Timing Attacks on NTRUEncrypt Via Variation in the Number of Hash Calls

  • Joseph H. Silverman
  • William Whyte
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4377)


This report studies timing attacks on NTRUEncrypt based on variation in the number of hash calls made on decryption. The attacks apply to the parameter sets of [8,6]. To mount the attacker, an attacker performs a variable amount of precomputation, then submits a relatively small number of specially constructed ciphertexts for decryption and measures the decryption times. Comparison of the decryption times with the precomputed data allows the attacker to recover the key in greatly reduced time compared to standard attacks on NTRUEncrypt. The precomputed data can be used for all keys generated with a specific parameter set and tradeoffs exist that increase the amount of precomputation in order to decrease the time required to recover an individual key. For parameter sets in [3] that claim k-bit security but are vulnerable to this attack, we find that an attacker can typically recover a single key with about k/2 bits of effort.

Finally, we describe a simple means to prevent these attacks by ensuring that all operations take a constant number of SHA calls. The recommended countermeasure does not break interoperability with the parameter sets of [8,6] and has only a slight effect on performance.


Hash Function Timing Attack Smart Card Hypergeometric Distribution Decryption Oracle 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Brumley, D., Boneh, D.: Remote timing attacks are practical. Journal of Computer Networks (2005)Google Scholar
  2. 2.
    Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: A new high speed public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  3. 3.
    Hoffstein, J., Silverman, J.H.: Optimizations for NTRU. In: Public Key Cryptography and Computational Number Theory, September 11–15, 2000, pp. 77–88. Walter de Gruyter, Berlin (2001)Google Scholar
  4. 4.
    Howgrave-Graham, N.A., Silverman, J.H., Whyte, W.: A Meet-in-the-Middle Attack on an NTRU Private key. Technical report, NTRU Cryptosystems, Report #004, version 2 (June 2003),
  5. 5.
    Howgrave-Graham, N., Silverman, J.H., Singer, A., Whyte, W.: NAEP: Provable Security in the Presence of Decryption Failures. IACR ePrint Archive, Report 2003-172,
  6. 6.
    Howgrave-Graham, N., Silverman, J.H., Whyte, W.: Choosing Parameter Sets for NTRUEncrypt with NAEP and SVES-3. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 118–135. Springer, Heidelberg (2005), CrossRefGoogle Scholar
  7. 7.
    Consortium for Efficient Embedded Security. Efficient Embedded Security Standard (EESS) #1 version 2 (2003)Google Scholar
  8. 8.
    Consortium for Efficient Embedded Security. Efficient Embedded Security Standard (EESS) #1 version 3 (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Joseph H. Silverman
    • 1
  • William Whyte
    • 1
  1. 1.NTRU Cryptosystems, Inc. 

Personalised recommendations