Lattice attack on group ring NTRU: The case of the dihedral group

TL;DR

This paper demonstrates a lattice attack on group ring NTRU schemes based on dihedral groups, showing that nonabelian groups do not necessarily enhance security and providing explicit lattice reduction methods with experimental validation.

Contribution

The paper introduces a concrete lattice attack on dihedral group ring NTRU, explicitly performing lattice reduction without relying on representation theory, and validates it with experiments.

Findings

Dihedral groups do not guarantee better security against lattice attacks.

Private keys can be recovered by solving SVP in reduced-dimension lattices.

Explicit lattice reduction techniques are effective without using structure theorems.

Abstract

Group ring NTRU (GR-NTRU) provides a general structure to design different variants of NTRU-like schemes by employing different groups. Although, most of the schemes in literature are built over cyclic groups, nonabelian groups can also be used. Coppersmith and Shamir in 1997 have suggested that noncommutativity may result in better security against some lattice attacks for some groups. Lattice attacks on the public key of NTRU-like cryptosystems try to retrieve the private key by solving the shortest vector problem (SVP) or its approximation in a lattice of a certain dimension, assuming the knowledge of the public key only. This paper shows that dihedral groups do not guarantee better security against this class of attacks. We prove that retrieving the private key is possible by solving the SVP in two lattices with half the dimension of the original lattice generated for GR-NTRU based on dihedral groups. The possibility of such an attack was mentioned by Yasuda et al.(IACR/2015/1170). In contrast to their proposed approach, we explicitly provide the lattice reduction without any structure theorem from the representation theory for finite groups. Furthermore, we demonstrate the effectiveness of our technique with experimental results.