Towards Message Recovery in NTRU Encryption with Auxiliary Data

Abstract

In the present paper, we implement a message recovery attack on the NTRU-HPS cryptosystem using its state-of-the-art parameters. We assume the knowledge of at most 2 bits of each coefficient of an unknown polynomial u(x). Then, using Babai’s nearest plane algorithm, we successfully recover the message. Additionally, we discuss the possibility of a side-channel attack method designed to extract the necessary bit information from the cryptographic operations.

The second author was co-funded by SECUR-EU. The SECUR-EU project funded under Grant Agreement 101128029 is supported by the European Cybersecurity Competence Centre.

A Appendix

Proposition 2

Let k, N and q be positive integers with \(q \ge (k+1)\sqrt{k^2+1}.\) We set

$$ M_k= \left[ \begin{array}{c|c} I_N & -kI_N \\ \hline {{\textbf {0}}}_N & qI_N \\ \end{array}\right] . $$

Let \({\mathcal {L}}_{k}\) be the lattice generated by the rows of \(M_k.\) Then, \(\lambda _1(\mathcal {L}_k) = \sqrt{k^2+1}.\)

Proof

It is enough to prove that for all non-zero \(\textbf{v}\in {\mathcal {L}}_{k}\) we have \(\Vert \textbf{v}\Vert \ge \sqrt{k^2+1}.\) Since the first row of \(M_k\) has length \(\sqrt{k^2+1}\) we are done.

Suppose that there is a vector \(\textbf{v}\in {\mathcal {L}}_{k}\setminus \{\textbf{0}\}\) such that

$$\begin{aligned} \Vert \textbf{v}\Vert < \sqrt{k^2+1}. \end{aligned}$$

(8)

Let \(\textbf{b}_1,\dots ,\textbf{b}_{2N}\) be the rows of the matrix \(M_k.\) Since \(\textbf{v}\in {\mathcal {L}}_{k},\) there are integers \(l_1,\ldots ,l_{2N}\) such that,

$$ \textbf{v}=l_1\textbf{b}_1+\cdots +l_{2N} \textbf{b}_{2N} = $$

$$ (l_1,\ldots ,l_N,-l_1k+ql_{N+1},\ldots ,-l_Nk+ql_{2N}) $$

From the inequality (8) we get

$$\begin{aligned} {\left\{ \begin{array}{ll} |l_1|,|l_2|,\dots ,|l_N| < \sqrt{k^2+1}\\ |-l_1k+ql_{N+1}| < \sqrt{k^2+1}\\ \dots \\ |-l_Nk+ql_{2N}| < \sqrt{k^2+1} \end{array}\right. } \end{aligned}$$

(9)

So we can easily see that for \(i=1,\dots ,N\) we get

$$\begin{aligned} |l_ik| < \sqrt{k^2+1}k. \end{aligned}$$

(10)

Case 1: not all the integers \(l_{N+1},l_{N+2},\dots ,l_{2N}\) are zero.

Without loss of generality, say \(l_{N+j}\) is not zero for some \(j\in \{1,\dots ,N\}. \) Then from (10) and (9), we get

$$ \Vert \textbf{v}\Vert \ge |-l_jk+ql_{N+j}| \ge |l_{N+j}|q-|l_jk| > q -\sqrt{k^2+1}k \ge \sqrt{k^2+1}, $$

which contradicts to inequality (8).

Case 2: Let \(l_{N+1}=l_{N+2}=\dots =l_{2N}=0.\)

In this case

$$ \textbf{v} = (l_1,\ldots ,l_N,-l_1k,\ldots ,-l_Nk). $$

Then,

$$ \Vert \textbf{v}\Vert =\sqrt{l_1^2(1+k^2)+l_2^2(1+k^2)+\cdots +l_N^2(1+k^2)}>\sqrt{k^2+1}, $$

which contradicts our hypothesis (8). The Proposition follows.