0 w m w N m N = s mod q (36) Let x i = m i m 0 + m i+ m + + m N m N i + m 0 m N i + + m i m N, for i = 0,,, N Note that N is an odd prime, a i = a N i and x i = x N i for i {0,,, N }, then the formula (36) is equivalent to a 0 x 0 + a x + + a [ N ] x [ N ] w 0m 0 w m w N m N = s mod q (37) Of course, even if N is even, we can easily obtain the same result Furthermore, NTRU is easily seen to be semantically insecure, since r() = 0 in NTRU-998 or r() = d r in NTRU-00 and NTRU-005 From formula (), we get h()r() + m() = c() mod q, For several variants of NTRU, we distinguish three cases: For NTRU-998, we can easily get m 0 + m + + m N = c() mod q (38) 9

10 and The formula above is equivalent to (m 0 + m + + m N ) = (c()) mod q By combining the formulae (37) and (39), we can get x 0 + x + + x [ N ] = c() mod q (39) (a a 0 )x + + (a [ N ] a 0)x [ N ] w 0m 0 w m w N m N = s a 0 c() mod k (30) What s more, there is a positive integer u such that u divides the greatest common divisor of all the coefficients but u+ can not If u k, then the equation (30) is noneffective And in fact u = holds for very high probability We just use those samples in which u =, so we have (a a 0 )x + + (a [ N ] a 0)x [ N ] w 0m 0 w m w N m N = s a 0c() mod k Notice that the formula (38) can be obtained from any other recipient s ciphertext Hence we need at least N + [ N ] recipients ciphertexts and the corresponding public keys to obtain a system of linear congruence equations L Y = S mod k, where L is a (N + [ N ]) (N + [ N ]) matrix, Y = (x, x,, x [ N ], m 0, m, + m N ) T and S is a constant vector However, in the practical experiments, we take L Z Q (N+[ N ]) q to guarantee that the rank of L equals to N + [ N ], where Q = N + [ N ] + l, l N Fortunately, in practice scheme q = 8, 56 or other larger number of the form k, Table in Section 4 indicates that even if we take l =, the rank of the random matrix L equals to N + [ N ] with very high probability (close to ) For NTRU-00 with an odd d g and NTRU-00 with q = d r, since m i = m i holds for m i {0, }, we have a x +a x + +a [ N ] x [ N ]+(a 0 w 0 )m 0 +(a 0 w )m + +(a 0 w N )m N = s mod q (3) Similar to NTRU-998, we can easily get and The formula above is equivalent to m 0 + m + + m N = c() d r h() mod q (3) (m 0 + m + + m N ) = (c() d r h()) mod q x + x + + x [ N ] = c() d rh() )(c() d r h()) mod q By combining the formulae (3) and (3), we can get a x + a x + + a [ N ] x [ N ] w 0m 0 w m w N m N = s a 0 (c() d r h()) mod q There is a positive integer u such that u divides the greatest common divisor of all the coefficients but u+ can not Similar to NTRU-998, u = holds for very high probability We just use those samples in which u =, so we have a x + a x + + a [ N ] x [ N ] w 0m 0 w m w N m N = s a 0(c() d r h()) 0 mod k

11 and x + x + + x [ N ] = c() d rh() )(c() d r h()) mod k (33) Notice that the two formulae (3) and (33) can be obtained from any other recipient s ciphertext Hence, we need at least N + [ N ] recipients ciphertexts/public-keys to obtain a system of linear congruence equations L Y = S mod k, where L is a (N + [ N ]) (N + [ N ]) matrix, Y = (x, x,, x [ N ], m 0, m, + m N ) T and S is a constant vector However, in the practical experiments, we take L Z Q (N+[ N ]) q to guarantee that the rank of L equals to N + [ N ], where Q = N + [ N ] + l, l N Table in Section 4 indicates that even if we take l =, the rank of L equals to N + [ N ] with very high probability (close to ) For NTRU-005 with gcd(q, d g ) = and NTRU-005 with q d r, since m i = m i holds for m i {0, }, similar to NTRU-00, we have and m 0 + m + + m N = c() d r h() mod q, (34) x + x + + x [ N ] = c() d rh() )(c() d r h()) mod q (35) a x +a x + +a [ N ] x [ N ] w 0m 0 w m w N m N = s a 0 (c() d r h()) mod q (36) Since q is a odd prime, there exist the inverse of mod q Thus, the formulae (35) and (36) are equivalent to x + x + + x [ N ] = s mod q (37) and a x + a x + + a [ N ] x [ N ] w 0m 0 w m w N m N = s mod q (38) Notice that the two formulae (34) and (37) can be obtained from any other recipient s ciphertext Hence, we need at least N+[ N ] recipients ciphertexts/public-keys to obtain a system of linear congruence equations L Y = S mod q, where L is a (N+[ N ]) (N+[ N ]) matrix, Y = (x, x,, x [ N ], m 0, m, + m N ) T and S is a constant vector However, in the practical experiments, we take L Z Q (N+[ N ]) q to guarantee that the rank of L equals to N + [ N ], where Q = N + [ N ] + l, l N NTRU-005 in [3] takes q = 97, 5, 367 or larger primes in practice scheme, Table indicates that even if we take l = 0, the rank of L equals to N + [ N ] with very high probability (close to ) Step 3 Solving the system of linear congruence equations We use Gaussian elimination to solve L Y = S mod q and the output (m 0, m, + m N ) is the plaintext m It requires O(N 3 ) arithmetic operations (see [7], pp47-48, Algorithm ) More accurately, since L Z (N+[ N ]+l) (N+[ N ]) q and the rank of L equals to

12 N + [ N ], we apply Gaussian elimination to (L S) mod q and get u u u n v u u n v n u nn v n 0 0 l 0 } {{ } n }{{} (39) where n = N + [ N ] and u ii 0, i =,,, n Thus, we use back substitution method to solve m N, m N,, m, not the whole Y Another way is to use the Hermite Normal Form For L = (L, L,, L N+[ N ]), we set L = (L [ N ]+, L [ N ]+,, L N+[ N ], L, L,, L [ N ] ) and Y = (m 0, m,, m N, x, x,, x [ N ] )T We compute the Hermite Normal Form B of L T : B = L T U, where U Z (n+l) (n+l) q is a unimodular matrix (see [7], pp69, Algorithm 46), then get B T Y = U T S mod q by multiplying U T, finally by iteration solve m 0, m,, m N in turn, not the whole Y Specifically, we have the following result (l N): Variant N the number of variables Recipients Binary length Time NTRU-998 N N + [ N ] = O(3N/) N + [ N ] + l O(log N + log(q ) + ) O(N3 ) NTRU-00 N N + [ N ] = O(3N/) N + [ N ] + l O(log N + log(q ) + ) O(N3 ) NTRU-005 N N + [ N ] = O(3N/) N + [ N ] + l O(log N + log(q ) + ) O(N3 ) Pan and Dent in [] give the following result: Variant N the number of variables Recipients Time NTRU-998 N O(N 3 /6) O(N /6) O(N 9 ) NTRU-00 N O(N /) O(N/) O(N 6 ) NTRU-005 N O(N /) O(N/) O(N 6 ) Remark 3: Compare the two tables above, our method is very efficient in the number of variables and time complexity In particular, for NTRU-998 our method is very efficient and better than that in [] We eliminate the blinding value vector r directly and entirety by doing the inner product from every recipient s ciphertext, differ from eliminating r by using ergodic in [] Clearly, our algorithm also holds in the case that N is even However, it doesn t work against NTRU with encryption padding 4 Experimental Results All experiments were performed on a Windows XP system with a 93 GHz Pentium 4 processor and 4 GByte RAM using Shoup s NTL library version 54 [8] We implemented the broadcast attacks against three variants of NTRU For NTRU-998 and NTRU- 00, we adopted the algorithms for u = In our experiments, we always obtained an matrix L, whose the rank equals to N + [ N ] And the number of recipients is just a little more than the number of variables (denoted by T) Since the number of variables is small, the experiment evidence indicates that our algorithm can efficiently broadcast attack against NTRU with the big parameters Some results against NTRU with the highest security parameters are listed below:

13 Variant N q p d f d g d r T Recipients Rank(L) Result NTRU success NTRU success NTRU success 5 Conclusion In this paper, we first discuss Ding s algorithm against GGH, then naturally deduce new and uniform broadcast attacks against several variants of NTRU, which is based on the special structure of blinding value space L r From which we can see two main lines to study the algebraic broadcast attacks: one is decreasing the number of variables; the other is increasing the number of equations Now, the main question is that how to do the broadcast attacks against NTRU, GGH and other cryptosystems more efficiently if the error vectors lack of the special structure References [] J Hoffstein, J Pipher, and JH Silverman NTRU: A Ring-Based Public Key Cryptosystem, in Proc of Algorithmic Number Theory (Lecture Notes in Computer Science), JP Buhler, Ed Berlin, Germany: Springer-Verlag, 998, vol 43, pp [] J Hoffstein, and JH Silverman Optimizations for NTRU Technical report, NTRU Cryptosystems (June 000), available at [3] N Howgrave-Graham, JH Silverman, and W Whyte Choosing Parameter Sets for NTRUEncrypt with NAEP and SVES-3 Technical Report, NTRU Cryptosystems 005 [4] D Coppersmith, and A Shamir Lattice attacks on NTRU, in Proc of EuroCrypt 97 (Lecture Notes in Computer Science), W Fumy, Ed Berlin, Germany: Springer, 997, Vol 33 pp 5-6 [5] E Jaulmes, and A Joux A Chosen-Ciphertext Attack against NTRU Advances in Cryptology- CRYPTO 000, Lecture Notes in Computer Science, 000, Volume 880/000, 0-35 [6] A May, and JH Silverman Dimension Reduction Methods for Convolution Modular Lattices, in Proc of Cryptography and Lattices (Lecture Notes in Computer Science), JH Silverman, Ed Berlin, Germany: Springer- Verlag, 00, vol 46, pp 0-5 [7] N Howgrave-Graham, JH Silverman, and W Whyte A Meet- In-The-Meddle Attack on an NTRU Private Key Technical Report, available at http: //wwwntrucom/cryptolab/tech noteshtm 004 [8] N Howgrave-Graham A hybrid lattice-reduction and meet-in-the-middle attack against NTRU In Proc of CRYPTO 007, pp 50-69, 007 [9] J Hästad Solving simultaneous modular equations of low degree SIAM J Comput 7 (988) [0] T Plantard, and W Susilo Broadcast attacks against lattice-based cryptosystems (ACNS 009) [] Y Pan, and Y Deng A broadcast attack against NTRU using Ding s Algorithm, available at 3

14 [] G V Bard Algebraic Cryptanalysis Springer, 009 [3] S Arora, and R Ge Learning Parities with Structured Noise, TR0-066, April 00 [4] J Ding Solving LWE Problem with Bounded Errors in Polynomial Time, available at [5] Y Pan, Y Deng, Y Jiang, and Z Tu A New Lattice-Based Cryptosystem Mixed with a Knapsack Cryptology eprint Archive, Report 009/337, available at http: //eprintiacrorg/009/337 [6] O Goldreich, S Goldwasser, and S Halevi Public-key cryptosystems from lattice reductions problems In: Kaliski Jr, BS (ed) CRYPTO 997 LNCS, vol 94, pp -3 Springer, Heidelberg (997) [7] P Q Nguyen Cryptanalysis of the Goldreich-Goldwasser-Halevi cryptosystem from crypto 997 In: Wiener, M (ed) CRYPTO 999 LNCS, vol 666, pp Springer, Heidelberg (999) [8] R Fischlin, and J P Seifert Tensor-based trapdoors for cvp and their application to public key cryptography In: IMA Int Conf pp (999) [9] D Micciancio Improving lattice based cryptosystems using the Hermite normal form In: Silverman, JH (ed) CaLC 00 LNCS, vol 46, pp 6-45 Springer, Heidelberg (00) [0] S H Paeng, B E Jung, and K C Ha A lattice based public key cryptosystem using polynomial representations In: Desmedt, YG (ed) PKC 003 LNCS, vol 567, pp Springer, Heidelberg (003) [] C Gentry Key Recovery and Message Attacks on NTRU-Composite In Proc of Eurocrypt 0, LNCS 045, pages 8-94 Springer-Verlag, 00 [] P Mol, and M Yung Recovering NTRU Secret Key from Inversion Oracle, In Proc of PKC , 8-36 [3] P J Davis Circulant Matrices New York: John Wiley and Sons Co, 979 [4] J Hoffstein, and J H Silverman Invertibility in truncated polynomial rings Technical report, NTRU Cryptosystems, October 998 Report #009, version, available at [5] P Nguyen, and D Pointcheval Analysis and Improvements of NTRU Encryption Padding In Proc of Crypto 0, Berlin: Springer-Verlag, 00, vol 44, pp 0-5 [6] Joachim von zur Gathen, and Jurgen Gerhard Modern computer algebra (nd ed) Cambridge, UK; New York, NY, USA: Cambridge University Press, 003,pages [7] H Cohen A course in computational algebraic number theory New York : Springer-Verlag, c993 [8] V Shoup NTL: A library for doing number theory Available at 4

15 Appendix A: How to get H and H T H We set g = (g 0, g,, g N ) T satisfying h 0 h N h h h 0 h h N h N h 0 g 0 g g N 0 = mod q, 0 then g has a unique solution over Zq N since H C N N is invertible over Zq N N It requires O(N ) arithmetic operations (see [7], pp47-49, Algorithm ) Then g 0 g N g g H g 0 g = g N g N g 0 Because, for any vector v = (v 0, v,, v N ) T, we denote by v (i) its i-cycle: { v (i) v i = 0; = (v N i, v N i+,, v N, v 0, v,, v N i ) T, i {,,, N } Then Hg (i) = E i+ mod q, where E i is a column vector whose i-th entry is and else are 0 If G, H Zq N N are circular matrixs, for i, j {,,, N}, we have (GH) i, j = g i h N j+ + g i h N j+ + + g i h N j N = g l h N j+i l, l=0 (GH) N j+i+, = g N j+i h 0 + g N j+i h + + g N j+i+ h N N = g l h N j+i l l=0 Hence, (GH) i, j = (GH) N j+i+,, for i, j {,,, N}, ie GH is also a circular matrix In particular, H T H is a symmetric circular matrix Hence, (H T H) i, = (H T H),i = (H T H) N+ i,, for i {,,, N} It s sufficient to calculate {(H T H),, (H T H),,, (H T H) [ N ]+, }, which requires (N )([ N ] + ) arithmetic operations Appendix B: Proof of Theorem 5 Theorem 5 is equivalent to consider the set of n (n + l) matrices with entries in F q We count the number of matrices of the form (b, b,, b n+ ) of rank n, where b i Z n q Denote by B k the subspace spanned by b, b,, b k, with the convention B 0 being the nullspace Recall that a k-dimensional subspace has cardinality q k For each family (b, b,, b n+ ) of rank n, there exists a unique i such that b, b,, b i are linearly independent, b i B i, and for all j > i, b j B j There are i k=0 (qn q k ) 5

16 possibilities for b, b,, b i There are q i choices for b i And there are n k=i (qn q k ) possibilities for b i+, b i+,, b n+ It follows that the total number of families is: n+ n q i i= n+ (q n q k ) = q n(n+) ( q k ) k=0 Now, consider a family (b, b,, b n+ ) of rank n There exists a unique (i, j) with i < j such that b, b,, b i are linearly independent, b i B i, for all i < t < j, b t B t, b j B j and for all t > j, b t B t That way, we know the dimension of B t for all t, and therefore, the number of (b, b,, b n+ ) corresponding to a given (i, j) is: i (q n q k ) q i k=0 j 3 k=i It follows that the total number of families of rank n is: Then computer the double sum: n n+ (q n q k ) k=0 k= (q n q k ) q j i= n+ j=i+ q i+ j 3 n k= j (q n q k ) n+ i= n+ j=i+ q i+ j 3 = n+ i= q i+n q i q = (qn+ )(q n+ ) (q )(q ) Therefore, the number of families is: q n(n+) n+ ( q k ) Note: The proof above is modelled on the proof of Theorem 3 in [7] k=3 6