Date: 15 Apr 2001

Key Recovery and Message Attacks on NTRU-Composite


NTRU is a fast public key cryptosystem presented in 1996 by Hoffstein, Pipher and Silverman of Brown University. It operates in the ring of polynomials ℤ[X]/(X^N − 1), where the domain parameter N largely determines the security of the system. Although N is typically chosen to be prime, Silverman proposes taking N to be a power of two to enable the use of Fast Fourier Transforms. We break this scheme for the specified parameters by reducing lattices of manageably small dimension to recover partial information about the private key. We then use this partial information to recover partial information about the message or to recover the private key in its entirety.
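The abstract does not spell out why a composite N makes smaller lattices available, so the following is an added illustration, not code from the paper. It checks the underlying algebraic fact: when d divides N, reduction modulo X^d − 1 is a ring homomorphism, so any relation f·h ≡ g (mod q) in ℤ[X]/(X^N − 1) also holds between the folded d-coefficient polynomials. The values N = 256, d = 16, q = 128 and all function names are assumptions chosen for the demonstration.

```python
import random

def conv(a, b, n, q=None):
    """Product in Z[X]/(X^n - 1) (cyclic convolution), optionally mod q."""
    c = [0] * n
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                c[(i + j) % n] += ai * bj
    return [x % q for x in c] if q else c

def fold(a, d, q=None):
    """Reduce a modulo X^d - 1: coefficient i is added into slot i mod d."""
    if len(a) % d:
        raise ValueError("d must divide N for X^d - 1 to divide X^N - 1")
    c = [0] * d
    for i, ai in enumerate(a):
        c[i % d] += ai
    return [x % q for x in c] if q else c

def small_poly(n, ones, minus_ones, rng):
    """Constructed ternary polynomial with fixed counts of +1 and -1."""
    coeffs = [1] * ones + [-1] * minus_ones + [0] * (n - ones - minus_ones)
    rng.shuffle(coeffs)
    return coeffs

def folding_commutes(N, d, q, seed=0):
    """True if fold(f*h) == fold(f)*fold(h) mod q for constructed f, h."""
    rng = random.Random(seed)
    f = small_poly(N, N // 4, N // 4, rng)      # stands in for a small secret
    h = [rng.randrange(q) for _ in range(N)]    # stands in for a public element
    g = conv(f, h, N, q)                        # relation f*h = g mod q in dim N
    lhs = fold(g, d, q)
    rhs = conv(fold(f, d), fold(h, d, q), d, q) # same relation in dim d
    return lhs == rhs

if __name__ == "__main__":
    N, d, q = 256, 16, 128   # assumed toy parameters, N a power of two
    print("relation survives folding:", folding_commutes(N, d, q))
    print("lattice dimension 2N =", 2 * N, "versus folded 2d =", 2 * d)
```

Each coefficient of the folded secret is a sum of N/d coefficients of the original, which is the sense in which the smaller problem reveals only partial information. With N prime, the only proper divisor is d = 1, and that fold keeps just the sum of all coefficients.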