Paper 2015/676

Quantum Cryptanalysis of NTRU

Scott Fluhrer


This paper explores some attacks that someone with a Quantum Computer may be able to perform against NTRUEncrypt, and in particular NTRUEncrypt as implemented by the publicly available library from Security Innovation. We show four attacks that an attacker with a Quantum Computer might be able to perform against encryption performed by this library. Two of these attacks recover the private key from the public key with less effort than expected; in one case taking advantage of how the published library is implemented, and the other, an academic attack that works against four of the parameter sets defined for NTRUEncrypt. In addition, we also show two attacks that are able to recover plaintext from the ciphertext and public key with less than expected effort. This has potential implications on the use of NTRU within TOR, as suggested by Whyte and Schanck

Available format(s)
Public-key cryptography
Publication info
Preprint. MINOR revision.
NTRUQuantum Cryptography
Contact author(s)
sfluhrer @ cisco com
2015-07-05: revised
2015-07-05: received
See all versions
Short URL
Creative Commons Attribution


      author = {Scott Fluhrer},
      title = {Quantum Cryptanalysis of NTRU},
      howpublished = {Cryptology ePrint Archive, Paper 2015/676},
      year = {2015},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.