Professional Documents
Culture Documents
NTRUEn rypt
and
NTRUSign
as Se ure as Standard
Damien Stehl
1
ENS de Lyon, Laboratoire LIP (U. Lyon, CNRS, ENS Lyon, INRIA, UCBL),
46 Alle d'Italie, 69364 Lyon Cedex 07, Fran
e.
damien.stehleens-lyon.fr http://perso.ens-lyon.fr/damien.stehle
2
Clayton S
hool of Information Te
hnology,
Monash University, Clayton, Australia.
ron.steinfeldmonash.edu http://users.monash.edu.au/~rste/
Abstra t. NTRUEn rypt, proposed in 1996 by Hostein, Pipher and Silverman, is the fastest known
latti
e-based en
ryption s
heme. Its moderate key-sizes, ex
ellent asymptoti
performan
e and
onje
tured resistan
e to quantum
omputers make it a desirable alternative to fa
torisation and dis
rete-log
based en
ryption s
hemes. However, sin
e its introdu
tion, doubts have regularly arisen on its se
urity
and that of its digital signature
ounterpart. In the present work, we show how to modify NTRUEn
rypt
and NTRUSign to make them provably se
ure in the standard (resp. random ora
le) model, under the
assumed quantum (resp.
lassi
al) hardness of standard worst-
ase latti
e problems, restri
ted to a
family of latti
es related to some
y
lotomi
elds.
Our main
ontribution is to show that if the se
ret key polynomials of the en
ryption s
heme are sele
ted
from dis
rete Gaussians, then the publi
key, whi
h is their ratio, is statisti
ally indistinguishable
from uniform over its range. We also show how to rigorously extend the en
ryption se
ret key into
a signature se
ret key. The se
urity then follows from the already proven hardness of the R-SIS and
R-LWE problems.
Keywords. Latti e-based ryptography, NTRU, ideal latti es, provable se urity.
1 Introdu
tion
The NTRU en
ryption s
heme devised by Hostein, Pipher and Silverman, was rst presented at
the rump session of Crypto'96 [27. Although its des
ription relies on arithmeti
over the polynomial
ring
Zq [x]/(xn 1) for n
prime and
be expressed as a problem over Eu
lidean latti
es [27, 11. At the ANTS'98
onferen
e, the NTRU
authors gave an improved presentation in
luding a thorough assessment of its pra
ti
al se
urity
against latti
e atta
ks [28. We refer to [24 for an up-to-date a
ount on the past 15 years of
se
urity and performan
e analyses. Nowadays,
alternative to the en
ryption s
hemes based on integer fa
torisation and dis
rete logarithm over nite
elds and ellipti
urves, as testied by its in
lusion in the IEEE P1363 standard [33. It is also often
onsidered as the most viable post-quantum publi
-key en
ryption (see, e.g., [58). The authors of
NTRUEn
rypt also proposed a signature s
heme based on a similar design. The history of NTRUSign
started with NSS in 2001 [29. Its development has been signi
antly more he
ti
and
ontroversial,
with a series of
ryptanalyses and repairs (see, e.g., [20, 22, 31, 67, 49, 52 and the survey [24).
In parallel to the break-and-repair development of the pra
ti
ally e
ient NTRU s
hemes, the
(mainly) theoreti
al eld of provably se
ure latti
e-based
ryptography has steadily been developed.
Some of the results in this paper have been presented in preliminary form at Euro
rypt 2011 [64. The results in
this paper improve and signi
antly extend those in [64; the most signi
ant addition is the se
urity analysis of
a provably se
ure variant of NTRUSign.
It originated in 1996 with Ajtai's a
laimed worst-
ase to average-
ase redu
tion [3, leading to
a
ollision-resistant hash fun
tion that is as hard to break as solving several natural worst-
ase
problems dened over Eu
lidean latti
es. Ajtai's average-
ase problem is now referred to as the
Small Integer Solution problem (SIS). Another major breakthrough in this eld was the introdu
tion
in 2005 of the Learning with Errors problem (LWE) by Regev [59, 60: LWE is both hard on the
average (standard worst-
ase latti
e problems quantumly redu
e to it), and su
iently exible to
allow for the design of
ryptographi
fun
tions. In the last few years, many
ryptographi
s
hemes
have been introdu
ed that are provably as se
ure as LWE and SIS are hard (and thus provably
se
ure, assuming the worst-
ase hardness of latti
e problems). These in
lude CPA and CCA se
ure
en
ryption s
hemes, identity-based en
ryption s
hemes, digital signatures,
(at least) linear in the se
urity parameter;
onsequently, the spa
e and time requirements seem
bound to be at least quadrati
with respe
t to the se
urity parameter. In 2002, Mi
ian
io [44
su
eeded in restri
ting
SIS
redu
tion. The worst-
ase problem is a restri
tion of a standard latti
e problem to the spe
i
family of
y
li
latti
es. The stru
ture of Mi
ian
io's matri
es allows for an interpretation in terms
of arithmeti
in the ring
Zq [x]/(xn 1),
where
is a small prime. Mi
ian
io's
onstru
tion leads to a family of pre-image resistant hash fun
tions,
with
omplexity quasi-linear in the se
urity parameter
n:
of the dis rete Fourier transform for multiplying polynomials. In two on urrent works, Peikert,
Zq [x]/ with a
that is irredu
ible over the rationals, sparse, and with small
oe
ients (e.g., = xn +1
power of 2). The resulting hash fun
tion was proven
ollision-resistant under the assumed
Rosen, Lyubashevsky and Mi
ian
io [57, 39 later suggested to
hange the ring to
polynomial
for
hardness of the modied average-
ase problem, now often
alled the
or
the restri
tions of standard worst-
ase latti
e problems to a spe
i
lass of latti
es,
alled ideal
latti
es. In 2009, Lyubashevsky [38 introdu
ed an e
ient digital signature provably as se
ure
as
R-SIS
(in the random ora le model). Also in 2009, Stehl, Steinfeld, Tanaka and Xagawa [65
R-SIS
LWE,
(under a quantum redu tion), and allowed for the design of an asymptoti ally e ient
CPA-se
ure en
ryption s
heme. In an independent and
on
urrent work, Lyubashevsky et al. [21
proposed a ring variant of LWE,
alled R-LWE, whose great exibility allows for more natural (and
e
ient)
ryptographi
onstru
tions.
Our results.
NTRUEn rypt
and
NTRUSign
strongly motivate a theoreti
ally founded study of their se
urity. Indeed, in the absen
e of su
h a
study so far, their se
urity has remained in doubt over the last 15 years sin
e the initial NTRU
publi
ation. This work addresses this problem.
the assumed quantum hardness of standard worst-
ase problems over ideal latti
es (for
with
a power of
2);
and we
the random ora
le model, under the assumed
lassi
al hardness of the same problems over ideal
latti
es. The
NTRUEn rypt
modi ations are summarized at the end of the introdu tion. The most
NTRUSign
13 in the signing pro
ess, that ensures that no se
ret information is leaked while signing (thus
preventing the learning atta
k from [52). We also give the rst rigorous analysis of the algorithm
that extends an
NTRUEn rypt
NTRUSign
se ret key.
We stress that our main goal in this paper is to provide, for the rst time, a rm theoreti
al
grounding for the se
urity of the NTRU s
hemes, in the asymptoti
sense. The pra
ti
al instantiations of our s
hemes are likely to be signi
antly less e
ient than the original s
hemes. However,
several of our modi
ations in
ur negligible performan
e overheads over the original s
hemes, while
bringing their se
urity level
loser to the provably se
ure s
hemes. For instan
e, the extra error term
NTRUEn rypt
we add to the
original s heme.
Zq
[x]/(xn
1)
<n
and oe-
(the denominator
is resampled if it is not invertible). A simple information-theoreti
argument shows that the publi
key
annot be uniformly distributed in the whole ring. It would be desirable to guarantee the latter
property, in order to exploit the established hardness of
R-SIS
and
weaker distribution property, whi h still su es for linking the se urity to
this purpose, we sample the se
ret key polynomials a
ording to a dis
rete Gaussian with standard
deviation
q 1/2 .
it bounds the distan
e to uniformity by a
onstant. To a
hieve the desired
loseness to uniformity,
we
hoose the
ai 's uniform
on
urrently and independently obtained by Lyubashevsky et al. in [43. An additional di
ulty in
the proof of publi
-key uniformity, whi
h we handle via an in
lusion-ex
lusion argument, is that we
need the randomizers
si
to be invertible in
Rq
si ):
We thus sample a
ording to a dis
rete Gaussian, and reje
t the sample if it is not invertible.
For
NTRUSign, the te
hnique des
ribed in [26, Se. 4 and in [25, Se. 5 to extend an NTRUEn
rypt
NTRUSign se
ret key is only heuristi
. For instan
e, it samples an en
ryption
se
ret key and reje
ts the sample until some desirable properties are satised (most notably the
o-primality of the two se
ret key polynomials over
Z[x]/(xn 1)),
pro
edure is not
arefully analyzed. We show that in our modied
ontext, the reje
tion probability
an be proven to be su
iently away from
1,
y
lotomi
elds under s
ope. Furthermore, the se
urity of the signature s
heme follows from the
hardness of
R-SIS,
Finally, the
ryptographi
s
hemes are obtained from (stru
tured variants of ) the Gentry et
al. [21 signature and dual en
ryption s
hemes, via an
R-SIS/R-LWE
of the
dently hosen in
Rq ,
nd an
am = 1
m = 2.
an then remove
for
R-SIS
when
from the input, by making it impli it. This improvement is most dramati
ring
Z[x]/(xn 1)
with
with large pres
ribed proportions of zero
oe
ients, and with their other
oe
ients belonging
to
{1, 1}.
as
f = 1 + pf
with
as des ribed
to be invertible modulo
result modulo
gives
q.
Compute
RNTRU ).
p.
(seen
pgs + f M
modulo
f M mod p.
f = 1 mod p).
Note that the en
ryption pro
ess is probabilisti
, and that de
ryption errors
an o
ur for some
sets of parameters. However, it is possible to arbitrarily de
rease the de
ryption error probability,
and even to prevent de
ryption errors from o
urring, by setting the parameters
arefully.
In order to a
hieve IND-CPA se
urity under the assumption that standard latti
e problems
are (quantumly) hard to solve in the worst-
ase for the family of ideal latti
es, we make a few
modi
ations to the original
spa e omplexity):
1. We repla e
n
of x
2.
3.
RNTRU
by
simplify de
ryption.
4. We add a small error term
from the
in the en ryption:
C = hs + pe + M mod q ,
with
and
sampled
the hardness of
a variant of
These modi
ations may be expensive to implement in pra
ti
e, be
ause of the hidden
onstant
fa
tor overheads. However, they suggest several
omputationally inexpensive modi
ations to the
NTRUEn
rypt design that bring it
loser to the provably se
ure variant. The addition of a
noise
omponent e in the en
ryption fun
tion (Modi
ation 4) does not require a large in
rease of q
original
for ensuring de ryption orre tness, but allows thwarting a simple Chosen Plaintext Atta k based
implement, as our analysis requires the standard deviation to be quite large, leading to se
ret key
polynomials
and
with mu h bigger oe ients than in the original s heme. Then the modulus
needs being signi antly in reased in order to enable de ryption orre tness. However, this modi ation may hint that taking
and
se
urity. This would for example thwart the so-
alled hybrid atta
k on NTRU [30 and allow using a
smaller
n.
and
and
would be
ome more
ostly. An alternative, suggested by Modi
ation 2, is to take a modulus
that
xn 1
has
n distin t
q : In
so
e ient Fast Fourier Transform. Finally, Modi ation 1 suggests repla ing
former has been shown inse
ure in the
ontext of hash fun
tions [56, Se. 4.1, although we a
tually
do not know of any su
h atta
k in the
ontext of NTRU.
Related works.
Like
NTRUEn rypt,
phertexts
onsisting of a single ring element. It also admits a se
urity proof under the assumed
quantum hardness of standard worst-
ase problems over ideal latti
es [19. Our se
urity analysis for
the modied
NTRUEn rypt
(n)
e
O(n)
2g(n) -time
O(g(n))
e
O(n)
e n)
g(n) = (
limiting the atta
ker's strength the analysis
an handle. On the other hand, Gentry's s
heme allows homomorphi
additions and multipli
ations, whereas ours seems restri
ted to homomorphi
additions.
The modied
NTRUSign an be shown hard to break for lassi al omputers, in the random ora le
model (assuming the worst-
ase hardness of standard latti
e problems for ideal latti
es). Be
ause of
the use of the random ora
le, it does not follow immediately whether this proof remains meaningful
in the
ase of quantum atta
kers. As pointed out in [7, one should be extremely
autious with
the random ora
le in a quantum setup. Fortunately, the se
urity proof for our
NTRUSign
s heme
falls in the
lass of `history-free' redu
tions as dened in [7 and shown to imply se
urity in the
quantum-a
essible random ora
le model.
Similarly, the se
urity of NAEP (the CCA-se
ure variant of
NTRUEn rypt)
dom ora le (see [32). Sin e the redu tion from standard problems over ideal latti es to
R-LWE
is
quantum, the se
urity of NAEP remains open, both quantumly and
lassi
ally.
We also mention a
ouple of works building upon some of the results of this paper, sin
e its
publi
ation in a preliminary form in [64. In [66, it is shown how to adapt the
NTRUSign
trapdoor
key generation algorithm from the present paper to onstru t an NTRU-based lossy trapdoor fun tion and use it to upgrade the IND-CPA se urity of the
NTRUEn rypt
se
urity (IND-CCA2) in the standard model, while preserving the same asymptoti
e
ien
y, up
to
onstant fa
tors. An extension in another dire
tion is given in [37, whi
h shows how to modify
NTRUEn rypt
our
the s heme in [37 requires the se ret key oe ients to be mu h smaller than the
O(Poly(n) q 1/2 )
value needed for our statisti
al uniformity bounds in this paper. The se
urity of the s
heme in [37
relies also, besides the hardness of
R-LWE,
Open problems.
with
a power of
2.
Z[x]/n
where
n = xn + 1
An obvious drawba k is that this does not allow for mu h exibility on the
n (in the
ase of NTRU, the degree was assumed prime, whi
h provides more freedom).
R-LWE problem is known to be hard when n is
y
lotomi
[41 (for an appropriate
hoi
e of
modulus q ). The R-SIS problem is known to be hard under even milder
onditions on n (see [39,
56). We
hose to restri
t ourselves to
y
lotomi
polynomials of order a power of 2 be
ause it makes
hoi
e of
The
the des
ription of the s
hemes simpler to follow. Our results are likely to hold for more general rings
than those we
onsidered. An interesting
hoi
e
ould be the
y
lotomi
rings of prime order (i.e.,
n = (xn 1)/(x 1)
with
prime) as these are large subrings of the original NTRU rings and
one might then be able to show that the hardness
arries over to the NTRU rings.
Redu
ing the
onstant fa
tor overheads of our provably se
ure s
hemes with respe
t to the
original NTRU s
hemes, while preserving a proof with respe
t to standard problems, is a remaining
interesting
hallenge. A related open question with additional appli
ations (see [37) is to prove the
omputational indistinguishability of the NTRU publi
key with se
ret key
oe
ients signi
antly
smaller than
q 1/2 ,
Road-map.
R-LWE.
NTRUSign
in Se tion 4.
Notation.
If q is a non-zero integer, we let Zq denote the ring of integers modulo q , i.e., the
{0, . . . , q 1} with addition and multipli
ation modulo q . For a ring (R, +, ), we let R denote
the set of invertible elements of R. If q is a prime power, we let Fq denote the nite eld with q
elements. If z C, its real and imaginary parts will be denoted by (z) and (z) respe
tively.
n
Ve
tors will be denoted in bold. If x R , then kxk denotes the Eu
lidean norm of x. The inner
produ
t of two ve
tors x and y will be denoted by hx, yi. We use ln to denote the natural logarithm.
The standard n-dimensional Gaussian fun
tion (resp. distribution) with
enter 0 and varian
e ,
2
2
n
will be denoted by (x) (resp. ), i.e., (x) = exp(kxk / ) (resp. (x) = (x)/ ). If E
is a nite set, we let U (E) denote the uniform distribution over E . If a fun
tion f over a
ountable
domain E takes non-negative real values, its sum over an arbitrary F E will be denoted by f (F ).
If D1 and D2 are two probability distributions over a dis
rete domain E , their statisti
al distan
e
1P
is (D1 ; D2 ) =
xE |D1 (x) D2 (x)|. We write z D when the random variable z is sampled
2
from the distribution D .
e
We make use of the Landau notations O(), O(),
o(), (), (), e (), (). A fun
tion f (n) is
(1) . We say that a sequen
e of events E holds with overwhelming
said negligible if f (n) = n
n
probability if Pr[En ] f (n) for a negligible fun
tion f .
set
latti e
L =
1 (L)) is the Eu
lidean (resp. innity) norm of any shortest nonzero ve
tor of L. If B = (bi )i is a basis matrix of L, the fundamental parallelepiped of B is the set
P
P(B) = { in ci bi : ci [0, 1)}. The volume | det B| of P(B) is an invariant of the latti
e L, denoted
minimum 1 (L)
(resp.
Lemma 2.1 q
([53, Le. 3.5,[46, Le. 3.3). For any
full-rank latti
e
have (L)
ln(2n(1+1/))
b
min n (L), 1/
1 (L)
L Rn
Lemma 2.2 ([46, Proof of Le. 4.4). For any full-rank latti
e L Rn , c Rn, (0, 1)h and i
(L),
we have ,c (L) =
+ ),
n
det(L) (1
1+
1
and
2n
L Rn , c Rn , (0, 1)
L L Rn be two full-rank
(DL,,c mod L ; U (L/L )) 2.
, we have
(L )
1+
1
2n .
,c (L)
(L)
1
1+ , 1
and (L),
t
2
(L),
we have:
Pr
bDL,,c
bDL,,c
L Rn , c Rn , (0, 1), t
i 1 +
|hb c, ui|
t
1
[|hb c, ui| t]
7
2e
.
t
1+
2
t 2e et .
1
2 ,
unit ve tor u Rn
Proof.
Let
X that
orresponds
= U L. We have:
variable
and L
uT .
b c
with
b DL ,,c , c = U c
the denominator. We have (L ) = (L) and det(L ) = det(L). Therefore, thanks to Lemma 2.2,
n
we have ,c (L ) =
det(L) (1 + ) with || .
n
We now provide an upper bound for the numerator. For any x R , we have 1/t,c (x)
2
|x c |
eK exp K 12 /t12 , where K := 12 t2 [0, 1/2]. As a
onsequen
e:
where
1/t,c (x)
with
where
1.
p
1 + Kt2 / and whose other diagop
(DL )
1 + Kt2 / (L ) and det(DL ) =
+ Kt2 /
It an be he ked that
Pr [|X| t] =
and
t,c (x)
1
|x1 c1 | > t
and 0 otherwise. The denominator is handled as above. For the numerator, note that for any x t,
2
x2
we have exp( 2 )
e exp(t2 ) exp( 2x2 t2 ). This gives:
where
X , L
t,c )(L )
(,c 1
,
,c (L )
1.
with
x Rn
is dened as
if
and det(DL ) =
det(L ). Using Lemma 2.2
t 2
It an be he ked that
(DL ) (L )
Z[x]/.
Let
be an (integral) ideal of
R,
i.e., a subset of
is exa tly the maximal order (i.e., the ring of integers) of the orresponding y lotomi number
Q[]
= Q[x]/ =: K ,
:
P
7 P ( 2i+1 ) for i n. For Q
any in Q[], we
i
P
2
2
dene its T2 -norm by T2 () =
|
()|
and
its
algebrai
norm
by
N
()
=
in i
in |i ()|. The
1
2/n
2
arithmeti
-geometri
inequality gives N ()
n T2 () . Also, for the spe
i
y
lotomi
elds
we are
onsidering, the polynomial norm (the norm of the
oe
ient ve
tor of when expressed
1
as an element of K ) satises kk = T2 (). We also use the fa
t for any element R, we
n
have |N ()| = det hi, where hi is the ideal of R generated by . For the sake of simpli
ity, we
eld
where
is a primitive
will try to use the polynomial terminology wherever possible (and we refer to [41, 43 for a more
mathemati
al exposition).
The following result is a
onsequen
e of Lemma 2.7.
(I),
we have
Pr
bDI,,c
Proof.
I R, c K , (0, 1), t
2 , u K
and
1+
2
k(b c) uk tkuk n
tn 2e et .
1
2
1+
t
probability
. The equality ku k = kuk and the union bound imply that all the
1 t 2e e
2
1+
magnitudes of the
oe
ients are tkuk with probability 1
nt 2e et . If that is the
1
ve tors of
bc
and of some
On the redu tion of the ring modulo q. Let q be a prime integer and Rq := R/qR = Zq [x]/.
n
Q = x + 1 with n a power of 2, the fa
torisation of modulo q is
always of the form =
ikq i , where all the i 's are irredu
ible modulo q and share the same
degree dq = n/kq . The number of fa
tors kq is a power of 2 that
an range from 2 (if q = 3 mod 8)
to n (if q = 1 mod 2n). The Chinese Remainder Theorem provides a ring isomorphism between Rq
k
and (Fq dq ) q :
a 7 a mod 1 , . . . , a mod kq .
Be
ause of the
hoi
e of
Fq
Rq
an be performed within
fa tors modulo
su h that
Rq
behave very similarly to a eld (it has very few zero divisors).
For example, this
hoi
e allows for proving statisti
al uniformity of the revised NTRU publi
key
for smaller values of
both
hoi
es of
q,
q,
and to have the se urity of the s hemes rely on weaker assumptions. For
Poly(n)
(a power of
2),
m a q -ary latti
e.
Module q-ary latti
es. We
all an m-dimensional
latti
e that
ontains qZ
P
An
R-module
we all them an
R-basis
of
M.
M=
id Rbi
K m.
If the
bi 's
K -linearly independent,
R-modules may not admit
are
R-basis (we refer the reader to [10, Ch. 1 and [14 for alternative
m
Let a Rq . We dene the following families of R-modules:
X
a := {(t1 , . . . , tm ) Rm :
ti ai = 0 mod q},
an
ompa t representations).
L(a) := {(t1 , . . . , tm ) R
: s Rq , i, ti = ai s mod q}.
q -ary
latti es.
In [55, Peikert des
ribed a signi
antly faster algorithm than the dis
rete Gaussian sampler
from [21, in the
ase of
q -ary
s1 (B)
by
n max kbi k
q -ary
e
O(nm)
-time o-line/on-line algorithm that
q -ary latti
e L Rm , with q = Poly(n), c Qmn
takes as input
an R-basis b1 , . . . , bm of a module
and = ( mn ln n) max kbi k, and returns samples from a distribution whose statisti
al distan
e
to DL,,c is negligible with respe
t to n. The
omplexity bound holds assuming pre-
omputations
(o-line) are performed using q , and b1 , . . . , bm , but not c.
Re
ently, Du
as and Nguyen [13 showed how to perform the pre-
omputations of Lemma 2.9
in expe
ted time
e
O(mn)
.
L,
(n)
L \ 0.
It an be relaxed to
times a solution to
SVP,
-SVP
by
(). If we restri
t the set of input latti
es to ideal latti
es, we obtain the problem Ideal-SVP
-Ideal-SVP), whi
h is impli
itly parameterized by a sequen
e of polynomials of growing
degrees. No algorithm is known to perform non-negligibly better for ( -)Ideal-SVP than for ( -)SVP.
It is believed that no subexponential quantum algorithm solves the
omputational variants of -SVP
or -Ideal-SVP in the worst
ase, for any that is polynomial in the dimension. The smallest
fun
tion
(resp.
-SVP
in module
q -ary
R-SIS
latti es.
Denition 2.1. The Ring Small Integer Solution problem with parameters q, m, and (R-SISq,m, )
Theorem
2.1 (Adapted from [39). Let n = 2k , = xn +1 and > 0. Let m, q > 0 su
h that q
10
a distribution in Rq , we
dene As, as the distribution obtained by sampling the pair (a, as + e) with a uniformly
hosen
in Rq and e sampled independently from . The Ring Learning With Errors problem (R-LWE) was
introdu
ed by Lyubashevsky et al. in [41 and shown hard for spe
i
error distributions
losely
and
related to Gaussians.
Rq
rather than
Rq
we have
Rq =
1
n Rq ); and the noise distributions are
dis rete.
R-LWE
(ai , bi )im
q -ary
m be the number of
R-LWE
onsists in
latti
e L(a) or around
the origin a ording to some Gaussian-like distribution and then redu ed modulo the latti e.
Variants of
R-LWE.
obtained by sampling the pair (a, as+e) with a uniformly
hosen in Rq and e sampled independently
from . When q = (n), the probability for a uniform element of Rq of being invertible is nonnegligible, and thus R-LWE remains hard even when As, and U (Rq Rq ) are respe
tively repla
ed
R-LWE
HNF . We use A to solve R-LWE . The prin
iple is to transform samples ((ai , bi ))i into sam1
1
ples ((a1 ai , bi a1 b1 ai ))i , where inversion is performed in Rq . This transformation maps As,
noise distribution is proven hard in [42. However, we hose not to use this simpler variant in this
the underlying hardness assumption and the ost of sampling noise ve tors.
It is somewhat
tedious to dene, but for the present work, the important fa ts to be remembered are that the
11
Rn
R-LWE
1),
a matrix transformation to the latter Gaussians. We dene a sample from as a sample from ,
1 1
1
multiplied rst (from the right) by
Idn/2 Cnn , and se
ond by V Cnn with
2
i i
1
(2j+1)k
of independent Gaussians
of the upper half. These matrix multipli ations an be performed using omplex dis rete Fourier
O(n ln n)
Moreover, they are numeri ally extremely stable: If all operations are performed with a numeri al
p = (ln n) bits, then the
omputed output ve
tor f l(y) satises kf l(y) yk
C(ln n)2p kyk, where C is some absolute
onstant and y is the ve
tor that would be obtained with
exa
t
omputations. We refer to [23, Ch. 24 for details. We now dene a sample from as follows:
2
2
Compute a sample from with absolute error < 1/n ; if it is within distan
e 1/n of the middle
pre
ision of
of two onse utive integers, then restart; otherwise, round it to a losest integer and then redu e it
q 1 + nxi with the xi 's sampled independently from the distribution (2, 1) for i n/2. The
distribution (2, 1) has density x exp(x) for x 0 and zero for x < 0.
Apart from a s
aling fa
tor and the
hoi
e of the polynomial representation, our R-LWE variant
diers from that of [41 in that we round to R using a reje
tion. The R-LWE problem remains hard
modulo
be
ause a sample passes the reje
tion step with non-negligible probability, and be
ause rounding
an be performed on the ora
le samples obliviously to the a
tual error.
an be performed
e , and the run-time
O(n)
Sampling from
in expe
ted time
in time
e .
O(n)
Sampling from
an also be performed
< 1. Furthermore, in our
ryptographi
appli
ations, one
ould pre-
ompute su
h samples
M to be pro
essed is known).
(1) , any
Finally, by taking r = 1 in the result below, we obtain that with probability 1 n
a bound given in Lemma 6 of the Euro
rypt pro
eedings paper presenting an earlier version of our
results, that exploits the narrower
(2, 1)
distribution of the
xi 's.
in [64, Le. 6.
Lemma 2.10. Let y, r R, with r xed and y sampled from , with q n1/4 . Then
h
i
Proof.
We dene
exa tly as
to
Be ause of the
p
instead of .
be sampled from
. The
involved
satises
12
1 1
1
In order to obtain the
oe
ients of yr , it su
es to apply the matri
es
Idn/2
2
i i
Cnn and V to the row ve
tor of the Gaussian samples. The magnitude of ea
h entry of the
matrix produ
t being
O(1/n),
yr
qn3/4 ( ln n)
qn1/4 ( ln n) krk with probability 1 n(1) . To
omplete the proof, observe that all
1/4 (ln n) krk with probability 1 n(1) . The additional rounding
the
oordinates are qn
error O( n) only hanges the hidden onstant fa tor in the (ln n) fa tor, thanks to the ondi1/4 .
tion q n
and
su
e, but we do not know how to a
hieve it based on standard latti
e assumptions.) For this
purpose, we sample
and
nc q 1/2
hoose
D ,
c.
uniformly and independently in Rq and the ti 's are independently sampled from D . We need an
unusually small bound on the statisti
al distan
e , be
ause we eventually sum this bound over |Rq |
to obtain the uniformity of the publi
key h. A similar strong regularity was independently used by
The proof that the ratio
to uniform when
Agrawal et al. in [2, Th. 3 in the
ontext of (non-stru
tured) SIS/LWE for proving the se
urity of
an identity-based en
ryption s
heme.
ti 's is not a
Zn minus the union of the
hq, i i of R. (Re
all that the i 's
Another unusual fa
et of our regularity bound is the fa
t that the support of the
latti
e. We
ir
umvent this di
ulty by writing the support as the latti
e
latti es
t 7
ti ai mod q .
P
t
made of the
Gaussian distribution, uniformity modulo the kernel follows by studying the smoothing parameter
of the kernel latti
e and using Lemma 2.4. The latter is the purpose of Subse
tion 3.1.
13
The bounds in this se
tion improve and generalize the results presented in [64. In parti
ular,
they show that, for a given desired
loseness to uniformity of
for f, g by a fa
tor
n, versus the
ase kq = n studied
h = g/f ,
using a modulus
su h that
in [64.
and
L(a)
and
iS
Q
LS as the latti
e
orresponding to the ideal q, iS i of R. More
have LS = {x R : (x mod q) IS }.
m
For a Rq and S {1, . . . , kq }, we dene the following families of R-modules:
We also dene
a (IS ) :=
L(a, IS ) :=
(t1 , . . . , tm ) R
(t1 , . . . , tm ) R
: i, (ti mod q) IS
and
X
i
expli itly, we
ti ai = 0 mod q ,
: s Rq , i, (ti mod q) = ai s mod IS ,
Cartesian produ
t of m
opies of LS . Also, if S = (resp. S = {1, . . . , n}), then we have a (IS ) = a
(resp. L(a, IS ) = L(a)).
We now des
ribe an automorphism of R that will help us exhibit the duality between the modules
1 = xn1 . Therefore, mapping a(x) R to a (x) = a(x1 ) R
above. In the ring R, we have x
provides ring automorphism. This map indu
es a bije
tion from the set of fa
tors i to itself. It has
the following useful matrix interpretation: If we let A denote the n n matrix having as its i-th
i
row the
oe
ient ve
tor of x a(x) for i = 0, . . . , n 1, then a (x) has
oe
ient ve
tor the rst
Q
Q
is an arbitrary subset of
latti es):
Proof.
1
(I ) = L(a , I ).
a\
S
S
q
1
\
S ). Let (t1 , . . . , tm )
q L(a , IS ) a (IP
j
j
j<n ti,j x and ui =
j<n ui,j x for any
L(a ,P
IS ).
ti =
that
im,jn
P ti,j ui,j= 0 mod q . This is equivalent to showing that the
onstant
oe
ient of the
polynomial
im ti ui is 0 modulo q . It thus su
es to show that ht, u i = 0 mod q . By denition
Write
14
of the
ui 's,
there exists
q:
following, modulo
s Rq
(ui mod q) = ai s + bi
su h that
for some
bi IS .
We have the
and bi
a (Rq )m ,
the latti e
L(a, IS )
is extremely unlikely
to ontain unusually short ve tors for the innity norm, i.e., mu h shorter than the Minkowski upper
(1
) |S|
(m1)|S|dq
det(L(a, IS )) mn = q m kq on
1 (L(a, IS )). (We have det(L(a, IS )) = q
|S|d
+m(n|S|d
)
mn
q
q
there are q
points of L(a, IS ) in the
ube [0, q 1]
.) We provide two lower
bound
be
ause
bounds.
The rst lower bound is useful for all parameter settings and mat hes the Minkowski upper bound
1
up to a fa
tor
ase
|S| = kq
> 0.
q kq ,
n in the
ase kq = O(1) (whi
h was not treated in [64). Even in the
ase
kq = n, the rst bound improves on the bound given in [64, by using a point
ounting bound based
on the minima of the ideals of Rq .
bound by a fa
tor
Lemma 3.2. Let n 8 be a power of 2 and q 5. Assume that = xn + 1 splits into kq distin
t
irredu
ible fa
tors modulo q , ea
h of degree dq = n/kq . Then, for m 2 and > 0, we have
1 (L(a, IS ))
q
n
1 |S|
(1 m
) k
q
1
1 m
kq
ex
ept with probability 24mn q mn over the uniformly random
hoi
e of a in (Rq )m .
Proof.
k
(resp. (F dq ) q ) via the isomorphism
q
generator of IS .
Rq
t 7 (t mod i )ikq .
(resp.
Let
ve tor
of innity norm
su h that ti
0k|S|
S S s Rq /IS
t (Rq )m
|S | = k
S |s
i, 0 < kti k < B
i, S |ti
m(k|S|)
.
q dq 1
|S | = k, let N (B, k) denote the number of t Rq su h that ktk < B and t = S t for
some t Rq of degree < n kdq = n(1 k/kq ). We onsider two upper bounds for N (B, k), from
n
sidelength is dened by C() = {v R : kvk < /2}. Let := 1 (IS + qZ ). If we
enter a
n
hyper
ube C() of sidelength on ea
h of the N (B, k) points of IS + qZ in C(2B), the resulting
N (B, k) hyper
ubes do not interse
t, and yet are all
ontained within the enlarged hyper
ube
n
C(2B + ). It follows that N (B, k) vol(C(2B+))
= ( 2B
+ 1) . To derive a lower bound on , note
vol(C())
kd
that for any t IS , we have N (t) = N (hti) N (hS , qi) = q q , where the inequality is be
ause
the ideal hti is a sub-ideal of hS , qi, and the last equality is be
ause deg S = kdq . It follows
1
1/n q k/kq . By equivalen
e of
from the arithmeti
-geometri
inequality that ktk = T2 (t) N (t)
n
As our rst bound for
ktk
as laimed.
sin e the degree of S is kdq , the ve tor t formed by the n kdq low-order oe ients of t = S t is
related to the ve
tor t formed by the n kdq low-order
oe
ients of t by a lower triangular (n
kdq ) (n kdq ) matrix whose diagonal
oe
ients are equal to the non-zero
onstant
oe
ient
of S . Hen
e this matrix is non-singular modulo q and the mapping from t to t is one-to-one. This
N (B, k),
we laim that
is
p 2(m+1)|S| max
0k|S|
N (B, k)
with
p 2(m+1)(|S|+2n)
B=
N (B, k)m
q (m1)(|S|k)dq
1 q , we get
n
n m( kk )(m1) |S|k
k
max q
0k<kq
k, the exponent in the right hand side is maximized for k = 0. It then has
1 |S|
mn, when = (1 m
) kq . This gives the rst
laimed bound on
1 (L(a, IS )).
In the
ase |S| = kq , using our se
ond bound on N (B, k) with B = q , and noting that
N (B, kq ) = 0, we get
Viewed as a fun
tion of
the value
(m+1)(|S|+2n)
p 2
max q
n((1)m1)
k
kq
0k<kq
16
1
= 2(m+1)(|S|+2n) q
kn ((1)m1)
q
1
m . Using
bound on
(a (I
= 1
g/f
with
1
m
kq
S )). As in Lemma 3.2, we give two bounds, although in this ase our appli ation
Lemma 3.3. Let n 8 be a power of 2 and q 5. Assume that = xn + 1 splits into kq distin
t
irredu
ible fa
tors modulo q , ea
h of degree dq = n/kq . Then, for m 2 and > 0, we have
1 (a (IS ))
qm
n
|S|
q
1
+(1 m
) k
1
kq
m
ex
ept with probability 24n q mn over the uniformly random
hoi
e of a in (Rq )m .
Proof. We pro
eed analogously to the proof of Lemma 3.2.
p denote the probability (over a) that L(a (IS ))
ontains a non-zero ve
tor t of innity
norm < B . We bound p from above by using the union bound, summing the probabilities p(t) =
P
Pra [ im ai ti = 0 mod q] over all possible values for t of innity norm
Q < B and ti IS for
i = 1, . . . , m. By the Chinese Remainder Theorem, we have p(t) = jkq pj (t), where pj (t) =
P
Q
Q
Pr
S = gcd(t
P 1 , . . . , tm , S ) =
Q a [ im ai ti = 0 mod j ]. Let S = iS i, S = iS i and
for
some
S
S
of
ardinality
0
|
S|
.
For
any
j
SS
,
we
have
i
iS
im ti ai = 0modj
\S , there exists i m su
h that ti 6= 0 mod j so
regardless of the value of ai mod j . For any j S
P
that for any
hoi
e of {aj }j6=i , there is a unique value of ai mod j su
h that
im ti ai = 0 mod j ;
1
1
It follows that pj (t) = dq
. As a
onsequen
e, we have p(t) =
,
and:
q 1
(q dq 1)|S|k
Let
For
|S | = k,
t Rq
The rst
S S
0k|S|
t (Rq )m
(q dq
1
.
1)|S|k
two upper bounds for N (B, k), from whi
h we get the
laimed bounds on 1 (L(a, IS )).
1
upper bound, with B = q , shows that N (B, k) = 0 for k kq |S|, while
n
with
S S t for some
we derive
let
of degree
N (B, k) 22n q ((|S|+k)/kq )n for k < kq |S|. The se
ond bound is N (B, k) (2B)n(1(|S|+k)/kq ) .
1
The rst bound on N (B, k) with B = q , leads to
n
2|S|+2n
p2
max q
|S|+k
|S|k
n m( k ) k
q
mn,
In the ase
0,
we get
when
0k<kq
is maximized for
k = 0.
It then has
|S| = 0, using our se ond bound on N (B, k) with B = q , and noting that N (B, kq ) =
p 22|S|+n max q
n(1m) kk 1
q
0k<kq
1
m . Using
17
= 22|S|+n q
1
m
kq
n(1m) 1 k1
q
(a1 , . . . , am ,
im ti ai ), where the
(Rq )m Rq of
(m + 1)-tuples
from
to [44, we all the distan e of the latter distribution to the uniform distribution on
regularity
(ti )im 7
(Rq )m Rq
the
for small m. To
ir
umvent this problem, we restri
t the ai 's to be uniform in Rq , and we
hoose
the ti 's from a dis
rete Gaussian distribution. We show a regularity bound exponentially small in n
even for m = O(1), by using an argument similar to that used in [21, Se. 5.1 for unstru
tured
of the generalized knapsa
k fun
tion
smoothing parameter
q.
1
1
1/))/ min( n q m + , q m +kq ). Then for all ex
ept a fra
tion 24mn q mn of a (Rq )m , we
p
1
1
+ m
+kq
)
m
have
(a
ln(2mn(1
+
1/))/
min(
n
q
,
q
), and the distan
e to uniformity
P
of im ti ai is 2. As a
onsequen
e:
"
#
X
m
a1 , . . . , am ,
ti ai ; U (Rq ) Rq
2 + 24mn q mn .
im
Proof.
from
Zmn , .
a (Rq )m ,
let
a 2,
Da .
t 7
24mn q mn
of
a (Rq )m .
Zmn /a
to its
distan e to uniformity of t mod a . In the following, sin e it is needed for our analysis
Da
ti ai where t is sampled
imP
1
Note that the above statisti
al distan
e is exa
tly
m a , where a
m
a(R
q )
|R
q |
For ea h
of the NTRU key generation algorithm (see Theorem 3.2 in Se
tion 3.3) we a
tually study the
distan
e to uniformity of
if
t mod a (IS )
for any
from above, we apply Lemma 2.1, whi
h redu
es the task to bounding the minimum of the dual
latti
e from below. By Lemma 3.1, the latter latti
e is
18
(I ) =
a\
S
1
q
is
a), and the latter task has been addressed by Lemma 3.2. Hen e,
we obtain the following result as a dire t onsequen e of Lemmata 2.1, 2.4, 3.1 and 3.2.
modulo
with
q
for any 0 |S| kq
p
1
+kq
m
ln(2mn(1 + 1/))/ q
for |S| = 0.
h
i
t mod a (IS ); U (R/a (IS )) 2.
S=
and
c = 0.
q -ary
algorithms for the NTRU s hemes, where the generated publi keys follow distributions for whi h
Ideal-SVP
is known to redu e to
R-LWE
and
R-SIS.
NTRUEn
rypt is given
and
are generated by using the Gentry et al. sampler of dis rete Gaussians (see Lemma 2.6),
and by reje ting so that the output polynomials are invertible modulo
q.
may not exa
tly sample from dis
rete Gaussians, but sin
e the statisti
al distan
e
an be made
negligible, the impa
t on our results is also negligible. Furthermore, it
an be
he
ked that our
onditions on standard deviations are mu
h stronger than the one in Lemma 2.6. From now on, we
will assume we have a perfe
t dis
rete Gaussian sampler.
Inputs: n, q Z, p Rq , > 0.
Output: A key pair (sk, pk) R Rq .
Proof.
p f + a
I := hq, k i
belongs to
by
q n/kq + 2,
for
k kq . The result then follows from the Chinese Remainder Theorem and the union bound.
n/k
q
f = a/p mod I ) with probability q
+ 2, as required.
any
We have
As a
onsequen
e of the above bound on the reje
tion probability, we have the following result,
whi
h ensures that the generated se
ret key is small.
Lemma 3.6. Let n 8be a power of 2 su h that = xn +1 splits into kq irredu ible fa tors modulo
prime q 8n. Let n ln n q 1/kq . The se
ret key polynomials f, g returned by the algorithm of
Fig. 1 satisfy, with probability 1 2n+3 :
and kgk n.
kf k 2nkpk
The probability under s ope is lower than the probability of the same event without reje tion,
divided by the a
eptan
e probability. The result follows by
ombining Lemmata 2.3 and 3.5.
In the algorithm of Fig. 1, the polynomials
Gaussian distribution
Zn ,
and
Rq p1
+ z.
and
Rq ,
Here we apply the result of Se
tion 3.2 to show that the statisti
al
loseness to uniformity of
a quotient of two distributions
)
(z + p D,y
for
z Rq
and
fa
tor
n versus the rst bound.
the
ase of
y1 + p D,z
1
y2 + p D,z
2
Proof.
mod q ; U Rq
210n q
kq
n
kq
210n q n
if n ln(8nq) q 2 +
kq
p
1+kq
if n ln(8nq) q 2 and q n 12kq .
1
for i
P ra = Prf1 ,f2 [(y1 + pf1 )/(y2 + pf2 ) = a], where fi D,z
i
k /k
1
2n+5
n
q
q
{1, 2}. We are to show that |P ra |Rq | | 2
q
|Rq | =: (resp. 26n+4 q n
|Rq |1 ). This dire
tly gives the
laimed bounds. The fra
tion of a Rq su
h that |P ra |Rq |1 |
is equal to the fra
tion of a = (a1 , a2 ) (Rq )2 su
h that |P ra |Rq |1 | , where P ra =
Prf1 ,f2 [a1 f1 + a2 f2 = a1 z1 + a2 z2 ]. This is be
ause a1 f1 + a2 f2 = a1 z1 + a2 z2 is equivalent to (y1 +
pf1 )/(y2 + pf2 ) = a2 /a1 (in Rq ), and a2 /a1 is uniformly random in Rq when a U ((Rq )2 ).
For
a Rq ,
fa tors
we dene
20
We observe that
solutions
P ra =
n
n
n
S{1,...,n},S6= a (IS ). Similarly, we have Rq + qZ = Z \ S{1,...,n},S6= (IS + qZ ). Using the
For any
t a
DZ2n , (z + a )
.
DZn , (z1 + Rq + qZn ) DZn , (z2 + Rq + qZn )
we have
DZ2n , (z + a ) =
(1)
(2)
S{1,...,n}
S{1,...,n}
In the rest of the proof, we show that, ex ept for a fra tion
29n q n
of
a (Rq )2 :
DZ2n , (z + a ) = (1 + 0 )|Rq |q 2n ,
where
Handling (1).
DZ2n , (z + a (IS )) =
z Z2n ,
for
i {0, 1, 2}.
The bounds on
|P ra
S {1, . . . , kq }):
(z + a (IS ))
(z + a (IS ))
=
= DZ2n ,,z (a (IS )).
(Z2n )
(z + Z2n )
|S| kq , we apply
the rst bound of Lemma 3.4 with m = 2 and = /2. The assumption of Lemma 3.4 on holds,
k /k )
n(1+
there are q
S
Z2n ,,z (a (IS ))
q n(1+|S|/kq ) | 2, for all ex
ept a fra
tion 28n q n of a (Rq )2 (possibly
orresponding to a
2
distin
t subset of (Rq ) for ea
h possible S ).
For a term of (1) with |S| > kq , we hoose S S with |S | = kq . Then we have a (IS )
a (IS ) and hen e DZ2n ,,z (a (IS )) DZ2n ,,z (a (IS )). By using with S the above result for
n(1+ kq /kq ) .
small |S|, we obtain DZ2n ,,z (a (IS )) 2 + q
9n n of a (R )2 :
Overall, we have, ex
ept possibly for a fra
tion 2 q
q
To get our rst our bound, we pro
eed as follows. For the terms of (1) with
kq
n
X
X
kq n(1+ kkqq )
k n
nk
n+1
DZ2n , (z + a )
(1)
q
+2
q
2
k
k
k=0
k=kq
2n+1 ( + q
We on lude that
|0 |
q 2n
2n+1 (
(q n/kq 1)kq
+q
n(1+
21
kq
)
kq
n(1+
kq
)
kq
22n+2 q
).
kq
n
kq
, as required.
For our se ond bound, we argue as follows. For the term of (1) with
bound in Lemma 3.4 with = /2. By the
hoi
e of , the Lemma 3.4 assumption on holds,
2n
n | 2 ,
with := q
. We have |R/a (IS )| = det(a (IS )) = q and hen
e |DZ2n ,,z (a (IS ))q
8n n of a (R )2 .
for all ex
ept a fra
tion 2 q
q
For the terms of (1) with |S| 1, unlike the argument above, we annot hoose for |S| = 1 an IS
(1+)n : su
h an ideal I does not exist, as the only possible
hoi
e for
with S S and det a (IS ) q
S
S is the empty set, whi h gives det a (IS ) = q n , and the latter is too small. Instead, we pro eed as
1 1/2+ /2
2n
follows. Let L = N Z , where N = q
. Note that det L = N 2n 24n q (1+ )n , and sin
e
4
p
bound, we now show that, for |S| 1, we have DZ2n , (z + a (IS )) DZ2n , (L ). For this, we use
2n L to map z + a (I ) onto a subset of L su
h that the following two
a rounding pro
ess : Z
S
properties hold:
1. The map
2. For ea
h
is one-to-one on z + a (IS ),
v Z2n , we have k(v)k kvk.
multiple of N whi
h is less than or equal to |vi | in absolute value, i.e., (v) = (v1 , . . . , v2n ) with
|vi |
vi = N N sign(vi ). Sin
e |vi | |vi |, property 2 of is
learly satised. To show property 1, note
2n
that k(v) vk < N for all v in Z . Suppose towards a
ontradi
tion that is not one-to-one on
1/2+ /2 .
inequality then gives that v 1 v 2 is a non-zero ve
tor of a (IS ) with kv 1 v 2 k < 2N q
However, by the rst bound of Lemma 3.3 with m = 2, |S| = 1, and = /2, we have 1 (a (IS ))
Sin e
1 q 2 2kq
n
24n q n
of
a (Rq )2 .
By the ondition on
q,
this gives a
4n n of a (R )2 . We
on
lude that
ontradi
tion, so has property 1, ex
ept for a fra
tion 2 q
q
q 2n
rst bound, we obtain our se
ond bound |0 |
25n+1 q (1+ )n 26n+1 q n .
(q n/kq 1)kq
Handling (2).
and
2 ,
i {1, 2}.
The
zi
of the ideal latti
e LS = IS + qZ . For this, we rst observe that LS = a (IS ) in the spe
ial
ase
Q
m = 1 and a1 (x) = iS i (x), where S denotes the
omplement of S . Therefore, by Lemma 3.1,
cS = 1 L(a , I ) = 1 L is also a (s
aled) ideal latti
e, for some S {1, . . . , kq }
the dual latti
e L
1 S
q
q S
| = |S|
, where we have used the fa
t that the mapping sending a1 (x) = Q i (x) to
with |S
iS
a1 (x) indu es a bije tion on the fa tors i (x). Sin e det LS = q n|S|/kq , we have by Minkowski's
that (IS + qZ )
ln(2n(1 + 1/))/ 1 (LS ) n ln(4nq)q |S|/kq , for := q n/2 ,
q
assuming |S| kq /2. Hen
e, for a term of (2) with |S| kq /2, by Lemma 2.4, we have |DZn ,,zi (IS +
qZn ) q n|S|/kq | 2.
term
an be handled like the
22
S S with |S | = kq /2 kq /3 for kq 2. By
n
n
using with S the above result for small |S|, we obtain DZn ,,zi (IS + qZ ) DZn ,,zi (IS + qZ )
n/3
2 + q
.
For a term of (2) with
we hoose
Overall, we have:
kq
kq
X
X
k
kq n/3
q
k
k
n+1
DZn , (zi + R + qZn )
(1)
+2
2n+1 ( + q n/3 ),
q 2
q
q
k
k
k=0
k=kq /2
i .
rings R and Rq . The parameter p Rq denes the plaintext message spa
e as P = R/pR. It must
be a polynomial with `small'
oe
ients with respe
t to q , but at the same time we require N (p) =
|P| = 2(n) so that many bits
an be en
oded at on
e. Typi
al
hoi
es as used in the original
NTRUEn
rypt s
heme are p = 3 and p = x + 2, but in our
ase, sin
e q is prime,P
we may also
i
i
hoose p = 2. By redu
ing modulo the px 's, we
an write any element of P as
0i<n i x p,
n
with i (1/2, 1/2]. Using the fa
t that R = Z[x]/(x + 1), we
an thus assume that any element
p
1
of P is an element of R with innity norm
deg(p) + 1kpk. The parameter is the R-LWE noise
2
distribution parameter. Finally, the parameter is the standard deviation of the dis
rete Gaussian
distribution used in the key generation pro ess (see Se tion 3.3).
Key generation. Use the algorithm of Fig. 1 and return sk = f Rq with f = 1 mod p, and pk = h = pg/f
Rq .
En
ryption. Given message M P , set s, e and return
iphertext C = hs + pe + M Rq .
De
ryption. Given
iphertext C and se
ret key f ,
ompute C = f C Rq and return C mod p.
Lemma 3.7. If deg p 1 (n0.25 ln n)kpk2 < 1, and q n0.75 , then the de ryption algorithm
2
norms 4 nkpk if deg p 1. This implies that kpf k, kpgk 8 nkpk , with probability
1 2n+3 . From Lemma 2.10, both pf s and pge have innity norms 8qn0.25 (ln n) kpk2 with
(1) . Independently, we have:
probability 1 n
23
Sin e
q n0.75 ,
we on lude that
with probability
The se
urity of the s
heme follows by a elementary redu
tion from the de
isional
exploiting the uniformity of the publi
key in
Rq
1 n(1) .
R-LWE
HNF ,
of p in Rq .
prime q 5. Let (0, 1/3), > 0, p Rq and n ln(8nq) q 2 + . If there exists an IND-CPA
atta
k against NTRUEn
rypt that runs in time T and has su
ess probability 1/2+ , then there exists
an algorithm solving R-LWEHNF with parameters q and that runs in time T = T + O(n) and has
su
ess probability = q (n) .
Proof.
Let A denote the given IND-CPA atta k algorithm. We onstru t an algorithm B against
R-LWE
HNF that runs as follows, given ora
le O that samples from either U (Rq Rq ) or As, for some
The h used by B is uniformly random in Rq , and therefore so is the publi
key h given to A,
thanks to the invertibility of p modulo q . Thus, by Theorem 3.2, the publi
key given to A is
(n) of the publi
key distribution in the genuine atta
k. Moreover,
within statisti
al distan
e q
sin e C = h s + e with s, e sampled from , the iphertext C given to A has exa tly the right
distribution as in the IND-CPA atta
k. Overall, if O outputs samples from As, , then A su
eeds
(n) .
and B returns 1 with probability 1/2 + q
On the other hand, if ora le O outputs samples from U (Rq Rq ), then, sin e p Rq , the value
of p C and hen e C , is uniformly random in Rq and independent of b. It follows that in this ase,
algorithm B outputs 1 with probability 1/2. The
laimed advantage of B now follows.
By
ombining Lemmata 3.7 and 3.8 with Theorem 2.2 we obtain our main result.
prime q = Poly(n) su
h that q 2 p= (n2.25 ln2 n)kpk2 , with = (1/n) and < 1/3 and p
1
Rq with deg(p) 1. Let = n ln(8nq) q 2 + and 1 = (n0.25 ln n)kpk2 . If there exists
an IND-CPA atta
k against NTRUEn
rypt whi
h runs in time Poly(n) and has su
ess probability
1/2 + 1/Poly(n), then there exists a Poly(n)-time quantum algorithm for -Ideal-SVP with =
1
(n2.75 ln2.5 n)kpk2 q 2 + . Moreover, the de
ryption algorithm su
eeds with probability 1 n(1) .
e 4.5 ), and the
= 1/(ln n), the smallest q for whi
h the analysis holds is (n
e 5 ). Finally, we observe that our proof
an be readily adapted
smallest that
an be obtained is O(n
to oer se
urity against sub-exponential atta
kers, under the assumption that Ideal-SVP
annot be
solved in quantum sub-exponential time for some polynomial approximation fa
tor .
Overall, by
hoosing
24
deterioration fa tor
1
1p in the expe
ted key generation time, and also to the se
urity redu
tion
1p
g/f
when
(f, g)
is sampled
1 p, are
not rigorously analyzed. Here, we rigourously bound the
oprimality probability 1 p when f and g
are independently sampled from a dis
rete Gaussian distribution DZn , over R. Our argument
is based on a generalization of the
lassi
al analysis of the probability 1 p that two random
Q
2
1
integers are
oprime, whi
h gives the asymptoti
value 1 p =
q (1 1/q ) = (2) , where
Q
2
(2) = q 1q1 2 = 6 is Riemann's zeta fun
tion evaluated at 2, and the produ
ts run over all
prime integers q . Our generalization of this analysis to the ring R leads us to study the value of K (2),
Q
1
n
where K (2) =
J 1N (J)2 is the Dedekind zeta fun
tion for K = Q[x]/(x + 1), evaluated at 2,
n
and the produ
t now runs over all prime ideals J of R = Z[x]/(x + 1). We show that K (2) = O(1)
1
and, using some additional results on K , that 1 p
2K (2) o(1), so the a
eptan
e probability
1 p is in fa
t lower bounded by a
onstant.
In [25, 26, the key generation algorithm, and in parti
ular, the
oprimality probability
As a further improvement on the key generation algorithm in [25, 26, we apply Babai's nearest
a
n fa
tor in the norm of (F, G).
25
Lemma
4.1. Let
Pr
bDI,
Proof.
kb
i 1 + n2e
t
.
k p
1
t
n/2
(b(i) )in (resp. (b(i) )in ) be the
omplex embeddings of b (resp. b1 ). We have b(i) =
(b(i) )1 , for P
all i. We rst show that it is unlikely that b has a small embedding. Wlog we
onP
(1)
sider b
= j bj j (where the bj 's are the
oe
ients of the polynomial b). We let Re2 = j ( j )2
P
2
j 2
and Im =
j ( ) . By applying Lemma 2.7 twi
e, we obtain:
Let
Re
Im
1 + 2e
(1)
max Pr |b |
, Pr |b |
.
t
t
1 t
p
Re2 + Im2 = n, whi
h implies that max(Re, Im) n/2. Therefore:
"
#
p
n/2
1 + 2e
(1)
.
Pr |b |
t
1 t
We have
(1)
maxi |b(i) | t
Pr[i : |b(i) |
n/2
n/2
]
t
n 2e
1+
. The latter event is
1
t
1
kb k maxi |b(i) | allows us to
Dedekind Zeta fun
tion. We now review some fa
ts about the Dedekind zeta fun
tion (see, e.g.,
[51, Ch. VII). The Mbius fun
tion for ring
Qr
R is a fun tion
R to {1, 0, 1} and is
I 6= 0 stri
tly
positive integer for i r ;
ei
i=1 (Ji ) denote the unique prime ideal fa
torization of
I=
R, where the Ji 's are distin
t prime ideals in R and ei is a
r
Then (I) = 0 if there exists i with ei 2, (I) = (1) if ei = 1 for all i. We extend the denition
to I = R by setting (R) = 1. The Dedekind zeta fun
tion of the ring R of integers of K is the
fun
tion K : R R dened by
X
K (s) =
N (I)s ,
dened as follows: Let
ontained in
IR
K (s)1 =
prime JR
where the produ
t is over all
prime
ideals of
R.
The series
and:
IR
R and
integral
ideals of
R.
Proof.
R = Z[x]/. For a prime integer p, we let K (p) denote the number of prime ideals
ontained in R having norm a power of p, i.e., dividing the prin
ipal ideal hpi R. We re
all that
n
by Dedekind's theorem, K (p) is the number of distin
t irredu
ible fa
tors of = x + 1 over Zp ,
Let
26
K (p) min(n, p). Also, sin
e K is a normal extension of Q with K a power of 2, all the prime
n/K (p) (see, e.g., [50, Ch. 4). Using this, we have, for s > 1:
ideals above p > 2 have identi
al norm p
Y
Y
K (s) =
(1 N (J)s )1
so
2s
2s 1
prime p>2
2s
2s 1
prime p, 2<pn
(1 psn/p )p
(1 ps )n .
prime p>n
K (2)
4
3
(1 p4 )p
prime p, n/2<pn
4
exp
3
O(1).
(p3 + p7 ) +
prime p, 2<pn
We have:
ln(1 x) x x2 ,
X
Similarly, we have
bound
pn p
1/6,
p>n p
for
n
1
c.
prime p, n/2<pn
ln n
ln
+O
ln(n/2)
K (1 + ) 2
s = 1 + .
1
ln n
2 exp
n1
and
(p
px
(1+) n
+1
p
K (1 + ).
+O
1
ln n
=O
1
ln n
prime p>n
+p
2(1+) n
+1
p
)+n
(p
(1+)
prime p>n
+p
2(1+)
) .
prime 2<pn
(1 p(1+) )n
4 n3 /3. It remains to
p>n p
1
p = ln ln x + c + O(1/ ln x), for
ln 2
= ln 1 +
ln(n/2)
prime p, 2<pn
bounded as:
prime p>n
x3 dx 1/2.
(1 p(1+)n/p )p
(p2 + p4 ) ,
We have:
prime p, 2<pn
t > 0.
(1 p2 )n
p1 + n
x [0, 1/3].
1
n/2<pn p . It is proved in [68, Th. 9, p. 16 that
some onstant
prime p>n
prime p, n/2<pn
prime pn
(1 p2 )p
prime p, 2<pn/2
2
27
p>n p
(1+)
21 n .This
In our study of the Dedekind zeta fun tion, we use the following bound.
Proof.
k 1,P
let M (k) denote the number of ideals of Rn of norm exa
tly k . Note that for s > 1,
P
P
P
s =
s
s . Using
s
(s)
=
N
(I)
M
(k)
k
M
(k)
k
K
IR
k1
kN
kN M (k) k
P
s = H(N )N s , we obtain that H(N ) (s)N s . Setting s = 1+ and applying
K
kN M (k)N
Lemma 4.2
ompletes the proof.
For
we have
The value
Q (2) = 2 /6
integers are o-prime. The next lemma onsiders the generalization of that fa t to
Kn .
Lemma 4.4. Assume that 7n1.5 ln1.5 n.Then, for n a su
iently large power of 2:
Pr
f,gDR,
Proof.
[hf, gi =
6 R] 1
1
+ 2n+1 .
2K (2)
Pr[hf, gi =
6 R] Pr[hf, gi =
6 R kf k, kgk
n] + Pr[kf k >
n+1
or
kgk >
n]
.
Pr[hf, gi =
6 R kf k, kgk n] + 2
We bound Pr[hf, gi =
6 R kf k, kgk n] by using an argument adapted from [63. Sin
e
any ideal I
ontaining the prin
ipal ideal hf i has norm N (I) N (hf i), the
ondition kf k
n
n
implies N (I) N (hf i) ( n) . Thus, we have Pr[hf, gi =
6 R kf k, kgk n] 1 p, with:
[
X
p := DZT2n , Z2n \
I I =
(I) DZTn , (I)2 ,
prime I R
N (I) ( n)n
I
R
N (I) ( n)n
T
n
R), and D,Z
denotes
the
trun
ation
of
D
to
the
ball
B
(
n) of radius n , i.e.
n
,Z
n
P
T
T
1 =
D,Z
n) and D,Z
(I)
n (x) = D,Zn (x) if x Bn (
n (x) = 0 otherwise.Re
all that K (2)
2
1
(2K (2))1 .
N (I) , where the sum is over all ideals I R.We now show that p K (2)
1
, as required. We have:
This implies p (2K (2))
X
X
p K (2)1
DZTn , (I)2 N (I)2 +
N (I)2 .
where in the se
ond equality, we used the in
lusion-ex
lusion prin
iple (and
for ring
I
R
N (I) ( n)n
I
R
N (I) > ( n)n
I , we have n (I) =
1/n
1 (I) nN (I) , so. for
p any (0, 1/2), the smoothing parameter (I) is no greater than
1/n , where B =
B
N
(I)
n ln(2n(1 + 1/))/ (by Lemma 2.1). It follows from Lemma 2.2 that
DZn , (I)2 N (I)2 18/N (I)2 if N (I) (/B )n and I R. We have |DZn , (I)D Tn (I)| =
Z ,
DZn , (I \ Bn ( n)) = DI, (I \ Bn ( n)) DZn , (I) 2n+2 DZn , (I), where in the last inequality
T
2
2 (18 + 2n+5 )/N (I)2 for I R
we applied Lemma 2.3. We
on
lude that DZn , (I) N (I)
To bound the rst sum, we re
all that for any (even fra
tional) ideal
of norm
(/B )n .
and let
k =
N (I)1/n
. Sin
e
/B
1
k
Now:
I,
we have
DZTn ,
DZn ,
1
I
k
k,
( k1 I Zn )
( k1 I)
=
(Zn )
(Zn )
n
N (I) ( 2B
) . Therefore,
1
and =
, we obtain:
160K (2)2
we have
I
R
N (I) ( n)n
2B
2n 1+ 2
DZTn , (I)2 ( 2B
) ( 1 ) . Finally,
T
DZn , (I)2 N (I)2
n
(Zn )
1
kn
( k1 I) = k1 (I) .
we have
1+
,
1
and
assuming
det( k1 I) =
that 2B
X
T
DZn , (I)2 N (I)2 +
DZTn , (I)2 N (I)2
IR
N (I) (/B )n
n+5
(18 + 2
IR
+ 2 H(( n)n )
N (I)
I R
N (I) (/B )n
1
<
+ 2 H(( n)n )
8K (2)
2B
2n
P
2B
2n
+ o(1),
N (I)2
2 = (2). Re
all that H(N ) is the number of (integral) ideals of R of norm N .
K
IR N (I)
ln ln n
4n
1+ . Taking 7n1.5 ln1.5 n
From Lemma 4.3 with =
ln n , we know that H(N ) 2 exp( ln ln n )N
2n
2B
n
provides H (( n) )
8K1(2) , for su
iently large n, using K (2) = O(1) from Lemma 4.2.
1
4K (2) for
N (I)2 =
I
R
N (I) > ( n)n
k>( n)n
H(k) H(k 1)
=
k2
H(k)
k2
k>( n)n
k>( n)n
2 exp
H(k)
4n
ln ln n
k( n)n
H(k)
(k + 1)2
1
1
k2 (k + 1)2
X
k( n)n
2k + 1
,
+ 1)2
k1 (k
4n
(1)n ) = o(1), so the
is 2 , whi
h allows us to bound the se
ond sum by O(exp(
ln ln n ) ( n)
k
1 for su
iently large n, whi
h
ompletes the proof.
latter is (4K (2))
H(k)
NTRUSign
Se. 4 and des ribed in more details in [25, Se. 5. The ve tor
29
(f, g)
produ ed by the
NTRUEn rypt
Inputs: n, q Z, > 0.
Output: A key pair (sk, pk) R22 Rq .
1h
0q
with
R-module
h = g/f mod q . The algorithm of Fig. 3 extends (f, g) into a short module basis
NTRUEn rypt.
f g
.
F G
in Rq ,
Theorem 2.1 to prove the se
urity of the signature s
heme. In fa
t, as we will show in Subse
tion 4.3,
it su
es that the
ombined reje
tion probabilities of Steps 3, 4 and 7 is non-negligibly away from
1.
By Lemma 4.4, when no reje
tion is performed in Steps 13, the reje
tion probability of Step 4
is (assuming that
7n1.5 ln1.5 n
Pr
and that
f,gDR,
[hf, gi =
6 R] 1
2):
1
+ 2n+1 .
2K (2)
We now onsider the reje tion probability of Step 7 (without reje tion in Steps 12).
f,gDR,
n2 2 q 2 (n)
k(F, G)k >
+
hf, gi = R = o(1),
2
2
2
(F, G)
as
proje
tion
proje
tion
plane algorithm, in rounding (Fq , Gq ) (Fq , Gq ) to a
lose point in the latti
e L(f, g) dened as
n1 f, xn1 g).
the Z-span of (f, g), (xf, xg), . . . , (x
As we use Babai's nearest-plane algorithm, the ve
tor
it
30
q( n)
hf, gi = R
o(1).
n
i f, xi g)k = n k(f, g)k. By Lemma 2.3,
To bound k(ef , eg )k, note that k(ef , eg )k
max
k(x
i
2
2
NTRUSign
key generation
algorithm.
For
i {3, 4, 7},
q 64nK (2)
we let
pi
i,
i.e.:
DR,
.
hf, gi =
6 R and kf k, kgk n , with f, g DR,
.
i {3, 4, 7}, we dene pi as pi ex ept that f and g are independently sampled from DR, rather
than DR, . Let p1 be the probability of reje tion of f at Step 1. By the union bound, the probability
of reje
ting f or g at Steps 1 or 2 is 2p1 . Hen
e for i {3, 4, 7}, we have pi pi /(1 2p1 ).
The reje
tion probability p1 has already been studied in Subse
tion 3.3. Indeed, by Lemma 3.5
1
and the
hoi
e of and q , we have p1
32K (2) . Lemmata 2.1 and 2.3 and the
hoi
e of imply
n+2 . Finally, from the
hoi
e of and Lemmata 4.4 and 4.5, we have that p
that p3 2
4
1
1 2K (2) + o(1) and p7 = o(1). Re
all from Lemma 4.2 that K (2) = O(1) when n grows to innity.
1
satises
p3 + p4 + p7
p3 +p4 +p7
12p1
1
8K (2) , as required.
We on lude this se tion with a orre tness and e ien y statement for the revised
NTRUSign
Theorem 4.1. Let n be a power of 2 su h that = xn + 1 splitspinto kq {2, n} irredu ible fa tors
1h
0q
f g
FG
is an R-basis of the R
and k(F, G)k n. Finally, if n is su
iently large, the distribution of the returned h is reje
ted
with probability c < 1 for some absolute
onstant c from a distribution whose statisti
al distan
e
from U (Rq ) is 210n q n .
Proof.
The rst statement is provided by Lemma 4.6. For the se ond statement, we refer to [26,
Th. 1. The norm inequalities are obvious from the des ription of the algorithm. Finally, the last
s
heme is an e
ient instan
iation of the Gentry et al. signature [21, where e
ien
y is improved
both by using the ring stru
ture (to redu
e
omputation and storage from
e 2)
O(n
NTRU key to redu e the key length and signature to a single ring element.
to
e ),
O(n)
and the
Collision-Resistant Preimage Sampleable Fun tions. We re all that the Gentry et al. signature is built from a general ryptographi primitive introdu ed in [21 and alled
Collision-Resistant
Denition 4.1 (CRPSF). A CRPSF is spe
ied by three probabilisti
polynomial-time algorithms
(TrapGen, SampleDom, SamplePre)
1.
2.
3.
4.
5.
su h that:
sampling.
n
n is a power of 2 su
h that
1 splits into kq {2, n} irredu
ible
p =x +
1/2+
e 7/2 ) if kq =
fa
tors modulo
prime q = Poly(n), with = n ln(8nq) q
and q 1/2 = (n
p
e 3 ) if kq = 2, for some xed (0, ln n ). Let
n, or = n ln(8nq) q 1/2+ and q 1/2 = (n
ln q
e 3/2 ). Then the
onstru
tion NTRUPSF(n, q, , s) from Fig. 4 is a CRPSF se
ure against
s = (n
32
Generating a Fun
tion with Trapdoor TrapGen(1n , q, ): Run the NTRUSign key generation algorithm
f g
from Fig. 3, using n, q, as inputs. It returns an NTRU key h = g/f Rq and a trapdoor R-basis sk =
F G
for the R-module h = {(z1 , z2 ) R2: z2 = hz1 mod q}. The key h denes fun
tion fh (z1 , z2 ) = hz1 z2 Rq
with domain Dn = {z R2 : kzk s 2n} and range Rn = Rq . The trapdoor string for fh is sk.
Domain Sampling with Uniform Output SampleDom(1n , q, s): Sample z from DZ2n ,s ; if kzk > 2ns,
resample.
Preimage Sampling with Trapdoor SamplePre(sk, t): To nd a preimage in Dn for target t Rq under fh
using the trapdoor sk, note that c = (1, h t) is a preimage of t under fh (not ne
essarily in Dn ). Sample z
from Dh +c,s , using trapdoor basis sk for h and the algorithm of Lemma 2.9. Return z .
Proof.
The sets
Dn
and
Rn
DZ2n ,s .
z = (z1 , z2 )
returned by
= n(1) to
on
lude that thanks to the
hoi
e of s, ex
ept for a fra
tion 28n q 2n of (a1 , a2 )
(Rq )2 , we have (a1 z1 a2 z2 ; U (Rq )) 2 with (z1 , z2 ) DZ2n ,s . Sin
e the mapping : x 7 a1
2 x
1
is a bije
tion of Rq , we have (a1 z1 a2 z2 ; U (Rq )) = (a1 a2 z1 z2 ; U (Rq )) for ea
h a1 , a2 .
1
Moreover, sin
e h = a2 a1 is uniformly random in Rq when a1 and a2 are independently so, we get
(hz1 z2 ; U (Rq )) 2 with (z1 , z2 ) DZ2n ,s ex
ept for a fra
tion 28n q 2n of h Rq . Finally,
by Theorem 4.1, the distribution Dh of h = g/f generated by TrapGen is obtained by reje
tion
10n q n
with
onstant reje
tion probability c < 1 from a distribution within statisti
al distan
e 2
of U (Rq ). It follows that (hz1 z2 ; U (Rq )) 2 with (z1 , z2 ) DZ2n ,s ex
ept with probability
1
1c
(28n q 2n + 210n q n ) = q (n) over the
hoi
e of the publi
key h, as required.
To show Property 3 of Denition 4.1, we rst observe that, for any xed t Rq , the
onditional
s (z)
distribution of z DZ2n ,s given fh (z) = hz1 z2 = t is exa
tly F (z) =
= Dh +c,s (z),
s (h +c)
where c = (1, h t). Therefore, Property 3 follows from Lemma 2.9, the upper bound n on the
3/2 ln n ).
trapdoor basis norm from Theorem 4.1, and the
hoi
e of s = (n
To show Property 4 of Denition 4.1, note that the
onditional preimage distribution is Dh +c,s =
Dh ,s,c + c, where c = (1, h t), so it su
es to bound the min-entropy of Dh ,s,c from be
low. By Lemma 2.5, the latter min-entropy is (n) if the
ondition s 21/2 (h ) is satised.
8n n = q (n) of a (R )2 , we have
Theorem 3.1 shows that for all ex
ept a fra
tion 2 q
q
1
1
+
e
2
1/2 (a ) = O( nq
). Sin
e a = h with h = a2 a1 , it follows that for all ex
ept a fra
tion
(n)
h,
q (n)
1c
= q (n)
over
as required.
have = 1/Poly(n). We
onstru
t an algorithm A for R-SISq,2, with = 2 2ns that works as
Finally, we show Property 5 of Denition 4.1. Let
with run-time
T = Poly(n)
33
a1
2ns su
hthat
2 a1 . If A su
eeds, it outputs (z1 , z2 ) 6= (z1 , z2 ) with k(z1 , z2 )k, k(z1 , z2 )k
a1 (z1 z1 )+a2 (z2 z2 ) = 0, and then A returns w = (z1 z1 , z2 z2 ). Note that 0 < kwk 2 2ns,
2
as required. Conditioned on (a1 , a2 ) (Rq ) , the distribution of h given to A is U (Rq ) and thus
2
A su
eeds with probability . Sin
e (a1 , a2 ) (Rq ) with probability 1 2n/q = (1), it
follows that A su eeds probability (1 2n/q) = 1/Poly(n). Applying Theorem 2.1 using the
e
hoi
e of q = ( n), we obtain a Poly(n) time algorithm for -Ideal-SVP with the
laimed .
follows on input
Given the
NTRUPSF
NTRUSign
follows the Gentry et al. `Probabilisti
Full Domain Hash'
onstru
tion and is shown in Fig. 5.
Besides the
NTRUPSF
on a message
Signing Algorithm Sign(sk, M ): Choose r U ({0, 1}k ), let (1 , 2 ) := SamplePre(sk, H(r, M )). Return
(r, 1 ).
Veri
ation Algorithm Ver(h, M, (r, 1 )): Compute t = H(r, M ) and 2 = h1 t. A
ept if (1 , 2 ) Dn
and r {0, 1}k , else reje
t.
1 , r
NTRUPSF,
NTRUSign
is
shown in [21, Prop. 6.2 to follow from the se
urity of the underlying CRPSF. Combining with
Theorem 4.2, we obtain our se
ond main result.
, n, q, , s satisfy the
onditions in Theorem 4.2, and let k = (ln n). Then,
assuming the random ora
le model for H, the signature s
heme NTRUSign(n, q, , s, k) from Fig. 5
is strongly existentially unforgeable against a
hosen message atta
k with Poly(n) run-time and
1/Poly(n) su
ess probability, assuming the hardness of -Ideal-SVP against Poly(n) time algoe s).
rithms, with = O(n
Note that if
runs in quasi-linear time, then so does the veri ation algorithm. Also, if pre-
omputations are performed, then so does the signing algorithm (see [55, 13). The amortized
ost
per signed bit is then
e .
O(1)
e 6/(12) )
(n
if
kq = 2
and
observe that our proof
an be readily adapted to oer se
urity against sub-exponential atta
kers (in
the random ora
le model), under the assumption that
time for some polynomial approximation fa
tor
.
34
A knowledgements.
Regev, Igor Shparlinski, Joseph Silverman and Frederik Ver
auteren for helpful dis
ussions. We
thank Jakob Breier for pointing out an error in the
R-LWE
eedings version of this arti
le. The rst author was partly supported by the LaRedA ANR grant.
The se
ond author was supported by an Australian Resear
h Fellowship (ARF) from the Australian
Resear
h Coun
il (ARC) under Dis
overy Grant DP0987734, and partly by a Ma
quarie University
Resear
h Fellowship. Both authors were partly supported by ARC Dis
overy Grant DP110100628.
Referen
es
1. S. Agrawal, D. Boneh, and X. Boyen. E
ient latti
e (H)IBE in the standard model. In Pro
. of EUROCRYPT,
volume 6110 of LNCS, pages 553572. Springer, 2010. Full version available from the authors upon request.
2. S. Agrawal, D. Boneh, and X. Boyen. Latti
e basis delegation in xed dimension and shorter-
iphertext hierar
hi
al IBE. In Pro
. of CRYPTO, volume 6223 of LNCS, pages 98115. Springer, 2010.
3. M. Ajtai. Generating hard instan
es of latti
e problems (extended abstra
t). In Pro
. of STOC, pages 99108.
ACM, 1996.
4. S. Ala
a and K.S. Williams. Introdu
tory Algebrai
Number Theory. Cambridge University Press, 2003.
5. B. Applebaum, D. Cash, C. Peikert, and A. Sahai. Fast
ryptographi
primitives and
ir
ular-se
ure en
ryption
based on hard learning problems. In Pro
. of CRYPTO, volume 5677 of LNCS, pages 595618. Springer, 2009.
6. L. Babai. On Lovsz latti
e redu
tion and the nearest latti
e point problem. Combinatori
a, 6:113, 1986.
7. D. Boneh, . Dagdelen, M. Fis
hlin, A. Lehmann, C. S
haner, and M. Zhandry. Random ora
les in a quantum
world. In Pro
. of ASIACRYPT, pages 4169, 2011.
8. D. Cash, D. Hofheinz, E. Kiltz, and C. Peikert. Bonsai trees, or how to delegate a latti
e basis. In Pro
. of
Euro
rypt, volume 6110 of LNCS, pages 523552. Springer, 2010.
9. H. Cohen. A Course in Computational Algebrai
Number Theory, 2nd edition. Springer, 1995.
10. H. Cohen. Advan
ed topi
s in
omputational number theory. Springer, 2000.
11. D. Coppersmith and A. Shamir. Latti
e atta
ks on NTRU. In Pro
. of Euro
rypt, volume 1233 of LNCS, pages
5261. Springer, 1997.
12. L. Du
as and A. Durmus. Ring-LWE in polynomial rings. In Publi
Key Cryptography, volume 7293 of LNCS,
pages 3451. Springer, 2012.
13. L. Du
as and P. Q. Nguyen. Faster gaussian latti
e sampling using lazy oating-point arithmeti
. In Pro
. of
ASIACRYPT, volume xxxx of LNCS, pages xxxxxx. Springer, 2012.
14. C. Fieker and D. Stehl. Short bases of latti
es over number elds. In Pro
. of ANTS-IX, volume 6197 of LNCS,
pages 157173. Springer, 2010.
15. E. Fogels. On the zeros of L-fun
tions. A
ta Arith, 11:6796, 1965.
16. J. von zur Gathen and J. Gerhardt. Modern Computer Algebra, 2nd edition. Cambridge University Press, 2003.
17. C. Gentry. A fully homomorphi
en
ryption s
heme. PhD thesis, Stanford University, 2009. Manus
ript available
at http://
rypto.stanford.edu/
raig.
18. C. Gentry. Fully homomorphi
en
ryption using ideal latti
es. In Pro
. of STOC, pages 169178. ACM, 2009.
19. C. Gentry. Toward basing fully homomorphi
en
ryption on worst-
ase hardness. In Pro
. of CRYPTO, volume
6223 of LNCS, pages 116137. Springer, 2010.
20. C. Gentry, J. Jonsson, J. Stern, and M. Szydlo. Cryptanalysis of the NTRU signature s
heme (NSS) from
Euro
rypt 2001. In Pro
. of Asia
rypt, volume 2248 of LNCS, pages 120. Springer, 2001.
21. C. Gentry, C. Peikert, and V. Vaikuntanathan. Trapdoors for hard latti
es and new
ryptographi
onstru
tions.
In Pro
. of STOC, pages 197206. ACM, 2008. Full version available at http://eprint.ia
r.org/2007/432.pdf.
22. C. Gentry and M. Szydlo. Cryptanalysis of the revised NTRU signature s
heme. In Pro
. of Euro
rypt, volume
2332 of LNCS, pages 299320. Springer, 2002.
23. N. Higham. A
ura
y and Stability of Numeri
al Algorithms, 2nd edition. SIAM, 2002.
24. J. Hostein, N. Howgrave-Graham, J. Pipher, and W. Whyte. Pra
ti
al latti
e-based
ryptography: NTRUEn
rypt
and NTRUSign, 2009. Chapter of [?.
25. J. Hostein, N. A. Howgrave-Graham, J. Pipher, J. H. Silverman, and W. Whyte. NTRUSIGN: Digital signatures
using the NTRU latti
e, preliminary draft 2, dated april 2, 2002. Preliminary/extended version of [26. Available
at http://www.se
urityinnovation.
om/
ryptolab/arti
les.shtml.
26. J. Hostein, N. A. Howgrave-Graham, J. Pipher, J. H. Silverman, and W. Whyte. NTRUSIGN: Digital signatures
using the NTRU latti
e. In Pro
. of CT-RSA, volume 2612 of LNCS. Springer, 2003.
35
27. J. Hostein, J. Pipher, and J. H. Silverman. NTRU: a new high speed publi
key
ryptosystem. Preprint;
presented at the rump session of Crypto'96, 1996.
28. J. Hostein, J. Pipher, and J. H. Silverman. NTRU: a ring based publi
key
ryptosystem. In Pro
. of ANTS,
volume 1423 of LNCS, pages 267288. Springer, 1998.
29. J. Hostein, J. Pipher, and J. H. Silverman. NSS: An NTRU latti
e-based signature s
heme. In Pro
. of Euro
rypt,
volume 2045 of LNCS. Springer, 2001.
30. N. Howgrave-Graham. A hybrid latti
e-redu
tion and meet-in-the-middle atta
k against NTRU. In Pro
. of
CRYPTO, volume 4622 of LNCS, pages 150169. Springer, 2007.
31. N. Howgrave-Graham, P. Q. Nguyen, D. Point
heval, J. Proos, J. H. Silverman, A. Singer, and W. Whyte. The
impa
t of de
ryption failures on the se
urity of NTRU en
ryption. In Pro
. of CRYPTO, volume 2729 of LNCS,
pages 226246. Springer, 2003.
32. N. Howgrave-Graham, J. H. Silverman, A. Singer, and W. Whyte. NAEP: Provable se
urity in the presen
e of
de
ryption failures. Te
hni
al report, Cryptology ePrint Ar
hive, 2003. http://eprint.ia
r.org/2003/172.
33. IEEE P1363. Standard spe
i
ations for publi
-key
ryptography. http://grouper.ieee.org/groups/1363/.
34. H. Iwanie
. On zeros of Diri
hlet's L series. Invent. Math., 23:97104, 1974.
35. A. Langlois and D. Stehl. Worst-
ase to average-
ase redu
tions for module latti
es. IACR Cryptology ePrint
Ar
hive, 2012:090.
36. A. K. Lenstra, H. W. Lenstra, Jr., and L. Lovsz. Fa
toring polynomials with rational
oe
ients. Math. Ann,
261:515534, 1982.
37. A. Lpez-Alt, E. Tromer, and V. Vaikuntanathan. On-the-y multiparty
omputation on the
loud via multikey
fully homomorphi
en
ryption. In Pro
. of STOC, pages 12191234, 2012.
38. V. Lyubashevsky. Fiat-Shamir with aborts: Appli
ations to latti
e and fa
toring-based signatures. In Pro
. of
ASIACRYPT, volume 5912 of LNCS, pages 598616. Springer, 2009.
39. V. Lyubashevsky and D. Mi
ian
io. Generalized
ompa
t knapsa
ks are
ollision resistant. In Pro
. of ICALP,
volume 4052 of LNCS, pages 144155. Springer, 2006.
40. V. Lyubashevsky, D. Mi
ian
io, C. Peikert, and A. Rosen. SWIFFT: A modest proposal for FFT hashing. In
Pro
. of FSE, volume 5086 of LNCS, pages 5472. Springer, 2008.
41. V. Lyubashevsky, C. Peikert, and O. Regev. On ideal latti
es and learning with errors over rings. In Pro
. of
EUROCRYPT, volume 6110 of LNCS, pages 123. Springer, 2010.
42. V. Lyubashevsky, C. Peikert, and O. Regev. On ideal latti
es and learning with errors over rings, 2011. Draft
for the extended version of [41, dated 24/04/2012.
43. V. Lyubashevsky, C. Peikert, and O. Regev. A toolkit for Ring-LWE
ryptography, 2011. Draft, personal
omuni
ation.
44. D. Mi
ian
io. Generalized
ompa
t knapsa
ks,
y
li
latti
es, and e
ient one-way fun
tions. Comput. Complexity, 16(4):365411, 2007.
45. D. Mi
ian
io and S. Goldwasser. Complexity of latti
e problems: a
ryptographi
perspe
tive. Kluwer A
ademi
Press, 2002.
46. D. Mi
ian
io and O. Regev. Worst-
ase to average-
ase redu
tions based on gaussian measures. SIAM J.
Comput, 37(1):267302, 2007.
47. D. Mi
ian
io and O. Regev. Latti
e-based
ryptography. In Post-Quantum Cryptography, D. J. Bernstein,
J. Bu
hmann, E. Dahmen (Eds), pages 147191. Springer, 2009.
48. D. Mi
ian
io and P. Voulgaris. A deterministi
single exponential time algorithm for most latti
e problems
based on voronoi
ell
omputations. In Pro
. of STOC, pages 351358. ACM, 2010.
49. S. Min, G. Yamamoto, and K. Kim. Weak property of malleability in NTRUSign. In Pro
. of ACISP, volume
3108 of LNCS, pages 379390. Springer, 2004.
50. R. A. Mollin. Algebrai
Number Theory. Chapman and Hall/CRC Press, 1999.
51. J. Neukir
h. Algebrai
number theory, volume 322 of Grundlehren der Mathematis
hen Wissens
haften. Springer,
Berlin, 1999.
52. P. Q. Nguyen and O. Regev. Learning a parallelepiped: Cryptanalysis of GGH and NTRU signatures. Journal
of Cryptology, 22(2):139160, 2009.
53. C. Peikert. Limits on the hardness of latti
e problems in p norms. Comput. Complexity, 2(17):300351, 2008.
54. C. Peikert. Publi
-key
ryptosystems from the worst-
ase shortest ve
tor problem. In Pro
. of STOC, pages
333342. ACM, 2009.
55. C. Peikert. An e
ient and parallel gaussian sampler for latti
es. In Pro
. of CRYPTO, volume 6223 of LNCS,
pages 8097. Springer, 2010.
56. C. Peikert and A. Rosen. E
ient
ollision-resistant hashing from worst-
ase assumptions on
y
li
latti
es. In
Pro
. of TCC, volume 3876 of LNCS, pages 145166. Springer, 2006.
36
57. C. Peikert and A. Rosen. Latti
es that admit logarithmi
worst-
ase to average-
ase
onne
tion fa
tors. In Pro
.
of STOC, pages 478487. ACM, 2007.
58. R. A. Perlner and D. A. Cooper. Quantum resistant publi
key
ryptography: a survey. In Pro
. of IDtrust,
pages 8593. ACM, 2009.
59. O. Regev. On latti
es, learning with errors, random linear
odes, and
ryptography. In Pro
. of STOC, pages
8493. ACM, 2005.
60. O. Regev. On latti
es, learning with errors, random linear
odes, and
ryptography. J. ACM, 56(6), 2009.
61. O. Regev. The learning with errors problem, 2010. Invited survey in CCC 2010, available at http://www.
s.
tau.a
.il/~odedr/.
62. C. P. S
hnorr. A hierar
hy of polynomial latti
e basis redu
tion algorithms. Theor. Comput. S
ien
e, 53:201224,
1987.
63. B. D. Sittinger. The probability that random algebrai
integers are relatively r -prime. Journal of Number Theory,
130:164171, 2010.
64. D. Stehl and R. Steinfeld. Making NTRU as se
ure as worst-
ase problems over ideal latti
es. In Pro
. of
EUROCRYPT, pages 2747, 2011.
65. D. Stehl, R. Steinfeld, K. Tanaka, and K. Xagawa. E
ient publi
key en
ryption based on ideal latti
es. In
Pro
. of ASIACRYPT, volume 5912 of LNCS, pages 617635. Springer, 2009.
66. R. Steinfeld, S. Ling, J. Pieprzyk, C. Tartary, and H. Wang. NTRUCCA: How to Strengthen NTRUEn
rypt to
Chosen-Ciphertext Se
urity in the Standard Model. In Pro
. of PKC, pages 353371, 2012.
67. M. Szydlo. Hyper
ubi
latti
e redu
tion and analysis of GGH and NTRU signatures. In Pro
. of Euro
rypt,
volume 2656 of LNCS, pages 433448. Springer, 2003.
68. G. Tenenbaum. Introdu
tion to Analyti
and Probabilisti
Number Theory. Number 46 in Cambridge Studies in
Advan
ed Mathemati
s. Cambridge University Press, 1995.
37