To date the NTRUEncrypt security parameters have been based on the existence of two types of attack: a meet-in-the-middle attack due to Odlyzko, and a conservative extrapolation of the running times of the best (known) lattice reduction schemes to recover the private key. We show that there is in fact a continuum of more efficient attacks between these two attacks. We show that by combining lattice reduction and a meet-in-the-middle strategy one can reduce the number of loops in attacking the NTRUEncrypt private key from 2^84.2 to 2^60.3, for the k = 80 parameter set. In practice the attack is still expensive (dependent on one's choice of cost-metric), although there are certain space/time tradeoffs that can be applied. Asymptotically our attack remains exponential in the security parameter k, but it dictates that NTRUEncrypt parameters must be chosen so that the meet-in-the-middle attack has complexity 2^k even after an initial lattice basis reduction of complexity 2^k.