Security Analysis of DBTRU Cryptosystem

Abstract

DBTRU was proposed by Thang and Binh in 2015. As a variant of NTRU, the integer polynomial ring is replaced by two binary truncated polynomial rings $GF(2)\left[x\right]/(x^n+1)$. DBTRU has some advantages over NTRU in terms of security and performance. In this paper, we propose a polynomial-time linear algebra attack against the DBTRU cryptosystem, which can break DBTRU for all recommended parameter choices. The paper shows that the plaintext can be achieved in less than 1 s via the linear algebra attack on a single PC.

1. Introduction

The Number Theory Research Unit (NTRU) cryptosystem as a public key cryptosystem was proposed by Hoffstein, Pipher, and Silverman in 1996 and published in 1998 [1]. It was standardized by IEEE in 2008 [2]. In 2020, NTRU entered the third round of submissions in the National Institute of Standards Technology (NIST) post-quantum cryptography standardization process. NTRU works on the integer polynomial ring $\mathbb{Z}\left[x\right]/(x^n-1)$. The encryption and decryption procedures involve linear operations between ring elements. This characteristic gives NTRU a great advantage over Rivest, Shamir, Adleman (RSA) cryptosystem and elliptic curve cryptosystem (ECC) in terms of computational speed and key size. NTRU can be classified as post-quantum cryptography, and its security is based on the hardness of the shortest vector problem in a certain lattice. Compared with traditional public key algorithms, its research has been a hot spot in the field of public key cryptography. NTRU is widely used in e-commerce, communication, embedded systems, and portable devices [3,4].

Since 2002, cryptographers have been exploring the optimization of NTRU from the underlying mathematical structure in order to achieve a higher level of security or better performance. Banks et al. gave the non-invertible version in 2002 [5]. This extension can overcome the problem of finding “enough” invertible polynomials in small sets. In 2002, Gaborit et al. proposed CTRU [6], a NTRU-like cryptosystem that runs on $F_2\left[T\right]\left[X\right]/(x^n-1)$. CTRU can avoid the attacks based on the LLL algorithm. Vats proved that it is insecure under linear algebra attack in 2008 [7]. In 2005, Coglianese and Goi proposed MaTRU [8], which operates in the ring of k by k matrices $M_k(\mathbb{Z})\left[X\right]/(x^n-1)$. Compared to NTRU, MaTRU further improves system operation efficiency. In 2011, Malekian et al. adopted the unique mathematical structure of quaternion algebra to design the QTRU cryptosystem [9], in which non-commutativeness plays a key role in the system, and which further enhances the security of QTRU. In 2015, Yasuda et al. proposed a general NTRU cryptosystem based on group ring, called GR-NTRU [10]. They investigated the security and performance of the cryptosystem under different instance group rings by combining group representation theory. In 2017, Thakur et al. designed NTRU over spit quaternion algebra [11]; SQTRU can reduced the decryption failure due to a non-commutative algebraic structure. In 2018, Wang et al. presented a variant of NTRU with IND-CPA security named D-NTRU [12], which has higher encryption and decryption efficiency than NTRU. In 2008, Karbasi et al. established PairTRU working in the $k\times k$ matrix ring with pairwise entries of $k^2$ distinct polynomials in $\mathbb{Z}\times \mathbb{Z}$ [13]. PairTRU is more secure than NTRU under lattice based attack. In 2020, Hajaje et al. proposed PMTRU by combining the advantages of NTRU with MATRU [14]. PMTRU also improves the speed of encryption and decryption procedures.

DBTRU was proposed by Thang and Binh in 2015 [15]. The name DBTRU indicates the use of number theory and two binary truncated polynomial rings $GF(2)\left[x\right]/(x^n+1)$, ($n\in {\mathbb{Z}}^{+}$). Because both algorithms for encryption and decryption of DBTRU are only simple modular polynomial operations, DBTRU is as fast as NTRU. Although the message-expansion factor in DBTRU is higher than that in NTRU, the keys of DBTRU are smaller under approximately the same level of security.

In this paper, we further analyze the security of DBTRU and propose a linear algebra attack that can break it for all recommended parameter choices to compare the security levels in NTRU. More precisely, we first explore a hidden linear relationship between the public keys and the secret keys and find the parameter constraints for plaintext and secret key security while guaranteeing correct decryption.

The rest of this paper is organized as follows. In Section 2, we briefly describe the DBTRU encryption scheme. In Section 3, we show how to recover the plaintext under the linear algebra attack. In Section 4, the experimental results of our attack are provided. We give the conclusions in Section 5.

2. The DBTRU System

We describe the DBTRU cryptosystem, as developed in [15], including notations, key generation, encryption, decryption, and decryption criteria.

2.1. Notations

This cryptosystem relies on two integer parameters s, l and four sets ${\mathcal{B}}_f$, ${\mathcal{B}}_g$, ${\mathcal{B}}_{\varphi }$, ${\mathcal{B}}_m$ of polynomials with binary coefficients. In general, s is smaller than l and $gcd(s,l)=1$. Let $\mathcal{R}=\mathbb{Z}\left[x\right]/(x^n-1)$. The polynomial ring $GF(2)\left[x\right]/(x^n+1)$ is denoted by ${\mathcal{R}}_n\left[x\right]$. DBTRU is working in ${\mathcal{R}}_s\left[x\right]$ and ${\mathcal{R}}_l\left[x\right]$. We write * for polynomial multiplication in ${\mathcal{R}}_n\left[x\right]$, and let $deg(f)$ denote the degree of $f\in {\mathcal{R}}_n\left[x\right]$.

Let $d_f$, $d_g$, $d_{\varphi }$, and $d_m$ denote the maximum degree and Hamming weight of f,g,$\varphi$, and m, respectively. We replace the definition $\mathcal{L}(d_1,d_2)$ in NTRU with

$$\mathcal{B}(d)=\{b\in {\mathcal{R}}_l\left[x\right]|deg(b)\le d\}.$$

In addition, similar to DBTRU, we set the modular polynomials as $S=x^s+1$ and $L=x^l+1$.

2.2. Key Generation

During the process of key generation, Bob chooses two arbitrary positive integers s and l such that $s<l$, and sets $d_f=s-1$. In addition, Bob chooses an small positive integer $N_f$ and arbitrary $N_f$ polynomials $f_i\in {\mathcal{B}}_f$ ($i\in [1,N_f]$), which are invertible in both ${\mathcal{R}}_s\left[x\right]$ and ${\mathcal{R}}_l\left[x\right]$. For each $f_i$, Bob computes $F_{i,s}\in {\mathcal{R}}_s\left[x\right]$ and $F_{i,l}\in {\mathcal{R}}_l\left[x\right]$, where $F_{i,s}\ast f_i\equiv 1modS$ and $F_{i,l}\ast f_i\equiv 1modL$. Then Bob computes

$$f=\prod _{i=1}^{N_f}{f}_i,$$

and its two inverses

$$F_s=\prod _{i=1}^{N_f}{F}_{i,s},$$

and

$$F_l=\prod _{i=1}^{N_f}{F}_{i,l}.$$

Notice that $deg(f)\le N_f·d_f$. Bob chooses a non-zero polynomial $g\in {\mathcal{B}}_g$ and computes

$$h=g\ast F_l\ast SmodL.$$

Bob keeps f,$f_i$, and $F_s$ as the private keys, publishing h as the public key.

2.3. Encryption and Decryption

Suppose Alice wants to send a s-bit message m to Bob. First, Alice randomly selects a non-zero polynomial ${\varphi }_0\in {\mathcal{B}}_{\varphi }$, a small positive integer $N_{\varphi }$, and arbitrary $N_{\varphi }$ polynomials ${\varphi }_i\in {\mathcal{B}}_{\varphi }|i\in [1,N_{\varphi }]$. The ciphertext is given by

$$e\equiv ({\varphi }_0\ast h+S\ast \sum _{i=1}^{N_{\varphi }}{\varphi }_i+m)modL.$$

(1)

Alice then sends the l- bit ciphertext e to Bob. After receiving e, Bob computes

$$a\equiv f\ast emodL,$$

(2)

and recovers the message m by computing

$$m\equiv F_s\ast amodS.$$

2.4. Proof of Decryption

By inserting (1) into (2), there is

$$\begin{array}{cc}\hfill a& \equiv f\ast emodL\hfill \\ \hfill & \equiv f\ast ({\varphi }_0\ast h+S\ast \sum _{i=1}^{N_{\varphi }}{\varphi }_i+m)modL\hfill \\ \hfill & \equiv (f\ast {\varphi }_0\ast g\ast F_l\ast S+f\ast S\ast \sum _{i=1}^{N_{\varphi }}{\varphi }_i+f\ast m)modL\hfill \\ \hfill & \equiv (({\varphi }_0\ast g+f\ast \sum _{i=1}^{N_{\varphi }}{\varphi }_i)\ast S+f\ast m)modL.\hfill \end{array}$$

Hence, $F_s\ast amodS=F_s\ast f\ast mmodS$. Thereby,

$$m\equiv F_s\ast amodS.$$

2.5. Decryption Criteria

It is proved that

$$deg({\varphi }_0\ast g\ast S)\le d_{\varphi }+d_g+s,$$

$$deg(f\ast S\ast \sum _{i=1}^{N_{\varphi }}{\varphi }_i)\le N_f·d_f+s+d_{\varphi },$$

and

$$deg(f\ast m)\le d_f+d_m,$$

if $d_g$ satisfies

$$d_g<N_f·d_f,$$

then

$$deg(a)\le N_f·d_f+s+d_{\varphi },$$

Thereby, to ensure successful decryption, it is necessary that

$$l>max(dega)=N_f·d_f+d_{\varphi }+s.$$

3. Security Analysis

In this section, we describe the details of our attack on a DBTRU cryptosystem. First, we show that there is a hidden linear relationship between the public keys and the random non-zero polynomial in the encryption phase. Second, we construct a linear system of equations with the unknown random non-zero polynomial and then recover the plaintext message after we obtain the random non-zero polynomial. Finally, we present the whole algorithm of our attack.

3.1. The Hidden Linear Relationship

Theorem 1.

As described in the DBTRU cryptosystem, let $S=x^s+1$ and $L=x^l+1$, where $s<l$. Let ${\varphi }_i\in {\mathcal{B}}_{\varphi }$ ($i=0,1\cdots ,N_{\varphi }$) be some randomly chosen polynomials with ${\varphi }_0\ne 0$. For the ciphertext

$$e=({\varphi }_0\ast h+S\ast \sum _{i=1}^{N_{\varphi }}{\varphi }_i+m)modL,$$

if $l\ge s+2d_{\varphi }+2$, then the part of coefficients of e, namely, $e_{s+d_{\varphi }+1},\cdots ,e_{l-1}$ are equal to the coefficients of ${\varphi }_0\ast hmodL$ with the same degree.

Proof of Theorem 1

As noted above, the ciphertext is calculated by

$$e=({\varphi }_0\ast h+S\ast \sum _{i=1}^{N_{\varphi }}{\varphi }_i+m)modL,$$

and we can write e as

$$e=\sum _{i=0}^{l-1}{e}_i{x}^i,$$

where $e_i\in GF(2)$ ($i=0,1,\cdots ,l-1$). We assume

$${\varphi }_0={\alpha }_0+{\alpha }_{1}x+\cdots +{\alpha }_{d_{\varphi }}{x}^{d_{\varphi }},$$

where ${\alpha }_i\in GF(2)$ ($i=0,1,\cdots ,d_{\varphi }$). In addition,

$$h=h_0+h_{1}x+\cdots +h_{l-1}{x}^{l-1},$$

with $h_j\in GF(2)$ ($j=0,1,\cdots ,l-1$).

We have

$$deg(S\ast \sum _{i=1}^{N_{\varphi }}{\varphi }_i+m)\le s+d_{\varphi }.$$

Now considering the maximum degree of components of ${\varphi }_0\ast h$, we have

$$deg({\varphi }_0\ast h)\le d_{\varphi }+d_h=d_{\varphi }+l-1.$$

From the precise analysis above, we have only part of the coefficients of e related to the ${\varphi }_0\ast h$, $S\ast {\sum }_{i=1}^{N_{\varphi }}{\varphi }_i$ and m. More specifically, only the coefficients $e_0,e_1,\cdots ,e_{d_{\varphi }-1}$ are affected by the modulo L, and $e_{s+d_{\varphi }+1},\cdots ,e_{l-1}$ are just equal to the coefficients of ${\varphi }_0\ast hmodL$ with the same degree.    □

From Theorem 1, we can see that the key to breaking DBTRU lies in the irrationality of the ciphertext structure. In each encryption process, we can construct the following linear equation system through the partial coefficients $e_k={\sum }_{i+j=k}{\alpha }_i·h_j(s+d_{\varphi }+1\le k\le l-1)$ of the ciphertext e, we have

$$\left\{\begin{array}{c}{h}_{l-1}{\alpha }_0+h_{l-2}{\alpha }_1+\cdots +h_{l-d_{\varphi }-1}{\alpha }_{d_{\varphi }}=e_{l-1}\hfill \\ h_{l-2}{\alpha }_0+h_{l-3}{\alpha }_1+\cdots +h_{l-d_{\varphi }-2}{\alpha }_{d_{\varphi }}=e_{l-2}\hfill \\ \cdots \cdots \hfill \\ h_{s+d_{\varphi }+1}{\alpha }_0+h_{s+d_{\varphi }}{\alpha }_1+\cdots +h_{s+1}{\alpha }_{d_{\varphi }}=e_{s+d_{\varphi }+1}.\hfill \end{array}\right.$$

(3)

We denote the coefficient matrix of Equation (3) as

$$A=\left[\begin{array}{cccc}{h}_{l-1}& h_{l-2}& \cdots & h_{l-d_{\varphi }-1}\\ h_{l-2}& h_{l-3}& \cdots & h_{l-d_{\varphi }-2}\\ ⋮& ⋮& \ddots & ⋮\\ h_{s+d_{\varphi }+1}& h_{s+d_{\varphi }}& \cdots & h_{s+1}\end{array}\right],$$

where the elements of the matrix are the coefficients of the public key h.

In Equation (3), the number of variables is $d_{\varphi }+1$, and the number of equations is $l-s-d_{\varphi }-1$. Let

$$l\ge s+2d_{\varphi }+2,$$

we have that the number of equations is greater than or equal to the number of variables. In this case, the system of equations in (3) has a unique solution. Therefore, plaintext and secret polynomial ${\varphi }_0$ will be secure if

$$l<s+2d_{\varphi }+2.$$

We will present how to recover the unique solution ${\varphi }_0$ in the next subsection.

Remark 1.

In the DBTRU cryptosystem, the authors also proposed an assessment of the algebraic attack on this scheme. The main problem with their security analysis is that they paid attention to too many unknown polynomials. Here, we discover the hidden linear relationship between the public keys and the random non-zero polynomial by careful analysis.

3.2. Recover the Non-Zero Polynomial ${\varphi }_0$

To recover the polynomial ${\varphi }_0$, we need to analyze the solutions of Equation (3). As long as the rank of matrix A defined above is equal to n, then Equation (3) should have only one solution, namely, the polynomial ${\varphi }_0$. To analyze the rank of matrix A, we cite the following result, which is Theorem 2 of [16].

Lemma 1.

Let N be a positive integer. Let $p_1,\cdots ,p_l$ be the distinct prime factors of N. Consider the ring of $n\times n$ matrices with entries in ${\mathbb{Z}}_N$. Then the proportion of invertible matrices (i.e., with determinant coprime to N) is equal to :

$$\prod _{i=1}^l\prod _{k=1}^n(1-p_i^{-k}).$$

Applying Lemma 1, we have the following Corollary.

Corollary 1.

Let p be a prime integer and $t\ge 0$ be an integer. Let ${\mathcal{M}}_{(n+t)\times n}({\mathbb{Z}}_p)$ denote the ring consisting of $(n+t)\times n$ matrices with entries in ${\mathbb{Z}}_p$. The probability of having at least one $n\times n$ invertible matrix in ${\mathcal{M}}_{(n+t)\times n}({\mathbb{Z}}_p)$ is

$$1-{\left(1-\prod _{k=1}^n(1-p^{-k})\right)}^{\left(\begin{array}{c}n+t\\ n\end{array}\right)}.$$

Proof 

(Proof of Corollary 1).

When setting $N=p$ in Lemma 1, we have that the probability of having a irreversible $n\times n$ matrix with entries in ${\mathbb{Z}}_p$ is

$$1-\prod _{k=1}^n(1-p^{-k}).$$

Then, when we choose matrices from ${\mathcal{M}}_{(n+t)\times n}({\mathbb{Z}}_p)$, the probability that all the $n\times n$ matrices are irreversible is

$${\left(1-\prod _{k=1}^n(1-p^{-k})\right)}^{\left(\begin{array}{c}n+t\\ n\end{array}\right)}.$$

Based on the above analysis, we can deduce the result in our corollary.    □

Table 1 shows the probability of having at least one $n\times n$ invertible matrix in ${\mathcal{M}}_{(n+t)\times n}({\mathbb{Z}}_p)$.

Table 1. The probability of at least one $n\times n$ invertible matrix in ${\mathcal{M}}_{(n+t)\times n}({\mathbb{Z}}_p)$, with $p=2$.

	t	$\mathit{t}=0$	$\mathit{t}=1$	$\mathit{t}=2$	$\mathit{t}=3$
n
$n=28$		$0.28879$	$0.99995$	$1.00000$	$1.00000$
$n=45$		$0.28879$	$1.00000$	$1.00000$	$1.00000$
$n=148$		$0.28879$	$1.00000$	$1.00000$	$1.00000$

Remark 1.

From Table 1, we can see that even for p = 2, we only need to choose 3 times or more from ${\mathcal{M}}_{(n+t)\times n}({\mathbb{Z}}_p)$; then we can get a invertible $n\times n$ matrix with a probability close to 1.

Finally, after obtaining ${\varphi }_0$, one can recover the message m by calculating

$$m\equiv (e-{\varphi }_0\ast h)modS.$$

Here, we propose our whole attack as follows Algorithm 1   

Algorithm 1: Main strategy of this attack

Input: $e_k={\sum }_{i+j=k}{\varphi }_i^{\prime }·h_j(s+d_{\varphi }+1\le k\le l-1)$ . 1. Choose $d_{\varphi }+1$ equations from the input system of linear equations, and denote its coefficient matrix as A. 2. Determine whether $detA$ is equal to be zero. 3. If the $detA\ne 0$, apply Gaussian elimination to get the solution $a=(a_0,a_1,\cdots ,a_{d_{\varphi }})$ of the selected systems of equations in Step 1. 4. Else, then reselect $d_{\varphi }+1$ equations, and go back to Step 2, until we find a system of equations for which its coefficient matrix is invertible. 5. For all equations entered, check if $a=(a_0,a_1,\cdots ,a_{d_{\varphi }})$ is a solution to each equation. If so, then we claim to have the target polynomial ${\varphi }_0$. 6. Compute $(e-{\varphi }_0\ast h)modS$. Output: The $s-bit$ plaintext message m.

4. Experiments Results

In DBTRU, the authors concluded that as a variant of NTRU, DBTRU has advantages in both security and performance comparison with NTRU, as shown in Table 2, Table 3 and Table 4, respectively.

Table 2. Comparison in moderate security mode of NTRU.

Moderate Security	NTRU	DBTRU
Basic parameters	$$\begin{gathered} \begin{array}{c}\hfill c(N,p,q,d_f,d_g,d)= \\ (107,3,64,15,12,5)\end{array} \end{gathered}$$	$$\begin{gathered} \begin{array}{c}\hfill c(s,l,d_{\varphi },d_g,N_f,N_{\varphi })= \\ (37,197,27,105,3,4)\end{array} \end{gathered}$$
$S_m$	$2^{26.5}$	$2^{51.21}$
$S_k$	$2^{50}$	$2^{51.71}$
Public key (bits)	642	197
Private key (bits)	340	222
Message-expansion	3.78	5.32

Table 3. Comparison in high security mode of NTRU.

High Security	NTRU	DBTRU
Basic parameters	$$\begin{gathered} \begin{array}{c}\hfill c(N,p,q,d_f,d_g,d)= \\ (167,3,128,61,20,18)\end{array} \end{gathered}$$	$$\begin{gathered} \begin{array}{c}\hfill c(s,l,d_{\varphi },d_g,N_f,N_{\varphi })= \\ (59,293,44,120,3,4)\end{array} \end{gathered}$$
$S_m$	$2^{77.55}$	$2^{85.71}$
$S_k$	$2^{82.9}$	$2^{85.71}$
Public key (bits)	1169	293
Private key (bits)	530	354
Message-expansion	4.23	4.97

Table 4. Comparison in highest security mode of NTRU.

Highest Security	NTRU	DBTRU
Basic parameters	$$\begin{gathered} \begin{array}{c}\hfill c(N,p,q,d_f,d_g,d)= \\ (503,3,256,216,72,55)\end{array} \end{gathered}$$	$$\begin{gathered} \begin{array}{c}\hfill c(s,l,d_{\varphi },d_g,N_f,N_{\varphi })= \\ (197,1019,147,500,3,4)\end{array} \end{gathered}$$
$S_m$	$2^{170}$	$2^{292.70}$
$S_k$	$2^{285}$	$2^{292.71}$
Public key (bits)	4024	1019
Private key (bits)	1595	1182
Message-expansion	5.05	5.17

Here, we use Sage Math to complete our experiments. First, we give the probability of encountering an invertible matrix when selecting multiple times under 10,000 sets of data in Table 5.

Table 5. The probability of having an invertible matrix.

Parameters	Once	Twice	Three Times
$$\begin{gathered} \begin{array}{c}\hfill c(s,l,d_{\varphi },d_g,N_f,N_{\varphi })= \\ (37,197,27,105,3,4)\end{array} \end{gathered}$$	$0.2987$	1	1
$$\begin{gathered} \begin{array}{c}\hfill c(s,l,d_{\varphi },d_g,N_f,N_{\varphi })= \\ (59,293,44,120,3,4)\end{array} \end{gathered}$$	$0.2957$	1	1
$$\begin{gathered} \begin{array}{c}\hfill c(s,l,d_{\varphi },d_g,N_f,N_{\varphi })= \\ (197,1019,147,500,3,4)\end{array} \end{gathered}$$	$0.3033$	1	1

From Table 5, the experiment data validate Remark 2.

Next, we give the total running time of breaking the DBTRU cryptosystem under 10,000 sets of data in Table 6.

Table 6. The running time for breaking DBTRU.

Parameters	The Number of Equations	The Number of Variables	Running Time (Sec)
$$\begin{gathered} \begin{array}{c}\hfill c(s,l,d_{\varphi },d_g,N_f,N_{\varphi })= \\ (37,197,27,105,3,4)\end{array} \end{gathered}$$	132	28	$15.7352$
$$\begin{gathered} \begin{array}{c}\hfill c(s,l,d_{\varphi },d_g,N_f,N_{\varphi })= \\ (59,293,44,120,3,4)\end{array} \end{gathered}$$	189	45	$23.6364$
$$\begin{gathered} \begin{array}{c}\hfill c(s,l,d_{\varphi },d_g,N_f,N_{\varphi })= \\ (197,1019,147,500,3,4)\end{array} \end{gathered}$$	674	148	$128.0634$

From Table 6, the results show that for the three parameter choices recommended in the DBTRU cryptosystem, our proposed linear algebra attack can recover the plaintext within 1 s.

5. Conclusions

The DBTRU cryptosystem is a binary analogue of NTRU. It was claimed in [15] that DBTRU has some important security and performance advantages over NTRU. For instance, at nearly the same level of security, DBTRU always has smaller keys. In this paper, we propose a linear algebra attack that breaks DBTRU by exploiting the secret linear relationship between public keys and secret keys. The linear algebra attack is practical on all three settings of recommended parameters, and the plaintext can be achieved in less than 1 s on a single PC. Our work may provide a new method of security analysis for NTRU variants or other cipher schemes.

Further research direction could be the fusion of NTRU with more complex algebraic structures, such as non-commutative algebras, to enhance the security of NTRU-like cryptosystems.