New Chosen-Ciphertext Attacks on NTRU

  • Nicolas Gama
  • Phong Q. Nguyen
Conference paper

DOI: 10.1007/978-3-540-71677-8_7

Part of the Lecture Notes in Computer Science book series (LNCS, volume 4450)
Cite this paper as:
Gama N., Nguyen P.Q. (2007) New Chosen-Ciphertext Attacks on NTRU. In: Okamoto T., Wang X. (eds) Public Key Cryptography – PKC 2007. PKC 2007. Lecture Notes in Computer Science, vol 4450. Springer, Berlin, Heidelberg


We present new and efficient key-recovery chosen-ciphertext attacks on NTRUencrypt. Our attacks are somewhat intermediate between chosen-ciphertext attacks on NTRUencrypt previously published at CRYPTO ’00 and CRYPTO ’03. Namely, the attacks only work in the presence of decryption failures; we only submit valid ciphertexts to the decryption oracle, where the plaintexts are chosen uniformly at random; and the number of oracle queries is small. Interestingly, our attacks can also be interpreted from a provable security point of view: in practice, if one had access to an NTRUencrypt decryption oracle such that the parameter set allows decryption failures, then one could recover the secret key. For instance, for the initial NTRU-1998 parameter sets, the output of the decryption oracle on a single decryption failure is enough to recover the secret key.

Copyright information

© Springer Berlin Heidelberg 2007

Authors and Affiliations

  • Nicolas Gama (1)
  • Phong Q. Nguyen (2)
  1. École normale supérieure, DI, 45 rue d’Ulm, 75005 Paris, France
  2. CNRS/École normale supérieure, DI, 45 rue d’Ulm, 75005 Paris, France
