Title: Plaintext Awareness and the Ntru Pkcs
Author
Abstract
RSA and Bell Labs [2, 3] have recently announced a potential attack on certain public key protocols, along with several suggested countermeasures. The most secure of these countermeasures uses the concept of plaintext aware, which means that it should be infeasible to construct a valid ciphertext without knowing the corresponding plaintext. Failure to be plaintext aware may open a cryptosystem to various sorts of attacks. In this note we describe some potential attacks on the NTRU Public Key Cryptosystem (PKC) analogous to the attack described in [2, 3] and suggest the use of an OAEP digital envelope to eliminate the threat of such attacks.

A cryptosystem is said to be plaintext aware if it is infeasible for an attacker to construct a valid ciphertext without knowing the corresponding plaintext. (For a more precise definition of this concept, see [4].) Failure to be plaintext aware may open the door to various sorts of attacks, such as Bleichenbacher's Adaptive Chosen Ciphertext Attack [2, 3] on RSA's Public Key Cryptography Standard #1 (PKCS #1). In this note we will construct several attacks on the NTRU Public Key Cryptosystem, including an adaptive chosen ciphertext attack similar to [2].

A number of countermeasures to Bleichenbacher-type attacks are described in [3], including:
- Frequent changes of key pair.
- Check messages more rigorously for format after decryption.
- Require the sender to demonstrate knowledge of the data before indicating whether the decryption was successful.
- If a message is rejected for any reason, the timing and format of the error message sent back to the sender should be the same.
- Add structure to the data (e.g., by including a hash of the data) to decrease the probability of a message being accepted.

All of these sensible countermeasures apply to any public key cryptosystem, including NTRU, and many of them require few changes in currently implemented digital envelopes and protocols, such as RSA's PKCS #1.

With regard to the first countermeasure, we want to stress that an important feature of the NTRU PKC is the ease and speed of key creation. This makes NTRU the only current commercially viable public key cryptosystem which supports single use public/private key pairs; that is, public/private key pairs which are used for a single transaction or a single session.
Similar resources
Note for Technical Report #007 Version 2. The Material on OAEP in This Report Has Been Superseded by NTRU Technical Report #016, "Protecting NTRU against Chosen Ciphertext and Reaction Attacks," Available At
RSA and Bell Labs [2, 3] have recently announced a potential attack on certain public key protocols, along with several suggested countermeasures. The most secure of these countermeasures uses the concept of plaintext aware, which means that it should be infeasible to construct a valid ciphertext without knowing the corresponding plaintext. Failure to be plaintext aware may open a cryptosystem ...
Title: Estimated Breaking times for Ntru Lattices
In this note we report on experiments with the lattices underlying the NTRU Public Key Cryptosystem. We present data for the time needed to find a small vector and use this data to extrapolate expected breaking times for the NTRU PKCS for various parameter values. In particular, we find that NTRU 167, NTRU 263, and NTRU 503 are at least as secure as RSA 512, RSA 1024, and RSA 2048 respectively. In ...
Performance Analysis of Public key Cryptographic Systems RSA and NTRU
In many business sectors secure and efficient data transfer is essential. To ensure the security to the applications of business, the business sectors use Public Key Cryptographic Systems (PKCS). An RSA and NTRU system generally belongs to the category of PKCS. The efficiency of a public key cryptographic system is mainly measured in computational overheads, key size and bandwidth. In particula...
Protecting NTRU Against Chosen Ciphertext and Reaction Attacks
This report describes how the Fujisaki-Okamoto Self-Referential Technique (FOSRT) can be used to make the NTRU Public Key Cryptosystem resistant to adaptive chosen ciphertext attacks and to reaction attacks. Many asymmetric ciphers are susceptible to (adaptive) chosen ciphertext attacks. An attacker sends a series of purported ciphertexts e1, e2, ... and uses the decryptions to deduce informat...
NTRUCipher-Lattice Based Secret Key Encryption
NTRU cryptosystem has allowed designing a range of cryptographic schemes due to its flexibility and efficiency. Although NTRU cryptosystem was introduced nearly two decades ago, it has not yet received any attention like designing a secret key encryption. In this paper, we propose a secret key encryption over NTRU lattices, named as NTRUCipher. This NTRUCipher is designed using modification of ...