Abstract
The NTRU assumption provides one of the most prominent problems on which to base post-quantum cryptography. Because of the efficiency and security of NTRU-style schemes, structured variants have been proposed, using modules. In this work, we create a structured form of NTRU using lattices obtained from orders in cyclic division algebras of index 2, that is, from quaternion algebras. We present a public-key encryption scheme, and show that its public keys are statistically close to uniform. We then prove IND-CPA security of a variant of our scheme when the discriminant of the quaternion algebra is not too large, assuming the hardness of Learning with Errors in cyclic division algebras.
References
Albert, A.: Structure of Algebras, AMS colloquium publications, vol. 24. American Mathematical Society, Providence (1939)
Albrecht, M., Bai, S., Ducas, L.: A subfield lattice attack on overstretched NTRU assumptions. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 153–178. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_6
Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_35
Atani, R., Atani, S., Karbasi, A.: NETRU: a noncommutative and secure variant of CTRU cryptosystem. ISC Int. J. Inf. Secur. 10, 45–53 (2018)
Atani, R., Atani, S., Karbasi, A.: A provably secure variant of ETRU based on extended ideal lattices over direct product of Dedekind domains. JCS 5, 13–34 (2018). https://doi.org/10.22108/jcs.2018.106856.0
Bagheri, K., Sadeghi, M.-R., Panario, D.: A non-commutative cryptosystem based on quaternion algebras. Des. Codes Crypt. 86(10), 2345–2377 (2017). https://doi.org/10.1007/s10623-017-0451-4
Banks, W.D., Shparlinski, I.E.: A variant of NTRU with non-invertible polynomials. In: Menezes, A., Sarkar, P. (eds.) INDOCRYPT 2002. LNCS, vol. 2551, pp. 62–70. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36231-2_6
Bayer-Fluckiger, E., Cerri, J.P., Chaubert, J.: Euclidean minima and central division algebras. Int. J. Number Theory 5(7), 1155–1168 (2009). https://doi.org/10.1142/S1793042109002614
Bernstein, D.J., Chuengsatiansup, C., Lange, T., van Vredendaal, C.: NTRU prime: reducing attack surface at low cost. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 235–260. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-72565-9_12
Boudgoust, K., Jeudy, C., Roux-Langlois, A., Wen, A.: Entropic hardness of module-LWE from module-NTRU. In: Isobe, T., Sarkar, S. (eds.) INDOCRYPT 2022. LNCS, vol. 13774, pp. 78–99. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-22912-1_4
Caruso, X., Borgne, J.L.: Fast multiplication for skew polynomials. In: ISSAC 2017, pp. 77–84. Association for Computing Machinery (2017). https://doi.org/10.1145/3087604.3087617
Chatterjee, S., Koblitz, N., Menezes, A., Sarkar, P.: Another look at tightness II: practical issues in cryptography. In: Phan, R.C.-W., Yung, M. (eds.) Mycrypt 2016. LNCS, vol. 10311, pp. 21–55. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-61273-7_3
Chen, C., et al.: NTRU: algorithm specifications and supporting documentation (2019). https://ntru.org/f/ntru-20190330.pdf
Chen, Y., Genise, N., Mukherjee, P.: Approximate trapdoors for lattices and smaller hash-and-sign signatures. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11923, pp. 3–32. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34618-8_1
Cheon, J.H., Kim, D., Kim, T., Son, Y.: A new trapdoor over module-NTRU lattice and its application to id-based encryption. Cryptology ePrint Archive, Report 2019/1468 (2019). https://eprint.iacr.org/2019/1468
Chuengsatiansup, C., Prest, T., Stehlé, D., Wallet, A., Xagawa, K.: ModFalcon: compact signatures based on module-NTRU lattices. In: ASIA CCS 2020, pp. 853–866. Association for Computing Machinery (2020). https://doi.org/10.1145/3320269.3384758
Coppersmith, D., Shamir, A.: Lattice attacks on NTRU. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 52–61. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_5
Felderhoff, J., Pellet-Mary, A., Stehlé, D.: On module unique-SVP and NTRU. In: Agrawal, S., Lin, D. (eds.) ASIACRYPT 2022. LNCS, vol. 13793, pp. 709–740. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-22969-5_24
Fouque, P.A., et al.: Falcon: Fast-Fourier lattice-based compact signatures over NTRU. https://falcon-sign.info/falcon.pdf
Gaborit, P., Ohler, J., Solé, P.: CTRU, a polynomial analogue of NTRU. Technical report RR-4621, INRIA (2002). https://inria.hal.science/inria-00071964
Grover, C., Mendelsohn, A., Ling, C., Vehkalahti, R.: Non-commutative ring learning with errors from cyclic algebras. J. of Cryptology 35(3), 22 (2022). https://doi.org/10.1007/s00145-022-09430-6
Hoffstein, J., Pipher, J., Schanck, J.M., Silverman, J.H., Whyte, W.: Transcript secure signatures based on modular lattices. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 142–159. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11659-4_9
Hoffstein, J., Pipher, J., Schanck, J.M., Silverman, J.H., Whyte, W., Zhang, Z.: Choosing parameters for NTRUEncrypt. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 3–18. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-52153-4_1
Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054868
Howgrave-Graham, N.: A hybrid lattice-reduction and meet-in-the-middle attack against NTRU. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 150–169. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_9
Howgrave-Graham, N., et al.: The impact of decryption failures on the security of NTRU encryption. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 226–246. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_14
Howgrave-Graham, N., Silverman, J., Whyte, W.: A meet-in-the-middle attack on an NTRU private key. Technical report, NTRU Cryptosystems (2003)
Howgrave-Graham, N., Silverman, J.H., Whyte, W.: Choosing parameter sets for NTRUEncrypt with NAEP and SVES-3. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 118–135. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30574-3_10
Jarvis, K.: NTRU over the Eisenstein Integers. Master’s thesis (2011). https://ruor.uottawa.ca/handle/10393/19862
Karbasi, A.H., Atani, R.: ILTRU: an NTRU-like public key cryptosystem over ideal lattices. Cryptology ePrint Archive, Report 2015/549 (2015)
Katz, J., Lindell, Y.: Introduction to Modern Cryptography, 2nd edn. Chapman & Hall/CRC, Boca Raton (2014)
Koblitz, N., Samajder, S., Sarkar, P., Singha, S.: Concrete analysis of approximate ideal-SIVP to decision ring-LWE reduction. Adv. Math. Commun. (2022). https://doi.org/10.3934/amc.2022082
Kouzmenko, R.: Generalizations of the NTRU cryptosystem. Ph.D. thesis (2005)
Malekian, E., Zakerolhosseini, A.: OTRU: a non-associative and high speed public key cryptosystem. In: CADS 2010, pp. 83–90 (2010). https://doi.org/10.1109/CADS.2010.5623536
Malekian, E., Zakerolhosseini, A., Mashatan, A.: QTRU: quaternionic version of the NTRU public-key cryptosystem. ISC Int. J. Inf. Secur. 3, 29–42 (2011). https://doi.org/10.22042/isecure.2015.3.1.3
Marcus, D.A.: Number Fields. Universitext. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-90233-3
Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. In: FOCS 2004. SIAM Journal on Computing, vol. 37, pp. 372–381 (2004). https://doi.org/10.1109/FOCS.2004.72
Murphy, S., Player, R.: \(\delta \)-subgaussian random variables in cryptography. In: Jang-Jaccard, J., Guo, F. (eds.) ACISP 2019. LNCS, vol. 11547, pp. 251–268. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-21548-4_14
Murphy, S., Player, R.: Discretisation and product distributions in ring-LWE. J. Math. Cryptol. 15(1), 45–59 (2021). https://doi.org/10.1515/jmc-2020-0073
Jarvis, K., Nevins, M.: ETRU: NTRU over the Eisenstein integers. Des. Codes Crypt. 74(1), 219–242 (2013). https://doi.org/10.1007/s10623-013-9850-3
Nevins, M., KarimianPour, C., Miri, A.: NTRU in rings beyond \(\mathbb{Z} \). Des. Codes Crypt. 56, 65–78 (2009). https://doi.org/10.1007/s10623-009-9342-7
NTRU prime risk-management team: Risks of lattice KEMs (2021). https://ntruprime.cr.yp.to/warnings.html
Oggier, F., Sethuraman, B.A.: Quotients of orders in cyclic algebras and space-time codes. AMC 7(4), 441–461 (2013). https://doi.org/10.3934/amc.2013.7.441
Peikert, C.: Limits on the hardness of lattice problems in \(\ell _p\) norms. In: CCC 2007, pp. 333–346 (2007). https://doi.org/10.1109/CCC.2007.12
Peikert, C., Rosen, A.: Lattices that admit logarithmic worst-case to average-case connection factors. In: STOC 2007, pp. 478–487. Association for Computing Machinery (2007). https://doi.org/10.1145/1250790.1250860
Pellet-Mary, A., Stehlé, D.: On the hardness of the NTRU problem. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13090, pp. 3–35. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92062-3_1
Singh, S., Padhye, S.: Generalisations of NTRU cryptosystem. SCN 9(18), 6315–6334 (2016). https://doi.org/10.1002/sec.1693
Stehlé, D., Steinfeld, R.: Making NTRU as secure as worst-case problems over ideal lattices. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 27–47. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_4
Stehlé, D., Steinfeld, R.: Making NTRUEncrypt and NTRUSign as secure as standard worst-case problems over ideal lattices. Cryptology ePrint Archive (2013). https://eprint.iacr.org/2013/004
Steinfeld, R.: NTRU cryptosystem: Recent developments and emerging mathematical problems in finite polynomial rings. In: Niederreiter, H., Ostafe, A., Panario, D., Winterhof, A. (eds.) Algebraic Curves and Finite Fields, pp. 179–212. De Gruyter (2014). https://doi.org/10.1515/9783110317916.179
Thakur, K., Tripathi, B.: KTRU: NTRU over the Kleinian integers. J. Int. Acad. Phys. Sci. 20(3), 177–183 (2016)
Thakur, K., Tripathi, B.P.: STRU: a non alternative and multidimensional public key cryptosystem. GJPAM 13, 1447–1464 (2017). http://www.ripublication.com/Volume/gjpamv13n5.htm
Truman, K.: Analysis and extension of non-commutative NTRU. Ph.D. thesis (2007). https://drum.lib.umd.edu/handle/1903/7344
Vats, N.: NNRU, a noncommutative analogue of NTRU. CoRR abs/0902.1891 (2009). http://arxiv.org/abs/0902.1891
Vehkalahti, R., Hollanti, C., Lahtonen, J., Ranto, K.: On the densest MIMO lattices from cyclic division algebras. IEEE Trans. Inf. Theory 55(8), 3751–3780 (2009). https://doi.org/10.1109/TIT.2009.2023713
Voight, J.: Quaternion Algebras. Graduate Texts in Mathematics, Springer, Cham (2021)
Wang, Y., Wang, M.: Provably secure NTRUEncrypt over any cyclotomic field. In: Cid, C., Jacobson, M., Jr. (eds.) SAC 2018. LNCS, vol. 11349, pp. 391–417. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-10970-7_18
Yasuda, T., Anada, H., Sakurai, K.: Application of NTRU using group rings to partial decryption technique. In: Yung, M., Zhang, J., Yang, Z. (eds.) INTRUST 2015. LNCS, vol. 9565, pp. 203–213. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31550-8_13
Appendices
A Proofs
Proof (of Proposition 5). We have
By assumption, the coefficients \(x_i\) lie in the ideal \(\mathfrak {J}\mathcal {O}_L\). Thus \(x_i\in \bar{\mathcal {I}}:=\mathcal {I}\cap \mathcal {O}_L\) for \(i=0,...,d-1\), and so \(\prod _{0\le i<d}x_i\in \bar{\mathcal {I}}^d\), and hence \(\Vert x\Vert _p^p\ge [\mathcal {A}:\mathbb {Q}]\cdot \left| N_{L/\mathbb {Q}}\left( \bar{\mathcal {I}}\right) \right| ^{dp/[\mathcal {A}:\mathbb {Q}]}.\) Finally, to see \(\lambda _1^\infty (\mathcal {I})\ge \left( N_{L/\mathbb {Q}}(\bar{\mathcal {I}})\right) ^{1/nd}\),
\(\Vert x\Vert _\infty = \underset{{i,j,\alpha }}{{\text {sup}}}|\alpha (\phi (x)_{i,j})|\ge \prod _{i,j,\alpha }|\alpha ((\phi (x))_{i,j})|^{1/nd^2}= N_{L/\mathbb {Q}}(\underset{{0\le i<d}}{\prod } x_i)^{1/nd^2}\). \(\square \)
B Choosing Parameters and Number Fields
In this section, we give a brief overview of some parameters choices for NTRU, focusing on n and q, before giving possible parameters for CDAs. We note that many suggested parameters (including ours) are not chosen according to security proofs, but rather take into account considerations such as speed and efficiency. We note the analysis of [12], and [32] for LWE, and welcome similar analysis for provably secure NTRU variants and CNTRU.
Parameters for NTRU in Previous Works. NTRU [24] uses convolution rings \(\mathbb {Z}[x]/(x^N-1)\) with N prime, which are not rings of integers of algebraic number fields. The same holds in [23, 28]; since CDAs are constructed from fields, the parameters used there do not adapt straightforwardly to our setting. This situation is mirrored in the NTRU finalist in NIST’s post-quantum standardisation process, [13]. The authors use the rings \(\mathbb {Q}(x)/(x-1)\varPhi _n(x)\) with prime n, which are not fields. In this case, the polynomials ‘\(\varPhi _n(x)\)’ are cyclotomic, hence \(x^n-1 = (x-1)\varPhi _n(x)\); and \((x-1)\varPhi _n(x)\) is plainly not irreducible.
However, the authors of [48, 49] replace \(x^n-1\) by \(x^n+1\), for power-of-two n. These are the 2n-th cyclotomic polynomials, which are amenable to generalisation by CDAs. Since n is a power of two, natural choices are \(n = 512\) or \(n = 1024\). They also recommend \(p = 3\) or \(p=2\). As for q, if \(\alpha q>n^{0.75}\), the decryption algorithm recovers m with probability \(1-n^{-\omega (1)}\). For the security proof to hold, one needs \(q\equiv 1 \bmod 2n\). So in the context of CDAs, one could choose \(n = 256\), \(q = 7681\), or \(n=512\), \(q = 12289\), if working with the same framework as [49].
Falcon [19] uses \(n=512\) for NIST Level I, and \(n=1024\) for NIST Level V, where n is the degree of the cyclotomic ring. They use \(q = 12289\). ModFalcon [16] uses a rank two module over a power-of-two cyclotomic of degree 512, and also sets \(q=12289\). In contrast, ModNTRU [15] uses a rank three module over a power-of-two cyclotomic of degree 512, but uses \(q = 2^{19}\), instead of prime q.
Parameters for NTRU in CDAs. We follow the module NTRU instances in using power-of-two cyclotomics. Although there has been some concern raised over the large number of subfields and automorphisms attached to these objects [42], there has not yet been an efficient attack against the NTRU problem exploiting these features (for non-‘overstretched’ parameters). We recommend using algebras of dimension approximately 1000 over \(\mathbb {Q}\). Following the construction detailed above: \(\mathcal {A} = (L/\mathbb {Q}(\zeta _n),\theta ,\zeta _n)\) with \(K\subset L\subset M=\mathbb {Q}(\zeta _{\ell n})\) for \(\ell \equiv 1\bmod n\), \(\ell \not \equiv 1\bmod pn\) for any prime \(p\mid n\). Take q to be a prime completely split in L, not too large, to avoid attacks exploiting ‘overstretched’ parameters. Example parameters might be \(n=1024\), \(d=2\), \(\ell =12289\), and \(q=13313\).
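The congruence and primality conditions quoted in this appendix are the part of parameter selection that can be checked mechanically. The following is an added example, not code from the paper: it tests the \(q\equiv 1 \bmod 2n\) condition quoted for the [49] framework, the condition \(q\equiv 1 \bmod n\) (a necessary condition for q to split completely in any field containing \(\mathbb {Q}(\zeta _n)\); deciding complete splitting in L itself needs the field L and is not attempted here), and the two congruences on \(\ell \). The function names are my own; the parameter values are the ones given in the text.

```python
"""Sanity checks for the congruence conditions quoted in Appendix B.

Added example, not the paper's code.  It checks only primality and the
congruences stated in the text; it does not decide whether q splits
completely in the subfield L, which requires L itself.
"""
from math import isqrt


def is_prime(m: int) -> bool:
    """Deterministic trial division; adequate for parameters of this size."""
    if m < 2:
        return False
    if m % 2 == 0:
        return m == 2
    for p in range(3, isqrt(m) + 1, 2):
        if m % p == 0:
            return False
    return True


def prime_factors(n: int) -> set[int]:
    """Distinct prime divisors of n (a small power of two in the text)."""
    factors, m, p = set(), n, 2
    while p * p <= m:
        while m % p == 0:
            factors.add(p)
            m //= p
        p += 1
    if m > 1:
        factors.add(m)
    return factors


def stehle_steinfeld_q_ok(n: int, q: int) -> bool:
    """q prime and q = 1 (mod 2n): the condition quoted for the [49] framework."""
    return is_prime(q) and q % (2 * n) == 1


def cda_modulus_ok(n: int, q: int) -> bool:
    """Necessary condition for q to split completely in a field containing
    Q(zeta_n): q prime with q = 1 (mod n).  Not sufficient for splitting in L."""
    return is_prime(q) and q % n == 1


def cda_ell_conditions(n: int, ell: int) -> dict[str, bool]:
    """The conditions on ell quoted in Appendix B: ell = 1 (mod n) and
    ell != 1 (mod p*n) for every prime p dividing n."""
    return {
        "ell_1_mod_n": ell % n == 1,
        "ell_not_1_mod_pn": all(ell % (p * n) != 1 for p in prime_factors(n)),
    }


if __name__ == "__main__":
    # Parameter sets quoted in Appendix B (values taken from the text).
    for n, q in [(256, 7681), (512, 12289)]:
        print(f"[49]-style n={n}, q={q}: {stehle_steinfeld_q_ok(n, q)}")
    n, ell, q = 1024, 12289, 13313
    print(f"CDA example q={q}: {cda_modulus_ok(n, q)}")
    print(f"CDA example ell={ell}: {cda_ell_conditions(n, ell)}")
```

Run on the values quoted above, both [49]-style pairs pass, and \(q=13313\) is prime with \(q\equiv 1 \bmod 1024\). For \(\ell =12289\) with \(n=1024\) the first congruence holds, but the second does not as written, since \(12289 = 1 + 6\cdot 2048\); the checker reports the literal conditions rather than endorsing a particular parameter set, which is exactly what one wants before committing to one.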
As for choosing the sets \(\mathcal {S}_f\) and so on, one can take these to be binary or ternary with set weights for efficiency, as some other NTRU schemes do, if desired. We leave the precise analysis of choices of such sets as future work.
C Sketched Cryptographic Functionality
KEM. Here we outline a CNTRU-based KEM. We follow the structure of the KEM in [13] closely. Denote the CNTRU key generation, encryption, and decryption algorithms by KeyGen, Encrypt, and Decrypt respectively.
Below, \(H_1(\cdot )\) and \(H_2(\cdot )\) are hash functions. Correctness is straightforward.
Signatures. We now give a signature scheme for CNTRU, based on pqNTRUSign [22]. Below are the key generation, signing, and verification algorithms. As usual, we fix coprime integers p and q with \(q\gg p\). In [22], ternary polynomials are used, though we note this is not essential for the correctness of the scheme. Let \(\mathcal {T}\) denote elements of \(\varLambda \) with ternary coefficients, i.e. \(\mathcal {T} = \{f = \oplus _{i=0}^{d-1}u^if_i\in \varLambda \text { : }f_i \text { is ternary}\}\). Moreover, let \(\mathcal {R} = \{h = \oplus _{i=0}^{d-1}u^ih_i\text { : }\Vert h_i\Vert _\infty \le q/2, i=0,...,d-1\}\) and \(\mathcal {S} = \{g = \oplus _{i=0}^{d-1}g_i\in \varLambda \text { : }\Vert g_i\Vert _\infty \le p/2, i = 0,...,d-1\}\).
Like pqNTRUSign, we require a function H which takes a public key h and a message \(\mu \) to be signed, and outputs a pair of elements with bounded norm, that is \(H:\mathcal {R}\times \{0,1\}^*\rightarrow \mathcal {S}\times \mathcal {S}\). The values \(B_s\) and \(B_t\) are bounds that can be changed to vary the security level and efficiency of the protocol.
The signing algorithm is nearly identical to that of pqNTRUSign. We do, however, have to be careful about how we multiply a and f, g. For correctness to hold, we use the pair (af, ag) in our algorithm, whereas in [22] one can use (fa, ga) or (af, ag). This is because the NTRU lattice is an \(\mathcal {O}_L\)-bimodule in the commutative case, whereas CNTRU lattices are only left \(\varLambda \)-modules.
It is straightforward to show correctness for this scheme, for well chosen \(B_s\), \(B_t\).
We do not analyse the above schemes in detail; we include them to demonstrate that such functionality is obtainable from NTRU in noncommutative rings.
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Ling, C., Mendelsohn, A. (2023). NTRU in Quaternion Algebras of Bounded Discriminant. In: Johansson, T., Smith-Tone, D. (eds) Post-Quantum Cryptography. PQCrypto 2023. Lecture Notes in Computer Science, vol 14154. Springer, Cham. https://doi.org/10.1007/978-3-031-40003-2_10
DOI: https://doi.org/10.1007/978-3-031-40003-2_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-40002-5
Online ISBN: 978-3-031-40003-2