Cryptanalysis of NTRU with Two Public Keys

Abderrahmane Nitaj, Laboratoire de Mathématiques Nicolas Oresme, Université de Caen, France. Email: [email protected]

Abstract—NTRU is a fast public key cryptosystem presented in 1996 by Hoffstein, Pipher and Silverman. It operates in the ring of truncated polynomials. In NTRU, a public key is a polynomial defined by the combination of two private polynomials. In this paper, we consider NTRU with two different public keys defined by different private keys. We present a lattice-based attack to recover the private keys assuming that the public keys share polynomials with a suitable number of common coefficients.

Keywords-NTRU cryptosystem; Lattice attacks; Cryptanalysis;

I. INTRODUCTION

The NTRU Public Key Cryptosystem is a ring-based cryptosystem that was first introduced in the rump session at Crypto'96 [4]. It is one of the fastest public-key cryptosystems, offering both encryption (NTRUEncrypt) and digital signatures (NTRUSign). It is a relatively new cryptosystem that appears to be more efficient than the current and more widely used public-key cryptosystems, such as RSA [8] and El Gamal [3]. It is well known that the security of RSA and El Gamal relies on the difficulty of factoring large composite integers or computing discrete logarithms. However, in 1994, Shor [10] showed that quantum computers can be used to factor integers and to compute discrete logarithms in polynomial time. Since NTRU does not rely on the difficulty of factoring or computing discrete logarithms and is still considered secure even against quantum computer attacks, it is a promising alternative to the more established public key cryptosystems. In [4], Hoffstein, Pipher and Silverman have studied different possible attacks on NTRU. The brute force and the meet-in-the-middle attacks may be used against the private key or against a single message but will not succeed in a reasonable time. The multiple transmission attack also will fail for a suitable choice of parameters. However, we notice that NTRU suggests that the public key should be changed very frequently, for each transmission if possible. The most important attack, presented by Coppersmith and Shamir [2] in 1997, makes use of the LLL algorithm of Lenstra, Lenstra and Lovász [5]. Coppersmith and Shamir constructed a lattice generated by the public key and found a factorization of the public key that could be used to break the system if the NTRU parameters are poorly set.

The NTRU cryptosystem depends on three integer parameters $(N, p, q)$ and four sets $L_f$, $L_g$, $L_r$, $L_m$ of polynomials of degree $N-1$ with small integer coefficients. Let $\mathbb{Z}_q$ denote the ring of integers modulo $q$. The operations of NTRU take place in the ring of truncated polynomials $\mathbb{Z}_q[X]/(X^N-1)$. In this ring, the addition of two polynomials is defined as pairwise addition of the coefficients of the same degree, and multiplication, denoted "$*$", is defined as convolution multiplication. In NTRU, to create a public key $h$, one chooses a private key $(f, g)$ composed of two polynomials $f$ and $g$ and computes

$$h = f_q^{-1} * g \in \mathbb{Z}_q[X]/(X^N-1),$$

where $f_q^{-1}$ is the inverse of $f$ in $\mathbb{Z}_q[X]/(X^N-1)$.

In this paper, we consider NTRU with two public keys $h$, $h'$ defined by the private keys $(f, g)$ and $(F', G')$ with

$$h' = F'^{-1}_q * G' \pmod q.$$

Since $f$ is invertible in $\mathbb{Z}_q[X]/(X^N-1)$, we can define $g' = f * h' \pmod q$ so that

$$h' = f_q^{-1} * g' \pmod q.$$

The main objective of this paper is to show how to find the private key $(f, g)$ when

$$\|g - g'\| < \min(\|g\|, \|g'\|).$$

Using $h$ and $h'$, we construct a lattice $L(h, h')$ of dimension $2N$, and applying the lattice basis reduction algorithm LLL, we show that short vectors in $L(h, h')$ can be used to find the private polynomials $f$, $g$, $g'$ when $\|g - g'\| < \min(\|g\|, \|g'\|)$. Under this condition, it is important to notice that our method is more efficient than the method of Coppersmith and Shamir to recover the private key $(f, g)$ using the public key $h$.

We note that when the polynomials $g$, $g'$ are generated randomly and independently, then with overwhelming probability the condition $\|g - g'\| < \min(\|g\|, \|g'\|)$ is not satisfied. So in practice one can easily avoid this inequality.

Similarly, assume that $h' = F'^{-1}_q * G' \pmod q$ is invertible in $\mathbb{Z}_q[X]/(X^N-1)$. Then we can define a polynomial $f'$ as

$$f' = h'^{-1}_q * g \pmod q,$$

where $h'^{-1}_q$ is the inverse of $h'$ in $\mathbb{Z}_q[X]/(X^N-1)$. Using lattice reduction techniques, we show that it is possible to recover the private key $(f, g)$ assuming that the condition $\|f - f'\| < \min(\|f\|, \|f'\|)$ is fulfilled.

The paper is organized as follows. In Section 2, we give motivation for our work. Section 3 gives a brief mathematical description of NTRU and introduces the LLL algorithm as well as the attack of Coppersmith and Shamir on NTRU. In Section 4, we present our new attack on NTRU with two private keys $(f, g)$ and $(f, g')$ with $\|g - g'\| < \min(\|g\|, \|g'\|)$ and compare it with the attack of Coppersmith and Shamir. In Section 5, we present our new attack on NTRU when $h$ and $h'$ are invertible and $\|f - f'\| < \min(\|f\|, \|f'\|)$. We conclude the paper in Section 6.

II. MOTIVATION

RSA, the most commonly used public-key cryptosystem [8], has stood up remarkably well to years of extensive cryptanalysis and is still considered secure by the cryptographic community (see [1] for more details). RSA derives its security from the difficulty of factoring large numbers of the shape $N = pq$ where $p$, $q$ are large unknown primes of the same bit-size. In some cases, the problem can be slightly easier given two RSA moduli $N = pq$, $N' = p'q'$. If $p = p'$, then it is trivial to factor $N$ and $N'$ by computing $\gcd(N, N')$. However, it is possible to factor $N$ and $N'$ when $p$ and $p'$ share a certain amount of bits (see [7], [9]).

The first paper studying NTRU was written by Coppersmith and Shamir [2]. In that paper, they noted that the best way to attack the NTRU cryptosystem was via the techniques of lattice reduction. Nevertheless, the security of NTRU is also based on the following factorization problem: Given a polynomial $h \in \mathbb{Z}[X]/(X^N-1)$, find two short polynomials $f \in \mathbb{Z}[X]/(X^N-1)$ and $g \in \mathbb{Z}[X]/(X^N-1)$ such that $h = f_q^{-1} * g \pmod q$, where $f_q^{-1}$ is the inverse of $f$ in $\mathbb{Z}_q[X]/(X^N-1)$.

Similarly to RSA with two moduli, consider NTRU with two public keys $h$ and $h'$ defined by the same parameters $(N, p, q)$. Assume that $h = f_q^{-1} * g \pmod q$. Then $h'$ can be expressed as $h' = f_q^{-1} * g' \pmod q$ where $g' = f * h' \pmod q$. The main contribution of this paper is to show how to find the private keys $(f, g)$ when $g$ and $g'$ satisfy $\|g - g'\| < \min(\|g\|, \|g'\|)$.

We notice that lattice-based cryptography is currently seen as one of the most promising alternatives to cryptography based on number theory. Given recent advances in lattice-based cryptography (see [6] and [11]), studying NTRU and related schemes is both useful and timely. In this direction, our work shows that using the same $f$ or the same $g$ in

... the well known attack of Coppersmith and Shamir on NTRU. Further details can be found in [4] and [2].

A. Definitions and notations

We start by introducing the ring

$$R = \mathbb{Z}[X]/(X^N - 1),$$

upon which NTRU operates. We use $*$ to denote a polynomial multiplication in $R$, which is the cyclic convolution of two polynomials. If

$$f = (f_0, f_1, \cdots, f_{N-1}) = \sum_{i=0}^{N-1} f_i X^i, \qquad g = (g_0, g_1, \cdots, g_{N-1}) = \sum_{i=0}^{N-1} g_i X^i,$$

are polynomials of $R$, then $h = f * g$ is given by $h = (h_0, h_1, \cdots, h_{N-1})$, where $h_k$ is defined for $0 \le k \le N-1$ by

$$h_k = \sum_{i+j \equiv k \pmod N} f_i g_j = \sum_{i=0}^{k} f_i g_{k-i} + \sum_{i=k+1}^{N-1} f_i g_{N+k-i}.$$

The Euclidean norm or the length of a polynomial $f = (f_0, f_1, \cdots, f_{N-1})$ is defined as

$$\|f\| = \sqrt{\sum_{i=0}^{N-1} f_i^2}.$$

One more notation is the binary set of polynomials $B(d)$ defined for a positive integer $d$ by

$$B(d) = \left\{ f(X) = \sum_{i=0}^{N-1} f_i X^i,\ f_i \in \{0, 1\},\ \sum_{i=0}^{N-1} f_i = d \right\}.$$

In other words, $B(d)$ is the set of polynomials of $R$ with $d$ coefficients equal to 1 and all the other coefficients equal to 0.

Different descriptions of NTRUEncrypt and different proposed parameter sets have been in circulation since 1996. The 2005 instantiation of NTRU is set up by six public integers $N$, $p$, $q$, $d_f$, $d_g$, $d_r$ and four public spaces $L_f$, $L_g$, $L_m$, $L_r$ such that
• $N$ is prime and sufficiently large to prevent lattice attacks.
• $p$ and $q$ are relatively prime.
• $q$ is much larger than $p$.
• $L_f$ is a set of small polynomials from which the private keys are selected.
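The ring arithmetic of the definitions above and the two-key relation of the introduction, as an added Python example that is not part of the paper: it implements $*$ as the split sum for $h_k$, the norm $\|\cdot\|$, membership in $B(d)$, the public key $h = f_q^{-1} * g$ and the derived polynomial $g' = f * h' \pmod q$, and evaluates the paper's condition $\|g - g'\| < \min(\|g\|, \|g'\|)$. The toy parameters used to exercise it ($N = 7$, $q = 41$ chosen prime so that inversion is a linear solve, and all polynomials) are constructed assumptions, not the paper's parameter set.

```python
import math

def conv(f, g):
    """Cyclic convolution h = f * g in Z[X]/(X^N - 1), written as the paper's split sum:
    h_k = sum_{i=0}^{k} f_i g_{k-i} + sum_{i=k+1}^{N-1} f_i g_{N+k-i}."""
    N = len(f)
    return [sum(f[i] * g[k - i] for i in range(k + 1))
            + sum(f[i] * g[N + k - i] for i in range(k + 1, N)) for k in range(N)]

def center(a, q):
    """Reduce coefficients mod q into [-q//2, q//2) so that small polynomials stay small."""
    return [((c + q // 2) % q) - q // 2 for c in a]

def norm(a):
    """Euclidean norm ||f|| = sqrt(sum f_i^2)."""
    return math.sqrt(sum(c * c for c in a))

def in_binary_set(a, d):
    """Membership in B(d): every coefficient is 0 or 1 and exactly d of them are 1."""
    return all(c in (0, 1) for c in a) and sum(a) == d

def inverse(f, q):
    """f_q^{-1} in Z_q[X]/(X^N - 1): solve f * x = 1 by Gauss-Jordan elimination on the circulant
    matrix of f (entry [k][j] = f_{(k-j) mod N}). Assumes q prime (toy setting, not NTRU's q = 2^k)."""
    N = len(f)
    M = [[f[(k - j) % N] % q for j in range(N)] + [int(k == 0)] for k in range(N)]
    for col in range(N):
        piv = next((r for r in range(col, N) if M[r][col]), None)
        if piv is None: raise ValueError("f is not invertible modulo q")
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, q)
        M[col] = [v * inv % q for v in M[col]]
        for r in range(N):
            if r != col and M[r][col]:
                c = M[r][col]
                M[r] = [(a - c * b) % q for a, b in zip(M[r], M[col])]
    return [row[N] for row in M]

def public_key(f, g, q):
    """h = f_q^{-1} * g (mod q)."""
    return [c % q for c in conv(inverse(f, q), g)]

def derived_g(f, h2, q):
    """g' = f * h' (mod q), centered: the polynomial the paper pairs with the first key's f."""
    return center(conv(f, h2), q)

def attack_condition(g, g2):
    """The paper's precondition ||g - g'|| < min(||g||, ||g'||)."""
    return norm([a - b for a, b in zip(g, g2)]) < min(norm(g), norm(g2))
```

With these definitions, a second key built from the same f and a g' differing from g in one coefficient satisfies the condition, whereas a key built from an independent (F', G') yields a g' whose coefficients are spread over Z_q, so the condition fails, as the paper remarks.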
