NTRUEncrypt

This article includes a list of general references, but it lacks sufficient corresponding inline citations. Please help to improve this article by introducing more precise citations. (April 2013) (Learn how and when to remove this message)

The NTRUEncrypt public key cryptosystem, also known as the NTRU encryption algorithm, is an NTRU lattice-based alternative to RSA and elliptic curve cryptography (ECC) and is based on the shortest vector problem in a lattice (which is not known to be breakable using quantum computers).

It relies on the presumed difficulty of factoring certain polynomials in a truncated polynomial ring into a quotient of two polynomials having very small coefficients. Breaking the cryptosystem is strongly related, though not equivalent, to the algorithmic problem of lattice reduction in certain lattices. Careful choice of parameters is necessary to thwart some published attacks.

Since both encryption and decryption use only simple polynomial multiplication, these operations are very fast compared to other asymmetric encryption schemes, such as RSA, ElGamal and elliptic curve cryptography. However, NTRUEncrypt has not yet undergone a comparable amount of cryptographic analysis in deployed form.

A related algorithm is the NTRUSign digital signature algorithm.

Specifically, NTRU operations are based on objects in a truncated polynomial ring ${\displaystyle \ R=\mathbb {Z} [X]/(X^{N}-1)}$ with convolution multiplication and all polynomials in the ring have integer coefficients and degree at most N-1:

${\displaystyle {\textbf {a}}=a_{0}+a_{1}X+a_{2}X^{2}+\cdots +a_{N-2}X^{N-2}+a_{N-1}X^{N-1}}$

That ${\displaystyle X^{N}=1}$ in this ring has the effect that multiplying a polynomial by ${\displaystyle X}$ rotates the coefficients of the polynomial. A map of the form ${\displaystyle f\mapsto fg}$ for a fixed ${\displaystyle g\in R}$ thus produces a new polynomial ${\displaystyle fg}$ where every coefficient depends on as many coefficients from ${\displaystyle f}$ as there are nonzero coefficients in ${\displaystyle g}$.

NTRU has three integer parameters (N, p, q), where N is the polynomial degree bound, p is called the small modulus, and q is called the large modulus; it is assumed that N is prime, q is always (much) larger than p, and p and q are coprime. Plaintext messages are polynomials modulo p but ciphertext messages are polynomials modulo q. Concretely the ciphertext consists of the plaintext message plus a randomly chosen multiple of the public key, but the public key may itself be regarded as a multiple of the small modulus p, which allows the holder of the private key to extract the plaintext from the ciphertext.