Choosing Parameters for NTRUEncrypt
نویسندگان
چکیده
We describe a methods for generating parameter sets and calculating security estimates for NTRUEncrypt. Analyses are provided for the standardized product-form parameter sets from IEEE 1363.1-2008 and for the NTRU Challenge parameter sets.
منابع مشابه
Choosing NTRUEncrypt Parameters in Light of Combined Lattice Reduction and MITM Approaches
We present the new NTRUEncrypt parameter generation algorithm, which is designed to be secure in light of recent attacks that combine lattice reduction and meet-in-the-middle (MITM) techniques. The parameters generated from our algorithm have been submitted to several standard bodies and are presented at the end of the paper.
متن کاملProvably Secure NTRUEncrypt over More General Cyclotomic Rings
NTRUEncrypt is a fast and standardized lattice-based public key encryption scheme, but it lacks a solid security guarantee. In 2011, Stehlé and Steinfeld first proposed a provably secure variant of NTRUEncrypt, denoted by pNE, over power-of-2 cyclotomic rings. The IND-CPA security of pNE is based on the worst-case quantum hardness of classical problems over ideal lattices. Recently, Yu, Xu and ...
متن کاملChoosing Parameter Sets for NTRUEncrypt with NAEP and SVES-3
We present, for the first time, an algorithm to choose parameter sets for NTRUEncrypt that give a desired level of security. Note: This is an expanded version of a paper presented at CT-RSA 2005.
متن کاملEfficient provable-secure NTRUEncrypt over any cyclotomic field
NTRUEncrypt is a fast lattice-based cryptosystem and a probable alternative of the existing public key schemes. The existing provable-secure NTRUEncrypts are limited by the cyclotomic field it works on the prime-power cyclotomic field. This is worth worrying, due to the subfield attack methods proposed in 2016. Also, the module used in computation and security parameters rely heavily on the cho...
متن کاملA Hybrid Lattice-Reduction and Meet-in-the-Middle Attack Against NTRU
To date the NTRUEncrypt security parameters have been based on the existence of two types of attack: a meet-in-the-middle attack due to Odlyzko, and a conservative extrapolation of the running times of the best (known) lattice reduction schemes to recover the private key. We show that there is in fact a continuum of more efficient attacks between these two attacks. We show that by combining lat...
متن کامل