Abstract
In this paper, we describe a three-stage attack against Revised NSS, an NTRU-based signature scheme proposed at the Eurocrypt 2001 conference as an enhancement of the (broken) proceedings version of the scheme. The first stage, which typically uses a transcript of only 4 signatures, effectively cuts the key length in half while completely avoiding the intended hard lattice problem. After an empirically fast second stage, the third stage of the attack combines lattice-based and congruence-based methods in a novel way to recover the private key in polynomial time. This cryptanalysis shows that a passive adversary observing only a few valid signatures can recover the signer’s entire private key. We also briefly address the security of NTRUSign, another NTRU-based signature scheme that was recently proposed at the rump session of Asiacrypt 2001. As we explain, some of our attacks on Revised NSS may be extended to NTRUSign, but a much longer transcript is necessary. We also indicate how the security of NTRUSign is based on the hardness of several problems, not solely on the hardness of the usual NTRU lattice problem.
© 2002 Springer-Verlag Berlin Heidelberg
Gentry, C., Szydlo, M. (2002). Cryptanalysis of the Revised NTRU Signature Scheme. In: Knudsen, L.R. (eds) Advances in Cryptology — EUROCRYPT 2002. EUROCRYPT 2002. Lecture Notes in Computer Science, vol 2332. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-46035-7_20
DOI: https://doi.org/10.1007/3-540-46035-7_20
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-43553-2
Online ISBN: 978-3-540-46035-0