
Chosen Message Attack Against Goldreich-Goldwasser-Halevi's Lattice Based Signature Scheme

Chosen Plaintext Attack on the Goldreich-Goldwasser-Halevi Digital Signature (Korean title)


Abstract

The Goldreich-Goldwasser-Halevi (GGH) signature scheme from Crypto '97, which is based on the well-known lattice problem, is cryptanalyzed. We mount a chosen message attack on the signature scheme and show that the signature scheme is vulnerable to the attack. We collect n lattice points that are linearly independent of each other and construct a new basis that generates a sub-lattice of the original lattice. The sub-lattice is shown to be sufficient to generate a valid signature. Empirical results are presented to show the effectiveness of the attack. Finally, we show that the cube-like parameter used for the private-key generation is harmful to the security of the scheme.

In this paper, we cryptanalyze the Goldreich-Goldwasser-Halevi (GGH) digital signature, presented at Crypto '97 and based on the well-known lattice problem. We mount a chosen plaintext attack on GGH's signature method and show that it is vulnerable to the proposed attack. In the cryptanalysis, we collect n linearly independent lattice points and construct a new basis that generates a sub-lattice of the original lattice. We show that this sub-lattice can be used to generate a valid signature. We show the effectiveness of this attack by experiment, and finally we show that the cube-like parameter used to generate the private key has a bad effect on security.

Keywords

Ⅰ. Introduction

Recent research has found that the Closest Vector Problem (CVP) and the Shortest Vector Problem (SVP) may be useful in public-key cryptography. The CVP was shown by van Emde Boas to be NP-hard in 1981 [7]. In 1996, Ajtai introduced a function that is provably one-way if approximating the shortest non-zero vector (SVP) in a lattice is hard in the worst case, and invented a public-key cryptosystem using the lattice problem [1, 2].

Motivated by Ajtai's work, Goldreich, Goldwasser, and Halevi proposed a public-key cryptosystem using lattice reduction problems [4]. Their cryptosystem shed light on the possibility of new cryptosystems based neither on the factorization nor on the discrete logarithm problem. Even better, their cryptosystem is superior to existing schemes in that it encrypts a message and writes a signature in O(n^2) operations, while RSA encrypts a message in O(n^3) operations for security parameter n, at the expense of key sizes. The speed gain obtained with long key sizes looks quite attractive for upcoming high-speed network environments such as ATM (Asynchronous Transfer Mode). Also, it has the novel property that it can process an analogue signal. In [6], their encryption scheme was attacked, and P. Nguyen showed that it would be dangerous to use a dimension less than 400 even if the flaw is fixed, which limits our interest in the encryption scheme. P. Nguyen's attack depends on two weaknesses: one is that the error vectors are always much shorter than the vectors in the lattice, and the other is the regular form of the error vectors. These two weaknesses do not appear in GGH's signature scheme. Thus, their signature scheme still works well. As far as we know, there has not been any published challenge to GGH's signature scheme.

In this paper, we cryptanalyze GGH's public-key signature scheme, whose security depends on the approximability of a close lattice point within a bound. A key observation of the cryptanalysis is that for a message which consists of small elements, a signing oracle returns as a signature a lattice point whose Euclidean length is short. Properly collected n lattice points obtained from a signing oracle may be used as a new basis for the lattice. Unfortunately, randomly collected n lattice points do not make the same lattice as that generated from the public or private basis, but they are likely to generate a sparser lattice than the original one. The second observation is that we do not have to use the same lattice as the one generated from the public or private key to write a valid signature. That is, we can make use of the sub-lattice as a private key. In particular, we show that in the case of a private basis with a non-zero cube-like parameter, the original private basis can be completely restored. (The cube-like parameter represents how cube-like a private basis is. A private basis is generated as R = k·I + rand(±l), where k is the cube-like parameter.)

The set of real numbers and the set of integers are denoted by R and Z, respectively, in this paper. We denote real numbers by small Greek letters and integers by lowercase letters such as i, j, k, .... Column vectors are denoted by bold-face lowercase letters (e.g. b, c, e, etc.), and matrices are denoted by capital letters (e.g. B, H, R, etc.), all of which are n×n matrices.

Ⅱ. Brief Survey of GGH's Public-key Cryptosystem

GGH's cryptosystem encrypts a message by encoding it into u ∈ L and adding a small noise to u, where L is a carefully selected lattice. Decryption is the process of eliminating the added noise from the lattice point and decoding the result. Before we summarize GGH's cryptosystem, let us define the lattice.

Definition 1. Lattice. Given a set of n linearly independent column vectors in R^n, B = {b_1, ..., b_n}, we define the lattice spanned by the basis B as the set of all linear combinations of the b_i's with integral coefficients, namely

#

One of the important facts about lattices is that all the bases of a given lattice have the same determinant.

Definition 2. Orthogonality Defect. Let B be a non-singular n×n matrix. Then the orthogonality defect of B is defined as

#

where ‖b_i‖ is the Euclidean norm of the i'th column in B.

Definition 3. Dual Orthogonality Defect. Let B be a non-singular n×n matrix. Then the dual orthogonality defect of B is defined as

#

where ‖b_i‖ here denotes the Euclidean norm of the i'th row in B^{-1}.

The dual orthogonality defect plays a crucial role in the security of GGH's cryptosystem.

GGH's cryptosystem uses two bases B and R of the same full-rank lattice in Z^n, and a positive real number σ. Here, B has a high dual orthogonality defect, whereas R has a low dual orthogonality defect. (B, σ) is the public key, and R plays the role of the private key in their setting. Refer to [4] for how (B, σ) and R are generated.

The ciphertext corresponding to an encoded plaintext v is obtained by computing c = Bv + e, where e is a randomly chosen vector from R^n each of whose entries has zero mean and variance σ². Deciphering is performed by evaluating T⌊R^{-1}c⌉, where T = B^{-1}R is a unimodular matrix.

They also provided a public-key digital signature scheme. Their scheme signs a vector u in R^n by finding a lattice point v that is sufficiently close to the vector. The lattice point is represented as a linear combination of the columns of B, and the verifier verifies the signature by comparing τ with the distance between the message vector and the vector v.

To sign a message s, we encode the message into u ∈ R^n by an encoding function Enc(s) = u. Now, a lattice point near u is easily found by computing v = T⌊R^{-1}u⌉, where T = B^{-1}R and R is the private key. A signature is verified by computing the Euclidean distance ‖Bv − u‖ and comparing it with τ. If the distance is shorter than τ, the signature is regarded as valid; otherwise it is not. τ must be carefully determined, since it greatly affects both the security of the signature scheme and the verification error probability.

Ⅲ. Cryptanalysis of GGH's Signature Scheme

3.1 Idea: Sub-lattice Attack

We begin with the simple fact that GGH's signing oracle returns a sufficiently close lattice vector for a given random vector u ∈ R^n. For a vector u ∈ R^n whose elements range from −k to k, the signing oracle gives a signature, that is, a lattice point whose Euclidean distance from u is smaller than the public value τ. In this setting, we mount the chosen message attack against the signature scheme by providing many short messages and collecting the results. The collected signatures can be used to construct a new private basis, even though they are likely to generate a different lattice from the one generated by the original public key or private key. More exactly, they have a large probability of making a sub-lattice of the original lattice. Even though the newly constructed basis spans only a subset of the original lattice, we can still utilize it as a private key. Using the new basis, we can write a valid signature for an arbitrary message. Define the "error vector"

#

and Round_H(u) = H⌊H^{-1}u⌉, where H is an n×n basis of a lattice. Then the distance between u and Round_H(u) is ‖He‖, the Euclidean norm of the vector He. Clearly, the i'th entry e_i of e is at most 1/2 in absolute value for all i, because of the rounding-off. Thus, we would prefer a sub-lattice whose elements are small enough to make ‖He‖ smaller than τ. The effort to find another basis H can be made by gathering many short signatures. Intuitively, submitting a short random vector u to a signing oracle gives us a short lattice point.

Now, the remaining problem is how short the vector must be. Given a message u, a signing oracle returns v = T⌊R^{-1}u⌉, and the cryptanalyst can collect many signatures Bv = R⌊R^{-1}u⌉. Note that if u is carefully selected, the vector d = ⌊R^{-1}u⌉ will consist of almost all 0's except one or a few ±1's. Then the signature of u is either exactly one of the columns of R or a sum of a few columns of R, the private basis. From now on, a sum of several vectors r_i means

#

where a fraction ε/n of the c_i's are ±1, for a small constant ε.

With n signatures collected in this way, we can construct a new basis, though the basis is likely to generate a sub-lattice of L(R) rather than L(R) itself.

To make d = ⌊R^{-1}u⌉ have almost all 0's and only a few ±1's, we must constrain the range of the elements of u. We use the Hoeffding bound. Let us denote the i'th entries of d and u by d_i and u_i, respectively. Also, we denote the (i, j)'th element of R^{-1} by ρ_ij, and the maximum L_∞ norm of the rows of R^{-1} by γ/√n, where γ will be roughly estimated from any randomly generated basis with the maximum entry size of R and its cube-like parameter.

#(1)

#(2)

where β is set to a very small value such as 10^{-10}.

If we limit k so that it satisfies equations (1) and (2), d will be composed of almost all 0's and ε ±1's, and entries whose absolute values are greater than 1 will occur with probability β. By giving a random vector whose elements range from −k to k to a signing oracle, we can extract either exactly one of the columns of R or a sum of several columns of R.

To get a numerical sense, consider the parameters n = 140, ε = 5, β = 10^{-10}, γ = 1/30. Evaluating equations (1) and (2) yields |k| < 6 and |k| < 7, respectively. However, the effective value of |k| in the experiment is twice as large as those values.

Let H be the newly constructed basis. To write a signature, we need another matrix, namely T = B^{-1}R, the unimodular matrix. In our case, we construct T' = B^{-1}H instead. Our T' is not a unimodular matrix, but it is composed of only integer elements. This is because L(H) is a sub-lattice of L(B) (sometimes L(B) itself), and H's determinant (equally, the volume of the parallelepiped of L(H)) is an integer multiple of B's determinant (the volume of the parallelepiped of L(B)). Now we can write a signature for any message with the newly generated private key. For a message m, the distance between m and the signature T'⌊H^{-1}m⌉ is expressed in the following equation.

#

To make ‖He‖ much smaller, we can apply a lattice reduction algorithm like LLL reduction to H [5].

It is now time to estimate the distance between the message and the signature written with (H, T').

Let us denote the L_∞ norm of the i'th row in R and that in H by γ_R and γ_H, respectively. Every column of our newly constructed basis H is constructed from a vector d = ⌊R^{-1}u⌉ that has at most ε ±1's and at least one ±1. For the worst-case analysis, we assume that d consists of exactly ε ±1's. Under the assumption of a uniform distribution of the ±1's in d, we obtain

#

Thus,

#(3)

As seen in equation (3), a signature generated with (H, T') is ε times farther from the message than a signature generated with (R, T). Equation (3), however, is the worst-case estimate of the distance between a message and its corresponding signature. As stated previously, d has at most ε ±1's. Furthermore, many of them contain only one ±1. Thus, the distance in the experiment is much shorter than the above estimate.
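The following Python toy is an added example, not the paper's code: it implements the signing and verification of Section II (Babai round-off with T = B^{-1}R) and then the observation of this section, namely that short chosen messages make ⌊R^{-1}u⌉ sparse, so the oracle's answers are columns or short sums of columns of R, and n independent ones give a basis H with T' = B^{-1}H integral that still signs within the round-off bound. Dimension n = 4, l = 4, the message range ±10, the fixed seed and the use of (1/2)·Σ‖h_i‖ as the public τ are assumptions made here.

```python
# Added toy example (not the paper's code). n, l, kmax, the seed and tau are assumptions.
from fractions import Fraction as F
import math, random

def rref(A):                          # row reduction over the rationals: (reduced rows, rank)
    A = [[F(x) for x in row] for row in A]
    r = 0
    for c in range(len(A[0]) if A else 0):
        p = next((i for i in range(r, len(A)) if A[i][c] != 0), None)
        if p is None:
            continue
        A[r], A[p] = A[p], A[r]
        A[r] = [x / A[r][c] for x in A[r]]
        for i in range(len(A)):
            if i != r and A[i][c] != 0:
                A[i] = [x - A[i][c] * y for x, y in zip(A[i], A[r])]
        r += 1
    return A, r

def inverse(M):                       # exact inverse; M must be non-singular (callers check rank)
    n = len(M)
    A, _ = rref([list(M[i]) + [int(i == j) for j in range(n)] for i in range(n)])
    return [row[n:] for row in A]

def rank(vectors): return rref(vectors)[1]
def matvec(M, v): return [sum(a * b for a, b in zip(row, v)) for row in M]
def matmul(A, B): return [matvec(list(zip(*B)), row) for row in A]

def keygen(n, l, rng):                # Section II: R = k*I + rand(+-l), k = l*ceil(1+sqrt(n)); B = R*U_1*...*U_2n
    k = l * math.ceil(1 + math.sqrt(n))
    R = [[k * (i == j) + rng.randint(-l, l) for j in range(n)] for i in range(n)]
    assert rank(R) == n, "singular R: retry with another seed"
    B = R
    for _ in range(2 * n):            # mixing step: unit diagonal, one column from {-1,0,1}, Pr[+-1] = 1/7
        j = rng.randrange(n)
        U = [[rng.choice([-1, 0, 0, 0, 0, 0, 1]) if c == j and i != j else int(i == c)
              for c in range(n)] for i in range(n)]
        B = matmul(B, U)              # det U = 1, so L(B) = L(R) exactly
    return R, B

def sign(priv, pub, u):               # d = floor(priv^-1 u + 1/2) (Babai round-off); v = T d, T = pub^-1 priv
    d = [math.floor(t + F(1, 2)) for t in matvec(inverse(priv), u)]
    v = matvec(matmul(inverse(pub), priv), d)
    assert all(x.denominator == 1 for x in v), "L(priv) is not a sub-lattice of L(pub)"
    return [int(x) for x in v]        # pub*v == priv*d is the lattice point near u

def distance(pub, v, u): return math.sqrt(sum((x - y) ** 2 for x, y in zip(matvec(pub, v), u)))
def tau_bound(basis):                 # worst case of round-off, (1/2)*sum of column norms; used as tau
    return 0.5 * sum(math.sqrt(sum(c * c for c in col)) for col in zip(*basis))

def sublattice_basis(R, B, n, kmax, rng):
    # Section 3.1: for short u the oracle returns single columns (or short sums of columns) of R
    pool = []
    while rank(pool) < n:             # chosen-message queries until the answers span R^n
        v = sign(R, B, [rng.randint(-kmax, kmax) for _ in range(n)])
        if any(v):
            pool.append(matvec(B, v))
    H = []
    for c in sorted(pool, key=lambda c: sum(x * x for x in c)):   # shortest first
        if len(H) < n and rank(H + [c]) > len(H):
            H.append(c)
    return [list(col) for col in zip(*H)]   # columns -> n x n matrix; L(H) is a sub-lattice of L(B)

def demo(n=4, l=4, kmax=10, seed=1):
    rng = random.Random(seed)
    R, B = keygen(n, l, rng)
    H = sublattice_basis(R, B, n, kmax, rng)
    m = [rng.randint(-200, 200) for _ in range(n)]   # message range of the paper's experiments
    return {"dist_R": distance(B, sign(R, B, m), m), "tau_R": tau_bound(R),
            "dist_H": distance(B, sign(H, B, m), m), "tau_H": tau_bound(H)}
```

The assertion inside sign is the integrality of T' that the text relies on: it holds for H because every column of H is Bv for an integer v, and it would fail for a basis that is not a sub-lattice of L(B).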

3.2. Description of the Procedure

We describe the cryptanalysis procedure for GGH's signature scheme that finds H, a basis for a sub-lattice of L(R), and T'. Fig. 1 describes an algorithm to find a new private key.

Fig. 1 Algorithm 1 to find out an equivalent private key

The parameter q determines when the algorithm stops. The more columns are substituted, the lower the probability that H remains full rank. Because we replaced longer columns first, a few remaining columns will not degrade the quality of H.

Writing a signature with (H, T') for an encoded message m is the same as with (R, T). For a message m to be signed, the signer generates the signature v = T'⌊H^{-1}m⌉. The signature is verified by comparing τ with ‖m − Bv‖ (= ‖He‖).

Instead of using Babai's round-off algorithm to get the lattice point near the message, we can use his nearest plane algorithm to further decrease the distance between the signature generated by H and the message [3].

Now, we estimate the algorithm's running time.

First, we approximate the number of repetitions of the main loop. We must consider the probability that the basis remains full rank after substituting Bv for one of its columns, b_c. Assume the matrix U' is obtained by replacing one of the columns of U with the zero column vector. If we transform U' into echelon form, every i'th column has a non-zero i'th entry except one column, which is a zero column vector.

Thus, when we replace the zero column with a new vector d = ⌊R^{-1}u⌉ that has only 0's and ε ±1's, d will make U full rank with high probability if the i'th element of d is not zero. Thus, if we assume that the ε ±1's are uniformly distributed in d, the probability that one of the ±1's hits the i'th position is ε/n.

Within loop 4, the most time-consuming part is the operation that checks whether the resultant matrix is full rank or not, and it takes O(n^3).

Finally, we get the average running time of our algorithm.

#(4)

3.3. Empirical Results

In this section, we show the empirical results of our attack. To get the empirical results, we used the LiDIA package [8]. In the experiments, we let l = 4 be the entry size of R and the cube-like parameter be l·⌈1+√n⌉. To generate the public basis from R, we performed 2n mixing steps, where each step is performed by a unimodular matrix all of whose diagonal elements are 1 and one of whose columns is composed of {−1, 0, 1}. The column has a bias toward 0 and Pr[1] = Pr[−1] = 1/7.

These parameter settings are the same as those of [4]. The messages are uniformly distributed in the range [−200, 200].

Figs. 2-5 show τ (for ε = 2 to 30) and the distances between 100 messages and the corresponding signatures with H and R for dimensions 80, 100, 120 and 140. For dimensions 80 and 100 with k = 10, the algorithm found the same basis as R. With k = 15, the distances between the signatures with H and the messages are short enough for the signatures to be regarded as valid, though they are rather longer than those with R. With k = 10 or k = 12, signatures with H cannot be discriminated from signatures with R.

Fig. 2 Quality of signatures generated with H, Dimension = 80

Fig. 3 Quality of signatures generated with H, Dimension = 100

Fig. 4 Quality of signatures generated with H, Dimension= 120

Fig. 5 Quality of signatures generated with H. Dimension= 140

Table 1 summarizes various metrics regarding the quality of signatures generated with H. In the table, AD(B) is the average distance between the messages and the signatures generated by the basis B, and Det(B) is the determinant of B. rc and pc are the number of replaced columns in each trial and the number of messages consumed, respectively. We did not count messages that yield zero signatures. B/R means the orthogonality defect ratio between B and R, and H/R that between H and R, where both B and R are LLL-reduced.

Table 1. Summary of the Experiments

From these empirical results, we can conclude that the new basis obtained in the way of section 3 has enough quality to generate a signature that is sufficiently close to the submitted message.

Fig. 6 Cardinalities of M(H, k) for varying parameters

Finally, Fig. 6 shows that the cardinality of

#

has a light-tailed distribution. The light-tailed distribution means that almost every column of H is a column of R and only a few columns are sums of several columns of R. This property of M(H, k) has a positive effect not only on the quality of the signatures with H, but also on the restoration of the private basis in the attack on the signature scheme, which is described in the following section.

3.4 Complete Restoration of the Private Basis

In this section, we show that with a rectangular private basis, the signature scheme may reveal its private basis. Regardless of the cube-like parameter, we can attack the signature scheme by the sublattice, and we showed by experiment that it generates the basis with enough quality.

However, as pointed out in [4], a non-zero cube-like parameter is preferable to a zero cube-like parameter, because it much increases the dual orthogonality defect ratio of the public basis and the private basis. In this section, we show that we can completely restore the original private basis R if the signature system uses a non-zero cube-like parameter.

We can obtain the exact R from the approximated H by solving simultaneous equations. To establish the simultaneous equations, we take advantage of the fact that the cube-like parameter is ⌈1+√n⌉ times larger than l. The key observation is that the signature for u is a sum of several columns of R, and we can observe in Bv several peaks resulting from the biased diagonal of R.

As shown in section 3.1, the vector ⌊R^{-1}u⌉ has only a few ±1's and the other, large portion is filled with 0's. Also, note that the i'th element of the i'th column of R is biased by the cube-like parameter, while the others are not. Thus, by counting the peak elements of Bv, we can guess how many columns are combined to construct the signature Bv, and by observing the positions of the peaks, we can guess which columns of R are involved in making the signature. By collecting n linearly independent such Bv's, we can establish the following simultaneous equations and recover R by solving them.

#(5)

where X is an n×n matrix whose columns are made up of {0, ±1} and constructed from linearly independent Bv's by Algorithms 2 and 3.

In this scenario, however, we must not disregard that the number of combined columns of R making up Bv does matter in the attack. If the number of combined columns exceeds a certain threshold, that is, many columns are linearly combined, we cannot discriminate the peak points in the vector Bv because every element in Bv gets equally large.

The following is the worst-case approximation for the number of columns to be combined, x. In the worst case, the biased point is decreased by x·l, while the others are increased by x·l, where l is the maximum entry size of R. Thus, to keep the peak points greater than the others, the following must be satisfied.

#

Rewriting the above equation for x, we get

#(6)

For dimension 100, x = 5; for 120, x = 6; and for 200, x = 8, etc. Equation (6) is the worst-case approximation for x. Since all elements of R except the diagonal are uniformly distributed in [−l, l], each element of the vector made by summing x columns of R is likely to be around 0 except at the peak points. So, we can set x much larger than the value approximated in equation (6).

Because the permitted x is proportional to ε in equation (4), we can attack faster with a larger x.

Let us describe how to find the peak points. It consists of two phases. One is finding how many columns of R are combined to form Bv, and the other is searching for the positions where the peaks are located. The procedures are as follows.

First, we describe how the number of combined columns can be found. By equation (6), with the cube-like parameter l·⌈1+√n⌉, we assume that the number of combined columns is at most x.

Now, the following procedure outputs positions and polarities of the peaks.

From n linearly independent Bv's, we can get n linearly independent x's (equally, ⌊R^{-1}u⌉'s) and make the matrix X in equation (5). Since X is full rank, its inverse exists and we can easily find the exact R from equation (5).

Fig. 7 Algorithm 2 to find out columns

Fig. 8 Algorithm 3 to find out x

Fig. 6 shows that M(H, k) has a light-tailed distribution, which ensures that our attack succeeds in restoring the private basis. Consequently, the cube-like parameter is not desirable for the security of GGH's signature scheme.

Ⅳ. Conclusion

In this paper, we presented an effective attack against GGH's signature scheme. The chosen message attack against the signature scheme uses the fact that a signing oracle returns a short lattice point for a short message vector, and gathering those lattice points can construct a good basis to write a valid signature. In particular, the cube-like parameter is shown to be harmful to the security of the cryptosystem.

We believe that the running time can be reduced by starting from the null basis and filling its columns one by one with a short lattice point while checking whether the lattice point increases the rank of the basis. Also, the attack has inherently very high parallelism, and its running time can easily be improved by distributed computing.

References

  1. M. Ajtai, Generating hard instances of lattice problems, In Proceedings of 28th STOC, Philadelphia, 1996, pp. 99-108
  2. M. Ajtai and C. Dwork, A public-key cryptosystem with worst-case/average-case equivalence, In Proceedings of 29th STOC, Texas, 1997, pp. 284-293
  3. L. Babai, On Lovasz' lattice reduction and the nearest lattice point problem, Combinatorica, Vol. 6, No. 1, 1986, pp. 1-13
  4. O. Goldreich, S. Goldwasser, and S. Halevi, Public-key cryptosystems from lattice reduction problems, In Proceedings of CRYPTO'97, Santa Barbara, CA, 1997, pp. 112-131
  5. A. K. Lenstra, H. W. Lenstra, and L. Lovasz, Factoring polynomials with rational coefficients, Mathematische Annalen 261, 1982, pp. 515-534
  6. P. Nguyen, Cryptanalysis of the Goldreich-Goldwasser-Halevi Cryptosystem from Crypto '97, In Proceedings of CRYPTO'99, Santa Barbara, CA, 1999, pp. 112-131
  7. P. van Emde Boas, Another NP-complete problem and the complexity of computing short vectors in a lattice, Report 81-04, Mathematisch Instituut, University of Amsterdam, 1981
  8. LiDIA, A C++ Library for Computational Number Theory, available from http://www.informatik.th-darmstadt.de/TI/LiDIA/Welcome.html