Abstract
NTRUEncrypt is unusual among public-key cryptosystems in that, with standard parameters, validly generated ciphertexts can fail to decrypt. This affects the provable security properties of a cryptosystem, as it limits the ability to build a simulator in the random oracle model without knowledge of the private key. We demonstrate attacks which use decryption failures to recover the private key. Such attacks work for all standard parameter sets, and one of them applies to any padding. The appropriate countermeasure is to change the parameter sets and possibly the decryption process so that decryption failures are vanishingly unlikely, and to adopt a padding scheme that prevents an attacker from directly controlling any part of the input to the encryption primitive. We outline one such candidate padding scheme.
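The decryption failures the abstract refers to are "wrap" errors: decryption recovers p·r·g + f·m modulo q, and if any coefficient of that polynomial lies outside the centred range [-q/2, q/2) the mod-p step returns the wrong message. The following toy implementation is an added example (not the paper's code and not an NTRU Cryptosystems implementation) that performs an NTRUEncrypt key generation, encryption and decryption in Z[x]/(x^N - 1) and checks, using the private polynomials, whether a wrap occurred. The parameter set N = 11, p = 3, q = 32 and the weights of f, g and r are assumptions chosen so that failures appear within a few hundred honestly generated ciphertexts; real parameter sets use N in the hundreds and are tuned so that this rate is far smaller.

```python
"""Toy NTRUEncrypt round trip with an explicit decryption-failure ("wrap") check.

Constructed illustration, not the paper's code. Parameters are deliberately
tiny (assumption) so that wrap errors show up in a handful of trials.
"""
import random

N, P, Q = 11, 3, 32          # toy ring Z[x]/(x^N - 1), small modulus p, large modulus q


def conv(a, b, mod=None):
    """Cyclic convolution (multiplication in Z[x]/(x^N - 1)), optionally reduced mod `mod`."""
    c = [0] * N
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                c[(i + j) % N] += ai * bj
    return [x % mod for x in c] if mod else c


def centre(a, mod):
    """Lift coefficients from Z_mod to the centred range [-mod//2, mod//2)."""
    return [((x + mod // 2) % mod) - mod // 2 for x in a]


def inverse_mod_prime(f, p):
    """Inverse of f in Z_p[x]/(x^N - 1) via Gaussian elimination on its circulant matrix, or None."""
    M = [[f[(k - j) % N] % p for j in range(N)] + [1 if k == 0 else 0] for k in range(N)]
    for col in range(N):
        piv = next((r for r in range(col, N) if M[r][col]), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], p - 2, p)         # Fermat inverse, p prime
        M[col] = [(x * inv) % p for x in M[col]]
        for r in range(N):
            if r != col and M[r][col]:
                fac = M[r][col]
                M[r] = [(x - fac * y) % p for x, y in zip(M[r], M[col])]
    return [M[k][N] for k in range(N)]


def inverse_mod_power_of_two(f, q):
    """Inverse mod q = 2^k: invert mod 2, then Newton-lift g <- g(2 - fg) until precision reaches q."""
    g = inverse_mod_prime(f, 2)
    if g is None:
        return None
    m = 2
    while m < q:
        m = min(m * m, q)
        t = [(-c) % m for c in conv(f, g, m)]  # -f*g mod m
        t[0] = (t[0] + 2) % m                   # 2 - f*g
        g = conv(g, t, m)
    return g


def random_poly(rng, ones, neg_ones):
    """Ternary polynomial with the given numbers of +1 and -1 coefficients."""
    coeffs = [1] * ones + [-1] * neg_ones + [0] * (N - ones - neg_ones)
    rng.shuffle(coeffs)
    return coeffs


def keygen(rng, df=4, dg=4):
    """Private (f, f_p, g) and public h = f_q * g mod q, retrying until f is invertible."""
    while True:
        f = random_poly(rng, df, df - 1)
        fp, fq = inverse_mod_prime(f, P), inverse_mod_power_of_two(f, Q)
        if fp is not None and fq is not None:
            break
    g = random_poly(rng, dg, dg)
    return (f, fp, g), conv(fq, g, Q)


def encrypt(h, m, r):
    """e = p*r*h + m mod q, with ternary message m and blinding polynomial r."""
    return [(P * x + y) % Q for x, y in zip(conv(r, h), m)]


def decrypt(f, fp, e):
    """a = f*e mod q, centred (equals p*r*g + f*m over Z when no wrap occurs); m = f_p * a mod p."""
    a = centre(conv(f, e, Q), Q)
    return centre(conv(fp, a, P), P)


def wraps(f, g, r, m):
    """True when a coefficient of p*r*g + f*m lies outside [-q/2, q/2): a decryption failure."""
    true = [P * x + y for x, y in zip(conv(r, g), conv(f, m))]
    return any(not (-(Q // 2) <= c < Q // 2) for c in true)


def key_is_valid(seed):
    """Sanity check: f * f_p = 1 mod p and f * h = g mod q for the key derived from `seed`."""
    rng = random.Random(seed)
    (f, fp, g), h = keygen(rng)
    one = [1] + [0] * (N - 1)
    return conv(f, fp, P) == one and conv(f, h, Q) == [x % Q for x in g]


def trial(seed, dr=3):
    """One keygen/encrypt/decrypt run; returns (m, recovered m, whether a wrap occurred)."""
    rng = random.Random(seed)
    (f, fp, g), h = keygen(rng)
    r = random_poly(rng, dr, dr)
    m = [rng.choice((-1, 0, 1)) for _ in range(N)]
    return m, decrypt(f, fp, encrypt(h, m, r)), wraps(f, g, r, m)


def failure_rate(trials, seed=0):
    """Empirical fraction of honestly generated ciphertexts that fail to decrypt."""
    return sum(trial(seed + i)[2] for i in range(trials)) / trials


if __name__ == "__main__":
    print("empirical decryption-failure rate:", failure_rate(200))
```

With these toy weights every coefficient of p·r·g + f·m is bounded well below 3q/2, so a ciphertext decrypts correctly exactly when `wraps` is false; the `wraps` check needs g and r and is therefore only usable offline, by the party choosing parameters, which is how one estimates the failure probability that the abstract's countermeasure (parameters and decryption process making failures vanishingly unlikely) is meant to drive down.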
References
Bellare, M., Desai, A., Pointcheval, D., Rogaway, P.: Relations among Notions of Security for Public-Key Encryption Schemes. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 26–45. Springer, Heidelberg (1998)
Bellare, M., Rogaway, P.: Optimal Asymmetric Encryption – How to Encrypt with RSA. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 92–111. Springer, Heidelberg (1995)
EESS: Consortium for Efficient Embedded Security. Efficient Embedded Security Standards #1: Implementation Aspects of NTRU and NSS. Draft Version 3.0 (July 2001), available at http://www.ceesstandards.org
EESS: Consortium for Efficient Embedded Security. Efficient Embedded Security Standards #1: Implementation Aspects of NTRUEncrypt and NTRUSign. Version 1.0 (November 2002), available at http://www.ceesstandards.org
Fujisaki, E., Okamoto, T., Pointcheval, D., Stern, J.: RSA–OAEP is Secure under the RSA Assumption. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 260–274. Springer, Heidelberg (2001)
Gentry, C.: Key Recovery and Message Attacks on NTRU-Composite. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 182–194. Springer, Heidelberg (2001)
Gentry, C., Szydlo, M.: Cryptanalysis of the Revised NTRU Signature Scheme. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 299–320. Springer, Heidelberg (2002)
Goldwasser, S., Micali, S.: Probabilistic Encryption. Journal of Computer and System Sciences 28, 270–299 (1984)
Hall, C., Goldberg, I., Schneier, B.: Reaction Attacks Against Several Public-Key Cryptosystems. In: Varadharajan, V., Mu, Y. (eds.) ICICS 1999. LNCS, vol. 1726, pp. 2–12. Springer, Heidelberg (1999)
Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: A Ring-Based Public Key Cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998)
Hoffstein, J., Silverman, J.H.: Random Small Hamming Weight Products With Applications To Cryptography. Discrete Applied Mathematics. To appear, available at [22]
Hoffstein, J., Silverman, J.H.: Invertibility in Truncated Polynomial Rings. Technical report, NTRU Cryptosystems (October 1998); Report #009, version 1, available at [22]
Hoffstein, J., Silverman, J.H.: Optimizations for NTRU. In: Public-key Cryptography and Computational Number Theory. DeGruyter (2000) To appear, available at [22]
Hoffstein, J., Silverman, J.H.: Protecting NTRU against Chosen Ciphertext and Reaction Attacks. Technical report, NTRU Cryptosystems (June 2000); Report #16, version 1, available at [22]
Hong, J., Han, J.W., Kwon, D., Han, D.: Chosen-Ciphertext Attacks on Optimized NTRU. Cryptology ePrint Archive: Report 2002/188
Howgrave-Graham, N., Silverman, J.H., Singer, A., Whyte, W.: NAEP: Provable Security in the Presence of Decryption Failures. Cryptology ePrint Archive, http://eprint.iacr.org
Jaulmes, E., Joux, A.: A Chosen Ciphertext Attack on NTRU. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 20–35. Springer, Heidelberg (2000)
May, A., Silverman, J.H.: Dimension Reduction Methods for Convolution Modular Lattices. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 110–125. Springer, Heidelberg (2001)
Meskanen, T., Renvall, A.: Wrap Error Attack Against NTRUEncrypt. To appear in Proc. of WCC 2003 (2003)
Naor, M., Yung, M.: Public-Key Cryptosystems Provably Secure against Chosen Ciphertext Attacks. In: Proc. of the 22nd STOC, pp. 427–437. ACM Press, New York (1990)
Nguyen, P.Q., Pointcheval, D.: Analysis and Improvements of NTRU Encryption Paddings. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 210–225. Springer, Heidelberg (2002)
NTRU Cryptosystems. Technical reports (2002), available at http://www.ntru.com
Okamoto, T., Pointcheval, D.: REACT: Rapid Enhanced-security Asymmetric Cryptosystem Transform. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 159–175. Springer, Heidelberg (2001)
Proos, J.: Imperfect Decryption and an Attack on the NTRU Encryption Scheme. Cryptology ePrint Archive: Report 2003/002
Rackoff, C., Simon, D.R.: Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 433–444. Springer, Heidelberg (1992)
Silverman, J.H.: Estimated breaking times for NTRU lattices. Technical report, NTRU Cryptosystems (March 1999); Report #012, version 1, available at [22]
Silverman, J.H., Whyte, W.: Estimating Decryption Failure Probabilities for NTRUEncrypt. Technical report, NTRU Cryptosystems (May 2003); Report #018, version 1, available at [22]
© 2003 Springer-Verlag Berlin Heidelberg
Howgrave-Graham, N. et al. (2003). The Impact of Decryption Failures on the Security of NTRU Encryption. In: Boneh, D. (eds) Advances in Cryptology - CRYPTO 2003. CRYPTO 2003. Lecture Notes in Computer Science, vol 2729. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-45146-4_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-40674-7
Online ISBN: 978-3-540-45146-4