The Impact of Decryption Failures on the Security of NTRU Encryption

NTRUENCRYPT is unusual among public-key cryptosystems in that, with standard parameters, validly generated ciphertexts can fail to decrypt. This affects the provable security properties of the cryptosystem: whether a given ciphertext fails depends on the private key, which limits the ability to build a simulator in the random oracle model without knowledge of that key. We demonstrate attacks that use decryption failures to recover the private key. These attacks work for all standard parameter sets, and one of them applies to any padding. The appropriate countermeasure is to change the parameter sets, and possibly the decryption process, so that decryption failures are vanishingly unlikely, and to adopt a padding scheme that prevents an attacker from directly controlling any part of the input to the encryption primitive. We outline one such candidate padding scheme.
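To make the decryption-failure mechanism concrete, the following is an added toy implementation and is not code from the paper or from NTRU Cryptosystems. It assumes toy parameters N = 11, p = 3, q = 31 (q is taken prime only so that f^-1 mod q can be found by Gaussian elimination; the standard parameter sets use a power-of-two q and far larger N), the f = 1 + p*F key form so that decryption needs no inverse mod p, and h = p*g*f_q mod q with e = r*h + m mod q. The decryptor computes f*e mod q, centers it, and reads off m mod p; this is correct exactly when every coefficient of the integer polynomial p*r*g + f*m lies within (-q/2, q/2). The function adversarial_failure uses r and m correlated with the private key (these require knowledge of the key, so they are not an attack, only an exhibit of why a wrapped coefficient yields the wrong message), and trial_stats counts failures for random honest inputs and checks that a failure happens exactly when some coefficient exceeds q/2.

```python
"""Toy NTRU to show how a validly generated ciphertext can fail to decrypt.

Assumed toy parameters (not a standard NTRU set): N = 11, p = 3, q = 31.
"""
import random

N, P, Q = 11, 3, 31


def ring_mul(a, b, mod=None):
    """Multiply in Z[x]/(x^N - 1); reduce coefficients mod `mod` if given."""
    c = [0] * N
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                c[(i + j) % N] += ai * bj
    return c if mod is None else [x % mod for x in c]


def center(a, mod):
    """Reduce each coefficient into the symmetric interval [-(mod//2), mod//2] (odd mod)."""
    return [((x + mod // 2) % mod) - mod // 2 for x in a]


def ring_inverse(f, mod):
    """Inverse of f in Z_mod[x]/(x^N - 1) for prime mod, by solving the circulant
    system M v = e_0 with M[k][j] = f[(k - j) % N]. Returns None if f is not invertible."""
    rows = [[f[(k - j) % N] % mod for j in range(N)] + [int(k == 0)] for k in range(N)]
    for col in range(N):
        piv = next((r for r in range(col, N) if rows[r][col]), None)
        if piv is None:
            return None
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], -1, mod)
        rows[col] = [x * inv % mod for x in rows[col]]
        for r in range(N):
            if r != col and rows[r][col]:
                fac = rows[r][col]
                rows[r] = [(x - fac * y) % mod for x, y in zip(rows[r], rows[col])]
    return [rows[k][N] for k in range(N)]


def ternary(rng, d):
    """Polynomial with d coefficients equal to +1, d equal to -1, the rest 0."""
    poly = [0] * N
    idx = rng.sample(range(N), 2 * d)
    for i in idx[:d]:
        poly[i] = 1
    for i in idx[d:]:
        poly[i] = -1
    return poly


def private_f(F):
    """f = 1 + p*F, so f == 1 (mod p) and decryption needs no inverse of f mod p."""
    return [int(i == 0) + P * x for i, x in enumerate(F)]


def keygen(rng, d_f=2, d_g=3):
    """Private key (F, g); public key h = p*g*f_q mod q."""
    while True:
        F = ternary(rng, d_f)
        f_q = ring_inverse(private_f(F), Q)
        if f_q is not None:
            break
    g = ternary(rng, d_g)
    h = ring_mul([P * x for x in g], f_q, Q)
    return (F, g), h


def encrypt(h, m, r):
    """e = r*h + m mod q, with m and r ternary."""
    return [(x + y) % Q for x, y in zip(ring_mul(r, h, Q), m)]


def decrypt(F, e):
    """a = center(f*e mod q) equals p*r*g + f*m over Z iff no coefficient of that
    polynomial exceeds q/2 in magnitude; then a mod p == m because f == 1 (mod p)."""
    a = center(ring_mul(private_f(F), e, Q), Q)
    return center(a, P)


def decryption_input(F, g, r, m):
    """The integer polynomial p*r*g + f*m that the decryptor must recover exactly."""
    prg = ring_mul([P * x for x in r], g)
    fm = ring_mul(private_f(F), m)
    return [x + y for x, y in zip(prg, fm)]


def reverse(poly):
    """x -> x^-1 in the ring: coefficient i moves to index -i mod N."""
    return [poly[-i % N] for i in range(N)]


def adversarial_failure(seed=1):
    """Key-correlated inputs (assumed toy exhibit, needs the private key): r = g(x^-1)
    gives (r*g)_0 = 6 and m = F(x^-1) gives (F*m)_0 = 4, so the constant coefficient of
    p*r*g + f*m is 18 + 12 + F_0 >= 29 > q/2; it wraps mod q and decryption is wrong."""
    rng = random.Random(seed)
    (F, g), h = keygen(rng)
    r, m = reverse(g), reverse(F)
    return decrypt(F, encrypt(h, m, r)) != m


def trial_stats(seed=2, trials=200, d_r=3):
    """Random honest (m, r) under one key: count decryption failures and check that a
    failure occurs exactly when some coefficient of p*r*g + f*m exceeds q/2."""
    rng = random.Random(seed)
    (F, g), h = keygen(rng)
    failures, consistent = 0, True
    for _ in range(trials):
        m = [rng.choice((-1, 0, 1)) for _ in range(N)]
        r = ternary(rng, d_r)
        failed = decrypt(F, encrypt(h, m, r)) != m
        wrapped = max(abs(c) for c in decryption_input(F, g, r, m)) > Q // 2
        consistent = consistent and (failed == wrapped)
        failures += int(failed)
    return failures, trials, consistent


if __name__ == "__main__":
    print("key-correlated (r, m) fails to decrypt:", adversarial_failure())
    fails, trials, ok = trial_stats()
    print(f"random honest inputs: {fails}/{trials} failures; failure <=> wrap: {ok}")
```

With these deliberately tight toy parameters a sizeable fraction of honest ciphertexts fail, which is what makes the effect visible; the abstract's countermeasure of choosing parameters so that failures are vanishingly unlikely corresponds to making q large relative to the worst-case coefficient of p*r*g + f*m, and its padding recommendation corresponds to denying the attacker direct control over r and m.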
