Revisiting Lattice Attacks on overstretched NTRU parameters

Transcription

1 Revisiting Lattice Attacks on overstretched NTRU parameters P. Kirchner & P-A. Fouque Université de Rennes 1, France EUROCRYPT /01/17 1

2 Plan 1. Background on NTRU and Previous Attacks 2. A New Subring Attack 3. Simplification and Generalization 4. Prediction of our Attacks 2

3 NTRUEncrypt Key Generation R = Z[X]/(X n + 1), modulus q, width σ Sample f D R,σ (invertible mod q) Encrypt m {0, 1} Decrypt c R q Sample g D R,σ Publish h = [g/f] q Sample s, e D R,χ, D R,χ Return c = 2(h s + e) + m m = f c = 2(g s + f e) + f m Return m mod 2 = f m mod 2 3

4 NTRU lattice Λ q h Recovering the secret key from the public key A = ( ) qin M h 0 I n The lattice Λ q h defined by A an NTRU instance for parameters R, q, σ has dimension 2n and volume q n If h were uniformly random, the Gaussian heuristic predicts the shortest vectors of Λ q h have norm nq While f g nσ nq unusually short vectors: n vectors rotated of (f, g), (x i f, x i g). SS11 : for σ q, h is statistically indistinguisable from uniform, but NTRU chooses f, g { 1, 0, 1} n! 4

5 NTRU lattice Λ q h Recovering the secret key from the public key A = ( ) qin M h 0 I n The lattice Λ q h defined by A an NTRU instance for parameters R, q, σ has dimension 2n and volume q n If h were uniformly random, the Gaussian heuristic predicts the shortest vectors of Λ q h have norm nq While f g nσ nq unusually short vectors: n vectors rotated of (f, g), (x i f, x i g). SS11 : for σ q, h is statistically indistinguisable from uniform, but NTRU chooses f, g { 1, 0, 1} n! 4

6 NTRU lattice Λ q h Recovering the secret key from the public key A = ( ) qin M h 0 I n The lattice Λ q h defined by A an NTRU instance for parameters R, q, σ has dimension 2n and volume q n If h were uniformly random, the Gaussian heuristic predicts the shortest vectors of Λ q h have norm nq While f g nσ nq unusually short vectors: n vectors rotated of (f, g), (x i f, x i g). SS11 : for σ q, h is statistically indistinguisable from uniform, but NTRU chooses f, g { 1, 0, 1} n! 4

7 NTRU lattice Λ q h Recovering the secret key from the public key A = ( ) qin M h 0 I n The lattice Λ q h defined by A an NTRU instance for parameters R, q, σ has dimension 2n and volume q n If h were uniformly random, the Gaussian heuristic predicts the shortest vectors of Λ q h have norm nq While f g nσ nq unusually short vectors: n vectors rotated of (f, g), (x i f, x i g). SS11 : for σ q, h is statistically indistinguisable from uniform, but NTRU chooses f, g { 1, 0, 1} n! 4

8 NTRU Assumptions and Applications Definition (NTRU Assumption) It is hard to find a short vector in the R-module Λ q h = {(x, y) R2 s.t. hx y = 0 mod q} R = Z[X]/(P(X)) and the promise a short solution (f, g) exists. The NTRU assumption has been used for signature scheme: BLISS (Ducas, Durmus, Lepoint, Lyubashevsky), based on IBE (Ducas, Prest, Lyubashevsky) fully homomorphic encryption: LTV (Lopez-Alt, Tromer and Vaikuntanathan), YASHE (Bos, Lauter, Loftus, Naehrig) multilinear Maps from Ideal Lattices: GGH13 With very large modulus q compared to NTRUEncrypt! 5

9 NTRU Assumptions and Applications Definition (NTRU Assumption) It is hard to find a short vector in the R-module Λ q h = {(x, y) R2 s.t. hx y = 0 mod q} R = Z[X]/(P(X)) and the promise a short solution (f, g) exists. The NTRU assumption has been used for signature scheme: BLISS (Ducas, Durmus, Lepoint, Lyubashevsky), based on IBE (Ducas, Prest, Lyubashevsky) fully homomorphic encryption: LTV (Lopez-Alt, Tromer and Vaikuntanathan), YASHE (Bos, Lauter, Loftus, Naehrig) multilinear Maps from Ideal Lattices: GGH13 With very large modulus q compared to NTRUEncrypt! 5

10 NTRU Assumptions and Applications Definition (NTRU Assumption) It is hard to find a short vector in the R-module Λ q h = {(x, y) R2 s.t. hx y = 0 mod q} R = Z[X]/(P(X)) and the promise a short solution (f, g) exists. The NTRU assumption has been used for signature scheme: BLISS (Ducas, Durmus, Lepoint, Lyubashevsky), based on IBE (Ducas, Prest, Lyubashevsky) fully homomorphic encryption: LTV (Lopez-Alt, Tromer and Vaikuntanathan), YASHE (Bos, Lauter, Loftus, Naehrig) multilinear Maps from Ideal Lattices: GGH13 With very large modulus q compared to NTRUEncrypt! 5

11 Current Attacks on NTRU Recovering a short enough vector larger than (f, g) is sufficient to recover the secret key Finding a o(q) vector would break many applications such as encryption Previous Lattice attacks: 1. Direct Approach: we need a strong lattice reduction and NTRU is still secure 2. May increases the λ 1 (L)/λ 2 (L) by avoiding the rotated vectors and reduces the dimension by projecting the lattice 3. Howgrave-Graham combines lattice-reduction and MITM: first reduces a submatrice in the middle of the lattice L Asymptotically BKW variant: heuristic complexity of 2Θ(n/ log log q) 6

12 Current Attacks on NTRU Recovering a short enough vector larger than (f, g) is sufficient to recover the secret key Finding a o(q) vector would break many applications such as encryption Previous Lattice attacks: 1. Direct Approach: we need a strong lattice reduction and NTRU is still secure 2. May increases the λ 1 (L)/λ 2 (L) by avoiding the rotated vectors and reduces the dimension by projecting the lattice 3. Howgrave-Graham combines lattice-reduction and MITM: first reduces a submatrice in the middle of the lattice L Asymptotically BKW variant: heuristic complexity of 2Θ(n/ log log q) 6

13 Current Attacks on NTRU Recovering a short enough vector larger than (f, g) is sufficient to recover the secret key Finding a o(q) vector would break many applications such as encryption Previous Lattice attacks: 1. Direct Approach: we need a strong lattice reduction and NTRU is still secure 2. May increases the λ 1 (L)/λ 2 (L) by avoiding the rotated vectors and reduces the dimension by projecting the lattice 3. Howgrave-Graham combines lattice-reduction and MITM: first reduces a submatrice in the middle of the lattice L Asymptotically BKW variant: heuristic complexity of 2Θ(n/ log log q) 6

14 Subfield Attack Lattice reduction in a subfield to attack the NTRU assumption for large moduli q and σ < q 1/4 Strategy: Reducing the dimension allows faster algorithms 1. Map a NTRU instance to the chosen subfield (dim. n/2) 2. Apply lattice reduction 3. Lift the solution to the full field Albrecht, Bai, Ducas rediscovered this attack already sketched by Gentry, Szydlo, Jonsson, Nguyen and Stern Cheon, Jeong and Lee discovered a variant using the Trace instead of the Norm Work with any coefficient of the characteristic polynomial 7

15 Subfield Attack Lattice reduction in a subfield to attack the NTRU assumption for large moduli q and σ < q 1/4 Strategy: Reducing the dimension allows faster algorithms 1. Map a NTRU instance to the chosen subfield (dim. n/2) 2. Apply lattice reduction 3. Lift the solution to the full field Albrecht, Bai, Ducas rediscovered this attack already sketched by Gentry, Szydlo, Jonsson, Nguyen and Stern Cheon, Jeong and Lee discovered a variant using the Trace instead of the Norm Work with any coefficient of the characteristic polynomial 7

16 Subfield Attack Lattice reduction in a subfield to attack the NTRU assumption for large moduli q and σ < q 1/4 Strategy: Reducing the dimension allows faster algorithms 1. Map a NTRU instance to the chosen subfield (dim. n/2) 2. Apply lattice reduction 3. Lift the solution to the full field Albrecht, Bai, Ducas rediscovered this attack already sketched by Gentry, Szydlo, Jonsson, Nguyen and Stern Cheon, Jeong and Lee discovered a variant using the Trace instead of the Norm Work with any coefficient of the characteristic polynomial 7

17 Cyclotomic Number Field K = Q[ω n ] Q[X]/(Φ n (X)) where ω n = exp(2iπ/n) L = Q(ω n + ω n ): maximal real subfield of K of dim. (n 1)/2 Conjugate: ā = a 0 + ϕ(n) 1 i=1 a i X ϕ(n) i for a = ϕ(n) 1 i=0 a i X i N K/L (a) = aā L More generally, if L subfield of K of dim. m and r = n/m, N K/L (a) = Π σ H σ(a) for H fixing L Ring of integers: O K = Z[ω n ] = {a K : fq a Z[X]} where is the monic irreducible minimal polynomial of a over Q f a Q Ideal go K can be represented by a lattice: multiplication matrix by g in O K 8

18 Cyclotomic Number Field K = Q[ω n ] Q[X]/(Φ n (X)) where ω n = exp(2iπ/n) L = Q(ω n + ω n ): maximal real subfield of K of dim. (n 1)/2 Conjugate: ā = a 0 + ϕ(n) 1 i=1 a i X ϕ(n) i for a = ϕ(n) 1 i=0 a i X i N K/L (a) = aā L More generally, if L subfield of K of dim. m and r = n/m, N K/L (a) = Π σ H σ(a) for H fixing L Ring of integers: O K = Z[ω n ] = {a K : fq a Z[X]} where is the monic irreducible minimal polynomial of a over Q f a Q Ideal go K can be represented by a lattice: multiplication matrix by g in O K 8

19 Cyclotomic Number Field K = Q[ω n ] Q[X]/(Φ n (X)) where ω n = exp(2iπ/n) L = Q(ω n + ω n ): maximal real subfield of K of dim. (n 1)/2 Conjugate: ā = a 0 + ϕ(n) 1 i=1 a i X ϕ(n) i for a = ϕ(n) 1 i=0 a i X i N K/L (a) = aā L More generally, if L subfield of K of dim. m and r = n/m, N K/L (a) = Π σ H σ(a) for H fixing L Ring of integers: O K = Z[ω n ] = {a K : fq a Z[X]} where is the monic irreducible minimal polynomial of a over Q f a Q Ideal go K can be represented by a lattice: multiplication matrix by g in O K 8

20 Analysis Consider the lattice generated by this matrix A norm = ( qin/r M O ) L N K/L (h) 0 I n/r where N K/L (h) O L. (N K/L (f), N K/L (g)) is contained in this lattice. expect short vector q n/(2n) 2n/(2πre) = qn/(πre) For L real subfield of K, if f > n and as f f f 2 = n, but since n q/2, the attack does not work on NTRU parameters But with very large modulus q, N K/L (f) = f f is smaller than the expected short vector! 9

21 Analysis Consider the lattice generated by this matrix A norm = ( qin/r M O ) L N K/L (h) 0 I n/r where N K/L (h) O L. (N K/L (f), N K/L (g)) is contained in this lattice. expect short vector q n/(2n) 2n/(2πre) = qn/(πre) For L real subfield of K, if f > n and as f f f 2 = n, but since n q/2, the attack does not work on NTRU parameters But with very large modulus q, N K/L (f) = f f is smaller than the expected short vector! 9

22 Analysis Consider the lattice generated by this matrix A norm = ( qin/r M O ) L N K/L (h) 0 I n/r where N K/L (h) O L. (N K/L (f), N K/L (g)) is contained in this lattice. expect short vector q n/(2n) 2n/(2πre) = qn/(πre) For L real subfield of K, if f > n and as f f f 2 = n, but since n q/2, the attack does not work on NTRU parameters But with very large modulus q, N K/L (f) = f f is smaller than the expected short vector! 9

23 Subfield attack Consider the lattice generated by this matrix A norm = ( qin/r M O ) L N K/L (h) 0 I n/r where N K/L (h) O L. (f = N K/L (f), g = N K/L (g)) Λ(A norm ) f (σn) r where r = [K : L] solution returned by BKZ: (x, y ) β Θ(n/βr) (nσ) Θ(r) if (x, y ) < q/ (f, g ), (x, y ) = v(f, g ) for v O L Efficient: small dimension (2n/r) and lifting the solution to K 10

24 Subfield attack Consider the lattice generated by this matrix A norm = ( qin/r M O ) L N K/L (h) 0 I n/r where N K/L (h) O L. (f = N K/L (f), g = N K/L (g)) Λ(A norm ) f (σn) r where r = [K : L] solution returned by BKZ: (x, y ) β Θ(n/βr) (nσ) Θ(r) if (x, y ) < q/ (f, g ), (x, y ) = v(f, g ) for v O L Efficient: small dimension (2n/r) and lifting the solution to K 10

25 Subfield attack Condition to work: q = β Θ(2n/(rβ)) n Θ(r) when σ = poly(n) 1. Faster than the direct attack with dim. 2n when q super-polynomial: Subfield: β/ log β = Θ(n log n/ log 2 q) for r = Θ(log q/ log n) Direct: β/ log β = Θ(n/ log q) Reparations 2. Quasi-polynomial time when q is exponential in n R = Z[X]/(X p X 1) as suggested by Bernstein et al.: NTRUprime K = Q(ζ p + ζ p ) with safe prime p: Galois with no subfield 11

26 Subfield attack Condition to work: q = β Θ(2n/(rβ)) n Θ(r) when σ = poly(n) 1. Faster than the direct attack with dim. 2n when q super-polynomial: Subfield: β/ log β = Θ(n log n/ log 2 q) for r = Θ(log q/ log n) Direct: β/ log β = Θ(n/ log q) Reparations 2. Quasi-polynomial time when q is exponential in n R = Z[X]/(X p X 1) as suggested by Bernstein et al.: NTRUprime K = Q(ζ p + ζ p ) with safe prime p: Galois with no subfield 11

27 New Subring Attack ( qi A = n M O ) L h 0 I n/r Original lattice but we put M O L h For any g O, N K/L (g) go O L in a subring of O K We show that (fn K/L (g)/g, N K/L (g)) Λ(A) and is short Efficiency? Subfield attack dim. is 2n/r instead n + n/r? 12

28 New Subring Attack Runtime of lattice reduction depends on the dimension and approx. factor (slope of the line) Increase the volume of the lattice Use a projected lattice to reduce the dimension! 13

29 New Subring Attack Runtime of lattice reduction depends on the dimension and approx. factor (slope of the line) Increase the volume of the lattice Use a projected lattice to reduce the dimension! 13

30 New Subring Attack ( qi A = n M O ) L h 0 I n/r This approach is more flexible: it allows to reduce the dimension and the number of coordinates! Projected Lattice: extract the last d rows and columns Heuristic: If the algorithm finds a vector shorter than the Minkowski bound, it is a multiple of the key if log σ = Θ(log n), poly-time algo when q = 2 Ω( n log log n) if σ = Θ( n), faster algo. as soon as q n Θ( log log n) β/ log β = Θ(n log σ/ log 2 q) and d 2n/r 14

31 New Subring Attack ( qi A = n M O ) L h 0 I n/r This approach is more flexible: it allows to reduce the dimension and the number of coordinates! Projected Lattice: extract the last d rows and columns Heuristic: If the algorithm finds a vector shorter than the Minkowski bound, it is a multiple of the key if log σ = Θ(log n), poly-time algo when q = 2 Ω( n log log n) if σ = Θ( n), faster algo. as soon as q n Θ( log log n) β/ log β = Θ(n log σ/ log 2 q) and d 2n/r 14

32 Simplification and Generalization Are these attacks better than other practical attacks NTRU: the lattice reduction step of the hybrid attack? ( qi A = n M O ) K h 0 I n There are n short vectors rotated of (f, g), (x i f, x i g). Finding a vector in a sublattice of low volume for lattice reduction algo. depends on the rank of the sublattice Previous analysis restrict to the special case of rank one Pataki & Tural: the volume of the sublattice generated by r vectors is larger than the product of the r smallest GS norms 15

33 Simplification and Generalization Are these attacks better than other practical attacks NTRU: the lattice reduction step of the hybrid attack? ( qi A = n M O ) K h 0 I n There are n short vectors rotated of (f, g), (x i f, x i g). Finding a vector in a sublattice of low volume for lattice reduction algo. depends on the rank of the sublattice Previous analysis restrict to the special case of rank one Pataki & Tural: the volume of the sublattice generated by r vectors is larger than the product of the r smallest GS norms 15

34 Simplification and Generalization Are these attacks better than other practical attacks NTRU: the lattice reduction step of the hybrid attack? ( qi A = n M O ) K h 0 I n There are n short vectors rotated of (f, g), (x i f, x i g). Finding a vector in a sublattice of low volume for lattice reduction algo. depends on the rank of the sublattice Previous analysis restrict to the special case of rank one Pataki & Tural: the volume of the sublattice generated by r vectors is larger than the product of the r smallest GS norms 15

35 Simplification and Generalization Are these attacks better than other practical attacks NTRU: the lattice reduction step of the hybrid attack? ( qi A = n M O ) K h 0 I n 1. We reduce the middle of the matrix A 2. Same efficiency w/o subfield with an orthogonal basis of O Recovery: half of fo and go and heuristically the middle matrix is a basis of (f, g)o 16

36 Experiments on NTRU log n log q log r Success Method Coordinates Origin Yes ABD Yes Ours No Ours Yes ABD Yes Ours No Ours No Ours 860 YASHE Yes Ours No Ours Yes ABD Yes Ours 430 YASHE Yes Ours No Ours Yes Ours 512 Dowlin Yes Ours 470 YASHE 17

37 Experiments and Prediction log n log q log r Success Method Coordinates Origin Yes Ours 470 YASHE Yes Ours 512 Doroz Yes Ours 660 YASHE Yes Ours 820 YASHE log n Prediction log r

38 Experiments on NTRUprime with Large Moduli log n log q l Success Yes Yes No Yes No Yes No Yes Yes Yes log n l Prediction

39 Conclusion Provable Security and Attack The property that we use is present until σ nq Stehlé and Steinfeld prove security for σ n 3 q Attack: more efficient on NTRU than Ring-LWE σ q/n Standard cryptography (signature, key exchange and IBE) use modulus q n 2 and attack doesn t apply 20

40 Conclusion Subfield attack and our subring attack are slower than the direct attack with projection We broke many instantiations of FHE schemes in practice First time: n rotated small vectors are useful to analyze the security of NTRU! 21