The Impact of Decryption Failures on the Security of NTRU Encryption

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2729)


NTRUEncrypt is unusual among public-key cryptosystems in that, with standard parameters, validly generated ciphertexts can fail to decrypt. This affects the provable security properties of a cryptosystem, as it limits the ability to build a simulator in the random oracle model without knowledge of the private key. We demonstrate attacks which use decryption failures to recover the private key. Such attacks work for all standard parameter sets, and one of them applies to any padding. The appropriate countermeasure is to change the parameter sets and possibly the decryption process so that decryption failures are vanishingly unlikely, and to adopt a padding scheme that prevents an attacker from directly controlling any part of the input to the encryption primitive. We outline one such candidate padding scheme.


Hash Function Security Level Random Oracle Random Oracle Model Provable Security 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Bellare, M., Desai, A., Pointcheval, D., Rogaway, P.: Relations among Notions of Security for Public-Key Encryption Schemes. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 26–45. Springer, Heidelberg (1998)Google Scholar
  2. 2.
    Bellare, M., Rogaway, P.: Optimal Asymmetric Encryption – How to Encrypt with RSA. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 92–111. Springer, Heidelberg (1995)CrossRefGoogle Scholar
  3. 3.
    EESS: Consortium for Efficient Embedded Security. Efficient Embedded Security Standards #1: Implementation Aspects of NTRU and NSS. Draft Version 3.0 (July 2001), available at
  4. 4.
    EESS: Consortium for Efficient Embedded Security. Efficient Embedded Security Standards #1: Implementation Aspects of NTRUEncrypt and NTRUSign. Version 1.0 (November 2002), available at
  5. 5.
    Fujisaki, E., Okamoto, T., Pointcheval, D., Stern, J.: RSA–OAEP is Secure under the RSA Assumption. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 260–274. Springer, Heidelberg (2001)Google Scholar
  6. 6.
    Gentry, C.: Key Recovery and Message Attacks on NTRU-Composite. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 182–194. Springer, Heidelberg (2001)Google Scholar
  7. 7.
    Gentry, C., Szydlo, M.: Cryptanalysis of the Revised NTRU Signature Scheme. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 299–320. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  8. 8.
    Goldwasser, S., Micali, S.: Probabilistic Encryption. Journal of Computer and System Sciences 28, 270–299 (1984)zbMATHCrossRefMathSciNetGoogle Scholar
  9. 9.
    Hall, C., Goldberg, I., Schneier, B.: Reaction Attacks Against Several Public- Key Cryptosystems. In: Varadharajan, V., Mu, Y. (eds.) ICICS 1999. LNCS, vol. 1726, pp. 2–12. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  10. 10.
    Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: A Ring-Based Public Key Cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  11. 11.
    Hoffstein, J., Silverman, J.H.: Random Small Hamming Weight Products With Applications To Cryptography. Discrete Applied Mathematics. To appear, available at [22]Google Scholar
  12. 12.
    Hoffstein, J., Silverman, J.H.: Invertibility in Truncated Polynomial Rings. Technical report, NTRU Cryptosystems (October 1998); Report #009, version 1, available at [22]Google Scholar
  13. 13.
    Hoffstein, J., Silverman, J.H.: Optimizations for NTRU. In: Public-key Cryptography and Computational Number Theory. DeGruyter (2000) To appear, available at [22]Google Scholar
  14. 14.
    Hoffstein, J., Silverman, J.H.: Protecting NTRU against Chosen Ciphertext and Reaction Attacks. Technical report, NTRU Cryptosystems (June 2000); Report #16, version 1, available at [22]Google Scholar
  15. 15.
    Hong, J., Han, J.W., Kwon, D., Han, D.: Chosen-Ciphertext Attacks on Optimized NTRU. Cryptology ePrint Archive: Report 2002/188Google Scholar
  16. 16.
    Howgrave-Graham, N., Silverman, J.H., Singer, A., Whyte, W.: NAEP: Provable Security in the Presence of Decryption Failures. Cryptology ePrint archive,
  17. 17.
    Jaulmes, E., Joux, A.: A Chosen Ciphertext Attack on NTRU. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 20–35. Springer, Heidelberg (2000)Google Scholar
  18. 18.
    May, A., Silverman, J.H.: Dimension Reduction Methods for Convolution Modular Lattices. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 110–125. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  19. 19.
    Meskanen, T., Renvall, A.: Wrap Error Attack Against NTRUEncrypt. To appear in Proc. of WCC 2003 (2003)Google Scholar
  20. 20.
    Naor, M., Yung, M.: Public-Key Cryptosystems Provably Secure against Chosen Ciphertext Attacks. In: Proc. of the 22nd STOC, pp. 427–437. ACM Press, New York (1990)Google Scholar
  21. 21.
    Nguyen, P.Q., Pointcheval, D.: Analysis and Improvements of NTRU Encryption Paddings. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 210–225. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  22. 22.
    NTRU Cryptosystems. Technical reports (2002), Available at
  23. 23.
    Okamoto, T., Pointcheval, D.: REACT: Rapid Enhanced-security Asymmetric Cryptosystem Transform. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 159–175. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  24. 24.
    Proos, J.: Imperfect Decryption and an Attack on the NTRU Encryption Scheme. Cryptology ePrint Archive: Report 2003/002Google Scholar
  25. 25.
    Rackoff, C., Simon, D.R.: Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 433–444. Springer, Heidelberg (1992)Google Scholar
  26. 26.
    Silverman, J.H.: Estimated breaking times for NTRU lattices. Technical report, NTRU Cryptosystems (March 1999); Report #012, version 1, available at [22]Google Scholar
  27. 27.
    Silverman, J.H., Whyte, W.: Estimating Decryption Failure Probabilities for NTRUEncrypt. Technical report, NTRU Cryptosystems (May 2003); Report #018, version 1, available at [22]Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  1. 1.NTRU CryptosystemsBurlingtonUSA
  2. 2.CNRS/ENS–DIParisFrance
  3. 3.University of WaterlooWaterlooCanada

Personalised recommendations