Cryptanalysis of the NTRU Signature Scheme (NSS) from Eurocrypt 2001

  • Craig Gentry
  • Jakob Jonsson
  • Jacques Stern
  • Michael Szydlo
Conference paper

DOI: 10.1007/3-540-45682-1_1

Part of the Lecture Notes in Computer Science book series (LNCS, volume 2248)
Cite this paper as:
Gentry C., Jonsson J., Stern J., Szydlo M. (2001) Cryptanalysis of the NTRU Signature Scheme (NSS) from Eurocrypt 2001. In: Boyd C. (eds) Advances in Cryptology — ASIACRYPT 2001. ASIACRYPT 2001. Lecture Notes in Computer Science, vol 2248. Springer, Berlin, Heidelberg

Abstract

In 1996, a new cryptosystem called NTRU was introduced, related to the hardness of finding short vectors in specific lattices. At Eurocrypt 2001, the NTRU Signature Scheme (NSS), a signature scheme apparently related to the same hard problem, was proposed. In this paper, we show that the problem on which NSS relies is much easier than anticipated, and we describe an attack that allows efficient forgery of a signature on any message. Additionally, we demonstrate that a transcript of signatures leaks information about the secret key: using a correlation attack, it is possible to recover the key from a few tens of thousands of signatures. The attacks apply to the recently proposed parameter sets NSS251-3-SHA1-1, NSS347-3-SHA1-1, and NSS503-3-SHA1-1 in [2]. Following the attacks, NTRU researchers have investigated enhanced encoding/verification methods in [11].

Keywords

NSS, NTRU, Signature Scheme, Forgery, Transcript Analysis, Lattice, Cryptanalysis, Key Recovery, Cyclotomic Integer

Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Craig Gentry (1)
  • Jakob Jonsson (2)
  • Jacques Stern (3)
  • Michael Szydlo (2)

  1. DoCoMo Communications Laboratories USA, Inc., USA
  2. RSA Laboratories, Bedford, USA
  3. Dépt d’Informatique, Ecole normale Supérieure, Paris, France
