NTRU Cryptosystems Technical Report

In this note we describe, extend, and analyze the lattice construction ideas of Alexander May 1] as they apply to the NTRU public key cryptosystem. We use both theoretical and experimental methods to analyze the strength of the attacks. The nal conclusion is that the new attacks only marginally aaect the security levels of the standard commercial NTRU parameter sets (N = 167, 263, and 503), but that the new lattices can be helpful for very low security levels (N = 107). In this note we describe, extend, and analyze the lattice construction ideas of Alexander May 1] as they apply to the NTRU public key cryptosystem. We use both theoretical and experimental methods to analyze the strength of the attacks. The nal conclusion is that the new attacks only marginally aaect the security levels of the standard commercial NTRU parameter sets (N = 167, 263, and 503), but that the new lattices can be helpful for very low security levels (N = 107). We will concentrate entirely on the underlying lattices. For details of the NTRU public key cryptosystem, see 2]. x1. The Standard NTRU Lattice. For the convenience of the reader, we brieey review the setup of the Standard NTRU Lattice L NT. Further details may be found in 3], which also contains the deenitions of the various lattice constants referred to below. Fix integers N, d f , and d g. Let S d be the set of N-tuples with d coordinates equal to each of 1 and ?1 and with the remaining N ? 2d coordinates equal to 0. Similarly, let S 0 d be the set of N-tuples with d coordinates equal to 1, with d ? 1 coordinates equal to ?1, and with the remaining N ?2d+1 coordinates equal to 0.