Learning a parallelepiped: Cryptanalysis of GGH and NTRU signatures

Phong Q. Nguyen, Oded Regev

Research output: Contribution to journal › Article

Abstract

Lattice-based signature schemes following the Goldreich-Goldwasser-Halevi (GGH) design have the unusual property that each signature leaks information on the signer's secret key, but this does not necessarily imply that such schemes are insecure. At Eurocrypt '03, Szydlo proposed a potential attack by showing that the leakage reduces the key-recovery problem to that of distinguishing integral quadratic forms. He proposed a heuristic method to solve the latter problem, but it was unclear whether his method could attack real-life parameters of GGH and NTRUSign. Here, we propose an alternative method to attack signature schemes à la GGH by studying the following learning problem: given many random points uniformly distributed over an unknown n-dimensional parallelepiped, recover the parallelepiped or an approximation thereof. We transform this problem into a multivariate optimization problem that can provably be solved by a gradient descent. Our approach is very effective in practice: we present the first successful key-recovery experiments on NTRUSign-251 without perturbation, as proposed in half of the parameter choices in NTRU standards under consideration by IEEE P1363.1. Experimentally, 400 signatures are sufficient to recover the NTRUSign-251 secret key, thanks to symmetries in NTRU lattices. We are also able to recover the secret key in the signature analogue of all the GGH encryption challenges.

Original language: English (US)
Pages (from-to): 139-160
Number of pages: 22
Journal: Journal of Cryptology
Volume: 22
Issue number: 2
DOIs: 10.1007/s00145-008-9031-0
State: Published - Apr 2009

Keywords

  • GGH
  • Gradient descent
  • Lattices
  • Moment
  • NTRUSign
  • Public-key cryptanalysis

ASJC Scopus subject areas

  • Applied Mathematics
  • Computer Science Applications
  • Software

Cite this

Learning a parallelepiped: Cryptanalysis of GGH and NTRU signatures. / Nguyen, Phong Q.; Regev, Oded.

In: Journal of Cryptology, Vol. 22, No. 2, 04.2009, p. 139-160.

@article{96990560768240f88162d9f48bc90635,
title = "Learning a parallelepiped: Cryptanalysis of GGH and NTRU signatures",
keywords = "GGH, Gradient descent, Lattices, Moment, NTRUSign, Public-key cryptanalysis",
author = "Nguyen, {Phong Q.} and Oded Regev",
year = "2009",
month = "4",
doi = "10.1007/s00145-008-9031-0",
language = "English (US)",
volume = "22",
pages = "139--160",
journal = "Journal of Cryptology",
issn = "0933-2790",
publisher = "Springer New York",
number = "2",

}

TY - JOUR

T1 - Learning a parallelepiped

T2 - Cryptanalysis of GGH and NTRU signatures

AU - Nguyen, Phong Q.

AU - Regev, Oded

PY - 2009/4

Y1 - 2009/4

AB - Lattice-based signature schemes following the Goldreich-Goldwasser-Halevi (GGH) design have the unusual property that each signature leaks information on the signer's secret key, but this does not necessarily imply that such schemes are insecure. At Eurocrypt '03, Szydlo proposed a potential attack by showing that the leakage reduces the key-recovery problem to that of distinguishing integral quadratic forms. He proposed a heuristic method to solve the latter problem, but it was unclear whether his method could attack real-life parameters of GGH and NTRUSign. Here, we propose an alternative method to attack signature schemes à la GGH by studying the following learning problem: given many random points uniformly distributed over an unknown n-dimensional parallelepiped, recover the parallelepiped or an approximation thereof. We transform this problem into a multivariate optimization problem that can provably be solved by a gradient descent. Our approach is very effective in practice: we present the first successful key-recovery experiments on NTRUSign-251 without perturbation, as proposed in half of the parameter choices in NTRU standards under consideration by IEEE P1363.1. Experimentally, 400 signatures are sufficient to recover the NTRUSign-251 secret key, thanks to symmetries in NTRU lattices. We are also able to recover the secret key in the signature analogue of all the GGH encryption challenges.

KW - GGH

KW - Gradient descent

KW - Lattices

KW - Moment

KW - NTRUSign

KW - Public-key cryptanalysis

UR - http://www.scopus.com/inward/record.url?scp=64249149689&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=64249149689&partnerID=8YFLogxK

U2 - 10.1007/s00145-008-9031-0

DO - 10.1007/s00145-008-9031-0

M3 - Article

VL - 22

SP - 139

EP - 160

JO - Journal of Cryptology

JF - Journal of Cryptology

SN - 0933-2790

IS - 2

ER -