Cryptanalysis of the Revised NTRU Signature Scheme

Gentry, Craig; Szydlo, Michael

doi:10.1007/3-540-46035-7_20

Cited by 111 publications

(116 citation statements)

References 11 publications

Supporting

Mentioning

116

Contrasting

Order By: Relevance

“…Our new algebraic/lattice attacks are extensions of an algorithm by Gentry and Szydlo [GS02], which combines lattice reduction and Fermat's Little Theorem in a clever way to solve a relative norm equation in a cyclotomic field. Our new attacks include a dimension-halving attack on principal ideal lattices (Section 7.8.1), demonstrating that one needs to double the dimension of principal ideal lattices (compared to general ideal lattices) to preserve security.…”

Section: Security Of Our Constructionsmentioning

confidence: 99%

“…Our new attacks are extensions of techniques that were developed in [GS02] for attacking NTRU signatures: In Section 7.8.1 we describe a "dimension-halving attack" on principal ideal lattices, demonstrating that one needs to double the dimension of principal ideal lattices (compared to general ideal lattices) to preserve security. Then in Section 7.6 we provide a polynomial-time algorithm that solves the closest principal ideal generator problem in certain cases.…”

Section: Survey Of Lattice Cryptanalysismentioning

confidence: 99%

“…. are ring elements, and its goal is to use "averaging" to recover v · v, where v = v(x −1 ) is the conjugate of v. It was used by Kaliski (in connection with patent [HKL + 00]) and Gentry and Szydlo [GS02] in attacks against NTRU signature schemes [HKL + 00, HPS01]. We review the averaging attack here.…”

Section: Averaging Attacksmentioning

confidence: 99%

“…If the averaging attack is successful and we recover v · v, we can then use an algorithm by Gentry and Szydlo [GS02]. This algorithm takes v · v and a basis of the ideal v , and outputs the actual element v in polynomial time.…”

Section: Averaging Attacksmentioning

confidence: 99%

“…Here, we describe an algorithm by Gentry and Szydlo [GS02] (the GS algorithm) that recovers v from v · v and a basis of the ideal v . The algorithm runs in polynomial time.…”

Section: Gentry-szydlo: Recovering V From V · V and Vmentioning

confidence: 99%

See 4 more Smart Citations

Candidate Multilinear Maps from Ideal Lattices

Garg

Gentry²,

Halevi³

2013

Lecture Notes in Computer Science

Self Cite

501

635

View full text Add to dashboard Cite

We describe plausible lattice-based constructions with properties that approximate the soughtafter multilinear maps in hard-discrete-logarithm groups, and show an example application of such multi-linear maps that can be realized using our approximation. The security of our constructions relies on seemingly hard problems in ideal lattices, which can be viewed as extensions of the assumed hardness of the NTRU function.

show abstract

Section: Security Of Our Constructionsmentioning

confidence: 99%

Section: Survey Of Lattice Cryptanalysismentioning

confidence: 99%

Section: Averaging Attacksmentioning

confidence: 99%

Section: Averaging Attacksmentioning

confidence: 99%

“…Here, we describe an algorithm by Gentry and Szydlo [GS02] (the GS algorithm) that recovers v from v · v and a basis of the ideal v . The algorithm runs in polynomial time.…”

Section: Gentry-szydlo: Recovering V From V · V and Vmentioning

confidence: 99%

See 3 more Smart Citations

Candidate Multilinear Maps from Ideal Lattices

Garg

Gentry²,

Halevi³

2013

Lecture Notes in Computer Science

Self Cite

501

635

View full text Add to dashboard Cite

show abstract

A new offer of NTRU cryptosystem with two new key pairs

Sever

Özdemir

2020

Numerical Methods Partial

View full text Add to dashboard Cite

In this study, it is aimed to contribute to the NTRU cryptologic system to increase the number of operations of taking module by taking a polynomial module, to increase the number of secret key by adding an isomorphism and also to increase the number of public key by choosing an irreducible polynomial. Since it is calculated module by suitably partitioning a chosen message polynomial, and since it is used properties of module being an algebraic structure in a phase of an operation and a decryption by adding to the system prime number module and prime polynomial module, this title is thought fit.

show abstract

Symplectic Lattice Reduction and NTRU

Gama¹,

Howgrave-Graham²,

Nguyêñ

2006

Advances in Cryptology - EUROCRYPT 2006

View full text Add to dashboard Cite

Abstract. NTRU is a very efficient public-key cryptosystem based on polynomial arithmetic. Its security is related to the hardness of lattice problems in a very special class of lattices. This article is motivated by an interesting peculiar property of NTRU lattices. Namely, we show that NTRU lattices are proportional to the so-called symplectic lattices. This suggests to try to adapt the classical reduction theory to symplectic lattices, from both a mathematical and an algorithmic point of view. As a first step, we show that orthogonalization techniques (Cholesky, GramSchmidt, QR factorization, etc.) which are at the heart of all reduction algorithms known, are all compatible with symplecticity, and that they can be significantly sped up for symplectic matrices. Surprisingly, by doing so, we also discover a new integer Gram-Schmidt algorithm, which is faster than the usual algorithm for all matrices. Finally, we study symplectic variants of the celebrated LLL reduction algorithm, and obtain interesting speed ups.

show abstract

Cryptanalysis of the Revised NTRU Signature Scheme

Cited by 111 publications

References 11 publications

Candidate Multilinear Maps from Ideal Lattices

Candidate Multilinear Maps from Ideal Lattices

A new offer of NTRU cryptosystem with two new key pairs

Symplectic Lattice Reduction and NTRU

Contact Info

Product

Resources

About