Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

A Short Review of the NTRU Cryptosystem

317 views

Published on

A review of NTRU Cryptosystem, including discussion of NTRU lattice, NTRUEncrypt, and pqNTRUSign.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

A Short Review of the NTRU Cryptosystem

  1. 1. A short review of the NTRU cryptosystem Zhenfei Zhang zzhang@onboardsecurity.com July 12, 2017 Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 1 / 42
  2. 2. Outline 1 Introduction 2 NTRU lattice 3 NTRUEncrypt 4 pqNTRUSign 5 Conclusion Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 2 / 42
  3. 3. Why lattice Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 3 / 42
  4. 4. Why lattice Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 3 / 42
  5. 5. Why lattice Lattice leads to the knowledge of everything! Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 3 / 42
  6. 6. Why lattice Lattice leads to the knowledge of everything! (WRONG!) Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 3 / 42
  7. 7. Why lattice the real reason 1994, Shor’s algorithm, break RSA and ECC with quantum computers; 2015, NSA announcement: prepare for the quantum apocalypse; 2017, NIST call for competition/standardization; 2030(?), predicted general purpose quantum computers; bonus points Good understanding of underlying hard problem; Fast, parallelable, hardware friendly; Numerous applications: FHE, ABE, MMap, obfuscation, . . . Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 4 / 42
  8. 8. Why lattice the real reason 2030(?), predicted general purpose quantum computers; Data vaulting attack A.k.a., harvest-then-decrypt attack Data need to be secret for, say, 30 years; Quantum computer arrives in, say, 15 years; Perhaps the most practical attack in cryptography! Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 5 / 42
  9. 9. Figure source: https://nsa.gov1.info/utah-data-center/ Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 6 / 42
  10. 10. State-of-art lattice-based crypto in practice Key exchange/establishment schemes Newhope (R-LWE), Frodo (LWE), NTRU-KEM (NTRU) Encryption schemes NTRUEncrypt (NTRU) - standardized by IEEE and ASC X9. Signature schemes BLISS (NTRU), pqNTRUSign (NTRU), TESLA (R-LWE) Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 7 / 42
  11. 11. Figure source: Christine van Vredendaal Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 8 / 42
  12. 12. How they are used in practice Hybrid mode: QSC + ECC/RSA Example: “quantum-safing” handshake for TLS Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 9 / 42
  13. 13. How they are used in practice Hybrid mode: QSC + ECC/RSA Example: “quantum-safing” handshake for TLS Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 9 / 42
  14. 14. How they are used in practice Hybrid mode: QSC + ECC/RSA Example: “quantum-safing” handshake for TLS Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 9 / 42
  15. 15. Figure source: Wendy Cordero’s High School Math Site Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 10 / 42
  16. 16. Lattice Definition of a Lattice All the integral combinations of d ≤ n linearly independent vectors over R L = Z b1 + · · · + Z bd = {λ1b1 + · · · + λd bd : λi ∈ Z} d dimension. B = (b1, . . . , bd ) is a basis. An example B = 5 1 2 √ 3 3 5 √ 2 1 d = 2 ≤ n = 3 In this talk, full rank integer Basis: B ∈ Zn,n. Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 11 / 42
  17. 17. Example A lattice L B = 8 5 5 16 All lattice crypto talks start with an image of a dim-2 lattice Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 12 / 42
  18. 18. Example A lattice L UB = 1 0 −1 1 8 5 5 16 = 8 5 −3 11 An infinity of basis Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 12 / 42
  19. 19. Example A lattice L UB = 1 0 1 1 8 5 5 16 = 8 5 13 21 An infinity of basis Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 12 / 42
  20. 20. Example A lattice L UB = 3 1 2 1 8 5 5 16 = 29 31 21 26 An infinity of basis Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 12 / 42
  21. 21. Example The Shortest Vector and The First Minima v = 8 5 , with λ1 = 82 + 52 = 9.434 The Shortest Vector Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 12 / 42
  22. 22. Example The Determinant det L = det (BBT ) = 103 The Fundamental Parallelepiped Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 12 / 42
  23. 23. SVP vs factorization Given 18 random chosen integers of ≈ 100 bits: d1, . . . , d18 607934075107679728535017910491 110892038590491011470413624162 102527531745069397657213612427 8592010462121158793989191725 1046281300378014562233368120438 686996122377288254791817885410 1103832612625211064506848179346 220852682915784634287852309921 944649534225139220175474902664 1176690699541611773408761953223 1136130825665947553678910749119 1108943208362935558648540132758 23737901275111053772686813555 465809649893186621224122861041 715902840717351780807871627645 630574310792857742024648084025 1051996449282023535890300047164 142993816453901841682500448596 Factorize d1|d2| . . . |d18 ≈ 1800 bits 6079340751076797285350179104911108920385904910114704136241621025275317450693976572136124278 5920104621211587939891917251046281300378014562233368120438686996122377288254791817885410110 3832612625211064506848179346220852682915784634287852309921944649534225139220175474902664117 6690699541611773408761953223113613082566594755367891074911911089432083629355586485401327582 3737901275111053772686813555465809649893186621224122861041715902840717351780807871627645630 5743107928577420246480840251051996449282023535890300047164142993816453901841682500448596 Find the shortest vector from          607934075107679728535017910491 0 0 . . . 0 0 110892038590491011470413624162 1 0 . . . 0 0 102527531745069397657213612427 0 1 . . . 0 0 . . . . . . . . . . . . . . . . . . 1051996449282023535890300047164 0 0 . . . 1 0 142993816453901841682500448596 0 0 . . . 0 1          Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 13 / 42
  24. 24. SVP vs factorization Given 18 random chosen integers of ≈ 100 bits: d1, . . . , d18 607934075107679728535017910491 110892038590491011470413624162 102527531745069397657213612427 8592010462121158793989191725 1046281300378014562233368120438 686996122377288254791817885410 1103832612625211064506848179346 220852682915784634287852309921 944649534225139220175474902664 1176690699541611773408761953223 1136130825665947553678910749119 1108943208362935558648540132758 23737901275111053772686813555 465809649893186621224122861041 715902840717351780807871627645 630574310792857742024648084025 1051996449282023535890300047164 142993816453901841682500448596 Factorize d1|d2| . . . |d18 ≈ 1800 bits Easy 6079340751076797285350179104911108920385904910114704136241621025275317450693976572136124278 5920104621211587939891917251046281300378014562233368120438686996122377288254791817885410110 3832612625211064506848179346220852682915784634287852309921944649534225139220175474902664117 6690699541611773408761953223113613082566594755367891074911911089432083629355586485401327582 3737901275111053772686813555465809649893186621224122861041715902840717351780807871627645630 5743107928577420246480840251051996449282023535890300047164142993816453901841682500448596 Find the shortest vector from          607934075107679728535017910491 0 0 . . . 0 0 110892038590491011470413624162 1 0 . . . 0 0 102527531745069397657213612427 0 1 . . . 0 0 . . . . . . . . . . . . . . . . . . 1051996449282023535890300047164 0 0 . . . 1 0 142993816453901841682500448596 0 0 . . . 0 1          As hard as solving SVP for any lattice of same dim Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 13 / 42
  25. 25. NTRU lattice 1 Introduction 2 NTRU lattice 3 NTRUEncrypt 4 pqNTRUSign 5 Conclusion Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 14 / 42
  26. 26. NTRU lattice NTRU ring Originally: Zq[x]/(xN − 1), q a power of 2, N a prime; Alternative 1: Zq[x]/(xN − x − 1), q a prime; Alternative 2: Zq[x]/(xN + 1), q a prime, N a power of 2 Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 15 / 42
  27. 27. NTRU lattice NTRU ring Originally: Zq[x]/(xN − 1), q a power of 2, N a prime; Alternative 1: Zq[x]/(xN − x − 1), q a prime; Alternative 2: Zq[x]/(xN + 1), q a prime, N a power of 2 Ring multiplications: h(x) = f (x) · g(x) Compute h (x) = f (x) × g(x) over Z[x] Reduce h (x) mod (xN − 1) mod q Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 15 / 42
  28. 28. NTRU lattice NTRU ring Originally: Zq[x]/(xN − 1), q a power of 2, N a prime; Alternative 1: Zq[x]/(xN − x − 1), q a prime; Alternative 2: Zq[x]/(xN + 1), q a prime, N a power of 2 Ring multiplications: h(x) = f (x) · g(x), alternatively h0, . . . , hN−1 = f0, . . . , fN−1 ×        g0 g1 g2 . . . gN−1 gN−1 g0 g1 . . . gN−2 gN−2 gN−1 g0 . . . gN−3 ... ... ... ... ... g1 g2 g3 . . . g0        mod q Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 15 / 42
  29. 29. NTRU lattice NTRU assumption Decisional: given two small ring elements f and g; it is hard to distinguish h = f /g from a uniformly random ring element; Computational: given h, find f and g. Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 16 / 42
  30. 30. NTRU lattice NTRU assumption Decisional: given two small ring elements f and g; it is hard to distinguish h = f /g from a uniformly random ring element; Computational: given h, find f and g. NTRU lattice qIN 0 H IN ..=               q 0 . . . 0 0 0 . . . 0 0 q . . . 0 0 0 . . . 0 ... ... ... ... ... ... ... ... 0 0 . . . q 0 0 . . . 0 h0 h1 . . . hN−1 1 0 . . . 0 hN−1 h0 . . . hN−2 0 1 . . . 0 ... ... ... ... ... ... ... ... h1 h2 . . . h0 0 0 . . . 1               Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 16 / 42
  31. 31. NTRU lattice NTRU assumption Decisional: given two small ring elements f and g; it is hard to distinguish h = f /g from a uniformly random ring element; Computational: given h, find f and g. NTRU lattice L = qIN 0 H IN g, f (and its cyclic rotations) are unique shortest vectors in L; Decisional problem: decide if L has unique shortest vectors; Computational problem: find those vectors. Both are hard for random lattices. Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 16 / 42
  32. 32. NTRU lattice The real NTRU assumption NTRU lattice behaves the same as random lattices. NTRU lattice L = qIN 0 H IN g, f (and its cyclic rotations) are unique shortest vectors in L; Decisional problem: decide if L has unique shortest vectors; Computational problem: find those vectors. Both are hard for random lattices. Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 16 / 42
  33. 33. NTRU lattice vs random lattice 256 0 172 1 256 0 17 1 (g, f ) = (1, 3) v = (17, 1) Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 17 / 42
  34. 34. NTRU lattice vs random lattice Random lattice, SV ≈ Gaussian Heuristic length = dim 2πe det 1 dim NTRU lattice, unique shortest vectors = g, f 2 Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 17 / 42
  35. 35. NTRU lattice vs LWE lattice NTRU R-LWE Secrets Trinary: {−1, 0, 1}dim Gaussian: χdim√ q Ring Zq[x]/(xN − 1) Zq[x]/(xN + 1) Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 18 / 42
  36. 36. Interlude: How to estimate lattice strength? Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 19 / 42
  37. 37. Interlude: How to estimate lattice strength ( )? Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 20 / 42
  38. 38. Interlude: How to estimate the lattice strength “Understanding lattice strength = mastering key technology. :D” –Jackie Chan Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 21 / 42
  39. 39. Interlude: How to estimate the lattice strength Random lattice: qIN 0 A IN NTRU lattice: qIN 0 H IN Lattice reduction algms. Approx.-SVP γ: root Hermite factor Cryptosystems1 Unique shortest vectors α: Gap = (λN+1/λ1)1/2N Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 22 / 42
  40. 40. Interlude: How to estimate the lattice strength Random lattice: qIN 0 A IN NTRU lattice: qIN 0 H IN Lattice reduction algms. Approx.-SVP γ: root Hermite factor Cryptosystems1 Unique shortest vectors α: Gap = (λN+1/λ1)1/2N “Ideal world” “Real world” Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 22 / 42
  41. 41. Interlude: How to estimate the lattice strength Random lattice: qIN 0 A IN NTRU lattice: qIN 0 H IN Lattice reduction algms. Approx.-SVP γ: root Hermite factor Cryptosystems1 Unique shortest vectors α: Gap = (λN+1/λ1)1/2N α-uSVP ≈ γ-SVP −→ we can use BKZ/LLL results on uSVP λ1 = λ2 = · · · = λN = g, f 2 = √ 2d λN+1 ≈ Gaussian Heuristic length dim 2πe det 1 dim = Nq πe α = Nq 2dπe 1 4N Not limited to NTRU, almost all efficient lattice crypto base on uSVP Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 22 / 42
  42. 42. Interlude: How to estimate the lattice strength Random lattice: qIN 0 A IN NTRU lattice: qIN 0 H IN Lattice reduction algms. Approx.-SVP γ: root Hermite factor Cryptosystems1 Unique shortest vectors α: Gap = (λN+1/λ1)1/2N α = Nq 2dπe 1 4N Example: N = 743, q = 2048, d = 495: α ≈ 1.0038 α-uSVP ≈ γ-SVP If BKZ 2.0 can solve Approx-SVP with γ = 1.0038, it can solve uSVP Lattice strength = cost of BKZ 2.0 with γ = 1.0038 Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 22 / 42
  43. 43. Interlude: Lattice reductions Overview time space approx. factor LLL poly poly exp BKZ sub-exp sub-exp sub-exp Enumeration sup-exp poly 1 Sieving exp exp 1 Best in practice: BKZ 2.0 Input B = (b1, . . . , bn) and block size k Repeat: For i from 1 to n-k+1 do Solve SVP for sub-lattice (bi , . . . , bi+k−1) Size-reduction Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 23 / 42
  44. 44. Interlude: Lattice reductions Best in practice: BKZ 2.0 Input B = (b1, . . . , bn) and block size k Repeat: For i from 1 to n-k+1 do Solve SVP for sub-lattice (bi , . . . , bi+k−1) Size-reduction Original BKZ 2.0: enumeration with extreme pruning “New Hope”: (quantum) sieving Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 24 / 42
  45. 45. Interlude: Estimate BKZ 2.0 cost Best in practice: BKZ 2.0 Input B = (b1, . . . , bn) and block size k Repeat: For i from 1 to n-k+1 do Solve SVP for sub-lattice (bi , . . . , bi+k−1) Size-reduction Example: n = 1024, γ = 1.006(?) (Extreme pruning) To arrive γ = 1.006 one need to use block size 216; Cost to find SV in dim-216 lattice requires > 2105 node; Per-node cost 27; Call this SV solver for (n − k + 1) ∗ round > 29 times; Total cost > 2121 Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 25 / 42
  46. 46. Interlude: Estimate BKZ 2.0 cost Best in practice: BKZ 2.0 Input B = (b1, . . . , bn) and block size k Repeat: For i from 1 to n-k+1 do Solve SVP for sub-lattice (bi , . . . , bi+k−1) Size-reduction Example: n = 1024, γ = 1.006 (Sieving) To arrive γ = 1.006 one need to use block size 216; Cost to find SV in dim-216 lattice requires > 2216∗0.3 ≈ 265 operation; Also requires ≈ 265 space Call this SV solver for (n − k + 1) ∗ round > 29 times; Total cost > 274 Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 26 / 42
  47. 47. NTRUEncrypt 1 Introduction 2 NTRU lattice 3 NTRUEncrypt 4 pqNTRUSign 5 Conclusion Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 27 / 42
  48. 48. NTRUEncrypt A CCA-2 secure encryption scheme based on NTRU assumption Enc (h = g/f , p = 3, R, m ∈ {−1, 0, 1}N ) Find a random ring element r; Compute e = p × r · h + m; Dec (f , p = 3, R, e) Compute c = e · f = p × r · g + m · f ; Reduce c mod p = m · f mod p Recover m = c · f −1 mod p Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 28 / 42
  49. 49. NTRUEncrypt A CCA-2 secure encryption scheme based on NTRU assumption Enc (h = g/f , p = 3, f ≡ 1 mod p, R, m ∈ {−1, 0, 1}N ) Find a random ring element r; Compute e = p × r · h + m; Dec (f ≡ 1 mod p, p = 3, R, e) Compute c = e · f = p × r · g + m · f ; Reduce c mod p = m · f mod p = m Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 28 / 42
  50. 50. NTRUEncrypt A CCA-2 secure encryption scheme based on NTRU assumption Enc (h = g/f , p = 3, f ≡ 1 mod p, R, m ∈ {−1, 0, 1}k ) Find a random string b; r = hash(h|b) m = r ⊗ m|b Compute e = p × r · h + m ; Dec (f ≡ 1 mod p, g, p = 3, R, e) Compute c = e · f = p × r · g + m · f ; Reduce c mod p = m · f mod p = m Compute r = p−1 × (c − m · f ) · g−1 Extract m, b from m ⊗ r , compute r = hash(h|b); Output m if r = r . Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 28 / 42
  51. 51. Attacks Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 29 / 42
  52. 52. Attacks Known attacks Combinatorial attacks (meet-in-the-middle); Lattice reductions; Hybrid attacks; Less effective attacks Subfield attacks; Subring attacks: Mod 2 attack. Hash attacks. Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 30 / 42
  53. 53. Attacks Known attacks Combinatorial attacks (meet-in-the-middle); Lattice reductions; Hybrid attacks; Suppose f , g are binary polynomials with hamming weight d list = ∅ Guess a fi with hamming weight d/2; compute gi = fi · h; Check gi against every gj ∈ list: if gi + gj is binary with hamming weight d; output gi , gj ; else, add gi to list: Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 30 / 42
  54. 54. Attacks Known attacks Combinatorial attacks (meet-in-the-middle); Lattice reductions; Hybrid attacks; Find short vectors in NTRU lattice qIN 0 H IN Lattice reduction algorithms: BKZ 2.0 Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 30 / 42
  55. 55. Attacks Known attacks Combinatorial attacks (meet-in-the-middle); Lattice reductions; Hybrid attacks; Re-write qIN 0 H IN ..=   qIr1 0 0 ∗ L1 0 ∗ ∗ Ir2   Reduce L1 ..= qIr1 0 0 ∗ L1 0 (MITM) guess a vector v in L2 ..= ∗ ∗ Ir2 If guess correctly, v will be very close to L1; Find the closest vector of v in L1; Easy if L1 is well-reduced. Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 30 / 42
  56. 56. Parameters Post-Quantum Parameter Sets and Security Estimates Classical Quantum Hybrid Attack Parameters Product form log2 dec. root security est. security est. N q (df , dg , dm) dim β rounds K Cost search cost fail prob. Hermite factor 128 128 443 2048 (148, 148, 115) 575 222 11 177 133 147 -196 1.0041 192 128 587 2048 (196, 196, 157) 723 311 9 258 197 193 -139 1.0031 256 128 743 2048 (247, 247, 204) 880 407 8 350 272 256 -112 1.0025 Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 31 / 42
  57. 57. pqNTRUSign 1 Introduction 2 NTRU lattice 3 NTRUEncrypt 4 pqNTRUSign 5 Conclusion Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 32 / 42
  58. 58. Modular Lattice Signatures The core idea Given a lattice L with a trapdoor T, a message m, find a vector v v ∈ L v ≡ hash(m) mod p Can be instantiated via any lattice SIS, R-SIS, R-LWE, etc pqNTRUSign is an efficient instantiation using NTRU lattice Efficient trapdoor f , g; Well-understood hardness. Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 33 / 42
  59. 59. pqNTRUSign Sign (f , g, h = g/f , p = 3, R, m) Hash message into a “mod p” vector vp, up = hash(m|h) Repeat with rejection sampling: Sample v0 from certain distribution; compute v1 = p × v0 + vp Find a random lattice vector v1, u1 = v1 · I, h “v-side” meets the congruent condition. Micro-adjust “u-side” using trapdoor f and g Compute a = (u1 − up) · g−1 mod p Compute v2, u2 = a · p × f , g Compute v, u = v1, u1 + v2, u2 Output v as signature Remark v = v1 + v2 = (p × v0 + vp) + p × a · f = p × (v0 + a · f ) + vp Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 34 / 42
  60. 60. pqNTRUSign Verify (h, p = 3, R, m, v) Hash message into a “mod p” vector vp, up = hash(m|h) Reconstruct the lattice vector v, u = v · I, h Check vp, up = hash(m|h) Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 35 / 42
  61. 61. pqNTRUSign Public key security: recover f and g from h; Forgery: as hard as solving an approx.-SVP in an intersected lattice; Transcript security - achieved via rejection sampling. Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 36 / 42
  62. 62. Forgery Forgery: as hard as solving an approx.-SVP in an intersected lattice: L ..= Lh ∩ (Z2N + vp, up ) det(L ) = p2NqN −→ Gaussian heuristic length = p2qN πe Target vector length v, u ≤ √ 2N q 2 Approx.-SVP with root Hermite factor γ = qπe 2p2 1 dim = qπe 2p2 1 4N Example: N = 512, q = 12289, p = 3 −→ γ = 1.0042 Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 37 / 42
  63. 63. Transcript security Works on GGHSign, NTRUSign; Each signature is a vector close to the lattice (info leakage); Recover enough of distance vectors (blue dots) gives away a good basis of the lattice; Seal the leakage with rejection sampling. Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 38 / 42
  64. 64. Rejection Sampling Consider b ..= v0 + a · f “large” v0 drawn from uniform or Gaussian; “small” a drawn from sparse trinary/binary; sparse trinary/binary f is the secret. RS on b b follows certain publicly known distribution independent from f ; for two secret keys f1, f2 and a signature b, one is not able to tell which key signs b - witness indistinguishability. Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 39 / 42
  65. 65. Rejection Sampling Rejection sampling on Uniform Sample v0 uniformly from [−q 2 , −q 2 ]N Accept b when b is in [−q 2 + B, −q 2 − B]N Before rejection 0.0005 0.0006 0.0007 0.0008 0.0009 0.001 0.0011 -600 -400 -200 0 200 400 600 "notuniforminq" 1/1031.0 Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 40 / 42
  66. 66. Rejection Sampling Rejection sampling on Uniform Sample v0 uniformly from [−q 2 , −q 2 ]N Accept b when b is in [−q 2 + B, −q 2 − B]N After rejection 0 0.0002 0.0004 0.0006 0.0008 0.001 0.0012 -600 -400 -200 0 200 400 600 "uniforminq" 1/1021.0 Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 40 / 42
  67. 67. Rejection Sampling Rejection sampling on Gaussian Sample v0 from discrete Gaussian χN σ Accept b when b is Gaussian Before/after rejection Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 40 / 42
  68. 68. Future work Better scalability: Module-LWE based schemes; Better efficiency: Improved rejection sampling methods; Better implementations Constant time. SIMD. Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 41 / 42
  69. 69. Thanks! to study the underlying principle to acquire knowledge (idiom); pursuing knowledge to the end. Figure source: Google Image & www.hsjushi.com Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 42 / 42

×