D-NTRU: More efficient and average-case IND-CPA secure NTRU variant

NTRU is a fast public key cryptosystem remaining unbroken. However, there is no known worst-to-average reduction for the original NTRU cryptosystem. Several provably secure NTRU modifications such as NAEP, pNE and NTRUCCA were proposed in the literature at the cost of inefficiency in encryption/decryption and enlarged ciphertext expansion. NAEP completes the IND-CCA security of the original NTRU under the average-case NTRU one-wayness intractability assumption. Both pNE and NTRUCCA obtain provable security goals under worst-case lattice assumptions. In this paper, a general framework for NTRU is considered, and a new PKC called D-NTRU is proposed. It is shown that the D-NTRU cryptosystem reduces the ciphertext expansion of the NTRU algorithm, and the encryption and decryption algorithms of D-NTRU perform even asymptotically faster than the NTRU algorithm only at the cost of slightly enlarged secret and public keys. The security of D-NTRU is proven in the standard model and under the average-case NTRU one-wayness assumption. The proof of the IND-CPA security of D-NTRU is completed by introducing another NTRU variant called C-NTRU as a bridge, defining some problems, and then proving the equivalence of these problems. So the proposed D-NTRU algorithm is more advantageous than the original NTRU algorithm, and much more efficient than all the provably secure variants of NTRU.