On Generic Side-Channel Assisted Chosen Ciphertext Attacks on Lattice-based PKE/KEMs
Towards key recovery attacks on NTRU-based PKE/KEMs

Prasanna Ravi 1,2, Martianus Frederic Ezerman 3, Shivam Bhasin 1, Anupam Chattopadhyay 1,2, and Sujoy Sinha Roy 4

1 Temasek Laboratories, NTU Singapore
2 School of Computer Science and Engineering, NTU Singapore
3 School of Physical and Mathematical Sciences, NTU Singapore
4 Institute of Applied Information Processing and Communications, TU Graz, Austria
{prasanna.ravi,fredezerman,sbhasin,anupam}@ntu.edu.sg
{sujoy.sinharoy}@iaik.tugraz.at

Abstract. In this work, we demonstrate novel side-channel assisted chosen ciphertext attacks applicable to IND-CCA secure NTRU-based PKE/KEMs. In particular, we propose two types of chosen ciphertext attacks on Streamlined NTRU Prime which instantiate, respectively, a plaintext-checking (PC) oracle and a decryption-failure (DF) oracle to perform full key recovery. We propose efficient strategies to construct chosen ciphertexts that instantiate these oracles and lead to full key recovery. We experimentally validate our attacks on the optimized implementation of Streamlined NTRU Prime obtained from the pqm4 public library, a testing and benchmarking framework for post-quantum cryptographic schemes on the ARM Cortex-M4 microcontroller. We positively confirm that both the PC and DF oracle-based attacks result in full key recovery in a few thousand traces with 100% success rate. We also perform a brief survey of the various side-channel assisted chosen-ciphertext attacks on LWE/LWR-based schemes and subsequently identify critical similarities and differences between our proposed attacks and the known attacks on LWE/LWR-based schemes. Based on preliminary results from our proposed attacks, we do not observe any considerable increase in the effort required by a side-channel attacker in a chosen-ciphertext setting to defeat NTRU-based schemes as compared to LWE/LWR-based schemes.

1. Introduction

The NIST standardization process for post-quantum cryptography is currently in the third and final round with seven finalist candidates and eight alternate candidates for Public Key Encryption