Slideshare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our User Agreement and Privacy Policy.

Slideshare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our Privacy Policy and User Agreement for details.

Successfully reported this slideshow.

Like this presentation? Why not share!

- What to Upload to SlideShare by SlideShare 6802622 views
- Customer Code: Creating a Company C... by HubSpot 5032122 views
- Be A Great Product Leader (Amplify,... by Adam Nash 1130106 views
- Trillion Dollar Coach Book (Bill Ca... by Eric Schmidt 1318233 views
- APIdays Paris 2019 - Innovation @ s... by apidays 1584274 views
- A few thoughts on work life-balance by Wim Vanderbauwhede 1160420 views

A review of NTRU Cryptosystem, including discussion of NTRU lattice, NTRUEncrypt, and pqNTRUSign.

No Downloads

Total views

2,201

On SlideShare

0

From Embeds

0

Number of Embeds

0

Shares

0

Downloads

64

Comments

8

Likes

2

No notes for slide

- 1. A short review of the NTRU cryptosystem Zhenfei Zhang zzhang@onboardsecurity.com July 12, 2017 Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 1 / 42
- 2. Outline 1 Introduction 2 NTRU lattice 3 NTRUEncrypt 4 pqNTRUSign 5 Conclusion Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 2 / 42
- 3. Why lattice Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 3 / 42
- 4. Why lattice Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 3 / 42
- 5. Why lattice Lattice leads to the knowledge of everything! Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 3 / 42
- 6. Why lattice Lattice leads to the knowledge of everything! (WRONG!) Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 3 / 42
- 7. Why lattice the real reason 1994, Shor’s algorithm, break RSA and ECC with quantum computers; 2015, NSA announcement: prepare for the quantum apocalypse; 2017, NIST call for competition/standardization; 2030(?), predicted general purpose quantum computers; bonus points Good understanding of underlying hard problem; Fast, parallelable, hardware friendly; Numerous applications: FHE, ABE, MMap, obfuscation, . . . Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 4 / 42
- 8. Why lattice the real reason 2030(?), predicted general purpose quantum computers; Data vaulting attack A.k.a., harvest-then-decrypt attack Data need to be secret for, say, 30 years; Quantum computer arrives in, say, 15 years; Perhaps the most practical attack in cryptography! Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 5 / 42
- 9. Figure source: https://nsa.gov1.info/utah-data-center/ Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 6 / 42
- 10. State-of-art lattice-based crypto in practice Key exchange/establishment schemes Newhope (R-LWE), Frodo (LWE), NTRU-KEM (NTRU) Encryption schemes NTRUEncrypt (NTRU) - standardized by IEEE and ASC X9. Signature schemes BLISS (NTRU), pqNTRUSign (NTRU), TESLA (R-LWE) Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 7 / 42
- 11. Figure source: Christine van Vredendaal Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 8 / 42
- 12. How they are used in practice Hybrid mode: QSC + ECC/RSA Example: “quantum-saﬁng” handshake for TLS Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 9 / 42
- 13. How they are used in practice Hybrid mode: QSC + ECC/RSA Example: “quantum-saﬁng” handshake for TLS Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 9 / 42
- 14. How they are used in practice Hybrid mode: QSC + ECC/RSA Example: “quantum-saﬁng” handshake for TLS Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 9 / 42
- 15. Figure source: Wendy Cordero’s High School Math Site Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 10 / 42
- 16. Lattice Deﬁnition of a Lattice All the integral combinations of d ≤ n linearly independent vectors over R L = Z b1 + · · · + Z bd = {λ1b1 + · · · + λd bd : λi ∈ Z} d dimension. B = (b1, . . . , bd ) is a basis. An example B = 5 1 2 √ 3 3 5 √ 2 1 d = 2 ≤ n = 3 In this talk, full rank integer Basis: B ∈ Zn,n. Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 11 / 42
- 17. Example A lattice L B = 8 5 5 16 All lattice crypto talks start with an image of a dim-2 lattice Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 12 / 42
- 18. Example A lattice L UB = 1 0 −1 1 8 5 5 16 = 8 5 −3 11 An inﬁnity of basis Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 12 / 42
- 19. Example A lattice L UB = 1 0 1 1 8 5 5 16 = 8 5 13 21 An inﬁnity of basis Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 12 / 42
- 20. Example A lattice L UB = 3 1 2 1 8 5 5 16 = 29 31 21 26 An inﬁnity of basis Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 12 / 42
- 21. Example The Shortest Vector and The First Minima v = 8 5 , with λ1 = 82 + 52 = 9.434 The Shortest Vector Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 12 / 42
- 22. Example The Determinant det L = det (BBT ) = 103 The Fundamental Parallelepiped Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 12 / 42
- 23. SVP vs factorization Given 18 random chosen integers of ≈ 100 bits: d1, . . . , d18 607934075107679728535017910491 110892038590491011470413624162 102527531745069397657213612427 8592010462121158793989191725 1046281300378014562233368120438 686996122377288254791817885410 1103832612625211064506848179346 220852682915784634287852309921 944649534225139220175474902664 1176690699541611773408761953223 1136130825665947553678910749119 1108943208362935558648540132758 23737901275111053772686813555 465809649893186621224122861041 715902840717351780807871627645 630574310792857742024648084025 1051996449282023535890300047164 142993816453901841682500448596 Factorize d1|d2| . . . |d18 ≈ 1800 bits 6079340751076797285350179104911108920385904910114704136241621025275317450693976572136124278 5920104621211587939891917251046281300378014562233368120438686996122377288254791817885410110 3832612625211064506848179346220852682915784634287852309921944649534225139220175474902664117 6690699541611773408761953223113613082566594755367891074911911089432083629355586485401327582 3737901275111053772686813555465809649893186621224122861041715902840717351780807871627645630 5743107928577420246480840251051996449282023535890300047164142993816453901841682500448596 Find the shortest vector from 607934075107679728535017910491 0 0 . . . 0 0 110892038590491011470413624162 1 0 . . . 0 0 102527531745069397657213612427 0 1 . . . 0 0 . . . . . . . . . . . . . . . . . . 1051996449282023535890300047164 0 0 . . . 1 0 142993816453901841682500448596 0 0 . . . 0 1 Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 13 / 42
- 24. SVP vs factorization Given 18 random chosen integers of ≈ 100 bits: d1, . . . , d18 607934075107679728535017910491 110892038590491011470413624162 102527531745069397657213612427 8592010462121158793989191725 1046281300378014562233368120438 686996122377288254791817885410 1103832612625211064506848179346 220852682915784634287852309921 944649534225139220175474902664 1176690699541611773408761953223 1136130825665947553678910749119 1108943208362935558648540132758 23737901275111053772686813555 465809649893186621224122861041 715902840717351780807871627645 630574310792857742024648084025 1051996449282023535890300047164 142993816453901841682500448596 Factorize d1|d2| . . . |d18 ≈ 1800 bits Easy 6079340751076797285350179104911108920385904910114704136241621025275317450693976572136124278 5920104621211587939891917251046281300378014562233368120438686996122377288254791817885410110 3832612625211064506848179346220852682915784634287852309921944649534225139220175474902664117 6690699541611773408761953223113613082566594755367891074911911089432083629355586485401327582 3737901275111053772686813555465809649893186621224122861041715902840717351780807871627645630 5743107928577420246480840251051996449282023535890300047164142993816453901841682500448596 Find the shortest vector from 607934075107679728535017910491 0 0 . . . 0 0 110892038590491011470413624162 1 0 . . . 0 0 102527531745069397657213612427 0 1 . . . 0 0 . . . . . . . . . . . . . . . . . . 1051996449282023535890300047164 0 0 . . . 1 0 142993816453901841682500448596 0 0 . . . 0 1 As hard as solving SVP for any lattice of same dim Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 13 / 42
- 25. NTRU lattice 1 Introduction 2 NTRU lattice 3 NTRUEncrypt 4 pqNTRUSign 5 Conclusion Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 14 / 42
- 26. NTRU lattice NTRU ring Originally: Zq[x]/(xN − 1), q a power of 2, N a prime; Alternative 1: Zq[x]/(xN − x − 1), q a prime; Alternative 2: Zq[x]/(xN + 1), q a prime, N a power of 2 Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 15 / 42
- 27. NTRU lattice NTRU ring Originally: Zq[x]/(xN − 1), q a power of 2, N a prime; Alternative 1: Zq[x]/(xN − x − 1), q a prime; Alternative 2: Zq[x]/(xN + 1), q a prime, N a power of 2 Ring multiplications: h(x) = f (x) · g(x) Compute h (x) = f (x) × g(x) over Z[x] Reduce h (x) mod (xN − 1) mod q Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 15 / 42
- 28. NTRU lattice NTRU ring Originally: Zq[x]/(xN − 1), q a power of 2, N a prime; Alternative 1: Zq[x]/(xN − x − 1), q a prime; Alternative 2: Zq[x]/(xN + 1), q a prime, N a power of 2 Ring multiplications: h(x) = f (x) · g(x), alternatively h0, . . . , hN−1 = f0, . . . , fN−1 × g0 g1 g2 . . . gN−1 gN−1 g0 g1 . . . gN−2 gN−2 gN−1 g0 . . . gN−3 ... ... ... ... ... g1 g2 g3 . . . g0 mod q Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 15 / 42
- 29. NTRU lattice NTRU assumption Decisional: given two small ring elements f and g; it is hard to distinguish h = f /g from a uniformly random ring element; Computational: given h, ﬁnd f and g. Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 16 / 42
- 30. NTRU lattice NTRU assumption Decisional: given two small ring elements f and g; it is hard to distinguish h = f /g from a uniformly random ring element; Computational: given h, ﬁnd f and g. NTRU lattice qIN 0 H IN ..= q 0 . . . 0 0 0 . . . 0 0 q . . . 0 0 0 . . . 0 ... ... ... ... ... ... ... ... 0 0 . . . q 0 0 . . . 0 h0 h1 . . . hN−1 1 0 . . . 0 hN−1 h0 . . . hN−2 0 1 . . . 0 ... ... ... ... ... ... ... ... h1 h2 . . . h0 0 0 . . . 1 Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 16 / 42
- 31. NTRU lattice NTRU assumption Decisional: given two small ring elements f and g; it is hard to distinguish h = f /g from a uniformly random ring element; Computational: given h, ﬁnd f and g. NTRU lattice L = qIN 0 H IN g, f (and its cyclic rotations) are unique shortest vectors in L; Decisional problem: decide if L has unique shortest vectors; Computational problem: ﬁnd those vectors. Both are hard for random lattices. Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 16 / 42
- 32. NTRU lattice The real NTRU assumption NTRU lattice behaves the same as random lattices. NTRU lattice L = qIN 0 H IN g, f (and its cyclic rotations) are unique shortest vectors in L; Decisional problem: decide if L has unique shortest vectors; Computational problem: ﬁnd those vectors. Both are hard for random lattices. Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 16 / 42
- 33. NTRU lattice vs random lattice 256 0 172 1 256 0 17 1 (g, f ) = (1, 3) v = (17, 1) Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 17 / 42
- 34. NTRU lattice vs random lattice Random lattice, SV ≈ Gaussian Heuristic length = dim 2πe det 1 dim NTRU lattice, unique shortest vectors = g, f 2 Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 17 / 42
- 35. NTRU lattice vs LWE lattice NTRU R-LWE Secrets Trinary: {−1, 0, 1}dim Gaussian: χdim√ q Ring Zq[x]/(xN − 1) Zq[x]/(xN + 1) Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 18 / 42
- 36. Interlude: How to estimate lattice strength? Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 19 / 42
- 37. Interlude: How to estimate lattice strength ( )? Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 20 / 42
- 38. Interlude: How to estimate the lattice strength “Understanding lattice strength = mastering key technology. :D” –Jackie Chan Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 21 / 42
- 39. Interlude: How to estimate the lattice strength Random lattice: qIN 0 A IN NTRU lattice: qIN 0 H IN Lattice reduction algms. Approx.-SVP γ: root Hermite factor Cryptosystems1 Unique shortest vectors α: Gap = (λN+1/λ1)1/2N Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 22 / 42
- 40. Interlude: How to estimate the lattice strength Random lattice: qIN 0 A IN NTRU lattice: qIN 0 H IN Lattice reduction algms. Approx.-SVP γ: root Hermite factor Cryptosystems1 Unique shortest vectors α: Gap = (λN+1/λ1)1/2N “Ideal world” “Real world” Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 22 / 42
- 41. Interlude: How to estimate the lattice strength Random lattice: qIN 0 A IN NTRU lattice: qIN 0 H IN Lattice reduction algms. Approx.-SVP γ: root Hermite factor Cryptosystems1 Unique shortest vectors α: Gap = (λN+1/λ1)1/2N α-uSVP ≈ γ-SVP −→ we can use BKZ/LLL results on uSVP λ1 = λ2 = · · · = λN = g, f 2 = √ 2d λN+1 ≈ Gaussian Heuristic length dim 2πe det 1 dim = Nq πe α = Nq 2dπe 1 4N Not limited to NTRU, almost all eﬃcient lattice crypto base on uSVP Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 22 / 42
- 42. Interlude: How to estimate the lattice strength Random lattice: qIN 0 A IN NTRU lattice: qIN 0 H IN Lattice reduction algms. Approx.-SVP γ: root Hermite factor Cryptosystems1 Unique shortest vectors α: Gap = (λN+1/λ1)1/2N α = Nq 2dπe 1 4N Example: N = 743, q = 2048, d = 495: α ≈ 1.0038 α-uSVP ≈ γ-SVP If BKZ 2.0 can solve Approx-SVP with γ = 1.0038, it can solve uSVP Lattice strength = cost of BKZ 2.0 with γ = 1.0038 Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 22 / 42
- 43. Interlude: Lattice reductions Overview time space approx. factor LLL poly poly exp BKZ sub-exp sub-exp sub-exp Enumeration sup-exp poly 1 Sieving exp exp 1 Best in practice: BKZ 2.0 Input B = (b1, . . . , bn) and block size k Repeat: For i from 1 to n-k+1 do Solve SVP for sub-lattice (bi , . . . , bi+k−1) Size-reduction Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 23 / 42
- 44. Interlude: Lattice reductions Best in practice: BKZ 2.0 Input B = (b1, . . . , bn) and block size k Repeat: For i from 1 to n-k+1 do Solve SVP for sub-lattice (bi , . . . , bi+k−1) Size-reduction Original BKZ 2.0: enumeration with extreme pruning “New Hope”: (quantum) sieving Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 24 / 42
- 45. Interlude: Estimate BKZ 2.0 cost Best in practice: BKZ 2.0 Input B = (b1, . . . , bn) and block size k Repeat: For i from 1 to n-k+1 do Solve SVP for sub-lattice (bi , . . . , bi+k−1) Size-reduction Example: n = 1024, γ = 1.006(?) (Extreme pruning) To arrive γ = 1.006 one need to use block size 216; Cost to ﬁnd SV in dim-216 lattice requires > 2105 node; Per-node cost 27; Call this SV solver for (n − k + 1) ∗ round > 29 times; Total cost > 2121 Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 25 / 42
- 46. Interlude: Estimate BKZ 2.0 cost Best in practice: BKZ 2.0 Input B = (b1, . . . , bn) and block size k Repeat: For i from 1 to n-k+1 do Solve SVP for sub-lattice (bi , . . . , bi+k−1) Size-reduction Example: n = 1024, γ = 1.006 (Sieving) To arrive γ = 1.006 one need to use block size 216; Cost to ﬁnd SV in dim-216 lattice requires > 2216∗0.3 ≈ 265 operation; Also requires ≈ 265 space Call this SV solver for (n − k + 1) ∗ round > 29 times; Total cost > 274 Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 26 / 42
- 47. NTRUEncrypt 1 Introduction 2 NTRU lattice 3 NTRUEncrypt 4 pqNTRUSign 5 Conclusion Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 27 / 42
- 48. NTRUEncrypt A CCA-2 secure encryption scheme based on NTRU assumption Enc (h = g/f , p = 3, R, m ∈ {−1, 0, 1}N ) Find a random ring element r; Compute e = p × r · h + m; Dec (f , p = 3, R, e) Compute c = e · f = p × r · g + m · f ; Reduce c mod p = m · f mod p Recover m = c · f −1 mod p Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 28 / 42
- 49. NTRUEncrypt A CCA-2 secure encryption scheme based on NTRU assumption Enc (h = g/f , p = 3, f ≡ 1 mod p, R, m ∈ {−1, 0, 1}N ) Find a random ring element r; Compute e = p × r · h + m; Dec (f ≡ 1 mod p, p = 3, R, e) Compute c = e · f = p × r · g + m · f ; Reduce c mod p = m · f mod p = m Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 28 / 42
- 50. NTRUEncrypt A CCA-2 secure encryption scheme based on NTRU assumption Enc (h = g/f , p = 3, f ≡ 1 mod p, R, m ∈ {−1, 0, 1}k ) Find a random string b; r = hash(h|b) m = r ⊗ m|b Compute e = p × r · h + m ; Dec (f ≡ 1 mod p, g, p = 3, R, e) Compute c = e · f = p × r · g + m · f ; Reduce c mod p = m · f mod p = m Compute r = p−1 × (c − m · f ) · g−1 Extract m, b from m ⊗ r , compute r = hash(h|b); Output m if r = r . Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 28 / 42
- 51. Attacks Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 29 / 42
- 52. Attacks Known attacks Combinatorial attacks (meet-in-the-middle); Lattice reductions; Hybrid attacks; Less eﬀective attacks Subﬁeld attacks; Subring attacks: Mod 2 attack. Hash attacks. Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 30 / 42
- 53. Attacks Known attacks Combinatorial attacks (meet-in-the-middle); Lattice reductions; Hybrid attacks; Suppose f , g are binary polynomials with hamming weight d list = ∅ Guess a fi with hamming weight d/2; compute gi = fi · h; Check gi against every gj ∈ list: if gi + gj is binary with hamming weight d; output gi , gj ; else, add gi to list: Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 30 / 42
- 54. Attacks Known attacks Combinatorial attacks (meet-in-the-middle); Lattice reductions; Hybrid attacks; Find short vectors in NTRU lattice qIN 0 H IN Lattice reduction algorithms: BKZ 2.0 Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 30 / 42
- 55. Attacks Known attacks Combinatorial attacks (meet-in-the-middle); Lattice reductions; Hybrid attacks; Re-write qIN 0 H IN ..= qIr1 0 0 ∗ L1 0 ∗ ∗ Ir2 Reduce L1 ..= qIr1 0 0 ∗ L1 0 (MITM) guess a vector v in L2 ..= ∗ ∗ Ir2 If guess correctly, v will be very close to L1; Find the closest vector of v in L1; Easy if L1 is well-reduced. Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 30 / 42
- 56. Parameters Post-Quantum Parameter Sets and Security Estimates Classical Quantum Hybrid Attack Parameters Product form log2 dec. root security est. security est. N q (df , dg , dm) dim β rounds K Cost search cost fail prob. Hermite factor 128 128 443 2048 (148, 148, 115) 575 222 11 177 133 147 -196 1.0041 192 128 587 2048 (196, 196, 157) 723 311 9 258 197 193 -139 1.0031 256 128 743 2048 (247, 247, 204) 880 407 8 350 272 256 -112 1.0025 Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 31 / 42
- 57. pqNTRUSign 1 Introduction 2 NTRU lattice 3 NTRUEncrypt 4 pqNTRUSign 5 Conclusion Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 32 / 42
- 58. Modular Lattice Signatures The core idea Given a lattice L with a trapdoor T, a message m, ﬁnd a vector v v ∈ L v ≡ hash(m) mod p Can be instantiated via any lattice SIS, R-SIS, R-LWE, etc pqNTRUSign is an eﬃcient instantiation using NTRU lattice Eﬃcient trapdoor f , g; Well-understood hardness. Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 33 / 42
- 59. pqNTRUSign Sign (f , g, h = g/f , p = 3, R, m) Hash message into a “mod p” vector vp, up = hash(m|h) Repeat with rejection sampling: Sample v0 from certain distribution; compute v1 = p × v0 + vp Find a random lattice vector v1, u1 = v1 · I, h “v-side” meets the congruent condition. Micro-adjust “u-side” using trapdoor f and g Compute a = (u1 − up) · g−1 mod p Compute v2, u2 = a · p × f , g Compute v, u = v1, u1 + v2, u2 Output v as signature Remark v = v1 + v2 = (p × v0 + vp) + p × a · f = p × (v0 + a · f ) + vp Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 34 / 42
- 60. pqNTRUSign Verify (h, p = 3, R, m, v) Hash message into a “mod p” vector vp, up = hash(m|h) Reconstruct the lattice vector v, u = v · I, h Check vp, up = hash(m|h) Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 35 / 42
- 61. pqNTRUSign Public key security: recover f and g from h; Forgery: as hard as solving an approx.-SVP in an intersected lattice; Transcript security - achieved via rejection sampling. Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 36 / 42
- 62. Forgery Forgery: as hard as solving an approx.-SVP in an intersected lattice: L ..= Lh ∩ (Z2N + vp, up ) det(L ) = p2NqN −→ Gaussian heuristic length = p2qN πe Target vector length v, u ≤ √ 2N q 2 Approx.-SVP with root Hermite factor γ = qπe 2p2 1 dim = qπe 2p2 1 4N Example: N = 512, q = 12289, p = 3 −→ γ = 1.0042 Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 37 / 42
- 63. Transcript security Works on GGHSign, NTRUSign; Each signature is a vector close to the lattice (info leakage); Recover enough of distance vectors (blue dots) gives away a good basis of the lattice; Seal the leakage with rejection sampling. Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 38 / 42
- 64. Rejection Sampling Consider b ..= v0 + a · f “large” v0 drawn from uniform or Gaussian; “small” a drawn from sparse trinary/binary; sparse trinary/binary f is the secret. RS on b b follows certain publicly known distribution independent from f ; for two secret keys f1, f2 and a signature b, one is not able to tell which key signs b - witness indistinguishability. Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 39 / 42
- 65. Rejection Sampling Rejection sampling on Uniform Sample v0 uniformly from [−q 2 , −q 2 ]N Accept b when b is in [−q 2 + B, −q 2 − B]N Before rejection 0.0005 0.0006 0.0007 0.0008 0.0009 0.001 0.0011 -600 -400 -200 0 200 400 600 "notuniforminq" 1/1031.0 Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 40 / 42
- 66. Rejection Sampling Rejection sampling on Uniform Sample v0 uniformly from [−q 2 , −q 2 ]N Accept b when b is in [−q 2 + B, −q 2 − B]N After rejection 0 0.0002 0.0004 0.0006 0.0008 0.001 0.0012 -600 -400 -200 0 200 400 600 "uniforminq" 1/1021.0 Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 40 / 42
- 67. Rejection Sampling Rejection sampling on Gaussian Sample v0 from discrete Gaussian χN σ Accept b when b is Gaussian Before/after rejection Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 40 / 42
- 68. Future work Better scalability: Module-LWE based schemes; Better eﬃciency: Improved rejection sampling methods; Better implementations Constant time. SIMD. Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 41 / 42
- 69. Thanks! to study the underlying principle to acquire knowledge (idiom); pursuing knowledge to the end. Figure source: Google Image & www.hsjushi.com Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 42 / 42

No public clipboards found for this slide

Login to see the comments