Journal of Cryptology, Volume 22, Issue 2, pp 139–160

Learning a Parallelepiped: Cryptanalysis of GGH and NTRU Signatures

  • Phong Q. Nguyen
  • Oded Regev
Article

Abstract

Lattice-based signature schemes following the Goldreich–Goldwasser–Halevi (GGH) design have the unusual property that each signature leaks information on the signer’s secret key, but this does not necessarily imply that such schemes are insecure. At Eurocrypt ’03, Szydlo proposed a potential attack by showing that the leakage reduces the key-recovery problem to that of distinguishing integral quadratic forms. He proposed a heuristic method to solve the latter problem, but it was unclear whether his method could attack real-life parameters of GGH and NTRUSign. Here, we propose an alternative method to attack signature schemes à la GGH by studying the following learning problem: given many random points uniformly distributed over an unknown n-dimensional parallelepiped, recover the parallelepiped or an approximation thereof. We transform this problem into a multivariate optimization problem that can provably be solved by a gradient descent. Our approach is very effective in practice: we present the first successful key-recovery experiments on NTRUSign-251 without perturbation, as proposed in half of the parameter choices in NTRU standards under consideration by IEEE P1363.1. Experimentally, 400 signatures are sufficient to recover the NTRUSign-251 secret key, thanks to symmetries in NTRU lattices. We are also able to recover the secret key in the signature analogue of all the GGH encryption challenges.
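The learning problem described above, reduced to a toy instance as an added example (this is not code from the paper or its authors). It assumes a constructed 3-dimensional integer basis V, models each leaked signature as s = x·V with x uniform in [-1, 1]^3 (the unperturbed setting the abstract refers to), estimates the Gram matrix V^T V from 3·E[s^T s], whitens the samples by a Cholesky factor, and then runs the fourth-moment gradient descent on the unit sphere with the step 0.7; every function name here is the example's own.

```python
"""Toy run of the 'learning a parallelepiped' attack in dimension 3.

Added example, not code from the paper: signatures are modelled as s = x*V
with x uniform in [-1,1]^n and V a constructed integer basis, so the samples
are uniform over the parallelepiped spanned by the rows of V.
"""
import math
import random

# Constructed secret basis for the demo (rows are the secret vectors); an assumption.
SECRET_BASIS = [[2, 1, 0], [-1, 2, 1], [1, 0, 2]]

def normalize(w):
    norm = math.sqrt(sum(c * c for c in w))
    return [c / norm for c in w]

def sample_signatures(V, count, rng):
    """Constructed leakage: s = x*V with x uniform in [-1,1]^n (no perturbation)."""
    n = len(V)
    out = []
    for _ in range(count):
        x = [rng.uniform(-1.0, 1.0) for _ in range(n)]
        out.append([sum(x[i] * V[i][j] for i in range(n)) for j in range(n)])
    return out

def empirical_gram(points):
    """3 * E[s^T s] estimates the Gram matrix V^T V of the secret basis."""
    n = len(points[0])
    G = [[0.0] * n for _ in range(n)]
    for s in points:
        for j in range(n):
            for k in range(n):
                G[j][k] += s[j] * s[k]
    return [[3.0 * g / len(points) for g in row] for row in G]

def cholesky(G):
    """Lower-triangular R with R R^T = G (G symmetric positive definite)."""
    n = len(G)
    R = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            acc = G[i][j] - sum(R[i][k] * R[j][k] for k in range(j))
            R[i][j] = math.sqrt(acc) if i == j else acc / R[j][j]
    return R

def whiten(R, s):
    """s' = s R^{-T} by forward substitution; whitened samples fill a rotated hypercube."""
    y = [0.0] * len(R)
    for i in range(len(R)):
        y[i] = (s[i] - sum(R[i][k] * y[k] for k in range(i))) / R[i][i]
    return y

def fourth_moment_and_gradient(points, w):
    """mom4(w) = E[<p,w>^4] and its gradient 4*E[<p,w>^3 p] over the whitened points."""
    n = len(w)
    mom, grad = 0.0, [0.0] * n
    for p in points:
        d = sum(p[i] * w[i] for i in range(n))
        d3 = d * d * d
        mom += d3 * d
        for i in range(n):
            grad[i] += d3 * p[i]
    return mom / len(points), [4.0 * g / len(points) for g in grad]

def descend(points, w, step=0.7, max_iter=60):
    """Gradient descent on the unit sphere; minima of mom4 are +/- whitened secret rows."""
    best_w, best_mom = w, float("inf")
    for _ in range(max_iter):
        mom, grad = fourth_moment_and_gradient(points, w)
        if mom < best_mom:
            best_w, best_mom = w, mom
        w_new = normalize([wi - step * gi for wi, gi in zip(w, grad)])
        if sum((a - b) ** 2 for a, b in zip(w_new, w)) < 1e-20:
            break  # converged to a fixed point of the iteration
        w = w_new
    return best_w

def canonical_sign(row):
    """Representative of {v, -v}: first nonzero entry made positive."""
    for c in row:
        if c != 0:
            return tuple(row) if c > 0 else tuple(-x for x in row)
    return tuple(row)

def recover_secret_rows(signatures, starts, rng):
    """Whiten, descend from random unit vectors, undo the whitening (v = w R^T), round."""
    n = len(signatures[0])
    R = cholesky(empirical_gram(signatures))
    whitened = [whiten(R, s) for s in signatures]
    found = set()
    for _ in range(starts):
        w = descend(whitened, normalize([rng.gauss(0.0, 1.0) for _ in range(n)]))
        v = [sum(w[i] * R[j][i] for i in range(n)) for j in range(n)]
        found.add(canonical_sign([round(c) for c in v]))
    return found

def run_demo(seed=1, samples=5000, starts=6):
    """Returns (rows recovered from the leak, the true rows up to sign)."""
    rng = random.Random(seed)
    found = recover_secret_rows(sample_signatures(SECRET_BASIS, samples, rng), starts, rng)
    return found, {canonical_sign(r) for r in SECRET_BASIS}
```

Calling run_demo() returns the rows the descent recovered together with the true rows; each recovered row is a row of the constructed basis up to sign (a few thousand samples suffice in dimension 3, far fewer relative to the size of the key than the 400 signatures the abstract reports for NTRUSign-251). The recovery relies on the samples being exactly uniform over the parallelepiped, which is what the perturbation mentioned in the abstract is meant to break.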

Keywords

GGH, NTRUSign, Lattices, Moment, Gradient descent, Public-key cryptanalysis



Copyright information

© International Association for Cryptologic Research 2008

Authors and Affiliations

  • Phong Q. Nguyen (1)
  • Oded Regev (2)
  1. INRIA & École Normale Supérieure, DI, Paris, France
  2. School of Computer Science, Tel-Aviv University, Tel-Aviv, Israel
