Hostname: page-component-6766d58669-bp2c4 Total loading time: 0 Render date: 2026-05-17T09:14:12.883Z Has data issue: false hasContentIssue false
  • English
  • Français

Reduced memory meet-in-the-middle attackagainst the NTRU private key

Part of: Communication, information Theory of computing Computational number theory Finite fields and commutative rings (number-theoretic aspects)

Published online by Cambridge University Press:  26 August 2016

Christine van Vredendaal
Christine van Vredendaal*
Affiliation:
Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, PO Box 513, 5600 MB Eindhoven, The Netherlands email c.v.vredendaal@tue.nl

Abstract

Core share and HTML view are not available for this content. However, as you have access to this content, a full PDF is available via the 'Save PDF' action button.

NTRU is a public-key cryptosystem introduced at ANTS-III. The two most used techniques in attacking the NTRU private key are meet-in-the-middle attacks and lattice-basis reduction attacks. Howgrave-Graham combined both techniques in 2007 and pointed out that the largest obstacle to attacks is the memory capacity that is required for the meet-in-the-middle phase. In the present paper an algorithm is presented that applies low-memory techniques to find ‘golden’ collisions to Odlyzko’s meet-in-the-middle attack against the NTRU private key. Several aspects of NTRU secret keys and the algorithm are analysed. The running time of the algorithm with a maximum storage capacity of $w$ is estimated and experimentally verified. Experiments indicate that decreasing the storage capacity $w$ by a factor $1<c<\sqrt{w}$ increases the running time by a factor $\sqrt{c}$ .

MSC classification

Primary: 94A60: Cryptography
Secondary: 11T71: Algebraic coding theory; cryptography 11Y16: Algorithms; complexity 68Q25: Analysis of algorithms and problem complexity

References

Bernstein, D. J., ‘The Saber cluster’, 2014, http://blog.cr.yp.to/20140602-saber.html.Google Scholar
Bernstein, D. J. and Lange, T., ‘Computing small discrete logarithms faster’, Progress in cryptology – INDOCRYPT 2012, Proceedings of the 13th International Conference on Cryptology in India, Kolkata, India, December 9–12, 2012 , Lecture Notes in Computer Science 7668 (eds Galbraith, S. D. and Nandi, M.; Springer, Berlin, 2012) 317338.Google Scholar
Bernstein, D. J. and Lange, T., ‘Batch NFS’, Selected areas in cryptography – SAC 2014 – 21st International Conference, Montreal, QC, Canada, August 14–15, 2014, Revised Selected Papers , Lecture Notes in Computer Science 8781 (eds Joux, A. and Youssef, A. M.; Springer, Cham, Switzerland, 2014) 3858.Google Scholar
Brakerski, Z. and Vaikuntanathan, V., ‘Efficient fully homomorphic encryption from (standard) LWE’, SIAM J. Comput. 43 (2014) no. 2, 831871.CrossRefGoogle Scholar
Buchmann, J., Göpfert, F., Player, R. and Wunderer, T., ‘On the hardness of LWE with binary error: revisiting the hybrid lattice-reduction and meet-in-the-middle attack’, Progress in Cryptology – AFRICACRYPT 2016 , Lecture Notes in Computer Science 9646 (Springer, Cham, 2016) 2443.CrossRefGoogle Scholar
Cover, T. M., ‘Enumerative source encoding’, IEEE Trans. Inform. Theory 19 (1973) no. 1, 7377.CrossRefGoogle Scholar
Davisson, L. D., ‘Comments on “Sequence time coding for data compression”’, Proc. IEEE 54 (1966) no. 12, 20102010.CrossRefGoogle Scholar
Ducas, L., Durmus, A., Lepoint, T. and Lyubashevsky, V., ‘Lattice signatures and bimodal Gaussians’, Advances in cryptology – CRYPTO 2013, Proceedings of the 33rd Annual Cryptology Conference, Santa Barbara, CA, USA, August 18–22, 2013. Part I , Lecture Notes in Computer Science 8042 (eds Canetti, R. and Garay, J. A.; Springer, Berlin, 2013) 4056.Google Scholar
Fluhrer, S., ‘Quantum cryptanalysis of NTRU’, IACR Cryptology ePrint Archive, arXiv:2015:676, 2015.Google Scholar
Hirschhorn, P. S., Hoffstein, J., Howgrave-Graham, N. and Whyte, W., ‘Choosing NTRUEncrypt parameters in light of combined lattice reduction and MITM approaches’, Applied cryptography and network security, Proceedings of the 7th International Conference, ACNS 2009, Paris-Rocquencourt, France, June 2–5, 2009 , Lecture Notes in Computer Science 5536 (eds Abdalla, M., Pointcheval, D., Fouque, P.-A. and Vergnaud, D.; Springer, Berlin, 2009) 437455.Google Scholar
Hoffstein, J., Pipher, J., Schanck, J. M., Silverman, J. H., Whyte, W. and Zhang, Z., ‘Choosing parameters for NTRUEncrypt’, IACR Cryptology ePrint Archive, arXiv:2015:708, 2015.Google Scholar
Hoffstein, J., Pipher, J. and Silverman, J. H., ‘NTRU: A ring-based public key cryptosystem’, Algorithmic number theory, Proceedings of the 3rd International Symposium, ANTS-III, Portland, Oregon, USA, June 21–25, 1998 , Lecture Notes in Computer Science 1423 (ed. Buhler, J.; Springer, Berlin, 1998) 267288.Google Scholar
Hoffstein, J. and Silverman, J. H., ‘Random small Hamming weight products with applications to cryptography’, Discrete Appl. Math. 130 (2003) no. 1, 3749.CrossRefGoogle Scholar
Howgrave-Graham, N., ‘A hybrid lattice-reduction and meet-in-the-middle attack against NTRU’, Advances in cryptology – CRYPTO 2007, Proceedings of the 27th Annual International cryptology Conference, Santa Barbara, CA, USA, August 19–23, 2007 , Lecture Notes in Computer Science 4622 (ed. Menezes, Alfred; Springer, Berlin, 2007) 150169.Google Scholar
Howgrave-Graham, N., Silverman, J. H. and Whyte, W., ‘A meet-in-the-middle attack on an NTRU private key’, Technical report, NTRU Cryptosystems, June 2003.Google Scholar
Howgrave-Graham, N., Silverman, J. H. and Whyte, W., ‘Choosing parameter sets for NTRUEncrypt with NAEP and SVES-3’, Topics in Cryptology – CT-RSA 2005 , Lecture Notes in Computer Science 3376 (Springer, Berlin, Heidelberg, 2005) 118135.CrossRefGoogle Scholar
Langlois, A., Ling, S., Nguyen, K. and Wang, H., ‘Lattice-based group signature scheme with verifier-local revocation’, Public-key cryptography – PKC 2014 – Proceedings of the 17th International Conference on Practice and Theory in Public-Key Cryptography, Buenos Aires, Argentina, March 26–28, 2014 , Lecture Notes in Computer Science 8383 (ed. Krawczyk, Hugo; Springer, Berlin, 2014) 345361.Google Scholar
Lehmer, D. H., ‘Teaching combinatorial tricks to a computer’, Proceedings of Symposia in Applied Mathematics 10 (American Mathematical Society, Providence, RI, 1960) 179193.Google Scholar
Lindner, R. and Peikert, C., ‘Better key sizes (and attacks) for LWE-based encryption’, Topics in cryptology – CT-RSA 2011 – Proceedings of the The Cryptographers’ Track at the RSA Conference 2011, San Francisco, CA, USA, February 14–18, 2011 , Lecture Notes in Computer Science 6558 (ed. Kiayias, Aggelos; Springer, Berlin, 2011) 319339.Google Scholar
Lynch, T. J., ‘Sequence time coding for data compression’, Proc. IEEE 54 (1966) no. 10, 14901491.CrossRefGoogle Scholar
Pollard, J. M., ‘Monte Carlo methods for index computation (mod p)’, Math. Comp. 32 (1978) 918924.Google Scholar
Sage Developers. Sage Mathematics Software (Version 6.9), 2015, http://www.sagemath.org.Google Scholar
Schalkwijk, J., ‘An algorithm for source coding’, IEEE Trans. Inform. Theory 18 (1972) no. 3, 395399.CrossRefGoogle Scholar
Schanck, J., ‘Parameter generation for NTRUEncrypt’, 2015, https://github.com/NTRUOpenSourceProject/ntru-params.Google Scholar
Stehlé, D. and Steinfeld, R., ‘Making NTRU as secure as worst-case problems over ideal lattices’, Advances in cryptology – EUROCRYPT 2011 – Proceedings of the 30th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tallinn, Estonia, May 15–19, 2011 , Lecture Notes in Computer Science 6632 (ed. Paterson, Kenneth G.; Springer, Berlin, 2011) 2747.Google Scholar
van Oorschot, P. C. and Wiener, M. J., ‘Parallel collision search with application to hash functions and discrete logarithms’, CCS ’94, Proceedings of the 2nd ACM Conference on Computer and Communications Security, Fairfax, Virginia, USA, November 2–4, 1994 (eds Denning, D. E., Pyle, R., Ganesan, R. and Sandhu, R. S.; ACM, New York, 1994) 210218.Google Scholar
van Oorschot, P. C. and Wiener, M. J., ‘Improving implementable meet-in-the-middle attacks by orders of magnitude’, Advances in cryptology – CRYPTO ’96, Proceedings of the 16th Annual International Cryptology Conference, Santa Barbara, California, USA, August 18–22, 1996 , Lecture Notes in Computer Science 1109 (ed. Koblitz, Neal; Springer, Berlin, 1996) 229236.Google Scholar
van Oorschot, P. C. and Wiener, M. J., ‘Parallel collision search with cryptanalytic applications’, J. Cryptology 12 (1999) no. 1, 128.CrossRefGoogle Scholar
van Vredendaal, C., Publication: reduced memory meet-in-the-middle attack against the NTRU private key, 2016, http://scarecryptow.org/publications/ntrumitm.html.CrossRefGoogle Scholar
Wang, H., Ma, Z. and Ma, C., ‘An efficient quantum meet-in-the-middle attack against NTRU-2005’, Chin. Sci. Bull. 58 (2013) no. 28, 35143518.CrossRefGoogle Scholar