Choosing Parameters for NTRUEncrypt

  • Conference paper
Topics in Cryptology – CT-RSA 2017 (CT-RSA 2017)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10159)

Abstract

We describe a method for generating parameter sets, and calculating security estimates, for NTRUEncrypt. Our security analyses consider lattice attacks, the hybrid attack, subfield attacks, and quantum search. Analyses are provided for the IEEE 1363.1-2008 product-form parameter sets, for the NTRU Challenge parameter sets, and for two new parameter sets. These new parameter sets are designed to provide \(\ge 128\)-bit post-quantum security.

An extended version of the paper is available at [10].

Notes

  1. In practice q has a strong impact on the effectiveness of pure lattice reduction attacks as well. For large q the relevant problem becomes Unique-SVP, which appears to be somewhat easier than Hermite-SVP. Conservative parameter generation should ensure that it is difficult to solve Hermite-SVP to within a factor of \(q/\varDelta^{1/2N} = \sqrt{q}\).

  2. A lattice reduction algorithm that achieves root Hermite factor \(\delta\) returns a basis with \(\Vert {\varvec{b}}_1\Vert_2 \approx \delta^n \det(\varLambda)^{1/n}\).

  3. We will abuse notation slightly and allow \(\varPi\) to act on elements of R by acting on their coefficient vectors lifted to \(\mathbb{Z}^N\).

  4. The \(X_k\) for different k have the same distribution, but they are not completely independent. However, they are so weakly correlated as to not affect our analysis.

References

  1. NTRU OpenSource Project. Online. https://github.com/NTRUOpenSourceProject/ntru-crypto

  2. 2015. https://www.ntru.com/ntru-challenge/

  3. Bernstein, D.J.: Cost analysis of hash collisions: will quantum computers make SHARCS obsolete? (2009). http://cr.yp.to/papers.html#collisioncost

  4. Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011). doi:10.1007/978-3-642-25385-0_1

  5. Chen, Y., Nguyen, P.Q.: BKZ 2.0: Better lattice security estimates (full version) (2011). http://www.di.ens.fr/~ychen/research/Full_BKZ.pdf

  6. Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal Gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013). doi:10.1007/978-3-642-40041-4_3

  7. Fluhrer, S.R.: Quantum cryptanalysis of NTRU. IACR Cryptology ePrint Archive, 2015:676 (2015)

  8. Gama, N., Nguyen, P.Q.: Predicting lattice reduction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 31–51. Springer, Heidelberg (2008). doi:10.1007/978-3-540-78967-3_3

  9. Hirschhorn, P.S., Hoffstein, J., Howgrave-Graham, N., Whyte, W.: Choosing NTRUEncrypt parameters in light of combined lattice reduction and MITM approaches. In: Abdalla, M., Pointcheval, D., Fouque, P.-A., Vergnaud, D. (eds.) ACNS 2009. LNCS, vol. 5536, pp. 437–455. Springer, Heidelberg (2009). doi:10.1007/978-3-642-01957-9_27

  10. Hoffstein, J., Pipher, J., Schanck, J.M., Silverman, J.H., Whyte, W., Zhang, Z.: Choosing Parameters for NTRUEncrypt (full version). IACR Cryptology ePrint Archive 2015:708 (2015)

  11. Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998). doi:10.1007/BFb0054868

  12. Hoffstein, J., Silverman, J.H.: Optimizations for NTRU (2000)

  13. Hoffstein, J., Silverman, J.H.: Random small hamming weight products with applications to cryptography. Discrete Appl. Math. 130(1), 37–49 (2003)

  14. Hoffstein, J., Silverman, J.H., Whyte, W.: Provable Probability Bounds for NTRUEncrypt Convolution (2007). http://www.ntru.com

  15. Howgrave-Graham, N.: A hybrid lattice-reduction and meet-in-the-middle attack against NTRU. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 150–169. Springer, Heidelberg (2007). doi:10.1007/978-3-540-74143-5_9

  16. Howgrave-Graham, N., Silverman, J.H., Whyte, W.: Choosing parameter sets for NTRUEncrypt with NAEP and SVES-3. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 118–135. Springer, Heidelberg (2005). doi:10.1007/978-3-540-30574-3_10

  17. Stehlé, D., Steinfeld, R.: Making NTRU as secure as worst-case problems over ideal lattices. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 27–47. Springer, Heidelberg (2011). doi:10.1007/978-3-642-20465-4_4

Correspondence to Zhenfei Zhang.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Hoffstein, J., Pipher, J., Schanck, J.M., Silverman, J.H., Whyte, W., Zhang, Z. (2017). Choosing Parameters for NTRUEncrypt. In: Handschuh, H. (eds) Topics in Cryptology – CT-RSA 2017. CT-RSA 2017. Lecture Notes in Computer Science, vol 10159. Springer, Cham. https://doi.org/10.1007/978-3-319-52153-4_1

  • DOI: https://doi.org/10.1007/978-3-319-52153-4_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-52152-7

  • Online ISBN: 978-3-319-52153-4

  • eBook Packages: Computer Science, Computer Science (R0)
