Cryptanalysis of an NTRU-Based Proxy Encryption Scheme from ASIACCS’15

  • Zhen Liu
  • Yanbin Pan
  • Zhenfei Zhang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11505)


In ASIACCS 2015, Nuñez, Agudo, and Lopez proposed a proxy re-encryption scheme, NTRUReEncrypt, based on NTRU, which allows a proxy to translate a ciphertext under the delegator’s public key into a re-encrypted ciphertext that can be decrypted correctly with the delegatee’s private key. In addition to its potential resistance to quantum algorithms, the scheme was also considered to be efficient. However, in this paper we point out that the re-encryption process increases the decryption error, and that the increased decryption error leads to a reaction attack that enables the proxy to recover the private key of the delegator and the delegatee. Moreover, we propose a second attack which enables the delegatee to recover the private key of the delegator when he collects enough re-encrypted ciphertexts of the same message. We reevaluate the security of NTRUReEncrypt, and also give suggestions and discussions on potential mitigation methods.


Keywords: NTRUReEncrypt · NTRU · Decryption failure · Reaction attack · Key recovery



The authors would like to thank David Nuñez for his helpful discussions.



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. Key Laboratory of Mathematics Mechanization, NCMIS, Academy of Mathematics and Systems Science, Chinese Academy of Sciences, Beijing, China
  2. State Key Laboratory of Cryptology, Beijing, China
  3. School of Mathematical Sciences, University of Chinese Academy of Sciences, Beijing, China
  4. Algorand, Boston, USA
