An algorithm for NTRU problems and cryptanalysis of the GGH multilinear map without a low-level encoding of zero

  • Jung Hee Cheon (a1), Jinhyuck Jeong (a2) and Changmin Lee (a3)

Abstract

Let $\mathbf{f}$ and $\mathbf{g}$ be polynomials of a bounded Euclidean norm in the ring $\mathbb{Z}[X]/\langle X^{n}+1\rangle$. Given the polynomial $[\mathbf{f}/\mathbf{g}]_{q}\in \mathbb{Z}_{q}[X]/\langle X^{n}+1\rangle$, the NTRU problem is to find $\mathbf{a},\mathbf{b}\in \mathbb{Z}[X]/\langle X^{n}+1\rangle$ with a small Euclidean norm such that $[\mathbf{a}/\mathbf{b}]_{q}=[\mathbf{f}/\mathbf{g}]_{q}$. We propose an algorithm to solve the NTRU problem, which runs in $2^{O(\log ^{2}\lambda)}$ time when $\Vert \mathbf{g}\Vert ,\Vert \mathbf{f}\Vert$, and $\Vert \mathbf{g}^{-1}\Vert$ are within some range. The main technique of our algorithm is the reduction of a problem on a field to one on a subfield. The GGH scheme, the first candidate of an (approximate) multilinear map, was recently found to be insecure by the Hu–Jia attack using low-level encodings of zero, but no polynomial-time attack was known without them. In the GGH scheme without low-level encodings of zero, our algorithm can be directly applied to attack this scheme if we have some top-level encodings of zero and a known pair of plaintext and ciphertext. Using our algorithm, we can construct a level-$0$ encoding of zero and utilize it to attack a security ground of this scheme in the quasi-polynomial time of its security parameter using the parameters suggested by Garg, Gentry and Halevi [‘Candidate multilinear maps from ideal lattices’, Advances in cryptology — EUROCRYPT 2013 (Springer, 2013) 1–17].
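The NTRU problem stated above, and the field-to-subfield reduction the abstract names as its main technique, as an added Python illustration (not the paper's code): it builds a constructed toy instance $h=[\mathbf{f}/\mathbf{g}]_q$ in $\mathbb{Z}_q[X]/\langle X^n+1\rangle$ for $n$ a power of two, checks a candidate solution, and shows that the relative norm $a\mapsto a(X)\,a(-X)$ sends the instance to an NTRU instance over the index-2 subfield $\mathbb{Z}_q[X^2]$ with $(N(\mathbf{f}),N(\mathbf{g}))$ as a solution. The index-2 norm map is one standard subfield descent and is an assumption of this example; the paper's own reduction is not reconstructed from the abstract.

```python
import random

def mul(a, b, q=None):
    """Negacyclic product a*b mod X^n+1 with n = len(a); reduced mod q when q is given."""
    n = len(a)
    c = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                c[i + j] += ai * bj
            else:
                c[i + j - n] -= ai * bj   # X^n = -1
    return [x % q for x in c] if q else c

def conj(a):
    """a(-X): the automorphism whose fixed subfield is Z[X^2]."""
    return [(-x if i % 2 else x) for i, x in enumerate(a)]

def norm(a, q=None):
    """Relative norm a * a(-X); only even powers survive, so return it in Y = X^2."""
    m = mul(a, conj(a), q)
    assert all(x == 0 for x in m[1::2])
    return m[0::2]

def inv(a, q):
    """Inverse in Z_q[X]/<X^n+1>: a^-1 = a(-X) * N(a)^-1, recursing down the
    tower of index-2 subfields; pow() raises ValueError if a is not invertible."""
    if len(a) == 1:
        return [pow(a[0], -1, q)]
    lifted = [0] * len(a)
    lifted[0::2] = inv(norm(a, q), q)     # Y^i -> X^(2i)
    return mul(conj(a), lifted, q)

def ntru_instance(n, q, seed):
    """Constructed toy instance (assumption of this example): ternary f, g and h = [f/g]_q."""
    rng = random.Random(seed)
    while True:
        f = [rng.choice((-1, 0, 1)) for _ in range(n)]
        g = [rng.choice((-1, 0, 1)) for _ in range(n)]
        try:
            return f, g, mul(f, inv(g, q), q)
        except ValueError:                  # g not invertible: resample
            pass

def is_solution(a, b, h, q):
    """(a, b) solves instance h iff a = h*b in Z_q[X]/<X^n+1> (smallness is checked by the caller)."""
    return [x % q for x in a] == mul(h, b, q)
```

Since the norm of a ternary polynomial is still short relative to $q$, `norm(h, q)` is an NTRU instance of half the dimension that `(norm(f), norm(g))` solves, which is the sense in which the problem descends to the subfield.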

References

1. Aggarwal, D., Dadush, D., Regev, O. and Stephens-Davidowitz, N., ‘Solving the shortest vector problem in $2^{n}$ time via discrete Gaussian sampling’, Preprint, 2014, arXiv:1412.7994.
2. Albrecht, M. R., Bai, S. and Ducas, L., ‘A subfield lattice attack on overstretched NTRU assumptions: cryptanalysis of some FHE and graded encoding schemes’, Advances in cryptology — CRYPTO 2016 (Springer, Berlin, 2016) 153–178.
3. Albrecht, M. R., Cocis, C., Laguillaumie, F. and Langlois, A., ‘Implementing candidate graded encoding schemes from ideal lattices’, Advances in cryptology — ASIACRYPT 2015 (Springer, Berlin, 2015) 752–775.
4. Boneh, D. and Silverberg, A., ‘Applications of multilinear forms to cryptography’, Topics in algebraic and noncommutative geometry, Contemporary Mathematics 324 (eds Melles, C. G., Brasselet, J.-P., Kennedy, G., Lauter, K. and McEwan, L.; American Mathematical Society, Providence, RI, 2003) 71–90.
5. Bos, J. W., Lauter, K., Loftus, J. and Naehrig, M., ‘Improved security for a ring-based fully homomorphic encryption scheme’, Cryptography and coding 2013 (Springer, Berlin, 2013) 45–64.
6. Cheon, J. H., Han, K., Lee, C., Ryu, H. and Stehlé, D., ‘Cryptanalysis of the multilinear map over the integers’, Advances in cryptology — EUROCRYPT 2015 (Springer, Berlin, 2015) 3–12.
7. Cheon, J. H., Lee, C. and Ryu, H., ‘Cryptanalysis of the new CLT multilinear maps’, Advances in cryptology — EUROCRYPT 2016 (Springer, Berlin, 2016) 509–536.
8. Coron, J.-S., ‘Cryptanalysis of GGH15 multilinear maps’, Advances in cryptology — CRYPTO 2016 (Springer, Berlin, 2016) 607–628.
9. Coron, J.-S., Lepoint, T. and Tibouchi, M., ‘Practical multilinear maps over the integers’, Advances in cryptology — CRYPTO 2013 (Springer, Berlin, 2013) 476–493.
10. Coron, J.-S., Lepoint, T. and Tibouchi, M., ‘New multilinear maps over the integers’, Advances in cryptology — CRYPTO 2015 (Springer, Berlin, 2015) 267–286.
11. Ducas, L., Durmus, A., Lepoint, T. and Lyubashevsky, V., ‘Lattice signatures and bimodal Gaussians’, Advances in cryptology — CRYPTO 2013 (Springer, Berlin, 2013) 40–56.
12. Garg, S., Gentry, C. and Halevi, S., ‘Candidate multilinear maps from ideal lattices’, Advances in cryptology — EUROCRYPT 2013 (Springer, Berlin, 2013) 1–17.
13. Garg, S., Gentry, C. and Halevi, S., ‘Graph-induced multilinear maps from lattices’, Theory of cryptography 2015 (Springer, Berlin, 2015) 498–527.
14. Gentry, C. and Szydlo, M., ‘Cryptanalysis of the revised NTRU signature scheme’, Advances in cryptology — EUROCRYPT 2002 (Springer, Berlin, 2002).
15. Hanrot, G., Pujol, X. and Stehlé, D., ‘Terminating BKZ’, IACR Cryptology ePrint Archive 2011, https://eprint.iacr.org/2011/198.
16. Hoffstein, J., Howgrave-Graham, N., Pipher, J., Silverman, J. H. and Whyte, W., ‘NTRUSIGN: digital signatures using the NTRU lattice’, Topics in cryptology — CT-RSA 2003 (Springer, Berlin, 2003) 122–140.
17. Hoffstein, J., Pipher, J. and Silverman, J. H., ‘NTRU: a ring-based public key cryptosystem’, Algorithmic number theory 1998 (Springer, Berlin, 1998) 267–288.
18. Hu, Y. and Jia, H., ‘Cryptanalysis of GGH map’, Advances in cryptology — EUROCRYPT 2016 (Springer, Berlin, 2016) 537–565.
19. Langlois, A., Stehlé, D. and Steinfeld, R., ‘GGHLite: more efficient multilinear maps from ideal lattices’, Advances in cryptology — EUROCRYPT 2014 (Springer, Berlin, 2014) 239–256.
20. López-Alt, A., Tromer, E. and Vaikuntanathan, V., ‘On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption’, Proceedings of the Forty-Fourth Annual ACM Symposium on Theory of Computing 2012 (ACM, New York, NY, 2012) 1219–1234.
21. Miles, E., Sahai, A. and Zhandry, M., ‘Annihilation attacks for multilinear maps: cryptanalysis of indistinguishability obfuscation over GGH13’, Advances in cryptology — CRYPTO 2016 (Springer, Berlin, 2016) 491–520.