Abstract
NTRUSign is the most practical lattice signature scheme. Its basic version was broken by Nguyen and Regev in 2006: one can efficiently recover the secret key from about 400 signatures. However, countermeasures have been proposed to repair the scheme, such as the perturbation used in NTRUSign standardization proposals, and the deformation proposed by Hu et al. at IEEE Trans. Inform. Theory in 2008. These two countermeasures were claimed to prevent the NR attack. Surprisingly, we show that these two claims are incorrect by revisiting the NR gradient-descent attack: the attack is more powerful than previously expected, and actually breaks both countermeasures in practice, e.g. 8,000 signatures suffice to break NTRUSign-251 with one perturbation as submitted to IEEE P1363 in 2003. More precisely, we explain why the Nguyen-Regev algorithm for learning a parallelepiped is heuristically able to learn more complex objects, such as zonotopes and deformed parallelepipeds.
Copyright information
© 2012 International Association for Cryptologic Research
Cite this paper
Ducas, L., Nguyen, P.Q. (2012). Learning a Zonotope and More: Cryptanalysis of NTRUSign Countermeasures. In: Wang, X., Sako, K. (eds) Advances in Cryptology – ASIACRYPT 2012. ASIACRYPT 2012. Lecture Notes in Computer Science, vol 7658. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34961-4_27
DOI: https://doi.org/10.1007/978-3-642-34961-4_27
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-34960-7
Online ISBN: 978-3-642-34961-4