Abstract
We introduce a general framework encompassing the main hard problems emerging in lattice-based cryptography, which naturally includes the recently proposed Mersenne prime cryptosystem, but also problems coming from code-based cryptography. The framework allows to easily instantiate new hard problems and to automatically construct plausibly post-quantum secure primitives from them. As a first basic application, we introduce two new hard problems and the corresponding encryption schemes. Concretely, we study generalisations of hard problems such as SIS, LWE and NTRU to free modules over quotients of ℤ[X] by ideals of the form (f, g), where f is a monic polynomial and g ∈ ℤ[X] is a ciphertext modulus coprime to f. For trivial modules (i.e. of rank one), the case f = Xn + 1 and g = q ∈ ℤ>1 corresponds to ring-LWE, ring-SIS and NTRU, while the choices f = Xn – 1 and g = X – 2 essentially cover the recently proposed Mersenne prime cryptosystems. At the other extreme, when considering modules of large rank and letting deg(f) = 1, one recovers the framework of LWE and SIS.
1 Introduction
Lattice-based and code-based cryptography are rapidly emerging as leading contenders for generating public-key cryptosystems that promise to withstand quantum attacks. The popularity of these branches of cryptography are due in large part to the simplicity and efficiency of their designs, but is certainly underscored by their strong security guarantees. Two hard problems in particular, the short integer solution (SIS) [3] and learning with errors (LWE) [46] problems, stand out in this regard. While these hard problems are expressible in the language of simple linear algebra over finite rings, and are hence easy to use, they are also provably hard-on-average, assuming the worst-case hardness of certain problems in lattices.
In response to the quadratic scaling of both operational cost and memory associated with a full matrix representation, many proposals switch to using structured matrices [34, 35, 48]. In essence, random matrices are replaced by matrices of multiplication by elements of the ring Rq = ℤ[X]/(f(X), q) resulting in the ring-based versions ring-SIS (RSIS) and ring-LWE (RLWE), respectively. Similar worst-to-average case reductions apply here, albeit from problems in structured lattices, which are potentially easier. Nevertheless, the low bandwidth requirements and high speed made possible by the designs from this category make their deployment an attractive option, and this in turn mandates careful study.
Some recent constructions have similar features to these ring-based cryptosystems, but rely on modular big integer arithmetic rather than arithmetic involving polynomials. We classify the AJPS cryptosystem [1] and the I-RLWE cryptosystem of Gu [24] as members of this category, as well as several submissions to the NIST PQC project [51] such as Ramstake [49] and ThreeBears [25]. Despite relying on different types of rings, the underlying mechanisms of both categories bear a striking resemblance to each other in that a notion of “smallness” of elements is preserved under addition and multiplication operations. This operational similarity suggests the possibility of a unifying perspective and a generic framework for design and analysis. While the existence of such a unification is, perhaps, folklore, a detailed elaboration has not appeared in the literature before, at least not at the level of generality we have in mind.
Our main approach is to replace the ring Rq by a quotient ring of the form Rg = ℤ[X]/(f(X), g(X)) with f, g ∈ ℤ[X] and some restrictions on which pairs one can take. This description captures both the familiar RLWE setting, where g = q ∈ ℤ>1, as well as the big integer arithmetic cryptosystems since, when g(X) = X – b for some integer b, we have (f(X), g(X)) = (f(b), X – b) so that Rg = ℤ[X]/(f(b), X – b) ≅ ℤ/(f(b)). As such, our framework contains both RLWE and AJPS as special cases. To capture plain LWE and module-LWE, we will eventually work with free modules over Rg. Certain problems in code-based cryptography can also be seen to fit within our framework, such as decrypting a ciphertext in many code-based encryption schemes using only knowledge of the public key; this is sometimes called the general decoding (search) problem. The syndrome decoding problem (SDP), used in the Niederreiter cryptosystem [43] and its variants, is also closely related to the inhomogeneous version of the ideal-SIS problem. It is interesting to note that, just like with RLWE, code-based cryptosystems use additional structure (structured codes) which presents additional attack surfaces [47].
On top of the well-known examples, it should be clear that our framework will contain many more, possibly hard, problems that can be considered for use in cryptographic applications. A systematic treatment of the exact hardness of these problems would divert attention away from our current focus; hence we defer such analysis to a future work.
To identify some of the problems we face in this more general setting, consider the following standard noisy key agreement protocol. Let G ∈ Rg be a public parameter, typically sampled uniformly at random or generated pseudorandomly from a short seed. Alice samples two small elements a, b ∈ Rg, and Bob does the same for c, d. They then exchange aG + b and cG + d, thus allowing Alice to obtain a(cG + d) and Bob to obtain c(aG + b) while thwarting any passive eavesdropper. If the difference ad – cb is small, then, in principle, Alice can obtain secret key material identical to Bob’s by correcting the errors or extracting an identical template, possibly with the aid of some additional reconciliation data. Several requirements are needed to make this protocol work.
Condition 1
The representation of elements of Rg must be conducive to efficient computation.
Condition 2
Sampling small elements must be possible, and moreover, whenever a, b, c, d are small, then so is ad – cb.
Condition 3
The adversary must be unable to obtain (a, b) from (G, aG + b) or (c, d) from (G, cG + d).
Condition 4
It must be possible to correct small perturbations like ad – cb or at least tolerate them somehow.
These conditions have been studied extensively in the standard case where g = q ∈ ℤ>1. This paper initiates the study of these same conditions in our more general setting. We view the aforementioned ciphertext ringRg as the quotient of the parent ringR := ℤ[X]/(f(X)) by the ideal gR. The parent ring is used to define smallness: informally, a small element of Rg is the reduction modulo g of an element of the parent ring having small coordinates (in absolute value) with respect to the power basis 1, X, X2, …, Xdeg(f)–1. Furthermore, when computing in Rg, all variables are to be reduced into a set of representatives Rep(Rg); see Section 2.2 for details; this forces noisy expressions to wrap around so that they become hard to distinguish from random expressions. Against this framework, we will provide a thorough analysis of Conditions 1 and 2, thereby providing a new set of tools for the cryptographer’s toolbox that are useful for various specific applications. Condition 3 is addressed briefly in Section 3.1 but will be discussed in depth in a future work. Condition 4 will be discussed only superficially as it has a more ad hoc flavour.
Related work. The idea of using a polynomial rather than an integer for the plaintext modulus in lattice-based encryption schemes has already been considered by a number of authors [10, 13, 16, 27]. The idea of using general ideal lattices for the ciphertext space was also introduced in the context of fully homomorphic encryption by Gentry [22]; however, the hard problem he considers is different to ours. Attempts at unifying various lattice-based cryptographic problems is also not new, for example, the general learning with errors (GLWE) problem was proposed in [13]; their proposal essentially amounts to our ideal-LWE problem when restricting to g = q ∈ ℤ>1.
2 A recipe for generating problems
In this section, we present a general recipe for concocting problems on which to build cryptosystems. The recipe is given as a number of decisions to be taken before ending up with a problem. When following this recipe, it is instructive to think of having a fixed amount of resources (informally, this amount is the size of the problem) to allocate to the different ingredients. Here we simply state the choices to be made and do not attempt to answer the more difficult question of how to make the most appetising dish.
Throughout this section, we look at what choices are made in five different examples. Firstly, we start with plain LWE. Secondly, ring-LWE together with module-LWE are examined. Thirdly, we consider the problem underlying the NTRU Prime cryptosystem from [8]. Next, we have the problems underlying the two Mersenne prime cryptosystems due to Aggarwal, Joux, Prakash and Santha [1, 2]. Finally, we take an example from coding theory, that of the McEliece cryptosystem [37], in which quasi-cyclic codes are often used. We do not concern ourselves here with which specific codes are used.
2.1 Select the parent ring
The first choice one needs to make is the monic polynomial f ∈ ℤ[X] defining the parent ring R = ℤ[X]/(f). If we denote the degree of f by n ≥ 1, then choosing a larger n requires allotting more of our resources to this ingredient. Furthermore, the size of the coefficients of f also affects the consumption of resources; one should keep these small in general so that Condition 2 holds. The parent ring naturally carries the structure of a free ℤ-module with (power) basis 1, X, …, Xn–1.
Running example 1
(Plain LWE). Here f is taken to be a linear polynomial, the most obvious choice being f = X, so that R = ℤ[X]/(f) ≅ ℤ. In this case, we use the least amount of resources possible.
Running example 2
(Ring-LWE and module-LWE). Here we let f be irreducible so that R = ℤ[X]/(f) is an order in a number field.[1]
Running example 3
(NTRU Prime). The NTRU Prime cryptosystem sets n to be an odd prime and takes f = Xn – X – 1, an irreducible polynomial.
Running example 4
(AJPS). The Mersenne prime cryptosystem lets f = Xn – 1 be such that f(2) = 2n – 1 is a prime number; note that n is necessarily prime as well.
Running example 5
(McEliece). As with plain LWE, one chooses f to be linear and R = ℤ.
2.2 Select the ciphertext modulus
Next, we must choose a ciphertext modulusg ∈ ℤ[X], which defines the ciphertext ring Rg = ℤ[X]/(f, g) in terms of which our problems will be formulated. We impose some restrictions on the possible choices for g; throughout this paper, we assume that
f and g are coprime, i.e., their only common divisors are ±1: this ensures that Rg is a finite ring,
deg(g) < n, which is not really a restriction since one can always replace g by g mod f,
there exists a positive integer a and a monic polynomial r ∈ ℤ[X] such that (f, g) = (a, r) as ideals.
Assumption (iii) is the most restrictive, although not as badly as one might fear: a heuristic proportion of 6/π2 ≈ 60.8% of all random pairs f and g satisfies this condition, which is confirmed by experiment (if satisfied, then r is linear with overwhelming probability). The reason for (iii) is it ensures that the ciphertext ring naturally comes equipped with a nice set of representatives
in which all computations are to be reduced; this ensures Condition 1 is satisfied. We stress that having such a nice set of representatives is our only reason for this assumption: it would be possible to weaken it if one is willing to end up with uglier or less canonical sets of representatives; though we avoid a detailed discussion. In Section 5, we will explain how to decide if such a and r exist, and if so, how to find them.
Just as with f, the degree of g and the size of the coefficients of g play a role in defining how much resources a certain g uses. In fact, it is better to consider the values of deg(r) and a as this is what defines the size of Rg : #Rg = #ℤ[X]/(f(X), g(X)) = #ℤ[X]/(a, r(X)) = adeg(r). It is also known that #Rg = |Res(f, g)|;[2] hence one does not need to first compute a and r to compute this value. Increasing this value naturally increases the size of the problem.
Running example 1
(Plain LWE). Here g is a positive integer, usually denoted by q, so that Rg ≅ ℤq and #Rg = q. In this case, one can take a = q and r = f.
Running example 2
(Ring-LWE and module-LWE). Here again g is a positive integer q so that one can take a = q and r = f, hence #Rg = qn.
Running example 3
(NTRU Prime). As above, g is a positive integer q and one takes a = q and r = f.
Running example 4
(AJPS). Here g = X – 2, and one can take a = 2n – 1 and r = g = X – 2 because we have equality of the two ideals (Xn – 1, X – 2) = (2n – 1, X – 2). Thus we have #Rg = 2n – 1.
Running example 5
(McEliece). As with plain LWE, we take g to be an integer q, but whereas, in plain LWE, q is relatively large, here we take q = 2, thus #Rg = 2.
2.3 Select the rank
Thirdly, one must select a positive integer m, the rank, and construct the free Rg-module
consisting of vectors of length m with entries in Rg.
As with n (the degree of f), taking a larger m consumes more resources; indeed the size of an element of M is m deg(r)log|a|.
Running example 1
(Plain LWE). Here m is a reasonably large integer and
Running example 2
(Ring-LWE and module-LWE). In ring-LWE, we take m = 1 so that M = Rq. In module-LWE, m > 1 is a relatively small integer, and the module M is given by
Running example 3
(NTRU Prime). Here m = 1 so that M = Rq.
Running example 4
(AJPS). Here again m = 1 so that M = RX–2.
Running example 5
(McEliece). In this case, the value of m is the dimension of the code used.
2.4 Select the family of hard problems
After choosing the rank, we select one of the following three problems, which we call ideal-LWE, ideal-SIS and ideal-NTRU, respectively. Informally, these problems in their basic form are to solve a system of “noisy” linear equations, to find a non-zero solution to a system of linear equations which is “small” and to express a matrix as a quotient of two “small” matrices, respectively.[3] In each case, the base ring is ℤq for some positive integer q. These basic problems refer to standard LWE, standard SIS and a matrix variant of NTRU, alluded to in [26] when comparing NTRU to McEliece.[4]
The simplest way to generalise these basic problems is to replace the random matrix defining the linear system by a matrix of multiplication; that is a linear map on a free ℤq-module defined by multiplying by an element of that module. This gives the matrix some structure allowing for a more compact representation and gives rise to the ring versions of the problems. In particular, this gives the standard NTRU problem.
The second main way to generalise the basic problem is to take entries from a larger ring than ℤq, such as the ring Rg, which is a ℤa module itself.[5] Thus we can replace the ring elements by deg(r) × deg(r) matrices of multiplication with entries in ℤa which gives a block structure to the original matrix. This is the general module approach which gives rise to the module variants of the problems when g = a ∈ ℤ.
Now that we have seen the two main generalisations; we give the details of how this can be applied to each problem.
Ideal-LWE. For the ideal-LWE problem, one chooses two further parameters k, the number of “keys”, and ℓ, the number of samples (which will depend on the application).[6] The problem is then defined as follows.
Problem 1
(Ideal-LWE search problem). Letχbe a distribution onRdefining small elements, and letkandℓbe positive integers. Sample a uniformly random elementsfrom
In a number of circumstances, one often wants to sample the secret s not from the whole space but some subset of elements, for example by sampling it using the error distribution. This so-called “small secret” case allows more powerful cryptographic constructions to be built as multiplying by s preserves smallness. See [14, Section 4] and [40] for a reduction from the general case to the small secret case.
Ideal-SIS. In the ideal-SIS and ideal-NTRU problems, we require a norm on the parent ring, ∥⋅∥: R → ℝ≥0. We abuse notation and write ∥a∥ < ρ for a ∈ Rm if, for all components ai of a, the relation ∥ai∥ < ρ holds.
Problem 2
(Ideal-SIS search problem). Given an integerℓ > m and a boundρ, sampleℓelements fromM =
One often considers the inhomogeneous problem where, instead of finding a linear combination summing to zero, one is given a target vector which the linear combination must sum to; this is also sometimes called the knapsack problem.
Ideal-NTRU. The final problem we consider is the ideal-NTRU problem.
Problem 3
(Ideal-NTRU search problem). Letχbe a distribution of small elements onRwith appropriate boundρ. Sampleu ← χm×msuch that it is invertible in
Unlike with the previous choices, the cost of picking a certain problem is not so obvious; one could consider, for example, the size of the space to which the solution to the set of linear equations belongs, but this is not so easy to compute in the ideal-SIS and ideal-NTRU cases when the solution is restricted to being small. We point out that the size of the problem is related but not directly equivalent to the hardness of a problem. For most choices of parameters, the best known attacks rely on lattice reduction; hence, in general, the cost will depend on the dimension of the lattice being reduced which need not directly reflect the size of the problem.
Running example 1
(Plain LWE). Naturally, we select the ideal-LWE problem here.
Running example 2
(Ring-LWE and module-LWE). This again amounts to selecting the ideal-LWE problem.
Running example 3
(NTRU Prime). Here we select the ideal-NTRU problem.
Running example 4
(AJPS). The version of [1] amounts to selecting the ideal-NTRU problem, while the corresponding NIST submission [2] amounts to selecting ideal-LWE.
Running example 5
(McEliece). Here we consider the general decoding problem of decrypting a ciphertext using only the public key. One essentially takes the ideal-LWE problem with a fixed number of samples (the length of the code).
2.5 Distribution of small elements
Finally, we come to the issue of what a small element is. Informally spoken, by a small element of R, we mean an element having small coordinates (in absolute value) with respect to the power basis. The archetypal example is that each coordinate is sampled from a discrete Gaussian distribution with standard deviation σ. The LWE type problems all typically use this type of distribution. One can also consider the case when the coefficients are not sampled independently, as in the case of RLWE as defined in [35], as soon as one moves away from the 2-power cyclotomic case. When σ becomes small enough, the coefficients are, with high probability, in the set {–1, 0, 1}. When not sampled independently, it becomes possible to essentially sample vectors of a specified Hamming weight; this is the distribution used in the NTRU setting.
The question of precisely how small to take small elements is complex and depends on the problem and application. In general, larger errors give harder problems but may inhibit functionality and performance of certain cryptographic schemes.
3 A catalogue of problems
Now that we have a general outline for our recipe, we can consider what problems we can create using it. To this end, we start to build a catalogue of problems by looking at examples already in the literature, a number of which we have seen already.
Ideal-LWE. We first consider those using the ideal-LWE problem. If one takes the ciphertext modulus g to be an integer and set k = 1, then we get the familiar LWE type problems: when deg(f) = 1 and m > 1, we get standard LWE, when deg(f) > 1 and m = 1, we have the (poly-)RLWE problem, [9], and bridging them when deg(f) > 1 and m > 1, we find module-LWE. An example for when k > 1 is the matrix LWE problem from [11] which still takes g to be an integer.
In contrast, if one takes g(X) = X – b for some integer b and deg(f) > 1, then one obtains LWE-like problems but associated with big integer arithmetic. We identify the I-MLWE problem of ThreeBears [25] (m > 1, k = 1) and I-RLWE problem of Gu [24] (m = k = 1) as members of this class. Further, the Mersenne-756839 submission to NIST [50] defines and uses the Mersenne low Hamming combination (MLHC) search problem for security; this is essentially the I-RLWE problem when b = 2 and the secret s is not uniformly random but sampled from the distribution χ. The Ramstake submission [49] also makes use of the MLHC problem.
Ideal-NTRU. Next we consider examples of the ideal-NTRU problem. When m = 1 and deg(f) > 1, we capture standard NTRU [27] along with NTRU Prime [8] and many other variants when taking g(X) an integer; in addition, we have the Mersenne low Hamming ratio (MLHR) problem [1] when g(X) = X – 2. Furthermore, for m > 1 and g ∈ ℤ, we have the basic matrix formulation of NTRU [42] when deg(f) = 1, while MaTRU [18] uses deg(f) > 1.
Ideal-SIS. Finally, with the ideal-SIS problem, there are relatively few examples in the existing literature; all take g to be an integer. When deg(f) = 1 and m > 1, we have the standard SIS problem [3], when deg(f) > 1 and m = 1, we have the ring-SIS problem [39], and when both deg(f) > 1 and m > 1, we reach the module-SIS problem [30]. In the case when both deg(f) and m are taken to be one, the resulting problem is the (homogeneous) modular subset sum problem (SSP).
We arrange all of these examples in Table 1 classified by the problem family they utilise, the degrees of f and g as well as whether the rank m is one or larger than one. We colour each cell either red (and mark with a *) when we do not consider the problem as deg(g) ≥ deg(f), yellow when there is a known example in the current literature, or green (marked with a question mark) when the problem has, to the best of our knowledge, not yet been considered.
The catalogue of problems, separated into their separate problem families, and classified by whether m is one or larger, whether the degree of f is one or larger, and the degree of g. Known examples are filled in and the cell coloured yellow, red (*) boxes we do not consider due to the restriction on g, and green (?) give new problems.
 |
Looking at the green entries in the tables, we can immediately see a number of empty entries. Firstly, there seems to be no analogue of NTRU over the integers which appears to be hard; the problem can be solved easily by performing lattice reduction on the 2-dimensional lattice spanned by the row vectors (1, h), (q, 0) and (0, q), where h is the quotient of small elements in ℤq. Secondly, to the best of our knowledge, no one has proposed a matrix version of the NTRU problem over the AJPS ring ℤ[X]/(Xn – 1, X – 2) ≅ ℤ/(2n – 1). Thirdly, the ring and module variants of the SIS problem have also not been considered when using this ring. Finally, as we have already stated, we know of no paper which explicitly considers the case when the modulus g has degree larger than one.
Cryptographic applications. In practice, as cryptographers, our end goal is to build cryptographic schemes which rely on the hardness of a given problem. Just as with deriving a problem by following the above recipe, many of the known cryptographic applications can equally be built almost automatically on top of the new problems in much the same way as when building them from the standard problems; see for example [5] for a detailed analysis of what can be built from certain primitives using algebraic structure. The motivating key-exchange example in the introduction essentially forms the basis for most applications we consider here.
In this respect, we find that the LWE family is the most useful to us, while the SIS family has the fewest known applications to date.
From the problems belonging to the LWE family, we can build basic primitives such as public key encryption [44, 46], key exchange [7, 19], digital signatures [4, 33][10] and oblivious transfer [12, 44], as well as more advanced constructs such as identity-based encryption [23] and fully homomorphic encryption [13, 21].
As for the NTRU family, there are known constructions for much the same primitives: public key encryption [8, 27], digital signatures [28], oblivious transfer [38], identity-based encryption [20] and fully homomorphic encryption [32]; although the latter is not considered competitive due to the attacks presented in [6, 17, 29].
The SIS family has turned out to be far less fruitful; however, it has still been used to create a digital signature scheme via hashing [23]. It is also known that one can build zero knowledge proofs from the inhomogeneous SIS problem [31].
We expect that most of the above primitives can be straightforwardly adapted to work using our more general problems, and we give some simple examples in the case of public-key encryption in the next section.
3.1 An introduction to security
Here, we briefly look at lattice attacks on the three families of problems. The general idea of such an attack is to construct a lattice from the publicly available information which either contains a short vector which depends on secret information (such as an element from the distribution of small elements used), or for which we know a vector (in the ambient space) which is close to a lattice point which again depends on a secret; by finding such a short or closest vector, we can recover information about the secret key. To be able to find such a lattice vector, one uses a technique called lattice reduction. This is a process which takes as input some generating set for the lattice with the goal of returning a basis of the lattice consisting of short and nearly orthogonal vectors. One important property of lattice reduction is that it works on integer lattices. Since we primarily work with the ring Rg and small elements are only defined in R, when describing such a lattice, we will have to include the generators Xig(X) mod f(X) which will account for the fact that we work modulo g. For example, in the simple case of the primal attack on the ideal-LWE problem instantiated with k = m = 1 and a being lifted to a vector of polynomials (a1, a2, …, aℓ)T ∈ Rℓ and similarly for b, lattice reduction is performed on the (ℓn + 1)-dimensional lattice generated by the rows of the matrix
for some positive integer weight w. The aim is then to recover the short vector ±(e1, …, eℓ, w).
In the classical setting, when g(X) = q is simply an integer, this will mean we use as generators vectors which are zero in all but one component where it takes the value q. In applications using LWE and RLWE, the value of q will be rather large and does not cause any problems, but in code-based cryptography, it is typical to take q = 2. This implies that the lattice contains many trivial vectors of Euclidean length
Just as in the integer ciphertext modulus case, when g is chosen as a polynomial, it may be that the constructed integer lattice has trivial short vectors, much shorter than any vector containing information about the secret key. In our Running example 4, for example, g is taken as X – 2 which, in combination with f(X) = Xn – 1, yields many vectors of length
That is not to say lattice reduction does not have a place in attacking our problems for this choice of g; see for example [9], only that it is not the main cost in such attacks. The attack is very similar in spirit to the family of general information-set decoding attacks first introduced by Prange [45] and is more combinatorial in nature, involving finding a set of coordinates which are in some sense error-free. Similar to code-based cryptography, it is in general difficult to recover the small elements used when g = X – 2. This problem was avoided in [1] by ensuring decryption could be performed without recovering the error in the ciphertext; however, they were only able to encrypt one bit per ciphertext. To improve the efficiency of the scheme, by allowing a much larger plaintext space, the authors had to employ an error-correcting code in their scheme [2].
The cases of “large” g and “small” g are in some sense two ends of a spectrum, and the applicable attacks in each case are very different.[11] This leaves open the problem of finding the boundary between the two cases where lattice attacks stop working and combinatorial approaches start to become feasible. It may be possible that choices of parameters towards the middle of this spectrum offer superior security guarantees and/or allow for more efficient schemes.
More details on lattice attacks, and more general attacks, on our problems will appear in a future work; see also the forthcoming PhD thesis of the first author.
4 New examples
4.1 Generalising the Gu encryption scheme to higher degree g
Here, we present a generalisation of the Gu encryption scheme [24] where, instead of taking g to be linear, we consider g of higher degree. We first define our parent ring as R = ℤ[X]/(Xn + 1), that is, we take f(X) = Xn + 1. Next, we carefully choose our ciphertext modulus g = Xd + b, where b > 1, such that d | n, d < n and q = bn/d + (–1)n/d is prime.[12] Then we have that the ideal generated by f and g is also generated by g and the prime q; this is because f = (Xd)n/d + 1 ≡ (–b)n/d + 1 = (–1)n/dq mod g. Therefore, we have that
Next, we define a distribution of small elements in R, χσ, by sampling n coefficients from a discrete Gaussian distribution with standard deviation σ, and forming a polynomial of degree n – 1 from these coefficients. This polynomial will then be reduced modulo g in our scheme to one with d coefficients, which need not be small with respect to q; indeed we expect them not to be. We denote by χσ the distribution on
Key generation. To generate a key, we sample an element a uniformly at random from
Encryption. Given a plaintext m ∈
Decryption. Given a ciphertext (c1, c2) and a private key s, one first computes d = c2 – c1s. For each coefficient di, consider it an integer in [–q/2, q/2), and compute the balanced expansion with base –b, say di = ∑jαi,j(–b)j, where αi,j ∈ [–b/2, b/2). Then, for k = 0, …, n – 1, define mk = αi,j mod p, where i = k mod d and j = ⌊kd/n⌋. Return the vector m = (mk).
Security. Just as in [24, Theorem 3.9], for the specific choices of f and g taken here, we can convert an RLWE sample with f = Xn + 1 and g = b to an ideal-LWE sample with the same f but g = Xd + b and conversely transform an ideal-LWE sample into a RLWE sample, in both cases with a growth in the noise present in the sample. The conversions are simple to write down. To go from RLWE to ideal-LWE, for each polynomial in Rb (i.e. a, b and s), lift it to a polynomial in R with coefficients in the symmetric interval around zero, and then reduce modulo Xd + b. In the reverse direction, for each element in RXd+b with coefficients in the symmetric interval about zero, lift it to a polynomial in R by expanding the coefficients to the base b with the coefficients of powers of b in the range [–b/2, b/2) and then substituting b with –Xd. Reduction modulo b gives an element of Rb.
A proof of the reductions is essentially the same as that given in [24] with the same bound on the growth of the noise.
Somewhat homomorphic encryption. It is easy to transform this scheme into a somewhat homomorphic scheme akin to, for example, the Brakerski–Fan–Vercauteren scheme [21]. Implementing this, we found that, with the same parameters used in practice, we could perform on average between zero and three fewer multiplicative levels than with the original scheme.[13]
4.2 Module-NTRU over the AJPS ring
In this section, we briefly describe a cryptosystem employing the ideal-NTRU problem with rank larger than one and which takes as the underlying ring the AJPS ring; this means, we will take f as Xn – 1 for some prime n such that q = 2n – 1 is also prime, and g as X – 2. We also choose positive integers d and w ≪ n, where d will be the rank of the module used and w will be the Hamming weight of elements sampled from our distribution of small elements. Formally, we define χw to be the uniform distribution over the set {∑i∈𝓘 2i | 𝓘 ⊂ {0, 1, …, n – 1}, #𝓘 = w}. The plaintext space will be {0, 1}d, and for decryption, we will choose two thresholds tl and tu satisfying 0 ≤ tu < tl ≤ n.
Key generation. To generate keys, first sample two matrices u and v from
Encryption. Given a public key w and a message m ∈ {0, 1}d, denote by m the d × d diagonal matrix with the message bits down the diagonal. To encrypt, sample two matrices r and e from
Decryption. To decrypt the ciphertext c with the private key u, first compute the product p = cu. Then, for each i in {1, …, d}, consider the elements in the ith row of p as binary strings of length n, and compute the mean of the Hamming weights of these binary strings. If this mean is at most the threshold tl, set mi = 0; if this mean is no smaller than tu, set mi = 1, and otherwise abort. Return the vector (mi).
Decryption works since we have p = cu = rv + mdu + eu, and the entries of rv and eu will still have relatively small Hamming weight, while the entries of mdu will be zero in the ith row if mi=0 and be uniformly random if mi = 1. The probability that d uniformly random elements have a mean Hamming weight smaller than the threshold tl can be made negligibly small by choosing the parameters appropriately.
5 Generic moduli
In this final section, we look at the structure of the ring Rg for generic g. Then our ring Rg = ℤ[X]/(f(X), g(X)) does not have an obvious canonical set of representatives. In order to have useful representatives, we will try to find a pair a ∈ ℤ>0 and r ∈ ℤ[X] such that (f, g) = (a, r). When r is monic, we can use the set of representatives from equation (2.1). We note that if r is not monic, then a set of representatives is still possible to write down but is not so user-friendly. Our choice of g will be constrained by Rg having such a set of representatives.
Now our task is to find such a and r if they exist. It is natural to choose a to be the smallest positive integer in (f, g) so that (f, g) ∩ ℤ = (a) which always exists due to the coprimality of f and g. This integer is called the “congruence number” or “reduced resultant” of the polynomials f and g. Then r is defined only modulo a and up to units of ℤa[X]. The overall strategy is first to find a. Afterwards, we search for an r using the Euclidean algorithm in the ring ℤa[X]. When a is composite, ℤa is not an integral domain so that finding inverses modulo a can fail. However, in this case, we will have found a factor of a and can use this factor, with some work, to either split a into a product of coprime factors, work modulo each of these factors and combine the results using the Chinese remainder theorem, or write a as a power and use Hensel lifting to find r. Of course, these subroutines can also fail when a division fails, but we recurse until an r is found. We remark that if we do not assume r exists, then it is only possible to determine no r exists during the lifting procedure. This ad hoc recursion strategy allows us to bypass the need to factorise a at the onset.
Lemma 1
Let s, t ∈ ℤ[X] be such that sf + tg ∈ ℤ, with deg(s) < deg(g) and deg(t) < deg(f), and further assume that the greatest common divisor ofsandtis 1. Thena = sf + tg is a generator of the ideal (f, g) ∩ ℤ.
Proof
We proceed by assuming (f, g) ∩ ℤ is not generated by sf + tg but some proper divisor and derive a contradiction.
For some prime factor p of sf + gt, we must have (sf + gt)/p ∈ (f, g) ∩ ℤ and thus (sf + gt)/p = s′f + t′g for some s′, t′ ∈ ℤ[X]. We therefore have sf + tg = ps′f + pt′g, and rearranging gives (s – ps′)f = (pt′ – t)g. Since f and g are coprime, we must have s – ps′ = kg as well as pt′ – t = kf for some polynomial k ∈ ℤ[X].
Denote by ⋅̄ : ℤ[X] → 𝔽p[X] the reduction modulo p map. Then k̄ḡ = s̄ and k̄f̄ = –t̄. The polynomial f is monic, so the assumption deg(t) < deg(f) implies deg(t̄) < deg(f̄). Since 𝔽p[X] is an integral domain, k̄f̄ = –t̄ can only hold if k̄ = t̄ = 0, which implies s̄ = 0. But t̄ = s̄ = 0 implies p divides both s and t, which contradicts the assumption that s and t have greatest common divisor 1.□
The question is thus how to find such s and t. One way to proceed is by computing, using the extended Euclidean algorithm over ℚ[X], rational polynomials s′ and t′ such that s′f + t′g = 1 and deg(s′) < deg(g) and deg(t′) < deg(f); then, multiplying by the lowest common multiple of all the denominators appearing in the coefficients of both s′ and t′, we find such s and t. The a we require is this lowest common multiple.
Next we show that, when it does not fail, we can use Euclid’s algorithm to find r modulo a positive divisor of a. Thus we assume in the lemma that an r exists.
Lemma 2
Letdbe a positive divisor ofa, and suppose that applying Euclid’s algorithm tofandgin the ring ℤd[X] does not fail and outputs the polynomialρ. Thenρ ≡ r mod dup to units in ℤd[X].
Proof
Denote by ⋅̄ the reduction modulo d. Since (f, g) = (a, r), we have (f̄, ḡ) = (ā, r̄) = (r̄) since d | a. Now, by the properties of Euclid’s algorithm, we have (f̄, ḡ) = (ρ). Therefore, r ≡ ρ mod d up to a unit of ℤd[X].□
If d is taken to be a prime p, then Euclid’s algorithm never fails, so we can use it to find a suitable r modulo p. However, it is possible that a larger power of the prime divides a, say pe, and in this case, if Euclid’s algorithm fails modulo pe, we need to use Hensel lifting to lift ρ, our solution modulo p, to one modulo pe. Algorithm 1 shows how to do this iteratively from pj to pj+1. It is at this point where a solution may fail to exist, showing that no such r exists.
Lemma 3
Algorithm 1 for Hensel lifting is correct.
Proof
Firstly, we assume that ρ′ exists. By the preconditions, there exist α, β, and further μ and ν such that ρ ≡ αf + βg, f ≡ μρ and g ≡ νρ modulo pj, and we write each of these in p-ary form with the subscript indexing the digit, starting at zero. Note that α0 and β0 can be computed from f0 and g0 using the extended Euclidean algorithm over 𝔽p[X]. Also, μ and ν can easily be computed from f, g and ρ. Then f – ρμ is divisible by pj, so defining u via f – ρμ = pju mod pj+1, ρj and μj must satisfy
or equivalently ρjμ + ρμj ≡ u mod p. Hence, u ∈ (ρ0, μ0) = (γ), where γ is the greatest common divisor of ρ0 and μ0 in 𝔽p[X], say with Bézout coefficients ξ and ζ so that γ = ξρ0 + ζμ0. So γ divides u, and all solutions for ρj and μj are given by
The same computation for g implies that δ must divide v, where δ = ϕρ0 + ψν0 is the greatest common divisor of ρ0 and ν0 over 𝔽p[X] and v = (g – ρν)/pj mod p. The solutions for ρj and νj are given by
Algorithm 1
Hensel lifting.
| Input: Polynomials f, g, ρ in ℤ[X] (with f monic), a prime p and a positive integer j, satisfying αf + βg ≡ ρ mod pj for some α, β ∈ ℤ[X], as well as f ≡ ρμ mod pj and g ≡ ρν mod pj for some μ, ν ∈ ℤ[X]. | |
| Output: A polynomial ρ′ ∈ ℤ[X] such that ρ′ ≡ α′f + β′g mod pj+1 for some α′, β′ ∈ ℤ[X], as well as ρ′ | f and ρ′ | g in ℤpj+1 [X], or Fail if no such polynomial exists. | |
| μ ← f/ρ | ⊳ Arithmetic in ℤpj [X]. |
| ν ← g/ρ | ⊳ Arithmetic in ℤpj [X]. |
| u ← ((f − ρμ)/pj) mod p | ⊳ Thus f ≡ ρμ + pju mod pj+1. |
| v ← ((g − ρν)/pj) mod p | ⊳ Thus g ≡ ρν + pjv mod pj+1. |
| γ, ξ, ζ = xgcd𝔽p[X](ρ, μ) | ⊳ Thus γ = ξρ + ζμ mod p. |
| δ, ϕ, ψ = xgcd𝔽p[X](ρ, ν) | ⊳ Thus δ = ϕρ + ψν mod p. |
| θ ← ζψ(uν − vμ) mod p | |
| ρ0 ← ρ mod p | |
| ifγ ∤ uorδ ∤ vorρ0 ∤ θthen ∟ return Fail | |
| κ ← (θ/ρ0 + ζϕu − ψξv)τ | |
| ρj ← (ζu − κρ0)/γ mod ρ0 | ⊳ Hence deg(ρj) < deg(ρ0). |
| ρ′ ← ρ + pjρj | ⊳ Arithmetic in ℤ[X]. |
| returnρ′ | |
Equating the two expression for ρj in equations (5.1) and (5.2), we see that (κδ – λγ)ρ0 = ζuδ – ψvγ. Now, using our expressions for γ and δ, we have (κδ – λγ)ρ0 = (ζuϕ – ψvξ)ρ0 + ζψ(uν0 – vμ0). Thus we must have that ρ0 divides θ := ζψ(uν0 – vμ0) and then κδ – λγ = ζuϕ – ψvξ + θ/ρ0.
Next we note that gcd(γ, δ) = 1 as otherwise there would be a non-trivial factor of μ0 and ν0, and then ρ0 could not be the highest-degree common factor of f and g modulo p. Therefore, we can write 1 = σγ + τδ for some σ, τ ∈ 𝔽p[X], and all solutions for κ and λ are given by
and each such ϵ will give a valid solution. Algorithm 1 chooses to take ϵ = 0 at first but implicitly changes its value later via modular reduction. We find ρj by plugging in the expression for κ in equation (5.1) then reducing modulo ρ0. If this modular reduction subtracts kρ0, then this is equivalent to choosing ϵ = k.
The post-conditions are satisfied because there is a solution for μj and νj whenever there is one for ρj. Setting μ′ = μ + μjpj and ν′ = ν + νjpj, this shows that necessarily ρ′μ′ = f and ρ′ν′ = g in ℤpj+1[X]. Moreover, the requirement
is equivalent to w + α0μj + αjμ0 + β0νj + βjν0 = 0 mod p, where w = (αμ + βν – 1)/pj mod p, which always has a solution for αj and βj as μ0 and ν0 are coprime. Therefore, for any such solution, α′ = α + pjαj and β′ = β + pjβj satisfy ρ′ = α′f + β′g mod pj+1.
The proof up until this point shows that if a ρj exists, then Algorithm 1 finds one. Therefore, if the algorithm fails, such a ρj does not exist.□
Remark 1
The algorithm can be modified to avoid computing γ, ξ, ζ and δ, ϕ, ψ every iteration as these variables change only when p does. Also, it is possible to output α′, β′, μ′ and ν′ along with ρ′, if required, but we opted here for brevity and simplicity.
One case where this additional output is useful is when computing inverses in Rg. This can be done in the same way in which r is computed, only replacing the inputs f and g by r and s and using the extended version of Euclid’s algorithm; here s ∈ Rg is the element to be inverted considered as an element of ℤ[X]. Assuming this does not fail, this gives an expression of the form h ≡ αr + βs mod a, and if s is invertible in Rg, then h will be an integer coprime with a, so by multiplying by a constant, we can assume h = 1; then β is the inverse. Computing inverses is required in the ideal-NTRU problem, and this again shows that a factorisation of a is not needed to do this.
In practice, one will not check whether we are working modulo a prime, and the requirement that p is a prime in Algorithm 1 and Lemma 3 is there only to guarantee that the various calls to the Euclidean algorithm return a valid result and will not fail. In practice, if the Euclidean algorithm fails, it will be because it was unable to invert an integer modulo p, and hence we will have found a factor of p and can split it appropriately and try again on each factor until it succeeds.
In more detail, if one is working modulo a and finds a factor d, then one can find the largest power of d dividing a, say dk. Then if a/dk is coprime to d, we can work modulo a/dk and dk. Otherwise, h = gcd(a/dk, d) is such that 1 < h < d; then we find the largest power of h dividing d and the largest power of h dividing a/dk, say hl and hm, respectively. Then hkl+m divides a, and recurse using factors hkl+m, (d/hl)k and a/(dkhm) until all factors are coprime. A solution modulo a is then found by using the Chinese remainder theorem, and this may result in a non-monic r if the degrees modulo each factor are different.
Our calculations (and some heuristics) suggest that 6/π2 ≈ 60.8% of all random pairs f and g satisfy this condition, and that r is linear with overwhelming probability in this case. Of the remaining 39.2%, a little over 25% give non-monic r, and in just under 14% of the cases, no r exists. We leave open the question whether non-monic r can be useful in ways that a monic r cannot.
Finally, we note that we can use the fact that |Res(f, g)| = adeg(r) whenever such a monic r exists as a test of whether such an r exists. Compute a and |Res(f, g)|, and test if the latter is an integer power of the former; if not, then we know that if an r exists, it will not be monic. As a small example, we can compute Res(X4 + 1, X3 + 4X + 1) = 306, while a = 102 in this case, implying no monic r exists such that (X4 + 1, X3 + 4X + 1) = (102, r(X)); indeed r(X) = 68X2 + 101X + 19 in this case.
Funding: This work was supported in part by the Research Council KU Leuven grants C14/18/067 and STG/17/019. Carl Bootland is funded by a FWO fellowship. Wouter Castryck is affiliated on a free basis with imec-COSIC at KU Leuven and with the Department of Mathematics: Algebra and Geometry at Ghent University. Alan Szepieniec was supported by an IWT doctoral grant.
References
[1] D. Aggarwal, A. Joux, A. Prakash and M. Santha, A new public-key cryptosystem via Mersenne numbers, Cryptology ePrint Archive (2017), https://eprint.iacr.org/2017/481/20170530:072202.10.1007/978-3-319-96878-0_16Search in Google Scholar
[2] D. Aggarwal, A. Joux, A. Prakash and M. Santha, A new public-key cryptosystem via Mersenne numbers, Advances in Cryptology—CRYPTO 2018. Part III, Lecture Notes in Comput. Sci. 10993, Springer, Cham, (2018), 459–482.10.1007/978-3-319-96878-0_16Search in Google Scholar
[3] M. Ajtai, Generating hard instances of lattice problems (extended abstract), Proceedings of the 28th Annual ACM Symposium on the Theory of Computing, ACM, New York (1996), 99–108.10.1145/237814.237838Search in Google Scholar
[4] S. Akleylek, N. Bindel, J. Buchmann, J. Krämer and G. A. Marson, An efficient lattice-based signature scheme with provably secure instantiation, Progress in Cryptology—AFRICACRYPT 2016, Lecture Notes in Comput. Sci. 9646, Springer, Cham (2016), 44–60.10.1007/978-3-319-31517-1_3Search in Google Scholar
[5] N. Alamati, H. Montgomery, S. Patranabis and A. Roy, Minicrypt primitives with algebraic structure and applications, Advances in Cryptology—EUROCRYPT 2019, Springer, Cham (2019), 55–82.10.1007/978-3-030-17656-3_3Search in Google Scholar
[6] M. Albrecht, S. Bai and L. Ducas, A subfield lattice attack on overstretched NTRU assumptions: cryptanalysis of some FHE and graded encoding schemes, Advances in Cryptology—CRYPTO 2016. Part I, Lecture Notes in Comput. Sci. 9814, Springer, Berlin (2016), 153–178.10.1007/978-3-662-53018-4_6Search in Google Scholar
[7] E. Alkim, L. Ducas, T. Pöppelmann and P. Schwabe, Post-quantum key exchange—a new hope, Proceedings of the 25th USENIX Security Symposium, USENIX, Berkeley (2016), 327–343.Search in Google Scholar
[8] D. J. Bernstein, C. Chuengsatiansup, T. Lange and C. van Vredendaal, NTRU prime: Reducing attack surface at low cost, Selected Areas in Cryptography—SAC 2017, Lecture Notes in Comput. Sci. 10719, Springer, Cham (2018), 235–260.10.1007/978-3-319-72565-9_12Search in Google Scholar
[9] M. Beunardeau, A. Connolly, R. Géraud and D. Naccache, On the hardness of the Mersenne low hamming ratio assumption, Progress in Cryptology—LATINCRYPT 2017, Lecture Notes in Comput. Sci. 11368, Springer, Cham (2019), 166–174.10.1007/978-3-030-25283-0_9Search in Google Scholar
[10] C. Bootland, W. Castryck, I. Iliashenko and F. Vercauteren, Efficiently processing complex-valued data in homomorphic encryption, Cryptology ePrint Archive (2018), https://eprint.iacr.org/2018/785.10.1515/jmc-2015-0051Search in Google Scholar
[11] J. W. Bos, C. Costello, L. Ducas, I. Mironov, M. Naehrig, V. Nikolaenko, A. Raghunathan and D. Stebila, Frodo: Take off the ring! Practical, quantum-secure key exchange from LWE, Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, ACM, New York (2016), 1006–1018.10.1145/2976749.2978425Search in Google Scholar
[12] Z. Brakerski and N. Döttling, Two-message statistically sender-private OT from LWE, Theory of Cryptography. Part II, Lecture Notes in Comput. Sci. 11240, Springer, Cham (2018), 370–390.10.1007/978-3-030-03810-6_14Search in Google Scholar
[13] Z. Brakerski, C. Gentry and V. Vaikuntanathan, (Leveled) fully homomorphic encryption without bootstrapping, ACM Trans. Comput. Theory 6 (2014), no. 3, Article ID 13.10.1145/2090236.2090262Search in Google Scholar
[14] Z. Brakerski, A. Langlois, C. Peikert, O. Regev and D. Stehlé, Classical hardness of learning with errors (extended abstract), Proceedings of the 2013 ACM Symposium on Theory of Computing—STOC’13, ACM, New York (2013), 575–584.10.1145/2488608.2488680Search in Google Scholar
[15] W. Castryck, I. Iliashenko and F. Vercauteren, On error distributions in ring-based LWE, LMS J. Comput. Math. 19 (2016), 130–145.10.1112/S1461157016000280Search in Google Scholar
[16] H. Chen, K. Laine, R. Player and Y. Xia, High-precision arithmetic in homomorphic encryption, Topics in Cryptology—CT-RSA 2018, Lecture Notes in Comput. Sci. 10808, Springer, Cham (2018), 116–136.10.1007/978-3-319-76953-0_7Search in Google Scholar
[17] J. H. Cheon, J. Jeong and C. Lee, An algorithm for NTRU problems and cryptanalysis of the GGH multilinear map without a low-level encoding of zero, LMS J. Comput. Math. 19 (2016), 255–266.10.1112/S1461157016000371Search in Google Scholar
[18] M. Coglianese and B.-M. Goi, MaTRU: A new NTRU-based cryptosystem, Progress in Cryptology—INDOCRYPT 2005, Lecture Notes in Comput. Sci. 3797, Springer, Berlin (2005), 232–243.10.1007/11596219_19Search in Google Scholar
[19] J. Ding, X. Xie and X. Lin, A simple provably secure key exchange scheme based on the learning with errors problem, Cryptology ePrint Archive (2012), https://eprint.iacr.org/2012/688.Search in Google Scholar
[20] L. Ducas, V. Lyubashevsky and T. Prest, Efficient identity-based encryption over NTRU lattices, Advances in Cryptology—ASIACRYPT 2014. Part II, Lecture Notes in Comput. Sci. 8874, Springer, Heidelberg (2014), 22–41.Search in Google Scholar
[21] J. Fan and F. Vercauteren, Somewhat practical fully homomorphic encryption, Cryptology ePrint Archive (2012), https://eprint.iacr.org/2012/144.Search in Google Scholar
[22] C. Gentry, Fully homomorphic encryption using ideal lattices, Proceedings of the 2009 ACM International Symposium on Theory of Computing—STOC’09, ACM, New York (2009), 169–178.10.1145/1536414.1536440Search in Google Scholar
[23] C. Gentry, C. Peikert and V. Vaikuntanathan, Trapdoors for hard lattices and new cryptographic constructions [extended abstract], Proceedings of the 40th Annual ACM Symposium on Theory of Computing—STOC’08, ACM, New York (2008), 197–206.10.1145/1374376.1374407Search in Google Scholar
[24] C. Gu, Integer version of ring-LWE and its applications, Cryptology ePrint Archive (2017), https://eprint.iacr.org/2017/641.10.1007/978-981-15-0758-8_9Search in Google Scholar
[25] M. Hamburg, Post-quantum cryptography proposal: ThreeBears, 2018.Search in Google Scholar
[26] J. Hoffstein, J. Pipher and J. H. Silverman, NTRU: A new high speed public key cryptosystem, (1996), https://web.securityinnovation.com/hubfs/files/ntru-orig.pdf.Search in Google Scholar
[27] J. Hoffstein, J. Pipher and J. H. Silverman, NTRU: A ring-based public key cryptosystem, Algorithmic Number Theory, Lecture Notes in Comput. Sci. 1423, Springer, Berlin (1998), 267–288.10.1007/BFb0054868Search in Google Scholar
[28] J. Hoffstein, J. Pipher, W. Whyte and Z. Zhang, A signature scheme from learning with truncation, Cryptology ePrint Archive (2017), https://eprint.iacr.org/2017/995.Search in Google Scholar
[29] P. Kirchner and P.-A. Fouque, Revisiting lattice attacks on overstretched NTRU parameters, Advances in Cryptology—EUROCRYPT 2017. Part I, Lecture Notes in Comput. Sci. 10210, Springer, Cham (2017), 3–26.10.1007/978-3-319-56620-7_1Search in Google Scholar
[30] A. Langlois and D. Stehlé, Worst-case to average-case reductions for module lattices, Des. Codes Cryptogr. 75 (2015), no. 3, 565–599.10.1007/s10623-014-9938-4Search in Google Scholar
[31] S. Ling, K. Nguyen, D. Stehlé and H. Wang, Improved zero-knowledge proofs of knowledge for the ISIS problem, and applications, Public-key Cryptography—PKC 2013, Lecture Notes in Comput. Sci. 7778, Springer, Heidelberg (2013), 107–124.10.1007/978-3-642-36362-7_8Search in Google Scholar
[32] A. López-Alt, E. Tromer and V. Vaikuntanathan, On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption, Proceedings of the 2012 ACM Symposium on Theory of Computing—STOC’12, ACM, New York (2012), 1219–1234.10.1145/2213977.2214086Search in Google Scholar
[33] V. Lyubashevsky, Lattice signatures without trapdoors, Advances in Cryptology—EUROCRYPT 2012, Lecture Notes in Comput. Sci. 7237, Springer, Heidelberg (2012), 738–755.10.1007/978-3-642-29011-4_43Search in Google Scholar
[34] V. Lyubashevsky and D. Micciancio, Generalized compact knapsacks are collision resistant, Automata, Languages and Programming. Part II, Lecture Notes in Comput. Sci. 4052, Springer, Berlin, (2006), 144–155.10.1007/11787006_13Search in Google Scholar
[35] V. Lyubashevsky, C. Peikert and O. Regev, On ideal lattices and learning with errors over rings, Advances in Cryptology—EUROCRYPT 2010, Lecture Notes in Comput. Sci. 6110, Springer, Berlin (2010), 1–23.Search in Google Scholar
[36] V. Lyubashevsky, C. Peikert and O. Regev, On ideal lattices and learning with errors over rings, Advances in Cryptology—EUROCRYPT 2010, Lecture Notes in Comput. Sci. 6110, Springer, Berlin (2010), 1–23.Search in Google Scholar
[37] R. J. McEliece, A public-key cryptosystem based on algebraic coding theory, JPL DSN Progress Report 42–44 (1978), 114–116.Search in Google Scholar
[38] B. Mi, D. Huang, S. Wan, L. Mi and J. Cao, Oblivious transfer based on NTRUEncrypt, IEEE Access 6 (2018), 35283–35291.10.1109/ACCESS.2018.2846798Search in Google Scholar
[39] D. Micciancio, Generalized compact knapsacks, cyclic lattices, and efficient one-way functions, Comput. Complexity 16 (2007), no. 4, 365–411.10.1007/s00037-007-0234-9Search in Google Scholar
[40] D. Micciancio, On the hardness of learning with errors with binary secrets, Theory Comput. 14 (2018), Article ID 13.10.4086/toc.2018.v014a013Search in Google Scholar
[41] G. Myerson, On resultants, Proc. Amer. Math. Soc. 89 (1983), no. 3, 419–420.10.1090/S0002-9939-1983-0715856-2Search in Google Scholar
[42] R. Nayak, C. V. Sastry and J. Pradhan, A matrix formulation for NTRU cryptosystem, 16th IEEE International Conference on Networks, IEEE Press, Piscataway (2008), 1–5.10.1109/ICON.2008.4772602Search in Google Scholar
[43] H. Niederreiter, Knapsack-type cryptosystems and algebraic coding theory, Probl. Control Inf. Theory 15 (1986), no. 2, 159–166.Search in Google Scholar
[44] C. Peikert, V. Vaikuntanathan and B. Waters, A framework for efficient and composable oblivious transfer, Advances in Cryptology—CRYPTO 2008, Lecture Notes in Comput. Sci. 5157, Springer, Berlin (2008), 554–571.10.1007/978-3-540-85174-5_31Search in Google Scholar
[45] E. Prange, The use of information sets in decoding cyclic codes, IRE Trans. IT-8 (1962), S5–S9.10.1109/TIT.1962.1057777Search in Google Scholar
[46] O. Regev, On lattices, learning with errors, random linear codes, and cryptography, Proceedings of the 37th Annual ACM Symposium on Theory of Computing—STOC’05, ACM, New York (2005), 84–93.10.1145/1060590.1060603Search in Google Scholar
[47] P. Santini, E. Persichetti and M. Baldi, Reproducible codes and cryptographic applications, Cryptology ePrint Archive (2018), https://eprint.iacr.org/2018/666.Search in Google Scholar
[48] D. Stehlé, R. Steinfeld, K. Tanaka and K. Xagawa, Efficient public key encryption based on ideal lattices (extended abstract), Advances in Cryptology—ASIACRYPT 2009, Lecture Notes in Comput. Sci. 5912, Springer, Berlin (2009), 617–635.10.1007/978-3-642-10366-7_36Search in Google Scholar
[49] A. Szepieniec, Ramstake, Technical report, National Institute of Standards and Technology, 2018.Search in Google Scholar
[50] NIST. Post-quantum crypto standardization, 2018.Search in Google Scholar
[51] NIST. Submission to the NIST call for PQC proposals, 2018.Search in Google Scholar
© 2020 Carl Bootland et al., published by De Gruyter
This work is licensed under the Creative Commons Attribution 4.0 International License.
