Message Recovery Attack in NTRU via Knapsack
Eirini Poimenidou, K. A. Draziotis

TL;DR
This paper presents a message-recovery attack on NTRU cryptosystems using a reduction to the Modular Knapsack Problem, demonstrating practical feasibility when nearly half of the message and nonce coefficients are known.
Contribution
It introduces a novel attack method based on lattice reduction and knapsack problem reduction applicable to all NTRU-HPS variants, with practical implementation results.
Findings
Successful message recovery when approximately 45% of coefficients are known
Practical attack implementation completes within minutes on standard hardware
Addresses the amount of known information needed for message recovery in NTRU
Abstract
In the present paper, we introduce a message-recovery attack based on the Modular Knapsack Problem, applicable to all variants of the NTRU-HPS cryptosystem. Assuming that a fraction of the coefficients of the message and of the nonce vector are known in advance at random positions, we reduce message decryption to finding a short vector in a lattice that encodes an instance of a modular knapsack system. This allows us to address a key question: how much information about , or about the pair , is required before recovery becomes feasible? A FLATTER reduction successfully recovers the message, in practice when . Our implementation finds within a few minutes on a commodity desktop.
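The reduction described in the abstract starts from a linear system modulo q in the coefficients that are still unknown. The sketch below is an added example, not code from the paper. It assumes the textbook NTRU encryption relation c = h*r + m in Z_q[x]/(x^N - 1), uses constructed toy parameters and hypothetical function names, and builds that modular knapsack system for a ciphertext in which about 45% of the coefficients of m and r are known. The lattice and the FLATTER step are not reproduced.

```python
import random

def cyclic_mul(a, b, N, q):
    """Multiply a*b in Z_q[x]/(x^N - 1)."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[(i + j) % N] = (out[(i + j) % N] + ai * bj) % q
    return out

def knapsack_system(h, c, known_r, known_m, N, q):
    """Return (A, b, unknowns) with A*u = b (mod q) and u ternary.
    known_r / known_m map a coefficient index to its known value."""
    unknowns = [("r", j) for j in range(N) if j not in known_r] + \
               [("m", i) for i in range(N) if i not in known_m]
    b = list(c)
    for j, v in known_r.items():      # move known v * x^j * h to the right-hand side
        for k in range(N):
            b[(j + k) % N] = (b[(j + k) % N] - v * h[k]) % q
    for i, v in known_m.items():      # move known message coefficients as well
        b[i] = (b[i] - v) % q
    A = [[0] * len(unknowns) for _ in range(N)]
    for col, (kind, idx) in enumerate(unknowns):
        if kind == "r":               # column = rotation x^idx * h
            for k in range(N):
                A[(idx + k) % N][col] = h[k]
        else:                         # column = unit vector e_idx
            A[idx][col] = 1
    return A, b, unknowns

def demo(N=11, q=64, frac=0.45, seed=1):
    """Toy, constructed instance; returns (relation_holds, unknowns_left, total)."""
    rng = random.Random(seed)
    h = [rng.randrange(q) for _ in range(N)]  # constructed stand-in, not a real key
    r = [rng.choice((-1, 0, 1)) for _ in range(N)]
    m = [rng.choice((-1, 0, 1)) for _ in range(N)]
    c = [(x + y) % q for x, y in zip(cyclic_mul(h, r, N, q), m)]
    k = int(frac * N)                 # number of known coefficients per vector
    known_r = {i: r[i] for i in rng.sample(range(N), k)}
    known_m = {i: m[i] for i in rng.sample(range(N), k)}
    A, b, unknowns = knapsack_system(h, c, known_r, known_m, N, q)
    u = [(r if kind == "r" else m)[idx] for kind, idx in unknowns]
    ok = all(sum(a * x for a, x in zip(row, u)) % q == bi for row, bi in zip(A, b))
    return ok, len(unknowns), 2 * N

if __name__ == "__main__":
    print(demo())
```

Each known coefficient removes one column from the system, so the number of ternary unknowns drops from 2N to 2N minus the number of known positions while the N equations stay fixed.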
