Cryptanalysis of Middle Lattice on the Overstretched NTRU Problem for General Modulus Polynomial

The overstretched NTRU problem, which is the NTRU problem with super-polynomial size q in n, is one of the most important candidates for higher level cryptography. Unfortunately, Albrecht et al. in Crypto 2016 and Cheon et al. in ANTS 2016 proposed so-called subfield attacks which demonstrate that the overstretched NTRU problems with power-of-two cyclotomic modulus are not secure enough with given parameters in GGH multilinear map and YASHE/LTV fully homomorphic encryption. Moreover, Kirchner and Fouque presented new cryptanalysis of the overstretched NTRU problem over general modulus in Eurocrypt 2017. They showed that a lattice basis reduction algorithm upon middle lattice, which is first presented by Howgrave-Graham in Crypto 2007, experimentally recover secret parameters of the overstretched NTRU problem. In this paper, we revisit the middle lattice technique on the overstretched NTRU problem. This analysis show that the optimized middle lattice technique has same complexity to subfield attacks, but threaten more general base ring with poly(n) expansion factor as common in suggested schemes like original GGH, YASHE scheme and NTRU prime rings. Our new analysis implies that cryptosystem related to the overstretched NTRU problem cannot be secured by changing base ring. In addition, we present an extended (trace/norm) subfield attack for the power-of-two cyclotomic modulus, which is also one of the middle lattice technique. This extended subfield attack has a similar asymptotic complexity to the previous subfield attacks, but with smaller constant in the exponent term

A Subfield Lattice Attack on Overstretched NTRU Assumptions:Cryptanalysis of Some FHE and Graded Encoding Schemes

International audienc

Characterizing overstretched NTRU attacks

Overstretched NTRU, an NTRU variant with a large modulus, has been used as a building block for several cryptographic schemes in recent years. Recently, two lattice \emph{subfield attacks} and a \emph{subring attack} were proposed that broke some suggested parameters for overstretched NTRU. These attacks work by decreasing the dimension of the lattice to be reduced, which improves the performance of the lattice basis reduction algorithm. However, there are a number of conflicting claims in the literature over which of these attacks has the best performance. These claims are typically based on experiments more than analysis. Furthermore, the metric for comparison has been unclear in some prior work. In this paper, we argue that the correct metric should be the lattice dimension. We show both analytically and experimentally that the subring attack succeeds on a smaller dimension lattice than the subfield attack for the same problem parameters, and also succeeds with a smaller modulus when the lattice dimension is fixed

New NTRU Records with Improved Lattice Bases

The original NTRU cryptosystem from 1998 can be considered the starting point of the great success story of lattice-based cryptography. Modern NTRU versions like NTRU-HPS and NTRU-HRSS are round-3 finalists in NIST\u27s selection process, and also Crystals-Kyber and especially Falcon are heavily influenced by NTRU. Coppersmith and Shamir proposed to attack NTRU via lattice basis reduction, and variations of the Coppersmith-Shamir lattice have been successfully applied to solve official NTRU challenges by Security Innovations, Inc. up to dimension $n=173$. In our work, we provide the tools to attack modern NTRU versions, both by the design of a proper lattice basis, as well as by tuning the modern BKZ with lattice sieving algorithm from the G6K library to NTRU needs. Let $n$ be prime, $\Phi_n := (X^n-1)/(X-1)$, and let $\mathbb{Z}_q[X]/(\Phi_n)$ be the cyclotomic ring. As opposed to the common belief, we show that switching from the Coppersmith-Shamir lattice to a basis for the cyclotomic ring provides benefits. To this end, we slightly enhance the LWE with Hints framework by Dachman-Soled, Ducas, Gong, Rossi with the concept of projections against almost-parallel hints. Using our new lattice bases, we set the first cryptanalysis landmarks for NTRU-HPS with $n \in [101,171]$ and for NTRU-HRSS with $n \in [101,211]$. As a numerical example, we break our largest HPS-171 instance using the cyclotomic ring basis within $83$ core days, whereas the Coppersmith-Shamir basis requires $172$ core days. We also break one more official NTRU challenges by Security Innovation, Inc., originally worth 1000\$, in dimension$n=181$in$20$ core years

Indistinguishability Obfuscation Without Maps: Attacks and Fixes for Noisy Linear FE

Candidates of Indistinguishability Obfuscation (iO) can be categorized as ``direct\u27\u27 or ``bootstrapping based\u27\u27. Direct constructions rely on high degree multilinear maps [GGH13,GGHRSW13] and provide heuristic guarantees, while bootstrapping based constructions [LV16,Lin17,LT17,AJLMS19,Agr19,JLMS19] rely, in the best case, on bilinear maps as well as new variants of the Learning With Errors (LWE) assumption and pseudorandom generators. Recent times have seen exciting progress in the construction of indistinguishability obfuscation (iO) from bilinear maps (along with other assumptions) [LT17,AJLMS19,JLMS19,Agr19]. As a notable exception, a recent work by Agrawal [Agr19] provided a construction for iO without using any maps. This work identified a new primitive, called Noisy Linear Functional Encryption (NLinFE) that provably suffices for iO and gave a direct construction of NLinFE from new assumptions on lattices. While a preliminary cryptanalysis for the new assumptions was provided in the original work, the author admitted the necessity of performing significantly more cryptanalysis before faith could be placed in the security of the scheme. Moreover, the author did not suggest concrete parameters for the construction. In this work, we fill this gap by undertaking the task of thorough cryptanalytic study of NLinFE. We design two attacks that let the adversary completely break the security of the scheme. To achieve this, we develop new cryptanalytic techniques which (we hope) will inform future designs of the primitive of NLinFE. From the knowledge gained by our cryptanalytic study, we suggest modifications to the scheme. We provide a new scheme which overcomes the vulnerabilities identified before. We also provide a thorough analysis of all the security aspects of this scheme and argue why plausible attacks do not work. We additionally provide concrete parameters with which the scheme may be instantiated. We believe the security of NLinFE stands on significantly firmer footing as a result of this work

NTRU Fatigue: How stretched is overstretched?

Until recently lattice reduction attacks on NTRU lattices were thought to behave similar as on (ring-)LWE lattices with the same parameters. However several works (Albrecht-Bai-Ducas 2016, Kirchner-Fouque 2017) showed a significant gap for large moduli q, the so-called overstretched regime of NTRU. With the NTRU scheme being a finalist to the NIST PQC competition it is important to understand —both asymptotically and concretely— where the fatigue point lies exactly, i.e. at which q the overstretched regime begins. Unfortunately the analysis by Kirchner and Fouque is based on an impossibility argument, which only results in an asymptotic upper bound on the fatigue point. It also does not really explain how lattice reduction actually recovers secret-key information. We propose a new analysis that asymptotically improves on that of Kirchner an

Mathematical Analysis of Cryptographic Multilinear Maps

학위논문 (박사)-- 서울대학교 대학원 자연과학대학 수리과학부, 2017. 8. 천정희.Multilinear maps are a very powerful tool in cryptography. Nonetheless, to date, only three types of multilinear maps have been published relying on a graded encoding scheme. The first candidate is proposed by Garg, Gentry, and Halevi (GGH) relying on an ideal lattice [GGH13a], the second one is dened on integers as established by Coron, Lepoint, and Tibouchi (CLT) [CLT13], and the last one is provided by Gentry, Gorbunov, and Halevi (GGH15) relying on a graph induced graded encoding scheme [GGH15]. These multilinear maps have led to a number of applications in cryptography such as one round key exchange protocol, witness encryptions, and even indistinguishable obfuscations. The security of the applications depends on some hardness problems derived from a graded encoding scheme. However, none of them have reduction to well-known hard problems. For that reasons, many researches attempt to investigate the hardness of the problems. Actually, when low-level encodings of zero are given, the GGH scheme is known to be insecure by Hu and Jia [HJ16] and the last candidate of a multilinear map GGH15 is known to be insecure [CLLT16]. In the thesis, we describe an algebraic analysis on the hardness problems of two GGH and CLT multilinear maps. Common to two candidates are constructed by graded encoding schemes and provide an additional public information zerotesting parameter, which is used to determine whether the hidden message is zero or not. Exploiting the structure of graded encoding scheme and additional input, we study how to solve the hardness problems in three cases. First, we show another approach to break the GGH scheme with low level encodings of zero. According to the original GGH paper, finding a short vector for a given principal ideal lattice enables to break the scheme. Therefore, the parameters are set to be invulnerable to the best known algorithm for finding a short vector on ideal lattice. By proposing an improved lattice reduction algorithm to find a short vector, we prove that the multilinear map is broken within quasi polynomial time of the suggested parameters. Second, we describe that how to construct a level-0 encoding of zero from GGH public parameter without level encodings of zero in the quasi polynomial time of the suggested parameters. The obtained encoding of zero serves as a low level encoding of zero in the first study. Thus we also show that GGH without low level encodings of zero is insecure. Finally, for CLT scheme with low level encodings of zero, we attempt to reveal the all secret elements of scheme in polynomial time. By multiplying encodings of zero to zerotesting parameter appropriately, one can obtain an integer matrix of secret quantities. Next we recover the secret elements by computing eigenvalues.Abstract i 1 Introduction 1 1.1 Multilinear maps . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.2 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.2.1 Analysis of the GGH scheme . . . . . . . . . . . . . . . 3 1.2.2 Analysis of the CLT scheme . . . . . . . . . . . . . . . 5 2 Preliminaries 7 2.1 Notations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 2.2 Graded encoding Schemes and Multilinear map Procedure. . . 8 2.3 Hardness Problems. . . . . . . . . . . . . . . . . . . . . . . . . 11 3 Multilinear maps over the Ideal Lattices and Its Analysis 13 3.1 GGH13 Multilinear maps . . . . . . . . . . . . . . . . . . . . . 14 3.2 Basic Notions . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 3.3 Attack on GGH with low level encodings of zero . . . . . . . . 19 3.3.1 Sublattice Algorithm . . . . . . . . . . . . . . . . . . . 21 3.4 Attack on GGH with top level encodings of zero . . . . . . . . 24 3.4.1 Overstretched NTRU Problem and Its Analysis . . . . 25 4 Multilinear Maps over the Integers and Its Analysis 38 4.1 The CLT13 Multilinear Map. . . . . . . . . . . . . . . . . . . 39 4.2 CRT-ACD with auxiliary input and Its Analysis . . . . . . . . 42 4.2.1 Application to CLT Schemes . . . . . . . . . . . . . . . 47 4.3 Analysis of the Related Problems. . . . . . . . . . . . . . . . . 50 4.3.1 Solving the CLT SubM Problem . . . . . . . . . . . . . 55 4.3.2 Solving the CLT DLIN Problem . . . . . . . . . . . . . 56 4.3.3 Solving the CLT GXDH Problem . . . . . . . . . . . . 57 5 Conclusions 59 Abstract (in Korean) 67 Acknowledgement (in Korean) 68Docto

구분불가능한 난독화의 수학적분석에 관한 연구

학위논문(박사)--서울대학교 대학원 :자연과학대학 수리과학부,2020. 2. 천정희.Indistinguishability obfuscation (iO) is a weak notion of the program obfuscation which requires that if two functionally equivalent circuits are given, their obfuscated programs are indistinguishable. The existence of iO implies numerous cryptographic primitives such as multilinear map, functional encryption, non interactive multi-party key exchange. In gen- eral, many iO schemes are based on branching programs, and candidates of multilinear maps represented by GGH13, CLT13 and GGH15. In this thesis, we present cryptanalyses of branching program based iO over multilinear maps GGH13 and GGH15. First, we propose cryptanaly- ses of all existing branching program based iO schemes over GGH13 for all recommended parameter settings. To achieve this, we introduce two novel techniques, program converting using NTRU-solver and matrix zeroiz- ing, which can be applied to a wide range of obfuscation constructions. We then show that there exists polynomial time reduction from the NTRU problem to all known branching program based iO over GGH13. Moreover, we propose a new attack on iO based on GGH15 which exploits statistical properties rather than algebraic approaches. We apply our attack to recent two obfuscations called CVW and BGMZ obfuscations. Thus, we break the CVW obfuscation under the current parameter setup, and show that algebraic security model of BGMZ obfuscation is not enough to achieve ideal security. We show that our attack is lying outside of the algebraic security model by presenting some parameters not captured by the proof of the model.기능성이 같은 두 프로그램과, 그 난독화된 프로그램들이 있을 때, 난독화된 프로그 램들을 구분할 수 없다면 구분불가능한 난독화라고 한다. 구분불가능한 난독화가 존재한다면, 다중선형함수, 함수암호, 다자간 키교환 등 많은 암호학적인 응용들이 존재하기 때문에, 구분불가능한 난독화를 설계하는 것은 매우 중요한 문제 중 하나 이다. 일반적으로, 많은 구분불가능한 난독화들은 다중선형함수 GGH13, CLT13, GGH15를 기반으로 하여 설계되었다. 본 학위 논문에서는, 다중선형함수를 기반으로 하는 난독화 기술들에 대한 안 전성 분석을 진행한다. 먼저, GGH13 다중선형함수를 기반으로 하는 모든 난독화 기술들은 현재 파라미터 하에 안전하지 않음을 보인다. 프로그램 변환(program converting), 행렬 제로화 공격(matrix zeroizing attack)이라는 두 가지 새로운 방 법을 제안하여 안전성을 분석하였고, 그 결과, 현존하는 모든 GGH13 다중선형함수 기반 난독화 기술이 다항식 시간 내에 NTRU 문제로 환원됨을 보인다. 또한, GGH15 다중선형함수를 기반으로 하는 난독화 기술에 대한 통계적인 공격방법을 제안한다. 통계적 공격방법을 최신 기술인 CVW 난독화, BGMZ 난독 화에 적용하여, CVW 난독화가 현재 파라미터에서 안전하지 않음을 보인다. 또한 BGMZ 난독화에서 제안한 대수적 안전성 모델이 이상적인 난독화 기술을 설계하 는데 충분하지 않다는 것을 보인다. 실제로, BGMZ 난독화가 안전하지 않은 특이한 파라미터를 제안하여, 우리 공격이 BGMZ에서 제안한 안전성 모델에 해당하지 않 음을 보인다.1. Introduction 1 1.1 Indistinguishability Obfuscation 1 1.2 Contributions 4 1.2.1 Mathematical Analysis of iO based on GGH13 4 1.2.2 Mathematical Analysis of iO based on GGH15 5 1.3 List of Papers 6 2 Preliminaries 7 2.1 Basic Notations 7 2.2 Indistinguishability Obfuscation 8 2.3 Cryptographic Multilinear Map 9 2.4 Matrix Branching Program 10 2.5 Tensor product and vectorization . 11 2.6 Background Lattices . 12 3 Mathematical Analysis of Indistinguishability Obfuscation based on the GGH13 Multilinear Map 13 3.1 Preliminaries 14 3.1.1 Notations 14 3.1.2 GGH13 Multilinear Map 14 3.2 Main Theorem 17 3.3 Attackable BP Obfuscations 18 3.3.1 Randomization for Attackable Obfuscation Model 20 3.3.2 Encoding by Multilinear Map 21 3.3.3 Linear Relationally Inequivalent Branching Programs 22 3.4 Program Converting Technique 23 3.4.1 Converting to R Program 24 3.4.2 Recovering and Converting to R/ Program 27 3.4.3 Analysis of the Converting Technique 28 3.5 Matrix Zeroizing Attack 29 3.5.1 Existing BP Obfuscations 31 3.5.2 Attackable BP Obfuscation, General Case 34 4 Mathematical Analysis of Indistinguishability Obfuscation based on the GGH15 Multilinear Map 37 4.1 Preliminaries 38 4.1.1 Notations 38 4.2 Statistical Zeroizing Attack . 39 4.2.1 Distinguishing Distributions using Sample Variance 42 4.3 Cryptanalysis of CVW Obfuscation 44 4.3.1 Construction of CVW Obfuscation 45 4.3.2 Cryptanalysis of CVW Obfuscation 48 4.4 Cryptanalysis of BGMZ Obfuscation 56 4.4.1 Construction of BGMZ Obfuscation 56 4.4.2 Cryptanalysis of BGMZ Obfuscation 59 5 Conclusions 65 6 Appendix 66 6.1 Appendix of Chapter 3 66 6.1.1 Extended Attackable Model 66 6.1.2 Examples of Matrix Zeroizing Attack 68 6.1.3 Examples of Linear Relationally Inequivalent BPs 70 6.1.4 Read-once BPs from NFA 70 6.1.5 Input-unpartitionable BPs from Barringtons Theorem 71 6.2 Appendix of Chapter 5 73 6.2.1 Simple GGH15 obfuscation 73 6.2.2 Modified CVW Obfuscation . 75 6.2.3 Transformation of Branching Programs 76 6.2.4 Modification of CVW Obfuscation 77 6.2.5 Assumptions of lattice preimage sampling 78 6.2.6 Useful Tools for Computing the Variances 79 6.2.7 Analysis of CVW Obfuscation 84 6.2.8 Analysis of BGMZ Obfuscation 97 Abstract (in Korean) 117Docto

Concrete NTRU Security and Advances in Practical Lattice-Based Electronic Voting

In recent years there has been much focus on the development of core cryptographic primitives based on lattice assumptions. This has been driven by the NIST call for post-quantum key encapsulation and digital signature specifications. However, there has been much less work on efficient privacy-preserving protocols with post-quantum security. In this work we present an efficient electronic voting scheme from lattice assumptions, ensuring the long-term security of encrypted ballots and voters\u27 privacy. The scheme relies on the NTRU and RLWE assumptions. We begin by conducting an extensive analysis of the concrete hardness of the NTRU problem. Extending the ternary-NTRU analysis of Ducas and van Woerden (ASIACRYPT 2021), we determine the concrete fatigue point of NTRU to be $q=0.0058\cdot\sigma^2\cdot d^{\: 2.484}$ (above which parameters become overstretched) for modulus $q$, ring dimension $d$, and secrets drawn from a Gaussian of parameter $\sigma$. Moreover, we demonstrate that the nature of this relation enables a more fine-grained choice of secret key sizes, leading to more efficient parameters in practice. Using the above analysis, our second and main contribution is to significantly improve the efficiency of the state-of-the-art lattice-based voting scheme by Aranha et al. (ACM CCS 2023). Replacing the BGV encryption scheme with NTRU we obtain a factor $\times 5.3$ reduction in ciphertext size and $\times 2.6$ more efficient system overall, making the scheme suitable for use in real-world elections. As an additional contribution, we analyse the (partially) blind signature scheme by del Pino and Katsumata (CRYPTO 2022). We note that the NTRU security is much lower than claimed and propose new parameters. This results in only a minor efficiency loss, enabled by our NTRU analysis where previous parameter selection techniques would have been much more detrimental