Generating hard instances of lattice problems (extended abstract). STOC '96: Proceedings of the 28th Annual ACM Symposium on Theory of Computing.
A fast fixed-point algorithm for independent component analysis. Neural Computation.
Complexity of Lattice Problems.
Cryptanalysis of the Goldreich-Goldwasser-Halevi Cryptosystem from Crypto '97. CRYPTO '99: Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology.
Public-Key Cryptosystems from Lattice Reduction Problems. CRYPTO '97: Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology.
NSS: An NTRU Lattice-Based Signature Scheme. EUROCRYPT '01: Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques: Advances in Cryptology.
Cryptanalysis of the Revised NTRU Signature Scheme. EUROCRYPT '02: Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology.
Cryptanalysis of the NTRU Signature Scheme (NSS) from Eurocrypt 2001. ASIACRYPT '01: Proceedings of the 7th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology.
NTRU: A Ring-Based Public Key Cryptosystem. ANTS-III: Proceedings of the Third International Symposium on Algorithmic Number Theory.
Improving Lattice Based Cryptosystems Using the Hermite Normal Form. CaLC '01: Revised Papers from the International Conference on Cryptography and Lattices.
The Two Faces of Lattices in Cryptology. CaLC '01: Revised Papers from the International Conference on Cryptography and Lattices.
Learning linear transformations. FOCS '96: Proceedings of the 37th Annual Symposium on Foundations of Computer Science.
Hypercubic lattice reduction and analysis of GGH and NTRU signatures. EUROCRYPT '03: Proceedings of the 22nd International Conference on the Theory and Applications of Cryptographic Techniques.
NTRUSign: digital signatures using the NTRU lattice. CT-RSA '03: Proceedings of the 2003 RSA Conference, The Cryptographers' Track.
Trapdoors for hard lattices and new cryptographic constructions. STOC '08: Proceedings of the 40th Annual ACM Symposium on Theory of Computing.
Sliding Window Method for NTRU. ACNS '07: Proceedings of the 5th International Conference on Applied Cryptography and Network Security.
Efficient lattice-based signature scheme. International Journal of Applied Cryptography.
New chosen-ciphertext attacks on NTRU. PKC '07: Proceedings of the 10th International Conference on Practice and Theory in Public-Key Cryptography.
Cryptanalysis of the Paeng-Jung-Ha cryptosystem from PKC 2003. PKC '07: Proceedings of the 10th International Conference on Practice and Theory in Public-Key Cryptography.
A digital signature scheme based on CVP∞. PKC '08: Proceedings of the 11th International Conference on Practice and Theory in Public Key Cryptography.
Symplectic lattice reduction and NTRU. EUROCRYPT '06: Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques.
Fault analysis of the NTRUSign digital signature scheme. Cryptography and Communications.
Learning a zonotope and more: cryptanalysis of NTRUSign countermeasures. ASIACRYPT '12: Proceedings of the 18th International Conference on the Theory and Application of Cryptology and Information Security.
Lattice-based message recovery signature schemes. International Journal of Electronic Security and Digital Forensics.
Lattice-based signature schemes following the Goldreich-Goldwasser-Halevi (GGH) design have the unusual property that each signature leaks information on the signer's secret key, but this does not necessarily imply that such schemes are insecure. At Eurocrypt '03, Szydlo proposed a potential attack by showing that the leakage reduces the key-recovery problem to that of distinguishing integral quadratic forms. He proposed a heuristic method to solve the latter problem, but it was unclear whether his method could attack real-life parameters of GGH and NTRUSign. Here, we propose an alternative method to attack signature schemes à la GGH, by studying the following learning problem: given many random points uniformly distributed over an unknown n-dimensional parallelepiped, recover the parallelepiped or an approximation thereof. We transform this problem into a multivariate optimization problem that can be solved by a gradient descent. Our approach is very effective in practice: we present the first successful key-recovery experiments on NTRUSign-251 without perturbation, as proposed in half of the parameter choices in NTRU standards under consideration by IEEE P1363.1. Experimentally, 90,000 signatures are sufficient to recover the NTRUSign-251 secret key. We are also able to recover the secret key in the signature analogue of all the GGH encryption challenges, using a number of signatures which is roughly quadratic in the lattice dimension.
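The learning problem in the abstract, worked on a toy 4-dimensional basis as an added illustration (this is not the paper's code and not a real NTRUSign key; it assumes numpy is installed): points uniform over the parallelepiped spanned by the rows of a secret V are whitened with the sample covariance so that they lie in a rotated hypercube, and a gradient descent on the fourth moment then finds one hypercube axis, which maps back to a row of V up to sign. This is the kind of leakage the abstract says each unperturbed GGH-style signature contributes.

```python
import numpy as np

def sample_parallelepiped(V, m, rng):
    """m points uniform over {xV : x in [-1,1]^n}: a model of what the
    signatures of a GGH-style scheme with secret basis rows V leak."""
    X = rng.uniform(-1.0, 1.0, size=(m, V.shape[0]))
    return X @ V

def sym_power(G, p):
    """G**p for a symmetric positive definite G (via eigendecomposition)."""
    w, Q = np.linalg.eigh(G)
    return Q @ np.diag(w ** p) @ Q.T

def fourth_moment(U, w):
    return float(np.mean((U @ w) ** 4))

def learn_row(P, rng, delta=0.7, max_steps=500):
    """Approximate one row of V, up to sign, from points P of the parallelepiped."""
    m, n = P.shape
    G = 3.0 * (P.T @ P) / m          # E[v^T v] = V^T V / 3, so G estimates V^T V
    U = P @ sym_power(G, -0.5)       # whitening: U is uniform over a rotated hypercube
    w = rng.normal(size=n)
    w /= np.linalg.norm(w)
    cur = fourth_moment(U, w)
    for _ in range(max_steps):
        grad = 4.0 * np.mean(((U @ w) ** 3)[:, None] * U, axis=0)
        w_new = w - delta * grad
        w_new /= np.linalg.norm(w_new)
        nxt = fourth_moment(U, w_new)
        if nxt >= cur:               # no progress: shrink the step, stop when tiny
            delta *= 0.5
            if delta < 1e-4:
                break
            continue
        w, cur = w_new, nxt
    return w @ sym_power(G, 0.5)     # undo the whitening: hypercube axis times G^{1/2}

def matches_row(r, V, tol=0.1):
    """True if r lies within relative distance tol of +v or -v for some row v of V."""
    return any(min(np.linalg.norm(r - v), np.linalg.norm(r + v)) / np.linalg.norm(v) < tol
               for v in V)

def demo(seed=1, m=40000):
    """Constructed toy secret basis (not a real key); returns True when a row is recovered."""
    rng = np.random.default_rng(seed)
    V = np.array([[4., 1., -2., 0.], [-1., 5., 2., 1.],
                  [2., -3., 6., -1.], [0., 2., 1., 5.]])
    P = sample_parallelepiped(V, m, rng)
    return matches_row(learn_row(P, rng), V)

if __name__ == "__main__":
    print("recovered a secret row:", demo())
```

Running the descent from several random starts collects the remaining rows; the paper's dimension-251 experiments need far more samples than this toy, which is where the quadratic-in-dimension signature count comes from.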