Learning a Parallelepiped: Cryptanalysis of GGH and NTRU Signatures

Lattice-based signature schemes following the Goldreich- Goldwasser-Halevi (GGH) design have the unusual property that each signature leaks information on the signer's secret key, but this does not necessarily imply that such schemes are insecure. At Eurocrypt '03, Szydlo proposed a potential attack by showing that the leakage reduces the key-recovery problem to that of distinguishing integral quadratic forms. He proposed a heuristic method to solve the latter problem, but it was unclear whether his method could attack real-life parameters of GGH and NTRU Cryptosystemssign. Here, we propose an alternative method to attack signature schemes a la GGH, by studying the following learning problem: given many random points uniformly distributed over an unknown n-dimensional parallelepiped, recover the parallelepiped or an approximation thereof. We transform this problem into a multivariate optimization problem that can be solved by a gradient descent. Our approach is very effective in practice: we present the first succesful key-recovery experiments on NTRU Cryptosystemssign-251 without perturbation, as proposed in half of the parameter choices in NTRU standards under consideration by IEEE P1363.1. Experimentally, 90,000 signatures are sufficient to recover the NTRU Cryptosystemssign-251 secret key. We are also able to recover the secret key in the signature analogue of all the GGH encryption challenges, using a number of signatures which is roughly quadratic in the lattice dimension.

[1]  Claus-Peter Schnorr,et al.  Lattice basis reduction: Improved practical algorithms and solving subset sum problems , 1991, FCT.

[2]  Joseph H. Silverman,et al.  NSS: An NTRU Lattice-Based Signature Scheme , 2001, EUROCRYPT.

[3]  Noga Alon,et al.  The Probabilistic Method, Second Edition , 2004 .

[4]  Craig Gentry,et al.  Cryptanalysis of the NTRU Signature Scheme (NSS) from Eurocrypt 2001 , 2001, ASIACRYPT.

[5]  Joseph H. Silverman,et al.  NTRU: A Ring-Based Public Key Cryptosystem , 1998, ANTS.

[6]  Jacques Stern,et al.  The Two Faces of Lattices in Cryptology , 2001, CaLC.

[7]  Aapo Hyvärinen,et al.  A Fast Fixed-Point Algorithm for Independent Component Analysis , 1997, Neural Computation.

[8]  Oded Goldreich,et al.  Public-Key Cryptosystems from Lattice Reduction Problems , 1996, CRYPTO.

[9]  Miklós Ajtai,et al.  Generating Hard Instances of Lattice Problems , 1996, Electron. Colloquium Comput. Complex..

[10]  Philip N. Klein,et al.  Finding the closest lattice vector when it's unusually close , 2000, SODA '00.

[11]  Daniele Micciancio,et al.  Improving Lattice Based Cryptosystems Using the Hermite Normal Form , 2001, CaLC.

[12]  E. Oja,et al.  Independent Component Analysis , 2013 .

[13]  Craig Gentry,et al.  Cryptanalysis of the Revised NTRU Signature Scheme , 2002, EUROCRYPT.

[14]  Noga Alon,et al.  The Probabilistic Method , 2015, Fundamentals of Ramsey Theory.

[15]  László Babai,et al.  On Lovász’ lattice reduction and the nearest lattice point problem , 1986, Comb..

[16]  Daniele Micciancio,et al.  Statistical Zero-Knowledge Proofs with Efficient Provers: Lattice Problems and More , 2003, CRYPTO.

[17]  Gene H. Golub,et al.  Matrix computations , 1983 .

[18]  Moni Naor,et al.  Universal one-way hash functions and their cryptographic applications , 1989, STOC '89.

[19]  Craig Gentry,et al.  Trapdoors for hard lattices and new cryptographic constructions , 2008, IACR Cryptol. ePrint Arch..

[20]  Shafi Goldwasser,et al.  Complexity of lattice problems - a cryptographic perspective , 2002, The Kluwer international series in engineering and computer science.

[21]  Michael Szydlo,et al.  Hypercubic Lattice Reduction and Analysis of GGH and NTRU Signatures , 2003, EUROCRYPT.

[22]  Shafi Goldwasser,et al.  Complexity of lattice problems , 2002 .

[23]  Alan M. Frieze,et al.  Learning linear transformations , 1996, Proceedings of 37th Conference on Foundations of Computer Science.

[24]  William Whyte,et al.  NTRUSIGN: Digital Signatures Using the NTRU Lattice , 2003, CT-RSA.

[25]  Phong Q. Nguyen Cryptanalysis of the Goldreich-Goldwasser-Halevi Cryptosystem from Crypto '97 , 1999, CRYPTO.

[26]  Miklós Ajtai,et al.  Generating hard instances of lattice problems (extended abstract) , 1996, STOC '96.