Abstract
We present a polynomial time algorithm for breaking NTRU encryption schemes with multiple keys. Our algorithm takes advantage of the specific sampling regime used in NTRU encryption, which samples secret polynomials with a fixed number of coefficients equal to 1 and a fixed number equal to -1. By constructing an equation system on the secret keys, we are able to recover the unique secret key when n public keys sharing a common denominator are given for an extension degree n. This result shows that NTRU encryption schemes with multiple keys can be broken in time polynomial in n.
Notes
We focus exclusively on the NTRU-HPS parameter regime in our experimental analysis since it aligns with the parameter setup required in this paper, as defined in [11]. While there exists another parameter regime called NTRU-HRSS, it is not relevant to our work.
References
Agrawal S., Pellet-Mary A.: Indistinguishability obfuscation without maps: attacks and fixes for noisy linear FE. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, New York, pp. 110–140 (2020).
Agrawal S.: Indistinguishability obfuscation without multilinear maps: new methods for bootstrapping and instantiation. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, New York, pp. 191–225 (2019).
Albrecht M.R., Cocis C., Laguillaumie F., Langlois A.: Implementing candidate graded encoding schemes from ideal lattices. In: Asiacrypt 2015, vol. 9453. Springer, New York (2015).
Albrecht M., Bai S., Ducas L.: A subfield lattice attack on overstretched NTRU assumptions. In: Annual Cryptology Conference. Springer, New York, pp. 153–178 (2016).
Ananth P., Jain A., Jin Z., Malavolta G.: Multi-key fully-homomorphic encryption in the plain model. In: Theory of Cryptography Conference. Springer, New York, pp. 28–57 (2020).
Arora S., Ge R.: New algorithms for learning in presence of errors. In: International Colloquium on Automata, Languages, and Programming. Springer, New York, pp. 403–415 (2011).
Bernstein D.J., Chuengsatiansup C., Lange T., van Vredendaal C.: NTRU prime: reducing attack surface at low cost. In: International Conference on Selected Areas in Cryptography. Springer, New York, pp. 235–260 (2017).
Bernstein D.J., Chuengsatiansup C., Lange T., van Vredendaal C.: NTRU Prime: round 3. In: Submission to the NIST PQC Standardization Process. https://ntruprime.cr.yp.to (2020).
Bos J.W., Lauter K.E., Loftus J., Naehrig M.: Improved security for a ring-based fully homomorphic encryption scheme. In: IMA International Conference. Springer, New York, pp. 45–64 (2013).
Che X., Zhou T., Li N., Zhou H., Chen Z., Yang X.: Modified multi-key fully homomorphic encryption based on NTRU cryptosystem without key-switching. Tsinghua Sci. Technol. 25(5), 564–578 (2020).
Chen C., Danba O., Hoffstein J., Hülsing A., Rijneveld J., Schanck J.M., Schwabe P., Whyte W., Zhang Z.: NTRU: algorithm specifications and supporting documentation. Submission to the NIST PQC Standardization Process, round 2. https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions (2019).
Cheon J.H., Jeong J., Lee C.: An algorithm for NTRU problems and cryptanalysis of the GGH multilinear map without a low-level encoding of zero. LMS J. Comput. Math. 19(1), 255–266 (2016).
Chongchitmate W., Ostrovsky R.: Circuit-private multi-key FHE. In: IACR International Workshop on Public Key Cryptography. Springer, New York, pp. 241–270 (2017).
Peikert C.: A decade of lattice cryptography. Found. Trends Theor. Comput. Sci. 10(4), 283–424 (2016).
The Sage Developers: SageMath, the Sage Mathematics Software System (Version 9.5.2). https://www.sagemath.org (2020).
Doröz Y., Yin H., Sunar B.: Homomorphic AES evaluation using the modified LTV scheme. Des. Codes Cryptogr. 80(2), 333–358 (2016).
Ducas L., Durmus A., Lepoint T., Lyubashevsky V.: Lattice signatures and bimodal Gaussians. In: Advances in Cryptology–CRYPTO 2013. Springer, New York, pp. 40–56 (2013).
Ducas L., Lyubashevsky V., Prest T.: Efficient identity-based encryption over NTRU lattices. In: International Conference on the Theory and Application of Cryptology and Information Security. Springer, New York, pp. 22–41 (2014).
Ducas L., van Woerden W.: NTRU fatigue: how stretched is overstretched? In: Advances in Cryptology–ASIACRYPT 2021: 27th International Conference on the Theory and Application of Cryptology and Information Security, Singapore, Proceedings, Part IV. Springer, New York, pp. 3–32 (2021).
Garg S., Gentry C., Halevi S.: Candidate multilinear maps from ideal lattices. EUROCRYPT 2013, 1–17 (2013).
Gentry C., Szydlo M.: Cryptanalysis of the revised NTRU signature scheme. In: International Conference on the Theory and Applications of Cryptographic Techniques. Springer, New York, pp. 299–320 (2002).
Hoffstein J., Pipher J., Silverman J.H.: NTRU: a ring-based public key cryptosystem. In: Algorithmic number theory. Springer, New York, pp. 267–288 (1998).
Hoffstein J., Howgrave-Graham N., Pipher J., Silverman J.H., Whyte W.: NTRUSIGN: digital signatures using the NTRU lattice. In: Topics in Cryptology–CT-RSA 2003. Springer, New York, pp. 122–140 (2003).
Kirchner P., Fouque P.-A.: Revisiting lattice attacks on overstretched NTRU parameters. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, New York, pp. 3–26 (2017).
Langlois A., Stehlé D., Steinfeld R.: GGHLite: more efficient multilinear maps from ideal lattices. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, New York, pp. 239–256 (2014).
Lenstra A.K., Lenstra H.W., Lovász L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 515–534 (1982).
López-Alt A., Tromer E., Vaikuntanathan V.: On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption. In: Proceedings of the forty-fourth annual ACM symposium on Theory of computing, pp. 1219–1234 (2012).
Nitaj A.: Cryptanalysis of NTRU with two public keys. Int. J. Netw. Secur. 16(2), 112–117 (2014).
Peikert C.: Multiple NTRU public keys for the same private key? https://crypto.stackexchange.com/questions/30893/multiple-ntru-public-keys-for-the-same-private-key (2015).
Pellet-Mary A., Stehlé D.: On the hardness of the NTRU problem. In: International Conference on the Theory and Application of Cryptology and Information Security. Springer, New York, pp. 3–35 (2021).
Singh S., Padhye S.: Cryptanalysis of NTRU with n public keys. In: 2017 ISEA Asia Security and Privacy (ISEASP). IEEE, pp. 1–6 (2017).
Stehlé D., Steinfeld R.: Making NTRU as secure as worst-case problems over ideal lattices. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, New York, pp. 27–47 (2011).
Yu Y., Xu G., Wang X.: Provably secure NTRU instances over prime cyclotomic rings. In: IACR International Workshop on Public Key Cryptography. Springer, New York, pp. 409–434 (2017).
Acknowledgements
We sincerely thank the reviewers of Designs, Codes and Cryptography for their insightful reviews and their efforts in improving the earlier version of this paper.
Funding
Supported by research funds for newly appointed professors of Jeonbuk National University in 2022. Supported by a KIAS Individual Grant CG080601 at Korea Institute for Advanced Study.
Additional information
Communicated by D. Stehle.
Cite this article
Kim, J., Lee, C. A polynomial time algorithm for breaking NTRU encryption with multiple keys. Des. Codes Cryptogr. 91, 2779–2789 (2023). https://doi.org/10.1007/s10623-023-01233-5