Quantum Cryptanalysis of NTRU

This paper explores some attacks that someone with a Quantum Computer may be able to perform against NTRUEncrypt, and in particular NTRUEncrypt as implemented by the publicly available library from Security Innovation. We show four attacks that an attacker with a Quantum Computer might be able to perform against encryption performed by this library. Two of these attacks recover the private key from the public key with less effort than expected; in one case taking advantage of how the published library is implemented, and the other, an academic attack that works against four of the parameter sets defined for NTRUEncrypt. In addition, we also show two attacks that are able to recover plaintext from the ciphertext and public key with less than expected effort. This has potential implications on the use of NTRU within TOR, as suggested by Whyte and Schanc

Key Compression for Isogeny-Based Cryptosystems

We present a method for key compression in quantum-resistant isogeny-based cryptosystems, which reduces storage and transmission costs of per-party public information by a factor of two, with no effect on the security level of the scheme. We achieve this reduction by compressing both the representation of an elliptic curve, and torsion points on said curve. Compression of the elliptic curve is achieved by associating each j-invariant to a canonical choice of elliptic curve, and the torsion points will be represented as linear combinations with respect to a canonical choice of basis for this subgroup. This method of compressing public information can be applied to numerous isogeny-based protocols, such as key exchange, zero-knowledge identification, and public-key encryption. The details of utilizing compression for each of these cryptosystems is explained. We provide implementation results showing the computational cost of key compression and decompression at various security levels. Our results show that isogeny-based cryptosystems achieve the smallest possible key sizes among all existing families of post-quantum cryptosystems at practical security levels

Post-Quantum Elliptic Curve Cryptography

We propose and develop new schemes for post-quantum cryptography based on isogenies over elliptic curves. First we show that ordinary elliptic curves are have less than exponential security against quantum computers. These results were used as the motivation for De Feo, Jao and Pl\^ut's construction of public key cryptosystems using supersingular elliptic curve isogenies. We extend their construction and show that isogenies between supersingular elliptic curves can be used as the underlying hard mathematical problem for other quantum-resistant schemes. For our second contribution, we propose is an undeniable signature scheme based on elliptic curve isogenies. We prove its security under certain reasonable number-theoretic computational assumptions for which no efficient quantum algorithms are known. This proposal represents only the second known quantum-resistant undeniable signature scheme, and the first such scheme secure under a number-theoretic complexity assumption. Finally, we also propose a security model for evaluating the security of authenticated encryption schemes in the post-quantum setting. Our model is based on a combination of the classical Bellare-Namprempre security model for authenticated encryption together with modifications from Boneh and Zhandry to handle message authentication against quantum adversaries. We give a generic construction based on Bellare-Namprempre for producing an authenticated encryption protocol from any quantum-resistant symmetric-key encryption scheme together with any digital signature scheme or MAC admitting any classical security reduction to a quantum-computationally hard problem. We apply the results and show how we can explicitly construct authenticated encryption schemes based on isogenies

Practical Lattice Cryptosystems: NTRUEncrypt and NTRUMLS

Public key cryptography, as deployed on the internet today, stands on shaky ground. For over twenty years now it has been known that the systems in widespread use are insecure against adversaries equipped with quantum computers -- a fact that has largely been discounted due to the enormous challenge of building such devices. However, research into the development of quantum computers is accelerating and is producing an abundance of positive results that indicate quantum computers could be built in the near future. As a result, individuals, corporations and government entities are calling for the deployment of new cryptography to replace systems that are vulnerable to quantum cryptanalysis. Few satisfying schemes are to be found. This work examines the design, parameter selection, and cryptanalysis of a post-quantum public key encryption scheme, NTRUEncrypt, and a related signature scheme, NTRUMLS. It is hoped that this analysis will prove useful in comparing these schemes against other candidates that have been proposed to replace existing infrastructure