Abstract
NTRU-like cryptosystems are among the most studied lattice-based post-quantum candidates. While most NTRU proposals have been introduced over a commutative ring of quotient polynomials, other rings can be used. Noncommutative algebra was endorsed long ago as a direction for building new variants of NTRU. The first attempt to construct a noncommutative variant was due to Hoffstein and Silverman, motivated by greater resistance to lattice attacks. Their scheme was built over the group ring of a dihedral group. However, its design differed from standard NTRU and was soon found vulnerable to algebraic attacks. In this work, we revive the group ring NTRU over the dihedral group as an instance of the GR-NTRU framework.
Unlike many proposals of noncommutative variants in the literature, our work focuses on putting the scheme into practice. We address every aspect needed to make the scheme implementable: we propose an efficient inversion algorithm in the new setting of the noncommutative ring, describe the decryption failure model, and analyze the lattice associated with our instantiation. Finally, we discuss the best-known attacks against our scheme and provide an implementation targeting the 128-bit, 192-bit, and 256-bit security levels as proof of its practicality.
Notes
1. Starting from \(N=113\), the results are averaged over at least 20 trials only, since the time taken by one trial becomes very high. For \(N=127\) with the DiTRU lattice, we recorded the trials that found the key with \(\beta \le 65\).
2. May [41] proposed an MITM attack on NTRU-type cryptosystems with complexity \(O(|\mathcal {T}|^{0.3})\) (classical). However, it cannot be combined with hybrid attacks; therefore, we do not use it in our cost estimations.
3. In NTRUPrime, the authors conclude that, according to the submission requirements of the NIST standardization process, a cryptosystem achieves the security levels corresponding to AES-128, AES-192, and AES-256 if the classical (pre-quantum) Core-SVP model assigns at least \(2^{125}\), \(2^{181}\), and \(2^{254}\), respectively, to the selected parameter sets.
4. Our implementation is based on the NTRU submissions to the first and third rounds of the NIST competition, with the modifications required for the dihedral group setup.
References
Agrawal, S., Pellet-Mary, A.: Indistinguishability obfuscation without maps: attacks and fixes for noisy linear FE. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 110–140. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_5
Albrecht, M.R., Gheorghiu, V., Postlethwaite, E.W., Schanck, J.M.: Estimating quantum speedups for lattice sieves. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 583–613. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_20
Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: 25th USENIX Security Symposium (USENIX Security 16), pp. 327–343 (2016)
Aono, Y., Wang, Y., Hayashi, T., Takagi, T.: Improved progressive BKZ algorithms and their precise cost estimation by sharp simulator. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 789–819. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_30
Avanzi, R., et al.: CRYSTALS-Kyber algorithm specifications and supporting documentation. NIST PQC Round (2020). https://csrc.nist.gov/Projects/post-quantum-cryptography/post-quantum-cryptography-standardization/round-3-submissions
Bagheri, K., Sadeghi, M.R., Panario, D.: A non-commutative cryptosystem based on quaternion algebras. Des. Codes Cryptogr. 86 (2018). https://doi.org/10.1007/s10623-017-0451-4
Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. In: Proceedings of the Twenty-Seventh Annual ACM-SIAM Symposium on Discrete Algorithms, pp. 10–24. SIAM (2016)
Chen, C., et al.: NTRU: algorithm specifications and supporting documentation. NIST (2020). https://csrc.nist.gov/Projects/post-quantum-cryptography/post-quantum-cryptography-standardization/round-3-submissions
Chen, C., Hoffstein, J., Whyte, W., Zhang, Z.: NIST PQ submission: NTRUEncrypt, a lattice-based encryption algorithm. NIST (2017)
Chen, Y.: Réduction de réseau et sécurité concrète du chiffrement complètement homomorphe. Ph.D. thesis (2013)
Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_1
Coppersmith, D.: Attacking non-commutative NTRU. Technical report, IBM research report, April 1997. Report (2006). https://dominoweb.draco.res.ibm.com/d102d0885e971b558525659300727a26.html
Coppersmith, D., Shamir, A.: Lattice attacks on NTRU. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 52–61. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_5
Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal Gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_3
Ducas, L., van Woerden, W.: NTRU fatigue: how stretched is overstretched? In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13093, pp. 3–32. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92068-5_1
Fincke, U., Pohst, M.: Improved methods for calculating vectors of short length in a lattice, including a complexity analysis. Math. Comput. 44(170), 463–471 (1985)
Fouque, P.A., et al.: FALCON: fast-fourier lattice-based compact signatures over NTRU. Technical report (2018). https://www.di.ens.fr/~prest/Publications/falcon.pdf
Gentry, C.: Key recovery and message attacks on NTRU-composite. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 182–194. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_12
Hirschhorn, P.S., Hoffstein, J., Howgrave-Graham, N., Whyte, W.: Choosing NTRUEncrypt parameters in light of combined lattice reduction and MITM approaches. In: Abdalla, M., Pointcheval, D., Fouque, P.-A., Vergnaud, D. (eds.) ACNS 2009. LNCS, vol. 5536, pp. 437–455. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01957-9_27
Hoffstein, J., Pipher, J., Schanck, J.M., Silverman, J.H., Whyte, W., Zhang, Z.: Choosing parameters for NTRUEncrypt. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 3–18. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-52153-4_1
Hoffstein, J., Pipher, J., Silverman, J.: An Introduction to Mathematical Cryptography, 1st edn. Springer Publishing Company, Incorporated, New York (2008). https://doi.org/10.1007/978-0-387-77993-5
Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054868
Hoffstein, J., Silverman, J.: A non-commutative version of the NTRU public key cryptosystem (1997). Formerly available at http://www.tiac.net/users/ntru/NTRUFTP.html
Hoffstein, J., Silverman, J.H.: A non-commutative version of the NTRU public key cryptosystem. Unpublished manuscript, February 1997
Hoffstein, J., Silverman, J.H., Whyte, W.: Meet-in-the-middle attack on an NTRU private key. Technical report, NTRU Cryptosystems, July 2006
Howgrave-Graham, N.: A hybrid lattice-reduction and meet-in-the-middle attack against NTRU. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 150–169. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_9
Howgrave-Graham, N., Silverman, J.H., Whyte, W.: A meet-in-the-middle attack on an NTRU private key. NTRU Cryptosystems Technical Report #004 (2003). https://www.securityinnovation.com/uploads/Crypto/NTRUTech004v2.pdf
Howgrave-Graham, N., Silverman, J.H., Whyte, W.: Choosing parameter sets for NTRUEncrypt with NAEP and SVES-3. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 118–135. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30574-3_10
Hurley, T.: Group rings and rings of matrices. Int. J. Pure Appl. Math. 31, 319–335 (2006). https://www.researchgate.net/publication/228928727_Group_rings_and_rings_of_matrices
Jarvis, K., Nevins, M.: ETRU: NTRU over the Eisenstein integers. Des. Codes Cryptogr. 74(1), 219–242 (2015). https://doi.org/10.1007/s10623-013-9850-3
Karbasi, A.H., Atani, S.E., Atani, R.E.: PairTRU: pairwise non-commutative extension of the NTRU public key cryptosystem. Int. J. Inf. Secur. Sci. 8, 1–10 (2018)
Kim, J., Lee, C.: A polynomial time algorithm for breaking NTRU encryption with multiple keys. Des. Codes Cryptogr. 1–11 (2023). https://doi.org/10.1007/s10623-023-01233-5
Kirchner, P., Fouque, P.-A.: Revisiting lattice attacks on overstretched NTRU parameters. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 3–26. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_1
Silverman, J.H., Pipher, J., Hoffstein, J.: An Introduction to Mathematical Cryptography. UTM, Springer, New York (2008). https://doi.org/10.1007/978-0-387-77993-5
Kumar, V., Raya, A., Gangopadhyay, S., Gangopadhyay, A.K.: Lattice attack on group ring NTRU: the case of the dihedral group (2023). https://doi.org/10.48550/arXiv.2309.08304
Laarhoven, T.: Search problems in cryptography: from fingerprinting to lattice sieving. Phd thesis, Eindhoven University of Technology (2015). https://research.tue.nl/en/publications/search-problems-in-cryptography-from-fingerprinting-to-lattice-si
Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 515–534 (1982). https://doi.org/10.1007/BF01457454
Ling, C., Mendelsohn, A.: NTRU in quaternion algebras of bounded discriminant. In: Johansson, T., Smith-Tone, D. (eds.) PQCrypto 2023. LNCS, vol. 14154, pp. 256–290. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-40003-2_10
Makhijani, N., Sharma, R., Srivastava, J.: Units in finite dihedral and quaternion group algebras. J. Egypt. Math. Soc. 24(1), 5–7 (2016). https://doi.org/10.1016/j.joems.2014.08.001
Malekian, E., Zakerolhosseini, A., Mashatan, A.: QTRU: a lattice attack resistant version of NTRU PKCS based on quaternion algebra. IACR Cryptology ePrint Archive, Report 2009/386 (2009). https://eprint.iacr.org/2009/386
May, A.: How to meet ternary LWE keys. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12826, pp. 701–731. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84245-1_24
Micciancio, D., Walter, M.: Fast lattice point enumeration with minimal overhead. In: Proceedings of the Twenty-Sixth Annual ACM-SIAM Symposium on Discrete Algorithms, pp. 276–294. SIAM (2014)
Miyata, T.: On the units of the integral group ring of a dihedral group. J. Math. Soc. Jpn. 32(4) (1980)
Peikert, C.: A decade of lattice cryptography. Found. Trends Theor. Comput. Sci. 10(4), 283–424 (2016)
Schnorr, C.P.: A hierarchy of polynomial time lattice basis reduction algorithms. Theor. Comput. Sci. 53(2–3), 201–224 (1987). https://doi.org/10.1016/0304-3975(87)90064-8
Silverman, J.H.: Almost inverses and fast NTRU key creation. NTRU Cryptosystems Technical Report #14 (1999)
Singh, S., Padhye, S.: Cryptanalysis of NTRU with n public keys. In: 2017 ISEA Asia Security and Privacy (ISEASP), pp. 1–6 (2017). https://doi.org/10.1109/ISEASP.2017.7976980
The FPLLL development team: FPLLL, a lattice reduction library, version 5.4.4 (2023). https://github.com/fplll/fplll
The FPLLL development team: FPYLLL, a Python wrapper for the fplll lattice reduction library, version 0.5.9 (2023). https://github.com/fplll/fpylll
Truman, K.R.: Analysis and Extension of Non-Commutative NTRU. PhD dissertation, University of Maryland (2007). https://drum.lib.umd.edu/handle/1903/7344
van Hoof, I., Kirshanova, E., May, A.: Quantum key search for ternary LWE. In: Cheon, J.H., Tillich, J.-P. (eds.) PQCrypto 2021. LNCS, vol. 12841, pp. 117–132. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-81293-5_7
Vats, N.: NNRU, a noncommutative analogue of NTRU (2009). https://arxiv.org/abs/0902.1891
Working Group of the C/MM Committee and others: IEEE P1363.1 Standard Specification for Public-Key Cryptographic Techniques Based on Hard Problems over Lattices (2009)
Yasuda, T., Dahan, X., Sakurai, K.: Characterizing NTRU-variants using group ring and evaluating their lattice security. IACR Cryptology ePrint Archive, Report 2015/1170 (2015). http://eprint.iacr.org/2015/1170
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Raya, A., Kumar, V., Gangopadhyay, S. (2024). DiTRU: A Resurrection of NTRU over Dihedral Group. In: Vaudenay, S., Petit, C. (eds) Progress in Cryptology - AFRICACRYPT 2024. AFRICACRYPT 2024. Lecture Notes in Computer Science, vol 14861. Springer, Cham. https://doi.org/10.1007/978-3-031-64381-1_16
DOI: https://doi.org/10.1007/978-3-031-64381-1_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-64380-4
Online ISBN: 978-3-031-64381-1
eBook Packages: Computer Science (R0)