Lattice klepto: Turning post-quantum crypto against itself

Robin Kwant, Tanja Lange, Kimberley Thissen

Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

8 Citations (Scopus)


This paper studies ways to backdoor lattice-based systems following Young and Yung’s work on backdooring RSA and discrete-log based systems. For the NTRU encryption scheme we show how to build a backdoor and to change the system so that each ciphertext leaks information about the plaintext to the owner of the backdoor. For signature schemes the backdoor leaks information about the signing key to the backdoor owner. As in Young and Yung’s work the backdoor uses the freedom that random selections offer in the protocol to hide a secret message encrypted to the backdoor owner. The most interesting and very different part though is how to hide and retrieve the hidden messages.

Original languageEnglish
Title of host publicationSelected Areas in Cryptography – SAC 2017 - 24th International Conference, Revised Selected Papers
Subtitle of host publication24th International Conference, Ottawa, ON, Canada, August 16-18, 2017, Revised Selected Papers
EditorsCarlisle Adams, Jan Camenisch
Place of PublicationDordrecht
Number of pages19
ISBN (Electronic)978-3-319-72565-9
ISBN (Print)978-3-319-72564-2
Publication statusPublished - 2017
Event24th International Conference on Selected Areas in Cryptography (SAC 2017) - Ottawa, Canada
Duration: 16 Aug 201718 Aug 2017
Conference number: 24

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume10719 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Conference24th International Conference on Selected Areas in Cryptography (SAC 2017)
Abbreviated titleSAC 2017


  • Kleptography
  • Lattice-based encryption
  • NTRU
  • Post-quantum cryptography
  • Signatures


Dive into the research topics of 'Lattice klepto: Turning post-quantum crypto against itself'. Together they form a unique fingerprint.

Cite this