A Hybrid Lattice-Reduction and Meet-in-the-Middle Attack Against NTRU

  • Nick Howgrave-Graham
Conference paper

DOI: 10.1007/978-3-540-74143-5_9

Part of the Lecture Notes in Computer Science book series (LNCS, volume 4622)
Cite this paper as:
Howgrave-Graham N. (2007) A Hybrid Lattice-Reduction and Meet-in-the-Middle Attack Against NTRU. In: Menezes A. (eds) Advances in Cryptology - CRYPTO 2007. CRYPTO 2007. Lecture Notes in Computer Science, vol 4622. Springer, Berlin, Heidelberg


To date the NTRUEncrypt security parameters have been based on the existence of two types of attack: a meet-in-the-middle attack due to Odlyzko, and a conservative extrapolation of the running times of the best (known) lattice reduction schemes to recover the private key. We show that there is in fact a continuum of more efficient attacks between these two attacks. We show that by combining lattice reduction and a meet-in-the-middle strategy one can reduce the number of loops in attacking the NTRUEncrypt private key from 284.2 to 260.3, for the k = 80 parameter set. In practice the attack is still expensive (dependent on ones choice of cost-metric), although there are certain space/time tradeoffs that can be applied. Asymptotically our attack remains exponential in the security parameter k, but it dictates that NTRUEncrypt parameters must be chosen so that the meet-in-the-middle attack has complexity 2k even after an initial lattice basis reduction of complexity 2k.

Download to read the full conference paper text

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Nick Howgrave-Graham
    • 1
  1. 1.NTRU Cryptosystems, Inc. 

Personalised recommendations