New Chosen-Ciphertext Attacks on NTRU

  • Nicolas Gama
  • Phong Q. Nguyen
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4450)


We present new and efficient key-recovery chosen-ciphertext attacks on NTRUencrypt. Our attacks are somewhat intermediate between chosen-ciphertext attacks on NTRUencrypt previously published at CRYPTO ’00 and CRYPTO ’03. Namely, the attacks only work in the presence of decryption failures; we only submit valid ciphertexts to the decryption oracle, where the plaintexts are chosen uniformly at random; and the number of oracle queries is small. Interestingly, our attacks can also be interpreted from a provable security point of view: in practice, if one had access to an NTRUencrypt decryption oracle such that the parameter set allows decryption failures, then one could recover the secret key. For instance, for the initial NTRU-1998 parameter sets, the output of the decryption oracle on a single decryption failure is enough to recover the secret key.





Copyright information

© Springer Berlin Heidelberg 2007

Authors and Affiliations

  • Nicolas Gama (1)
  • Phong Q. Nguyen (2)

  1. École normale supérieure, DI, 45 rue d’Ulm, 75005 Paris, France
  2. CNRS/École normale supérieure, DI, 45 rue d’Ulm, 75005 Paris, France
