Security Analysis of DBTRU Cryptosystem

DBTRU was proposed by Thang and Binh in 2015. As a variant of NTRU, the integer polynomial ring is replaced by two binary truncated polynomial rings GF(2)[x]/(x^n + 1). DBTRU has some advantages over NTRU in terms of security and performance. In this paper, we propose a polynomial-time linear algebra attack against the DBTRU cryptosystem, which can break DBTRU for all recommended parameter choices. The paper shows that the plaintext can be recovered in less than 1 s via the linear algebra attack on a single PC.


Introduction
The Number Theory Research Unit (NTRU) cryptosystem, a public key cryptosystem, was proposed by Hoffstein, Pipher, and Silverman in 1996 and published in 1998 [1]. It was standardized by IEEE in 2008 [2]. In 2020, NTRU entered the third round of submissions in the National Institute of Standards and Technology (NIST) post-quantum cryptography standardization process. NTRU works on the integer polynomial ring Z[x]/(x^n − 1). The encryption and decryption procedures involve linear operations between ring elements. This characteristic gives NTRU a great advantage over the Rivest-Shamir-Adleman (RSA) cryptosystem and elliptic curve cryptography (ECC) in terms of computational speed and key size. NTRU can be classified as post-quantum cryptography, and its security is based on the hardness of the shortest vector problem in a certain lattice. Compared with traditional public key algorithms, NTRU has become a hot research topic in the field of public key cryptography. NTRU is widely used in e-commerce, communication, embedded systems, and portable devices [3,4].
Since 2002, cryptographers have been exploring the optimization of NTRU from the underlying mathematical structure in order to achieve a higher level of security or better performance. Banks et al. gave the non-invertible version in 2002 [5]. This extension can overcome the problem of finding "enough" invertible polynomials in small sets. In 2002, Gaborit et al. proposed CTRU [6], an NTRU-like cryptosystem that runs on F_2[T][X]/(X^n − 1). CTRU can avoid the attacks based on the LLL algorithm. Vats proved that it is insecure under a linear algebra attack in 2008 [7]. In 2005, Coglianese and Goi proposed MaTRU [8], which operates in the ring of k by k matrices M_k(Z)[X]/(X^n − 1). Compared to NTRU, MaTRU further improves system operation efficiency. In 2011, Malekian et al. adopted the unique mathematical structure of quaternion algebra to design the QTRU cryptosystem [9], in which non-commutativity plays a key role in the system and further enhances the security of QTRU. In 2015, Yasuda et al. proposed a general NTRU cryptosystem based on group rings, called GR-NTRU [10]. They investigated the security and performance of the cryptosystem under different instance group rings by combining group representation theory. In 2017, Thakur et al. designed NTRU over split quaternion algebra [11]; SQTRU can reduce the decryption failure due to a non-commutative algebraic structure. In 2018, Wang et al. presented a variant of NTRU with IND-CPA security named D-NTRU [12], which has higher encryption and decryption efficiency than NTRU. In 2008, Karbasi et al. established PairTRU, working in the k × k matrix ring with pairwise entries of k^2 distinct polynomials in Z × Z [13]. PairTRU is more secure than NTRU under lattice-based attacks. In 2020, Hajaje et al. proposed PMTRU by combining the advantages of NTRU with MATRU [14]. PMTRU also improves the speed of the encryption and decryption procedures.
DBTRU was proposed by Thang and Binh in 2015 [15]. The name DBTRU indicates the use of number theory and two binary truncated polynomial rings GF(2)[x]/(x^n + 1), (n ∈ Z^+). Because both the encryption and decryption algorithms of DBTRU are only simple modular polynomial operations, DBTRU is as fast as NTRU. Although the message-expansion factor in DBTRU is higher than that in NTRU, the keys of DBTRU are smaller at approximately the same level of security.
In this paper, we further analyze the security of DBTRU and propose a linear algebra attack that can break it for all recommended parameter choices, i.e., the parameter sets chosen to compare its security levels with those of NTRU. More precisely, we first expose a hidden linear relationship between the public key and the secret values, and then derive the parameter constraints under which the plaintext and the secret polynomial remain secure while decryption still succeeds.
The rest of this paper is organized as follows. In Section 2, we briefly describe the DBTRU encryption scheme. In Section 3, we show how to recover the plaintext under the linear algebra attack. In Section 4, the experimental results of our attack are provided. We give the conclusions in Section 5.

The DBTRU System
We describe the DBTRU cryptosystem, as developed in [15], including notations, key generation, encryption, decryption, and decryption criteria.

Notations
This cryptosystem relies on two integer parameters s, l and four sets B_f, B_g, B_φ, B_m of polynomials with binary coefficients. In general, s is smaller than l and gcd(s, l) = 1.
Let d_f, d_g, d_φ, and d_m denote the maximum degree and Hamming weight of f, g, φ, and m, respectively. We replace the definition L(d_1, In addition, similar to DBTRU, we set the modular polynomials as S = x^s + 1 and L = x^l + 1.

Key Generation
During the process of key generation, Bob chooses two arbitrary positive integers s and l such that s < l, and sets d_f = s − 1. In addition, Bob chooses a small positive integer N_f and arbitrary

and its two inverses
Bob chooses a non-zero polynomial g ∈ B_g and computes Bob keeps f, f_i, and F_s as the private keys, publishing h as the public key.

Encryption and Decryption
Suppose Alice wants to send an s-bit message m to Bob. First, Alice randomly selects a non-zero polynomial φ_0 ∈ B_φ, a small positive integer N_φ, and arbitrary N_φ polynomials The ciphertext is given by Alice then sends the l-bit ciphertext e to Bob. After receiving e, Bob computes and recovers the message m by computing m ≡ F_s * a mod S.

Decryption Criteria
and Thereby, to ensure successful decryption, it is necessary that

Security Analysis
In this section, we describe the details of our attack on a DBTRU cryptosystem. First, we show that there is a hidden linear relationship between the public keys and the random non-zero polynomial in the encryption phase. Second, we construct a linear system of equations with the unknown random non-zero polynomial and then recover the plaintext message after we obtain the random non-zero polynomial. Finally, we present the whole algorithm of our attack.
The Hidden Linear Relationship
Theorem 1. As described in the DBTRU cryptosystem, let S = x^s + 1 and L = x^l + 1, where s < l. Let φ_i ∈ B_φ (i = 0, 1, · · · , N_φ) be some randomly chosen polynomials with φ_0 ≠ 0. For the ciphertext if l ≥ s + 2d_φ + 2, then part of the coefficients of e, namely, e_{s+d_φ+1}, · · · , e_{l−1}, are equal to the coefficients of φ_0 * h mod L of the same degree.
Proof of Theorem 1. As noted above, the ciphertext is calculated by where e_i ∈ GF(2) (i = 0, 1, · · · , l − 1). We assume where α_i ∈ GF(2) (i = 0, 1, · · · , d_φ). In addition, We have Now considering the maximum degree of the components of φ_0 * h, we have From the precise analysis above, only part of the coefficients of e are related to the More specifically, only the coefficients e_0, e_1, · · · , e_{d_φ−1} are affected by the reduction modulo L, and e_{s+d_φ+1}, · · · , e_{l−1} are simply equal to the coefficients of φ_0 * h mod L of the same degree.
From Theorem 1, we can see that the key to breaking DBTRU lies in the flawed structure of the ciphertext. For each encryption, we can construct the following linear equation system from the partial coefficients e_k = Σ_{i+j=k} α_i · h_j (s + d_φ + 1 ≤ k ≤ l − 1) of the ciphertext e: We denote the coefficient matrix of Equation (3) as A, where the elements of the matrix are the coefficients of the public key h. In Equation (3), the number of variables is d_φ + 1, and the number of equations is l − s − d_φ − 1 (one for each k with s + d_φ + 1 ≤ k ≤ l − 1). Since l ≥ s + 2d_φ + 2, the number of equations is greater than or equal to the number of variables. In this case, the system of equations in (3) has a unique solution. Therefore, the plaintext and the secret polynomial φ_0 will be secure only if l < s + 2d_φ + 2.
We will present how to recover the unique solution φ 0 in the next subsection.

Remark 1.
In the DBTRU cryptosystem, the authors also proposed an assessment of the algebraic attack on this scheme. The main problem with their security analysis is that they treated too many polynomials as unknowns. Here, we discover the hidden linear relationship between the public key and the random non-zero polynomial by careful analysis.

Recovering the Non-Zero Polynomial φ_0
To recover the polynomial φ_0, we need to analyze the solutions of Equation (3). As long as the rank of the matrix A defined above is equal to n, Equation (3) has only one solution, namely, the polynomial φ_0. To analyze the rank of the matrix A, we cite the following result, which is Theorem 2 of [16].
Lemma 1. Let N be a positive integer. Let p_1, · · · , p_l be the distinct prime factors of N. Consider the ring of n × n matrices with entries in Z_N. Then the proportion of invertible matrices (i.e., with determinant coprime to N) is equal to:
Applying Lemma 1, we have the following Corollary.

Corollary 1.
Let p be a prime integer and t ≥ 0 be an integer. Let M_{(n+t)×n}(Z_p) denote the ring consisting of (n + t) × n matrices with entries in Z_p. The probability of having at least one n × n invertible matrix in M_{(n+t)×n}(Z_p) is
Proof of Corollary 1. When setting N = p in Lemma 1, we have that the probability of having a non-invertible n × n matrix with entries in Z_p is Then, when we choose matrices from M_{(n+t)×n}(Z_p), the probability that all the n × n matrices are non-invertible is Based on the above analysis, we can deduce the result in our corollary.
Table 1 shows the probability of having at least one n × n invertible matrix in M_{(n+t)×n}(Z_p).
Table 1. The probability of at least one n × n invertible matrix in M_{(n+t)×n}(Z_p), with p = 2.
From Table 1, we can see that even for p = 2, we only need to choose 3 or more times from M_{(n+t)×n}(Z_p) to obtain an invertible n × n matrix with a probability close to 1.
Finally, after obtaining φ_0, one can recover the message m by calculating Here, we present our whole attack as Algorithm 1.

Algorithm 1: Main strategy of this attack
Input:
1. Choose d_φ + 1 equations from the input system of linear equations, and denote its coefficient matrix as A.
2. Determine whether det A is equal to zero.
3. If det A ≠ 0, apply Gaussian elimination to get the solution a = (a_0, a_1, · · · , a_{d_φ}) of the system of equations selected in Step 1.
4. Else, reselect d_φ + 1 equations and go back to Step 2, until we find a system of equations whose coefficient matrix is invertible.
5. For all equations entered, check whether a = (a_0, a_1, · · · , a_{d_φ}) is a solution to each equation. If so, then we claim to have the target polynomial φ_0.
6.
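A toy model of the attack in Theorem 1, Equation (3) and Algorithm 1, added here as an example and not the paper's or DBTRU's own code. It assumes (as labelled in the code) that the ciphertext has the form e = φ_0 * h + rest mod L, where the polynomial rest collects every component other than φ_0 * h and has degree at most s + d_φ, as the proof of Theorem 1 requires; it solves the whole overdetermined system by Gauss-Jordan elimination over GF(2) rather than selecting d_φ + 1 rows, which amounts to the same rank check.

```python
# Added example (not the paper's code): toy model of the Theorem 1 / Equation (3) attack.
# GF(2) polynomials are lists of 0/1 coefficients, index = degree; L = x^l + 1.
def mul_mod_L(a, b, l):
    """Multiply two GF(2) polynomials and reduce modulo x^l + 1 (x^l = 1)."""
    out = [0] * l
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if ai and bj:
                out[(i + j) % l] ^= 1
    return out

def encrypt_model(phi0, h, rest, l):
    """Modelling assumption: e = phi0*h + rest (mod L). `rest` stands in for every
    ciphertext component other than phi0*h and has degree <= s + d_phi."""
    e = mul_mod_L(phi0, h, l)
    for k, c in enumerate(rest):
        e[k] ^= c
    return e

def solve_gf2(rows, rhs, n):
    """Gauss-Jordan elimination over GF(2). Returns the unique solution when the
    rank is n and the remaining equations are consistent (Algorithm 1, step 5)."""
    aug = [row[:] + [b] for row, b in zip(rows, rhs)]
    for col in range(n):
        piv = next((i for i in range(col, len(aug)) if aug[i][col]), None)
        if piv is None:
            return None                      # rank < n: phi0 is not determined
        aug[col], aug[piv] = aug[piv], aug[col]
        for i in range(len(aug)):
            if i != col and aug[i][col]:
                aug[i] = [x ^ y for x, y in zip(aug[i], aug[col])]
    if any(row[n] for row in aug[n:]):       # a leftover "0 = 1" row: inconsistent
        return None
    return [aug[i][n] for i in range(n)]

def recover_phi0(e, h, s, d_phi, l):
    """Equation (3): e_k = sum_{i+j=k} alpha_i h_j for s+d_phi+1 <= k <= l-1.
    For these k the index k-i never wraps modulo L, which is the hidden linearity."""
    if l < s + 2 * d_phi + 2:
        return None                          # Theorem 1 needs l >= s + 2 d_phi + 2
    n = d_phi + 1
    rows = [[h[k - i] for i in range(n)] for k in range(s + d_phi + 1, l)]
    rhs = [e[k] for k in range(s + d_phi + 1, l)]
    return solve_gf2(rows, rhs, n)

def demo():
    """Constructed instance (s=5, d_phi=2, l=13 >= s+2*d_phi+2 = 11); returns (phi0, recovered)."""
    s, d_phi, l = 5, 2, 13
    h = [1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0]   # constructed public key, weight 5
    phi0 = [1, 0, 1]                               # 1 + x^2, degree d_phi
    rest = [1, 0, 0, 1, 0, 0, 0, 1]                # degree 7 = s + d_phi
    e = encrypt_model(phi0, h, rest, l)
    return phi0, recover_phi0(e, h, s, d_phi, l)
```

When the public key gives a rank-deficient matrix, or l is below the Theorem 1 bound, recover_phi0 returns None, which is the parameter regime the paper calls secure against this attack.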

Experimental Results
The authors of DBTRU concluded that, as a variant of NTRU, DBTRU has advantages in both security and performance compared with NTRU, as shown in Table 2, Table 3 and Table 4, respectively. Here, we use SageMath to carry out our experiments. First, we give the probability of encountering an invertible matrix when selecting multiple times over 10,000 sets of data in Table 5. From Table 5, the experimental data validate Remark 2. Next, we give the total running time for breaking the DBTRU cryptosystem over 10,000 sets of data in Table 6. From Table 6, the results show that for the three parameter choices recommended in the DBTRU cryptosystem, our proposed linear algebra attack can recover the plaintext within 1 s.

Conclusions
The DBTRU cryptosystem is a binary analogue of NTRU. It was claimed in [15] that DBTRU has some important security and performance advantages over NTRU. For instance, at nearly the same level of security, DBTRU always has smaller keys. In this paper, we propose a linear algebra attack that breaks DBTRU by exploiting the hidden linear relationship between the public key and the secret values. The linear algebra attack is practical on all three settings of recommended parameters, and the plaintext can be recovered in less than 1 s on a single PC. Our work may provide a new method of security analysis for NTRU variants or other cipher schemes.
A further research direction could be the fusion of NTRU with more complex algebraic structures, such as non-commutative algebras, to enhance the security of NTRU-like cryptosystems.