Ntrucipher-Lattice Based Secret Key Encryption

arXiv:1710.01928v2 [cs.CR] 6 Oct 2017 rdc omplnmas ertkyencryption. key the secret under polynomials; form secured aspects, product is security NTRUCipher attack. to the plaintext respect that chosen indistinguishability with show complexity also and space efficienc cipher the the this of analyze and We modification encryption. like using key public designed NTRUCi- attention NTRU is as any named NTRUCipher propose lattices, we This received NTRU paper, pher. over this yet encryption In not key encryption. secret key has secret it a nearly effi designing ago, introduced and decades was flexibility cryptosystem its two NTRU to due Although schemes ciency. cryptographic of range 8 vrtering, cryptosystem the key public over NTRU the [8] of modification a using The and (S-Box). operator decryption. Substitution-Box XOR net- and using and (P-Box) Feistel designed Permutation-Box encryption was using [7] for built network algorithm Feistel IDEA are encryption except ciphers data work Standard These International Encryption [17]. Data and (IDEA) [3], key [2], Blowfish secret (DES) known [15], (AES) well RC5 Standard The Encryption [10], Advanced key. the secret are ciphers algorithm the block of of strength key length parameters: secret and two the of on strength relies The encryption message. a integrity and of confidentiality, authentication key as secret such provide services cryptosystem own both key cryptographic their secret cryptosystem The contain key. key public the receiver associated public as and key, the common sender in a the use whereas and key, share secret receiver parties and communication sender encryption, key a secret authenticatio the message In and codes. functions, hash suc encryptions, schemes as and cryptographic plaintext designing crypt key, in influential primitives most secret graphic the the are ciphers of block size The ciphertext. and on cipher based stream cipher the key block as of categorized secret be The nature could properties. cryptosystem cryp- and on functions key based key public cryptographic cryptosystem) and (asymmetric cryptosystem) tosystem key (symmetric tem ta.i 98adi sbsdo rnae polynomials truncated on based is Hoffstein it to and due 1998 [8] in in al. appeared et first was cryptosystem and prime e od TUihr utpetasiso attack; transmission multiple NTRUCipher; - words Key h rpsdcpe rsne nti ae sdesigned is paper this in presented cipher proposed The cryptosys- key secret the as classified is Cryptosystem Abstract NR rpoytmhsalwddsgiga designing allowed has cryptosystem —NTRU q TUihrLtieBsdSce Key Secret Based NTRUCipher-Lattice sapwro .TeNR ulckey public NTRU The 2. of power a is R .I I. = NTRODUCTION Z q [ x ] / ( x n − colo ahmtcladCmuigSciences Computing and Mathematical of School 1) where , iiNtoa nvriy P.O.Box:7222 University, National Fiji erc aps ua iiIsland Fiji Suva, Campus, Derrick Encryption [email protected] aewr a Valluri Rao Maheswara n sa is and o- h n a y s - , ape rmtepoaiiydistribution probability the from sampled h fetvns fa loih odsigihbetween distinguish to algorithm an of effectiveness The ssi ob fceti t unn iei polynomial is time represent running We its length. if input efficient its be in to said is f2and 2 of rpsdaohrvrato h TU ae sNTRU as specific al. ring, named a the NTRU, et over up the Bernstein [4], of setting Prime J variant of further Daniel another work terms proposed Recently, to in parameters. scope contribution security still is their There on [6]. signature digital o all for bescrt eso fteNR ulckycryptosystem ring, key on public the NTRU prov- [14] over the a of algorithm proposed version Shor’s al. security et able the Stehle to Damien computers. resistance quantum the are of which candidates NTRUSign and [9] promising [8] NTRUEncrypt the are of cryptosystems NTRU Most fields. finite over .Notations A. notations. security its and encryption key n iecmlxt.Fnly epoiecnlso remarks and conclusion space VI. provide Section with and we in NTRUCipher aspects, Finally, the complexity. security analyze time performance, the we to V, for based respect parameters Section lattice recommend In - and cipher. NTRUCipher encryption the key In propose secret rings. we polynomial IV, truncated Section presents adversar III and encryption Section key secret model. a of definition the recall aspects. with security complexity to space secured the respect and is efficiency (I analyze attack NTRUCipher and plaintext CPA), chosen the indistinguishability prove the NTRUEncrypt under we the like Furthermore, probabilistic the a [8]. [8] is of NTRUEncrypt decryption as framework the same NTRU and the The is over decryption NTRUCipher. and encryption encryption as key named secret lattices, based lattice propose every elvle function valued real A secret a of definition formal the recall we Section, this In h ae sognzda olw:I eto I we II, Section In follows: as organized is paper The sapieand prime a is > λ c > c q sapie hc rvdsecyto 56 and [5,6] encryption provides which prime, a is 0 λ rbblsi oyoiltm algorithm time polynomial probabilistic A . hr exists there R = I P II. q Z sapwro .I hswr,we work, this In 2. of power a is q [ x RELIMINARIES ] R / ǫ c ( ( λ = x c ) n > Z c < 1) + q [ 0 x ] − uhthat such / where , x λ ( x admvariable random a sngiil ffor if negligible is n − D x n − as ǫ ( sapower a is c 1) ) x , c < ← where ND- − D λ y . two probability distributions D0 and D1 is measured by define the following experiment between a challenger and its distinguishing advantage, defined by P rx←D0 [A(x) = : | A b 1] P rx←D1 [A(x) = 1] . We say that a decision problem Experiment: IND-CPA ( ) − | SE A is hard if there does not exist an efficient algorithm for 1: The challenger runs k $ eyGen(1λ). it that has a non-negligible advantage in . The statistical ←−K λ 2: outputs a pair of plaintexts (µ ,µ ) of the same distance between two distributions on 0 1 (D0; D1) D0,D1 lengthA and sends (µ ,µ ) to the challenger. some countable△ domain is defined as 0 1 X (D0; D1) = ∗ $ △ 3: The challenger computes c nc(µb, k) and then D0(x) D1(x) . | − | sends c∗ to the adversary. ←−E ′ 4: continues its computation and outputs : b . B. Secret Key Encryption A ′ 5: Output 1 if b = b , and 0 otherwise. The goal of the secret key encryption is to furnish Definition 3. A secret key encryption = confidentiality of communications of two or more parties. ( eyGen, nc, ec) is indistinguishable underSE chosen In the secret key encryption, a common secret key is shared plaintextK attack,E D if it holds for all probabilistic polynomial among the communication parties, before decryption of the time adversary that ciphertext, to furnish confidentiality of the plaintext. The A IND−CPA IND−CPA 1 following definitions are acquired from [12,13]. For further AdvSE ( )= P r[ExpSE ( ) = 1] 2 details, the reader is referred to [12,13]. negl(λ). A | A − |≤ Definition 1. A secret key encryption = ( eyGen, nc, ec) consists of the followingSE three algorithms:K E D III. TRUNCATED POLYNOMIAL RINGS (i) Key Generation: Key Generation ( eyGen) is a N Z K Let q be a prime. We write q for the integer modulo randomized algorithm that outputs a random key. When the ∈ q q q and represents this set by integers in the range ( 2 , 2 ). algorithm is run, a different key is generated every time. −n The truncated polynomial ring Rn,q = Zq[x]/(x + 1) Note that in this case, the input for the algorithm is a null. consists of all polynomials with coefficients in Zq and The randomized output secret key is represented with a degree less than n. An element f Rq is represented as a dollar symbol $: polynomial, ∈ 1: Input: null n−1 $ i . 2: k KeyGen(1λ) f = fix = [f0,f1, ....., fn−1] ←− i=0 (ii) Encryption : Encryption ( nc) is a randomized TwoP polynomials f,g R are multiplied by the ordi- E q algorithm that takes a plaintext µ and the secret key k as nary convolution, ∈ input, and outputs a ciphertext c. (f g) = (f .g ), k =0, 1, ..., n 1, which ∗ k i j − 1: Input: µ µ, k k, where Dµ is the plaintext i+j≡kP(mod n) ∈ D ∈ D is commutative and associative. The convolution product is space, k is the secret key space and secret key k is generatedD by the eyGen(1λ) algorithm. represented by * to distinguish it from the multiplication in $ K Zq. We define a center l2 norm of an element f Rq by 2: c nc(µ, k), otherwise Φ if µ / µ) c c, N−1 − N−1 ∈ ←−E ∈ D ∀ ∈ D 1/2 1 where c is the ciphertext space. f = ( f f¯) , where f¯ = f and the D k k2 i − N i (iii) Decryption : Decryption ( ec) is a deterministic iP=0 iP=0 D infinity norm is f ∞ =max0≤i≤n−1 f fi f . algorithm. k k n Lemma 1[14,15]. For any f,g Rn,q = Zq[x]/(x + 1), 1: Input: c c, k k, where c is the ciphertext ∈ ∈ D ∈ D D f f.g f √n. f f f . f g f and f f.g f n. f f f . f g f . space and k is the secret key, generated by the KeyGen(1λ) ≤ ∞ ≤ ∞ ∞ algorithm. 2: µ ec(c, k) c c. A. Cryptographic Assumptions Correctness← D of the∀ ∈ secret D key encryption works as follows: We say that a secret key encryption = In this Subsection, we define the NTRUCipher ciphertext ( eyGen, nc, ec) is correct, if it holds forSE every cracking problem for which the parameters are chosen K E D $ as recommended in the table 1. The search and decision plaintext µ that P r[Deck(Enck(µ)) = µ : k KeyGen(1λ)] < negl(λ). 6 ←− ciphertext cracking problems are defined as follows: 1) Search NTRUCIpher Ciphertext Cracking Problem: Given c = r k−1 + µ(mod q) R , with r $ C. Security Notations ∗ ∈ n,q ← P (a ,a ,a ), k $ P (a ,a ,a ) , compute (r,k,µ). The aim of an adversary is to capture the secret key n 1 2 3 ← n 1 2 3 of the secret key encryptionA and then perceive the plain- 2) Decision NTRUCIpher Ciphertext Cracking Problem: −1 text corresponding to the ciphertext. We assume that the Given c = r k (mod q) Rn,q, distinguish whether c is ∗ ∈ −1 adversary does not have prior knowledge of the secret key sampled from the distribution D0 = c = r k (mod q): $ $ { ∗ k. The indistinguishability under chosen-plaintext attack or r Pn(a1,a2,a3), k Pn(a1,a2,a3) or from the ← ← } IND-CPA security is defined as follows: uniform distribution D1 = U(Rn,q). Definition 2. Let be an adversary. Let = We assume that the decision NTRUCipher Ciphertext ( eyGen, nc, ec) beA the secret key encryption.SE Let us Cracking Problem is hard to indistingush computationally. K E D IV. NTRUCIPHER (iii) Decryption : To decrypt the ciphertext c with respect to the secret key k, In this Section, we propose NTRUCipher which is drawn ′ 1) Compute first ciphertext, c = c k(mod q), and center from NTRUEncrypt [2,4] by modification. In this cipher, ′ ∗ Z n the coefficient of c in ( q/2,q/2). we use a ring of Rn,q = q[x]/(x + 1) and propose ′ − ′ NTRUCipher-lattice based secret key encryption. 2) Then, compute µ = c (modp), and center the coefficient in ( p/2,p/2) to get the plaintext µ. System Parameters: The cipher would have three integer − parameters, n,p and q. The integer n has to be 2l , p is a Algorithm 3 NTRUCipher-Decryption small prime, and q is large prime such that gcd(p, q)=1 , and p < q. Input: Secret key k, Ciphertext c Rn,q, and set a parameter, p =3. ∈ ′ 1: c = c k(mod q) Rn,q Table I ∗ ∈ ′ IPHER YSTEM ARAMETERS 2: Center the coefficients of c in ( q/2,q/2) NTRUC -S P ′ ′ 3: µ = c (modp) − 1. n- Degree Parameter ′ 2. q - Large Modulus 4: Center the coefficients of µ in ( p/2,p/2) Z − q [x] 5: Result = µ 3. Ring Parameters, Rn,q = (xn+1) 4. p - Plaintext space modulus Output : Plaintext µ 5. a1, a2, a3 - Non-zero coefficient counts for product form polynomial terms. 6. µ - Plaintext . Completeness: To decrypt the ciphertext c with respect 7. c - Ciphertext to the secret key k, ′ 8. k - Secret key 1) Compute first cipher text c = c k(mod q) = 9. r - Ephemeral key ∗ 10. Dµ - Plaintext space (p.r + µ k)(mod q), and center the coefficient of ′ ∗ 11. Dc - Ciphertext space c in ( q/2,q/2). ′ ′ ′ 12. Dk- Secret key space 2) Then,− compute µ = c (modp) = [p.(r + µ k )+ 13. Dr- Ephemeral key space ∗ 14. Bn ={Binary Polynomials} µ](modp) , and center the coefficient in ( p/2,p/2) T − 15. n ={Ternary Polynomials} to get the plaintext µ. 16. Tn(a, e)={Ternary polynomials with exactly a ones and e minus ones} P 17. n(a1, a2, a3)={Product form of A. Probability of decryption failure polynomials A1 ∗ A2 + A3 : Ai ∈ Tn(ai, ai)} In this subsection, we estimate decryption failure of the NTRUCipher in terms of probability. For a successful (i) Key Generation: 1. The secret key k is a polynomial ′ ′ decryption of the ciphertext c for the plaintext µ using the of the form p.k +1, where k is generated by product form ′ given secret key k, the coefficient of the c = [p.(r + µ of polynomials, P (a ,a ,a ). Note that this form ensures ′ n 1 2 3 k )+µ] must be in the range of less than q . By the triangle∗ that k has inverse 1 modulo p. 2 inequality, the following relation holds: ′ ′ f c f∞ 6 p.(f r f + f µ f∞ f k f ) + 1] . Algorithm 1 NTRUCipher-Key Generation 1 ′ 1 We assume that r and k are chosen in the product Input: A set of system parameters form and the plaintext µ is a ternary polynomial. Note 1: repeat ′ $ that the decryption failure can be avoided by ensuring 2: k Pn(a1,a2,a3) ′ q > 8p(2a1a2 + a3)+2 . We hereby set a probabilistic 3: k =1+← p.k R ∈ n,q bound to estimate the probability; 4: until k is invertible in Rn,q Prob(a given coefficients of r + µ k1 has absolute value Output : Secret key k. B). ∗ ≥ ′ We choose r and k in the product form such that r = r1 ′ ′ ′ ′ ′ ∗ (ii) Encryption : r2+r3, k = k k +k , where each ri and k has exactly ai 1∗ 2 3 i 1) To encrypt a plaintext µ (p 1)/2, .., +(p coefficients equal to 1, ai coefficients equal to -1 and the rest 1)/2 n with the secret key∈k {−, first− a polynomial −r of the coefficients equal to 0. When the coefficients of the } P plaintext µ are chosen from (p 1)/2, .., +(p 1)/2 n, is randomly sampled in n(a1,a2,a3) such that r {− − − } −1 ∗ the probability of taking 0 as coefficients of plaintext µ k (mod q) Rn,q. aµ aµ ∈ − is , and taking 1 as coefficients is (1 ). The 2) Compute ciphertext c = (p.r k 1 + µ)(mod q). n n ∗ coefficients of r + ±µ k1 are expected to be− distributed according to the convolution∗ of normal distribution with Algorithm 2 NTRUCipher-Encryption standard deviation, σ = (4a a +2a )(2 aµ ), which Input: Secret key k, message µ (p 1)/2, .., +(p 1 2 3 − n is computed by adoptingq technique of section 6 of [11]. 1)/2 n, and set a parameter, p =3∈. {− − − The probability that a normally distributed random vari- 1: repeat} $ able with mean 0 and standard deviation σ exceeds B in 2: r Pn(a1,a2,a3) ← −1 absolute value is given by the complementary error function, 3: c = (p.r k + µ)(mod q) Rn,q erfc(B/(√2σ). Thus, the probability that any of the n Output : ∗ ∈ ′ Ciphertext c coefficients of r + µ k is greater than B is bounded by ∗ n.erfc(B/(√2σ). With respect to security parameter λ this and multiplication of two polynomials over the ring, Rn,q = imposes the constraint n.erfc((q 2)/(2√2pσ) < 2−λ, Z [x]/(xn + 1) in O(n) and O(n2 log q ) bits operations − q ⌊ 2 ⌉ where σ = σ(n,a1,a2,a3,aµ). respectively. Thus, it follows that the cost of encryption and decryption in both cases is O(n2 log q ) bit operations. ⌊ 2 ⌉ B. Parameter Sets and Sample space In this Subsection, we give set of parameters for the D. Concrete Parameters Set NTRUCipher. We discuss how the NTRUCipher parameters Our recommendations for parameters of the NTRUCipher are chosen. suggests taking n = 256, p = 3, q = 1087 , a1 = 5,a2 = B 1) Binary polynomials: Binary polynomials n are used 5,a3 = 5, and aµ = 102 so that we will ensure upper in this cipher to generate product form of polynomials. bound on the security parameter that our decryption failure These can be easy to implement in software and hardware. probability is less than 2−80. A disadvantage is that binary polynomials are by definition unbalanced. Therefore, when k(1) = 0, as a consequence V. SECURITY ANALYSIS information on the plaintext µ, namely6 µ(1) leaks. 1) Brute-force attack: Brute-force attack is one of the 2) Ternary polynomials: We define Tn as the set of generic cryptographic attacks in which one could try for all ternary polynomials, a particular case Tn(a,e) with a coefficients are 1, e coefficients are 1 and rest of the every possible key permutation until it finds the secret key. coefficients are 0. These ternary polynomials− are used to The feasibility to find out the secret key in brute force attack make product form of polynomials. relies on key space. In this cipher, the key space order for n n 3) Product form of polynomials: Product form of poly- bit length is O((2 f k f∞ +1) ). In the proposed cipher, we use minimum key length of 256 bits. Therefore, one should nomials Pn are generated by Pn(a1,a2,a3)= a1 a2+a3 : { ∗ try (2 f k f +1)256 bit permutations to find the secret key a1 Tn(a,e),a2 Tn(a,e),a3 Tn(a,e)}. These ∞ polynomials∈ are used∈ in this cipher to∈ choose the secret which is large enough for brute force attack. The plaintext key k and ephemeral key r. For instance, the secret key k is µ is chosen as a polynomial with ternary coefficients of ′ ′ 256 chosen of the form k = 1+p.k , where k P (a ,a ,a ). degree 256 in the NTRUCipher, one should try 3 bit ′ n 1 2 3 The number of non-zero coefficients in k ∈and r are crucial permutations to find the plaintext µ on the brute force attack. for the performance of the encryption. Note that convolution According to knowledge of the author, currently complexity 80 can be faster if there are a small number of non-zero order 2 is considered as the lower bound of security for elements in the polynomial. An advantage of the product brute force attack. form of polynomials is that they allow for exceptionally 2) Multiple transmission attack: In this NTRUCipher, fast convolution without Fourier transforms. one would send a single plaintext µ multiple times using the same secret key k and different ephemeral keys, r’s. In this 4) Secret Key Space: The space of secret key k consists of all polynomials that are derived from P (a D,a ,a ). If scenario, one would transmit t ciphertexts such that ci = n 1 2 3 −1 n and q are fixed in advance, we can choose a ,a and a p.ri k + µ(mod q) for i = 1, 2, 3...., t. The adversary 1 2 3 ∗ −1 with 1’s for the secret key k. When we take a a can then compute (ci c1) = (ri r1) k (mod q). Note 1 2 −1 − − ∗ ± ≈ ≈ that c = r k (mod q) , where c = ci c1 and r = ri r1, a3, the expected number of non-zero coefficients in k are ∗ − − 4a a +2a 2n which is an optimal for key selection. The has same structure as the public key generation of the 1 2 3 3 −1 space complexity≈ of the secret key is O((2 f k f +1)n). NTRUEncrypt [2,4]. Since c = r k (mod q), there exists ∞ −k∗c+r ∗ u Rn,q with u = such that [k,u].Lc = [k, r], The size of the secret key is n log2(2 f k f∞ +1) . ∈ q 5) Ephemeral key space: The⌊ space of ephemeral⌉ key I c where Lc = . By choosing the appropriate r consists of all polynomials that are derived from 0 qI D parameters for [k, r], one can find the secret key k by Pn(a1,a2,a3). The space complexity of the ephemeral key n solving SVP (approximate SVP) in Lc. is O((2 f r f∞ +1) ). The size of the ephemeral key is 3) Chosen Plaintext attack: In chosen plaintext attack, n log2(2 f r f +1) . ⌊ ∞ ⌉ the adversary can randomly choose plaintexts to be en- 6) Plaintext space: The plaintext space µ is defined D p−1 p−1 crypted and gets corresponding ciphertexts. The goal of the as µ = µ Rn,q/µ has coefficients in ( 2 , 2 ) , assumingD p{ is∈ odd prime. The recommended parameter,− p =} attack is to get access to the information that reduces the 3. The space complexity of the plaintext space is O(pn). security of the secret key encryption. We hereby prove the NTRUCipher is indistinguishability chosen plaintext attack- The size of the plaintext is n log2p . ⌊ ⌉ secure. We use the following game IND-CPA between a 7) Ciphertext space: The ciphertext space c is defined D q−1 q−1 challenger and an adversary. as c = c Rn,q/c has coefficients in ( 2 , 2 ), assumingD q{is∈ odd prime. The complexity of the− ciphertext Theorem 1. The NTRUCipher-Lattice based secret key n encryption is INA-CPA Secure if the decision NTRUCipher space is O(q ). The size of the ciphertext is n log2q . ⌊ ⌉ ciphertext cracking problem is hard. Proof: Let be an adversary. is given random oracle C. Efficiency. access to NTRUCipherA Enc(A.) and outputs two plain- − We provide efficiency of the NTRUCipher in terms of texts µ0,µ1 of equal length of n and sends to a challenger. O notations. In this NTRUCipher, we can perform addition The challenger runs an algorithm C and picks b 0, 1 , ←{ } and computes challenging ciphertext c∗ = (p.r∗ k∗−1 + [7] F.Horst, “Cryptography and Computer Privacy”, Scientific American, −1 ∗ Vol.228, Issue No:5, pp. 15-13. µb)(mod q) instead of c = (p.r k + µ)(mod q). Then, ∗ ∗ [8] J.Hoffstein, J.Pipher, and J.H.Silverman, “NTRU: A ring-based the challenger sends the challenging ciphertext c to the public key crypto system”, in Algorithmic Number Theory, Third adversary . Eventually, when the adversary outputs his International Symposium, ANTS-III, Portland, Oregon, USA, June ′ ′ guess b forA b , the algorithm C outputs 1 if Ab = b, and 0 21-25, 1998, Proceedings , 1998, pp.267-288.[Online]. Available: http://dx.doi.org/10.1007/BFb0054868. otherwise. [9] J. Hoffstein, N. A. H. Graham, J. Pipher, J. H. Silverman, and We now compute advantage function of the ad- W. Whyte. “Performances improvements and a baseline parameter versary under indistinguishability (IND) chosen plain- generation algorithm for NTRUsign”, In Proc. of Workshop on Mathematical Problems and Techniques in Cryptology, CRM, 2005, text attack(CPA) experiment: AdvIND−CPA ( ) := NT RUCipher A pp. 99–126. IND−CPA 1 [10] J.Daemen and V.Rijmen, “The Design of Rijndael, AES - The P r[ExpNT RUCipher(A) = 1] 2 . We say that |the NTRUCipher satisfies IND-CPA,− if| the advantage Advanced Encryption Standard”, Springer-Verlag 2002, (pp.238). IND−CPA [11] J.Hoffstein, J.Pipher,J.M.Schanck, J.H.Silverman,W.Whyte, AdvNT RUCipher( ) is negligible for any polynomial time and Z.Zhang “Choosing Parameters for NTRUEncrypt”, adversary . A https://eprint.iacr.org/2015/708.pdf. A ∗ [12] J.Katz, and Y.Lindell, “Introduction to Modern Cryptography”, CRC If we fix k Rn,q, the encrypted oracle uses the value ∗ ∈ Press, 2nd Edition, 2015. r to answer at least one of the n queries of . Let qn [13] M. Bellare, A. Desai, E. Jokipii and P. Rogaway, "A concrete se- denote the total number of queries made by A. In this curity treatment of symmetric encryption," Proceedings 38th Annual experiment, can succeed by one of the two possibilities.A Symposium on Foundations of Computer Science, Miami Beach, FL, ∗ A 1997, pp. 394-403. If r is drawn from D0 for some queries of , then [14] P.W.Shor, “Polynomial-time algorithms for prime factorization and succeeds and the algorithm C returns 1 with probabilityA A is discrete logarithms on a quantum computer”, SIAM J.Compu., qe ∗ Vol.26, 1997, pp.1484-1509. at most ∗ n . If r is drawn from D1 for some (2 f r f∞ +1) [15] R.L.Rivest, "The RC5 Encryption Algorithm", Proceedings of queries of , then succeeds only by guessing b, and the Second International Workshop on Fast Software Encryption A C A 1 (FSE),1994, pp. 86–96. the algorithm returns 1 with probability 2 . Thus, we IND−CPA 1 qe [16] V. Lyubashevsky, C. Peikert, and O. Regev, “On ideal lattices have P r[ExpNT RU (A) = 1] + ∗ n . Cipher ≤ 2 (2 f r f∞ +1) and learning with errors over rings”, Advances in Cryptology - The advantage of the adversary of the NTRUCipher, EUROCRYPT 2010, LNCS volume 6110, Springer,2010, pp.1-23. AdvIND−CPA ( ) := P r[ExpIND−CPA (A) = 1] [17] X.Lai, and J. L. Massey, “A Proposal for a New Block Encryption NT RUCipher NT RUCipher Standard”, EUROCRYPT, 1990, pp. 389–404. 1 1 qe A | 1 qe − + ∗ n ∗ n negl(λ). 2 |≤ 2 (2 f r f∞ +1) − 2 ≤ (2 f r f∞ +1) ≤ Therefore, the NTRUCipher is IND-CPA secure.

VI. CONCLUSION In this paper, we have proposed a secret key encryption which is based on truncated polynomials over NTRU lattices instead of classical well known Feistel structure [7]. Attacks such as brute force attack, multiple transmission attack and IND-CPA have been exposed against the proposed NTRUCipher. We have also recommended a set of parameters and analyzed security aspects and efﬁciency. A disadvantage of the NTRUCipher is that size of ciphertext is very larger compared to other existing secret key block ciphers [2,10]. Further work is required for designing the NTRUCipher based homomorphic secret key encryption and message authentication code.

REFERENCES [1] A.Lopez-Alt, E.Tromer, and V.Vaikuntanathan, “On-the-ﬂy multi- party computation on the cloud via multikey fully homomorphic encryption”, In Proceedings of the 44th symposium on Theory of Computing, ACM, 2012, pp. 1219-1234. [2] ANSI X3.92, “American National Standard for Data Encryption Algorithm (DEA),” American National Standards Institute, 1981. [3] B.Schneier, “Description of a new variable length key, 64 bit block cipher(Blowﬁsh)”, International workshop on Fast Software Encryp- tion,1993, pp 191-204. [4] D. J. Bernstein, C.Chuengsatiansup, T.Lange, and C.V.Vredendaal. “NTRU Prime”. In Selected Areas in Cryptography – SAC 2017, LNCS. Springer, to appear. http: //ntruprime.cr.yp.to/papers.html. 2, 3, 5, 6, 11, 12, 14, 18. [5] D.Stehle, and R.Steifeld, “Making NTRUEncrypt as secure as standard worst-case problems over ideal lattices”, in: Proc.of EURO- CRYPT, 2011, pp.27-47. [6] D.Stehle, and R.Steifeld, “Making NTRUEncrypt and NTRUSign as secure as standard worst-case problems over ideal lattices”, 2013, https://eprint.iacr.org/2013/004.