A Subfield Lattice Attack on Overstretched NTRU Assumptions : Cryptanalysis of Some FHE and Graded Encoding Schemes. / Albrecht, Martin; Bai, Shi; Ducas, Leo.

Advances in Cryptology – CRYPTO 2016: 36th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 14-18, 2016, Proceedings, Part I. Vol. 9814 Springer, 2016. p. 153-178 (Lecture Notes in Computer Science; Vol. 9814).

Research output: Chapter in Book/Report/Conference proceedingConference contribution

E-pub ahead of print

Documents

Links

Abstract

The subfield attack exploits the presence of a subfield to solve overstretched versions of the NTRU assumption: norming the public key h down to a subfield may lead to an easier lattice problem and any sufficiently good solution may be lifted to a short vector in the full NTRU-lattice. This approach was originally sketched in a paper of Gentry and Szydlo at Eurocrypt’02 and there also attributed to Jonsson, Nguyen and Stern. However, because it does not apply for small moduli and hence NTRUEncrypt, it seems to have been forgotten. In this work, we resurrect this approach, fill some gaps, analyze and generalize it to any subfields and apply it to more recent schemes. We show that for significantly larger moduli — a case we call overstretched — the subfield attack is applicable and asymptotically outperforms other known attacks.
This directly affects the asymptotic security of the bootstrappable homomorphic encryption schemes LTV and YASHE which rely on a mildly overstretched NTRU assumption: the subfield lattice attack runs in sub-exponential time 2O(λ/log1/3λ)2O(λ/log1/3⁡λ) invalidating the security claim of 2Θ(λ)2Θ(λ). The effect is more dramatic on GGH-like Multilinear Maps: this attack can run in polynomial time without encodings of zero nor the zero-testing parameter, yet requiring an additional quantum step to recover the secret parameters exactly.
We also report on practical experiments. Running LLL in dimension 512 we obtain vectors that would have otherwise required running BKZ with block-size 130 in dimension 8192. Finally, we discuss concrete aspects of this attack, the condition on the modulus q to guarantee full immunity, discuss countermeasures and propose open questions.
Original languageEnglish
Title of host publicationAdvances in Cryptology – CRYPTO 2016
Subtitle of host publication36th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 14-18, 2016, Proceedings, Part I
PublisherSpringer
Pages153-178
Number of pages26
Volume9814
ISBN (Electronic)978-3-662-53018-4
ISBN (Print)978-3-662-53017-7
DOIs
Publication statusE-pub ahead of print - 21 Jul 2016

Publication series

NameLecture Notes in Computer Science
PublisherSpringer Berlin Heidelberg
Volume9814
ISSN (Print)0302-9743

Projects

This open access research output is licenced under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.

ID: 26458918