NTRUSign: Digital Signatures Using the NTRU Lattice

  • Jeffrey Hoffstein
  • Nick Howgrave-Graham
  • Jill Pipher
  • Joseph H. Silverman
  • William Whyte
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2612)


In this paper we introduce NTRUSign, a new family of signature schemes based on solving the approximate closest vector problem (appr-CVP) in NTRU-type lattices. We explore the properties of general appr-CVP based signature schemes (e.g. GGH) and show that they are not immune to transcript attacks even in the random oracle model. We then introduce the idea of using carefully chosen perturbations to limit the information that is obtainable from an analysis of a large signature transcript. In the case of NTRUSign this can be achieved while maintaining attractive efficiency properties.


Keywords (added by machine and not by the authors): Hash Function, Signature Scheme, Lattice Reduction, Average Norm, Random Oracle Model





Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Jeffrey Hoffstein (1)
  • Nick Howgrave-Graham (1)
  • Jill Pipher (1)
  • Joseph H. Silverman (1)
  • William Whyte

  1. NTRU Cryptosystems, Burlington
