We present new and efficient key-recovery chosen-ciphertext attacks on NTRUencrypt. Our attacks are somewhat intermediate between chosen-ciphertext attacks on NTRUencrypt previously published at CRYPTO ’00 and CRYPTO ’03. Namely, the attacks only work in the presence of decryption failures; we only submit valid ciphertexts to the decryption oracle, where the plaintexts are chosen uniformly at r...

NTRU is a fast public key cryptosystem presented in 1996 by Hoffstein, Pipher and Silverman of Brown University. It operates in the ring of polynomials Z[X]/(X − 1), where the domain parameter N largely determines the security of the system. Although N is typically chosen to be prime, Silverman proposes taking N to be a power of two to enable the use of Fast Fourier Transforms. We break this sc...

Postquantum cryptography requires a different set of arithmetic routines from traditional public-key such as elliptic curves. In particular, in each the lattice-based NISTPQC Key Establishment finalists, every state-ofthe-art optimized implementation for schemes still round 3 currently uses complex multiplication based on Number Theoretic Transform. We verify NTT-based multiplications used NTRU...

We present a cryptosystem which is complete for the class of probabilistic public-key cryptosystems with bounded error. Besides traditional encryption schemes such as RSA and El Gamal, this class contains probabilistic encryption of Goldwasser-Micali as well as Ajtai-Dwork and NTRU cryptosystems. The latter two are known to make errors with some small positive probability. To our best knowledge...

We propose a new identification scheme from a newly introduced lattice problem. Our scheme is a provable identification problem based on a lattice problem. This affirmatively answers the question raised by Hoffstein and others on the possibility to construct a provable identification/signature scheme from lattice problems. We give a concrete realization of the identification scheme using the NT...