
A Thorough Treatment of Highly-Efficient NTRU Instantiations

Conference paper. In: Public-Key Cryptography – PKC 2023 (PKC 2023)

Abstract

Cryptography based on the hardness of lattice problems over polynomial rings currently provides the most practical solution for public key encryption in the quantum era. Indeed, three of the four schemes chosen by NIST in the recently-concluded post-quantum standardization effort for encryption and signature schemes are based on the hardness of these problems. While the first encryption scheme utilizing properties of polynomial rings was NTRU (ANTS ’98), the scheme that NIST chose for public key encryption (CRYSTALS-Kyber) is based on the hardness of the somewhat-related Module-LWE problem. One of the reasons for Kyber’s selection was the fact that it is noticeably faster than NTRU and a little more compact. And indeed, the practical NTRU encryption schemes in the literature generally lag their Ring/Module-LWE counterparts in either compactness or speed, or both.

In this paper, we put the efficiency of NTRU-based schemes on equal (even slightly better, actually) footing with their Ring/Module-LWE counterparts. We provide several instantiations and transformations, with security given in the ROM and the QROM, that are on par, compactness-wise, with their counterparts based on Ring/Module-LWE. Performance-wise, the NTRU schemes instantiated in this paper over NTT-friendly rings of the form \(\mathbb {Z}_q[X]/(X^d-X^{d/2}+1)\) are the fastest of all public key encryption schemes, whether quantum-safe or not. When compared to the NIST finalist NTRU-HRSS-701, our scheme is \(15\%\) more compact and has a 15X improvement in the round-trip time of ephemeral key exchange, with key generation being 35X faster, encapsulation being 6X faster, and decapsulation enjoying a 9X speedup.


Notes

  1. The schemes [5, 10] can be made even more efficient by eliminating an unnecessary input to the random oracle (see [17]) which did not exist in [21].

  2. The polynomial f(X) is therefore the 3d-th cyclotomic polynomial.

  3. As a sanity check, one can see that the attack in [18] does not work because it is impossible for a polynomial f(X) that’s irreducible over the integers to split modulo q into polynomials of large degree (e.g. d/2) whose coefficients are small. For example, it’s trivial to see that \(X^d+1\) cannot have factors \(X^{d/2}\pm \beta \) with \(\beta <\sqrt{q}\). For a more general result, one needs a little algebraic number theory (e.g. implicit in the proof of [27, Lemma 3.1] is that any factor of degree d/k of \(X^d+1\) has \(\ell _2\)-norm at least \(p^{1/k}\), and this result extends in a similar way to other polynomials).

  4. Say that \(\textsf{PKE}\) has message space \(\mathcal {M}= \mathcal {M}_1 \times \mathcal {M}_2\), and say that \(\textsf{PKE}\)’s encryptions of messages \(M_1 || M_2\) leak \(M_1\) and the first bit of \(M_2\). When instantiated with the classical one-time-pad, \(\textsf{ACWC}\) encrypts a message m by sampling a message \(M_1 \leftarrow \mathcal {M}_1\) and encrypting \(M_1 ||m \oplus \textsf{F}(M_1)\), thereby leaking the first bit of m.

  5. In \({{q}\mathsf {\text {-}OW\text {-}CPA}}\) security the adversary is given an encryption of a random plaintext and wins if it returns a set of cardinality at most q containing the plaintext. For \(q=1\) this is \(\mathsf {OW\text {-}CPA}\) security.

  6. In cases where the support of \(\psi _{\mathcal {M}_1}\) is some finite set R, it may sometimes be convenient to upper bound \(\Vert \psi _{\mathcal {M}_1}\Vert \) by \(\Vert \psi _{\mathcal {M}_1}\Vert _\infty \cdot \sqrt{|R|}\), where \(\Vert \psi _{\mathcal {M}_1}\Vert _\infty \) is the maximum probability of any element in R.

  7. This was verified experimentally by fixing the \(a,a'\) in (8) to all valid values and computing the probability of failure assuming that all the secret keys have this value.
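As an added illustration of the rings \(\mathbb {Z}_q[X]/(X^d-X^{d/2}+1)\) named in the abstract and of footnote 2 (example code written for this page, not the paper's or any NTRU implementation's code), the following Python checks two things. First, over the integers, that \(X^d-X^{d/2}+1\) is the 3d-th cyclotomic polynomial for \(d=2^k\) and \(d=3\cdot 2^k\), using the standard recurrence \(\Phi_{mp}(X)=\Phi_m(X^p)\) if \(p\mid m\) and \(\Phi_m(X^p)/\Phi_m(X)\) otherwise. Second, modulo a prime q with \(d\mid q-1\) and \(3\mid d\), that the same polynomial splits into \(\varphi(d)\) cubic factors \(X^3-r\), r ranging over the primitive d-th roots of unity in \(\mathbb {Z}_q\), which is the splitting an NTT over such a ring exploits. The parameters d = 768, q = 7681 are test values chosen so that d divides q-1 (they are also the NTTRU parameters of [26]); all other names and helpers are constructed here.

```python
"""Sanity checks on Z_q[X]/(X^d - X^{d/2} + 1); added example, not from the paper.
Polynomials are coefficient lists/tuples, index i <-> coefficient of X^i."""
from functools import lru_cache
from math import gcd


def poly_mul(a, b, q=None):
    """Schoolbook product, reduced mod q when q is given."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                out[i + j] += ai * bj
    return [c % q for c in out] if q is not None else out


def poly_div_exact(num, den):
    """Quotient of integer polynomials, den monic; asserts the remainder is zero."""
    num = list(num)
    dn = len(den) - 1
    assert den[dn] == 1, "divisor must be monic"
    quot = [0] * (len(num) - dn)
    for i in range(len(num) - 1, dn - 1, -1):
        c = num[i]
        if c:
            quot[i - dn] = c
            for j in range(dn + 1):
                num[i - dn + j] -= c * den[j]
    assert not any(num), "division was not exact"
    return quot


def smallest_prime_factor(n):
    p = 2
    while p * p <= n:
        if n % p == 0:
            return p
        p += 1
    return n


@lru_cache(maxsize=None)
def cyclotomic(n):
    """Phi_n(X) via Phi_{mp}(X) = Phi_m(X^p) if p | m, else Phi_m(X^p) / Phi_m(X)."""
    if n == 1:
        return (-1, 1)                                # X - 1
    p = smallest_prime_factor(n)
    m = n // p
    phi_m = cyclotomic(m)
    lifted = [0] * (p * (len(phi_m) - 1) + 1)         # Phi_m(X^p)
    for i, c in enumerate(phi_m):
        lifted[p * i] = c
    return tuple(lifted) if m % p == 0 else tuple(poly_div_exact(lifted, list(phi_m)))


def ntru_modulus(d):
    """X^d - X^{d/2} + 1 as a coefficient list (d even)."""
    f = [0] * (d + 1)
    f[0], f[d // 2], f[d] = 1, -1, 1
    return f


def is_cyclotomic_3d(d):
    """True iff X^d - X^{d/2} + 1 equals Phi_{3d}(X) over the integers (footnote 2)."""
    return tuple(ntru_modulus(d)) == cyclotomic(3 * d)


def primitive_root(q):
    """A generator of Z_q^* for prime q, found by trial-division factoring of q-1."""
    n, ps = q - 1, []
    while n > 1:
        p = smallest_prime_factor(n)
        ps.append(p)
        while n % p == 0:
            n //= p
    return next(g for g in range(2, q) if all(pow(g, (q - 1) // p, q) != 1 for p in ps))


def cubic_factors(d, q):
    """The factors X^3 - r of X^d - X^{d/2} + 1 mod q, r over the primitive d-th roots
    of unity; None when d does not divide q-1 (no such roots in Z_q) or 3 does not divide d."""
    if (q - 1) % d != 0 or d % 3 != 0:
        return None
    zeta = pow(primitive_root(q), (q - 1) // d, q)  # element of order exactly d
    roots = [pow(zeta, i, q) for i in range(d) if gcd(i, d) == 1]
    return [[(-r) % q, 0, 0, 1] for r in roots]      # X^3 - r


def splits_into_cubics(d, q):
    """Multiply the cubics back together and compare with X^d - X^{d/2} + 1 mod q."""
    factors = cubic_factors(d, q)
    if factors is None:
        return False
    prod = [1]
    for f in factors:
        prod = poly_mul(prod, f, q)
    return prod == [c % q for c in ntru_modulus(d)]


if __name__ == "__main__":
    for d in (2, 4, 8, 256, 768):
        print(f"X^{d} - X^{d // 2} + 1 == Phi_{3 * d}(X): {is_cyclotomic_3d(d)}")
    print("d=768, q=7681 splits into 256 cubics:", splits_into_cubics(768, 7681))
    print("d=12, q=7 (12 does not divide 6):", splits_into_cubics(12, 7))
```

The cubic split only needs \(d\mid q-1\), not \(3d\mid q-1\): the roots of each \(X^3-r\) live in an extension field, but their product over all primitive d-th roots r is a degree-d polynomial whose roots are exactly the primitive 3d-th roots of unity, hence \(\Phi_{3d}\) mod q. With \(d=2^k\) (no factor 3) the degrees do not match and `cubic_factors` returns None.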

References

  1. Albrecht, M., Bai, S., Ducas, L.: A subfield lattice attack on overstretched NTRU assumptions. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 153–178. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_6

  2. Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of Learning with Errors. J. Math. Cryptol. 9(3), 169–203 (2015)

  3. Alkim, E., et al.: Post-quantum key exchange - a new hope. In: USENIX Security Symposium. USENIX Association, pp. 327–343 (2016)

  4. Ambainis, A., Hamburg, M., Unruh, D.: Quantum security proofs using semi-classical oracles. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 269–295. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_10

  5. Bos, J.W., et al.: CRYSTALS - Kyber: a CCA-secure module-lattice-based KEM. In: EuroS&P, pp. 353–367. IEEE (2018)

  6. Boudgoust, K., Jeudy, C., Roux-Langlois, A., Wen, W.: On the hardness of module-LWE with binary secret. In: Paterson, K.G. (ed.) CT-RSA 2021. LNCS, vol. 12704, pp. 503–526. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-75539-3_21

  7. Brakerski, Z., et al.: Classical hardness of learning with errors. In: STOC, pp. 575–584 (2013)

  8. Cheon, J.H., Jeong, J., Lee, C.: An algorithm for NTRU problems and cryptanalysis of the GGH multilinear map without a low-level encoding of zero. LMS J. Comput. Math. 19(A), 255–266 (2016)

  9. Chung, C.M., et al.: NTT multiplication for NTT-unfriendly rings: new speed records for Saber and NTRU on Cortex-M4 and AVX2. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2021(2), 159–188 (2021)

  10. D’Anvers, J.-P., Karmakar, A., Sinha Roy, S., Vercauteren, F.: Saber: module-LWR based key exchange, CPA-secure encryption and CCA-secure KEM. In: Joux, A., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2018. LNCS, vol. 10831, pp. 282–305. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-89339-6_16

  11. Don, J., Fehr, S., Majenz, C.: The measure-and-reprogram technique 2.0: multi-round Fiat-Shamir and more. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 602–631. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_21

  12. Don, J., et al.: Online-extractability in the quantum random-oracle model. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022. LNCS, vol. 13277, pp. 677–706. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-07082-2_24

  13. Don, J., Fehr, S., Majenz, C., Schaffner, C.: Security of the Fiat-Shamir transformation in the quantum random-oracle model. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 356–383. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_13

  14. Ducas, L.: Shortest vector from lattice sieving: a few dimensions for free. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 125–145. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_5

  15. Ducas, L., van Woerden, W.: NTRU fatigue: how stretched is overstretched? In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13093, pp. 3–32. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92068-5_1

  16. Duman, J., et al.: A thorough treatment of highly-efficient NTRU instantiations. In: Cryptology ePrint Archive (2021)

  17. Duman, J., et al.: Faster lattice-based KEMs via a generic Fujisaki-Okamoto transform using prefix hashing. In: CCS (2021)

  18. Gentry, C.: Key recovery and message attacks on NTRU-composite. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 182–194. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_12

  19. Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: ANTS, pp. 267–288 (1998)

  20. Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: TCC, pp. 341–371 (2017)

  21. Hülsing, A., Rijneveld, J., Schanck, J., Schwabe, P.: High-speed key encapsulation from NTRU. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 232–252. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_12

  22. Kirchner, P., Fouque, P.-A.: Revisiting lattice attacks on overstretched NTRU parameters. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 3–26. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_1

  23. Langlois, A., Stehlé, D.: Worst-case to average-case reductions for module lattices. Des. Codes Cryptography 75(3), 565–599 (2015)

  24. Lyubashevsky, V., Micciancio, D.: Generalized compact knapsacks are collision resistant. In: ICALP (2), pp. 144–155 (2006)

  25. Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1

  26. Lyubashevsky, V., Seiler, G.: NTTRU: truly fast NTRU using NTT. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2019(3), 180–201 (2019)

  27. Lyubashevsky, V., Seiler, G.: Short, invertible elements in partially splitting cyclotomic rings and applications to lattice-based zero-knowledge proofs. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 204–224. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_8

  28. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6) (2009)

  29. Stehlé, D., Steinfeld, R.: Making NTRU as secure as worst-case problems over ideal lattices. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 27–47. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_4

  30. Stehlé, D., Steinfeld, R., Tanaka, K., Xagawa, K.: Efficient public key encryption based on ideal lattices. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 617–635. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_36

  31. Unruh, D.: Revocable quantum timed-release encryption. J. ACM 62(6), 49:1–49:76 (2015)


Acknowledgements

The work of Julien Duman was supported by the German Federal Ministry of Education and Research (BMBF) in the course of the 6GEM Research Hub under Grant 16KISK037. Eike Kiltz was supported by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) as part of the Excellence Strategy of the German Federal and State Governments - EXC 2092 CASA - 390781972, and by the European Union (ERC AdG REWORC - 101054911). Dominique Unruh was supported by the ERC consolidator grant CerQuS (819317), by the Estonian Centre of Excellence in IT (EXCITE) funded by ERDF, and by PUT team grant PRG946 from the Estonian Research Council. Vadim Lyubashevsky and Gregor Seiler were supported by the ERC Consolidator grant PLAZA (101002845).

Author information

Corresponding author: Eike Kiltz


Copyright information

© 2023 International Association for Cryptologic Research

About this paper


Cite this paper

Duman, J., Hövelmanns, K., Kiltz, E., Lyubashevsky, V., Seiler, G., Unruh, D. (2023). A Thorough Treatment of Highly-Efficient NTRU Instantiations. In: Boldyreva, A., Kolesnikov, V. (eds) Public-Key Cryptography – PKC 2023. PKC 2023. Lecture Notes in Computer Science, vol 13940. Springer, Cham. https://doi.org/10.1007/978-3-031-31368-4_3

  • DOI: https://doi.org/10.1007/978-3-031-31368-4_3

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-31367-7

  • Online ISBN: 978-3-031-31368-4

  • eBook Packages: Computer Science (R0)