Message Recovery Attack in NTRU via Knapsack
Eirini Poimenidou, K. A. Draziotis
TL;DR
This work presents a practical message-recovery attack on NTRU-HPS that leverages partial leakage of the plaintext and nonce, converting decryption into a modular knapsack instance ($\mathrm{ISIS}_q$) and then into a shortest-vector problem (SVP) on a tailored lattice. By applying the FLATTER lattice-reduction algorithm, the authors recover the nonce $\mathbf{r}$ and thus the message $\mathbf{m}$ when a fraction $\varepsilon \approx 0.45$ of the coefficients is known, with experimental success on commodity hardware. The attack is demonstrated for the NTRU-HPS and HRSS variants, using a two-stage process and an alternative variant that reduces the required leakage to about 40–45% by exploiting partial knowledge of both $\mathbf{m}$ and $\mathbf{r}$. The results underscore practical implications for parameter choices and side-channel defenses, and open avenues for extending the approach to other lattice-based schemes such as Kyber and Saber.
Abstract
In the present paper, we introduce a message-recovery attack based on the Modular Knapsack Problem, applicable to all variants of the NTRU-HPS cryptosystem. Assuming that a fraction $\varepsilon$ of the coefficients of the message ${\bf m}\in\{-1,0,1\}^N$ and of the nonce vector ${\bf r}\in\{-1,0,1\}^N$ are known in advance at random positions, we reduce message decryption to finding a short vector in a lattice that encodes an instance of a modular knapsack system. This allows us to address a key question: how much information about ${\bf m}$, or about the pair $({\bf m},{\bf r})$, is required before recovery becomes feasible? A FLATTER reduction successfully recovers the message in practice when $\varepsilon\approx 0.45$. Our implementation finds ${\bf m}$ within a few minutes on a commodity desktop.
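The following is an added illustration of the reduction step described above, not the paper's own code, and the paper's actual lattice construction may differ. It builds a toy NTRU-style ciphertext $c = r*h + m \bmod q$ (constructed parameters $N=11$, $q=2048$, arbitrary public $h$), folds the leaked coefficients of $r$ and $m$ into the right-hand side, and leaves a modular knapsack ($\mathrm{ISIS}_q$) instance $A x \equiv t \pmod q$ whose unknown vector $x$ is short; no lattice reduction is performed, the point is to see how the unknown count compares with the $N$ equations.

```python
import random

# Toy parameters (constructed); real NTRU-HPS uses N in the hundreds and q = 2048.
N, q = 11, 2048

def convolve(a, b, n, mod):
    """Multiply two polynomials in Z[x]/(x^n - 1), reducing coefficients mod `mod`."""
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[(i + j) % n] = (out[(i + j) % n] + ai * bj) % mod
    return out

def circulant(h, n):
    """Row i is x^i * h, so that (r * h) mod (x^n - 1) equals sum_i r_i * H[i]."""
    return [[h[(j - i) % n] for j in range(n)] for i in range(n)]

def leak_to_knapsack(h, c, r, m, known_r, known_m):
    """Return (A, t, x): columns A, target t and the true short solution x, such
    that sum_k x_k * A[k] == t (mod q). Leaked coefficients move into t."""
    n = len(h)
    H = circulant(h, n)
    t = c[:]                      # c = sum_i r_i H[i] + m  (mod q)
    A, x = [], []
    for i in range(n):            # nonce coefficients
        if i in known_r:
            t = [(t[j] - r[i] * H[i][j]) % q for j in range(n)]
        else:
            A.append(H[i]); x.append(r[i])
    for i in range(n):            # message coefficients (identity columns)
        if i in known_m:
            t[i] = (t[i] - m[i]) % q
        else:
            A.append([1 if j == i else 0 for j in range(n)]); x.append(m[i])
    return A, t, x

def check(A, t, x):
    """Verify the knapsack relation sum_k x_k * A[k] == t (mod q)."""
    s = [0] * len(t)
    for col, xk in zip(A, x):
        s = [(sj + xk * cj) % q for sj, cj in zip(s, col)]
    return s == t

def demo(eps=0.45, seed=1):
    """Leak a fraction eps of r and m at random positions; report whether the
    true (r, m) satisfies the instance and how many unknowns remain vs N equations."""
    rng = random.Random(seed)
    h = [rng.randrange(q) for _ in range(N)]            # arbitrary public key
    r = [rng.choice((-1, 0, 1)) for _ in range(N)]
    m = [rng.choice((-1, 0, 1)) for _ in range(N)]
    c = [(a + b) % q for a, b in zip(convolve(r, h, N, q), m)]
    k = round(eps * N)
    known_r, known_m = set(rng.sample(range(N), k)), set(rng.sample(range(N), k))
    A, t, x = leak_to_knapsack(h, c, r, m, known_r, known_m)
    return check(A, t, x), len(x), N
```

With $\varepsilon$ below 0.5 the instance has more unknowns than equations ($2N(1-\varepsilon) > N$), so solving it by linear algebra alone is impossible and the shortness of $x$ (entries in $\{-1,0,1\}$) is what a lattice reduction exploits; this is why the leakage fraction is the quantity to minimise on the defensive side.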
