Abstract
The NTRU problem can be viewed as an instance of finding a short non-zero vector in a lattice, under the promise that it contains an exceptionally short vector. Further, the lattice under scope has the structure of a rank-2 module over the ring of integers of a number field. Let us refer to this problem as the module unique Shortest Vector Problem, or mod-uSVP for short. We exhibit two reductions that together provide evidence the NTRU problem is not just a particular case of mod-uSVP, but representative of it from a computational perspective.
First, we reduce worst-case mod-uSVP to worst-case NTRU. For this, we rely on an oracle for id-SVP, the problem of finding short non-zero vectors in ideal lattices. Using the worst-case id-SVP to worst-case NTRU reduction from Pellet-Mary and Stehlé [ASIACRYPT’21], this shows that worst-case NTRU is equivalent to worst-case mod-uSVP.
Second, we give a random self-reduction for mod-uSVP. We put forward a distribution \(D^{\textrm{uSVP}}\) over mod-uSVP instances such that solving mod-uSVP with non-negligible probability for samples from \(D^{\textrm{uSVP}}\) allows one to solve mod-uSVP in the worst case. With the first result, this gives a reduction from worst-case mod-uSVP to an average-case version of NTRU where the NTRU instance distribution is inherited from \(D^{\textrm{uSVP}}\). This worst-case to average-case reduction requires an oracle for id-SVP.
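The abstract's opening claim, that an NTRU instance defines a rank-2 module lattice containing an exceptionally short vector, can be checked numerically with the following added example, which is not taken from the paper. It assumes toy parameters (the ring \(\mathbb{Z}[x]/(x^8+1)\), modulus 257), ternary secrets, and the convention \(h = g/f \bmod q\); all function names are hypothetical.

```python
import math
import random

N, Q = 8, 257  # toy sizes (assumed): R = Z[x]/(x^N + 1), prime Q = 1 mod 2N
ONE = [1] + [0] * (N - 1)

def mul(a, b, q=None):
    """Negacyclic product in R, reduced mod q when q is given."""
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                c[i + j] += ai * bj
            else:
                c[i + j - N] -= ai * bj  # x^N = -1
    return [x % q for x in c] if q else c

def inverse_mod_q(f):
    """f^(Q-2) in R/QR; x^N + 1 splits completely mod Q, so R/QR is F_Q^N."""
    result, base, e = ONE, [x % Q for x in f], Q - 2
    while e:
        if e & 1:
            result = mul(result, base, Q)
        base = mul(base, base, Q)
        e >>= 1
    return result if mul(result, f, Q) == ONE else None  # None: f is not a unit

def keygen(seed=1):
    """Constructed toy instance: ternary f, g with f invertible mod Q, h = g/f."""
    rng = random.Random(seed)
    while True:
        f = [rng.choice((-1, 0, 1)) for _ in range(N)]
        g = [rng.choice((-1, 0, 1)) for _ in range(N)]
        f_inv = inverse_mod_q(f)
        if f_inv is not None:
            return f, g, mul(g, f_inv, Q)

def in_ntru_lattice(u, v, h):
    """(u, v) is in the R-module spanned by (1, h) and (0, Q) iff u*h = v mod Q."""
    return mul(u, h, Q) == [x % Q for x in v]

def norm(u, v):
    return math.sqrt(sum(x * x for x in u + v))

def gaussian_heuristic():
    """Shortest-vector length expected in a random 2N-dim lattice of volume Q^N."""
    return math.sqrt(2 * N / (2 * math.pi * math.e)) * math.sqrt(Q)

if __name__ == "__main__":
    f, g, h = keygen()
    print(in_ntru_lattice(f, g, h), norm(f, g), gaussian_heuristic())
```

Because the lattice is an R-module, every multiple \(x^k \cdot (f, g)\) is also in it with the same norm, so the unusually short vector comes with N short companions rather than being isolated.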
Notes
- 1. For two rank-2 modules \(M' \subseteq M\) with pseudo-bases \(((\textbf{b}'_1, I'_1),(\textbf{b}'_2,I'_2))\) and \(((\textbf{b}_1, I_1),(\textbf{b}_2,I_2))\) respectively, we say that \(M'\) has index \(\mathfrak {p}\) in \(M\) if \(\det _{K}(\textbf{b}'_1, \textbf{b}'_2) \cdot I'_1 I'_2 = \mathfrak {p}\cdot \det _{K}(\textbf{b}_1, \textbf{b}_2) \cdot I_1 I_2\).
References
Albrecht, M.R., Deo, A.: Large modulus ring-LWE \(\ge \) module-LWE. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 267–296. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_10
Aggarwal, D., Li, J., Nguyen, P.Q., Stephens-Davidowitz, N.: Slide reduction, revisited—filling the gaps in SVP approximation. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12171, pp. 274–295. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_10
Biasse, J.-F., Fieker, C., Hofmann, T.: On the computation of the HNF of a module over the ring of integers of a number field. J. Symb. Comput. (2017)
Bosma, W., Pohst, M.: Computations with finitely generated modules over Dedekind domains. In: ISSAC (1991)
Bach, E., Shallit, J.O.: Algorithmic Number Theory: Efficient Algorithms (1996)
Bai, S., Stehlé, D., Wen, W.: Improved reduction from the bounded distance decoding problem to the unique shortest vector problem in lattices. In: ICALP (2016)
Chen, C., et al.: NTRU: a submission to the NIST post-quantum standardization effort (2020). https://www.ntru.org/
Cramer, R., Ducas, L., Wesolowski, B.: Mildly short vectors in cyclotomic ideal lattices in quantum polynomial time. J. ACM (2021)
Cohen, H.: Hermite and Smith normal form algorithms over Dedekind domains. Math. Comput. (1996)
Coppersmith, D., Shamir, A.: Lattice attacks on NTRU. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 52–61. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_5
de Boer, K., Ducas, L., Pellet-Mary, A., Wesolowski, B.: Random self-reducibility of ideal-SVP via Arakelov random walks. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12171, pp. 243–273. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_9
Gama, N., Nguyen, P.Q.: Finding short lattice vectors within Mordell’s inequality. In: STOC (2008)
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC (2008)
Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054868
Hanrot, G., Pujol, X., Stehlé, D.: Analyzing blockwise lattice algorithms using dynamical systems. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 447–464. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_25
Kirchner, P., Fouque, P.-A.: Revisiting lattice attacks on overstretched NTRU parameters. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 3–26. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_1
Khot, S.: Hardness of approximating the shortest vector problem in high \(\ell _p\) norms. J. Comput. Syst. Sci. (2006)
Lenstra, A.K., Lenstra Jr., H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. (1982)
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1
Lee, C., Pellet-Mary, A., Stehlé, D., Wallet, A.: An LLL algorithm for module lattices. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11922, pp. 59–90. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34621-8_3
Langlois, A., Stehlé, D.: Worst-case to average-case reductions for module lattices. Des. Code Cryptogr. (2015)
Peikert, C.: A decade of lattice cryptography. Found. Trends Theor. Comput. Sci. (2016)
Pellet-Mary, A., Hanrot, G., Stehlé, D.: Approx-SVP in ideal lattices with pre-processing. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 685–716. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_24
Pellet-Mary, A., Stehlé, D.: On the hardness of the NTRU problem. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13090, pp. 3–35. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92062-3_1
Schnorr, C.-P.: A hierarchy of polynomial lattice basis reduction algorithms. Theor. Comput. Sci. (1987)
Sittinger, B.D.: The probability that random algebraic integers are relatively \(r\)-prime. J. Number Theory (2010)
Stehlé, D., Steinfeld, R.: Making NTRUEncrypt and NTRUSign as secure as standard worst-case problems over ideal lattices (2013). https://eprint.iacr.org/2013/004
Stehlé, D., Steinfeld, R., Tanaka, K., Xagawa, K.: Efficient public key encryption based on ideal lattices. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 617–635. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_36
Acknowledgments
The authors thank Koen de Boer, Guillaume Hanrot and Aurel Page for insightful discussions. Joël Felderhoff is funded by the Direction Générale de l’Armement (Pôle de Recherche CYBER). The authors were supported by the CHARM ANR-NSF grant (ANR-21-CE94-0003) and by the PEPR quantique France 2030 programme (ANR-22-PETQ-0008). The last author was supported in part by the European Union Horizon 2020 Research and Innovation Program Grant 780701.
Copyright information
© 2022 International Association for Cryptologic Research
About this paper
Cite this paper
Felderhoff, J., Pellet-Mary, A., Stehlé, D. (2022). On Module Unique-SVP and NTRU. In: Agrawal, S., Lin, D. (eds) Advances in Cryptology – ASIACRYPT 2022. ASIACRYPT 2022. Lecture Notes in Computer Science, vol 13793. Springer, Cham. https://doi.org/10.1007/978-3-031-22969-5_24
DOI: https://doi.org/10.1007/978-3-031-22969-5_24
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-22968-8
Online ISBN: 978-3-031-22969-5
eBook Packages: Computer Science, Computer Science (R0)