Learning a parallelepiped: Cryptanalysis of GGH and NTRU signatures

Phong Q. Nguyen, Oded Regev

Research output: Chapter in Book/Report/Conference proceeding - Conference contribution

Abstract

Lattice-based signature schemes following the Goldreich-Goldwasser-Halevi (GGH) design have the unusual property that each signature leaks information on the signer's secret key, but this does not necessarily imply that such schemes are insecure. At Eurocrypt '03, Szydlo proposed a potential attack by showing that the leakage reduces the key-recovery problem to that of distinguishing integral quadratic forms. He proposed a heuristic method to solve the latter problem, but it was unclear whether his method could attack real-life parameters of GGH and NTRUSIGN. Here, we propose an alternative method to attack signature schemes à la GGH, by studying the following learning problem: given many random points uniformly distributed over an unknown n-dimensional parallelepiped, recover the parallelepiped or an approximation thereof. We transform this problem into a multivariate optimization problem that can be solved by a gradient descent. Our approach is very effective in practice: we present the first successful key-recovery experiments on NTRUSIGN-251 without perturbation, as proposed in half of the parameter choices in NTRU standards under consideration by IEEE P1363.1. Experimentally, 90,000 signatures are sufficient to recover the NTRUSIGN-251 secret key. We are also able to recover the secret key in the signature analogue of all the GGH encryption challenges, using a number of signatures which is roughly quadratic in the lattice dimension.

Original language: English (US)
Title of host publication: Advances in Cryptology - EUROCRYPT 2006 - 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings
Pages: 271-288
Number of pages: 18
Volume: 4004 LNCS
State: Published - 2006
Event: 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2006 - St. Petersburg, Russian Federation
Duration: May 28 2006 - Jun 1 2006

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 4004 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2006
Country: Russian Federation
City: St. Petersburg
Period: 5/28/06 - 6/1/06

ASJC Scopus subject areas

  • Computer Science(all)
  • Biochemistry, Genetics and Molecular Biology(all)
  • Theoretical Computer Science

Cite this

Nguyen, P. Q., & Regev, O. (2006). Learning a parallelepiped: Cryptanalysis of GGH and NTRU signatures. In Advances in Cryptology - EUROCRYPT 2006 - 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings (Vol. 4004 LNCS, pp. 271-288). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 4004 LNCS).

@inproceedings{48c1b08403b04717b98d21cec5e1fe5a,
title = "Learning a parallelepiped: Cryptanalysis of GGH and NTRU signatures",
author = "Nguyen, {Phong Q.} and Oded Regev",
year = "2006",
language = "English (US)",
isbn = "3540345469",
volume = "4004 LNCS",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
pages = "271--288",
booktitle = "Advances in Cryptology - EUROCRYPT 2006 - 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings",

}

TY - GEN

T1 - Learning a parallelepiped

T2 - Cryptanalysis of GGH and NTRU signatures

AU - Nguyen, Phong Q.

AU - Regev, Oded

PY - 2006

Y1 - 2006

UR - http://www.scopus.com/inward/record.url?scp=33746038898&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=33746038898&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:33746038898

SN - 3540345469

SN - 9783540345466

VL - 4004 LNCS

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 271

EP - 288

BT - Advances in Cryptology - EUROCRYPT 2006 - 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings

ER -