2014 | Original Paper | Book chapter
Sealing the Leak on Classical NTRU Signatures
Authors: Carlos Aguilar Melchor, Xavier Boyen, Jean-Christophe Deneuville, Philippe Gaborit
Published in: Post-Quantum Cryptography
Publisher: Springer International Publishing
Initial attempts to obtain lattice-based signatures were closely related to reducing a vector modulo the fundamental parallelepiped of a secret basis (like GGH [9] or NTRUSign [12]). This approach leaked some information on the secret, namely the shape of the parallelepiped, which has been exploited in practical attacks [24]. NTRUSign was an extremely efficient scheme, and thus there has been noticeable interest in developing countermeasures to the attacks, but with little success [6]. In [8] Gentry, Peikert and Vaikuntanathan proposed a randomized version of Babai's nearest plane algorithm such that the distribution of a vector reduced modulo a secret parallelepiped depends only on the size of the basis used. Using this algorithm and generating large, close to uniform, public keys they managed to get provably secure GGH-like lattice-based signatures. Recently, Stehlé and Steinfeld obtained a provably secure scheme very close to NTRUSign [26] (from a theoretical point of view).

In this paper we present an alternative approach to seal the leak of NTRUSign. Instead of modifying the lattices and algorithms used, we compute a classic leaky NTRUSign signature and hide it with Gaussian noise using techniques present in Lyubashevsky's signatures. Our main contributions are thus a set of strong NTRUSign parameters, obtained by taking into account the latest known attacks against the scheme, and a statistical way to hide the leaky NTRU signature so that this particular instantiation of a CVP-based signature scheme becomes zero-knowledge and secure against forgeries, based on the worst-case hardness of the $\mathcal{\tilde{O}}(N^{1.5})$-Shortest Independent Vector Problem over NTRU lattices. Finally, we give a set of concrete parameters to gauge the efficiency of the obtained signature scheme.
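The two ideas in the abstract, the parallelepiped leak of a round-off signature and the Gaussian hiding step, can be seen in a two-dimensional toy model. The following is an added illustration, not code from the paper or from any NTRUSign implementation: it uses a constructed 2-D secret basis instead of an NTRU lattice, models hashed messages as targets uniform in a large box, replaces the discrete Gaussians of the real schemes with continuous ones, and takes the rejection constant M from Lyubashevsky's choice for sigma = 12 times the longest residual. For residuals uniform in the parallelepiped P(B), the second moment E[s s^T] equals B B^T / 12, so an observer of many signatures learns the Gram matrix of the secret basis; after rejection sampling the output second moment is sigma^2 I, which carries no basis information.

```python
"""
Toy 2-D illustration of (1) the parallelepiped leak of Babai round-off
signatures and (2) hiding the residual with Gaussian noise plus
Lyubashevsky-style rejection sampling. Constructed example: made-up basis,
continuous Gaussians, no NTRU structure.
"""
import math
import random

# Constructed secret basis, stored as column vectors b1 = (5, 2), b2 = (1, 7).
SECRET_B = [[5.0, 1.0],
            [2.0, 7.0]]


def matvec(M, v):
    return [M[0][0] * v[0] + M[0][1] * v[1], M[1][0] * v[0] + M[1][1] * v[1]]


def inv2(M):
    det = M[0][0] * M[1][1] - M[0][1] * M[1][0]
    return [[M[1][1] / det, -M[0][1] / det], [-M[1][0] / det, M[0][0] / det]]


def dot(a, b):
    return a[0] * b[0] + a[1] * b[1]


def babai_round_off(B, t):
    """Return the lattice point v = B*round(B^-1 t) and the residual s = t - v.
    s always lies in the fundamental parallelepiped P(B); for a target uniform
    modulo the lattice, s is uniform in P(B) - that is the leak."""
    coords = matvec(inv2(B), t)
    v = matvec(B, [math.floor(c + 0.5) for c in coords])
    return v, [t[0] - v[0], t[1] - v[1]]


def second_moment(samples):
    n = len(samples)
    return [[sum(x[i] * x[j] for x in samples) / n for j in range(2)] for i in range(2)]


def gram_over_12(B):
    """E[s s^T] for s uniform in P(B) is B B^T / 12: the Gram matrix of the
    secret basis, estimable from a batch of leaky signatures."""
    BBt = [[dot(B[i], B[j]) for j in range(2)] for i in range(2)]
    return [[BBt[i][j] / 12.0 for j in range(2)] for i in range(2)]


def hide(s, sigma, M, rng):
    """Rejection sampling: z = s + y with y ~ N(0, sigma^2 I), accepted with
    probability rho_sigma(z) / (M * rho_{sigma,s}(z)). The accepted z follows
    the centred Gaussian, independent of s and hence of the basis."""
    while True:
        y = [rng.gauss(0.0, sigma), rng.gauss(0.0, sigma)]
        z = [s[0] + y[0], s[1] + y[1]]
        # rho_sigma(z) / rho_{sigma,s}(z) = exp((|s|^2 - 2<z,s>) / (2 sigma^2))
        ratio = math.exp((dot(s, s) - 2.0 * dot(z, s)) / (2.0 * sigma * sigma))
        if rng.random() < min(1.0, ratio / M):
            return z


def experiment(B, n=20000, seed=1):
    """Sign n constructed targets, return the leaky and the hidden second moments."""
    rng = random.Random(seed)
    # Hashed messages modelled as targets uniform in a box far larger than P(B).
    targets = [[rng.uniform(-1000, 1000), rng.uniform(-1000, 1000)] for _ in range(n)]
    residuals = [babai_round_off(B, t)[1] for t in targets]
    # sigma = tau * (longest residual seen); M is Lyubashevsky's constant for tau.
    s_max = max(math.sqrt(dot(s, s)) for s in residuals)
    tau = 12.0
    sigma = tau * s_max
    M = math.exp(12.0 / tau + 1.0 / (2.0 * tau * tau))
    hidden = [hide(s, sigma, M, rng) for s in residuals]
    return {"leaky": second_moment(residuals),
            "expected_leak": gram_over_12(B),
            "hidden": second_moment(hidden),
            "sigma": sigma}


if __name__ == "__main__":
    r = experiment(SECRET_B)
    print("leaky E[ss^T]   :", r["leaky"])
    print("B B^T / 12      :", r["expected_leak"])
    print("hidden E[zz^T]  :", r["hidden"], "(expect sigma^2 I, sigma^2 =", r["sigma"] ** 2, ")")
```

Without the acceptance test, simply outputting z = s + y would give E[z z^T] = sigma^2 I + B B^T / 12: the leak is attenuated by the noise but still present, which is why the construction needs the rejection step to make the output distribution exactly independent of the secret rather than merely noisy.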