Abstract

We present BAT, an IND-CCA secure key encapsulation mechanism (KEM) that is based on NTRU but follows an encryption/decryption paradigm distinct from classical NTRU KEMs. It demonstrates a new approach to decrypting NTRU ciphertexts, 25 years after NTRU's introduction. Instead of introducing an artificial masking parameter p to decrypt the ciphertext, we use 2 linear equations in 2 unknowns to recover the message and the error. The encryption process is therefore close to the GGH scheme. However, since the secret key is now a short basis (not a vector), we need to modify the decryption algorithm, and we present a new NTRU decoder. Thanks to the improved decoder, our scheme works with a smaller modulus and yields shorter ciphertexts: smaller than RSA-4096 for 128-bit classical security, with comparable public-key size, and much faster than RSA or even ECC. Meanwhile, encryption and decryption remain simple and fast in spite of the complicated key generation. Overall, our KEM has more compact parameters than all current lattice-based schemes and practical efficiency. Moreover, due to the similar key-pair structure, BAT can be of special interest in applications that use the Falcon signature scheme, which is also the most compact signature in round 3 of the NIST post-quantum cryptography standardization. However, unlike Falcon, our KEM does not rely on floating-point arithmetic and can be fully implemented over the integers.
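As an added illustration of the "two linear equations in two unknowns" decryption idea from the abstract (this is not code from the BAT paper or its implementation), the following toy works in the degenerate case n = 1, where the NTRU ring collapses to the integers. The values q = 257, f = 11, g = 7, F = -10, G = 17 and the error bound are constructed toy parameters chosen so that f*G - g*F = q holds; they are not BAT parameters, and the decoder shown is the plain two-equation solve, not the paper's improved decoder.

```python
# Constructed toy parameters (n = 1, so ring elements are plain integers).
Q = 257              # toy modulus
F_SK, G_SK = 11, 7   # short secret pair (f, g)
FF, GG = -10, 17     # completing pair (F, G) with f*G - g*F = q
BOUND = 4            # |s|, |e| <= BOUND keeps both lifted equations exact
assert F_SK * GG - G_SK * FF == Q
H = (G_SK * pow(F_SK, -1, Q)) % Q   # public key h = g * f^-1 mod q


def center_lift(a: int, q: int = Q) -> int:
    """Map a residue mod q to its representative in (-q/2, q/2]."""
    a %= q
    return a - q if a > q // 2 else a


def encrypt(s: int, e: int) -> int:
    """GGH-style ciphertext c = h*s + e (mod q) with short s (randomness) and e (message)."""
    return (H * s + e) % Q


def decrypt(c: int):
    """Recover (s, e) from two linear equations; no masking modulus p is needed.
    Eq. 1:  c*f = f*e + g*s  (mod q)
    Eq. 2:  c*F = F*e + G*s  (mod q), since g*F = f*G - q == f*G (mod q)
    Both right-hand sides are short, so they lift to Z and the 2x2 system with
    determinant f*G - g*F = q is solved exactly over the integers."""
    u = center_lift(c * F_SK)   # = f*e + g*s over Z when s, e are short
    v = center_lift(c * FF)     # = F*e + G*s over Z when s, e are short
    e_num = GG * u - G_SK * v   # = (f*G - g*F) * e = q*e
    s_num = F_SK * v - FF * u   # = (f*G - g*F) * s = q*s
    if e_num % Q or s_num % Q:
        return None
    s, e = s_num // Q, e_num // Q
    # A wrong lift (decoding failure) still re-encrypts to c, so the usable
    # sanity check is shortness: reject anything outside the fixed bound.
    if abs(s) > BOUND or abs(e) > BOUND:
        return None
    return s, e


def all_short_pairs_decode(bound: int = BOUND) -> bool:
    """Exhaustively confirm every (s, e) within the bound decrypts correctly."""
    return all(decrypt(encrypt(s, e)) == (s, e)
               for s in range(-bound, bound + 1)
               for e in range(-bound, bound + 1))
```

Inputs beyond the bound (for example s = e = 8) overflow the second lifted equation and are rejected, which is the one-dimensional shadow of the decoding-failure analysis the paper performs for its real parameters.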

Highlights

  • Lattice-based schemes, especially when they have a polynomial structure, are a very strong contender for post-quantum cryptography

  • We expect (F, G) to yield one more equation in decryption so that one can recover both the message and encryption randomness via two equations. This in effect gets rid of the masking modulus p in classical NTRU key encapsulation mechanism (KEM) and hopefully allows smaller parameters

  • We present a new KEM based on NTRU, called BAT.


Summary

Introduction

Lattice-based schemes, especially when they have a polynomial structure, are a very strong contender for post-quantum cryptography. We expect (F, G) to yield one more equation in decryption so that one can recover both the message and the encryption randomness via two equations. This in effect gets rid of the masking modulus p in classical NTRU KEMs and hopefully allows smaller parameters. Similar to the Falcon signature scheme, BAT uses h = f^{-1} g mod q as the public key, and its secret key is a trapdoor basis B_{f,g} with an additional ring element (for faster decapsulation). BAT is similar in spirit to Falcon: both achieve good compactness by using a nice NTRU trapdoor basis as the secret key. Chuengsatiansup et al. [CPS+20] propose extensions of the Falcon signature scheme and NTRU encryption over Module-NTRU lattices, which allows more flexible parameters for NTRU-based cryptosystems. The main difference is that our KEM follows a novel pattern which is essential to minimize the parameters.

Notations
Linear algebra
Probability and statistics
A New NTRU Decoder
Babai’s algorithms for NTRU
Our decoding algorithm for NTRU
Decoding failure rate
BAT KEM
Algorithm description
Parameter selection
Assumptions
KEM security
Concrete security
Cost of lattice reduction
Primal attack
Other attacks
Key pair generation
Field operations
NTT multiplication
Polynomial splitting and Karatsuba multiplication
Decoding
Encoding and storage
Speed benchmarks
Findings
A Argument for Claim 1