Revisiting Lattice Attacks on Overstretched NTRU Parameters

124

Abstract. Several ideal-lattice-based cryptosystems have been broken by recent attacks that exploit special structures of the rings used in those cryptosystems. The same structures are also used in the leading proposals for post-quantum lattice-based cryptography, including the classic NTRU cryptosystem and typical Ring-LWE-based cryptosystems. This paper (1) proposes NTRU Prime, which tweaks NTRU to use rings without these structures; (2) proposes Streamlined NTRU Prime, a public-key cryptosystem optimized from an implementation perspective, subject to the standard design goal of IND-CCA2 security; (3) finds high-security post-quantum parameters for Streamlined NTRU Prime; and (4) optimizes a constant-time implementation of those parameters. The resulting sizes and speeds show that reducing the attack surface has very low cost.

Section: The Design Space Of Lattice-based Encryptionmentioning

confidence: 99%

Section: Choosing Haswell Multiplication Instructionsmentioning

confidence: 99%

NTRU Prime: Reducing Attack Surface at Low Cost

Bernstein

Chuengsatiansup

Lange

et al. 2017

124

“…Yet, this proposal surprisingly relies on the seemingly stronger NTRU assumption ("unusuallyShort Vector Problem" over modules of rank 2). In the current state of affairs [KF16], there seems to be an asymptotic hardness gap between NTRU and Ring-LWE, whatever the ring 2 , and down to quite small polynomial approximation factors. Should the concrete security claims of [BCLvV16] not be directly affected, the same reasonable precaution principle should favor weaker assumptions, involving modules of a larger rank.…”

Section: Impact Open Questions and Recommendationsmentioning

confidence: 89%

Short Stickelberger Class Relations and Application to Ideal-SVP

Cramer

Ducas

Wesolowski

2017

Abstract. The hardness of finding short vectors in ideals of cyclotomic number fields (Ideal-SVP) serves as the worst-case hypothesis underlying the security of numerous cryptographic schemes, including key-exchange, public-key encryption and fully-homomorphic encryption. A series of recent works has shown that, for large approximation factors, Principal Ideal-SVP is not as hard as finding short vectors in general lattices. Namely, there exists a quantum polynomial time algorithm for an approximation factor of exp(Õ( √ n)), even in the worst-case. Some schemes were broken, but more generally this exposed an unexpected hardness gap between general lattices and some structured ones, and called into question the exact security of various assumption over structured lattices.In this work, we generalize the previous result to general ideals. We show an efficient way of finding a close enough principal multiple of any ideal by exploiting the classical theorem that, in our setting, the class-group is annihilated by the (Galois-module action of) the so-called Stickelberger ideal. Under some plausible number-theoretical hypothesis, we conclude that worstcase Ideal-SVP in this same set-up -choice of ring, and approximation factor exp(Õ( √ n)) -is also solvable in quantum polynomial time. Although it is not yet clear whether the security of further cryptosystems is directly affected, we contribute novel ideas to the cryptanalysis of schemes based on structured lattices. Moreover, our result shows a deepening of the gap between general lattices and structured one.

“…From some recent papers on lattice-based cryptography one might get the impression that NTRU has been "superseded" by public-key encryption based on Ring-LWE [39] or by NTRU Prime [3]. For example, Kirchner and Fouque write in [35]: "Since the practical cost of transforming a [sic] NTRU-based cryptosystem into a Ring-LWE-based cryptosystem is usually small, especially for key-exchange [...], we recommend to dismiss the former, in particular since it is known to be weaker." Bernstein, Chuengsatiansup, Lange, and van Vredendaal write in [3]: "Rings of the form (Z/q)[x]/(x p − 1), where p is a prime and q is a power of 2, are used in the classic NTRU cryptosystem, and have none of our recommended defenses.…”

Section: Introductionmentioning

confidence: 99%

High-Speed Key Encapsulation from NTRU

Hülsing

Rijneveld

Schanck

et al. 2017

Abstract. This paper presents software demonstrating that the 20-year-old NTRU cryptosystem is competitive with more recent latticebased cryptosystems in terms of speed, key size, and ciphertext size. We present a slightly simplified version of textbook NTRU, select parameters for this encryption scheme that target the 128-bit post-quantum security level, construct a KEM that is CCA2-secure in the quantum random oracle model, and present highly optimized software targeting Intel CPUs with the AVX2 vector instruction set. This software takes only 307 914 cycles for the generation of a keypair, 48 646 for encapsulation, and 67 338 for decapsulation. It is, to the best of our knowledge, the first NTRU software with full protection against timing attacks.