Choosing NTRUEncrypt Parameters in Light of Combined Lattice Reduction and MITM Approaches

  • Philip S. Hirschhorn
  • Jeffrey Hoffstein
  • Nick Howgrave-Graham
  • William Whyte
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5536)


We present the new NTRUEncrypt parameter generation algorithm, which is designed to be secure in light of recent attacks that combine lattice reduction and meet-in-the-middle (MITM) techniques. The parameters generated from our algorithm have been submitted to several standard bodies and are presented at the end of the paper.


Security Level Lattice Reduction Message Recovery MITM Attack Extrapolation Line 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Babai, L.: On Lovasz’ lattice reduction and the nearest lattice point problem. Combinatorica 6(1), 1–13 (1986)MathSciNetCrossRefzbMATHGoogle Scholar
  2. 2.
    Cavallar, S., Dodson, B., Lenstra, A.K., Lioen, W., Montgomery, P.L., Murphy, B., te Riele, H.J.J., et al.: Factorization of a 512-bit RSA modulus. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 1–17. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  3. 3.
    Coppersmith, D., Shamir, A.: Lattice Attack on NTRU. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 52–61. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  4. 4.
    Gama, N., Nguyen, P.Q.: Predicting lattice reduction. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 31–51. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  5. 5.
    Gentry, C.: Key recovery and message attacks on NTRU-composite. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, p. 182. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  6. 6.
    Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: A new high speed public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  7. 7.
    Hoffstein, J., Silverman, J.H.: Invertibility in truncated polynomial rings.  Technical report, NTRU Cryptosystems, Report #009, version 1 (October 1998),
  8. 8.
    Hoffstein, J., Silverman, J.H.: Random small hamming weight products with applications to cryptography. Discrete Applied Mathematics 130(1), 37–49 (2003)MathSciNetCrossRefzbMATHGoogle Scholar
  9. 9.
    Howgrave-Graham, N., Nguyen, P., Pointcheval, D., Proos, J., Silverman, J.H., Singer, A., Whyte, W.: The Impact of Decryption Failures on the Security of NTRU Encryption. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 226–246. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  10. 10.
    Howgrave-Graham, N., Silverman, J.H., Singer, A., Whyte, W.: NAEP: Provable Security in the Presence of Decryption Failures IACR ePrint Archive, Report 2003-172,
  11. 11.
    Howgrave-Graham, N., Silverman, J.H., Whyte, W.: Choosing Parameter Sets for NTRUEncrypt with NAEP and SVES-3 CT-RSA, pp. 118–135 (2005)Google Scholar
  12. 12.
    Howgrave-Graham, N.: A hybrid meet-in-the-middle and lattice reduction attack on NTRU. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 150–169. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  13. 13.
    Joux, A., Howgrave-Graham, N.: Generalized birthday problems applied to subset sum (manuscript)Google Scholar
  14. 14.
    Lenstra, A., Verheul, E.: Selecting Cryptographic Key Sizes. Journal of Cryptology 14(4), 255–293 (2001)MathSciNetCrossRefzbMATHGoogle Scholar
  15. 15.
    Micciancio, D.: Improving Lattice Based Cryptosystems Using the Hermite Normal Form. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 126–145. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  16. 16.
    Mol, P., Yung, M.: Recovering NTRU Secret Key from Inversion Oracles. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 18–36. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  17. 17.
    Rivest, R., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 21, 120–126 (1978)MathSciNetCrossRefzbMATHGoogle Scholar
  18. 18.
    RSA Laboratories, RSAES-OAEP Encryption Scheme,
  19. 19.
    Schnorr, C.P.: Lattice Reduction by Random Sampling and Birthday Methods. In: Alt, H., Habib, M. (eds.) STACS 2003. LNCS, vol. 2607, pp. 145–156. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  20. 20.
    Vaudenay, S.: Hidden Collisions on DSS. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 83–88. Springer, Heidelberg (1996)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Philip S. Hirschhorn
    • 1
  • Jeffrey Hoffstein
    • 2
  • Nick Howgrave-Graham
    • 3
  • William Whyte
    • 3
  1. 1.Wellesley CollegeUSA
  2. 2.Brown UniversityUSA
  3. 3.NTRU Cryptosystems, Inc.USA

Personalised recommendations