Publications of Léo Ducas: Learning a Zonotope and More: Cryptanalysis of NTRUSign Countermeasures.

Learning a Zonotope and More: Cryptanalysis of NTRUSign Countermeasures.

Léo Ducas and Phong Nguyen. Published at ASIACRYPT' 12.

Abstract:
There is growing interest in lattice cryptography, but from a practical point of view, only one lattice signature scheme is competitive with standard signatures: NTRUsign, designed in 2003. The basic version of NTRUsign was broken by Nguyen and Regev in 2006: one can efficiently recover the secret key from about 400 signatures. However, countermeasures have been proposed to repair the scheme, such as the perturbation used in NTRUsign standardization proposals, and the deformation proposed by Hu et al. at IEEE Trans. Inform. Theory in 2008. These two countermeasures were claimed to prevent the NR (Nguyen-Regev) attack.

Surprisingly, we show that these two claims are incorrect by revisiting the NR gradient-descent attack: the attack is much more powerful than previously expected, and breaks both countermeasures in practice. More precisely, we explain why the Nguyen-Regev algorithm for learning a parallelepiped is heuristically able to learn more complex objects, such as zonotopes and deformed parallelepipeds. As a concrete application, we recover the NTRUsign secret key in a few hours, using 8,000 signatures for the original NTRUsign-251 scheme with one perturbation submitted to IEEE P1363 in 2003, or 6,000 signatures for the latest 80-bit-security parameter set proposed in 2010.
Proceedings version (PDF)
Slides (HTML+Java)