Results on the Key Space of Group-Ring NTRU: The Case of the Dihedral Group

Abstract

NTRU-like schemes are among the most studied lattice-based cryptosystems. Since the first scheme was introduced, many variants of NTRU have been developed in the literature. These variants involve a high degree of freedom in designing the cryptosystem aspects, from sampling the polynomials (representing the private key) to the underlying ring used to build the structure. As a generalization of NTRU, Group-ring NTRU describes how to create different variants of NTRU by employing other groups. While most designs in literature are built over a commutative group-ring, a non-commutative group can also be used. Some groups can result in more efficient implementations or better resistance against some attacks. However, introducing new groups triggers fundamental questions related to the key space, encryption, decryption failures, and correctness of the new scheme. This paper uses the non-commutative dihedral group to explore the key space for a group-ring NTRU. Our work investigates whether elements sampled according to specific properties in the reference NTRU implementations can still be used as a key space in the case of the dihedral group. We show that the key space is suitable for building a non-commutative group-ring NTRU based on the dihedral group. Experimental results are provided for polynomials with different properties and compared to the results of reference implementations of NTRU over well-defined parameter sets.

Appendix

Faster Computation of Inverses in \(R{\mathcal G}={\mathcal R}_{(q,D_N)}\) when q is Odd

Let \(\alpha \in {\mathcal R}_{(q,D_N)}\) be an unit, where q is odd. Let \({\mathcal M}_{R{\mathcal G}}(\alpha ) = \begin{pmatrix} F &{} G \\ G &{} F \end{pmatrix}\), and \({\mathcal M}_{R{\mathcal G}}(\alpha ^{-1}) = \begin{pmatrix} A &{} B \\ B &{} A \end{pmatrix}\), two matrices of dimension \(2N \times 2N\). We know that, \({\mathcal M}_{R{\mathcal G}}(\alpha ^{-1}) = {\mathcal M}_{R{\mathcal G}}(\alpha )^{-1}\), i.e., \( \begin{pmatrix} A &{} B \\ B &{} A \end{pmatrix} = \begin{pmatrix} F &{} G \\ G &{} F \end{pmatrix}^{-1}. \) Conjugating both sides by \(\mathcal {I}=\begin{pmatrix} I_N &{} I_N \\ I_N &{} -I_N \end{pmatrix}\) gives

$$\begin{aligned} \mathcal {I}\begin{pmatrix} A &{} B \\ B &{} A \end{pmatrix}\mathcal {I}^{-1} &= \mathcal {I}\begin{pmatrix} F &{} G \\ G &{} F \end{pmatrix}^{-1}\mathcal {I}^{-1}\\ \begin{pmatrix} A+B &{} \textbf{0}_N \\ \textbf{0}_N &{} A-B \end{pmatrix} &= \left( \mathcal {I}\begin{pmatrix} F &{} G \\ G &{} F \end{pmatrix}\mathcal {I}^{-1}\right) ^{-1}\\ \begin{pmatrix} A+B &{} \textbf{0}_N \\ \textbf{0}_N &{} A-B \end{pmatrix} &= \begin{pmatrix} (F+G)^{-1} &{} \textbf{0}_N \\ \textbf{0}_N &{} (F-G)^{-1} \end{pmatrix} \end{aligned}$$

When q is odd, 2 is a unit in the ring \({\mathbb Z}_q\). Therefore, we get

$$\begin{aligned} A = \frac{(F+G)^{-1}+(F-G)^{-1}}{2}~~~~ \text {and}~~~~ B = \frac{(F+G)^{-1}-(F-G)^{-1}}{2} \end{aligned}$$

Finally, the first row of the matrix \({\mathcal M}_{R{\mathcal G}}(\alpha ^{-1})\) is precisely the coefficients of \(\alpha ^{-1}.\) This method will help in faster computations of inverses in \(\mathcal {R}_{(q,D_N)}\) for odd q as we need to invert two \(N \times N\) matrices \((F+G), (F-G)\) instead of big matrix of \(2N \times 2N\). Figure 2 refers to the time needed to find inverses using the conventional matrix inversion versus the second approach that can find the inverse faster for odd values of q. We can see that the second method gives noticeable better results for larger values of q, N⁴.

Fig. 2.

Matrix approach vs. faster approach of finding inverses for odd values of q.