Cryptography and Communications, Volume 4, Issue 2, pp 131–144

Fault analysis of the NTRUSign digital signature scheme

  • Abdel Alim Kamal
  • Amr M. Youssef


We present a fault analysis of the NTRUSign digital signature scheme. In the fault model used here, the attacker is assumed to be able to fault a small number of coefficients in a specific polynomial during the signing process but cannot control the exact location of the injected transient faults. For NTRUSign with parameters \((N, q = p^l, \mathcal{B}, \text{standard}, \mathcal{N})\), when the attacker is able to skip the norm-bound signature checking step, our attack needs one fault, succeeds with probability \(\approx 1-\frac{1}{p}\) and requires \(O((qN)^t)\) steps when the number of faulted polynomial coefficients is upper bounded by t. The attack is also applicable to NTRUSign utilizing the transpose NTRU lattice, but it requires double the number of fault injections. Different countermeasures against the proposed attack are investigated.


Keywords: Side channel attacks · Lattice-based public key cryptosystems · Fault analysis and countermeasures · Digital signature schemes · NTRU





The authors would like to thank the anonymous reviewers for their valuable comments and suggestions that helped improve the quality of the paper. This work is supported in part by the Natural Sciences and Engineering Research Council of Canada.



Copyright information

© Springer Science + Business Media, LLC 2012

Authors and Affiliations

Concordia Institute for Information Systems Engineering, Concordia University, Montreal, Canada
