Cryptanalysis of the Revised NTRU Signature Scheme

  • Craig Gentry
  • Mike Szydlo
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2332)


In this paper, we describe a three-stage attack against Revised NSS, an NTRU-based signature scheme proposed at the Eurocrypt 2001 conference as an enhancement of the (broken) proceedings version of the scheme. The first stage, which typically uses a transcript of only 4 signatures, effectively cuts the key length in half while completely avoiding the intended hard lattice problem. After an empirically fast second stage, the third stage of the attack combines lattice-based and congruence-based methods in a novel way to recover the private key in polynomial time. This cryptanalysis shows that a passive adversary observing only a few valid signatures can recover the signer’s entire private key. We also briefly address the security of NTRUSign, another NTRU-based signature scheme that was recently proposed at the rump session of Asiacrypt 2001. As we explain, some of our attacks on Revised NSS may be extended to NTRUSign, but a much longer transcript is necessary. We also indicate how the security of NTRUSign is based on the hardness of several problems, not solely on the hardness of the usual NTRU lattice problem.


NSS NTRU NTRUSign Signature Scheme Lattice Reduction Cryptanalysis Orthogonal Lattice Cyclotomic Integer Galois Congruence 


  1. 1.
    M. Ajtai, The shortest vector problem in L 2 is NP-hard for randomized reductions, in Proc. 30th ACM Symposium on Theory of Computing, 1998, 10–19.Google Scholar
  2. 2.
    H. Cohen, A Course in Computational Algebraic Number Theory, Graduate Texts in Mathematics, 138. Springer, 1993.Google Scholar
  3. 3.
    H. Cohen, Advanced Topics in Computational Number Theory, Graduate Texts in Mathematics 138, 1993.Google Scholar
  4. 4.
    Consortium for Efficient Embedded Security. Efficient Embedded Security Standard (EESS) # 1: Draft 1.0. Previously on
  5. 5.
    Consortium for Efficient Embedded Security. Efficient Embedded Security Standard (EESS) # 1: Draft 2.0. Previously on
  6. 6.
    Consortium for Efficient Embedded Security. Efficient Embedded Security Standard (EESS) # 1: Draft 3.0. Available from
  7. 7.
    D. Coppersmith and A. Shamir, Lattice Attacks on NTRU, in Proc. of Eurocrypt’ 97, LNCS 1233, pages 52–61. Springer-Verlag, 1997.Google Scholar
  8. 8.
    C. Gentry, Key Recovery and Message Attacks on NTRU-Composite, in Proc. of Eurocrypt’ 01, LNCS 2045, pages 182–194. Springer-Verlag, 2001.Google Scholar
  9. 9.
    C. Gentry, J. Jonsson, J. Stern, M. Szydlo, Cryptanalysis of the NTRU signature scheme, in Proc. of Asiacrypt’ 01, LNCS 2248, pages 1–20. Springer-Verlag, 2001.Google Scholar
  10. 10.
    O. Goldreich, S. Goldwasser, S. Halevi, Public-key Cryptography from Lattice Reduction Problems, in Proc. of Crypto’ 97, LNCS 1294, pages 112–131. Springer-Verlag, 1997.Google Scholar
  11. 11.
    J. Hoffstein, N. Howgrave-Graham, J. Pipher, J.H. Silverman, W. Whyte, NTRUSign: Digital Signatures Using the NTRU Lattice, December, 2001. Available from
  12. 12.
    J. Hoffstein, B.S. Kaliski, D. Lieman, M.J.B. Robshaw, Y.L. Yin, Secure user identification based on constrained polynomials, US Patent 6,076,163, June 13, 2000.Google Scholar
  13. 13.
    J. Hoffstein, D. Lieman, J.H. Silverman, Polynomial Rings and Efficient Public Key Authentication, in Proc. International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC’ 99), Hong Kong, (M. Blum and C.H. Lee, eds.), City University of Hong Kong Press.Google Scholar
  14. 14.
    J. Hoffstein, J. Pipher, J.H. Silverman, Enhanced Encoding and Verification Methods for the NTRU Signature Scheme, NTRU Technical Note #017, May 2001. Available from
  15. 15.
    J. Hoffstein, J. Pipher, J.H. Silverman. Enhanced encoding and verification methods for the NTRU signature scheme (ver. 2), May 30, 2001. Available from
  16. 16.
    J. Hoffstein, J. Pipher, J.H. Silverman, NSS: The NTRU Signature Scheme, preprint, November 2000. Available from
  17. 17.
    J. Hoffstein, J. Pipher, J.H. Silverman, NSS: The NTRU Signature Scheme, in Proc. of Eurocrypt’ 01, LNCS 2045, pages 211–228. Springer-Verlag, 2001.Google Scholar
  18. 18.
    J. Hoffstein, J. Pipher, J.H. Silverman, NSS: The NTRU Signature Scheme: Theory and Practice, preprint, 2001. Available from
  19. 19.
    A.K. Lenstra, H.W. Lenstra Jr., L. Lovász, Factoring Polynomials with Rational Coefficients, Mathematische Ann. 261 (1982), 513–534.Google Scholar
  20. 20.
    A. May, Cryptanalysis of NTRU-107, preprint, 1999. Available from
  21. 21.
    I. Mironov, A Note on Cryptanalysis of the Preliminary Version of the NTRU Signature Scheme, IACR preprint server,
  22. 22.
    P. Nguyen and J. Stern, Lattice Reduction in Cryptology: An Update, in Proc. of Algorithm Number Theory (ANTS IV), LNCS 1838, pages 85–112. Springer-Verlag, 2000.CrossRefGoogle Scholar
  23. 23.
    J.H. Silverman, Estimated Breaking Times for NTRU Lattices, NTRU Technical Note #012, March 1999. Available from
  24. 24.
    J.H. Silverman, Invertibility in Truncated Polynomial Rings., NTRU Technical Note #009, October 1998. Available from
  25. 25.
    L. Washington, Introduction to Cyclotomic Fields, Graduate Texts in Mathematics 83, 1982.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Craig Gentry
    • 1
  • Mike Szydlo
    • 2
  1. 1.DoCoMo USA LabsSan JoseUSA
  2. 2.RSA LaboratoriesBedfordUSA

Personalised recommendations