Learning a Parallelepiped: Cryptanalysis of GGH and NTRU Signatures

  • Phong Q. Nguyen
  • Oded Regev
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4004)


Lattice-based signature schemes following the Goldreich- Goldwasser-Halevi (GGH) design have the unusual property that each signature leaks information on the signer’s secret key, but this does not necessarily imply that such schemes are insecure. At Eurocrypt ’03, Szydlo proposed a potential attack by showing that the leakage reduces the key-recovery problem to that of distinguishing integral quadratic forms. He proposed a heuristic method to solve the latter problem, but it was unclear whether his method could attack real-life parameters of GGH and NTRU Cryptosystemssign. Here, we propose an alternative method to attack signature schemes à la GGH, by studying the following learning problem: given many random points uniformly distributed over an unknown n-dimensional parallelepiped, recover the parallelepiped or an approximation thereof. We transform this problem into a multivariate optimization problem that can be solved by a gradient descent. Our approach is very effective in practice: we present the first succesful key-recovery experiments on NTRU Cryptosystemssign-251 without perturbation, as proposed in half of the parameter choices in NTRU standards under consideration by IEEE P1363.1. Experimentally, 90,000 signatures are sufficient to recover the NTRU Cryptosystemssign-251 secret key. We are also able to recover the secret key in the signature analogue of all the GGH encryption challenges, using a number of signatures which is roughly quadratic in the lattice dimension.


Independent Component Analysis Gradient Descent Signature Scheme Independent Component Analysis Fourth Moment 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Ajtai, M.: Generating hard instances of lattice problems. In: Proc. of 28th STOC, pp. 99–108. ACM, New York (1996)Google Scholar
  2. 2.
    Alon, N., Spencer, J.H.: The probabilistic method, 2nd edn. Wiley-Interscience [John Wiley & Sons], New York (2000)CrossRefzbMATHGoogle Scholar
  3. 3.
    Babai, L.: On Lovász lattice reduction and the nearest lattice point problem. Combinatorica 6, 1–13 (1986)MathSciNetCrossRefzbMATHGoogle Scholar
  4. 4.
    Consortium for Efficient Embedded Security. Efficient embedded security standards #1: Implementation aspects of NTRUEncrypt and NTRUSign. Version 2.0 available at [18] (June 2003)Google Scholar
  5. 5.
    Frieze, A., Jerrum, M., Kannan, R.: Learning linear transformations. In: 37th Annual Symposium on Foundations of Computer Science (Burlington, VT, 1996), pp. 359–368. IEEE Comput. Soc. Press, Los Alamitos (1996)Google Scholar
  6. 6.
    Gentry, C., Jonsson, J., Stern, J., Szydlo, M.: Cryptanalysis of the NTRU signature scheme (NSS) from Eurocrypt 2001. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, p. 1. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  7. 7.
    Gentry, C., Szydlo, M.: Cryptanalysis of the revised NTRU signature scheme. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, p. 299. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  8. 8.
    Goldreich, O., Goldwasser, S., Halevi, S.: Challenges for the GGH cryptosystem, available at:
  9. 9.
    Goldreich, O., Goldwasser, S., Halevi, S.: Public-key cryptosystems from lattice reduction problems. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 112–131. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  10. 10.
    Golub, G., van Loan, C.: Matrix Computations. Johns Hopkins Univ. Press, Baltimore (1996)zbMATHGoogle Scholar
  11. 11.
    Hoffstein, J., Howgrave Graham, N.A., Pipher, J., Silverman, J.H., Whyte, W.: NTRUSIGN: Digital signatures using the NTRU lattice. Full version of [12]. Draft of available on NTRU’s website, April 2 (2002)Google Scholar
  12. 12.
    Hoffstein, J., Howgrave Graham, N.A., Pipher, J., Silverman, J.H., Whyte, W.: NTRUSIGN: Digital signatures using the NTRU lattice. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 122–140. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  13. 13.
    Hoffstein, J., Howgrave Graham, N.A., Pipher, J., Silverman, J.H., Whyte, W.: Performances improvements and a baseline parameter generation algorithm for NTRUsign. In: Proc. of Workshop on Mathematical Problems and Techniques in Cryptology, pp. 99–126. CRM (2005)Google Scholar
  14. 14.
    Hoffstein, J., Pipher, J., Silverman, J.H.: NSS: An NTRU lattice-based signature scheme. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, p. 211. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  15. 15.
    Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  16. 16.
    Hyvärinen, A., Karhunen, J., Oja, E.: Independent Component Analysis. John Wiley & Sons, Chichester (2001)CrossRefGoogle Scholar
  17. 17.
    Hyvärinen, A., Oja, E.: A fast fixed-point algorithm for independent component analysis. Neural Computation 9(7), 1483–1492 (1997)CrossRefGoogle Scholar
  18. 18.
    IEEE P1363.1. Public-key cryptographic techniques based on hard problems over lattices (June 2003),
  19. 19.
    McEliece, R.J.: A public-key cryptosystem based on algebraic number theory. Technical report, Jet Propulsion Laboratory, DSN Progress Report 42–44 (1978)Google Scholar
  20. 20.
    Micciancio, D.: Improving lattice-based cryptosystems using the Hermite normal form. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, p. 126. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  21. 21.
    Micciancio, D., Goldwasser, S.: Complexity of Lattice Problems: A Cryptographic Perspective. In: The Kluwer International Series in Engineering and Computer Science, vol. 671. Kluwer Academic Publishers, Boston (2002)Google Scholar
  22. 22.
    Nguyen, P.Q.: Cryptanalysis of the Goldreich-Goldwasser-Halevi cryptosystem from Crypto 1997. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 288–304. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  23. 23.
    Nguyen, P.Q., Stern, J.: The two faces of lattices in cryptology. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, p. 146. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  24. 24.
    Shoup, V.: NTL: A library for doing number theory. available at:
  25. 25.
    Szydlo, M.: Hypercubic lattice reduction and analysis of GGH and NTRU signatures. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656. Springer, Heidelberg (2003)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Phong Q. Nguyen
    • 1
  • Oded Regev
    • 2
  1. 1.CNRS & École normale supérieure, DIParisFrance
  2. 2.Department of Computer ScienceTel-Aviv UniversityTel-AvivIsrael

Personalised recommendations