NTRU Cryptosystem: Recent developments and emerging mathematical problems in finite polynomial rings

The NTRU public-key cryptosystem, proposed in 1996 by Hoffstein, Pipher and Silverman, is a fast and practical alternative to classical schemes based on factorization or discrete logarithms. In contrast to the latter schemes, it offers quasi-optimal asymptotic efficiency and conjectured security against quantum computing attacks. The scheme is defined over finite polynomial rings, and its security analysis involves the study of natural statistical and computational problems defined over these rings. We survey several recent developments in both the security analysis and in the applications of NTRU and its variants, within the broader field of lattice-based cryptography. These developments include a provable relation between the security of NTRU and the computational hardness of worst-case instances of certain lattice problems, and the construction of fully homomorphic and multilinear cryptographic algorithms. In the process, we identify the underlying statistical and computational problems in finite rings.
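The ring arithmetic the abstract refers to, as an added example (not code from the paper): key generation, encryption and decryption in Z_q[x]/(x^N - 1), plus the coefficient-bound check under which decryption cannot fail. The ternary f, g, m, r are those of the textbook NTRU toy example (N = 11, p = 3); the prime q = 41 in place of the textbook q = 32 is this example's own choice so that one Gaussian-elimination inversion serves both moduli, and all function names are assumptions of the example.

```python
"""Toy NTRU over Z[x]/(x^N - 1); example code added here, not the paper's own implementation."""
N, P, Q = 11, 3, 41   # ring degree, small modulus, large modulus (prime here; textbook uses 32)

def mul(a, b):
    """Cyclic convolution: product of two length-N coefficient lists modulo x^N - 1."""
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % N] += ai * bj
    return c

def center(a, m):
    """Reduce coefficients modulo m into the symmetric range [-m//2, m - 1 - m//2]."""
    return [((x + m // 2) % m) - m // 2 for x in a]

def inverse(f, pr):
    """Inverse of f in Z_pr[x]/(x^N - 1), pr prime, or None if f is not a unit: Gaussian
    elimination on the N linear equations sum_j f[(i-j)%N]*v[j] = [i==0], i.e. f*v = 1."""
    rows = [[f[(i - j) % N] % pr for j in range(N)] + [int(i == 0)] for i in range(N)]
    for col in range(N):
        piv = next((r for r in range(col, N) if rows[r][col]), None)
        if piv is None:
            return None
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], -1, pr)
        rows[col] = [x * inv % pr for x in rows[col]]
        for r in range(N):
            if r != col and rows[r][col]:  # clear column col from every other row
                rows[r] = [(x - rows[r][col] * y) % pr for x, y in zip(rows[r], rows[col])]
    return [row[N] for row in rows]

def keygen(f, g):
    """Public key h = p*f_q*g mod q and secret f_p, or None if f is not invertible mod p or q."""
    f_p, f_q = inverse(f, P), inverse(f, Q)
    return None if f_p is None or f_q is None else ([P * x % Q for x in mul(f_q, g)], f_p)

def encrypt(h, m, r):    # e = r*h + m mod q, m ternary, r a fresh ternary blinding polynomial
    return [(x + y) % Q for x, y in zip(mul(r, h), m)]
def decrypt(f, f_p, e):  # a = f*e centered mod q (= p*r*g + f*m if nothing wrapped), then f_p*a mod p
    return center(mul(f_p, center(mul(f, e), Q)), P)

def decryption_ok(f, g, m, r):
    """Decryption is exact iff every coefficient of p*r*g + f*m fits the centered range mod q."""
    t = [P * x + y for x, y in zip(mul(r, g), mul(f, m))]
    return all(-(Q // 2) <= x <= Q - 1 - Q // 2 for x in t)

# Ternary f, g, m, r of the textbook NTRU toy example, lowest-degree coefficient first.
F, G = [-1, 1, 1, 0, -1, 0, 1, 0, 0, 1, -1], [-1, 0, 1, 1, 0, 1, 0, 0, -1, 0, -1]
M, R = [-1, 0, 0, 1, 1, 0, 0, 0, -1, 1, 1], [-1, 0, 1, 1, 1, -1, 0, -1, 0, 0, 0]
```

`decryption_ok` is the bound one checks when choosing the weights of f, g, r and the size of q: when it fails, `decrypt` silently returns a wrong message rather than an error.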
