NTRU is one of the most widely used public-key cryptosystems, and its security has been an active research topic. This paper proposes a new way to find the NTRU-2005 private key. The algorithm is based on the meet-in-the-middle attack and a quantum algorithm for searching for a fixed weight target. Compared with the current classical and quantum meet-in-the-middle attacks, our algorithm has lower time and space complexity. Moreover, this attack can also be applied against different versions of NTRU. The result can help to better understand the security of NTRU.

Keywords: quantum algorithm, NTRU, meet-in-the-middle attack
Citation: Wang H, Ma Z, Ma C G. An efficient quantum meet-in-the-middle attack against NTRU-2005. Chin Sci Bull, 2013, 58: 3514-3518, doi: 10.1007

How to use quantum computational theory to improve classical cryptanalysis has long been an important issue. NTRU is a public-key cryptosystem based on the shortest lattice vector problem. At an equivalent security level, NTRU needs less memory and has lower computational complexity than RSA. At present, no efficient quantum algorithm is known that solves the shortest lattice vector problem, so NTRU is believed to be secure in the quantum era [1]. In fact, with the rapid development of quantum computation, all cryptosystems based on the problems of large integer factorization and discrete logarithm are potentially fragile. However, it is still unclear what effect quantum computational theory could have on the security of NTRU.

The classical meet-in-the-middle (MITM) attack is a generic cryptanalytic method that originated in the cryptanalysis of block ciphers. Recently, this technique has also been found to be quite useful in the cryptanalysis of public-key cryptography. The MITM attack is the best algorithm for attacking NTRU at present. Grover [2] proposed a generic quantum search algorithm which gives a quadratic speedup over classical brute-force search. However, it is not yet known whether Grover's algorithm can speed up the classical MITM attack.

There are some new developments in the classical cryptanalysis of NTRU, such as the lattice attack, hybrid attack [3], broadcast attack [4], etc. Ludwig [5] combined the lattice reduction technique with Grover's algorithm and put forward a novel quantum attack algorithm against NTRU. However, the attack algorithm in [5] is not better than the classical MITM attack. In 2011, a quantum algorithm for finding a fixed weight target was proposed [6]. At the same time, the author analyzed the security of NTRU using the proposed algorithm.
The computational complexity of Wang's algorithm is significantly lower than that of a classical brute-force search, but still higher than that of a classical MITM attack.

Xiong et al. [7] combined the MITM attack with Grover's quantum search algorithm and developed a quantum MITM attack method against NTRU. The time complexity