High-speed key encapsulation from NTRU Andreas Hülsing1, Joost Rijneveld2, John Schanck3;4, and Peter Schwabe2 ? 1 Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, The Netherlands
[email protected] 2 Digital Security Group, Radboud University, The Netherlands
[email protected],
[email protected] 3 Institute for Quantum Computing, University of Waterloo, Canada, and 4 Security Innovation, Wilmington, MA, USA
[email protected] Abstract. This paper presents software demonstrating that the 20- year-old NTRU cryptosystem is competitive with more recent lattice- based cryptosystems in terms of speed, key size, and ciphertext size. We present a slightly simplified version of textbook NTRU, select param- eters for this encryption scheme that target the 128-bit post-quantum security level, construct a KEM that is CCA2-secure in the quantum random oracle model, and present highly optimized software targeting Intel CPUs with the AVX2 vector instruction set. This software takes only 307 914 cycles for the generation of a keypair, 48 646 for encapsu- lation, and 67 338 for decapsulation. It is, to the best of our knowledge, the first NTRU software with full protection against timing attacks. Keywords. Post-quantum crypto, lattice-based crypto, NTRU, CCA2- secure KEM, QROM, AVX2. 1 Introduction In December 2016, NIST issued a call for proposals for “post-quantum cryptogra- phy” [34] to select schemes for standardization. More specifically, NIST requests algorithms in three categories: public-key encryption, key exchange or key en- capsulation mechanisms (KEMs), and digital signatures. Obviously, the central requirement is that proposed schemes are indeed “post-quantum”, i.e., that they resist attacks by a large quantum computer.