Practical Lattice-Based Cryptography: NTRUEncrypt and NTRUSign

We provide a brief history and overview of lattice based cryptography and cryptanalysis: shortest vector problems, closest vector problems, subset sum problem and knapsack systems, GGH, Ajtai-Dwork and NTRU. A detailed discussion of the algorithms NTRUEncrypt and NTRUSign follows. These algorithms have attractive operating speed and keysize and are based on hard problems that are seemingly intractable. We discuss the state of current knowledge about the security of both algorithms and identify areas for further research.

[1]  O. Regev A Subexponential Time Algorithm for the Dihedral Hidden Subgroup Problem with Polynomial Space , 2004, quant-ph/0406151.

[2]  László Babai,et al.  On Lovász’ lattice reduction and the nearest lattice point problem , 1986, Comb..

[3]  Dan Boneh,et al.  Simplified OAEP for the RSA and Rabin Functions , 2001, CRYPTO.

[4]  Jacques Stern,et al.  Cryptanalysis of the Ajtai-Dwork Cryptosystem , 1998, CRYPTO.

[5]  Greg Kuperberg A Subexponential-Time Quantum Algorithm for the Dihedral Hidden Subgroup Problem , 2005, SIAM J. Comput..

[6]  Joseph H. Silverman,et al.  Optimizations for NTRU , 2001 .

[7]  J. Silverman Title: Estimated Breaking times for Ntru Lattices , 1999 .

[8]  Henry Cohn,et al.  The densest lattice in twenty-four dimensions , 2004, math/0408174.

[9]  Alfred Menezes,et al.  Software Implementation of Elliptic Curve Cryptography over Binary Fields , 2000, CHES.

[10]  Jean-Pierre Seifert,et al.  Approximating Shortest Lattice Vectors is Not Harder Than Approximating Closest Lattice Vectors , 1999, Electron. Colloquium Comput. Complex..

[11]  Craig Gentry Key Recovery and Message Attacks on NTRU-Composite , 2001, EUROCRYPT.

[12]  David Pointcheval,et al.  The Impact of Decryption Failures on the Security of NTRU Encryption , 2003, CRYPTO.

[13]  Nick Howgrave-Graham,et al.  A Hybrid Lattice-Reduction and Meet-in-the-Middle Attack Against NTRU , 2007, CRYPTO.

[14]  Joseph H. Silverman,et al.  NTRU: A Ring-Based Public Key Cryptosystem , 1998, ANTS.

[15]  Martin E. Hellman,et al.  Hiding information and signatures in trapdoor knapsacks , 1978, IEEE Trans. Inf. Theory.

[16]  Oded Regev,et al.  Quantum computation and lattice problems , 2002, The 43rd Annual IEEE Symposium on Foundations of Computer Science, 2002. Proceedings..

[17]  Mihir Bellare,et al.  Optimal Asymmetric Encryption , 1994, EUROCRYPT.

[18]  Robert D. Silverman A Cost-Based Security Analysis of Symmetric and Asymmetric Key Lengths RSA Labs bulletin , 2000 .

[19]  J. Hoffstein,et al.  NSS : The NTRU Signature Scheme , 2000 .

[20]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[21]  Craig Gentry,et al.  Cryptanalysis of the NTRU Signature Scheme (NSS) from Eurocrypt 2001 , 2001, ASIACRYPT.

[22]  Alfred Menezes,et al.  Software Implementation of the NIST Elliptic Curves Over Prime Fields , 2001, CT-RSA.

[23]  Andrew Odlyzko,et al.  The Rise and Fall of Knapsack Cryptosystems , 1998 .

[24]  John Proos Imperfect Decryption and an Attack on the NTRU Encryption Scheme , 2003, IACR Cryptol. ePrint Arch..

[25]  Joseph H. Silverman,et al.  Random small Hamming weight products with applications to cryptography , 2003, Discret. Appl. Math..

[26]  William Whyte,et al.  NAEP: Provable Security in the Presence of Decryption Failures , 2003, IACR Cryptol. ePrint Arch..

[27]  Eike Kiltz,et al.  A General Construction of IND-CCA2 Secure Public Key Encryption , 2003, IMACC.

[28]  Phong Q. Nguyen Cryptanalysis of the Goldreich-Goldwasser-Halevi Cryptosystem from Crypto '97 , 1999, CRYPTO.

[29]  Arjen K. Lenstra,et al.  Selecting Cryptographic Key Sizes , 2000, Journal of Cryptology.

[30]  Phong Q. Nguyen A Note on the Security of NTRUSign , 2006, IACR Cryptol. ePrint Arch..

[31]  Oded Goldreich,et al.  Public-Key Cryptosystems from Lattice Reduction Problems , 1996, CRYPTO.

[32]  Joseph H. Silverman,et al.  Dimension Reduction Methods for Convolution Modular Lattices , 2001, CaLC.

[33]  Peter W. Shor,et al.  Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer , 1995, SIAM Rev..

[34]  László Lovász,et al.  Factoring polynomials with rational coefficients , 1982 .

[35]  Shafi Goldwasser,et al.  Complexity of lattice problems , 2002 .

[36]  William Whyte,et al.  Choosing Parameter Sets for NTRUEncrypt with NAEP and SVES-3 , 2005, IACR Cryptol. ePrint Arch..

[37]  Ari Renvall,et al.  A wrap error attack against NTRUEncrypt , 2006, Discret. Appl. Math..

[38]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[39]  Cynthia Dwork,et al.  A public-key cryptosystem with worst-case/average-case equivalence , 1997, STOC '97.

[40]  Lov K. Grover A fast quantum mechanical algorithm for database search , 1996, STOC '96.

[41]  Miklós Ajtai,et al.  The shortest vector problem in L2 is NP-hard for randomized reductions (extended abstract) , 1998, STOC '98.

[42]  Victor S. Miller,et al.  Use of Elliptic Curves in Cryptography , 1985, CRYPTO.

[43]  Joseph H. Silverman,et al.  NSS: An NTRU Lattice-Based Signature Scheme , 2001, EUROCRYPT.

[44]  N. Koblitz Elliptic curve cryptosystems , 1987 .

[45]  William Whyte,et al.  Performance Improvements and a Baseline Parameter Generation Algorithm for NTRUSign , 2005, IACR Cryptol. ePrint Arch..

[46]  Phong Q. Nguyen,et al.  Learning a Parallelepiped: Cryptanalysis of GGH and NTRU Signatures , 2009, Journal of Cryptology.

[47]  Christoph Ludwig,et al.  A Faster Lattice Reduction Method Using Quantum Search , 2003, ISAAC.

[48]  William Whyte,et al.  NTRUSIGN: Digital Signatures Using the NTRU Lattice , 2003, CT-RSA.