Abstract
NTRU-like schemes are among the most studied lattice-based cryptosystems. Since the first scheme was introduced, many variants of NTRU have been developed in the literature. These variants involve a high degree of freedom in designing the cryptosystem aspects, from sampling the polynomials (representing the private key) to the underlying ring used to build the structure. As a generalization of NTRU, Group-ring NTRU describes how to create different variants of NTRU by employing other groups. While most designs in literature are built over a commutative group-ring, a non-commutative group can also be used. Some groups can result in more efficient implementations or better resistance against some attacks. However, introducing new groups triggers fundamental questions related to the key space, encryption, decryption failures, and correctness of the new scheme. This paper uses the non-commutative dihedral group to explore the key space for a group-ring NTRU. Our work investigates whether elements sampled according to specific properties in the reference NTRU implementations can still be used as a key space in the case of the dihedral group. We show that the key space is suitable for building a non-commutative group-ring NTRU based on the dihedral group. Experimental results are provided for polynomials with different properties and compared to the results of reference implementations of NTRU over well-defined parameter sets.
Notes
1. The security of the parameter sets of NTRU-HPS has been evaluated according to two models (a local and a non-local model): under the local model the parameters achieve security levels 1, 3 and 5, while under the non-local model they achieve lower levels of security.
2. The parameter set of NTRU-HRSS matches security level 3 under the local model and level 1 under the non-local model.
3. The order of the dihedral group \(D_N\) is 2N; therefore, the number of coefficients in a sampled element of \(\mathcal {R}_{(q, D_N)}\) is 2N.
4. The horizontal axis refers to the tested pairs of values (q, N), denoted q_N. We ran the code using SageMath in a Jupyter Notebook on a machine powered by an Intel(R) Core(TM) i7-7700 CPU @ 3.60 GHz running Windows 10 Pro.
Appendix
Faster Computation of Inverses in \(R{\mathcal G}={\mathcal R}_{(q,D_N)}\) when q is Odd
Let \(\alpha \in {\mathcal R}_{(q,D_N)}\) be a unit, where q is odd. Let \({\mathcal M}_{R{\mathcal G}}(\alpha ) = \begin{pmatrix} F & G \\ G & F \end{pmatrix}\) and \({\mathcal M}_{R{\mathcal G}}(\alpha ^{-1}) = \begin{pmatrix} A & B \\ B & A \end{pmatrix}\) be two matrices of dimension \(2N \times 2N\). We know that \({\mathcal M}_{R{\mathcal G}}(\alpha ^{-1}) = {\mathcal M}_{R{\mathcal G}}(\alpha )^{-1}\), i.e., \( \begin{pmatrix} A & B \\ B & A \end{pmatrix} = \begin{pmatrix} F & G \\ G & F \end{pmatrix}^{-1}. \) Conjugating both sides by \(\mathcal {I}=\begin{pmatrix} I_N & I_N \\ I_N & -I_N \end{pmatrix}\) gives
When q is odd, 2 is a unit in the ring \({\mathbb Z}_q\). Therefore, we get
Finally, the first row of the matrix \({\mathcal M}_{R{\mathcal G}}(\alpha ^{-1})\) consists precisely of the coefficients of \(\alpha ^{-1}\). This method speeds up the computation of inverses in \(\mathcal {R}_{(q,D_N)}\) for odd q, since we only need to invert the two \(N \times N\) matrices \(F+G\) and \(F-G\) instead of one \(2N \times 2N\) matrix. Figure 2 shows the time needed to find inverses using conventional matrix inversion versus this second approach, which finds the inverse faster for odd values of q. The second method gives noticeably better results for larger values of q and N (see Note 4).
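The following Python code is an added worked example of the appendix's inversion method; it is not code from the paper or its authors. It assumes the block form \(\begin{pmatrix} F & G \\ G & F \end{pmatrix}\) of the page with F taken as the circulant matrix of the rotation coefficients and G as the reverse-circulant matrix of the reflection coefficients (an assumed group-ring matrix representation, entry (i, j) holding the coefficient of \(g_i^{-1} g_j\)); the toy instance N = 3, q = 7, \(\alpha = 1 + r + s(1 + r + r^2)\) is constructed here, not one of the paper's parameter sets, and q is chosen prime so that Gauss-Jordan elimination mod q always has unit pivots (the appendix itself only needs q odd). The code computes A and B from \((F+G)^{-1}\) and \((F-G)^{-1}\) and checks the result against a direct \(2N \times 2N\) inversion.

```python
# Added example (not from the paper): the appendix's faster inverse in R_(q,D_N)
# via two N x N inversions instead of one 2N x 2N inversion, checked against the
# direct inversion. Pure integer arithmetic mod q; parameters are constructed toys.
import math
from typing import List, Optional, Tuple

Matrix = List[List[int]]


def circulant(f: List[int], q: int) -> Matrix:
    # Block F: entry (i, j) = f[(j - i) mod N]  (assumed representation, see lead-in)
    n = len(f)
    return [[f[(j - i) % n] % q for j in range(n)] for i in range(n)]


def reverse_circulant(g: List[int], q: int) -> Matrix:
    # Block G: entry (i, j) = g[(i + j) mod N]  (assumed representation, see lead-in)
    n = len(g)
    return [[g[(i + j) % n] % q for j in range(n)] for i in range(n)]


def block(F: Matrix, G: Matrix) -> Matrix:
    # The 2N x 2N matrix [[F, G], [G, F]] used in the appendix
    return [rf + rg for rf, rg in zip(F, G)] + [rg + rf for rf, rg in zip(F, G)]


def add(X, Y, q): return [[(a + b) % q for a, b in zip(r, s)] for r, s in zip(X, Y)]
def sub(X, Y, q): return [[(a - b) % q for a, b in zip(r, s)] for r, s in zip(X, Y)]
def scale(X, c, q): return [[(a * c) % q for a in r] for r in X]


def mul(X: Matrix, Y: Matrix, q: int) -> Matrix:
    cols = list(zip(*Y))
    return [[sum(a * b for a, b in zip(r, c)) % q for c in cols] for r in X]


def identity(n: int) -> Matrix:
    return [[int(i == j) for j in range(n)] for i in range(n)]


def inv(X: Matrix, q: int) -> Optional[Matrix]:
    """Gauss-Jordan inverse over Z_q. Each pivot must be a unit mod q; for an
    invertible matrix such a pivot always exists when q is prime (the case used
    here). Returns None when no unit pivot can be found."""
    n = len(X)
    aug = [row[:] + identity(n)[i] for i, row in enumerate(X)]
    for col in range(n):
        piv = next((r for r in range(col, n) if math.gcd(aug[r][col], q) == 1), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        pinv = pow(aug[col][col], -1, q)
        aug[col] = [(v * pinv) % q for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(a - f * b) % q for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def fast_inverse(F: Matrix, G: Matrix, q: int) -> Optional[Tuple[Matrix, Matrix]]:
    """Appendix method. Conjugating [[F,G],[G,F]] by [[I,I],[I,-I]] yields
    diag(F+G, F-G), so the inverse's blocks satisfy A+B = (F+G)^-1 and
    A-B = (F-G)^-1. Because q is odd, 2 is a unit mod q and A, B follow."""
    if q % 2 == 0:
        raise ValueError("the method needs odd q (2 must be a unit mod q)")
    P = inv(add(F, G, q), q)      # (F+G)^-1
    M = inv(sub(F, G, q), q)      # (F-G)^-1
    if P is None or M is None:
        return None
    half = pow(2, -1, q)
    return scale(add(P, M, q), half, q), scale(sub(P, M, q), half, q)


def inverse_coeffs(f, g, q):
    """Coefficients of alpha^-1: first row of A (rotation part) and of B (reflection part)."""
    res = fast_inverse(circulant(f, q), reverse_circulant(g, q), q)
    if res is None:
        return None
    A, B = res
    return A[0], B[0]


def check(f, g, q) -> bool:
    """The fast inverse agrees with the direct 2N x 2N inversion and really inverts M(alpha)."""
    F, G = circulant(f, q), reverse_circulant(g, q)
    res = fast_inverse(F, G, q)
    direct = inv(block(F, G), q)
    if res is None or direct is None:
        return False
    Minv = block(*res)
    return Minv == direct and mul(block(F, G), Minv, q) == identity(2 * len(f))


if __name__ == "__main__":
    # Constructed toy instance: N = 3, q = 7, alpha = 1 + r + s(1 + r + r^2)
    print(inverse_coeffs([1, 1, 0], [1, 1, 1], 7))   # ([3, 2, 3], [3, 3, 3])
    print(check([1, 1, 0], [1, 1, 1], 7))            # True
```

The returned pair ([3, 2, 3], [3, 3, 3]) can be confirmed by hand in the group ring: with e = 1 + r + r², the element 3e - r + 3se multiplied by 1 + r + se reduces to e - r - r² = 1 modulo 7. For composite odd q, `inv` can fail to find a unit pivot even for an invertible matrix, so a production implementation would need a different elimination strategy there; the block decomposition itself only needs 2 to be invertible mod q.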
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Raya, A., Kumar, V., Gangopadhyay, S., Gangopadhyay, A.K. (2024). Results on the Key Space of Group-Ring NTRU: The Case of the Dihedral Group. In: Regazzoni, F., Mazumdar, B., Parameswaran, S. (eds) Security, Privacy, and Applied Cryptography Engineering. SPACE 2023. Lecture Notes in Computer Science, vol 14412. Springer, Cham. https://doi.org/10.1007/978-3-031-51583-5_1
DOI: https://doi.org/10.1007/978-3-031-51583-5_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-51582-8
Online ISBN: 978-3-031-51583-5
eBook Packages: Computer Science, Computer Science (R0)