Skip to main content

On the (M)iNTRU Assumption in the Integer Case

  • Conference paper
  • First Online:
Provable and Practical Security (ProvSec 2021)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 13059))

Included in the following conference series:

  • 534 Accesses

Abstract

In AsiaCrypt 2019, Genise, Gentry, Halevi, Li and Micciancio put forth two novel and intriguing computational hardness hypotheses: The inhomogeneous NTRU (\(\mathsf {iNTRU}\)) assumption and its matrix version \(\mathsf {MiNTRU}\). In this work, we break the integer case of the \(\mathsf {iNTRU}\) assumption through elementary lattice reduction, and we describe how the attack might be generalized to polynomial rings and to the low dimensional \(\mathsf {MiNTRU}\) assumption with small noise.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 64.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 84.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    Hereinafter, we will only use the LLL algorithm for lattice reduction. Better results may be achieved using recent results on the BKZ algorithm (see [14]). However, the LLL algorithm suffices for our elementary analysis.

  2. 2.

    For \(\mathcal {R}=\mathbb {Z}\) and random \(x_0,\dots ,x_{\ell }\), the probability that our first attack cannot be used is only \(\left( 1- \frac{\phi (q)}{q}\right) ^{\ell }\) where \(\phi \) denotes the Euler totient function. In particular, if q is prime our first attack should always work.

  3. 3.

    The only possibility for which this would not be the case takes place when \(g=\gcd (y_0,\dots ,y_{\ell -1},q)>1\) as then \((0,\dots ,0,\frac{q}{g})\) will be the shortest lattice vector, but this scenario is rather improbable.

  4. 4.

    This conclusion also holds in the case of a random tuple.

References

  1. Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing (STOC 1996), pp. 99–108, New York, NY, USA. Association for Computing Machinery (1996)

    Google Scholar 

  2. Ajtai, M.: Generating random lattices according to the invariant distribution, March 2006

    Google Scholar 

  3. Albrecht, M.R., Fitzpatrick, R., Göpfert, F.: On the Efficacy of Solving LWE by Reduction to Unique-SVP. In: Lee, H.-S., Han, D.-G. (eds.) ICISC 2013. LNCS, vol. 8565, pp. 293–310. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-12160-4_18

  4. Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)

    Google Scholar 

  5. Gama, N., Nguyen, P.Q.: Predicting Lattice Reduction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 31–51. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_3

  6. Genise, N., Gentry, C., Halevi, S., Li, B., Micciancio, D.: Homomorphic encryption for finite automata. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11922, pp. 473–502. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34621-8_17

  7. Genise, N., Li, B.: Gadget-based iNTRU lattice trapdoors. In: Bhargavan, K., Oswald, E., Prabhakaran, M. (eds.) INDOCRYPT 2020. LNCS, vol. 12578, pp. 601–623. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-65277-7_27

  8. Gentry, C., Peikert, C., Vaikuntanathan,V.: Trapdoors for hard lattices and new cryptographic constructions. In: Proceedings of the Fortieth Annual ACM Symposium on Theory of Computing (STOC 2008), pp. 197–206, New York, NY, USA. Association for Computing Machinery (2008)

    Google Scholar 

  9. Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054868

  10. Kirchner, P., Fouque, P.-A.: Revisiting lattice attacks on overstretched NTRU parameters. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 3–26. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_1

  11. Langlois, A., Stehlé, D.: Worst-case to average-case reductions for module lattices. Des. Codes Cryptogr. 75(3), 565–599 (2014). https://doi.org/10.1007/s10623-014-9938-4

  12. Lee, C., Wallet, A.: Lattice analysis on mintru problem. Cryptology ePrint Archive, Report 2020/230 (2020). https://ia.cr/2020/230

  13. Lenstra, A.K., Lenstra, H., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 515–534 (1982)

    Google Scholar 

  14. Li, J., Nguyen, P.Q.: A complete analysis of the BKZ lattice reduction algorithm. Cryptology ePrint Archive, Report 2020/1237 (2020). https://ia.cr/2020/1237

  15. Peikert, C., Rosen, A.: Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 145–166. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_8

  16. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of the Thirty-Seventh Annual ACM Symposium on Theory of Computing (STOC 2005), pp. 84–93, New York, NY, USA. Association for Computing Machinery (2005)

    Google Scholar 

  17. Wen, W.: Contributions to the hardness foundations of lattice-based cryptography. Ph.D. thesis. Université de Lyon, Computational Complexity, HAL archives-ouvertes.fr (2018)

    Google Scholar 

Download references

Acknowledgement

Jim Barthel was supported in part by the Luxembourg National Research Fund through grant PRIDE15/10621687/SPsquared. Răzvan Roşie was supported in part by ERC grant CLOUDMAP 787390.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Jim Barthel .

Editor information

Editors and Affiliations

A Proof of Lemma 1

A Proof of Lemma 1

We observe that by the properties of the Euclidean and the infinity norm, we have

$$\mathbb {P}\left( \left( \left\| [r\mathbf {y}\mod q^2]\right\| _2\le Bq \right) \cap (r\in S)\right) \le \mathbb {P}\left( \left( \max \big \{ \left| [r\mathbf {y}\mod q^2]\right| \big \}\le Bq\right) \cap (r\in S) \right) $$

where the maximum is taken over all the modulo reduced entries of \(r\mathbf {y}\). The right expression is equal to

$$\mathbb {P}\left( \left( \bigcap _{i=0}^{\ell -1} \underbrace{\big (\left| [ry_iq \mod q^2]\right| \le Bq\big )}_{:=C_i}\right) \cap \underbrace{\big (\left| [r \mod q^2]\right| \le Bq \big )}_{:=C_{\ell }}\cap (r\in S) \right) .$$

Each event \(C_0,\dots ,C_{\ell -1}\) in the probability statement can be written as a union of events \(C_i=\bigcup _{\beta _i=-Bq}^{Bq} ([ry_iq\mod q^2]=\beta _i)\). As this event can only take place whenever \(\beta _i\) is a multiple of q (otherwise, the equality cannot be satisfied), we need only to consider the restricted union of events \(\bigcup _{\beta _i=-B}^{B} ([ry_iq\mod q^2]=\beta _i q)=\bigcup _{\beta _i=-B}^{B} ([ry_i\mod q]=\beta _i)\). Furthermore, \(C_{\ell }=\bigcup _{\beta _{\ell }=-Bq}^{Bq} ([r\mod q^2]=\beta _{\ell })=\bigcup _{\beta _{\ell }=-Bq}^{Bq} (r=\beta _{\ell })\) which is restricted to \(\beta _{\ell }\in S\) by the last condition. Thus, our overall probability is equal to

$$\mathbb {P}\left( \left( \bigcap _{i=0}^{\ell -1} \bigcup _{\beta _i=-B}^{B} ([ry_i\mod q]=\beta _i) \right) \; \cap \; \left( \bigcup _{\underset{\beta _{\ell }\in S}{\beta _{\ell }=-Bq}}^{Bq} (r=\beta _{\ell }) \right) \right) .$$

Reordering the events gives

$$\mathbb {P}\left( \bigcup _{\beta _0=-B}^{B} \dots \bigcup _{\beta _{\ell -1}=-B}^{B} \bigcup _{\underset{\beta _{\ell }\in S}{\beta _{\ell }=-Bq}}^{Bq} \left( \bigcap _{i=0}^{\ell -1} ([ry_{i} \mod q]=\beta _i) \cap (r=\beta _{\ell }) \right) \right) .$$

As the events are mutually exclusive, this probability is equal to

$$\sum _{\beta _0=-B}^B \dots \sum _{\beta _{\ell -1}=-B}^B\sum _{\underset{\beta _{\ell }\in S}{\beta _{\ell }=-Bq}}^{Bq}\mathbb {P}\left( \bigcap _{i=0}^{\ell -1} ([ry_{i} \mod q]=\beta _i) \cap (r=\beta _{\ell }) \right) .$$

Using Bayes’ conditional probability rule followed by Euler’s rule of interchanging finite sums, this quantity can be rewritten as:

$$\begin{aligned}&\sum _{\beta _0=-B}^B \dots \sum _{\beta _{\ell -1}=-B}^B\sum _{\underset{\beta _{\ell }\in S}{\beta _{\ell }=-Bq}}^{Bq}\mathbb {P}\left( r=\beta _{\ell }\right) \mathbb {P}\left( \bigcap _{i=0}^{\ell -1} ([ry_{i} \mod q]=\beta _i) \;\Big |\; (r=\beta _{\ell }) \right) \\ =&\sum _{\underset{\beta _{\ell }\in S}{\beta _{\ell }=-Bq}}^{Bq} \mathbb {P}\left( r=\beta _{\ell } \right) \sum _{\beta _0=-B}^B \dots \sum _{\beta _{\ell -1}=-B}^B\mathbb {P}\left( \bigcap _{i=0}^{\ell -1} ([ry_{i} \mod q]=\beta _i) \;\Big |\; (r=\beta _{\ell }) \right) \end{aligned}$$

Naturally \(\mathbb {P}\left( r=\beta _{\ell } \right) =\frac{1}{q^2}\) for any \(\beta _{\ell }\). It remains to investigate the value of the rightmost probability. To do so, we rewrite \(\beta _{\ell }=g_{\ell }\beta '_{\ell }\) where \(g_{\ell }=\gcd (\beta _{\ell },q)\). Then, for fixed \(\beta _0,\dots ,\beta _{\ell -1},\beta _{\ell }\):

$$\begin{aligned}&\mathbb {P}\left( \bigcap _{i=0}^{\ell -1} ([ry_{i} \mod q]=\beta _i) \;\Big |\; (r=\beta _{\ell }) \right) \\ =\,&\mathbb {P}\left( \bigcap _{i=0}^{\ell -1} ([\beta _{\ell } y_{i} \mod q]=\beta _i) \right) \\ =\,&\mathbb {P}\left( \bigcap _{i=0}^{\ell -1} ([g_{\ell }\beta '_{\ell } y_{i} \mod q]=\beta _i) \right) \end{aligned}$$

The events in this probability will only be satisfiable if \(\beta _i\) is a multiple of \(g_{\ell }\), say \(\beta _i=\beta '_ig_{\ell }\). Thus, our cumulative probability rewrites as

$$\begin{aligned}&\sum _{\underset{\beta _{\ell }\in S}{\beta _{\ell }=-Bq}}^{Bq} \frac{1}{q^2} \sum _{\beta '_0=-\lfloor B/g_{\ell }\rfloor }^{\lfloor B/g_{\ell }\rfloor } \dots \sum _{\beta '_{\ell -1}=-\lfloor B/g_{\ell }\rfloor }^{\lfloor B/g_{\ell }\rfloor } \mathbb {P}\left( \bigcap _{i=0}^{\ell -1} ([g_{\ell }\beta '_{\ell } y_{i} \mod q]=\beta '_ig_{\ell }) \right) \\ =&\sum _{\underset{\beta _{\ell }\in S}{\beta _{\ell }=-Bq}}^{Bq} \frac{1}{q^2} \sum _{\beta '_0=-\lfloor B/g_{\ell }\rfloor }^{\lfloor B/g_{\ell }\rfloor } \dots \sum _{\beta '_{\ell -1}=-\lfloor B/g_{\ell }\rfloor }^{\lfloor B/g_{\ell }\rfloor } \mathbb {P}\left( \bigcap _{i=0}^{\ell -1} ([\beta '_{\ell } y_{i} \mod \frac{q}{g_{\ell }}]=\beta '_i) \right) \\ =&\sum _{\underset{\beta _{\ell }\in S}{\beta _{\ell }=-Bq}}^{Bq} \frac{1}{q^2} \sum _{\beta '_0=-\lfloor B/g_{\ell }\rfloor }^{\lfloor B/g_{\ell }\rfloor } \dots \sum _{\beta '_{\ell -1}=-\lfloor B/g_{\ell }\rfloor }^{\lfloor B/g_{\ell }\rfloor } \mathbb {P}\left( \bigcap _{i=0}^{\ell -1} ([ y_{i} \mod \frac{q}{g_{\ell }}]=[\beta '_i\beta '^{-1}_{\ell }\mod \frac{q}{g_{\ell }}]) \right) \end{aligned}$$

where we used the fact that \(g_{\ell }=\gcd (\beta _{\ell },q)\) which implies that \(\beta '_{\ell }\) is invertible modulo \(\frac{q}{g_{\ell }}\). It is now clear that the remaining events are independent as they only depend on \(y_i\). Thus

$$\begin{aligned}&\mathbb {P}\left( \bigcap _{i=0}^{\ell -1} ([ y_{i} \mod \frac{q}{g_{\ell }}] =[\beta '_i\beta '^{-1}_{\ell }\mod \frac{q}{g_{\ell }}]) \right) \\ =&\prod _{i=0}^{\ell -1} \mathbb {P}\left( [ y_{i} \mod \frac{q}{g_{\ell }}]=[\beta '_i\beta '^{-1}_{\ell }\mod \frac{q}{g_{\ell }}] \right) \\ =&\left( \frac{1}{\frac{q}{g_{\ell }}}\right) ^{\ell }\\ =&\left( \frac{g_{\ell }}{q}\right) ^{\ell }. \end{aligned}$$

Thereby, the cumulative probability is given by

$$ \sum _{\underset{\beta _{\ell }\in S}{\beta _{\ell }=-Bq}}^{Bq} \frac{\ell (2\lfloor B/g_{\ell }\rfloor +1)}{q^2} \left( \frac{g_{\ell }}{q}\right) ^{\ell }. $$

   \(\square \)

Rights and permissions

Reprints and permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Barthel, J., Müller, V., Roşie, R. (2021). On the (M)iNTRU Assumption in the Integer Case. In: Huang, Q., Yu, Y. (eds) Provable and Practical Security. ProvSec 2021. Lecture Notes in Computer Science(), vol 13059. Springer, Cham. https://doi.org/10.1007/978-3-030-90402-9_11

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-90402-9_11

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-90401-2

  • Online ISBN: 978-3-030-90402-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics