phong q. nguy ê n (École normale supérieure) oded regev (tel aviv university)
DESCRIPTION
Learning a Parallelepiped: Cryptanalysis of GGH and NTRU Signatures. Phong Q. Nguy ê n (École normale supérieure) Oded Regev (Tel Aviv University). Introduction to lattices Lattice-based signature schemes The attack. Outline. Lattices. Basis: - PowerPoint PPT PresentationTRANSCRIPT
Phong Q. NguyPhong Q. Nguyêên n (École normale supérieure)(École normale supérieure)
Oded Regev Oded Regev (Tel Aviv University)(Tel Aviv University)
Learning a Parallelepiped:Learning a Parallelepiped: Cryptanalysis of Cryptanalysis of GGH and NTRU GGH and NTRU SignaturesSignatures
OutlineOutline
•Introduction to lattices•Lattice-based signature schemes•The attack
Basis: Basis:
vv11,…,v,…,vnn vectors in R vectors in Rnn
The lattice L is The lattice L is
L={aL={a11vv11+…+a+…+annvvnn| a| ai i
integers}integers}
LatticesLattices
v1 v2
0
2v1v1+v2 2v2
2v2-v1
2v2-2v1
Basis is not uniqueBasis is not unique
0
v2
v1
v1’
v2’
• CVP: Given a lattice and a target vector, find the CVP: Given a lattice and a target vector, find the closest lattice pointclosest lattice point
• Seems very difficult; best algorithms take time 2Seems very difficult; best algorithms take time 2nn
• However, checking if a point is However, checking if a point is inin a lattice is easy a lattice is easy
Closest Vector Problem (CVP)Closest Vector Problem (CVP)
0
v2
v1
uu
• Babai’s algorithm: given a point u, writeBabai’s algorithm: given a point u, write
and output and output
• Works well for good basesWorks well for good bases
Babai’s CVP AlgorithmBabai’s CVP Algorithm
Babai’s CVP AlgorithmBabai’s CVP Algorithm
Babai’s CVP AlgorithmBabai’s CVP Algorithm
Lattice-based CryptographyLattice-based Cryptography
• One-way functions based on worst-case One-way functions based on worst-case hardness hardness [Ajtai96, GoldreichGoldwasserHalevi96, [Ajtai96, GoldreichGoldwasserHalevi96, CaiNerurkar97, MicciancioRegev04]CaiNerurkar97, MicciancioRegev04]
• Public-key cryptosystems based on worst-Public-key cryptosystems based on worst-case hardness [case hardness [AjtaiDwork97, AjtaiDwork97,
GoldreichGoldwasserHalevi97, Regev04, Regev06GoldreichGoldwasserHalevi97, Regev04, Regev06]]– Other public-key cryptosystems Other public-key cryptosystems
[[GoldreichGoldwasserHalevi97, HoffsteinPipherSilverman98]GoldreichGoldwasserHalevi97, HoffsteinPipherSilverman98]
• Signature schemesSignature schemes– GGH GGH [GoldreichGoldwasserHalevi97],[GoldreichGoldwasserHalevi97],– NTRUsign NTRUsign
[HoffsteinHowgraveGrahamPipherSilvermanWhyte01[HoffsteinHowgraveGrahamPipherSilvermanWhyte01]]
Signature SchemesSignature Schemes
• Consists ofConsists of::
– Key generation algorithm:Key generation algorithm: produces a produces a (public-key,private-key) pair(public-key,private-key) pair
– Signing algorithm: Signing algorithm: given a message given a message and a private-key, produces a signatureand a private-key, produces a signature
– Verification algorithm: Verification algorithm: given a given a message+signature and a public key, message+signature and a public key, verifies that the signature matchesverifies that the signature matches
The GGH Signature SchemeThe GGH Signature Scheme• Idea: CVP is hard, but easy with good basisIdea: CVP is hard, but easy with good basis• The scheme:The scheme:
– Key generation algorithm: Key generation algorithm: choose a lattice with choose a lattice with some good basis some good basis
• Private-key = good basisPrivate-key = good basis• Public-key = bad basisPublic-key = bad basis
– Signing algorithm: Signing algorithm: given a message and a private given a message and a private key,key,
• Map message to a point in space Map message to a point in space • Apply Babai’s algorithm with good basis to obtain the Apply Babai’s algorithm with good basis to obtain the
signature signature – Verification algorithm: Verification algorithm: given message+signature given message+signature
and a public key, verify that and a public key, verify that • Signature is a lattice point, andSignature is a lattice point, and• Signature is close to the messageSignature is close to the message
GGH Signature SchemeGGH Signature Scheme
Private-keyPrivate-key::
Public-key:Public-key:
Message:Message:
Signature:Signature:
GGH Signature SchemeGGH Signature Scheme
Public-key:Public-key:
Message:Message:
Signature:Signature:
Verification: 1. should be a lattice pointVerification: 1. should be a lattice point 2. distance between and should be small2. distance between and should be small
The NTRUsign Signature SchemeThe NTRUsign Signature Scheme• Essentially a very efficient implementation of Essentially a very efficient implementation of
the GGH signature schemethe GGH signature scheme– Signature length only 1757 bitsSignature length only 1757 bits– Signing and verification are faster than RSA-based Signing and verification are faster than RSA-based
methodsmethods• Based on the NTRU lattices (bicyclic lattices Based on the NTRU lattices (bicyclic lattices
generated from a polynomial ring)generated from a polynomial ring)• Developed by the company NTRU and Developed by the company NTRU and
currently under consideration by IEEE P1363.1currently under consideration by IEEE P1363.1• Some flaws pointed out in [GentrySzydlo’02]Some flaws pointed out in [GentrySzydlo’02]
Main ResultMain Result
• An inherent security flaw in GGH-based An inherent security flaw in GGH-based signature schemessignature schemes
• Demonstrated a practical attack on:Demonstrated a practical attack on:– GGH GGH
• Up to dimension 400Up to dimension 400– NTRUsign NTRUsign
• Dimension 502 Dimension 502 • Applies to half of the parameter sets in IEEE P1363.1Applies to half of the parameter sets in IEEE P1363.1• Only 400 signatures needed!Only 400 signatures needed!
• The attack recovers the The attack recovers the private keyprivate key
• Running time is a few Running time is a few minutes on a 2Ghz/2GB PCminutes on a 2Ghz/2GB PC
Main ResultMain Result
• Possible countermeasures:Possible countermeasures:– Pertubations, as suggested by NTRU in Pertubations, as suggested by NTRU in
several of the IEEE P1363.1 parameter setsseveral of the IEEE P1363.1 parameter sets– Larger entries in private keyLarger entries in private key– It is not clear if the attack can be extended to It is not clear if the attack can be extended to
deal with these extensionsdeal with these extensions
• Public key encryption schemes and one-Public key encryption schemes and one-way functions are still secure!!way functions are still secure!!– This includes all schemes based on worst-This includes all schemes based on worst-
case hardness and NTRUencryptcase hardness and NTRUencrypt
The AttackThe Attack
•So it is enough to solve the following So it is enough to solve the following problem:problem:
•This would enable us to This would enable us to recover the private keyrecover the private key
Hidden Parallelepiped Hidden Parallelepiped ProblemProblem
Given points sampled uniformly Given points sampled uniformly from an n-dimensional centered from an n-dimensional centered parallelepiped, recover the parallelepiped, recover the parallelepipedparallelepiped
Given points sampled uniformly Given points sampled uniformly from an n-dimensional centered from an n-dimensional centered parallelepiped, recover the parallelepiped, recover the parallelepipedparallelepiped
•Let’s try to solve an easier problem:Let’s try to solve an easier problem:
•We will later reduce the We will later reduce the general case to the general case to the hypercubehypercube
Hidden Hypercube ProblemHidden Hypercube Problem
Given points sampled uniformly Given points sampled uniformly from an n-dimensional centered unit from an n-dimensional centered unit hypercube, recover the hypercubehypercube, recover the hypercube
Given points sampled uniformly Given points sampled uniformly from an n-dimensional centered unit from an n-dimensional centered unit hypercube, recover the hypercubehypercube, recover the hypercube
• For a unit vector u define the variance in the For a unit vector u define the variance in the direction u as direction u as
• Perhaps by computing Var(u) for many u’s we Perhaps by computing Var(u) for many u’s we can learn somethingcan learn something
HHP: First AttemptHHP: First Attempt
• The samples x can be written asThe samples x can be written asfor y chosen uniformly from [-1,1]for y chosen uniformly from [-1,1]n n and an and an orthogonal matrix Uorthogonal matrix U
• Therefore,Therefore,
• So let’s try the fourth moment instead:So let’s try the fourth moment instead:
• A short calculation shows that A short calculation shows that
where uwhere uii are u’s coordinates in the hypercube are u’s coordinates in the hypercube basisbasis
• Therefore:Therefore:• In direction of the corners In direction of the corners
the kurtosis is ~1/3 the kurtosis is ~1/3 • In direction of the faces In direction of the faces
the kurtosis is 1/5the kurtosis is 1/5
HHP: Second AttemptHHP: Second Attempt
The algorithm repeats the following steps:The algorithm repeats the following steps:
• Choose a random unit vector Choose a random unit vector uu• Perform a gradient descent on the Perform a gradient descent on the
sphere to find a local minimum of Kur(u)sphere to find a local minimum of Kur(u)• Output the resulting Output the resulting
vectorvector
Each application randomly Each application randomly yields one of the 2n yields one of the 2n face vectors face vectors
HHP: The AlgorithmHHP: The Algorithm
• Now the samples can be written asNow the samples can be written aswhere y is chosen uniformly from [-1,1]where y is chosen uniformly from [-1,1]nn
and R is some matrix and R is some matrix • Consider the average of the matrix xxConsider the average of the matrix xxTT
• Hence, we can get an approximation of Hence, we can get an approximation of S=RRS=RRT T (the Gram matrix of R)(the Gram matrix of R)
• Now the matrix SNow the matrix S-1/2-1/2R is orthogonal:R is orthogonal:
Back to HPPBack to HPP
• Hence, by applying the transformation Hence, by applying the transformation SS--
1/21/2 to our samples x, we obtain samples to our samples x, we obtain samples from a unit hypercube, so we’re back to from a unit hypercube, so we’re back to HCPHCP
• In other words, we have morphed a In other words, we have morphed a parallelepiped into a hypercube:parallelepiped into a hypercube:
• Now run the HHP algorithm on the Now run the HHP algorithm on the samples samples SS-1/2-1/2x. If U is the returned x. If U is the returned matrix, return Smatrix, return S1/21/2U as the U as the parallelepiped.parallelepiped.
Back to HPPBack to HPP
• The HPP has already been looked at:The HPP has already been looked at:• In statistical analysis, and in In statistical analysis, and in
particular Independent Component particular Independent Component Analysis (ICA). The FastICA algorithm Analysis (ICA). The FastICA algorithm is very similar to ours is very similar to ours [HyvärinenOja97][HyvärinenOja97]. Many applications in . Many applications in signal processing, neural networks, signal processing, neural networks, etc.etc.
• In the computational learning In the computational learning community, by [community, by [FriezeJerrumKannan96FriezeJerrumKannan96]. ]. A somewhat different algorithm.A somewhat different algorithm.
• However, none gives a rigorous However, none gives a rigorous analysis. We analyze the algorithm analysis. We analyze the algorithm rigorously, taking into account the rigorously, taking into account the effects of noiseeffects of noise
We’re not aloneWe’re not alone
Open questionsOpen questions
•Any provably secure lattice-based Any provably secure lattice-based signature schemes?signature schemes?
•Can the attack be extended to deal with Can the attack be extended to deal with the countermeasures?the countermeasures?
+ =
Thanks !!Thanks !!