Movatterモバイル変換

NTRU Prime

Intro

Several ideal-lattice-based cryptosystems have been brokenby recent attacks that exploit special structuresof the rings used in those cryptosystems.The same structures are also usedin the leading proposals for post-quantum lattice-based cryptography,including the classic NTRU cryptosystem and typicalRing-LWE-based cryptosystems.

NTRU Primetweaks NTRU to use rings without these structures.Here are two public-key cryptosystems in the NTRU Prime family,both designed for the standard goal of IND-CCA2 security:

Streamlined NTRU Prime is optimized from an implementation perspective.
NTRU LPRime (pronounced "ell-prime") is a variant offering different tradeoffs.

sntrup653,sntrup761,sntrup857,ntrulpr653,ntrulpr761,andntrulpr857are Streamlined NTRU Prime and NTRU LPRimewith high-security post-quantum parameters.The resulting sizes and Haswell speeds(from the officialsupercop-20190816 benchmarks forhiphop)show that reducing the attack surface has very low cost:

System	ciphertext bytes	public-key bytes	enc cycles	dec cycles	keygen cycles
`sntrup653`	897	994	51212	66584	754692
`ntrulpr653`	1025	897	72708	88332	44488
`sntrup761`	1039	1158	55060	70180	1008968
`ntrulpr761`	1167	1039	77604	94064	47732
`sntrup857`	1184	1322	70112	99008	1195560
`ntrulpr857`	1312	1184	101360	125636	60324

sntrup4591761andntrulpr4591761are older versions ofsntrup761andntrulpr761using the same mathematical one-way functions:

System	ciphertext bytes	public-key bytes	enc cycles	dec cycles	keygen cycles
`sntrup4591761`	1047	1218	44992	93064	988456
`ntrulpr4591761`	1175	1047	80300	114180	44056

Contributors (alphabetical order)

Daniel J. Bernstein, University of Illinois at Chicago, USA
Chitchanok Chuengsatiansup, École Normale Supérieure de Lyon, France
Tanja Lange, Technische Universiteit Eindhoven, Netherlands
Christine van Vredendaal, Technische Universiteit Eindhoven, Netherlands

Acknowledgments

This work was supported bythe Cisco University Research Programunder the "Post-quantum networking" project.

This work was supported bythe U.S. National Science Foundation under grant 1314919."Any opinions, findings, and conclusions or recommendationsexpressed in this materialare those of the author(s) and do not necessarilyreflect the views of the National Science Foundation."

This work was supported bythe Commission of the European Communitiesthrough the Horizon 2020 program under project number 645622 (PQCRYPTO) and project number 645421 (ECRYPT-CSA).

This work was supported bythe Netherlands Organisation for Scientific Research (NWO)under grant 639.073.005.

Calculations were carried out onthe Saber cluster of the Cryptographic Implementations groupat Technische Universiteit Eindhoven.

Aug	SEP	Oct
	01
2018	2019	2020