BI-NTRU Encryption Schemes: Two New Secure Variants of NTRU

Abstract

NTRU is one of the first public key cryptosystems not based on factorization or discrete logarithmic problems and is also considered secure even against quantum computer attacks. In 2011, Stehle and Steinfeld proposed a variant of the classical NTRU that is IND-CPA secure but for the key generation algorithm, they use Gaussian distribution with a large standard deviation to prove the uniformity of the public key by assuming the hardness of Ring Learning With Error (Ring-LWE) problem. In this paper, we present two variants of NTRUEncrypt called BI-NTRU-Product and BI-NTRU-LPR which are IND-CPA secure assuming the hardness of Ring-LWE problem. We also show how one can design an IND-CCA2 secure key encapsulation mechanism from our encryption schemes by using a variant of the Fujisaki-Okamoto Transformation (CRYPTO 1999 and Journal of Cryptology 2013).

A Appendix

Characters on Finite Abelian Groups and Cauchy Inequality

Definition 13

(additive character [13]). Let G be a finite (additive) abelian group. An additive character on G is a function \(\chi : G \rightarrow \mathbb {C}\) such that

$$ \chi (g_1 + g_2) = \chi (g_1){.}\chi (g_2) \text { and } |\chi (g)|=1 $$

for any \(g, g_1, g_2\in G\). The character \(\chi _0\) with \(\chi _0(g) = 1\) for all \(g\in G\) is called the trivial character.

Remark 5

• One can define also in a similar way a multiplicative character with respect to a multiplicative character.

• The set of characters on G, together with the multiplication \((\chi _1 \chi _2)(g) = \chi _1(g)\chi _2(g)\) is an abelian group called character group of G, and denoted by \(\bar{G}\).

Theorem 3

Let G be a finite abelian group. Then there exists an isomorphism from G to \(\bar{G}\). In particular, \(|\bar{G}| = |G|\)

Theorem 4 (Orthogonality relations)

Let G be an abelian (additive) group of order n with character group \(\bar{G}\) and identity element \(0_G\).

1. 1.

   for each \(\chi \in \bar{G}\) we have \( \sum _{a\in G} \chi (a)={\left\{ \begin{array}{ll} n &{} {\textit{if}} \; \chi =\chi _0\\ 0 &{} {\textit{if}}\; \chi \ne \chi _0 \end{array}\right. }\)

2. 2.

   for each \(a \in G\) we have \( \sum _{\chi \in \bar{G}} \chi (a)={\left\{ \begin{array}{ll} n &{} {\textit{if}}\; a=0_G\\ 0 &{} {\textit{if}}\; a\ne 0_G \end{array}\right. }\)

Lemma 7

(Cauchy-Schwarz inequality [13]). The inequality \(\sum _{i=1}^N A_iB_i \le \left( \sum _{i=1}^N A_i^\alpha \right) ^{1/\alpha } \left( \sum _{i=1}^N B_i^\beta \right) ^{1/\beta } \) holds for any two sequences of positive numbers \(A_i, B_i\) for \(i=1,2, \ldots , N\) and any two positive numbers \(\alpha , \beta \) with \(1/\alpha + 1/\beta = 1\).

Proof of the Uniformity of the Distribution of the Public Keys Banks and Shparlinski in [1] show that for almost all \(Q\in R_q^\times \) the set \(\{Q.\phi : \phi \in \mathcal {L} \}\) is uniformly distributed where \(R_q=\mathbb {Z}_q[X]/(\varPhi (X)) \) with \(\varPhi \) a square free polynomials of degree N and \(\mathcal {L} \) is a subset of \(R_q\). We will show that their result remains true for almost all \(Q\in R_q\) i.e for almost all \(B\in R_q\), the set \(\{G=B.\phi :\phi \in \mathcal {L}_t\}\) is uniformly distributed.

Notice that Theorem 1 in [1] remains true if we replace \(R_q^\times \) by \(R_q\). For the sake of completeness, let us prove it:

Let \(\varPhi (X) = \varPsi _1(X) \ldots \varPsi _r(X)\) be the complete factorization of \(\varPhi (X)\) into square free polynomial in the ring \(R_q=\mathbb {Z}_q[x]/(\varPhi (X))\). Since \(\varPhi (X)\) is square-free in \(R_q\), then all of these factors are pairwise distinct.

We recall that \(\mathbb {F}_q[X]/\varPsi (X)\cong F_{q^m}\) for any irreducible polynomials \(\varPsi (X)\in \mathbb {F}_q[X]\) with \(\mathrm {deg} \varPsi = m\) For each \(j = 1, \ldots , r\), we fix a root \(\alpha _j\) of \(\varPsi _j(X)\) and denote

$$ \mathbb {K}_j=\mathbb {F}_{q^{n_j}}=\mathbb {F}_q(\alpha _j)\cong \mathbb {F}_q[X]/\varPsi _j(X) $$

where \(n_j=\mathrm {deg}\varPsi _j\). For each j, let \(Tr_j(z)=\sum _{k=0}^{n_j-1}z^{q^{n_j}}\) be the trace of \(z\in \mathbb {K}_j\) to \(\mathbb {F}_q\). We denote by A the direct product of fields, we recall that \(A=\mathbb {K}_1\times \mathbb {K}_2\times \ldots \times \mathbb {K}_r\). Consider the map \(G_\alpha :R_q \longrightarrow A: f \mapsto a_f=(f(\alpha _1),f(\alpha _2),\ldots ,f(\alpha _r))\)

One can show easily that the map \(G_\alpha \) is an isomorphism. Which implies that \(R_q\cong A\). For every vector \(a = (a_1, \ldots , a_r) \in A\), let \(\chi _a\) be the character of \(R_q\) given by

$$\begin{aligned} \chi _a(f)=\prod _{j=1}^re(Tr_j(a_jf(\alpha _j))),\qquad f\in R_q \end{aligned}$$

(1)

where \(e(z)=\exp (2i\pi z/q)\). It is easy to show that \(\{\chi _a,a\in A\}\) is the complete set of additive characters of \(R_q\).

We have the following lemma

Lemma 8

Let \(a = (a_1, \ldots , a_r) \in A\) and let \(\mathcal {J}=\{1,\ldots ,r\}\) be the set of j with \(a_j\ne 0\). Define \( W_a(\mathcal {L}_t)=\sum _{B\in R_q}\left| \sum _{\phi \in \mathcal {L}_t}\chi _a(B.\phi ) \right| \) for \(a\in A\). Then we have \( W_a(\mathcal {L}_t)\le q^N|\mathcal {L}_t|^{1/2}\prod _{j\notin \mathcal {J}}q^{n_j/2} \)

Proof:

Using the Cauchy-Schwarz inequality Lemma 7 (with \(A_i=1\) and \(B_i=\left| \sum _{\phi \in \mathcal {L}_t}\chi _a(B.\phi ) \right| \)), we derive

$$\begin{aligned} (W_a(\mathcal {L}_t))^2= & {} \left( \sum _{B\in R_q}\left| \sum _{\phi \in \mathcal {L}_t}\chi _a(B.\phi ) \right| \right) ^2\\\le & {} |R_q| \sum _{B\in R_q}\left| \sum _{\phi \in \mathcal {L}_t}\chi _a(B.\phi ) \right| ^2 \\= & {} |R_q| \sum _{B\in R_q} \sum _{\phi _1,\phi _2 \in \mathcal {L}_t}\chi _a(B.(\phi _1-\phi _2)) \\\le & {} |R_q| \sum _{\phi _1,\phi _2 \in \mathcal {L}_t} \sum _{B\in R_q}\prod _{j=1}^r e(Tr_j(a_jB(\alpha _j) (\phi _1(\alpha _j)-\phi _2( \alpha _j))))\\\le & {} |R_q| \sum _{\phi _1,\phi _2 \in \mathcal {L}_t} \prod _{j=1}^r \sum _{x_j\in \mathbb {K}_j} e(Tr_j(a_jx_j(\phi _1(\alpha _j)-\phi _2( \alpha _j))))\\= & {} |R_q| \prod _{j\notin \mathcal {J}}q^{n_j} \sum _{\phi _1,\phi _2 \in \mathcal {L}_t} \prod _{j\in \mathcal {J}} \sum _{x_j\in \mathbb {K}_j} e(Tr_j(a_jx_j (\phi _1(\alpha _j)-\phi _2( \alpha _j)))) \end{aligned}$$

We have the following:

• if \(\phi _1(\alpha _j) \ne \phi _2(\alpha _j)\) for some \(j \in \mathcal {J}\), the product vanishes

• otherwise \( \prod _{j\in \mathcal {J}} \sum _{x_j\in \mathbb {K}_j} e(Tr_j(a_jx_j (\phi _1(\alpha _j)-\phi _2( \alpha _j)))) =\prod _{j\in \mathcal {J}}q^{n_j}\)

Hence,

$$\begin{aligned} (W_a(\mathcal {L}_t))^2\le & {} |R_q| \prod _{j\notin \mathcal {J}}q^{n_j} \sum _{\underset{\phi _1(\alpha _j) = \phi _2(\alpha _j)\forall j}{\phi _1,\phi _2 \in \mathcal {L}_t}} \prod _{j\in \mathcal {J}}q^{n_j}\\= & {} q^N \prod _{j\notin \mathcal {J}}q^{n_j} \prod _{j\in \mathcal {J}}q^{n_j}\sum _{\underset{\phi _1(\alpha _j) = \phi _2(\alpha _j)\forall j}{\phi _1,\phi _2 \in \mathcal {L}_t}} 1\\= & {} q^{2N} \sum _{\underset{\phi _1(\alpha _j) = \phi _2(\alpha _j)\forall j}{\phi _1,\phi _2 \in \mathcal {L}_t}} 1 \end{aligned}$$

Since \(\{\varPsi _j | j = 1,\ldots , r\}\) are irreducible polynomials, the condition \(\phi _1(\alpha _j)= \phi _2(\alpha _j)\)) is equivalent to \(\varPsi _j|(\phi _1-\phi _2)\). Hence \( (W_a(\mathcal {L}_t))^2\le q^{2N} M(\mathcal {J})\) where \( M(\mathcal {J})=\sum _{\underset{\phi _1(\alpha _j) = \phi _2(\alpha _j)\forall j}{\phi _1,\phi _2 \in \mathcal {L}_t}} 1\) is the number of pairs \(\phi _1, \phi _2 \in \mathcal {L}_t\) with \(\phi _1\equiv \phi _2\ (\mathrm{{mod}}\,\,\prod _{j\in \mathcal {J}} \varPsi _j).\) For each \(\phi _1\in \mathcal {L}_t\) there are at most \( q^N\prod _{j\in \mathcal {J}}q^{-n_j}=\prod _{j\notin \mathcal {J}}q^{n_j} \) such values for \(\phi _2\). Consequently \( M(\mathcal {J})\le |\mathcal {L}_t|\prod _{j\notin \mathcal {J}}q^{n_j} \) and the lemma follows.    \(\square \)

Theorem 5

Given polynomials \(S \in R_q\) and \(B \in R_q\), a set \(\mathcal {L}_t \subset R_q\), and an integer d. We denote by \(N_d(S, B, \mathcal {L}_t)\) the number of polynomials \(\phi \in \mathcal {L}_t\) such that the inequality \(\mathrm {deg}(S - B \phi ) < d\) holds. Then for \(q>4\), the following bound holds.

$$ \dfrac{1}{|R_q|}\sum _{B\in R_q}\left| N_d(S,B,\mathcal {L}_t) -\dfrac{|\mathcal {L}_t|}{q^{N-d}}\right| \le 3^{Nq^{-1/2}} |\mathcal {L}_t|^{1/2} $$

Proof:

We know that \(N_d(S, B, \mathcal {L}_t) = q^{-d} T_d(S, B, \mathcal {L}_t)\), where \(T_d(S, B, \mathcal {L}_t)\) is the number of representations \(B.\phi = S +\psi _1-\psi _2\) with \(\phi \in \mathcal {L}_t\) and polynomials \(\psi _1,\psi _2\in R_q\) of degree at most \(d- 1\). We have

$$\begin{aligned} T_d(S, B, \mathcal {L}_t)= & {} \dfrac{1}{q^N} \sum _{\phi \in \mathcal {L}_t}\sum _{\underset{\mathrm {deg}(\psi _1),\mathrm {deg}(\psi _1)\le d-1}{\psi _1, \psi _2\in R_q}}\sum _{a\in A}\chi _a(B.\phi -S-\psi _1+\psi _2)\\= & {} \dfrac{1}{q^N} \sum _{\phi \in \mathcal {L}_t}\sum _{\underset{\mathrm {deg}(\psi _1),\mathrm {deg}(\psi _1)\le d-1 }{\psi _1,\psi _2\in R_q}}\sum _{a\in A}\chi _a(B.\phi )\chi _a(-S)\chi _a(-\psi _1+\psi _2))\\= & {} \dfrac{1}{q^N}\sum _{a\in A}\chi _a(-S)\sum _{\phi \in \mathcal {L}_t}\chi _a(B.\phi )\sum _{\underset{\mathrm {deg}(\psi _1), \mathrm {deg}(\psi _1)\le d-1}{\psi _1,\psi _2\in R_q}}\chi _a(\psi _2-\psi _1)\\= & {} \dfrac{1}{q^N}\sum _{a\in A}\chi _a(-S)\sum _{\phi \in \mathcal {L}_t}\chi _a(B.\phi )\left| \sum _{\underset{ \mathrm {deg}(\psi )\le d-1}{\psi \in R_q}}\chi _a(\psi )\right| ^2\\= & {} \dfrac{1}{q^N}\sum _{\underset{a\ne 0}{a\in A}}\chi _a(-S)\sum _{\phi \in \mathcal {L}_t}\chi _a(B.\phi )\left| \sum _{\underset{ \mathrm {deg}(\psi )\le d-1}{\psi \in R_q}}\chi _a(\psi )\right| ^2 +\underset{}{q^{2d-N}|\mathcal {L}_t|} \end{aligned}$$

For any nonempty set \(\mathcal {J} \subseteq \{1, \ldots , r\}\), let \(A_\mathcal {J}\) be the subset of A consisting of all \(a = (a_1,\ldots , a_r)\) such that \(a_j = 0\) whenever \(j\notin \mathcal {J}\). Then we obtain

$$ \left| T_d(S, B, \mathcal {L}_t)-\dfrac{|\mathcal {L}_t|}{q^{N-2d}}\right| \le \dfrac{1}{q^N}\sum _{\overset{\mathcal {J}\ne \emptyset }{\mathcal {J} \subseteq \{1,\ldots ,r\}}}\sum _{\overset{a\ne 0}{a\in A_\mathcal {J}}} \left| \sum _{\phi \in \mathcal {L}_t}\chi _a(B. \phi )\right| \left| \sum _{\underset{\mathrm {deg}(\psi )\le d-1}{\psi \in R_q}}\chi _a(\psi )\right| ^2 $$

Applying Lemma 8, it follows that

$$\sum _{Q\in R_q} \!\left| T_d(S, B, \mathcal {L}_t)-\dfrac{|\mathcal {L}_t|}{q^{N-2d}}\right| \le |\mathcal {L}_t|^{1/2} \!\sum _{\overset{\mathcal {J}\ne \emptyset }{\mathcal {J} \subseteq \{1,\ldots ,r\}}} \prod _{j\notin \mathcal {J}}q^{n_j/2} \sum _{\overset{a\ne 0}{a\in A_\mathcal {J}}} \! \left| \sum _{\underset{\mathrm {deg}(\psi )\le d-1}{\psi \in R_q}}\chi _a(\psi )\right| ^2 $$

We have

$$\begin{aligned} \sum _{\overset{a\ne 0}{a\in A_\mathcal {J}}} \left| \sum _{\underset{\mathrm {deg}(\psi )\le d-1}{\psi \in R_q}}\chi _a(\psi )\right| ^2= & {} -q^{2d}+ \sum _{a\in A_\mathcal {J}} \left| \sum _{\underset{\mathrm {deg}(\psi )\le d-1}{\psi \in R_q}}\chi _a(\psi )\right| ^2\\= & {} -q^{2d}+ \sum _{a\in A_\mathcal {J}} \sum _{\underset{\mathrm {deg}(\phi ),\mathrm {deg}(\psi )\le d-1}{\phi ,\psi \in R_q}}\chi _a(\phi -\psi )\\= & {} -q^{2d}+ \sum _{\underset{\mathrm {deg}(\phi ),\mathrm {deg}(\psi )\le d-1}{\phi ,\psi \in R_q}} \sum _{a\in A_\mathcal {J}} \chi _a(\phi -\psi )\\= & {} -q^{2d}+ \sum _{\underset{\mathrm {deg}(\phi ),\mathrm {deg}(\psi )\le d-1}{\phi ,\psi \in R_q}} \sum _{a\in A_\mathcal {J}} \prod _{j\in \mathcal {J}}e(Tr_j(a_j(\phi (\alpha _j)-\psi (\alpha _j))))\\= & {} -q^{2d}+ U \prod _{j\in \mathcal {J}}q^{n_j} \end{aligned}$$

where U is the number of pairs of \(\phi ,\psi \in R_q\) with \(\mathrm {deg}(\phi ),\mathrm {deg}(\psi )\le d-1\) and such that \(\phi _(\alpha _j) = \psi (\alpha _j)\) for all \(j \in \mathcal {J}\). Since this condition is equivalent to the polynomial congruence \( \phi (X)\equiv \psi (X)\ (\mathrm{{mod}}\,\,\prod _{j\in \mathcal {J}}\varPsi _j(X)) \) we derive that

$$ U=\left\{ \begin{matrix} q^{2d}\prod \nolimits _{j\in \mathcal {J}}q^{-n_j},&{} if\ d\ge \sum \nolimits _{j\in \mathcal {J}}n_j\\ q^d,&{} \text { otherwise} \end{matrix} \right. $$

Hence, in either case \( 0\le -q^{2d}+U\prod _{j\in \mathcal {J}}q^{n_j}\le q^d \prod _{j\in \mathcal {J}}q^{n_j}\) and consequently

$$ \sum _{\overset{a\ne 0}{a\in A_\mathcal {J}}} \left| \sum _{\underset{\mathrm {deg}(\psi )\le d-1}{\psi \in R_q}}\chi _a(\psi )\right| ^2 \le q^d \prod _{j\in \mathcal {J}}q^{n_j} $$

Therefore, we have

$$\begin{aligned} \dfrac{1}{|R_q|}\sum _{Q\in R_q} \left| T_d(S, B, \mathcal {L}_t)-\dfrac{|\mathcal {L}_t|}{q^{N-2d}}\right|\le & {} |R_q|^{-1}|\mathcal {L}_t|^{1/2}q^{d}\sum _{\overset{\mathcal {J}\ne \emptyset }{\mathcal {J}\subseteq \{1,\ldots ,r \}}}\prod _{j\notin \mathcal {J}}q^{n_j/2} \prod _{j\in \mathcal {J}}q^{n_j}\\\le & {} |\mathcal {L}_t|^{1/2}q^{d-N/2}\sum _{\overset{\mathcal {J}\ne \emptyset }{\mathcal {J}\subseteq \{1,\ldots ,r\}}} \prod _{j\in \mathcal {J}}q^{n_j/2}\\\le & {} |\mathcal {L}_t|^{1/2}q^{d-N/2}\left( \prod _{j=1}^{r}(1+q^{n_j/2})-1 \right) \\< & {} |\mathcal {L}_t|^{1/2}q^{d-N/2} \prod _{j=1}^{r}(1+q^{n_j/2})\\= & {} |\mathcal {L}_t|^{1/2}q^{d} \prod _{j=1}^r(1+q^{-n_j/2}) \end{aligned}$$

Since \((1 + x) \le 3^x\) for every \(0\le x\le 1\), and each term \(q^{n_j/2}>1\), we have

$$ \prod _{j=1}^{r}(1+q^{-n_j/2}) \le \prod _{j=1}^{r} 3^{q^{-n_j/2}} \le \prod _{j=1}^{r} 3^{q^{-1/2}} \le 3^{Nq^{-1/2}} $$

Consequently

$$ \dfrac{1}{|R_q|}\sum _{Q\in R_q} \left| T_d(S, B, \mathcal {L}_t)-\dfrac{|\mathcal {L}_t|}{q^{N-2d}}\right| \le 3^{Nq^{-1/2}} |\mathcal {L}_r|^{1/2}q^{d} $$

Since \( T_d(S, B, \mathcal {L}_t) = q^{d} N_d(S, B, \mathcal {L}_t)\), we have

$$ \dfrac{1}{|R_q|}\sum _{B\in R_q}\left| N_d(S,B,\mathcal {L}_t) -\dfrac{|\mathcal {L}_t|}{q^{N-d}}\right| \le 3^{Nq^{-1/2}} |\mathcal {L}_t|^{1/2} $$

   \(\square \)