Abstract
We present NTTRU – an IND-CCA2 secure NTRU-based key encapsulation scheme that uses the number theoretic transform (NTT) over the cyclotomic ring Z7681[X]/(X768−X384+1) and produces public keys and ciphertexts of approximately 1.25 KB at the 128-bit security level. The number of cycles on a Skylake CPU of our constant-time AVX2 implementation of the scheme for key generation, encapsulation and decapsulation is approximately 6.4K, 6.1K, and 7.9K, which is more than 30X, 5X, and 8X faster than these respective procedures in the NTRU schemes that were submitted to the NIST post-quantum standardization process. These running times are also, by a large margin, smaller than those for all the other schemes in the NIST process as well as the KEMs based on elliptic curve Diffie-Hellman. We additionally give a simple transformation that allows one to provably deal with small decryption errors in OW-CPA encryption schemes (such as NTRU) when using them to construct an IND-CCA2 key encapsulation.
Highlights
Lattice-based schemes based on structured polynomial lattices [HPS98, LPR13] provide us with one of the most promising solutions for post-quantum encryption
Lattice schemes are especially fast when they work over rings in which operations can be performed via the Number Theory Transform (NTT) [LMPR08] and many lattice-based encryption schemes utilize this approach (e.g. NewHope [ADPS16], Kyber [BDK+18], LIMA [SAL+17])
Using the NTT could be beneficial to NTRU because key generation requires inversion over a polynomial ring, which is a much more efficient operation when done over NTT-compatible rings
Summary
Lattice-based schemes based on structured polynomial lattices [HPS98, LPR13] provide us with one of the most promising solutions for post-quantum encryption. Using the NTT could be beneficial to NTRU because key generation (whose timing is important in ephemeral key exchange) requires inversion over a polynomial ring, which is a much more efficient operation when done over NTT-compatible rings. Despite this apparent advantage, there were no NTT-based NTRU schemes submitted to the NIST standardization process, and the key generation procedure in the proposed schemes ([HRSS17], [BCLvV17]) was significantly slower than in the proposals based on Ring / Module-LWE. Generalized LWE schemes like Kyber and Saber have the advantage that they are based on weaker assumptions, do not require re-implementation to increase/decrease security, and can be used as a basis for schemes requiring a large gap between error and modulus; NTRU has the advantage of faster encapsulation / decapsulation and may result in smaller outputs when used together with zero-knowledge proofs. One should hope that both of these variants of doing lattice-based cryptography become accepted standards.
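The abstract and the summary both rest on one observation: in a ring where the NTT is a ring isomorphism onto a product of small fields, multiplication and inversion are coefficient-wise in the NTT domain, so the polynomial inversion that dominates NTRU key generation becomes a batch of field inversions. The following is an added illustration written for this page, not code from the NTTRU paper or its AVX2 implementation. It deliberately uses a toy ring, Z_17[X]/(X^8 + 1), chosen so that X^8 + 1 splits into eight linear factors and the NTT reduces to evaluating at the eight roots. NTTRU's ring Z_7681[X]/(X^768 − X^384 + 1) is not used: 7680 is not a multiple of 2304, so that polynomial has no roots modulo 7681, its NTT stops at higher-degree factors, and the pointwise inversion shown here is only the simplest instance of the idea. All parameters and sample polynomials are constructed.

```python
# Toy illustration of NTT-domain arithmetic in a fully splitting ring
# (constructed example; not NTTRU's parameters or code).
# Ring: Z_Q[X]/(X^N + 1) with N a power of two and Q prime, 2N | Q - 1, so the
# NTT is a ring isomorphism onto Z_Q^N and every ring operation is pointwise.
Q = 17      # prime with 16 | Q - 1
N = 8       # power of two


def primitive_2n_root(q: int, n: int) -> int:
    """Smallest psi with psi^n = -1 (mod q), i.e. a primitive 2n-th root of
    unity; the order is exactly 2n because n is a power of two."""
    for g in range(2, q):
        if pow(g, n, q) == q - 1:
            return g
    raise ValueError("no primitive 2n-th root of unity: need 2n | q - 1")


PSI = primitive_2n_root(Q, N)      # roots of X^N + 1 are psi^(2i+1)
OMEGA = PSI * PSI % Q              # primitive N-th root of unity
PSI_INV = pow(PSI, Q - 2, Q)
OMEGA_INV = pow(OMEGA, Q - 2, Q)
N_INV = pow(N, Q - 2, Q)
ONE = [1] + [0] * (N - 1)          # the ring's multiplicative identity


def _dft(a, omega):
    """Recursive Cooley-Tukey DFT over Z_Q: returns [sum_j a_j*omega^(ij)]_i."""
    n = len(a)
    if n == 1:
        return list(a)
    even = _dft(a[0::2], omega * omega % Q)
    odd = _dft(a[1::2], omega * omega % Q)
    out = [0] * n
    w = 1
    for i in range(n // 2):
        t = w * odd[i] % Q
        out[i] = (even[i] + t) % Q
        out[i + n // 2] = (even[i] - t) % Q   # omega^(n/2) = -1
        w = w * omega % Q
    return out


def ntt(f):
    """Negacyclic NTT: evaluate f at the N roots psi^(2i+1) of X^N + 1.
    Twisting coefficient j by psi^j turns this into a cyclic DFT at omega."""
    twisted = [c * pow(PSI, j, Q) % Q for j, c in enumerate(f)]
    return _dft(twisted, OMEGA)


def intt(fhat):
    """Inverse of ntt(): inverse DFT, scale by 1/N, then untwist by psi^-j."""
    scaled = [c * N_INV % Q for c in _dft(fhat, OMEGA_INV)]
    return [c * pow(PSI_INV, j, Q) % Q for j, c in enumerate(scaled)]


def mul_schoolbook(f, g):
    """Reference O(N^2) product in Z_Q[X]/(X^N + 1), used only as a check."""
    res = [0] * N
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            k = i + j
            if k < N:
                res[k] = (res[k] + a * b) % Q
            else:                               # X^N = -1 wraps with a sign flip
                res[k - N] = (res[k - N] - a * b) % Q
    return res


def mul_ntt(f, g):
    """Multiplication is coefficient-wise in the NTT domain."""
    return intt([a * b % Q for a, b in zip(ntt(f), ntt(g))])


def invert_ntt(f):
    """Inversion is coefficient-wise too: f is a unit iff no NTT coefficient
    is zero. Returns None for a non-unit; a key generator would resample."""
    fhat = ntt(f)
    if any(c == 0 for c in fhat):
        return None
    return intt([pow(c, Q - 2, Q) for c in fhat])


if __name__ == "__main__":
    f = [1, 1, 0, 0, 0, 0, 0, 0]               # 1 + X, a unit in this ring
    f_inv = invert_ntt(f)
    print("(1 + X)^-1 =", f_inv)
    print("check f * f^-1 =", mul_schoolbook(f, f_inv))
    # 1 + 2X^2 vanishes at X = 5, which is a root of X^8 + 1 mod 17,
    # so one NTT coefficient is zero and no inverse exists.
    print("1 + 2X^2 invertible?", invert_ntt([1, 0, 2, 0, 0, 0, 0, 0]) is not None)
```

The schoolbook routine exists only to confirm that the NTT-domain results are ring operations in Z_17[X]/(X^8 + 1); in a real implementation both multiplication and the unit test "no zero NTT coefficient" run entirely in the transformed domain, which is what makes NTT-friendly rings attractive for NTRU key generation.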