The NTRU Signature Scheme: Theory and Practice

The NTRU Signature Scheme (NSS) with enhanced document encoding and signature verification is described. Three areas of security are investigated: (1) It is proven (under a heuristic assumption) that direct forgery is equivalent, up to a constant factor, to solving a closest vector problem in an NTRU convolution modular lattice. (2) The probability of forgery using partially preselected vectors is calculated, both theoretically and experimentally, for a recommended set of parameters. (3) The potential leakage of information from frequency analysis of signature transcripts is analyzed and shown to be negligible.
