An Algorithm for NTRU Problems

Transcription

1 An Algorithm for NTRU Problems Jung Hee Cheon, Jinhyuck Jeong, Changmin Lee Seoul National University August 29, 2016 Changmin Lee An Algorithm for NTRU Problems / 27

2 Introduction The NTRU encryption algorithm is a lattice-based public key cryptosystem alternative to RSA and ECC. This system is fully accepted to IEEE P1363 standards under the specifications for lattice-based public-key cryptography. Speedy and low memory use. The security of it depends on the NTRU problem. Changmin Lee An Algorithm for NTRU Problems / 27

3 Applications of NTRU problems Public key Encryption-NTRU scheme [HPS98] Signature Scheme [HHGP+03] [DDLL13] Fully Homomorphic Encryption [LATV12] [BLLN13] Multilinear Maps [GGH13] [LSS14] [ACLL14] Changmin Lee An Algorithm for NTRU Problems / 27

4 Notation Z q := ( q/2, q/2] Z φ n (X ) := X n + 1, where n is a power of two K := Q[X ]/ φ n (X ), K i := Q[X 2i ]/ φ n (X ) R := Z[X ]/ φ n (X ), R i = Z[X 2i ]/ φ n (X ) [R] q := Z q [X ]/ φ n (X ) Gal(K/F ): the Galois group of K over F For u = n 1 u i X i R, i=0 [u]q = n 1 [u i ] q X i [R] q i=0 n 1 u = ui 2 i=0 V : R Z n is defined by V (u) = (u 0,, u n 1 ) T Changmin Lee An Algorithm for NTRU Problems / 27

5 NTRU problems Problem (A variant of NTRU Problem) Let q be an integer, D, N and B be real numbers. The NTRU Problem NTRU φn,q,d,n,b is to find a, b R with Euclidean norm smaller than B such that [b/a] q = f for given a polynomial f = [h/g] q, where g and h are sampled from R and have Euclidean norms bounded by D and N, respectively. Without loss of generality, we can assume h g Changmin Lee An Algorithm for NTRU Problems / 27

6 Contributions We reduce a NTRU problem on a given field to one in a subfield We propose an attack algorithm to GCDH problem, which is a security ground of the GGH multilinear maps Changmin Lee An Algorithm for NTRU Problems / 27

7 Warm-up: Naive approach to solve the NTRU problem Changmin Lee An Algorithm for NTRU Problems / 27

8 Basic lemma 1 Lemma (1) For any a, b R, ab a b n. Proof The X k s coefficient of ab: i+j=k a i b j i+j=n+k a i b j. By the Cauchy - Schwartz inequality, it is smaller than a b. Since each coefficient is smaller than a b, we have ab a b n. Changmin Lee An Algorithm for NTRU Problems / 27

9 Basic lemma 2 Lemma (2) Let g be an element of R, and h R be relative prime to g. If c R satisfies c < q/(2 h n) and [c h g 1 ] q < q/(2 g n), then c is contained in the ideal g. Proof Let w := [c h g 1 ] q. Then, [ch] q = [gw] q. By assumption, we have ch c h n q/2 and gw g w n q/2. Therefore, ch = gw in R and so ch g. Since h is relative prime to g, we can conclude c g. Changmin Lee An Algorithm for NTRU Problems / 27

10 Naive approach Strategy : Find c R s.t c and [c f] q are small. For f = n 1 f i X i, consider the matrix defined by i= I n..... M f := f 0 f n 1 f 1. f 1 f 0 f f n 1 f n 2 f 0 Changmin Lee An Algorithm for NTRU Problems / 27

11 Naive approach Define V : R Z n as V Then we can observe that [ ] In = M f ( n 1 i=0 u i X i ) = (u 0,, u n 1 ) T. [ V (1) V (X n 1 ] ) V (f) V (X n 1 f) and [ ] V (c) n 1 [ V (X = c i ] ) V (c f) i V (X i f) i=0 n 1 for c = c i X i R. i=0 Changmin Lee An Algorithm for NTRU Problems / 27

12 Naive approach [ ] V (c) To obtain instead of [V (c f)] q [ ] V (c), define the column V (c f) lattice Λ f generated by [ In 0 M f qi n ]. Since [ ] V (c) V (c f) = n 1 i=0 [ V (X c i ] ) i V (X i, a short vector in Λ f) f corresponds to (c, [c f] q ) R 2 such that both c and [c f] q are small. However, the dimension of lattice is too big to find a short vector. Hence, to solve the NTRU problem, one needs to reduce a dimension. Changmin Lee An Algorithm for NTRU Problems / 27

13 Our attack algorithm Changmin Lee An Algorithm for NTRU Problems / 27

14 Motivation n = 2 s K 0 = Q[X ]/ X n + 1 K 1 = Q[X 2 ]/ X n + 1. K s 1 = Q[X 2s 1 ]/ X n + 1 Q = K s an instance in K 0 an instance in K 1 Changmin Lee An Algorithm for NTRU Problems / 27

15 Preliminary For a finite Galois extension K over F, the trace Tr K/F (α) F and norm N K/F (α) F of α K over F are defined as: Tr K/F (α) = σ Gal(K/F ) σ(α), N K/F (α) = σ Gal(K/F ) σ(α) For a Number field K i = Q[X 2i ]/ X n + 1, 0 i log n, one have the following properties: For 0 i < j log n, K i is a finite Galois extension over K j Gal(K i /K j ) = 2 j i Changmin Lee An Algorithm for NTRU Problems / 27

16 Idea sketch Gal(K 0 /K 1 ) = {id, σ} satisfying σ(x ) = X and so σ 2 = id where id is the identity map. For elements f, g R K 0, the following elements are contained in R 1 K 1 : Tr K0 /K 1 (f) = f + σ(f) N K0 /K 1 (f) = f σ(f) Tr K0 /K t (fσ(g)) = fσ(g) + σ(f)g, since these are fixed by the Gal(K 0 /K 1 ). Note that these elements have only n/2 terms and the last one lies in 2 R 1. Changmin Lee An Algorithm for NTRU Problems / 27

17 Idea sketch For a given instance f = [h/g] q for NTRU φn,q,d,n,b with Gal(K 0 /K 1 ) = {id, σ}, You can see that: [Tr K0 /K 1 (f)] q = [f + σ(f)] q = [[h/g] q + σ([h/g] q )] q gσ(h) + σ(g)h 2 R 1, = [(hσ(g) + σ(h)g)/gσ(g)] q gσ(h) + σ(g)h 2 gσ(g) R 1, gσ(g) g 2 n/2 n/2 h g Changmin Lee An Algorithm for NTRU Problems / 27

18 Idea sketch R 0 R 1 f h g h g + σ(h) σ(g) Denominator g gσ(g) Numerator h hσ(g) + σ(h)g Changmin Lee An Algorithm for NTRU Problems / 27

19 Idea sketch We can consider [Tr K0 /K 1 (f)/2] q as a new instance of the NTRU φn/2,q,d 1,N 1,B 1 problem over K 1 where D 1 = D 2 n/2, N 1 = ND { } q q q n/2, B 1 = min,, 2D 1 n 2N 1 n 2nN 2 g 1 n Using the concept inductively, one can extend it to K i Changmin Lee An Algorithm for NTRU Problems / 27

20 Idea sketch R 0 R i f h g σ σ ( ) h g Denominator g Numerator h σ (g) σ ( σ h ) σ (g) σ σ id Changmin Lee An Algorithm for NTRU Problems / 27

21 Idea sketch R 0 R i R i f h g Tr(f) N(f) Denominator g N (g) N (g) Numerator h Tr ( h ) σ (g) σ id N (h) [ABD16] A subfield Lattice Attack on Overstretched NTRU Assumptions Cryptanalysis of Some FHE and Graded Encdoing Schemes Changmin Lee An Algorithm for NTRU Problems / 27

22 Idea sketch Suppose we have a solution (a, b) of NTRU φn/2,q,d 1,N 1,B [ ] [ ] 1 b (gσ(h) + σ(g)h)/2 = a gσ(g) q. q s.t Then by Lemma (2), a is of the form a = dgσ(g) and [a f] q = [dgσ(g) [h/g] q ] q = [dhσ(g)] q { } q q q If B 1 = min,, 2D 1 n 2N 1 n 2nN 2 g 1, the both sizes of a n and [af] q are smaller than q. When is it extendable until? Changmin Lee An Algorithm for NTRU Problems / 27

23 Main Theorem Theorem We can reduce where D t = D 2t and B t = min NTRU φn,q,d,n,b into NTRU φn/2 t,q,d t,n t,b t t n/2 j, N t = ND 2t 1 j=1 { q 2D t n, q 2N t n, q 2nN 2 g 1 n t j=1 }. n/2 j are smaller than q, Changmin Lee An Algorithm for NTRU Problems / 27

24 Main Theorem Hence, if we solve the NTRU φn/2 t,q,d t,n t,b t solve the NTRU φn,q,d,n,b in 2 O(β) time in 2 O(β) time, we can also For β > 0 and t Z with n t 2β 2(β 1) q B t we can solve the NTRU φn,q,d,n,b problem in 2 O(β) time. Changmin Lee An Algorithm for NTRU Problems / 27

25 GGH scheme: Algebraic Setup R := Z[x]/(x n + 1) (n a power of 2), P := R/ g, C := R/qR Z q [x]/(x n + 1) Secret: z C, g R with small coeff, h, r i, r R rel. small. The level-t encoding of m, enc t (m), is of the form: enc t (m) = rg + m z t Public: n, q, κ Z, (x 1,..., x τ, y, P zt ) C τ+1 xi = gr i z κ, y = r z κ [ ] hz κ Zero testing parameter: P zt := g q Changmin Lee An Algorithm for NTRU Problems / 27

26 Corollary GCDH problem, security ground of GGH scheme, heavily relies on finding a short vector of g. Applying our results to [y/x i ] q, one can recover a short multiple of g. When given parameters in GGH scheme with some auxiliary inputs, we show that GGH scheme has not λ-bit security. when n is Θ(λ 2 ) and log q = Θ(λ), we can solve the GCDH problem in 2 O(log2 λ). Changmin Lee An Algorithm for NTRU Problems / 27

27 DANKE! Changmin Lee An Algorithm for NTRU Problems / 27