Download presentation
Presentation is loading. Please wait.
1
阮風光 Phong Q. Nguyên (École normale supérieure) עודד רגב Oded Regev עודד רגב Oded Regev (Tel Aviv University) Learning a Parallelepiped: Cryptanalysis of Cryptanalysis of GGH and NTRU Signatures GGH and NTRU Signatures ˜
2
Outline Introduction to lattices Lattice-based signature schemes The attack
4
Basis: v 1, …,v n vectors in R n v 1, …,v n vectors in R n The lattice L is L={a 1 v 1 + … +a n v n | a i integers} L={a 1 v 1 + … +a n v n | a i integers} Lattices v1v1 v2v2 0 2v 1 v 1 +v 2 2v 2 2v 2 -v 1 2v 2 -2v 1
5
Basis is not unique 0 v2v2 v1v1 v1’v1’ v2’v2’
6
CVP: Given a lattice and a target vector, find the closest lattice point CVP: Given a lattice and a target vector, find the closest lattice point Seems very difficult; best algorithms take time 2 n Seems very difficult; best algorithms take time 2 n However, checking if a point is in a lattice is easy However, checking if a point is in a lattice is easy Closest Vector Problem (CVP) 0 v2v2 v1v1u
7
Babai ’ s algorithm: given a point u, write Babai ’ s algorithm: given a point u, write and output Works well for good bases Works well for good bases Babai ’ s CVP Algorithm
10
Lattice-based Cryptography One-way functions based on worst-case hardness [Ajtai96, GoldreichGoldwasserHalevi96, CaiNerurkar97, MicciancioRegev04] One-way functions based on worst-case hardness [Ajtai96, GoldreichGoldwasserHalevi96, CaiNerurkar97, MicciancioRegev04] Public-key cryptosystems based on worst- case hardness [ AjtaiDwork97, GoldreichGoldwasserHalevi97, Regev04, Regev06 ] Public-key cryptosystems based on worst- case hardness [ AjtaiDwork97, GoldreichGoldwasserHalevi97, Regev04, Regev06 ] – Other public-key cryptosystems [ GoldreichGoldwasserHalevi97, HoffsteinPipherSilverman98] Signature schemes Signature schemes – GGH [GoldreichGoldwasserHalevi97], – NTRUsign [HoffsteinHowgraveGrahamPipherSilvermanWhyte01 ]
11
Signature Schemes Consists of : Consists of : – Key generation algorithm: produces a (public-key,private-key) pair – Signing algorithm: given a message and a private-key, produces a signature – Verification algorithm: given a message+signature and a public key, verifies that the signature matches
12
The GGH Signature Scheme Idea: CVP is hard, but easy with good basis Idea: CVP is hard, but easy with good basis The scheme: The scheme: – Key generation algorithm: choose a lattice with some good basis Private-key = good basis Private-key = good basis Public-key = bad basis Public-key = bad basis – Signing algorithm: given a message and a private key, Map message to a point in space Map message to a point in space Apply Babai ’ s algorithm with good basis to obtain the signature Apply Babai ’ s algorithm with good basis to obtain the signature – Verification algorithm: given message+signature and a public key, verify that Signature is a lattice point, and Signature is a lattice point, and Signature is close to the message Signature is close to the message
13
GGH Signature Scheme Private-key: Public-key: Message: Signature:
14
Public-key: Message: Signature: Verification: 1. should be a lattice point 2. distance between and should be small 2. distance between and should be small
16
The NTRUsign Signature Scheme Essentially a very efficient implementation of the GGH signature scheme Essentially a very efficient implementation of the GGH signature scheme – Signature length only 1757 bits – Signing and verification are faster than RSA- based methods Based on the NTRU lattices (bicyclic lattices generated from a polynomial ring) Based on the NTRU lattices (bicyclic lattices generated from a polynomial ring) Developed by the company NTRU and currently under consideration by IEEE P1363.1 Developed by the company NTRU and currently under consideration by IEEE P1363.1 Some flaws pointed out in [GentrySzydlo ’ 02] Some flaws pointed out in [GentrySzydlo ’ 02]
17
Main Result An inherent security flaw in GGH-based signature schemes An inherent security flaw in GGH-based signature schemes Demonstrated a practical attack on: Demonstrated a practical attack on: – GGH Up to dimension 400 Up to dimension 400 – NTRUsign Dimension 502 Dimension 502 Applies to half of the parameter sets in IEEE P1363.1 Applies to half of the parameter sets in IEEE P1363.1 Only 400 signatures needed! Only 400 signatures needed! The attack recovers the The attack recovers the private key Running time is a few Running time is a few minutes on a 2Ghz/2GB PC
18
Main Result Possible countermeasures: Possible countermeasures: – Pertubations, as suggested by NTRU in several of the IEEE P1363.1 parameter sets – Larger entries in private key – It is not clear if the attack can be extended to deal with these extensions Public key encryption schemes and one-way functions are still secure!! Public key encryption schemes and one-way functions are still secure!! – This includes all schemes based on worst-case hardness and NTRUencrypt
20
The Attack
21
So it is enough to solve the following problem: So it is enough to solve the following problem: This would enable us to This would enable us to recover the private key Hidden Parallelepiped Problem Given points sampled uniformly from an n-dimensional centered parallelepiped, recover the parallelepiped
22
Let’s try to solve an easier problem: Let’s try to solve an easier problem: We will later reduce the We will later reduce the general case to the hypercube Hidden Hypercube Problem Given points sampled uniformly from an n-dimensional centered unit hypercube, recover the hypercube
23
For a unit vector u define the variance in the direction u as For a unit vector u define the variance in the direction u as Perhaps by computing Var(u) for many u’s we can learn something Perhaps by computing Var(u) for many u’s we can learn something HHP: First Attempt The samples x can be written as The samples x can be written as for y chosen uniformly from [-1,1] n and an orthogonal matrix U Therefore, Therefore,
24
So let’s try the fourth moment instead: So let’s try the fourth moment instead: A short calculation shows that A short calculation shows that where u i are u’s coordinates in the hypercube basis Therefore: Therefore: In direction of the corners In direction of the corners the kurtosis is ~1/3 In direction of the faces In direction of the faces the kurtosis is 1/5 HHP: Second Attempt
25
The algorithm repeats the following steps: Choose a random unit vector uChoose a random unit vector u Perform a gradient descent on the sphere to find a local minimum of Kur(u)Perform a gradient descent on the sphere to find a local minimum of Kur(u) Output the resultingOutput the resultingvector Each application randomly yields one of the 2n face vectors HHP: The Algorithm
26
Now the samples can be written asNow the samples can be written as where y is chosen uniformly from [-1,1] n and R is some matrix Consider the average of the matrix xx TConsider the average of the matrix xx T Hence, we can get an approximation of S=RR T (the Gram matrix of R)Hence, we can get an approximation of S=RR T (the Gram matrix of R) Now the matrix S -1/2 R is orthogonal:Now the matrix S -1/2 R is orthogonal: Back to HPP
27
Hence, by applying the transformation S -1/2 to our samples x, we obtain samples from a unit hypercube, so we’re back to HCPHence, by applying the transformation S -1/2 to our samples x, we obtain samples from a unit hypercube, so we’re back to HCP In other words, we have morphed a parallelepiped into a hypercube:In other words, we have morphed a parallelepiped into a hypercube: Now run the HHP algorithm on the samples S -1/2 x. If U is the returned matrix, return S 1/2 U as the parallelepiped.Now run the HHP algorithm on the samples S -1/2 x. If U is the returned matrix, return S 1/2 U as the parallelepiped. Back to HPP
28
The HPP has already been looked at:The HPP has already been looked at: In statistical analysis, and in particular Independent Component Analysis (ICA). The FastICA algorithm is very similar to ours [HyvärinenOja97]. Many applications in signal processing, neural networks, etc.In statistical analysis, and in particular Independent Component Analysis (ICA). The FastICA algorithm is very similar to ours [HyvärinenOja97]. Many applications in signal processing, neural networks, etc. In the computational learning community, by [ FriezeJerrumKannan96 ]. A somewhat different algorithm.In the computational learning community, by [ FriezeJerrumKannan96 ]. A somewhat different algorithm. However, none gives a rigorous analysis. We analyze the algorithm rigorously, taking into account the effects of noiseHowever, none gives a rigorous analysis. We analyze the algorithm rigorously, taking into account the effects of noise We ’ re not alone
29
Open questions Any provably secure lattice-based signature schemes? Any provably secure lattice-based signature schemes? Can the attack be extended to deal with the countermeasures? Can the attack be extended to deal with the countermeasures? + =
30
Thanks !!
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.