Lattice Klepto

Turning Post-Quantum Crypto Against Itself

Robin Kwant, Tanja Lange, and Kimberley Thissen

Department of Mathematics and Computer Science

Technische Universiteit Eindhoven, P.O. Box 513, 5600 MB Eindhoven, NL
[email protected], [email protected],
[email protected]

Abstract. This paper studies ways to backdoor lattice-based systems

following Young and Yung’s work on backdooring RSA and discrete-log
based systems. For the NTRU encryption scheme we show how to build
a backdoor and to change the system so that each ciphertext leaks infor-
mation about the plaintext to the owner of the backdoor. For signature
schemes the backdoor leaks information about the signing key to the
backdoor owner.
As in Young and Yung’s work the backdoor uses the freedom that ran-
dom selections offer in the protocol to hide a secret message encrypted to
the backdoor owner. The most interesting and very different part though
is how to hide and retrieve the hidden messages.
Keywords: Post-quantum cryptography, kleptography, lattice-based en-
cryption, NTRU, signatures.

1 Introduction
The attacks studied in cryptanalysis can typically be classified into mathemat-
ical, algorithmic attacks and side-channel attacks. The former tries to tackle
the hard problem the system is based on or to find ways to circumvent the
hard problem altogether; the latter uses information gathered during execution
of algorithms (possibly after introducing faults or cache flushes) to learn secret
information. Typically the analysis assumes that the attacker has full knowledge
of the algorithm implemented and typically also of the implementation itself.
In the mid 90’s, Young and Yung invented [15,16,17] the concept of Cryptovi-
rology or Kleptography and studied how easily systems lend themselves to being
backdoored. Their setups typically include a black-box implementation whose
output should be indistinguishable from the output of a legitimate implementa-
tion for anybody but the owner of the backdoor key. The klepto implementation
of a regular algorithm leaks (parts of) the secret message, a private key, or the
This work was supported by the European Communities through the
Horizon 2020 program under project number 645622 (PQCRYPTO) and
project number 645421 (ECRYPT-CSA). Permanent ID of this document:
e14bc1779799664cf160742e72d7fa50. Date: 2017.08.11.
2 Robin Kwant, Tanja Lange, and Kimberley Thissen

state of a random-number generator to the attacker. In a secure klepto scheme

this is done in such a way that the attacker holds a secret key which gives him
the unique power to decrypt that leaked information. If anybody inspects or
reverse engineers the black-box implementation they may observe a difference
in how the values are generated but must not be able to decrypt their own past
leaks or those of others. Ideally they should not be able to even decrypt future
leaks.
The properties of a secure klepto scheme are

– exclusivity,
– indistinguishability, and
– forward secrecy.

This implies that the backdoor encryption must use a public-key system and
that only the public part of the backdoor key is stored on the device.
The study of kleptopgraphy has gained topicality in the wake of the Snowden
revelations which mention “subversion of standards” as one of the targets of NSA
and news articles [13] strongly indicating that the elliptic-curve based random-
number generator DualEC [10] was designed with a backdoor. This backdoor
is closely related to the “repeated DH Setup” by Young and Yung. Subsequent
research has shown that this backdoor can be exploited in the wild [2] in TLS
implementations and turned up more evidence about the origin [1] of DualEC
and how it got incorporated into standards.
While the overall lesson is clear: do not accept black-box implementations
of cryptographic algorithms and request justification for all choices made, the
power of klepto schemes differs noticeably between RSA, finite field DH, and
elliptic-curve cryptography (ECC). The most powerful backdoor against RSA
produces keys that are indistinguishable from random keys but include an ECC-
based encryption to a backdoor key of the same cryptographic security as the
RSA key that allows instant factorization [18].
This raises the question how other public-key schemes can be turned into
kleptographic schemes. Post-quantum cryptography has received a lot of interest
in recent years and NIST calls for submissions of post-quantum algorithms by the
end of 2017. So far schemes have been evaluated purely for security, functionality,
speed, and at best for implementation security (side-channel countermeasures).
We are not aware of any study of kleptographic attacks against these schemes.
This paper studies lattice-based encryption, in particular the NTRU [7] fam-
ily of encryption schemes and signature schemes and shows how to turn them
into klepto schemes with an ECC-based backdoor.

2 Background

This section briefly describes the NTRU encryption system and fixes parameters
for our klepto scheme. For the NTRU encryption scheme we follow the original
NTRU paper [7].
 Lattice Klepto 3

2.1. Background on Kleptography. Young and Yung call their the core of
their klepto schemes a SETUP. SETUP is an abbreviation of “Secretly Embed-
ded Trapdoor with Universal Protection”.
Definition 2.1 (SETUP). Let S be a publicly known cryptosystem. A SETUP
mechanism is an algorithmic modification made to S to get S 0 such that:

– The input of S 0 agrees with the public specifications of the input of S.

– S 0 computes using the attacker’s public encryption function E (and possibly
other functions as well), contained within S 0 .
– The attacker’s private decryption function D is not contained within S 0 and
is known only by the attacker.
– The output of S 0 agrees with the public specifications of the output of S. At
the same time, it contains published bits which are easily derivable by the
attacker but are otherwise hidden.
– Furthermore, the outputs of S and S 0 are polynomially indistinguishable to
everyone except the attacker.

The definition of a weak SETUP mechanism is a relaxation of a regular

SETUP mechanism. A weak SETUP is the same as a regular SETUP with the
exception that it does not require the polynomial indistinguishability between
the output of S and S 0 [16]. This may seem very easily detectable, but in practice
this still works well because an end user does not know that the implementation
contains a SETUP. Furthermore, an end user often does not know what the
output of S should be.
2.2. Subliminal Channel. A subliminal channel is a secondary channel of
communication hidden inside a communications channel that is presumed to be
compromised. The concept of a subliminal channel was introduced as a solution
to the prisoners problem by Simmons in 1984 [14]. In the prisoners problem
two people Alice and Bob are incarcerated and wish to plan a breakout. Their
only way of communicating is by passing over messages via Eve who is one of
the guards. They are allowed to use encryption, but Eve will only pass along
the messages if she is allowed to read the messages, so she needs access to the
keys and the decryption function. As Eve will report any breakout plan, Alice
and Bob have to hide their communications about breaking out within their
communication.
This subliminal channel seems to solve a very specific problem, yet in times
of surveillance this problem is and will be more frequently seen in practice. More
and more countries propose laws which oblige citizens to give up their private
keys if requested. If they want to continue having secure communications, this
creates a situation directly analogous to the prisoners problem.
2.3. Concrete choices. For concreteness we consider ECC to exfiltrate secrets.
The benefits of using ECC are small ciphertext size, needing just 256 bits at 128-
bit security level in addition to the symmetric-key encryption of the message.
Let E/Fp be an elliptic curve over the prime field Fp , e.g. let E/Fp be P256 from
[11] with base point P , and let PB = BP be the public key for the backdoor.
4 Robin Kwant, Tanja Lange, and Kimberley Thissen

For symmetric encryption and authentication we use AES-GCM, this means

that to exfiltrate M ∈ {0, 1}` we need 256 + 128` + 128 bits by sending C =
(AP, AES-GCMK (M )), where K is the key for AES-GCM derived from the DH
key APB . Upon receipt of C the backdoor owner uses its secret backdoor key B
to compute the same K from B(AP ).
Obviously the security level of the backdoor key is significantly reduced once
a quantum computer exists and the schemes will no longer satisfy the property
of exclusivity if the backdoor key is found by somebody having a quantum com-
puter. However, there are no agreed upon post-quantum encryption schemes, yet,
and, in showing how to exfiltrate these > 512 random bits, we provide a mech-
anism of exfiltrating any data, possibly split over multiple NTRU encryption
messages.
Furthermore, NTRU has been proposed independently of post-quantum cryp-
tography as a very efficient encryption system and was included into standards,
such as IEEE P1363.1 and ASC X9 X9.98, on its own merits.
2.4. NTRU parameters. NTRU is an asymmetric cryptosystem commonly
used in a hybrid cryptosystem to share keys for a symmetric encryption algo-
rithm. NTRU is specified by six public parameters, the integers (N, p, q, df , dg , dr ),
in which gcd(p, q) = 1 and q is much larger than p. In practice p is usually chosen
as 3 and q a power of 2. NTRU works with operations on elements of the ring
R = Z[X]/(X N − 1). In the following we assume q is even and p is odd. An
element can be represented as either a polynomial of degree at most N − 1 or a
vector of length N containing the coefficients of that polynomial. The operation
denoted as ~ is the cyclic convolution product, that is multiplication in R. Using
the property X N ≡ 1 mod (X N − 1) it is defined as F ~ G = H with
k
X N
X −1 X
Hk = Fi · Gk−i + Fi · GN +k−i = Fi · Gj .
i=0 i=k+1 i+j≡k mod N

The parameters (df , dg , dr ) specify the sets (Lf , Lg , Lr , Lm ), which are sets
of polynomials of degree at most N − 1 with a fixed number of (small) nonzero
coefficients. Concrete parameter choices are included in Table 5.1.
Definition 2.2 (Message space). The message space Lm is defined as

Lm = {m ∈ R|m has coefficients in [−(p − 1)/2, (p − 1)/2]}.

Messages are assumed to be integers in a radix p representation, with every

digit a coefficient of the polynomial. The rest of this section follows definitions
from [7].
Definition 2.3 (The set L(d1 , d2 )). The set of ternary polynomials L(d1 , d2 )
is defined as:
 
 d1 coefficients equal to 1, 
L(d1 , d2 ) = F ∈ R F has exactly d2 coefficients equal to − 1
the rest of the coefficients equal 0
 
 Lattice Klepto 5

The key and randomness spaces (Lf , Lg , andLr ) are defined as:

Lf = L(df , df − 1)
Lg = L(dg , dg )
Lr = L(dr , dr )

Lf is not set as L(df , df ) because a polynomial f ∈ L(df , df ) would have f (1) =

0 which is not invertible, while f needs to be invertible for key creation explained
now.
2.5. NTRU key generation. To create a key, two random polynomials f ∈ Lf
and g ∈ Lg are chosen such that inverses Fq and Fp of f exist in R modulo q
and p respectively.
The public key
h ≡ Fq ~ g mod q, (2)
is computed.
The private key is the pair (f, Fp ), in which Fp is derivable from f and p but
is precomputed for practical purposes. The reduction modulo q of the polynomial
means a reduction of the coefficients to equivalent representatives in the interval
(−q/2, q/2].
2.6. NTRU encryption. A message m ∈ Lm is chosen and a random r ∈ Lr
is selected. Now ciphertext

c ≡ p · r ~ h + m mod q, (3)

is computed.
2.7. NTRU decryption. To obtain message m, first the quantity a ≡ f ~
c mod q is computed. Because

a ≡ f ~ (p · r ~ h + m) ≡ f ~ (p · r ~ Fq ~ g + m) ≡ p · r ~ g + f ~ m mod q, (4)

reducing modulo p yields f ~ m if the polynomials are sparse enough.

In that case,
m ≡ a ~ Fp mod p.
We now consider possible exceptions to this equivalence.
2.8. NTRU decryption failures. When Equation (4) is not an exact equation
in R due to the modular reductions in the decryption step, then m might be not
or only partially recovered. In Equation 4 first the term a ≡ p · r ~ g + f ~ m is
reduced modulo q after which it is reduced modulo p. Since gcd(p, q) = 1, this
resulting a reduced modulo q and p is not well defined, as reducing a different
representative of a modulo p could give a different result. In practice this problem
is avoided by choosing the uniquely defined representative of a with coefficients
in the interval (−q/2, q/2]. The resulting a in equation (4) equals p·r~g+f ~m in
R if the maximum absolute value of any coefficient is not too big. This property
is captured by the width:
6 Robin Kwant, Tanja Lange, and Kimberley Thissen

PN −1
Definition 2.4 (Width). Let l = i=0 li X i ∈ R. The width of l is defined as

|l|∞ = max li − min li .

0≤i≤N −1 0≤i≤N −1

If the width of the term S = p · r ~ g + f ~ m exceeds q, some coefficients

in the recovered polynomial will differ from the coefficients of m. If m is used as
the key for symmetric authenticated encryption the user will quickly notice that
the authenticator does not verify. This is called a decryption failure and has to
be taken into account in parameter selection.

3 The NTRU Backdoor

In this section an example of a modified NTRU encryption with a backdoor
using a weak SETUP is described and analyzed, after which countermeasures
are given. The backdoor has the purpose of leaking secrets of the encrypting
party to a third party. This information is made available exclusively to the
third party by encrypting it to the party’s ECC key.
3.1. Description. This version differs from regular NTRU in the sense that
a secondary encrypted message along with the regular message is included in
the ciphertext. This secondary message is available to a third party. As in Sec-
tion 2.3, the public key encryption of this secondary message will be denoted
as C, encrypting plaintext M . The key setup on the receiving end stays exactly
the same. We take C to be the ECC encrypted and authenticated message to be
exfiltrated; in the typical hybrid setting of NTRU, M is the symmetric session
key of the legitimate user, so M typically has 256 bits (for encryption and MAC
part) and C has 640 bits.
3.2. Encryption. Let ρ < q be an integer coprime to p. Consider C as a
polynomial in R with coefficients modulo ρ,i.e., C ∈ Zρ [X]/(X N − 1), ρ < q
and gcd(ρ, p) = 1. To obtain this representation, first take the bitstring C and
interpret it as a large integer, then take its coefficients in base ρ as polynomial
coefficients.
On the sending end, a slight adaptation of Equation (3) is used. First cipher-
text c is computed as in Equation (3). Now the new ciphertext c0 including the
secondary message, is computed as

c0 = c + k · p, (5)
0
with k a polynomial in R with coefficients in Zρ such that c ≡ C mod ρ. This
polynomial k can be obtained by solving the integer equation Ci ≡ ci +ki ·p mod ρ
for every coefficient of k. Having the gcd(ρ, p) = 1 by definition, ensures the
existence of these solutions.
3.3. Decryption by the attacker. The attacker reduces c0 mod ρ and recovers
the polynomial C, since C ≡ c0 mod ρ. The attacker interprets C as a bitstring
and decrypts it with his private key (as in Section 2.3) to obtains the leaked
information.
 Lattice Klepto 7

3.4. Decryption by the intended receiver. Decryption at the receiver end

stays exactly the same. First the quantity a0 = f ~ c0 mod q is computed as in
Equation (4). Because

a0 ≡ f ~ (p · k + p · r ~ h + m)
≡ f ~ (p · k + p · r ~ Fq ~ g + m) (6)
≡ p · k ~ f + p · r ~ g + f ~ m mod q,

reducing a0 modulo p still yields f ~ m if the coefficients are not too large (see
the comment on decryption failures above). Thus m ≡ a0 ~ Fp mod p.

4 Analysis of the Backdoor Quality

In this section we analyze how much more likely a decryption failure gets de-
pending on the size of the backdoor parameter ρ. A large ρ value is convenient
for the attacker to send more data but obviously makes failures more likely. 4.1.
Decryption failures. As pointed out in Section 2.8, a decryption failure occurs
when the polynomial
S = p · r ~ g + f ~ m,
has a width larger than q. Adding the k · p term to the ciphertext c0 in Equation
(5) makes decryption failures more likely because now a decryption failure occurs
when the polynomial

T = p · k ~ f + p · r ~ g + f ~ m,

has a width larger than q, as generally |T |∞ > |S|∞ . Because for a single coeffi-
cient of T it applies that
X
Tl = Sl + p · ki · fj ,
i+j≡l mod N

the contribution of this extra convolution product p · k ~ f to a single coefficient

is at most
p · (d(ρ − 1)/2e) · (2 · df − 1). (7)
Let α = min (dg , dr ), the maximum width of S is given by

max |S|∞ = 2 · p · α + (2 · df − 1) · (p − 1)/2, (8)

so the maximum width of T would be

max |T |∞ = 2 · p · α + (2 · df − 1) · ((p − 1)/2 + p · d(ρ − 1)/2e). (9)

4.2. Parameter choices. Because of the possible decryption failures it is im-

portant to pick parameters that minimize this phenomenon while maintaining
global security. It is recommended to keep ρ as small as possible. In the case
8 Robin Kwant, Tanja Lange, and Kimberley Thissen

where p = 3 the value ρ = 2 is quite suitable. Other options would be ρ = 4 and

ρ = 5 as this would give space to leak more information, but as noted above,
decryption failures will be much more likely because the extra contribution of
the term in Equation (7) can become much larger. For most parameter sets ρ = 2
will most likely be the only option that works without increasing the probability
of decryption failures too much.
For the typical 128-bit security level the klepto ciphertext C has only 640
bits, which is less than N for typical parameter choices, meaning that ρ = 2 is
sufficient to exfiltrate ciphertexts as described in Section 2.3.
4.3. Optimization. Decryption failures will be less likely if the vector k · p
added in Equation (5) is sparse. This is the case when k is sparse. A way to keep
k sparse is to minimize the number of bits needed to store C and pad it with
zeros. Depending on what information will be leaked it might even be possible
to split up C over several messages. In that case C will only be partially leaked,
but can be recovered if multiple messages containing all the parts are recorded.
Another optimization that works in the case where ρ = 2 is to append a one
bit shorter message C 0 with an indicator bit i such that instead of C, [i|C 0 ] is
leaked. The polynomial k is now computed regularly. If this k contains more
ones then it contains zeros the term k̄ · p is added instead of k · p, with k̄ the
bitwise complement of k. The attacker now recovers either [0|C 0 ] or [1|C̄ 0 ] and
is able to recover C 0 by taking the complement if i = 1. Note that this indicator
costs one bit in space, so C 0 has at most N − 1 bits where C would have N .
Another trick for ρ = 1 is to randomly pick between ±1 for nonzero ki in
order to halve the average width of p · k ~ f .

5 Practical implementation

We wrote an implementation of NTRU in Sage [3] and added the backdoor as

described in Section 3, using parameter ρ = 2. We ran experiments to look at the
impact of the backdoor with respect to decryption failures. In every experiment
a pseudorandom ternary message m is generated along with a pseudorandom N
bit binary message C. This way C is as long as N , which for most parameter sets
is longer than necessary, but we were interested in seeing the overall impact and
using a shorter C will make the system more likely to function correctly. None of
the optimizations discussed in Section 4.3 were applied in the implementation.
The first set of experiments counts the number of decryption failures caused
by the backdoor in 2 different ways using NTRU parameters from [4]. First a
subset of experiments was conducted in which a new key is generated with every
trial, in this case all trials are independent. Secondly a subset of experiments
was conducted in which the same key is used more than once, these trials are
not independent but they do represent a real world situation in which keys are
generated once and then reused often. Doing multiple trials with the same keys
also allows for more experiments as generating a new key is relatively expensive
computationally.
 Lattice Klepto 9

Table 5.1. Decryption failure check results

Parameters
# keys # trials per key # failures
N pq df dg dr
20000 1 0
613 3 2048 55 204 55
100 10000 0
10000 1 0
887 3 2048 81 295 81
100 10000 0
5000 1 0
1171 3 2048 106 390 106
100 10000 0

Since no decryption failures occurred in these experiments, the increased

probability of a decryption failure caused by the backdoor will probably go
unnoticed in practice. With Equation (7) the maximum contribution to the width
of T with the parameters used can be computed, with respect to q this difference
is relatively small enough. Looking at Equations (8) and (9) the maximum width
T is only slightly larger than the maximum width of S with the parameters used
in the experiments. This could possibly explain the lack of decryption failures.
Note that the maximum width was not expected to be obtained. These extreme
widths are in general very rare, as f and r are chosen to be sparse. They are
intentionally centered around 0 to let a lot of cancellations occur. This behavior
is not unique to the parameters used in the experiments, in most parameter
sets used in practice df = dr . When ρ = 2 is chosen, the most significant term
in Equation (9) is generally the first one, so the contribution of the backdoor
to the maximum width is generally small enough. In the implementation any
message can be leaked as long as its encryption does not exceed N bits. The
trialled version with parameter N = 613 is 27 bits too short for the hidden
ciphertext C described in Section 2.3 but also has slightly lower security. The
versions with N = 887 and N = 1171 have ample space, even for longer messages
C. For instance, in N = 1171 there could be an 256-bit ECC key and a 128-bit
authentication tag, which leaves (1171−256−128 = 787) bits for a message. The
787 bits fit 6 blocks of 128 bit ciphertext and the remaining 19 bits could be used
for the optimizations discussed in Section 4.3. To get an idea of how much the
probability of decryption failures increases on average instead of just the worst
case, a second set of experiments was run. In the second set of experiments,
the width of the terms S and T were stored. A decryption failure occurs when
|S|∞ > q or |T |∞ > q, without and with the backdoor respectively. For these
experiments the parameters from Table 5.1 were used. The results are presented
in histograms where red corresponds to |S|∞ and green corresponds to |T |∞ .
Note that all observed widths are significantly smaller even than q/2.
These results confirm that on average the probability of a decryption failure
increases, but this increase is small enough to go unnoticed in a practical situa-
tion because large widths are rare. An interesting side effect is that the standard
deviation also increases when the backdoor is added. The green spike is gener-
ally lower and less steep, which means that the |T |∞ values are less predictable
10 Robin Kwant, Tanja Lange, and Kimberley Thissen

|S|∞ |T |∞
µ 164.0471 190.7234
σ 13.81889 15.95371
min 116 139
max 251 294

Fig. 5.1. (N, p, q, df , dg , dr ) = (613, 3, 2048, 55, 204, 55), 10 keys, 10000 trials per key.

than the |S|∞ values. This phenomena gives rise to some questions explained in
Section 10.2.

6 Countermeasures

There are ways to find out that the ciphertext was tampered with. One of those
being the recovery of the randomness. From Equation (3) we obtain

c − m = r ~ h mod q,

meaning r can be recovered by

r = (c − m) ~ h−1 mod q

if inverse h−1 exists in R modulo q. In the case of a ciphertext with an extra

term added, doing the same computation will result in r +k ·p~h−1 instead of r,
which with high probability will not be an element of Lr . Since by specification
r ∈ Lr , the receiver can check whether (c − m) ~ h−1 ∈ Lr . If this is not the case
and h is invertible in R modulo q, the ciphertext has been tampered with and a
warning can be sent back to the sender. To make sure that this is possible, it is
important that h is always invertible in R modulo q. Remember that h depends
on the choice of f and g so a change has to be made to the selection of those.
Public key h is defined as h = Fq ~ g mod q. By definition Fq is invertible so
the only extra requirement is that g must also be invertible, this can be done
 Lattice Klepto 11

|S|∞ |T |∞
µ 163.9682 190.6541
σ 13.79992 15.95437
min 117 140
max 257 300

Fig. 5.2. (N, p, q, df , dg , dr ) = (613, 3, 2048, 55, 204, 55), 100 keys, 10000 trials per key

by choosing g ∈ Lg in a similar manner as f . Since invertibility is required, Lg

can no longer be defined as Lg = L(dg , dg ) and would need to be defined as
Lg = L(dg , dg − 1).

7 Subliminal Channel in NTRU

In this section a modification of NTRU with a SETUP is shown in which an extra

possibly secret channel for information is added. This channel differs from the
backdoor discussed in Section 3 as it is intended for the receiver of the message
instead of a third party.
7.1. Description. In this adaptation, Bob sends a regular message m and a
subliminal encrypted message C to receiver Alice. We use the same ECC-AES-
GCM-based setup as described in Section 2.3 to construct C. To include this C,
a technique inspired by the countermeasures described in Section 6 is used. In
addition to the regular setup, both Alice and Bob agree upon an injective map
φ which maps C to an element of Lr and a pair of ECC keys to generate and
decrypt C.
7.2. Key setup. Alice chooses f ∈ Lf and computes Fq and Fp as in Section 2.5.
Now g ∈ L(dg , dg − 1) is chosen such that inverse g −1 exists in Rq and public
key h is computed normally as in Equation (2). Choosing g ∈ L(dg , dg − 1) is
justifiable as a protection against the specific backdoor mentioned earlier. Alice
publishes her public key h so that others including Bob, can send her messages.
12 Robin Kwant, Tanja Lange, and Kimberley Thissen

|S|∞ |T |∞
µ 206.3269 239.786
σ 16.43092 18.94655
min 157 182
max 298 358

Fig. 5.3. (N, p, q, df , dg , dr ) = (887, 3, 2048, 81, 295, 81), 10 keys, 10000 trials per key.

7.3. Encryption. Bob takes the secret message M , generates C, uses the func-
tion φ to map C to an element r ∈ Lr and encrypts m by computing c using
Equation (3) with this choice of r. Bob now sends c to Alice.

7.4. Decryption. Alice receives c and recovers m using Equation (4). She now
computes h−1 and uses this to recover r ≡ (c−m)~h−1 mod q. She now recovers
C as the preimage of r using φ−1 . For efficiency it is possible to precompute h−1 .

7.5. Encoding messages. In this section an example for the injective map
φ mentioned earlier is described. It is somewhat similar to Algorithm 2.2 in
[12]. Let C,the encryption of ahmessage M , be represented
i as a unique number
chosen in the discrete interval 0, dNr · N d−d



r
r
− 1 . Then φ is an injective map
h i
0, dNr · N d−d



r
r
− 1 → Lr that encodes an encrypted message C to an r ∈ Lr .
The inverse φ−1 gives preimage C from the image r.
The set Lr can be represented as a tree, with every level representing one
coefficient. We now describe how this tree is constructed, see Figure 7.1 for a
visualization. The root is defined as representing r0 , the level of the leaves rn .
Every leaf corresponds to a unique element of Lr , and is defined by the unique
path from the root to the leaf. Every node has at most 3 branches depending on
whether it can still be completed, because left and right branches are limited:
The leftmost branch corresponds to choosing a −1, the middle branch a 0 and
the right branch a 1 on that level. Now the set Lr can be indexed by counting
the leaves from left to right, where the leftmost leaf has index 0.
 Lattice Klepto 13

|S|∞ |T |∞
µ 242.3299 281.6776
σ 18.47012 21.31923
min 182 218
max 365 435

Fig. 5.4. (N, p, q, df , dg , dr ) = (1171, 3, 2048, 106, 390, 106), 10 keys, 10000 trials per
key

The tree itself does not have to be stored in

memory, at every node the
number of leaves can be computed by nk · n−k


l , with n being the number of
levels from the node to a leaf, k the number of −1s and l the number of 1s that
are not used

yet at

that
node. The

left, middle, and right

subbranches of a node
have n−1 n−k n−1 n−k−1 n−1

n−k−1
k−1 · l , k · l and k · l−1 leaves respectively.
To convert an index C into an r ∈ Lr the tree is traversed starting from the
root, and a running index j is kept, so at the root i = 0 and j = C. At every
level i the number of leaves in the left subbranch Li is computed. If j ≤ Li , the
left branch is taken and ri = −1. If this is not the case, the number of leaves
in the middle subbranch is computed and added to Li to obtain L0i which is the
number of leaves in the left and middle subbranch combined. Now if Li < j ≤ L0i
the middle branch is taken, ri = 0 and we set j = j − Li . If j > L0i the right
branch is taken, ri = 1 and we set j = j − L0i . This process repeats until a leaf
is reached.
The inverse φ−1 works in a similar matter, the tree is traversed starting from
the root according to the path specified in r. A running index j is kept for which
j = 0 at the root. Now at every level i the number of leaves that are ”skipped”
by not choosing the left or middle branch respectively, are added to j. So if
ri = 0, the middle branch is taken, Li is computed and we set j = j + Li . Else
if ri = 1, the right branch is taken, L0i is computed and we set j = j + L0i . This
process repeats until all the bits of r are evaluated. Now finally C = j.
14 Robin Kwant, Tanja Lange, and Kimberley Thissen

Fig. 7.1. Example of a tree for dr = 1 and N = 4

7.6. Why does it work?. As pointed out in Section 6 the randomness r can
be recovered by the receiver if g is chosen to be invertible. This phenomenon is
exploited by putting a message in r rather than choosing r randomly.
This subliminal channel changes the choice of r to being deterministic in C
but does not change the range for r, hence it does not introduce any extra de-
cryption errors and is completely undetectable from the observable distribution,
even to Eve who obtained the NTRU key. For properly chosen elliptic curves, C
is indistinguishable from random bitstrings and thus r is indistinguishable from
a randomly chosen element from Lr .

8 pqNTRUSign
This section briefly describes pqNTRUSign, also known as NTRU-MLS, which
is short for NTRU Modular Lattice Signature. For this we follow the original
paper [6] from PQCrypto 2014. Though other NTRU signature schemes, such as
NSS [8] and NTRUSign [5], have been broken, this scheme has no known attacks
against the currently proposed parameters.
8.1. pqNTRUSign parameters. The signature scheme works in NTRU lat-
tices, so the set up is very similar to NTRU (Section 2.4). pqNTRUSign is
specified by five parameters, the integers (N, p, q, Bs , Bt ), where gcd(p, q) = 1,
q is much larger than p and Bs and Bt are some bounds on the norms of some
elements; typically p = 3 and q has 15 or more bits. Similar to NTRU, all com-
putations take place in the ring R = Z[X]/(X N − 1) and polynomials are often
reduced modulo q or p. Unlike NTRU, only the size of the polynomial coefficients
is limited but there is no limit on the number of non-zero coefficients. We write
Rp to denote elements of R with coefficients in Zp ; we consider elements auto-
matically lifted to Z using integers in (−p/2, p/2]; all integer modular reductions
are made explicit.
 Lattice Klepto 15

8.2. pqNTRUSign key generation. To generate a key pick F ∈ R3 , g ∈ Rp

such that both are invertible modulo p and q. Let f = pF . The private key is
the pair (f, g).
The public key is h ≡ f −1 ~ g mod q.
Similar to NTRU, polynomials in Lh = {(s, t) ∈ R2 |t ≡ h ~ s mod q} will be
considered, this is the NTRU lattice which is emphasized in the naming of the
signature scheme.
8.3. pqNTRUSign signature. To sign message m ∈ {0, 1}∗ compute (sp , tp ) =
H(hkm), where H : Rq × {0, 1}∗ → Rp × Rp is a hash function.
The next step picks a random polynomial r from a certain distribution. For
NTRU-MLS this is from R` for some integer ` ≈ q/p and for pqNTRUSign
(as presented at the PQCrypto 2017 rump session [9]) this is from a bimodal
Gaussian distribution. For our klepto scheme the details do not matter; we note
that both distributions are sufficiently wide.
Let s0 = sp + pr and t0 ≡ s0 ~ h mod q. Now compute a ≡ (tp − t0 ) ~
g −1 mod p. Then the candidate signature is (s, t) = (s0 , t0 ) + (a ~ f, a ~ g). Note
that this last computation takes place in R, i.e., there is no reduction on the
coefficients, while a ∈ Rp and t0 ∈ Rq . The latter ensures that all coefficients are
small. Note further that by construction s ≡ sp mod p and t ≡ tp mod p because
f = pF .
NTRU-MLS outputs (s, t) if no coefficient in a ~ f is larger than Bs , no
coefficient in a ~ g is larger than Bt and the coefficients of s and t are bounded
by ksk ≤ 2q − Bs and ktk ≤ 2q − Bt . Else the procedure restarts with a different
choice of r.
The details for the bounds in the latest version of pqNTRUSign are less clear
but a similar rejection sampling on (s, t) is performed.
The signature is on m is (s, t); to save space the pqNTRUSign authors also
suggest a version in which the signature is s and t ≡ s ~ h mod q is recomputed.
8.4. pqNTRUSign Verification. In order to verify the signature, either first
recompute t ≡ s ~ h mod q or check that t in the signature verifies this equiva-
lence. Also check the bounds on the coefficients of s and t. If any of the checks
fails, reject the signature.
Then compute (sp , tp ) = H(hkm) and accept the signature if s ≡ sp mod p
and t ≡ tp mod p, else reject it.

9 The pqNTRUSign backdoor

In this section we show how to backdoor pqNTRUSign using a weak SETUP.

Signatures are easier to backdoor than NTRU because the signer can check for
verification failures himself and restart with a new random choice. Since the
regular algorithm uses rejection sampling on the outputs these restarts will not
raise suspicion if they do not get significantly more frequent. The backdoor is
based on the same idea as that in NTRU: taking the signature modulo 2 reveals
a secondary ciphertext C encrypted to the public key of the klepto scheme (for
16 Robin Kwant, Tanja Lange, and Kimberley Thissen

details see Section 2.3). As in the NTRU backdoor we choose reduction modulo
2 because the typical choice of p is 3 which is coprime to 2 and larger moduli
increase the chance of resampling.
The most obvious target to leak in a signature scheme is the signing key.
In pqNTRUSign this would be F ∈ R3 , needing bN log2 3c + 1 bits in optimal
packing. Alternatively, an evil implementer could point to the importance of
short secret keys and generate F deterministically from a short random seed
that can be leaked in a shorter message.
Unlike in NTRU we will not be able to transmit N bits at once but only a
small number (in order to keep resampling rates acceptable). This means that C
needs to be transmitted over multiple signatures and then concatenated at the
receiver end. The GCM part of the encryption then also serves as a check for
correctness. In the following, C will be a ciphertext to be leaked, encoded as a
binary polynomial of degree less than d ≤ N .
In line with the paper topic we chose to exploit the flexibility in random
choices for a klepto scheme but would like to point out that it could as well be
used as a subliminal channel to hide encrypted messages. Because the signer can
validate the signature himself there no distinction between the capacity of the
klepto/covert channel and the subliminal channel.
There are no modification to the key generation or verification algorithm
and the owner of the klepto backdoor obtains and deciphers the ciphertext as
for NTRU (apart from sorting and arranging partial ciphertexts).

9.1. Trivial backdoor. We want to achieve that s ≡ C mod 2, up to the degree

of C, i.e., that this equivalence holds for the coefficients of 1, X, X 2 , . . . , X d−1
for some d.
In the trivial backdoor we check whether s satisfies this equation or else reject
the signature in the rejection step. This means that the change to the signature
algorithm is minimal but increases signature generation time by a factor of 2d
on average.

9.2. Modified signature. To avoid too many rejections we will now modify
the signature generation. As a warm up put d = 1, i.e. we will leak 1 bit.
Changing s to s0 = s + p, i.e., adding p to the constant will change the
parity of the constant but not affect s ≡ sp mod p. This change implies choosing
s00 = s0 + p instead of s0 and r0 = r + 1 instead of r which only minimally affects
the distribution of the randomness. There is a minimal chance that s will violate
Bs if s was valid.
However, t ≡ h ~ s mod q may no longer hold. If t00 ≡ s00 ~ h ≡ s0 ~ h +
ph mod q equals t0 modulo p, i.e., t0 had small enough coefficients that adding
ph did not cause a reduction in it, then a0 = a and verification will work for
t0 = t00 + a ~ g and s0 (provided that they also satisfy Bs and Bt ). Note that
h is a full-size polynomial, i.e. its coefficients can range over the full interval
(−q/2, q/2], and the equivalence has to hold in all N coefficients. If either of
these checks fails, a possible fix is to use s0 = s − p instead, otherwise a new r
needs to be sampled.
 Lattice Klepto 17

Pd−1 Pd−1
Now let c(X) = i=0 ci X i ∈ R2 for some larger d and let k(X) = i=0 ki X i
with ki ∈ {0, ±1} such that s0 = s + pk ≡ c mod 2 on the bottom d coefficients.
As for NTRU this is possible because gcd(2, p) = 1. Then r0 = r + k and
s00 = s0 + pk, which still likely pass the size test for s since p is much smaller
than q.
However, for increasing d, t00 ≡ t0 + ph ~ k mod q will increasingly likely
invoke a reduction modulo q when adding ph ~ k.
Again we can vary the sign on the ki to reduce the size of h ~ k mod q.
For small d this can be done exhautively to find the minimum and for larger d
randomizing signs to reach roughly as many +1 as −1 seems beneficial.
A final optimization is to skip validity tests on (s, t) before including the
backdoor and choosing signs in k such that (s0 , t0 ) is smaller.
We plan on providing experimental results in the very near future to deter-
mine acceptable rejection rates and good sizes for d.

10 Final Remarks
As shown in Sections 3, 7, and 9 it is feasible and practical to modify NTRU
and pqNTRUSign in such a way that they contains a backdoor or subliminal
channel. Countermeasures against the NTRU backdoor have been described in
Section 6.
10.1. Minimization of decryption failures. In Section 4 some optimizations
have been given in order to reduce the increased probability of decryption failures
with the backdoor added. In Section 5 some experimental results are given. By
doing more experiments and with more parameter sets, the increased probability
of decryption failures might be estimated and parameters can be selected which
allow for more information to be leaked without increasing the failure probability
too much. Research can also be done to find the theoretical probability instead of
an estimation. With this estimation parameters can be computed that preserve
global security, but at the same time minimize the probability of decryption
failures.
10.2. Statistical countermeasures. In Section 5 experimental results were
given on the width of the polynomial T with respect to the width of S. These
results showed that the width of T is less predictable but still small. The stan-
dard deviation was larger for the values of T . This occurs because adding an
extra message to the ciphertext means adding some randomness. This yields the
question, whether a receiver of messages could distinguish the ones that were
tampered with from the ones that were not and alert the sender? How many
messages would it need to be able to do so? These are questions that might be
worthwhile looking into.
10.3. Potential biases in pqNTRUSign klepto signatures. The result of
the modified signatures of the pqNTRUSign scheme in Section 9 could poten-
tially be biased as the random generation is influenced. If the user would collect
a set of signatures generated by this black box algorithm, it will likely show that
18 Robin Kwant, Tanja Lange, and Kimberley Thissen

the signatures are not as random as the user would expect. This behavior could
be analyzed.
10.4. Further research. For backdoors in NTRUSign [5] and NSS [8] see
the thesis by Kimberley Thissen http://repository.tue.nl/854465. For full
details and further considerations on NTRU see the thesis by Robin Kwant
http://repository.tue.nl/854433.

References
1. Daniel J. Bernstein, Tanja Lange, and Ruben Niederhagen. Dual EC: A stan-
dardized back door. In Peter Y. A. Ryan, David Naccache, and Jean-Jacques
Quisquater, editors, The New Codebreakers - Essays Dedicated to David Kahn on
the Occasion of His 85th Birthday, volume 9100 of Lecture Notes in Computer
Science, pages 256–281. Springer, 2016.
2. Stephen Checkoway, Ruben Niederhagen, Adam Everspaugh, Matthew Green,
Tanja Lange, Thomas Ristenpart, Daniel J. Bernstein, Jake Maskiewicz, Hovav
Shacham, and Matthew Fredrikson. On the practical exploitability of dual EC in
TLS implementations. In Kevin Fu and Jaeyeon Jung, editors, Proceedings of the
23rd USENIX Security Symposium, San Diego, CA, USA, August 20-22, 2014.,
pages 319–335. USENIX Association, 2014.
3. The Sage Developers. SageMath, the Sage Mathematics Software System, 2017.
http://www.sagemath.org.
4. Philip S. Hirschhorn, Jeffrey Hoffstein, Nick Howgrave-Graham, and William
Whyte. Choosing NTRUEncrypt parameters in light of combined lattice reduc-
tion and MITM approaches. In Michel Abdalla, David Pointcheval, Pierre-Alain
Fouque, and Damien Vergnaud, editors, Applied Cryptography and Network Secu-
rity, 7th International Conference, ACNS 2009, Paris-Rocquencourt, France, June
2-5, 2009. Proceedings, volume 5536 of Lecture Notes in Computer Science, pages
437–455, 2009.
5. Jeffrey Hoffstein, Nick Howgrave-Graham, Jill Pipher, Joseph H. Silverman, and
William Whyte. NTRUSIGN: digital signatures using the NTRU lattice. In Marc
Joye, editor, Topics in Cryptology - CT-RSA 2003, The Cryptographers’ Track the
RSA Conference 2003, San Francisco, CA, USA, April 13-17, Proceedings, volume
2612 of Lecture Notes in Computer Science, pages 122–140. Springer, 2003.
6. Jeffrey Hoffstein, Jill Pipher, John M. Schanck, Joseph H. Silverman, and William
Whyte. Transcript secure signatures based on modular lattices. In Michele Mosca,
editor, Post-Quantum Cryptography - 6th International Workshop, PQCrypto
2014, Waterloo, ON, Canada, October 1-3, 2014. Proceedings, volume 8772 of Lec-
ture Notes in Computer Science, pages 142–159. Springer, 2014.
7. Jeffrey Hoffstein, Jill Pipher, and Joseph H. Silverman. NTRU: A ring-based
public key cryptosystem. In Joe Buhler, editor, Algorithmic Number Theory, Third
International Symposium, ANTS-III, Portland, Oregon, USA, June 21-25, 1998,
Proceedings, volume 1423 of Lecture Notes in Computer Science, pages 267–288.
Springer, 1998.
8. Jeffrey Hoffstein, Jill Pipher, and Joseph H. Silverman. NSS: an NTRU lattice-
based signature scheme. In Birgit Pfitzmann, editor, Advances in Cryptology -
EUROCRYPT 2001, International Conference on the Theory and Application of
Cryptographic Techniques, Innsbruck, Austria, May 6-10, 2001, Proceeding, volume
2045 of Lecture Notes in Computer Science, pages 211–228. Springer, 2001.
 Lattice Klepto 19

9. Jeffrey Hoffstein, Jill Pipher, William Whyte, and Zhenfei Zhang. pqNTRUSign:
update and recent results, 2017. http://2017.pqcrypto.org/conference/
slides/recent-results/zhang.pdf.
10. National Institute of Standards and Technology. Special Publication 800-90:
Recommendation for random number generation using deterministic random bit
generators, 2012. First version June 2006, second version March 2007, http:
//csrc.nist.gov/publications/PubsSPs.html#800-90A.
11. National Security Agency. Suite B cryptography / cryptographic interoperability,
2005. https://web.archive.org/web/20150724150910/https://www.nsa.gov/
ia/programs/suiteb_cryptography/.
12. Raphael Overbeck and Nicolas Sendrier. Code-based cryptography. In Daniel J.
Bernstein, Johannes Buchmann, and Erik Dahmen, editors, Post-Quantum Cryp-
tography, pages 95–145. Springer, Berlin, 2008.
13. Nicole Perlroth, Jeff Larson, and Scott Shane. N.S.A. able to foil basic safeguards
of privacy on web. International New York Times, September 2013. http://www.
nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html.
14. Gustavus J. Simmons. Subliminal channels; past and present. European Transac-
tions on Telecommunications, 5(4):459–474, 1994.
15. Adam L. Young and Moti Yung. Cryptovirology: Extortion-based security threats
and countermeasures. In 1996 IEEE Symposium on Security and Privacy, May
6-8, 1996, Oakland, CA, USA, pages 129–140. IEEE Computer Society, 1996.
16. Adam L. Young and Moti Yung. Kleptography: Using cryptography against cryp-
tography. In Walter Fumy, editor, Advances in Cryptology - EUROCRYPT ’97,
International Conference on the Theory and Application of Cryptographic Tech-
niques, Konstanz, Germany, May 11-15, 1997, Proceeding, volume 1233 of Lecture
Notes in Computer Science, pages 62–74. Springer, 1997.
17. Adam L. Young and Moti Yung. Malicious cryptography - exposing cryptovirology.
Wiley, 2004.
18. Adam L. Young and Moti Yung. Kleptography from standard assumptions and
applications. In Juan A. Garay and Roberto De Prisco, editors, Security and
Cryptography for Networks, 7th International Conference, SCN 2010, Amalfi, Italy,
September 13-15, 2010. Proceedings, volume 6280 of Lecture Notes in Computer
Science, pages 271–290. Springer, 2010.