NTRU in Quaternion Algebras of Bounded Discriminant

Abstract

The NTRU assumption provides one of the most prominent problems on which to base post-quantum cryptography. Because of the efficiency and security of NTRU-style schemes, structured variants have been proposed, using modules. In this work, we create a structured form of NTRU using lattices obtained from orders in cyclic division algebras of index 2, that is, from quaternion algebras. We present a public-key encryption scheme, and show that its public keys are statistically close to uniform. We then prove IND-CPA security of a variant of our scheme when the discriminant of the quaternion algebra is not too large, assuming the hardness of Learning with Errors in cyclic division algebras.

Appendices

A Proofs

Proof

(of Proposition 5). We have

$$\begin{aligned} \Vert x\Vert _p^p&= \sum _{\alpha \in {\text {Emb}}(K)}\sum _{1\le i,j<d}|\alpha ((\phi (x))_{i,j})|^p\ge d^2\sum _{\alpha \in {\text {Emb}}(K)}\left( \prod _{i,j}|\alpha ((\phi (x))_{i,j})|^p\right) ^{1/d^2}\\&\ge d^2[K:\mathbb {Q}]\left( \prod _{\alpha \in {\text {Emb}}(K)}\left( \prod _{0\le i<d}|\alpha (N_{L/K}(x_i))|^p\right) ^{1/d^2}\right) ^{1/[K:\mathbb {Q}]}\\&= [\mathcal {A}:\mathbb {Q}] \left( \prod _{0\le i<d}|N_{L/\mathbb {Q}}(x_i)|\right) ^{p/[\mathcal {A}:\mathbb {Q}]},\text { and if}\; x\in \mathcal {I},\\ \Vert x\Vert _p^p&\ge [\mathcal {A}:\mathbb {Q}] \left( \prod _{0\le i<d}|N_{L/\mathbb {Q}}(x_i)|\right) ^{p/[\mathcal {A}:\mathbb {Q}]} = [\mathcal {A}:\mathbb {Q}] \left| N_{L/\mathbb {Q}}\left( \prod _{0\le i<d}x_i\right) \right| ^{p/[\mathcal {A}:\mathbb {Q}]} \end{aligned}$$

By assumption, the coefficients \(x_i\) lie in the ideal \(\mathfrak {J}\mathcal {O}_L\). Thus \(x_i\in \bar{\mathcal {I}}:=\mathcal {I}\cap \mathcal {O}_L\) for \(i=0,...,d-1\), and so \(\prod _{0\le i<d}x_i\in \bar{\mathcal {I}}^d\), and hence \(\Vert x\Vert _p^p\ge [\mathcal {A}:\mathbb {Q}]\cdot \left| N_{L/\mathbb {Q}}\left( \bar{\mathcal {I}}\right) \right| ^{dp/[\mathcal {A}:\mathbb {Q}]}.\) Finally, to see \(\lambda _1^\infty (\mathcal {I})\ge \left( N_{L/\mathbb {Q}}(\bar{\mathcal {I}})\right) ^{1/nd}\),

\(\Vert x\Vert _\infty = \underset{{i,j,\alpha }}{{\text {sup}}}|\alpha (\phi (x)_{i,j})|\ge \prod _{i,j,\alpha }|\alpha ((\phi (x))_{i,j})|^{1/nd^2}= N_{L/\mathbb {Q}}(\underset{{0\le i<d}}{\prod } x_i)^{1/nd^2}\).   \(\square \)

B Choosing Parameters and Number Fields

In this section, we give a brief overview of some parameters choices for NTRU, focusing on n and q, before giving possible parameters for CDAs. We note that many suggested parameters (including ours) are not chosen according to security proofs, but rather take into account considerations such as speed and efficiency. We note the analysis of [12], and [32] for LWE, and welcome similar analysis for provably secure NTRU variants and CNTRU.

Parameters for NTRU in Previous Works. NTRU [24] uses convolution rings \(\mathbb {Z}[x]/(x^N-1)\) with N prime, which are not ring of integers of algebraic number fields. This is the same as in [23, 28]; since CDAs are constructed from fields, the parameters used here do not adapt straightforwardly to our setting. This situation is mirrored in the NTRU finalist in NIST’s post-quantum standardisation process, [13]. The authors use the rings \(\mathbb {Q}(x)/(x-1)\varPhi _n(x)\) with prime n, which are not fields. In this case, the polynomials ‘\(\varPhi _n(x)\)’ are cyclotomic, hence \(x^n-1 = (x-1)\varPhi _n(x)\); and \((x-1)\varPhi _n(x)\) is plainly not irreducible.

However, the authors of [48, 49] replace \(x^n-1\) by \(x^n+1\), for power-of-two n. These are the 2nth cyclotomic polynomials, which are amenable to generalisation by CDAs. Since n is a power of two, natural choices are \(n = 512\) or \(n = 1024\). They also recommend \(p = 3\) or \(p=2\). As for q, if \(\alpha q>n^{0.75}\), the decryption algorithm recovers m with probability \(1-n^{\omega (1)}\). For the security proof to hold, one needs \(q\equiv 1 \bmod 2n\). So in the context of CDAs, one could choose \(n = 256\), \(q = 7681\), or \(n=512\), \(q = 12289\), if working with the same framework as [49].

Falcon [19] uses \(n=512\) for NIST Level I, and \(n=1024\) for NIST Level V, where n is the degree of the cyclotomic ring. They use \(q = 12289\). ModFalcon [16] uses a rank two module over a power of two cyclotomic of degree 512, and also sets \(q=12289\). In contrast, ModNTRU [15] uses a rank three module over a power of two cyclotomic of degree 512, but uses \(q = 2^{19}\), instead of prime q.

Parameters for NTRU in CDAs. We follow the module NTRU instances in using power of two cyclotomics. Although there has been some concern raised over the large number of subfields and automorphisms attached to these objects [42], there has not yet been an efficient attack against the NTRU problem exploiting these features (for non-‘overstretched’ parameters). We recommend using algebras of dimension approximately 1000 over \(\mathbb {Q}\). Following the construction detailed above: \(\mathcal {A} = (L/\mathbb {Q}(\zeta _n),\theta ,\zeta _n)\) with \(K\subset L\subset M=\mathbb {Q}(\zeta _{\ell n})\) for \(\ell \equiv 1\bmod n\), \(\ell \not \equiv 1\bmod pn\) for any prime \(p\mid n\). Take q to be a prime completely split in L, not too large to avoid attacks exploiting ‘overstretched’ parameters. Example parameters might be \(n=1024\), \(d=2\), \(\ell =12289\), and \(q=13313\).

As for choosing the sets \(\mathcal {S}_f\) and so on, one can take these to be binary or ternary with set weights for efficiency, as some other NTRU schemes do, if desired. We leave the precise analysis of choices of such sets as future work.

C Sketched Cryptographic Functionality

KEM. Here we outline an CNTRU-based KEM. We follow the structure of the KEM in [13] closely. Denote the CNTRU key generation, encryption, and decryption algorithms by KeyGen, Encrypt, and Decrypt respectively.

Below, \(H_1(\cdot )\) and \(H_2(\cdot )\) are hash functions. Correctness is straightforward.

Signatures. We now give a signature scheme for CNTRU, based on pqNTRUSign [22]. Below are the key generation, signing, and verification algorithms. As usual, we fix coprime integers p and q with \(q\gg p\). In [22], ternary polynomials are used, though we note this is not essential for the correctness of the scheme. Let \(\mathcal {T}\) denote elements of \(\varLambda \) with ternary coefficients, i.e. \(\mathcal {T} = \{f = \oplus _{i=0}^{d-1}u^if_i\in \varLambda \text { : }f_i \text { is ternary}\}\). Moreover, let \(\mathcal {R} = \{h = \oplus _{i=0}^{d-1}u^ih_i\text { : }\Vert h_i\Vert _\infty \le q/2, i=0,...,d-1\}\) and \(\mathcal {S} = \{g = \oplus _{i=0}^{d-1}g_i\in \varLambda \text { : }\Vert g_i\Vert _\infty \le p/2, i = 0,...,d-1\}\).

Like pqNTRUSign, we require a function H which takes a public key h and a message \(\mu \) to be signed, and outputs a pair of elements with bounded norm, that is \(H:\mathcal {R}\times \{0,1\}^*\rightarrow \mathcal {S}\times \mathcal {S}\). The values \(B_s\) and \(B_t\) are bounds that can be changed to vary the security level and efficiency of the protocol.

The signing algorithm is nearly identical to that of pqNTRUSign. We do, however, have to be careful about how we multiply a and f, g. For correctness to hold, we use the pair (af, ag) in our algorithm, whereas in [22] one can use (fa, ga) or (af, ag). This is because the NTRU lattice is an \(\mathcal {O}_L\)-bimodule in the commutative case, whereas CNTRU lattices are only left \(\varLambda \)-modules.

It is straightforward to show correctness for this scheme, for well chosen \(B_s\), \(B_t\).

We do not analyse the above schemes in detail; we include them to demonstrate that such functionality is obtainable from NTRU in noncommutative rings.