{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,11]],"date-time":"2026-06-11T16:26:02Z","timestamp":1781195162872,"version":"3.54.1"},"publisher-location":"Cham","reference-count":57,"publisher":"Springer International Publishing","isbn-type":[{"value":"9783319725642","type":"print"},{"value":"9783319725659","type":"electronic"}],"license":[{"start":{"date-parts":[[2017,12,23]],"date-time":"2017-12-23T00:00:00Z","timestamp":1513987200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"},{"start":{"date-parts":[[2017,12,23]],"date-time":"2017-12-23T00:00:00Z","timestamp":1513987200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2018]]},"DOI":"10.1007\/978-3-319-72565-9_12","type":"book-chapter","created":{"date-parts":[[2017,12,22]],"date-time":"2017-12-22T08:55:58Z","timestamp":1513932958000},"page":"235-260","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":105,"title":["NTRU Prime: Reducing Attack Surface at Low Cost"],"prefix":"10.1007","author":[{"given":"Daniel J.","family":"Bernstein","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Chitchanok","family":"Chuengsatiansup","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Tanja","family":"Lange","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Christine","family":"van Vredendaal","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"297","published-online":{"date-parts":[[2017,12,23]]},"reference":[{"key":"12_CR1","unstructured":"Albrecht, M.R., Cid, C., Faug\u00e8re, J.-C., Fitzpatrick, R., Perret, L.: Algebraic algorithms for LWE problems (2014). https:\/\/eprint.iacr.org\/2014\/1018"},{"key":"12_CR2","unstructured":"Alkim, E., Ducas, L., P\u00f6ppelmann, T., Schwabe, P.: Post-quantum key exchange - A new hope. In: USENIX Security Symposium, pp. 327\u2013343. USENIX (2016)"},{"key":"12_CR3","unstructured":"Alperin-Sheriff, J., Apon, D.: Dimension-preserving reductions from LWE to LWR. IACR Cryptology ePrint Archive 2016:589 (2016)"},{"key":"12_CR4","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"57","DOI":"10.1007\/978-3-642-40041-4_4","volume-title":"Advances in Cryptology \u2013 CRYPTO 2013","author":"J Alwen","year":"2013","unstructured":"Alwen, J., Krenn, S., Pietrzak, K., Wichs, D.: Learning with rounding, revisited - new reduction. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 57\u201374. Springer, Heidelberg (2013). https:\/\/doi.org\/10.1007\/978-3-642-40041-4_4"},{"key":"12_CR5","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"403","DOI":"10.1007\/978-3-642-22006-7_34","volume-title":"Automata, Languages and Programming","author":"S Arora","year":"2011","unstructured":"Arora, S., Ge, R.: New algorithms for learning in presence of errors. In: Aceto, L., Henzinger, M., Sgall, J. (eds.) ICALP 2011. LNCS, vol. 6755, pp. 403\u2013415. Springer, Heidelberg (2011). https:\/\/doi.org\/10.1007\/978-3-642-22006-7_34"},{"key":"12_CR6","unstructured":"Bai, S., Bos, J., Ducas, L., Kiltz, E., Lepoint, T., Lyubashevsky, V., Schanck, J.M., Schwabe, P., Stehl\u00e9, D.: Crystals: cryptographic suite for algebraic lattices (2017). http:\/\/tinyurl.com\/znsjrv5"},{"key":"12_CR7","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"719","DOI":"10.1007\/978-3-642-29011-4_42","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2012","author":"A Banerjee","year":"2012","unstructured":"Banerjee, A., Peikert, C., Rosen, A.: Pseudorandom functions and lattices. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 719\u2013737. Springer, Heidelberg (2012). https:\/\/doi.org\/10.1007\/978-3-642-29011-4_42"},{"key":"12_CR8","unstructured":"Bernstein, D.J.: Multidigit multiplication for mathematicians (2001). https:\/\/cr.yp.to\/papers.html#m3"},{"key":"12_CR9","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"317","DOI":"10.1007\/978-3-642-03356-8_19","volume-title":"Advances in Cryptology - CRYPTO 2009","author":"DJ Bernstein","year":"2009","unstructured":"Bernstein, D.J.: Batch binary Edwards. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 317\u2013336. Springer, Heidelberg (2009). https:\/\/doi.org\/10.1007\/978-3-642-03356-8_19"},{"key":"12_CR10","doi-asserted-by":"crossref","unstructured":"Bernstein, D.J., Chuengsatiansup, C., Lange, T., van Vredendaal, C.: NTRU Prime: reducing attack surface at low cost (2017). https:\/\/eprint.iacr.org\/2016\/461. Full version of this paper","DOI":"10.1007\/978-3-319-72565-9_12"},{"key":"12_CR11","unstructured":"Bernstein, D.J., Lange, T.: eBACS: ECRYPT benchmarking of cryptographic systems. https:\/\/bench.cr.yp.to. Accessed 9 Feb 2017"},{"key":"12_CR12","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"321","DOI":"10.1007\/978-3-642-42045-0_17","volume-title":"Advances in Cryptology - ASIACRYPT 2013","author":"DJ Bernstein","year":"2013","unstructured":"Bernstein, D.J., Lange, T.: Non-uniform cracks in the concrete: the power of free precomputation. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 321\u2013340. Springer, Heidelberg (2013). https:\/\/doi.org\/10.1007\/978-3-642-42045-0_17"},{"key":"12_CR13","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"209","DOI":"10.1007\/978-3-662-49096-9_9","volume-title":"Theory of Cryptography","author":"A Bogdanov","year":"2016","unstructured":"Bogdanov, A., Guo, S., Masny, D., Richelson, S., Rosen, A.: On the hardness of learning with rounding over small modulus. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9562, pp. 209\u2013224. Springer, Heidelberg (2016). https:\/\/doi.org\/10.1007\/978-3-662-49096-9_9"},{"key":"12_CR14","doi-asserted-by":"crossref","unstructured":"Bos, J., Ducas, L., Kiltz, E., Lepoint, T., Lyubashevsky, V., Schanck, J.M., Schwabe, P., Stehl\u00e9, D.: CRYSTALS - Kyber: a CCA-secure module-lattice-based KEM (2017). https:\/\/eprint.iacr.org\/2017\/634","DOI":"10.1109\/EuroSP.2018.00032"},{"key":"12_CR15","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"323","DOI":"10.1007\/978-3-662-53140-2_16","volume-title":"Cryptographic Hardware and Embedded Systems \u2013 CHES 2016","author":"L Groot Bruinderink","year":"2016","unstructured":"Groot Bruinderink, L., H\u00fclsing, A., Lange, T., Yarom, Y.: Flush, Gauss, and reload \u2013 a cache attack on the BLISS lattice-based signature scheme. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 323\u2013345. Springer, Heidelberg (2016). https:\/\/doi.org\/10.1007\/978-3-662-53140-2_16"},{"key":"12_CR16","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/978-3-642-25385-0_1","volume-title":"Advances in Cryptology \u2013 ASIACRYPT 2011","author":"Y Chen","year":"2011","unstructured":"Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1\u201320. Springer, Heidelberg (2011). https:\/\/doi.org\/10.1007\/978-3-642-25385-0_1"},{"key":"12_CR17","doi-asserted-by":"crossref","unstructured":"Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates (full version) (2011). http:\/\/www.di.ens.fr\/~ychen\/research\/Full_BKZ.pdf","DOI":"10.1007\/978-3-642-25385-0_1"},{"key":"12_CR18","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"145","DOI":"10.1007\/978-3-319-31301-6_8","volume-title":"Selected Areas in Cryptography \u2013 SAC 2015","author":"T Chou","year":"2016","unstructured":"Chou, T.: Sandy2x: New Curve25519 speed records. In: Dunkelman, O., Keliher, L. (eds.) SAC 2015. LNCS, vol. 9566, pp. 145\u2013160. Springer, Cham (2016). https:\/\/doi.org\/10.1007\/978-3-319-31301-6_8"},{"key":"12_CR19","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"133","DOI":"10.1007\/978-3-540-40974-8_12","volume-title":"Cryptography and Coding","author":"AW Dent","year":"2003","unstructured":"Dent, A.W.: A Designer\u2019s guide to KEMs. In: Paterson, K.G. (ed.) Cryptography and Coding 2003. LNCS, vol. 2898, pp. 133\u2013151. Springer, Heidelberg (2003). https:\/\/doi.org\/10.1007\/978-3-540-40974-8_12"},{"key":"12_CR20","unstructured":"Ding, J.: Solving LWE problem with bounded errors in polynomial time (2010). https:\/\/eprint.iacr.org\/2010\/558"},{"key":"12_CR21","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"40","DOI":"10.1007\/978-3-642-40041-4_3","volume-title":"Advances in Cryptology \u2013 CRYPTO 2013","author":"L Ducas","year":"2013","unstructured":"Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal Gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 40\u201356. Springer, Heidelberg (2013). https:\/\/doi.org\/10.1007\/978-3-642-40041-4_3"},{"key":"12_CR22","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"329","DOI":"10.1007\/978-3-319-22174-8_18","volume-title":"Progress in Cryptology \u2013 LATINCRYPT 2015","author":"A Faz-Hern\u00e1ndez","year":"2015","unstructured":"Faz-Hern\u00e1ndez, A., L\u00f3pez, J.: Fast implementation of Curve25519 using AVX2. In: Lauter, K., Rodr\u00edguez-Henr\u00edquez, F. (eds.) LATINCRYPT 2015. LNCS, vol. 9230, pp. 329\u2013345. Springer, Cham (2015). https:\/\/doi.org\/10.1007\/978-3-319-22174-8_18"},{"key":"12_CR23","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"67","DOI":"10.1007\/978-3-642-38616-9_5","volume-title":"Post-Quantum Cryptography","author":"T G\u00fcneysu","year":"2013","unstructured":"G\u00fcneysu, T., Oder, T., P\u00f6ppelmann, T., Schwabe, P.: Software speed records for lattice-based signatures. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 67\u201382. Springer, Heidelberg (2013). https:\/\/doi.org\/10.1007\/978-3-642-38616-9_5"},{"key":"12_CR24","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"789","DOI":"10.1007\/978-3-662-53887-6_29","volume-title":"Advances in Cryptology \u2013 ASIACRYPT 2016","author":"Q Guo","year":"2016","unstructured":"Guo, Q., Johansson, T., Stankovski, P.: A key recovery attack on MDPC with CCA security using decoding errors. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 789\u2013815. Springer, Heidelberg (2016). https:\/\/doi.org\/10.1007\/978-3-662-53887-6_29"},{"key":"12_CR25","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"437","DOI":"10.1007\/978-3-642-01957-9_27","volume-title":"Applied Cryptography and Network Security","author":"PS Hirschhorn","year":"2009","unstructured":"Hirschhorn, P.S., Hoffstein, J., Howgrave-Graham, N., Whyte, W.: Choosing NTRUEncrypt parameters in light of combined lattice reduction and MITM approaches. In: Abdalla, M., Pointcheval, D., Fouque, P.-A., Vergnaud, D. (eds.) ACNS 2009. LNCS, vol. 5536, pp. 437\u2013455. Springer, Heidelberg (2009). https:\/\/doi.org\/10.1007\/978-3-642-01957-9_27"},{"key":"12_CR26","unstructured":"Hoffstein, J., Pipher, J., Schanck, J.M., Silverman, J.H., Whyte, W., Zhang, W.: Choosing parameters for NTRUEncrypt (2015). https:\/\/eprint.iacr.org\/2015\/708"},{"key":"12_CR27","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"267","DOI":"10.1007\/BFb0054868","volume-title":"Algorithmic Number Theory","author":"J Hoffstein","year":"1998","unstructured":"Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267\u2013288. Springer, Heidelberg (1998). https:\/\/doi.org\/10.1007\/BFb0054868"},{"key":"12_CR28","unstructured":"Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a new high speed public key cryptosystem (2016). Circulated privately in 1996; put online in 2016 at https:\/\/web.securityinnovation.com\/hubfs\/files\/ntru-orig.pdf"},{"key":"12_CR29","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"150","DOI":"10.1007\/978-3-540-74143-5_9","volume-title":"Advances in Cryptology - CRYPTO 2007","author":"N Howgrave-Graham","year":"2007","unstructured":"Howgrave-Graham, N.: A hybrid lattice-reduction and meet-in-the-middle attack against NTRU. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 150\u2013169. Springer, Heidelberg (2007). https:\/\/doi.org\/10.1007\/978-3-540-74143-5_9"},{"key":"12_CR30","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"226","DOI":"10.1007\/978-3-540-45146-4_14","volume-title":"Advances in Cryptology - CRYPTO 2003","author":"N Howgrave-Graham","year":"2003","unstructured":"Howgrave-Graham, N., Nguyen, P.Q., Pointcheval, D., Proos, J., Silverman, J.H., Singer, A., Whyte, W.: The impact of decryption failures on the security of NTRU encryption. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 226\u2013246. Springer, Heidelberg (2003). https:\/\/doi.org\/10.1007\/978-3-540-45146-4_14"},{"key":"12_CR31","unstructured":"Howgrave-Graham, N., Silverman, J.H., Whyte, W.: A meet-in-the-middle attack on an NTRU private key. Technical report, NTRU Cryptosystems (2003). https:\/\/www.securityinnovation.com\/uploads\/Crypto\/NTRUTech004v2.pdf"},{"key":"12_CR32","doi-asserted-by":"crossref","unstructured":"Howgrave-Graham, N., Silverman, J.H., Whyte, W.: Choosing parameter sets for NTRUEncrypt with NAEP and SVES-3 (2005). https:\/\/eprint.iacr.org\/2005\/045","DOI":"10.1007\/978-3-540-30574-3_10"},{"key":"12_CR33","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"232","DOI":"10.1007\/978-3-319-66787-4_12","volume-title":"Cryptographic Hardware and Embedded Systems \u2013 CHES 2017","author":"A H\u00fclsing","year":"2017","unstructured":"H\u00fclsing, A., Rijneveld, J., Schanck, J., Schwabe, P.: High-speed key encapsulation from NTRU. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 232\u2013252. Springer, Cham (2017). https:\/\/doi.org\/10.1007\/978-3-319-66787-4_12"},{"key":"12_CR34","unstructured":"Kirchner, P., Fouque, P.-A.: Comparison between subfield and straightforward attacks on NTRU (2016). https:\/\/eprint.iacr.org\/2016\/717"},{"key":"12_CR35","unstructured":"Kumar, V.: ntruees743ep1 software (2014). Included in [11]"},{"issue":"2\u20133","key":"12_CR36","doi-asserted-by":"publisher","first-page":"375","DOI":"10.1007\/s10623-015-0067-5","volume":"77","author":"T Laarhoven","year":"2015","unstructured":"Laarhoven, T., Mosca, M., van de Pol, J.: Finding shortest lattice vectors faster using quantum search. Des. Codes Cryptography 77(2\u20133), 375\u2013400 (2015)","journal-title":"Des. Codes Cryptography"},{"issue":"3","key":"12_CR37","doi-asserted-by":"publisher","first-page":"565","DOI":"10.1007\/s10623-014-9938-4","volume":"75","author":"A Langlois","year":"2015","unstructured":"Langlois, A., Stehl\u00e9, D.: Worst-case to average-case reductions for module lattices. Des. Codes Cryptography 75(3), 565\u2013599 (2015)","journal-title":"Des. Codes Cryptography"},{"key":"12_CR38","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"124","DOI":"10.1007\/978-3-319-48965-0_8","volume-title":"Cryptology and Network Security","author":"P Longa","year":"2016","unstructured":"Longa, P., Naehrig, M.: Speeding up the number theoretic transform for faster ideal lattice-based cryptography. In: Foresti, S., Persiano, G. (eds.) CANS 2016. LNCS, vol. 10052, pp. 124\u2013139. Springer, Cham (2016). https:\/\/doi.org\/10.1007\/978-3-319-48965-0_8"},{"key":"12_CR39","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"196","DOI":"10.1007\/978-3-662-53890-6_7","volume-title":"Advances in Cryptology \u2013 ASIACRYPT 2016","author":"V Lyubashevsky","year":"2016","unstructured":"Lyubashevsky, V.: Digital signatures based on the hardness of ideal lattice problems in all rings. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 196\u2013214. Springer, Heidelberg (2016). https:\/\/doi.org\/10.1007\/978-3-662-53890-6_7"},{"key":"12_CR40","unstructured":"Lyubashevsky, V.: Future directions in lattice cryptography (talk slides) (2016). http:\/\/troll.iis.sinica.edu.tw\/pkc16\/slides\/Invited_Talk_II-Directions_in_Practical_Lattice_Cryptography.pptx"},{"issue":"6","key":"12_CR41","doi-asserted-by":"publisher","first-page":"43","DOI":"10.1145\/2535925","volume":"60","author":"V Lyubashevsky","year":"2013","unstructured":"Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. J. ACM 60(6), 43 (2013)","journal-title":"J. ACM"},{"key":"12_CR42","unstructured":"Meyer, C., Somorovsky, J., Weiss, E., Schwenk, J., Schinzel, S., Tews, E.: Revisiting SSL\/TLS implementations: new Bleichenbacher side channels and attacks. In: USENIX Security Symposium, pp. 733\u2013748. USENIX (2014)"},{"key":"12_CR43","doi-asserted-by":"crossref","unstructured":"Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In: STOC, pp. 333\u2013342. ACM (2009)","DOI":"10.1145\/1536414.1536461"},{"key":"12_CR44","unstructured":"Peikert, C.: \u201cA useful fact about Ring-LWE that should be known better: it is *at least as hard* to break as NTRU, and likely strictly harder. 1\/\u201d (tweet) (2017). http:\/\/archive.is\/B9KEW"},{"key":"12_CR45","doi-asserted-by":"crossref","unstructured":"Peikert, C., Regev, O., Stephens-Davidowitz, N.: Pseudorandomness of Ring-LWE for any ring and modulus. In: STOC, pp. 461\u2013473. ACM (2017)","DOI":"10.1145\/3055399.3055489"},{"key":"12_CR46","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"68","DOI":"10.1007\/978-3-662-43414-7_4","volume-title":"Selected Areas in Cryptography \u2013 SAC 2013","author":"T P\u00f6ppelmann","year":"2014","unstructured":"P\u00f6ppelmann, T., G\u00fcneysu, T.: Towards practical lattice-based public-key encryption on reconfigurable hardware. In: Lange, T., Lauter, K., Lison\u011bk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 68\u201385. Springer, Heidelberg (2014). https:\/\/doi.org\/10.1007\/978-3-662-43414-7_4"},{"key":"12_CR47","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"283","DOI":"10.1007\/978-3-319-63697-9_10","volume-title":"Advances in Cryptology \u2013 CRYPTO 2017","author":"M Ro\u015fca","year":"2017","unstructured":"Ro\u015fca, M., Sakzad, A., Stehl\u00e9, D., Steinfeld, R.: Middle-product learning with errors. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 283\u2013297. Springer, Cham (2017). https:\/\/doi.org\/10.1007\/978-3-319-63697-9_10"},{"key":"12_CR48","unstructured":"The Sage Developers. SageMath, the Sage Mathematics Software System (Version 6.5) (2015). http:\/\/www.sagemath.org"},{"key":"12_CR49","unstructured":"Sakshaug, H.: Security analysis of the NTRUEncrypt public key encryption scheme (2007). https:\/\/brage.bibsys.no\/xmlui\/bitstream\/handle\/11250\/258846\/426901_FULLTEXT01.pdf"},{"key":"12_CR50","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"145","DOI":"10.1007\/3-540-36494-3_14","volume-title":"STACS 2003","author":"CP Schnorr","year":"2003","unstructured":"Schnorr, C.P.: Lattice reduction by random sampling and birthday methods. In: Alt, H., Habib, M. (eds.) STACS 2003. LNCS, vol. 2607, pp. 145\u2013156. Springer, Heidelberg (2003). https:\/\/doi.org\/10.1007\/3-540-36494-3_14"},{"key":"12_CR51","unstructured":"Shoup, V.: A proposal for an ISO standard for public key encryption (2001). https:\/\/eprint.iacr.org\/2001\/112"},{"issue":"4","key":"12_CR52","doi-asserted-by":"publisher","first-page":"223","DOI":"10.1007\/s00145-002-0133-9","volume":"15","author":"V Shoup","year":"2002","unstructured":"Shoup, V.: OAEP reconsidered. J. Cryptology 15(4), 223\u2013249 (2002)","journal-title":"J. Cryptology"},{"key":"12_CR53","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"410","DOI":"10.1007\/11586821_27","volume-title":"Cryptography and Coding","author":"M Stam","year":"2005","unstructured":"Stam, M.: A key encapsulation mechanism for NTRU. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 410\u2013427. Springer, Heidelberg (2005). https:\/\/doi.org\/10.1007\/11586821_27"},{"key":"12_CR54","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"27","DOI":"10.1007\/978-3-642-20465-4_4","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2011","author":"D Stehl\u00e9","year":"2011","unstructured":"Stehl\u00e9, D., Steinfeld, R.: Making NTRU as secure as worst-case problems over ideal lattices. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 27\u201347. Springer, Heidelberg (2011). https:\/\/doi.org\/10.1007\/978-3-642-20465-4_4"},{"issue":"1","key":"12_CR55","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/PL00003816","volume":"12","author":"PC van Oorschot","year":"1999","unstructured":"van Oorschot, P.C., Wiener, M.J.: Parallel collision search with cryptanalytic applications. J. Cryptology 12(1), 1\u201328 (1999)","journal-title":"J. Cryptology"},{"key":"12_CR56","doi-asserted-by":"publisher","first-page":"43","DOI":"10.1112\/S1461157016000206","volume":"19","author":"C van Vredendaal","year":"2016","unstructured":"van Vredendaal, C.: Reduced memory meet-in-the-middle attack against the NTRU private key. LMS J. Comp. Math. 19, 43\u201357 (2016)","journal-title":"LMS J. Comp. Math."},{"key":"12_CR57","unstructured":"Wunderer, T.: Revisiting the hybrid attack: improved analysis and refined security estimates (2016). https:\/\/eprint.iacr.org\/2016\/733"}],"container-title":["Lecture Notes in Computer Science","Selected Areas in Cryptography \u2013 SAC 2017"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-319-72565-9_12","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,1,12]],"date-time":"2022-01-12T01:04:23Z","timestamp":1641949463000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-319-72565-9_12"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,12,23]]},"ISBN":["9783319725642","9783319725659"],"references-count":57,"URL":"https:\/\/doi.org\/10.1007\/978-3-319-72565-9_12","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2017,12,23]]},"assertion":[{"value":"23 December 2017","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"SAC","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Selected Areas in Cryptography","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Ottawa","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Canada","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2017","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"16 August 2017","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"18 August 2017","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"24","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"sacrypt2017","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"http:\/\/sacworkshop.org\/SAC17\/SAC2017.htm","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"This content has been made available to all.","name":"free","label":"Free to read"}]}}