A course in computational algebraic number theory
A course in computational algebraic number theory
The shortest vector problem in L2 is NP-hard for randomized reductions (extended abstract)
STOC '98 Proceedings of the thirtieth annual ACM symposium on Theory of computing
Public-Key Cryptosystems from Lattice Reduction Problems
CRYPTO '97 Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology
Key Recovery and Message Attacks on NTRU-Composite
EUROCRYPT '01 Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques: Advances in Cryptology
NSS: An NTRU Lattice-Based Signature Scheme
EUROCRYPT '01 Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques: Advances in Cryptology
Cryptanalysis of the NTRU Signature Scheme (NSS) from Eurocrypt 2001
ASIACRYPT '01 Proceedings of the 7th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Lattice Reduction in Cryptology: An Update
ANTS-IV Proceedings of the 4th International Symposium on Algorithmic Number Theory
EUROCRYPT'97 Proceedings of the 16th annual international conference on Theory and application of cryptographic techniques
Security in embedded systems: Design challenges
ACM Transactions on Embedded Computing Systems (TECS)
Provable Cryptographic Security and its Applications to Mobile Wireless Computing
Wireless Personal Communications: An International Journal
Generalized Compact Knapsacks, Cyclic Lattices, and Efficient One-Way Functions
Computational Complexity
Sliding Window Method for NTRU
ACNS '07 Proceedings of the 5th international conference on Applied Cryptography and Network Security
Efficient lattice-based signature scheme
International Journal of Applied Cryptography
New chosen-ciphertext attacks on NTRU
PKC'07 Proceedings of the 10th international conference on Practice and theory in public-key cryptography
Hypercubic lattice reduction and analysis of GGH and NTRU signatures
EUROCRYPT'03 Proceedings of the 22nd international conference on Theory and applications of cryptographic techniques
About the XL algorithm over GF(2)
CT-RSA'03 Proceedings of the 2003 RSA conference on The cryptographers' track
A digital signature scheme based on CV P∞
PKC'08 Proceedings of the Practice and theory in public key cryptography, 11th international conference on Public key cryptography
Symplectic lattice reduction and NTRU
EUROCRYPT'06 Proceedings of the 24th annual international conference on The Theory and Applications of Cryptographic Techniques
Learning a parallelepiped: cryptanalysis of GGH and NTRU signatures
EUROCRYPT'06 Proceedings of the 24th annual international conference on The Theory and Applications of Cryptographic Techniques
Fault analysis of the NTRUSign digital signature scheme
Cryptography and Communications
Lattice signatures without trapdoors
EUROCRYPT'12 Proceedings of the 31st Annual international conference on Theory and Applications of Cryptographic Techniques
| Hi-index | 0.00 |
In this paper, we describe a three-stage attack against Revised NSS, an NTRU-based signature scheme proposed at the Eurocrypt 2001 conference as an enhancement of the (broken) proceedings version of the scheme. The first stage, which typically uses a transcript of only 4 signatures, effectively cuts the key length in half while completely avoiding the intended hard lattice problem. After an empirically fast second stage, the third stage of the attack combines lattice-based and congruence-based methods in a novel way to recover the private key in polynomial time. This cryptanalysis shows that a passive adversary observing only a few valid signatures can recover the signer's entire private key. We also briefly address the security of NTRUSign, another NTRUbased signature scheme that was recently proposed at the rump session of Asiacrypt 2001. As we explain, some of our attacks on Revised NSS may be extended to NTRUSign, but a much longer transcript is necessary. We also indicate how the security of NTRUSign is based on the hardness of several problems, not solely on the hardness of the usual NTRU lattice problem.