Learning Strikes Again: The Case of the DRS Signature Scheme
Journal of Cryptology (IF 3), Pub Date: 2020-11-25, DOI: 10.1007/s00145-020-09366-9
Léo Ducas , Yang Yu

Lattice signature schemes generally require particular care to prevent secret information from leaking through signature transcripts. For example, the Goldreich–Goldwasser–Halevi (GGH) signature scheme and the NTRUSign scheme were completely broken by the parallelepiped-learning attack of Nguyen and Regev (Eurocrypt 2006). Several heuristic countermeasures were also shown to be vulnerable to similar statistical attacks. At PKC 2008, Plantard, Susilo and Win proposed a new variant of GGH, informally arguing resistance to such attacks. Based on this variant, Plantard, Sipasseuth, Dumondelle and Susilo proposed a concrete signature scheme, called DRS, which is in round 1 of the NIST post-quantum cryptography project. In this work, we propose yet another statistical attack and demonstrate a weakness of the DRS scheme: one can recover some partial information about the secret key from sufficiently many signatures. One difficulty is that, due to the DRS reduction algorithm, the relation between the statistical leak and the secret seems more intricate. We work around this difficulty by training a statistical model, using a few features that we designed according to a simple heuristic analysis. While we only recover partial secret coefficients, this information is easily exploited by lattice attacks, significantly decreasing their complexity. Concretely, we claim that, provided 100,000 signatures are available, the secret key may be recovered using BKZ-138 for the first set of DRS parameters submitted to NIST. This puts the security level of this parameter set below 80 bits (maybe even 70 bits), compared to an original claim of 128 bits. Furthermore, we review the DRS v2 scheme that is proposed to resist the above statistical attack. For this countermeasure, while one may not recover partial secret coefficients exactly by learning, it seems feasible to gain some information on the secret key. Exploiting this information, we can still effectively reduce the cost of lattice attacks.


Updated: 2020-11-27