An Algorithm for NTRU Problems and Cryptanalysis of the GGH Multilinear Map without an encoding of zero

Transcription

1 An Algorithm for NTRU Problems and Cryptanalysis of the GGH Multilinear Map without an encoding of zero Jung Hee Cheon, Jinhyuck Jeong, Changmin Lee Seoul National University (SNU), Republic of Korea Abstract. Let h and g be polynomials of bounded Euclidean norm in the ring Z[X]/ X n + 1. Given polynomial [h/g] Z [X]/ X n + 1, the NTRU problem is to find a, b Z[X]/ X n + 1 with small Euclidean norm such that [a/b] = [h/g]. We propose an algorithm to solve the NTRU problem which runs in 2Õ(n/log2 ) time when g, h and g 1 are in some range. The main techniue of our algorithm is to reduce a problem on a field to one in a subfield. Recently, the GGH scheme, the first candidate of a (approximate) multilinear map, was known to be insecure by the Hu-Jia attack using encodings of zero, but no polynomial time attack was known without them. Our algorithm can be directly applied to construct level-0 encodings of zero and so utilized to attack the GGH scheme without encodings of zero in polynomial time of its security parameter. Keywords: NTRU, GGH Multilinear Maps, Ideal Lattice, Shortest Vector Problem 1 Introduction The NTRU problem is to find a pair of small polynomial whose ratio matches up to given a ratio of two small polynomials [HPS98]. After introduced for the security of a public key encryption scheme NTRU, the assumption that this NTRU problem is to be hard to solve, so-called NTRU assumption, has been used for the security grounding of various cryptographic schemes such as signature schemes [HHGP + 03,DDLL13], fully homomorphic encryption [LATV12,BLLN13] and candidates for cryptographic multi-linear maps [GGH13,LSS14,ACLL14]. Not broken until now, the NTRU assumption is getting more attention as one of the candidates for the post-uantum public-key crypto system. A variant of NTRU problem can be stated as follows: Problem 1 (A variant of NTRU Problem) Let ϕ n (X) Z[X] be a polynomial of degree n, Z be an integer, and let D, N and B be real numbers. The NTRU Problem NT RU ϕn,,d,n,b is to find a, b R := Z[X]/ ϕ n (X) with Euclidean norm smaller than B such that [b/a] = f for given a polynomial f = [h/g], where h and g are sampled from R and have Euclidean norms bounded by D and N, respectively.

2 2 In the original NTRU problem, h and g are sampled from the some distribution of R. We consider the variant version to attack multilinear maps [GGH13]. In this paper, we propose a polynomial time reduction from NT RU ϕn,,d,n,b into NT RU ϕn/2,,d 1,N 1,B 1 where ϕ n = X n + 1, B = min{ 2D n, 2N n }, D 1 = D 2 n/2, N 1 = 2ND n/2, and B 1 = min{ 2D t n, 2N t n, 2nN 2 g 1 n } for a power n of 2. Our algorithm is to reduce the problem defined over a ring Z[X]/ X n +1 to one over a subring Z[X]/ X n/2 +1. After applying repeatedly, we then use lattice reduction algorithms to find a short element. Since the latter has smaller dimension, lattice reduction algorithms reuire less running time to produce a short element, which results in an algorithm on the NTRU problem. It runs in ) time when g, h and g 1 are in some range. For 2Õ(n/log2 example, when n = λ 2 and log = λ, the running time is of polynomial in λ. As an application of our work, we propose an attack of the GGH multilinear maps [GGH13] without any encodings of zero. The GGH maps were proposed by Garg et al. and broken by so called a zeroizing attack by Hu and Jia [HJ15]. Since their attack extensively utilizes encodings of zero, it does not work without them and no polynomial time attack was known without them until recently (Refer to the related work subsection for concurrent and independent works on this problem). Our algorithm can be directly applied to construct level-0 encodings of zero. We then can utilize them to attack the GGH scheme without encodings of zero in polynomial time of its security parameter. Our GGH attack reuires one known plaintext/ciphertext pair as well as public parameters. Technical overview. A natural approach for the NTRU problem is to convert it to a Shortest Vector Problem (SVP) in an ideal lattice. Let ϕ n (X) = X n + 1 when n is a power of 2. For any polynomial f = [h/g] = n 1 f i X i R := Z[X]/ X n + 1, one may consider it as a vector (f 0,, f n 1 ) T. Then, the product gf = n 1 g i X i f of two polynomials f and g in R is contained in a lattice M f generated by {f, Xf,, X n 1 f}. We aim to obtain an element g Z[X]/ ϕ(x) satisfying g and [ gf] are small. To obtain such a g Z[X]/ ϕ(x), one can naturally contemplate the following column lattice: ( ) I 0 Λ f =, M f I where I is the identity matrix of size n and M f is a basis matrix of M f juxtaposed by {f, Xf,, X n 1 f}. Given a lattice vector u = (u 0,, u 2n 1 ) T of Λ f satisfying u i < /2 for n i 2n 1, we take g = n 1 u i X i and h = n 1 u n+i X i so that h = [g f] and f = [h /g ]. Therefore, if one can find a small lattice point u such that n 1 u i 2 h n and 2n 1 i=n u i 2 g, it becomes a solution n

3 3 of NT RU ϕ,,d,n,b. However, the dimension 2n of the lattice is too large for most applications, where the hardness of the NTRU problem comes from. To overcome this obstacle, we consider a subfield K m of K 0 := Q[X]/ X n +1 with extension degree m, and the trace of f K 0 over K m : [ m ] m Tr(f) = σ i (f) = i (h) i=1 i=1(σ m σ j (g))/ σ i (g). j i i=1 Since the numerator and denominator are elements in K m bounded by m h g m 1 n m and g m n m, respectively, if they are smaller than, we can draw another instance of the NTRU problem on K m, where the dimension of Λ Tr(f) is that of Λ f divided by m. Optimizing the m so that finding a small vector of the reduced lattice is possible with BKZ algorithm, one can reach the our results. Multilinear Maps. After Boneh and Silverberg [BS02] suggested a concept of cryptographic multilinear maps and their applications such as multipartite Diffie- Hellman and an efficient broadcast encryption in 2002, it has been a long lasting open uestion to construct cryptographic multilinear maps. In 2013, after about one decade, approximate cryptographic multilinear maps are first proposed by Garg, Gentry, and Halevi (GGH) [GGH13]. Not much later, second and third cryptographic multilinear maps are suggested by Coron, Lepoint, and Tibouchi (CLT) [CLT13], and Craig Gentry, Sergey Gorbunov, and Shai Halevi [GGH15], respectively. However, none of them have a reduction to standard hardness problem such as subset sum problem. In fact, the first two schemes with low level encodings of zero are known to be insecure [CHL + 15,HJ15], so called zeroizing attack. The last candidate is also broken [Cor15]. Although the fixed scheme of [CLT13] is proposed by the same authors of [CLT15] to resist zeroizing attack against the CLT scheme, it is also shown to be insecure [CLR15]. On the other hand, both [GGH13] scheme and [CLT13] scheme without any encodings of zero, which are used as basic tools for constructing applications such as indistinguishable obfuscations, have still not been analyzed yet. Related work. Recently for GGH multilinear maps without encodings of zero, two more concurrent and independent cryptanalytic works have been announced simultaneously: One by Albrecht, Bai, and Ducas [MA16] and the other by Miles, Sahai, and Zhandry [MSZ16]. The first introduces a very similar reduction from NT RU ϕn,,d,n,b into NT RU ϕn/2,,d 1,N 1,B 1. But they used the norm function instead of the trace function in our algorithm and so happened to have larger N 1 than ours, when N > 2D. That results in uantum polynomial time or subexponential time attack on GGH without encodings of zero. However, they provided rich analysis for NTRU-like homomorphic encryptions LTV [LATV12] and YASHE [BLLN13], and multilinear maps GGH with some implementations. The second introduces a polynomial time attack algorithm against the GGH multilinear maps, so called annihilation attacks. Using non-linear polynomials,

4 4 it also leads to a polynomial time break of the GGH scheme without low level encodings of zero. Organization. In Section 2, we introduce some notations and preliminaries related to ideal theory and Galois theory. In Section 3, we state useful properties and their proof used to solve the NT RU problem. In Section 4, we explain the GGH scheme briefly and present our algorithm to attack the GGH scheme using our theorem. 2 Preliminaries Notation. For an integer, we use the notations Z := Z/(Z) and R := Z [X]/ X n + 1 = R/R. We denote by (x mod ) or [x] the number in Z with range ( 2, ] n 1 2, which is congruent to x modulo. For u = u i X i R, [u] = n 1 [u i ] X i and u denote the Euclidean norm of u. We define ι : Z Z by [x] Z x Z for 2 < x 2. We extend this map into R applying to each coefficient. By abuse of notation, we omit this ι unless confused to identify [x] Z with an integer x when 2 < x 2. Throughout this paper, we assume that an integer n is a power of 2. Then K := Q[X]/ X n +1 is a number field with the ring of integers R := Z[X]/ X n + 1. Especially, K is a Galois extension of Q and we denote by Gal(K/Q) the Galois group of K over Q. As in technical overview, for any polynomial f = n 1 f i X i K, we consider it as a column vector (f 0,, f n 1 ) T. When we need an inverse of element a R, we usually consider the inverse in K with notation a 1. If we want to consider it in R not in K, then we denote it by [ a 1]. We use bold letters to denote vectors or ring elements in Z n or R. Ideal Lattice. An n-dimension full-rank lattice M R n is the set of all Z- linear combinations of n linearly independent vectors. Let det(m) denote the determinant of lattice M. For an element g R, we denote by g be the principal ideal in R generated by g, whose basis consists of {g, Xg,..., X n 1 g}. By identifying a polynomial g = g i X i R with a vector (g n 1, g n 2,..., g 0 ) T in Z n, we can apply a lattice theory to the algebraic ring R and an algebraic ring theory to the ideal lattice g. For a polynomial u R and a basis B := {b 1, b 2,..., b n }, we denote by u mod B the reduction of u modulo the fundamental region of lattice B, i.e, u mod B is the uniue representation of u R such that u (u mod B) B and u mod B = n 1 α i b i for α i ( 1/2, 1/2]. For a polynomial u, v R, we use the notations u mod v as u mod V, where V is a basis {v, Xv,..., X n 1 v}. By

5 definition of u mod v, it is of the form n 1 α i X i v for α i ( 1/2, 1/2]. Hence its Euclidean norm size is bounded by n 1 X i v /2 = n 1 v /2 = n 2 v. Next, we introduce useful lemmas related to ideal lattices. Lemma 1 For any a, b R, ab a b n. Proof. The k-th coefficient of ab is of the form: i+j=k a i b j i+j=n+k 5 a i b j. By the Cauchy - Schwartz ineuality, it is smaller than a b. Since each coefficient is smaller than a b, ab a b n. Lemma 2 Let g be an element of Z[X]/ X n + 1, and h Z[X]/ X n + 1 be relative prime to g. If c Z[X]/ X n + 1 satisfies c < /(2 h n) and [c h g 1 ] < /(2 g n), then c is contained in the ideal g. Proof. Let w := [c h g 1 ]. Then, [gw] = [ch]. Since w < /(2 g n), we have gw g w n /2 and ch c h n /2. Therefore, gw = ch in Z[X]/ X n + 1. Because ch g and h is relative prime to g, we can conclude c g. Using Lemma 2, if one can find the c satisfying lemma 2, c is of the form c = dg for some small d Z[X]/ X n + 1. Then multiplying it to [hg 1 ], one can obtain, a small multiple of h, dh. Hence, dh and dg become a solution of NTRU problem. Gaussian distribution. Given σ > 0, the discrete Gaussian distribution over the set L with zero mean is defined as D L,σ (x) = ρ σ (x)/ρ σ (L) for any x L, where ρ σ (x) = exp( π x 2 /σ 2 ), ρ σ (L) = ρ σ (x). We use a notation a D x L to denote choosing an element a according to the distribution of D. Norm and Trace of Field For a finite extension K of a field F, the trace Tr K/F (α) and norm N K/F (α) of α K over F is defined as the trace and determinant of the linear transformation M α which maps x K to αx K respectively, i.e, Tr K/F (α) = a i,i and N K/F (α) = det(a i,j ) where a i,j is the matrix for M α with respect to any base of K over F. The map Tr K/F and N K/F satisfy the following properties: (1) Tr K/F (α) = σ(α), N K/F (α) = σ(α) σ Gal(K/F ) σ Gal(K/F ) if K is a Galois extension of F (2) Tr K/F (α + β) = Tr K/F (α) + Tr K/F (β), N K/F (αβ) = N K/F (α)n K/F (β) (3) Tr K/F (a α) = a Tr K/F (α), N K/F (a α) = a [K:F ] N K/F (α) (4) Tr K/F (a) = [K : F ] a, N K/F (a) = a [K:F ] for α, β K and a F.

6 6 3 Main Theorem In this section we introduce how we can reduce NTRU problem with a given input [h/g] into NTRU problem with an input of which denominator and numerator have the half degree of h and g. Throughout this section, let n = 2 s, and denote Q[X 2t ]/ X n +1 and Z[X 2t ]/ X n +1 by K t and R t, respectively, with 0 t s. Note that K s := Q K s 1 K 0 = Q[X]/ X n + 1, where A B denotes A is a subfield of B. Since K 0 is a Galois extension field of K 1 with degree 2, Gal(K 0 /K 1 ) is a group of order 2. That is, Gal(K 0 /K 1 ) = {id, σ} satisfying σ 2 = id where id is the identity map. For an element f, g R K 0, the following elements are contained in R 1 K 1 : f + σ(f) f σ(f) fσ(g) + σ(f)g, since these are fixed by the Gal(K 0 /K 1 ). Using this property, we can get the following theorem which is the main theorem in this paper. Theorem 1 Let, t and m Z be integers, and let D, N and B be positive real numbers. Put B = min{ 2D n, 2N n }. Then, for ϕ n(x) = X n + 1 with n a power of 2, we can reduce NT RU ϕn,,d,n,b into NT RU ϕn/2,,d t,n t,b t where D t = Dt 1 2 n/2t, N t = 2t D tn D, B t = min{ 2D t n, 2N t n, 2nN 2 g 1 n } with D 0 = D, N 0 = N and B 0 = B. Proof. If we prove this theorem with t = 1, one can easily generalize to obtain the desired result. Suppose we are given [h/g] where g and h are sampled from the set {(g, h) R 2 = (Z[X]/ ϕ ( ) n (X) ) 2 : h < N, g < D}. We consider an h useful element T r K0/K 1 = h ( ) h g g + σ hσ(g) + σ(h)g = K 1 satisfying: g gσ(g) its denominator and numerator lie in R 1, hσ(g) + σ(h)g n/2 h σ(g) + n/2 σ(h) g 2ND n/2, gσ(g) n/2 g σ(g) N 2 n/2. [ ] hσ(g) + σ(h)g Therefore, we can see gσ(g) as a new instance for NT RU ϕn/2,,d 1,N 1,B 1 where N 1 = 2ND n/2, D 1 = N 2 n/2. Now, suppose that a solution (a 1, b 1 ) R 1 of NT RU ϕn/2,,d 1,N 1,B 1 is known such that [b 1 /a 1 ] = [h/g]. Moreover, since g and h are relative prime with high probability [ref], we assume the coprimality of g and h. Then, by Lemma 2, a 1 is of the form a 1 = dgσ(g). Computing [a 1 f] = [dgσ(g) [h/g] ] = [dhσ(g)], put a = a 1 and b = [dhσ(g)]. Then, we can conclude that the pair (a, b) is a

7 7 solution of NT RU ϕn,,d,n,b with following properties: [b/a] = [h/g] { } a B = min 2D n, 2N n 2N n/2 dhσ(g) = dgσ(g)g 1 h a 1 g 1 h n 2nN 2 g 1 n g 1 N n = 2N n The second ineuality implies b = [dhσ(g)] is actually b = dhσ(g) in R. Thus, we get the desired result. Theorem 2 Let be an integer, n be a power of 2, and λ be a security parameter. Let [h/g] be an instance of NT RU ϕn,,d,n,b problem with setting n, N, D, log = poly(λ), ϕ n (X) = X n + 1, and B = min{ }. If g 1 < poly(λ), the problem is solved in 2Õ(n/log2 ) time. 2D n, 2N n For example, when n = λ 2 and log = λ, one can solve the NT RU ϕn,,d,n,b in polynomial time in λ. In case of n = λ 3 and log = λ, one can solve the problem in 2Õ(λ) time. Proof. Without loss of generality, we assume N is larger than D. More precisely, we put N = λ s, D = λ k for s k. Then, by Theorem 1, one can obtain a new instance Tr K/Kt ([h/g] ) R R t for NT RU ϕn/2 t,,n t,d t,b t where N t < 2 t λ s (nλ t /2) 2t, D t < ( nλ k /2 ) 2 t, and B t = min{, 2D t nt, nλ 2s g 1 }. If t > 1, we assume B t = since it is asymptotically smaller than the others Now, we consider the following column lattice M t : ( ) Int 0 M t =, Λ t I nt where I nt is the identity matrix of size n t = n/2 t and Λ t Z n t n t is a matrix whose i-th column is ι(x i2t Tr K/Kt ([h/g] )) for 0 i < n/2 t. In other words, for Tr K/Kt ([h/g] ) = nt 1 f j X j2t, the i-th column of Λ t is of the form j=0 ( f nt i,, f nt 1, f 0, f nt i 1) T. Using the BKZ algorithm with block size β, one can obtain an element in M t u t = (u 0,, u nt 1, u nt,, u 2nt 1) T with u t 2β n t 1 2(β 1) det(mt ) = 2β n t 1 2(β 1) [HPS11]. Take c = n t 1 u i X i2t Z[X 2t ]/ X n + 1. Then we have [c Tr K/Kt ([h/g] )] = nt 1 u nt+ix i2t

8 8 Z[X 2t ]/ X n + 1. Moreover, if we choose t such that 2β n t 2(β 1) + 3 2, then c and c Tr K/Kt ([h/g] )] satisfy c < u t 2β n t 1 2(β 1) c Tr K/Kt ([h/g] )] < u t 2β n t 1 2(β 1) D t nt. In other words, c satisfies the conditions of Lemma 2. Therefore, c is in N K/Kt (g) g. Note that c is of the form c = d N K/Kt (g) = d g R t. To check the above condition of t is satisfied, we have the euivalence euation: 2β n t 2(β 1) ( nt 2(β 1) + 3 ) log β + log N t + log n t + 2 < log To optimize the left hand side of ineuality, we choose t such that 2 t n log β 2(β 1)(log nλ k /2). Then the left hand side is asymptotic to the following: ( nt 2(β 1) + 3 ) log β + log N t + log n t n 2 t 2(β 1) log β + 2t log(nλ k /2) + O(κ log n) n log β log(nλ k /2) 2 + O(κ log n) 2(β 1) where the last approximation comes from the arithmetic-geometric mean. It n implies that if one choose β =, for arbitrary 0 < ϵ < 2, then the last (log ) 2 ϵ value is smaller than log asymptotically. 2 Running time of this procedure is dominated by that of BKZ algorithm with block size β, which is poly(n, log ) C HKZ (β) times where C HKZ (β) = 2 O(β) is the cost of HKZ-reduction in dimension β [ADRSD14,HPS11] Finally, we have constructed an algorithm to find an element dn K/Kt (g) with the size of it smaller than from [h/g]. By multiplying dn K/Kt (g) to [h/g], one 2N t nt < 2N n t can obtain an element dhn K/Kt (g)g 1 and its Euclidean size is smaller than

9 9 2N n. dn K/Kt (g) h g 1 n N g 1 n nn 2 g 1 N g 1 n The second ineuality comes from B t = min{, 2D t nt, nn 2 g 1 } = by assumption. Hence, a pair (dn K/Kt (g), dhn K/Kt (g)g 1 ) is a solution of NT RU ϕn,,n,d,b. 4 Application to GGH In this section, we explain an attack algorithm to solve the GDDH problem of GGH scheme without low level encodings of zero. 4.1 The GGH Scheme First, we briefly recall the Garg et al. construction. We refer to the original paper [GGH13] for a complete description. The scheme relies on the following parameters. λ: the security parameter κ: the multilinearity parameter : the modulus of a ciphertext n: the dimension of base ring m: the number of level-κ encodings of zero in public parameters σ: the basic Gaussian parameter for drawing the ideal generator g σ : the Gaussian parameter for sampling level-zero elements Instance generation: (params, p zt ) InstGen(1 λ, 1 κ ). For given λ and κ, determine the parameter (σ, σ,, n) to satisfy the above conditions and output (params, p zt ). Sample g D R,σ until g, g 1 n 2 and I = g is a prime ideal in R. Sample z R. Sample X = {b i g} D I,σ and set a level-κ encoding of 0, x i = for each i m. Sample h D R, and set a zero-testing parameter p zt = Publish params = (n,, κ, {x i }) and p zt. [ ] h g zκ. [ ] bi g z κ Sampling level-zero encodings: a samp(params). Sample a D I,σ. Encodings at higher levels: c i enc(params, i, [ c). c Given a level-j encoding c for j < i, compute c i = z i j ].

10 10 Adding and multiplying encodings: Given two encodings c 1 and c 2 of same level, the addition of c 1 and c 2 is computed by Add(c 1, c 2 )=[c 1 + c 2 ]. Given two encodings c 1 and c 2, we multiply c 1 and c 2 by Mul(c 1, c 2 )=[c 1 c 2 ]. Zero-testing: iszero(params, p zt, c)? = 0/1. Given a level-κ encoding c, return 1 if [p zt c] < 3/4, and return 0 otherwise. Extraction: sk ext(params, p zt, c). Given a level-κ encoding c, compute MSB log /4 λ ([p zt c] ). 4.2 Hardness Assumptions We recall the definition of the Graded Decisional Diffie-Hellman problem (GDDH) and Graded Computational Diffie-Hellman problem (GCDH) on which the security of GGH scheme relies [GGH13]. These do not seem to be reducible to more classical assumptions in generic ways. GDDH, ext-gcdh, GCDH. For an adversary A and parameters λ, κ, we consider the following process in the GGH scheme. 1. Choose (, {x i }, p zt ) InstGen(1 λ, 1 κ ). 2. Sample a j samp(, {x i }) for each 0 j κ. 3. Set u j enc(, {x i }, 1, a j ) for all 0 j κ. 4. Choose r D R,σ. 5. Sample [ ρ j {0, 1} for 1 j m 6. Set û= 7. Set u= [ a 0 κ i=1 u i + j r κ i=1 u i + j ρ j x j ] ρ j x j ] The GCDH problem is to output a level-κ encoding of.. {, {x i }, p zt, u 0,..., u κ }. κ a i + I given inputs The ext-gcdh problem is to output a v R such that [v p zt û] < 3/4 given inputs {, {x i }, p zt, u 0,..., u κ }. The GDDH problem is to distinguish between two distributions D DDH and D R where D DDH = {, {x i }, p zt, u 0,..., u κ, û} and D R = {, {x i }, p zt, u 0,..., u κ, u}.

11 Attack to GGH Considering GGH13, one can notice that the theorem in section 3 can be applied to solve the GCDH problem, which is the security problem of the GGH scheme. More precisely, suppose we have {, {x i }, p zt, u 0,, u κ }. Additionally, we assume [ that we ] have a pair of level-0 encoding m / g and its m + ag level-1 encoding b =. Our attack algorithm consists of three steps: z First, find a small element cg g. Next, compute a small level-1 encoding of m 1 using the m, cg Last, recover a element m i in R = Z[X]/ Xn + 1 such that m i m i g for any 0 i κ. [( κ ) ] Finally, we can compute m i ( m 1 ) κ mod cg b κ and it becomes a solution of GCDH problem Step 1: Finding a small element of g Note that m + αg, b i g, a i n 3.5 and m n 3 with overwhelming probability. Considering [u κ 1/x 1 ] = [a κ 1/b 1 g], the size of denominator and numerator is bounded by n 3.5κ n κ 1 < n 4κ and n 3.5, respectively. Using the algorithm of Theorem 2 to several [a i1 a iκ /b j g], for i 1,, i κ {0,, κ} and j {1,, m}, one can recover several multiples of N K/Kt (g) and basis matrix of the ideal lattice of N K/Kt (g) over R t. Its determinant is eual to N Kt /Q(N K/Kt (g)) = N K/Q (g) and it is bounded by n 2n. Now, using β block- BKZ algorithm [HPS11], one can obtain an element cg N K/Kt (g) such that cg 2β n t 1 2(β 1) n 2 t+1 as we want Step( 2: Recovering the level-1 encoding of 1 [ ] ) m + ag Using a pair m, b =, one can recover a level-1 encoding of 1 as z follows. If m and cg N K/Kt (g) are relative prime, one can compute e, e R such that e m + e cg = 1. Then, (e mod cg) and (e κ mod cg) are the inverses of m and m κ in R/ N K/Kt (g) and R/ g, respectively. Moreover, these size are smaller than cg n/2 β n t 1 2(β 1) n 2 t+2. Note that m and cg N K/Kt (g) are relative prime with high probability [MA16] and it is always true when g is a prime in R Step 3: Computing the m We refer to Section in [GGH13] to solve the GCDH problem with short

12 12 vector c g. We explain how to use cg in order to solve the GCDH problem in the GGH scheme. First, by using u 0, u 1,..., u κ, cg, b, e κ mod cg, and p zt, one can obtain the following zero-testing values in Z[X]/ X n + 1 : ) f := ι ([(e κ mod cg) b κ p zt cg] = (1 + Jg)hd ( [(ui f i := ι e κ mod cg) b κ 1 p zt cg ] ) = (m i + J g)hd, (0 i κ). Assuming that f has an inverse in R/ N K/Kt (g), we can compute f i /f = m i mod N K/Kt (g). It implies that f i /f mod N K/Kt (g) is also in m i + g for 0 i κ. Therefore we obtain F = is in κ m i + g. Now compute F e κ cg n/2 β n t 1 2(β 1) κ f i /f mod N K/Kt (g), which mod cg whose size is smaller than n 2 t+2. To compute the level-κ encoding of compute [F e κ mod cg b κ p zt ]. We notice that it is of the form κ m i, we κ m i +rg g, the size of whose denominator is bounded by F e κ mod cg ( m + ag) κ h β n t 1 2(β 1) n 2 t+2 n 4κ. When β = λ 1 ϵ, it is asymptotically smaller than 3/4 and we can solve the GCDH problem. In summary, we can get the following corollary. Corollary 3 Given {n,, {x i }, m, b, p zt, u 0,, u κ } of the GGH scheme parameters, where n is Θ(λ 2 ), log = Θ(λ), x i is a level-κ encoding of zero, m is a level-0 encoding, b is a level of 1 encoding of m and u i is a level-1 encoding of a i, one can compute an enc κ ( κ a i ) which is a solution of GCDH problem in the GGH scheme in the 2 O(λ1 ϵ) for some 0 < ϵ < 1. 5 Conclusion After GGH scheme providing encoding of zero is known to be insecure, the variant of NTRU has received a lot of attention because of the security grounding of GGH scheme without encoding of zero. In this work, we described how to find a small solution of the variant of NTRU using reduction techniue. By applying the method to GGH scheme, we could attack the GCDH problem in GGH scheme. Therefore, our results imply that there is no guarantee for the security of the GGH scheme not only when we are given a small encoding of zero but also when we are not given.

13 13 References [ACLL14] Martin R Albrecht, Catalin Cocis, Fabien Laguillaumie, and Adeline Langlois. Implementing candidate graded encoding schemes from ideal lattices. In Advances in Cryptology ASIACRYPT 2015, pages Springer, [ADRSD14] Divesh Aggarwal, Daniel Dadush, Oded Regev, and Noah Stephens- Davidowitz. Solving the shortest vector problem in 2 n time via discrete gaussian sampling. arxiv preprint arxiv: , [BLLN13] Joppe W Bos, Kristin Lauter, Jake Loftus, and Michael Naehrig. Improved security for a ring-based fully homomorphic encryption scheme. In Cryptography and Coding, pages Springer, [BS02] D. Boneh and A. Silverberg. Applications of multilinear forms to cryptography. Contemporary Mathematics, 324:71 90, [CHL + 15] Jung Hee Cheon, Kyoohyung Han, Changmin Lee, Hansol Ryu, and Damien Stehlé. Cryptanalysis of the multilinear map over the integers. In Advances in Cryptology EUROCRYPT 2015, pages Springer, [CLR15] Jung Hee Cheon, Changmin Lee, and Hansol Ryu. Cryptanalysis of the new clt multilinear maps. IACR-ePrint ( iacr. org/2015/934), [CLT13] Jean-Sébastien Coron, Tancrede Lepoint, and Mehdi Tibouchi. Practical multilinear maps over the integers. In Advances in Cryptology CRYPTO 2013, pages Springer, [CLT15] Jean-Sebastien Coron, Tancrede Lepoint, and Mehdi Tibouchi. New multilinear maps over the integers. In Advances in Cryptology CRYPTO 2015, pages Springer, [Cor15] Jean-Sébastien Coron. Cryptanalysis of GGH15 multilinear maps. IACR Cryptology eprint Archive, 2015:1037, [DDLL13] Léo Ducas, Alain Durmus, Tancrède Lepoint, and Vadim Lyubashevsky. Lattice signatures and bimodal gaussians. In Advances in Cryptology [GGH13] CRYPTO 2013, pages Springer, Sanjam Garg, Craig Gentry, and Shai Halevi. Candidate multilinear maps from ideal lattices. In Eurocrypt, volume 7881, pages Springer, [HJ15] [HPS98] [HPS11] [GGH15] Craig Gentry, Sergey Gorbunov, and Shai Halevi. Graph-induced multilinear maps from lattices. In Theory of Cryptography, pages Springer, [HHGP + 03] Jeffrey Hoffstein, Nick Howgrave-Graham, Jill Pipher, Joseph H Silverman, and William Whyte. Ntrusign: Digital signatures using the ntru lattice. In Topics in cryptologyct-rsa 2003, pages Springer, Yupu Hu and Huiwen Jia. Cryptanalysis of GGH map. Technical report, Cryptology eprint Archive, Report 2015/301, Jeffrey Hoffstein, Jill Pipher, and Joseph H Silverman. Ntru: A ring-based public key cryptosystem. In Algorithmic number theory, pages Springer, Guillaume Hanrot, Xavier Pujol, and Damien Stehlé. Terminating bkz. IACR Cryptology eprint Archive, 2011:198, [LATV12] Adriana López-Alt, Eran Tromer, and Vinod Vaikuntanathan. On-thefly multiparty computation on the cloud via multikey fully homomorphic encryption. In Proceedings of the forty-fourth annual ACM symposium on Theory of computing, pages ACM, 2012.

14 14 [LSS14] Adeline Langlois, Damien Stehlé, and Ron Steinfeld. Gghlite: More efficient multilinear maps from ideal lattices. In Advances in Cryptology EUROCRYPT 2014, pages Springer, [MA16] Léo Ducas Martin Albrecht, Shi Bai. A subfield lattice attack on overstretched ntru assumptions: Cryptanalysis of some fhe and graded encoding schemes. Cryptology eprint Archive, Report 2016/127, [MSZ16] Eric Miles, Amit Sahai, and Mark Zhandry. Annihilation attacks for multilinear maps: Cryptanalysis of indistinguishability obfuscation over ggh13. Cryptology eprint Archive, Report 2016/147,