D. Coppersmith and A. Shamir, Lattice Attacks on NTRU, in Proc. of Eurocrypt '97, LNCS 1233, pages 52-61, Springer-Verlag, 1997.
....e f modulo p, one thus recovers m f mod q, hence m. Security. The best attack known against NTRU is based on lattice reduction, but this does not mean that lattice reduction is necessary to break NTRU. The simplest lattice based attack can be described as follows. Coppersmith and Shamir [40] noticed that the target vector $f\|g \in \mathbb{Z}^{2N}$ (the symbol $\|$ denotes vector concatenation) belongs to the following natural lattice: $L_{CS} = \{F\|G \in \mathbb{Z}^{2N} \mid F \equiv hG \bmod q \text{ where } F, G \in R\}$. It is not difficult to see that $L_{CS}$ is a full dimensional lattice in $\mathbb{Z}^{2N}$, with volume $q^N$. The volume suggests ....
D. Coppersmith and A. Shamir. Lattice attacks on NTRU. In Proc. of Eurocrypt '97, LNCS. IACR, Springer-Verlag, 1997.
.... generators ([FHK 88, Ste87]) against cryptosystems based on rational numbers ([ST90]) or modular knapsacks ([JS91, CJS91]) and, more recently, against RSA with exponent 3 ([Cop96]) and in order to attack a new cryptosystem proposed by Hoffstein, Pipher and Silverman under the name NTRU (see [CS97]). Recently, in a beautiful paper, Ajtai [Ajt96] discovered a fascinating connection between the worst case complexity and the average case complexity of some well known lattice problems. More precisely, he established a reduction from the problem of finding the shortest non zero element u of a ....
D. Coppersmith and A. Shamir. Lattice attacks on NTRU. In W. Fumy, editor, Proceedings of EUROCRYPT 97, pages 52--61. Springer, 1997. Lecture Notes in Computer Science No. 1233.
....NTRU and an attack model for the attacks presented against it. 1 Introduction. The NTRU cryptosystem [9] is based on polynomial algebra modulo two distinct moduli. The problem of recovering the secret key from the public key has a very natural formation as a lattice basis reduction problem (see [5]). The security parameters suggested for the cryptosystem by NTRU Cryptosystems Inc. are designed to make the related lattice basis reduction problem intractable (see [21]). In [12] Jaulmes and Joux presented a chosen ciphertext attack against the NTRU cryptosystem. The basis of the attack was to ....
....they were found. Suppose that x bits of g have been determined. These bits yield x equations of the form f 0 h j f 1 h j 1 : fN 1 h j N 1 g j (mod q) which can be used to reduce the dimension of the NTRU lattice reduction problem from a 2N 2N lattice to a 2(N x) 2(N x) lattice (see [20, 14, 5] for details). Note that the lattice attack will determine both g and f. If y = mf has at least one large coefficient then the rate at which indecipherable (m, r) are found will be noticeably larger than for random m and random r. Thus by analyzing the rate at which r are found we can determine ....
Coppersmith, D., and Shamir, A. Lattice Attacks on NTRU. In Advances in Cryptology - EUROCRYPT '97 (1997), vol. 1233 of LNCS, Springer-Verlag, pp. 52-61.
....in a lattice. Lattices find application in pure and applied mathematics, computer science, physics, and cryptography. In particular, the SVP has been intensively studied for more than one hundred years for its use in these and other areas of mathematics and science. Theory and experimentation [2] suggest the SVP is difficult in lattices of very high dimension. Such instances of the SVP form the basis of NTRU. 2.1 Basic Setup. NTRU is best described using the ring of polynomials # = #[#]#(# # 1)# These are polynomials with integer coefficients #(#) # # # # # # # # ### #### # ....
D. Coppersmith and A. Shamir. Lattice attacks on NTRU. In ######## ## ############ # ######### ###, pages 52-61. Springer-Verlag, 1997. LNCS 1233.
....that congruence is likely to be a polynomial equality over Z. By further reducing e f modulo p, one thus recovers m f mod q, hence m. Security. The best attack known against NTRU is based on lattice reduction. The simplest lattice based attack can be described as follows. Coppersmith and Shamir [33] noticed that the target vector $f\|g \in \mathbb{Z}^{2N}$ (the symbol $\|$ denotes vector concatenation) belongs to the following natural lattice: $L_{CS} = \{F\|G \in \mathbb{Z}^{2N} \mid F \equiv hG \bmod q \text{ where } F, G \in R\}$. It is not difficult to see that $L_{CS}$ is a full dimensional lattice in $\mathbb{Z}^{2N}$, with volume $q^N$. The volume suggests ....
D. Coppersmith and A. Shamir. Lattice attacks on NTRU. In Proc. of Eurocrypt '97, LNCS. IACR, Springer-Verlag, 1997.
....( 1 mod q) and N 2d zero coefficients. Due to the way h is constructed, it is known that such f and g exist. The encryption scheme NTRU [48] and the signature scheme NSS [49] are meant to rely on this problem of recovering f and g from h. This problem can be seen as a lattice shortest vector problem [32]. It was not designed as such. NSS as proposed in [49] is known to have several independent weaknesses [41, 110]. Braid groups. Let n be the group of n permutations, for an integer n 0. Let i # n with i # 1; 2; n 1 be the permutation that swaps the ith and (i 1)st element. The ....
D. Coppersmith, A. Shamir, Lattice attacks on NTRU, Proceedings Eurocrypt'97, LNCS 1233, Springer-Verlag 1997, 52-61.
....made in [1] that (at least for the NTRU lattices) the algorithm generally either finds a vector March 9, 1999 NTRU Cryptosystems Technical Report #012 4 of the exact correct length, or it finds one that is considerably too long to be useful for decryption. Thus the idea of Coppersmith and Shamir [3] to use vectors a little longer than the target vector to attack NTRU, while very interesting as a theoretical remark, does not appear to be of practical significance. In practice, LLL generally seems to terminate with a q vector (i.e. a vector with one coordinate equal to q and the rest 0) until ....
D. Coppersmith, A. Shamir, Lattice attacks on NTRU, in W. Fumy, ed., Proceedings of EUROCRYPT 97, Lecture Notes in Mathematics 1233, Springer, 1997, 52-61
....that congruence is likely to be a polynomial equality over Z. By further reducing e f modulo p, one thus recovers m f mod q, hence m. Security. The best attack known against NTRU is based on lattice reduction. The simplest lattice based attack can be described as follows. Coppersmith and Shamir [33] noticed that the target vector $f\|g \in \mathbb{Z}^{2N}$ (the symbol $\|$ denotes vector concatenation) belongs to the following natural lattice: $L_{CS} = \{F\|G \in \mathbb{Z}^{2N} \mid F \equiv hG \bmod q \text{ where } F, G \in R\}$. It is not difficult to see that $L_{CS}$ is a full dimensional lattice in $\mathbb{Z}^{2N}$, with volume $q^N$. The volume ....
D. Coppersmith and A. Shamir. Lattice attacks on NTRU. In Proc. of Eurocrypt '97, LNCS. IACR, Springer-Verlag, 1997.
....the security parameter. NTRU has achieved considerable attention because of its encryption and decryption speed and the easiness of creating public key secret key pairs, which makes it practical to change keys frequently. There is a licensing agreement with SONY [5]. D. Coppersmith and A. Shamir [1] presented first lattice attacks on the system. In their lattice $L_{cs}$ vectors correspond to factorizations of the public key in the ring $\mathbb{Z}_q[X]/(X^n - 1)$. They showed that any non trivial lattice vector at most as long as the original secret key the target vector can be used for ....
....distinct. 2 It is tempting to state 1 (L cs ) 2 (L cs ) Delta Delta Delta = n (L cs ) but in general the n cyclic shifted vectors may not be linear independent. The number of linear independent vectors equals the rank of the Toeplitz matrix that they form. Coppersmith, Shamir [1] showed that any vector in L at most as long as the vector corresponding to the factorization of h into the secret components f; g can be equally used in NTRU for decryption. Together with the above Lemma 3.4 this leads to the following Corollary. Corollary 3.5 Let T be the Toeplitz matrix formed ....
[Article contains additional citation context not shown here]
D. Coppersmith, A. Shamir, "Lattice Attacks on NTRU", Eurocrypt '97, Springer LNCS 1233
No context found.
D. Coppersmith and A. Shamir, Lattice Attacks on NTRU, in Proc. of Eurocrypt '97, LNCS 1233, pages 52-61, Springer-Verlag, 1997.
No context found.
D. Coppersmith, A. Shamir, Lattice attacks on NTRU, Proceedings of EUROCRYPT 97.
No context found.
D. Coppersmith and A. Shamir, Lattice Attacks on NTRU, in Proc. of Eurocrypt '97, LNCS 1233, pages 52-61, Springer-Verlag, 1997.
No context found.
D. Coppersmith and A. Shamir. Lattice Attacks on NTRU. In Proc. of Eurocrypt '97, LNCS 1233. Springer-Verlag, 1997.
No context found.
D. Coppersmith, A. Shamir, Lattice attacks on NTRU, in W. Fumy, ed., Proceedings of EUROCRYPT 97, Lecture Notes in Mathematics 1233, Springer, 1997, 52-61