Hypercubic Lattice Reduction and Analysis of GGH and NTRU Signatures

In this paper, we introduce a new lattice reduction technique applicable to the narrow, but important class of Hypercubic lattices, (L = Z ). Hypercubic lattices arise during transcript analysis of certain GGH, and NTRUSign signature schemes. After a few thousand signatures, key recovery amounts to discovering a hidden unitary matrix U , from its Gram matrix G = UU . This case of the Gram Matrix Factorization Problem is equivalent to finding the shortest vectors in the hypercubic lattice, LG, defined by the quadratic form G. Our main result is a polynomial-time reduction to a conjecturally easier problem: the Lattice Distinguishing Problem. Additionally, we propose a heuristic solution to this distinguishing problem with a distributed computation of many “relatively short” vectors.