    Choosing Parameter Sets for NTRUEncrypt with NAEP and SVES-3

    We present, for the first time, an algorithm to choose parameter sets for NTRUEncrypt that give a desired level of security. Note: This is an expanded version of a paper presented at CT-RSA 2005.

    Modified Parameter Attacks: Practical Attacks against CCA2 Secure Cryptosystems and Countermeasures

    We introduce the concept of Modified Parameter Attacks, a natural extension of the idea of Adaptive Chosen Ciphertext Attacks (CCA2) under which some CCA2 secure systems can be shown to be insecure. These insecurities can be addressed at the application level, but can also be addressed when cryptographic schemes are being designed. We survey some existing CCA2 secure systems which are vulnerable to this attack and suggest practical countermeasures.

    Exploiting Decryption Failures in Mersenne Number Cryptosystems

    Mersenne number schemes are a new strain of potentially quantum-safe cryptosystems that use sparse integer arithmetic modulo a Mersenne prime to encrypt messages. Two Mersenne number based schemes were submitted to the NIST post-quantum standardization process: Ramstake and Mersenne-756839. Typically, these schemes admit a low but non-zero probability that ciphertexts fail to decrypt correctly. In this work we show that the information leaked from failing ciphertexts can be used to gain information about the secret key. We present an attack exploiting this information to break the IND-CCA security of Ramstake. First, we introduce an estimator for the bits of the secret key using decryption failures. Then, our estimates can be used to apply the Slice-and-Dice attack due to Beunardeau et al. at significantly reduced complexity to recover the full secret. We implemented our attack on a simplified version of the code submitted to the NIST competition. Our attack is able to extract a good estimate of the secrets using $2^{12}$ decryption failures, corresponding to $2^{74}$ failing ciphertexts in the original scheme. Subsequently the exact secrets can be extracted in $O(2^{46})$ quantum computational steps.

    Approximate integer common divisors

    Abstract. We show that recent results of Coppersmith, Boneh, Durfee and Howgrave-Graham actually apply in the more general setting of (partially) approximate common divisors. This leads us to consider the question of “fully” approximate common divisors, i.e. where both integers are only known by approximations. We explain the lattice techniques in both the partial and general cases. As an application of the partial approximate common divisor algorithm we show that a cryptosystem proposed by Okamoto actually leaks the private information directly from the public information in polynomial time. In contrast to the partial setting, our technique with respect to the general setting can only be considered heuristic, since we encounter the same “proof of algebraic independence” problem as a subset of the above authors have in previous papers. This problem is generally considered a (hard) problem in lattice theory, since in our case, as in previous cases, the method still works extremely reliably in practice; indeed no counter examples have been obtained. The results in both the partial and general settings are far stronger than might be supposed from a continued-fraction standpoint (the way in which the problems were attacked in the past), and the determinant calculations admit a reasonably neat analysis.
    Keywords: Greatest common divisor, approximations, Coppersmith’s method, continued fractions, lattice attacks

    A method to solve cyclotomic norm equations

    Abstract. We present a technique to recover $f \in \mathbb{Q}(\zeta_p)$, where $\zeta_p$ is a primitive $p$th root of unity for a prime $p$, given its norm $g = f \cdot \bar{f}$ in the totally real field $\mathbb{Q}(\zeta_p + \zeta_p^{-1})$. The classical method of solving this problem involves finding generators of principal ideals by enumerating the whole class group associated with $\mathbb{Q}(\zeta_p)$, but this approach quickly becomes infeasible as $p$ increases. The apparent hardness of this problem has led several authors to suggest the problem as one suitable for cryptography. We describe a technique which avoids enumerating the class group, and instead recovers $f$ by factoring $N_f$, the absolute norm of $f$ (for example with a subexponential sieve algorithm), and then running the Gentry-Szydlo polynomial time algorithm for a number of candidates. The algorithm has been tested with an implementation in PARI.

    Paillier's Trapdoor Function Hides up to O(n) bits

    At EuroCrypt'99 Paillier proposed a new encryption scheme based on higher residuosity classes. The new scheme was proven to be one-way under the assumption that computing $N$-residuosity classes in $\mathbb{Z}_{N^2}^*$ is hard. Similarly the scheme can be proven to be semantically secure under a much stronger decisional assumption: given $w \in \mathbb{Z}_{N^2}^*$ it is impossible to decide if $w$ is an $N$-residue or not.