Cryptanalysis of GGH and NTRU Signatures, Oded Regev (Tel Aviv) - PowerPoint PPT Presentation


SLIDE 1

Learning a Parallelepiped: Cryptanalysis of GGH and NTRU Signatures

Oded Regev (Tel Aviv University and CNRS, ENS-Paris)

Based on work with Phong Q. Nguyen (École normale supérieure) [Eurocrypt’06]

Winter School on Lattice-Based Cryptography and Applications, Bar-Ilan University, Israel, 20/2/2012

Bar-Ilan University, Dept. of Computer Science
SLIDE 2

SLIDE 3

Lattices

  • Basis: b1,…,bn vectors in R^n. The lattice L is L = {a1b1 + … + anbn | ai integers}

(Figure: lattice points labelled b1, b2, 2b1, b1+b2, 2b2, 2b2-b1, 2b2-2b1)

SLIDE 4

Closest Vector Problem (CVP)

  • CVP: Given a lattice and a target vector, find the closest lattice point
  • Seems very difficult; best algorithms take time 2^n
  • However, checking whether a point is in a lattice is easy

(Figure: basis vectors b1, b2 and a target point u)

SLIDE 5

Babai’s (rounding) CVP Algorithm

  • Babai’s algorithm: given a point u, write u = α1b1 + … + αnbn and output ⌈α1⌋b1 + … + ⌈αn⌋bn (⌈·⌋ denotes rounding to the nearest integer)
  • Works well for “good” bases

SLIDE 6

Babai’s CVP Algorithm

SLIDE 7

Babai’s CVP Algorithm

SLIDE 8

Babai’s CVP Algorithm: Analysis

SLIDE 9

Babai’s CVP Algorithm: Analysis

  • For a basis b1,…,bn, define the dual basis b1*,…,bn* by taking bi* to be the vector satisfying ⟨bi*, bi⟩ = 1 and ⟨bi*, bj⟩ = 0 for all i ≠ j.
  • In matrix notation, if B = (b1,…,bn), then B* = (B^-1)^T
  • Notice that if u = α1b1 + … + αnbn then αi = ⟨u, bi*⟩
  • We can therefore equivalently write Babai’s algorithm as: given a point u, output ⌈⟨u, b1*⟩⌋b1 + … + ⌈⟨u, bn*⟩⌋bn
  • So the radius of correct decoding is 1 / (2 max ||bi*||)
  • The lattice generated by b1*,…,bn* is called the dual lattice

SLIDE 10

Signature Scheme

  • Consists of:
    – Key generation algorithm: produces a (public-key, private-key) pair
    – Signing algorithm: given a message and a private key, produces a signature
    – Verification algorithm: given a pair (message, signature) and a public key, verifies that the signature matches
  • Although signatures can be built from any one-way function, efficient constructions are very important and still a main open question
SLIDE 11

The GGH Signature Scheme [1997]

  • Suggested in [GoldreichGoldwasserHalevi97]; no security proof
  • Idea: CVP is hard, but easy with a good basis
  • The scheme:
    – Key generation algorithm: choose a lattice with some good basis
      • Private-key = good basis
      • Public-key = bad basis
    – Signing algorithm: given a message and a private key,
      • Map the message to a point in space
      • Apply Babai’s algorithm with the good basis to obtain the signature
    – Verification algorithm: given message+signature and a public key, verify that
      • the signature is a lattice point, and
      • the signature is close to the message
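Slides 5, 9 and 11 as one worked example, added here and not taken from the talk or from the GGH paper: an exact dual basis, Babai rounding, the decoding radius, and a toy GGH sign/verify. The basis GOOD, the unimodular matrix UNIMOD, the message point MSG and the verification bound are constructed, and the dimension is 3 rather than the hundreds used in practice.

```python
from fractions import Fraction
from math import dist, sqrt

def inverse(B):  # exact inverse of an invertible square matrix by Gauss-Jordan over the rationals
    n = len(B)
    M = [[Fraction(x) for x in row] + [Fraction(int(i == j)) for j in range(n)] for i, row in enumerate(B)]
    for c in range(n):
        p = next(r for r in range(c, n) if M[r][c] != 0)  # pivot row
        M[c], M[p] = M[p], M[c]
        M[c] = [x / M[c][c] for x in M[c]]
        for r in range(n):
            if r != c:
                M[r] = [a - M[r][c] * b for a, b in zip(M[r], M[c])]
    return [row[n:] for row in M]

def dual_basis(B):  # b_i* = column i of B^-1, so <b_i*, b_j> = 1 if i == j and 0 otherwise
    return [list(col) for col in zip(*inverse(B))]

def coords(B, u):  # alpha_i = <u, b_i*>, the coefficients with u = sum_i alpha_i b_i
    return [sum(Fraction(uk) * bk for uk, bk in zip(u, bs)) for bs in dual_basis(B)]

def babai(B, u):  # Babai rounding: output sum_i round(alpha_i) b_i
    r = [round(a) for a in coords(B, u)]
    return [sum(ri * bik for ri, bik in zip(r, col)) for col in zip(*B)]

def decoding_radius(B):  # rounding recovers the lattice point for any error shorter than 1/(2 max ||b_i*||)
    return 1 / (2 * max(sqrt(sum(float(x) ** 2 for x in bs)) for bs in dual_basis(B)))

# Toy GGH keys (constructed): the private key is a short, nearly orthogonal basis; the public key is
# a bad basis of the same lattice, obtained by multiplying with a unimodular (determinant 1) matrix.
GOOD = [[5, 1, 0], [-1, 6, 1], [0, -1, 5]]
UNIMOD = [[1, 2, 3], [2, 5, 7], [1, 3, 5]]
BAD = [[sum(UNIMOD[i][k] * GOOD[k][j] for k in range(3)) for j in range(3)] for i in range(3)]
MSG = [14, -18, 3]  # constructed: a message already mapped to a point in space

def ggh_sign(private, m):  # signature = lattice point near m, found by Babai rounding with the good basis
    return babai(private, m)

def ggh_verify(public, m, s, bound):  # s is a lattice point iff its public-basis coordinates are integers
    return all(c.denominator == 1 for c in coords(public, s)) and dist(s, m) <= bound

def leak(private, m, s):  # what an attacker sees: s - m has private-basis coordinates in [-1/2, 1/2]
    return coords(private, [si - mi for si, mi in zip(s, m)])
```

Rounding with the public basis decodes the same point wrongly, and its decoding radius is far smaller than that of the private basis, which is exactly the good-basis/bad-basis gap GGH relies on.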
SLIDE 12

GGH Signature Scheme:

(Figure: private key, public key, message and signature shown as lattice pictures)

SLIDE 13

GGH Signature Scheme:

(Figure: public key, message and signature)

Verification:
  1. the signature should be a lattice point
  2. the distance between the message and the signature should be small

SLIDE 14

SLIDE 15

The NTRUsign Signature Scheme [HoffsteinHowgraveGrahamPipherSilvermanWhyte01]

  • Essentially a very efficient implementation of the GGH signature scheme
    – Signature length only 1757 bits
    – Signing and verification are faster than RSA-based methods
  • Based on the NTRU lattices (bicyclic lattices generated from a polynomial ring)
  • Developed by the company NTRU and was under consideration by IEEE P1363.1
  • Some flaws pointed out in [GentrySzydlo’02]

SLIDE 16

Main Result

  • An inherent security flaw in GGH-based signature schemes
  • Demonstrated a practical attack on:
    – GGH
      • Up to dimension 400
    – NTRUsign
      • Dimension 502
      • Applies to half of the parameter sets in IEEE P1363.1
      • Only 400 signatures needed!
  • The attack recovers the private key
  • Running time is a few minutes on a 2GHz/2GB PC

SLIDE 17

Main Result

  • Possible countermeasures:
    – Perturbations, as suggested by NTRU in several of the IEEE P1363.1 parameter sets
    – Larger entries in the private key
    – It is not clear if the attack can be extended to deal with these extensions
    – Use provably secure alternatives!!
  • NTRUEncrypt is still secure, as is all provably secure lattice-based crypto!

SLIDE 18

SLIDE 19

The Attack

SLIDE 20

  • Each signature s on a message point m gives s − m = Σ (⌈αi⌋ − αi) bi, a point of the centered parallelepiped {Σ yi bi : yi ∈ [−1/2, 1/2]} spanned by the private basis; many signatures give many (roughly uniform) samples from it
  • So it is enough to solve the following problem:

Hidden Parallelepiped Problem

Given points sampled uniformly from an n-dimensional centered parallelepiped, recover the parallelepiped

  • This would enable us to recover the private key

SLIDE 21

  • Let’s try to solve an easier problem:

Hidden Hypercube Problem

Given points sampled uniformly from an n-dimensional centered unit hypercube, recover the hypercube

  • We will later reduce the general case to the hypercube

SLIDE 22

HHP: First Attempt

  • For a unit vector u, define the variance Var(u) of the samples in the direction u
  • Perhaps by computing Var(u) for many u’s we can learn something
  • The samples x can be written as x = Uy for y chosen uniformly from [-1,1]^n and an orthogonal matrix U, so Var(u) is the same for every direction u and tells us nothing about the hypercube

SLIDE 23

HHP: Second Attempt

  • So let’s try the fourth moment Kur(u) instead
  • A short calculation expresses Kur(u) in terms of the ui, u’s coordinates in the hypercube basis
  • Therefore:
    – In the direction of the corners the kurtosis is ~1/3
    – In the direction of the faces the kurtosis is 1/5

SLIDE 24

HHP: The Algorithm

The algorithm repeats the following steps:

  • Choose a random unit vector u
  • Perform a gradient descent on the sphere to find a local minimum of Kur(u)
  • Output the resulting vector

Each application randomly yields one of the 2n face vectors

SLIDE 25

Back to HPP

  • Now the samples can be written as x = Ry, where y is chosen uniformly from [-1,1]^n and R is some matrix
  • Consider the average of the matrix xx^T
  • Hence, we can get an approximation of S = RR^T (the Gram matrix of R)
  • Now the matrix S^-1/2 R is orthogonal

SLIDE 26

Back to HPP

  • Hence, by applying the transformation S^-1/2 to our samples x, we obtain samples from a unit hypercube, so we’re back to HHP
  • In other words, we have morphed a parallelepiped into a hypercube
  • Now run the HHP algorithm on the samples S^-1/2 x. If U is the returned matrix, return S^1/2 U as the parallelepiped.

SLIDE 27

We’re not alone

  • The HPP has already been looked at:
    – In statistical analysis, and in particular Independent Component Analysis (ICA). The FastICA algorithm is very similar to ours [HyvärinenOja97]. Many applications in signal processing, neural networks, etc.
    – In the computational learning community, by [FriezeJerrumKannan96]. A somewhat different algorithm.
  • However, none gives a rigorous analysis. We analyze the algorithm rigorously, taking into account the effects of noise

SLIDE 28

Followup Work

  • Countermeasure: “perturbations”
  • Can the attack be extended to deal with perturbations? Yes, to some extent! [DucasNguyen12]
  • Provably secure signatures using a Gaussian sampler [GentryPeikertVaikuntanathan08]

SLIDE 29

Thanks