D-NTRU: More efficient and average-case IND-CPA secure NTRU variant
Introduction
Public key cryptosystems (PKCs) are undoubtedly among the most important cryptographic tools in network and information security engineering. Tremendous efforts have been made in the public key cryptographic literature to realize efficient and practical PKCs [26]. Amongst these proposals, factorization-based and discrete-logarithm-based PKCs such as RSA and ECC are probably the most widely used public key encryption schemes. In general settings, RSA and ECC only achieve cubic complexity in both encryption and decryption, due to the expensive modular exponentiation and modular inverse operations, respectively. Since security is also demanded in resource-constrained environments such as RFID, wireless sensor networks and ad hoc networks, more efficient PKCs are needed.
The NTRU PKC was published in 1998 [15] and was shown to be much more efficient than the traditional PKCs RSA and ECC in terms of key generation, encryption, and decryption. NTRU is therefore better suited to resource-constrained environments including ad hoc networks, RFID, smart cards, and some embedded systems [2]. Some improvements on the original NTRU PKC were made to further increase its encryption/decryption speed and reduce its key sizes [22]. Coppersmith and Shamir found a lattice attack on the NTRU PKC in 1997 [6], so NTRU is also regarded as a lattice-based PKC [17], [34]. Unlike other lattice-based PKCs, NTRU uses an ideal lattice as its platform, which allows a compact representation of the underlying algebraic structure. This algebraic structure also sheds light on some other lattice-based cryptographic designs [8], [12], [13], [28], [30], [35], [40]. Though very attractive because of its speed advantages over other PKCs, NTRU has been held back by the fact that its security was not proven.
- Achieving no provable security goals: The original NTRU algorithm only offers heuristic security arguments. No serious security flaws were found after many cryptanalytic attacks [1], [5], [6], [7], [10], [11], [18], [19], [23], [24], [27], [31], [32], [33] were examined against the NTRU PKC. However, provable security is a standard requirement for a PKC to be used in practice, and it provides more convincing security claims. In particular, some lattice-based PKCs can provide a very strong security argument by establishing an average-case/worst-case equivalence reduction for the underlying mathematically hard problem [37], [38], [39].
- High ciphertext expansion: A large ciphertext expansion increases the communication bandwidth requirement. For example, the ciphertext expansions of RSA and ECC are 1:1 and 2:1, respectively. The ciphertext expansion of NTRU is $\log_p q : 1$. Under the parameters and (3, 512), the ciphertext expansion of NTRU is 5.047:1 and 5.678:1, respectively.
To resolve the provable security issue of NTRU PKC, several PKCs based on NTRU were proposed in the literature [3], [20], [21], [37], [38], [39], [41], amongst which the famous ones are NAEP [20], [21], pNE [37], [38] and NTRUCCA [39].
- NAEP [20], [21]: NAEP was proven IND-CCA secure in the random oracle model under some cryptographic assumptions, including the average-case NTRU one-wayness assumption, and even in the presence of decryption failures [19], [33]. However, NAEP requires more computation than NTRU and shortens the plaintext. NAEP therefore heavily compromises the efficiency of NTRU in both encryption and decryption, and further enlarges the ciphertext expansion of NTRU.
- pNE [37], [38]: The pNE PKC is proven IND-CPA secure in the standard model under standard worst-case problems over ideal lattices. However, pNE requires the public and secret keys to grow quadratically with the security parameter in order to maintain the provable worst-case security, which slows down both encryption and decryption and enlarges the ciphertext expansion. The designers of pNE also admitted in [38] that “the practical instantiations of our schemes are likely to be significantly less efficient than the original schemes”.
- NTRUCCA [39]: NTRUCCA is based on the idea of pNE and was proven IND-CCA secure in the standard model assuming the intractability of some worst-case problems in ideal lattices [39]. The NTRUCCA PKC requires more computation than pNE, including hashing, bit-string concatenation, and, most expensively, signature generation and verification. NTRUCCA is therefore less efficient than pNE. NTRUCCA also increases the size of the modulus q, which further enlarges the ciphertext expansion.
In this paper, we show that it is possible to develop a PKC based on the original NTRU algorithm that achieves significant advantages over the original NTRU PKC in terms of encryption/decryption speed, ciphertext expansion, and provable security. We consider a general framework for NTRU and propose two NTRU variants, called C-NTRU and D-NTRU, respectively. C-NTRU serves only as a bridge to complete the security proof of D-NTRU. D-NTRU has the following features.
- Smaller ciphertext expansion: The D-NTRU cipher obtains a ciphertext expansion, with q1 and q2 being twin primes, that is asymptotically equal to but somewhat smaller than 2:1. Our proposal therefore significantly reduces the communication bandwidth requirement of the original NTRU algorithm.
- More efficient encryption: Under the suggested practical parameters, the encryption speed of D-NTRU is about 2.506, 2.506, and 2.833 times that of NTRU, respectively, when the encryption speed is defined as the number of plaintext bits encrypted per unit time.
- More efficient decryption: If we define the decryption speed as the number of plaintext bits decrypted per unit time, the speed of the proposed D-NTRU PKC is theoretically 1.688, 1.688, and 1.917 times that of the NTRU algorithm, respectively, under the suggested practical parameters.
- Provable IND-CPA security: D-NTRU resembles a one-time-pad encryption scheme. The first part of the ciphertext carries the one-time key, and the second part of the ciphertext realizes the one-time-pad encryption. We define several problems and prove that all of them are equivalent to the NTRU one-way problem. Finally, we prove the IND-CPA security of the D-NTRU algorithm in the standard model assuming the average-case NTRU one-wayness intractability. The IND-CPA security reduction is established only under the average-case NTRU one-wayness assumption; we do not obtain any worst-case security reduction.
We also implement both NTRU and D-NTRU at the same level of message and key security. The empirical results show that under the suggested parameters, the encryption speed of D-NTRU is about 2.165, 2.441, and 2.777 times that of the NTRU PKC, and the decryption speed of D-NTRU is about 1.474, 1.270, and 1.637 times that of NTRU, respectively.
The rest of the paper is organized as follows. In Section 2, we introduce some notations, formalize the underlying algebraic structure, and review the NTRU algorithm. In Section 3, we provide the C-NTRU and D-NTRU algorithm. In Section 4, we list some useful results relating to the first and the infinity norms, describe under which parameter settings the NTRU, C-NTRU and D-NTRU PKCs will have no decryption failures, and discuss the invalid ciphertext problems in the three PKCs. In Section 5, we present some definitions underlying the NTRU, C-NTRU, and D-NTRU PKCs, prove the equivalence of these problems, and prove the IND-CPA security under the NTRU one-wayness intractability assumption. In Section 6, we specify the parameter settings, analyze the performance of D-NTRU, compare it with the original NTRU PKC in terms of key generation, encryption, decryption, ciphertext expansion, and key sizes, and implement both NTRU and D-NTRU. In Section 7, we conclude the work and outline the future work.
Preliminaries
In this section, we list some useful notations, define the underlying algebraic structure, and review the NTRU PKC.
The proposed NTRU variants
In this section, we propose two NTRU variants, C-NTRU and D-NTRU. Both C-NTRU and D-NTRU use the four system parameters (N, p, q1, q2). C-NTRU allows the use of the composite modulus q1q2, hence the name composite NTRU (C-NTRU for short). D-NTRU appears to apply two NTRU encryption functions during encryption, hence the name double NTRU (D-NTRU for short).
Norms, decryption failures and invalid ciphertexts
We formalize useful results about the infinity norm, give the conditions under which decryption failures cannot occur, and point out some types of invalid ciphertexts that exist in NTRU, C-NTRU, and D-NTRU.
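The two quantities this section and the ciphertext-expansion comparison above hinge on, as an added example that is not code from the paper: the textbook NTRU decryption-failure condition (the decryptor recovers p·r·g + f·m exactly only if its coefficients survive centered reduction mod q; the infinity-norm bound via ||a·b||_∞ ≤ ||a||_1·||b||_∞ is the standard sufficient condition, assumed here) and the ratio log_p q. The toy polynomials, N = 7 and the moduli are constructed for illustration.

```python
# Added example, not code from the D-NTRU paper. Polynomials live in
# Z[x]/(x^N - 1) and are lists of N integer coefficients.
from math import log
from typing import List

Poly = List[int]

def conv(a: Poly, b: Poly) -> Poly:
    """Cyclic convolution: the product in Z[x]/(x^N - 1) over the integers."""
    n = len(a)
    c = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % n] += ai * bj
    return c

def norm_1(a: Poly) -> int:
    return sum(abs(x) for x in a)

def norm_inf(a: Poly) -> int:
    return max(abs(x) for x in a)

def center(a: Poly, q: int) -> Poly:
    """Reduce mod q into the symmetric range around 0, as NTRU decryption does."""
    return [((x + q // 2) % q) - q // 2 for x in a]

def decrypts_correctly(f, g, r, m, p: int, q: int) -> bool:
    """Exact check: the decryptor computes f*e mod q = p*r*g + f*m mod q and
    recovers m (after multiplying by the inverse of f mod p) only when the
    centered lift equals the integer polynomial w = p*r*g + f*m."""
    w = [p * x + y for x, y in zip(conv(r, g), conv(f, m))]
    return center([x % q for x in w], q) == w

def norm_bound_ok(f, g, r, m, p: int, q: int) -> bool:
    """Sufficient (not necessary) condition for no decryption failure:
    ||p*r*g + f*m||_inf <= p*||r||_1*||g||_inf + ||f||_1*||m||_inf < q/2."""
    return p * norm_1(r) * norm_inf(g) + norm_1(f) * norm_inf(m) < q / 2

def ciphertext_expansion(p: int, q: int) -> float:
    """NTRU sends N coefficients mod q for N plaintext coefficients mod p."""
    return log(q) / log(p)

# Constructed toy instance with N = 7 and p = 3 (ternary polynomials).
F = [1, 1, -1, 0, 1, 0, 0]
G = [1, 0, -1, 1, 0, 0, -1]
R = [1, -1, 0, 0, 1, 0, 0]
M = [1, 0, -1, 1, 1, 0, -1]

if __name__ == "__main__":
    for q in (128, 25, 16):  # q = 25 passes the exact check but not the bound
        print(q, decrypts_correctly(F, G, R, M, 3, q), norm_bound_ok(F, G, R, M, 3, q))
    print(round(ciphertext_expansion(3, 512), 3))
```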
Security
From the preparations in Section 4, we begin to prove the semantic security of D-NTRU. We stress that in this section, we set .
Performance
Now we analyze the performance of the D-NTRU cryptosystem and compare it with that of the NTRU cryptosystem.
Conclusion
In this paper, we developed a novel modification of NTRU, called D-NTRU. The IND-CPA security of D-NTRU was proven under the NTRU one-wayness hardness assumption. The D-NTRU PKC has a smaller ciphertext expansion than the original NTRU algorithm and performs more efficiently than NTRU in both encryption and decryption. The theoretical analysis of the performance advantages of D-NTRU over NTRU was well supported by the empirical results. We emphasize that the proposal only achieves
Acknowledgments
The authors thank the anonymous reviewers for their valuable suggestions and comments, which polished and improved the readability of the paper. This work was supported by the National Key R&D Program of China under grant 2017YFB0802000, the National Natural Science Foundation of China under grants 61572390, U1736111, 61473029, 61672412, the Plan For Scientific Innovation Talent of Henan Province under grant 184100510012, the Natural Science Foundation of Ningbo City under Grant 201601HJ-B01382,
References (41)
- et al., On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption, Proceedings of the forty-fourth annual ACM symposium on Theory of computing (2012)
- et al., Provably secure NTRU instances over prime cyclotomic rings, International Workshop on Public Key Cryptography–PKC 2017 (2017)
- et al., A subfield lattice attack on overstretched NTRU assumptions, Advances in Cryptology–CRYPTO 2016 (2016)
- et al., NTRU in constrained devices, International Workshop on Cryptographic Hardware and Embedded Systems (2001)
- et al., On the efficiency of provably secure NTRU, Workshop on Post-Quantum Cryptography–PQCrypto 2014 (2014)
- et al., On the efficiency of provably secure NTRU, International Workshop on Post-Quantum Cryptography (2014)
- et al., Key recovery attacks against NTRU-based somewhat homomorphic encryption schemes, International Information Security Conference–ISC 2015 (2015)
- et al., Lattice attacks on NTRU, International Conference on the Theory and Applications of Cryptographic Techniques (1997)
- et al., Adaptive key recovery attacks on NTRU-based somewhat homomorphic encryption schemes, International Conference on Information Theoretic Security–ICITS 2015 (2015)
- et al., Efficient identity-based encryption over NTRU lattices, Advances in Cryptology–ASIACRYPT 2014 (2014)