The NTRU lattice is a promising candidate for constructing practical cryptosystems, in particular key encapsulation mechanisms (KEMs), resistant to quantum computing attacks. Nevertheless, there are still some inherent obstacles to NTRU-based KEM schemes achieving integrated performance, taking security, bandwidth, error probability, and computational efficiency \emph{as a whole}, that is as good as, or even better than, that of their \{R,M\}LWE-based counterparts. In this work, we solve this problem by presenting a new family of NTRU-based KEM schemes, referred to as CTRU and CNTR. By bridging low-dimensional lattice codes and high-dimensional NTRU-lattice-based cryptography with careful design and analysis, to the best of our knowledge CTRU and CNTR are the first NTRU-based KEM schemes with scalable ciphertext compression via only one \emph{single} ciphertext polynomial, and are the first that could outperform \{R,M\}LWE-based KEM schemes in integrated performance. For instance, compared to Kyber, which is currently the only KEM standardized by NIST, CNTR-768 on the recommended parameter set has about $12\%$ smaller ciphertext size while encapsulating 384-bit keys (compared to the fixed 256-bit key size of Kyber), security strengthened by $(8,7)$ bits for classical and quantum security respectively, and significantly lower error probability ($2^{-230}$ for CNTR-768 vs. $2^{-164}$ for Kyber-768). In comparison with the state-of-the-art AVX2 implementation of Kyber-768, CNTR-768 is faster by 1.9X in KeyGen, 2.6X in Encaps, and 1.2X in Decaps, respectively. When compared to the NIST Round 3 finalist NTRU-HRSS, our CNTR-768 has about $15\%$ smaller ciphertext size, and the security is strengthened by $(55,49)$ bits for classical and quantum security respectively. As for the AVX2 implementation, CNTR-768 is faster than NTRU-HRSS by 19X in KeyGen, 2.3X in Encaps, and 1.6X in Decaps, respectively.