In the present paper, we introduce a message-recovery attack based on the Modular Knapsack Problem, applicable to all variants of the NTRU-HPS cryptosystem. Assuming that a fraction $\epsilon$ of the coefficients of the message ${\bf{m}}\in\{-1,0,1\}^N$ and of the nonce vector ${\bf r}\in\{-1,0,1\}^N$ are known in advance at random positions, we reduce message decryption to finding a short vector in a lattice that encodes an instance of a modular knapsack system. This allows us to address a key question: how much information about ${\bf m}$, or about the pair $({\bf m},{\bf r})$, is required before recovery becomes feasible? In practice, a FLATTER reduction successfully recovers the message when $\epsilon\approx 0.45$. Our implementation finds ${\bf m}$ within a few minutes on a commodity desktop.
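The following added example (not code from the paper) shows how leaked coefficients turn the ciphertext relation into a smaller modular knapsack system. It assumes the standard NTRU relation ${\bf c} = {\bf h}\ast{\bf r} + {\bf m} \bmod (q, x^N-1)$; the toy parameters, the random stand-in for ${\bf h}$, and all function names are constructed for illustration, and the paper's lattice and the reduction step are not reproduced.

```python
import random

def cyclic_matrix(h, q):
    """Matrix H with (H r)[i] = coefficient i of h*r mod (x^N - 1, q)."""
    N = len(h)
    return [[h[(i - j) % N] % q for j in range(N)] for i in range(N)]

def encrypt(h, r, m, q):
    """Toy ciphertext c = h*r + m mod (x^N - 1, q) (assumed NTRU relation)."""
    N, H = len(h), cyclic_matrix(h, q)
    return [(sum(H[i][j] * r[j] for j in range(N)) + m[i]) % q for i in range(N)]

def reduce_with_leak(h, c, q, known_r, known_m):
    """Fold leaked coefficients (position -> value) into the target vector.

    Returns (A, t, unk_r, unk_m) with A x = t (mod q), where x lists the
    unknown r coefficients followed by the unknown m coefficients.
    """
    N, H = len(h), cyclic_matrix(h, q)
    unk_r = [j for j in range(N) if j not in known_r]
    unk_m = [i for i in range(N) if i not in known_m]
    A, t = [], []
    for i in range(N):
        # Unknown r columns come from H; unknown m_i contributes a unit column.
        A.append([H[i][j] for j in unk_r] + [int(i == k) for k in unk_m])
        known_part = sum(H[i][j] * v for j, v in known_r.items())
        t.append((c[i] - known_part - known_m.get(i, 0)) % q)
    return A, t, unk_r, unk_m

def demo(N=31, q=256, eps=0.45, seed=1):
    """Constructed toy instance; returns (system holds, unknowns left, 2N)."""
    rng = random.Random(seed)
    h = [rng.randrange(q) for _ in range(N)]        # stand-in public key
    r = [rng.choice((-1, 0, 1)) for _ in range(N)]  # nonce vector
    m = [rng.choice((-1, 0, 1)) for _ in range(N)]  # message
    c = encrypt(h, r, m, q)
    k = int(eps * N)                                # leaked coefficients each
    known_r = {j: r[j] for j in rng.sample(range(N), k)}
    known_m = {i: m[i] for i in rng.sample(range(N), k)}
    A, t, unk_r, unk_m = reduce_with_leak(h, c, q, known_r, known_m)
    x = [r[j] for j in unk_r] + [m[i] for i in unk_m]  # the short solution
    ok = all(sum(a * v for a, v in zip(row, x)) % q == ti
             for row, ti in zip(A, t))
    return ok, len(x), 2 * N

if __name__ == "__main__":
    print(demo())
```

The remaining ternary unknowns form the short solution of the reduced system, so the count returned by `demo` shows how far a leak of fraction $\epsilon$ shrinks the problem dimension.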