NTRU-GKP Cryptosystem: Quantum-Resilient Encryption

Updated 19 April 2026

NTRU-GKP cryptosystem is a public-key protocol that combines NTRU encryption with Gottesman-Kitaev-Preskill (GKP) bosonic quantum error correction.
It establishes an equivalence between syndrome decoding in GKP codes and NTRU decryption, achieving constant code rate and optimal distance scaling (Δ ∝ √n).
Decoding leverages an efficient trapdoor via Babai’s nearest-plane method, ensuring post-quantum security based on the hardness of inverting NTRU.

The NTRU-GKP cryptosystem is a public-key quantum communication protocol that merges the security of the NTRU cryptosystem with the bosonic quantum error correction capabilities of Gottesman-Kitaev-Preskill (GKP) codes. This construction establishes a direct equivalence between syndrome decoding in a class of GKP codes and decrypting the NTRU cryptosystem, thereby linking quantum error correction with post-quantum cryptography. The NTRU-GKP codes achieve constant rate and average minimum distance scaling as $\Delta \propto \sqrt{n}$ with high probability, paralleling the optimal scaling of concatenated GKP qubit codes. Every random instance of an NTRU-GKP code features an efficient decoder derived from the NTRU trapdoor, with public-key security inherited from the computational hardness conjectures underlying NTRU (Conrad et al., 2023).

1. Code Construction and Formal Specification

The NTRU-GKP cryptosystem is parameterized by the ring/lattice dimension $n$ , modulus polynomials $\Phi(x)$ (typically $x^n - 1$ or $x^n + 1$ ), a large modulus $q$ , a small plaintext modulus $p \ll q$ , and trapdoor weight $d \approx n/3$ . The construction begins in the ring $R = \mathbb{Z}[x]/\Phi(x)$ .

Key Generation:

Sample "small" polynomials $\tilde{f}, \tilde{g} \leftarrow D(d, d)$ in $n$ 0 with $n$ 1 coefficients $n$ 2, $n$ 3 coefficients $n$ 4.
Form secret key polynomials as $n$ 5, $n$ 6, ensuring $n$ 7 and $n$ 8.
Compute the public key $n$ 9 in $\Phi(x)$ 0.

Lattice Embedding:

Define the circulant embedding $\Phi(x)$ 1, mapping $\Phi(x)$ 2 to its circulant matrix. The public NTRU lattice in $\Phi(x)$ 3 is generated by

$\Phi(x)$ 4

with $\Phi(x)$ 5. The set of short vectors in this lattice encodes the NTRU secret.

Symplectic (GKP) Basis and Code Lattice:

A $\Phi(x)$ 6-symplectic generator $\Phi(x)$ 7 (i.e., $\Phi(x)$ 8 for $\Phi(x)$ 9) is constructed by rotating the public basis: $x^n - 1$ 0 where $x^n - 1$ 1 is the anti-diagonal permutation. Choosing an integer scaling $x^n - 1$ 2 (often $x^n - 1$ 3), the GKP code lattice is

$x^n - 1$ 4

and its stabilizer group is generated by the $x^n - 1$ 5 displacement operators corresponding to the rows of $x^n - 1$ 6.

2. Encoding, Quantum Encryption, and Decoding

Encoding (Quantum Encryption):

A logical GKP code state $x^n - 1$ 7 is any simultaneous $x^n - 1$ 8 eigenstate of the code's stabilizer operators. To encrypt $x^n - 1$ 9 under Gaussian shift noise, a sender selects random elements $x^n + 1$ 0 and applies the displacement

$x^n + 1$ 1

The resulting displacement, in $x^n + 1$ 2 split, yields $x^n + 1$ 3, which precisely corresponds to NTRU encryption in syndrome form. The displaced codeword $x^n + 1$ 4 is transmitted.

Decoding (Quantum Decryption):

The receiver measures the $x^n + 1$ 5 stabilizers, correcting the trivial hypercubic GKP syndrome, and computes the residual error syndrome

$x^n + 1$ 6

where the phase-space shift is $x^n + 1$ 7. Standard NTRU decryption recovers $x^n + 1$ 8 as $x^n + 1$ 9: $q$ 0 The correct shift $q$ 1 is subtracted, returning to the code space.

3. Code Parameters and ‘Goodness’

$q$ 2

For $q$ 3, $q$ 4, and trapdoor weight $q$ 5, a random NTRU lattice yields a GKP code with $q$ 6 encoded qubits and $q$ 7, matching the scaling of "good" codes (Conrad et al., 2023). Proposition 1 asserts

$q$ 8

for random NTRU lattices, ensuring distance-optimality for $q$ 9. The code achieves constant rate and optimal distance scaling, satisfying the definition of a "good" GKP code.

4. Decoding and Computational Hardness

Minimum-energy decoding (MED) for GKP codes reduces to the closest vector problem (CVP) on the dual stabilizer lattice, which, in the NTRU-GKP setting, is the secret NTRU lattice: $p \ll q$ 0 Bounded-distance decoding (BDD) with a trapdoor (the secret key) is efficiently solved via Babai’s nearest-plane method. Without the trapdoor, BDD is as hard as NTRU decryption—inverting the public key $p \ll q$ 1—which underpins the post-quantum security of the cryptosystem. Lemma (eMLD $p \ll q$ 2 MED): access to the theta-function-based maximum likelihood decoder for GKP codes decodes CVP exactly. Thus, decoding under Gaussian noise is computationally equivalent to NTRU decryption, and decoding GKP codes under this construction is generally $p \ll q$ 3-hard (Conrad et al., 2023).

5. Public-Key Quantum Communication Protocol

The protocol yields a "quantum one-time pad" realized in a public-key setting:

The recipient generates $p \ll q$ 4, publishes $p \ll q$ 5, keeps $p \ll q$ 6 secret.
The sender prepares a GKP code state $p \ll q$ 7, samples random NTRU encryption $p \ll q$ 8, applies $p \ll q$ 9 with $d \approx n/3$ 0, and transmits $d \approx n/3$ 1.
The recipient measures syndromes and decodes using $d \approx n/3$ 2, undoing $d \approx n/3$ 3 to recover $d \approx n/3$ 4.

Any eavesdropper must solve NTRU decoding or CVP on $d \approx n/3$ 5 to remove the encryption displacement, which is infeasible under the average-case hardness assumption for NTRU (including average-case hardness of factoring $d \approx n/3$ 6, ring-LWE in cyclotomics, and quantum hardness of CVP).

6. Theoretical Results and Security Reductions

Proposition 1 (Goodness of NTRU–GKP): For $d \approx n/3$ 7, $d \approx n/3$ 8, $d \approx n/3$ 9, random NTRU lattices yield a GKP code with $R = \mathbb{Z}[x]/\Phi(x)$ 0, achieving $R = \mathbb{Z}[x]/\Phi(x)$ 1—thus, $R = \mathbb{Z}[x]/\Phi(x)$ 2 for $R = \mathbb{Z}[x]/\Phi(x)$ 3.
Conjecture 2–3: Random public keys $R = \mathbb{Z}[x]/\Phi(x)$ 4 produce good GKP codes with high probability, for both $R = \mathbb{Z}[x]/\Phi(x)$ 5 and $R = \mathbb{Z}[x]/\Phi(x)$ 6 (Stehlé-Steinfeld variant).
Lemmas: MED, eMLD, and CVP decoding for GKP are computationally equivalent; decoding the Construction-A GKP code is equivalent to decoding the underlying qubit code.

The construction embeds the trapdoor-hardness of NTRU polynomial factorization and public-key structure directly into the phase-space lattice of a GKP code. This provides a unified framework for bosonic quantum error correction and post-quantum cryptography, with a public-key quantum channel whose security derives from quantum-hard NTRU assumptions (Conrad et al., 2023).

Markdown Report Issue Upgrade to Chat

References (1)

Good Gottesman-Kitaev-Preskill codes from the NTRU cryptosystem (2023)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to NTRU-GKP Cryptosystem.