A Subfield Lattice Attack on Overstretched NTRU Assumptions: Cryptanalysis of Some FHE and Graded Encoding Schemes
Cryptanalysis of Middle Lattice on the Overstretched NTRU Problem for General Modulus Polynomial
The overstretched NTRU problem, which is the NTRU problem with a modulus q of super-polynomial size in n, is one of the most important candidates for higher-level cryptography. Unfortunately, Albrecht et al. in Crypto 2016 and Cheon et al. in ANTS 2016 proposed so-called subfield attacks, which demonstrate that the overstretched NTRU problem with power-of-two cyclotomic modulus is not secure enough with the parameters given in the GGH multilinear map and the YASHE/LTV fully homomorphic encryption schemes. Moreover, Kirchner and Fouque presented a new cryptanalysis of the overstretched NTRU problem over a general modulus in Eurocrypt 2017. They showed that a lattice basis reduction algorithm on the middle lattice, which was first presented by Howgrave-Graham in Crypto 2007, experimentally recovers the secret parameters of the overstretched NTRU problem.
In this paper, we revisit the middle lattice technique on the overstretched NTRU problem. This analysis shows that the optimized middle lattice technique has the same complexity as the subfield attacks, but threatens more general base rings with poly(n) expansion factor, as is common in suggested schemes such as the original GGH, the YASHE scheme and NTRU Prime rings. Our new analysis implies that cryptosystems related to the overstretched NTRU problem cannot be secured by changing the base ring. In addition, we present an extended (trace/norm) subfield attack for the power-of-two cyclotomic modulus, which is also an instance of the middle lattice technique. This extended subfield attack has a similar asymptotic complexity to the previous subfield attacks, but with a smaller constant in the exponent term.
Comparison between Subfield and Straightforward Attacks on NTRU
Recently, in two independent papers, Albrecht, Bai and Ducas and Cheon, Jeong and Lee presented two very similar attacks that allow one to break NTRU with larger parameters and the GGH Multilinear Map without zero encodings. They proposed an algorithm for recovering the NTRU secret key given the public key, which applies for a large NTRU modulus, in particular to Fully Homomorphic Encryption schemes based on NTRU. Hopefully, these attacks do not endanger the security of the NTRUEncrypt scheme, but they shed new light on the hardness of this problem. The basic idea of both attacks relies on decreasing the dimension of the NTRU lattice by using the multiplication matrix of the norm (resp. trace) of the public key in some subfield instead of the public key itself. Since the dimension of the subfield is smaller, the dimension of the lattice decreases, and lattice reduction algorithms perform better.
Here, we revisit the attacks on NTRU and propose another variant that is simpler and outperforms both of these attacks in practice. It allows one to break several concrete instances of YASHE, an NTRU-based FHE scheme, but it is not as efficient as the hybrid method of Howgrave-Graham on concrete parameters of NTRU. Instead of using the norm and trace, we propose to use the multiplication by the public key in some subring and show that this choice leads to better attacks. We can then show that for power-of-two cyclotomic fields, the time complexity is polynomial. Finally, we show that, under heuristics, straightforward lattice reduction is even more efficient, allowing us to extend this result to fields without non-trivial subfields, such as NTRU Prime. We insist that the improvement on the analysis applies even for a relatively small modulus; though if the secret is sparse, it may not be the fastest attack. We also derive a tight estimation of security for (Ring-)LWE and NTRU assumptions.
FINAL: Faster FHE instantiated with NTRU and LWE
The NTRU problem is a promising candidate to build efficient Fully Homomorphic Encryption (FHE). However, all the existing proposals (e.g. LTV, YASHE) need so-called 'overstretched' parameters of NTRU to enable homomorphic operations. It was shown by Albrecht et al. (CRYPTO 2016) that these parameters are vulnerable against subfield lattice attacks.
Based on a recent, more detailed analysis of the overstretched NTRU assumption by Ducas and van Woerden (ASIACRYPT 2021), we construct two FHE schemes whose NTRU parameters lie outside the overstretched range.
The first scheme is based solely on NTRU and demonstrates competitive performance against the state-of-the-art FHE schemes, including TFHE. Our second scheme, which is based on both the NTRU and LWE assumptions, outperforms TFHE with a 28% faster bootstrapping and 45% smaller bootstrapping and key-switching keys.
A Successful Subfield Lattice Attack on a Fully Homomorphic Encryption Scheme
We present the application of a known subfield lattice attack on a fully homomorphic encryption scheme based on NTRU. We show that the scheme is vulnerable to the attack because a particular parameter has to satisfy a derived lower bound. We also show that, due to the structure of the scheme, the attack is successful in all practical instantiations of the scheme.
Multilinear Maps Using a Variant of Ring-LWE
The GGH13, CLT13 and GGH15 multilinear maps suffer from zeroizing attacks. In this paper, we present a new construction of multilinear maps using a variant of ring-LWE (vRLWE). Furthermore, we also present two new variants of vRLWE, which respectively support the applications of multipartite key exchange and witness encryption. At the same time, we also present a new variant of GGH13 using matrix form. The security of our construction depends upon new hardness assumptions.
Security Guidelines for Implementing Homomorphic Encryption
Fully Homomorphic Encryption (FHE) is a cryptographic primitive that allows performing arbitrary operations on encrypted data. Since the conception of the idea in [RAD78], it was considered a holy grail of cryptography. After the first construction in 2009 [Gen09], it has evolved to become a practical primitive with strong security guarantees. Most modern constructions are based on well-known lattice problems such as Learning with Errors (LWE). Besides its academic appeal, in recent years FHE has also attracted significant attention from industry, thanks to its applicability to a considerable number of real-world use cases. An upcoming standardization effort by ISO/IEC aims to support the wider adoption of these techniques. However, one of the main challenges that standards bodies, developers, and end users usually encounter is establishing parameters. This is particularly hard in the case of FHE because the parameters are related not only to the security level of the system, but also to the type of operations that the system is able to handle. In this paper, we provide examples of parameter sets for LWE targeting particular security levels that can be used in the context of FHE constructions. We also give examples of complete FHE parameter sets, including the parameters relevant for correctness and performance, alongside those relevant for security. As an additional contribution, we survey the parameter selection support offered in open-source FHE libraries.