
Reduced memory meet-in-the-middle attack against the NTRU private key

Christine van Vredendaal

Abstract

NTRU is a public-key cryptosystem introduced at ANTS-III. The two most used techniques in attacking the NTRU private key are meet-in-the-middle attacks and lattice-basis reduction attacks. Howgrave-Graham combined both techniques in 2007 and pointed out that the largest obstacle to attacks is the memory capacity that is required for the meet-in-the-middle phase. In the present paper an algorithm is presented that applies low-memory techniques to find ‘golden’ collisions to Odlyzko’s meet-in-the-middle attack against the NTRU private key. Several aspects of NTRU secret keys and the algorithm are analysed. The running time of the algorithm with a maximum storage capacity of $w$ is estimated and experimentally verified. Experiments indicate that decreasing the storage capacity $w$ by a factor $1<c<\sqrt{w}$ increases the running time by a factor $\sqrt{c}$.
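The memory/time trade-off the abstract describes, as an added illustration that is not the paper's code and not its NTRU attack: a golden-collision search in the style of van Oorschot and Wiener (references 26–28), with distinguished-point trails and a table bounded to w stored trails, run over a constructed toy function in which one collision is planted as the 'golden' one. The domain size N = 2^12, the planted pair GOLDEN, the version mixing, the distinguished-point rate 2.25·sqrt(w/N) and the 10w trails-per-version rule are assumptions chosen for the example; the NTRU-specific bucket map of Odlyzko's attack is not modelled. The returned evaluation count is the cost measure: run it for decreasing w and the count grows, in line with the sqrt(c) factor stated above, though single runs vary a lot.

```python
"""Memory-bounded golden-collision search in the style of van Oorschot and
Wiener, run over a constructed toy function.  Added illustration only: not
the paper's algorithm and not an attack on NTRU."""
import hashlib
import math
import random
from collections import deque

N_BITS = 12              # assumption: toy domain of 2^12 points so a run takes seconds
N = 1 << N_BITS
GOLDEN = (0x123, 0xABC)  # constructed: the one collision we actually want to find


def f(x: int) -> int:
    """Random-looking map on [0, N).  f(GOLDEN[1]) is forced to equal
    f(GOLDEN[0]), planting a single 'golden' collision among the ~N/2 random
    collisions such a function has (stand-in for the MITM bucket map)."""
    if x == GOLDEN[1]:
        x = GOLDEN[0]
    digest = hashlib.sha256(x.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big") % N


def make_version(v: int):
    """Version v of the walk function: a bijection of [0, N) applied after f.
    Every collision of f (the golden one included) stays a collision of f_v,
    but the random-walk graph changes, so a fresh version gives fresh trails."""
    mask = N - 1

    def f_v(x: int) -> int:
        return ((f(x) ^ (v & mask)) * 0x9E5) & mask  # odd multiplier: bijection mod 2^k

    return f_v


def walk_to_dp(f_v, x0: int, denom: int, max_len: int):
    """Iterate f_v from x0 until a distinguished point (x % denom == 0) is hit.
    Returns (dp, length), or (None, max_len) for an abandoned (cycling) trail."""
    x = x0
    for length in range(1, max_len + 1):
        x = f_v(x)
        if x % denom == 0:
            return x, length
    return None, max_len


def locate_collision(f_v, x0: int, l0: int, y0: int, l1: int):
    """Two trails ended at the same distinguished point; re-walk them in
    lockstep to the first pair (a, b), a != b, with f_v(a) == f_v(b).
    Returns (a, b, evals), or None when one trail merely lies on the other."""
    if l0 > l1:
        x0, l0, y0, l1 = y0, l1, x0, l0
    evals = l1 - l0
    for _ in range(evals):           # align: both are now l0 steps from the dp
        y0 = f_v(y0)
    if x0 == y0:
        return None
    for _ in range(l0):
        fx, fy = f_v(x0), f_v(y0)
        evals += 2
        if fx == fy:
            return x0, y0, evals
        x0, y0 = fx, fy
    return None                      # not reached for consistent trails


def golden_collision_search(w: int, seed: int = 0):
    """Search for the golden collision with at most w stored trails.
    Returns (a, b, evals): {a, b} == set(GOLDEN) and evals is the total number
    of f_v evaluations, the cost measure for the meet-in-the-middle phase."""
    rng = random.Random(seed)
    theta = 2.25 * math.sqrt(w / N)          # assumed distinguished-point rate
    denom = max(1, round(1 / theta))
    max_len = int(20 / theta)
    evals = 0
    while True:
        f_v = make_version(rng.getrandbits(32))
        table, order = {}, deque()           # dp -> (start, length), at most w entries
        for _ in range(10 * w):              # assumption: ~10w trails per version, then switch
            x0 = rng.randrange(N)
            dp, length = walk_to_dp(f_v, x0, denom, max_len)
            evals += length
            if dp is None:
                continue
            if dp in table:
                y0, l1 = table[dp]
                found = locate_collision(f_v, x0, length, y0, l1) if y0 != x0 else None
                if found is not None:
                    a, b, cost = found
                    evals += cost
                    if {a, b} == set(GOLDEN):
                        return a, b, evals
            else:
                if len(table) >= w:          # memory bound: evict the oldest trail
                    table.pop(order.popleft(), None)
                order.append(dp)
            table[dp] = (x0, length)         # store (or replace with) the newest trail


if __name__ == "__main__":
    for w in (64, 16, 4):
        a, b, n = golden_collision_search(w, seed=7)
        print(f"w={w:3d}: golden collision ({a:#05x}, {b:#05x}) after {n} evaluations")
```

Each version of the walk function only re-mixes the output of f with a bijection, so collisions of f survive the change of version while the trails themselves are fresh; this is what lets the bounded table be thrown away and refilled without losing the golden collision.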


References

1. Bernstein, D. J., ‘The Saber cluster’, 2014, http://blog.cr.yp.to/20140602-saber.html.
2. Bernstein, D. J. and Lange, T., ‘Computing small discrete logarithms faster’, Progress in cryptology – INDOCRYPT 2012, Proceedings of the 13th International Conference on Cryptology in India, Kolkata, India, December 9–12, 2012, Lecture Notes in Computer Science 7668 (eds Galbraith, S. D. and Nandi, M.; Springer, Berlin, 2012) 317–338.
3. Bernstein, D. J. and Lange, T., ‘Batch NFS’, Selected areas in cryptography – SAC 2014, 21st International Conference, Montreal, QC, Canada, August 14–15, 2014, Revised Selected Papers, Lecture Notes in Computer Science 8781 (eds Joux, A. and Youssef, A. M.; Springer, Cham, Switzerland, 2014) 38–58.
4. Brakerski, Z. and Vaikuntanathan, V., ‘Efficient fully homomorphic encryption from (standard) LWE’, SIAM J. Comput. 43 (2014) no. 2, 831–871.
5. Buchmann, J., Göpfert, F., Player, R. and Wunderer, T., ‘On the hardness of LWE with binary error: revisiting the hybrid lattice-reduction and meet-in-the-middle attack’, Progress in cryptology – AFRICACRYPT 2016, Lecture Notes in Computer Science 9646 (Springer, Cham, 2016) 24–43.
6. Cover, T. M., ‘Enumerative source encoding’, IEEE Trans. Inform. Theory 19 (1973) no. 1, 73–77.
7. Davisson, L. D., ‘Comments on “Sequence time coding for data compression”’, Proc. IEEE 54 (1966) no. 12, 2010.
8. Ducas, L., Durmus, A., Lepoint, T. and Lyubashevsky, V., ‘Lattice signatures and bimodal Gaussians’, Advances in cryptology – CRYPTO 2013, Proceedings of the 33rd Annual Cryptology Conference, Santa Barbara, CA, USA, August 18–22, 2013, Part I, Lecture Notes in Computer Science 8042 (eds Canetti, R. and Garay, J. A.; Springer, Berlin, 2013) 40–56.
9. Fluhrer, S., ‘Quantum cryptanalysis of NTRU’, IACR Cryptology ePrint Archive, Report 2015/676, 2015.
10. Hirschhorn, P. S., Hoffstein, J., Howgrave-Graham, N. and Whyte, W., ‘Choosing NTRUEncrypt parameters in light of combined lattice reduction and MITM approaches’, Applied cryptography and network security, Proceedings of the 7th International Conference, ACNS 2009, Paris-Rocquencourt, France, June 2–5, 2009, Lecture Notes in Computer Science 5536 (eds Abdalla, M., Pointcheval, D., Fouque, P.-A. and Vergnaud, D.; Springer, Berlin, 2009) 437–455.
11. Hoffstein, J., Pipher, J., Schanck, J. M., Silverman, J. H., Whyte, W. and Zhang, Z., ‘Choosing parameters for NTRUEncrypt’, IACR Cryptology ePrint Archive, Report 2015/708, 2015.
12. Hoffstein, J., Pipher, J. and Silverman, J. H., ‘NTRU: A ring-based public key cryptosystem’, Algorithmic number theory, Proceedings of the 3rd International Symposium, ANTS-III, Portland, Oregon, USA, June 21–25, 1998, Lecture Notes in Computer Science 1423 (ed. Buhler, J.; Springer, Berlin, 1998) 267–288.
13. Hoffstein, J. and Silverman, J. H., ‘Random small Hamming weight products with applications to cryptography’, Discrete Appl. Math. 130 (2003) no. 1, 37–49.
14. Howgrave-Graham, N., ‘A hybrid lattice-reduction and meet-in-the-middle attack against NTRU’, Advances in cryptology – CRYPTO 2007, Proceedings of the 27th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19–23, 2007, Lecture Notes in Computer Science 4622 (ed. Menezes, A.; Springer, Berlin, 2007) 150–169.
15. Howgrave-Graham, N., Silverman, J. H. and Whyte, W., ‘A meet-in-the-middle attack on an NTRU private key’, Technical report, NTRU Cryptosystems, June 2003.
16. Howgrave-Graham, N., Silverman, J. H. and Whyte, W., ‘Choosing parameter sets for NTRUEncrypt with NAEP and SVES-3’, Topics in cryptology – CT-RSA 2005, Lecture Notes in Computer Science 3376 (Springer, Berlin, Heidelberg, 2005) 118–135.
17. Langlois, A., Ling, S., Nguyen, K. and Wang, H., ‘Lattice-based group signature scheme with verifier-local revocation’, Public-key cryptography – PKC 2014, Proceedings of the 17th International Conference on Practice and Theory in Public-Key Cryptography, Buenos Aires, Argentina, March 26–28, 2014, Lecture Notes in Computer Science 8383 (ed. Krawczyk, H.; Springer, Berlin, 2014) 345–361.
18. Lehmer, D. H., ‘Teaching combinatorial tricks to a computer’, Proceedings of Symposia in Applied Mathematics 10 (American Mathematical Society, Providence, RI, 1960) 179–193.
19. Lindner, R. and Peikert, C., ‘Better key sizes (and attacks) for LWE-based encryption’, Topics in cryptology – CT-RSA 2011, Proceedings of the Cryptographers’ Track at the RSA Conference 2011, San Francisco, CA, USA, February 14–18, 2011, Lecture Notes in Computer Science 6558 (ed. Kiayias, A.; Springer, Berlin, 2011) 319–339.
20. Lynch, T. J., ‘Sequence time coding for data compression’, Proc. IEEE 54 (1966) no. 10, 1490–1491.
21. Pollard, J. M., ‘Monte Carlo methods for index computation (mod p)’, Math. Comp. 32 (1978) 918–924.
22. Sage Developers, ‘Sage Mathematics Software (Version 6.9)’, 2015, http://www.sagemath.org.
23. Schalkwijk, J., ‘An algorithm for source coding’, IEEE Trans. Inform. Theory 18 (1972) no. 3, 395–399.
24. Schanck, J., ‘Parameter generation for NTRUEncrypt’, 2015, https://github.com/NTRUOpenSourceProject/ntru-params.
25. Stehlé, D. and Steinfeld, R., ‘Making NTRU as secure as worst-case problems over ideal lattices’, Advances in cryptology – EUROCRYPT 2011, Proceedings of the 30th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tallinn, Estonia, May 15–19, 2011, Lecture Notes in Computer Science 6632 (ed. Paterson, K. G.; Springer, Berlin, 2011) 27–47.
26. van Oorschot, P. C. and Wiener, M. J., ‘Parallel collision search with application to hash functions and discrete logarithms’, CCS ’94, Proceedings of the 2nd ACM Conference on Computer and Communications Security, Fairfax, Virginia, USA, November 2–4, 1994 (eds Denning, D. E., Pyle, R., Ganesan, R. and Sandhu, R. S.; ACM, New York, 1994) 210–218.
27. van Oorschot, P. C. and Wiener, M. J., ‘Improving implementable meet-in-the-middle attacks by orders of magnitude’, Advances in cryptology – CRYPTO ’96, Proceedings of the 16th Annual International Cryptology Conference, Santa Barbara, California, USA, August 18–22, 1996, Lecture Notes in Computer Science 1109 (ed. Koblitz, N.; Springer, Berlin, 1996) 229–236.
28. van Oorschot, P. C. and Wiener, M. J., ‘Parallel collision search with cryptanalytic applications’, J. Cryptology 12 (1999) no. 1, 1–28.
29. van Vredendaal, C., ‘Reduced memory meet-in-the-middle attack against the NTRU private key’, 2016, http://scarecryptow.org/publications/ntrumitm.html.
30. Wang, H., Ma, Z. and Ma, C., ‘An efficient quantum meet-in-the-middle attack against NTRU-2005’, Chin. Sci. Bull. 58 (2013) no. 28, 3514–3518.