Recovering NTRU Secret Key from Inversion Oracles

  • Petros Mol
  • Moti Yung
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4939)


We consider the NTRU encryption scheme as recently suggested for use, and study the connection between inverting the NTRU primitive (i.e., the one-way function over the message and the blinding information which underlies the NTRU scheme) and recovering the NTRU secret key (universal breaking). We model the inverting algorithms as black-box oracles and do not take any advantage of the internal way in which the inversion works (namely, it does not have to be done by following the standard decryption algorithm). This allows for secret key recovery directly from the output of several inversion queries, even in the absence of decryption failures. Our oracles may be queried on both valid and invalid challenges e; however, they are not required to reply (correctly) when their input is invalid. We show that key recovery can be reduced to inverting the NTRU function. The efficiency of the reduction depends heavily on the specific values of the parameters. As a side result, we connect the collisions of the NTRU function with decryption failures, which helps us gain a deeper insight into the NTRU primitive.
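The abstract's closing remark, that collisions of the NTRU function are tied to decryption failures, can be made concrete on a toy instance: if two pairs (r1, m1) and (r2, m2) with m1 ≠ m2 map to the same e = r·h + m (mod q), the decryption algorithm returns a single polynomial for e and therefore fails on at least one of the two preimages. The Python below is an added example, not code from the paper or from any NTRU implementation; the parameters N = 5, p = 3, q ∈ {8, 64} and the polynomials f, g are constructed here for illustration and carry no security, and the exhaustive inverse search and collision search are only feasible because they are so small.

```python
"""Added example (not from the paper): a toy NTRU instance showing why a
collision of the NTRU one-way function (r, m) -> e = r*h + m (mod q)
forces a decryption failure for at least one of the colliding pairs.

N = 5, p = 3, q in {8, 64} and the keys f, g are constructed for
illustration only; they carry no security."""
from itertools import product

N, P = 5, 3                      # ring Z[x]/(x^N - 1), small modulus p
ONE = [1] + [0] * (N - 1)        # multiplicative identity
F = [1, 1, 0, -1, 0]             # f = 1 + x - x^3, invertible mod 2 and mod 3
G = [1, 1, -1, 0, 0]             # g = 1 + x - x^2, invertible mod 2 (so h is a unit mod q)


def mul(a, b, mod):
    """Cyclic convolution a*b in Z_mod[x]/(x^N - 1); coefficients low to high."""
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % N] = (c[(i + j) % N] + ai * bj) % mod
    return c


def center(a, mod):
    """Map each coefficient to its representative in [-mod/2, mod/2)."""
    return [((x + mod // 2) % mod) - mod // 2 for x in a]


def invert_mod_prime(f, pr):
    """Inverse of f mod a prime pr by exhaustive search (only viable for tiny N)."""
    for cand in product(range(pr), repeat=N):
        if mul(f, list(cand), pr) == ONE:
            return list(cand)
    raise ValueError("f has no inverse mod %d" % pr)


def invert_mod_2k(f, q):
    """Inverse of f mod q = 2^k: inverse mod 2, then Newton steps x <- x(2 - f*x)."""
    inv, prec = invert_mod_prime(f, 2), 2
    while prec < q:                      # each step doubles the 2-adic precision
        two_minus_fx = [(2 * o - t) % q for o, t in zip(ONE, mul(f, inv, q))]
        inv = mul(inv, two_minus_fx, q)
        prec *= 2
    return inv


def keygen(f, g, q):
    """Public key h = p*g*f^-1 (mod q); private key is f together with f^-1 mod p."""
    f_p, f_q = invert_mod_prime(f, P), invert_mod_2k(f, q)
    return mul([P * x for x in g], f_q, q), f_p


def encrypt(h, r, m, q):
    """The NTRU one-way function on (r, m): e = r*h + m (mod q)."""
    return [(x + y) % q for x, y in zip(mul(r, h, q), m)]


def decrypt(f, f_p, e, q):
    """Standard decryption: a = center(f*e mod q), then m = center(f_p*a mod p)."""
    a = center(mul(f, e, q), q)
    return center(mul(f_p, a, P), P)


def find_collision(h, q):
    """Exhaustively look for two ternary pairs (r1, m1), (r2, m2) with m1 != m2
    and the same e; returns ((r1, m1), (r2, m2), e) or None."""
    vecs = [list(v) for v in product((-1, 0, 1), repeat=N)]
    seen = {}
    for r in vecs:
        rh = mul(r, h, q)
        for m in vecs:
            e = tuple((x + y) % q for x, y in zip(rh, m))
            if e in seen and seen[e][1] != m:
                return seen[e], (r, m), list(e)
            seen.setdefault(e, (r, m))
    return None


def decryption_failures(f, f_p, h, q, pairs):
    """Count the (r, m) pairs whose ciphertext does not decrypt back to m."""
    return sum(decrypt(f, f_p, encrypt(h, r, m, q), q) != m for r, m in pairs)


if __name__ == "__main__":
    for q in (8, 64):
        h, f_p = keygen(F, G, q)
        hit = find_collision(h, q)
        if hit is None:
            print("q=%d: no collision among ternary (r, m); the function is injective here" % q)
            continue
        (r1, m1), (r2, m2), e = hit
        print("q=%d: e=%s is reached from m1=%s and m2=%s" % (q, e, m1, m2))
        print("  decrypt(e) = %s, so at least one preimage is a decryption failure" % decrypt(F, f_p, e, q))
```

With q = 8 the search always finds a collision: 3^10 ternary (r, m) pairs land in only 8^5 ciphertexts, and since h is a unit mod 8 two pairs sharing an e must have different messages, so decryption of that e is wrong for at least one of them. With q = 64 the coefficients of 3·r·g + f·m stay below q/2 for these keys, every pair decrypts correctly, and the search reports no collision, which is the injective regime the real parameter sets aim for.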


Keywords: NTRUEncrypt; Inversion Oracles; Universal Breaking; Public-Key Cryptanalysis



Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Petros Mol, University of California, San Diego
  • Moti Yung, Google Inc. and Columbia University
