New chosen-ciphertext attacks on NTRU

Authors:
Nicolas Gama;Phong Q. Nguyen
Affiliations:
École normale supérieure, Paris, France;CNRS, École normale supérieure, Paris, France
Venue:
PKC'07 Proceedings of the 10th international conference on Practice and theory in public-key cryptography
Year:
2007

Citing 5
Cited 5

Cryptanalysis of the Revised NTRU Signature Scheme

EUROCRYPT '02 Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology
NTRU: A Ring-Based Public Key Cryptosystem

ANTS-III Proceedings of the Third International Symposium on Algorithmic Number Theory
Key recovery attacks on NTRU without ciphertext validation routine

ACISP'03 Proceedings of the 8th Australasian conference on Information security and privacy
NTRUSign: digital signatures using the NTRU lattice

CT-RSA'03 Proceedings of the 2003 RSA conference on The cryptographers' track
Learning a parallelepiped: cryptanalysis of GGH and NTRU signatures

EUROCRYPT'06 Proceedings of the 24th annual international conference on The Theory and Applications of Cryptographic Techniques

Quantum resistant public key cryptography: a survey

Proceedings of the 8th Symposium on Identity and Trust on the Internet
When Compromised Readers Meet RFID

Information Security Applications
Recovering NTRU secret key from inversion oracles

PKC'08 Proceedings of the Practice and theory in public key cryptography, 11th international conference on Public key cryptography
An algebraic broadcast attack against NTRU

ACISP'12 Proceedings of the 17th Australasian conference on Information Security and Privacy
First-order collision attack on protected NTRU cryptosystem

Microprocessors & Microsystems

Quantified Score

Hi-index	0.01

Visualization

Abstract

We present new and efficient key-recovery chosen-ciphertext attacks on NTRUencrypt. Our attacks are somewhat intermediate between chosen-ciphertext attacks on NTRUencrypt previously published at CRYPTO '00 and CRYPTO '03. Namely, the attacks only work in the presence of decryption failures; we only submit valid ciphertexts to the decryption oracle, where the plaintexts are chosen uniformly at random; and the number of oracle queries is small. Interestingly, our attacks can also be interpreted from a provable security point of view: in practice, if one had access to a NTRUencrypt decryption oracle such that the parameter set allows decryption failures, then one could recover the secret key. For instance, for the initial NTRU-1998 parameter sets, the output of the decryption oracle on a single decryption failure is enough to recover the secret key.