Cryptanalysis of the NTRU Signature Scheme (NSS) from Eurocrypt 2001

  • Craig Gentry
  • Jakob Jonsson
  • Jacques Stern
  • Michael Szydlo
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2248)

Abstract

In 1996, a new cryptosystem called NTRU was introduced, related to the hardness of finding short vectors in specific lattices. At Eurocrypt 2001, the NTRU Signature Scheme (NSS), a signature scheme apparently related to the same hard problem, was proposed. In this paper, we show that the problem on which NSS relies is much easier than anticipated, and we describe an attack that allows efficient forgery of a signature on any message. Additionally, we demonstrate that a transcript of signatures leaks information about the secret key: using a correlation attack, it is possible to recover the key from a few tens of thousands of signatures. The attacks apply to the recently proposed parameter sets NSS251-3-SHA1-1, NSS347-3-SHA1-1, and NSS503-3-SHA1-1 in [2]. Following the attacks, NTRU researchers have investigated enhanced encoding/verification methods in [11].

Keywords

NSS; NTRU; Signature Scheme; Forgery; Transcript Analysis; Lattice; Cryptanalysis; Key Recovery; Cyclotomic Integer

References

  1. H. Cohen. A Course in Computational Algebraic Number Theory. Graduate Texts in Mathematics, 138. Springer, 1993.
  4. D. Coppersmith and A. Shamir. Lattice Attacks on NTRU. In Proc. of Eurocrypt ’97, LNCS 1233, pages 52–61. Springer-Verlag, 1997.
  5. G. H. Hardy, E. M. Wright. An Introduction to the Theory of Numbers, 5th edition. Oxford University Press, 1979.
  6. J. Hoffstein, J. Pipher and J.H. Silverman. NTRU: A New High Speed Public Key Cryptosystem. In Proc. of Algorithm Number Theory (ANTS III), LNCS 1423, pages 267–288. Springer-Verlag, 1998.
  7. J. Hoffstein, J.H. Silverman. NSS: The NTRU Signature Scheme. Preliminary version, August 2000.
  8. J. Hoffstein, J. Pipher, J.H. Silverman. NSS: The NTRU Signature Scheme. Preprint, November 2000. Available from http://www.ntru.com.
  9. J. Hoffstein, J. Pipher, J.H. Silverman. NSS: The NTRU Signature Scheme. In Proc. of Eurocrypt ’01, LNCS 2045, pages 211–228. Springer-Verlag, 2001.
  10. J. Hoffstein, J. Pipher, J.H. Silverman. NSS: The NTRU Signature Scheme: Theory and Practice. Preprint, 2001. Available from http://www.ntru.com.
  11. J. Hoffstein, J. Pipher, J.H. Silverman. Enhanced encoding and verification methods for the NTRU signature scheme. Previously posted on http://www.ntru.com/technology/tech.technical.htm.
  12. J. Hoffstein, J. Pipher, J.H. Silverman. Enhanced encoding and verification methods for the NTRU signature scheme (ver. 2). May 30, 2001. Available from http://www.ntru.com/technology/tech.technical.htm.
  13. A. Lenstra, H. Lenstra, and L. Lovasz. Factoring polynomials with rational coefficients. Math. Ann. 261, pages 515–534, 1982.
  14. I. Mironov. A Note on Cryptanalysis of the Preliminary Version of the NTRU Signature Scheme. Preprint, January 2001. Available at http://eprint.iacr.org/2001/005/.
  15. P. Nguyen and J. Stern. Lattice Reduction in Cryptology: An Update. In Proc. of Algorithm Number Theory (ANTS IV), LNCS 1838, pages 85–112. Springer-Verlag, 2000.
  16. J. Stern. A method for finding codewords of small weight. Coding Theory and applications, LNCS 388, pages 106–113. Springer-Verlag, 1989.
  17. R. Scheidler and H. C. Williams. A public-key cryptosystem utilizing cyclotomic fields. Designs, Codes and Cryptography 6, pages 117–131, 1995.

Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Craig Gentry (1)
  • Jakob Jonsson (2)
  • Jacques Stern (3)
  • Michael Szydlo (2)

  1. DoCoMo Communications Laboratories USA, Inc., USA
  2. RSA Laboratories, Bedford, USA
  3. Dépt d’Informatique, Ecole normale Supérieure, Paris, France
