Public Key Cryptography – PKC 2007

Volume 4450 of the series Lecture Notes in Computer Science, pp. 89-106

New Chosen-Ciphertext Attacks on NTRU

  • Nicolas Gama, affiliated with École normale supérieure, DI, 45 rue d’Ulm, 75005 Paris
  • Phong Q. Nguyen, affiliated with CNRS/École normale supérieure, DI, 45 rue d’Ulm, 75005 Paris


We present new and efficient key-recovery chosen-ciphertext attacks on NTRUencrypt. Our attacks are somewhat intermediate between chosen-ciphertext attacks on NTRUencrypt previously published at CRYPTO ’00 and CRYPTO ’03. Namely, the attacks only work in the presence of decryption failures; we only submit valid ciphertexts to the decryption oracle, where the plaintexts are chosen uniformly at random; and the number of oracle queries is small. Interestingly, our attacks can also be interpreted from a provable security point of view: in practice, if one had access to an NTRUencrypt decryption oracle such that the parameter set allows decryption failures, then one could recover the secret key. For instance, for the initial NTRU-1998 parameter sets, the output of the decryption oracle on a single decryption failure is enough to recover the secret key.