Find in Library

NTRU cryptosystem was proposed by J. Hoffstein, J.Pipher and J.H. Silverman in 1996, whose security is related to the hardness of finding sufficient short vectors in NTRU lattice with dimension <inline-formula> <tex-math notation="LaTeX">$2N$ </tex-math></inline-formula>. Many researchers conjecture that the private key vector is indeed the shortest vector in the lattice in most cases. However, no formal proof has been provided in the literature before to the best of our knowledge. In this paper, we revisit the lattice attack on NTRU and present a new dimension reduction attack on NTRU without considering the pattern of private polynomials. More precisely, we show that one can recover a group of equivalent private keys by solving shortest vector problem in a new dimension-reduced lattice with dimension <inline-formula> <tex-math notation="LaTeX">$N+k, k &lt; N$ </tex-math></inline-formula>, where <inline-formula> <tex-math notation="LaTeX">$k$ </tex-math></inline-formula> is related to the specific parameters selected. As a corollary of our attack, we prove that the private key vector and its rotations are the shortest vectors of the original NTRU lattice with an overwhelming probability, which confirms the conjecture of the length of the shortest vector of the original NTRU lattice.