
Information Sciences

Volume 438, April 2018, Pages 15-31

D-NTRU: More efficient and average-case IND-CPA secure NTRU variant

https://doi.org/10.1016/j.ins.2018.01.037

Abstract

NTRU is a fast public key cryptosystem that remains unbroken. However, no worst-case-to-average-case reduction is known for the original NTRU cryptosystem. Several provably secure NTRU modifications such as NAEP, pNE and NTRUCCA have been proposed in the literature, at the cost of slower encryption/decryption and a larger ciphertext expansion. NAEP achieves IND-CCA security for the original NTRU under the average-case NTRU one-wayness intractability assumption. Both pNE and NTRUCCA obtain their provable security goals under worst-case lattice assumptions. In this paper, a general framework for NTRU is considered, and a new PKC called D-NTRU is proposed. It is shown that the D-NTRU cryptosystem reduces the ciphertext expansion of the NTRU algorithm, and that the encryption and decryption algorithms of D-NTRU are even asymptotically faster than those of NTRU, at the cost of only slightly enlarged secret and public keys. The security of D-NTRU is proven in the standard model under the average-case NTRU one-wayness assumption. The proof of the IND-CPA security of D-NTRU is completed by introducing another NTRU variant, called C-NTRU, as a bridge, defining several problems, and then proving the equivalence of these problems. The proposed D-NTRU algorithm is therefore more advantageous than the original NTRU algorithm, and much more efficient than all the provably secure variants of NTRU.

Introduction

The public key cryptosystem (PKC) is undoubtedly one of the most important cryptographic tools in network and information security engineering. Tremendous efforts have been made in the public key cryptographic literature to realize efficient and practical PKCs [26]. Amongst these proposals, factorization-based and discrete-logarithm-based PKCs such as RSA and ECC are probably the most widely used public key encryption schemes. In general settings, RSA and ECC only achieve cubic complexity in both encryption and decryption, because of the expensive modular exponentiation and modular inverse operations, respectively. Since security is also demanded in resource-constrained environments such as RFID, wireless sensor networks and ad hoc networks, more efficient PKCs need to be developed.

The NTRU PKC was published in 1998 [15] and was shown to be much more efficient than the traditional PKCs RSA and ECC in terms of key generation, encryption and decryption. NTRU is therefore better suited to resource-constrained environments including ad hoc networks, RFID, smart cards and some embedded systems [2]. Improvements to the original NTRU PKC were made to further increase its encryption/decryption speed and reduce its key sizes [22]. Coppersmith and Shamir found a lattice attack on the NTRU PKC in 1997 [6], so NTRU is also regarded as a lattice-based PKC [17], [34]. Unlike other lattice-based PKCs, NTRU uses an ideal lattice as its platform, which allows a compact representation of the underlying algebraic structure. This algebraic structure has also informed several other lattice-based cryptographic designs [8], [12], [13], [28], [30], [35], [40]. Though very attractive because of its speed advantages over other PKCs, NTRU has two drawbacks.

  • No provable security goals: The original NTRU algorithm has only heuristic security arguments. No serious security flaws have been found despite the many cryptanalytic attacks [1], [5], [6], [7], [10], [11], [18], [19], [23], [24], [27], [31], [32], [33] mounted against the NTRU PKC. However, provable security is a standard requirement for a PKC used in practice, and it provides more convincing security claims. In particular, some lattice-based PKCs offer a very strong security argument by establishing an equivalence between the average case and the worst case of the underlying hard mathematical problem [37], [38], [39].

  • High ciphertext expansion: A large ciphertext expansion increases the communication bandwidth requirement. For example, the ciphertext expansions of RSA and ECC are 1:1 and 2:1, respectively. The ciphertext expansion of NTRU is $\log_p q : 1$. Under the parameters (p, q) = (3, 256) and (3, 512), the ciphertext expansion of NTRU is 5.047:1 and 5.678:1, respectively.

To resolve the provable security issue of NTRU PKC, several PKCs based on NTRU were proposed in the literature [3], [20], [21], [37], [38], [39], [41], amongst which the famous ones are NAEP [20], [21], pNE [37], [38] and NTRUCCA [39].

  • NAEP [20], [21]: NAEP was proven IND-CCA secure in the random oracle model under several cryptographic assumptions including the average-case NTRU one-wayness assumption, even in the presence of decryption failures [19], [33]. However, NAEP adds computation on top of NTRU and shortens the plaintext. NAEP therefore heavily compromises the efficiency of NTRU in both encryption and decryption, and further enlarges the ciphertext expansion of NTRU.

  • pNE [37], [38]: The pNE PKC is proven IND-CPA secure in the standard model under standard worst-case problems over ideal lattices. However, to maintain the provable worst-case security, pNE requires the public and secret key sizes to grow quadratically with the security parameter, which slows down both encryption and decryption and enlarges the ciphertext expansion. The designers of pNE also admitted in [38] that “the practical instantiations of our schemes are likely to be significantly less efficient than the original schemes”.

  • NTRUCCA [39]: NTRUCCA builds on the idea of pNE and was proven IND-CCA secure in the standard model assuming the intractability of some worst-case problems in ideal lattices [39]. The NTRUCCA PKC adds computation on top of pNE, including hashing, bit-string concatenation and, most expensively, signature generation and verification, so NTRUCCA is less efficient than pNE. NTRUCCA also increases the size of the modulus q, which further enlarges the ciphertext expansion.

In this paper, we show that it is possible to develop a PKC based on the original NTRU algorithm that achieves significant advantages over the original NTRU PKC in terms of encryption/decryption speed, ciphertext expansion and provable security. A general framework for NTRU is considered, and two NTRU variants, called C-NTRU and D-NTRU, are proposed. C-NTRU serves only as a bridge to complete the security proof of D-NTRU. D-NTRU has the following features.

  • Smaller ciphertext expansion: The D-NTRU cipher has a ciphertext expansion of $(\log_2 q_1 + \log_2 q_2) : \log_2 q_2$, where $q_1$ and $q_2 = q_1 + 2$ are twin primes; this is asymptotically equal to, but slightly smaller than, 2:1. Our proposal therefore significantly reduces the communication bandwidth requirement of the original NTRU algorithm.

  • More efficient encryption: Under the suggested practical parameter sets, the encryption speed of D-NTRU is about 2.506, 2.506 and 2.833 times that of NTRU, respectively, when encryption speed is defined as the number of plaintext bits encrypted per unit time.

  • More efficient decryption: If decryption speed is defined as the number of plaintext bits decrypted per unit time, the speed of the proposed D-NTRU PKC is theoretically 1.688, 1.688 and 1.917 times that of the NTRU algorithm, respectively, under the suggested practical parameters.

  • Provable IND-CPA security: D-NTRU resembles a one-time-pad encryption scheme: the first part of the ciphertext carries the one-time key, and the second part realizes the one-time-pad encryption. We define several problems and prove that all of them are equivalent to the NTRU one-way problem. Finally, we prove the IND-CPA security of the D-NTRU algorithm in the standard model assuming the average-case NTRU one-wayness intractability. The IND-CPA security reduction is established only under the average-case NTRU one-wayness assumption; we were unable to derive any worst-case security reduction.

We also implement both NTRU and D-NTRU at the same level of message and key security. The empirical results show that under the suggested parameters, the encryption speed of D-NTRU is about 2.165, 2.441, and 2.777 times that of the NTRU PKC, and the decryption speed of D-NTRU is about 1.474, 1.270, and 1.637 times that of NTRU, respectively.

The rest of the paper is organized as follows. In Section 2, we introduce some notation, formalize the underlying algebraic structure, and review the NTRU algorithm. In Section 3, we present the C-NTRU and D-NTRU algorithms. In Section 4, we list some useful results relating to the first and the infinity norms, describe the parameter settings under which the NTRU, C-NTRU and D-NTRU PKCs have no decryption failures, and discuss the invalid ciphertext problems in the three PKCs. In Section 5, we present the definitions underlying the NTRU, C-NTRU and D-NTRU PKCs, prove the equivalence of these problems, and prove the IND-CPA security under the NTRU one-wayness intractability assumption. In Section 6, we specify the parameter settings, analyze the performance of D-NTRU, compare it with the original NTRU PKC in terms of key generation, encryption, decryption, ciphertext expansion and key sizes, and implement both NTRU and D-NTRU. In Section 7, we conclude and outline future work.


Preliminaries

In this section, we list some useful notations, define the underlying algebraic structure, and review the NTRU PKC.

The proposed NTRU variants

In this section, we propose two NTRU variants, C-NTRU and D-NTRU. Both use four system parameters $(N, p, q_1, q_2)$. C-NTRU allows the composite modulus $q_1 q_2$, hence the name composite NTRU (C-NTRU for short). D-NTRU appears to apply two NTRU encryption functions during encryption, hence the name double NTRU (D-NTRU for short).

Norms, decryption failures and invalid ciphertexts

We formalize useful results about the infinity norm, state the conditions under which decryption failure cannot occur, and point out some types of invalid ciphertexts that exist in NTRU, C-NTRU and D-NTRU.

Security

Building on the preparations in Section 4, we now prove the semantic security of D-NTRU. We stress that throughout this section we set $\delta = 2(p \cdot \min\{2d_{g1}, 2d\} + 2d_{f1})$.
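As an added illustration, not code from the paper, the following Python toy implements textbook NTRU with deliberately tiny parameters. It makes two quantities discussed on this page concrete: the $\log_p q : 1$ ciphertext expansion of the Introduction (a ternary message reduced mod p becomes N residues mod q) and a no-decryption-failure condition obtained by bounding the infinity norm of $p r g + f m$ against $q/2$, which is the same shape we read the $\delta$ above to have (that reading is our assumption). The names N, P, Q, DF, DG, DR and all helper functions are ours; q is taken prime here, in line with the paper's twin-prime moduli, so one extended-Euclidean inverse routine serves both p and q. D-NTRU itself is not reproduced, because the page describes it but does not give its algorithm.

```python
"""Toy NTRU over Z_q[x]/(x^N - 1): constructed teaching code, not the paper's D-NTRU."""
import math
import random

N, P, Q = 11, 3, 67            # deliberately tiny, insecure: N prime, p = 3, q prime, gcd(p, q) = 1
DF, DG, DR = 4, 3, 3           # f has DF ones and DF-1 minus ones; g and r have DG / DR of each sign

def conv(a, b, mod):
    """Product in Z_mod[x]/(x^N - 1): cyclic convolution of two length-N coefficient lists."""
    c = [0] * N
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                c[(i + j) % N] = (c[(i + j) % N] + ai * bj) % mod
    return c

def centre(a, mod):
    """Lift residues to the representatives centred around zero, e.g. {-1, 0, 1} for mod 3."""
    return [((x + mod // 2) % mod) - mod // 2 for x in a]

def trim(a):
    while len(a) > 1 and a[-1] == 0:     # drop leading zeros; the zero polynomial stays [0]
        a.pop()
    return a

def poly_divmod(a, b, pr):
    """Long division over the prime field Z_pr; returns (quotient, remainder)."""
    a, b = trim(a[:]), trim(b[:])
    inv_lead = pow(b[-1], -1, pr)
    quot = [0] * max(1, len(a) - len(b) + 1)
    while any(a) and len(a) >= len(b):
        shift, coef = len(a) - len(b), a[-1] * inv_lead % pr
        quot[shift] = coef
        for i, bi in enumerate(b):
            a[i + shift] = (a[i + shift] - coef * bi) % pr
        a = trim(a)
    return quot, a

def inverse(f, pr):
    """Inverse of f in Z_pr[x]/(x^N - 1) by the extended Euclidean algorithm; None if f is not a unit."""
    r0, r1 = [(-1) % pr] + [0] * (N - 1) + [1], trim([x % pr for x in f])   # x^N - 1 and f
    s0, s1 = [0], [1]                                # invariant: s_i * f == r_i (mod x^N - 1)
    while any(r1) and len(r1) > 1:
        q, r = poly_divmod(r0, r1, pr)
        qs = [0] * (len(q) + len(s1) - 1)            # qs = q * s1 as ordinary polynomials
        for i, qi in enumerate(q):
            for j, sj in enumerate(s1):
                qs[i + j] = (qs[i + j] + qi * sj) % pr
        n = max(len(s0), len(qs))
        s2 = trim([((s0 + [0] * n)[k] - (qs + [0] * n)[k]) % pr for k in range(n)])
        r0, r1, s0, s1 = r1, r, s1, s2
    if not any(r1):
        return None                                  # gcd(f, x^N - 1) has positive degree
    c, out = pow(r1[0], -1, pr), [0] * N
    for i, x in enumerate(s1):                       # scale by 1/c and reduce mod x^N - 1
        out[i % N] = (out[i % N] + x * c) % pr
    return out

def random_ternary(d_plus, d_minus, rng):
    """Polynomial with d_plus coefficients +1, d_minus coefficients -1 and the rest 0."""
    idx, f = rng.sample(range(N), d_plus + d_minus), [0] * N
    for k, i in enumerate(idx):
        f[i] = 1 if k < d_plus else -1
    return f

def keygen(rng):
    """Secret key (f, f_p^{-1}); public key h = f_q^{-1} * g mod q, as in textbook NTRU."""
    while True:
        f = random_ternary(DF, DF - 1, rng)
        fp, fq = inverse(f, P), inverse(f, Q)
        if fp is not None and fq is not None:
            return (f, fp), conv(fq, random_ternary(DG, DG, rng), Q)

def encrypt(h, m, rng):
    """e = p r h + m mod q: m is ternary (mod p) data, e is N residues mod q, hence log_p(q) : 1."""
    r = random_ternary(DR, DR, rng)
    return [(x + y) % Q for x, y in zip(conv([P * x for x in r], h, Q), m)]

def decrypt(sk, e):
    """f e mod q equals p r g + f m over Z unless a coefficient wraps past q/2; mod p it yields f m."""
    f, fp = sk
    a = centre(conv(f, e, Q), Q)
    return centre(conv(fp, [x % P for x in a], P), P)

def worst_case_wrap():
    """Bound on |p r g + f m|_inf: p * min(|r|_1, |g|_1) + |f|_1. Below q/2, decryption never fails."""
    return P * min(2 * DR, 2 * DG) + (2 * DF - 1)

def ntru_expansion(p, q):
    """NTRU ciphertext expansion log_p(q) : 1, e.g. 5.047 for (3, 256) and 5.678 for (3, 512)."""
    return math.log(q, p)

def self_check(seed=1):
    """Seeded key pair: (f * f_p == 1 mod p, f * f_q == 1 mod q, decrypt(encrypt(m)) == m)."""
    rng, one = random.Random(seed), [1] + [0] * (N - 1)
    (f, fp), h = keygen(rng)
    m = random_ternary(3, 3, rng)                    # constructed random ternary message
    ok_p, ok_q = conv(f, fp, P) == one, conv(f, inverse(f, Q), Q) == one
    return ok_p, ok_q, decrypt((f, fp), encrypt(h, m, rng)) == m
```

With these parameters `worst_case_wrap()` returns 25, below q/2 = 33, so the centred lift in `decrypt` always recovers the integer vector $p r g + f m$ and every `self_check(seed)` round trip succeeds; raising DR or DG, or shrinking Q, until the bound passes q/2 is the quickest way to see a decryption failure appear. `ntru_expansion(3, 256)` and `ntru_expansion(3, 512)` reproduce the 5.047 and 5.678 figures quoted in the Introduction.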

Performance

Now we analyze the performance of the D-NTRU cryptosystem and compare it with that of the NTRU cryptosystem.

Conclusion

In this paper, we developed a novel modification of NTRU, called D-NTRU. The IND-CPA security of D-NTRU was proven under the NTRU one-wayness hardness assumption. The D-NTRU PKC has a smaller ciphertext expansion than the original NTRU algorithm and is more efficient than NTRU in both encryption and decryption. The theoretical analysis of the performance advantages of D-NTRU over NTRU was well supported by the empirical results. We emphasize that the proposal only achieves

Acknowledgments

The authors thank the anonymous reviewers for their valuable suggestions and comments, which polish and improve the readability of the paper. This work was supported by the National Key R&D Program of China under grant 2017YFB0802000, the National Natural Science Foundation of China under grants 61572390, U1736111, 61473029, 61672412, the Plan For Scientific Innovation Talent of Henan Province under grant 184100510012, the Natural Science Foundation of Ningbo City under Grant 201601HJ-B01382,

References (41)

  • E. Fujisaki et al., How to enhance the security of public-key encryption at minimum cost, International Workshop on Public Key Cryptography (1999)
  • N. Gama et al., New chosen-ciphertext attacks on NTRU, International Workshop on Public Key Cryptography (2007)
  • C. Gentry, Key recovery and message attacks on NTRU-composite, International Conference on the Theory and Applications of Cryptographic Techniques (2001)
  • C. Gentry, Fully homomorphic encryption using ideal lattices, STOC (2009)
  • L. Goubin et al., Blending FHE-NTRU keys – the Excalibur property, Progress in Cryptology – INDOCRYPT 2016 (2016)
  • J. Hermans et al., Speed records for NTRU, CT-RSA (2010)
  • J. Hoffstein et al., NTRU: a ring-based public key cryptosystem, Algorithmic Number Theory, Third International Symposium, ANTS-III, Portland, Oregon, USA, June 21–25, 1998, Proceedings (1998)
  • J. Hoffstein et al., Invertibility in truncated polynomial rings, Technical Report (1998)
  • J.H. Hoffstein et al., Practical lattice-based cryptography: NTRUEncrypt and NTRUSign, The LLL Algorithm – Survey and Applications (2010)
  • N. Howgrave-Graham, A hybrid lattice-reduction and meet-in-the-middle attack against NTRU, Annual International Cryptology Conference (2007)