Learning a zonotope and more: cryptanalysis of ntrusign countermeasures.

*(English)*Zbl 1292.94059
Wang, Xiaoyun (ed.) et al., Advances in cryptology – ASIACRYPT 2012. 18th international conference on the theory and application of cryptology and information security, Beijing, China, December 2–6, 2012. Proceedings. Berlin: Springer (ISBN 978-3-642-34960-7/pbk). Lecture Notes in Computer Science 7658, 433-450 (2012).

Summary: NTRUSign is the most practical lattice signature scheme. Its basic version was broken by Nguyen and Regev in 2006: one can efficiently recover the secret key from about 400 signatures. However, countermeasures have been proposed to repair the scheme, such as the perturbation used in NTRUSign standardization proposals, and the deformation proposed by Hu et al. at IEEE Trans. Inform. Theory in 2008. These two countermeasures were claimed to prevent the NR attack. Surprisingly, we show that these two claims are incorrect by revisiting the NR gradient-descent attack: the attack is more powerful than previously expected, and actually breaks both countermeasures in practice, e.g. 8,000 signatures suffice to break NTRUSign-251 with one perturbation as submitted to IEEE P1363 in 2003. More precisely, we explain why the Nguyen-Regev algorithm for learning a parallelepiped is heuristically able to learn more complex objects, such as zonotopes and deformed parallelepipeds.

For the entire collection see [Zbl 1258.94006].

For the entire collection see [Zbl 1258.94006].

##### MSC:

94A60 | Cryptography |