A Note on the Security of NTRUSign
نویسنده
چکیده
At Eurocrypt ’06, Nguyen and Regev presented a new key-recovery attack on the GoldreichGoldwasser-Halevi (GGH) lattice-based signature scheme: when applied to NTRUSign-251 without perturbation, the attack recovers the secret key given only 90,000 signatures. At the rump session, Whyte speculated whether the number of required signatures might be significantly decreased to say 1,000, due to the special properties of NTRU lattices. This short note shows that this is indeed the case: it turns out that as few as 400 NTRUSign-251 signatures are sufficient in practice to recover the secret key. Hence, NTRUSign without perturbation should be considered totally insecure.
منابع مشابه
Performance Improvements and a Baseline Parameter Generation Algorithm for NTRUSign
The NTRUSign signature scheme was introduced in [8]. The original presentation gave a theoretical description of the scheme and an analysis of its security, along with several parameter choices which claimed to yield an 80 bit security level. The paper [8] did not give a general recipe for generating parameter sets to a specific level of security. In line with recent research on NTRUEncrypt [9]...
متن کاملWeak Property of Malleability in NTRUSign
A new type of signature scheme, called NTRUSign, based on solving the approximately closest vector problem in a NTRU lattice was proposed at CT-RSA’03. However no security proof against chosen messages attack has been made for this scheme. In this paper, we show that NTRUSign signature scheme contains the weakness of malleability. From this, one can derive new valid signatures from any previous...
متن کاملAuthentication Protocol using MYK-NTRUSign Signature Algorithm in Wireless Network Environment
In this paper, we propose a new bidirectional authentication and key agreement protocol based on the MYK-NTRUSign signature algorithm. The AES encryption algorithm and hash techniques were adopted to build our protocol. To implement the mutual authentication and session key agreement, the proposed protocol includes two phases: namely initial phase and mutual authentication with key agreement ph...
متن کاملCryptanalysis of the Revised NTRU Signature Scheme
In this paper, we describe a three-stage attack against Revised NSS, an NTRU-based signature scheme proposed at the Eurocrypt 2001 conference as an enhancement of the (broken) proceedings version of the scheme. The first stage, which typically uses a transcript of only 4 signatures, effectively cuts the key length in half while completely avoiding the intended hard lattice problem. After an emp...
متن کاملPractical Lattice-Based Cryptography: NTRUEncrypt and NTRUSign
W e provide a brief history and overview of lattice based cryptography and cryptanalysis: shortest vector problems, closest vector problems, subset sum problem and knapsack systems, GGH, Ajtai-Dwork and NTRU. A detailed discussion of the algorithms NTRUEncrypt and NTRUSign follows. These algorithms have attractive operating speed and keysize and are based on hard problems that are seemingly int...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید
ثبت ناماگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید
ورودعنوان ژورنال:
- IACR Cryptology ePrint Archive
دوره 2006 شماره
صفحات -
تاریخ انتشار 2006