1 Introduction

The NTRU encryption scheme was devised by Hoffstein, Pipher and Silverman in [15]. It is one of the fastest known lattice-based cryptosystems, as witnessed by its inclusion in the IEEE P1363 standard, and it is regarded as an alternative to RSA and ECC because of its potential to resist attacks by quantum computers. Based on the underlying problem of NTRU, various cryptographic primitives have been designed, such as identity-based encryption [8], fully homomorphic encryption [2, 20], digital signatures [7, 14] and multi-linear maps [11]. Meanwhile, a number of cryptanalytic works targeting the NTRU family have been proposed [1, 4, 5, 9, 10, 12, 16, 17, 18].

The security of the first NTRUEncrypt in [15] is heuristic and lacks a solid mathematical proof, which led to a break-and-repair development history of NTRUEncrypt. Stehlé and Steinfeld [29] provided the first provably IND-CPA secure NTRUEncrypt over power-of-2 cyclotomic rings. They used the coefficient embedding of polynomial rings, and the security of their scheme was based on the corresponding Ring-LWE problem. Although the construction of Stehlé and Steinfeld may be less practical than the classical NTRUEncrypts [3], their work revealed an important connection between NTRUEncrypt and Ring-LWE, and hence between problems over NTRU lattices and worst-case problems (SIVP\(_{\gamma }\)) over ideal lattices. An open problem proposed by Stehlé and Steinfeld is whether their construction can be extended to more general rings. Recently, Yu, Xu and Wang [31] modified the scheme in [29] to make it work over cyclotomic rings of the form \(\mathbb {Z}[\zeta _{p}]\) for a prime integer p. The modified scheme in [31] allows a more flexible choice of cyclotomic rings, but its size requirements on the parameters are more restrictive, which makes the modified schemes less efficient. The first NTRUEncrypt scheme using the canonical embedding was discussed in [32], which showed that, given appropriate parameters, provably secure NTRUEncrypt can work over prime-power cyclotomic rings. The security of the schemes proposed in [31, 32] relied on a variant of the Ring-LWE problem over cyclotomic rings proposed in [6].

With NIST's call for post-quantum cryptography, a better understanding of these problems is necessary, and the study of NTRUEncrypt is theoretically valuable, as stated in [32]. To our knowledge, all provably secure NTRUEncrypts so far have been constructed over prime-power cyclotomic rings using the coefficient embedding. Also, the security parameter \(\gamma \) and the modulus q depend heavily on the choice of plaintext space. That is to say, in order to reach better efficiency in applications, the plaintext space of the existing NTRUEncrypts was always limited to \(\{0,1\}^n\), i.e. only one bit is embedded in each coefficient of the polynomials in each encryption. If we want to embed more bits in each coefficient in each encryption, the lower bounds on \(\gamma \) and q become very poor. These disadvantages restrict the applications of the existing provably secure NTRUEncrypts. Therefore, removing the restriction on the choice of cyclotomic fields, which solves the open problem proposed in [29], and improving the efficiency of the existing provably secure NTRUEncrypts are both worthwhile. These are also the main motivations of our research.

1.1 Our Contributions

NTRUEncrypt schemes in the standard model by using the canonical embedding over any cyclotomic field. For any fixed cyclotomic field, we design our scheme in the fractional ideal \(R^{\vee }\), i.e. the codifferent ideal of the ring of integers R. In applications, our scheme can also be converted to work in an integral ideal of R.

Once we fix a cyclotomic field, we get almost uniform bounds for the reduction parameter \(\gamma \) and the modulus q which depend less on the choice of plaintext space. Hence, our scheme provides more flexibility in the choice of plaintext space and has the potential to send more encrypted bits in one encryption with higher efficiency, under a stronger hardness assumption.

We use subgaussian distributions, the decoding basis and the basis-coefficient embedding norm to estimate the decryption error. These tools give us tighter lower bounds on q and \(\gamma \), and they also yield a smaller decryption error. More precisely, our decryption algorithm recovers the correct message except with a negligible probability \(n^{-\omega {(\sqrt{n\log n})}}\), much better than the previous \(n^{-\omega (1)}\).

We also obtain a regularity result (a kind of ring-based leftover hash lemma) for all cyclotomic fields, which is useful for designing many cryptographic primitives. Let \(R_q^{\times }\) be the set of invertible elements of \(R_q=R/(qR)\); the regularity result is about how to construct a tuple \((a_1,\cdots ,a_m;\sum _{i=1}^ma_it_i)\approx U((R_q^{\times })^m\times R_q)\), where the \(a_i\hookleftarrow U(R_q^{\times })\) are chosen independently and \(\varvec{t}\) follows some distribution. Our results enrich the choices of the distribution of \(\varvec{t}\).

1.2 Technique Overview

Although the main ideas of our NTRUEncrypt follow Stehlé and Steinfeld’s route, many differences exist.

In the previous constructions, the analysis of the decryption error is the main difficulty, and it constrains the form of the cyclotomic fields. With the traditional coefficient embedding this analysis depends heavily on the defining polynomial f of the ring \(R=\mathbb {Z}[x]/(f(x))\). To overcome this problem, we make the important observation that decryption only depends on the coefficients with respect to the basis we choose, and that different bases affect the result heavily. The natural choice of the coefficient embedding over polynomial rings may mislead us. So we use the decoding basis of \(R^{\vee }\) and define the basis-coefficient embedding to bound the decryption error. These modifications enable us to control the decryption error for all cyclotomic fields in the same way. Then, if we want to enjoy the high computation speed over polynomial rings, it is easy, in theory, to convert our scheme to work in the ring R.

These tools and our observation bring further benefits. If we want to reach the highest efficiency, the traditional coefficient embedding may limit the number of bits encrypted in each encryption, i.e. in order to get the highest efficiency, the existing NTRUEncrypts all limited their plaintext space to \(\{0,1\}^n\). This is caused by the coefficient embedding and by the viewpoint that regards the elements as polynomials in the ring R. If we instead regard constant and non-constant polynomials alike as algebraic integers, then the tools we use give an almost uniform bound for the reduction parameter \(\gamma \) and the modulus q which depends less on the choice of plaintext space. Meanwhile, the decryption error is much smaller than that of the existing schemes.

The reason why we design our scheme in \(R^{\vee }\) is that we want to use the hardness results about Ring-LWE shown in [22] rather than those proposed in [6]. This is a natural choice when we want to use the canonical embedding and get rid of the troubles caused by different polynomials. By using the recent hardness results about primal Ring-LWE (i.e. with secret \(s\hookleftarrow U(R_q)\)) proved in [28], we can also directly design NTRUEncrypt in R (see Remark 2 for details). The high-level outline of our construction is as follows.

The key generation algorithm is essentially the same as the previous works.

Input: \(q\in \mathbb {Z}^{+}\), \(p\in R_q^{\times }\), \(\sigma \in \mathbb {R}^{+}\).

Output: A key pair \((sk, pk)\in R_q^{\times }\times R_q^{\times }\).

1. Sample \(f'\) from \(D_{R,\sigma }\); let \(f=p\cdot f'+1\); if \((f\bmod qR)\notin R_q^{\times }\), resample.

2. Sample g from \(D_{R,\sigma }\); if \((g\bmod qR)\notin R_q^{\times }\), resample.

3. Return the secret key \(sk=f\) and the public key \(pk=h=pg/f\in R_q^{\times }\).

We use standard methods to prove that the algorithm terminates in expected time. Furthermore, the Gaussian distribution ensures that the secret key is ‘short’. Provable security requires the public key to be distributed statistically close to uniform, and the analysis of the public key distribution has to deal with certain q-ary lattices in order to bound their smoothing parameters. By an accurate analysis of the relationship between different fractional ideals, we give a lower bound on \(\lambda _1\) of these q-ary lattices with respect to the \(l_{\infty }\) norm. In this part, we treat these problems entirely in K, and hence get a better result than [32] in theory.

Our NTRUEncrypt is as follows:

Key generation: Use the algorithm above to get \(sk=f\in R_q^{\times }\) with \(f=1\bmod pR^{\vee }\), and \(pk=h=pg\cdot f^{-1}\in R_q^{\times }\).

Encryption: Given a message \(m\in \mathcal {P}\), sample \(s,e\hookleftarrow \chi \) and return \(c=hs+pe+m\in R_q^{\vee }\).

Decryption: Given a ciphertext c and the secret key f, compute \(c_1=fc\). Then return \(m=(c_1\bmod qR^{\vee })\bmod pR^{\vee }\).

Here, \(\chi \) is the error distribution of the Ring-LWE problem proposed in [22]. The plaintext space of our scheme is \(\mathcal {P}=R^{\vee }/(pR^{\vee })\), where p is an invertible element of \(R_q\). By using the decoding basis of \(R^{\vee }\) and the basis-coefficient embedding of elements of \(R^{\vee }\), we get a tight connection between the canonical norm and the basis-coefficient norm. Moreover, by using subgaussian distributions, we also prove that the decryption error is negligible, namely \(n^{-\omega (\sqrt{n\log n})}\), which is better than the existing \(n^{-\omega (1)}\). Furthermore, as we note in Remark 1, we can put all computation and storage in an integral ideal of R, and this modification may, in theory, enjoy the high computation speed over polynomial rings.
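As an added, runnable illustration that is not part of the paper: a toy version of the scheme above in Python. It keeps the paper's key shape (\(f=pf'+1\), \(h=pg/f\), so \(f=1\bmod pR\)) and the decryption rule \((fc\bmod qR)\bmod pR\), but works in \(R=\mathbb {Z}[x]/(\varPhi _l(x))\) with the power basis rather than in \(R^{\vee }\) with the decoding basis, replaces the Gaussian and \(\chi \) samplers by uniform ternary ones, and uses toy parameters (the composite conductor \(l=15\), \(q=2011=1\bmod l\), \(p=3\)) that are far too small for security; with these sizes the coefficients of \(fc\) stay below \(q/2\), so decryption never fails. The helper names (`cyclotomic_poly`, `poly_inv_mod`, `ToyNTRU`, ...) are this example's own, not the paper's.

```python
"""Toy NTRUEncrypt with the paper's key shape (f = p*f' + 1, h = p*g/f) in R = Z[x]/(Phi_l(x)) for any
conductor l (here l = 15, composite); power basis of R instead of the decoding basis of R^vee,
uniform ternary sampling instead of discrete Gaussians, and toy-sized parameters."""
from itertools import zip_longest
import random

def trim(a):                                               # polynomials are little-endian coefficient lists
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a

def poly_add(a, b):
    return trim([x + y for x, y in zip_longest(a, b, fillvalue=0)])

def poly_mul(a, b, q=None):
    r = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] += x * y
    return trim([c % q for c in r] if q else r)

def poly_divmod(a, b, q=None):
    """Long division, (quotient, remainder); over Z (q=None) b must be monic, over Z_q q must be prime."""
    a, b = list(a), trim(list(b))
    inv_lead = 1 if q is None else pow(b[-1], -1, q)
    quot = [0] * max(1, len(a) - len(b) + 1)
    while len(a) >= len(b) and any(a):
        d = len(a) - len(b)
        quot[d] = (a[-1] * inv_lead) % q if q else a[-1]
        for i, y in enumerate(b):
            a[i + d] = (a[i + d] - quot[d] * y) % q if q else a[i + d] - quot[d] * y
        trim(a)                                            # the top coefficient is now zero
    return trim(quot), trim(a)

def cyclotomic_poly(l):
    """Phi_l(x) = (x^l - 1) / prod_{d|l, d<l} Phi_d(x) by exact division in Z[x] (equivalent to the
    Moebius product formula of Sect. 2.2)."""
    num = [-1] + [0] * (l - 1) + [1]                       # x^l - 1
    for d in range(1, l):
        if l % d == 0:
            num = poly_divmod(num, cyclotomic_poly(d))[0]
    return num

def reduce_mod(a, phi, q):
    """Canonical representative in R_q = Z_q[x]/(phi): degree < n, coefficients in [0, q)."""
    return poly_divmod([c % q for c in a], phi, q)[1]

def poly_inv_mod(a, phi, q):
    """Inverse of a in R_q by the extended Euclidean algorithm; None if a is not a unit of R_q."""
    r0, r1, s0, s1 = trim([c % q for c in phi]), reduce_mod(a, phi, q), [0], [1]
    while r1 != [0]:                                       # invariant: r_i = s_i * a (mod phi)
        quot, rem = poly_divmod(r0, r1, q)
        qs = poly_mul(quot, s1, q)
        r0, r1 = r1, rem
        s0, s1 = s1, trim([(x - y) % q for x, y in zip_longest(s0, qs, fillvalue=0)])
    if len(r0) != 1:
        return None                                        # gcd(a, phi) has positive degree
    return reduce_mod([x * pow(r0[0], -1, q) for x in s0], phi, q)

def center(a, q, n):
    """Lift coefficients to [-q/2, q/2) (the paper's mod-q representative), padded to length n."""
    a = list(a) + [0] * (n - len(a))
    return [((c + q // 2) % q) - q // 2 for c in a]

class ToyNTRU:
    def __init__(self, l, q, p, seed=0):
        self.phi, self.q, self.p, self.rng = cyclotomic_poly(l), q, p, random.Random(seed)
        self.n = len(self.phi) - 1                         # n = phi(l); the rng is seeded for reproducibility

    def ternary(self):
        return trim([self.rng.choice((-1, 0, 1)) for _ in range(self.n)])

    def keygen(self):
        """Steps 1-3 of the paper's key generation; resample until f and g are units of R_q."""
        f_inv = None
        while f_inv is None:
            f = poly_add([self.p * c for c in self.ternary()], [1])  # f = p*f' + 1, hence f = 1 mod pR
            f_inv = poly_inv_mod(f, self.phi, self.q)
        g = self.ternary()
        while poly_inv_mod(g, self.phi, self.q) is None:
            g = self.ternary()
        return f, reduce_mod(poly_mul(poly_mul([self.p], g), f_inv), self.phi, self.q)  # sk = f, pk = h = p*g/f

    def encrypt(self, h, m):
        """c = h*s + p*e + m in R_q with fresh ternary s, e (the paper draws s, e from chi)."""
        s, e = self.ternary(), self.ternary()
        return reduce_mod(poly_add(poly_mul(h, s), poly_add([self.p * x for x in e], m)), self.phi, self.q)

    def decrypt(self, f, c):
        """m = (f*c mod qR) mod pR; the lift of f*c mod q equals p*(g*s + f*e) + f*m when q/2 exceeds its size."""
        return center(center(reduce_mod(poly_mul(f, c), self.phi, self.q), self.q, self.n), self.p, self.n)

def roundtrip(l=15, q=2011, p=3, seed=1):
    """Encrypt a random ternary message and decrypt it; returns (message, decrypted message)."""
    scheme = ToyNTRU(l, q, p, seed)
    f, h = scheme.keygen()
    m = center(scheme.ternary(), p, scheme.n)
    return m, scheme.decrypt(f, scheme.encrypt(h, m))
```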

So far, the magnitude of the modulus q is far from practical, and this is the common shortcoming of the provably secure NTRUEncrypts. How to reduce the sizes of the parameters is an intriguing open problem.

1.3 Organization

In Sect. 2, we introduce some notations and basic results that will be used in our discussion. In Sect. 3, we give a series of new results about certain q-ary lattices. These are important for analyzing the key generation algorithm of our NTRUEncrypt in Sect. 4. In Sect. 5, we construct the NTRUEncrypt and give a security reduction from a basic lattice problem to the CPA-security of our NTRUEncrypt.

2 Preliminaries

In this section, we introduce some background results and notations.

2.1 Notations

We set \(\hat{l}=l\) when l is odd and \(\hat{l}=\frac{l}{2}\) when l is even. The functions \(\varphi (n)\) and \(\mu (n)\) stand for the Euler function and the Möbius function. We use [n] to denote the set \(\{1,2,\cdots ,n\}\). For \(p=1,2,\cdots ,\infty \), we use \(||\cdot ||_p\) to represent the \(l_p\) norm corresponding to the canonical embedding. When \(p=2\), we usually write \(||\cdot ||\) for the \(l_2\) norm. For any matrix \(M\in \mathbb {C}^{n\times n}\), \(\lambda _i(M)\) stands for its eigenvalues and \(s_i(M)\) for its singular values, \(i\in [n]\). We arrange eigenvalues and singular values by their magnitudes, i.e. \(\lambda _1(M)\ge \cdots \ge \lambda _n(M)\) and \(s_1(M)\ge \cdots \ge s_n(M)\). For two random variables X and Y, \(\varDelta (X,Y)\) stands for their statistical distance. As usual, E(X) and Var(X) stand for the expectation and the variance of a random variable X. When we write \(X\hookleftarrow \xi \), we mean that the random variable X follows the distribution \(\xi \). The function rad represents the radical of a positive integer n, i.e. for \(n=p_1^{\alpha _1}\cdots p_k^{\alpha _k}\) with distinct primes \(p_i\), \(rad(n)=\prod _{i=1}^kp_i\). If S is a finite set, then |S| is its cardinality and U(S) is the uniform distribution over S. The symbols \(\mathbb {Z}^+\) and \(\mathbb {R}^+\) stand for the sets of positive integers and positive reals. The symbol \(\log x\) represents \(\log _2 x\) for \(x\in \mathbb {R}^+\). For a positive integer a, \(\mathbb {Z}_a^{\times }\) represents the reduced residue system \(\bmod \, a\).

2.2 Cyclotomic Fields, Space H and Geometry

Throughout this paper, we consider cyclotomic fields. Let \(K=\mathbb {Q}(\zeta )\), where \(\zeta =\zeta _{l}\) is a primitive l-th root of unity, whose minimal polynomial is \(\varPhi _{l}(x)=\prod _{i|l}(x^{i}-1)^{\mu (\frac{l}{i})}\) of degree \(n=\varphi (l)\). Then \([K:\mathbb {Q}]=n=\varphi (l)\) and \(K\cong \mathbb {Q}[x]/\varPhi _{l}(x)\). Let \(R=\mathcal {O}_{K}=\mathbb {Z}[\zeta ]\) be the ring of integers of K.

We set \(\mathrm{{Gal}}(K/\mathbb {Q})= \{\sigma _i:\ i=1,\cdots ,n \}\) and use the canonical embedding \(\sigma \) of K, which maps \(x\in K\) to \((\sigma _1(x),\cdots ,\sigma _n(x))\in H\), where H is a kind of Minkowski space in algebraic number theory. Here we identify \(\sigma _i(\zeta )=\zeta ^{l_i}\) with \(l_i\) the i-th element of \(\mathbb {Z}_l^{\times }\), order the \(\sigma _i\) accordingly and define \(H=\{(x_1,\cdots ,x_n)\in \mathbb {C}^{n}:\ x_{n+1-i}=\overline{{x}_{i}},\ \forall i\in [r] \}\), where \(r=n/2\) (for \(l\ge 3\) all embeddings are complex and come in conjugate pairs). H is isomorphic to \(\mathbb {R}^n\) as an inner product space via the orthonormal basis \(\varvec{h}_{i\in [n]}\) defined as follows. Let \(\varvec{e}_j\in \mathbb {C}^n\) be the vector with 1 in its j-th coordinate and 0 elsewhere, and let \(\varvec{i}\) be the imaginary unit with \(\varvec{i}^2=-1\). We then set \(\varvec{h}_j=\frac{1}{\sqrt{2}}(\varvec{e}_j+\varvec{e}_{n+1-j})\) and \(\varvec{h}_{n+1-j}=\frac{\varvec{i}}{\sqrt{2}}(\varvec{e}_j-\varvec{e}_{n+1-j})\) for \(1\le j\le r \).

For any element \(x\in K\), we define the \(\ell _p\) norm of x by \(||x||_p=||\sigma (x)||_p\) for \(p<\infty \) and \(||x||_{\infty }=\max _{i\in {[n]}}|\sigma _i(x)|\). Because multiplication of embedded elements is component-wise, for any \(x,y\in K\) we have \(||x\cdot y||_p\le ||x||_{\infty }\cdot ||y||_p\) for \(p\in \{1,\cdots ,\infty \}\). The trace and norm of \(x\in K\) are defined as usual, i.e. \(\mathrm{{Tr}}(x):=\mathrm{{Tr}}_{K/\mathbb {Q}}(x)=\sum _{i=1}^n\sigma _i(x)\) and \(\mathrm{{N}}(x):=\mathrm{{N}}_{K/\mathbb {Q}}(x)=\prod _{i=1}^n\sigma _i(x)\). The discriminant \(\varDelta _K\) of K and the integral and fractional ideals are defined as usual. Integral ideals can be regarded as special cases of fractional ideals. Recall that the discriminant of the l-th cyclotomic number field is

$$ \varDelta _K=(-1)^{\frac{n}{2}}\cdot \left( \frac{l}{\prod _{p|l}p^{\frac{1}{p-1}}}\right) ^n\le n^n, $$

where p runs over all prime factors of l.

Let \(q\in \mathbb {Z}\)<br>be a prime. Then the factorization of the ideal \((q) =qR\) is as follows. Let \(d\ge 0\) be the largest integer such that \(q^d\) divides l, let \(e=\varphi (q^d)\) and let \(f\ge 1\) be the multiplicative order of q modulo \(l/q^d\). Then \((q) =\prod _{i=1}^{g}\mathfrak {q}_i^e\), where the \(\mathfrak {q}_i\) are \(g=n/(ef)\) distinct prime ideals, each of norm \(q^f\). In particular, for a prime \(q=1\bmod l\), we have \(e=f=1\) and the ideal (q) splits into n distinct prime ideals as \((q)=\prod _{i\in \mathbb {Z}_l^{{\times }}}\mathfrak {q}_i\) with \(\mathfrak {q}_i=\left\langle q, \zeta -\omega ^i \right\rangle \), where \(\omega \) is a primitive l-th root of unity in \(\mathbb {Z}_q^{\times }\). The norm of \(\mathfrak {q}_i\) is q, and we have \(\varPhi _{l}(x)=\prod _{i\in \mathbb {Z}_l^{\times }}(x-\omega ^i)\bmod q\).

2.3 Lattice and Discretization

We define a lattice as a discrete additive subgroup of H, and we only deal with full-rank lattices. The minimum distance \(\lambda _1(\varLambda )\) of a lattice is the length of a shortest nonzero lattice vector. We usually use the \(l_2\) norm, i.e. \(\lambda _1(\varLambda )=\min _{0\ne \varvec{x}\in \varLambda }||\varvec{x}||\). The dual lattice of \(\varLambda \subseteq H\) is defined as \(\varLambda ^{\vee }=\{\varvec{y}\in H:\ \forall \ \varvec{x}\in \varLambda ,\ \langle \varvec{x},\overline{\varvec{y}}\rangle =\sum _{i=1}^nx_iy_i\in \mathbb {Z}\}\). This is actually the complex conjugate of the dual lattice as usually defined in \(\mathbb {C}^n\); all of the properties of the dual lattice that we use also hold for the conjugate dual. Any fractional ideal I of K can be written as \(\mathbb {Z}\beta _1+\cdots +\mathbb {Z}\beta _n\) for some \(\beta _i\in K\), \(i=1,\cdots , n\). Then \(\sigma (I)\) is a lattice in H; we call \(\sigma (I)\) an ideal lattice, identify I with this lattice and associate with I all the usual lattice quantities. We have \(|\varDelta _K|=\mathrm{{det}}(\sigma (R))^2\), the squared determinant of the lattice \(\sigma (R)\). For any fractional ideal I, we also have \(\mathrm{{det}}(\sigma (I))=\mathrm{{N}}(I)\cdot \sqrt{|\varDelta _K|}\). The following lemma from [26] gives upper and lower bounds on the minimum distance of an ideal lattice in the \(l_2\) norm.

Lemma 1

For any fractional ideal I in a number field K of degree n,

$$ \sqrt{n}\cdot \mathrm{{N}}^{\frac{1}{n}}(I)\le \lambda _1(I)\le \sqrt{n}\cdot \mathrm{{N}}^{\frac{1}{n}}(I)\cdot |\varDelta _K|^{\frac{1}{2n}}. $$

For any fractional ideal I in K, its dual is defined as \(I^{\vee }=\{a\in K:\ \mathrm{{Tr}}(aI)\subseteq \mathbb {Z}\}\). It is easy to verify that \((I^{\vee })^{\vee }=I\), that \(I^{\vee }\) is a fractional ideal, and that \(I^{\vee }\) embeds under \(\sigma \) as the dual lattice of I defined above. In fact, the dual of an ideal of K and its inverse are related by multiplication with the dual ideal \(R^{\vee }\): \(I^{\vee }=I^{-1}\cdot R^{\vee }\).

One of the most famous lattice problems is SVP: given a lattice basis B, find a shortest vector in \(\varLambda \backslash \{0\}\), where \(\varLambda =\mathfrak {L}(B)\). The relaxed problem SVP\(_{\gamma }\) asks for a nonzero lattice vector that is no longer than \(\gamma \) times the length of a solution of SVP. By restricting SVP to ideal lattices, we obtain Ideal-SVP. No polynomial-time quantum algorithm is known to solve the worst-case SVP\(_\gamma \) problem for \(\gamma \le \mathrm{{poly}}(n)\), and no algorithm is known to perform non-negligibly better on ideal lattices than on general lattices. The SIVP\(_{\gamma }\) problem (Ideal-SIVP\(_\gamma \) when restricted to ideal lattices) is: given a basis of a lattice \(\varLambda \) of dimension n, find n linearly independent vectors \(x_1,\cdots ,x_n\in \varLambda \) such that \(\max _{1\le i\le n}{||x_i||}\le \gamma \cdot \lambda _n(\varLambda )\).

We now consider discretization. We use the formal definition from [24], a modified version of [22]. Define \(\lceil x\rceil \) to be the smallest integer greater than or equal to x for any \(x\in \mathbb {R}\).

Definition 1

If Bern denotes the Bernoulli distribution, then the univariate Reduction distribution \(Red(a)=Bern(\lceil a\rceil -a)-(\lceil a\rceil -a)\) is the discrete probability distribution defined for parameter \(a\in \mathbb {R}\) as taking the values

  • \(1+a-\lceil a\rceil \) with probability \(\lceil a\rceil -a\),

  • \(a-\lceil a\rceil \) with probability \(1-(\lceil a\rceil -a)\).

A random variable \(\varvec{R}=(R_1,\cdots ,R_n)^T\in \mathbb {R}^n\) has the multivariate Reduction distribution \(\varvec{R}\sim Red(\varvec{a})\) on \(\mathbb {R}^n\) with parameter \(\varvec{a}=(a_1,\cdots ,a_n)^T\) if its components \(R_j\sim Red(a_j)\), \(j=1,\cdots ,n\), are independent univariate Reduction random variables.

We now describe the coordinate-wise rounding discretisation which is easy to use for our applications.

Definition 2

Suppose \(\varLambda =\mathcal {L}(B)\) is an n-dimensional lattice in the space H. For \(\varvec{c}\in H\), the coordinate-wise randomized rounding discretisation \(\lfloor \varvec{X}\rceil _{\varLambda +\varvec{c}}^B\) of a random variable \(\varvec{X}\) to the lattice coset \(\varLambda +\varvec{c}\) with respect to the basis B is defined by the conditional random variable

$$ (\lfloor \varvec{X}\rceil _{\varLambda +\varvec{c}}^B|\varvec{X}=\varvec{x})=\lfloor \varvec{x}\rceil _{\varLambda +\varvec{c}}^B=\varvec{x}+BQ_{\varvec{x},\varvec{c}}, $$

where \(Q_{\varvec{x},\varvec{c}}\sim Red(B^{-1}(\varvec{c}-\varvec{x}))\).
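As an added illustration that is not from the paper, the following Python implements the univariate Reduction distribution and the coordinate-wise randomized rounding of Definitions 1 and 2 in exact rational arithmetic on a constructed two-dimensional basis (columns (2,0) and (1,3)), and checks that every rounded point lands in the coset \(\varLambda +\varvec{c}\) and that the rounding is unbiased: with \(\delta =\lceil a\rceil -a\), \(E(Red(a))=0\) and \(Var(Red(a))=\delta (1-\delta )\le \frac{1}{4}\), which is consistent with the \((\frac{1}{2})^2\) term in Lemma 6. All function names and the sample basis, centre and point are this example's own constructions.

```python
"""Coordinate-wise randomized rounding to a lattice coset (Definitions 1 and 2), in exact rational
arithmetic so that coset membership and the moments of Red(a) can be checked without rounding error."""
from fractions import Fraction
from math import ceil
import random

def red_sample(a, rng):
    """One draw from Red(a): 1 + a - ceil(a) with probability ceil(a) - a, otherwise a - ceil(a)."""
    delta = Fraction(ceil(a)) - a                          # delta = ceil(a) - a lies in [0, 1)
    return a - ceil(a) + (1 if rng.random() < float(delta) else 0)

def red_moments(num, den):
    """Exact mean and variance of Red(num/den): the mean is 0 and the variance is delta*(1 - delta) <= 1/4."""
    a = Fraction(num, den)
    delta = Fraction(ceil(a)) - a
    mean = (1 - delta) * delta + (-delta) * (1 - delta)
    variance = (1 - delta) ** 2 * delta + delta ** 2 * (1 - delta)
    return mean, variance

def solve(B, v):
    """Solve B*y = v exactly by Gauss-Jordan elimination; B is given as a list of column vectors."""
    n = len(v)
    M = [[Fraction(B[j][i]) for j in range(n)] + [Fraction(v[i])] for i in range(n)]   # rows of [B | v]
    for col in range(n):
        piv = next(r for r in range(col, n) if M[r][col] != 0)
        M[col], M[piv] = M[piv], M[col]
        M[col] = [x / M[col][col] for x in M[col]]
        for r in range(n):
            if r != col and M[r][col] != 0:
                M[r] = [x - M[r][col] * y for x, y in zip(M[r], M[col])]
    return [row[n] for row in M]

def round_to_coset(x, B, c, rng):
    """Definition 2: floor(x)^B_{Lambda+c} = x + B*Q with Q ~ Red(B^{-1}(c - x))."""
    a = solve(B, [Fraction(ci) - Fraction(xi) for ci, xi in zip(c, x)])
    Q = [red_sample(aj, rng) for aj in a]
    return [Fraction(xi) + sum(Fraction(B[j][i]) * Q[j] for j in range(len(B))) for i, xi in enumerate(x)]

def in_coset(y, B, c):
    """y lies in Lambda(B) + c iff B^{-1}(y - c) is an integer vector."""
    return all(t.denominator == 1 for t in solve(B, [Fraction(yi) - Fraction(ci) for yi, ci in zip(y, c)]))

def rounding_experiment(trials=400, seed=0):
    """Round a constructed point x to Lambda(B) + c `trials` times (constructed 2-dimensional example).
    Returns (every result lies in the coset, empirical mean of the shift y - x per coordinate)."""
    B = ((2, 0), (1, 3))                                   # basis columns (2,0) and (1,3)
    c = (Fraction(1, 2), 0)
    x = (Fraction(1, 3), Fraction(-7, 5))
    rng = random.Random(seed)                              # seeded so the run is reproducible
    ys = [round_to_coset(x, B, c, rng) for _ in range(trials)]
    ok = all(in_coset(y, B, c) for y in ys)
    mean_shift = [float(sum(y[i] - x[i] for y in ys) / trials) for i in range(2)]
    return ok, mean_shift
```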

2.4 Gaussian and Subgaussian Random Variables

For \(s>0\) and \({\varvec{c}}\in H\), define the Gaussian function \(\rho _{s,\varvec{c}}:H\rightarrow (0,1]\) as \(\rho _{s,\varvec{c}}(\varvec{x})=e^{-\pi \frac{||\varvec{x}-\varvec{c}||^2}{s^2}}\). By normalizing this function, we obtain the continuous Gaussian probability distribution \(D_{s,\varvec{c}}\) of parameter s, whose density is given by \(s^{-n}\cdot \rho _{s,\varvec{c}}(\varvec{x})\). We usually omit the subscript \(\varvec{c}\) when it is \(\varvec{0}\). For a vector \(\varvec{r}=(r_1,\cdots ,r_n)\in {(\mathbb {R}^+)}^n\) such that \(r_j=r_{n+1-j}\) for \(j\in \{ 1,\cdots , \frac{n}{2}\}\), we define the elliptical Gaussian distribution in the basis \({\{\varvec{h}_i}\}_{i\le n}\) as follows: a sample from \(D_{\varvec{r}}\) is given by \(\sum _{i\in [n]}x_i\varvec{h}_i\), where the \(x_i\) are chosen independently from the Gaussian distribution \(D_{r_i}\) over \(\mathbb {R}\). Note that if we define a map \(\varphi :H\rightarrow \mathbb {R}^n\) by \(\varphi (\sum _{i\in [n]}x_i\varvec{h}_i)=(x_1,\cdots ,x_n)\), then \(D_{\varvec{r}}\) is also an (elliptical) Gaussian distribution over \(\mathbb {R}^n\).

For a lattice \(\varLambda \subseteq H\), \(\sigma >0\) and \(\varvec{c}\in H\), we define the lattice Gaussian distribution of support \(\varLambda \), deviation \(\sigma \) and center \(\varvec{c}\) by \(D_{\varLambda ,\sigma ,\varvec{c}}(\varvec{x})=\frac{\rho _{\sigma ,\varvec{c}}(\varvec{x})}{\rho _{\sigma ,\varvec{c}}(\varLambda )}\) for any \(\varvec{x}\in \varLambda \). For \(\delta >0\), we define the smoothing parameter \(\eta _{\delta }(\varLambda )\) as the smallest \(\sigma >0\) such that \(\rho _{\frac{1}{\sigma }}(\varLambda ^{\vee }\setminus \varvec{0})\le \delta \). The following theorem comes from [26]. Here we use \(\tilde{B}\) to represent the Gram-Schmidt orthogonalization of B and regard the columns of B as a set of vectors. For \(B=(b_1,\cdots ,b_n)\), define \(||B||=\max _{i}||b_i||\).

Theorem 1

There is a probabilistic polynomial time algorithm that, given a basis B of an n-dimensional lattice \(\varLambda =\mathcal {L}(B)\), a standard deviation \(\sigma \ge ||\tilde{B}||\cdot \sqrt{\log n}\), and a \(\varvec{c}\in H\), outputs a sample whose distribution is \(D_{\varLambda , \sigma , \varvec{c}}\).

We will also use the following lemmas from [23], [25] and [13].

Lemma 2

For any full-rank lattice \(\varLambda \) and positive real \(\varepsilon >0\), we have \(\eta _{\varepsilon }(\varLambda )\le \sqrt{\frac{\ln {(2n(1+\frac{1}{\varepsilon }))}}{\pi }}\cdot \lambda _n{(\varLambda )}\).

Lemma 3

For any full-rank lattice \(\varLambda \), \(\varvec{c}\in H\), \(\varepsilon \in (0,1)\) and \(\sigma \ge \eta _{\varepsilon }(\varLambda ) \), we have \( \mathrm{{Pr}}_{\varvec{b}\hookleftarrow D_{\varLambda ,\sigma ,\varvec{c}}}[||\varvec{b}-\varvec{c}||\ge \sigma \sqrt{n}]\le \frac{1+\varepsilon }{1-\varepsilon }\cdot 2^{-n}\).

Lemma 4

For any full-rank lattice \(\varLambda \) and any positive real \(\varepsilon >0\), we have \(\eta _{\varepsilon }(\varLambda )\le \sqrt{\frac{\ln {(2n(1+\frac{1}{\varepsilon }))}}{\pi }} \cdot \frac{1}{\lambda _{1}^{\infty }{(\varLambda ^{\vee })}}\).

Lemma 5

Let \(\varLambda ^{'}\subseteq \varLambda \) be full-rank lattices. For any \(\varvec{c}\in H\), \(\varepsilon \in (0,1/2)\) and \(\sigma \ge \eta _{\varepsilon }(\varLambda ^{'})\), we have \(\varDelta (D_{\varLambda ,\sigma ,\varvec{c}}\bmod \varLambda ^{'},U(\varLambda /\varLambda ^{'}))\le 2\varepsilon \).

It is convenient to use the notion of subgaussian random variables in our application. We follow the definitions in [24].

Definition 3

For \(\delta \ge 0\), a real-valued random variable X is \(\delta \)-subgaussian with standard parameter \(b\ge 0\) if

$$ E(e^{tX})\le e^{\delta }e^{\frac{1}{2}b^2t^2}, \ \ \ \ \ \text{for all } t\in \mathbb {R}. $$

A real-valued random variable X is a \(\delta \)-subgaussian random variable with scaled parameter \(s\ge 0\) if

$$ E(e^{2\pi tX})\le e^{\delta }e^{\pi s^2t^2}, \ \ \ \ \ \text{for all } t\in \mathbb {R}. $$

A real-valued random variable is \(\delta \)-subgaussian with standard parameter b if and only if it is \(\delta \)-subgaussian with scaled parameter \(\sqrt{2\pi }b\). One can extend the definitions to \(\mathbb {R}^n\) or space H.

Definition 4

For any \(\delta \ge 0\), a multivariate random variable \(\varvec{X}\) on \(\mathbb {R}^n\) is \(\delta \)-subgaussian with standard parameter \(b\ge 0\) if

$$ E(e^{\langle \varvec{t},\varvec{X}\rangle })\le e^{\delta }e^{\frac{1}{2}b^2||\varvec{t}||^2}, \ \ \ \ \ \text{for all } \varvec{t}\in \mathbb {R}^n. $$

A multivariate random variable \(\varvec{Z}\) on H is \(\delta \)-subgaussian with standard parameter \(b\ge 0\) if

$$ E(e^{\langle \varvec{t},\varvec{Z}\rangle })\le e^{\delta }e^{\frac{1}{2}b^2||\varvec{t}||^2}, \ \ \ \ \ \text{for all } \varvec{t}\in H. $$

This definition is equivalent to saying that a random vector \(\varvec{X}\) (or its distribution) is \(\delta \)-subgaussian with standard parameter b if, for every unit vector \(\varvec{t}\), the random variable \(\langle \varvec{X},\varvec{t}\rangle \) is \(\delta \)-subgaussian with standard parameter b.

Definition 5

A random variable \(\varvec{Z}\) on \(\mathbb {R}^n\) (or H) is a noncentral subgaussian random variable with noncentrality parameter \(||E(\varvec{Z})||\ge 0\) and deviation parameter \(d\ge 0\) if the centered random variable \(\varvec{Z}_0=\varvec{Z}-E(\varvec{Z})\) is a 0-subgaussian random variable with standard parameter d.

We regard a central subgaussian random variable as a special case of a noncentral subgaussian random variable. Moreover, we have the following useful lemma from [24].

Lemma 6

Suppose that B is a column basis matrix for a lattice in H with largest singular value \(s_1(B)\) and \(\varvec{Z}\) is an independent noncentral subgaussian random variable with deviation parameter \(d_{\varvec{Z}}\). The coordinate-wise randomized rounding discretisation of \(\varvec{Z}\) to \(\lfloor \varvec{Z}\rceil _{\varLambda +\varvec{c}}^B\) is a noncentral subgaussian random variable with noncentrality parameter \(||E(\varvec{Z})||\) and deviation parameter \((d_{\varvec{Z}}^2+(\frac{1}{2})^2s_1(B)^2)^{\frac{1}{2}}\).

2.5 Basis for R and \(R^{\vee }\), Ring-LWE problem

In our application, we want the matrices whose columns consist of a basis of R or \(R^{\vee }\) to have a smaller \(s_1\) and a larger \(s_n\). So we introduce the powerful basis and the decoding basis as in [22]. Let \(\tau \) be the automorphism of K that maps \(\zeta _l\) to \(\zeta _l^{-1}=\zeta _l^{l-1}\); under the canonical embedding it corresponds to complex conjugation, \(\sigma (\tau (a))=\overline{\sigma (a)}\).

Definition 6

The Powerful basis \(\overrightarrow{p}\) of \(K=\mathbb {Q}(\zeta _l)\) and \(R=\mathbb {Z}[\zeta _l]\) is defined as follows:

  • For a prime power l, define \(\overrightarrow{p}\) to be the power basis \((\zeta _l^j)_{(j\in \{0,1,\cdots , n-1\})}\), treated as a vector over \(R\subseteq K\).

  • For l having prime-power factorization \(l=\prod l_k=\prod p_k^{\alpha _k}\), define \(\overrightarrow{p}=\otimes _k\overrightarrow{p_k}\), the tensor product of the power basis \(\overrightarrow{p_k}\) of each \(K_k=\mathbb {Q}(\zeta _{l_k})\).

The Decoding basis of \(R^{\vee }\) is \(\overrightarrow{d}=\tau (\overrightarrow{p})^{\vee }\), the dual of the conjugate of the powerful basis \(\overrightarrow{p}\).

Different bases of R (or \(R^{\vee }\)) are related by unimodular matrices, hence their spectral norms (i.e. \(s_1\)) may have different magnitudes. The following lemma comes from [22]; it gives the estimates of \(s_1(\sigma (\overrightarrow{p}))\) and \(s_n(\sigma (\overrightarrow{p}))\).

Lemma 7

We have \(s_1(\sigma (\overrightarrow{p}))=\sqrt{\hat{l}}\), \(s_n(\sigma (\overrightarrow{p}))=\sqrt{\frac{l}{rad(l)}}\) and \(||\sigma (\overrightarrow{p})_i||=\sqrt{n}\) for all \(i=1,\cdots ,n\).

We also need estimates of \(s_1(\sigma (\overrightarrow{d}))\) and \(s_n(\sigma (\overrightarrow{d}))\). Write \(T=\sigma (\overrightarrow{p})\); Lemma 7 shows that \(s_1(T)=\sqrt{\hat{l}}\) and \(s_n(T)=\sqrt{\frac{l}{rad(l)}}\). By the definitions of \(\overrightarrow{d}\) and of the dual ideal, an easy computation shows that \(\sigma (\overrightarrow{d})=(T^*)^{-1}\). Hence we have \(s_n(\sigma (\overrightarrow{d}))=\frac{1}{\sqrt{\hat{l}}}\) and \(s_1(\sigma (\overrightarrow{d}))=\sqrt{\frac{rad(l)}{l}}\). Moreover, one can similarly deduce that \(||\sigma (\overrightarrow{d})_i||\le \sqrt{\frac{rad(l)}{l}}\) for all \(i=1,2,\cdots , n\). The following definition is also useful.

Definition 7

Given a basis B of a fractional ideal J, for any \(x\in J\) with \(x=x_1b_1+\cdots +x_nb_n\), the B-coefficient embedding of x is defined as the vector \((x_1,\cdots ,x_n)\) and the B-coefficient embedding norm of x is defined as \(||x||_B^c=(\sum _{i=1}^nx_i^2)^{\frac{1}{2}}\).

If we represent \(x\in R\) (or \(R^{\vee }\)) with respect to the powerful basis (or decoding basis), we have

$$\begin{aligned} \sqrt{\frac{l}{rad(l)}}||x||_{\sigma {(\overrightarrow{p})}}^c\le ||\sigma (x)||\le \sqrt{\hat{l}}||x||_{\sigma {(\overrightarrow{p})}}^c, \ \ \ \ \ \text{for } x\in R, \end{aligned}$$
(1)

and

$$\begin{aligned} \frac{1}{\sqrt{\hat{l}}}||x||_{\sigma {(\overrightarrow{d})}}^c\le ||\sigma (x)||\le \sqrt{\frac{rad(l)}{l}}||x||_{\sigma {(\overrightarrow{d})}}^c, \ \ \ \ \ \text{for } x\in R^{\vee }. \end{aligned}$$
(2)

We will omit the subscript \({\sigma {(\overrightarrow{d})}}\) of \(||\cdot ||_{{\sigma {(\overrightarrow{d})}}}^c\) in the following applications. When we write \(x\bmod qR^{\vee }\), we use the representative element of the coset \(x+qR^{\vee }\) as \(\sum _{i=1}^nx_i \overrightarrow{d}_i\) with \(x_i\in [-\frac{q}{2},\frac{q}{2})\). From now on, we only use the decoding basis of \(R^{\vee }\) and the powerful basis of R.

The Ring-LWE distribution and Ring-LWE problem are defined as those in [22]. Define \(K_\mathbb {R}=K\otimes _\mathbb {Q}\mathbb {R}\).

Definition 8

For a distribution \(\psi \) over \(K_{\mathbb {R}}\) and a secret \(s\hookleftarrow \lfloor \psi \rceil _{R^{\vee }} \in R_q^{\vee }\), a sample from Ring-LWE distribution \(A_{s,\psi }^{\times }\) over \(R_q^{\times }\times R_q^{\vee }\) is generated by choosing \(a\hookleftarrow U(R_q^{\times })\), \(e\hookleftarrow \lfloor \psi \rceil _{R^{\vee }}\) and outputting \((a,b=a\cdot s+e\bmod qR^{\vee })\). The average-case decision version of the Ring-LWE problem, denoted by R-DLWE\(^{\times }_{q,\psi }\), is to distinguish with non-negligible advantage between independent samples from \(A_{s,\psi }^{\times }\), and the same number of uniformly random and independent samples from \(R_q^{\times }\times R_q^{\vee }\).

Theorem 2

Let K be the l-th cyclotomic number field having dimension \(n=\varphi (l)\) and \(R=\mathcal {O}_K\) be its ring of integers. Let \(\alpha =\alpha (n)>0\), and let \(q=q(n)\ge 2\), \(q=1\bmod l\) be a poly(n)-bounded prime such that \(\alpha q\ge \omega (\sqrt{\log {n}})\). Then there is a polynomial-time quantum reduction from \(\tilde{O}(\frac{\sqrt{n}}{\alpha })\)-approximate SIVP on ideal lattices in K to the problem of solving R-DLWE\(^{\times }_{q,\psi }\) given only k samples, where \(\psi \) is the Gaussian distribution \(D_{\xi \cdot q}\) with \(\xi =\alpha \cdot (\frac{nk}{\log {(nk)}})^{\frac{1}{4}}\).

3 Some New Results on q-Ary Lattices

In this section, we shall prove some useful results which will be used in Sect. 4.

3.1 q-Ary Lattices

We know that \(R_q=\mathbb {Z}_q[x]/\varPhi _l(x)\) and that \(\mathbb {Z}_q[x]\) is a principal ideal domain, hence \(R_q\) is a principal ideal ring. Let \(\omega \) be a primitive l-th root of unity in \(\mathbb {Z}_q\) (it exists because \(q=1\bmod l\)) and set \(\phi _i=\omega ^{l_i}\), where \(l_i\) is the i-th element of \(\mathbb {Z}_l^{\times }\); then \(\varPhi _l(x)=\prod _{i=1}^{n}(x-\phi _i)=\prod _{i=1}^{n}(x-\phi _i^{-1})\bmod q\). For any proper ideal I of \(R_q\), we can write \(I=\left\langle f(x) \right\rangle R_q\), where f(x) is a product of at least one of the linear factors \(x-\phi _i\), i.e. \(f(x)=\prod _{i\in S}(x-\phi _i)\) for some non-empty \(S \subseteq \{1,2,\cdots ,n \}\). Since any linear factor \(x-\alpha \) with \(\alpha \ne \phi _i\) for \(i=1,2,\cdots ,n\) is an invertible element of \(R_q\), every proper ideal of \(R_q\) is of the form described above. We will use \(I_{S}\) to denote the ideal \(\prod _{i\in S}(x-\phi _i)R_q\) of \(R_q\).

Let I be a proper ideal of \(R_q\). There is a unique ideal J of R such that \(qR\subseteq J\subseteq R\) and \(I=J/qR\); in fact, if \(I= f(x)R_q\), then \(J=( f(x),q )R\). From \(qJ\subseteq qR \subseteq J \subseteq R\) we get \(R^{\vee }\subseteq J^{\vee }\subseteq (qR)^{\vee }\subseteq (qJ)^{\vee }\), i.e. \(R^{\vee }\subseteq J^{\vee }\subseteq \frac{1}{q}R^{\vee }\subseteq \frac{1}{q}J^{\vee }\). Multiplying by q, we obtain the R-module inclusions

$$\begin{aligned} qR^{\vee }\subseteq qJ^{\vee }\subseteq R^{\vee }\subseteq J^{\vee }. \end{aligned}$$
(3)

Moreover, \(R^{\vee }/qJ^{\vee }\) is an R-submodule of \(J^{\vee }/qJ^{\vee }\). For \(\varvec{a}\in (R_q)^m\), the q-ary lattices are defined as follows:

$$\begin{aligned} \varvec{a}^{\perp }(I)=\{(t_1,\cdots ,t_m)\in J^{m}: \ \sum _{i=1}^{m}t_ia_i=0 \bmod qR\}, \end{aligned}$$
$$\begin{aligned} L(\varvec{a},I)=\{(t_1,\cdots ,t_m)\in (R^{\vee })^m: \ \exists \ s\in R^{\vee }, \ \forall i,\ t_i=a_i\cdot s\bmod qJ^{\vee } \}=R^{\vee }\cdot \varvec{a}+qJ^{\vee }. \end{aligned}$$

Here, \(R^{\vee }\cdot \varvec{a}=\{t\cdot \varvec{a}=(ta_1,\cdots ,ta_m): t\in R^{\vee }\}\). We also write \(\varvec{a}^{\perp }\) and \(L(\varvec{a})\) for \(\varvec{a}^{\perp }(R_q)\) and \(L(\varvec{a},R_q)\). The dual \(M^{\vee }\) of a lattice \(M\subseteq K^m\) is defined as the set of all \(\varvec{x}\in K^m\) such that \(\mathrm{{Tr}}(\varvec{x}\cdot \varvec{v}):=\sum _{j=1}^m\mathrm{{Tr}}(x_j\cdot v_j)\in \mathbb {Z}\) for all \(\varvec{v}\in M\). The following lemma shows the duality relation between \(\varvec{a}^{\perp }(I)\) and \(L(\varvec{a},I)\).

Lemma 8

Let \(\varvec{a}^{\perp }(I)\) and \(L(\varvec{a},I)\) be defined above, then we have \(\varvec{a}^{\perp }(I)=q(L(\varvec{a},I))^{\vee }\) and \(L(\varvec{a},I)=q(\varvec{a}^{\perp }(I))^{\vee }\).

Proof

We only need to prove \(\varvec{a}^{\perp }(I)=q(L(\varvec{a},I))^{\vee }\), since the other equality follows by taking duals on both sides of it.

We first show that \(\varvec{a}^{\perp }(I)\subseteq q(L(\varvec{a},I))^{\vee }\). For any \(\varvec{t}\in \varvec{a}^{\perp }(I)\) and \(\varvec{z}\in L(\varvec{a},I)\), we need \(\sum _{i=1}^{m}\mathrm{{Tr}}(t_i\cdot z_i)=0 \bmod q\mathbb {Z}\). Writing \(z_i= a_i\cdot s+q\cdot z_i^{'}\) for some \(s\in R^{\vee }\) and \(z_i^{'}\in J^{\vee }\), we have

$$ \sum _{i=1}^{m}\mathrm{{Tr}}(t_i\cdot z_i)=\mathrm{{Tr}}(s\cdot \sum _{i=1}^{m}t_i\cdot a_i)+q\cdot \sum _{i=1}^{m}\mathrm{{Tr}}(t_i\cdot z_i^{'}). $$

By the definition of \(\varvec{a}^{\perp }(I)\), \(\sum _{i=1}^{m}t_i\cdot a_i=q\cdot r\) for some \(r\in R\), so \(\mathrm{{Tr}}(s\cdot \sum _{i=1}^{m}t_i\cdot a_i)=q\cdot \mathrm{{Tr}}(s\cdot r)\in q\mathbb {Z}\) because \(s\in R^{\vee }\) and \(r\in R\); moreover, \(\mathrm{{Tr}}(t_i\cdot z_i^{'})\in \mathbb {Z}\) because \(t_i\in J\) and \(z_i^{'}\in J^{\vee }\). Thus \(\sum _{i=1}^{m}\mathrm{{Tr}}(t_i\cdot z_i)\in q\mathbb {Z}\).

To complete the proof, we show \(q(L(\varvec{a},I))^{\vee }\subseteq \varvec{a}^{\perp }(I)\). For any \(\varvec{x}\in (L(\varvec{a},I))^{\vee }\), we need to show \(q\cdot x_i\in J\) for all \(i\in [m]\) and \(\sum _{i=1}^{m}qx_i\cdot a_i\in qR\). Since \(q(J^{\vee })^{m}\subseteq L(\varvec{a},I)\), we may take \(\varvec{v^{(i)}}\) to be the vector in \(L(\varvec{a},I)\) whose i-th coordinate is \(q\cdot s^{'}\) with \(s^{'}\in J^{\vee }\) and whose other coordinates are 0. We have \(\mathrm{{Tr}}(\varvec{x}\cdot \varvec{v^{(i)}})=\mathrm{{Tr}}(x_i\cdot q\cdot s^{'})\in \mathbb {Z}\) for every \(s^{'}\in J^{\vee }\), hence \( q\cdot x_i\in (J^{\vee })^{\vee }=J\). Next, for every \(\varvec{t}\in L(\varvec{a},I)\) we have \(\sum _{i=1}^{m}\mathrm{{Tr}}(x_i\cdot t_i)\in \mathbb {Z}\). Writing \(t_i=a_i\cdot s+q\cdot t_i^{'}\) with \(s\in R^{\vee }\) and \(t_i^{'}\in J^{\vee }\), we get

$$ \sum _{i=1}^{m}\mathrm{{Tr}}(x_i\cdot t_i)=\mathrm{{Tr}}(s\cdot \sum _{i=1}^{m}a_i\cdot x_i)+\sum _{i=1}^{m}\mathrm{{Tr}}(qx_i\cdot t_i^{'}), $$

The latter sum is in \(\mathbb {Z}\) since \(qx_i\in J\) and \(t_i^{'}\in J^{\vee }\), hence \(\mathrm{{Tr}}(s\cdot \sum _{i=1}^{m}a_i\cdot x_i)\in \mathbb {Z}\) for every \(s\in R^{\vee }\), which gives \(\sum _{i=1}^{m}a_i\cdot x_i\in (R^{\vee })^{\vee }=R\). Therefore \(\varvec{a}^{\perp }(I)=q(L(\varvec{a},I))^{\vee }\), which completes the proof.

3.2 Lower Bound of \(\lambda _1^{\infty }\) in \(L(\varvec{a},I)\)

In this section, we give a lower bound on \(\lambda _1^{\infty }\) for \(L(\varvec{a}, I)\) with \(\varvec{a}\hookleftarrow U((R_q^{\times })^m)\), where \(\lambda _1^{\infty }\) is the length of a shortest non-zero vector (with respect to the \(l_{\infty }\) norm) of the lattice \(L(\varvec{a}, I)\). The proof mainly follows the ideas of [29]. Let \(I_S=\prod _{i\in S}(x-\phi _i)R_q\subseteq R_q\) and \(J_S=( f_S(x),q ) R\subseteq R\), where \(f_S(x)=\prod _{i\in S}(x-\phi _i)\) for \(S\subseteq \{1,2,\cdots ,n\}\). The factorization of the ideal qR is \(\prod _{i=1}^{n}\mathfrak {q}_i\) with \(\mathfrak {q}_i=( q, x-\phi _i )R\). Since R is a Dedekind domain and each \(\mathfrak {q_i}\) is a maximal ideal, \(\mathfrak {q_i}\) and \(\mathfrak {q_j}\) are coprime for any \(i\ne j\in [n]\), and \(\mathfrak {q_i}\cdot \mathfrak {q_j}=\mathfrak {q_i}\cap \mathfrak {q_j}=( q,(x-\phi _i)(x-\phi _j))R\). Therefore, \(J_S=\prod _{i\in S}\mathfrak {q}_i\) and \(J_S^{-1}=\prod _{i\in S}\mathfrak {q}_i^{-1}\). Further, we have \(J_S^{\vee }=\prod _{i\in S}\mathfrak {q}_i^{-1}R^{\vee }\).

Lemma 9

For any \(S\subseteq [n]\), \(m \ge 2\) and \(\varepsilon >0\), we have \(\lambda _1^{\infty }(L(\varvec{a},I_S))\ge B\) with \(B=\frac{q^\beta }{n}\), where \(\beta =(1-\frac{1}{m})(1-\frac{|S|}{n})-\varepsilon \), except with probability \(p\le 2^{(3m+1)n}q^{-\varepsilon mn}\) over the uniformly random choice of \(\varvec{a}\in (R_q^{\times })^{m}\).

Proof

Let p denote the probability, over the randomness of \(\varvec{a}\), that \(L(\varvec{a},I_S)\) contains a non-zero vector \(\varvec{t}\) of infinity norm \(< B=\frac{q^\beta }{n}\). Recall that \(\varvec{t}\in L(\varvec{a}, I_S)\) if and only if there is an \(s\in R^{\vee }\) such that \(t_i=a_i\cdot s\bmod qJ^{\vee }_S\) for all \(i\in [m]\). Moreover, for any \(s\in R^{\vee }\), all elements of the coset \(s+qJ_{S}^{\vee }\) satisfy the equation \(t_i=a_i\cdot s\bmod qJ_{S}^{\vee }\) for the same \(t_i\), so it suffices to range over \(s\in R^{\vee }/(qJ_S^{\vee })\). We upper bound p by the union bound, summing the probabilities \(p(\varvec{t},s)=\mathrm{{Pr}}_{\varvec{a}}[\ t_i=a_i\cdot s\bmod qJ_S^{\vee },\ \forall i\in \ [m]]\) over all possible values of \(\varvec{t}\) of infinity norm \(<B\) and \(s\in R^{\vee }/(qJ_S^{\vee })\). Since the \(\{a_i\}_{i=1}^m\) are independent, we have \(p(\varvec{t},s)=\prod _{i\le m}p_i(t_i,s)\), where \(p_i(t_i,s)=\mathrm{{Pr}}_{a_i}[t_i=a_i\cdot s\bmod qJ_S^{\vee }]\). So, we have

$$ p\le \sum \limits _{\begin{array}{c} \varvec{t}\in (J_{S}^{\vee })^{m}\\ \forall i,\ 0<||t_i||_{\infty }<B \end{array}}\sum _{s\in R^{\vee }/qJ_{S}^{\vee }}\prod _{i=1}^{m}\mathrm{{Pr}}_{a_i}[t_i=a_i\cdot s\bmod qJ_S^{\vee }]. $$

Note that \(qJ_S^{\vee }=q\prod _{i\in S}\mathfrak {q}_i^{-1}R^{\vee }=q\cdot \prod _{i\in S}\mathfrak {q}_i^{-1}\cdot R\cdot R^{\vee }=\prod _{i\in S'}\mathfrak {q}_i\cdot R^{\vee }\), where \(S'=[n]\setminus S\). We have an isomorphism between \(J_S^{\vee }/qJ_S^{\vee }\) and \(J_S^{\vee }/(\mathfrak {q}_{i_{1}}R^{\vee })\oplus \cdots \oplus J_S^{\vee }/(\mathfrak {q}_{i_{|S'|}}R^{\vee })\), where \(i_j\in S'\) for \(j=1,\cdots ,|S'|\). Also we have \(R^{\vee }/qJ_S^{\vee }\cong R^{\vee }/(\mathfrak {q}_{i_{1}}R^{\vee })\oplus \cdots \oplus R^{\vee }/(\mathfrak {q}_{i_{|S'|}}R^{\vee })\).

We claim that if \(p_{i}(t_i,s)\ne 0\), then there is a set \(S''\subseteq S'\) such that \(s,t_i\in \prod _{j\in S''}\mathfrak {q}_jR^{\vee }\) and \(s,t_i\notin \mathfrak {q}_jR^{\vee }\) for all \(j\in S'\setminus S''\). Otherwise, there is some \(j\in S'\) such that either \(s=0\bmod \mathfrak {q}_jR^{\vee }\) and \(t_i\ne 0\bmod \mathfrak {q}_jR^{\vee }\), or \(s\ne 0\bmod \mathfrak {q}_jR^{\vee }\) and \(t_i=0\bmod \mathfrak {q}_jR^{\vee }\); in both cases \(p_{i}(t_i,s)=0\), since \(a_i\in R_{q}^{\times }\). Now, for \(j\in S''\), we have \(t_i=a_i\cdot s=0 \bmod \mathfrak {q}_jR^{\vee }\) regardless of the value of \(a_i\in R_{q}^{\times }\). For any \(j\in S'\setminus S''\), we have \(t_i=a_i\cdot s\ne 0\bmod \mathfrak {q}_jR^{\vee }\), and the residue of \(a_i\) modulo \(\mathfrak {q}_j\) is uniquely determined, since \(s\ne 0\bmod \mathfrak {q}_jR^{\vee } \) and \(a_i\in R_{q}^{\times }\). For \(j\in [n]\setminus S'\), the residue of \(a_i\) modulo \(\mathfrak {q}_j\) can be an arbitrary non-zero element. Hence, if we set \(|S''|=d\), exactly \((q-1)^{n+d-|S'|}\) of the \((q-1)^n\) elements \(a_i\in R_q^{\times }\) satisfy \(t_i=a_i\cdot s\bmod qJ^{\vee }_S\), i.e. \(p_i(t_i,s)=(q-1)^{d-|S'|}\). Therefore, we can rewrite the conditions of the sum as

$$ p \le \sum _{0\le d\le |S'|}\sum \limits _{\begin{array}{c} S''\subseteq S' \\ |S''|=d \\ \mathfrak {h}:=\prod _{i\in S''}\mathfrak {q}_iR^{\vee } \end{array}} \sum \limits _{\begin{array}{c} s\in R^{\vee }/(qJ_{S}^{\vee })\\ s\in \mathfrak {h} \end{array}} \sum \limits _{\begin{array}{c} \varvec{t}\in (J_{S}^{\vee })^{m}\\ \forall i,\ 0<||t_i||_{\infty }<B \\ t_i\in \mathfrak {h} \end{array}} \prod _{i=1}^{m}(q-1)^{d-|S'|}. $$

Set \(\mathfrak {h}=\prod _{i\in S''}\mathfrak {q}_iR^{\vee }\), where \(S''\subseteq S'\) and \(|S''|=d\). Let N(B,d) denote the number of \(t\in J_{S}^{\vee }\) such that \(||t||_{\infty }< B\) and \(t\in \mathfrak {h}\). We consider two cases for N(B,d), depending on the magnitude of d.

Case 1: Suppose that \(d\ge \beta \cdot n\). Let \(t\in \mathfrak {h}=\prod _{i\in S''}\mathfrak {q}_iR^{\vee }\) be non-zero. Since \(\mathfrak {h}\) is a fractional ideal of K, we have \(( t )=tR\subseteq \mathfrak {h}\), and (t) is a full-rank R-submodule of \(\mathfrak {h}\). Hence,

$$ |\mathrm{{N}}(t)|=\mathrm{{N}}(( t ))\ge \mathrm{{N}}(\mathfrak {h})\ge \mathrm{{N}}(\prod _{i\in S''}\mathfrak {q}_i\cdot R^{\vee })=(\prod _{i\in S''}\mathrm{{N}}(\mathfrak {q}_i))\mathrm{{N}}(R^{\vee })=q^d\cdot |\varDelta _K|^{-1}. $$

Since \(|\varDelta _K|\le n^n\), we have \(|\mathrm{{N}}(t)|\ge \frac{q^d}{n^n}\) and conclude that

$$\begin{aligned} ||t||_{\infty }\ge \frac{1}{\sqrt{n}}||t||\ge |\mathrm{{N}}^{\frac{1}{n}}(t)|\ge \frac{q^{\frac{d}{n}}}{n}\ge \frac{q^{\beta }}{n}=B. \end{aligned}$$
(4)

Case 2: Suppose now that \(d<\beta \cdot n\). Define \(\mathfrak {B}(r,\varvec{c})=\{\varvec{x}\in H:\ ||\varvec{x}-\varvec{c}||_{\infty }<r\}\). Since \(\sigma (\mathfrak {h})\) is a lattice in H, N(B,d) is at most the number of points of \(\sigma (\mathfrak {h})\) in the region \( \mathfrak {B}(B,0)\). Let \(\lambda =\frac{\lambda _1^{\infty }(\mathfrak {h})}{2}\); then for any two distinct points \(\varvec{v_1},\varvec{v_2}\in \sigma (\mathfrak {h})\), we have \(\mathfrak {B}(\lambda ,\varvec{v_1})\cap \mathfrak {B}(\lambda ,\varvec{v_2})=\emptyset \). For any \(\varvec{v}\in \mathfrak {B}(B,0)\), we also have \(\mathfrak {B}(\lambda ,\varvec{v})\subseteq \mathfrak {B}(B+\lambda ,0)\). Therefore,

$$ N(B,d)\le \frac{vol(\mathfrak {B}(B+\lambda ,0))}{vol(\mathfrak {B}(\lambda ,0))}=(\frac{B}{\lambda }+1)^{n}\le (2q^{\beta -\frac{d}{n}}+1)^{n}\le 2^{2n}q^{n\beta -d}, $$

where we have used \(\lambda _1^{\infty }{\mathfrak {(h)}}\ge \frac{q^{\frac{d}{n}}}{n}\), which follows from (4) (the first three inequalities there hold for every non-zero \(t\in \mathfrak {h}\), whatever d is), and \(2q^{\beta -\frac{d}{n}}+1\le 4q^{\beta -\frac{d}{n}}\) since \(d<\beta \cdot n\).

We claim that the number of \(s\in R^{\vee }/(qJ_S^{\vee })\) with \(s\in \mathfrak {h}\) is \(q^{|S'|-d}\). Indeed, such s are exactly the elements of \(\mathfrak {h}/(qJ_S^{\vee })\). Using the isomorphism of Lemma 2.14 in [21], which states that for any fractional ideals \(\mathfrak {a}\), \(\mathfrak {b}\) and integral ideal \(\mathfrak {c}\) with \(\mathfrak {b}\subseteq \mathfrak {a}\), \(\mathfrak {a}\mathfrak {c}/\mathfrak {b}\mathfrak {c}\cong \mathfrak {a}/\mathfrak {b}\), we have

$$ \mathfrak {h}/(qJ_{S}^{\vee })= \prod _{i\in S''}\mathfrak {q}_iR^{\vee }/(\prod _{i\in S'}\mathfrak {q}_iR^{\vee })\cong \prod _{i\in S''}\mathfrak {q}_i/(\prod _{i\in S'}\mathfrak {q}_i)\cong R/(\prod _{i\in (S'\setminus S'')}\mathfrak {q}_i). $$

Hence, we have \(|\mathfrak {h}/(qJ_{S}^{\vee })|=|R/(\prod _{i\in (S'\setminus S'')}\mathfrak {q}_i)|=q^{|S'|-d}\). Using the bound \(N(B,d)\le 2^{2n}q^{n\beta -d}\) for \(d<\beta \cdot n\), the fact that \(N(B,d)=0\) for \(d\ge \beta \cdot n\) by (4), and the fact that \(S'\) has \(2^{|S'|}\) subsets in total, and setting \(\mathfrak {P}=\prod _{i=1}^{m}(q-1)^{d-|S'|}\), we can rewrite the inequality for p as

$$\begin{aligned} p&\le \left( \sum _{0\le d< \beta \cdot n}+\sum _{\beta \cdot n \le d \le |S'|} \right) \sum \limits _{\begin{array}{c} S''\subseteq S' \\ |S''|=d \\ \mathfrak {h}=\prod _{i\in S''}\mathfrak {q}_iR^{\vee } \end{array}} \sum \limits _{\begin{array}{c} s\in R^{\vee }/(qJ_{S}^{\vee })\\ s\in \mathfrak {h} \end{array}} \sum \limits _{\begin{array}{c} \varvec{t}\in (J_{S}^{\vee })^{m}\\ \forall i,\ 0<||t_i||_{\infty }<B \\ t_i\in \mathfrak {h} \end{array}} \mathfrak {P} \\&\le \sum _{0\le d< \beta \cdot n}\sum \limits _{\begin{array}{c} S''\subseteq S' \\ |S''|=d \\ \mathfrak {h}=\prod _{i\in S''}\mathfrak {q}_iR^{\vee } \end{array}} \sum \limits _{\begin{array}{c} s\in R^{\vee }/(qJ_{S}^{\vee })\\ s\in \mathfrak {h} \end{array}} \sum \limits _{\begin{array}{c} \varvec{t}\in (J_{S}^{\vee })^{m}\\ \forall i,\ 0<||t_i||_{\infty }<B \\ t_i\in \mathfrak {h} \end{array}} \mathfrak {P} \\&\le 2^{|S'|} \max _{d<\beta \cdot n}\frac{q^{|S'|-d}N^m(B,d)}{(q-1)^{m(|S'|-d)}}\\&\le 2^{n(1+3m)}\cdot q^{-\varepsilon mn}. \end{aligned}$$
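The last inequality of the display, written out as a worked step (added here; it is not part of the original proof): using \(N(B,d)\le 2^{2n}q^{n\beta -d}\) and \((q-1)^{-1}\le 2q^{-1}\), we have for every \(d<\beta \cdot n\)

$$\begin{aligned} \frac{q^{|S'|-d}N^m(B,d)}{(q-1)^{m(|S'|-d)}}&\le q^{|S'|-d}\cdot 2^{2nm}q^{m(n\beta -d)}\cdot 2^{m(|S'|-d)}q^{-m(|S'|-d)} \\&\le 2^{2nm+m|S'|}\cdot q^{(1-m)|S'|-d+mn\beta }. \end{aligned}$$

Since \(1-\frac{|S|}{n}=\frac{|S'|}{n}\), the definition of \(\beta \) gives \(mn\beta =(m-1)|S'|-\varepsilon mn\), so the exponent of q equals \(-d-\varepsilon mn\le -\varepsilon mn\). Together with the factor \(2^{|S'|}\le 2^{n}\) and \(2^{2nm+m|S'|}\le 2^{3nm}\), this yields \(p\le 2^{n(1+3m)}q^{-\varepsilon mn}\).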

This completes the proof.

Remark: The estimate of N(B,d) in the case \(d<\beta \cdot n\) was inspired by [32] and is probably standard. This lemma and the following regularity theorem can be regarded as a special case of Lemma 5.2 and Theorem 5.3 in [28].

3.3 Improved Results on Regularity

In this subsection, we discuss regularity results for arbitrary cyclotomic rings. The following result is a direct consequence of Lemmata 4, 5, 8 and 9. By Lemmas 9 and 8, we have \(\lambda _1^{\infty }(({\varvec{a}}^{\perp }(I_S))^{\vee })=\frac{1}{q}\lambda _1^{\infty }(L(\varvec{a}, I_S))\ge \frac{1}{n}q^{\frac{|S|}{mn}-\frac{|S|}{n}-\frac{1}{m}-\varepsilon }\), except for a fraction \(2^{(3m+1)n}q^{-\varepsilon mn}\) of \(\varvec{a}\in (R_q^{\times })^m\), for \(S\subseteq [n]\) and \(m\ge 2\). Then Lemma 4 (which bounds the smoothing parameter of a lattice in terms of \(\lambda _1^{\infty }\) of its dual) tells us that \(\eta _{\delta }(\varvec{a}^{\perp }(I_S))\le n\sqrt{\frac{\ln (2mn(1+\frac{1}{\delta }))}{\pi }}\cdot q^{\frac{|S|}{n}+\frac{1}{m}-\frac{|S|}{mn}+\varepsilon }\) for any \(\delta >0\). Therefore, Lemma 5 gives us the following lemma.

Lemma 10

Let \(q=1\bmod l\) be a prime, \(K=\mathbb {Q}(\zeta _l)\), \(R=\mathcal {O}_K\), \(m\ge 2\), \(\delta \in (0,\frac{1}{2})\), \(\varepsilon >0\), \(S\subseteq [n]\), \(\varvec{c}\in R^m\) and \(\varvec{t}\hookleftarrow D_{R^m,\sigma ,\varvec{c}}\), where \(\sigma \ge n\sqrt{\frac{\ln (2mn(1+\frac{1}{\delta }))}{\pi }}\cdot q^{\frac{|S|}{n}+\frac{1}{m}-\frac{|S|}{mn}+\varepsilon }\). Then for all except a fraction of \(2^{(3m+1)n}q^{-\varepsilon mn}\) of \(\varvec{a}\in (R_q^{\times })^m\), we have

$$ \varDelta \left( \varvec{t}\bmod \varvec{a}^{\perp }(I_S) ;\ U(R^m/\varvec{a}^{\perp }(I_S))\right) \le 2\delta . $$

Let \(\mathbb {D}_{\chi }\) be the distribution of the tuple \((a_1,\cdots ,a_m\), \(\sum _{i=1}^mt_ia_i)\in (R_q^{\times })^m\times R_q\), where the \(a_i\hookleftarrow U(R_q^{\times })\) are chosen independently and \(\varvec{t}\hookleftarrow D_{R^m,\sigma }\). The regularity of the generalized knapsack function \((t_1,\cdots ,t_m)\mapsto \sum _{i=1}^mt_ia_i\) is the statistical distance between \(\mathbb {D}_{\chi }\) and \(U((R_q^{\times })^m\times R_q)\). Note that for each \(\varvec{a}\hookleftarrow U((R_q^{\times })^m)\), the map \(\varvec{t}\mapsto \sum _{i=1}^ma_it_i\) induces an isomorphism from the quotient \(R^m/{\varvec{a}^{\perp }}\) onto its range, which is all of \(R_q\) thanks to the invertibility of the \(a_i\)'s. Taking \(S=\emptyset \) and \(\varvec{c}=0\) in Lemma 10, we deduce the following result.

Theorem 3

Let \(q=1\bmod l\) be a prime, \(K=\mathbb {Q}(\zeta _l)\), \(R=\mathcal {O}_K\), \(m\ge 2\), \(\delta \in (0,\frac{1}{2})\), \(\varepsilon >0\) and \(a_i\hookleftarrow U(R_q^{\times })\) for all \(i\in [m]\). Assume \(\varvec{t}\hookleftarrow D_{R^m,\sigma }\), where \(\sigma \ge n\sqrt{\frac{\ln (2mn(1+\frac{1}{\delta }))}{\pi }}\cdot q^{\frac{1}{m}+\varepsilon }\). Then we have

$$ \varDelta \left( (a_1,\cdots ,a_m,\sum _{i=1}^mt_ia_i); \ U((R_q^{\times })^m\times R_q)\right) \le 2\delta +2^{(3m+1)n}q^{-\varepsilon mn}. $$

4 Analysis of Key Generation Algorithm

With the results of Sect. 3, we can derive a key generation algorithm for NTRUEncrypt as in [29]. Further, by choosing appropriate parameters, we can show that the key generation algorithm terminates in expected polynomial time and that the public key distribution is very close to uniform.

The key generation algorithm is as follows:

$$\begin{aligned}&\mathbf{{Input}}{} \mathbf : \ \ q\in \mathbb {Z}^{+},\ p\in \ R_q^{\times },\ \sigma \in \mathbb {R}^{+}. \\&\mathbf{{Output}}{} \mathbf : \ \ A\ key\ pair\ (sk,\ pk)\in \ R_q^{\times }\times R_q^{\times }. \\&1.\ Sample\ f'\ from\ D_{R,\sigma };\ let\ f=p\cdot f'+1;\ if\ (f\bmod qR)\notin R_q^{\times },\ resample. \\&2.\ Sample\ g\ from\ D_{R,\sigma };\ if\ (g\bmod qR)\notin R_q^{\times },\ resample. \\&3.\ Return\ secret\ key\ sk=f\ and\ public\ key\ pk=h=pg/f\in R_q^{\times }. \end{aligned}$$

Notice that for the powerful basis \(\overrightarrow{p}\) of R, we have \(||\overrightarrow{p}||=\sqrt{n}\). Hence, as long as \(\sigma \ge \sqrt{n}\cdot \sqrt{\log n}\), we can sample from \(D_{R,\sigma }\) in polynomial time by Theorem 1. The following lemma shows that, with high probability, the key generation algorithm terminates after only a few resampling steps. The proofs in this section are standard and are deferred to Appendix A.

Lemma 11

Let l be a positive integer, \(n=\varphi (l)\) and q be a prime such that \(q=1\bmod l\). Assume \(\sigma \ge n\cdot \sqrt{\frac{\ln {(2n(1+\frac{1}{\varepsilon }))}}{\pi }}\cdot q^{\frac{1}{n}}\), for an arbitrary \(\varepsilon \in (0,\frac{1}{2})\). Let \(a\in R\) and \(p\in R_q^{\times }\). Then

$$ \mathrm{{Pr}}_{f'\hookleftarrow D_{R,\sigma }}[(p\cdot f'+a\bmod qR)\notin R_q^{\times }]\le n(\frac{1}{q}+2\varepsilon ). $$

Next, we show that the secret key produced by the key generation algorithm is short. This lemma is used to analyze the decryption error in Sect. 5.

Lemma 12

Let \(n\ge 5\), \(q\ge 8n\), \(q=1\bmod l\) be a prime and \(\sigma \ge \sqrt{\frac{2\ln {(6n)}}{\pi }}\cdot n\cdot q^{\frac{1}{n}}\). Then with probability at least \( 1-2^{3-n}\), the secret key components f and g satisfy \(||f||\le 2\sqrt{n}\sigma ||p||_{\infty }\) and \(||g||\le \sqrt{n}\sigma \).

The last lemma of this section estimates the statistical distance between the distribution of the public key and the uniform distribution over \(R_q^{\times }\). The proof is essentially the same as that of Theorem 3 in [29]. We denote by \(D_{\sigma ,z}^{\times }\) the discrete Gaussian \(D_{R,\sigma }\) restricted to \(R_{q}^{\times }+z\).

Lemma 13

Let \(\varepsilon >0\), \(n\ge 5\), \(q\ge 8n\) and \(\sigma \ge n^{\frac{3}{2}}\sqrt{\ln {(8nq)}}\cdot q^{\frac{1}{2}+2\varepsilon }\). Let \(p\in R_q^{\times }\), \(y_i\in R_q\) and \(z_i=-y_ip^{-1}\bmod qR\) for \(i\in \{1,2\}\). Then

$$ \varDelta \left[ \frac{y_1+p\cdot D_{\sigma ,z_1}^{\times }}{y_2+p\cdot D_{\sigma ,z_2}^{\times }}\bmod qR,\ U(R_q^{\times })\right] \le \frac{2^{9n}}{q^{\lfloor \varepsilon n\rfloor }}. $$

5 NTRUEncrypt Scheme and Security Analysis

In this section, we give our modified NTRUEncrypt. Meanwhile, we shall analyze the decryption error and give an elementary reduction from R-DLWE\(_{q,D_{q\xi }}^{\times }\) to the CPA-security of our scheme.

The plaintext space of our scheme is \(\mathcal {P}=R^{\vee }/pR^{\vee }\) with \(p\in R_q^{\times }\). Denote \(\chi =\lfloor D_{\xi \cdot q}\rceil _{R^{\vee }}\) with \(\xi =\alpha \cdot (\frac{nk}{\log {(nk)}})^{\frac{1}{4}}\), where \(k=O(1)\) is a positive integer. We will use the decoding basis for element \(x\in R\subseteq R^{\vee }\). One should note that \(f=1\bmod pR\) implies \(f=1\bmod pR^{\vee }\).

$$\begin{aligned}&\mathbf{Key\ generation}{} \mathbf : \ Use \ the \ algorithm\ described\ in\ Section\ 4, \ return\ sk=f \\&\in R_q^{\times }\ with\ f=1\ mod\ pR^{\vee },\ and\ pk=h=pg\cdot f^{-1} \in R_q^{\times }. \\&\mathbf{Encryption}{} \mathbf : \ Given\ message\ m\in \mathcal {P},\ sample\ s,e\hookleftarrow \chi \ and\ return\ c=hs\\&+pe+m\in R_q^{\vee }. \\&\mathbf{Decryption}{} \mathbf : \ Given\ ciphertext\ c\ and\ secret\ key\ f,\ compute\ c_1=fc.\ Then \\&return\ m=(c_1\bmod qR^{\vee })\bmod pR^{\vee }. \end{aligned}$$
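As an added worked example (not code from the paper), the following Python script instantiates the key generation of Sect. 4 and the encryption/decryption above in the integral variant that Remark 2 below sketches (plaintext space R/pR and the power basis of R), and also exercises the splitting of \(\varPhi _l\) modulo q into the linear factors \(x-\phi _i\) from Sect. 3.1: membership in \(R_q^{\times }\) is tested by evaluating at the roots \(\phi _i\), and \(f^{-1}\) is computed by inverting each evaluation and interpolating back (the CRT view used in the proof of Lemma 9). Everything not in the paper is an assumption of the example: p is an integer coprime to q (so p lies in \(R_q^{\times }\)); the sampler for \(D_{R,\sigma }\) of Theorem 1 is replaced by independent \(D_{\mathbb {Z},\sigma }\) coefficients, which are also used for s and e; q is assumed prime and not checked; and the toy parameters (l = 7, q = 100003, p = 3, \(\sigma =3\)) give no security, they are only chosen so that the noise term pgs + pfe + fm stays below q/2 as in the argument of Lemma 15.

```python
"""Toy NTRUEncrypt over R_q = Z_q[x]/Phi_l(x), q = 1 mod l prime: key generation (Sect. 4) and
encryption/decryption (Sect. 5) in the integral variant of Remark 2 (plaintext space R/pR, power
basis).  Added example, not the paper's code.  Assumptions: p is an integer coprime to q (so p is in
R_q^x); D_{R,sigma} is replaced by coefficient-wise D_{Z,sigma}, also used for s, e; q assumed prime."""
import functools
import math
import random
from itertools import product

def poly_mul(a, b, q):
    """Schoolbook product of coefficient lists (lowest degree first), mod q."""
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % q
    return out

def poly_mod(a, m, q):
    """Remainder of a modulo the monic polynomial m, coefficients mod q."""
    a, dm = [c % q for c in a], len(m) - 1
    for i in range(len(a) - 1, dm - 1, -1):
        for j in range(dm + 1):            # subtract a[i] * x^(i-dm) * m; a[i] itself is cleared last
            a[i - dm + j] = (a[i - dm + j] - a[i] * m[j]) % q
    return a[:dm] + [0] * (dm - len(a))

class RingModQ:
    """R_q = Z_q[x]/Phi_l(x), with Phi_l split into linear factors as in Sect. 3.1."""
    def __init__(self, l, q):
        assert (q - 1) % l == 0, "need q = 1 mod l"
        self.l, self.q = l, q
        omega = next(w for w in (pow(g, (q - 1) // l, q) for g in range(2, q))
                     if all(pow(w, d, q) != 1 for d in range(1, l)))   # primitive l-th root of unity
        # phi_i = omega^{l_i} for l_i in Z_l^x are the n = varphi(l) roots of Phi_l mod q
        self.roots = [pow(omega, k, q) for k in range(1, l + 1) if math.gcd(k, l) == 1]
        self.n = len(self.roots)
        # Phi_l(x) = prod_i (x - phi_i) mod q, which equals the integral cyclotomic polynomial mod q
        self.phi = functools.reduce(lambda p, r: poly_mul(p, [-r % q, 1], q), self.roots, [1])
    def add(self, a, b):
        return [(x + y) % self.q for x, y in zip(a, b)]
    def mul(self, a, b):
        return poly_mod(poly_mul(a, b, self.q), self.phi, self.q)
    def evaluate(self, a, x):
        return functools.reduce(lambda acc, c: (acc * x + c) % self.q, reversed(a), 0)
    def is_unit(self, a):
        """a in R_q^x iff a(phi_i) != 0 for every i, since R_q = prod_i Z_q[x]/(x - phi_i)."""
        return all(self.evaluate(a, r) != 0 for r in self.roots)
    def interpolate(self, vals):
        """The unique polynomial of degree < n taking vals at the roots (inverse of the CRT map)."""
        q, res = self.q, [0] * self.n
        for i, (xi, yi) in enumerate(zip(self.roots, vals)):
            num, den = [1], 1
            for j, xj in enumerate(self.roots):
                if j != i:
                    num, den = poly_mul(num, [-xj % q, 1], q), den * (xi - xj) % q
            coef = yi * pow(den, -1, q) % q
            res = [(r + coef * c) % q for r, c in zip(res, num)]
        return res
    def inverse(self, a):
        """Invert a unit through the CRT: invert each evaluation, then interpolate back."""
        return self.interpolate([pow(self.evaluate(a, r), -1, self.q) for r in self.roots])

def count_units(ring):
    """Brute-force |R_q^x|; it equals (q - 1)^n, the count used in the proof of Lemma 9 (tiny rings only)."""
    return sum(ring.is_unit(list(a)) for a in product(range(ring.q), repeat=ring.n))

def sample_gauss_int(sigma, tail=6):
    """D_{Z,sigma} (mass proportional to exp(-pi z^2 / sigma^2)) by rejection, truncated at tail*sigma."""
    bound = math.ceil(tail * sigma)
    while True:
        z = random.randint(-bound, bound)
        if random.random() < math.exp(-math.pi * z * z / sigma ** 2):
            return z

def sample_ring(ring, sigma):
    """Coefficient-wise D_{Z,sigma}: a stand-in (assumption) for the D_{R,sigma} sampler of Theorem 1."""
    return [sample_gauss_int(sigma) % ring.q for _ in range(ring.n)]

def keygen(ring, p, sigma):
    """Sect. 4: f = p f' + 1 resampled until f in R_q^x; g resampled until g in R_q^x; h = p g / f."""
    one, f, g = [1] + [0] * (ring.n - 1), [0] * ring.n, [0] * ring.n    # 0 is not a unit, so both loops run
    while not ring.is_unit(f):
        f = ring.add([p * c % ring.q for c in sample_ring(ring, sigma)], one)
    while not ring.is_unit(g):
        g = sample_ring(ring, sigma)
    return f, ring.mul([p * c % ring.q for c in g], ring.inverse(f))

def encrypt(ring, h, p, m, sigma_err):
    """c = h s + p e + m mod q with small s, e; the message m has coefficients in [0, p)."""
    s, e = sample_ring(ring, sigma_err), sample_ring(ring, sigma_err)
    return ring.add(ring.add(ring.mul(h, s), [p * c % ring.q for c in e]), m)

def decrypt(ring, f, p, c):
    """f c = p g s + p f e + f m in Z[x]/Phi_l when that is short; f = 1 mod p, so reducing mod p leaves m."""
    return [(v - ring.q if v > ring.q // 2 else v) % p for v in ring.mul(f, c)]   # centre in (-q/2, q/2), then mod p

def roundtrip(ring, p=3, sigma=3.0, sigma_err=2.0, trials=20):
    """Generate a key pair and check that random messages survive encryption and decryption."""
    f, h = keygen(ring, p, sigma)
    return all(decrypt(ring, f, p, encrypt(ring, h, p, m, sigma_err)) == m
               for m in ([random.randrange(p) for _ in range(ring.n)] for _ in range(trials)))
```

With the truncated sampler, a worst-case bound on the coefficients of pgs + pfe + fm for l = 7, q = 100003, p = 3, \(\sigma =3\) and error parameter 2 is below q/2, so `roundtrip(RingModQ(7, 100003))` returns True; shrinking q or enlarging \(\sigma \) makes it start returning False, which is exactly the decryption-error regime that the hypothesis of Lemma 15 excludes. `count_units(RingModQ(3, 7))` returns 36 = (7 − 1)^2, the \((q-1)^n\) count from the proof of Lemma 9, and `RingModQ(12, 37).phi` reproduces \(\varPhi _{12}=x^4-x^2+1\) modulo 37 from the roots alone.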

We first give an accurate estimate of the infinity norm of elements sampled from the discretisation of a Gaussian distribution.

Lemma 14

Assume that \(\xi =\alpha \left( \frac{nk}{\log {(nk)}}\right) ^{\frac{1}{4}}\), \(\chi =\lfloor D_{\xi \cdot q}\rceil _{R^{\vee }}\), \(\alpha \cdot q\ge \omega (\sqrt{\log n})\) and \(k=O(1)\). Set \(\delta =\omega (\sqrt{n\log n}\cdot \alpha ^2\cdot q^2)\) and B the decoding basis of \(R^{\vee }\), then for any \(\varvec{t}\in H\), we have \(\mathrm{{Pr}}_{\varvec{x}\hookleftarrow \chi }(|<\varvec{t},\varvec{x}>|>\delta ||\varvec{t}||^2)\le n^{-\omega (\sqrt{n\log n})\cdot ||\varvec{t}||^2}\).

Proof

Since a Gaussian random variable \(\varvec{x}\hookleftarrow D_{q\cdot \xi }\) has mean \(\varvec{0}\) and standard deviation \(\frac{q\cdot \xi }{\sqrt{2\pi }}\), its discretisation \(\lfloor \varvec{x}\rceil \) is a noncentral subgaussian random variable with noncentrality parameter 0 and deviation parameter \((\frac{q^2\xi ^2}{2\pi }+\frac{1}{4}s_1(B)^2)^{\frac{1}{2}}\) by Lemma 6. Therefore, by Definition 5, we have

$$ E(e^{<\varvec{t},\lfloor \varvec{x}\rceil >})\le e^{\frac{1}{2}\cdot \left( \frac{q^2\xi ^2}{2\pi }+\frac{1}{4}s_1(B)^2\right) \cdot ||\varvec{t}||^2}. $$

For \(\varvec{x}\hookleftarrow D_{q\cdot \xi }\), the Chernoff bound (applied to \(\varvec{t}\) and \(-\varvec{t}\), which accounts for the factor 2) gives

$$\begin{aligned} \mathrm{{Pr}}(|<\varvec{t},\varvec{\lfloor \varvec{x}\rceil }>|>\delta \cdot ||\varvec{t}||^2)&=\mathrm{{Pr}}(e^{|<\varvec{t},\varvec{\lfloor \varvec{x}\rceil }>|}>e^{\delta \cdot ||\varvec{t}||^2}) \\&\le 2\cdot e^{\frac{1}{2}\cdot \left( \frac{q^2\xi ^2}{2\pi }+\frac{1}{4}s_1^2(B)\right) \cdot ||\varvec{t}||^2-\delta \cdot ||\varvec{t}||^2}. \end{aligned}$$

Now, we estimate the value of \(\frac{1}{2}\cdot \left( \frac{q^2\xi ^2}{2\pi }+\frac{1}{4}s_1^2(B)\right) \cdot ||\varvec{t}||^2\). Since \(s_1(B)=\sqrt{\frac{rad(l)}{l}}\le 1\) and \(k=O(1)\), we have \(\frac{1}{2}\cdot \left( \frac{q^2\xi ^2}{2\pi }+\frac{1}{4}s_1^2(B)\right) \cdot ||\varvec{t}||^2=O(\alpha ^2\cdot q^2\cdot \sqrt{n}\log ^{-\frac{1}{2}}n\cdot ||\varvec{t}||^2)\), which is dominated by \(\delta \cdot ||\varvec{t}||^2\). Moreover \(\alpha ^2q^2\ge \omega (\log n)\), so the exponent is at most \(-\omega (\sqrt{n\log n}\cdot \log n)\cdot ||\varvec{t}||^2\). Therefore,

$$ \mathrm{{Pr}}(|<\varvec{t},\varvec{\lfloor \varvec{x}\rceil }>|>\delta \cdot ||\varvec{t}||^2)\le n^{-\omega {(\sqrt{n\log n}})\cdot ||\varvec{t}||^2}. $$

We finish the proof.

Using Lemma 14, we can estimate \(||\varvec{x}||_{\infty }\) for \(\varvec{x}\hookleftarrow \chi =\lfloor D_{q\cdot \xi }\rceil \). Choosing \(\varvec{t}=(\frac{1}{\sqrt{2}},0,\cdots ,0,\frac{1}{\sqrt{2}})\) and \(\varvec{t}=(\frac{\varvec{i}}{\sqrt{2}},0,\cdots ,0,-\frac{\varvec{i}}{\sqrt{2}})\), where \(\varvec{i}\) is the imaginary unit with \(\varvec{i}^2=-1\) (both have \(||\varvec{t}||=1\), and since the last coordinate of a vector in H is the complex conjugate of the first, \(<\varvec{t},\varvec{x}>\) equals, up to sign, \(\sqrt{2}\mathrm{{Re}}(\sigma _1(\varvec{x}))\) and \(\sqrt{2}\mathrm{{Im}}(\sigma _1(\varvec{x}))\) respectively), we get

$$ \mathrm{{Pr}}_{\varvec{x}\hookleftarrow \chi }(|\mathrm{{Re}}(\sigma _1(\varvec{x}))|>\frac{1}{\sqrt{2}}\omega (\sqrt{n\log n}\cdot \alpha ^2\cdot q^2)\le n^{-\omega {(\sqrt{n\log n}})} $$

and

$$ \mathrm{{Pr}}_{\varvec{x}\hookleftarrow \chi }(|\mathrm{{Im}}(\sigma _1(\varvec{x}))|>\frac{1}{\sqrt{2}}\omega (\sqrt{n\log n}\cdot \alpha ^2\cdot q^2)\le n^{-\omega {(\sqrt{n\log n}})}. $$

Hence, we have \(\mathrm{{Pr}}_{\varvec{x}\hookleftarrow \chi }(|\sigma _1(x)|> \omega (\sqrt{n\log n}\alpha ^2 q^2))\le 2n^{-\omega {(\sqrt{n\log n})}}\). Similarly, one can also prove that \(\mathrm{{Pr}}_{\varvec{x}\hookleftarrow \chi }(|\sigma _j(x)|> \omega (\sqrt{n\log n}\alpha ^2 q^2))\le 2n^{-\omega {(\sqrt{n\log n})}}\) for any \(j=1,2\cdots ,\frac{n}{2}\). Therefore, we conclude that

$$\begin{aligned} \mathrm{{Pr}}_{\varvec{x}\hookleftarrow \chi }(||\sigma (x)||_{\infty }> \omega {(\sqrt{n\log n}\cdot \alpha ^2\cdot q^2}))\le n\cdot n^{-\omega {(\sqrt{n\log n}})}\le n^{-\omega '{(\sqrt{n\log n})}}. \end{aligned}$$
(5)

In order to show that the decryption algorithm recovers the correct message with high probability, we need constants \(C_1\) and \(C_2\) such that \(||x||^c\le C_1||x||\) and \(||x||\le C_2||x||^c\); by (2), we may take \(C_1=\sqrt{\hat{l}}\) and \(C_2=\sqrt{\frac{rad(l)}{l}}\).

Lemma 15

Let \(n\ge 5\), \(q\ge 8n\), \(q=1\bmod l\), \(\sigma \ge \sqrt{\frac{2\ln {(6n)}}{\pi }}\cdot n\cdot q^{\frac{1}{n}}\), \(C_1=\sqrt{\hat{l}}\) and \(C_2=\sqrt{\frac{rad(l)}{l}}\). If \(\omega {(n^{\frac{3}{2}}\sqrt{\log n\log \log n})}\) \(\cdot \alpha ^2\cdot q^2\cdot \sigma \cdot ||p||_{\infty }^2<\frac{q}{2}\), then with probability \(1-n^{-\omega {(\sqrt{n\log n}})}\), the decryption algorithm of NTRUEncrypt recovers m.

Proof

Since \(f\cdot h\cdot s=p\cdot g\cdot s\bmod qR^{\vee }\), we have \(fc=pgs+pfe+fm\bmod qR^{\vee }\) with \(pgs+pfe+fm\in R^{\vee }\). If \(||pgs+pfe+fm||_{\infty }^c<\frac{q}{2}\), then \(pgs+pfe+fm\) is exactly the representative of fc in \(R_q^{\vee }\) (with respect to the decoding basis), and since \(f=1\bmod pR^{\vee }\) gives \(fm=m\bmod pR^{\vee }\), we have \(m=(fc\bmod qR^{\vee }) \bmod pR^{\vee }\). It thus suffices to upper bound the probability that \(||pgs+pfe+fm||_{\infty }^c\ge \frac{q}{2}\).

Note that \(||fc||_{\infty }^c\le ||fc||^c\le C_1||fc||=C_1||pgs+pfe+fm||\le C_1(||pgs||+||pfe||+||fm||)\). By the choice of \(\sigma \) and Lemma 12, with probability greater than \(1-2^{3-n}\), \(||f||\le 2\sqrt{n}\sigma ||p||_{\infty }\) and \(||g||\le \sqrt{n}\sigma \). Hence, combining with (5), we get

$$\begin{aligned} ||pfe||+||pgs||&\le 2\sqrt{n}\sigma ||p||_{\infty }^2\cdot ||e||_{\infty }+\sqrt{n}\sigma ||p||_{\infty }\cdot ||s||_{\infty }\\&\le \omega {(n\sqrt{\log n}\cdot \alpha ^2\cdot q^2)}\sigma ||p||_{\infty }^2 \end{aligned}$$

with probability \(1-n^{-\omega {(\sqrt{n\log n})}}\). Since \(m\in R^{\vee }/(pR^{\vee })\subseteq K\), by reducing modulo the \(p\sigma (\overrightarrow{d}_i)\)'s, we can write m as \(\sum _{i=1}^{n}\varepsilon _ip\sigma (\overrightarrow{d}_i)\) with \(\varepsilon _i\in (-\frac{1}{2},\frac{1}{2}]\). We have

$$ ||m||=||\sum _{i=1}^{n}\varepsilon _ip\sigma (\overrightarrow{d}_i)||\le ||p||_{\infty }||\sum _{i=1}^{n}\varepsilon _i\sigma (\overrightarrow{d}_i)||\le \frac{\sqrt{n}}{2}||p||_{\infty }C_2, $$

where we have used that

$$ ||\sum _{i=1}^n\varepsilon _i\sigma (\overrightarrow{d}_i)||\le C_2\cdot ||\sum _{i=1}^n\varepsilon _i\sigma (\overrightarrow{d}_i)||^c\le C_2\cdot \frac{\sqrt{n}}{2}.$$

So, we have \(||fm||\le ||f||\cdot ||m||\le n\sigma ||p||_{\infty }^2C_2\) with probability \(\ge 1-2^{3-n}\). Therefore, putting these results together, we have

$$\begin{aligned} ||fc||^c_{\infty }&\le C_1(\omega {(n\sqrt{\log n}\cdot \alpha ^2\cdot q^2)}\cdot \sigma \cdot ||p||_{\infty }^2+n\cdot \sigma \cdot ||p||_{\infty }^2\cdot C_2) \\&\le \omega {(n^{\frac{3}{2}}\sqrt{\log n\log \log n}\cdot \alpha ^2\cdot q^2)}\cdot \sigma \cdot ||p||_{\infty }^2 \end{aligned}$$

with probability \(1-n^{-\omega {(\sqrt{n\log n}})}\), where we have used that \(C_2\le 1\) and \(C_1=\sqrt{\hat{l}}=O(\sqrt{n\log \log n})\). This proves the lemma.

Remark 1

We remark that all computations can be carried out in the integral ideal \(I=\hat{l}\cdot R^{\vee }\subseteq R\) by multiplying by the integer \(\hat{l}\) (in this case, the corresponding q is \(\hat{l}\) times larger than the q in Lemma 15). We use \(\hat{a}\) to denote the element of I corresponding to \(a\in R^{\vee }\), i.e. \(\hat{a}=\hat{l}\cdot a\). Since \(f=1\bmod pR^{\vee }\), we have \(\hat{l}\cdot f=\hat{l}\bmod pI\). Therefore, \(\hat{m}=\hat{l}^{-1}(\hat{l}((f\cdot \hat{c}\bmod qI)\bmod pI)\bmod pI)\) with \(\hat{m}\in I/(pI)\), provided that \(gcd(p,\hat{l})=1\). Since the corresponding 'decoding basis' of I is related to the usual power basis of R by an invertible matrix \(M\in \mathbb {Z}^{n\times n}\), this modification may benefit from the fast arithmetic of polynomial rings.

Remark 2

By using the recent hardness results on primal Ring-LWE (i.e. with secret \(s\hookleftarrow U(R_q)\)) proved in [28], we can design NTRUEncrypt directly in R. If we set \(\mathcal {P}=R/pR\) and choose \(s,e\hookleftarrow \lfloor D_{\xi \cdot q}\rceil _{R}\) (the techniques used in [22, Lemma 2.23] can be adapted to R), then the same encryption and decryption procedures still work. In this case, we use the powerful basis of R. Correspondingly, if we set \(\alpha \cdot q=\omega (\sqrt{\log n})\), the magnitudes of \(||s||_{\infty }\) and \(||e||_{\infty }\) are \(\tilde{O}(n)\). Then we can estimate that \(q=\tilde{O}(\sqrt{\frac{rad(l)}{l}}\cdot n^{\frac{3}{2}}\cdot \sigma )\) suffices to decrypt correctly with probability greater than \(1-n^{-\tilde{O}(n)}\). Therefore, we have \(q=\tilde{O}(n^6\cdot \sqrt{\frac{rad(l)}{l}})\in (\tilde{O}(n^5),\tilde{O}(n^{6})]\). But the reduction parameter is only \(\gamma \le \tilde{O}(n^{12.5})\), due to the reduction loss of the primal Ring-LWE problem, see [28]. In this situation we obtain higher efficiency with a weaker hardness guarantee, so an assessment against concrete attacks, as in [8], is needed.

Remark 3

The reason why we constrain our NTRUEncrypt schemes in cyclotomic fields is that we want to use the decoding basis of \(R^{\vee }\). If a general number field has such a good basis, we can also design NTRUEncrypt over general fields by using our techniques, together with the hardness results showed in [27]. More details are discussed in [30].

Remark 4

By using similar techniques, we can also give a module version of NTRUEncrypt. The security reduction of this modified version of NTRUEncrypt can be reduced to the corresponding Module-LWE problems. More details are put in Appendix B.

The security of our scheme follows by an elementary reduction from R-DLWE\(_{q,D_{q\xi }}^{\times }\), exploiting the uniformity of the public key in \(R_q^{\times }\) and the invertibility of \(p\in R_q\). We put the proof in Appendix C.

Lemma 16

Let \(n\ge 5\), \(q\ge 8n\), \(q=1\bmod l\), \(\sigma \ge \sqrt{\ln {(8nq)}}\cdot n^{\frac{3}{2}}\cdot q^{\frac{1}{2}+\varepsilon }\), \(\delta >0\) and \(\varepsilon \in (0,\frac{1}{2})\). If there exists an IND-CPA attack against NTRUEncrypt that runs in time T with advantage \(\delta \), then there exists an algorithm solving R-DLWE\(^{\times }\) with parameters q and \(q\xi \) that runs in time \(T'=T+O(n)\) with advantage \(\delta '=\delta -q^{-\varOmega {(n)}}\).

In summary, we have the following result.

Theorem 4

Let l be a positive integer, \(n=\varphi (l)\ge 5\), \(q\ge 8n\), \(q=1 \bmod l\) be a prime of size poly(n) and \(K=\mathbb {Q}(\zeta _l)\). Assume that \(\alpha \in (0,1)\) satisfies \(\alpha q\ge \omega (\sqrt{\log n})\). Let \(\xi =\alpha \cdot (\frac{nk}{\log {(nk)}})^{\frac{1}{4}}\) with \(k=O(1)\), \(\varepsilon \in (0,\frac{1}{2})\) and \(p\in R_q^{\times }\). Moreover, let \(\sigma \ge n^{\frac{3}{2}}\cdot \sqrt{\ln {(8nq)}}\cdot q^{\frac{1}{2}+\varepsilon }\) and \(\omega {(n^{\frac{3}{2}}\sqrt{\log n\log \log n}\cdot \alpha ^2\cdot q^2)}\cdot \sigma \cdot ||p||_{\infty }^2<q\). Then if there exists an IND-CPA attack against NTRUEncrypt\((n,q, p,\sigma ,\xi )\) that runs in time poly(n) with advantage \(\frac{1}{poly(n)}\), there exists a poly(n)-time algorithm solving Ideal-SIVP\(_{\gamma }\) on any ideal lattice of K with \(\gamma =\tilde{O}(\frac{\sqrt{n}}{\alpha })\). Moreover, the decryption algorithm succeeds in recovering the correct message with probability \(1-n^{-\omega (\sqrt{n\log n})}\) over the choice of the encryption randomness.

To sum up, although the required magnitude of q is still far from practical, the main advantage of our scheme is that it is less dependent on the choice of p and is not restricted to particular cyclotomic fields. Hence, our scheme offers more flexibility in the choice of the plaintext space and removes the dependence on the cyclotomic field, so that more bits can be encrypted in each encryption with higher efficiency and stronger security. Further, our decryption algorithm recovers the correct message with probability \(1-n^{-\omega (\sqrt{n\log n})}\), whereas previous works achieved \(1-n^{-\omega (1)}\). Therefore, we believe our scheme has advantages from a theoretical point of view.