An Algorithm for NTRU Problems and Cryptanalysis of the GGH Multilinear Map without an encoding of zero
نویسندگان
چکیده
Let h and g be polynomials of bounded Euclidean norm in the ring Z[X]/⟨X+1⟩. Given polynomial [h/g]q ∈ Zq[X]/⟨X+1⟩, the NTRU problem is to find a, b ∈ Z[X]/⟨X + 1⟩ with small Euclidean norm such that [a/b]q = [h/g]q. We propose an algorithm to solve the NTRU problem which runs in 2 2 q) time when ∥g∥, ∥h∥ and ∥g−1∥ are in some range. The main technique of our algorithm is to reduce a problem on a field to one in a subfield. Recently, the GGH scheme, the first candidate of a (approximate) multilinear map, was known to be insecure by the Hu-Jia attack using encodings of zero, but no polynomial time attack was known without them. Our algorithm can be directly applied to construct level-0 encodings of zero and so utilized to attack the GGH scheme without encodings of zero in polynomial time of its security parameter.
منابع مشابه
An Algorithm for NTRU Problems and Cryptanalysis of the GGH Multilinear Map without a Low Level Encoding of Zero
Let f and g be polynomials of a bounded Euclidean norm in the ring Z[X]/⟨X+1⟩. Given the polynomial [f/g]q ∈ Zq[X]/⟨X+1⟩, the NTRU problem is to find a, b ∈ Z[X]/⟨X + 1⟩ with a small Euclidean norm such that [a/b]q = [f/g]q. We propose an algorithm to solve the NTRU problem, which runs in 2 2 λ) time when ∥g∥, ∥f∥, and ∥g−1∥ are within some range. The main technique of our algorithm is the redu...
متن کاملCryptanalysis of Middle Lattice on the Overstretched NTRU Problem for General Modulus Polynomial
The overstretched NTRU problem, which is the NTRU problem with super-polynomial size q in n, is one of the most important candidates for higher level cryptography. Unfortunately, Albrecht et al. in Crypto 2016 and Cheon et al. in ANTS 2016 proposed so-called subfield attacks which demonstrate that the overstretched NTRU problems with power-of-two cyclotomic modulus are not secure enough with gi...
متن کاملCryptanalysis of the Multilinear Map over the Integers
We describe a polynomial-time cryptanalysis of the (approximate) multilinear map of Coron, Lepoint and Tibouchi (CLT). The attack relies on an adaptation of the so-called zeroizing attack against the Garg, Gentry and Halevi (GGH) candidate multilinear map. Zeroizing is much more devastating for CLT than for GGH. In the case of GGH, it allows to break generalizations of the Decision Linear and S...
متن کاملCryptanalysis of the multilinear map on the ideal lattices
We improve the zeroizing attack on the multilinear map of Garg, Gentry and Halevi (GGH). Our algorithm can solve the Graded Decisional Diffie-Hellman (GDDH) problem on the GGH scheme when the dimension n of the ideal lattice Z[X]/(X+1) is O(κλ) as suggested for the κ-linear GGH scheme. The zeroizing attack is to recover a basis of an ideal generated by a secret element g ∈ Z[X]/(X + 1) from the...
متن کاملMultilinear Maps Using Random Matrix
Garg, Gentry and Halevi (GGH) described the first candidate multilinear maps using ideal lattices. However, Hu and Jia presented an efficient attack on GGH map, which breaks the GGH-based applications of multipartite key exchange (MPKE) and witness encryption (WE) based on the hardness of 3-exact cover problem. We describe a new construction of multilinear map using random matrix, which support...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید
ثبت ناماگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید
ورودعنوان ژورنال:
- IACR Cryptology ePrint Archive
دوره 2016 شماره
صفحات -
تاریخ انتشار 2016