Abstract:
Constructing post-quantum key encapsulation mechanisms based on NTRU lattices is a popular research area in lattice-based cryptography. To reduce ciphertext size, some current schemes compress the ciphertext with the aid of extra hardness assumptions and error correction codes, which leads to idealized underlying assumptions and complicated implementations. To address these issues, an efficient and compact key encapsulation mechanism, named LTRU, is proposed. LTRU is based only on the NTRU one-wayness assumption and enables ciphertext compression without using any error correction codes. A performance-balanced parameter set for LTRU is provided, featuring a 128-bit quantum security level along with a matching, negligible error probability, and smaller public key and ciphertext sizes. LTRU is based on an NTT-friendly polynomial ring. To compute the polynomial operations of LTRU, an efficient mixed-radix NTT is presented. Finally, both a C implementation and an AVX2 implementation of LTRU are provided. Compared with the NIST Round 3 finalist NTRU-HRSS, the classical and quantum security of LTRU are strengthened by 6 bits and 5 bits, respectively. LTRU reduces the public key size, ciphertext size and total bandwidth by 14.6%, 26.0% and 20.3%, respectively. In terms of the AVX2 implementations, LTRU is 10.9 times faster in key generation and 1.7 times faster in decapsulation.