Abstract
Due to its remarkable performance and potential resistance to quantum attacks, \(\mathsf {NTRUEncrypt}\) has drawn much attention recently; it also has been standardized by IEEE. However, classical \(\mathsf {NTRUEncrypt}\) lacks a strong security guarantee and its security still relies on heuristic arguments. At Eurocrypt 2011, Stehlé and Steinfeld first proposed a variant of \(\mathsf {NTRUEncrypt}\) with a security reduction from standard problems on ideal lattices. This variant is restricted to the family of rings \(\mathbb {Z}[X]/(X^n+1)\) with n a power of 2 and its private keys are sampled by rejection from certain discrete Gaussian so that the public key is shown to be almost uniform. Despite the fact that partial operations, especially for \(\mathsf {RLWE} \), over \(\mathbb {Z}[X]/(X^n+1)\) are simple and efficient, these rings are quite scarce and different from the classical \(\mathsf {NTRU}\) setting. In this work, we consider a variant of \(\mathsf {NTRUEncrypt}\) over prime cyclotomic rings, i.e. \(\mathbb {Z}[X]/(X^{n-1}+\cdots +X+1)\) with n an odd prime, and obtain \(\mathsf {IND\text {-}CPA}\) secure results in the standard model assuming the hardness of worst-case problems on ideal lattices. In our setting, the choice of the rings is much more flexible and the scheme is closer to the original \(\mathsf {NTRU}\), as \(\mathbb {Z}[X]/(X^{n-1}+\cdots +X+1)\) is a large subring of the \(\mathsf {NTRU}\) ring \(\mathbb {Z}[X]/(X^{n}-1)\). Some tools for prime cyclotomic rings are also developed.
\(\copyright \) IACR 2017. This article is the final version submitted by the authors to the IACR and to Springer-Verlag on January 7, 2017. The version published by Springer-Verlag is available at doi:10.1007/978-3-662-54365-8_17.
You have full access to this open access chapter, Download conference paper PDF
Similar content being viewed by others
Keywords
1 Introduction
The well-known public key system \(\mathsf {NTRU}\) was created and refined by Hoffstein, Pipher and Silverman in [17, 18]. The \(\mathsf {NTRU}\) encryption scheme, \(\mathsf {NTRUEncrypt}\), is one of the fastest known lattice-based cryptosystems and regarded as an alternative to RSA and ECC due to its potential of countering attacks by quantum computers. The underlying problem of \(\mathsf {NTRUEncrypt}\) has been used to design various cryptographic primitives including digital signatures [16], identity-based encryption [8] and multi-linear maps [11, 23]. In the course of assessing the security of \(\mathsf {NTRU}\), Coppersmith and Shamir first claimed in [5] that one can convert breaking \(\mathsf {NTRU}\) to solving hard problems on the so-called \(\mathsf {NTRU}\) lattice. Then an army of cryptanalyses [1, 2, 4, 9, 10, 12, 15, 19, 21, 22, 29, 34] have brought security estimations on \(\mathsf {NTRU}\) and its variants, and \(\mathsf {NTRU}\) is still considered secure in practice.
The Learning With Errors problem (\(\mathsf {LWE} \)), introduced by Regev in 2005 [32], is shown to be as hard as certain lattice problems in the worst case. The Ring Learning With Errors problem (\(\mathsf {RLWE} \)) is an algebraic variant of \(\mathsf {LWE} \), proposed by Lyubashevsky, Peikert and Regev [25], whose hardness is guaranteed by some hard problems over ideal lattices. Due to its better compactness and efficiency over \(\mathsf {LWE} \), \(\mathsf {RLWE} \) has been used as the foundation of new cryptographic applications. In a celebrated paper [33], Stehlé and Steinfeld first modified \(\mathsf {NTRUEncrypt}\) by incorporating \(\mathsf {RLWE} \) and proved that the security of \(\mathsf {NTRU}\) follows by a reduction from \(\mathsf {RLWE} \) provided that a right set of parameters are used, which is the first sound theoretical base for the security of \(\mathsf {NTRU}\) in the asymptotic sense. It is worth noting that several novel ideas and powerful techniques have been developed in [33]. One remarkable contribution is to show that, for n being a power of 2, and private keys f, g sampled according suitable conditions and parameters from the ring \(\mathbb {Z}[X]/(X^n+1)\), the public key \(h=\frac{f}{g}\) is close to that uniformly sampled under the statistical distance. Based on the provably secure \(\mathsf {NTRU}\) scheme, more interesting cryptographic primitives are achieved, such as fully homomorphic encryption [3, 24], proxy re-encryption [30].
In most known ring-based cryptosystems, the rings of the form \(\mathbb {Z}[X]/(X^{2^m}+1)\) are preferred choices. This family of rings has some nice algebraic features and various results on it have been already established. However, as these rings are very scarce, it has a limitation on the choice of the rings. It is noted that another family of rings, the prime cyclotomic rings of the form \(\mathcal R=\mathbb {Z}[X]/(X^{n-1}+\cdots +X+1)\) with n being a prime, is also of particular interest in many aspects, especially in the context of \(\mathsf {RLWE} \) and \(\mathsf {NTRU}\). As a large subring, this ring is much closer to the original \(\mathsf {NTRU}\) ring. It is also remarked that a class of subfield attacks [1] is proposed recently and affects the asymptotic security of \(\mathsf {NTRU}\) for large moduli q. Note that the subfield attack is not applicable to the setting of [33], but it is still meaningful to consider \(\mathsf {NTRU}\) over the fields with no subfields of desired relative degree. In this sense, prime cyclotomic ring seems a good choice of the potential to counter the subfield attack. Establishing \(\mathsf {IND\text {-}CPA}\) (indistinguishability under chosen-plaintext attack) secure results with respect to this class of rings will be an important topic. Indeed, as stated in [33], the results for \(\mathbb {Z}[X]/(X^{2^m}+1)\) are likely to hold for more general cases including that for prime cyclotomic rings. However, to the best of our knowledge, there were no actual discussions on this issue found in literature.
Our Contribution. The main purpose of this paper is to study the problem of provable security of \(\mathsf {NTRU}\) in a modified setting with respect to prime cyclotomic rings. We show results similar to that of [33] still hold over prime cyclotomic rings. Consequently, to instantiate a provably secure \(\mathsf {NTRU}\), the density of usable cyclotomic polynomial degree \(n < N\) is increased from \(\varTheta \left( \frac{\log N}{N}\right) \) to \(\varTheta \left( \frac{1}{\log N}\right) \). Even though some main ideas of [33] are applicable in our discussion, many technical differences also need to be taken care of. Furthermore, some new results on prime cyclotomic rings developed here might be of general interest. We believe that these results could be used to design more applications based on prime cyclotomic rings.
Organization. We start in Sect. 2 with some notations and basic facts that will be useful to our discussion. We shall develop and prove a series of relevant results over prime cyclotomic rings in Sect. 3. Section 4 describes a modified \(\mathsf {NTRUEncrypt}\) over prime cyclotomic rings and a reduction to its \(\mathsf {IND\text {-}CPA}\) security from \(\mathsf {RLWE} \) which has been proven hard under worst-case assumptions on ideal lattices. We conclude in Sect. 5. We have a couple of results whose proofs are similar to that in [33], these proofs are included in Appendices A, B and C for completeness.
2 Preliminaries
Lattice. A lattice \(\mathcal {L}\) is a discrete subgroup of \(\mathbb {R}^m\) and represented by a basis, i.e.there is a set of linearly independent vectors \(\mathbf {b}_1,\cdots ,\mathbf {b}_n \in \mathbb {R}^m\) such that \(\mathcal {L}= {\{}{\sum _i x_i\mathbf {b}_i | x_i\in \mathbb {Z}}{\}}\). The integer m is the dimension and the integer n is the rank of \(\mathcal {L}\). A lattice is full-rank if its rank equals its dimension. The first minimum \(\lambda _1(\mathcal {L})\) (resp. \(\lambda _1^{\infty }(\mathcal {L})\)) is the minimum of Euclidean (resp. \(\ell _\infty \)) norm of all non-zero vectors of the lattice \(\mathcal {L}\). More generally, the k-th minimum \(\lambda _k(\mathcal {L})\) for \(k\le n\) is the smallest r such that there are at least k linearly independent vectors of \(\mathcal {L}\) whose norms are not greater than r. Given a basis \(\mathbf {B}= (\mathbf {b}_1,\cdots ,\mathbf {b}_n)\) of a full-rank lattice \(\mathcal {L}\), the set \(\mathcal {P}(\mathbf {B}) = {\{}{\sum _i c_i\mathbf {b}_i | c_i\in [0,1)}{\}}\) is the fundamental parallelepiped of \(\mathbf {B}\) whose volume \(|\det (\mathbf {B})|\) is an invariant of \(\mathcal {L}\), called the volume of \(\mathcal {L}\) and denoted by \(\det (\mathcal {L})\). The dual lattice of \(\mathcal {L}\) is the lattice \(\widehat{\mathcal {L}} = {\{}{\mathbf {c}\in \mathbb {R}^m | \forall i, \langle \mathbf {c},\mathbf {b}_i\rangle \in \mathbb {Z}}{\}}\) of the same dimension and rank with \(\mathcal {L}\).
Given a ring \(\mathcal R\) with an additive isomorphism \(\theta \) mapping \(\mathcal R\) to the lattice \(\theta (\mathcal R)\) in an inner product space and an ideal I of \(\mathcal R\), we call the sublattice \(\theta (I)\) an ideal lattice. Due to their smaller space requirement and faster operation speed, ideal lattices have been a popular choice for most lattice-based cryptosystems. More importantly, the hardness of classical lattice problems, \(\mathsf {SVP}\) (Shortest Vector Problem) and \(\gamma \)-\(\mathsf {SVP}\) (Approximate Shortest Vector Problem with approximation factor \(\gamma \)), does not seem to substantially decrease (except maybe very large approximate factors [6]). Thus, it is believed that the worst-case hardness of \(\gamma \)-\(\mathsf {SVP}\)over ideal lattices, denoted by \(\gamma \)-Ideal-\(\mathsf {SVP}\), is against subexponential quantum attacks, for any \(\gamma \le {{\mathrm{poly}}}(n)\).
Probability and Statistics. Let D be a distribution over a discrete domain E. We write to represent the random variable z that is sampled from the distribution D and denote by D(x) the probability of z evaluates to \(x \in E\). We denote by U(E) the uniform distribution over a finite domain E. For two distributions \(D_1, D_2\) over a same discrete domain E, their statistical distance is \(\varDelta (D_1;D_2) = \frac{1}{2}\sum _{x\in E}|D_1(x)-D_2(x)|\). Two distributions \(D_1,D_2\) are said to be statistically close with respect to n if their statistical distance \(\varDelta (D_1;D_2)=o(n^{-c})\) for any constant \(c>0\).
Gaussian Measures. We denote by \(\rho _{r,\mathbf {c}}(\mathbf {x})\) the n-dimensional Gaussian function with center \(\mathbf {c}\in \mathbb {R}^n\) and width r, i.e. \(\rho _{r,\mathbf {c}}(\mathbf {x}) = \exp \left( -\frac{\pi \Vert \mathbf {x}-\mathbf {c}\Vert ^2}{r^2}\right) \). When the center is \(\mathbf {0}\), the Gaussian function is simply written as \(\rho _{r}(\mathbf {x})\). Let \(S\) be a subset of \(\mathbb {R}^n\), we denote by \(\rho _{r,\mathbf {c}}(S)\) (resp. \(\rho _{r}(S)\)) the sum \(\sum _{\mathbf {x}\in S}\rho _{r,\mathbf {c}}(\mathbf {x})\) (resp. \(\sum _{\mathbf {x}\in S}\rho _{r}(\mathbf {x})\)). Let \(D_{\mathcal {L},r,\mathbf {c}}\) be the discrete Gaussian distribution over a lattice \(\mathcal {L}\) with center \(\mathbf {c}\) and width r, the probability of a vector \(\mathbf {x}\in \mathcal {L}\) under this distribution is \(D_{\mathcal {L},r,\mathbf {c}}(\mathbf {x}) = \frac{\rho _{r,\mathbf {c}}(\mathbf {x})}{\rho _{r,\mathbf {c}}(\mathcal {L})}\). For \(\delta > 0\), the smoothing parameter \(\eta _\delta (\mathcal {L})\) is the smallest \(r > 0\) such that \(\rho _{1/r}(\widehat{\mathcal {L}}) \le 1+\delta \). The smoothing parameter is bounded in terms of some lattice quantities. The following lemmata will be useful in our discussion.
Lemma 1
([28], Lemma 3.3). Let \(\mathcal {L}\subseteq \mathbb {R}^n\) be a full-rank lattice and \(\delta \in (0,1)\). Then \(\eta _\delta (\mathcal {L}) \le \sqrt{\frac{\ln (2n(1+1/\delta ))}{\pi }}\cdot \lambda _n(\mathcal {L})\).
Lemma 2
([31], Lemma 3.5). Let \(\mathcal {L}\subseteq \mathbb {R}^n\) be a full-rank lattice and \(\delta \in (0,1)\). Then \(\eta _\delta (\mathcal {L}) \le \frac{\sqrt{\ln (2n(1+1/\delta ))/\pi }}{ \lambda _1^{\infty }\left( \widehat{\mathcal {L}}\right) }\).
Lemma 3
([28], Lemma 4.4). Let \(\mathcal {L}\subseteq \mathbb {R}^n\) be a full-rank lattice and \(\delta \in (0,1)\). For \(\mathbf {c}\in \mathbb {R}^n\) and \(r \ge \eta _\delta (\mathcal {L})\), we have .
Lemma 4
([28], Corollary 2.8). Let \(\mathcal {L}' \subseteq \mathcal {L}\subseteq \mathbb {R}^n\) be full-rank lattices and \(\delta \in (0,\frac{1}{2})\). For \(\mathbf {c}\in \mathbb {R}^n\) and \(r \ge \eta _\delta (\mathcal {L}')\), we have \(\varDelta (D_{\mathcal {L},r,\mathbf {c}} \bmod \mathcal {L}'; U(\mathcal {L}/\mathcal {L}')) \le 2\delta \).
Lemma 5
([28], Theorem 4.1). There exists a polynomial-time algorithm that, given a basis \((\mathbf {b}_1,\cdots ,\mathbf {b}_n)\) of a lattice \(\mathcal {L}\subseteq \mathbb {Z}^n\), a parameter \(r = \omega (\sqrt{\log n})\max \Vert \mathbf {b}_i\Vert \) and \(\mathbf {c}\in \mathbb {R}^n\), outputs samples from a distribution statistically close to \(D_{\mathcal {L},r,\mathbf {c}}\) with respect to n.
Furthermore, we denote by \(\psi _r\) the Gaussian distribution with mean 0 and width r over \(\mathbb {R}\) and by \(\psi _r^n\) the spherical Gaussian distribution over \(\mathbb {R}^n\) of the vector \((v_1,\cdots ,v_n)\) in which each \(v_i\) is drawn from \(\psi _r\) independently. In this paper, we shall restrict \(\psi _r\) over \(\mathbb {Q}\) rather than \(\mathbb {R}\). As explained in [7], this will only lead to a negligible impact on our results.
Cyclotomic Ring. Let \(\xi _n\) be a primitive n-th complex root of unity and \(\varPhi _n(X)\) the n-th cyclotomic polynomial. It is known that \(\varPhi _n(X) \in \mathbb {Z}[X]\) and is of degree \(\varphi (n)\), the totient of n. All roots of \(\varPhi _n(X)\) form the set \({\{}{\xi _n^i | i \in \mathbb {Z}_n^*}{\}}\). In this paper, we will be working with a cyclotomic ring of the form \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). For any prime n, if a prime q satisfies \(q = 1 \bmod n\), then \(\varPhi _n(X)\) splits into \(n-1\) distinct linear factors modulo q. Given n, the existence of infinite such primes is guaranteed by Dirichlet’s theorem on arithmetic progressions. Furthermore, by Linnik’s theorem, the smallest such q can be bounded by \({{\mathrm{poly}}}(n)\) (a more precise bound \(O(n^{5.2})\) has been proven in [36]). Another important class of rings involved in our discussion is the family of rings of the form \(\mathcal R_q = \mathcal R/q\mathcal R\). As indicated earlier, our main focus will be prime cyclotomic rings, i.e.those rings associate with polynomials \(\varPhi _n(X) = X^{n-1} + X^{n-2} + \cdots + 1\) with n a prime.
Given a positive integer n, we define the polynomial \(\varTheta _n(X)\) to be \(X^n-1\) if n is odd, and \(X^{\frac{n}{2}}+1\) if n is even. It is easy to see that there is a natural ring extension \(\mathcal R'=\mathbb {Z}[X]/\varTheta _n(X)\) of the cyclotomic ring \(\mathcal R=\mathbb {Z}[X]/\varPhi _n(X)\). In particular, when \(n>1\) is a power of 2, \(\mathcal R= \mathcal R'\); when n is a prime, the relation \(\varTheta _n(X) = \varPhi _n(X)\cdot (X-1)\) implies a ring isomorphism \(\mathcal R' \simeq \mathcal R\times \mathbb {Z}\) by the Chinese Remainder Theorem.
Hardness of RLWE. The “pure” Ring Learning With Errors problem (\(\mathsf {RLWE} \)) introduced in [25] involves the dual of the ring. For the ring \(\mathbb {Z}[X]/(X^{2^m}+1)\), its dual is just a scaling of itself. Therefore, many \(\mathsf {RLWE} \) instances are established over such rings to avoid dual. In [7], Ducas and Durmus proposed an “easy-to-use” \(\mathsf {RLWE} \) setting and instantiated \(\mathsf {RLWE} \) over prime cyclotomic rings. In this paper, we follow the setting of [7].
Definition 1
( \(\mathsf {RLWE} \) error distribution in [7]). Let \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). Given \(\psi \) a distribution over \(\mathbb {Q}[X]/\varTheta _n(X)\), we define \(\overline{\psi }\) as the distribution over \(\mathcal R\) obtained by \(e = {\lfloor }e' \bmod \varPhi _n(X){\rceil } \in \mathcal R\) with . Here we denote by \({\lfloor }f{\rceil }\) the polynomial whose coefficients are derived by rounding coefficients of f to the nearest integers.
Definition 2
( \(\mathsf {RLWE} \) distribution in [7]). Let \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\) and \(\mathcal R_q = \mathcal R/q\mathcal R\). For \(s \in \mathcal R_q\) and \(\psi \) a distribution over \(\mathbb {Q}[X]/\varTheta _n(X)\), we define \(A_{s,\psi }\) as the distribution over \(\mathcal R_q \times \mathcal R_q\) obtained by sampling the pair \((a, as+e)\) where and \(e \hookleftarrow \overline{\psi }\).
Definition 3
( \(\mathsf {RLWE} \) \(_{q,\psi ,k}\) ). Let \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\) and \(\mathcal R_q = \mathcal R/q\mathcal R\). The problem \(\mathsf {RLWE} \) \(_{q,\psi ,k}\) in the ring \(\mathcal R\) is defined as follows. Given k samples drawn from \(A_{s,\psi }\) where and k samples from \(U(\mathcal R_q \times \mathcal R_q)\), distinguish them with an advantage \(1/{{\mathrm{poly}}}(n)\).
The following theorem indicates that \(\mathsf {RLWE} \) under the above settings is hard based on the worst-case hardness of \(\gamma \)-Ideal-\(\mathsf {SVP}\). The ideal lattices we discuss here are with respect to the so-called canonical embedding, i.e. \(\theta (f) = (f(\xi _n^i))_{i\in \mathbb {Z}_n^*}\).
Theorem 1
([7], Theorem 2). Let n be an odd prime, and let \(\mathcal R_q\) be the ring \(\mathbb {Z}_q[X]/\varPhi _n(X)\) where q is a prime congruent to 1 modulo 2n. Also, let \(\alpha \in (0,1)\) be a real number such that \(\alpha q > \omega (\sqrt{\log n})\). There exists a randomized quantum reduction from \(\gamma \)-Ideal-\(\mathsf {SVP}\) on ideal lattices in \(\mathbb {Z}[X]/\varPhi _n(X)\) to \(\mathsf {RLWE} \) \(_{q,\psi _t^{n},k}\) for \(t = \sqrt{n}\alpha q\left( \frac{(n-1)k}{\log ((n-1)k)}\right) ^{1/4}\) (with \(\gamma = \tilde{O}\left( \frac{\sqrt{n}}{\alpha }\right) \)) that runs in time \(O(q\cdot {{\mathrm{poly}}}(n))\).
Let \(\mathcal R_q^{\times }\) be the set of all invertible elements of \(\mathcal R_q\). By restricting \(A_{s,\psi }\) to \(\mathcal R_q^{\times } \times \mathcal R_q\), we obtain a modified \(\mathsf {RLWE} \) distribution and denote it by \(A_{s,\psi }^{\times }\). Replacing \(A_{s,\psi }\) and \(U(\mathcal R_q \times \mathcal R_q)\) by \(A_{s,\psi }^{\times }\) and \(U(\mathcal R_q^{\times } \times \mathcal R_q)\) respectively, we get a variant of \(\mathsf {RLWE} \) which is denoted by \(\mathsf {RLWE} ^{\times }\). When \(q = \varOmega (n)\), the invertible elements account for a non-negligible fraction in the \(\mathcal R_q\). Thus \(\mathsf {RLWE} ^{\times }\) remains hard. Furthermore, as explained in [33], the nonce s in \(A_{s,\psi }^{\times }\) can be sampled from \(\psi \) without incurring security loss. We denote by \(\mathsf {RLWE} ^{\times }_{HNF}\) this variant of \(\mathsf {RLWE} ^{\times }\).
3 New Results on Prime Cyclotomic Rings
In this section, we will report on a series of results on prime cyclotomic rings. Some of the results are adapted from corresponding conclusions in [33], but the modifications are not trivial considering the differences between the cyclotomic rings of prime and a power of 2 orders. Firstly, we present several notations and basic properties aiming at prime cyclotomic rings.
3.1 Notations and Properties
Let n be a prime and \(\mathcal R\) be the ring \(\mathbb {Z}[X]/\varPhi _n(X)=\mathbb {Z}[X]/(X^{n-1}+\cdots +1)\). For any \(f \in \mathcal R\), we call a vector \((f_0,\cdots ,f_{n-2})\in \mathbb {Z}^{n-1}\) the coefficient vector of f if \(f = \sum _{i=0}^{n-2}f_iX^i\). For any \(\mathbf {s}= (s_1, \cdots , s_m) \in \mathcal R^m\), we view \(\mathbf {s}\) as a \(m(n-1)\)-dimensional vector in \(\mathbb {Z}^{m(n-1)}\) by coefficient embedding. Given \(\mathbf {s},\mathbf {t}\in \mathcal R^m\), their Euclidean inner product is denoted by \(\langle \mathbf {s}, \mathbf {t}\rangle \). To get a clean expression of \(\langle \mathbf {s}, \mathbf {t}\rangle \) as a coefficient of a polynomial related to \(\mathbf {s}\) and \(\mathbf {t}\), we introduce two operations on \(f \in \mathcal R\) as follows.
Let \(f \in \mathcal R\) of coefficient vector \((f_0,\cdots ,f_{n-2})\), we define \(f^{\smallsmile }\) to be the polynomial \(\sum _{i=0}^{n-2}(\sum _{j=i}^{n-2}f_j)X^i\) and \(f^{\smallfrown }\) the polynomial \(\sum _{i=0}^{n-3}(f_i - f_{i+1})X^i + f_{n-2}X^{n-2}\), respectively. One important consequence is that, regarding \(\smallsmile \) and \(\smallfrown \) as two functions over \(\mathcal R\), these operations are inverse to each other, namely
Proposition 1
Let n be a prime and \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\), then
Proof
Let \((g_0,\cdots ,g_{n-2})\) and \((h_0,\cdots ,h_{n-2})\) be the coefficient vectors of the polynomials \(f^{\smallsmile }\) and \(f^{\smallfrown }\) respectively. According to the definitions of these two operations, we have
and
Then, a straightforward computation leads to that
and
Thus we conclude that \(g^{\smallfrown } = h^{\smallsmile } = f\), i.e. \((f^{\smallsmile })^{\smallfrown } = (f^{\smallfrown })^{\smallsmile } = f\). \(\square \)
The following lemma manifests an expression of the Euclidean inner product of two elements in \(\mathcal R\).
Lemma 6
Let n be a prime and \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). Denote by \(X^{-1}\) the inverse of X. Let \(f \in \mathcal R\) of coefficient vector \((f_0,\cdots ,f_{n-2})\) and \(g \in \mathcal R\) of coefficient vector \((g_0,\cdots ,g_{n-2})\). Then
Proof
Let \((g'_0,\cdots ,g'_{n-2})\) be the coefficient vector of the polynomial \(g^{\smallsmile }\). Notice that the term \(X^n\) is equivalent to the identity element of \(\mathcal R\). Hence \(X^{-1}\) is equivalent to \(X^{n-1}\) when it comes to the algebraic computations over \(\mathcal R\). Then we have
The constant coefficient of \(f(X)g^{\smallsmile }(X^{-1})\) is only contributed by the term \(X^{i+(n-1)j}\) with \(i+(n-1)j = 0,n-1\bmod n\), i.e. \(i=j\text { or }j-1\). Note that \(X^{n-1}=-(X^{n-2}+\cdots +1)\), thus the constant coefficient of \(f(X)g^{\smallsmile }(X^{-1})\) equals \(\sum _{i=0}^{n-2}f_ig'_i - \sum _{i=0}^{n-3}f_ig'_{i+1} = \sum _{i=0}^{n-3}f_i(g'_{i}-g'_{i+1}) + f_{n-2}g'_{n-2}\). The terms \(\{g'_{i}-g'_{i+1}\}_{i=0}^{n-3}\) and \(g'_{n-2}\) are the coefficients of the polynomial \((g^{\smallsmile })^{\smallfrown } = g\). Consequently, the constant coefficient of \(f(X)g^{\smallsmile }(X^{-1})\) equals \(\sum _{i=0}^{n-2}f_ig_i\). \(\square \)
Corollary 1
Let n be a prime and \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). For any \(\mathbf {s}= (s_1, \cdots , s_m) \in \mathcal R^m\) and \(\mathbf {t}= (t_1, \cdots , t_m) \in \mathcal R^m\), then
Remark
For the ring \(\mathbb {Z}[X]/(X^n+1)\), the Euclidean inner product of any two elements f and g equals the constant coefficient of the polynomial \(f(X)g(X^{-1})\), which is simpler than the case in our discussion. The rather involved expression of Euclidean inner product contributes to a sequence of technical differences compared to that in [33].
Now we introduce several norms and demonstrate some relations among them. For any \(t \in \mathcal R\), we define its \(\mathrm {T}_2\) -norm by \(\mathrm {T}_2(t)^2 = \sum _{i=1}^{n-1} |t(\xi _n^i)|^2\) and its algebraic norm by \({{\mathrm{N}}}(t) = \prod _{i=1}^{n-1} |t(\xi _n^i)|\). Also we define the polynomial norm \(\Vert t\Vert \) by the Euclidean norm of the coefficient vector of t.
Lemma 7
Let n be a prime and \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). For any \(t \in \mathcal R\), we have
Proof
The first inequality can be proven directly by arithmetic-geometric inequality. Since \(\Vert t\Vert ^2 = \frac{\sum _{i=0}^{n-1}|t(\xi _n^i)|^2}{n} = \frac{\mathrm {T}_2(t)^2 + t(1)^2}{n}\) is the Parseval’s identity [35], the second one follows immediately, as \(t(1)^2 \ge 0\). \(\square \)
Moreover, we present the following result to illustrate that the product of two polynomials in \(\mathcal R\) is of well-bounded norm.
Lemma 8
Let n be a prime and \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). For any \(f, g \in \mathcal R\), we have
Proof
Let \(\mathcal R' = \mathbb {Z}[X]/(X^n-1)\) and \(f', g'\in \mathcal R'\) be the polynomials with the same coefficients as f, g respectively, i.e.the coefficients of \(X^{n-1}\) are 0. Let \(h' = \sum _{i=0}^{n-1}h_i'X^i\) be the product of \(f'\) and \(g'\) in \(\mathcal R'\) where \(h_i' \in \mathbb {Z}\) for \(i \in {\{}{0,\cdots ,n-1}{\}}\). Let \(h = f\cdot g \in \mathcal R\). Notice that \(\varPhi _n(X)\) is a factor of \(X^n-1\), hence we know that \(h' \bmod \varPhi _n(X) = h \in \mathcal R\), i.e. \(h = h' \bmod \varPhi _n(X) = \sum _{i=0}^{n-2} (h_i'-h_{n-1}')X^i\).
Let \((f_0,\cdots ,f_{n-2})\) and \((g_0,\cdots ,g_{n-2})\) be the coefficient vectors of f and g. We also set \(f_{n-1} = g_{n-1} = 0\). For any \(i \in \{0,\cdots ,n-1\}\), we have \(h_i' = \sum _{j=0}^{n-1}{f_jg_{(i-j)\bmod n}}\). By Cauchy-Schwarz inequality, we know that \(|h_i'| \le \Vert f\Vert \Vert g\Vert \). Therefore
By equivalence of norms, we conclude that \(\Vert h\Vert \le \sqrt{n-1} \Vert h\Vert _{\infty } \le 2\sqrt{n-1}\Vert f\Vert \Vert g\Vert \). \(\square \)
Remark
The second inequality indicates that an upper bound of the multiplicative expansion factor of \(\mathcal R\), which is \(\gamma _{\times }(\mathcal R) = \max _{f,g\in \mathcal R} \frac{\Vert fg\Vert }{\Vert f\Vert \Vert g\Vert }\), is \(2\sqrt{n-1}\). This is comparable to that of power-of-2 cyclotomic rings in the asymptotic sense, as the expansion factor of the ring \(\mathbb {Z}[X]/(X^n+1)\) is exactly \(\sqrt{n}\) (see [13]).
3.2 Duality Results for Module Lattices
In [33], Stehlé and Steinfeld reveals a nice duality between two module lattices for the n-th cyclotomic ring with n a power of 2. However, that duality cannot be simply generalized to the case of prime cyclotomic rings. Next, we will propose a new duality relationship between two module lattices for a prime cyclotomic ring.
To begin with, we introduce a few families of \(\mathcal R\)-modules. Let q be a prime such that \(\varPhi _{n}(X)\) splits into \(n-1\) distinct linear factors modulo q and \(\mathcal R_q = \mathcal R/q\mathcal R\). We denote by \({\{}{\phi _i}{\}}_{i=1,\cdots ,n-1}\) all roots of \(\varPhi _n(X)\) modulo q. Note that if \(\phi \) is a root of \(\varPhi _n(X)\) modulo q, then so is \(\phi ^{-1} \bmod q\). By the Chinese Remainder Theorem, we see that
From this, we see that each ideal of \(\mathcal R_q\) is of the form \(\prod _{i\in S}(X-\phi _i)\cdot \mathcal R_q\) with \(S\subseteq {\{}{1,\cdots ,n-1}{\}}\), and we denote it by \(I_S\). Let \(\mathcal R_q^{\times }\) be the set of all invertible elements of \(\mathcal R_q\). Given \(\mathbf {a}\in \mathcal R_q^m\), we define two \(\mathcal R\)-modules \(\mathbf {a}^{\perp }(I_S)\) and \(\mathcal {L}(\mathbf {a}, I_S)\) in exactly the same manner as in [33]:
Then we can define a new \(\mathcal R\)-module \(\mathcal {L}^{^{\smallfrown }}(\mathbf {a}, I_S)\) to be
Module lattices \(\mathbf {a}^{\perp }(I_S)\) and \(\mathcal {L}^{^{\smallfrown }}(\mathbf {a}, I_S)\) can be related by duality argument. More precisely,
Lemma 9
Let n be a prime and \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). Let q be a prime such that \(\varPhi _{n}(X)\) splits into \(n-1\) distinct linear factors modulo q and \(\mathcal R_q = \mathcal R/q\mathcal R\). Given \(S\subseteq {\{}{1,\cdots , n-1}{\}}\) and \(\mathbf {a}\in \mathcal R_q^m\), let \(\mathbf {a}^{\times } \in \mathcal R_q^m\) be defined by \(a_i^{\times } = a_i(X^{-1})\) and \(I_{\bar{S}}^{\times }\) be the ideal \(\prod _{i\in \bar{S}}(X-\phi _i^{-1})\cdot \mathcal R_q\) where \(\bar{S}\) is the complement of \(S\). Then (considering both sets as \(m(n-1)\)-dimensional lattices by identifying \(\mathcal R\) with \(\mathbb {Z}^{n-1}\))
Proof
Firstly, we prove that \(\frac{1}{q}\mathcal {L}^{\smallfrown }(\mathbf {a}^{\times }, I_{\bar{S}}^{\times }) \subseteq \widehat{\mathbf {a}^{\perp }(I_{S})}\). For any \(\mathbf {t}= (t_1,\cdots ,t_m) \in \mathbf {a}^{\perp }(I_{S})\) and \(\mathbf {t}' = (t'_1,\cdots , t'_m) \in \mathcal {L}^{\smallfrown }(\mathbf {a}^{\times }, I_{\bar{S}}^{\times })\), Corollary 1 says that their inner product \(\langle \mathbf {t},\mathbf {t}'\rangle \) equals the constant coefficient of the polynomial \(\sum _{i=1}^{m}t_i(X)t'^{\smallsmile }_i(X^{-1})\). According to the definition of \(\mathcal {L}^{\smallfrown }(\mathbf {a}^{\times }, I_{\bar{S}}^{\times })\) and Proposition 1, there exists \(s \in \mathcal R_q\) such that \((t'^{\smallsmile }_i\bmod q) = a_i^{\times }\cdot s + b'_i\) for some \(b'_i \in I_{\bar{S}}^{\times }\). Then we get
Both two sums in the right hand side evaluate to 0 in \(\mathcal R_q\), which means that \(\langle \mathbf {t},\mathbf {t}'\rangle = 0 \bmod q\). Therefore, we finish the proof of this part.
Secondly, it suffices to prove that \(\widehat{\mathcal {L}^{\smallfrown }(\mathbf {a}^{\times }, I_{\bar{S}}^{\times })} \subseteq \frac{1}{q}\mathbf {a}^{\perp }(I_{S})\). For any \(\mathbf {t}\in \mathcal {L}^{\smallfrown }(\mathbf {a}^{\times }, I_{\bar{S}}^{\times })\) and \(\mathbf {t}' \in \widehat{\mathcal {L}^{\smallfrown }(\mathbf {a}^{\times }, I_{\bar{S}}^{\times })}\), the constant coefficient of \(\sum _{i=1}^{m}t'_i(X) t_i^{\smallsmile }(X^{-1}) = \langle \mathbf {t}',\mathbf {t}\rangle \) is an integer due to duality. Notice that if \((t_1,\cdots ,t_m) \in \mathcal {L}^{\smallfrown }(\mathbf {a}^{\times }, I_{\bar{S}}^{\times })\), then \(\left( (t_1^{\smallsmile }\cdot X^k)^{\smallfrown },\cdots , (t_m^{\smallsmile }\cdot X^k)^{\smallfrown }\right) \in \mathcal {L}^{\smallfrown }(\mathbf {a}^{\times }, I_{\bar{S}}^{\times })\). Thus, for \(k \in {\{}{1,\cdots ,n-2}{\}}\), the constant coefficient of \(\sum _{i=1}^{m}t'_i(X) t_i^{\smallsmile }(X^{-1})X^{-k}\) is also an integer, which implies that all coefficients of \(\sum _{i=1}^{m}t'_i(X) t_i^{\smallsmile }(X^{-1})\) are integers. For any \((t_1, \cdots , t_m) \in \widehat{\mathcal {L}^{\smallfrown }(\mathbf {a}^{\times }, I_{\bar{S}}^{\times })}\), we deduce from the fact \((q^{\smallfrown },0,\cdots ,0) \in \mathcal {L}^{\smallfrown }(\mathbf {a}^{\times }, I_{\bar{S}}^{\times })\) that \(qt_1 \in \mathbb {Z}^{n-1}\). Let \(\nu _{I_{\bar{S}}^{\times }}\) be the polynomial \(\prod _{i \in \bar{S}}(X-\phi _i^{-1})\). Since \(\left( \nu ^{\smallfrown }_{I_{\bar{S}}^{\times }}, 0, \cdots , 0\right) \in \mathcal {L}^{\smallfrown }(\mathbf {a}^{\times }, I_{\bar{S}}^{\times })\), we obtain \(qt_1(X) \cdot \nu _{I_{\bar{S}}^{\times }}(X^{-1}) = 0 \bmod \mathcal R_q\), that means \((qt_1 \bmod q) \in I_{S}\). For the same reason, we have \((qt_i \bmod q) \in I_{S}\) for any \(i \in {\{}{1,\cdots ,m}{\}}\). If we set \(s = 1\), then \((a^{\times \smallfrown }_1,\cdots ,a^{\times \smallfrown }_m) \in \mathcal {L}^{\smallfrown }(\mathbf {a}^{\times }, I_{\bar{S}}^{\times })\). It shows that the polynomial \(\sum _{i=1}^{m}\left( qt_i(X)a_i(X)\right) = q\sum _{i=1}^{m}\left( t_i(X)a_i^{\times }(X^{-1})\right) = 0 \bmod q\). Combining the fact that \((qt_i \bmod q)\in I_{S}\), we conclude that \(q(t_1,\cdots ,t_m) \in \mathbf {a}^{\perp }(I_{S})\). The proof is completed. \(\square \)
Remark
The above result on the duality is different from that proven in [33], because the inner product has a more involved form. The original ideas of [33] have been exploited here, but we also add more details to treat technical differences.
3.3 On the Absence of Unusually Short Vector in \(\mathcal {L}^{\smallfrown }(\mathbf {a}, I_{S})\)
We now show that for , the first minimum of \(\mathcal {L}^{\smallfrown }(\mathbf {a}, I_{S})\) for the \(\ell _\infty \) norm is overwhelming unlikely unusually small. First we observe that the lattice \(\mathcal {L}^{\smallfrown }(\mathbf {a}, I_{S})\) is transformed from the lattice \(\mathcal {L}(\mathbf {a}, I_{S})\). To describe the transformation, we define a matrix \(\mathbf {H}\in \mathbb {Z}^{m(n-1) \times m(n-1)}\) as
where \(\mathbf {Id}_{m}\) is an m-dimensional identity matrix. Let \(\mathbf {B}\in \mathbb {Z}^{m(n-1)\times m(n-1)}\) be a basis of \(\mathcal {L}(\mathbf {a}, I_{S})\) whose rows correspond to the basis vectors, then \(\mathbf {B}' = \mathbf {B}\cdot \mathbf {H}\) is a basis of \(\mathcal {L}^{\smallfrown }(\mathbf {a}, I_{S})\). It is thus easy to see that \(\mathcal {L}^{\smallfrown }(\mathbf {a}, I_{S})\) and \(\mathcal {L}(\mathbf {a}, I_{S})\) are of the same volume, i.e. \(\det \left( \mathcal {L}^{\smallfrown }(\mathbf {a}, I_{S})\right) = \det \left( \mathcal {L}(\mathbf {a}, I_{S})\right) = q^{(m-1)|S|}\). This is because there are \(q^{m(n-1-|S|)+|S|}\) points of \(\mathcal {L}(\mathbf {a}, I_{S})\) in the cube \([0, q-1]^{m(n-1)}\). Also, the first minimums of these two lattices may not have a significant difference. Hence we first present a result on \(\mathcal {L}(\mathbf {a}, I_{S})\) which is a variant on prime cyclotomic rings of Lemma 8 in [33].
Lemma 10
Let \(n \ge 7\) be a prime and \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). Let q be a prime such that \(\varPhi _{n}(X)\) splits into \(n-1\) distinct linear factors modulo q and \(\mathcal R_q = \mathcal R/q\mathcal R\). For any \(S\subseteq {\{}{1,\cdots , n-1}{\}}\), \(m \ge 2\) and \(\epsilon > 0\), set
then we have \(\lambda _1^{\infty }(\mathcal {L}(\mathbf {a}, I_{S})) \ge \frac{1}{\sqrt{n}}q^{\beta }\) with probability \(\ge 1-\frac{2^{n-1}}{(q-1)^{\epsilon (n-1)}}\) over the uniformly random choice of \(\mathbf {a}\) in \((\mathcal R_q^{\times })^m\).
Remark
The above lemma can be shown by following the original idea but with some slight modifications on the inequalities for different norms in prime cyclotomic rings. For completeness, we give a proof in Appendix A. It is also noted that our statement of the lemma is essentially the same as that in Lemma 8 of [33], this is primarily because there is a simple relation for the Euclidean and algebraic norms in both prime and power-of-2 cyclotomic rings.
Next, we shall show that the first minimum \(\lambda _1^{\infty }(\mathcal {L}(\mathbf {a}, I_{S}))\) is at most \(\frac{n}{2}\) times that of \(\mathcal {L}^{\smallfrown }(\mathbf {a}, I_{S})\).
Lemma 11
Let \(n \ge 7\) be a prime and \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). Let q be a prime such that \(\varPhi _{n}(X)\) splits into \(n-1\) distinct linear factors modulo q and \(\mathcal R_q = \mathcal R/q\mathcal R\). Then, for any \(\mathbf {a}\in (\mathcal R_q^{\times })^m\) and \(S\subseteq {\{}{1,\cdots , n-1}{\}}\), we have
Proof
We first show that \(\Vert X^{\frac{n-1}{2}}t^{\smallsmile }\Vert _{\infty } \le \frac{n-1}{2}\Vert t\Vert _{\infty }\) for any \(t\in \mathcal R\). Let \((t_0,\cdots ,t_{n-2})\) be the coefficient vector of t. We denote by \((t_0^{\smallsmile },\cdots ,t_{n-2}^{\smallsmile })\) and \((t_0',\cdots ,t_{n-2}')\) the coefficient vectors of the polynomials \(t^{\smallsmile }\) and \(X^{\frac{n-1}{2}}t^{\smallsmile }\), then:
From \(t_i^{\smallsmile } = \sum _{j=i}^{n-2}t_j\), we get
Notice that each \(t_i'\) is a sum of consecutive \(t_j\)’s of length at most \(\frac{n-1}{2}\), thus \(\Vert X^{\frac{n-1}{2}}t^{\smallsmile }\Vert _{\infty } = \max _{i}{|t_i'|} \le \frac{n-1}{2}\max _{i}{|t_i|}=\frac{n-1}{2}\Vert t\Vert _{\infty }\) holds.
For any \(\mathbf {s}= (s_1,\cdots , s_m) \in \mathcal {L}^\smallfrown (\mathbf {a}, I_{S})\), the vector \(\mathbf {s}^\smallsmile = (s_1^\smallsmile ,\cdots ,s_m^\smallsmile )\) belongs to \(\mathcal {L}(\mathbf {a}, I_{S})\) and thus the vector \(\mathbf {s}' = \left( X^{\frac{n-1}{2}}s_1^\smallsmile ,\cdots ,X^{\frac{n-1}{2}}s_m^\smallsmile \right) \) is also in \(\mathcal {L}(\mathbf {a}, I_{S})\). Then
Since there exists a unique \(\mathbf {s}\in \mathcal {L}(\mathbf {a}, I_{S})\) such that \(\mathbf {r}= \mathbf {s}^{\smallfrown }\) for any \(\mathbf {r}\in \mathcal {L}^{\smallfrown }(\mathbf {a}, I_{S})\), we conclude that \(\lambda _1^{\infty }(\mathcal {L}(\mathbf {a}, I_{S})) \le \frac{n-1}{2}\lambda _1^{\infty }(\mathcal {L}^{\smallfrown }(\mathbf {a}, I_{S}))\). \(\square \)
Lemmata 10 and 11 lead to the following result on \(\mathcal {L}^{\smallfrown }(\mathbf {a}, I_{S})\) immediately.
Lemma 12
Let \(n \ge 7\) be a prime and \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). Let q be a prime such that \(\varPhi _{n}(X)\) splits into \(n-1\) distinct linear factors modulo q and \(\mathcal R_q = \mathcal R/q\mathcal R\). For any \(S\subseteq {\{}{1,\cdots , n-1}{\}}\), \(m \ge 2\) and \(\epsilon > 0\), set
then we have \(\lambda _1^{\infty }(\mathcal {L}^{\smallfrown }(\mathbf {a}, I_{S})) \ge \frac{2}{(n-1)\sqrt{n}}q^{\beta }\) with probability \(\ge 1-\frac{2^{n-1}}{(q-1)^{\epsilon (n-1)}}\) over the uniformly random choice of \(\mathbf {a}\) in \((\mathcal R_q^{\times })^m\).
3.4 Results on Regularity
Let \(\mathbb {D}_{\chi }\) be the distribution of the tuple \((a_1,\cdots ,a_m, \sum _{i=1}^m{t_ia_i}) \in (\mathcal R_q^{\times })^m \times \mathcal R_q\) with \(a_i\)’s being independent and uniformly random in \(\mathcal R_q^{\times }\) and \(t_i\)’s being sampled from the distribution \(\chi \) over \(\mathcal R_q\). We call the statistical distance between \(\mathbb {D}_{\chi }\) and the uniform distribution over \((\mathcal R_q^{\times })^m \times \mathcal R_q\) the regularity of the generalized knapsack function \((t_1,\cdots ,t_m) \mapsto \sum _{i=1}^m{t_ia_i}\). In [27], Micciancio gave some results on regularity for general finite rings and constructed a class of one-way functions. In [33], an improved result was claimed for the ring \(\mathbb {Z}[X]/(X^n+1)\) with n a power of 2 and a Gaussian distribution \(\chi \).
We can derive the result of the regularity for prime cyclotomic rings. It provides a foundation of security for more cryptographic primitives based on prime cyclotomic rings. In the later part, we will concentrate on \(\mathsf {NTRU}\) applications corresponding to the case \(m = 2\).
Lemma 13
Let \(n \ge 7\) be a prime and \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). Let q be a prime such that \(\varPhi _{n}(X)\) splits into \(n-1\) distinct linear factors modulo q and \(\mathcal R_q = \mathcal R/q\mathcal R\). Let \(S\subseteq {\{}{1,\cdots , n-1}{\}}\), \(m \ge 2, \epsilon > 0, \delta \in (0,\frac{1}{2})\), \(\mathbf {c}\in \mathbb {R}^{m(n-1)}\) and , with \(r \ge \frac{n-1}{2}\sqrt{\frac{n\ln (2m(n-1)(1+1/\delta ))}{\pi }}\cdot q^{\frac{1}{m}+(m-1)\frac{|S|}{n-1}+\epsilon }\). Then for all except a fraction \(\le \frac{2^{n-1}}{(q-1)^{\epsilon (n-1)}}\) of \(\mathbf {a}\in (\mathcal R_q^{\times })^m\), we have
In particular, for all except a fraction \(\le 2^{n-1}(q-1)^{-\epsilon (n-1)}\) of \(\mathbf {a}\in (\mathcal R_q^{\times })^m\), we have
Proof
By combining Lemmata 2, 4, 9 and 12, the first part follows. For \(\mathbf {a}\in (\mathcal R_q^{\times })^m\), the lattice \(\mathbf {a}^{\perp }(I_{S})\) is of the volume \(\det \left( \mathbf {a}^{\perp }(I_{S})\right) = \det \left( \frac{1}{q}\mathcal {L}^{\smallfrown }(\mathbf {a}^{\times }, I_{\bar{S}}^{\times })\right) ^{-1} = q^{m(n-1)}/q^{(m-1)(n-1-|S|)} = q^{n-1+(m-1)|S|}\). Notice that \(|\mathbb {Z}^{m(n-1)}/\mathbf {a}^{\perp }(I_{S})| = \det \left( \mathbf {a}^{\perp }(I_{S})\right) \), thus we complete the proof of the second part. \(\square \)
Remark
Our regularity result is under the coefficient embedding. We have also considered the canonical embedding and generalized some results of [26]. In the latter case, for \(\delta = q^{-\epsilon n}\) with \(\epsilon \in (0,1)\), the polynomial factor of the lower bound of required width gets reduced to \(O(n^{1.5})\) from \(O(n^{2})\) in Lemma 13 and the power exponent can also be slightly smaller. However, our key result, which is Theorem 2 in next section, requires the parameter \(\delta \) in Lemma 13 to be very small. Under the canonical embedding and with \(\delta =q^{-n-\epsilon n}\), a desired result similar to the lemma is not currently available. Thus we only work with the coefficient embedding in this paper and leave the relevant results for our next work.
3.5 Bounded Gap of Ideal Lattices
Let \(I\) be an ideal of the n-th cyclotomic ring and \(\mathcal {L}_I\) be the ideal lattice corresponding to \(I\) (under the coefficient embedding). For the case that n is a power of 2, one has \(\lambda _{\varphi (n)}(\mathcal {L}_I) = \lambda _1(\mathcal {L}_I)\). For n being a prime, however, we do not know whether this nice property hold or not, but we are able to show that the gap between \(\lambda _{n-1}(\mathcal {L}_I)\) and \(\lambda _1(\mathcal {L}_I)\) is bounded by \(\sqrt{n}\).
Lemma 14
Let n be a prime and \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). For any non-zero ideal \(I\) of \(\mathcal R\), we have:
Proof
Let \(\mathbf {a}= (a_0,\cdots ,a_{n-2})\) be a non-zero shortest vector of \(\mathcal {L}_{I}\) and \(a \in \mathcal R\) be the polynomial of coefficient vector \(\mathbf {a}\). Then the polynomial \(X^k\cdot a\) also induces a vector of \(\mathcal {L}_{I}\) denoted by \(\mathbf {a}^{(k)}=\left( a^{(k)}_0,\cdots ,a^{(k)}_{n-2}\right) \). For any \(k \in {\{}{1,\cdots ,n-2}{\}}\), the coordinates of \(\mathbf {a}^{(k)}\) can be represented by the \(a_i\)’s as follows:
Then, we have
All these \(\mathbf {a}^{(k)}\)’s and \(\mathbf {a}\) are linearly independent so that we conclude that \(\lambda _{n-1}(\mathcal {L}_{I_S}) \le \sqrt{n} \cdot \lambda _1(\mathcal {L}_{I_S})\). \(\square \)
Back to the ring \(\mathcal R_q\), combining Minkowski’s theorem, we obtain the following corollary.
Corollary 2
Let \(n \ge 7\) be a prime and \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). Let q be a prime such that \(\varPhi _{n}(X)\) splits into \(n-1\) distinct linear factors modulo q and \(\mathcal R_q = \mathcal R/q\mathcal R\). Let \(S\subseteq {\{}{1,\cdots , n-1}{\}}\) and denote by \(\mathcal {L}_{I_S}\) the lattice generated by the ideal \(\langle q,\prod _{i\in S}(X-\phi _i)\rangle \). Then
4 Revised \(\mathsf {NTRUEncrypt}\) over Prime Cyclotomic Rings
In this section, we will describe a variant of \(\mathsf {NTRUEncrypt}\) over prime cyclotomic rings with provable security under the worst-case hardness assumption. The revised \(\mathsf {NTRUEncrypt}\) is determined by parameters \(n, q, p, r, \alpha , k\) and denoted by \(\mathsf {NTRUEncrypt}\) \((n,q,p,r,\alpha ,k)\). First, we choose a prime \(n \ge 7\) and let \(\mathcal R\) be the ring \(\mathbb {Z}[X]/\varPhi _n(X)\). Then we pick a prime \(q = 1 \bmod n\) so that \(\varPhi _n(X) = \prod _{i=1}^{n-1}(X-\phi _i) \bmod q\) with distinct \(\phi _i\)’s, and let \(\mathcal R_q = \mathcal R/q\mathcal R\). The parameter \(p \in \mathcal R_q^{\times }\) is chosen to be of small norm, such as \(p=2,3\) or \(p=x+2\). The parameter r is the width of discrete Gaussian distribution used for key generation. The parameters \(\alpha \) and k are used for \(\mathsf {RLWE} \) error generation. We list below three main components of \(\mathsf {NTRUEncrypt}\) \((n,q,p,r,\alpha ,k)\):
-
Key Generation. Sample \(f'\) from \(D_{\mathbb {Z}^{n-1},r}\); if \(f = pf'+1 \bmod q \notin \mathcal R_q^{\times }\), resample. Sample g from \(D_{\mathbb {Z}^{n-1},r}\); if \(g \bmod q\notin \mathcal R_q^{\times }\), resample. Then return private key \(sk = f \in \mathcal R_q^{\times }\) with \(f = 1 \bmod p\) and public key \(pk = h = pg/f \in \mathcal R_q^{\times }\).
-
Encryption. Given message \(M \in \mathcal R/p\mathcal R\), let \(t = \sqrt{n}\alpha q\left( \frac{(n-1)k}{\log ((n-1)k)}\right) ^{1/4}\), set and return ciphertext \(C = hs + pe + M \in \mathcal R_q\).
-
Decryption. Given ciphertext C and private key f, compute \(C' = f\cdot \, C \bmod q\) and return \(C' \bmod p\).
Next we explain when and why the scheme works and how to assess its security.
4.1 Key Generation
In the above key generation algorithm, we generate the polynomials f and g by using a discrete Gaussian sampler. Lemma 5 provides a sampler outputting a distribution within exponentially small statistical distance to a certain discrete Gaussian. Actually, the conditions in our results are more demanding than that in Lemma 5. Ignoring the negligible impact, we assume we already have a polynomial-time perfect discrete Gaussian sampler.
To ensure both f and g are invertible modulo q, we may need to resample quite a few times. The following result indicates that the key generation algorithm terminates in expected polynomial time for some selective parameters.
Lemma 15
Let \(n \ge 7\) be a prime and \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). Let q be a prime such that \(\varPhi _{n}(X)\) splits into \(n-1\) distinct linear factors modulo q and \(\mathcal R_q = \mathcal R/q\mathcal R\). For any \(\delta \in (0,1/2)\), let \(r \ge n\sqrt{\frac{\ln (2(n-1)(1+1/\delta ))}{\pi }}\cdot q^{1/(n-1)}\). Then
holds for \(a \in \mathcal R\) and \(p \in \mathcal R_q^{\times }\).
Proof
It suffices to bound the probability that \(p\cdot f' + a\) belongs to \(I:= \langle q,X-\phi _k\rangle \) by \((1/q+2\delta )\) for any \(k \le n-1\). First we have \(\lambda _{n-1}(\mathcal {L}_{I}) \le nq^{\frac{1}{n-1}}\) by Corollary 2 since the ideal I corresponds to \(I_{\{k\}}\). This, together with Lemma 1, implies that \(r \ge \eta _{\delta }(\mathcal {L}_{I})\). Applying Lemma 4, we have that the probability of \(p\cdot f' + a = 0 \bmod I\) does not exceed \(1/q+2\delta \). \(\square \)
Next, we claim that the norms of f and g are small with overwhelming probability.
Lemma 16
Let \(n \ge 7\) be a prime and \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). Suppose \(q > 8n\) is a prime such that \(\varPhi _{n}(X)\) splits into \(n-1\) distinct linear factors modulo q and \(\mathcal R_q = \mathcal R/q\mathcal R\). Let \(r \ge n\sqrt{\frac{2\ln (6(n-1))}{\pi }}\cdot q^{1/(n-1)}\). The secret key polynomials f, g satisfy, with probability \(\ge 1-2^{-n+4}\),
If \(\deg p = 0\), then \(\Vert f\Vert \le 2\sqrt{n-1} \cdot \Vert p\Vert r\) with probability \(\ge 1-2^{-n+4}\).
Proof
Setting \(\delta = \frac{1}{10(n-1)-1}\), then we get \(r \ge \sqrt{\frac{\ln (2(n-1)(1+1/\delta ))}{\pi }}\) from the assumption. Applying Lemma 1 to \(\mathbb {Z}^{n-1}\), we know that \(r \ge \eta _\delta (\mathbb {Z}^{n-1})\). Therefore, we can use Lemma 3 to get,
Since \(r \ge n\sqrt{\frac{\ln (2(n-1)(1+1/\delta ))}{\pi }}\cdot q^{1/(n-1)}\), Lemma 15 yields
This means that the norm of the key polynomial g is less than \(r\sqrt{n-1}\) with probability \(\ge \) \(1-2^{4-n}\). The same argument holds true for the polynomial \(f'\) such that \(f = p\cdot f'+1\).
If \(\deg p = 0\), we have \(\Vert f\Vert \le 1 + \Vert p\Vert \Vert f'\Vert \le 2\Vert p\Vert r\sqrt{n-1}\) with probability \(\ge \) \(1-2^{4-n}\). For general cases, applying Lemma 8, we know that \(\Vert f\Vert \le 1 + \Vert p\Vert \Vert f'\Vert \le 1 + 2(n-1)\Vert p\Vert r \le 2n \cdot \Vert p\Vert r\) with probability \(\ge \) \(1-2^{4-n}\). \(\square \)
We are also able to prove that the public key h, the ratio of pg and \(f=pf'+1\), enjoys a favorable uniformity for some well-chosen r’s, just like that shown in [33]. We denote by \(D^{\times }_{r,z}\) the discrete Gaussian \(D_{\mathbb {Z}^{n-1},r}\) restricted to \(\mathcal R_q^{\times } + z\).
Theorem 2
Let \(n \ge 7\) be a prime and \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). Suppose \(q > 8n\) is a prime such that \(\varPhi _{n}(X)\) splits into \(n-1\) distinct linear factors modulo q and \(\mathcal R_q = \mathcal R/q\mathcal R\). Let \(0< \epsilon < \frac{1}{2}\) and \(r \ge (n-1)^2\sqrt{\ln (8nq)}\cdot q^{\frac{1}{2}+2\epsilon }\). Then
for \(p \in \mathcal R_q^{\times }\), \(y_i \in \mathcal R_q\) and \(z_i = -y_ip^{-1} \bmod q \) for \(i \in {\{}{1,2}{\}}\).
Remark
Our proof follows essentially the same approach as in [33]. For completeness, we include it in Appendix B. This result provides a new instance of Decisional Small Polynomial Ratio (\(\mathsf {DSPR}\)) assumption introduced in [24].
4.2 Decryption
Just like in the classical \(\mathsf {NTRUEncrypt}\), the correctness of decryption is based on the fact that a polynomial of \(\ell _\infty \) norm \(< q/2\) is invariant under modulo q reduction. In our decryption procedure, we have \(C' = f\cdot C = pgs+pfe+fM \bmod q\). When \(\Vert pgs+pfe+fM\Vert _{\infty }<\frac{q}{2}\), \(C'\) is in fact \(pgs+pfe+fM\) and hence \(C'\bmod p = fM\bmod p = M\) due to \(f = 1 \bmod p\), i.e.the decryption succeeds. Now we are to confirm that, given a set of proper parameters, the \(\ell _\infty \) norms of pgs, pfe and fM will be small enough (e.g., less than \(\frac{q}{6}\)) with high probability. This ensures a successful decryption.
We first show that the polynomial drawn from \(\mathsf {RLWE} \) error distribution has a relatively small norm with a high probability.
Lemma 17
Let \(n \ge 7\) be a prime and \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). For \(t > 1\) and \(u > 0\), we have
Proof
We will need the following inequality in our proof:
In fact, for \(x \in \mathbb {R}\), we have \(({\lfloor }x{\rceil }-x)^2 \le \frac{1}{4}\). For any \(\epsilon \in (0,1)\), we have \({\lfloor }x{\rceil }^2 \le \frac{1}{4} - x^2 + 2{\lfloor }x{\rceil }x \le \frac{1}{4} - x^2 + \frac{1}{1-\epsilon }x^2+(1-\epsilon ){\lfloor }x{\rceil }^2 = \frac{1}{4} + \frac{\epsilon }{1-\epsilon }x^2+(1-\epsilon ){\lfloor }x{\rceil }^2\). A routine computation leads to the result.
Let \(\mathbf {b}= {\lfloor }\mathbf {b}' \bmod \varPhi _n(X){\rceil } \in \mathcal R\) with . Let vector \(\mathbf {v}= \frac{1}{t}(b_0,\cdots ,b_{n-1})\) where \((b_0,\cdots ,b_{n-1})\) is the coefficient vector of \(\mathbf {b}'\). Then we obtain
where
Let \(\varSigma = \mathbf {M}^{\top }\mathbf {M}\), we have
In our estimation, we need traces \(\mathbf {tr}(\varSigma )\), \(\mathbf {tr}(\varSigma ^2)\) and the operator norm \(\Vert \varSigma \Vert \). It is easy to check that \(\mathbf {tr}(\varSigma )=2(n-1), \ \mathbf {tr}(\varSigma ^2)=(n-1)(n+2)\). It can be calculated that the characteristic polynomial of \(\varSigma \) is \(\lambda (\lambda -1)^{n-2}(\lambda -n)\), so n is the largest eigenvalue of \(\varSigma \) and hence \(\Vert \varSigma \Vert =n\).
All coordinates of \(\mathbf {b}'\) follow the distribution \(\psi _t\) independently, so the coordinates of \(\mathbf {v}\) follow standard Gaussian independently. As shown in [20], an tail bound for \(\Vert \mathbf {M}\mathbf {v}\Vert ^2\) holds
Let
and
Then it can be verified that
thus we have
\(\square \)
Setting u in Lemma 17 to \(\mathrm {\varTheta }(\log ^{1+\kappa } n)\) and applying Lemmata 8 and 16, we are able to get the following:
Lemma 18
In \(\mathsf {NTRUEncrypt}\) \((n, q, p, r, \alpha , k)\), let \(t = \sqrt{n}\alpha q\left( \frac{(n-1)k}{\log ((n-1)k)}\right) ^{1/4}>1\). Then for \(\kappa > 0\), we have
with probability at least \( 1-n^{-\mathrm {\varTheta }\left( \log ^\kappa n\right) }\).
Furthermore, if \(\deg p = 0\), then
with probability at least \( 1-n^{-\mathrm {\varTheta }\left( \log ^\kappa n\right) }\).
It is also hoped that fM has smaller norm. Indeed, we can prove
Lemma 19
In \(\mathsf {NTRUEncrypt}\) \((n, q, p, r, \alpha , k)\), we have
-
1.
\(\Vert M\Vert \le (n-1)\Vert p\Vert .\)
-
2.
\(\Vert fM\Vert _\infty \le 4n^{2}\Vert p\Vert ^2r\) with probability at least \( 1-2^{-n+4}\).
Furthermore, if \(\deg p = 0\), we have \(\Vert M\Vert \le \frac{\sqrt{n-1}}{2}\Vert p\Vert \) holds, and with probability at least \( 1-2^{-n+4}\), \(\Vert fM\Vert _\infty \le 2n\Vert p\Vert ^2r\) holds.
Proof
By reducing modulo the \(pX^i\)’s, we can write M into \(\sum _{i=0}^{n-2}\epsilon _ipX^i\) with \( -1/2 < \epsilon _i \le 1/2\). Using Lemma 8, we have
For the case \(\deg p = 0\), we have \(\Vert M\Vert = \Vert p\Vert \cdot \Vert \sum _{i=0}^{n-2}\epsilon _iX^i\Vert \le \frac{\sqrt{n-1}}{2}\Vert p\Vert \). Then, combining Lemmata 8 and 16 with the above result, the proof is completed. \(\square \)
Overall, we give a set of parameters such that \(\mathsf {NTRUEncrypt}\) decrypts correctly with high probability.
Theorem 3
If \(\omega \left( n^{2}\log ^{0.5}n \right) \Vert p\Vert ^2rt/q < 1\)(resp. \(\omega \left( n\log ^{0.5}n \right) \Vert p\Vert ^2rt/q < 1\) if \(\deg p = 0\)) and \(t = \sqrt{n}\alpha q\left( \frac{(n-1)k}{\log ((n-1)k)}\right) ^{1/4} > 1\), then the decryption algorithm of \(\mathsf {NTRUEncrypt}\) recovers M with probability \(1-n^{-\omega (1)}\) over the choice of s, e, f, g.
4.3 Security Reduction and Parameters
In a manner similar to [33], we are able to establish a security reduction of \(\mathsf {NTRUEncrypt}\) from the decisional \(\mathsf {RLWE} ^{\times }_{HNF}\). One technical idea is that one can produce a legal pair of public key and ciphertext pair \((h=pa, C = pb+M = hs+pe+M)\) by using the pair \((a, b = as+e)\) sampled from \(\mathsf {RLWE} \) distribution. The proof of Lemma 20 is shown in Appendix C.
Lemma 20
Let \(n \ge 8\) be a prime and \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). Suppose \(q > 8n\) is a prime such that \(\varPhi _{n}(X)\) splits into \(n-1\) distinct linear factors modulo q and \(\mathcal R_q = \mathcal R/q\mathcal R\). Let \(\epsilon , \delta > 0\), \(p \in \mathcal R_q^{\times }\), \(t = \sqrt{n}\alpha q\left( \frac{(n-1)k}{\log ((n-1)k)}\right) ^{1/4}\), and \(r \ge (n-1)^2\sqrt{\ln (8nq)}\cdot q^{\frac{1}{2}+\epsilon }\). If there exists an \(\mathsf {IND\text {-}CPA}\) attack against the variant of \(\mathsf {NTRUEncrypt}\) that runs in time T and has success probability \(1/2+\delta \), then there exists an algorithm solving \(\mathsf {RLWE} \) \(_{q,\psi ,k}\) with \(\psi = \overline{\psi _{t}^{n}}\) that runs in time \(T' = T+O(kn)\) and has success probability \(\frac{1}{2}+\delta '\) where \(\delta ' = \frac{\delta }{2} - q^{-\varOmega (n)}\).
Now we integrate all above results and discuss the parameter requirements. To ensure the uniformity of public keys, the parameters r, n and q should satisfy the condition claimed in Theorem 2, i.e. \(r \ge (n-1)^2\sqrt{\ln (8nq)}\cdot q^{\frac{1}{2}+2\epsilon }\) for \(0< \epsilon < \frac{1}{2}\). To ensure a high probability of success decryption, we need that \(t = \sqrt{n}\alpha q\left( \frac{(n-1)k}{\log ((n-1)k)}\right) ^{1/4} > 1\) and \(\omega \left( n^{2}\log ^{0.5}n \right) \Vert p\Vert ^2rt/q < 1\) (resp. \(\omega \left( n\log ^{0.5}n \right) \Vert p\Vert ^2rt/q < 1\) if \(\deg p = 0\)) as stated in Theorem 3. To satisfy the condition of \(\mathsf {RLWE} \) (Theorem 1), it requires that \(\alpha q > \omega (\sqrt{\log n})\). From these requirements, to obtain a variant of \(\mathsf {NTRUEncrypt}\) with provable security against \(\mathsf {IND\text {-}CPA}\) attack, we may set main parameters as follows.
-
\(q = {{\mathrm{poly}}}(n)\), \(\epsilon \in \left( 0,\frac{1}{2}\right) \), and \(q^{\frac{1}{2}-\epsilon } = \omega \left( n^{4.75}\log ^{1.5} n \Vert p\Vert ^2\right) \),
-
\(r = n^2\sqrt{\ln (8nq)}\cdot q^{\frac{1}{2}+\epsilon }\),
-
\(k = O(1)\), \(\alpha q = \varOmega (\log ^{0.75} n)\) and \(t = \sqrt{n}\alpha q\left( \frac{(n-1)k}{\log ((n-1)k)}\right) ^{1/4} = \varOmega (n^{0.75}\log ^{0.5}n)\).
If p is set to be an integer (i.e. \(\deg p = 0\)) which is a most routine case used in \(\mathsf {NTRUEncrypt}\) scheme, the parameters may be relaxed:
-
\(q = {{\mathrm{poly}}}(n)\), \(\epsilon \in \left( 0,\frac{1}{2}\right) \), and \(q^{\frac{1}{2}-\epsilon } = \omega \left( n^{3.75}\log ^{1.5} n \Vert p\Vert ^2\right) \),
-
\(r = n^2\sqrt{\ln (8nq)}\cdot q^{\frac{1}{2}+\epsilon }\),
-
\(k = O(1)\), \(\alpha q = \varOmega (\log ^{0.75} n)\) and \(t = \sqrt{n}\alpha q\left( \frac{(n-1)k}{\log ((n-1)k)}\right) ^{1/4} = \varOmega (n^{0.75}\log ^{0.5}n)\).
Combining with Theorem 1, we have obtained our main result.
Theorem 4
Let \(n \ge 8\) be a prime and \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). Suppose \(q = {{\mathrm{poly}}}(n)\) is a prime such that \(\varPhi _{n}(X)\) splits into \(n-1\) distinct linear factors modulo q and \(q^{\frac{1}{2}-\epsilon } = \omega \left( n^{4.75}\log ^{1.5} n \Vert p\Vert ^2\right) \) (resp. \(q^{\frac{1}{2}-\epsilon } = \omega \left( n^{3.75}\log ^{1.5} n \Vert p\Vert ^2\right) \), if \(\deg p = 0\)), for arbitrary \(\epsilon \in \left( 0,\frac{1}{2}\right) \) and \(p \in \mathcal R_q^{\times }\). Let \(r = n^2\sqrt{\ln (8nq)}\cdot q^{\frac{1}{2}+\epsilon }\) and \(t = \sqrt{n}\alpha q\left( \frac{(n-1)k}{\log ((n-1)k)}\right) ^{1/4}\) where \(k = O(1)\) and \(\alpha q = \varOmega (\log ^{0.75} n)\). If there exists an \(\mathsf {IND\text {-}CPA}\) attack against the variant of \(\mathsf {NTRUEncrypt}\) \((n, q, p, r, \alpha , k)\) that runs in time \({{\mathrm{poly}}}(n)\) and has success probability \(\frac{1}{2}+\frac{1}{{{\mathrm{poly}}}(n)}\), then there exists a \({{\mathrm{poly}}}(n)\)-time algorithm solving \(\gamma \)-Ideal-\(\mathsf {SVP}\) on ideal lattices in \(\mathbb {Z}[X]/\varPhi _n(X)\) with \(\gamma = O\left( \sqrt{n} q/\log ^{0.75} n\right) \). Moreover, the decryption success probability exceeds \(1-n^{-\omega (1)}\) over the choice of the encryption randomness.
In the modified \(\mathsf {NTRUEncrypt}\), the parameter r is \(\tilde{\varOmega }(n^2\cdot q^{\frac{1}{2}+\epsilon })\) and that in [33] is \(\tilde{\varOmega }(n\cdot q^{\frac{1}{2}+\epsilon })\). Note tha the term \(q^{\frac{1}{2}+\epsilon }\) is much greater than its polynomial coefficient \(n^2\) or n, thus, in this sense, our result is close to that for power-of-2 cyclotomic rings. By setting \(\epsilon = o(1)\) and p to be of degree 0, the smallest modulus q and approximate factor \(\gamma \) reach \(\tilde{\varOmega }(n^{7.5})\) and \(\tilde{\varOmega }(n^{8})\) respectively. These compare to \(\tilde{\varOmega }(n^{5})\) and \(\tilde{\varOmega }(n^{5.5})\) for \(\mathsf {NTRUEncrypt}\) over power-of-2 cyclotomic rings.
5 Conclusion and Future Work
In this paper, we extended the provable security of an \(\mathsf {NTRU}\) variant, originally proposed by Stehlé and Steinfeld for power-of-2 cyclotomic rings, to the family of prime cyclotomic rings. As this class of rings is closer to the original \(\mathsf {NTRU}\) rings, the results here may bring a new security estimation for the original \(\mathsf {NTRU}\) settings. We also developed a series of tools for prime cyclotomic rings that provide a foundation to generalize more cryptosystems to this class of rings. These tools might be of some independent interest.
We present a theoretical construction with suggested parameters in the asymptotic sense. There are a batch of cryptanalyses work aiming at \(\mathsf {NTRU}\), such as hybrid attack [19], subfield attack [1] and straightforward attack [22]. Detailed analyses of our \(\mathsf {NTRU}\) variant against these attacks should be well-considered. Furthermore, the operations over the rings \(\mathbb {Z}[X]/(X^n\pm 1)\) are still more efficient than that over prime cyclotomic rings. The further investigation of the relation between the prime cyclotomic ring and \(\mathsf {NTRU}\) ring may improve the efficiency of related cryptosystems. We leave them to the future work.
As shown in [25, 26], canonical embedding provides a neat description of the geometry of cyclotomic rings, which may lead to more compact and general results. To get similar conclusions with respect to the canonical embedding, we need to develop more powerful tools and that is left as a future investigation.
The ideal lattices (under the coefficient embedding) over prime cyclotomic rings are not (anti-)circulant, thus to study the gap between their minimums could be useful in cryptanalysis. Another interesting problem is a finer estimation of Euclidean norm of elements in an ideal of the prime cyclotomic ring, as it is useful in reducing some complexity estimations.
References
Albrecht, M., Bai, S., Ducas, L.: A subfield lattice attack on overstretched NTRU assumptions. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 153–178. Springer, Heidelberg (2016). doi:10.1007/978-3-662-53018-4_6
Bi, J., Cheng, Q.: Lower bounds of shortest vector lengths in random NTRU lattices. In: Agrawal, M., Cooper, S.B., Li, A. (eds.) TAMC 2012. LNCS, vol. 7287, pp. 143–155. Springer, Heidelberg (2012). doi:10.1007/978-3-642-29952-0_18
Bos, J.W., Lauter, K., Loftus, J., Naehrig, M.: Improved security for a ring-based fully homomorphic encryption scheme. In: Stam, M. (ed.) IMACC 2013. LNCS, vol. 8308, pp. 45–64. Springer, Heidelberg (2013). doi:10.1007/978-3-642-45239-0_4
Cheon, J.H., Jeong, J., Lee, C.: An algorithm for NTRU problems and cryptanalysis of the GGH multilinear map without an encoding of zero. Cryptology ePrint Archive, Report 2016/139 (2016). http://eprint.iacr.org/2016/139
Coppersmith, D., Shamir, A.: Lattice attacks on NTRU. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 52–61. Springer, Heidelberg (1997). doi:10.1007/3-540-69053-0_5
Cramer, R., Ducas, L., Wesolowski, B.: Short stickelberger class relations and application to Ideal-SVP. Cryptology ePrint Archive, Report 2016/885 (2016). http://eprint.iacr.org/2016/885
Ducas, L., Durmus, A.: Ring-LWE in polynomial rings. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 34–51. Springer, Heidelberg (2012). doi:10.1007/978-3-642-30057-8_3
Ducas, L., Lyubashevsky, V., Prest, T.: Efficient identity-based encryption over NTRU lattices. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 22–41. Springer, Heidelberg (2014). doi:10.1007/978-3-662-45608-8_2
Ducas, L., Nguyen, P.Q.: Learning a zonotope and more: cryptanalysis of NTRUSign countermeasures. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 433–450. Springer, Heidelberg (2012). doi:10.1007/978-3-642-34961-4_27
Gama, N., Nguyen, P.Q.: New chosen-ciphertext attacks on NTRU. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 89–106. Springer, Heidelberg (2007). doi:10.1007/978-3-540-71677-8_7
Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 1–17. Springer, Heidelberg (2013). doi:10.1007/978-3-642-38348-9_1
Gentry, C.: Key recovery and message attacks on NTRU-composite. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 182–194. Springer, Heidelberg (2001). doi:10.1007/3-540-44987-6_12
Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC 2009, pp. 169–178 (2009)
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC 2008, pp. 197–206 (2008)
Gentry, C., Szydlo, M.: Cryptanalysis of the revised NTRU signature scheme. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 299–320. Springer, Heidelberg (2002). doi:10.1007/3-540-46035-7_20
Hoffstein, J., Howgrave-Graham, N., Pipher, J., Silverman, J.H., Whyte, W.: NTRUSign: digital signatures using the NTRU lattice. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 122–140. Springer, Heidelberg (2003). doi:10.1007/3-540-36563-X_9
Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a new high speed public key cryptosystem. Presented at the Rump Session of Crypto 1996 (1996)
Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998). doi:10.1007/BFb0054868
Howgrave-Graham, N.: A hybrid lattice-reduction and meet-in-the-middle attack against NTRU. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 150–169. Springer, Heidelberg (2007). doi:10.1007/978-3-540-74143-5_9
Hsu, D., Kakade, S.M., Zhang, T.: A tail inequality for quadratic forms of subgaussian random vectors. Electron. Commun. Probab. 17(25), 1–6 (2011)
Jaulmes, É., Joux, A.: A chosen-ciphertext attack against NTRU. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 20–35. Springer, Heidelberg (2000). doi:10.1007/3-540-44598-6_2
Kirchner, P., Fouque, P.A.: Comparison between subfield and straightforward attacks on NTRU. Cryptology ePrint Archive, Report 2016/717 (2016). http://eprint.iacr.org/2016/717
Langlois, A., Stehlé, D., Steinfeld, R.: GGHLite: more efficient multilinear maps from ideal lattices. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 239–256. Springer, Heidelberg (2014). doi:10.1007/978-3-642-55220-5_14
López-Alt, A., Tromer, E., Vaikuntanathan, V.: On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption. In: STOC 2012, pp. 1219–1234 (2012)
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). doi:10.1007/978-3-642-13190-5_1
Lyubashevsky, V., Peikert, C., Regev, O.: A toolkit for Ring-LWE cryptography. Cryptology ePrint Archive, Report 2013/293 (2013). http://eprint.iacr.org/2013/293
Micciancio, D.: Generalized compact knapsacks, cyclic lattices, and efficient one-way functions. Comput. Complex. 16(4), 365–411 (2007)
Micciancio, D., Regev, O.: Worst-case to average-case reductions based on gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007)
Nguyen, P.Q., Regev, O.: Learning a parallelepiped: cryptanalysis of GGH and NTRU signatures. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 271–288. Springer, Heidelberg (2006). doi:10.1007/11761679_17
Nuñez, D., Agudo, I., Lopez, J.: NTRUReEncrypt: An efficient proxy re-encryption scheme based on NTRU. In: ASIACCS 2015, pp. 179–189 (2015)
Peikert, C.: Limits on the hardness of lattice problems in \(\ell _p\) norms. Comput. Complex. 17(2), 300–351 (2008)
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC 2005, pp. 84–93 (2005)
Stehlé, D., Steinfeld, R.: Making NTRU as secure as worst-case problems over ideal lattices. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 27–47. Springer, Heidelberg (2011). doi:10.1007/978-3-642-20465-4_4
Szydlo, M.: Hypercubic lattice reduction and analysis of GGH and NTRU signatures. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 433–448. Springer, Heidelberg (2003). doi:10.1007/3-540-39200-9_27
Terras, A.: Fourier Analysis on Finite Groups and Applications. Cambridge University Press, Cambridge (1999)
Xylouris, T.: On Linnik’s constant (2009). http://arxiv.org/abs/0906.2749
Acknowledgements
We thank Léo Ducas, Dianyan Xiao and the anonymous PKC’17 reviewers for their helpful comments. This work is supported in part by China’s 973 Program (No. 2013CB834205), the Strategic Priority Research Program of the Chinese Academy of Sciences (No. XDB01010600) and NSF of China (No. 61502269).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A Proof of Lemma 10
Let p be the probability over the randomness of \(\mathbf {a}\) that \(\lambda _1^{\infty }(\mathcal {L}(\mathbf {a}, I_{S})) < B\), where \(B = \frac{1}{\sqrt{n}}q^{\beta }\). For a non-zero vector \(\mathbf {t}\) of \(\ell _\infty \) norm \(< B\) and \(s \in \mathcal R_q/I_S\), let \(p(\mathbf {t},s) = \Pr _\mathbf {a}(\forall i, t_i = a_is \bmod I_S)\) and \(p_i(t_i,s) = \Pr _{a_i}(t_i = a_is\bmod I_S)\), then we have \(p(\mathbf {t},s) = \prod _{i=1}^{m}p_i(t_i,s)\).
Let \(\nu _{I_{S}}\) be the polynomial \(\prod _{i \in S}(X-\phi _i)\). We only need to consider such \((\mathbf {t}, s)\) pairs that \(\gcd (t_i,\nu _{I_{S}}) = \gcd (s,\nu _{I_{S}})\) for all \(i \in {\{}{1,\cdots ,m}{\}}\): if not so, we can prove \(p(\mathbf {t},s) = 0\) due to the invertibility of \(a_i\). For each such pair, we denote by d the degree of \(\gcd (s,\nu _{I_{S}})\). Notice that there are \((q-1)^{d+n-1-|S|}\) distinct \(a_i\)’s in \(\mathcal R_q^{\times }\) such that \(t_i = a_is\bmod I_S\), i.e. \(p_i(t_i,s) = (q-1)^{d-|S|}\), then we have \(p(\mathbf {t},s) = \prod _{i=1}^{m}p_i(t_i,s) = (q-1)^{m(d-|S|)}\).
The probability p is bounded by
For \(h = \prod _{i\in S'}(X-\phi _i)\) of degree d, let N(B, d) be the number of \(t \in \mathcal R_q\) such that \(\Vert t\Vert _{\infty } \in (0, B)\) and \(t = ht'\) for \(t' \in \mathcal R_q\) of degree \(< n-1-d\). We now show two bounds for N(B, d) depending on d.
Suppose that \(d \ge \beta (n-1)\), then \(N(B, d)=0\). Indeed, for any \(t = ht'\) with \(t' \in \mathcal R_q\), the ideal \(\langle t\rangle \) is a full-rank sub-ideal of the ideal \(\langle h, q\rangle \). Thus, we have \({{\mathrm{N}}}(t) = {{\mathrm{N}}}(\langle t\rangle ) \ge {{\mathrm{N}}}(\langle h, q\rangle ) = q^d\). Combined with Lemma 7 and equivalence of norms, we conclude that \(\Vert t\Vert _{\infty } \ge \frac{\Vert t\Vert }{\sqrt{n-1}} \ge \frac{\mathrm {T}_2(t)}{\sqrt{n(n-1)}} \ge \frac{{{\mathrm{N}}}(t)^{1/(n-1)}}{\sqrt{n}} \ge \frac{q^\beta }{\sqrt{n}}\), which implies \(N(B, d) = 0\) when \(d \ge \beta (n-1)\).
Suppose that \(d < \beta (n-1)\), then \(N(B,d)\le (2B)^{n-1-d}\). Let \(t = \sum _{i=0}^{n-2}t_iX^i\), \(h = \sum _{i=0}^{d}h_iX^i\) and \(t'= \sum _{i=0}^{n-2-d}t_i'X^i\). From \(t=ht'\), we have
The constant coefficient of \(h_0\) is non-zero modulo prime q, so the polynomial \(t'\) will be determined once the \((n-1-d)\) low-order coefficients of t are determined, and vice versa. Thus each possible t is uniquely decided by its \((n-1-d)\) low-order coefficients and this leads to \(N(B, d) \le (2B)^{n-1-d}\).
Notice that the number of subsets of \(S\) is \(2^{|S|}\) and the number of \(s \in \mathcal R_q/I_S\) divisible by \(h = \prod _{i\in S'}(X-\phi _i)\) of degree d is \(q^{|S| - d}\). Thus the probability p can be bounded as follows:
Since \(n\ge 7\), \(q=1\bmod n\) and \(\beta \le 1-\frac{1}{m}\), we have \((2B)^m(\frac{q}{q-1}) < (q-1)^{\beta m}\) and then
We now complete the proof.
B Proof of Theorem 2
For \(a \in \mathcal R_q^{\times }\), we define \(Pr_a = Pr_{f_1,f_2}\left( (y_1+pf_1)/(y_2+pf_2) = a\right) \), where . It suffices to prove that \(|Pr_a - (q-1)^{-(n-1)}| \le \frac{2^{2(n-1)+5}}{q^{{\lfloor }\epsilon (n-1){\rfloor }}}\cdot (q-1)^{-(n-1)} =: \epsilon '\) for all except a fraction \(\le \) \(\frac{2^{2(n-1)}}{(q-1)^{\epsilon (n-1)}}\) of \(a \in \mathcal R_q^{\times }\).
To translate \(\Pr _a\) into a more straightforward form, we introduce another probability \(Pr_{\mathbf {a}} = Pr_{f_1,f_2}[a_1f_1+a_2f_2 = a_1z_1+a_2z_2]\) for \(\mathbf {a}= (a_1, a_2) \in (\mathcal R_q^{\times })^2\), and then obtain \(Pr_{\mathbf {a}} = Pr_{-a_2\cdot a_1^{-1}}\) after a simple computation. For \((a_1, a_2) \in (\mathcal R_q^{\times })^2\), we consider the equation \(a_1f_1+a_2f_2 = a_1z_1+a_2z_2\) of the pair \((f_1,f_2)\). All its solutions form the set \(\mathbf {z}+ \mathbf {a}^{\perp \times }\), where \(\mathbf {z}= (z_1,z_2)\) and \(\mathbf {a}^{\perp \times } = \mathbf {a}^{\perp } \bigcap (\mathcal R_q^{\times } + q\mathbb {Z}^{n-1})^2\). Then, we have
Thanks to \(\mathbf {a}\in (\mathcal R_q^{\times })^2\), for any \((x_1,x_2) \in \mathbf {a}^{\perp }\), the elements \(x_1\) and \(x_2\) lie in the same ideal \(I_S\) of \(\mathcal R_q\). To circumvent the restriction on invertibility, we exploit the inclusion-exclusion principle and change the three above sums into the following forms.
First, let’s prove the Eq. 1. For \(\mathbf {D}_{\mathbb {Z}^{2(n-1)},r}(\mathbf {z}+ \mathbf {a}^{\perp }(I_{S}))\) with \(|S| \le \epsilon (n-1)\), let \(\delta = q^{-(n-1)-{\lfloor }\epsilon (n-1){\rfloor }}\) and \(m=2\), then Lemma 13 implies that, for all except a fraction \(\le \) \(\frac{2^{n-1}}{(q-1)^{\epsilon (n-1)}}\) of \(\mathbf {a}\in (\mathcal R_q^{\times })^2\),
For the case \(|S| > \epsilon (n-1)\), we can find \(S' \subseteq S\) with \(|S'| = {\lfloor }\epsilon (n-1){\rfloor }\). Because \(\mathbf {a}^{\perp }(I_{S}) \subseteq \mathbf {a}^{\perp }(I_{S'})\), we have \(\mathbf {D}_{\mathbb {Z}^{2(n-1)},r,-\mathbf {z}}(\mathbf {a}^{\perp }(I_{S})) \le \mathbf {D}_{\mathbb {Z}^{2(n-1)},r,-\mathbf {z}}(\mathbf {a}^{\perp }(I_{S'}))\). Using the result proven before, we conclude that \(\mathbf {D}_{\mathbb {Z}^{2(n-1)},r,-\mathbf {z}}(\mathbf {a}^{\perp }(I_{S})) \le 2\delta + q^{-(n-1)-{\lfloor }\epsilon (n-1){\rfloor }}\). Therefore, the following inequality holds
for all except a fraction \(\le \frac{2^{2(n-1)}}{(q-1)^{\epsilon (n-1)}}\) of \(\mathbf {a}\in (\mathcal R_q^{\times })^2\).
Next, we are to prove the Eq. 2. Let \(\delta = q^{-(n-1)/2}\). Lemma 2 shows that \(\lambda _{n-1}(\mathcal {L}_{I_S}) \le n\cdot q^{|S|/(n-1)}\). For \(S\) of cardinality \(\le (n-1)/2\), by Lemma 1, we get that \(r \ge \eta _\delta (I_S+q\mathbb {Z}^{n-1})\). Using Lemma 4, we know \(|\mathbf {D}_{\mathbb {Z}^{n-1},r,-z_i}(I_S+q\mathbb {Z}^{n-1}) - q^{-|S|}|\le 2\delta \). For the case \(|S| > (n-1)/2\), using the same argument, we have \(\mathbf {D}_{\mathbb {Z}^{n-1},r,-z_i}(I_S+q\mathbb {Z}^{n-1}) \le 2\delta +q^{-(n-1)/2}\). Therefore,
Overall, we prove that, except for a fraction \(\le \) \(\frac{2^{2(n-1)}}{(q-1)^{\epsilon (n-1)}}\) of \(\mathbf {a}\in (\mathbb {R}_q^{\times })^2\),
where \(|\delta _i| \le 2^{2n}q^{-{\lfloor }\epsilon (n-1){\rfloor }}\) for \(i \in {\{}{0,1,2}{\}}\), which implies that \(|Pr_a - (q-1)^{-(n-1)}| \le \epsilon '\).
C Proof of Lemma 20
Let \(\mathcal {A}\) be the given \(\mathsf {IND\text {-}CPA}\) attack algorithm. Given oracle \(\mathcal {O}\) that outputs k samples drawn from either \(U(\mathcal R_q^{\times } \times \mathcal R_q)\) or \(A_{s,\psi }^{\times }\) for previously chosen . We construct an algorithm \(\mathcal {B}\) to solve \(\mathsf {RLWE} ^{\times }_{HNF}\). Algorithm \(\mathcal {B}\) first calls \(\mathcal {O}\) to get k samples \((h'_1,C'_1),\cdots ,(h'_k,C'_k)\). Then algorithm \(\mathcal {B}\) picks and calculates the public key \(h_i = p\cdot h'_i\). When \(\mathcal {A}\) outputs a challenge message pair \((M_0,M_1)\), \(\mathcal {B}\) picks , computes the challenge ciphertext \(C_i = p\cdot C_i' + M_b\) and sends it to \(\mathcal {A}\). Finally, \(\mathcal {A}\) outputs its guess \(b'\), and then \(\mathcal {B}\) outputs 1 if \(b' = b\) and 0 otherwise.
All \(h'_i\)’s are uniformly random in \(\mathcal R_q^{\times }\), and thus so are the public keys \(h_i\)’s due to \(p\in \mathcal R_q^{\times }\). Theorem 2 shows that the statistical distance between the distribution of the public key given to \(\mathcal {A}\) and that in the genuine attack is \(q^{-\varOmega (n)}\). Furthermore, if \(\mathcal {O}\) outputs samples from \(A_{s,\psi }^{\times }\), the pair \((h_i,C_i)\) is of the form \((h_i, h_is+pe+M_b)\) which corresponds to actual “public key and ciphertext” pair in the \(\mathsf {IND\text {-}CPA}\) attack. Therefore \(\mathcal {A}\) succeeds and \(\mathcal {B}\) outputs 1 with probability \(\ge \frac{1}{2}+\delta -q^{-\varOmega (n)}\).
If \(\mathcal {O}\) outputs samples from \(U(\mathcal R_q^{\times } \times \mathcal R_q)\), then \(C_i\) is uniformly random in \(\mathcal R_q\) and independent of b. Algorithm \(\mathcal {B}\) outputs 1 with probability 1 / 2 in this case. Thus the advantage of \(\mathcal {B}\) in distinguishing \(U(\mathcal R_q^{\times } \times \mathcal R_q)\) and \(A_{s,\psi }^{\times }\) is greater than \(\delta /2-q^{-\varOmega (n)}\).
Rights and permissions
Copyright information
© 2017 International Association for Cryptologic Research
About this paper
Cite this paper
Yu, Y., Xu, G., Wang, X. (2017). Provably Secure NTRU Instances over Prime Cyclotomic Rings. In: Fehr, S. (eds) Public-Key Cryptography – PKC 2017. PKC 2017. Lecture Notes in Computer Science(), vol 10174. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-54365-8_17
Download citation
DOI: https://doi.org/10.1007/978-3-662-54365-8_17
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-54364-1
Online ISBN: 978-3-662-54365-8
eBook Packages: Computer ScienceComputer Science (R0)