Sealing the Leak on Classical NTRU Signatures

Carlos Aguilar Melchor, Xavier Boyen, Jean-Christophe Deneuville, and Philippe Gaborit

Abstract

Initial attempts to obtain lattice based signatures were closely related to reducing a vector modulo the fundamental parallelepiped of a secret basis (like GGH \cite{GGH97}, or \texttt{NTRUSign} \cite{HHPSW02}). This approach leaked some information on the secret, namely the shape of the parallelepiped, which has been exploited in practical attacks \cite{NR06}. \texttt{NTRUSign} was an extremely efficient scheme, and thus there has been a noticeable interest in developing countermeasures to the attacks, but with little success \cite{DN12}. In \cite{GPV08} Gentry, Peikert and Vaikuntanathan proposed a randomized version of Babai's nearest plane algorithm such that the distribution of a reduced vector modulo a secret parallelepiped only depended on the size of the basis used. Using this algorithm and generating large, close to uniform, public keys they managed to get provably secure GGH-like lattice-based signatures. Recently, Stehlé and Steinfeld obtained a provably secure scheme very close to \texttt{NTRUSign} \cite{SS13} (from a theoretical point of view). In this paper we present an alternative approach to seal the leak of \texttt{NTRUSign}. Instead of modifying the lattices and algorithms used, we do a classic leaky \texttt{NTRUSign} signature and hide it with Gaussian noise using techniques present in Lyubashevsky's signatures. Our main contributions are thus a set of strong \texttt{NTRUSign} parameters, obtained by taking into account the latest known attacks against the scheme, and a statistical way to hide the leaky \texttt{NTRU} signature so that this particular instantiation of a CVP-based signature scheme becomes zero-knowledge and secure against forgeries, based on the worst-case hardness of the $\mathcal{\tilde{O}}(N^{1.5})$-Shortest Independent Vector Problem over \texttt{NTRU} lattices. Finally, we give a set of concrete parameters to gauge the efficiency of the obtained signature scheme.
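Added toy illustration, not code from the paper: a constructed 2-D, continuous example of the two effects the abstract describes. Averaging raw "reduce modulo the secret parallelepiped" signatures exposes the Gram matrix of the secret basis (the Nguyen-Regev leak), whereas adding Gaussian noise with Lyubashevsky-style rejection sampling yields outputs whose distribution no longer depends on the basis. The basis, sigma and the tail parameter tau are made-up values, and the scheme's actual NTRU lattices, parameters and proof are not reproduced here.

```python
# Constructed 2-D demo: the parallelepiped leak vs. hiding it by rejection sampling.
import math
import random

# Constructed secret basis (rows are basis vectors). A GGH/NTRUSign-style signature is
# (target - closest lattice point), i.e. a point of this basis' fundamental parallelepiped.
SECRET_BASIS = [[4.0, 0.0], [3.0, 2.0]]


def leaky_signature(basis, rng):
    """Uniform point of the parallelepiped {sum u_i b_i : u_i in [-1/2, 1/2)}."""
    u = [rng.random() - 0.5 for _ in basis]
    return [sum(u[i] * basis[i][j] for i in range(len(basis))) for j in range(2)]


def gram_over_12(basis):
    """Expected second moment of leaky signatures: (sum_i b_i b_i^T) / 12.
    Averaging signatures therefore reveals the secret Gram matrix (the leak)."""
    return [[sum(b[i] * b[j] for b in basis) / 12.0 for j in range(2)] for i in range(2)]


def second_moment(samples):
    n = len(samples)
    return [[sum(v[i] * v[j] for v in samples) / n for j in range(2)] for i in range(2)]


def hide_signature(s, sigma, s_max, rng, tau=6.0):
    """Rejection sampling: draw z = s + e, e ~ N(0, sigma^2 I), accept with probability
    D_sigma(z) / (M * D_{sigma,s}(z)); accepted z then follow D_sigma whatever s was.
    M = exp(s_max^2/(2 sigma^2) + tau*s_max/sigma) bounds the ratio except with
    probability ~2^-30 for tau = 6. Returns None on rejection (the signer retries)."""
    z = [s[j] + rng.gauss(0.0, sigma) for j in range(2)]
    log_ratio = (sum(x * x for x in s) - 2.0 * sum(z[j] * s[j] for j in range(2))) / (2.0 * sigma ** 2)
    log_m = s_max ** 2 / (2.0 * sigma ** 2) + tau * s_max / sigma
    return z if rng.random() < min(1.0, math.exp(log_ratio - log_m)) else None


def experiment(n=20000, sigma=20.0, seed=1):
    """Return (second moment of leaky signatures, second moment of hidden signatures)."""
    rng = random.Random(seed)
    s_max = sum(math.hypot(*b) for b in SECRET_BASIS) / 2.0  # bound on ||s|| in the parallelepiped
    leaky, hidden = [], []
    for _ in range(n):
        s = leaky_signature(SECRET_BASIS, rng)
        leaky.append(s)
        z = hide_signature(s, sigma, s_max, rng)
        if z is not None:
            hidden.append(z)
    # leaky second moment ~ gram_over_12(SECRET_BASIS); hidden ~ sigma^2 * I, basis-independent
    return second_moment(leaky), second_moment(hidden)
```

Running `experiment()` shows the leaky moments converging to [[2.08, 0.5], [0.5, 0.33]] (the basis shows through) while the hidden moments converge to 400 times the identity, carrying no information about the basis.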

Publication info
Preprint. MINOR revision.
Keywords
Lattice-based Cryptography, Digital Signatures, NTRUSign, Provable Security, SIS
Contact author(s)
jean-christophe deneuville @ xlim fr
History
2014-07-21: revised
Short URL
https://ia.cr/2014/484

CC BY

BibTeX

@misc{cryptoeprint:2014/484,
author = {Carlos Aguilar Melchor and Xavier Boyen and Jean-Christophe Deneuville and Philippe Gaborit},
title = {Sealing the Leak on Classical NTRU Signatures},
howpublished = {Cryptology ePrint Archive, Paper 2014/484},
year = {2014},
note = {\url{https://eprint.iacr.org/2014/484}},
url = {https://eprint.iacr.org/2014/484}
}
