reification requested!

http://blog.cr.yp.to/20140213-ideal.html

"""
Here's a concrete suggestion, which I'll call NTRU Prime, for eliminating the structures that I find worrisome in existing ideal-lattice-based encryption systems. This suggestion uses a number field of prime degree, so that the only subfield is Q; and uses an irreducible polynomial x^p-x-1 with a very large Galois group, so that the number field is very far from having automorphisms. The best CVP dimension seems to be about half the degree; this is optimal for number fields without many real embeddings. (It's hard to create many real embeddings while keeping coefficients small, and if coefficients are large then there are other problems.) This suggestion also chooses its modulus q so that (Z/q)[x]/(x^p-x-1) is a field; this simultaneously avoids (1) NTRU's traditional 2-adic structure and (2) the linear splittings used in most recent papers.
"""
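
An added example, not code from the quoted blog post or its author: a check of the field condition in the quote, testing whether x^p-x-1 is irreducible mod q with Rabin's test, which for prime degree p needs only gcd(x^q - x, f) = 1 and x^(q^p) = x mod f. The function names and the small (p, q) pairs are constructed for illustration and are not proposed parameters; p and q are assumed prime with p >= 3.

```python
def mulmod(a, b, p, q):
    """Multiply two residues (length-p coefficient lists, low degree first)."""
    prod = [0] * (2 * p - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % q
    # Reduce with x^p = x + 1, i.e. x^i = x^(i-p+1) + x^(i-p), highest term first.
    for i in range(2 * p - 2, p - 1, -1):
        prod[i - p + 1] = (prod[i - p + 1] + prod[i]) % q
        prod[i - p] = (prod[i - p] + prod[i]) % q
    return prod[:p]

def powmod(base, e, p, q):
    """Square-and-multiply in (Z/q)[x]/(x^p - x - 1)."""
    result = [1] + [0] * (p - 1)
    while e:
        if e & 1:
            result = mulmod(result, base, p, q)
        base = mulmod(base, base, p, q)
        e >>= 1
    return result

def poly_gcd(a, b, q):
    """Euclid over F_q; returns a (non-monic) gcd with no trailing zeros."""
    def trim(v):
        while v and v[-1] == 0:
            v.pop()
        return v
    a, b = trim(list(a)), trim(list(b))
    while b:
        inv = pow(b[-1], -1, q)          # q prime, so the leading coeff is invertible
        while len(a) >= len(b):
            c, s = a[-1] * inv % q, len(a) - len(b)
            for i, bi in enumerate(b):
                a[s + i] = (a[s + i] - c * bi) % q
            trim(a)
        a, b = b, a
    return a

def quotient_is_field(p, q):
    """True iff x^p - x - 1 is irreducible mod q (assumes p, q prime, p >= 3)."""
    x = [0, 1] + [0] * (p - 2)
    f = [q - 1, q - 1] + [0] * (p - 2) + [1]     # -1 - x + x^p, coefficients mod q
    h = powmod(x, q, p, q)                       # x^q mod f
    d = [(hi - xi) % q for hi, xi in zip(h, x)]
    if len(poly_gcd(f, d, q)) != 1:              # nonconstant gcd: f has a root in F_q
        return False
    for _ in range(p - 1):                       # apply Frobenius until x^(q^p) mod f
        h = powmod(h, q, p, q)
    return h == x
```

The pair (5, 2) is the instructive failure: x^5-x-1 has no roots mod 2, so the gcd step passes, yet it factors as (x^2+x+1)(x^3+x^2+1) and only the x^(q^p) check rejects it.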