Note for Technical Report #007 Version 2. the Material on Oaep in This Report Has Been Superceded by Ntru Technical Report #016, " Protecting Ntru against Chosen Ciphertext and Reaction Attacks, " Available At

RSA and Bell Labs [2, 3] have recently announced a potential attack on certain public key protocols, along with several suggested countermeasures. The most secure of these countermeasures uses the concept of plaintext aware, which means that it should be infeasible to construct a valid ciphertext without knowing the corresponding plaintext. Failure to be plaintext aware may open a cryptosystem to various sorts of attacks. In this note we describe some potential attacks on the NTRU Public Key Cryptosystem (PKC) analogous to the attack described in [2, 3] and suggest the use of an OAEP digital envelope to eliminate the threat of such attacks. Note for Technical Report #007 Version 2. The material on OAEP in this report has been superceded by NTRU Technical Report #016, “Protecting NTRU Against Chosen Ciphertext and Reaction Attacks,” available at www.ntru.com. The report #016 describes a padding technique of Fujisaki and Okamoto that protects against chosen ciphertext attacks (CCA) and other attacks described in this note, against the reaction attacks described in NTRU Technical Note #015, and against the CCA described in “A chosen-ciphertext attack against NTRU,” E. Jaulmes and A. Joux, Proceedings of CRYPTO 2000, Lecture Notes in Computer Science, Springer-Verlag. A cryptosystem is said to be plaintext aware if it is infeasible for an attacker to construct a valid ciphertext without knowing the corresponding plaintext. (For a more precise definition of this concept, see [4].) Failure to be plaintext aware may open the door to various sorts of attacks, such as Bleichenbacher’s Adaptive Chosen Ciphertext Attack [2, 3] on RSA’s Public Key Cryptography Standard #1 (PKCS #1). In this note we will construct several attacks on the NTRU Public Key Cryptosystem, including an adaptive chosen ciphertext attack similar to [2]. A number of countermeasures to Bleichenbacher-type attacks are described in [3], including: • Frequent changes of key pair. • Check messages more rigorously for format after decryption. • Require the sender to demonstrate knowledge of the data before indicating whether the decryption was successful.