A Generalization of NTRUEncrypt —Cryptosystem Based on Ideal Lattice ()
1. Introduction
Lattice theory based cryptography is a representative technology of post quantum cryptography, which is recognized by the academic community as being able to resist quantum computing attacks. Cyclic code and the number theory research unit (NTRU) cryptosystem are two representatives of the post quantum cryptography. Both the two cryptosystems are based on the theory of circulant matrix. Cyclic code plays a central role in algebraic coding theory (see Chapter 6 of [3]). An important class of cyclic code named BCH code was discovered in 1960 [4]. After that, many other codes were developed based on cyclic code, such as polynomial code, Goppa code and so on [5]. The
-cyclic code was firstly introduced in [1], which was applied to McEliece and Niederriter’s cryptosystems.
NTRU cryptosystem is a new public key cryptosystem based on lattice hard problem proposed in 1996 by three digit theorists Hoffstein, Piper and Silverman of Brown University in the United States [6]. Its main feature is that the key generation is very simple, and the encryption and decryption algorithm is much faster than the commonly used RSA and elliptic curve cryptography. In particular, NTRU can resist quantum computing attacks and is considered to be a potential public key cryptography that can replace RSA in the post quantum cryptography era. The essence of NTRU cryptographic design is the generalization of RSA on polynomials, so it is called the cryptosystem based on polynomial rings. However, NTRU can give a completely equivalent form by using the concept of q-ary lattice, so NTRU is also a lattice based cryptosystem.
Many researchers have presented some variations of NTRU by changing its algebraic structure. In 2002, Gaborit introduced an NTRU-like cryptosystem called CTRU by replacing the base ring of the NTRU with a polynomial ring over a binary field
[7]. They proved that their system is successfully decrypted. In 2005, Kouzmenko showed that CTRU is weak under a time attack and proposed the GNTRU cryptosystem based on Gaussian integers
[8]. In the same year, Coglianese introduced an analog to the NTRU cryptosystem called MaTRU [9]. MaTRU is based on a ring of all square matrices with polynomial entries. In 2009, Malekian introduced the QTRU cryptosystem based on quaternion algebra [10]. They also introduced the OTRU cryptosystem in 2010 based on Octonion algebra [11]. In 2016, Alsaidi proposed a public key cryptosystem BITRU based on binary algebra [12]. However, all of the above variations of NTRU have limitations. The purpose of this article is to extend the theory of circulant matrix to general ideal matrix, and to construct more general NTRU cryptosystem combined with the
-cyclic code. The motivation of this research is to adapt the distributed scenario of blockchain architecture and apply the post quantum cryptography in it.
2.
-Cyclic Code
Let
be a finite field with
elements and
be a power of a prime number,
be the polynomial ring of
with variable
. Let
be the
-dimensional linear space over
, and
be a fixed vector in
with
, the associated polynomial of
given by
(1.1)
Let
be the principal ideal generated by
in
. There is a one to one correspondence between
and the quotient ring
, given by
(1.2)
In fact, this correspondence is also an isomorphism of Abel groups. One may extend this correspondence to subsets of
and
by
(1.3)
If
is a linear subspace of
of dimension
, then
is called a linear code in coding theory and written by
as usual. Each vector
is called a codeword of length
. Obviously,
and
are two trivial codes. Another one is called constant codes, which is almost trivial given by
According to the given polynomial
, we may define a linear transformation
in
,
(1.4)
It is easily seen that
is a linear transformation.
Definition 1.1. Let
be a linear code. It is called a
-cyclic code, if
(1.5)
In other words, a linear code
is a
-cyclic code, if and only if
is closed under linear transformation
. Clearly, if
, and
, then the
-cyclic code is precisely the ordinary cyclic code (see Chapter 6 of [1]).
Remark The
-cyclic code we give here is polycyclic code in fact, which firstly appeared in [1] [2], but we mainly concern for its application to McEliece and Niederriter’s cryptosystems. We first show that there is a one to one correspondence between
-cyclic codes in
and ideals in
.
Theorem 1. Let
be a subset, then
is a
-cyclic code, if and only if
is an ideal of
.
Proof: We use column notation for vector in
, then linear transformation
may be written as
Let
be a
square matrix over
,
(1.6)
where
is the
unit matrix. The matrix expression of
as follows
(1.7)
Suppose
and
is an ideal of
, it is clear that
is a linear code of
. To prove
is a
-cyclic code, we note that for any polynomial
, then
if and only if
, namely, if
, then
(1.8)
Therefore, if
is an ideal of
, then we have immediately that
is a
-cyclic code of
.
Conversely, if
is a
-cyclic code, then for all
, we have
It follows that
which implies
is an ideal of
. This is the proof of Theorem 1.
By Theorem 1, to find a
-cyclic code, it is enough to find an ideal of
. There are two trivial ideals
and
, the corresponding
-cyclic codes are
and
respectively, which are called trivial
-cyclic code. To find non-trivial
-cyclic codes, we make use of homomorphic theorems, which is a standard technique in Algebra. Let
be the natural homomorphism from
to its quotient ring
,
,
(1.9)
where
is an ideal of
, which is containing
. Since
is a principal ideal domain, then
is a principal ideal generated by a monic polynomial
. It is easy to see that
It follows that all ideals
satisfying (1.9) are given by
We write by
mod
, the image of
under
, it is easy to check
(1.10)
more precisely, which is a representative elements set of
mod
, by homomorphism theorem in ring theory, all ideals of
given by
(1.11)
Let
be the number of monic divisors of
in
, we can get the following corollary immediately.
Corollary 1. The number of
-cyclic code in
is
.
To compare the
-cyclic code and ordinary cyclic code, we see a simple example.
Example 1. Constant code
is always a cyclic code for
, and its generated polynomial is just
. But constant code
in
is not always a
-cyclic code, it is a
-cyclic code if and only if
, an equivalent condition for
is
Definition 1.2. Let
be a
-cyclic code and
mod
. We call
is the generated polynomial of
, where
is monic and
.
Lemma 1.1. Let
be the generated polynomial of a
-cyclic code
, where
, and
, then
and a generated matrix for
is the following block matrix
(1.12)
where
is the corresponding codeword of
, and
for
.
Proof: By assumption,
mod
, then
, we are to prove it is a basis of
. First, these vectors are linearly independent. Otherwise, we have
(1.13)
and the corresponding polynomial is zero, namely
It follows that
Next, if
, and
, by (1.10), there is a polynomial
such that
Thus we have the corresponding codeword of
This shows that
is a basis of
, and a generated matrix for
is
We have lemma 1.1 at once.
To describe a parity check matrix for a
-cyclic code, for any
, we write
Lemma 1.2. Suppose
is a
-cyclic code with generated polynomial
, where
and
. Let
, where
. Then a parity check matrix for
is
(1.14)
Proof: Since
, it means that
in
, thus we have
It follows that
, where
is a generated matrix for
given by (1.12). Therefore,
is a parity check matrix for
.
A separable polynomial in Algebra means that it has no multiple roots in its splitting field. The following lemma shows that there is a unit element in any non-zero ideal of
, when
is a separable polynomial.
Lemma 1.3. Suppose
is a separable polynomial of
, and
mod
is an ideal of
with
, then there exists an element
such that
Proof: Let
. Since
is a separable polynomial, then gcd
, and there are two polynomial
and
in
such that
Let
If
, by (1.10), we write
, it follows that
Thus we have
in
.
Next, we discuss maximal
-cyclic code. Let
mod
, and
be an irreducible polynomial in
, we call the corresponding
-cyclic code
a maximal
-cyclic code, because
is a maximal ideal in
.
Lemma 1.4. Let
be a maximal
-cyclic code with generated polynomial
,
be a root of
in some extensions of
, then
(1.15)
Proof: If
, by (1.10) we have
immediately. Conversely, if
and
, since
is irreducible, thus we have
, and (1.15) follows at once.
An important application of maximal
-cyclic code is to construct an error-correcting code, so that we may obtain a modified McEliece-Niederriter’s cryptosystem. To do this, let
, and
be an extension field of
of degree
. Suppose
, where
is a primitive element of
and
is the simple extension containing
and
. Let
be the minimum polynomial of
, then
is an irreducible polynomial of degree
of
. It is well-known that
is a Galois extension of
, so that all roots of
are in
. Let
be all roots of
, the Vandermonde matrix
defined by
(1.16)
where
and each
is a vector of
. For arbitrary monic polynomial
,
, let
and
be a maximal
-cyclic code generated by
. It is easy to verify that
Therefore,
is a parity check matrix for
. If we choose the primitive element
, so that any
columns in
are linearly independent, then the minimum distance of
is greater than
, and
is a t-error-correcting code, where
.
The public key cryptosystems based on algebraic coding theory were created by R. J. McEliece [13] and H. Niederriter [14], a suitable t-error-correcting code plays a key role in their construction. The error-correcting code
should satisfy the following requirements:
1)
should have a relatively large error-correcting capability so that a reasonable number of message vectors can be used;
2)
should allow an efficient decoding algorithm so that the decryption can be carried out in a short time.
Our results supply a different way to choose an error-correcting code by selecting arbitrary irreducible polynomials
of degree
and roots of
rather than an irreducible factor of
and the roots of unit such as ordinary BCH code and Gappa code.
In fact, for any positive integer
, there is at least an irreducible polynomial
with degree
. Let
be the number of irreducible polynomials of degree
in
, then we have (see Theorem 3.25 of [15])
where
is Mobius function.
Assuming one has selected two monic and irreducible polynomials
and
with
and
, let
, then one may obtain
-cyclic code
generated by
or
, which is more convenient and more flexible than the ordinary methods.
Remark It’s difficult to compare the error-correcting capability between
-cyclic code with existing cyclic codes of the same length and dimension. However, we believe that the advantages of
-cyclic code will become more clear when
increases. We will discuss this carefully in another paper later.
3. A Generalization of NTRUEncrypt
The public key cryptosystem NTRU proposed in 1996 by Hoffstein, Pipher and Silverman, is the fastest known lattice based encryption scheme, although its description relies on arithmetic over polynomial quotient ring
, it was easily observed that it could be expressed as a lattice based cryptosystem (see [16]). For the background materials, we refer to [3] [6] [17] [18] [19] and [20]. Our strategy in this section is to replace
by more general polynomial ring
and obtain a generalization of NTRUEncrypt, where
is a monic polynomial of degree
with integer coefficients.
In this section, we denote
and
by
(2.1)
Let
be a square matrix given by
(2.2)
where
is
unit matrix. Obviously,
is the characteristic polynomial of
, and
defines a linear transformation of
by
, where
is real number field,
is a column vector of
. We may extend this transformation to
and denote
by
(2.3)
Of course,
is again a linear transformation of
.
According to [20], a
-ary lattice is a lattice
such that
, where
is a positive integer.
Definition 2.1. A
-ary lattice
is called convolutional modular lattice, if
is in even dimension
satisfying
(2.4)
In other words, a convolutional modular lattice is a
-ary lattice in even dimension and is closed under the linear transformation
.
Recalling the secret key
of NTRU is a pair of polynomials of degree
, we may regard
and
as column vectors in
. To obtain a convolutional modular lattice containing
, we need some help of ideal matrices. An ideal matrix generated by a vector
is defined by
(2.5)
which is a block matrix in terms of each column
. It is easily seen that
is a generalization of the classical circulant matrices (see [21]), in fact, let
, and
, the ideal matrix
generated by
is given by
which is known as a circulant matrix. On the other hand, ideal matrix and ideal lattice play an important role in Ajtai’s construction of a collision resistant Hash function, the related materials we refer to [3] [22] [23] [24] [25] and [26].
First, we have to establish some basic properties for an ideal matrix
, most of them are known when
is a circulant matrix.
Lemma 2.1. Suppose
and
are given by (2.2) and (2.5) respectively, then for any
we have
Proof: Since
is the characteristic polynomial of
, by Hamilton-Cayley theorem, we have
(2.6)
Let
By (2.5) we have
the lemma follows.
Lemma 2.2. For any
we have
(2.7)
Proof: We use induction on
to show this conclusion. If
, it is trivial. Suppose it is true for
, we consider the case of
. For this purpose, we write
,
the
column vectors of unit in
, namely
and
where
is a row vector. For any
,
, it is easy to check that
Let
, we denote
by
By the assumption of induction, we have
It follows that
We complete the proof of lemma 2.2.
We always suppose that
is a separable polynomial and
are complex number roots of
, of which are different from each other. The Vandermonde matrix
generated by
is
Lemma 2.3. Let
, then we have
(2.8)
where
is the diagonal matrix.
Proof: By Theorem 3.2.5 of [21], for
, we have
(2.9)
By lemma 2.2, it follows that
Now, we summarize some basic properties for ideal matrix as follows.
Theorem 2. Let
,
be two column vectors and
be the ideal matrix generated by
, then we have:
(i)
.
(ii)
.
(iii)
.
(iv)
is an invertible matrix if and only if
and
are coprime, i.e.
.
Proof: (i) and (ii) follow from lemma 2.2 immediately, (iii) and (iv) follow from lemma 2.3. Here we only give an equivalent form of (ii). Let
(2.10)
then by (ii) we have
(2.11)
To construct a convolutional modular lattice containing vector
, let
,
be the transpose of
, and
(2.12)
(2.13)
We consider
and
as matrices over
, i.e.
,
, a
-ary lattice
is defined by (see [20])
(2.14)
Under the above notations, we have
Theorem 3. For any column vectors
and
, then
is a convolutional modular lattice, and
.
Proof: It is known that
is a
-ary lattice, i.e.
We only prove that
is fixed under the linear transformation
given by (2.4). If
, then
for some
, by lemma 2.1, we have
It means that
whenever
. Let
We have
, and Theorem 3 follows.
Since
, then there is a unique Hermite Normal Form of basis
, which is an upper triangular matrix given by
(2.15)
Next, we consider parameters system of NTRU. To choose the parameters of NTRU, let
be a positive integer and
be a subset of
, of which has exactly
positive entries and
negative ones, the remaining
entries will be zero. We take some assumption conditions for choice of parameters as follows:
(i)
with
, and
is separable polynomial,
are positive integers with
prime,
and gcd
.
(ii)
and
are two polynomials in
of degree
, the constant term of
is 1, and
(iii)
is invertible modulo
.
(iv)
.
Under the above conditions, by lemma 2.2 we have
(2.16)
Now, we state a generalization of NTRU as follows.
· Private key. The private key in generalized NTRU is a short vector
. The lattice associated with a private key is
, which is a convolutional modular lattice containing private key.
· Public key. The public key of the generalized NTRU is the HNF basis
of
, which is given by (2.15).
· Encryption. An input message is encoded as a vector
with exactly
positive entries and
negative ones. Here the reason for restricting
positive and
negative entries of vector
is to improve the efficiency of encryption and decryption and it’s not necessary. The vector
is concatenated with a randomly chosen vector
also with exactly
positive entries and
negative ones, to obtain a short error vector
. Let
(2.17)
where
is given by (2.15). Then, the
-dimensional vector
is the ciphertext.
· Decryption. Suppose the entries of
-dimensional vector
are belong to interval
, then ciphertext
is decrypted by multiplying it by the secret matrix
mod
, it follows that
(2.18)
Here, we use the identity (ii) of Theorem 2, namely,
If the above conditions (iv) is satisfied, it is easily seen that the coordinates of vector
are all bounded by
in absolute value, or, with high probability, even for larger value of
. The decryption process is completed by reducing (2.18) modulo
, to obtain
Thus one gets plaintext
from ciphertext
.
Example 2. Let
,
,
,
,
,
, i.e. the private key is
with
,
. It is easy to get
By (2.15), we compute the public key
as follows
Assume the input message
, random vector
, by (2.17) we get the ciphertext
By (2.18), we have
Since
one can get the plaintext
from ciphertext
.
4. Conclusion
In this study, we first discuss a more general form of the ordinary cyclic code, namely
-cyclic code. Then we give a generalized construction of NTRU based on ideal matrix and q-ary lattice theory. Compared with other variations of NTRU, such as CTRU, GNTRU, QTRU and BITRU, our extended NTRU cryptosystem is constructed with general ideal matrix rather than some special algebraic structures. Our purpose is to apply post quantum cryptography in distributed scenarios of blockchain future.