Making NTRU as Secure as Worst-Case Problems over Ideal Lattices

  • Damien Stehlé
  • Ron Steinfeld
Conference paper

DOI: 10.1007/978-3-642-20465-4_4

Part of the Lecture Notes in Computer Science book series (LNCS, volume 6632)
Cite this paper as:
Stehlé D., Steinfeld R. (2011) Making NTRU as Secure as Worst-Case Problems over Ideal Lattices. In: Paterson K.G. (eds) Advances in Cryptology – EUROCRYPT 2011. EUROCRYPT 2011. Lecture Notes in Computer Science, vol 6632. Springer, Berlin, Heidelberg


NTRUEncrypt, proposed in 1996 by Hoffstein, Pipher and Silverman, is the fastest known lattice-based encryption scheme. Its moderate key-sizes, excellent asymptotic performance and conjectured resistance to quantum computers could make it a desirable alternative to factorisation and discrete-log based encryption schemes. However, since its introduction, doubts have regularly arisen on its security. In the present work, we show how to modify NTRUEncrypt to make it provably secure in the standard model, under the assumed quantum hardness of standard worst-case lattice problems, restricted to a family of lattices related to some cyclotomic fields. Our main contribution is to show that if the secret key polynomials are selected by rejection from discrete Gaussians, then the public key, which is their ratio, is statistically indistinguishable from uniform over its domain. The security then follows from the already proven hardness of the R-LWE problem.


Keywords: Lattice-based cryptography, NTRU, provable security

Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  • Damien Stehlé (1)
  • Ron Steinfeld (2)
  1. CNRS, Laboratoire LIP (U. Lyon, CNRS, ENS Lyon, INRIA, UCBL), Lyon Cedex 07, France
  2. Centre for Advanced Computing - Algorithms and Cryptography, Department of Computing, Macquarie University, Australia