
    Characterizing overstretched NTRU attacks

    Overstretched NTRU, an NTRU variant with a large modulus, has been used as a building block for several cryptographic schemes in recent years. Recently, two lattice subfield attacks and a subring attack were proposed that broke some suggested parameters for overstretched NTRU. These attacks work by decreasing the dimension of the lattice to be reduced, which improves the performance of the lattice basis reduction algorithm. However, there are a number of conflicting claims in the literature over which of these attacks performs best. These claims are typically based on experiments rather than analysis, and the metric used for comparison has been unclear in some prior work. In this paper, we argue that the correct metric is the lattice dimension. We show both analytically and experimentally that the subring attack succeeds on a smaller-dimension lattice than the subfield attack for the same problem parameters, and also succeeds with a smaller modulus when the lattice dimension is fixed.

    Cryptanalysis of Middle Lattice on the Overstretched NTRU Problem for General Modulus Polynomial

    The overstretched NTRU problem, the NTRU problem with q super-polynomial in n, is one of the most important candidates on which to base higher-level cryptography. Unfortunately, Albrecht et al. (CRYPTO 2016) and Cheon et al. (ANTS 2016) proposed so-called subfield attacks, which demonstrate that overstretched NTRU over power-of-two cyclotomic moduli is not secure enough at the parameters given for the GGH multilinear map and the YASHE/LTV fully homomorphic encryption schemes. Moreover, Kirchner and Fouque (EUROCRYPT 2017) presented a new cryptanalysis of the overstretched NTRU problem over a general modulus polynomial. They showed that lattice basis reduction on the middle lattice, first presented by Howgrave-Graham (CRYPTO 2007), experimentally recovers the secret parameters of the overstretched NTRU problem. In this paper, we revisit the middle lattice technique for the overstretched NTRU problem. Our analysis shows that the optimized middle lattice technique has the same complexity as the subfield attacks, but threatens more general base rings with poly(n) expansion factor, as is common in proposed schemes such as the original GGH, YASHE, and NTRU Prime rings. Our new analysis implies that cryptosystems relying on the overstretched NTRU problem cannot be secured by changing the base ring. In addition, we present an extended (trace/norm) subfield attack for power-of-two cyclotomic moduli, which is also a middle lattice technique. This extended subfield attack has a similar asymptotic complexity to the previous subfield attacks, but with a smaller constant in the exponent.
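    The dimension-halving step that both abstracts above rely on (the norm map of the subfield attack), worked through in code. This is an added example and not code from either paper: it builds a toy NTRU key h = g/f in Z_q[x]/(x^8 + 1) (the degree 8, the prime q = 1000000007 and the ternary f, g are chosen here purely for illustration), maps h, f and g into the index-2 subfield Z_q[y]/(y^4 + 1), y = x^2, through the relative norm N(a) = a(x)·a(-x), and checks that the NTRU relation N(f)·N(h) = N(g) holds in half the dimension while N(f) and N(g) stay small. The lattice-reduction step that the attacks then run on the smaller lattice is not included. The inverse of f is computed by recursing down the same subfield tower (a^{-1} = N(a)^{-1}(x^2)·a(-x)), a convenience of power-of-two cyclotomics, not part of the attack.

```python
"""Norm-to-subfield step of the subfield attack on overstretched NTRU.

Constructed toy example (not code from either paper). Ring R = Z_q[x]/(x^N + 1)
with N a power of two; the index-2 subfield is Z_q[y]/(y^(N/2) + 1), y = x^2,
and the relative norm is N(a) = a(x) * a(-x). N = 8, q, f and g below are
chosen for illustration only.
"""

Q = 1000000007   # prime, so every nonzero scalar is invertible (stands in for the large NTRU modulus)
N = 8            # ring degree, must be a power of two


def mul(a, b, q):
    """Multiply in Z_q[x]/(x^n + 1), n = len(a) = len(b)."""
    n = len(a)
    res = [0] * n
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            k = i + j
            if k < n:
                res[k] += ai * bj
            else:
                res[k - n] -= ai * bj      # x^n = -1
    return [c % q for c in res]


def conj(a):
    """Galois conjugate a(x) -> a(-x): negate the odd-degree coefficients."""
    return [-c if i % 2 else c for i, c in enumerate(a)]


def norm_to_subfield(a, q):
    """Relative norm N(a) = a(x) a(-x). The odd-degree coefficients cancel, so the
    result is a polynomial in y = x^2 of length n/2: an element of the subfield."""
    prod = mul(a, conj(a), q)
    if any(prod[1::2]):
        raise ValueError("norm must lie in the subfield")
    return prod[0::2]


def lift(b):
    """Embed b(y) from the subfield into the full ring as b(x^2)."""
    out = [0] * (2 * len(b))
    out[0::2] = b
    return out


def invert(a, q):
    """a^{-1} in Z_q[x]/(x^n + 1) via the subfield tower: a * a(-x) = N(a)(x^2),
    hence a^{-1} = N(a)^{-1}(x^2) * a(-x). Raises ValueError if a is not a unit."""
    if len(a) == 1:
        return [pow(a[0] % q, -1, q)]
    return mul(lift(invert(norm_to_subfield(a, q), q)), conj(a), q)


def centered(c, q):
    """Representative of c mod q in (-q/2, q/2]."""
    return c - q if c > q // 2 else c


def demo():
    f = [1, -1, 0, 1, 1, 0, -1, 1]       # secret ternary f (constructed)
    g = [0, 1, 1, -1, 0, 1, 0, -1]       # secret ternary g (constructed)
    h = mul(g, invert(f, Q), Q)          # public key h = g * f^{-1} mod q
    if mul(f, h, Q) != [c % Q for c in g]:
        raise ValueError("key generation failed")
    # Attacker's side: only h is public. Norm it down to the subfield.
    h_n = norm_to_subfield(h, Q)
    # What the attacker is counting on: the normed secrets satisfy the same
    # NTRU relation N(f) * N(h) = N(g), now in dimension n/2, and stay small
    # (each coefficient of f(x) f(-x) is a sum of at most n products of +-1).
    f_n = [centered(c, Q) for c in norm_to_subfield(f, Q)]
    g_n = [centered(c, Q) for c in norm_to_subfield(g, Q)]
    relation_holds = mul(f_n, h_n, Q) == [c % Q for c in g_n]
    return {"dim": len(h_n), "relation_holds": relation_holds,
            "f_norm": f_n, "g_norm": g_n}


if __name__ == "__main__":
    print(demo())
```

    Applying norm_to_subfield again takes the relation down to dimension n/4, n/8 and so on. The attack chooses the subfield degree that balances the dimension reduction against the growth of the normed secrets, whose size grows roughly quadratically at each step; a large (overstretched) q is what keeps the reduced lattice problem easy despite that growth.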

    Mathematical Analysis of Cryptographic Multilinear Maps

    Doctoral dissertation, Department of Mathematical Sciences, College of Natural Sciences, Seoul National University Graduate School, August 2017. Advisor: 천정희 (Jung Hee Cheon).
    Multilinear maps are a very powerful tool in cryptography. Nonetheless, to date, only three types of multilinear maps have been published, all relying on a graded encoding scheme. The first candidate was proposed by Garg, Gentry, and Halevi (GGH) and relies on an ideal lattice [GGH13a]; the second, by Coron, Lepoint, and Tibouchi (CLT), is defined over the integers [CLT13]; and the last, by Gentry, Gorbunov, and Halevi (GGH15), relies on a graph-induced graded encoding scheme [GGH15]. These multilinear maps have led to a number of applications in cryptography, such as one-round key exchange protocols, witness encryption, and even indistinguishability obfuscation. The security of these applications depends on hardness problems derived from the graded encoding scheme. However, none of them has a reduction to a well-known hard problem. For that reason, much research has attempted to investigate the hardness of these problems. In fact, when low-level encodings of zero are given, the GGH scheme is known to be insecure by Hu and Jia [HJ16], and the last candidate, GGH15, is also known to be insecure [CLLT16]. In this thesis, we describe an algebraic analysis of the hardness problems of the two multilinear maps GGH and CLT. Both candidates are constructed from graded encoding schemes and provide an additional piece of public information, the zero-testing parameter, which is used to determine whether a hidden message is zero or not. Exploiting the structure of the graded encoding scheme and this additional input, we study how to solve the hardness problems in three cases. First, we give another approach to breaking the GGH scheme with low-level encodings of zero. According to the original GGH paper, finding a short vector in a given principal ideal lattice is enough to break the scheme; therefore, the parameters were set to be invulnerable to the best known algorithm for finding a short vector in an ideal lattice. By proposing an improved lattice reduction algorithm for finding a short vector, we show that the multilinear map is broken in quasi-polynomial time for the suggested parameters. Second, we describe how to construct a level-0 encoding of zero from the GGH public parameters, without any low-level encodings of zero, in quasi-polynomial time for the suggested parameters. The obtained encoding of zero serves as the low-level encoding of zero required by the first attack, so GGH without low-level encodings of zero is also insecure. Finally, for the CLT scheme with low-level encodings of zero, we reveal all secret elements of the scheme in polynomial time. By multiplying encodings of zero by the zero-testing parameter appropriately, one obtains an integer matrix built from the secret quantities; we then recover the secret elements by computing its eigenvalues.
    Table of contents:
        Abstract
        1 Introduction
          1.1 Multilinear maps
          1.2 Contributions
            1.2.1 Analysis of the GGH scheme
            1.2.2 Analysis of the CLT scheme
        2 Preliminaries
          2.1 Notations
          2.2 Graded encoding schemes and multilinear map procedures
          2.3 Hardness problems
        3 Multilinear maps over ideal lattices and their analysis
          3.1 GGH13 multilinear maps
          3.2 Basic notions
          3.3 Attack on GGH with low-level encodings of zero
            3.3.1 Sublattice algorithm
          3.4 Attack on GGH with top-level encodings of zero
            3.4.1 Overstretched NTRU problem and its analysis
        4 Multilinear maps over the integers and their analysis
          4.1 The CLT13 multilinear map
          4.2 CRT-ACD with auxiliary input and its analysis
            4.2.1 Application to CLT schemes
          4.3 Analysis of the related problems
            4.3.1 Solving the CLT SubM problem
            4.3.2 Solving the CLT DLIN problem
            4.3.3 Solving the CLT GXDH problem
        5 Conclusions
        Abstract (in Korean)
        Acknowledgement (in Korean)
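    The CLT step described at the end of the abstract above (multiply encodings of zero by the zero-testing parameter, obtain an integer matrix, take its eigenvalues, read off the secrets), worked through on a toy instance. This is an added example and not code from the thesis. It builds a miniature CLT13 key with n = 2 primes, so the zeroizing matrix is 2x2 and its eigenvalues come from the quadratic formula with an exact rational square root; a real instance has n in the hundreds and needs a general eigensolver. Every secret (the primes, g_i, h_i, z, all r_i and messages) is constructed here and hard-coded for determinism; the attack itself touches only the public x0, p_zt and encodings, and the recovered primes are compared with the key only to check the result.

```python
"""Toy CLT13 zeroizing attack: multiply encodings of zero by the zero-testing
parameter to get an integer matrix whose eigenvalues leak the secret primes.

Constructed example, not the thesis's code. n = 2 primes keeps the matrix
2x2 so eigenvalues come from the quadratic formula; every secret below
(PRIMES, G, H, Z, the r_i and messages) is hard-coded for determinism.
"""
from fractions import Fraction
from math import gcd, isqrt

# ---- toy CLT13 key: secret PRIMES, G, H, Z; public X0 and p_zt --------------
PRIMES = [1000000007, 998244353]   # secret primes p_i (both prime)
X0 = PRIMES[0] * PRIMES[1]         # public modulus x0 = prod p_i
KAPPA = 3                          # multilinearity level
G = [13, 17]                       # secret plaintext moduli g_i
H = [3, 5]                         # secret zero-test multipliers h_i
Z = pow(3, 12345, X0)              # secret level mask; a power of 3 is a unit mod x0


def crt(residues):
    """Integer in [0, x0) congruent to residues[i] mod PRIMES[i]."""
    acc = 0
    for a, p in zip(residues, PRIMES):
        q = X0 // p
        acc += a * q * pow(q, -1, p)
    return acc % X0


def centered(a, m):
    """Symmetric residue of a mod m, in (-m/2, m/2]."""
    a %= m
    return a - m if a > m // 2 else a


def components(rs, ms):
    """CRT components r_i * g_i + m_i of an encoding of message (m_1, m_2)."""
    return [r * g + m for r, g, m in zip(rs, G, ms)]


def encode(comps, level):
    """Level-k encoding: residue comps[i] * z^(-k) mod p_i, glued by CRT."""
    zinv = pow(Z, -level, X0)
    return crt([c * zinv % p for c, p in zip(comps, PRIMES)])


def zero_test_param():
    """p_zt = sum_i h_i * (z^kappa * g_i^{-1} mod p_i) * (x0 / p_i)  mod x0."""
    acc = 0
    for h, g, p in zip(H, G, PRIMES):
        acc += h * (pow(Z, KAPPA, p) * pow(g, -1, p) % p) * (X0 // p)
    return acc % X0


# ---- attack: uses only p_zt, x0 and public encodings ------------------------
def mat2_mul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(2)) for j in range(2)] for i in range(2)]


def mat2_inv(A):
    d = Fraction(A[0][0] * A[1][1] - A[0][1] * A[1][0])
    return [[A[1][1] / d, -A[0][1] / d], [-A[1][0] / d, A[0][0] / d]]


def rational_sqrt(q):
    """Exact square root of a rational that is a perfect square."""
    n, d = isqrt(q.numerator), isqrt(q.denominator)
    if n * n != q.numerator or d * d != q.denominator:
        raise ValueError("eigenvalues are not rational: not a CLT-style matrix")
    return Fraction(n, d)


def eigenvalues_2x2(M):
    tr = M[0][0] + M[1][1]
    det = M[0][0] * M[1][1] - M[0][1] * M[1][0]
    root = rational_sqrt(tr * tr - 4 * det)
    return [(tr + root) / 2, (tr - root) / 2]


def zeroizing_matrix(pzt, x0, xs, c, ys):
    """W[j][k] = p_zt * x_j * c * y_k mod x0, centered. x_j*c*y_k is a top-level
    encoding of zero, so this is the small integer sum_i (x0/p_i) h_i r_{j,i} c_i y_{k,i},
    i.e. W = X * diag(c_i) * Y with X and Y independent of c."""
    return [[centered(pzt * xj * c * yk, x0) for yk in ys] for xj in xs]


def recover_primes(pzt, x0, xs, c, c2, ys):
    """Eigenvalues of W_c * W_c2^{-1} are c_i / c2_i. For an eigenvalue a/b the
    integer c*b - c2*a vanishes mod p_i, so its gcd with x0 gives p_i."""
    W1 = zeroizing_matrix(pzt, x0, xs, c, ys)
    W2 = zeroizing_matrix(pzt, x0, xs, c2, ys)
    M = mat2_mul(W1, mat2_inv(W2))
    found = set()
    for lam in eigenvalues_2x2(M):
        p = gcd(x0, c * lam.denominator - c2 * lam.numerator)
        if 1 < p < x0:
            found.add(p)
    return sorted(found)


def demo():
    pzt = zero_test_param()
    xs = [encode(components([2, 5], [0, 0]), 1),    # level-1 encodings of zero
          encode(components([3, 1], [0, 0]), 1)]
    ys = [encode(components([1, 2], [1, 2]), 1),    # level-1 encodings of anything
          encode(components([4, 1], [3, 5]), 1)]
    c = encode(components([2, 3], [4, 6]), 1)        # components (30, 57)
    c2 = encode(components([1, 2], [7, 2]), 1)       # components (20, 36)
    return recover_primes(pzt, X0, xs, c, c2, ys)


if __name__ == "__main__":
    print(demo())
```

    The matrix identity W_c = X·diag(c_i)·Y is the whole attack: X and Y depend only on the fixed encodings x_j and y_k, so W_c·W_{c'}^{-1} = X·diag(c_i/c'_i)·X^{-1} and the eigenvalues are the ratios of the hidden CRT components. Once the p_i are known, g_i and z follow from the public values by the same kind of CRT and gcd arithmetic.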

    FINAL: Faster FHE instantiated with NTRU and LWE

    The NTRU problem is a promising candidate for building efficient Fully Homomorphic Encryption (FHE). However, all existing proposals (e.g. LTV, YASHE) need so-called 'overstretched' NTRU parameters to enable homomorphic operations. It was shown by Albrecht et al. (CRYPTO 2016) that these parameters are vulnerable to subfield lattice attacks. Based on a recent, more detailed analysis of the overstretched NTRU assumption by Ducas and van Woerden (ASIACRYPT 2021), we construct two FHE schemes whose NTRU parameters lie outside the overstretched range. The first scheme is based solely on NTRU and demonstrates competitive performance against state-of-the-art FHE schemes including TFHE. Our second scheme, which is based on both the NTRU and LWE assumptions, outperforms TFHE with 28% faster bootstrapping and 45% smaller bootstrapping and key-switching keys.

    On Dual Lattice Attacks Against Small-Secret LWE and Parameter Choices in HElib and SEAL

    We present novel variants of the dual-lattice attack against LWE in the presence of an unusually short secret. These variants are informed by recent progress in BKW-style algorithms for solving LWE. Applying them to parameter sets suggested by the homomorphic encryption libraries HElib and SEAL v2.0 yields revised security estimates. Our techniques scale the exponent of the dual-lattice attack by a factor of $(2L)/(2L+1)$ when $\log q = \Theta(L \log n)$, when the secret has constant Hamming weight $h$, and where $L$ is the maximum depth of supported circuits. They also allow halving the dimension of the lattice under consideration at a multiplicative cost of $2^{h}$ operations. Moreover, our techniques yield revised concrete security estimates. For example, both libraries promise 80 bits of security for LWE instances with $n = 1024$ and $\log_2 q \approx 47$, while the techniques described in this work lead to estimated costs of 68 bits (SEAL v2.0) and 62 bits (HElib).

    NTRU-ν-um: Secure Fully Homomorphic Encryption from NTRU with Small Modulus

    NTRUEncrypt is one of the first lattice-based encryption schemes, and the earliest fully homomorphic encryption (FHE) schemes rely on the NTRU problem. Currently, NTRU is one of the leading candidates in the NIST post-quantum standardization competition. What makes NTRU appealing is the age of the cryptosystem and its relatively good performance. Unfortunately, FHE based on NTRU became impractical due to efficient attacks on NTRU instantiations with an "overstretched" modulus: to support a reasonable circuit depth, NTRU-based FHE schemes require a very large modulus, and breaking the NTRU problem for such large moduli turns out to be easy. Because of these attacks, any serious work on practical NTRU-based FHE essentially stopped. In this paper, we reactivate research on practical FHE based on NTRU. We design an efficient bootstrapping scheme in which the noise growth is small enough to keep the modulus-to-dimension ratio relatively small, thus avoiding the negative consequences of "overstretching" the modulus. Our bootstrapping algorithm is an accumulator-type bootstrapping scheme analogous to AP/FHEW/TFHE. Finally, we show that the bootstrapping procedure can be used to compute any function over $\mathbb{Z}_t$. Consequently, we obtain one of the fastest FHE bootstrapping schemes able to compute any function over elements of a finite field while also reducing the error.

    NTRU in Quaternion Algebras of Bounded Discriminant

    The NTRU assumption provides one of the most prominent problems on which to base post-quantum cryptography. Because of the efficiency and security of NTRU-style schemes, structured variants using modules have been proposed. In this work, we create a structured form of NTRU using lattices obtained from orders in cyclic division algebras of index 2, that is, from quaternion algebras. We present a public-key encryption scheme and show that its public keys are statistically close to uniform. We then prove IND-CPA security of a variant of our scheme when the discriminant of the quaternion algebra is not too large, assuming the hardness of Learning with Errors in cyclic division algebras.