The NTRU problem with multiple keys arises when a user generates multiple distinct NTRU public keys \(\boldsymbol{h_i} = \boldsymbol{g_i}/\boldsymbol{f} \bmod q\) by keeping its private key \(\boldsymbol{f}\) fixed, and an adversary tries to recover the user’s private key \(\boldsymbol{f}\) by collecting multiple instances of public keys \(\boldsymbol{h_i}\) . At DCC 2023, Kim et al. introduced a polynomial-time algorithm to address this problem. Subsequently, at ICICS 2024, Song et al. identified a weakness in Kim et al.’s approach and proposed their own method. There are various versions of the NTRU algorithm, resulting in different ways of selecting the parameter \(\boldsymbol{f}\) . For instance, in the NIST PQC standardization process, the NTRUEncrypt in Round 1 and NTRU-HPS in Round 3, chooses the private key \(\boldsymbol{f}\) in the form \(\boldsymbol{f} = 1 \bmod p\) to improve efficiency. However, previous studies focus on the scenario where the private key \(\boldsymbol{f}\) is a ternary polynomial with a fixed Hamming weight. In this paper, we propose a polynomial time attack against NTRU with multiple keys, assuming that \(\boldsymbol{f}=1+p*\boldsymbol{F}\) , where \(\boldsymbol{F}\) is a ternary polynomial of degree at most \(N-1\) with a fixed Hamming weight and \(p=3\) . Given the fixed Hamming weight of \(\boldsymbol{g_i}\) , we can derive the initial modular equations from different \(\boldsymbol{h_i}\) . By employing linearization techniques and exploiting the relationships between the coefficients of the equations, we can establish a system of linear modular equations with \(\lfloor \frac{N}{2} \rfloor \) variables that possesses a unique solution. Using this solution, we can effectively recover the private key \(\boldsymbol{f}\) . We conducted experiments using the parameters of NTRU scheme in NIST PQC Competition and achieved successful results with an overwhelming probability. As a by-product, we can naturally extend the multi-key attack scenario to the NTRU-based proxy re-encryption scheme NTRUReEncrypt proposed by Nu \(\mathrm {\tilde{n}}\) ez et al. at AsiaCCS 2015, and successfully recover the user’s private key.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Generalizing Key Recovery Attacks Against NTRU with Multiple Keys and Its Application in NTRUReEncrypt

  • Qingjie Hu,
  • Zhen Liu,
  • Yuchen Cao,
  • Guanju Xiao,
  • Jianhua Wang

摘要

The NTRU problem with multiple keys arises when a user generates multiple distinct NTRU public keys \(\boldsymbol{h_i} = \boldsymbol{g_i}/\boldsymbol{f} \bmod q\) by keeping its private key \(\boldsymbol{f}\) fixed, and an adversary tries to recover the user’s private key \(\boldsymbol{f}\) by collecting multiple instances of public keys \(\boldsymbol{h_i}\) . At DCC 2023, Kim et al. introduced a polynomial-time algorithm to address this problem. Subsequently, at ICICS 2024, Song et al. identified a weakness in Kim et al.’s approach and proposed their own method. There are various versions of the NTRU algorithm, resulting in different ways of selecting the parameter \(\boldsymbol{f}\) . For instance, in the NIST PQC standardization process, the NTRUEncrypt in Round 1 and NTRU-HPS in Round 3, chooses the private key \(\boldsymbol{f}\) in the form \(\boldsymbol{f} = 1 \bmod p\) to improve efficiency. However, previous studies focus on the scenario where the private key \(\boldsymbol{f}\) is a ternary polynomial with a fixed Hamming weight. In this paper, we propose a polynomial time attack against NTRU with multiple keys, assuming that \(\boldsymbol{f}=1+p*\boldsymbol{F}\) , where \(\boldsymbol{F}\) is a ternary polynomial of degree at most \(N-1\) with a fixed Hamming weight and \(p=3\) . Given the fixed Hamming weight of \(\boldsymbol{g_i}\) , we can derive the initial modular equations from different \(\boldsymbol{h_i}\) . By employing linearization techniques and exploiting the relationships between the coefficients of the equations, we can establish a system of linear modular equations with \(\lfloor \frac{N}{2} \rfloor \) variables that possesses a unique solution. Using this solution, we can effectively recover the private key \(\boldsymbol{f}\) . We conducted experiments using the parameters of NTRU scheme in NIST PQC Competition and achieved successful results with an overwhelming probability. As a by-product, we can naturally extend the multi-key attack scenario to the NTRU-based proxy re-encryption scheme NTRUReEncrypt proposed by Nu \(\mathrm {\tilde{n}}\) ez et al. at AsiaCCS 2015, and successfully recover the user’s private key.