Abstract
In this paper the authors give an efficient bounded distance decoding (BDD for short) algorithm for NTRU lattices under some conditions about the modulus number q and the public key h. They then use this algorithm to give plain-text recovery attack to NTRU Encrypt and forgery attack on NTRU Sign. In particular the authors figure out a weak domain of public keys such that the recent transcript secure version of NTRU signature scheme NTRUMLS with public keys in this domain can be forged.