A Chosen-Ciphertext Attack against NTRU

  • Éliane Jaulmes
  • Antoine Joux
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1880)


We present a chosen-ciphertext attack against the public key cryptosystem called NTRU. This cryptosystem is based on polynomial algebra. Its security comes from the interaction of the polynomial mixing system with the independence of reduction modulo two relatively prime integers p and q. In this paper, we examine the effect of feeding special polynomials built from the public key to the decryption algorithm. We are then able to conduct a chosen-ciphertext attack that recovers the secret key from a few ciphertext/cleartext pairs with good probability. Finally, we show that the OAEP-like padding proposed for use with NTRU does not protect against this attack.
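As an added illustration (not code from the paper), a toy textbook NTRU over Z[X]/(X^N - 1) showing the two-modulus decryption the abstract refers to: decryption recovers m only while the centred lift modulo q of f*e equals p*r*g + f*m over the integers, so an input outside the honest range yields a decryption error, which is the behaviour a decryption oracle can leak. The parameters N=7, p=3, q=64, the seed and the brute-force inversion are constructed assumptions for readability and are insecure; the paper's particular chosen polynomials are not reproduced.

```python
import itertools, random
# Constructed toy parameters for illustration only (insecure); real NTRU uses far larger N and q.
N, P, Q = 7, 3, 64
ONE = [1] + [0] * (N - 1)

def mul(a, b, mod):
    """Product in Z[X]/(X^N - 1) with coefficients reduced modulo `mod`."""
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % N] += ai * bj
    return [x % mod for x in c]

def center(a, mod):
    """Lift each coefficient modulo `mod` to its representative of smallest absolute value."""
    return [((x + mod // 2) % mod) - mod // 2 for x in a]

def inverse_mod_prime(f, mod):
    """Brute-force inverse of f in Z_mod[X]/(X^N - 1), or None; feasible only for tiny N."""
    for g in itertools.product(range(mod), repeat=N):
        if mul(f, list(g), mod) == ONE:
            return list(g)
    return None

def inverse_mod_q(f):
    """Inverse of f modulo Q (a power of two), Hensel-lifted from its inverse modulo 2."""
    g, e = inverse_mod_prime(f, 2), 2
    while g is not None and e < Q:  # each round g <- g*(2 - f*g) squares the modulus
        e *= e
        fg = mul(f, g, e)
        g = mul(g, [(2 * ONE[i] - fg[i]) % e for i in range(N)], e)
    return None if g is None else [x % Q for x in g]

def keygen(seed=0):
    """Private key (f, f_p) and public key h = p*f_q*g (mod q), with small f and g."""
    rng = random.Random(seed)
    while True:
        f, g = (rng.choices((-1, 0, 1), k=N) for _ in range(2))
        f_p, f_q = inverse_mod_prime(f, P), inverse_mod_q(f)
        if f_p is not None and f_q is not None and any(g):
            return (f, f_p), mul([P * x for x in f_q], g, Q)

def encrypt(h, m, r):
    """e = r*h + m (mod q); an honest sender uses small m and r (coefficients in {-1,0,1})."""
    return [(x + y) % Q for x, y in zip(mul(r, h, Q), m)]

def decrypt(sk, e):
    f, f_p = sk
    a = center(mul(f, e, Q), Q)       # equals p*r*g + f*m over Z only if no coefficient wrapped mod q
    return center(mul(f_p, a, P), P)  # then f_p*(f*m) = m (mod p), lifted back to {-1,0,1}
```

With these parameters an honest ciphertext always decrypts (|p*r*g + f*m| <= 28 < q/2), whereas a constant r of 20 forces every coefficient where g is nonzero to wrap modulo q, so the result differs from m.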


Keywords (machine-generated): Cipher Text, Reduction Modulo, Decryption Error, Brute Force Attack, Decryption Oracle



Copyright information

© Springer-Verlag Berlin Heidelberg 2000

Authors and Affiliations

  • Éliane Jaulmes, SCSSI, Issy-les-Moulineaux cedex, France
  • Antoine Joux, SCSSI, Issy-les-Moulineaux cedex, France
