Giant Does NOT Mean Strong: Cryptanalysis of BQTRU

Abstract

NTRU-like constructions are among the most studied lattice-based schemes. The freedom of design of NTRU resulted in many variants in literature motivated by faster computations or more resistance against lattice attacks by changing the underlying algebra. To the best of our knowledge, BQTRU (DCC 2017), a noncommutative NTRU-like cryptosystem, is the fastest claimed variant of NTRU built over the quaternion algebra of the bivariate ring of polynomials. The key generation and the encryption of BQTRU are claimed to be 16/7 times faster than standard NTRU for equivalent levels of security. For key recovery attacks, the authors claim that retrieving a decryption key is equivalent to solving the Shortest Vector Problem (SVP) in expanded Euclidean lattices of giant dimensions. This work disproves this claim and proposes practical key and message recovery attacks that break the moderate parameter sets of BQTRU estimated to achieve \(2^{92}\) message security and \(2^{166}\) key security on a standard desktop within less than two core weeks. Furthermore, our analysis shows that the proposed parameter set for the highest security level claiming \(2^{212}\) message security and \(2^{396}\) key security can barely achieve \(2^{82}\) message security and \(2^{125}\) key security. Our work not only provides cryptanalysis for BQTRU but also demonstrates the potential of extending Gentry’s attack to other rings beyond the cyclotomic polynomial ring.

Appendices

A  Group Rings

For a ring R and a finite group \(G = \{g_i : i = 1,2,\dots ,n\}\) of order n, the group ring of G over R is the set of formal sums

$$\begin{aligned} RG = \Biggl \{{a} = \sum _{i=1}^{n}\alpha _{g_i}g_i : \alpha _{g_i}\in R\text { for } i = 1,2,\dots ,n\Biggr \}, \end{aligned}$$

(60)

that forms a ring under the following operations: let \({a} = \sum _{i=1 }^{n}\alpha _{g_i}g_i \) and \({b}= \sum _{i=1}^{n}\beta _{g_i}g_i \) in RG then the sum of a and b is defined as:

$$\begin{aligned} {a} + {b} = \sum _{i=1}^{n}\alpha _{g_i}g_i + \sum _{i=1}^{n}\beta _{g_i}g_i = \sum _{i=1}^{n}(\alpha _{g_i}+\beta _{g_i})g_i\, , \end{aligned}$$

(61)

and the product of a and b as:

$$\begin{aligned} a*b = \left( \sum _{i=1}^{n}\alpha _{g_i}g_i \right) *\left( \sum _{i=1}^{n}\beta _{g_i}g_i\right) = \sum _{i=1}^{n}\gamma _{g_i}g_i\, , \end{aligned}$$

(62)

where

$$\begin{aligned} \gamma _{g_k} = \sum _{g_ig_j = g_k}\alpha _{g_i}\beta _{g_j} = \sum _{i=1}^n \alpha _{g_i}\beta _{{g_i}^{-1}g_k} = \sum _{i=1}^n \alpha _{g_k{g_i}^{-1}}\beta _{g_i}. \end{aligned}$$

(63)

For each element \(a = \sum _{i=1}^{n}\alpha _{g_i}g_i \in RG \), we associate a unique coefficient vector \({{{\boldsymbol{a}}}} = (\alpha _{g_1},\alpha _{g_2},\dots ,\alpha _{g_n})\). We use a and \({{\boldsymbol{a}}}\) interchangeably to refer to an element of group ring RG. In vector notation

$${{{\boldsymbol{a}}}}+{{{\boldsymbol{b}}}} = (\alpha _{g_1}+\beta _{g_1},\alpha _{g_2}+\beta _{g_2},\dots ,\alpha _{g_n}+\beta _{g_n}),~~ {{{\boldsymbol{a}}}}\star {{{\boldsymbol{b}}}} = (\gamma _{g_1},\gamma _{g_2},\dots ,\gamma _{g_n})$$

where \(\gamma _{g_i}\), for \(i=1, 2, \ldots , n\), are given by (63), denote coordinatewise addition and the convolutional product of two vectors \({{{\boldsymbol{a}}}},{{{\boldsymbol{b}}}}\in RG\), respectively. Using Eq. (63), we have

$$\begin{aligned} {{\boldsymbol{a}}}\star {{\boldsymbol{b}}}=(\alpha _{g_1},\alpha _{g_2},\ldots ,\alpha _{g_n})\star \begin{pmatrix} \beta _{g_1^{-1}g_1} & \beta _{g_1^{-1}g_2} & \ldots \ldots & \beta _{g_1^{-1}g_n}\\ \beta _{g_2^{-1}g_1} & \beta _{g_2^{-1}g_2} & \ldots \ldots & \beta _{g_2^{-1}g_n}\\ \vdots & \vdots & \ddots & \vdots \\ \beta _{g_n^{-1}g_1} & \beta _{g_n^{-1}g_2} & \ldots \ldots & \beta _{g_n^{-1}g_n} \end{pmatrix} \end{aligned}$$

(64)

$$\begin{aligned} ({{\boldsymbol{a}}}\star {{\boldsymbol{b}}})^{Tr} =\begin{pmatrix} \alpha _{g_1g_1^{-1}} & \alpha _{g_1g_2^{-1}} & \ldots \ldots & \alpha _{g_1g_n^{-1}}\\ \alpha _{g_2g_1^{-1}} & \alpha _{g_2g_2^{-1}} & \ldots \ldots & \alpha _{g_2g_n^{-1}}\\ \vdots & \vdots & \ddots & \vdots \\ \alpha _{g_ng_1^{-1}} & \alpha _{g_ng_2^{-1}} & \ldots \ldots & \alpha _{g_ng_n^{-1}}\\ \end{pmatrix}\star \begin{pmatrix} \beta _{g_1}\\ \beta _{g_2}\\ \vdots \\ \beta _{g_n} \end{pmatrix}. \end{aligned}$$

(65)

Definition 13

(RG-matrices). [22] For an element \({{{\boldsymbol{a}}}}=(\alpha _{g_1},\alpha _{g_2},\dots ,\alpha _{g_n})\in RG\), define the \(RG-\)matrices of \( {{\boldsymbol{a}}}\) in \(M_n(R)\) as follows:

$$\begin{aligned} A = \begin{pmatrix} \alpha _{g_1^{-1}g_1} & \alpha _{g_1^{-1}g_2} & \ldots \ldots & \alpha _{g_1^{-1}g_n}\\ \alpha _{g_2^{-1}g_1} & \alpha _{g_2^{-1}g_2} & \ldots \ldots & \alpha _{g_2^{-1}g_n}\\ \vdots & \vdots & \ddots & \vdots \\ \alpha _{g_n^{-1}g_1} & \alpha _{g_n^{-1}g_2} & \ldots \ldots & \alpha _{g_n^{-1}g_n} \end{pmatrix},~~~ A^{\prime } = \begin{pmatrix} \alpha _{g_1g_1^{-1}} & \alpha _{g_1g_2^{-1}} & \ldots \ldots & \alpha _{g_1g_n^{-1}}\\ \alpha _{g_2g_1^{-1}} & \alpha _{g_2g_2^{-1}} & \ldots \ldots & \alpha _{g_2g_n^{-1}}\\ \vdots & \vdots & \ddots & \vdots \\ \alpha _{g_ng_1^{-1}} & \alpha _{g_ng_2^{-1}} & \ldots \ldots & \alpha _{g_ng_n^{-1}}\\ \end{pmatrix}. \end{aligned}$$

Lemma 4

For \({{{\boldsymbol{a}}}} = (\alpha _{g_1},\alpha _{g_2},\dots ,\alpha _{g_n}), {{{\boldsymbol{b}}}} = (\beta _{g_1},\beta _{g_2},\dots ,\beta _{g_n})\in RG\), the following hold:

$$\begin{aligned} {{\boldsymbol{a}}}\star {{\boldsymbol{b}}}= {{\boldsymbol{a}}}\star B\quad \text {and}\quad ({{\boldsymbol{a}}}\star {{\boldsymbol{b}}})^{Tr} = A'\star {{\boldsymbol{b}}}^{Tr}. \end{aligned}$$

(66)

Further, if G is abelian group then \( ~~~~{{\boldsymbol{a}}}\star {{\boldsymbol{b}}}= {{\boldsymbol{b}}}\star A.\)

Proof

The first part of the proof immediately follows from Eqs. (64) and (65). The other part follows from the observation that if G is an abelian group, then \(A = (A')^{Tr}\).   \(\square \)

Theorem 3

[22, Theorem 1] The mapping \(\tau : RG \rightarrow M_n(R)\) defined as \(\tau ( {{\boldsymbol{a}}}) =A\) is a ring homomorphism, i.e., \(\tau ({{\boldsymbol{a}}}+{{\boldsymbol{b}}}) = A + B\) and \(\tau ({{\boldsymbol{a}}}\star {{\boldsymbol{b}}}) = A\star B\), where \(+,\star \) denote the usual matrix addition and multiplication, respectively.

Example 1

Let \(G = \langle x, y : x^n = 1, y^n = 1, xy= yx\rangle \) be a group of order \(n^2\), then \(R = {\mathbb Z}[x,y]/\langle x^n-1,y^n-1\rangle \cong {\mathbb Z}G.\) We can express every element of ring R as

$$v(x,y) = v_0(x)+yv_1(x) + y^2v_2(x)+\ldots +y^{n-1}v_{n-1}(x),$$

where each \(v_i(x)\in {\mathbb Z}[x]/\langle x^n-1\rangle \). Then, the coefficient vector of v(x, y) is \({{\boldsymbol{v}}}= ({{\boldsymbol{v}}}_0,{{\boldsymbol{v}}}_1,\ldots ,{{\boldsymbol{v}}}_{n-1})\in {\mathbb Z}^{n^2}\), where \({{\boldsymbol{v}}}_i\in {\mathbb Z}^n\) is the coefficient vector of \(v_i(x)\), and the matrix representation of \({{\boldsymbol{v}}}\) has the form

$$\begin{aligned} V = \begin{pmatrix} V_0 & V_1 & \ldots & V_{n-1}\\ V_{n-1} & V_0 & \ldots & V_{n-2}\\ \vdots & \vdots & \ddots & \vdots \\ V_1 & V_2 & \ldots & V_0 \end{pmatrix}\in M_{n^2}({\mathbb Z}), \end{aligned}$$

(67)

where \(V_i\in M_n({\mathbb Z})\) is the matrix representation of \({{\boldsymbol{v}}}_i\) and \(V' = V^{Tr}\).

B  Multiplication in \({\mathbb {A}}= \left( \frac{1,1}{R}\right) \)

For two quaternions, \(f = f_0+f_1i+f_2j+f_3k, g = g_0+g_1i+g_2j+g_3k\in {\mathbb {A}}\), consider the product

$$\begin{aligned} f*g =&( f_0g_0 + f_1g_1 + f_2g_2 - f_3g_3) + (f_1g_0 + f_0g_1 + f_3g_2 - f_2g_3)i \nonumber \\ & +\,(f_2g_0 - f_3g_1 + f_0g_2 + f_1g_3)j + (f_3g_0 - f_2g_1 + f_1g_2 + f_0g_3)k \end{aligned}$$

(68)

Using Lemma 4, the coefficient vector of the product \(f*g\) is given by

$$\begin{aligned} {{\boldsymbol{f}}}\star {{\boldsymbol{g}}}= ({{\boldsymbol{f}}}_0,{{\boldsymbol{f}}}_1,{{\boldsymbol{f}}}_2,{{\boldsymbol{f}}}_3)\star \begin{pmatrix} {G}_0 & & {G}_1 & & {G}_2 & & {G}_3\\ {G}_1 & & {G}_0 & & {G}_3 & & {G}_2\\ {G}_2 & & -{G}_3 & & {G}_0 & & -{G}_1\\ -{G}_3 & & {G}_2 & & -{G}_1 & & {G}_0 \end{pmatrix}, \end{aligned}$$

(69)

$$\begin{aligned} ({{\boldsymbol{f}}}\star {{\boldsymbol{g}}})^{Tr} = \begin{pmatrix} {F}_0' & & {F}_1' & & {F}_2' & & -{F}_3'\\ {F}_1' & & {F}_0' & & {F}_3' & & -{F}_2'\\ {F}_2' & & -{F}_3' & & {F}_0' & & {F}_1'\\ {F}_3' & & -{F}_2' & & {F}_1' & & {F}_0 \end{pmatrix}\star \begin{pmatrix} {{\boldsymbol{g}}}_0^{Tr}\\ {{\boldsymbol{g}}}_1^{Tr}\\ {{\boldsymbol{g}}}_2^{Tr}\\ {{\boldsymbol{g}}}_3^{Tr} \end{pmatrix}. \end{aligned}$$

(70)

where \(G_i, F_i'\in M_{n^2}({\mathbb Z})\) are the matrix representations of \(g_i, f_i\) as defined in Eq. (67), respectively.

Definition 14

(Quaternion matrices). For a quaternion \(f = f_0+f_1i+f_2j+f_3k\in {\mathbb {A}}\), define the matrix representations of f in \(M_{4n^2}({\mathbb Z})\) as follows:

$$\begin{aligned} \mathcal {F} = \begin{pmatrix} F_0 & F_1 & F_2 & F_3\\ F_1 & F_0 & F_3 & F_2\\ F_2 & -F_3 & F_0 & -F_1\\ -F_3 & F_2 & -F_1 & F_0 \end{pmatrix},~~~ \mathcal {F}' = \begin{pmatrix} F_0' & & F_1' & & F_2' & & -F_3'\\ F_1' & & F_0' & & F_3' & & -F_2'\\ F_2' & & -F_3' & & F_0' & & F_1'\\ F_3' & & -F_2' & & F_1' & & F_0 \end{pmatrix}. \end{aligned}$$

(71)

where \(F_i, F_i'\in M_{n^2}({\mathbb Z})\) are the matrix representations of \(f_i\) as defined in Eq. (67).

Lemma 5

For two quaternions \(f = f_0+f_1i+f_2j+f_3k, g = g_0+g_1i+g_2j+g_3k\in {\mathbb {A}}\), the following hold:

$$\begin{aligned} {{\boldsymbol{f}}}\star {{\boldsymbol{g}}}= {{\boldsymbol{f}}}\star \mathcal {G}\quad \text {and}\quad ({{\boldsymbol{f}}}\star {{\boldsymbol{g}}})^{Tr} = \mathcal {F}'\star {{\boldsymbol{b}}}^{Tr}. \end{aligned}$$

(72)

Further, if \(\tilde{{\mathcal {F}}} = (\mathcal {F}')^{Tr}\) then \( ~~~~{{\boldsymbol{f}}}\star {{\boldsymbol{g}}}= {{\boldsymbol{g}}}\star \tilde{\mathcal {F}}.\)

Proof

The proof immediately follows from Eqs. (69) and (70).    \(\square \)

Note: We would like to point out that in [5], the matrix representation of the quaternions in \({\mathbb {A}}\) is incorrect due to the wrong multiplication in [5, Equation 16].

C  Proof of Lemma 2

Let \(\mathcal {F}\) and \(\mathcal {G}\) be matrices of elements f and \(g\in {\mathbb {A}}\), respectively. Then,

$$\begin{aligned} \phi (\mathcal {F}+\mathcal {G}) &= \phi \begin{pmatrix} F_0+G_0 & \quad F_1+G_1 & \quad F_2+G_2 & \quad F_3+G_3\\ F_1+G_1 & \quad F_0+G_0 & \quad F_3+G_3 & \quad F_2+G_2\\ F_2+G_2 & \quad -F_3-G_3 & \quad F_0+G_0 & \quad -F_1-G_1\\ -F_3-G_3 & \quad F_2+G_2 & \quad -F_1-G_1 & \quad F_0+G_0 \end{pmatrix}\\ &= \begin{pmatrix} F_0+G_0+F_1+G_1 & \quad F_2+G_2+F_3+G_3\\ F_2+G_2-F_3-G_3 & \quad F_0+G_0-F_1-G_1 \end{pmatrix}\\ &= \phi (\mathcal {F}) + \phi (\mathcal {G}). \end{aligned}$$

Similarly, one can verify that \( \phi (\mathcal {F}\star \mathcal {G}) = \phi (\mathcal {F})\star \phi (\mathcal {G})\). Therefore, \(\phi \) is a matrix ring homomorphism.