New Chosen-Ciphertext Attacks on NTRU

  • Nicolas Gama
  • Phong Q. Nguyen
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4450)


We present new and efficient key-recovery chosen-ciphertext attacks on NTRUencrypt. Our attacks are somewhat intermediate between chosen-ciphertext attacks on NTRUencrypt previously published at CRYPTO ’00 and CRYPTO ’03. Namely, the attacks only work in the presence of decryption failures; we only submit valid ciphertexts to the decryption oracle, where the plaintexts are chosen uniformly at random; and the number of oracle queries is small. Interestingly, our attacks can also be interpreted from a provable security point of view: in practice, if one had access to a NTRUencrypt decryption oracle such that the parameter set allows decryption failures, then one could recover the secret key. For instance, for the initial NTRU-1998 parameter sets, the output of the decryption oracle on a single decryption failure is enough to recover the secret key.


Decryption Algorithm Oracle Query Decryption Oracle Choose Ciphertext Attack Random Message 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Consortium for Efficient Embedded Security: Efficient embedded security standards #1: Implementation aspects of NTRU and NSS (2001)Google Scholar
  2. 2.
    Consortium for Efficient Embedded Security: Efficient embedded security standards #1: Implementation aspects of NTRUEncrypt and NTRUSign (2002)Google Scholar
  3. 3.
    Gentry, C.: Key recovery and message attacks on NTRU-composite. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, Springer, Heidelberg (2001)CrossRefGoogle Scholar
  4. 4.
    Gentry, C., Jonsson, J., Stern, J., Szydlo, M.: Cryptanalysis of the NTRU signature scheme (NSS) from Eurocrypt 2001. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, Springer, Heidelberg (2001)CrossRefGoogle Scholar
  5. 5.
    Gentry, C., Szydlo, M.: Cryptanalysis of the revised NTRU signature scheme. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, Springer, Heidelberg (2002)CrossRefGoogle Scholar
  6. 6.
    Han, D., Hong, J., Han, J.W., Kwon, D.: Key recovery attacks on NTRU without ciphertext validation routine. In: Safavi-Naini, R., Seberry, J. (eds.) ACISP 2003. LNCS, vol. 2727, pp. 274–284. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  7. 7.
    Hoffstein, J., Howgrave-Graham, N.A., Pipher, J., Silverman, J.H., Whyte, W.: NTRUSIGN. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, Springer, Heidelberg (2003)CrossRefGoogle Scholar
  8. 8.
    Hoffstein, J., Pipher, J., Silverman, J.: NTRU: a ring based public key cryptosystem (First presented at the rump session of Crypto ’96). In: Buhler, J.P. (ed.) Algorithmic Number Theory. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  9. 9.
    Hoffstein, J., Silverman, J.H.: Optimizations for NTRU. In: Public-key Cryptography and Computational Number Theory, DeGruyter, Berlin (2000), available at Google Scholar
  10. 10.
    Howgrave-Graham, N., Silverman, J.H., Whyte, W.: Choosing parameter sets for NTRUEncrypt with NAEP and SVES-3Google Scholar
  11. 11.
    Howgrave-Graham, N.A., Nguyen, P.Q., Pointcheval, D., Proos, J., Silverman, J.H., Singer, A., Whyte, W.: The impact of decryption failures on the security of NTRU encryption. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 226–246. Springer, Heidelberg (2003)Google Scholar
  12. 12.
    IEEE. P1363.1 Public-Key Cryptographic Techniques Based on Hard Problems over Lattices. IEEE (June 2003), Available from
  13. 13.
    Jaulmes, E., Joux, A.: A chosen ciphertext attack on NTRU. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, Springer, Heidelberg (2000)CrossRefGoogle Scholar
  14. 14.
    Nguyen, P.Q., Regev, O.: Learning a parallelepiped: cryptanalysis of GGH and NTRU signatures. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 271–288. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  15. 15.
    Shoup, V.: Number Theory C++ Library (NTL) version 5.4. Available at
  16. 16.
    Silverman, J.H.: Invertibility in truncated polynomial rings. Technical report, NTRU Cryptosystems, Technical reports (2003), available at
  17. 17.
    Silverman, J.H., Whyte, W.: Technical report n. 18, version 1: Estimating decryption failure probabilities for ntruencrypt. Technical report, NTRU Cryptosystems (2005)Google Scholar

Copyright information

© Springer Berlin Heidelberg 2007

Authors and Affiliations

  • Nicolas Gama
    • 1
  • Phong Q. Nguyen
    • 2
  1. 1.École normale supérieure, DI, 45 rue d’Ulm, 75005 ParisFrance
  2. 2.CNRS/École normale supérieure, DI, 45 rue d’Ulm, 75005 ParisFrance

Personalised recommendations