We present new and efficient key-recovery chosen-ciphertext attacks on NTRUencrypt. Our attacks are somewhat intermediate between chosen-ciphertext attacks on NTRUencrypt previously published at CRYPTO '00 and CRYPTO '03. Namely, the attacks only work in the presence of decryption failures; we only submit valid ciphertexts to the decryption oracle, where the plaintexts are chosen uniformly at random; and the number of oracle queries is small. Interestingly, our attacks can also be interpreted from a provable-security point of view: in practice, if one had access to an NTRUencrypt decryption oracle such that the parameter set allows decryption failures, then one could recover the secret key. For instance, for the initial NTRU-1998 parameter sets, the output of the decryption oracle on a single decryption failure is enough to recover the secret key.