of NTRU with two public keys

Abderrahmane Nitaj Laboratoire de Mathematiques´ Nicolas Oresme Universite´ de Caen, France Email: [email protected]

Abstract—NTRU is a fast public presented of degree N − 1 with small integer coefficients. Let Zq in 1996 by Hoffstein, Pipher and Silverman. It operates in denote the ring of integers modulo q. The operations of the ring of truncated polynomials. In NTRU, a public key NTRU took place in the ring of truncated polynomials is a polynomial defined by the combination of two private N  polynomials. In this paper, we consider NTRU with two Zq[X]/ X − 1 . In this ring, the addition of two poly- different public keys defined by different private keys. We nomials is defined as pairwise addition of the coefficients of present a -based attack to recover the private keys the same degree and multiplication, noted “ ∗ ” is defined assuming that the public keys share polynomials with a suitable as convolution multiplication. In NTRU, to create a public number of common coefficients. key h, one chooses a private key (f, g) composed with two Keywords-NTRU cryptosystem; Lattice attacks; Cryptanaly- polynomials f and g and computes sis; −1 N  h = fq ∗ g ∈ Zq[X]/ X − 1 , NTRODUCTION I.I −1 N  where fq is the inverse of f in Zq[X]/ X − 1 . The NTRU Public Key Cryptosystem is a ring-based In this paper, we consider NTRU with two public keys h, cryptosystem that was first introduced in the rump session at h0 defined by the private keys (f, g) and (F 0,G0) with Crypto’96 [4]. It is one of the fastest public-key cryptosys- 0 0−1 0 tems, offering both (NTRUencrypt) and digital h = Fq ∗ G (mod q). signatures (NTRUSign). It is a relatively new cryptosystem N  Since f is invertible in Zq[X]/ X − 1 , then we can that appears to be more efficient than the current and more 0 0 widely used public-key , such as RSA [8] and define g = f ∗ h (mod q) so that El Gamal [3]. It is well known that the security of RSA and 0 −1 0 h = fq ∗ g mod q. El Gamal relies on the difficulty of factoring large composite integers or computing discrete logarithms. However, in 1994, The main objective of this paper is to show how to find the Shor [10] showed that quantum computers can be used private key (f, g) when to factor integers and to compute discrete logarithms in kg − g0k < min(kgk, kg0k). polynomial time. Since NTRU does not rely on the difficulty of factoring or computing discrete logarithms and is still Using h and h0, we construct a lattice L(h, h0) of dimension considered secure even against quantum computer attacks, it 2N, and applying the lattice basis reduction algorithm LLL, is a promising alternative to the more established public key we show that short vectors in L(h, h0) can be used to cryptosystems. In [4], Hoffstein, Pipher and Silverman have find the private polynomials f, g, g0 when kg − g0k < studied different possible attacks on NTRU. The brute force min(kgk, kg0k). Under this condition, it is important to and the meet-in-the-middle attacks may be used against the notice that our method is more efficient than the method private key or against a single message but will not succeed of Coppersmith and Shamir to recover the private key (f, g) in a reasonable time. The multiple transmission attack also using the public key h. will fail for a suitable choice of parameters. However, we We note that when the polynomials g, g0 are generated notice that NTRU suggests that the public key should be randomly and independently, then with overwhelming prob- changed very frequently, for each transmission if possible. ability the condition kg − g0k < min(kgk, kg0k) is not The most important attack, presented by Coppersmith and satisfied. So in practice one can easily avoid this inequality. Shamir [2] in 1997 makes use of the LLL algorithm of 0 0−1 0 Similarly, assume that h = Fq ∗ G (mod q) is invert- Lenstra, Lenstra and Lovasz´ [5]. Coppersmith and Shamir N  ible in Zq[X]/ X − 1 . Then we can define a polynomial constructed a lattice generated by the public key and found f 0 as a of the public key that could be used to break f 0 = h0−1 ∗ g (mod q), the system if the NTRU parameters are poorly set. q 0−1 0 N  The NTRU cryptosystem depends on three integer param- where hq is the inverse of h in Zq[X]/ X − 1 . Using eters (N, p, q) and four sets Lf , Lg, Lr, Lm of polynomials lattice reduction techniques, we show that it is possible to recover the private key (f, g) assuming that the condition the well known attack of Coppersmith and Shamir on NTRU. kf − f 0k < min(kfk, kf 0k) is fulfilled. Further details can be found in [4] and [2]. The paper is organized as follows. In Section 2, we give A. Definitions and notations motivation for our work. Section 3 gives a brief mathemati- cal description of NTRU and introduces the LLL algoritm as We start by introducing the ring N well as the attack of Coppersmith and Shamir on NTRU. In R = Z[X]/(X − 1), Section 4, we present our new attack on NTRU with two pri- vate keys (f, g) and (f, g0) with kg − g0k < min(kgk, kg0k) upon which NTRU operates. We use ∗ to denote a polyno- and compare it with the attack of Coppersmith and Shamir. mial multiplication in R, which is the cyclic convolution of In Section 5, we present our new attack on NTRU when h two polynomials. If and h0 are invertible and kf − f 0k < min(kfk, kf 0k). We N−1 X i conclude the paper in Section 6. f = (f0, f1, ··· , fN−1) = fiX , i=0 II.MOTIVATION N−1 X i g = (g0, g1, ··· , gN−1) = giX , RSA, the most commonly used public-key cryptosys- i=0 tem [8] has stood up remarkably well to years of extensive are polynomials of R, then h = f ∗ g is given by h = cryptanalysis and is still considered secure by the crypto- (h , h , ··· , h ), where h is defined for 0 ≤ k ≤ N −1 graphic community (see [1] for more details). RSA derives 0 1 N−1 k by its security from the difficulty of factoring large numbers of k N−1 the shape N = pq where p, q are large unknown primes X X X of the same bit-size. In some cases, the problem can be hk = figj = figk−i + figN+k−i. slightly easier given two RSA modulus N = pq, N 0 = p0q0. i+j≡k mod N i=0 i=k+1 If p = p0, then it is trivial to factor N and N 0 by computing The Euclidean norm or the length of a polynomial f = 0 0 gcd(N,N ). However, it is possible to factor N and N (f0, f1, ··· , fN−1) is defined as when p and p0 share a certain amount of bits (see [7], [9]). v uN−1 The first paper studying NTRU was written by Copper- u X kfk = t f 2. smith and Shamir [2]. In that paper, they noted that the i i=0 best way to attack the NTRU cryptosystem was via the techniques of lattice reduction. Nevertheless, the security One more notation is the binary set of polynomials B(d) of NTRU is also based on the following factorization defined for a positive integers d by N  problem: Given a polynomial h ∈ Z[X]/ X − 1 , find ( N−1 N−1 ) N  X i X two short polynomials f ∈ Z[X]/ X − 1 and g ∈ B(d) = f(X) = fiX , fi ∈ {0, 1}, fi = d . N  −1 Z[X]/ X − 1 such that h = fq ∗ g (mod q), where i=0 i=0 −1 N  fq is the inverse of f in Zq[X]/ X − 1 . In other words, B(d) is the set of polynomials of R with d Similarly to RSA with two modulus, consider NTRU with coefficients equal to 1 and all the other coefficients equal to two public keys h and h0 defined by the same parameters 0. −1 0 (N, p, q). Assume that h = fq ∗ g (mod q). Then, h can Different descriptions of NTRUEncrypt and different pro- 0 −1 0 0 0 be expressed as h = fq ∗ g (mod q) where g = f ∗ h posed parameter sets have been in circulation since 1996. (mod q). The main contribution of this paper is to show The 2005 instantiation of NTRU is set up by six public 0 how to find the private keys (f, g) when g and g satisfy integers N, p, q, df , dg, dr and four public spaces Lf , Lg, 0 0 kg − g k < min(kgk, kg k). Lm, Lr such that We notice that lattice-based is currently seen • N is prime and sufficiently large to prevent lattice as one of the most promising alternatives to cryptography attacks. based on number theory. Given recent advances in lattice- • p and q are relatively prime. based cryptography (see [6] and [11]), studying NTRU and • q is much larger than p. related schemes is both useful and timely. In this direction, •L f is a set of small polynomials from which the private our work shows that using the same f or the same g in keys are selected. h h0 generating public keys , is likely to reduce the security •L g is a similar set of small polynomials from which of NTRU. other private keys are selected. •L m is the plaintext space. It is a set of polynomials m ∈ III.MATHEMATICAL BACKGROUND N Zp[X]/(X − 1) that represent encryptable messages. In this section, we give a brief description of the NTRU •L r is a set of polynomials from which the blinding encryption and the LLL algorithm for lattice reduction and value used during encryption is selected. B. The NTRU Encryption Scheme for i = 1, . . . , n. With i = 1, this implies that kb1k n−1 1 1) Key pair generation.: To create a NTRU key, one satisfies kb1k ≤ 2 4 det(L) n . In comparison, a theorem of Minkowski asserts that any lattice L of dimension n contains randomly chooses a polynomial f ∈ Lf and a polynomial a non-zero vector v with g ∈ Lg. The polynomial f must satisfy the additional f −1 p r requirement that it has an inverse p modulo and an 2n 1 −1 kvk ≤ det(L) n . inverse fq modulo q, that is eπ −1 −1 f ∗ fp = 1 (mod p), f ∗ fq = 1 (mod q). On the other hand, the Gaussian heuristic says that the length of the shortest non-zero vector is usually approximately Then the private key is f and the public key is the polyno- σ(L) where mial r n 1 n −1 σ(L) = det(L) . h = fq ∗ g (mod q). 2πe We recall that N, p, q are also public. D. The attack of Coppersmith and Shamir on NTRU 2) Encryption.: To encrypt a message m ∈ Lm, one In [2] Coppersmith and Shamir presented a lattice attack randomly chooses a polynomial r ∈ Lr. The is on NTRU. They defined a lattice determined by the param- the polynomial eters N, q, h of the system and showed that recovering the e = pr ∗ h + m (mod q). secret key (f, g) from the public key h is reduced to finding a shortest vector of the lattice. Let h = (h0, h1, ··· , hN−1) 3) Decryption.: To decrypt an encrypted message e using be the public key. The NTRU lattice L is the lattice of the private key f, one computes dimension 2N generated by the row vectors of a matrix of the following form a = f ∗ e mod q,   λIN H a −q/2 q/2 M(L) = where the coefficients of lie between and . 0 qIN The message m is then obtained from a by reducing the   −1 λ 0 ··· 0 h0 h1 ··· hN−1 coefficients of fp ∗ a modulo p.  0 λ ··· 0 hN−1 h0 ··· hN−2    C. The LLL algorithm  ......   ......    Since lattice reduction is an essential tool for our attack,  0 0 ··· λ h1 h2 ··· h0  =   . let us recall a few facts about lattices and reduced basis.  0 0 ··· 0 q 0 ··· 0  m   Let u1, . . . , un ∈ R be linearly independent vectors with  0 0 ··· 0 0 q ··· 0    n ≤ m. The lattice L spanned by (u1, . . . , un) consists of  ......  ...... all integral linear combinations of u , . . . , u , that is   1 n 0 0 ··· 0 0 0 ··· q ( n )

X −1 L = Zu1 ⊕ · · · ⊕ Zun = biui, bi ∈ Z . Since h = fq ∗ g (mod q), then f ∗ h − qu = g for some i=1 u ∈ R and   The set (u1, . . . , un) is called a lattice basis. A lattice can λI H (f, −u) ∗ M(L) = (f, −u) ∗ N = (λf, g). be conveniently represented by a matrix B whose rows are 0 qIN the vectors u1, . . . , un. The determinant of the lattice L is defined as So the vector (λf, g) is a short vector in the NTRU lattice q L, which is with high probability the shortest vector of det(L) = det (BBT ). L. Hence, an attacker uses lattice reduction algorithms to Any two bases of the same lattice L are related by some find (f, g) from L, then he can recover the private keys. integral matrix of determinant ±1. More precisely, the Gaussian heuristic says that the length of There are several natural computational problems relating the shortest non-zero vector is usually approximately σ(L) to lattices. An important problem is the shortest vector where problem (SVP): given a basis matrix B for L, compute a r dim(L) non-zero vector v ∈ L such that kvk is minimal. σ(L) = (det L)1/ dim(L) 2πe In 1982, Lenstra, Lenstra and Lovasz´ [5] introduced the r 2N N LLL reduction algorithm which produces an LLL-reduced = (λq) 2N basis b , . . . , b of L with the following property 2πe 1 n r λqN n(n−1) 1 = . kb1k ≤ kb2k ≤ ... ≤ kbik ≤ 2 4(n+1−i) det(L) n+1−i , πe Hence, in order to maximize the probability of breaking the Proof: Assume that f ∗h = g+qu and f ∗h0 = g0 +qu0. NTRU system using lattice reduction, the attacker should Substracting the two equalities, we get choose λ to minimize the ratio f ∗ h − f ∗ h0 = f ∗ (h − h0) = g − g0 (mod q). k(λf, g)k pλ2kfk2 + kgk2 c = = . 0 0 σ(L) q λqN This implies that the vector (λf, g −g ) is in L(h, h ). Next, πe we have This occurs for λ = kgk/kfk which leads to (f, −u + u0) ∗ M(h, h0) s  λI H − H0  2πekgkkfk = (f, −u + u0) ∗ N c = . (1) 0 qI qN N = (λf, g − g0). The ratio c measures how much smaller the key is compared to the expected smallest vector. If c is very small then we This terminates the proof. expect a lattice reduction algorithm as LLL to have an easier B. The Gaussian heuristics time finding it. For a random lattice L, the Gaussian heuristic says that IV. THE NEW ATTACK WHEN kg − g0k < min(kgk, kg0k) the length of the shortest non-zero vector is approximately r A. The new lattice dim(L) σ(L) = det L1/ dim(L). Let 2πe N−1 N−1 0 X i 0 X 0 i The dimension and determinant of L(h, h ) are given by h(X) = hiX , h (X) = hiX , 0 0 N N i=0 i=0 dim(L(h, h )) = 2N, det(L(h, h )) = λ q . be two NTRU public keys created by the private poly- Hence for the lattice L(h, h0), we have nomials (f, g) and (F 0,G0) with the same parameters r (N, p, q, df , dg, dr, dm), that is λNq σ(L(h, h0)) = . −1 0 0−1 0 πe h = fq ∗ g (mod q), h = Fq ∗ G (mod q). Let us define the ratio Let g0 = f ∗ h0 (mod q). Then k(λf, g − g0)k 0 −1 0 c1 = 0 . h = fq ∗ g (mod q). σ(L(h, h ))

For a positive constant λ, define the lattice So c1 is the ratio of the length of the target vector to the length of the expected shortest vector. The smaller the value 0  2 0 L(h, h ) = (λv, w) ∈ R : w = v ∗ (h − h ) (mod q) . of c1, the easier it will be to find the target vector. Thus, the idea to increase the chances of LLL to find (λf, g − g0) is This is a 2N-dimension lattice spanned by the matrix to choose λ such that k(λf, g − g0)k is as small as possible  λI H − H0  compared to σ(L(h, h0)). In L(h, h0), we have M(h, h0) = N , 0 qIN k(λf, g − g0)k = pλ2kfk2 + kg − g0k2. where H − H0 is the circulant matrix It turns out that we should choose  0 0 0  h0 − h0 h1 − h1 ··· hN−1 − hN−1 0 0 0 kg − g0k  hN−1 − hN−1 h0 − h0 ··· hN−2 − hN−2  λ = .   .  . . .. .  kfk  . . . .  0 0 0 This implies that the ratio c satisfies h1 − h1 h2 − h2 ··· h0 − h0 1 s The matrix M(h, h0) has the following property. 2πekg − g0kkfk 0 c = . Proposition 4.1: Let h, h be two NTRU public keys. 1 qN Assume that Let us compare the ratio c1 and the ratio c as defined by (1) 0 0 0 f ∗ h = g + qu, f ∗ h = g + qu . in the the attack of Coppersmith and Shamir. Our attack will be more efficient when c < c. This leads to the following Then the vector (λf, g − g0) is in the lattice L(h, h0) and 1 condition (f, −u + u0) ∗ M(h, h0) = (λf, g − g0). kg − g0k < min(kgk, kg0k). V. THE NEW ATTACK WHEN kf − f 0k < min (kfk, kf 0k) B. The Gaussian heuristics A. The new lattice We can apply the the Gaussian heuristic to the lattice 0 −1 0 0−1 0 Lq(h, h ). The shortest non-zero vector is approximately Let h = fq ∗ g (mod q) and h = Fq ∗ G (mod q) be two NTRU public keys with the same parameters 0 σ(Lq(h, h )) (N, p, q, df , dg, dr, dm). In this section, we assume that h, r 0 0 0 N  0 dim(Lq(h, h )) 0 1/ dim(Lq (h,h )) h are invertible in Zq[X]/ X − 1 . Let hq and hq be = det Lq(h, h ) their inverses. Define f 0 = g ∗ h0 . We have 2πe q r λNq 0 0 = . g ∗ hq = f (mod q), g ∗ hq = f (mod q). πe Let To compare the length of the target vector (λg, f − f 0) to 0 N−1 N−1 the length of the expected shortest vector σ(Lq(h, h )), we X i 0 X 0 i consider the ratio hq(X) = hq,iX , hq(X) = hq,iX , i=0 i=0 k(λg, f − f 0)k c2 = . 0 σ(L (h, h0)) be the representations of hq(X) and hq(X) in q N  Zq[X]/ X − 1 . For a positive constant λ, define In order to increase the chances of LLL to find the vector the 2N dimension lattice (λg, f − f 0), the attacker chooses the balancing constant λ 0 0 to make c2 as small as possible. For the lattice Lq(h, h ), Lq(h, h )  2 0  we have = (λv, w) ∈ R : w = v ∗ hq − hq (mod q) . k(λg, f − f 0)k = pλ2kgk2 + kf − f 0k2. The lattice is generated by the row vectors of the matrix 0 Mq(h, h ) given below Hence the optimal choice for λ is

 0  0 0 λIN Hq − Hq kf − f k Mq(h, h ) = , λ = . 0 qIN kgk 0 where Hq − Hq is the circulant matrix which leads to  0 0  s hq,0 − hq,0 ··· hq,N−1 − hq,N−1 2πekf − f 0kkgk 0 0 c = .  hq,N−1 − h ··· hq,N−2 − h  2  q,N−1 q,N−2  qN  . . .  . . .. .   To increase the chance of this attack to find (λg, f − f 0) h − h0 ··· h − h0 q,1 q,1 q,0 q,0 comparatively to the attack of Coppersmith and Shamir, we 0 The matrix Mq(h, h ) has the following property. should have c2 < c where c is the constant defined by (1). Proposition 5.1: Let h, h0 be two NTRU public keys and This gives the condition h , h0 their inverses in [X]/ XN − 1. Assume that q q Zq kf − f 0k < min (kfk, kf 0k) . 0 0 0 g ∗ hq = f + qv, g ∗ hq = f + qv . VI.CONCLUSION 0 0 Then the vector (λg, f − f ) is in the lattice Lq(h, h ) and We have shown that choosing two NTRU public keys −1 0 0−1 0 (g, −v + v0) ∗ M (h, h0) = (λg, f − f 0). h = fq ∗ g (mod q) and h = Fq ∗ G (mod q) could q 0 0 −1 0 be insecure in some cases. Rewriting h as h = fq ∗ g 0 0 0 0 0 Proof: Assume that g∗hq = f+qv and g∗hq = f +qv . (mod q), where g = f ∗ h (mod q), we have shown, that 0 0 Then g ∗ hq = f (mod q) and g ∗ hq = f (mod q). This using lattice reduction techniques, it is possible to find the 0 0 0 0 gives g ∗ (hq − hq) = f − f (mod q) and it follows that private key (f, g) when kg−g k < min (kgk, kg k). We have 0 0 0 the vector (λg, f − f ) is in Lq(h, h ). More precisely, shown that the same techniques apply when h is invertible modulo q and kf − f 0k < min (kfk, kf 0k). Here f 0 is 0 0 (g, −v + v ) ∗ Mq(h, h ) defined by the equality f 0 ∗ h0 = g (mod q). For imple-  0  0 λIN Hq − Hq mentations of NTRU key pair generation we recommend = (g, −v + v ) ∗ 0 0 0 qIN to build in a check for kg − g k > min (kgk, kg k) and 0 0 = (λg, f − f 0). kf −f k > min (kfk, kf k). This is very easy to implement, and will only in extremely rare cases imply that the key pair This terminates the proof. is to be rejected. REFERENCES [1] D. Boneh. Twenty years of attacks on the RSA cryptosystem. Notices of the American Mathematical Society (AMS) 46 (2), 203–213 (1999).

[2] D. Coppersmith and A. Shamir. Lattice attacks on NTRU, In Advances in cryptology-Eurocrypt’97, volume 1233 of Lecture Notes in Comput. Sci., pages 52–61. Springer, Berlin, (1997).

[3] T. El Gamal. A public key cryptosystem and signature scheme based on discrete logarithms, IEEE Transactions on Informa- tion Theory IT-31, 496–473, (1985).

[4] J. Hoffstein, J. Pipher, and J. H. Silverman. NTRU: A Ring Based Public Key Cryptosystem in Algorithmic Number The- ory, Lecture Notes in Computer Science 1423, Springer-Verlag, pages 267–288, (1998).

[5] A.K. Lenstra, H.W. Lenstra and L. Lovasz.´ Factoring polyno- mials with rational coefficients, Mathematische Annalen, Vol. 261, 513-534 (1982).

[6] V. Lyubashevsky, C. Peikert, O. Regev. On Ideal Lattices and over Rings. Advances in cryptology- Eurocrypt 2010, pages 1–23, Lecture Notes in Comput. Sci., 6110, Springer, Berlin (2010).

[7] A. May and M. Ritzenhofen. Implicit factoring: On polynomial time factoring given only an implicit hint. In Stanislaw Jarecki and Gene Tsudik, editors, Public Key Cryptography, volume 5443 of Lecture Notes in Computer Science, pages 1–14. Springer (2009).

[8] R. Rivest, A. Shamir, L. Adleman. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems, Communi- cations of the ACM, Vol. 21 (2), 120–126 (1978).

[9] S. Sarkar, S. Maitra. Further Results on Implicit Factoring in Polynomial Time. Advances in Mathematics of Communica- tions, 3(2), 205–217 (2009).

[10] P.W. Shor. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer, SIAM J. Computing 26, 1484–1509 (1997).

[11] D. Stehle´ and R. Steinfeld. Making NTRU as Secure as Worst- Case Problems over Ideal Lattices, in Kenneth G. Paterson (Ed.): Advances in Cryptology - Eurocrypt 2011, Lecture Notes in Computer Science 6632, 27–47, Springer (2011).