High-Speed Key Encapsulation from NTRU

Hülsing, Andreas; Rijneveld, Joost; Schanck, John M.; Schwabe, Peter

doi:10.1007/978-3-319-66787-4_12

Cited by 74 publications

(73 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…AVX2 implementation of polynomial multiplication Starting from Sandy Bridge, Intel provides AVX/AVX2 SIMD instructions that support computation on 128/256-bit vectors. We utilize this feature to achieve fast polynomial multiplication inspired by the software implementations of NTRU Prime [11] and NTRU KEM [31]. In Algorithm 6 the interpolation phase is trivial to vectorize.…”

Section: Methodsmentioning

confidence: 99%

Saber: Module-LWR Based Key Exchange, CPA-Secure Encryption and CCA-Secure KEM

D’Anvers

Karmakar

Roy

et al. 2018

Lecture Notes in Computer Science

211

126

View full text Add to dashboard Cite

In this paper, we introduce Saber, a package of cryptographic primitives whose security relies on the hardness of the Module Learning With Rounding problem (Mod-LWR). We first describe a secure Diffie-Hellman type key exchange protocol, which is then transformed into an IND-CPA encryption scheme and finally into an IND-CCA secure key encapsulation mechanism using a post-quantum version of the Fujisaki-Okamoto transform. The design goals of this package were simplicity, efficiency and flexibility resulting in the following choices: all integer moduli are powers of 2 avoiding modular reduction and rejection sampling entirely; the use of LWR halves the amount of randomness required compared to LWE-based schemes and reduces bandwidth; the module structure provides flexibility by reusing one core component for multiple security levels. A constant-time AVX2 optimized software implementation of the KEM with parameters providing more than 128 bits of post-quantum security, requires only 101K, 125K and 129K cycles for key generation, encapsulation and decapsulation respectively on a Dell laptop with an Intel i7-Haswell processor.

show abstract

Section: Methodsmentioning

confidence: 99%

Saber: Module-LWR Based Key Exchange, CPA-Secure Encryption and CCA-Secure KEM

D’Anvers

Karmakar

Roy

et al. 2018

Lecture Notes in Computer Science

211

126

View full text Add to dashboard Cite

show abstract

“…All rings are used in public-key cryptosystems designed for at least 2 128 post-quantum security. The estimated pre-quantum security levels are 2 248 for Streamlined NTRU Prime 4591 761 ; 2 256 for ntruees743ep1; 2 281 for New Hope; not stated in [71].…”

Section: Introductionmentioning

confidence: 99%

“…Last month Hülsing, Rijneveld, Schanck, and Schwabe [71] announced 11722 cycles for NTRU Classic multiplication, specifically multiplication in the ring (Z/q) [x]/(x p − 1) with p = 701 and q = 8192, again using a combination of several layers of Karatsuba's method and Toom's method. The power-of-2 moduli in NTRU Classic avoid the cost of reducing modulo medium-size primes.…”

Section: Introductionmentioning

confidence: 99%

NTRU Prime: Reducing Attack Surface at Low Cost

Bernstein

Chuengsatiansup

Lange

et al. 2017

Lecture Notes in Computer Science

124

View full text Add to dashboard Cite

Abstract. Several ideal-lattice-based cryptosystems have been broken by recent attacks that exploit special structures of the rings used in those cryptosystems. The same structures are also used in the leading proposals for post-quantum lattice-based cryptography, including the classic NTRU cryptosystem and typical Ring-LWE-based cryptosystems. This paper (1) proposes NTRU Prime, which tweaks NTRU to use rings without these structures; (2) proposes Streamlined NTRU Prime, a public-key cryptosystem optimized from an implementation perspective, subject to the standard design goal of IND-CCA2 security; (3) finds high-security post-quantum parameters for Streamlined NTRU Prime; and (4) optimizes a constant-time implementation of those parameters. The resulting sizes and speeds show that reducing the attack surface has very low cost.

show abstract

“…Using the NTT could be particularly beneficial to NTRU because key generation (whose timing is important in ephemeral key exchange) requires inversion over a polynomial ring, which is a much more efficient operation when done over NTT-compatible rings. Despite this apparent advantage, there were no NTT-based NTRU schemes submitted to the NIST standardization process, and the key generation procedure in the proposed schemes ( [HRSS17], [BCLvV17]) was thus significantly slower than in the proposals based on Ring / Module-LWE.…”

Section: Introductionmentioning

confidence: 99%

“…[ACD + 18]), however, the ring dimension needs to be somewhere between 700 and 800 for 128-bit security (e.g. NTRU-HRSS [HRSS17] uses dimension 701, NTRU-Prime [BCLvV17] is in dimension 761, and Kyber / Saber [DKRV18] use dimension 768). And unlike schemes based on generalized LWE (like Kyber) that are able to use a public key consisting of a matrix of smaller-degree power-of-2 rings without increasing the public key size, this approach does not work for NTRU.…”

Section: Introductionmentioning

confidence: 99%

NTTRU: Truly Fast NTRU Using NTT

Lyubashevsky¹,

Seiler²

2019

TCHES

View full text Add to dashboard Cite

We present NTTRU – an IND-CCA2 secure NTRU-based key encapsulation scheme that uses the number theoretic transform (NTT) over the cyclotomic ring Z7681[X]/(X768−X384+1) and produces public keys and ciphertexts of approximately 1.25 KB at the 128-bit security level. The number of cycles on a Skylake CPU of our constant-time AVX2 implementation of the scheme for key generation, encapsulation and decapsulation is approximately 6.4K, 6.1K, and 7.9K, which is more than 30X, 5X, and 8X faster than these respective procedures in the NTRU schemes that were submitted to the NIST post-quantum standardization process. These running times are also, by a large margin, smaller than those for all the other schemes in the NIST process as well as the KEMs based on elliptic curve Diffie-Hellman. We additionally give a simple transformation that allows one to provably deal with small decryption errors in OW-CPA encryption schemes (such as NTRU) when using them to construct an IND-CCA2 key encapsulation.

show abstract

High-Speed Key Encapsulation from NTRU

Cited by 74 publications

References 28 publications

Saber: Module-LWR Based Key Exchange, CPA-Secure Encryption and CCA-Secure KEM

Saber: Module-LWR Based Key Exchange, CPA-Secure Encryption and CCA-Secure KEM

NTRU Prime: Reducing Attack Surface at Low Cost

NTTRU: Truly Fast NTRU Using NTT

Contact Info

Product

Resources

About