Reveal the invisible secret: chosen-ciphertext side-channel attacks on NTRU

Zhuang Xu*, Owen Pemberton, David Oswald, Zhiming Zheng

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference contribution

96 Downloads (Pure)


NTRU is a well-known lattice-based cryptosystem that has been selected as one of the four key encapsulation mechanism finalists in Round 3 of NIST’s post-quantum cryptography standardization. This paper presents two succinct and efficient chosen-ciphertext side-channel attacks on the latest variants of NTRU, i.e., NTRU-HPS and NTRU-HRSS as in Round 3 submissions. Both methods utilize the leakage from the polynomial modular reduction to recover the long-term secret key. For the first attack, although the side-channel leakage does not directly reveal the secret polynomial f , we recover differences between adjacent coefficients using appropriately chosen ciphertexts, and finally reconstruct f  through linear algebra. The second attack is based on the inherent relation between the secret key and the public key in NTRU-HPS: we first reveal the “invisible” secret polynomial g  with chosen ciphertexts and then use g  and the public polynomial h  to compute f . In theory, these attacks only need 4 and 2 ciphertexts, respectively. We then practically apply those attacks on all reference implementations of four instances in the PQClean library and show that the accuracy of secret-key recovery can reach 100% with only few traces (4 to 24 and 2 to 6, respectively). We also observe similar leakage in optimized implementations in the pqm4 library and propose an according analysis scheme. 
Original languageEnglish
Title of host publicationInternational Conference on Smart Card Research and Advanced Applications
Subtitle of host publicationCARDIS 2022: Smart Card Research and Advanced Applications
ISBN (Electronic)9783031253195
ISBN (Print)9783031253188
Publication statusPublished - 29 Jan 2023
Event21st Smart Card Research and Advanced Application Conference - University of Birmingham, Birmingham, United Kingdom
Duration: 7 Nov 20229 Nov 2022

Publication series

NameLecture Notes in Computer Science
ISSN (Print)302-9743
ISSN (Electronic)1611-3349


Conference21st Smart Card Research and Advanced Application Conference
Abbreviated titleCARDIS 2022
Country/TerritoryUnited Kingdom


Dive into the research topics of 'Reveal the invisible secret: chosen-ciphertext side-channel attacks on NTRU'. Together they form a unique fingerprint.

Cite this