Lattice-based signature schemes following the Goldreich–Goldwasser–Halevi (GGH) design have the unusual property that each signature leaks information about the signer’s secret key, but this does not by itself imply that such schemes are insecure. At Eurocrypt ’03, Szydlo proposed a potential attack by showing that the leakage reduces the key-recovery problem to that of distinguishing integral quadratic forms. He proposed a heuristic method to solve the latter problem, but it was unclear whether his method could attack real-life parameters of GGH and NTRUSign. Here, we propose an alternative method to attack signature schemes à la GGH by studying the following learning problem: given many random points uniformly distributed over an unknown n-dimensional parallelepiped, recover the parallelepiped or an approximation thereof. We transform this problem into a multivariate optimization problem that can provably be solved by gradient descent. Our approach is very effective in practice: we present the first successful key-recovery experiments on NTRUSign-251 without perturbation, as proposed in half of the parameter choices in the NTRU standards under consideration by IEEE P1363.1. Experimentally, 400 signatures are sufficient to recover the NTRUSign-251 secret key, thanks to symmetries in NTRU lattices. We are also able to recover the secret key in the signature analogue of all the GGH encryption challenges.
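The learning problem above can be made concrete in a few dozen lines. The following is an added toy implementation written for this page, not code from the paper or from any NTRU/GGH implementation: it draws points uniformly from a constructed 3-dimensional parallelepiped (standing in for the leaked signature vectors), whitens them with the sample second-moment matrix so that the parallelepiped becomes an approximate hypercube, minimises the fourth moment E[<u,w>^4] over the unit sphere by gradient descent from random starts, and maps the recovered hypercube rows back to rows of the secret basis. Everything not in the abstract is an assumption of this example: the secret basis HIDDEN_BASIS, the sample size, the step size delta = 0.7, the 0.22 acceptance threshold, and the dimension (the real attack runs in dimension 251 and relies on NTRU symmetries to multiply its samples).

```python
import math
import random

# Constructed secret basis (rows are the basis vectors); integral, as in GGH/NTRU.
HIDDEN_BASIS = [[3, 1, 0], [1, 4, 1], [0, -1, 3]]


def sample_parallelepiped(V, m, rng):
    """m points v = x V with x uniform in [-1,1]^n: uniform over the parallelepiped P(V)."""
    n = len(V)
    pts = []
    for _ in range(m):
        x = [rng.uniform(-1.0, 1.0) for _ in range(n)]
        pts.append([sum(x[i] * V[i][k] for i in range(n)) for k in range(n)])
    return pts


def gram_estimate(pts):
    """E[v^T v] = V^T V / 3 for v uniform in P(V), so 3 * (sample second moment) ~ V^T V."""
    n, m = len(pts[0]), len(pts)
    G = [[0.0] * n for _ in range(n)]
    for v in pts:
        for a in range(n):
            for b in range(n):
                G[a][b] += v[a] * v[b]
    return [[3.0 * G[a][b] / m for b in range(n)] for a in range(n)]


def cholesky(G):
    """Lower-triangular R with R R^T = G (G symmetric positive definite)."""
    n = len(G)
    R = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            s = G[i][j] - sum(R[i][k] * R[j][k] for k in range(j))
            R[i][j] = math.sqrt(s) if i == j else s / R[j][j]
    return R


def forward_solve(R, b):
    """Solve R y = b for lower-triangular R (gives y = R^{-1} b)."""
    y = []
    for i in range(len(b)):
        y.append((b[i] - sum(R[i][k] * y[k] for k in range(i))) / R[i][i])
    return y


def fourth_moment_and_gradient(U, w):
    """Empirical mom(w) = E[<u,w>^4] and its gradient 4 E[<u,w>^3 u] over the whitened points."""
    n, m = len(w), len(U)
    mom, grad = 0.0, [0.0] * n
    for u in U:
        s = sum(u[k] * w[k] for k in range(n))
        s3 = s * s * s
        mom += s3 * s
        for k in range(n):
            grad[k] += s3 * u[k]
    return mom / m, [4.0 * g / m for g in grad]


def normalize(w):
    norm = math.sqrt(sum(c * c for c in w))
    return [c / norm for c in w]


def descend(U, w, delta=0.7, max_iter=60):
    """Gradient descent on the unit sphere: step against the gradient, renormalise, and stop
    once the fourth moment stops decreasing. delta = 0.7 is an assumed step size."""
    w = normalize(w)
    mom, grad = fourth_moment_and_gradient(U, w)
    for _ in range(max_iter):
        w_new = normalize([w[k] - delta * grad[k] for k in range(len(w))])
        mom_new, grad_new = fourth_moment_and_gradient(U, w_new)
        if mom_new >= mom:
            break
        w, mom, grad = w_new, mom_new, grad_new
    return w, mom


def canonical(row):
    """Round to integers and fix the sign ambiguity (+row and -row are both minima)."""
    r = [int(round(c)) for c in row]
    first = next((c for c in r if c != 0), 0)
    return [-c for c in r] if first < 0 else r


def recover_basis(pts, rng, max_starts=40):
    """Whiten P(V) to a hypercube, find its rows by descent from random starts, map back to V."""
    n = len(pts[0])
    R = cholesky(gram_estimate(pts))
    # u = v R^{-T} = x C with C = V R^{-T}; C C^T ~ I, so the u are ~uniform in a hypercube.
    U = [forward_solve(R, v) for v in pts]
    found = []
    for _ in range(max_starts):
        w, mom = descend(U, [rng.gauss(0.0, 1.0) for _ in range(n)])
        if mom > 0.22:  # hypercube minimum is 1/5; a larger value means a non-row direction
            continue
        cand = canonical([sum(w[j] * R[k][j] for j in range(n)) for k in range(n)])  # V_i = C_i R^T
        if cand not in found:
            found.append(cand)
        if len(found) == n:
            break
    return sorted(found)


def demo(m=10000, seed=1):
    """Constructed leakage from HIDDEN_BASIS, then recovery; returns the rows found."""
    rng = random.Random(seed)
    return recover_basis(sample_parallelepiped(HIDDEN_BASIS, m, rng), rng)


if __name__ == "__main__":
    print(demo())
```

The whitening step is what turns the general parallelepiped into the hypercube case: because the rows of C = V R^{-T} are nearly orthonormal, the only local minima of the fourth moment on the sphere are ±C_i, which is why plain gradient descent suffices, and the empirical fourth moment at such a minimum sits near 1/5, which the acceptance threshold exploits to discard runs that stopped early.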