Abstract
In this paper, we introduce a new lattice reduction technique applicable to the narrow but important class of hypercubic lattices (L ≅ ℤ^N). Hypercubic lattices arise during transcript analysis of certain GGH and NTRUSign signature schemes. After a few thousand signatures, key recovery amounts to discovering a hidden unitary matrix U from its Gram matrix G = UU^T. This case of the Gram Matrix Factorization Problem is equivalent to finding the shortest vectors in the hypercubic lattice L_G defined by the quadratic form G. Our main result is a polynomial-time reduction to a conjecturally easier problem: the Lattice Distinguishing Problem. Additionally, we propose a heuristic solution to this distinguishing problem with a distributed computation of many “relatively short” vectors.
Copyright information
© 2003 International Association for Cryptologic Research
About this paper
Cite this paper
Szydlo, M. (2003). Hypercubic Lattice Reduction and Analysis of GGH and NTRU Signatures. In: Biham, E. (eds) Advances in Cryptology — EUROCRYPT 2003. EUROCRYPT 2003. Lecture Notes in Computer Science, vol 2656. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-39200-9_27
DOI: https://doi.org/10.1007/3-540-39200-9_27
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-14039-9
Online ISBN: 978-3-540-39200-2
eBook Packages: Springer Book Archive