Abstract
NTRU is one of the first public key cryptosystems not based on factorization or discrete logarithm problems, and it is also considered secure against quantum computer attacks. In 2011, Stehlé and Steinfeld proposed a variant of the classical NTRU that is IND-CPA secure, but their key generation algorithm samples from a Gaussian distribution with a large standard deviation in order to prove the uniformity of the public key under the hardness of the Ring Learning With Errors (Ring-LWE) problem. In this paper, we present two variants of NTRUEncrypt, called BI-NTRU-Product and BI-NTRU-LPR, which are IND-CPA secure assuming the hardness of the Ring-LWE problem. We also show how one can design an IND-CCA2 secure key encapsulation mechanism from our encryption schemes by using a variant of the Fujisaki-Okamoto transformation (CRYPTO 1999 and Journal of Cryptology 2013).
References
[1] Banks, W.D., Shparlinski, I.E.: A Variant of NTRU with Non-invertible Polynomials. In: Menezes, A., Sarkar, P. (eds.) INDOCRYPT 2002. LNCS, vol. 2551, pp. 62–70. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36231-2_6
[2] Bos, J.W., Ducas, L., Kiltz, E., Lepoint, T., Lyubashevsky, V., Schanck, J.M., Schwabe, P., Seiler, G., Stehlé, D.: CRYSTALS - Kyber: A CCA-Secure Module-Lattice-Based KEM. EuroS&P 2018, pp. 353–367 (2018)
[3] Bernstein, D.J., Chuengsatiansup, C., Lange, T., van Vredendaal, C.: NTRU Prime. Cryptology ePrint Archive, Report 2016/461 (2016)
[4] Coppersmith, D., Shamir, A.: Lattice Attacks on NTRU. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 52–61. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_5
[5] D'Anvers, J.-P., Karmakar, A., Sinha Roy, S., Vercauteren, F.: Saber: Module-LWR Based Key Exchange, CPA-Secure Encryption and CCA-Secure KEM. In: Joux, A., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2018. LNCS, vol. 10831, pp. 282–305. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-89339-6_16
[6] Dent, A.W.: A Designer's Guide to KEMs. In: Paterson, K.G. (ed.) Cryptography and Coding 2003. LNCS, vol. 2898, pp. 133–151. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40974-8_12
[7] Fujisaki, E., Okamoto, T.: Secure Integration of Asymmetric and Symmetric Encryption Schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_34
[8] Hofheinz, D., Hövelmanns, K., Kiltz, E.: A Modular Analysis of the Fujisaki-Okamoto Transformation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 341–371. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_12
[9] Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: A Ring-Based Public Key Cryptosystem. ANTS-III. LNCS, vol. 1423, pp. 267–288. Springer (1998)
[10] Howgrave-Graham, N., Silverman, J.H., Singer, A., Whyte, W.: NAEP: Provable Security in the Presence of Decryption Failures. IACR Cryptology ePrint Archive, Report 2003/172 (2003)
[11] Howgrave-Graham, N., Silverman, J.H., Whyte, W.: Choosing Parameter Sets for NTRUEncrypt with NAEP and SVES-3. IACR Cryptology ePrint Archive, Report 2005/045 (2005). https://eprint.iacr.org/2005/045
[12] Hülsing, A., Rijneveld, J., Schanck, J., Schwabe, P.: High-Speed Key Encapsulation from NTRU. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 232–252. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_12
[13] Konyagin, S., Shparlinski, I.: Character Sums with Exponential Functions and their Applications. Cambridge University Press (1994)
[14] López-Alt, A., Tromer, E., Vaikuntanathan, V.: On-the-fly Multiparty Computation on the Cloud via Multikey Fully Homomorphic Encryption. In: Proceedings of the 44th Annual ACM Symposium on Theory of Computing (STOC '12), pp. 1219–1234. ACM, New York (2012). https://doi.org/10.1145/2213977.2214086
[15] Lyubashevsky, V., Peikert, C., Regev, O.: On Ideal Lattices and Learning with Errors over Rings. EUROCRYPT 2010. LNCS, pp. 1–23 (2010). https://doi.org/10.1007/978-3-642-13190-5_1
[16] Lyubashevsky, V., Peikert, C., Regev, O.: On Ideal Lattices and Learning with Errors over Rings. Journal of the ACM 60(6), 43:1–43:35 (2013). Preliminary version in EUROCRYPT 2010
[17] National Institute of Standards and Technology: Announcing Request for Nominations for Public-Key Post-Quantum Cryptographic Algorithms (2016). https://csrc.nist.gov/news/2016/public-key-post-quantum-cryptographic-algorithms
[18] Peikert, C., Waters, B.: Lossy Trapdoor Functions and Their Applications. STOC 2008, pp. 187–196 (2008)
[19] Regev, O.: On Lattices, Learning with Errors, Random Linear Codes, and Cryptography. Journal of the ACM 56(6), 1–40 (2009). Preliminary version in STOC 2005
[20] Shor, P.W.: Algorithms for Quantum Computation: Discrete Logarithms and Factoring. In: Proc. 35th Annual Symposium on Foundations of Computer Science, pp. 124–134. IEEE (1994)
[21] Shor, P.W.: Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer. SIAM Journal on Computing 26(5), 1484–1509 (1997). Extended abstract in FOCS '94
[22] Stehlé, D., Steinfeld, R.: Making NTRU as Secure as Worst-Case Problems over Ideal Lattices. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 27–47. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_4
[23] Steinfeld, R., Ling, S., Pieprzyk, J., Tartary, C., Wang, H.: NTRUCCA: How to Strengthen NTRUEncrypt to Chosen-Ciphertext Security in the Standard Model. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 353–371. Springer (2012)
Acknowledgment
The authors would like to thank anonymous reviewers for their helpful comments and suggestions, and Igor E. Shparlinski for many online discussions.
A Appendix
Characters on Finite Abelian Groups and Cauchy Inequality
Definition 13 (additive character [13])
Let G be a finite (additive) abelian group. An additive character on G is a function \(\chi : G \rightarrow \mathbb {C}\) such that
for any \(g, g_1, g_2\in G\). The character \(\chi _0\) with \(\chi _0(g) = 1\) for all \(g\in G\) is called the trivial character.
Remark 5
- One can define a multiplicative character in a similar way, with respect to the multiplicative structure of the group.
- The set of characters on G, together with the multiplication \((\chi _1 \chi _2)(g) = \chi _1(g)\chi _2(g)\), is an abelian group called the character group of G and denoted by \(\bar{G}\).
Theorem 3
Let G be a finite abelian group. Then there exists an isomorphism from G to \(\bar{G}\). In particular, \(|\bar{G}| = |G|\).
Theorem 4 (Orthogonality relations)
Let G be an abelian (additive) group of order n with character group \(\bar{G}\) and identity element \(0_G\).
1. For each \(\chi \in \bar{G}\) we have \( \sum _{a\in G} \chi (a)={\left\{ \begin{array}{ll} n &{} {\textit{if}} \; \chi =\chi _0\\ 0 &{} {\textit{if}}\; \chi \ne \chi _0 \end{array}\right. }\)
2. For each \(a \in G\) we have \( \sum _{\chi \in \bar{G}} \chi (a)={\left\{ \begin{array}{ll} n &{} {\textit{if}}\; a=0_G\\ 0 &{} {\textit{if}}\; a\ne 0_G \end{array}\right. }\)
Lemma 7
(Cauchy-Schwarz inequality [13]). The inequality \(\sum _{i=1}^N A_iB_i \le \left( \sum _{i=1}^N A_i^\alpha \right) ^{1/\alpha } \left( \sum _{i=1}^N B_i^\beta \right) ^{1/\beta } \) holds for any two sequences of positive numbers \(A_i, B_i\) for \(i=1,2, \ldots , N\) and any two positive numbers \(\alpha , \beta \) with \(1/\alpha + 1/\beta = 1\).
Proof of the Uniformity of the Distribution of the Public Keys
Banks and Shparlinski in [1] show that for almost all \(Q\in R_q^\times \) the set \(\{Q.\phi : \phi \in \mathcal {L} \}\) is uniformly distributed, where \(R_q=\mathbb {Z}_q[X]/(\varPhi (X)) \) with \(\varPhi \) a square-free polynomial of degree N and \(\mathcal {L} \) a subset of \(R_q\). We will show that their result remains true for almost all \(Q\in R_q\), i.e. for almost all \(B\in R_q\), the set \(\{G=B.\phi :\phi \in \mathcal {L}_t\}\) is uniformly distributed.
Notice that Theorem 1 in [1] remains true if we replace \(R_q^\times \) by \(R_q\). For the sake of completeness, let us prove it:
Let \(\varPhi (X) = \varPsi _1(X) \ldots \varPsi _r(X)\) be the complete factorization of \(\varPhi (X)\) into irreducible polynomials over \(\mathbb {F}_q\), so that \(R_q=\mathbb {Z}_q[X]/(\varPhi (X))\). Since \(\varPhi (X)\) is square-free over \(\mathbb {F}_q\), all of these factors are pairwise distinct.
We recall that \(\mathbb {F}_q[X]/\varPsi (X)\cong \mathbb {F}_{q^m}\) for any irreducible polynomial \(\varPsi (X)\in \mathbb {F}_q[X]\) with \(\mathrm {deg} \varPsi = m\). For each \(j = 1, \ldots , r\), we fix a root \(\alpha _j\) of \(\varPsi _j(X)\) and denote
where \(n_j=\mathrm {deg}\varPsi _j\). For each j, let \(Tr_j(z)=\sum _{k=0}^{n_j-1}z^{q^{k}}\) be the trace of \(z\in \mathbb {K}_j\) to \(\mathbb {F}_q\). We denote by A the direct product of fields \(A=\mathbb {K}_1\times \mathbb {K}_2\times \ldots \times \mathbb {K}_r\). Consider the map \(G_\alpha :R_q \longrightarrow A: f \mapsto a_f=(f(\alpha _1),f(\alpha _2),\ldots ,f(\alpha _r))\).
One can easily show that the map \(G_\alpha \) is an isomorphism, which implies that \(R_q\cong A\). For every vector \(a = (a_1, \ldots , a_r) \in A\), let \(\chi _a\) be the character of \(R_q\) given by
where \(e(z)=\exp (2i\pi z/q)\). It is easy to show that \(\{\chi _a,a\in A\}\) is the complete set of additive characters of \(R_q\).
We have the following lemma.
Lemma 8
Let \(a = (a_1, \ldots , a_r) \in A\) and let \(\mathcal {J}\subseteq \{1,\ldots ,r\}\) be the set of j with \(a_j\ne 0\). Define \( W_a(\mathcal {L}_t)=\sum _{B\in R_q}\left| \sum _{\phi \in \mathcal {L}_t}\chi _a(B.\phi ) \right| \) for \(a\in A\). Then we have \( W_a(\mathcal {L}_t)\le q^N|\mathcal {L}_t|^{1/2}\prod _{j\notin \mathcal {J}}q^{n_j/2} \).
Proof:
Using the Cauchy-Schwarz inequality Lemma 7 (with \(A_i=1\) and \(B_i=\left| \sum _{\phi \in \mathcal {L}_t}\chi _a(B.\phi ) \right| \)), we derive
We have the following:
- if \(\phi _1(\alpha _j) \ne \phi _2(\alpha _j)\) for some \(j \in \mathcal {J}\), the product vanishes;
- otherwise \( \prod _{j\in \mathcal {J}} \sum _{x_j\in \mathbb {K}_j} e(Tr_j(a_jx_j (\phi _1(\alpha _j)-\phi _2( \alpha _j)))) =\prod _{j\in \mathcal {J}}q^{n_j}\).
Hence,
Since \(\{\varPsi _j | j = 1,\ldots , r\}\) are irreducible polynomials, the condition \(\phi _1(\alpha _j)= \phi _2(\alpha _j)\) is equivalent to \(\varPsi _j|(\phi _1-\phi _2)\). Hence \( (W_a(\mathcal {L}_t))^2\le q^{2N} M(\mathcal {J})\), where \( M(\mathcal {J})=\sum _{\underset{\phi _1(\alpha _j) = \phi _2(\alpha _j)\forall j\in \mathcal {J}}{\phi _1,\phi _2 \in \mathcal {L}_t}} 1\) is the number of pairs \(\phi _1, \phi _2 \in \mathcal {L}_t\) with \(\phi _1\equiv \phi _2\ (\mathrm{{mod}}\,\,\prod _{j\in \mathcal {J}} \varPsi _j).\) For each \(\phi _1\in \mathcal {L}_t\) there are at most \( q^N\prod _{j\in \mathcal {J}}q^{-n_j}=\prod _{j\notin \mathcal {J}}q^{n_j} \) such values for \(\phi _2\). Consequently \( M(\mathcal {J})\le |\mathcal {L}_t|\prod _{j\notin \mathcal {J}}q^{n_j} \) and the lemma follows. \(\square \)
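A small numerical check of the construction above and of Lemma 8, added here as an illustration (this is not code from the paper). It uses constructed toy parameters q = 5, N = 4, Φ(X) = X^4 − 1: since N divides q − 1, Φ splits into linear factors over F_5, so every K_j = F_q, n_j = 1, each Tr_j is the identity and G_α is evaluation at the 4th roots of unity. The set L_t is taken to be the ternary polynomials with exactly two nonzero coefficients; the function names are the example's own.

```python
import cmath
import itertools
import math

# Constructed toy parameters (not the paper's): q = 5, N = 4, Phi(X) = X^4 - 1.
Q, N = 5, 4
ROOTS = [x for x in range(Q) if pow(x, N, Q) == 1]   # alpha_1..alpha_r, here r = N = 4

def poly_mul(f, g):
    """Product in R_q = Z_q[X]/(X^N - 1): cyclic convolution modulo q."""
    h = [0] * N
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            h[(i + j) % N] = (h[(i + j) % N] + fi * gj) % Q
    return h

def g_alpha(f):
    """The map G_alpha: f -> (f(alpha_1), ..., f(alpha_r))."""
    return tuple(sum(c * pow(a, k, Q) for k, c in enumerate(f)) % Q for a in ROOTS)

def chi(a, f):
    """Additive character chi_a(f) = e(sum_j Tr_j(a_j f(alpha_j))) with e(z) = exp(2 pi i z / q)."""
    s = sum(aj * fj for aj, fj in zip(a, g_alpha(f))) % Q
    return cmath.exp(2j * math.pi * s / Q)

R_Q = list(itertools.product(range(Q), repeat=N))          # all q^N elements of R_q

def g_alpha_is_ring_isomorphism():
    """Bijective onto A = F_q^r, and multiplicative on a sample of pairs."""
    injective = len({g_alpha(f) for f in R_Q}) == Q ** N
    mult_ok = all(g_alpha(poly_mul(f, g)) == tuple((x * y) % Q for x, y in zip(g_alpha(f), g_alpha(g)))
                  for f in R_Q[:40] for g in R_Q[-40:])
    return injective and mult_ok

def orthogonality_holds(a):
    """Theorem 4(1): sum over R_q of chi_a is q^N for the trivial character and 0 otherwise."""
    total = sum(chi(a, f) for f in R_Q)
    expected = Q ** N if all(x == 0 for x in a) else 0
    return abs(total - expected) < 1e-6

def w_a(a, L):
    """W_a(L) = sum_{B in R_q} | sum_{phi in L} chi_a(B.phi) |."""
    return sum(abs(sum(chi(a, poly_mul(B, phi)) for phi in L)) for B in R_Q)

def lemma8_bound(a, L):
    """q^N |L|^{1/2} prod_{j not in J} q^{n_j/2}, with n_j = 1 and J = {j : a_j != 0}."""
    zeros = sum(1 for x in a if x == 0)
    return Q ** N * math.sqrt(len(L)) * Q ** (zeros / 2)

# Constructed L_t: ternary polynomials (coefficients in {-1, 0, 1} mod q) with exactly 2 nonzero terms.
L_T = [f for f in itertools.product((0, 1, Q - 1), repeat=N) if sum(1 for c in f if c) == 2]
```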
Theorem 5
Given polynomials \(S \in R_q\) and \(B \in R_q\), a set \(\mathcal {L}_t \subset R_q\), and an integer d. We denote by \(N_d(S, B, \mathcal {L}_t)\) the number of polynomials \(\phi \in \mathcal {L}_t\) such that the inequality \(\mathrm {deg}(S - B \phi ) < d\) holds. Then for \(q>4\), the following bound holds.
Proof:
We know that \(N_d(S, B, \mathcal {L}_t) = q^{-d} T_d(S, B, \mathcal {L}_t)\), where \(T_d(S, B, \mathcal {L}_t)\) is the number of representations \(B.\phi = S +\psi _1-\psi _2\) with \(\phi \in \mathcal {L}_t\) and polynomials \(\psi _1,\psi _2\in R_q\) of degree at most \(d- 1\). We have
For any nonempty set \(\mathcal {J} \subseteq \{1, \ldots , r\}\), let \(A_\mathcal {J}\) be the subset of A consisting of all \(a = (a_1,\ldots , a_r)\) such that \(a_j = 0\) whenever \(j\notin \mathcal {J}\). Then we obtain
Applying Lemma 8, it follows that
We have
where U is the number of pairs \(\phi ,\psi \in R_q\) with \(\mathrm {deg}(\phi ),\mathrm {deg}(\psi )\le d-1\) and such that \(\phi (\alpha _j) = \psi (\alpha _j)\) for all \(j \in \mathcal {J}\). Since this condition is equivalent to the polynomial congruence \( \phi (X)\equiv \psi (X)\ (\mathrm{{mod}}\,\,\prod _{j\in \mathcal {J}}\varPsi _j(X)) \), we derive that
Hence, in either case \( 0\le -q^{2d}+U\prod _{j\in \mathcal {J}}q^{n_j}\le q^d \prod _{j\in \mathcal {J}}q^{n_j}\) and consequently
Therefore, we have
Since \((1 + x) \le 3^x\) for every \(0\le x\le 1\), and each term \(q^{n_j/2}>1\), we have
Consequently
Since \( T_d(S, B, \mathcal {L}_t) = q^{d} N_d(S, B, \mathcal {L}_t)\), we have
\(\square \)
© 2019 Springer Nature Switzerland AG
Seck, M., Sow, D. (2019). BI-NTRU Encryption Schemes: Two New Secure Variants of NTRU. In: Gueye, C., Persichetti, E., Cayrel, PL., Buchmann, J. (eds) Algebra, Codes and Cryptology. A2C 2019. Communications in Computer and Information Science, vol 1133. Springer, Cham. https://doi.org/10.1007/978-3-030-36237-9_13
DOI: https://doi.org/10.1007/978-3-030-36237-9_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-36236-2
Online ISBN: 978-3-030-36237-9