A Hybrid Lattice-Reduction and Meet-in-the-Middle Attack Against NTRU

11 years 6 months ago
A Hybrid Lattice-Reduction and Meet-in-the-Middle Attack Against NTRU
To date the NTRUEncrypt security parameters have been based on the existence of two types of attack: a meet-in-the-middle attack due to Odlyzko, and a conservative extrapolation of the running times of the best (known) lattice reduction schemes to recover the private key. We show that there is in fact a continuum of more efficient attacks between these two attacks. We show that by combining lattice reduction and a meet-in-the-middle strategy one can reduce the number of loops in attacking the NTRUEncrypt private key from 284.2 to 260.3 , for the k = 80 parameter set. In practice the attack is still expensive (dependent on ones choice of cost-metric), although there are certain space/time tradeoffs that can be applied. Asymptotically our attack remains exponential in the security parameter k, but it dictates that NTRUEncrypt parameters must be chosen so that the meet-in-the-middle attack has complexity 2k even after an initial lattice basis reduction of complexity 2k .
Nick Howgrave-Graham
Added 07 Jun 2010
Updated 07 Jun 2010
Type Conference
Year 2007
Authors Nick Howgrave-Graham
Comments (0)