Post-Quantum Cryptosystem NTRUEncrypt and Its Advantage over Pre-Quantum Cryptosystem RSA

Cryptography is inextricably linked to the transfer of data: in addition to ensuring user authorization, it is designed to guarantee the integrity of the transmitted information and its confidentiality. The cryptographic system NTRUEncrypt is able to provide the necessary level of security at an extremely low cost, while possessing high speeds and low memory requirements. This is the main reason for the attractiveness of the NTRUEncrypt cryptosystem and its widespread use at present. The goal of this work is to develop a software application that implements the NTRUEncrypt cryptosystem in the modern high-level programming language C#.


Introduction
In today's world, it is hard to imagine the protection of confidential data without cryptography. This industry is actively developing and is receiving great support from states and large private companies. Elements of cryptography can be found almost everywhere, from encrypting messages in instant messengers and secure protocols to digital signatures on authored documents [1].
In this regard, attackers are improving and developing attacks on cryptographic algorithms such as RSA, ElGamal, DES, and others. Attacks based on quantum algorithms have been particularly effective [2].
Evidence of the advantage of quantum algorithms over classical ones was the test of Shor's integer factoring algorithm, conducted in 2001 on a 7-qubit IBM computer. Whereas on standard computers the factorization of a 129-bit number requires more than eight months of continuous operation of a system of 1600 workstations connected via the Internet, Shor's quantum algorithm, using parallel computing, speeds up this process millions of times.
As for public-key cryptographic systems, using the algorithm of Peter Shor, it becomes possible to break them.
For example, the RSA cryptosystem is based on the computational complexity of the problem of factoring large numbers, and uses the public key M, which is the product of two large primes [3].
To break the cryptosystem, it suffices to find the factors of the number M. Using the potential capabilities of a quantum computer, P. Shor's algorithm is able to solve the factorization problem not just in polynomial time, but in a time comparable to that of a single integer multiplication.
Thus, with the introduction of quantum technologies into operation, many cryptographic systems become useless, including the RSA cryptosystem.
It is for this reason that the NTRUEncrypt cryptosystem was created; it is more resistant to attacks from quantum computers because of the difficulty of finding the shortest lattice vector. As of the mid-2010s (2015), not a single quantum algorithm is known that can cope with this cryptosystem better than conventional pre-quantum algorithms.

Description of RSA Algorithm
The RSA cryptosystem is used in a wide variety of products, on various platforms and in many industries. It is used by Microsoft, Apple, Sun and Novell operating systems. In hardware, the RSA algorithm is used in secure phones, on Ethernet network cards, on smart cards, and is widely used in Zaxus cryptographic equipment (Racal). In addition, the algorithm is part of all major protocols for secure Internet communications, including S/MIME, SSL and S/WAN, and is also used in many institutions, for example, in government services, in most corporations, in government laboratories and universities. The technologies using the RSA algorithm were licensed by more than 700 companies in 2000.
The encryption algorithm is presented below:
1. A recipient takes two random numbers 1 and 2 , from which forms the public key = 1 * 2 .
2. Next, the recipient calculates the value of the Euler function ( ) = ( 1 − 1)( 2 − 1).
3. The recipient calculates a simple integer e, 1 < e < F(n), which is coprime with the value of the function F(n).
4. The recipient creates secret exponent d = (k * F(n) + 1)/e that will be in the private key. In addition, sends to the Sender the values of the public key n and e.
5. The sender, having public key values, encrypts the message and sends it to the Recipient.
6. The recipient decrypts the message = 1 .

Description of the Post-Quantum NTRUEncrypt Algorithm
Lattice cryptography is an approach to building asymmetric encryption algorithms using lattice theory problems. The advantage of post-quantum cryptography is the use of lattice cryptography for solving problems. The NTRUEncrypt public key cryptosystem uses operations on the Z[X] / ( -1) ring of polynomials of degree not exceeding N -1: where 0 , 1 , 2 … −1 are integers.
The operations of addition and multiplication are performed as usual, except that is replaced by 1, +1 is replaced by 1 , +2 is replaced by 2 , etc.
The NTRUEncrypt cryptosystem is determined by a number of parameters, the main ones being N, p and q. To preserve the cryptographic strength of the algorithm, it is necessary that the cryptosystem parameters p and q be coprime.
Key generation. Let Bob want to send a message to Alice, and for this he needs public and private keys. Therefore, he randomly chooses two "small" polynomials and from the ring . Bob must keep the selected polynomials secret, since anyone who knows them will be able to decipher the message.
In the next step, Bob calculates the inverse polynomials and modulo p and q, respectively, such that: * = 1( ) and * = 1( ). (2) If by chance these inverse polynomials do not exist, then Bob goes back a step and reselects the polynomial f.
The secret key is a pair ( , ), and the public key h is calculated by the formula:
Encryption. Let Alice want to send a message to Bob with the public key h. To do this, Alice needs to present her message as a polynomial m with coefficients modulo p selected from the range (-p/2, p/2]. Then Alice needs to choose another "small" polynomial r, which is called "blinding", and calculate ciphertext according to expression:
Decryption. Let Bob receive an encrypted message from Alice and want to decrypt it. First of all, using his secret key, Bob calculates: = * ( ).
Since Bob calculates the value of a modulo the number q, he must choose its coefficients from the range (-q/2, q/2] and then calculate: i.e., reduce all coefficients of the polynomial a modulo p. Finally, Bob, using the second part of the secret key, can get the original message from Alice using the transform: = * ( ).
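The key generation, encryption and decryption steps described above, as an added Python example (not the paper's C# application). The toy parameters N = 11, p = 3, q = 64 and all function names are constructed for illustration, and the formulas h = f_q * g mod q and e = p*r*h + m mod q follow the standard NTRU form, which is an assumption here.

```python
import random
from math import gcd

# Constructed toy sizes (assumption); with these weights |p*r*g + f*m| <= 25 < Q/2
N, P, Q = 11, 3, 64

def conv(a, b, mod):
    """Product in Z[X]/(X^N - 1): exponents wrap because X^N is replaced by 1."""
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % N] = (c[(i + j) % N] + ai * bj) % mod
    return c

def center(a, mod):
    """Lift coefficients into the interval (-mod/2, mod/2]."""
    return [v % mod - mod if v % mod > mod // 2 else v % mod for v in a]

def inverse(f, mod):
    """Inverse of f modulo a prime power, or None: solve f * x = 1 as a linear system."""
    rows = [[f[(i - j) % N] % mod for j in range(N)] + [int(i == 0)] for i in range(N)]
    for c in range(N):
        piv = next((r for r in range(c, N) if gcd(rows[r][c], mod) == 1), None)
        if piv is None:
            return None  # no unit pivot: f is not invertible, the caller reselects f
        rows[c], rows[piv] = rows[piv], rows[c]
        s = pow(rows[c][c], -1, mod)
        rows[c] = [v * s % mod for v in rows[c]]
        for r in range(N):
            k = rows[r][c]
            if r != c and k:
                rows[r] = [(v - k * w) % mod for v, w in zip(rows[r], rows[c])]
    return [row[N] for row in rows]

def ternary(rng, ones, minus):  # random "small" polynomial with fixed +1 / -1 counts
    return rng.sample([1] * ones + [-1] * minus + [0] * (N - ones - minus), N)

def keygen(rng):
    while True:  # go back and reselect f whenever an inverse does not exist
        f, g = ternary(rng, 4, 3), ternary(rng, 3, 3)
        f_p, f_q = inverse(f, P), inverse(f, Q)
        if f_p and f_q:
            return (f, f_p), conv(f_q, g, Q)  # private (f, f_p); public h = f_q * g mod q

def encrypt(m, h, r):
    return [(P * x + y) % Q for x, y in zip(conv(r, h, Q), m)]  # e = p*r*h + m mod q

def decrypt(e, f, f_p):
    a = center(conv(f, e, Q), Q)       # a = f * e mod q, coefficients in (-q/2, q/2]
    return center(conv(f_p, a, P), P)  # m = f_p * (a mod p), lifted to {-1, 0, 1}
```

With a smaller q the centered lift of a can wrap around and decryption returns a wrong message, which is why q is tied to the weights of f, g and r.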
Advantages of the NTRUEncrypt cryptosystem. In April 2011, the American Accredited Standards Committee X9 approved the use of the NTRU's fastest asymmetric encryption algorithm (NTRUEncrypt). The NTRU algorithm was developed as early as the mid-1990s. Unlike the RSA cryptosystem, it was not widely used, because from the very beginning it was necessary to increase the cryptographic strength and performance of this encryption algorithm. To date, all the flaws have been fixed, and in practice, NTRUEncrypt is considered much faster than RSA. This fact is confirmed by RSA Labs themselves, as well as independent researchers.
One of these comparative studies was conducted by cryptologists from the Catholic University of Leuven (Belgium). They found that when testing with maximum security settings, the NTRUEncrypt asymmetric encryption algorithm is four orders of magnitude faster than RSA and three orders of magnitude faster than ECC. The graph (Figure 1) clearly shows how the NTRUEncrypt cryptosystem exceeds, by the number of operations per second, the majority of the existing pre-quantum algorithms. In addition, the NTRUEncrypt cryptosystem is post-quantum, and has higher cryptographic resistance to various attacks. As mentioned above, the cryptographic strength of the algorithm is ensured by the absence of an algorithm for finding the shortest lattice vector.

Attacks and Defense Against Attacks on NTRUEncrypt
Brute force. In a brute-force attack, the adversary's main task is to recover Alice's secret key, i.e. polynomial ( ). The adversary knows that the polynomial ( ) of length has unit coefficients and ( − 1) coefficients -1.
Selection of such a polynomial will require checking options. For N = 251 and df = 50, this expression is 3 * 10^100. Comparing this estimate with the estimated complexity of solving the problem of finding the shortest lattice vector, we can conclude that, as in the case of RSA, brute-forcing the key is not the most successful attack against the NTRU.
Meet-in-the-middle attack. Andrew Odlyzko proposed a meet-in-the-middle attack, which for the successful recovery of the NTRU secret key takes ( /2 /2 ) /√ time and exactly the same amount of hard disk space ( -integer is not greater than ). As a matter of fact, attacks of this type are called meet-in-the-middle because they let the attacker trade computation time for the memory needed to store temporary data.
The attack proposed by Odlyzko is as follows. The definition of the public key ℎ = * implies the equality g= ℎ * . In this case, the attacker presents as the concatenation of two polynomials of length N/2.
We know that the polynomial g consists of coefficients {1, 0, -1} for the case p = 3 or coefficients {1, 0} for the case p = 2, i.e. in other words Thus, if the cryptosystem key space of the NTRU is of a size ( ), then the search for a key by the method of meeting in the middle requires going through all ( /2 /2 ) the options.
In order to guarantee a 2 level of resilience, it is necessary to select the cryptosystem parameters of the NTRU with a key space of 2 2 .

Protection against attack with selected ciphertext
In order to protect the NTRU from such an attack, it is recommended to use the NTRU in conjunction with the FORST padding scheme. When encrypting using the NTRU-FORST method, Bob, as in the usual NTRU scheme, calculates the plaintext polynomial ( ).
Complementing the polynomial with a random set of bits of , Bob computes ( ) = ( ( )|| ), where ( ) is a cryptographically strong hash function.