phoenix

The NTRU Cryptosystem

The NTRU cryptosystem was developed in 1996 by Hoffstein, Pipher, and Silverman. NTRU is a public key cryptosystem not based on factorization or discrete logarithm problems. NTRU is based on the shortest vector problem in a lattice. The NTRU public key cryptosystem is one of the fastest known public key cryptosystems. NTRU works in the ring of truncated polynomials

\[R_q = \mathbb{Z}_q[X] / (X^N - 1)\]

where $N$ is a fixed positive integer and $b{Z}_q$ denotes the ring of integers modulo $q$. In this ring, a polynomial $f$ can be written as

\[f = (f_0, f_1, \ldots, f_{N-1}) = \sum_{k=0}^{N-1} f_k X^k\]

The addition of two polynomials $f = (f_0, f_1, \ldots, f_{N-1})$ and $g = (g_0, g_1, \ldots, g_{N-1})$ is defined as pairwise addition of the coefficients of the same degree, that is

\[f + g = (f_0 + g_0, f_1 + g_1, \ldots, f_{N-1} + g_{N-1})\]

The multiplication of two polynomials $f$ and $g$ is given by a convolution multiplication as follows

\[f \star g = h = (h_0, h_1, \ldots, h_{N-1}), \text{ where } h_k = \sum_{i + j \equiv k \mod N} f_i g_j\]

As an example, let us compute

\[(x^4 + 2x^3 + 3) \star (x^4 + 3x^2 + x + 2) = x^8 + 2x^7 + 3x^6 + 7x^5 + 7x^4 + 4x^3 + 9x^2 + 3x + 6\]

In the polynomial ring $\mathbb{Z}_3[X] / (X^5 - 1)$, it can be written as

\[x^3 + 2x^2 + 3x + 7 + 7x^4 + 4x^3 + 9x^2 + 3x + 6 = x^4 + 2x^3 + 2x^2 + 1\]

For a given positive integer $d$, define the set

\[B(d) = \left \{ \sum_{k=0}^{N-1} f_k X^k : f_i = 0 \text{ or } 1, \sum_{k=0}^{N-1} f_k = d \right \}\]

In NTRU, the parameters are chosen as follows:

Key Generation in NTRU Cryptosystem

To generate keys in the NTRU cryptosystem:

  1. Choose Polynomials:
    • Randomly select a polynomial $f$ from the set $B(d_f)$ such that $f$ has an inverse modulo $p$ and $q$. To Generate and Check if $f$ inverse modulo $p$ and $q$ exists we use Bezouts Identity.
    • Set $f_p \equiv f^{-1} \pmod{p}$ and $f_q \equiv f^{-1} \pmod{q}$.
    • Randomly choose a polynomial $g$ from the set $B(d_g)$.
  2. Compute $h$:
    • Compute $h \equiv g \star f_q \pmod{q}$.
  3. Generate Keys:
    • Public Key: $(N, h)$
    • Private Key: $(f, f_p)$

Encryption in NTRU Cryptosystem

To encrypt a message in the NTRU cryptosystem:

  1. Message Representation:
    • Represent the message as a polynomial $m$ from the plaintext space.
  2. Choose Blinding Polynomial:
    • Randomly choose a polynomial $r \in B(d_r)$.
  3. Encrypt Message:
    • Encrypt $m$ using the following rule: $e \equiv p \star r \star h + m \pmod{q}$


Decryption Steps in NTRU Cryptosystem

To decrypt a ciphertext in the NTRU cryptosystem, follow these steps:

  1. Compute $a$:
    • Compute $a \equiv f \star e \pmod{q}$.
  2. Transform $a$:
    • Transform $a$ to a polynomial with coefficients in the interval $[-q/2, q/2]$.
  3. Compute $m$:
    • Compute $m \equiv f_p \star a \pmod{p}$.


To check the computation and understand why the decryption procedure works, let’s break down the steps:

We have:

\[\begin{align*} a &\equiv f \star e \pmod{q} \\ &\equiv f \star (p \star r \star h + m) \pmod{q} \\ &\equiv p \star r \star g \star f \star f_q + f \star m \pmod{q} \\ &\equiv p \star r \star g + f \star m \pmod{q}. \end{align*}\]

We obtain that:

\[\begin{align*} f_p \star a \pmod{p} &\equiv (p \star r \star g + f \star m) \star f_p \pmod{p} \\ &\equiv m \pmod{p}. \end{align*}\]

Example of NTRU Cryptosystem

To illustrate the NTRU encryption/decryption, let’s consider an example with:

Here, we get:

This computation demonstrates the encryption and decryption process in the NTRU cryptosystem.

This site is open source. Improve this page.