Paper 2015/127

Adaptive key recovery attacks on NTRU-based somewhat homomorphic encryption schemes

Ricardo Dahab, Steven Galbraith, and Eduardo Morais


In this paper we present adaptive key recovery attacks on NTRU-based somewhat homomorphic encryption schemes. Among such schemes, we study the proposal by Bos et al [BLLN13] in 2013. Given access to a decryption oracle, the attack allows us to compute the private key for all parameter choices. Such attacks show that one must be very careful about the use of homomorphic encryption in practice. The existence of a key recovery attack means that the scheme is not CCA1-secure. Indeed, almost every somewhat homomorphic construction proposed till now in the literature is vulnerable to an attack of this type. Hence our result adds to a body of literature that shows that building CCA1-secure homomorphic schemes is not trivial.

Available format(s)
Public-key cryptography
Publication info
Published elsewhere. Accepted to the conference ICITS 2015
NTRU-based homomorphic encryptionadaptive key recovery attack
Contact author(s)
eduardo morais @ gmail com
2015-02-26: received
Short URL
Creative Commons Attribution


      author = {Ricardo Dahab and Steven Galbraith and Eduardo Morais},
      title = {Adaptive key recovery attacks on {NTRU}-based somewhat homomorphic encryption schemes},
      howpublished = {Cryptology ePrint Archive, Paper 2015/127},
      year = {2015},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.