A Subfield Lattice Attack on Overstretched NTRU Assumptions

Albrecht, M.; Bai, Shi; Ducas, Léo

doi:10.1007/978-3-662-53018-4_6

Cited by 134 publications

(72 citation statements)

References 46 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We present a theoretical construction with suggested parameters in the asymptotic sense. There are a batch of cryptanalyses work aiming at NTRU, such as hybrid attack [19], subfield attack [1] and straightforward attack [22]. Detailed analyses of our NTRU variant against these attacks should be wellconsidered.…”

Section: Discussionmentioning

confidence: 99%

“…If ω n 2 log 0.5 n p 2 rt/q < 1(resp. ω n log 0.5 n p 2 rt/q < 1 if deg p = 0) and t = √ nαq (n−1)k log((n−1)k) 1/4 > 1, then the decryption algorithm of NTRUEncrypt recovers M with probability 1 − n −ω (1) over the choice of s, e, f, g.…”

Section: Decryptionmentioning

confidence: 99%

“…In the course of assessing the security of NTRU, Coppersmith and Shamir first claimed in [5] that one can convert breaking NTRU to solving hard problems on the so-called NTRU lattice. Then an army of cryptanalyses [1,2,4,9,10,12,15,19,21,22,29,34] have brought security estimations on NTRU and its variants, and NTRU is still considered secure in practice.…”

mentioning

confidence: 99%

“…As a large subring, this ring is much closer to the original NTRU ring. It is also remarked that a class of subfield attacks [1] is proposed recently and affects the asymptotic security of NTRU for large moduli q. Note that the subfield attack is not applicable to the setting of [33], but it is still meaningful to consider NTRU over the fields with no subfields of desired relative degree.…”

mentioning

confidence: 99%

See 3 more Smart Citations

Provably Secure NTRU Instances over Prime Cyclotomic Rings

Wang

2017

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Due to its remarkable performance and potential resistance to quantum attacks, NTRUEncrypt has drawn much attention recently; it also has been standardized by IEEE. However, classical NTRUEncrypt lacks a strong security guarantee and its security still relies on heuristic arguments. At Eurocrypt 2011, Stehlé and Steinfeld first proposed a variant of NTRUEncrypt with a security reduction from standard problems on ideal lattices. This variant is restricted to the family of rings Z[X]/(X n + 1) with n a power of 2 and its private keys are sampled by rejection from certain discrete Gaussian so that the public key is shown to be almost uniform. Despite the fact that partial operations, especially for RLWE, over Z[X]/(X n + 1) are simple and efficient, these rings are quite scarce and different from the classical NTRU setting. In this work, we consider a variant of NTRUEncrypt over prime cyclotomic rings, i.e. Z[X]/(X n−1 + · · · + X + 1) with n an odd prime, and obtain IND-CPA secure results in the standard model assuming the hardness of worst-case problems on ideal lattices. In our setting, the choice of the rings is much more flexible and the scheme is closer to the original NTRU, as Z[X]/(X n−1 + · · · + X + 1) is a large subring of the NTRU ring Z[X]/(X n −1). Some tools for prime cyclotomic rings are also developed.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Decryptionmentioning

confidence: 99%

mentioning

confidence: 99%

mentioning

confidence: 99%

See 2 more Smart Citations

Provably Secure NTRU Instances over Prime Cyclotomic Rings

Wang

2017

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…A practical variant of their scheme, which reintroduces the DSRP assumption is also presented in the same work. However, it is later shown that the optimizations and parameter selection that yield a significant increase in the performance makes it vulnerable to sub-field lattice attacks [Albrecht et al 2016]. The attack shown by Albrecht et al affected not only [Bos et al 2013], but every other NTRU-like scheme, which relies on DSRP problem and whose parameters (e.g., secret key, modulus) are chosen poorly.…”

Section: Lwe-based Fhe Schemesmentioning

confidence: 99%

A Survey on Homomorphic Encryption Schemes

et al. 2018

View full text Add to dashboard Cite

Legacy encryption systems depend on sharing a key (public or private) among the peers involved in exchanging an encrypted message. However, this approach poses privacy concerns. The users or service providers with the key have exclusive rights on the data. Especially with popular cloud services, the control over the privacy of the sensitive data is lost. Even when the keys are not shared, the encrypted material is shared with a third party that does not necessarily need to access the content. Moreover, untrusted servers, providers, and cloud operators can keep identifying elements of users long after users end the relationship with the services. Indeed, Homomorphic Encryption (HE), a special kind of encryption scheme, can address these concerns as it allows any third party to operate on the encrypted data without decrypting it in advance. Although this extremely useful feature of the HE scheme has been known for over 30 years, the first plausible and achievable Fully Homomorphic Encryption (FHE) scheme, which allows any computable function to perform on the encrypted data, was introduced by Craig Gentry in 2009. Even though this was a major achievement, different implementations so far demonstrated that FHE still needs to be improved significantly to be practical on every platform. Therefore, this survey focuses on HE and FHE schemes. First, we present the basics of HE and the details of the well-known Partially Homomorphic Encryption (PHE) and Somewhat Homomorphic Encryption (SWHE), which are important pillars of achieving FHE. Then, the main FHE families, which have become the base for the other follow-up FHE schemes are presented. Furthermore, the implementations and recent improvements in Gentry-type FHE schemes are also surveyed. Finally, further research directions are discussed. This survey is intended to give a clear knowledge and foundation to researchers and practitioners interested in knowing, applying, as well as extending the state of the art HE, PHE, SWHE, and FHE systems.

show abstract