An Algorithm for NTRU Problems and Cryptanalysis of the GGH Multilinear Map without an encoding of zero

Authors

  • Jung Hee Cheon
  • Jinhyuck Jeong
  • Changmin Lee
Abstract

Let h and g be polynomials of bounded Euclidean norm in the ring Z[X]/⟨X+1⟩. Given polynomial [h/g]q ∈ Zq[X]/⟨X+1⟩, the NTRU problem is to find a, b ∈ Z[X]/⟨X + 1⟩ with small Euclidean norm such that [a/b]q = [h/g]q. We propose an algorithm to solve the NTRU problem which runs in 2 2 q) time when ∥g∥, ∥h∥ and ∥g^{-1}∥ are in some range. The main technique of our algorithm is to reduce a problem on a field to one in a subfield. Recently, the GGH scheme, the first candidate of a (approximate) multilinear map, was known to be insecure by the Hu-Jia attack using encodings of zero, but no polynomial time attack was known without them. Our algorithm can be directly applied to construct level-0 encodings of zero and so utilized to attack the GGH scheme without encodings of zero in polynomial time of its security parameter.


Similar resources

An Algorithm for NTRU Problems and Cryptanalysis of the GGH Multilinear Map without a Low Level Encoding of Zero

Let f and g be polynomials of a bounded Euclidean norm in the ring Z[X]/⟨X+1⟩. Given the polynomial [f/g]q ∈ Zq[X]/⟨X+1⟩, the NTRU problem is to find a, b ∈ Z[X]/⟨X + 1⟩ with a small Euclidean norm such that [a/b]q = [f/g]q. We propose an algorithm to solve the NTRU problem, which runs in 2 2 λ) time when ∥g∥, ∥f∥, and ∥g^{-1}∥ are within some range. The main technique of our algorithm is the redu...


Cryptanalysis of Middle Lattice on the Overstretched NTRU Problem for General Modulus Polynomial

The overstretched NTRU problem, which is the NTRU problem with super-polynomial size q in n, is one of the most important candidates for higher level cryptography. Unfortunately, Albrecht et al. in Crypto 2016 and Cheon et al. in ANTS 2016 proposed so-called subfield attacks which demonstrate that the overstretched NTRU problems with power-of-two cyclotomic modulus are not secure enough with gi...


Cryptanalysis of the Multilinear Map over the Integers

We describe a polynomial-time cryptanalysis of the (approximate) multilinear map of Coron, Lepoint and Tibouchi (CLT). The attack relies on an adaptation of the so-called zeroizing attack against the Garg, Gentry and Halevi (GGH) candidate multilinear map. Zeroizing is much more devastating for CLT than for GGH. In the case of GGH, it allows to break generalizations of the Decision Linear and S...


Cryptanalysis of the multilinear map on the ideal lattices

We improve the zeroizing attack on the multilinear map of Garg, Gentry and Halevi (GGH). Our algorithm can solve the Graded Decisional Diffie-Hellman (GDDH) problem on the GGH scheme when the dimension n of the ideal lattice Z[X]/(X+1) is O(κλ) as suggested for the κ-linear GGH scheme. The zeroizing attack is to recover a basis of an ideal generated by a secret element g ∈ Z[X]/(X + 1) from the...


Multilinear Maps Using Random Matrix

Garg, Gentry and Halevi (GGH) described the first candidate multilinear maps using ideal lattices. However, Hu and Jia presented an efficient attack on GGH map, which breaks the GGH-based applications of multipartite key exchange (MPKE) and witness encryption (WE) based on the hardness of 3-exact cover problem. We describe a new construction of multilinear map using random matrix, which support...



Journal title:
  • IACR Cryptology ePrint Archive

Volume 2016  Issue 

Pages  -

Publication date 2016