2016
DOI: 10.1007/978-3-662-53018-4_6

A Subfield Lattice Attack on Overstretched NTRU Assumptions

Abstract: The subfield attack exploits the presence of a subfield to solve overstretched versions of the NTRU assumption: norming the public key h down to a subfield may lead to an easier lattice problem and any sufficiently good solution may be lifted to a short vector in the full NTRU-lattice. This approach was originally sketched in a paper of Gentry and Szydlo at Eurocrypt'02 and there also attributed to Jonsson, Nguyen and Stern. However, because it does not apply for small moduli and hence NTRUEncrypt, i…

Cited by 139 publications (72 citation statements)

References 46 publications

“…We present a theoretical construction with suggested parameters in the asymptotic sense. There are a batch of cryptanalyses work aiming at NTRU, such as hybrid attack [19], subfield attack [1] and straightforward attack [22]. Detailed analyses of our NTRU variant against these attacks should be well considered.…”
Section: Discussion (mentioning)
confidence: 99%
“…If ω n 2 log 0.5 n p 2 rt/q < 1 (resp. ω n log 0.5 n p 2 rt/q < 1 if deg p = 0) and t = √ nαq (n−1)k log((n−1)k) 1/4 > 1, then the decryption algorithm of NTRUEncrypt recovers M with probability 1 − n^{−ω(1)} over the choice of s, e, f, g.…”
Section: Decryption (mentioning)
confidence: 99%
“…A practical variant of their scheme, which reintroduces the DSRP assumption is also presented in the same work. However, it is later shown that the optimizations and parameter selection that yield a significant increase in the performance makes it vulnerable to sub-field lattice attacks [Albrecht et al 2016]. The attack shown by Albrecht et al affected not only [Bos et al 2013], but every other NTRU-like scheme, which relies on DSRP problem and whose parameters (e.g., secret key, modulus) are chosen poorly.…”
Section: LWE-based FHE Schemes (mentioning)
confidence: 99%