NTRUSign is a new signature scheme based on the approximate closest vector problem (APPR--CVP) in the NTRU lattice. In this paper, we first introduce the NTRUSign scheme and its mathematical background. Then we review some relevant known attacks against NTRUEncrypt and previous NTRU-based signature schemes. Finally, we point out three weak points of NTRUSign: firstly, we can obtain some {f * w mod q, g*w mod q } from some valid signature transcripts; secondly, we can calculate the private key (f,g) from the unreduced (F,G); and thirdly, zero would be the valid signature of a kind of message digest m, if m satisfied some conditions. |