More Efficient Algorithms for the NTRU Key Generation Using the Field Norm

  • Thomas Pornin
  • Thomas PrestEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11443)


NTRU lattices [13] are a class of polynomial rings which allow for compact and efficient representations of the lattice basis, thereby offering very good performance characteristics for the asymmetric algorithms that use them. Signature algorithms based on NTRU lattices have fast signature generation and verification, and relatively small signatures, public keys and private keys.

A few lattice-based cryptographic schemes entail, generally during the key generation, solving the NTRU equation:
$$\begin{aligned} f G - g F = q \mod x^n + 1 \end{aligned}$$
Here f and g are fixed, the goal is to compute solutions F and G to the equation, and all the polynomials are in \({\mathbb {Z}}[x]/(x^n + 1)\). The existing methods for solving this equation are quite cumbersome: their time and space complexities are at least cubic and quadratic in the dimension n, and for typical parameters they therefore require several megabytes of RAM and take more than a second on a typical laptop, precluding onboard key generation in embedded systems such as smart cards.

In this work, we present two new algorithms for solving the NTRU equation. Both algorithms make a repeated use of the field norm in tower of fields; it allows them to be faster and more compact than existing algorithms by factors \({\tilde{O}}(n)\). For lattice-based schemes considered in practice, this reduces both the computation time and RAM usage by factors at least 100, making key pair generation within range of smart card abilities.


  1. 1.
    Albrecht, M.R., Bai, S., Ducas, L.: A subfield lattice attack on overstretched NTRU assumptions. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part I. LNCS, vol. 9814, pp. 153–178. Springer, Heidelberg (2016). Scholar
  2. 2.
    Babai, L.: On Lovász’ lattice reduction and the nearest lattice point problem. In: Mehlhorn, K. (ed.) STACS 1985. LNCS, vol. 182, pp. 13–20. Springer, Heidelberg (1985). Scholar
  3. 3.
    Bernstein, D.J., Chuengsatiansup, C., Lange, T., van Vredendaal, C.: NTRU prime. Technical report, National Institute of Standards and Technology (2017).
  4. 4.
    Campbell, P., Groves, M.: Practical post-quantum hierarchical identity-based encryption. In: 16th IMA International Conference on Cryptography and Coding (2017).,785752, en.pdf
  5. 5.
    Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 523–552. Springer, Heidelberg (2010). Scholar
  6. 6.
    Cheon, J.H., Jeong, J., Lee, C.: An algorithm for NTRU problems and cryptanalysis of the GGH multilinear map without a low level encoding of zero. Cryptology ePrint Archive, Report 2016/139 (2016).
  7. 7.
    Cooley, J.W., Tukey, J.W.: An algorithm for the machine calculation of complex Fourier series. Math. Comput. 19(90), 297–301 (1965)MathSciNetCrossRefGoogle Scholar
  8. 8.
    Ducas, L., Lyubashevsky, V., Prest, T.: Efficient identity-based encryption over NTRU lattices. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 22–41. Springer, Heidelberg (2014). Scholar
  9. 9.
    von zur Gathen, J., Gerhard, J.: Modern Computer Algebra, 3rd edn. Cambridge University Press, Cambridge (2013)CrossRefGoogle Scholar
  10. 10.
    Gentleman, W.M., Sande, G.: Fast Fourier transforms: for fun and profit. In: Proceedings of the 7–10 November 1966, Fall Joint Computer Conference, pp. 563–578. ACM (1966)Google Scholar
  11. 11.
    Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Ladner, R.E., Dwork, C. (eds.) 40th ACM STOC, pp. 197–206. ACM Press, May 2008.
  12. 12.
    Hoffstein, J., Howgrave-Graham, N., Pipher, J., Silverman, J.H., Whyte, W.: NTRUSign: digital signatures using the NTRU lattice. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 122–140. Springer, Heidelberg (2003). Scholar
  13. 13.
    Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998). Scholar
  14. 14.
    Kirchner, P., Fouque, P.-A.: Revisiting lattice attacks on overstretched NTRU parameters. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part I. LNCS, vol. 10210, pp. 3–26. Springer, Cham (2017). Scholar
  15. 15.
    Micciancio, D., Warinschi, B.: A linear space algorithm for computing the herite normal form. In: Kaltofen, E., Villard, G. (eds.) Proceedings of the 2001 International Symposium on Symbolic and Algebraic Computation, ISSAC 2001, ORCCA & University of Western Ontario, London, Ontario, Canada, 22–25 July 2001, pp. 231–236. ACM (2001).
  16. 16.
    NIST: Security requirements for cryptographic modules (2001).
  17. 17.
    NIST: Submission requirements and evaluation criteria for the post-quantum cryptography standardization process (2016).
  18. 18.
    Prest, T., et al.: Falcon. Technical report, National Institute of Standards and Technology (2017).
  19. 19.
    Schönhage, A., Strassen, V.: Schnelle multiplikation großer zahlen. Computing 7(3–4), 281–292 (1971). Scholar
  20. 20.
    Smart, N.P., et al.: LIMA. Technical report, National Institute of Standards and Technology (2017).
  21. 21.
    Stehlé, D., Steinfeld, R.: Making NTRUEncrypt and NTRUSign as secure as standard worst-case problems over ideal lattices. Cryptology ePrint Archive, Report 2013/004 (2013).

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  1. 1.NCC GroupTorontoCanada
  2. 2.PQShield Ltd.OxfordUK

Personalised recommendations