Advances in Cryptology — CRYPTO 2000

Volume 1880 of the series Lecture Notes in Computer Science, pp. 20-35


A Chosen-Ciphertext Attack against NTRU

  • Éliane Jaulmes, affiliated with SCSSI
  • Antoine Joux, affiliated with SCSSI


We present a chosen-ciphertext attack against the public-key cryptosystem called NTRU. This cryptosystem is based on polynomial algebra. Its security comes from the interaction of the polynomial mixing system with the independence of reduction modulo two relatively prime integers p and q. In this paper, we examine the effect of feeding special polynomials built from the public key to the decryption algorithm. We are then able to conduct a chosen-ciphertext attack that recovers the secret key from a few ciphertext/cleartext pairs with good probability. Finally, we show that the OAEP-like padding proposed for use with NTRU does not protect against this attack.