Protecting NTRU Against Chosen Ciphertext and Reaction Attacks

This report describes how the Fujisaki-Okamoto Self-Referential Technique (FOSRT) can be used to make the NTRU Public Key Cryptosystem resistant to adaptive chosen ciphertext attacks and to reaction attacks. Many asymmetric ciphers are susceptible to (adaptive) chosen ciphertext attacks. An attacker sends a series of purported ciphertexts e1, e2, ... and uses the decryptions to deduce information about either the secret key or about an intercepted ciphertext e that was used to create e1, e2, .... The user Alice may try to guard against such attacks by padding her plaintext so that Bob can distinguish valid plaintexts from invalid ones, but then the attacker may be able to gain useful information simply by observing which ciphertexts are accepted and which are rejected. An example of such an attack against RSA and a suggested defense can be found in [2] and [3]. Adaptive chosen ciphertext attacks against NTRU have also been formulated and various countermeasures described, see [9] and [10]. Another type of attack, called a reaction attack [6], can be used against some cryptosystems, including NTRU [8]. In a reaction attack, one takes a ciphertext e and creates ciphertexts e1, e2, ... such that for each ciphertext ei there is a significant positive probability that it will decrypt to the same plaintext as e and a significant positive probability that it will decrypt to a different plaintext than e. Some specific reaction attacks against NTRU, again with assorted countermeasures, are given in [8] and [9]. In this report we describe two methods of Fujisaki and Okamoto [5] that can be used to defend NTRU against both adaptive chosen ciphertext attacks and reaction attacks. The basic idea is to use a hash of the plaintext (suitably padded) as the random component required in the encryption process. The decrypted plaintext is then checked by redoing the encryption.
Since the plaintext reinserts itself into the encryption process, we have dubbed this the Fujisaki-Okamoto Self-Referential Technique (FOSRT). Although FOSRT, as applied to NTRU, has a small drawback in that it requires computation of one extra convolution product, NTRU remains extremely fast even with this extra computation. We also note that an alternative defense against chosen ciphertext and reaction attacks takes advantage of NTRU’s fast key creation to create transient (e.g., one-per-session) keys.
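As an added illustration (not code from the report), the following toy NTRU over Z[x]/(x^7 - 1) applies the self-referential check: the blinding polynomial r is derived by hashing the plaintext, and decryption redoes the encryption and rejects any ciphertext it cannot reproduce. The parameters (N, p, q), the fixed f and g, and the use of SHA-256 to derive a weight-2 ternary r are assumptions chosen for illustration and are far too small to be secure; the final lines show how a ciphertext perturbed by p*x^k, which plain NTRU decrypts to the same plaintext (the situation a reaction attack exploits), is rejected by the FOSRT check.

```python
import hashlib, itertools
N, P, Q = 7, 3, 32              # toy NTRU parameters, constructed for illustration only
ONE = [1] + [0] * (N - 1)       # the constant polynomial 1

def mul(a, b, mod):
    """Convolution product in the NTRU ring Z_mod[x] / (x^N - 1)."""
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % N] = (c[(i + j) % N] + ai * bj) % mod
    return c

def center(a, mod):
    """Represent coefficients in [-mod/2, mod/2) instead of [0, mod)."""
    return [((x + mod // 2) % mod) - mod // 2 for x in a]

def inverse(f, mod):
    """Inverse of f in the ring: brute force for a small prime, Newton lifting for Q = 2^k."""
    if mod > 2 and mod & (mod - 1) == 0:
        g, m = inverse(f, 2), 2                  # assumes f is invertible mod 2
        while m < mod:
            m *= 2
            g = mul(g, [(2 * o - t) % m for o, t in zip(ONE, mul(f, g, m))], m)
        return g
    for g in itertools.product(range(mod), repeat=N):
        if mul(f, g, mod) == ONE:
            return list(g)
    return None

def keygen():
    """Fixed (constructed) small f and g; public key h = P * Fq * g mod Q as in original NTRU."""
    f, g = [1, 1, 0, 0, -1, 0, 0], [1, -1, 0, 0, 0, 0, 0]
    return f, inverse(f, P), mul([P * x for x in inverse(f, Q)], g, Q)

def derive_r(m):
    """FOSRT: the blinding polynomial r is a hash of the (padded) plaintext m, not fresh randomness."""
    d = hashlib.sha256(bytes(x % P for x in m)).digest()
    i, j = d[0] % N, (d[0] + 1 + d[1] % (N - 1)) % N   # two distinct positions
    s_i, s_j = 1 - 2 * (d[2] & 1), 1 - 2 * (d[3] & 1)  # signs taken from hash bits
    return [s_i if k == i else s_j if k == j else 0 for k in range(N)]   # weight-2 ternary r

def encrypt(h, m):
    """e = r*h + m mod Q, with r = H(m); m is a ternary polynomial (already padded)."""
    return [(x + y) % Q for x, y in zip(mul(derive_r(m), h, Q), m)]

def decrypt(f, fp, h, e, check=True):
    """Plain NTRU decryption; with check=True the FOSRT re-encryption test rejects any e not reproduced."""
    a = center(mul(f, e, Q), Q)                  # a = P*g*r + f*m while coefficients stay small
    m = center(mul(fp, center(a, P), P), P)      # Fp * (f*m mod P) = m
    return m if not check or encrypt(h, m) == e else None
```

With `check=False` a ciphertext e' = e + P*x^0 still decrypts to the original m, so an observer of accept/reject behaviour would learn something; with the check enabled, e' is rejected because re-encrypting m yields e, not e'.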