Hypercubic Lattice Reduction and Analysis of GGH and NTRU Signatures

  • Michael Szydlo
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2656)


In this paper, we introduce a new lattice reduction technique applicable to the narrow, but important class of Hypercubic lattices, (L ≅ ℤN). Hypercubic lattices arise during transcript analysis of certain GGH, and NTRUSign signature schemes. After a few thousand signatures, key recovery amounts to discovering a hidden unitary matrix U, from its Gram matrix G = UU T . This case of the Gram Matrix Factorization Problem is equivalent to finding the shortest vectors in the hypercubic lattice, L G , defined by the quadratic form G. Our main result is a polynomial-time reduction to a conjecturally easier problem: the Lattice Distinguishing Problem. Additionally, we propose a heuristic solution to this distinguishing problem with a distributed computation of many “relatively short” vectors.


Lattice Isomorphism Lattice Distinguishing Oracle Distributed Lattice Reduction Decisional Lattice Problem Gram Matrix Factorization Integral Lattice Embedding Orthogonal Lattice GGH Cryptanalysis NTRUSign 


  1. 1.
    M. Ajtai, The shortest vector problem in L 2 is NP-hard for randomized reductions, in Proc. 30th ACM Symposium on Theory of Computing, 1998, 10–19.Google Scholar
  2. 2.
    H. Cohen, A Course in Computational Algebraic Number Theory, Graduate Texts in Mathematics, 138. Springer, 1993.Google Scholar
  3. 3.
    D. Coppersmith and A. Shamir, Lattice Attacks on NTRU, in Proc. of Eurocrypt’ 97, LNCS 1233, pages 52–61. Springer-Verlag, 1997.Google Scholar
  4. 4.
    I. Dinur, G. Kindler, S. Safra, Approximating CVP to within almost-polynomial factors is NP-hard, in Proc. 39th Symposium on Foundations of Computer Science, pages 99–109, 1998.Google Scholar
  5. 5.
    N. Elkies, Lattices, Linear Codes, and Invariants, in Notices of the American Math. Society, 47 pages 1238–1245, Cambridge University Press, 2000.zbMATHMathSciNetGoogle Scholar
  6. 6.
    O. Goldreich and S. Goldwasser, On the Limits of Non-Approximability of Lattice, In Proc. of the 13th ACM Symposium on the Theory of Computing, 1998.Google Scholar
  7. 7.
    O. Goldreich, D. Micciancio, S. Safra, J.P. Seifert, Using Lattice Problem in Cryptography, 1999.Google Scholar
  8. 8.
    C. Gentry, J. Jonsson, J. Stern, M. Szydlo, Cryptanalysis of the NTRU signature scheme, in Proc. of Asiacrypt’ 01, LNCS 2248, pages 1–20. Springer-Verlag, 2001.Google Scholar
  9. 9.
    O. Goldreich, D. Micciancio, S. Safra, J.P. Seifert, Approximating shortest lattice vectors is not harder than approximating closest lattice vectors, Electronic Colloquium on Computational Complexity, 1999.Google Scholar
  10. 10.
    C. Gentry, M. Szydlo, Cryptanalysis of the Revised NTRU signature scheme, in Proc. of Eurocrypt’ 02, LNCS 2332, pages 299–320. Springer-Verlag, 2002.Google Scholar
  11. 11.
    O. Goldreich, S. Goldwasser, S. Halevi, Public-key Cryptography from Lattice Reduction Problems, in Proc. of Crypto’ 97, LNCS 1294, pages 112–131. Springer-Verlag, 1997.Google Scholar
  12. 12.
    J. Hoffstein, N. Howgrave-Graham, J. Pipher, J.H. Silverman, W. Whyte, NTRUSign: Digital Signatures Using the NTRU Lattice, December, 2001. Available from
  13. 13.
    J. Hoffstein, B.S. Kaliski, D. Lieman, M.J.B. Robshaw, Y.L. Yin, Secure user identification based on constrained polynomials, US Patent 6,076,163, June 13, 2000.Google Scholar
  14. 14.
    J. Hoffstein, D. Lieman, J.H. Silverman, Polynomial Rings and Efficient Public Key Authentication, in Proc. International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC’ 99), Hong Kong, (M. Blum and C.H. Lee, eds.), City University of Hong Kong Press.Google Scholar
  15. 15.
    J. Hoffstein, J. Pipher, J.H. Silverman. Enhanced encoding and verification methods for the NTRU signature scheme (ver. 2), May 30, 2001. Available from
  16. 16.
    J. Hoffstein, J. Pipher, J.H. Silverman, NSS: The NTRU Signature Scheme, preprint, November 2000. Available from
  17. 17.
    J. Hoffstein, J. Pipher, J.H. Silverman, NSS: The NTRU Signature Scheme, in Proc. of Eurocrypt’ 01, LNCS 2045, pages 211–228. Springer-Verlag, 2001.Google Scholar
  18. 18.
    J. Hoffstein, J. Pipher, J.H. Silverman, NSS: The NTRU Signature Scheme: Theory and Practice, preprint, 2001. Available from
  19. 19.
    J. Hoffstein, J. Pipher and J.H. Silverman, NTRU: A New High Speed Public Key Cryptosystem, in Proc. of Algorithm Number Theory (ANTS III), LNCS 1423, pages 267–288. Springer-Verlag, 1998.CrossRefGoogle Scholar
  20. 20.
    A.K. Lenstra, H.W. Lenstra Jr., L. Lovász, Factoring Polynomials with Rational Coefficients, Mathematische Ann. 261 (1982), 513–534.Google Scholar
  21. 21.
    D. Micciancio, The Shortest Vector in a Lattice is Hard to Approximate to within Some Constant, in Proc. 39th Symposium on Foundations of Computer Science, 1998, 92–98.Google Scholar
  22. 22.
    P. Nguyen, Cryptanalysis of the Goldreich-Goldwasser-Halevi Cryptosystem from Crypto’ 97, 1999Google Scholar
  23. 23.
    P. Nguyen and J. Stern, Lattice Reduction in Cryptology: An Update, in Proc. of Algorithm Number Theory (ANTS IV), LNCS 1838, pages 85–112. Springer-Verlag, 2000.CrossRefGoogle Scholar
  24. 24.
    C.-P. Schnorr, A Hierarchy of Polynomial Time Lattice Basis Reduction Algorithms, Theoretical Computer Science 53 (1987), 201–224.zbMATHCrossRefMathSciNetGoogle Scholar
  25. 25.
    J.H. Silverman, Estimated Breaking Times for NTRU Lattices, NTRU Technical Note #012, March 1999. Available from
  26. 26.
    L. Washington, Introduction to Cyclotomic Fields, Graduate Texts in Mathematics 83, 1982.Google Scholar
  27. 27.
    Consortium for Efficient Embedded Security. Efficient Embedded Security Standard (EESS) # 1: Draft 3.0. Available from

Copyright information

© International Association for Cryptologic Research 2003

Authors and Affiliations

  • Michael Szydlo
    • 1
  1. 1.RSA LaboratoriesBedfordUSA

Personalised recommendations