In this paper, we present a fault analysis of the original NTRU public key cryptosystem. The fault model in which we analyze the cipher is the one in which the attacker is assumed to be able to fault a small number of coefficients of the polynomial input to (or output from) the second step of the decryption process but cannot control the exact location of injected faults. For this specific original instantiation of the NTRU encryption system with parameters (N,p,q), our attack succeeds with probability≈ and when the number of faulted coefficients is upper bounded by t, it requires O((pN)t) polynomial inversions in Z/p Z[x]/(xN-1).

Keith Salvin presented a key exchange protocol using matrices in the general linear group, GL(r,Zn), where n is the product of two distinct large primes. The system is fully specified in the US patent number 7346162 issued in 2008. In the patent claims, it is argued that the best way to break this system is to factor n. Furthermore, for efficiency reasons, it is suggested to use r=2. In this letter, we show that this cryptosystem can be easily broken by solving a set of consistent homogeneous r2 linear equations in 2r unknowns over Zn.

Tseng et al. proposed two efficient authenticated encryption schemes with message linkages for message flows. Hwang et al. (IEICE Trans. Inf. and Syst., Vol. E89-D, No. 4, April 2006) presented a forgery attack against these two schemes and proposed an improvement that they claim resists such attacks. In this paper, we show that the improved authenticated encryption schemes proposed by Hwang et al. are not secure by presenting another message forgery attack against these improved schemes.

Shi-Hui et al. proposed a new public key cryptosystem using ergodic binary matrices. The security of the system is derived from some assumed hard problem based on ergodic matrices over GF(2). In this note, we show that breaking this system, with a security parameter n (public key of length 4n2 bits, secret key of length 2n bits and block length of length n2 bits), is equivalent to solving a set of n4 linear equations over GF(2) which renders this system insecure for practical choices of n.