Cryptanalysis of ITRU

ITRU cryptosystem is a public key cryptosystem and one of the known variants of NTRU cryptosystem. Instead of working in a truncated polynomial ring, ITRU cryptosystem is based on the ring of integers. The authors claimed that ITRU has better features comparing to the classical NTRU, such as having a simple parameter selection algorithm, invertibility, and successful message decryption, and better security. In this paper, we present an attack technique against the ITRU cryptosystem, and it is mainly based on a simple frequency analysis on the letters of ciphertexts.



There are no comments yet.


page 5

page 6


On Bergman's Diamond Lemma for Ring Theory

This expository paper deals with the Diamond Lemma for ring theory, whic...

Algebraic aspects of solving Ring-LWE, including ring-based improvements in the Blum-Kalai-Wasserman algorithm

We provide several reductions of Ring-LWE problems to smaller Ring-LWE p...

Cryptanalysis of Semidirect Product Key Exchange Using Matrices Over Non-Commutative Rings

It was recently demonstrated that the Matrix Action Key Exchange (MAKE) ...

Automatic Tree Ring Detection using Jacobi Sets

Tree ring widths are an important source of climatic and historical data...

Non-Commutative Ring Learning With Errors From Cyclic Algebras

The Learning with Errors (LWE) problem is the fundamental backbone of mo...

Lord of the Ring(s): Side Channel Attacks on the CPU On-Chip Ring Interconnect Are Practical

We introduce the first microarchitectural side channel attacks that leve...

Cubical Cohomology Ring of 3D Photographs

Cohomology and cohomology ring of three-dimensional (3D) objects are top...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

The study of cryptography has been interested to cryptologists for long time because the necessity of transferring important information secretly, which established the existence of many types of cryptosystems. It is well-known that there are two types of cryptography, which are symmetric cryptography and asymmetric cryptography ( or, public key cryptography). In the symmetric cryptosystem, the same key being used in the encryption and decryption procedures. However, in the asymmetric cryptosystem two different keys are used; the public key that should be announced to everyone and the corresponding private key has to be secret. In fact, many models of these cryptosystems have been established by several cryptologists. Indeed, nowadays the most used cryptography is the public key cryptography for its better efficiency and security comparing to the other type. The security of many public key cryptosystems such as Rivest, Shamir and Adelman (RSA) cryptosystem [32], McEliece cryptosystem [22], ElGamal cryptosystem [5], or elliptic curve cryptosystem (ECC) [18] is based on different intractable mathematical problems. In practice, all of these public key cryptosystems are far slower than symmetric cryptosystems such as Data Encryption Standard (DES) cryptosystem [28] or Advanced Encryption Standard (AES) cryptosystem [29] in terms of space and computational complexity and for this reason they are often simply used to solve the problem of sharing a secret key for use in a symmetric cryptosystem (for more details, see [38], [33], and the references given there ).

Therefore, the main target for cryptologists is the discovery of a fast public key cryptosystem based on different hard problems. In Hoffstein, Pipher and Silverman [11] proposed a class of fast public key cryptosystems called NTRU ( Degree Truncated Polynomial Ring) cryptosystem, which was published in This cryptosystem is considered as a lattice-based public key cryptosystem, and it is the first asymmetric cryptosystem based on the polynomial ring

Indeed, it has very good features comparing to other public key cryptosystems such as reasonably short, easily created keys, high speed, and low memory requirements. Its encryption and decryption procedures rely on a mixing system presented by polynomial algebra combined with a clustering principle based on elementary probability theory. From its lattice-based structure, the security of the NTRU cryptosystem is based on the hardness of solving the Closest Vector Problem (CVP), which is a computational problem on lattices closely related to Shortest Vector Problem (SVP) and considered to be NP hard (non-deterministic polynomial-time hardness) (for more details, see

[24] and the references given there ).

In fact, the inventors [11] proved that the NTRU cryptosystem preforms much faster than other public key cryptosystems. For instance, the encryption and decryption procedure of a message block of length takes operations using the NTRU cryptosystem and this is considerably faster than the operations required by RSA cryptosystem. Further, the key lengths of NTRU cryptosystem are , which is very good comparing to the key lengths required by other fast public key cryptosystems presented in [10] and [22].

Furthermore, preliminary experimental results by Shen, Du, and Chen [35] showed that the speed of the NTRU cryptosystem is much faster than that of the RSA cryptosystem in which the key generation is more than times faster, the encryption is almost times faster, and the decryption is about times faster. These results show the applicable possibility of NTRU cryptosystem in mobile Java systems.

For further enhancement of the security of the NTRU cryptosystem, researchers have been proposing several variants of NTRU cryptosystem. Starting with a generalization of NTRU cryptosystem proposed by Banks and Shparlinski [1] with non-invertible polynomials on the same ring as NTRU. The main advantage of this variant is that it is more secure against some of the known attacks on the original NTRU cryptosystem such as lattice attack. On the other hand, it is less efficient than NTRU since the lengths of its public key and the ciphertext are twice the ones in the classical NTRU cryptosystem. Another analogue of NTRU cryptosystem was introduced by Gaborit, Ohler, and Solé [6] called CTRU cryptosystem in which the ring in NTRU cryptosystem is replaced by the ring of polynomials . A new variant of the NTRU cryptosystem was presented by Coglianese and Goi [3]

called MaTRU cryptosystem. However, it operates under the same general principles as the NTRU cryptosystem, it works in a different ring with a different linear transformation in the encryption and decryption procedures. As a result, MaTRU cryptosystem is more efficient and has a better security level comparing to NTRU cryptosystem. Kouzmenko

[19] used Gaussian integers instead of the ring in NTRU cryptosystem to propose a generalization of NTRU cryptosystem. However, it is not as efficient as NTRU, this scheme is slightly more secure against lattice attack than NTRU cryptosystem. By replacing the ring in NTRU cryptosystem by the Eisenstein integers , Nevins, KarimianPour, and Miri [26] proposed another variant, which we they called it by ETRU cryptosystem, which presents a more difficult lattice problem for lattice attacks, for the same level of decryption failure security. Malekian, Zakerolhosseini, and Mashatan [21] presented a new variant called QTRU cryptosystem based on using the ring of quaternions instead of the ring in NTRU cryptosystem. They showed that the structure of QTRU cryptosystem gives more resistant to some lattice-based attacks comparing to the classical NTRU cryptosystem.

Other variants have been introduced by many authors such ILTRU cryptosystem, which is a modification of ETRU cryptosystem, introduced by Karbasi and Atani [16]. The security of this cryptosystem is based on the worst case hardness of the approximate both SVP and CVP in ideal lattices.

Last but not least, we mention one of the known variants of NTRU cryptosystem called ITRU cryptosystem, which was presented in by Gaithuru, Salleh, and Mohamad [7]. Instead of working in a truncated polynomial ring, ITRU cryptosystem is based on the ring of integers. They showed that the ITRU cryptosystem has some interesting features such as having a simple parameter selection algorithm, invertibility, and successful message decryption. In fact, a description of a parameter selection algorithm and an implementation of ITRU with an application were provided. As a result, they claimed that the ITRU cryptosytem has a successful message decryption, which leads to more assurance of security in comparison to NTRU cryptosystem. Other variants of NTRU cryptosystem can be found, e.g. in [27], [39], [17], [30], [36], [2].

However, the inventors of NTRU cryptosystem ensured that it is extremely unlikely to several potential attacks against the scheme to succeed ( particularly, the standard lattice-based attack ) since the secret key was surrounded by a“cloud” of exponentially many unrelated lattice vectors. Later, in Coppersmith and Shamir [4] showed that the security of NTRU cryptosystem is not necessarily based on the difficulty of reducing the NTRU lattice since the lattice reduction can be one of the practical attacks against NTRU cryptosystem. In fact, they presented a lattice-based attack, which can either find the original secret key or an alternative key which can be used instead of to obtain the plaintexts by decrypting the corresponding ciphertexts with only slightly higher computational complexity. After that, many types of lattice-based attacks on the NTRU cryptosystem and its variants have been occurred. It is important to mention that all of these attacks have focused primarily on the “secret key recovery” problem. For instance, Gentry [8] proposed lattice-based attacks that are especially effective when N, in the polynomial ring that used in the classical NTRU cryptosystem, is composite. He used low-dimensional lattices to find a folded version of the private key, where this key has coefficients where dividing This folded private key is used to recover a folding of the plaintext, or it helps to recover the original private key.

However, a chosen ciphertext attack is another type of attacks, which was already used in [9] or [14] against other public key cryptosystems. Here, the attacker constructs invalid cipher messages. By knowing the plaintexts corresponding to his messages, she can get some information about the private key or even recover it. Such an attack was used against the NTRU cryptosystem by Jaulmes and Joux [13]. Similar attack to the later one was proposed by Meskanen and Renvalla [23].

Another attack on NTRU cryptosystem hardware implementations, that employ scan based Design-for-Test (DFT) techniques, was proposed by Kamal and Youssef [15], and they called it a scan-based side channel attack. This attack determines the scan chain structure of the polynomial multiplication circuits used in the decryption algorithm which allows the cryptanalyst to efficiently retrieve the secret key.

More attack techniques against NTRU cryptosystem and its variants can be found, i.e. [31], [25], [34], [12], [20], and the references given there.

In fact, most of the attacks against the NTRU cryptosystem especially the ones mentioned above focus primarily on the “secret key recovery” problem. Therefore, in this paper we present a new attack technique to break the ITRU cryptosystem proposed in [7]. Since the ITRU cryptosystem is a substitution cipher, so our attack is mainly based on a simple frequency analysis on the letters of ciphertexts using a function implemented in SageMath [37] as frequency_distribution(). As a result, this techniques will recover the corresponding plaintexts immediately with no need of having the private keys.

2 The ITRU Cryptosystem

As mentioned earlier, instead of working in a truncated polynomial ring ITRU cryptosystem is based on the ring of integers. The parameters and the main steps of ITRU cryptosystem are as follows.

  • The value of is suggested to be 1000.

  • Random integers and are chosen such that is invertible modulo .

  • A prime is fixed satisfying , where is the representation of the message in decimal form. The suggested conversion is based on conversion tables, that is the one with .

  • One computes and . These computations can be done by using the extended Euclidean algorithm.

  • The public key is consisted of and such that

  • The encryption procedure is similar to the one applied in NTRU cryptosystem [11], one generated a random integer and computes

  • To get the plaintext from the ciphertext one determines

  • Recovering the message is done by computing


In order to show this later recovery leads to the original plaintext at the end, one can show that as follows. Combining equation (3) with (2) and (1), with use of of the fact that we obtain that


It remains to compute by substituting (5) in (4) and using the fact that . We obtain that

3 ITRU Cryptosystem Implementation

We note that to fix one needs a bound for the largest possible value of the representation, so here if one only uses the letters from ’A’ to ’Z’ and ’a’ to ’z’, then the maximum is . In the following SageMath implementation we will use Moreover, we preform our implementation on the arbitrary message : Cryptanalysis.

enhanced jigsaw

[colback=blue!5!white,colframe=blue!75!black, colbacktitle=blue!75!black,title=ITRU Implementation Input, breakable] 1     Cryptanalysis
2     pretty_ print(The message is:, s)
5     Set([ for in range if ])
6     random_element()
7     Set()
8     random_element()
9     [ord() for in ]
10     pretty_print( The ASCII code of the message :, )
11     next_prime()
15     pretty_print( Large modulus :)
16     pretty_print( Public key :)
17     pretty_print( Private key pair :)
18     for in ]
19     pretty_print( The encrypted message :)
20     for in ]
21     pretty_print(html(\cdot \pmod is : latex()))
22     for in ]
23     pretty_print(html(_p \cdot \pmod {}$ is : latex()))
24     [chr() for in ]
25     pretty_print( The original message :.join())

[colback=green!5!white,colframe=green!75!black, colbacktitle=green!75!black,title=Output, breakable]

The message is : Cryptanalysis
The ASCII code of the message :
Large modulus :
Public key :
Private key pair :
The encrypted message :
is :

is :
The original message : Cryptanalysis

4 ITRU Plaintext Recovery

In this section we show how the ITRU cryptosystem can be attacked using a simple frequency analysis on the letters of cipher message. This attack is preformed with SageMath Software in which the plaintext is completely recovered only from the ciphertext and the public key with no need to have the private key. However, this attack technique can be applied on any encrypted message using the ITRU cryptosystem, let us preform this technique on the following paragraph from the article describing ITRU cryptosystem [7] (without spaces):

[enhanced, colback=gray!5!white,colframe=gray!75!black,fonttitle=, breakable] ThegoalofthisstudyistopresentavariantofNTRUwhichisbasedontheringof

If this paragraph is encrypted with the large modulus and the public key , then the ciphertext starts as

In fact, there are different numbers appearing in the ciphertext these are between and A simple frequency analysis with the function frequency_distribution() provides the following data:

[enhanced, colback=yellow!5!white,colframe=yellow!75!black,fonttitle=, breakable]

We see that the number appears the most in the ciphertext. Therefore, represents either or . If it is , then we apply the formula

where represents the ciphertext blocks in the ASCII character code for all . Thus, we get a sequence of numbers starting with

Finally, if we consider it as a sequence of ASCII codes and determine the corresponding plaintext, then we get the encoded message.

5 Acknowledgments

The research was supported in part by grants K115479 and K128088 (Sz.T.) of the Hungarian National Foundation for Scientific Research. The work of H. R. Hashim was supported by the Stipendium Hungaricum Scholarship.


  • [1] William D. Banks and Igor E. Shparlinski. A variant of NTRU with non-invertible polynomials. In Progress in cryptology – INDOCRYPT 2002. Third international conference on cryptology in India, Hyderabad, India, December 16–18, 2002. Proceedings, pages 62–70. Berlin: Springer, 2002.
  • [2] M. G. Camara, De. Sow, and Dj. Sow. Dtru1: First generalization of ntru using dual integers. International Journal of Algebra, 12(7):257–271, 2018.
  • [3] Michael Coglianese and Bok-Min Goi. MaTRU: A new NTRU-based cryptosystem. In Progress in cryptology – INDOCRYPT 2005. 6th international conference on cryptology in India, Bangalore, India, December 10–12, 2005, Proceedings, pages 232–243. Berlin: Springer, 2005.
  • [4] D. Coppersmith and A. Shamir. Lattice attacks on ntru. In Walter Fumy, editor, Advances in Cryptology — EUROCRYPT ’97, pages 52–61, Berlin, Heidelberg, 1997. Springer Berlin Heidelberg.
  • [5] T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inform. Theory, 31(4):469–472, 1985.
  • [6] P. Gaborit, J. Ohler, and P. Solé. CTRU, a polynomial analogue of NTRU. Technical Report RR-4621, INRIA, November 2002.
  • [7] J. N. Gaithuru, M. Salleh, and I. Mohamad. Itru: Ntru-based cryptosystem using ring of integers. International Journal of Innovative Computing, 7(1), 2017.
  • [8] C. Gentry. Key recovery and message attacks on NTRU-composite. In Advances in cryptology - EUROCRYPT 2001. 20th international conference on theory and application of cryptographic techniques, Innsbruck, Austria, May 6–10, 2001. Proceedings, pages 182–194. Berlin: Springer, 2001.
  • [9] Henri Gilbert, Dipankar Gupta, Andrew Odlyzko, and Jean-Jacques Quisquater. Attacks on Shamir’s ‘RSA for paranoids’. Inf. Process. Lett., 68(4):197–199, 1998.
  • [10] O. Goldreich, S. Goldwasser, and S. Halevi. Public-key cryptosystems from lattice reduction problems. In Advances in cryptology—CRYPTO ’97 (Santa Barbara, CA, 1997), volume 1294 of Lecture Notes in Comput. Sci., pages 112–131. Springer, Berlin, 1997.
  • [11] J. Hoffstein, J. Pipher, and J. H. Silverman. NTRU: A ring-based public key cryptosystem. In Algorithmic number theory. 3rd international symposium, ANTS-III, Portland, OR, USA, June 21–25, 1998. Proceedings, pages 267–288. Berlin: Springer, 1998.
  • [12] Nick Howgrave-Graham. A hybrid lattice-reduction and meet-in-the-middle attack against ntru. In Alfred Menezes, editor, Advances in Cryptology - CRYPTO 2007, pages 150–169, Berlin, Heidelberg, 2007. Springer Berlin Heidelberg.
  • [13] Éliane Jaulmes and Antoine Joux. A chosen-ciphertext attack against ntru. In Mihir Bellare, editor, Advances in Cryptology — CRYPTO 2000, pages 20–35, Berlin, Heidelberg, 2000. Springer Berlin Heidelberg.
  • [14] Marc Joye and Jean-Jacques Quisquater. On the importance of securing your bins: The garbage-man-in-the-middle attack. In Proceedings of the 4th ACM conference on Computer and communications security, pages 135–141, 1997.
  • [15] A. A. Kamal and A. M. Youssef. A scan-based side channel attack on the ntruencrypt cryptosystem. In 2012 Seventh International Conference on Availability, Reliability and Security, pages 402–409, 2012.
  • [16] A. H. Karbasi and R. E. Atani. Iltru: An ntru-like public key cryptosystem over ideal lattices. IACR Cryptology ePrint Archive, 2015:549, 2015.
  • [17] A. H. Karbasi, R. E. Atani, and S. E. Atani. Pairtru: Pairwise non-commutative extension of the ntru public key cryptosystem. International Journal of Information Security Science, 8:1–10, 03 2018.
  • [18] Neal Koblitz. Elliptic curve cryptosystems. Math. Comp., 48(177):203–209, 1987.
  • [19] R Kouzmenko. Generalizations of the ntru cryptosystem. Diploma Project, École Polytechnique Fédérale de Lausanne,(2005–2006), 2006.
  • [20] Zhen Liu, Yanbin Pan, and Zhenfei Zhang. Cryptanalysis of an NTRU-based proxy encryption scheme from ASIACCS’15. In Post-quantum cryptography, volume 11505 of Lecture Notes in Comput. Sci., pages 153–166. Springer, Cham, 2019.
  • [21] E. Malekian, A. Zakerolhosseini, and A. Mashatan. Qtru: Quaternionic version of the ntru public-key cryptosystems. ISeCure, 3(1), 2011.
  • [22] R. J. McEliece. A Public-Key Cryptosystem Based On Algebraic Coding Theory. Deep Space Network Progress Report, 44:114–116, January 1978.
  • [23] Tommi Meskanen and Ari Renvall. A wrap error attack against NTRUEncrypt. Discrete Appl. Math., 154(2):382–391, 2006.
  • [24] D. Micciancio. Closest Vector Problem, pages 79–80. Springer US, Boston, MA, 2005.
  • [25] Petros Mol and Moti Yung. Recovering NTRU secret key from inversion oracles. In Public key cryptography – PKC 2008. 11th international workshop on practice and theory in public-key cryptography, Barcelona, Spain, March 9–12, 2008. Proceedings, pages 18–36. Berlin: Springer, 2008.
  • [26] M. Nevins, C. KarimianPour, and A. Miri. NTRU over rings beyond . Des. Codes Cryptography, 56(1):65–78, 2010.
  • [27] David Nuñez, Isaac Agudo, and Javier Lopez. Ntrureencrypt: An efficient proxy re-encryption scheme based on ntru. In Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, ASIA CCS ’15, page 179–189, New York, NY, USA, 2015. Association for Computing Machinery.
  • [28] National Bureau of Standards. Data encryption standard. FIPS Publication 46, U.S. Department of Commerce, 1977.
  • [29] National Institute of Standards and Technology. Advanced encryption standard. FIPS Publication 197, U.S. Department of Commerce, 2001.
  • [30] Y. Pan and Y. Deng. A general ntru-like framework for constructing lattice-based public-key cryptosystems. In Souhwan Jung and Moti Yung, editors, Information Security Applications, pages 109–120, Berlin, Heidelberg, 2012. Springer Berlin Heidelberg.
  • [31] John Proos. Imperfect decryption and an attack on the ntru encryption scheme, 2003. 12059 received 7 Jan 2003.
  • [32] R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Comm. ACM, 21(2):120–126, 1978.
  • [33] Gurpreet S. and Supriya. A study of encryption algorithms (rsa, des, 3des and aes) for information security. International Journal of Computer Applications, 67(19):33–38, 2013.
  • [34] Tanya E. Seidel, Daniel Socek, and Michal Sramka. Parallel symmetric attack on NTRU using non-deterministic lattice reduction. Des. Codes Cryptography, 32(1-3):369–379, 2004.
  • [35] X. Shen, Z. Du, and R. Chen. Research on ntru algorithm for mobile java security. In 2009 International Conference on Scalable Computing and Communications; Eighth International Conference on Embedded Computing, pages 366–369, Sep. 2009.
  • [36] S. Singh and S. Padhye. Generalisations of ntru cryptosystem. Security and Communication Networks, 9(18):6315–6334, 2016.
  • [37] W. A. Stein et al. Sage Mathematics Software (Version 9.0). The Sage Development Team, 2020.
  • [38] J. Talbot and D. Welsh. Complexity and cryptography. Cambridge University Press, Cambridge, 2006. An introduction.
  • [39] H. Yassein and N. Al-Saidi. Bitru: Binary version of the ntru public key cryptosystem via binary algebra. International Journal of Advanced Computer Science and Applications, 12 2016.