Polynomial Authentication and Signature Scheme (PASS) is a new public key authentication and signature scheme proposed by NTRU Cryptosystems Inc. It is based on the hard problems related to constrained polynomial evaluation. In this paper, we break PASS with the proposed parameters. We show how to forge valid authentication transcripts or digital signatures in PASS with knowledge of the public ...

Let f and g be polynomials of a bounded Euclidean norm in the ring Z[X]/⟨X+1⟩. Given the polynomial [f/g]q ∈ Zq[X]/⟨X+1⟩, the NTRU problem is to find a, b ∈ Z[X]/⟨X + 1⟩ with a small Euclidean norm such that [a/b]q = [f/g]q. We propose an algorithm to solve the NTRU problem, which runs in 2 2 λ) time when ∥g∥, ∥f∥, and ∥g−1∥ are within some range. The main technique of our algorithm is the redu...

Initial attempts to obtain lattice based signatures were closely related to reducing a vector modulo the fundamental parallelepiped of a secret basis (like GGH [9], or NTRUSign [12]). This approach leaked some information on the secret, namely the shape of the parallelepiped, which has been exploited on practical attacks [24]. NTRUSign was an extremely efficient scheme, and thus there has been ...

We define a new notion of a reduced lattice, based on a quantity introduced in the LLL paper. We show that lattices reduced in this sense are simultaneously reduced in both their primal and dual. We show that the definition applies naturally to blocks, and therefore gives a new hierarchy of polynomial time algorithms for lattice reduction with fixed blocksize. We compare this hierarchy of algor...

Résumé : on améliore une attaque algébrique de NTRU (où le paramètre q est une puissance de 2), due à Silverman, Smart et Vercauteren ; au lieu de considérer, comme les précédents, les 2 premiers bits d’un vecteur de Witt attaché à la recherche de la clé secrète, on considère ici les 4 premiers bits, ce qui fournit des équations supplémentaires de degrés 4 puis 8. L’adjonction du 3 bit accélère...