Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
A short review of the NTRU cryptosystem
Zhenfei Zhang
zzhang@onboardsecurity.com
July 12, 2017
Z.Zhang (Onboard Security I...
Outline
1 Introduction
2 NTRU lattice
3 NTRUEncrypt
4 pqNTRUSign
5 Conclusion
Z.Zhang (Onboard Security Inc.) NTRU crypto ...
Why lattice
Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 3 / 42
Why lattice
Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 3 / 42
Why lattice
Lattice leads to the knowledge of everything!
Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 3 / 42
Why lattice
Lattice leads to the knowledge of everything!
(WRONG!)
Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 20...
Why lattice
the real reason
1994, Shor’s algorithm, break RSA and ECC with quantum
computers;
2015, NSA announcement: prep...
Why lattice
the real reason
2030(?), predicted general purpose quantum computers;
Data vaulting attack
A.k.a., harvest-the...
Figure source: https://nsa.gov1.info/utah-data-center/
Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 6 / 42
State-of-art lattice-based crypto in practice
Key exchange/establishment schemes
Newhope (R-LWE), Frodo (LWE), NTRU-KEM (N...
Figure source: Christine van Vredendaal
Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 8 / 42
How they are used in practice
Hybrid mode: QSC + ECC/RSA
Example: “quantum-safing” handshake for TLS
Z.Zhang (Onboard Secur...
How they are used in practice
Hybrid mode: QSC + ECC/RSA
Example: “quantum-safing” handshake for TLS
Z.Zhang (Onboard Secur...
How they are used in practice
Hybrid mode: QSC + ECC/RSA
Example: “quantum-safing” handshake for TLS
Z.Zhang (Onboard Secur...
Figure source: Wendy Cordero’s High School Math Site
Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 10 / 42
Lattice
Definition of a Lattice
All the integral combinations of d ≤ n linearly independent vectors
over R
L = Z b1 + · · ·...
Example
A lattice L
B =
8 5
5 16
All lattice crypto talks start with an image of a dim-2 lattice
Z.Zhang (Onboard Security...
Example
A lattice L
UB =
1 0
−1 1
8 5
5 16
=
8 5
−3 11
An infinity of basis
Z.Zhang (Onboard Security Inc.) NTRU crypto Jul...
Example
A lattice L
UB =
1 0
1 1
8 5
5 16
=
8 5
13 21
An infinity of basis
Z.Zhang (Onboard Security Inc.) NTRU crypto July...
Example
A lattice L
UB =
3 1
2 1
8 5
5 16
=
29 31
21 26
An infinity of basis
Z.Zhang (Onboard Security Inc.) NTRU crypto Ju...
Example
The Shortest Vector and The First Minima
v = 8 5 , with λ1 = 82 + 52 = 9.434
The Shortest Vector
Z.Zhang (Onboard ...
Example
The Determinant
det L = det (BBT ) = 103
The Fundamental Parallelepiped
Z.Zhang (Onboard Security Inc.) NTRU crypt...
SVP vs factorization
Given 18 random chosen integers of ≈ 100 bits: d1, . . . , d18
607934075107679728535017910491 1108920...
SVP vs factorization
Given 18 random chosen integers of ≈ 100 bits: d1, . . . , d18
607934075107679728535017910491 1108920...
NTRU lattice
1 Introduction
2 NTRU lattice
3 NTRUEncrypt
4 pqNTRUSign
5 Conclusion
Z.Zhang (Onboard Security Inc.) NTRU cr...
NTRU lattice
NTRU ring
Originally: Zq[x]/(xN − 1), q a power of 2, N a prime;
Alternative 1: Zq[x]/(xN − x − 1), q a prime...
NTRU lattice
NTRU ring
Originally: Zq[x]/(xN − 1), q a power of 2, N a prime;
Alternative 1: Zq[x]/(xN − x − 1), q a prime...
NTRU lattice
NTRU ring
Originally: Zq[x]/(xN − 1), q a power of 2, N a prime;
Alternative 1: Zq[x]/(xN − x − 1), q a prime...
NTRU lattice
NTRU assumption
Decisional: given two small ring elements f and g; it is hard to
distinguish h = f /g from a ...
NTRU lattice
NTRU assumption
Decisional: given two small ring elements f and g; it is hard to
distinguish h = f /g from a ...
NTRU lattice
NTRU assumption
Decisional: given two small ring elements f and g; it is hard to
distinguish h = f /g from a ...
NTRU lattice
The real NTRU assumption
NTRU lattice behaves the same as random lattices.
NTRU lattice L =
qIN 0
H IN
g, f (...
NTRU lattice vs random lattice
256 0
172 1
256 0
17 1
(g, f ) = (1, 3) v = (17, 1)
Z.Zhang (Onboard Security Inc.) NTRU cr...
NTRU lattice vs random lattice
Random lattice, SV ≈ Gaussian Heuristic length = dim
2πe det
1
dim
NTRU lattice, unique sho...
NTRU lattice vs LWE lattice
NTRU R-LWE
Secrets Trinary: {−1, 0, 1}dim Gaussian: χdim√
q
Ring Zq[x]/(xN − 1) Zq[x]/(xN + 1)...
Interlude: How to estimate lattice strength?
Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 19 / 42
Interlude: How to estimate lattice strength ( )?
Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 20 / 42
Interlude: How to estimate the lattice strength
“Understanding lattice strength = mastering key technology. :D”
–Jackie Ch...
Interlude: How to estimate the lattice strength
Random lattice:
qIN 0
A IN
NTRU lattice:
qIN 0
H IN
Lattice reduction algm...
Interlude: How to estimate the lattice strength
Random lattice:
qIN 0
A IN
NTRU lattice:
qIN 0
H IN
Lattice reduction algm...
Interlude: How to estimate the lattice strength
Random lattice:
qIN 0
A IN
NTRU lattice:
qIN 0
H IN
Lattice reduction algm...
Interlude: How to estimate the lattice strength
Random lattice:
qIN 0
A IN
NTRU lattice:
qIN 0
H IN
Lattice reduction algm...
Interlude: Lattice reductions
Overview
time space approx. factor
LLL poly poly exp
BKZ sub-exp sub-exp sub-exp
Enumeration...
Interlude: Lattice reductions
Best in practice: BKZ 2.0
Input B = (b1, . . . , bn) and block size k
Repeat:
For i from 1 t...
Interlude: Estimate BKZ 2.0 cost
Best in practice: BKZ 2.0
Input B = (b1, . . . , bn) and block size k
Repeat:
For i from ...
Interlude: Estimate BKZ 2.0 cost
Best in practice: BKZ 2.0
Input B = (b1, . . . , bn) and block size k
Repeat:
For i from ...
NTRUEncrypt
1 Introduction
2 NTRU lattice
3 NTRUEncrypt
4 pqNTRUSign
5 Conclusion
Z.Zhang (Onboard Security Inc.) NTRU cry...
NTRUEncrypt
A CCA-2 secure encryption scheme based on NTRU assumption
Enc (h = g/f , p = 3, R, m ∈ {−1, 0, 1}N
)
Find a ra...
NTRUEncrypt
A CCA-2 secure encryption scheme based on NTRU assumption
Enc (h = g/f , p = 3, f ≡ 1 mod p, R, m ∈ {−1, 0, 1}...
NTRUEncrypt
A CCA-2 secure encryption scheme based on NTRU assumption
Enc (h = g/f , p = 3, f ≡ 1 mod p, R, m ∈ {−1, 0, 1}...
Attacks
Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 29 / 42
Attacks
Known attacks
Combinatorial attacks (meet-in-the-middle);
Lattice reductions;
Hybrid attacks;
Less effective attack...
Attacks
Known attacks
Combinatorial attacks (meet-in-the-middle);
Lattice reductions;
Hybrid attacks;
Suppose f , g are bi...
Attacks
Known attacks
Combinatorial attacks (meet-in-the-middle);
Lattice reductions;
Hybrid attacks;
Find short vectors i...
Attacks
Known attacks
Combinatorial attacks (meet-in-the-middle);
Lattice reductions;
Hybrid attacks;
Re-write
qIN 0
H IN
...
Parameters
Post-Quantum Parameter Sets and Security Estimates
Classical Quantum Hybrid Attack Parameters Product form log2...
pqNTRUSign
1 Introduction
2 NTRU lattice
3 NTRUEncrypt
4 pqNTRUSign
5 Conclusion
Z.Zhang (Onboard Security Inc.) NTRU cryp...
Modular Lattice Signatures
The core idea
Given a lattice L with a trapdoor T, a message m, find a vector v
v ∈ L
v ≡ hash(m...
pqNTRUSign
Sign (f , g, h = g/f , p = 3, R, m)
Hash message into a “mod p” vector vp, up = hash(m|h)
Repeat with rejection...
pqNTRUSign
Verify (h, p = 3, R, m, v)
Hash message into a “mod p” vector vp, up = hash(m|h)
Reconstruct the lattice vector...
pqNTRUSign
Public key security: recover f and g from h;
Forgery: as hard as solving an approx.-SVP in an intersected latti...
Forgery
Forgery: as hard as solving an approx.-SVP in an intersected lattice:
L ..= Lh ∩ (Z2N + vp, up )
det(L ) = p2NqN −...
Transcript security
Works on GGHSign, NTRUSign;
Each signature is a vector close
to the lattice (info leakage);
Recover en...
Rejection Sampling
Consider b ..= v0 + a · f
“large” v0 drawn from uniform or Gaussian;
“small” a drawn from sparse trinar...
Rejection Sampling
Rejection sampling on Uniform
Sample v0 uniformly from [−q
2 , −q
2 ]N
Accept b when b is in [−q
2 + B,...
Rejection Sampling
Rejection sampling on Uniform
Sample v0 uniformly from [−q
2 , −q
2 ]N
Accept b when b is in [−q
2 + B,...
Rejection Sampling
Rejection sampling on Gaussian
Sample v0 from discrete Gaussian χN
σ
Accept b when b is Gaussian
Before...
Future work
Better scalability:
Module-LWE based schemes;
Better efficiency:
Improved rejection sampling methods;
Better imp...
Thanks!
to study the underlying principle to acquire knowledge (idiom);
pursuing knowledge to the end.
Figure source: Goog...
Upcoming SlideShare
Loading in …5
×

A Short Review of the NTRU Cryptosystem

1,077 views

Published on

A review of NTRU Cryptosystem, including discussion of NTRU lattice, NTRUEncrypt, and pqNTRUSign.

Published in: Technology
  • Doubled or Tripled in 5 weeks! Would recommend to anyone. ♥♥♥ https://tinyurl.com/semenax101
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

A Short Review of the NTRU Cryptosystem

  1. 1. A short review of the NTRU cryptosystem Zhenfei Zhang zzhang@onboardsecurity.com July 12, 2017 Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 1 / 42
  2. 2. Outline 1 Introduction 2 NTRU lattice 3 NTRUEncrypt 4 pqNTRUSign 5 Conclusion Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 2 / 42
  3. 3. Why lattice Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 3 / 42
  4. 4. Why lattice Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 3 / 42
  5. 5. Why lattice Lattice leads to the knowledge of everything! Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 3 / 42
  6. 6. Why lattice Lattice leads to the knowledge of everything! (WRONG!) Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 3 / 42
  7. 7. Why lattice the real reason 1994, Shor’s algorithm, break RSA and ECC with quantum computers; 2015, NSA announcement: prepare for the quantum apocalypse; 2017, NIST call for competition/standardization; 2030(?), predicted general purpose quantum computers; bonus points Good understanding of underlying hard problem; Fast, parallelable, hardware friendly; Numerous applications: FHE, ABE, MMap, obfuscation, . . . Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 4 / 42
  8. 8. Why lattice the real reason 2030(?), predicted general purpose quantum computers; Data vaulting attack A.k.a., harvest-then-decrypt attack Data need to be secret for, say, 30 years; Quantum computer arrives in, say, 15 years; Perhaps the most practical attack in cryptography! Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 5 / 42
  9. 9. Figure source: https://nsa.gov1.info/utah-data-center/ Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 6 / 42
  10. 10. State-of-art lattice-based crypto in practice Key exchange/establishment schemes Newhope (R-LWE), Frodo (LWE), NTRU-KEM (NTRU) Encryption schemes NTRUEncrypt (NTRU) - standardized by IEEE and ASC X9. Signature schemes BLISS (NTRU), pqNTRUSign (NTRU), TESLA (R-LWE) Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 7 / 42
  11. 11. Figure source: Christine van Vredendaal Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 8 / 42
  12. 12. How they are used in practice Hybrid mode: QSC + ECC/RSA Example: “quantum-safing” handshake for TLS Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 9 / 42
  13. 13. How they are used in practice Hybrid mode: QSC + ECC/RSA Example: “quantum-safing” handshake for TLS Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 9 / 42
  14. 14. How they are used in practice Hybrid mode: QSC + ECC/RSA Example: “quantum-safing” handshake for TLS Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 9 / 42
  15. 15. Figure source: Wendy Cordero’s High School Math Site Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 10 / 42
  16. 16. Lattice Definition of a Lattice All the integral combinations of d ≤ n linearly independent vectors over R L = Z b1 + · · · + Z bd = {λ1b1 + · · · + λd bd : λi ∈ Z} d dimension. B = (b1, . . . , bd ) is a basis. An example B = 5 1 2 √ 3 3 5 √ 2 1 d = 2 ≤ n = 3 In this talk, full rank integer Basis: B ∈ Zn,n. Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 11 / 42
  17. 17. Example A lattice L B = 8 5 5 16 All lattice crypto talks start with an image of a dim-2 lattice Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 12 / 42
  18. 18. Example A lattice L UB = 1 0 −1 1 8 5 5 16 = 8 5 −3 11 An infinity of basis Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 12 / 42
  19. 19. Example A lattice L UB = 1 0 1 1 8 5 5 16 = 8 5 13 21 An infinity of basis Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 12 / 42
  20. 20. Example A lattice L UB = 3 1 2 1 8 5 5 16 = 29 31 21 26 An infinity of basis Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 12 / 42
  21. 21. Example The Shortest Vector and The First Minima v = 8 5 , with λ1 = 82 + 52 = 9.434 The Shortest Vector Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 12 / 42
  22. 22. Example The Determinant det L = det (BBT ) = 103 The Fundamental Parallelepiped Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 12 / 42
  23. 23. SVP vs factorization Given 18 random chosen integers of ≈ 100 bits: d1, . . . , d18 607934075107679728535017910491 110892038590491011470413624162 102527531745069397657213612427 8592010462121158793989191725 1046281300378014562233368120438 686996122377288254791817885410 1103832612625211064506848179346 220852682915784634287852309921 944649534225139220175474902664 1176690699541611773408761953223 1136130825665947553678910749119 1108943208362935558648540132758 23737901275111053772686813555 465809649893186621224122861041 715902840717351780807871627645 630574310792857742024648084025 1051996449282023535890300047164 142993816453901841682500448596 Factorize d1|d2| . . . |d18 ≈ 1800 bits 6079340751076797285350179104911108920385904910114704136241621025275317450693976572136124278 5920104621211587939891917251046281300378014562233368120438686996122377288254791817885410110 3832612625211064506848179346220852682915784634287852309921944649534225139220175474902664117 6690699541611773408761953223113613082566594755367891074911911089432083629355586485401327582 3737901275111053772686813555465809649893186621224122861041715902840717351780807871627645630 5743107928577420246480840251051996449282023535890300047164142993816453901841682500448596 Find the shortest vector from          607934075107679728535017910491 0 0 . . . 0 0 110892038590491011470413624162 1 0 . . . 0 0 102527531745069397657213612427 0 1 . . . 0 0 . . . . . . . . . . . . . . . . . . 1051996449282023535890300047164 0 0 . . . 1 0 142993816453901841682500448596 0 0 . . . 0 1          Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 13 / 42
  24. 24. SVP vs factorization Given 18 random chosen integers of ≈ 100 bits: d1, . . . , d18 607934075107679728535017910491 110892038590491011470413624162 102527531745069397657213612427 8592010462121158793989191725 1046281300378014562233368120438 686996122377288254791817885410 1103832612625211064506848179346 220852682915784634287852309921 944649534225139220175474902664 1176690699541611773408761953223 1136130825665947553678910749119 1108943208362935558648540132758 23737901275111053772686813555 465809649893186621224122861041 715902840717351780807871627645 630574310792857742024648084025 1051996449282023535890300047164 142993816453901841682500448596 Factorize d1|d2| . . . |d18 ≈ 1800 bits Easy 6079340751076797285350179104911108920385904910114704136241621025275317450693976572136124278 5920104621211587939891917251046281300378014562233368120438686996122377288254791817885410110 3832612625211064506848179346220852682915784634287852309921944649534225139220175474902664117 6690699541611773408761953223113613082566594755367891074911911089432083629355586485401327582 3737901275111053772686813555465809649893186621224122861041715902840717351780807871627645630 5743107928577420246480840251051996449282023535890300047164142993816453901841682500448596 Find the shortest vector from          607934075107679728535017910491 0 0 . . . 0 0 110892038590491011470413624162 1 0 . . . 0 0 102527531745069397657213612427 0 1 . . . 0 0 . . . . . . . . . . . . . . . . . . 1051996449282023535890300047164 0 0 . . . 1 0 142993816453901841682500448596 0 0 . . . 0 1          As hard as solving SVP for any lattice of same dim Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 13 / 42
  25. 25. NTRU lattice 1 Introduction 2 NTRU lattice 3 NTRUEncrypt 4 pqNTRUSign 5 Conclusion Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 14 / 42
  26. 26. NTRU lattice NTRU ring Originally: Zq[x]/(xN − 1), q a power of 2, N a prime; Alternative 1: Zq[x]/(xN − x − 1), q a prime; Alternative 2: Zq[x]/(xN + 1), q a prime, N a power of 2 Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 15 / 42
  27. 27. NTRU lattice NTRU ring Originally: Zq[x]/(xN − 1), q a power of 2, N a prime; Alternative 1: Zq[x]/(xN − x − 1), q a prime; Alternative 2: Zq[x]/(xN + 1), q a prime, N a power of 2 Ring multiplications: h(x) = f (x) · g(x) Compute h (x) = f (x) × g(x) over Z[x] Reduce h (x) mod (xN − 1) mod q Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 15 / 42
  28. 28. NTRU lattice NTRU ring Originally: Zq[x]/(xN − 1), q a power of 2, N a prime; Alternative 1: Zq[x]/(xN − x − 1), q a prime; Alternative 2: Zq[x]/(xN + 1), q a prime, N a power of 2 Ring multiplications: h(x) = f (x) · g(x), alternatively h0, . . . , hN−1 = f0, . . . , fN−1 ×        g0 g1 g2 . . . gN−1 gN−1 g0 g1 . . . gN−2 gN−2 gN−1 g0 . . . gN−3 ... ... ... ... ... g1 g2 g3 . . . g0        mod q Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 15 / 42
  29. 29. NTRU lattice NTRU assumption Decisional: given two small ring elements f and g; it is hard to distinguish h = f /g from a uniformly random ring element; Computational: given h, find f and g. Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 16 / 42
  30. 30. NTRU lattice NTRU assumption Decisional: given two small ring elements f and g; it is hard to distinguish h = f /g from a uniformly random ring element; Computational: given h, find f and g. NTRU lattice qIN 0 H IN ..=               q 0 . . . 0 0 0 . . . 0 0 q . . . 0 0 0 . . . 0 ... ... ... ... ... ... ... ... 0 0 . . . q 0 0 . . . 0 h0 h1 . . . hN−1 1 0 . . . 0 hN−1 h0 . . . hN−2 0 1 . . . 0 ... ... ... ... ... ... ... ... h1 h2 . . . h0 0 0 . . . 1               Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 16 / 42
  31. 31. NTRU lattice NTRU assumption Decisional: given two small ring elements f and g; it is hard to distinguish h = f /g from a uniformly random ring element; Computational: given h, find f and g. NTRU lattice L = qIN 0 H IN g, f (and its cyclic rotations) are unique shortest vectors in L; Decisional problem: decide if L has unique shortest vectors; Computational problem: find those vectors. Both are hard for random lattices. Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 16 / 42
  32. 32. NTRU lattice The real NTRU assumption NTRU lattice behaves the same as random lattices. NTRU lattice L = qIN 0 H IN g, f (and its cyclic rotations) are unique shortest vectors in L; Decisional problem: decide if L has unique shortest vectors; Computational problem: find those vectors. Both are hard for random lattices. Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 16 / 42
  33. 33. NTRU lattice vs random lattice 256 0 172 1 256 0 17 1 (g, f ) = (1, 3) v = (17, 1) Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 17 / 42
  34. 34. NTRU lattice vs random lattice Random lattice, SV ≈ Gaussian Heuristic length = dim 2πe det 1 dim NTRU lattice, unique shortest vectors = g, f 2 Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 17 / 42
  35. 35. NTRU lattice vs LWE lattice NTRU R-LWE Secrets Trinary: {−1, 0, 1}dim Gaussian: χdim√ q Ring Zq[x]/(xN − 1) Zq[x]/(xN + 1) Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 18 / 42
  36. 36. Interlude: How to estimate lattice strength? Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 19 / 42
  37. 37. Interlude: How to estimate lattice strength ( )? Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 20 / 42
  38. 38. Interlude: How to estimate the lattice strength “Understanding lattice strength = mastering key technology. :D” –Jackie Chan Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 21 / 42
  39. 39. Interlude: How to estimate the lattice strength Random lattice: qIN 0 A IN NTRU lattice: qIN 0 H IN Lattice reduction algms. Approx.-SVP γ: root Hermite factor Cryptosystems1 Unique shortest vectors α: Gap = (λN+1/λ1)1/2N Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 22 / 42
  40. 40. Interlude: How to estimate the lattice strength Random lattice: qIN 0 A IN NTRU lattice: qIN 0 H IN Lattice reduction algms. Approx.-SVP γ: root Hermite factor Cryptosystems1 Unique shortest vectors α: Gap = (λN+1/λ1)1/2N “Ideal world” “Real world” Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 22 / 42
  41. 41. Interlude: How to estimate the lattice strength Random lattice: qIN 0 A IN NTRU lattice: qIN 0 H IN Lattice reduction algms. Approx.-SVP γ: root Hermite factor Cryptosystems1 Unique shortest vectors α: Gap = (λN+1/λ1)1/2N α-uSVP ≈ γ-SVP −→ we can use BKZ/LLL results on uSVP λ1 = λ2 = · · · = λN = g, f 2 = √ 2d λN+1 ≈ Gaussian Heuristic length dim 2πe det 1 dim = Nq πe α = Nq 2dπe 1 4N Not limited to NTRU, almost all efficient lattice crypto base on uSVP Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 22 / 42
  42. 42. Interlude: How to estimate the lattice strength Random lattice: qIN 0 A IN NTRU lattice: qIN 0 H IN Lattice reduction algms. Approx.-SVP γ: root Hermite factor Cryptosystems1 Unique shortest vectors α: Gap = (λN+1/λ1)1/2N α = Nq 2dπe 1 4N Example: N = 743, q = 2048, d = 495: α ≈ 1.0038 α-uSVP ≈ γ-SVP If BKZ 2.0 can solve Approx-SVP with γ = 1.0038, it can solve uSVP Lattice strength = cost of BKZ 2.0 with γ = 1.0038 Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 22 / 42
  43. 43. Interlude: Lattice reductions Overview time space approx. factor LLL poly poly exp BKZ sub-exp sub-exp sub-exp Enumeration sup-exp poly 1 Sieving exp exp 1 Best in practice: BKZ 2.0 Input B = (b1, . . . , bn) and block size k Repeat: For i from 1 to n-k+1 do Solve SVP for sub-lattice (bi , . . . , bi+k−1) Size-reduction Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 23 / 42
  44. 44. Interlude: Lattice reductions Best in practice: BKZ 2.0 Input B = (b1, . . . , bn) and block size k Repeat: For i from 1 to n-k+1 do Solve SVP for sub-lattice (bi , . . . , bi+k−1) Size-reduction Original BKZ 2.0: enumeration with extreme pruning “New Hope”: (quantum) sieving Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 24 / 42
  45. 45. Interlude: Estimate BKZ 2.0 cost Best in practice: BKZ 2.0 Input B = (b1, . . . , bn) and block size k Repeat: For i from 1 to n-k+1 do Solve SVP for sub-lattice (bi , . . . , bi+k−1) Size-reduction Example: n = 1024, γ = 1.006(?) (Extreme pruning) To arrive γ = 1.006 one need to use block size 216; Cost to find SV in dim-216 lattice requires > 2105 node; Per-node cost 27; Call this SV solver for (n − k + 1) ∗ round > 29 times; Total cost > 2121 Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 25 / 42
  46. 46. Interlude: Estimate BKZ 2.0 cost Best in practice: BKZ 2.0 Input B = (b1, . . . , bn) and block size k Repeat: For i from 1 to n-k+1 do Solve SVP for sub-lattice (bi , . . . , bi+k−1) Size-reduction Example: n = 1024, γ = 1.006 (Sieving) To arrive γ = 1.006 one need to use block size 216; Cost to find SV in dim-216 lattice requires > 2216∗0.3 ≈ 265 operation; Also requires ≈ 265 space Call this SV solver for (n − k + 1) ∗ round > 29 times; Total cost > 274 Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 26 / 42
  47. 47. NTRUEncrypt 1 Introduction 2 NTRU lattice 3 NTRUEncrypt 4 pqNTRUSign 5 Conclusion Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 27 / 42
  48. 48. NTRUEncrypt A CCA-2 secure encryption scheme based on NTRU assumption Enc (h = g/f , p = 3, R, m ∈ {−1, 0, 1}N ) Find a random ring element r; Compute e = p × r · h + m; Dec (f , p = 3, R, e) Compute c = e · f = p × r · g + m · f ; Reduce c mod p = m · f mod p Recover m = c · f −1 mod p Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 28 / 42
  49. 49. NTRUEncrypt A CCA-2 secure encryption scheme based on NTRU assumption Enc (h = g/f , p = 3, f ≡ 1 mod p, R, m ∈ {−1, 0, 1}N ) Find a random ring element r; Compute e = p × r · h + m; Dec (f ≡ 1 mod p, p = 3, R, e) Compute c = e · f = p × r · g + m · f ; Reduce c mod p = m · f mod p = m Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 28 / 42
  50. 50. NTRUEncrypt A CCA-2 secure encryption scheme based on NTRU assumption Enc (h = g/f , p = 3, f ≡ 1 mod p, R, m ∈ {−1, 0, 1}k ) Find a random string b; r = hash(h|b) m = r ⊗ m|b Compute e = p × r · h + m ; Dec (f ≡ 1 mod p, g, p = 3, R, e) Compute c = e · f = p × r · g + m · f ; Reduce c mod p = m · f mod p = m Compute r = p−1 × (c − m · f ) · g−1 Extract m, b from m ⊗ r , compute r = hash(h|b); Output m if r = r . Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 28 / 42
  51. 51. Attacks Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 29 / 42
  52. 52. Attacks Known attacks Combinatorial attacks (meet-in-the-middle); Lattice reductions; Hybrid attacks; Less effective attacks Subfield attacks; Subring attacks: Mod 2 attack. Hash attacks. Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 30 / 42
  53. 53. Attacks Known attacks Combinatorial attacks (meet-in-the-middle); Lattice reductions; Hybrid attacks; Suppose f , g are binary polynomials with hamming weight d list = ∅ Guess a fi with hamming weight d/2; compute gi = fi · h; Check gi against every gj ∈ list: if gi + gj is binary with hamming weight d; output gi , gj ; else, add gi to list: Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 30 / 42
  54. 54. Attacks Known attacks Combinatorial attacks (meet-in-the-middle); Lattice reductions; Hybrid attacks; Find short vectors in NTRU lattice qIN 0 H IN Lattice reduction algorithms: BKZ 2.0 Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 30 / 42
  55. 55. Attacks Known attacks Combinatorial attacks (meet-in-the-middle); Lattice reductions; Hybrid attacks; Re-write qIN 0 H IN ..=   qIr1 0 0 ∗ L1 0 ∗ ∗ Ir2   Reduce L1 ..= qIr1 0 0 ∗ L1 0 (MITM) guess a vector v in L2 ..= ∗ ∗ Ir2 If guess correctly, v will be very close to L1; Find the closest vector of v in L1; Easy if L1 is well-reduced. Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 30 / 42
  56. 56. Parameters Post-Quantum Parameter Sets and Security Estimates Classical Quantum Hybrid Attack Parameters Product form log2 dec. root security est. security est. N q (df , dg , dm) dim β rounds K Cost search cost fail prob. Hermite factor 128 128 443 2048 (148, 148, 115) 575 222 11 177 133 147 -196 1.0041 192 128 587 2048 (196, 196, 157) 723 311 9 258 197 193 -139 1.0031 256 128 743 2048 (247, 247, 204) 880 407 8 350 272 256 -112 1.0025 Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 31 / 42
  57. 57. pqNTRUSign 1 Introduction 2 NTRU lattice 3 NTRUEncrypt 4 pqNTRUSign 5 Conclusion Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 32 / 42
  58. 58. Modular Lattice Signatures The core idea Given a lattice L with a trapdoor T, a message m, find a vector v v ∈ L v ≡ hash(m) mod p Can be instantiated via any lattice SIS, R-SIS, R-LWE, etc pqNTRUSign is an efficient instantiation using NTRU lattice Efficient trapdoor f , g; Well-understood hardness. Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 33 / 42
  59. 59. pqNTRUSign Sign (f , g, h = g/f , p = 3, R, m) Hash message into a “mod p” vector vp, up = hash(m|h) Repeat with rejection sampling: Sample v0 from certain distribution; compute v1 = p × v0 + vp Find a random lattice vector v1, u1 = v1 · I, h “v-side” meets the congruent condition. Micro-adjust “u-side” using trapdoor f and g Compute a = (u1 − up) · g−1 mod p Compute v2, u2 = a · p × f , g Compute v, u = v1, u1 + v2, u2 Output v as signature Remark v = v1 + v2 = (p × v0 + vp) + p × a · f = p × (v0 + a · f ) + vp Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 34 / 42
  60. 60. pqNTRUSign Verify (h, p = 3, R, m, v) Hash message into a “mod p” vector vp, up = hash(m|h) Reconstruct the lattice vector v, u = v · I, h Check vp, up = hash(m|h) Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 35 / 42
  61. 61. pqNTRUSign Public key security: recover f and g from h; Forgery: as hard as solving an approx.-SVP in an intersected lattice; Transcript security - achieved via rejection sampling. Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 36 / 42
  62. 62. Forgery Forgery: as hard as solving an approx.-SVP in an intersected lattice: L ..= Lh ∩ (Z2N + vp, up ) det(L ) = p2NqN −→ Gaussian heuristic length = p2qN πe Target vector length v, u ≤ √ 2N q 2 Approx.-SVP with root Hermite factor γ = qπe 2p2 1 dim = qπe 2p2 1 4N Example: N = 512, q = 12289, p = 3 −→ γ = 1.0042 Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 37 / 42
  63. 63. Transcript security Works on GGHSign, NTRUSign; Each signature is a vector close to the lattice (info leakage); Recover enough of distance vectors (blue dots) gives away a good basis of the lattice; Seal the leakage with rejection sampling. Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 38 / 42
  64. 64. Rejection Sampling Consider b ..= v0 + a · f “large” v0 drawn from uniform or Gaussian; “small” a drawn from sparse trinary/binary; sparse trinary/binary f is the secret. RS on b b follows certain publicly known distribution independent from f ; for two secret keys f1, f2 and a signature b, one is not able to tell which key signs b - witness indistinguishability. Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 39 / 42
  65. 65. Rejection Sampling Rejection sampling on Uniform Sample v0 uniformly from [−q 2 , −q 2 ]N Accept b when b is in [−q 2 + B, −q 2 − B]N Before rejection 0.0005 0.0006 0.0007 0.0008 0.0009 0.001 0.0011 -600 -400 -200 0 200 400 600 "notuniforminq" 1/1031.0 Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 40 / 42
  66. 66. Rejection Sampling Rejection sampling on Uniform Sample v0 uniformly from [−q 2 , −q 2 ]N Accept b when b is in [−q 2 + B, −q 2 − B]N After rejection 0 0.0002 0.0004 0.0006 0.0008 0.001 0.0012 -600 -400 -200 0 200 400 600 "uniforminq" 1/1021.0 Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 40 / 42
  67. 67. Rejection Sampling Rejection sampling on Gaussian Sample v0 from discrete Gaussian χN σ Accept b when b is Gaussian Before/after rejection Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 40 / 42
  68. 68. Future work Better scalability: Module-LWE based schemes; Better efficiency: Improved rejection sampling methods; Better implementations Constant time. SIMD. Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 41 / 42
  69. 69. Thanks! to study the underlying principle to acquire knowledge (idiom); pursuing knowledge to the end. Figure source: Google Image & www.hsjushi.com Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 42 / 42

×