New Chosen-Ciphertext Attacks on NTRU

11 years 7 months ago
New Chosen-Ciphertext Attacks on NTRU
We present new and efficient key-recovery chosen-ciphertext attacks on NTRUencrypt. Our attacks are somewhat intermediate between chosen-ciphertext attacks on NTRUencrypt previously published at CRYPTO ’00 and CRYPTO ’03. Namely, the attacks only work in the presence of decryption failures; we only submit valid ciphertexts to the decryption oracle, where the plaintexts are chosen uniformly at random; and the number of oracle queries is small. Interestingly, our attacks can also be interpreted from a provable security point of view: in practice, if one had access to a NTRUencrypt decryption oracle such that the parameter set allows decryption failures, then one could recover the secret key. For instance, for the initial NTRU-1998 parameter sets, the output of the decryption oracle on a single decryption failure is enough to recover the secret key.
Nicolas Gama, Phong Q. Nguyen
Added 09 Jun 2010
Updated 09 Jun 2010
Type Conference
Year 2007
Where PKC
Authors Nicolas Gama, Phong Q. Nguyen
Comments (0)