Home  |  Contact  |  Resource Center  |  Search  
Ntru
ServicesProductsMarketsCryptoLabAbout Us

Overview

Crypto Corner

NTRU Algorithms

Scrutiny

Peer Review

Tutorials

Articles

Technical Notes

FAQs

R&D Team

Standards

Archive Center

CryptoLab
FAQs

General

Countermeasures

Standards and Technology

Bibliography

General

What is NTRU announcing?
NTRU announced that it is working with third-party cryptographers to identify and act against potential attacks on secured transmissions. This potential vulnerability is the subject of research and has not been reported by any users.

back to top

Is there an attack?
The countermeasures being announced today address a potential vulnerability discovered by several researchers: Phong Nguyen and David Pointcheval of the Ecole Normale Superieure in Paris, France; Tommi Meskanen and Ari Renvall of the University of Turku, Turku, Finland; John Proos of the University of Waterloo, Waterloo, Canada; and independently by researchers within NTRU. These researchers independently identified a cryptographic vulnerability that affects some NTRUEncrypt implementations. Because of this vulnerability, an attacker can send on the order of a million carefully constructed messages to a device running a particular protocol, and, by observing the devices's response, recover its NTRUEncrypt private key. Due to the large number of messages needed, the potential attack is detectable by network administrators or by local traffic monitoring.

Details are given in the papers [HN+03, MR03, Pro03]. Additionally, it is shown in [HN+03, Pro03] that if decryption failures occur with non-negligible probability sit is impossible to produce a meaningful proof of security.

back to top

What types of communications are affected?
In any situation where an attacker can send a message to a device and then observe whether or not the message was successfully decrypted, this attack can potentially be mounted. The attack does not apply to situations where the attacker cannot tell the decryption status of the message. Additionally, it does not apply if system-level steps are taken to regenerate a key that has experienced a number of decryption failures, if protocol-level steps are taken to use protocols that give the property of perfect forward secrecy, or if parameter-level steps are taken to reduce the likelihood of decryption failures to a negligible level.

back to top

What can an attacker gain?
An attacker who can observe the target device's behavior in enough detail can recover that device's private key for use in decryption. This will allow the attacker to read any traffic sent to the device unless the key is rolled over or a protocol giving perfect forward secrecy is adopted. While these countermeasures will prevent the attack, NTRU recommends the adoption of new parameter sets that will guarantee security independent of the choice of key lifetime policies and protocol.

back to top

Countermeasures

As a current NTRUEncrypt user, how can I protect myself from this attack?
The best defense is to migrate to the versions of Neo and jNeo that are now available, and to use the parameter sets in version 2 of EESS#1 [EESS1v2]. If this is not possible, the attack can be countered by correct key policing: roll a key over after it has experienced a certain number of decryption failures. For further details about your specific installation, please contact NTRU staff directly.

back to top

Going forward, how can I develop software that is not vulnerable?
The next versions of Neo and jNeo, available now, have no vulnerability to this attack.

back to top

Will the EESS#1 standard be modified to protect against this attack?
Version 2 of EESS#1 is now available [EESS1v2]. It provides specifications in standard format of the padding schemes and parameter sets described in the papers released today.

back to top

What about other standards?

Other standards that use or specify NTRUEncrypt, such as the forthcoming ANSI X9.98 and IEEE P1363.1, will be amended to specify the new padding schemes and parameter sets.

back to top

How will NTRU products prevent this problem?

The next versions of Neo and jNeo, available now, have no vulnerability to this attack.

back to top

Standards and Technology

What is EESS#1?

EESS#1 [EESS1v2] is the Efficient Embedded Security Standard #1, issued by the Consortium for Efficient Embedded Security (CEES). It provides standard specifications for NTRUEncrypt and NTRUSign.

back to top

What are SVES-1, SVES-2 and SVES-3?

SVES-1 is the name of the padding scheme described in EESS#1 draft versions 1-4, and included in Neo up to version 7.0 and jNeo up to version 3.5. It is the padding scheme shown by Nguyen and Pointcheval at Crypto 2002 [NP02] to have insufficient provable security against chosen plaintext attack. SVES-2 is the padding scheme described in EESS#1 draft 5 and version 1, which would have provable security if there were no decryption failures. SVES-3 is the name of the new padding scheme, proposed in the papers published today and standardized in version 2 of EESS#1 [EESS1v2].

back to top

What is a chosen ciphertext attack? What is a reaction attack?

Keys for cryptographic systems can be attacked by various methods. In a chosen plaintext attack, an attacker can choose messages and see their encryption. Chosen plaintext attacks are always possible against public-key cryptosystems, because anyone can encrypt a message given the public key. In a chosen ciphertext attack, an attacker can choose different ciphertexts, submit them for decryption, and see the results. In a reaction attack, an attacker can choose different ciphertexts, submit them for decryption, and obtain some but not all information about the result of the decryption (for example, whether or not decryption succeeded). A standard tactic in constructing modern cryptosystems is to ensure that a ciphertext will only decrypt correctly if it was obtained by the valid process of encrypting a plaintext. This prevents an attacker from gaining information by altering existing ciphertexts.

back to top

What is padding?

In a public key cryptosystem, before a message is encrypted it is typically mixed with some random data. This ensures, at the least, that the same message will not encrypt twice to the same ciphertext, so an attacker who guesses the message cannot confirm the guess by comparing the encryption of their guess to the ciphertext. This process is called padding, or message preprocessing. On decryption, the padded message must be unpadded so the actual message can be retrieved. The padding process must therefore be reversible. More sophisticated padding schemes can give systems with provable security (see below).

back to top

What is a proof of security?

Public-key cryptosystems are based on underlying hard problems, but it is not necessarily the case that an attacker has to break the hard problem to break the cryptosystem itself. For example, if RSA is used without padding, there are trivial attacks that recover encrypted messages without recovering the factorization of the modulus. Modern practice is to design padding schemes with the property that breaking the system can be proved to be as hard as breaking the underlying hard problem. The approach is to show that any algorithm that can break the system can be converted straightforwardly into an attack that breaks the hard problem. Not all encryption schemes have the property of provability, and there are many subtleties to constructing an appropriate scheme.

back to top

What is a decryption failure?

Previous parameter sets for NTRUEncrypt had the property that it was theoretically possible for a validly encrypted message not to decrypt. This is known as a decryption failure. Depending on the parameters used, the chance of a decryption failure can vary greatly. With the current parameter sets the chance of a decryption failure is negligible.

back to top

Why do decryption failures affect proofs of security?

One purpose of a proof of security is to show that even if an attacker can see the decryption of any ciphertext they choose (except a specific target ciphertext), this does not help them decrypt the target ciphertext. We do this by requiring that the decryption process outputs "invalid" unless the ciphertext was formed by validly encrypting a message, and otherwise outputs the message. If the ciphertext is a valid encryption, the attacker already knows the message; if it's not a valid encryption, the attacker already knows that (because they formed the ciphertext without performing a valid encryption); therefore, the attacker learns nothing from observing decryptions.

However, when decryption failures occur, something happens that the attacker didn't already know was going to happen. Therefore, it is no longer possible to prove that the attacker obtains no information from observing decryptions. Proofs of security are only possible if the chance of a decryption failure is negligible.

back to top

Why is it necessary to change parameters?

The parameter sets given in [EESS1v1] for N=251 have decryption failure probabilities of around 2-25. This allows attacks to be mounted that recover the private key with on the order of a million ciphertexts. It is necessary to lower the decryption failure probability to 2-80 in order to claim 280 security. The new parameter sets presented in [EESS1v2] give this level of security. In fact, the chance of a decryption failure is considerably less than 2-80; our analysis, presented in [SW03], shows it to be about 2-100.

back to top

What changes have been made?

We have made the following changes for our main parameters
(N = 251, equivalent to RSA-1024 or 80-bit symmetric security):
  • New parameter sets have been chosen, which greatly decrease the risk of decryption failures. Given this level of decryption failures it is possible to construct a proof of security for an appropriate padding scheme. These parameter sets are described in [EESS1v2], and motivation for believing that they give the claimed level of security is presented in [Tech4, Tech12, Tech18].
  • A different padding method has been specified, which is particularly appropriate to NTRU and gives provable security in the same model (the random oracle model) as other popular public key cryptosystems (such as RSA-OAEP). With low decryption failure probability, the reduction to the underlying hard problem is efficient. The padding method is described in [EESS1v2] and analyzed in [HSSW03]. It ensures that an attacker cannot directly control the message representative i or the blinding value r which are used in calculating the ciphertext e = r*h + m. This means that an average-case analysis is sufficient for provable security - there are no particularly "weak" messages.

back to top

Is there a proof of security now?

Yes. With appropriate parameter sets and padding schemes, the change of decryption failures is sufficiently low that proofs are meaningful. The padding scheme in [HSSW03], posted today on the NTRU website, provides provable security even if there is a certain, low, probability of decryption failures. This is the first complete proof of security for NTRU, or any scheme with decryption failures. It constitutes a significant contribution to the understanding of the properties of this scheme.

back to top

Where can I learn more technical details?

The new N=251 parameter sets, with arguments to support the claimed level of decryption failures, are presented in [EESS1v2], available from the CEES website.

The following papers are the major technical articles on the changes in the parameter sets.

N. Howgrave-Graham, J. Silverman, A. Singer, W. Whyte, NAEP: Provable security in the presence of decryption failures. Available from http://www.ntru.com/cryptolab/articles.htm#006.

The paper presents a padding scheme appropriate for cryptosystems with a non-zero but negligible average-case chance of decryption failure. It explains the application of this padding scheme to NTRUEncrypt and gives a proof of security. This is the first full proof of security for NTRUEncrypt, demonstrating that the problem of breaking NTRUEncrypt reduces to the problem of finding a close vector in a specific lattice.

N. Howgrave-Graham, J.H. Silverman, W. Whyte, A meet-in-the-middle attack on an NTRU private key, NTRU Technical Report 004, version 2, 2003. Available from http://www.ntru.com/cryptolab/tech_notes.htm#004.

This note describes a technique, originally due to Odlyzko, for trading off memory for time in searching for an NTRUEncrypt private key by a brute-force method. It demonstrates that for recommended parameter sets with N=251 the strength against meet-in-the-middle attacks is at least 280.

J. Hoffstein, J. Silverman, W. Whyte, NTRU Technical Report #12, v2, Estimating Breaking Times for NTRU Lattices. Available from http://www.ntru.com/cryptolab/tech_notes.htm#012.

The paper discusses the best known lattice-based attacks on NTRU cryptosystems, and demonstrates that for recommended parameter sets with N=251 the strength against lattice attacks is at least 280.

J. Silverman, W. Whyte, NTRU Technical Report #18, Estimating Decryption Failure Probabilities for NTRUEncrypt. Available from http://www.ntru.com/cryptolab/tech_notes.htm#018.

The paper discusses how to analyze the probability of an NTRUEncrypt decryption failure, and demonstrates that there are parameter sets which reduce the probability of a decryption failure to less than 2-80 for N=251.

N. Howgrave-Graham, P. Nguyen, D. Pointcheval, J. Proos, J. Silverman, A. Singer, W. Whyte, The Impact of Decryption Failures on the Security of NTRU Encryption. Available from http://www.ntru.com/cryptolab/articles.htm#005. Proc. Crypto 2003, to appear.

The paper describes an attack on NTRU as described in EESS#1 with the SVES-1 or SVES-2 padding scheme. The attack uses decryption failures to recover the private key with about 240 queries to a decryption oracle. It illustrates the importance of choosing parameter sets such that the chance of decryption failures is negligible.

back to top

Bibliography

view bibliography

[EESS1v1] Consortium for Efficient Embedded Security, Efficient Embedded Security Standard #1, Version 1, November 2002.

[EESS1v2] Consortium for Efficient Embedded Security, Efficient Embedded Security Standard #1, Version 2, May 2003. Available from http://www.ceesstandards.org.

[HN+03] N. Howgrave-Graham, P. Nguyen, D. Pointcheval, J. Proos, J. H. Silverman, A. Singer, W. Whyte, The Impact of Decryption Failures on the Security of NTRU Encryption, available from http://www.ntru.com/cryptolab/articles.htm#005.

[HSSW03] N. Howgrave-Graham, J. Silverman, A. Singer, W. Whyte, NAEP: Provable security in the presence of decryption failures, available from http://www.ntru.com/cryptolab/articles.htm#006.

[MR03] T. Meskanen, A. Renvall, A Wrap Error Attack Against NTRUEncrypt, University of Turku Technical Report TUCS 507, available from http://www.tucs.fi/Research/Series/techreports/techrep.php?year=2003.

[NP02] P. Nguyen, D. Pointcheval, Analysis and Improvements of NTRU Encryption Paddings, available from http://www.di.ens.fr/~pointche/pub.php?reference=NgPo02.

[Pro03] J. Proos, Imperfect Decryption and an Attack on the NTRU Encryption Scheme, available from http://eprint.iacr.org/2003/002/.

[Tech4] N. Howgrave-Graham, J. Silverman, W. Whyte, NTRU Cryptosystems Technical Report 4, v2: A Meet-In-The-Middle Attack on an NTRU Private Key. Available from http://www.ntru.com/cryptolab/tech_notes.htm#004.

[Tech12] J. Hoffstein, J. Silverman, W. Whyte, NTRU Cryptosystems Technical Report 12, v2: Estimated Breaking Times for NTRU Lattices. Available from http://www.ntru.com/cryptolab/tech_notes.htm#012.

[Tech18] J. Silverman, W. Whyte, NTRU Cryptosystems Technical Report 18: Estimating Decryption Failure Probabilities for NTRUEncrypt. Available from http://www.ntru.com/cryptolab/tech_notes.htm#018.

back to top

 

Email Us
Copyright © NTRU Cryptosystems, Inc. 1998-2008 35 Nagog Park, Acton, MA 01720, USA Tel. 978-844-5200 Created by PixelMEDIA