, Volume 22, Issue 2, pp 139160
Learning a Parallelepiped: Cryptanalysis of GGH and NTRU Signatures
 Phong Q. NguyenAffiliated withINRIA & École Normale Supérieure, DI
 , Oded RegevAffiliated withSchool of Computer Science, TelAviv University
Rent the article at a discount
Rent now* Final gross prices may vary according to local VAT.
Get AccessAbstract
Latticebased signature schemes following the Goldreich–Goldwasser–Halevi (GGH) design have the unusual property that each signature leaks information on the signer’s secret key, but this does not necessarily imply that such schemes are insecure. At Eurocrypt ’03, Szydlo proposed a potential attack by showing that the leakage reduces the keyrecovery problem to that of distinguishing integral quadratic forms. He proposed a heuristic method to solve the latter problem, but it was unclear whether his method could attack reallife parameters of GGH and NTRUSign. Here, we propose an alternative method to attack signature schemes à la GGH by studying the following learning problem: given many random points uniformly distributed over an unknown ndimensional parallelepiped, recover the parallelepiped or an approximation thereof. We transform this problem into a multivariate optimization problem that can provably be solved by a gradient descent. Our approach is very effective in practice: we present the first successful keyrecovery experiments on NTRUSign251 without perturbation, as proposed in half of the parameter choices in NTRU standards under consideration by IEEE P1363.1. Experimentally, 400 signatures are sufficient to recover the NTRUSign251 secret key, thanks to symmetries in NTRU lattices. We are also able to recover the secret key in the signature analogue of all the GGH encryption challenges.
Keywords
GGH NTRUSign Lattices Moment Gradient descent Publickey cryptanalysis Title
 Learning a Parallelepiped: Cryptanalysis of GGH and NTRU Signatures
 Journal

Journal of Cryptology
Volume 22, Issue 2 , pp 139160
 Cover Date
 200904
 DOI
 10.1007/s0014500890310
 Print ISSN
 09332790
 Online ISSN
 14321378
 Publisher
 SpringerVerlag
 Additional Links
 Topics
 Keywords

 GGH
 NTRUSign
 Lattices
 Moment
 Gradient descent
 Publickey cryptanalysis
 Industry Sectors
 Authors

 Phong Q. Nguyen ^{(1)}
 Oded Regev ^{(2)}
 Author Affiliations

 1. INRIA & École Normale Supérieure, DI, 45 rue d’Ulm, 75005, Paris, France
 2. School of Computer Science, TelAviv University, TelAviv, 69978, Israel