Cryptology ePrint Archive: Report 2021/1352

A Thorough Treatment of Highly-Efficient NTRU Instantiations

Julien Duman and Kathrin Hövelmanns and Eike Kiltz and Vadim Lyubashevsky and Gregor Seiler and Dominique Unruh

Abstract: Cryptography based on the hardness of lattice problems over polynomial rings currently provides the most practical solution for public key encryption in the quantum era. The first encryption scheme utilizing properties of polynomial rings was NTRU (ANTS '98), but in the recent decade, most research has focused on constructing schemes based on the hardness of the somewhat related Ring/Module-LWE problem. Indeed, 14 out of the 17 encryption schemes based on the hardness of lattice problems in polynomial rings submitted to the first round of the NIST standardization process used some version of Ring/Module-LWE, with the other three being based on NTRU.

The preference for using Ring/Module-LWE is due to the fact that this problem is at least as hard as NTRU, is more flexible in the algebraic structure due to the fact that no polynomial division is necessary, and that the decryption error is independent of the message. And indeed, the practical NTRU encryption schemes in the literature generally lag their Ring/Module-LWE counterparts in either compactness or speed, or both.

In this paper, we put the efficiency of NTRU-based schemes on equal (even slightly better, actually) footing with their Ring/Module-LWE counterparts. We provide several instantiations and transformations, with security given in the ROM and the QROM, that detach the decryption error from the message, thus eliminating the adversary's power to have any effect on it, which ultimately allows us to decrease parameter sizes. The resulting schemes are on par, compactness-wise, with their counterparts based on Ring/Module-LWE. Performance-wise, the NTRU schemes instantiated in this paper over NTT-friendly rings of the form $Z_q[X]/(X^d-X^{d/2}+1)$ are the fastest of all public key encryption schemes, whether quantum-safe or not. When compared to the NIST finalist NTRU-HRSS-701, our scheme is $15\%$ more compact and has a $15$X improvement in the round-trip time of ephemeral key exchange, with key generation being $35$X faster, encapsulation being $6$X faster, and decapsulation enjoying a $9$X speedup.

Category / Keywords: public-key cryptography / Lattice Cryptography, NTRU

Date: received 7 Oct 2021

Contact author: Julien Duman at rub de, kathrin at hoevelmanns net, eike kiltz at rub de, gseiler at inf ethz ch, vadim lyubash at gmail com, unruh at ut ee

Available format(s): PDF | BibTeX Citation

Version: 20211007:113117 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]