Advertisement

Learning Strikes Again: The Case of the DRS Signature Scheme

  • Yang YuEmail author
  • Léo Ducas
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11273)

Abstract

Lattice signature schemes generally require particular care when it comes to preventing secret information from leaking through signature transcript. For example, the Goldreich-Goldwasser-Halevi (GGH) signature scheme and the NTRUSign scheme were completely broken by the parallelepiped-learning attack of Nguyen and Regev (Eurocrypt 2006). Several heuristic countermeasures were also shown vulnerable to similar statistical attacks.

At PKC 2008, Plantard, Susilo and Win proposed a new variant of GGH, informally arguing resistance to such attacks. Based on this variant, Plantard, Sipasseuth, Dumondelle and Susilo proposed a concrete signature scheme, called DRS, that has been accepted in the round 1 of the NIST post-quantum cryptography project.

In this work, we propose yet another statistical attack and demonstrate a weakness of the DRS scheme: one can recover some partial information of the secret key from sufficiently many signatures. One difficulty is that, due to the DRS reduction algorithm, the relation between the statistical leak and the secret seems more intricate. We work around this difficulty by training a statistical model, using a few features that we designed according to a simple heuristic analysis.

While we only recover partial information on the secret key, this information is easily exploited by lattice attacks, significantly decreasing their complexity. Concretely, we claim that, provided that \(100\,000\) signatures are available, the secret key may be recovered using BKZ-138 for the first set of DRS parameters submitted to the NIST. This puts the security level of this parameter set below 80-bits (maybe even 70-bits), to be compared to an original claim of 128-bits.

Keywords

Cryptanalysis Lattice based signature Statistical attack Learning BDD 

Notes

Acknowledgements

We thank Thomas Plantard, Arnaud Sipasseuth, and Han Zhao for helpful discussions and comments. We are also grateful to Yanbin Pan for sharing their work. Yang Yu is supported by the National Key Research and Development Program of China (No. 2017YFA0303903) and Zhejiang Province Key R & D Project (No. 2017C01062). Léo Ducas is supported by a Veni Innovational Research Grant from NWO under project number 639.021.645.

References

  1. 1.
    Albrecht, M.R.: On dual lattice attacks against small-secret LWE and parameter choices in HElib and SEAL. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 103–129. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-56614-6_4CrossRefGoogle Scholar
  2. 2.
    Albrecht, M.R., Göpfert, F., Virdia, F., Wunderer, T.: Revisiting the expected cost of solving uSVP and applications to LWE. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 297–322. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-70694-8_11CrossRefGoogle Scholar
  3. 3.
    Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015)MathSciNetCrossRefGoogle Scholar
  4. 4.
    Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange—a new hope. In: USENIX Security 2016, pp. 327–343 (2016)Google Scholar
  5. 5.
    Aono, Y., Nguyen, P.Q.: Random sampling revisited: lattice enumeration with discrete pruning. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 65–102. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-56614-6_3CrossRefGoogle Scholar
  6. 6.
    Bai, S., Langlois, A., Lepoint, T., Stehlé, D., Steinfeld, R.: Improved security proofs in lattice-based cryptography: Using the rényi divergence rather than the statistical distance. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 3–24. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-48797-6_1CrossRefzbMATHGoogle Scholar
  7. 7.
    Basak, D., Pal, S., Patranabis, D.C.: Support vector regression. Neural Inf. Process. Lett. Rev. 11(10), 203–224 (2007)Google Scholar
  8. 8.
    Chen, Y.: Réduction de réseau et sécurité concrète du chiffrement complètement homomorphe. PhD thesis (2013)Google Scholar
  9. 9.
    Chen, Y., Nguyen, P.Q.: BKZ 2.0: Better lattice security estimates (full version). http://www.di.ens.fr/~ychen/research/Full_BKZ.pdf
  10. 10.
    Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-25385-0_1CrossRefGoogle Scholar
  11. 11.
    Ducas, L.: Shortest vector from lattice sieving: a few dimensions for free. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 125–145. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-78381-9_5CrossRefGoogle Scholar
  12. 12.
    Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal Gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-40041-4_3CrossRefGoogle Scholar
  13. 13.
    Ducas, L., Nguyen, P.Q.: Learning a zonotope and more: cryptanalysis of NTRUSign countermeasures. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 433–450. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-34961-4_27CrossRefGoogle Scholar
  14. 14.
    Fukase, M., Kashiwabara, K.: An accelerated algorithm for solving SVP based on statistical analysis. J. Inf. Process. 23(1), 67–80 (2015)Google Scholar
  15. 15.
    Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC 2008, pp. 197–206 (2008)Google Scholar
  16. 16.
    Goldreich, O., Goldwasser, S., Halevi, S.: Public-key cryptosystems from lattice reduction problems. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 112–131. Springer, Heidelberg (1997).  https://doi.org/10.1007/BFb0052231CrossRefGoogle Scholar
  17. 17.
    Li, H., Liu, R., Nitaj, A., Pan, Y.: Cryptanalysis of the randomized version of a lattice-based signature scheme from PKC’08. In: Susilo, W., Yang, G. (eds.) ACISP 2018. LNCS, vol. 10946, pp. 455–466. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-93638-3_26CrossRefGoogle Scholar
  18. 18.
    Hoffstein, J., Howgrave-Graham, N., Pipher, J., Silverman, J.H., Whyte, W.: NTRUSign: digital signatures using the NTRU lattice. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 122–140. Springer, Heidelberg (2003).  https://doi.org/10.1007/3-540-36563-X_9CrossRefGoogle Scholar
  19. 19.
    Hu, Y., Wang, B., He, W.: NTRUSign with a new perturbation. IEEE Trans. Inf. Theor. 54(7), 3216–3221 (2008)MathSciNetCrossRefGoogle Scholar
  20. 20.
    Liaw, A., Wiener, M., et al.: Classification and regression by randomforest. R News 2(3), 18–22 (2002)Google Scholar
  21. 21.
    Lyubashevsky, V.: Fiat-Shamir with aborts: applications to lattice and factoring-based signatures. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 598–616. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-642-10366-7_35CrossRefGoogle Scholar
  22. 22.
    Micciancio, D., Voulgaris, P.: Faster exponential time algorithms for the shortest vector problem. In: SODA 2010, pp. 1468–1480 (2010)Google Scholar
  23. 23.
    Nguyen, P.Q., Regev, O.: Learning a parallelepiped: cryptanalysis of GGH and NTRU signatures. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 271–288. Springer, Heidelberg (2006).  https://doi.org/10.1007/11761679_17CrossRefGoogle Scholar
  24. 24.
    NIST: Submission requirements and evaluation criteria for the post-quantum cryptography standardization process, December 2016. https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/call-for-proposals-final-dec-2016.pdf
  25. 25.
    Peikert, C.: An efficient and parallel gaussian sampler for lattices. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 80–97. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-14623-7_5CrossRefGoogle Scholar
  26. 26.
    Plantard, T., Sipasseuth, A., Dumondelle, C., Susilo, W.: DRS : diagonal dominant reduction for lattice-based signature. Submitted to the NIST Post-Quantum Cryptography Project. https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions
  27. 27.
    Plantard, T., Susilo, W., Win, K.T.: A digital signature scheme based on CVP\(_\infty \). In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 288–307. Springer, Heidelberg (2008).  https://doi.org/10.1007/978-3-540-78440-1_17CrossRefGoogle Scholar
  28. 28.
    Schnorr, C.P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66(1–3), 181–199 (1994)MathSciNetCrossRefGoogle Scholar
  29. 29.
    Teruya, T., Kashiwabara, K., Hanaoka, G.: Fast lattice basis reduction suitable for massive parallelization and its application to the shortest vector problem. In: Abdalla, M., Dahab, R. (eds.) PKC 2018. LNCS, vol. 10769, pp. 437–460. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-76578-5_15CrossRefGoogle Scholar
  30. 30.
    Yu, Y., Ducas, L.: Second order statistical behavior of LLL and BKZ. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 3–22. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-72565-9_1CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  1. 1.Department of Computer Science and TechnologyTsinghua UniversityBeijingChina
  2. 2.Cryptology GroupCWIAmsterdamThe Netherlands

Personalised recommendations