An Algebraic Broadcast Attack against NTRU

  • Jintai Ding
  • Yanbin Pan
  • Yingpu Deng
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7372)


In this paper, we propose an algebraic broadcast attack against NTRU, which recovers a single message encrypted multiple times using different NTRU public keys. Namely, when a message is broadcasted, under some reasonable assumptions, our attack can be completed in polynomial time and space. To the best of our knowledge, this is the first successful broadcast attack against NTRU.


Broadcast attack NTRU lattice-based cryptosystems LWE 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Arora, S., Ge, R.: New Algorithm for Learning in Presence of Errors,
  2. 2.
    Buchmann, J., Cabarcas, D., Ding, J., Mohamed, M.S.E.: Flexible Partial Enlargement to Accelerate Gröbner Basis Computation over \(\mathbb{F}_2\). In: Bernstein, D.J., Lange, T. (eds.) AFRICACRYPT 2010. LNCS, vol. 6055, pp. 69–81. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  3. 3.
    Coppersmith, D., Shamir, A.: Lattice Attacks on NTRU. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 52–61. Springer, Heidelberg (1997)Google Scholar
  4. 4.
    Courtois, N.T., Klimov, A.B., Patarin, J., Shamir, A.: Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 392–407. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  5. 5.
    Ding, J.: Solving LWE problem with bounded errors in polynomial time. Cryptology ePrint Archive, Report 2010/558 (2010)Google Scholar
  6. 6.
    Ding, J.: Fast Algorithm to solve a family of SIS problem with l  ∞  norm. Cryptology ePrint Archive, Report 2010/581 (2010)Google Scholar
  7. 7.
    Ding, J.: Algebraic solvers for certain lattice-related problems. In: 2011 IEEE Information Theory Workshop (ITW), pp. 405–409. IEEE Conference Publications (2011)Google Scholar
  8. 8.
    Gama, N., Nguyên, P.Q.: New Chosen-Ciphertext Attacks on NTRU. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 89–106. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  9. 9.
    Hästad, J.: Solving simultaneous modular equations of low degree. SIAM J. Comput. 17, 336–341 (1988)MathSciNetCrossRefGoogle Scholar
  10. 10.
    Hoffstein, J., Silverman, J.H.: Implementation Notes for NTRU PKCS Multiple Transmissions, Report #6, NTRU Technical Reports,
  11. 11.
    Hoffstein, J., Silverman, J.H.: Optimizations for NTRU. Technical report, NTRU Cryptosystems (June 2000),
  12. 12.
    Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: A Ring-Based Public Key Cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  13. 13.
    Howgrave-Graham, N.: A Hybrid Lattice-Reduction and Meet-in-the-Middle Attack Against NTRU. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 150–169. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  14. 14.
    Howgrave-Graham, N., Nguyên, P.Q., Pointcheval, D., Proos, J., Silverman, J.H., Singer, A., Whyte, W.: The Impact of Decryption Failures on the Security of NTRU Encryption. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 226–246. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  15. 15.
    Howgrave-Graham, N., Silverman, J.H., Whyte, W.: A Meet-In-The-Meddle Attack on an NTRU Private Key. Technical Report,
  16. 16.
    Howgrave-Graham, N., Silverman, J.H., Whyte, W.: Choosing Parameter Sets for NTRUEncrypt with NAEP and SVES-3. Technical Report, NTRU Cryptosystems (2005)Google Scholar
  17. 17.
    Hirschhorn, P.S., Hoffstein, J., Howgrave-Graham, N., Whyte, W.: Choosing NTRUEncrypt Parameters in Light of Combined Lattice Reduction and MITM Approaches. In: Abdalla, M., Pointcheval, D., Fouque, P.-A., Vergnaud, D. (eds.) ACNS 2009. LNCS, vol. 5536, pp. 437–455. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  18. 18.
    IEEE. P1363.1 Public-Key Cryptographic Techniques Based on Hard Problems over Lattices. IEEE (June 2003),
  19. 19.
    May, A., Silverman, J.H.: Dimension Reduction Methods for Convolution Modular Lattices. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 110–125. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  20. 20.
    Mol, P., Yung, M.: Recovering NTRU Secret Key from Inversion Oracles. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 18–36. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  21. 21.
    Nguyên, P.Q., Pointcheval, D.: Analysis and Improvements of NTRU Encryption Paddings. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 210–225. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  22. 22.
    Plantard, T., Susilo, W.: Broadcast Attacks against Lattice-Based Cryptosystems. In: Abdalla, M., Pointcheval, D., Fouque, P.-A., Vergnaud, D. (eds.) ACNS 2009. LNCS, vol. 5536, pp. 456–472. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  23. 23.
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Johnson, D.S., Feige, U. (eds.) Proc. of 37th STOC, pp. 84–93. ACM (2005)Google Scholar
  24. 24.
    Shoup, V.: NTL: A library for doing number theory,

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Jintai Ding
    • 1
    • 2
  • Yanbin Pan
    • 3
  • Yingpu Deng
    • 3
  1. 1.Chongqing UniversityChina
  2. 2.Department of Mathematical SciencesUniversity of CincinnatiUSA
  3. 3.Key Laboratory of Mathematics Mechanization, Academy of Mathematics and Systems ScienceChinese Academy of SciencesChina

Personalised recommendations