Several ideal-lattice-based cryptosystems have been broken by recent attacks that exploit special structures of the rings used in those cryptosystems. The same structures are also used in the leading proposals for post-quantum lattice-based cryptography, including the classic NTRU cryptosystem and typical Ring-LWE-based cryptosystems.
NTRU Prime tweaks NTRU to use rings without these structures. Here are two public-key cryptosystems in the NTRU Prime family, both designed for the standard goal of IND-CCA2 security:
- Streamlined NTRU Prime is optimized from an implementation perspective.
- NTRU LPRime (pronounced "ell-prime") is a variant offering different tradeoffs.
Streamlined NTRU Prime 4591761
and NTRU LPRime 4591761
are Streamlined NTRU Prime and NTRU LPRime
with high-security post-quantum parameters.
The resulting sizes and Haswell speeds
(from the official
supercop-20181216 benchmarks for
show that reducing the attack surface has very low cost:
|Metric||Streamlined NTRU Prime 4591761||NTRU LPRime 4591761|
|Public-key size||1218 bytes||1047 bytes|
|Ciphertext size||1047 bytes||1175 bytes|
|Key-generation time||940852 cycles||44948 cycles|
|Encapsulation time||44788 cycles||81144 cycles|
|Decapsulation time||93676 cycles||113708 cycles|
Contributors (alphabetical order)
- Daniel J. Bernstein, University of Illinois at Chicago, USA
- Chitchanok Chuengsatiansup, École Normale Supérieure de Lyon, France
- Tanja Lange, Technische Universiteit Eindhoven, Netherlands
- Christine van Vredendaal, Technische Universiteit Eindhoven, Netherlands
This work was supported by the Netherlands Organisation for Scientific Research (NWO) under grant 639.073.005.
This work was supported by the Commission of the European Communities through the Horizon 2020 program under project number 645622 (PQCRYPTO) and project number 645421 (ECRYPT-CSA).
This work was supported by the U.S. National Science Foundation under grant 1314919. "Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation."
Calculations were carried out on the Saber cluster of the Cryptographic Implementations group at Technische Universiteit Eindhoven.
Version: This is version 2018.12.19 of the "Intro" web page.