Abstract

NTRUEncrypt is a public key cryptosystem based on hard problems over lattices. The dominant operation in NTRUEncrypt is convolution, i.e., multiplication over a quotient ring of polynomials. Based on the fact that a convolution has a highly regular structure, Lee et al. proposed the sliding window method for fast convolution of binary polynomials in 2013, which was then extended to ternary polynomials for ideal lattices by Akleylek, Alkim, and Tok in 2016. These sliding window methods reduce the cost of a convolution operation using look-up tables that store partial computation results related to repeated coefficient patterns. In this paper, we propose a signed sliding window method with side-channel resistance for NTRUEncrypt. The proposed method considers both positive and negative nonzero coefficients when constructing look-up tables. The new method not only accelerates convolution but also enables the application of power analysis countermeasures effectively. According to the experimental results, the constant-time implementation of the proposed method with timing and power analysis countermeasures accelerates the previously developed secure convolution method by up to 20%.

Highlights

  • The NTRU cryptosystem, i.e., NTRUEncrypt, is a public key cryptosystem based on a hard problem over lattices, i.e., the shortest vector problem (SVP) [2]

  • Since its first announcement at the rump session of Crypto 96 [3], NTRUEncrypt has attracted attention from many researchers because of its greater speed compared with existing public key systems, such as RSA and elliptic curve cryptography (ECC) [4]–[9]

  • In 2009, NTRUEncrypt was standardized as an alternative public key cryptosystem by the IEEE P1363 working group [10]


Summary

INTRODUCTION

The NTRU cryptosystem, i.e., NTRUEncrypt, is a public key cryptosystem based on a hard problem over lattices, i.e., the shortest vector problem (SVP) [2]. In [20], the sliding window method was extended to the standard NTRUEncrypt [10] by considering ternary polynomials. This method substantially accelerated index-based convolution [21], but side-channel countermeasures could not be applied to it, because the computations related to positive and negative coefficients had to be kept strictly separate. We redefine the meaning of a coefficient pattern, design a new data structure that merges the positive and negative coefficients, and propose a new method for encoding a polynomial into a pattern sequence. This improvement makes it possible to apply side-channel countermeasures to sliding window-based convolutions. In the names of the parameter sets of [10], S, C, and F stand for size, cost, and fast, respectively, where cost optimization means minimizing (operation time)^2 × (size).
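To make the three convolution strategies that the abstract and the introduction contrast concrete, the following Python is an added illustration, not code from the paper (which publishes no source on this page). It models multiplication in Z_q[x]/(x^N - 1): the naive double loop, the index-based method that accumulates one rotated copy of h per nonzero coefficient of the ternary polynomial r, and a signed sliding window that pre-computes one table entry per nonzero signed pattern of w consecutive ternary coefficients and then consumes one table entry per window, so that a window such as (1, -1) costs a single N-length accumulation instead of two. The ring parameters (N = 11, q = 32, w = 2), the polynomials and all function names are constructed for this example and are not a standard NTRU parameter set or the paper's own pattern encoding.

```python
"""Toy NTRU-style convolution r * h in Z_q[x]/(x^N - 1).

Added example: constructed toy parameters, not a standard NTRU parameter set.
"""
from itertools import product

N = 11   # ring degree (constructed; real NTRU uses prime N in the hundreds)
Q = 32   # coefficient modulus (constructed)
W = 2    # sliding window width in coefficients (constructed)

# Constructed sample inputs: r is ternary (the secret blinding/private value),
# h is a public polynomial with coefficients in Z_q.
R_EXAMPLE = [1, -1, 0, 0, 1, 1, 0, -1, 0, 0, 1]
H_EXAMPLE = [3, 17, 5, 29, 11, 8, 23, 2, 14, 30, 9]


def rotate(h, s):
    """Return x^s * h in Z_q[x]/(x^N - 1), i.e. a cyclic shift of h by s."""
    s %= len(h)
    return h[-s:] + h[:-s] if s else list(h)


def conv_naive(r, h, q=Q):
    """Schoolbook reference: c_k = sum_{i+j = k mod N} r_i h_j."""
    n = len(h)
    c = [0] * n
    for i, ri in enumerate(r):
        for j, hj in enumerate(h):
            c[(i + j) % n] = (c[(i + j) % n] + ri * hj) % q
    return c


def conv_index(r, h, q=Q):
    """Index-based method: one rotate-and-accumulate per nonzero coefficient of r."""
    n = len(h)
    c = [0] * n
    for i, ri in enumerate(r):
        if ri == 0:
            continue
        rh = rotate(h, i)
        for k in range(n):
            c[k] = (c[k] + ri * rh[k]) % q
    return c


def build_signed_table(h, w=W, q=Q):
    """Look-up table keyed by every nonzero signed pattern of w ternary coefficients.

    Entry for pattern p = (p_0, ..., p_{w-1}) is sum_j p_j * x^j * h, so positive
    and negative coefficients share one table (3^w - 1 entries).
    """
    n = len(h)
    table = {}
    for pat in product((-1, 0, 1), repeat=w):
        if not any(pat):
            continue
        acc = [0] * n
        for j, pj in enumerate(pat):
            if pj == 0:
                continue
            rh = rotate(h, j)
            for k in range(n):
                acc[k] = (acc[k] + pj * rh[k]) % q
        table[pat] = acc
    return table


def encode_windows(r, w=W):
    """Encode r as (position, pattern) pairs; each window starts at a nonzero coefficient.

    Windows do not overlap, and a window running past the end is zero-padded
    rather than wrapped, so every coefficient of r is consumed exactly once.
    """
    n = len(r)
    seq = []
    i = 0
    while i < n:
        if r[i] == 0:
            i += 1
            continue
        pat = tuple(r[i + j] if i + j < n else 0 for j in range(w))
        seq.append((i, pat))
        i += w
    return seq


def conv_window(r, h, table=None, w=W, q=Q):
    """Signed sliding window: one table lookup and accumulation per window."""
    n = len(h)
    if table is None:
        table = build_signed_table(h, w, q)
    c = [0] * n
    for pos, pat in encode_windows(r, w):
        t = rotate(table[pat], pos)          # x^pos * (sum_j pat_j x^j h)
        for k in range(n):
            c[k] = (c[k] + t[k]) % q
    return c


def accumulation_counts(r, w=W):
    """Number of N-length accumulations: index-based vs. windowed."""
    return {"index": sum(1 for ri in r if ri), "window": len(encode_windows(r, w))}


if __name__ == "__main__":
    assert conv_window(R_EXAMPLE, H_EXAMPLE) == conv_naive(R_EXAMPLE, H_EXAMPLE)
    print(conv_window(R_EXAMPLE, H_EXAMPLE), accumulation_counts(R_EXAMPLE))
```

On the sample input the windowed pass agrees with the schoolbook result and needs four accumulations where the index-based method needs six. What it does not do is exactly what the paper is about: the early exit on zero coefficients, the window positions and the table index all depend on the secret r, so both the running time and the power trace of this toy leak r. A deployable version must encode r into a fixed-length pattern sequence and walk the table without secret-dependent branches or addresses, which is the constant-time construction the paper's later sections develop.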

SLIDING WINDOW METHODS FOR NTRUEncrypt
Method with Timing Attack Resistance
POWER ANALYSIS RESISTANCE
PERFORMANCE ANALYSIS
Method
Findings
VIII. CONCLUSION