## Cryptology ePrint Archive: Report 2018/331

Estimate all the {LWE, NTRU} schemes!

Martin R. Albrecht and Benjamin R. Curtis and Amit Deo and Alex Davidson and Rachel Player and Eamonn W. Postlethwaite and Fernando Virdia and Thomas Wunderer

Abstract: We consider all LWE- and NTRU-based encryption, key encapsulation, and digital signature schemes proposed for standardisation as part of the Post-Quantum Cryptography process run by the US National Institute of Standards and Technology (NIST). In particular, we investigate the impact that different estimates for the asymptotic runtime of (block-wise) lattice reduction have on the predicted security of these schemes. Relying on the "LWE estimator" of Albrecht et al., we estimate the cost of running primal and dual lattice attacks against every LWE-based scheme, using every cost model proposed as part of a submission. Furthermore, we estimate the security of the proposed NTRU-based schemes against the primal attack under all cost models for lattice reduction.

Category / Keywords: post-quantum cryptography, public-key cryptography, cryptanalysis, learning with errors, NTRU, NIST

Original Publication (with minor differences): Conference on Security and Cryptography for Networks (SCN'18)

Date: received 9 Apr 2018, last revised 3 Dec 2018

Contact author: benjamin curtis 2015 at rhul ac uk

