Learning a Parallelepiped: Cryptanalysis of GGH and NTRU Signatures
 Phong Q. Nguyen,
 Oded Regev
Abstract
Lattice-based signature schemes following the Goldreich–Goldwasser–Halevi (GGH) design have the unusual property that each signature leaks information on the signer’s secret key, but this does not necessarily imply that such schemes are insecure. At Eurocrypt ’03, Szydlo proposed a potential attack by showing that the leakage reduces the key-recovery problem to that of distinguishing integral quadratic forms. He proposed a heuristic method to solve the latter problem, but it was unclear whether his method could attack real-life parameters of GGH and NTRUSign. Here, we propose an alternative method to attack signature schemes à la GGH by studying the following learning problem: given many random points uniformly distributed over an unknown n-dimensional parallelepiped, recover the parallelepiped or an approximation thereof. We transform this problem into a multivariate optimization problem that can provably be solved by a gradient descent. Our approach is very effective in practice: we present the first successful key-recovery experiments on NTRUSign-251 without perturbation, as proposed in half of the parameter choices in NTRU standards under consideration by IEEE P1363.1. Experimentally, 400 signatures are sufficient to recover the NTRUSign-251 secret key, thanks to symmetries in NTRU lattices. We are also able to recover the secret key in the signature analogue of all the GGH encryption challenges.
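The learning problem stated in the abstract, worked through in miniature as an added example (this is not code from the paper, but it follows the moment-based approach the paper describes): points drawn uniformly from a parallelepiped are morphed into a hypercube using their second moment, and gradient descent on the fourth moment over the unit sphere lands on a row of that hypercube, which is mapped back and rounded to a row of the secret basis. The 4-dimensional integer basis, the sample count, the step size and the number of restarts are assumptions chosen for the demo; real GGH/NTRUSign instances are hundreds of dimensions and need many more samples.

```python
import numpy as np

# Constructed secret basis (rows span the hidden parallelepiped); an assumption for this demo.
SECRET_V = np.array([[3, 1, -2, 0], [1, -3, 0, 2], [0, 2, 3, -1], [-2, 0, 1, 3]], dtype=float)

def sample_parallelepiped(V, m, rng):
    """Model of the leakage: m points x V with x uniform in [-1, 1]^n."""
    x = rng.uniform(-1.0, 1.0, size=(m, V.shape[0]))
    return x @ V

def morph_to_hypercube(samples):
    """Second-moment step: E[v^T v] = V^T V / 3, so G = 3 E[v^T v] estimates V^T V.
    With L L^T = G^{-1}, the points v L lie in a rotated unit hypercube (rows of V L are orthonormal)."""
    G = 3.0 * (samples.T @ samples) / len(samples)
    L = np.linalg.cholesky(np.linalg.inv(G))
    return samples @ L, L

def descend_fourth_moment(cube, rng, step=0.7, max_iter=500):
    """Descend mom4(w) = E[<c, w>^4] on the unit sphere; for a hypercube its only local minima
    are +/- the rows, so a random start converges to one of them."""
    w = rng.normal(size=cube.shape[1])
    w /= np.linalg.norm(w)
    for _ in range(max_iter):
        grad = 4.0 * ((cube @ w) ** 3) @ cube / len(cube)  # gradient of the empirical mom4
        w_new = w - step * grad
        w_new /= np.linalg.norm(w_new)  # project back onto the sphere
        converged = np.linalg.norm(w_new - w) < 1e-12
        w = w_new
        if converged:
            break
    return w

def canonical(v):
    """Remove the sign ambiguity: first nonzero coordinate positive, entries as ints."""
    sign = 1 if v[np.flatnonzero(v)[0]] > 0 else -1
    return tuple(int(t) for t in sign * v)

def recover_rows(samples, rng, tries=60):
    """Restart the descent many times; each minimum w maps back to a row of V as w L^{-1},
    which is rounded because GGH/NTRU secret bases are integral."""
    cube, L = morph_to_hypercube(samples)
    L_inv = np.linalg.inv(L)
    return sorted({canonical(np.rint(descend_fourth_moment(cube, rng) @ L_inv)) for _ in range(tries)})

def matches_secret(rows):
    """True when the recovered rows are exactly +/- the rows of SECRET_V."""
    return set(rows) == {canonical(r) for r in SECRET_V}

def run_demo(seed=0, n_samples=40000):
    rng = np.random.default_rng(seed)
    return recover_rows(sample_parallelepiped(SECRET_V, n_samples, rng), rng)
```

With 40000 samples in dimension 4 the rounding step absorbs the estimation error; in higher dimension the required sample count grows, which is the quantity the paper measures for NTRUSign-251.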
References
M. Ajtai, Generating hard instances of lattice problems, in Complexity of Computations and Proofs. Quad. Mat., vol. 13 (Dept. Math., Seconda Univ. Napoli, Caserta, 2004), pp. 1–32
N. Alon, J.H. Spencer, The Probabilistic Method (Wiley, New York, 2000)
L. Babai, On Lovász’ lattice reduction and the nearest lattice point problem. Combinatorica 6, 1–13 (1986)
Consortium for Efficient Embedded Security, Efficient embedded security standards #1: Implementation aspects of NTRUEncrypt and NTRUSign. Version 2.0, June 2003, available at http://grouper.ieee.org/groups/1363/lattPK/index.html
A. Frieze, M. Jerrum, R. Kannan, Learning linear transformations, in Proc. 37th Annual Symposium on Foundations of Computer Science (FOCS) (IEEE Comput. Soc. Press, Los Alamitos, 1996), pp. 359–368
C. Gentry, M. Szydlo, Cryptanalysis of the revised NTRU signature scheme, in Proc. of Eurocrypt ’02. LNCS, vol. 2332 (Springer, Berlin, 2002)
C. Gentry, C. Peikert, V. Vaikuntanathan, Trapdoors for hard lattices and new cryptographic constructions, in Proc. 40th ACM Symp. on Theory of Computing (STOC), pp. 197–206 (2008)
C. Gentry, J. Jonsson, J. Stern, M. Szydlo, Cryptanalysis of the NTRU signature scheme (NSS) from Eurocrypt 2001, in Proc. of Asiacrypt ’01. LNCS, vol. 2248 (Springer, Berlin, 2001)
O. Goldreich, S. Goldwasser, S. Halevi, Public-key cryptosystems from lattice reduction problems, in Proc. of Crypto ’97 (Springer, Berlin, 1997), pp. 112–131
O. Goldreich, S. Goldwasser, S. Halevi, Challenges for the GGH cryptosystem. Available at http://theory.lcs.mit.edu/~shaih/challenge.html
G. Golub, C. Van Loan, Matrix Computations (Johns Hopkins Univ. Press, Baltimore, 1996)
J. Hoffstein, J. Pipher, J.H. Silverman, NTRU: a ring based public key cryptosystem, in Proc. of ANTS III (Springer, Berlin, 1998), pp. 267–288
J. Hoffstein, J. Pipher, J.H. Silverman, NSS: An NTRU lattice-based signature scheme, in Proc. of Eurocrypt ’01. LNCS, vol. 2045 (Springer, Berlin, 2001)
J. Hoffstein, N.A. Howgrave-Graham, J. Pipher, J.H. Silverman, W. Whyte, NTRUSign: Digital signatures using the NTRU lattice. Full version of Proc. of CT-RSA. LNCS, vol. 2612. Draft of April 2, 2002, available on NTRU’s website
J. Hoffstein, N.A. Howgrave-Graham, J. Pipher, J.H. Silverman, W. Whyte, NTRUSign: Digital signatures using the NTRU lattice, in Proc. of CT-RSA. LNCS, vol. 2612 (Springer, Berlin, 2003)
J. Hoffstein, N.A. Howgrave-Graham, J. Pipher, J.H. Silverman, W. Whyte, Performance improvements and a baseline parameter generation algorithm for NTRUSign, in Proc. of Workshop on Mathematical Problems and Techniques in Cryptology (CRM, 2005), pp. 99–126
A. Hyvärinen, E. Oja, A fast fixed-point algorithm for independent component analysis. Neural Comput. 9, 1483–1492 (1997)
A. Hyvärinen, J. Karhunen, E. Oja, Independent Component Analysis (Wiley, New York, 2001)
IEEE P1363.1, Public-key cryptographic techniques based on hard problems over lattices. See http://grouper.ieee.org/groups/1363/lattPK/index.html, June 2003
P. Klein, Finding the closest lattice vector when it’s unusually close, in Proc. of SODA ’00 (ACM–SIAM, 2000)
V. Lyubashevsky, D. Micciancio, Asymptotically efficient lattice-based digital signatures, in Fifth Theory of Cryptography Conference (TCC). LNCS, vol. 4948 (Springer, Berlin, 2008)
R. McEliece, A public-key cryptosystem based on algebraic number theory. Technical report, Jet Propulsion Laboratory, 1978. DSN Progress Report 42-44
D. Micciancio, Improving lattice-based cryptosystems using the Hermite normal form, in Proc. of CALC ’01. LNCS, vol. 2146 (Springer, Berlin, 2001)
D. Micciancio, Cryptographic functions from worst-case complexity assumptions. Survey paper prepared for the LLL+25 conference. To appear
D. Micciancio, S. Goldwasser, Complexity of Lattice Problems: A Cryptographic Perspective (Kluwer Academic, Boston, 2002)
D. Micciancio, O. Regev, Lattice-based cryptography, in Post-Quantum Cryptography, ed. by D.J. Bernstein, J. Buchmann (Springer, Berlin, 2008)
D. Micciancio, S. Vadhan, Statistical zero-knowledge proofs with efficient provers: lattice problems and more, in Proc. of Crypto ’03 (Springer, Berlin, 2003), pp. 282–298
M. Naor, M. Yung, Universal one-way hash functions and their cryptographic applications, in Proc. 21st ACM Symp. on Theory of Computing (STOC), pp. 33–43 (1989)
P.Q. Nguyen, Cryptanalysis of the Goldreich–Goldwasser–Halevi cryptosystem from Crypto ’97, in Proc. of Crypto ’99 (Springer, Berlin, 1999), pp. 288–304
P.Q. Nguyen, O. Regev, Learning a parallelepiped: Cryptanalysis of GGH and NTRU signatures, in Proc. of Eurocrypt ’06 (Springer, Berlin, 2006), pp. 215–233
P.Q. Nguyen, J. Stern, The two faces of lattices in cryptology, in Proc. of CALC ’01. LNCS, vol. 2146 (Springer, Berlin, 2001)
O. Regev, Lattice-based cryptography, in Proc. of Crypto ’06 (Springer, Berlin, 2006), pp. 131–141
C.P. Schnorr, M. Euchner, Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66, 181–199 (1994)
V. Shoup, NTL: A library for doing number theory. Available at http://www.shoup.net/ntl/
M. Szydlo, Hypercubic lattice reduction and analysis of GGH and NTRU signatures, in Proc. of Eurocrypt ’03. LNCS, vol. 2656 (Springer, Berlin, 2003)
W. Whyte, Improved NTRUSign transcript analysis. Presentation at the rump session of Eurocrypt ’06, May 30, 2006
Title
Learning a Parallelepiped: Cryptanalysis of GGH and NTRU Signatures
Journal
Journal of Cryptology, Volume 22, Issue 2, pp. 139–160
Cover Date
2009-04-01
DOI
10.1007/s00145-008-9031-0
Print ISSN
0933-2790
Online ISSN
1432-1378
Publisher
Springer-Verlag
Keywords
GGH; NTRUSign; Lattices; Moment; Gradient descent; Public-key cryptanalysis
Authors
Phong Q. Nguyen (1)
Oded Regev (2)
Author Affiliations
1. INRIA & École Normale Supérieure, DI, 45 rue d’Ulm, 75005, Paris, France
2. School of Computer Science, Tel-Aviv University, Tel-Aviv, 69978, Israel