docs/main.tex
Lines changed: 288 additions & 3 deletions
@@ -705,13 +705,296 @@ \subsection{LLL Attack on RSA}
705
705
This attack method is based on the description from the book \textit{Introduction to Cryptography with Coding Theory} by Trappe and Washington (2nd Edition, Pearson, 2006). An example implementation of this attack has been developed and published by the author on GitHub: \href{https://github.com/SanyaKor/Cryptanalysis/blob/main/notebooks/lll\_attack.ipynb}{github.com/SanyaKor/Cryptanalysis/blob/main/notebooks/lll\_attack.ipynb}.
706
706
\newpage
707
707
708
-
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
708
+
\subsection{NTRU}
709
+
710
+
Lattice-based cryptography becomes especially powerful in high-dimensional settings. While traditional reduction techniques like the \textsc{LLL} algorithm lose their effectiveness as the dimension \( n \) increases (typically beyond \( n \geq 100 \)), this limitation opens the door for new constructions that rely on the hardness of certain lattice problems.
711
+
712
+
One of the most prominent lattice-based cryptosystems is \textsc{NTRU}, a public-key encryption scheme known for its efficiency and resistance to quantum attacks. Although its original formulation did not explicitly reference lattices, it can be naturally interpreted through a lattice framework—a perspective we will explore in this chapter.
713
+
714
+
\bigskip
715
+
716
+
\subsection*{Preliminaries for NTRU}
717
+
Before presenting the structure of the NTRU cryptosystem, we introduce a few algebraic preliminaries.
718
+
719
+
We work with polynomials of degree less than \( N \), with coefficients in the ring \(\mathbb{Z}_q \). Let
However, NTRU operates in the quotient ring \(\mathbb{Z}_q[x]/(x^N - 1) \), where coefficients are reduced modulo \( q \), and the exponents wrap around modulo \( N \). In this ring, polynomial multiplication becomes
732
+
733
+
\[
734
+
(f \ast g)(x) = \sum_{i=0}^{N-1} c_i x^i, \qquad\text{where } c_i = \sum_{\substack{j + k \equiv i \!\!\!\!\pmod{N}}} a_j b_k \pmod{q}.
735
+
\]
736
+
737
+
This cyclic convolution is fundamental to the design and efficiency of the NTRU cryptosystem.
738
+
739
+
\medskip
740
+
\begin{example}
741
+
Let \( N = 3 \), and consider the polynomials
742
+
\[
743
+
f(x) = x^2 + 7x + 9, \qquad g(x) = 3x^2 + 2x + 5.
744
+
\]
745
+
We compute their cyclic convolution product \( f \ast g \) in \(\mathbb{Z}[x]/(x^3 - 1) \). The coefficient \( c_1 \) of \( x \) is
This operation is straightforward and preserves the ring structure.
774
+
775
+
776
+
\medskip
777
+
\noindent
778
+
NTRU works with a specific subset of polynomials that have small integer coefficients. To formalize this, we define a family of sets:
779
+
780
+
\[
781
+
\mathcal{L}(j, k) =
782
+
\left\{
783
+
\begin{array}{l}
784
+
\text{the set of polynomials of degree } < N \text{ with} \\
785
+
j \text{ coefficients equal to } +1,\ k \text{ coefficients equal to } -1, \\
786
+
\text{and all other coefficients equal to } 0.
787
+
\end{array}
788
+
\right.
789
+
\]
790
+
The remaining coefficients are set to zero.
791
+
792
+
\medskip
793
+
794
+
\noindent
795
+
We are now ready to describe the NTRU cryptosystem. Suppose Alice wishes to send a message to Bob. To begin, Bob must generate and publish a public key. He selects three integers \( N, p, q \), subject to the constraints:
796
+
\[
797
+
\gcd(p, q) = 1, \quad\text{and} \quad p \ll q.
798
+
\]
799
+
Recommended parameters for moderate security include:
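Review bot: the parameter constraints at lines 796–798 ("\gcd(p, q) = 1, \quad\text{and} \quad p \ll q.") are incomplete for the scheme as it is used later in this hunk: the decryption argument at lines 864–868 needs f invertible modulo both p and q (stated only at line 827), the message encoding at line 848 assumes p = 3, and the standard NTRU parameter sets referenced by the ntru.org caption take N prime; list these together here so a reader can check a parameter set against one place. Smaller points in the same region: line 790 ("The remaining coefficients are set to zero.") repeats the last line of the \mathcal{L}(j, k) definition and can go; \mathcal{L}(j, k) here and the lattice L at line 991 reuse the same letter for different objects, so one of them should get a distinct symbol; the convolution formula at line 734 uses a_j and b_k for the coefficients of f and g, and the index range j, k \in \{0, \ldots, N-1\} should be stated explicitly (if those names are introduced in the collapsed lines 720–731 that is fine, but the \!\!\!\!\pmod{N} spacing hack inside \substack is better written as \bmod N). For the worked example at lines 741–745, c_1 = a_0 b_1 + a_1 b_0 + a_2 b_2 = 9 \cdot 2 + 7 \cdot 5 + 1 \cdot 3 = 56; worth checking the collapsed lines 746–773 against that. Lastly, line 710 says LLL "lose[s] [its] effectiveness" beyond n \geq 100 without saying what degrades: LLL still runs in polynomial time, but its guaranteed approximation factor grows exponentially with n, so the vectors it returns stop being short enough to be the NTRU secret; that distinction is exactly what the 2N-dimensional lattice at lines 973–991 relies on, so phrase it that way.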
NTRU Parameter Sets and Estimated Attack Times. Based on data from \url{https://www.ntru.org/}. Tests were performed on a 200 MHz Pentium Pro processor.
824
+
825
+
\newpage
826
+
827
+
To initiate the cryptosystem, Bob begins by selecting two small polynomials \( f \) and \( g \), typically with coefficients in \(\{-1, 0, 1\}\). These polynomials are chosen such that \( f \) is invertible modulo both \( p \) and \( q \). This means there exist polynomials \( F_p \) and \( F_q \), each of degree less than \( N \), such that
828
+
829
+
\[
830
+
F_p * f \equiv 1 \pmod{p}, \qquad F_q * f \equiv 1 \pmod{q}.
831
+
\]
832
+
833
+
Using these, Bob computes the public key polynomial
834
+
835
+
\[
836
+
h \equiv F_q * g \pmod{q},
837
+
\]
838
+
839
+
and publishes the tuple \( (N, p, q, h) \) as his public key.
840
+
841
+
\medskip
842
+
843
+
The private key is the polynomial \( f \), which should be kept secret. Although \( F_p \) can be efficiently recomputed from \( f \), it is recommended to store it for faster decryption. As for \( g \), note that since \( g \equiv f * h \pmod{q} \), all required information is contained in \( f \) and \( h \), so storing \( g \) is unnecessary.
844
+
845
+
846
+
\subsection*{Encryption and Decryption in NTRU}
847
+
848
+
Once the keys are established, Alice can encrypt a message for Bob. She encodes her message as a polynomial \( m \) of degree less than \( N \), with coefficients from \(\{ -1, 0, 1 \}\), assuming \( p = 3 \). Then she chooses a small random polynomial \(\phi\) (its precise constraints will be detailed later) and computes the ciphertext as
849
+
850
+
\[
851
+
c \equiv p\phi * h + m \pmod{q}.
852
+
\]
853
+
854
+
This ciphertext \( c \) is sent to Bob.
855
+
856
+
\medskip
857
+
858
+
To decrypt the message, Bob first computes
859
+
860
+
\[
861
+
a \equiv f * c \pmod{q}.
862
+
\]
863
+
864
+
If all coefficients of \( a \) have absolute value less than \( q/2 \), he can recover the original message by reducing modulo \( p \):
865
+
866
+
\[
867
+
m \equiv F_p * a \pmod{p}.
868
+
\]
869
+
870
+
871
+
Although decryption is not always guaranteed to succeed, appropriate parameter choices yield very low failure probabilities (e.g., less than \( 5 \times 10^{-5} \)).
872
+
873
+
Here’s a sketch of why decryption usually works:
874
+
875
+
\[
876
+
a \equiv f * c \equiv f * (p\phi * h + m) \equiv f * p\phi * F_q * g + f * m \equiv p\phi * g + f * m \pmod{q}.
877
+
\]
878
+
879
+
Given that \(\phi, g, f, m \) all have small coefficients and \( p \ll q \), it is likely that the result does not wrap modulo \( q \), so we can treat the expression as:
880
+
881
+
\[
882
+
a = p\phi * g + f * m.
883
+
\]
884
+
885
+
Applying \( F_p \), we have:
886
+
887
+
\[
888
+
F_p * a = pF_p * \phi * g + F_p * f * m \equiv 0 + 1 * m \equiv m \pmod{p},
889
+
\]
890
+
891
+
which successfully recovers the message \( m \).
892
+
893
+
894
+
895
+
896
+
\medskip
897
+
898
+
A complete implementation of the NTRU cryptosystem, including key generation, encryption, and decryption, is available on GitHub:
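Review bot: the decryption step at lines 864–868 is under-specified in a way that breaks implementations: after computing a \equiv f * c \pmod{q}, the coefficients must be lifted to the centered range (-q/2, q/2] before reducing modulo p, because the integer identity a = p\phi * g + f * m at line 882 holds only for those representatives, and q is not divisible by p (line 797 gives \gcd(p, q) = 1), so reducing a representative taken in [0, q) modulo p gives a different polynomial. Line 864 ("If all coefficients of \( a \) have absolute value less than \( q/2 \)") presupposes the centered choice without saying so; state it explicitly and confirm the linked notebook does the same. Two smaller points: at line 888 write F_p * f * m \equiv m rather than "\equiv 0 + 1 * m \equiv m", since * denotes convolution throughout this chapter; and the failure probability at line 871 ("less than \( 5 \times 10^{-5} \)") should name the parameter set it belongs to, because the failure rate depends on N, q and the weights of f, g and \phi. Finally, the caption at line 823 ("Tests were performed on a 200 MHz Pentium Pro processor") dates the attack-time column to the 1990s; label it as historical rather than a current security estimate.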
\subsection*{Advantages and Disadvantages of NTRU}
909
+
910
+
\textbf{Advantages:}
911
+
\begin{itemize}
912
+
\item\textit{Efficiency:} NTRU offers fast key generation, encryption, and decryption compared to many other public-key schemes.
913
+
\item\textit{Small Key Sizes:} Public and private keys are relatively small, making NTRU attractive for constrained environments.
914
+
\item\textit{Post-Quantum Security:} NTRU is believed to be resistant to attacks by quantum computers, unlike RSA or ECC.
915
+
\end{itemize}
916
+
917
+
\textbf{Disadvantages:}
918
+
\begin{itemize}
919
+
\item\textit{Decryption Failures:} With improper parameters, decryption can fail. Careful tuning is required.
920
+
\item\textit{Parameter Sensitivity:} Security and correctness heavily depend on choosing parameters properly.
921
+
\item\textit{Lattice Attacks:} Though generally secure, NTRU remains susceptible to advanced lattice-based attacks if parameters are too weak.
922
+
\end{itemize}
923
+
924
+
\newpage
925
+
926
+
\subsection{Attack on NTRU}
927
+
928
+
Let \( h = h_{N-1}X^{N-1} + \cdots + h_0 \). Form the \( N \times N \) matrix
929
+
\[
930
+
H =
931
+
\begin{pmatrix}
932
+
h_0 & h_1 & \cdots & h_{N-1} \\
933
+
h_{N-1} & h_0 & \cdots & h_{N-2} \\
934
+
\vdots & \vdots & \ddots & \vdots\\
935
+
h_1 & h_2 & \cdots & h_0
936
+
\end{pmatrix}.
937
+
\]
938
+
939
+
If we represent the polynomials \( f = f_{N-1}X^{N-1} + \cdots + f_0 \) and \( g = g_{N-1}X^{N-1} + \cdots + g_0 \) by their corresponding row vectors:
then multiplication in \(\mathbb{Z}_q[x]/(x^N - 1) \) can be viewed as matrix-vector multiplication \( H \cdot\vec{f} \).
709
944
945
+
\vspace{0.5em}
946
+
947
+
Here, \( H \) is a circulant matrix generated from the coefficients of \( h \). This form is particularly useful because circulant matrices encode convolution-like operations. When working modulo \( X^N - 1 \), the multiplication of polynomials behaves like cyclic convolution. Representing this operation via matrix multiplication simplifies both notation and implementation, especially in lattice-based cryptographic schemes like NTRU.
948
+
949
+
950
+
We observe that
951
+
\[
952
+
\vec{f} H \equiv\vec{g} \pmod{q}.
953
+
\]
954
+
955
+
To express this relationship as a lattice problem, define the identity matrix \( I \) and the scaled identity matrix \( qI \) as:
956
+
\[
957
+
I =
958
+
\begin{pmatrix}
959
+
1 & 0 & \cdots & 0 \\
960
+
0 & 1 & \cdots & 0 \\
961
+
\vdots & \vdots & \ddots & \vdots\\
962
+
0 & 0 & \cdots & 1
963
+
\end{pmatrix}, \qquad
964
+
qI =
965
+
\begin{pmatrix}
966
+
q & 0 & \cdots & 0 \\
967
+
0 & q & \cdots & 0 \\
968
+
\vdots & \vdots & \ddots & \vdots\\
969
+
0 & 0 & \cdots & q
970
+
\end{pmatrix}.
971
+
\]
972
+
973
+
Now form the \( 2N \times 2N \) matrix \( M \) by:
974
+
\[
975
+
M =
976
+
\begin{pmatrix}
977
+
I & H \\
978
+
0 & qI
979
+
\end{pmatrix}.
980
+
\]
981
+
982
+
Let \( y \) be an unknown polynomial of degree less than \( N \), with coefficient vector \(\vec{y} \). Then we can express the relation
983
+
\[
984
+
g = f * h + qy
985
+
\]
986
+
as
987
+
\[
988
+
(\vec{f}, \vec{y}) M = (\vec{f}, \vec{g}).
989
+
\]
990
+
991
+
This means the vector \( (\vec{f}, \vec{g}) \) belongs to the lattice \( L \) generated by the rows of \( M \). Because \( f \) and \( g \) have small coefficients, the corresponding vector is short. An attacker can apply lattice reduction techniques (like the LLL algorithm) to search for short vectors in \( L \), and potentially recover \( f \) and \( g \), thus compromising the cryptosystem.
710
992
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
711
993
994
+
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
995
+
\newpage
712
996
\section{Code}
713
-
This section documents the source code modules that implement the main functionality of the project.
714
-
It includes core algorithms for lattice manipulation, polynomial arithmetic, cryptographic operations,
997
+
This section provides an overview of the source code modules responsible for implementing the core functionality of the project.It includes core algorithms for lattice manipulation, polynomial arithmetic, cryptographic operations,
715
998
and supporting utilities such as testing and verification routines.
716
999
717
1000
Each file is presented with its key functions, their parameters, return types, and the full implementation
This project explored key techniques in lattice-based cryptography. We started with two-dimensional basis reduction and then applied the LLL algorithm to higher-dimensional problems. Using these tools, we analyzed two attacks: one on RSA with partial message leakage, and another on NTRU, where short vectors reveal secret keys. The practical examples showed how lattice reduction helps uncover hidden information when parameters are weak. Through both theory and implementation, we saw how powerful and versatile lattice methods are in modern cryptography.
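Review bot: the multiplication convention in the attack subsection is inconsistent between line 944 ("matrix-vector multiplication \( H \cdot\vec{f} \)") and line 952 ("\vec{f} H \equiv\vec{g} \pmod{q}"). With H as defined at lines 930–937, row i is the coefficient vector of x^i * h \pmod{x^N - 1}, so f * h corresponds to the row-vector product \vec{f} H; the column form H \vec{f} instead computes \sum_j f_j h_{j-i}, i.e. the product of f with h(x^{-1}), not with h. Keep \vec{f} H, which is what lines 988 and 991 already use, and fix line 944. The relation g = f * h + q y at line 984 and the identity (\vec{f}, \vec{y}) M = (\vec{f}, \vec{g}) at line 988 are correct, but the closing sentence at line 991 ("potentially recover \( f \) and \( g \)") should say that the lattice has dimension 2N, so by the page's own remark at line 710 LLL is not expected to succeed once N reaches the recommended parameter range; the attack is a constraint on parameter choice rather than a working break, and the conclusion paragraph should be qualified the same way ("when parameters are weak" is right, "short vectors reveal secret keys" is not, unconditionally). Smaller points: the bullets "Decryption Failures" and "Parameter Sensitivity" at lines 919–920 say the same thing and can be merged; line 997 ("of the project.It includes") is missing a space after the period; and the section at line 996 is now followed by both the old "This section documents" sentence and the new "This section provides an overview" sentence in the diff, so check that only one survives in the merged file.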