Advances in Cryptology — ASIACRYPT 2001

Volume 2248 of the series Lecture Notes in Computer Science pp 1-20


Cryptanalysis of the NTRU Signature Scheme (NSS) from Eurocrypt 2001

  • Craig Gentry, DoCoMo Communications Laboratories USA, Inc.
  • Jakob Jonsson, RSA Laboratories
  • Jacques Stern, Dépt d’Informatique, Ecole normale Supérieure
  • Michael Szydlo, RSA Laboratories


In 1996, a new cryptosystem called NTRU was introduced, related to the hardness of finding short vectors in specific lattices. At Eurocrypt 2001, the NTRU Signature Scheme (NSS), a signature scheme apparently related to the same hard problem, was proposed. In this paper, we show that the problem on which NSS relies is much easier than anticipated, and we describe an attack that allows efficient forgery of a signature on any message. Additionally, we demonstrate that a transcript of signatures leaks information about the secret key: using a correlation attack, it is possible to recover the key from a few tens of thousands of signatures. The attacks apply to the recently proposed parameter sets NSS251-3-SHA1-1, NSS347-3-SHA1-1, and NSS503-3-SHA1-1 in [2]. Following the attacks, NTRU researchers have investigated enhanced encoding/verification methods in [11].


Keywords: NSS, NTRU, Signature Scheme, Forgery, Transcript Analysis, Lattice, Cryptanalysis, Key Recovery, Cyclotomic Integer