Choosing Parameters for NTRUEncrypt

We describe a method for generating parameter sets, and calculating security estimates, for NTRUEncrypt. Our security analyses consider lattice attacks, the hybrid attack, subfield attacks, and quantum search. Analyses are provided for the IEEE 1363.1-2008 product-form parameter sets, for the NTRU Challenge parameter sets, and for two new parameter sets. These new parameter sets are designed to provide \(\ge 128\)-bit post-quantum security.
