Challenge
1 | import os |
The author also provides a link to the paper that describes a broadcasting attack on NTRU.
Quick recap of the paper
The encryption of NTRU is
\[\mathbf{c} = \mathbf{H}\mathbf{r} + \mathbf{m} \pmod{q},\]
where \(\mathbf{H}\) is the public key (in the form of a ciruclar matrix) and \(\mathbf{r}\) is the nonce. Define \(\mathbf{\hat{H}} = \mathbf{H}^{-1}\) and \(\mathbf{b} = \mathbf{H}^{-1}\mathbf{c}\). If \(\mathbf{r}^T\mathbf{r}\) is known, we have
\[\mathbf{r}^T\mathbf{r} = (\mathbf{b} - \mathbf{\hat{H}}\mathbf{m})^T(\mathbf{b} - \mathbf{\hat{H}}\mathbf{m}) = \mathbf{b}^T\mathbf{b} - 2\mathbf{b}\mathbf{b}^T\mathbf{\hat{H}}\mathbf{m} + \mathbf{m}^T\mathbf{\hat{H}}^T\mathbf{\hat{H}}\mathbf{m}.\]
This is a quadratic equation with variable \(\mathbf{m}\). If we use our usual linearization techinique, we will end up with a quadratic number of variables. However, notice that \(\mathbf{\hat{H}}^T\mathbf{\hat{H}}\) is a symmetric circular matrix, so many quadratic terms share the same coefficient and can be merged. This reduces the number of variables to \(N + \lceil N/2 \rceil\), and we need this amount of public key and ciphertext pair to recover the secret message.
From the paper to our challenge
In our challenge, \(\mathbf{r}\) and \(\mathbf{m}\) are random polynomials with binary coefficients (all coefficients are 0 or 1) , which means \(\mathbf{r}^T\mathbf{r}\). The paper mentions a trick: consider \(\mathbf{r'} = 2\mathbf{r} - (1, 1, \cdots, 1)\), all the entries of \(\mathbf{r'}\) will be either -1 or 1, and \(\mathbf{r'}^T\mathbf{r'}\) would be \(N\), a value we know. This is the official solution as well, but here we provide another trick that can potentially give a faster solution.
The key insight is that \(r(1)\) in polynomial form is the same as \(\mathbf{r}^T\mathbf{r}\) in vector form because of its binary coefficients, and we have the equation
\[c(1) = H(1)r(1) + m(1) \pmod{q}.\]
Since \(H\) is generated by calculating \(p\cdot f/g\) where \(p=3\), and \(f(1) = g(1) = 273\), we have
\[c(1) = 3 \cdot r(1) + m(1)\]
if we scale \(c(1)\) to be in the range \([0, q)\) (we use the fact that LHS is bounded by \(4N < q\)). This means if we know the value of \(m(1)\), we have \(r(1)\) and can perform the paper's attack!
Bruteforce \(m(1)\)
The value of \(m(1)\) can be viewed as the number of heads when flipping \(N = 509\) fair coins. The mean value is \(N/2\) and the standard variation is \(\sqrt{N/4} \approx 11.28\). We also know \(m(1) \bmod 3\), which turned out to be \(2\). Therefore, if we consider \(m(1) = 221, 224, \cdots, 287\) (a total of 23 cases), we are highly confident that we can find the correct \(m(1)\) as it covers up to 3 standard deviations.
Linearization
If we check the equation (3.7) in the paper
\[a_0x_0 + 2a_1x_1 + \cdots + 2a_{\lfloor N/2 \rfloor}x_{\lfloor N/2 \rfloor} -2w_0m_0 - 2w_1m_1 - \cdots - 2w_{N-1}m_{N-1} = \mathbf{r}^T\mathbf{r} - \mathbf{b}^T\mathbf{b} \pmod{q}, \]
the term \(a_0x_0\) is the only one without an even coefficient. \(a_0\) is a known value, and \(x_0\), coincidently, is the value \(m(1)\) (again, using the fact that \(\mathbf{m}^T\mathbf{m} = m(1)\) because it's binary)! Therefore, we can rewrite the equation as
\[a_1x_1 + \cdots + a_{\lfloor N/2 \rfloor}x_{\lfloor N/2 \rfloor} -w_0m_0 - w_1m_1 - \cdots - w_{N-1}m_{N-1} = \frac{1}{2}(\mathbf{r}^T\mathbf{r} - \mathbf{b}^T\mathbf{b} - a_0m(1)) \pmod{q/2}, \]
The benefit is that now we can solve the equation as a boolean linear system, which is a lot easier and faster than solving the system modulo \(q = 2048\).
Final optimization
It seems like the main advantage of this alternative solution is to solve the linear system in boolean instead of \(GF(q)\), but with the cost of bruteforcing 23 cases of \(m(1)\) and a small chance of failing. However, the matrix for the linear system is fixed for all cases, which means we only have to calculate the matrix inversion once, rather than 23 times. The only repeating operation would be the multiplication of a matrix (the inverted one) and a vector, which is not the bottleneck of the solution.
Furthermore, the constant terms of the linear system are the parities of
\[\frac{1}{2}(\mathbf{r}^T\mathbf{r} - \mathbf{b}^T\mathbf{b} - a_0m(1))\]
Since \(\mathbf{r}^T\mathbf{r} = r(1) = (c(1) - m(1)) / 3\),
\[\frac{1}{2}(\mathbf{r}^T\mathbf{r} - \mathbf{b}^T\mathbf{b} - a_0m(1)) \equiv \frac{1-a_0}{2}\cdot m(1) - \frac{1}{2} (\mathbf{b}^T\mathbf{b} + c(1)) \pmod{2}\]
This means that we only have to consider two cases: \(m(1)\) is odd, or \(m(1)\) is even. No more 23x overhead.
Solve script
1 | # Modified from official writeup: https://chocorusk.hatenablog.com/entry/2024/10/12/180717 |