Phong Q. NguyPhong Q. Nguyêên n (École normale supérieure)(École normale supérieure)

Oded Regev Oded Regev (Tel Aviv University)(Tel Aviv University)

Learning a Parallelepiped:Learning a Parallelepiped: Cryptanalysis of Cryptanalysis of GGH and NTRU GGH and NTRU SignaturesSignatures

OutlineOutline

•Introduction to lattices•Lattice-based signature schemes•The attack

Basis: Basis:

vv11,…,v,…,vnn vectors in R vectors in Rnn

The lattice L is The lattice L is

L={aL={a11vv11+…+a+…+annvvnn| a| ai i

integers}integers}

LatticesLattices

v1 v2

0

2v1v1+v2 2v2

2v2-v1

2v2-2v1

Basis is not uniqueBasis is not unique

0

v2

v1

v1’

v2’

• CVP: Given a lattice and a target vector, find the CVP: Given a lattice and a target vector, find the closest lattice pointclosest lattice point

• Seems very difficult; best algorithms take time 2Seems very difficult; best algorithms take time 2nn

• However, checking if a point is However, checking if a point is inin a lattice is easy a lattice is easy

Closest Vector Problem (CVP)Closest Vector Problem (CVP)

0

v2

v1

uu

• Babai’s algorithm: given a point u, writeBabai’s algorithm: given a point u, write

and output and output

• Works well for good basesWorks well for good bases

Babai’s CVP AlgorithmBabai’s CVP Algorithm

Babai’s CVP AlgorithmBabai’s CVP Algorithm

Babai’s CVP AlgorithmBabai’s CVP Algorithm

Lattice-based CryptographyLattice-based Cryptography

• One-way functions based on worst-case One-way functions based on worst-case hardness hardness [Ajtai96, GoldreichGoldwasserHalevi96, [Ajtai96, GoldreichGoldwasserHalevi96, CaiNerurkar97, MicciancioRegev04]CaiNerurkar97, MicciancioRegev04]

• Public-key cryptosystems based on worst-Public-key cryptosystems based on worst-case hardness [case hardness [AjtaiDwork97, AjtaiDwork97,

GoldreichGoldwasserHalevi97, Regev04, Regev06GoldreichGoldwasserHalevi97, Regev04, Regev06]]– Other public-key cryptosystems Other public-key cryptosystems

[[GoldreichGoldwasserHalevi97, HoffsteinPipherSilverman98]GoldreichGoldwasserHalevi97, HoffsteinPipherSilverman98]

• Signature schemesSignature schemes– GGH GGH [GoldreichGoldwasserHalevi97],[GoldreichGoldwasserHalevi97],– NTRUsign NTRUsign

[HoffsteinHowgraveGrahamPipherSilvermanWhyte01[HoffsteinHowgraveGrahamPipherSilvermanWhyte01]]

Signature SchemesSignature Schemes

• Consists ofConsists of::

– Key generation algorithm:Key generation algorithm: produces a produces a (public-key,private-key) pair(public-key,private-key) pair

– Signing algorithm: Signing algorithm: given a message given a message and a private-key, produces a signatureand a private-key, produces a signature

– Verification algorithm: Verification algorithm: given a given a message+signature and a public key, message+signature and a public key, verifies that the signature matchesverifies that the signature matches

The GGH Signature SchemeThe GGH Signature Scheme• Idea: CVP is hard, but easy with good basisIdea: CVP is hard, but easy with good basis• The scheme:The scheme:

– Key generation algorithm: Key generation algorithm: choose a lattice with choose a lattice with some good basis some good basis

• Private-key = good basisPrivate-key = good basis• Public-key = bad basisPublic-key = bad basis

– Signing algorithm: Signing algorithm: given a message and a private given a message and a private key,key,

• Map message to a point in space Map message to a point in space • Apply Babai’s algorithm with good basis to obtain the Apply Babai’s algorithm with good basis to obtain the

signature signature – Verification algorithm: Verification algorithm: given message+signature given message+signature

and a public key, verify that and a public key, verify that • Signature is a lattice point, andSignature is a lattice point, and• Signature is close to the messageSignature is close to the message

GGH Signature SchemeGGH Signature Scheme

Private-keyPrivate-key::

Public-key:Public-key:

Message:Message:

Signature:Signature:

GGH Signature SchemeGGH Signature Scheme

Public-key:Public-key:

Message:Message:

Signature:Signature:

Verification: 1. should be a lattice pointVerification: 1. should be a lattice point 2. distance between and should be small2. distance between and should be small

The NTRUsign Signature SchemeThe NTRUsign Signature Scheme• Essentially a very efficient implementation of Essentially a very efficient implementation of

the GGH signature schemethe GGH signature scheme– Signature length only 1757 bitsSignature length only 1757 bits– Signing and verification are faster than RSA-based Signing and verification are faster than RSA-based

methodsmethods• Based on the NTRU lattices (bicyclic lattices Based on the NTRU lattices (bicyclic lattices

generated from a polynomial ring)generated from a polynomial ring)• Developed by the company NTRU and Developed by the company NTRU and

currently under consideration by IEEE P1363.1currently under consideration by IEEE P1363.1• Some flaws pointed out in [GentrySzydlo’02]Some flaws pointed out in [GentrySzydlo’02]

Main ResultMain Result

• An inherent security flaw in GGH-based An inherent security flaw in GGH-based signature schemessignature schemes

• Demonstrated a practical attack on:Demonstrated a practical attack on:– GGH GGH

• Up to dimension 400Up to dimension 400– NTRUsign NTRUsign

• Dimension 502 Dimension 502 • Applies to half of the parameter sets in IEEE P1363.1Applies to half of the parameter sets in IEEE P1363.1• Only 400 signatures needed!Only 400 signatures needed!

• The attack recovers the The attack recovers the private keyprivate key

• Running time is a few Running time is a few minutes on a 2Ghz/2GB PCminutes on a 2Ghz/2GB PC

Main ResultMain Result

• Possible countermeasures:Possible countermeasures:– Pertubations, as suggested by NTRU in Pertubations, as suggested by NTRU in

several of the IEEE P1363.1 parameter setsseveral of the IEEE P1363.1 parameter sets– Larger entries in private keyLarger entries in private key– It is not clear if the attack can be extended to It is not clear if the attack can be extended to

deal with these extensionsdeal with these extensions

• Public key encryption schemes and one-Public key encryption schemes and one-way functions are still secure!!way functions are still secure!!– This includes all schemes based on worst-This includes all schemes based on worst-

case hardness and NTRUencryptcase hardness and NTRUencrypt

The AttackThe Attack

•So it is enough to solve the following So it is enough to solve the following problem:problem:

•This would enable us to This would enable us to recover the private keyrecover the private key

Hidden Parallelepiped Hidden Parallelepiped ProblemProblem

Given points sampled uniformly Given points sampled uniformly from an n-dimensional centered from an n-dimensional centered parallelepiped, recover the parallelepiped, recover the parallelepipedparallelepiped

Given points sampled uniformly Given points sampled uniformly from an n-dimensional centered from an n-dimensional centered parallelepiped, recover the parallelepiped, recover the parallelepipedparallelepiped

•Let’s try to solve an easier problem:Let’s try to solve an easier problem:

•We will later reduce the We will later reduce the general case to the general case to the hypercubehypercube

Hidden Hypercube ProblemHidden Hypercube Problem

Given points sampled uniformly Given points sampled uniformly from an n-dimensional centered unit from an n-dimensional centered unit hypercube, recover the hypercubehypercube, recover the hypercube

Given points sampled uniformly Given points sampled uniformly from an n-dimensional centered unit from an n-dimensional centered unit hypercube, recover the hypercubehypercube, recover the hypercube

• For a unit vector u define the variance in the For a unit vector u define the variance in the direction u as direction u as

• Perhaps by computing Var(u) for many u’s we Perhaps by computing Var(u) for many u’s we can learn somethingcan learn something

HHP: First AttemptHHP: First Attempt

• The samples x can be written asThe samples x can be written asfor y chosen uniformly from [-1,1]for y chosen uniformly from [-1,1]n n and an and an orthogonal matrix Uorthogonal matrix U

• Therefore,Therefore,

• So let’s try the fourth moment instead:So let’s try the fourth moment instead:

• A short calculation shows that A short calculation shows that

where uwhere uii are u’s coordinates in the hypercube are u’s coordinates in the hypercube basisbasis

• Therefore:Therefore:• In direction of the corners In direction of the corners

the kurtosis is ~1/3 the kurtosis is ~1/3 • In direction of the faces In direction of the faces

the kurtosis is 1/5the kurtosis is 1/5

HHP: Second AttemptHHP: Second Attempt

The algorithm repeats the following steps:The algorithm repeats the following steps:

• Choose a random unit vector Choose a random unit vector uu• Perform a gradient descent on the Perform a gradient descent on the

sphere to find a local minimum of Kur(u)sphere to find a local minimum of Kur(u)• Output the resulting Output the resulting

vectorvector

Each application randomly Each application randomly yields one of the 2n yields one of the 2n face vectors face vectors

HHP: The AlgorithmHHP: The Algorithm

• Now the samples can be written asNow the samples can be written aswhere y is chosen uniformly from [-1,1]where y is chosen uniformly from [-1,1]nn

and R is some matrix and R is some matrix • Consider the average of the matrix xxConsider the average of the matrix xxTT

• Hence, we can get an approximation of Hence, we can get an approximation of S=RRS=RRT T (the Gram matrix of R)(the Gram matrix of R)

• Now the matrix SNow the matrix S-1/2-1/2R is orthogonal:R is orthogonal:

Back to HPPBack to HPP

• Hence, by applying the transformation Hence, by applying the transformation SS--

1/21/2 to our samples x, we obtain samples to our samples x, we obtain samples from a unit hypercube, so we’re back to from a unit hypercube, so we’re back to HCPHCP

• In other words, we have morphed a In other words, we have morphed a parallelepiped into a hypercube:parallelepiped into a hypercube:

• Now run the HHP algorithm on the Now run the HHP algorithm on the samples samples SS-1/2-1/2x. If U is the returned x. If U is the returned matrix, return Smatrix, return S1/21/2U as the U as the parallelepiped.parallelepiped.

Back to HPPBack to HPP

• The HPP has already been looked at:The HPP has already been looked at:• In statistical analysis, and in In statistical analysis, and in

particular Independent Component particular Independent Component Analysis (ICA). The FastICA algorithm Analysis (ICA). The FastICA algorithm is very similar to ours is very similar to ours [HyvärinenOja97][HyvärinenOja97]. Many applications in . Many applications in signal processing, neural networks, signal processing, neural networks, etc.etc.

• In the computational learning In the computational learning community, by [community, by [FriezeJerrumKannan96FriezeJerrumKannan96]. ]. A somewhat different algorithm.A somewhat different algorithm.

• However, none gives a rigorous However, none gives a rigorous analysis. We analyze the algorithm analysis. We analyze the algorithm rigorously, taking into account the rigorously, taking into account the effects of noiseeffects of noise

We’re not aloneWe’re not alone

Open questionsOpen questions

•Any provably secure lattice-based Any provably secure lattice-based signature schemes?signature schemes?

•Can the attack be extended to deal with Can the attack be extended to deal with the countermeasures?the countermeasures?

+ =

Thanks !!Thanks !!